Configuring Juniper Networks Routers

Module 2: Initial Configuration

CJNR-M-7.a.7.6.1
Copyright © 2006, Juniper Networks, Inc.
Module Objectives
 After successfully completing this module, you will be
able to:
– Explain user authentication and authorization options
– Describe the use of configuration groups
– Configure system logging and tracing
– Configure interfaces
– Perform typical initial system configuration according to a
checklist

Agenda: Initial System Configuration
 User Authentication and Authorization
 Configuration Groups
 System Logging and Tracing
 Interface Configuration
 Initial Configuration Checklist and Examples

User Authentication
 Local
– Name and password
– Individual accounts and home directories
– Per-user command class permissions
 RADIUS/TACACS+
– Supports authentication, per-class authorization, and
extended regular expressions that alter the permissions
associated with the user’s login class
 Authentication order can be specified
– By default, fall back to local authentication when RADIUS or
TACACS+ fails

Login Class Permissions
 Each nonroot user is associated with a login class
– Each login class can be associated with one or more
permission flags
 Sample permissions include access, configuration, and clear
 Individual commands can be allowed or denied with regular expressions
 Default login classes and permissions
– operator
 Clear, network, reset, trace, view
– read-only
 View
– super-user (also known as superuser)
 All
– unauthorized
 None

Login Class Configuration Example
 This configuration defines two nonroot users in the local
database
– The ops user has limited permissions, while the lab user has
all possible permissions
[edit system login]
lab@Sao_Paulo# show
class ops {
    permissions [ clear network view view-configuration ];
}
user lab {
    uid 2000;
    class superuser;
    authentication {
        encrypted-password "$1$EcLbIfpB$wzX7xVMo9ou8zmzdm4gHy/"; # SECRET-DATA
    }
}
user ops {
    uid 2004;
    class ops;
    authentication {
        encrypted-password "$1$b.a0nccU$kxy6u1iTADLzObeNDV0jq."; # SECRET-DATA
    }
}
Slide callouts: "class ops { ... }" is the definition of permissions for the ops login class; "class superuser" under user lab is the predefined login class with all permissions granted; "class ops" under user ops assigns the custom login class.
RADIUS Authentication Example
 Use authentication-order to specify the sequence in
which a user should be authenticated
– Local password is the default
 Pop quiz: Based on this configuration, can the lab user
log in if the RADIUS server is unreachable?
[edit system]
root@Sao_Paulo# show
host-name Sao_Paulo;
authentication-order [ radius password ];
root-authentication {
    encrypted-password "$1$5Jkjbxwx$UT2e1FhTb0yVgRfGjN8IE1"; # SECRET-DATA
}
radius-server {
    10.0.1.201 secret "$9$3tRO/CuvMXwYo"; # SECRET-DATA
}
login {
    user lab {
        uid 2000;
        class superuser;
    }
}
. . .
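The following Python model makes the login-class and authentication-order semantics of the two preceding slides concrete. It is an added example written for this page, not course material and not JUNOS code. It assumes a simplified command-to-permission mapping, a placeholder local password for the ops user, the RADIUS slide's lab user with no local authentication stanza, and an extra deny-commands regular expression on the ops class; the rule that an allow-commands match wins over deny-commands is the model's own choice.

```python
import re

# Constructed local user database, modelled on the [edit system login] stanzas
# on the two slides above.  Passwords are placeholders, not the slides'
# SECRET-DATA values; as on the RADIUS slide, 'lab' has no local password.
LOGIN_CLASSES = {
    "superuser":    {"permissions": {"all"}},
    "operator":     {"permissions": {"clear", "network", "reset", "trace", "view"}},
    "read-only":    {"permissions": {"view"}},
    "unauthorized": {"permissions": set()},
    # The slide's custom class, plus an assumed deny-commands regex so the
    # regular-expression path is exercised.
    "ops": {"permissions": {"clear", "network", "view", "view-configuration"},
            "deny_commands": r"^clear (bgp|ospf)"},
}
USERS = {
    "lab": {"class": "superuser", "password": None},
    "ops": {"class": "ops", "password": "PLACEHOLDER-SECRET-ops"},
}

# Simplified mapping from a command prefix to the permission flag it needs.
# This is an assumption of the model, not the full JUNOS permission table.
COMMAND_PERMISSION = [
    (r"^show configuration", "view-configuration"),
    (r"^show ", "view"),
    (r"^clear ", "clear"),
    (r"^(ping|traceroute|telnet|ssh) ", "network"),
    (r"^request system (reboot|halt)", "reset"),
    (r"^monitor traceoptions", "trace"),
    (r"^configure", "configure"),
]


def authorize(user, command):
    """Return True if the user's login class permits the operational command."""
    cls = LOGIN_CLASSES[USERS[user]["class"]]
    allow, deny = cls.get("allow_commands"), cls.get("deny_commands")
    # Modelled precedence: an allow-commands match wins over deny-commands.
    if allow and re.search(allow, command):
        return True
    if deny and re.search(deny, command):
        return False
    if "all" in cls["permissions"]:
        return True
    for pattern, flag in COMMAND_PERMISSION:
        if re.match(pattern, command):
            return flag in cls["permissions"]
    return False  # unknown command: deny by default


def local_password_ok(user, password):
    """Stand-in for the local password check; compares against the placeholder."""
    stored = USERS.get(user, {}).get("password")
    return stored is not None and stored == password


def authenticate(user, password, order, server_results):
    """Walk authentication-order the way the slides describe it.

    order is the configured list, e.g. ["radius", "password"].
    server_results maps an external method ("radius", "tacplus") to what the
    server answered for this attempt: "accept", "reject" or "unreachable".
    A method that rejects or does not answer hands over to the next one; if
    every external server was unreachable and "password" is not in the list,
    the router falls back to the local password (the default fallback the
    slide describes).
    """
    any_server_answered = False
    for method in order:
        if method == "password":
            if local_password_ok(user, password):
                return True
            continue
        result = server_results.get(method, "unreachable")
        if result == "accept":
            return True
        if result == "reject":
            any_server_answered = True
    if "password" not in order and not any_server_answered:
        return local_password_ok(user, password)
    return False
```

Calling authenticate with the lab user, the slide's authentication-order of [ radius password ] and a RADIUS result of "unreachable" reproduces the pop-quiz scenario; what decides it is whether the lab user has anything under authentication in the local database.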
Configuration Groups
 Groups of statements that you can apply to different
sections of a configuration
– Shortcut method of applying the same parameters to many
parts of a configuration
– Required for redundant RE support
 Target area of configuration inherits information from
source of configuration data
groups {
    group-name {
        configuration-data;
    }
}

Configuration Group Example
[edit]
lab@SanJose-re0# show groups re0
re0 {
    system {
        host-name SanJose-re0;
    }
    interfaces {
        fxp0 {
            unit 0 {
                family inet {
                    address 192.168.200.51/24;
                }
            }
        }
    }
}

[edit]
lab@SanJose-re0# show groups re1
re1 {
    system {
        host-name SanJose-re1;
    }
    interfaces {
        fxp0 {
            unit 0 {
                family inet {
                    address 192.168.200.52/24;
                }
            }
        }
    }
}

[edit]
lab@SanJose-re0# set apply-groups [ re0 re1 ]

Interface Group Example
[edit]
lab@SanJose# show groups
all-atm {
    interfaces {
        <at-*> {
            encapsulation atm-pvc;
            atm-options {
                vpi 0 maximum-vcs 200;
            }
            unit 100 {
                point-to-point;
                vci 0.100;
            }
        }
    }
}

[edit]
lab@SanJose# set interfaces apply-groups all-atm

[edit interfaces]
lab@San_Jose-3# show
apply-groups all-atm;
at-0/0/1 {
    unit 100 {
        family inet {
            address 1.1.1.1/24;
        }
    }
}

Displaying Inherited Configuration
[edit]
lab@San_Jose# show interfaces | display inheritance
at-0/0/1 {
    ##
    ## 'atm-pvc' was inherited from group 'all-atm'
    ##
    encapsulation atm-pvc;
    ##
    ## 'atm-options' was inherited from group 'all-atm'
    ##
    atm-options {
        ##
        ## '0' was inherited from group 'all-atm'
        ##
        vpi 0 {
            ##
            ## '200' was inherited from group 'all-atm'
            ##
            maximum-vcs 200;
        }
    }
    unit 100 {
        ##
        ## 'point-to-point' was inherited from group 'all-atm'
        ##
        point-to-point;
        ##
. . .

Hint: Pipe the results to except # (for example, show interfaces | display inheritance | except #) to remove the lines beginning with # from the display
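The inheritance shown on the last three slides (a wildcard group applied to existing interfaces, the first-listed group taking priority, and the annotated output of display inheritance) can be reproduced with a small resolver. The Python below is an added example for this page, not course material and not how JUNOS implements groups internally; the configuration trees are constructed from the slides, and the re0/re1 groups are treated as ordinary groups here (on a real router they are selected by which Routing Engine is active).

```python
import fnmatch

# Constructed group and target configurations modelled on the slides.  A dict
# value is a container statement, a string value is a "keyword value;" leaf,
# and None is a bare flag such as point-to-point.
GROUPS = {
    "all-atm": {
        "interfaces": {
            "<at-*>": {                       # wildcard: applies to every at-* interface
                "encapsulation": "atm-pvc",
                "atm-options": {"vpi 0": {"maximum-vcs": "200"}},
                "unit 100": {"point-to-point": None, "vci": "0.100"},
            }
        }
    },
    "re0": {"system": {"host-name": "SanJose-re0"}},
    "re1": {"system": {"host-name": "SanJose-re1"}},
}
CONFIG = {
    "interfaces": {
        "at-0/0/1": {"unit 100": {"family inet": {"address": "1.1.1.1/24"}}},
        "fe-0/0/0": {"unit 0": {"family inet": {"address": "10.0.0.1/24"}}},
    }
}


def _wrap(node, origin):
    """Tag every statement with the group it came from (None = explicit)."""
    return {k: (origin, _wrap(v, origin) if isinstance(v, dict) else v)
            for k, v in node.items()}


def _merge(target, source, origin):
    for key, value in source.items():
        if key.startswith("<") and key.endswith(">"):
            # Wildcard entries apply only to statements already in the target.
            for tkey, (_, tchild) in target.items():
                if isinstance(tchild, dict) and fnmatch.fnmatchcase(tkey, key[1:-1]):
                    _merge(tchild, value, origin)
        elif key not in target:
            target[key] = (origin, _wrap(value, origin) if isinstance(value, dict) else value)
        elif isinstance(value, dict) and isinstance(target[key][1], dict):
            _merge(target[key][1], value, origin)
        # otherwise the explicit (or earlier-listed group's) statement wins


def resolve(config, groups, apply_groups):
    """Apply groups in the listed order; the first listed group has priority."""
    tree = _wrap(config, None)
    for name in apply_groups:
        _merge(tree, groups[name], name)
    return tree


def render(tree, indent=0):
    """Emit the configuration the way 'show | display inheritance' does."""
    pad, lines = "    " * indent, []
    for key, (origin, child) in tree.items():
        if origin is not None:
            label = child if isinstance(child, str) else key.split()[-1]
            lines += [pad + "##",
                      pad + "## '%s' was inherited from group '%s'" % (label, origin),
                      pad + "##"]
        if isinstance(child, dict):
            lines += [pad + key + " {"] + render(child, indent + 1) + [pad + "}"]
        elif child is None:
            lines.append(pad + key + ";")
        else:
            lines.append(pad + key + " " + child + ";")
    return lines


def except_comments(lines):
    """The '| except #' pipe from the slide: drop every line containing '#'."""
    return [line for line in lines if "#" not in line]


if __name__ == "__main__":
    print("\n".join(render(resolve(CONFIG, GROUPS, ["all-atm"]))))
```

Running the module prints the at-0/0/1 stanza with the same "was inherited from group" comments the slide shows, while fe-0/0/0 is left untouched because the wildcard does not match it.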


System Logging and Tracing
 Logging and tracing allows you to monitor system and
protocol events
– System logging
 Standard UNIX syslog syntax and options
 Primary destination is /var/log/messages
– Tracing operations
 Protocol-specific information, for example, BGP or OSPF
 General routing and interface behavior

lab@Sao_Paulo> show log messages | match fail
May 10 20:38:20 Sao_Paulo chassisd[2269]: CHASSISD_SNMP_TRAP6: SNMP
trap: Power Supply failed: jnxContentsContainerIndex 2,
jnxContentsL1Index 1, jnxContentsL2Index 0, jnxContentsL3Index 0,
jnxContentsDescr Power Supply A, jnxOperatingState/Temp 6

This log entry indicates a power supply failure

System Logging Facilities
 The facility determines the type/class of events that
should be logged
– Facilities available in Release 6.3:

  any                   All facilities
  authorization         Authorization system
  change-log            Configuration change log
  conflict-log          Configuration conflict log
  daemon                Various system processes
  dfc                   Dynamic flow capture
  firewall              Firewall filtering system
  ftp                   File Transfer Protocol process
  interactive-commands  Commands executed by the UI
  kernel                Kernel
  pfe                   Packet Forwarding Engine
  user                  User processes
Syslog Severity Levels
 Setting a severity level causes router to log all
messages at or above the specified priority
– Logging at the critical level also causes alert and
emergency messages to appear

Severity levels, from most to least severe:

  emergency  alert  critical  error  warning  notice  info  debug

  none  (disables logging of that facility)

Configuring a level logs messages that are equal to or more severe than that level

Writing to a Local File
 Use the file keyword to write entries to the named
file on the local hard drive
– Log and trace files are housed in /var/log
 Use the archive keyword to set system-wide defaults
file filename {                         <- the file to which the entries are written
    facility severity-level;            <- what should be logged
    archive {                           <- archive settings for log history
        files number;
        size size;
        (world-readable | no-world-readable);
    }
}
archive size 1m files 5;                <- system-wide archive defaults

Other Syslog Output Options
 Write to:
– A host
host hostname {
    facility level;
}
– A user
user (username | *) {
    facility level;
}
– The console
console {
    facility level;
}

Syslog Configuration Example
[edit system syslog]
lab@host# show
/* send all error messages to file "errors" with explicit priority */
file errors {
    any error;
    explicit-priority;
}
/* send all daemon at level info and above, and anything, */
/* warning and above, to host hot-dog.juniper.net */
host hot-dog.juniper.net {
    any warning;
    daemon info;
}
/* send all security-related information to file "security" */
file security {
    authorization info;
    interactive-commands info;
}
/* send generic messages (authorization at level notice and above, */
/* the rest at level warning and above) to file "messages" */
file messages {
    any warning;
    authorization notice;
    archive size 10m files 20 no-world-readable;
}
Slide callouts: the /* ... */ lines are comments; "file errors" names the log file; in each "facility level" statement the first word is the syslog facility and the second is the level at which to begin logging; the archive statement under "file messages" sets the archive and permission settings for the messages file.
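To check how the facility, severity and destination rules of the last four slides combine, the Python below parses the syslog stanza from the slide above and reports which destinations a given message reaches. It is an added example for this page, not course material and not JUNOS's own syslog implementation; the sample messages are constructed, and the rule that a destination's entry for a specific facility overrides its any entry for that facility is the model's reading of the slides.

```python
import re

SEVERITIES = ["emergency", "alert", "critical", "error", "warning", "notice", "info", "debug"]
RANK = {name: i for i, name in enumerate(SEVERITIES)}   # lower rank = more severe

# The slide's [edit system syslog] stanza, embedded as sample input.
SYSLOG_CONFIG = """
/* send all error messages to file "errors" with explicit priority */
file errors {
    any error;
    explicit-priority;
}
/* send all daemon at level info and above, and anything, */
/* warning and above, to host hot-dog.juniper.net */
host hot-dog.juniper.net {
    any warning;
    daemon info;
}
/* send all security-related information to file "security" */
file security {
    authorization info;
    interactive-commands info;
}
/* send generic messages (authorization at level notice and above, */
/* the rest at level warning and above) to file "messages" */
file messages {
    any warning;
    authorization notice;
    archive size 10m files 20 no-world-readable;
}
"""

STANZA = re.compile(r"^(file|host|user|console)\s*(\S*)\s*\{$")


def parse_syslog(text):
    """Return {destination: {facility: level}} from a syslog stanza.

    Only 'facility level;' statements are kept; archive, explicit-priority
    and similar options do not affect which destination gets a message.
    """
    dests, current = {}, None
    for raw in text.splitlines():
        line = re.sub(r"/\*.*?\*/", "", raw).strip()   # drop /* comments */
        if not line:
            continue
        m = STANZA.match(line)
        if m:
            current = (m.group(1) + " " + m.group(2)).strip()
            dests[current] = {}
        elif line == "}":
            current = None
        elif current is not None:
            words = line.rstrip(";").split()
            if len(words) == 2 and (words[1] in RANK or words[1] == "none"):
                dests[current][words[0]] = words[1]
    return dests


def destinations_for(dests, facility, severity):
    """List the destinations that receive a message of (facility, severity).

    Modelled rule: a destination's entry for the specific facility governs
    that facility ('none' silences it there); otherwise its 'any' entry does.
    A message is delivered when it is at or above the configured severity.
    """
    out = []
    for name, rules in dests.items():
        level = rules.get(facility, rules.get("any"))
        if level is None or level == "none":
            continue
        if RANK[severity] <= RANK[level]:
            out.append(name)
    return out


# Constructed messages: an operator command logged by the CLI, an
# authorization event, a daemon informational event and a kernel fault.
SAMPLE_MESSAGES = [
    ("interactive-commands", "info"),
    ("authorization", "notice"),
    ("daemon", "info"),
    ("kernel", "critical"),
]

if __name__ == "__main__":
    dests = parse_syslog(SYSLOG_CONFIG)
    for fac, sev in SAMPLE_MESSAGES:
        print(fac, sev, "->", destinations_for(dests, fac, sev))
```

The interesting case for an operator is the first one: commands typed at the CLI reach only the security file, because no other destination lists the interactive-commands facility and the any entries elsewhere start at warning.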
Tracing Example
 Tracing is normally used to troubleshoot routing
protocol operation
– Configure with the traceoptions statement under the
protocol to be traced

[edit protocols isis]
lab@Sao_Paulo# show
traceoptions {
    file isis-trace;
    flag error detail;
    flag hello detail;
}
level 1 disable;
interface fe-0/0/2.0;
interface lo0.0;
Slide callouts: "file isis-trace" is the trace file used to store trace output; the flag statements select what is being traced, and at what level of detail.

Configuring Interfaces
 Where we are going…
– Permanent and transient interfaces
– Interface naming and selected media types
– Logical units
– Physical and logical interface properties
– Configuration examples

Permanent Interfaces
 Router has several permanent interfaces
– Out-of-band management interface is called fxp0
 Requires configuration
– Internal Routing Engine to Packet Forwarding Engine
connection is called fxp1/bcm0
– Internal RE-to-RE connection is fxp2 or em0
 Internal interfaces do not require any configuration; do not attempt to
modify these interfaces!
Figure: the Routing Engine (RT, FT, JUNOS CLI software) connects to the Packet Forwarding Engine (FT) over the internal fxp1/bcm0 link between RE and PFE

Transient Interfaces
 PICs support transient interfaces
– PICs plug into FPCs
– FPC plugs into chassis
 Transient interfaces are named according to:
– Interface media type
– FPC slot number
– PIC slot number within FPC
– PIC port number
– Channel number where applicable
 Naming example:

at-0/2/3 = port 3 of an ATM PIC in slot 2 on FPC 0

Figure: Physical Interface Cards (PICs) in an FPC

Selected Interface Media Types
 Media types:
– at: ATM over SONET/SDH ports
– e1: E1 ports
– e3: E3 ports
– fe: Fast Ethernet ports
– so: SONET/SDH ports
– t1: T1 ports
– t3: DS-3 ports
– ge: Gigabit Ethernet ports
– ae: Aggregated Ethernet ports
 Various IP services and internal interface types
– No media or ports associated with IP services or internally
generated interfaces
 Examples include Adaptive Services and passive monitoring PICs

Typical FPC and PIC Placement
 Transient interfaces identified according to FPC/PIC/port convention
 FPC and PIC numbering varies by platform
– M40/M160 platforms support eight FPCs, numbered from left to right
 PICs numbered from top to bottom (0–3)
– M20 platform supports four FPCs numbered from top to bottom
 PICs numbered from right to left (0–3)
 FPC slot and PIC port numbers are labeled!
Figure: typical FPC and PIC numbering (T640): FPCs 0–7 (left to right), PICs 0–3 (top to bottom)
Logical Units
Example: so-5/2/3.43
 Logical units are like sub-interfaces in other equipment
– In JUNOS software, a logical unit is always required
 Also used to support multipoint technologies like Frame Relay, ATM, or
VLANs
 Interface unit number is separate in meaning from the
actual circuit identifier; can be any arbitrary value
– Suggested convention is to keep them the same
 PPP/HDLC encapsulations support only one logical unit
– Must configure unit number as zero for these encapsulations
 Multiple protocol addresses are supported on a single
logical unit
– Typing in additional addresses does not override previous
address
 Watch for multiple addresses when correcting addressing mistakes!
Interface Properties
 Physical properties
– Clocking
– Scrambling
– FCS
– MTU
– Data link layer protocol, keepalives
– Diagnostic characteristics
 Local, remote, and facility loopback
 BERT
 Logical properties
– Protocol family (inet, inet6, iso, mpls)
– Addresses (IP address, ISO NET address)
– Virtual circuits (VCI/VPI, DLCI)
– Other characteristics

Generic Interface Configuration

interfaces {
    interface-name {
        physical-properties;        <- physical properties are configured at the device level
        […]
        unit unit-number {
            logical-properties;     <- logical properties are configured at the logical unit level
            […]
        }
    }
}

Configuring Physical Properties
 Configure physical properties of the interface using the
set command from the [edit] hierarchy:
[edit]
lab@omaha# set interfaces so-1/0/3 no-keepalives
 Or, park yourself at a sub-hierarchy
lab@omaha> configure
[edit]
lab@omaha# edit interfaces so-1/0/3
[edit interfaces so-1/0/3]
lab@omaha# set no-keepalives

Logical Interface Settings
 Logical settings
– Protocol family (inet, inet6, iso, mpls)
 Protocol MTU
 Protocol addressing
 Other protocol options
– Virtual circuit identifiers (VPI/VCI, DLCI)
– Other properties according to circuit characteristics

Configuring Logical Interfaces
 Use the set command to configure a logical interface
using the unit number
– For example:
lab@omaha> configure
[edit]
lab@omaha# set interfaces so-1/0/3 unit 40 dlci 40

 Or park yourself at the unit level:

lab@omaha> configure
[edit]
lab@omaha# edit interfaces so-1/0/3 unit 40
[edit interfaces so-1/0/3 unit 40]
lab@omaha# set dlci 40

Configuring Protocol Families
 Each major protocol is called a family
– Multiple families can live on the same logical interface
– Family encompasses entire protocol suite
 Internet protocol has TCP, UDP, and ICMP as family members
 Supported protocol families are:
– IP (inet)
– IPv6 (inet6)
– International Standards Organization (iso)
– Traffic engineering (mpls)

Internet Protocol Family (inet)
 Allows you to set:
– IP address: address A.B.C.D/prefix_length
– Remote address on point-to-point links: destination
A.B.C.D
– Broadcast address: broadcast A.B.C.D
– Primary address: primary
– Preferred address: preferred
– MTU size: mtu bytes
– ICMP redirect control: no-redirects
– Multicasts only: multicast-only

Protocol Family Example
 Sample configuration for the inet family:
lab@omaha> configure
[edit]
lab@omaha# edit interfaces so-1/0/3
[edit interfaces so-1/0/3]
lab@omaha# set unit 0 family inet address 10.0.20.1/24
Note the use of CIDR notation for the mask length
 Displayed as:
[edit interfaces so-0/1/3]
lab@omaha# show
unit 0 {
    family inet {
        address 10.0.20.1/24;
    }
}
– Use display set to convert a configuration stanza to set
commands
[edit interfaces so-0/1/3]
lab@omaha# show | display set
set interfaces so-0/1/3 unit 0 family inet address 10.0.20.1/24

Interface Configuration Examples
[edit interfaces]
lab@Sydney# show at-0/2/1
description "SY to HK and DE";
atm-options {
    vpi 0 {
        maximum-vcs 200;
    }
}
unit 0 {
    description "to HK";
    vci 100;
    family inet {
        address 10.0.15.1/24;
    }
}
unit 101 {
    description "to DE";
    vci 101;
    family inet {
        address 172.16.0.1/24;
    }
}
An ATM interface with multiple units

[edit interfaces]
lab@Sydney# show fe-0/0/2
unit 0 {
    family inet {
        address 10.0.13.1/24;
    }
    family mpls;
}
Fast Ethernet with inet and mpls support

[edit interfaces]
lab@Sydney# show so-0/1/3
no-keepalives;
encapsulation frame-relay;
unit 100 {
    dlci 100;
    family inet {
        address 4.4.4.4/24;
    }
}
A SONET interface running Frame Relay with keepalives (LMI) disabled
Disabling and Deactivating
 Use deactivate to cause the related stanza to be ignored
[edit interfaces]
lab@San_Jose# deactivate so-0/1/0

[edit interfaces]
lab@San_Jose# show so-0/1/0
##
## inactive: interfaces so-0/1/0
##
unit 0 {
    family inet {
        address 10.0.1.2/24;
    }
}
 Setting an interface or logical unit to disable signals
JUNOS software to treat that interface as administratively
down
[edit interfaces]
lab@San_Jose# set so-0/1/0 disable

[edit interfaces]
lab@San_Jose# show so-0/1/0
disable;
unit 0 {
    family inet {
        address 10.0.1.2/24;
    }
}

Initial Configuration Checklist
 The following items are normally configured at initial
system installation:
– Root password
– Host name
– Domain name and DNS server address
– Configuration file compression (no longer necessary)
– System logging
– Out-of-band management interface
– Default and backup routers for management network
– Configure system services for remote access
– User accounts
– System time
– Loopback and transient interfaces
– Remaining configuration needed to place the router into service
(protocols, firewall filters, etc.)

Initial Configuration (1 of 10)
 Log in as root
. . .
starting local daemons:.
Fri Jan 17 22:23:32 UTC 1997

Amnesiac (ttyd0)

login: root
Last login: Fri Jan 17 22:21:55 on ttyd0

--- JUNOS 5.2R2.3 built 2002-03-23 02:44:36 UTC

Terminal type? [vt100] <enter>
root@%
Slide callouts: "Amnesiac" indicates a factory default configuration; "root@%" is the BSD shell prompt
 Start CLI
root@% cli
root>

Initial Configuration (2 of 10)
 Enter configuration mode
root> configure
[edit]
root#
 Configure root password
– Plain text
root# set system root-authentication plain-text-password
– Pre-encrypted password
root# set system root-authentication encrypted-password encrypted-password
 Do not enter a clear text password in this mode!
– Secure Shell (SSH) key
root# set system root-authentication ssh-rsa key

Initial Configuration (3 of 10)
 Configure router name
[edit]
root# set system host-name lab2
 Configure router domain name
[edit]
root# set system domain-name domain-name.tld
 Configure name server address
[edit]
root@# set system name-server ns-address
 Configure configuration file compression
– Is the default for recent versions
– For older versions:
[edit]
root@# set system compress-configuration-files

Initial Configuration (4 of 10)
 Adjust syslog parameters as needed
– Interactive command and configuration change logging is a good
idea
– Adjusting archive settings for more history also recommended
[edit system syslog]
root@lab2# show
user * {
    any emergency;
}
file messages {
    any notice;
    authorization info;
    archive size 1m files 20;
}
file cli-commands {
    interactive-commands any;
    archive size 1m files 10;
}
file config-changes {
    change-log info;
    archive size 1m files 10;
}
Slide callouts: the archive settings are adjusted on the default syslog file (messages); the cli-commands and config-changes files capture interactive commands and configuration changes

Initial Configuration (5 of 10)
 Commit changes so far
[edit]
root# commit
commit complete

[edit]
root@lab2#
Note: the host name takes effect after the commit
 Configure management interface IP address and prefix
[edit]
root@lab2# set interfaces fxp0 unit 0 family inet address ip-address/prefix-length
 Define a backup router
– Used when routing daemon is not running
 Required when using redundant Routing Engines
[edit]
root@lab2# set system backup-router gateway-address

Initial Configuration (6 of 10)
 Define static route for OoB management network
[edit]
root@lab2# edit routing-options

[edit routing-options]
root@lab2# set static route ip-address/prefix-length
next-hop OoB-next-hop-address no-readvertise
 Configure system services for remote access
[edit]
root@lab2# set system services ssh
[edit]
root@lab2# set system services telnet
[edit]
root@lab2# set system services ftp
Initial Configuration (7 of 10)
 Configure user accounts
– Use predefined login classes, or create your own

[edit system login]
root@lab2# show
user dr-data {
    full-name "The Doctor 'O Data";
    uid 2003;
    class superuser;
    authentication {
        encrypted-password "$1$B78jkPLd$8VVjFv6D.ZQQev/5rstET0"; # SECRET-DATA
    }
}
The user ID is created automatically when not explicitly configured
 The commands used to create the dr-data user account, courtesy of display set:
[edit system login]
root@lab2# show | display set
set system login user dr-data full-name "The Doctor 'O Data"
set system login user dr-data uid 2003
set system login user dr-data class superuser
set system login user dr-data authentication encrypted-password "$1$B78jkPLd$8VVjFv6D.ZQQev/5rstET0"
Initial Configuration (8 of 10)
 Configure time zone and manually set the time of day
– Configure time zone:
[edit]
root@lab2# set system time-zone America/Los_Angeles
– Set date and time manually
root@lab2> set date ?
Possible completions:
<time> New date and time (YYYYMMDDhhmm.ss)
ntp Set date/time using Network Time Protocol
servers
root@lab2> set date 200405141017.20
Fri May 14 10:17:20 PDT 2004
 Or, configure NTP

Initial Configuration (9 of 10)
 Configure loopback and transient interfaces
[edit interfaces]
root@lab2# set lo0 unit 0 family inet address 192.168.12.1

[edit interfaces]
root@lab2# set fe-0/0/2 unit 0 family inet address 10.0.13.2/24

[edit interfaces]
root@lab2# show lo0
unit 0 {
    family inet {
        address 192.168.12.1/32;
    }
}
The loopback interface must use a /32

[edit interfaces]
root@lab2# show fe-0/0/2
unit 0 {
    family inet {
        address 10.0.13.2/24;
    }
}

Initial Configuration (10 of 10)
 Configure remaining items required to place the router
into service
– Routing protocols (OSPF, IS-IS, BGP, PIM, etc)
– Routing policies
– Firewall filters to secure the local router and possible attached
devices
– MPLS traffic engineering
 These tasks are detailed in subsequent modules

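The ten initial-configuration steps above form one procedure, and the display set output the module introduces is a convenient form to check it against. The Python below audits set lines for the checklist items the slides name (root authentication, host and domain names, name server, time, backup router, fxp0 address, syslog of interactive commands and configuration changes, a /32 on lo0, users without local authentication) and flags telnet and ftp as cleartext services. It is an added example for this page, not course material and not a Juniper tool; the sample configuration, hash and addresses are constructed placeholders, and the audit only looks for an explicit interactive-commands or change-log facility entry rather than reasoning about any.

```python
import re

# Constructed 'show | display set' output for a router that went through the
# checklist above, with a few items left out or left weak on purpose.  The
# hash and the addresses are placeholders, not values from the slides.
SAMPLE_CONFIG = """
set system host-name lab2
set system domain-name domain-name.tld
set system name-server 192.0.2.53
set system root-authentication encrypted-password "$1$PLACEHOLDER$notarealhash"
set system services ssh
set system services telnet
set system syslog file messages any notice
set system syslog file messages authorization info
set system syslog file cli-commands interactive-commands any
set system login user dr-data class superuser
set system login user dr-data authentication encrypted-password "$1$PLACEHOLDER$notarealhash"
set system login user lab class superuser
set system time-zone America/Los_Angeles
set interfaces fxp0 unit 0 family inet address 192.168.200.51/24
set interfaces lo0 unit 0 family inet address 192.168.12.1/32
set interfaces fe-0/0/2 unit 0 family inet address 10.0.13.2/24
""".strip().splitlines()

REQUIRED = [
    ("host-name", r"^set system host-name "),
    ("domain-name", r"^set system domain-name "),
    ("name-server", r"^set system name-server "),
    ("time-zone or ntp", r"^set system (time-zone|ntp) "),
    ("backup-router", r"^set system backup-router "),
    ("fxp0 management address", r"^set interfaces fxp0 unit 0 family inet address "),
]
HASH_RE = re.compile(r'^set system (?:login user \S+ authentication|root-authentication) '
                     r'encrypted-password "?([^"\s]+)"?')
USER_RE = re.compile(r"^set system login user (\S+) ")


def audit(lines):
    """Check 'set' lines against the initial-configuration checklist; return findings."""
    cfg = [l.strip() for l in lines if l.strip().startswith("set ")]

    def has(pattern):
        return any(re.search(pattern, l) for l in cfg)

    findings = []
    if not has(r"^set system root-authentication (encrypted-password|ssh-)"):
        findings.append("root-authentication: no encrypted password or SSH key configured")
    for l in cfg:
        m = HASH_RE.match(l)
        if m and not m.group(1).startswith("$"):
            # A password hash never looks like this; the slide warns against
            # typing a clear-text password into the encrypted-password statement.
            findings.append("encrypted-password does not look like a hash: " + l)
    for item, pattern in REQUIRED:
        if not has(pattern):
            findings.append(item + ": not configured")
    for fac in ("interactive-commands", "change-log"):
        if not has(r"^set system syslog (?:(?:file|host|user) \S+|console) " + fac + r" (?!none)"):
            findings.append("syslog: " + fac + " not logged to any destination")
    for svc in ("telnet", "ftp"):
        if has(r"^set system services " + svc + r"\b"):
            findings.append("services: " + svc + " enabled (cleartext protocol; prefer ssh)")
    if not has(r"^set system services ssh\b"):
        findings.append("services: ssh not enabled")
    for l in cfg:
        m = re.match(r"^set interfaces lo0 unit \d+ family inet address (\S+)", l)
        if m and "/" in m.group(1) and not m.group(1).endswith("/32"):
            findings.append("lo0: address " + m.group(1) + " is not a /32")
    users = sorted({m.group(1) for m in map(USER_RE.match, cfg) if m})
    for u in users:
        if not has(r"^set system login user " + re.escape(u) + r" authentication "):
            findings.append("login: user " + u + " has no local authentication configured")
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print("FINDING:", f)
```

On the sample configuration the audit reports four findings: no backup router, configuration changes not logged, telnet enabled, and the lab user defined with class superuser but no authentication stanza, which is the same situation the RADIUS pop quiz earlier in the module turns on.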
Review Questions
1. What is the default root password?
2. Describe at least three parameters normally
configured as part of initial system configuration.
3. Explain when a backup router is needed.
4. Describe how a router’s permanent interfaces are
used.
5. List three examples of physical interface parameters.
6. List two examples of logical interface settings.
7. What FPC is associated with interface
at-0/3/2.135?
8. In the previous question, what does the .135
represent?

Lab 2: Initial Configuration

Lab Objectives:
Perform initial system configuration and
monitor the router’s operation
