IJOS-12.A_LGD (Detailed Lab Guide)

  • Introduction to the Junos Operating System

    12.a

    Detailed Lab Guide

    Worldwide Education Services

    1194 North Mathilda Avenue, Sunnyvale, CA 94089 USA

    408-745-2000

    www.juniper.net

    Course Number: EDU-JUN-IJOS

  • This document is produced by Juniper Networks, Inc.

    This document or any part thereof may not be reproduced or transmitted in any form under penalty of law, without the prior written permission of Juniper Networks Education Services.

    Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.

    Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

    YEAR 2000 NOTICE

    Juniper Networks hardware and software products do not suffer from Year 2000 problems and hence are Year 2000 compliant. The Junos operating system has no known time-related limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.

    SOFTWARE LICENSE

    The terms and conditions for using Juniper Networks software are described in the software license provided with the software, or to the extent applicable, in an agreement executed between you and Juniper Networks, or Juniper Networks agent. By using Juniper Networks software, you indicate that you understand and agree to be bound by its license terms and conditions. Generally speaking, the software license restricts the manner in which you are permitted to use the Juniper Networks software, may contain prohibitions against certain uses, and may state conditions under which the license is automatically terminated. You should consult the software license for further details.

    Introduction to the Junos Operating System Detailed Lab Guide, Revision 12.a

    Copyright 2012, Juniper Networks, Inc.

    All rights reserved. Printed in USA.

    Revision History:

    Revision 9.a: July 2009; Revision 9.b: October 2009; Revision 10.a: May 2010; Revision 10.b: May 2010; Revision 11.a: June 2011; Revision 12.a: June 2012

    The information in this document is current as of the date listed above.

    The information in this document has been carefully verified and is believed to be accurate for software Release 12.1R1.9. Juniper Networks assumes no responsibilities for any inaccuracies that may appear in this document. In no event will Juniper Networks be liable for direct, indirect, special, exemplary, incidental or consequential damages resulting from any defect or omission in this document, even if advised of the possibility of such damages.

  • Contents

    Lab 1: The Junos CLI (Detailed)
        Part 1: Logging In and Exploring the CLI

    Lab 2: Initial System Configuration (Detailed)
        Part 1: Loading a Factory-Default Configuration and Performing Initial Configuration
        Part 2: Saving, Displaying, Loading, and Deleting a Rescue Configuration
        Part 3: Configuring Interfaces and Verifying Operational State

    Lab 3: Secondary System Configuration (Detailed)
        Part 1: Configuring User Authentication
        Part 2: Performing System Management Options

    Lab 4: Operational Monitoring and Maintenance (Detailed)
        Part 1: Monitoring System and Chassis Operation
        Part 2: Using Network Utilities and Monitoring Traffic
        Part 3: Upgrading the Junos OS
        Part 4: Recovering the Root Password

    Lab 5: The J-Web Interface (Detailed)
        Part 1: Logging In to and Exploring the J-Web Interface
        Part 2: Exploring J-Web Configuration and Diagnostic Capabilities

    Appendix A: Lab Diagrams

  • Course Overview

    This one-day course provides students with the foundational knowledge required to work with the Junos operating system and to configure Junos devices. The course provides a brief overview of the Junos device families and discusses the key architectural components of the software. Additional key topics include user interface options with a heavy focus on the command-line interface (CLI), configuration tasks typically associated with the initial setup of devices, interface configuration basics with configuration examples, secondary system configuration, and the basics of operational monitoring and maintenance of Junos devices.

    Through demonstrations and hands-on labs, you will gain experience in configuring and monitoring the Junos OS and monitoring basic device operations. This course uses Juniper Networks SRX Series Services Gateways for the hands-on component, but the lab environment does not preclude the course from being applicable to other Juniper hardware platforms running the Junos OS. This course is based on Junos OS Release 12.1R1.9.

    Objectives

    After successfully completing this course, you should be able to:

    Describe the basic design architecture of the Junos OS.

    Identify and provide a brief overview of Junos devices.

    Navigate within the Junos CLI.

    Perform tasks within the CLI operational and configuration modes.

    Restore a Junos device to its factory-default state.

    Perform initial configuration tasks.

    Configure and monitor network interfaces.

    Describe user configuration and authentication options.

    Perform secondary configuration tasks for features and services such as system logging (syslog) and tracing, Network Time Protocol (NTP), configuration archival, and SNMP.

    Monitor basic operation for the Junos OS and devices.

    Identify and use network utilities.

    Upgrade the Junos OS.

    Perform file system maintenance and password recovery on a Junos device.

    Navigate within the Junos OS J-Web interface.

    Intended Audience

    This course benefits individuals responsible for configuring and monitoring devices running the Junos OS.

    Course Level

    The Introduction to the Junos Operating System course is a one-day, introductory course.

    Prerequisites

    Students should have basic networking knowledge and an understanding of the Open Systems Interconnection (OSI) reference model and the TCP/IP protocol suite.

  • Course Agenda

    Day 1

    Chapter 1: Course Introduction

    Chapter 2: Junos Operating System Fundamentals

    Chapter 3: User Interface Options

    Lab 1: The Junos CLI

    Chapter 4: Initial Configuration

    Lab 2: Initial System Configuration

    Chapter 5: Secondary System Configuration

    Lab 3: Secondary System Configuration

    Chapter 6: Operational Monitoring and Maintenance

    Lab 4: Operational Monitoring and Maintenance

    Appendix A: Interface Configuration Examples

    Appendix B: The J-Web Interface

    Lab 5 (Optional): The J-Web Interface

  • Document Conventions

    CLI and GUI Text

    Frequently throughout this course, we refer to text that appears in a command-line interface (CLI) or a graphical user interface (GUI). To make the language of these documents easier to read, we distinguish GUI and CLI text from chapter text according to the following table.

    Style:         Franklin Gothic
    Description:   Normal text.
    Usage Example: Most of what you read in the Lab Guide and Student Guide.

    Style:         Courier New
    Description:   Console text (screen captures, noncommand-related syntax); GUI text elements (menu names, text field entry).
    Usage Example: commit complete
                   Exiting configuration mode
                   Select File > Open, and then click Configuration.conf in the Filename text box.

    Input Text Versus Output Text

    You will also frequently see cases where you must enter input text yourself. Often these instances will be shown in the context of where you must enter them. We use bold style to distinguish text that is input versus text that is simply displayed.

    Style:         Normal CLI, Normal GUI
    Description:   No distinguishing variant.
    Usage Example: Physical interface:fxp0, Enabled
                   View configuration history by clicking Configuration > History.

    Style:         CLI Input, GUI Input
    Description:   Text that you must enter.
    Usage Example: lab@San_Jose> show route
                   Select File > Save, and type config.ini in the Filename field.

    Defined and Undefined Syntax Variables

    Finally, this course distinguishes between regular text and syntax variables, and it also distinguishes between syntax variables where the value is already assigned (defined variables) and syntax variables where you must assign the value (undefined variables). Note that these styles can be combined with the input style as well.

    Style:         CLI Variable, GUI Variable
    Description:   Text where variable value is already assigned.
    Usage Example: policy my-peers
                   Click my-peers in the dialog.

    Style:         CLI Undefined, GUI Undefined
    Description:   Text where the variable's value is the user's discretion and text where the variable's value as shown in the lab guide might differ from the value the user must input.
    Usage Example: Type set policy policy-name.
                   ping 10.0.x.y
                   Select File > Save, and type filename in the Filename field.

  • Additional Information

    Education Services Offerings

    You can obtain information on the latest Education Services offerings, course dates, and class locations from the World Wide Web by pointing your Web browser to: http://www.juniper.net/training/education/.

    About This Publication

    The Introduction to the Junos Operating System Detailed Lab Guide was developed and tested using software Release 12.1R1.9. Previous and later versions of software might behave differently, so you should always consult the documentation and release notes for the version of code you are running before reporting errors.

    This document is written and maintained by the Juniper Networks Education Services development team. Please send questions and suggestions for improvement to [email protected].

    Technical Publications

    You can print technical manuals and release notes directly from the Internet in a variety of formats:

    Go to http://www.juniper.net/techpubs/.

    Locate the specific software or hardware release and title you need, and choose the format in which you want to view or print the document.

    Documentation sets and CDs are available through your local Juniper Networks sales office or account representative.

    Juniper Networks Support

    For technical support, contact Juniper Networks at http://www.juniper.net/customers/support/, or at 1-888-314-JTAC (within the United States) or 408-745-2121 (from outside the United States).

  • Lab 1: The Junos CLI (Detailed)

    Overview

    This lab introduces you to the Junos operating system command-line interface (CLI). In this lab, you will familiarize yourself with various CLI operational mode and configuration mode features.

    The lab is available in two formats: a high-level format designed to make you think through each step and a detailed format that offers step-by-step instructions complete with sample output from most commands.

    By completing this lab, you will perform the following tasks:

    Log in to and explore the Junos CLI using both operational and configuration modes.

  • Part 1: Logging In and Exploring the CLI

    In this lab part, you become familiar with the access details used to connect to the lab equipment. Once you are familiar with the access details, you will use the CLI to log in to your team's designated station and use the CLI to become familiar with operational mode and configuration mode. You also gain experience with some of the tools and functionality available within operational mode and configuration mode.

    Step 1.1

    Ensure that you know to which student device you have been assigned. Check with your instructor if you are not certain. Consult the management network diagram to determine the management address of your student device.

    Question: What is the management address assigned to your station?

    Answer: The answer varies; in the example used throughout this lab, the user belongs to the srxA-1 station, which uses an IP address of 10.210.14.131. Your answer will depend on the rack of equipment your class is using.

    Step 1.2

    Access the CLI at your station using either the console, Telnet, or SSH as directed by your instructor. Refer to the management network diagram for the IP address associated with your team's station. The following example uses a simple Telnet access to srxA-1 with the Secure CRT program as a basis:

    Note

    Depending on the class, the lab equipment used might be remote from your physical location. The instructor will inform you as to the nature of your access and will provide you the details needed to access your assigned device.

    Step 1.3

    Log in to the student device with the username lab using a password of lab123. Note that both the name and password are case-sensitive. Issue the configure command to enter configuration mode and load the reset configuration file using the load override /var/home/lab/ijos/lab1-start.config command. After the configuration has been loaded, commit the changes and return to operational mode using the commit and-quit command.

    srxA-1 (ttyp0)

    login: lab
    Password:

    --- JUNOS 12.1R1.9 built 2012-03-24 12:12:49 UTC
    lab@srxA-1> configure
    Entering configuration mode

    [edit]
    lab@srxA-1# load override ijos/lab1-start.config
    load complete

    [edit]
    lab@srxA-1# commit and-quit
    commit complete
    Exiting configuration mode

    lab@srxA-1>

    Step 1.4

    Determine what system information you can clear from the operational mode command prompt.

    lab@srxA-1> clear ?
    Possible completions:
      amt                   Show AMT Protocol information
      arp                   Clear address resolution information
      auto-configuration    Clear auto-configuration action
      bfd                   Clear Bidirectional Forwarding Detection information
      bgp                   Clear Border Gateway Protocol information
      bridge                Clear learned Layer 2 MAC address information
      chassis               Clear chassis information
      database-replication  Clear database replication information
      dhcpv6                Clear DHCPv6 information
      dot1x                 Clear 802.1X session
      esis                  Clear end system-to-intermediate system information
      ethernet-switching    Clear ethernet switching information
      fabric                Clear RPDF Internal data structures
      firewall              Clear firewall counters
      gvrp                  Clears Generic VLAN Registration Protocol information
      helper                Clear port-forwarding helper information
      igmp                  Clear Internet Group Management Protocol information
      igmp-snooping         Clear IGMP snooping information
      interfaces            Clear interface information
      ipv6                  Clear IP version 6 information
      isdn                  Clear Integrated Services Digital Network information
      isis                  Clear Intermediate System-to-Intermediate System information
      l2-learning           Clear learned Layer 2 MAC address information
      lacp                  Clear Link Aggregation Control Protocol information
      ldp                   Clear Label Distribution Protocol information
      lldp                  Clear Link Layer Discovery Protocol information
      log                   Clear contents of log file
      mld                   Clear multicast listener discovery information
      mld-snooping          Clear MLD snooping information
      mpls                  Clear mpls information
      msdp                  Clear Multicast Source Discovery Protocol information
      multicast             Clear multicast information
      network-access        Clear network-access related information
      ospf                  Clear Open Shortest Path First information
      ospf3                 Clear Open Shortest Path First version 3 information
      passive-monitoring    Clear passive monitoring statistics
      pfe                   Clear Packet Forwarding Engine information
      pgm                   Clear Pragmatic Generalized Multicast information
      pim                   Clear Protocol Independent Multicast information
      ppp                   Clear PPP information
      pppoe                 Clear PPP over Ethernet information
      protection-group      Clear protection group information
      r2cp                  Clear Radio-to-Router Protocol information
      rip                   Clear Routing Information Protocol information
      ripng                 Clear Routing Information Protocol for IPv6 information
      rsvp                  Clear Resource Reservation Protocol information
      security              Clear security information
      services              Clear services
      snmp                  Clear Simple Network Management Protocol information
      spanning-tree         Clear Spanning Tree Protocol information
      system                Clear system information
      vpls                  Clear learned Layer 2 MAC address information
      vrrp                  Clear Virtual Router Redundancy Protocol statistics
      wlan                  Clear Wireless LAN information

    Question: Which command do you use to clear the contents of a system log (syslog) file?

    Answer: Use the clear log log-filename command to clear the contents of a particular syslog file.

    Step 1.5

    Experiment with command completion by entering show i.

    lab@srxA-1> show i
                     ^
    'i' is ambiguous.
    Possible completions:
      iccp                  Show Inter Chassis Control Protocol information
      igmp                  Show Internet Group Management Protocol information
      igmp-snooping         Show IGMP snooping information
      ingress-replication   Show Ingress-Replication tunnel information
      interfaces            Show interface information
      ipv6                  Show IP version 6 information
      isdn                  Show Integrated Services Digital Network information
      isis                  Show Intermediate System-to-Intermediate System information

    Step 1.6

    Add characters to disambiguate your command so that you can display interface-related information; use the Spacebar or Tab key for automatic command completion.

    lab@srxA-1> show interfaces
    Physical interface: ge-0/0/0, Enabled, Physical link is Up
      Interface index: 134, SNMP ifIndex: 507
      Description: MGMT Interface - DO NOT DELETE
      Link-level type: Ethernet, MTU: 1514, Link-mode: Full-duplex, Speed: 1000mbps,
      BPDU Error: None, MAC-REWRITE Error: None, Loopback: Disabled,
      Source filtering: Disabled, Flow control: Enabled, Auto-negotiation: Enabled,
      Remote fault: Online
      Device flags : Present Running
      Interface flags: SNMP-Traps Internal: 0x0
      Link flags : None
      CoS queues : 8 supported, 8 maximum usable queues
      Current address: 00:26:88:e1:54:80, Hardware address: 00:26:88:e1:54:80
      Last flapped : 2011-04-20 02:02:04 UTC (2d 03:09 ago)
      Input rate : 536 bps (0 pps)
      Output rate : 0 bps (0 pps)
      Active alarms : None
      Active defects : None

      Logical interface ge-0/0/0.0 (Index 68) (SNMP ifIndex 509)
        Flags: SNMP-Traps 0x0 Encapsulation: ENET2
        Input packets : 299996
        Output packets: 211433
        Security: Zone: Null
    ...TRIMMED...

    Note

    You can return to the command prompt without scrolling through all of the generated output from a command. Enter the Ctrl+c key sequence or the q key to abort the operation and return to the command prompt.

    Step 1.7

    Try to clear SNMP statistics by entering the clear snmp command.

    lab@srxA-1> clear snmp
                          ^
    syntax error, expecting .

    Question: What do you think the resulting display means?

    Answer: The display indicates that the command was incomplete as entered. The caret symbol (^) indicates the area of the problem, and the error message tells you that the system expects additional command input.

    Step 1.8

    Verify that the CLI does not let you complete invalid commands by trying to enter the command show ip interface brief.

    lab@srxA-1> show ip

    lab@srxA-1> show ipv6

    lab@srxA-1> show ipinterfacebrief
                        ^
    syntax error, expecting .

    Question: What happens when you try to enter this command?

    Answer: The system's command completion feature completes a show ipv6 command in this case because ipv6 is the only valid completion. If you attempt to continue with invalid syntax, the system informs you of your error. Unlike some CLI implementations, the Junos OS will not let you waste time typing in an illegitimate command!

    Step 1.9

    Enter a show route command followed by a show system users command. You are entering these commands to demonstrate command history recall. When finished, enter the keyboard sequences indicated to answer the related questions.

    lab@srxA-1> show route

    inet.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    10.210.14.128/27   *[Direct/0] 02:12:04
                        > via ge-0/0/0.0
    10.210.14.131/32   *[Local/0] 02:12:10
                          Local via ge-0/0/0.0

    lab@srxA-1> show system users
     5:12AM up 2 days, 3:14, 1 user, load averages: 0.04, 0.10, 0.07
    USER     TTY      FROM     LOGIN@  IDLE WHAT
    lab      u0       -        4:43AM  -    -cli (cli)

    Question: What happens when you press Ctrl+p twice?

    Answer: The system recalls the show route command and displays it at the prompt.

    Question: What happens when you press Ctrl+n?

    Answer: The system recalls the next command in the buffer, which is a show system users command in this example.

    Question: What happens when you use the Up Arrow and Down Arrow keys?

    Answer: The Up Arrow and Down Arrow keys function as substitutes for the Ctrl+p and Ctrl+n sequences as long as the system is configured for VT100-type emulation, which is the default.

    Step 1.10

    In many cases, the output of a command might exceed one full screen. For example, the show interfaces interface-name extensive command displays a lot of information about the specified interface. Enter this command now for your system's ge-0/0/0 interface, and answer the following questions. Use the h key as needed to obtain help when CLI output is paused at the ---(more)--- prompt.

    lab@srxA-1> show interfaces ge-0/0/0 extensive
    Physical interface: ge-0/0/0, Enabled, Physical link is Up
      Interface index: 134, SNMP ifIndex: 507, Generation: 137
      Description: MGMT Interface - DO NOT DELETE
      Link-level type: Ethernet, MTU: 1514, Link-mode: Full-duplex, Speed: 1000mbps,
      BPDU Error: None, MAC-REWRITE Error: None, Loopback: Disabled,
      Source filtering: Disabled, Flow control: Enabled, Auto-negotiation: Enabled,
      Remote fault: Online
      Device flags : Present Running
      Interface flags: SNMP-Traps Internal: 0x0
      Link flags : None
      CoS queues : 8 supported, 8 maximum usable queues
      Hold-times : Up 0 ms, Down 0 ms
      Current address: 00:26:88:e1:54:80, Hardware address: 00:26:88:e1:54:80
      Last flapped : 2011-04-20 02:02:04 UTC (2d 03:11 ago)
      Statistics last cleared: Never
      Traffic statistics:
       Input bytes : 197626475 1008 bps
       Output bytes : 196448392 0 bps
       Input packets: 300053 1 pps
       Output packets: 211433 0 pps
      Input errors:
        Errors: 0, Drops: 0, Framing errors: 0, Runts: 0, Policed discards: 0,
        L3 incompletes: 0, L2 channel errors: 0, L2 mismatch timeouts: 0,
        FIFO errors: 0, Resource errors: 0
      Output errors:
        Carrier transitions: 1, Errors: 0, Drops: 0, Collisions: 0, Aged packets: 0,
        FIFO errors: 0, HS link CRC errors: 0, MTU errors: 0, Resource errors: 0
    ...TRIMMED...

    Question: What effect does pressing the Spacebar have?

    Answer: The Spacebar causes the display to scroll forward to display the next screen of output.

    Question: What effect does pressing the Enter key have on the paused output?

    Answer: The Enter key causes the display to scroll forward by one line.

    Question: What effect does pressing the b key have?

    Answer: Pressing the b key causes the display to scroll backwards by one full screen, up to the point where the first full screen of information displays.

    Question: What effect does pressing the u key have?

    Answer: Pressing the u key causes the display to scroll backwards by one half of a screen, up to the point where the first screen displays.

    Question: Which key would you press to search forward through a display that consists of multiple screens of output?

    Answer: To search forward, press the forward slash (/) character followed by the search pattern.

    Step 1.11

    Use the pipe (|) and match functions of the Junos CLI to list all interfaces that are physically down.

    lab@srxA-1> show interfaces | match down
    Physical interface: ge-0/0/5, Enabled, Physical link is Down
      Device flags : Present Running Down
      Interface flags: Hardware-Down SNMP-Traps Internal: 0x0
    Physical interface: ge-0/0/6, Enabled, Physical link is Down
      Device flags : Present Running Down
      Interface flags: Hardware-Down SNMP-Traps Internal: 0x0
    Physical interface: ge-0/0/7, Enabled, Physical link is Down
      Device flags : Present Running Down
      Interface flags: Hardware-Down SNMP-Traps Internal: 0x0
    Physical interface: ge-0/0/8, Enabled, Physical link is Down
      Device flags : Present Running Down
      Interface flags: Hardware-Down SNMP-Traps Internal: 0x0
    Physical interface: ge-0/0/9, Enabled, Physical link is Down
      Device flags : Present Running Down
      Interface flags: Hardware-Down SNMP-Traps Internal: 0x0
    Physical interface: ge-0/0/10, Enabled, Physical link is Down
      Device flags : Present Running Down
      Interface flags: Hardware-Down SNMP-Traps Internal: 0x0
    Physical interface: ge-0/0/11, Enabled, Physical link is Down
      Device flags : Present Running Down
      Interface flags: Hardware-Down SNMP-Traps Internal: 0x0
    Physical interface: ge-0/0/12, Enabled, Physical link is Down
      Device flags : Present Running Down
      Interface flags: Hardware-Down SNMP-Traps Internal: 0x0
    Physical interface: ge-0/0/13, Enabled, Physical link is Down
      Device flags : Present Running Down
      Interface flags: Hardware-Down SNMP-Traps Internal: 0x0
    Physical interface: ge-0/0/14, Enabled, Physical link is Down
      Device flags : Present Running Down
      Interface flags: Hardware-Down SNMP-Traps Internal: 0x0
    Physical interface: ge-0/0/15, Enabled, Physical link is Down
      Device flags : Present Running Down
      Interface flags: Hardware-Down SNMP-Traps Internal: 0x0

    Question: Are any of your interfaces listed as Down?

    Answer: In this example, the answer is yes; several interfaces show as Down. The interfaces shown might vary depending on your lab environment.

    Question: Can you think of a way to have the Junos OS count the number of interfaces that are physically down? (Hint: Remember that you can use the results of one pipe as input to another pipe operation.)

    Answer: To count the number of down interfaces, pipe the results of the previous command to the CLI count function. In this example, we included an extra match function to ensure that the software does not count interfaces that are down both logically and physically more than once:

    lab@srxA-1> show interfaces | match down | match Physical | count
    Count: 11 lines
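    The effect of each pipe stage in this step can be reproduced offline on saved show interfaces output. The following Python sketch is an added example, not part of the original lab guide: the function names (match, count, physically_down) are hypothetical, the sample text is constructed rather than captured from a device, and match is assumed to behave as a case-insensitive regular-expression filter, as the lab output above suggests (match down returns lines that say "Down").

```python
import re

# Constructed sample in the layout of the `show interfaces` output shown in this
# lab; interface names and index values are illustrative, not from a device.
SAMPLE = """\
Physical interface: ge-0/0/0, Enabled, Physical link is Up
  Interface index: 134, SNMP ifIndex: 507
  Device flags   : Present Running
  Interface flags: SNMP-Traps Internal: 0x0
  Logical interface ge-0/0/0.0 (Index 68) (SNMP ifIndex 509)
    Flags: SNMP-Traps 0x0 Encapsulation: ENET2
Physical interface: ge-0/0/5, Enabled, Physical link is Down
  Interface index: 139, SNMP ifIndex: 518
  Device flags   : Present Running Down
  Interface flags: Hardware-Down SNMP-Traps Internal: 0x0
Physical interface: ge-0/0/6, Enabled, Physical link is Down
  Interface index: 140, SNMP ifIndex: 519
  Device flags   : Present Running Down
  Interface flags: Hardware-Down SNMP-Traps Internal: 0x0
  Logical interface ge-0/0/6.0 (Index 70) (SNMP ifIndex 520)
    Flags: Device-Down SNMP-Traps 0x0 Encapsulation: ENET2
"""


def match(lines, pattern):
    """Emulate `| match pattern`: keep lines the regex matches, ignoring case."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [line for line in lines if rx.search(line)]


def count(lines):
    """Emulate `| count`: the number of lines that reached this stage."""
    return len(lines)


# Header line of each physical interface block, with its link state.
PHYS_RE = re.compile(
    r"^Physical interface: (?P<name>[^,\s]+),.*Physical link is (?P<link>Up|Down)\s*$"
)


def physically_down(text):
    """Return the names of interfaces whose header reports 'Physical link is Down'.

    Unlike the line filter, this keys on the header line only, so flag lines and
    logical-unit lines that also contain 'Down' cannot inflate the result.
    """
    names = []
    for line in text.splitlines():
        m = PHYS_RE.match(line)
        if m and m.group("link") == "Down":
            names.append(m.group("name"))
    return names


if __name__ == "__main__":
    lines = SAMPLE.splitlines()
    one_stage = match(lines, "down")
    two_stage = match(one_stage, "Physical")
    # One filter counts every line mentioning "down", several per interface.
    print("match down | count                  ->", count(one_stage))
    # The second filter keeps one header line per physically down interface.
    print("match down | match Physical | count ->", count(two_stage))
    print("down interfaces:", ", ".join(physically_down(SAMPLE)))
```

    The single-stage count is larger than the number of down interfaces because each one contributes its header line, its flag lines, and any logical-unit line that mentions Down; the second filter reduces that to one line per interface.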

    Step 1.12

    A large portion of the Junos OS documentation is available directly from the CLI. You can retrieve high-level topics using the help topic command, whereas you can obtain detailed configuration-related information with the help reference command.

    Use the help reference command along with the CLI question-mark operator (?) to find detailed information about configuring a system hostname.

    lab@srxA-1> help reference ?
    Possible completions:
      access
      accounting-options
      ancp
      applications
      bfd
      bgp
      bridge-domains
      chassis
      class-of-service
      connections
      diameter
      dlsw
      dot1x
      dvmrp
      dynamic-profiles
      esis
      event-options
      firewall
      forwarding-options
      igmp
      interfaces
      isis
      l2-learning
      l2circuit
      l2vpn
      layer2-control
      layer2-vpns          Use the 'help reference l2vpn' command
      layer3-vpns
      ldp
      link-management
      lldp
      logical-systems
      mld
      mpls
      msdp
      mvpn
      oam
      ospf
      ospf3
      pgm
      pim
      poe
      policy-options
      ppp
      protection-group
      rip
      ripng
      router-advertisement
      router-discovery
      routing-instances
      routing-options
      rsvp
      sap
      schedulers
      security
      services
      snmp
      stp
      switch-options
      system
      vpls
      vpns
      vrrp

    Question: Which CLI command displays reference information about configuration of the system's hostname?

    Answer: The help reference system host-name command displays information regarding system hostnames:

    lab@srxA-1> help reference system host-name
    host-name

    Syntax

    host-name hostname;

    Hierarchy Level

    [edit system]

    Release Information

    Statement introduced before JUNOS Release 7.4.

    Statement introduced in JUNOS Release 9.0 for EX Series switches.

    Description

    Set the hostname of the router or switch.

    Options

    hostname--Name of the router or switch.

    Required Privilege Level

    system--To view this statement in the configuration.

    system-control--To add this statement to the configuration.

    Related Topics

    * Configuring the Hostname of the Router

    Step 1.13

    Enter configuration mode.

    lab@srxA-1> configure
    Entering configuration mode

    [edit]
    lab@srxA-1#

    Question: What happens to your prompt?

    Answer: A pound sign (#) replaces the angle bracket (>), and a configuration hierarchy banner displays.

    Question: According to the prompt, what is your position in the configuration hierarchy?

    Answer: The display indicates that you are now at the [edit] hierarchy, which is the root of the configuration tree.

    Step 1.14

    Display the interfaces portion of the candidate configuration.

    [edit]
    lab@srxA-1# show interfaces
    ge-0/0/0 {
        description "MGMT Interface - DO NOT DELETE";
        unit 0 {
            family inet {
                address 10.210.14.131/27;
            }
        }
    }

    Step 1.15

    Position yourself at the [edit interfaces] configuration hierarchy.

    [edit]
    lab@srxA-1# edit interfaces

    [edit interfaces]
    lab@srxA-1#

    Question: What happens to the banner?

    Answer: The banner now correctly shows that the user is at the [edit interfaces] portion of the configuration hierarchy.

    Question: What is the result of a show command now?

    Answer: A show command displays information pertaining only to configuration statements at and below the current hierarchy. In this case, the software displays only the configuration statements for the system's ge-0/0/0 interface:

    [edit interfaces]
    lab@srxA-1# show
    ge-0/0/0 {
        description "MGMT Interface - DO NOT DELETE";
        unit 0 {
            family inet {
                address 10.210.14.131/27;
            }
        }
    }

    Step 1.16

    Move to the [edit protocols ospf] portion of the hierarchy. This step requires that you first visit the root of the hierarchy, as you cannot jump directly between branches. You can perform this step with a single command in the form of top edit protocols ospf, however.

    [edit interfaces]
    lab@srxA-1# top edit protocols ospf

    [edit protocols ospf]
    lab@srxA-1#

    Question: Which commands can you now enter to reposition yourself at the [edit] portion of the hierarchy? Return to the [edit] hierarchy level now.

    Answer: You can issue an up command twice, or an up 2 command. You can also issue an exit command or a top command.

    [edit protocols ospf]
    lab@srxA-1# top

    [edit]
    lab@srxA-1#

    Step 1.17

    Try to display the status of chassis hardware with a show chassis hardware operational command while in configuration mode.

    [edit]
    lab@srxA-1# show chassis hardware
                             ^
    syntax error.

    Note

    If you have not already done so, return to the [edit] hierarchy level using one of the available methods.

    Question: Why do you think you received an error? What can you do to execute operational mode commands while in configuration mode? Try that now.

    Answer: The command issued is not valid in configuration mode. Precede operational mode commands with the keyword run to execute them while in configuration mode:

    [edit]
    lab@srxA-1# run show chassis hardware
    Hardware inventory:
    Item             Version  Part number  Serial number     Description
    Chassis                                AH3809AA0054      SRX240h-poe
    Routing Engine   REV 35   750-021794   AAAX6922          RE-SRX240H-POE
    FPC 0                                                    FPC
      PIC 0                                                  16x GE Base PIC
    Power Supply 0

    Step 1.18

    Try to return to operational mode by entering an exit command.

    [edit]
    lab@srxA-1# exit
    The configuration has been changed but not committed
    Exit with uncommitted changes? [yes,no] (yes)

    Question: What happens when you execute the exit command?

    Answer: You should see a message indicating that uncommitted changes exist. This message results from the creation of an empty [edit protocols ospf] stanza. This empty stanza causes the configuration database to believe that the configuration actually changed.

    Question: Which CLI command can you use to display differences between the candidate and active configuration file? Enter no at the current prompt and issue the required command to view the differences between the candidate and active configurations.

    Answer: Use the show command with the results piped to compare rollback number. In this example, you should not see any actual configuration changes, as shown in the following sample capture:

    The configuration has been changed but not committed
    Exit with uncommitted changes? [yes,no] (yes) no

    Exit aborted

    [edit]
    lab@srxA-1# show | compare rollback 0

    [edit]
    lab@srxA-1#

    Question: Considering that nothing changed, which command can you enter to allow an exit from configuration mode without being warned of uncommitted changes? Issue that command now.

    Answer: Issue a rollback 0 command to replace the candidate configuration with a new copy of the active configuration. You can now exit configuration mode without being warned of uncommitted changes:

    [edit]
    lab@srxA-1# rollback 0
    load complete

    [edit]
    lab@srxA-1# exit
    Exiting configuration mode

    lab@srxA-1>

    Step 1.19

    Log out of your assigned device using the exit command.

    lab@srxA-1> exit

    srxA-1 (ttyu0)

    login:

    STOP Tell your instructor that you have completed Lab 1.

    Lab 2: Initial System Configuration (Detailed)

    Overview

    This lab demonstrates configuration tasks typically performed on new devices running the Junos operating system. In this lab, you use the CLI to perform initial configuration and basic interface configuration.

    The lab is available in two formats: a high-level format designed to make you think through each step and a detailed format that offers step-by-step instructions complete with sample output from most commands. Refer to the management network diagram for access details.

    By completing this lab, you will perform the following tasks:

    Load a factory-default configuration and perform initial system configuration.

    Save, delete, and restore a rescue configuration.

    Perform basic interface configuration.

    Part 1: Loading a Factory-Default Configuration and Performing Initial Configuration

    In this lab part, you will load the factory-default configuration and perform initial configuration tasks using the Junos CLI.

    Step 1.1

    Ensure that you know to which student device you have been assigned. Check with your instructor if you are not certain. Consult the management network diagram to determine the management address of your student device.

    Question: What is the management address assigned to your station?

    Answer: The answer varies; in the example used throughout this lab, the user belongs to the srxA-1 station, which uses an IP address of 10.210.14.131. Your answer will depend on the rack of equipment your class is using.

    Step 1.2

    Access the CLI at your station using the console connection.

    Note

    During this lab, your access through the management network will be affected. Ensure that you use the console connection to access your assigned station. Using the console connection ensures persistent connectivity even when the management network access is unavailable. If needed, ask your instructor how to connect to your system using the console port.

    Step 1.3

    Log in to the student device with the username lab using a password of lab123. Note that both the name and password are case-sensitive. Enter configuration mode and load a factory-default configuration using the load factory-default command.

    srxA-1 (ttyp0)

    login: lab
    Password:

    --- JUNOS 12.1R1.9 built 2012-03-24 12:12:49 UTC
    lab@srxA-1> configure
    Entering configuration mode

    [edit]
    lab@srxA-1# load factory-default
    warning: activating factory configuration

    Step 1.4

    Display the factory-default configuration.

    [edit]
    lab@srxA-1# show
    ## Last changed: 2012-04-17 23:59:34 UTC
    system {
        autoinstallation {
            delete-upon-commit; ## Deletes [system autoinstallation] upon change/commit
            traceoptions {
                level verbose;
                flag {
                    all;
                }
            }
            interfaces {
                ge-0/0/0 {
                    bootp;
                }
            }
        }
        name-server {
            208.67.222.222;
            208.67.220.220;
        }
        services {
            ssh;
            telnet;
            xnm-clear-text;
            web-management {
                http {
                    interface vlan.0;
                }
                https {
                    system-generated-certificate;
                    interface vlan.0;
                }
            }
            dhcp {
                router {
                    192.168.1.1;
                }
                pool 192.168.1.0/24 {
                    address-range low 192.168.1.2 high 192.168.1.254;
                }
                propagate-settings ge-0/0/0.0;
            }
        }
        syslog {
            archive size 100k files 3;
            user * {
                any emergency;
            }
            file messages {
                any critical;
                authorization info;
            }
            file interactive-commands {
                interactive-commands error;
            }
        }
        max-configurations-on-flash 5;
        ##
        ## Warning: statement ignored: unsupported platform (srx240h)
        ##
        max-configuration-rollbacks 5;
        license {
            autoupdate {
                url https://ae1.juniper.net/junos/key_retrieval;
            }
        }
        ## Warning: missing mandatory statement(s): 'root-authentication'
    }
    interfaces {
        ge-0/0/0 {
            unit 0;
        }
        ge-0/0/1 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/2 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/3 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/4 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/5 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/6 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/7 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/8 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/9 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/10 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/11 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/12 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/13 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/14 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/15 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        vlan {
            unit 0 {
                family inet {
                    address 192.168.1.1/24;
                }
            }
        }
    }
    protocols {
        stp;
    }
    security {
        screen {
            ids-option untrust-screen {
                icmp {
                    ping-death;
                }
                ip {
                    source-route-option;
                    tear-drop;
                }
                tcp {
                    syn-flood {
                        alarm-threshold 1024;
                        attack-threshold 200;
                        source-threshold 1024;
                        destination-threshold 2048;
                        timeout 20;
                    }
                    land;
                }
            }
        }
        nat {
            source {
                rule-set trust-to-untrust {
                    from zone trust;
                    to zone untrust;
                    rule source-nat-rule {
                        match {
                            source-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
        }
        policies {
            from-zone trust to-zone untrust {
                policy trust-to-untrust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
        }
        zones {
            security-zone trust {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    vlan.0;
                }
            }
            security-zone untrust {
                screen untrust-screen;
                interfaces {
                    ge-0/0/0.0 {
                        host-inbound-traffic {
                            system-services {
                                dhcp;
                                tftp;
                            }
                        }
                    }
                }
            }
        }
    }
    vlans {
        vlan-trust {
            vlan-id 3;
            l3-interface vlan.0;
        }
    }

    Step 1.5

    Try to activate the factory-default configuration by issuing a commit command.

    [edit]
    lab@srxA-1# commit
    [edit]
      'system'
        Missing mandatory statement: 'root-authentication'
    error: commit failed: (missing statements)

    Question: Did the commit operation succeed? If not, why not?

    Answer: No, the commit operation should fail because the root authentication is missing.

    Step 1.6

    Navigate to the [edit system root-authentication] hierarchy level. Issue the set plain-text-password command. When prompted to enter a new password, type apples.

    [edit]
    lab@srxA-1# edit system root-authentication

    [edit system root-authentication]
    lab@srxA-1# set plain-text-password
    New password:
    error: require change of case, digits or punctuation

    [edit system root-authentication]
    lab@srxA-1#

    Question: What happens when you enter the specified password? Why?

    Answer: The operation fails because the password does not meet the requirements.

    Note

    The factory-default configuration displays several statements pertaining to the security hierarchy level. This information is outside the scope of this class but is covered in the Junos for Security Platforms (JSEC) course.

    Step 1.7

    Again, issue the set plain-text-password command. When prompted to enter a new password, type Apples. When prompted to confirm the password, type Oranges.

    [edit system root-authentication]
    lab@srxA-1# set plain-text-password
    New password:
    Retype new password:
    error: Passwords are not equal; aborting

    Question: What happens when you enter the specified passwords? Why?

    Answer: The operation fails because the passwords are not equal.

    Step 1.8

    Issue the set plain-text-password command once again. When prompted to enter a new password, type Rootroot. When prompted to confirm the password, type Rootroot. Activate the change and return to operational mode by issuing a commit and-quit command.

    [edit system root-authentication]
    lab@srxA-1# set plain-text-password
    New password:
    Retype new password:

    [edit system root-authentication]
    lab@srxA-1# commit and-quit
    commit complete
    Exiting configuration mode

    lab@srxA-1>

    Step 1.9

    Issue the file list /var/tmp command.

    lab@srxA-1> file list /var/tmp
    error: no local user: lab

    Question: What happens when you enter the specified command? Why?

    Answer: The operation generates an error because the lab user is no longer valid. We restore the lab user account in a subsequent lab step.

    Step 1.10

    Log out as the lab user and log in as root. Use the newly defined password of Rootroot.

    lab@srxA-1> exit

    srxA-1 (ttyu0)

    login: root
    Password:

    --- JUNOS 12.1R1.9 built 2012-03-24 12:12:49 UTC
    root@srxA-1%

    Step 1.11

    Start the CLI with the cli command and enter configuration mode.

    root@srxA-1% cli
    root@srxA-1> configure
    Entering configuration mode

    [edit]
    root@srxA-1#

    Step 1.12

    Define the system's hostname. Use the hostname specified on the management network diagram provided by your instructor.

    [edit]
    root@srxA-1# set system host-name hostname

    Step 1.13

    Configure the time zone and system time using the local time zone and current date and time as input values.

    [edit]
    root@srxA-1# set system time-zone time-zone

    [edit]
    root@srxA-1# run set date date/time
    Wed April 25 04:19:00 PDT 2012

    Note

    You should see the previously defined hostname at the login prompt. The amnesiac hostname is shown when the hostname is removed and the system is rebooted. You do not need to reboot the system at this time because you will configure a new hostname shortly.

    Step 1.14

    Remove the DHCP, interface, security, protocols and vlan sections from the factory-default configuration, as they are not necessary in this lab environment.

    [edit]
    root@srxA-1# delete system services dhcp

    [edit]
    root@srxA-1# delete interfaces

    [edit]
    root@srxA-1# delete security

    [edit]
    root@srxA-1# delete protocols

    [edit]
    root@srxA-1# delete vlans

    Step 1.15

    Configure the ge-0/0/0 interface using the address and subnet mask specified on the management network diagram, and specify an interface description of "MGMT INTERFACE - DO NOT DELETE".

    [edit]
    root@srxA-1# edit interfaces

    [edit interfaces]
    root@srxA-1# set ge-0/0/0 unit 0 family inet address management IP address

    [edit interfaces]
    root@srxA-1# set ge-0/0/0 description "MGMT Interface - DO NOT DELETE"

    [edit interfaces]
    root@srxA-1#

    Step 1.16

    Navigate to [edit routing-options] and define a static route for the 10.210.0.0/16 destination prefix to allow for reachability beyond the local management subnet. Use the gateway address, shown on the management network diagram, as the next-hop value. When complete, commit the configuration and return to operational mode.

    [edit interfaces]
    root@srxA-1# top edit routing-options

    [edit routing-options]
    root@srxA-1# set static route 10.210.0.0/16 next-hop gateway address

    [edit routing-options]
    root@srxA-1# commit and-quit
    commit complete
    Exiting configuration mode

    root@srxA-1>

    STOP Wait for your instructor before you proceed to the next part.

    Part 2: Saving, Displaying, Loading, and Deleting a Rescue Configuration

    In this lab part, you will save, display, load, and delete a rescue configuration using the Junos CLI.

    Step 2.1

    Enter configuration mode and load the lab2-part2-start.config file from the /var/home/lab/ijos/ directory. This will return the lab to its original state and reestablish the lab user. Commit your configuration and return to operational mode when complete.

    root@srxA-1> configure

    [edit]
    root@srxA-1# load override /var/home/lab/ijos/lab2-part2-start.config
    load complete

    [edit]
    root@srxA-1# commit and-quit
    commit complete
    Exiting configuration mode

    root@srxA-1>

    Step 2.2

    Log out of the root user by issuing the exit command twice, then log in as the lab user using lab123 as the password.

    root@srxA-1> exit

    root@srxA-1% exit
    logout

    srxA-1 (ttyu0)

    login: lab
    Password:

    --- JUNOS 12.1R1.9 built 2012-03-24 12:12:49 UTC
    lab@srxA-1>

    Step 2.3

    Save the active configuration as the rescue configuration.

    lab@srxA-1> request system configuration rescue save

    Step 2.4

    Display the contents of the recently saved rescue configuration.

    lab@srxA-1> file show /config/rescue.conf.gz
    ## Last changed: 2012-04-17 20:11:13 PDT
    version 12.1R1.9;
    system {
        host-name srxB-1;
        time-zone America/Los_Angeles;
        root-authentication {
            encrypted-password "$1$KI99zGk6$MbYFuBbpLffu9tn2.sI7l1";
            ssh-dsa "ssh-dss ... [email protected]";
        }
        login {
            user lab {
                uid 2000;
                class super-user;
                authentication {
                    encrypted-password "$1$84J5Maes$cni5Hrazbd/IEHr/50oY30";
                }
            }
        }
        services {
            ssh;
            telnet;
            web-management {
                http {
                    interface ge-0/0/0.0;
                }
                https {
                    system-generated-certificate;
                    interface all;
                }
            }
        }
        syslog {
            file messages {
                any critical;
                authorization info;
            }
            file interactive-commands {
                interactive-commands any;
            }
        }
    }
    interfaces {
        ge-0/0/0 {
            description "MGMT Interface - DO NOT DELETE";
            unit 0 {
                family inet {
                    address 10.210.35.133/26;
                }
            }
        }
    }
    routing-options {
        static {
            route 10.210.0.0/16 next-hop 10.210.35.130;
        }
    }

    Question: Does the rescue configuration match the recently created active configuration?

    Answer: Yes, the rescue configuration should match the recently created active configuration.

    Question: What CLI command could you issue to compare the active and rescue configuration files?

    Answer: Use the file compare files /config/juniper.conf.gz /config/rescue.conf.gz command to compare the active and rescue configurations. As shown in the following sample capture, the files do not contain any differences:

    lab@srxA-1> file compare files /config/juniper.conf.gz /config/rescue.conf.gz

    Step 2.5

    Return to configuration mode and delete the [edit system services] hierarchy level. Activate the change.

    lab@srxA-1> configure
    Entering configuration mode

    [edit]
    lab@srxA-1# delete system services

    [edit]
    lab@srxA-1# commit
    commit complete

    [edit]
    lab@srxA-1#

    Step 2.6

    Verify that the [edit system services] hierarchy level is empty and then load the rescue configuration.

    [edit]
    lab@srxA-1# show system services

    [edit]
    lab@srxA-1# rollback rescue
    load complete

    Step 2.7

    Verify that the [edit system services] hierarchy level once again contains the ssh, telnet, and web-management services.

    [edit]
    lab@srxA-1# show system services
    ssh;
    telnet;
    web-management {
        http {
            interface ge-0/0/0.0;
        }
        https {
            system-generated-certificate;
            interface all;
        }
    }

    Question: Did the rescue configuration successfully load? Are the services enabled now? If not, why not?

    Answer: Yes, the rescue configuration loaded successfully and restored the statements at the [edit system services] hierarchy level. However, the software did not enable the services. Remember, to enable the rescue configuration, or any other candidate configuration, you must commit!
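
    The services stanza restored here, like the factory-default one in Part 1, enables telnet and HTTP web management next to ssh and https (the factory default also lists xnm-clear-text), and the hashes shown in the rescue file use the $1$ (MD5-crypt) format. The following added example, which is not part of the Juniper lab guide, parses a curly-brace Junos configuration and reports those statements; the function names and the sample configuration are assumptions constructed for illustration.

```python
import re

# Constructed sample: an [edit system] stanza modelled on the configurations shown in
# this lab. The password hashes are placeholders, not values from the lab guide.
SAMPLE_CONFIG = r'''
system {
    host-name srxA-1;
    root-authentication {
        encrypted-password "$1$EXAMPLE0$placeholderplaceholder00"; ## SECRET-DATA
    }
    login {
        user lab {
            uid 2000;
            class super-user;
            authentication {
                encrypted-password "$1$EXAMPLE1$placeholderplaceholder11"; ## SECRET-DATA
            }
        }
    }
    services {
        ssh;
        telnet;
        xnm-clear-text;
        web-management {
            http {
                interface vlan.0;
            }
            https {
                system-generated-certificate;
                interface vlan.0;
            }
        }
    }
}
'''

# Token order matters: quoted strings first, then /* ... */ and ## comments,
# then the structural characters, then bare words.
TOKEN = re.compile(r'"[^"]*"|/\*.*?\*/|##[^\n]*|[{};]|[^\s{};"]+', re.S)

# Statements under [edit system services] that carry management traffic unencrypted.
CLEAR_TEXT_SERVICES = {
    'telnet': 'Telnet login: credentials and session cross the network unencrypted',
    'xnm-clear-text': 'Junos XML management protocol over an unencrypted connection',
}


def statements(text):
    """Yield (parent_path, words) for every container and leaf statement."""
    path, words = [], []
    for tok in TOKEN.findall(text):
        if tok.startswith(('##', '/*')):
            continue                      # comments, including SECRET-DATA markers
        if tok == '{':
            yield tuple(path), tuple(words)
            path.append(' '.join(words))  # e.g. "user lab" becomes one path element
            words = []
        elif tok == ';':
            if words:
                yield tuple(path), tuple(words)
            words = []
        elif tok == '}':
            if path:
                path.pop()
            words = []
        else:
            words.append(tok)


def audit(text):
    """Return a list of (location, issue) tuples in order of appearance."""
    findings = []
    for parent, words in statements(text):
        head = words[0] if words else ''
        if parent == ('system', 'services') and head in CLEAR_TEXT_SERVICES:
            findings.append((' '.join(parent + (head,)), CLEAR_TEXT_SERVICES[head]))
        elif parent == ('system', 'services', 'web-management') and head == 'http':
            findings.append((' '.join(parent + (head,)),
                             'Web management reachable over unencrypted HTTP'))
        elif (head == 'encrypted-password' and len(words) > 1
              and words[1].startswith('"$1$')):
            # A masked value (/* SECRET-DATA */) leaves no second word and is skipped.
            findings.append((' '.join(parent),
                             'MD5-crypt ($1$) password hash stored in the configuration'))
    return findings


if __name__ == '__main__':
    for location, issue in audit(SAMPLE_CONFIG):
        print(f'[edit {location}] {issue}')
```

    The parser also accepts a configuration flattened onto one line, so it can be run against saved output of show configuration or a copy of the rescue file.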

    Step 2.8

    Activate the rescue configuration and return to operational mode.

    [edit]
    lab@srxA-1# commit and-quit
    commit complete
    Exiting configuration mode

    lab@srxA-1>

    Step 2.9

    Delete the rescue configuration and attempt to display the rescue.conf.gz file to confirm the deletion.

    lab@srxA-1> request system configuration rescue delete

    lab@srxA-1> file show /config/rescue.conf.gz
    error: could not resolve file: /config/rescue.conf.gz

    Question: Did you successfully delete the rescue configuration?

    Answer: Yes, based on the results shown, the deletion of the rescue configuration was successful.

    STOP Wait for your instructor before you proceed to the next part.

    Part 3: Configuring Interfaces and Verifying Operational State

    In this lab part, you will perform interface configuration and verify the operational state of interfaces using the Junos CLI.

    Step 3.1

    Enter configuration mode and load the lab2-part3-start.config file from the /var/home/lab/ijos/ directory. Commit your configuration when complete.

    lab@srxA-1> configure
    Entering configuration mode

    [edit]
    lab@srxA-1# load override ijos/lab2-part3-start.config
    load complete

    [edit]
    lab@srxA-1# commit
    commit complete

    [edit]
    lab@srxA-1#

    Step 3.2

    Refer to the network diagram for this lab and configure the listed interfaces. Use logical unit 0 on all specified interfaces. Commit the configuration and return to operational mode when complete.

    [edit]
    lab@srxA-1# edit interfaces

    [edit interfaces]
    lab@srxA-1# set ge-0/0/3 unit 0 family inet address address/30

    [edit interfaces]
    lab@srxA-1# set ge-0/0/2 unit 0 family inet address address/30

    [edit interfaces]
    lab@srxA-1# set ge-0/0/1 unit 0 family inet address address/30

    [edit interfaces]
    lab@srxA-1# set lo0 unit 0 family inet address address/32

    [edit interfaces]
    lab@srxA-1# commit and-quit
    commit complete
    Exiting configuration mode

    lab@srxA-1>

    Step 3.3

    Issue the show interfaces terse CLI command to verify the state of the configured interfaces.

    lab@srxA-1> show interfaces terse
    Interface               Admin Link Proto    Local                 Remote
    ge-0/0/0                up    up
    ge-0/0/0.0              up    up   inet     10.210.14.131/27
    ...TRIMMED..
    ge-0/0/1                up    up
    ge-0/0/1.0              up    up   inet     172.20.77.1/30
    ge-0/0/2                up    up
    ge-0/0/2.0              up    up   inet     172.20.66.1/30
    ge-0/0/3                up    up
    ge-0/0/3.0              up    up   inet     172.18.1.2/30
    ...TRIMMED..
    lo0                     up    up
    lo0.0                   up    up   inet     192.168.1.1         --> 0/0
    ...TRIMMED..

    Question: What are the Admin and Link states of the recently configured interfaces?

    Answer: All configured interfaces should show Admin and Link states of up, as shown in the sample capture.

    Step 3.4

    Log out of your assigned device using the exit command.

    lab@srxA-1> exit

    srxA-1 (ttyu0)

    login:

    STOP Tell your instructor that you have completed Lab 2.

    Lab 3: Secondary System Configuration (Detailed)

    Overview

    This lab demonstrates typical secondary configuration tasks performed on devices running the Junos operating system.

    The lab is available in two formats: a high-level format designed to make you think through each step and a detailed format that offers step-by-step instructions complete with sample outputs from most commands.

    By completing this lab, you will perform the following tasks:

    Define user accounts and authentication options.

    Set up and verify proper operation of system logging (syslog).

    Configure and monitor NTP.

    Enable and monitor the operation of SNMP.

    Configure and monitor the configuration archival feature.

    Part 1: Configuring User Authentication

    In this lab part, your team will configure user accounts and related authentication options.

    Step 1.1

    Ensure that you know to which student device you have been assigned. Check with your instructor if you are not certain. Consult the management network diagram to determine the management address of your student device.

    Question: What is the management address assigned to your station?

    Answer: The answer varies; in the example used throughout this lab, the user belongs to the srxA-1 station, which uses an IP address of 10.210.14.131. Your answer will depend on the rack of equipment your class is using.

    Step 1.2

    Access the CLI at your station using either the console, Telnet, or SSH as directed by your instructor. Refer to the management network diagram for the IP address associated with your team's station. The following example uses a simple Telnet access to srxA-1 with the Secure CRT program as a basis:

    Step 1.3

    Log in to the student device with the username lab using a password of lab123. Note that both the name and password are case-sensitive. Enter configuration mode and load the reset configuration file using the load override /var/home/lab/ijos/lab3-start.config command. After the configuration has been loaded, commit the changes.

    srxA-1 (ttyp0)

    login: lab
    Password:

    --- JUNOS 12.1R1.9 built 2012-03-24 12:12:49 UTC
    lab@srxA-1> configure
    Entering configuration mode

    [edit]
    lab@srxA-1# load override ijos/lab3-start.config
    load complete

    [edit]
    lab@srxA-1# commit
    commit complete

    [edit]
    lab@srxA-1#

    Step 1.4

    Navigate to [edit system login] and define a custom login class named juniper with the following permissions:

    view

    view-configuration

    reset

    [edit]
    lab@srxA-1# edit system login

    [edit system login]
    lab@srxA-1# set class juniper permissions [view view-configuration reset]
    error: invalid value: ]

    [edit system login]
    lab@srxB-1# show
    class juniper {
        permissions [ reset view view-configuration ];
    }
    user lab {
        uid 2000;
        class super-user;
        authentication {
            encrypted-password "$1$84J5Maes$cni5Hrazbd/IEHr/50oY30"; ## SECRET-DATA
        }
    }

    Note

    There may be an error after entering the command, but it should still be added to the configuration. Use the show command to verify this.

    Step 1.5

    Next, define two new user accounts using the information from the following table:

    Username   Class       Plain-Text Password
    walter     juniper     walter123
    nancy      read-only   nancy123

    [edit system login]
    lab@srxA-1# set user walter class juniper

    [edit system login]
    lab@srxA-1# set user walter authentication plain-text-password
    New password:
    Retype new password:

    [edit system login]
    lab@srxA-1# set user nancy class read-only

    [edit system login]
    lab@srxA-1# set user nancy authentication plain-text-password
    New password:
    Retype new password:

    Step 1.6

    View the configuration under the [edit system login] hierarchy level. If you are satisfied with the results, activate your new configuration by issuing the commit command.

    [edit system login]
    lab@srxA-1# show
    class juniper {
        permissions [ reset view view-configuration ];
    }
    user lab {
        uid 2000;
        class super-user;
        authentication {
            encrypted-password "$1$mKkMA9pa$AUZPO2UJ9rWwOfp4Kb2/a1"; ## SECRET-DATA
        }
    }
    user nancy {
        class read-only;
        authentication {
            encrypted-password "$1$sg4t2qIv$E3E5PQftT//p1PiswUgfS/"; ## SECRET-DATA
        }
    }
    user walter {
        class juniper;
        authentication {
            encrypted-password "$1$BH89uJ/p$eNBGRpAVxSXzOhbxjjgi90"; ## SECRET-DATA
        }
    }

    [edit system login]
    lab@srxA-1# commit
    commit complete

    Step 1.7

    Open another terminal window and use Telnet to access your system's management IP address. If needed, refer to the management network diagram. Log in with the username walter.

    srxA-1 (ttyp0)

    login: walter
    Password:

    --- JUNOS 12.1R1.9 built 2012-03-24 12:12:49 UTC
    walter@srxA-1>

    Step 1.8

    Using the new terminal session, try to enter configuration mode.

    walter@srxA-1> configure
                   ^
    unknown command.

    Note

    The remainder of this lab part tests user login options. To prevent yourself from being locked out, keep the current console session open!

    Question: How does the CLI respond when you try to enter configuration mode?

    Answer: The CLI does not let user walter enter configuration mode. It responds by stating that the command is unknown.

    Step 1.9

    Enter a question mark (?) at the prompt to view the permitted operational mode command options for the user walter.

    walter@srxA-1> ?
    Possible completions:
      file                 Perform file operations
      help                 Provide help information
      load
      monitor              Show real-time debugging information
      op                   Invoke an operation script
      quit                 Exit the management session
      request              Make system-level requests
      restart              Restart software process
      save
      set                  Set CLI properties, date/time, craft interface message
      show                 Show system information
      start                Start shell
      test                 Perform diagnostic debugging

    Question: Why is the user walter unable to enter configuration mode?

    Answer: The custom login class defined for the user walter does not give permission for entering configuration mode.

    Step 1.10

    Verify that the user walter can view the configuration and other operational outputs such as interface information.

    walter@srxA-1> show configuration
    ## Last commit: 2012-04-18 12:14:08 PDT by lab
    version 12.1R1.9;
    system {
        host-name srxA-1;
        time-zone America/Los_Angeles;
        root-authentication {
            encrypted-password /* SECRET-DATA */; ## SECRET-DATA
            ssh-dsa /* SECRET-DATA */;
        }
        login {
            class juniper {
                permissions [ reset view view-configuration ];
            }
            user lab {
                uid 2000;
                class super-user;
                authentication {
                    encrypted-password /* SECRET-DATA */; ## SECRET-DATA
                }
            }
            user nancy {
                uid 2001;
                class read-only;
                authentication {
                    encrypted-password /* SECRET-DATA */; ## SECRET-DATA
                }
            }
            user walter {
                uid 2002;
                class juniper;
                authentication {
                    encrypted-password /* SECRET-DATA */; ## SECRET-DATA
                }
            }
        }
    ...TRIMMED...

    walter@srxA-1> show interfaces
    Physical interface: ge-0/0/0, Enabled, Physical link is Up
      Interface index: 134, SNMP ifIndex: 508
      Description: MGMT Interface - DO NOT DELETE
      Link-level type: Ethernet, MTU: 1514, Link-mode: Full-duplex, Speed: 1000mbps,
      BPDU Error: None, MAC-REWRITE Error: None, Loopback: Disabled,
      Source filtering: Disabled, Flow control: Enabled, Auto-negotiation: Enabled,
      Remote fault: Online
      Device flags   : Present Running
      Interface flags: SNMP-Traps Internal: 0x0
      Link flags     : None
      CoS queues     : 8 supported, 8 maximum usable queues
      Current address: f8:c0:01:8f:8f:80, Hardware address: f8:c0:01:8f:8f:80
      Last flapped   : 2012-04-18 10:27:06 PDT (01:57:39 ago)
      Input rate     : 976 bps (2 pps)
      Output rate    : 1280 bps (1 pps)
      Active alarms  : None
      Active defects : None
      Interface transmit statistics: Disabled

      Logical interface ge-0/0/0.0 (Index 70) (SNMP ifIndex 512)
        Flags: SNMP-Traps 0x0 Encapsulation: ENET2
        Input packets : 157
        Output packets: 81
    ...TRIMMED...

    Question: Can the user walter view the root password within the configuration? Why?

    Answer: No. The Junos OS hides certain configuration elements that it determines to be security risks and notates them with a SECRET-DATA tag. In this case, the user walter does not have the secret permission defined for his login class. The secret permission is required to view configuration elements with the SECRET-DATA tag.

    Step 1.11

    Restart the routing process using the restart routing command. This command restarts the routing protocol daemon (rpd), which can be useful when troubleshooting routing problems.

    walter@srxA-1> restart routing
    Routing protocols process started, pid 9777

    Question: Which permission allows the user walter to perform this command?

    Answer: The reset permission allows a user to restart software processes and certain hardware components. This permission will not, however, allow the user to reboot the system.

    Step 1.12

    Log out from the user walter and initiate a new Telnet session to the management interface for the user nancy. (Hint: Use the reconnect option on your terminal client.) Attempt to restart the routing protocol process using the restart routing command.

    walter@srxA-1> exit

    srxA-1 (ttyp0)

    login: nancy
    Password:

    --- JUNOS 11.1R1.10 built 2011-03-16 08:20:26 UTC
    nancy@srxA-1> restart
                  ^
    unknown command.

    Question: Can nancy successfully issue the restart command?

    Answer: As shown in the output, the user nancy cannot issue the operational mode restart command.

    Question: What is a quick way to view the top-level operational mode commands available to nancy?

    Answer: Use the question mark (?) to view available commands anywhere within a command line. Commands that are not permitted due to user permissions do not display.

    Question: Can the user nancy view the configuration?

    Answer: The user nancy can issue the command show configuration, but the contents are hidden. The following is a sample capture, taken from the srxA-1 device:

    nancy@srxA-1> show configuration
    ## Last commit: 2012-04-18 12:14:08 PDT by lab
    version /* ACCESS-DENIED */;
    system { /* ACCESS-DENIED */ };
    interfaces { /* ACCESS-DENIED */ };
    routing-options { /* ACCESS-DENIED */ };

    Step 1.13

    Attempt to clear interface statistics for the ge-0/0/0 interface using the clear interfaces statistics ge-0/0/0 command.

    nancy@srxA-1> clear
                  ^
    unknown command.

    Question: Which permission option would allow the user nancy to clear the interface statistics on the ge-0/0/0 interface?

    Answer: The clear permission option would allow this behavior.

    Step 1.14

    Return to the original session opened to the lab user.

    From the session opened to the lab user, attempt to add the clear permission to the default read-only login class. Issue the show command to view the system login hierarchy.

    [edit system login]
    lab@srxA-1# set class read-only permissions clear
    warning: 'read-only' is a predefined class name; changing to 'read-only-local'

    [edit system login]
    lab@srxA-1# show
    class juniper {
        permissions [ reset view view-configuration ];
    }
    class read-only-local {
        permissions clear;
    }
    user lab {
        uid 2000;
        class super-user;
        authentication {
            encrypted-password "$1$mKkMA9pa$AUZPO2UJ9rWwOfp4Kb2/a1"; ## SECRET-DATA
        }
    }
    user nancy {
        uid 2003;
        class read-only;
        authentication {
            encrypted-password "$1$sg4t2qIv$E3E5PQftT//p1PiswUgfS/"; ## SECRET-DATA
        }
    }
    user walter {
        uid 2004;
        class juniper;
        authentication {
            encrypted-password "$1$BH89uJ/p$eNBGRpAVxSXzOhbxjjgi90"; ## SECRET-DATA
        }
    }

    Question: What happened when you added the clear permission to the read-only login class?

    Answer: Because you cannot alter predefined login classes, the Junos OS created a new login class named read-only-local that is not associated with any user.

    Question: How can you add the clear permission for the user nancy?

    Answer: You must define a new custom login class for this functionality.

    Step 1.15

    Navigate to the top of the configuration hierarchy and configure a RADIUS server for use with user authentication. Refer to your management network diagram for the server address. The RADIUS secret should be Juniper. Configure the authentication order so that user login attempts use only local password authentication if the RADIUS server is unreachable. Use commit to activate the changes.

    [edit system login]
    lab@srxA-1# top

    [edit]
    lab@srxA-1# set system radius-server RADIUS server secret Juniper

    [edit]
    lab@srxA-1# set system authentication-order radius

    [edit]
    lab@srxA-1# commit
    commit complete

    [edit]
    lab@srxA-1#

    Question: Must you include password in the authentication order to enable this behavior?

    Answer: No. If an authentication method is unavailable because of a network or server outage, the software automatically consults the local password database.

    Step 1.16

    Return to the secondary Telnet session opened to your student device.

    From the secondary Telnet session in which the user nancy is logged in, issue the exit command to log out. Test the RADIUS server by reconnecting to the Telnet session and try to log back in as nancy.

    nancy@srxA-1> exit

    srxA-1 (ttyp0)

    login: nancy
    Password:
    Login incorrect
    login:

    Question: Were you able to log in as nancy?

    Answer: No. In this case, the server defined is actually reachable, and it is not configured with the nancy username.

    Step 1.17

    In the previous lab step, the defined RADIUS server was reachable. Because you did not define the username on the RADIUS server, the RADIUS server rejected the authentication. Therefore, the software did not consult the local password database.

    Return to the original session opened to the lab user.

    From the session opened to the lab user, change the IP address of the RADIUS server to 10.1.1.1. You can use the rename command for this change. Do not forget to issue commit to activate the change.

    [edit]
    lab@srxA-1# rename system radius-server RADIUS server to 10.1.1.1

    [edit]
    lab@srxA-1# commit
    commit complete

    Step 1.18

    Return to the secondary Telnet session opened to your student device.

    From the secondary Telnet session, try to log in to the system with the nancy username once again.

    login: nancy
    Password:
    Local password:

    --- JUNOS 12.1R1.9 built 2012-03-24 12:12:49 UTC
    nancy@srxA-1>

    Question: What was different about the login behavior in this step as compared to the last step with respect to a reachable RADIUS server?

    Answer: After entering the password, a short delay occurs while the system tries to consult the RADIUS server, and the user receives an option to enter a local password. After entering the user's password, the system logs the user in.
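
    The login outcomes observed in Steps 1.16 through 1.18 can be written as one decision function. The Python model below is an added illustration, not Junos code and not part of the original lab; the function and constant names are hypothetical, and the scenario with password listed after radius goes beyond the lab steps.

```python
ACCEPT, REJECT, UNREACHABLE = "accept", "reject", "unreachable"


def login_decision(auth_order, radius_state, local_ok):
    """Return (allowed, decided_by) for one login attempt.

    auth_order   -- configured methods, e.g. ["radius"]; [] when the
                    authentication-order statement is absent (Step 1.19)
    radius_state -- ACCEPT, REJECT or UNREACHABLE for this username
    local_ok     -- True if the local password database accepts the login
    """
    rejected_by = None
    for method in auth_order or ["password"]:
        if method == "password":
            # Local database is consulted explicitly and its answer is final.
            return local_ok, "password"
        if method != "radius":
            raise ValueError("method not covered by this model: " + method)
        if radius_state == ACCEPT:
            return True, "radius"
        if radius_state == REJECT:
            rejected_by = "radius"  # server answered: remember the refusal
        # UNREACHABLE: no answer, so move on to the next method
    if rejected_by:
        # Step 1.16: a reachable server said no and nothing else is configured.
        return False, rejected_by
    # Step 1.18: no server answered, so the local database is consulted
    # even though "password" is not in the order.
    return local_ok, "implicit local fallback"


SCENARIOS = [  # (label, order, radius_state, local_ok), constructed for the model
    ("Step 1.16", ["radius"], REJECT, True),
    ("Step 1.18", ["radius"], UNREACHABLE, True),
    ("Step 1.19", [], UNREACHABLE, True),
    ("beyond the lab", ["radius", "password"], REJECT, True),
]

if __name__ == "__main__":
    for label, order, state, local_ok in SCENARIOS:
        print(label, order, state, login_decision(order, state, local_ok))
```

    The last scenario is the one to weigh before adding password to the order: a local account then still logs in after the RADIUS server has refused that username.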

    Step 1.19

    Return to the original session opened to the lab user.

    From the session opened to the lab user, delete the authentication-order statement. When complete, commit your configuration and return to operational mode.

    [edit]
    lab@srxA-1# delete system authentication-order

    [edit]
    lab@srxA-1# commit and-quit
    commit complete
    Exiting configuration mode

    lab@srxA-1>

    STOP Wait for your instructor before you proceed to the next part.

    Part 2: Performing System Management Options

    In this lab part, you will perform configuration of some common system management features. You will configure and monitor syslog, NTP, SNMP, and configuration archival.

    Step 2.1

    Enter configuration mode and load the lab3-part2-start.config file from the /var/home/lab/ijos/ directory. Commit your configuration when complete.

    lab@srxA-1> configure
    Entering configuration mode

    [edit]
    lab@srxA-1# load override ijos/lab3-part2-start.config
    load complete

    [edit]
    lab@srxA-1# commit
    commit complete

    [edit]
    lab@srxA-1#

    Step 2.2

    Use the show system syslog command to view the current syslog configuration.

    [edit]
    lab@srxA-1# show system syslog
    file messages {
        any critical;
        authorization info;
    }
    file interactive-commands {
        interactive-commands any;
    }

    Question: What facilities and severity levels currently log to the messages log file?

    Answer: In the sample output, the messages file shows the any and authorization facilities using the critical and info severities, respectively. The actual settings might vary between Junos devices and software versions.

    Question: What is the purpose of specifying a facility of any?

    Answer: This option logs all facility levels.

    Step 2.3

    Navigate to the [edit system syslog] hierarchy and configure a new syslog file named config-changes. Specify a facility of change-log and a severity of info. Also, set the severity level for the default messages file to any.

    [edit]
    lab@srxA-1# edit system syslog

    [edit system syslog]
    lab@srxA-1# set file config-changes change-log info

    [edit system syslog]
    lab@srxA-1# set file messages any any

    [edit system syslog]
    lab@srxA-1#

    Step 2.4

    Configure your system to send logs to a remote server running the standard syslog utility. Refer to your management network diagram for the server address. (Hint: Use the host option.) Choose the correct facility that logs access attempts on the system. (Hint: The current messages log file is already using this facility.) Use a severity level of info. Commit your changes when complete.

    [edit system syslog]
    lab@srxA-1# set host server address authorization info

    [edit system syslog]
    lab@srxA-1# commit
    commit complete

    Step 2.5

    Using the run file list /var/log/ command, verify the creation of a log file named config-changes.

    [edit system syslog]
    lab@srxA-1# run file list /var/log/

    /var/log/:
    authd_profilelib
    authd_sdb.log
    autod
    chassisd
    config-changes
    cosd
    dcd
    dfwc
    dfwd
    eccd
    gres-tp
    httpd.log
    httpd.log.old
    idpd.addver
    interactive-commands
    inventory
    jsrpd
    jsrpd_chk_only
    kmd
    license
    mastership
    messages
    nsd_chk_only
    pf
    pfed_trace.log
    pgmd
    rtlogd
    sampled
    sdxd
    utmd-av

    Question: What other log files from your system's configuration does this directory store?

    Answer: Although the files in the /var/log/ directory might vary on each system, the messages and interactive-commands log files should be present on all systems.

    Step 2.6

    Configure the system to synchronize its clock with an NTP server. Refer to the management network diagram for the server's IP address.

    [edit system syslog]
    lab@srxA-1# top

    [edit]
    lab@srxA-1# set system ntp server server address

    Step 2.7

    Use the same server IP address used in the previous step and configure an NTP boot server. Commit the configuration and return to operational mode when complete.

    [edit]
    lab@srxA-1# set system ntp boot-server server address

    [edit]
    lab@srxA-1# commit and-quit
    commit complete
    Exiting configuration mode

    lab@srxA-1>

    Note

    The files stored in the /var/log/ directory might vary between each system.

    Step 2.8

    View the config-changes log and verify the logging of the latest configuration changes.

    lab@srxA-1> show log config-changes
    Apr 22 18:58:08 srxA-1 mgd[2552]: UI_CFG_AUDIT_OTHER: User 'lab' set: [system ntp]
    Apr 22 18:58:08 srxA-1 mgd[2552]: UI_CFG_AUDIT_OTHER: User 'lab' set: [system ntp server 10.210.14.130]
    Apr 22 18:58:16 srxA-1 mgd[2552]: UI_CFG_AUDIT_SET: User 'lab' set: [system ntp boot-server] -> "10.210.14.130"
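
    The change-log records above are regular enough to parse for review on the remote syslog host. The Python below is an added example, not part of the original lab or any Juniper tool; the watched-hierarchy list, the function names and the last three sample records are assumptions made for the illustration.

```python
import re

# Layout of the mgd change-log records shown in the Step 2.8 output.
AUDIT = re.compile(
    r"^(?P<time>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) mgd\[\d+\]: "
    r"(?P<tag>UI_CFG_AUDIT_\w+): User '(?P<user>[^']+)' (?P<action>\w+): "
    r"\[(?P<path>[^\]]*)\](?: -> \"(?P<value>[^\"]*)\")?"
)

# Hierarchies this lab touches that affect who can log in or what gets
# recorded. The list is an assumption for the example; tune it per site.
WATCHED = ("system login", "system authentication-order",
           "system radius-server", "system syslog", "system ntp", "snmp")

SAMPLE = [
    # First three records are copied from the Step 2.8 output.
    "Apr 22 18:58:08 srxA-1 mgd[2552]: UI_CFG_AUDIT_OTHER: User 'lab' set: [system ntp]",
    "Apr 22 18:58:08 srxA-1 mgd[2552]: UI_CFG_AUDIT_OTHER: User 'lab' set: "
    "[system ntp server 10.210.14.130]",
    "Apr 22 18:58:16 srxA-1 mgd[2552]: UI_CFG_AUDIT_SET: User 'lab' set: "
    "[system ntp boot-server] -> \"10.210.14.130\"",
    # Constructed records, assumed to follow the same layout.
    "Apr 22 19:10:02 srxA-1 mgd[2552]: UI_CFG_AUDIT_OTHER: User 'lab' delete: "
    "[system authentication-order]",
    "Apr 22 19:12:40 srxA-1 mgd[2552]: UI_CFG_AUDIT_OTHER: User 'lab' set: "
    "[interfaces ge-0/0/0 disable]",
    "Apr 22 19:12:41 srxA-1 sshd[3101]: not a change-log record",
]


def parse_audit(lines):
    """Return one dict per change-log record; skip lines that do not match."""
    records = []
    for line in lines:
        match = AUDIT.match(line.strip())
        if match:
            records.append(match.groupdict())
    return records


def watched_changes(records, watched=WATCHED):
    """Keep records whose path is a watched hierarchy or sits beneath one."""
    def hit(path):
        return any(path == w or path.startswith(w + " ") for w in watched)
    return [r for r in records if hit(r["path"])]


if __name__ == "__main__":
    for r in watched_changes(parse_audit(SAMPLE)):
        print(r["time"], r["user"], r["action"], r["path"], r["value"] or "")
```

    Matching on a whole hierarchy prefix keeps a change under interfaces from being reported while still catching the deletion of authentication-order.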

    Step 2.9

    Manually force synchronization with the NTP server by issuing the set date ntp operational mode command.

    lab@srxA-1> set date ntp
    22 Apr 19:04:24 ntpdate[3080]: step time server 10.210.14.130 offset -0.000025 sec

    Step 2.10

    Verify synchronization with the NTP server by using the show ntp associations command. The system is synchronized with the NTP server if you see the server address in the remote column with an asterisk (*) next to it. Check the current system time using the show system uptime command.

    Note

    It might take a few minutes for the system's time to synchronize with the NTP server.

    lab@srxA-1> show ntp associations
         remote           refid      st t when poll reach   delay   offset  jitter
    ==============================================================================
    *10.210.14.130   10.210.0.72      4 -   14   64    1    1.073    0.113   1.178

    lab@srxA-1> show system uptime
    Current time: 2012-04-19 09:23:35 PDT
    System booted: 2012-04-18 10:24:42 PDT (22:58:53 ago)
    Protocols started: 2012-04-18 12:27:26 PDT (20:56:09 ago)
    Last configured: 2012-04-19 09:20:11 PDT (00:03:24 ago) by lab
     9:23AM  up 22:59, 2 users, load averages: 0.15, 0.07, 0.02

    Question: What does the asterisk (*) next to the NTP server address signify?

    Answer: The asterisk (*) represents the peer chosen for synchronization as well as a synchronized state with that peer. When you define multiple NTP peers, the system selects only a single NTP peer.

    Step 2.11

    Return to configuration mode and configure the system to allow SNMP access using a community value of junos. The system should allow processing of SNMP messages only when it receives them from the NMS server's IP address. Refer to the management network diagram for the server's IP address.

    lab@srxA-1> configure
    Entering configuration mode

    [edit]
    lab@srxA-1# set snmp community junos clients server address

    [edit]
    lab@srxA-1#

    Step 2.12

    Configure an SNMP trap group to send traps to the NMS server. The SNMP trap group should send traps whenever an interface transitions to a down state. Name the trap group interfaces.

    [edit]
    lab@srxA-1# set snmp trap-group interfaces targets server address

    [edit]
    lab@srxA-1# set snmp trap-group interfaces categories link

    Question: What trap category do you enable to receive traps for an over-temperature condition?

    Answer: You enable the chassis category to send traps for an over-temperature condition.

    Note

    In subsequent steps you will disable the management interface. Ensure that the terminal session to your system uses the console connection.

    Step 2.13

    To test your SNMP configuration, temporarily disable the ge-0/0/0 interface using the set interfaces ge-0/0/0 disable command. Commit the new setting and verify that the interface is down using the run show interfaces ge-0/0/0 terse command. Next, re-enable the interface by issuing the delete interfaces ge-0/0/0 disable command. Commit the change and return to operational mode when complete.

    [edit]
    lab@srxA-1# set interfaces ge-0/0/0 disable

    [edit]
    lab@srxA-1# commit
    commit complete

    [edit]
    lab@srxA-1# run show interfaces ge-0/0/0 terse
    Interface               Admin Link Proto    Local                 Remote
    ge-0/0/0                down  down
    ge-0/0/0.0              up    down inet     10.210.14.131/27

    [edit]
    lab@srxA-1# delete interfaces ge-