Juniper Cheatsheet

Just a few items I’ve found useful. I’ve noted them here for future reference/reminder.

Commit Confirm
Nothing is more comforting than the commit confirm feature, especially when working remotely. I make a habit of using this feature when working with distant devices.
The feature is simple: the commit is applied to the running configuration for a period of time (10 minutes by default) and then automatically rolled back when that period elapses, unless a second commit lands inside the window to make the change permanent. In other words, apply your changes; if you goofed and cut yourself off, the device reverts them for you.

commit confirmed 15
configuration check succeeds
commit confirmed will be automatically rolled back in 15 minutes unless confirmed
commit complete
# commit confirmed will be rolled back in 15 minutes

You can view how much time is remaining before the rollback fires:

show system commit
# commit confirmed will be rolled back in 9 minutes

Lock in the config with a plain commit before the timer expires. Note that "commit check" only validates the candidate configuration; it does not confirm anything, and the rollback will still happen.

commit

Disable management link monitoring
In some scenarios it doesn’t make sense to have the management port connected.
This triggers the angry little amber light of doom.

set chassis alarm management-ethernet link-down ignore

All is good in the world again.

Output the configuration as input
Using the following, you can dump the configuration in "set" form, which can be pasted straight back in as input on the same or another device. Be aware that the dump carries the configuration's secrets with it (the $9$ obfuscated strings and the $1$/$6$ password hashes), so handle it with the same care as the credentials themselves.

show configuration | no-more | display set

Version Control
You can add some configuration under [edit system archival] to upload a copy of the configuration each time it is committed. The archive site is an scp:// (or ftp://) URL of the form scp://user@host:/path, with the password for that account stored in the configuration itself.

configuration {
    transfer-on-commit;
    archive-sites {
        "scp://[email protected]:/home/switch-configs" password "123456789";
    }
}

Junos stores that password as a $9$ string, which is obfuscation rather than encryption and is trivially reversed by anyone who can read the configuration. Use a dedicated account on the archive host that can do nothing but write into that directory.

Renaming a VLAN
You can use the 'replace' command to alter the configuration; however, be cautious, as it replaces every matching value throughout the configuration, not just VLAN names.

replace pattern "old-vlan" with "new-vlan"

A safer option is the rename command, which acts on a single object at the hierarchy level you name:

rename [path-to-the-area-required] [value1] to [value2]

For a VLAN that is:

rename vlans old-vlan to new-vlan

Rename does not update references to the old name elsewhere in the configuration (an interface's "vlan members old-vlan", for example), so run "commit check" afterwards; it will point out any dangling references before you commit.

Enable SNMP on a Juniper Switch (EX2200)

The following was used to enable SNMP on Juniper EX2200 series switches; it applies to other Junos-based switches as well. I use SNMP with Cacti, an oldie but a goodie. I also use the data to populate and create network weathermaps. That's another post.

Create a 'public' SNMP community, restrict it to read-only, and associate it with a client-list of the intended clients/subnets. In SNMP v1/v2c the community string is the only secret and it travels in the clear, so the client-list is doing most of the access-control work here: on a production switch pick a non-default community name (or move to SNMPv3), and keep the list to the monitoring hosts only.

Dive into configure mode on your switch and use something like the following :

configure
set snmp contact "Company IT"
set snmp name "NZ-Auck-ALB-01"
set snmp description "Albany Office"
set snmp location "Rack 1"
set snmp community public authorization read-only
set snmp client-list list0 192.168.2.16/32
set snmp community public client-list-name list0
commit and-quit

The command "show snmp" in configuration mode (or "show configuration snmp" from operational mode) should now give you something that looks a bit like this:

snmp
   name "NZ-Auck-ALB-01";
   contact "Company IT";
   description "Albany Office";
   location "Rack 1";
   client-list list0 {
       192.168.2.16/32;
   }
   community public {
       authorization read-only;
       client-list-name list0;
   }

You can do a quick test from one of the valid clients. Retrieve the switch's uptime (sysUpTime.0) using "snmpget":

snmpget -v2c -mALL 192.168.27.15 -c public .1.3.6.1.2.1.1.3.0

Boom. You’re good to get some data.
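To see why the client-list matters, here is what that snmpget actually puts on the wire. This is an added example, not code from the page, Cacti or net-snmp: it builds the SNMPv2c GetRequest for sysUpTime.0 with nothing but the standard library, and includes a small decoder that pulls the version and community out of any captured v1/v2c datagram (the kind of thing a passive sensor would use to flag "public" on the network). The request-id and the get_uptime_raw helper are this example's own; only the OID and community come from the page.

```python
"""SNMP v1/v2c on the wire: the community string is a cleartext shared secret.
Added example (not from the cheatsheet or any SNMP library): build the GetRequest
that `snmpget -v2c -c public host .1.3.6.1.2.1.1.3.0` sends, and extract the
community from any captured v1/v2c datagram. Standard library only."""
import os
import socket

SYS_UPTIME_OID = (1, 3, 6, 1, 2, 1, 1, 3, 0)   # same OID as the snmpget above


def ber_length(n):
    """BER length: short form below 128, long form (0x80 | byte count) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, payload):
    return bytes([tag]) + ber_length(len(payload)) + payload


def ber_integer(value):
    """Minimal two's-complement INTEGER (enough for request-ids and error codes)."""
    n = max(1, (value.bit_length() + 8) // 8)
    return tlv(0x02, value.to_bytes(n, "big", signed=True))


def ber_oid(arcs):
    """OBJECT IDENTIFIER: first two arcs packed into one byte, the rest base-128."""
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def build_get_request(community, oid=SYS_UPTIME_OID, request_id=0x1234, version=1):
    """GetRequest PDU; on the wire version 1 means v2c and 0 means v1."""
    varbind = tlv(0x30, ber_oid(oid) + tlv(0x05, b""))          # value is NULL in a request
    pdu = tlv(0xA0, ber_integer(request_id) + ber_integer(0) + ber_integer(0)
              + tlv(0x30, varbind))                                # error-status, error-index, varbind list
    # The community goes in as a plain OCTET STRING right after the version: anyone
    # on the path reads it, which is why the client-list and a non-default name matter.
    return tlv(0x30, ber_integer(version) + tlv(0x04, community.encode()) + pdu)


def read_tlv(buf, pos):
    """Return (tag, payload, next_pos) for the TLV starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def extract_community(datagram):
    """(version, community) of a v1/v2c message, or None if it is not one (SNMPv3, junk)."""
    try:
        tag, msg, _ = read_tlv(datagram, 0)
        if tag != 0x30:
            return None
        vtag, version, pos = read_tlv(msg, 0)
        ctag, community, _ = read_tlv(msg, pos)
    except IndexError:
        return None
    if vtag != 0x02 or ctag != 0x04:
        return None
    version = int.from_bytes(version, "big", signed=True)
    if version not in (0, 1):            # 3 = SNMPv3: no community field
        return None
    return version, community.decode(errors="replace")


def get_uptime_raw(host, community="public", port=161, timeout=2.0):
    """Send the request for real and return the raw response (needs network access)."""
    pkt = build_get_request(community, request_id=int.from_bytes(os.urandom(3), "big"))
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(pkt, (host, port))
        data, _ = s.recvfrom(4096)
    return data


if __name__ == "__main__":
    pkt = build_get_request("public")
    print(pkt.hex())
    print(extract_community(pkt))   # (1, 'public')
```

Run it against a switch with get_uptime_raw("192.168.27.15") from a host on the client-list and you get a GetResponse back; from any other host the request is silently dropped, which is the behaviour the client-list buys you.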


Network Policy Server and 802.1x

Here is some material I reference when working with RADIUS authentication.
I plan to post a basic guide here on implementation, as time allows.

Logging format : You'll need this reference to translate logs. Windows NPS stores log files in "c:\windows\system32\logfiles\". They can be useful for troubleshooting.
Reason Codes : Translate the codes from the logs above.
RegEx Usage   : Get your Regex on in NPS policies.
RADIUS Packet Format :  Fundamentals.
General NPS : Microsoft's general NPS admin documentation.

I have the log files shipping into Elasticsearch/Kibana, translated by Logstash along the way. I’ll post a guide for this eventually, along with the configs etc.
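As an added example of the translation step (this is not the author's Logstash configuration, nor anything from the Microsoft references above), here is a small Python parser for NPS records in the DTS-compliant XML format, one <Event> per line, that maps Packet-Type and Reason-Code to names and flags accounts collecting repeated Access-Rejects. It assumes DTS format (the IAS and ODBC formats are positional and need a different parser); the element names are the ones NPS writes in that format, the handful of reason codes are taken from Microsoft's list, and the records in SAMPLE_LOG are constructed for this example.

```python
"""Parse NPS DTS-compliant log records and flag accounts that keep getting rejected.

Added example, not from the page or any of the Microsoft references it lists.
Assumes NPS writes the DTS-compliant (XML, one <Event> per line) log format;
SAMPLE_LOG is constructed for this example. Standard library only."""
import xml.etree.ElementTree as ET
from collections import Counter

PACKET_TYPES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 4: "Accounting-Request"}

# A few entries from Microsoft's NPS reason-code list (the "Reason Codes" reference above).
REASON_CODES = {
    0: "success",
    16: "credentials mismatch",
    48: "no matching network policy",
    66: "authentication method not enabled on the matching policy",
}

# Constructed sample: one request/accept pair for scott.daniels, three rejects for jdoe.
SAMPLE_LOG = """\
<Event><Timestamp data_type="4">03/14/2016 08:15:02.101</Timestamp><Computer-Name data_type="1">NPS01</Computer-Name><User-Name data_type="1">EXAMPLE\\scott.daniels</User-Name><Client-IP-Address data_type="3">192.168.2.20</Client-IP-Address><Packet-Type data_type="0">1</Packet-Type></Event>
<Event><Timestamp data_type="4">03/14/2016 08:15:02.140</Timestamp><Computer-Name data_type="1">NPS01</Computer-Name><User-Name data_type="1">EXAMPLE\\scott.daniels</User-Name><Client-IP-Address data_type="3">192.168.2.20</Client-IP-Address><Packet-Type data_type="0">2</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>
<Event><Timestamp data_type="4">03/14/2016 08:16:10.002</Timestamp><Computer-Name data_type="1">NPS01</Computer-Name><User-Name data_type="1">EXAMPLE\\jdoe</User-Name><Client-IP-Address data_type="3">192.168.2.20</Client-IP-Address><Packet-Type data_type="0">3</Packet-Type><Reason-Code data_type="0">16</Reason-Code></Event>
<Event><Timestamp data_type="4">03/14/2016 08:16:41.550</Timestamp><Computer-Name data_type="1">NPS01</Computer-Name><User-Name data_type="1">EXAMPLE\\jdoe</User-Name><Client-IP-Address data_type="3">192.168.2.20</Client-IP-Address><Packet-Type data_type="0">3</Packet-Type><Reason-Code data_type="0">16</Reason-Code></Event>
<Event><Timestamp data_type="4">03/14/2016 08:17:03.019</Timestamp><Computer-Name data_type="1">NPS01</Computer-Name><User-Name data_type="1">EXAMPLE\\jdoe</User-Name><Client-IP-Address data_type="3">192.168.2.21</Client-IP-Address><Packet-Type data_type="0">3</Packet-Type><Reason-Code data_type="0">66</Reason-Code></Event>
"""


def parse_events(text):
    """One dict per <Event> line; non-event lines (headers, blanks) are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("<Event>"):
            continue
        fields = {child.tag: child.text for child in ET.fromstring(line)}
        reason = fields.get("Reason-Code")
        events.append({
            "time": fields.get("Timestamp"),
            "user": fields.get("User-Name"),
            "nas": fields.get("Client-IP-Address"),
            "packet_type": int(fields.get("Packet-Type", 0)),
            # Access-Requests carry no Reason-Code; None keeps them distinct from a real 0.
            "reason": int(reason) if reason is not None else None,
        })
    return events


def describe(event):
    """Human-readable line, the kind of field a Logstash filter would add."""
    ptype = PACKET_TYPES.get(event["packet_type"], f"type {event['packet_type']}")
    text = f"{event['time']} {ptype} {event['user']} via {event['nas']}"
    if event["reason"] is not None:
        name = REASON_CODES.get(event["reason"], "see reason-code list")
        text += f": {name} ({event['reason']})"
    return text


def repeated_rejects(events, threshold=3):
    """Accounts with at least `threshold` Access-Rejects: a spray attempt or a stale saved password."""
    counts = Counter(ev["user"] for ev in events if ev["packet_type"] == 3)
    return {user: n for user, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for ev in evs:
        print(describe(ev))
    for user, n in repeated_rejects(evs).items():
        print(f"ALERT: {n} Access-Rejects for {user}")
```

Feed it the real files from c:\windows\system32\logfiles\ and the alert threshold, the time window and the reason-code table are the knobs to tune; a burst of code 16 from one NAS across many users looks quite different from one user hitting code 66 because a supplicant is set to the wrong EAP type.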


Testing LDAP connections

Integrating services with LDAP is a good way to keep users/authentication centralised.
The tests below return the user's entry if the bind and the search both work; if they don't, the debug output (-d 5) tells you where it broke.

Test LDAP

ldapsearch -d 5 -D "CN=BINDUSER,OU=Users,DC=example,DC=company" -s sub -b "dc=example,dc=company" -H ldap://myldapserver:389 -w <PASSWORD> -x "(sAMAccountName=scott.daniels)"

Test LDAPS

LDAPS is TLS from the first byte on port 636, so use an ldaps:// URI rather than -ZZ (-ZZ is StartTLS, which upgrades a plain LDAP session on 389 and fails against 636):

ldapsearch -d 5 -D "CN=BINDUSER,OU=Users,DC=example,DC=company" -s sub -b "dc=example,dc=company" -H ldaps://myldapserver:636 -w <PASSWORD> -x "(sAMAccountName=scott.daniels)"

For StartTLS on the standard port instead, keep -H ldap://myldapserver:389 and add -ZZ. In both cases ldapsearch verifies the server certificate against the CA configured in ldap.conf (TLS_CACERT), which is the point of the test, so don't paper over a failure with LDAPTLS_REQCERT=never outside of a lab. Prefer -W (prompt for the bind password) over -w <PASSWORD> so the password stays out of your shell history and the process list.

Monitor Certificate Expiration with Sensu

It's very easy to monitor for certificate expiry using the "check_http" plugin, which is part of the "nagios-plugins" package.

A basic example:

{
    "checks": {
        "check_cert": {
            "handlers": ["default","email"],
            "command": "/usr/lib/nagios/plugins/check_http -H :::name::: -C 30,7",
            "interval": 86400,
            "subscribers": ["jenkins"]
        }
    }
}

Sensu's "interval" is in seconds, so 86400 checks once every 24 hours (1440 would run it every 24 minutes). A warning is issued when 30 days remain on the certificate; 7 days remaining returns a critical alert. check_http inspects the certificate the server presents, so on a host that serves several certificates add --sni, and add -p if the service is not on 443.

Plenty of time to get a replacement organised and installed. 🙂
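As an added example (not the page's check, and not the nagios-plugins code), here is the same warn/crit logic in Python so the thresholds can be exercised against fixed dates, plus a live fetch that does a verified TLS handshake with SNI. It approximates check_http's -C WARN,CRIT behaviour (remaining days at or below the threshold trip it); the function and constant names are this example's own.

```python
"""Certificate-expiry thresholds in the style of check_http -C WARN,CRIT.

Added example, not from the page or nagios-plugins. classify() applies the
thresholds to a notAfter string as ssl.getpeercert() returns it, so the
logic can be tested without a network; fetch_not_after() does the live check."""
import socket
import ssl
import sys
import time

# Nagios/Sensu exit codes
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3


def days_remaining(not_after, now=None):
    """Whole days until expiry, e.g. for 'Jun  1 12:00:00 2025 GMT'; negative once expired."""
    expires = ssl.cert_time_to_seconds(not_after)
    now = time.time() if now is None else now
    return int((expires - now) // 86400)


def classify(not_after, warn_days=30, crit_days=7, now=None):
    """Return (exit_code, message). Critical is checked first, so a certificate
    inside the critical window never gets reported as a mere warning."""
    if warn_days < crit_days:
        return UNKNOWN, "warning threshold must be >= critical threshold"
    days = days_remaining(not_after, now)
    if days < 0:
        return CRITICAL, f"certificate expired {-days} day(s) ago ({not_after})"
    if days <= crit_days:
        return CRITICAL, f"certificate expires in {days} day(s) ({not_after})"
    if days <= warn_days:
        return WARNING, f"certificate expires in {days} day(s) ({not_after})"
    return OK, f"certificate valid for {days} more day(s) ({not_after})"


def fetch_not_after(host, port=443, timeout=5.0):
    """Live check: TLS handshake with SNI, chain validated against the system CA store."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    try:
        code, msg = classify(fetch_not_after(host))
    except (OSError, ssl.SSLError) as exc:
        # An already-expired or untrusted chain fails the handshake: that is CRITICAL too.
        code, msg = CRITICAL, f"TLS handshake with {host} failed: {exc}"
    print(msg)
    sys.exit(code)
```

The handshake failure branch is the one check_http users forget: once a certificate has actually expired, a verifying client never gets as far as reading notAfter, so the check has to treat a failed handshake as critical rather than unknown.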


DHCP Scope Check

Here's a PowerShell script you can use with Sensu (or Nagios?) to monitor DHCP scopes, to help ensure you have a few spare IP addresses to hand out. The moaning never ends when you run out.
The script will request all DHCP scopes, and check the percentage used. You can define a warning and critical percentage.

Defaults:
-server localhost
-w 80% returns a warning
-c 90% returns critical

/etc/sensu/plugins/check_dhcp.ps1

# Requires the DhcpServer PowerShell module (RSAT: DHCP Server Tools) on the host running the check.
param ( [string]$server = "localhost",
        [int]$warn = 80,
        [int]$crit = 90
)

$warnings = 0
$criticals = 0

try {
    foreach ($scope in (Get-DhcpServerv4Scope -ComputerName $server)) {
        # One statistics call per scope; PercentageInUse and Free both come from it.
        $stats = Get-DhcpServerv4ScopeStatistics -ComputerName $server -ScopeId $scope.ScopeId
        $detail = "$($scope.ScopeId) ($($scope.Name)) has $($stats.Free) IP(s) available, $($stats.PercentageInUse)% in use."

        # Test the critical threshold first: a scope above 90% is also above 80%.
        if ($stats.PercentageInUse -gt $crit) {
            Write-Host "CRITICAL: $detail"
            $criticals++
        } elseif ($stats.PercentageInUse -gt $warn) {
            Write-Host "WARNING: $detail"
            $warnings++
        } else {
            Write-Host "OK: $detail"
        }
    }

    # Nagios/Sensu exit codes: 0 OK, 1 warning, 2 critical, 3 unknown.
    if ($criticals -gt 0) {
        Write-Host "$criticals Critical(s), $warnings Warning(s)"
        exit 2
    }
    if ($warnings -gt 0) {
        Write-Host "$warnings Warning(s)"
        exit 1
    }
    Write-Host "All OK"
    exit 0
}
catch [System.Exception] {
    Write-Host "UNKNOWN: Could not get DHCP information from $server - $($_.Exception.Message)"
    exit 3
}

Example Sensu Check

/etc/sensu/conf.d/check_dhcp.conf

{
  "checks": {
    "dhcp_scope": {
      "handlers": ["default","email"],
      "command": "/etc/sensu/plugins/check_dhcp.ps1 -server :::name::: -warn 60 -crit 90",
      "standalone": false,
      "interval": 60,
      "subscribers": ["dhcp"]
    }
  }
}