IJOS Lab Guide

Lab 2:
Initial System Configuration
In this activity, you will perform the following tasks:

Part 1: Load a factory-default configuration.
Part 2: Perform initial system configuration.
Part 3: Save, delete, and restore a rescue configuration.
Part 4: Verifying Interface State and Backup Configuration to file.

Part 1: Loading a Factory-Default Configuration


Step 1.1
Enter configuration mode and load a factory-default configuration using the load
factory-default command.
admin> configure
Entering configuration mode
[edit]
admin# load factory-default
warning: activating factory configuration

Step 1.2
Display the factory-default configuration.
[edit]
admin# show
## Last changed: 2012-05-05 10:09:47 UTC
system {
autoinstallation {
delete-upon-commit; ## Deletes [system autoinstallation] upon change/commit
traceoptions {
level verbose;
flag {
all;
}
}
interfaces {
ge-0/0/0 {
bootp;
}
}
}
name-server {
208.67.222.222;
208.67.220.220;
}
services {
ssh;
telnet;
xnm-clear-text;
web-management {
http {
interface vlan.0;
}
https {
system-generated-certificate;
interface vlan.0;
}
}
dhcp {
router {
192.168.1.1;
}
pool 192.168.1.0/24 {
address-range low 192.168.P.2 high 192.168.P.254;
}
propagate-settings ge-0/0/0.0;
}
}
syslog {
archive size 100k files 3;
user * {
any emergency;
}
file messages {
any critical;
authorization info;
}
file interactive-commands {
interactive-commands error;
}
}
max-configurations-on-flash 5;
##
## Warning: statement ignored: unsupported platform (srx240h)
##
max-configuration-rollbacks 5;
license {
autoupdate {
url https://ae1.juniper.net/junos/key_retrieval;
}
}
## Warning: missing mandatory statement(s): 'root-authentication'
}
interfaces {
ge-0/0/0 {
unit 0;
}
ge-0/0/1 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/2 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/3 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/4 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/5 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/6 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/7 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/8 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/9 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/10 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/11 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/12 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/13 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/14 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/15 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
vlan {
unit 0 {
family inet {
address 192.168.1.1/24;
}
}
}
}
protocols {
stp;
}
security {
screen {
ids-option untrust-screen {
icmp {
ping-death;
}
ip {
source-route-option;
tear-drop;
}
tcp {
syn-flood {
alarm-threshold 1024;
attack-threshold 200;
source-threshold 1024;
destination-threshold 2048;
timeout 20;
}
land;
}
}
}
nat {
source {
rule-set trust-to-untrust {
from zone trust;
to zone untrust;
rule source-nat-rule {
match {
source-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
}
}
policies {
from-zone trust to-zone untrust {
policy trust-to-untrust {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
}
zones {
security-zone trust {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
vlan.0;
}
}
security-zone untrust {
screen untrust-screen;
interfaces {
ge-0/0/0.0 {
host-inbound-traffic {
system-services {
dhcp;
tftp;
}
}
}
}
}
}
}
vlans {
vlan-trust {
vlan-id 3;
l3-interface vlan.0;
}
}
Note: The factory-default configuration displays several statements pertaining to the
security hierarchy level. This information is outside the scope of this class but is
covered in the Junos for Security Platforms (JSEC) course.

Step 1.3
Activate the factory-default configuration by issuing a commit command.
admin# commit
[edit]
'system'
Missing mandatory statement: 'root-authentication'
error: commit failed: (missing statements)

Question:

Did the commit operation succeed? If not, why not?


____________________________________________________________________________

Answer:

The commit operation should fail because the root authentication is missing.
We remedy this situation in the next lab part.

Part 2: Performing Initial Configuration


Step 2.1
Navigate to the [edit system root-authentication] hierarchy level. Issue the set plain-text-password command. When prompted to enter a new password, type apples.
[edit]
admin# edit system root-authentication
[edit system root-authentication]
admin# set plain-text-password
New password: apples
error: require change of case, digits or punctuation

Question:

What happens when you enter the specified password? Why?


____________________________________________________________________________

Answer:

The operation fails because the password does not meet the requirements.

Step 2.2
Again, issue the set plain-text-password command. When prompted to enter a new
password, type Apples. When prompted to confirm the password, type Oranges.
[edit system root-authentication]
admin# set plain-text-password
New password: Apples
Retype new password: Oranges
error: Passwords are not equal; aborting

Question:

What happens when you enter the specified password? Why?


____________________________________________________________________________

Answer:

The operation fails because the passwords are not equal.

Step 2.3
Issue the set plain-text-password command once again. When prompted to enter a new
password, type juniper123. When prompted to confirm the password, type juniper123.
Activate the change and return to operational mode by issuing a commit and-quit
command.
[edit system root-authentication]
admin# set plain-text-password
New password: juniper123
Retype new password: juniper123
[edit system root-authentication]
admin# commit and-quit
commit complete
Exiting configuration mode
admin>

Step 2.4
Issue the file list /var/tmp command.
admin> file list /var/tmp
error: no local user: admin

Question:

What happens when you enter the specified command? Why?


____________________________________________________________________________

Answer:

The operation generates an error because the admin user is no longer valid.
We restore the admin user account in a subsequent lab step.

Step 2.5
Log out as the admin user and log in as root. Use the newly defined password of
juniper123.
admin> exit
Amnesiac (ttyu0)
login: root
Password: juniper123
--- JUNOS 11.4R2.14 built 2012-03-17 19:13:21 UTC
root@%
Note: You should see the previously defined hostname at the login prompt. The Amnesiac
hostname is shown when the hostname is removed and the system is rebooted. You
do not need to reboot the system at this time because you will configure a new
hostname shortly.

Step 2.6
Start the CLI with the cli command and enter configuration mode.
root@% cli
root> configure
Entering configuration mode
[edit]
root#

Step 2.7
Delete interfaces and VLANs from the [edit] hierarchy.
[edit]
root# delete interfaces
[edit]
root# delete vlans

Step 2.8
Navigate to the [edit system] hierarchy level.
[edit]
root# edit system
[edit system]
root#

Step 2.9
Define the system's hostname. Use the hostname SRXP. Replace the P with your pod
number. For example, SRX1 for Pod 1.
[edit system]
root# set host-name SRXP

Step 2.10
Configure the time zone and system time using the local time zone and current time as
input values.
[edit system]
root# set time-zone Asia/Taipei
[edit system]
root# run set date 201205011800.00
Tue May 1 18:00:00 UTC 2012
Note: The default time zone on Junos devices is UTC (Coordinated Universal Time, formerly
known as Greenwich Mean Time, or GMT). When you define the local time, you must
account for the time difference between the defined time zone and the default time
zone. Once the time zone is changed and committed, the local time is adjusted
accordingly to account for the difference. If you do not want to make the necessary
adjustments, you can simply set the system's time after the defined time zone
parameter has been committed.

Step 2.11
Navigate to the [edit system services] hierarchy level.
[edit system]
root# edit services
[edit system services]
root#

Step 2.12
Display the current dhcp service configuration under the [edit system services]
hierarchy level, then delete it.
[edit system services]
root# show
ssh;
telnet;
xnm-clear-text;
web-management {
http {
interface vlan.0;
}
https {
system-generated-certificate;
interface vlan.0;
}
}
dhcp {
router {
192.168.1.1;
}
pool 192.168.1.0/24 {
address-range low 192.168.P.2 high 192.168.P.254;
}
propagate-settings ge-0/0/0.0;
}
[edit system services]
root# delete dhcp

Step 2.13
Configure the HTTP Web-management service to use the ge-0/0/5.0 interface. Remove
the vlan.0 interface from both the HTTP and HTTPS Web-management services.
Configure the HTTPS Web-management service to use all interfaces.
[edit system services]
root# set web-management http interface ge-0/0/5.0
[edit system services]
root# delete web-management http interface vlan.0
[edit system services]
root# delete web-management https interface vlan.0
[edit system services]
root# set web-management https interface all

Step 2.14
Configure the ge-0/0/5 interface using the address and subnet mask specified on the
web page diagram, and specify an interface description of "INSIDE INTERFACE".
[edit system services]
root# top edit interfaces
[edit interfaces]
root# set ge-0/0/5 unit 0 family inet address 10.0.P.1/24
[edit interfaces]
root# set ge-0/0/5 description "INSIDE INTERFACE"

Step 2.15
Configure the ge-0/0/3 interface using the address and subnet mask specified on the
web page diagram, and specify an interface description of "DMZ INTERFACE".
[edit interfaces]
root# set ge-0/0/3 unit 0 family inet address 172.16.P.1/24
[edit interfaces]
root# set ge-0/0/3 description "DMZ INTERFACE"

Step 2.16
Configure the ge-0/0/2 interface using the address and subnet mask specified on the
web page diagram, and specify an interface description of "OUTSIDE INTERFACE".
[edit interfaces]
root# set ge-0/0/2 unit 0 family inet address 192.168.P.2/24
[edit interfaces]
root# set ge-0/0/2 description "OUTSIDE INTERFACE"

Step 2.17
Verify all interfaces you configured in previous steps.
[edit interfaces]
root# show
ge-0/0/2 {
description "OUTSIDE INTERFACE";
unit 0 {
family inet {
address 192.168.P.2/24;
}
}
}
ge-0/0/3 {
description "DMZ INTERFACE";
unit 0 {
family inet {
address 172.16.P.1/24;
}
}
}
ge-0/0/5 {
description "INSIDE INTERFACE";
unit 0 {
family inet {
address 10.0.P.1/24;
}
}
}

Step 2.18
Define a static default route to allow for reachability beyond the directly connected
subnets. Use the RBB address, shown on the lab diagram, as the next-hop value.
[edit interfaces]
root# top edit routing-options
[edit routing-options]
root# set static route 0.0.0.0/0 next-hop 192.168.P.1

Step 2.19
From the top hierarchy, delete all security configuration.
[edit routing-options]
root# top
[edit]
root# delete security

Step 2.20
At the top of the configuration hierarchy, issue the show | compare command to view a
summary of the recent configuration additions.
[edit]
root# show | compare
[edit system]
+ host-name SRXP;
+ time-zone Asia/Taipei;
[edit system services web-management http]
interface vlan.0;
+
interface ge-0/0/5.0;
[edit system services web-management https]
interface vlan.0;
+
interface all;
[edit system services]
dhcp {
router {
192.168.1.1;
}
pool 192.168.1.0/24 {
address-range low 192.168.P.2 high 192.168.P.254;
}
propagate-settings ge-0/0/0.0;
}
[edit interfaces]
- ge-0/0/0 {
unit 0;
- }
- ge-0/0/1 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
- }
[edit interfaces ge-0/0/2]
+ description "OUTSIDE INTERFACE";
[edit interfaces ge-0/0/2 unit 0]
+
family inet {
+
address 192.168.P.2/24;
+
}
family ethernet-switching {
vlan {
members vlan-trust;
}
}
[edit interfaces ge-0/0/3]
+ description "DMZ INTERFACE";
[edit interfaces ge-0/0/3 unit 0]
+
family inet {
+
address 172.16.P.1/24;
+
}
family ethernet-switching {
vlan {
members vlan-trust;
}
}
[edit interfaces]
- ge-0/0/4 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
- }
[edit interfaces ge-0/0/5]
+ description "INSIDE INTERFACE";
[edit interfaces ge-0/0/5 unit 0]
+
family inet {
+
address 10.0.P.1/24;
+
}
family ethernet-switching {
vlan {
members vlan-trust;
}
}
[edit interfaces]
- ge-0/0/6 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
- }
- ge-0/0/7 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/8 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/9 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/10 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/11 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/12 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
- }
- ge-0/0/13 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
- }
- ge-0/0/14 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
- }
- ge-0/0/15 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
- }
- vlan {
unit 0 {
family inet {
address 192.168.1.1/24;
}
}
- }
[edit]
+ routing-options {
+
static {
+
route 0.0.0.0/0 next-hop 192.168.P.1;
+
}
+ }
- security {
screen {
ids-option untrust-screen {
icmp {
ping-death;
}
ip {
source-route-option;
tear-drop;
}
tcp {
syn-flood {
alarm-threshold 1024;
attack-threshold 200;
source-threshold 1024;
destination-threshold 2048;
timeout 20;
}
land;
}
}
}
nat {
source {
rule-set trust-to-untrust {
from zone trust;
to zone untrust;
rule source-nat-rule {
match {
source-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
}
}
policies {
from-zone trust to-zone untrust {
policy trust-to-untrust {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
}
zones {
security-zone trust {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
vlan.0;
}
}
security-zone untrust {
screen untrust-screen;
interfaces {
ge-0/0/0.0 {
host-inbound-traffic {
system-services {
dhcp;
tftp;
}
}
}
}
}
}
- }
- vlans {
vlan-trust {
vlan-id 3;
l3-interface vlan.0;
}
- }

Question:

With the exception of the root authentication, does the generated output
summarize the newly added configuration statements?


____________________________________________________________________________
Answer:

The output should summarize the recently added configuration statements.

Step 2.21
Activate the changes and return to operational mode.
[edit]
root# commit and-quit
commit complete
Exiting configuration mode
root@SRXP>

Part 3: Saving, Displaying, Loading, and Deleting a Rescue Configuration

Step 3.1
Save the active configuration as the rescue configuration.
root@SRXP> request system configuration rescue save

Step 3.2
Display the contents of the recently saved rescue configuration.
root@SRXP> file show /config/rescue.conf.gz
## Last changed: 2012-05-01 18:05:49 UTC
version 12.1R1.9
system {
host-name SRXP;
time-zone Asia/Taipei;
root-authentication {
encrypted-password "$1$BPDZ4p0b$vb3OrwvurBAl.wrwQG16h/";
}
name-server {
208.67.222.222;
208.67.220.220;
}
services {
ssh;
telnet;
xnm-clear-text;
web-management {
http {
interface ge-0/0/5.0;
}
https {
system-generated-certificate;
interface all;
---(more)--< output omitted>

Question:

Does the rescue configuration match the recently created active configuration?
____________________________________________________________________________

Answer:

Yes, the rescue configuration should match the recently created active
configuration.

Question:

What CLI command could you issue to compare the active and rescue
configuration files?
____________________________________________________________________________

Answer:

Use the file compare files /config/juniper.conf.gz /config/rescue.conf.gz
command to compare the active and rescue configurations. As shown in the
following sample capture, the files do not contain any differences:

root@SRXP> file compare files /config/juniper.conf.gz /config/rescue.conf.gz

Step 3.3
Return to configuration mode and delete the [edit system services] hierarchy level.
Activate the change.
root@SRXP> configure
Entering configuration mode
[edit]
root@SRXP# delete system services
[edit]
root@SRXP# commit
commit complete

Step 3.4
Verify that the [edit system services] hierarchy level is empty and then load the rescue
configuration.
[edit]
root@SRXP# show system services
[edit]
root@SRXP# rollback rescue
load complete

Step 3.5
Verify that the [edit system services] hierarchy level once again contains the ssh, telnet,
and web-management services.
[edit]
root@SRXP# show system services
ssh;
telnet;
xnm-clear-text;
web-management {
http {
interface ge-0/0/5.0;
}
https {
system-generated-certificate;
interface all;
}
}

Question:

Did the rescue configuration successfully load? Are the services enabled now?
If not, why not?
____________________________________________________________________________
Answer:

Yes, the rescue configuration loaded successfully and restored the statements
at the [edit system services] hierarchy level. However, the software did not
enable the services. Remember, to enable the rescue configuration, or any
other candidate configuration, you must commit!

Step 3.6
Activate the rescue configuration and return to operational mode.
[edit]
root@SRXP# commit and-quit
commit complete
Exiting configuration mode

Step 3.7
Delete the rescue configuration and attempt to display the rescue.conf.gz file to confirm
the deletion.
root@SRXP> request system configuration rescue delete
root@SRXP> file show /config/rescue.conf.gz
error: could not resolve file: /config/rescue.conf.gz

Question:

Did you successfully delete the rescue configuration?


____________________________________________________________________________

Answer:

Yes, based on the results shown, the deletion of the rescue configuration was
successful.

Part 4: Verifying Interface State and Backup Configuration to file.


Step 4.1
Issue the show interfaces terse CLI command to verify the state of the configured
interfaces.
root@SRXP> show interfaces terse
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    down
gr-0/0/0                up    up
ip-0/0/0                up    up
lsq-0/0/0               up    up
lt-0/0/0                up    up
mt-0/0/0                up    up
sp-0/0/0                up    up
sp-0/0/0.0              up    up   inet
sp-0/0/0.16383          up    up   inet     10.0.0.1            --> 10.0.0.16
                                            10.0.0.6            --> 0/0
                                            128.0.0.1           --> 128.0.1.16
                                            128.0.0.6           --> 0/0
ge-0/0/1                up    up
ge-0/0/2                up    up
ge-0/0/2.0              up    up   inet     192.168.P.2/24
ge-0/0/3                up    up
ge-0/0/3.0              up    up   inet     172.16.P.1/24
ge-0/0/4                up    down
ge-0/0/5                up    up
ge-0/0/5.0              up    up   inet     10.0.P.1/24
ge-0/0/6                up    down
ge-0/0/7                up    up
ge-0/0/8                up    up
ge-0/0/9                up    up
ge-0/0/10               up    up
ge-0/0/11               up    up
ge-0/0/12               up    up
ge-0/0/13               up    up
ge-0/0/14               up    up
ge-0/0/15               up    up
fxp2                    up    up
fxp2.0                  up    up   tnp      0x1
gre                     up    up
ipip                    up    up
irb                     up    up
lo0                     up    up
lo0.16384               up    up   inet     127.0.0.1           --> 0/0
lo0.16385               up    up   inet     10.0.0.1            --> 0/0
                                            10.0.0.16           --> 0/0
                                            128.0.0.1           --> 0/0
                                            128.0.0.4           --> 0/0
                                            128.0.1.16          --> 0/0
lo0.32768               up    up
lsi                     up    up
mtun                    up    up
pimd                    up    up
pime                    up    up
pp0                     up    up
ppd0                    up    up
ppe0                    up    up
st0                     up    up
tap                     up    up
vlan                    up    up
Question:

What are the Admin and Link states of the recently configured interfaces?
____________________________________________________________________________

Answer:

All configured interfaces should show Admin and Link states of up, as shown in
the sample capture.

Step 4.2
Verify the CLI default parameters and extend the CLI screen-width to 130 characters.
root@SRXP> show cli
CLI complete-on-space set to on
CLI idle-timeout disabled
CLI restart-on-upgrade set to on
CLI screen-length set to 24
CLI screen-width set to 80
CLI terminal is 'vt100'
CLI is operating in enhanced mode
CLI timestamp disabled
CLI working directory is '/cf/root'
root@SRXP> set cli screen-width 130
Screen width set to 130

Step 4.3
Reconfigure the admin user account, with password juniper123. Commit the changes.
root@SRXP> configure
Entering configuration mode

[edit]
root@SRXP# set system login user admin class super-user authentication plain-text-password
New password: juniper123
Retype new password: juniper123
[edit]
root@SRXP# commit and-quit
commit complete
Exiting configuration mode

Step 4.4
Log out and then log in as the admin user.
root@SRXP> exit
root@SRXP% exit
logout
SRXP (ttyu0)
login: admin
Password: juniper123
--- JUNOS 12.1R1.9 built 2012-03-24 12:12:49 UTC
admin@SRXP>

Step 4.5
Verify the lab1 configuration file you saved in the previous lab.
admin@SRXP> file list
/cf/var/home/admin/:
.ssh/
IJOS.LAB1

Step 4.6
There are many methods to back up the configuration. One option is to issue the
show configuration | save /cf/var/home/admin/IJOS.LAB2 CLI command to save
the active configuration as IJOS.LAB2 in the /cf/var/home/admin directory.
admin@SRXP> show configuration | save /cf/var/home/admin/IJOS.LAB2
Wrote 90 lines of output to '/cf/var/home/admin/IJOS.LAB2'
admin@SRXP> file list
/cf/var/home/admin/:
.ssh/
IJOS.LAB1
IJOS.LAB2

By saving your current configuration, you are able to roll back to it at any time.
For example:
[edit]
admin@SRXP# load override IJOS.LAB2
load complete
[edit]
admin@SRXP# commit
commit complete
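
A saved configuration file such as IJOS.LAB2 can be reviewed offline before it is reused as a baseline. The following Python script is an added example, not part of the original lab guide or of any Juniper tooling: it parses the curly-brace configuration format shown in the captures above and reports the management-plane settings this lab leaves enabled. The sample text and hash placeholder are constructed, and the names parse and audit are hypothetical.

```python
import re

# Constructed sample abridged from this lab's captures; the hash is a placeholder.
SAMPLE = '''
## Last changed: 2012-05-01 18:05:49 UTC
system {
    host-name SRXP;
    root-authentication {
        encrypted-password "$1$<salt>$<hash>";
    }
    services {
        ssh;
        telnet;
        xnm-clear-text;
        web-management {
            http { interface ge-0/0/5.0; }
            https { system-generated-certificate; interface all; }
        }
    }
}
'''

TOKEN = re.compile(r'"[^"]*"|[{};]|[^\s{};"]+')

def parse(text):
    """Parse curly-brace Junos text into nested dicts; leaf statements map to None."""
    text = re.sub(r'##.*', '', text)      # drop "## ..." comments and warnings
    stack, words = [{}], []
    for tok in TOKEN.findall(text):
        if tok == '{':                    # open a block named by the words so far
            child = {}
            stack[-1][' '.join(words)] = child
            stack.append(child)
            words = []
        elif tok == ';':                  # end of a leaf statement
            stack[-1][' '.join(words)] = None
            words = []
        elif tok == '}':
            if len(stack) == 1 or words:
                raise ValueError('unbalanced or malformed configuration')
            stack.pop()
        else:
            words.append(tok)
    if len(stack) != 1 or words:
        raise ValueError('truncated configuration')
    return stack[0]

def audit(cfg):
    """Return findings for the management-plane settings this lab touches."""
    findings = []
    system = cfg.get('system') or {}
    services = system.get('services') or {}
    for svc in ('telnet', 'xnm-clear-text'):
        if svc in services:
            findings.append(f'{svc}: cleartext management service enabled')
    web = services.get('web-management') or {}
    if 'http' in web:
        findings.append('web-management http: web management served without TLS')
    if 'interface all' in (web.get('https') or {}):
        findings.append('web-management https: bound to all interfaces')
    root_auth = system.get('root-authentication') or {}
    if not root_auth:
        findings.append('root-authentication: missing')
    if any(k.startswith('encrypted-password "$1$') for k in root_auth):
        findings.append('root-authentication: MD5-crypt ($1$) password hash')
    return findings

if __name__ == '__main__':
    print('\n'.join(audit(parse(SAMPLE))))
```

Saved configuration files contain the encrypted-password statements, so they need the same access control as the device itself.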

Tell your instructor that you have completed this lab.
