
IJOS Lab Guide

Lab 3: Secondary System Configuration

In this activity, you will perform the following tasks:

Part 1: Define user accounts and authentication options.
Part 2: Set up and verify proper operation of system logging (syslog).
Part 3: Configure and monitor NTP.
Part 4: Enable and monitor the operation of SNMP.
Part 5: Configure and monitor the configuration archival feature.

Page 1


Part 1: Loading a Factory-Default Configuration

Step 1.1

Log in as the admin user and enter configuration mode. Define a custom login class named juniper with the following permissions:

- view
- view-configuration
- reset

SRXP (ttyu0)

login: admin
Password: juniper123

--- JUNOS 11.4R2.14 built 2012-03-17 19:13:21 UTC
admin@SRXP> configure
Entering configuration mode

[edit]
admin@SRXP# edit system login

[edit system login]
admin@SRXP# set class juniper permissions [view view-configuration reset]

[edit system login]
admin@SRXP#

Step 1.2

Next, define two new user accounts using the information from the following requirements.

Username   Class       Plain-Text Password
walter     juniper     walter123
nancy      read-only   nancy123

[edit system login]
admin@SRXP# set user walter class juniper

[edit system login]
admin@SRXP# set user walter authentication plain-text-password
New password: walter123
Retype new password: walter123

[edit system login]
admin@SRXP# set user nancy class read-only

[edit system login]
admin@SRXP# set user nancy authentication plain-text-password
New password: nancy123
Retype new password: nancy123

Step 1.3

View the configuration under the [edit system login] hierarchy level. If you are satisfied with the results, activate your new configuration by issuing the commit command.

[edit system login]
admin@SRXP# show
class juniper {
    permissions [ reset view view-configuration ];
}
user admin {
    uid 2000;
    class super-user;
    authentication {
        encrypted-password "$1$KwXSzls7$f7ZB3kFAjJRDst/CIxfLG/"; ## SECRET-DATA
    }
}
user nancy {
    class read-only;
    authentication {
        encrypted-password "$1$5zDK.QBM$1yQwbYwGf0foM.mcOeFrr/"; ## SECRET-DATA
    }
}
user walter {
    class juniper;
    authentication {
        encrypted-password "$1$hv/3C1Du$TydysUWUyfxUbanXVwc9R/"; ## SECRET-DATA
    }
}

[edit system login]
admin@SRXP# commit
commit complete

Note:

The remainder of this lab part tests user login options. To prevent yourself from being locked out, keep the current console session open!

Step 1.4

Access the INSIDE-PA PC and use Telnet to connect to the INSIDE interface of the SRX device (10.0.P.1). If needed, refer to the web page diagram. Log in with the username walter.

Step 1.5

Using the new terminal session, enter configuration mode.


Question:

How does the CLI respond when you try to enter configuration mode?

Answer:

The CLI does not let user walter enter configuration mode. It responds by stating that the command is unknown.

Step 1.6

Enter a question mark (?) at the prompt to view the permitted operational mode command options for the user walter.


Question:

Why is the user walter unable to enter configuration mode?

Answer:

The custom login class defined for the user walter does not give permission for entering configuration mode.

Step 1.7

Verify that the user walter can view the configuration and other operational outputs such as interface information listed below:

- show configuration
- show interfaces


Question:

Can the user walter view the root password within the configuration? Why?

Answer:

No. The Junos OS hides certain configuration elements that it determines to be security risks and notates them with a SECRET-DATA tag. In this case, the user walter does not have the secret permission defined for his login class. The secret permission is required to view configuration elements with the SECRET-DATA tag.


Step 1.8

Restart the routing process using the restart routing command. This command restarts the routing protocol daemon (rpd), which can be useful when troubleshooting routing problems.


Question:

Which permission allows the user walter to perform this command?

Answer:

The reset permission allows a user to restart software processes and certain hardware components. This permission will not, however, allow the user to reboot the system.

Step 1.9

Log out and initiate a new Telnet session to the management interface for the user nancy. (Hint: Use the reconnect option on your terminal client.) Attempt to restart the routing protocol process using the restart routing command.


Question:

Can nancy successfully issue the restart command?

Answer:

As shown in the output, the user nancy cannot issue the operational mode restart command.


Question:

What is a quick way to view the top-level operational mode commands available to nancy?

Answer:

Use the question mark (?) to view available commands anywhere within a command line. Commands that are not permitted due to user permissions do not display.

Question:

Can the user nancy view the configuration?

Answer:

The user nancy can issue the command show configuration, but the contents are hidden. The following is a sample capture, taken from the SRX1 device.


Step 1.10

While logged in as user nancy, attempt to clear interface statistics for the ge-0/0/5 interface using the clear interfaces statistics ge-0/0/5 command.


Question:

Which permission option would allow the user nancy to clear the interface statistics on the ge-0/0/5 interface?

Answer:

The clear permission option would allow this behavior.

Step 1.11


Return to the console terminal connection and attempt to add the clear permission to the default read-only login class. Issue the show command to view the system login hierarchy.

[edit system login]
admin@SRXP# set class read-only permissions clear
warning: read-only is a predefined class name; changing to read-only-local

[edit system login]
admin@SRXP# show
class juniper {
    permissions [ reset view view-configuration ];
}
class read-only-local {
    permissions clear;
}
user admin {
    uid 2000;
    class super-user;
    authentication {
        encrypted-password "$1$KwXSzls7$f7ZB3kFAjJRDst/CIxfLG/"; ## SECRET-DATA
    }
}
user nancy {
    uid 2003;
    class read-only;
    authentication {
        encrypted-password "$1$5zDK.QBM$1yQwbYwGf0foM.mcOeFrr/"; ## SECRET-DATA
    }
}
user walter {
    uid 2004;
    class juniper;
    authentication {
        encrypted-password "$1$hv/3C1Du$TydysUWUyfxUbanXVwc9R/"; ## SECRET-DATA
    }
}

Question:

What happened when you added the clear permission to the read-only login class?

Answer:

Because you cannot alter predefined login classes, the Junos OS created a new login class named read-only-local that is not associated with any user.


Question:

How can you add the clear permission for the user nancy?

Answer:

You must define a new custom login class for this functionality.
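The following Python script is an added example and is not part of the Juniper lab guide. It parses the [edit system login] hierarchy shown in Step 1.11 into nested dictionaries and then answers the questions from Steps 1.5 through 1.11 mechanically: which permissions a user's login class grants, and which custom classes no user references (the read-only-local class that Junos created instead of modifying the predefined read-only class). The sample configuration is constructed from the show output above with the password hashes replaced by placeholders; the permission sets of the predefined classes are taken from the Junos documentation, and the "all" pseudo-permission used for super-user is this script's own convention.

```python
import re

# Constructed sample modelled on the lab's "show" output under [edit system login]
# after Step 1.11; the password hashes are replaced with placeholders.
SAMPLE_LOGIN_CONFIG = """\
class juniper {
    permissions [ reset view view-configuration ];
}
class read-only-local {
    permissions clear;
}
user admin {
    uid 2000;
    class super-user;
    authentication {
        encrypted-password "HASH-PLACEHOLDER"; ## SECRET-DATA
    }
}
user nancy {
    uid 2003;
    class read-only;
    authentication {
        encrypted-password "HASH-PLACEHOLDER"; ## SECRET-DATA
    }
}
user walter {
    uid 2004;
    class juniper;
    authentication {
        encrypted-password "HASH-PLACEHOLDER"; ## SECRET-DATA
    }
}
"""

# Permission sets of the Junos predefined login classes, which cannot be edited.
# "all" is this script's pseudo-permission standing for the super-user class.
PREDEFINED_CLASSES = {
    "super-user": {"all"},
    "operator": {"clear", "network", "reset", "trace", "view"},
    "read-only": {"view"},
    "unauthorized": set(),
}

LIST_STMT = re.compile(r"^(\S+)\s+\[\s*(.*?)\s*\]$")


def parse_junos(text):
    """Parse brace-style Junos configuration text into nested dicts.

    Containers ("user nancy {") become dicts keyed by their header line,
    statements ("class juniper;") become key/value pairs and bracketed lists
    become Python lists. Trailing "## SECRET-DATA" annotations are discarded.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.split("##", 1)[0].strip()
        if not line:
            continue
        if line.endswith("{"):
            container = {}
            stack[-1][line[:-1].strip()] = container
            stack.append(container)
        elif line == "}":
            stack.pop()
        elif line.endswith(";"):
            stmt = line[:-1].strip()
            match = LIST_STMT.match(stmt)
            if match:
                stack[-1][match.group(1)] = match.group(2).split()
            else:
                key, _, value = stmt.partition(" ")
                stack[-1][key] = value.strip().strip('"') if value else True
    if len(stack) != 1:
        raise ValueError("unbalanced braces in configuration text")
    return root


def login_classes(config):
    """Map every class name (predefined plus custom) to its permission set."""
    classes = {name: set(perms) for name, perms in PREDEFINED_CLASSES.items()}
    for header, body in config.items():
        if header.startswith("class "):
            perms = body.get("permissions", [])
            classes[header.split(None, 1)[1]] = set([perms] if isinstance(perms, str) else perms)
    return classes


def user_classes(config):
    """Map each configured username to the login class it is assigned."""
    return {header.split(None, 1)[1]: body.get("class")
            for header, body in config.items() if header.startswith("user ")}


def user_can(config, username, permission):
    """True if the user's class grants the permission; super-user grants everything."""
    perms = login_classes(config).get(user_classes(config).get(username), set())
    return "all" in perms or permission in perms


def orphan_classes(config):
    """Custom classes that no user references, such as the read-only-local class
    Junos created when the lab tried to change the predefined read-only class."""
    referenced = set(user_classes(config).values())
    return [header.split(None, 1)[1] for header in config
            if header.startswith("class ") and header.split(None, 1)[1] not in referenced]


if __name__ == "__main__":
    cfg = parse_junos(SAMPLE_LOGIN_CONFIG)
    for user, perm in [("walter", "configure"), ("walter", "reset"), ("walter", "secret"),
                       ("nancy", "clear"), ("admin", "configure")]:
        print(f"{user:7} {perm:10} -> {'allowed' if user_can(cfg, user, perm) else 'denied'}")
    print("classes with no users:", orphan_classes(cfg))
```

Run against the sample, the script reports that walter may reset but not configure or view secret data, that nancy may not clear, and that read-only-local is a class nobody uses. The same functions can be pointed at a saved `show configuration system login` capture to review which accounts hold configure, secret or reset rights before a class change is committed.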

Step 1.12

Using the console connection, navigate to the top of the configuration hierarchy and configure a RADIUS server for use with user authentication. Use commit to activate the changes. Use the RADIUS server information listed below:

- RADIUS Server IP: 172.16.P.10
- RADIUS Secret: juniper123

Configure the authentication order so that user login attempts use only local password authentication if the RADIUS server is unreachable.

[edit system login]
admin@SRXP# top

[edit]
admin@SRXP# set system radius-server 172.16.P.10 secret juniper123

[edit]
admin@SRXP# set system authentication-order radius

[edit]
admin@SRXP# commit
commit complete

Question:

Must you include password in the authentication order to enable this behavior?

Answer:

No. If an authentication method is unavailable because of a network or server outage, the software automatically consults the local password database.

Step 1.13

Return to the Telnet session in which the user nancy is logged in to the system. If you already closed this session, initiate a new Telnet session. If the session still exists, log out of the session and log in again as nancy.


Note:

There is no RADIUS server existing in the lab.

Question:

Can you successfully log in even though the RADIUS server is unreachable?

Answer:

Yes, after entering the password, a short delay occurs while the system tries to consult the RADIUS server, and the user receives an option to enter a local password. After entering the user’s password, the system logs the user in.

Step 1.14

Return to your console session and delete the authentication-order statement. Activate your configuration and log out.

[edit]
admin@SRXP# delete system authentication-order

[edit]
admin@SRXP# commit and-quit
commit complete
Exiting configuration mode

admin@SRXP> exit

SRXP (ttyu0)

login:


Part 2: Performing System Management Options.

Step 2.1

Log in using the admin user account. Display the configuration’s system syslog hierarchy.

SRXP (ttyu0)

login: admin
Password: juniper123

--- JUNOS 11.4R2.14 built 2012-03-17 19:13:21 UTC
admin@SRXP> configure
Entering configuration mode

[edit]
admin@SRXP# show system syslog
archive size 100k files 3;
user * {
    any emergency;
}
file messages {
    any critical;
    authorization info;
}
file interactive-commands {
    interactive-commands error;
}

Question:

What facilities and severity levels currently log to the messages log file?

Answer:

In the sample output, the messages file shows the any and authorization facilities using the critical and info severities, respectively. The actual settings might vary between Junos devices and software versions.

Question:

What is the purpose of specifying a facility of any?

Answer:

This option logs all facility levels.


Step 2.2

Navigate to the [edit system syslog] hierarchy and configure a new syslog file named config-changes. Specify a facility of change-log and a severity of info. Also, set the severity level for the default messages file to any.

[edit]
admin@SRXP# edit system syslog

[edit system syslog]
admin@SRXP# set file config-changes change-log info

[edit system syslog]
admin@SRXP# set file messages any any

Step 2.3

Configure your system to send logs to the INSIDE-PB PC (10.0.P.11), which runs the standard syslog utility. Refer to your lab diagram for the server address. (Hint: Use the host option.) Choose the correct facility that logs access attempts on the system. (Hint: The current messages log file is already using this facility.) Use a severity level of info. Commit your changes and exit configuration mode using the commit and-quit command.

[edit system syslog]
admin@SRXP# set host 10.0.P.11 authorization info

[edit system syslog]
admin@SRXP# commit and-quit
commit complete
Exiting configuration mode
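The following Python script is an added example, not code from the lab guide or from Juniper, showing what the syslog server on the INSIDE-PB PC actually receives from the host statement above: BSD-style datagrams whose leading PRI value encodes facility and severity (PRI = facility * 8 + severity, so <38> is facility 4, auth, at severity 6, info). The script decodes that header and builds a filter equivalent to a Junos host <ip> <facility> <severity> statement, so the effect of "authorization info" versus "any critical" can be seen on sample lines. The datagrams are constructed for this example (the PRI prefixes in particular), and the mapping from the Junos facility keyword authorization to standard facility code 4 is an assumption of this script.

```python
import re
import socket

SEVERITIES = ["emergency", "alert", "critical", "error", "warning", "notice", "info", "debug"]
FACILITIES = {0: "kernel", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
              6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
              12: "ntp", 13: "security", 14: "console", 15: "clock"}
FACILITIES.update({16 + n: f"local{n}" for n in range(8)})

# Assumed mapping from the Junos facility keywords used in the lab to the standard
# syslog facility codes the messages are sent with ("any" matches every facility).
JUNOS_FACILITY_CODES = {"authorization": 4, "daemon": 3, "kernel": 0, "user": 1}

# Constructed sample datagrams in BSD syslog (RFC 3164) form, modelled on the
# message bodies in this lab; the <PRI> prefixes and bodies marked constructed are mine.
SAMPLE_DATAGRAMS = [
    "<38>May  3 00:52:10 SRXP login: user 'walter' logged in from 10.0.P.10 (constructed)",
    "<190>May  3 00:48:15 SRXP mgd[5323]: UI_CFG_AUDIT_SET: User 'admin' set: "
    "[system ntp boot-server] <unconfigured> -> \"192.168.P.1\"",
    "<26>May  3 00:55:41 SRXP chassisd[1402]: temperature alarm (constructed)",
    "May  3 00:56:00 SRXP mgd[5323]: line without a PRI header (constructed)",
]

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<process>[\w.-]+)(?:\[(?P<pid>\d+)\])?: (?P<message>.*)$")


def decode(datagram):
    """Split a syslog line into fields and decode PRI into facility and severity.

    Returns None for lines without a valid PRI header rather than guessing.
    """
    match = SYSLOG_RE.match(datagram)
    if not match:
        return None
    pri = int(match.group("pri"))
    if pri > 191:  # 23 * 8 + 7 is the largest legal value
        return None
    event = match.groupdict()
    event["facility"] = FACILITIES[pri // 8]
    event["severity"] = SEVERITIES[pri % 8]
    event["pid"] = int(event["pid"]) if event["pid"] else None
    return event


def make_filter(facility, severity):
    """Predicate equivalent to a Junos 'host <ip> <facility> <severity>' statement:
    the facility must match (or be 'any') and the message must be at the given
    severity or more severe (a lower severity code)."""
    code = None if facility == "any" else JUNOS_FACILITY_CODES[facility]
    threshold = SEVERITIES.index(severity)

    def allow(event):
        facility_ok = code is None or event["facility"] == FACILITIES[code]
        return facility_ok and SEVERITIES.index(event["severity"]) <= threshold
    return allow


def select(datagrams, facility, severity):
    """Decode every datagram and keep those the filter would forward."""
    allow = make_filter(facility, severity)
    return [e for e in map(decode, datagrams) if e is not None and allow(e)]


def serve(bind="0.0.0.0", port=514):
    """Minimal UDP receiver in the role of the lab's syslog server (not run by default)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind, port))
        while True:
            data, (src, _) = sock.recvfrom(8192)
            event = decode(data.decode("utf-8", "replace"))
            if event:
                print(f"{src} {event['facility']}.{event['severity']} "
                      f"{event['process']}: {event['message']}")
            else:
                print(f"{src} unparseable: {data!r}")


if __name__ == "__main__":
    for event in select(SAMPLE_DATAGRAMS, "authorization", "info"):
        print(f"forward {event['facility']}.{event['severity']}: {event['message']}")
```

With the lab's "authorization info" filter only the login event is forwarded; "any critical" forwards only the chassis alarm, and "any info" forwards all three decodable lines, which is why the lab answer describes a facility of any as logging all facilities. The line without a PRI header is reported as unparseable instead of being silently assigned a facility.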

Step 2.4

Install the 3CDaemon syslog server on your INSIDE-PB PC.

Access the INSIDE-PB PC and install the 3CDaemon server from the E:\3com Daemon directory (CD2). After the installation, start the application and keep it ready to receive the log from the SRX device.

Step 2.5


Using the file list /var/log command, verify the creation of a log file named config-changes.

admin@SRXP> file list /var/log
/var/log@ -> /cf/var/log

admin@SRXP> file list /cf/var/log
/cf/var/log:
TRACE.OSPF
TRACE.OSPF.0.gz
jsrpd_commit_check
appidd
authd_libstats
authd_profilelib
authd_sdb.log
autod
chassisd
config-changes
cosd
dcd
dfwc
eccd
ext/
flowc/
fwauthd_chk_only
ggsn/
gres-tp
httpd.log
idpd
idpinfo_err.20120402
ifstraced
interactive-commands
inventory
jsrpd
kmd
license
license_subs_trace.log
mastership
messages
messages.0.gz
messages.1.gz
nsd_chk_only
nstraced_chk_only
pf
pfed
pgmd
rtlogd
snapshot
utmd-av
wtmp
wtmp.0.gz
wtmp.1.gz
wtmp.2.gz
wtmp.3.gz
---(more)---

Note:

The files stored in the /var/log/ directory might vary between each system.

Question:

What other log files from your system’s configuration does this directory store?

Answer:

Although the files in the /var/log/ directory might vary on each system, the messages and interactive-commands log files should be present on all systems.

Step 2.6

Configure the system to synchronize its clock with an NTP server (RBB Router). The server’s IP address is 192.168.P.1.

admin@SRXP> configure
Entering configuration mode

[edit]
admin@SRXP# set system ntp server 192.168.P.1

Step 2.7

Use the same IP address used in the previous step and configure an NTP boot server. Commit the configuration and return to operational mode.

[edit]
admin@SRXP# set system ntp boot-server 192.168.P.1

[edit]
admin@SRXP# commit and-quit
commit complete
Exiting configuration mode

admin@SRXP>

Step 2.8

View the config-changes log and verify the logging of the latest configuration changes.

admin@SRXP> show log config-changes
May 3 00:47:56 SRXP clear-log[6519]: logfile cleared
May 3 00:48:15 SRXP mgd[5323]: UI_CFG_AUDIT_OTHER: User 'admin' set: [system ntp]
May 3 00:48:15 SRXP mgd[5323]: UI_CFG_AUDIT_OTHER: User 'admin' set: [system ntp server 192.168.P.1]
May 3 00:48:24 SRXP mgd[5323]: UI_CFG_AUDIT_SET: User 'admin' set: [system ntp boot-server] <unconfigured> -> "192.168.P.1"

Step 2.9

Manually force synchronization with the NTP server by issuing the set date ntp operational mode command.

admin@SRXP> set date ntp
3 May 00:51:26 ntpdate[6816]: step time server 192.168.P.1 offset -0.036011 sec

Step 2.10

Verify synchronization with the NTP server by using the show ntp associations command. The system is synchronized with the NTP server if you see the server address in the remote column with an asterisk (*) next to it. Check the current system time using the show system uptime command.

Note:

It might take a few minutes for the system’s time to synchronize with the NTP server.

admin@SRXP> show ntp associations
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*192.168.P.1     192.168.1.2      4 -   14   64    1    1.073    0.113   1.178

admin@SRXP> show system uptime
Current time: 2012-05-03 08:44:27 CST
System booted: 2012-05-02 16:55:56 CST (15:48:31 ago)
Protocols started: 2012-05-02 22:59:57 CST (09:44:30 ago)
Last configured: 2012-05-03 00:48:36 CST (07:55:51 ago) by admin
8:44AM up 15:49, 1 user, load averages: 0.02, 0.03, 0.01

Question:

What does the asterisk (*) next to the NTP server address signify?

Answer:

The asterisk (*) represents the peer chosen for synchronization as well as a synchronized state with that peer. When you define multiple NTP peers, the system selects only a single NTP peer.
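The following Python script is an added example and is not part of the Juniper lab guide. It parses the show ntp associations table from Step 2.10, finds the peer marked with the asterisk, and turns the columns the lab does not explain into a health check: reach is an octal shift register of the last eight polls (377 means all eight answered, the lab's value of 1 means only the most recent one did, which is normal right after set date ntp), stratum 16 marks a server that is itself unsynchronised, and offset is the clock error in milliseconds. Both association tables below are constructed: the first reproduces the lab's output, the second is a fully settled table added to show what a clean result looks like. The tally characters follow the ntpq conventions and the 100 ms offset threshold is this script's choice.

```python
import re

# Constructed sample: the "show ntp associations" output from this lab, re-aligned
# into the column layout the command prints.
SAMPLE_ASSOCIATIONS = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*192.168.P.1     192.168.1.2      4 -   14   64    1    1.073    0.113   1.178
"""

# Second constructed sample: a fully reachable selected peer plus a candidate (+),
# i.e. a table that should produce no findings.
HEALTHY_ASSOCIATIONS = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*192.168.P.1     192.168.1.2      4 u   22   64  377    1.073    0.113   0.180
+192.168.P.2     192.168.1.2      4 u   30   64  377    1.210   -0.420   0.201
"""

# First column tally (ntpq conventions): "*" peer the clock follows, "+" candidate,
# "-" outlier, "x" falseticker, "#" backup, "." excess, "o" PPS peer, " " discarded.
ROW_RE = re.compile(
    r"^(?P<tally>[ *+#x.o-])(?P<remote>\S+)\s+(?P<refid>\S+)\s+(?P<stratum>\d+)\s+"
    r"(?P<type>\S)\s+(?P<when>\S+)\s+(?P<poll>\d+)\s+(?P<reach>[0-7]+)\s+"
    r"(?P<delay>-?\d+\.\d+)\s+(?P<offset>-?\d+\.\d+)\s+(?P<jitter>\d+\.\d+)\s*$")


def parse_associations(text):
    """Parse the association table into one dict per peer; header lines are skipped."""
    rows = []
    for line in text.splitlines():
        match = ROW_RE.match(line)
        if not match:
            continue
        row = match.groupdict()
        row["stratum"] = int(row["stratum"])
        row["poll"] = int(row["poll"])
        row["reach"] = int(row["reach"], 8)  # octal shift register of the last 8 polls
        for key in ("delay", "offset", "jitter"):
            row[key] = float(row[key])  # milliseconds
        rows.append(row)
    return rows


def selected_peer(rows):
    """The peer marked "*", i.e. the one the system clock is synchronised to, or None."""
    return next((row for row in rows if row["tally"] == "*"), None)


def check_sync(rows, max_offset_ms=100.0):
    """Return a list of findings; an empty list means the clock is healthy."""
    peer = selected_peer(rows)
    if peer is None:
        return ["no peer selected (*): the system clock is free-running"]
    findings = []
    if peer["reach"] != 0o377:
        findings.append(f"{peer['remote']}: reach {peer['reach']:o}, "
                        "not all of the last 8 polls were answered")
    if peer["stratum"] >= 16:
        findings.append(f"{peer['remote']}: stratum 16, the server itself is unsynchronised")
    if abs(peer["offset"]) > max_offset_ms:
        findings.append(f"{peer['remote']}: offset {peer['offset']} ms exceeds {max_offset_ms} ms")
    return findings


if __name__ == "__main__":
    for label, table in (("lab output", SAMPLE_ASSOCIATIONS), ("settled", HEALTHY_ASSOCIATIONS)):
        rows = parse_associations(table)
        peer = selected_peer(rows)
        print(label, "selected peer:", peer["remote"] if peer else None)
        for finding in check_sync(rows) or ["ok"]:
            print("  ", finding)
```

On the lab's table the only finding is the reach value: the peer is selected and the offset is small, but the device has completed just one successful poll, which matches the lab's note that full synchronisation takes a few minutes. A table with no asterisk at all is reported as free-running, which is the case a monitoring job should alert on.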

Step 2.11

Return to configuration mode and configure the system to allow SNMP access using a community value of junos. The system should allow processing of SNMP messages only when it receives them from the NMS server’s IP address. Use INSIDE-PB(10.0.P.11) as the server’s IP address.

admin@SRXP> configure
Entering configuration mode

[edit]
admin@SRXP# set snmp community junos clients 10.0.P.11

Step 2.12

Configure an SNMP trap group to send traps to the NMS server. The SNMP trap group should send traps whenever an interface transitions to a down state. Name the trap group interfaces.

[edit]
admin@SRXP# set snmp trap-group interfaces targets 10.0.P.11

[edit]
admin@SRXP# set snmp trap-group interfaces categories link

Question:

What trap category do you enable to receive traps for an over-temperature condition?

Answer:

You enable the chassis category to send traps for an over-temperature condition.

Note:

In subsequent steps you will disable the ge-0/0/2 interface. Ensure that the terminal session to your system uses the console connection.

Step 2.13

To test your SNMP configuration, temporarily disable the ge-0/0/2 interface using the set interfaces ge-0/0/2 disable command. Commit the new setting and verify that the interface is down using the run show interfaces ge-0/0/2 terse command. Next, re- enable the interface by issuing the delete interfaces ge-0/0/2 disable command. Commit the change and return to operational mode.

[edit]
admin@SRXP# set interfaces ge-0/0/2 disable

[edit]
admin@SRXP# commit
commit complete

[edit]
admin@SRXP# delete interfaces ge-0/0/2 disable

[edit]
admin@SRXP# commit and-quit
commit complete
Exiting configuration mode

admin@SRXP>

Step 2.14

Verify that the interface transition resulted in the sending of a trap by viewing the messages log. Use the pipe symbol (|) and match on the ge-0/0/2 interface and the keyword snmp to parse the messages log output. Next, issue the show snmp statistics command and confirm that the Traps value in the Output section is not zero.

admin@SRXP> show log messages | match ge-0/0/2 | match snmp
May 3 12:43:29 SRXP mib2d[1206]: SNMP_TRAP_LINK_DOWN: ifIndex 509, ifAdminStatus down(2), ifOperStatus down(2), ifName ge-0/0/2
May 3 12:44:02 SRXP mib2d[1206]: SNMP_TRAP_LINK_UP: ifIndex 509, ifAdminStatus up(1), ifOperStatus up(1), ifName ge-0/0/2
May 3 12:44:02 SRXP mib2d[1206]: SNMP_TRAP_LINK_UP: ifIndex 531, ifAdminStatus up(1), ifOperStatus up(1), ifName ge-0/0/2.0
May 3 12:46:04 SRXP mgd[5323]: UI_CMDLINE_READ_LINE: User 'admin', command 'show log messages | match ge-0/0/2 | match snmp '

admin@SRXP> show snmp statistics
SNMP statistics:
  Input:
    Packets: 0, Bad versions: 0, Bad community names: 0,
    Bad community uses: 0, ASN parse errors: 0,
    Too bigs: 0, No such names: 0, Bad values: 0,
    Read onlys: 0, General errors: 0,
    Total request varbinds: 0, Total set varbinds: 0,
    Get requests: 0, Get nexts: 0, Set requests: 0,
    Get responses: 0, Traps: 0,
    Silent drops: 0, Proxy drops: 0, Commit pending drops: 0,
    Throttle drops: 0, Duplicate request drops: 0
  V3 Input:
    Unknown security models: 0, Invalid messages: 0
    Unknown pdu handlers: 0, Unavailable contexts: 0
    Unknown contexts: 0, Unsupported security levels: 0
    Not in time windows: 0, Unknown user names: 0
    Unknown engine ids: 0, Wrong digests: 0, Decryption errors: 0
  Output:
    Packets: 6, Too bigs: 0, No such names: 0, Bad values: 0,
    General errors: 0, Get requests: 0, Get nexts: 0, Set requests: 0,
    Get responses: 0, Traps: 6

Question:

Does the messages log show trap entries associated with the interface status change?

Answer:

Yes, you should see log entries for the status change for both the physical and the logical interfaces.

Question:

Does the show snmp statistics command list a non-zero value for outgoing traps?

Answer:

Yes, you should see a non-zero value for the output traps counter. In the sample output, you can see a value of 6. Your counter’s value might vary.
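The following Python script is an added example and is not part of the Juniper lab guide. It works on the two outputs from Step 2.14: it extracts the SNMP_TRAP_LINK_DOWN and SNMP_TRAP_LINK_UP records that mib2d writes to the messages log, replays them to find which interfaces are still down, separates a deliberate administrative disable (ifAdminStatus down, as in Step 2.13) from a link failure (ifAdminStatus up but ifOperStatus down), and reads the Traps counter from the Output section of show snmp statistics rather than the Input section, which has a Traps field of its own. The log lines are the three from the lab plus two constructed ones (a command-audit line that must be ignored and a ge-0/0/3 failure that never recovers); the statistics text is an abridged, constructed copy of the lab's output.

```python
import re

# Constructed sample: the trap lines shown in this lab plus a UI_CMDLINE line that is
# not a trap and a constructed ge-0/0/3 link failure that is never followed by linkUp.
SAMPLE_MESSAGES = [
    "May 3 12:43:29 SRXP mib2d[1206]: SNMP_TRAP_LINK_DOWN: ifIndex 509, ifAdminStatus down(2), "
    "ifOperStatus down(2), ifName ge-0/0/2",
    "May 3 12:44:02 SRXP mib2d[1206]: SNMP_TRAP_LINK_UP: ifIndex 509, ifAdminStatus up(1), "
    "ifOperStatus up(1), ifName ge-0/0/2",
    "May 3 12:44:02 SRXP mib2d[1206]: SNMP_TRAP_LINK_UP: ifIndex 531, ifAdminStatus up(1), "
    "ifOperStatus up(1), ifName ge-0/0/2.0",
    "May 3 12:46:04 SRXP mgd[5323]: UI_CMDLINE_READ_LINE: User 'admin', command "
    "'show log messages | match ge-0/0/2 | match snmp '",
    "May 3 12:50:11 SRXP mib2d[1206]: SNMP_TRAP_LINK_DOWN: ifIndex 512, ifAdminStatus up(1), "
    "ifOperStatus down(2), ifName ge-0/0/3",
]

# Constructed, abridged copy of the "show snmp statistics" output from this lab.
SAMPLE_STATISTICS = """\
SNMP statistics:
  Input:
    Packets: 0, Bad versions: 0, Bad community names: 0,
    Get requests: 0, Get nexts: 0, Set requests: 0, Get responses: 0, Traps: 0,
  Output:
    Packets: 6, Too bigs: 0, No such names: 0, Bad values: 0,
    General errors: 0, Get requests: 0, Get nexts: 0, Set requests: 0,
    Get responses: 0, Traps: 6
"""

TRAP_RE = re.compile(
    r"^(?P<timestamp>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) mib2d\[\d+\]: "
    r"SNMP_TRAP_LINK_(?P<event>DOWN|UP): ifIndex (?P<ifindex>\d+), "
    r"ifAdminStatus (?P<admin>\w+)\(\d\), ifOperStatus (?P<oper>\w+)\(\d\), ifName (?P<ifname>\S+)$")


def parse_link_traps(lines):
    """Keep only linkUp/linkDown trap records, as dicts, in log order."""
    events = []
    for line in lines:
        match = TRAP_RE.match(line)
        if match:
            event = match.groupdict()
            event["ifindex"] = int(event["ifindex"])
            events.append(event)
    return events


def interfaces_down(events):
    """Replay the events: interfaces whose most recent trap is linkDown are still down."""
    state = {}
    for event in events:
        state[event["ifname"]] = event["event"]
    return {name for name, last in state.items() if last == "DOWN"}


def unplanned_down(events):
    """linkDown traps where the interface was not administratively disabled
    (ifAdminStatus up, ifOperStatus down), i.e. a link failure rather than the
    deliberate 'set interfaces ... disable' used in the lab."""
    return [e["ifname"] for e in events if e["event"] == "DOWN" and e["admin"] == "up"]


def down_counts(events):
    """Number of linkDown traps per interface, a simple flap indicator."""
    counts = {}
    for event in events:
        if event["event"] == "DOWN":
            counts[event["ifname"]] = counts.get(event["ifname"], 0) + 1
    return counts


def output_traps(statistics):
    """Traps counter from the Output section only; the Input section has its own."""
    section = re.search(r"Output:(.*)", statistics, re.S)
    if not section:
        raise ValueError("no Output section in statistics text")
    traps = re.search(r"Traps:\s*(\d+)", section.group(1))
    return int(traps.group(1)) if traps else 0


if __name__ == "__main__":
    events = parse_link_traps(SAMPLE_MESSAGES)
    print("trap records:", len(events))
    print("still down:", sorted(interfaces_down(events)))
    print("unplanned outages:", unplanned_down(events))
    print("linkDown count per interface:", down_counts(events))
    print("traps sent:", output_traps(SAMPLE_STATISTICS))
```

The lab's own lines produce one linkDown and two linkUp records (physical ge-0/0/2 and logical ge-0/0/2.0), so after replay nothing from the lab is down; only the constructed ge-0/0/3 failure remains, and it is the one flagged as unplanned because its ifAdminStatus was still up. Reading the Output Traps counter with the section-aware parser gives 6, the value the lab answer refers to, instead of the 0 from the Input section.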

Step 2.15


Perform an SNMP MIB walk with the Junos CLI using the show snmp mib walk jnxOperatingDescr command. Note that the resolved object identifier (OID) of jnxOperatingDescr is case sensitive. The OID is variable; we are simply using this OID as an example.

admin@SRXP> show snmp mib walk jnxOperatingDescr
jnxOperatingDescr.1.1.0.0 = midplane
jnxOperatingDescr.2.1.0.0 = PEM 0
jnxOperatingDescr.4.1.0.0 = SRX240 PowerSupply fan 1
jnxOperatingDescr.4.2.0.0 = SRX240 PowerSupply fan 2
jnxOperatingDescr.4.3.0.0 = SRX240 CPU fan 1
jnxOperatingDescr.4.4.0.0 = SRX240 CPU fan 2
jnxOperatingDescr.4.5.0.0 = SRX240 IO fan 1
jnxOperatingDescr.4.6.0.0 = SRX240 IO fan 2
jnxOperatingDescr.7.1.0.0 = FPC: FPC @ 0/*/*
jnxOperatingDescr.8.1.1.0 = PIC: 16x GE Base PIC @ 0/0/*
jnxOperatingDescr.9.1.0.0 = Routing Engine
jnxOperatingDescr.9.1.1.0 = USB Hub

Note:

The Junos OS accepts both the dotted-decimal notation and alpha-numeric notation of SNMP MIB OIDs. The previous example polls the Juniper Networks Chassis MIB for a mapping of component OIDs. This tool is helpful for deciphering what component might be initiating an SNMP trap when your NMS station reports the OID in only a dotted-decimal notation. You do not need to configure SNMP to perform SNMP polling from within the Junos OS.

Question:

What OID associates with the Routing Engine (RE) for your system?

Answer:

The RE associates with the 9.1.0.0 OID leaf. This leaf is merely one leaf in the MIB tree and does not represent the full OID string.

Step 2.16

Create an FTP account on the 3CDaemon server on your INSIDE-PB PC.

Access the 3CDaemon server on your INSIDE-PB PC and create an FTP user account with the username ftp and the password juniper123. Also create a new directory as the root directory for your FTP server.

Note:

This FTP server will be used in the next step to receive files from the SRX device.


Step 2.17

Enter configuration mode and configure your system to archive its configuration to a remote FTP server, the INSIDE-PB PC (10.0.P.11), whenever a commit operation occurs. Configure the archive-sites as "ftp://ftp@10.0.P.11", including the quotation marks, and the password as juniper123. You perform this configuration under the [edit system archival configuration] hierarchy level. Commit your configuration and return to operational mode.

admin@SRXP> configure
Entering configuration mode

[edit]
admin@SRXP# edit system archival configuration

[edit system archival configuration]
admin@SRXP# set archive-sites "ftp://ftp@10.0.P.11" password juniper123

[edit system archival configuration]
admin@SRXP# set transfer-on-commit

[edit system archival configuration]
admin@SRXP# commit and-quit
commit complete
Exiting configuration mode

Step 2.18

Verify that the configuration successfully transferred to the remote FTP server by using the show log messages | match transfer command.

admin@SRXP> show log messages | match transfer
May 3 13:02:06 SRXP mgd[5323]: UI_CFG_AUDIT_SET: User 'admin' set: [system archival configuration] <unconfigured> -> "transfer-on-commit"
May 3 13:02:06 SRXP mgd[5323]: UI_CMDLINE_READ_LINE: User 'admin', command 'set transfer-on-commit '
May 3 13:02:57 SRXP logger: transfer-file failed to transfer /var/transfer/config/SRXP_juniper.conf.gz_20120503_050225
May 3 13:05:27 SRXP mgd[5323]: UI_CMDLINE_READ_LINE: User 'admin', command 'show log messages | match transfer '
May 3 13:06:57 SRXP1 logger: transfer-file: Transferred /var/transfer/config/SRXP1_juniper.conf.gz_20120503_050630
May 3 13:06:58 SRXP1 logger: transfer-file: Transferred /var/transfer/config/SRXP_juniper.conf.gz_20120503_050225
May 3 13:07:07 SRXP1 mgd[5323]: UI_CMDLINE_READ_LINE: User 'admin', command 'show log messages | match transfer '

Note:

Even when using the transfer-on-commit option with configuration archival, the transfer is cyclical and uses a short time interval. If you do not see the transfer in your log, wait a minute or two and look again.

Question:

What do the numbers at the end of the transferred filename represent?

Answer:

The configuration file contains the current date and UTC time according to the system clock.
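The following Python script is an added example and is not part of the Juniper lab guide. It parses the transfer-file lines from Step 2.18, decodes the <hostname>_<config>_<YYYYMMDD>_<HHMMSS> file name into the UTC commit time the answer above describes (in the lab's log the device clock reads 13:02:57 local time for the file stamped 050225, the difference being the local CST offset), and tracks which archives failed without a later successful retry. That last point is the one worth alerting on: the lab's own log shows a failure at 13:02:57 that the cyclical retry recovers at 13:06:58, so a naive "match failed" check would raise a false alarm. The log lines are the lab's four transfer-file lines plus one constructed failure that is never retried successfully.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the transfer-file lines from this lab, plus a final constructed
# failure that is never followed by a successful transfer.
SAMPLE_TRANSFER_LOG = [
    "May 3 13:02:57 SRXP logger: transfer-file failed to transfer "
    "/var/transfer/config/SRXP_juniper.conf.gz_20120503_050225",
    "May 3 13:06:57 SRXP1 logger: transfer-file: Transferred "
    "/var/transfer/config/SRXP1_juniper.conf.gz_20120503_050630",
    "May 3 13:06:58 SRXP1 logger: transfer-file: Transferred "
    "/var/transfer/config/SRXP_juniper.conf.gz_20120503_050225",
    "May 3 13:20:41 SRXP logger: transfer-file failed to transfer "
    "/var/transfer/config/SRXP_juniper.conf.gz_20120503_052012",
]

# The failure line has no colon after transfer-file, the success line does.
TRANSFER_RE = re.compile(
    r"^(?P<timestamp>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) logger: "
    r"transfer-file:? (?P<status>Transferred|failed to transfer) (?P<path>\S+)$")
ARCHIVE_NAME_RE = re.compile(r"^(?P<host>[^_]+)_(?P<name>.+)_(?P<date>\d{8})_(?P<time>\d{6})$")


def parse_archive_name(path):
    """Decode '<hostname>_<config-name>_<YYYYMMDD>_<HHMMSS>' into its parts.

    The stamp is the device's UTC clock at commit time, as the lab answer states.
    """
    base = path.rsplit("/", 1)[-1]
    match = ARCHIVE_NAME_RE.match(base)
    if not match:
        raise ValueError(f"not an archive file name: {base}")
    stamp = datetime.strptime(match["date"] + match["time"], "%Y%m%d%H%M%S")
    return {"host": match["host"], "name": match["name"],
            "timestamp": stamp.replace(tzinfo=timezone.utc)}


def parse_transfer_log(lines):
    """Keep the transfer-file records, in log order, with a boolean 'ok' flag."""
    events = []
    for line in lines:
        match = TRANSFER_RE.match(line)
        if match:
            event = match.groupdict()
            event["ok"] = event["status"] == "Transferred"
            events.append(event)
    return events


def outstanding_failures(events):
    """Archive paths whose transfer failed and was not retried successfully later,
    mapped to the log timestamp of the last failure."""
    pending = {}
    for event in events:
        if event["ok"]:
            pending.pop(event["path"], None)
        else:
            pending[event["path"]] = event["timestamp"]
    return pending


def archive_timeline(events):
    """(hostname, UTC commit time, transferred?) per record, for a report."""
    timeline = []
    for event in events:
        info = parse_archive_name(event["path"])
        timeline.append((info["host"], info["timestamp"], event["ok"]))
    return timeline


if __name__ == "__main__":
    events = parse_transfer_log(SAMPLE_TRANSFER_LOG)
    for host, stamp, ok in archive_timeline(events):
        print(f"{host:6} commit {stamp.isoformat()} {'transferred' if ok else 'FAILED'}")
    for path, when in outstanding_failures(events).items():
        print(f"still not archived (last failure {when}): {path}")
```

Running the script lists the lab's archives with their UTC commit times and reports only the constructed 052012 file as still not archived; the 050225 file that failed first is cleared by its later success. A monitoring job that polls show log messages | match transfer on a schedule can keep the pending dictionary between runs and alert when an entry stays outstanding for longer than the archival retry interval.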

Step 2.19

Save the current configuration to the admin user's home directory.

admin@SRXP> file list
/cf/var/home/admin/:
.ssh/
IJOS.LAB1
IJOS.LAB2

admin@SRXP> configure
Entering configuration mode

[edit]
admin@SRXP# save IJOS.LAB3
Wrote 146 lines of configuration to 'IJOS.LAB3'

[edit]
admin@SRXP# run file list
/cf/var/home/admin/:
.ssh/
IJOS.LAB1
IJOS.LAB2
IJOS.LAB3

By saving your current configuration, you are able to roll back to it at any time. For example:

[edit]
admin@SRXP# load override IJOS.LAB3
load complete

[edit]
admin@SRXP# commit
commit complete

Tell your instructor that you have completed this lab.
