Login Class
Login classes specify the permission flags that govern which commands a user may run. Authorization applies to both the CLI and the J-Web interface. There are four pre-defined classes:
- super-user - all permissions
- operator - clear, network, reset, trace and view permissions
- read-only - view permissions
- unauthorized - no permissions
You can use the deny-commands, allow-commands, deny-configuration and allow-configuration statements to define regular expressions that match either operational commands or configuration statements. Junos OS applies the deny- statements first, before the allow- statements, when the authorization of a command matches both.
jadmin@JR-1> configure
Entering configuration mode
The configuration has been changed but not committed
[edit]
jadmin@JR-1# edit system login
[edit system login]
jadmin@JR-1# set class ?
Possible completions:
<class-name> Login class name
monitor Login class name
[edit system login]
jadmin@JR-1# set class monitor ?
Possible completions:
access-end End time for remote access (hh:mm)
access-start Start time for remote access (hh:mm)
allow-commands Regular expression for commands to allow explicitly
allow-configuration Regular expression for configure to allow explicitly
+ allow-configuration-regexps Object path regular expressions to allow
+ allowed-days Day(s) of week when access is allowed.
+ apply-groups Groups from which to inherit configuration data
+ apply-groups-except Don't inherit configuration data from these groups
deny-commands Regular expression for commands to deny explicitly
deny-configuration Regular expression for configure to deny explicitly
+ deny-configuration-regexps Object path regular expressions to deny
idle-timeout Maximum idle time before logout (minutes)
logical-system Logical system associated with login
login-alarms Display system alarms when logging in
login-script Execute this login-script when logging in
login-tip Display tip when logging in
+ permissions Set of permitted operation categories
security-role Common Criteria security role
[edit system login]
jadmin@JR-1# set class monitor permissions ?
Possible completions:
[ Open a set of values
access Can view access configuration
access-control Can modify access configuration
admin Can view user accounts
admin-control Can modify user accounts
all All permission bits turned on
clear Can clear learned network info
configure Can enter configuration mode
control Can modify any config
field Can use field debug commands
firewall Can view firewall configuration
firewall-control Can modify firewall configuration
floppy Can read and write the floppy
flow-tap Can view flow-tap configuration
flow-tap-control Can modify flow-tap configuration
flow-tap-operation Can tap flows
idp-profiler-operation Can Profiler data
interface Can view interface configuration
interface-control Can modify interface configuration
maintenance Can become the super-user
network Can access the network
pgcp-session-mirroring Can view pgcp session mirroring configuration
pgcp-session-mirroring-control Can modify pgcp session mirroring configuration
reset Can reset/restart interfaces and daemons
rollback Can rollback to previous configurations
routing Can view routing configuration
routing-control Can modify routing configuration
secret Can view secret statements
secret-control Can modify secret statements
security Can view security configuration
security-control Can modify security configuration
shell Can start a local shell
snmp Can view SNMP configuration
snmp-control Can modify SNMP configuration
storage Can view fibre channel storage protocol configuration
storage-control Can modify fibre channel storage protocol configuration
system Can view system configuration
system-control Can modify system configuration
trace Can view trace file settings
trace-control Can modify trace file settings
view Can view current values and statistics
view-configuration Can view all configuration (not including secrets)
[edit system login]
jadmin@JR-1# set class monitor permissions view-configuration ?
Possible completions:
<[Enter]> Execute this command
access-end End time for remote access (hh:mm)
access-start Start time for remote access (hh:mm)
allow-commands Regular expression for commands to allow explicitly
allow-configuration Regular expression for configure to allow explicitly
+ allow-configuration-regexps Object path regular expressions to allow
+ allowed-days Day(s) of week when access is allowed.
+ apply-groups Groups from which to inherit configuration data
+ apply-groups-except Don't inherit configuration data from these groups
deny-commands Regular expression for commands to deny explicitly
deny-configuration Regular expression for configure to deny explicitly
+ deny-configuration-regexps Object path regular expressions to deny
idle-timeout Maximum idle time before logout (minutes)
logical-system Logical system associated with login
login-alarms Display system alarms when logging in
login-script Execute this login-script when logging in
login-tip Display tip when logging in
+ permissions Set of permitted operation categories
security-role Common Criteria security role
| Pipe through a command
[edit system login]
jadmin@JR-1# set class monitor permissions view-configuration allow-commands ?
Possible completions:
<allow-commands> Regular expression for commands to allow explicitly
[edit system login]
jadmin@JR-1# set class monitor permissions view-configuration allow-commands "show" ?
Possible completions:
<[Enter]> Execute this command
access-end End time for remote access (hh:mm)
access-start Start time for remote access (hh:mm)
allow-configuration Regular expression for configure to allow explicitly
+ allow-configuration-regexps Object path regular expressions to allow
+ allowed-days Day(s) of week when access is allowed.
+ apply-groups Groups from which to inherit configuration data
+ apply-groups-except Don't inherit configuration data from these groups
deny-commands Regular expression for commands to deny explicitly
deny-configuration Regular expression for configure to deny explicitly
+ deny-configuration-regexps Object path regular expressions to deny
idle-timeout Maximum idle time before logout (minutes)
logical-system Logical system associated with login
login-alarms Display system alarms when logging in
login-script Execute this login-script when logging in
login-tip Display tip when logging in
+ permissions Set of permitted operation categories
security-role Common Criteria security role
| Pipe through a command
[edit system login]
jadmin@JR-1# set class monitor permissions view-configuration allow-commands "show" deny-commands "configure"
[edit system login]
jadmin@JR-1# set class monitor allow-configuration ?
Possible completions:
<allow-configuration> Regular expression for configure to allow explicitly
[edit system login]
jadmin@JR-1# set class monitor allow-configuration "interfaces"
[edit system login]
jadmin@JR-1# set class monitor allow-configuration "interfaces" deny-configuration ?
Possible completions:
<deny-configuration> Regular expression for configure to deny explicitly
[edit system login]
jadmin@JR-1# set class monitor allow-configuration "interfaces" deny-configuration "firewall"
The monitor class has the interface, network, view and view-configuration permissions and is allowed to configure statements under the interfaces hierarchy.
[edit system login]
jadmin@JR-1# show
message "Juniper VM Lab";
class monitor {
permissions [ interface network view view-configuration ];
allow-commands show;
deny-commands configure;
allow-configuration interfaces;
deny-configuration firewall;
}
user jadmin {
uid 2002;
class super-user;
authentication {
encrypted-password "$1$GV2Yds7K$1UWyPvsNzTW/C4FjYJVaU0"; ## SECRET-DATA
}
}
user jadmin2 {
uid 2003;
class super-user;
authentication {
encrypted-password "$1$3ATAJNcI$fKjYSgcC4mwxXOoFl/Uvr0"; ## SECRET-DATA
}
}
[edit system login]
System Logging (Syslog)
Junos OS stores syslog messages in /var/log/messages. Remote syslog and log file archiving are recommended.
Use the show log messages command to view log messages. A syslog message consists of the following fields (using the first log message below as an example):
- Timestamp: Oct 10 17:17:52
- Name (device hostname): JR1
- Process name or PID: /kernel
- Message-code: em0
- Message-text: Link is Down
jadmin@JR-1> show log messages
Oct 10 17:17:52 JR1 /kernel: em0: Link is Down
Oct 10 17:17:52 JR1 mib2d[1316]: SNMP_TRAP_LINK_DOWN: ifIndex 17, ifAdminStatus up(1), ifOperStatus down(2), ifName em0
Oct 10 17:17:55 JR1 /kernel: em0: Link is up 1000 Mbps Full Duplex
Oct 10 17:19:26 JR1 mgd[1487]: UI_DBASE_LOGIN_EVENT: User 'root' entering configuration mode
Oct 10 17:22:41 JR1 login: Login attempt for user jadmin from host 10.1.1.10
Oct 10 17:22:42 JR1 login[3055]: LOGIN_INFORMATION: User jadmin logged in from host 10.1.1.10 on device ttyp1
Oct 10 17:40:36 JR1 login: Login attempt for user jadmin from host 10.1.1.10
Oct 10 17:40:38 JR1 login[3091]: LOGIN_INFORMATION: User jadmin logged in from host 10.1.1.10 on device ttyp1
Oct 10 17:42:34 JR1 mgd[1487]: UI_DBASE_LOGOUT_EVENT: User 'root' exiting configuration mode
Oct 10 17:42:47 JR1 mgd[1487]: UI_CHILD_EXITED: Child exited: PID 3099, status 1, command '/usr/libexec/ui/logout-user'
Oct 10 17:43:08 JR1 login: Login attempt for user jadmin from host 10.1.1.10
Oct 10 17:43:11 JR1 login[3135]: LOGIN_INFORMATION: User jadmin logged in from host 10.1.1.10 on device ttyp0
Oct 10 17:43:38 JR1 login: Login attempt for user jadmin from host 10.1.1.10
Oct 10 17:43:41 JR1 login[3168]: LOGIN_INFORMATION: User jadmin logged in from host 10.1.1.10 on device ttyp0
Oct 10 17:45:38 JR1 mgd[3170]: UI_DBASE_LOGIN_EVENT: User 'jadmin' entering configuration mode
Oct 10 17:47:57 JR1 mgd[3170]: UI_DBASE_LOGOUT_EVENT: User 'jadmin' exiting configuration mode
Oct 10 20:44:24 JR1 /kernel: em0: Link is Down
Oct 10 20:44:24 JR1 mib2d[1316]: SNMP_TRAP_LINK_DOWN: ifIndex 17, ifAdminStatus up(1), ifOperStatus down(2), ifName em0
Oct 10 20:44:26 JR1 /kernel: em0: Link is up 1000 Mbps Full Duplex
Oct 10 21:25:20 JR1 mgd[1487]: UI_DBASE_LOGIN_EVENT: User 'root' entering configuration mode
Oct 10 21:26:06 JR1 mgd[1487]: UI_COMMIT: User 'root' requested 'commit' operation (comment: none)
<OUTPUT TRUNCATED>
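As an added example (not part of the original post), the following Python script parses lines in the field layout described above and runs a few defender-oriented checks over them: successful logins per user and source host, login attempts per source host, users entering configuration mode and committing, link-down events per interface, and the archival transfer-failure message that appears under Automate Backup later in this post. The sample lines are copied from the outputs shown on this page; the field names, regular expressions and the summary keys are my own choices, not a Junos API.

```python
import re
from collections import Counter

# Constructed sample: lines copied from the 'show log messages' output in this
# post, plus the archival 'transfer-file failed' line from the backup section.
SAMPLE_LOG = """\
Oct 10 17:17:52 JR1 /kernel: em0: Link is Down
Oct 10 17:17:52 JR1 mib2d[1316]: SNMP_TRAP_LINK_DOWN: ifIndex 17, ifAdminStatus up(1), ifOperStatus down(2), ifName em0
Oct 10 17:17:55 JR1 /kernel: em0: Link is up 1000 Mbps Full Duplex
Oct 10 17:19:26 JR1 mgd[1487]: UI_DBASE_LOGIN_EVENT: User 'root' entering configuration mode
Oct 10 17:22:41 JR1 login: Login attempt for user jadmin from host 10.1.1.10
Oct 10 17:22:42 JR1 login[3055]: LOGIN_INFORMATION: User jadmin logged in from host 10.1.1.10 on device ttyp1
Oct 10 17:42:34 JR1 mgd[1487]: UI_DBASE_LOGOUT_EVENT: User 'root' exiting configuration mode
Oct 10 17:45:38 JR1 mgd[3170]: UI_DBASE_LOGIN_EVENT: User 'jadmin' entering configuration mode
Oct 10 21:26:06 JR1 mgd[1487]: UI_COMMIT: User 'root' requested 'commit' operation (comment: none)
Oct 18 07:24:15 JR-1 logger: transfer-file failed to transfer /var/transfer/config/JR-1_juniper.conf.gz_20201017_232326
"""

# Field layout from the post: timestamp, hostname, process[pid], message code, text.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<proc>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<rest>.*)$"
)
LOGIN_OK_RE = re.compile(r"User (\S+) logged in from host (\S+) on device (\S+)")
ATTEMPT_RE = re.compile(r"Login attempt for user (\S+) from host (\S+)")
CONFIG_RE = re.compile(r"User '([^']+)' entering configuration mode")
COMMIT_RE = re.compile(r"User '([^']+)' requested 'commit' operation")


def parse_line(line):
    """Split one syslog line into the fields the post lists; None if it does not fit."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # The message code is whatever precedes the first ': ' in the remainder
    # (e.g. 'em0' or 'LOGIN_INFORMATION'); untagged messages have no code.
    code, sep, text = m.group("rest").partition(": ")
    if not sep:
        code, text = None, m.group("rest")
    return {
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "process": m.group("proc"),
        "pid": int(m.group("pid")) if m.group("pid") else None,
        "code": code,
        "text": text,
    }


def summarize(log_text):
    """Aggregate the events an operator reviewing this log would want counted."""
    logins = Counter()       # (user, source host) -> successful logins
    attempts = Counter()     # source host -> login attempts (success or not)
    config_mode = Counter()  # user -> times entering configuration mode
    commits = Counter()      # user -> commit operations
    link_down = Counter()    # interface -> link-down events
    backup_failures = []     # config archives that failed to transfer
    unparsed = []            # lines that did not match the expected layout
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            unparsed.append(raw)
            continue
        code, text = rec["code"], rec["text"]
        if code == "LOGIN_INFORMATION" and (m := LOGIN_OK_RE.search(text)):
            logins[(m.group(1), m.group(2))] += 1
        elif rec["process"] == "login" and (m := ATTEMPT_RE.search(text)):
            attempts[m.group(2)] += 1
        elif code == "UI_DBASE_LOGIN_EVENT" and (m := CONFIG_RE.search(text)):
            config_mode[m.group(1)] += 1
        elif code == "UI_COMMIT" and (m := COMMIT_RE.search(text)):
            commits[m.group(1)] += 1
        elif rec["process"] == "/kernel" and text == "Link is Down":
            link_down[code] += 1
        elif rec["process"] == "logger" and text.startswith("transfer-file failed"):
            backup_failures.append(text.rsplit(" ", 1)[-1])
    return {
        "logins": dict(logins),
        "attempts": dict(attempts),
        "config_mode": dict(config_mode),
        "commits": dict(commits),
        "link_down": dict(link_down),
        "backup_failures": backup_failures,
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Feed the script the output of `show log messages` (or the file forwarded to the remote syslog host) and compare the attempts counter against the logins counter: a source host with many attempts and few successful logins is the first thing to look at, and a root commit with no matching login from a known host is the second.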
jadmin@JR-1> configure
Entering configuration mode
The configuration has been changed but not committed
[edit]
jadmin@JR-1# edit system syslog
[edit system syslog]
jadmin@JR-1# set host ?
Possible completions:
<log-host-name> Host to be notified
other-routing-engine Send to log file on other Routing Engine
[edit system syslog]
jadmin@JR-1# set host 192.168.1.200 ?
Possible completions:
allow-duplicates Do not suppress the repeated message
any All facilities
+ apply-groups Groups from which to inherit configuration data
+ apply-groups-except Don't inherit configuration data from these groups
authorization Authorization system
change-log Configuration change log
conflict-log Configuration conflict log
daemon Various system processes
dfc Dynamic flow capture
explicit-priority Include priority and facility in messages
external Local external applications
facility-override Alternate facility for logging to remote host
firewall Firewall filtering system
ftp FTP process
interactive-commands Commands executed by the UI
kernel Kernel
log-prefix Prefix for all logging to this host
match Regular expression for lines to be logged
ntp NTP process
pfe Packet Forwarding Engine
port Port number
security Security related
source-address Use specified address as source address
> structured-data Log system message in structured format
user User processes
[edit system syslog]
jadmin@JR-1# set host 192.168.1.200 any ?
Possible completions:
alert Conditions that should be corrected immediately
any All levels
critical Critical conditions
emergency Panic conditions
error Error conditions
info Informational messages
none No messages
notice Conditions that should be handled specially
warning Warning messages
[edit system syslog]
jadmin@JR-1# set host 192.168.1.200 any info
[edit system syslog]
jadmin@JR-1#
[edit system syslog]
jadmin@JR-1# show
user * { // EMERGENCY LOG MESSAGES ARE SENT TO ALL LOGGED IN USERS
any emergency;
}
host 192.168.1.200 { // SEND LOG MESSAGES TO A REMOTE SYSLOG SERVER
any info;
}
file messages { // PRIMARY SYSLOG FILE
any notice;
authorization info;
}
file interactive-commands { // LOGS ALL CLI COMMANDS
interactive-commands any;
}
[edit system syslog]
You can use the help syslog operational command to interpret the log message code.
jadmin@JR-1> help syslog ?
Possible completions:
<[Enter]> Execute this command
<syslog-tag> System log tag or regular expression
ACCT_ACCOUNTING_FERROR LOG_PFE,Error occurred during file processing
ACCT_ACCOUNTING_FOPEN_ERROR LOG_PFE,Open operation failed on file
ACCT_ACCOUNTING_SMALL_FILE_SIZE LOG_PFE,Maximum file size is smaller than record size
ACCT_BAD_RECORD_FORMAT LOG_PFE,Record format does not match accounting profile
ACCT_CU_RTSLIB_ERROR LOG_PFE,Error occurred obtaining current class usage statistics
ACCT_FORK_ERR LOG_PFE,Could not create child process
ACCT_FORK_LIMIT_EXCEEDED LOG_PFE,Could not create child process because of limit
ACCT_GETHOSTNAME_ERROR LOG_PFE,gethostname function failed
ACCT_MALLOC_FAILURE LOG_PFE,Memory allocation failed
ACCT_UNDEFINED_COUNTER_NAME ANY,Filter profile used undefined counter name
ACCT_XFER_FAILED LOG_PFE,Attempt to transfer file failed
ACCT_XFER_POPEN_FAIL LOG_PFE,File transfer failed
ALARMD_CONFIG_ACCESS_ERROR LOG_DAEMON,Alarmd could not parse configuration database
ALARMD_CONFIG_CLOSE_ERROR LOG_DAEMON,Closing of configuration database failed
ALARMD_CONFIG_PARSE_ERROR LOG_DAEMON,Parsing of configuration failed
ALARMD_CONFIG_RECONFIG_ERROR LOG_DAEMON,Reconfiguration failed
ALARMD_CONNECTION_FAILURE LOG_DAEMON,Alarmd connection to another process failed
---(more 1%)---
<OUTPUT TRUNCATED>
jadmin@JR-1> help syslog UI_DBASE_LOGIN_EVENT
jadmin@JR-1> help syslog LOGIN_INFORMATION
Name: LOGIN_INFORMATION
Message: User <username> logged in from host <hostname> on device <tty-name>
Help: User was authenticated and logged in
Description: The indicated username was authenticated and logged into the shell specified for it in the password file.
Type: Event: This message reports an event, not an error
Severity: info
Facility: LOG_AUTH
Tracing (debug in Cisco)
Junos OS writes tracing output to files in the /var/log directory or sends it to a remote syslog server. Because of the Junos OS design and architecture, you can enable detailed tracing without impacting router performance. You should always turn tracing off afterwards to avoid consuming router resources.
jadmin@JR-1> configure
Entering configuration mode
The configuration has been changed but not committed
[edit]
jadmin@JR-1# edit system tracing
[edit system tracing]
jadmin@JR-1# set destination-override ?
Possible completions:
> syslog Send trace messages to remote syslog server
[edit system tracing]
jadmin@JR-1# set destination-override syslog ?
Possible completions:
host IPv4 address of remote syslog server
[edit system tracing]
jadmin@JR-1# set destination-override syslog host ?
Possible completions:
<host> IPv4 address of remote syslog server
[edit system tracing]
jadmin@JR-1# set destination-override syslog host 192.168.1.100
[edit system tracing]
jadmin@JR-1# show
destination-override syslog host 192.168.1.100;
[edit system tracing]
jadmin@JR-1# top edit interfaces
[edit interfaces]
jadmin@JR-1# set traceoptions ?
Possible completions:
+ apply-groups Groups from which to inherit configuration data
+ apply-groups-except Don't inherit configuration data from these groups
> file Trace file information
> flag Tracing parameters
no-remote-trace Disable remote tracing
[edit interfaces]
jadmin@JR-1# set traceoptions file ?
Possible completions:
<filename> Name of file in which to write trace information
files Maximum number of trace files (2..1000)
match Regular expression for lines to be logged
no-world-readable Don't allow any user to read the log file
size Maximum trace file size (10240..1073741824)
world-readable Allow any user to read the log file
[edit interfaces]
jadmin@JR-1# set traceoptions file trace-1 ?
Possible completions:
<[Enter]> Execute this command
files Maximum number of trace files (2..1000)
match Regular expression for lines to be logged
no-world-readable Don't allow any user to read the log file
size Maximum trace file size (10240..1073741824)
world-readable Allow any user to read the log file
| Pipe through a command
[edit interfaces]
jadmin@JR-1# set traceoptions file trace-1 size ?
Possible completions:
<size> Maximum trace file size (10240..1073741824)
[edit interfaces]
jadmin@JR-1# set traceoptions file trace-1 size 10240 ?
Possible completions:
<[Enter]> Execute this command
files Maximum number of trace files (2..1000)
match Regular expression for lines to be logged
no-world-readable Don't allow any user to read the log file
world-readable Allow any user to read the log file
| Pipe through a command
[edit interfaces]
jadmin@JR-1# set traceoptions file trace-1 size 10240 files ?
Possible completions:
<files> Maximum number of trace files (2..1000)
[edit interfaces]
jadmin@JR-1# set traceoptions file trace-1 size 10240 files 2 ?
Possible completions:
<[Enter]> Execute this command
match Regular expression for lines to be logged
no-world-readable Don't allow any user to read the log file
world-readable Allow any user to read the log file
| Pipe through a command
[edit interfaces]
jadmin@JR-1# set traceoptions file trace-1 size 10240 files 2 world-readable
[edit interfaces]
jadmin@JR-1# show
traceoptions {
file trace-1 size 10k files 2 world-readable;
}
em0 {
unit 0 {
family inet {
address 10.1.1.1/24;
}
}
}
[edit interfaces]
jadmin@JR-1# commit
commit complete
[edit interfaces]
jadmin@JR-1# set lo0 disable
[edit interfaces]
jadmin@JR-1# delete lo0 disable
[edit interfaces]
jadmin@JR-1# run show log trace-1 // DISPLAY THE TRACE FILE CONTENT
Oct 18 06:18:23 INFO: Static config commit check : user 0.000 s, sys 0.000 s, wall 0.006 s
Oct 18 06:18:23 INFO: Phase Usage for IDLE : user 1.464 s, sys 0.882 s, wall 6839.892 s
Oct 18 06:18:23 INFO: New phase is PRE_CONFIG
Oct 18 06:18:23 INFO: Static config read usage : user 0.001 s, sys 0.000 s, wall 0.014 s
Oct 18 06:18:23 INFO: Phase Usage for PRE_CONFIG : user 0.000 s, sys 0.000 s, wall 0.000 s
Oct 18 06:18:23 INFO: New phase is CONFIG
Oct 18 06:18:23 INFO: Config db overlay usage : user 0.000 s, sys 0.000 s, wall 0.000 s
Oct 18 06:18:23 INFO: dcd_new_phase:recover_type = 1, dcd_is_protocol_master =1,sdb_state = 2,run_dynamic_db_diff = 0
Oct 18 06:18:23 INFO: dcd_new_phase - Running db_diff on static db
Oct 18 06:18:23 INFO: Config static db diff usage : user 0.000 s, sys 0.000 s, wall 0.000 s
Oct 18 06:18:23 INFO: Config sync io : user 0.000 s, sys 0.000 s, wall 0.000 s
Oct 18 06:18:23 INFO: Config depenency cleanup usage : user 0.000 s, sys 0.000 s, wall 0.000 s
Oct 18 06:18:23 INFO: Phase Usage for CONFIG : user 0.000 s, sys 0.000 s, wall 0.000 s
Oct 18 06:18:23 INFO: New phase is IDLE
Oct 18 06:18:23 INFO: Going idle, 2 sync writes, 0 sync reads, 0 ifstate msgs,0 ifstate reads, 0 async ifd msgs, 0 async rtb msgs, 0 async bd msgs, 0 async mesh group msgs, 483 usec
jadmin@JR-1> monitor ?
Possible completions:
interface Show interface traffic
label-switched-path Show label-switched-path traffic
list Show status of monitored files
start Start showing log file in real time
static-lsp Show static label-switched-path traffic
stop Stop showing log file in real time
traffic Show real-time network traffic information
jadmin@JR-1> monitor start ?
Possible completions:
<filename> Name of log file
aprobed Size: 0, Last changed: May 09 2012
apsd Size: 7972, Last changed: Oct 18 06:26:47
authd_libstats Size: 0, Last changed: May 09 2012
authd_profilelib Size: 0, Last changed: May 09 2012
authd_sdb.log Size: 0, Last changed: May 09 2012
chassisd Size: 105057, Last changed: Oct 18 06:26:08
cosd Size: 116403, Last changed: Oct 18 06:26:08
dcd Size: 59909, Last changed: Oct 18 06:26:08
dfwc Size: 0, Last changed: May 09 2012
eccd Size: 1736, Last changed: Oct 18 06:26:07
ext/ Last changed: May 09 2012
file-1 Size: 23202, Last changed: Oct 13 19:00:00
flowc/ Last changed: May 09 2012
ggsn/ Last changed: May 09 2012
gres-tp Size: 17064, Last changed: Oct 10 22:20:30
hostname-cached Size: 612, Last changed: Oct 10 20:23:12
ifstraced Size: 180, Last changed: Oct 10 20:23:12
interactive-commands Size: 548923, Last changed: Oct 18 06:26:57
interactive-commands.0.gz Size: 8409, Last changed: Oct 11 01:14:03
inventory Size: 3698, Last changed: Oct 18 06:26:07
lmpd Size: 1164, Last changed: Oct 10 20:23:27
mastership Size: 385, Last changed: Mar 27 2013
messages Size: 583035, Last changed: Oct 18 06:26:57
messages.0.gz Size: 23989, Last changed: Oct 11 01:14:03
pf Size: 768, Last changed: Oct 10 20:23:10
pfed Size: 0, Last changed: May 09 2012
pgmd Size: 576, Last changed: Oct 10 20:23:12
pppoed_era_jpppoed_era_in_progress.log Size: 610, Last changed: Oct 12 20:08:07
pppoed_era_jpppoed_era_in_progress.log.0 Size: 609, Last changed: Oct 10 20:23:10
pppoed_era_jpppoed_era_in_progress.log.1 Size: 609, Last changed: Mar 27 2013
pppoed_era_jpppoed_era_in_progress.log.2 Size: 609, Last changed: Mar 26 2013
pppoed_era_jpppoed_era_in_progress.log.3 Size: 609, Last changed: Mar 26 2013
rtspd Size: 1518, Last changed: Oct 10 20:23:27
smartd.trace Size: 75, Last changed: Oct 11 01:14:03
smartd.trace.0.gz Size: 564, Last changed: Oct 11 01:14:03
trace-1 Size: 4490, Last changed: Oct 18 06:26:47
utmp Size: 0, Last changed: May 09 2012
wtmp Size: 122324, Last changed: Oct 18 05:26:36
wtmp.0.gz Size: 170, Last changed: Oct 11 00:55:36
wtmp.1.gz Size: 143, Last changed: Oct 10 20:23:54
wtmp.2.gz Size: 341, Last changed: Mar 26 2013
wtmp.3.gz Size: 119, Last changed: May 09 2012
jadmin@JR-1> monitor start trace-1 // PERFORM REAL-TIME MONITORING
*** monitor and syslog output enabled, press ESC-Q to disable *** // PRESS ESC+q TO ENABLE/DISABLE REAL-TIME OUTPUT TO YOUR TERMINAL SCREEN
*** trace-1 ***
Oct 18 06:29:39 INFO: Static config commit check : user 0.000 s, sys 0.000 s, wall 0.000 s
Oct 18 06:29:39 INFO: Received SIGHUP, time to reparse.
Oct 18 06:29:39 INFO: Pending config request now being serviced
Oct 18 06:29:39 INFO: Phase Usage for IDLE : user 0.005 s, sys 0.000 s, wall 18.183 s
Oct 18 06:29:39 INFO: New phase is PRE_CONFIG
Oct 18 06:29:39 INFO: Static config read usage : user 0.001 s, sys 0.000 s, wall 0.002 s
Oct 18 06:29:39 INFO: Phase Usage for PRE_CONFIG : user 0.000 s, sys 0.000 s, wall 0.000 s
Oct 18 06:29:39 INFO: New phase is CONFIG
Oct 18 06:29:39 INFO: Config db overlay usage : user 0.000 s, sys 0.000 s, wall 0.000 s
Oct 18 06:29:39 INFO: dcd_new_phase:recover_type = 1, dcd_is_protocol_master =1,sdb_state = 2,run_dynamic_db_diff = 0
Oct 18 06:29:39 INFO: dcd_new_phase - Running db_diff on static db
Oct 18 06:29:39 INFO: Config static db diff usage : user 0.000 s, sys 0.000 s, wall 0.000 s
Oct 18 06:29:39 INFO: Config sync io : user 0.000 s, sys 0.000 s, wall 0.000 s
Oct 18 06:29:39 INFO: Config depenency cleanup usage : user 0.000 s, sys 0.000 s, wall 0.000 s
Oct 18 06:29:39 INFO: Phase Usage for CONFIG : user 0.000 s, sys 0.000 s, wall 0.000 s
Oct 18 06:29:39 INFO: New phase is IDLE
Oct 18 06:29:39 INFO: Going idle, 2 sync writes, 0 sync reads, 0 ifstate msgs,0 ifstate reads, 0 async ifd msgs, 0 async rtb msgs, 0 async bd msgs, 0 async mesh group msgs, 474 usec
*** monitor and syslog output disabled, press ESC-Q to enable ***
jadmin@JR-1# exit
Exiting configuration mode
jadmin@JR-1> monitor stop // CEASE ALL MONITORING
jadmin@JR-1> clear log trace-1 // CLEAR CONTENTS OF LOG AND TRACE FILE
jadmin@JR-1> file delete trace-1 // DELETE LOG AND TRACE FILE
rm: /var/home/jadmin/trace-1: No such file or directory
[edit interfaces]
jadmin@JR-1# delete traceoptions // DISABLE TRACING AT THE SPECIFIC CONFIG HIERARCHY
Network Time Protocol (NTP)
Junos OS cannot provide its own timing source, since a local crystal oscillator is not supported as a reference clock. NTP authentication is recommended so that an untrusted time source cannot be used to compromise the device.
jadmin@JR-1> configure
Entering configuration mode
Users currently editing the configuration:
jadmin terminal p2 (pid 13914) on since 2020-10-18 06:40:58 SGT, idle 00:04:50
[edit]
root terminal v0 (pid 7917) on since 2020-10-18 06:28:43 SGT, idle 00:04:13
[edit]
[edit]
jadmin@JR-1# edit system ntp
[edit system ntp]
jadmin@JR-1# set boot-server ?
Possible completions:
<boot-server> Server to query during boot sequence
[edit system ntp]
jadmin@JR-1# set boot-server 192.168.1.100 ?
Possible completions:
<[Enter]> Execute this command
+ apply-groups Groups from which to inherit configuration data
+ apply-groups-except Don't inherit configuration data from these groups
> authentication-key Authentication key information
> broadcast Broadcast parameters
broadcast-client Listen to broadcast NTP
> multicast-client Listen to multicast NTP
> peer Peer parameters
> server Server parameters
source-address Use specified address as source address
+ trusted-key List of trusted authentication keys
| Pipe through a command
[edit system ntp]
jadmin@JR-1# set boot-server 192.168.1.100 server ?
Possible completions:
<address> Name or address of server
[edit system ntp]
jadmin@JR-1# set boot-server 192.168.1.100 server 192.168.1.100 // BOOT SERVER IS USED TO SET INITIAL NTP TIME UPON BOOTUP
[edit system ntp]
jadmin@JR-1# show
boot-server 192.168.1.100;
server 192.168.1.100;
[edit system ntp]
jadmin@JR-1# commit
commit complete
[edit system ntp]
jadmin@JR-1# run show ntp ?
Possible completions:
associations Show status of peers
status Show internal variables returned by peers
[edit system ntp]
jadmin@JR-1# run show ntp status
status=c011 sync_alarm, sync_unspec, 1 event, event_restart,
version="ntpd 4.2.0-a Sat Mar 24 07:52:24 UTC 2012 (1)",
processor="i386", system="JUNOS12.1R1.9", leap=11, stratum=16,
precision=-22, rootdelay=0.000, rootdispersion=0.075, peer=0,
refid=INIT, reftime=00000000.00000000 Thu, Feb 7 2036 14:28:16.000,
poll=4, clock=e335f505.7e694223 Sun, Oct 18 2020 6:56:05.493, state=0,
offset=0.000, frequency=0.000, jitter=0.000, stability=0.000
[edit system ntp]
jadmin@JR-1# run show ntp associations
remote refid st t when poll reach delay offset jitter
==============================================================================
192.168.1.100 .INIT. 16 - - 64 0 0.000 0.000 4000.00
[edit system ntp]
Automate Backup
It is recommended to back up the configuration in case the Juniper system storage fails. You can perform the backup either at a regular interval (transfer-interval) or every time a new change is committed (transfer-on-commit).
[edit]
jadmin@JR-1# edit system archival
[edit system archival]
jadmin@JR-1# set configuration ?
Possible completions:
+ apply-groups Groups from which to inherit configuration data
+ apply-groups-except Don't inherit configuration data from these groups
> archive-sites List of archive destinations
transfer-interval Frequency at which file transfer happens (minutes)
transfer-on-commit Transfer after each commit
[edit system archival]
jadmin@JR-1# set configuration transfer-on-commit archive-sites ?
Possible completions:
<url> URLs to receive configuration files
[edit system archival]
jadmin@JR-1# set configuration transfer-on-commit archive-sites "ftp://user@192.168.1.100:/archive" password password123
jadmin@JR-1# set configuration archive-sites "scp://user@192.168.2.100:/archive" password password456
[edit system archival]
jadmin@JR-1# show
configuration {
transfer-on-commit;
archive-sites {
"ftp://user@192.168.1.100:/archive" password "$9$iHPQF39pOR6987VYZG69Atu1RhSlvWIR"; ## SECRET-DATA
"scp://user@192.168.2.100:/archive" password "$9$ICxRyKMWxdwgLxqfz6u0LxN-VYaZUqP5Dj"; ## SECRET-DATA
[edit system archival]
jadmin@JR-1# commit
commit complete
jadmin@JR-1# run show log messages | match transfer
Oct 18 07:24:15 JR-1 logger: transfer-file failed to transfer /var/transfer/config/JR-1_juniper.conf.gz_20201017_232326
jadmin@JR-1# run file list /var/transfer/config ?
Possible completions:
<[Enter]> Execute this command
detail Display detailed output (like 'ls -l')
recursive Descend recursively through directory hierarchy
| Pipe through a command
[edit system archival]
jadmin@JR-1# run file list /var/transfer/config detail
/var/transfer/config:
total 12
-rw-r----- 1 root wheel 695 Oct 18 07:23 JR-1_juniper.conf.gz_20201017_232326
Simple Network Management Protocol (SNMP)
Junos OS acts as an SNMP agent and exchanges network management information with an SNMP manager or NMS. It supports SNMP versions 1, 2c and 3.
[edit]
jadmin@JR-1# edit snmp
[edit snmp]
jadmin@JR-1# set ?
Possible completions:
+ apply-groups Groups from which to inherit configuration data
+ apply-groups-except Don't inherit configuration data from these groups
> client-list Client list
> community Configure a community string
contact Contact information for administrator
description System description
> engine-id SNMPv3 engine ID
filter-duplicates Filter requests with duplicate source address/port and request ID
> filter-interfaces List of interfaces that needs to be filtered
> health-monitor Health monitoring configuration
+ interface Restrict SNMP requests to interfaces
location Physical location of system
logical-system-trap-filter Allow only logical-system specific traps
name System name override
> nonvolatile Configure the handling of nonvolatile SNMP Set requests
> rmon Remote Monitoring configuration
> routing-instance-access SNMP routing-instance options
> traceoptions Trace options for SNMP
> trap-group Configure traps and notifications
> trap-options SNMP trap options
> v3 SNMPv3 configuration information
> view Define MIB views
[edit snmp]
jadmin@JR-1# set description "JR1 VM Lab"
[edit snmp]
jadmin@JR-1# set location "SG Home Lab"
[edit snmp]
jadmin@JR-1# set contact "John Lagura, john@lab.com"
[edit snmp]
jadmin@JR-1# set community ?
Possible completions:
<community> Community name
[edit snmp]
jadmin@JR-1# set community juniper123 ?
Possible completions:
<[Enter]> Execute this command
+ apply-groups Groups from which to inherit configuration data
+ apply-groups-except Don't inherit configuration data from these groups
authorization Authorization type
client-list-name The name of client list or prefix list
> clients List of source address prefix ranges to accept
> logical-system Use logical-system name for v1/v2c clients
> routing-instance Use routing-instance name for v1/v2c clients
view View name
| Pipe through a command
[edit snmp]
jadmin@JR-1# set community juniper123 authorization ?
Possible completions:
read-only Allow read-only access
read-write Allow read and write access
[edit snmp]
jadmin@JR-1# set community juniper123 authorization read-only clients ?
Possible completions:
<prefix> Address or prefix
[edit snmp]
jadmin@JR-1# set community juniper123 authorization read-only clients 192.168.1.0/24
jadmin@JR-1# set trap-group ?
Possible completions:
<group-name> Trap group name
[edit snmp]
jadmin@JR-1# set trap-group group-1 ?
Possible completions:
<[Enter]> Execute this command
+ apply-groups Groups from which to inherit configuration data
+ apply-groups-except Don't inherit configuration data from these groups
> categories Trap categories
destination-port SNMP trap receiver port number
logical-system Logical-system name for trap destination
routing-instance Routing instance for trap destination
> targets Targets for trap messages
version SNMP version
| Pipe through a command
[edit snmp]
jadmin@JR-1# set trap-group group-1 version ?
Possible completions:
all Send SNMPv1 and SNMPv2 traps
v1 Send SNMPv1 traps
v2 Send SNMPv2 traps
[edit snmp]
jadmin@JR-1# set trap-group group-1 version v2 ?
Possible completions:
<[Enter]> Execute this command
+ apply-groups Groups from which to inherit configuration data
+ apply-groups-except Don't inherit configuration data from these groups
> categories Trap categories
destination-port SNMP trap receiver port number
logical-system Logical-system name for trap destination
routing-instance Routing instance for trap destination
> targets Targets for trap messages
| Pipe through a command
[edit snmp]
jadmin@JR-1# set trap-group group-1 version v2 categories ?
Possible completions:
+ apply-groups Groups from which to inherit configuration data
+ apply-groups-except Don't inherit configuration data from these groups
authentication Authentication failures
chassis Chassis or environment notifications
configuration Configuration notifications
link Link up-down transitions
> otn-alarms OTN alarm trap subcategories
remote-operations Remote operations
rmon-alarm RMON rising and falling alarms
routing Routing protocol notifications
services Services notifications
> sonet-alarms SONET alarm trap subcategories
startup System warm and cold starts
vrrp-events VRRP notifications
[edit snmp]
jadmin@JR-1# set trap-group group-1 version v2 categories chassis link configuration
jadmin@JR-1# set trap-group group-1 targets ?
Possible completions:
<target> IP address
[edit snmp]
jadmin@JR-1# set trap-group group-1 targets 192.168.1.100
[edit snmp]
jadmin@JR-1# show
description "JR1 VM Lab";
location "SG Home Lab";
contact "John Lagura, john@lab.com";
community juniper123 {
authorization read-only;
clients {
192.168.1.0/24; // SNMP ACL; RESTRICT SNMP REQUESTS TO THE 192.168.1.0/24 SUBNET
}
}
trap-group group-1 {
version v2; // SEND SNMPv2 TRAPS FOR CHASSIS, LINK AND CONFIGURATION
categories {
chassis;
link;
configuration;
}
targets {
192.168.1.100; // DEFINE DESTINATION NMS HOST IP
}
}
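The system login output in the Login Class section and the snmp output just above share one curly-brace format, so the following added Python example (my own code, not from the post) parses that format into nested dicts and then audits both hierarchies. For login it flags classes carrying permission flags from the `permissions ?` list that equate to super-user or expose secrets, classes with no idle-timeout, and users placed in the predefined super-user class; for snmp it flags communities with well-known names, read-write authorization or no clients restriction, and trap groups still sending SNMPv1. The sample configuration is copied from this post, reduced to one user, with one deliberately weak `public` community added to exercise the checks; the HIGH_RISK_PERMS set and the wording of the findings are my choices.

```python
import re

# Constructed sample: the [edit system login] and [edit snmp] 'show' output from
# this post, reduced to one user, plus one deliberately weak community
# ('public', read-write, unrestricted) added here to exercise the checks.
LOGIN_CONFIG = """\
message "Juniper VM Lab";
class monitor {
    permissions [ interface network view view-configuration ];
    allow-commands show;
    deny-commands configure;
    allow-configuration interfaces;
    deny-configuration firewall;
}
user jadmin {
    uid 2002;
    class super-user;
    authentication {
        encrypted-password "$1$GV2Yds7K$1UWyPvsNzTW/C4FjYJVaU0"; ## SECRET-DATA
    }
}
"""

SNMP_CONFIG = """\
description "JR1 VM Lab";
community juniper123 {
    authorization read-only;
    clients {
        192.168.1.0/24;
    }
}
community public {
    authorization read-write;
}
trap-group group-1 {
    version v2;
    targets {
        192.168.1.100;
    }
}
"""

# Permission flags from the 'set class monitor permissions ?' list that grant
# super-user-equivalent or secret-exposing capability; chosen for this audit.
HIGH_RISK_PERMS = {"all", "maintenance", "shell", "control", "admin-control", "secret-control"}
# '## SECRET-DATA' and '// notes' need leading whitespace, so the '//' inside
# archive URLs such as ftp://... is never treated as a comment.
COMMENT_RE = re.compile(r"\s+(?:##|//).*$")


def parse_junos(text):
    """Parse curly-brace 'show' output into nested dicts.

    'name {' opens a block keyed by its header text; 'key value;' becomes
    key -> value (True for bare statements such as '192.168.1.0/24;')."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = COMMENT_RE.sub("", raw).strip()
        if not line:
            continue
        if line.endswith("{"):
            block = {}
            stack[-1][line[:-1].strip()] = block
            stack.append(block)
        elif line == "}":
            stack.pop()
        elif line.endswith(";"):
            key, _, value = line[:-1].partition(" ")
            stack[-1][key] = value.strip().strip('"') if value else True
        else:
            raise ValueError(f"unrecognised line: {raw!r}")
    if len(stack) != 1:
        raise ValueError("unbalanced braces")
    return root


def audit_login(cfg):
    """Least-privilege checks over the system login hierarchy."""
    findings = []
    for header, body in cfg.items():
        if not isinstance(body, dict):
            continue
        kind, _, name = header.partition(" ")
        if kind == "class":
            perms = set(body.get("permissions", "").strip("[] ").split())
            risky = sorted(perms & HIGH_RISK_PERMS)
            if risky:
                findings.append(f"class {name}: high-risk permissions {' '.join(risky)}")
            if "idle-timeout" not in body:
                findings.append(f"class {name}: no idle-timeout")
        elif kind == "user" and body.get("class") == "super-user":
            findings.append(f"user {name}: assigned predefined super-user class")
    return findings


def audit_snmp(cfg):
    """Exposure checks over the snmp hierarchy: default names, write access, no ACL."""
    findings = []
    for header, body in cfg.items():
        if not isinstance(body, dict):
            continue
        kind, _, name = header.partition(" ")
        if kind == "community":
            if name in ("public", "private"):
                findings.append(f"community {name}: well-known default name")
            if body.get("authorization") == "read-write":
                findings.append(f"community {name}: read-write access")
            if "clients" not in body:
                findings.append(f"community {name}: no clients restriction")
        elif kind == "trap-group" and body.get("version") in ("v1", "all"):
            findings.append(f"trap-group {name}: sends SNMPv1 traps")
    return findings


if __name__ == "__main__":
    for finding in audit_login(parse_junos(LOGIN_CONFIG)) + audit_snmp(parse_junos(SNMP_CONFIG)):
        print(finding)
```

Paste the `show` output of each hierarchy into the corresponding constant (or read it from the archived configuration file) and run the script; every finding names the class, user, community or trap group so it can be fixed with a single `set` or `delete` at that hierarchy.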
You can monitor the Junos OS SNMP agent using an NMS tool (e.g. SolarWinds, PRTG) or view an SNMP walk from the CLI.
jadmin@JR-1# run show snmp mib ?
Possible completions:
get Get SNMP object value
get-next Get next SNMP object value
walk Walk SNMP object values
[edit snmp]
jadmin@JR-1# run show snmp mib walk ?
Possible completions:
<name> Requested SNMP object names
ascii Convert string indices to 'ascii-keys' representation
decimal Decimal format (default)
[edit snmp]
jadmin@JR-1# run show snmp mib walk jnxOperatingDescr
[edit snmp]
jadmin@JR-1# run show snmp mib walk ?
Possible completions:
<name> Requested SNMP object names
ascii Convert string indices to 'ascii-keys' representation
decimal Decimal format (default)
[edit snmp]
jadmin@JR-1# run show snmp mib walk jnxMibs
mplsVersion.0 = 1
mplsSignalingProto.0 = 1
mplsConfiguredLsps.0 = 0
mplsActiveLsps.0 = 0
mplsTEDistProtocol.0 = 1
ifIn1SecRate.4 = 0
ifIn1SecRate.5 = 0
ifIn1SecRate.6 = 0
ifIn1SecRate.7 = 0
ifIn1SecRate.8 = 0
ifIn1SecRate.9 = 0
ifIn1SecRate.10 = 0
ifIn1SecRate.11 = 0
ifIn1SecRate.12 = 0
ifIn1SecRate.17 = 0
ifIn1SecRate.18 = 0
ifIn1SecRate.21 = 0
ifIn1SecRate.22 = 0
ifIn1SecRate.501 = 0
ifIn1SecRate.502 = 0
ifIn1SecRate.503 = 0
ifIn1SecRate.504 = 0
ifIn1SecRate.505 = 0
ifIn1SecOctets.4 = 0
---(more)---
<OUTPUT TRUNCATED>