Introduction To The Junos Operating System - 12.A - Lab Guide Details

Introduction to the Junos
Operating System
12.a
Detailed Lab Guide
Worldwide Education Services
1194 North Mathilda Avenue

Sunnyvale, CA 94089
USA
408-745-2000
www.juniper.net
Course Number: EDU-JUN-IJOS

This document is produced by Juniper Networks, Inc.
This document or any part thereof may not be reproduced or transmitted in any form under penalty of law, without the prior written permission
of Juniper Networks Education Services.
Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United
States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other
trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.
Introduction to the Junos Operating System Detailed Lab Guide, Revision 12.a
Copyright © 2012, Juniper Networks, Inc.
All rights reserved. Printed in USA.
Revision History:
Revision 9.a—July 2009; Revision 9.b—October 2009; Revision 10.a—May 2010; Revision 10.b—May 2010; Revision 11.a—June 2011
Revision 12.a—June 2012
The information in this document is current as of the date listed above.
The information in this document has been carefully verified and is believed to be accurate for software Release 12.1R1.9. Juniper Networks
assumes no responsibilities for any inaccuracies that may appear in this document. In no event will Juniper Networks be liable for direct,
indirect, special, exemplary, incidental or consequential damages resulting from any defect or omission in this document, even if advised of
the possibility of such damages.
Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.
YEAR 2000 NOTICE
Juniper Networks hardware and software products do not suffer from Year 2000 problems and hence are Year 2000 compliant. The Junos
operating system has no known time-related limitations through the year 2038. However, the NTP application is known to have some difficulty
in the year 2036.
SOFTWARE LICENSE
The terms and conditions for using Juniper Networks software are described in the software license provided with the software, or to the
extent applicable, in an agreement executed between you and Juniper Networks, or Juniper Networks agent. By using Juniper Networks
software, you indicate that you understand and agree to be bound by its license terms and conditions. Generally speaking, the software
license restricts the manner in which you are permitted to use the Juniper Networks software, may contain prohibitions against certain uses,
and may state conditions under which the license is automatically terminated. You should consult the software license for further details.
Contents
Lab 1: The Junos CLI (Detailed) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-1
Part 1: Logging In and Exploring the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2
Lab 2: Initial System Configuration (Detailed) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-1

Part 1: Loading a Factory-Default Configuration and Performing Initial Configuration . . . . . . . . . . 2-2
Part 2: Saving, Displaying, Loading, and Deleting a Rescue Configuration . . . . . . . . . . . . . . . . . .2-13
Part 3: Configuring Interfaces and Verifying Operational State . . . . . . . . . . . . . . . . . . . . . . . . . . .2-17
Lab 3: Secondary System Configuration (Detailed) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-1

Part 1: Configuring User Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-2
Part 2: Performing System Management Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-13
Lab 4: Operational Monitoring and Maintenance (Detailed) . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4-1

Part 1: Monitoring System and Chassis Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-2
Part 2: Using Network Utilities and Monitoring Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4-12
Part 3: Upgrading the Junos OS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4-17
Part 4: Recovering the Root Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4-20
Lab 5: The J-Web Interface (Detailed) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5-1

Part 1: Logging In to and Exploring the J-Web Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-2
Part 2: Exploring J-Web Configuration and Diagnostic Capabilities . . . . . . . . . . . . . . . . . . . . . . . . . 5-8
Appendix A: Lab Diagrams . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-1
www.juniper.net Contents • iii

iv • Contents www.juniper.net
Course Overview
This one-day course provides students with the foundational knowledge required to work with the
Junos operating system and to configure Junos devices. The course provides a brief overview of the
Junos device families and discusses the key architectural components of the software. Additional
key topics include user interface options with a heavy focus on the command-line interface (CLI),
configuration tasks typically associated with the initial setup of devices, interface configuration
basics with configuration examples, secondary system configuration, and the basics of operational
monitoring and maintenance of Junos devices.
Through demonstrations and hands-on labs, you will gain experience in configuring and monitoring
the Junos OS and monitoring basic device operations. This course uses Juniper Networks
SRX Series Services Gateways for the hands-on component, but the lab environment does not
preclude the course from being applicable to other Juniper hardware platforms running the
Junos OS. This course is based on Junos OS Release 12.1R1.9.
Objectives
After successfully completing this course, you should be able to:
• Describe the basic design architecture of the Junos OS.
• Identify and provide a brief overview of Junos devices.
• Navigate within the Junos CLI.
• Perform tasks within the CLI operational and configuration modes.
• Restore a Junos device to its factory-default state.
• Perform initial configuration tasks.
• Configure and monitor network interfaces.
• Describe user configuration and authentication options.
• Perform secondary configuration tasks for features and services (such as system
logging syslog) and tracing, Network Time Protocol (NTP), configuration archival, and
SNMP.
• Monitor basic operation for the Junos OS and devices.
• Identify and use network utilities.
• Upgrade the Junos OS.
• Perform file system maintenance and password recovery on a Junos device.
• Navigate within the Junos OS J-Web interface.
Intended Audience
This course benefits individuals responsible for configuring and monitoring devices running the
Junos OS.
Course Level
The Introduction to the Junos Operating System course is a one-day, introductory course.
Prerequisites
Students should have basic networking knowledge and an understanding of the Open Systems
Interconnection (OSI) reference model and the TCP/IP protocol suite.
www.juniper.net Course Overview • v

Course Agenda
Day 1
Chapter 1: Course Introduction
Chapter 2: Junos Operating System Fundamentals
Chapter 3: User Interface Options
Lab 1: The Junos CLI
Chapter 4: Initial Configuration
Lab 2: Initial System Configuration
Chapter 5: Secondary System Configuration
Lab 3: Secondary System Configuration
Chapter 6: Operational Monitoring and Maintenance
Lab 4: Operational Monitoring and Maintenance
Appendix A: Interface Configuration Examples
Appendix B: The J-Web Interface
Lab 5 (Optional): The J-Web Interface
vi • Course Agenda www.juniper.net

Document Conventions
CLI and GUI Text

Frequently throughout this course, we refer to text that appears in a command-line interface (CLI)
or a graphical user interface (GUI). To make the language of these documents easier to read, we
distinguish GUI and CLI text from chapter text according to the following table.
Style Description Usage Example
Franklin Gothic Normal text. Most of what you read in the Lab Guide
and Student Guide.
Courier New Console text:

commit complete
• Screen captures
• Noncommand-related Exiting configuration mode
syntax
GUI text elements:
Select File > Open, and then click
• Menu names Configuration.conf in the
Filename text box.
• Text field entry
Input Text Versus Output Text

You will also frequently see cases where you must enter input text yourself. Often these instances
will be shown in the context of where you must enter them. We use bold style to distinguish text
that is input versus text that is simply displayed.
Normal CLI No distinguishing variant. Physical interface:fxp0,

Enabled
Normal GUI
View configuration history by clicking
Configuration > History.
CLI Input Text that you must enter. lab@San_Jose> show route
GUI Input Select File > Save, and type
config.ini in the Filename field.
Defined and Undefined Syntax Variables

Finally, this course distinguishes between regular text and syntax variables, and it also
distinguishes between syntax variables (where the value is already assigned defined variables) and
syntax variables (where you must assign the value undefined variables). Note that these styles can
be combined with the input style as well.

CLI Variable Text where variable value is policy my-peers
already assigned.
GUI Variable
Click my-peers in the dialog.
CLI Undefined Text where the variable’s value Type set policy policy-name.
is the user’s discretion and text
ping 10.0.x.y
where the variable’s value as
GUI Undefined shown in the lab guide might Select File > Save, and type
differ from the value the user filename in the Filename field.
must input.
www.juniper.net Document Conventions • vii

Additional Information
Education Services Offerings

You can obtain information on the latest Education Services offerings, course dates, and class
locations from the World Wide Web by pointing your Web browser to:
http://www.juniper.net/training/education/.
About This Publication
The Introduction to the Junos Operating System Detailed Lab Guide was developed and tested
using software Release 12.1R1.9. Previous and later versions of software might behave differently
so you should always consult the documentation and release notes for the version of code you are
running before reporting errors.
This document is written and maintained by the Juniper Networks Education Services development
team. Please send questions and suggestions for improvement to [email protected].
Technical Publications
You can print technical manuals and release notes directly from the Internet in a variety of formats:
• Go to http://www.juniper.net/techpubs/.
• Locate the specific software or hardware release and title you need, and choose the
format in which you want to view or print the document.
Documentation sets and CDs are available through your local Juniper Networks sales office or
account representative.
Juniper Networks Support
For technical support, contact Juniper Networks at http://www.juniper.net/customers/support/, or
at 1-888-314-JTAC (within the United States) or 408-745-2121 (from outside the United States).
viii • Additional Information www.juniper.net

Lab 1
The Junos CLI (Detailed)
Overview
This lab introduces you to the Junos operating system command-line interface (CLI). In
this lab, you will familiarize yourself with various CLI operational mode and configuration
mode features.
The lab is available in two formats: a high-level format designed to make you think through
each step and a detailed format that offers step-by-step instructions complete with
sample output from most commands.
By completing this lab, you will perform the following tasks:
• Log in to and explore the Junos CLI using both operational and configuration
modes.
www.juniper.net The Junos CLI (Detailed) • Lab 1–1

12.a.12.1R1.9
Part 1: Logging In and Exploring the CLI
In this lab part, you become familiar with the access details used to connect to the
lab equipment. Once you are familiar with the access details, you will use the CLI to
log in to your team’s designated station and use the CLI to become familiar with
operational mode and configuration mode. You also gain experience with some of
the tools and functionality available within operational mode and configuration
mode.
Note
Depending on the class, the lab equipment
used might be remote from your physical
location. The instructor will inform you as to
the nature of your access and will provide
you the details needed to access your
assigned device.
Step 1.1
Ensure that you know to which student device you have been assigned. Check with
your instructor if you are not certain. Consult the management network diagram to
determine the management address of your student device
Question: What is the management address

assigned to your station?
Answer: The answer varies; in the example used

throughout this lab, the user belongs to the
srxA-1 station, which uses an IP address of
10.210.14.131. Your answer will depend on the
rack of equipment your class is using.
Step 1.2
Access the CLI at your station using either the console, Telnet, or SSH as directed by
your instructor. Refer to the management network diagram for the IP address
associated with your team’s station. The following example uses a simple Telnet
access to srxA-1 with the Secure CRT program as a basis:
Lab 1–2 • The Junos CLI (Detailed) www.juniper.net

Step 1.3
Log in to the student device with the username lab using a password of lab123.
Note that both the name and password are case-sensitive. Issue the configure
command to enter configuration mode and load the reset configuration file using
the load override /var/home/lab/ijos/lab1-start.config
command. After the configuration has been loaded, commit the changes and return
to operational mode using the commit and-quit command.
srxA-1 (ttyp0)
login: lab
Password:
--- JUNOS 12.1R1.9 built 2012-03-24 12:12:49 UTC

lab@srxA-1> configure
Entering configuration mode
[edit]
lab@srxA-1# load override ijos/lab1-start.config
load complete
[edit]
lab@srxA-1# commit and-quit
commit complete
Exiting configuration mode
lab@srxA-1>
Step 1.4
Determine what system information you can clear from the operational mode
command prompt.
lab@srxA-1> clear ?
Possible completions:
amt Show AMT Protocol information
arp Clear address resolution information
auto-configuration Clear auto-configuration action
bfd Clear Bidirectional Forwarding Detection information
bgp Clear Border Gateway Protocol information
bridge Clear learned Layer 2 MAC address information
chassis Clear chassis information
database-replication Clear database replication information
dhcpv6 Clear DHCPv6 information
dot1x Clear 802.1X session
esis Clear end system-to-intermediate system information
ethernet-switching Clear ethernet switching information
fabric Clear RPDF Internal data structures
firewall Clear firewall counters
gvrp Clears Generic VLAN Registration Protocol information
helper Clear port-forwarding helper information
igmp Clear Internet Group Management Protocol information
igmp-snooping Clear IGMP snooping information
interfaces Clear interface information
ipv6 Clear IP version 6 information
isdn Clear Integrated Services Digital Network information
isis Clear Intermediate System-to-Intermediate System
information
l2-learning Clear learned Layer 2 MAC address information
lacp Clear Link Aggregation Control Protocol information
ldp Clear Label Distribution Protocol information
lldp Clear Link Layer Discovery Protocol information
log Clear contents of log file
mld Clear multicast listener discovery information
mld-snooping Clear MLD snooping information
mpls Clear mpls information
msdp Clear Multicast Source Discovery Protocol information
multicast Clear multicast information
network-access Clear network-access related information
ospf Clear Open Shortest Path First information
ospf3 Clear Open Shortest Path First version 3 information
passive-monitoring Clear passive monitoring statistics
pfe Clear Packet Forwarding Engine information
pgm Clear Pragmatic Generalized Multicast information
pim Clear Protocol Independent Multicast information
ppp Clear PPP information
pppoe Clear PPP over Ethernet information
protection-group Clear protection group information
r2cp Clear Radio-to-Router Protocol information
rip Clear Routing Information Protocol information
ripng Clear Routing Information Protocol for IPv6 information
rsvp Clear Resource Reservation Protocol information
security Clear security information
services Clear services
snmp Clear Simple Network Management Protocol information
spanning-tree Clear Spanning Tree Protocol information
system Clear system information
vpls Clear learned Layer 2 MAC address information
vrrp Clear Virtual Router Redundancy Protocol statistics
wlan Clear Wireless LAN information

Question: Which command do you use to clear the
contents of a system log (syslog) file?
Answer: Use the clear log log-filename

command to clear the contents of a particular
syslog file.
Step 1.5
Experiment with command completion by entering show i<space>.
lab@srxA-1> show i
^
'i' is ambiguous.
iccp Show Inter Chassis Control Protocol information
igmp Show Internet Group Management Protocol information
igmp-snooping Show IGMP snooping information
ingress-replication Show Ingress-Replication tunnel information
interfaces Show interface information
ipv6 Show IP version 6 information
isdn Show Integrated Services Digital Network information
isis Show Intermediate System-to-Intermediate System
information
Step 1.6
Add characters to disambiguate your command so that you can display
interface-related information; use the Spacebar or Tab key for automatic command
completion.
Note
You can return to the command prompt
without scrolling through all of the
generated output from a command. Enter
the Ctrl+c key sequence or the q key to
abort the operation and return to the
command prompt.
lab@srxA-1> show int<space>erfaces

Physical interface: ge-0/0/0, Enabled, Physical link is Up
Interface index: 134, SNMP ifIndex: 507
Description: MGMT Interface - DO NOT DELETE
Link-level type: Ethernet, MTU: 1514, Link-mode: Full-duplex, Speed: 1000mbps,
BPDU Error: None, MAC-REWRITE Error: None, Loopback: Disabled,
Source filtering: Disabled, Flow control: Enabled, Auto-negotiation: Enabled,
Remote fault: Online
Device flags : Present Running
Interface flags: SNMP-Traps Internal: 0x0
Link flags : None
CoS queues : 8 supported, 8 maximum usable queues
Current address: 00:26:88:e1:54:80, Hardware address: 00:26:88:e1:54:80
Last flapped : 2011-04-20 02:02:04 UTC (2d 03:09 ago)

Input rate : 536 bps (0 pps)
Output rate : 0 bps (0 pps)
Active alarms : None
Active defects : None
Logical interface ge-0/0/0.0 (Index 68) (SNMP ifIndex 509)

Flags: SNMP-Traps 0x0 Encapsulation: ENET2
Input packets : 299996
Output packets: 211433
Security: Zone: Null
...TRIMMED...
Step 1.7
Try to clear SNMP statistics by entering the clear snmp command.
lab@srxA-1> clear snmp
^
syntax error, expecting <command>.
Question: What do you think the resulting display

means?
Answer: The display indicates that the command

was incomplete as entered. The caret symbol (^)
indicates the area of the problem, and the error
message tells you that the system expects
additional command input.
Step 1.8
Verify that the CLI does not let you complete invalid commands by trying to enter the
command show ip interface brief.
lab@srxA-1> show ip<space>
lab@srxA-1> show ipv6
lab@srxA-1> show ipinterfacebrief

^
syntax error, expecting <command>.

Question: What happens when you try to enter this
command?
Answer: The system’s command completion feature

completes a show ipv6 command in this case
because ipv6 is the only valid completion. If you
attempt to continue with invalid syntax, the system
informs you of your error. Unlike some CLI
implementations, the Junos OS will not let you
waste time typing in an illegitimate command!
Step 1.9
Enter a show route command followed by a show system users command.
You are entering these commands to demonstrate command history recall. When
finished, enter the keyboard sequences indicated to answer the related questions.
lab@srxA-1> show route
inet.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)

+ = Active Route, - = Last Active, * = Both
10.210.14.128/27 *[Direct/0] 02:12:04

> via ge-0/0/0.0
10.210.14.131/32 *[Local/0] 02:12:10
Local via ge-0/0/0.0
lab@srxA-1> show system users

5:12AM up 2 days, 3:14, 1 user, load averages: 0.04, 0.10, 0.07
USER TTY FROM LOGIN@ IDLE WHAT
lab u0 - 4:43AM - -cli (cli)
Question: What happens when you press Ctrl+p

twice?
Answer: The system recalls the show route

command and displays it at the prompt.
Question: What happens when you press Ctrl+n?
Answer: The system recalls the next command in

the buffer, which is a show system users
command in this example.

Question: What happens when you use the Up
Arrow and Down Arrow keys?
Answer: The Up Arrow and Down Arrow keys

function as substitutes for the Ctrl+p and Ctrl+n
sequences as long as the system is configured for
VT100-type emulation, which is the default.
Step 1.10
In many cases, the output of a command might exceed one full screen. For example,
the show interfaces interface-name extensive command displays a lot
of information about the specified interface. Enter this command now for your
system’s ge-0/0/0 interface, and answer the following questions. Use the h key as
needed to obtain help when CLI output is paused at the ---(more)--- prompt.
lab@srxA-1> show interfaces ge-0/0/0 extensive
Interface index: 134, SNMP ifIndex: 507, Generation: 137
Link flags : None
Hold-times : Up 0 ms, Down 0 ms
Current address: 00:26:88:e1:54:80, Hardware address: 00:26:88:e1:54:80
Last flapped : 2011-04-20 02:02:04 UTC (2d 03:11 ago)
Statistics last cleared: Never
Traffic statistics:
Input bytes : 197626475 1008 bps
Output bytes : 196448392 0 bps
Input packets: 300053 1 pps
Output packets: 211433 0 pps
Input errors:
Errors: 0, Drops: 0, Framing errors: 0, Runts: 0, Policed discards: 0,
L3 incompletes: 0, L2 channel errors: 0, L2 mismatch timeouts: 0,
FIFO errors: 0, Resource errors: 0
Output errors:
Carrier transitions: 1, Errors: 0, Drops: 0, Collisions: 0, Aged packets: 0,
FIFO errors: 0, HS link CRC errors: 0, MTU errors: 0, Resource errors: 0
...TRIMMED...

Question: What effect does pressing the Spacebar
have?
Answer: The Spacebar causes the display to scroll

forward to display the next screen of output.
Question: What effect does pressing the Enter key

have on the paused output?
Answer: The Enter key causes the display to scroll

forward by one line.
Question: What effect does pressing the b key

have?
Answer: Pressing the b key causes the display to

scroll backwards by one full screen, up to the point
where the first full screen of information displays.
Question: What effect does pressing the u key

have?
Answer: Pressing the u key causes the display to

scroll backwards by one half of a screen, up to the
point where the first screen displays.
Question: Which key would you press to search

forward through a display that consists of multiple
screens of output?
Answer: To search forward, press the forward slash

(/) character followed by the search pattern.
Step 1.11
Use the pipe (|) and match functions of the Junos CLI to list all interfaces that are
physically down.
lab@srxA-1> show interfaces | match down
Physical interface: ge-0/0/5, Enabled, Physical link is Down
Device flags : Present Running Down
Interface flags: Hardware-Down SNMP-Traps Internal: 0x0

Question: Are any of your interfaces listed as Down?
Answer: In this example, the answer is yes; several

interfaces show as Down. The interfaces shown
might vary depending on your lab environment.
Question: Can you think of a way to have the

Junos OS count the number of interfaces that are
physically down? (Hint: Remember that you can use
the results of one pipe as input to another pipe
operation.)
Answer: To count the number of down interfaces,

pipe the results of the previous command to the CLI
count function. In this example, we included an
extra match function to ensure that the software
does not count interfaces that are down both
logically and physically more than once:

lab@srxA-1> show interfaces | match down | match Physical | count
Count: 11 lines
Step 1.12
A large portion of the Junos OS documentation is available directly from the CLI. You
can retrieve high-level topics using the help topic command, whereas you can
obtain detailed configuration-related information with the help reference
command.
Use the help reference command along with the CLI question-mark operator
(?) to find detailed information about configuring a system hostname.
lab@srxA-1> help reference ?
access
accounting-options
ancp
applications
bfd
bgp
bridge-domains
chassis
class-of-service
connections
diameter
dlsw
dot1x
dvmrp
dynamic-profiles
esis
event-options
firewall
forwarding-options
igmp
interfaces
isis
l2-learning
l2circuit
l2vpn
layer2-control
layer2-vpns Use the 'help reference l2vpn' command
layer3-vpns
ldp
link-management
lldp
logical-systems
mld
mpls
msdp
mvpn
oam
ospf
ospf3
pgm
pim

poe
policy-options
ppp
protection-group
rip
ripng
router-advertisement
router-discovery
routing-instances
routing-options
rsvp
sap
schedulers
security
services
snmp
stp
switch-options
system
vpls
vpns
vrrp
Question: Which CLI command displays reference

information about configuration of the system’s
hostname?
Answer: The help reference system

host-name command displays information
regarding system hostnames:
lab@srxA-1> help reference system host-name

host-name
Syntax
host-name hostname;
Hierarchy Level
[edit system]
Release Information
Statement introduced before JUNOS Release 7.4.
Statement introduced in JUNOS Release 9.0 for EX Series switches.
Description
Set the hostname of the router or switch.

Options
hostname--Name of the router or switch.
Required Privilege Level
system--To view this statement in the configuration.
system-control--To add this statement to the configuration.
Related Topics
* Configuring the Hostname of the Router

Step 1.13
Enter configuration mode.
[edit]
lab@srxA-1#
Question: What happens to your prompt?
Answer: A pound sign (#) replaces the angle bracket

(>), and a configuration hierarchy banner displays.
Question: According to the prompt, what is your

position in the configuration hierarchy?
Answer: The display indicates that you are now at

the [edit] hierarchy, which is the root of the
configuration tree.
Step 1.14
Display the interfaces portion of the candidate configuration.
[edit]
lab@srxA-1# show interfaces

ge-0/0/0 {
description "MGMT Interface - DO NOT DELETE";
unit 0 {
family inet {
address 10.210.14.131/27;
}
}
}
Step 1.15
Position yourself at the [edit interfaces] configuration hierarchy.
[edit]
lab@srxA-1# edit interfaces
[edit interfaces]
lab@srxA-1#
Question: What happens to the banner?
Answer: The banner now correctly shows that the

user is at the [edit interfaces] portion of the
configuration hierarchy.
Question: What is the result of a show command

now?
Answer: A show command displays information

pertaining only to configuration statements at and
below the current hierarchy. In this case, the
software displays only the configuration statements
for the system’s ge-0/0/0 interface:
[edit interfaces]
lab@srxA-1# show
ge-0/0/0 {
unit 0 {
family inet {
address 10.210.14.131/27;
}
}
}

Step 1.16
Move to the [edit protocols ospf] portion of the hierarchy. This step
requires that you first visit the root of the hierarchy, as you cannot jump directly
between branches. You can perform this step with a single command in the form of
top edit protocols ospf, however.
[edit interfaces]
lab@srxA-1# top edit protocols ospf
[edit protocols ospf]

lab@srxA-1#
Question: Which commands can you now enter to

reposition yourself at the [edit] portion of the
hierarchy? Return to the [edit] hierarchy level
now.
Answer: You can issue an up command twice, or an

up 2 command. You can also issue an exit
command or a top command.
[edit protocols ospf]

lab@srxA-1# top
[edit]
lab@srxA-1#
Note
If you have not already done so, return to
the [edit] hierarchy level using one of
the available methods.
Step 1.17
Try to display the status of chassis hardware with a show chassis hardware
operational command while in configuration mode.
[edit]
lab@srxA-1# show chassis hardware
^
syntax error.

Question: Why do you think you received an error?
What can you do to execute operational mode
commands while in configuration mode? Try that
now.
Answer: The command issued is not valid in

configuration mode. Precede operational mode
commands with the keyword run to execute them
while in configuration mode:
[edit]
lab@srxA-1# run show chassis hardware
Hardware inventory:
Item Version Part number Serial number Description
Chassis AH3809AA0054 SRX240h-poe
Routing Engine REV 35 750-021794 AAAX6922 RE-SRX240H-POE
FPC 0 FPC
PIC 0 16x GE Base PIC
Power Supply 0
Step 1.18
Try to return to operational mode by entering an exit command.
[edit]
lab@srxA-1# exit
The configuration has been changed but not committed
Exit with uncommitted changes? [yes,no] (yes)
Question: What happens when you execute the

exit command?
Answer: You should see a message indicating that

uncommitted changes exist. This message results
from the creation of an empty [edit protocols
ospf] stanza. This empty stanza causes the
configuration database to believe that the
configuration actually changed.

Question: Which CLI command can you use to
display differences between the candidate and
active configuration file? Enter no at the current
prompt and issue the required command to view
the differences between the candidate and active
configurations.
Answer: Use the show command with the results

piped to compare rollback number. In this
example, you should not see any actual
configuration changes, as shown in the following
sample capture:
The configuration has been changed but not committed

Exit with uncommitted changes? [yes,no] (yes) no
Exit aborted
[edit]
lab@srxA-1# show | compare rollback 0
[edit]
lab@srxA-1#
Question: Considering that nothing changed, which

command can you enter to allow an exit from
configuration mode without being warned of
uncommitted changes? Issue that command now.
Answer: Issue a rollback 0 command to replace

the candidate configuration with a new copy of the
active configuration. You can now exit configuration
mode without being warned of uncommitted
changes:
[edit]
lab@srxA-1# rollback 0
load complete
[edit]
lab@srxA-1# exit
lab@srxA-1>
Step 1.19
Log out of your assigned device using the exit command.

lab@srxA-1> exit
srxA-1 (ttyu0)
login:
STOP Tell your instructor that you have completed Lab 1.

Lab 2
Initial System Configuration (Detailed)
Overview
This lab demonstrates configuration tasks typically performed on new devices running the
Junos operating system. In this lab, you use the CLI to perform initial configuration and
basic interface configuration.
sample output from most commands. Refer to the management network diagram for
access details.
• Load a factory-default configuration and perform initial system configuration.
• Save, delete, and restore a rescue configuration.
• Perform basic interface configuration.
www.juniper.net Initial System Configuration (Detailed) • Lab 2–1

12.a.12.1R1.9
Introduction to the Junos Operating System
Part 1: Loading a Factory-Default Configuration and Performing Initial Configuration
In this lab part, you will load the factory-default configuration and perform initial
configuration tasks using the Junos CLI.
Step 1.1


Step 1.2
Access the CLI at your station using the console connection.
Note
During this lab, your access through the
management network will be affected.
Ensure that you use the console
connection to access your assigned station.
Using the console connection ensures
persistent connectivity even when the
management network access is
unavailable. If needed, ask your instructor
how to connect to your system using the
console port.
Lab 2–2 • Initial System Configuration (Detailed) www.juniper.net

Step 1.3
Note that both the name and password are case-sensitive. Enter configuration mode
and load a factory-default configuration using the load factory-default
command.
srxA-1 (ttyp0)
login: lab
Password:
--- JUNOS 12.1R1.9 built 2012-03-24 12:12:49 UTC

[edit]
lab@srxA-1# load factory-default
warning: activating factory configuration
Step 1.4
Display the factory-default configuration.
[edit]
lab@srxA-1# show
## Last changed: 2012-04-17 23:59:34 UTC
system {
autoinstallation {
delete-upon-commit; ## Deletes [system autoinstallation] upon change/
commit
traceoptions {
level verbose;
flag {
all;
}
}
interfaces {
ge-0/0/0 {
bootp;
}
}
}
name-server {
208.67.222.222;
208.67.220.220;
}
services {
ssh;
telnet;
xnm-clear-text;
web-management {
http {
interface vlan.0;
}
https {
system-generated-certificate;

interface vlan.0;
}
}
dhcp {
router {
192.168.1.1;
}
pool 192.168.1.0/24 {
address-range low 192.168.1.2 high 192.168.1.254;
}
propagate-settings ge-0/0/0.0;
}
}
syslog {
archive size 100k files 3;
user * {
any emergency;
}
file messages {
any critical;
authorization info;
}
file interactive-commands {
interactive-commands error;
}
}
max-configurations-on-flash 5;
##
## Warning: statement ignored: unsupported platform (srx240h)
##
max-configuration-rollbacks 5;
license {
autoupdate {
url https://ae1.juniper.net/junos/key_retrieval;
}
}
## Warning: missing mandatory statement(s): 'root-authentication'
}
interfaces {
ge-0/0/0 {
unit 0;
}
ge-0/0/1 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/2 {
unit 0 {
vlan {

members vlan-trust;
}
}
}
}
ge-0/0/3 {
unit 0 {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/4 {
unit 0 {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/5 {
unit 0 {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/6 {
unit 0 {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/7 {
unit 0 {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/8 {
unit 0 {
vlan {
members vlan-trust;

}
}
}
}
ge-0/0/9 {
unit 0 {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/10 {
unit 0 {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/11 {
unit 0 {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/12 {
unit 0 {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/13 {
unit 0 {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/14 {
unit 0 {
vlan {
members vlan-trust;
}

}
}
}
ge-0/0/15 {
unit 0 {
vlan {
members vlan-trust;
}
}
}
}
vlan {
unit 0 {
family inet {
address 192.168.1.1/24;
}
}
}
}
protocols {
stp;
}
security {
screen {
ids-option untrust-screen {
icmp {
ping-death;
}
ip {
source-route-option;
tear-drop;
}
tcp {
syn-flood {
alarm-threshold 1024;
attack-threshold 200;
source-threshold 1024;
destination-threshold 2048;
timeout 20;
}
land;
}
}
}
nat {
source {
rule-set trust-to-untrust {
from zone trust;
to zone untrust;
rule source-nat-rule {
match {
source-address 0.0.0.0/0;
}
then {

source-nat {
interface;
}
}
}
}
}
}
policies {
from-zone trust to-zone untrust {
policy trust-to-untrust {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
}
zones {
security-zone trust {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
vlan.0;
}
}
security-zone untrust {
screen untrust-screen;
interfaces {
ge-0/0/0.0 {
host-inbound-traffic {
system-services {
dhcp;
tftp;
}
}
}
}
}
}
}
vlans {
vlan-trust {
vlan-id 3;
l3-interface vlan.0;

}
}
Note
The factory-default configuration displays
several statements pertaining to the
security hierarchy level. This information is
outside the scope of this class but is
covered in the Junos for Security Platforms
(JSEC) course.
Step 1.5
Try to activate the factory-default configuration by issuing a commit command.
[edit]
lab@srxA-1# commit
[edit]
'system'
Missing mandatory statement: 'root-authentication'
error: commit failed: (missing statements)
Question: Did the commit operation succeed? If

not, why not?
Answer: No, the commit operation should fail

because the root authentication is missing.
Step 1.6
Navigate to the [edit system root-authentication] hierarchy level. Issue
the set plain-text-password command. When prompted to enter a new
password, type apples.
[edit]
lab@srxA-1# edit system root-authentication
[edit system root-authentication]

lab@srxA-1# set plain-text-password
New password:
error: require change of case, digits or punctuation

lab@srxA-1#
Question: What happens when you enter the

specified password? Why?
Answer: The operation fails because the password

does not meet the requirements.

Step 1.7
Again, issue the set plain-text-password command. When prompted to
enter a new password, type Apples. When prompted to confirm the password, type
Oranges.
New password:
Retype new password:
error: Passwords are not equal; aborting

specified passwords? Why?
Answer: The operation fails because the passwords

are not equal.
Step 1.8
Issue the set plain-text-password command once again. When prompted
to enter a new password, type Rootroot. When prompted to confirm the password,
type Rootroot. Activate the change and return to operational mode by issuing a
commit and-quit command.
New password:

commit complete
lab@srxA-1>
Step 1.9
Issue the file list /var/tmp command.
lab@srxA-1> file list /var/tmp
error: no local user: lab

specified command? Why?
Answer: The operation generates an error because

the lab user is no longer valid. We restore the lab
user account in a subsequent lab step.

Step 1.10
Log out as the lab user and log in as root. Use the newly defined password of
Rootroot.
lab@srxA-1> exit
srxA-1 (ttyu0)
login: root
Password:
--- JUNOS 12.1R1.9 built 2012-03-24 12:12:49 UTC

root@srxA-1%
Note
You should see the previously defined
hostname at the login prompt. The
amnesiac hostname is shown when the
hostname is removed and the system is
rebooted. You do not need to reboot the
system at this time because you will
configure a new hostname shortly.
Step 1.11
Start the CLI with the cli command and enter configuration mode.
root@srxA-1% cli
root@srxA-1> configure
[edit]
root@srxA-1#
Step 1.12
Define the system’s hostname. Use the hostname specified on the management
network diagram provided by your instructor.
[edit]
root@srxA-1# set system host-name hostname
Step 1.13
Configure the time zone and system time using the local time zone and current date
and time as input values.
[edit]
root@srxA-1# set system time-zone time-zone
[edit]
root@srxA-1# run set date date/time
Wed April 25 04:19:00 PDT 2012

Step 1.14
Remove the DHCP, interface, security, protocols and vlan sections from the
factory-default configuration, as this is not necessary in this lab environment.
[edit]
root@srxA-1# delete system services dhcp
[edit]
root@srxA-1# delete interfaces
[edit]
root@srxA-1# delete security
[edit]
root@srxA-1# delete protocols
[edit]
root@srxA-1# delete vlans
Step 1.15
Configure the ge-0/0/0 interface using the address and subnet mask specified on
the management network diagram, and specify an interface description of "MGMT
INTERFACE - DO NOT DELETE".
[edit]
root@srxA-1# edit interfaces
[edit interfaces]
root@srxA-1# set ge-0/0/0 unit 0 family inet address management IP address
[edit interfaces]
root@srxA-1# set ge-0/0/0 description "MGMT Interface - DO NOT DELETE"
[edit interfaces]
root@srxA-1#
Step 1.16
Navigate to [edit routing-options] and define a static route for the
10.210.0.0/16 destination prefix to allow for reachability beyond the local
management subnet. Use the gateway address, shown on the management network
diagram, as the next-hop value. When complete commit the configuration and return
to operational mode.
[edit interfaces]
root@srxA-1# top edit routing-options
[edit routing-options]
root@srxA-1# set static route 10.210.0.0/16 next-hop gateway address
[edit routing-options]
root@srxA-1# commit and-quit
commit complete
root@srxA-1>

STOP Wait for your instructor before you proceed to the next part.
Part 2: Saving, Displaying, Loading, and Deleting a Rescue Configuration
In this lab part, you will save, display, load, and delete a rescue configuration using
the Junos CLI.
Step 2.1
Enter configuration mode and load the lab2-part2-start.config file from
the/var/home/lab/ijos/ directory. This will return the lab to its original state
and reestablish the lab user. Commit your configuration and return to operational
mode when complete.
[edit]
root@srxA-1# load override /var/home/lab/ijos/lab2-part2-start.config
load complete
[edit]
commit complete
root@srxA-1>
Step 2.2
Log out of the root user by issuing the exit command twice, then log in as the
lab user using lab123 as the password.
root@srxA-1> exit
root@srxA-1% exit
logout
srxA-1 (ttyu0)
login: lab
Password:
--- JUNOS 12.1R1.9 built 2012-03-24 12:12:49 UTC

lab@srxA-1>
Step 2.3
Save the active configuration as the rescue configuration.
lab@srxA-1> request system configuration rescue save
Step 2.4
Display the contents of the recently saved rescue configuration.

lab@srxA-1> file show /config/rescue.conf.gz
## Last changed: 2012-04-17 20:11:13 PDT
version 12.1R1.9;
system {
host-name srxB-1;
time-zone America/Los_Angeles;
root-authentication {
encrypted-password "$1$KI99zGk6$MbYFuBbpLffu9tn2.sI7l1";
ssh-dsa "ssh-dss
AAAAB3NzaC1kc3MAAACBAMQrfP2bZyBXJ6PC7XXZ+MzErI8Jl6jah5L4/
O8BsfP2hC7EvRfNoX7MqbrtCX/9gUH9gChVuBCB+ERULMdgRvM5uGhC/
gs4UX+4dBbfBgKYYwgmisM8EoT25m7qI8ybpl2YZvHNznvO8h7kr4kpYuQEpKvgsTdH/
Jle4Uqnjv7DAAAAFQDZaqA6QAgbW3O/
zveaLCIDj6p0dwAAAIB1iL+krWrXiD8NPpY+w4dWXEqaV3bnobzPC4eyxQKBUCOr80Q5YBlWXVBHx9e
lwBWZwj0SF4hLKHznExnLerVsMuTMA846RbQmSz62vM6kGM13HFonWeQvWia0TDr78+rOEgWF2KHBSI
xL51lmIDW8Gql9hJfD/Dr/
NKP97w3L0wAAAIEAr3FkWU8XbYytQYEKxsIN9P1UQ1ERXB3G40YwqFO484SlyKyYCfaz+yNsaAJu2C8
UebDIR3GieyNcOAKf3inCG8jQwjLvZskuZwrvlsz/xtcxSoAh9axJcdUfSJYMW/
g+mD26JK1Cliw5rwp2nH9kUrJxeI7IReDp4egNkM4i15o= [email protected]";
}
login {
user lab {
uid 2000;
class super-user;
authentication {
encrypted-password "$1$84J5Maes$cni5Hrazbd/IEHr/50oY30";
}
}
}
services {
ssh;
telnet;
web-management {
http {
interface ge-0/0/0.0;
}
https {
interface all;
}
}
}
syslog {
file messages {
any critical;
authorization info;
}
interactive-commands any;
}
}
}
interfaces {
ge-0/0/0 {

unit 0 {
family inet {
address 10.210.35.133/26;
}
}
}
}
routing-options {
static {
route 10.210.0.0/16 next-hop 10.210.35.130;
}
}
Question: Does the rescue configuration match the

recently created active configuration?
Answer: Yes, the rescue configuration should match

the recently created active configuration.
Question: What CLI command could you issue to

compare the active and rescue configuration files?
Answer: Use the file compare files /

config/juniper.conf.gz /config/
rescue.conf.gz command to compare the
active and rescue configurations. As shown in the
following sample capture, the files do not contain
any differences:
lab@srxA-1> file compare files /config/juniper.conf.gz /config/rescue.conf.gz

Step 2.5
Return to configuration mode and delete the [edit system services]
hierarchy level. Activate the change.
[edit]
lab@srxA-1# delete system services
[edit]
lab@srxA-1# commit
commit complete
[edit]
lab@srxA-1#
Step 2.6
Verify that the [edit system services] hierarchy level is empty and then load
the rescue configuration.
[edit]
lab@srxA-1# show system services
[edit]
lab@srxA-1# rollback rescue
load complete
Step 2.7
Verify that the [edit system services] hierarchy level once again contains
the ssh, telnet, and web-management services.
[edit]
lab@srxA-1# show system services
ssh;
telnet;
web-management {
http {
interface ge-0/0/0.0;
}
https {
interface all;
}
}
Question: Did the rescue configuration successfully

load? Are the services enabled now? If not, why
not?
Answer: Yes, the rescue configuration loaded

successfully and restored the statements at the
[edit system services] hierarchy level.
However, the software did not enable the services.
Remember, to enable the rescue configuration, or
any other candidate configuration, you must
commit!
Step 2.8
Activate the rescue configuration and return to operational mode.
[edit]
commit complete
lab@srxA-1>
Step 2.9
Delete the rescue configuration and attempt to display the rescue.conf.gz file to
confirm the deletion.

lab@srxA-1> request system configuration rescue delete
lab@srxA-1> file show /config/rescue.conf.gz

error: could not resolve file: /config/rescue.conf.gz
Question: Did you successfully delete the rescue

configuration?
Answer: Yes, based on the results shown, the

deletion of the rescue configuration was successful.
Part 3: Configuring Interfaces and Verifying Operational State
In this lab part, you will perform interface configuration and verify the operational
state of interfaces using the Junos CLI.
Step 3.1
the /var/home/lab/ijos/ directory. Commit you configuration when complete.
[edit]
lab@srxA-1# load override ijos/lab2-part3-start.config
load complete
[edit]
lab@srxA-1# commit
commit complete
[edit]
lab@srxA-1#
Step 3.2
Refer to the network diagram for this lab and configure the listed interfaces. Use
logical unit 0 on all specified interfaces. Commit the configuration and return to
operational mode when complete.
[edit]
lab@srxA-1# edit interfaces
[edit interfaces]
lab@srxA-1# set ge-0/0/3 unit 0 family inet address address/30
[edit interfaces]

[edit interfaces]
[edit interfaces]
lab@srxA-1# set lo0 unit 0 family inet address address/32
[edit interfaces]
commit complete
lab@srxA-1>
Step 3.3
Issue the show interfaces terse CLI command to verify the state of the
configured interfaces.
lab@srxA-1> show interfaces terse
Interface Admin Link Proto Local Remote
ge-0/0/0 up up
ge-0/0/0.0 up up inet 10.210.14.131/27
...TRIMMED..
ge-0/0/1 up up
ge-0/0/1.0 up up inet 172.20.77.1/30
ge-0/0/2 up up
ge-0/0/2.0 up up inet 172.20.66.1/30
ge-0/0/3 up up
ge-0/0/3.0 up up inet 172.18.1.2/30
...TRIMMED..
lo0 up up
lo0.0 up up inet 192.168.1.1 --> 0/0
...TRIMMED..
Question: What are the Admin and Link states of

the recently configured interfaces?
Answer: All configured interfaces should show

Admin and Link states of up, as shown in the
sample capture.
Step 3.4
lab@srxA-1> exit
srxA-1 (ttyu0)
login:



Lab 3
Secondary System Configuration (Detailed)
Overview
This lab demonstrates typical secondary configuration tasks performed on devices
running the Junos operating system.
sample outputs from most commands.
• Define user accounts and authentication options.
• Set up and verify proper operation of system logging (syslog).
• Configure and monitor NTP.
• Enable and monitor the operation of SNMP.
• Configure and monitor the configuration archival feature.
www.juniper.net Secondary System Configuration (Detailed) • Lab 3–1

12.a.12.1R1.9
Part 1: Configuring User Authentication
In this lab part, your team will configure user accounts and related authentication
options.
Step 1.1


Step 1.2
Step 1.3
and load the reset configuration file using the load override /var/home/
lab/ijos/lab3-start.config command. After the configuration has been
loaded, commit the changes.
srxA-1 (ttyp0)
login: lab
Lab 3–2 • Secondary System Configuration (Detailed) www.juniper.net

Password:
--- JUNOS 12.1R1.9 built 2012-03-24 12:12:49 UTC

[edit]
load complete
[edit]
lab@srxA-1# commit
commit complete
[edit]
lab@srxA-1#
Step 1.4
Navigate to [edit system login] and define a custom login class named
juniper with the following permissions:
• view
• view-configuration
• reset
[edit]
lab@srxA-1# edit system login
[edit system login]

lab@srxA-1# set class juniper permissions [view view-configuration reset]
error: invalid value: ]
Note
There may be an error after entering the
command, but it should still be added to
the configuration. Use the show command
to verify this.
[edit system login]

lab@srxB-1# show
class juniper {
permissions [ reset view view-configuration ];
}
user lab {
uid 2000;
class super-user;
authentication {
encrypted-password "$1$84J5Maes$cni5Hrazbd/IEHr/50oY30"; ## SECRET-DATA
}
}

Step 1.5
Next, define two new user accounts using the information from the following table:
Username Class Plain-Text Password

walter juniper walter123
nancy read-only nancy123
[edit system login]

lab@srxA-1# set user walter class juniper
[edit system login]

lab@srxA-1# set user walter authentication plain-text-password
New password:
[edit system login]

lab@srxA-1# set user nancy class read-only
[edit system login]

lab@srxA-1# set user nancy authentication plain-text-password
New password:
Step 1.6
View the configuration under the [edit system login] hierarchy level. If you
are satisfied with the results, activate your new configuration by issuing the commit
command.
[edit system login]
lab@srxA-1# show
class juniper {
}
user lab {
uid 2000;
class super-user;
authentication {
encrypted-password "$1$mKkMA9pa$AUZPO2UJ9rWwOfp4Kb2/a1"; ## SECRET-DATA
}
}
user nancy {
class read-only;
authentication {
encrypted-password "$1$sg4t2qIv$E3E5PQftT//p1PiswUgfS/"; ## SECRET-DATA
}
}
user walter {
class juniper;
authentication {
encrypted-password "$1$BH89uJ/p$eNBGRpAVxSXzOhbxjjgi90"; ## SECRET-DATA
}
}

[edit system login]
lab@srxA-1# commit
commit complete
Note
The remainder of this lab part tests user
login options. To prevent yourself from
being locked out, keep the current console
session open!
Step 1.7
Open another terminal window and use Telnet to access your system’s management
IP address. If needed, refer to the management network diagram. Log in with the
username walter.
srxA-1 (ttyp0)
login: walter
Password:
--- JUNOS 12.1R1.9 built 2012-03-24 12:12:49 UTC

walter@srxA-1>
Step 1.8
Using the new terminal session, try to enter configuration mode.
walter@srxA-1> configure
^
unknown command.

Question: How does the CLI respond when you try to
enter configuration mode?
Answer: The CLI does not let user walter enter

configuration mode. It responds by stating that the
command is unknown.
Step 1.9
Enter a question mark (?) at the prompt to view the permitted operational mode
command options for the user walter.
walter@srxA-1> ?
file Perform file operations
help Provide help information
load
monitor Show real-time debugging information
op Invoke an operation script
quit Exit the management session
request Make system-level requests
restart Restart software process
save
set Set CLI properties, date/time, craft interface message
show Show system information
start Start shell
test Perform diagnostic debugging
Question: Why is the user walter unable to enter

configuration mode?
Answer: The custom login class defined for the user

walter does not give permission for entering
configuration mode.
Step 1.10
Verify that the user walter can view the configuration and other operational
outputs such as interface information.
walter@srxA-1> show configuration
## Last commit: 2012-04-18 12:14:08 PDT by lab
version 12.1R1.9;
system {
host-name srxA-1;
time-zone America/Los_Angeles;
root-authentication {
encrypted-password /* SECRET-DATA */; ## SECRET-DATA
ssh-dsa /* SECRET-DATA */;

}
login {
class juniper {
}
user lab {
uid 2000;
class super-user;
authentication {
}
}
user nancy {
uid 2001;
class read-only;
authentication {
}
}
user walter {
uid 2002;
class juniper;
authentication {
}
}
}
...TRIMMED...
walter@srxA-1> show interfaces

Interface index: 134, SNMP ifIndex: 508
Link flags : None
Current address: f8:c0:01:8f:8f:80, Hardware address: f8:c0:01:8f:8f:80
Last flapped : 2012-04-18 10:27:06 PDT (01:57:39 ago)
Input rate : 976 bps (2 pps)
Output rate : 1280 bps (1 pps)
Active alarms : None
Active defects : None
Interface transmit statistics: Disabled
Logical interface ge-0/0/0.0 (Index 70) (SNMP ifIndex 512)

Flags: SNMP-Traps 0x0 Encapsulation: ENET2
Input packets : 157
Output packets: 81
...TRIMMED...

Question: Can the user walter view the root
password within the configuration? Why?
Answer: No. The Junos OS hides certain

configuration elements that it determines to be
security risks and notates them with a
SECRET-DATA tag. In this case, the user walter
does not have the secret permission defined for
his login class. The secret permission is required
to view configuration elements with the
SECRET-DATA tag.
Step 1.11
Restart the routing process using the restart routing command. This
command restarts the routing protocol daemon (rpd), which can be useful when
troubleshooting routing problems.
walter@srxA-1> restart routing
Routing protocols process started, pid 9777
Question: Which permission allows the user

walter to perform this command?
Answer: The reset permission allows a user to

restart software processes and certain hardware
components. This permission will not, however,
allow the user to reboot the system.
Step 1.12
Log out from the user walter and initiate a new Telnet session to the management
interface for the user nancy. (Hint: Use the reconnect option on your terminal
client.) Attempt to restart the routing protocol process using the restart
routing command.
walter@srxA-1> exit
srxA-1 (ttyp0)
login: nancy
Password:
--- JUNOS 11.1R1.10 built 2011-03-16 08:20:26 UTC

nancy@srxA-1> restart
^
unknown command.

Question: Can nancy successfully issue the
restart command?
Answer: As shown in the output, the user nancy

cannot issue the operational mode restart
command.
Question: What is a quick way to view the top-level

operational mode commands available to nancy?
Answer: Use the question mark (?) to view available

commands anywhere within a command line.
Commands that are not permitted due to user
permissions do not display.
Question: Can the user nancy view the

configuration?
Answer: The user nancy can issue the command

show configuration, but the contents are
hidden. The following is a sample capture, taken
from the srxA-1 device:
nancy@srxA-1> show configuration

## Last commit: 2012-04-18 12:14:08 PDT by lab
version /* ACCESS-DENIED */;
system { /* ACCESS-DENIED */ };
interfaces { /* ACCESS-DENIED */ };
routing-options { /* ACCESS-DENIED */ };
Step 1.13
Attempt to clear interface statistics for the ge-0/0/0 interface using the clear
interfaces statistics ge-0/0/0 command.
nancy@srxA-1> clear
^
unknown command.

Question: Which permission option would allow the
user nancy to clear the interface statistics on the
ge-0/0/0 interface?
Answer: The clear permission option would allow

this behavior.
Step 1.14
Return to the original session opened to the lab user.
From the session opened to the lab user attempt to add the clear permission to
the default read-only login class. Issue the show command to view the system
login hierarchy.
[edit system login]
lab@srxA-1# set class read-only permissions clear
warning: 'read-only' is a predefined class name; changing to 'read-only-local'
[edit system login]

lab@srxA-1# show
class juniper {
}
class read-only-local {
permissions clear;
}
user lab {
uid 2000;
class super-user;
authentication {
encrypted-password "$1$mKkMA9pa$AUZPO2UJ9rWwOfp4Kb2/a1"; ## SECRET-DATA
}
}
user nancy {
uid 2003;
class read-only;
authentication {
encrypted-password "$1$sg4t2qIv$E3E5PQftT//p1PiswUgfS/"; ## SECRET-DATA
}
}
user walter {
uid 2004;
class juniper;
authentication {
encrypted-password "$1$BH89uJ/p$eNBGRpAVxSXzOhbxjjgi90"; ## SECRET-DATA
}
}

Question: What happened when you added the
clear permission to the read-only login class?
Answer: Because you cannot alter predefined login

classes, the Junos OS created a new login class
named read-only-local that is not associated
with any user.
Question: How can you add the clear permission

for the user nancy?
Answer: You must define a new custom login class

for this functionality.
Step 1.15
Navigate to the top of the configuration hierarchy and configure a RADIUS server for
use with user authentication. Refer to your management network diagram for the
server address. The RADIUS secret should be Juniper. Configure the
authentication order so that user login attempts use only local password
authentication if the RADIUS server is unreachable. Use commit to activate the
changes.
[edit system login]
lab@srxA-1# top
[edit]
lab@srxA-1# set system radius-server RADIUS server secret Juniper
[edit]
lab@srxA-1# set system authentication-order radius
[edit]
lab@srxA-1# commit
commit complete
[edit]
lab@srxA-1#

Question: Must you include password in the
authentication order to enable this behavior?
Answer: No. If an authentication method is

unavailable because of a network or server outage,
the software automatically consults the local
password database.
Step 1.16
Return to the secondary Telnet session opened to you student device
From the secondary Telnet session in which the user nancy is logged in, issue the
exit command to log out. Test the RADIUS server by reconnecting to the Telnet
session and try to log back in as nancy.
nancy@srxA-1> exit
srxA-1 (ttyp0)
login: nancy
Password:
Login incorrect
login:
Question: Were you able to log in as nancy?
Answer: No. In this case, the server defined is

actually reachable, and it is not configured with the
nancy username.
Step 1.17
In the previous lab step, the defined RADIUS server was reachable. Because you did
not define the username on the RADIUS server, the RADIUS server rejected the
authentication. Therefore, the software did not consult the local password database.
From the session opened to the lab user and change the IP address of the RADIUS
server to 10.1.1.1. You can use the rename command for this change. Do not forget
to issue commit to activate the change.
[edit]
lab@srxA-1# rename system radius-server RADIUS server to 10.1.1.1
[edit]
lab@srxA-1# commit
commit complete

Step 1.18
Return to the secondary Telnet session opened to you student device
From the secondary Telnet session, try to log in to the system with the nancy
username once again.
login: nancy
Password:
Local password:
--- JUNOS 12.1R1.9 built 2012-03-24 12:12:49 UTC

nancy@srxA-1>
Question: What was different about the login

behavior in this step as compared to the last step
with respect to a reachable RADIUS server?
Answer: After entering the password, a short delay

occurs while the system tries to consult the RADIUS
server, and the user receives an option to enter a
local password. After entering the user’s password,
the system logs the user in.
Step 1.19
From the session opened to the lab user and delete the
authentication-order statement. When complete commit your config and
return to operational mode.
[edit]
lab@srxA-1# delete system authentication-order
[edit]
commit complete
lab@srxA-1>
Part 2: Performing System Management Options
In this lab part, you will perform configuration of some common system
management features. You will configure and monitor syslog, NTP, SNMP, and
configuration archival.
Step 2.1
the/var/home/lab/ijos/ directory. Commit your configuration when complete.
[edit]
load complete
[edit]
lab@srxA-1# commit
commit complete
[edit]
lab@srxA-1#
Step 2.2
Use the show system syslog command to view the current syslog
configuration.
[edit]
lab@srxA-1# show system syslog
file messages {
any critical;
authorization info;
}
interactive-commands any;
}
Question: What facilities and severity levels

currently log to the messages log file?
Answer: In the sample output, the messages file

shows the any and authorization facilities
using the critical and info severities,
respectively. The actual settings might vary between
Junos devices and software versions.
Question: What is the purpose of specifying a

facility of any?
Answer: This option logs all facility levels.

Step 2.3
Navigate to the [edit system syslog] hierarchy and configure a new syslog
file named config-changes. Specify a facility of change-log and a severity of
info. Also, set the severity level for the default messages file to any.
[edit]
lab@srxA-1# edit system syslog
[edit system syslog]

lab@srxA-1# set file config-changes change-log info

lab@srxA-1# set file messages any any

lab@srxA-1#
Step 2.4
Configure your system to send logs to a remote server running the standard syslog
utility. Refer to your management network diagram for the server address. (Hint: Use
the host option.) Choose the correct facility that logs access attempts on the
system. (Hint: The current messages log file is already using this facility.) Use a
severity level of info. Commit your changes when complete.
lab@srxA-1# set host server address authorization info

lab@srxA-1# commit
commit complete
Step 2.5
Using the run file list /var/log/ command, verify the creation of a log file
named config-changes.
lab@srxA-1# run file list /var/log/
/var/log/:
authd_profilelib
authd_sdb.log
autod
chassisd
config-changes
cosd
dcd
dfwc
dfwd
eccd
gres-tp
httpd.log
httpd.log.old
idpd.addver
interactive-commands
inventory

jsrpd
jsrpd_chk_only
kmd
license
mastership
messages
nsd_chk_only
pf
pfed_trace.log
pgmd
rtlogd
sampled
sdxd
utmd-av
Note
The files stored in the /var/log/
directory might vary between each system.
Question: What other log files from your system’s

configuration does this directory store?
Answer: Although the files in the /var/log/

directory might vary on each system, the
messages and interactive-commands log
files should be present on all systems.
Step 2.6
Configure the system to synchronize its clock with an NTP server. Refer to the
management network diagram for the server’s IP address.
lab@srxA-1# top
[edit]
lab@srxA-1# set system ntp server server address
Step 2.7
Use the same server IP address used in the previous step and configure an NTP
boot server. Commit the configuration and return to operational mode when
complete.
[edit]
lab@srxA-1# set system ntp boot-server server address
[edit]
commit complete

lab@srxA-1>
Step 2.8
View the config-changes log and verify the logging of the latest configuration
changes.
lab@srxA-1> show log config-changes
Apr 22 18:58:08 srxA-1 mgd[2552]: UI_CFG_AUDIT_OTHER: User 'lab' set: [system
ntp]
Apr 22 18:58:08 srxA-1 mgd[2552]: UI_CFG_AUDIT_OTHER: User 'lab' set: [system
ntp server 10.210.14.130]
Apr 22 18:58:16 srxA-1 mgd[2552]: UI_CFG_AUDIT_SET: User 'lab' set: [system ntp
boot-server] <unconfigured> -> "10.210.14.130"
Step 2.9
Manually force synchronization with the NTP server by issuing the set date ntp
operational mode command.
lab@srxA-1> set date ntp
22 Apr 19:04:24 ntpdate[3080]: step time server 10.210.14.130 offset -0.000025
sec
Step 2.10
Verify synchronization with the NTP server by using the show ntp
associations command. The system is synchronized with the NTP server if you
see the server address in the remote column with an asterisk (*) next to it. Check
the current system time using the show system uptime command.
Note
It might take a few minutes for the system’s

time to synchronize with the NTP server.
lab@srxA-1> show ntp associations

remote refid st t when poll reach delay offset jitter
==============================================================================
*10.210.14.130 10.210.0.72 4 - 14 64 1 1.073 0.113 1.178
lab@srxA-1> show system uptime

Current time: 2012-04-19 09:23:35 PDT
System booted: 2012-04-18 10:24:42 PDT (22:58:53 ago)
Protocols started: 2012-04-18 12:27:26 PDT (20:56:09 ago)
Last configured: 2012-04-19 09:20:11 PDT (00:03:24 ago) by lab
9:23AM up 22:59, 2 users, load averages: 0.15, 0.07, 0.02

Question: What does the asterisk (*) next to the
NTP server address signify?
Answer: The asterisk (*) represents the peer

chosen for synchronization as well as a
synchronized state with that peer. When you define
multiple NTP peers, the system selects only a single
NTP peer.
Step 2.11
Return to configuration mode and configure the system to allow SNMP access using
a community value of junos. The system should allow processing of SNMP
messages only when it receives them from the NMS server’s IP address. Refer to the
[edit]
lab@srxA-1# set snmp community junos clients server address
[edit]
lab@srxA-1#
Step 2.12
Configure an SNMP trap group to send traps to the NMS server. The SNMP trap
group should send traps whenever an interface transitions to a down state. Name
the trap group interfaces.
[edit]
lab@srxA-1# set snmp trap-group interfaces targets server address
[edit]
lab@srxA-1# set snmp trap-group interfaces categories link
Question: What trap category do you enable to

receive traps for an over-temperature condition?
Answer: You enable the chassis category to send

traps for an over-temperature condition.
Note
In subsequent steps you will disable the
management interface. Ensure that the
terminal session to your system uses the
console connection.

Step 2.13
To test your SNMP configuration, temporarily disable the ge-0/0/0 interface using
the set interfaces ge-0/0/0 disable command. Commit the new setting
and verify that the interface is down using the run show interfaces ge-0/
0/0 terse command. Next, re-enable the interface by issuing the delete
interfaces ge-0/0/0 disable command. Commit the change and return to
[edit]
lab@srxA-1# set interfaces ge-0/0/0 disable
[edit]
lab@srxA-1# commit
commit complete
[edit]
lab@srxA-1# run show interfaces ge-0/0/0 terse
ge-0/0/0 down down
ge-0/0/0.0 up down inet 10.210.14.131/27
[edit]
lab@srxA-1# delete interfaces ge-0/0/0 disable
[edit]
commit complete
lab@srxA-1>
Step 2.14
Verify that the interface transition resulted in the sending of a trap by viewing the
messages log. Use the pipe symbol (|) and match on the ge-0/0/0 interface and
the keyword snmp to parse the messages log output. Next, issue the show snmp
statistics command and confirm that the Traps value in the Output section
is not zero.
lab@srxA-1> show log messages | match ge-0/0/0 | match snmp
Apr 19 11:05:22 srxB-1 mib2d[1223]: SNMP_TRAP_LINK_DOWN: ifIndex 508,
ifAdminStatus down(2), ifOperStatus down(2), ifName ge-0/0/0
Apr 19 11:06:14 srxB-1 mib2d[1223]: SNMP_TRAP_LINK_UP: ifIndex 508,
ifAdminStatus up(1), ifOperStatus up(1), ifName ge-0/0/0
Apr 19 11:06:14 srxB-1 mib2d[1223]: SNMP_TRAP_LINK_UP: ifIndex 512,
ifAdminStatus up(1), ifOperStatus up(1), ifName ge-0/0/0.0
Apr 19 11:13:28 srxB-1 mgd[1291]: UI_CMDLINE_READ_LINE: User 'lab', command
'show log messages | match ge-0/0/0 | match snmp '
lab@srxA-1> show snmp statistics

SNMP statistics:
Input:
Packets: 0, Bad versions: 0, Bad community names: 0,
Bad community uses: 0, ASN parse errors: 0,
Too bigs: 0, No such names: 0, Bad values: 0,

Read onlys: 0, General errors: 0,
Total request varbinds: 0, Total set varbinds: 0,
Get requests: 0, Get nexts: 0, Set requests: 0,
Get responses: 0, Traps: 0,
Silent drops: 0, Proxy drops: 0, Commit pending drops: 0,
Throttle drops: 0, Duplicate request drops: 0
V3 Input:
Unknown security models: 0, Invalid messages: 0
Unknown pdu handlers: 0, Unavailable contexts: 0
Unknown contexts: 0, Unsupported security levels: 0
Not in time windows: 0, Unknown user names: 0
Unknown engine ids: 0, Wrong digests: 0, Decryption errors: 0
Output:
Packets: 6, Too bigs: 0, No such names: 0,
Bad values: 0, General errors: 0,
Get requests: 0, Get nexts: 0, Set requests: 0,
Get responses: 0, Traps: 6
Question: Does the messages log show trap

entries associated with the interface status
change?
Answer: Yes, you should see log entries for the

status change for both the physical and the logical
interfaces.
Question: Does the show snmp statistics

command list a non-zero value for outgoing traps?
Answer: Yes, you should see a non-zero value for the

output traps counter. In the sample output, you can
see a value of 6. Your counter’s value might vary.
Step 2.15
Perform an SNMP MIB walk with the Junos CLI using the show snmp mib walk
jnxOperatingDescr command. Note that the resolved object identifier (OID) of
jnxOperatingDescr is case sensitive. The OID is variable; we are simply using
this OID as an example.
lab@srxA-1> show snmp mib walk jnxOperatingDescr
jnxOperatingDescr.1.1.0.0 = midplane
jnxOperatingDescr.2.1.0.0 = PEM 0
jnxOperatingDescr.4.1.0.0 = SRX240 PowerSupply fan 1
jnxOperatingDescr.4.2.0.0 = SRX240 PowerSupply fan 2
jnxOperatingDescr.4.3.0.0 = SRX240 CPU fan 1
jnxOperatingDescr.4.4.0.0 = SRX240 CPU fan 2
jnxOperatingDescr.4.5.0.0 = SRX240 IO fan 1

jnxOperatingDescr.4.6.0.0 = SRX240 IO fan 2
jnxOperatingDescr.7.1.0.0 = FPC: FPC @ 0/*/*
jnxOperatingDescr.7.2.0.0 = FPC: FPC @ 1/*/*
jnxOperatingDescr.8.1.1.0 = PIC: 16x GE Base PIC @ 0/0/*
jnxOperatingDescr.8.2.1.0 = PIC: 1x Serial mPIM @ 1/0/*
jnxOperatingDescr.9.1.0.0 = Routing Engine
jnxOperatingDescr.9.1.1.0 = USB Hub
Note
The Junos OS accepts both the

dotted-decimal notation and alpha-numeric
notation of SNMP MIB OIDs. The previous
example polls the Juniper Networks
Chassis MIB for a mapping of component
OIDs. This tool is helpful for deciphering
what component might be initiating an
SNMP trap when your NMS station reports
the OID in only a dotted-decimal notation.
You do not need to configure SNMP to
perform SNMP polling from within the
Junos OS.
Question: What OID associates with the Routing

Engine (RE) for your system?
Answer: The RE associates with the 9.1.0.0 OID

leaf. This leaf is merely one leaf in the MIB tree and
does not represent the full OID string.
Step 2.16
Enter configuration mode and configure your system to archive its configuration to a
remote FTP server whenever a commit operation occurs. You should configure the
archive-sites as “ftp://ftp@server address:/archive” including
the quotation marks. Refer to the management network diagram for the server’s IP
address. You should configure the password as ftp. You perform this configuration
under the [edit system archival configuration] hierarchy level.
Commit your configuration and return to operational mode when complete.
[edit]
lab@srxA-1# edit system archival configuration
[edit system archival configuration]

lab@srxA-1# set archive-sites "ftp://ftp@server address/archive" password ftp

lab@srxA-1# set transfer-on-commit


commit complete
lab@srxA-1>
Step 2.17
Verify that the configuration successfully transferred to the remote FTP server by
using the show log messages | match transfer command.
lab@srxA-1> show log messages | match transfer
Apr 19 13:01:46 srxB-1 mgd[1291]: UI_CFG_AUDIT_SET: User 'lab' set: [system
archival configuration] <unconfigured> -> "transfer-on-commit"
'set transfer-on-commit '
Apr 19 13:02:43 srxB-1 logger: transfer-file: Transferred /var/transfer/
config/srxB-1_juniper.conf.gz_20120419_200200
'show log messages | match transfer '
Note
Even when using the

transfer-on-commit option with
configuration archival, the transfer is
cyclical and uses a short time interval. If
you do not see the transfer in your log, wait
a minute or two and look again.
Question: What do the numbers at the end of the

transferred filename represent?
Answer: The configuration file contains the current

date and UTC time according to the system clock.
Step 2.18
lab@srxA-1> exit
srxA-1 (ttyu0)
login:

Lab 4
Operational Monitoring and Maintenance (Detailed)
Overview
This lab covers common operational monitoring and platform maintenance activities. In
this lab, you monitor system, chassis, and interface operation, use network utilities, and
perform system maintenance tasks.
sample output from most commands.
• Monitor chassis, system, and interface operation.
• Use network utilities.
• Upgrade a device running the Junos operating system and recover the root
password.
www.juniper.net Operational Monitoring and Maintenance (Detailed) • Lab 4–1

12.a.12.1R1.9
Part 1: Monitoring System and Chassis Operation
In this lab part, each team will use key commands within the CLI to monitor system
and chassis operation.
Step 1.1


Step 1.2
Step 1.3
loaded, commit the changes and return to operational mode.
srxA-1 (ttyp0)
login: lab
Password:
Lab 4–2 • Operational Monitoring and Maintenance (Detailed) www.juniper.net

--- JUNOS 12.1R1.9 built 2012-03-24 12:12:49 UTC

[edit]
load complete
[edit]
commit complete
lab@srxA-1>
Step 1.4
Issue the show system processes extensive command to check the status
of the routing protocol daemon (rpd). Alternatively, issue the show system
processes extensive | match "pid | rpd" command to parse the
output. The use of two pipes (|) in this command allows you to make multiple
matches. In this case it matches rpd for the routing protocol process as well as PID
to view the column headers.
lab@srxA-1> show system processes extensive
last pid: 5976; load averages: 0.08, 0.14, 0.07 up 1+21:08:16 07:32:28
124 processes: 18 running, 95 sleeping, 11 waiting
Mem: 143M Active, 98M Inact, 535M Wired, 159M Cache, 112M Buf, 34M Free
Swap:
PID USERNAME THR PRI NICE SIZE RES STATE C TIME WCPU COMMAND
1234 root 7 76 0 511M 61524K select 0 140.4H 282.62%
flowd_octeon_hm
22 root 1 171 52 0K 16K RUN 0 39.0H 87.94% idle: cpu0
23 root 1 -20 -139 0K 16K RUN 0 16:54 0.00% swi7: clock
1256 root 1 76 0 10896K 4104K select 0 5:14 0.00% license-check
5 root 1 -16 0 0K 16K rtfifo 0 5:12 0.00% rtfifo_kern_recv
1223 root 1 76 0 26180K 9224K select 0 4:03 0.00% mib2d
1225 root 1 76 0 18768K 7252K select 0 3:41 0.00% l2ald
1244 root 1 76 0 15588K 3464K select 0 2:48 0.00% shm-rtsdbd
1218 root 1 76 0 113M 16796K select 0 1:49 0.00% chassisd
19 root 1 171 52 0K 16K RUN 3 1:44 0.00% idle: cpu3
1227 root 2 76 0 22948K 7616K select 0 1:40 0.00% pfed
1222 root 1 76 0 18932K 11360K select 0 1:33 0.00% snmpd
1252 root 1 76 0 16684K 7916K select 0 1:28 0.00% utmd
50 root 1 -16 0 0K 16K psleep 0 1:14 0.00% vmkmemdaemon
25 root 1 -40 -159 0K 16K WAIT 0 1:13 0.00% swi2: netisr 0
1215 root 1 76 0 3288K 1376K select 0 1:10 0.00% bslockd
1219 root 1 76 0 11132K 3324K select 0 1:10 0.00% alarmd
1685 root 1 4 0 49392K 22156K kqread 0 0:40 0.00% rpd
...TRIMMED...

lab@srxA-1> show system processes extensive | match "pid | rpd"
PID USERNAME THR PRI NICE SIZE RES STATE C TIME WCPU COMMAND
1685 root 1 4 0 49392K 22156K kqread 0 0:40 0.00% rpd
Question: What is the weighted CPU usage of rpd?
Answer: The answer can vary. In the sample output

taken from srxA-1, the weighted CPU usage is 0%.
The weighted CPU column represents the CPU
usage over a period of time.
Step 1.5
Issue the show system statistics command to view protocol statistics
related to your team’s device.
lab@srxA-1> show system statistics
tcp:
466 packets sent
340 data packets (16474 bytes)
0 data packets (0 bytes) retransmitted
0 resends initiated by MTU discovery
116 ack-only packets (91 delayed)
0 URG only packets
2 window probe packets
0 window update packets
10 control packets
...TRIMMED...
Question: How many TCP packets did your assigned

device send since the last clearing of the system
statistics?
Answer: The answer can vary. In the previous

example taken from srxA-1, the device sent 466
TCP packets.
Step 1.6
Issue the show system storage command to view information regarding the
device storage space.
lab@srxA-1> show system storage
Filesystem Size Used Avail Capacity Mounted on
/dev/da0s1a 898M 497M 330M 60% /
devfs 1.0K 1.0K 0B 100% /dev
devfs 1.0K 1.0K 0B 100% /dev/
/dev/md0 477M 477M 0B 100% /junos
/cf 898M 497M 330M 60% /junos/cf
devfs 1.0K 1.0K 0B 100% /junos/dev/

procfs 4.0K 4.0K 0B 100% /proc
/dev/bo0s1e 24M 22K 22M 0% /config
/dev/md1 168M 13M 142M 8% /mfs
/dev/da0s1f 61M 624K 55M 1% /cf/var/log
/cf/var/jail 898M 497M 330M 60% /jail/var
devfs 1.0K 1.0K 0B 100% /jail/dev
/dev/md2 39M 4.0K 36M 0% /mfs/var/run/utm
Question: How much free space is available on your

device?
Answer: The answer can vary. In the sample output

taken from srxA-1, 330 Megabytes are available.
Step 1.7
Issue the show system uptime command to view the current system time.
lab@srxA-1> show system uptime
Current time: 2012-04-20 08:01:50 PDT
System booted: 2012-04-18 10:24:42 PDT (1d 21:37 ago)
Protocols started: 2012-04-18 12:27:26 PDT (1d 19:34 ago)
Last configured: 2012-04-20 07:52:13 PDT (00:09:37 ago) by lab
8:01AM up 1 day, 21:37, 2 users, load averages: 0.07, 0.05, 0.03
Question: When was your team’s device last

booted?
Answer: The answer will vary. In the example taken

from srxA-1, you can see that the system booted
close to two days ago.
Step 1.8
Open another terminal window and use Telnet to access your system’s management
IP address. If needed, refer to the management network diagram. Log in with the
username walter and the password walter123.

srxA-1 (ttyp0)
login: walter
Password:
--- JUNOS 12.1R1.9 built 2012-03-24 12:12:49 UTC

walter@srxA-1>
Step 1.9
Return to the original session opened to your device.
Return to the original session logged in as lab and issue the show system users
command to view information about users logged in to your team’s device.
12:41PM up 46 mins, 2 users, load averages: 0.03, 0.08, 0.12
lab u0 - 2:33PM - -cli (cli)
walter p0 10.210.14.129 3:07PM 1 -cli (cli)
Question: What is the source IP address of the

Telnet session established by the user walter?
Answer: The answer will vary. In the following

example taken from srxA-1, the source IP address
of the telnet session established by the user
walter is 10.210.14.129.
Step 1.10
Issue the request system logout user walter command to force a log
out for the user walter. Next, issue the show system users command to verify
that the user session for walter was terminated.
lab@srxA-1> request system logout user walter
logout-user: done

12:46PM up 51 mins, 1 user, load averages: 0.06, 0.12, 0.12
lab u0 - 12:29PM - -cli (cli)
Question: Was the user Telnet session for walter

properly closed?
Answer: As shown in the sample output, the Telnet

session for the user walter should now be closed.

Step 1.11
Check the environmental status of your team’s device by issuing the show
chassis environment command.
lab@srxA-1> show chassis environment
Class Item Status Measurement
Temp Routing Engine OK 37 degrees C / 98 degrees F
Routing Engine CPU OK 36 degrees C / 96 degrees F
Fans SRX240 PowerSupply fan 1 OK Spinning at high speed
SRX240 PowerSupply fan 2 OK Spinning at high speed
SRX240 CPU fan 1 OK Spinning at high speed
SRX240 CPU fan 2 OK Spinning at high speed
SRX240 IO fan 1 OK Spinning at high speed
SRX240 IO fan 2 OK Spinning at high speed
Power Power Supply 0 OK
Question: What is the temperature and status of the

Routing Engine (RE)?
Answer: Your details might vary. The sample capture

shows a temperature of 37 degrees Celsius and a
status of OK.
Question: Name another show chassis

command that displays the RE temperature. (Hint:
Use the ?.)
Answer: As the following capture shows, the show

chassis routing-engine command displays
the RE temperature as well as other RE-specific
details.
lab@srxA-1> show chassis routing-engine

Routing Engine status:
Temperature 37 degrees C / 98 degrees F
CPU temperature 36 degrees C / 96 degrees F
Total memory 1024 MB Max 635 MB used ( 62 percent)
Control plane memory 560 MB Max 330 MB used ( 59 percent)
Data plane memory 464 MB Max 306 MB used ( 66 percent)
CPU utilization:
User 5 percent
Background 0 percent
Kernel 4 percent
Interrupt 0 percent
Idle 92 percent
Model RE-SRX240H-POE
Serial ID AAAD8406
Start time 2010-10-20 11:56:01 PDT
Uptime 58 minutes, 49 seconds
Last reboot reason 0x200:chassis control reset

Load averages: 1 minute 5 minute 15 minute
0.11 0.11 0.11
Step 1.12
Issue the show chassis temperature-thresholds command.
lab@srxA-1> show chassis temperature-thresholds
Fan speed Yellow alarm Red alarm Fire
(degrees C) (degrees C) (degrees C) (degrees C)
Item Normal High Normal Bad fan Normal Bad fan
Normal
Chassis default 35 45 50 40 75 65 100
Routing Engine 35 45 50 40 75 65 100
Question: At what temperature is a red alarm

generated for the RE?
Answer: Assuming the fans are operational, the

system raises a red alarm when the RE reaches 75
degrees Celsius. These threshold values can vary
between different Junos devices.
Step 1.13
View details about your system’s hardware components using the show chassis
hardware command.
lab@srxA-1> show chassis hardware
Hardware inventory:
Item Version Part number Serial number Description
Chassis AH2909AA0041 SRX240-poe
Routing Engine REV 31 750-021794 AAAK4071 RE-SRX240-POE
FPC 0 FPC
PIC 0 16x GE Base PIC
Power Supply 0
Question: What is the chassis serial number for your

team’s device?
Answer: The answer will vary depending on your

assigned device. In the example, the chassis serial
number is AH2909AA0041.
Step 1.14
Issue the show interface terse command to quickly verify the administrative
and link state for your device’s interfaces.
lab@srxA-1> show interfaces terse
ge-0/0/0 up up
ge-0/0/0.0 up up inet 10.210.14.131/27

gr-0/0/0 up up
ip-0/0/0 up up
ls-0/0/0 up up
lt-0/0/0 up up
mt-0/0/0 up up
pd-0/0/0 up up
pe-0/0/0 up up
ge-0/0/1 up up
ge-0/0/1.0 up up inet 172.20.77.1/30
ge-0/0/2 up up
ge-0/0/2.0 up up inet 172.20.66.1/30
ge-0/0/3 up up
ge-0/0/3.0 up up inet 172.18.1.2/30
ge-0/0/4 up up
ge-0/0/5 up down
ge-0/0/6 up down
ge-0/0/7 up down
ge-0/0/8 up down
ge-0/0/9 up down
ge-0/0/10 up down
ge-0/0/11 up down
ge-0/0/12 up down
ge-0/0/13 up down
ge-0/0/14 up down
ge-0/0/15 up down
gre up up
ipip up up
lo0 up up
lo0.0 up up inet 192.168.1.1 --> 0/0
lo0.16384 up up inet 127.0.0.1 --> 0/0
lo0.16385 up up inet 10.0.0.1 --> 0/0
10.0.0.16 --> 0/0
128.0.0.1 --> 0/0
128.0.1.16 --> 0/0
inet6 fe80::226:88ff:fe02:6700
lo0.32768 up up
lsi up up
mtun up up
pimd up up
pime up up
pp0 up up
st0 up up
tap up up
vlan up up
Question: What are the Admin and Link states for

all configured interfaces?
Answer: All configured interfaces should show

Admin and Link states of up. If your output shows
otherwise, please contact your instructor.

Step 1.15
Issue the show interfaces ge-0/0/0 extensive command and answer
the questions that follow:
lab@srxA-1> show interfaces ge-0/0/0 extensive
Interface index: 131, SNMP ifIndex: 117, Generation: 134
Link flags : None
Hold-times : Up 0 ms, Down 0 ms
Current address: 00:26:88:02:67:00, Hardware address: 00:26:88:02:67:00
Last flapped : 2012-04-19 11:06:14 PDT (21:34:34 ago)
Statistics last cleared: Never
Traffic statistics:
Input errors:
Errors: 0, Drops: 0, Framing errors: 0, Runts: 0, Policed discards: 0,
L3 incompletes: 0, L2 channel errors: 0, L2 mismatch timeouts: 0,
FIFO errors: 0, Resource errors: 0
...TRIMMED...
Logical interface ge-0/0/0.0 (Index 67) (SNMP ifIndex 118) (Generation 132)
Flags: SNMP-Traps Encapsulation: ENET2
...TRIMMED...
Question: What is the SNMP ifIndex for

ge-0/0/0? What about for ge-0/0/0.0?
Answer: The SNMP ifIndex values vary between

student devices. In the example, the SNMP
ifIndex for ge-0/0/0 and ge-0/0/0.0 are 117
and 118, respectively.
Question: What is the current hardware address for

the ge-0/0/0 interface?
Answer: The current hardware address for the

ge-0/0/0 interface varies between student devices.
In the example, the current hardware address is
00:26:88:02:67:00.

Question: Does the ge-0/0/0 interface show any
input errors?
Answer: Although it is possible that input errors

exist, the answer to this question should typically be
no.
Question: Does the ge-0/0/0 interface show input

and output traffic statistics? How are those
statistics counted?
Answer: The interface should show input and output

traffic statistics. The system counts traffic statistics
as both bytes and packets as shown in the sample
capture.
Step 1.16
Issue the clear interfaces statistics ge-0/0/0 command followed by
the show interfaces ge-0/0/0 extensive | find "traffic"
command.
lab@srxA-1> clear interfaces statistics ge-0/0/0
lab@srxA-1> show interfaces ge-0/0/0 extensive | find "traffic"

Traffic statistics:
...TRIMMED...
Question: Were the statistics for the ge-0/0/0

interface successfully cleared?
Answer: Although your statistics might not show all

zeros, as the sample capture does, the interface
statistics should clear.

Part 2: Using Network Utilities and Monitoring Traffic
In this lab part, each team will use network utilities within the CLI and monitor local
system traffic.
Step 2.1
the/var/home/lab/ijos/ directory. Commit your configuration and return to
[edit]
load complete
[edit]
commit complete
lab@srxA-1>
Step 2.2
Start a continuous ping to the server with a data size of 500 bytes. Refer to the
Note
If you are not receiving Internet Control
Message Protocol (ICMP) echo replies from
the server, notify your instructor.
lab@srxA-1> ping server address size 500

PING 10.210.14.130 (10.210.14.130): 500 data bytes
508 bytes from 10.210.14.130: icmp_seq=0 ttl=64 time=3.649 ms
...TRIMMED...

Question: Which command option do you use to
make the ping continuous?
Answer: As shown in the sample output, you do not

need an extra command option to make the ping
continuous. Echo requests send continuously by
default. You can use the count option to send a
defined amount of packets.
Note
You can stop the ping operation by using
the Ctrl+c keystroke combination. You
should, however, let the ping operation
continue at this time for the subsequent
monitoring step.
Step 2.3
Open a new terminal session to your team’s device. Use Telnet to access your
system’s management IP address. If needed, refer to the management network
diagram. Log in with the lab user account and the password provided by the
instructor. You will use this separate terminal session to monitor ping traffic
generation.
srxA-1 (ttyp0)
login: lab
Password:
--- JUNOS 12.1R1.9 built 2012-03-24 12:12:49 UTC

lab@srxA-1>

Step 2.4
Use the monitor traffic interface ge-0/0/0 command to begin
monitoring the ge-0/0/0 management interface.
Note
You can stop the monitoring operation by
using the Ctrl+c keystroke combination.
You can also increase the capture size
using the size option to avoid truncated
packets.
lab@srxA-1> monitor traffic interface ge-0/0/0

verbose output suppressed, use <detail> or <extensive> for full protocol decode
Address resolution is ON. Use <no-resolve> to avoid any reverse lookup delay.
Address resolution timeout is 4s.
Listening on ge-0/0/0, capture size 96 bytes
Reverse lookup for 10.210.14.129 failed (check DNS reachability).

Other reverse lookup failures will not be reported.
Use <no-resolve> to avoid reverse lookups on IP addresses.
08:53:59.796502 In IP 10.210.14.129.35817 > 10.210.14.131.telnet: . ack 9055411

17 win 64422
08:53:59.796709 Out IP truncated-ip - 225 bytes missing! 10.210.14.131.telnet >
10.210.14.129.35817: P 1:246(245) ack 0 win 65535
08:54:00.005781 In IP 10.210.14.129.35817 > 10.210.14.131.telnet: . ack 246 win
64177
08:54:00.544439 Out IP truncated-ip - 24 bytes missing! 10.210.14.131 > 10.210.1
4.130: ICMP echo request, id 960, seq 148, length 64
08:54:00.546050 In IP 10.210.14.130 > 10.210.14.131: ICMP echo reply, id 960, s
eq 148, length 64
10.210.14.129.35817: P 246:428(182) ack 0 win 65535
63995
10.210.14.129.35817: P 428:974(546) ack 0 win 65535
64512
...TRIMMED...
Question: Does the capture display ICMP traffic?
Answer: Yes, you should see ICMP echoes and

replies from your ping operation, amongst other
traffic.

Question: How can you filter the output to show only
the ICMP traffic?
Answer: Use the matching option to filter by

header information in the output:
lab@srxA-1> monitor traffic interface ge-0/0/0 matching icmp



eq 1809, length 64
eq 1810, length 64
eq 1811, length 64
^C
18 packets received by filter
0 packets dropped by kernel
lab@srxA-1>
Question: What command option allows you to view

source and destination MAC addresses for the
captured packets?
Answer: Include the layer2-headers option to

view Layer 2 header information, including the
source and destination MAC addresses as shown:
lab@srxA-1> monitor traffic interface ge-0/0/0 matching icmp layer2-headers



09:24:05.438848 Out 0:24:dc:16:ab:80 > 0:e:c:bc:42:1b, ethertype IPv4 (0x0800),

length 74: truncated-ip - 24 bytes missing! 10.210.14.131 > 10.210.14.130: ICMP
echo request, id 960, seq 1932, length 64
09:24:05.440446 In PFE proto 2 (ipv4): 10.210.14.130 > 10.210.14.131: ICMP echo
reply, id 960, seq 1932, length 64
^C
lab@srxA-1>
Note
The monitor traffic command
captures only packets that are local to the
device. It does not capture transit packets.
Step 2.5
In preparation for the next lab part, stop the monitor operation using the Ctrl+c
keystroke combination, and close the extra terminal session that you opened.
...TRIMMED...
^C
lab@srxA-1>
Step 2.6
Return to the original session opened to your device.
From the original session opened to your device, issue the Ctrl+c keystroke
combination to stop the continuous ping.
...TRIMMED...
^C
--- 10.210.14.130 ping statistics ---
651 packets transmitted, 651 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.949/1.388/11.951/0.736 ms
lab@srxA-1>
Part 3: Upgrading the Junos OS
In this lab part, you will retrieve a Junos OS package from a remote server and
upgrade your assigned device. Note that to keep the software consistent, you
upgrade the device to the same version of the Junos OS that it is currently running.
Step 3.1
the/var/home/lab/ijos/ directory. Commit your configuration and return to
[edit]
load complete
[edit]
commit complete
lab@srxA-1>
Step 3.2
Use the file copy command in conjunction with FTP to retrieve the install image
named junos-srxsme-12.1R1.9-domestic.tgz from the server. Refer to
the management network diagram for the server’s IP address. Use the username
ftp and a password of ftp. Save the image to the /var/tmp directory on the
local device.
lab@srxA-1> file copy ftp://ftp:ftp@server address/
junos-srxsme-12.1R1.9-domestic.tgz /var/tmp/
/var/home/lab/...transferring.file.........U4R100% of 200 MB 2946 kBps 00m00s

Question: Did the image successfully transfer from
the server to the /var/tmp directory on your
device?
Answer: The image should successfully transfer. If

not, check with your instructor for assistance.
Note
If there is not enough room in the
/var/tmp directory to accommodate the
software package, notify your instructor.
Step 3.3
Verify that the software package transferred correctly to the local /var/tmp
directory by using the file list /var/tmp | match junos command.
lab@srxA-1> file list /var/tmp/ | match junos
junos-srxsme-12.1R1.9-domestic.tgz
Question: Which file list command option

allows you to view the file size of the software
package stored in the /var/tmp directory?
Answer: Use the detail command option to show

the file size of the local software package:
lab@srxA-1> file list detail /var/tmp/ | match junos

-rw-r--r-- 1 lab wheel 159209811 Apr 11 06:07
junos-srxsme-12.1R1.9-domestic.tgz
Step 3.4
Issue the request system software add /var/tmp/
junos-srxsme-12.1R1.9-domestic.tgz command to upgrade your assigned
device. Use the reboot option to automatically perform a system reboot, which is a
requirement of the upgrade process. Use the console terminal session to monitor
the upgrade process.
lab@srxA-1> request system software add /var/tmp/
junos-srxsme-12.1R1.9-domestic.tgz reboot
NOTICE: Validating configuration against junos-srxsme-12.1R1.9-domestic.tgz.
NOTICE: Use the 'no-validate' option to skip this if desired.
Formatting alternate root (/dev/da0s1a)...
/dev/da0s1a: 296.9MB (607996 sectors) block size 16384, fragment size 2048
using 4 cylinder groups of 74.22MB, 4750 blks, 9600 inodes.
super-block backups (for fsck -b #) at:
32, 152032, 304032, 456032
Extracting /var/tmp/junos-srxsme-12.1R1.9-domestic.tgz ...
saving package file in /var/sw/pkg ...
Checking compatibility with configuration
Initializing...
Verified manifest signed by PackageProduction_12_1_0
Verified junos-12.1R1.9-domestic signed by PackageProduction_12_1_0
Using junos-12.1R1.9-domestic from /altroot/cf/packages/install-tmp/
junos-12.1R1.9-domestic
Copying package ...
Verified manifest signed by PackageProduction_12_1_0
Hardware Database regeneration succeeded
Validating against /config/juniper.conf.gz
mgd: commit complete
Validation succeeded
Installing package '/altroot/cf/packages/install-tmp/junos-12.1R1.9-domestic'
...
Verified junos-boot-srxsme-12.1R1.9.tgz signed by PackageProduction_12_1_0
Verified junos-srxsme-12.1R1.9-domestic signed by PackageProduction_12_1_0
JUNOS 12.1R1.9 will become active at next reboot
Saving state for rollback ...
Rebooting ...
shutdown: [pid 7644]
Shutdown NOW!
*** FINAL System shutdown message from root@srxB-1 ***
System going down IMMEDIATELY
Shutdown NOW!
...TRIMMED...
Fri Apr 22 20:36:27 UTC 2011
srxA-1 (ttyu0)
login:
Step 3.5
After the reboot is complete, log in again as the lab user and issue the show
version command.
srxA-1 (ttyu0)
login: lab
Password:
--- JUNOS 12.1R1.9 built 2012-03-24 12:12:49 UTC

lab@srxA-1> show version
Hostname: srxA-1
Model: srx240-poe
JUNOS Software Release [12.1R1.9]
lab@srxA-1>

Part 4: Recovering the Root Password
In this lab part, you will perform root password recovery. The root password recovery
process requires that you use the console connection.
Step 4.1
the /var/home/lab/ijos/ directory. Commit your configuration and return to
[edit]
load complete
[edit]
commit complete
lab@srxA-1>
Step 4.2
Using a terminal session connected to the console port, reboot the system. Enter
yes to authorize the reboot. When prompted to enter the command prompt, press
the space bar.
lab@srxA-1> request system reboot
Reboot the system ? [yes,no] (no) yes
Shutdown NOW!
[pid 950]
lab@srxA-1>
*** FINAL System shutdown message from lab@srxA-1 ***
System going down IMMEDIATELY
...TRIMMED...
FreeBSD/MIPS U-Boot bootstrap loader, Revision 1.9
([email protected], Mon May 17 05:45:58 UTC 2010)
Memory: 1024MB
[0]Booting from nand-flash slice 1
Un-Protected 1 sectors
writing to flash...
Protected 1 sectors
Loading /boot/defaults/loader.conf
/kernel data=0xa17310+0xdbc54 syms=[0x4+0x7f730+0x4+0xb6cd4]

Hit [Enter] to boot immediately, or space bar for command prompt.

Booting [/kernel] in 1 second...
Type '?' for a list of commands, 'help' for more detailed help.
loader>
Step 4.3
At the prompt, first disable the watchdog process by using the watchdog
disable command. Secondly, type boot -s and press Enter to boot the Junos OS
in single-user mode.
loader> watchdog disable
loader> boot -s
Kernel entry at 0x801000d8 ...
init regular console
Primary ICache: Sets 64 Size 128 Asso 4
Primary DCache: Sets 1 Size 128 Asso 64
Secondary DCache: Sets 512 Size 128 Asso 8
...TRIMMED...
System watchdog timer disabled
Enter full pathname of shell or 'recovery' for root password recovery or RETURN
for /bin/sh:
Step 4.4
When prompted to enter a pathname for shell or ‘recovery’ for root password
recovery, type recovery and press Enter.
Enter full pathname of shell or 'recovery' for root password recovery or RETURN
for /bin/sh: recovery
Performing system setup ...

...TRIMMED...
Performing initialization of management services ...
Performing checkout of management services ...
NOTE: Once in the CLI, you will need to enter configuration mode using
NOTE: the 'configure' command to make any required changes. For example,
NOTE: to reset the root password, type:
NOTE: configure
NOTE: set system root-authentication plain-text-password
NOTE: (enter the new password when asked)
NOTE: commit
NOTE: exit
NOTE: exit
NOTE: When you exit the CLI, you will be asked if you want to reboot
NOTE: the system
Starting CLI ...

root@srxA-1>

Step 4.5
Once the prompt is available, enter configuration mode and set a new root password
of lab123. Commit the configuration and return to configuration mode. Use the
exit command to leave operational mode, the software prompts you about
rebooting. Type y and press Enter to reboot the system.
[edit]
root@srxA-1# set system root-authentication plain-text-password
New password:
[edit]
commit complete
lab@srxA-1> exit
Reboot the system? [y/n] y

Waiting (max 60 seconds) for system process `vnlru' to stop...done
Waiting (max 60 seconds) for system process `bufdaemon' to stop...done
Waiting (max 60 seconds) for system process `syncer' to stop...
Syncing disks, vnodes remaining...1 1 1 1 0 0 done
syncing disks... All buffers synced.

Uptime: 11m53s
Rebooting...
...TRIMMED...
Thu Oct 21 08:46:40 PDT 2010
srxA-1 (ttyu0)
login:
Step 4.6
Once the system boots, verify the root password recovery by logging in with the new
root password.
srxA-1 (ttyu0)
login: root
Password:
--- JUNOS 12.1R1.9 built 2012-03-24 12:12:49 UTC
root@srxA-1%

Question: Were you successfully authenticated
using the new root password?
Answer: You should now be successfully

authenticated as root using the new root password.
This successful authentication verifies that the
access recovery process worked.
Step 4.7
Start the CLI and enter configuration mode.
root@srxA-1% cli
[edit]
root@srxA-1#
Step 4.8
Restore the lab4-part4-start configuration using the load override /
var/home/lab/ijos/lab4-part4-start.config command. Activate the
configuration and log out of the system.
[edit]
root@srxA-1# load override /var/home/lab/ijos/lab4-part4-start.config
load complete
[edit]
commit complete
root@srxA-1> exit
root@srxA-1% exit
logout
srxA-1 (ttyu0)
login:


Lab 5 (Optional)
The J-Web Interface (Detailed)
Overview
This lab introduces you to the J-Web graphical user interface (GUI). In this lab, you will
familiarize yourself with various J-Web features and capabilities.
The lab is available in two formats: a high-level format that is designed to make you think
through each step and a detailed format that offers step-by-step instructions complete
with sample output from most commands.
• Log in to the J-Web interface.
• Explore J-Web monitoring options.
• Explore J-Web configuration and diagnose options.
www.juniper.net The J-Web Interface (Detailed) • Lab 5–1

12.a.12.1R1.9
Part 1: Logging In to and Exploring the J-Web Interface
In this lab part, you will familiarize yourself with the access details for your team’s
station and log in through the J-Web interface. You will also familiarize yourself with
the various monitoring capabilities available in the J-Web user interface.
Note
Depending on the specifics of your class,
you might be accessing a router that is
remote from your physical location. The
instructor will inform you as to the nature of
your access and will provide you with the
details needed to access your router.
Step 1.1


Step 1.2
Lab 5–2 • The J-Web Interface (Detailed) www.juniper.net

Step 1.3
loaded, commit the changes and return to operational mode.
srxA-1 (ttyp0)
login: lab
Password:
--- JUNOS 12.1R1.9 built 2012-03-24 12:12:49 UTC

[edit]
load complete
[edit]
commit complete
lab@srxA-1>
Step 1.4
Open a Web browser on your PC.
From a Web browser on your PC. navigate to the management address of your
device. Refer to the management network diagram for the IP address associated
with your team’s station.
Step 1.5
Log in as user lab with the password supplied by your instructor.

Step 1.6
After logging in click on the Dashboard tab in the upper left corner. Use the
information found in your browser to answer the following questions.

Question: What is the current system up time in
days?
Answer: The answers can vary. The capture taken

from srxA-1 shows an up time of 48 minutes.
Question: What is the current memory and CPU

usage on your assigned station?
Answer: The answer can vary. The capture taken

from srxA-1 shows memory and CPU utilization of
56% and 12% respectively for the control side and
67% and 0% respectively for the data side.
Step 1.7
Edit the Dashboard Preferences to display the Chassis Status.
1. Click Open Preferences Dialog in the upper right corner of the
screen.
2. Scroll down the list of available Panels, and select Chassis Status,
then click OK.

Question: What is the Routing Engine (RE)

temperature, and is this temperature considered
normal?
Answer: The capture taken from srxA-1 indicates

that the RE temperature is considered to be normal
at 44 degrees Celsius.
Question: How can you display the serial number

and model of the Routing Engine?
Answer: You can navigate directly to Monitor >

System View > Chassis Information by
clicking on the View chassis status link on
the newly created Dashboard panel:

Step 1.8
Navigate to Monitor > Interfaces and view the ge-0/0/0.0 interface.
Question: What is the status of the ge-0/0/0.0

interface?
Answer: The interface should indicate an

administrative and operational status of up, and it
should be configured with the management IP
address.
Question: How can you gain additional information

on a given interface?
Answer: Highlight the selected interface and click

Details to open a new window.

Step 1.9
Navigate to Monitor > Routing > Route Information to view the current
static routes.
Part 2: Exploring J-Web Configuration and Diagnostic Capabilities
In this lab part, you will familiarize yourself with the configuration and diagnostic
capabilities available in the J-Web interface. You will also identify the key pages that
relate to those capabilities.
Step 2.1
Access the J-Web configuration page by clicking the Configure tab.

Question: How do you display your station’s current
configuration?
Answer: Click CLI Tools, then click the CLI

Viewer link. This example is taken from srxA-1.
Step 2.2
Navigate to Configure > System Properties > User Management.
Step 2.3
Click Edit. In the Edit User Management window, click Add and create the
user Jweb. Use the password lab123 and fullname Jweb User. Keep the login
class as read-only. Leave the User ID field blank. Click OK when complete.

Step 2.4
Commit the new user by clicking on Actions in the upper right corner, then click
Commit.
Step 2.5
Return to User Management and remove the Jweb user created earlier.
1. Navigate to Configure > System Properties > User
Management.
2. Click Edit.
3. Highlight the Jweb user and click Delete.
4. Click OK.
Step 2.6
Click Actions, then click Compare to display changes in the configuration.

Step 2.7
Commit the changes by clicking on Actions then Commit.
Step 2.8
Navigate to Troubleshoot > Ping Host. Enter the IP address of the server in
the management network and click Start to begin the ping.

Question: Does the ping succeed?
Answer: Yes. As shown in the capture, the ping does

succeed.
Step 2.9
Logout of your J-Web session. Return to the cli session opened to your device and
log out using the exit command.
lab@srxA-1> exit
srxA-1 (ttyu0)
login:

Introduction to the Junos
Operating System
Appendix A: Lab Diagrams

A–2 • Lab Diagrams www.juniper.net

www.juniper.net Lab Diagrams • A–3

A–4 • Lab Diagrams www.juniper.net

Introduction To The Junos Operating System - 12.A - Lab Guide Details

Uploaded by

Copyright:

Available Formats

Introduction To The Junos Operating System - 12.A - Lab Guide Details

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Introduction To The Junos Operating System - 12.A - Lab Guide Details

Uploaded by

Copyright:

Available Formats

Introduction to the Junos

Detailed Lab Guide

Worldwide Education Services

1194 North Mathilda Avenue

Course Number: EDU-JUN-IJOS

Lab 2: Initial System Configuration (Detailed) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-1

Lab 3: Secondary System Configuration (Detailed) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-1

Lab 4: Operational Monitoring and Maintenance (Detailed) . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4-1

Lab 5: The J-Web Interface (Detailed) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5-1

Appendix A: Lab Diagrams . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-1

www.juniper.net Contents • iii

www.juniper.net Course Overview • v

vi • Course Agenda www.juniper.net

CLI and GUI Text

Style Description Usage Example

Courier New Console text:

Input Text Versus Output Text

Style Description Usage Example

Normal CLI No distinguishing variant. Physical interface:fxp0,

Defined and Undefined Syntax Variables

Style Description Usage Example

www.juniper.net Document Conventions • vii

Education Services Offerings

viii • Additional Information www.juniper.net

www.juniper.net The Junos CLI (Detailed) • Lab 1–1

Question: What is the management address

Answer: The answer varies; in the example used

Lab 1–2 • The Junos CLI (Detailed) www.juniper.net

--- JUNOS 12.1R1.9 built 2012-03-24 12:12:49 UTC

Lab 1–4 • The Junos CLI (Detailed) www.juniper.net

Answer: Use the clear log log-filename

lab@srxA-1> show int<space>erfaces

www.juniper.net The Junos CLI (Detailed) • Lab 1–5

Logical interface ge-0/0/0.0 (Index 68) (SNMP ifIndex 509)

Question: What do you think the resulting display

Answer: The display indicates that the command

lab@srxA-1> show ipv6

lab@srxA-1> show ipinterfacebrief

Lab 1–6 • The Junos CLI (Detailed) www.juniper.net

Answer: The system’s command completion feature

inet.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)

10.210.14.128/27 *[Direct/0] 02:12:04

lab@srxA-1> show system users

Question: What happens when you press Ctrl+p

Answer: The system recalls the show route

Question: What happens when you press Ctrl+n?

Answer: The system recalls the next command in

www.juniper.net The Junos CLI (Detailed) • Lab 1–7

Answer: The Up Arrow and Down Arrow keys

Lab 1–8 • The Junos CLI (Detailed) www.juniper.net

Answer: The Spacebar causes the display to scroll

Question: What effect does pressing the Enter key

Answer: The Enter key causes the display to scroll

Question: What effect does pressing the b key

Answer: Pressing the b key causes the display to

Question: What effect does pressing the u key

Answer: Pressing the u key causes the display to

Question: Which key would you press to search

Answer: To search forward, press the forward slash