Juniper System Management and Monitoring User Manual

System Management and Monitoring
Published
2021-04-18
User Guide
Juniper Networks, Inc. 1133 Innovation Way Sunnyvale, California 94089 USA 408-745-2000 www.juniper.net
Juniper Networks, the Juniper Networks logo, Juniper, and Junos are registered trademarks of Juniper Networks, Inc. in the United States and other countries. All other trademarks, service marks, registered marks, or registered service marks are the property of their respective owners.
Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.
System Management and Monitoring User Guide
Copyright © 2021 Juniper Networks, Inc. All rights reserved.
The information in this document is current as of the date on the title page.
YEAR 2000 NOTICE
Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.
END USER LICENSE AGREEMENT
The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License Agreement ("EULA") posted at https://support.juniper.net/support/eula/. By downloading, installing or using such software, you agree to the terms and conditions of that EULA.

Table of Contents

About This Guide | ix
1 Manage and Monitor
System Settings | 2
Specifying the Physical Location of the Switch | 2
Modifying the Default Time Zone for a Router or Switch Running Junos OS | 3
Configuring Junos OS to Extend the Default Port Address Range | 4
Configuring Junos OS to Select a Fixed Source Address for Locally Generated TCP/IP Packets | 5
Rebooting and Halting a Device | 6
Hostnames | 8
Configuring the Hostname of a Device by Using a Configuration Group | 8
Mapping the Hostname of the Switch to IP Addresses | 10
Example: Configuring the Name of the Switch, IP Address, and System ID | 10
Understanding and Configuring DNS | 11
DNS Overview | 11
Configuring a DNS Name Server for Resolving Hostnames into Addresses | 12
Configure ICMP Features | 16
Protocol Redirect Messages | 16
Disable the Routing Engine Response to Multicast Ping Packets | 18
Disable Reporting IP Address and Timestamps in Ping Responses | 18
Configure Junos OS to Ignore ICMP Source Quench Messages | 19
Rate Limit ICMPv4 and ICMPv6 Traffic | 20
Rate Limit ICMPv4 and ICMPv6 Error Messages | 20
Alarms | 22
System Alarms | 23
Configuring Junos OS to Determine Conditions That Trigger Alarms on Different Interface Types | 23
System-Wide Alarms and Alarms for Each Interface Type | 24
System Troubleshooting | 27
Saving Core Files Generated by Junos OS Processes | 27
Viewing Core Files from Junos OS Processes | 28
Device Monitoring | 28
Monitoring System Properties | 29
Monitoring System Process Information | 32
Monitoring Interfaces | 33
Other Tools to Configure and Monitor Devices Running Junos OS | 35
Passive Monitoring | 36
Understanding Passive Monitoring | 37
Example: Configuring Passive Monitoring on QFX10000 Switches | 38
Requirements | 38
Overview | 38
Configuration | 39
Verification | 42
How to Locate a Device or Port Using the Chassis Beacon | 45
Turning On the Chassis Beacon For the Default Interval | 46
Turning On the Chassis Beacon For a Specified Interval | 47
2 Configuration Statements
checksum | 51
compress-configuration-files (System) | 53
domain-name | 54
domain-search | 56
enhanced-hash-key | 57
ethernet (Alarm) | 66
hardware-timestamp | 67
host-name | 68
inet (enhanced-hash-key) | 70
inet6-backup-router | 73
inet6 (enhanced-hash-key) | 75
internet-options | 78
lcd-menu | 83
location | 85
location (System) | 87
max-configurations-on-flash | 90
menu-item | 91
no-multicast-echo | 97
no-ping-record-route | 98
no-ping-time-stamp | 99
no-redirects (IPv4 Traffic) | 101
optional | 103
passive-monitor-mode | 104
ports | 106
ports | 108
power | 109
processes | 112
saved-core-context | 115
saved-core-files | 116
static-host-mapping | 118
time-format | 120
time-zone | 122
traceoptions (Layer 2 Learning) | 125
traceoptions (SBC Configuration Process) | 129
use-imported-time-zones | 131
3 Operational Commands
clear log | 137
clear chassis display message | 139
clear system commit | 143
clear system reboot | 146
request chassis beacon | 151
request chassis cb | 155
request chassis fabric plane | 160
request chassis fpc | 164
request chassis pic | 172
request chassis routing-engine master | 179
request system halt | 187
request system logout | 196
request system power-off | 198
request system reboot | 205
set chassis display message | 216
set date | 221
show chassis alarms | 223
show chassis beacon | 251
show chassis environment | 254
show chassis environment fpc | 373
show chassis environment pem | 456
show chassis environment power-supply-unit | 478
show chassis environment psu | 480
show chassis environment routing-engine | 482
show chassis ethernet-switch | 494
show chassis fan | 547
show chassis firmware | 566
show chassis fpc | 587
show chassis fabric fpcs | 647
show chassis fabric map | 688
show chassis fabric plane | 699
show chassis fabric plane-location | 741
show chassis fabric sibs | 753
show chassis fabric summary | 773
show chassis hardware | 785
show chassis lcd | 807
show chassis led | 828
show chassis location | 844
show chassis mac-addresses | 850
show chassis pic | 859
show chassis routing-engine | 897
show chassis temperature-thresholds | 928
show chassis zones | 968
show forwarding-options enhanced-hash-key | 980
show host | 988
show interfaces diagnostics optics | 991
show subscribers | 1001
show system alarms | 1053
show system audit | 1058
show system buffers | 1070
show system certificate | 1080
show system commit | 1084
show system connections | 1089
show system core-dumps | 1099
show system directory-usage | 1119
show system firmware | 1126
show system reboot | 1130
show system software | 1136
show system statistics | 1141
show system storage | 1159
show system uptime | 1169
show system virtual-memory | 1177
show version | 1190
start shell | 1198
test configuration | 1200

About This Guide

Use this guide to manage and monitor Juniper switches with the Junos OS command-line interface.

CHAPTER 1

Manage and Monitor

System Settings | 2
Hostnames | 8
Understanding and Configuring DNS | 11
Configure ICMP Features | 16
Alarms | 22
System Troubleshooting | 27
Device Monitoring | 28
Passive Monitoring | 36
How to Locate a Device or Port Using the Chassis Beacon | 45
System Settings
IN THIS SECTION
Specifying the Physical Location of the Switch | 2
Modifying the Default Time Zone for a Router or Switch Running Junos OS | 3
Configuring Junos OS to Extend the Default Port Address Range | 4
Configuring Junos OS to Select a Fixed Source Address for Locally Generated TCP/IP Packets | 5
Rebooting and Halting a Device | 6
Specifying the Physical Location of the Switch
To specify the physical location of the switch, specify the following options for the location statement at the [edit system] hierarchy level:
altitude feet—Number of feet above sea level.
building name—Name of the building, 1 to 28 characters in length. If the string contains spaces, enclose it in quotation marks (" ").
country-code code—Two-letter country code.
floor number—Floor in the building.
hcoord horizontal-coordinate—Bellcore Horizontal Coordinate.
lata service-area—Long-distance service area.
latitude degrees—Latitude in degree format.
longitude degrees—Longitude in degree format.
npa-nxx number—First six digits of the phone number (area code and exchange).
postal-code postal-code—Postal code.
rack number—Rack number.
vcoord vertical-coordinate—Bellcore Vertical Coordinate.
The following example shows how to specify the physical location of the switch:
[edit system]
location {
altitude feet;
building name;
country-code code;
floor number;
hcoord horizontal-coordinate;
lata service-area;
latitude degrees;
longitude degrees;
npa-nxx number;
postal-code postal-code;
rack number;
vcoord vertical-coordinate;
}
SEE ALSO
Example: Configuring the Name of the Switch, IP Address, and System ID

Modifying the Default Time Zone for a Router or Switch Running Junos OS

The default local time zone on the router or switch is UTC (Coordinated Universal Time, formerly known as Greenwich Mean Time, or GMT).
• To modify the local time zone, include the time-zone statement at the [edit system] hierarchy level:
[edit system]
time-zone (GMT hour-offset | time-zone);
You can use the GMT hour-offset option to set the time zone relative to UTC (GMT) time. By default, hour-offset is 0. You can configure this to be a value from –14 to +12.
You can also specify the time-zone value as a string such as PDT (Pacific Daylight Time) or WET (Western European Time), or specify the continent and major city.
NOTE: Junos OS complies with the POSIX time-zone standard, which is counter-intuitive to the way time zones are generally indicated relative to UTC. A time zone ahead of UTC (east of the Greenwich meridian) is commonly indicated as GMT +n; for example, the Central European Time (CET) zone is indicated as GMT +1. However, this is not true for POSIX time zone designations. POSIX indicates CET as GMT-1. If you include the set system time-zone GMT+1 statement for a router in the CET zone, your router time will be set to one hour behind GMT, or two hours behind the actual CET time. For this reason, you might find it easier to use the POSIX time-zone strings, which you can list by entering set system time-zone ?. A wrong offset shifts every syslog and audit timestamp the device emits, which matters when you correlate events across devices; many operators therefore leave devices on UTC and convert on the log collector.
For the time zone change to take effect for all processes running on the router or switch, you must reboot the router or switch.
The following example shows how to change the current time zone to America/New_York:
[edit]
user@host# set system time-zone America/New_York
[edit]
user@host# show
system {
time-zone America/New_York;
}
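As an added example (not part of the Junos guide), the following Python helper makes the POSIX sign inversion described in the note above concrete: it recovers the real UTC offset behind a GMT-style time-zone value, produces the value to configure for a desired conventional offset, and converts a device syslog timestamp to UTC for correlation with other log sources. The hour-offset range (–14 to +12) is the one stated above; the syslog timestamp format is assumed to be the classic BSD form without a year, and named zones such as America/New_York are out of scope for this helper.

```python
"""Added example, not from the Junos guide: reason about Junos GMT-style time-zone
values, which follow POSIX semantics (GMT+1 means one hour BEHIND UTC)."""
import re
from datetime import datetime, timedelta, timezone

# Matches "GMT", "GMT+1", "GMT-14", ... (named zones are not handled here).
_GMT_RE = re.compile(r"^GMT(?:([+-])(\d{1,2}))?$")


def configured_hour_offset(tz_setting: str) -> int:
    """Return the hour-offset literally present in `set system time-zone GMT<hour-offset>`.

    Valid hour-offsets are -14 through +12, the range the guide documents."""
    m = _GMT_RE.match(tz_setting.strip())
    if not m:
        raise ValueError(f"not a GMT hour-offset value: {tz_setting!r}")
    sign, digits = m.groups()
    if sign is None:
        return 0
    offset = int(digits) if sign == "+" else -int(digits)
    if not -14 <= offset <= 12:
        raise ValueError(f"hour-offset {offset} outside -14..+12")
    return offset


def real_utc_offset_hours(tz_setting: str) -> int:
    """True local-time offset from UTC. POSIX inverts the sign: GMT+1 -> UTC-1."""
    return -configured_hour_offset(tz_setting)


def junos_value_for_utc_offset(utc_offset_hours: int) -> str:
    """The GMT string to configure so that local time is UTC+utc_offset_hours.

    For CET (UTC+1) this returns 'GMT-1', exactly as the note above warns."""
    if not -12 <= utc_offset_hours <= 14:
        raise ValueError("offset outside the range Junos accepts")
    if utc_offset_hours == 0:
        return "GMT"
    return f"GMT{-utc_offset_hours:+d}"


def syslog_to_utc(syslog_ts: str, tz_setting: str, year: int) -> datetime:
    """Convert a classic BSD syslog stamp ("Apr 18 10:00:00", no year) written by a
    device configured with tz_setting into an aware UTC datetime.

    Incident responders need this when a device was set to GMT+1 'for CET': its
    clock actually shows UTC-1, so every log line is two hours off CET wall time."""
    naive = datetime.strptime(f"{year} {syslog_ts}", "%Y %b %d %H:%M:%S")
    local_tz = timezone(timedelta(hours=real_utc_offset_hours(tz_setting)))
    return naive.replace(tzinfo=local_tz).astimezone(timezone.utc)


if __name__ == "__main__":
    print(junos_value_for_utc_offset(1))                    # GMT-1
    print(real_utc_offset_hours("GMT+1"))                   # -1
    print(syslog_to_utc("Apr 18 10:00:00", "GMT+1", 2021))  # 2021-04-18 11:00:00+00:00
```

The device-side check is the same as the one in the note: `set system time-zone ?` lists the POSIX strings, and `show system uptime` shows the resulting local time next to UTC, so a configured GMT+1 device in CET is visibly two hours behind its wall clock.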
SEE ALSO
Understanding NTP Time Servers
Updating the IANA Time Zone Database on Junos OS Devices
Configuring Junos OS to Extend the Default Port Address Range
By default, the upper limit of the range from which Junos OS selects source (ephemeral) port numbers is 5000. You can increase the range from which the port number is selected to make it harder for an attacker to predict the source port of a connection.
• To configure Junos OS to extend the default port address range, include the source-port statement at the [edit system internet-options] hierarchy level:
[edit system internet-options]
source-port upper-limit upper-limit;
upper-limit is the upper limit of a source port address and can be a value from 5000 through 65535.
SEE ALSO
Configure TCP Options
Configure ARP Learning and Aging Options
Configuring Junos OS to Select a Fixed Source Address for Locally Generated TCP/IP Packets
By default, the source address included in locally generated Transmission Control Protocol/IP (TCP/IP) packets, such as FTP traffic, and in User Datagram Protocol (UDP) and IP packets, such as Network Time Protocol (NTP) requests, is chosen as the local address for the interface on which the traffic is transmitted. This means that the local address chosen for packets to a particular destination might change from connection to connection based on the interface that the routing protocol has chosen to reach the destination when the connection is established. If multiple equal-cost next hops are present for a destination, locally generated packets use the lo0 address as a source.
• To configure the software to select a fixed address to use as the source for locally generated IP packets, include the default-address-selection statement at the [edit system] hierarchy level:
[edit system]
default-address-selection;
If you include the default-address-selection statement in the configuration, the Junos OS chooses the system default address as the source for most locally generated IP packets. The default address is usually an address configured on the lo0 loopback interface. For example, if you specified that SSH and telnet use a particular address, but you also have default-address-selection configured, the system default address is used.
Rebooting and Halting a Device
To reboot the switch, issue the request system reboot command.
user@switch> request system reboot ?
Possible completions:
<[Enter]> Execute this command
all-members Reboot all virtual chassis members
at Time at which to perform the operation
both-routing-engines Reboot both the Routing Engines
fast-boot Enable fast reboot
hypervisor Reboot Junos OS, host OS, and Hypervisor
in Number of minutes to delay before operation
local Reboot local virtual chassis member
member Reboot specific virtual chassis member (0..9)
message Message to display to all users
other-routing-engine Reboot the other Routing Engine
| Pipe through a command
{master:0}
user@switch> request system reboot
Reboot the system ? [yes,no] (no) yes
Rebooting switch
NOTE: Not all options shown in the preceding command output are available on all QFX Series, OCX Series, and EX4600 switches. See the documentation for the request system reboot command for details about options.
NOTE: When you issue the request system reboot hypervisor command on QFX10000 switches, the reboot takes longer than a standard Junos OS reboot.
Similarly, to halt the switch, issue the request system halt command.
CAUTION: Before entering this command, you must have access to the switch’s console port in order to bring up the Routing Engine.
user@switch> request system halt ?
Possible completions:
<[Enter]> Execute this command
all-members Halt all virtual chassis members
at Time at which to perform the operation
backup-routing-engine Halt backup Routing Engine
both-routing-engines Halt both Routing Engines
in Number of minutes to delay before operation
local Halt local virtual chassis member
member Halt specific virtual chassis member (0..9)
message Message to display to all users
other-routing-engine Halt other Routing Engine
| Pipe through a command
NOTE: When you issue this command on an individual component in a QFabric system, you will receive a warning that says “Hardware-based members will halt, Virtual Junos Routing Engines will reboot.” If you want to halt only one member, use the member option. You cannot issue this command from the QFabric CLI.
Issuing the request system halt command on the switch halts the Routing Engine. To reboot a Routing Engine that has been halted, you must connect through the console.
SEE ALSO
clear system reboot
request system halt
request system power-off
Connecting a QFX Series Device to a Management Console
RELATED DOCUMENTATION
Disable Reporting IP Address and Timestamps in Ping Responses

Hostnames

IN THIS SECTION
Configuring the Hostname of a Device by Using a Configuration Group | 8
Mapping the Hostname of the Switch to IP Addresses | 10
Example: Configuring the Name of the Switch, IP Address, and System ID | 10
Configuring the Hostname of a Device by Using a Configuration Group
The hostname of a Junos OS or Junos OS Evolved device is its identification. A network device must have its identity established to be accessible on the network. That is perhaps the most important reason to have a hostname, but a hostname has other purposes.
The software uses the configured hostname as part of the command prompt and to prepend log files and other accounting information. The hostname is also used anywhere else when knowing the device identity is important. For these reasons, we recommend hostnames be descriptive and memorable.
You can configure the hostname at the [edit system] hierarchy level, a procedure shown in Configuring a Device’s Unique Identity for the Network. Optionally, instead of configuring the hostname at the [edit system] hierarchy level, you can use a configuration group, as shown in this procedure. This is a recommended best practice for configuring the hostname, especially if the device has dual Routing Engines. This procedure uses groups called re0 and re1 as an example.
NOTE: Starting with Junos OS Release 13.2R3, if you configure hostnames that are longer than the CLI screen width, regardless of the terminal screen width setting, the commit operation occurs successfully. Even if the terminal screen width is less than the hostname length, commit is successful.
In Junos OS releases earlier than Release 13.2R3, if you configured such hostnames by using the host-name statement at the [edit system] hierarchy level and the terminal screen width was less than the length of the hostname by using the set cli screen-width statement, a foreign file propagation (ffp) failure error message is displayed when you attempt to commit the configuration. In such a case, because of the ffp failure, the commit operation does not complete and you cannot recover the router unless you make the modification in the backend in the juniper.conf.gz file and commit the change from the shell prompt.
To set the hostname using a conguraon group:
1. Include the host-name statement in the configuration at the [edit groups group-name system] hierarchy level.
The name value must be less than 256 characters.
[edit groups group-name system]
host-name hostname;
For example:
[edit groups re0 system]
root@# set host-name san-jose-router0
[edit groups re1 system]
root@# set host-name san-jose-router1
2. If you used one or more configuration groups, apply the configuration groups, substituting the appropriate group names.
For example:
[edit]
user@host# set apply-groups [re0 re1]
3. Commit the changes.
[edit]
root@# commit
The hostname subsequently appears in the device CLI prompt.
san-jose-router0#

Mapping the Hostname of the Switch to IP Addresses

To map a hostname of a switch to one or more IP addresses, include the inet statement at the [edit system static-host-mapping hostname] hierarchy level:
[edit system]
static-host-mapping {
hostname {
inet [ addresses ];
alias [ aliases ];
}
}
hostname is the name specified by the host-name statement at the [edit system] hierarchy level.
For each host, you can specify one or more aliases.
SEE ALSO
Configuring a DNS Name Server for Resolving Hostnames into Addresses
Configuring a Device’s Unique Identity for the Network
static-host-mapping
Example: Conguring the Name of the Switch, IP Address, and System ID
The following example shows how to configure the switch name, map the name to an IP address and alias, and configure a system identifier:
[edit]
user@switch# set system host-name switch-sj1
[edit]
user@switch# set system static-host-mapping switch-sj1 inet 192.168.1.77
[edit]
user@switch# set system static-host-mapping switch-sj1 alias sj1
[edit]
user@switch# set system static-host-mapping switch-sj1 sysid 1921.6800.1077
[edit]
user@switch# show
system {
host-name switch-sj1;
static-host-mapping {
switch-sj1 {
inet 192.168.1.77;
alias sj1;
sysid 1921.6800.1077;
}
}
}
Understanding and Configuring DNS
IN THIS SECTION
DNS Overview | 11
Configuring a DNS Name Server for Resolving Hostnames into Addresses | 12

DNS Overview

IN THIS SECTION
DNS Components | 12
DNS Server Caching | 12
A Domain Name System (DNS) is a distributed hierarchical system that converts hostnames to IP addresses. The DNS is divided into sections called zones. Each zone has name servers that respond to the queries belonging to their zones.
This topic includes the following sections:
DNS Components
DNS includes three main components:
• DNS resolver: Resides on the client side of the DNS. When a user sends a hostname request, the resolver sends a DNS query request to the name servers to request the hostname's IP address.
• Name servers: Process the DNS query requests received from the DNS resolver and return the IP address to the resolver.
• Resource records: Data elements that define the basic structure and content of the DNS.
DNS Server Caching
DNS name servers are responsible for providing the hostname IP address to users. The TTL field in the resource record defines the period for which DNS query results are cached. When the TTL value expires, the name server sends a fresh DNS query and updates the cache.
SEE ALSO
Configuring the TTL Value for DNS Server Caching
Configuring a DNS Name Server for Resolving Hostnames into Addresses
Domain Name System (DNS) name servers are used for resolving hostnames to IP addresses.
Before you begin, configure your name servers with the hostname and an IP address for your Juniper Networks device. It does not matter which IP address you assign as the address of your device in the name server, as long as it is an address that reaches your device. Normally, you would use the management interface IP address, but you can choose the loopback interface IP address, or a network interface IP address, or even configure multiple addresses on the name server.
For redundancy, it is a best practice to configure access to multiple name servers. You can configure a maximum of three name servers. The approach is similar to the way Web browsers resolve the names of a Web site to its network address. Additionally, the software enables you to configure one or more domain names, which it uses to resolve hostnames that are not fully qualified (in other words, the domain name is missing). This is convenient because you can use a hostname in configuring and operating the software without the need to reference the full domain name. After adding name server addresses and domain names to your configuration, you can use DNS resolvable hostnames in your configurations and commands instead of IP addresses.
Optionally, instead of configuring the name server at the [edit system] hierarchy level, you can use a configuration group, as shown in this procedure. This is a recommended best practice for configuring the name server.
Starting in Junos OS Release 19.2R1, you can route traffic between a management routing instance and DNS name server. Configure a routing instance at the [edit system name-server server-ip-address] hierarchy level and the name server becomes reachable through this routing instance.
NOTE: This management routing instance option is not supported for SRX Series devices.
To enable a management routing instance for DNS, configure the following:
user@host# set system management-instance
user@host# set routing-instances mgmt_junos description description
user@host# set system name-server server-ip-address routing-instance mgmt_junos
If you have configured the name server using a configuration group, use the [edit groups group-name system name-server] hierarchy level, which is a recommended best practice for configuring the name server.
To congure the device to resolve hostnames into addresses:
1. Reference the IP addresses of your name servers.
[edit groups group-name system]
name-server {
address;
}
The following example shows how to reference two name servers:
[edit groups global system]
user@host# set name-server 192.168.1.253
user@host# set name-server 192.168.1.254
user@host# show
name-server {
192.168.1.253/32;
192.168.1.254/32;
}
2. (Optional) Configure the routing instance for DNS.
The following example shows how to configure the routing-instance for one of the name servers:
[edit groups global system]
user@host# set name-server 192.168.1.253 routing-instance mgmt_junos
Remember to also configure the following:
management-instance statement at the [edit system] hierarchy level
routing-instance statement at the [edit routing-instances] hierarchy level.
3. (Optional) Configure the name of the domain in which the device itself is located.
This is a good practice. The software then uses this configured domain name as the default domain name to append to hostnames that are not fully qualified.
[edit system]
domain-name domain-name;
The following example shows how to congure the domain name:
[edit groups global system]
user@host# set domain-name company.net
user@host# show
domain-name company.net;
4. (Oponal) Congure a list of domains to be searched.
If your device can reach several dierent domains, you can congure these as a list of domains to be searched. The soware then uses this list to set an order in which it appends domain names when searching for the IP address of a host.
[edit groups global system]
domain-search [ domain-list ];
The domain list can contain up to six domain names, with a total of up to 256 characters.
The following example shows how to configure three domains to be searched. This example configures the software to search the company.net domain, then the domainone.net domain, and then the domainonealternate.com domain when attempting to resolve unqualified hosts.
[edit groups global system]
domain-search [ company.net domainone.net domainonealternate.com ]
5. If you used a configuration group, apply the configuration group, substituting global with the appropriate group name.
[edit]
user@host# set apply-groups global
6. Commit the conguraon.
user@host# commit
7. Verify the conguraon.
If you have configured your name server with the hostname and an IP address for your device, you can issue the following commands to confirm that DNS is working and reachable. You can either use the configured hostname to confirm resolution to the IP address or use the IP address of your device to confirm resolution to the configured hostname.
user@host> show host host-name
user@host> show host host-ip-address
For example:
user@host> show host device.example.net
device.example.net has address 192.168.187.1
user@host> show host 192.168.187.1
1.187.168.192.in-addr.arpa domain name pointer device.example.net.
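As an added example (not part of the Junos guide), the following Python module models what the procedure above configures and checks: the limits on name-server and domain-search statements, the order in which a search list qualifies a short hostname, the in-addr.arpa owner name that the reverse `show host` lookup resolves, and the forward/reverse consistency check from step 7. The limits are those stated above; the qualification order follows standard BSD/glibc resolver rules and is labelled as an assumption; all hostnames, addresses and records are constructed sample data.

```python
"""Added example, not from the Junos guide: model the resolver behaviour that the
name-server, domain-name and domain-search statements configure, plus the
forward/reverse checks `show host` performs. All data below is constructed."""
import ipaddress

MAX_NAME_SERVERS = 3      # "You can configure a maximum of three name servers."
MAX_SEARCH_DOMAINS = 6    # "The domain list can contain up to six domain names ..."
MAX_SEARCH_CHARS = 256    # "... with a total of up to 256 characters."


def validate_resolver_config(name_servers, domain_search=()):
    """Reject a name-server / domain-search set that exceeds the documented limits
    or lists something that is not a literal IP address (a hostname here would be
    circular: the device needs DNS to find its DNS server)."""
    if not 1 <= len(name_servers) <= MAX_NAME_SERVERS:
        raise ValueError(f"need 1..{MAX_NAME_SERVERS} name servers, got {len(name_servers)}")
    for ns in name_servers:
        ipaddress.ip_address(ns)  # raises ValueError for anything that is not an address
    if len(domain_search) > MAX_SEARCH_DOMAINS:
        raise ValueError(f"domain-search lists more than {MAX_SEARCH_DOMAINS} domains")
    if sum(len(d) for d in domain_search) > MAX_SEARCH_CHARS:
        raise ValueError(f"domain-search exceeds {MAX_SEARCH_CHARS} characters")
    return True


def search_candidates(name, domain_name=None, domain_search=()):
    """Names the resolver will try, in order, for `name`.

    Assumption (standard BSD/glibc resolver rules, not a statement from the guide):
    a trailing dot makes the name absolute; a name without dots is qualified with
    each search domain before being tried bare; a dotted name is tried bare first.
    domain-search, when present, replaces the single domain-name default."""
    if name.endswith("."):
        return [name.rstrip(".")]
    suffixes = list(domain_search) or ([domain_name] if domain_name else [])
    qualified = [f"{name}.{d}" for d in suffixes]
    return ([name] + qualified) if "." in name else (qualified + [name])


def ptr_name(addr):
    """Reverse-lookup owner name for an IPv4 or IPv6 address, e.g.
    192.168.187.1 -> 1.187.168.192.in-addr.arpa (least-significant octet first)."""
    return ipaddress.ip_address(addr).reverse_pointer


def check_forward_reverse(hostname, addr, a_records, ptr_records):
    """The two `show host` checks from step 7, run against in-memory zone data:
    does hostname -> addr, and does PTR(addr) -> hostname (with its trailing dot)?"""
    forward_ok = addr in a_records.get(hostname, ())
    reverse_ok = ptr_records.get(ptr_name(addr)) == hostname.rstrip(".") + "."
    return forward_ok, reverse_ok


# Constructed sample zone data mirroring the example output in step 7.
A_RECORDS = {"device.example.net": ["192.168.187.1"]}
PTR_RECORDS = {"1.187.168.192.in-addr.arpa": "device.example.net."}

if __name__ == "__main__":
    validate_resolver_config(["192.168.1.253", "192.168.1.254"],
                             ["company.net", "domainone.net", "domainonealternate.com"])
    print(search_candidates("device", domain_search=["company.net", "domainone.net"]))
    print(ptr_name("192.168.187.1"))
    print(check_forward_reverse("device.example.net", "192.168.187.1", A_RECORDS, PTR_RECORDS))
```

A mismatch between the forward and reverse results is worth chasing: tools that log the resolved name of the device, or that enforce matching forward and reverse records, behave differently from what the operator expects when the PTR points somewhere else.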
SEE ALSO
name-server (System Services)
domain-search
RELATED DOCUMENTATION
Understanding Hostnames
DNSSEC Overview
Configure ICMP Features
IN THIS SECTION
Protocol Redirect Messages | 16
Disable the Routing Engine Response to Multicast Ping Packets | 18
Disable Reporting IP Address and Timestamps in Ping Responses | 18
Configure Junos OS to Ignore ICMP Source Quench Messages | 19
Rate Limit ICMPv4 and ICMPv6 Traffic | 20
Rate Limit ICMPv4 and ICMPv6 Error Messages | 20
Learn more about how to configure Internet Control Message Protocol (ICMP) features.

Protocol Redirect Messages

IN THIS SECTION
Understanding Protocol Redirect Messages | 17
Disable Protocol Redirect Messages | 17
ICMP redirect, also known as protocol redirect, is a mechanism used by switches and routers to convey routing information to hosts. Devices use protocol redirect messages to notify the hosts on the same data link of the best route available for a given destination. All EX Series switches support sending protocol redirect messages for both IPv4 and IPv6 traffic.
NOTE: Switches do not send protocol redirect messages if the data packet contains routing information.
Understanding Protocol Redirect Messages
Protocol redirect messages inform a host to update its routing information and to send packets on an alternate route. Suppose a host tries to send a data packet through a switch S1 and S1 sends the data packet to another switch, S2. Also, suppose that a direct path from the host to S2 is available (that is, the host and S2 are on the same Ethernet segment). S1 then sends a protocol redirect message to inform the host that the best route for the destination is the direct route to S2. The host should then send packets directly to S2 instead of sending them through S1. S2 still sends the original packet that it received from S1 to the intended destination.
Refer to RFC 1122 and RFC 4861 for more details on protocol redirecting.
Disable Protocol Redirect Messages
By default, devices send protocol redirect messages for both IPv4 and IPv6 traffic. For security reasons, you may want to disable the device from sending protocol redirect messages: redirects reveal next-hop and topology details to every host on the segment, and because hosts change their routes when they accept a redirect, most hardening baselines turn redirect generation off on infrastructure devices.
To disable protocol redirect messages for the entire device, include the no-redirects or no-redirects-ipv6 statement at the [edit system] hierarchy level.
• For IPv4 traffic:
[edit system]
user@host# set no-redirects
• For IPv6 traffic:
[edit system]
user@host# set no-redirects-ipv6
To re-enable the sending of redirect messages on the device, delete the no-redirects statement (for IPv4 traffic) or the no-redirects-ipv6 statement (for IPv6 traffic) from the configuration.
To disable protocol redirect messages on a per-interface basis, include the no-redirects statement at the [edit interfaces interface-name unit logical-unit-number family family] hierarchy level.
• For IPv4 traffic:
[edit interfaces interface-name unit logical-unit-number]
user@host# set family inet no-redirects
• For IPv6 traffic:
[edit interfaces interface-name unit logical-unit-number]
user@host# set family inet6 no-redirects
Disable the Routing Engine Response to Multicast Ping Packets
By default, the Routing Engine responds to ICMP echo requests sent to multicast group addresses. By configuring the Routing Engine to ignore multicast ping packets, you can prevent unauthorized persons from discovering the list of provider edge (PE) devices in the network.
To disable the Routing Engine from responding to these ICMP echo requests, include the no-multicast-echo statement at the [edit system] hierarchy level:
[edit system]
no-multicast-echo;
Disable Reporting IP Address and Timestamps in Ping Responses
When you issue the ping command with the record-route option, the Routing Engine displays the path of the ICMP echo request packets and the timestamps in the ICMP echo responses by default. By configuring the no-ping-record-route and no-ping-time-stamp options, you can prevent unauthorized persons from discovering information about the provider edge (PE) device and its loopback address.
You can configure the Routing Engine to disable the setting of the record-route option in the IP header of the ping request packets. Disabling the record-route option prevents the Routing Engine from recording and displaying the path of the ICMP echo request packets in the response.
To configure the Routing Engine to disable the setting of the record route option, include the no-ping-record-route statement at the [edit system] hierarchy level:
[edit system]
no-ping-record-route;
To disable the reporting of timestamps in the ICMP echo responses, include the no-ping-time-stamp option at the [edit system] hierarchy level:
[edit system]
no-ping-time-stamp;
Configure Junos OS to Ignore ICMP Source Quench Messages
By default, the device reacts to Internet Control Message Protocol (ICMP) source quench messages. ICMP source quench was deprecated by RFC 6633 because the messages are trivially forged and can be used to throttle a victim's TCP sessions, so ignoring them is the safer setting. To ignore ICMP source quench messages, include the no-source-quench statement at the [edit system internet-options] hierarchy level:
[edit system internet-options]
no-source-quench;
To stop ignoring ICMP source quench messages, use the source-quench statement:
[edit system internet-options]
source-quench;
Rate Limit ICMPv4 and ICMPv6 Traffic
To limit the rate at which ICMPv4 or ICMPv6 messages can be generated by the Routing Engine and sent to the Routing Engine, include the appropriate rate limiting statement at the [edit system internet-options] hierarchy level.
• For IPv4:
[edit system internet-options]
icmpv4-rate-limit bucket-size bucket-size packet-rate packet-rate
• For IPv6:
[edit system internet-options]
icmpv6-rate-limit bucket-size bucket-size packet-rate packet-rate

Rate Limit ICMPv4 and ICMPv6 Error Messages

IN THIS SECTION
Why to Rate Limit ICMPv4 and ICMPv6 Error Messages | 21
How to Rate Limit ICMPv4 and ICMPv6 Error Messages | 21
By default, ICMP error messages for non-ttl-expired IPv4 and IPv6 packets are generated at the rate of 1 packet per second (pps). You can adjust this rate to a value that you decide provides sufficient information for your network without causing network congestion.
NOTE: For ttl-expired IPv4 or IPv6 packets, the rate for ICMP error messages is not configurable. It is fixed at 500 pps.
Why to Rate Limit ICMPv4 and ICMPv6 Error Messages
An example use case for adjusting the rate limit is a data center providing web services. Suppose this data center has many servers on the network that use jumbo frames with an MTU of 9100 bytes when they communicate to hosts over the Internet. These other hosts require an MTU of 1500 bytes. Unless maximum segment size (MSS) is enforced on both sides of the connection, a server might reply with a packet that is too large to be transmitted across the Internet without being fragmented when it reaches the edge router in the data center.
Because TCP/IP implementations often have Path MTU Discovery enabled by default with the don't-fragment bit set to 1, a transit device will drop a packet that is too big rather than fragmenting it. The device will return an ICMP error message indicating the destination was unreachable because the packet was too big. The message will also provide the MTU that is required where the error occurred. The sending host should adjust the sending MSS for that connection and resend the data in smaller packet sizes to avoid the fragmentation issue.
At high core interface speeds, the default rate limit of 1 pps for the error messages may not be enough to notify all the hosts when there are many hosts in the network that require this service. The consequence is that outbound packets are silently dropped. This action can trigger additional retransmissions or back-off behaviors, depending on the volume of requests that the data center edge router is handling on each core-facing interface.
In this situation, you can increase the rate limit so that a higher volume of packet-too-big error messages reaches the sending hosts. (Adding more core-facing interfaces can also help resolve the problem.)
How to Rate Limit ICMPv4 and ICMPv6 Error Messages
Although you configure the rate limit at the [edit chassis] hierarchy level, it is not a chassis-wide limit. Instead, the rate limit applies per interface family. This means, for example, that multiple physical interfaces configured with family inet can simultaneously generate the ICMP error messages at the configured rate.
NOTE: This rate limit takes effect only for traffic that lasts 10 seconds or longer. The rate limit is not applied to traffic with a shorter duration, such as 5 seconds or 9 seconds.
• To configure the rate limit for ICMPv4, use the icmp statement:
[edit chassis]
user@host# set icmp rate-limit rate-limit
Starting in Junos OS Release 19.1R1, the maximum rate increased from 50 pps to 1000 pps.
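As an added example (not part of the Junos guide), the following Python script audits a Junos configuration in `show configuration | display set` form for the hardening statements this chapter documents: the system-wide and per-interface no-redirects knobs, no-multicast-echo, no-ping-record-route, no-ping-time-stamp, no-source-quench, the ICMP rate limits, the source-port upper limit and default-address-selection. The two configurations embedded in it are constructed sample input (the rate-limit values in the hardened sample are illustrative); the statement names are the ones shown in this chapter, and the checklist itself is the editor's, not Juniper's.

```python
"""Added example, not from the Junos guide: audit a Junos configuration (in
`show configuration | display set` form) for the hardening statements this
chapter documents. The configurations below are constructed sample input."""

# Statement the guide documents -> why its absence is a finding.
REQUIRED_STATEMENTS = {
    "set system no-redirects": "ICMPv4 redirects are sent (topology disclosure)",
    "set system no-redirects-ipv6": "ICMPv6 redirects are sent",
    "set system no-multicast-echo": "RE answers multicast ping (PE enumeration)",
    "set system no-ping-record-route": "record-route set in ping requests",
    "set system no-ping-time-stamp": "timestamps reported in echo responses",
    "set system internet-options no-source-quench": "ICMP source quench honoured",
    "set system default-address-selection": "RE-sourced traffic uses interface addresses",
}
SOURCE_PORT_PREFIX = ("set", "system", "internet-options", "source-port", "upper-limit")
MAX_PORT = 65535


def parse_set_config(text):
    """Return the `set ...` lines as token tuples; blank lines and anything else are skipped."""
    stmts = set()
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("set "):
            stmts.add(tuple(line.split()))
    return stmts


def audit_icmp_hardening(text):
    """Return a sorted list of findings (an empty list means every check passed)."""
    stmts = parse_set_config(text)
    findings = []

    for stmt, why in REQUIRED_STATEMENTS.items():
        if tuple(stmt.split()) not in stmts:
            findings.append(f"missing: {stmt} ({why})")

    # Ephemeral source ports: the default upper limit of 5000 leaves a small, guessable range.
    upper = [int(s[5]) for s in stmts if len(s) == 6 and s[:5] == SOURCE_PORT_PREFIX]
    if not upper:
        findings.append(f"missing: {' '.join(SOURCE_PORT_PREFIX)} {MAX_PORT} (default upper limit is 5000)")
    elif upper[0] < MAX_PORT:
        findings.append(f"weak: source-port upper-limit {upper[0]} (raise to {MAX_PORT})")

    # Rate limits on ICMP generated by / sent to the Routing Engine.
    for fam in ("icmpv4", "icmpv6"):
        prefix = ("set", "system", "internet-options", f"{fam}-rate-limit")
        if not any(s[:4] == prefix for s in stmts):
            findings.append(f"missing: {' '.join(prefix)} bucket-size <n> packet-rate <n>")

    # Without the system-wide knob, every family inet unit needs its own no-redirects.
    if ("set", "system", "no-redirects") not in stmts:
        units = {}
        for s in stmts:
            if len(s) >= 7 and s[1] == "interfaces" and s[3] == "unit" and s[5:7] == ("family", "inet"):
                key = (s[2], s[4])
                units[key] = units.get(key, False) or (len(s) >= 8 and s[7] == "no-redirects")
        for ifd, unit in sorted(k for k, ok in units.items() if not ok):
            findings.append(f"missing: set interfaces {ifd} unit {unit} family inet no-redirects")

    return sorted(findings)


# Constructed sample: near-default configuration with one interface hardened by hand.
WEAK_CONFIG = """
set system host-name switch1
set system internet-options source-port upper-limit 5000
set interfaces ge-0/0/0 unit 0 family inet address 192.0.2.1/24
set interfaces ge-0/0/1 unit 0 family inet no-redirects
set interfaces ge-0/0/1 unit 0 family inet address 198.51.100.1/24
"""

# Constructed sample: every statement this chapter documents is present.
HARDENED_CONFIG = """
set system host-name switch1
set system no-redirects
set system no-redirects-ipv6
set system no-multicast-echo
set system no-ping-record-route
set system no-ping-time-stamp
set system default-address-selection
set system internet-options no-source-quench
set system internet-options source-port upper-limit 65535
set system internet-options icmpv4-rate-limit bucket-size 5 packet-rate 1000
set system internet-options icmpv6-rate-limit bucket-size 5 packet-rate 1000
set interfaces ge-0/0/0 unit 0 family inet address 192.0.2.1/24
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        results = audit_icmp_hardening(cfg)
        print(f"--- {name}: {len(results)} finding(s)")
        for finding in results:
            print(" ", finding)
```

Feed it the output of `show configuration | display set` captured from a device; because it keys on exact statement tokens, a statement hidden inside an applied configuration group will be reported as missing unless you capture with `| display set | display inheritance` (or the equivalent your release supports), which is the same caveat that applies to any set-style comparison.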