
IJOS Lab Guide

Lab 3: Secondary System Configuration
In this activity, you will perform the following tasks:
Part 1: Define user accounts and authentication options.
Part 2: Set up and verify proper operation of system logging (syslog).
Part 3: Configure and monitor NTP.
Part 4: Enable and monitor the operation of SNMP.
Part 5: Configure and monitor the configuration archival feature.


Part 1: Loading a Factory-Default Configuration


Step 1.1
Log in as the admin user and enter configuration mode. Define a custom login class named
juniper with the following permissions:
• view
• view-configuration
• reset

SRXP (ttyu0)
login: admin
Password: juniper123
--- JUNOS 11.4R2.14 built 2012-03-17 19:13:21 UTC
admin@SRXP> configure
Entering configuration mode
[edit]
admin@SRXP# edit system login
[edit system login]
admin@SRXP# set class juniper permissions [view view-configuration reset]
[edit system login]
admin@SRXP#

Step 1.2
Next, define two new user accounts using the information from the following
requirements.

Username   Class       Plain-Text Password
walter     juniper     walter123
nancy      read-only   nancy123

[edit system login]
admin@SRXP# set user walter class juniper
[edit system login]
admin@SRXP# set user walter authentication plain-text-password
New password: walter123
Retype new password: walter123
[edit system login]
admin@SRXP# set user nancy class read-only
[edit system login]
admin@SRXP# set user nancy authentication plain-text-password
New password: nancy123
Retype new password: nancy123

Step 1.3
View the configuration under the [edit system login] hierarchy level. If you are satisfied
with the results, activate your new configuration by issuing the commit command.
[edit system login]
admin@SRXP# show
class juniper {
permissions [ reset view view-configuration ];
}
user admin {
uid 2000;
class super-user;
authentication {
encrypted-password "$1$KwXSzls7$f7ZB3kFAjJRDst/CIxfLG/"; ## SECRET-DATA
}
}
user nancy {
class read-only;
authentication {
encrypted-password "$1$5zDK.QBM$1yQwbYwGf0foM.mcOeFrr/"; ## SECRET-DATA
}
}
user walter {
class juniper;
authentication {
encrypted-password "$1$hv/3C1Du$TydysUWUyfxUbanXVwc9R/"; ## SECRET-DATA
}
}
[edit system login]
admin@SRXP# commit
commit complete
Note: The remainder of this lab part tests user login options. To prevent yourself from being
locked out, keep the current console session open!

Step 1.4
Access the INSIDE-PA PC and use Telnet to connect to the INSIDE interface of your SRX
device (10.0.P.1). If needed, refer to the web page diagram. Log in with the username
walter.

Step 1.5
Using the new terminal session, enter configuration mode.

Question:

How does the CLI respond when you try to enter configuration mode?
____________________________________________________________________________

Answer:

The CLI does not let user walter enter configuration mode. It responds by
stating that the command is unknown.

Step 1.6
Enter a question mark (?) at the prompt to view the permitted operational mode
command options for the user walter.

Question:

Why is the user walter unable to enter configuration mode?


____________________________________________________________________________

Answer:

The custom login class defined for the user walter does not give permission for
entering configuration mode.

Step 1.7
Verify that the user walter can view the configuration and other operational outputs
such as interface information listed below:
. show configuration
. show interfaces


Question:

Can the user walter view the root password within the configuration? Why?
____________________________________________________________________________

Answer:

No. The Junos OS hides certain configuration elements that it determines to be
security risks and notates them with a SECRET-DATA tag. In this case, the user
walter does not have the secret permission defined for his login class. The
secret permission is required to view configuration elements with the SECRET-DATA tag.


Step 1.8
Restart the routing process using the restart routing command. This command restarts
the routing protocol daemon (rpd), which can be useful when troubleshooting routing
problems.

Question:

Which permission allows the user walter to perform this command?


____________________________________________________________________________

Answer:

The reset permission allows a user to restart software processes and certain
hardware components. This permission will not, however, allow the user to
reboot the system.

Step 1.9
Log out and initiate a new Telnet session to the management interface for the user
nancy. (Hint: Use the reconnect option on your terminal client.) Attempt to restart the
routing protocol process using the restart routing command.

Question:

Can nancy successfully issue the restart command?


____________________________________________________________________________

Answer:

As shown in the output, the user nancy cannot issue the operational mode
restart command.


Question:

What is a quick way to view the top-level operational mode commands
available to nancy?
____________________________________________________________________________

Answer:

Use the question mark (?) to view available commands anywhere within a
command line. Commands that are not permitted due to user permissions do
not display.

Question:

Can the user nancy view the configuration?


____________________________________________________________________________

Answer:

The user nancy can issue the command show configuration, but the contents
are hidden. The following is a sample capture, taken from the SRX1 device.

Step 1.10
While logged in as user nancy, attempt to clear interface statistics for the ge-0/0/5 interface
using the clear interfaces statistics ge-0/0/5 command.

Question:

Which permission option would allow the user nancy to clear the interface
statistics on the ge-0/0/5 interface?
____________________________________________________________________________

Answer:

The clear permission option would allow this behavior.

Step 1.11
Return to the console terminal connection and attempt to add the clear permission to
the default read-only login class. Issue the show command to view the system login
hierarchy.
[edit system login]
admin@SRXP# set class read-only permissions clear
warning:
read-only is a predefined class name; changing to read-only-local
[edit system login]
admin@SRXP# show
class juniper {
permissions [ reset view view-configuration ];
}
class read-only-local {
permissions clear;
}
user admin {
uid 2000;
class super-user;
authentication {
encrypted-password "$1$KwXSzls7$f7ZB3kFAjJRDst/CIxfLG/"; ## SECRET-DATA
}
}
user nancy {
uid 2003;
class read-only;
authentication {
encrypted-password "$1$5zDK.QBM$1yQwbYwGf0foM.mcOeFrr/"; ## SECRET-DATA
}
}
user walter {
uid 2004;
class juniper;
authentication {
encrypted-password "$1$hv/3C1Du$TydysUWUyfxUbanXVwc9R/"; ## SECRET-DATA
}
}

Question:

What happened when you added the clear permission to the read-only login
class?
____________________________________________________________________________

Answer:

Because you cannot alter predefined login classes, the Junos OS created a new
login class named read-only-local that is not associated with any user.

Question:

How can you add the clear permission for the user nancy?
____________________________________________________________________________

Answer:

You must define a new custom login class for this functionality.
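
As an added illustration (not part of the lab guide), the following Python script parses the [edit system login] show output from Step 1.11 and audits which permissions each user actually holds, including the orphaned read-only-local class. The predefined-class permission sets are the documented Junos defaults; the placeholder hash, sample text and function names are the example's own.

```python
import re

# Permission sets Junos grants its predefined (non-editable) login classes.
PREDEFINED_CLASSES = {
    "super-user": {"all"},
    "operator": {"clear", "network", "reset", "trace", "view"},
    "read-only": {"view"},
    "unauthorized": set(),
}

# Constructed sample: the Step 1.11 'show' output, hashes replaced by a placeholder.
SAMPLE_LOGIN_CONFIG = """\
class juniper {
    permissions [ reset view view-configuration ];
}
class read-only-local {
    permissions clear;
}
user admin {
    class super-user;
    authentication {
        encrypted-password "<hash>"; ## SECRET-DATA
    }
}
user nancy {
    class read-only;
}
user walter {
    class juniper;
}
"""


def parse_login_config(text):
    """Return (classes, users): class name -> permission set, user -> class name."""
    classes, users = {}, {}
    block, depth = None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("{"):
            depth += 1
            m = re.match(r"^(class|user) (\S+) \{$", line)
            if depth == 1 and m:
                block = (m.group(1), m.group(2))
                if block[0] == "class":
                    classes[block[1]] = set()
            continue
        if line == "}":
            depth -= 1
            if depth == 0:
                block = None
            continue
        if block and depth == 1:   # ignore nested blocks such as authentication { }
            if block[0] == "class" and line.startswith("permissions"):
                classes[block[1]].update(line[len("permissions"):].strip(" ;[]").split())
            elif block[0] == "user" and line.startswith("class "):
                users[block[1]] = line[len("class "):].rstrip(";")
    return classes, users


def effective_permissions(classes, class_name):
    """Custom classes come from the config; predefined ones from Junos itself."""
    return classes.get(class_name, PREDEFINED_CLASSES.get(class_name, set()))


def has_permission(classes, users, user, perm):
    """True if the user's class grants perm ('all' on super-user grants everything)."""
    perms = effective_permissions(classes, users[user])
    return "all" in perms or perm in perms


def unused_classes(classes, users):
    """Custom classes no user refers to, e.g. an auto-created read-only-local."""
    return sorted(set(classes) - set(users.values()))
```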

Step 1.12
Using the console connection, navigate to the top of the configuration hierarchy and
configure a RADIUS server for use with user authentication. Use commit to activate the
changes. Use the RADIUS Server Information listed below:
• RADIUS Server IP: 172.16.P.10
• RADIUS Secret: juniper123
Configure the authentication order so that user login attempts use only local password
authentication if the RADIUS server is unreachable.
[edit system login]
admin@SRXP# top
[edit]
admin@SRXP# set system radius-server 172.16.P.10 secret juniper123
[edit]
admin@SRXP# set system authentication-order radius
[edit]
admin@SRXP# commit
commit complete

Question:

Must you include password in the authentication order to enable this behavior?
____________________________________________________________________________

Answer:

No. If an authentication method is unavailable because of a network or server
outage, the software automatically consults the local password database.

Step 1.13
Return to the Telnet session in which the user nancy is logged in to the system. If you
already closed this session, initiate a new Telnet session. If the session still exists, log out
of the session and log in again as nancy.

Note: There is no RADIUS server existing in the lab.

Question:

Can you successfully log in even though the RADIUS server is unreachable?


____________________________________________________________________________

Answer:

Yes. After entering the password, a short delay occurs while the system tries to
consult the RADIUS server, and the user receives an option to enter a local
password. After entering the user's password, the system logs the user in.

Step 1.14
Return to your console session and delete the authentication-order statement. Activate
your configuration and log out.
[edit]
admin@SRXP# delete system authentication-order
[edit]
admin@SRXP# commit and-quit
commit complete
Exiting configuration mode
admin@SRXP> exit
SRXP (ttyu0)
login:


Part 2: Performing System Management Options.


Step 2.1
Log in using the admin user account. Display the [edit system syslog] hierarchy of the configuration.
SRXP (ttyu0)
login: admin
Password: juniper123
--- JUNOS 11.4R2.14 built 2012-03-17 19:13:21 UTC
admin@SRXP> configure
Entering configuration mode
[edit]
admin@SRXP# show system syslog
archive size 100k files 3;
user * {
any emergency;
}
file messages {
any critical;
authorization info;
}
file interactive-commands {
interactive-commands error;
}

Question:

What facilities and severity levels currently log to the messages log file?
____________________________________________________________________________

Answer:

In the sample output, the messages file shows the any and authorization
facilities using the critical and info severities, respectively. The actual settings
might vary between Junos devices and software versions.

Question:

What is the purpose of specifying a facility of any?


____________________________________________________________________________

Answer:

This option logs messages from all facilities.


Step 2.2
Navigate to the [edit system syslog] hierarchy and configure a new syslog file named
config-changes. Specify a facility of change-log and a severity of info. Also, set the
severity level for the default messages file to any.
[edit]
admin@SRXP# edit system syslog
[edit system syslog]
admin@SRXP# set file config-changes change-log info
[edit system syslog]
admin@SRXP# set file messages any any

Step 2.3
Configure your system to send logs to the INSIDE-PB PC (10.0.P.11) running the
standard syslog utility. Refer to your lab diagram for the server address. (Hint: Use the
host option.) Choose the correct facility that logs access attempts on the system. (Hint:
The current messages log file is already using this facility.) Use a severity level of info.
Commit your changes and exit configuration mode using the commit and-quit
command.
[edit system syslog]
admin@SRXP# set host 10.0.P.11 authorization info
[edit system syslog]
admin@SRXP# commit and-quit
commit complete
Exiting configuration mode

Step 2.4
Install the 3CDaemon syslog server on your INSIDE-PB PC.
Access the INSIDE-PB PC and install the 3CDaemon server from the software in the
(CD2) E:\3com Daemon directory. After the installation, start the application and keep it
ready to receive logs from the SRX device.

Step 2.5
Using the file list /var/log command, verify the creation of a log file named config-changes.
admin@SRXP> file list /var/log
/var/log@ -> /cf/var/log
admin@SRXP> file list /cf/var/log
/cf/var/log:
TRACE.OSPF
TRACE.OSPF.0.gz
__jsrpd_commit_check__
appidd
authd_libstats
authd_profilelib
authd_sdb.log
autod
chassisd
config-changes
cosd
dcd
dfwc
eccd
ext/
flowc/
fwauthd_chk_only
ggsn/
gres-tp
httpd.log
idpd
idpinfo_err.20120402
ifstraced
interactive-commands
inventory
jsrpd
kmd
license
license_subs_trace.log
mastership
messages
messages.0.gz
messages.1.gz
nsd_chk_only
nstraced_chk_only
pf
Page 14

IJOS Lab Guide

pfed
pgmd
rtlogd
snapshot
utmd-av
wtmp
wtmp.0.gz
wtmp.1.gz
wtmp.2.gz
wtmp.3.gz
---(more)---
Note: The files stored in the /var/log/ directory might vary between each system.

Question:

What other log files from your system's configuration does this directory store?
____________________________________________________________________________

Answer:

Although the files in the /var/log/ directory might vary on each system, the
messages and interactive-commands log files should be present on all
systems.

Step 2.6
Configure the system to synchronize its clock with an NTP server (RBB Router). The
server's IP address is 192.168.P.1.
admin@SRXP> configure
Entering configuration mode
[edit]
admin@SRXP# set system ntp server 192.168.P.1

Step 2.7
Use the same IP address used in the previous step and configure an NTP
boot server. Commit the configuration and return to operational mode.
[edit]
admin@SRXP# set system ntp boot-server 192.168.P.1
[edit]
admin@SRXP# commit and-quit
commit complete
Page 15

IJOS Lab Guide

Exiting configuration mode


admin@SRXP>

Step 2.8
View the config-changes log and verify the logging of the latest configuration
changes.
admin@SRXP> show log config-changes
May 3 00:47:56 SRXP clear-log[6519]: logfile cleared
May 3 00:48:15 SRXP mgd[5323]: UI_CFG_AUDIT_OTHER: User 'admin' set: [system ntp]
May 3 00:48:15 SRXP mgd[5323]: UI_CFG_AUDIT_OTHER: User 'admin' set: [system ntp server 192.168.P.1]
May 3 00:48:24 SRXP mgd[5323]: UI_CFG_AUDIT_SET: User 'admin' set: [system ntp boot-server] <unconfigured> -> "192.168.P.1"

Step 2.9
Manually force synchronization with the NTP server by issuing the set date ntp
operational mode command.
admin@SRXP> set date ntp
3 May 00:51:26 ntpdate[6816]: step time server 192.168.P.1 offset -0.036011 sec

Step 2.10
Verify synchronization with the NTP server by using the show ntp associations
command. The system is synchronized with the NTP server if you see the server address
in the remote column with an asterisk (*) next to it. Check the current system time using
the show system uptime command.
Note: It might take a few minutes for the system's time to synchronize with the NTP server.
admin@SRXP> show ntp associations
     remote           refid       st t  when poll reach   delay   offset  jitter
===============================================================================
*192.168.P.1      192.168.1.2     4     14   64     1    1.073    0.113   1.178
admin@SRXP> show system uptime
Current time: 2012-05-03 08:44:27 CST
System booted: 2012-05-02 16:55:56 CST (15:48:31 ago)
Protocols started: 2012-05-02 22:59:57 CST (09:44:30 ago)
Last configured: 2012-05-03 00:48:36 CST (07:55:51 ago) by admin
8:44AM up 15:49, 1 user, load averages: 0.02, 0.03, 0.01

Question:

What does the asterisk (*) next to the NTP server address signify?
____________________________________________________________________________

Answer:

The asterisk (*) represents the peer chosen for synchronization as well as a
synchronized state with that peer. When you define multiple NTP peers, the
system selects only a single NTP peer.

Step 2.11
Return to configuration mode and configure the system to allow SNMP access using a
community value of junos. The system should allow processing of SNMP messages only
when it receives them from the NMS server's IP address. Use INSIDE-PB (10.0.P.11) as the
server's IP address.
admin@SRXP> configure
Entering configuration mode
[edit]
admin@SRXP# set snmp community junos clients 10.0.P.11

Step 2.12
Configure an SNMP trap group to send traps to the NMS server. The SNMP trap group
should send traps whenever an interface transitions to a down state. Name the trap
group interfaces.
[edit]
admin@SRXP# set snmp trap-group interfaces targets 10.0.P.11
[edit]
admin@SRXP# set snmp trap-group interfaces categories link

Question:

What trap category do you enable to receive traps for an over-temperature
condition?
____________________________________________________________________________

Answer:

You enable the chassis category to send traps for an over-temperature
condition.

Note: In subsequent steps you will disable the ge-0/0/2 interface. Ensure that the
terminal session to your system uses the console connection.

Step 2.13
To test your SNMP configuration, temporarily disable the ge-0/0/2 interface using the
set interfaces ge-0/0/2 disable command. Commit the new setting and verify that the
interface is down using the run show interfaces ge-0/0/2 terse command. Next, re-enable the interface by issuing the delete interfaces ge-0/0/2 disable command. Commit
the change and return to operational mode.
[edit]
admin@SRXP# set interfaces ge-0/0/2 disable
[edit]
admin@SRXP# commit
commit complete
[edit]
admin@SRXP# delete interfaces ge-0/0/2 disable
[edit]
admin@SRXP# commit and-quit
commit complete
Exiting configuration mode
admin@SRXP>

Step 2.14
Verify that the interface transition resulted in the sending of a trap by viewing the
messages log. Use the pipe symbol (|) and match on the ge-0/0/2 interface and the
keyword snmp to parse the messages log output. Next, issue the show snmp statistics
command and confirm that the Traps value in the Output section is not zero.
admin@SRXP> show log messages | match ge-0/0/2 | match snmp
May 3 12:43:29 SRXP mib2d[1206]: SNMP_TRAP_LINK_DOWN: ifIndex 509, ifAdminStatus down(2), ifOperStatus down(2), ifName ge-0/0/2
May 3 12:44:02 SRXP mib2d[1206]: SNMP_TRAP_LINK_UP: ifIndex 509, ifAdminStatus up(1), ifOperStatus up(1), ifName ge-0/0/2
May 3 12:44:02 SRXP mib2d[1206]: SNMP_TRAP_LINK_UP: ifIndex 531, ifAdminStatus up(1), ifOperStatus up(1), ifName ge-0/0/2.0
May 3 12:46:04 SRXP mgd[5323]: UI_CMDLINE_READ_LINE: User 'admin', command 'show log messages | match ge-0/0/2 | match snmp '
admin@SRXP> show snmp statistics
SNMP statistics:
Input:
Packets: 0, Bad versions: 0, Bad community names: 0,
Bad community uses: 0, ASN parse errors: 0,
Too bigs: 0, No such names: 0, Bad values: 0,
Read onlys: 0, General errors: 0,
Total request varbinds: 0, Total set varbinds: 0,
Get requests: 0, Get nexts: 0, Set requests: 0,
Get responses: 0, Traps: 0,
Silent drops: 0, Proxy drops: 0, Commit pending drops: 0,
Throttle drops: 0, Duplicate request drops: 0
V3 Input:
Unknown security models: 0, Invalid messages: 0
Unknown pdu handlers: 0, Unavailable contexts: 0
Unknown contexts: 0, Unsupported security levels: 0
Not in time windows: 0, Unknown user names: 0
Unknown engine ids: 0, Wrong digests: 0, Decryption errors: 0
Output:
Packets: 6, Too bigs: 0, No such names: 0,
Bad values: 0, General errors: 0,
Get requests: 0, Get nexts: 0, Set requests: 0,
Get responses: 0, Traps: 6

Question:

Does the messages log show trap entries associated with the interface status
change?
____________________________________________________________________________

Answer:

Yes, you should see log entries for the status change for both the physical and
the logical interfaces.

Question:

Does the show snmp statistics command list a non-zero value for outgoing
traps?
____________________________________________________________________________

Answer:

Yes, you should see a non-zero value for the output traps counter. In the
sample output, you can see a value of 6. Your counters value might vary.
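
The link traps above are exactly what a monitoring pipeline consumes. As an added example (not from the lab guide), this Python script parses those mib2d messages, re-typed here as constructed sample input, and rebuilds the per-interface transition sequence so a down/up flap like the one triggered in Step 2.13 is reported; the regex and function names are the example's own.

```python
import re
from collections import defaultdict

# Constructed sample: the Step 2.14 messages-log capture (trap lines plus one
# unrelated mgd line, which the parser must ignore).
SAMPLE_MESSAGES = """\
May 3 12:43:29 SRXP mib2d[1206]: SNMP_TRAP_LINK_DOWN: ifIndex 509, ifAdminStatus down(2), ifOperStatus down(2), ifName ge-0/0/2
May 3 12:44:02 SRXP mib2d[1206]: SNMP_TRAP_LINK_UP: ifIndex 509, ifAdminStatus up(1), ifOperStatus up(1), ifName ge-0/0/2
May 3 12:44:02 SRXP mib2d[1206]: SNMP_TRAP_LINK_UP: ifIndex 531, ifAdminStatus up(1), ifOperStatus up(1), ifName ge-0/0/2.0
May 3 12:46:04 SRXP mgd[5323]: UI_CMDLINE_READ_LINE: User 'admin', command 'show log messages | match ge-0/0/2 | match snmp '
"""

# One regex for both SNMP_TRAP_LINK_DOWN and SNMP_TRAP_LINK_UP as mib2d logs them.
TRAP_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) mib2d\[\d+\]: "
    r"SNMP_TRAP_LINK_(?P<event>DOWN|UP): ifIndex (?P<ifindex>\d+), "
    r"ifAdminStatus (?P<admin>\w+)\(\d\), ifOperStatus (?P<oper>\w+)\(\d\), "
    r"ifName (?P<ifname>\S+)$"
)


def parse_link_traps(text):
    """Return the link traps as dicts in log order; non-trap lines are skipped."""
    traps = []
    for line in text.splitlines():
        m = TRAP_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ifindex"] = int(rec["ifindex"])
            traps.append(rec)
    return traps


def transitions_by_interface(traps):
    """Map ifName -> ordered list of 'DOWN' / 'UP' events."""
    seq = defaultdict(list)
    for t in traps:
        seq[t["ifname"]].append(t["event"])
    return dict(seq)


def flapped_interfaces(traps):
    """Interfaces that went DOWN and later came back UP."""
    return sorted(
        name for name, events in transitions_by_interface(traps).items()
        if "DOWN" in events and "UP" in events[events.index("DOWN"):]
    )


def admin_down_traps(traps):
    """Link-down traps caused by configuration (ifAdminStatus down), not by a fault."""
    return [t for t in traps if t["event"] == "DOWN" and t["admin"] == "down"]
```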

Step 2.15
Perform an SNMP MIB walk with the Junos CLI using the show snmp mib walk
jnxOperatingDescr command. Note that the resolved object identifier (OID) of
jnxOperatingDescr is case sensitive. The OID is variable; we are simply using this OID as
an example.
admin@SRXP> show snmp mib walk jnxOperatingDescr
jnxOperatingDescr.1.1.0.0 = midplane
jnxOperatingDescr.2.1.0.0 = PEM 0
jnxOperatingDescr.4.1.0.0 = SRX240 PowerSupply fan 1
jnxOperatingDescr.4.2.0.0 = SRX240 PowerSupply fan 2
jnxOperatingDescr.4.3.0.0 = SRX240 CPU fan 1
jnxOperatingDescr.4.4.0.0 = SRX240 CPU fan 2
jnxOperatingDescr.4.5.0.0 = SRX240 IO fan 1
jnxOperatingDescr.4.6.0.0 = SRX240 IO fan 2
jnxOperatingDescr.7.1.0.0 = FPC: FPC @ 0/*/*
jnxOperatingDescr.8.1.1.0 = PIC: 16x GE Base PIC @ 0/0/*
jnxOperatingDescr.9.1.0.0 = Routing Engine
jnxOperatingDescr.9.1.1.0 = USB Hub
Note: The Junos OS accepts both the dotted-decimal notation and alpha-numeric notation
of SNMP MIB OIDs. The previous example polls the Juniper Networks Chassis MIB for a
mapping of component OIDs. This tool is helpful for deciphering what component
might be initiating an SNMP trap when your NMS station reports the OID in only a
dotted-decimal notation. You do not need to configure SNMP to perform SNMP
polling from within the Junos OS.

Question:

What OID associates with the Routing Engine (RE) for your system?
____________________________________________________________________________

Answer:

The RE associates with the 9.1.0.0 OID leaf. This leaf is merely one leaf in the
MIB tree and does not represent the full OID string.

Step 2.16
Create an FTP account on the 3CDaemon server on your INSIDE-PB PC.
Access the 3CDaemon server on your INSIDE-PB PC and create an FTP user account with
username ftp and password juniper123. Also create a new directory as the root directory for
your FTP server.
Note: This FTP server will be used in the next step to receive files from the SRX device.


Step 2.17
Enter configuration mode and configure your system to archive its configuration to a
remote FTP server, the INSIDE-PB PC (10.0.P.11), whenever a commit operation occurs. You
should configure the archive-sites as "ftp://ftp@10.0.P.11", including the quotation
marks. You should configure the password as juniper123. You perform this
configuration under the [edit system archival configuration] hierarchy level. Commit
your configuration and return to operational mode.
admin@SRXP> configure
Entering configuration mode
[edit]
admin@SRXP# edit system archival configuration
[edit system archival configuration]
admin@SRXP# set archive-sites "ftp://ftp@10.0.P.11" password juniper123
[edit system archival configuration]
admin@SRXP# set transfer-on-commit
[edit system archival configuration]
admin@SRXP# commit and-quit
commit complete
Exiting configuration mode

Step 2.18
Verify that the configuration successfully transferred to the remote FTP server by using
the show log messages | match transfer command.
admin@SRXP> show log messages | match transfer
May 3 13:02:06 SRXP mgd[5323]: UI_CFG_AUDIT_SET: User 'admin' set: [system archival configuration] <unconfigured> -> "transfer-on-commit"
May 3 13:02:06 SRXP mgd[5323]: UI_CMDLINE_READ_LINE: User 'admin', command 'set transfer-on-commit '
May 3 13:02:57 SRXP logger: transfer-file failed to transfer /var/transfer/config/SRXP_juniper.conf.gz_20120503_050225
May 3 13:05:27 SRXP mgd[5323]: UI_CMDLINE_READ_LINE: User 'admin', command 'show log messages | match transfer '
May 3 13:06:57 SRXP1 logger: transfer-file: Transferred /var/transfer/config/SRXP1_juniper.conf.gz_20120503_050630
May 3 13:06:58 SRXP1 logger: transfer-file: Transferred /var/transfer/config/SRXP_juniper.conf.gz_20120503_050225
May 3 13:07:07 SRXP1 mgd[5323]: UI_CMDLINE_READ_LINE: User 'admin', command 'show log messages | match transfer '
Note: Even when using the transfer-on-commit option with configuration archival, the
transfer is cyclical and uses a short time interval. If you do not see the transfer in your
log, wait a minute or two and look again.

Question:

What do the numbers at the end of the transferred filename represent?


____________________________________________________________________________

Answer:

The suffix of the configuration filename is the current date and UTC time according to the
system clock.
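
As an added example (not part of the lab guide), this Python script decodes the UTC date and time suffix of an archive filename and scans the transfer-file messages from Step 2.18, re-typed as constructed input, to report any archive whose latest attempt failed, which is the condition worth alerting on when archival silently stops working; the regexes and function names are the example's own.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the Step 2.18 capture. The first archive fails once and is
# transferred on a later cycle; the mgd lines mention "transfer" but are not transfers.
SAMPLE_MESSAGES = """\
May 3 13:02:06 SRXP mgd[5323]: UI_CMDLINE_READ_LINE: User 'admin', command 'set transfer-on-commit '
May 3 13:02:57 SRXP logger: transfer-file failed to transfer /var/transfer/config/SRXP_juniper.conf.gz_20120503_050225
May 3 13:05:27 SRXP mgd[5323]: UI_CMDLINE_READ_LINE: User 'admin', command 'show log messages | match transfer '
May 3 13:06:57 SRXP1 logger: transfer-file: Transferred /var/transfer/config/SRXP1_juniper.conf.gz_20120503_050630
May 3 13:06:58 SRXP1 logger: transfer-file: Transferred /var/transfer/config/SRXP_juniper.conf.gz_20120503_050225
"""

# transfer-file logs either ": Transferred <path>" or " failed to transfer <path>".
TRANSFER_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) logger: transfer-file"
    r"(?P<status>: Transferred| failed to transfer) (?P<path>\S+)$"
)
# <hostname>_juniper.conf.gz_<YYYYMMDD>_<HHMMSS>; the suffix is the system clock in UTC.
ARCHIVE_NAME_RE = re.compile(
    r"^(?P<host>.+)_juniper\.conf\.gz_(?P<date>\d{8})_(?P<time>\d{6})$"
)


def archive_timestamp(path):
    """UTC datetime encoded in an archive filename, or None if it is not an archive."""
    m = ARCHIVE_NAME_RE.match(path.rsplit("/", 1)[-1])
    if not m:
        return None
    stamp = datetime.strptime(m["date"] + m["time"], "%Y%m%d%H%M%S")
    return stamp.replace(tzinfo=timezone.utc)


def final_transfer_status(text):
    """Map archive path -> 'ok' or 'failed', keeping the last outcome seen per file."""
    status = {}
    for line in text.splitlines():
        m = TRANSFER_RE.match(line)
        if m:
            status[m["path"]] = "ok" if m["status"].startswith(":") else "failed"
    return status


def unrecovered_failures(text):
    """Archives whose most recent transfer attempt failed (no later success)."""
    return sorted(p for p, s in final_transfer_status(text).items() if s == "failed")
```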

Step 2.19
Save the current configuration to admin's home directory.
admin@SRXP> file list
/cf/var/home/admin/:
.ssh/
IJOS.LAB1
IJOS.LAB2
admin@SRXP> configure
Entering configuration mode
[edit]
admin@SRXP# save IJOS.LAB3
Wrote 146 lines of configuration to 'IJOS.LAB3'
[edit]
admin@SRXP# run file list
/cf/var/home/admin/:
.ssh/
IJOS.LAB1
IJOS.LAB2
IJOS.LAB3

By saving your current configuration, you can roll back to it at any time.


For example:
[edit]
admin@SRXP# load override IJOS.LAB3
load complete
[edit]
admin@SRXP# commit
commit complete

Tell your instructor that you have completed this lab.
