Lab 2:
Initial System Configuration
In this activity, you will perform the following tasks:
Step 1.2
Display the factory-default configuration.
[edit]
admin# show
## Last changed: 2012-05-05 10:09:47 UTC
system {
autoinstallation {
delete-upon-commit; ## Deletes [system autoinstallation] upon change/commit
traceoptions {
level verbose;
flag {
all;
}
}
interfaces {
ge-0/0/0 {
bootp;
}
}
}
name-server {
208.67.222.222;
208.67.220.220;
}
services {
ssh;
telnet;
xnm-clear-text;
web-management {
http {
interface vlan.0;
}
https {
system-generated-certificate;
interface vlan.0;
}
}
dhcp {
router {
192.168.1.1;
}
pool 192.168.1.0/24 {
address-range low 192.168.P.2 high 192.168.P.254;
}
propagate-settings ge-0/0/0.0;
}
}
syslog {
archive size 100k files 3;
user * {
any emergency;
}
file messages {
any critical;
authorization info;
}
file interactive-commands {
interactive-commands error;
}
}
max-configurations-on-flash 5;
##
## Warning: statement ignored: unsupported platform (srx240h)
##
max-configuration-rollbacks 5;
license {
autoupdate {
url https://ae1.juniper.net/junos/key_retrieval;
}
}
## Warning: missing mandatory statement(s): 'root-authentication'
}
interfaces {
ge-0/0/0 {
unit 0;
}
ge-0/0/1 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/2 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/3 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/4 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/5 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/6 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/7 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/8 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/9 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/10 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/11 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/12 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/13 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/14 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/15 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
vlan {
unit 0 {
family inet {
address 192.168.1.1/24;
}
}
}
}
protocols {
stp;
}
security {
screen {
ids-option untrust-screen {
icmp {
ping-death;
}
ip {
source-route-option;
tear-drop;
}
tcp {
syn-flood {
alarm-threshold 1024;
attack-threshold 200;
source-threshold 1024;
destination-threshold 2048;
timeout 20;
}
land;
}
}
}
nat {
source {
rule-set trust-to-untrust {
from zone trust;
to zone untrust;
rule source-nat-rule {
match {
source-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
}
}
policies {
from-zone trust to-zone untrust {
policy trust-to-untrust {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
}
zones {
security-zone trust {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
vlan.0;
}
}
security-zone untrust {
screen untrust-screen;
interfaces {
ge-0/0/0.0 {
host-inbound-traffic {
system-services {
dhcp;
tftp;
}
}
}
}
}
}
}
vlans {
vlan-trust {
vlan-id 3;
l3-interface vlan.0;
}
}
Note: The factory-default configuration displays several statements pertaining to the
security hierarchy level. This information is outside the scope of this class but is
covered in the Junos for Security Platforms (JSEC) course.
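The factory-default configuration above is worth a static review before the device is ever cabled to a network: it enables telnet and xnm-clear-text (both unencrypted), binds J-Web HTTP to vlan.0, permits any source, destination and application from trust to untrust, and accepts every host-inbound system service on the trust zone. The script below is an added example and is not part of the lab or of Junos. It parses the curly-brace configuration format shown here into set-style paths and flags those statements. The embedded sample is a constructed, trimmed copy of the factory-default statements above plus a root-authentication stanza of the kind shown in the rescue configuration in Step 3.2 (the hash value is a placeholder); the check names and finding messages are this example's own.

```python
"""Static review of a Junos-style configuration (added example, not lab code)."""
import re

# Constructed sample: trimmed factory-default statements from Step 1.2 plus a
# root-authentication stanza like the one in the rescue configuration of
# Step 3.2; the hash value is a placeholder, not a real password hash.
SAMPLE_CONFIG = """\
system {
    root-authentication {
        encrypted-password "$1$saltsalt$placeholderplaceholderpla";
    }
    services {
        ssh;
        telnet;
        xnm-clear-text;
        web-management {
            http {
                interface vlan.0;
            }
            https {
                interface all;
            }
        }
    }
}
security {
    policies {
        from-zone trust to-zone untrust {
            policy trust-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
        }
    }
}
"""

# (regex over a set-style path, message).  Names and wording are this example's own.
CHECKS = [
    (r"^system services telnet$", "telnet enabled: logins cross the wire in cleartext"),
    (r"^system services xnm-clear-text$", "xnm-clear-text enabled: unencrypted JUNOScript access"),
    (r"^system services web-management http interface ", "J-Web reachable over plain HTTP"),
    (r"^system services web-management https interface all$", "HTTPS management bound to every interface"),
    (r"^security zones security-zone \S+ host-inbound-traffic system-services all$", "a zone accepts all host-inbound system services"),
    (r'^system root-authentication encrypted-password "\$1\$', "root password hash is MD5-crypt ($1$)"),
]


def flatten(config_text):
    """Turn the brace format into 'set'-style paths: 'name {' opens a level,
    '}' closes it, 'statement;' is a leaf; '##' comments and blank lines are dropped."""
    paths, stack = [], []
    for raw in config_text.splitlines():
        line = raw.split("##", 1)[0].strip()
        if not line:
            continue
        if line.endswith("{"):
            stack.append(line[:-1].strip())
        elif line == "}":
            stack.pop()                      # IndexError here means a stray '}'
        elif line.endswith(";"):
            paths.append(" ".join(stack + [line[:-1].strip()]))
    if stack:
        raise ValueError("unclosed block(s): " + " / ".join(stack))
    return paths


def audit(config_text):
    """Return the list of findings for a configuration text."""
    paths = flatten(config_text)
    findings = [msg for pat, msg in CHECKS if any(re.match(pat, p) for p in paths)]
    # Collect each zone-to-zone policy's match/then terms and flag the ones that
    # permit any source, any destination and any application.
    pol = re.compile(r"^security policies from-zone (\S+) to-zone (\S+) policy (\S+) (?:match|then) (.+)$")
    terms = {}
    for p in paths:
        m = pol.match(p)
        if m:
            terms.setdefault(m.group(1, 2, 3), set()).add(m.group(4))
    wide_open = {"source-address any", "destination-address any", "application any", "permit"}
    for (src, dst, name), t in terms.items():
        if wide_open <= t:
            findings.append(f"policy {name} ({src} -> {dst}) permits any/any/any")
    return findings
```

Running audit(SAMPLE_CONFIG) yields seven findings. The remediation is ordinary configuration: delete system services telnet and delete system services xnm-clear-text, bind web-management https to the inside interface instead of interface all, and narrow the trust-to-untrust policy and the host-inbound-traffic list to what the pod actually needs. The MD5-crypt check exists because the rescue configuration in Step 3.2 stores the root password as a $1$ hash; the format statement under [edit system login password] selects the hash algorithm, and a SHA-2 option should be preferred where the release offers it.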
Step 1.3
Activate the factory-default configuration by issuing a commit command.
admin# commit
[edit]
'system'
Missing mandatory statement: 'root-authentication'
error: commit failed: (missing statements)
Question:
Answer:
The commit operation should fail because the root authentication is missing.
We remedy this situation in the next lab part.
Step 2.1
Navigate to the [edit system root-authentication] hierarchy level. Issue the set
plain-text-password command. When prompted to enter a new password, type apples.
[edit]
admin# edit system root-authentication
[edit system root-authentication]
admin# set plain-text-password
New password: apples
error: require change of case, digits or punctuation
Question:
Answer:
The operation fails because the password does not meet the requirements.
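The rejection in Step 2.1 and the mismatch in Step 2.2 come from two different checks, and it helps to see both modelled in code before screening passwords for a fleet. The block below is an added example, not Junos code: it models the default login password policy as "at least six characters and at least two of the four character classes (lower case, upper case, digits, punctuation)", which reproduces the page's results (apples rejected, Apples and juniper123 accepted). The exact counting rule Junos applies (change-type character-sets versus set-transitions) is this example's assumption; the two error strings are copied from Steps 2.1 and 2.2, and the minimum-length message is the example's own wording.

```python
"""Model of the default Junos login password policy (added example, not Junos code)."""
import string

MIN_LENGTH = 6   # Junos default 'minimum-length'
# The four character classes the default policy distinguishes (assumption of this model).
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)


def character_classes(password):
    """Return how many distinct character classes the password uses."""
    return sum(1 for cls in CLASSES if any(ch in cls for ch in password))


def check_password(password):
    """Return (ok, error).  The class-change message is copied from Step 2.1;
    the length message is this example's own wording."""
    if len(password) < MIN_LENGTH:
        return False, f"password is shorter than the minimum length of {MIN_LENGTH}"
    if character_classes(password) < 2:
        return False, "require change of case, digits or punctuation"
    return True, ""


def set_plain_text_password(new, retyped):
    """Mimic the two-prompt flow of 'set plain-text-password': the policy check
    runs on the first entry, then the confirmation is compared (Step 2.2 message)."""
    ok, err = check_password(new)
    if not ok:
        return False, err
    if new != retyped:
        return False, "Passwords are not equal; aborting"
    return True, ""
```

Note how little the default policy demands: Apples passes. On a production device, tighten it under [edit system login password] with minimum-length, change-type and minimum-changes rather than relying on the defaults.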
Step 2.2
Again, issue the set plain-text-password command. When prompted to enter a new
password, type Apples. When prompted to confirm the password, type Oranges.
[edit system root-authentication]
admin# set plain-text-password
New password: Apples
Retype new password: Oranges
error: Passwords are not equal; aborting
Question:
Answer:
Step 2.3
Issue the set plain-text-password command once again. When prompted to enter a new
password, type juniper123. When prompted to confirm the password, type juniper123.
Activate the change and return to operational mode by issuing a commit and-quit
command.
[edit system root-authentication]
admin# set plain-text-password
Step 2.4
Issue the file list /var/tmp command.
admin> file list /var/tmp
error: no local user: admin
Question:
Answer:
The operation generates an error because the admin user is no longer valid.
We restore the admin user account in a subsequent lab step.
Step 2.5
Log out as the admin user and log in as root. Use the newly defined password of
juniper123.
admin> exit
Amnesiac (ttyu0)
login: root
Password: juniper123
--- JUNOS 11.4R2.14 built 2012-03-17 19:13:21 UTC
root@%
Note: You should see the previously defined hostname at the login prompt. The Amnesiac
hostname is shown when the hostname is removed and the system is rebooted. You
do not need to reboot the system at this time because you will configure a new
hostname shortly.
Step 2.6
Start the CLI with the cli command and enter configuration mode.
root@% cli
root> configure
Entering configuration mode
[edit]
root#
Step 2.7
Delete the interfaces and vlans hierarchies from the [edit] level.
[edit]
root# delete interfaces
[edit]
root# delete vlans
Step 2.8
Navigate to the [edit system] hierarchy level.
[edit]
root# edit system
[edit system]
root#
Step 2.9
Define the system's hostname. Use the hostname SRXP, replacing P with your pod
number (for example, SRX1 for Pod 1).
[edit system]
root# set host-name SRXP
Step 2.10
Configure the time zone and system time using the local time zone and current time as
input values.
[edit system]
root# set time-zone Asia/Taipei
[edit system]
root# run set date 201205011800.00
Tue May 1 18:00:00 UTC 2012
Note: The default time zone on Junos devices is UTC (Coordinated Universal Time). A set
date value is interpreted in the time zone that is active at the moment you enter it,
so if you set the time before the new time-zone statement has been committed you must
account for the difference between your local zone and UTC. Once the time zone is
committed, the displayed local time is adjusted accordingly. If you do not want to make
that adjustment, simply set the system's time after the time-zone parameter has been
committed.
Step 2.11
Navigate to the [edit system services] hierarchy level.
[edit system]
root# edit services
[edit system services]
root#
Step 2.12
Display the current configuration under the [edit system services] hierarchy level,
then delete the dhcp service.
[edit system services]
root# show
ssh;
telnet;
xnm-clear-text;
web-management {
http {
interface vlan.0;
}
https {
system-generated-certificate;
interface vlan.0;
}
}
dhcp {
router {
192.168.1.1;
}
pool 192.168.1.0/24 {
address-range low 192.168.P.2 high 192.168.P.254;
}
propagate-settings ge-0/0/0.0;
}
[edit system services]
root# delete dhcp
Step 2.13
Configure the HTTP Web-management service to use the ge-0/0/5.0 interface. Remove
the vlan.0 interface from both the HTTP and HTTPS Web-management services.
Configure the HTTPS Web-management service to use all interfaces.
[edit system services]
root# set web-management http interface ge-0/0/5.0
[edit system services]
root# delete web-management http interface vlan.0
[edit system services]
root# delete web-management https interface vlan.0
[edit system services]
root# set web-management https interface all
Step 2.14
Configure the ge-0/0/5 interface using the address and subnet mask specified on the
web page diagram, and specify an interface description of "INSIDE INTERFACE".
[edit system services]
root# top edit interfaces
[edit interfaces]
root# set ge-0/0/5 unit 0 family inet address 10.0.P.1/24
[edit interfaces]
root# set ge-0/0/5 description "INSIDE INTERFACE"
Step 2.15
Configure the ge-0/0/3 interface using the address and subnet mask specified on the
web page diagram, and specify an interface description of "DMZ INTERFACE".
[edit interfaces]
root# set ge-0/0/3 unit 0 family inet address 172.16.P.1/24
[edit interfaces]
root# set ge-0/0/3 description "DMZ INTERFACE"
Step 2.16
Configure the ge-0/0/2 interface using the address and subnet mask specified on the
web page diagram, and specify an interface description of "OUTSIDE INTERFACE".
[edit interfaces]
root# set ge-0/0/2 unit 0 family inet address 192.168.P.2/24
[edit interfaces]
root# set ge-0/0/2 description "OUTSIDE INTERFACE"
Step 2.17
Verify all interfaces you configured in previous steps.
[edit interfaces]
root# show
ge-0/0/2 {
description "OUTSIDE INTERFACE";
unit 0 {
family inet {
address 192.168.P.2/24;
}
}
}
ge-0/0/3 {
description "DMZ INTERFACE";
unit 0 {
family inet {
address 172.16.P.1/24;
}
}
}
ge-0/0/5 {
description "INSIDE INTERFACE";
unit 0 {
family inet {
address 10.0.P.1/24;
}
}
}
Step 2.18
Define a static default route to allow for reachability beyond the directly connected
subnets. Use the RBB address, shown on the lab diagram, as the next-hop value.
[edit interfaces]
root# top edit routing-options
[edit routing-options]
root# set static route 0.0.0.0/0 next-hop 192.168.P.1
Step 2.19
From the top hierarchy, delete all security configuration.
[edit routing-options]
root# top
[edit]
root# delete security
Step 2.20
At the top of the configuration hierarchy, issue the show | compare command to view a
summary of the changes made since the last commit.
[edit]
root# show | compare
[edit system]
+   host-name SRXP;
+   time-zone Asia/Taipei;
[edit system services web-management http]
-   interface vlan.0;
+   interface ge-0/0/5.0;
[edit system services web-management https]
-   interface vlan.0;
+   interface all;
[edit system services]
-   dhcp {
-       router {
-           192.168.1.1;
-       }
-       pool 192.168.1.0/24 {
-           address-range low 192.168.P.2 high 192.168.P.254;
-       }
-       propagate-settings ge-0/0/0.0;
-   }
[edit interfaces]
-   ge-0/0/0 {
-       unit 0;
-   }
-   ge-0/0/1 {
-       unit 0 {
-           family ethernet-switching {
-               vlan {
-                   members vlan-trust;
-               }
-           }
-       }
-   }
[edit interfaces ge-0/0/2]
+   description "OUTSIDE INTERFACE";
[edit interfaces ge-0/0/2 unit 0]
+   family inet {
+       address 192.168.P.2/24;
+   }
-   family ethernet-switching {
-       vlan {
-           members vlan-trust;
-       }
-   }
[edit interfaces ge-0/0/3]
+   description "DMZ INTERFACE";
[edit interfaces ge-0/0/3 unit 0]
+   family inet {
+       address 172.16.P.1/24;
+   }
-   family ethernet-switching {
-       vlan {
-           members vlan-trust;
-       }
-   }
[edit interfaces]
-   ge-0/0/4 {
-       unit 0 {
-           family ethernet-switching {
-               vlan {
-                   members vlan-trust;
-               }
-           }
-       }
-   }
[edit interfaces ge-0/0/5]
+   description "INSIDE INTERFACE";
[edit interfaces ge-0/0/5 unit 0]
+   family inet {
+       address 10.0.P.1/24;
+   }
-   family ethernet-switching {
-       vlan {
-           members vlan-trust;
-       }
-   }
[edit interfaces]
-   ge-0/0/6 {
-       unit 0 {
-           family ethernet-switching {
-               vlan {
-                   members vlan-trust;
-               }
-           }
-       }
-   }
-   ge-0/0/7 {
-       unit 0 {
-           family ethernet-switching {
-               vlan {
-                   members vlan-trust;
-               }
-           }
-       }
-   }
-   ge-0/0/8 {
-       unit 0 {
-           family ethernet-switching {
-               vlan {
-                   members vlan-trust;
-               }
-           }
-       }
-   }
-   ge-0/0/9 {
-       unit 0 {
-           family ethernet-switching {
-               vlan {
-                   members vlan-trust;
-               }
-           }
-       }
-   }
-   ge-0/0/10 {
-       unit 0 {
-           family ethernet-switching {
-               vlan {
-                   members vlan-trust;
-               }
-           }
-       }
-   }
-   ge-0/0/11 {
-       unit 0 {
-           family ethernet-switching {
-               vlan {
-                   members vlan-trust;
-               }
-           }
-       }
-   }
-   ge-0/0/12 {
-       unit 0 {
-           family ethernet-switching {
-               vlan {
-                   members vlan-trust;
-               }
-           }
-       }
-   }
-   ge-0/0/13 {
-       unit 0 {
-           family ethernet-switching {
-               vlan {
-                   members vlan-trust;
-               }
-           }
-       }
-   }
-   ge-0/0/14 {
-       unit 0 {
-           family ethernet-switching {
-               vlan {
-                   members vlan-trust;
-               }
-           }
-       }
-   }
-   ge-0/0/15 {
-       unit 0 {
-           family ethernet-switching {
-               vlan {
-                   members vlan-trust;
-               }
-           }
-       }
-   }
-   vlan {
-       unit 0 {
-           family inet {
-               address 192.168.1.1/24;
-           }
-       }
-   }
[edit]
+   routing-options {
+       static {
+           route 0.0.0.0/0 next-hop 192.168.P.1;
+       }
+   }
-   security {
-       screen {
-           ids-option untrust-screen {
-               icmp {
-                   ping-death;
-               }
-               ip {
-                   source-route-option;
-                   tear-drop;
-               }
-               tcp {
-                   syn-flood {
-                       alarm-threshold 1024;
-                       attack-threshold 200;
-                       source-threshold 1024;
-                       destination-threshold 2048;
-                       timeout 20;
-                   }
-                   land;
-               }
-           }
-       }
-       nat {
-           source {
-               rule-set trust-to-untrust {
-                   from zone trust;
-                   to zone untrust;
-                   rule source-nat-rule {
-                       match {
-                           source-address 0.0.0.0/0;
-                       }
-                       then {
-                           source-nat {
-                               interface;
-                           }
-                       }
-                   }
-               }
-           }
-       }
-       policies {
-           from-zone trust to-zone untrust {
-               policy trust-to-untrust {
-                   match {
-                       source-address any;
-                       destination-address any;
-                       application any;
-                   }
-                   then {
-                       permit;
-                   }
-               }
-           }
-       }
-       zones {
-           security-zone trust {
-               host-inbound-traffic {
-                   system-services {
-                       all;
-                   }
-                   protocols {
-                       all;
-                   }
-               }
-               interfaces {
-                   vlan.0;
-               }
-           }
-           security-zone untrust {
-               screen untrust-screen;
-               interfaces {
-                   ge-0/0/0.0 {
-                       host-inbound-traffic {
-                           system-services {
-                               dhcp;
-                               tftp;
-                           }
-                       }
-                   }
-               }
-           }
-       }
-   }
-   vlans {
-       vlan-trust {
-           vlan-id 3;
-           l3-interface vlan.0;
-       }
-   }
Question:
With the exception of the root authentication, does the generated output
Step 2.21
Activate the changes and return to operational mode.
[edit]
root# commit and-quit
commit complete
Exiting configuration mode
root@SRXP>
Step 3.2
Display the contents of the recently saved rescue configuration.
root@SRXP> file show /config/rescue.conf.gz
## Last changed: 2012-05-01 18:05:49 UTC
version 12.1R1.9
system {
host-name SRXP;
time-zone Asia/Taipei;
root-authentication {
encrypted-password "$1$BPDZ4p0b$vb3OrwvurBAl.wrwQG16h/";
}
name-server {
208.67.222.222;
208.67.220.220;
}
services {
ssh;
telnet;
xnm-clear-text;
web-management {
http {
interface ge-0/0/5.0;
}
https {
system-generated-certificate;
interface all;
---(more)--- <output omitted>
Question:
Does the rescue configuration match the recently created active configuration?
____________________________________________________________________________
Answer:
Yes, the rescue configuration should match the recently created active
configuration.
Question:
What CLI command could you issue to compare the active and rescue
configuration files?
____________________________________________________________________________
Answer:
Step 3.3
Return to configuration mode and delete the [edit system services] hierarchy level.
Activate the change.
root@SRXP> configure
Entering configuration mode
[edit]
root@SRXP# delete system services
[edit]
root@SRXP# commit
commit complete
Step 3.4
Verify that the [edit system services] hierarchy level is empty and then load the rescue
configuration.
[edit]
root@SRXP# show system services
[edit]
root@SRXP# rollback rescue
load complete
Step 3.5
Verify that the [edit system services] hierarchy level once again contains the ssh, telnet,
and web-management services.
[edit]
root@SRXP# show system services
ssh;
telnet;
xnm-clear-text;
web-management {
http {
interface ge-0/0/5.0;
}
https {
system-generated-certificate;
interface all;
}
}
Question:
Did the rescue configuration successfully load? Are the services enabled now?
If not, why not?
____________________________________________________________________________
Answer:
Yes, the rescue configuration loaded successfully and restored the statements
at the [edit system services] hierarchy level. However, the software did not
enable the services. Remember, to enable the rescue configuration, or any
other candidate configuration, you must commit!
Step 3.6
Activate the rescue configuration and return to operational mode.
[edit]
root@SRXP# commit and-quit
commit complete
Exiting configuration mode
Step 3.7
Delete the rescue configuration and attempt to display the rescue.conf.gz file to confirm
the deletion.
root@SRXP> request system configuration rescue delete
root@SRXP> file show /config/rescue.conf.gz
error: could not resolve file: /config/rescue.conf.gz
Question:
Answer:
Yes, based on the results shown, the deletion of the rescue configuration was
successful.
Step 4.1
Display the status of the interfaces with the show interfaces terse command.
root@SRXP> show interfaces terse
Interface               Admin Link Proto    Local                 Remote
<output omitted>
                                            10.0.0.1            --> 10.0.0.16
                                            10.0.0.6            --> 0/0
                                            128.0.0.1           --> 128.0.1.16
                                            128.0.0.6           --> 0/0
ge-0/0/1                up    up
ge-0/0/2                up    up
ge-0/0/2.0              up    up   inet     192.168.P.2/24
ge-0/0/3                up    up
ge-0/0/3.0              up    up   inet     172.16.P.1/24
ge-0/0/4                up    down
ge-0/0/5                up    up
ge-0/0/5.0              up    up   inet     10.0.P.1/24
ge-0/0/6                up    down
ge-0/0/7                up    up
ge-0/0/8                up    up
ge-0/0/9                up    up
ge-0/0/10               up    up
ge-0/0/11               up    up
ge-0/0/12               up    up
ge-0/0/13               up    up
ge-0/0/14               up    up
ge-0/0/15               up    up
fxp2                    up    up
fxp2.0                  up    up   tnp      0x1
gre                     up    up
ipip                    up    up
irb                     up    up
lo0                     up    up
lo0.16384               up    up   inet     127.0.0.1           --> 0/0
lo0.16385               up    up   inet     10.0.0.1            --> 0/0
                                            10.0.0.16           --> 0/0
                                            128.0.0.1           --> 0/0
                                            128.0.0.4           --> 0/0
                                            128.0.1.16          --> 0/0
lo0.32768               up    up
lsi                     up    up
mtun                    up    up
pimd                    up    up
pime                    up    up
pp0                     up    up
ppd0                    up    up
ppe0                    up    up
st0                     up    up
tap                     up    up
vlan                    up    up
Question:
What are the Admin and Link states of the recently configured interfaces?
____________________________________________________________________________
Answer:
All configured interfaces should show Admin and Link states of up, as shown in
the sample capture.
Step 4.2
Verify the CLI default parameters and extend the CLI screen-width to 130 characters.
root@SRXP> show cli
CLI complete-on-space set to on
CLI idle-timeout disabled
CLI restart-on-upgrade set to on
CLI screen-length set to 24
CLI screen-width set to 80
CLI terminal is 'vt100'
CLI is operating in enhanced mode
CLI timestamp disabled
CLI working directory is '/cf/root'
root@SRXP> set cli screen-width 130
Screen width set to 130
Step 4.3
Reconfigure the admin user account, with password juniper123. Commit the changes.
root@SRXP> configure
Entering configuration mode
[edit]
root@SRXP# set system login user admin class super-user authentication plain-text-password
New password: juniper123
Retype new password: juniper123
[edit]
root@SRXP# commit and-quit
commit complete
Exiting configuration mode
Step 4.4
Log out and then log in as the admin user.
root@SRXP> exit
root@SRXP% exit
logout
SRXP (ttyu0)
login: admin
Password: juniper123
--- JUNOS 12.1R1.9 built 2012-03-24 12:12:49 UTC
admin@SRXP>
Step 4.5
Verify the lab1 configuration file you saved in the previous lab.
admin@SRXP> file list
/cf/var/home/admin/:
.ssh/
IJOS.LAB1
Step 4.6
There are many ways to back up the configuration. One option is to issue the
show configuration | save /cf/var/home/admin/IJOS.LAB2 CLI command to save
the active configuration as IJOS.LAB2 in the /cf/var/home/admin directory.
By saving your current configuration, you can roll back to it at any time by loading
the saved file and committing, for example:
[edit]
admin@SRXP# load override IJOS.LAB2
load complete
[edit]
admin@SRXP# commit
commit complete