JunOS Basics

From ppwiki
ppaul2@asw-a1-dfw# commit
error: interface-range 'disable' has no member/member-range statements
error: interface-ranges expansion failed

Before assigning a member to the interface-range, type "show interfaces" in configuration mode.

ppaul2@asw-a1-dfw# show interfaces
interface-range disable {
    description DISABLED;
    disable;
}
ge-0/0/0 {
    unit 0 {
        family ethernet-switching;
    }
}
ge-0/0/1 {
    unit 0 {
        family ethernet-switching;
    }
}
---

This output lists all the interfaces on the device. If you have 1GB interfaces and 10GB interfaces, the 1GB interfaces will be listed as ge-0/0/x and the 10GB interfaces as xe-0/1/x. For the 1GB interfaces x = 0 to n, n being the last interface on the device. For example, if you have a device with 48 interfaces, n = 48, so you will have ge-0/0/0 to ge-0/0/48.

In the case of a device with 48 interfaces, we have the option to move all 48 interfaces into the interface-range disable by using the "member-range <start-range> to <end-range>" command. But in this tutorial we are going to move the interfaces using just "member", which is used to move one interface at a time. I like this option because of the layout.

==How to assign members to an interface-range==

We are going to assign the first 2 interfaces, ge-0/0/0 and ge-0/0/1, to our interface-range disable.

ppaul2@asw-a1-dfw# set interfaces interface-range disable member ge-0/0/0
{master:0}[edit]
ppaul2@asw-a1-dfw# show | compare
[edit interfaces]
+  interface-range disable {
+      member ge-0/0/0;
+      description DISABLED;
+      disable;
+  }

ppaul2@asw-a1-dfw# set interfaces interface-range disable member ge-0/0/1
{master:0}[edit]
ppaul2@asw-a1-dfw# show | compare
[edit interfaces]
+  interface-range disable {
+      member ge-0/0/0;
+      member ge-0/0/1;
+      description DISABLED;
+      disable;
+  }

Now that we have the first 2 interfaces in the interface-range disable, let us save the changes and issue the command "show interfaces ge-0/0/0 descriptions" in operational mode.
Also issue the command "show interfaces".

ppaul2@asw-a1-dfw> show interfaces ge-0/0/0 descriptions
Interface      Admin Link Description
ge-0/0/0        down  down DISABLED

ppaul2@asw-a1-dfw> show interfaces
Physical interface: ge-0/0/0, Administratively down, Physical link is Down
  Interface index: 130, SNMP ifIndex: 504
  Description: DISABLED

Physical interface: ge-0/0/1, Administratively down, Physical link is Down
  Interface index: 131, SNMP ifIndex: 506
  Description: DISABLED

==Create interface range for VLANS==

In this section, we are going to create 4 interface-ranges for the 4 VLAN's we created in section 7:

* vlan-private1-a-dfw
* vlan-private1-b-dfw
* vlan-private1-c-dfw
* vlan-private1-d-dfw

We already know the command to create an interface-range.

{master:0}[edit]
ppaul2@asw-a1-dfw# set interfaces interface-range vlan-private1-a-dfw unit 0 family ethernet-switching vlan members private1-a-dfw

This will create the interface-range vlan-private1-a-dfw and assign the private1-a-dfw VLAN to it.

Next, we are going to set this interface-range to be an access interface.

{master:0}[edit]
ppaul2@asw-a1-dfw# set interfaces interface-range vlan-private1-a-dfw unit 0 family ethernet-switching port-mode access

Check the changes before saving.

ppaul2@asw-a1-dfw# show | compare
[edit interfaces]
    interface-range disable { ... }
+  interface-range vlan-private1-a-dfw {
+      unit 0 {
+          family ethernet-switching {
+              port-mode access;
+              vlan {
+                  members private1-a-dfw;
+              }
+          }
+      }
+  }

Before saving, we need to assign at least one member to the interface-range and give that member a description.

{master:0}[edit]
ppaul2@asw-a1-dfw# set interfaces interface-range vlan-private1-a-dfw member ge-0/0/2

ppaul2@asw-a1-dfw# show | compare
[edit interfaces]
    interface-range disable { ... }
+  interface-range vlan-private1-a-dfw {
+      member ge-0/0/2;
+      unit 0 {
+          family ethernet-switching {
+              port-mode access;
+              vlan {
+                  members private1-a-dfw;
+              }
+          }
+      }
+  }
[edit interfaces ge-0/0/2]
+  description testsrv2001;

Now we can save the changes and issue the command "show interfaces".

{master:0}[edit]
ppaul2@asw-a1-dfw# show interfaces
interface-range disable {
    member ge-0/0/0;
    member ge-0/0/1;
    description DISABLED;
    disable;
}
interface-range vlan-private1-a-dfw {
    member ge-0/0/2;
    unit 0 {
        family ethernet-switching {
            port-mode access;
            vlan {
                members private1-a-dfw;
            }
        }
    }
}
---

Use the same steps to create the other interface-ranges. After that we should have all 4 interface-ranges, each one with at least 1 member.

{master:0}[edit]
ppaul2@asw-a1-dfw# show interfaces
interface-range disable {
    member ge-0/0/0;
    member ge-0/0/1;
    description DISABLED;
    disable;
}
interface-range vlan-private1-a-dfw {
    member ge-0/0/2;
    unit 0 {
        family ethernet-switching {
            port-mode access;
            vlan {
                members private1-a-dfw;
            }
        }
    }
}
interface-range vlan-private1-b-dfw {
    member ge-0/0/12;
    unit 0 {
        family ethernet-switching {
            port-mode access;
            vlan {
                members private1-b-dfw;
            }
        }
    }
}
interface-range vlan-private1-c-dfw {
    member ge-0/0/23;
    unit 0 {
        family ethernet-switching {
            port-mode access;
            vlan {
                members private1-c-dfw;
            }
        }
    }
}
interface-range vlan-private1-d-dfw {
    member ge-0/0/35;
    unit 0 {
        family ethernet-switching {
            port-mode access;
            vlan {
                members private1-d-dfw;
            }
        }
    }
}

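As an added example (not code from the original tutorial), the following Python script generates the set commands for the interface-range layout above from a port inventory and the VLAN membership: every port that belongs to no VLAN range lands in the disable range, a port listed in two ranges is rejected, and an empty range is refused with the same message "commit" gives. The 48-port inventory, the member ports and the description values are assumptions taken from the lab above.

```python
"""Generate the 'set' commands for the tutorial's interface-range layout.

Added example, not from the original tutorial. The port inventory
(48 x ge-0/0/N) and the member ports / descriptions are assumptions
modelled on the lab switch asw-a1-dfw.
"""


class RangeError(ValueError):
    """Raised for a layout JunOS would refuse to commit."""


def plan_ranges(inventory, vlan_ranges):
    """Return {range_name: [members]}; ports in no VLAN range land in 'disable'."""
    owner = {}
    for rname, spec in vlan_ranges.items():
        for port in spec["members"]:
            if port not in inventory:
                raise RangeError(f"{rname}: {port} is not a port on this switch")
            if port in owner:
                raise RangeError(f"{port} is a member of both {owner[port]} and {rname}")
            owner[port] = rname
    plan = {r: [p for p in inventory if owner.get(p) == r] for r in vlan_ranges}
    # disable-by-default: whatever nobody claimed goes into the 'disable' range
    plan["disable"] = [p for p in inventory if p not in owner]
    return plan


def render_set_commands(plan, vlan_ranges):
    """Emit the configuration-mode commands, one range at a time."""
    cmds = []
    for rname, members in plan.items():
        if not members:
            # same condition 'commit' rejects in the tutorial
            raise RangeError(f"interface-range '{rname}' has no member/member-range statements")
        base = f"set interfaces interface-range {rname}"
        if rname == "disable":
            # the tutorial types 'disable' and 'description' in one line; two set commands is equivalent
            cmds += [f"{base} disable", f"{base} description DISABLED"]
        else:
            vlan = vlan_ranges[rname]["vlan"]
            cmds += [f"{base} unit 0 family ethernet-switching vlan members {vlan}",
                     f"{base} unit 0 family ethernet-switching port-mode access"]
        for port in members:
            cmds.append(f"{base} member {port}")
            desc = vlan_ranges.get(rname, {}).get("descriptions", {}).get(port)
            if desc:  # the description lives on the physical interface, not on the range
                cmds.append(f"set interfaces {port} description {desc}")
    return cmds


# Constructed layout using the VLAN names and member ports from the tutorial.
LAB_RANGES = {
    "vlan-private1-a-dfw": {"vlan": "private1-a-dfw", "members": ["ge-0/0/2"],
                            "descriptions": {"ge-0/0/2": "testsrv2001"}},
    "vlan-private1-b-dfw": {"vlan": "private1-b-dfw", "members": ["ge-0/0/12"]},
    "vlan-private1-c-dfw": {"vlan": "private1-c-dfw", "members": ["ge-0/0/23"]},
    "vlan-private1-d-dfw": {"vlan": "private1-d-dfw", "members": ["ge-0/0/35"]},
}
LAB_PORTS = [f"ge-0/0/{i}" for i in range(48)]  # assumed 48-port inventory


def lab_commands():
    """Full command list for the lab layout (4 VLAN ranges + 44 ports disabled)."""
    return render_set_commands(plan_ranges(LAB_PORTS, LAB_RANGES), LAB_RANGES)


if __name__ == "__main__":
    print("\n".join(lab_commands()))
```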
Now that we have all VLAN's and interface-ranges set up, it is time to configure a trunk interface that will connect this switch to our second switch.

=Setup a trunk interface=

It is best practice to use the 10GB interface when it comes to configuring a trunk port to connect to another switch. In our case the switch has one 10GB interface, and we are going to use this interface as the trunk interface. You can also use any 1GB port as a trunk port.

ppaul2@asw-a1-dfw> show interfaces | match xe
Physical interface: xe-0/1/0, Enabled, Physical link is Down
  Logical interface xe-0/1/0.0 (Index 115) (SNMP ifIndex 703)

{master:0}
ppaul2@asw-a1-dfw> show interfaces xe-0/1/0 descriptions

We see that the interface is enabled by default but not configured.
The command below will set up the interface as a trunk.

{master:0}[edit]
ppaul2@asw-a1-dfw# set interfaces xe-0/1/0 unit 0 family ethernet-switching port-mode trunk

{master:0}[edit]
ppaul2@asw-a1-dfw# show | compare
[edit interfaces xe-0/1/0 unit 0 family ethernet-switching]
+      port-mode trunk;

Since this is a trunk port, we need to decide which VLANs this port will allow traffic from. We set up 4 VLANs; we can specify only those 4 VLANs or just set it to allow traffic from all VLANs.

ppaul2@asw-a1-dfw# show interfaces xe-0/1/0
description trunk_asb-b1;
unit 0 {
    family ethernet-switching {
        port-mode trunk;
        vlan {
            members all;
        }
    }
}

We are done with the basic configuration of the switch. The next step is to configure the second switch and test connectivity between both switches.

=Setup second switch=

The process of setting up the second switch is the same as setting up the first switch. Just redo all the steps. There are other methods, like copying the configuration from the first switch to the second switch or using Puppet to configure the switch. We are not going to discuss those methods here.

The only things that will be different on the second switch are the name of the switch and the management IP. The second switch will be called asw-b1-dfw.

=Testing connectivity=

Now that the 2 switches are set up, we are going to connect both switches together using port xe-0/1/0. Right now, the port on both switches is configured as a trunk port and they are not connected (see below).

ppaul2@asw-a1-dfw> show interfaces descriptions
Interface      Admin Link Description
ge-0/0/1        down  down DISABLED
ge-0/0/2        down  down DISABLED
ge-0/0/3        down  down DISABLED
ge-0/0/4        down  down DISABLED
ge-0/0/5        down  down DISABLED
ge-0/0/6        down  down DISABLED
<span style="color: red">xe-0/1/0        up    down trunk_asb-b1</span>

ppaul2@asw-b1-dfw> show interfaces descriptions
Interface      Admin Link Description
ge-0/0/1        down  down DISABLE
ge-0/0/2        down  down DISABLE
ge-0/0/3        down  down DISABLE
ge-0/0/4        down  down DISABLE
ge-0/0/5        down  down DISABLE
ge-0/0/6        down  down DISABLE
ge-0/0/7        down  down DISABLE
ge-0/0/8        down  down DISABLE
ge-0/0/9        down  down DISABLE
ge-0/0/10       down  down DISABLE
ge-0/0/11       down  down DISABLE
<span style="color: red">xe-0/1/0        up    down trunk_asw-a1</span>

*Connect both switches

We are going to use a fiber to connect both switches. When done, the link on both switches should show "up".

ppaul2@asw-a1-dfw> show interfaces descriptions
Interface      Admin Link Description
ge-0/0/1        down  down DISABLED
ge-0/0/2        down  down DISABLED
ge-0/0/3        down  down DISABLED
ge-0/0/4        down  down DISABLED
ge-0/0/5        down  down DISABLED
ge-0/0/6        down  down DISABLED
<span style="color: red">xe-0/1/0        up    up   trunk_asb-b1</span>

ppaul2@asw-b1-dfw> show interfaces descriptions
Interface      Admin Link Description
ge-0/0/1        down  down DISABLE
ge-0/0/2        down  down DISABLE
ge-0/0/3        down  down DISABLE
ge-0/0/4        down  down DISABLE
ge-0/0/5        down  down DISABLE
ge-0/0/6        down  down DISABLE
ge-0/0/7        down  down DISABLE
ge-0/0/8        down  down DISABLE
ge-0/0/9        down  down DISABLE
ge-0/0/10       down  down DISABLE
ge-0/0/11       down  down DISABLE
<span style="color: red">xe-0/1/0        up    up   trunk_asw-a1</span>

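As an added example that is not part of the original tutorial, the Python script below checks a "show interfaces descriptions" table like the ones above against the disable-by-default rule used in this tutorial: a port that is absent from the table has no description and therefore was never put in any interface-range, so it is still enabled and unconfigured; a port described as DISABLED but administratively up has been re-enabled behind the range's back. The 48-port inventory, the constructed rows and the extra port ge-0/0/9 are assumptions.

```python
"""Audit 'show interfaces descriptions' against the disable-by-default rule.

Added example, not from the original tutorial. 'show interfaces descriptions'
lists only ports that carry a description, so a port missing from the table
was never placed in an interface-range. The inventory helper (48 x ge-0/0/N
plus xe-0/1/0) and the sample tables are assumptions modelled on the lab switch.
"""
import re

# "ge-0/0/1        down  down DISABLED"  ->  name, admin, link, description
ROW_RE = re.compile(r"^(\S+)\s+(up|down)\s+(up|down)\s*(.*)$")
TAG_RE = re.compile(r"<[^>]+>")  # drop <span> highlighting if rows are pasted from the wiki


def lab_inventory(copper_ports=48):
    """Physical ports of the lab switch: ge-0/0/0..47 and the 10G uplink xe-0/1/0."""
    return [f"ge-0/0/{i}" for i in range(copper_ports)] + ["xe-0/1/0"]


def parse_descriptions(text):
    """Map interface name -> (admin, link, description) from the CLI table."""
    rows = {}
    for line in text.splitlines():
        m = ROW_RE.match(TAG_RE.sub("", line).strip())
        if m:  # the header line does not match because 'Admin' is not up/down
            name, admin, link, desc = m.groups()
            rows[name] = (admin, link, desc.strip())
    return rows


def audit(rows, inventory):
    """Classify every inventory port.

    unmanaged       - not in the table: no description, no range, enabled by default
    disabled_but_up - described DISABLED/DISABLE yet administratively up
    link_down       - enabled for use but nothing is plugged in (or the cable is bad)
    """
    result = {"unmanaged": [], "disabled_but_up": [], "link_down": []}
    for port in inventory:
        if port not in rows:
            result["unmanaged"].append(port)
            continue
        admin, link, desc = rows[port]
        disabled = desc.upper().startswith("DISABLE")  # both spellings used in the lab
        if disabled and admin == "up":
            result["disabled_but_up"].append(port)
        elif not disabled and admin == "up" and link == "down":
            result["link_down"].append(port)
    return result


# Constructed sample modelled on asw-a1-dfw before the fiber to asw-b1-dfw was
# connected; ge-0/0/9 is added to show a port whose description says DISABLED
# but that somebody re-enabled.
BEFORE = """\
Interface      Admin Link Description
ge-0/0/1        down  down DISABLED
ge-0/0/2        down  down DISABLED
ge-0/0/3        down  down DISABLED
ge-0/0/4        down  down DISABLED
ge-0/0/5        down  down DISABLED
ge-0/0/6        down  down DISABLED
ge-0/0/9        up    down DISABLED
<span style="color: red">xe-0/1/0        up    down trunk_asb-b1</span>
"""

# Same switch after the fiber is connected: only the uplink row changes.
AFTER = BEFORE.replace("up    down trunk_asb-b1", "up    up   trunk_asb-b1")

if __name__ == "__main__":
    for label, table in (("before cabling", BEFORE), ("after cabling", AFTER)):
        report = audit(parse_descriptions(table), lab_inventory())
        summary = {k: (v if len(v) < 5 else f"{len(v)} ports") for k, v in report.items()}
        print(label, summary)
```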
*Connect a host on port ge-0/0/0, which is part of VLAN private1-a-dfw

ppaul2@asw-a1-dfw> show interfaces descriptions
Interface      Admin Link Description
ge-0/0/0        up    up   test_host1

ppaul2@asw-a1-dfw> show ethernet-switching table interface ge-0/0/0
Ethernet-switching table: 1 unicast entries
  VLAN             MAC address      Type        Age Interfaces
  private1-a-dfw    *                Flood          - All-members
  private1-a-dfw    00:21:cc:70:fe:7a Learn          0 ge-0/0/0.0

==Testing Vlans==

For this lab, I am using a CISCO 2621 router for DHCP and have set up sub-interfaces on the router to route traffic between VLANs (see the configuration output below). On the first switch (asw-a1-dfw) I configured port ge-0/0/47 as a trunk to connect the switch to the CISCO router. You also need to specify which VLANs are allowed on that port. In this case I just set it to members = all.

ppaul2@asw-a1-dfw# show | compare
[edit interfaces]
+  ge-0/0/47 {
+      description trunk_cr;
+      unit 0 {
+          family ethernet-switching {
+              port-mode trunk;
+              vlan {
+                  members all;
+              }
+          }
+      }
+  }

*Router output

ip dhcp pool private1-a-dfw
   network 10.192.0.0 255.255.252.0
   default-router 10.192.0.1
!
ip dhcp pool private1-b-dfw
   network 10.192.16.0 255.255.252.0
   default-router 10.192.16.1
!
ip dhcp pool private1-c-dfw
   network 10.192.32.0 255.255.252.0
   default-router 10.192.32.1
!
ip dhcp pool private1-d-dfw
   network 10.192.48.0 255.255.252.0
   default-router 10.192.48.1
!
interface FastEthernet0/1.1
 encapsulation dot1Q 2000
 ip address 10.192.0.1 255.255.252.0
!
interface FastEthernet0/1.2
 encapsulation dot1Q 2001
 ip address 10.192.16.1 255.255.252.0
!
interface FastEthernet0/1.3
 encapsulation dot1Q 2002
 ip address 10.192.32.1 255.255.252.0
!
interface FastEthernet0/1.4
 encapsulation dot1Q 2003
 ip address 10.192.48.1 255.255.252.0

We connect our host to each VLAN using the corresponding port for each VLAN, and here is the output from the router:

cr-labppnet#show ip dhcp binding
Bindings from all pools not associated with VRF:
IP address          Client-ID/              Lease expiration        Type
                    Hardware address/
                    User name
10.192.0.2          00e0.4c68.0658          Mar 02 1993 12:44 AM    Automatic
10.192.16.2         00e0.4c68.0658          Mar 02 1993 12:29 AM    Automatic
10.192.32.2         00e0.4c68.0658          Mar 02 1993 12:36 AM    Automatic
10.192.48.2         00e0.4c68.0658          Mar 02 1993 12:39 AM    Automatic
cr-labppnet#

We can see that our host is able to obtain an address from the 10.192.0.0 network, which is the private1-a-dfw VLAN, from the 10.192.16.0 network, which is the second VLAN, and so on...

=Useful commands=

Below you will find some useful commands when it comes to troubleshooting.

  show interfaces descriptions # displays all the interfaces on the switch that have a description

  show interfaces descriptions | match "xe-" # will only show you the 10G interfaces

  show interfaces ge-x/y/z media # adds media-related information

  show interfaces diagnostics optics xe-x/y/z # shows the light levels for fiber optics

  show ethernet-switching table interface ge-x/y/z # shows you whether the switch learned a MAC address on a specific interface, and on which VLANs it sees it

  show ethernet-switching table | match "00:00:00:00:00:00" # finds a MAC address somewhere on the switch stack, if you are using a switch stack in your environment

  show interfaces ge-x/y/z extensive | match "error" # shows whether there are any errors on the interface; the output is raw but a good start

  show lldp neighbors # shows you all the hosts connected to that switch

  show | compare # displays the pending changes

  show | display set # shows you the configuration at your current level in "set" format, so you can copy/paste or modify it more easily

  show interfaces ge-x/y/z | display set # shows you what to type to configure the interface the way it is configured

  show interfaces ge-5/0/17 | display inheritance # shows you *everything* about a given port

Latest revision as of 23:13, 12 March 2019

In this tutorial we will be discussing the basics of JunOS, which will include:

  • How to setup the root password
  • How to change the device name
  • How to create a user with admin right using a password and using a SSH key
  • How to setup the management interface to ssh in to the switch
  • How to create VLAN's
  • How to create access and trunk ports
  • How to create interfaces range
  • How to connect 2 switches

Prerequisites

To complete this tutorial, you will need:

  • A laptop running Linux or MacOS. For this tutorial I will be using a laptop running Ubuntu 16
  • A console cable. Since all the new laptops today don't come with a console port, you will need a USB to Console adapter
  • The program "Screen"

If you don't have "screen" install it with the command below

sudo apt-get install screen

Accessing the device

  • Step 1: Plug the console cable into the console port of your device and start screen as the root user on your laptop
screen /dev/ttyUSB0

  • Step 2: Power on your device

After the device has finished booting you will get the prompt below

Login1.png

  • Step 3: Enter the username and password

By default, the username on all Juniper devices is "root" with no password. At the prompt, just type in root and hit enter.

Login.png

How to setup the root password

When you come from a CISCO world like me, working with JunOS is a little bit confusing at the beginning. But with time, after running a couple of commands, you get used to the concept.

To set up the root password, we need to be in configuration mode (#). Right now our prompt is showing "%". Type in

cli

The prompt will change to ">", which is operational mode. After that, type in "edit" or "configure" to enter configuration mode.

root@switch:RE:0% cli
{master:0}
root@switch> edit 
Entering configuration mode
{master:0}[edit]
root@switch#

To set up the root password with a plain-text password, the command is "set system root-authentication plain-text-password". Type the command and hit enter. You will be asked to enter the password twice.

root@switch# set system root-authentication plain-text-password    
New password:
Retype new password:
{master:0}[edit]
root@switch#

Note: just setting up the password is not enough, you need to save the change that you just made. In JunOS the way to save changes is by typing the command "commit".

But before we save the changes, there is another useful command that allows us to see what are all the changes made to the device before we save the changes and that command is "show | compare"

root@switch# show | compare 
[edit system]
+   root-authentication {
+       encrypted-password "$1$vVYnP0uH$YmTKnA.L0W0KGFtTw36NJ/"; ## SECRET-DATA
+   }

The + sign in front of each line means that those lines will be added to our device's configuration. Note: you can make all your changes and, when done, type the command "show | compare" before you save with "commit", or you can do one change at a time and do "show | compare" and "commit" before going to the next change. If you are starting out, I recommend doing just one change, then "show | compare", then "commit".
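
As an added example (not part of the original tutorial), the following Python script turns the text of "show | compare" into qualified configuration paths and flags the pending changes that deserve a second look before "commit": lines JunOS marks "## SECRET-DATA", changes under system root-authentication, enabling SSH, and removal of a "disable" statement from an interface. The sample diff, the placeholder password hash and the port ge-0/0/5 are constructed from the output format shown on this page.

```python
"""Review a JunOS 'show | compare' diff before typing 'commit'.

Added example, not from the original tutorial. It parses the text that
'show | compare' prints ('[edit ...]' context lines followed by '+' / '-'
statements) into Change records with a fully qualified path, then reports
the changes a reviewer should confirm. The sample diff is constructed.
"""
import re
from dataclasses import dataclass

CONTEXT_RE = re.compile(r"^\[edit(?:\s+(.*?))?\]$")


@dataclass
class Change:
    op: str       # '+' for a statement being added, '-' for one being removed
    path: str     # container path, e.g. 'system root-authentication'
    stmt: str     # leaf statement without the trailing ';' or '## SECRET-DATA'
    secret: bool  # True when JunOS tagged the line '## SECRET-DATA'


def parse_compare(text):
    """Turn 'show | compare' output into a list of Change records."""
    changes = []
    base = []   # path taken from the most recent '[edit ...]' line
    stack = []  # containers opened inside the hunk, changed or unchanged
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        m = CONTEXT_RE.match(line.strip())
        if m:
            base = (m.group(1) or "").split()
            stack = []
            continue
        op, body = line[0], line[1:].strip()
        if op not in "+-":
            # unchanged context; 'name { ... }' is a collapsed block, not an opener
            if body.endswith("{"):
                stack.append(body[:-1].strip())
            elif body == "}" and stack:
                stack.pop()
            continue
        if body.endswith("{"):
            stack.append(body[:-1].strip())
        elif body == "}":
            if stack:
                stack.pop()
        else:
            secret = "## SECRET-DATA" in body
            stmt = body.split("##", 1)[0].strip().rstrip(";").strip()
            changes.append(Change(op, " ".join(base + stack), stmt, secret))
    return changes


def review(changes):
    """Return findings (strings) for changes to confirm before 'commit'."""
    findings = []
    for c in changes:
        keyword = c.stmt.split(" ", 1)[0]  # e.g. 'encrypted-password', never the value
        where = " ".join(p for p in (c.op, c.path, keyword) if p)
        if c.secret:
            findings.append(f"SECRET-DATA line, keep it out of tickets and chat: {where}")
        if c.path.startswith("system root-authentication"):
            findings.append(f"root credential change: {where}")
        if c.op == "+" and c.path == "system services" and c.stmt == "ssh":
            findings.append("remote access being enabled: + system services ssh")
        if c.op == "-" and c.path.startswith("interfaces") and c.stmt == "disable":
            findings.append(f"port being re-enabled: - {c.path} disable")
    return findings


# Constructed diff in the format 'show | compare' prints on this page;
# the hash is a placeholder, not a real credential.
SAMPLE = """\
[edit system]
+   root-authentication {
+       encrypted-password "$1$PLACEHOLDER$not.a.real.hash"; ## SECRET-DATA
+   }
+   services {
+       ssh;
+   }
[edit interfaces]
    interface-range disable { ... }
+  interface-range vlan-private1-a-dfw {
+      member ge-0/0/2;
+      unit 0 {
+          family ethernet-switching {
+              port-mode access;
+          }
+      }
+  }
[edit interfaces ge-0/0/5]
-  disable;
"""

if __name__ == "__main__":
    for finding in review(parse_compare(SAMPLE)):
        print(finding)
```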

Now we can save our first configuration

root@switch# commit 
configuration check succeeds
commit complete
{master:0}[edit]
root@switch#

Now that we have the root password set, we are going to give the switch a name: we are going to use "asw-a1-dfw" as the name. Note: in a production environment I recommend disabling login with the root password. We will discuss this later.

How to change the device name

The command to set up the device name is: set system host-name "device_name"

{master:0}[edit]
root@switch# set system host-name asw-a1-dfw 

Do a "show | compare"

 root@switch# show | compare 
[edit system]
+  host-name asw-a1-dfw;

Then a "commit"

root@switch# commit 
configuration check succeeds
commit complete
{master:0}[edit]
root@asw-a1-dfw# 

We can see that the device changed its name from "switch" to "asw-a1-dfw".

How to create a privileged user

In this section, we are going to set up 2 users: one user with a password and another user with an SSH key. The user with the password will be called ppaul1 and the user with the SSH key will be called ppaul2.

Setting user with password

Create user ppaul1

root@asw-a1-dfw# set system login user ppaul1 class super-user authentication plain-text-password
New password:
Retype new password:
 root@asw-a1-dfw# show | compare 
[edit system]
+   login {
+       user ppaul1 {
+           class super-user;
+           authentication {
+               encrypted-password "$1$LivXhitM$r9CHQgnCiT6nzRt7XhM/k/"; ## SECRET-DATA
+           }
+       }
+   }
 root@asw-a1-dfw# commit 
configuration check succeeds
commit complete


Testing user ppaul1

Log out from the user "root" by typing "exit" until you get to the login prompt.

login: ppaul1
Password:
--- JUNOS 10.4R1.9 built 2010-12-04 09:57:12 UTC
{master:0}
ppaul1@asw-a1-dfw> 

We can see now that we have logged in as the user "ppaul1" with a password. In the next step we will create the user ppaul2 with an SSH key.

Setting user with SSH key

You can log in as root to create the user "ppaul2", or just use the user "ppaul1" to create the user "ppaul2", since ppaul1 is a super-user.

ppaul1@asw-a1-dfw# set system login user ppaul2 class super-user authentication ssh-rsa "ssh-rsa    AAAAB3NzaC1yc2EAAAADAQABAAABAQDST4EbXJc9l/AdrVmOZEPl3sxi6qjGIZyPwkupthSdooFHxPxUIh/a5PC9bMk5go6KvRoChpc4L8XuMRsxLTd6Ro6DsWIZieGHFuO/AL9SRUtmevGiSC2q4ibR7ACosJBUvKPRVK8anYnMSL9YWd7lnmVLnW5mvOM3Alhd8aTNKE3/H9ogDt9UfndEJXmieMTLJzGvx65sw6riqa5hh6iOcw02qb3QQCKLSRJmUJQuToY4oo/ZdLl/prEDKQ0I9DSnOxRYIvZxvUsTzwoXVq9X9dWGkKAAMDw7f2DJfa/4uCNT2dKPydApeN0ea2/69VRL3fmTz47y0CC1RTEd8j1j U18pc"
 ppaul1@asw-a1-dfw# show | compare 
[edit system login]
+    user ppaul2 {
+        class super-user;
+        authentication {
+            ssh-rsa "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDST4EbXJc9l/AdrVmOZEPl3sxi6qjGIZyPwkupthSdooFHxPxUIh/a5PC9bMk5go6KvRoChpc4L8XuMRsxLTd6Ro6DsWIZieGHFuO /AL9SRUtmevGiSC2q4ibR7ACosJBUvKPRVK8anYnMSL9YWd7lnmVLnW5mvOM3Alhd8aTNKE3/H9ogDt9UfndEJXmieMTLJzGvx65sw6riqa5hh6iOcw02qb3QQCKLSRJmUJQuToY4oo/ZdLl/prEDKQ0I9DSnOxRYIvZxvUsTzwoXVq9X9dWGkKAAMDw7f2DJfa/4uCNT2dKPydApeN0ea2/69VRL3fmTz47y0CC1RTEd8j1j U18pc"; ## SECRET-DATA
+        }
+    }
ppaul1@asw-a1-dfw# commit 
configuration check succeeds
commit complete

We cannot test the user ppaul2 yet, not until we set up the management interface and SSH on the device, which we are going to do in the next section (see 6.3).

How to setup management interface and SSH

Setting up management interface

The management interface on a Juniper switch is called "me0". Also, all interfaces are enabled by default on Juniper switches. Let us use the command "show interfaces me0" to see its output.

Note: you need to be in operational mode (>) to execute this command.

 ppaul1@asw-a1-dfw> show interfaces me0    
Physical interface: me0, Enabled, Physical link is Down
  Interface index: 1, SNMP ifIndex: 33
  Type: Ethernet, Link-level type: Ethernet, MTU: 1514
  Device flags   : Present Running No-Carrier
  Interface flags: Hardware-Down SNMP-Traps
  Current address: 5c:5e:ab:75:6c:81, Hardware address: 5c:5e:ab:75:6c:ff
  Last flapped   : 2016-07-25 01:49:33 UTC (00:00:06 ago)
    Input packets : 1248 
    Output packets: 280
  Logical interface me0.0 (Index 6) (SNMP ifIndex 34) 
    Flags: Device-Down SNMP-Traps Encapsulation: ENET2
    Input packets : 1248 
    Output packets: 280
    Protocol eth-switch
      Flags: Is-Primary

We can see that the interface is enabled and down. Down means there is no cable plugged into it. Now enter configuration mode and type "show interfaces me0".

 {master:0}[edit]
ppaul1@asw-a1-dfw# show interfaces me0 
{master:0}[edit]

We see that we have no output; this means that the interface is enabled but not configured.

Let us configure the interface by typing the command "set interfaces me0 unit 0 family inet address 10.192.0.100/24" (please change this IP address to match your environment).

ppaul1@asw-a1-dfw# set interfaces me0 unit 0 family inet address 10.192.0.101/24 

See what the changes will be

 {master:0}[edit]
ppaul1@asw-a1-dfw# show | compare 
[edit interfaces]
+   me0 {
+       unit 0 {
+           family inet {
+               address 10.192.0.101/24;
+           }
+       }
+   }

Now save the changes

 ppaul1@asw-a1-dfw# commit 
configuration check succeeds
commit complete

Check the interface again

ppaul1@asw-a1-dfw# show interfaces me0 
unit 0 {
    family inet {
        address 10.192.0.101/24;
    }
}

We see that we now have an IP address set on the interface.

The next step is to plug a cable into the interface and check whether the link is "up". Get back into operational mode and type "show interfaces me0", or from configuration mode you can just type "run show interfaces me0".

 ppaul1@asw-a1-dfw# run show interfaces me0 
Physical interface: me0, Enabled, Physical link is Up
  Interface index: 1, SNMP ifIndex: 33
  Type: Ethernet, Link-level type: Ethernet, MTU: 1514, Speed: 1000mbps
  Device flags   : Present Running
  Interface flags: SNMP-Traps
  Link type      : Full-Duplex
  Current address: 5c:5e:ab:75:6c:ff, Hardware address: 5c:5e:ab:75:6c:ff
  Last flapped   : 2016-07-25 02:05:21 UTC (00:00:44 ago)
    Input packets : 1248 
    Output packets: 283
  Logical interface me0.0 (Index 7) (SNMP ifIndex 34) 
    Flags: SNMP-Traps Encapsulation: ENET2
    Bandwidth: 0
    Input packets : 0 
    Output packets: 3
    Protocol inet
      Flags: Is-Primary
      Addresses, Flags: Is-Default Is-Preferred Is-Primary
        Destination: 10.192.0/24, Local: 10.192.0.101, Broadcast: 10.192.0.255

We see from the output that the interface is up. The next step will be to enable SSH.

Enable SSH

We just need one simple command to enable SSH on the device. The command is "set system services ssh"

ppaul1@asw-a1-dfw# set system services ssh
ppaul1@asw-a1-dfw# show | compare
[edit system]
+   services {
+       ssh;
+   }
{master:0}[edit]
ppaul1@asw-a1-dfw# commit 
configuration check succeeds
commit complete

Now let us test user "ppaul2". On your laptop open a terminal window and type in "ssh ppaul2@10.192.0.101" (change the IP address to the one you set up).

Testing user ppaul2

ssh ppaul2@10.192.0.101
--- JUNOS 10.4R1.9 built 2010-12-04 09:57:12 UTC
{master:0}
ppaul2@asw-a1-dfw>

We are able to log in to the device with user "ppaul2" without a password. In the next section we are going to create 4 VLANs.

How to create VLANs

In this section we are going to create 4 VLAN's:

  • Vlan private1-a-dfw with ID 2000
  • Vlan private1-b-dfw with ID 2001
  • Vlan private1-c-dfw with ID 2002
  • Vlan private1-d-dfw with ID 2003

The command to create a VLAN is "set vlans vlan_name vlan-id XXXX", where vlan_name is the VLAN name and XXXX is its ID.

ppaul2@asw-a1-dfw# set vlans private1-a-dfw vlan-id 2000 

Check the output before saving

ppaul2@asw-a1-dfw# show | compare 
[edit]
+  vlans {
+      private1-a-dfw {
+          vlan-id 2000;
+      }
+  }
ppaul2@asw-a1-dfw# commit 
configuration check succeeds
commit complete

We now have the first VLAN. Use the same command to create the other VLANs, changing vlan_name and vlan-id each time. After creating all the VLANs, type the command "show vlans".

Output

ppaul2@asw-a1-dfw# show vlans 
private1-a-dfw {
    vlan-id 2000;
}
private1-b-dfw {
    vlan-id 2001;
}
private1-c-dfw {
    vlan-id 2002;
}
private1-d-dfw {
    vlan-id 2003;
}

Now that all the VLANs are set up, in the next section we are going to create 5 interface-ranges.

How to create interface-ranges

As I mentioned earlier when setting up the management interface me0, all interfaces on Juniper devices are enabled by default. Setting up interface-ranges helps you organize and manage the device: think of an interface-range as a group or category into which you put interfaces that share the same configuration. Since every interface is enabled by default, it is best for security to disable all interfaces up front and only enable an interface when it is actually going to be used.

The first interface-range we are going to create is called disable; it will have the description DISABLED and we will set it to disabled.

ppaul2@asw-a1-dfw# set interfaces interface-range disable disable description DISABLED 
{master:0}[edit]
ppaul2@asw-a1-dfw# show | compare 
[edit interfaces]
+   interface-range disable {
+       description DISABLED;
+       disable;
+   }

We can see that we created an interface-range named disable with the description DISABLED, and that the interface-range is disabled.

We cannot save the changes until the interface-range has at least one member. If we try to commit now, with no member in the interface-range, we get:

ppaul2@asw-a1-dfw# commit 
error: interface-range 'disable' has no member/member-range statements
error: interface-ranges expansion failed

Before assigning a member to the interface-range, type "show interfaces" in configuration mode:

ppaul2@asw-a1-dfw# show interfaces 
interface-range disable {
    description DISABLED;
    disable;
}
ge-0/0/0 {
    unit 0 {
        family ethernet-switching;
    }
}
ge-0/0/1 {
    unit 0 {
        family ethernet-switching;
    }
}
---

This output lists all the interfaces on the device. If you have 1Gb interfaces and 10Gb interfaces, the 1Gb interfaces are listed as ge-0/0/x and the 10Gb interfaces as xe-0/1/x. For the 1Gb interfaces x = 0 to n, n being the last interface on the device. For example, on a device with 48 interfaces n = 48, so you will have ge-0/0/0 to ge-0/0/48.

On a device with 48 interfaces we have the option to put all 48 interfaces into the interface-range disable at once with "member-range <start-range> to <end-range>". In this tutorial, though, we are going to add the interfaces with "member", which adds them one interface at a time. I like this option because of the layout it gives in the configuration.

How to assign members to an interface-range

We are going to assign the first 2 interfaces, ge-0/0/0 and ge-0/0/1, to our interface-range disable.

ppaul2@asw-a1-dfw# set interfaces interface-range disable member ge-0/0/0 
{master:0}[edit]
ppaul2@asw-a1-dfw# show | compare 
[edit interfaces]
+   interface-range disable {
+       member ge-0/0/0;
+       description DISABLED;
+       disable;
+   }
ppaul2@asw-a1-dfw# set interfaces interface-range disable member ge-0/0/1    
{master:0}[edit]
ppaul2@asw-a1-dfw# show | compare                                            
[edit interfaces]
+   interface-range disable {
+       member ge-0/0/0;
+       member ge-0/0/1;
+       description DISABLED;
+       disable;
+   }

Now that we have the first 2 interfaces in the interface-range disable, let us save the changes and issue the command "show interfaces ge-0/0/0 descriptions" in operational mode. Also issue the command "show interfaces".

ppaul2@asw-a1-dfw> show interfaces ge-0/0/0 descriptions    
Interface       Admin Link Description
ge-0/0/0        down  down DISABLED

ppaul2@asw-a1-dfw> show interfaces
Physical interface: ge-0/0/0, Administratively down, Physical link is Down
Interface index: 130, SNMP ifIndex: 504
Description: DISABLED

Physical interface: ge-0/0/1, Administratively down, Physical link is Down
 Interface index: 131, SNMP ifIndex: 506
 Description: DISABLED

Create interface-ranges for VLANs

In this section, we are going to create 4 interface-ranges for the 4 VLANs we created in section 7:

  • vlan-private1-a-dfw
  • vlan-private1-b-dfw
  • vlan-private1-c-dfw
  • vlan-private1-d-dfw

We already know the command to create an interface-range.

{master:0}[edit]
ppaul2@asw-a1-dfw# set interfaces interface-range vlan-private1-a-dfw unit 0 family ethernet-switching vlan members private1-a-dfw

This creates the interface-range vlan-private1-a-dfw and assigns the VLAN private1-a-dfw to it.

Next, we are going to set this interface range to be an access interface.

{master:0}[edit]
ppaul2@asw-a1-dfw# set interfaces interface-range vlan-private1-a-dfw unit 0 family ethernet-switching port-mode access

Check the pending changes before saving:

ppaul2@asw-a1-dfw# show | compare 
[edit interfaces]
    interface-range disable { ... }
+   interface-range vlan-private1-a-dfw {
+       unit 0 {
+           family ethernet-switching {
+               port-mode access;
+               vlan {
+                   members private1-a-dfw;
+               }
+           }
+       }
+   }

Before saving, we need to assign at least one member to the interface-range and give that member a description.

{master:0}[edit]
ppaul2@asw-a1-dfw# set interfaces interface-range vlan-private1-a-dfw member ge-0/0/2
ppaul2@asw-a1-dfw# show | compare 
[edit interfaces]
    interface-range disable { ... }
+   interface-range vlan-private1-a-dfw {
+       member ge-0/0/2;
+        unit 0 {
+           family ethernet-switching {
+               port-mode access;
+               vlan {
+                   members private1-a-dfw;
+               }
+           }
+       }
+   }
[edit interfaces ge-0/0/2]
+   description testsrv2001;

Now we can save the changes and issue the command "show interfaces"

{master:0}[edit]
ppaul2@asw-a1-dfw# show interfaces   
interface-range disable {
   member ge-0/0/0;
   member ge-0/0/1;
   description DISABLED;
   disable;
}
interface-range vlan-private1-a-dfw {
   member ge-0/0/2;
   unit 0 {
       family ethernet-switching {
           port-mode access;
           vlan {
               members private1-a-dfw;
           }
       }
   }
}
---

Use the same steps to create the other interface-ranges. After that we should have all 4 interface-ranges, each with at least 1 member.

{master:0}[edit]
ppaul2@asw-a1-dfw# show interfaces 
interface-range disable {
   member ge-0/0/0;
   member ge-0/0/1;
   description DISABLED;
   disable;
}
interface-range vlan-private1-a-dfw {
   member ge-0/0/2;
   unit 0 {
       family ethernet-switching {
           port-mode access;
           vlan {
               members private1-a-dfw;
           }
       }
   }
}
interface-range vlan-private1-b-dfw {
   member ge-0/0/12;
   unit 0 {
       family ethernet-switching {
           port-mode access;
           vlan {
               members private1-b-dfw;
           }
       }
   }
}
interface-range vlan-private1-c-dfw {
   member ge-0/0/23;
   unit 0 {
       family ethernet-switching {
           port-mode access;
           vlan {
               members private1-c-dfw;
           }
       }
   }
}
interface-range vlan-private1-d-dfw {
   member ge-0/0/35;
   unit 0 {
       family ethernet-switching {
           port-mode access;
           vlan {
               members private1-d-dfw;
           }
       }
   }
}

Now that all the VLANs and interface-ranges are set up, it is time to configure a trunk interface that will connect this switch to our second switch.

Set up a trunk interface

It is best practice to use a 10Gb interface for a trunk port that connects to another switch. In our case the switch has one 10Gb interface, and we are going to use it as the trunk interface. You can also use any 1Gb port as a trunk port.

ppaul2@asw-a1-dfw> show interfaces | match xe 
Physical interface: xe-0/1/0, Enabled, Physical link is Down
  Logical interface xe-0/1/0.0 (Index 115) (SNMP ifIndex 703)
{master:0}
ppaul2@asw-a1-dfw> show interfaces xe-0/1/0 descriptions 

We see that the interface is enabled by default but not configured. The command below sets up the interface as a trunk:

{master:0}[edit]
ppaul2@asw-a1-dfw# set interfaces xe-0/1/0 unit 0 family ethernet-switching port-mode trunk    
{master:0}[edit]
ppaul2@asw-a1-dfw# show | compare                                                              
[edit interfaces xe-0/1/0 unit 0 family ethernet-switching]
+      port-mode trunk;

Since this is a trunk port we need to decide which VLANs it will carry. We set up 4 VLANs, so we can either list just those 4 (the tighter choice) or allow traffic from all VLANs. In the configuration shown below the port carries all VLANs and has also been given a description.

ppaul2@asw-a1-dfw# show interfaces xe-0/1/0            
description trunk_asb-b1;
unit 0 {
   family ethernet-switching {
       port-mode trunk;
       vlan {
           members all;
       }
   }
}
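
As an added example (my own script, not part of this tutorial), the Python audit below applies two points made above: every port should be covered by either the disable range or a VLAN interface-range, and a trunk with "members all" is worth a second look. It parses the brace-format output of "show interfaces" under [edit interfaces], expands both "member" and "member-range ... to ..." statements (also handling the bracketed "members [ a b ]" list form), and lists the ports no block covers; the sample configuration is constructed to resemble the outputs above, the function names are mine, and numbering the front-panel ports ge-0/0/0 through ge-0/0/<port_count-1> is an assumption.

```python
import re
# Constructed sample shaped like the "show interfaces" output under [edit interfaces]
SAMPLE_CONFIG = """interface-range disable {
   member ge-0/0/0;
   member-range ge-0/0/3 to ge-0/0/11;
   description DISABLED;
   disable;
}
interface-range vlan-private1-a-dfw {
   member ge-0/0/2;
   unit 0 { family ethernet-switching { port-mode access; vlan { members private1-a-dfw; } } }
}
xe-0/1/0 {
   unit 0 { family ethernet-switching { port-mode trunk; vlan { members all; } } }
}"""
PORT_RE = re.compile(r"^(?P<prefix>[a-z]+-\d+/\d+/)(?P<num>\d+)$")

def expand_range(start, end):  # "member-range ge-0/0/3 to ge-0/0/11" -> every port, inclusive
    a, b = PORT_RE.match(start), PORT_RE.match(end)
    if not a or not b or a["prefix"] != b["prefix"]:
        raise ValueError(f"unsupported member-range: {start} to {end}")
    return [f"{a['prefix']}{n}" for n in range(int(a["num"]), int(b["num"]) + 1)]

def top_level_blocks(config):  # {block name: body text}, tracking braces so nesting is kept
    blocks, depth, name, body = {}, 0, "", []
    for raw in config.splitlines():
        line = raw.strip()
        if depth == 0 and line.endswith("{"):
            name, body = line[:-1].strip(), []
        elif depth == 1 and line == "}":
            blocks[name] = "\n".join(body)
        else:
            body.append(line)
        depth += line.count("{") - line.count("}")
    return blocks

def audit(config, port_count, prefix="ge-0/0/"):  # role per configured port + uncovered ports
    roles = {}  # port -> "disabled" | "access:<vlan>" | "trunk:<vlan,...>"
    for name, body in top_level_blocks(config).items():
        if name.startswith("interface-range "):
            ports = re.findall(r"^member (\S+);", body, re.M)
            for s, e in re.findall(r"^member-range (\S+) to (\S+);", body, re.M):
                ports += expand_range(s, e)
        else:
            ports = [name]  # a physical interface configured directly, e.g. xe-0/1/0
        mode = re.search(r"port-mode (\w+);", body)
        vl = re.search(r"members (\[[^\]]*\]|\S+);", body)
        vlans = ",".join(vl[1].strip("[] ").split()) if vl else ""
        role = "disabled" if re.search(r"^disable;", body, re.M) else (
            f"{mode[1]}:{vlans}" if mode else "")
        if role:  # blocks that neither disable nor switch anything are ignored
            roles.update(dict.fromkeys(ports, role))
    unassigned = [p for p in (f"{prefix}{n}" for n in range(port_count)) if p not in roles]
    return {"roles": roles, "unassigned": unassigned}
```

Anything listed under "unassigned" is a port that is still enabled by default with no configuration at all, and any role starting with "trunk:all" is a trunk carrying every VLAN.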

We are done with the basic configuration of the switch. The next step is to configure the second switch and test connectivity between the two switches.

Set up the second switch

The process of setting up the second switch is the same as for the first switch; just redo all the steps. There are other methods, such as copying the configuration from the first switch to the second or using Puppet to configure the switch, but we are not going to discuss those here.

The only things that differ on the second switch are its name and its management IP. The second switch will be called asw-b1-dfw.

Testing connectivity

Now that the 2 switches are set up, we are going to connect them together using port xe-0/1/0. Right now the port on both switches is configured as a trunk port, but the two are not connected yet (see below).

ppaul2@asw-a1-dfw> show interfaces descriptions    
Interface       Admin Link Description
ge-0/0/1        down  down DISABLED
ge-0/0/2        down  down DISABLED
ge-0/0/3        down  down DISABLED
ge-0/0/4        down  down DISABLED
ge-0/0/5        down  down DISABLED
ge-0/0/6        down  down DISABLED
xe-0/1/0        up    down trunk_asb-b1
ppaul2@asw-b1-dfw> show interfaces descriptions 
Interface       Admin Link Description
ge-0/0/1        down  down DISABLE
ge-0/0/2        down  down DISABLE
ge-0/0/3        down  down DISABLE
ge-0/0/4        down  down DISABLE
ge-0/0/5        down  down DISABLE
ge-0/0/6        down  down DISABLE
ge-0/0/7        down  down DISABLE
ge-0/0/8        down  down DISABLE
ge-0/0/9        down  down DISABLE
ge-0/0/10       down  down DISABLE
ge-0/0/11       down  down DISABLE
xe-0/1/0        up    down trunk_asw-a1

  • Connect both switches

We are going to use a fiber cable to connect the two switches. When done, the link on both switches should show "up":

ppaul2@asw-a1-dfw> show interfaces descriptions    
Interface       Admin Link Description
ge-0/0/1        down  down DISABLED
ge-0/0/2        down  down DISABLED
ge-0/0/3        down  down DISABLED
ge-0/0/4        down  down DISABLED
ge-0/0/5        down  down DISABLED
ge-0/0/6        down  down DISABLED
xe-0/1/0        up    up trunk_asb-b1
ppaul2@asw-b1-dfw> show interfaces descriptions 
Interface       Admin Link Description
ge-0/0/1        down  down DISABLE
ge-0/0/2        down  down DISABLE
ge-0/0/3        down  down DISABLE
ge-0/0/4        down  down DISABLE
ge-0/0/5        down  down DISABLE
ge-0/0/6        down  down DISABLE
ge-0/0/7        down  down DISABLE
ge-0/0/8        down  down DISABLE
ge-0/0/9        down  down DISABLE
ge-0/0/10       down  down DISABLE
ge-0/0/11       down  down DISABLE
xe-0/1/0        up    up trunk_asw-a1

  • Connect a host to port ge-0/0/0, which is part of VLAN private1-a-dfw

ppaul2@asw-a1-dfw> show interfaces descriptions 
Interface       Admin Link Description
ge-0/0/0        up    up   test_host1
ppaul2@asw-a1-dfw> show ethernet-switching table interface ge-0/0/0                      
Ethernet-switching table: 1 unicast entries
 VLAN	            MAC address       Type         Age Interfaces
 private1-a-dfw    *                 Flood          - All-members
 private1-a-dfw    00:21:cc:70:fe:7a Learn          0 ge-0/0/0.0

Testing VLANs

For this lab, I am using a Cisco 2621 router for DHCP and have set up sub-interfaces on the router to route traffic between VLANs (see the configuration output below). On the first switch (asw-a1-dfw) I configured port ge-0/0/47 as a trunk to connect the switch to the Cisco router. You also need to specify which VLANs are allowed on that port; in this case I just set vlan members to all.

ppaul2@asw-a1-dfw# show | compare 
[edit interfaces]
+   ge-0/0/47 {
+       description trunk_cr;
+       unit 0 {
+           family ethernet-switching {
+               port-mode trunk;
+               vlan {
+                   members all;
+               }
+           }
+       }
+   }


  • Router output

ip dhcp pool private1-a-dfw
   network 10.192.0.0 255.255.252.0
   default-router 10.192.0.1
!
ip dhcp pool private1-b-dfw
   network 10.192.16.0 255.255.252.0
   default-router 10.192.16.1
!
ip dhcp pool private1-c-dfw
   network 10.192.32.0 255.255.252.0
   default-router 10.192.32.1
!
ip dhcp pool private1-d-dfw
   network 10.192.48.0 255.255.252.0
   default-router 10.192.48.1
!
interface FastEthernet0/1.1
 encapsulation dot1Q 2000
 ip address 10.192.0.1 255.255.252.0
!
interface FastEthernet0/1.2
 encapsulation dot1Q 2001
 ip address 10.192.16.1 255.255.252.0
!
interface FastEthernet0/1.3
 encapsulation dot1Q 2002
 ip address 10.192.32.1 255.255.252.0
!
interface FastEthernet0/1.4
 encapsulation dot1Q 2003
 ip address 10.192.48.1 255.255.252.0

We connect our host to each VLAN using the corresponding port for that VLAN, and here is the output from the router:

cr-labppnet#show ip dhcp binding 
Bindings from all pools not associated with VRF:
IP address          Client-ID/              Lease expiration        Type
                   Hardware address/
                   User name
10.192.0.2          00e0.4c68.0658          Mar 02 1993 12:44 AM    Automatic
10.192.16.2         00e0.4c68.0658          Mar 02 1993 12:29 AM    Automatic
10.192.32.2         00e0.4c68.0658          Mar 02 1993 12:36 AM    Automatic
10.192.48.2         00e0.4c68.0658          Mar 02 1993 12:39 AM    Automatic
cr-labppnet#

We can see that our host obtained an address from the 10.192.0.0 network, which is VLAN private1-a-dfw, from the 10.192.16.0 network, which is the second VLAN, and so on.

Useful commands

Below you will find some useful commands for troubleshooting.

 show interfaces descriptions   # displays all the interfaces on the switch that have a description
 show interfaces descriptions | match "xe-"   # shows only the 10G interfaces
 show interfaces ge-x/y/z media   # adds media-related information
 show interfaces diagnostics optics xe-x/y/z   # shows the light levels on a fiber optic port
 show ethernet-switching table interface ge-x/y/z   # shows whether the switch learned a MAC address on a specific interface, and in which VLANs it sees it
 show ethernet-switching table | match "00:00:00:00:00:00"   # finds a MAC address anywhere on the switch (or switch stack, if you use one)
 show interfaces ge-x/y/z extensive | match "error"   # shows whether there are any errors on the interface; the output is raw but a good start
 show lldp neighbors   # shows all the hosts connected to that switch
 show | compare   # displays the pending changes
 show | display set   # shows the configuration at your current level in "set" format, so you can copy/paste or modify it more easily
 show interfaces ge-x/y/z | display set   # shows what to type to configure the interface the way it is currently configured
 show interfaces ge-5/0/17 | display inheritance   # shows *everything* about a given port