Page 1
IJOS Lab Guide
Page 1
In this activity, you you will perform the following tasks:
Part 1: Define user accounts and authentication options.
Part 2: Set up and verify proper operation of system logging (syslog).
Part 3: Configure and monitor NTP.
Part 4: Enable and monitor the operation of SNMP.
Part 5: Configure and monitor the configuration archival feature.
LLaabb 33::
SSeeccoonnddaarryy SSyysstteemm CCoonnffiigguurraattiioonn
Page 2
IJOS Lab Guide
Page 2
Part 1: Loading a Factory-Default Configuration
Step 1.1 Login as admin user, enter configuration mode. Define a custom login class named
juniper with the following permissions.
. view
. view-configuration
. reset
SRXP (ttyu0)
login: admin
Password: juniper123
--- JUNOS 11.4R2.14 built 2012-03-17 19:13:21 UTC
admin@SRXP> configure
Entering configuration mode
[edit]
admin@SRXP# edit system login
[edit system login]
admin@SRXP# set class juniper permissions [view view-configuration reset]
[edit system login]
admin@SRXP#
Step 1.2 Next, define two new user accounts using the information from the following
requirements.
Username Class Plain-Text Password
walter juniper walter123
nancy read-only nancy123
[edit system login]
admin@SRXP# set user walter class juniper
Page 3
IJOS Lab Guide
Page 3
[edit system login]
admin@SRXP# set user walter authentication plain-text-password
New password: walter123
Retype new password: walter123
[edit system login]
admin@SRXP# set user nancy class read-only
[edit system login]
admin@SRXP# set user nancy authentication plain-text-password
New password: nancy123
Retype new password: nancy123
Step 1.3
View the configuration under the [edit system login] hierarchy level. If you are satisfied
with the results, activate your new configuration by issuing the commit command.
[edit system login]
admin@SRXP# show
class juniper {
permissions [ reset view view-configuration ];
}
user admin {
uid 2000;
class super-user;
authentication {
encrypted-password "$1$KwXSzls7$f7ZB3kFAjJRDst/CIxfLG/"; ## SECRET-DATA
}
}
user nancy {
class read-only;
authentication {
encrypted-password "$1$5zDK.QBM$1yQwbYwGf0foM.mcOeFrr/"; ## SECRET-DATA
}
}
user walter {
class juniper;
authentication {
encrypted-password "$1$hv/3C1Du$TydysUWUyfxUbanXVwc9R/"; ## SECRET-DATA
}
}
[edit system login]
Page 4
IJOS Lab Guide
Page 4
admin@SRXP# commit
commit complete
Note: The remainder of this lab part tests user login options. To prevent yourself from being
locked out, keep the current console session open!
Step 1.4 Access to the INSIDE-PA PC and use Telnet to access your INSIDE interface of SRX
device(10.0.P.1). If needed, refer to the web page diagram. Log in with the username
walter.
Step 1.5 Using the new terminal session, enter configuration mode.
Question: How does the CLI respond when you try to enter configuration mode?
____________________________________________________________________________
Answer: The CLI does not let user walter enter configuration mode. It responds by
Page 5
IJOS Lab Guide
Page 5
stating that the command is unknown.
Step 1.6 Enter a question mark (?) at the prompt to view the permitted operational mode
command options for the user walter.
Question: Why is the user walter unable to enter configuration mode?
____________________________________________________________________________
Answer: The custom login class defined for the user walter does not give permission for
entering configuration mode.
Step 1.7 Verify that the user walter can view the configuration and other operational outputs
such as interface information listed below:
. show configuration
. show interfaces
Page 6
IJOS Lab Guide
Page 6
Question: Can the user walter view the root password within the configuration? Why?
____________________________________________________________________________
Answer: No. The Junos OS hides certain configuration elements that it determines to be
security risks and notates them with a SECRET-DATA tag. In this case, the user
walter does not have the secret permission defined for his login class. The
secret permission is required to view configuration elements with the SECRET-
DATA tag.
Page 7
IJOS Lab Guide
Page 7
Step 1.8
Restart the routing process using the restart routing command. This command restarts
the routing protocol daemon (rpd), which can be useful when troubleshooting routing
problems.
Question: Which permission allows the user walter to perform this command?
____________________________________________________________________________
Answer: The reset permission allows a user to restart software processes and certain
hardware components. This permission will not, however, allow the user to
reboot the system.
Step 1.9 Log out and initiate a new Telnet session to the management interface for the user
nancy. (Hint: Use the reconnect option on your terminal client.) Attempt to restart the
routing protocol process using the restart routing command
Question: Can nancy successfully issue the restart command?
____________________________________________________________________________
Answer: As shown in the output, the user nancy cannot issue the operational mode
restart command.
Page 8
IJOS Lab Guide
Page 8
Question: What is a quick way to view the top-level operational mode commands
available to nancy?
____________________________________________________________________________
Answer: Use the question mark (?) to view available commands anywhere within a
command line. Commands that are not permitted due to user permissions do
not display.
Question: Can the user nancy view the configuration?
____________________________________________________________________________
Answer: The user nancy can issue the command show configuration, but the contents
are hidden. The following is a sample capture, taken from the SRX1 device.
Step 1.10 As login as user nancy, attempt to clear interface statistics for the ge-0/0/5 interface
using the clear interfaces statistics ge-0/0/5 command.
Question: Which permission option would allow the user nancy to clear the interface
statistics on the ge-0/0/5 interface?
____________________________________________________________________________
Answer: The clear permission option would allow this behavior.
Step 1.11
Page 9
IJOS Lab Guide
Page 9
Return to the console terminal connection and attempt to add the clear permission to
the default read-only login class. Issue the show command to view the system login
hierarchy.
[edit system login]
admin@SRXP# set class read-only permissions clear
warning: ‘read-only’ is a predefined class name; changing to ‘read-only-local’
[edit system login]
admin@SRXP# show
class juniper {
permissions [ reset view view-configuration ];
}
class read-only-local {
permissions clear;
}
user admin {
uid 2000;
class super-user;
authentication {
encrypted-password "$1$KwXSzls7$f7ZB3kFAjJRDst/CIxfLG/"; ## SECRET-DATA
}
}
user nancy {
uid 2003;
class read-only;
authentication {
encrypted-password "$1$5zDK.QBM$1yQwbYwGf0foM.mcOeFrr/"; ## SECRET-DATA
}
}
user walter {
uid 2004;
class juniper;
authentication {
encrypted-password "$1$hv/3C1Du$TydysUWUyfxUbanXVwc9R/"; ## SECRET-DATA
}
}
Question: What happened when you added the clear permission to the read-only login
class?
____________________________________________________________________________
Answer: Because you cannot alter predefined login classes, the Junos OS created a new
login class named read-only-local that is not associated with any user.
Page 10
IJOS Lab Guide
Page 10
Question: How can you add the clear permission for the user nancy?
____________________________________________________________________________
Answer: You must define a new custom login class for this functionality.
Step 1.12 Using the console connection, navigate to the top of the configuration hierarchy and
configure a RADIUS server for use with user authentication. Use commit to activate the
changes. Use the RADIUS Server Information listed below:
. RADIUS Server IP 172.16.P.10
. RADIUS Secret juniper123
Configure the authentication order so that user login attempts use only local password
authentication if the RADIUS server is unreachable.
[edit system login]
admin@SRXP# top
[edit]
admin@SRXP# set system radius-server 172.16.P.10 secret juniper123
[edit]
admin@SRXP# set system authentication-order radius
[edit]
admin@SRXP# commit
commit complete
Question: Must you include password in the authentication order to enable this behavior?
____________________________________________________________________________
Answer: No. If an authentication method is unavailable because of a network or server
outage, the software automatically consults the local password database.
Step 1.13
Return to the Telnet session in which the user nancy is logged in to the system. If you
already closed this session, initiate a new Telnet session. If the session still exists, log out
of the session and log in again as nancy.
Page 11
IJOS Lab Guide
Page 11
Note: There is no RADIUS server existing in the lab.
Question: Can you successfully login even the RADIUS server is unreachable?
____________________________________________________________________________
Answer: Yes, after entering the password, a short delay occurs while the system tries to
consult the RADIUS server, and the user receives an option to enter a local
password. After entering the user’s password, the system logs the user in.
Step 1.14 Return to your console session and delete the authentication-order statement. Activate
your configuration and log out.
[edit]
admin@SRXP# delete system authentication-order
[edit]
admin@SRXP# commit and-quit
commit complete
Exiting configuration mode
admin@SRXP> exit
SRXP (ttyu0)
login:
Page 12
IJOS Lab Guide
Page 12
Part 2: Performing System Management Options.
Step 2.1 Log in using the admin user account. Display the configuration’s system syslog hierarchy.
SRXP (ttyu0)
login: admin
Password: juniper123
--- JUNOS 11.4R2.14 built 2012-03-17 19:13:21 UTC
admin@SRXP> configure
Entering configuration mode
[edit]
admin@SRXP# show system syslog
archive size 100k files 3;
user * {
any emergency;
}
file messages {
any critical;
authorization info;
}
file interactive-commands {
interactive-commands error;
}
Question: What facilities and severity levels currently log to the messages log file?
____________________________________________________________________________
Answer: In the sample output, the messages file shows the any and authorization
facilities using the critical and info severities, respectively. The actual settings
might vary between Junos devices and software versions.
Question: What is the purpose of specifying a facility of any?
____________________________________________________________________________
Answer: This option logs all facility levels.
Page 13
IJOS Lab Guide
Page 13
Step 2.2 Navigate to the [edit system syslog] hierarchy and configure a new syslog file named
config-changes. Specify a facility of change-log and a severity of info. Also, set the
severity level for the default messages file to any.
[edit]
admin@SRXP# edit system syslog
[edit system syslog]
admin@SRXP# set file config-changes change-log info
[edit system syslog]
admin@SRXP# set file messages any any
Step 2.3 Navigate Configure your system to send logs to INSIDE-PB PC(10.0.P.11) running the
standard syslog utility. Refer to your lab diagram for the server address. (Hint: Use the
host option.) Choose the correct facility that logs access attempts on the system. (Hint:
The current messages log file is already using this facility.) Use a severity level of info.
Commit your changes and exit configuration mode using the commit and-quit
command.
[edit system syslog]
admin@SRXP# set host 10.0.P.11 authorization info
[edit system syslog]
admin@SRXP# commit and-quit
commit complete
Exiting configuration mode
Step 2.4
Install 3ComDaemon Syslog server to your INSIDE-PB PC.
Access the INSIDE-PB PC and install the 3CDeamon server by accessing the software from
(CD2) E:\3com Daemon Directory. After the installation, start the application and keep it
ready to receive the log from SRX device.
Step 2.5
Page 14
IJOS Lab Guide
Page 14
Using the file list /var/log command, verify the creation of a log file named config-
changes.
admin@SRXP> file list /var/log
/var/log@ -> /cf/var/log
admin@SRXP> file list /cf/var/log
/cf/var/log:
TRACE.OSPF
TRACE.OSPF.0.gz
__jsrpd_commit_check__
appidd
authd_libstats
authd_profilelib
authd_sdb.log
autod
chassisd
config-changes
cosd
dcd
dfwc
eccd
ext/
flowc/
fwauthd_chk_only
ggsn/
gres-tp
httpd.log
idpd
idpinfo_err.20120402
ifstraced
interactive-commands
inventory
jsrpd
kmd
license
license_subs_trace.log
mastership
messages
messages.0.gz
messages.1.gz
nsd_chk_only
nstraced_chk_only
pf
Page 15
IJOS Lab Guide
Page 15
pfed
pgmd
rtlogd
snapshot
utmd-av
wtmp
wtmp.0.gz
wtmp.1.gz
wtmp.2.gz
wtmp.3.gz
---(more)---
Note: The files stored in the /var/log/ directory might vary between each system.
Question: What other log files from your system’s configuration does this directory store?
____________________________________________________________________________
Answer: Although the files in the /var/log/ directory might vary on each system, the
messages and interactive-commands log files should be present on all
systems.
Step 2.6 Configure the system to synchronize its clock with an NTP server (RBB Router). The
server’s IP address is 192.168.P.1.
admin@SRXP> configure
Entering configuration mode
[edit]
admin@SRXP# set system ntp server 192.168.P.1
Step 2.7 Use the same IP address used in the previous step and configure an NTP
boot server. Commit the configuration and return to operational mode.
[edit]
admin@SRXP# set system ntp boot-server 192.168.P.1
[edit]
admin@SRXP# commit and-quit
commit complete
Page 16
IJOS Lab Guide
Page 16
Exiting configuration mode
admin@SRXP>
Step 2.8 View the config-changes log and verify the logging of the latest configuration
changes.
admin@SRXP> show log config-changes
May 3 00:47:56 SRXP clear-log[6519]: logfile cleared
May 3 00:48:15 SRXP mgd[5323]: UI_CFG_AUDIT_OTHER: User 'admin' set: [system ntp]
May 3 00:48:15 SRXP mgd[5323]: UI_CFG_AUDIT_OTHER: User 'admin' set: [system ntp server 192.168.P.1]
May 3 00:48:24 SRXP mgd[5323]: UI_CFG_AUDIT_SET: User 'admin' set: [system ntp boot-server]
<unconfigured> -> "192.168.P.1"
Step 2.9 Manually force synchronization with the NTP server by issuing the set date ntp
operational mode command.
admin@SRXP> set date ntp
3 May 00:51:26 ntpdate[6816]: step time server 192.168.P.1 offset -0.036011 sec
Step 2.10
Verify synchronization with the NTP server by using the show ntp associations
command. The system is synchronized with the NTP server if you see the server address
in the remote column with an asterisk (*) next to it. Check the current system time using
the show system uptime command.
Note: It might take a few minutes for the system’s time to synchronize with the NTP server.
admin@SRXP> show ntp associations
remote refid st t when poll reach delay offset jitter
============================================================
*192.168.P.1 192.168.1.2 4 - 14 64 1 1.073 0.113 1.178
admin@SRXP> show system uptime
Current time: 2012-05-03 08:44:27 CST
System booted: 2012-05-02 16:55:56 CST (15:48:31 ago)
Protocols started: 2012-05-02 22:59:57 CST (09:44:30 ago)
Last configured: 2012-05-03 00:48:36 CST (07:55:51 ago) by admin
Page 17
IJOS Lab Guide
Page 17
8:44AM up 15:49, 1 user, load averages: 0.02, 0.03, 0.01
Question: What does the asterisk (*) next to the NTP server address signify?
____________________________________________________________________________
Answer: The asterisk (*) represents the peer chosen for synchronization as well as a
synchronized state with that peer. When you define multiple NTP peers, the
system selects only a single NTP peer.
Step 2.11 Return to configuration mode and configure the system to allow SNMP access using a
community value of junos. The system should allow processing of SNMP messages only
when it receives them from the NMS server’s IP address. Use INSIDE-PB(10.0.P.11) as the
server’s IP address.
admin@SRXP> configure
Entering configuration mode
[edit]
admin@SRXP# set snmp community junos clients 10.0.P.11
Step 2.12 Configure an SNMP trap group to send traps to the NMS server. The SNMP trap group
should send traps whenever an interface transitions to a down state. Name the trap
group interfaces.
[edit]
admin@SRXP# set snmp trap-group interfaces targets 10.0.P.11
[edit]
admin@SRXP# set snmp trap-group interfaces categories link
Question: What trap category do you enable to receive traps for an over-temperature
condition?
____________________________________________________________________________
Answer: You enable the chassis category to send traps for an over-temperature
Condition.
Note: In subsequent steps you will disable the ge-0/0/2 interface. Ensure that the
Page 18
IJOS Lab Guide
Page 18
terminal session to your system uses the console connection.
Step 2.13 To test your SNMP configuration, temporarily disable the ge-0/0/2 interface using the
set interfaces ge-0/0/2 disable command. Commit the new setting and verify that the
interface is down using the run show interfaces ge-0/0/2 terse command. Next, re-
enable the interface by issuing the delete interfaces ge-0/0/2 disable command. Commit
the change and return to operational mode.
[edit]
admin@SRXP# set interfaces ge-0/0/2 disable
[edit]
admin@SRXP# commit
commit complete
[edit]
admin@SRXP# delete interfaces ge-0/0/2 disable
[edit]
admin@SRXP# commit and-quit
commit complete
Exiting configuration mode
admin@SRXP>
Step 2.14 Verify that the interface transition resulted in the sending of a trap by viewing the
messages log. Use the pipe symbol (|) and match on the ge-0/0/2 interface and the
keyword snmp to parse the messages log output. Next, issue the show snmp statistics
command and confirm that the Traps value in the Output section is not zero.
admin@SRXP> show log messages | match ge-0/0/2 | match snmp
May 3 12:43:29 SRXP mib2d[1206]: SNMP_TRAP_LINK_DOWN: ifIndex 509, ifAdminStatus down(2), ifOperStatus
down(2), ifName ge-0/0/2
May 3 12:44:02 SRXP mib2d[1206]: SNMP_TRAP_LINK_UP: ifIndex 509, ifAdminStatus up(1), ifOperStatus
up(1), ifName ge-0/0/2
May 3 12:44:02 SRXP mib2d[1206]: SNMP_TRAP_LINK_UP: ifIndex 531, ifAdminStatus up(1), ifOperStatus
up(1), ifName ge-0/0/2.0
Page 19
IJOS Lab Guide
Page 19
May 3 12:46:04 SRXP mgd[5323]: UI_CMDLINE_READ_LINE: User 'admin', command 'show log messages | match
ge-0/0/2 | match snmp '
admin@SRXP> show snmp statistics
SNMP statistics:
Input:
Packets: 0, Bad versions: 0, Bad community names: 0,
Bad community uses: 0, ASN parse errors: 0,
Too bigs: 0, No such names: 0, Bad values: 0,
Read onlys: 0, General errors: 0,
Total request varbinds: 0, Total set varbinds: 0,
Get requests: 0, Get nexts: 0, Set requests: 0,
Get responses: 0, Traps: 0,
Silent drops: 0, Proxy drops: 0, Commit pending drops: 0,
Throttle drops: 0, Duplicate request drops: 0
V3 Input:
Unknown security models: 0, Invalid messages: 0
Unknown pdu handlers: 0, Unavailable contexts: 0
Unknown contexts: 0, Unsupported security levels: 0
Not in time windows: 0, Unknown user names: 0
Unknown engine ids: 0, Wrong digests: 0, Decryption errors: 0
Output:
Packets: 6, Too bigs: 0, No such names: 0,
Bad values: 0, General errors: 0,
Get requests: 0, Get nexts: 0, Set requests: 0,
Get responses: 0, Traps: 6
Question: Does the messages log show trap entries associated with the interface status
change?
____________________________________________________________________________
Answer: Yes, you should see log entries for the status change for both the physical and
the logical interfaces.
Question: Does the show snmp statistics command list a non-zero value for outgoing
traps?
____________________________________________________________________________
Answer: Yes, you should see a non-zero value for the output traps counter. In the
sample output, you can see a value of 6. Your counter’s value might vary.
Step 2.15
Page 20
IJOS Lab Guide
Page 20
Perform an SNMP MIB walk with the Junos CLI using the show snmp mib walk
jnxOperatingDescr command. Note that the resolved object identifier (OID) of
jnxOperatingDescr is case sensitive. The OID is variable; we are simply using this OID as
an example.
admin@SRXP> show snmp mib walk jnxOperatingDescr
jnxOperatingDescr.1.1.0.0 = midplane
jnxOperatingDescr.2.1.0.0 = PEM 0
jnxOperatingDescr.4.1.0.0 = SRX240 PowerSupply fan 1
jnxOperatingDescr.4.2.0.0 = SRX240 PowerSupply fan 2
jnxOperatingDescr.4.3.0.0 = SRX240 CPU fan 1
jnxOperatingDescr.4.4.0.0 = SRX240 CPU fan 2
jnxOperatingDescr.4.5.0.0 = SRX240 IO fan 1
jnxOperatingDescr.4.6.0.0 = SRX240 IO fan 2
jnxOperatingDescr.7.1.0.0 = FPC: FPC @ 0/*/*
jnxOperatingDescr.8.1.1.0 = PIC: 16x GE Base PIC @ 0/0/*
jnxOperatingDescr.9.1.0.0 = Routing Engine
jnxOperatingDescr.9.1.1.0 = USB Hub
Note: The Junos OS accepts both the dotted-decimal notation and alpha-numeric notation
of SNMP MIB OIDs. The previous example polls the Juniper Networks Chassis MIB for a
mapping of component OIDs. This tool is helpful for deciphering what component
might be initiating an SNMP trap when your NMS station reports the OID in only a
dotted-decimal notation. You do not need to configure SNMP to perform SNMP
polling from within the Junos OS.
Question: What OID associates with the Routing Engine (RE) for your system?
____________________________________________________________________________
Answer: The RE associates with the 9.1.0.0 OID leaf. This leaf is merely one leaf in the
MIB tree and does not represent the full OID string.
Step 2.16 Create ftp account to 3ComDaemon Syslog server on your INSIDE-PB PC.
Access to the 3CDeamon server on your INSIDE-PB PC, create a FTP user account with
username ftp and password juniper123. Also create a new directory as the root directory for
your FTP server.
Note: This FTP server will be used in the next step to receive files from the SRX device.
Page 21
IJOS Lab Guide
Page 21
Step 2.17 Enter configuration mode and configure your system to archive its configuration to a
remote FTP server INSIDE-PB PC(10.0.P.11) whenever a commit operation occurs. You
should configure the archive-sites as “ftp://[email protected] ” including the quotation
marks. You should configure the password as juniper123. You perform this
configuration under the [edit system archival configuration] hierarchy level. Commit
your configuration and return to operational mode
admin@SRXP> configure
Entering configuration mode
[edit]
admin@SRXP# edit system archival configuration
[edit system archival configuration]
admin@SRXP# set archive-sites "ftp://[email protected] " password juniper123
[edit system archival configuration]
admin@SRXP# set transfer-on-commit
[edit system archival configuration]
admin@SRXP# commit and-quit
commit complete
Exiting configuration mode
Step 2.18 Verify that the configuration successfully transferred to the remote FTP server by using
the show log messages | match transfer command
admin@SRXP> show log messages | match transfer
May 3 13:02:06 SRXP mgd[5323]: UI_CFG_AUDIT_SET: User 'admin' set: [system archival configuration]
<unconfigured> -> "transfer-on-commit"
May 3 13:02:06 SRXP mgd[5323]: UI_CMDLINE_READ_LINE: User 'admin', command 'set transfer-on-commit '
May 3 13:02:57 SRXP logger: transfer-file failed to transfer
/var/transfer/config/SRXP_juniper.conf.gz_20120503_050225
May 3 13:05:27 SRXP mgd[5323]: UI_CMDLINE_READ_LINE: User 'admin', command 'show log messages | match
transfer '
May 3 13:06:57 SRXP1 logger: transfer-file: Transferred
/var/transfer/config/SRXP1_juniper.conf.gz_20120503_050630
May 3 13:06:58 SRXP1 logger: transfer-file: Transferred
/var/transfer/config/SRXP_juniper.conf.gz_20120503_050225
Page 22
IJOS Lab Guide
Page 22
May 3 13:07:07 SRXP1 mgd[5323]: UI_CMDLINE_READ_LINE: User 'admin', command 'show log messages | match
transfer '
Note: Even when using the transfer-on-commit option with configuration archival, the
transfer is cyclical and uses a short time interval. If you do not see the transfer in your
log, wait a minute or two and look again.
Question: What do the numbers at the end of the transferred filename represent?
____________________________________________________________________________
Answer: The configuration file contains the current date and UTC time according to the
system clock.
Step 2.19 Save the current configuration to admin’s home directory.
admin@SRXP> file list
/cf/var/home/admin/:
.ssh/
IJOS.LAB1
IJOS.LAB2
admin@SRXP> configure
Entering configuration mode
[edit]
admin@SRXP# save IJOS.LAB3
Wrote 146 lines of configuration to 'IJOS.LAB3'
[edit]
[edit]
admin@SRXP# run file list
/cf/var/home/admin/:
.ssh/
IJOS.LAB1
IJOS.LAB2
IJOS.LAB3
By saving your current configuration, you are able to rollback at anytime.
For Example:
[edit]
Page 23
IJOS Lab Guide
Page 23
admin@SRXP# load override IJOS.LAB3
load complete
[edit]
admin@SRXP# commit
commit complete
Tell your instructor that you have completed this lab.
