Guess it is time to get the party started! Just a quick note, there is a vendor that I have used in the past to get hardware for labs, if you are interested in hardware, please let me know and I will put you in touch with them. You can deal with them directly so that you know you are getting their best price.
I am not going to cover how to recover a lost root password, but if you need that information here is a link to the Juniper KB Article KB17565 below. This article is for Junos 10.x and higher.
http://kb.juniper.net/InfoCenter/index?page=content&id=KB17565
What I will cover, though, is getting your Junos device up and running after you recover the root password. The first thing you will want to do is zeroize the device; this will erase all configuration information and reboot the device.
root@J1> request system zeroize
warning: System will be rebooted and may not boot without configuration
Erase all data, including configuration and log files? [yes,no] (no) yes
warning: zeroizing re0
root@J1> Waiting (max 60 seconds) for system process `vnlru_mem' to stop...done
Waiting (max 60 seconds) for system process `vnlru' to stop...done
Waiting (max 60 seconds) for system process `bufdaemon' to stop...done
Waiting (max 60 seconds) for system process `syncer' to stop...
Syncing disks, vnodes remaining...0 0 0 done
syncing disks... All buffers synced.
Uptime: 5m9s
Rebooting...
[— Removed the reboot cycle output for this document —-]
Once the device finishes rebooting, you will be at the Amnesiac prompt. This is the prompt the system gives you when there is no configuration on the device. Almost like it is brand new, out of the box!
Amnesiac (ttyu0)
login: root
(Note: No prompt for a root password as the system is not yet configured)
--- JUNOS 12.1R2.9 built 2012-05-31 08:58:52 UTC
root@%
Cool, now we are logged in.
You will notice that you are at a % prompt. This is actually a BSD prompt where you can run normal BSD type commands like uname to show the version.
root@% uname -a
JUNOS 12.1R2.9 JUNOS 12.1R2.9 #0: 2012-05-31 08:58:52 UTC builder@greteth:/volume/build/junos/12.1/release/12.1R2.9/obj-octeon/junos/bsd/kernels/JSRXNLE/kernel octeon
root@%
Ok, enough of that – we need to get to the command line. You do that by entering cli from the prompt.
Note: You will only need to do this if you are logged in as Root (I believe).
root@% cli
root>
There, the prompt changed.
Ok, time to see what the running config looks like by issuing the command show configuration:
root> show configuration
## Last commit: 2012-08-09 02:41:49 UTC by root
version 12.1R2.9;
system {
autoinstallation {
delete-upon-commit; ## Deletes [system autoinstallation] upon change/commit
traceoptions {
level verbose;
flag {
all;
}
}
interfaces {
ge-0/0/0 {
bootp;
}
}
}
name-server {
208.67.222.222;
208.67.220.220;
}
services {
ssh;
telnet;
xnm-clear-text;
web-management {
http {
interface vlan.0;
}
https {
system-generated-certificate;
interface vlan.0;
}
}
dhcp {
router {
192.168.1.1;
}
pool 192.168.1.0/24 {
address-range low 192.168.1.2 high 192.168.1.254;
}
propagate-settings ge-0/0/0.0;
}
}
syslog {
archive size 100k files 3;
user * {
any emergency;
}
file messages {
any critical;
authorization info;
}
file interactive-commands {
interactive-commands error;
}
}
max-configurations-on-flash 5;
##
## Warning: statement ignored: unsupported platform (srx210h)
##
max-configuration-rollbacks 5;
license {
autoupdate {
url https://ae1.juniper.net/junos/key_retrieval;
}
}
## Warning: missing mandatory statement(s): 'root-authentication'
}
interfaces {
ge-0/0/0 {
unit 0;
}
ge-0/0/1 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
fe-0/0/2 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
fe-0/0/3 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
fe-0/0/4 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
fe-0/0/5 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
fe-0/0/6 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
fe-0/0/7 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
vlan {
unit 0 {
family inet {
address 192.168.1.1/24;
}
}
}
}
protocols {
stp;
}
security {
screen {
ids-option untrust-screen {
icmp {
ping-death;
}
ip {
source-route-option;
tear-drop;
}
tcp {
syn-flood {
alarm-threshold 1024;
attack-threshold 200;
source-threshold 1024;
destination-threshold 2048;
timeout 20;
}
land;
}
}
}
nat {
source {
rule-set trust-to-untrust {
from zone trust;
to zone untrust;
rule source-nat-rule {
match {
source-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
}
}
policies {
from-zone trust to-zone untrust {
policy trust-to-untrust {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
}
zones {
security-zone trust {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
vlan.0;
}
}
security-zone untrust {
screen untrust-screen;
interfaces {
ge-0/0/0.0 {
host-inbound-traffic {
system-services {
dhcp;
tftp;
}
}
}
}
}
}
}
vlans {
vlan-trust {
vlan-id 3;
l3-interface vlan.0;
}
}
root>
WOW! There is a lot of stuff there! The joys of any new device, they usually come with some type of pre-configuration on them. Well, for this lab we don’t want any of that, so we will erase the configuration on the device and start from a blank slate.
To delete the config, we need to get into configuration mode (or edit mode).
You can use the edit command or configure command. I usually use edit. Be warned though, this is actually a hidden command and will not autocomplete.
root> edit
Entering configuration mode
[edit]
root#
There, we are in edit mode now. Now we should delete the current config. You do that by entering delete from the topmost level, which is the level you land on when you enter configuration mode. If you are unsure whether you are at the top level, enter the command top.
[edit]
root# delete
This will delete the entire configuration
Delete everything under this level? [yes,no] (no) yes
[edit]
root#
Now we can commit that and figure out what is next.
[edit]
root# commit
error: cannot commit an empty configuration
Hmm, cannot commit an empty config.
Guess we need to set up the root account and perhaps a user account so that we can access the system.
We will set the system host-name, and set root-authentication with a plain-text password that we type in at the prompt. For this lab we will use juniper123.
[edit]
root# set system root-authentication plain-text-password
New password: juniper123
Retype new password: juniper123
[edit]
root# set system host-name JJ1
Whoops, we meant to set it to J1. Well, we can delete that line by re-entering it, but instead of using set, we will use delete.
[edit]
root# delete system host-name JJ1
[edit]
root# set system host-name J1
Now we get to create a user for this lab. I will create jfry and assign him as a super-user, set his full name to Jeff Fry, and set his password to juniper123.
[edit]
root# set system login user jjfry class super-user
Uh-oh, we meant to enter jfry and we entered jjfry. So do we need to delete that line and re-add it? Nope. We can use rename instead.
[edit]
root# rename system login user jjfry to user jfry
[edit]
root# set system login user jfry full-name "Jeff Fry"
[edit]
root# set system login user jfry authentication plain-text-password
New password: juniper123
Retype new password: juniper123
Time to look at the configuration before we commit it:
root# show
## Last changed: 2012-08-09 02:55:41 UTC
system {
host-name J1;
root-authentication {
encrypted-password "$1$KzNk.qW/$snaQkMp/4d3vZWjO5YONG/"; ## SECRET-DATA
}
login {
user jfry {
full-name "Jeff Fry";
class super-user;
authentication {
encrypted-password "$1$GlR67aAm$uTukNzdwUDf7VDIBxi6sq/"; ## SECRET-DATA
}
}
}
}
[edit]
root#
You will notice that the output is in stanza format. If you want to see the set-based commands, just issue the command show | display set.
[edit]
root# show | display set
set system host-name J1
set system root-authentication encrypted-password "$1$KzNk.qW/$snaQkMp/4d3vZWjO5YONG/"
set system login user jfry full-name "Jeff Fry"
set system login user jfry class super-user
set system login user jfry authentication encrypted-password "$1$GlR67aAm$uTukNzdwUDf7VDIBxi6sq/"
[edit]
root#
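The stanza-to-set mapping that show | display set performs, as an added example (not code from the original post or from Juniper): a small Python parser that flattens the J1 stanza above into the same set lines, with an optional switch that masks values Junos tags ## SECRET-DATA so the hashes stay out of a config you share. The function name, the redact option and the <redacted> marker are assumptions; the sample is this page's J1 config retyped with straight quotes.

```python
import re
# Constructed sample: the J1 stanza shown above, typed with straight quotes.
J1_STANZA = '''
system {
    host-name J1;
    root-authentication {
        encrypted-password "$1$KzNk.qW/$snaQkMp/4d3vZWjO5YONG/"; ## SECRET-DATA
    }
    login {
        user jfry {
            full-name "Jeff Fry";
            class super-user;
            authentication {
                encrypted-password "$1$GlR67aAm$uTukNzdwUDf7VDIBxi6sq/"; ## SECRET-DATA
            }
        }
    }
}
'''

def stanza_to_set(text, redact=False):
    """Flatten stanza-format config into set lines (hypothetical helper name)."""
    path, out = [], []
    for raw in text.splitlines():
        secret = raw.rstrip().endswith("## SECRET-DATA")
        # Drop "## ..." annotations (SECRET-DATA tags, warnings, timestamps).
        line = re.sub(r'\s*##[^"]*$', "", raw).strip()
        if not line:
            continue
        if line.endswith("{"):            # opening a stanza: descend one level
            path.append(line[:-1].strip())
        elif line == "}":                 # closing a stanza: go back up
            if not path:
                raise ValueError("unbalanced '}'")
            path.pop()
        elif line.endswith(";"):          # leaf statement: emit one set line
            leaf = line[:-1].strip()
            if redact and secret:         # mask the quoted secret for sharing
                leaf = re.sub(r'"[^"]*"$', '"<redacted>"', leaf)
            out.append(" ".join(["set", *path, leaf]))
        else:
            raise ValueError(f"unparsed line: {line!r}")
    if path:
        raise ValueError("unclosed stanza: " + " ".join(path))
    return out

if __name__ == "__main__":
    print("\n".join(stanza_to_set(J1_STANZA, redact=True)))
```

It expects one statement per line, as Junos prints it, and raises ValueError on unbalanced braces rather than emitting a partial config.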
Ok, time to check our config and make sure it’s ok. To do this, you can issue commit check.
[edit]
root# commit check
configuration check succeeds
Good, let’s commit the changes. I will add in a comment for this commit by issuing commit comment "comment goes here".
[edit]
root# commit comment "Initial Setup for lab"
commit complete
Once you have committed the changes, you are still in edit mode. Just issue the command quit to get back to the cli.
[edit]
root@J1# quit
Exiting configuration mode
root@J1>
So what did that comment do? Well, let’s see:
root@J1> show system commit
0 2012-08-09 02:59:04 UTC by root via cli
Initial Setup for lab
root@J1>
There is our comment below our commit. It is a way to record why you made the change. For business, think of a change control procedure – you can enter the Change number as part of your commit. Taking a lab? You can write the comment after the task number so you can revert if you make a mistake. It can be used for many things – notations of a change control, customer incident number, personal note in a lab, etc.
There we are back at the cli on J1. Now, we need to do a similar config on J2 and J3 for this lab.
The question is, is there an easier way to do this? Yes, there is, and it is called load merge terminal. You can even load the config from a file if you wanted to – say, from a USB drive?
We will merge in this config to the J2 router.
system {
host-name J2;
root-authentication {
encrypted-password "$1$KzNk.qW/$snaQkMp/4d3vZWjO5YONG/"; ## SECRET-DATA
}
login {
user jfry {
full-name "Jeff Fry";
uid 2002;
class super-user;
authentication {
encrypted-password "$1$GlR67aAm$uTukNzdwUDf7VDIBxi6sq/"; ## SECRET-DATA
}
}
}
}
Since we are logged in as root, time to get to the CLI
root@% cli
And then Edit mode
root> edit
Entering configuration mode
Now we can delete the default configuration
[edit]
root# delete
This will delete the entire configuration
Delete everything under this level? [yes,no] (no) yes
Now we can load the config from the terminal. Yup, you use the load merge terminal command and just paste your config in, ending with a CTRL-D.
[edit]
root# load merge terminal
[Type ^D at a new line to end input]
system {
host-name J2;
root-authentication {
encrypted-password "$1$KzNk.qW/$snaQkMp/4d3vZWjO5YONG/"; ## SECRET-DATA
}
login {
user jfry {
full-name "Jeff Fry";
uid 2002;
class super-user;
authentication {
encrypted-password "$1$GlR67aAm$uTukNzdwUDf7VDIBxi6sq/"; ## SECRET-DATA
}
}
}
}
^D load complete
There, the config is now loaded!
Time to check out what got imported.
[edit]
root# show | display set
set system host-name J2
set system root-authentication encrypted-password "$1$KzNk.qW/$snaQkMp/4d3vZWjO5YONG/"
set system login user jfry full-name "Jeff Fry"
set system login user jfry uid 2002
set system login user jfry class super-user
set system login user jfry authentication encrypted-password "$1$GlR67aAm$uTukNzdwUDf7VDIBxi6sq/"
[edit]
root#
Now we can commit it and we are done with the J2 base configuration. I will admit, that is a nice way to get the configuration loaded!
Now to J3:
root@% cli
root> edit
Entering configuration mode
[edit]
root# delete
This will delete the entire configuration
Delete everything under this level? [yes,no] (no) yes
root# load merge terminal
[Type ^D at a new line to end input]
system {
host-name J3;
root-authentication {
encrypted-password "$1$KzNk.qW/$snaQkMp/4d3vZWjO5YONG/"; ## SECRET-DATA
}
login {
user jfry {
full-name "Jeff Fry";
uid 2002;
class super-user;
authentication {
encrypted-password "$1$GlR67aAm$uTukNzdwUDf7VDIBxi6sq/"; ## SECRET-DATA
}
}
}
}
^D load complete
[edit]
root# commit and-quit
Exiting configuration mode
root@J3>
Cool, J3 done!
One last thing I wanted to cover and that is navigating the stanzas.
Most of the time you will use a single command line to enter a command, but there are times when it is easier to edit a section.
For instance I will use BGP. Instead of using set protocols bgp, I will use edit protocols bgp
[edit]
root@J1# edit protocols bgp
[edit protocols bgp]
root@J1#
As you can see, the [edit] line changed to the stanza that I am in [edit protocols bgp].
Now there are a few ways that we can get back to the top of the config [edit].
First, we can enter the command top and that will immediately take us to the top:
[edit protocols bgp]
root@J1# top
[edit]
root@J1#
We can use up to navigate up one level:
[edit]
root@J1# edit protocols bgp
[edit protocols bgp]
root@J1# up
[edit protocols]
root@J1# up
[edit]
root@J1#
Or we can enter up and a number, here 2, and we will go up that many levels.
[edit]
root@J1# edit protocols bgp
[edit protocols bgp]
root@J1# up 2
[edit]
root@J1#
Ok, one more thing, shutting your device down and rebooting.
To reboot, from the main CLI
root@J1> request system reboot
Reboot the system ? [yes,no] (no) yes
And to power off:
root@J1> request system power-off
Power Off the system ? [yes,no] (no) yes