Difference between revisions of "Juniper 101"

From Teknologisk videncenter
Jump to: navigation, search
m (Links)
m (Firewall som router)
Line 191: Line 191:
 
set security forwarding-options family mpls mode packet-based
 
set security forwarding-options family mpls mode packet-based
 
</source>
 
</source>
 +
=Debugging=
 +
Debug bliver kaldt traces på Junipersk. Alle traces bliver smidt i /var/log/filename.<br/>
 +
For at sætte logging op til messages og interactive kommandoer kan man bruger:
 +
<source lang=cli>
 +
system {
 +
    syslog {
 +
        user * {
 +
            any notice;
 +
        }
 +
        file messages {
 +
            any any;
 +
            authorization info;
 +
        }
 +
        file interactive-commands {
 +
            interactive-commands any;
 +
        }
 +
    }
 +
}
 +
</source>
 +
Vil man lave til egen log for fx, OSPF kan man gøre det med:
 +
<source lang=cli>
 +
protocols {
 +
    ospf {
 +
        traceoptions {
 +
            file ospf-trace size 128k files 10 no-world-readable;
 +
            flag event detail;
 +
            flag error detail;
 +
        }
 +
    }
 +
}
 +
</source>
 +
som vil blive gemt i /var/log/ospf-trace & som man kan se med:
 +
<source lang=cli>
 +
rael@SRX240> <input>show log ospf-trace</input>
 +
Sep 20 08:44:13 trace_on: Tracing to "/var/log/ospf-trace" started
 +
Sep 20 08:44:13.051243 IFL ge-0/0/0.0 addr (10.0.0.2) ifachange 0x0
 +
Sep 20 08:44:13.051448 IFL ge-0/0/1.0 addr (10.0.0.5) ifachange 0x0
 +
Sep 20 08:52:15.164538 OSPF packet ignored: no matching interface from 10.0.0.1, IFL 67
 +
Sep 20 08:52:24.565608 OSPF packet ignored: no matching interface from 10.0.0.1, IFL 67
 +
</source>
 +
Vil man se den i real-tid kan man bruge:
 +
<source lang=cli>
 +
 +
rael@SRX240> <input>monitor start ospf-trace</input>
 +
 +
rael@SRX240>
 +
*** ospf-trace ***
 +
Sep 20 09:06:24.093057 OSPF packet ignored: no matching interface from 10.0.0.1, IFL 67
 +
Sep 20 09:06:33.360253 OSPF packet ignored: no matching interface from 10.0.0.1, IFL 67
 +
<input>monitor stop</input>
 +
 +
rael@SRX240>
 +
</source>
 +
Vil man sortere i loggen kan man bruge:
 +
<source lang=cli>
 +
rael@SRX240> <input>show log ospf-trace | match "ge|lo"</input>
 +
Sep 20 08:44:13 trace_on: Tracing to "/var/log/ospf-trace" started
 +
Sep 20 08:44:13.050316 IFL ge-0/0/2.0 iflchange 0x0
 +
Sep 20 08:44:13.050446 IFL ge-0/0/1.0 iflchange 0x0
 +
Sep 20 08:44:13.050538 IFL ge-0/0/0.0 iflchange 0x0
 +
Sep 20 08:44:13.050638 IFL lo0.32768 iflchange 0x0
 +
Sep 20 08:44:13.050730 IFL lo0.16385 iflchange 0x0
 +
Sep 20 08:44:13.050834 IFL lo0.16384 iflchange 0x0
 +
Sep 20 08:44:13.051243 IFL ge-0/0/0.0 addr (10.0.0.2) ifachange 0x0
 +
Sep 20 08:44:13.051448 IFL ge-0/0/1.0 addr (10.0.0.5) ifachange 0x0
 +
Sep 20 08:44:13.051636 IFL ge-0/0/2.0 addr (10.0.0.9) ifachange 0x0
 +
 +
rael@SRX240>
 +
</source>
 +
Vil man nulstille logfilen kan man bruge '''clear log ospf-trace'''<br/>
 +
vil man slette logfilen kan man bruger '''file delete /var/log/ospf-trace'''
 +
 
=Power Off=
 
=Power Off=
 
JUNOS skal helst lukkes pænt ned inden man fjerner strømmen.
 
JUNOS skal helst lukkes pænt ned inden man fjerner strømmen.

Revision as of 10:13, 20 September 2011

Se tegning af Junipers Hardware kasse

Software

Junos virker på sværs af alle hardware platforme.... ARGH der mangler noget

Software Arkitektur

JUNOS baserer sig på FreeBSD Unix operativsystemet, men er dog ændret og hardende af Juniper til at kunne køre på deres udstyr.

JUNOS består bl.a. af følgende daemons

Routing Protocol Daemon(rpd)
rpd står for at sende og modtage routing protokol beskeder, ændring af routings tabellen og implementere routing politikker.
Device Control Daemon(dcd)
Routerens interfaces bliver styret af dcd, både de fysiske og logiske karaktertræk.
Management Daemon(mgd)
mgd styrer alt adgang til routeren SSH og cli.
Chassis Daemon(chassisd)
chassisd styrer selve routeren, og sammenhængen mellem den passive midplane, FPC og Control Board
Packet Forwarding Engine Daemon(pfed)
pfed styrer kommunikaitonen mellem Routing Engine og Packet Forwarding Engine. En af dens funktioner er fx. at indhente oplysninger om interface statistiker.

Software komponenter

JUNOS software består af forskellige pakker, og indeholder filer specifik til deres funktion. Følgende pakker kan findes i JUNOS software:

jkernel
Indeholder basis komponenterne for JUNOS software OS'et
jbase
Indeholder opdateringer til OS'et siden sidste jkernel
jroute
Indeholder den software der kør på Routing Engine, den styrer unicast routing, multicast routing og MPLS signalerings protokollerne. Pakken indeholder også nogle daemons som fx. mgd
jpfe
Indeholder det Embedded OS der styrer komponenterne på Packet Forwarding Engine.
jdocs
Indeholder komplet JUNOS dokumentation(help topic osfp area-backbone)
jcrypto
Indeholder krypterings software til fx, SSH og IPSec. Pakken er kun tilgængelig i US og Canada.
jbundle
jbundle er en enkelt pakke der indeholder alle de andre pakker.

Help Reference

root@SRX240# <input>help reference interfaces address</input>

    Syntax

   address address {
           arp ip-address (mac | multicast-mac) mac-address <publish>;
           broadcast address;
           destination address;
           destination-profile name;
           eui-64;
           master-only;
           multipoint-destination address dlci dlci-identifier;

...

    Hierarchy Level

   [edit interfaces interface-name unit logical-unit-number family family],

   [edit logical-systems logical-system-name interfaces interface-name unit
   logical-unit-number family family]

...

[edit]
root@SRX240#

Konfiguration

Login to the router

SRX240 (ttyu0)

login: <input>root</input>
Password:

--- JUNOS 9.5R1.8 built 2009-04-13 20:03:09 UTC

root@SRX240%<input>cli</input> - root brugeren skal starte CLI fra shell'en
root@SRX240> - Større end betyder routeren er i operational mode
root@SRX240> <input>configure</input> - Har hopper vi ind i Configuration Mode
Entering configuration mode

[edit]
root@SRX240# - Havelågen betyder at Routeren er i Configuration Mode

Run kommandoen

Hvis man vil køre operational mode kommandoer fra configuration mode skal man bruger run

root@SRX240> <input>show arp</input>
MAC Address       Address         Name                      Interface     Flags
10:8c:cf:2e:7c:0d 10.0.0.1        10.0.0.1                  ge-0/0/0.0    none
10:8c:cf:2e:91:6e 10.0.0.6        10.0.0.6                  ge-0/0/1.0    none
00:18:b9:89:84:41 10.0.0.10       10.0.0.10                 ge-0/0/2.0    none
Total entries: 3

root@SRX240> <input>configure</input>
Entering configuration mode

[edit]
root@SRX240# <input>show arp</input>
                  ^
syntax error.

[edit]
root@SRX240# <input>run show arp</input>
MAC Address       Address         Name                      Interface     Flags
10:8c:cf:2e:7c:0d 10.0.0.1        10.0.0.1                  ge-0/0/0.0    none
10:8c:cf:2e:91:6e 10.0.0.6        10.0.0.6                  ge-0/0/1.0    none
00:18:b9:89:84:41 10.0.0.10       10.0.0.10                 ge-0/0/2.0    none
Total entries: 3

[edit]
root@SRX240#

Pipe kommandoen

root@SRX240> <input>show route | count</input>
Count: 15 lines

root@SRX240>

First Time Setup

root@R1> edit
Entering configuration mode

[edit]
root@R1# delete
This will delete the entire configuration
Delete everything under this level? [yes,no] (no) yes

[edit]
root@R1# show 

[edit]
root@R1# set system root-authentication plain-text-password
New password:
Retype new password:

[edit]
root@R1# set system host-name SRX240

[edit]
root@R1# set system services ssh 

root@R1# set system login user rael class super-user full-name "Rasmus" authentication plain-text-password
New password:
Retype new password:
rael@SRX240# show
## Last changed: 2011-09-19 13:25:31 UTC
version 9.5R1.8;
system {
    host-name SRX240;
    root-authentication {
        encrypted-password "$1$514tUpUC$rtXccg48AnvxLqMvoFlmY."; ## SECRET-DATA
    }
    login {
        user rael {
            full-name Rasmus;
            uid 2002;
            class super-user;
            authentication {
                encrypted-password "$1$F5hF7XvX$GSlLJb7pngskYzbMJxdvV."; ## SECR
ET-DATA
            }
        }
    }
    services {
        ssh;
    }
}

[edit]
rael@SRX240# show | display set
set version 9.5R1.8
set system host-name SRX240
set system root-authentication encrypted-password "$1$514tUpUC$rtXccg48AnvxLqMvo
FlmY."
set system login user rael full-name Rasmus
set system login user rael uid 2002
set system login user rael class super-user
set system login user rael authentication encrypted-password "$1$F5hF7XvX$GSlLJb
7pngskYzbMJxdvV."
set system services ssh

[edit]
rael@SRX240#

Firewall som router

Sådan her laver man en SRX firewall om fra flow-mode til packet-mode. I Flow-mode virker udstyret som en statefull firewall hvor den i packet mode virker som en Router.

delete security
set security forwarding-options family inet6 mode packet-based
set security forwarding-options family mpls mode packet-based

Debugging

Debug bliver kaldt traces på Junipersk. Alle traces bliver smidt i /var/log/filename.
For at sætte logging op til messages og interactive kommandoer kan man bruger:

system {
    syslog {
        user * {
            any notice;
        }
        file messages {
            any any;
            authorization info;
        }
        file interactive-commands {
            interactive-commands any;
        }
    }
}

Vil man lave til egen log for fx, OSPF kan man gøre det med:

protocols {
    ospf {
        traceoptions {
            file ospf-trace size 128k files 10 no-world-readable;
            flag event detail;
            flag error detail;
        }
    }
}

som vil blive gemt i /var/log/ospf-trace & som man kan se med:

rael@SRX240> <input>show log ospf-trace</input>
Sep 20 08:44:13 trace_on: Tracing to "/var/log/ospf-trace" started
Sep 20 08:44:13.051243 IFL ge-0/0/0.0 addr (10.0.0.2) ifachange 0x0
Sep 20 08:44:13.051448 IFL ge-0/0/1.0 addr (10.0.0.5) ifachange 0x0
Sep 20 08:52:15.164538 OSPF packet ignored: no matching interface from 10.0.0.1, IFL 67
Sep 20 08:52:24.565608 OSPF packet ignored: no matching interface from 10.0.0.1, IFL 67

Vil man se den i real-tid kan man bruge:

rael@SRX240> <input>monitor start ospf-trace</input>

rael@SRX240>
*** ospf-trace ***
Sep 20 09:06:24.093057 OSPF packet ignored: no matching interface from 10.0.0.1, IFL 67
Sep 20 09:06:33.360253 OSPF packet ignored: no matching interface from 10.0.0.1, IFL 67
<input>monitor stop</input>

rael@SRX240>

Vil man sortere i loggen kan man bruge:

rael@SRX240> <input>show log ospf-trace | match "ge|lo"</input>
Sep 20 08:44:13 trace_on: Tracing to "/var/log/ospf-trace" started
Sep 20 08:44:13.050316 IFL ge-0/0/2.0 iflchange 0x0
Sep 20 08:44:13.050446 IFL ge-0/0/1.0 iflchange 0x0
Sep 20 08:44:13.050538 IFL ge-0/0/0.0 iflchange 0x0
Sep 20 08:44:13.050638 IFL lo0.32768 iflchange 0x0
Sep 20 08:44:13.050730 IFL lo0.16385 iflchange 0x0
Sep 20 08:44:13.050834 IFL lo0.16384 iflchange 0x0
Sep 20 08:44:13.051243 IFL ge-0/0/0.0 addr (10.0.0.2) ifachange 0x0
Sep 20 08:44:13.051448 IFL ge-0/0/1.0 addr (10.0.0.5) ifachange 0x0
Sep 20 08:44:13.051636 IFL ge-0/0/2.0 addr (10.0.0.9) ifachange 0x0

rael@SRX240>

Vil man nulstille logfilen kan man bruge clear log ospf-trace
vil man slette logfilen kan man bruger file delete /var/log/ospf-trace

Power Off

JUNOS skal helst lukkes pænt ned inden man fjerner strømmen.

user@router> request system halt

Links