Junos Anglais


  • 8/12/2019 Junos Anglais

    1/27

    Junos - Operating System Fundamentals

    This part is mainly theory and reading chapter 1 of Juniper's PDF (part 1). It is only what you need for the exam; however, it is interesting to have an overview of how JunOS actually boots up. First, make your lab in GNS3 by connecting 2 routers back to back using their em0 interface. Keep this lab for all your exercises for the chapters of part 1.

    Start your Juniper routers in GNS3 and console to them. As you learned in Juniper's PDF, JunOS is based on FreeBSD, an open source UNIX operating system. This OS is very reliable and you also get extra tools that you cannot find on Cisco IOS, for instance.

    The first thing you should see after starting JunOS is the kernel modules being loaded. The kernel is the core component of the operating system.

    /boot/modules/if_bge.ko text=0xa98c data=0x364+0xc syms=[0x4+0xd50+0x4+0xd18]...

    /boot/modules/mac_runasnonroot.ko text=0x7b4 data=0x4d0 syms=[0x4+0x310+0x4+0x39d]

    Then, you have a chance to give parameters to the kernel in order to change the default booting process. This can be useful to recover the root password, for example, but that's not the only use. Root is the name given to the super administrator on UNIX.


    Here you can just wait a few seconds or hit Enter to boot immediately; the kernel is then loaded. There is a lot of information; most of it is not relevant, but some might be interesting, like how much memory has been detected or other CPU information.

    Hit [Enter] to boot immediately, or space bar for command prompt.

    Booting [/kernel]...platform_early_bootinit: M/T Series Early Boot Initialization

    Olive CPU

    ...

    Copyright (c) 1996-2010, Juniper Networks, Inc. All rights reserved.

    Copyright (c) 1992-2006 The FreeBSD Project.

    ...

    JUNOS 10.1R1.8 #0: 2010-02-12 17:15:05 UTC

    [email protected]:/volume/build/junos/10.1/release/10.1R1.8/obj-i386/bsd/sys/compile/JUNIPER

    ...

    real memory = 268369920 (255 MB)

    avail memory = 248840192 (237 MB)

    ...

    Now it's time for the drivers to be loaded; these are what the OS needs to interface with hardware components. Here you can see that our 6 network interface cards (em0 to em5) have been detected and have correct Ethernet MAC addresses, which is good! What is a router useful for if you don't have network interfaces?


    Setting up M/T interface operations and attributes

    platform_mastership_init: Unknown product_type 0x00000001

    em5: bus=0, device=8, func=0, Ethernet address 00:ab:ae:99:e3:05

    em4: bus=0, device=7, func=0, Ethernet address 00:ab:ae:99:e3:04

    em3: bus=0, device=6, func=0, Ethernet address 00:ab:ae:99:e3:03

    em2: bus=0, device=5, func=0, Ethernet address 00:ab:ae:99:e3:02

    em1: bus=0, device=4, func=0, Ethernet address 00:ab:ae:99:e3:01

    em0: bus=0, device=3, func=0, Ethernet address 00:aa:00:ca:a4:00

    ...

    Next is JunOS itself, bundled in different packages, to be loaded into memory via virtual disks (md0, md1, etc.). These packages begin with the letter j and we can guess their function, like jkernel, jroute or jpfe (PFE), which, if you remember chapter one, stands for Packet Forwarding Engine and is an important part of JunOS.

    Mounted jbase package on /dev/md0...

    Verified manifest signed by PackageProduction_10_1_0

    Verified jboot signed by PackageProduction_10_1_0

    Verified jbase-10.1R1.8 signed by PackageProduction_10_1_0

    Mounted jkernel package on /dev/md1...

    Verified manifest signed by PackageProduction_10_1_0

    Verified jkernel-10.1R1.8 signed by PackageProduction_10_1_0

    Mounted jpfe package on /dev/md2...

    Mounted jdocs package on /dev/md3...

    Verified manifest signed by PackageProduction_10_1_0

    Verified jdocs-10.1R1.8 signed by PackageProduction_10_1_0

    Mounted jroute package on /dev/md4...

    Verified manifest signed by PackageProduction_10_1_0


    Verified jroute-10.1R1.8 signed by PackageProduction_10_1_0

    Mounted jcrypto package on /dev/md5...

    Verified manifest signed by PackageProduction_10_1_0

    Verified jcrypto-10.1R1.8 signed by PackageProduction_10_1_0

    Mounted jpfe-common package on /dev/md6

    ...

    Now that JunOS is in memory, it is executed and its modules/drivers loaded as well.

    ...ifpfed_ds1e1Loading E1/T1/J1 driver

    ifpfed_ds3e3Loading the NETPFE DS3 module

    ifpfed_eia530 ifpfed_ethLoading the NETPFE ethernet module

    ...

    Loading Multilink Services PICs module.

    Loading the M&T Platform NETPFE module...

    Your FreeBSD/JunOS is ready. If everything went fine, you should see a login prompt. See you on User Interface Options & Initial Configuration to start playing with your new lab.

    Junos - User Interface Options & Initial Configuration


    First steps

    This page is to practice what you learned in Juniper's PDF (part 1), chapters 2 and 3. So now it is time to get active and log in as root without any password.

    The first thing you should notice is that Amnesiac is the default host-name. This indicates that our JunOS is running with the factory-default configuration (you can use the load factory-default command in configuration mode to put JunOS in this state).

    You are logged in as root, so you should see the UNIX shell prompt root@% where you can type UNIX commands like ls or ps, but this is beyond our scope. What we want is the operational mode prompt root>, which is started with the cli command.

    Amnesiac (ttyd0)

    login: root

    --- JUNOS 10.1R1.8 built 2010-02-12 17:15:05 UTC

    root@% cli

    root>

    Type show configuration to display the current factory-default configuration.

    root> show configuration

    ## Last commit: 2011-02-17 00:34:21 UTC by root

    version 10.1R1.8;

    system {
        syslog {
            user * {
                any emergency;
            }
            file messages {
                any notice;
                authorization info;
            }
            file interactive-commands {
                interactive-commands any;
            }
        }
        ## Warning: missing mandatory statement(s): 'root-authentication'
    }

    Note the missing mandatory statement warning: this means you will not be able to commit your changes until you set up a password for root.

    Exercise 1 - root password

    Go to configuration mode using the configure command and try to commit the current candidate configuration, then set a password for root and commit again.


    Solution below

    root> configure

    Entering configuration mode

    [edit]

    root# commit

    [edit]

    'system'

    Missing mandatory statement: 'root-authentication'

    error: commit failed: (missing statements)

    [edit]

    root# set system root-authentication plain-text-password

    New password:

    Retype new password:

    [edit]

    root# commit

    commit complete

    Now your JunOS router is ready for new commits! Let's see if you can apply the same configuration on your second router without looking at the solution above. Remember, you must first log in, then go to operational mode and then to configuration mode. The command to set up the root password starts with set system; use ? to find the complete command. Finally, don't forget to commit or your configuration will not be active!

    root# set system ?

    Possible completions:

    > accounting System accounting configuration

    + apply-groups Groups from which to inherit configuration data

    ...

    > tracing System wide option for remote tracing

    Also try out the help topic command to display usage guidelines (if you want the whole story), the help reference command to display summary information (the most useful when you want to know about all command options) and the help apropos command, which displays the contexts (typically set commands) relevant to the configuration hierarchy level at which you are currently positioned (if you want help only for your current hierarchy level and nothing else).

    [edit]

    root# help topic system root-authentication

    root# help reference system root-authentication

    root# help apropos root-authentication


    Exercise 2 - host-name

    Have you noticed? We have exactly the same prompt on both routers; this is annoying as we want to know which is which. Let's add a host-name for both routers. We'll let you find the right command (hint: use set system ?).

    Solution below

    root# set system host-name JUNOS1

    root# set system host-name JUNOS2

    Now compare the candidate configuration with the active configuration using show | compare. The + lines are going to be added to the active configuration when you commit and the - lines are going to be removed. This is very useful to know exactly what is about to be changed. Do it on both routers and commit.

    root# show | compare

    [edit system]

    + host-name JUNOS1;

    [edit]

    root# commit

    commit complete

    Exercise 3 - rollback

    On JUNOS2, configure a wrong hostname, anything. Commit your configuration and roll back to the one containing the right hostname.

    Solution below

    [edit]

    root# set system host-name typo

    [edit]

    root@JUNOS2# commit

    commit complete

    [edit]

    root@typo# rollback 1

    load complete

    [edit]

    root@typo# show | compare

    [edit system]

    - host-name typo;

    + host-name JUNOS2;

    [edit]


    root@typo# commit

    commit complete

    [edit]

    root@JUNOS2#

    Exercise 4 - edit

    Let's configure an IP address for the first interface on our JUNOS1 router using the edit command. Place yourself at the following level: interfaces em0 unit 0 family inet. em0 is the name of our first interface; give it this IP address and mask: 192.168.1.1/24

    Solution below

    [edit]

    root@JUNOS1# edit interfaces em0 unit 0 family inet

    [edit interfaces em0 unit 0 family inet]

    root@JUNOS1# set address 192.168.1.1/24

    [edit interfaces em0 unit 0 family inet]

    root@JUNOS1# show

    address 192.168.1.1/24;

    Exercise 5 - up

    Go back up 3 levels and edit em1 in the same way as em0. Configure the following IP address and mask: 10.1.1.1/8

    Solution below

    [edit interfaces em0 unit 0 family inet]

    root@JUNOS1# up 3

    [edit interfaces]

    root@JUNOS1# edit em1 unit 0 family inet

    [edit interfaces em1 unit 0 family inet]

    root@JUNOS1# set address 10.1.1.1/8

    Exercise 6 - top & commit check

    Go to the top level, check your configuration and commit.

    Solution below

    [edit interfaces em1 unit 0 family inet]

    root@JUNOS1# top


    [edit]

    root@JUNOS1# commit check

    configuration check succeeds

    [edit]

    root@JUNOS1# commit

    commit complete

    Exercise 7 - set vs. edit & set

    Configure the em0 (logical unit 0, IPv4 family) interface on the JUNOS2 router with the 192.168.1.2/24 IP address using the set command from the top level (remember, ? is your friend).

    Solution below

    [edit]

    root@JUNOS2# set interfaces em0 unit 0 family inet address 192.168.1.2/24

    Configure IP address 10.1.1.2/8 on em1 by placing yourself at the last level using edit.

    Solution below

    [edit]

    root@JUNOS2# edit interfaces em1 unit 0 family inet

    [edit interfaces em1 unit 0 family inet]

    root@JUNOS2# set address 10.1.1.2/8

    Exercise 8 - telnet

    Now we would like to configure telnet (SSH would be a better choice as it is secured) to remotely configure JUNOS2 from JUNOS1. First check that nothing is configured under the system services level while staying at your current level (hint: use top). Then edit that level without going back to the top level. Configure telnet with the set command, exit to the top level, check what you are about to change and finally commit.

    Solution below

    [edit interfaces em1 unit 0 family inet]

    root@JUNOS2# top show system services

    [edit interfaces em1 unit 0 family inet]

    root@JUNOS2# top edit system services

    [edit system services]

    root@JUNOS2# set telnet

    [edit system services]


    root@JUNOS2# exit

    [edit]

    root@JUNOS2# show | compare

    [edit system]
    +   services {
    +       telnet;
    +   }
    [edit]
    +   interfaces {
    +       em0 {
    +           unit 0 {
    +               family inet {
    +                   address 192.168.1.2/24;
    +               }
    +           }
    +       }
    +       em1 {
    +           unit 0 {
    +               family inet {
    +                   address 10.1.1.2/8;
    +               }
    +           }
    +       }
    +   }

    [edit]

    root@JUNOS2# commit

    commit complete

    Add a user account to access this device using telnet and commit again.

    Solution below

    [edit]

    root@JUNOS2# set system login user junuser class super-user authentication plain-text-password
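
The lab itself notes that SSH would be a better choice than telnet. As an added example (not part of the original lab or of Juniper's tooling), this Python script audits set-format configuration, as printed by `show | display set` later in this lab, for the settings introduced in this exercise: an active telnet service, super-user accounts and a missing root-authentication statement, while honouring `deactivate` lines. The sample configuration, its placeholder hashes and the finding names are constructed for illustration.

```python
import shlex

# Constructed sample: set-format configuration such as `show | display set`
# could print on JUNOS2 after this exercise. The hashes are placeholders.
SAMPLE_CONFIG = """
set system host-name JUNOS2
set system root-authentication encrypted-password "$1$placeholder"
set system login user junuser class super-user
set system login user junuser authentication encrypted-password "$1$placeholder"
set system services telnet
set interfaces em0 unit 0 family inet address 192.168.1.2/24
set interfaces em1 unit 0 family inet address 10.1.1.2/8
"""


def parse_display_set(text):
    """Return (set_paths, deactivated_paths) as lists of token tuples."""
    set_paths, deactivated = [], []
    for line in text.splitlines():
        # comments=True drops '## ...' lines such as '## Last commit: ...'
        tokens = shlex.split(line, comments=True)
        if len(tokens) < 2:
            continue
        verb, path = tokens[0], tuple(tokens[1:])
        if verb == "set":
            set_paths.append(path)
        elif verb == "deactivate":
            deactivated.append(path)
    return set_paths, deactivated


def is_active(path, deactivated):
    """False when the statement or any parent level carries 'deactivate'."""
    return not any(path[:len(d)] == d for d in deactivated)


def audit(text):
    """Return a list of (finding_id, message) for the active configuration."""
    set_paths, deactivated = parse_display_set(text)
    active = [p for p in set_paths if is_active(p, deactivated)]

    def has(*prefix):
        return any(p[:len(prefix)] == prefix for p in active)

    findings = []
    if has("system", "services", "telnet"):
        msg = "telnet is enabled: logins and passwords cross the network unencrypted"
        if not has("system", "services", "ssh"):
            msg += "; no ssh service is configured to replace it"
        findings.append(("TELNET", msg))
    if not has("system", "root-authentication"):
        findings.append(("NO_ROOT_AUTH", "no active root-authentication statement"))
    for p in active:
        # Path shape: system login user <name> class <class-name>
        if p[:3] == ("system", "login", "user") and p[4:6] == ("class", "super-user"):
            findings.append(("SUPER_USER", f"user {p[3]} holds class super-user"))
    return findings


if __name__ == "__main__":
    for finding_id, message in audit(SAMPLE_CONFIG):
        print(f"{finding_id}: {message}")
```

A deactivated statement stays in the configuration but is ignored at commit, which is why the audit skips anything at or below a `deactivate` path.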

    Exercise 9 - run

    Back to JUNOS1, without leaving configuration mode, ping and telnet to JUNOS2 (IP address: 192.168.1.2). Use Ctrl + C to stop pinging. Use the username and password you previously created to authenticate with JUNOS2.

    Solution below

    [edit]

    root@JUNOS1# run ping 192.168.1.2

    PING 192.168.1.2 (192.168.1.2): 56 data bytes


    64 bytes from 192.168.1.2: icmp_seq=3 ttl=64 time=1.019 ms

    64 bytes from 192.168.1.2: icmp_seq=4 ttl=64 time=0.940 ms

    ^C

    --- 192.168.1.2 ping statistics ---

    5 packets transmitted, 5 packets received, 0% packet loss

    round-trip min/avg/max/stddev = 0.940/4.298/17.504/6.603 ms

    [edit]

    root@JUNOS1# run telnet 192.168.1.2

    Trying 192.168.1.2...

    Connected to 192.168.1.2.

    Escape character is '^]'.

    JUNOS2 (ttyp0)

    login: junuser

    Password:

    --- JUNOS 10.1R1.8 built 2010-02-12 17:15:05 UTC

    junuser@JUNOS2> configure

    Entering configuration mode

    Users currently editing the configuration:

    root terminal d0 (pid 1392) on since 2011-12-15 18:57:48 UTC, idle 00:01:45

    Exercise 10 - automatic rollback

    From your telnet session on JUNOS2, delete the telnet statement under the system services level and commit in a way that if you lose your connection to JUNOS2, the configuration is automatically rolled back after 1 minute. Exit both configuration and operational modes to go back to JUNOS1. Try to telnet again to 192.168.1.2; this should not work. Wait about 2 minutes (take a coffee break) and try again. This time it should work as your previous commit should have been rolled back.

    Solution below

    [edit]

    junuser@JUNOS2# delete system services telnet

    [edit]

    junuser@JUNOS2# commit confirmed 1

    commit confirmed will be automatically rolled back in 1 minutes unless confirmed

    commit complete

    # commit confirmed will be rolled back in 1 minute

    [edit]

    junuser@JUNOS2# exit

    Exiting configuration mode

    # commit confirmed will be rolled back in 1 minute

    junuser@JUNOS2> exit


    Exercise 11 - copy & rename

    Copy the em1 configuration to em2 and rename em2 to em3. Deactivate em3. Go to the interfaces level and display the candidate configuration. Note the inactive: em3. Finally, commit.

    Solution below

    [edit]

    root@JUNOS1# copy interfaces em1 to em2

    [edit]

    root@JUNOS1# rename interfaces em2 to em3

    [edit]

    root@JUNOS1# deactivate interfaces em3

    [edit]

    root@JUNOS1# edit interfaces

    [edit interfaces]

    root@JUNOS1# show

    em0 {
        unit 0 {
            family inet {
                address 192.168.1.1/24;
            }
        }
    }
    em1 {
        unit 0 {
            family inet {
                address 10.1.1.1/8;
            }
        }
    }
    inactive: em3 {
        unit 0 {
            family inet {
                address 10.1.1.1/8;
            }
        }
    }

    [edit interfaces]

    root@JUNOS1# commit

    commit complete


    Change the em3 IP address from 10.1.1.1/8 to 10.1.1.3/8 (hint: use the rename command). Maybe you would like to see what commands produced this candidate configuration? Use show and a pipe to find out.

    Solution below

    [edit interfaces]

    root@JUNOS1# rename em3 unit 0 family inet address 10.1.1.1/8 to address 10.1.1.3/8

    [edit interfaces]

    root@JUNOS1# show | display set

    set interfaces em0 unit 0 family inet address 192.168.1.1/24

    set interfaces em1 unit 0 family inet address 10.1.1.1/8

    set interfaces em3 unit 0 family inet address 10.1.1.3/8

    deactivate interfaces em3

    Exercise 12 - annotate

    Add an annotation saying that em3 is inactive. Using only one command, commit with a

    comment describing what you just did and return to operational mode.

    Solution below

    [edit interfaces]

    root@JUNOS1# annotate em3 "Inactive interface"

    [edit interfaces]

    root@JUNOS1# commit comment "Added inactive em3 interface" and-quit

    commit complete

    Exiting configuration mode

    root@JUNOS1>

    Compare the active configuration with the previous one using the show configuration command.

    Solution below

    root@JUNOS1> show configuration | compare rollback 1

    [edit interfaces]
    +   /* Inactive interface */
    +   inactive: em3 {
    +       unit 0 {
    +           family inet {
    +               address 10.1.1.3/8;
    +           }
    +       }
    +   }


    Exercise 13 - rescue

    You know your configuration works well (basic connectivity is established, for instance). Therefore you want to make it the rescue configuration in case of a problem; this will speed up a recovery. Create the rescue configuration and restore it.

    Solution below

    root@JUNOS1> request system configuration rescue save

    root@JUNOS1> configure

    Entering configuration mode

    root@JUNOS1# rollback rescue

    load complete

    [edit]

    root@JUNOS1# commit

    commit complete

    Exercise 14 - preferred IP address

    Configure an additional IP address (192.168.1.3/24) for em0 and configure your router so that it uses this IP as the source when sending pings to JUNOS2. Commit, exit to operational mode and check with the show interfaces command that em0 has 2 IP addresses.

    Solution below

    [edit]

    root@JUNOS1# set interfaces em0 unit 0 family inet address 192.168.1.3/24 preferred

    [edit]

    root@JUNOS1# show | compare

    [edit interfaces em0 unit 0 family inet]
        address 192.168.1.1/24 { ... }
    +   address 192.168.1.3/24 {
    +       preferred;
    +   }

    [edit]

    root@JUNOS1# commit

    commit complete

    [edit]

    root@JUNOS1# exit

    Exiting configuration mode

    root@JUNOS1> show interfaces em0 terse

    Interface               Admin Link Proto    Local                 Remote
    em0                     up    up
    em0.0                   up    up   inet     192.168.1.1/24
                                                192.168.1.3/24

    Let's check that JUNOS1 can actually send packets using source IP address 192.168.1.3. On JUNOS2, in operational mode, use the following command to monitor the traffic to and from the router: monitor traffic interface em0 (Ctrl + C to exit). Then ping from JUNOS1 to 192.168.1.2. You should see that you are receiving packets from 192.168.1.3 (192.168.1.3 > 192.168.1.2).

    root@JUNOS1> ping 192.168.1.2

    PING 192.168.1.2 (192.168.1.2): 56 data bytes

    64 bytes from 192.168.1.2: icmp_seq=0 ttl=64 time=12.510 ms

    64 bytes from 192.168.1.2: icmp_seq=1 ttl=64 time=1.665 ms

    root@JUNOS2> monitor traffic interface em0

    verbose output suppressed, use <detail> or <extensive> for full protocol decode

    Address resolution is ON. Use <no-resolve> to avoid any reverse lookup delay.

    Address resolution timeout is 4s.

    Listening on em0, capture size 96 bytes

    04:37:18.543830 192.168.1.3 > 192.168.1.2: ICMP echo request, id 40718, seq 12, length 64

    04:37:18.544023 192.168.1.2 > 192.168.1.3: ICMP echo reply, id 40718, seq 12, length 64

    Junos - Operational Monitoring and Maintenance

    Exercise 1 - boot messages

    Do you remember the booting process in chapter 1? Well, you have a command to see the messages again (hint: use the show system command).

    Solution below

    root@JUNOS1# run show system boot-messages

    Copyright (c) 1996-2010, Juniper Networks, Inc.

    ...

    ad1: 1024MB at ata0-slave WDMA2

    Trying to mount root from ufs:/dev/ad0s1a

    vn_read_compressed_block: invalid block index 550

    Exercise 2 - JunOS packages

    Still about the booting process, we have seen that JunOS packages are loaded on virtual memory disks (you can still see that using the show system storage command). Find the command which lists all these packages including their versions.

    Solution below

    root@JUNOS1> show version


    Hostname: JUNOS1

    Model: olive

    JUNOS Base OS boot [10.1R1.8]

    JUNOS Base OS Software Suite [10.1R1.8]

    JUNOS AppId Services [10.1R1.8]

    JUNOS IDP Services [10.1R1.8]

    JUNOS Routing Software Suite [10.1R1.8]

    Exercise 3 - network interfaces

    Now show all interfaces configured on JUNOS1 (equivalent to show ip interface brief on Cisco IOS) and then use a command to show a maximum of details for interface em0.

    Solution below

    root@JUNOS1> show interfaces terse
    Interface               Admin Link Proto    Local                 Remote
    em0                     up    up
    em0.0                   up    up   inet     192.168.1.1/24
                                                192.168.1.3/24

    ...

    root@JUNOS1> show interfaces em0 extensive

    Physical interface: em0, Enabled, Physical link is Up

    Interface index: 8, SNMP ifIndex: 17, Generation: 134

    Type: Ethernet, Link-level type: Ethernet, MTU: 1514, Clocking:

    ...

    Exercise 4 - monitor

    Let's play a bit more with the monitor command. On JUNOS2, monitor all interface traffic (statistics) in real time. From JUNOS1 ping JUNOS2 (192.168.1.2) and check the counters incrementing.

    Solution below

    root@JUNOS2> monitor interface traffic

    Interface Link Input packets (pps) Output packets (pps)

    ...

    em0 Up 1476 1302

    ...

    Exercise 5 - password recovery

    Now assume you have forgotten the root password for JUNOS2, or maybe you really have; don't panic, you are going to do a password recovery. First reboot your system and be ready to hit space to get to the kernel command prompt. Then follow the procedure as explained in the documentation.


    root@JUNOS2> request system reboot

    Reboot the system ? [yes,no] (no) yes

    ...

    Solution below

    Hit [Enter] to boot immediately, or space bar for command prompt.

    Type '?' for a list of commands, 'help' for more detailed help.

    OK boot -s

    ...

    Enter full pathname of shell or 'recovery' for root password recovery or RETURN for /bin/sh:

    recovery

    ...

    NOTE: Once in the CLI, you will need to enter configuration mode using

    NOTE: the 'configure' command to make any required changes. For example,

    NOTE: to reset the root password, type:

    NOTE: configure

    NOTE: set system root-authentication plain-text-password

    NOTE: (enter the new password when asked)

    NOTE: commit

    NOTE: exit

    NOTE: exit

    NOTE: When you exit the CLI, you will be asked if you want to reboot

    NOTE: the system

    Starting CLI ...

    root> configure

    Entering configuration mode

    [edit]

    root# set system root-authentication plain-text-password

    New password:

    Retype new password:

    [edit]

    root# commit

    error: could not open database: /var/run/db/juniper.data: No such file or directory

    error: Database open failed for file '/var/run/db/juniper.data': No such file or directory

    commit complete

    [edit]

    root@JUNOS2# exit

    Exiting configuration mode

    root@JUNOS2> exit

    Reboot the system? [y/n] y


    Well done, you completed all exercises for Juniper's first PDF; now it is time to go into more serious stuff with the second PDF and Routing Fundamentals.

    Junos - Routing Fundamentals

    Starting with Juniper's second PDF, we can make a new practice lab for the next 3 chapters. This lab is a bit more advanced than the previous one in order to test the OSPF routing protocol. You will need 3 Juniper routers; here are the connections:

    JUNOS1, interface em0 <-> JUNOS2, interface em0
    JUNOS1, interface em1 <-> JUNOS2, interface em1
    JUNOS1, interface em4 <-> JUNOS3, interface em4
    JUNOS2, interface em3 <-> JUNOS3, interface em3

    Make sure the routers have a factory default configuration (use the load factory-default command if you need to). Then set the host-name, root password and IP addresses for each router; to save time you can copy and paste the following commands (don't forget to commit):

    JUNOS1

    set system host-name JUNOS1

    set interfaces em0 unit 0 family inet address 172.30.25.2/30

    set interfaces em1 unit 0 family inet address 172.30.25.6/30

    set interfaces em3 unit 0 family inet address 192.168.1.1/24

    set interfaces em4 unit 0 family inet address 172.30.25.9/30

    set interfaces lo0 unit 0 family inet address 10.1.1.1/24

    set system root-authentication plain-text-password

    JUNOS2

    set system host-name JUNOS2

    set interfaces em0 unit 0 family inet address 172.30.25.1/30

    set interfaces em1 unit 0 family inet address 172.30.25.5/30

    set interfaces em3 unit 0 family inet address 172.30.25.13/30

    set interfaces lo0 unit 0 family inet address 10.2.2.2/24

    set system root-authentication plain-text-password

    JUNOS3

    set system host-name JUNOS3

    set interfaces lo0 unit 0 family inet address 10.3.3.3/24

    set interfaces em3 unit 0 family inet address 172.30.25.14/30

    set interfaces em4 unit 0 family inet address 172.30.25.10/30

    set system root-authentication plain-text-password

    If everything went fine, the topology for your new lab should be like in the following image. Please read chapter one of Juniper's second PDF before continuing.


    Exercise 1 - Static routing

    On JUNOS1, configure a default static route (0.0.0.0/0) to next-hop 172.30.25.1.

    Solution below

    [edit]

    root@JUNOS1# set routing-options static route 0.0.0.0/0 next-hop 172.30.25.1

    Add a second default static route with a preference of 7 to next-hop 172.30.25.5 that should

    be used as a backup (floating static route) and commit.

    [edit]

    root@JUNOS1# set routing-options static route 0.0.0.0/0 qualified-next-hop 172.30.25.5 preference 7

    [edit]

    root@JUNOS1# commit

    commit complete

    Let's check that everything is working as expected:

    root@JUNOS1# run show route

    inet.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden)

    + = Active Route, - = Last Active, * = Both

    0.0.0.0/0          *[Static/5] 00:01:54
                        > to 172.30.25.1 via em0.0
                        [Static/7] 00:00:13
                        > to 172.30.25.5 via em1.0

    ...

    [edit]

    root@JUNOS1# run ping 10.2.2.2

    PING 10.2.2.2 (10.2.2.2): 56 data bytes

    64 bytes from 10.2.2.2: icmp_seq=0 ttl=64 time=1.650 ms

    64 bytes from 10.2.2.2: icmp_seq=1 ttl=64 time=1.272 ms

    root@JUNOS2# run monitor traffic interface em0

    ...

    19:33:03.526742 172.30.25.2 > 10.2.2.2: ICMP echo request, id 16648, seq 0, length 64

    [edit]

    root@JUNOS1# deactivate interfaces em0

    [edit]

    root@JUNOS1# commit

    commit complete

    [edit]

    root@JUNOS1# run ping 10.2.2.2

    PING 10.2.2.2 (10.2.2.2): 56 data bytes

    64 bytes from 10.2.2.2: icmp_seq=0 ttl=64 time=3.247 ms

    64 bytes from 10.2.2.2: icmp_seq=1 ttl=64 time=0.658 ms

    [edit]

    root@JUNOS2# run monitor traffic interface em1

    ...

    19:35:30.376370 172.30.25.6 > 10.2.2.2: ICMP echo request, id 14090, seq 7, length 64

    Exercise 2 - OSPF routing

    Configure OSPF routing on all interfaces connecting routers and on their loopbacks, but no adjacency should be formed on interfaces connecting to the 172.30.25.0/30 subnet (172.30.25.1 and 172.30.25.2).

    Solution below

    JUNOS1

    set protocols ospf area 0.0.0.0 interface em0.0 passive

    set protocols ospf area 0.0.0.0 interface em1.0

    set protocols ospf area 0.0.0.0 interface lo0.0

    set protocols ospf area 0.0.0.0 interface em3.0

    set protocols ospf area 0.0.0.0 interface em4.0

    JUNOS2


    set protocols ospf area 0.0.0.0 interface em0.0 passive

    set protocols ospf area 0.0.0.0 interface em1.0

    set protocols ospf area 0.0.0.0 interface lo0.0

    set protocols ospf area 0.0.0.0 interface em3.0

    JUNOS3

    set protocols ospf area 0.0.0.0 interface em3.0

    set protocols ospf area 0.0.0.0 interface em4.0

    set protocols ospf area 0.0.0.0 interface lo0.0

    Let's check that everything is working as expected:

    [edit]

    root@JUNOS1# run show ospf neighbor

    Address Interface State ID Pri Dead

    172.30.25.5 em1.0 Full 10.2.2.2 128 34

    172.30.25.10 em4.0 Full 10.3.3.3 128 32

    [edit]

    root@JUNOS2# run show ospf neighbor

    Address Interface State ID Pri Dead

    172.30.25.6 em1.0 Full 10.1.1.1 128 36

    172.30.25.14 em3.0 Full 10.3.3.3 128 38

    [edit]

    root@JUNOS3# run show ospf neighbor

    Address Interface State ID Pri Dead

    172.30.25.13 em3.0 Full 10.2.2.2 128 36

    172.30.25.9 em4.0 Full 10.1.1.1 128 35

    root@JUNOS3# run show route protocol ospf

    ...

    10.1.1.1/32 *[OSPF/10] 00:04:11, metric 1

    ...

    10.2.2.2/32 *[OSPF/10] 00:04:11, metric 1

    ...

    192.168.1.0/24 *[OSPF/10] 00:00:02, metric 2

    > to 172.30.25.9 via em4.0

    root@JUNOS3# run traceroute 192.168.1.1

    traceroute to 192.168.1.1 (192.168.1.1), 30 hops max, 40 byte packets

    1 192.168.1.1 (192.168.1.1) 1.611 ms 0.588 ms 1.362 ms

    [edit]

    root@JUNOS3# deactivate interfaces em4

    [edit]


    root@JUNOS3# commit

    commit complete

    [edit]

    root@JUNOS3# run traceroute 192.168.1.1

    traceroute to 192.168.1.1 (192.168.1.1), 30 hops max, 40 byte packets

    1 172.30.25.13 (172.30.25.13) 2.316 ms 1.479 ms 0.882 ms

    2 192.168.1.1 (192.168.1.1) 1.283 ms 1.300 ms 1.129 ms

    Finally, don't forget to reactivate interface em4 and commit:

    [edit]

    root@JUNOS3# activate interfaces em4

    [edit]

    root@JUNOS3# commit

    commit complete

    Junos - Routing Policy and Firewall Filters

    We assume you have read chapter 2 of Juniper's second PDF so that you can practice routing policy and firewall filters. First we are going to start with a simple route redistribution followed by a firewall filter to restrict telnet access.

    Exercise 1 - Default route redistribution into OSPF

    Create a policy to redistribute the existing default route (0.0.0.0/0) on JUNOS1 into OSPF so that other routers can use it.

    Solution below

    [edit]

    root@JUNOS1# edit policy-options

    [edit policy-options]

    root@JUNOS1# set policy-statement default-static term accept-default-static from protocol static

    [edit policy-options]

    root@JUNOS1# set policy-statement default-static term accept-default-static from route-filter 0.0.0.0/0 exact

    [edit policy-options]

    root@JUNOS1# set policy-statement default-static term accept-default-static then accept

    [edit policy-options]

    root@JUNOS1# show

    policy-statement default-static {
        term accept-default-static {
            from {
                protocol static;
                route-filter 0.0.0.0/0 exact;
            }
            then accept;
        }
    }

    [edit policy-options]

    root@JUNOS1# top edit protocols ospf

    [edit protocols ospf]

    root@JUNOS1# set export default-static

    [edit]

    root@JUNOS1# commit

    JUNOS1 now advertises the default route in OSPF. Check that JUNOS3 can actually see it.

    root@JUNOS3# run show route protocol ospf

    inet.0: 15 destinations, 15 routes (15 active, 0 holddown, 0 hidden)

    + = Active Route, - = Last Active, * = Both

    0.0.0.0/0 *[OSPF/150] 00:00:05, metric 0, tag 0 to 172.30.25.9 via em4.0
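
    Why the route-filter in this policy uses exact, shown as an added Python example (not part of the original tutorial): it models the term accept-default-static followed by the default OSPF export policy, which rejects everything. The routes other than 0.0.0.0/0 and the function names are constructed for illustration.

```python
import ipaddress

def route_filter_match(route, prefix, match_type):
    """Junos route-filter match types modelled here: exact, orlonger, longer."""
    r, p = ipaddress.ip_network(route), ipaddress.ip_network(prefix)
    if match_type == "exact":
        return r == p
    inside = r.subnet_of(p)
    if match_type == "orlonger":
        return inside
    if match_type == "longer":
        return inside and r.prefixlen > p.prefixlen
    raise ValueError(f"unsupported match type: {match_type}")

def default_static(route, match_type="exact"):
    """Term accept-default-static: protocol static AND route-filter 0.0.0.0/0."""
    if route["protocol"] == "static" and route_filter_match(
            route["prefix"], "0.0.0.0/0", match_type):
        return "accept"
    return None  # no term matched: evaluation moves on to the next policy

def ospf_export(route, match_type="exact"):
    """Export chain: default-static, then the default OSPF export policy,
    which rejects every route."""
    return default_static(route, match_type) or "reject"

# Constructed routing-table entries on JUNOS1; only the default route
# comes from the exercise, the others are hypothetical.
ROUTES = [
    {"prefix": "0.0.0.0/0", "protocol": "static"},
    {"prefix": "10.99.0.0/16", "protocol": "static"},
    {"prefix": "172.30.25.4/30", "protocol": "direct"},
]

def exported(match_type="exact"):
    """Prefixes that JUNOS1 would redistribute into OSPF."""
    return [r["prefix"] for r in ROUTES if ospf_export(r, match_type) == "accept"]

if __name__ == "__main__":
    print("exact:   ", exported("exact"))     # the default route only
    print("orlonger:", exported("orlonger"))  # every static route is exported
```

    With exact, a static route added later stays out of OSPF unless the policy is changed; with orlonger it would be advertised to every neighbor automatically.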

    Exercise 2 - Firewall filtering

    To complete this exercise, we have to activate the telnet service on JUNOS1.

    [edit]

    root@JUNOS1# set system services telnet

    [edit]

    root@JUNOS1# set system login user junuser class super-user authentication plain-text-password

    [edit]

    root@JUNOS1# commit

    commit complete

    Test the service from JUNOS3 using loopback0 as the source interface.

    [edit]

    root@JUNOS3# run telnet 10.1.1.1 interface lo0

    Trying 10.1.1.1...

    Connected to 10.1.1.1.

    Escape character is '^]'.

    JUNOS1 (ttyp0)

    login: junuser

    Password:

    --- JUNOS 10.1R1.8 built 2010-02-12 17:15:05 UTC

    junuser@JUNOS1> exit

    Connection closed by foreign host.

    Now add a firewall filter that allows telnet access to JUNOS1 only from JUNOS3's loopback0

    interface (10.3.3.3). You have to define the firewall filter and a prefix list, and apply the

    filter on JUNOS1's loopback0.

    Solution below

    [edit]

    root@JUNOS1# edit firewall filter limit-telnet-access

    [edit firewall filter limit-telnet-access]

    root@JUNOS1# set term telnet-accept from source-prefix-list trusted

    [edit firewall filter limit-telnet-access]

    root@JUNOS1# set term telnet-accept from protocol tcp

    [edit firewall filter limit-telnet-access]

    root@JUNOS1# set term telnet-accept from destination-port telnet

    [edit firewall filter limit-telnet-access]

    root@JUNOS1# set term telnet-accept then accept

    [edit firewall filter limit-telnet-access]

    root@JUNOS1# set term telnet-reject from protocol tcp

    [edit firewall filter limit-telnet-access]

    root@JUNOS1# set term telnet-reject from destination-port telnet

    [edit firewall filter limit-telnet-access]

    root@JUNOS1# set term telnet-reject then discard

    [edit firewall filter limit-telnet-access]

    root@JUNOS1# set term telnet-reject then log

    [edit firewall filter limit-telnet-access]

    root@JUNOS1# set term else-accept then accept

    [edit firewall filter limit-telnet-access]

    root@JUNOS1# show

    term telnet-accept {
        from {
            source-prefix-list {
                trusted; ## 'trusted' is not defined
            }
            protocol tcp;
            destination-port telnet;
        }
        then accept;
    }
    term telnet-reject {
        from {
            protocol tcp;
            destination-port telnet;
        }
        then {
            discard;
        }
    }
    term else-accept {
        then accept;
    }

    [edit firewall filter limit-telnet-access]

    root@JUNOS1# top edit policy-options

    [edit policy-options]

    root@JUNOS1# set prefix-list trusted 10.3.3.3

    [edit policy-options]

    root@JUNOS1# top set interfaces lo0 unit 0 family inet filter input limit-telnet-access

    Let's check that we can connect only from JUNOS3's loopback0 interface. Also have a look

    at the firewall log on JUNOS1.

    root@JUNOS2# run telnet 10.1.1.1 interface lo0

    Trying 10.1.1.1...^C

    [edit]

    root@JUNOS3# run telnet 10.1.1.1 interface lo0

    Trying 10.1.1.1...

    Connected to 10.1.1.1.

    Escape character is '^]'.

    JUNOS1 (ttyp0)

    login:

    root@JUNOS1# run show firewall log

    Log :

    Time Filter Action Interface Protocol Src Addr Dest Addr

    01:42:37 limit-telnet-access D em1.0 TCP 10.2.2.2 10.1.1.1

    01:42:33 limit-telnet-access D em1.0 TCP 10.2.2.2 10.1.1.1

    01:42:29 limit-telnet-access D em1.0 TCP 10.2.2.2 10.1.1.1

    01:42:25 limit-telnet-access D em1.0 TCP 10.2.2.2 10.1.1.1
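
    The filter from this exercise, modelled as an added Python example (not part of the original tutorial or of Junos): terms are evaluated in order, the first match decides, and a packet that matches no term is discarded. The packets and the dictionary layout are constructed for illustration; because an input filter on lo0 sees all traffic addressed to the router itself, leaving out else-accept would also discard OSPF hellos.

```python
import ipaddress

TELNET = 23
# Prefix list from the exercise: only JUNOS3's loopback0 is trusted.
PREFIX_LISTS = {"trusted": [ipaddress.ip_network("10.3.3.3/32")]}

# Terms of limit-telnet-access in configured order (the log action is left out).
# A condition that is absent from a term matches anything.
LIMIT_TELNET_ACCESS = [
    {"name": "telnet-accept", "source-prefix-list": "trusted",
     "protocol": "tcp", "destination-port": TELNET, "then": "accept"},
    {"name": "telnet-reject", "protocol": "tcp",
     "destination-port": TELNET, "then": "discard"},
    {"name": "else-accept", "then": "accept"},
]

def term_matches(term, pkt):
    """All conditions present in a term must match (logical AND)."""
    plist = term.get("source-prefix-list")
    if plist is not None:
        src = ipaddress.ip_address(pkt["src"])
        if not any(src in net for net in PREFIX_LISTS[plist]):
            return False
    if "protocol" in term and term["protocol"] != pkt["protocol"]:
        return False
    if "destination-port" in term and term["destination-port"] != pkt.get("dport"):
        return False
    return True

def evaluate(terms, pkt):
    """Return (term name, action) for the first term that matches."""
    for term in terms:
        if term_matches(term, pkt):
            return term["name"], term["then"]
    # No term matched: a Junos firewall filter ends with an implicit discard.
    return "(implicit)", "discard"

# Constructed packets hitting the input filter on JUNOS1's lo0.
PACKETS = {
    "telnet-JUNOS3": {"src": "10.3.3.3", "protocol": "tcp", "dport": TELNET},
    "telnet-JUNOS2": {"src": "10.2.2.2", "protocol": "tcp", "dport": TELNET},
    "ospf-JUNOS2": {"src": "172.30.25.5", "protocol": "ospf"},
}

if __name__ == "__main__":
    for label, pkt in PACKETS.items():
        print(label, "->", evaluate(LIMIT_TELNET_ACCESS, pkt))
    # Same filter without else-accept: OSPF falls through to the implicit discard.
    print(evaluate(LIMIT_TELNET_ACCESS[:2], PACKETS["ospf-JUNOS2"]))
```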

    Junos - Class of Service

    Exercise - Marking packets

    Your goal is to create a filter that you will apply on JUNOS1's em4 interface (input). This

    filter will mark all packets from 10.3.3.0/24 with the expedited-forwarding (EF) DSCP.

    Solution below

    firewall {
        family inet {
            filter apply-cos {
                term from-JUNOS3 {
                    from {
                        source-address {
                            10.3.3.0/24;
                        }
                    }
                    then {
                        forwarding-class expedited-forwarding;
                        accept;
                    }
                }
                term default {
                    then accept;
                }
            }
        }
    }
    interfaces {
        em4 {
            unit 0 {
                family inet {
                    filter {
                        input apply-cos;
                    }
                    address 172.30.25.9/30;
                }
            }
        }
    }