Configure the router
Use the following commands for the initial configuration. Start the CLI from the root shell, enter configuration mode, set the host name, domain name, the management address on fxp0, the default gateway used until routing is up (backup-router), the name server and the root password, then review the candidate configuration and commit it:

<code>
root# cli
root@> configure
[edit]
root@# set system host-name juniper
root@# set system domain-name x83.net
root@# set interfaces fxp0 unit 0 family inet address 10.2.2.2/24
root@# set system backup-router 10.2.2.1
root@# set system name-server 10.2.2.1
root@# set system root-authentication plain-text-password
New password:
Retype password:
root@# show
system {
    host-name juniper;
    domain-name x83.net;
    backup-router 10.2.2.1;
    root-authentication {
        encrypted-password "$1$gNTKIVLL$nSw2LduQttCiGipspveEq."; ## SECRET-DATA
    }
    name-server {
        10.2.2.1;
    }
}
interfaces {
    fxp0 {
        unit 0 {
            family inet {
                address 10.2.2.2/24;
            }
        }
    }
}
root@# commit
root@juniper# exit
root@juniper>
</code>

The plain-text password is never stored: Junos hashes it (here as MD5-crypt, the "$1$" prefix) and marks the line with ## SECRET-DATA. A saved or pasted configuration is still sensitive, because the hash can be attacked offline.
Other configuration parameters (NTP, time zone, the SSH service and a loopback address):

<code>
root@juniper# set system ntp server 192.168.2.100
root@juniper# set system time-zone Europe/Ljubljana
root@juniper# set system services ssh
root@juniper# set interfaces lo0 unit 0 family inet address 10.200.200.1/32
</code>

Only ssh is enabled here; telnet is not, and there is no reason to add it, since it sends credentials in clear text.
<code>
root@juniper> configure exclusive
root@juniper# status
root@juniper> request system logout user john
</code>

configure exclusive locks the candidate configuration so that nobody else can change it while you are in configuration mode; if you exit without committing, your changes are discarded. status (in configuration mode) shows who else is editing the configuration. request system logout user john disconnects all of that user's sessions.
show | display set
In configuration mode, show | display set prints the current hierarchy as the set commands that would recreate it. This is a handy way to reverse-engineer a router configuration when you need to duplicate parts of it on many routers, or when you write configuration, monitoring or troubleshooting procedures for the network operations staff. It is especially useful when the configuration is complex and building it by hand would mean many long commands and a lot of typing.
Add comments
These commands are issued at the [edit protocols ospf] level; annotate attaches the comment to the statement named as its argument:

<code>
root@juniper# set area 0.0.0.0 interface fe-0/0/0
root@juniper# annotate area 0.0.0.0 "MESH routers"
root@juniper# show
/* MESH routers */
area 0.0.0.0 {
    interface fe-0/0/0.0;
}
</code>
To delete a comment, use the annotate command with an empty string:
root@juniper# annotate area 0.0.0.0 ""
Check syntax (commit)
commit check validates the candidate configuration (syntax and consistency) without activating it; commit validates it and then activates it.

<code>
root@juniper# commit check
</code>

If there are no errors you receive: configuration check succeeds

To see what a commit is doing step by step:

<code>
root@juniper# commit | display detail
</code>

When you change something over the management connection that could lock you out (addresses, firewall filters, authentication), use commit confirmed instead of commit: the change is rolled back automatically after ten minutes unless you confirm it with a second commit.

To exit from any lower hierarchy level straight back to operational mode: exit configuration-mode
Backing up configuration
The active configuration lives in /config/juniper.conf.gz. file copy pushes it to the host box; save writes the candidate configuration of the current hierarchy level to a remote host or to a local file (here configMay in the home directory); run file show displays it and run show system storage shows free disk space:

<code>
root@juniper# run file copy /config/juniper.conf.gz box:/root/tmp
root@juniper# save box:configMay
root@juniper# save configMay
root@juniper# run file show configMay
root@juniper# run show system storage
</code>

A backup contains the password hashes and every shared secret in the configuration, so protect the copies as you would the router itself.
To back up automatically on every commit:

<code>
root@juniper# set system archival configuration transfer-on-commit
root@juniper# set system archival configuration archive-sites ftp://giany:password@box:/m40configs
</code>

FTP sends the credentials and the whole configuration (password hashes, SNMP communities, TACACS+ secrets) in clear text, and the archive password is stored in the configuration in reversible $9$ form, so anyone who can read the configuration can recover it. Prefer scp and a dedicated low-privilege account on the archive host.
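The same automatic backup over scp instead of FTP, as an added example that is not part of the original page. The archive user, host, directory and password are placeholders, and the URL form (scheme://user@host/path with a separate password attribute) is the one accepted by archive-sites; lines starting with ## are comments, not commands.

```junos
## Weak: FTP, credentials and configuration in clear text on the wire.
## set system archival configuration archive-sites ftp://giany:password@box:/m40configs

## Corrected: transfer over scp on every commit. The password is still stored
## in $9$ form in the configuration, so use a dedicated account on "box" whose
## only right is to write into the archive directory.
set system archival configuration transfer-on-commit
set system archival configuration archive-sites "scp://backup@box/m40configs" password "change-me"
```

After the next commit, check the archive directory on box for the new file and watch run show log messages for transfer errors.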
Rollback
rollback N loads the Nth previous committed configuration into the candidate (rollback 0 reloads the active one and so discards uncommitted changes). Inspect it with show, or show | compare rollback 1 to see only the differences, then activate it with commit. rollback ? lists the available rollbacks with date and committer:

<code>
root@juniper# rollback 1
root@juniper# show
root@juniper# commit
root@juniper# rollback ?
</code>
View logs
show log by itself lists the files in /var/log; show log messages shows the main system log:

<code>
root@juniper# run show log
root@juniper# run show log messages
</code>
Install a different jinstall
These are operational-mode commands. The validate keyword checks the current configuration against the new package before installing it, and a signed package is verified by Junos before it is unpacked; still compare the package checksum (file checksum md5 <path>) with the one published by Juniper before you install.

<code>
root@juniper> request system software add validate box:jinstall-8.4R2.6-domestic-signed.tgz
</code>

Or copy the file to /var/tmp first and install from there:

<code>
root@juniper> file copy box:jinstall-8.4R2.6-domestic-signed.tgz /var/tmp
root@juniper> request system software add validate /var/tmp/jinstall-8.4R2.6-domestic-signed.tgz
</code>

and then reboot:

<code>
root@juniper> request system reboot
</code>
Gather system information
All of these are operational-mode commands (prefix them with run from configuration mode). The last one lists /var/tmp, where core dumps land:

<code>
root@juniper> show version
root@juniper> show version detail
root@juniper> show system processes
root@juniper> show system processes | match /syslogd
root@juniper> request support information
root@juniper> file list detail /var/tmp
</code>

Who is logged in, from where, and how long the box has been up:

<code>
root@juniper> show system users
 2:40PM  up 10:12, 1 user, load averages: 0.01, 0.06, 0.07
USER     TTY      FROM              LOGIN@  IDLE WHAT
root     p1       10.2.2.1          2:28PM      - cli
root@juniper> show system uptime
Current time: 2008-05-24 13:52:15 EEST
System booted: 2008-05-24 04:29:05 EEST (09:23:10 ago)
Protocols started: 2008-05-24 04:34:42 EEST (09:17:33 ago)
Last configured: 2008-05-24 13:38:28 EEST (00:13:47 ago) by root
 1:52PM  up 9:23, 1 user, load averages: 0.00, 0.02, 0.00
</code>
Accounts
<code>
root@juniper# set system login user giany full-name Foobaruser
root@juniper# set system login user giany uid 1000
root@juniper# set system login user giany class super-user
root@juniper# set system login user giany authentication encrypted-password "$1$gNTKIVLL$nSw2LduQttCiGipspv32E."
root@juniper# set system login password maximum-length 18
root@juniper# set system login password minimum-length 8
root@juniper# set system login password minimum-changes 3
</code>

encrypted-password takes an already hashed value, which is useful when cloning an account across routers; plain-text-password prompts for the password and hashes it for you. The password statements live directly under [edit system login password] and set the policy for plain-text passwords entered on the box: at most 18 and at least 8 characters, and at least 3 character-set changes (the exact meaning depends on change-type). super-user is the built-in class with all permissions; give it only to people who need it and put everyone else in a restricted class.
TACACS+
To authenticate users against a TACACS+ server (all statements are under [edit system]):

<code>
root@juniper# set system login user operations class super-user
root@juniper# set system login user operations full-name "Operations Account"
root@juniper# set system login user operations uid 9999
root@juniper# set system authentication-order [ tacplus password ]
root@juniper# set system tacplus-server 10.2.2.1 secret aaaaa
</code>

operations is a local template account: users the TACACS+ server authenticates get its class and uid when the server returns local-user-name=operations in the authorization reply; without such a mapping Junos uses the default template user remote, which must then exist. authentication-order tries TACACS+ first and falls back to the local password database when the server is unreachable, so keep at least one local account with a strong password for emergencies. The shared secret is stored in the configuration in reversible $9$ form; use a long random secret, not aaaaa.
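Both the local account giany and the TACACS+ template account operations above are put in super-user. As an added example that is not part of the original page, here are two least-privilege login classes to use instead; the class names ops-ro and ops-rw and the 15-minute idle timeout are illustrative, and lines starting with ## are comments, not commands.

```junos
## Read-only class: may look at state and configuration. Without the "secret"
## permission, password hashes and shared secrets are hidden in show configuration.
set system login class ops-ro permissions [ view view-configuration ]
set system login class ops-ro idle-timeout 15

## Operator class: may change interfaces, routing and firewall filters and use
## rollback, but has no system-control, admin-control, secret-control,
## maintenance or shell permission, so it cannot add accounts, read secrets,
## reboot the router or get a shell.
set system login class ops-rw permissions [ view view-configuration configure interface-control routing-control firewall-control rollback ]
set system login class ops-rw idle-timeout 15

## class is single-valued, so these replace super-user on the accounts above.
set system login user giany class ops-ro
set system login user operations class ops-rw
```

Log in as one of the users afterwards and run show cli authorization to confirm the effective permissions; keep one super-user account for emergencies.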
SSH/Telnet Filter
You want to restrict incoming ssh and telnet connections to a set of management hosts. First create a prefix list with the allowed addresses, then two policers: one that limits new connections (TCP SYNs, matched with tcp-initial) from those hosts to 1 Mbit/s and one that limits the rest of their session traffic to 20 Mbit/s. A policer's then discard applies only to traffic that exceeds the limit; traffic within the limit continues to the term's own action. Then build a filter whose terms match ssh/telnet from the prefix list, police it and accept it, and apply the filter inbound on the management interface.

<code>
set policy-options prefix-list telnet-ssh-sessions 10.2.2.1/32
set firewall policer 1m-bw-limit if-exceeding bandwidth-limit 1m
set firewall policer 1m-bw-limit if-exceeding burst-size-limit 15k
set firewall policer 1m-bw-limit then discard
set firewall policer 20m-bw-limit if-exceeding bandwidth-limit 20m
set firewall policer 20m-bw-limit if-exceeding burst-size-limit 1m
set firewall policer 20m-bw-limit then discard
set firewall filter re-filter term police-ssh from source-prefix-list telnet-ssh-sessions
set firewall filter re-filter term police-ssh from protocol tcp
set firewall filter re-filter term police-ssh from port ssh
set firewall filter re-filter term police-ssh from port telnet
set firewall filter re-filter term police-ssh from tcp-initial
set firewall filter re-filter term police-ssh then policer 1m-bw-limit
set firewall filter re-filter term police-ssh then accept
set firewall filter re-filter term ssh-telnet from source-prefix-list telnet-ssh-sessions
set firewall filter re-filter term ssh-telnet from protocol tcp
set firewall filter re-filter term ssh-telnet from port ssh
set firewall filter re-filter term ssh-telnet from port telnet
set firewall filter re-filter term ssh-telnet then policer 20m-bw-limit
set firewall filter re-filter term ssh-telnet then accept
set interfaces fxp0 unit 0 family inet filter input re-filter
</code>

Three caveats before you commit this. Junos firewall filters end in an implicit discard, so as written re-filter drops every packet arriving on fxp0 that is not ssh/telnet from 10.2.2.1: DNS and NTP replies, TACACS+ answers from 10.2.2.1, the scp and FTP transfers used above, ICMP. You need an explicit term that discards (and logs) ssh/telnet from other sources followed by a final term that accepts everything else. port matches either the source or the destination port; destination-port is what you mean here. And the filter protects only fxp0: ssh to any other address of the router still reaches the Routing Engine, so the same filter normally goes on lo0 unit 0 as well. Since telnet is clear text and only ssh was enabled earlier on this page, there is no need to permit telnet at all.
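The same policy with an explicit log-and-discard term and a final accept, as an added example that is not part of the original page. It reuses the page's prefix list and the policers 1m-bw-limit and 20m-bw-limit (assumed to stay configured); the term names ssh-allowed, ssh-others and allow-rest are new, and lines starting with ## are comments, not commands.

```junos
## Drop the page's terms so no leftover term silently keeps matching.
delete firewall filter re-filter
set policy-options prefix-list telnet-ssh-sessions 10.2.2.1/32

## New ssh connections (SYNs) from the management hosts, rate-limited to 1 Mbit/s.
set firewall filter re-filter term police-ssh from source-prefix-list telnet-ssh-sessions
set firewall filter re-filter term police-ssh from protocol tcp
set firewall filter re-filter term police-ssh from destination-port ssh
set firewall filter re-filter term police-ssh from tcp-initial
set firewall filter re-filter term police-ssh then policer 1m-bw-limit
set firewall filter re-filter term police-ssh then accept

## Established ssh traffic from the management hosts, policed at 20 Mbit/s.
set firewall filter re-filter term ssh-allowed from source-prefix-list telnet-ssh-sessions
set firewall filter re-filter term ssh-allowed from protocol tcp
set firewall filter re-filter term ssh-allowed from destination-port ssh
set firewall filter re-filter term ssh-allowed then policer 20m-bw-limit
set firewall filter re-filter term ssh-allowed then accept

## ssh or telnet from anyone else: record it in the firewall log and drop it.
set firewall filter re-filter term ssh-others from protocol tcp
set firewall filter re-filter term ssh-others from destination-port [ ssh telnet ]
set firewall filter re-filter term ssh-others then log
set firewall filter re-filter term ssh-others then discard

## Everything else (DNS, NTP, TACACS+, scp replies, ICMP) is still accepted;
## without this term the implicit discard at the end of the filter drops it.
set firewall filter re-filter term allow-rest then accept

set interfaces fxp0 unit 0 family inet filter input re-filter
```

Apply it with commit confirmed so that a mistake in the filter rolls back by itself, and review rejected attempts with show firewall log.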
Sending messages
request message all writes to every logged-in terminal and request message user to one user; request system logout ends a session, either by terminal (the TTY column of show system users) or by user name:

<code>
root@juniper> request message all message "Log out immediately"
root@juniper> request system logout terminal p0
root@juniper> request system logout user giany
root@juniper> request message user giany message "Log out immediately"
</code>