Juniper configuration recommendations/BCP

Sebastian Wiesinger sebastian at karotte.org
Wed Oct 21 13:35:13 UTC 2020


* Forrest Christian (List Account) <lists at packetflux.com> [2020-10-08 11:39]:
> I've done a bit of googling and am either finding stuff that is largely
> Cisco-specific or which is generic - all of which I'm rather familiar with
> based on my past history. Is there anything I should worry about which is
> Juniper-specific?

Some things that come to mind:

* Juniper has a default ARP policer that is _shared_ between all
interfaces. This will bite you if you attach the box to a large L2
segment (*cough* DE-CIX *cough*). So you should either:
 - configure a non-shared policer:
    set firewall policer my-arp-policer if-exceeding ....
    set interface xe-0/0/0.0 family inet policer arp my-arp-policer

 - disable the default ARP policer for the interface (this is not recommended
   and a hidden command)
    set interface xe-0/0/0.0 family inet policer disable-arp-policer


* If you do Aggregated Ethernet (Port-Channel interfaces) you need to
  reserve resources for the ae interface by declaring:
    set chassis aggregated-devices ethernet device-count X
  "device-count 3" would give you ae0 to ae2 as possible interfaces


* For all modern MX boxes you should normally set network-services
  mode to enhanced-ip (this requires a reboot of the box):
   set chassis network-services enhanced-ip

* Groups (set groups some-group ... / set <some config hierarchy> apply-group some-group)
  are your friend

  Want to see stuff that gets applied to the config through groups?
   show <some config hierarchy> | display inheritance
   (add "no-comments" for just the config without additional information)

* It is kind of hard sometimes to figure out the right encapsulation /
  vlan-tagging config for an interface. For most flexible use of a
  port (this might differ depending on your configuration) on MX you
  can use:
   set interface xe-0/0/0 encapsulation flexible-ethernet-services
   set interface xe-0/0/0 flexible-vlan-tagging

* Physical interface MTU for Juniper includes Ethernet overhead
  (standard MTU is 1514, 1518 with VLAN tag). So basically, coming from
  Cisco, it's Cisco-MTU+14. You can configure a separate MTU per
  protocol family (set interface ... family inet mtu 1500). Handy for
  OSPF and co.

* You need to enable every protocol family on an interface that you
  wish to accept. So for example if you want to do IPv4(OSPF) + IPv6(ISIS) + MPLS
  (with LDP) you need on the interface:

   set interface .. family inet ...
   set interface .. family inet6 ...
   set interface .. family iso
   set interface .. family mpls

  After that you need to enable the interface separately under the
  relevant protocols (set protocols mpls interface ..., set protocols
  ldp interface ...)

  Yes, this is a bit much but I always try to remember that the first
  part enables the receiving of the protocol packets on the interface
  and the second part enables the processing of the received packets.

* I love that Juniper shows you all routes for a destination, so if a
  destination is reachable via BGP, OSPF and direct route a 'show
  route <prefix>' will show that information for all protocols. The
  active route is marked with a star. Routes that are hidden (for
  example BGP routes that are rejected by import filters) can be shown
  by 'show route hidden'.

* You can set standard BGP parameters for the whole box under
  'routing-options':

    set routing-options router-id 1.2.3.4
    set routing-options route-distinguisher-id 1.2.3.4
    set routing-options autonomous-system 65500

* You need to enable ECMP by binding a filter to the forwarding-table:
   set policy-options policy-statement ecmp term 10-ecmp then load-balance per-packet
   set routing-options forwarding-table export ecmp

  (Yes, per-packet means per-flow ECMP, don't ask)

* Sometimes if you change config and don't see a change in behaviour a
  'commit full' will fix the problem (this shouldn't be necessary
  normally).

* Some global BGP settings I would use:
   set protocols bgp precision-timers (Helps with very low BGP timers to avoid timeouts)
   set protocols bgp log-updown
   set protocols bgp always-compare-med (Depends on your routing policy)

* Want to look under the hood? Go to the linecard:
   > start shell pfe network fpcX (fpc0 only for MX204)
  Danger Zone: There are many commands on the linecard that can mess
  stuff up. I even managed to crash stuff with some 'show ..' commands
  there.

* Change things and want to apply them later? Save and load the patch
  later:
    <change stuff in config>
    # show | diff | tee patch.txt
    # rollback
    # exit
    <time goes by>
    # configure
    # load patch patch.txt
    # commit


Sebastian


-- 
GPG Key: 0x58A2D94A93A0B9CE (F4F6 B1A3 866B 26E9 450A  9D82 58A2 D94A 93A0 B9CE)
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
            -- Terry Pratchett, The Fifth Elephant
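Added example (not part of the original post): a small audit script that reads a Junos set-format config and flags three of the pitfalls listed above, namely family inet units still on the shared default ARP policer, ae interfaces outside the declared device-count, and protocol stanzas bound to an interface whose matching family is not enabled. The sample config, the policer name and the ae/interface names are constructed for illustration.

```python
"""Lint a Junos 'set'-format config for three pitfalls from the post: the shared
default ARP policer, ae device-count, and protocol families on interfaces.
Added example, not from the original post; the sample config is constructed."""
import re

# Constructed sample: xe-0/0/1 lacks an ARP policer, ae3 exceeds device-count 2,
# and protocols mpls is bound to an interface that has no family mpls.
SAMPLE_CONFIG = """
set chassis aggregated-devices ethernet device-count 2
set firewall policer my-arp-policer if-exceeding bandwidth-limit 1m burst-size-limit 15k
set firewall policer my-arp-policer then discard
set interfaces xe-0/0/0 unit 0 family inet address 192.0.2.1/24
set interfaces xe-0/0/0 unit 0 family inet policer arp my-arp-policer
set interfaces xe-0/0/1 unit 0 family inet address 198.51.100.1/31
set interfaces ae0 unit 0 family inet address 203.0.113.1/31
set interfaces ae0 unit 0 family inet policer arp my-arp-policer
set interfaces ae3 unit 0 family inet address 203.0.113.3/31
set interfaces ae3 unit 0 family inet policer arp my-arp-policer
set protocols mpls interface xe-0/0/0.0
"""

# Interface family each protocol stanza needs enabled on the interface itself.
PROTO_FAMILY = {"ospf": "inet", "ospf3": "inet6", "isis": "iso", "mpls": "mpls", "ldp": "mpls"}


def audit(config: str) -> list:
    """Return one human-readable finding per detected problem."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    findings = []

    # 1. A 'family inet' unit without its own 'policer arp' shares the box-wide default policer.
    inet = {m[1] for l in lines if (m := re.match(r"set interfaces (\S+ unit \d+) family inet\b", l))}
    policed = {m[1] for l in lines if (m := re.match(r"set interfaces (\S+ unit \d+) family inet policer arp ", l))}
    findings += [f"{u}: family inet relies on the shared default ARP policer" for u in sorted(inet - policed)]

    # 2. aeN only exists when device-count is at least N+1.
    count = next((int(m[1]) for l in lines
                  if (m := re.match(r"set chassis aggregated-devices ethernet device-count (\d+)", l))), 0)
    ae_ids = {int(m[1]) for l in lines if (m := re.match(r"set interfaces ae(\d+) ", l))}
    findings += [f"ae{n}: not covered by aggregated-devices device-count {count}" for n in sorted(ae_ids) if n >= count]

    # 3. A protocol bound to ifd.unit needs the matching family enabled under that unit.
    for l in lines:
        m = re.match(r"set protocols (\S+) interface (\S+)\.(\d+)$", l)
        if not m or m[1] not in PROTO_FAMILY:
            continue
        proto, ifd, unit, fam = m[1], m[2], m[3], PROTO_FAMILY[m[1]]
        if not any(re.match(rf"set interfaces {re.escape(ifd)} unit {unit} family {fam}\b", x) for x in lines):
            findings.append(f"{ifd} unit {unit}: protocols {proto} configured but family {fam} not enabled")
    return findings
```

Run `audit()` over the output of `show configuration | display set` saved to a file; an empty list means none of the three checks fired.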


More information about the NANOG mailing list