Difference between revisions of "Juniper 101"

From Teknologisk videncenter
m (Created page with "See the drawing of the Juniper hardware chassis =Software= Junos works across all hardware platforms.... ARGH, something is missing here")
 
m (Firewall as router)
 
(28 intermediate revisions by the same user not shown)
See the drawing of the Juniper hardware chassis.

=Software=
Junos works across all hardware platforms.... ARGH, something is missing here

==Software Architecture==
JUNOS is based on the FreeBSD Unix operating system, but has been modified and hardened by Juniper to run on their equipment.<br/><br/>
JUNOS consists of, among others, the following daemons:
;Routing Protocol Daemon (rpd)
:rpd is responsible for sending and receiving routing protocol messages, modifying the routing table and implementing routing policies.
;Device Control Daemon (dcd)
:The router's interfaces, both their physical and logical characteristics, are controlled by dcd.
;Management Daemon (mgd)
:mgd controls all access to the router, both SSH and the CLI.
;Chassis Daemon (chassisd)
:chassisd controls the router itself and the interaction between the passive midplane, the FPCs and the Control Board.
;Packet Forwarding Engine Daemon (pfed)
:pfed handles communication between the Routing Engine and the Packet Forwarding Engine. One of its functions is, for example, collecting interface statistics.

==Software Components==
JUNOS software consists of several packages, each containing the files specific to its function. The following packages can be found in JUNOS software:
;jkernel
:Contains the basic components of the JUNOS operating system
;jbase
:Contains updates to the OS since the last jkernel
;jroute
:Contains the software that runs on the Routing Engine; it handles unicast routing, multicast routing and the MPLS signalling protocols. The package also contains some daemons, e.g. mgd
;jpfe
:Contains the embedded OS that controls the components of the Packet Forwarding Engine.
;jdocs
:Contains the complete JUNOS documentation (help topic ospf area-backbone)
;jcrypto
:Contains encryption software for e.g. SSH and IPsec. The package is only available in the US and Canada.
;jbundle
:jbundle is a single package that contains all the other packages.

=Help Reference=
<source lang=cli>
root@SRX240# <input>help reference interfaces address</input>

    Syntax

   address address {
           arp ip-address (mac | multicast-mac) mac-address <publish>;
           broadcast address;
           destination address;
           destination-profile name;
           eui-64;
           master-only;
           multipoint-destination address dlci dlci-identifier;

...

    Hierarchy Level

   [edit interfaces interface-name unit logical-unit-number family family],

   [edit logical-systems logical-system-name interfaces interface-name unit
   logical-unit-number family family]

...

[edit]
root@SRX240#
</source>

=Configuration=
Log in to the router:
<source lang=cli>
SRX240 (ttyu0)

login: <input>root</input>
Password:

--- JUNOS 9.5R1.8 built 2009-04-13 20:03:09 UTC

root@SRX240%<input>cli</input> - the root user must start the CLI from the shell
root@SRX240> - the greater-than sign means the router is in operational mode
root@SRX240> <input>configure</input> - here we enter configuration mode
Entering configuration mode

[edit]
root@SRX240# - the hash sign means the router is in configuration mode
</source>

==The run command==
To run operational-mode commands from configuration mode, prefix them with run:
<source lang=cli>
root@SRX240> <input>show arp</input>
MAC Address       Address         Name                      Interface     Flags
10:8c:cf:2e:7c:0d 10.0.0.1        10.0.0.1                  ge-0/0/0.0    none
10:8c:cf:2e:91:6e 10.0.0.6        10.0.0.6                  ge-0/0/1.0    none
00:18:b9:89:84:41 10.0.0.10       10.0.0.10                 ge-0/0/2.0    none
Total entries: 3

root@SRX240> <input>configure</input>
Entering configuration mode

[edit]
root@SRX240# <input>show arp</input>
                  ^
syntax error.

[edit]
root@SRX240# <input>run show arp</input>
MAC Address       Address         Name                      Interface     Flags
10:8c:cf:2e:7c:0d 10.0.0.1        10.0.0.1                  ge-0/0/0.0    none
10:8c:cf:2e:91:6e 10.0.0.6        10.0.0.6                  ge-0/0/1.0    none
00:18:b9:89:84:41 10.0.0.10       10.0.0.10                 ge-0/0/2.0    none
Total entries: 3

[edit]
root@SRX240#
</source>

==The pipe command==
<source lang=cli>
root@SRX240> <input>show route | count</input>
Count: 15 lines

root@SRX240>
</source>

==First Time Setup==
<source lang=cli>
root@R1> edit
Entering configuration mode

[edit]
root@R1# delete
This will delete the entire configuration
Delete everything under this level? [yes,no] (no) yes

[edit]
root@R1# show

[edit]
root@R1# set system root-authentication plain-text-password
New password:
Retype new password:

[edit]
root@R1# set system host-name SRX240

[edit]
root@R1# set system services ssh

root@R1# set system login user rael class super-user full-name "Rasmus" authentication plain-text-password
New password:
Retype new password:
</source>
<source lang=cli>
rael@SRX240# show
## Last changed: 2011-09-19 13:25:31 UTC
version 9.5R1.8;
system {
    host-name SRX240;
    root-authentication {
        encrypted-password "$1$514tUpUC$rtXccg48AnvxLqMvoFlmY."; ## SECRET-DATA
    }
    login {
        user rael {
            full-name Rasmus;
            uid 2002;
            class super-user;
            authentication {
                encrypted-password "$1$F5hF7XvX$GSlLJb7pngskYzbMJxdvV."; ## SECRET-DATA
            }
        }
    }
    services {
        ssh;
    }
}

[edit]
rael@SRX240# show | display set
set version 9.5R1.8
set system host-name SRX240
set system root-authentication encrypted-password "$1$514tUpUC$rtXccg48AnvxLqMvoFlmY."
set system login user rael full-name Rasmus
set system login user rael uid 2002
set system login user rael class super-user
set system login user rael authentication encrypted-password "$1$F5hF7XvX$GSlLJb7pngskYzbMJxdvV."
set system services ssh

[edit]
rael@SRX240#
</source>

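The two listings above show the same configuration in its hierarchical form (<code>show</code>) and its flat form (<code>show | display set</code>). The following Python script, an added example that is not code from the original page or from Juniper, converts the first form into the second so the relationship between the two is explicit, and then flags the <code>## SECRET-DATA</code> password statements whose hash uses the legacy <code>$1$</code> (MD5-crypt) scheme, which is what this 9.5-era device produced for both the root and the user account. It assumes a simple configuration: one statement per line, blocks opened by a trailing <code>{</code> and closed by a lone <code>}</code>, no <code>inactive:</code> tags, no apply-groups and no multi-line quoted strings.

```python
"""Convert a Junos hierarchical configuration (output of `show`) into the flat
`set` form (output of `show | display set`) and flag MD5-crypt password hashes.

Added example; not code from the original page or from Juniper. Assumes a simple
configuration: one statement per line, blocks opened by a trailing '{' and closed
by a lone '}', no `inactive:` tags, no apply-groups, no multi-line quoted strings.
"""
import re
from typing import List

# Constructed sample: the hierarchical configuration shown on the page, with the
# terminal line-wrap of the second hash joined back together.
SAMPLE_HIER = """\
## Last changed: 2011-09-19 13:25:31 UTC
version 9.5R1.8;
system {
    host-name SRX240;
    root-authentication {
        encrypted-password "$1$514tUpUC$rtXccg48AnvxLqMvoFlmY."; ## SECRET-DATA
    }
    login {
        user rael {
            full-name Rasmus;
            uid 2002;
            class super-user;
            authentication {
                encrypted-password "$1$F5hF7XvX$GSlLJb7pngskYzbMJxdvV."; ## SECRET-DATA
            }
        }
    }
    services {
        ssh;
    }
}
"""


def strip_comment(line: str) -> str:
    """Remove a '#' comment that is not inside double quotes.

    Junos appends '## SECRET-DATA' after statements whose value is a secret; the
    marker must not end up in the generated set command, but a '#' inside a quoted
    value (a password hash, for instance) must survive.
    """
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quote = not in_quote
        elif ch == "#" and not in_quote:
            return line[:i].rstrip()
    return line


def to_set_commands(hier: str) -> List[str]:
    """Walk the brace-delimited hierarchy and emit one `set` line per leaf."""
    path: List[str] = []       # current hierarchy, e.g. ['system', 'login', 'user rael']
    commands: List[str] = []
    for raw in hier.splitlines():
        line = strip_comment(raw.strip())
        if not line:
            continue
        if line.endswith("{"):
            path.append(line[:-1].strip())
        elif line == "}":
            if not path:
                raise ValueError("unbalanced '}' in configuration")
            path.pop()
        elif line.endswith(";"):
            commands.append("set " + " ".join(path + [line[:-1].strip()]))
        else:
            raise ValueError(f"unrecognised line: {raw!r}")
    if path:
        raise ValueError(f"unclosed block(s): {path}")
    return commands


# '$1$' is the modular-crypt prefix for MD5-crypt, the scheme seen in both hashes above.
_MD5_CRYPT = re.compile(r'encrypted-password "\$1\$')


def legacy_md5_hashes(set_commands: List[str]) -> List[str]:
    """Return the set commands whose password hash uses the MD5-crypt scheme."""
    return [c for c in set_commands if _MD5_CRYPT.search(c)]


if __name__ == "__main__":
    cmds = to_set_commands(SAMPLE_HIER)
    print("\n".join(cmds))
    print("\nstatements with MD5-crypt hashes:", len(legacy_md5_hashes(cmds)))
```

Run against the sample, the script reproduces exactly the eight <code>set</code> lines the page shows and reports two MD5-crypt hashes; the same functions can be pointed at any <code>show configuration</code> capture that fits the assumptions above.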
=Firewall as router=
This is how an SRX firewall is switched from flow mode to packet mode. In flow mode the device works as a stateful firewall, whereas in packet mode it works as a router.
<source lang=cli>
delete security
set security forwarding-options family inet6 mode packet-based
set security forwarding-options family mpls mode packet-based
</source>
Check that it works:
<source lang=cli>
rael@SRX240> <input>show security flow status</input>
  Flow forwarding mode:
    <notice>Inet forwarding mode: packet based
    Inet6 forwarding mode: packet based
    MPLS forwarding mode: packet based</notice>
    ISO forwarding mode: drop
  Flow trace status
    Flow tracing status: off
  Flow session distribution
    Distribution mode: RR-based
</source>

=Debugging=
Debugging is called tracing in Juniper-speak. All traces are written to /var/log/filename.<br/>
To set up logging of messages and interactive commands, use:
<source lang=cli>
system {
    syslog {
        user * {
            any notice;
        }
        file messages {
            any any;
            authorization info;
        }
        file interactive-commands {
            interactive-commands any;
        }
    }
}
</source>
To create a separate log for e.g. OSPF, use:
<source lang=cli>
protocols {
    ospf {
        traceoptions {
            file ospf-trace size 128k files 10 no-world-readable;
            flag event detail;
            flag error detail;
        }
    }
}
</source>
which is stored in /var/log/ospf-trace and can be viewed with:
<source lang=cli>
rael@SRX240> <input>show log ospf-trace</input>
Sep 20 08:44:13 trace_on: Tracing to "/var/log/ospf-trace" started
Sep 20 08:44:13.051243 IFL ge-0/0/0.0 addr (10.0.0.2) ifachange 0x0
Sep 20 08:44:13.051448 IFL ge-0/0/1.0 addr (10.0.0.5) ifachange 0x0
Sep 20 08:52:15.164538 OSPF packet ignored: no matching interface from 10.0.0.1, IFL 67
Sep 20 08:52:24.565608 OSPF packet ignored: no matching interface from 10.0.0.1, IFL 67
</source>
To watch it in real time, use:
<source lang=cli>
rael@SRX240> <input>monitor start ospf-trace</input>

rael@SRX240>
*** ospf-trace ***
Sep 20 09:06:24.093057 OSPF packet ignored: no matching interface from 10.0.0.1, IFL 67
Sep 20 09:06:33.360253 OSPF packet ignored: no matching interface from 10.0.0.1, IFL 67
<input>monitor stop</input>

rael@SRX240>
</source>
To filter the log, use:
<source lang=cli>
rael@SRX240> <input>show log ospf-trace | match "ge|lo"</input>
Sep 20 08:44:13 trace_on: Tracing to "/var/log/ospf-trace" started
Sep 20 08:44:13.050316 IFL ge-0/0/2.0 iflchange 0x0
Sep 20 08:44:13.050446 IFL ge-0/0/1.0 iflchange 0x0
Sep 20 08:44:13.050538 IFL ge-0/0/0.0 iflchange 0x0
Sep 20 08:44:13.050638 IFL lo0.32768 iflchange 0x0
Sep 20 08:44:13.050730 IFL lo0.16385 iflchange 0x0
Sep 20 08:44:13.050834 IFL lo0.16384 iflchange 0x0
Sep 20 08:44:13.051243 IFL ge-0/0/0.0 addr (10.0.0.2) ifachange 0x0
Sep 20 08:44:13.051448 IFL ge-0/0/1.0 addr (10.0.0.5) ifachange 0x0
Sep 20 08:44:13.051636 IFL ge-0/0/2.0 addr (10.0.0.9) ifachange 0x0

rael@SRX240>
</source>
To reset the log file, use '''clear log ospf-trace'''<br/>
To delete the log file, use '''file delete /var/log/ospf-trace''' <- do not use this command

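The trace listings above are worth processing offline as well, once they have been copied off the box: the following Python script, an added example that is not code from the original page or from Juniper, re-creates the <code>| match "ge|lo"</code> filter as a regular-expression search over each line, and then counts the repeated <code>OSPF packet ignored: no matching interface</code> events per source address, so that a neighbour hammering an interface that is not in OSPF stands out instead of being lost in the trace. Assumptions: the search is case-sensitive, and lines follow the <code>Mon DD HH:MM:SS[.usec] message</code> layout seen in the output.

```python
"""Filter and summarise Junos trace output such as /var/log/ospf-trace.

Added example; not code from the original page or from Juniper. Re-creates the
CLI's `| match "<regex>"` as a regular-expression search over each line and then
aggregates 'OSPF packet ignored' events per source address and reason.
Assumptions: case-sensitive matching; lines follow 'Mon DD HH:MM:SS[.usec] text'.
"""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed sample: lines taken from the page's three trace listings.
SAMPLE_TRACE = """\
Sep 20 08:44:13 trace_on: Tracing to "/var/log/ospf-trace" started
Sep 20 08:44:13.050316 IFL ge-0/0/2.0 iflchange 0x0
Sep 20 08:44:13.050638 IFL lo0.32768 iflchange 0x0
Sep 20 08:44:13.051243 IFL ge-0/0/0.0 addr (10.0.0.2) ifachange 0x0
Sep 20 08:52:15.164538 OSPF packet ignored: no matching interface from 10.0.0.1, IFL 67
Sep 20 08:52:24.565608 OSPF packet ignored: no matching interface from 10.0.0.1, IFL 67
Sep 20 09:06:24.093057 OSPF packet ignored: no matching interface from 10.0.0.1, IFL 67
"""

# Timestamp with optional microseconds, then the free-text message.
_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d(?:\.\d+)?) (?P<msg>.*)$"
)
# The 'ignored' event as written by rpd: reason, then the sender's IPv4 address.
_IGNORED = re.compile(
    r"OSPF packet ignored: (?P<reason>.+?) from (?P<src>\d+\.\d+\.\d+\.\d+)"
)


def parse_line(line: str) -> Optional[Tuple[str, str]]:
    """Split a trace line into (timestamp, message); None if it does not fit."""
    m = _LINE.match(line)
    return (m.group("ts"), m.group("msg")) if m else None


def match(lines: List[str], pattern: str) -> List[str]:
    """Equivalent of `| match "<pattern>"`: keep lines where the regular
    expression matches anywhere in the line (so "ge|lo" keeps ge-* and lo0 rows)."""
    rx = re.compile(pattern)
    return [ln for ln in lines if rx.search(ln)]


def ignored_by_source(lines: List[str]) -> Dict[str, Counter]:
    """Count 'OSPF packet ignored' events per source address, keyed by reason."""
    per_src: Dict[str, Counter] = {}
    for ln in lines:
        parsed = parse_line(ln)
        if parsed is None:
            continue                     # not a timestamped trace line
        m = _IGNORED.search(parsed[1])
        if m:
            per_src.setdefault(m.group("src"), Counter())[m.group("reason")] += 1
    return per_src


if __name__ == "__main__":
    lines = SAMPLE_TRACE.splitlines()
    for ln in match(lines, "ge|lo"):
        print(ln)
    for src, reasons in ignored_by_source(lines).items():
        for reason, n in reasons.items():
            print(f"{src}: {n} x '{reason}'")
```

On the sample, <code>match(lines, "ge|lo")</code> keeps the four interface lines and drops the three <code>ignored</code> lines, exactly as the CLI filter did on the page, and the summary attributes all three ignored packets to 10.0.0.1 with the reason <code>no matching interface</code>.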
=Interface status=
To see interface information, use '''show interfaces'''
<source lang=cli>
rael@SRX240> <input>show interfaces</input>
Physical interface: <notice>ge-0/0/0, Enabled</notice>, Physical link is <notice>Up</notice>
  Interface index: 131, SNMP ifIndex: 115
  Link-level type: Ethernet, MTU: 1514, Link-mode: Full-duplex, Speed: 100mbps, BPDU Error: None, MAC-REWRITE Error: None, Loopback: Disabled,
  Source filtering: Disabled, Flow control: Enabled, Auto-negotiation: Enabled, Remote fault: Online
  Device flags   : Present Running
  Interface flags: SNMP-Traps Internal: 0x0
  Link flags     : None
  CoS queues     : 8 supported, 8 maximum usable queues
  Current address: 00:24:dc:d8:16:80, Hardware address: 00:24:dc:d8:16:80
  Last flapped   : 2011-09-19 10:44:07 UTC (22:42:57 ago)
  Input rate     : 8216 bps (17 pps)
  Output rate    : 16240 bps (16 pps)
  Active alarms  : None
  Active defects : None

  Logical interface ge-0/0/0.0 (Index 67) (SNMP ifIndex 116)
    Flags: SNMP-Traps Encapsulation: ENET2
    Input packets : 4677
    Output packets: 3300
    Security: Zone: Null
    Protocol inet, MTU: 1500
      Flags: Is-Primary
      Addresses, Flags: Is-Default Is-Preferred Is-Primary
        Destination: 10.0.0.0/30, Local: 10.0.0.2, Broadcast: 10.0.0.3

Physical interface: gr-0/0/0, Enabled, Physical link is Up
  Interface index: 149, SNMP ifIndex: 132
  Type: GRE, Link-level type: GRE, MTU: Unlimited, Speed: 800mbps
  Link flags     : Scheduler Keepalives DTE
  Device flags   : Present Running
  Interface flags: Point-To-Point
  Input rate     : 0 bps (0 pps)
  Output rate    : 0 bps (0 pps)

Physical interface: ip-0/0/0, Enabled, Physical link is Up
  Interface index: 150, SNMP ifIndex: 133
  Type: IPIP, Link-level type: IP-over-IP, MTU: Unlimited, Speed: 800mbps
  Link flags     : Scheduler Keepalives DTE
  Device flags   : Present Running
  Input rate     : 0 bps (0 pps)
  Output rate    : 0 bps (0 pps)

</source>
For a quick overview, use <input>show interfaces terse</input>
<source lang=cli>
rael@SRX240> <input>show interfaces terse</input>
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
ge-0/0/0.0              <notice>up    up</notice>   inet     <notice>10.0.0.2/30</notice>
gr-0/0/0                up    up
ip-0/0/0                up    up
ls-0/0/0                up    up
lt-0/0/0                up    up
mt-0/0/0                up    up
pd-0/0/0                up    up
pe-0/0/0                up    up
ge-0/0/1                up    up
ge-0/0/1.0              up    up   inet     10.0.0.5/30
ge-0/0/2                up    up
ge-0/0/2.0              up    up   inet     10.0.0.9/30
ge-0/0/3                up    down
ge-0/0/4                up    down
ge-0/0/5                up    down
ge-0/0/6                up    down
ge-0/0/7                up    down
ge-0/0/8                up    down
ge-0/0/9                up    down
ge-0/0/10               up    down
ge-0/0/11               up    down
ge-0/0/12               up    down
ge-0/0/13               up    down
ge-0/0/14               up    down
ge-0/0/15               up    down
gre                     up    up
ipip                    up    up
lo0                     up    up
lo0.16384               up    up   inet     127.0.0.1           --> 0/0
lo0.16385               up    up   inet     10.0.0.1            --> 0/0
                                            10.0.0.16           --> 0/0
                                            128.0.0.1           --> 0/0
                                            128.0.1.16          --> 0/0
                                  inet6    fe80::224:dcff:fed8:1680
lo0.32768               up    up
lsi                     up    up
mtun                    up    up
pimd                    up    up
pime                    up    up
pp0                     up    up
st0                     up    up
tap                     up    up
vlan                    up    up

rael@SRX240>
</source>
For real-time statistics from an interface, use '''monitor interface ge-0/0/0'''
<source lang=cli>
rael@SRX240> <input>monitor interface ge-0/0/0</input>
SRX240                            Seconds: 4                  Time: 09:37:16
                                                          Delay: 0/0/2
Interface: ge-0/0/0, Enabled, Link is Up
Encapsulation: Ethernet, Speed: 1000mbps
Traffic statistics:                                          Current delta
  Input bytes:                    772560 (616 bps)                    [356]
  Output bytes:                   949366 (1832 bps)                  [8434]
  Input packets:                    5294 (1 pps)                        [8]
  Output packets:                   3698 (0 pps)                       [11]
Error statistics:
  Input errors:                        0                                [0]
  Input drops:                         0                                [0]
  Input framing errors:                0                                [0]
  Policed discards:                  135                                [0]
  L3 incompletes:                      0                                [0]
  L2 channel errors:                   0                                [0]
  L2 mismatch timeouts:                0                                [0]
  Carrier transitions:                 3                                [0]
  Output errors:                       0                                [0]
  Output drops:                        0                                [0]
  Aged packets:                        0                                [0]
Active alarms : None
Active defects: None
Input MAC/Filter statistics:
  Unicast packets                  11670                                [8]
  Broadcast packets                   44                                [0]
  Multicast packets                 1946                                [0]
  Oversized frames                     0                                [0]
  Packet reject count                  0                                [0]
  DA rejects                           0                                [0]
  SA rejects                           0                                [0]
Output MAC/Filter Statistics:
  Unicast packets                   3602                               [13]
  Broadcast packets                   80                                [0]
  Multicast packets                    0                                [0]
  Packet pad count                     0                                [0]
  Packet error count                   0                                [0]

Next='n', Quit='q' or ESC, Freeze='f', Thaw='t', Clear='c', Interface='i'
</source>

=NTP=
Here we set up NTP with a server that is used for synchronisation at boot (boot-server) and a server that is used for ongoing updates:
<source lang=cli>
[edit]
rael@SRX240# <input>edit system ntp</input>

[edit system ntp]
rael@SRX240# <input>set boot-server mars.tekkom.dk</input>

[edit system ntp]
rael@SRX240# <input>set server mars.tekkom.dk</input>

[edit system ntp]
rael@SRX240#
</source>

=Power Off=
JUNOS should be shut down cleanly before the power is removed.
<source lang=cli>
user@router> request system halt
</source>

=Interfaces Up/Down=
<source lang=cli>
#Shutdown an interface
reh@RERouter# set interfaces fe-0/0/0 disable
#enable an interface
reh@RERouter# delete interfaces fe-0/0/0 disable
</source>

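The <code>show interfaces terse</code> listing above has thirteen ports (ge-0/0/3 through ge-0/0/15) that are administratively up but have no link, and this section shows the <code>disable</code> statement that shuts a port down. The following Python script, an added example that is not code from the original page or from Juniper, ties the two together: it parses a <code>terse</code> capture, picks out the physical ports that are enabled without a link, and generates the corresponding <code>set interfaces &lt;name&gt; disable</code> commands for review before they are pasted into configuration mode. It assumes the column layout seen on the page (Interface, Admin, Link, Proto, Local, Remote), that continuation rows carrying extra addresses start with whitespace, and that only ports named <code>&lt;type&gt;-&lt;fpc&gt;/&lt;pic&gt;/&lt;port&gt;</code> are candidates.

```python
"""Find enabled-but-linkless physical ports in `show interfaces terse` output
and generate the `set interfaces <name> disable` commands for them.

Added example; not code from the original page or from Juniper. Assumes the
column layout seen on the page (Interface, Admin, Link, Proto, Local, Remote),
continuation rows that start with whitespace, and physical port names of the
form <type>-<fpc>/<pic>/<port>.
"""
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample: an excerpt of the page's `show interfaces terse` output.
SAMPLE_TERSE = """\
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
ge-0/0/0.0              up    up   inet     10.0.0.2/30
ge-0/0/1                up    up
ge-0/0/1.0              up    up   inet     10.0.0.5/30
ge-0/0/3                up    down
ge-0/0/4                up    down
gre                     up    up
lo0                     up    up
lo0.16385               up    up   inet     10.0.0.1            --> 0/0
                                            10.0.0.16           --> 0/0
                                  inet6    fe80::224:dcff:fed8:1680
"""

_PHYSICAL = re.compile(r"^[a-z]+-\d+/\d+/\d+$")   # ge-0/0/3, not ge-0/0/3.0 or gre
_PROTO = re.compile(r"^[a-z][a-z0-9-]*$")          # inet, inet6, mpls, ...


@dataclass
class Iface:
    name: str
    admin: str
    link: str
    proto: str = ""
    addresses: List[str] = field(default_factory=list)


def parse_terse(text: str) -> List[Iface]:
    """Return one Iface per interface row; continuation rows (leading
    whitespace) add addresses to the previous row instead of a new interface."""
    rows: List[Iface] = []
    for line in text.splitlines()[1:]:          # skip the header row
        if not line.strip():
            continue
        tokens = line.split()
        if line[0].isspace():                   # extra address for the previous row
            if rows:
                if _PROTO.match(tokens[0]):     # 'inet6 fe80::...' style
                    if len(tokens) > 1:
                        rows[-1].addresses.append(tokens[1])
                else:                           # '10.0.0.16 --> 0/0' style
                    rows[-1].addresses.append(tokens[0])
            continue
        if len(tokens) < 3:
            raise ValueError(f"unexpected row: {line!r}")
        rows.append(Iface(
            name=tokens[0], admin=tokens[1], link=tokens[2],
            proto=tokens[3] if len(tokens) > 3 else "",
            addresses=[tokens[4]] if len(tokens) > 4 else [],
        ))
    return rows


def enabled_without_link(ifaces: List[Iface]) -> List[str]:
    """Physical ports that are administratively up but whose link is down."""
    return [i.name for i in ifaces
            if _PHYSICAL.match(i.name) and i.admin == "up" and i.link == "down"]


def disable_commands(names: List[str]) -> List[str]:
    """The configuration-mode statements the page uses to shut a port down."""
    return [f"set interfaces {n} disable" for n in names]


if __name__ == "__main__":
    ports = enabled_without_link(parse_terse(SAMPLE_TERSE))
    print("\n".join(disable_commands(ports)))
```

Applied to the full listing on the page the script would emit thirteen <code>disable</code> statements; the sample excerpt yields two, for ge-0/0/3 and ge-0/0/4. The generated lines are meant to be reviewed and then entered in configuration mode, where the page's <code>delete interfaces ... disable</code> reverses them.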
=DHCP Client=
<source lang=cli>
[edit]
reh@RERouter# set interfaces fe-0/0/0 unit 0 family inet dhcp
</source>

=Upgrade JUNOS=
The latest JUNOS can be downloaded from junos.net, as long as you have an account with a serial number (S/N) linked to it.<ref>http://kb.juniper.net/InfoCenter/index?page=content&id=KB16652&smlogin=true#cli_tftp</ref><br/>
Here I have placed it on an FTP server with anonymous access.<br/><br/>
Check that there is enough space on the device:
<source lang=cli>
root@SRX240> <input>show version</input>
Hostname: SRX240
Model: srx240-lm
JUNOS Software Release [9.5R1.8] (Export edition)

root@SRX240> <input>show system storage</input>
Filesystem              Size      Used      Avail  Capacity  Mounted on
/dev/da0s1a             898M      158M      669M       19%  /
devfs                   1.0K      1.0K        0B      100%  /dev
devfs                   1.0K      1.0K        0B      100%  /dev/
/dev/md0                450M      450M        0B      100%  /junos
/cf                     898M      158M      669M       19%  /junos/cf
devfs                   1.0K      1.0K        0B      100%  /junos/dev/
procfs                  4.0K      4.0K        0B      100%  /proc
/dev/bo0s1e              24M       20K       22M        0%  /config
/dev/da0s1f              61M      7.7M       48M       14%  /cf/var/log
/dev/md1                 84M       11M       66M       14%  /mfs
/cf/var/jail            898M      158M      669M       19%  /jail/var
devfs                   1.0K      1.0K        0B      100%  /jail/dev
</source>
Transfer the software and reboot. The '''no-validate''' option only skips the check of the existing configuration against the new release; as the output shows, the package signatures are still verified.
<source lang=cli>
root@SRX240> <input>request system software add ftp://192.168.146.115/junos-srxsme-12.1X44-D40.2-domestic.tgz no-validate no-copy</input>
-                                                    1479 kB 1479 kBps
Package contains junos-12.1X44-D40.2 ; renaming ...
Installing package '/var/tmp/junos-12.1X44-D40.2' ...
Verified junos-boot-srxsme-12.1X44-D40.2.tgz signed by PackageProduction_12_1_0
Verified junos-srxsme-12.1X44-D40.2-domestic signed by PackageProduction_12_1_0
Verified junos-boot-srxsme-12.1X44-D40.2.tgz signed by PackageProduction_12_1_0
Verified junos-srxsme-12.1X44-D40.2-domestic signed by PackageProduction_12_1_0
Available space: 342330 require: 198348
WARNING: JUNOS edition domestic != export, need to regenerate ssh host keys
Saving boot file package in /var/sw/pkg/junos-boot-srxsme-12.1X44-D40.2.tgz
JUNOS requires BIOS version upgrade from 0.0 to 2.7
Upgrading to BIOS 2.7 ...
boot.upgrade.uboot="0xbfc00000"
boot.upgrade.loader="0xbfe00000"
bootupgrade: illegal option -- U
Unknown option ?
bootupg -u <uboot-binary-file> -l <loader-elf-file> -v <pkgver>
JUNOS 12.1X44-D40.2 will become active at next reboot
WARNING: A reboot is required to load this software correctly
WARNING:     Use the 'request system reboot' command
WARNING:         when software installation is complete
Saving state for rollback ...
Removing /var/tmp/junos-12.1X44-D40.2
Model: srx240-lm
JUNOS Software Release [9.5R1.8] (Export edition)

root@SRX240> <input>request system reboot</input>
Reboot the system ? [yes,no] (no) <input>yes</input>

Shutdown NOW!
[pid 2197]
<notice><--- output omitted ---></notice>
root@SRX240> <input>show version</input> ilt 2014-08-28 12:20:14 UTC
Hostname: SRX240
Model: srx240b
JUNOS Software Release [12.1X44-D40.2]

root@SRX240>
</source>

=Links=
*http://www.3fives.com/juniper-srx-crash-course
*[http://kb.juniper.net/InfoCenter/index?page=content&id=KB15694 Getting Started with SRX Guides]
<references/>
{{Source cli}}

[[Category:Juniper]]

Latest revision as of 16:16, 16 October 2014

Se tegning af Junipers Hardware kasse

Software

Junos virker på sværs af alle hardware platforme.... ARGH der mangler noget

Software Arkitektur

JUNOS baserer sig på FreeBSD Unix operativsystemet, men er dog ændret og hardende af Juniper til at kunne køre på deres udstyr.

JUNOS består bl.a. af følgende daemons

Routing Protocol Daemon(rpd)
rpd står for at sende og modtage routing protokol beskeder, ændring af routings tabellen og implementere routing politikker.
Device Control Daemon(dcd)
Routerens interfaces bliver styret af dcd, både de fysiske og logiske karaktertræk.
Management Daemon(mgd)
mgd styrer alt adgang til routeren SSH og cli.
Chassis Daemon(chassisd)
chassisd styrer selve routeren, og sammenhængen mellem den passive midplane, FPC og Control Board
Packet Forwarding Engine Daemon(pfed)
pfed styrer kommunikaitonen mellem Routing Engine og Packet Forwarding Engine. En af dens funktioner er fx. at indhente oplysninger om interface statistiker.

Software komponenter

JUNOS software består af forskellige pakker, og indeholder filer specifik til deres funktion. Følgende pakker kan findes i JUNOS software:

jkernel
Indeholder basis komponenterne for JUNOS software OS'et
jbase
Indeholder opdateringer til OS'et siden sidste jkernel
jroute
Indeholder den software der kør på Routing Engine, den styrer unicast routing, multicast routing og MPLS signalerings protokollerne. Pakken indeholder også nogle daemons som fx. mgd
jpfe
Indeholder det Embedded OS der styrer komponenterne på Packet Forwarding Engine.
jdocs
Indeholder komplet JUNOS dokumentation(help topic osfp area-backbone)
jcrypto
Indeholder krypterings software til fx, SSH og IPSec. Pakken er kun tilgængelig i US og Canada.
jbundle
jbundle er en enkelt pakke der indeholder alle de andre pakker.

Help Reference

root@SRX240# <input>help reference interfaces address</input>

    Syntax

   address address {
           arp ip-address (mac | multicast-mac) mac-address <publish>;
           broadcast address;
           destination address;
           destination-profile name;
           eui-64;
           master-only;
           multipoint-destination address dlci dlci-identifier;

...

    Hierarchy Level

   [edit interfaces interface-name unit logical-unit-number family family],

   [edit logical-systems logical-system-name interfaces interface-name unit
   logical-unit-number family family]

...

[edit]
root@SRX240#

Konfiguration

Login to the router

SRX240 (ttyu0)

login: <input>root</input>
Password:

--- JUNOS 9.5R1.8 built 2009-04-13 20:03:09 UTC

root@SRX240%<input>cli</input> - root brugeren skal starte CLI fra shell'en
root@SRX240> - Større end betyder routeren er i operational mode
root@SRX240> <input>configure</input> - Her hopper vi ind i Configuration Mode
Entering configuration mode

[edit]
root@SRX240# - Havelågen betyder at Routeren er i Configuration Mode

Run kommandoen

Hvis man vil køre operational mode kommandoer fra configuration mode skal man bruger run

root@SRX240> <input>show arp</input>
MAC Address       Address         Name                      Interface     Flags
10:8c:cf:2e:7c:0d 10.0.0.1        10.0.0.1                  ge-0/0/0.0    none
10:8c:cf:2e:91:6e 10.0.0.6        10.0.0.6                  ge-0/0/1.0    none
00:18:b9:89:84:41 10.0.0.10       10.0.0.10                 ge-0/0/2.0    none
Total entries: 3

root@SRX240> <input>configure</input>
Entering configuration mode

[edit]
root@SRX240# <input>show arp</input>
                  ^
syntax error.

[edit]
root@SRX240# <input>run show arp</input>
MAC Address       Address         Name                      Interface     Flags
10:8c:cf:2e:7c:0d 10.0.0.1        10.0.0.1                  ge-0/0/0.0    none
10:8c:cf:2e:91:6e 10.0.0.6        10.0.0.6                  ge-0/0/1.0    none
00:18:b9:89:84:41 10.0.0.10       10.0.0.10                 ge-0/0/2.0    none
Total entries: 3

[edit]
root@SRX240#

Pipe kommandoen

root@SRX240> <input>show route | count</input>
Count: 15 lines

root@SRX240>

First Time Setup

root@R1> edit
Entering configuration mode

[edit]
root@R1# delete
This will delete the entire configuration
Delete everything under this level? [yes,no] (no) yes

[edit]
root@R1# show 

[edit]
root@R1# set system root-authentication plain-text-password
New password:
Retype new password:

[edit]
root@R1# set system host-name SRX240

[edit]
root@R1# set system services ssh 

root@R1# set system login user rael class super-user full-name "Rasmus" authentication plain-text-password
New password:
Retype new password:
rael@SRX240# show
## Last changed: 2011-09-19 13:25:31 UTC
version 9.5R1.8;
system {
    host-name SRX240;
    root-authentication {
        encrypted-password "$1$514tUpUC$rtXccg48AnvxLqMvoFlmY."; ## SECRET-DATA
    }
    login {
        user rael {
            full-name Rasmus;
            uid 2002;
            class super-user;
            authentication {
                encrypted-password "$1$F5hF7XvX$GSlLJb7pngskYzbMJxdvV."; ## SECR
ET-DATA
            }
        }
    }
    services {
        ssh;
    }
}

[edit]
rael@SRX240# show | display set
set version 9.5R1.8
set system host-name SRX240
set system root-authentication encrypted-password "$1$514tUpUC$rtXccg48AnvxLqMvo
FlmY."
set system login user rael full-name Rasmus
set system login user rael uid 2002
set system login user rael class super-user
set system login user rael authentication encrypted-password "$1$F5hF7XvX$GSlLJb
7pngskYzbMJxdvV."
set system services ssh

[edit]
rael@SRX240#

Firewall som router

Sådan her laver man en SRX firewall om fra flow-mode til packet-mode. I Flow-mode virker udstyret som en statefull firewall hvor den i packet mode virker som en Router.

delete security
set security forwarding-options family inet6 mode packet-based
set security forwarding-options family mpls mode packet-based

Kontrollér om det virker:

rael@SRX240> <input>show security flow status</input>
  Flow forwarding mode:
    <notice>Inet forwarding mode: packet based
    Inet6 forwarding mode: packet based
    MPLS forwarding mode: packet based</notice>
    ISO forwarding mode: drop
  Flow trace status
    Flow tracing status: off
  Flow session distribution
    Distribution mode: RR-based

Debugging

Debug bliver kaldt traces på Junipersk. Alle traces bliver smidt i /var/log/filename.
For at sætte logging op til messages og interactive kommandoer kan man bruger:

system {
    syslog {
        user * {
            any notice;
        }
        file messages {
            any any;
            authorization info;
        }
        file interactive-commands {
            interactive-commands any;
        }
    }
}

Vil man lave til egen log for fx, OSPF kan man gøre det med:

protocols {
    ospf {
        traceoptions {
            file ospf-trace size 128k files 10 no-world-readable;
            flag event detail;
            flag error detail;
        }
    }
}

som vil blive gemt i /var/log/ospf-trace & som man kan se med:

rael@SRX240> <input>show log ospf-trace</input>
Sep 20 08:44:13 trace_on: Tracing to "/var/log/ospf-trace" started
Sep 20 08:44:13.051243 IFL ge-0/0/0.0 addr (10.0.0.2) ifachange 0x0
Sep 20 08:44:13.051448 IFL ge-0/0/1.0 addr (10.0.0.5) ifachange 0x0
Sep 20 08:52:15.164538 OSPF packet ignored: no matching interface from 10.0.0.1, IFL 67
Sep 20 08:52:24.565608 OSPF packet ignored: no matching interface from 10.0.0.1, IFL 67

Vil man se den i real-tid kan man bruge:

rael@SRX240> <input>monitor start ospf-trace</input>

rael@SRX240>
*** ospf-trace ***
Sep 20 09:06:24.093057 OSPF packet ignored: no matching interface from 10.0.0.1, IFL 67
Sep 20 09:06:33.360253 OSPF packet ignored: no matching interface from 10.0.0.1, IFL 67
<input>monitor stop</input>

rael@SRX240>

Vil man sortere i loggen kan man bruge:

rael@SRX240> <input>show log ospf-trace | match "ge|lo"</input>
Sep 20 08:44:13 trace_on: Tracing to "/var/log/ospf-trace" started
Sep 20 08:44:13.050316 IFL ge-0/0/2.0 iflchange 0x0
Sep 20 08:44:13.050446 IFL ge-0/0/1.0 iflchange 0x0
Sep 20 08:44:13.050538 IFL ge-0/0/0.0 iflchange 0x0
Sep 20 08:44:13.050638 IFL lo0.32768 iflchange 0x0
Sep 20 08:44:13.050730 IFL lo0.16385 iflchange 0x0
Sep 20 08:44:13.050834 IFL lo0.16384 iflchange 0x0
Sep 20 08:44:13.051243 IFL ge-0/0/0.0 addr (10.0.0.2) ifachange 0x0
Sep 20 08:44:13.051448 IFL ge-0/0/1.0 addr (10.0.0.5) ifachange 0x0
Sep 20 08:44:13.051636 IFL ge-0/0/2.0 addr (10.0.0.9) ifachange 0x0

rael@SRX240>

Vil man nulstille logfilen kan man bruge clear log ospf-trace
vil man slette logfilen kan man bruger file delete /var/log/ospf-trace <- brug ikke denne kommando

Interface status

Vil man se interface information kan man bruger show interfaces

rael@SRX240> <input>show interfaces</input>
Physical interface: <notice>ge-0/0/0, Enabled</notice>, Physical link is <notice>Up</notice>
  Interface index: 131, SNMP ifIndex: 115
  Link-level type: Ethernet, MTU: 1514, Link-mode: Full-duplex, Speed: 100mbps, BPDU Error: None, MAC-REWRITE Error: None, Loopback: Disabled,
  Source filtering: Disabled, Flow control: Enabled, Auto-negotiation: Enabled, Remote fault: Online
  Device flags   : Present Running
  Interface flags: SNMP-Traps Internal: 0x0
  Link flags     : None
  CoS queues     : 8 supported, 8 maximum usable queues
  Current address: 00:24:dc:d8:16:80, Hardware address: 00:24:dc:d8:16:80
  Last flapped   : 2011-09-19 10:44:07 UTC (22:42:57 ago)
  Input rate     : 8216 bps (17 pps)
  Output rate    : 16240 bps (16 pps)
  Active alarms  : None
  Active defects : None

  Logical interface ge-0/0/0.0 (Index 67) (SNMP ifIndex 116)
    Flags: SNMP-Traps Encapsulation: ENET2
    Input packets : 4677
    Output packets: 3300
    Security: Zone: Null
    Protocol inet, MTU: 1500
      Flags: Is-Primary
      Addresses, Flags: Is-Default Is-Preferred Is-Primary
        Destination: 10.0.0.0/30, Local: 10.0.0.2, Broadcast: 10.0.0.3

Physical interface: gr-0/0/0, Enabled, Physical link is Up
  Interface index: 149, SNMP ifIndex: 132
  Type: GRE, Link-level type: GRE, MTU: Unlimited, Speed: 800mbps
  Link flags     : Scheduler Keepalives DTE
  Device flags   : Present Running
  Interface flags: Point-To-Point
  Input rate     : 0 bps (0 pps)
  Output rate    : 0 bps (0 pps)

Physical interface: ip-0/0/0, Enabled, Physical link is Up
  Interface index: 150, SNMP ifIndex: 133
  Type: IPIP, Link-level type: IP-over-IP, MTU: Unlimited, Speed: 800mbps
  Link flags     : Scheduler Keepalives DTE
  Device flags   : Present Running
  Input rate     : 0 bps (0 pps)
  Output rate    : 0 bps (0 pps)

For a quick overview, use <input>show interfaces terse</input>

rael@SRX240> <input>show interfaces terse</input>
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
ge-0/0/0.0              <notice>up    up</notice>   inet     <notice>10.0.0.2/30</notice>
gr-0/0/0                up    up
ip-0/0/0                up    up
ls-0/0/0                up    up
lt-0/0/0                up    up
mt-0/0/0                up    up
pd-0/0/0                up    up
pe-0/0/0                up    up
ge-0/0/1                up    up
ge-0/0/1.0              up    up   inet     10.0.0.5/30
ge-0/0/2                up    up
ge-0/0/2.0              up    up   inet     10.0.0.9/30
ge-0/0/3                up    down
ge-0/0/4                up    down
ge-0/0/5                up    down
ge-0/0/6                up    down
ge-0/0/7                up    down
ge-0/0/8                up    down
ge-0/0/9                up    down
ge-0/0/10               up    down
ge-0/0/11               up    down
ge-0/0/12               up    down
ge-0/0/13               up    down
ge-0/0/14               up    down
ge-0/0/15               up    down
gre                     up    up
ipip                    up    up
lo0                     up    up
lo0.16384               up    up   inet     127.0.0.1           --> 0/0
lo0.16385               up    up   inet     10.0.0.1            --> 0/0
                                            10.0.0.16           --> 0/0
                                            128.0.0.1           --> 0/0
                                            128.0.1.16          --> 0/0
                                   inet6    fe80::224:dcff:fed8:1680
lo0.32768               up    up
lsi                     up    up
mtun                    up    up
pimd                    up    up
pime                    up    up
pp0                     up    up
st0                     up    up
tap                     up    up
vlan                    up    up

rael@SRX240>

For real-time statistics from an interface, use monitor interface ge-0/0/0

rael@SRX240> <input>monitor interface ge-0/0/0</input>
SRX240                            Seconds: 4                   Time: 09:37:16
                                                           Delay: 0/0/2
Interface: ge-0/0/0, Enabled, Link is Up
Encapsulation: Ethernet, Speed: 1000mbps
Traffic statistics:                                           Current delta
  Input bytes:                    772560 (616 bps)                    [356]
  Output bytes:                   949366 (1832 bps)                  [8434]
  Input packets:                    5294 (1 pps)                        [8]
  Output packets:                   3698 (0 pps)                       [11]
Error statistics:
  Input errors:                        0                                [0]
  Input drops:                         0                                [0]
  Input framing errors:                0                                [0]
  Policed discards:                  135                                [0]
  L3 incompletes:                      0                                [0]
  L2 channel errors:                   0                                [0]
  L2 mismatch timeouts:                0                                [0]
  Carrier transitions:                 3                                [0]
  Output errors:                       0                                [0]
  Output drops:                        0                                [0]
  Aged packets:                        0                                [0]
Active alarms : None
Active defects: None
Input MAC/Filter statistics:
  Unicast packets                  11670                                [8]
  Broadcast packets                   44                                [0]
  Multicast packets                 1946                                [0]
  Oversized frames                     0                                [0]
  Packet reject count                  0                                [0]
  DA rejects                           0                                [0]
  SA rejects                           0                                [0]
Output MAC/Filter Statistics:
  Unicast packets                   3602                               [13]
  Broadcast packets                   80                                [0]
  Multicast packets                    0                                [0]
  Packet pad count                     0                                [0]
  Packet error count                   0                                [0]
Next='n', Quit='q' or ESC, Freeze='f', Thaw='t', Clear='c', Interface='i'

NTP

Here we set up NTP so that the router synchronizes its clock at boot (boot-server) and has a server it uses for ongoing time updates (server)

[edit]
rael@SRX240# <input>edit system ntp</input>

[edit system ntp]
rael@SRX240# <input>set boot-server mars.tekkom.dk</input>

[edit system ntp]
rael@SRX240# <input>set server mars.tekkom.dk</input>

[edit system ntp]
rael@SRX240#

Power Off

JUNOS should be shut down cleanly before the power is removed.

user@router> request system halt

Interfaces Up/Down

# Shut down (administratively disable) an interface
reh@RERouter# set interfaces fe-0/0/0 disable
# Enable the interface again
reh@RERouter# delete interfaces fe-0/0/0 disable
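The terse interface listing above and the disable command in this section go together in practice: ports that are administratively up but have no link are unused ports, and disabling them is a routine hardening step. The following is an added example, not code from the original page or from Juniper: it parses the text of show interfaces terse (the SAMPLE is an abridged copy of the output shown earlier on this page), lists the logical interfaces that carry addresses, and emits the set interfaces <name> disable commands for enabled ports with no link. The function names and the FAMILIES set are this example's own assumptions.

```python
"""Parse 'show interfaces terse' output and derive interface-hardening commands.

Added example (not part of the original page): SAMPLE is an abridged copy of
the terse output shown on the page; all function names are this example's own.
"""
import re

# Junos address families that may appear in the Proto column (assumed list).
FAMILIES = {"inet", "inet6", "iso", "mpls", "ethernet-switching"}

# Abridged copy of the 'show interfaces terse' output from the page.
SAMPLE = """\
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
ge-0/0/0.0              up    up   inet     10.0.0.2/30
ge-0/0/1                up    up
ge-0/0/1.0              up    up   inet     10.0.0.5/30
ge-0/0/3                up    down
ge-0/0/4                up    down
ge-0/0/5                up    down
lo0                     up    up
lo0.16384               up    up   inet     127.0.0.1           --> 0/0
lo0.16385               up    up   inet     10.0.0.1            --> 0/0
                                            10.0.0.16           --> 0/0
                                            128.0.0.1           --> 0/0
                                            128.0.1.16          --> 0/0
                                   inet6    fe80::224:dcff:fed8:1680
st0                     up    up
"""


def parse_terse(text):
    """Return {name: {"admin", "link", "families": {proto: [local address, ...]}}}.

    Indented continuation lines either open a new family ("inet6 fe80::...")
    or add another address to the family opened on the line before.
    The '--> remote' part of loopback rows is ignored.
    """
    ifaces = {}
    current = None   # record that indented continuation lines belong to
    proto = None     # family that extra address lines belong to
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if not line[0].isspace():
            # Only rows whose second column is up/down are interface rows;
            # this also skips the header line and any CLI prompt lines.
            if len(tokens) < 3 or tokens[1] not in ("up", "down"):
                continue
            name, admin, link = tokens[:3]
            current = {"admin": admin, "link": link, "families": {}}
            ifaces[name] = current
            tokens = tokens[3:]
            proto = None
        if current is None or not tokens:
            continue
        if tokens[0] in FAMILIES:
            proto = tokens[0]
            current["families"].setdefault(proto, [])
            tokens = tokens[1:]
        if proto is not None and tokens:
            current["families"][proto].append(tokens[0])
    return ifaces


def _natural(name):
    """Sort key so that ge-0/0/3 sorts before ge-0/0/10."""
    return [int(t) if t.isdigit() else t for t in re.split(r"(\d+)", name)]


def admin_up_link_down(ifaces):
    """Physical ports that are enabled but have no link: unused ports worth disabling."""
    return sorted((n for n, r in ifaces.items()
                   if "." not in n and r["admin"] == "up" and r["link"] == "down"),
                  key=_natural)


def disable_commands(ifaces):
    """Configuration-mode commands in the page's 'set interfaces <name> disable' form."""
    return [f"set interfaces {n} disable" for n in admin_up_link_down(ifaces)]


def addresses(ifaces):
    """{logical interface: [all local addresses across families]}."""
    return {n: sum(r["families"].values(), []) for n, r in ifaces.items() if r["families"]}


if __name__ == "__main__":
    parsed = parse_terse(SAMPLE)
    for cmd in disable_commands(parsed):
        print(cmd)
    for name, addrs in addresses(parsed).items():
        print(name, ", ".join(addrs))
```

A port that is link-down today may simply be a host that is switched off, so review the generated list before committing it; the point of the script is to make the review list, not to commit blindly.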

DHCP Client

[edit]
reh@RERouter# set interfaces fe-0/0/0 unit 0 family inet dhcp

Upgrade JUNOS

The latest JUNOS can be downloaded from junos.net, as long as you have an account with a serial number (S/N) linked to it.[1]
Here I have put it on an FTP server with anonymous access.

Check that there is enough space on the device:

root@SRX240> <input>show version</input>
Hostname: SRX240
Model: srx240-lm
JUNOS Software Release [9.5R1.8] (Export edition)

root@SRX240> <input>show system storage</input>
Filesystem              Size       Used      Avail  Capacity   Mounted on
/dev/da0s1a             898M       158M       669M       19%  /
devfs                   1.0K       1.0K         0B      100%  /dev
devfs                   1.0K       1.0K         0B      100%  /dev/
/dev/md0                450M       450M         0B      100%  /junos
/cf                     898M       158M       669M       19%  /junos/cf
devfs                   1.0K       1.0K         0B      100%  /junos/dev/
procfs                  4.0K       4.0K         0B      100%  /proc
/dev/bo0s1e              24M        20K        22M        0%  /config
/dev/da0s1f              61M       7.7M        48M       14%  /cf/var/log
/dev/md1                 84M        11M        66M       14%  /mfs
/cf/var/jail            898M       158M       669M       19%  /jail/var
devfs                   1.0K       1.0K         0B      100%  /jail/dev

Transfer the software and reboot

root@SRX240> <input>request system software add ftp://192.168.146.115/junos-srxsme-12.1X44-D40.2-domestic.tgz no-validate no-copy</input>
-                                                     1479 kB 1479 kBps
Package contains junos-12.1X44-D40.2 ; renaming ...
Installing package '/var/tmp/junos-12.1X44-D40.2' ...
Verified junos-boot-srxsme-12.1X44-D40.2.tgz signed by PackageProduction_12_1_0
Verified junos-srxsme-12.1X44-D40.2-domestic signed by PackageProduction_12_1_0
Verified junos-boot-srxsme-12.1X44-D40.2.tgz signed by PackageProduction_12_1_0
Verified junos-srxsme-12.1X44-D40.2-domestic signed by PackageProduction_12_1_0
Available space: 342330 require: 198348
WARNING: JUNOS edition domestic != export, need to regenerate ssh host keys
Saving boot file package in /var/sw/pkg/junos-boot-srxsme-12.1X44-D40.2.tgz
JUNOS requires BIOS version upgrade from 0.0 to 2.7
Upgrading to BIOS 2.7 ...
boot.upgrade.uboot="0xbfc00000"
boot.upgrade.loader="0xbfe00000"
bootupgrade: illegal option -- U
Unknown option ?
bootupg -u <uboot-binary-file> -l <loader-elf-file> -v <pkgver>
JUNOS 12.1X44-D40.2 will become active at next reboot
WARNING: A reboot is required to load this software correctly
WARNING:     Use the 'request system reboot' command
WARNING:         when software installation is complete
Saving state for rollback ...
Removing /var/tmp/junos-12.1X44-D40.2
Model: srx240-lm
JUNOS Software Release [9.5R1.8] (Export edition)

root@SRX240> <input>request system reboot</input>
Reboot the system ? [yes,no] (no) <input>yes</input>

Shutdown NOW!
[pid 2197]
<notice><--- output omitted ---></notice>
root@SRX240> <input>show version</input> ilt 2014-08-28 12:20:14 UTC
Hostname: SRX240
Model: srx240b
JUNOS Software Release [12.1X44-D40.2]

root@SRX240>
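Two things in the upgrade output above deserve a check rather than a glance: the free-space figures, and the WARNING lines, in particular the one saying the SSH host keys must be regenerated because the edition changes from export to domestic. Note also that no-validate only skips checking the existing configuration against the new release; the package signatures are still verified, which is what the "Verified ... signed by" lines show. The following is an added example, not code from the original page or from Juniper: it parses show system storage into byte counts so a required size can be compared against a mount point, and summarizes the installer output (signature lines, warnings, and the installer's own available/required figures). STORAGE and INSTALL_LOG are abridged copies of the page's output; the function names are this example's own.

```python
"""Pre-/post-upgrade checks on 'show system storage' and 'request system software add' output.

Added example (not part of the original page): the two samples are abridged
copies of the page's output; function names are this example's own.
"""
import re

UNITS = {"B": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}

# Abridged copy of the 'show system storage' output from the page.
STORAGE = """\
Filesystem              Size       Used      Avail  Capacity   Mounted on
/dev/da0s1a             898M       158M       669M       19%  /
devfs                   1.0K       1.0K         0B      100%  /dev
/dev/bo0s1e              24M        20K        22M        0%  /config
/dev/da0s1f              61M       7.7M        48M       14%  /cf/var/log
"""

# Abridged copy of the 'request system software add ... no-validate' output from the page.
INSTALL_LOG = """\
Installing package '/var/tmp/junos-12.1X44-D40.2' ...
Verified junos-boot-srxsme-12.1X44-D40.2.tgz signed by PackageProduction_12_1_0
Verified junos-srxsme-12.1X44-D40.2-domestic signed by PackageProduction_12_1_0
Verified junos-boot-srxsme-12.1X44-D40.2.tgz signed by PackageProduction_12_1_0
Verified junos-srxsme-12.1X44-D40.2-domestic signed by PackageProduction_12_1_0
Available space: 342330 require: 198348
WARNING: JUNOS edition domestic != export, need to regenerate ssh host keys
JUNOS 12.1X44-D40.2 will become active at next reboot
WARNING: A reboot is required to load this software correctly
WARNING:     Use the 'request system reboot' command
WARNING:         when software installation is complete
"""


def to_bytes(size):
    """'669M' -> 701497344, '1.0K' -> 1024, '0B' -> 0."""
    m = re.fullmatch(r"([\d.]+)([BKMG])", size)
    if not m:
        raise ValueError(f"unrecognised size: {size}")
    return int(float(m.group(1)) * UNITS[m.group(2)])


def parse_storage(text):
    """Return {mount point: {'filesystem', 'size', 'used', 'avail' (bytes), 'capacity' (%)}}."""
    fs = {}
    for line in text.splitlines():
        tokens = line.split()
        # Data rows have exactly six columns; the header and prompt lines do not.
        if len(tokens) != 6 or tokens[0] == "Filesystem":
            continue
        fs[tokens[5]] = {
            "filesystem": tokens[0],
            "size": to_bytes(tokens[1]),
            "used": to_bytes(tokens[2]),
            "avail": to_bytes(tokens[3]),
            "capacity": int(tokens[4].rstrip("%")),
        }
    return fs


def enough_space(fs, mount, required_bytes):
    """True if the given mount point has at least required_bytes free."""
    return fs[mount]["avail"] >= required_bytes


def audit_install_log(log):
    """Summarise signature checks, WARNING lines and the installer's space figures."""
    verified = re.findall(r"^Verified (\S+) signed by (\S+)$", log, re.M)
    warnings = [l.split(":", 1)[1].strip() for l in log.splitlines()
                if l.startswith("WARNING:")]
    m = re.search(r"Available space: (\d+) require: (\d+)", log)
    space = (int(m.group(1)), int(m.group(2))) if m else None
    return {
        "verified": verified,
        "signers": sorted({signer for _, signer in verified}),
        "warnings": warnings,
        "space": space,
        # An edition change regenerates the SSH host keys: the next SSH
        # connection will present a new key, so expect it rather than
        # treating an unexpected key change as routine.
        "host_keys_change": any("ssh host keys" in w for w in warnings),
    }


if __name__ == "__main__":
    fs = parse_storage(STORAGE)
    print("/ free:", fs["/"]["avail"] // 1024 ** 2, "MB")
    report = audit_install_log(INSTALL_LOG)
    print("signed packages:", len(report["verified"]), "by", report["signers"])
    print("host keys will change:", report["host_keys_change"])
    for w in report["warnings"]:
        print("WARNING:", w)
```

When host_keys_change is true, record the new host key fingerprint from the console after the reboot and update the known_hosts entry deliberately; the goal is that a real key change on a later connection still stands out.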

Links