Friday, February 5, 2021

Juniper Networks Secondary System Configuration

Juniper Networks switch series improve the economics of networking with cloud-grade, high-density Ethernet switching across your data center, campus, and branch.

Login Class

 

A login class specifies the permission flags that determine which operational commands and configuration hierarchies its members can use. Authorization applies to both the CLI and the J-Web interface. There are four predefined classes:

  • super-user - all permissions
  • operator - clear, network, reset, trace and view permissions
  • read-only - view permissions
  • unauthorized - no permissions

 

The deny-commands, allow-commands, deny-configuration and allow-configuration statements take regular expressions that match operational commands or configuration statements and override the permission flags for whatever they match: allow- statements grant what the flags would otherwise deny, deny- statements remove what the flags would otherwise grant. Junos OS applies the deny- statements before the allow- statements when a command matches both. Treat the values as regular expressions rather than command names, and anchor them where you mean a prefix (for example "^show "), so that a short pattern such as "show" cannot match more than you intend.

 

jadmin@JR-1> configure

Entering configuration mode

The configuration has been changed but not committed

 

[edit]

jadmin@JR-1# edit system login

 

[edit system login]

jadmin@JR-1# set class ?

Possible completions:

  <class-name>         Login class name

  monitor              Login class name

[edit system login]

jadmin@JR-1# set class monitor ?

Possible completions:

  access-end           End time for remote access (hh:mm)

  access-start         Start time for remote access (hh:mm)

  allow-commands       Regular expression for commands to allow explicitly

  allow-configuration  Regular expression for configure to allow explicitly

+ allow-configuration-regexps  Object path regular expressions to allow

+ allowed-days         Day(s) of week when access is allowed.

+ apply-groups         Groups from which to inherit configuration data

+ apply-groups-except  Don't inherit configuration data from these groups

  deny-commands        Regular expression for commands to deny explicitly

  deny-configuration   Regular expression for configure to deny explicitly

+ deny-configuration-regexps  Object path regular expressions to deny

  idle-timeout         Maximum idle time before logout (minutes)

  logical-system       Logical system associated with login

  login-alarms         Display system alarms when logging in

  login-script         Execute this login-script when logging in

  login-tip            Display tip when logging in

+ permissions          Set of permitted operation categories

  security-role        Common Criteria security role

[edit system login]

jadmin@JR-1# set class monitor permissions ?

Possible completions:

  [                    Open a set of values

  access               Can view access configuration

  access-control       Can modify access configuration

  admin                Can view user accounts

  admin-control        Can modify user accounts

  all                  All permission bits turned on

  clear                Can clear learned network info

  configure            Can enter configuration mode

  control              Can modify any config

  field                Can use field debug commands

  firewall             Can view firewall configuration

  firewall-control     Can modify firewall configuration

  floppy               Can read and write the floppy

  flow-tap             Can view flow-tap configuration

  flow-tap-control     Can modify flow-tap configuration

  flow-tap-operation   Can tap flows

  idp-profiler-operation  Can Profiler data

  interface            Can view interface configuration

  interface-control    Can modify interface configuration

  maintenance          Can become the super-user

  network              Can access the network

  pgcp-session-mirroring  Can view pgcp session mirroring configuration

  pgcp-session-mirroring-control  Can modify pgcp session mirroring configuration

  reset                Can reset/restart interfaces and daemons

  rollback             Can rollback to previous configurations

  routing              Can view routing configuration

  routing-control      Can modify routing configuration

  secret               Can view secret statements

  secret-control       Can modify secret statements

  security             Can view security configuration

  security-control     Can modify security configuration

  shell                Can start a local shell

  snmp                 Can view SNMP configuration

  snmp-control         Can modify SNMP configuration

  storage              Can view fibre channel storage protocol configuration

  storage-control      Can modify fibre channel storage protocol configuration

  system               Can view system configuration

  system-control       Can modify system configuration

  trace                Can view trace file settings

  trace-control        Can modify trace file settings

  view                 Can view current values and statistics

  view-configuration   Can view all configuration (not including secrets)

[edit system login]

jadmin@JR-1# set class monitor permissions view-configuration ?

Possible completions:

  <[Enter]>            Execute this command

  access-end           End time for remote access (hh:mm)

  access-start         Start time for remote access (hh:mm)

  allow-commands       Regular expression for commands to allow explicitly

  allow-configuration  Regular expression for configure to allow explicitly

+ allow-configuration-regexps  Object path regular expressions to allow

+ allowed-days         Day(s) of week when access is allowed.

+ apply-groups         Groups from which to inherit configuration data

+ apply-groups-except  Don't inherit configuration data from these groups

  deny-commands        Regular expression for commands to deny explicitly

  deny-configuration   Regular expression for configure to deny explicitly

+ deny-configuration-regexps  Object path regular expressions to deny

  idle-timeout         Maximum idle time before logout (minutes)

  logical-system       Logical system associated with login

  login-alarms         Display system alarms when logging in

  login-script         Execute this login-script when logging in

  login-tip            Display tip when logging in

+ permissions          Set of permitted operation categories

  security-role        Common Criteria security role

  |                    Pipe through a command

[edit system login]

jadmin@JR-1# set class monitor permissions view-configuration allow-commands ?

Possible completions:

  <allow-commands>     Regular expression for commands to allow explicitly

[edit system login]

jadmin@JR-1# set class monitor permissions view-configuration allow-commands "show" ?

Possible completions:

  <[Enter]>            Execute this command

  access-end           End time for remote access (hh:mm)

  access-start         Start time for remote access (hh:mm)

  allow-configuration  Regular expression for configure to allow explicitly

+ allow-configuration-regexps  Object path regular expressions to allow

+ allowed-days         Day(s) of week when access is allowed.

+ apply-groups         Groups from which to inherit configuration data

+ apply-groups-except  Don't inherit configuration data from these groups

  deny-commands        Regular expression for commands to deny explicitly

  deny-configuration   Regular expression for configure to deny explicitly

+ deny-configuration-regexps  Object path regular expressions to deny

  idle-timeout         Maximum idle time before logout (minutes)

  logical-system       Logical system associated with login

  login-alarms         Display system alarms when logging in

  login-script         Execute this login-script when logging in

  login-tip            Display tip when logging in

+ permissions          Set of permitted operation categories

  security-role        Common Criteria security role

  |                    Pipe through a command

[edit system login]

jadmin@JR-1# set class monitor permissions view-configuration allow-commands "show" deny-commands "configure"

 

 

[edit system login]

jadmin@JR-1# set class monitor allow-configuration ?

Possible completions:

  <allow-configuration>  Regular expression for configure to allow explicitly

[edit system login]

jadmin@JR-1# set class monitor allow-configuration "interfaces"

 

[edit system login]

jadmin@JR-1# set class monitor allow-configuration "interfaces" deny-configuration ?

Possible completions:

  <deny-configuration>  Regular expression for configure to deny explicitly

[edit system login]

 

jadmin@JR-1# set class monitor allow-configuration "interfaces" deny-configuration "firewall"

 

 

The resulting monitor class has the interface, network, view and view-configuration permissions (the first three were added by set commands not shown above), is allowed to edit the interfaces hierarchy and is denied the firewall hierarchy. Note that the class has no configure permission and its deny-commands expression matches configure, so its members cannot enter configuration mode at all and the allow-configuration and deny-configuration statements never come into play; give the class the configure permission (or an allow-commands expression that matches configure) if the intent is to let operators edit interfaces. Both users below belong to super-user; in practice, put administrators in a class that carries only the permissions their job needs. The $1$ prefix on the encrypted-password values marks MD5-crypt hashes; on releases that support it, set system login password format sha512 selects a stronger hash for passwords set afterwards.

 

[edit system login]

jadmin@JR-1# show

message "Juniper VM Lab";

class monitor {

    permissions [ interface network view view-configuration ];

    allow-commands show;

    deny-commands configure;

    allow-configuration interfaces;

    deny-configuration firewall;

}

user jadmin {

    uid 2002;

    class super-user;

    authentication {

        encrypted-password "$1$GV2Yds7K$1UWyPvsNzTW/C4FjYJVaU0"; ## SECRET-DATA

    }

}

user jadmin2 {

    uid 2003;

    class super-user;

    authentication {

        encrypted-password "$1$3ATAJNcI$fKjYSgcC4mwxXOoFl/Uvr0"; ## SECRET-DATA

    }

}

 

[edit system login]
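As an added example (not code from the original post), the following Python script parses the show output above and flags the problems just described: unanchored regular expressions, an allow-configuration statement in a class that cannot enter configuration mode, accounts placed in super-user, and MD5-crypt password hashes. The parser handles the curly-brace format of Junos show output in general; the embedded sample configuration is copied from the transcript, while the rule set, the list of risky permission flags and the severity labels are this example's own choices, not a Juniper list.

```python
"""Audit a Junos 'show' dump of [edit system login] for privilege mistakes.

Added example, not part of the original post. The sample is copied from the
transcript; the parser is generic, the audit rules are this example's own.
"""
import re

# Constructed sample: the 'show' output at [edit system login] above.
SAMPLE = '''
message "Juniper VM Lab";
class monitor {
    permissions [ interface network view view-configuration ];
    allow-commands show;
    deny-commands configure;
    allow-configuration interfaces;
    deny-configuration firewall;
}
user jadmin {
    uid 2002;
    class super-user;
    authentication {
        encrypted-password "$1$GV2Yds7K$1UWyPvsNzTW/C4FjYJVaU0"; ## SECRET-DATA
    }
}
user jadmin2 {
    uid 2003;
    class super-user;
    authentication {
        encrypted-password "$1$3ATAJNcI$fKjYSgcC4mwxXOoFl/Uvr0"; ## SECRET-DATA
    }
}
'''

TOKEN = re.compile(r'"[^"]*"|[\[\]{};]|[^\s\[\]{};"]+')


def parse(text):
    """Parse curly-brace Junos output into nested dicts.

    'a b c;' -> {'a b': 'c'}, 'a;' -> {'a': True},
    'a [ x y ];' -> {'a': ['x', 'y']}, 'a b { ... }' -> {'a b': {...}}.
    """
    tokens = []
    for line in text.splitlines():
        tokens += TOKEN.findall(line.split('##', 1)[0])  # drop ## SECRET-DATA
    pos = 0

    def block():
        nonlocal pos
        node, words = {}, []
        while pos < len(tokens):
            tok = tokens[pos]
            pos += 1
            if tok == '}':
                break
            if tok == '{':
                node[' '.join(words)] = block()
                words = []
            elif tok == '[':
                end = tokens.index(']', pos)
                node[' '.join(words)] = [t.strip('"') for t in tokens[pos:end]]
                pos, words = end + 1, []
            elif tok == ';':
                if len(words) > 1:
                    node[' '.join(words[:-1])] = words[-1].strip('"')
                elif words:
                    node[words[0]] = True
                words = []
            else:
                words.append(tok)
        return node

    return block()


# Permission flags that amount to full control of the device (this example's list).
RISKY = {'all', 'shell', 'maintenance', 'control', 'secret-control', 'admin-control'}


def audit(config):
    """Return (severity, message) findings for a parsed [edit system login] tree."""
    findings = []
    for key, node in config.items():
        kind, _, name = key.partition(' ')
        if kind == 'class':
            perms = set(node.get('permissions', []))
            if perms & RISKY:
                findings.append(('high', f'class {name}: grants {sorted(perms & RISKY)}'))
            for stmt in ('allow-commands', 'deny-commands',
                         'allow-configuration', 'deny-configuration'):
                rx = node.get(stmt)
                if isinstance(rx, str) and not rx.startswith('^'):
                    findings.append(('medium', f'class {name}: {stmt} "{rx}" is unanchored'))
            # allow-/deny-configuration only matter if the class can reach config mode
            allow = node.get('allow-commands', '')
            can_configure = bool(perms & {'configure', 'all'}) or (
                isinstance(allow, str) and re.search(allow, 'configure') is not None)
            if 'allow-configuration' in node and not can_configure:
                findings.append(('low', f'class {name}: allow-configuration has no '
                                        'effect, class cannot enter configuration mode'))
        elif kind == 'user':
            if node.get('class') == 'super-user':
                findings.append(('medium', f'user {name}: member of super-user'))
            pw = node.get('authentication', {}).get('encrypted-password', '')
            if pw.startswith('$1$'):
                findings.append(('low', f'user {name}: MD5-crypt ($1$) password hash'))
    return findings


if __name__ == '__main__':
    for severity, message in audit(parse(SAMPLE)):
        print(f'[{severity}] {message}')
```

Run it against a `show system login | no-more` capture from your own device; the parser ignores the `## SECRET-DATA` annotations, so the dump can be taken as it is.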

 

 

System Logging (Syslog)

 

Junos OS writes system log messages to files under /var/log; the primary file is /var/log/messages. Forward the logs to a remote syslog server and archive the local files as well: a local file can be truncated with clear log by a sufficiently privileged user (the tracing section below shows the command), so the remote copy is what survives a compromise of the device.

 

Use show log messages to view the log. A message has the following fields (using the second line of the output below, the SNMP link-down trap, as the example; kernel messages such as the first line carry no message tag):

  • Timestamp: Oct 10 17:17:52
  • Name (device hostname): JR1
  • Process name and PID: mib2d[1316]
  • Message tag (code): SNMP_TRAP_LINK_DOWN
  • Message text: ifIndex 17, ifAdminStatus up(1), ifOperStatus down(2), ifName em0

 

jadmin@JR-1> show log messages

Oct 10 17:17:52  JR1 /kernel: em0: Link is Down

Oct 10 17:17:52  JR1 mib2d[1316]: SNMP_TRAP_LINK_DOWN: ifIndex 17, ifAdminStatus up(1), ifOperStatus down(2), ifName em0

Oct 10 17:17:55  JR1 /kernel: em0: Link is up 1000 Mbps Full Duplex

Oct 10 17:19:26  JR1 mgd[1487]: UI_DBASE_LOGIN_EVENT: User 'root' entering configuration mode

Oct 10 17:22:41  JR1 login: Login attempt for user jadmin from host 10.1.1.10

Oct 10 17:22:42  JR1 login[3055]: LOGIN_INFORMATION: User jadmin logged in from host 10.1.1.10 on device ttyp1

Oct 10 17:40:36  JR1 login: Login attempt for user jadmin from host 10.1.1.10

Oct 10 17:40:38  JR1 login[3091]: LOGIN_INFORMATION: User jadmin logged in from host 10.1.1.10 on device ttyp1

Oct 10 17:42:34  JR1 mgd[1487]: UI_DBASE_LOGOUT_EVENT: User 'root' exiting configuration mode

Oct 10 17:42:47  JR1 mgd[1487]: UI_CHILD_EXITED: Child exited: PID 3099, status 1, command '/usr/libexec/ui/logout-user'

Oct 10 17:43:08  JR1 login: Login attempt for user jadmin from host 10.1.1.10

Oct 10 17:43:11  JR1 login[3135]: LOGIN_INFORMATION: User jadmin logged in from host 10.1.1.10 on device ttyp0

Oct 10 17:43:38  JR1 login: Login attempt for user jadmin from host 10.1.1.10

Oct 10 17:43:41  JR1 login[3168]: LOGIN_INFORMATION: User jadmin logged in from host 10.1.1.10 on device ttyp0

Oct 10 17:45:38  JR1 mgd[3170]: UI_DBASE_LOGIN_EVENT: User 'jadmin' entering configuration mode

Oct 10 17:47:57  JR1 mgd[3170]: UI_DBASE_LOGOUT_EVENT: User 'jadmin' exiting configuration mode

Oct 10 20:44:24  JR1 /kernel: em0: Link is Down

Oct 10 20:44:24  JR1 mib2d[1316]: SNMP_TRAP_LINK_DOWN: ifIndex 17, ifAdminStatus up(1), ifOperStatus down(2), ifName em0

Oct 10 20:44:26  JR1 /kernel: em0: Link is up 1000 Mbps Full Duplex

Oct 10 21:25:20  JR1 mgd[1487]: UI_DBASE_LOGIN_EVENT: User 'root' entering configuration mode

Oct 10 21:26:06  JR1 mgd[1487]: UI_COMMIT: User 'root' requested 'commit' operation (comment: none)

 

<OUTPUT TRUNCATED>
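The detection logic below is an added example, not part of the original post: it parses lines of the format just described into their fields and runs two checks a SOC would typically want from this log, interactive logins from hosts outside a management allow-list, and configuration-mode entries and commits performed directly as root instead of from a named account. The log lines are copied from the output above (with the wrapped LOGIN_INFORMATION line rejoined); the allow-list, the rule names and the choice of tags are assumptions of this example.

```python
"""Parse Junos syslog lines and run two detections over them.

Added example, not part of the original post. The sample lines come from
the 'show log messages' output above; the rules are this example's own.
"""
import re
from collections import Counter

# Constructed sample: lines from the transcript above.
SAMPLE_LOG = """\
Oct 10 17:17:52  JR1 /kernel: em0: Link is Down
Oct 10 17:17:52  JR1 mib2d[1316]: SNMP_TRAP_LINK_DOWN: ifIndex 17, ifAdminStatus up(1), ifOperStatus down(2), ifName em0
Oct 10 17:19:26  JR1 mgd[1487]: UI_DBASE_LOGIN_EVENT: User 'root' entering configuration mode
Oct 10 17:22:41  JR1 login: Login attempt for user jadmin from host 10.1.1.10
Oct 10 17:22:42  JR1 login[3055]: LOGIN_INFORMATION: User jadmin logged in from host 10.1.1.10 on device ttyp1
Oct 10 17:42:34  JR1 mgd[1487]: UI_DBASE_LOGOUT_EVENT: User 'root' exiting configuration mode
Oct 10 17:43:11  JR1 login[3135]: LOGIN_INFORMATION: User jadmin logged in from host 10.1.1.10 on device ttyp0
Oct 10 21:25:20  JR1 mgd[1487]: UI_DBASE_LOGIN_EVENT: User 'root' entering configuration mode
Oct 10 21:26:06  JR1 mgd[1487]: UI_COMMIT: User 'root' requested 'commit' operation (comment: none)
"""

# timestamp  hostname  process[pid]: [TAG:] text   (TAG is optional; kernel lines have none)
LINE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d)\s+'
    r'(?P<host>\S+)\s+'
    r'(?P<proc>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?:\s+'
    r'(?:(?P<tag>[A-Z][A-Z0-9_]+):\s+)?'
    r'(?P<text>.*)$')

LOGIN_RE = re.compile(
    r"User (?P<user>\S+) logged in from host (?P<src>\S+) on device (?P<tty>\S+)")


def parse_log(text):
    """Return one dict per line; lines that do not match are kept under 'raw'."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        events.append(m.groupdict() if m else {'raw': line})
    return events


def logins_from_unexpected_hosts(events, allowed_hosts):
    """LOGIN_INFORMATION events whose source host is not in the allow-list."""
    hits = []
    for ev in events:
        if ev.get('tag') != 'LOGIN_INFORMATION':
            continue
        m = LOGIN_RE.search(ev['text'])
        if m and m.group('src') not in allowed_hosts:
            hits.append((ev['ts'], m.group('user'), m.group('src')))
    return hits


def root_config_activity(events):
    """Configuration-mode entries and commits performed directly as root.

    Working as root defeats per-user accountability; each administrator
    should use a personal account in a class scoped to the job.
    """
    wanted = {'UI_DBASE_LOGIN_EVENT', 'UI_COMMIT'}
    return [(ev['ts'], ev['tag']) for ev in events
            if ev.get('tag') in wanted and "User 'root'" in ev['text']]


def tag_counts(events):
    """Histogram of message tags; useful for spotting noisy or novel tags."""
    return Counter(ev['tag'] for ev in events if ev.get('tag'))


if __name__ == '__main__':
    evs = parse_log(SAMPLE_LOG)
    print('logins outside allow-list:', logins_from_unexpected_hosts(evs, {'10.1.1.10'}))
    print('root configuration activity:', root_config_activity(evs))
    print('tags:', dict(tag_counts(evs)))
```

Feed it the output of `show log messages | no-more` or the remote syslog server's copy; the regular expression keeps unparsed lines instead of dropping them, so a format change on a new release shows up as `raw` entries rather than as silently missing events.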

 

 

jadmin@JR-1> configure

Entering configuration mode

The configuration has been changed but not committed

 

[edit]

jadmin@JR-1# edit system syslog

[edit system syslog]

jadmin@JR-1# set host ?

Possible completions:

  <log-host-name>      Host to be notified

  other-routing-engine  Send to log file on other Routing Engine

[edit system syslog]

jadmin@JR-1# set host 192.168.1.200 ?

Possible completions:

  allow-duplicates     Do not suppress the repeated message

  any                  All facilities

+ apply-groups         Groups from which to inherit configuration data

+ apply-groups-except  Don't inherit configuration data from these groups

  authorization        Authorization system

  change-log           Configuration change log

  conflict-log         Configuration conflict log

  daemon               Various system processes

  dfc                  Dynamic flow capture

  explicit-priority    Include priority and facility in messages

  external             Local external applications

  facility-override    Alternate facility for logging to remote host

  firewall             Firewall filtering system

  ftp                  FTP process

  interactive-commands  Commands executed by the UI

  kernel               Kernel

  log-prefix           Prefix for all logging to this host

  match                Regular expression for lines to be logged

  ntp                  NTP process

  pfe                  Packet Forwarding Engine

  port                 Port number

  security             Security related

  source-address       Use specified address as source address

> structured-data      Log system message in structured format

  user                 User processes

[edit system syslog]

jadmin@JR-1# set host 192.168.1.200 any ?

Possible completions:

  alert                Conditions that should be corrected immediately

  any                  All levels

  critical             Critical conditions

  emergency            Panic conditions

  error                Error conditions

  info                 Informational messages

  none                 No messages

  notice               Conditions that should be handled specially

  warning              Warning messages

[edit system syslog]

jadmin@JR-1# set host 192.168.1.200 any info

 

[edit system syslog]

jadmin@JR-1#

 

[edit system syslog]

jadmin@JR-1# show

user * {                        // EMERGENCY LOG MESSAGES ARE SENT TO ALL LOGGED IN USERS

    any emergency;

}

host 192.168.1.200 {     // SEND LOG MESSAGES TO A REMOTE SYSLOG SERVER

    any info;

}

file messages {     // PRIMARY SYSLOG FILE

    any notice;

    authorization info;

}

file interactive-commands {      // LOGS ALL CLI COMMANDS

    interactive-commands any;

}

 

[edit system syslog]

 

 

Use the help syslog operational command to look up a message tag: it returns the message template, severity and facility, which tells you where a tag is logged and how to route it.

 

jadmin@JR-1> help syslog ?

Possible completions:

  <[Enter]>            Execute this command

  <syslog-tag>         System log tag or regular expression

  ACCT_ACCOUNTING_FERROR  LOG_PFE,Error occurred during file processing

  ACCT_ACCOUNTING_FOPEN_ERROR  LOG_PFE,Open operation failed on file

  ACCT_ACCOUNTING_SMALL_FILE_SIZE  LOG_PFE,Maximum file size is smaller than record size

  ACCT_BAD_RECORD_FORMAT  LOG_PFE,Record format does not match accounting profile

  ACCT_CU_RTSLIB_ERROR  LOG_PFE,Error occurred obtaining current class usage statistics

  ACCT_FORK_ERR        LOG_PFE,Could not create child process

  ACCT_FORK_LIMIT_EXCEEDED  LOG_PFE,Could not create child process because of limit

  ACCT_GETHOSTNAME_ERROR  LOG_PFE,gethostname function failed

  ACCT_MALLOC_FAILURE  LOG_PFE,Memory allocation failed

  ACCT_UNDEFINED_COUNTER_NAME  ANY,Filter profile used undefined counter name

  ACCT_XFER_FAILED     LOG_PFE,Attempt to transfer file failed

  ACCT_XFER_POPEN_FAIL  LOG_PFE,File transfer failed

  ALARMD_CONFIG_ACCESS_ERROR  LOG_DAEMON,Alarmd could not parse configuration database

  ALARMD_CONFIG_CLOSE_ERROR  LOG_DAEMON,Closing of configuration database failed

  ALARMD_CONFIG_PARSE_ERROR  LOG_DAEMON,Parsing of configuration failed

  ALARMD_CONFIG_RECONFIG_ERROR  LOG_DAEMON,Reconfiguration failed

  ALARMD_CONNECTION_FAILURE  LOG_DAEMON,Alarmd connection to another process failed

---(more 1%)---

 

<OUTPUT TRUNCATED>

 

 

jadmin@JR-1> help syslog UI_DBASE_LOGIN_EVENT

 

jadmin@JR-1> help syslog LOGIN_INFORMATION

Name:          LOGIN_INFORMATION

Message:       User <username> logged in from host <hostname> on device

               <tty-name>

Help:          User was authenticated and logged in

Description:   The indicated username was authenticated and logged into the

               shell specified for it in the password file.

Type:          Event: This message reports an event, not an error

Severity:      info

Facility:      LOG_AUTH

 

 

Tracing (debug in Cisco)

 

Trace output goes to files in /var/log or, with destination-override, to a remote syslog server. Because tracing runs on the Routing Engine and not in the forwarding plane, detailed tracing normally does not affect forwarding performance, but it does consume Routing Engine CPU and storage, so turn it off once the investigation is finished. Trace files can contain addresses, usernames and protocol details; keep them no-world-readable unless another account genuinely needs to read them (the lab example below uses world-readable).

 

jadmin@JR-1> configure

Entering configuration mode

The configuration has been changed but not committed

 

[edit]

jadmin@JR-1# edit system tracing

 

[edit system tracing]

jadmin@JR-1# set destination-override ?

Possible completions:

> syslog               Send trace messages to remote syslog server

[edit system tracing]

jadmin@JR-1# set destination-override syslog ?

Possible completions:

  host                 IPv4 address of remote syslog server

[edit system tracing]

jadmin@JR-1# set destination-override syslog host ?

Possible completions:

  <host>               IPv4 address of remote syslog server

[edit system tracing]

jadmin@JR-1# set destination-override syslog host 192.168.1.100

 

[edit system tracing]

jadmin@JR-1# show

destination-override syslog host 192.168.1.100;

 

 

[edit system tracing]

jadmin@JR-1# top edit interfaces

 

[edit interfaces]

jadmin@JR-1# set traceoptions ?

Possible completions:

+ apply-groups         Groups from which to inherit configuration data

+ apply-groups-except  Don't inherit configuration data from these groups

> file                 Trace file information

> flag                 Tracing parameters

  no-remote-trace      Disable remote tracing

[edit interfaces]

jadmin@JR-1# set traceoptions file ?

Possible completions:

  <filename>           Name of file in which to write trace information

  files                Maximum number of trace files (2..1000)

  match                Regular expression for lines to be logged

  no-world-readable    Don't allow any user to read the log file

  size                 Maximum trace file size (10240..1073741824)

  world-readable       Allow any user to read the log file

[edit interfaces]

jadmin@JR-1# set traceoptions file trace-1 ?

Possible completions:

  <[Enter]>            Execute this command

  files                Maximum number of trace files (2..1000)

  match                Regular expression for lines to be logged

  no-world-readable    Don't allow any user to read the log file

  size                 Maximum trace file size (10240..1073741824)

  world-readable       Allow any user to read the log file

  |                    Pipe through a command

[edit interfaces]

jadmin@JR-1# set traceoptions file trace-1 size ?

Possible completions:

  <size>               Maximum trace file size (10240..1073741824)

[edit interfaces]

jadmin@JR-1# set traceoptions file trace-1 size 10240 ?

Possible completions:

  <[Enter]>            Execute this command

  files                Maximum number of trace files (2..1000)

  match                Regular expression for lines to be logged

  no-world-readable    Don't allow any user to read the log file

  world-readable       Allow any user to read the log file

  |                    Pipe through a command

[edit interfaces]

jadmin@JR-1# set traceoptions file trace-1 size 10240 files ?

Possible completions:

  <files>              Maximum number of trace files (2..1000)

[edit interfaces]

jadmin@JR-1# set traceoptions file trace-1 size 10240 files 2 ?

Possible completions:

  <[Enter]>            Execute this command

  match                Regular expression for lines to be logged

  no-world-readable    Don't allow any user to read the log file

  world-readable       Allow any user to read the log file

  |                    Pipe through a command

[edit interfaces]

jadmin@JR-1# set traceoptions file trace-1 size 10240 files 2 world-readable  

 

[edit interfaces]

jadmin@JR-1# show

traceoptions {

    file trace-1 size 10k files 2 world-readable;

}

em0 {

    unit 0 {

        family inet {

            address 10.1.1.1/24;

        }

    }

}

 

[edit interfaces]

jadmin@JR-1# commit

commit complete

 

 

[edit interfaces]

jadmin@JR-1# set lo0 disable

 

[edit interfaces]

jadmin@JR-1# delete lo0 disable

 

[edit interfaces]

jadmin@JR-1# run show log trace-1    // DISPLAY THE TRACE FILE CONTENT

Oct 18 06:18:23  INFO:          Static config commit check        : user 0.000 s, sys 0.000 s, wall 0.006 s

Oct 18 06:18:23  INFO:  Phase Usage for IDLE               : user 1.464 s, sys 0.882 s, wall 6839.892 s

Oct 18 06:18:23  INFO: New phase is PRE_CONFIG

Oct 18 06:18:23  INFO:          Static config read usage          : user 0.001 s, sys 0.000 s, wall 0.014 s

Oct 18 06:18:23  INFO:  Phase Usage for PRE_CONFIG         : user 0.000 s, sys 0.000 s, wall 0.000 s

Oct 18 06:18:23  INFO: New phase is CONFIG

Oct 18 06:18:23  INFO:          Config db overlay usage           : user 0.000 s, sys 0.000 s, wall 0.000 s

Oct 18 06:18:23  INFO: dcd_new_phase:recover_type = 1, dcd_is_protocol_master =1,sdb_state = 2,run_dynamic_db_diff = 0

Oct 18 06:18:23  INFO: dcd_new_phase - Running db_diff on static db

Oct 18 06:18:23  INFO:          Config static db diff usage       : user 0.000 s, sys 0.000 s, wall 0.000 s

Oct 18 06:18:23  INFO:          Config sync io                    : user 0.000 s, sys 0.000 s, wall 0.000 s

Oct 18 06:18:23  INFO:          Config depenency cleanup usage    : user 0.000 s, sys 0.000 s, wall 0.000 s

Oct 18 06:18:23  INFO:  Phase Usage for CONFIG             : user 0.000 s, sys 0.000 s, wall 0.000 s

Oct 18 06:18:23  INFO: New phase is IDLE

Oct 18 06:18:23  INFO: Going idle, 2 sync writes, 0 sync reads, 0 ifstate msgs,0 ifstate reads, 0 async ifd msgs, 0 async rtb msgs,  0 async bd msgs, 0 async mesh group msgs, 483 usec

 

 

jadmin@JR-1> monitor ?

Possible completions:

  interface            Show interface traffic

  label-switched-path  Show label-switched-path traffic

  list                 Show status of monitored files

  start                Start showing log file in real time

  static-lsp           Show static label-switched-path traffic

  stop                 Stop showing log file in real time

  traffic              Show real-time network traffic information

jadmin@JR-1> monitor start ?

Possible completions:

  <filename>           Name of log file

  aprobed              Size: 0, Last changed: May 09 2012

  apsd                 Size: 7972, Last changed: Oct 18 06:26:47

  authd_libstats       Size: 0, Last changed: May 09 2012

  authd_profilelib     Size: 0, Last changed: May 09 2012

  authd_sdb.log        Size: 0, Last changed: May 09 2012

  chassisd             Size: 105057, Last changed: Oct 18 06:26:08

  cosd                 Size: 116403, Last changed: Oct 18 06:26:08

  dcd                  Size: 59909, Last changed: Oct 18 06:26:08

  dfwc                 Size: 0, Last changed: May 09 2012

  eccd                 Size: 1736, Last changed: Oct 18 06:26:07

  ext/                 Last changed: May 09 2012

  file-1               Size: 23202, Last changed: Oct 13 19:00:00

  flowc/               Last changed: May 09 2012

  ggsn/                Last changed: May 09 2012

  gres-tp              Size: 17064, Last changed: Oct 10 22:20:30

  hostname-cached      Size: 612, Last changed: Oct 10 20:23:12

  ifstraced            Size: 180, Last changed: Oct 10 20:23:12

  interactive-commands  Size: 548923, Last changed: Oct 18 06:26:57

  interactive-commands.0.gz  Size: 8409, Last changed: Oct 11 01:14:03

  inventory            Size: 3698, Last changed: Oct 18 06:26:07

  lmpd                 Size: 1164, Last changed: Oct 10 20:23:27

  mastership           Size: 385, Last changed: Mar 27 2013

  messages             Size: 583035, Last changed: Oct 18 06:26:57

  messages.0.gz        Size: 23989, Last changed: Oct 11 01:14:03

  pf                   Size: 768, Last changed: Oct 10 20:23:10

  pfed                 Size: 0, Last changed: May 09 2012

  pgmd                 Size: 576, Last changed: Oct 10 20:23:12

  pppoed_era_jpppoed_era_in_progress.log  Size: 610, Last changed: Oct 12 20:08:07

  pppoed_era_jpppoed_era_in_progress.log.0  Size: 609, Last changed: Oct 10 20:23:10

  pppoed_era_jpppoed_era_in_progress.log.1  Size: 609, Last changed: Mar 27 2013

  pppoed_era_jpppoed_era_in_progress.log.2  Size: 609, Last changed: Mar 26 2013

  pppoed_era_jpppoed_era_in_progress.log.3  Size: 609, Last changed: Mar 26 2013

  rtspd                Size: 1518, Last changed: Oct 10 20:23:27

  smartd.trace         Size: 75, Last changed: Oct 11 01:14:03

  smartd.trace.0.gz    Size: 564, Last changed: Oct 11 01:14:03

  trace-1              Size: 4490, Last changed: Oct 18 06:26:47

  utmp                 Size: 0, Last changed: May 09 2012

  wtmp                 Size: 122324, Last changed: Oct 18 05:26:36

  wtmp.0.gz            Size: 170, Last changed: Oct 11 00:55:36

  wtmp.1.gz            Size: 143, Last changed: Oct 10 20:23:54

  wtmp.2.gz            Size: 341, Last changed: Mar 26 2013

  wtmp.3.gz            Size: 119, Last changed: May 09 2012

jadmin@JR-1> monitor start trace-1   // PERFORM REAL-TIME MONITORING

 

*** monitor and syslog output enabled, press ESC-Q to disable ***   // PRESS ESC+q TO ENABLE/DISABLE REAL-TIME OUTPUT TO YOUR TERMINAL SCREEN

 

*** trace-1 ***

Oct 18 06:29:39  INFO:          Static config commit check        : user 0.000 s, sys 0.000 s, wall 0.000 s

Oct 18 06:29:39  INFO: Received SIGHUP, time to reparse.

Oct 18 06:29:39  INFO: Pending config request now being serviced

Oct 18 06:29:39  INFO:  Phase Usage for IDLE               : user 0.005 s, sys 0.000 s, wall 18.183 s

Oct 18 06:29:39  INFO: New phase is PRE_CONFIG

Oct 18 06:29:39  INFO:          Static config read usage          : user 0.001 s, sys 0.000 s, wall 0.002 s

Oct 18 06:29:39  INFO:  Phase Usage for PRE_CONFIG         : user 0.000 s, sys 0.000 s, wall 0.000 s

Oct 18 06:29:39  INFO: New phase is CONFIG

Oct 18 06:29:39  INFO:          Config db overlay usage           : user 0.000 s, sys 0.000 s, wall 0.000 s

Oct 18 06:29:39  INFO: dcd_new_phase:recover_type = 1, dcd_is_protocol_master =1,sdb_state = 2,run_dynamic_db_diff = 0

Oct 18 06:29:39  INFO: dcd_new_phase - Running db_diff on static db

Oct 18 06:29:39  INFO:          Config static db diff usage       : user 0.000 s, sys 0.000 s, wall 0.000 s

Oct 18 06:29:39  INFO:          Config sync io                    : user 0.000 s, sys 0.000 s, wall 0.000 s

Oct 18 06:29:39  INFO:          Config depenency cleanup usage    : user 0.000 s, sys 0.000 s, wall 0.000 s

Oct 18 06:29:39  INFO:  Phase Usage for CONFIG             : user 0.000 s, sys 0.000 s, wall 0.000 s

Oct 18 06:29:39  INFO: New phase is IDLE

Oct 18 06:29:39  INFO: Going idle, 2 sync writes, 0 sync reads, 0 ifstate msgs,0 ifstate reads, 0 async ifd msgs, 0 async rtb msgs,  0 async bd msgs, 0 async mesh group msgs, 474 usec

 

*** monitor and syslog output disabled, press ESC-Q to enable ***

 

jadmin@JR-1# exit

Exiting configuration mode

 

jadmin@JR-1> monitor stop   // CEASE ALL MONITORING

 

jadmin@JR-1> clear log trace-1   // CLEAR CONTENTS OF LOG AND TRACE FILE

 

jadmin@JR-1> file delete trace-1   // DELETE LOG AND TRACE FILE

rm: /var/home/jadmin/trace-1: No such file or directory

The delete fails because file delete resolves a relative name against the user's home directory, not /var/log; use the full path (file delete /var/log/trace-1). clear log, by contrast, looks for the name under /var/log, which is why the previous command succeeded.

 

[edit interfaces]

jadmin@JR-1# delete traceoptions   // DISABLE TRACING AT THIS CONFIG HIERARCHY; COMMIT FOR IT TO TAKE EFFECT

 

 

Network Time Protocol (NTP)

 

Junos OS does not use the local clock as an authoritative time source, so the device must obtain time from an external NTP server. Authenticate NTP (the authentication-key and trusted-key statements shown in the completions below, together with the key option of the server statement) so that a spoofed or rogue server cannot shift the clock: wrong time corrupts log timestamps and breaks certificate and key lifetime checks. Avoid broadcast-client and multicast-client unless the segment is trusted, because without authentication they accept time from any sender.

 

jadmin@JR-1> configure

Entering configuration mode

Users currently editing the configuration:

  jadmin terminal p2 (pid 13914) on since 2020-10-18 06:40:58 SGT, idle 00:04:50

      [edit]

  root terminal v0 (pid 7917) on since 2020-10-18 06:28:43 SGT, idle 00:04:13

      [edit]

 

[edit]

jadmin@JR-1# edit system ntp

 

[edit system ntp]

jadmin@JR-1# set boot-server ?

Possible completions:

  <boot-server>        Server to query during boot sequence

[edit system ntp]

jadmin@JR-1# set boot-server 192.168.1.100 ?

Possible completions:

  <[Enter]>            Execute this command

+ apply-groups         Groups from which to inherit configuration data

+ apply-groups-except  Don't inherit configuration data from these groups

> authentication-key   Authentication key information

> broadcast            Broadcast parameters

  broadcast-client     Listen to broadcast NTP

> multicast-client     Listen to multicast NTP

> peer                 Peer parameters

> server               Server parameters

  source-address       Use specified address as source address

+ trusted-key          List of trusted authentication keys

  |                    Pipe through a command

[edit system ntp]

jadmin@JR-1# set boot-server 192.168.1.100 server ?

Possible completions:

  <address>            Name or address of server

[edit system ntp]

jadmin@JR-1# set boot-server 192.168.1.100 server 192.168.1.100    // BOOT SERVER IS USED TO SET INITIAL NTP TIME UPON BOOTUP

 

[edit system ntp]

jadmin@JR-1# show

boot-server 192.168.1.100;

server 192.168.1.100;

 

[edit system ntp]

jadmin@JR-1# commit

commit complete

 

[edit system ntp]

jadmin@JR-1# run show ntp ?

Possible completions:

  associations         Show status of peers

  status               Show internal variables returned by peers

[edit system ntp]

jadmin@JR-1# run show ntp status

status=c011 sync_alarm, sync_unspec, 1 event, event_restart,

version="ntpd 4.2.0-a Sat Mar 24 07:52:24 UTC 2012 (1)",

processor="i386", system="JUNOS12.1R1.9", leap=11, stratum=16,

precision=-22, rootdelay=0.000, rootdispersion=0.075, peer=0,

refid=INIT, reftime=00000000.00000000  Thu, Feb  7 2036 14:28:16.000,

poll=4, clock=e335f505.7e694223  Sun, Oct 18 2020  6:56:05.493, state=0,

offset=0.000, frequency=0.000, jitter=0.000, stability=0.000

 

[edit system ntp]

jadmin@JR-1# run show ntp associations

     remote           refid      st t when poll reach   delay   offset  jitter

==============================================================================

 192.168.1.100   .INIT.          16 -    -   64    0    0.000    0.000 4000.00

 

[edit system ntp]

The output above shows stratum=16, refid=INIT (leap=11 in the status line) and a reach of 0 for 192.168.1.100: the association exists, but the server has not answered yet, so the clock is not synchronized. Check again after a few poll intervals (poll is 64 seconds here). If reach stays at 0, confirm that the server is reachable from the address the device sources NTP from (source-address) and that no firewall filter on the loopback interface drops UDP port 123.

 

 

Automate Backup

 

Back up the configuration off-box so that it survives a storage failure or a compromised device. Junos can push the configuration either at a regular interval (transfer-interval) or after every commit (transfer-on-commit). Prefer scp over ftp: FTP sends the login password and the whole configuration, secrets included, in cleartext. In the transcript below the first transfer fails (see the transfer-file failed message in the log) and the pending file remains in /var/transfer/config; the timestamp in its name appears to be UTC, eight hours behind the SGT timestamps in the log.

 

[edit]

jadmin@JR-1# edit system archival

 

[edit system archival]

jadmin@JR-1# set configuration ?

Possible completions:

+ apply-groups         Groups from which to inherit configuration data

+ apply-groups-except  Don't inherit configuration data from these groups

> archive-sites        List of archive destinations

  transfer-interval    Frequency at which file transfer happens (minutes)

  transfer-on-commit   Transfer after each commit

[edit system archival]

jadmin@JR-1# set configuration transfer-on-commit archive-sites ?

Possible completions:

  <url>                URLs to receive configuration files

[edit system archival]

jadmin@JR-1# set configuration transfer-on-commit archive-sites "ftp://user@192.168.1.100:/archive" password password123

jadmin@JR-1# set configuration archive-sites "scp://user@192.168.2.100:/archive" password password456

[edit system archival]

jadmin@JR-1# show

configuration {

    transfer-on-commit;

    archive-sites {

        "ftp://user@192.168.1.100:/archive" password "$9$iHPQF39pOR6987VYZG69Atu1RhSlvWIR"; ## SECRET-DATA

        "scp://user@192.168.2.100:/archive" password "$9$ICxRyKMWxdwgLxqfz6u0LxN-VYaZUqP5Dj"; ## SECRET-DATA

    }

}

 

[edit system archival]

jadmin@JR-1# commit

commit complete

 

jadmin@JR-1# run show log messages | match transfer

Oct 18 07:24:15  JR-1 logger: transfer-file failed to transfer /var/transfer/config/JR-1_juniper.conf.gz_20201017_232326

 

jadmin@JR-1# run file list /var/transfer/config ?

Possible completions:

  <[Enter]>            Execute this command

  detail               Display detailed output (like 'ls -l')

  recursive            Descend recursively through directory hierarchy

  |                    Pipe through a command

[edit system archival]

jadmin@JR-1# run file list /var/transfer/config detail

 

/var/transfer/config:

total 12

-rw-r-----  1 root  wheel        695 Oct 18 07:23 JR-1_juniper.conf.gz_20201017_232326
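The "transfer-file failed to transfer" line in the messages log and the archive left behind under /var/transfer/config are the two signals worth watching: a failed transfer means the backup never reached the archive host, and the device's own copy is lost with the device. The following added example (not Junos code or the post's own) pulls both signals out of the command output shown above; the log and listing text are constructed samples modelled on that output, with one extra line each so the checks have something to compare:

```python
"""Added example (not Junos or the post's own code): spot failed archival
transfers in 'show log messages' output and check that the newest archived
config under /var/transfer/config is recent. Sample text is constructed."""
import re
from datetime import datetime, timedelta

# Constructed 'show log messages | match transfer' lines modelled on the post.
SAMPLE_LOG = """\
Oct 18 07:24:15  JR-1 logger: transfer-file failed to transfer /var/transfer/config/JR-1_juniper.conf.gz_20201017_232326
Oct 18 07:31:40  JR-1 logger: transfer-file failed to transfer /var/transfer/config/JR-1_juniper.conf.gz_20201017_233102
"""
# Constructed 'file list /var/transfer/config detail' output modelled on the post.
SAMPLE_LISTING = """\
/var/transfer/config:
total 12
-rw-r-----  1 root  wheel        695 Oct 18 07:23 JR-1_juniper.conf.gz_20201017_232326
-rw-r-----  1 root  wheel        702 Oct 18 07:31 JR-1_juniper.conf.gz_20201017_233102
"""

FAIL_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d)\s+(?P<host>\S+) logger: "
                     r"transfer-file failed to transfer (?P<path>\S+)$")
STAMP_RE = re.compile(r"_(\d{8})_(\d{6})$")   # suffix Junos appends to archived config names


def transfer_failures(log_text):
    """Return (timestamp, host, path) for every failed archival transfer line."""
    return [(m["ts"], m["host"], m["path"])
            for m in map(FAIL_RE.match, log_text.splitlines()) if m]


def archived_names(listing_text):
    """Names of archived configs found in 'file list ... detail' output."""
    return [ln.split()[-1] for ln in listing_text.splitlines() if STAMP_RE.search(ln.rstrip())]


def backup_time(name):
    """datetime taken from the _YYYYMMDD_HHMMSS suffix of an archived config name."""
    m = STAMP_RE.search(name)
    return datetime.strptime(m.group(1) + m.group(2), "%Y%m%d%H%M%S") if m else None


def newest_backup(listing_text):
    """ISO timestamp of the most recent archived config, or None if there is none."""
    times = [t for t in map(backup_time, archived_names(listing_text)) if t]
    return max(times).isoformat() if times else None


def backups_stale(listing_text, now_iso, max_age_hours):
    """True when no archived config is younger than max_age_hours at time now_iso."""
    newest = newest_backup(listing_text)
    if newest is None:
        return True
    age = datetime.fromisoformat(now_iso) - datetime.fromisoformat(newest)
    return age > timedelta(hours=max_age_hours)


def files_still_unshipped(log_text, listing_text):
    """Archived configs that failed to transfer and are still only on the device."""
    failed = {p.rsplit("/", 1)[-1] for _, _, p in transfer_failures(log_text)}
    return sorted(failed & set(archived_names(listing_text)))
```

A file that appears in files_still_unshipped() is one the archive host never received; once the archive-site problem (here, the ftp credentials or reachability of 192.168.1.100) is fixed, a fresh commit produces a new archive and the check should come back empty.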

 

 

Simple Network Management Protocol (SNMP)
 

The Junos OS acts as an SNMP agent and exchanges network management information with an SNMP manager or NMS. It supports SNMP versions 1, 2c and 3. Community strings in versions 1 and 2c travel in cleartext, so restrict each community to known client addresses and keep it read-only unless writes are actually needed.

 

[edit]

jadmin@JR-1# edit snmp

 

[edit snmp]

jadmin@JR-1# set ?

Possible completions:

+ apply-groups         Groups from which to inherit configuration data

+ apply-groups-except  Don't inherit configuration data from these groups

> client-list          Client list

> community            Configure a community string

  contact              Contact information for administrator

  description          System description

> engine-id            SNMPv3 engine ID

  filter-duplicates    Filter requests with duplicate source address/port and request ID

> filter-interfaces    List of interfaces that needs to be filtered

> health-monitor       Health monitoring configuration

+ interface            Restrict SNMP requests to interfaces

  location             Physical location of system

  logical-system-trap-filter  Allow only logical-system specific traps

  name                 System name override

> nonvolatile          Configure the handling of nonvolatile SNMP Set requests

> rmon                 Remote Monitoring configuration

> routing-instance-access  SNMP routing-instance options

> traceoptions         Trace options for SNMP

> trap-group           Configure traps and notifications

> trap-options         SNMP trap options

> v3                   SNMPv3 configuration information

> view                 Define MIB views

[edit snmp]

jadmin@JR-1# set description "JR1 VM Lab"

 

[edit snmp]

jadmin@JR-1# set location "SG Home Lab"

 

[edit snmp]

jadmin@JR-1# set contact "John Lagura, john@lab.com"

 

[edit snmp]

jadmin@JR-1# set community ?

Possible completions:

  <community>          Community name

[edit snmp]

jadmin@JR-1# set community juniper123 ?

Possible completions:

  <[Enter]>            Execute this command

+ apply-groups         Groups from which to inherit configuration data

+ apply-groups-except  Don't inherit configuration data from these groups

  authorization        Authorization type

  client-list-name     The name of client list or prefix list

> clients              List of source address prefix ranges to accept

> logical-system       Use logical-system name for v1/v2c clients

> routing-instance     Use routing-instance name for v1/v2c clients

  view                 View name

  |                    Pipe through a command

[edit snmp]

jadmin@JR-1# set community juniper123 authorization ?

Possible completions:

  read-only            Allow read-only access

  read-write           Allow read and write access

[edit snmp]

jadmin@JR-1# set community juniper123 authorization read-only clients ?

Possible completions:

  <prefix>             Address or prefix

[edit snmp]

jadmin@JR-1# set community juniper123 authorization read-only clients 192.168.1.0/24

jadmin@JR-1# set trap-group ?

Possible completions:

  <group-name>         Trap group name

[edit snmp]

jadmin@JR-1# set trap-group group-1 ?

Possible completions:

  <[Enter]>            Execute this command

+ apply-groups         Groups from which to inherit configuration data

+ apply-groups-except  Don't inherit configuration data from these groups

> categories           Trap categories

  destination-port     SNMP trap receiver port number

  logical-system       Logical-system name for trap destination

  routing-instance     Routing instance for trap destination

> targets              Targets for trap messages

  version              SNMP version

  |                    Pipe through a command

[edit snmp]

jadmin@JR-1# set trap-group group-1 version ?

Possible completions:

  all                  Send SNMPv1 and SNMPv2 traps

  v1                   Send SNMPv1 traps

  v2                   Send SNMPv2 traps

[edit snmp]

jadmin@JR-1# set trap-group group-1 version v2 ?

Possible completions:

  <[Enter]>            Execute this command

+ apply-groups         Groups from which to inherit configuration data

+ apply-groups-except  Don't inherit configuration data from these groups

> categories           Trap categories

  destination-port     SNMP trap receiver port number

  logical-system       Logical-system name for trap destination

  routing-instance     Routing instance for trap destination

> targets              Targets for trap messages

  |                    Pipe through a command

[edit snmp]

jadmin@JR-1# set trap-group group-1 version v2 categories ?

Possible completions:

+ apply-groups         Groups from which to inherit configuration data

+ apply-groups-except  Don't inherit configuration data from these groups

  authentication       Authentication failures

  chassis              Chassis or environment notifications

  configuration        Configuration notifications

  link                 Link up-down transitions

> otn-alarms           OTN alarm trap subcategories

  remote-operations    Remote operations

  rmon-alarm           RMON rising and falling alarms

  routing              Routing protocol notifications

  services             Services notifications

> sonet-alarms         SONET alarm trap subcategories

  startup              System warm and cold starts

  vrrp-events          VRRP notifications

[edit snmp]

jadmin@JR-1# set trap-group group-1 version v2 categories chassis link configuration

jadmin@JR-1# set trap-group group-1 targets ?

Possible completions:

  <target>             IP address

[edit snmp]

jadmin@JR-1# set trap-group group-1 targets 192.168.1.100

 

[edit snmp]

jadmin@JR-1# show

description "JR1 VM Lab";

location "SG Home Lab";

contact "John Lagura, john@lab.com";

community juniper123 {

    authorization read-only;  

    clients {

        192.168.1.0/24;     // SNMP ACL; ACCEPT SNMP REQUESTS ONLY FROM THE 192.168.1.0/24 SUBNET

    }

}

trap-group group-1 {

    version v2;     // SEND SNMPv2 TRAPS FOR CHASSIS, LINK AND CONFIGURATION

    categories {

        chassis;

        link;

        configuration;

    }

    targets {

        192.168.1.100;    // DEFINE DESTINATION NMS HOST IP

    }

}
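The archival and snmp stanzas shown above are the kind of thing that drifts over time: someone adds a read-write community for a tool, drops the clients list to make a poller work, or leaves the ftp archive site in place. The following added example, written for this post and not part of Junos or the post's own configuration, parses the curly-brace text that show prints and flags those weak settings. The hardened sample is built from the post's own values (including its ftp archive site, which the audit reports); the weak sample is a constructed counterpart with the usual mistakes, and the placeholder $9$ password in it is not a real value:

```python
"""Added example (not Junos or the post's own code): parse the curly-brace text
that 'show' prints for the 'system archival' and 'snmp' stanzas and flag weak
settings. Both sample configs are constructed, the first from the post's values."""
import re

# Constructed from the post: scp and ftp archive sites, read-only community
# restricted to one subnet, v2 trap group with a target.
HARDENED_CONFIG = """
system {
    archival {
        configuration {
            transfer-on-commit;
            archive-sites {
                "ftp://user@192.168.1.100:/archive" password "$9$iHPQF39pOR6987VYZG69Atu1RhSlvWIR"; ## SECRET-DATA
                "scp://user@192.168.2.100:/archive" password "$9$ICxRyKMWxdwgLxqfz6u0LxN-VYaZUqP5Dj"; ## SECRET-DATA
            }
        }
    }
}
snmp {
    community juniper123 {
        authorization read-only;
        clients {
            192.168.1.0/24;     // accept SNMP requests only from this subnet
        }
    }
    trap-group group-1 {
        version v2;
        targets {
            192.168.1.100;
        }
    }
}
"""
# Constructed weak counterpart: no backup at all, default community name,
# read-write, no client restriction, and a trap group with no targets.
WEAK_CONFIG = """
snmp {
    community public {
        authorization read-write;
    }
    trap-group group-1 {
        version v2;
    }
}
"""

_COMMENT = re.compile(r"\s+(//|#).*$")   # strips '// ...' and '## SECRET-DATA' tails


def parse_junos(text):
    """Parse Junos config text into nested dicts: a 'header {' line opens a child
    dict keyed by the header; a 'statement;' line becomes a key mapping to True."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = _COMMENT.sub("", raw).strip()
        if not line:
            continue
        if line.endswith("{"):
            stack.append(stack[-1].setdefault(line[:-1].strip(), {}))
        elif line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
        else:
            stack[-1][line.rstrip(";").strip()] = True
    if len(stack) != 1:
        raise ValueError("unclosed '{'")
    return root


def audit_archival(cfg):
    conf = cfg.get("system", {}).get("archival", {}).get("configuration")
    if not isinstance(conf, dict):
        return ["archival: no configuration backup is set up"]
    findings = []
    if "transfer-on-commit" not in conf and not any(k.startswith("transfer-interval") for k in conf):
        findings.append("archival: neither transfer-on-commit nor transfer-interval is set")
    for stmt in conf.get("archive-sites", {}):
        m = re.match(r'"?([a-z]+)://([^"\s]+)', stmt)     # scheme and host part of the site URL
        if m and m.group(1) == "ftp":
            findings.append(f"archival: {m.group(1)}://{m.group(2)} sends the login and the config file in cleartext; prefer scp")
    return findings


def audit_snmp(cfg):
    findings = []
    for key, body in cfg.get("snmp", {}).items():
        if not isinstance(body, dict):
            continue
        if key.startswith("community "):
            name = key.split(None, 1)[1]
            if name.lower() in ("public", "private"):
                findings.append(f"snmp: community '{name}' is a well-known default name")
            if "authorization read-write" in body:
                findings.append(f"snmp: community '{name}' allows read-write access")
            if not body.get("clients") and not any(k.startswith("client-list-name") for k in body):
                findings.append(f"snmp: community '{name}' accepts requests from any source address")
        elif key.startswith("trap-group ") and not body.get("targets"):
            findings.append(f"snmp: {key} has no targets, so its traps go nowhere")
    return findings


def audit(text):
    """Run every check over one 'show' text and return the list of findings."""
    cfg = parse_junos(text)
    return audit_archival(cfg) + audit_snmp(cfg)
```

Feed it the output of show configuration system archival and show configuration snmp (or the whole show configuration) and treat any finding as a ticket; the only finding on the post's own values is the ftp archive site.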

 

 

You can monitor the Junos OS SNMP agent with an NMS tool (e.g. SolarWinds, PRTG) or run an SNMP walk from the CLI.

 

jadmin@JR-1# run show snmp mib ?

Possible completions:

  get                  Get SNMP object value

  get-next             Get next SNMP object value

  walk                 Walk SNMP object values

[edit snmp]

jadmin@JR-1# run show snmp mib walk ?

Possible completions:

  <name>               Requested SNMP object names

  ascii                Convert string indices to 'ascii-keys' representation

  decimal              Decimal format (default)

[edit snmp]

jadmin@JR-1# run show snmp mib walk jnxOperatingDescr

 

[edit snmp]

jadmin@JR-1# run show snmp mib walk ?

Possible completions:

  <name>               Requested SNMP object names

  ascii                Convert string indices to 'ascii-keys' representation

  decimal              Decimal format (default)

[edit snmp]

jadmin@JR-1# run show snmp mib walk jnxMibs

mplsVersion.0 = 1

mplsSignalingProto.0 = 1

mplsConfiguredLsps.0 = 0

mplsActiveLsps.0 = 0

mplsTEDistProtocol.0 = 1

ifIn1SecRate.4 = 0

ifIn1SecRate.5 = 0

ifIn1SecRate.6 = 0

ifIn1SecRate.7 = 0

ifIn1SecRate.8 = 0

ifIn1SecRate.9 = 0

ifIn1SecRate.10 = 0

ifIn1SecRate.11 = 0

ifIn1SecRate.12 = 0

ifIn1SecRate.17 = 0

ifIn1SecRate.18 = 0

ifIn1SecRate.21 = 0

ifIn1SecRate.22 = 0

ifIn1SecRate.501 = 0

ifIn1SecRate.502 = 0

ifIn1SecRate.503 = 0

ifIn1SecRate.504 = 0

ifIn1SecRate.505 = 0

ifIn1SecOctets.4 = 0

---(more)---

 

<OUTPUT TRUNCATED>

 
