System Management and Monitoring
Published
2021-04-18
User Guide
Juniper Networks, Inc.
1133 Innovaon Way
Sunnyvale, California 94089
USA
408-745-2000
www.juniper.net
Juniper Networks, the Juniper Networks logo, Juniper, and Junos are registered trademarks of Juniper Networks, Inc.
in the United States and other countries. All other trademarks, service marks, registered marks, or registered service
marks are the property of their respecve owners.
Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right
to change, modify, transfer, or otherwise revise this publicaon without noce.
System Management and Monitoring User Guide
Copyright © 2021 Juniper Networks, Inc. All rights reserved.
The informaon in this document is current as of the date on the tle page.
ii
YEAR 2000 NOTICE
Juniper Networks hardware and soware products are Year 2000 compliant. Junos OS has no known me-related
limitaons through the year 2038. However, the NTP applicaon is known to have some diculty in the year 2036.
END USER LICENSE AGREEMENT
The Juniper Networks product that is the subject of this technical documentaon consists of (or is intended for use
with) Juniper Networks soware. Use of such soware is subject to the terms and condions of the End User License
Agreement ("EULA") posted at hps://support.juniper.net/support/eula/. By downloading, installing or using such
soware, you agree to the terms and condions of that EULA.
Table of Contents
1
About This Guide | ix
Manage and Monitor
System Sengs | 2
Specifying the Physical Locaon of the Switch | 2
Modifying the Default Time Zone for a Router or Switch Running Junos OS | 3
Conguring Junos OS to Extend the Default Port Address Range | 4
Conguring Junos OS to Select a Fixed Source Address for Locally Generated TCP/IP Packets | 5
Reboong and Halng a Device | 6
iii
Hostnames | 8
Conguring the Hostname of a Device by Using a Conguraon Group | 8
Mapping the Hostname of the Switch to IP Addresses | 10
Example: Conguring the Name of the Switch, IP Address, and System ID | 10
Understanding and Conguring DNS | 11
DNS Overview | 11
Conguring a DNS Name Server for Resolving Hostnames into Addresses | 12
Congure ICMP Features | 16
Protocol Redirect Messages | 16
Disable the Roung Engine Response to Mulcast Ping Packets | 18
Disable Reporng IP Address and Timestamps in Ping Responses | 18
Congure Junos OS to Ignore ICMP Source Quench Messages | 19
Rate Limit ICMPv4 and ICMPv6 Trac | 20
Rate Limit ICMPv4 and ICMPv6 Error Messages | 20
Alarms | 22
System Alarms | 23
Conguring Junos OS to Determine Condions That Trigger Alarms on Dierent Interface
2
Types | 23
System-Wide Alarms and Alarms for Each Interface Type | 24
System Troubleshoong | 27
Saving Core Files Generated by Junos OS Processes | 27
Viewing Core Files from Junos OS Processes | 28
Device Monitoring | 28
Monitoring System Properes | 29
Monitoring System Process Informaon | 32
Monitoring Interfaces | 33
Other Tools to Congure and Monitor Devices Running Junos OS | 35
iv
Passive Monitoring | 36
Understanding Passive Monitoring | 37
Example: Conguring Passive Monitoring on QFX10000 Switches | 38
Requirements | 38
Overview | 38
Conguraon | 39
Vericaon | 42
How to Locate a Device or Port Using the Chassis Beacon | 45
Turning On the Chassis Beacon For the Default Interval | 46
Turning On the Chassis Beacon For a Specied Interval | 47
Conguraon Statements
checksum | 51
compress-conguraon-les (System) | 53
domain-name | 54
domain-search | 56
enhanced-hash-key | 57
ethernet (Alarm) | 66
hardware-mestamp | 67
host-name | 68
inet (enhanced-hash-key) | 70
inet6-backup-router | 73
inet6 (enhanced-hash-key) | 75
internet-opons | 78
lcd-menu | 83
locaon | 85
locaon (System) | 87
max-conguraons-on-ash | 90
v
menu-item | 91
no-mulcast-echo | 97
no-ping-record-route | 98
no-ping-me-stamp | 99
no-redirects (IPv4 Trac) | 101
oponal | 103
passive-monitor-mode | 104
ports | 106
ports | 108
power | 109
processes | 112
saved-core-context | 115
saved-core-les | 116
stac-host-mapping | 118
me-format | 120
me-zone | 122
3
traceopons (Layer 2 Learning) | 125
traceopons (SBC Conguraon Process) | 129
use-imported-me-zones | 131
Operaonal Commands
clear log | 137
clear chassis display message | 139
clear system commit | 143
clear system reboot | 146
request chassis beacon | 151
vi
request chassis cb | 155
request chassis fabric plane | 160
request chassis fpc | 164
request chassis pic | 172
request chassis roung-engine master | 179
request system halt | 187
request system logout | 196
request system power-o | 198
request system reboot | 205
set chassis display message | 216
set date | 221
show chassis alarms | 223
show chassis beacon | 251
show chassis environment | 254
show chassis environment fpc | 373
show chassis environment pem | 456
show chassis environment power-supply-unit | 478
show chassis environment psu | 480
show chassis environment roung-engine | 482
show chassis ethernet-switch | 494
show chassis fan | 547
show chassis rmware | 566
show chassis fpc | 587
show chassis fabric fpcs | 647
show chassis fabric map | 688
vii
show chassis fabric plane | 699
show chassis fabric plane-locaon | 741
show chassis fabric sibs | 753
show chassis fabric summary | 773
show chassis hardware | 785
show chassis lcd | 807
show chassis led | 828
show chassis locaon | 844
show chassis mac-addresses | 850
show chassis pic | 859
show chassis roung-engine | 897
show chassis temperature-thresholds | 928
show chassis zones | 968
show forwarding-opons enhanced-hash-key | 980
show host | 988
show interfaces diagnoscs opcs | 991
show subscribers | 1001
show system alarms | 1053
show system audit | 1058
show system buers | 1070
show system cercate | 1080
show system commit | 1084
show system connecons | 1089
show system core-dumps | 1099
show system directory-usage | 1119
viii
show system rmware | 1126
show system reboot | 1130
show system soware | 1136
show system stascs | 1141
show system storage | 1159
show system upme | 1169
show system virtual-memory | 1177
show version | 1190
start shell | 1198
test conguraon | 1200
About This Guide
Use this guide to manage and monitor Juniper switches with the Junos OS command line-interface.
ix
1
CHAPTER
Manage and Monitor
System Sengs | 2
Hostnames | 8
Understanding and Conguring DNS | 11
Congure ICMP Features | 16
Alarms | 22
System Troubleshoong | 27
Device Monitoring | 28
Passive Monitoring | 36
How to Locate a Device or Port Using the Chassis Beacon | 45
System Sengs
IN THIS SECTION
Specifying the Physical Locaon of the Switch | 2
Modifying the Default Time Zone for a Router or Switch Running Junos OS | 3
Conguring Junos OS to Extend the Default Port Address Range | 4
Conguring Junos OS to Select a Fixed Source Address for Locally Generated TCP/IP Packets | 5
Reboong and Halng a Device | 6
2
Specifying the Physical Locaon of the Switch
To specify the physical locaon of the switch, specify the following opons for the locaon statement at
the [edit system] hierarchy level:
• altude
• building
enclose it in quotaon marks (" ").
• country-code
• oor
• hcoord
• lata
• latude
• longitude
• npa-nxx
feet
—Number of feet above sea level.
name
—Name of the building, 1 to 28 characters in length. If the string contains spaces,
code
—Two-leer country code.
number
—Floor in the building.
horizontal-coordinate
service-area
degrees
number
—Long-distance service area.
—Latude in degree format.
degrees
—Longitude in degree format.
—First six digits of the phone number (area code and exchange).
—Bellcore Horizontal Coordinate.
• postal-code
• rack
• vcoord
number
vercal-coordinate
postal-code
—Rack number.
—Postal code.
—Bellcore Vercal Coordinate.
The following example shows how to specify the physical locaon of the switch:
[edit system]
location {
altitude feet;
building name;
country-code code;
floor number;
hcoord horizontal-coordinate;
lata service-area;
latitude degrees;
longitude degrees;
npa-nxx number;
postal-code postal-code;
rack number;
vcoord vertical-coordinate;
}
3
SEE ALSO
Example: Conguring the Name of the Switch, IP Address, and System ID
Modifying the Default Time Zone for a Router or Switch Running Junos OS
The default local me zone on the router or switch is UTC (Coordinated Universal Time, formerly known
as Greenwich Mean Time, or GMT).
• To modify the local me zone, include the me-zone statement at the [edit system] hierarchy level:
[edit system]
time-zone (GMT hour-offset | time-zone);
You can use the GMT
hour-oset
is 0. You can congure this to be a value from –14 to +12.
hour-oset
opon to set the me zone relave to UTC (GMT) me. By default,
You can also specify the
me-zone
value as a string such as PDT (Pacic Daylight Time) or WET
(Western European Time), or specify the connent and major city.
NOTE: Junos OS complies with the POSIX me-zone standard, which is counter-intuive to the
way me zones are generally indicated relave to UTC. A me zone ahead of UTC (east of the
Greenwich meridian) is commonly indicated as GMT +n; for example, the Central European Time
(CET) zone is indicated as GMT +1. However, this is not true for POSIX me zone designaons.
POSIX indicates CET as GMT-1. If you include the set system me-zone GMT+1 statement for a
router in the CET zone, your router me will be set to one hour behind GMT, or two hours
behind the actual CET me. For this reason, you might nd it easier to use the POSIX me-zone
strings, which you can list by entering set system me-zone ?.
For the me zone change to take eect for all processes running on the router or switch, you must
reboot the router or switch.
The following example shows how to change the current me zone to America/New_York:
4
[edit]
user@host# set system me-zone America/New_York
[edit]
user@host# show
system {
time-zone America/New_York;
}
SEE ALSO
Understanding NTP Time Servers
Updang the IANA Time Zone Database on Junos OS Devices
Conguring Junos OS to Extend the Default Port Address Range
By default, the upper range of a port address is 5000. You can increase the range from which the port
number can be selected to decrease the probability that someone can determine your port number.
• To congure Junos OS to extend the default port address range, include the source-port statement
at the [edit system internet-opons] hierarchy level:
[edit system internet-options]
source-port upper-limit upper-limit;
5
upper-limit
65,355.
SEE ALSO
upper-limit
is the upper limit of a source port address and can be a value from 5000 through
Congure TCP Opons
Congure ARP Learning and Aging Opons
Conguring Junos OS to Select a Fixed Source Address for Locally
Generated TCP/IP Packets
By default, the source address included in locally generated Transmission Control Protocol/IP (TCP/IP)
packets, such as FTP trac, and in User Datagram Protocol (UDP) and IP packets, such as Network Time
Protocol (NTP) requests, is chosen as the local address for the interface on which the trac is
transmied. This means that the local address chosen for packets to a parcular desnaon might
change from connecon to connecon based on the interface that the roung protocol has chosen to
reach the desnaon when the connecon is established. If mulple equal-cost next hops are present
for a desnaon, locally generated packets use the lo0 address as a source.
• To congure the soware to select a xed address to use as the source for locally generated IP
packets, include the default-address-selecon statement at the [edit system] hierarchy level:
[edit system]
default-address-selection;
If you include the default-address-selecon statement in the conguraon, the Junos OS chooses the
system default address as the source for most locally generated IP packets. The default address is
usually an address congured on the lo0 loopback interface. For example, if you specied that SSH and
telnet use a parcular address, but you also have default-address selecon congured, the system
default address is used.
Reboong and Halng a Device
To reboot the switch, issue the request system reboot command.
user@switch> request system reboot ?
Possible completions:
<[Enter]> Execute this command
all-members Reboot all virtual chassis members
at Time at which to perform the operation
both-routing-engines Reboot both the Routing Engines
fast-boot Enable fast reboot
hypervisor Reboot Junos OS, host OS, and Hypervisor
in Number of minutes to delay before operation
local Reboot local virtual chassis member
member Reboot specific virtual chassis member (0..9)
message Message to display to all users
other-routing-engine Reboot the other Routing Engine
| Pipe through a command
{master:0}
user@switch> request system reboot
Reboot the system ? [yes,no] (no) yes
Rebooting switch
6
NOTE: Not all opons shown in the preceding command output are available on all QFX Series,
OCX Series, and EX4600 switches. See the documentaon for the request system reboot
command for details about opons.
NOTE: When you issue the request system reboot hypervisor command on QFX10000
switches, the reboot takes longer than a standard Junos OS reboot.
Similarly, to halt the switch, issue the request system halt command.
CAUTION: Before entering this command, you must have access to the switch’s console
port in order to bring up the Roung Engine.
user@switch> request system halt ?
Possible completions:
<[Enter]> Execute this command
all-members Halt all virtual chassis members
at Time at which to perform the operation
backup-routing-engine Halt backup Routing Engine
both-routing-engines Halt both Routing Engines
in Number of minutes to delay before operation
local Halt local virtual chassis member
member Halt specific virtual chassis member (0..9)
message Message to display to all users
other-routing-engine Halt other Routing Engine
| Pipe through a command
7
NOTE: When you issue this command on an individual component in a QFabric system, you will
receive a warning that says “Hardware-based members will halt, Virtual Junos Roung Engines
will reboot.” If you want to halt only one member, use the member opon. You cannot issue this
command from the QFabric CLI.
Issuing the request system halt command on the switch halts the Roung Engine. To reboot a Roung
Engine that has been halted, you must connect through the console.
SEE ALSO
clear system reboot
request system halt
request system power-o
Connecng a QFX Series Device to a Management Console
RELATED DOCUMENTATION
Disable Reporng IP Address and Timestamps in Ping Responses
Hostnames
IN THIS SECTION
Conguring the Hostname of a Device by Using a Conguraon Group | 8
Mapping the Hostname of the Switch to IP Addresses | 10
Example: Conguring the Name of the Switch, IP Address, and System ID | 10
8
Conguring
The hostname of a Junos OS or Junos OS Evolved device is its idencaon. A network device must
have its identy established to be accessible on the network. That is perhaps the most important reason
to have a hostname, but a hostname has other purposes.
The soware uses the congured hostname as part of the command prompt and to prepend log les and
other accounng informaon. The hostname is also used anywhere else when knowing the device
identy is important. For these reasons, we recommend hostnames be descripve and memorable.
You can congure the hostname at the [edit system] hierarchy level, a procedure shown in
Device’s Unique Identy for the Network
system] hierarchy level, you can use a conguraon group, as shown in this procedure. This is a
recommended best pracce for conguring the hostname, especially if the device has dual Roung
Engines. This procedure uses groups called re0 and re1 as an example.
NOTE: Starng with Junos OS Release 13.2R3, if you congure hostnames that are longer than
the CLI screen width, regardless of the terminal screen width seng, the commit operaon
occurs successfully. Even if the terminal screen width is less than the hostname length, commit is
successful.
In Junos OS releases earlier than Release 13.2R3, if you congured such hostnames by using the
host-name
width was less than the length of the hostname by using the set cli screen-width statement, a
foreign le propagaon (p) failure error message is displayed when you aempt to commit the
conguraon. In such a case, because of the p failure, the commit operaon does not complete
the Hostname of a Device by Using a Conguraon Group
Conguring a
. Oponally, instead of conguring the hostname at the [edit
hostname
statement at the [edit system] hierarchy level and the the terminal screen
and you cannot recover the router unless you make the modicaon in the backend in the
juniper.conf.gz le and commit the change from the shell prompt.
To set the hostname using a conguraon group:
9
1. Include the host-name statement in the conguraon at the [edit groups
group-name
system
hierarchy level.
The name value must be less than 256 characters.
[edit groups group-name system]
host-name hostname;
For example:
[edit groups re0 system]
root@# set host-name san-jose-router0
[edit groups re1 system]
root@# set host-name san-jose-router1
2. If you used one or more conguraon groups, apply the conguraon groups, substung the
appropriate group names.
For example:
[edit]
user@host# set apply-groups [re0 re1]
3. Commit the changes.
[edit]
root@# commit
The hostname subsequently appears in the device CLI prompt.
san-jose-router0#
Mapping the Hostname of the Switch to IP Addresses
To map a hostname of a switch to one or more IP addresses, include the inet statement at the [edit
system stac-host-mapping
[edit system]
static-host-mapping {
hostname {
inet [ addresses ];
alias [ aliases ];
}
}
hostname
] hierarchy level:
10
hostname
is the name specied by the host-name statement at the [edit system] hierarchy level.
For each host, you can specify one or more aliases.
SEE ALSO
Conguring a DNS Name Server for Resolving Hostnames into Addresses
Conguring a Device’s Unique Identy for the Network
stac-host-mapping
Example: Conguring the Name of the Switch, IP Address, and System ID
The following example shows how to congure the switch name, map the name to an IP address and
alias, and congure a system idener:
[edit]
user@switch# set system host-name switch1
[edit]
user@switch# set system stac-host-mapping switch1 inet 192.168.1.77
[edit]
user@switch# set system stac-host-mapping switch1 alias sj1
[edit]
user@switch# set system stac-host-mapping switch1 sysid 1921.6800.1077
[edit]
user@switch# show
system {
host-name switch-sj1;
static-host-mapping {
switch-sj1 {
inet 192.168.1.77;
alias sj1;
sysid 1921.6800.1077;
}
}
}
Understanding and Conguring DNS
11
IN THIS SECTION
DNS Overview | 11
Conguring a DNS Name Server for Resolving Hostnames into Addresses | 12
DNS Overview
IN THIS SECTION
DNS Components | 12
DNS Server Caching | 12
A Domain Name System (DNS) is a distributed hierarchical system that converts hostnames to IP
addresses. The DNS is divided into secons called zones. Each zone has name servers that respond to
the queries belonging to their zones.
This topic includes the following secons:
DNS Components
DNS includes three main components:
• DNS resolver: Resides on the client side of the DNS. When a user sends a hostname request, the
resolver sends a DNS query request to the name servers to request the hostname's IP address.
• Name servers: Processes the DNS query requests received from the DNS resolver and returns the IP
address to the resolver.
• Resource records: Data elements that dene the basic structure and content of the DNS.
DNS Server Caching
DNS name servers are responsible for providing the hostname IP address to users. The TTL eld in the
resource record denes the period for which DNS query results are cached. When the TTL value expires,
the name server sends a fresh DNS query and updates the cache.
12
SEE ALSO
Conguring the TTL Value for DNS Server Caching
Conguring a DNS Name Server for Resolving Hostnames into Addresses
Domain Name System (DNS) name servers are used for resolving hostnames to IP addresses.
Before you begin, congure your name servers with the hostname and an IP address for your Juniper
Networks device. It does not maer which IP address you assign as the address of your device in the
name server, as long it is an address that reaches your device. Normally, you would use the management
interface IP address, but you can choose the loopback interface IP address, or a network interface IP
address, or even congure mulple addresses on the name server.
For redundancy, it is a best pracce to congure access to mulple name servers. You can congure a
maximum of three name servers. The approach is similar to the way Web browsers resolve the names of
a Web site to its network address. Addionally, the soware enables you to congure one or more
domain names, which it uses to resolve hostnames that are not fully qualied (in other words, the
domain name is missing). This is convenient because you can use a hostname in conguring and
operang the soware without the need to reference the full domain name. Aer adding name server
addresses and domain names to your conguraon, you can use DNS resolvable hostnames in your
conguraons and commands instead of IP addresses.
Oponally, instead of conguring the name server at the [edit system] hierarchy level, you can use a
conguraon group, as shown in this procedure. This is a recommended best pracce for conguring the
name server.
Starng in Junos OS Release 19.2R1, you can route trac between a management roung instance and
DNS name server. Congure a roung instance at the [edit system name-server
server-ip-address
]
hierarchy level and the name server becomes reachable through this roung instance.
NOTE: This management roung instance opon is not supported for SRX Series devices.
To enable a management roung instance for DNS, congure the following:
user@host# set system management-instance
user@host# set routing-instances mgmt_junos description description
user@host# set system name-server server-ip-address routing-instance mgmt_junos
13
If you have congured the name server using a conguraon group, use the [edit groups
group-name
system name-server] hierarchy level, which is a recommended best pracce for conguring the name
server.
To congure the device to resolve hostnames into addresses:
1. Reference the IP addresses of your name servers.
[edit groups group-name system]
name-server {
address;
}
The following example shows how to reference two name servers:
[edit groups global system]
user@host# set name-server 192.168.1.253
user@host# set name-server 192.168.1.254
user@host# show
name server {
192.168.1.253/32;
192.168.1.254/32;
}
2. (Oponal) Congure the roung instance for DNS.
The following example shows how to congure the roung-instance for one of the name servers:
[edit groups global system]
user@host# set name-server 192.168.1.253 roung-instance mgmt_junos
Remember to also congure the following:
• management-instance statement at the [edit system] hierarchy level
• roung-instance statement at the [edit roung-instances] hierarchy level.
3. (Oponal) Congure the name of the domain in which the device itself is located.
This is a good pracce. The soware then uses this congured domain name as the default domain
name to append to hostnames that are not fully qualied.
14
[edit system]
domain-name domain-name;
The following example shows how to congure the domain name:
[edit groups global system]
user@host# set domain-name company.net
user@host# show
domain-name company.net;
4. (Oponal) Congure a list of domains to be searched.
If your device can reach several dierent domains, you can congure these as a list of domains to be
searched. The soware then uses this list to set an order in which it appends domain names when
searching for the IP address of a host.
[edit groups global system]
domain-search [ domain-list ];
The domain list can contain up to six domain names, with a total of up to 256 characters.
The following example shows how to congure two domains to be searched. This example congures
the soware to search the company.net domain and then the domainone.net domain and then the
domainonealternate.com domain when aempng to resolve unqualied hosts.
[edit groups global system]
domain-search [ company.net domainone.net domainonealternate.com ]
5. If you used a conguraon group, apply the conguraon group, substung global with the
appropriate group name.
[edit]
user@host# set apply-groups global
6. Commit the conguraon.
15
user@host# commit
7. Verify the conguraon.
If you have congured your name server with the hostname and an IP address for your device, you
can issue the following commands to conrm that DNS is working and reachable. You can either use
the congured hostname to conrm resoluon to the IP address or use the IP address of your device
to conrm resoluon to the congured hostname.
user@host> show host
user@host> show host
host-name
host-ip-address
For example:
user@host> show host device.example.net
device.example.net
device.example.net has address 192.168.187.1
user@host> show host 192.168.187.1
10.187.168.192.in-addr.arpa domain name pointer device.example.net.
SEE ALSO
name-server (System Services)
domain-search
RELATED DOCUMENTATION
Understanding Hostnames
DNSSEC Overview
Congure ICMP Features
16
IN THIS SECTION
Protocol Redirect Messages | 16
Disable the Roung Engine Response to Mulcast Ping Packets | 18
Disable Reporng IP Address and Timestamps in Ping Responses | 18
Congure Junos OS to Ignore ICMP Source Quench Messages | 19
Rate Limit ICMPv4 and ICMPv6 Trac | 20
Rate Limit ICMPv4 and ICMPv6 Error Messages | 20
Learn more about how to congure Internet Control Message Protocol (ICMP) features.
Protocol Redirect Messages
IN THIS SECTION
Understanding Protocol Redirect Messages | 17
Disable Protocol Redirect Messages | 17
ICMP redirect, also known as protocol redirect, is a mechanism used by switches and routers to convey
roung informaon to hosts. Devices use protocol redirect messages to nofy the hosts on the same
data link of the best route available for a given desnaon. All EX series switches support sending
protocol redirect messages for both IPv4 and IPv6 trac.
NOTE: Switches do not send protocol redirect messages if the data packet contains roung
informaon.
Understanding Protocol Redirect Messages
Protocol redirect messages inform a host to update its roung informaon and to send packets on an
alternate route. Suppose a host tries to send a data packet through a switch S1 and S1 sends the data
packet to another switch, S2. Also, suppose that a direct path from the host to S2 is available (that is, the
host and S2 are on the same Ethernet segment). S1 then sends a protocol redirect message to inform the
host that the best route for the desnaon is the direct route to S2. The host should then send packets
directly to S2 instead of sending them through S1. S2 sll sends the original packet that it received from
S1 to the intended desnaon.
17
Refer to RFC-1122 and RFC-4861 for more details on protocol redirecng.
Disable Protocol Redirect Messages
By default, devices send protocol redirect messages for both IPv4 and IPv6 trac. For security reasons,
you may want to disable the device from sending protocol redirect messages.
To disable protocol redirect messages for the enre device, include the no-redirects or no-redirects-
ipv6 statement at the [edit system] hierarchy level.
• For IPv4 trac:
[edit system]
user@host# set no-redirects
• For IPv6 trac:
[edit system]
user@host# set no-redirects-ipv6
To re-enable the sending of redirect messages on the device, delete the no-redirects statement (for IPv4
trac) or the no-redirects-ipv6 statement (for IPv6 trac) from the conguraon.
To disable protocol redirect messages on a per-interface basis, include the no-redirects statement at
the [edit interfaces
• For IPv4 trac:
[edit interfaces interface-name unit logical-unit-number]
user@host# set family inet no-redirects
• For IPv6 trac:
[edit interfaces interface-name unit logical-unit-number]
user@host# set family inet6 no-redirects
interface-name
unit
logical-unit-number
family
family
] hierarchy level.
18
Disable the Roung Engine Response to Mulcast Ping Packets
By default, the Roung Engine responds to ICMP echo requests sent to mulcast group addresses. By
conguring the Roung Engine to ignore mulcast ping packets, you can prevent unauthorized persons
from discovering the list of provider edge (PE) devices in the network.
To disable the Roung Engine from responding to these ICMP echo requests, include the no-
multicast-echo statement at the [edit system] hierarchy level:
[edit system]
no-multicast-echo;
Disable Reporng IP Address and Timestamps in Ping Responses
When you issue the ping command with the record-route opon, the Roung Engine displays the path
of the ICMP echo request packets and the mestamps in the ICMP echo responses by default. By
conguring the no-ping-record-route and no-ping-mestamp opons, you can prevent unauthorized
persons from discovering informaon about the provider edge (PE) device and its loopback address.
You can congure the Roung Engine to disable the seng of the record-route opon in the IP header
of the ping request packets. Disabling the record-route opon prevents the Roung Engine from
recording and displaying the path of the ICMP echo request packets in the response.
To congure the Roung Engine to disable the seng of the record route opon, include the no-ping-
record-route statement at the [edit system] hierarchy level:
[edit system]
no-ping-record-route;
To disable the reporng of mestamps in the ICMP echo responses, include the no-ping-time-stamp
opon at the [edit system] hierarchy level:
[edit system]
no-ping-time-stamp;
19
Congure Junos OS to Ignore ICMP Source Quench Messages
By default, the device reacts to Internet Control Message Protocol (ICMP) source quench messages. To
ignore ICMP source quench messages, include the no-source-quench statement at the [edit system
internet-options] hierarchy level:
[edit system internet-options]
no-source-quench;
To stop ignoring ICMP source quench messages, use the source-quench statement:
[edit system internet-options]
source-quench;
Rate Limit ICMPv4 and ICMPv6 Trac
To limit the rate at which ICMPv4 or ICMPv6 messages can be generated by the Roung Engine and
sent to the Roung Engine, include the appropriate rate liming statement at the [edit system
internet-options] hierarchy level.
• For IPv4:
[edit system internet-options]
icmpv4-rate-limit bucket-size bucket-size packet-rate packet-rate
• For IPv6:
[edit system internet-options]
icmpv6-rate-limit bucket-size bucket-size packet-rate packet-rate
20
Rate Limit ICMPv4 and ICMPv6 Error Messages
IN THIS SECTION
Why to Rate Limit ICMPv4 and ICMPv6 Error Messages | 21
How to Rate Limit ICMPv4 and ICMPv6 Error Messages | 21
By default, ICMP error messages for non-l-expired IPv4 and IPv6 packets are generated at the rate of
1 packet per second (pps). You can adjust this rate to a value that you decide provides sucient
informaon for your network without causing network congeson.
NOTE: For l-expired IPv4 or IPv6 packets, the rate for ICMP error messages is not congurable.
It is xed at 500 pps.
Why to Rate Limit ICMPv4 and ICMPv6 Error Messages
An example use case for adjusng the rate limit is a data center providing web services. Suppose this
data center has many servers on the network that use jumbo frames with an MTU of 9100 bytes when
they communicate to hosts over the Internet. These other hosts require an MTU of 1500 bytes. Unless
maximum segment size (MSS) is enforced on both sides of the connecon, a server might reply with a
packet that is too large to be transmied across the Internet without being fragmented when it reaches
the edge router in the data center.
Because TCP/IP implementaons oen have Path MTU Discovery enabled by default with the dontfragment bit set to 1, a transit device will drop a packet that is too big rather than fragmenng it. The
device will return an ICMP error message indicang the desnaon was unreachable because the packet
was too big. The message will also provide the MTU that is required where the error occurred. The
sending host should adjust the sending MSS for that connecon and resend the data in smaller packet
sizes to avoid the fragmentaon issue.
At high core interface speeds, the default rate limit of 1 pps for the error messages may not be enough
to nofy all the hosts when there are many hosts in the network that require this service. The
consequence is that outbound packets are silently dropped. This acon can trigger addional
retransmissions or back-o behaviors, depending on the volume of requests that the data center edge
router is handling on each core-facing interface.
21
In this situaon, you can increase the rate limit to enable a higher volume of oversized packets to reach
the sending hosts. (Adding more core-facing interfaces can also help resolve the problem.)
How to Rate Limit ICMPv4 and ICMPv6 Error Messages
Although you congure the rate limit at the [edit chassis] hierarchy level, it is not a chassis-wide limit.
Instead, the rate limit applies per interface family. This means, for example, that mulple physical
interfaces congured with family inet can simultaneously generate the ICMP error messages at the
congured rate.
NOTE: This rate limit takes eect only for trac that lasts 10 seconds or longer. The rate limit is
not applied to trac with a shorter duraon, such as 5 seconds or 9 seconds.
• To congure the rate limit for ICMPv4, use the icmp statement:
[edit chassis]
user@host# set icmp rate-limit
rate-limit
Starng in Junos OS Release 19.1R1, the maximum rate increased from 50 pps to 1000 pps.
• To congure the rate limit for ICMPv6, use the icmp6 statement:
[edit chassis]
user@host# set icmp6 rate-limit
You must also consider that the rate limit value can interact with your DDoS protecon conguraon.
The default bandwidth value for exceponed packets that exceed the MTU is 250 pps. DDoS protecon
ags a violaon when the number of packets exceeds that value. If you set the rate limit higher than the
current mtu-exceeded bandwidth value, then you must congure the bandwidth value to match the rate
limit.
For example, suppose you set the ICMP rate limit to 300 pps:
user@host# set chassis icmp rate-limit 300
You must congure the DDoS protecon mtu-exceeded bandwidth to match that value.
rate-limit
22
user@host# set system ddos-protecon protocols excepons mtu-exceeded bandwidth 300
RELATED DOCUMENTATION
Congure TCP Opons
Junos OS Network Interfaces Library for Roung Devices
Alarms
IN THIS SECTION
System Alarms | 23
Conguring Junos OS to Determine Condions That Trigger Alarms on Dierent Interface Types | 23
System-Wide Alarms and Alarms for Each Interface Type | 24
System Alarms
Switches provide predened system alarms that can be triggered by a missing rescue conguraon,
failure to install a license for a licensed soware feature, or high disk usage. You can display alarm
messages by issuing the show system alarms operaonal mode command.
For example: The switch might trigger an alarm when disk usage in the /var paron exceeds 75
percent. A usage level between 76 and 90 percent indicates high usage and raises a minor alarm
condion, whereas a usage level above 90 percent indicates that the paron is full and raises a major
alarm condion.
The following sample output shows the system alarm messages that are displayed when disk usage is
exceeded on the switch.
user@host> show system alarms
4 alarms currently active
Alarm time Class Description
2013-10-08 20:08:20 UTC Minor RE 0 /var partition usage is high
2013-10-08 20:08:20 UTC Major RE 0 /var partition is full
2013-10-08 20:08:08 UTC Minor FPC 1 /var partition usage is high
2013-10-08 20:08:08 UTC Major FPC 1 /var partition is full
23
BEST PRACTICE: We recommend that you regularly request a system le storage cleanup to
opmize the performance of the switch and prevent generang system alarms.
Conguring Junos OS to Determine Condions That Trigger Alarms on
Dierent Interface Types
For the dierent types of PICs, you can congure which condions trigger alarms and whether they
trigger a red or yellow alarm. Red alarm condions light the RED ALARM LED and trigger an audible
alarm if one is connected. Yellow alarm condions light the YELLOW ALARM LED and trigger an audible
alarm if one is connected.
NOTE: By default, any failure condion on the integrated-services interface (Adapve Services
PIC) triggers a red alarm.
To congure condions that trigger alarms and that can occur on any interface of the specied type,
include the alarm statement at the [edit chassis] hierarchy level.
[edit chassis]
alarm {
interface-type {
alarm-name (red | yellow | ignore);
}
}
24
alarm-name
is the name of an alarm.
System-Wide Alarms and Alarms for Each Interface Type
Table 1 on page 24 lists the system-wide alarms and the alarms for each interface type.
Table 1:
Interface/System Alarm Condion Conguraon Opon
SONET/SDH and ATM Link alarm indicaon signal ais-l
Congurable PIC Alarm Condions
Path alarm indicaon signal ais-p
Signal degrade (SD) ber-sd
Signal fail (SF) ber-sf
Loss of cell delineaon (ATM only) locd
25
Table 1: Congurable PIC Alarm Condions
Interface/System Alarm Condion Conguraon Opon
Loss of framing lof
Loss of light lol
Loss of pointer lop-p
Loss of signal los
Phase-locked loop out of lock pll
Synchronous transport signal (STS) payload label
(C2) mismatch
(Connued)
plm-p
Line remote failure indicaon r-l
Path remote failure indicaon r-p
STS path (C2) unequipped uneq-p
E3/T3 Alarm indicator signal ais
Excessive numbers of zeros exz
Failure of the far end ferf
Idle alarm idle
Line code violaon lcv
26
Table 1: Congurable PIC Alarm Condions
Interface/System Alarm Condion Conguraon Opon
Loss of frame lof
Loss of signal los
Phase-locked loop out of lock pll
Yellow alarm ylw
Ethernet Link has gone down link-down
DS1 Alarm indicator signal ais
(Connued)
Yellow alarm ylw
Integrated services Hardware or soware failure failure
Management Ethernet Link has gone down link-down
RELATED DOCUMENTATION
Chassis Condions That Trigger Alarms
Alarm Types and Severity Levels
Network Management and Monitoring Guide
Freeing Up System Storage Space
show system alarms
System Troubleshoong
IN THIS SECTION
Saving Core Files Generated by Junos OS Processes | 27
Viewing Core Files from Junos OS Processes | 28
Saving Core Files Generated by Junos OS Processes
By default, when an internal Junos OS process generates a core le, the le and associated context
informaon are saved for debugging purposes in a compressed tar le named /var/tmp/
name
.core.
core-number
message les.
.tgz. The contextual informaon includes the conguraon and system log
process-
27
• To disable the saving of core les and associated context informaon:
[edit system]
no-saved-core-context;
• To save the core les only:
[edit system]
saved-core-files number;
Where
• To save the core les along with the contextual informaon:
number
[edit system]
saved-core-context;
is the number of core les to save and can be a value from 1 through 10.
Viewing Core Files from Junos OS Processes
When an internal Junos OS process generates a core le, you can nd the output at /var/crash/
and /var/tmp/. For Junos OS Evolved, you can nd the output core les at /var/core/ for Roung
Engine core les and /var/lib/p/in/ for FPC core les. Using these directories provides a quick method
of nding core issues across large networks.
Use the CLI command show system core-dumps to view core les.
root@host> show system core-dumps
-rw------- 1 root wheel 268369920 Jun 18 17:59 /var/crash/vmcore.0
-rw-rw---- 1 root field 3371008 Jun 18 17:53 /var/tmp/rpd.core.0
-rw-r--r-- 1 root wheel 27775914 Jun 18 17:59 /var/crash/kernel.0
28
SEE ALSO
Saving Core Files from Junos OS Processes
RELATED DOCUMENTATION
Day One: Monitoring and Troubleshoong
hps://www.juniper.net/documentaon/en_US/junos/informaon-products/pathway-pages/qfxseries/troubleshoong-qf.html
Device Monitoring
IN THIS SECTION
Monitoring System Properes | 29
Monitoring System Process Informaon | 32
Monitoring Interfaces | 33
Other Tools to Congure and Monitor Devices Running Junos OS | 35
Monitoring System Properes
IN THIS SECTION
Purpose | 29
Acon | 29
Meaning | 29
Purpose
View system properes such as the name, IP address, and resource usage.
29
Acon
To monitor system properes in the CLI, enter the following commands:
• show system upme
• show system users
• show system storage
Meaning
Table 2 on page 29 summarizes key output elds in the system properes display.
Table 2: Summary of Key System
Field Values Addional Informaon
General Informaon
Properes Output Fields
Serial Number Serial number of device.
30
Table 2: Summary of Key System Properes Output Fields
Field Values Addional Informaon
Junos OS
Version
Hostname Name of the device.
IP Address IP address of the device.
Loopback
Address
Domain Name
Server
Version of Junos OS acve on the
switch, including whether the soware is
for domesc or export use.
Loopback address.
Address of the domain name server.
(Connued)
Export soware is for use outside the
USA and Canada.
Time Zone Time zone on the device.
Time
Current Time Current system me, in Coordinated
Universal Time (UTC).
System
Booted Time
Protocol
Started Time
Date and me when the device was last
booted and how long it has been
running.
Date and me when the protocols were
last started and how long they have
been running.
31
Table 2: Summary of Key System Properes Output Fields
Field Values Addional Informaon
Last
Congured
Time
Load Average CPU load average for 1, 5, and 15
Storage Media
Internal Flash
Memory
External Flash
Memory
Date and me when a conguraon was
last commied. This eld also shows the
name of the user who issued the last
commit command.
minutes.
Usage details of internal ash memory.
Usage details of external USB ash
memory.
(Connued)
Logged in Users Details
User Username of any user logged in to the
switch.
Terminal Terminal through which the user is
logged in.
From System from which the user has logged
in. A hyphen indicates that the user is
logged in through the console.
Login Time Time when the user logged in. This is the user@switch eld in show
system users command output.
Idle Time How long the user has been idle.
SEE ALSO
show system processes
Monitoring System Process Informaon
IN THIS SECTION
Purpose | 32
Acon | 32
Meaning | 32
32
Purpose
View the processes running on the device.
Acon
To view the soware processes running on the device:
user@switch> show system processes
Meaning
Table 3 on page 32 summarizes the output elds in the system process informaon display.
The display includes the total CPU load and total memory ulizaon.
Table 3: Summary of System Process
Field Values
Informaon Output Fields
PID Idener of the process.
Name Owner of the process.
33
Table 3: Summary of System Process Informaon Output Fields
Field Values
State Current state of the process.
CPU Load Percentage of the CPU that is being used by the process.
Memory Ulizaon Amount of memory that is being used by the process.
Start Time Time of day when the process started.
SEE ALSO
(Connued)
show system upme
Monitoring Interfaces
IN THIS SECTION
Purpose | 33
Acon | 33
Purpose
View general informaon about all physical and logical interfaces for a device.
Acon
Enter the following show commands in the CLI to view interface status and trac stascs.
• show interfaces terse
NOTE: On SRX Series devices, when conguring idencal IPs on a single interface, you will
not see a warning message; instead, you will see a syslog message.
• show interfaces extensive
34
• show interfaces
NOTE: If you are using the J-Web user interfaces, select Monitor>Interfaces in the J-Web user
interface. The J-Web Interfaces page displays the following details about each device interface:
• Port—Indicates the interface name.
• Admin Status—Indicates whether the interface is enabled (Up) or disabled (Down).
• Link Status—Indicates whether the interface is linked (Up) or not linked (Down).
• Address—Indicates the IP address of the interface.
• Zone—Indicates whether the zone is an untrust zone or a trust zone.
• Services—Indicates services that are enabled on the device, such as HTTP and SSH.
• Protocols—Indicates protocols that are enabled on the device, such as BGP and IGMP.
• Input Rate graph—Displays interface bandwidth ulizaon. Input rates are shown in bytes per
second.
interface-name
• Output Rate graph—Displays interface bandwidth ulizaon. Output rates are shown in bytes per
second.
• Error Counters chart—Displays input and output error counters in the form of a bar chart.
• Packet Counters chart—Displays the number of broadcast, unicast, and mulcast packet counters in
the form of a pie chart. (Packet counter charts are supported only for interfaces that support MAC
stascs.)
To change the interface display, use the following opons:
• Port for FPC—Controls the member for which informaon is displayed.
• Start/Stop buon—Starts or stops monitoring the selected interfaces.
• Show Graph—Displays input and output packet counters and error counters in the form of charts.
• Pop-up buon—Displays the interface graphs in a separate pop-up window.
• Details—Displays extensive stascs about the selected interface, including its general status, trac
informaon, IP address, I/O errors, class-of-service data, and stascs.
• Refresh Interval—Indicates the duraon of me aer which you want the data on the page to be
refreshed.
• Clear Stascs—Clears the stascs for the selected interface.
SEE ALSO
Interfaces User Guide for Security Devices
Other Tools to Congure and Monitor Devices Running Junos OS
35
Starng in Junos OS Release 15.1, apart from the command-line interface, Junos OS also supports the
following applicaons, scripts, and ulies that enable you to congure and monitor devices running
Junos OS:
• Junos XML Management Protocol Applicaon Programming Interface (API)—Applicaon
programmers can use the Junos XML Management Protocol API to monitor and congure Juniper
Networks devices. Juniper Networks provides a Perl module with the API to help you more quickly
and easily develop custom Perl scripts for conguring and monitoring the devices.
• NETCONF Applicaon Programming Interface (API)—Applicaon programmers can also use the
NETCONF API to monitor and congure Juniper Networks devices.
• Junos OS commit scripts—You can dene scripts to enforce custom conguraon tasks, enforce
consistency, prevent common mistakes, and more. Every me you commit a new candidate
conguraon, the acve commit scripts are called to inspect the new candidate conguraon. If a
conguraon violates your custom rules, the script can instruct the Junos OS to perform various
acons, including making changes to the conguraon and generang custom, warning, and system
log messages.
• Junos OS Op scripts—You can add your own commands to the operaon-mode CLI. You can use
these scripts to automate troubleshoong of known network problems and correct them.
• Junos OS event scripts—You can use event scripts to diagnose and x issues, monitor the overall
status of the system, and examine errors periodically. Event scripts are similar to op scripts except
that certain events on the switch will trigger these scripts.
• CHEF—You can use CHEF automate the provisioning and management of compute, networking, and
storage resources. Chef for Junos OS provides support for Chef on selected Junos OS devices,
allowing you to automate common switching network conguraons.
• Puppet—You can use PUPPET for conguraon management. Puppet provides an ecient and
scalable soluon for managing the conguraons of large numbers of devices. System administrators
take advantage of Puppet to manage compute resources such as physical and virtual servers.
SEE ALSO
CLI User Interface Overview
NETCONF XML Management Protocol Developer Guide
Release History Table
Release Descripon
36
15.1 Starng in Junos OS Release 15.1, apart from the command-line interface, Junos OS also supports the
following applicaons, scripts, and ulies that enable you to congure and monitor devices running
Junos OS:
RELATED DOCUMENTATION
Understanding Device and Network Management Features
Day One: Monitoring and Troubleshoong
Passive Monitoring
IN THIS SECTION
Understanding Passive Monitoring | 37
Example: Conguring Passive Monitoring on QFX10000 Switches | 38
Understanding Passive Monitoring
IN THIS SECTION
Passive Monitoring Benets | 37
Guidelines for Conguring Passive Monitoring | 37
Passive monitoring is a type of network monitoring used to passively capture trac from monitoring
interfaces. When you enable passive monitoring, the device accepts and monitors trac on the interface
and forwards the trac to monitoring tools like IDS servers and packet analyzers, or other devices such
as routers or end node hosts.
• Starng in Junos OS Release 18.4R1, passive monitoring is supported on QFX10000 switches.
37
• Starng in Junos OS Evolved 19.4R1, passive monitoring is supported on PTX10003 routers.
Passive Monitoring Benets
• Provides ltering capabilies for monitoring ingress and egress trac at the Internet point of
presence (PoP) where security networks are aached.
Guidelines for Conguring Passive Monitoring
• You can only congure passive monitoring at the interface level. Conguraon per VLAN or logical
interface is not supported.
• A passive monitoring interface cannot be an aggregated Ethernet (AE) interface.
• Monitoring tools or devices must be directly connected to the switch or router.
• Packets with more than two MPLS labels and more than two VLAN tags are dropped.
• Excepon packets such as IP packet opons, router alert, and TTL expiry packets are treated as
regular trac.
• Ethernet encapsulaon is not supported.
• MPLS family lter conguraon is not supported.
• Link Aggregaon Control Protocol (LACP) is not supported on the AE bundle connected to the
monitoring tool or device.
Example: Conguring Passive Monitoring on QFX10000 Switches
IN THIS SECTION
Requirements | 38
Overview | 38
Conguraon | 39
Vericaon | 42
This example shows how to congure passive monitoring on QFX10000 switches.
Requirements
38
This example uses the following hardware and soware components:
• Two routers (R1 and R2)
• One QFX10002 switch
• Two devices, directly connected to the switch
• Junos OS Release 18.4R1 or later
Overview
IN THIS SECTION
Topology | 39
This example describes how to congure passive monitoring on the switch.
In Figure 1 on page 39, et-0/0/2 and et-0/0/4 are congured as passive monitoring interfaces. Packets
coming into the network are exchanged between Router 1 (R1) and Router 2 (R2) in two direcons (R1
to R2, R2 to R1) and are sent to the monitored interfaces. When trac is received, a rewall lter
transfers all packets to a roung instance and forwards the packets to the monitoring tools. The
interfaces are then grouped into a single logical interface, known as a link aggregaon group (LAG) or AE
bundle. This enables the trac to be evenly distributed across the monitoring tools eecvely
increasing the uplink bandwidth. If one interface fails, the bundle connues to carry trac over the
remaining interfaces.
Oponally, you can apply symmetric hashing over the passive monitor interfaces for load balancing
trac to the monitoring tools. This allows ingress and egress trac of the same ow to be sent out
through the same monitored interface. To congure symmetric hashing, include the no-incoming-port
opon under the [edit forwarding-opons enhanced-hash-key] hierarchy. Symmetric hashing is enabled
and disabled at the global level only. Per protocol hashing is not supported.
Topology
Figure 1: Passive Monitoring Topology
39
Conguraon
IN THIS SECTION
CLI Quick Conguraon | 40
Conguring Passive Monitoring | 40
The following example requires you to navigate various levels in the CLI hierarchy. For informaon about
navigang the CLI, see
Using the CLI Editor in Conguraon Mode
.
CLI Quick Conguraon
To quickly congure this example, copy the following commands, paste them into a text le, remove any
line breaks, change any details necessary to match your network conguraon, copy and paste the
commands into the CLI at the [edit] hierarchy level, and then enter commit from conguraon mode.
set interfaces et-0/0/2 passive-monitor-mode
set interfaces et-0/0/2 unit 0 family inet lter input pm
set interfaces et-0/0/4 passive-monitor-mode
set interfaces et-0/0/4 unit 0 family inet lter input pm1
set rewall family inet lter pm1 term t1 from interface et-0/0/4.0
set rewall family inet lter pm1 term t1 then count c1
set rewall family inet lter pm1 term t1 then roung-instance pm_inst
set rewall family inet lter pm term t1 from interface et-0/0/2.0
set rewall family inet lter pm term t1 then count c3
set rewall family inet lter pm term t1 then roung-instance pm_inst
set roung-instances pm_inst instance-type virtual-router
set roung-instances pm_inst interface ae0.0
set roung-instances pm_inst roung-opons stac route 0.0.0.0/0 next-hop 198.51.1.1
set interfaces xe-0/0/9:0 ether-opons 802.3ad ae0
set interfaces xe-0/0/9:1 ether-opons 802.3ad ae0
set interfaces ae0 unit 0 family inet address 198.51.1.2/24 arp 198.51.1.1 mac 00:10:94:00:00:05
set roung-instances pm_inst interface ae0.0
set forwarding-opons enhanced-hash-key inet no-incoming-port
40
Conguring Passive Monitoring
Step-by-Step Procedure
To congure passive monitoring:
1. Congure passive-monitor mode on the switch interfaces:
[edit]]
user@switch#
set interfaces et-0/0/2 passive-monitor-mode
set interfaces et-0/0/2 unit 0 family inet lter input pm
set interfaces et-0/0/4 passive-monitor-mode
set interfaces et-0/0/4 unit 0 family inet lter input pm1
2. Congure a family inet rewall lter on the passive monitor interfaces to forward the trac to a
roung instance. Supported lter acons are accept, reject, count, roung-instance.
[edit]
user@switch#
set rewall family inet lter pm1 term t1 from interface et-0/0/4.0
set rewall family inet lter pm1 term t1 then count c1
set rewall family inet lter pm1 term t1 then roung-instance pm_inst
set rewall family inet lter pm term t1 from interface et-0/0/2.0
set rewall family inet lter pm term t1 then count c3
set rewall family inet lter pm term t1 then roung-instance pm_inst
3. Create a roung-instance with a stac route that points to the devices.
[edit]
user@switch#
set roung-instances pm_inst instance-type virtual-router
set roung-instances pm_inst interface ae0.0
set roung-instances pm_inst roung-opons stac route 0.0.0.0/0 next-hop 198.1.1.1
41
4. Congure an AE bundle on the passive monitoring interfaces.
[edit]
user@switch#
set interfaces xe-0/0/9:0 ether-opons 802.3ad ae0
set interfaces xe-0/0/9:1 ether-opons 802.3ad ae0
set interfaces ae0 unit 0 family inet address 198.51.1.2/24 arp 198.51.1.1 mac 00:10:94:00:00:05
set roung-instances pm_inst interface ae0.0
5. (Oponal) Congure symmetric hashing.
[edit]
user@switch#
set forwarding-opons enhanced-hash-key inet no-incoming-port
6. From conguraon mode, conrm your conguraon by entering the show interfaces command. If
the command output does not display the intended conguraon, repeat the instrucons in this
example to correct it.
7. If you are done conguring the interfaces, enter commit from conguraon mode.
Vericaon
IN THIS SECTION
Verify the Passive Monitoring Conguraon | 42
Verify Symmetric Hashing | 44
Conrm that the conguraon is working properly.
Verify the Passive Monitoring Conguraon
42
Purpose
Verify that passive monitoring is working on the interfaces. If the interface output shows No-receive
and No-transmit, this means that passive monitoring is working.
Acon
From operaonal mode, enter the show interfaces command to view the passive monitoring interfaces.
user@host> show interfaces et-0/0/2
Physical interface: et-0/0/2, Enabled, Physical link is Up
Interface index: 146, SNMP ifIndex: 515
Link-level type: Ethernet, MTU: 1514, LAN-PHY mode, Speed: 40Gbps, BPDU Error:
None, Loop Detect PDU Error: None, Ethernet-Switching Error: None, MAC-REWRITE
Error: None,
Loopback: Disabled, Source filtering: Disabled, Flow control: Disabled, Media
type: Fiber
Device flags : Present Running
Interface flags: SNMP-Traps No-receive No-transmit Internal: 0x4000
Link flags : None
CoS queues : 8 supported, 8 maximum usable queues
Current address: 3c:61:04:75:3c:5d, Hardware address: 3c:61:04:75:3c:5d
Last flapped : 2018-05-17 11:19:05 PDT (00:17:55 ago)
Input rate : 0 bps (0 pps)
Output rate : 0 bps (0 pps)
Active alarms : None
Active defects : None
PCS statistics Seconds
Bit errors 0
Errored blocks 0
Ethernet FEC Mode : NONE
Ethernet FEC statistics Errors
FEC Corrected Errors 0
FEC Uncorrected Errors 0
FEC Corrected Errors Rate 0
FEC Uncorrected Errors Rate 0
PRBS Statistics : Disabled
Interface transmit statistics: Disabled
user@host show interfaces et-0/0/4
Physical interface: et-0/0/4, Enabled, Physical link is Up
Interface index: 146, SNMP ifIndex: 515
Link-level type: Ethernet, MTU: 1514, LAN-PHY mode, Speed: 40Gbps, BPDU Error:
None, Loop Detect PDU Error: None, Ethernet-Switching Error: None, MAC-REWRITE
Error: None,
Loopback: Disabled, Source filtering: Disabled, Flow control: Disabled, Media
type: Fiber
Device flags : Present Running
Interface flags: SNMP-Traps No-receive No-transmit Internal: 0x4000
Link flags : None
CoS queues : 8 supported, 8 maximum usable queues
Current address: 3c:61:04:75:3c:5d, Hardware address: 3c:61:04:75:3c:5d
Last flapped : 2018-05-17 11:19:05 PDT (00:18:17 ago)
Input rate : 0 bps (0 pps)
Output rate : 0 bps (0 pps)
Active alarms : None
Active defects : None
PCS statistics Seconds
Bit errors 0
Errored blocks 0
Ethernet FEC Mode : NONE
Ethernet FEC statistics Errors
FEC Corrected Errors 0
FEC Uncorrected Errors 0
FEC Corrected Errors Rate 0
FEC Uncorrected Errors Rate 0
43
PRBS Statistics : Disabled
Interface transmit statistics: Disabled
Verify Symmetric Hashing
Purpose
Verify the output for symmetric hashing. The incoming port elds for inet,inet6 and L2 should all be set
to No.
Acon
From conguraon mode, enter the show forwarding-opons enhanced-hash-key command.
Slot 0
44
Seed value for Hash function 0: 3626023417
Seed value for Hash function 1: 3626023417
Seed value for Hash function 2: 3626023417
Seed value for Hash function 3: 3626023417
Inet settings:
--------------
IPV4 dest address: Yes
IPV4 source address: Yes
L4 Dest Port: Yes
L4 Source Port: Yes
Incoming port: No
Inet6 settings:
--------------
IPV6 dest address: Yes
IPV6 source address: Yes
L4 Dest Port: Yes
L4 Source Port: Yes
Incoming port: No
L2 settings:
------------
Dest Mac address: No
Source Mac address: No
Vlan Id: Yes
Inner-vlan Id: No
Incoming port: No
GRE settings:
-------------
Key: No
Protocol: No
MPLS settings:
--------------
MPLS Enabled: Yes
VXLAN settings:
---------------
VXLAN VNID: No
Release History Table
Release Descripon
45
18.4R1 Starng in Junos OS Release 18.4R1, passive monitoring is supported on QFX10000 switches.
18.4R1 Starng in Junos OS Evolved 19.4R1, passive monitoring is supported on PTX10003 routers.
How to Locate a Device or Port Using the Chassis Beacon
IN THIS SECTION
Turning On the Chassis Beacon For the Default Interval | 46
Turning On the Chassis Beacon For a Specied Interval | 47
By default, when a network port and its associated link are acve, the status LED for that port blinks
green at a rate of 8 blinks per second. With the chassis beacon feature, you can use the request
chassis beacon command to slow the current rate at which the status LED blinks green to 2 blinks per
second. The slower and steadier green light acts as a beacon that you, as a network administrator in a
remote oce, can enable to guide a network installer in a busy data center or lab to a Juniper Networks
device or port on the device.
You can use the following opons with the chassis beacon feature:
• Turn on the beacon for:
• 5 minutes (default)
• A specied number of minutes (1 through 120)
• Turn o the beacon:
• Immediately
• Aer a specied number of minutes (1 through 120) elapses
You can use these opons on all network ports on an FPC or just one network port on an FPC.
To turn the beacon on or o on a Virtual Chassis, you must:
46
• Issue the request chassis beacon command on the primary switch in the Virtual Chassis.
• When specifying the FPC slot number, use the target Virtual Chassis member number.
You can slow the rate at which the status LED blinks green to 2 blinks per second. The slower and
steadier green light acts as a beacon that guides a network installer in a busy data center or lab to a
Juniper Networks device or port on the device.
This topic covers the available opons in the following use cases:
Turning On the Chassis Beacon For the Default Interval
You can turn on the chassis beacon for the default interval, which is 5 minutes.
1. Turn on the chassis beacon using one of the following commands:
a. For all network ports on a specied FPC:
user@switch> request chassis beacon fpc
slot-number
on
b. For a specied network port on an FPC:
user@switch> request chassis beacon fpc
slot-number
pic-slot
slot-number
port
port-number
on
Aer you turn on the chassis beacon, you can expect the following behavior:
• The chassis beacon overrides the current state of the status LED for all or the specied network
port on the FPC.
• If you turn on the beacon for only one network port, the status LEDs for the remaining network
ports on the FPC are turned o.
• Unless you issue a command to explicitly turn o the chassis beacon before the default interval is
over, it turns o aer 5 minutes. The state of the status LED for all ports or the specied port
returns to the state it was in before you turned on the chassis beacon.
2. If you want to turn the chassis beacon o before the 5-minute interval is over, use one of the
following commands:
a. For all network ports on a specied FPC:
47
user@switch> request chassis beacon fpc
slot-number
o
b. For a specied network port on an FPC:
user@switch> request chassis beacon fpc
slot-number
pic-slot
slot-number
Turning On the Chassis Beacon For a Specied Interval
You can turn on the chassis beacon for 1 through 120 minutes.
1. Turn on the chassis beacon using one of the following commands:
a. For all network ports on a specied FPC:
user@switch> request chassis beacon fpc
slot-number
on mer
number-of-minutes
port
port-number
o
b. For a specied network port on an FPC:
user@switch> request chassis beacon fpc
mer
number-of-minutes
slot-number
pic-slot
slot-number
Aer you turn on the chassis beacon, you can expect the following behavior:
port
port-number
on
• The chassis beacon overrides the current state of the status LEDs for all or one network port on
the FPC.
• If you turn on the chassis beacon for only one network port, the status LEDs for the remaining
network ports on the FPC are turned o.
• The chassis beacon stays on unl you explicitly issue a command to turn it o.
2. You can turn o the chassis beacon immediately or aer a specied me interval (1 through 120
minutes) is over.
a. To turn o the chassis beacon immediately, use one of the following commands:
For all network ports on a specied FPC:
48
user@switch> request chassis beacon fpc
slot-number
o
OR
For a specied network port on an FPC:
user@switch> request chassis beacon fpc
slot-number
pic-slot
slot-number
port
port-number
o
b. To turn o the chassis beacon aer a specied me interval of 1 through 120 minutes is over, use
one of the following commands:
For all network ports on a specied FPC:
user@switch> request chassis beacon fpc
slot-number
o mer
number-of-minutes
OR
For a specied network port on an FPC:
user@switch> request chassis beacon fpc
mer
number-of-minutes
slot-number
pic-slot
slot-number
port
port-number
o
Aer you turn o the chassis beacon, the state of the status LED for all or one port on the FPC
returns to the state it was in before you turned on the chassis beacon.
2
CHAPTER
Conguraon Statements
checksum | 51
compress-conguraon-les (System) | 53
domain-name | 54
domain-search | 56
enhanced-hash-key | 57
ethernet (Alarm) | 66
hardware-mestamp | 67
host-name | 68
inet (enhanced-hash-key) | 70
inet6-backup-router | 73
inet6 (enhanced-hash-key) | 75
internet-opons | 78
lcd-menu | 83
locaon | 85
locaon (System) | 87
max-conguraons-on-ash | 90
menu-item | 91
no-mulcast-echo | 97
no-ping-record-route | 98
no-ping-me-stamp | 99
no-redirects (IPv4 Trac) | 101
oponal | 103
passive-monitor-mode | 104
ports | 106
ports | 108
power | 109
processes | 112
saved-core-context | 115
saved-core-les | 116
stac-host-mapping | 118
me-format | 120
me-zone | 122
traceopons (Layer 2 Learning) | 125
traceopons (SBC Conguraon Process) | 129
use-imported-me-zones | 131
checksum
IN THIS SECTION
Syntax | 51
Hierarchy Level | 51
Descripon | 51
Opons | 52
Required Privilege Level | 52
Release Informaon | 52
51
Syntax
checksum (md5 | sha-256 | sha1) hash;
Hierarchy Level
[edit event-options event-script filefilename],
[edit system scripts commit file filename],
Descripon
For Junos commit scripts and op scripts, specify the MD5, SHA-1, or SHA-256 checksum hash. When it
executes a local event or commit script, the Junos OS veries the authencity of the script by using the
congured checksum hash.
Opons
md5
hash
—MD5 checksum of this script.
52
sha-256
sha1
hash
—SHA-256 checksum of this script.
hash
—SHA-1 checksum of this script.
Required Privilege Level
maintenance—To view this statement in the conguraon.
maintenance-control—To add this statement to the conguraon.
Release Informaon
Statement introduced in Junos OS Release 11.1.
RELATED DOCUMENTATION
Conguring Checksum Hashes for a Commit Script
Conguring Checksum Hashes for an Event Script
Conguring Checksum Hashes for an Op Script
le checksum md5
le checksum sha-256
le checksum sha1
compress-conguraon-les (System)
IN THIS SECTION
Syntax | 53
Hierarchy Level | 53
Descripon | 53
Default | 54
Required Privilege Level | 54
Release Informaon | 54
53
Syntax
(compress-configuration-files | no-compress-configuration-files);
Hierarchy Level
[edit system]
Descripon
Compress the current operaonal conguraon le. The le is stored in the le juniper.conf, in the /
cong le system, along with the last three commied versions of the conguraon. However, with
large networks, the current conguraon le might exceed the available space in the /cong le system.
Compressing the current conguraon le allows the le to t in the le system, typically reducing the
size of the le by 90 percent. The current conguraon le is compressed on the second commit of the
conguraon aer the rst commit is made to include the compress-conguraon-les statement.
NOTE: We recommend that you enable compression of the conguraon les to minimize the
amount of disk space that they require.
Default
The current operaonal conguraon le is uncompressed.
Required Privilege Level
system—To view this statement in the conguraon.
54
system-control—To add this statement to the conguraon.
Release Informaon
Statement introduced in Junos OS Release 11.1.
RELATED DOCUMENTATION
Compressing the Current Conguraon File
domain-name
IN THIS SECTION
Syntax | 55
Hierarchy Level | 55
Descripon | 55
Opons | 55
Required Privilege Level | 55
Release Informaon | 56
Syntax
domain-name domain-name;
55
Hierarchy Level
[edit system]
Descripon
Congure the name of the domain in which the switch is located. This is the default domain name that is
appended to hostnames that are not fully qualied.
Opons
domain-name
—Name of the domain.
Required Privilege Level
system—To view this statement in the conguraon.
system-control—To add this statement to the conguraon.
Release Informaon
Statement introduced in Junos OS Release 11.1.
RELATED DOCUMENTATION
Conguring a DNS Name Server for Resolving Hostnames into Addresses
domain-search
IN THIS SECTION
56
Syntax | 56
Hierarchy Level | 56
Descripon | 57
Opons | 57
Required Privilege Level | 57
Release Informaon | 57
Syntax
domain-search domain-list;
Hierarchy Level
[edit system]
Descripon
Congure a list of domains to be searched.
Opons
57
domain-list
up to 256 characters.
—List of domain names to search. The list can contain up to 6 domain names, with a total of
Required Privilege Level
system—To view this statement in the conguraon.
system-control—To add this statement to the conguraon.
Release Informaon
Statement introduced in Junos OS Release 11.1.
RELATED DOCUMENTATION
Conguring a DNS Name Server for Resolving Hostnames into Addresses
enhanced-hash-key
IN THIS SECTION
Syntax (EX Series) | 58
Syntax (QFX5000 Line of Switches) | 59
Syntax (QFX10000 Series Switches) | 63
Hierarchy Level | 64
Descripon | 64
Required Privilege Level | 65
Release Informaon | 65
Syntax (EX Series)
enhanced-hash-key {
ecmp-resilient-hash;
fabric-load-balance {
flowlet {
inactivity-interval interval;
}
per-packet;
}
hash-mode {
layer2-header;
layer2-payload;
}
family inet {
no-ipv4-destination-address;
no-ipv4-source-address;
no-l4-destination-port;
no-l4-source-port;
no-protocol;
vlan-id;
}
family inet6 {
no-ipv6-destination-address;
no-ipv6-source-address;
no-l4-destination-port;
no-l4-source-port;
no-next-header;
vlan-id;
}
layer2 {
58
no-destination-mac-address;
no-ether-type;
no-source-mac-address;
vlan-id;
}
}
Syntax (QFX5000 Line of Switches)
enhanced-hash-key {
conditional-match name {
offset1 {
base-offset1 (start-of-L2Header | start-of-L3-InnerHeader | start-of-
L3-OuterHeader | start-of-L4-Header);
matchdata1 matchdata1;
matchdata1-mask matchdata1-mask;
offset1-value offset1-value;
}
offset2 {
base-offset2 (start-of-L2Header | start-of-L3-InnerHeader | start-of-
L3-OuterHeader | start-of-L4-Header);
matchdata2 matchdata2;
matchdata2-mask matchdata2-mask;
offset2-value offset2-value;
}
offset3 {
base-offset3 (start-of-L2Header | start-of-L3-InnerHeader | start-of-
L3-OuterHeader | start-of-L4-Header);
matchdata3 matchdata3;
matchdata3-mask matchdata3-mask;
offset3-value offset3-value;
}
offset4 {
base-offset4 (start-of-L2Header | start-of-L3-InnerHeader | start-of-
L3-OuterHeader | start-of-L4-Header);
matchdata4 matchdata4;
matchdata4-mask matchdata4-mask;
offset4-value offset4-value;
}
59
}
ecmp-dlb {
assigned-flow;
per-packet;
flowlet inactivity-interval;
ether-type (ipv4|ipv6|mpls);
}
ecmp-resilient-hash;
fabric-load-balance {
flowlet {
inactivity-interval interval;
}
per-packet;
}
flex-hashing name {
ethtype {
inet {
conditional-match conditional-match;
hash-offset {
offset1 {
base-offset1 (start-of-L2Header | start-of-L3-
InnerHeader | start-of-L3-OuterHeader | start-of-L4-Header);
offset1-mask offset1-mask;
offset1-value offset1-value;
offset2 {
base-offset2 (start-of-L2Header | start-of-L3-
InnerHeader | start-of-L3-OuterHeader | start-of-L4-Header);
offset2-mask offset2-mask;
offset2-value offset2-value;
}
}
}
interface interface;
}
inet6 {
conditional-match conditional-match;
hash-offset {
offset1 {
base-offset1 (start-of-L2Header | start-of-L3-
InnerHeader | start-of-L3-OuterHeader | start-of-L4-Header);
offset1-mask offset1-mask;
offset1-value offset1-value;
60
offset2 {
base-offset2 (start-of-L2Header | start-of-L3-
InnerHeader | start-of-L3-OuterHeader | start-of-L4-Header);
offset2-mask offset2-mask;
offset2-value offset2-value;
}
}
}
interface interface;
}
mpls {
conditional-match conditional-match;
hash-offset {
offset1 {
base-offset1 (start-of-L2Header | start-of-L3-
InnerHeader | start-of-L3-OuterHeader | start-of-L4-Header);
offset1-mask offset1-mask;
offset1-value offset1-value;
offset2 {
base-offset2 (start-of-L2Header | start-of-L3-
InnerHeader | start-of-L3-OuterHeader | start-of-L4-Header);
offset2-mask offset2-mask;
offset2-value offset2-value;
}
}
}
interface interface;
num-labels num-labels;
}
}
}
hash-mode {
layer2-header;
layer2-payload;
gtp-header-offset offset-value;
}
hash-parameters {
ecmp {
function {
(crc16-bisync | crc16-ccitt | crc32-hi | crc32-lo);
}
offset offset;
preprocess;
61
}
lag {
function {
(crc16-bisync | crc16-ccitt | crc32-hi | crc32-lo);
}
offset offset;
preprocess;
}
}
family inet {
gtp-tunnel-endpoint-identifier;
no-incoming-port;
no-ipv4-destination-address;
no-ipv4-source-address;
no-l4-destination-port;
no-l4-source-port;
no-protocol;
vlan-id;
}
family inet6 {
no-incoming-port;
no-ipv6-destination-address;
no-ipv6-source-address;
no-l4-destination-port;
no-l4-source-port;
no-next-header;
vlan-id;
}
layer2 {
no-destination-mac-address;
no-ether-type;
no-source-mac-address;
vlan-id;
}
symmetric-hash {
inet;
inet6;
}
}
vxlan {
no-inner-payload;
}
62
Syntax (QFX10000 Series Switches)
enhanced-hash-key {
hash-seed seed-value;
family inet {
gtp-tunnel-endpoint-identifier;
no-ipv4-destination-address;
no-ipv4-source-address;
no-l4-destination-port;
no-l4-source-port;
no-incoming-port;
}
family inet6 {
gtp-tunnel-endpoint-identifier;
ipv6-flow-label;
no-ipv6-destination-address;
no-ipv6-source-address;
no-l4-destination-port;
no-l4-source-port;
no-incoming-port;
}
layer2 {
destination-mac-address
inner-vlan-id;
no-ether-type;
no-vlan-id;
source-mac-address;
}
no-mpls;
gre {
key;
protocol;
}
vxlan-vnid
}
}
63
Hierarchy Level
[edit forwarding-options]
Descripon
Congure the hashing key used to hash link aggregaon group (LAG) and equal-cost mulpath (ECMP)
trac, or enable adapve load balancing (ALB) in a Virtual Chassis Fabric (VCF).
NOTE: Starng in Junos OS Release 14.1X53-D46, 15.1R7, 16.1R6, 17.1R3, 17.2R2, 17.3R2, and
17.4R1, the ALB feature is deprecated. If fabric-load-balance is enabled in the conguraon for a
VCF, delete the conguraon item upon upgrading Junos OS.
64
The hashing algorithm is used to make trac-forwarding decisions for trac entering a LAG bundle or
for trac exing a switch when ECMP is enabled.
For LAG bundles, the hashing algorithm determines how trac entering a LAG bundle is placed onto the
bundle’s member links. The hashing algorithm tries to manage bandwidth by evenly load-balancing all
incoming trac across the member links in the bundle.
When ECMP is enabled, the hashing algorithm determines how incoming trac is forwarded to the
next-hop device.
On QFX10000 Series switches, you can congure the hash seed for load balancing. By default, the
QFX10000 Series switches use the system MAC address to generate a hash seed value. You can
congure the hash seed value using the hash-seed statement at the [edit forwarding-opons enhanced-
hash-key] hierarchy level. Set a value between 0 and 4294967295. If you do not congure a hash seed
value, the system generates a hash seed value based on the system MAC address.
The remaining statements are explained separately. See CLI Explorer.
Starng in Junos OS Release 18.4R1, symmetric hashing is supported on the QFX10000 Series switches.
You congure the no-incoming-port opon under the [edit forwarding-opons enhanced-hash-key]
hierarchy. By default, Dynamic IP (DIP), SIP, Layer 4 source and desnaon ports, and the incoming port
are used for hashing. You can only congure symmetric hashing at the global level.
Starng in Junos OS Release 19.4R1, the dynamic load balancing on ECMP is supported on
QFX5120-32C and QFX5120-48Y switches. You can congure the ecmp-dlb opon under the [edit
forwarding-opons enhanced-hash-key] hierarchy. Refer
Dynamic Load Balancing
for more details.
To enable symmetric hashing on the QFX5000 line of switches, congure the symmetric-hash opon.
Required Privilege Level
interface—To view this statement in the conguraon.
interface-control—To add this statement to the conguraon.
Release Informaon
Statement introduced in Junos OS Release 13.2X51-D15.
The fabric-load-balance statement introduced in Junos OS Release 14.1X53-D10.
65
The fabric-load-balance statement deprecated starng in Junos OS Releases 14.1X53-D46, 15.1R7,
16.1R6, 17.1R3, 17.2R2, 17.3R2, and 17.4R1.
The hash-seed statement introduced in Junos OS Release 15.1X53-D30.
The ecmp-dlb statement introduced in Junos OS Release 19.4R1 for QFX5120-32C and QFX5120-48Y
switches.
Opon symmetric-hash introduced in Junos OS Release 20.4R1.
RELATED DOCUMENTATION
Conguring the Fields in the Algorithm Used To Hash LAG Bundle and ECMP Trac (CLI Procedure)
Understanding the Algorithm Used to Hash LAG Bundle and Egress Next-Hop ECMP Trac
Understanding Passive Monitoring
Understanding Per-Packet Load Balancing
show forwarding-opons enhanced-hash-key
ethernet (Alarm)
IN THIS SECTION
Syntax | 66
Hierarchy Level | 66
Descripon | 66
Opons | 67
Required Privilege Level | 67
Release Informaon | 67
66
Syntax
ethernet {
link-down (red | yellow | ignore);
}
Hierarchy Level
[edit chassis alarm],
[edit chassis interconnect-device name alarm],
[edit chassis node-group name alarm]
Descripon
Congure alarms for an Ethernet interface.
Opons
The remaining statements are explained separately. Search for a statement in CLI Explorer or click a
linked statement in the Syntax secon for details.
Required Privilege Level
interface—To view this statement in the conguraon.
interface-control—To add this statement to the conguraon.
Release Informaon
67
Statement introduced in Junos OS Release 11.1.
hardware-mestamp
IN THIS SECTION
Syntax | 67
Hierarchy Level | 68
Descripon | 68
Required Privilege Level | 68
Release Informaon | 68
Syntax
hardware-timestamp;
Hierarchy Level
[edit services rpm probe owner test test-name]
Descripon
Enable mestamping of RPM probe messages in the Packet Forwarding Engine host processor. This
feature is supported only with icmp-ping, icmp-ping-mestamp, udp-ping, and udp-ping-mestamp
probe types.
Required Privilege Level
68
interface—To view this statement in the conguraon.
interface-control—To add this statement to the conguraon.
Release Informaon
Statement introduced in Junos OS Release 8.1.
Statement applied to MX Series routers in Junos OS Release 10.0.
Statement introduced in Junos OS Release 19.1 for PTX Series routers.
host-name
IN THIS SECTION
Syntax | 69
Hierarchy Level | 69
Descripon | 69
Opons | 69
Required Privilege Level | 69
Release Informaon | 70
Syntax
host-name hostname;
69
Hierarchy Level
[edit system]
Descripon
Set the hostname of the switch.
Opons
hostname
—Name of the switch.
Required Privilege Level
system—To view this statement in the conguraon.
system-control—To add this statement to the conguraon.
Release Informaon
Statement introduced in Junos OS Release 11.1.
RELATED DOCUMENTATION
Conguring the Hostname of a Router or Switch by Using a Conguraon Group
inet (enhanced-hash-key)
IN THIS SECTION
70
Syntax (EX Series and QFX5100 Switch) | 70
Syntax (QFX10000 Series Switches) | 71
Hierarchy Level | 71
Descripon | 71
Default | 72
Opons | 72
Required Privilege Level | 72
Release Informaon | 73
Syntax (EX Series and QFX5100 Switch)
inet {
gtp-tunnel-endpoint-identifier;
no-ipv4-destination-address;
no-ipv4-source-address;
no-l4-destination-port;
no-l4-source-port;
no-protocol;
vlan-id;
}
Syntax (QFX10000 Series Switches)
inet {
gtp-tunnel-endpoint-identifier;
no-ipv4-destination-address;
no-ipv4-source-address;
no-l4-destination-port;
no-l4-source-port;
no-incoming-port;
}
71
Hierarchy Level
[edit forwarding-options enhanced-hash-key family]
Descripon
Select the payload elds in IPv4 trac used by the hashing algorithm to make hashing decisions.
When IPv4 trac enters a LAG and the hash mode is set to Layer 2 payload, the hashing algorithm
checks the elds congured using the inet statement and uses the informaon in the elds to decide
how to place trac onto the LAG bundle’s member links or how to forward trac to the next hop
device when ECMP is enabled.
The hashing algorithm, when used to hash LAG bundle trac, always tries to manage bandwidth by
evenly load-balancing all incoming trac across the member links in the bundle.
The hashing algorithm only inspects the IPv4 elds in the payload to make hashing decisions when the
hash mode is set to layer2-payload. The hash mode is set to Layer 2 payload by default. You can set the
hash mode to Layer 2 payload using the set forwarding-opons enhanced-hash-key hash-mode layer2-
payload statement.
Default
The following elds are used by the hashing algorithm to make hashing decisions for IPv4 trac:
• IP desnaon address
• IP source address
• Layer 4 desnaon port
• Layer 4 source port
• Protocol
Opons
72
no-ipv4-desnaonaddress
no-ipv4-sourceaddress
no-l4-desnaon-port
no-l4-source-port
no-protocol
no-incoming-port
vlan-id
Exclude the IPv4 desnaon address eld from the hashing algorithm.
Exclude the IPv4 source address eld from the hashing algorithm.
Exclude the Layer 4 desnaon port eld from the hashing algorithm.
Exclude the Layer 4 source port eld from the hashing algorithm.
Exclude the protocol eld from the hashing algorithm.
Exclude the incoming port number from the hashing algorithm.
Include the VLAN ID eld in the hashing algorithm.
NOTE: The vlan-id opon is not supported and should not be
congured on a Virtual Chassis or Virtual Chassis Fabric (VCF) that
contains any of the following switches as members: EX4300, EX4600,
QFX3500, QFX3600, QFX5100, or QFX5110 switches.
Required Privilege Level
interface—To view this statement in the conguraon.
interface-control—To add this statement to the conguraon.
Release Informaon
Statement introduced in Junos OS Release 13.2X51-D15.
RELATED DOCUMENTATION
Conguring the Fields in the Algorithm Used To Hash LAG Bundle and ECMP Trac (CLI Procedure)
Understanding the Algorithm Used to Hash LAG Bundle and Egress Next-Hop ECMP Trac
Understanding the Algorithm Used to Hash LAG Bundle and Egress Next-Hop ECMP Trac (QFX
10002 and QFX 10008 Switches)
Understanding Per-Packet Load Balancing
73
hash-seed
enhanced-hash-key | 57
hash-mode
inet (enhanced-hash-key) | 70
inet6-backup-router
IN THIS SECTION
Syntax | 74
Hierarchy Level | 74
Descripon | 74
Opons | 74
Required Privilege Level | 74
Release Informaon | 75
Syntax
inet6-backup-router address <destination destination-address>;
Hierarchy Level
[edit system]
Descripon
74
Set a default router (running IP version 6 [IPv6]) to use while the local router or switch (running IPv6) is
boong and if the roung protocol processes fail to start. The Junos OS removes the route to this router
or switch as soon as the soware starts.
Opons
address
desnaon
desnaonaddress
Address of the default router.
(Oponal) Desnaon address that is reachable through the backup router. You can
include this opon to achieve network reachability while loading, conguring, and
recovering the router or switch, but without the risk of installing a default route in
the forwarding table.
• Default: All hosts (default route) are reachable through the backup router.
Required Privilege Level
system—To view this statement in the conguraon.
system-control—To add this statement to the conguraon.
Release Informaon
Statement introduced before Junos OS Release 7.4.
inet6 (enhanced-hash-key)
IN THIS SECTION
Syntax (EX Series and QFX5100 Switch) | 75
Syntax (QFX10000 Series Switches) | 76
Hierarchy Level | 76
Descripon | 76
75
Default | 77
Opons | 77
Required Privilege Level | 77
Release Informaon | 78
Syntax (EX Series and QFX5100 Switch)
inet6 {
no-ipv6-destination-address;
no-ipv6-source-address;
no-l4-destination-port;
no-l4-source-port;
no-next-header;
vlan-id;
}
Syntax (QFX10000 Series Switches)
inet6 {
gtp-tunnel-endpoint-identifier;
ipv6-flow-label;
no-ipv6-destination-address;
no-ipv6-source-address;
no-l4-destination-port;
no-l4-source-port;
no-incoming-port;
}
Hierarchy Level
76
[edit forwarding-options enhanced-hash-key family]
Descripon
Select the payload elds in an IPv6 packet used by the hashing algorithm to make hashing decisions.
When IPv6 trac enters a LAG and the hash mode is set to Layer 2 payload, the hashing algorithm
checks the elds congured using this statement and uses the informaon in the elds to decide how to
place trac onto the LAG bundle’s member links or to forward trac to the next hop device when
ECMP is enabled.
The hashing algorithm, when used to hash LAG trac, always tries to manage bandwidth by evenly
load-balancing all incoming trac across the member links in the bundle.
The hashing algorithm only inspects the IPv6 elds in the payload to make hashing decisions when the
hash mode is set to Layer 2 payload. The hash mode is set to Layer 2 payload by default. You can set the
hash mode to Layer 2 payload using the set forwarding-opons enhanced-hash-key hash-mode layer2-
payload statement.
Default
The data in the following elds are used by the hashing algorithm to make hashing decisions for IPv6
trac:
• IP desnaon address
• IP source address
• Layer 4 desnaon port
• Layer 4 source port
• Next header
Opons
77
no-ipv6-desnaon-address
no-ipv6-source-address
no-l4-desnaon-port
no-l4-source-port
no-incoming-port
no-next-header
vlan-id
Exclude the IPv6 desnaon address eld from the hashing algorithm.
Exclude the IPv6 source address eld from the hashing algorithm.
Exclude the Layer 4 desnaon port eld from the hashing algorithm.
Exclude the Layer 4 source port eld from the hashing algorithm.
Exclude the incoming port number from the hashing algorithm.
Exclude the Next Header eld from the hashing algorithm.
Include the VLAN ID eld in the hashing algorithm.
Required Privilege Level
interface—To view this statement in the conguraon.
interface-control—To add this statement to the conguraon.
Release Informaon
Statement introduced in Junos OS Release 13.2X51-D15.
RELATED DOCUMENTATION
Conguring the Fields in the Algorithm Used To Hash LAG Bundle and ECMP Trac (CLI Procedure)
Understanding the Algorithm Used to Hash LAG Bundle and Egress Next-Hop ECMP Trac
Understanding the Algorithm Used to Hash LAG Bundle and Egress Next-Hop ECMP Trac (QFX
10002 and QFX 10008 Switches)
Understanding Per-Packet Load Balancing
hash-seed
enhanced-hash-key | 57
hash-mode
78
inet (enhanced-hash-key) | 70
internet-opons
IN THIS SECTION
Syntax | 79
Hierarchy Level | 79
Descripon | 79
Opons | 80
Required Privilege Level | 82
Release Informaon | 82
Syntax
internet-options {
(gre-path-mtu-discovery | no-gre-path-mtu-discovery);
icmpv4-rate-limit bucket-size <bucket-size seconds> <packet-rate packet-
rate>;
icmpv6-rate-limit bucket-size <bucket-size seconds> <packet-rate packet-
rate>;
(ipip-path-mtu-discovery | no-ipip-path-mtu-discovery);
ipv6-duplicate-addr-detection-transmits ipv6-duplicate-addr-detection-
transmits;
(ipv6-path-mtu-discovery | no-ipv6-path-mtu-discovery);
(ipv6-reject-zero-hop-limit | no-ipv6-reject-zero-hop-limit);
ipv6-path-mtu-discovery-timeout minutes;
no-tcp-reset (drop-all-tcp | drop-tcp-with-syn-only);
no-tcp-rfc1323;
no-tcp-rfc1323-paws;
(path-mtu-discovery | no-path-mtu-discovery);
source-port {
upper-limit upper-limit;
}
(source-quench | no-source-quench);
tcp-drop-synfin-set;
tcp-mss mss-value;
}
79
Hierarchy Level
[edit system]
Descripon
Congure system IP opons to protect against certain types of DoS aacks.
Opons
80
gre-path-mtudiscovery
icmpv4-ratelimit
icmpv6-ratelimit
(ACX Series, EX Series, Junos Fusion, M Series, MX Series, OCX Series, PTX Series,
QFX Series, SRX Series, T Series) Congure path MTU discovery for outgoing GRE
tunnel connecons. By default, path MTU discovery is enabled.
• no-gre-path-mtu-discovery—Path MTU discovery is disabled.
Congure rate-liming parameters for ICMPv4 messages sent.
• Values:
• bucket-size
through 4294967295 seconds. Default: 5.
• packet-rate
4294967295 pps. Default: 1000.
(ACX Series, EX Series, M Series, MX Series, PTX Series, QFX Series, SRX Series)
Congure rate-liming parameters for ICMPv6 messages sent.
• Values:
• bucket-size
through 4294967295 seconds. Default: 5.
seconds
pps
seconds
—Number of seconds in the rate-liming bucket. Range: 0
—Rate-liming packets earned per second. Range: 0 through
—Number of seconds in the rate-liming bucket. Range: 0
ipip-path-mtudiscovery
ipv6-duplicateaddr-detecontransmits
ipv6-path-mtudiscovery
• packet-rate
4294967295 pps. Default: 1000.
(ACX Series, EX Series, Junos Fusion, M Series, MX Series, OCX Series, PTX Series,
QFX Series, SRX Series, T Series) Congure path MTU discovery for outgoing IP-IP
tunnel connecons. By default, path MTU discovery is enabled.
• no-ipip-path-mtu-discovery—Path MTU discovery is disabled.
Control the number of aempts for IPv6 duplicate address detecon.
• Range: 0 to 20
• Default: 3
(ACX Series, EX Series, Junos Fusion, M Series, MX Series, OCX Series, PTX Series,
QFX Series, SRX Series, T Series) Congure path MTU discovery for IPv6 packets. By
default, IPv6 path MTU discovery is enabled.
• no-ipv6-path-mtu-discovery—IPv6 path MTU discovery is disabled.
pps
—Rate-liming packets earned per second. Range: 0 through
81
ipv6-path-mtudiscoverymeout
ipv6-rejectzero-hop-limit
no-tcp-reset
(ACX Series, EX Series, Junos Fusion, M Series, MX Series, OCX Series, PTX Series,
QFX Series, SRX Series, T Series) Set the IPv6 path MTU discovery me-out interval.
• Values:
• Default: 10 minutes.
Reject incoming IPv6 packets with a zero hop-limit value in their header. This is
enabled by default.
• no-ipv6-reject-zero-hop-limit—Allow incoming IPv6 packets with a zero hop-limit
value in their header.
Do not send an RST TCP packet (a packet with the reset ag set) in response to a TCP
packet received on a non-listening port.
By default, when a TCP packet is received on a non-listening port, a device sends a
TCP packet with the RST ag set and drops the connecon. This might lead to a
security risk. Conguring this statement prevents the sending of RST TCP packets to
non-listening ports.
You must congure this statement with one of two opons:
minutes
—IPv6 path MTU discovery meout.
no-tcp-rfc1323
no-tcp-rfc1323paws
path-mtudiscovery
source-port
• drop-all-tcp—When a TCP segment is received on a closed port, the device drops
the packet and does not send back a RST segment. This helps to protect against
stealth port scans.
• drop-tcp-with-syn-only—When a TCP packet with a SYN bit is received on a nonlistening port, the device drops the packet and does not send back a RST segment,
which makes the device appear as a null route. For all other TCP packets, the
device sends back a RST segment and does not drop the packet.
Congure the Junos OS to disable RFC 1323 TCP extensions.
Congure the Junos OS to disable the RFC 1323 Protecon Against Wrapped
Sequence (PAWS) number extension.
Congure path MTU discovery for outgoing Transmission Control Protocol (TCP)
connecons. By default, path MTU discovery is enabled.
• no-path-mtu-discovery—Path MTU discovery is disabled.
Congure the range of port addresses.
• Values:
82
• upper-limit
from 5000 through 65,355.
source-quench
tcp-dropsynn-set
The remaining statements are explained separately. Search for a statement in CLI Explorer or click a
linked statement in the Syntax secon for details.
Congure how the Junos OS handles Internet Control Message Protocol (ICMP)
source quench messages. By default, the Junos OS reacts to ICMP source quench
messages.
• no-source-quench—Do not react to incoming ICMP source quench messages.
Congure the device to drop packets that have both the SYN and FIN bits set.
upper-limit
—(Oponal) The range of port addresses can be a value
Required Privilege Level
admin—To view this statement in the conguraon.
admin-control—To add this statement to the conguraon.
Release Informaon
Statement introduced before Junos OS Release 7.4.
no-tcp-reset introduced in Junos OS Release 9.4.
no-tcp-reset introduced in Junos OS Release 11.1 for SRX Series and vSRX devices.
icmpv4-rate-limit and source-port introduced in Junos OS Release 11.1 for the QFX Series and Junos
OS Release 14.1X53-D20 for the OCX Series.
RELATED DOCUMENTATION
Congure ICMP Features
Congure IPv6 Features
Congure Path MTU Discovery
Congure TCP Opons
Conguring Junos OS to Extend the Default Port Address Range
Understanding Trac Processing on Security Devices
lcd-menu
IN THIS SECTION
Syntax | 83
Hierarchy Level | 84
Descripon | 84
Opons | 84
Required Privilege Level | 84
Release Informaon | 85
83
Syntax
EX3200, EX3300, EX4200, or EX4500 switch:
lcd-menu fpc slot-number {
menu-item (menu-name | menu-option) <disable>;
}
EX6200 or EX8200 switch or XRE200 External Roung Engine:
lcd-menu {
menu-item (menu-name | menu-option) <disable>;
}
Hierarchy Level
[edit chassis]
Descripon
Disable or enable the Maintenance menu or the Status menu in the LCD panel.
Opons
none—(EX6200 and EX8200 switches and XRE200 External Roung Engines only) Disable or enable the
specied menu or menu opons.
84
fpc
slot-number
specied menu or menu opons, where
• 0—On standalone switches.
• 0–9—On a device in a Virtual Chassis. The value is the member ID of the device.
NOTE: This opon is not available on an EX8200 Virtual Chassis. The LCD panel on an
XRE200 External Roung Engine provides informaon for the XRE200 External Roung
Engine only.
disable—(Oponal) Disable the specied menu.
The remaining statement is explained separately. See CLI Explorer.
—(EX3200, EX3300, EX4200, and EX4500 switches only) Disable or enable the
slot-number
is:
Required Privilege Level
interface—To view this statement in the conguraon.
interface-level—To add this statement to the conguraon.
Release Informaon
Statement introduced in Junos OS Release 10.2.
RELATED DOCUMENTATION
Conguring the LCD Panel on EX Series Switches (CLI Procedure)
LCD Panel in EX3200 Switches
LCD Panel in EX3300 Switches
LCD Panel in EX4200 Switches
LCD Panel in EX4500 Switches
LCD Panel in an EX6200 Switch
LCD Panel in an EX8200 Switch
LCD Panel in an XRE200 External Roung Engine
85
locaon
IN THIS SECTION
Syntax | 85
Hierarchy Level | 86
Descripon | 86
Opons | 86
Required Privilege Level | 87
Release Informaon | 87
Syntax
location {
altitude feet;
building name;
country-code code;
floor number;
hcoord horizontal-coordinate;
lata service-area;
latitude degrees;
longitude degrees;
npa-nxx number;
postal-code postal-code;
rack number;
vcoord vertical-coordinate;
}
Hierarchy Level
86
[edit system]
Descripon
Congure the system locaon.
Opons
altude
building
the string contains spaces, enclose it in quotaon marks (" ").
country-code
oor
feet
name
number
—Number of feet above sea level.
—Name of the building. The name of the building can be 1 to 28 characters in length. If
code
—Two-leer country code.
—Floor in the building.
hcoord
lata
service-area
latude
horizontal-coordinate
—Long-distance service area.
degrees
—Latude in degree format.
—Bellcore Horizontal Coordinate.
87
longitude
npa-nxx
postal-code
rack
vcoord
degrees
number
—Longitude in degree format.
—First six digits of the phone number (area code and exchange).
postal-code
number
—Rack number.
vercal-coordinate
—Postal code.
—Bellcore Vercal Coordinate.
Required Privilege Level
system—To view this statement in the conguraon.
system-control—To add this statement to the conguraon.
Release Informaon
Statement introduced in Junos OS Release 11.1.
RELATED DOCUMENTATION
Specifying the Physical Locaon of the Switch
locaon (System)
IN THIS SECTION
Syntax | 88
Hierarchy Level | 88
Descripon | 88
Opons | 89
Required Privilege Level | 89
Release Informaon | 89
Syntax
location {
altitude feet;
building name;
country-code code;
floor number;
hcoord horizontal-coordinate;
lata transport-area;
latitude degrees;
longitude degrees;
npa-nxx number;
postal-code postal-code;
rack number;
vcoord vertical-coordinate;
}
88
Hierarchy Level
[edit system]
Descripon
Congure the system locaon in various formats.
Opons
89
altude
building
country-code
oor
hcoord
lata
latude
longitude
npa-nxx
postal-code
rack
feet
name
number
horizontal-coordinate
transport-area
degrees
degrees
number
number
code
postal-code
Number of feet above sea level.
Name of building. The name of the building can be 1 to 28 characters in
length. If the string contains spaces, enclose it in quotaon marks (" ").
Two-leer country code.
Floor in the building.
Bellcore Horizontal Coordinate.
Local Access Transport Area.
Latude in degree format.
Longitude in degree format.
First six digits of the phone number (area code and exchange).
Postal code.
Rack number.
vcoord
vercal-coordinate
Bellcore Vercal Coordinate.
Required Privilege Level
system—To view this statement in the conguraon.
system-control—To add this statement to the conguraon.
Release Informaon
Statement introduced before Junos OS Release 7.4.
RELATED DOCUMENTATION
Specifying the Device Physical Locaon
max-conguraons-on-ash
IN THIS SECTION
Syntax | 90
Hierarchy Level | 90
Descripon | 90
Opons | 91
Required Privilege Level | 91
90
Release Informaon | 91
Syntax
max-configurations-on-flash number;
Hierarchy Level
[edit system]
Descripon
Specify the number of conguraons stored on the internal xed media storage (for example, USB
device).
Opons
91
number
• Range: 0 through 49. The most recently saved conguraon is number 0, and the oldest saved
—The number of conguraons stored on the CompactFlash card.
conguraon is number 49.
Required Privilege Level
system—To view this statement in the conguraon.
system-control—To add this statement to the conguraon.
Release Informaon
Statement introduced in Junos OS Release 11.1.
RELATED DOCUMENTATION
Saving a Conguraon to a File
Seng or Deleng the Rescue Conguraon
Uploading a Conguraon File
Uploading a Conguraon File
menu-item
IN THIS SECTION
Syntax | 92
Hierarchy Level | 92
Descripon | 92
Loading...