Juniper Troubleshooting Commands

Managing configuration
 
>configure exclusive – to prevent others from modifying the configuration while you are in configuration mode
# status – show users currently logged in
# show | compare (filename | rollback n)
 
#commit | display detail – debug commit
#commit check
#commit comment
#commit confirmed
#commit at [hh:mm | yyyy-mm-dd hh:mm | reboot] – schedule a commit; to cancel:
>clear system [commit | reboot] – cancel the scheduled commit or reboot
 
>show system commit
>show configuration ….
 
 
#load {set}  {merge | replace | override } {relative} [terminal | file] – paste - Ctrl+D to end
 
 
# show | compare (filename | rollback n)
# show |  display set
# show |  display changed
# show |  display detail
# show |  display omit statement
 
Configuration modification commands:
#annotate “xxxxx” – annotate part of configuration
#activate/deactivate
#copy / delete / rename – works with wildcards, e.g. delete fe*
#rename – string in configuration
#replace pattern
#protect / unprotect a statement
 
#exit configuration-mode
#quit
 
>show system rollback 10
>show system rollback compare 10 12
>show system commit
 
 
 
 
System:
 
>show version {detail}
>request system reboot | power-off
 
>file [copy | list | delete | show | rename ]
>show system storage
 
>show chassis hardware detail
>show chassis alarms
>show chassis environment
>show chassis craft-interface – show router LED alarms
 
 
>show configuration | display detail
>show system users – who is logged in to the system
>request system logout user username – forcefully log out a user
>request message all message “log out now”
 
>show system boot-messages – boot log
 
 
 
Logging
 
#set system syslog file messages any info – to save all log messages to file “messages”
 
>show log messages | match LOGIN | match “Mar 16”
>file list detail /var/log = ls -al (to see permissions, etc.)
>clear log messages  - to clear the contents of the messages file
 
>monitor start messages – live monitoring of messages file
>monitor list
>monitor stop – to stop all
 
For more detailed information about a process, under the process level:
#set traceoptions file filename world-readable
#set traceoptions flag all
 
>help syslog – to show information about syslog messages

 

General Monitoring and troubleshooting
 
 
>monitor traffic interface ge-0/0/0
>monitor interface ge-0/0/0
 
>monitor traffic interface ge-0/2/3 matching "proto 89" write-file ospf.cap - matches proto 89 and writes it in ospf.cap
> show security flow session
>show system statistics – all packet types statistics for a device
 
>test policy             
 
Routing
 
 
Troubleshoot OSPF
 
>show route forwarding-table – to see active routes in the forwarding table
>show route protocol ospf
 
>show ospf overview
>show ospf interface
>show ospf neighbor
>show ospf database detail

>show ospf neighbor [extensive]
>clear ospf neighbor [192.168.254.225]

>show ospf statistics

>show ospf interface [extensive]

>show ospf route [abr|asbr|extern]

>show route protocol ospf



>show ospf database [summary|brief]
>show ospf database [router|network|netsummary|asbrsummary|extern|nssa]
>show ospf database router advertising-router 10.0.3.3 detail
>show ospf database router area 0 extensive
>show ospf database area 0 lsa-id extensive
>clear ospf database purge

>show ospf log


*******

 
 
>show bgp summary
>show bgp neighbor 1.1.1.1
>show route advertising-protocol bgp 1.1.1.1
>show route receive-protocol bgp 1.1.1.1
 
 
To find a range of prefixes in the routing table:
>show route 200.10/18

>show route terse  - better routing output
 


Troubleshoot NAT


Source
>show security nat source summary
>show security nat source rule
>show security nat source pool
 
 
Static
   
>show security nat static rule
 
 
Destination
 
>show security nat destination summary
>show security nat destination pool
>show security nat destination rule
 
 
 
>show security flow session
 
 

 
Set Firewall filter to count packets (see further down)



Firewall

>show firewall
>show firewall log
>clear firewall [all|filter-name|counter-name]
>show interfaces filters
>show interfaces policers
>show policer
 
******

Set Firewall Filter to count packets through the SRX:

# show interfaces ge-0/0/0
ge-0/0/0 {
   unit 0 {
      family inet {
         filter {
            input icmp-filter;
         }
         address 1.1.1.1/30; ## This address was already set on the interface
      }
   }
}
 
# show firewall family inet filter icmp-filter
icmp-filter {
   term 1 { ## This is the main term which will count the packets.
      from {
         source-address 3.3.3.3;
         destination-address 1.1.1.1;
         protocol icmp;
      }
      then {
         count icmp-counter; ## The icmp-counter will show the bytes/packets incrementing
         accept; ## This will accept the packets if you don't want them to be dropped. You can use "discard" or "reject" and/or "log" here.
      }
   }
   term default { ## This term will ensure that the other traffic is not affected.
      accept;
   }
}
 
The firewall filter statistics can then be checked with:
>show firewall filter icmp-filter

Counter                         Bytes          Packets
icmp-counter                    84             1

Packet Flow

 Monitor traffic targeting the interface (useful for ping, ssh, etc.)
>monitor traffic interface 

 Display live sessions:
 >show security flow session [destination-port|destination-prefix|source-port|source-prefix]  [extensive|brief|summary]


Create packet filter and capture packets:

http://kb.juniper.net/InfoCenter/index?page=content&id=KB11709

# edit forwarding-options packet-capture
# set file filename testpacketcapture
# set maximum-capture-size 1500

# set firewall filter PCAP term 1 from source-address 10.209.144.32
# set firewall filter PCAP term 1 from destination-address 10.204.115.166 
# set firewall filter PCAP term 1 then sample 
# set firewall filter PCAP term 1 then accept 
# set firewall filter PCAP term 2 from source-address 10.204.115.166
# set firewall filter PCAP term 2 from destination-address 10.209.144.32
# set firewall filter PCAP term 2 then sample 
# set firewall filter PCAP term 2 then accept 
# set firewall filter PCAP term allow-all-else then accept 


Apply the firewall filter on the desired interface for the input and output direction:
 
# set interfaces ge-0/0/0 unit 0 family inet filter output PCAP
# set interfaces ge-0/0/0 unit 0 family inet filter input PCAP
 
File can be found in /var/tmp and opened with Wireshark
> file list /var/tmp/ | match testpacketcapture* 
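
Both filters above (icmp-filter and PCAP) only stay transparent to other traffic because they end in an unconditional accept term; without it, unmatched packets hit the implicit discard at the end of a Junos firewall filter. The following check for that, run over "display set" lines before the filter is applied to an interface, is an added example and not part of the original page or Juniper's tooling. It assumes the set lines appear in term evaluation order; the filter name BROKEN is hypothetical.

```python
import re

# Constructed sample in "display set" form: the PCAP filter from this page
# (abridged) plus a hypothetical filter BROKEN with no catch-all term.
SAMPLE = """\
set firewall filter PCAP term 1 from source-address 10.209.144.32
set firewall filter PCAP term 1 from destination-address 10.204.115.166
set firewall filter PCAP term 1 then sample
set firewall filter PCAP term 1 then accept
set firewall filter PCAP term allow-all-else then accept
set firewall filter BROKEN term 1 from protocol icmp
set firewall filter BROKEN term 1 then count icmp-counter
set firewall filter BROKEN term 1 then accept
"""

# Accepts an optional leading "#" prompt and an optional "family inet" level.
LINE = re.compile(r"^#?\s*set firewall (?:family inet )?filter (\S+) "
                  r"term (\S+) (from|then) (.+)$")

def parse_filters(text):
    """Return {filter: {term: {"from": [...], "then": [...]}}} in input order."""
    filters = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            name, term, kind, rest = m.groups()
            entry = filters.setdefault(name, {}).setdefault(
                term, {"from": [], "then": []})
            entry[kind].append(rest)
    return filters

def lint(text):
    """List (filter, problem) pairs for filters that would affect other traffic."""
    findings = []
    for name, terms in parse_filters(text).items():
        last_name, last = list(terms.items())[-1]
        if last["from"]:
            # A conditional last term leaves unmatched packets to the
            # implicit discard at the end of every Junos firewall filter.
            findings.append((name, f"last term '{last_name}' is conditional"))
        elif any(a.split()[0] in ("discard", "reject") for a in last["then"]):
            findings.append((name, f"last term '{last_name}' drops traffic"))
    return findings

if __name__ == "__main__":
    for name, problem in lint(SAMPLE):
        print(f"{name}: {problem}")
```
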
 
 

***********
Tips
 
>set cli timestamp
#set chassis alarm management-ethernet link-down ignore
> show interfaces | match "(^Physical.* ge-)|(^Physical.*Up$)"
> show version and haiku
Ctrl+R: search history of previous command
Use # at the beginning of a line in a script to cause the rest of the line to be ignored.
Use the save CLI pipe to save output to a local or remote file.
Type 'b' at the more prompt to go backwards one page.
Type '/' at the more prompt to search for a string in the rest of the output.
In configuration mode, type rollback ? to see when previous configurations were committed, and by whom.
In configuration mode, the status command displays who is editing the configuration and where in the hierarchy they are working.
In configuration mode, the delete command with no arguments will delete the entire configuration hierarchy under the current location.
>show cli history 
>help tip cli
To move interface configuration: replace pattern ge-0/0/0 with ge-0/1/0
# wildcard delete interfaces ge-0/0/[2-3]
 
Junos software contains default configurations in a hidden group named junos-defaults. To see them, use the show configuration groups junos-defaults command
>test policy policy_name 1.1.1.1/12 – run a route through a policy


To see changes from a particular commit in the past:

>show system commit - identify the change you want to see (e.g. 2), and then
>show system rollback compare 3 4 
 
 