Friday 22 February 2013

Juniper JNCIA-Junos - Class of Service

For this last chapter, you are going to mark some traffic.

Exercise – Marking packets

Your goal is to create a filter that you will apply on JUNOS1's em4 interface (input). This filter will mark all packets from 10.3.3.0/24 with expedited-forwarding (EF) DSCP.

Solution

firewall {
    family inet {
        filter apply-cos {
            term from-JUNOS3 {
                from {
                    source-address {
                        10.3.3.0/24;
                    }
                }
                then {
                    forwarding-class expedited-forwarding;
                    accept;
                }
            }
            term default {
                then accept;
            }
        }
    }
}
interfaces {
    em4 {
        unit 0 {
            family inet {
                filter {
                    input apply-cos;
                }
                address 172.30.25.9/30;
            }
        }
    }
}
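How the filter above treats packets, as an added Python model that is not part of the original post: terms are evaluated in order, the first matching term decides, and a Junos filter ends with an implicit discard, which is why the solution carries term default. The dictionary layout and the evaluate() function are assumptions made for this illustration.

```python
import ipaddress

# The page's apply-cos filter, modelled as an ordered list of terms.
# This structure is a constructed illustration, not Junos syntax.
APPLY_COS = [
    {"name": "from-JUNOS3", "source": ["10.3.3.0/24"],
     "forwarding_class": "expedited-forwarding", "action": "accept"},
    {"name": "default", "source": [],
     "forwarding_class": None, "action": "accept"},
]


def evaluate(filter_terms, src_ip):
    """Return (term name, action, forwarding class) for a source address."""
    addr = ipaddress.ip_address(src_ip)
    for term in filter_terms:
        nets = [ipaddress.ip_network(n) for n in term["source"]]
        # A term without 'from' conditions matches every packet.
        if not nets or any(addr in n for n in nets):
            return term["name"], term["action"], term["forwarding_class"]
    # No term matched: every Junos firewall filter ends with an implicit discard.
    return "(implicit)", "discard", None


if __name__ == "__main__":
    for ip in ("10.3.3.7", "172.30.25.10"):
        print(ip, "with default term:   ", evaluate(APPLY_COS, ip))
        print(ip, "without default term:", evaluate(APPLY_COS[:1], ip))
```

Dropping term default would silently discard everything arriving on em4 that does not come from 10.3.3.0/24, including the OSPF packets from JUNOS3's 172.30.25.10 address.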
This is the end of our hands-on exercises. You should now be ready to sit for the JNCIA-Junos certification. Don’t forget you can obtain 50% off the exam cost by passing the pre-assessment exam on Juniper’s website.

Juniper JNCIA-Junos - Routing Policy and Firewall Filters

We assume you have read chapter 2 of Juniper’s second PDF so that you can practice routing policy and firewall filters. First we are going to start with a simple route redistribution followed by a firewall filter to restrict telnet access.

Exercise 1 – Default route redistribution into OSPF

Create a policy to redistribute the existing default route (0.0.0.0/0) on JunOS1 into OSPF so that other routers can use it.

Solution

[edit]
root@JUNOS1# edit policy-options
[edit policy-options]
root@JUNOS1# set policy-statement default-static term accept-default-static from protocol static
[edit policy-options]
root@JUNOS1# set policy-statement default-static term accept-default-static from route-filter 0.0.0.0/0 exact
[edit policy-options]
root@JUNOS1# set policy-statement default-static term accept-default-static then accept
[edit policy-options]
root@JUNOS1# show
policy-statement default-static {
    term accept-default-static {
        from {
            protocol static;
            route-filter 0.0.0.0/0 exact;
        }
        then accept;
    }
}
[edit policy-options]
root@JUNOS1# top edit protocols ospf
[edit protocols ospf]
root@JUNOS1# set export default-static
[edit]
root@JUNOS1# commit
JUNOS1 now advertises the default route in OSPF. Check that JUNOS3 can actually see it:
root@JUNOS3# run show route protocol ospf
inet.0: 15 destinations, 15 routes (15 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
0.0.0.0/0          *[OSPF/150] 00:00:05, metric 0, tag 0
> to 172.30.25.9 via em4.0

Juniper JNCIA-Junos - Routing Fundamentals

Starting with Juniper’s second PDF, we can make a new practice lab for the next 3 chapters. This lab is a bit more advanced than the previous one in order to test the OSPF routing protocol. You will need 3 Juniper routers, here are the connections:
  • JUNOS1, interface em0 <-> JUNOS2, interface em0
  • JUNOS1, interface em1 <-> JUNOS2, interface em1
  • JUNOS1, interface em4 <-> JUNOS3, interface em4
  • JUNOS2, interface em3 <-> JUNOS3, interface em3
Make sure the routers have a factory default configuration (use the load factory-default command if you need to). Then set the host-name, root password and IP addresses for each router. To save time, you can copy and paste the following commands (don’t forget to commit):

JUNOS1

set system host-name JUNOS1
set interfaces em0 unit 0 family inet address 172.30.25.2/30
set interfaces em1 unit 0 family inet address 172.30.25.6/30
set interfaces em3 unit 0 family inet address 192.168.1.1/24
set interfaces em4 unit 0 family inet address 172.30.25.9/30
set interfaces lo0 unit 0 family inet address 10.1.1.1/24
set system root-authentication plain-text-password

Juniper JNCIA-Junos - Operational Monitoring and Maintenance

For the last chapter of Juniper’s first PDF, we are going to have a closer look at how to get more information about JunOS and also practice the password recovery procedure, which will sooner or later be useful for you.

Exercise 1 – boot messages

Do you remember the booting process in chapter 1? Well, you have a command to see the messages again (hint: use the show system command).

Solution

root@JUNOS1# run show system boot-messages
Copyright (c) 1996-2010, Juniper Networks, Inc.
...
ad1: 1024MB <QEMU HARDDISK 0.11.0> at ata0-slave WDMA2
Trying to mount root from ufs:/dev/ad0s1a
vn_read_compressed_block: invalid block index 550

Juniper JNCIA-Junos - Secondary System Configuration

Before diving deeper into JunOS configuration you should have read chapter 4 of Juniper’s first PDF. Let’s continue with the same lab as before.

Exercise 1 – Syslog

On JUNOS2, set up a syslog file to record any config changes (hint: system syslog). Commit and quit.

Solution

[edit]
root@JUNOS2# set system syslog file config-changes change-log info
[edit]
root@JUNOS2# commit and-quit
commit complete
Exiting configuration mode
Now go back to configuration mode and change junuser to give operator permissions instead of super-user. Again, commit and-quit. Using the show command, display the log related to your previous commit.

Solution

[edit]
 root@JUNOS2# set system login user junuser class operator
[edit]
root@JUNOS2# commit and-quit
commit complete
Exiting configuration mode
root@JUNOS2> show log config-changes
 Dec 16 05:06:24  JUNOS2 mgd[1392]: UI_CFG_AUDIT_SET: User 'root' set:
[system login user junuser class] "super-user -> "operator"
Use the help syslog command to learn more about the message code (UI_CFG_AUDIT_SET).
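A way to review the config-changes file for account and privilege changes, as an added Python example that is not part of the original post. The sample lines are constructed in the layout of the log entry above, and the watched configuration paths and the function names are assumptions chosen for the illustration.

```python
import re

# Layout of a UI_CFG_AUDIT_SET entry as shown in the page's log output.
# The quote after the old value is optional because the page's copy lacks it.
AUDIT_SET = re.compile(
    r"(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+(?P<host>\S+)\s+mgd\[\d+\]:\s+"
    r"UI_CFG_AUDIT_SET: User '(?P<user>[^']+)' set:\s*"
    r'\[(?P<path>[^\]]+)\]\s+"(?P<old>[^"]*)"?\s*->\s*"(?P<new>[^"]*)"'
)

# Configuration paths worth a second look (assumed watch list).
SENSITIVE_PREFIXES = ("system login", "system root-authentication")

# Constructed sample log lines, modelled on the page's entry.
SAMPLE = [
    "Dec 16 05:06:24  JUNOS2 mgd[1392]: UI_CFG_AUDIT_SET: User 'root' set: "
    '[system login user junuser class] "super-user" -> "operator"',
    "Dec 16 05:09:10  JUNOS2 mgd[1392]: UI_CFG_AUDIT_SET: User 'root' set: "
    '[system login user junuser class] "operator" -> "super-user"',
    "Dec 16 05:11:02  JUNOS2 mgd[1392]: UI_CFG_AUDIT_SET: User 'root' set: "
    '[system host-name] "JUNOS2" -> "LAB2"',
]


def parse_audit(line):
    """Return the fields of a UI_CFG_AUDIT_SET line, or None if it is not one."""
    m = AUDIT_SET.search(line)
    if not m:
        return None
    event = m.groupdict()
    event["old"] = event["old"].strip()
    return event


def review(lines):
    """List changes under the watched paths; tag grants of super-user."""
    findings = []
    for line in lines:
        ev = parse_audit(line)
        if ev is None or not ev["path"].startswith(SENSITIVE_PREFIXES):
            continue
        grant = ev["path"].endswith(" class") and ev["new"] == "super-user"
        findings.append((ev["user"], ev["path"], ev["old"], ev["new"],
                         "escalation" if grant else "account-change"))
    return findings
```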

Wednesday 20 February 2013

Juniper JNCIA-Junos - User Interface Options & Initial Configuration


This page is to practice what you learned in Juniper’s PDF (part 1), chapter 2 and 3.  So now it is time to get active and log in as root without any password.
First thing you should notice is that Amnesiac is the default host-name. This indicates that our JunOS is running with the factory-default configuration (you can use the load factory-default command in configuration mode to have a JunOS in this state).
You are logged in as root, so you should see the UNIX shell prompt root@% where you can type UNIX commands like ls or ps, but this is beyond our scope. What we want is the operational mode prompt root>, which is started with the cli command.
Amnesiac (ttyd0)
 login: root
--- JUNOS 10.1R1.8 built 2010-02-12 17:15:05 UTC
 root@% cli
 root>
Type show configuration to display the current factory-default configuration.
root> show configuration
## Last commit: 2011-02-17 00:34:21 UTC by root
version 10.1R1.8;
system {
    syslog {
        user * {
            any emergency;
        }
        file messages {
            any notice;
            authorization info;
        }
        file interactive-commands {
            interactive-commands any;
        }
    }
    ## Warning: missing mandatory statement(s): 'root-authentication'
}
Note the missing mandatory statement warning. This means you will not be able to commit your changes until you set up a password for root.

Juniper JNCIA-Junos - Operating System Fundamentals

This part is mainly theory and reading chapter 1 of Juniper’s PDF (part 1). It is only what you need for the exam; however, it is interesting to have an overview of how JunOS actually boots up.
First, make your lab in GNS3 by connecting 2 routers back to back using their em0 interface. Keep this lab for all your exercises for chapters of part 1.
Start your Juniper routers in GNS3 and console to them. As you learned in Juniper’s PDF, JunOS is based on FreeBSD, an open source UNIX Operating System. This OS is very reliable and you also get extra tools that you cannot find on Cisco IOS for instance.
The first thing you should see after starting JunOS is the kernel modules being loaded. The kernel is the core component of the operating system.
/boot/modules/if_bge.ko text=0xa98c data=0x364+0xc syms=[0x4+0xd50+0x4+0xd18]
...
/boot/modules/mac_runasnonroot.ko text=0x7b4 data=0x4d0 syms=[0x4+0x310+0x4+0x39d]
Then, you have a chance to give parameters to the kernel in order to change the default booting process. This can be useful to recover the root password for example, but that’s not the only use. Root is the name given to the super administrator on UNIX.