Interface Overview
fxp0 and me0 are used for management
fxp1 and em0 are used for the internal link (interconnection between the Control and Forwarding Planes)
Interface Naming
es: Encryption interface;
gr: Generic route encapsulation tunnel interface;
ip: IP-over-IP encapsulation tunnel interface;
ls: Link services interface;
ml: Multilink interface;
mo: Passive monitoring interface;
mt: Multicast tunnel interface;
sp: Adaptive services interface;
vt: Virtual loopback tunnel interface.
lo0: Loopback interface;
ae: Aggregated Ethernet interface;
as: Aggregated SONET interface;
vlan: VLAN interface.
Some of the internal interfaces created by JunOS (not configurable):
• gre
• mtun
• ipip
• tap
FPC – Flexible PIC Concentrator
Line card (FPC) slot number
Interface card (PIC) slot number
Note: Slot/port numbering starts at 0
ge-0/2/3 = port 3 on PIC slot 2 on FPC slot 0
Logical Units
Treated as subinterfaces; they can have more than one family, for example inet and inet6
Configuring Authentication
Supports RADIUS and TACACS+
Define a class with privileges
There are 4 default classes: operator, read-only, super-user and unauthorized
A user can only be assigned to one class
set system login class juniper permissions reset permissions view permissions view-configuration
set system login user walter class juniper
Note: The reset permission allows restarting processes, but not, for example, rebooting
nancy@R1> show configuration
## Last commit: 2014-05-25 17:11:18 WEST by root
version /* ACCESS-DENIED */;
/* nao mudem o NTP */
system { /* ACCESS-DENIED */ };
/* n mudem interface */
interfaces { /* ACCESS-DENIED */ };
protocols { /* ACCESS-DENIED */ };
Defining the RADIUS Server
root@srxA-1# set system radius-server 10.10.10.10 secret Juniper
[edit]
root@srxA-1# set system authentication-order [ radius tacplus ]
[edit]
root@srxA-1# commit
At least one of the authentication-order methods must respond (be alive); otherwise local authentication is performed
R1 (ttyp0)
login: nancy
Password:
Local password:
Logging
By default the primary logging file is /var/messages
Syslog can be configured through the commands:
edit system syslog
edit routing-options options syslog
set system syslog user * any emergency
set system syslog file messages any any
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands any
set system syslog file config-changes change-log info
set system syslog host 10.1.1.1 any notice
set system syslog host 10.1.1.1 authorization info
Interpreting syslog messages
Timestamp, host, process or PID, message code, message text
May 26 14:27:17 R1 mgd[1366]: UI_COMMIT_PROGRESS: Commit operation in progress: notifying eventd(80)
commit complete
To include the severity, the explicit-priority statement must be configured
set system syslog file messages explicit-priority
May 26 14:38:13 R1 mgd[1366]: %INTERACT-6-UI_COMMIT_PROGRESS: Commit operation in progress: notifying daemons of new configuration
Help with interpreting a log message is available from the CLI itself
root@R1# help syslog UI_COMMIT_PROGRESS
Name: UI_COMMIT_PROGRESS
Message: Commit operation in progress:
Help: mgd recorded step in commit operation
Description: As it performed a commit operation, the management process (mgd)
recorded its execution of the indicated step.
Type: Event: This message reports an event, not an error
Severity: info
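A parser for the message layout described above (timestamp, host, process/PID, message code, text), with and without the explicit-priority prefix, as an added example that is not part of the original notes. The names parse_line and at_least are my own, and the severity numbers are assumed to follow the standard syslog levels.

```python
import re

# Standard syslog severity numbers, 0 = most severe (the page shows 6 = info).
SEVERITIES = ["emergency", "alert", "critical", "error",
              "warning", "notice", "info", "debug"]
LINE_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+"
    r"(?P<process>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?:\s+(?P<rest>.*)$")
# Prefix added by explicit-priority: %FACILITY-SEVERITY[-CODE]:
PRIORITY_RE = re.compile(
    r"^%(?P<facility>[A-Z0-9]+)-(?P<severity>[0-7])(?:-(?P<code>[A-Z0-9_]+))?:\s*")
# Without explicit-priority the message code is a leading UPPER_CASE tag.
CODE_RE = re.compile(r"^(?P<code>[A-Z][A-Z0-9]*(?:_[A-Z0-9]+)+):\s*")

def parse_line(line):
    """Return a dict of fields, or None if the line is not a syslog record."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None  # CLI chatter such as "commit complete"
    rec = m.groupdict()
    rest = rec.pop("rest")
    rec.update(facility=None, severity=None, code=None)
    p = PRIORITY_RE.match(rest) or CODE_RE.match(rest)
    if p:
        fields = p.groupdict()
        if fields.get("severity") is not None:
            fields["severity"] = SEVERITIES[int(fields["severity"])]
        rec.update(fields)
        rest = rest[p.end():]
    rec["text"] = rest
    return rec

def at_least(records, level):
    """Records logged with a severity equal to or more severe than `level`."""
    limit = SEVERITIES.index(level)
    return [r for r in records
            if r["severity"] and SEVERITIES.index(r["severity"]) <= limit]

# Sample lines copied from this page (the last one is from the archiving section).
SAMPLE = """\
May 26 14:27:17 R1 mgd[1366]: UI_COMMIT_PROGRESS: Commit operation in progress: notifying eventd(80)
commit complete
May 26 14:38:13 R1 mgd[1366]: %INTERACT-6-UI_COMMIT_PROGRESS: Commit operation in progress: notifying daemons of new configuration
May 26 16:11:40 R1 fetch: %DAEMON-3: fetch: ftp://[email protected]:*: No route to host
"""
RECORDS = [r for r in map(parse_line, SAMPLE.splitlines()) if r]

if __name__ == "__main__":
    for r in at_least(RECORDS, "error"):
        print(r["timestamp"], r["process"], r["severity"], r["text"])
```

Lines written without explicit-priority carry no severity, so at_least skips them; filtering by severity only works on files where that statement is configured.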
Traceoptions
*Equivalent to debug on Cisco*
JunOS can send tracing to a file/syslog
To override the destination with a different syslog server, use:
set system tracing destination-override syslog host 10.1.1.2
Example: Tracing OSPF Hellos
The size can be expressed with K, M, G (KB, MB and GB)
If the trace exceeds the size, the file is split into the indicated number of files, starting at trace-file.0, trace-file.1 …
set protocols ospf traceoptions file ospf-trace
set protocols ospf traceoptions file size 128m
set protocols ospf traceoptions file files 10
set protocols ospf traceoptions file world-readable
set protocols ospf traceoptions flag hello detail
set protocols ospf traceoptions flag error detail
set protocols ospf traceoptions flag event detail
root@R1# run file show /var/log/ospf-trace
May 26 14:52:47 trace_on: Tracing to "/var/log/ospf-trace" started
May 26 14:52:47.821578 Interface em5.101 area 0.0.0.0 event NeighborChange
May 26 14:52:47.835103 IFL em5.32767 iflchange 0x0
May 26 14:52:47.836167 IFL em5.110 iflchange 0x0
May 26 14:52:47.836334 IFL em5.102 iflchange 0x0
May 26 14:52:47.836498 IFL em5.101 iflchange 0x0
May 26 14:52:47.836643 IFL em5.0 iflchange 0x0
May 26 14:52:47.836793 IFL lo0.16385 iflchange 0x0
May 26 14:52:47.836891 IFL lo0.16384 iflchange 0x0
May 26 14:52:47.837115 IFL lo0.0 iflchange 0x0
*
*(omitted)
*
May 26 14:52:47.867410 OSPF updated PPM interface IFL 84, addr 172.20.110.1, area 0.0.0.0, ID 0.0.0.0, rtbl idx 0
May 26 14:52:47.867614 OSPF cannot stop xmit from 172.20.101.1 to 224.0.0.5 (IFL 82, area 0.0.0.0, ID 0.0.0.0, rtbl idx 0)
May 26 14:52:47.867816 OSPF cannot stop xmit from 172.20.110.1 to 224.0.0.5 (IFL 84, area 0.0.0.0, ID 0.0.0.0, rtbl idx 0)
May 26 14:52:47.868182 OSPF cannot stop xmit from 172.20.101.1 to 224.0.0.5 (IFL 82, area 0.0.0.0, ID 0.0.0.0, rtbl idx 0)
May 26 14:52:47.873156 OSPF cannot stop xmit from 172.20.110.1 to 224.0.0.5 (IFL 84, area 0.0.0.0, ID 0.0.0.0, rtbl idx 0)
AND and OR operators
AND operator
root@R1# run show log messages | find "May 26" | match "error"
OR operator
root@R1# run show log messages | match "May 26" | match "error|kernel"
Monitoring log messages
user@router> monitor start messages | match fail
Stop receiving messages
user@router> monitor stop
NTP
set system ntp server 10.10.10.10
set system ntp boot-server 10.10.10.10
root@R1# run show ntp associations
remote refid st t when poll reach delay offset jitter
==============================================================================
*10.10.10.10 .INIT. 16 - 395 1024 0 0.000 0.000 4000.00
The * means this is the host selected for synchronization
Archiving
Back up the configuration via FTP/SCTP after each commit; using several destinations means that if the primary site fails the 2nd site is used, and so on
set system archival configuration transfer-on-commit
set system archival configuration archive-sites "ftp://[email protected]:/archive" password #FAZER!SEMPRE_BACKUP#
set system archival configuration archive-sites "sctp://[email protected]:/archive" password #FAZER!SEMPRE_BACKUP#
root@R1# commit
root@R1# run show log messages | match ftp
May 26 16:11:40 R1 fetch: %DAEMON-3: fetch: ftp://[email protected]:*: No route to host
The file copies are stored in /var/transfer/config
root@R1# run file list /var/transfer/config/ detail
/var/transfer/config/:
total 28
-rw-r----- 1 root wheel 1101 May 26 16:10 R1_juniper.conf.gz_20140526_151053
-rw-r----- 1 root wheel 1101 May 26 16:11 R1_juniper.conf.gz_20140526_151127
-rw-r----- 1 root wheel 1101 May 26 16:12 R1_juniper.conf.gz_20140526_151206
-rw-r----- 1 root wheel 1101 May 26 16:12 R1_juniper.conf.gz_20140526_151254
-rw-r----- 1 root wheel 1187 May 26 16:23 R1_juniper.conf.gz_20140526_152319
To take regular backups of the config, use:
Note: Every 24 hours (1440 minutes)
set system archival configuration transfer-interval 1440
SNMP
set snmp location LISDC-Rack122
set snmp contact "ip@cocheno.com"
set snmp community JUNIPER
set snmp trap-options source-address lo0
set snmp trap-group group-SNMP categories link
set snmp trap-group group-SNMP categories routing
set snmp trap-group group-SNMP targets 10.10.10.10
set snmp trap-group group-SNMP targets 10.10.10.11
set snmp trap-group group-SNMP version v2
set snmp community JUNIPER clients 192.168.20.0/24
Perform an SNMP walk (decimal and ASCII are supported)
lab@srxA-1> show snmp mib walk jnxOperatingDescr
jnxOperatingDescr.1.1.0.0 = midplane
jnxOperatingDescr.2.1.0.0 = PEM 0
jnxOperatingDescr.4.1.0.0 = SRX240 PowerSupply fan 1