Yes, you are seeing that picture correctly – this post is about Junos.
I have decided to fire up my tiny Juniper lab that consists of two SRX210 and one SRX100 router/firewall. These devices are connected to a Cisco 2500 (someone did say one router to rule them all 😛 ) for remote console access to the pod. I also have a small Cisco 831 connected in this lab so that I can test commands and configuration interoperability. Also, if I know the Cisco router config is right and the Juniper router is not connecting, I can be confident that at least one end has a known good config.
Be kind to me, just getting into this stuff. I took a class a few years back on Junos, but much has changed since then.
So, what is the first thing you need to do when you get an SRX router for a lab? It's funny, but deleting the default config is probably the easiest. The joy of the SRX is that it comes with DHCP and other stuff enabled, and that just drives me nuts!
Let us start with powering an SRX up and getting some basic configs for remote access configured.
The first thing that you will probably see is Amnesiac. We should be able to log in as root with no password, or that is how my hardware was.
Amnesiac (ttyu0)
login: root
password:
--- JUNOS 12.1R2.9 built 2012-05-31 08:58:52 UTC
root@%
Now that we are logged in, we need to start the CLI:
root@% cli
root>
There, we are now at the CLI for Junos. Next we need to enter configuration mode. There are two ways to do this, by using the configure command or the edit command. I prefer the edit command when using Junos, as it helps to keep my mind straight as to what part of the config I am working with.
root> edit ?
Possible completions:
<[Enter]> Execute this command
batch Work in batch mode (commit happens in batch)
dynamic Work in dynamic database
exclusive Obtain exclusive lock (other users cannot make changes)
private Work in private database (other’s changes do not show)
| Pipe through a command
root> configure ?
Possible completions:
<[Enter]> Execute this command
batch Work in batch mode (commit happens in batch)
dynamic Work in dynamic database
exclusive Obtain exclusive lock (other users cannot make changes)
private Work in private database (other’s changes do not show)
| Pipe through a command
Ok, so let's go into edit mode. Once you are in edit mode, you will see [edit] in brackets above the command prompt.
root> edit
Entering configuration mode.
[edit]
root#
Now we can delete everything in the config. This is like doing a wr erase on a Cisco router when you get it. You know all the silly stuff that Cisco ships its routers with (ACLs, usernames, etc.); Juniper ships similar stuff.
[edit]
root# delete
This will delete the entire configuration
Delete everything under this level? [yes,no] (no) yes
[edit]
root#
First we can set our hostname to J1:
[edit]
root# set system host-name J1
Now we can set our root password to juniper123:
root# set system root-authentication plain-text-password
New password: juniper123
Retype new password: juniper123
Now that we have root taken care of, let's create a user and give them super-user access. There are a few other classes that you can choose, but for now we will just focus on super-user.
[edit]
root# set system login user jfry class ?
Possible completions:
<class> Login class
operator permissions [ clear network reset trace view ]
read-only permissions [ view ]
super-user permissions [ all ]
unauthorized permissions [ none ]
Now we can create a local user for this box:
[edit]
root# set system login user jfry class super-user
root# set system login user jfry authentication plain-text-password
New password: juniper123
Retype new password: juniper123
[edit]
root#
Now we can enable SSH so that we can remote into the equipment. This step is necessary, as we will need to use a program like WinSCP to copy code to these devices.
[edit]
root# set system services ssh
Since the SRX is a firewall, we should disable some of the firewall features. The easiest way to do this is to enable packet-based mode. Enable this for inet6, iso, and mpls as follows:
[edit]
root# set security forwarding-options family inet6 mode packet-based
[edit]
root# set security forwarding-options family mpls mode packet-based
[edit]
root# set security forwarding-options family iso mode packet-based
I am sure you are asking "why are we setting the family to mpls?"; well, I asked the same thing. I looked and found a document on Juniper.Net (http://www.juniper.net/us/en/local/pdf/app-notes/3500192-en.pdf) that references this on page 6. What it says is:
When MPLS is configured, there is no way of knowing if an IP packet entering the services gateway will require MPLS encapsulation until the packet is processed, so enabling MPLS can be used to force an SRX Series or J Series device to forward all IPv4 traffic in packet mode.
Ahh, so setting MPLS to packet mode has the same effect as setting inet to packet mode. Ok, they say so.
Ok, let's save and apply what we have done so far:
[edit]
root# commit
commit complete
[edit]
root@J1#
Ok, so there you can see we now have a hostname, J1, listed in the prompt. The last thing we will configure is an IP address on the device. Instead of using all these set commands, we will do this a bit differently: we will use the edit command.
(Oh, and I am writing this part the next day, so I am logged in as jfry; you will see the prompt change in the following examples.)
First though, we should take a quick look at what options we have after the edit command.
jfry@J1# edit ?
Possible completions:
> access Network access configuration
> access-profile Access profile for this instance
> accounting-options Accounting data configuration
> applications Define applications by protocol characteristics
> bridge-domains Bridge domain configuration
> chassis Chassis configuration
> class-of-service Class-of-service configuration
> ethernet-switching-options Ethernet-switching configuration options
> event-options Event processing configuration
> firewall Define a firewall configuration
> forwarding-options Configure options to control packet forwarding
> groups Configuration groups
> interfaces Interface configuration
> multi-chassis
> policy-options Policy option configuration
> protocols Routing protocol configuration
> routing-instances Routing instance configuration
> routing-options Protocol-independent routing option configuration
> schedulers Security scheduler
> security Security configuration
> services Set services parameters
> smtp Simple Mail Transfer Protocol service configuration
> snmp Simple Network Management Protocol configuration
> switch-options Options for default routing-instance of type virtual-switch
> system System parameters
> vlans VLAN configuration
> wlan Wireless access point configuration
If you are new to Junos, like me, the edit command is easier to navigate. With the set command you really need to know the commands and options in order to use it effectively. The edit command allows you to ? your way through the hierarchy.
Ok, let's edit interfaces:
[edit]
jfry@J1# edit interfaces
Now for this example, we will edit fe-0/0/2:
[edit interfaces]
jfry@J1# edit fe-0/0/2
Now we can edit unit 0. The Junos Security book puts it this way:
When an interface is configured for use on the network it must always be configured with what is known as a unit. A unit is a logical entity that is applied to an interface. A physical interface must have at least one unit, but it can have as many as 16,000, depending on the need. This is a departure from other operating systems.
[edit interfaces fe-0/0/2]
jfry@J1# edit unit 0
Now we need to modify family inet (inet6 would be for IPv6):
[edit interfaces fe-0/0/2 unit 0]
jfry@J1# edit family inet
And now we can set an IP address, here 192.168.0.201/24:
[edit interfaces fe-0/0/2 unit 0 family inet]
jfry@J1# edit address 192.168.0.201/24
Now we can see that it is set; let's jump back to the top of the config hierarchy
[edit interfaces fe-0/0/2 unit 0 family inet address 192.168.0.201/24]
jfry@J1# top
and commit our changes.
[edit]
jfry@J1# commit
Once the config is committed, we can exit:
[edit]
jfry@J1# exit
This exits configuration mode and puts us back at the operational CLI.
jfry@J1>
Now, let’s try to ping the gateway on this network – 192.168.0.1
jfry@J1> ping 192.168.0.1 count 5
PING 192.168.0.1 (192.168.0.1): 56 data bytes
64 bytes from 192.168.0.1: icmp_seq=0 ttl=64 time=2.908 ms
64 bytes from 192.168.0.1: icmp_seq=1 ttl=64 time=2.882 ms
64 bytes from 192.168.0.1: icmp_seq=2 ttl=64 time=2.690 ms
64 bytes from 192.168.0.1: icmp_seq=3 ttl=64 time=2.883 ms
64 bytes from 192.168.0.1: icmp_seq=4 ttl=64 time=2.493 ms
--- 192.168.0.1 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 2.493/2.771/2.908/0.160 ms
jfry@J1>
And there you go, you are on the network!
Oh, if you are done playing for the day and want to power off your appliance, just use the command request system power-off:
jfry@J1> request system power-off
Power Off the system ? [yes,no] (no) yes
Shutdown NOW!
[pid 1706]
jfry@J1>
*** FINAL System shutdown message from jfry@J1 ***
System going down IMMEDIATELY
And the system will then power off when it has finished shutting down gracefully.
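To make the hierarchy walk concrete, here is an added Python example (not code from the post, from Juniper, or from the Junos CLI) that replays the configuration-mode session above. It tracks the [edit ...] level the CLI shows while you edit your way down and top your way back up, and returns the flat set statements the candidate configuration ends up holding; it also nests those statements word by word so you can see the same tree the [edit] prompts were walking. The one assumption, borne out by the post's successful commit, is that edit into a level that does not exist yet creates it; the session lists and the tree view are this example's own approximation, not Junos output.

```python
"""Replay a Junos configuration-mode session as flat 'set' statements.

Added example, not code from the original post or from Juniper. It models
the [edit] level the CLI shows while you 'edit' down the hierarchy and 'top'
back up, and returns the statements the candidate configuration ends up
holding. Assumption (borne out by the post's successful commit): 'edit' into
a level that does not exist yet creates it.
"""
from typing import Dict, List

# Constructed sample: the commands the post types, minus prompts and output.
POST_SESSION = [
    "edit interfaces",
    "edit fe-0/0/2",
    "edit unit 0",
    "edit family inet",
    "edit address 192.168.0.201/24",
    "top",
]

# Constructed sample: the same interface intent as one 'set' from [edit],
# together with the system-level statements the post configured earlier.
SET_SESSION = [
    "set system host-name J1",
    "set system services ssh",
    "set system login user jfry class super-user",
    "set interfaces fe-0/0/2 unit 0 family inet address 192.168.0.201/24",
]


def replay(session: List[str]) -> List[str]:
    """Return the flat 'set' statements a configuration-mode session produces."""
    level: List[str] = []          # current position, what Junos shows as [edit ...]
    paths: List[List[str]] = []    # hierarchy paths touched, in typing order
    for line in session:
        words = line.split()
        if not words:
            continue
        verb, args = words[0], words[1:]
        if verb == "top":
            level = []
        elif verb == "edit":
            level = level + args
            paths.append(list(level))      # entering a level creates it (assumption above)
        elif verb == "set":
            paths.append(level + args)     # 'set' is relative to the current level
        else:
            raise ValueError(f"unsupported configuration-mode verb: {verb}")
    return ["set " + " ".join(p) for p in _collapse(paths)]


def _collapse(paths: List[List[str]]) -> List[List[str]]:
    """Drop duplicates and paths that are strict prefixes of a later path: the
    intermediate 'edit' levels only matter as containers of the deepest one."""
    kept: List[List[str]] = []
    for i, p in enumerate(paths):
        deeper = any(len(q) > len(p) and q[:len(p)] == p for q in paths[i + 1:])
        if not deeper and p not in kept:
            kept.append(p)
    return kept


def hierarchy(statements: List[str]) -> Dict:
    """Nest flat 'set' statements word by word, mirroring how [edit] levels nest.
    Schema-free approximation: real Junos knows which words are identifiers."""
    root: Dict = {}
    for stmt in statements:
        node = root
        for word in stmt.split()[1:]:       # skip the leading 'set'
            node = node.setdefault(word, {})
    return root


def render(tree: Dict, indent: int = 0) -> List[str]:
    """Indented tree view of the hierarchy, one word per level."""
    lines: List[str] = []
    for key, child in tree.items():
        lines.append("    " * indent + key)
        lines.extend(render(child, indent + 1))
    return lines


if __name__ == "__main__":
    for stmt in replay(POST_SESSION):
        print(stmt)
    print("\n".join(render(hierarchy(replay(SET_SESSION)))))
```

Running it prints the single statement set interfaces fe-0/0/2 unit 0 family inet address 192.168.0.201/24 for the post's five edit commands, which is exactly the top-level set form of the same change.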
Chris Jones said:
I have never seen anyone configure anything with edit like that. Just do set and ? until your command is done. set interfaces fe-0/0/2.0 family inet address 192.168.0.201/24, hitting ? after each item to see what the options are. Also, when editing something like that, you CAN'T set a value in Junos by using edit in that manner unless the final value you enter in the command has sub-options. For example, you could do "set address x.x.x.x/xx ?" and it would give you a list of options. For a value that only has as an option when you hit the ?, you will need to use set. Edit is only meant to navigate hierarchy. I actually very rarely use edit, unless I'm doing a lot of configuration under the same level of a hierarchy. Usually policy, firewall filters, or routing-instances. You better get out of that habit as soon as possible 🙂
The unit number is the same thing as the IOS subinterface, it’s just always required in Junos. It’s the logical interface, where fe-0/0/2 is the physical interface. You’d set things like speed and duplex under fe-0/0/2, but set things like IP addresses under the unit. The family mpls for setting packet mode is a legacy thing. Setting your router into packet mode was originally for the purpose of using mpls, so that’s what the command was used for. It’s just historical roots, and hopefully will get replaced with family inet someday.
fryguy said:
..gotta start somewhere 🙂 Thanks for the feedback.
Dave Mauro said:
If you don't want to run in packet mode, here are the minimum commands to get this working in flow mode (which keeps track of sessions and gets you all the security-related srx features):
# set up a single security zone and put interface(s) into it
set security zones security-zone trust interfaces fe-0/0/2.0
# allow all mgmt and control traffic destined to the box for that zone, for now
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
# set up default security policy to allow all traffic through the box
set security policies default-policy permit-all
This way it’s keeping track of flows, but you still get all the routing functionality and junos goodies. Nice post! Hope you are enjoying dipping your toe in.
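Both the post's packet-mode setup and the flow-mode alternative in the comment above are lab conveniences: one switches the stateful inspection off per family, the other keeps it on but opens every service, protocol and transit flow "for now". As an added example (not code from the post, its commenters, or Juniper), this Python audit takes a list of set statements, decides which forwarding mode IPv4 ends up in, and lists the statements that widen exposure so they can be tightened before the box leaves the lab. The rules, severities, messages and the two sample statement lists are this example's own; the statements themselves are the ones shown on this page.

```python
"""Audit Junos 'set' statements for lab-only settings before they reach production.

Added example, not code from the post, its comments, or Juniper. It compares
the packet-mode setup from the post with the flow-mode alternative from the
comments, reports which IPv4 forwarding mode each ends up in, and lists the
statements that widen exposure. Rules and messages are this example's own.
"""
from typing import List, Tuple

# Constructed sample A: the post's packet-mode setup.
PACKET_MODE = [
    "set system services ssh",
    "set security forwarding-options family inet6 mode packet-based",
    "set security forwarding-options family mpls mode packet-based",
    "set security forwarding-options family iso mode packet-based",
    "set interfaces fe-0/0/2 unit 0 family inet address 192.168.0.201/24",
]

# Constructed sample B: the flow-mode setup suggested in the comments.
FLOW_MODE = [
    "set system services ssh",
    "set security zones security-zone trust interfaces fe-0/0/2.0",
    "set security zones security-zone trust host-inbound-traffic system-services all",
    "set security zones security-zone trust host-inbound-traffic protocols all",
    "set security policies default-policy permit-all",
    "set interfaces fe-0/0/2 unit 0 family inet address 192.168.0.201/24",
]

# Each rule: (pattern, severity, message). '*' in a pattern matches any one word.
RULES: List[Tuple[str, str, str]] = [
    ("security forwarding-options family * mode packet-based", "info",
     "packet mode: stateful flow features (zones, policies, screens) do not apply to this family"),
    ("security zones security-zone * host-inbound-traffic system-services all", "warn",
     "every system service on the box is reachable from this zone; list only the ones needed"),
    ("security zones security-zone * host-inbound-traffic protocols all", "warn",
     "every routing protocol is accepted from this zone; list only the ones needed"),
    ("security policies default-policy permit-all", "warn",
     "all transit traffic is permitted when no policy matches; default should deny"),
]


def _matches(pattern: str, words: List[str]) -> bool:
    """Word-by-word match of a statement (without the leading 'set') against a rule pattern."""
    pat = pattern.split()
    return len(pat) == len(words) and all(p == "*" or p == w for p, w in zip(pat, words))


def ipv4_forwarding_mode(statements: List[str]) -> str:
    """'packet' when family mpls is packet-based, which (per the Juniper app note the
    post quotes) forces all IPv4 traffic into packet mode; otherwise 'flow'."""
    for stmt in statements:
        if _matches("security forwarding-options family mpls mode packet-based", stmt.split()[1:]):
            return "packet"
    return "flow"


def audit(statements: List[str]) -> List[Tuple[str, str, str]]:
    """Return (severity, statement, message) for every statement that trips a rule."""
    findings: List[Tuple[str, str, str]] = []
    for stmt in statements:
        words = stmt.split()[1:]            # drop the leading 'set'
        for pattern, severity, message in RULES:
            if _matches(pattern, words):
                findings.append((severity, stmt, message))
    return findings


if __name__ == "__main__":
    for name, config in (("packet-mode (post)", PACKET_MODE), ("flow-mode (comment)", FLOW_MODE)):
        print(f"{name}: IPv4 forwarding is {ipv4_forwarding_mode(config)} mode")
        for severity, stmt, message in audit(config):
            print(f"  [{severity}] {stmt}\n         {message}")
```

The packet-mode list produces three informational findings and no warnings, because in packet mode there is nothing stateful to misconfigure; the flow-mode list stays in flow mode but produces three warnings, one per "for now" statement, which is the list of things to replace with explicit services, protocols and policies once the lab is working.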
linuxarco said:
the power off command defaulting to no, not sure where to change it to allow an option no hits on google search. root@juniperR1> request system power-off
Power Off the system ? [yes,no] (no)