Juniper configuration recommendations/BCP
Sebastian Wiesinger
sebastian at karotte.org
Wed Oct 21 13:35:13 UTC 2020
* Forrest Christian (List Account) <lists at packetflux.com> [2020-10-08 11:39]:
> I've done a bit of googling and am either finding stuff that is largely
> Cisco-specific or which is generic - all of which I'm rather familiar with
> based on my past history. Is there anything I should worry about which is
> Juniper-specific?
Some things that come to mind:
* Juniper has a default ARP policer that is _shared_ between all
interfaces. This will bite you if you attach the box to a large L2
segment (*cough* DE-CIX *cough*). So you should either:
- configure a non-shared policer:
set firewall policer my-arp-policer if-exceeding ....
set interface xe-0/0/0.0 family inet policer arp my-arp-policer
- disable default ARP policer for the interface (this is not recommended
and a hidden command)
set interface xe-0/0/0.0 family inet policer disable-arp-policer
* If you do Aggregated Ethernet (Port-Channel interfaces) you need to
reserve resources for the ae interface by declaring:
set chassis aggregated-devices ethernet device-count X
"device-count 3" would give you ae0 to ae2 as possible interfaces
* For all modern MX boxes you should normally set network-services
mode to enhanced-ip (this requires a reboot of the box):
set chassis network-services enhanced-ip
* Groups (set groups some-group ... / set <some config hierarchy> apply-group some-group)
are your friend
Want to see stuff that gets applied to the config through groups?
show <some config hierarchy> | display inheritance
(add "no-comments" for just the config without additional information)
* It is kind of hard sometimes to figure out the right encapsulation /
vlan-tagging config for an interface. For most flexible use of a
port (this might differ depending on your configuration) on MX you
can use:
set interface xe-0/0/0 encapsulation flexible-ethernet-services
set interface xe-0/0/0 flexible-vlan-tagging
* Physical interface MTU for Juniper includes Ethernet overhead
(standard MTU is 1514, 1518 with VLAN tag). So basically coming from
Cisco it's Cisco-MTU+14. You can configure a separate MTU per
protocol family (set interface ... family inet mtu 1500). Handy for
OSPF and co.
* You need to enable every protocol family on an interface that you
wish to accept. So for example if you want to do IPv4(OSPF) + IPv6(ISIS) + MPLS
(with LDP) you need on the interface:
set interface .. family inet ...
set interface .. family inet6 ...
set interface .. family iso
set interface .. family mpls
After that you need to enable the interface separately under the
relevant protocols (set protocol mpls interface ..., set protocols
ldp interface ...)
Yes, this is a bit much but I always try to remember that the first
part enables the receiving of the protocol packets on the interface
and the second part enables the processing of the received packets.
* I love that Juniper shows you all routes for a destination, so if a
destination is reachable via BGP, OSPF and direct route a 'show
route <prefix>' will show that information for all protocols. The
active route is marked with a star. Routes that are hidden (for
example BGP routes that are rejected by import filters) can be shown
by 'show route hidden'.
* You can set standard BGP parameters for the whole box under
'routing-options':
set routing-options router-id 1.2.3.4
set routing-options route-distinguisher-id 1.2.3.4
set routing-options autonomous-system 65500
* You need to enable ECMP by binding a filter to the forwarding-table:
set policy-options policy-statement ecmp term 10-ecmp then load-balance per-packet
set routing-options forwarding-table export ecmp
(Yes, per-packet means per-flow ECMP, don't ask)
* Sometimes if you change config and don't see a change in behaviour a
'commit full' will fix the problem (this shouldn't be necessary
normally).
* Some global BGP settings I would use:
set protocols bgp precision-timers (Helps with very low BGP timers to avoid timeouts)
set protocols bgp log-updown
set protocols bgp always-compare-med (Depends on your routing policy)
* Want to look under the hood? Go to the linecard:
> start shell pfe network fpcX (fpc0 only for MX204)
Danger Zone: There are many commands on the linecard that can mess
stuff up. I even managed to crash stuff with some 'show ..' commands
there.
* Change things and want to apply it later? Save and load the patch
later:
<change stuff in config>
# show | diff | tee patch.txt
# rollback
# exit
<time goes by>
# configure
# load patch patch.txt
# commit
Sebastian
--
GPG Key: 0x58A2D94A93A0B9CE (F4F6 B1A3 866B 26E9 450A 9D82 58A2 D94A 93A0 B9CE)
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
-- Terry Pratchett, The Fifth Elephant
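As an added example that is not part of Sebastian's mail: a small Python audit, assumed to run over `show configuration | display set` output, that flags two of the pitfalls above, an IFL with family inet that is still on the shared default ARP policer, and an interface listed under a protocol stanza without the family that stanza needs. The interface names, addresses and policer name in the sample are constructed.

```python
import re
from collections import defaultdict

# Protocol stanza -> family the IFL must carry first (the post's two-step rule).
REQUIRED_FAMILY = {"ospf": "inet", "isis": "iso", "mpls": "mpls", "ldp": "mpls"}
FAMILY_RE = re.compile(r"^set interfaces (\S+) unit (\d+) family (\S+)")
ARP_RE = re.compile(r"^set interfaces (\S+) unit (\d+) family inet policer "
                    r"(?:arp \S+|disable-arp-policer)$")
PROTO_RE = re.compile(r"^set protocols (ospf|isis|mpls|ldp) (?:area \S+ )?interface (\S+)")


def audit(config_text):
    """Return sorted findings for a 'show configuration | display set' dump."""
    families = defaultdict(set)  # "xe-0/0/0.0" -> {"inet", "mpls", ...}
    arp_handled = set()          # IFLs with their own (non-shared) ARP policer
    proto_ifaces = set()         # (protocol stanza, IFL) pairs
    for line in config_text.splitlines():
        line = line.strip()
        if m := FAMILY_RE.match(line):
            families[f"{m[1]}.{m[2]}"].add(m[3])
        if m := ARP_RE.match(line):
            arp_handled.add(f"{m[1]}.{m[2]}")
        if m := PROTO_RE.match(line):
            proto_ifaces.add((m[1], m[2]))
    findings = []
    for ifl, fams in families.items():
        # Loopbacks never ARP, so only physical/aggregated IFLs are checked.
        if "inet" in fams and ifl not in arp_handled and not ifl.startswith("lo"):
            findings.append(f"{ifl}: family inet relies on the shared default ARP policer")
    for proto, ifl in proto_ifaces:
        need = REQUIRED_FAMILY[proto]
        if need not in families.get(ifl, set()):
            findings.append(f"{ifl}: protocols {proto} lists it but family {need} is missing")
    return sorted(findings)


# Constructed sample: xe-0/0/0.0 follows the post's advice, xe-0/0/1.0 does not.
SAMPLE = """
set interfaces xe-0/0/0 unit 0 family inet address 192.0.2.1/24
set interfaces xe-0/0/0 unit 0 family inet policer arp my-arp-policer
set interfaces xe-0/0/0 unit 0 family iso
set interfaces xe-0/0/0 unit 0 family mpls
set interfaces xe-0/0/1 unit 0 family inet address 192.0.2.5/30
set protocols ospf area 0.0.0.0 interface xe-0/0/0.0
set protocols isis interface xe-0/0/0.0
set protocols mpls interface xe-0/0/0.0
set protocols ldp interface xe-0/0/1.0
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "no findings")
```

The hidden `disable-arp-policer` knob from the mail is treated the same as a per-interface policer, since either way the interface no longer depends on the shared default.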