My Network Lab: Juniper Networks Secondary System Configuration

Juniper Networks switch series improve the economics of networking with cloud-grade, high-density Ethernet switching across your data center, campus, and branch.

Login Class

Login class specify the permission flags for certain commands. Authorization applies to both CLI and J-Web interface. There are four pre-defined classes:

super-user - all permissions
operator - clear, network, reset, trace and view permissions
read-only - view permissions
unauthorized - no permissions

You can use the deny-commands, allow-commands, deny-configuration, allow-configuration to define regular expressions that matches either operational or configuration statements. The Junos OS applies the deny- statements first before the allow- statements if the authorization of commands matches on both statements.

jadmin@JR-1> configure

Entering configuration mode

The configuration has been changed but not committed

[edit]

jadmin@JR-1# edit system login

[edit system login]

jadmin@JR-1# set class ?

Possible completions:

<class-name> Login class name

monitor Login class name

[edit system login]

jadmin@JR-1# set class monitor ?

Possible completions:

access-end End time for remote access (hh:mm)

access-start Start time for remote access (hh:mm)

allow-commands Regular expression for commands to allow explicitly

allow-configuration Regular expression for configure to allow explicitly

+ allow-configuration-regexps Object path regular expressions to allow

+ allowed-days Day(s) of week when access is allowed.

+ apply-groups Groups from which to inherit configuration data

+ apply-groups-except Don't inherit configuration data from these groups

deny-commands Regular expression for commands to deny explicitly

deny-configuration Regular expression for configure to deny explicitly

+ deny-configuration-regexps Object path regular expressions to deny

idle-timeout Maximum idle time before logout (minutes)

logical-system Logical system associated with login

+ permissions Set of permitted operation categories

security-role Common Criteria security role

[edit system login]

jadmin@JR-1# set class monitor permissions ?

Possible completions:

[ Open a set of values

access Can view access configuration

access-control Can modify access configuration

admin Can view user accounts

admin-control Can modify user accounts

all All permission bits turned on

clear Can clear learned network info

configure Can enter configuration mode

control Can modify any config

field Can use field debug commands

firewall Can view firewall configuration

firewall-control Can modify firewall configuration

floppy Can read and write the floppy

flow-tap Can view flow-tap configuration

flow-tap-control Can modify flow-tap configuration

flow-tap-operation Can tap flows

idp-profiler-operation Can Profiler data

interface Can view interface configuration

interface-control Can modify interface configuration

maintenance Can become the super-user

network Can access the network

pgcp-session-mirroring Can view pgcp session mirroring configuration

pgcp-session-mirroring-control Can modify pgcp session mirroring configuration

reset Can reset/restart interfaces and daemons

rollback Can rollback to previous configurations

routing Can view routing configuration

routing-control Can modify routing configuration

secret Can view secret statements

secret-control Can modify secret statements

security Can view security configuration

security-control Can modify security configuration

shell Can start a local shell

snmp Can view SNMP configuration

snmp-control Can modify SNMP configuration

storage Can view fibre channel storage protocol configuration

storage-control Can modify fibre channel storage protocol configuration

system Can view system configuration

system-control Can modify system configuration

trace Can view trace file settings

trace-control Can modify trace file settings

view Can view current values and statistics

view-configuration Can view all configuration (not including secrets)

[edit system login]

jadmin@JR-1# set class monitor permissions view-configuration ?

Possible completions:

<[Enter]> Execute this command

access-end End time for remote access (hh:mm)

access-start Start time for remote access (hh:mm)

allow-commands Regular expression for commands to allow explicitly

allow-configuration Regular expression for configure to allow explicitly

+ allow-configuration-regexps Object path regular expressions to allow

+ allowed-days Day(s) of week when access is allowed.

+ apply-groups Groups from which to inherit configuration data

+ apply-groups-except Don't inherit configuration data from these groups

deny-commands Regular expression for commands to deny explicitly

deny-configuration Regular expression for configure to deny explicitly

+ deny-configuration-regexps Object path regular expressions to deny

idle-timeout Maximum idle time before logout (minutes)

logical-system Logical system associated with login

+ permissions Set of permitted operation categories

security-role Common Criteria security role

| Pipe through a command

[edit system login]

jadmin@JR-1# set class monitor permissions view-configuration allow-commands ?

Possible completions:

<allow-commands> Regular expression for commands to allow explicitly

[edit system login]

jadmin@JR-1# set class monitor permissions view-configuration allow-commands "show" ?

Possible completions:

<[Enter]> Execute this command

access-end End time for remote access (hh:mm)

access-start Start time for remote access (hh:mm)

allow-configuration Regular expression for configure to allow explicitly

+ allow-configuration-regexps Object path regular expressions to allow

+ allowed-days Day(s) of week when access is allowed.

+ apply-groups Groups from which to inherit configuration data

+ apply-groups-except Don't inherit configuration data from these groups

deny-commands Regular expression for commands to deny explicitly

deny-configuration Regular expression for configure to deny explicitly

+ deny-configuration-regexps Object path regular expressions to deny

idle-timeout Maximum idle time before logout (minutes)

logical-system Logical system associated with login

+ permissions Set of permitted operation categories

security-role Common Criteria security role

| Pipe through a command

[edit system login]

jadmin@JR-1# set class monitor permissions view-configuration allow-commands "show" deny-commands "configure"

[edit system login]

jadmin@JR-1# set class monitor allow-configuration ?

Possible completions:

<allow-configuration> Regular expression for configure to allow explicitly

[edit system login]

jadmin@JR-1# set class monitor allow-configuration "interfaces"

[edit system login]

jadmin@JR-1# set class monitor allow-configuration "interfaces" deny-configuration ?

Possible completions:

<deny-configuration> Regular expression for configure to deny explicitly

[edit system login]

jadmin@JR-1# set class monitor allow-configuration "interfaces" deny-configuration "firewall"

The monitor class has the interface, network, view, view-configuration permissions and allowed to configure interfaces statements.

[edit system login]

jadmin@JR-1# show

message "Juniper VM Lab";

class monitor {

permissions [ interface network view view-configuration ];

allow-commands show;

deny-commands configure;

allow-configuration interfaces;

deny-configuration firewall;

}

user jadmin {

uid 2002;

class super-user;

authentication {

encrypted-password "$1$GV2Yds7K$1UWyPvsNzTW/C4FjYJVaU0"; ## SECRET-DATA

}

user jadmin2 {

uid 2003;

class super-user;

authentication {

encrypted-password "$1$3ATAJNcI$fKjYSgcC4mwxXOoFl/Uvr0"; ## SECRET-DATA

}

[edit system login]

System Logging (Syslog)

Junos OS stores syslogs messages in /var/log/messages directory. Remote syslog and log file archiving is recommended.

Use the show log messages to view log messages. A syslog message has of the following fields (using the first log message as an example):

Timestamp: Oct 10 17:17:52
Name (device hostname): JR1
Process name or PID: /kernel
Message-code: em0
Message-text: Link is Down

jadmin@JR-1> show log messages

Oct 10 17:17:52 JR1 /kernel: em0: Link is Down

Oct 10 17:17:52 JR1 mib2d[1316]: SNMP_TRAP_LINK_DOWN: ifIndex 17, ifAdminStatus up(1), ifOperStatus down(2), ifName em0

Oct 10 17:17:55 JR1 /kernel: em0: Link is up 1000 Mbps Full Duplex

Oct 10 17:19:26 JR1 mgd[1487]: UI_DBASE_LOGIN_EVENT: User 'root' entering configuration mode

Oct 10 17:22:41 JR1 login: Login attempt for user jadmin from host 10.1.1.10

Oct 10 17:22:42 JR1 login[3055]: LOGIN_INFORMATION: User jadmin logged in from

host 10.1.1.10 on device ttyp1

Oct 10 17:40:36 JR1 login: Login attempt for user jadmin from host 10.1.1.10

Oct 10 17:40:38 JR1 login[3091]: LOGIN_INFORMATION: User jadmin logged in from host 10.1.1.10 on device ttyp1

Oct 10 17:42:34 JR1 mgd[1487]: UI_DBASE_LOGOUT_EVENT: User 'root' exiting configuration mode

Oct 10 17:42:47 JR1 mgd[1487]: UI_CHILD_EXITED: Child exited: PID 3099, status 1, command '/usr/libexec/ui/logout-user'

Oct 10 17:43:08 JR1 login: Login attempt for user jadmin from host 10.1.1.10

Oct 10 17:43:11 JR1 login[3135]: LOGIN_INFORMATION: User jadmin logged in from host 10.1.1.10 on device ttyp0

Oct 10 17:43:38 JR1 login: Login attempt for user jadmin from host 10.1.1.10

Oct 10 17:43:41 JR1 login[3168]: LOGIN_INFORMATION: User jadmin logged in from host 10.1.1.10 on device ttyp0

Oct 10 17:45:38 JR1 mgd[3170]: UI_DBASE_LOGIN_EVENT: User 'jadmin' entering configuration mode

Oct 10 17:47:57 JR1 mgd[3170]: UI_DBASE_LOGOUT_EVENT: User 'jadmin' exiting configuration mode

Oct 10 20:44:24 JR1 /kernel: em0: Link is Down

Oct 10 20:44:24 JR1 mib2d[1316]: SNMP_TRAP_LINK_DOWN: ifIndex 17, ifAdminStatus up(1), ifOperStatus down(2), ifName em0

Oct 10 20:44:26 JR1 /kernel: em0: Link is up 1000 Mbps Full Duplex

Oct 10 21:25:20 JR1 mgd[1487]: UI_DBASE_LOGIN_EVENT: User 'root' entering configuration mode

Oct 10 21:26:06 JR1 mgd[1487]: UI_COMMIT: User 'root' requested 'commit' operation (comment: none)

jadmin@JR-1> configure

Entering configuration mode

The configuration has been changed but not committed

[edit]

jadmin@JR-1# edit system syslog

[edit system syslog]

jadmin@JR-1# set host ?

Possible completions:

<log-host-name> Host to be notified

other-routing-engine Send to log file on other Routing Engine

[edit system syslog]

jadmin@JR-1# set host 192.168.1.200 ?

Possible completions:

allow-duplicates Do not suppress the repeated message

any All facilities

+ apply-groups Groups from which to inherit configuration data

+ apply-groups-except Don't inherit configuration data from these groups

authorization Authorization system

change-log Configuration change log

conflict-log Configuration conflict log

daemon Various system processes

dfc Dynamic flow capture

explicit-priority Include priority and facility in messages

external Local external applications

facility-override Alternate facility for logging to remote host

firewall Firewall filtering system

ftp FTP process

interactive-commands Commands executed by the UI

kernel Kernel

log-prefix Prefix for all logging to this host

match Regular expression for lines to be logged

ntp NTP process

pfe Packet Forwarding Engine

port Port number

security Security related

source-address Use specified address as source address

> structured-data Log system message in structured format

user User processes

[edit system syslog]

jadmin@JR-1# set host 192.168.1.200 any ?

Possible completions:

alert Conditions that should be corrected immediately

any All levels

critical Critical conditions

emergency Panic conditions

error Error conditions

info Informational messages

none No messages

notice Conditions that should be handled specially

warning Warning messages

[edit system syslog]

jadmin@JR-1# set host 192.168.1.200 any info

[edit system syslog]

jadmin@JR-1#

[edit system syslog]

jadmin@JR-1# show

user * { // EMERGENCY LOG MESSAGES ARE SENT TO ALL LOGGED IN USERS

any emergency;

}

host 192.168.1.200 { // SEND LOG MESSAGES TO A REMOTE SYSLOG SERVER

any info;

}

file messages { // PRIMARY SYSLOG FILE

any notice;

authorization info;

}

file interactive-commands { // LOGS ALL CLI COMMANDS

interactive-commands any;

}

[edit system syslog]

You can use the help syslog operational command to interpret the log message code.

jadmin@JR-1> help syslog ?

Possible completions:

<[Enter]> Execute this command

<syslog-tag> System log tag or regular expression

ACCT_ACCOUNTING_FERROR LOG_PFE,Error occurred during file processing

ACCT_ACCOUNTING_FOPEN_ERROR LOG_PFE,Open operation failed on file

ACCT_ACCOUNTING_SMALL_FILE_SIZE LOG_PFE,Maximum file size is smaller than record size

ACCT_BAD_RECORD_FORMAT LOG_PFE,Record format does not match accounting profile

ACCT_CU_RTSLIB_ERROR LOG_PFE,Error occurred obtaining current class usage statistics

ACCT_FORK_ERR LOG_PFE,Could not create child process

ACCT_FORK_LIMIT_EXCEEDED LOG_PFE,Could not create child process because of limit

ACCT_GETHOSTNAME_ERROR LOG_PFE,gethostname function failed

ACCT_MALLOC_FAILURE LOG_PFE,Memory allocation failed

ACCT_UNDEFINED_COUNTER_NAME ANY,Filter profile used undefined counter name

ACCT_XFER_FAILED LOG_PFE,Attempt to transfer file failed

ACCT_XFER_POPEN_FAIL LOG_PFE,File transfer failed

ALARMD_CONFIG_ACCESS_ERROR LOG_DAEMON,Alarmd could not parse configuration database

ALARMD_CONFIG_CLOSE_ERROR LOG_DAEMON,Closing of configuration database failed

ALARMD_CONFIG_PARSE_ERROR LOG_DAEMON,Parsing of configuration failed

ALARMD_CONFIG_RECONFIG_ERROR LOG_DAEMON,Reconfiguration failed

ALARMD_CONNECTION_FAILURE LOG_DAEMON,Alarmd connection to another process failed

---(more 1%)---

jadmin@JR-1> help syslog UI_DBASE_LOGIN_EVENT

jadmin@JR-1> help syslog LOGIN_INFORMATION

Name: LOGIN_INFORMATION

Message: User <username> logged in from host <hostname> on device

<tty-name>

Help: User was authenticated and logged in

Description: The indicated username was authenticated and logged into the

shell specified for it in the password file.

Type: Event: This message reports an event, not an error

Severity: info

Facility: LOG_AUTH

Tracing (debug in Cisco)

Junos OS sends tracing result in /var/log directory or to a remote syslog server. You can enable detailed tracing without impacting router performance due to the Junos OS design/architecture. You should always turn off tracing afterwards to avoid router resource consumption.

jadmin@JR-1> configure

Entering configuration mode

The configuration has been changed but not committed

[edit]

jadmin@JR-1# edit system tracing

[edit system tracing]

jadmin@JR-1# set destination-override ?

Possible completions:

> syslog Send trace messages to remote syslog server

[edit system tracing]

jadmin@JR-1# set destination-override syslog ?

Possible completions:

host IPv4 address of remote syslog server

[edit system tracing]

jadmin@JR-1# set destination-override syslog host ?

Possible completions:

<host> IPv4 address of remote syslog server

[edit system tracing]

jadmin@JR-1# set destination-override syslog host 192.168.1.100

[edit system tracing]

jadmin@JR-1# show

destination-override syslog host 192.168.1.100;

[edit system tracing]

jadmin@JR-1# top edit interfaces

[edit interfaces]

jadmin@JR-1# set traceoptions ?

Possible completions:

+ apply-groups Groups from which to inherit configuration data

+ apply-groups-except Don't inherit configuration data from these groups

> file Trace file information

> flag Tracing parameters

no-remote-trace Disable remote tracing

[edit interfaces]

jadmin@JR-1# set traceoptions file ?

Possible completions:

<filename> Name of file in which to write trace information

files Maximum number of trace files (2..1000)

match Regular expression for lines to be logged

no-world-readable Don't allow any user to read the log file

size Maximum trace file size (10240..1073741824)

world-readable Allow any user to read the log file

[edit interfaces]

jadmin@JR-1# set traceoptions file trace-1 ?

Possible completions:

<[Enter]> Execute this command

files Maximum number of trace files (2..1000)

match Regular expression for lines to be logged

no-world-readable Don't allow any user to read the log file

size Maximum trace file size (10240..1073741824)

world-readable Allow any user to read the log file

| Pipe through a command

[edit interfaces]

jadmin@JR-1# set traceoptions file trace-1 size ?

Possible completions:

<size> Maximum trace file size (10240..1073741824)

[edit interfaces]

jadmin@JR-1# set traceoptions file trace-1 size 10240 ?

Possible completions:

<[Enter]> Execute this command

files Maximum number of trace files (2..1000)

match Regular expression for lines to be logged

no-world-readable Don't allow any user to read the log file

world-readable Allow any user to read the log file

| Pipe through a command

[edit interfaces]

jadmin@JR-1# set traceoptions file trace-1 size 10240 files ?

Possible completions:

<files> Maximum number of trace files (2..1000)

[edit interfaces]

jadmin@JR-1# set traceoptions file trace-1 size 10240 files 2 ?

Possible completions:

<[Enter]> Execute this command

match Regular expression for lines to be logged

no-world-readable Don't allow any user to read the log file

world-readable Allow any user to read the log file

| Pipe through a command

[edit interfaces]

jadmin@JR-1# set traceoptions file trace-1 size 10240 files 2 world-readable

[edit interfaces]

jadmin@JR-1# show

traceoptions {

file trace-1 size 10k files 2 world-readable;

}

em0 {

unit 0 {

family inet {

address 10.1.1.1/24;

}

[edit interfaces]

jadmin@JR-1# commit

commit complete

[edit interfaces]

jadmin@JR-1# set lo0 disable

[edit interfaces]

jadmin@JR-1# delete lo0 disable

[edit interfaces]

jadmin@JR-1# run show log trace-1 // DISPLAY THE TRACE FILE CONTENT

Oct 18 06:18:23 INFO: Static config commit check : user 0.000 s, sys 0.000 s, wall 0.006 s

Oct 18 06:18:23 INFO: Phase Usage for IDLE : user 1.464 s, sys 0.882 s, wall 6839.892 s

Oct 18 06:18:23 INFO: New phase is PRE_CONFIG

Oct 18 06:18:23 INFO: Static config read usage : user 0.001 s, sys 0.000 s, wall 0.014 s

Oct 18 06:18:23 INFO: Phase Usage for PRE_CONFIG : user 0.000 s, sys 0.000 s, wall 0.000 s

Oct 18 06:18:23 INFO: New phase is CONFIG

Oct 18 06:18:23 INFO: Config db overlay usage : user 0.000 s, sys 0.000 s, wall 0.000 s

Oct 18 06:18:23 INFO: dcd_new_phase:recover_type = 1, dcd_is_protocol_master =1,sdb_state = 2,run_dynamic_db_diff = 0

Oct 18 06:18:23 INFO: dcd_new_phase - Running db_diff on static db

Oct 18 06:18:23 INFO: Config static db diff usage : user 0.000 s, sys 0.000 s, wall 0.000 s

Oct 18 06:18:23 INFO: Config sync io : user 0.000 s, sys 0.000 s, wall 0.000 s

Oct 18 06:18:23 INFO: Config depenency cleanup usage : user 0.000 s, sys 0.000 s, wall 0.000 s

Oct 18 06:18:23 INFO: Phase Usage for CONFIG : user 0.000 s, sys 0.000 s, wall 0.000 s

Oct 18 06:18:23 INFO: New phase is IDLE

Oct 18 06:18:23 INFO: Going idle, 2 sync writes, 0 sync reads, 0 ifstate msgs,0 ifstate reads, 0 async ifd msgs, 0 async rtb msgs, 0 async bd msgs, 0 async mesh group msgs, 483 usec

jadmin@JR-1> monitor ?

Possible completions:

interface Show interface traffic

label-switched-path Show label-switched-path traffic

list Show status of monitored files

start Start showing log file in real time

static-lsp Show static label-switched-path traffic

stop Stop showing log file in real time

traffic Show real-time network traffic information

jadmin@JR-1> monitor start ?

Possible completions:

<filename> Name of log file

aprobed Size: 0, Last changed: May 09 2012

apsd Size: 7972, Last changed: Oct 18 06:26:47

authd_libstats Size: 0, Last changed: May 09 2012

authd_profilelib Size: 0, Last changed: May 09 2012

authd_sdb.log Size: 0, Last changed: May 09 2012

chassisd Size: 105057, Last changed: Oct 18 06:26:08

cosd Size: 116403, Last changed: Oct 18 06:26:08

dcd Size: 59909, Last changed: Oct 18 06:26:08

dfwc Size: 0, Last changed: May 09 2012

eccd Size: 1736, Last changed: Oct 18 06:26:07

ext/ Last changed: May 09 2012

file-1 Size: 23202, Last changed: Oct 13 19:00:00

flowc/ Last changed: May 09 2012

ggsn/ Last changed: May 09 2012

gres-tp Size: 17064, Last changed: Oct 10 22:20:30

hostname-cached Size: 612, Last changed: Oct 10 20:23:12

ifstraced Size: 180, Last changed: Oct 10 20:23:12

interactive-commands Size: 548923, Last changed: Oct 18 06:26:57

interactive-commands.0.gz Size: 8409, Last changed: Oct 11 01:14:03

inventory Size: 3698, Last changed: Oct 18 06:26:07

lmpd Size: 1164, Last changed: Oct 10 20:23:27

mastership Size: 385, Last changed: Mar 27 2013

messages Size: 583035, Last changed: Oct 18 06:26:57

messages.0.gz Size: 23989, Last changed: Oct 11 01:14:03

pf Size: 768, Last changed: Oct 10 20:23:10

pfed Size: 0, Last changed: May 09 2012

pgmd Size: 576, Last changed: Oct 10 20:23:12

pppoed_era_jpppoed_era_in_progress.log Size: 610, Last changed: Oct 12 20:08:07

pppoed_era_jpppoed_era_in_progress.log.0 Size: 609, Last changed: Oct 10 20:23:10

pppoed_era_jpppoed_era_in_progress.log.1 Size: 609, Last changed: Mar 27 2013

pppoed_era_jpppoed_era_in_progress.log.2 Size: 609, Last changed: Mar 26 2013

pppoed_era_jpppoed_era_in_progress.log.3 Size: 609, Last changed: Mar 26 2013

rtspd Size: 1518, Last changed: Oct 10 20:23:27

smartd.trace Size: 75, Last changed: Oct 11 01:14:03

smartd.trace.0.gz Size: 564, Last changed: Oct 11 01:14:03

trace-1 Size: 4490, Last changed: Oct 18 06:26:47

utmp Size: 0, Last changed: May 09 2012

wtmp Size: 122324, Last changed: Oct 18 05:26:36

wtmp.0.gz Size: 170, Last changed: Oct 11 00:55:36

wtmp.1.gz Size: 143, Last changed: Oct 10 20:23:54

wtmp.2.gz Size: 341, Last changed: Mar 26 2013

wtmp.3.gz Size: 119, Last changed: May 09 2012

jadmin@JR-1> monitor start trace-1 // PERFORM REAL-TIME MONITORING

*** monitor and syslog output enabled, press ESC-Q to disable *** // PRESS ESC+q TO ENABLE/DISABLE REAL-TIME OUTPUT TO YOUR TERMINAL SCREEN

*** trace-1 ***

Oct 18 06:29:39 INFO: Static config commit check : user 0.000 s, sys 0.000 s, wall 0.000 s

Oct 18 06:29:39 INFO: Received SIGHUP, time to reparse.

Oct 18 06:29:39 INFO: Pending config request now being serviced

Oct 18 06:29:39 INFO: Phase Usage for IDLE : user 0.005 s, sys 0.000 s, wall 18.183 s

Oct 18 06:29:39 INFO: New phase is PRE_CONFIG

Oct 18 06:29:39 INFO: Static config read usage : user 0.001 s, sys 0.000 s, wall 0.002 s

Oct 18 06:29:39 INFO: Phase Usage for PRE_CONFIG : user 0.000 s, sys 0.000 s, wall 0.000 s

Oct 18 06:29:39 INFO: New phase is CONFIG

Oct 18 06:29:39 INFO: Config db overlay usage : user 0.000 s, sys 0.000 s, wall 0.000 s

Oct 18 06:29:39 INFO: dcd_new_phase:recover_type = 1, dcd_is_protocol_master =1,sdb_state = 2,run_dynamic_db_diff = 0

Oct 18 06:29:39 INFO: dcd_new_phase - Running db_diff on static db

Oct 18 06:29:39 INFO: Config static db diff usage : user 0.000 s, sys 0.000 s, wall 0.000 s

Oct 18 06:29:39 INFO: Config sync io : user 0.000 s, sys 0.000 s, wall 0.000 s

Oct 18 06:29:39 INFO: Config depenency cleanup usage : user 0.000 s, sys 0.000 s, wall 0.000 s

Oct 18 06:29:39 INFO: Phase Usage for CONFIG : user 0.000 s, sys 0.000 s, wall 0.000 s

Oct 18 06:29:39 INFO: New phase is IDLE

Oct 18 06:29:39 INFO: Going idle, 2 sync writes, 0 sync reads, 0 ifstate msgs,0 ifstate reads, 0 async ifd msgs, 0 async rtb msgs, 0 async bd msgs, 0 async mesh group msgs, 474 usec

*** monitor and syslog output disabled, press ESC-Q to enable ***

jadmin@JR-1# exit

Exiting configuration mode

jadmin@JR-1> monitor stop // CEASE ALL MONITORING

jadmin@JR-1> clear log trace-1 // CLEAR CONTENTS OF LOG AND TRACE FILE

jadmin@JR-1> file delete trace-1 // DELETE LOG AND TRACE FILE

rm: /var/home/jadmin/trace-1: No such file or directory

[edit interfaces]

jadmin@JR-1# delete traceoptions // DISABLE TRACING AT THE SPECIFIC CONFIG HIERARCHY

Network Time Protocol (NTP)

The Junos OS can't provide its own timing source since local crystal oscillator is not supported. NTP authentication is recommended to avoid compromise on the device.

jadmin@JR-1> configure

Entering configuration mode

Users currently editing the configuration:

jadmin terminal p2 (pid 13914) on since 2020-10-18 06:40:58 SGT, idle 00:04:50

[edit]

root terminal v0 (pid 7917) on since 2020-10-18 06:28:43 SGT, idle 00:04:13

[edit]

jadmin@JR-1# edit system ntp

[edit system ntp]

jadmin@JR-1# set boot-server ?

Possible completions:

<boot-server> Server to query during boot sequence

[edit system ntp]

jadmin@JR-1# set boot-server 192.168.1.100 ?

Possible completions:

<[Enter]> Execute this command

+ apply-groups Groups from which to inherit configuration data

+ apply-groups-except Don't inherit configuration data from these groups

> authentication-key Authentication key information

> broadcast Broadcast parameters

broadcast-client Listen to broadcast NTP

> multicast-client Listen to multicast NTP

> peer Peer parameters

> server Server parameters

source-address Use specified address as source address

+ trusted-key List of trusted authentication keys

| Pipe through a command

[edit system ntp]

jadmin@JR-1# set boot-server 192.168.1.100 server ?

Possible completions:

<address> Name or address of server

[edit system ntp]

jadmin@JR-1# set boot-server 192.168.1.100 server 192.168.1.100 // BOOT SERVER IS USED TO SET INITIAL NTP TIME UPON BOOTUP

[edit system ntp]

jadmin@JR-1# show

boot-server 192.168.1.100;

server 192.168.1.100;

[edit system ntp]

jadmin@JR-1# commit

commit complete

[edit system ntp]

jadmin@JR-1# run show ntp ?

Possible completions:

associations Show status of peers

status Show internal variables returned by peers

[edit system ntp]

jadmin@JR-1# run show ntp status

status=c011 sync_alarm, sync_unspec, 1 event, event_restart,

version="ntpd 4.2.0-a Sat Mar 24 07:52:24 UTC 2012 (1)",

processor="i386", system="JUNOS12.1R1.9", leap=11, stratum=16,

precision=-22, rootdelay=0.000, rootdispersion=0.075, peer=0,

refid=INIT, reftime=00000000.00000000 Thu, Feb 7 2036 14:28:16.000,

poll=4, clock=e335f505.7e694223 Sun, Oct 18 2020 6:56:05.493, state=0,

offset=0.000, frequency=0.000, jitter=0.000, stability=0.000

[edit system ntp]

jadmin@JR-1# run show ntp associations

remote refid st t when poll reach delay offset jitter

==============================================================================

192.168.1.100 .INIT. 16 - - 64 0 0.000 0.000 4000.00

[edit system ntp]

Automate Backup

It's recommended to perform a config backup in case the Juniper system storage failed. You can perform a backup either in a regular interval (transfer-interval) or every time a new change is committed (transfer-on-commit).

[edit]

jadmin@JR-1# edit system archival

[edit system archival]

jadmin@JR-1# set configuration ?

Possible completions:

+ apply-groups Groups from which to inherit configuration data

+ apply-groups-except Don't inherit configuration data from these groups

> archive-sites List of archive destinations

transfer-interval Frequency at which file transfer happens (minutes)

transfer-on-commit Transfer after each commit

[edit system archival]

jadmin@JR-1# set configuration transfer-on-commit archive-sites ?

Possible completions:

<url> URLs to receive configuration files

[edit system archival]

jadmin@JR-1# set configuration transfer-on-commit archive-sites "ftp://user@192.168.1.100:/archive" password password123

jadmin@JR-1# set configuration archive-sites "scp://user@192.168.2.100:/archive" password password456

[edit system archival]

jadmin@JR-1# show

configuration {

transfer-on-commit;

archive-sites {

"ftp://user@192.168.1.100:/archive" password "$9$iHPQF39pOR6987VYZG69Atu1RhSlvWIR"; ## SECRET-DATA

"scp://user@192.168.2.100:/archive" password "$9$ICxRyKMWxdwgLxqfz6u0LxN-VYaZUqP5Dj"; ## SECRET-DATA

[edit system archival]

jadmin@JR-1# commit

commit complete

jadmin@JR-1# run show log messages | match transfer

Oct 18 07:24:15 JR-1 logger: transfer-file failed to transfer /var/transfer/config/JR-1_juniper.conf.gz_20201017_232326

jadmin@JR-1# run file list /var/transfer/config ?

Possible completions:

<[Enter]> Execute this command

detail Display detailed output (like 'ls -l')

recursive Descend recursively through directory hierarchy

| Pipe through a command

[edit system archival]

jadmin@JR-1# run file list /var/transfer/config detail

/var/transfer/config:

total 12

-rw-r----- 1 root wheel 695 Oct 18 07:23 JR-1_juniper.conf.gz_20201017_232326

Simple Network Management Protocol (SNMP)

The Junos OS act as an SNMP agent and exchanges network management info with an SNMP manager or NMS. It can support SNMP versions 1, 2c and 3.

[edit]

jadmin@JR-1# edit snmp

[edit snmp]

jadmin@JR-1# set ?

Possible completions:

+ apply-groups Groups from which to inherit configuration data

+ apply-groups-except Don't inherit configuration data from these groups

> client-list Client list

> community Configure a community string

contact Contact information for administrator

description System description

> engine-id SNMPv3 engine ID

filter-duplicates Filter requests with duplicate source address/port and re

quest ID

> filter-interfaces List of interfaces that needs to be filtered

> health-monitor Health monitoring configuration

+ interface Restrict SNMP requests to interfaces

location Physical location of system

logical-system-trap-filter Allow only logical-system specific traps

name System name override

> nonvolatile Configure the handling of nonvolatile SNMP Set requests

> rmon Remote Monitoring configuration

> routing-instance-access SNMP routing-instance options

> traceoptions Trace options for SNMP

> trap-group Configure traps and notifications

> trap-options SNMP trap options

> v3 SNMPv3 configuration information

> view Define MIB views

[edit snmp]

jadmin@JR-1# set description "JR1 VM Lab"

[edit snmp]

jadmin@JR-1# set location "SG Home Lab"

[edit snmp]

jadmin@JR-1# set contact "John Lagura, john@lab.com"

[edit snmp]

jadmin@JR-1# set community ?

Possible completions:

<community> Community name

[edit snmp]

jadmin@JR-1# set community juniper123 ?

Possible completions:

<[Enter]> Execute this command

+ apply-groups Groups from which to inherit configuration data

+ apply-groups-except Don't inherit configuration data from these groups

authorization Authorization type

client-list-name The name of client list or prefix list

> clients List of source address prefix ranges to accept

> logical-system Use logical-system name for v1/v2c clients

> routing-instance Use routing-instance name for v1/v2c clients

view View name

| Pipe through a command

[edit snmp]

jadmin@JR-1# set community juniper123 authorization ?

Possible completions:

read-only Allow read-only access

read-write Allow read and write access

[edit snmp]

jadmin@JR-1# set community juniper123 authorization read-only clients ?

Possible completions:

<prefix> Address or prefix

[edit snmp]

jadmin@JR-1# set community juniper123 authorization read-only clients 192.168.1.0/24

jadmin@JR-1# set trap-group ?

Possible completions:

<group-name> Trap group name

[edit snmp]

jadmin@JR-1# set trap-group group-1 ?

Possible completions:

<[Enter]> Execute this command

+ apply-groups Groups from which to inherit configuration data

+ apply-groups-except Don't inherit configuration data from these groups

> categories Trap categories

destination-port SNMP trap receiver port number

logical-system Logical-system name for trap destination

routing-instance Routing instance for trap destination

> targets Targets for trap messages

version SNMP version

| Pipe through a command

[edit snmp]

jadmin@JR-1# set trap-group group-1 version ?

Possible completions:

all Send SNMPv1 and SNMPv2 traps

v1 Send SNMPv1 traps

v2 Send SNMPv2 traps

[edit snmp]

jadmin@JR-1# set trap-group group-1 version v2 ?

Possible completions:

<[Enter]> Execute this command

+ apply-groups Groups from which to inherit configuration data

+ apply-groups-except Don't inherit configuration data from these groups

> categories Trap categories

destination-port SNMP trap receiver port number

logical-system Logical-system name for trap destination

routing-instance Routing instance for trap destination

> targets Targets for trap messages

| Pipe through a command

[edit snmp]

jadmin@JR-1# set trap-group group-1 version v2 categories ?

Possible completions:

+ apply-groups Groups from which to inherit configuration data

+ apply-groups-except Don't inherit configuration data from these groups

authentication Authentication failures

chassis Chassis or environment notifications

configuration Configuration notifications

link Link up-down transitions

> otn-alarms OTN alarm trap subcategories

remote-operations Remote operations

rmon-alarm RMON rising and falling alarms

routing Routing protocol notifications

services Services notifications

> sonet-alarms SONET alarm trap subcategories

startup System warm and cold starts

vrrp-events VRRP notifications

[edit snmp]

jadmin@JR-1# set trap-group group-1 version v2 categories chassis link configuration

jadmin@JR-1# set trap-group group-1 targets ?

Possible completions:

<target> IP address

[edit snmp]

jadmin@JR-1# set trap-group group-1 targets 192.168.1.100

[edit snmp]

jadmin@JR-1# show

description "JR1 VM Lab";

location "SG Home Lab";

contact "John Lagura, john@lab.com";

community juniper123 {

authorization read-only;

clients {

192.168.1.0/24; // SNMP ACL; RESTRICT SNMP REQUEST FROM 192.168.1.0/24 SUBNET

}

trap-group group-1 {

version v2; // SEND SNMPv2 TRAPS FOR CHASSIS, LINK AND CONFIGURATION

categories {

chassis;

link;

configuration;

}

targets {

192.168.1.100; // DEFINE DESTINATON NMS HOST IP

}

You can monitor the Junos OS SNMP agent using an NMS tool (i.e. Solarwinds, PRTG, etc.) or view an SNMP walk in CLI.

jadmin@JR-1# run show snmp mib ?

Possible completions:

get Get SNMP object value

get-next Get next SNMP object value

walk Walk SNMP object values

[edit snmp]

jadmin@JR-1# run show snmp mib walk ?

Possible completions:

<name> Requested SNMP object names

ascii Convert string indices to 'ascii-keys' representation

decimal Decimal format (default)

[edit snmp]

jadmin@JR-1# run show snmp mib walk jnxOperatingDescr

[edit snmp]

jadmin@JR-1# run show snmp mib walk ?

Possible completions:

<name> Requested SNMP object names

ascii Convert string indices to 'ascii-keys' representation

decimal Decimal format (default)

[edit snmp]

jadmin@JR-1# run show snmp mib walk jnxMibs

mplsVersion.0 = 1

mplsSignalingProto.0 = 1

mplsConfiguredLsps.0 = 0

mplsActiveLsps.0 = 0

mplsTEDistProtocol.0 = 1

ifIn1SecRate.4 = 0

ifIn1SecRate.5 = 0

ifIn1SecRate.6 = 0

ifIn1SecRate.7 = 0

ifIn1SecRate.8 = 0

ifIn1SecRate.9 = 0

ifIn1SecRate.10 = 0

ifIn1SecRate.11 = 0

ifIn1SecRate.12 = 0

ifIn1SecRate.17 = 0

ifIn1SecRate.18 = 0

ifIn1SecRate.21 = 0

ifIn1SecRate.22 = 0

ifIn1SecRate.501 = 0

ifIn1SecRate.502 = 0

ifIn1SecRate.503 = 0

ifIn1SecRate.504 = 0

ifIn1SecRate.505 = 0

ifIn1SecOctets.4 = 0

---(more)---

My Network Lab

Friday, February 5, 2021

Juniper Networks Secondary System Configuration

No comments:

Post a Comment