vDay One: Mastering Junos Configuration
Junos® Learning Sphere
Whether you are new to Junos or just want to improve your configuration skills, this Junosphere lab will boost your mastery of the Junos OS.
by Antonio Sánchez-Monge
Mastering Junos Configuration
This vDay One book is all about Junos and the magic behind the curly brackets. Log onto Junosphere, load the topology file, watch the book’s videos, and then simply copy and paste from the PDF book’s prompts to configure the Junosphere virtual machine online. Learn by doing, not reading. Junosphere® provides a cost-effective and flexible environment where you can create and run networks in the cloud. These networks can be used for the same exercises you perform today in your physical lab and more, including network design, modeling, troubleshooting, testing, and training.
Virtual Day One - Learn by Doing!
- Experience the Junos CLI in both videos and real hands-on training modules
- Learn how to navigate through the Junos hierarchies
- Master basic and advanced configuration techniques
- Unveil the mysteries of rollback and commit internals
- Understand how Junos handles simultaneous configurations
- And much more in this 3 hour lab prepared just for you.
1 VM - 3+ hrs
testing, design, and training exercises in a risk-free virtual environment that uses real network operating systems. Junosphere allows you to closely replicate physical networks consisting of Junos OS-based devices and ecosystem tools without the cost, complexity, or limitations of a physical lab.
To ensure you have the best possible experience with Junosphere, check that you have the required settings. Consider these recommendations for optional freeware programs to facilitate Junosphere usage.
Required settings
- Only Firefox 19 and higher, and Internet Explorer 9 and higher, are supported
- Enable pop-ups for junosphere.net
- Allow downloads from junosphere.net
- Install the latest Java plug-in
Recommended downloads
- RealVNC - remote access to the CentOS server
- PuTTY - SSH/Telnet client to access device consoles
- Notepad++ - reader of configuration files
- FileZilla - FTP client to access device consoles
- 7zip - creates compressed topology filesets
- VMware Player - to run the connector
Client Hardware Recommendations
CPU: 1 GHz or higher is recommended for Windows; for Mac, a 1 GHz G4 or Intel processor is recommended.
Memory: a minimum of 256 MB of available RAM is recommended.
Color quality: for best results, use 16-bit (8-bit, 24-bit, and 32-bit are also supported).
Monitor resolution: 1,024 x 768 pixels is recommended; up to 2,048 x 2,048 pixels is supported.
PDF Recommendations
Use Acrobat Reader to copy and paste this book’s config files into the terminal for the best results.
Check for the most recent updates and specifications at www.juniper.net/junosphere
ISBN 978-1936779796
© 2013 by Juniper Networks, Inc. All rights reserved.
Juniper Networks, the Juniper Networks logo, Junos, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. Junosphere is a trademark of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.
Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.
Products made or sold by Juniper Networks or components thereof might be covered by one or more of the following patents that are owned by or licensed to Juniper Networks: U.S. Patent Nos. 5,473,599, 5,905,725, 5,909,440, 6,192,051, 6,333,650, 6,359,479, 6,406,312, 6,429,706, 6,459,579, 6,493,347, 6,538,518, 6,538,899, 6,552,918, 6,567,902, 6,578,186, and 6,590,785.
Published by Juniper Networks Books: http://www.juniper.net/books
Author and Video Editor: Antonio Sanchez-Monge
Video Narration: Dave Dugal
Editor in Chief: Patrick Ames
Copyeditor and Proofer: Nancy Koerbel
J-Net Community Manager: Julie Wider
ISBN: 978-1-936779-79-6 (print)
Printed in the USA by Vervante Corporation, www.vervante.com
Version History: v1 September 2013
Acknowledgements
I would like to first thank my wife Eva, and my sons Manuel and Lucas, for their love and patience despite all the extra hours I dedicated to this project. Patrick Ames for his endless positive energy and creativity. Dave Dugal for the voice narration and his ability to make me smile. Aleksey Mints for the very timely and collaborative integration of vDay One in my favorite (by far) network lab environment: Junosphere. Julie Wider for the kind help organizing the beta testing and for promoting the program inside the J-Net Community. Diogo Montagner for the technical review and for his involvement in vDay One. Pilar Somohano and Pablo Mosteiro for their honest support and global vision. Levent Ogut for the commit history tip. My father for the effort he always puts in to make complex things look simple: I wish I learned it from him!
Special thanks to the beta testers who went through the material and provided feedback. All of them are from the Juniper Ambassador Team: Kevin Barker, Martin Brown, Nick Ryce, Steve Puluka and Victor Gonzalez. Pilar Somohano and Aleksey Mints provided useful feedback on the Junosphere setup video. Finally, I would also like to acknowledge all my customers and colleagues in Juniper Networks in Spain, who promoted this material and did the alpha testing of the prototype, especially: David Soriano (Telefonica), Rubén Díaz (Acuntia), Alfredo Pelaez (NSN), Jose Maroto (Tecnocom), Daniel Toro, Rocio Benavente, Miguel Angel Rodriguez a.k.a. Miguelon, Iria Varela, Jose Cid, Manuel Cornejo, Francisco Sanchez, Manuel de Miguel, Oscar Diaz Poveda, Estefania Rodriguez, and Laura Serrano.
Antonio Sánchez-Monge, September 2013
Welcome to vDay One
This vDay One book provides a virtual hands-on workshop with the following components:
Videos: Each chapter contains a link to a YouTube video explaining the methodology or the relevant concepts in detail.
A Real Junos OS Device: The single-device topology used in this workshop is ready for you to start and it is in the Public Library of Junosphere. The term device refers to a router, or a switch, or a firewall, etc. In this case, the device is a VJX, but the principles of Junos OS configuration that you learn here apply to all the physical and virtual platforms.
This Book: In order to keep you focused on the practical tasks, this book simply contains a step-by-step lab procedure, together with the links to videos describing each lab practice.
This vDay One book covers the most important aspects of Junos configuration. It targets readers who are either new to the Junos OS CLI or who want to improve their configuration skills. The techniques covered range from very basic configuration to relatively advanced administration techniques. With the toolbox covered in this book, you will boost your mastery of the Junos OS configuration database.
Prerequisites
The 3h00m of net time needed to go through the material on Junosphere is an estimate. It is suggested that you book more time to take breaks, though, as you may be curious enough to check out other commands, or you may need to spend additional time if you are new to Junos OS or to Junosphere. The current reservation model in Junosphere works on a per-day basis, so it’s flexible in that sense.
The prerequisites for this virtual workshop are:
A valid Junosphere account (http://www.junosphere.net). To order Junosphere with a special discount, go to https://learningportal.juniper.net/juniper/user_activity_info.aspx?id=5735 and enter promo code jun3928, valid for Junosphere CLASSROOM only (not for LAB).
You need to have administration rights on your computer to install the Network Connect software. Note that although installation typically works fine on the first attempt, some users had to retry once or twice before they finally got it working.
It is not possible to run two simultaneous instances of Network Connect, so if you already have a Network Connect instance running for a corporate VPN, you will need to stop that first.
Network Connect works best without web proxies, and it works fine with a static proxy configuration as well. However, it doesn’t work if the browser is configured with a PAC (Proxy Auto-Configuration) file.
IMPORTANT The beginning of this book (you can see the back cover page) lists the web browser, system and application recommendations for Junosphere. Save yourself time and read through the browser, system, and application requirements.
TIP If you’ll be cutting and pasting commands and configuration blocks directly from this PDF into the terminal, tests have shown that Acrobat Reader works better than other apps with PDF capabilities – these other apps can run lines of code together.
1 Loading the Baseline Scenario
Start your Junos OS device using the instructions in Video 1, and verify that the topology.vmm file corresponds to Figure 1.
Figure 1: The VM Physical Topology
Video 1 shows you how to start a 7 VM topology from another vDay One book. The process to start this book’s topology is very similar. Just make sure you load the 1 VM topology named vDay One: Mastering Junos Configuration. You can find it in the Public Library called Day One Books within Junosphere.
Video 1 also shows you how to download a file called ing_Junos_Configuration.zip, that you can examine if you are curious and want to understand some of the magic behind Junosphere. This zip file contains the following files:
TIP Lab vs Classroom? There are two types of sandbox: Lab or Classroom. The vDay One topologies are available for both of them – make sure you choose the right one for your sandbox. Note that the promotional code is only available for Classroom.
Video 1: Starting the VM Topology (click on the image above to launch)
IMPORTANT In Sections 2 and 3, and at the beginning of Section 4, you need to connect to the console of the Junos OS device. In the remaining sections, you are expected to access the device using plain telnet.
TIP If you lose connectivity to the Junosphere topology, don't worry! As long as the reservation doesn't expire, it will stay running in the background. You just need to reconnect.
MORE? For more information about the concepts behind Junosphere and its GUI, check out the videos at https://learningportal.juniper.net/juniper/user_activity_info.aspx?id=5735
2 Navigating the Junos OS Configuration
Let’s start by loading a simple Junos OS configuration. Then, you will examine it – without modifying it – using different CLI modes.
First connect to the console of the device, using a telnet client:
telnet <IP> <port>
The <IP> address and the <port> are indicated in the column labeled Console, in the Virtual Machines tab of the Junosphere GUI. The username is root and the password is Clouds. Why the console and why the username root? Because you will soon erase most of the configuration, leaving root as the only valid user, and the console as the only valid access method. The goal is to obtain a very short and simple configuration that can ease your learning process. When you log in as root, the prompt is %, corresponding to the FreeBSD shell. This is not an officially supported mode, so you need to start a Junos OS CLI session, changing the prompt to >.
% cli
>
In Junosphere’s VJX, the initial configuration would be specified inside the topology.vmm file as follows:
install "ENV(HOME)/active/configset/juniper.conf" "/root/olive.conf";
This line is not present in your topology.vmm file, which is why the device initially booted with the factory-default configuration.
Let’s take a quick look at the configuration (you don’t really need to understand it, yet):
> show configuration
TIP Press or double-press the tab key often. It allows you to autocomplete more words than you would expect! And, of course, the question mark can help you to find your way.
MORE? If you feel like you need an introduction to the Junos OS CLI in general, have a look at Day One: Exploring the Junos CLI. You can find it on the Day One landing page (http://www.juniper.net/dayone).
You are about to replace the currently active configuration with a simpler one. The following command simply displays the contents of a file:
> file show /var/tmp/myJunos.conf
Later in this book, you will see the configure, load, save and commit commands explained in detail. The following procedure saves a backup of the current configuration into a file called original.conf, and then activates a completely new configuration based on the contents of myJunos.conf:
> configure
# save /var/tmp/original.conf
# load override /var/tmp/myJunos.conf
# commit and-quit
CAUTION Currently Junosphere does not support a method to reset console connections. If for whatever reason you lose connectivity to the console before the middle of Section 4, and you fail to reconnect, you will need to restart the topology.
It’s time to watch Video 2. But it’s important to watch the video in its entirety, then tackle the hands-on tasks. If you execute commands before the video finishes (pausing and resuming it), testers have found the experience much less helpful, not to mention encountering slight differences between the video and the practice. This advice is valid for all the videos in this book.
Video 2: Navigating the Junos OS Configuration
Have a look at the active configuration from operational mode (prompt >):
> show configuration
> show configuration interfaces
> show configuration interfaces ge-0/0/1
> show configuration interfaces ge-0/0/1 unit 1
> show configuration interfaces ge-0/0/1 unit 1 vlan-id
How is this configuration actually applied? Let’s see:
> show interfaces terse lo0.0
> show interfaces terse ge-0/0/1
> show interfaces terse ge-0/0/1 routing-instance default
> show interfaces ge-0/0/1.1 | match vlan
MORE? You can ignore the interface ge-0/0/1.32767, which is automatically created for internal communication between control plane components in the internal routing-instance juniper_private1. These components are typically in different physical cards. Not this time though, as you are in a virtual environment.
NOTE You may still see an IP address assigned to ge-0/0/0, even though it’s not configured. You can think of it as part of the Junosphere infrastructure, and move on.
Now let’s get into configuration mode (prompt #). In this mode, you could modify the configuration, although for the moment you are only going to view it:
> configure
# show
# show interfaces
# run show interfaces terse ge-0/0/1.1
QUESTION #1 What is the run command used for?
Now, follow the remaining steps in Video 2:
# show interfaces ge-0/0/1 unit 1
# show interfaces ge-0/0/1.1
# edit interfaces ge-0/0/1
# top show system
# top edit interfaces ge-0/0/1 unit 1
# edit vlan-id
It’s normal to see an error in the last command, as edit is designed to enter branches, not leaves. Two more commands and you’ll be ready for the next section.
# up 2
# top
TRY THIS You can exit the configuration mode with exit or quit. These commands do the same thing when you execute them from the root of the tree, but not if you call them from a branch.
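As an added example (not code from the book or from Juniper), the following Python script models the hierarchy you have just been navigating: it parses a constructed curly-bracket configuration into a tree, then mimics show, edit, up and top from configuration mode, including the error you get when edit is pointed at a leaf such as vlan-id. The sample configuration, its interface names and addresses, and all function names are invented for this example.

```python
"""Model of the Junos configuration hierarchy (added example, not book code):
parse curly-bracket text into a tree, then navigate it with show/edit/up/top."""

# Constructed sample in Junos syntax, loosely modelled on the lab's myJunos.conf.
SAMPLE_CONFIG = """\
interfaces {
    ge-0/0/1 {
        unit 1 {
            vlan-id 1;
            family inet {
                address 10.1.1.1/24;
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 10.200.1.1/32;
            }
        }
    }
}
"""


def parse(text: str) -> dict:
    """Branch statements ("unit 1") map to a dict of children; leaves map to None."""
    root: dict = {}
    stack = [root]
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line == "}":
            stack.pop()                                   # close current branch
        elif line.endswith("{"):
            stack[-1][line[:-1].strip()] = child = {}
            stack.append(child)
        elif line.endswith(";"):
            stack[-1][line[:-1].strip()] = None           # leaf statement
        else:
            raise ValueError(f"unparsable line: {line!r}")
    return root


def render(node: dict, indent: int = 0) -> list:
    """Print a subtree the way `show` does: four spaces per level."""
    pad, lines = "    " * indent, []
    for key, child in node.items():
        if child is None:
            lines.append(f"{pad}{key};")
        else:
            lines += [f"{pad}{key} {{", *render(child, indent + 1), f"{pad}}}"]
    return lines


def descend(node: dict, tokens: list):
    """Follow branch statements along `tokens` ("unit 1" consumes two tokens).
    Returns (subtree, branch keys entered, tokens that matched no branch)."""
    keys = []
    while tokens:
        for key, child in node.items():
            words = key.split()
            if child is not None and tokens[: len(words)] == words:
                node, tokens, keys = child, tokens[len(words):], keys + [key]
                break
        else:
            break                                         # nothing matched: stop
    return node, keys, tokens


def show(node: dict, *tokens: str) -> str:
    """A branch prints its subtree; a trailing leaf name prints that leaf only,
    as `show ... vlan-id` prints `vlan-id 1;` on the device."""
    sub, _, rest = descend(node, list(tokens))
    if rest:
        sub = {k: v for k, v in sub.items() if v is None and k.split()[: len(rest)] == rest}
        if not sub:
            raise KeyError("no such statement: " + " ".join(tokens))
    return "\n".join(render(sub))


class ConfigSession:
    def __init__(self, text: str):
        self.root, self.path = parse(text), []            # path: branch keys entered

    def prompt(self) -> str:
        return "[edit " + " ".join(self.path) + "]" if self.path else "[edit]"

    def cwd(self) -> dict:
        node = self.root
        for key in self.path:
            node = node[key]
        return node

    def edit(self, *tokens: str) -> str:
        _, keys, rest = descend(self.cwd(), list(tokens))
        if rest:                                          # edit enters branches, never leaves
            raise ValueError("not a branch: " + " ".join(rest))
        self.path += keys
        return self.prompt()

    def up(self, n: int = 1) -> str:
        self.path = self.path[:-n]
        return self.prompt()

    def top(self) -> str:
        return self.up(len(self.path))


if __name__ == "__main__":
    s = ConfigSession(SAMPLE_CONFIG)
    print(show(s.root, "interfaces", "ge-0/0/1", "unit", "1", "vlan-id"))
    print(s.edit("interfaces", "ge-0/0/1", "unit", "1"), show(s.cwd()), s.up(2), s.top(), sep="\n")
```

Run it with python3: show on a branch prints the whole subtree, a trailing leaf name prints just that statement, and the [edit ...] banner follows the path exactly as the CLI prompt does.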
3 Editing the Candidate Configuration
You already know the commands: show, edit, up, top and run. Let’s get familiar with the power commands: set, delete, copy, rename, replace, and insert.
As their names suggest, these commands are used to modify the configuration; however, they do not act upon the active configuration. Instead, they make changes to a draft that is commonly called the candidate configuration or candidate database.
As an example, you can add a new logical interface with the command set, but this new interface is not actually created on the device until you commit the changes to the active configuration. This section focuses on these basic commands that you can use to edit a configuration draft, and the details of commit are left to Section 4.
It’s time to watch Video 3.
Video 3: Editing the Candidate Configuration
Let’s touch base with set and delete. Execute the following sequence, which does not result in any net change on the candidate configuration, because the delete command reverts the initial changes:
# show interfaces ge-0/0/1
# set interfaces ge-0/0/1 unit 2 vlan-id 2
# show interfaces ge-0/0/1
# edit interfaces ge-0/0/1
QUESTION #2 What is the difference between the show command in configuration mode, and the show configuration command in operational mode?
As you can check, the following command sequence – introducing copy and rename – does not result in any net change on the candidate configuration either: the initial and the final states are identical.
# run show interfaces lo0.0 terse
QUESTION #3 Does the information provided by the last two commands match? Why? Let’s call these two commands #1 (# show) and #2 (# run show interfaces lo0.0 terse), respectively.
Now exit configuration mode, and verify that there has been no change to the active configuration yet:
# exit
The configuration has been changed but not committed
Exit with uncommitted changes? [yes,no] (yes) yes
> show configuration interfaces lo0
None of the changes performed so far has resulted in a change of the active configuration. So, let’s go back to configuration mode and revert the changes performed in the candidate configuration:
> configure
# edit interfaces lo0 unit 0
# rename family inet address 10.200.1.1/32 to address 10.100.1.1/32
# show
Let’s now face the risks of the powerful command replace. The following sequence does not result in any net candidate configuration changes:
QUESTION #4 What is the show | compare command doing?
You are not expected to know the answer right now, but it’s good to start getting used to it.
Finally, use the insert command. Changing the order of IPv4 addresses is not the most natural application of insert, as compared to reordering terms inside a firewall filter or a routing policy. However, it is good to illustrate the technique here:
REMEMBER The tab key can make your life easier!
TRY THIS The edit command also exists in operational mode. It’s similar to configure and it can optionally take you to the branch you specify.
4 Committing Configuration Changes
It’s time to introduce two of the most important and differentiating commands in Junos OS configuration: rollback and commit. The terms are inherited from relational databases, and are based on opposite concepts.
With rollback, you discard the pending configuration changes. The candidate database becomes identical to the active configuration, which in turn does not change at all.
With commit, you activate the configuration changes by copying the candidate database into the active configuration.
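The following Python model, added here and not taken from the book or from Juniper, makes the candidate/active split of Sections 3 and 4 concrete: set, delete and rename only touch the candidate, compare() plays the role of show | compare, rollback copies the active configuration (or an older one) back over the candidate, and commit copies the candidate over the active one and rotates the history. Configurations are represented as sets of set-style paths; the baseline, the addresses and the class and method names are constructed for the example.

```python
"""Candidate versus active configuration with commit and rollback (added
example, not book or Juniper code). Each configuration is a set of set-style
paths, one tuple element per statement, e.g.
('interfaces', 'lo0', 'unit 0', 'family inet', 'address 10.200.1.1/32')."""


class ConfigDB:
    MAX_HISTORY = 49                 # Junos keeps rollback 1 through rollback 49

    def __init__(self, active=()):
        self.active = frozenset(tuple(p) for p in active)
        self.candidate = set(self.active)      # the draft the power commands edit
        self.history = []                      # previous active configs: rollback 1, 2, ...

    # --- power commands: they touch only the candidate ---------------------
    def set(self, *path: str) -> None:
        self.candidate.add(tuple(path))

    def delete(self, *prefix: str) -> None:
        """Remove the statement at `prefix` and everything below it."""
        p = tuple(prefix)
        self.candidate = {c for c in self.candidate if c[: len(p)] != p}

    def rename(self, old, new) -> None:
        """`rename <old> to <new>`: move a subtree under a new identifier."""
        old, new = tuple(old), tuple(new)
        moved = {new + c[len(old):] for c in self.candidate if c[: len(old)] == old}
        self.delete(*old)
        self.candidate |= moved

    # --- inspecting and resolving the draft --------------------------------
    def compare(self) -> list:
        """`show | compare` in set form: '-' leaves the active config, '+' joins it."""
        removed = sorted(self.active - self.candidate)
        added = sorted(self.candidate - self.active)
        return ["- " + " ".join(c) for c in removed] + ["+ " + " ".join(c) for c in added]

    def rollback(self, n: int = 0) -> list:
        """Replace the candidate with rollback n (0 is the active configuration).
        The active configuration itself never changes; returns what is now pending."""
        source = self.active if n == 0 else self.history[n - 1]
        self.candidate = set(source)
        return self.compare()

    def commit(self) -> list:
        """Copy the candidate over the active configuration. The previous active
        version becomes rollback 1 and the older ones shift down one slot."""
        applied = self.compare()
        self.history.insert(0, self.active)
        del self.history[self.MAX_HISTORY:]
        self.active = frozenset(self.candidate)
        return applied


if __name__ == "__main__":
    # Constructed baseline resembling the lab's myJunos.conf
    LO0 = ("interfaces", "lo0", "unit 0", "family inet")
    db = ConfigDB([LO0 + ("address 10.200.1.1/32",)])
    db.set("interfaces", "ge-0/0/1", "unit 2", "vlan-id 2")
    print(db.compare())                        # pending on the candidate only
    db.delete("interfaces", "ge-0/0/1", "unit 2")
    print(db.compare())                        # []: no net change
    db.rename(LO0 + ("address 10.200.1.1/32",), LO0 + ("address 10.100.1.1/32",))
    print(db.compare(), db.rollback())         # rename pending, then discarded: []
    db.set("system", "host-name EVEREST")
    print(db.commit())                         # ['+ system host-name EVEREST'] is now active
    print(db.rollback(1))                      # ['- system host-name EVEREST'] pending again
```

The walkthrough under the main guard replays the lab: a set followed by its delete leaves no diff, a rename shows up in compare() until rollback discards it, and after a commit the previous version is reachable as rollback 1 without touching what is active.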
Up to now, you have been using the console connection. Let’s make some practical changes to the configuration, so that regular IPv4-based telnet connections are also possible. You can start by discarding all the pending configuration changes:
> file show /var/tmp/original.conf | match address
> file show /config/mgmt.ipaddress
And configure your device for incoming telnet access. In Junos OS, the root user can access the device via SSH, but not via telnet. For this reason, you also need to configure a non-root user. This is the full procedure:
> configure
# set system services telnet
# set system login user vdayone class super-user authentication plain-text-password
New password: Clouds
Retype new password: Clouds
# show | compare
# commit and-quit
Now, from another terminal, try to telnet to the device using the address you wrote down, and the user and password just configured:
Now, let’s see a commit in action:
# set system host-name EVEREST
# show | compare
# commit
The prompt should have changed to EVEREST!
So what happens exactly during a commit operation? The sequence in a device with no control plane redundancy (just one Routing Engine) is:
First, the management daemon (mgd) responsible for the CLI session where the commit is being performed calls all the background daemons that may be concerned by the configuration change. In this way, the routing protocol daemon (rpd), the firewall daemon (dfwd), the Class of Service daemon (cosd), the interface daemon (dcd), etc., may be requested to read the configuration and perform a validation check.
NOTE A daemon is the common name of any background process in FreeBSD and other UNIX-like operating systems.
Each background daemon forks (fork()) a child process that will be in charge of the validation task, while the parent daemon keeps focused on its usual job. Each child process inspects the part of the configuration that it considers relevant, and checks its consistency – for example, an interface cannot have a filter applied if the filter is not globally defined. The child processes return their validation results to mgd, and then exit.
The validation check only succeeds if all the child processes report a successful result of their validation to mgd. If the commit command was launched with the check option, it would just provide the validation results and exit without committing any changes. Likewise, a regular commit (without the check option) would stop here if any of the daemons reported a validation error.
At this point, if the validation is successful and the check option is not used, mgd activates the candidate configuration, rotates the configuration files as shown in the next section, sends a SIGHUP signal to the relevant background processes, and returns the prompt.
The relevant background processes (by themselves, not a child of them) read the configuration changes and execute reconfiguration routines. These routines can take significant time in highly provisioned devices. For example, you can see the status of rpd reconfiguration by executing the command show task jobs after the commit, and looking for reconfig tasks.
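An added Python model (not Juniper code) of the commit sequence just described: mgd asks every daemon to validate the candidate, a single failure aborts the commit, commit check stops after validation, and a real commit activates the candidate, rotates the configuration files and signals the daemons to re-read it. Validation runs as a plain function call here where the real daemon forks a child; the dcd rule is the book's undefined-filter example, the dfwd rule is an illustrative one of my own, and the configuration dict, filter names and class names are constructed. The rotated file names follow the juniper.conf.gz, juniper.conf.1.gz, ... layout found under /config on Junos devices.

```python
"""What mgd does on `commit` and `commit check` (added model, not Juniper code).
The candidate is a plain dict; each daemon's validation is a direct call here,
where the real daemon fork()s a child, and on_sighup() stands in for the SIGHUP
that makes the daemon re-read the configuration."""
from copy import deepcopy
from dataclasses import dataclass, field
from typing import Callable


@dataclass
class Daemon:
    name: str
    check: Callable[[dict], list]     # the consistency rule for its part of the config
    applied: int = 0                  # commits this daemon has re-read so far

    def validate(self, candidate: dict) -> list:
        return [f"{self.name}: {msg}" for msg in self.check(candidate)]

    def on_sighup(self, active: dict) -> None:
        self.applied += 1             # reconfiguration routines would run here


@dataclass
class CommitResult:
    ok: bool
    activated: bool
    errors: list = field(default_factory=list)


class Mgd:
    def __init__(self, active: dict, daemons: list):
        self.active, self.candidate = deepcopy(active), deepcopy(active)
        self.daemons = daemons
        # Known Junos layout: the active file is /config/juniper.conf.gz and
        # earlier versions are rotated to juniper.conf.1.gz, .2.gz, ...
        self.files = ["juniper.conf.gz"]

    def commit(self, check: bool = False) -> CommitResult:
        errors = [e for d in self.daemons for e in d.validate(self.candidate)]
        if errors:                    # one failing daemon stops the whole commit
            return CommitResult(ok=False, activated=False, errors=errors)
        if check:                     # `commit check`: report only, activate nothing
            return CommitResult(ok=True, activated=False)
        self.active = deepcopy(self.candidate)
        self._rotate_files()
        for d in self.daemons:        # SIGHUP: the parents re-read the new active config
            d.on_sighup(self.active)
        return CommitResult(ok=True, activated=True)

    def _rotate_files(self) -> None:
        kept = min(len(self.files), 49)   # rollback 1..49 survive a rotation
        self.files = ["juniper.conf.gz"] + [f"juniper.conf.{i}.gz" for i in range(1, kept + 1)]


def dcd_check(cfg: dict) -> list:
    """Interface daemon: the book's example, a filter applied to an interface
    must be defined globally under firewall."""
    errors = []
    for ifl, attrs in cfg.get("interfaces", {}).items():
        name = attrs.get("filter")
        if name and name not in cfg.get("firewall", {}):
            errors.append(f"interface {ifl} references undefined filter {name}")
    return errors


def dfwd_check(cfg: dict) -> list:
    """Firewall daemon: an illustrative rule of this example, a filter needs a term."""
    return [f"filter {name} has no terms" for name, terms in cfg.get("firewall", {}).items() if not terms]


def lab_device() -> Mgd:
    """Constructed scenario: the draft applies a filter that nobody has defined."""
    active = {"firewall": {"PROTECT-RE": ["accept-ssh"]},
              "interfaces": {"lo0.0": {"filter": "PROTECT-RE"}}}
    mgd = Mgd(active, [Daemon("dcd", dcd_check), Daemon("dfwd", dfwd_check)])
    mgd.candidate["interfaces"]["ge-0/0/1.1"] = {"filter": "NOT-DEFINED"}
    return mgd


if __name__ == "__main__":
    mgd = lab_device()
    print(mgd.commit(check=True).errors)          # dcd rejects the draft
    mgd.candidate["firewall"]["NOT-DEFINED"] = []
    print(mgd.commit().errors)                    # now dfwd rejects it; still nothing activated
    mgd.candidate["firewall"]["NOT-DEFINED"].append("accept-all")
    print(mgd.commit(check=True), mgd.active == mgd.candidate)   # ok, but not activated
    print(mgd.commit(), mgd.files, [d.applied for d in mgd.daemons])
```

Each failed attempt leaves the active configuration, the file list and the daemons' applied counters untouched, which is the property the commit check option gives you on a real device: you learn whether the draft is consistent before anything changes.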