JunOS Basics

From ppwiki
Revision as of 15:21, 3 September 2018

In this tutorial we will cover the basics of JunOS on a Juniper switch, which will include:

  • How to set up the root password
  • How to change the device name
  • How to create a user with admin rights, using a password and using an SSH key
  • How to set up the management interface so you can SSH in to the switch
  • How to create VLANs
  • How to create access and trunk ports
  • How to create interface ranges
  • How to connect 2 switches

Prerequisites

To complete this tutorial, you will need:

  • A laptop running Linux or macOS. For this tutorial I will be using a laptop running Ubuntu 16
  • A console cable. Since most laptops today don't have a serial port, you will also need a USB-to-serial console adapter
  • The program "screen"

If you don't have "screen", install it with the command below

sudo apt-get install screen

Accessing the device

  • Step 1: Plug the console cable into the console port of your device and start screen as root on your laptop (Juniper consoles use 9600 baud, 8N1, which is also screen's default)
screen /dev/ttyUSB0 9600

  • Step 2: Power on your device

After the device has finished booting you will get the prompt below

(screenshot: Login1.png)

  • Step 3: Enter the username and password

On a factory-default Juniper device the only account is "root" and it has no password, which is why setting one is the first thing we do after logging in. At the prompt, just type root and hit enter

(screenshot: Login.png)

How to setup the root password

If you come from the Cisco world like me, JunOS is a little confusing at the beginning. But after running a couple of commands you get used to the concept.

To set up the root password we need to be in configuration mode (#). Right now our prompt shows "%", which is the FreeBSD shell of the device. Type in

cli

the prompt changes to ">", which is operational mode, and from there type "edit" or "configure" to enter configuration mode

root@switch:RE:0% cli
{master:0}
root@switch> edit 
Entering configuration mode
{master:0}[edit]
root@switch#

To set the root password with a plain-text password the command is "set system root-authentication plain-text-password". Type the command and hit enter; you will be asked to enter the password twice. JunOS never stores the plain text, only its hash, as the next step shows.

root@switch# set system root-authentication plain-text-password    
New password:
Retype new password:
{master:0}[edit]
root@switch#

Note: just setting the password is not enough, you need to save (activate) the change you just made. In JunOS the way to save changes is the command "commit"; until then the change sits only in the candidate configuration.

But before we save the changes there is another useful command that shows all the changes made to the candidate configuration before we commit, and that command is "show | compare"

root@switch# show | compare 
[edit system]
+   root-authentication {
+       encrypted-password "$1$vVYnP0uH$YmTKnA.L0W0KGFtTw36NJ/"; ## SECRET-DATA
+   }

The + sign in front of each line means that those lines will be added to the device configuration (lines that will be removed are shown with a - sign). Note that the password is shown only as its hash and tagged "## SECRET-DATA". You can make all your changes and type "show | compare" once before saving with "commit", or you can do one change at a time and "show | compare" and "commit" after each. If you are starting out I recommend doing one change at a time, then "show | compare", then "commit". When you work over a remote session rather than the console, "commit confirmed" is the safer form: it applies the change and rolls it back automatically unless you confirm it with a second "commit" within 10 minutes (the default), so a mistake in the management configuration cannot lock you out.

Now we can save our first configuration

root@switch# commit 
configuration check succeeds
commit complete
{master:0}[edit]
root@switch#

Now that we have the root password set, we are going to give the switch a name: we are going to use "asw-a1-dfw". Note: in a production environment I recommend not using the root account for day-to-day work and denying root login over SSH ("set system services ssh root-login deny") once SSH is enabled; named accounts like the ones we create below leave a usable audit trail.

How to change the device name

The command to set the device name is "set system host-name device_name"

{master:0}[edit]
root@switch# set system host-name asw-a1-dfw 

Do a "show | compare"

 root@switch# show | compare 
[edit system]
+  host-name asw-a1-dfw;

Then a "commit"

root@switch# commit 
configuration check succeeds
commit complete
{master:0}[edit]
root@asw-a1-dfw# 

We can see in the prompt that the device name changed from "switch" to "asw-a1-dfw"

How to create a privileged user

In this section we are going to set up 2 users, one with a password and another with an SSH key. The user with the password will be called ppaul1 and the user with the SSH key ppaul2. Both get the login class "super-user", which is full privilege; for accounts that only need to look at the device, the predefined "read-only" or "operator" classes are the better choice.

Setting user with password

Create user ppaul1

root@asw-a1-dfw# set system login user ppaul1 class super-user authentication plain-text-password
New password:
Retype new password:
 root@asw-a1-dfw# show | compare 
[edit system]
+   login {
+       user ppaul1 {
+           class super-user;
+           authentication {
+               encrypted-password "$1$LivXhitM$r9CHQgnCiT6nzRt7XhM/k/"; ## SECRET-DATA
+           }
+       }
+   }
 root@asw-a1-dfw# commit 
configuration check succeeds
commit complete


Testing user ppaul1

Log out of the user "root" by typing "exit" until you get back to the login prompt

login: ppaul1
Password:
--- JUNOS 10.4R1.9 built 2010-12-04 09:57:12 UTC
{master:0}
ppaul1@asw-a1-dfw> 

We are now logged in as the user "ppaul1" with a password. In the next step we will create the user ppaul2 with an SSH key.

Setting user with SSH key

You can log in as root to create the user "ppaul2", or just use the user "ppaul1" to create it, since ppaul1 is a super-user (remember to enter configuration mode with "edit" first). The value after "ssh-rsa" is the public key of your laptop user, the content of ~/.ssh/id_rsa.pub; the private key never leaves the laptop.

ppaul1@asw-a1-dfw# set system login user ppaul2 class super-user authentication ssh-rsa "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDST4EbXJc9l/AdrVmOZEPl3sxi6qjGIZyPwkupthSdooFHxPxUIh/a5PC9bMk5go6KvRoChpc4L8XuMRsxLTd6Ro6DsWIZieGHFuO/AL9SRUtmevGiSC2q4ibR7ACosJBUvKPRVK8anYnMSL9YWd7lnmVLnW5mvOM3Alhd8aTNKE3/H9ogDt9UfndEJXmieMTLJzGvx65sw6riqa5hh6iOcw02qb3QQCKLSRJmUJQuToY4oo/ZdLl/prEDKQ0I9DSnOxRYIvZxvUsTzwoXVq9X9dWGkKAAMDw7f2DJfa/4uCNT2dKPydApeN0ea2/69VRL3fmTz47y0CC1RTEd8j1j U18pc"
 ppaul1@asw-a1-dfw# show | compare 
[edit system login]
+    user ppaul2 {
+        class super-user;
+        authentication {
+            ssh-rsa "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDST4EbXJc9l/AdrVmOZEPl3sxi6qjGIZyPwkupthSdooFHxPxUIh/a5PC9bMk5go6KvRoChpc4L8XuMRsxLTd6Ro6DsWIZieGHFuO/AL9SRUtmevGiSC2q4ibR7ACosJBUvKPRVK8anYnMSL9YWd7lnmVLnW5mvOM3Alhd8aTNKE3/H9ogDt9UfndEJXmieMTLJzGvx65sw6riqa5hh6iOcw02qb3QQCKLSRJmUJQuToY4oo/ZdLl/prEDKQ0I9DSnOxRYIvZxvUsTzwoXVq9X9dWGkKAAMDw7f2DJfa/4uCNT2dKPydApeN0ea2/69VRL3fmTz47y0CC1RTEd8j1j U18pc"; ## SECRET-DATA
+        }
+    }
ppaul1@asw-a1-dfw# commit 
configuration check succeeds
commit complete

We cannot test the user ppaul2 yet: that needs the management interface configured and SSH enabled on the device, which we do in the next section.

How to setup management interface and SSH

Setting up the management interface

The dedicated management interface on a Juniper EX switch is called "me0" (on Juniper routers and firewalls it is "fxp0"). Also, all interfaces are enabled by default on Juniper switches. Let us use the command "show interfaces me0" to see its output.

Note: you need to be in operational mode (>) to execute this command

 ppaul1@asw-a1-dfw> show interfaces me0    
Physical interface: me0, Enabled, Physical link is Down
  Interface index: 1, SNMP ifIndex: 33
  Type: Ethernet, Link-level type: Ethernet, MTU: 1514
  Device flags   : Present Running No-Carrier
  Interface flags: Hardware-Down SNMP-Traps
  Current address: 5c:5e:ab:75:6c:81, Hardware address: 5c:5e:ab:75:6c:ff
  Last flapped   : 2016-07-25 01:49:33 UTC (00:00:06 ago)
    Input packets : 1248 
    Output packets: 280
  Logical interface me0.0 (Index 6) (SNMP ifIndex 34) 
    Flags: Device-Down SNMP-Traps Encapsulation: ENET2
    Input packets : 1248 
    Output packets: 280
    Protocol eth-switch
      Flags: Is-Primary

We can see that the interface is enabled but down; down means nothing is plugged into it. Now enter configuration mode and type "show interfaces me0"

 {master:0}[edit]
ppaul1@asw-a1-dfw# show interfaces me0 
{master:0}[edit]
ppaul1@asw-a1-dfw# 

There is no output: the interface is enabled, but nothing is configured on it

Let us configure the interface with the command "set interfaces me0 unit 0 family inet address 10.192.0.101/24" (change this IP address to match your environment; the management network should be a separate, access-controlled network, since this address is where SSH will be reachable)

ppaul1@asw-a1-dfw# set interfaces me0 unit 0 family inet address 10.192.0.101/24 

See what will be the changes

 {master:0}[edit]
ppaul1@asw-a1-dfw# show | compare 
[edit interfaces]
+   me0 {
+       unit 0 {
+           family inet {
+               address 10.192.0.101/24;
+           }
+       }
+   }

Now save the changes

 ppaul1@asw-a1-dfw# commit 
configuration check succeeds
commit complete

Check the interface configuration again

ppaul1@asw-a1-dfw# show interfaces me0 
unit 0 {
    family inet {
        address 10.192.0.101/24;
    }
}

We see that the interface now has an IP address

The next step is to plug a cable into the interface and check that the link is "up". Go back to operational mode and type "show interfaces me0", or from configuration mode you can prefix the command with "run": "run show interfaces me0"

 ppaul1@asw-a1-dfw# run show interfaces me0 
Physical interface: me0, Enabled, Physical link is Up
  Interface index: 1, SNMP ifIndex: 33
  Type: Ethernet, Link-level type: Ethernet, MTU: 1514, Speed: 1000mbps
  Device flags   : Present Running
  Interface flags: SNMP-Traps
  Link type      : Full-Duplex
  Current address: 5c:5e:ab:75:6c:ff, Hardware address: 5c:5e:ab:75:6c:ff
  Last flapped   : 2016-07-25 02:05:21 UTC (00:00:44 ago)
    Input packets : 1248 
    Output packets: 283
  Logical interface me0.0 (Index 7) (SNMP ifIndex 34) 
    Flags: SNMP-Traps Encapsulation: ENET2
    Bandwidth: 0
    Input packets : 0 
    Output packets: 3
    Protocol inet
      Flags: Is-Primary
      Addresses, Flags: Is-Default Is-Preferred Is-Primary
        Destination: 10.192.0/24, Local: 10.192.0.101, Broadcast: 10.192.0.255

We see from the output that the interface is up. The next step is to enable SSH

Enable SSH

We just need one command to enable SSH on the device: "set system services ssh". Two things to know about it: the SSH server listens on every interface that has an address, not only me0, and unless you add "set system services ssh root-login deny" root may also log in over SSH. In production, deny root login, administer the switch with named accounts such as the two we created, and make sure telnet ("set system services telnet") stays off.

ppaul1@asw-a1-dfw# set system services ssh
ppaul1@asw-a1-dfw# show | compare
[edit system]
+   services {
+       ssh;
+   }
{master:0}[edit]
ppaul1@asw-a1-dfw# commit 
configuration check succeeds
commit complete

Testing user ppaul2

Now let us test user "ppaul2". On your laptop open a terminal window and type "ssh ppaul2@10.192.0.101" (change the IP address to the one you set up). The private key matching the public key we configured must be in your laptop's ~/.ssh, otherwise ssh falls back to asking for a password, which ppaul2 does not have.

ssh ppaul2@10.192.0.101
--- JUNOS 10.4R1.9 built 2010-12-04 09:57:12 UTC
{master:0}
ppaul2@asw-a1-dfw>

We are able to log in to the device as user "ppaul2" without typing a password: the switch authenticated the laptop's private key against the public key we configured. In the next section we are going to create 4 VLANs.
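As an added example, not code from the original page or from Juniper: the settings made in the three sections above (root password, named accounts, SSH) can be verified offline against the output of "show configuration | display set". The Python script below does that for the system stanza. The two configurations embedded in it are constructed for the example (the host name and user names are the tutorial's, the hashes and the SSH key are placeholders), and the ssh root-login, telnet and password-hash checks are the reviewer's additions, not steps from the tutorial.

```python
"""Offline audit of the "system" stanza of a Junos configuration.

Added example, not code from the original page or from Juniper.  Input is
the text of "show configuration | display set".  Both configurations below
are constructed for the example: the host name and user names are the
tutorial's, the hashes and the SSH key are placeholders.
"""
import re
from typing import List

# Constructed: the tutorial's switch after the SSH section, plus a telnet
# statement so the cleartext-login check has something to find.
WEAK_CONFIG = """\
set system host-name asw-a1-dfw
set system root-authentication encrypted-password "$1$vVYnP0uH$YmTKnA.L0W0KGFtTw36NJ/"
set system login user ppaul1 class super-user
set system login user ppaul1 authentication encrypted-password "$1$LivXhitM$r9CHQgnCiT6nzRt7XhM/k/"
set system login user ppaul2 class super-user
set system login user ppaul2 authentication ssh-rsa "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDplaceholder ppaul2@laptop"
set system services ssh
set system services telnet
"""

# Constructed: the same switch with the changes the audit asks for.
HARDENED_CONFIG = """\
set system host-name asw-a1-dfw
set system root-authentication encrypted-password "$6$placeholder$notarealhash"
set system login user ppaul1 class super-user
set system login user ppaul1 authentication encrypted-password "$6$placeholder$notarealhash"
set system login user ppaul2 class super-user
set system login user ppaul2 authentication ssh-rsa "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDplaceholder ppaul2@laptop"
set system services ssh root-login deny
set system services ssh protocol-version v2
"""

# crypt(3) prefixes Junos writes in front of a password hash.
HASH_ALGORITHMS = {"$1$": "MD5-crypt", "$5$": "SHA-256-crypt", "$6$": "SHA-512-crypt"}

PASSWORD_RE = re.compile(
    r'^set system (?:root-authentication|login user (\S+) authentication) '
    r'encrypted-password "(\$\d\$)'
)
SUPER_USER_RE = re.compile(r"^set system login user (\S+) class super-user$")


def set_lines(config: str) -> List[str]:
    """Keep the 'set ...' statements, one per line, whitespace trimmed."""
    return [ln.strip() for ln in config.splitlines() if ln.strip().startswith("set ")]


def audit_system(config: str) -> List[str]:
    """One finding per weak setting; an empty list means every check passed."""
    lines = set_lines(config)

    def has(statement: str) -> bool:
        # True if the statement exists as-is or as a prefix of a longer one
        # ("set system services ssh" is implied by "... ssh root-login deny").
        return any(ln == statement or ln.startswith(statement + " ") for ln in lines)

    findings: List[str] = []
    if not has("set system root-authentication"):
        findings.append("root has no password (factory default)")
    if not has("set system services ssh"):
        findings.append("ssh is not enabled; only the console can reach the switch")
    elif not has("set system services ssh root-login deny"):
        findings.append("ssh root-login is not denied; use named accounts and "
                        "'set system services ssh root-login deny'")
    if has("set system services telnet"):
        findings.append("telnet is enabled: logins cross the wire in clear text")
    for ln in lines:
        m = PASSWORD_RE.match(ln)
        if m and m.group(2) == "$1$":
            who = m.group(1) or "root"
            findings.append(f"{who}: password stored as {HASH_ALGORITHMS['$1$']}, "
                            "cheap to brute-force offline if the config leaks")
    return findings


def super_users(config: str) -> List[str]:
    """Accounts with full privilege, so each can be justified (or moved to a
    narrower class such as read-only or operator)."""
    return [m.group(1) for ln in set_lines(config) for m in [SUPER_USER_RE.match(ln)] if m]


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else WEAK_CONFIG
    for finding in audit_system(text) or ["no findings"]:
        print(finding)
    print("super-users:", ", ".join(super_users(text)) or "none")
```

Run it with a saved dump as the first argument; with no argument it audits the weak sample. The "$1$" prefix identifies an MD5-crypt hash, which is what the tutorial's release generated; newer releases can store SHA-512 hashes ("set system login password format sha512"), which is what the hardened sample assumes.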

How to create VLANs

In this section we are going to create 4 VLANs

  • VLAN private1-a-dfw with ID 2000
  • VLAN private1-b-dfw with ID 2001
  • VLAN private1-c-dfw with ID 2002
  • VLAN private1-d-dfw with ID 2003

The command to create a VLAN is "set vlans vlan_name vlan-id XXXX"

ppaul2@asw-a1-dfw# set vlans private1-a-dfw vlan-id 2000 

Check the output before saving

ppaul2@asw-a1-dfw# show | compare 
[edit]
+  vlans {
+      private1-a-dfw {
+          vlan-id 2000;
+      }
+  }
ppaul2@asw-a1-dfw# commit 
configuration check succeeds
commit complete

We have the first VLAN; use the same command to create the other VLANs, changing the vlan_name and the vlan-id each time. After creating all the VLANs, type "show vlans" in configuration mode

Output

ppaul2@asw-a1-dfw# show vlans 
private1-a-dfw {
    vlan-id 2000;
}
private1-b-dfw {
    vlan-id 2001;
}
private1-c-dfw {
    vlan-id 2002;
}
private1-d-dfw {
    vlan-id 2003;
}

Now that we have all the VLANs set up, in the next section we are going to create 5 interface-ranges.

How to create interfaces range

As I mentioned earlier when setting up the management interface me0, all interfaces on a Juniper device are enabled by default. Setting up interface ranges helps to organize and manage the device: think of an interface range as a group in which you put interfaces that share the same configuration, so the configuration is written once and applied to every member. For security reasons it is best to disable every interface that is not in use and only enable a port when it has to be used: an enabled, unconfigured port is a free connection into the switch for whoever can physically reach it.

The first interface-range we are going to create is called "disable"; it will have the description DISABLED and the interface-range itself will be set to disable, so every member port is administratively down.

ppaul2@asw-a1-dfw# set interfaces interface-range disable disable description DISABLED 
{master:0}[edit]
ppaul2@asw-a1-dfw# show | compare 
[edit interfaces]
+   interface-range disable {
+       description DISABLED;
+       disable;
+   }

We can see that we created an interface-range named "disable" with the description DISABLED, and that the interface range is disabled.

We cannot save this change until the interface-range has a member. If we try to commit right now, with no member in the interface-range, we get:

ppaul2@asw-a1-dfw# commit 
error: interface-range 'disable' has no member/member-range statements
error: interface-ranges expansion failed

Before assigning a member to the interface-range, type "show interfaces" in configuration mode

ppaul2@asw-a1-dfw# show interfaces 
interface-range disable {
    description DISABLED;
    disable;
}
ge-0/0/0 {
    unit 0 {
        family ethernet-switching;
    }
}
ge-0/0/1 {
    unit 0 {
        family ethernet-switching;
    }
}
---

This output lists all the interfaces on the device. The 1G interfaces are listed as ge-0/0/x and the 10G interfaces (typically on the uplink module) as xe-0/1/x. For the 1G interfaces x runs from 0 to n, n being the last port of the device, and numbering starts at 0: a device with 48 ports has ge-0/0/0 to ge-0/0/47.

On a device with 48 interfaces we have the option to move all 48 of them into the interface-range disable in one statement with "member-range ge-0/0/0 to ge-0/0/47". But in this tutorial we are going to move interfaces one at a time with "member". I like this option because of the layout: every port in the range is listed explicitly in the configuration.

How to assign members to an interface-range

We are going to assign the first 2 interfaces, ge-0/0/0 and ge-0/0/1, to our interface-range disable

ppaul2@asw-a1-dfw# set interfaces interface-range disable member ge-0/0/0 
{master:0}[edit]
ppaul2@asw-a1-dfw# show | compare 
[edit interfaces]
+   interface-range disable {
+       member ge-0/0/0;
+       description DISABLED;
+       disable;
+   }
ppaul2@asw-a1-dfw# set interfaces interface-range disable member ge-0/0/1    
{master:0}[edit]
ppaul2@asw-a1-dfw# show | compare                                            
[edit interfaces]
+   interface-range disable {
+       member ge-0/0/0;
+       member ge-0/0/1;
+       description DISABLED;
+       disable;
+   }

Now that we have the first 2 interfaces in the interface-range disable, let us commit the changes and issue the command "show interfaces ge-0/0/0 descriptions" in operational mode. Issue also the command "show interfaces": both ports now report "Administratively down", which is what the disable statement on the range does to every member

ppaul2@asw-a1-dfw> show interfaces ge-0/0/0 descriptions    
Interface       Admin Link Description
ge-0/0/0        down  down DISABLED

ppaul2@asw-a1-dfw> show interfaces
Physical interface: ge-0/0/0, Administratively down, Physical link is Down
Interface index: 130, SNMP ifIndex: 504
Description: DISABLED

Physical interface: ge-0/0/1, Administratively down, Physical link is Down
 Interface index: 131, SNMP ifIndex: 506
 Description: DISABLED

Create interface ranges for VLANs

In this section we are going to create 4 interface-ranges, one for each of the 4 VLANs we created earlier

  • vlan-private1-a-dfw
  • vlan-private1-b-dfw
  • vlan-private1-c-dfw
  • vlan-private1-d-dfw

We know already the command to create an interface-range.

{master:0}[edit]
ppaul2@asw-a1-dfw# set interfaces interface-range vlan-private1-a-dfw unit 0 family ethernet-switching vlan members private1-a-dfw

This will create the interface-range vlan-private1-a-dfw and assign the private1-a-dfw VLAN to it.

Next, we are going to set this interface range to be an access interface.

{master:0}[edit]
ppaul2@asw-a1-dfw# set interfaces interface-range vlan-private1-a-dfw unit 0 family ethernet-switching port-mode access

check before saving and save.

ppaul2@asw-a1-dfw# show | compare 
[edit interfaces]
    interface-range disable { ... }
+   interface-range vlan-private1-a-dfw {
+       unit 0 {
+           family ethernet-switching {
+               port-mode access;
+               vlan {
+                   members private1-a-dfw;
+               }
+           }
+       }
+   }

Before saving we need to assign at least one member to the interface range; we also give that member a description with "set interfaces ge-0/0/2 description testsrv2001", so that "show interfaces descriptions" later tells us what is plugged into the port

{master:0}[edit]
ppaul2@asw-a1-dfw# set interfaces interface-range vlan-private1-a-dfw member ge-0/0/2
ppaul2@asw-a1-dfw# show | compare 
[edit interfaces]
    interface-range disable { ... }
+   interface-range vlan-private1-a-dfw {
+       member ge-0/0/2;
+        unit 0 {
+           family ethernet-switching {
+               port-mode access;
+               vlan {
+                   members private1-a-dfw;
+               }
+           }
+       }
+   }
[edit interfaces ge-0/0/2]
+   description testsrv2001;

Now we can save the changes and issue the command "show interfaces"

{master:0}[edit]
ppaul2@asw-a1-dfw# show interfaces   
interface-range disable {
   member ge-0/0/0;
   member ge-0/0/1;
   description DISABLED;
   disable;
}
interface-range vlan-private1-a-dfw {
   member ge-0/0/2;
   unit 0 {
       family ethernet-switching {
           port-mode access;
           vlan {
               members private1-a-dfw;
           }
       }
   }
}
---

Use the same steps to create the other interface-ranges. After that we should have all 4 interface-ranges, each with at least 1 member.

{master:0}[edit]
ppaul2@asw-a1-dfw# show interfaces 
interface-range disable {
   member ge-0/0/0;
   member ge-0/0/1;
   description DISABLED;
   disable;
}
interface-range vlan-private1-a-dfw {
   member ge-0/0/2;
   unit 0 {
       family ethernet-switching {
           port-mode access;
           vlan {
               members private1-a-dfw;
           }
       }
   }
}
interface-range vlan-private1-b-dfw {
   member ge-0/0/12;
   unit 0 {
       family ethernet-switching {
           port-mode access;
           vlan {
               members private1-b-dfw;
           }
       }
   }
}
interface-range vlan-private1-c-dfw {
   member ge-0/0/23;
   unit 0 {
       family ethernet-switching {
           port-mode access;
           vlan {
               members private1-c-dfw;
           }
       }
   }
}
interface-range vlan-private1-d-dfw {
   member ge-0/0/35;
   unit 0 {
       family ethernet-switching {
           port-mode access;
           vlan {
               members private1-d-dfw;
           }
       }
   }
}
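
The interface-range work above can be checked offline. As an added example, not code from the original page or from Juniper, the Python script below reads the interface-range statements from a "show configuration interfaces | display set" dump, expands "member" and "member-range" into explicit port names, and lists every port that no range covers, which on this switch means a port still running the factory default: enabled and unconfigured. It also prints the "set" statements that would sweep those ports into the disable range. The 48-port chassis and the configuration text are constructed for the example; the range names and members follow the tutorial, except that vlan-private1-c-dfw is given a member-range to exercise the second syntax.

```python
"""List the switch ports that no interface-range covers.

Added example, not code from the original page or from Juniper.  Input is
the text of "show configuration interfaces | display set"; the chassis
layout and the configuration below are constructed for the example.
"""
import re
from typing import Dict, List, Set

# Physical interface names look like ge-0/0/3 (type-fpc/pic/port).
IFACE_RE = re.compile(r"^(?P<type>[a-z]+)-(?P<fpc>\d+)/(?P<pic>\d+)/(?P<port>\d+)$")

# Only the statements that define membership or disable a range are
# matched; the rest of the range configuration is ignored.
RANGE_RE = re.compile(
    r"^set interfaces interface-range (?P<name>\S+) "
    r"(?:member (?P<member>\S+)"
    r"|member-range (?P<start>\S+) to (?P<end>\S+)"
    r"|(?P<disable>disable))$"
)


def iface_key(name: str):
    """Sort key so that ge-0/0/10 follows ge-0/0/9 instead of ge-0/0/1."""
    m = IFACE_RE.match(name)
    if not m:
        raise ValueError(f"not a physical interface name: {name}")
    return (m["type"], int(m["fpc"]), int(m["pic"]), int(m["port"]))


def expand_member_range(start: str, end: str) -> List[str]:
    """Expand 'member-range ge-0/0/3 to ge-0/0/11' into the ports it covers.

    Only the port number may differ between the two ends (same type, slot
    and PIC); anything else is rejected rather than silently expanded.
    """
    t1, f1, p1, n1 = iface_key(start)
    t2, f2, p2, n2 = iface_key(end)
    if (t1, f1, p1) != (t2, f2, p2) or n2 < n1:
        raise ValueError(f"unsupported member-range {start} to {end}")
    return [f"{t1}-{f1}/{p1}/{n}" for n in range(n1, n2 + 1)]


def parse_ranges(config: str) -> Dict[str, dict]:
    """Map each interface-range name to {'members': set of ports, 'disabled': bool}."""
    ranges: Dict[str, dict] = {}
    for line in config.splitlines():
        m = RANGE_RE.match(line.strip())
        if not m:
            continue
        entry = ranges.setdefault(m["name"], {"members": set(), "disabled": False})
        if m["member"]:
            entry["members"].add(m["member"])
        elif m["start"]:
            entry["members"].update(expand_member_range(m["start"], m["end"]))
        else:
            entry["disabled"] = True
    return ranges


def uncovered_ports(config: str, chassis_ports: List[str]) -> List[str]:
    """Ports in no interface-range: still enabled with the default config."""
    covered: Set[str] = set()
    for entry in parse_ranges(config).values():
        covered |= entry["members"]
    return sorted((p for p in chassis_ports if p not in covered), key=iface_key)


def disable_statements(ports: List[str], range_name: str = "disable") -> List[str]:
    """'set' statements that move the ports into the disabled range; paste
    them in configuration mode, then 'show | compare' and 'commit'."""
    return [f"set interfaces interface-range {range_name} member {p}" for p in ports]


# Constructed: a 48-port switch, ports ge-0/0/0 to ge-0/0/47.
CHASSIS_PORTS = [f"ge-0/0/{n}" for n in range(48)]

# Constructed: the tutorial's ranges as "display set" prints them, with a
# member-range on vlan-private1-c-dfw to show the second syntax.
SAMPLE_CONFIG = """\
set interfaces interface-range disable member ge-0/0/0
set interfaces interface-range disable member ge-0/0/1
set interfaces interface-range disable description DISABLED
set interfaces interface-range disable disable
set interfaces interface-range vlan-private1-a-dfw member ge-0/0/2
set interfaces interface-range vlan-private1-a-dfw unit 0 family ethernet-switching port-mode access
set interfaces interface-range vlan-private1-a-dfw unit 0 family ethernet-switching vlan members private1-a-dfw
set interfaces interface-range vlan-private1-b-dfw member ge-0/0/12
set interfaces interface-range vlan-private1-b-dfw unit 0 family ethernet-switching port-mode access
set interfaces interface-range vlan-private1-b-dfw unit 0 family ethernet-switching vlan members private1-b-dfw
set interfaces interface-range vlan-private1-c-dfw member-range ge-0/0/23 to ge-0/0/25
set interfaces interface-range vlan-private1-c-dfw unit 0 family ethernet-switching port-mode access
set interfaces interface-range vlan-private1-c-dfw unit 0 family ethernet-switching vlan members private1-c-dfw
set interfaces interface-range vlan-private1-d-dfw member ge-0/0/35
set interfaces interface-range vlan-private1-d-dfw unit 0 family ethernet-switching port-mode access
set interfaces interface-range vlan-private1-d-dfw unit 0 family ethernet-switching vlan members private1-d-dfw
set interfaces ge-0/0/2 description testsrv2001
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    loose = uncovered_ports(text, CHASSIS_PORTS)
    print(f"{len(loose)} port(s) in no interface-range:", " ".join(loose))
    print("\n".join(disable_statements(loose)))
```

Run it with a saved dump as the first argument; with no argument it uses the constructed sample, where 8 of the 48 ports are in a range and the remaining 40 are reported. Review the generated statements before pasting them: a port that carries something undocumented will go down the moment you commit.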

Now that we have all VLAN's and interface-ranges setup it is time to configure a trunk interface that will connect this switch to our second switch.

Setup a trunk interface

It is best practice to use a 10G interface for the trunk port that connects to another switch. Our switch has one 10G interface and we are going to use it as the trunk interface; any 1G port can also be used as a trunk port.

ppaul2@asw-a1-dfw> show interfaces | match xe 
Physical interface: xe-0/1/0, Enabled, Physical link is Down
  Logical interface xe-0/1/0.0 (Index 115) (SNMP ifIndex 703)
{master:0}
ppaul2@asw-a1-dfw> show interfaces xe-0/1/0 descriptions 

We see that the interface is enabled by default but not configured. The command below will set the interface as a trunk. On this release a trunk carries only the VLANs listed under "vlan members", so also add the four VLANs with "set interfaces xe-0/1/0 unit 0 family ethernet-switching vlan members [ private1-a-dfw private1-b-dfw private1-c-dfw private1-d-dfw ]" rather than "vlan members all": a trunk should only carry the VLANs the other switch actually needs.

{master:0}[edit]
ppaul2@asw-a1-dfw# set interfaces xe-0/1/0 unit 0 family ethernet-switching port-mode trunk    
{master:0}[edit]
ppaul2@asw-a1-dfw# show | compare                                                              
[edit interfaces xe-0/1/0 unit 0 family ethernet-switching]
+      port-mode trunk;

Once this change is committed we are done with the basic configuration of the switch. The next step is to configure the second switch and test connectivity between both switches.

Setup second switch

The process of setting up the second switch is the same as for the first; just redo all the steps. There are other methods, like copying the configuration from the first switch to the second or using Puppet to configure the switch, which we are not going to discuss here.

The only thing different on the second switch is its name: the second switch will be called asw-b1-dfw

Testing connectivity

Useful commands

Below you will find some useful commands for troubleshooting.

 show interfaces descriptions                        # displays all the interfaces on the switch that have a description
 show interfaces descriptions | match "xe-"          # shows only the 10G interfaces
 show interfaces ge-x/y/z media                      # adds media-related information
 show interfaces diagnostics optics xe-x/y/z         # shows the light levels of a fiber optic
 show ethernet-switching table interface ge-x/y/z    # shows whether the switch learned a MAC address on a specific interface, and in which VLANs it sees it
 show ethernet-switching table | match "00:00:00:00:00:00"   # finds a MAC address anywhere on the switch (or switch stack, if you use one)
 show interfaces ge-x/y/z extensive | match "error"  # shows whether there are errors on the interface; the output is raw but a good start
 show lldp neighbors                                 # shows the LLDP-speaking devices connected to the switch
 show | compare                                      # displays the pending changes (configuration mode)
 show | display set                                  # shows the configuration at your current level in "set" format, so you can copy/paste or modify it more easily (configuration mode)
 show interfaces ge-x/y/z | display set              # shows what to type to configure the interface the way it is configured (configuration mode)
 show interfaces ge-x/y/z | display inheritance      # shows everything about a given port, including what it inherits from an interface-range (configuration mode)