Juniper Troubleshooting Commands
Managing configuration
configure exclusive – lock the candidate configuration so that nobody else can modify it while you are in configuration mode (configure private gives you a private copy instead)
#status – show who else is in configuration mode and where in the hierarchy they are editing
#show | compare (filename | rollback n) – diff the candidate against the active configuration, a file or a rollback
#commit | display detail – debug a slow or failing commit
#commit check – validate the candidate without activating it
#commit comment "text" – record why the change was made (shows up in show system commit)
#commit confirmed [minutes] – automatic rollback unless a second commit follows within the interval (default 10 minutes); the safety net for remote changes to firewall policy, routing or management access
#commit at [hh:mm | yyyy-mm-dd hh:mm | reboot] – schedule the commit
clear system commit – cancel a scheduled commit; clear system reboot – cancel a scheduled reboot
show system commit – commit history (rollback number, time, user, comment)
show configuration …. – the active configuration (add a hierarchy to show only part of it)
#load [set] [merge | replace | override | update | patch] [relative] (terminal | filename) – paste configuration (Ctrl+D to end) or read it from a file
#show | display set – candidate as set commands
#show | display changed – only the statements changed since the last commit
#show | display detail – with metadata for each statement
#show | display omit – include statements hidden with apply-flags omit
Configuration modification commands:
#annotate <statement> "comment" – attach a comment to a statement at the current hierarchy level
#activate / deactivate <statement> – keep a statement in the candidate but take it out of (or put it back into) the active configuration
#copy / delete / rename <statement> – copy, delete or rename a hierarchy; with wildcards use wildcard delete, e.g. wildcard delete interfaces fe*
#rename <statement> to <new-name> – rename a statement (interface, policy, filter) in place
#replace pattern <old> with <new> – regex search-and-replace over the candidate configuration
#protect / unprotect <statement> – protect a statement from accidental modification or deletion
#exit configuration-mode
#quit
show system rollback 10 – display the configuration saved as rollback 10
show system rollback compare 10 12 – diff two rollback configurations
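The commands above strung together into one safe change: lock, stage, review, commit with a dead-man switch, verify, confirm, and audit afterwards. This is an added worked example and not part of the original page; the zone names, policy name, ticket number and prompt are made up.

```junos
## Lock the candidate so a parallel editor cannot commit half of your change
user@srx> configure exclusive
[edit]
user@srx# set security policies from-zone Inside to-zone Outside policy allow-https match source-address any destination-address any application junos-https
user@srx# set security policies from-zone Inside to-zone Outside policy allow-https then permit

## Comments live in the configuration; annotate works on a statement at the current level
user@srx# edit security policies from-zone Inside to-zone Outside
user@srx# annotate policy allow-https "CHG-1234: outbound https for the proxy replacement"
user@srx# top

## Review exactly what will change, then validate without activating anything
user@srx# show | compare
user@srx# commit check

## Activate with a 5-minute dead-man switch: if this change locks you out (management policy,
## host-inbound-traffic, routing), the box reverts on its own when no second commit arrives
user@srx# commit confirmed 5 comment "CHG-1234 allow outbound https"

## Verify from the same session, then confirm; the confirming commit makes the change permanent
user@srx# run show security policies from-zone Inside to-zone Outside policy-name allow-https detail
user@srx# commit comment "CHG-1234 confirmed"

## Afterwards: who committed what, and what exactly changed against the previous active config
user@srx# run show system commit
user@srx# show | compare rollback 1

## If verification had failed instead: revert to the previous active configuration and commit
user@srx# rollback 1
user@srx# commit
user@srx# exit
```

If the session dies between `commit confirmed` and the confirming commit, the rollback happens automatically; that is the point of using it for any change that can cut off management access.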
System:
show version {detail}
request system reboot | power-off
file [copy | list | delete | show | rename ]
show system storage
show chassis hardware detail
show chassis alarms
show chassis environment
show chassis craft-interface – show router LED alarms
show configuration | display detail
show system users – who is logged in to the system
request system logout user <username> – forcefully log out a user
request message all message “log out now”
show system boot-messages – boot log
Interfaces/Hardware:
Display information about memory, CPU temperature, load and uptime:
show chassis routing engine
To view the hardware and SFPs installed in a slot:
General hardware overview
show chassis hardware
Which fpc are in use
show chassis fpc
To display the details of the PIC installed in a slot:
show chassis pic pic-slot 0 fpc-slot 0
To see light levels for fibre interface:
show interfaces diagnostics optics
Logging
#set system syslog file messages any info – save all log messages of severity info and above to the file "messages"
show log messages | match LOGIN | match "Mar 16"
file list detail /var/log – equivalent of ls -al (to see permissions, sizes, etc.)
clear log messages – clear the contents of the messages file
monitor start messages – live monitoring of the messages file (like tail -f)
monitor list – show which files are being monitored
monitor stop – stop all monitoring
For more detailed information about a process, enable traceoptions under that process's hierarchy (e.g. [edit protocols ospf] or [edit security flow]):
#set traceoptions file <filename> size <bytes> files <n> world-readable
#set traceoptions flag all – flag all is very verbose; on a busy box use a specific flag (and, for security flow, a packet-filter), and deactivate the traceoptions when you are done
help syslog <MESSAGE_TAG> – explain a syslog message tag, e.g. help syslog LOGIN_FAILED
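A concrete traceoptions session on an SRX, tracing one flow to find out which step (zone, policy, route, NAT) drops it. This is an added example, not from the original page; the file name, filter name, prefixes and port are assumptions, and the clean-up at the end is the part people forget.

```junos
## [edit security flow] traceoptions for ONE flow. Always pair basic-datapath with a
## packet-filter: an unfiltered datapath trace on a production SRX floods the Routing Engine.
user@srx# set security flow traceoptions file flow-debug size 1m files 3 world-readable
user@srx# set security flow traceoptions flag basic-datapath
user@srx# set security flow traceoptions packet-filter pf-ldap source-prefix 10.52.20.0/24 destination-prefix 10.75.0.1/32 destination-port 389 protocol tcp
user@srx# commit comment "temporary flow trace, remove after troubleshooting"

## Reproduce the connection from the client, then read the trace (run = operational command from config mode)
user@srx# run show log flow-debug | match "10.75.0.1" | last 60
user@srx# run show log flow-debug | match "deny|drop|no route|policy"

## Clean up: a forgotten traceoptions is a self-inflicted DoS on the Routing Engine
user@srx# deactivate security flow traceoptions
user@srx# commit
user@srx# run clear log flow-debug
```

`deactivate` keeps the traceoptions stanza in the configuration for next time while taking it out of the active config; delete it instead if the box is shared with people who might `activate` it without a packet-filter.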
Security Policies
View security policies between two zones:
show security policies from-zone Proxy-DMZ to-zone Inside detail
To check whether a given flow would be permitted or denied by the policies (useful when you cannot generate the traffic yourself):
show security match-policies from-zone Outside to-zone Inside protocol <proto> source-ip <ip> source-port <port> destination-ip <ip> destination-port <port>
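A policy built so that it can actually be troubleshot and monitored: session logging and a counter on the permit rule, an explicit logged deny at the end (the implicit default deny logs nothing), off-box security logging, and then the match-policies check and hit counters from above. Added example, not from the original page; zone names, addresses, the collector and the bastion host are assumptions.

```junos
## Zone address used by the policy below (assumed host)
user@srx# set security zones security-zone Inside address-book address bastion-host 10.10.10.5/32

## Permit policy with session logging and a counter
user@srx# edit security policies from-zone Outside to-zone Inside
user@srx# set policy inbound-ssh match source-address any destination-address bastion-host application junos-ssh
user@srx# set policy inbound-ssh then permit
user@srx# set policy inbound-ssh then log session-init
user@srx# set policy inbound-ssh then log session-close
user@srx# set policy inbound-ssh then count

## Explicit logged deny, ordered after the permit: the implicit default deny generates no log
user@srx# set policy deny-log match source-address any destination-address any application any
user@srx# set policy deny-log then deny
user@srx# set policy deny-log then log session-init
user@srx# top

## Ship RT_FLOW_SESSION_* events to the collector straight from the forwarding plane (stream mode).
## In event mode they go through the RE into the system syslog instead (show log messages | match RT_FLOW),
## which is rate-limited; stream mode does not write them to /var/log/messages.
user@srx# set security log mode stream
user@srx# set security log format syslog
user@srx# set security log source-address 10.10.10.1
user@srx# set security log stream siem host 10.10.10.50
user@srx# commit

## Would ssh from 203.0.113.9 be permitted? Evaluated against the committed policies, no traffic needed
user@srx# run show security match-policies from-zone Outside to-zone Inside source-ip 203.0.113.9 source-port 51515 destination-ip 10.10.10.5 destination-port 22 protocol tcp

## Which policies actually get hits; a rule that never increments is unused or shadowed by an earlier one
user@srx# run show security policies hit-count
user@srx# run show security policies from-zone Outside to-zone Inside policy-name inbound-ssh detail
```

Policies are evaluated top to bottom, so `insert ... before` / `insert ... after` in configuration mode is how you fix an ordering problem that `match-policies` reveals.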
General Monitoring and troubleshooting
monitor traffic interface ge-0/0/0
monitor interface ge-0/0/0
monitor traffic interface ge-0/2/3 matching "proto 89" write-file ospf.cap - matches proto 89 and writes it in ospf.cap
show security flow session ... options
show system statistics – all packet types statistics for a device
test policy <policy-name> <prefix> – run a prefix through a routing policy (see Tips)
Routing
show route
show route terse – concise output with: A (active), Destination, P (protocol), Prf (preference), Metric 1/2, Next hop, AS path
show route protocol [static|direct|ospf]
show route forwarding-table to see active routes in the forwarding table
Troubleshoot OSPF
show route protocol ospf
show ospf overview
show ospf interface
show ospf neighbor
show ospf database detail
show ospf neighbor [extensive]
clear ospf neighbor [192.168.254.225]
show ospf statistics
show ospf interface [extensive]
show ospf route [abr|asbr|extern]
show ospf database [summary|brief]
show ospf database [router|network|netsummary|asbrsummary|extern|nssa]
show ospf database router advertising-router 10.0.3.3 detail
show ospf database router area 0 extensive
show ospf database area 0 lsa-id <lsa-id> extensive
clear ospf database purge
show ospf log
show bgp summary
show bgp neighbor 1.1.1.1
show route advertising-protocol bgp <neighbor> – routes sent to a peer (after export policy)
show route receive-protocol bgp <neighbor> – routes received from a peer (add hidden to see those rejected by import policy)
To find a range of prefixes in the routing table:
show route 200.10/18
Troubleshoot NAT
Source
show security nat source summary
show security nat source rule
show security nat source pool
Static
show security nat static rule
Destination
show security nat destination summary
show security nat destination pool
show security nat destination rule
show security flow session
Set a firewall filter to count packets (see further down)
Firewall
show firewall
show firewall log
clear firewall [all|filter-name|counter-name]
show interfaces filters
show interfaces policers
show policer
Set a firewall filter to count packets through the SRX:
#show interfaces ge-0/0/0
ge-0/0/0 {
    unit 0 {
        family inet {
            filter {
                input icmp-filter;
            }
            address 1.1.1.1/30; ## This address was already set on the interface
        }
    }
}
#show firewall family inet filter icmp-filter
icmp-filter {
    term 1 { ## This is the main term which will count the packets.
        from {
            source-address 3.3.3.3;
            destination-address 1.1.1.1;
            protocol icmp;
        }
        then {
            count icmp-counter; ## The icmp-counter will show the bytes/packets incrementing
            accept; ## Accept the matching packets; "discard" or "reject" and/or "log"/"syslog" can be used here instead.
        }
    }
    term default { ## This term ensures that all other traffic is not affected: a filter ends with an implicit discard, so without it everything else arriving on the interface is dropped.
        then accept;
    }
}
Then the firewall filter stats can be checked with:
show firewall filter icmp-filter
Counter        Bytes    Packets
icmp-counter   84       1
Packet Flow
Monitor traffic to and from the Routing Engine on an interface (ping, ssh, routing protocols). monitor traffic does not see transit traffic forwarded by the PFE; for that use the packet capture or port mirroring below.
monitor traffic interface ge-0/0/0 [extensive]
Display live sessions:
show security flow session [destination-port|destination-prefix|source-port|source-prefix] [extensive|brief|summary]
Create a packet filter and capture packets (branch SRX; the high-end SRX do not support forwarding-options packet-capture and use security datapath-debug instead):
http://kb.juniper.net/InfoCenter/index?page=content&id=KB11709
forwarding-options {
    /* Filename and file properties */
    packet-capture {
        file filename test_capture;
        maximum-capture-size 1000;
    }
}
firewall {
    /* Capture filter with action sample */
    filter CAPTURE_PCAP {
        term 1 {
            from {
                source-address {
                    1.1.1.1/32;
                }
                destination-address {
                    2.2.2.2/32;
                }
                destination-port 22;
            }
            then {
                sample;
                accept;
            }
        }
        term Allow_All {
            then accept;
        }
    }
}
interfaces {
    /* Apply the firewall filter on the desired interface; apply it as both input and output if you want both directions (only output is shown here) */
    ge-0/0/0 {
        unit 0 {
            family inet {
                filter {
                    output CAPTURE_PCAP;
                }
                address 172.16.46.121/24;
            }
        }
    }
}
The capture is written to /var/tmp, one file per interface named <filename>.<interface>, and can be opened with Wireshark:
file list /var/tmp/ | match test_capture
On EX switches, mirror port traffic to a capture server (the analyzer lives under [edit ethernet-switching-options] on pre-ELS EX such as the EX4200, and under [edit forwarding-options] on ELS platforms):
set analyzer employee-monitor input ingress interface ge-0/0/0.0
/* optional sampling ratio – 1 of every 200 packets will be forwarded */
set analyzer employee-monitor ratio 200
set analyzer employee-monitor output interface ge-0/0/10.0
Alternatively the output can be a VLAN (remote mirroring); the VLAN needs to be defined under vlans:
set vlans remote-analyzer vlan-id 999
set analyzer employee-monitor output vlan remote-analyzer
Operational-mode flow session monitoring (requires Junos 12.1 or later); unlike traceoptions it needs no commit and nothing stays in the configuration when you stop it:
monitor security flow file tmp_test [files 2 size 100k match pattern]
monitor security flow filter temp_test_filter source-prefix 10.52.20.0/24 destination-prefix 10.75.0.1/32 destination-port 389 protocol tcp source-port 12354
show monitor security flow – show the configured filters and whether monitoring is running
monitor security flow start
monitor security flow stop
clear monitor security flow filter temp_test_filter
file delete /var/log/tmp_test
Tips
set cli timestamp
#set chassis alarm management-ethernet link-down ignore
show interfaces | match "(^Physical.* ge-)|(^Physical.*Up$)"
show version and haiku
Ctrl+R: search history of previous command
use # for the rest of the line in a script to be ignored
Use the save CLI pipe to save output to a local or remote file.
Type 'b' at the more prompt to go backwards one page.
Type '/' at the more prompt to search for a string in the rest of the output.
In configuration mode, type rollback ? to see when previous configurations were committed, and by whom.
In configuration mode, the status command displays who is editing the configuration and where in the hierarchy they are working.
In configuration mode, the delete command with no arguments will delete the entire configuration hierarchy under the current location.
show cli history
help tip cli
To move interface configuration: replace pattern ge-0/0/0 with ge-0/1/0
wildcard delete interfaces ge-0/0/[2-3]
Junos software contains default configurations in a hidden group named junos-defaults. To see them, use the show configuration groups junos-defaults command
test policy policy_name 1.1.1.1/12 – run a prefix through a routing policy to see whether it is accepted or rejected
To see the changes made by a particular commit in the past:
show system commit – identify the rollback number of the commit you want to see (e.g. 3), and then
show system rollback compare 4 3 – the diff between the configuration before that commit (rollback 4) and after it (rollback 3)
To see the default Junos preconfigure applications:
user@host> show configuration groups junos-defaults applications
How to capture packets for inspection.
The command is monitor traffic interface irb.1 write-file ICMP.pcap.
"write-file" is a hidden option, so it does not show up with ? or tab completion, but it works when typed directly.