Juniper 101
See the drawing of the Juniper hardware box
Contents
Software
Junos runs across all of the hardware platforms.... ARGH something is missing here
Software Architecture
JUNOS is based on the FreeBSD Unix operating system, modified and hardened by Juniper so that it runs on their own equipment.
JUNOS consists of, among others, the following daemons
- Routing Protocol Daemon (rpd)
- rpd is responsible for sending and receiving routing protocol messages, updating the routing table and implementing routing policies.
- Device Control Daemon (dcd)
- The router's interfaces are managed by dcd, both their physical and their logical characteristics.
- Management Daemon (mgd)
- mgd handles all management access to the router, the CLI as well as the management sessions arriving over SSH.
- Chassis Daemon (chassisd)
- chassisd manages the chassis itself and the interplay between the passive midplane, the FPCs and the Control Board.
- Packet Forwarding Engine Daemon (pfed)
- pfed handles communication between the Routing Engine and the Packet Forwarding Engine; one of its tasks is, for example, collecting interface statistics.
Software components
JUNOS software consists of several packages, each containing the files specific to its function. The following packages are found in JUNOS software:
- jkernel
- Contains the base components of the JUNOS operating system
- jbase
- Contains updates to the OS since the last jkernel
- jroute
- Contains the software that runs on the Routing Engine; it handles unicast routing, multicast routing and the MPLS signalling protocols. The package also contains some daemons, e.g. mgd
- jpfe
- Contains the embedded OS that controls the components on the Packet Forwarding Engine.
- jdocs
- Contains the complete JUNOS documentation (help topic ospf area-backbone)
- jcrypto
- Contains the cryptographic software for e.g. SSH and IPsec. The package is only available in the US and Canada; it is what distinguishes the "domestic" image (such as the junos-srxsme-12.1X44-D40.2-domestic.tgz installed further down) from the export image.
- jbundle
- jbundle is a single package containing all the other packages.
Help Reference
root@SRX240# <input>help reference interfaces address</input>
Syntax
address address {
arp ip-address (mac | multicast-mac) mac-address <publish>;
broadcast address;
destination address;
destination-profile name;
eui-64;
master-only;
multipoint-destination address dlci dlci-identifier;
...
Hierarchy Level
[edit interfaces interface-name unit logical-unit-number family family],
[edit logical-systems logical-system-name interfaces interface-name unit
logical-unit-number family family]
...
[edit]
root@SRX240#
Configuration
Login to the router
SRX240 (ttyu0)
login: <input>root</input>
Password:
--- JUNOS 9.5R1.8 built 2009-04-13 20:03:09 UTC
root@SRX240%<input>cli</input> - the root user has to start the CLI from the shell
root@SRX240> - the greater-than sign means the router is in operational mode
root@SRX240> <input>configure</input> - here we enter configuration mode
Entering configuration mode
[edit]
root@SRX240# - the hash sign means the router is in configuration mode
The run command
To run operational mode commands from configuration mode, prefix them with run
root@SRX240> <input>show arp</input>
MAC Address Address Name Interface Flags
10:8c:cf:2e:7c:0d 10.0.0.1 10.0.0.1 ge-0/0/0.0 none
10:8c:cf:2e:91:6e 10.0.0.6 10.0.0.6 ge-0/0/1.0 none
00:18:b9:89:84:41 10.0.0.10 10.0.0.10 ge-0/0/2.0 none
Total entries: 3
root@SRX240> <input>configure</input>
Entering configuration mode
[edit]
root@SRX240# <input>show arp</input>
^
syntax error.
[edit]
root@SRX240# <input>run show arp</input>
MAC Address Address Name Interface Flags
10:8c:cf:2e:7c:0d 10.0.0.1 10.0.0.1 ge-0/0/0.0 none
10:8c:cf:2e:91:6e 10.0.0.6 10.0.0.6 ge-0/0/1.0 none
00:18:b9:89:84:41 10.0.0.10 10.0.0.10 ge-0/0/2.0 none
Total entries: 3
[edit]
root@SRX240#
The pipe command
root@SRX240> <input>show route | count</input>
Count: 15 lines
root@SRX240>
First Time Setup
The session below wipes the candidate configuration, sets a root password, host name, SSH and an admin user, and commits; after the commit the prompt shows the new host name and the session continues as the new user rael. Note that show prints the password hashes inline (the $1$ prefix is MD5-crypt) marked ## SECRET-DATA, so a saved or pasted configuration has to be treated as a secret: anyone holding it can crack those hashes offline.
root@R1> edit
Entering configuration mode
[edit]
root@R1# delete
This will delete the entire configuration
Delete everything under this level? [yes,no] (no) yes
[edit]
root@R1# show
[edit]
root@R1# set system root-authentication plain-text-password
New password:
Retype new password:
[edit]
root@R1# set system host-name SRX240
[edit]
root@R1# set system services ssh
root@R1# set system login user rael class super-user full-name "Rasmus" authentication plain-text-password
New password:
Retype new password:
rael@SRX240# show
## Last changed: 2011-09-19 13:25:31 UTC
version 9.5R1.8;
system {
host-name SRX240;
root-authentication {
encrypted-password "$1$514tUpUC$rtXccg48AnvxLqMvoFlmY."; ## SECRET-DATA
}
login {
user rael {
full-name Rasmus;
uid 2002;
class super-user;
authentication {
encrypted-password "$1$F5hF7XvX$GSlLJb7pngskYzbMJxdvV."; ## SECRET-DATA
}
}
}
services {
ssh;
}
}
[edit]
rael@SRX240# show | display set
set version 9.5R1.8
set system host-name SRX240
set system root-authentication encrypted-password "$1$514tUpUC$rtXccg48AnvxLqMvoFlmY."
set system login user rael full-name Rasmus
set system login user rael uid 2002
set system login user rael class super-user
set system login user rael authentication encrypted-password "$1$F5hF7XvX$GSlLJb7pngskYzbMJxdvV."
set system services ssh
[edit]
rael@SRX240#
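A hardened variant of the setup above, added here as an example and not part of the original page. It keeps the page's host name, user and SSH service and adds what a first commit on an SRX should also carry: no root login over SSH, SSH v2 only, login throttling, a least-privilege login class instead of super-user, a zone that admits SSH on the management interface (the top-level delete on this page removed every zone, and an SRX in flow mode drops host-bound traffic on interfaces that are in no zone), and a confirmed commit so a mistake rolls itself back. The class name ops, the zone name mgmt, the choice of ge-0/0/0.0 as management interface and the limit values are assumptions.

```junos
## Added example, not the original page's configuration.
## Assumed: class "ops", zone "mgmt", ge-0/0/0.0 as the management interface.
set system host-name SRX240
set system root-authentication plain-text-password
## SSH: version 2 only, no root login, throttle new sessions
set system services ssh protocol-version v2
set system services ssh root-login deny
set system services ssh connection-limit 5
set system services ssh rate-limit 3
## Disconnect after 3 bad passwords, slow down further attempts after 2
set system login retry-options tries-before-disconnect 3
set system login retry-options backoff-threshold 2
set system login retry-options backoff-factor 5
## Least privilege: operators may view, clear counters and run network tools, not change config
set system login class ops permissions view
set system login class ops permissions view-configuration
set system login class ops permissions clear
set system login class ops permissions network
set system login user rael full-name "Rasmus" class ops authentication plain-text-password
## Flow mode: host-bound SSH is only accepted on interfaces in a zone that allows it
set security zones security-zone mgmt interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh
## Confirmed commit: rolls back after 5 minutes unless a second commit confirms it
commit confirmed 5
commit
```

Keep a console session open while doing the confirmed commit; if the SSH lockdown cuts you off, the rollback restores the previous configuration after five minutes. show system users afterwards lists who is logged in and from where, and show configuration | display set | match ssh confirms the SSH settings took.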
Firewall as router
This is how an SRX firewall is switched from flow mode to packet mode. In flow mode the device works as a stateful firewall; in packet mode it works as a plain router.
delete security
set security forwarding-options family inet6 mode packet-based
set security forwarding-options family mpls mode packet-based
Two caveats. The two forwarding-options statements only affect IPv6 and MPLS: IPv4 on an SRX has no packet-based mode knob, so stateless IPv4 forwarding needs either a firewall filter with the packet-mode action on the interfaces or zones with a permit-all policy. And a forwarding-mode change only takes effect after a reboot.
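The complete version of the conversion, added here as an example and not from the original page: the page's two statements for IPv6 and MPLS, plus a firewall filter whose packet-mode action makes IPv4 bypass the flow engine on the three interfaces the page uses, and the reboot the mode change needs. The filter name bypass-flow is an assumption.

```junos
## Added example, not the original page's configuration. Filter name is assumed.
delete security
set security forwarding-options family inet6 mode packet-based
set security forwarding-options family mpls mode packet-based
## IPv4 has no "mode packet-based"; bypass the flow engine per interface instead
set firewall family inet filter bypass-flow term all then packet-mode
set firewall family inet filter bypass-flow term all then accept
set interfaces ge-0/0/0 unit 0 family inet filter input bypass-flow
set interfaces ge-0/0/1 unit 0 family inet filter input bypass-flow
set interfaces ge-0/0/2 unit 0 family inet filter input bypass-flow
commit
## The forwarding-mode change is only applied at boot
run request system reboot
```

After the reboot, show security flow status reports the forwarding mode per family, and the box no longer keeps sessions for the filtered interfaces: there is no stateful inspection, screens or policy on that traffic any more, which is the point of the exercise but worth stating before doing it on an edge device.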
Debugging
Debug is called traces in Juniper-speak. All traces end up in /var/log/filename.
To set up logging of messages and interactive commands you can use:
system {
syslog {
user * {
any notice;
}
file messages {
any any;
authorization info;
}
file interactive-commands {
interactive-commands any;
}
}
}
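The local files above are lost if the box is wiped or the attacker who got in clears them. As an added example, not from the original page, the same streams can be sent to a remote collector with explicit priorities, while the local copies get bounded archives that are not world-readable. The collector address 10.0.0.100 and the source address 10.0.0.2 (the page's ge-0/0/0.0 address) are assumptions.

```junos
## Added example, not the original page's configuration. Collector and source address assumed.
## Off-box copy: messages, authentication events and every command typed
set system syslog host 10.0.0.100 any notice
set system syslog host 10.0.0.100 authorization info
set system syslog host 10.0.0.100 interactive-commands any
set system syslog host 10.0.0.100 explicit-priority
set system syslog source-address 10.0.0.2
## Local copies, rotated at 1 MB, 10 generations, readable only by privileged users
set system syslog file messages any any
set system syslog file messages authorization info
set system syslog file messages explicit-priority
set system syslog file messages archive size 1m files 10 no-world-readable
set system syslog file interactive-commands interactive-commands any
set system syslog file interactive-commands archive size 1m files 10 no-world-readable
## A separate file for login failures and privilege changes, easy to alert on
set system syslog file auth-log authorization any
set system syslog file auth-log archive size 512k files 5 no-world-readable
commit
run show log auth-log
```

In flow mode the syslog packets leave through whichever interface routes to the collector; if the collector sits behind a zone with policies, allow the traffic from the junos-host zone, otherwise the collector silently receives nothing.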
If you want a separate log for e.g. OSPF, you can do it with:
protocols {
ospf {
traceoptions {
file ospf-trace size 128k files 10 no-world-readable;
flag event detail;
flag error detail;
}
}
}
which will be written to /var/log/ospf-trace and can be viewed with:
rael@SRX240> <input>show log ospf-trace</input>
Sep 20 08:44:13 trace_on: Tracing to "/var/log/ospf-trace" started
Sep 20 08:44:13.051243 IFL ge-0/0/0.0 addr (10.0.0.2) ifachange 0x0
Sep 20 08:44:13.051448 IFL ge-0/0/1.0 addr (10.0.0.5) ifachange 0x0
Sep 20 08:52:15.164538 OSPF packet ignored: no matching interface from 10.0.0.1, IFL 67
Sep 20 08:52:24.565608 OSPF packet ignored: no matching interface from 10.0.0.1, IFL 67
To watch it in real time you can use:
rael@SRX240> <input>monitor start ospf-trace</input>
rael@SRX240>
*** ospf-trace ***
Sep 20 09:06:24.093057 OSPF packet ignored: no matching interface from 10.0.0.1, IFL 67
Sep 20 09:06:33.360253 OSPF packet ignored: no matching interface from 10.0.0.1, IFL 67
<input>monitor stop</input>
rael@SRX240>
To filter the log you can use:
rael@SRX240> <input>show log ospf-trace | match "ge|lo"</input>
Sep 20 08:44:13 trace_on: Tracing to "/var/log/ospf-trace" started
Sep 20 08:44:13.050316 IFL ge-0/0/2.0 iflchange 0x0
Sep 20 08:44:13.050446 IFL ge-0/0/1.0 iflchange 0x0
Sep 20 08:44:13.050538 IFL ge-0/0/0.0 iflchange 0x0
Sep 20 08:44:13.050638 IFL lo0.32768 iflchange 0x0
Sep 20 08:44:13.050730 IFL lo0.16385 iflchange 0x0
Sep 20 08:44:13.050834 IFL lo0.16384 iflchange 0x0
Sep 20 08:44:13.051243 IFL ge-0/0/0.0 addr (10.0.0.2) ifachange 0x0
Sep 20 08:44:13.051448 IFL ge-0/0/1.0 addr (10.0.0.5) ifachange 0x0
Sep 20 08:44:13.051636 IFL ge-0/0/2.0 addr (10.0.0.9) ifachange 0x0
rael@SRX240>
To reset the log file use clear log ospf-trace.
To delete the log file you could use file delete /var/log/ospf-trace <- do not use this command; the daemon still has the file open, so deleting it neither frees the space nor stops the trace, whereas clear log truncates it in place.
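The OSPF trace above is small, but the trace most often reached for on an SRX is the flow trace, and left unfiltered it fills /var/log within minutes. As an added example, not from the original page, the same traceoptions pattern with the three things that keep it safe: a size cap, a packet-filter so only the flow under investigation is traced, and removal when done. The host 10.0.0.10 and port 22 in the filter are assumptions.

```junos
## Added example, not the original page's configuration. Filter values are assumed.
set security flow traceoptions file flow-trace size 1m files 3 no-world-readable
set security flow traceoptions flag basic-datapath
## Only trace packets matching this filter; without it every packet is logged
set security flow traceoptions packet-filter pf1 source-prefix 10.0.0.10/32
set security flow traceoptions packet-filter pf1 protocol tcp
set security flow traceoptions packet-filter pf1 destination-port 22
commit
## Reproduce the problem, then read the trace
run show log flow-trace
## Remove the trace afterwards; traceoptions left behind keep writing
delete security flow traceoptions
commit
```

monitor start flow-trace and show log flow-trace | match 10.0.0.10 work exactly as shown for the OSPF trace; the file lives in /var/log like every other trace.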
Interface status
To see interface information use show interfaces
rael@SRX240> <input>show interfaces</input>
Physical interface: <notice>ge-0/0/0, Enabled</notice>, Physical link is <notice>Up</notice>
Interface index: 131, SNMP ifIndex: 115
Link-level type: Ethernet, MTU: 1514, Link-mode: Full-duplex, Speed: 100mbps, BPDU Error: None, MAC-REWRITE Error: None, Loopback: Disabled,
Source filtering: Disabled, Flow control: Enabled, Auto-negotiation: Enabled, Remote fault: Online
Device flags : Present Running
Interface flags: SNMP-Traps Internal: 0x0
Link flags : None
CoS queues : 8 supported, 8 maximum usable queues
Current address: 00:24:dc:d8:16:80, Hardware address: 00:24:dc:d8:16:80
Last flapped : 2011-09-19 10:44:07 UTC (22:42:57 ago)
Input rate : 8216 bps (17 pps)
Output rate : 16240 bps (16 pps)
Active alarms : None
Active defects : None
Logical interface ge-0/0/0.0 (Index 67) (SNMP ifIndex 116)
Flags: SNMP-Traps Encapsulation: ENET2
Input packets : 4677
Output packets: 3300
Security: Zone: Null
Protocol inet, MTU: 1500
Flags: Is-Primary
Addresses, Flags: Is-Default Is-Preferred Is-Primary
Destination: 10.0.0.0/30, Local: 10.0.0.2, Broadcast: 10.0.0.3
Physical interface: gr-0/0/0, Enabled, Physical link is Up
Interface index: 149, SNMP ifIndex: 132
Type: GRE, Link-level type: GRE, MTU: Unlimited, Speed: 800mbps
Link flags : Scheduler Keepalives DTE
Device flags : Present Running
Interface flags: Point-To-Point
Input rate : 0 bps (0 pps)
Output rate : 0 bps (0 pps)
Physical interface: ip-0/0/0, Enabled, Physical link is Up
Interface index: 150, SNMP ifIndex: 133
Type: IPIP, Link-level type: IP-over-IP, MTU: Unlimited, Speed: 800mbps
Link flags : Scheduler Keepalives DTE
Device flags : Present Running
Input rate : 0 bps (0 pps)
Output rate : 0 bps (0 pps)
For a quick overview use <input>show interfaces terse</input>
rael@SRX240> <input>show interfaces terse</input>
Interface Admin Link Proto Local Remote
ge-0/0/0 up up
ge-0/0/0.0 <notice>up up</notice> inet <notice>10.0.0.2/30</notice>
gr-0/0/0 up up
ip-0/0/0 up up
ls-0/0/0 up up
lt-0/0/0 up up
mt-0/0/0 up up
pd-0/0/0 up up
pe-0/0/0 up up
ge-0/0/1 up up
ge-0/0/1.0 up up inet 10.0.0.5/30
ge-0/0/2 up up
ge-0/0/2.0 up up inet 10.0.0.9/30
ge-0/0/3 up down
ge-0/0/4 up down
ge-0/0/5 up down
ge-0/0/6 up down
ge-0/0/7 up down
ge-0/0/8 up down
ge-0/0/9 up down
ge-0/0/10 up down
ge-0/0/11 up down
ge-0/0/12 up down
ge-0/0/13 up down
ge-0/0/14 up down
ge-0/0/15 up down
gre up up
ipip up up
lo0 up up
lo0.16384 up up inet 127.0.0.1 --> 0/0
lo0.16385 up up inet 10.0.0.1 --> 0/0
10.0.0.16 --> 0/0
128.0.0.1 --> 0/0
128.0.1.16 --> 0/0
inet6 fe80::224:dcff:fed8:1680
lo0.32768 up up
lsi up up
mtun up up
pimd up up
pime up up
pp0 up up
st0 up up
tap up up
vlan up up
rael@SRX240>
For real-time statistics from an interface use monitor interface ge-0/0/0
rael@SRX240> <input>monitor interface ge-0/0/0</input>
SRX240 Seconds: 4 Time: 09:37:16
Delay: 0/0/2
Interface: ge-0/0/0, Enabled, Link is Up
Encapsulation: Ethernet, Speed: 1000mbps
Traffic statistics: Current delta
Input bytes: 772560 (616 bps) [356]
Output bytes: 949366 (1832 bps) [8434]
Input packets: 5294 (1 pps) [8]
Output packets: 3698 (0 pps) [11]
Error statistics:
Input errors: 0 [0]
Input drops: 0 [0]
Input framing errors: 0 [0]
Policed discards: 135 [0]
L3 incompletes: 0 [0]
L2 channel errors: 0 [0]
L2 mismatch timeouts: 0 [0]
Carrier transitions: 3 [0]
Output errors: 0 [0]
Output drops: 0 [0]
Aged packets: 0 [0]
Active alarms : None
Active defects: None
Input MAC/Filter statistics:
Unicast packets 11670 [8]
Broadcast packets 44 [0]
Multicast packets 1946 [0]
Oversized frames 0 [0]
Packet reject count 0 [0]
DA rejects 0 [0]
SA rejects 0 [0]
Output MAC/Filter Statistics:
Unicast packets 3602 [13]
Broadcast packets 80 [0]
Multicast packets 0 [0]
Packet pad count 0 [0]
Packet error count 0 [0]
Next='n', Quit='q' or ESC, Freeze='f', Thaw='t', Clear='c', Interface='i'
NTP
Here we set up NTP so that it synchronises at boot (boot-server) and has a server it uses for ongoing updates
[edit]
rael@SRX240# <input>edit system ntp</input>
[edit system ntp]
rael@SRX240# <input>set boot-server mars.tekkom.dk</input>
[edit system ntp]
rael@SRX240# <input>set server mars.tekkom.dk</input>
[edit system ntp]
rael@SRX240#
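Unauthenticated NTP lets anyone who can spoof a reply move the clock, and with it every log timestamp and certificate validity check on the box. As an added example, not from the original page, the same server with symmetric-key authentication. Key id 1, the key string, the source address 10.0.0.2 and the zone name trust are assumptions.

```junos
## Added example, not the original page's configuration. Key, source address and zone assumed.
set system ntp authentication-key 1 type md5 value "replace-with-shared-secret"
set system ntp trusted-key 1
set system ntp boot-server mars.tekkom.dk
set system ntp server mars.tekkom.dk key 1 prefer
set system ntp source-address 10.0.0.2
set system time-zone UTC
## Flow mode: the NTP replies are host-bound, the zone has to admit them
set security zones security-zone trust host-inbound-traffic system-services ntp
commit
run show ntp associations
run show ntp status
```

The key has to match what mars.tekkom.dk is configured with; the value is stored in the configuration marked SECRET-DATA like the password hashes. show ntp associations should show the server with reach climbing towards 377 and a * in front of it once it is selected.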
Power Off
JUNOS should be shut down cleanly before power is removed. request system halt stops JUNOS and leaves the console at "The operating system has halted"; only then pull the power.
user@router> request system halt
Interfaces Up/Down
#Shutdown an interface
reh@RERouter# set interfaces fe-0/0/0 disable
#enable an interface
reh@RERouter# delete interfaces fe-0/0/0 disable
DHCP Client
[edit]
reh@RERouter# set interfaces fe-0/0/0 unit 0 family inet dhcp
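On an SRX in flow mode the line above is not enough on its own: the DHCP offer is host-bound traffic and is dropped unless the interface's zone admits it. An added example, not from the original page, with that piece included; the zone name untrust is an assumption.

```junos
## Added example, not the original page's configuration. Zone name assumed.
set interfaces fe-0/0/0 unit 0 family inet dhcp
## Flow mode: admit DHCP on this interface, otherwise the lease never arrives
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services dhcp
commit
## The leased address shows up under the logical interface
run show interfaces terse fe-0/0/0.0
```

Admitting dhcp on the zone is all the outside side should be allowed; leaving ssh or ping in host-inbound-traffic on an Internet-facing zone exposes the management plane.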
Upgrade JUNOS
The latest JUNOS can be downloaded from junos.net, as long as you have an account with a serial number tied to it.[1]
Here I have put it on an FTP server with anonymous access.
Check that there is enough space on the device:
root@SRX240> show system storage
Filesystem Size Used Avail Capacity Mounted on
/dev/da0s1a 898M 158M 669M 19% /
devfs 1.0K 1.0K 0B 100% /dev
devfs 1.0K 1.0K 0B 100% /dev/
/dev/md0 450M 450M 0B 100% /junos
/cf 898M 158M 669M 19% /junos/cf
devfs 1.0K 1.0K 0B 100% /junos/dev/
procfs 4.0K 4.0K 0B 100% /proc
/dev/bo0s1e 24M 20K 22M 0% /config
/dev/da0s1f 61M 7.7M 48M 14% /cf/var/log
/dev/md1 84M 11M 66M 14% /mfs
/cf/var/jail 898M 158M 669M 19% /jail/var
devfs 1.0K 1.0K 0B 100% /jail/dev
Transfer the software and reboot
root@SRX240> request system software add ftp://192.168.146.115/junos-srxsme-12.1X44-D40.2-domestic.tgz
- 1488 kB 1488 kBps
Package contains junos-12.1X44-D40.2 ; renaming ...
NOTICE: Validating configuration against junos-12.1X44-D40.2.
NOTICE: Use the 'no-validate' option to skip this if desired.
Checking compatibility with configuration
Initializing...
Verified manifest signed by PackageProduction_9_5_0
Using junos-12.1X44-D40.2-domestic from /var/tmp/junos-12.1X44-D40.2
Copying package ...
cp: /var/etc/master.passwd: No such file or directory
Saving boot file package in /var/sw/pkg/junos-boot-srxsme-12.1X44-D40.2.tgz
JUNOS requires BIOS version upgrade from 0.0 to 2.7
Upgrading to BIOS 2.7 ...
boot.upgrade.uboot="0xbfc00000"
boot.upgrade.loader="0xbfe00000"
bootupgrade: illegal option -- U
Unknown option ?
bootupg -u <uboot-binary-file> -l <loader-elf-file> -v <pkgver>
Verified manifest signed by PackageProduction_12_1_0
Hardware Database regeneration succeeded
Validating against /config/juniper.conf.gz
cp: /cf/var/validate/chroot/var/etc/resolv.conf and /etc/resolv.conf are identical (not copied).
cp: /cf/var/validate/chroot/var/etc/hosts and /etc/hosts are identical (not copied).
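The install above fetched the image over anonymous FTP, so the only things standing between a tampered package and the box are the "Verified manifest signed by PackageProduction_..." check JUNOS performs and whatever you verify yourself. As an added example, not from the original page, a safer sequence for the same image: free space, copy the package locally, compare its checksum with the one published on the download page, take a snapshot to fall back to, validate, and only then install. The snapshot command is the form for branch SRX devices with dual root partitions (Junos 10.0 and later) and is an assumption for the release you are starting from.

```junos
## Added example, not the original page's procedure. Same FTP server and file name as the page.
request system storage cleanup
file copy ftp://192.168.146.115/junos-srxsme-12.1X44-D40.2-domestic.tgz /var/tmp/
## Compare with the checksum Juniper publishes for this file before going further
file checksum md5 /var/tmp/junos-srxsme-12.1X44-D40.2-domestic.tgz
## Copy the running system to the alternate partition so a bad upgrade is one reboot away from undone
request system snapshot slice alternate
## Check the candidate image against the running configuration without installing
request system software validate /var/tmp/junos-srxsme-12.1X44-D40.2-domestic.tgz
request system software add /var/tmp/junos-srxsme-12.1X44-D40.2-domestic.tgz no-copy reboot
## After the reboot
show version
show system snapshot media internal
```

The output on the page ends in the middle of the procedure and shows the BIOS upgrade step logging an error (bootupgrade: illegal option -- U), so after the reboot check show version for the expected release and keep the snapshot until the box has run cleanly for a while.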