Juniper and Cisco Wiring Examples for Virtual Chassis

Just a handy note for Juniper EX Series switches: the cable layout for the virtual chassis link is HERE. I can confirm this method works for the EX4300, as there is no documentation for the EX4300. Options 1 and 2 are what I would stick with. Option 3 I would never use, and I can see no reason for it.

Option 1

Option 2

Cisco 3750s are commonly the switches I set up. HERE is the reference I use, which I have applied to 2960Xs as well. Cisco pretty much have similar options to Juniper; for both I stick with Port 1 SW01 to Port 2 SW02 and Port 1 SW02 to Port 2 SW01.

Stacking Guide

SSH Juniper EX series issue

So I recently experienced a switch which lost power and was not gracefully shut down.

After the switch came back up SSH stopped working. I had to console on to the switch to gain access.

Deleting SSH and re-adding it did not resolve any of the issues.

The following article HERE saved me when I discovered the following in the logs (below); researching this led me to the article (4th line support Google)….

sshd 9299 - - fatal: Missing privilege separation directory: /var/empty

The following commands resolved the issue. Please note you will need to be logged in as root.

start shell
ls /var/empty
mkdir /var/empty
chown root:wheel /var/empty
chmod 555 /var/empty
ps aux | grep sshd

If sshd is already running, run ‘kill -HUP <PID of SSHD>’ without quotes, where ‘PID’ is the process ID of sshd.

Under shell you can use the following command to see the process and the PID of sshd.

top 

If sshd is not running, use the following command to start it under shell.

/usr/sbin/sshd
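sshd refuses to start unless its privilege separation directory exists, is owned by root and is not group- or world-writable, so the result of the fix above can be checked the same way. This is an added example, not part of the original post; the function name `check_privsep_dir`, its return codes and the optional expected-uid argument are made up for illustration.

```shell
#!/bin/sh
# Added example: verify sshd's privilege separation directory.
# check_privsep_dir DIR [EXPECTED_UID]   (name and return codes are illustrative)
#   0 = ok, 1 = missing, 2 = wrong owner, 3 = group/world-writable, 4 = not empty
check_privsep_dir() {
    dir=$1
    want_uid=${2:-0}    # sshd insists on uid 0; the override exists for testing

    if [ ! -d "$dir" ]; then
        echo "FAIL: $dir is missing (sshd: 'Missing privilege separation directory')"
        return 1
    fi

    # 'ls -ldn' behaves the same on FreeBSD-based Junos and on Linux:
    # field 1 is the mode string, field 3 the numeric owner.
    set -- $(ls -ldn "$dir")
    mode=$1
    uid=$3

    if [ "$uid" != "$want_uid" ]; then
        echo "FAIL: $dir owned by uid $uid, expected $want_uid"
        return 2
    fi

    # Character 6 of the mode string is group-write, character 9 is other-write.
    case $mode in
        ?????w*|????????w*)
            echo "FAIL: $dir is group- or world-writable ($mode)"
            return 3 ;;
    esac

    # The chroot should hold no files an unprivileged sshd child could use.
    if [ -n "$(ls -A "$dir")" ]; then
        echo "FAIL: $dir is not empty"
        return 4
    fi

    echo "OK: $dir ($mode, uid $uid)"
    return 0
}

# On the switch, as root:  check_privsep_dir /var/empty
```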


SRX IPsec VPN poor throughput

I recently came up against an issue of slow throughput on an IPsec VPN between two SRX220s. The SRX220 is capable of around 100Mbps according to the spec sheet, with an IPsec VPN.

The issue I was seeing was around 25Mbps over the VPN. The connection between the two SRXs is just a L2VPN interconnect, so I wouldn’t have thought this to be the issue. If it was a 3rd party Ethernet or ADSL, it would have led me more down the path of checking connectivity.

Further investigation led me to find out from the customer that on the end of the SRXs are 2x SANs with MTU 9000. This led me to finding out that the VPN on the SRX is capable of MTU 1350. So the packets are being fragmented, causing the lower throughput of the VPN.

With the following article LINK

Setting the following two commands on both SRXs resolved the issue. It did take a while to take effect, so I would suggest applying and checking the next day to see any improvement.

set security flow tcp-session no-sequence-check
set security flow tcp-mss ipsec-vpn mss 1350


Cisco Interface IP Obtained from DHCP

Normally on VLANs and interfaces, I’m used to setting static IPs. I had a situation where I had to have a WAN interface obtain an IP address from DHCP and it could not be static.

Here’s how to do it.

!
interface Vlan1
 description ***WAN INTERFACE***
 ip address dhcp
!

Simple as that. Yeah, I was unaware that I also had to change the default route.

from this

ip route 0.0.0.0 0.0.0.0 Vlan1

to this

ip route 0.0.0.0 0.0.0.0 Vlan1 dhcp

If you have an access list on the VLAN, ensure you allow DHCP through on this. The same goes for an interface if it is a Layer 3 interface.


Juniper – Show interface stats

Stumbled across a useful command for Juniper devices which will display all interfaces and any part of the info you wish from the interface statistics.

run show interfaces "[gfx]e-*" media detail | grep "(physical|crc)"

The part in red can be changed to output different fields, so you can change this to speed to show all interfaces and their speeds. You can add it with a | at the end to display both CRC and speed.

run show interfaces "[gfx]e-*" media detail | grep "(physical|crc|speed)"

An example of the output is below.

root@SW-01# run show interfaces "[gfx]e-*" media detail | grep "(physical|crc)"
Physical interface: ge-0/0/0, Enabled, Physical link is Up
CRC/Align errors                       557                0
Physical interface: ge-0/0/1, Enabled, Physical link is Up
CRC/Align errors                         0                0
Physical interface: ge-0/0/2, Enabled, Physical link is Up
CRC/Align errors                         0                0
Physical interface: ge-0/0/3, Enabled, Physical link is Up
CRC/Align errors                         0                0
Physical interface: ge-0/0/4, Enabled, Physical link is Up
CRC/Align errors                         0                0
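On a switch with many ports the useful lines are the few with a non-zero counter, so the filtered output above can be reduced to just those interfaces. This is an added example, not part of the original post; `crc_report` and `sample_output` are hypothetical names, and it assumes the two numeric columns are the receive and transmit counts.

```shell
#!/bin/sh
# Added example: flag interfaces with CRC/Align errors.
# crc_report [THRESHOLD] reads the filtered CLI output on stdin and prints one
# line per interface whose receive + transmit CRC count exceeds THRESHOLD.
crc_report() {
    awk -v limit="${1:-0}" '
        /Physical interface:/ {
            ifname = $3
            sub(/,$/, "", ifname)        # "ge-0/0/0," -> "ge-0/0/0"
            link = $NF                   # "Up" or "Down"
            next
        }
        /CRC\/Align errors/ {
            rx = $(NF - 1)               # assumed: receive column
            tx = $NF                     # assumed: transmit column
            if (rx + tx > limit) {
                printf "%s link=%s crc_rx=%d crc_tx=%d\n", ifname, link, rx, tx
            }
        }'
}

# Constructed sample: the first two interfaces from the output shown above.
sample_output() {
    cat <<'EOF'
Physical interface: ge-0/0/0, Enabled, Physical link is Up
CRC/Align errors                       557                0
Physical interface: ge-0/0/1, Enabled, Physical link is Up
CRC/Align errors                         0                0
EOF
}

sample_output | crc_report    # -> ge-0/0/0 link=Up crc_rx=557 crc_tx=0
```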

 

Cisco default interface

Need to wipe a config from an interface? A quick and simple way is to use the default command.

rtr#conf t
rtr(config)#default interface GigabitEthernet0/0 
Building configuration...

Interface GigabitEthernet0/0 set to default configuration

Use sh run to confirm that all the configuration under this interface has been removed.

Note: you do not have to go into the interface to clear the config from the interface.

 

 

Cisco 887 Web Access (quick and dirty!)

The quickest way to get web access to a c887 out of the box.

Connect a console cable to the console port and issue the following commands.

 conf t
 int vlan 1
 ip address 192.168.1.2 255.255.255.0
 exit
 ! "secret" stores a hash; "password 7" only accepts an already-encrypted string
 username "name" secret "password"
 ip http server
 ip http authentication local

Set the IP on the laptop to 192.168.1.1 255.255.255.0

Browse to 192.168.1.2

Log in with the username set above.


Juniper SRX210 JUNOS Update

First time doing this; I have not yet had the chance to issue the firmware update, so I will update this again to add anything extra if needed.

Juniper do make it much easier to update their firmware than Cisco.

This is presuming the SRX210 is set up already and can be remotely accessed. (I will add an out-of-the-box firmware update later on.)

##WinSCP is a great tool for connecting via SSH to Linux and other devices such as the SRX210.

WinSCP to SRX 210

Log in to SRX 210 as ROOT

##Copy the latest recommended firmware for the SRX to the following folder…

cf/var/tmp

##Check firmware has been added by running the following command…

file list /var/tmp/

##Once completed and ready to install, run the following command

request system software add /var/tmp/junos-srxsme-11.4R5.5-domestic.tgz

##Once the message appears requesting a restart, issue the following command

request system reboot

Cisco 877 & 887-VA Router Firmware Updates

A daily task before configuring any router is ensuring the router is fully up to date with ADSL firmware, especially with the known issues of BT and CISCO.

Connect a laptop to the router on any of the ports from 0-3 and set an IP address on the laptop, something like 192.168.1.1 255.255.255.0; no need for a gateway.

You will need a TFTP program to copy the firmware across; tftpd32 is what I use.

On the laptop, drop the firmware within the root of the tftpd32 program or set a location within the program. The firmware can be downloaded from Cisco’s site for the 877 or 887-VA.

Once you have this set up, you need to issue the following commands on the router to update the firmware. Updating an 877 and an 887 are different, so I have put both guides in below.

Cisco 877

##Set an IP address on VLAN 1

ADSL-R1#conf t
ADSL-R1(config)#int vlan 1
ADSL-R1(config-if)#ip address 192.168.1.2 255.255.255.0
ADSL-R1(config-if)#shut
ADSL-R1(config-if)#no shut
ADSL-R1(config-if)#end

##Check VLAN 1 is up by issuing the following command

ADSL-R1#sh ip int brief

##Ping the laptop to prove you have connectivity

ADSL-R1#ping 192.168.1.1

##If you get a response you are ready to copy the firmware from the laptop.

ADSL-R1#copy tftp: flash:
Address or name of remote host []? 192.168.1.1
Source filename []? adsl_alc_20190.bin <-- this is the name of the firmware
Destination filename [adsl_alc_20190.bin]?
Accessing tftp://192.168.1.1/adsl_alc_20190.bin...

##Once copied you can issue the following command to check it is on the router.

ADSL-R1#sh flash

##You should see the firmware

##Issue the following command to ensure it is set to use that firmware at boot.

ADSL-R1(config)#boot system flash adsl_alc_20190.bin

##Save & Restart the router

ADSL-R1#wr
ADSL-R1#reload
ADSL-R1#sh dsl int atm 0

##This should show the new firmware after the router has been restarted and show it as not embedded any more.

———————————————————————————————————————————————————————–

Cisco 887-VA

##Set an IP address on VLAN 1

ADSL-R1#conf t
ADSL-R1(config)#int vlan 1
ADSL-R1(config-if)#ip address 192.168.1.2 255.255.255.0
ADSL-R1(config-if)#shut
ADSL-R1(config-if)#no shut
ADSL-R1(config-if)#end

##Check VLAN 1 is up by issuing the following command

ADSL-R1#sh ip int brief

##Ping the laptop to prove you have connectivity

ADSL-R1#ping 192.168.1.1

##If you get a response you are ready to copy the firmware from the laptop.

ADSL-R1#copy tftp: flash:
Address or name of remote host []? 192.168.1.1
Source filename []? vdsl.bin <-- this is the name of the firmware
Destination filename [vdsl.bin]?
Accessing tftp://192.168.1.1/vdsl.bin...

##Once copied you can issue the following command to check it is on the router.

ADSL-R1#sh flash

##You should see the firmware. Now you have to change the file that the VDSL controller uses.

ADSL-R1#conf t
ADSL-R1(config)#controller vdsl 0
ADSL-R1(config-controller)#firmware filename flash:vdsl.bin
ADSL-R1(config-controller)#shut

##Give it a minute

ADSL-R1(config-controller)#no shut
ADSL-R1(config-controller)#end
ADSL-R1#wr

##Issue the following command to check it has applied. The highlighted section shows the updated firmware; no need to reload the router.

ADSL-R1#sh controllers vdsl 0
Controller VDSL 0 is UP
Daemon Status: Up
XTU-R (DS) XTU-C (US)
 Chip Vendor ID: 'BDCM' 'TSTC'
 Chip Vendor Specific: 0x0000 0x0510
 Chip Vendor Country: 0xB500 0xB500
 Modem Vendor ID: 'CSCO' ' '
 Modem Vendor Specific: 0x4602 0x0000
 Modem Vendor Country: 0xB500 0x0000
 Serial Number Near: FGL1636276T 887VA-K9 15.1(4)M
 Serial Number Far: 00000000000000000000000000000000
 Modem Version Near: 15.1(4)M
 Modem Version Far: 0x0510
Modem Status: TC Sync (Showtime!)
 DSL Config Mode: AUTO
 Trained Mode: G.992.5 (ADSL2+) Annex A
 TC Mode: ATM
 Selftest Result: 0x00
 DELT configuration: disabled
 DELT state: not running
 Trellis: ON ON
 Line Attenuation: 56.5 dB 31.3 dB
 Signal Attenuation: 60.8 dB 0.0 dB
 Noise Margin: 7.3 dB 7.1 dB
 Attainable Rate: 4576 kbits/s 936 kbits/s
 Actual Power: 18.0 dBm 12.0 dBm
 Total FECS: 0 0
 Total ES: 117126 1902
 Total SES: 713 0
 Total LOSS: 0 0
 Total UAS: 30 30
 Total LPRS: 0 0
 Total LOFS: 0 0
 Total LOLS: 0 0
 Bit swap: 6853 1160
Full inits: 1
 Failed full inits: 0
 Short inits: 0
 Failed short inits: 0
Firmware Source File Name (version)
 -------- ------ -------------------
 VDSL user config flash:vdsl.bin-A2pv6C035j1 (10)
Modem FW Version: 120330_1738-4.02L.03.A2pv6C035j0.d23j
 Modem PHY Version: A2pv6C035j0.d23j
 DS Channel1 DS Channel0 US Channel1 US Channel0
 Speed (kbps): 0 3895 0 704
 Previous Speed: 0 0 0 0
 Total Cells: 0 2593180214 0 3934970443
 User Cells: 0 443676444 0 270164147
 Reed-Solomon EC: 0 0 0 0
 CRC Errors: 0 174408 0 2058
 Header Errors: 0 377211 0 720
 Interleave (ms): 0.00 0.24 0.00 1.00
 Actual INP: 0.00 0.00 0.00 0.00
Training Log : Stopped
 Training Log Filename : flash:vdsllog.bin