JNAA IJOS 12.a - LGD

Juniper Networks Academic Series
Introduction to the Junos

Operating System
12.a
Detailed Lab Guide
Worldwide Education Services

1194 North Mathilda Avenue
Sunnyvale, CA 94089
USA
408-745-2000
www.juniper.net
Course Number: EDU-JNAA-IJOS
This document is produced by Juniper Networks, Inc.

This document or any part thereof may not be reproduced or transmitted in any form under penalty of law, without the prior written permission
of Juniper Networks Education Services.
Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United
States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other
trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.
Introduction to the Junos Operating System Detailed Lab Guide, Revision 12.a
Copyright 2012, Juniper Networks, Inc.
All rights reserved. Printed in USA.
Revision History:
Revision 10.b--June 2011
Revision 12.aJuly 2012
The information in this document is current as of the date listed above.
The information in this document has been carefully verified and is believed to be accurate for software Release 12.1R1.9. Juniper Networks
assumes no responsibilities for any inaccuracies that may appear in this document. In no event will Juniper Networks be liable for direct,
indirect, special, exemplary, incidental or consequential damages resulting from any defect or omission in this document, even if advised of
the possibility of such damages.
Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.
YEAR 2000 NOTICE
Juniper Networks hardware and software products do not suffer from Year 2000 problems and hence are Year 2000 compliant. The Junos
operating system has no known time-related limitations through the year 2038. However, the NTP application is known to have some difficulty
in the year 2036.
SOFTWARE LICENSE
The terms and conditions for using Juniper Networks software are described in the software license provided with the software, or to the
extent applicable, in an agreement executed between you and Juniper Networks, or Juniper Networks agent. By using Juniper Networks
software, you indicate that you understand and agree to be bound by its license terms and conditions. Generally speaking, the software
license restricts the manner in which you are permitted to use the Juniper Networks software, may contain prohibitions against certain uses,
and may state conditions under which the license is automatically terminated. You should consult the software license for further details.
Contents
Lab 1:
The Junos CLI (Detailed) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-1

Part 1: Logging In and Exploring the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2
Lab 2:
Initial System Configuration (Detailed) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-1

Part 1: Loading a Factory-Default Configuration and Performing Initial Configuration . . . . . . . . . . 2-2
Part 2: Saving, Displaying, Loading, and Deleting a Rescue Configuration . . . . . . . . . . . . . . . . . .2-13
Part 3: Configuring Interfaces and Verifying Operational State . . . . . . . . . . . . . . . . . . . . . . . . . . .2-17
Lab 3:
Secondary System Configuration (Detailed) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-1

Part 1: Configuring User Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-2
Part 2: Performing System Management Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-13
Lab 4:
Operational Monitoring and Maintenance (Detailed) . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4-1

Part 1: Monitoring System and Chassis Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-2
Part 2: Using Network Utilities and Monitoring Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4-12
Part 3: Upgrading the Junos OS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4-17
Part 4: Recovering the Root Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4-20
Lab 5:
The J-Web Interface (Detailed) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5-1

Part 1: Logging In to and Exploring the J-Web Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-2
Part 2: Exploring J-Web Configuration and Diagnostic Capabilities . . . . . . . . . . . . . . . . . . . . . . . . . 5-8
Appendix A: Lab Diagrams . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-1
www.juniper.net
Contents iii
iv Contents
www.juniper.net
Course Overview
This one-day course provides students with the foundational knowledge required to work with the
Junos operating system and to configure Junos devices. The course provides a brief overview of the
Junos device families and discusses the key architectural components of the software. Additional
key topics include user interface options with a heavy focus on the command-line interface (CLI),
configuration tasks typically associated with the initial setup of devices, interface configuration
basics with configuration examples, secondary system configuration, and the basics of operational
monitoring and maintenance of Junos devices.
Through demonstrations and hands-on labs, you will gain experience in configuring and monitoring
the Junos OS and monitoring basic device operations. This course is based on Junos OS Release
12.1R1.9.
Objectives
After successfully completing this course, you should be able to:
Describe the basic design architecture of the Junos OS.
Identify and provide a brief overview of Junos devices.
Navigate within the Junos CLI.
Perform tasks within the CLI operational and configuration modes.
Restore a Junos device to its factory-default state.
Perform initial configuration tasks.
Configure and monitor network interfaces.
Describe user configuration and authentication options.
Perform secondary configuration tasks for features and services such as system
logging (syslog) and tracing, Network Time Protocol (NTP), configuration archival, and
SNMP.
Monitor basic operation for the Junos OS and devices.
Identify and use network utilities.
Upgrade the Junos OS.
Perform file system maintenance and password recovery on a Junos device.
Navigate within the Junos OS J-Web interface.
Intended Audience
This course benefits individuals responsible for configuring and monitoring devices running the
Junos OS.
Course Level
The Introduction to the Junos Operating System course is a one-day, introductory course.
Prerequisites
Students should have basic networking knowledge and an understanding of the Open Systems
Interconnection (OSI) reference model and the TCP/IP protocol suite.
www.juniper.net
Course Overview v
Course Agenda
Day 1
Chapter 1:
Junos Operating System Fundamentals
Chapter 2:
User Interface Options

Lab 1: The Junos CLI
Chapter 3:
Initial Configuration
Lab 2: Initial System Configuration
Chapter 4:
Secondary System Configuration

Lab 3: Secondary System Configuration
Chapter 5:
Operational Monitoring and Maintenance

Lab 4: Operational Monitoring and Maintenance
Appendix A: Interface Configuration Examples

Appendix B: The J-Web Interface
Lab 5 (Optional): The J-Web Interface
vi Course Agenda
www.juniper.net
Document Conventions
CLI and GUI Text
Frequently throughout this course, we refer to text that appears in a command-line interface (CLI)
or a graphical user interface (GUI). To make the language of these documents easier to read, we
distinguish GUI and CLI text from chapter text according to the following table.
Style
Description
Usage Example
Franklin Gothic
Normal text.
Most of what you read in the Lab Guide

and Study Guide.
Courier New
Console text:
Screen captures
Noncommand-related
syntax
GUI text elements:

Menu names
Text field entry
commit complete
Exiting configuration mode
Select File > Open, and then click
Configuration.conf in the
Filename text box.
Input Text Versus Output Text

You will also frequently see cases where you must enter input text yourself. Often these instances
will be shown in the context of where you must enter them. We use bold style to distinguish text
that is input versus text that is simply displayed.
Style
Description
Usage Example
Normal CLI
No distinguishing variant.
Physical interface:fxp0,
Enabled
Normal GUI
CLI Input
View configuration history by clicking

Configuration > History.
Text that you must enter.
lab@San_Jose> show route

Select File > Save, and type
config.ini in the Filename field.
GUI Input
Defined and Undefined Syntax Variables

Finally, this course distinguishes between regular text and syntax variables, and it also
distinguishes between syntax variables where the value is already assigned (defined variables) and
syntax variables where you must assign the value (undefined variables). Note that these styles can
be combined with the input style as well.
Style
Description
Usage Example
CLI Variable
Text where variable value is

already assigned.
policy my-peers
GUI Variable
Click my-peers in the dialog.

CLI Undefined
GUI Undefined
www.juniper.net
Text where the variables value

is the users discretion and text
where the variables value as
shown in the lab guide might
differ from the value the user
must input.
Type set policy policy-name.

ping 10.0.x.y
Select File > Save, and type
filename in the Filename field.
Document Conventions vii
Additional Information
Education Services Offerings
You can obtain information on the latest Education Services offerings, course dates, and class
locations from the World Wide Web by pointing your Web browser to:
http://www.juniper.net/training/education/.
About This Publication

The Introduction to the Junos Operating System Detailed Lab Guide was developed and tested
using software Release 12.1R1.9. Previous and later versions of software might behave
differently so you should always consult the documentation and release notes for the version of
code you are running before reporting errors.
This document is written and maintained by the Juniper Networks Education Services development
team. Please send questions and suggestions for improvement to training@juniper.net.
Technical Publications
You can print technical manuals and release notes directly from the Internet in a variety of formats:
Go to http://www.juniper.net/techpubs/.
Locate the specific software or hardware release and title you need, and choose the
format in which you want to view or print the document.
Documentation sets and CDs are available through your local Juniper Networks sales office or
account representative.
Juniper Networks Support

For technical support, contact Juniper Networks at http://www.juniper.net/customers/support/, or
at 1-888-314-JTAC (within the United States) or 408-745-2121 (from outside the United States).
viii Additional Information
www.juniper.net
Lab 1
The Junos CLI (Detailed)
Overview
This lab introduces you to the Junos operating system command-line interface (CLI). In
this lab, you will familiarize yourself with various CLI operational mode and configuration
mode features.
The lab is available in two formats: a high-level format designed to make you think through
each step and a detailed format that offers step-by-step instructions complete with
sample output from most commands.
By completing this lab, you will perform the following tasks:
www.juniper.net
Log in to and explore the Junos CLI using both operational and configuration
modes.
The Junos CLI (Detailed) Lab 11

12.a.12.1R1.9
Part 1: Logging In and Exploring the CLI

In this lab part, you become familiar with the access details used to connect to the
lab equipment. Once you are familiar with the access details, you will use the CLI to
log in to your teams designated station and use the CLI to become familiar with
operational mode and configuration mode. You also gain experience with some of
the tools and functionality available within operational mode and configuration
mode.
Note
Depending on the class, the lab equipment

used might be remote from your physical
location. The instructor will inform you as to
the nature of your access and will provide
you the details needed to access your
assigned device.
Step 1.1
Ensure that you know to which student device you have been assigned. Check with
your instructor if you are not certain. Consult the management network diagram to
determine the management address of your student device
Question: What is the management address
assigned to your station?
Answer: The answer varies; in the example used

throughout this lab, the user belongs to the
srxA-1 station, which uses an IP address of
10.210.14.131. Your answer will depend on the
rack of equipment your class is using.
Step 1.2
Access the CLI at your station using either the console, Telnet, or SSH as directed by
your instructor. Refer to the management network diagram for the IP address
associated with your teams station. The following example uses a simple Telnet
access to srxA-1 with the Secure CRT program as a basis:
Lab 12 The Junos CLI (Detailed)
www.juniper.net
Step 1.3
Log in to the student device with the username lab using a password of lab123.
Note that both the name and password are case-sensitive. Issue the configure
command to enter configuration mode and load the reset configuration file using
the load override /var/home/lab/ijos/lab1-start.config
command. After the configuration has been loaded, commit the changes and return
to operational mode using the commit and-quit command.
srxA-1 (ttyp0)
login: lab
Password:
--- JUNOS 12.1R1.9 built 2012-03-24 12:12:49 UTC
lab@srxA-1> configure
Entering configuration mode
[edit]
lab@srxA-1# load override ijos/lab1-start.config
load complete
[edit]
lab@srxA-1# commit and-quit
commit complete
lab@srxA-1>
Step 1.4
Determine what system information you can clear from the operational mode
command prompt.
lab@srxA-1> clear ?
Possible completions:
amt
arp
auto-configuration
bfd
bgp
bridge
www.juniper.net
Show AMT Protocol information

Clear address resolution information
Clear auto-configuration action
Clear Bidirectional Forwarding Detection information
Clear Border Gateway Protocol information
Clear learned Layer 2 MAC address information
chassis
database-replication
dhcpv6
dot1x
esis
ethernet-switching
fabric
firewall
gvrp
helper
igmp
igmp-snooping
interfaces
ipv6
isdn
isis
information
l2-learning
lacp
ldp
lldp
log
mld
mld-snooping
mpls
msdp
multicast
network-access
ospf
ospf3
passive-monitoring
pfe
pgm
pim
ppp
pppoe
protection-group
r2cp
rip
ripng
rsvp
security
services
snmp
spanning-tree
system
vpls
vrrp
wlan
Clear chassis information

Clear database replication information
Clear DHCPv6 information
Clear 802.1X session
Clear end system-to-intermediate system information
Clear ethernet switching information
Clear RPDF Internal data structures
Clear firewall counters
Clears Generic VLAN Registration Protocol information
Clear port-forwarding helper information
Clear Internet Group Management Protocol information
Clear IGMP snooping information
Clear interface information
Clear IP version 6 information
Clear Integrated Services Digital Network information
Clear Intermediate System-to-Intermediate System
Clear
Clear
Clear
Clear
Clear
Clear
Clear
Clear
Clear
Clear
Clear
Clear
Clear
Clear
Clear
Clear
Clear
Clear
Clear
Clear
Clear
Clear
Clear
Clear
Clear
Clear
Clear
Clear
Clear
Clear
Clear
Clear
learned Layer 2 MAC address information

Link Aggregation Control Protocol information
Label Distribution Protocol information
Link Layer Discovery Protocol information
contents of log file
multicast listener discovery information
MLD snooping information
mpls information
Multicast Source Discovery Protocol information
multicast information
network-access related information
Open Shortest Path First information
Open Shortest Path First version 3 information
passive monitoring statistics
Packet Forwarding Engine information
Pragmatic Generalized Multicast information
Protocol Independent Multicast information
PPP information
PPP over Ethernet information
protection group information
Radio-to-Router Protocol information
Routing Information Protocol information
Routing Information Protocol for IPv6 information
Resource Reservation Protocol information
security information
services
Simple Network Management Protocol information
Spanning Tree Protocol information
system information
learned Layer 2 MAC address information
Virtual Router Redundancy Protocol statistics
Wireless LAN information
www.juniper.net
Question: Which command do you use to clear the

contents of a system log (syslog) file?
Answer: Use the clear log log-filename

command to clear the contents of a particular
syslog file.
Step 1.5
Experiment with command completion by entering show i<space>.
lab@srxA-1> show i
^
'i' is ambiguous.
iccp
igmp
igmp-snooping
ingress-replication
interfaces
ipv6
isdn
isis
information
Show
Show
Show
Show
Show
Show
Show
Show
Inter Chassis Control Protocol information

Internet Group Management Protocol information
IGMP snooping information
Ingress-Replication tunnel information
interface information
IP version 6 information
Integrated Services Digital Network information
Intermediate System-to-Intermediate System
Step 1.6
Add characters to disambiguate your command so that you can display
interface-related information; use the Spacebar or Tab key for automatic command
completion.
Note
You can return to the command prompt

without scrolling through all of the
generated output from a command. Enter
the Ctrl+c key sequence or the q key to
abort the operation and return to the
command prompt.
lab@srxA-1> show int<space>erfaces
Physical interface: ge-0/0/0, Enabled, Physical link is Up
Interface index: 134, SNMP ifIndex: 507
Description: MGMT Interface - DO NOT DELETE
Link-level type: Ethernet, MTU: 1514, Link-mode: Full-duplex, Speed: 1000mbps,
BPDU Error: None, MAC-REWRITE Error: None, Loopback: Disabled,
Source filtering: Disabled, Flow control: Enabled, Auto-negotiation: Enabled,
Remote fault: Online
Device flags
: Present Running
Interface flags: SNMP-Traps Internal: 0x0
Link flags
: None
CoS queues
: 8 supported, 8 maximum usable queues
Current address: 00:26:88:e1:54:80, Hardware address: 00:26:88:e1:54:80
Last flapped
: 2011-04-20 02:02:04 UTC (2d 03:09 ago)
www.juniper.net
Input rate
Output rate
Active alarms
Active defects
:
:
:
:
536 bps (0 pps)

0 bps (0 pps)
None
None
Logical interface ge-0/0/0.0 (Index 68) (SNMP ifIndex 509)

Flags: SNMP-Traps 0x0 Encapsulation: ENET2
Input packets : 299996
Output packets: 211433
Security: Zone: Null
...TRIMMED...
Step 1.7
Try to clear SNMP statistics by entering the clear snmp command.
lab@srxA-1> clear snmp
^
syntax error, expecting <command>.
Question: What do you think the resulting display

means?
Answer: The display indicates that the command

was incomplete as entered. The caret symbol (^)
indicates the area of the problem, and the error
message tells you that the system expects
additional command input.
Step 1.8
Verify that the CLI does not let you complete invalid commands by trying to enter the
command show ip interface brief.
lab@srxA-1> show ip<space>
lab@srxA-1> show ipv6
lab@srxA-1> show ipinterfacebrief
^
syntax error, expecting <command>.
www.juniper.net
Question: What happens when you try to enter this

command?
Answer: The systems command completion feature

completes a show ipv6 command in this case
because ipv6 is the only valid completion. If you
attempt to continue with invalid syntax, the system
informs you of your error. Unlike some CLI
implementations, the Junos OS will not let you
waste time typing in an illegitimate command!
Step 1.9
Enter a show route command followed by a show system users command.
You are entering these commands to demonstrate command history recall. When
finished, enter the keyboard sequences indicated to answer the related questions.
lab@srxA-1> show route
inet.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
10.210.14.128/27
10.210.14.131/32
*[Direct/0] 02:12:04
> via ge-0/0/0.0
*[Local/0] 02:12:10
Local via ge-0/0/0.0
lab@srxA-1> show system users

5:12AM up 2 days, 3:14, 1 user, load averages: 0.04, 0.10, 0.07
USER
TTY
FROM
LOGIN@ IDLE WHAT
lab
u0
4:43AM
- -cli (cli)
Question: What happens when you press Ctrl+p

twice?
Answer: The system recalls the show route

command and displays it at the prompt.
Question: What happens when you press Ctrl+n?
Answer: The system recalls the next command in

the buffer, which is a show system users
command in this example.
www.juniper.net
Question: What happens when you use the Up

Arrow and Down Arrow keys?
Answer: The Up Arrow and Down Arrow keys

function as substitutes for the Ctrl+p and Ctrl+n
sequences as long as the system is configured for
VT100-type emulation, which is the default.
Step 1.10
In many cases, the output of a command might exceed one full screen. For example,
the show interfaces interface-name extensive command displays a lot
of information about the specified interface. Enter this command now for your
systems ge-0/0/0 interface, and answer the following questions. Use the h key as
needed to obtain help when CLI output is paused at the ---(more)--- prompt.
lab@srxA-1> show interfaces ge-0/0/0 extensive
Interface index: 134, SNMP ifIndex: 507, Generation: 137
Device flags
: Present Running
Link flags
: None
CoS queues
Hold-times
: Up 0 ms, Down 0 ms
Current address: 00:26:88:e1:54:80, Hardware address: 00:26:88:e1:54:80
Last flapped
: 2011-04-20 02:02:04 UTC (2d 03:11 ago)
Statistics last cleared: Never
Traffic statistics:
Input bytes :
197626475
1008 bps
Output bytes :
196448392
0 bps
Input packets:
300053
1 pps
Output packets:
211433
0 pps
Input errors:
Errors: 0, Drops: 0, Framing errors: 0, Runts: 0, Policed discards: 0,
L3 incompletes: 0, L2 channel errors: 0, L2 mismatch timeouts: 0,
FIFO errors: 0, Resource errors: 0
Output errors:
Carrier transitions: 1, Errors: 0, Drops: 0, Collisions: 0, Aged packets: 0,
FIFO errors: 0, HS link CRC errors: 0, MTU errors: 0, Resource errors: 0
...TRIMMED...
www.juniper.net
Question: What effect does pressing the Spacebar

have?
Answer: The Spacebar causes the display to scroll

forward to display the next screen of output.
Question: What effect does pressing the Enter key
have on the paused output?
Answer: The Enter key causes the display to scroll

forward by one line.
Question: What effect does pressing the b key
have?
Answer: Pressing the b key causes the display to

scroll backwards by one full screen, up to the point
where the first full screen of information displays.
Question: What effect does pressing the u key
have?
Answer: Pressing the u key causes the display to

scroll backwards by one half of a screen, up to the
point where the first screen displays.
Question: Which key would you press to search
forward through a display that consists of multiple
screens of output?
Answer: To search forward, press the forward slash

(/) character followed by the search pattern.
Step 1.11
Use the pipe (|) and match functions of the Junos CLI to list all interfaces that are
physically down.
lab@srxA-1> show interfaces | match down
Physical interface: ge-0/0/5, Enabled, Physical link is Down
Device flags
: Present Running Down
Interface flags: Hardware-Down SNMP-Traps Internal: 0x0
www.juniper.net

Device flags
Device flags
Device flags
Device flags
Device flags
Device flags
Device flags
Device flags
Device flags
Device flags
Question: Are any of your interfaces listed as Down?
Answer: In this example, the answer is yes; several

interfaces show as Down. The interfaces shown
might vary depending on your lab environment.
Question: Can you think of a way to have the
Junos OS count the number of interfaces that are
physically down? (Hint: Remember that you can use
the results of one pipe as input to another pipe
operation.)
Answer: To count the number of down interfaces,

pipe the results of the previous command to the CLI
count function. In this example, we included an
extra match function to ensure that the software
does not count interfaces that are down both
logically and physically more than once:
www.juniper.net
lab@srxA-1> show interfaces | match down | match Physical | count

Count: 11 lines
Step 1.12
A large portion of the Junos OS documentation is available directly from the CLI. You
can retrieve high-level topics using the help topic command, whereas you can
obtain detailed configuration-related information with the help reference
command.
Use the help reference command along with the CLI question-mark operator
(?) to find detailed information about configuring a system hostname.
lab@srxA-1> help reference ?
access
accounting-options
ancp
applications
bfd
bgp
bridge-domains
chassis
class-of-service
connections
diameter
dlsw
dot1x
dvmrp
dynamic-profiles
esis
event-options
firewall
forwarding-options
igmp
interfaces
isis
l2-learning
l2circuit
l2vpn
layer2-control
layer2-vpns
Use the 'help reference l2vpn' command
layer3-vpns
ldp
link-management
lldp
logical-systems
mld
mpls
msdp
mvpn
oam
ospf
ospf3
pgm
pim
www.juniper.net
poe
policy-options
ppp
protection-group
rip
ripng
router-advertisement
router-discovery
routing-instances
routing-options
rsvp
sap
schedulers
security
services
snmp
stp
switch-options
system
vpls
vpns
vrrp
Question: Which CLI command displays reference

information about configuration of the systems
hostname?
Answer: The help reference system

host-name command displays information
regarding system hostnames:
lab@srxA-1> help reference system host-name
host-name
Syntax
host-name hostname;
Hierarchy Level
[edit system]
Release Information
Statement introduced before JUNOS Release 7.4.
Statement introduced in JUNOS Release 9.0 for EX Series switches.
Description
Set the hostname of the router or switch.
www.juniper.net
Options
hostname--Name of the router or switch.
Required Privilege Level
system--To view this statement in the configuration.
system-control--To add this statement to the configuration.
Related Topics
* Configuring the Hostname of the Router
Step 1.13
Enter configuration mode.
[edit]
lab@srxA-1#
Question: What happens to your prompt?
Answer: A pound sign (#) replaces the angle bracket

(>), and a configuration hierarchy banner displays.
Question: According to the prompt, what is your
position in the configuration hierarchy?
Answer: The display indicates that you are now at

the [edit] hierarchy, which is the root of the
configuration tree.
Step 1.14
Display the interfaces portion of the candidate configuration.
[edit]
lab@srxA-1# show interfaces
www.juniper.net
ge-0/0/0 {
description "MGMT Interface - DO NOT DELETE";
unit 0 {
family inet {
address 10.210.14.131/27;
}
}
}
Step 1.15
Position yourself at the [edit interfaces] configuration hierarchy.
[edit]
lab@srxA-1# edit interfaces
[edit interfaces]
lab@srxA-1#
Question: What happens to the banner?
Answer: The banner now correctly shows that the

user is at the [edit interfaces] portion of the
configuration hierarchy.
Question: What is the result of a show command
now?
Answer: A show command displays information

pertaining only to configuration statements at and
below the current hierarchy. In this case, the
software displays only the configuration statements
for the systems ge-0/0/0 interface:
[edit interfaces]
lab@srxA-1# show
ge-0/0/0 {
unit 0 {
family inet {
address 10.210.14.131/27;
}
}
}
www.juniper.net
Step 1.16
Move to the [edit protocols ospf] portion of the hierarchy. This step
requires that you first visit the root of the hierarchy, as you cannot jump directly
between branches. You can perform this step with a single command in the form of
top edit protocols ospf, however.
[edit interfaces]
lab@srxA-1# top edit protocols ospf
[edit protocols ospf]
lab@srxA-1#
Question: Which commands can you now enter to

reposition yourself at the [edit] portion of the
hierarchy? Return to the [edit] hierarchy level
now.
Answer: You can issue an up command twice, or an

up 2 command. You can also issue an exit
command or a top command.
[edit protocols ospf]
lab@srxA-1# top
[edit]
lab@srxA-1#
Note
If you have not already done so, return to

the [edit] hierarchy level using one of
the available methods.
Step 1.17
Try to display the status of chassis hardware with a show chassis hardware
operational command while in configuration mode.
[edit]
lab@srxA-1# show chassis hardware
^
syntax error.
www.juniper.net
Question: Why do you think you received an error?

What can you do to execute operational mode
commands while in configuration mode? Try that
now.
Answer: The command issued is not valid in

configuration mode. Precede operational mode
commands with the keyword run to execute them
while in configuration mode:
[edit]
lab@srxA-1# run show chassis hardware
Hardware inventory:
Item
Version Part number
Chassis
Routing Engine
REV 35
750-021794
FPC 0
PIC 0
Power Supply 0
Serial number
AH3809AA0054
AAAX6922
Description
SRX240h-poe
RE-SRX240H-POE
FPC
16x GE Base PIC
Step 1.18
Try to return to operational mode by entering an exit command.
[edit]
lab@srxA-1# exit
The configuration has been changed but not committed
Exit with uncommitted changes? [yes,no] (yes)
Question: What happens when you execute the

exit command?
Answer: You should see a message indicating that

uncommitted changes exist. This message results
from the creation of an empty [edit protocols
ospf] stanza. This empty stanza causes the
configuration database to believe that the
configuration actually changed.
www.juniper.net
Question: Which CLI command can you use to

display differences between the candidate and
active configuration file? Enter no at the current
prompt and issue the required command to view
the differences between the candidate and active
configurations.
Answer: Use the show command with the results

piped to compare rollback number. In this
example, you should not see any actual
configuration changes, as shown in the following
sample capture:
The configuration has been changed but not committed
Exit with uncommitted changes? [yes,no] (yes) no
Exit aborted
[edit]
lab@srxA-1# show | compare rollback 0
[edit]
lab@srxA-1#
Question: Considering that nothing changed, which

command can you enter to allow an exit from
configuration mode without being warned of
uncommitted changes? Issue that command now.
Answer: Issue a rollback 0 command to replace

the candidate configuration with a new copy of the
active configuration. You can now exit configuration
mode without being warned of uncommitted
changes:
[edit]
lab@srxA-1# rollback 0
load complete
[edit]
lab@srxA-1# exit
lab@srxA-1>
Step 1.19
Log out of your assigned device using the exit command.
www.juniper.net
lab@srxA-1> exit
srxA-1 (ttyu0)
login:
STOP
Tell your instructor that you have completed Lab 1.
www.juniper.net
Lab 2
Initial System Configuration (Detailed)
Overview
This lab demonstrates configuration tasks typically performed on new devices running the
Junos operating system. In this lab, you use the CLI to perform initial configuration and
basic interface configuration.
sample output from most commands. Refer to the management network diagram for
access details.
www.juniper.net
Load a factory-default configuration and perform initial system configuration.
Save, delete, and restore a rescue configuration.
Perform basic interface configuration.
Initial System Configuration (Detailed) Lab 21

12.a.12.1R1.9
Introduction to the Junos Operating System
Part 1: Loading a Factory-Default Configuration and Performing Initial Configuration

In this lab part, you will load the factory-default configuration and perform initial
configuration tasks using the Junos CLI.
Step 1.1

Step 1.2
Access the CLI at your station using the console connection.
Note
During this lab, your access through the

management network will be affected.
Ensure that you use the console
connection to access your assigned station.
Using the console connection ensures
persistent connectivity even when the
management network access is
unavailable. If needed, ask your instructor
how to connect to your system using the
console port.
Lab 22 Initial System Configuration (Detailed)
www.juniper.net
Step 1.3
Note that both the name and password are case-sensitive. Enter configuration mode
and load a factory-default configuration using the load factory-default
command.
srxA-1 (ttyp0)
login: lab
Password:
--- JUNOS 12.1R1.9 built 2012-03-24 12:12:49 UTC
[edit]
lab@srxA-1# load factory-default
warning: activating factory configuration
Step 1.4
Display the factory-default configuration.
[edit]
lab@srxA-1# show
## Last changed: 2012-04-17 23:59:34 UTC
system {
autoinstallation {
delete-upon-commit; ## Deletes [system autoinstallation] upon change/
commit
traceoptions {
level verbose;
flag {
all;
}
}
interfaces {
ge-0/0/0 {
bootp;
}
}
}
name-server {
208.67.222.222;
208.67.220.220;
}
services {
ssh;
telnet;
xnm-clear-text;
web-management {
http {
interface vlan.0;
}
https {
system-generated-certificate;
www.juniper.net
interface vlan.0;
}
}
dhcp {
router {
192.168.1.1;
}
pool 192.168.1.0/24 {
address-range low 192.168.1.2 high 192.168.1.254;
}
propagate-settings ge-0/0/0.0;
}
}
syslog {
archive size 100k files 3;
user * {
any emergency;
}
file messages {
any critical;
authorization info;
}
file interactive-commands {
interactive-commands error;
}
}
max-configurations-on-flash 5;
##
## Warning: statement ignored: unsupported platform (srx240h)
##
max-configuration-rollbacks 5;
license {
autoupdate {
url https://ae1.juniper.net/junos/key_retrieval;
}
}
## Warning: missing mandatory statement(s): 'root-authentication'
}
interfaces {
ge-0/0/0
unit
}
ge-0/0/1
unit
{
0;
{
0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/2 {
unit 0 {
vlan {
www.juniper.net
members vlan-trust;
}
}
}
}
ge-0/0/3 {
unit 0 {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/4 {
unit 0 {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/5 {
unit 0 {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/6 {
unit 0 {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/7 {
unit 0 {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/8 {
unit 0 {
vlan {
members vlan-trust;
www.juniper.net
}
}
}
}
ge-0/0/9 {
unit 0 {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/10 {
unit 0 {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/11 {
unit 0 {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/12 {
unit 0 {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/13 {
unit 0 {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/14 {
unit 0 {
vlan {
members vlan-trust;
}
www.juniper.net
}
}
}
ge-0/0/15 {
unit 0 {
vlan {
members vlan-trust;
}
}
}
}
vlan {
unit 0 {
family inet {
address 192.168.1.1/24;
}
}
}
}
protocols {
stp;
}
security {
screen {
ids-option untrust-screen {
icmp {
ping-death;
}
ip {
source-route-option;
tear-drop;
}
tcp {
syn-flood {
alarm-threshold 1024;
attack-threshold 200;
source-threshold 1024;
destination-threshold 2048;
timeout 20;
}
land;
}
}
}
nat {
source {
rule-set trust-to-untrust {
from zone trust;
to zone untrust;
rule source-nat-rule {
match {
source-address 0.0.0.0/0;
}
then {
www.juniper.net
source-nat {
interface;
}
}
}
}
}
}
policies {
from-zone trust to-zone untrust {
policy trust-to-untrust {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
}
zones {
security-zone trust {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
vlan.0;
}
}
security-zone untrust {
screen untrust-screen;
interfaces {
ge-0/0/0.0 {
host-inbound-traffic {
system-services {
dhcp;
tftp;
}
}
}
}
}
}
}
vlans {
vlan-trust {
vlan-id 3;
l3-interface vlan.0;
www.juniper.net
}
}
Note
The factory-default configuration displays

several statements pertaining to the
security hierarchy level. This information is
outside the scope of this class but is
covered in the Junos for Security Platforms
(JSEC) course.
Step 1.5
Try to activate the factory-default configuration by issuing a commit command.
[edit]
lab@srxA-1# commit
[edit]
'system'
Missing mandatory statement: 'root-authentication'
error: commit failed: (missing statements)
Question: Did the commit operation succeed? If

not, why not?
Answer: No, the commit operation should fail

because the root authentication is missing.
Step 1.6
Navigate to the [edit system root-authentication] hierarchy level. Issue
the set plain-text-password command. When prompted to enter a new
password, type apples.
[edit]
lab@srxA-1# edit system root-authentication
[edit system root-authentication]
lab@srxA-1# set plain-text-password
New password:
error: require change of case, digits or punctuation
lab@srxA-1#
Question: What happens when you enter the

specified password? Why?
Answer: The operation fails because the password

does not meet the requirements.
www.juniper.net
Step 1.7
Again, issue the set plain-text-password command. When prompted to
enter a new password, type Apples. When prompted to confirm the password, type
Oranges.
New password:
Retype new password:
error: Passwords are not equal; aborting

specified passwords? Why?
Answer: The operation fails because the passwords

are not equal.
Step 1.8
Issue the set plain-text-password command once again. When prompted
to enter a new password, type Rootroot. When prompted to confirm the password,
type Rootroot. Activate the change and return to operational mode by issuing a
commit and-quit command.
New password:
commit complete
lab@srxA-1>
Step 1.9
Issue the file list /var/tmp command.
lab@srxA-1> file list /var/tmp
error: no local user: lab

specified command? Why?
Answer: The operation generates an error because

the lab user is no longer valid. We restore the lab
user account in a subsequent lab step.
www.juniper.net
Step 1.10
Log out as the lab user and log in as root. Use the newly defined password of
Rootroot.
lab@srxA-1> exit
srxA-1 (ttyu0)
login: root
Password:
--- JUNOS 12.1R1.9 built 2012-03-24 12:12:49 UTC
root@srxA-1%
Note
You should see the previously defined

hostname at the login prompt. The
amnesiac hostname is shown when the
hostname is removed and the system is
rebooted. You do not need to reboot the
system at this time because you will
configure a new hostname shortly.
Step 1.11
Start the CLI with the cli command and enter configuration mode.
root@srxA-1% cli
root@srxA-1> configure
[edit]
root@srxA-1#
Step 1.12
Define the systems hostname. Use the hostname specified on the management
network diagram provided by your instructor.
[edit]
root@srxA-1# set system host-name hostname
Step 1.13
Configure the time zone and system time using the local time zone and current date
and time as input values.
[edit]
root@srxA-1# set system time-zone time-zone
[edit]
root@srxA-1# run set date date/time
Wed April 25 04:19:00 PDT 2012
www.juniper.net
Step 1.14
Remove the DHCP, interface, security, protocols and vlan sections from the
factory-default configuration, as this is not necessary in this lab environment.
[edit]
root@srxA-1# delete system services dhcp
[edit]
root@srxA-1# delete interfaces
[edit]
root@srxA-1# delete security
[edit]
root@srxA-1# delete protocols
[edit]
root@srxA-1# delete vlans
Step 1.15
Configure the ge-0/0/0 interface using the address and subnet mask specified on
the management network diagram, and specify an interface description of "MGMT
INTERFACE - DO NOT DELETE".
[edit]
root@srxA-1# edit interfaces
[edit interfaces]
root@srxA-1# set ge-0/0/0 unit 0 family inet address management IP address
[edit interfaces]
root@srxA-1# set ge-0/0/0 description "MGMT Interface - DO NOT DELETE"
[edit interfaces]
root@srxA-1#
Step 1.16
Navigate to [edit routing-options] and define a static route for the
10.210.0.0/16 destination prefix to allow for reachability beyond the local
management subnet. Use the gateway address, shown on the management network
diagram, as the next-hop value. When complete commit the configuration and return
to operational mode.
[edit interfaces]
root@srxA-1# top edit routing-options
[edit routing-options]
root@srxA-1# set static route 10.210.0.0/16 next-hop gateway address
[edit routing-options]
root@srxA-1# commit and-quit
commit complete
root@srxA-1>
www.juniper.net
STOP
Wait for your instructor before you proceed to the next part.
Part 2: Saving, Displaying, Loading, and Deleting a Rescue Configuration

In this lab part, you will save, display, load, and delete a rescue configuration using
the Junos CLI.
Step 2.1
Enter configuration mode and load the lab2-part2-start.config file from
the/var/home/lab/ijos/ directory. This will return the lab to its original state
and reestablish the lab user. Commit your configuration and return to operational
mode when complete.
[edit]
root@srxA-1# load override /var/home/lab/ijos/lab2-part2-start.config
load complete
[edit]
commit complete
root@srxA-1>
Step 2.2
Log out of the root user by issuing the exit command twice, then log in as the
lab user using lab123 as the password.
root@srxA-1> exit
root@srxA-1% exit
logout
srxA-1 (ttyu0)
login: lab
Password:
--- JUNOS 12.1R1.9 built 2012-03-24 12:12:49 UTC
lab@srxA-1>
Step 2.3
Save the active configuration as the rescue configuration.
lab@srxA-1> request system configuration rescue save
Step 2.4
Display the contents of the recently saved rescue configuration.
www.juniper.net
lab@srxA-1> file show /config/rescue.conf.gz

## Last changed: 2012-04-17 20:11:13 PDT
version 12.1R1.9;
system {
host-name srxB-1;
time-zone America/Los_Angeles;
root-authentication {
encrypted-password "$1$KI99zGk6$MbYFuBbpLffu9tn2.sI7l1";
ssh-dsa "ssh-dss
AAAAB3NzaC1kc3MAAACBAMQrfP2bZyBXJ6PC7XXZ+MzErI8Jl6jah5L4/
O8BsfP2hC7EvRfNoX7MqbrtCX/9gUH9gChVuBCB+ERULMdgRvM5uGhC/
gs4UX+4dBbfBgKYYwgmisM8EoT25m7qI8ybpl2YZvHNznvO8h7kr4kpYuQEpKvgsTdH/
Jle4Uqnjv7DAAAAFQDZaqA6QAgbW3O/
zveaLCIDj6p0dwAAAIB1iL+krWrXiD8NPpY+w4dWXEqaV3bnobzPC4eyxQKBUCOr80Q5YBlWXVBHx9e
lwBWZwj0SF4hLKHznExnLerVsMuTMA846RbQmSz62vM6kGM13HFonWeQvWia0TDr78+rOEgWF2KHBSI
xL51lmIDW8Gql9hJfD/Dr/
NKP97w3L0wAAAIEAr3FkWU8XbYytQYEKxsIN9P1UQ1ERXB3G40YwqFO484SlyKyYCfaz+yNsaAJu2C8
UebDIR3GieyNcOAKf3inCG8jQwjLvZskuZwrvlsz/xtcxSoAh9axJcdUfSJYMW/
g+mD26JK1Cliw5rwp2nH9kUrJxeI7IReDp4egNkM4i15o= configurator@server1.he";
}
login {
user lab {
uid 2000;
class super-user;
authentication {
encrypted-password "$1$84J5Maes$cni5Hrazbd/IEHr/50oY30";
}
}
}
services {
ssh;
telnet;
web-management {
http {
interface ge-0/0/0.0;
}
https {
interface all;
}
}
}
syslog {
file messages {
any critical;
authorization info;
}
interactive-commands any;
}
}
}
interfaces {
ge-0/0/0 {
www.juniper.net
unit 0 {
family inet {
address 10.210.35.133/26;
}
}
}
}
routing-options {
static {
route 10.210.0.0/16 next-hop 10.210.35.130;
}
}
Question: Does the rescue configuration match the

recently created active configuration?
Answer: Yes, the rescue configuration should match

the recently created active configuration.
Question: What CLI command could you issue to
compare the active and rescue configuration files?
Answer: Use the file compare files /

config/juniper.conf.gz /config/
rescue.conf.gz command to compare the
active and rescue configurations. As shown in the
following sample capture, the files do not contain
any differences:
lab@srxA-1> file compare files /config/juniper.conf.gz /config/rescue.conf.gz
Step 2.5
Return to configuration mode and delete the [edit system services]
hierarchy level. Activate the change.
[edit]
lab@srxA-1# delete system services
[edit]
lab@srxA-1# commit
commit complete
[edit]
lab@srxA-1#
Step 2.6
Verify that the [edit system services] hierarchy level is empty and then load
the rescue configuration.
www.juniper.net
[edit]
lab@srxA-1# show system services
[edit]
lab@srxA-1# rollback rescue
load complete
Step 2.7
Verify that the [edit system services] hierarchy level once again contains
the ssh, telnet, and web-management services.
[edit]
lab@srxA-1# show system services
ssh;
telnet;
web-management {
http {
interface ge-0/0/0.0;
}
https {
interface all;
}
}
Question: Did the rescue configuration successfully

load? Are the services enabled now? If not, why
not?
Answer: Yes, the rescue configuration loaded

successfully and restored the statements at the
[edit system services] hierarchy level.
However, the software did not enable the services.
Remember, to enable the rescue configuration, or
any other candidate configuration, you must
commit!
Step 2.8
Activate the rescue configuration and return to operational mode.
[edit]
commit complete
lab@srxA-1>
Step 2.9
Delete the rescue configuration and attempt to display the rescue.conf.gz file to
confirm the deletion.
www.juniper.net
lab@srxA-1> request system configuration rescue delete

lab@srxA-1> file show /config/rescue.conf.gz
error: could not resolve file: /config/rescue.conf.gz
Question: Did you successfully delete the rescue

configuration?
Answer: Yes, based on the results shown, the

deletion of the rescue configuration was successful.
STOP
Part 3: Configuring Interfaces and Verifying Operational State

In this lab part, you will perform interface configuration and verify the operational
state of interfaces using the Junos CLI.
Step 3.1
the /var/home/lab/ijos/ directory. Commit you configuration when complete.
[edit]
lab@srxA-1# load override ijos/lab2-part3-start.config
load complete
[edit]
lab@srxA-1# commit
commit complete
[edit]
lab@srxA-1#
Step 3.2
Refer to the network diagram for this lab and configure the listed interfaces. Use
logical unit 0 on all specified interfaces. Commit the configuration and return to
operational mode when complete.
[edit]
lab@srxA-1# edit interfaces
[edit interfaces]
lab@srxA-1# set ge-0/0/3 unit 0 family inet address address/30
[edit interfaces]
www.juniper.net
[edit interfaces]
[edit interfaces]
lab@srxA-1# set lo0 unit 0 family inet address address/32
[edit interfaces]
commit complete
lab@srxA-1>
Step 3.3
Issue the show interfaces terse CLI command to verify the state of the
configured interfaces.
lab@srxA-1> show interfaces terse
Interface
Admin Link
ge-0/0/0
up
up
ge-0/0/0.0
up
up
...TRIMMED..
ge-0/0/1
up
up
ge-0/0/1.0
up
up
ge-0/0/2
up
up
ge-0/0/2.0
up
up
ge-0/0/3
up
up
ge-0/0/3.0
up
up
...TRIMMED..
lo0
up
up
lo0.0
up
up
...TRIMMED..
Proto
Local
inet
10.210.14.131/27
inet
172.20.77.1/30
inet
172.20.66.1/30
inet
172.18.1.2/30
inet
192.168.1.1
Remote
--> 0/0
Question: What are the Admin and Link states of

the recently configured interfaces?
Answer: All configured interfaces should show

Admin and Link states of up, as shown in the
sample capture.
Step 3.4
lab@srxA-1> exit
srxA-1 (ttyu0)
login:
www.juniper.net
STOP
www.juniper.net
www.juniper.net
Lab 3
Secondary System Configuration (Detailed)
Overview
This lab demonstrates typical secondary configuration tasks performed on devices
running the Junos operating system.
sample outputs from most commands.
www.juniper.net
Define user accounts and authentication options.
Set up and verify proper operation of system logging (syslog).
Configure and monitor NTP.
Enable and monitor the operation of SNMP.
Configure and monitor the configuration archival feature.
Secondary System Configuration (Detailed) Lab 31

12.a.12.1R1.9
Part 1: Configuring User Authentication

In this lab part, your team will configure user accounts and related authentication
options.
Step 1.1

Step 1.2
Step 1.3
and load the reset configuration file using the load override /var/home/
lab/ijos/lab3-start.config command. After the configuration has been
loaded, commit the changes.
srxA-1 (ttyp0)
login: lab
Lab 32 Secondary System Configuration (Detailed)
www.juniper.net
Password:
--- JUNOS 12.1R1.9 built 2012-03-24 12:12:49 UTC
[edit]
load complete
[edit]
lab@srxA-1# commit
commit complete
[edit]
lab@srxA-1#
Step 1.4
Navigate to [edit system login] and define a custom login class named
juniper with the following permissions:
view
view-configuration
reset
[edit]
lab@srxA-1# edit system login
[edit system login]
lab@srxA-1# set class juniper permissions [view view-configuration reset]
error: invalid value: ]
Note
There may be an error after entering the

command, but it should still be added to
the configuration. Use the show command
to verify this.
[edit system login]
lab@srxB-1# show
class juniper {
permissions [ reset view view-configuration ];
}
user lab {
uid 2000;
class super-user;
authentication {
encrypted-password "$1$84J5Maes$cni5Hrazbd/IEHr/50oY30"; ## SECRET-DATA
}
}
www.juniper.net
Step 1.5
Next, define two new user accounts using the information from the following table:
Username
Class
Plain-Text Password
walter
juniper
walter123
nancy
read-only
nancy123
[edit system login]

lab@srxA-1# set user walter class juniper
[edit system login]
lab@srxA-1# set user walter authentication plain-text-password
New password:
[edit system login]
lab@srxA-1# set user nancy class read-only
[edit system login]
lab@srxA-1# set user nancy authentication plain-text-password
New password:
Step 1.6
View the configuration under the [edit system login] hierarchy level. If you
are satisfied with the results, activate your new configuration by issuing the commit
command.
[edit system login]
lab@srxA-1# show
class juniper {
}
user lab {
uid 2000;
class super-user;
authentication {
encrypted-password "$1$mKkMA9pa$AUZPO2UJ9rWwOfp4Kb2/a1"; ## SECRET-DATA
}
}
user nancy {
class read-only;
authentication {
encrypted-password "$1$sg4t2qIv$E3E5PQftT//p1PiswUgfS/"; ## SECRET-DATA
}
}
user walter {
class juniper;
authentication {
encrypted-password "$1$BH89uJ/p$eNBGRpAVxSXzOhbxjjgi90"; ## SECRET-DATA
}
}
www.juniper.net
[edit system login]

lab@srxA-1# commit
commit complete
Note
The remainder of this lab part tests user

login options. To prevent yourself from
being locked out, keep the current console
session open!
Step 1.7
Open another terminal window and use Telnet to access your systems management
IP address. If needed, refer to the management network diagram. Log in with the
username walter.
srxA-1 (ttyp0)
login: walter
Password:
--- JUNOS 12.1R1.9 built 2012-03-24 12:12:49 UTC
walter@srxA-1>
Step 1.8
Using the new terminal session, try to enter configuration mode.
walter@srxA-1> configure
^
unknown command.
www.juniper.net
Question: How does the CLI respond when you try to

enter configuration mode?
Answer: The CLI does not let user walter enter

configuration mode. It responds by stating that the
command is unknown.
Step 1.9
Enter a question mark (?) at the prompt to view the permitted operational mode
command options for the user walter.
walter@srxA-1> ?
file
help
load
monitor
op
quit
request
restart
save
set
show
start
test
Perform file operations

Provide help information
Show real-time debugging information
Invoke an operation script
Exit the management session
Make system-level requests
Restart software process
Set CLI properties, date/time, craft interface message
Show system information
Start shell
Perform diagnostic debugging
Question: Why is the user walter unable to enter

configuration mode?
Answer: The custom login class defined for the user

walter does not give permission for entering
configuration mode.
Step 1.10
Verify that the user walter can view the configuration and other operational
outputs such as interface information.
walter@srxA-1> show configuration
## Last commit: 2012-04-18 12:14:08 PDT by lab
version 12.1R1.9;
system {
host-name srxA-1;
time-zone America/Los_Angeles;
root-authentication {
encrypted-password /* SECRET-DATA */; ## SECRET-DATA
ssh-dsa /* SECRET-DATA */;
www.juniper.net
}
login {
class juniper {
}
user lab {
uid 2000;
class super-user;
authentication {
}
}
user nancy {
uid 2001;
class read-only;
authentication {
}
}
user walter {
uid 2002;
class juniper;
authentication {
}
}
}
...TRIMMED...
walter@srxA-1> show interfaces
Interface index: 134, SNMP ifIndex: 508
Device flags
: Present Running
Link flags
: None
CoS queues
Current address: f8:c0:01:8f:8f:80, Hardware address: f8:c0:01:8f:8f:80
Last flapped
: 2012-04-18 10:27:06 PDT (01:57:39 ago)
Input rate
: 976 bps (2 pps)
Output rate
: 1280 bps (1 pps)
Active alarms : None
Active defects : None
Interface transmit statistics: Disabled
Logical interface ge-0/0/0.0 (Index 70) (SNMP ifIndex 512)
Flags: SNMP-Traps 0x0 Encapsulation: ENET2
Input packets : 157
Output packets: 81
...TRIMMED...
www.juniper.net
Question: Can the user walter view the root

password within the configuration? Why?
Answer: No. The Junos OS hides certain

configuration elements that it determines to be
security risks and notates them with a
SECRET-DATA tag. In this case, the user walter
does not have the secret permission defined for
his login class. The secret permission is required
to view configuration elements with the
SECRET-DATA tag.
Step 1.11
Restart the routing process using the restart routing command. This
command restarts the routing protocol daemon (rpd), which can be useful when
troubleshooting routing problems.
walter@srxA-1> restart routing
Routing protocols process started, pid 9777
Question: Which permission allows the user

walter to perform this command?
Answer: The reset permission allows a user to

restart software processes and certain hardware
components. This permission will not, however,
allow the user to reboot the system.
Step 1.12
Log out from the user walter and initiate a new Telnet session to the management
interface for the user nancy. (Hint: Use the reconnect option on your terminal
client.) Attempt to restart the routing protocol process using the restart
routing command.
walter@srxA-1> exit
srxA-1 (ttyp0)
login: nancy
Password:
--- JUNOS 11.1R1.10 built 2011-03-16 08:20:26 UTC
nancy@srxA-1> restart
^
unknown command.
www.juniper.net
Question: Can nancy successfully issue the

restart command?
Answer: As shown in the output, the user nancy

cannot issue the operational mode restart
command.
Question: What is a quick way to view the top-level
operational mode commands available to nancy?
Answer: Use the question mark (?) to view available

commands anywhere within a command line.
Commands that are not permitted due to user
permissions do not display.
Question: Can the user nancy view the
configuration?
Answer: The user nancy can issue the command

show configuration, but the contents are
hidden. The following is a sample capture, taken
from the srxA-1 device:
nancy@srxA-1> show configuration
## Last commit: 2012-04-18 12:14:08 PDT by lab
version /* ACCESS-DENIED */;
system { /* ACCESS-DENIED */ };
interfaces { /* ACCESS-DENIED */ };
routing-options { /* ACCESS-DENIED */ };
Step 1.13
Attempt to clear interface statistics for the ge-0/0/0 interface using the clear
interfaces statistics ge-0/0/0 command.
nancy@srxA-1> clear
^
unknown command.
www.juniper.net
Question: Which permission option would allow the

user nancy to clear the interface statistics on the
ge-0/0/0 interface?
Answer: The clear permission option would allow

this behavior.
Step 1.14
Return to the original session opened to the lab user.
From the session opened to the lab user attempt to add the clear permission to
the default read-only login class. Issue the show command to view the system
login hierarchy.
[edit system login]
lab@srxA-1# set class read-only permissions clear
warning: 'read-only' is a predefined class name; changing to 'read-only-local'
[edit system login]
lab@srxA-1# show
class juniper {
}
class read-only-local {
permissions clear;
}
user lab {
uid 2000;
class super-user;
authentication {
encrypted-password "$1$mKkMA9pa$AUZPO2UJ9rWwOfp4Kb2/a1"; ## SECRET-DATA
}
}
user nancy {
uid 2003;
class read-only;
authentication {
encrypted-password "$1$sg4t2qIv$E3E5PQftT//p1PiswUgfS/"; ## SECRET-DATA
}
}
user walter {
uid 2004;
class juniper;
authentication {
encrypted-password "$1$BH89uJ/p$eNBGRpAVxSXzOhbxjjgi90"; ## SECRET-DATA
}
}
www.juniper.net
Question: What happened when you added the

clear permission to the read-only login class?
Answer: Because you cannot alter predefined login

classes, the Junos OS created a new login class
named read-only-local that is not associated
with any user.
Question: How can you add the clear permission
for the user nancy?
Answer: You must define a new custom login class

for this functionality.
Step 1.15
Navigate to the top of the configuration hierarchy and configure a RADIUS server for
use with user authentication. Refer to your management network diagram for the
server address. The RADIUS secret should be Juniper. Configure the
authentication order so that user login attempts use only local password
authentication if the RADIUS server is unreachable. Use commit to activate the
changes.
[edit system login]
lab@srxA-1# top
[edit]
lab@srxA-1# set system radius-server RADIUS server secret Juniper
[edit]
lab@srxA-1# set system authentication-order radius
[edit]
lab@srxA-1# commit
commit complete
[edit]
lab@srxA-1#
www.juniper.net
Question: Must you include password in the

authentication order to enable this behavior?
Answer: No. If an authentication method is

unavailable because of a network or server outage,
the software automatically consults the local
password database.
Step 1.16
Return to the secondary Telnet session opened to you student device
From the secondary Telnet session in which the user nancy is logged in, issue the
exit command to log out. Test the RADIUS server by reconnecting to the Telnet
session and try to log back in as nancy.
nancy@srxA-1> exit
srxA-1 (ttyp0)
login: nancy
Password:
Login incorrect
login:
Question: Were you able to log in as nancy?
Answer: No. In this case, the server defined is

actually reachable, and it is not configured with the
nancy username.
Step 1.17
In the previous lab step, the defined RADIUS server was reachable. Because you did
not define the username on the RADIUS server, the RADIUS server rejected the
authentication. Therefore, the software did not consult the local password database.
From the session opened to the lab user and change the IP address of the RADIUS
server to 10.1.1.1. You can use the rename command for this change. Do not forget
to issue commit to activate the change.
[edit]
lab@srxA-1# rename system radius-server RADIUS server to 10.1.1.1
[edit]
lab@srxA-1# commit
commit complete
www.juniper.net
Step 1.18
Return to the secondary Telnet session opened to you student device
From the secondary Telnet session, try to log in to the system with the nancy
username once again.
login: nancy
Password:
Local password:
--- JUNOS 12.1R1.9 built 2012-03-24 12:12:49 UTC
nancy@srxA-1>
Question: What was different about the login

behavior in this step as compared to the last step
with respect to a reachable RADIUS server?
Answer: After entering the password, a short delay

occurs while the system tries to consult the RADIUS
server, and the user receives an option to enter a
local password. After entering the users password,
the system logs the user in.
Step 1.19
From the session opened to the lab user and delete the
authentication-order statement. When complete commit your config and
return to operational mode.
[edit]
lab@srxA-1# delete system authentication-order
[edit]
commit complete
lab@srxA-1>
STOP
Part 2: Performing System Management Options

In this lab part, you will perform configuration of some common system
management features. You will configure and monitor syslog, NTP, SNMP, and
configuration archival.
www.juniper.net
Step 2.1
the/var/home/lab/ijos/ directory. Commit your configuration when complete.
[edit]
load complete
[edit]
lab@srxA-1# commit
commit complete
[edit]
lab@srxA-1#
Step 2.2
Use the show system syslog command to view the current syslog
configuration.
[edit]
lab@srxA-1# show system syslog
file messages {
any critical;
authorization info;
}
interactive-commands any;
}
Question: What facilities and severity levels

currently log to the messages log file?
Answer: In the sample output, the messages file

shows the any and authorization facilities
using the critical and info severities,
respectively. The actual settings might vary between
Junos devices and software versions.
Question: What is the purpose of specifying a
facility of any?
Answer: This option logs all facility levels.
www.juniper.net
Step 2.3
Navigate to the [edit system syslog] hierarchy and configure a new syslog
file named config-changes. Specify a facility of change-log and a severity of
info. Also, set the severity level for the default messages file to any.
[edit]
lab@srxA-1# edit system syslog
[edit system syslog]
lab@srxA-1# set file config-changes change-log info
lab@srxA-1# set file messages any any
lab@srxA-1#
Step 2.4
Configure your system to send logs to a remote server running the standard syslog
utility. Refer to your management network diagram for the server address. (Hint: Use
the host option.) Choose the correct facility that logs access attempts on the
system. (Hint: The current messages log file is already using this facility.) Use a
severity level of info. Commit your changes when complete.
lab@srxA-1# set host server address authorization info
lab@srxA-1# commit
commit complete
Step 2.5
Using the run file list /var/log/ command, verify the creation of a log file
named config-changes.
lab@srxA-1# run file list /var/log/
/var/log/:
authd_profilelib
authd_sdb.log
autod
chassisd
config-changes
cosd
dcd
dfwc
dfwd
eccd
gres-tp
httpd.log
httpd.log.old
idpd.addver
interactive-commands
inventory
www.juniper.net
jsrpd
jsrpd_chk_only
kmd
license
mastership
messages
nsd_chk_only
pf
pfed_trace.log
pgmd
rtlogd
sampled
sdxd
utmd-av
Note
The files stored in the /var/log/

directory might vary between each system.
Question: What other log files from your systems
configuration does this directory store?
Answer: Although the files in the /var/log/

directory might vary on each system, the
messages and interactive-commands log
files should be present on all systems.
Step 2.6
Configure the system to synchronize its clock with an NTP server. Refer to the
management network diagram for the servers IP address.
lab@srxA-1# top
[edit]
lab@srxA-1# set system ntp server server address
Step 2.7
Use the same server IP address used in the previous step and configure an NTP
boot server. Commit the configuration and return to operational mode when
complete.
[edit]
lab@srxA-1# set system ntp boot-server server address
[edit]
commit complete
www.juniper.net

lab@srxA-1>
Step 2.8
View the config-changes log and verify the logging of the latest configuration
changes.
lab@srxA-1> show log config-changes
Apr 22 18:58:08 srxA-1 mgd[2552]: UI_CFG_AUDIT_OTHER: User 'lab' set: [system
ntp]
Apr 22 18:58:08 srxA-1 mgd[2552]: UI_CFG_AUDIT_OTHER: User 'lab' set: [system
ntp server 10.210.14.130]
Apr 22 18:58:16 srxA-1 mgd[2552]: UI_CFG_AUDIT_SET: User 'lab' set: [system ntp
boot-server] <unconfigured> -> "10.210.14.130"
Step 2.9
Manually force synchronization with the NTP server by issuing the set date ntp
operational mode command.
lab@srxA-1> set date ntp
22 Apr 19:04:24 ntpdate[3080]: step time server 10.210.14.130 offset -0.000025
sec
Step 2.10
Verify synchronization with the NTP server by using the show ntp
associations command. The system is synchronized with the NTP server if you
see the server address in the remote column with an asterisk (*) next to it. Check
the current system time using the show system uptime command.
Note
It might take a few minutes for the systems

time to synchronize with the NTP server.
lab@srxA-1> show ntp associations
remote
refid
st t when poll reach
delay
offset jitter
==============================================================================
*10.210.14.130
10.210.0.72
4 14
64
1
1.073
0.113
1.178
lab@srxA-1> show system uptime
Current time: 2012-04-19 09:23:35 PDT
System booted: 2012-04-18 10:24:42 PDT (22:58:53 ago)
Protocols started: 2012-04-18 12:27:26 PDT (20:56:09 ago)
Last configured: 2012-04-19 09:20:11 PDT (00:03:24 ago) by lab
9:23AM up 22:59, 2 users, load averages: 0.15, 0.07, 0.02
www.juniper.net
Question: What does the asterisk (*) next to the

NTP server address signify?
Answer: The asterisk (*) represents the peer

chosen for synchronization as well as a
synchronized state with that peer. When you define
multiple NTP peers, the system selects only a single
NTP peer.
Step 2.11
Return to configuration mode and configure the system to allow SNMP access using
a community value of junos. The system should allow processing of SNMP
messages only when it receives them from the NMS servers IP address. Refer to the
[edit]
lab@srxA-1# set snmp community junos clients server address
[edit]
lab@srxA-1#
Step 2.12
Configure an SNMP trap group to send traps to the NMS server. The SNMP trap
group should send traps whenever an interface transitions to a down state. Name
the trap group interfaces.
[edit]
lab@srxA-1# set snmp trap-group interfaces targets server address
[edit]
lab@srxA-1# set snmp trap-group interfaces categories link
Question: What trap category do you enable to

receive traps for an over-temperature condition?
Answer: You enable the chassis category to send

traps for an over-temperature condition.
Note
In subsequent steps you will disable the

management interface. Ensure that the
terminal session to your system uses the
console connection.
www.juniper.net
Step 2.13
To test your SNMP configuration, temporarily disable the ge-0/0/0 interface using
the set interfaces ge-0/0/0 disable command. Commit the new setting
and verify that the interface is down using the run show interfaces ge-0/
0/0 terse command. Next, re-enable the interface by issuing the delete
interfaces ge-0/0/0 disable command. Commit the change and return to
[edit]
lab@srxA-1# set interfaces ge-0/0/0 disable
[edit]
lab@srxA-1# commit
commit complete
[edit]
lab@srxA-1# run show interfaces ge-0/0/0 terse
Interface
Admin Link Proto
Local
ge-0/0/0
down down
ge-0/0/0.0
up
down inet
10.210.14.131/27
Remote
[edit]
lab@srxA-1# delete interfaces ge-0/0/0 disable
[edit]
commit complete
lab@srxA-1>
Step 2.14
Verify that the interface transition resulted in the sending of a trap by viewing the
messages log. Use the pipe symbol (|) and match on the ge-0/0/0 interface and
the keyword snmp to parse the messages log output. Next, issue the show snmp
statistics command and confirm that the Traps value in the Output section
is not zero.
lab@srxA-1> show log messages | match ge-0/0/0 | match snmp
Apr 19 11:05:22 srxB-1 mib2d[1223]: SNMP_TRAP_LINK_DOWN: ifIndex 508,
ifAdminStatus down(2), ifOperStatus down(2), ifName ge-0/0/0
Apr 19 11:06:14 srxB-1 mib2d[1223]: SNMP_TRAP_LINK_UP: ifIndex 508,
ifAdminStatus up(1), ifOperStatus up(1), ifName ge-0/0/0
Apr 19 11:06:14 srxB-1 mib2d[1223]: SNMP_TRAP_LINK_UP: ifIndex 512,
ifAdminStatus up(1), ifOperStatus up(1), ifName ge-0/0/0.0
Apr 19 11:13:28 srxB-1 mgd[1291]: UI_CMDLINE_READ_LINE: User 'lab', command
'show log messages | match ge-0/0/0 | match snmp '
lab@srxA-1> show snmp statistics
SNMP statistics:
Input:
Packets: 0, Bad versions: 0, Bad community names: 0,
Bad community uses: 0, ASN parse errors: 0,
Too bigs: 0, No such names: 0, Bad values: 0,
www.juniper.net
Read onlys: 0, General errors: 0,

Total request varbinds: 0, Total set varbinds: 0,
Get requests: 0, Get nexts: 0, Set requests: 0,
Get responses: 0, Traps: 0,
Silent drops: 0, Proxy drops: 0, Commit pending drops: 0,
Throttle drops: 0, Duplicate request drops: 0
V3 Input:
Unknown security models: 0, Invalid messages: 0
Unknown pdu handlers: 0, Unavailable contexts: 0
Unknown contexts: 0, Unsupported security levels: 0
Not in time windows: 0, Unknown user names: 0
Unknown engine ids: 0, Wrong digests: 0, Decryption errors: 0
Output:
Packets: 6, Too bigs: 0, No such names: 0,
Bad values: 0, General errors: 0,
Get requests: 0, Get nexts: 0, Set requests: 0,
Get responses: 0, Traps: 6
Question: Does the messages log show trap

entries associated with the interface status
change?
Answer: Yes, you should see log entries for the

status change for both the physical and the logical
interfaces.
Question: Does the show snmp statistics
command list a non-zero value for outgoing traps?
Answer: Yes, you should see a non-zero value for the

output traps counter. In the sample output, you can
see a value of 6. Your counters value might vary.
Step 2.15
Perform an SNMP MIB walk with the Junos CLI using the show snmp mib walk
jnxOperatingDescr command. Note that the resolved object identifier (OID) of
jnxOperatingDescr is case sensitive. The OID is variable; we are simply using
this OID as an example.
lab@srxA-1> show snmp mib
jnxOperatingDescr.1.1.0.0
walk jnxOperatingDescr
= midplane
= PEM 0
= SRX240 PowerSupply fan 1
= SRX240 PowerSupply fan 2
= SRX240 CPU fan 1
= SRX240 CPU fan 2
= SRX240 IO fan 1
www.juniper.net
=
=
=
=
=
=
=
SRX240 IO fan 2
FPC: FPC @ 0/*/*
FPC: FPC @ 1/*/*
PIC: 16x GE Base PIC @ 0/0/*
PIC: 1x Serial mPIM @ 1/0/*
Routing Engine
USB Hub
Note
The Junos OS accepts both the

dotted-decimal notation and alpha-numeric
notation of SNMP MIB OIDs. The previous
example polls the Juniper Networks
Chassis MIB for a mapping of component
OIDs. This tool is helpful for deciphering
what component might be initiating an
SNMP trap when your NMS station reports
the OID in only a dotted-decimal notation.
You do not need to configure SNMP to
perform SNMP polling from within the
Junos OS.
Question: What OID associates with the Routing
Engine (RE) for your system?
Answer: The RE associates with the 9.1.0.0 OID

leaf. This leaf is merely one leaf in the MIB tree and
does not represent the full OID string.
Step 2.16
Enter configuration mode and configure your system to archive its configuration to a
remote FTP server whenever a commit operation occurs. You should configure the
archive-sites as ftp://ftp@server address:/archive including
the quotation marks. Refer to the management network diagram for the servers IP
address. You should configure the password as ftp. You perform this configuration
under the [edit system archival configuration] hierarchy level.
Commit your configuration and return to operational mode when complete.
[edit]
lab@srxA-1# edit system archival configuration
[edit system archival configuration]
lab@srxA-1# set archive-sites "ftp://ftp@server address/archive" password ftp
lab@srxA-1# set transfer-on-commit
www.juniper.net

commit complete
lab@srxA-1>
Step 2.17
Verify that the configuration successfully transferred to the remote FTP server by
using the show log messages | match transfer command.
lab@srxA-1> show log messages | match transfer
Apr 19 13:01:46 srxB-1 mgd[1291]: UI_CFG_AUDIT_SET: User 'lab' set: [system
archival configuration] <unconfigured> -> "transfer-on-commit"
'set transfer-on-commit '
Apr 19 13:02:43 srxB-1 logger: transfer-file: Transferred /var/transfer/
config/srxB-1_juniper.conf.gz_20120419_200200
'show log messages | match transfer '
Note
Even when using the

transfer-on-commit option with
configuration archival, the transfer is
cyclical and uses a short time interval. If
you do not see the transfer in your log, wait
a minute or two and look again.
Question: What do the numbers at the end of the
transferred filename represent?
Answer: The configuration file contains the current

date and UTC time according to the system clock.
Step 2.18
lab@srxA-1> exit
srxA-1 (ttyu0)
login:
STOP
www.juniper.net
Lab 4
Operational Monitoring and Maintenance (Detailed)
Overview
This lab covers common operational monitoring and platform maintenance activities. In
this lab, you monitor system, chassis, and interface operation, use network utilities, and
perform system maintenance tasks.
sample output from most commands.
www.juniper.net
Monitor chassis, system, and interface operation.
Use network utilities.
Upgrade a device running the Junos operating system and recover the root
password.
Operational Monitoring and Maintenance (Detailed) Lab 41

12.a.12.1R1.9
Part 1: Monitoring System and Chassis Operation

In this lab part, each team will use key commands within the CLI to monitor system
and chassis operation.
Step 1.1

Step 1.2
Step 1.3
loaded, commit the changes and return to operational mode.
srxA-1 (ttyp0)
login: lab
Password:
Lab 42 Operational Monitoring and Maintenance (Detailed)
www.juniper.net
--- JUNOS 12.1R1.9 built 2012-03-24 12:12:49 UTC

[edit]
load complete
[edit]
commit complete
lab@srxA-1>
Step 1.4
Issue the show system processes extensive command to check the status
of the routing protocol daemon (rpd). Alternatively, issue the show system
processes extensive | match "pid | rpd" command to parse the
output. The use of two pipes (|) in this command allows you to make multiple
matches. In this case it matches rpd for the routing protocol process as well as PID
to view the column headers.
lab@srxA-1> show system processes extensive
last pid: 5976; load averages: 0.08, 0.14, 0.07
124 processes: 18 running, 95 sleeping, 11 waiting
up 1+21:08:16
07:32:28
Mem: 143M Active, 98M Inact, 535M Wired, 159M Cache, 112M Buf, 34M Free
Swap:
PID USERNAME THR PRI NICE
SIZE
RES STATE C
TIME
WCPU COMMAND
1234 root
7 76
0
511M 61524K select 0 140.4H 282.62%
flowd_octeon_hm
22 root
1 171
52
0K
16K RUN
0 39.0H 87.94% idle: cpu0
23 root
1 -20 -139
0K
16K RUN
0 16:54 0.00% swi7: clock
1256 root
1 76
0 10896K 4104K select 0
5:14 0.00% license-check
5 root
1 -16
0
0K
16K rtfifo 0
5:12 0.00% rtfifo_kern_recv
1223 root
1 76
0 26180K 9224K select 0
4:03 0.00% mib2d
1225 root
1 76
0 18768K 7252K select 0
3:41 0.00% l2ald
1244 root
1 76
0 15588K 3464K select 0
2:48 0.00% shm-rtsdbd
1218 root
1 76
0
113M 16796K select 0
1:49 0.00% chassisd
19 root
1 171
52
0K
16K RUN
3
1:44 0.00% idle: cpu3
20 root
1 171
52
0K
16K RUN
2
1:44 0.00% idle: cpu2
21 root
1 171
52
0K
16K RUN
1
1:43 0.00% idle: cpu1
1227 root
2 76
0 22948K 7616K select 0
1:40 0.00% pfed
1222 root
1 76
0 18932K 11360K select 0
1:33 0.00% snmpd
1252 root
1 76
0 16684K 7916K select 0
1:28 0.00% utmd
50 root
1 -16
0
0K
16K psleep 0
1:14 0.00% vmkmemdaemon
25 root
1 -40 -159
0K
16K WAIT
0
1:13 0.00% swi2: netisr 0
1215 root
1 76
0 3288K 1376K select 0
1:10 0.00% bslockd
1219 root
1 76
0 11132K 3324K select 0
1:10 0.00% alarmd
1685 root
1
4
0 49392K 22156K kqread 0
0:40 0.00% rpd
...TRIMMED...
www.juniper.net
lab@srxA-1> show system processes extensive | match "pid | rpd"

PID USERNAME THR PRI NICE
SIZE
RES STATE C
TIME
WCPU COMMAND
1685 root
1
4
0 49392K 22156K kqread 0
0:40 0.00% rpd
Question: What is the weighted CPU usage of rpd?
Answer: The answer can vary. In the sample output

taken from srxA-1, the weighted CPU usage is 0%.
The weighted CPU column represents the CPU
usage over a period of time.
Step 1.5
Issue the show system statistics command to view protocol statistics
related to your teams device.
lab@srxA-1> show system statistics
tcp:
466 packets sent
340 data packets (16474 bytes)
0 data packets (0 bytes) retransmitted
0 resends initiated by MTU discovery
116 ack-only packets (91 delayed)
0 URG only packets
2 window probe packets
0 window update packets
10 control packets
...TRIMMED...
Question: How many TCP packets did your assigned

device send since the last clearing of the system
statistics?
Answer: The answer can vary. In the previous

example taken from srxA-1, the device sent 466
TCP packets.
Step 1.6
Issue the show system storage command to view information regarding the
device storage space.
lab@srxA-1> show system storage
Filesystem
Size
/dev/da0s1a
898M
devfs
1.0K
devfs
1.0K
/dev/md0
477M
/cf
898M
devfs
1.0K
Used
497M
1.0K
1.0K
477M
497M
1.0K
Avail
330M
0B
0B
0B
330M
0B
Capacity
60%
100%
100%
100%
60%
100%
Mounted on
/
/dev
/dev/
/junos
/junos/cf
/junos/dev/
www.juniper.net
procfs
/dev/bo0s1e
/dev/md1
/dev/da0s1f
/cf/var/jail
devfs
/dev/md2
4.0K
24M
168M
61M
898M
1.0K
39M
4.0K
22K
13M
624K
497M
1.0K
4.0K
0B
22M
142M
55M
330M
0B
36M
100%
0%
8%
1%
60%
100%
0%
/proc
/config
/mfs
/cf/var/log
/jail/var
/jail/dev
/mfs/var/run/utm
Question: How much free space is available on your

device?
Answer: The answer can vary. In the sample output

taken from srxA-1, 330 Megabytes are available.
Step 1.7
Issue the show system uptime command to view the current system time.
lab@srxA-1> show system uptime
Current time: 2012-04-20 08:01:50 PDT
System booted: 2012-04-18 10:24:42 PDT (1d 21:37 ago)
Protocols started: 2012-04-18 12:27:26 PDT (1d 19:34 ago)
Last configured: 2012-04-20 07:52:13 PDT (00:09:37 ago) by lab
8:01AM up 1 day, 21:37, 2 users, load averages: 0.07, 0.05, 0.03
Question: When was your teams device last

booted?
Answer: The answer will vary. In the example taken

from srxA-1, you can see that the system booted
close to two days ago.
Step 1.8
Open another terminal window and use Telnet to access your systems management
IP address. If needed, refer to the management network diagram. Log in with the
username walter and the password walter123.
www.juniper.net
srxA-1 (ttyp0)
login: walter
Password:
--- JUNOS 12.1R1.9 built 2012-03-24 12:12:49 UTC
walter@srxA-1>
Step 1.9
Return to the original session opened to your device.
Return to the original session logged in as lab and issue the show system users
command to view information about users logged in to your teams device.
12:41PM up 46 mins, 2 users, load averages: 0.03, 0.08, 0.12
USER
TTY
FROM
LOGIN@ IDLE WHAT
lab
u0
2:33PM
- -cli (cli)
walter
p0
10.210.14.129
3:07PM
1 -cli (cli)
Question: What is the source IP address of the

Telnet session established by the user walter?
Answer: The answer will vary. In the following

example taken from srxA-1, the source IP address
of the telnet session established by the user
walter is 10.210.14.129.
Step 1.10
Issue the request system logout user walter command to force a log
out for the user walter. Next, issue the show system users command to verify
that the user session for walter was terminated.
lab@srxA-1> request system logout user walter
logout-user: done
12:46PM up 51 mins, 1 user, load averages: 0.06, 0.12, 0.12
USER
TTY
FROM
LOGIN@ IDLE WHAT
lab
u0
12:29PM
- -cli (cli)
Question: Was the user Telnet session for walter

properly closed?
Answer: As shown in the sample output, the Telnet

session for the user walter should now be closed.
www.juniper.net
Step 1.11
Check the environmental status of your teams device by issuing the show
chassis environment command.
lab@srxA-1> show chassis environment
Class Item
Status
Temp Routing Engine
OK
Routing Engine CPU
OK
Fans SRX240 PowerSupply fan 1
OK
SRX240 PowerSupply fan 2
OK
SRX240 CPU fan 1
OK
SRX240 CPU fan 2
OK
SRX240 IO fan 1
OK
SRX240 IO fan 2
OK
Power Power Supply 0
OK
Measurement
37 degrees C / 98 degrees F
Spinning at high speed
Question: What is the temperature and status of the

Routing Engine (RE)?
Answer: Your details might vary. The sample capture

shows a temperature of 37 degrees Celsius and a
status of OK.
Question: Name another show chassis
command that displays the RE temperature. (Hint:
Use the ?.)
Answer: As the following capture shows, the show

chassis routing-engine command displays
the RE temperature as well as other RE-specific
details.
lab@srxA-1> show chassis routing-engine
Routing Engine status:
Temperature
CPU temperature
Total memory
1024 MB Max
635 MB used ( 62 percent)
Control plane memory
560 MB Max
Data plane memory
464 MB Max
CPU utilization:
User
5 percent
Background
0 percent
Kernel
4 percent
Interrupt
0 percent
Idle
92 percent
Model
RE-SRX240H-POE
Serial ID
AAAD8406
Start time
2010-10-20 11:56:01 PDT
Uptime
58 minutes, 49 seconds
Last reboot reason
0x200:chassis control reset
www.juniper.net
Load averages:
1 minute
0.11
5 minute
0.11
15 minute
0.11
Step 1.12
Issue the show chassis temperature-thresholds command.
lab@srxA-1> show chassis temperature-thresholds
Fan speed
Yellow alarm
Red alarm
Fire
(degrees C)
(degrees C)
(degrees C) (degrees C)
Item
Normal High
Normal Bad fan
Normal Bad fan
Normal
Chassis default
35
45
50
40
75
65
100
Routing Engine
35
45
50
40
75
65
100
Question: At what temperature is a red alarm

generated for the RE?
Answer: Assuming the fans are operational, the

system raises a red alarm when the RE reaches 75
degrees Celsius. These threshold values can vary
between different Junos devices.
Step 1.13
View details about your systems hardware components using the show chassis
hardware command.
lab@srxA-1> show chassis hardware
Hardware inventory:
Item
Version Part number
Chassis
Routing Engine
REV 31
750-021794
FPC 0
PIC 0
Power Supply 0
Serial number
AH2909AA0041
AAAK4071
Description
SRX240-poe
RE-SRX240-POE
FPC
16x GE Base PIC
Question: What is the chassis serial number for your

teams device?
Answer: The answer will vary depending on your

assigned device. In the example, the chassis serial
number is AH2909AA0041.
Step 1.14
Issue the show interface terse command to quickly verify the administrative
and link state for your devices interfaces.
lab@srxA-1> show interfaces terse
Interface
Admin Link Proto
ge-0/0/0
up
up
ge-0/0/0.0
up
up
inet
Local
Remote
10.210.14.131/27
www.juniper.net
gr-0/0/0
ip-0/0/0
ls-0/0/0
lt-0/0/0
mt-0/0/0
pd-0/0/0
pe-0/0/0
ge-0/0/1
ge-0/0/1.0
ge-0/0/2
ge-0/0/2.0
ge-0/0/3
ge-0/0/3.0
ge-0/0/4
ge-0/0/5
ge-0/0/6
ge-0/0/7
ge-0/0/8
ge-0/0/9
ge-0/0/10
ge-0/0/11
ge-0/0/12
ge-0/0/13
ge-0/0/14
ge-0/0/15
gre
ipip
lo0
lo0.0
lo0.16384
lo0.16385
up
up
up
up
up
up
up
up
up
up
up
up
up
up
up
up
up
up
up
up
up
up
up
up
up
up
up
up
up
up
up
up
up
up
up
up
up
up
up
up
up
up
up
up
up
down
down
down
down
down
down
down
down
down
down
down
up
up
up
up
up
up
lo0.32768
lsi
mtun
pimd
pime
pp0
st0
tap
vlan
up
up
up
up
up
up
up
up
up
up
up
up
up
up
up
up
up
up
inet
172.20.77.1/30
inet
172.20.66.1/30
inet
172.18.1.2/30
inet
inet
inet
192.168.1.1
--> 0/0
127.0.0.1
--> 0/0
10.0.0.1
--> 0/0
10.0.0.16
--> 0/0
128.0.0.1
--> 0/0
128.0.1.16
--> 0/0
fe80::226:88ff:fe02:6700
inet6
Question: What are the Admin and Link states for

all configured interfaces?
Answer: All configured interfaces should show

Admin and Link states of up. If your output shows
otherwise, please contact your instructor.
www.juniper.net
Step 1.15
Issue the show interfaces ge-0/0/0 extensive command and answer
the questions that follow:
lab@srxA-1> show interfaces ge-0/0/0 extensive
Interface index: 131, SNMP ifIndex: 117, Generation: 134
Device flags
: Present Running
Link flags
: None
CoS queues
Hold-times
: Up 0 ms, Down 0 ms
Current address: 00:26:88:02:67:00, Hardware address: 00:26:88:02:67:00
Last flapped
: 2012-04-19 11:06:14 PDT (21:34:34 ago)
Statistics last cleared: Never
Traffic statistics:
Input bytes :
2145595228
0 bps
Output bytes :
118650
0 bps
Input packets:
35759921
0 pps
Output packets:
1512
0 pps
Input errors:
Errors: 0, Drops: 0, Framing errors: 0, Runts: 0, Policed discards: 0,
L3 incompletes: 0, L2 channel errors: 0, L2 mismatch timeouts: 0,
FIFO errors: 0, Resource errors: 0
...TRIMMED...
Logical interface ge-0/0/0.0 (Index 67) (SNMP ifIndex 118) (Generation 132)
Flags: SNMP-Traps Encapsulation: ENET2
...TRIMMED...
Question: What is the SNMP ifIndex for

ge-0/0/0? What about for ge-0/0/0.0?
Answer: The SNMP ifIndex values vary between

student devices. In the example, the SNMP
ifIndex for ge-0/0/0 and ge-0/0/0.0 are 117
and 118, respectively.
Question: What is the current hardware address for
the ge-0/0/0 interface?
Answer: The current hardware address for the

ge-0/0/0 interface varies between student devices.
In the example, the current hardware address is
00:26:88:02:67:00.
www.juniper.net
Question: Does the ge-0/0/0 interface show any

input errors?
Answer: Although it is possible that input errors

exist, the answer to this question should typically be
no.
Question: Does the ge-0/0/0 interface show input
and output traffic statistics? How are those
statistics counted?
Answer: The interface should show input and output

traffic statistics. The system counts traffic statistics
as both bytes and packets as shown in the sample
capture.
Step 1.16
Issue the clear interfaces statistics ge-0/0/0 command followed by
the show interfaces ge-0/0/0 extensive | find "traffic"
command.
lab@srxA-1> clear interfaces statistics ge-0/0/0
lab@srxA-1> show interfaces ge-0/0/0 extensive | find "traffic"
Traffic statistics:
Input bytes :
0
0 bps
Output bytes :
0
0 bps
Input packets:
0
0 pps
Output packets:
0
0 pps
...TRIMMED...
Question: Were the statistics for the ge-0/0/0

interface successfully cleared?
Answer: Although your statistics might not show all

zeros, as the sample capture does, the interface
statistics should clear.
STOP
www.juniper.net
Part 2: Using Network Utilities and Monitoring Traffic

In this lab part, each team will use network utilities within the CLI and monitor local
system traffic.
Step 2.1
the/var/home/lab/ijos/ directory. Commit your configuration and return to
[edit]
load complete
[edit]
commit complete
lab@srxA-1>
Step 2.2
Start a continuous ping to the server with a data size of 500 bytes. Refer to the
Note
If you are not receiving Internet Control

Message Protocol (ICMP) echo replies from
the server, notify your instructor.
lab@srxA-1> ping server address size 500
PING 10.210.14.130 (10.210.14.130): 500 data bytes
508 bytes from 10.210.14.130: icmp_seq=0 ttl=64 time=3.649
...TRIMMED...
ms
ms
ms
ms
ms
ms
ms
www.juniper.net
Question: Which command option do you use to

make the ping continuous?
Answer: As shown in the sample output, you do not

need an extra command option to make the ping
continuous. Echo requests send continuously by
default. You can use the count option to send a
defined amount of packets.
Note
You can stop the ping operation by using

the Ctrl+c keystroke combination. You
should, however, let the ping operation
continue at this time for the subsequent
monitoring step.
Step 2.3
Open a new terminal session to your teams device. Use Telnet to access your
systems management IP address. If needed, refer to the management network
diagram. Log in with the lab user account and the password provided by the
instructor. You will use this separate terminal session to monitor ping traffic
generation.
srxA-1 (ttyp0)
login: lab
Password:
--- JUNOS 12.1R1.9 built 2012-03-24 12:12:49 UTC
lab@srxA-1>
www.juniper.net
Step 2.4
Use the monitor traffic interface ge-0/0/0 command to begin
monitoring the ge-0/0/0 management interface.
Note
You can stop the monitoring operation by

using the Ctrl+c keystroke combination.
You can also increase the capture size
using the size option to avoid truncated
packets.
lab@srxA-1> monitor traffic interface ge-0/0/0
verbose output suppressed, use <detail> or <extensive> for full protocol decode
Address resolution is ON. Use <no-resolve> to avoid any reverse lookup delay.
Address resolution timeout is 4s.
Listening on ge-0/0/0, capture size 96 bytes
Reverse lookup for 10.210.14.129 failed (check DNS reachability).
Other reverse lookup failures will not be reported.
Use <no-resolve> to avoid reverse lookups on IP addresses.
08:53:59.796502 In IP 10.210.14.129.35817 > 10.210.14.131.telnet: . ack 9055411
17 win 64422
08:53:59.796709 Out IP truncated-ip - 225 bytes missing! 10.210.14.131.telnet >
10.210.14.129.35817: P 1:246(245) ack 0 win 65535
08:54:00.005781 In IP 10.210.14.129.35817 > 10.210.14.131.telnet: . ack 246 win
64177
08:54:00.544439 Out IP truncated-ip - 24 bytes missing! 10.210.14.131 > 10.210.1
4.130: ICMP echo request, id 960, seq 148, length 64
08:54:00.546050 In IP 10.210.14.130 > 10.210.14.131: ICMP echo reply, id 960, s
eq 148, length 64
10.210.14.129.35817: P 246:428(182) ack 0 win 65535
63995
10.210.14.129.35817: P 428:974(546) ack 0 win 65535
64512
...TRIMMED...
Question: Does the capture display ICMP traffic?
Answer: Yes, you should see ICMP echoes and

replies from your ping operation, amongst other
traffic.
www.juniper.net
Question: How can you filter the output to show only

the ICMP traffic?
Answer: Use the matching option to filter by

header information in the output:
lab@srxA-1> monitor traffic interface ge-0/0/0 matching icmp
eq 1809, length 64
eq 1810, length 64
eq 1811, length 64
^C
18 packets received by filter
0 packets dropped by kernel
lab@srxA-1>
Question: What command option allows you to view

source and destination MAC addresses for the
captured packets?
Answer: Include the layer2-headers option to

view Layer 2 header information, including the
source and destination MAC addresses as shown:
lab@srxA-1> monitor traffic interface ge-0/0/0 matching icmp layer2-headers
www.juniper.net

09:24:05.438848 Out 0:24:dc:16:ab:80 > 0:e:c:bc:42:1b, ethertype IPv4 (0x0800),
length 74: truncated-ip - 24 bytes missing! 10.210.14.131 > 10.210.14.130: ICMP
echo request, id 960, seq 1932, length 64
09:24:05.440446 In PFE proto 2 (ipv4): 10.210.14.130 > 10.210.14.131: ICMP echo
reply, id 960, seq 1932, length 64
^C
lab@srxA-1>
Note
The monitor traffic command

captures only packets that are local to the
device. It does not capture transit packets.
Step 2.5
In preparation for the next lab part, stop the monitor operation using the Ctrl+c
keystroke combination, and close the extra terminal session that you opened.
...TRIMMED...
^C
lab@srxA-1>
Step 2.6
Return to the original session opened to your device.
From the original session opened to your device, issue the Ctrl+c keystroke
combination to stop the continuous ping.
...TRIMMED...
508 bytes from 10.210.14.130: icmp_seq=3 ttl=64 time=2.803 ms
www.juniper.net

^C
--- 10.210.14.130 ping statistics --651 packets transmitted, 651 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.949/1.388/11.951/0.736 ms
lab@srxA-1>
STOP
Part 3: Upgrading the Junos OS

In this lab part, you will retrieve a Junos OS package from a remote server and
upgrade your assigned device. Note that to keep the software consistent, you
upgrade the device to the same version of the Junos OS that it is currently running.
Step 3.1
the/var/home/lab/ijos/ directory. Commit your configuration and return to
[edit]
load complete
[edit]
commit complete
lab@srxA-1>
Step 3.2
Use the file copy command in conjunction with FTP to retrieve the install image
named junos-srxsme-12.1R1.9-domestic.tgz from the server. Refer to
the management network diagram for the servers IP address. Use the username
ftp and a password of ftp. Save the image to the /var/tmp directory on the
local device.
lab@srxA-1> file copy ftp://ftp:ftp@server address/
junos-srxsme-12.1R1.9-domestic.tgz /var/tmp/
/var/home/lab/...transferring.file.........U4R100% of
www.juniper.net
200 MB 2946 kBps 00m00s
Question: Did the image successfully transfer from

the server to the /var/tmp directory on your
device?
Answer: The image should successfully transfer. If

not, check with your instructor for assistance.
Note
If there is not enough room in the

/var/tmp directory to accommodate the
software package, notify your instructor.
Step 3.3
Verify that the software package transferred correctly to the local /var/tmp
directory by using the file list /var/tmp | match junos command.
lab@srxA-1> file list /var/tmp/ | match junos
junos-srxsme-12.1R1.9-domestic.tgz
Question: Which file list command option

allows you to view the file size of the software
package stored in the /var/tmp directory?
Answer: Use the detail command option to show

the file size of the local software package:
lab@srxA-1> file list detail /var/tmp/ | match junos
-rw-r--r-- 1 lab
wheel 159209811 Apr 11 06:07
junos-srxsme-12.1R1.9-domestic.tgz
Step 3.4
Issue the request system software add /var/tmp/
junos-srxsme-12.1R1.9-domestic.tgz command to upgrade your assigned
device. Use the reboot option to automatically perform a system reboot, which is a
requirement of the upgrade process. Use the console terminal session to monitor
the upgrade process.
lab@srxA-1> request system software add /var/tmp/
junos-srxsme-12.1R1.9-domestic.tgz reboot
NOTICE: Validating configuration against junos-srxsme-12.1R1.9-domestic.tgz.
NOTICE: Use the 'no-validate' option to skip this if desired.
Formatting alternate root (/dev/da0s1a)...
/dev/da0s1a: 296.9MB (607996 sectors) block size 16384, fragment size 2048
using 4 cylinder groups of 74.22MB, 4750 blks, 9600 inodes.
super-block backups (for fsck -b #) at:
32, 152032, 304032, 456032
www.juniper.net
Extracting /var/tmp/junos-srxsme-12.1R1.9-domestic.tgz ...

saving package file in /var/sw/pkg ...
Checking compatibility with configuration
Initializing...
Verified manifest signed by PackageProduction_12_1_0
Verified junos-12.1R1.9-domestic signed by PackageProduction_12_1_0
Using junos-12.1R1.9-domestic from /altroot/cf/packages/install-tmp/
junos-12.1R1.9-domestic
Copying package ...
Verified manifest signed by PackageProduction_12_1_0
Hardware Database regeneration succeeded
Validating against /config/juniper.conf.gz
mgd: commit complete
Validation succeeded
Installing package '/altroot/cf/packages/install-tmp/junos-12.1R1.9-domestic'
...
Verified junos-boot-srxsme-12.1R1.9.tgz signed by PackageProduction_12_1_0
Verified junos-srxsme-12.1R1.9-domestic signed by PackageProduction_12_1_0
JUNOS 12.1R1.9 will become active at next reboot
Saving state for rollback ...
Rebooting ...
shutdown: [pid 7644]
Shutdown NOW!
*** FINAL System shutdown message from root@srxB-1 ***
System going down IMMEDIATELY
Shutdown NOW!
...TRIMMED...
Fri Apr 22 20:36:27 UTC 2011
srxA-1 (ttyu0)
login:
Step 3.5
After the reboot is complete, log in again as the lab user and issue the show
version command.
srxA-1 (ttyu0)
login: lab
Password:
--- JUNOS 12.1R1.9 built 2012-03-24 12:12:49 UTC
lab@srxA-1> show version
Hostname: srxA-1
Model: srx240-poe
JUNOS Software Release [12.1R1.9]
lab@srxA-1>
www.juniper.net
STOP
Part 4: Recovering the Root Password

In this lab part, you will perform root password recovery. The root password recovery
process requires that you use the console connection.
Step 4.1
the /var/home/lab/ijos/ directory. Commit your configuration and return to
[edit]
load complete
[edit]
commit complete
lab@srxA-1>
Step 4.2
Using a terminal session connected to the console port, reboot the system. Enter
yes to authorize the reboot. When prompted to enter the command prompt, press
the space bar.
lab@srxA-1> request system reboot
Reboot the system ? [yes,no] (no) yes
Shutdown NOW!
[pid 950]
lab@srxA-1>
*** FINAL System shutdown message from lab@srxA-1 ***
System going down IMMEDIATELY
...TRIMMED...
FreeBSD/MIPS U-Boot bootstrap loader, Revision 1.9
(builder@zigeth.juniper.net, Mon May 17 05:45:58 UTC 2010)
Memory: 1024MB
[0]Booting from nand-flash slice 1
Un-Protected 1 sectors
writing to flash...
Protected 1 sectors
Loading /boot/defaults/loader.conf
/kernel data=0xa17310+0xdbc54 syms=[0x4+0x7f730+0x4+0xb6cd4]
www.juniper.net
Hit [Enter] to boot immediately, or space bar for command prompt.

Booting [/kernel] in 1 second...
Type '?' for a list of commands, 'help' for more detailed help.
loader>
Step 4.3
At the prompt, first disable the watchdog process by using the watchdog
disable command. Secondly, type boot -s and press Enter to boot the Junos OS
in single-user mode.
loader> watchdog disable
loader> boot -s
Kernel entry at 0x801000d8 ...
init regular console
Primary ICache: Sets 64 Size 128 Asso 4
Primary DCache: Sets 1 Size 128 Asso 64
Secondary DCache: Sets 512 Size 128 Asso 8
...TRIMMED...
System watchdog timer disabled
Enter full pathname of shell or 'recovery' for root password recovery or RETURN
for /bin/sh:
Step 4.4
When prompted to enter a pathname for shell or recovery for root password
recovery, type recovery and press Enter.
Enter full pathname of shell or 'recovery' for root password recovery or RETURN
for /bin/sh: recovery
Performing system setup ...
...TRIMMED...
Performing initialization of management services ...
Performing checkout of management services ...
NOTE:
NOTE:
NOTE:
NOTE:
NOTE:
NOTE:
NOTE:
NOTE:
NOTE:
NOTE:
NOTE:
Once in the CLI, you will need to enter configuration mode using
the 'configure' command to make any required changes. For example,
to reset the root password, type:
configure
set system root-authentication plain-text-password
(enter the new password when asked)
commit
exit
exit
When you exit the CLI, you will be asked if you want to reboot
the system
Starting CLI ...

root@srxA-1>
www.juniper.net
Step 4.5
Once the prompt is available, enter configuration mode and set a new root password
of lab123. Commit the configuration and return to configuration mode. Use the
exit command to leave operational mode, the software prompts you about
rebooting. Type y and press Enter to reboot the system.
[edit]
root@srxA-1# set system root-authentication plain-text-password
New password:
[edit]
commit complete
lab@srxA-1> exit
Reboot the system? [y/n] y
Waiting (max 60 seconds) for system
Syncing disks, vnodes remaining...1
process
process
process
1 1 1 0
`vnlru' to stop...done
`bufdaemon' to stop...done
`syncer' to stop...
0 done
syncing disks... All buffers synced.

Uptime: 11m53s
Rebooting...
...TRIMMED...
Thu Oct 21 08:46:40 PDT 2010
srxA-1 (ttyu0)
login:
Step 4.6
Once the system boots, verify the root password recovery by logging in with the new
root password.
srxA-1 (ttyu0)
login: root
Password:
--- JUNOS 12.1R1.9 built 2012-03-24 12:12:49 UTC
root@srxA-1%
www.juniper.net
Question: Were you successfully authenticated

using the new root password?
Answer: You should now be successfully

authenticated as root using the new root password.
This successful authentication verifies that the
access recovery process worked.
Step 4.7
Start the CLI and enter configuration mode.
root@srxA-1% cli
[edit]
root@srxA-1#
Step 4.8
Restore the lab4-part4-start configuration using the load override /
var/home/lab/ijos/lab4-part4-start.config command. Activate the
configuration and log out of the system.
[edit]
root@srxA-1# load override /var/home/lab/ijos/lab4-part4-start.config
load complete
[edit]
commit complete
root@srxA-1> exit
root@srxA-1% exit
logout
srxA-1 (ttyu0)
login:
STOP
www.juniper.net
www.juniper.net
Lab 5 (Optional)
The J-Web Interface (Detailed)
Overview
This lab introduces you to the J-Web graphical user interface (GUI). In this lab, you will
familiarize yourself with various J-Web features and capabilities.
The lab is available in two formats: a high-level format that is designed to make you think
through each step and a detailed format that offers step-by-step instructions complete
with sample output from most commands.
www.juniper.net
Log in to the J-Web interface.
Explore J-Web monitoring options.
Explore J-Web configuration and diagnose options.
The J-Web Interface (Detailed) Lab 51

12.a.12.1R1.9
Part 1: Logging In to and Exploring the J-Web Interface

In this lab part, you will familiarize yourself with the access details for your teams
station and log in through the J-Web interface. You will also familiarize yourself with
the various monitoring capabilities available in the J-Web user interface.
Note
Depending on the specifics of your class,

you might be accessing a router that is
remote from your physical location. The
instructor will inform you as to the nature of
your access and will provide you with the
details needed to access your router.
Step 1.1

Step 1.2
Lab 52 The J-Web Interface (Detailed)
www.juniper.net
Step 1.3
loaded, commit the changes and return to operational mode.
srxA-1 (ttyp0)
login: lab
Password:
--- JUNOS 12.1R1.9 built 2012-03-24 12:12:49 UTC
[edit]
load complete
[edit]
commit complete
lab@srxA-1>
Step 1.4
Open a Web browser on your PC.
From a Web browser on your PC. navigate to the management address of your
device. Refer to the management network diagram for the IP address associated
with your teams station.
Step 1.5
Log in as user lab with the password supplied by your instructor.
www.juniper.net
Step 1.6
After logging in click on the Dashboard tab in the upper left corner. Use the
information found in your browser to answer the following questions.
www.juniper.net
Question: What is the current system up time in

days?
Answer: The answers can vary. The capture taken

from srxA-1 shows an up time of 48 minutes.
Question: What is the current memory and CPU
usage on your assigned station?
Answer: The answer can vary. The capture taken

from srxA-1 shows memory and CPU utilization of
56% and 12% respectively for the control side and
67% and 0% respectively for the data side.
Step 1.7
Edit the Dashboard Preferences to display the Chassis Status.
www.juniper.net
1.
Click Open Preferences Dialog in the upper right corner of the

screen.
2.
Scroll down the list of available Panels, and select Chassis Status,
then click OK.
Question: What is the Routing Engine (RE)

temperature, and is this temperature considered
normal?
Answer: The capture taken from srxA-1 indicates

that the RE temperature is considered to be normal
at 44 degrees Celsius.
Question: How can you display the serial number

and model of the Routing Engine?
Answer: You can navigate directly to Monitor >

System View > Chassis Information by
clicking on the View chassis status link on
the newly created Dashboard panel:
www.juniper.net
Step 1.8
Navigate to Monitor > Interfaces and view the ge-0/0/0.0 interface.
Question: What is the status of the ge-0/0/0.0

interface?
Answer: The interface should indicate an

administrative and operational status of up, and it
should be configured with the management IP
address.
Question: How can you gain additional information
on a given interface?
Answer: Highlight the selected interface and click

Details to open a new window.
www.juniper.net
Step 1.9
Navigate to Monitor > Routing > Route Information to view the current
static routes.
Part 2: Exploring J-Web Configuration and Diagnostic Capabilities

In this lab part, you will familiarize yourself with the configuration and diagnostic
capabilities available in the J-Web interface. You will also identify the key pages that
relate to those capabilities.
Step 2.1
Access the J-Web configuration page by clicking the Configure tab.
www.juniper.net
Question: How do you display your stations current

configuration?
Answer: Click CLI Tools, then click the CLI

Viewer link. This example is taken from srxA-1.
Step 2.2
Navigate to Configure > System Properties > User Management.
Step 2.3
Click Edit. In the Edit User Management window, click Add and create the
user Jweb. Use the password lab123 and fullname Jweb User. Keep the login
class as read-only. Leave the User ID field blank. Click OK when complete.
www.juniper.net
Step 2.4
Commit the new user by clicking on Actions in the upper right corner, then click
Commit.
Step 2.5
Return to User Management and remove the Jweb user created earlier.
1.
Navigate to Configure > System Properties > User

Management.
2.
Click Edit.
3.
Highlight the Jweb user and click Delete.
4.
Click OK.
Step 2.6
Click Actions, then click Compare to display changes in the configuration.
www.juniper.net
Step 2.7
Commit the changes by clicking on Actions then Commit.
Step 2.8
Navigate to Troubleshoot > Ping Host. Enter the IP address of the server in
the management network and click Start to begin the ping.
www.juniper.net
Question: Does the ping succeed?
Answer: Yes. As shown in the capture, the ping does

succeed.
Step 2.9
Logout of your J-Web session. Return to the cli session opened to your device and
log out using the exit command.
lab@srxA-1> exit
srxA-1 (ttyu0)
login:
STOP
www.juniper.net
Introduction to the Junos

Operating System
Appendix A: Lab Diagrams
A2 Lab Diagrams
www.juniper.net
www.juniper.net
Lab Diagrams A3
A4 Lab Diagrams
www.juniper.net

JNAA IJOS 12.a - LGD

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

JNAA IJOS 12.a - LGD

Uploaded by

Copyright:

Available Formats

Juniper Networks Academic Series

Introduction to the Junos

Detailed Lab Guide

Worldwide Education Services

This document is produced by Juniper Networks, Inc.

The Junos CLI (Detailed) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-1

Initial System Configuration (Detailed) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-1

Secondary System Configuration (Detailed) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-1

Operational Monitoring and Maintenance (Detailed) . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4-1

The J-Web Interface (Detailed) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5-1

Appendix A: Lab Diagrams . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-1

Describe the basic design architecture of the Junos OS.

Identify and provide a brief overview of Junos devices.

Navigate within the Junos CLI.

Perform tasks within the CLI operational and configuration modes.

Restore a Junos device to its factory-default state.

Perform initial configuration tasks.

Configure and monitor network interfaces.

Describe user configuration and authentication options.

Monitor basic operation for the Junos OS and devices.

Identify and use network utilities.

Upgrade the Junos OS.

Perform file system maintenance and password recovery on a Junos device.

Navigate within the Junos OS J-Web interface.

Junos Operating System Fundamentals

User Interface Options

Secondary System Configuration

Operational Monitoring and Maintenance

Appendix A: Interface Configuration Examples

Most of what you read in the Lab Guide

GUI text elements:

Input Text Versus Output Text

View configuration history by clicking

lab@San_Jose> show route

Defined and Undefined Syntax Variables

Text where variable value is

Click my-peers in the dialog.

Text where the variables value

Type set policy policy-name.

Document Conventions vii

About This Publication

Juniper Networks Support

viii Additional Information

The Junos CLI (Detailed) Lab 11

Part 1: Logging In and Exploring the CLI

Depending on the class, the lab equipment

Answer: The answer varies; in the example used

Lab 12 The Junos CLI (Detailed)

Show AMT Protocol information

Clear chassis information

Lab 14 The Junos CLI (Detailed)

learned Layer 2 MAC address information

Question: Which command do you use to clear the

Answer: Use the clear log log-filename

Inter Chassis Control Protocol information

You can return to the command prompt

The Junos CLI (Detailed) Lab 15

536 bps (0 pps)

Logical interface ge-0/0/0.0 (Index 68) (SNMP ifIndex 509)

Question: What do you think the resulting display

Answer: The display indicates that the command

Lab 16 The Junos CLI (Detailed)

Question: What happens when you try to enter this