IJOS Lab Guide -Lab2.Ready

7/21/2019 IJOS Lab Guide -Lab2.Ready

http://slidepdf.com/reader/full/ijos-lab-guide-lab2ready 1/30

IJOS Lab Guide

In this activity, you will perform the following tasks:

Part 1: Load a factory-default configuration.

Part 2: Perform initial system configuration.

Part 3: Save, delete, and restore a rescue configuration.Part 4: Verifying Interface State and Backup Configuration to file.

LLaabb 22::

IInniittiiaall SSyysstteemm CCoonnf f iigguurraattiioonn



IJOS Lab Guide

Part 1: Loading a Factory-Default Configuration

Step 1.1Enter configuration mode and load a factory-default configuration using the load

factory-default command.

admin> configure

Entering configuration mode

[edit]

admin# load factory-default

warning: activating factory configuration

Step 1.2Display the factory-default configuration.

[edit]

admin# show ## Last changed: 2012-05-05 10:09:47 UTC

system {

autoinstallation {

delete-upon-commit; ## Deletes [system autoinstallation] upon change/commit

traceoptions {

level verbose;flag {

all;

}

}

interfaces {

ge-0/0/0 {

bootp;

}

}

}

name-server {208.67.222.222;

208.67.220.220;

}

services {

ssh;

telnet;

xnm-clear-text;



IJOS Lab Guide

web-management {

http {

interface vlan.0;

}

https {

system-generated-certificate;

interface vlan.0;}

}

dhcp {

router {

192.168.1.1;

}

pool 192.168.1.0/24 {

address-range low 192.168.P.2 high 192.168.P.254;

}

propagate-settings ge-0/0/0.0;

}

}

syslog {

archive size 100k files 3;

user * {

any emergency;

}

file messages {

any critical;

authorization info;

}file interactive-commands {

interactive-commands error;

}

}

max-configurations-on-flash 5;

##

## Warning: statement ignored: unsupported platform (srx240h)

##

max-configuration-rollbacks 5;

license {

autoupdate {url https://ae1.juniper.net/junos/key_retrieval;

}

}

## Warning: missing mandatory statement(s): 'root-authentication'

}

interfaces {



IJOS Lab Guide

ge-0/0/0 {

unit 0;

}

ge-0/0/1 {

unit 0 {

family ethernet-switching {

vlan {members vlan-trust;

}

}

}

}

ge-0/0/2 {

unit 0 {


vlan {

members vlan-trust;

}

}

}

}

ge-0/0/3 {

unit 0 {


vlan {

members vlan-trust;

}

}}

}

ge-0/0/4 {

unit 0 {


vlan {

members vlan-trust;

}

}

}

}ge-0/0/5 {

unit 0 {


vlan {

members vlan-trust;

}



IJOS Lab Guide

}

}

}

ge-0/0/6 {

unit 0 {



}

}

}

}

ge-0/0/7 {

unit 0 {


vlan {

members vlan-trust;

}

}

}

}

ge-0/0/8 {

unit 0 {


vlan {

members vlan-trust;

}

}}

}

ge-0/0/9 {

unit 0 {


vlan {

members vlan-trust;

}

}

}

}ge-0/0/10 {

unit 0 {


vlan {

members vlan-trust;

}



IJOS Lab Guide

}

}

}

ge-0/0/11 {

unit 0 {



}

}

}

}

ge-0/0/12 {

unit 0 {


vlan {

members vlan-trust;

}

}

}

}

ge-0/0/13 {

unit 0 {


vlan {

members vlan-trust;

}

}}

}

ge-0/0/14 {

unit 0 {


vlan {

members vlan-trust;

}

}

}

}ge-0/0/15 {

unit 0 {


vlan {

members vlan-trust;

}



IJOS Lab Guide

}

}

}

vlan {

unit 0 {

family inet {

address 192.168.1.1/24;}

}

}

}

protocols {

stp;

}

security {

screen {

ids-option untrust-screen {

icmp {

ping-death;

}

ip {

source-route-option;

tear-drop;

}

tcp {

syn-flood {

alarm-threshold 1024;

attack-threshold 200;source-threshold 1024;

destination-threshold 2048;

timeout 20;

}

land;

}

}

}

nat {

source {

rule-set trust-to-untrust {from zone trust;

to zone untrust;

rule source-nat-rule {

match {

source-address 0.0.0.0/0;

}



IJOS Lab Guide

then {

source-nat {

interface;

}

}

}

}}

}

policies {

from-zone trust to-zone untrust {

policy trust-to-untrust {

match {

source-address any;

destination-address any;

application any;

}

then {

permit;

}

}

}

}

zones {

security-zone trust {

host-inbound-traffic {

system-services {

all;}

protocols {

all;

}

}

interfaces {

vlan.0;

}

}

security-zone untrust {

screen untrust-screen;interfaces {

ge-0/0/0.0 {

host-inbound-traffic {

system-services {

dhcp;

tftp;



IJOS Lab Guide

}

}

}

}

}

}

}vlans {

vlan-trust {

vlan-id 3;

l3-interface vlan.0;

}

}

Note: The factory-default configuration displays several statements pertaining to the

security hierarchy level. This information is outside the scope of this class but is

covered in the Junos for Security Platforms (JSEC) course.

Step 1.3 Activate the factory-default configuration by issuing a commit command.

admin# commit

[edit]

'system'

Missing mandatory statement: 'root-authentication'

error: commit failed: (missing statements)

Question: Did the commit operation succeed? If not, why not?

____________________________________________________________________________

Answer: The commit operation should fail because the root authentication is missing.

We remedy this situation in the next lab part.

Part 2: Performing Initial Configuration

Step 2.1



IJOS Lab Guide

Navigate to the [edit system root-authentication] hierarchy level. Issue the set plain-

text-password command. When prompted to enter a new password, type apples

[edit]

admin# edit system root-authentication

[edit system root-authentication]

admin# set plain-text-password

New password: apples

error: require change of case, digits or punctuation

Question: What happens when you enter the specified password? Why?

____________________________________________________________________________

Answer: The operation fails because the password does not meet the requirements.

Step 2.2 Again, issue the set plain-text-password command. When prompted to enter a new

password, type Apples. When prompted to confirm the password, type Oranges.



New password: Apples

Retype new password: Oranges

error: Passwords are not equal; aborting

Question: What happens when you enter the specified password? Why?

____________________________________________________________________________

Answer: The operation fails because the password are not equal.

Step 2.3

Issue the set plain-text-password command once again. When prompted to enter a new password, type juniper123. When prompted to confirm the password, type juniper123.

Activate the change and return to operational mode by issuing acommit and-quit

command.





IJOS Lab Guide

New password: juniper123

Retype new password: juniper123


admin# commit and-quit

commit complete

Exiting configuration mode

admin>

Step 2.4Issue the file list /var/tmp command.

admin> file list /var/tmp

error: no local user: admin

Question: What happens when you enter the specified command? Why?

____________________________________________________________________________

Answer: The operation generates an error because the admin user is no longer valid.

We restore the admin user account in a subsequent lab step.

Step 2.5

Log out as the admin user and log in as root. Use the newly defined password of juniper123.

admin> exit

Amnesiac (ttyu0)

login: root

Password: juniper123

--- JUNOS 11.4R2.14 built 2012-03-17 19:13:21 UTC

root@%

Note: You should see the previously defined hostname at the login prompt. The Amnesiac

hostname is shown when the hostname is removed and the system is rebooted. You

do not need to reboot the system at this time because you will configure a new

hostname shortly.



IJOS Lab Guide

Step 2.6Start the CLI with the cli command and enter configuration mode.

root@% cli root> configure


[edit]

root#

Step 2.7Delete interfaces, and VLANs from the [edit] hierarchy.

[edit]

root# delete interfaces

[edit]

root# delete vlans

Step 2.8Navigate to the [edit system] hierarchy level.

[edit]

root# edit system

[edit system]

root#

Step 2.9Define the system’s hostname. Use the hostname SRX P . Replace the P with your pod

number. For example, SRX1 for Pod 1.

[edit system]

root# set host-name SRXP

Step 2.10



IJOS Lab Guide

Configure the time zone and system time using the local time zone and current time as

input values.

[edit system]

root# set time-zone Asia/Taipei

[edit system]

root# run set date 201205011800.00

Tue May 1 18:00:00 UTC 2012

Note: The default time zone on Junos devices is UTC (Coordinated Universal Time, formerly

known as Greenwich Mean Time, or GMT). When you define the local time, you must

account for the time difference between the defined time zone and the default time

zone. Once the time zone is changed and committed, the local time is adjusted

accordingly to account for the difference. If you do not want to make the necessary

adjustments, you can simply set the system’s time after the defined time zone

parameter has been committed.

Step 2.11Navigate to the [edit system services] hierarchy level.

[edit system]

root# edit services

[edit system services]

root#

Step 2.12Display the current dhcp service configuration under the [edit system services]

hierarchy], then erase them.


root# show ssh;

telnet;xnm-clear-text;

web-management {

http {

interface vlan.0;

}

https {




IJOS Lab Guide

interface vlan.0;

}

}

dhcp {

router {

192.168.1.1;

}pool 192.168.1.0/24 {

address-range low 192.168.P.2 high 192.168.P.254;

}

propagate-settings ge-0/0/0.0;

}


root# delete dhcp

Step 2.13Configure the HTTP Web-management service to use the ge-0/0/5.0 interface. Remove

the vlan.0 interface from both the HTTP and HTTPS Web-management services.

Configure the HTTPS Web-management service to use all interfaces.


root# set web-management http interface ge-0/0/5.0


root# delete web-management http interface vlan.0


root# delete web-management https interface vlan.0


root# set web-management https interface all

Step 2.14

Configure the ge-0/0/5 interface using the address and subnet mask specified on theweb page diagram, and specify an interface description of "INSIDE INTERFACE ".


root# top edit interfaces

[edit interfaces]

root# set ge-0/0/5 unit 0 family inet address 10.0.P.1/24



IJOS Lab Guide

[edit interfaces]

root# set ge-0/0/5 description "INSIDE INTERFACE"

Step 2.15Configure the ge-0/0/3 interface using the address and subnet mask specified on the

web page diagram, and specify an interface description of "DMZ INTERFACE ".

[edit interfaces]


[edit interfaces]

root# set ge-0/0/3 description "DMZ INTERFACE"

Step 2.16Configure the ge-0/0/2 interface using the address and subnet mask specified on the

web page diagram, and specify an interface description of "OUTSIDE INTERFACE ".

[edit interfaces]


[edit interfaces]

root# set ge-0/0/2 description "OUTSIDE INTERFACE"

Step 2.17Verify all interfaces you configured in previous steps.

[edit interfaces]

root# show

ge-0/0/2 {

description "OUTSIDE INTERFACE";

unit 0 {

family inet {

address 192.168.P.2/24;

}

}

}

ge-0/0/3 {

description "DMZ INTERFACE";

unit 0 {



IJOS Lab Guide

family inet {

address 172.16.P.1/24;

}

}

}

ge-0/0/5 {

description "INSIDE INTERFACE";

unit 0 {

family inet {

address 10.0.P.1/24;

}

}

}

Step 2.18Define a static default route to allow for reachability beyond the directly connected

subets. Use the RBB address, shown on the lab diagram, as the next-hop value.

[edit interfaces]

root# top edit routing-options

[edit routing-options]

root# set static route 0.0.0.0/0 next-hop 192.168.P.1

Step 2.19From the top hierarchy, delete all security configuration.

[edit routing-options]

root# top

[edit]

root# delete security

Step 2.20In the top of the configuration hierarchy, issue the show | compare command to view a

summary of the recent configuration additions

[edit]

root# show | compare [edit system]



IJOS Lab Guide

+ host-name SRXP;

+ time-zone Asia/Taipei;

[edit system services web-management http]

- interface vlan.0;

+ interface ge-0/0/5.0;

[edit system services web-management https]

- interface vlan.0;+ interface all;


- dhcp {

- router {

- 192.168.1.1;

- }

- pool 192.168.1.0/24 {

- address-range low 192.168.P.2 high 192.168.P.254;

- }

- propagate-settings ge-0/0/0.0;

- }

[edit interfaces]

- ge-0/0/0 {

- unit 0;

- }

- ge-0/0/1 {

- unit 0 {

- family ethernet-switching {

- vlan {

- members vlan-trust;

- }- }

- }

- }

[edit interfaces ge-0/0/2]

+ description "OUTSIDE INTERFACE";

[edit interfaces ge-0/0/2 unit 0]

+ family inet {

+ address 192.168.P.2/24;

+ }


- vlan {- members vlan-trust;

- }

- }


+ description "DMZ INTERFACE";




IJOS Lab Guide

+ family inet {

+ address 172.16.P.1/24;

+ }


- vlan {


- }- }

[edit interfaces]

- ge-0/0/4 {

- unit 0 {


- vlan {


- }

- }

- }

- }


+ description "INSIDE INTERFACE";


+ family inet {

+ address 10.0.P.1/24;

+ }


- vlan {


- }- }

[edit interfaces]

- ge-0/0/6 {

- unit 0 {


- vlan {


- }

- }

- }

- }- ge-0/0/7 {

- unit 0 {


- vlan {


- }



IJOS Lab Guide

- }

- }

- }

- ge-0/0/8 {

- unit 0 {



- }

- }

- }

- }

- ge-0/0/9 {

- unit 0 {


- vlan {


- }

- }

- }

- }

- ge-0/0/10 {

- unit 0 {


- vlan {


- }

- }- }

- }

- ge-0/0/11 {

- unit 0 {


- vlan {


- }

- }

- }

- }- ge-0/0/12 {

- unit 0 {


- vlan {


- }



IJOS Lab Guide

- }

- }

- }

- ge-0/0/13 {

- unit 0 {



- }

- }

- }

- }

- ge-0/0/14 {

- unit 0 {


- vlan {


- }

- }

- }

- }

- ge-0/0/15 {

- unit 0 {


- vlan {


- }

- }- }

- }

- vlan {

- unit 0 {

- family inet {

- address 192.168.1.1/24;

- }

- }

- }

[edit]

+ routing-options {+ static {

+ route 0.0.0.0/0 next-hop 192.168.P.1;

+ }

+ }

- security {

- screen {



IJOS Lab Guide

- ids-option untrust-screen {

- icmp {

- ping-death;

- }

- ip {

- source-route-option;

- tear-drop;- }

- tcp {

- syn-flood {

- alarm-threshold 1024;

- attack-threshold 200;

- source-threshold 1024;

- destination-threshold 2048;

- timeout 20;

- }

- land;

- }

- }

- }

- nat {

- source {

- rule-set trust-to-untrust {

- from zone trust;

- to zone untrust;

- rule source-nat-rule {

- match {

- source-address 0.0.0.0/0;- }

- then {

- source-nat {

- interface;

- }

- }

- }

- }

- }

- }

- policies {- from-zone trust to-zone untrust {

- policy trust-to-untrust {

- match {

- source-address any;

- destination-address any;

- application any;



IJOS Lab Guide

- }

- then {

- permit;

- }

- }

- }

- }- zones {

- security-zone trust {

- host-inbound-traffic {

- system-services {

- all;

- }

- protocols {

- all;

- }

- }

- interfaces {

- vlan.0;

- }

- }

- security-zone untrust {

- screen untrust-screen;

- interfaces {

- ge-0/0/0.0 {

- host-inbound-traffic {

- system-services {

- dhcp;- tftp;

- }

- }

- }

- }

- }

- }

- }

- vlans {

- vlan-trust {

- vlan-id 3;- l3-interface vlan.0;

- }

- }

Question: With the exception of the root authentication, does the generated output



IJOS Lab Guide

summarize the newly added configuration statements?

____________________________________________________________________________

Answer: The output should summarize the recently added configuration statements.

Step 2.21 Activate the changes and return to operational mode.

[edit]

root# commit and-quit

commit complete


root@SRXP>

Part 3: Saving, Displaying, Loading, and Deleting a Rescue

Configuration

Step 3.1

Save the active configuration as the rescue configuration

root@SRXP> request system configuration rescue save

Step 3.2Display the contents of the recently saved rescue configuration.

root@SRXP> file show /config/rescue.conf.gz ## Last changed: 2012-05-01 18:05:49 UTC

version 12.1R1.9system {

host-name SRXP;

time-zone Asia/Taipei;

root-authentication {

encrypted-password "$1$BPDZ4p0b$vb3OrwvurBAl.wrwQG16h/";

}

name-server {



IJOS Lab Guide

208.67.222.222;

208.67.220.220;

}

services {

ssh;

telnet;

xnm-clear-text;web-management {

http {

interface ge-0/0/5.0;

}

https {


interface all;

---(more)---

< output omitted>

Question: Does the rescue configuration match the recently created active configuration?

____________________________________________________________________________

Answer: Yes, the rescue configuration should match the recently created active

configuration.

Question: What CLI command could you issue to compare the active and rescue

configuration files?____________________________________________________________________________

Answer: Use the file compare files / config/juniper.conf.gz /config/ rescue.conf.gz

command to compare the active and rescue configurations. As shown in the

following sample capture, the files do not contain any differences:.

root@SRXP> file compare files /config/juniper.conf.gz /config/rescue.conf.gz

Step 3.3Return to configuration mode and delete the [edit system services] hierarchy level.

Activate the change.

root@SRXP> configure




IJOS Lab Guide

[edit]

root@SRXP# delete system services

[edit]

root@SRXP# commit

commit complete

Step 3.4Verify that the [edit system services] hierarchy level is empty and then load the rescue

configuration

[edit]

root@SRXP# show system services

[edit]

root@SRXP# rollback rescue

load complete

Step 3.5Verify that the [edit system services] hierarchy level once again contains the ssh, telnet,

and web-management services.

[edit]

root@SRXP# show system services

ssh;

telnet;

xnm-clear-text;

web-management {

http {

interface ge-0/0/5.0;

}

https {


interface all;}

}

Question: Did the rescue configuration successfully load? Are the services enabled now?

If not, why not?



IJOS Lab Guide

____________________________________________________________________________

Answer: Yes, the rescue configuration loaded successfully and restored the statements

at the [edit system services] hierarchy level. However, the software did not

enable the services. Remember, to enable the rescue configuration, or any

other candidate configuration, you must commit!

Step 3.6 Activate the rescue configuration and return to operational mode.

[edit]

root@SRXP# commit and-quit

commit complete


Step 3.7Delete the rescue configuration and attempt to display the rescue.conf.gz file to confirm

the deletion.

root@SRXP> request system configuration rescue delete

root@SRXP> file show /config/rescue.conf.gz

error: could not resolve file: /config/rescue.conf.gz

Question: Did you successfully delete the rescue configuration?

____________________________________________________________________________

Answer: Yes, based on the results shown, the deletion of the rescue configuration was

successful.

Part 4: Verifying Interface State and Backup Configuration to file.

Step 4.1Issue the show interfaces terse CLI command to verify the state of the configured

interfaces.



IJOS Lab Guide

root@SRXP> show interfaces terse Interface Admin Link Proto Local Remote

ge-0/0/0 up down

gr-0/0/0 up up

ip-0/0/0 up up

lsq-0/0/0 up uplt-0/0/0 up up

mt-0/0/0 up up

sp-0/0/0 up up

sp-0/0/0.0 up up inet

sp-0/0/0.16383 up up inet 10.0.0.1 --> 10.0.0.16

10.0.0.6 --> 0/0

128.0.0.1 --> 128.0.1.16

128.0.0.6 --> 0/0

ge-0/0/1 up up

ge-0/0/2 up up

ge-0/0/2.0 up up inet 192.168.P.2/24

ge-0/0/3 up up

ge-0/0/3.0 up up inet 172.16.P.1/24

ge-0/0/4 up down

ge-0/0/5 up up

ge-0/0/5.0 up up inet 10.0.P.1/24

ge-0/0/6 up down

ge-0/0/7 up up

ge-0/0/8 up up

ge-0/0/9 up up

ge-0/0/10 up upge-0/0/11 up up

ge-0/0/12 up up

ge-0/0/13 up up

ge-0/0/14 up up

ge-0/0/15 up up

fxp2 up up

fxp2.0 up up tnp 0x1

gre up up

ipip up up

irb up up

lo0 up uplo0.16384 up up inet 127.0.0.1 --> 0/0

lo0.16385 up up inet 10.0.0.1 --> 0/0

10.0.0.16 --> 0/0

128.0.0.1 --> 0/0

128.0.0.4 --> 0/0

128.0.1.16 --> 0/0



IJOS Lab Guide

lo0.32768 up up

lsi up up

mtun up up

pimd up up

pime up up

pp0 up up

ppd0 up upppe0 up up

st0 up up

tap up up

vlan up up

Question: What are the Admin and Link states of the recently configured interfaces?

____________________________________________________________________________

Answer: All configured interfaces should show Admin and Link states of up, as shown inthe sample capture..

Step 4.2Verify the CLI default parameters and extend the CLI screen-width to 130 characters.

root@SRXP> show cliCLI complete-on-space set to on

CLI idle-timeout disabled

CLI restart-on-upgrade set to on

CLI screen-length set to 24

CLI screen-width set to 80

CLI terminal is 'vt100'

CLI is operating in enhanced mode

CLI timestamp disabled

CLI working directory is '/cf/root'

root@SRXP> set cli screen-width 130

Screen width set to 130

Step 4.3Reconfigure the admin user account, with password “juniper123”. Commit the changes.

root@SRXP> configure




IJOS Lab Guide

[edit]

root@SRXP# set system login user admin class super-user authentication plain-text-

password

New password: juniper123

Retype new password: juniper123

[edit]

root@SRXP# commit and-quit

commit complete


Step 4.4Logout and then login as admin user.

root@SRXP> exit

root@SRXP% exit

logout

SRXP (ttyu0)

login: admin

Password: juniper123

--- JUNOS 12.1R1.9 built 2012-03-24 12:12:49 UTC

admin@SRXP>

Step 4.5Verify the lab1 configuration file you saved in the previous lab.

admin@SRXP> file list

/cf/var/home/admin/:

.ssh/

IJOS.LAB1

Step 4.6There are many methods to backup the configuration. One of the options is to Issue the

show configuration | save /cf/var/home/admin/IJOS.LAB2 CLI command to save

the active configuration as IJOS.LAB2 in the /cf/var/home/admin directory.



IJOS Lab Guide

admin@SRXP> show configuration | save /cf/var/home/admin/IJOS.LAB2

Wrote 90 lines of output to '/cf/var/home/admin/IJOS.LAB2'

admin@SRXP> file list

/cf/var/home/admin/:

.ssh/

IJOS.LAB1

IJOS.LAB2

By saving your current configuration, you are able to rollback at any time.

For Example:

[edit]

admin@SRXP# load override IJOS.LAB2

load complete

[edit]

admin@SRXP# commit

commit complete

Tell your instructor that you have completed this lab.

IJOS Lab Guide -Lab2.Ready

Documents

Transcript of IJOS Lab Guide -Lab2.Ready