Now to talk about some of the system services: NTP, Telnet, SSH, SNMP, monitor, and LAG interfaces.  This is a biggie!

Basic functions

There are a few services that I wanted to cover but wanted to wait until near the end.  The reason for waiting is that I wanted you to focus on the configuration of the protocols and not so much on the access and supporting features.   Plus, having a routing protocol configured simplifies the testing of these commands.

For this lab you will need to roll back to the rescue config and then configure OSPF Area 0 on all the routers, configure R4 to connect to the Internet, and advertise a default route into OSPF.  Once you have that completed, we will continue on to discuss:

 

- NTP
- Telnet / SSH Access
- SNMP
- Monitor
- LAG (Link Aggregation Group)


 

NTP
So, on to configuring NTP on your J1, J2, and J3 routers.  For this lab, configure your Cisco router (R4) with the UTC time zone, set it to sync with 198.245.60.153, and finally make it an NTP master.

R4:

R4(config)#clock time

R4(config)#clock timezone UTC -0

R4(config)#ntp server 198.245.60.153   

R4(config)#ntp master

 

Now we will configure J1, J2, and J3 to all sync with R4's 4.4.4.4 address for NTP.

First let’s see what time it is on J1:

jfry@J1> show system uptime 

Current time: 2010-09-04 11:01:01 UTC

System booted: 2010-09-04 10:46:02 UTC (00:14:59 ago)

Protocols started: 2010-09-04 10:48:51 UTC (00:12:10 ago)

Last configured: 2012-09-04 23:02:04 UTC (-12:-1:-3 ago) by jfry

11:01AM  up 15 mins, 1 user, load averages: 0.04, 0.50, 0.75

 

jfry@J1>

 

Ok, it's September 4, 2012 at around 11 AM UTC.  Now to configure NTP:

[edit]

jfry@J1# set system time-zone UTC

 

[edit]

jfry@J1# set system ntp server 4.4.4.4

 

[edit]

jfry@J1# commit and-quit

 

Now, time to recheck:

jfry@J1> show system uptime

Current time: 2012-09-05 00:43:56 UTC

System booted: 2012-09-05 00:27:35 UTC (00:16:21 ago)

Protocols started: 2012-09-05 00:30:24 UTC (00:13:32 ago)

Last configured: 2010-09-04 11:02:00 UTC (104w3d 13:41 ago) by jfry

12:43AM  up 16 mins, 1 user, load averages: 0.47, 0.49, 0.72

 

And we can check our associations:

jfry@J1> show ntp associations

     remote           refid      st t when poll reach   delay   offset  jitter

==============================================================================

 4.4.4.4         .STEP.          16 -  114   64    0    0.000    0.000 4000.00

 

jfry@J1>
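Something to notice in that association table: the stratum is 16, the reach column is 0 and the refid is .STEP., which means that at the moment the command ran the server had not yet answered a poll and J1 was not synchronized. Give it a few poll intervals and run the command again before trusting the clock. Below is an added Python example (my own check, not code from the page or from Juniper) that parses show ntp associations output and flags an association that is not yet usable. The first sample is the J1 output above; the second is a constructed healthy association for comparison.

```python
# `show ntp associations` output from J1 above, right after the NTP commit
SAMPLE_ASSOCIATIONS = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 4.4.4.4         .STEP.          16 -  114   64    0    0.000    0.000 4000.00
"""

# Constructed example of a healthy association (not from the page): the '*'
# tally marks the selected system peer, stratum 4, reach 377 = last 8 polls answered
SAMPLE_SYNCED = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*4.4.4.4         198.245.60.153   4 u   33   64  377    1.234    0.567   0.089
"""

def parse_ntp_associations(text):
    """Parse the peer rows of `show ntp associations` (ntpq -p layout) into dicts."""
    peers = []
    for line in text.splitlines():
        stripped = line.strip()
        # skip the header, the separator and blank lines
        if not stripped or stripped.startswith("remote") or stripped.startswith("="):
            continue
        tally = line[0]              # ' ', '*', '+', '-', 'x', '.', '#', 'o'
        fields = line[1:].split()
        if len(fields) != 10:
            continue                 # not a peer row
        remote, refid, st, t, when, poll, reach, delay, offset, jitter = fields
        peers.append({
            "remote": remote,
            "refid": refid,
            "stratum": int(st),
            "reach": int(reach, 8),  # octal shift register of the last 8 polls
            "offset_ms": float(offset),
            "system_peer": tally == "*",
        })
    return peers

def ntp_health(text):
    """Return (ok, problems): ok only when a peer is reachable, synchronized and selected."""
    peers = parse_ntp_associations(text)
    if not peers:
        return False, ["no NTP peers listed"]
    problems = []
    for p in peers:
        if p["stratum"] >= 16:
            problems.append(f'{p["remote"]}: stratum 16, not synchronized (refid {p["refid"]})')
        if p["reach"] == 0:
            problems.append(f'{p["remote"]}: reach 0, no valid reply in the last 8 polls')
    if not any(p["system_peer"] for p in peers):
        problems.append("no system peer selected yet (no '*' tally mark)")
    return not problems, problems

if __name__ == "__main__":
    for name, sample in (("lab output", SAMPLE_ASSOCIATIONS), ("synced", SAMPLE_SYNCED)):
        ok, problems = ntp_health(sample)
        print(name, "OK" if ok else "NOT OK", problems)
```

Run against the lab output the check reports three problems (stratum 16, reach 0, no system peer); against the constructed healthy row it reports none.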

 

Now, let's configure J2 and J3 the same way:

J2:

jfry@J2> edit

Entering configuration mode

 

[edit]

jfry@J2# set system time-zone UTC

 

[edit]

jfry@J2# set system ntp server 4.4.4.4

 

[edit]

jfry@J2# commit and-quit

 

And finally J3:

jfry@J3> edit

Entering configuration mode

 

[edit]

jfry@J3# set system time-zone UTC

 

[edit]

jfry@J3# set system ntp server 4.4.4.4

 

[edit]

jfry@J3# commit and-quit

commit complete

 

There is NTP in a nutshell!

 


 

Telnet/SSH

Now let’s configure Telnet/SSH access to these routers.

Note: I have configured the necessary routes to access this lab from my home network.

 

Ok, first up, time to create a quick banner message to alert the user that they are accessing a device:

[edit]

jfry@J1# set system login message "Ask yourself, are you allowed to login to this device?"

 

Now we will set a message for after they are authenticated. The \n means new line, so this will place a new line between the message and the prompt.

[edit]

jfry@J1# set system login announcement "Well, I guess so! \n"

 

Now we can enable Telnet and SSH:

[edit]

jfry@J1# set system services telnet

 

[edit]

jfry@J1# set system services ssh

 

[edit]

jfry@J1# commit and-quit

 

Now you should notice that it did not tell you that you need to generate a key pair like on Cisco.

That is because the underlying FreeBSD already did that when it was initially installed.

 

Time to test out Telnet access to J1 from R4:

R4#telnet 1.1.1.1

Trying 1.1.1.1 ... Open

Ask yourself, are you allowed to login to this device?

 

J1 (ttyp1)

 

login: jfry

Password:

 

--- JUNOS 12.1R2.9 built 2012-05-31 08:58:52 UTC

 

It appears so!

jfry@J1>

 

Now we can try SSH from a client; I use SecureCRT.
Upon connection I am prompted to accept the host key:
(screenshot: SSH host key acceptance prompt)

Ask yourself, are you allowed to login to this device?

--- JUNOS 12.1R2.9 built 2012-05-31 08:58:52 UTC

It appears so!

jfry@J1>

 

To keep things consistent, we can add this config to J2 and J3:

jfry@J2> edit

Entering configuration mode

 

[edit]

jfry@J2# set system login message "Ask yourself, are you allowed to login to this device?"

 

[edit]

jfry@J2# set system login announcement "Well, I guess so! \n"

 

[edit]

jfry@J2# set system services telnet

 

[edit]

jfry@J2# set system services ssh  

 

[edit]

jfry@J2# commit and-quit

commit complete

 

and finally J3:

jfry@J3> edit

Entering configuration mode

 

[edit]

jfry@J3# set system login announcement "Well, I guess so! \n"

[edit]

jfry@J3# set system login message "Ask yourself, are you allowed to login to this device?"

 

[edit]

jfry@J3# set system services ssh

 

[edit]

jfry@J3# set system services telnet

 

[edit]

jfry@J3# commit and-quit    

 

Basic SNMP

Ok, time for some basic SNMP stuff. 

Since this is all the same across all the devices, we will just focus on J1 from here on out until we get to LAG.

 

For this one, we will create an SNMP community of fryguy and limit it to the loopback interface.

jfry@J1> edit

Entering configuration mode

 

[edit]

jfry@J1# set snmp community fryguy

 

Before we tell it lo0, here is what the interface command options provide you:

[edit]

jfry@J1# set snmp interface ?

Possible completions:

  <value>              Restrict SNMP requests to interfaces

  [                    Open a set of values

  lo0.0                Restrict SNMP requests to interfaces

[edit]

jfry@J1# set snmp interface lo0

 

[edit]

jfry@J1# set snmp contact jeff@fryguy.net

 

[edit]

jfry@J1# set snmp location Fryguy's Lab

                                    ^

                        syntax error.

 

We got an error because of the space; since the value contains a space, it needs to be wrapped in "quotes":

[edit]

jfry@J1# set snmp location "Fryguy's Lab"

 

 

[edit]

jfry@J1# commit and-quit
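Before moving on, a quick config review of what the Telnet/SSH and SNMP steps above leave on J1. The Python below is an added example (mine, not from the page or from Juniper) that parses Junos set-format configuration and reports what a security reviewer would flag: Telnet enabled alongside SSH (Telnet carries the login and the whole session in cleartext), a missing login banner, a well-known SNMP community name, and an SNMP agent that is not restricted to an interface the way snmp interface lo0 does above. The sample configuration is constructed to match what J1 has at this point; it is not a dump from a real device.

```python
import shlex

# Constructed sample in Junos "set" format, matching what J1 has after the
# Telnet/SSH and SNMP steps on this page (not copied from a real device)
SAMPLE_CONFIG = """\
set system login message "Ask yourself, are you allowed to login to this device?"
set system login announcement "Well, I guess so! \\n"
set system services telnet
set system services ssh
set snmp community fryguy
set snmp interface lo0
set snmp contact jeff@fryguy.net
set snmp location "Fryguy's Lab"
"""

# Same config with telnet removed, to show a clean audit
SAMPLE_HARDENED = SAMPLE_CONFIG.replace("set system services telnet\n", "")

def parse_set_config(text):
    """Turn each `set ...` line into a tuple of tokens; quoted values stay one token."""
    statements = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("set "):
            continue
        statements.append(tuple(shlex.split(line)[1:]))
    return statements

def audit_config(text):
    """Return the findings a reviewer would raise about management access and SNMP."""
    stmts = set(parse_set_config(text))
    has = lambda *prefix: any(s[:len(prefix)] == prefix for s in stmts)
    findings = []

    # Management plane: telnet sends the login and the whole session in cleartext
    if ("system", "services", "telnet") in stmts:
        findings.append("telnet enabled: credentials and sessions cross the network in cleartext")
    if ("system", "services", "ssh") not in stmts:
        findings.append("ssh not enabled: no encrypted management access")
    if not has("system", "login", "message"):
        findings.append("no pre-login banner (system login message)")

    # SNMP: a v1/v2c community is a cleartext shared secret, so keep it
    # non-default and limit where the agent answers
    communities = {s[2] for s in stmts if s[:2] == ("snmp", "community") and len(s) >= 3}
    for community in sorted(communities):
        if community.lower() in ("public", "private"):
            findings.append(f"snmp community '{community}' is a well-known default")
    if communities and not has("snmp", "interface"):
        findings.append("snmp answers on every interface; restrict it (e.g. snmp interface lo0)")
    return findings

if __name__ == "__main__":
    for name, cfg in (("as configured", SAMPLE_CONFIG), ("telnet removed", SAMPLE_HARDENED)):
        print(name, audit_config(cfg) or ["no findings"])
```

On the configuration as built above the only finding is Telnet; drop the telnet service statement and the audit comes back clean, because SSH, the banner, a non-default community and the lo0 restriction are all present.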

 

If you want, you can even MIB walk right from the Junos CLI:

jfry@J1> show snmp mib walk 1.3.6

sysDescr.0    = Juniper Networks, Inc. srx210h internet router, kernel JUNOS 12.1R2.9 #0: 2012-05-31 08:58:52 UTC     builder@greteth:/volume/build/junos/12.1/release/12.1R2.9/obj-octeon/junos/bsd/kernels/JSRXNLE/kernel Build date: 2012-05-31 11:07:04 UTC Copyright (c)

sysObjectID.0 = jnxProductNameSRX210

sysUpTime.0   = 1988441

sysContact.0  = jeff@fryguy.net

sysName.0     = J1

sysLocation.0 = Fryguy's Lab

sysServices.0 = 4

ifNumber.0    = 39

---(more)---[abort]

 

Monitoring

Ok, now onto monitoring. 

 

Say we want to monitor the usage of an interface on J1, the interface facing R4, fe-0/0/7.  We want to see input/output rates and so on.

We could do show interfaces fe-0/0/7:

root@J1> show interfaces fe-0/0/7   

Physical interface: fe-0/0/7, Enabled, Physical link is Up

  Interface index: 141, SNMP ifIndex: 518

  Link-level type: Ethernet, MTU: 1514, Link-mode: Full-duplex, Speed: 100mbps,

  BPDU Error: None, MAC-REWRITE Error: None, Loopback: Disabled,

  Source filtering: Disabled, Flow control: Enabled

  Device flags   : Present Running

  Interface flags: SNMP-Traps Internal: 0x0

  CoS queues     : 8 supported, 8 maximum usable queues

  Current address: 00:24:dc:d4:b5:c7, Hardware address: 00:24:dc:d4:b5:c7

  Last flapped   : 2012-09-06 14:00:36 UTC (05:38:10 ago)

  Input rate     : 472 bps (0 pps)

  Output rate    : 472 bps (0 pps)

  Active alarms  : None

  Active defects : None

  Interface transmit statistics: Disabled

 

And then do that again, and again, and again, eyeballing the deltas, OR we could use the monitor command:

jfry@J1> monitor interface fe-0/0/7

 

And you will get a screen that will constantly refresh and look like the following:

(screenshot: the continuously refreshing monitor interface fe-0/0/7 display)

Now, what if we want to monitor the actual packets, in other words sniff the traffic?  We can use the command monitor traffic:

jfry@J1> monitor traffic interface fe-0/0/7   

verbose output suppressed, use <detail> or <extensive> for full protocol decode

Address resolution is ON. Use <no-resolve> to avoid any reverse lookup delay.

Address resolution timeout is 4s.

Listening on fe-0/0/7, capture size 96 bytes

 

Reverse lookup for 192.168.14.1 failed (check DNS reachability).

Other reverse lookup failures will not be reported.

Use <no-resolve> to avoid reverse lookups on IP addresses.

 

19:46:34.038029 Out IP truncated-ip - 20 bytes missing! 192.168.14.1 > 224.0.0.5: OSPFv2, Hello, length 60

19:46:41.290532  In IP 192.168.14.4 > 224.0.0.5: OSPFv2, Hello, length 60

19:46:42.234807  In 00:11:20:df:84:90 > 01:00:0c:cc:cc:cc SNAP Unnumbered, ui, Flags [Command], length 60

19:46:42.550634  In IP 192.168.0.28.57575 > 1.1.1.1.telnet: S 908673441:908673441(0) win 8192 <mss 1260,nop,wscale 2,nop,nop,sackOK>

19:46:42.550884 Out IP 1.1.1.1.telnet > 192.168.0.28.57575: S 3451348271:3451348271(0) ack 908673442 win 65535 <mss 1460,nop,wscale 1,sackOK,eol>

19:46:42.553560  In IP 192.168.0.28.57575 > 1.1.1.1.telnet: . ack 1 win 16695

19:46:42.555222  In IP 192.168.0.28.57575 > 1.1.1.1.telnet: P 1:7(6) ack 1 win 16695

19:46:42.628810 Out IP 1.1.1.1.telnet > 192.168.0.28.57575: P 1:16(15) ack 7 win 33387

 

Neat, we can do a quick packet capture from the CLI.  The output above shows OSPF Hellos sent to 224.0.0.5 and a Telnet session from 192.168.0.28 to 1.1.1.1.
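To turn that output into data rather than a screen to read, here is an added Python example (mine, not from the page or from Juniper) that parses the monitor traffic lines above, splits host and port, classifies each packet and summarizes the capture: how many OSPF Hellos, how many non-IP frames, and which client/server pairs were talking Telnet, which is the kind of cleartext management traffic you want to notice in a capture. The sample input is the eight packet lines printed above; the truncated-ip warning on the first line is handled rather than dropped.

```python
import re
from collections import Counter

# Packet lines exactly as printed by `monitor traffic interface fe-0/0/7` above
SAMPLE_CAPTURE = """\
19:46:34.038029 Out IP truncated-ip - 20 bytes missing! 192.168.14.1 > 224.0.0.5: OSPFv2, Hello, length 60
19:46:41.290532  In IP 192.168.14.4 > 224.0.0.5: OSPFv2, Hello, length 60
19:46:42.234807  In 00:11:20:df:84:90 > 01:00:0c:cc:cc:cc SNAP Unnumbered, ui, Flags [Command], length 60
19:46:42.550634  In IP 192.168.0.28.57575 > 1.1.1.1.telnet: S 908673441:908673441(0) win 8192 <mss 1260,nop,wscale 2,nop,nop,sackOK>
19:46:42.550884 Out IP 1.1.1.1.telnet > 192.168.0.28.57575: S 3451348271:3451348271(0) ack 908673442 win 65535 <mss 1460,nop,wscale 1,sackOK,eol>
19:46:42.553560  In IP 192.168.0.28.57575 > 1.1.1.1.telnet: . ack 1 win 16695
19:46:42.555222  In IP 192.168.0.28.57575 > 1.1.1.1.telnet: P 1:7(6) ack 1 win 16695
19:46:42.628810 Out IP 1.1.1.1.telnet > 192.168.0.28.57575: P 1:16(15) ack 7 win 33387
"""

# timestamp, direction, then the tcpdump-style body
LINE_RE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?P<dir>In|Out)\s+(?P<rest>.*)$")
# IP body: optional truncation warning, then "src > dst: info"
IP_RE = re.compile(r"^IP (?:truncated-ip - \d+ bytes missing! )?(?P<src>\S+) > (?P<dst>\S+): (?P<info>.*)$")

def split_endpoint(endpoint):
    """'1.1.1.1.telnet' -> ('1.1.1.1', 'telnet'); '224.0.0.5' -> ('224.0.0.5', None)."""
    parts = endpoint.split(".")
    if len(parts) == 5:                      # IPv4 address plus a port or service name
        return ".".join(parts[:4]), parts[4]
    return endpoint, None

def parse_capture(text):
    """One dict per packet line; frames that are not IP are kept as 'non-ip'."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pkt = {"ts": m.group("ts"), "dir": m.group("dir"), "proto": "non-ip",
               "src": None, "dst": None, "sport": None, "dport": None, "truncated": False}
        ip = IP_RE.match(m.group("rest"))
        if ip:
            pkt["src"], pkt["sport"] = split_endpoint(ip.group("src"))
            pkt["dst"], pkt["dport"] = split_endpoint(ip.group("dst"))
            pkt["truncated"] = "truncated-ip" in m.group("rest")
            if ip.group("info").startswith("OSPFv2"):
                pkt["proto"] = "ospf"
            elif "telnet" in (pkt["sport"], pkt["dport"]):
                pkt["proto"] = "telnet"
            else:
                pkt["proto"] = "ip-other"
        packets.append(pkt)
    return packets

def summarize(text):
    """Packet count per protocol, plus the (client, server) pairs of any telnet sessions."""
    packets = parse_capture(text)
    counts = Counter(p["proto"] for p in packets)
    telnet_sessions = set()
    for p in packets:
        if p["proto"] != "telnet":
            continue
        # the side using the 'telnet' service port is the server
        if p["dport"] == "telnet":
            telnet_sessions.add((p["src"], p["dst"]))
        else:
            telnet_sessions.add((p["dst"], p["src"]))
    return dict(counts), sorted(telnet_sessions)

if __name__ == "__main__":
    counts, sessions = summarize(SAMPLE_CAPTURE)
    print(counts)
    for client, server in sessions:
        print(f"telnet session: {client} -> {server}")
```

For the capture above this reports two OSPF packets, one non-IP frame and five Telnet packets, and identifies the single Telnet session as 192.168.0.28 talking to 1.1.1.1.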

Link Aggregation Groups (LAG)

Ok, for this lab we will need to cable things up quick. I have installed a cable between J2 and J3 on ports fe-0/0/6 and fe-0/0/7 as per the diagram below:

(diagram: J2 fe-0/0/6 and fe-0/0/7 cabled to J3 fe-0/0/6 and fe-0/0/7)

Once that is cabled, we can now configure our LAG connection between the two devices.

 

First up though, we need to delete the existing configuration on the old interfaces since we will be reusing the IPs and such.  We want to keep this simple.

J2:

jfry@J2> edit

Entering configuration mode

 

[edit]

jfry@J2# delete interfaces ge-0/0/1

 

[edit]

jfry@J2# commit and-quit

 

J3:

jfry@J3> edit

Entering configuration mode

 

[edit]

jfry@J3# delete interfaces fe-0/0/1

 

[edit]

jfry@J3# commit and-quit

 

Now we can configure our LAG on J2 first:

jfry@J2> edit

Entering configuration mode

 

First we need to tell it how many aggregated interfaces we want; for this example we will use 2:

[edit]

jfry@J2# set chassis aggregated-devices ethernet device-count 2

 

Now we need to tell the device which interfaces will run 802.3ad and assign them to aggregated Ethernet interface 0 (ae0):

[edit]

jfry@J2# set interfaces fe-0/0/6 fastether-options 802.3ad ae0

 

[edit]

jfry@J2# set interfaces fe-0/0/7 fastether-options 802.3ad ae0   

 

Now we can configure the ae0 interface with an IP.  This is just like any other interface we have configured.

[edit]

jfry@J2# set interfaces ae0 unit 0 family inet address 192.168.23.2/24

 

And then set LACP to ACTIVE mode under the aggregate interface:

[edit]

jfry@J2# set interfaces ae0 aggregated-ether-options lacp active

 

[edit]

jfry@J2# commit and-quit

commit complete

 

And now J3:

jfry@J3> edit

Entering configuration mode

 

[edit]

jfry@J3# set chassis aggregated-devices ethernet device-count 2

 

[edit]

jfry@J3# set interfaces fe-0/0/6 fastether-options 802.3ad ae0

 

[edit]

jfry@J3# set interfaces fe-0/0/7 fastether-options 802.3ad ae0   

 

[edit]

jfry@J3# set interfaces ae0 unit 0 family inet address 192.168.23.3/24

 

[edit]

jfry@J3# set interfaces ae0 aggregated-ether-options lacp active

 

[edit]

jfry@J3# commit and-quit

commit complete
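The J2 and J3 steps above are the same five commands with one difference, the ae0 address, and it is easy to paste the same address onto both ends. The Python below is an added example (mine, not from the page or from Juniper) that generates both ends of the LAG configuration from one description and refuses to emit it if the two addresses are not distinct hosts in one subnet, if both ends are LACP passive, if a member interface is listed twice, or if device-count is too small for the ae index. The page only uses fe- ports with fastether-options; the branch that emits gigether-options for ge- ports is the equivalent statement for Gigabit ports and is not shown on the page.

```python
import ipaddress

def check_lag_pair(addr_a, addr_b, lacp_a="active", lacp_b="active"):
    """Problems with the two ends of a point-to-point LAG; empty list when consistent."""
    problems = []
    a, b = ipaddress.ip_interface(addr_a), ipaddress.ip_interface(addr_b)
    if a.network != b.network:
        problems.append(f"{addr_a} and {addr_b} are not in the same subnet")
    elif a.ip == b.ip:
        problems.append(f"both ends use {a.ip}; each end needs its own address")
    if lacp_a == "passive" and lacp_b == "passive":
        problems.append("both ends passive: neither side will start LACP negotiation")
    return problems

def lag_config(ae_index, members, address, device_count=2, lacp="active"):
    """Junos `set` statements for one end of a LAG, mirroring the J2/J3 steps above."""
    if ae_index >= device_count:
        raise ValueError(f"ae{ae_index} needs chassis device-count of at least {ae_index + 1}")
    if len(set(members)) != len(members):
        raise ValueError("a member interface is listed twice")
    if lacp not in ("active", "passive"):
        raise ValueError("lacp must be 'active' or 'passive'")
    iface = ipaddress.ip_interface(address)   # rejects a malformed address/prefix
    lines = [f"set chassis aggregated-devices ethernet device-count {device_count}"]
    for member in members:
        # fe- ports use fastether-options (as on the page); ge- ports use gigether-options
        options = "fastether-options" if member.startswith("fe-") else "gigether-options"
        lines.append(f"set interfaces {member} {options} 802.3ad ae{ae_index}")
    lines.append(f"set interfaces ae{ae_index} unit 0 family inet address {iface.with_prefixlen}")
    lines.append(f"set interfaces ae{ae_index} aggregated-ether-options lacp {lacp}")
    return lines

def lag_pair(ae_index, members, addr_a, addr_b, device_count=2, lacp_a="active", lacp_b="active"):
    """Configuration for both ends; raises before emitting anything if the pair is inconsistent."""
    problems = check_lag_pair(addr_a, addr_b, lacp_a, lacp_b)
    if problems:
        raise ValueError("; ".join(problems))
    return (lag_config(ae_index, members, addr_a, device_count, lacp_a),
            lag_config(ae_index, members, addr_b, device_count, lacp_b))

if __name__ == "__main__":
    # the lab values from this page: ae0 over fe-0/0/6 and fe-0/0/7, J2 .2 and J3 .3
    j2, j3 = lag_pair(0, ["fe-0/0/6", "fe-0/0/7"], "192.168.23.2/24", "192.168.23.3/24")
    print("\n".join(["# J2"] + j2 + ["# J3"] + j3))
```

With the lab values this prints exactly the statements entered on J2 and J3 above; feed it the same address for both ends and it stops with a message instead of producing a config that commits fine but never forms a usable link.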

 

 

Now to see if our interface is up:

jfry@J2> show interfaces ae0 brief

Physical interface: ae0, Enabled, Physical link is Up

  Link-level type: Ethernet, MTU: 1514, Speed: 200mbps, Loopback: Disabled,

  Source filtering: Disabled, Flow control: Disabled

  Device flags   : Present Running

  Interface flags: SNMP-Traps Internal: 0x0

 

  Logical interface ae0.0

    Flags: SNMP-Traps 0x0 Encapsulation: ENET2

    Security: Zone: Null

    inet  192.168.23.2/24

 

jfry@J2>

 

Good, it's up and the speed is 200mbps (two 100mbps members), just as it should be.

Now we can look at LACP: (sorry for the font change, had to move to a fixed-width)

jfry@J2> show lacp interfaces

Aggregated interface: ae0

    LACP state:       Role   Exp   Def  Dist  Col  Syn  Aggr  Timeout  Activity

      fe-0/0/6       Actor    No    No   Yes  Yes  Yes   Yes     Fast    Active

      fe-0/0/6     Partner    No    No   Yes  Yes  Yes   Yes     Fast    Active

      fe-0/0/7       Actor    No    No   Yes  Yes  Yes   Yes     Fast    Active

      fe-0/0/7     Partner    No    No   Yes  Yes  Yes   Yes     Fast    Active

    LACP protocol:        Receive State  Transmit State          Mux State

      fe-0/0/6                  Current   Fast periodic Collecting distributing

      fe-0/0/7                  Current   Fast periodic Collecting distributing

 

jfry@J2>
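Reading that LACP table by eye works for two members; for a bundle you rely on you want a check that fails loudly. Below is an added Python example (mine, not from the page or from Juniper) that parses show lacp interfaces and verifies that every member has an Actor and a Partner row, that neither side is Defaulted or Expired, that both are in Sync, Collecting and Distributing, that the pair is not passive on both ends, and that the mux state is Collecting distributing. It also reports the bundle speed you should expect in show interfaces ae0 brief, counting only healthy members at 100mbps. The first sample is the J2 output above; the second is a constructed failure where fe-0/0/7 never hears the far end. The mux-state names are the ones Junos prints and are assumed here for the constructed sample.

```python
# `show lacp interfaces` from J2 above, with both members up
SAMPLE_LACP = """\
Aggregated interface: ae0
    LACP state:       Role   Exp   Def  Dist  Col  Syn  Aggr  Timeout  Activity
      fe-0/0/6       Actor    No    No   Yes  Yes  Yes   Yes     Fast    Active
      fe-0/0/6     Partner    No    No   Yes  Yes  Yes   Yes     Fast    Active
      fe-0/0/7       Actor    No    No   Yes  Yes  Yes   Yes     Fast    Active
      fe-0/0/7     Partner    No    No   Yes  Yes  Yes   Yes     Fast    Active
    LACP protocol:        Receive State  Transmit State          Mux State
      fe-0/0/6                  Current   Fast periodic Collecting distributing
      fe-0/0/7                  Current   Fast periodic Collecting distributing
"""

# Constructed failure case (not from the page): fe-0/0/7 never hears a partner,
# so LACP falls back to defaulted values and the link stays detached
SAMPLE_DEGRADED = """\
Aggregated interface: ae0
    LACP state:       Role   Exp   Def  Dist  Col  Syn  Aggr  Timeout  Activity
      fe-0/0/6       Actor    No    No   Yes  Yes  Yes   Yes     Fast    Active
      fe-0/0/6     Partner    No    No   Yes  Yes  Yes   Yes     Fast    Active
      fe-0/0/7       Actor    No   Yes    No   No   No   Yes     Fast    Active
      fe-0/0/7     Partner    No   Yes    No   No   No   Yes     Fast   Passive
    LACP protocol:        Receive State  Transmit State          Mux State
      fe-0/0/6                  Current   Fast periodic Collecting distributing
      fe-0/0/7                Defaulted   Fast periodic              Detached
"""

# Mux states as printed (longest first so suffix matching is unambiguous); assumed names
MUX_STATES = ("Collecting distributing", "Distributing", "Collecting", "Attached", "Waiting", "Detached")
FLAGS = ("exp", "def", "dist", "col", "syn", "aggr")

def parse_lacp(text):
    """{ae: {"state": {(member, role): {...}}, "protocol": {member: {...}}}}"""
    result, ae, section = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Aggregated interface:"):
            ae = line.split(":", 1)[1].strip()
            result[ae] = {"state": {}, "protocol": {}}
            section = None
        elif line.startswith("LACP state:"):
            section = "state"
        elif line.startswith("LACP protocol:"):
            section = "protocol"
        elif ae and section == "state" and len(line.split()) == 10:
            t = line.split()
            entry = {flag: value == "Yes" for flag, value in zip(FLAGS, t[2:8])}
            entry.update(timeout=t[8], activity=t[9])
            result[ae]["state"][(t[0], t[1])] = entry
        elif ae and section == "protocol" and line:
            t = line.split()
            mux = next((m for m in MUX_STATES if line.endswith(m)), t[-1])
            result[ae]["protocol"][t[0]] = {"receive": t[1], "mux": mux}
    return result

def lacp_check(text, member_speed_mbps=100):
    """(expected bundle speed per ae in Mbps, list of problems); speed counts only healthy members."""
    speeds, problems = {}, []
    for ae, data in parse_lacp(text).items():
        members = sorted({member for member, _ in data["state"]})
        healthy = 0
        for member in members:
            before = len(problems)
            actor = data["state"].get((member, "Actor"))
            partner = data["state"].get((member, "Partner"))
            if actor is None or partner is None:
                problems.append(f"{ae}/{member}: missing Actor or Partner row")
                continue
            for role, st in (("Actor", actor), ("Partner", partner)):
                if st["def"] or st["exp"]:
                    problems.append(f"{ae}/{member}: {role} is defaulted/expired (no LACPDUs from the far end)")
                if not (st["syn"] and st["col"] and st["dist"]):
                    problems.append(f"{ae}/{member}: {role} not in sync/collecting/distributing")
            if actor["activity"] == "Passive" and partner["activity"] == "Passive":
                problems.append(f"{ae}/{member}: both ends passive, LACP will not negotiate")
            if data["protocol"].get(member, {}).get("mux") != "Collecting distributing":
                problems.append(f"{ae}/{member}: mux state is not Collecting distributing")
            if len(problems) == before:
                healthy += 1
        speeds[ae] = healthy * member_speed_mbps
    return speeds, problems

if __name__ == "__main__":
    for name, sample in (("lab", SAMPLE_LACP), ("degraded", SAMPLE_DEGRADED)):
        speeds, problems = lacp_check(sample)
        print(name, speeds, problems or "no problems")
```

On the J2 output this reports ae0 at 200mbps with no problems, matching the 200mbps in show interfaces ae0 brief above; on the constructed failure it reports 100mbps and lists every reason fe-0/0/7 is not carrying traffic.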

 

Ok, let's test a PING quick and then we can reconfigure OSPF over this link.

jfry@J3> ping 192.168.23.2 rapid

PING 192.168.23.2 (192.168.23.2): 56 data bytes

!!!!!

--- 192.168.23.2 ping statistics ---

5 packets transmitted, 5 packets received, 0% packet loss

round-trip min/avg/max/stddev = 2.085/2.182/2.290/0.079 ms

 

jfry@J3>

 

Good, now to reconfigure OSPF:

jfry@J2> edit

Entering configuration mode

 

[edit]

jfry@J2# set protocols ospf area 0 interface ae0

 

[edit]

jfry@J2# commit and-quit

 

and now J3:

jfry@J3> edit

Entering configuration mode

 

[edit]

jfry@J3# set protocols ospf area 0 interface ae0

 

[edit]

jfry@J3# commit and-quit

commit complete

Exiting configuration mode

 

Now let's see if we have an OSPF neighbor on that interface:

jfry@J2> show ospf neighbor

Address          Interface              State     ID               Pri  Dead

192.168.23.3     ae0.0                  2Way      3.3.3.3          128    39

192.168.12.1     ge-0/0/0.0             Full      1.1.1.1          128    35

 

jfry@J2>

 

There you go, we have a neighbor on ae0.0 between the routers!