Juniper System Management and Monitoring User Manual

System Management and Monitoring
Published
2021-04-18
User Guide
Juniper Networks, Inc. 1133 Innovation Way Sunnyvale, California 94089 USA 408-745-2000 www.juniper.net
Juniper Networks, the Juniper Networks logo, Juniper, and Junos are registered trademarks of Juniper Networks, Inc. in the United States and other countries. All other trademarks, service marks, registered marks, or registered service marks are the property of their respective owners.
Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.
System Management and Monitoring User Guide
Copyright © 2021 Juniper Networks, Inc. All rights reserved.
The information in this document is current as of the date on the title page.
YEAR 2000 NOTICE
Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.
END USER LICENSE AGREEMENT
The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License Agreement ("EULA") posted at https://support.juniper.net/support/eula/. By downloading, installing or using such software, you agree to the terms and conditions of that EULA.

Table of Contents

About This Guide

1 Manage and Monitor
System Settings
  Specifying the Physical Location of the Switch
  Modifying the Default Time Zone for a Router or Switch Running Junos OS
  Configuring Junos OS to Extend the Default Port Address Range
  Configuring Junos OS to Select a Fixed Source Address for Locally Generated TCP/IP Packets
  Rebooting and Halting a Device
Hostnames
  Configuring the Hostname of a Device by Using a Configuration Group
  Mapping the Hostname of the Switch to IP Addresses
  Example: Configuring the Name of the Switch, IP Address, and System ID
Understanding and Configuring DNS
  DNS Overview
  Configuring a DNS Name Server for Resolving Hostnames into Addresses
Configure ICMP Features
  Protocol Redirect Messages
  Disable the Routing Engine Response to Multicast Ping Packets
  Disable Reporting IP Address and Timestamps in Ping Responses
  Configure Junos OS to Ignore ICMP Source Quench Messages
  Rate Limit ICMPv4 and ICMPv6 Traffic
  Rate Limit ICMPv4 and ICMPv6 Error Messages
Alarms
  System Alarms
  Configuring Junos OS to Determine Conditions That Trigger Alarms on Different Interface Types
  System-Wide Alarms and Alarms for Each Interface Type
System Troubleshooting
  Saving Core Files Generated by Junos OS Processes
  Viewing Core Files from Junos OS Processes
Device Monitoring
  Monitoring System Properties
  Monitoring System Process Information
  Monitoring Interfaces
  Other Tools to Configure and Monitor Devices Running Junos OS
Passive Monitoring
  Understanding Passive Monitoring
  Example: Configuring Passive Monitoring on QFX10000 Switches
    Requirements
    Overview
    Configuration
    Verification
How to Locate a Device or Port Using the Chassis Beacon
  Turning On the Chassis Beacon For the Default Interval
  Turning On the Chassis Beacon For a Specified Interval

2 Configuration Statements
checksum
compress-configuration-files (System)
domain-name
domain-search
enhanced-hash-key
ethernet (Alarm)
hardware-timestamp
host-name
inet (enhanced-hash-key)
inet6-backup-router
inet6 (enhanced-hash-key)
internet-options
lcd-menu
location
location (System)
max-configurations-on-flash
menu-item
no-multicast-echo
no-ping-record-route
no-ping-time-stamp
no-redirects (IPv4 Traffic)
optional
passive-monitor-mode
ports
ports
power
processes
saved-core-context
saved-core-files
static-host-mapping
time-format
time-zone
traceoptions (Layer 2 Learning)
traceoptions (SBC Configuration Process)
use-imported-time-zones

3 Operational Commands
clear log
clear chassis display message
clear system commit
clear system reboot
request chassis beacon
request chassis cb
request chassis fabric plane
request chassis fpc
request chassis pic
request chassis routing-engine master
request system halt
request system logout
request system power-off
request system reboot
set chassis display message
set date
show chassis alarms
show chassis beacon
show chassis environment
show chassis environment fpc
show chassis environment pem
show chassis environment power-supply-unit
show chassis environment psu
show chassis environment routing-engine
show chassis ethernet-switch
show chassis fan
show chassis firmware
show chassis fpc
show chassis fabric fpcs
show chassis fabric map
show chassis fabric plane
show chassis fabric plane-location
show chassis fabric sibs
show chassis fabric summary
show chassis hardware
show chassis lcd
show chassis led
show chassis location
show chassis mac-addresses
show chassis pic
show chassis routing-engine
show chassis temperature-thresholds
show chassis zones
show forwarding-options enhanced-hash-key
show host
show interfaces diagnostics optics
show subscribers
show system alarms
show system audit
show system buffers
show system certificate
show system commit
show system connections
show system core-dumps
show system directory-usage
show system firmware
show system reboot
show system software
show system statistics
show system storage
show system uptime
show system virtual-memory
show version
start shell
test configuration

About This Guide

Use this guide to manage and monitor Juniper switches with the Junos OS command-line interface.

CHAPTER 1

Manage and Monitor

System Settings

Specifying the Physical Location of the Switch

To specify the physical location of the switch, specify the following options for the location statement at the [edit system] hierarchy level:
• altitude feet—Number of feet above sea level.
• building name—Name of the building, 1 to 28 characters in length. If the string contains spaces, enclose it in quotation marks (" ").
• country-code code—Two-letter country code.
• floor number—Floor in the building.
• hcoord horizontal-coordinate—Bellcore Horizontal Coordinate.
• lata service-area—Long-distance service area.
• latitude degrees—Latitude in degree format.
• longitude degrees—Longitude in degree format.
• npa-nxx number—First six digits of the phone number (area code and exchange).
• postal-code postal-code—Postal code.
• rack number—Rack number.
• vcoord vertical-coordinate—Bellcore Vertical Coordinate.

The following example shows how to specify the physical location of the switch:

    [edit system]
    location {
        altitude feet;
        building name;
        country-code code;
        floor number;
        hcoord horizontal-coordinate;
        lata service-area;
        latitude degrees;
        longitude degrees;
        npa-nxx number;
        postal-code postal-code;
        rack number;
        vcoord vertical-coordinate;
    }

SEE ALSO
Example: Configuring the Name of the Switch, IP Address, and System ID

Modifying the Default Time Zone for a Router or Switch Running Junos OS

The default local time zone on the router or switch is UTC (Coordinated Universal Time, formerly known as Greenwich Mean Time, or GMT).
• To modify the local time zone, include the time-zone statement at the [edit system] hierarchy level:

    [edit system]
    time-zone (GMT hour-offset | time-zone);

You can use the GMT hour-offset option to set the time zone relative to UTC (GMT) time. By default, hour-offset is 0. You can configure this to be a value from –14 to +12.
You can also specify the time-zone value as a string such as PDT (Pacific Daylight Time) or WET (Western European Time), or specify the continent and major city.
NOTE: Junos OS complies with the POSIX time-zone standard, which is counter-intuitive to the way time zones are generally indicated relative to UTC. A time zone ahead of UTC (east of the Greenwich meridian) is commonly indicated as GMT +n; for example, the Central European Time (CET) zone is indicated as GMT +1. However, this is not true for POSIX time zone designations. POSIX indicates CET as GMT-1. If you include the set system time-zone GMT+1 statement for a router in the CET zone, your router time will be set to one hour behind GMT, or two hours behind the actual CET time. For this reason, you might find it easier to use the POSIX time-zone strings, which you can list by entering set system time-zone ?.
For the time zone change to take effect for all processes running on the router or switch, you must reboot the router or switch.
The following example shows how to change the current time zone to America/New_York:

    [edit]
    user@host# set system time-zone America/New_York
    [edit]
    user@host# show
    system {
        time-zone America/New_York;
    }
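
The POSIX sign inversion described in the note above matters most when timestamps from device logs are correlated with other sources. The following Python sketch is an added example, not part of the Juniper guide: the function names are hypothetical, and it covers only the GMT hour-offset form of the time-zone statement, not named zones.

```python
import re
from datetime import datetime, timedelta, timezone

# Matches the "GMT hour-offset" form of the time-zone statement, e.g. GMT+1.
GMT_FORM = re.compile(r"^GMT([+-])(\d{1,2})$")


def junos_gmt_to_tzinfo(value):
    """Return the fixed offset that a POSIX-style 'GMT+n' or 'GMT-n' selects.

    POSIX inverts the everyday sign: GMT+1 is one hour BEHIND UTC and
    GMT-1 is one hour AHEAD of UTC (the offset CET uses).
    """
    match = GMT_FORM.match(value)
    if not match:
        raise ValueError(f"not a GMT hour-offset value: {value!r}")
    hour_offset = int(match.group(2))
    if match.group(1) == "-":
        hour_offset = -hour_offset
    # The guide gives -14 to +12 as the configurable range.
    if not -14 <= hour_offset <= 12:
        raise ValueError(f"hour-offset {hour_offset} outside -14..+12")
    return timezone(timedelta(hours=-hour_offset), name=value)


def device_local_to_utc(local_stamp, tz_value):
    """Convert a naive timestamp read from a device log to aware UTC."""
    aware = local_stamp.replace(tzinfo=junos_gmt_to_tzinfo(tz_value))
    return aware.astimezone(timezone.utc)


def clock_skew_hours(tz_value, intended_utc_offset_hours):
    """Hours between the device wall clock and the zone the operator meant.

    Negative means the device clock is behind the intended local time.
    """
    actual = junos_gmt_to_tzinfo(tz_value).utcoffset(None)
    intended = timedelta(hours=intended_utc_offset_hours)
    return (actual - intended) / timedelta(hours=1)


if __name__ == "__main__":
    # Constructed case from the note: a router in CET (UTC+1) set to GMT+1.
    print("skew vs CET:", clock_skew_hours("GMT+1", 1), "hours")
    stamp = datetime(2021, 4, 18, 10, 0)  # constructed log timestamp
    print("as UTC:", device_local_to_utc(stamp, "GMT+1").isoformat())
```
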

SEE ALSO
Understanding NTP Time Servers
Updating the IANA Time Zone Database on Junos OS Devices

Configuring Junos OS to Extend the Default Port Address Range

By default, the upper range of a port address is 5000. You can increase the range from which the port number can be selected to decrease the probability that someone can determine your port number.
• To configure Junos OS to extend the default port address range, include the source-port statement at the [edit system internet-options] hierarchy level:

    [edit system internet-options]
    source-port upper-limit upper-limit;

upper-limit is the upper limit of a source port address and can be a value from 5000 through 65,355.

SEE ALSO
Configure TCP Options
Configure ARP Learning and Aging Options

Configuring Junos OS to Select a Fixed Source Address for Locally Generated TCP/IP Packets

By default, the source address included in locally generated Transmission Control Protocol/IP (TCP/IP) packets, such as FTP traffic, and in User Datagram Protocol (UDP) and IP packets, such as Network Time Protocol (NTP) requests, is chosen as the local address for the interface on which the traffic is transmitted. This means that the local address chosen for packets to a particular destination might change from connection to connection based on the interface that the routing protocol has chosen to reach the destination when the connection is established. If multiple equal-cost next hops are present for a destination, locally generated packets use the lo0 address as a source.
• To configure the software to select a fixed address to use as the source for locally generated IP packets, include the default-address-selection statement at the [edit system] hierarchy level:

    [edit system]
    default-address-selection;

If you include the default-address-selection statement in the configuration, the Junos OS chooses the system default address as the source for most locally generated IP packets. The default address is usually an address configured on the lo0 loopback interface. For example, if you specified that SSH and telnet use a particular address, but you also have default-address selection configured, the system default address is used.

Rebooting and Halting a Device

To reboot the switch, issue the request system reboot command.

    user@switch> request system reboot ?
    Possible completions:
      <[Enter]>             Execute this command
      all-members           Reboot all virtual chassis members
      at                    Time at which to perform the operation
      both-routing-engines  Reboot both the Routing Engines
      fast-boot             Enable fast reboot
      hypervisor            Reboot Junos OS, host OS, and Hypervisor
      in                    Number of minutes to delay before operation
      local                 Reboot local virtual chassis member
      member                Reboot specific virtual chassis member (0..9)
      message               Message to display to all users
      other-routing-engine  Reboot the other Routing Engine
      |                     Pipe through a command
    {master:0}
    user@switch> request system reboot
    Reboot the system ? [yes,no] (no) yes
    Rebooting switch

NOTE: Not all options shown in the preceding command output are available on all QFX Series, OCX Series, and EX4600 switches. See the documentation for the request system reboot command for details about options.
NOTE: When you issue the request system reboot hypervisor command on QFX10000 switches, the reboot takes longer than a standard Junos OS reboot.
Similarly, to halt the switch, issue the request system halt command.
CAUTION: Before entering this command, you must have access to the switch’s console port in order to bring up the Routing Engine.

    user@switch> request system halt ?
    Possible completions:
      <[Enter]>              Execute this command
      all-members            Halt all virtual chassis members
      at                     Time at which to perform the operation
      backup-routing-engine  Halt backup Routing Engine
      both-routing-engines   Halt both Routing Engines
      in                     Number of minutes to delay before operation
      local                  Halt local virtual chassis member
      member                 Halt specific virtual chassis member (0..9)
      message                Message to display to all users
      other-routing-engine   Halt other Routing Engine
      |                      Pipe through a command

NOTE: When you issue this command on an individual component in a QFabric system, you will receive a warning that says “Hardware-based members will halt, Virtual Junos Routing Engines will reboot.” If you want to halt only one member, use the member option. You cannot issue this command from the QFabric CLI.
Issuing the request system halt command on the switch halts the Routing Engine. To reboot a Routing Engine that has been halted, you must connect through the console.

SEE ALSO
clear system reboot
request system halt
request system power-off
Connecting a QFX Series Device to a Management Console

RELATED DOCUMENTATION
Disable Reporting IP Address and Timestamps in Ping Responses

Hostnames

Configuring the Hostname of a Device by Using a Configuration Group

The hostname of a Junos OS or Junos OS Evolved device is its identification. A network device must have its identity established to be accessible on the network. That is perhaps the most important reason to have a hostname, but a hostname has other purposes.
The software uses the configured hostname as part of the command prompt and to prepend log files and other accounting information. The hostname is also used anywhere else when knowing the device identity is important. For these reasons, we recommend hostnames be descriptive and memorable.
You can configure the hostname at the [edit system] hierarchy level, a procedure shown in Configuring a Device’s Unique Identity for the Network. Optionally, instead of configuring the hostname at the [edit system] hierarchy level, you can use a configuration group, as shown in this procedure. This is a recommended best practice for configuring the hostname, especially if the device has dual Routing Engines. This procedure uses groups called re0 and re1 as an example.
NOTE: Starting with Junos OS Release 13.2R3, if you configure hostnames that are longer than the CLI screen width, regardless of the terminal screen width setting, the commit operation occurs successfully. Even if the terminal screen width is less than the hostname length, commit is successful.
In Junos OS releases earlier than Release 13.2R3, if you configured such hostnames by using the host-name hostname statement at the [edit system] hierarchy level and the terminal screen width was less than the length of the hostname by using the set cli screen-width statement, a foreign file propagation (ffp) failure error message is displayed when you attempt to commit the configuration. In such a case, because of the ffp failure, the commit operation does not complete and you cannot recover the router unless you make the modification in the backend in the juniper.conf.gz file and commit the change from the shell prompt.
To set the hostname using a configuration group:
1. Include the host-name statement in the configuration at the [edit groups group-name system] hierarchy level.
The name value must be less than 256 characters.

    [edit groups group-name system]
    host-name hostname;

For example:

    [edit groups re0 system]
    root@# set host-name san-jose-router0
    [edit groups re1 system]
    root@# set host-name san-jose-router1

2. If you used one or more configuration groups, apply the configuration groups, substituting the appropriate group names.
For example:

    [edit]
    user@host# set apply-groups [re0 re1]

3. Commit the changes.

    [edit]
    root@# commit

The hostname subsequently appears in the device CLI prompt.

    san-jose-router0#

Mapping the Hostname of the Switch to IP Addresses

To map a hostname of a switch to one or more IP addresses, include the inet statement at the [edit system static-host-mapping hostname] hierarchy level:

    [edit system]
    static-host-mapping {
        hostname {
            inet [ addresses ];
            alias [ aliases ];
        }
    }

hostname is the name specified by the host-name statement at the [edit system] hierarchy level.
For each host, you can specify one or more aliases.

SEE ALSO
Configuring a DNS Name Server for Resolving Hostnames into Addresses
Configuring a Device’s Unique Identity for the Network
static-host-mapping

Example: Configuring the Name of the Switch, IP Address, and System ID

The following example shows how to configure the switch name, map the name to an IP address and alias, and configure a system identifier:

    [edit]
    user@switch# set system host-name switch1
    [edit]
    user@switch# set system static-host-mapping switch1 inet 192.168.1.77
    [edit]
    user@switch# set system static-host-mapping switch1 alias sj1
    [edit]
    user@switch# set system static-host-mapping switch1 sysid 1921.6800.1077
    [edit]
    user@switch# show
    system {
        host-name switch-sj1;
        static-host-mapping {
            switch-sj1 {
                inet 192.168.1.77;
                alias sj1;
                sysid 1921.6800.1077;
            }
        }
    }

Understanding and Configuring DNS

DNS Overview

A Domain Name System (DNS) is a distributed hierarchical system that converts hostnames to IP addresses. The DNS is divided into sections called zones. Each zone has name servers that respond to the queries belonging to their zones.
This topic includes the following sections:

DNS Components
DNS includes three main components:
• DNS resolver: Resides on the client side of the DNS. When a user sends a hostname request, the resolver sends a DNS query request to the name servers to request the hostname's IP address.
• Name servers: Process the DNS query requests received from the DNS resolver and return the IP address to the resolver.
• Resource records: Data elements that define the basic structure and content of the DNS.

DNS Server Caching
DNS name servers are responsible for providing the hostname IP address to users. The TTL field in the resource record defines the period for which DNS query results are cached. When the TTL value expires, the name server sends a fresh DNS query and updates the cache.

SEE ALSO
Configuring the TTL Value for DNS Server Caching

Configuring a DNS Name Server for Resolving Hostnames into Addresses

Domain Name System (DNS) name servers are used for resolving hostnames to IP addresses.
Before you begin, configure your name servers with the hostname and an IP address for your Juniper Networks device. It does not matter which IP address you assign as the address of your device in the name server, as long as it is an address that reaches your device. Normally, you would use the management interface IP address, but you can choose the loopback interface IP address, or a network interface IP address, or even configure multiple addresses on the name server.
For redundancy, it is a best practice to configure access to multiple name servers. You can configure a maximum of three name servers. The approach is similar to the way Web browsers resolve the names of a Web site to its network address. Additionally, the software enables you to configure one or more domain names, which it uses to resolve hostnames that are not fully qualified (in other words, the domain name is missing). This is convenient because you can use a hostname in configuring and operating the software without the need to reference the full domain name. After adding name server addresses and domain names to your configuration, you can use DNS resolvable hostnames in your configurations and commands instead of IP addresses.
Optionally, instead of configuring the name server at the [edit system] hierarchy level, you can use a configuration group, as shown in this procedure. This is a recommended best practice for configuring the name server.
Starting in Junos OS Release 19.2R1, you can route traffic between a management routing instance and DNS name server. Configure a routing instance at the [edit system name-server server-ip-address] hierarchy level and the name server becomes reachable through this routing instance.
NOTE: This management routing instance option is not supported for SRX Series devices.
To enable a management routing instance for DNS, configure the following:

    user@host# set system management-instance
    user@host# set routing-instances mgmt_junos description description
    user@host# set system name-server server-ip-address routing-instance mgmt_junos

If you have configured the name server using a configuration group, use the [edit groups group-name system name-server] hierarchy level, which is a recommended best practice for configuring the name server.
To configure the device to resolve hostnames into addresses:
1. Reference the IP addresses of your name servers.

    [edit groups group-name system]
    name-server {
        address;
    }

The following example shows how to reference two name servers:

    [edit groups global system]
    user@host# set name-server 192.168.1.253
    user@host# set name-server 192.168.1.254
    user@host# show
    name-server {
        192.168.1.253/32;
        192.168.1.254/32;
    }

2. (Optional) Configure the routing instance for DNS.
The following example shows how to configure the routing-instance for one of the name servers:

    [edit groups global system]
    user@host# set name-server 192.168.1.253 routing-instance mgmt_junos

Remember to also configure the following:
• management-instance statement at the [edit system] hierarchy level
• routing-instance statement at the [edit routing-instances] hierarchy level.
3. (Optional) Configure the name of the domain in which the device itself is located.
This is a good practice. The software then uses this configured domain name as the default domain name to append to hostnames that are not fully qualified.

    [edit system]
    domain-name domain-name;

The following example shows how to configure the domain name:

    [edit groups global system]
    user@host# set domain-name company.net
    user@host# show
    domain-name company.net;

4. (Optional) Configure a list of domains to be searched.
If your device can reach several different domains, you can configure these as a list of domains to be searched. The software then uses this list to set an order in which it appends domain names when searching for the IP address of a host.

    [edit groups global system]
    domain-search [ domain-list ];

The domain list can contain up to six domain names, with a total of up to 256 characters.
The following example shows how to configure two domains to be searched. This example configures the software to search the company.net domain and then the domainone.net domain and then the domainonealternate.com domain when attempting to resolve unqualified hosts.

    [edit groups global system]
    domain-search [ company.net domainone.net domainonealternate.com ]

5. If you used a configuration group, apply the configuration group, substituting global with the appropriate group name.

    [edit]
    user@host# set apply-groups global

6. Commit the configuration.

    user@host# commit

7. Verify the configuration.
If you have configured your name server with the hostname and an IP address for your device, you can issue the following commands to confirm that DNS is working and reachable. You can either use the configured hostname to confirm resolution to the IP address or use the IP address of your device to confirm resolution to the configured hostname.

    user@host> show host host-name
    user@host> show host host-ip-address

For example:

    user@host> show host device.example.net
    device.example.net
    device.example.net has address 192.168.187.1
    user@host> show host 192.168.187.1
    10.187.168.192.in-addr.arpa domain name pointer device.example.net.

SEE ALSO
name-server (System Services)
domain-search

RELATED DOCUMENTATION
Understanding Hostnames
DNSSEC Overview

Configure ICMP Features

Learn more about how to configure Internet Control Message Protocol (ICMP) features.

Protocol Redirect Messages

ICMP redirect, also known as protocol redirect, is a mechanism used by switches and routers to convey routing information to hosts. Devices use protocol redirect messages to notify the hosts on the same data link of the best route available for a given destination. All EX series switches support sending protocol redirect messages for both IPv4 and IPv6 traffic.
NOTE: Switches do not send protocol redirect messages if the data packet contains routing information.

Understanding Protocol Redirect Messages
Protocol redirect messages inform a host to update its routing information and to send packets on an alternate route. Suppose a host tries to send a data packet through a switch S1 and S1 sends the data packet to another switch, S2. Also, suppose that a direct path from the host to S2 is available (that is, the host and S2 are on the same Ethernet segment). S1 then sends a protocol redirect message to inform the host that the best route for the destination is the direct route to S2. The host should then send packets directly to S2 instead of sending them through S1. S2 still sends the original packet that it received from S1 to the intended destination.
Refer to RFC-1122 and RFC-4861 for more details on protocol redirecting.

Disable Protocol Redirect Messages
By default, devices send protocol redirect messages for both IPv4 and IPv6 traffic. For security reasons, you may want to disable the device from sending protocol redirect messages.
To disable protocol redirect messages for the entire device, include the no-redirects or no-redirects-ipv6 statement at the [edit system] hierarchy level.
• For IPv4 traffic:

    [edit system]
    user@host# set no-redirects

• For IPv6 traffic:

    [edit system]
    user@host# set no-redirects-ipv6

To re-enable the sending of redirect messages on the device, delete the no-redirects statement (for IPv4 traffic) or the no-redirects-ipv6 statement (for IPv6 traffic) from the configuration.
To disable protocol redirect messages on a per-interface basis, include the no-redirects statement at the [edit interfaces interface-name unit logical-unit-number family family] hierarchy level.
• For IPv4 traffic:

    [edit interfaces interface-name unit logical-unit-number]
    user@host# set family inet no-redirects

• For IPv6 traffic:

    [edit interfaces interface-name unit logical-unit-number]
    user@host# set family inet6 no-redirects

Disable the Routing Engine Response to Multicast Ping Packets

By default, the Routing Engine responds to ICMP echo requests sent to multicast group addresses. By configuring the Routing Engine to ignore multicast ping packets, you can prevent unauthorized persons from discovering the list of provider edge (PE) devices in the network.
To disable the Routing Engine from responding to these ICMP echo requests, include the no-multicast-echo statement at the [edit system] hierarchy level:

    [edit system]
    no-multicast-echo;

Disable Reporting IP Address and Timestamps in Ping Responses

When you issue the ping command with the record-route option, the Routing Engine displays the path of the ICMP echo request packets and the timestamps in the ICMP echo responses by default. By configuring the no-ping-record-route and no-ping-time-stamp options, you can prevent unauthorized persons from discovering information about the provider edge (PE) device and its loopback address.
You can configure the Routing Engine to disable the setting of the record-route option in the IP header of the ping request packets. Disabling the record-route option prevents the Routing Engine from recording and displaying the path of the ICMP echo request packets in the response.
To configure the Routing Engine to disable the setting of the record route option, include the no-ping-record-route statement at the [edit system] hierarchy level:

    [edit system]
    no-ping-record-route;

To disable the reporting of timestamps in the ICMP echo responses, include the no-ping-time-stamp option at the [edit system] hierarchy level:

    [edit system]
    no-ping-time-stamp;

Configure Junos OS to Ignore ICMP Source Quench Messages

By default, the device reacts to Internet Control Message Protocol (ICMP) source quench messages. To ignore ICMP source quench messages, include the no-source-quench statement at the [edit system internet-options] hierarchy level:

    [edit system internet-options]
    no-source-quench;

To stop ignoring ICMP source quench messages, use the source-quench statement:

    [edit system internet-options]
    source-quench;

Rate Limit ICMPv4 and ICMPv6 Traffic

To limit the rate at which ICMPv4 or ICMPv6 messages can be generated by the Routing Engine and sent to the Routing Engine, include the appropriate rate limiting statement at the [edit system internet-options] hierarchy level.
• For IPv4:

    [edit system internet-options]
    icmpv4-rate-limit bucket-size bucket-size packet-rate packet-rate

• For IPv6:

    [edit system internet-options]
    icmpv6-rate-limit bucket-size bucket-size packet-rate packet-rate
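
The statements above that the guide ties to limiting information disclosure (no-redirects, no-multicast-echo, the two no-ping options, and source-port upper-limit) can be checked across a fleet from saved configurations. The following Python audit is an added example, not part of the Juniper guide: it assumes the configuration is exported in `set` format (`show configuration | display set`), the sample configuration and function names are constructed for illustration, and it does not resolve apply-groups inheritance or deactivated statements.

```python
# Added example: audit a Junos configuration in "set" format for the
# hardening statements this guide describes. SAMPLE_CONFIG is constructed.

SAMPLE_CONFIG = """\
set system host-name switch1
set system no-redirects
set system no-multicast-echo
set system no-ping-record-route
set system internet-options source-port upper-limit 20000
set interfaces ge-0/0/0 unit 0 family inet address 192.0.2.1/24
set interfaces ge-0/0/0 unit 0 family inet6 address 2001:db8::1/64
set interfaces ge-0/0/1 unit 0 family inet6 address 2001:db8:1::1/64
set interfaces ge-0/0/1 unit 0 family inet6 no-redirects
"""

# Statement at [edit system] -> behaviour that stays enabled when it is absent.
SYSTEM_STATEMENTS = {
    "no-redirects": "IPv4 protocol redirect messages are sent",
    "no-redirects-ipv6": "IPv6 protocol redirect messages are sent",
    "no-multicast-echo": "Routing Engine answers multicast ping packets",
    "no-ping-record-route": "ping responses report the recorded route",
    "no-ping-time-stamp": "ping responses report timestamps",
}
REDIRECT_FAMILY = {"no-redirects": "inet", "no-redirects-ipv6": "inet6"}
DEFAULT_SOURCE_PORT_UPPER_LIMIT = 5000  # default stated in the guide


def parse_set_lines(text):
    """Return each 'set ...' line as a tuple of tokens without the 'set'."""
    return [tuple(line.split()[1:]) for line in text.splitlines()
            if line.strip().startswith("set ")]


def redirect_coverage(statements, family):
    """Return (configured units, units lacking per-interface no-redirects)."""
    configured, hardened = set(), set()
    for s in statements:
        if (len(s) >= 6 and s[0] == "interfaces" and s[2] == "unit"
                and s[4] == "family" and s[5] == family):
            unit = f"{s[1]}.{s[3]}"
            configured.add(unit)
            if s[6:] == ("no-redirects",):
                hardened.add(unit)
    return configured, sorted(configured - hardened)


def audit(text):
    """Return a list of (statement, detail) findings for missing hardening."""
    statements = parse_set_lines(text)
    system = {s[1:] for s in statements if s[:1] == ("system",)}
    findings = []
    for name, effect in SYSTEM_STATEMENTS.items():
        if (name,) in system:
            continue  # set device-wide at [edit system]
        if name in REDIRECT_FAMILY:
            configured, exposed = redirect_coverage(
                statements, REDIRECT_FAMILY[name])
            if configured and not exposed:
                continue  # every logical unit of the family sets no-redirects
            if exposed:
                effect += " on " + ", ".join(exposed)
        findings.append((name, effect))
    limit = DEFAULT_SOURCE_PORT_UPPER_LIMIT
    for s in system:
        if (s[:3] == ("internet-options", "source-port", "upper-limit")
                and len(s) == 4):
            limit = int(s[3])
    if limit <= DEFAULT_SOURCE_PORT_UPPER_LIMIT:
        findings.append(("source-port upper-limit",
                         f"source port range not extended beyond {limit}"))
    return findings


if __name__ == "__main__":
    for statement, detail in audit(SAMPLE_CONFIG):
        print(f"MISSING {statement}: {detail}")
```
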
20

Rate Limit ICMPv4 and ICMPv6 Error Messages

IN THIS SECTION
Why to Rate Limit ICMPv4 and ICMPv6 Error Messages | 21
How to Rate Limit ICMPv4 and ICMPv6 Error Messages | 21
By default, ICMP error messages for non-l-expired IPv4 and IPv6 packets are generated at the rate of 1 packet per second (pps). You can adjust this rate to a value that you decide provides sucient informaon for your network without causing network congeson.
NOTE: For l-expired IPv4 or IPv6 packets, the rate for ICMP error messages is not congurable. It is xed at 500 pps.
Why to Rate Limit ICMPv4 and ICMPv6 Error Messages
An example use case for adjusting the rate limit is a data center providing web services. Suppose this data center has many servers on the network that use jumbo frames with an MTU of 9100 bytes when they communicate to hosts over the Internet. These other hosts require an MTU of 1500 bytes. Unless maximum segment size (MSS) is enforced on both sides of the connection, a server might reply with a packet that is too large to be transmitted across the Internet without being fragmented when it reaches the edge router in the data center.
Because TCP/IP implementations often have Path MTU Discovery enabled by default with the dont-fragment bit set to 1, a transit device will drop a packet that is too big rather than fragmenting it. The device will return an ICMP error message indicating the destination was unreachable because the packet was too big. The message will also provide the MTU that is required where the error occurred. The sending host should adjust the sending MSS for that connection and resend the data in smaller packet sizes to avoid the fragmentation issue.
At high core interface speeds, the default rate limit of 1 pps for the error messages may not be enough to notify all the hosts when there are many hosts in the network that require this service. The consequence is that outbound packets are silently dropped. This action can trigger additional retransmissions or back-off behaviors, depending on the volume of requests that the data center edge router is handling on each core-facing interface.
In this situation, you can increase the rate limit to enable a higher volume of oversized packets to reach the sending hosts. (Adding more core-facing interfaces can also help resolve the problem.)
How to Rate Limit ICMPv4 and ICMPv6 Error Messages
Although you congure the rate limit at the [edit chassis] hierarchy level, it is not a chassis-wide limit. Instead, the rate limit applies per interface family. This means, for example, that mulple physical interfaces congured with family inet can simultaneously generate the ICMP error messages at the congured rate.
NOTE: This rate limit takes eect only for trac that lasts 10 seconds or longer. The rate limit is not applied to trac with a shorter duraon, such as 5 seconds or 9 seconds.
• To congure the rate limit for ICMPv4, use the icmp statement:
[edit chassis]
user@host# set icmp rate-limit
rate-limit
Starng in Junos OS Release 19.1R1, the maximum rate increased from 50 pps to 1000 pps.
• To congure the rate limit for ICMPv6, use the icmp6 statement:
[edit chassis]
user@host# set icmp6 rate-limit
You must also consider that the rate limit value can interact with your DDoS protecon conguraon. The default bandwidth value for exceponed packets that exceed the MTU is 250 pps. DDoS protecon ags a violaon when the number of packets exceeds that value. If you set the rate limit higher than the current mtu-exceeded bandwidth value, then you must congure the bandwidth value to match the rate limit.
For example, suppose you set the ICMP rate limit to 300 pps:
user@host# set chassis icmp rate-limit 300
You must congure the DDoS protecon mtu-exceeded bandwidth to match that value.
rate-limit
22
user@host# set system ddos-protecon protocols excepons mtu-exceeded bandwidth 300
RELATED DOCUMENTATION
Congure TCP Opons
Junos OS Network Interfaces Library for Roung Devices

Alarms


System Alarms

Switches provide predened system alarms that can be triggered by a missing rescue conguraon, failure to install a license for a licensed soware feature, or high disk usage. You can display alarm messages by issuing the show system alarms operaonal mode command.
For example: The switch might trigger an alarm when disk usage in the /var paron exceeds 75 percent. A usage level between 76 and 90 percent indicates high usage and raises a minor alarm condion, whereas a usage level above 90 percent indicates that the paron is full and raises a major alarm condion.
The following sample output shows the system alarm messages that are displayed when disk usage is exceeded on the switch.
user@host> show system alarms
4 alarms currently active
Alarm time Class Description
2013-10-08 20:08:20 UTC Minor RE 0 /var partition usage is high
2013-10-08 20:08:20 UTC Major RE 0 /var partition is full
2013-10-08 20:08:08 UTC Minor FPC 1 /var partition usage is high
2013-10-08 20:08:08 UTC Major FPC 1 /var partition is full
BEST PRACTICE: We recommend that you regularly request a system file storage cleanup to optimize the performance of the switch and prevent generating system alarms.
Configuring Junos OS to Determine Conditions That Trigger Alarms on Different Interface Types
For the different types of PICs, you can configure which conditions trigger alarms and whether they trigger a red or yellow alarm. Red alarm conditions light the RED ALARM LED and trigger an audible alarm if one is connected. Yellow alarm conditions light the YELLOW ALARM LED and trigger an audible alarm if one is connected.
NOTE: By default, any failure condition on the integrated-services interface (Adaptive Services PIC) triggers a red alarm.
To configure conditions that trigger alarms and that can occur on any interface of the specified type, include the alarm statement at the [edit chassis] hierarchy level.
[edit chassis]
alarm {
    interface-type {
        alarm-name (red | yellow | ignore);
    }
}
alarm-name is the name of an alarm.

System-Wide Alarms and Alarms for Each Interface Type

Table 1 lists the system-wide alarms and the alarms for each interface type.
Table 1: Configurable PIC Alarm Conditions
Interface/System | Alarm Condition | Configuration Option
SONET/SDH and ATM | Link alarm indication signal | ais-l
SONET/SDH and ATM | Path alarm indication signal | ais-p
SONET/SDH and ATM | Signal degrade (SD) | ber-sd
SONET/SDH and ATM | Signal fail (SF) | ber-sf
SONET/SDH and ATM | Loss of cell delineation (ATM only) | locd
SONET/SDH and ATM | Loss of framing | lof
SONET/SDH and ATM | Loss of light | lol
SONET/SDH and ATM | Loss of pointer | lop-p
SONET/SDH and ATM | Loss of signal | los
SONET/SDH and ATM | Phase-locked loop out of lock | pll
SONET/SDH and ATM | Synchronous transport signal (STS) payload label (C2) mismatch | plm-p
SONET/SDH and ATM | Line remote failure indication | rfi-l
SONET/SDH and ATM | Path remote failure indication | rfi-p
SONET/SDH and ATM | STS path (C2) unequipped | uneq-p
E3/T3 | Alarm indicator signal | ais
E3/T3 | Excessive numbers of zeros | exz
E3/T3 | Failure of the far end | ferf
E3/T3 | Idle alarm | idle
E3/T3 | Line code violation | lcv
E3/T3 | Loss of frame | lof
E3/T3 | Loss of signal | los
E3/T3 | Phase-locked loop out of lock | pll
E3/T3 | Yellow alarm | ylw
Ethernet | Link has gone down | link-down
DS1 | Alarm indicator signal | ais
DS1 | Yellow alarm | ylw
Integrated services | Hardware or software failure | failure
Management Ethernet | Link has gone down | link-down
RELATED DOCUMENTATION
Chassis Condions That Trigger Alarms
Alarm Types and Severity Levels
Network Management and Monitoring Guide
Freeing Up System Storage Space
show system alarms
System Troubleshoong

Saving Core Files Generated by Junos OS Processes

By default, when an internal Junos OS process generates a core file, the file and associated context information are saved for debugging purposes in a compressed tar file named /var/tmp/process-name.core.core-number.tgz. The contextual information includes the configuration and system log message files.
• To disable the saving of core files and associated context information:
[edit system]
no-saved-core-context;
• To save the core files only:
[edit system]
saved-core-files number;
Where number is the number of core files to save and can be a value from 1 through 10.
• To save the core files along with the contextual information:
[edit system]
saved-core-context;

Viewing Core Files from Junos OS Processes

When an internal Junos OS process generates a core file, you can find the output at /var/crash/ and /var/tmp/. For Junos OS Evolved, you can find the output core files at /var/core/ for Routing Engine core files and /var/lib/ftp/in/ for FPC core files. Using these directories provides a quick method of finding core issues across large networks.
Use the CLI command show system core-dumps to view core files.
root@host> show system core-dumps
-rw------- 1 root wheel 268369920 Jun 18 17:59 /var/crash/vmcore.0
-rw-rw---- 1 root field 3371008 Jun 18 17:53 /var/tmp/rpd.core.0
-rw-r--r-- 1 root wheel 27775914 Jun 18 17:59 /var/crash/kernel.0
SEE ALSO
Saving Core Files from Junos OS Processes
RELATED DOCUMENTATION
Day One: Monitoring and Troubleshoong
hps://www.juniper.net/documentaon/en_US/junos/informaon-products/pathway-pages/qfx­series/troubleshoong-qf.html

Device Monitoring

Monitoring System Properes
IN THIS SECTION
Purpose | 29
Acon | 29
Meaning | 29
Purpose
View system properes such as the name, IP address, and resource usage.
29
Acon
To monitor system properes in the CLI, enter the following commands:
• show system upme
• show system users
• show system storage
Meaning
Table 2 on page 29 summarizes key output elds in the system properes display.
Table 2: Summary of Key System
Field Values Addional Informaon
General Informaon
Properes Output Fields
Serial Number Serial number of device.
30
Table 2: Summary of Key System Properes Output Fields
Field Values Addional Informaon
Junos OS Version
Hostname Name of the device.
IP Address IP address of the device.
Loopback Address
Domain Name Server
Version of Junos OS acve on the switch, including whether the soware is for domesc or export use.
Loopback address.
Address of the domain name server.
(Connued)
Export soware is for use outside the USA and Canada.
Time Zone Time zone on the device.
Time
Current Time Current system me, in Coordinated
Universal Time (UTC).
System Booted Time
Protocol Started Time
Date and me when the device was last booted and how long it has been running.
Date and me when the protocols were last started and how long they have been running.
31
Table 2: Summary of Key System Properes Output Fields
Field Values Addional Informaon
Last
Congured
Time
Load Average CPU load average for 1, 5, and 15
Storage Media
Internal Flash Memory
External Flash Memory
Date and me when a conguraon was last commied. This eld also shows the name of the user who issued the last commit command.
minutes.
Usage details of internal ash memory.
Usage details of external USB ash memory.
(Connued)
Logged in Users Details
User Username of any user logged in to the
switch.
Terminal Terminal through which the user is
logged in.
From System from which the user has logged
in. A hyphen indicates that the user is logged in through the console.
Login Time Time when the user logged in. This is the user@switch eld in show
system users command output.
Idle Time How long the user has been idle.
SEE ALSO
show system processes
Monitoring System Process Informaon
IN THIS SECTION
Purpose | 32
Acon | 32
Meaning | 32
32
Purpose
View the processes running on the device.
Acon
To view the soware processes running on the device:
user@switch> show system processes
Meaning
Table 3 on page 32 summarizes the output elds in the system process informaon display.
The display includes the total CPU load and total memory ulizaon.
Table 3: Summary of System Process
Field Values
Informaon Output Fields
PID Idener of the process.
Name Owner of the process.
33
Table 3: Summary of System Process Informaon Output Fields
Field Values
State Current state of the process.
CPU Load Percentage of the CPU that is being used by the process.
Memory Ulizaon Amount of memory that is being used by the process.
Start Time Time of day when the process started.
SEE ALSO
(Connued)
show system upme

Monitoring Interfaces

Purpose
View general information about all physical and logical interfaces for a device.
Action
Enter the following show commands in the CLI to view interface status and traffic statistics.
• show interfaces terse
NOTE: On SRX Series devices, when configuring identical IPs on a single interface, you will not see a warning message; instead, you will see a syslog message.
• show interfaces extensive
• show interfaces interface-name
NOTE: If you are using the J-Web user interface, select Monitor>Interfaces in the J-Web user interface. The J-Web Interfaces page displays the following details about each device interface:
• Port—Indicates the interface name.
• Admin Status—Indicates whether the interface is enabled (Up) or disabled (Down).
• Link Status—Indicates whether the interface is linked (Up) or not linked (Down).
• Address—Indicates the IP address of the interface.
• Zone—Indicates whether the zone is an untrust zone or a trust zone.
• Services—Indicates services that are enabled on the device, such as HTTP and SSH.
• Protocols—Indicates protocols that are enabled on the device, such as BGP and IGMP.
• Input Rate graph—Displays interface bandwidth utilization. Input rates are shown in bytes per second.
• Output Rate graph—Displays interface bandwidth utilization. Output rates are shown in bytes per second.
• Error Counters chart—Displays input and output error counters in the form of a bar chart.
• Packet Counters chart—Displays the number of broadcast, unicast, and multicast packet counters in the form of a pie chart. (Packet counter charts are supported only for interfaces that support MAC statistics.)
To change the interface display, use the following options:
• Port for FPC—Controls the member for which information is displayed.
• Start/Stop button—Starts or stops monitoring the selected interfaces.
• Show Graph—Displays input and output packet counters and error counters in the form of charts.
• Pop-up button—Displays the interface graphs in a separate pop-up window.
• Details—Displays extensive statistics about the selected interface, including its general status, traffic information, IP address, I/O errors, class-of-service data, and statistics.
• Refresh Interval—Indicates the duration of time after which you want the data on the page to be refreshed.
• Clear Statistics—Clears the statistics for the selected interface.
SEE ALSO
Interfaces User Guide for Security Devices
Other Tools to Congure and Monitor Devices Running Junos OS
35
Starng in Junos OS Release 15.1, apart from the command-line interface, Junos OS also supports the following applicaons, scripts, and ulies that enable you to congure and monitor devices running Junos OS:
• Junos XML Management Protocol Applicaon Programming Interface (API)—Applicaon programmers can use the Junos XML Management Protocol API to monitor and congure Juniper Networks devices. Juniper Networks provides a Perl module with the API to help you more quickly and easily develop custom Perl scripts for conguring and monitoring the devices.
• NETCONF Applicaon Programming Interface (API)—Applicaon programmers can also use the NETCONF API to monitor and congure Juniper Networks devices.
• Junos OS commit scripts—You can dene scripts to enforce custom conguraon tasks, enforce consistency, prevent common mistakes, and more. Every me you commit a new candidate
conguraon, the acve commit scripts are called to inspect the new candidate conguraon. If a conguraon violates your custom rules, the script can instruct the Junos OS to perform various acons, including making changes to the conguraon and generang custom, warning, and system
log messages.
• Junos OS Op scripts—You can add your own commands to the operaon-mode CLI. You can use these scripts to automate troubleshoong of known network problems and correct them.
• Junos OS event scripts—You can use event scripts to diagnose and x issues, monitor the overall
status of the system, and examine errors periodically. Event scripts are similar to op scripts except that certain events on the switch will trigger these scripts.
• CHEF—You can use CHEF automate the provisioning and management of compute, networking, and storage resources. Chef for Junos OS provides support for Chef on selected Junos OS devices, allowing you to automate common switching network conguraons.
• Puppet—You can use PUPPET for conguraon management. Puppet provides an ecient and scalable soluon for managing the conguraons of large numbers of devices. System administrators take advantage of Puppet to manage compute resources such as physical and virtual servers.
SEE ALSO
CLI User Interface Overview
NETCONF XML Management Protocol Developer Guide
Release History Table
Release | Description
15.1 | Starting in Junos OS Release 15.1, apart from the command-line interface, Junos OS also supports the following applications, scripts, and utilities that enable you to configure and monitor devices running Junos OS:
RELATED DOCUMENTATION
Understanding Device and Network Management Features
Day One: Monitoring and Troubleshooting

Passive Monitoring


Understanding Passive Monitoring

Passive monitoring is a type of network monitoring used to passively capture traffic from monitoring interfaces. When you enable passive monitoring, the device accepts and monitors traffic on the interface and forwards the traffic to monitoring tools like IDS servers and packet analyzers, or other devices such as routers or end node hosts.
Starting in Junos OS Release 18.4R1, passive monitoring is supported on QFX10000 switches.
Starting in Junos OS Evolved 19.4R1, passive monitoring is supported on PTX10003 routers.
Passive Monitoring Benefits
• Provides filtering capabilities for monitoring ingress and egress traffic at the Internet point of presence (PoP) where security networks are attached.
Guidelines for Configuring Passive Monitoring
• You can only configure passive monitoring at the interface level. Configuration per VLAN or logical interface is not supported.
• A passive monitoring interface cannot be an aggregated Ethernet (AE) interface.
• Monitoring tools or devices must be directly connected to the switch or router.
• Packets with more than two MPLS labels and more than two VLAN tags are dropped.
• Exception packets such as IP packet options, router alert, and TTL expiry packets are treated as regular traffic.
• Ethernet encapsulation is not supported.
• MPLS family filter configuration is not supported.
• Link Aggregation Control Protocol (LACP) is not supported on the AE bundle connected to the monitoring tool or device.
Example: Conguring Passive Monitoring on QFX10000 Switches
IN THIS SECTION
Requirements | 38
Overview | 38
Conguraon | 39
Vericaon | 42
This example shows how to congure passive monitoring on QFX10000 switches.
Requirements
38
This example uses the following hardware and soware components:
• Two routers (R1 and R2)
• One QFX10002 switch
• Two devices, directly connected to the switch
• Junos OS Release 18.4R1 or later
Overview
IN THIS SECTION
Topology | 39
This example describes how to congure passive monitoring on the switch.
In Figure 1 on page 39, et-0/0/2 and et-0/0/4 are congured as passive monitoring interfaces. Packets coming into the network are exchanged between Router 1 (R1) and Router 2 (R2) in two direcons (R1 to R2, R2 to R1) and are sent to the monitored interfaces. When trac is received, a rewall lter transfers all packets to a roung instance and forwards the packets to the monitoring tools. The interfaces are then grouped into a single logical interface, known as a link aggregaon group (LAG) or AE bundle. This enables the trac to be evenly distributed across the monitoring tools eecvely
increasing the uplink bandwidth. If one interface fails, the bundle connues to carry trac over the remaining interfaces.
Oponally, you can apply symmetric hashing over the passive monitor interfaces for load balancing trac to the monitoring tools. This allows ingress and egress trac of the same ow to be sent out through the same monitored interface. To congure symmetric hashing, include the no-incoming-port opon under the [edit forwarding-opons enhanced-hash-key] hierarchy. Symmetric hashing is enabled
and disabled at the global level only. Per protocol hashing is not supported.
Topology
Figure 1: Passive Monitoring Topology
39
Conguraon
IN THIS SECTION
CLI Quick Conguraon | 40
Conguring Passive Monitoring | 40
The following example requires you to navigate various levels in the CLI hierarchy. For informaon about navigang the CLI, see
Using the CLI Editor in Conguraon Mode
.
CLI Quick Conguraon
To quickly congure this example, copy the following commands, paste them into a text le, remove any line breaks, change any details necessary to match your network conguraon, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from conguraon mode.
set interfaces et-0/0/2 passive-monitor-mode
set interfaces et-0/0/2 unit 0 family inet filter input pm
set interfaces et-0/0/4 passive-monitor-mode
set interfaces et-0/0/4 unit 0 family inet filter input pm1
set firewall family inet filter pm1 term t1 from interface et-0/0/4.0
set firewall family inet filter pm1 term t1 then count c1
set firewall family inet filter pm1 term t1 then routing-instance pm_inst
set firewall family inet filter pm term t1 from interface et-0/0/2.0
set firewall family inet filter pm term t1 then count c3
set firewall family inet filter pm term t1 then routing-instance pm_inst
set routing-instances pm_inst instance-type virtual-router
set routing-instances pm_inst interface ae0.0
set routing-instances pm_inst routing-options static route 0.0.0.0/0 next-hop 198.51.1.1
set interfaces xe-0/0/9:0 ether-options 802.3ad ae0
set interfaces xe-0/0/9:1 ether-options 802.3ad ae0
set interfaces ae0 unit 0 family inet address 198.51.1.2/24 arp 198.51.1.1 mac 00:10:94:00:00:05
set routing-instances pm_inst interface ae0.0
set forwarding-options enhanced-hash-key inet no-incoming-port
Configuring Passive Monitoring
Step-by-Step Procedure
To configure passive monitoring:
1. Configure passive-monitor mode on the switch interfaces:
[edit]
user@switch# set interfaces et-0/0/2 passive-monitor-mode
user@switch# set interfaces et-0/0/2 unit 0 family inet filter input pm
user@switch# set interfaces et-0/0/4 passive-monitor-mode
user@switch# set interfaces et-0/0/4 unit 0 family inet filter input pm1
2. Configure a family inet firewall filter on the passive monitor interfaces to forward the traffic to a routing instance. Supported filter actions are accept, reject, count, routing-instance.
[edit]
user@switch# set firewall family inet filter pm1 term t1 from interface et-0/0/4.0
user@switch# set firewall family inet filter pm1 term t1 then count c1
user@switch# set firewall family inet filter pm1 term t1 then routing-instance pm_inst
user@switch# set firewall family inet filter pm term t1 from interface et-0/0/2.0
user@switch# set firewall family inet filter pm term t1 then count c3
user@switch# set firewall family inet filter pm term t1 then routing-instance pm_inst
3. Create a routing-instance with a static route that points to the devices.
[edit]
user@switch# set routing-instances pm_inst instance-type virtual-router
user@switch# set routing-instances pm_inst interface ae0.0
user@switch# set routing-instances pm_inst routing-options static route 0.0.0.0/0 next-hop 198.51.1.1
4. Configure an AE bundle on the passive monitoring interfaces.
[edit]
user@switch# set interfaces xe-0/0/9:0 ether-options 802.3ad ae0
user@switch# set interfaces xe-0/0/9:1 ether-options 802.3ad ae0
user@switch# set interfaces ae0 unit 0 family inet address 198.51.1.2/24 arp 198.51.1.1 mac 00:10:94:00:00:05
user@switch# set routing-instances pm_inst interface ae0.0
5. (Optional) Configure symmetric hashing.
[edit]
user@switch# set forwarding-options enhanced-hash-key inet no-incoming-port
6. From configuration mode, confirm your configuration by entering the show interfaces command. If the command output does not display the intended configuration, repeat the instructions in this example to correct it.
7. If you are done configuring the interfaces, enter commit from configuration mode.
Vericaon
IN THIS SECTION
Verify the Passive Monitoring Conguraon | 42
Verify Symmetric Hashing | 44
Conrm that the conguraon is working properly.
Verify the Passive Monitoring Conguraon
42
Purpose
Verify that passive monitoring is working on the interfaces. If the interface output shows No-receive and No-transmit, this means that passive monitoring is working.
Acon
From operaonal mode, enter the show interfaces command to view the passive monitoring interfaces.
user@host> show interfaces et-0/0/2
Physical interface: et-0/0/2, Enabled, Physical link is Up
Interface index: 146, SNMP ifIndex: 515
Link-level type: Ethernet, MTU: 1514, LAN-PHY mode, Speed: 40Gbps, BPDU Error:
None, Loop Detect PDU Error: None, Ethernet-Switching Error: None, MAC-REWRITE
Error: None,
Loopback: Disabled, Source filtering: Disabled, Flow control: Disabled, Media
type: Fiber
Device flags : Present Running
Interface flags: SNMP-Traps No-receive No-transmit Internal: 0x4000
Link flags : None
CoS queues : 8 supported, 8 maximum usable queues
Current address: 3c:61:04:75:3c:5d, Hardware address: 3c:61:04:75:3c:5d
Last flapped : 2018-05-17 11:19:05 PDT (00:17:55 ago)
Input rate : 0 bps (0 pps)
Output rate : 0 bps (0 pps)
Active alarms : None
Active defects : None
PCS statistics Seconds
Bit errors 0
Errored blocks 0
Ethernet FEC Mode : NONE
Ethernet FEC statistics Errors
FEC Corrected Errors 0
FEC Uncorrected Errors 0
FEC Corrected Errors Rate 0
FEC Uncorrected Errors Rate 0
PRBS Statistics : Disabled
Interface transmit statistics: Disabled
user@host> show interfaces et-0/0/4
Physical interface: et-0/0/4, Enabled, Physical link is Up
Interface index: 146, SNMP ifIndex: 515
Link-level type: Ethernet, MTU: 1514, LAN-PHY mode, Speed: 40Gbps, BPDU Error:
None, Loop Detect PDU Error: None, Ethernet-Switching Error: None, MAC-REWRITE
Error: None,
Loopback: Disabled, Source filtering: Disabled, Flow control: Disabled, Media
type: Fiber
Device flags : Present Running
Interface flags: SNMP-Traps No-receive No-transmit Internal: 0x4000
Link flags : None
CoS queues : 8 supported, 8 maximum usable queues
Current address: 3c:61:04:75:3c:5d, Hardware address: 3c:61:04:75:3c:5d
Last flapped : 2018-05-17 11:19:05 PDT (00:18:17 ago)
Input rate : 0 bps (0 pps)
Output rate : 0 bps (0 pps)
Active alarms : None
Active defects : None
PCS statistics Seconds
Bit errors 0
Errored blocks 0
Ethernet FEC Mode : NONE
Ethernet FEC statistics Errors
FEC Corrected Errors 0
FEC Uncorrected Errors 0
FEC Corrected Errors Rate 0
FEC Uncorrected Errors Rate 0
PRBS Statistics : Disabled
Interface transmit statistics: Disabled
Verify Symmetric Hashing
Purpose
Verify the output for symmetric hashing. The incoming port fields for inet, inet6 and L2 should all be set to No.
Action
From configuration mode, enter the show forwarding-options enhanced-hash-key command.
Slot 0
Seed value for Hash function 0: 3626023417
Seed value for Hash function 1: 3626023417
Seed value for Hash function 2: 3626023417
Seed value for Hash function 3: 3626023417
Inet settings:
--------------
IPV4 dest address: Yes
IPV4 source address: Yes
L4 Dest Port: Yes
L4 Source Port: Yes
Incoming port: No
Inet6 settings:
--------------
IPV6 dest address: Yes
IPV6 source address: Yes
L4 Dest Port: Yes
L4 Source Port: Yes
Incoming port: No
L2 settings:
------------
Dest Mac address: No
Source Mac address: No
Vlan Id: Yes
Inner-vlan Id: No
Incoming port: No
GRE settings:
-------------
Key: No
Protocol: No
MPLS settings:
--------------
MPLS Enabled: Yes
VXLAN settings:
---------------
VXLAN VNID: No
Release History Table
Release | Description
18.4R1 | Starting in Junos OS Release 18.4R1, passive monitoring is supported on QFX10000 switches.
18.4R1 | Starting in Junos OS Evolved 19.4R1, passive monitoring is supported on PTX10003 routers.

How to Locate a Device or Port Using the Chassis Beacon

By default, when a network port and its associated link are active, the status LED for that port blinks green at a rate of 8 blinks per second. With the chassis beacon feature, you can use the request chassis beacon command to slow the current rate at which the status LED blinks green to 2 blinks per second. The slower and steadier green light acts as a beacon that you, as a network administrator in a remote office, can enable to guide a network installer in a busy data center or lab to a Juniper Networks device or port on the device.
You can use the following options with the chassis beacon feature:
• Turn on the beacon for:
  • 5 minutes (default)
  • A specified number of minutes (1 through 120)
• Turn off the beacon:
  • Immediately
  • After a specified number of minutes (1 through 120) elapses
You can use these options on all network ports on an FPC or just one network port on an FPC.
To turn the beacon on or off on a Virtual Chassis, you must:
• Issue the request chassis beacon command on the primary switch in the Virtual Chassis.
• When specifying the FPC slot number, use the target Virtual Chassis member number.
You can slow the rate at which the status LED blinks green to 2 blinks per second. The slower and steadier green light acts as a beacon that guides a network installer in a busy data center or lab to a Juniper Networks device or port on the device.
This topic covers the available options in the following use cases:

Turning On the Chassis Beacon For the Default Interval

You can turn on the chassis beacon for the default interval, which is 5 minutes.
1. Turn on the chassis beacon using one of the following commands:
a. For all network ports on a specified FPC:
user@switch> request chassis beacon fpc slot-number on
b. For a specified network port on an FPC:
user@switch> request chassis beacon fpc slot-number pic-slot slot-number port port-number on
After you turn on the chassis beacon, you can expect the following behavior:
• The chassis beacon overrides the current state of the status LED for all or the specified network port on the FPC.
• If you turn on the beacon for only one network port, the status LEDs for the remaining network ports on the FPC are turned off.
• Unless you issue a command to explicitly turn off the chassis beacon before the default interval is over, it turns off after 5 minutes. The state of the status LED for all ports or the specified port returns to the state it was in before you turned on the chassis beacon.
2. If you want to turn the chassis beacon off before the 5-minute interval is over, use one of the following commands:
a. For all network ports on a specified FPC:
user@switch> request chassis beacon fpc slot-number off
b. For a specified network port on an FPC:
user@switch> request chassis beacon fpc slot-number pic-slot slot-number port port-number off
Turning On the Chassis Beacon For a Specified Interval
You can turn on the chassis beacon for 1 through 120 minutes.
1. Turn on the chassis beacon using one of the following commands:
a. For all network ports on a specified FPC:
user@switch> request chassis beacon fpc slot-number on timer number-of-minutes
b. For a specified network port on an FPC:
user@switch> request chassis beacon fpc slot-number pic-slot slot-number port port-number on timer number-of-minutes
After you turn on the chassis beacon, you can expect the following behavior:
• The chassis beacon overrides the current state of the status LEDs for all or one network port on the FPC.
• If you turn on the chassis beacon for only one network port, the status LEDs for the remaining network ports on the FPC are turned off.
• The chassis beacon stays on until you explicitly issue a command to turn it off.
2. You can turn off the chassis beacon immediately or after a specified time interval (1 through 120 minutes) is over.
a. To turn off the chassis beacon immediately, use one of the following commands:
For all network ports on a specified FPC:
user@switch> request chassis beacon fpc slot-number off
OR
For a specified network port on an FPC:
user@switch> request chassis beacon fpc slot-number pic-slot slot-number port port-number off
b. To turn off the chassis beacon after a specified time interval of 1 through 120 minutes is over, use one of the following commands:
For all network ports on a specified FPC:
user@switch> request chassis beacon fpc slot-number off timer number-of-minutes
OR
For a specified network port on an FPC:
user@switch> request chassis beacon fpc slot-number pic-slot slot-number port port-number off timer number-of-minutes
After you turn off the chassis beacon, the state of the status LED for all or one port on the FPC returns to the state it was in before you turned on the chassis beacon.
CHAPTER 2
Configuration Statements
checksum
compress-configuration-files (System)
domain-name
domain-search
enhanced-hash-key
ethernet (Alarm)
hardware-timestamp
host-name
inet (enhanced-hash-key)
inet6-backup-router
inet6 (enhanced-hash-key)
internet-options
lcd-menu
location
location (System)
max-configurations-on-flash
menu-item
no-multicast-echo
no-ping-record-route
no-ping-time-stamp
no-redirects (IPv4 Traffic)
optional
passive-monitor-mode
ports
ports
power
processes
saved-core-context
saved-core-files
static-host-mapping
time-format
time-zone
traceoptions (Layer 2 Learning)
traceoptions (SBC Configuration Process)
use-imported-time-zones

checksum

Syntax
checksum (md5 | sha-256 | sha1) hash;
Hierarchy Level
[edit event-options event-script file filename],
[edit system scripts commit file filename],
Description
For Junos commit scripts and op scripts, specify the MD5, SHA-1, or SHA-256 checksum hash. When it executes a local event or commit script, the Junos OS verifies the authenticity of the script by using the configured checksum hash.
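How the configured hash relates to the script file, as an added Python example (not Junos or Juniper code): it builds the checksum statement for a script and repeats the comparison the Description says is made before a script runs. The script bytes and the function names are constructed for the example.

```python
import hashlib
import hmac

# Keywords from the Syntax line mapped to hashlib algorithm names.
ALGORITHMS = {"md5": "md5", "sha1": "sha1", "sha-256": "sha256"}

# MD5 and SHA-1 have known practical collisions, so a matching digest from
# either is weaker evidence that the script is the one that was reviewed.
COLLISION_PRONE = {"md5", "sha1"}


def script_digest(script_bytes, keyword="sha-256"):
    """Hex digest of the script for one of the statement's keywords."""
    if keyword not in ALGORITHMS:
        raise ValueError(f"unsupported checksum keyword: {keyword}")
    return hashlib.new(ALGORITHMS[keyword], script_bytes).hexdigest()


def checksum_statement(script_bytes, keyword="sha-256"):
    """Build the 'checksum (md5 | sha-256 | sha1) hash;' statement."""
    return f"checksum {keyword} {script_digest(script_bytes, keyword)};"


def parse_statement(statement):
    """Split a checksum statement into (keyword, hash)."""
    parts = statement.strip().rstrip(";").split()
    if len(parts) != 3 or parts[0] != "checksum" or parts[1] not in ALGORITHMS:
        raise ValueError(f"not a checksum statement: {statement!r}")
    return parts[1], parts[2].lower()


def matches_configured(script_bytes, statement):
    """True only if the script on disk still hashes to the configured value."""
    keyword, configured = parse_statement(statement)
    return hmac.compare_digest(script_digest(script_bytes, keyword), configured)


def is_collision_prone(statement):
    """Flag statements that rely on MD5 or SHA-1."""
    return parse_statement(statement)[0] in COLLISION_PRONE


# Constructed sample: the reviewed script and a copy modified afterwards.
REVIEWED = b"/* constructed commit script body */\n"
MODIFIED = REVIEWED + b"/* line appended after review */\n"

if __name__ == "__main__":
    stmt = checksum_statement(REVIEWED)
    print(stmt)
    print("reviewed script accepted:", matches_configured(REVIEWED, stmt))
    print("modified script accepted:", matches_configured(MODIFIED, stmt))
```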
Options
md5 hash—MD5 checksum of this script.
sha-256 hash—SHA-256 checksum of this script.
sha1 hash—SHA-1 checksum of this script.
Required Privilege Level
maintenance—To view this statement in the configuration.
maintenance-control—To add this statement to the configuration.
Release Information
Statement introduced in Junos OS Release 11.1.
RELATED DOCUMENTATION
Configuring Checksum Hashes for a Commit Script
Configuring Checksum Hashes for an Event Script
Configuring Checksum Hashes for an Op Script
file checksum md5
file checksum sha-256
file checksum sha1
compress-configuration-files (System)
Syntax
(compress-configuration-files | no-compress-configuration-files);
Hierarchy Level
[edit system]
Description
Compress the current operational configuration file. The file is stored in the file juniper.conf, in the /config file system, along with the last three committed versions of the configuration. However, with large networks, the current configuration file might exceed the available space in the /config file system. Compressing the current configuration file allows the file to fit in the file system, typically reducing the size of the file by 90 percent. The current configuration file is compressed on the second commit of the configuration after the first commit is made to include the compress-configuration-files statement.
NOTE: We recommend that you enable compression of the configuration files to minimize the amount of disk space that they require.
Default
The current operational configuration file is uncompressed.
Required Privilege Level
system—To view this statement in the configuration.
system-control—To add this statement to the configuration.
Release Information
Statement introduced in Junos OS Release 11.1.
RELATED DOCUMENTATION
Compressing the Current Configuration File

domain-name

Syntax
domain-name domain-name;
Hierarchy Level
[edit system]
Description
Configure the name of the domain in which the switch is located. This is the default domain name that is appended to hostnames that are not fully qualified.
Options
domain-name—Name of the domain.
Required Privilege Level
system—To view this statement in the configuration.
system-control—To add this statement to the configuration.
Release Information
Statement introduced in Junos OS Release 11.1.
RELATED DOCUMENTATION
Configuring a DNS Name Server for Resolving Hostnames into Addresses

domain-search

Syntax
domain-search domain-list;
Hierarchy Level
[edit system]
Description
Configure a list of domains to be searched.
Options
domain-list—List of domain names to search. The list can contain up to 6 domain names, with a total of up to 256 characters.
Required Privilege Level
system—To view this statement in the configuration.
system-control—To add this statement to the configuration.
Release Information
Statement introduced in Junos OS Release 11.1.
RELATED DOCUMENTATION
Configuring a DNS Name Server for Resolving Hostnames into Addresses

enhanced-hash-key

Syntax (EX Series)
enhanced-hash-key {
ecmp-resilient-hash;
fabric-load-balance {
flowlet {
inactivity-interval interval;
}
per-packet;
}
hash-mode {
layer2-header;
layer2-payload;
}
family inet {
no-ipv4-destination-address;
no-ipv4-source-address;
no-l4-destination-port;
no-l4-source-port;
no-protocol;
vlan-id;
}
family inet6 {
no-ipv6-destination-address;
no-ipv6-source-address;
no-l4-destination-port;
no-l4-source-port;
no-next-header;
vlan-id;
}
layer2 {
no-destination-mac-address;
no-ether-type;
no-source-mac-address;
vlan-id;
}
}
Syntax (QFX5000 Line of Switches)
enhanced-hash-key {
conditional-match name {
offset1 {
base-offset1 (start-of-L2Header | start-of-L3-InnerHeader | start-of-L3-OuterHeader | start-of-L4-Header);
matchdata1 matchdata1;
matchdata1-mask matchdata1-mask;
offset1-value offset1-value;
}
offset2 {
base-offset2 (start-of-L2Header | start-of-L3-InnerHeader | start-of-L3-OuterHeader | start-of-L4-Header);
matchdata2 matchdata2;
matchdata2-mask matchdata2-mask;
offset2-value offset2-value;
}
offset3 {
base-offset3 (start-of-L2Header | start-of-L3-InnerHeader | start-of-L3-OuterHeader | start-of-L4-Header);
matchdata3 matchdata3;
matchdata3-mask matchdata3-mask;
offset3-value offset3-value;
}
offset4 {
base-offset4 (start-of-L2Header | start-of-L3-InnerHeader | start-of-L3-OuterHeader | start-of-L4-Header);
matchdata4 matchdata4;
matchdata4-mask matchdata4-mask;
offset4-value offset4-value;
}
}
ecmp-dlb {
assigned-flow;
per-packet;
flowlet inactivity-interval;
ether-type (ipv4|ipv6|mpls);
}
ecmp-resilient-hash;
fabric-load-balance {
flowlet {
inactivity-interval interval;
}
per-packet;
}
flex-hashing name {
ethtype {
inet {
conditional-match conditional-match;
hash-offset {
offset1 {
base-offset1 (start-of-L2Header | start-of-L3-InnerHeader | start-of-L3-OuterHeader | start-of-L4-Header);
offset1-mask offset1-mask;
offset1-value offset1-value;
offset2 {
base-offset2 (start-of-L2Header | start-of-L3-InnerHeader | start-of-L3-OuterHeader | start-of-L4-Header);
offset2-mask offset2-mask;
offset2-value offset2-value;
}
}
}
interface interface;
}
inet6 {
conditional-match conditional-match;
hash-offset {
offset1 {
base-offset1 (start-of-L2Header | start-of-L3-InnerHeader | start-of-L3-OuterHeader | start-of-L4-Header);
offset1-mask offset1-mask;
offset1-value offset1-value;
offset2 {
base-offset2 (start-of-L2Header | start-of-L3-InnerHeader | start-of-L3-OuterHeader | start-of-L4-Header);
offset2-mask offset2-mask;
offset2-value offset2-value;
}
}
}
interface interface;
}
mpls {
conditional-match conditional-match;
hash-offset {
offset1 {
base-offset1 (start-of-L2Header | start-of-L3-InnerHeader | start-of-L3-OuterHeader | start-of-L4-Header);
offset1-mask offset1-mask;
offset1-value offset1-value;
offset2 {
base-offset2 (start-of-L2Header | start-of-L3-InnerHeader | start-of-L3-OuterHeader | start-of-L4-Header);
offset2-mask offset2-mask;
offset2-value offset2-value;
}
}
}
interface interface;
num-labels num-labels;
}
}
}
hash-mode {
layer2-header;
layer2-payload;
gtp-header-offset offset-value;
}
hash-parameters {
ecmp {
function {
(crc16-bisync | crc16-ccitt | crc32-hi | crc32-lo);
}
offset offset;
preprocess;
}
lag {
function {
(crc16-bisync | crc16-ccitt | crc32-hi | crc32-lo);
}
offset offset;
preprocess;
}
}
family inet {
gtp-tunnel-endpoint-identifier;
no-incoming-port;
no-ipv4-destination-address;
no-ipv4-source-address;
no-l4-destination-port;
no-l4-source-port;
no-protocol;
vlan-id;
}
family inet6 {
no-incoming-port;
no-ipv6-destination-address;
no-ipv6-source-address;
no-l4-destination-port;
no-l4-source-port;
no-next-header;
vlan-id;
}
layer2 {
no-destination-mac-address;
no-ether-type;
no-source-mac-address;
vlan-id;
}
symmetric-hash {
inet;
inet6;
}
}
vxlan {
no-inner-payload;
}
Syntax (QFX10000 Series Switches)
enhanced-hash-key {
hash-seed seed-value;
family inet {
gtp-tunnel-endpoint-identifier;
no-ipv4-destination-address;
no-ipv4-source-address;
no-l4-destination-port;
no-l4-source-port;
no-incoming-port;
}
family inet6 {
gtp-tunnel-endpoint-identifier;
ipv6-flow-label;
no-ipv6-destination-address;
no-ipv6-source-address;
no-l4-destination-port;
no-l4-source-port;
no-incoming-port;
}
layer2 {
destination-mac-address
inner-vlan-id;
no-ether-type;
no-vlan-id;
source-mac-address;
}
no-mpls;
gre {
key;
protocol;
}
vxlan-vnid
}
}
Hierarchy Level
[edit forwarding-options]
Description
Configure the hashing key used to hash link aggregation group (LAG) and equal-cost multipath (ECMP) traffic, or enable adaptive load balancing (ALB) in a Virtual Chassis Fabric (VCF).
NOTE: Starting in Junos OS Release 14.1X53-D46, 15.1R7, 16.1R6, 17.1R3, 17.2R2, 17.3R2, and 17.4R1, the ALB feature is deprecated. If fabric-load-balance is enabled in the configuration for a VCF, delete the configuration item upon upgrading Junos OS.
The hashing algorithm is used to make traffic-forwarding decisions for traffic entering a LAG bundle or for traffic exiting a switch when ECMP is enabled.
For LAG bundles, the hashing algorithm determines how traffic entering a LAG bundle is placed onto the bundle’s member links. The hashing algorithm tries to manage bandwidth by evenly load-balancing all incoming traffic across the member links in the bundle.
When ECMP is enabled, the hashing algorithm determines how incoming traffic is forwarded to the next-hop device.
On QFX10000 Series switches, you can configure the hash seed for load balancing. By default, the QFX10000 Series switches use the system MAC address to generate a hash seed value. You can configure the hash seed value using the hash-seed statement at the [edit forwarding-options enhanced-hash-key] hierarchy level. Set a value between 0 and 4294967295. If you do not configure a hash seed value, the system generates a hash seed value based on the system MAC address.
The remaining statements are explained separately. See CLI Explorer.
Starting in Junos OS Release 18.4R1, symmetric hashing is supported on the QFX10000 Series switches. You configure the no-incoming-port option under the [edit forwarding-options enhanced-hash-key] hierarchy. By default, Dynamic IP (DIP), SIP, Layer 4 source and destination ports, and the incoming port are used for hashing. You can only configure symmetric hashing at the global level.
Starting in Junos OS Release 19.4R1, the dynamic load balancing on ECMP is supported on QFX5120-32C and QFX5120-48Y switches. You can configure the ecmp-dlb option under the [edit forwarding-options enhanced-hash-key] hierarchy. Refer to Dynamic Load Balancing for more details.
To enable symmetric hashing on the QFX5000 line of switches, configure the symmetric-hash option.
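The effect of field selection and symmetric hashing described above, as an added Python illustration that is not Juniper code. CRC-32 from zlib stands in for the switch's hash function, and the flow tuples, link count, and function names are constructed for the example.

```python
import zlib
from collections import namedtuple

Flow = namedtuple("Flow", "src dst proto sport dport")

# "family inet" options from the Syntax sections -> the field each one removes.
EXCLUDES = {
    "no-ipv4-source-address": "src",
    "no-ipv4-destination-address": "dst",
    "no-protocol": "proto",
    "no-l4-source-port": "sport",
    "no-l4-destination-port": "dport",
}


def member_link(flow, n_links, options=(), symmetric=False, seed=0):
    """Pick a LAG member link (or ECMP next hop) index for one flow."""
    fields = flow._asdict()
    for option in options:
        fields.pop(EXCLUDES[option], None)
    # Keep each address with its port so "symmetric" swaps whole endpoints.
    ends = [
        (fields.get("src", ""), fields.get("sport", 0)),
        (fields.get("dst", ""), fields.get("dport", 0)),
    ]
    if symmetric:
        ends.sort()  # A->B and B->A now build the same key
    key = repr((ends, fields.get("proto", 0))).encode()
    # seed plays the role of hash-seed (0 through 4294967295).
    return zlib.crc32(key, seed) % n_links


def links_used(flows, n_links, **kwargs):
    """Set of link indexes that a group of flows is spread across."""
    return {member_link(f, n_links, **kwargs) for f in flows}


def reverse(flow):
    """The reply direction of a flow."""
    return Flow(flow.dst, flow.src, flow.proto, flow.dport, flow.sport)


# Constructed sample: 64 client connections between the same two hosts.
FLOWS = [Flow("192.0.2.10", "198.51.100.20", 6, 40000 + i, 443) for i in range(64)]

if __name__ == "__main__":
    print("all fields:", sorted(links_used(FLOWS, 4)))
    no_ports = ("no-l4-source-port", "no-l4-destination-port")
    print("ports excluded:", sorted(links_used(FLOWS, 4, options=no_ports)))
    f = FLOWS[0]
    print("symmetric pair:", member_link(f, 4, symmetric=True),
          member_link(reverse(f), 4, symmetric=True))
```

With both Layer 4 port fields excluded, every flow between the two hosts lands on one link. With symmetric=True, a flow and its reply share a link, so a sensor attached to one member link sees both directions of a connection.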
Required Privilege Level
interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.
Release Information
Statement introduced in Junos OS Release 13.2X51-D15.
The fabric-load-balance statement introduced in Junos OS Release 14.1X53-D10.
The fabric-load-balance statement deprecated starting in Junos OS Releases 14.1X53-D46, 15.1R7, 16.1R6, 17.1R3, 17.2R2, 17.3R2, and 17.4R1.
The hash-seed statement introduced in Junos OS Release 15.1X53-D30.
The ecmp-dlb statement introduced in Junos OS Release 19.4R1 for QFX5120-32C and QFX5120-48Y switches.
Option symmetric-hash introduced in Junos OS Release 20.4R1.
RELATED DOCUMENTATION
Configuring the Fields in the Algorithm Used To Hash LAG Bundle and ECMP Traffic (CLI Procedure)
Understanding the Algorithm Used to Hash LAG Bundle and Egress Next-Hop ECMP Traffic
Understanding Passive Monitoring
Understanding Per-Packet Load Balancing
show forwarding-options enhanced-hash-key

ethernet (Alarm)

Syntax
ethernet {
link-down (red | yellow | ignore);
}
Hierarchy Level
[edit chassis alarm],
[edit chassis interconnect-device name alarm],
[edit chassis node-group name alarm]
Description
Configure alarms for an Ethernet interface.
Options
The remaining statements are explained separately. Search for a statement in CLI Explorer or click a linked statement in the Syntax section for details.
Required Privilege Level
interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.
Release Information
Statement introduced in Junos OS Release 11.1.
hardware-timestamp
Syntax
hardware-timestamp;
Hierarchy Level
[edit services rpm probe owner test test-name]
Description
Enable timestamping of RPM probe messages in the Packet Forwarding Engine host processor. This feature is supported only with icmp-ping, icmp-ping-timestamp, udp-ping, and udp-ping-timestamp probe types.
Required Privilege Level
interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.
Release Information
Statement introduced in Junos OS Release 8.1.
Statement applied to MX Series routers in Junos OS Release 10.0.
Statement introduced in Junos OS Release 19.1 for PTX Series routers.

host-name

Syntax
host-name hostname;
Hierarchy Level
[edit system]
Description
Set the hostname of the switch.
Options
hostname—Name of the switch.
Required Privilege Level
system—To view this statement in the configuration.
system-control—To add this statement to the configuration.
Release Information
Statement introduced in Junos OS Release 11.1.
RELATED DOCUMENTATION
Configuring the Hostname of a Router or Switch by Using a Configuration Group

inet (enhanced-hash-key)

Syntax (EX Series and QFX5100 Switch)
inet {
gtp-tunnel-endpoint-identifier;
no-ipv4-destination-address;
no-ipv4-source-address;
no-l4-destination-port;
no-l4-source-port;
no-protocol;
vlan-id;
}
Syntax (QFX10000 Series Switches)
inet {
gtp-tunnel-endpoint-identifier;
no-ipv4-destination-address;
no-ipv4-source-address;
no-l4-destination-port;
no-l4-source-port;
no-incoming-port;
}
Hierarchy Level
[edit forwarding-options enhanced-hash-key family]
Description
Select the payload fields in IPv4 traffic used by the hashing algorithm to make hashing decisions.
When IPv4 traffic enters a LAG and the hash mode is set to Layer 2 payload, the hashing algorithm checks the fields configured using the inet statement and uses the information in the fields to decide how to place traffic onto the LAG bundle’s member links or how to forward traffic to the next hop device when ECMP is enabled.
The hashing algorithm, when used to hash LAG bundle traffic, always tries to manage bandwidth by evenly load-balancing all incoming traffic across the member links in the bundle.
The hashing algorithm only inspects the IPv4 fields in the payload to make hashing decisions when the hash mode is set to layer2-payload. The hash mode is set to Layer 2 payload by default. You can set the hash mode to Layer 2 payload using the set forwarding-options enhanced-hash-key hash-mode layer2-payload statement.
Default
The following fields are used by the hashing algorithm to make hashing decisions for IPv4 traffic:
• IP destination address
• IP source address
• Layer 4 destination port
• Layer 4 source port
• Protocol
Options
no-ipv4-destination-address
Exclude the IPv4 destination address field from the hashing algorithm.
no-ipv4-source-address
Exclude the IPv4 source address field from the hashing algorithm.
no-l4-destination-port
Exclude the Layer 4 destination port field from the hashing algorithm.
no-l4-source-port
Exclude the Layer 4 source port field from the hashing algorithm.
no-protocol
Exclude the protocol field from the hashing algorithm.
no-incoming-port
Exclude the incoming port number from the hashing algorithm.
vlan-id
Include the VLAN ID field in the hashing algorithm.
NOTE: The vlan-id option is not supported and should not be configured on a Virtual Chassis or Virtual Chassis Fabric (VCF) that contains any of the following switches as members: EX4300, EX4600, QFX3500, QFX3600, QFX5100, or QFX5110 switches.
Required Privilege Level
interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.
Release Information
Statement introduced in Junos OS Release 13.2X51-D15.
RELATED DOCUMENTATION
Configuring the Fields in the Algorithm Used To Hash LAG Bundle and ECMP Traffic (CLI Procedure)
Understanding the Algorithm Used to Hash LAG Bundle and Egress Next-Hop ECMP Traffic
Understanding the Algorithm Used to Hash LAG Bundle and Egress Next-Hop ECMP Traffic (QFX 10002 and QFX 10008 Switches)
Understanding Per-Packet Load Balancing
hash-seed
enhanced-hash-key
hash-mode
inet (enhanced-hash-key)

inet6-backup-router

Syntax
inet6-backup-router address <destination destination-address>;
Hierarchy Level
[edit system]
Description
Set a default router (running IP version 6 [IPv6]) to use while the local router or switch (running IPv6) is booting and if the routing protocol processes fail to start. The Junos OS removes the route to this router or switch as soon as the software starts.
Options
address
Address of the default router.
destination destination-address
(Optional) Destination address that is reachable through the backup router. You can include this option to achieve network reachability while loading, configuring, and recovering the router or switch, but without the risk of installing a default route in the forwarding table.
• Default: All hosts (default route) are reachable through the backup router.
Required Privilege Level
system—To view this statement in the configuration.
system-control—To add this statement to the configuration.
Release Information
Statement introduced before Junos OS Release 7.4.

inet6 (enhanced-hash-key)

Syntax (EX Series and QFX5100 Switch)
inet6 {
no-ipv6-destination-address;
no-ipv6-source-address;
no-l4-destination-port;
no-l4-source-port;
no-next-header;
vlan-id;
}
Syntax (QFX10000 Series Switches)
inet6 {
gtp-tunnel-endpoint-identifier;
ipv6-flow-label;
no-ipv6-destination-address;
no-ipv6-source-address;
no-l4-destination-port;
no-l4-source-port;
no-incoming-port;
}
Hierarchy Level
[edit forwarding-options enhanced-hash-key family]
Description
Select the payload fields in an IPv6 packet used by the hashing algorithm to make hashing decisions.
When IPv6 traffic enters a LAG and the hash mode is set to Layer 2 payload, the hashing algorithm checks the fields configured using this statement and uses the information in the fields to decide how to place traffic onto the LAG bundle’s member links or to forward traffic to the next hop device when ECMP is enabled.
The hashing algorithm, when used to hash LAG traffic, always tries to manage bandwidth by evenly load-balancing all incoming traffic across the member links in the bundle.
The hashing algorithm only inspects the IPv6 fields in the payload to make hashing decisions when the hash mode is set to Layer 2 payload. The hash mode is set to Layer 2 payload by default. You can set the hash mode to Layer 2 payload using the set forwarding-options enhanced-hash-key hash-mode layer2-payload statement.
Default
The data in the following fields are used by the hashing algorithm to make hashing decisions for IPv6 traffic:
• IP destination address
• IP source address
• Layer 4 destination port
• Layer 4 source port
• Next header
Options
no-ipv6-destination-address
Exclude the IPv6 destination address field from the hashing algorithm.
no-ipv6-source-address
Exclude the IPv6 source address field from the hashing algorithm.
no-l4-destination-port
Exclude the Layer 4 destination port field from the hashing algorithm.
no-l4-source-port
Exclude the Layer 4 source port field from the hashing algorithm.
no-incoming-port
Exclude the incoming port number from the hashing algorithm.
no-next-header
Exclude the Next Header field from the hashing algorithm.
vlan-id
Include the VLAN ID field in the hashing algorithm.
Required Privilege Level
interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.
Release Information
Statement introduced in Junos OS Release 13.2X51-D15.
RELATED DOCUMENTATION
Configuring the Fields in the Algorithm Used To Hash LAG Bundle and ECMP Traffic (CLI Procedure)
Understanding the Algorithm Used to Hash LAG Bundle and Egress Next-Hop ECMP Traffic
Understanding the Algorithm Used to Hash LAG Bundle and Egress Next-Hop ECMP Traffic (QFX 10002 and QFX 10008 Switches)
Understanding Per-Packet Load Balancing
hash-seed
enhanced-hash-key
hash-mode
inet (enhanced-hash-key)
internet-options
Syntax
internet-options {
(gre-path-mtu-discovery | no-gre-path-mtu-discovery);
icmpv4-rate-limit bucket-size <bucket-size seconds> <packet-rate packet-rate>;
icmpv6-rate-limit bucket-size <bucket-size seconds> <packet-rate packet-rate>;
(ipip-path-mtu-discovery | no-ipip-path-mtu-discovery);
ipv6-duplicate-addr-detection-transmits ipv6-duplicate-addr-detection-transmits;
(ipv6-path-mtu-discovery | no-ipv6-path-mtu-discovery);
(ipv6-reject-zero-hop-limit | no-ipv6-reject-zero-hop-limit);
ipv6-path-mtu-discovery-timeout minutes;
no-tcp-reset (drop-all-tcp | drop-tcp-with-syn-only);
no-tcp-rfc1323;
no-tcp-rfc1323-paws;
(path-mtu-discovery | no-path-mtu-discovery);
source-port {
upper-limit upper-limit;
}
(source-quench | no-source-quench);
tcp-drop-synfin-set;
tcp-mss mss-value;
}
Hierarchy Level
[edit system]
Description
Configure system IP options to protect against certain types of DoS attacks.
Options
gre-path-mtu-discovery
(ACX Series, EX Series, Junos Fusion, M Series, MX Series, OCX Series, PTX Series, QFX Series, SRX Series, T Series) Configure path MTU discovery for outgoing GRE tunnel connections. By default, path MTU discovery is enabled.
• no-gre-path-mtu-discovery—Path MTU discovery is disabled.
icmpv4-rate-limit
Configure rate-limiting parameters for ICMPv4 messages sent.
• Values:
• bucket-size seconds—Number of seconds in the rate-limiting bucket. Range: 0 through 4294967295 seconds. Default: 5.
• packet-rate pps—Rate-limiting packets earned per second. Range: 0 through 4294967295 pps. Default: 1000.
icmpv6-rate-limit
(ACX Series, EX Series, M Series, MX Series, PTX Series, QFX Series, SRX Series) Configure rate-limiting parameters for ICMPv6 messages sent.
• Values:
• bucket-size seconds—Number of seconds in the rate-limiting bucket. Range: 0 through 4294967295 seconds. Default: 5.
• packet-rate pps—Rate-limiting packets earned per second. Range: 0 through 4294967295 pps. Default: 1000.
ipip-path-mtu-discovery
(ACX Series, EX Series, Junos Fusion, M Series, MX Series, OCX Series, PTX Series, QFX Series, SRX Series, T Series) Configure path MTU discovery for outgoing IP-IP tunnel connections. By default, path MTU discovery is enabled.
• no-ipip-path-mtu-discovery—Path MTU discovery is disabled.
ipv6-duplicate-addr-detection-transmits
Control the number of attempts for IPv6 duplicate address detection.
• Range: 0 to 20
• Default: 3
ipv6-path-mtu-discovery
(ACX Series, EX Series, Junos Fusion, M Series, MX Series, OCX Series, PTX Series, QFX Series, SRX Series, T Series) Configure path MTU discovery for IPv6 packets. By default, IPv6 path MTU discovery is enabled.
• no-ipv6-path-mtu-discovery—IPv6 path MTU discovery is disabled.
ipv6-path-mtu-discovery-timeout
(ACX Series, EX Series, Junos Fusion, M Series, MX Series, OCX Series, PTX Series, QFX Series, SRX Series, T Series) Set the IPv6 path MTU discovery time-out interval.
• Values:
• minutes—IPv6 path MTU discovery timeout. Default: 10 minutes.
ipv6-reject-zero-hop-limit
Reject incoming IPv6 packets with a zero hop-limit value in their header. This is enabled by default.
• no-ipv6-reject-zero-hop-limit—Allow incoming IPv6 packets with a zero hop-limit value in their header.
no-tcp-reset
Do not send an RST TCP packet (a packet with the reset flag set) in response to a TCP packet received on a non-listening port.
By default, when a TCP packet is received on a non-listening port, a device sends a TCP packet with the RST flag set and drops the connection. This might lead to a security risk. Configuring this statement prevents the sending of RST TCP packets to non-listening ports.
You must configure this statement with one of two options:
• drop-all-tcp—When a TCP segment is received on a closed port, the device drops the packet and does not send back a RST segment. This helps to protect against stealth port scans.
• drop-tcp-with-syn-only—When a TCP packet with a SYN bit is received on a non-listening port, the device drops the packet and does not send back a RST segment, which makes the device appear as a null route. For all other TCP packets, the device sends back a RST segment and does not drop the packet.
no-tcp-rfc1323
Configure the Junos OS to disable RFC 1323 TCP extensions.
no-tcp-rfc1323-paws
Configure the Junos OS to disable the RFC 1323 Protection Against Wrapped Sequence (PAWS) number extension.
path-mtu-discovery
Configure path MTU discovery for outgoing Transmission Control Protocol (TCP) connections. By default, path MTU discovery is enabled.
• no-path-mtu-discovery—Path MTU discovery is disabled.
source-port
Configure the range of port addresses.
• Values:
• upper-limit upper-limit—(Optional) The range of port addresses can be a value from 5000 through 65,355.
source-quench
Configure how the Junos OS handles Internet Control Message Protocol (ICMP) source quench messages. By default, the Junos OS reacts to ICMP source quench messages.
• no-source-quench—Do not react to incoming ICMP source quench messages.
tcp-drop-synfin-set
Configure the device to drop packets that have both the SYN and FIN bits set.
The remaining statements are explained separately. Search for a statement in CLI Explorer or click a linked statement in the Syntax section for details.
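One way to check a configuration against the options above before it is loaded, as an added Python example (not Juniper code). The two configurations are constructed samples in set-command form, and treating a missing tcp-drop-synfin-set or no-tcp-reset as a finding is this example's assumed baseline, not a Juniper requirement.

```python
import shlex

PREFIX = ["set", "system", "internet-options"]
U32_MAX = 4294967295  # upper bound given for bucket-size and packet-rate
NO_TCP_RESET_MODES = {"drop-all-tcp", "drop-tcp-with-syn-only"}
RATE_LIMITS = ("icmpv4-rate-limit", "icmpv6-rate-limit")


def internet_options(config_text):
    """Token lists that follow 'set system internet-options' on each line."""
    found = []
    for line in config_text.splitlines():
        tokens = shlex.split(line)
        if tokens[:3] == PREFIX and len(tokens) > 3:
            found.append(tokens[3:])
    return found


def audit(config_text):
    """Return a list of findings; an empty list means the baseline is met."""
    opts = internet_options(config_text)
    names = {o[0] for o in opts}
    findings = []

    if "tcp-drop-synfin-set" not in names:
        findings.append("tcp-drop-synfin-set: not set, SYN+FIN packets are not dropped")

    resets = [o for o in opts if o[0] == "no-tcp-reset"]
    if not resets:
        findings.append("no-tcp-reset: not set, RST is sent for non-listening ports")
    for o in resets:
        # The statement must carry exactly one of its two options.
        if len(o) != 2 or o[1] not in NO_TCP_RESET_MODES:
            findings.append("no-tcp-reset: needs drop-all-tcp or drop-tcp-with-syn-only")

    if "no-ipv6-reject-zero-hop-limit" in names:
        findings.append("no-ipv6-reject-zero-hop-limit: default rejection is turned off")

    for o in opts:
        if o[0] in RATE_LIMITS:
            # Arguments arrive as keyword/value pairs after the statement name.
            for key, value in zip(o[1::2], o[2::2]):
                if key in ("bucket-size", "packet-rate"):
                    if not (value.isdigit() and int(value) <= U32_MAX):
                        findings.append(f"{o[0]} {key} {value}: outside 0 through {U32_MAX}")
    return findings


# Constructed sample with four problems.
WEAK_CONFIG = """\
set system host-name lab-sw1
set system internet-options no-tcp-reset
set system internet-options no-ipv6-reject-zero-hop-limit
set system internet-options icmpv4-rate-limit packet-rate 5000000000
"""

# Constructed sample that meets the example baseline.
HARDENED_CONFIG = """\
set system host-name lab-sw1
set system internet-options tcp-drop-synfin-set
set system internet-options no-tcp-reset drop-all-tcp
set system internet-options icmpv4-rate-limit bucket-size 5 packet-rate 1000
"""

if __name__ == "__main__":
    for finding in audit(WEAK_CONFIG):
        print("FINDING:", finding)
    print("hardened findings:", audit(HARDENED_CONFIG))
```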
Required Privilege Level
admin—To view this statement in the configuration.
admin-control—To add this statement to the configuration.
Release Information
Statement introduced before Junos OS Release 7.4.
no-tcp-reset introduced in Junos OS Release 9.4.
no-tcp-reset introduced in Junos OS Release 11.1 for SRX Series and vSRX devices.
icmpv4-rate-limit and source-port introduced in Junos OS Release 11.1 for the QFX Series and Junos OS Release 14.1X53-D20 for the OCX Series.
RELATED DOCUMENTATION
Configure ICMP Features
Configure IPv6 Features
Configure Path MTU Discovery
Configure TCP Options
Configuring Junos OS to Extend the Default Port Address Range
Understanding Traffic Processing on Security Devices

lcd-menu

Syntax
EX3200, EX3300, EX4200, or EX4500 switch:
lcd-menu fpc slot-number {
menu-item (menu-name | menu-option) <disable>;
}
EX6200 or EX8200 switch or XRE200 External Routing Engine:
lcd-menu {
menu-item (menu-name | menu-option) <disable>;
}
Hierarchy Level
[edit chassis]
Description
Disable or enable the Maintenance menu or the Status menu in the LCD panel.
Options
none—(EX6200 and EX8200 switches and XRE200 External Routing Engines only) Disable or enable the specified menu or menu options.
fpc slot-number—(EX3200, EX3300, EX4200, and EX4500 switches only) Disable or enable the specified menu or menu options, where slot-number is:
• 0—On standalone switches.
• 0–9—On a device in a Virtual Chassis. The value is the member ID of the device.
NOTE: This option is not available on an EX8200 Virtual Chassis. The LCD panel on an XRE200 External Routing Engine provides information for the XRE200 External Routing Engine only.
disable—(Optional) Disable the specified menu.
The remaining statement is explained separately. See CLI Explorer.
Required Privilege Level
interface—To view this statement in the configuration.
interface-level—To add this statement to the configuration.
Release Information
Statement introduced in Junos OS Release 10.2.
RELATED DOCUMENTATION
Configuring the LCD Panel on EX Series Switches (CLI Procedure)
LCD Panel in EX3200 Switches
LCD Panel in EX3300 Switches
LCD Panel in EX4200 Switches
LCD Panel in EX4500 Switches
LCD Panel in an EX6200 Switch
LCD Panel in an EX8200 Switch
LCD Panel in an XRE200 External Routing Engine
location
Syntax
location {
altitude feet;
building name;
country-code code;
floor number;
hcoord horizontal-coordinate;
lata service-area;
latitude degrees;
longitude degrees;
npa-nxx number;
postal-code postal-code;
rack number;
vcoord vertical-coordinate;
}
Hierarchy Level
[edit system]
Description
Configure the system location.
Options
altitude feet—Number of feet above sea level.
building name—Name of the building. The name of the building can be 1 to 28 characters in length. If the string contains spaces, enclose it in quotation marks (" ").
country-code code—Two-letter country code.
floor number—Floor in the building.
hcoord horizontal-coordinate—Bellcore Horizontal Coordinate.
lata service-area—Long-distance service area.
latitude degrees—Latitude in degree format.
longitude degrees—Longitude in degree format.
npa-nxx number—First six digits of the phone number (area code and exchange).
postal-code postal-code—Postal code.
rack number—Rack number.
vcoord vertical-coordinate—Bellcore Vertical Coordinate.
Required Privilege Level
system—To view this statement in the configuration.
system-control—To add this statement to the configuration.
Release Information
Statement introduced in Junos OS Release 11.1.
RELATED DOCUMENTATION
Specifying the Physical Location of the Switch
location (System)
Syntax
location {
    altitude feet;
    building name;
    country-code code;
    floor number;
    hcoord horizontal-coordinate;
    lata transport-area;
    latitude degrees;
    longitude degrees;
    npa-nxx number;
    postal-code postal-code;
    rack number;
    vcoord vertical-coordinate;
}
Hierarchy Level
[edit system]
Descripon
Congure the system locaon in various formats.
Opons
89
altude
building
country-code
oor
hcoord
lata
latude
longitude
npa-nxx
postal-code
rack
feet
name
number
horizontal-coordinate
transport-area
degrees
degrees
number
number
code
postal-code
Number of feet above sea level.
Name of building. The name of the building can be 1 to 28 characters in length. If the string contains spaces, enclose it in quotaon marks (" ").
Two-leer country code.
Floor in the building.
Bellcore Horizontal Coordinate.
Local Access Transport Area.
Latude in degree format.
Longitude in degree format.
First six digits of the phone number (area code and exchange).
Postal code.
Rack number.
vcoord
vercal-coordinate
Bellcore Vercal Coordinate.
Required Privilege Level
system—To view this statement in the configuration.
system-control—To add this statement to the configuration.
Release Information
Statement introduced before Junos OS Release 7.4.
RELATED DOCUMENTATION
Specifying the Device Physical Location
max-configurations-on-flash
IN THIS SECTION
Syntax
Hierarchy Level
Description
Options
Required Privilege Level
Release Information
Syntax

max-configurations-on-flash number;

Hierarchy Level
[edit system]
Descripon
Specify the number of conguraons stored on the internal xed media storage (for example, USB device).
Opons
91
number
• Range: 0 through 49. The most recently saved conguraon is number 0, and the oldest saved
—The number of conguraons stored on the CompactFlash card.
conguraon is number 49.
Required Privilege Level
system—To view this statement in the configuration.
system-control—To add this statement to the configuration.
Release Information
Statement introduced in Junos OS Release 11.1.
RELATED DOCUMENTATION
Saving a Conguraon to a File
Seng or Deleng the Rescue Conguraon
Uploading a Conguraon File
Uploading a Conguraon File

menu-item

IN THIS SECTION
Syntax
Hierarchy Level
Description