Monthly Archives: May 2015

Securing Webpages with .htaccess

You will need to have the following installed or available:

sudo and/or root privileges
text editor (nano or vi)
apache2-utils

First, you will need to allow Apache to honour .htaccess overrides, which means editing your site's Apache config file.

sudo nano /etc/apache2/sites-available/example.co.conf

You will need to add AllowOverride All within the <Directory> section. You have to set the Directory section manually to the folder you want to protect. In this example, I just wanted to protect anything within the html folder


<Directory /var/www/example.co/html/>
    AllowOverride All
</Directory>

Normally (from my experience) there isn't a Directory section, so you can just copy and paste the code into your file. In the end it should look something like this:

<VirtualHost *:80>
ServerName example.co
ServerAlias example.co
ServerAdmin [email protected]
DocumentRoot /var/www/example.co/html
 <Directory /var/www/example.co/html/>
   AllowOverride All
 </Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

Once you have saved and closed the file, apply the change by restarting Apache

sudo service apache2 restart

Next, create the .htaccess file inside the directory you are protecting (the html folder in this example)

touch .htaccess

Within the .htaccess, you will need to add the following details:

AuthType Basic
AuthName "Restricted Files"
AuthUserFile /home/example/.htpasswd
Require valid-user

Save and close once the details have been added.

Finally, we need to add the users that are allowed to access the newly restricted folder

sudo htpasswd -c /home/example/.htpasswd {username}

You will be prompted to enter a password; it will not be shown as you type.

To add additional users, use the same command without -c (the -c flag creates a new file and would overwrite the users already in it)

sudo htpasswd /home/example/.htpasswd {username}

Now you should be able to browse to the website/folder and be greeted with a login prompt 😀
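To show what actually happens behind that login prompt, here is an added example (not from the post or from Apache) that does in Python what Apache does with the .htaccess above: it parses an .htpasswd file, decodes the Authorization header the browser sends back, and checks the password against the stored hash with a constant-time comparison. It handles the {SHA} scheme that htpasswd -s writes and refuses other schemes rather than guessing; the users, passwords and file contents are constructed for the example. It also includes a small check that the AuthUserFile path sits outside DocumentRoot, which is why the post keeps it under /home/example rather than under /var/www/example.co/html.

```python
import base64
import binascii
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple


def sha_entry(password: bytes) -> str:
    """Hash field in the form `htpasswd -s` writes: {SHA} followed by base64(SHA-1(password))."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password).digest()).decode("ascii")


# Constructed sample .htpasswd contents; the users and passwords are made up for this example.
SAMPLE_HTPASSWD = "\n".join([
    "# comment lines and blank lines are ignored",
    "alice:" + sha_entry(b"correct horse"),
    "bob:" + sha_entry(b"hunter2"),
    "",
])


def load_htpasswd(text: str) -> Dict[str, str]:
    """Parse htpasswd-format text (user:hash per line) into {username: hash field}."""
    users: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, hashed = line.partition(":")
        if sep and user and hashed:
            users[user] = hashed
    return users


def verify_password(stored: str, password: bytes) -> bool:
    """Check a password against one stored hash field. Only the {SHA} scheme is handled here;
    bcrypt or apr1-md5 entries would need their own verifier, so they are refused, not guessed."""
    if not stored.startswith("{SHA}"):
        return False
    # compare_digest keeps the comparison constant-time, so a wrong guess does not leak
    # how many leading characters of the hash matched
    return hmac.compare_digest(sha_entry(password).encode("ascii"), stored.encode("utf-8"))


def make_basic_header(user: str, password: str) -> str:
    """Build the Authorization header a browser sends after filling in the login prompt."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def parse_basic_header(header: Optional[str]) -> Optional[Tuple[str, bytes]]:
    """Decode 'Basic base64(user:password)' into (user, password); None if malformed."""
    if not header:
        return None
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None
    user, sep, password = raw.partition(b":")
    if not sep:
        return None
    return user.decode("utf-8", "replace"), password


def authorize(users: Dict[str, str], header: Optional[str]) -> int:
    """Return 200 when the header names a known user with the right password, otherwise 401
    (the status that makes the browser show the login prompt)."""
    creds = parse_basic_header(header)
    if creds is None:
        return 401
    user, password = creds
    stored = users.get(user)
    if stored is None:
        # hash anyway so an unknown username takes as long to reject as a wrong password
        verify_password(sha_entry(b"dummy"), password)
        return 401
    return 200 if verify_password(stored, password) else 401


def htpasswd_outside_docroot(htpasswd_path: str, docroot: str) -> bool:
    """True when AuthUserFile lives outside DocumentRoot, so no misconfiguration can make
    Apache serve the hash file to clients (the post's /home/example/.htpasswd passes)."""
    htp = os.path.realpath(htpasswd_path)
    root = os.path.realpath(docroot)
    return os.path.commonpath([htp, root]) != root
```

Because the credentials are only base64-encoded in the header, Basic auth protects nothing on the wire by itself; the check above only makes sense on a site served over HTTPS.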

For more in-depth detail and explanation, visit Digital Ocean's htaccess guide


JNCIA Refresher #4 – Routing Fundamentals

Packet Forwarding Concepts
Routing Tables
Routing vs. Forwarding Tables
Route Preference
Routing Instances
Static Routing
Dynamic Routing Protocols

Packet Forwarding Concepts

Packet forwarding is the movement of data packets from device to device. This is key for any network: if the networking devices don't know how to move a packet outside of their own segment/area, the packet will be dropped, and the reason we have networks is to move data/information from one place to another. With that being said, a device doesn't need to know the whole Internet or even the whole network. The most important piece of information a switch, router or any layer 2/3 device needs is the next-hop address. The next-hop provides an exit for the device: if the destination of the packet isn't located on the device, it passes the packet on to "the next hop" device, and that device does the same thing until the destination of the packet is reached. This is the basis of packet forwarding.

A Juniper device (or any network device, in fact) will have a Routing Engine (RE) and a Packet Forwarding Engine (PFE). These engines (software or hardware based) are what is used to move packets and ultimately control the routing on the device.

The Routing Engine is the control plane of the device. The control plane is where the Routing Information Base (RIB) is stored, and from the RE the packet forwarding/switching fabric that will be used for the movement of packets is created. The RE is responsible for providing filtering information, route lookups and determining what the next-hop address will be. It is important to note that the RE does not itself move the packets; it is where the RIB is stored, and the Packet Forwarding Engine uses this information.

The Packet Forwarding Engine is where the forwarding of transit traffic is processed. The PFE acts directly on the packets: it takes the information from the RE and applies it to the packets, applying any firewall filters, routing and/or security policies before forwarding each packet on to the next-hop destination.

Routing Tables

Junos is different compared to other vendors when it comes to seeing the information within the Routing Table. Other vendors have multiple commands that you use to see the different tables (i.e. one for the IPv4 routing table and another for IPv6). In Junos, we just use the show route command and see the multiple routing tables under that single command. Each of the tables is populated with routes as and when they are needed; you can say each table is a database of information for its particular routing type.

As you can see, my router only has IPv4 currently configured, so it only has the inet.0 table

[email protected]_SRX> show route 

inet.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 1d 23:54:16
                    > to 10.1.0.1 via ge-0/0/7.0
10.1.0.0/24        *[Direct/0] 1d 23:54:16
                    > via ge-0/0/7.0
10.1.0.207/32      *[Local/0] 1d 23:54:20
                      Local via ge-0/0/7.0
172.31.100.2/31    *[Direct/0] 1d 23:54:16
                    > via ge-0/0/1.0
172.31.100.2/32    *[Local/0] 1d 23:54:20
                      Local via ge-0/0/1.0

It is important to note that I have 5 routes and they are all active. When looking at the routing table, ideally you want Active routes. Routes in holddown state are in a pending state before being declared inactive. Hidden routes are not used by the routing table because a routing policy has hidden them.

Juniper's definition of Routing Tables:

Junos OS automatically creates and maintains several routing tables. Each routing table is used for a specific purpose. In addition to these automatically created routing tables, you can create your own routing tables. Each routing table populates a portion of the forwarding table. Thus, the forwarding table is partitioned based on routing tables. This allows for specific forwarding behaviour for each routing table.

The table below shows all the tables that are created by default by Junos. At the JNCIA level you only need to worry about the inet.0 and inet6.0 tables. However, it's always good to have a bit more info to look into later 😀

Junos Default Routing Tables

inet.0                IPv4 unicast routes. This table stores interface local and direct routes, static routes, and dynamically learned routes.
inet.2                Created when multiprotocol BGP (MBGP) is enabled. Stores unicast routes that are used for multicast reverse-path-forwarding (RPF) lookups. You can import routes from inet.0 into inet.2 using routing information base (RIB) groups, or install routes directly into inet.2 from a multicast routing protocol.
inet.3                IPv4 MPLS routes. Stores the egress address of an MPLS label-switched path (LSP), the LSP name, and the outgoing interface name. This routing table is used only when the local device is the ingress node of an LSP.
inet6.0               IPv6 unicast routes. Stores interface local and direct routes, static routes, and dynamically learned routes.
instance-name.inet.0  Created when you configure a routing instance; this is the instance's default unicast routing table.
instance-name.inet.2  Created when you configure routing-instances instance-name protocols bgp family inet multicast in a routing instance of type VRF.
bgp.l2vpn.0           Layer 2 VPN routes learned from BGP, i.e. routes learned from other provider edge (PE) routers. The Layer 2 routing information is copied into Layer 2 VPN routing and forwarding instances (VRFs) based on target communities.
bgp.l3vpn.0           Layer 3 VPN IPv4 unicast routes learned from BGP, i.e. routes learned from other PE routers.
mpls.0                MPLS label switching operations. Used when the local device is a transit router.
iso.0                 IS-IS routes. When you are using IS-IS to support IP routing, this table contains only the local device's network entity title (NET).
juniper_private       Used by Junos OS to communicate internally between the Routing Engine and PIC hardware.

Routing vs. Forwarding Tables

The Routing Information Base (RIB) is held within the Routing Table (RT). As stated in the packet forwarding concepts, the RIB is stored in the Control Plane, which makes the Routing Table part of the Control Plane within Junos. As such, the RT has information about all the available routes that the router could use, but critically it doesn't make forwarding decisions.

The Forwarding Table (FT) takes the information from the RT, works out the best path for transit traffic and keeps only the best/active paths, in a compressed or pre-compiled format, for optimised route lookups. Therefore, the FT spans both the Control and Forwarding Planes. This makes the relationship between the RT and FT important: without one, the other will fail.

In essence, the process of packet movement would be:

Packet In --> Routing Information Base --> Routing Table --> Forwarding Table --> Packet Out

We can see the difference between the Routing and Forwarding Tables. We view the Routing Table by running the show route command. As we can see from the 'show route' tab, there is some detail, but not a great deal when compared to the forwarding table.

To see the forwarding table, we need to run show route forwarding-table. We can see from the 'show route forwarding-table' tab that the level of detail is greater. In addition, the key things from the forwarding table that you need to know for the JNCIA exam are the two different types (Destination Types and Next-Hop Types) and what their values mean. These are shown below on the Destination and Next-Hop Types tabs.

[email protected]_SRX> show route 

inet.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 3d 20:13:19
                    > to 10.1.0.1 via ge-0/0/7.0
10.1.0.0/24        *[Direct/0] 3d 20:13:19
                    > via ge-0/0/7.0
10.1.0.207/32      *[Local/0] 3d 20:13:23
                      Local via ge-0/0/7.0
172.31.100.2/31    *[Direct/0] 3d 20:13:19
                    > via ge-0/0/1.0
172.31.100.2/32    *[Local/0] 3d 20:13:23
                      Local via ge-0/0/1.0
[email protected]_SRX> show route forwarding-table    
Routing table: default.inet
Internet:
Destination        Type RtRef Next hop           Type Index NhRef Netif
default            user     0 ac:4b:c8:79:41:10  ucst   554     3 ge-0/0/7.0
default            perm     0                    rjct    36     1
0.0.0.0/32         perm     0                    dscd    34     1
10.1.0.0/24        intf     0                    rslv   547     1 ge-0/0/7.0
10.1.0.0/32        dest     0 10.1.0.0           recv   545     1 ge-0/0/7.0
10.1.0.1/32        dest     0 ac:4b:c8:79:41:10  ucst   554     3 ge-0/0/7.0
10.1.0.17/32       dest     1 18:a9:5:40:1a:0    ucst   556     2 ge-0/0/7.0
10.1.0.207/32      intf     0 10.1.0.207         locl   546     2
10.1.0.207/32      dest     0 10.1.0.207         locl   546     2
10.1.0.255/32      dest     0 10.1.0.255         bcst   544     1 ge-0/0/7.0
172.31.100.2/31    intf     0                    rslv   543     1 ge-0/0/1.0
172.31.100.2/32    intf     0 172.31.100.2       locl   542     2
172.31.100.2/32    dest     0 172.31.100.2       locl   542     2
172.31.100.3/32    dest     1 10:e:7e:4e:f:80    ucst   555     2 ge-0/0/1.0
224.0.0.0/4        perm     0                    mdsc    35     1
224.0.0.1/32       perm     0 224.0.0.1          mcst    31     1
255.255.255.255/32 perm     0                    bcst    32     1
{omitted output}
Destination Types

intf (Interface)    An interface that has been manually configured
dest (Destination)  The destination of an address that is directly reachable. You see an IP address (in the next-hop column) if the address is local or a network address, and a MAC address if the address isn't local
perm (Permanent)    Installed as part of the Junos kernel and can't be removed
user (Routing)      Routes learnt via a routing protocol, e.g. IS-IS, RIP, OSPF, BGP, and static routes

Next-Hop Types

ucst (Unicast)       Forward to a unicast next hop; once resolved it shows as the next hop's MAC address and the outgoing interface (see the default route above)
dscd (Discard)       Silently drop packets to this destination, sending no ICMP reply (the same behaviour as the discard static-route option)
rjct (Reject)        Drop packets to this destination and send an ICMP unreachable reply (the same behaviour as the reject static-route option)
bcst (Broadcast)     Broadcast address of a connected network
locl (Local Address) Addresses local to the device
mcst (Multicast)     Multicast addresses

Route Preference

When we look at the routing table, we can see that we have some details about the routes we have learnt:

[email protected]_SRX> show route 

inet.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 3d 20:13:19
                    > to 10.1.0.1 via ge-0/0/7.0
{omitted output}
172.31.100.2/31    *[Direct/0] 3d 20:13:19
                    > via ge-0/0/1.0
172.31.100.2/32    *[Local/0] 3d 20:13:23
                      Local via ge-0/0/1.0

As you can see from the output, we are told how each route was learnt (Static, Direct, Local) and given a value. The value is the Route Preference (known as Administrative Distance on other vendors' platforms). When the same destination is received from two different protocols, the preference (taken from the RIB) determines which route makes it into the Routing Table: the lower preference wins. It's important to note that with Direct and Local routes, which share a preference of 0, Junos uses the most specific route; in the example above, 172.31.100.2 has been assigned as the local interface address and is given a /32 netmask, telling the device that this address is its own.

The table below has a summary of the default route preference values.


Route Preference Number   Protocol
0                         Direct/Local Address
5                         Static Route
10                        OSPF (Internal)
100                       RIP
130                       Aggregate Routes (Summary Routes)
150                       OSPF (External)
170                       BGP

You can check the full list of Default Route Preference Values on the Juniper website here
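To make the preference rule concrete, here is an added example in Python (not from the post, and not a Juniper tool) that parses show route output, groups every candidate under its prefix and picks the active route the way the table above says: lowest preference wins. The sample output is constructed; it is modelled on the post's table with one extra prefix, 10.20.0.0/24, learnt from both a static route (5) and OSPF (10), so there is something for preference to decide. markers_agree() then cross-checks the choice against the * markers Junos printed, which is a handy sanity check when you are reading a big table by eye.

```python
import re
from typing import Dict, List, NamedTuple, Optional


class Candidate(NamedTuple):
    protocol: str    # Static, Direct, Local, OSPF, ...
    preference: int  # the number after the slash in [Static/5]
    active: bool     # whether Junos marked the candidate with * or +
    next_hop: str    # the "to X via Y" / "via Y" line that follows it


# Constructed show route output; 10.20.0.0/24 is the prefix with two candidates.
SAMPLE_SHOW_ROUTE = """\
inet.0: 4 destinations, 5 routes (4 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 3d 20:13:19
                    > to 10.1.0.1 via ge-0/0/7.0
10.1.0.0/24        *[Direct/0] 3d 20:13:19
                    > via ge-0/0/7.0
10.1.0.207/32      *[Local/0] 3d 20:13:23
                      Local via ge-0/0/7.0
10.20.0.0/24       *[Static/5] 00:10:02
                    > to 10.1.0.1 via ge-0/0/7.0
                    [OSPF/10] 00:12:40, metric 2
                    > to 172.31.100.3 via ge-0/0/1.0
"""

# The first candidate sits on the same line as the prefix; further candidates are indented.
PREFIX_RE = re.compile(r"^(\S+)\s+([*+-]?)\[(\w+)/(\d+)\]")
EXTRA_RE = re.compile(r"^\s+([*+-]?)\[(\w+)/(\d+)\]")


def parse_show_route(text: str) -> Dict[str, List[Candidate]]:
    """Group every candidate route under its prefix, in the order Junos printed them."""
    routes: Dict[str, List[Candidate]] = {}
    prefix: Optional[str] = None
    for line in text.splitlines():
        m = PREFIX_RE.match(line)
        if m:
            prefix = m.group(1)
            routes.setdefault(prefix, []).append(
                Candidate(m.group(3), int(m.group(4)), m.group(2) in ("*", "+"), ""))
            continue
        m = EXTRA_RE.match(line)
        if m and prefix:
            routes[prefix].append(
                Candidate(m.group(2), int(m.group(3)), m.group(1) in ("*", "+"), ""))
            continue
        if prefix and line.strip() and not routes[prefix][-1].next_hop:
            # the first indented line after a candidate describes its next hop
            last = routes[prefix][-1]
            routes[prefix][-1] = last._replace(next_hop=line.strip().lstrip("> ").strip())
    return routes


def select_active(candidates: List[Candidate]) -> Candidate:
    """Lowest preference wins; on a tie, keep the one Junos listed first."""
    return min(candidates, key=lambda c: c.preference)


def markers_agree(text: str) -> bool:
    """Cross-check: the candidate chosen by preference must be the one Junos flagged active."""
    return all(select_active(cands).active for cands in parse_show_route(text).values())


def active_next_hops(text: str) -> Dict[str, str]:
    """prefix -> 'Protocol/preference next-hop' for the route that reaches the forwarding table."""
    out: Dict[str, str] = {}
    for prefix, cands in parse_show_route(text).items():
        best = select_active(cands)
        out[prefix] = f"{best.protocol}/{best.preference} {best.next_hop}"
    return out
```

Running active_next_hops() over the sample shows the OSPF candidate for 10.20.0.0/24 losing to the static route, which is exactly why a stray static route on a box can quietly override what your IGP has learnt.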

Routing Instances

Routing instances (VRFs on Cisco) are a way of dividing your switch, firewall or router so that the single device can have multiple independent Routing Tables. Each routing instance needs its physical (or logical) interface(s) and its instance-type defined. As you can see below, when you have routing instances configured, each routing instance has its own routing table, shown as instance-name.inet.0. It's important to note that all configuration for a routing instance needs to be done under the routing-instances stanza. This is shown on the "Routing-Instance Configuration" tab

[email protected]_SRX# set routing-instances untrust instance-type ?
Possible completions:
  forwarding           Forwarding instance
  l2backhaul-vpn       L2Backhaul/L2Wholesale routing instance
  l2vpn                Layer 2 VPN routing instance
  layer2-control       Layer 2 control protocols
  mpls-internet-multicast  Internet Multicast over MPLS routing instance
  no-forwarding        Nonforwarding instance
  virtual-router       Virtual routing instance
  virtual-switch       Virtual switch routing instance
  vpls                 VPLS routing instance
  vrf                  Virtual routing forwarding instance
{master:0}
root> show configuration routing-instances 
trust {
    instance-type virtual-router;
    interface vlan.20;
    routing-options {
        static {
            route 172.16.0.0/24 next-hop 192.168.0.1;
        }
    }
}
untrust {
    instance-type virtual-router;
    interface vlan.10;
    routing-options {
        static {
            route 192.168.0.0/24 next-hop 172.16.0.1;
        }
    }
}
root> show route 

inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

10.1.0.0/24        *[Direct/0] 2w6d 04:28:28
                    > via me0.0
10.1.0.200/32      *[Local/0] 2w6d 04:28:28
                      Local via me0.0
224.0.0.22/32      *[IGMP/0] 2w6d 04:28:29
                      MultiRecv
trust.inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

172.16.0.0/24      *[Static/5] 2w2d 01:20:57
                    > to 192.168.0.1 via vlan.20
192.168.0.0/24     *[Direct/0] 2w2d 01:20:57
                    > via vlan.20
192.168.0.2/32     *[Local/0] 2w4d 01:10:24
                      Local via vlan.20
untrust.inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

172.16.0.0/24      *[Direct/0] 2w2d 01:26:30
                    > via vlan.10
172.16.0.2/32      *[Local/0] 2w4d 01:10:24
                      Local via vlan.10
192.168.0.0/24     *[Static/5] 2w2d 01:26:30
                    > to 172.16.0.1 via vlan.10

Static Routing

As the name suggests, static routing is a route that has been created manually and doesn't change unless it's manually updated. When creating a static route, knowing the next-hop information is key, as you are saying where you want this IP address/range to go next. For my example below, I have created a static default route on this device. I have used the "no-readvertise" option, so that this route IS NOT readvertised into the routing-table and is NOT routable

[email protected]_SRX# show routing-options 
static {
    route 0.0.0.0/0 {
        next-hop 10.1.0.1;
        no-readvertise;
    }
}

When creating a static route, there are a number of different options available:

[email protected]_SRX# set routing-options static route 172.31.100.1 ?
Possible completions:
  active               Remove inactive route from forwarding table
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
> as-path              Autonomous system path
  backup-pe-group      Multicast source redundancy group
> bfd-liveness-detection  Bidirectional Forwarding Detection (BFD) options
> color                Color (preference) value
> color2               Color (preference) value 2
+ community            BGP community identifier
  discard              Drop packets to destination; send no ICMP unreachables
  install              Install route into forwarding table
> lsp-next-hop         LSP next hop
> metric               Metric value
> metric2              Metric value 2
> metric3              Metric value 3
> metric4              Metric value 4
+ next-hop             Next hop to destination
  next-table           Next hop to another table
  no-install           Don't install route into forwarding table
  no-readvertise       Don't mark route as eligible to be readvertised
  no-resolve           Don't allow resolution of indirectly connected next hops
  no-retain            Don't always keep route in forwarding table
> p2mp-lsp-next-hop    Point-to-multipoint LSP next hop
  passive              Retain inactive route in forwarding table
> preference           Preference value
> preference2          Preference value 2
> qualified-next-hop   Next hop with qualifiers
  readvertise          Mark route as eligible to be readvertised
  receive              Install a receive route for the destination
  reject               Drop packets to destination; send ICMP unreachables
  resolve              Allow resolution of indirectly connected next hops
  retain               Always keep route in forwarding table
> static-lsp-next-hop  Static LSP next hop
> tag                  Tag string
> tag2                 Tag string 2

The key ones to look into at the JNCIA level would be:

next-hop: sets the next-hop address that traffic for the subnet uses to leave the local device
qualified-next-hop: a secondary next-hop address (known as a floating IP address). If the first next-hop address is unavailable, the router will use the qualified next-hop address instead. In addition, you are able to set the route preference for the qualified-next-hop manually
discard: silently drops packets, providing no reply
reject: drops packets and sends an ICMP reply
no-readvertise: doesn't mark the route as eligible to be readvertised (as the help text above puts it)

Using only static routing in a network is a lot of manual work: you would have to do this for every device on your network, and trying to maintain it would be ridiculous and unscalable. This is why Dynamic Routing Protocols are needed in a network, in conjunction with static routes.

Dynamic Routing Protocols

When talking about dynamic routing, we can break it down into 2 categories: Internal Gateway Protocols and External Gateway Protocols.

Internal Gateway Protocols

Internal Gateway Protocols (IGPs) are protocols used for exchanging routing information between gateways within an Autonomous System. With IGPs there are two types of protocol: distance-vector routing protocols and link-state routing protocols

In a distance-vector routing protocol, each router does not possess information about the full network topology. It advertises its calculated distance value (DV) to other routers and receives similar advertisements from them; when changes happen in the local network or at neighbouring routers, the advertisements change too. Using these routing advertisements each router populates its routing table. In the next advertisement cycle, a router advertises the updated information from its routing table. This process continues until the routing tables of every router converge to stable values.

Distance Vector Protocols include:

Routing Information Protocol (RIP)
Routing Information Protocol Version 2 (RIPv2)
Routing Information Protocol Next Generation (RIPng), an extension of RIP version 2 with support for IPv6
Interior Gateway Routing Protocol (IGRP)

Whereas with link-state routing protocols, each router possesses information about the complete network topology. Each router then independently calculates the best next hop from itself for every possible destination in the network, using its local copy of the topology. The collection of best next hops forms the routing table.

This contrasts with distance-vector routing protocols, which work by having each node share its routing table with its neighbours. In a link-state protocol, the only information passed between the nodes is information used to construct the connectivity maps.

Link-state routing protocols include:

Open Shortest Path First (OSPF)
Intermediate system to intermediate system (IS-IS)
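As an added example (not from the post, and a simplification of both RIP and OSPF), here is a small Python simulation of the two approaches on one constructed four-router topology. distance_vector() has each router keep only (cost, next hop) per destination and learn from what its neighbours advertise, round by round, until nothing changes; link_state() gives each router the whole topology and runs Dijkstra itself. Both end up with the same next hops; the difference the text describes is in what the routers had to exchange to get there. The topology and costs are made up, and the distance-vector loop has none of RIP's split-horizon or poisoned-reverse refinements.

```python
import heapq
from typing import Dict, Tuple

Table = Dict[str, Tuple[int, str]]  # destination -> (cost, next hop)

# Constructed four-router topology with symmetric link costs; made up for this example.
LINKS = {("A", "B"): 1, ("B", "C"): 1, ("A", "C"): 5, ("C", "D"): 1}


def adjacency(links: Dict[Tuple[str, str], int]) -> Dict[str, Dict[str, int]]:
    """Turn the link list into router -> {neighbour: link cost} in both directions."""
    adj: Dict[str, Dict[str, int]] = {}
    for (u, v), cost in links.items():
        adj.setdefault(u, {})[v] = cost
        adj.setdefault(v, {})[u] = cost
    return adj


def distance_vector(adj: Dict[str, Dict[str, int]], max_rounds: int = 50) -> Tuple[Dict[str, Table], int]:
    """Each router knows only its own links plus the distance vectors its neighbours advertise.
    Every round all routers advertise the table they held at the start of the round; a router
    adopts a neighbour's route when link cost + advertised cost beats what it has. Returns the
    converged tables and the number of rounds, the last being the one in which nothing changed."""
    nodes = sorted(adj)
    tables: Dict[str, Table] = {n: {n: (0, n)} for n in nodes}
    rounds, changed = 0, True
    while changed and rounds < max_rounds:
        changed = False
        rounds += 1
        advertised = {n: {dst: cost for dst, (cost, _) in tables[n].items()} for n in nodes}
        for n in nodes:
            for nbr, link_cost in adj[n].items():
                for dst, adv_cost in advertised[nbr].items():
                    total = link_cost + adv_cost
                    if dst not in tables[n] or total < tables[n][dst][0]:
                        tables[n][dst] = (total, nbr)
                        changed = True
    return tables, rounds


def link_state(adj: Dict[str, Dict[str, int]], source: str) -> Table:
    """A link-state router holds the whole topology and runs Dijkstra itself; only the
    resulting best next hops go into its routing table."""
    dist: Dict[str, float] = {source: 0}
    first_hop: Dict[str, str] = {}
    visited = set()
    heap = [(0, source, source)]
    while heap:
        cost, node, via = heapq.heappop(heap)
        if node in visited:
            continue
        visited.add(node)
        first_hop[node] = via
        for nbr, link_cost in adj[node].items():
            total = cost + link_cost
            if total < dist.get(nbr, float("inf")):
                dist[nbr] = total
                # leaving the source the first hop is the neighbour itself; otherwise inherit it
                heapq.heappush(heap, (total, nbr, nbr if node == source else via))
    return {d: (int(dist[d]), first_hop[d]) for d in dist}


def tables_agree(adj: Dict[str, Dict[str, int]]) -> bool:
    """Both approaches must end with the same (cost, next hop) for every router and destination."""
    dv_tables, _ = distance_vector(adj)
    return all(dv_tables[n] == link_state(adj, n) for n in adj)
```

On this topology router A first believes C is 5 away over the direct link and only learns the cheaper path via B in the second round; the rounds counter is a crude measure of the convergence delay that the text mentions, and it grows with the diameter of the network.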

External Gateway Protocols

External Gateway Protocols (EGPs) are routing protocols used to exchange routing information between autonomous systems. This exchange is crucial for communications across the Internet. Notable exterior gateway protocols include the Exterior Gateway Protocol and the Border Gateway Protocol.


JNCIA Refresher #3 – Operational Monitoring and Maintenance

Show commands
Monitor commands/Real-time performance monitoring (RPM)
Interface statistics and errors
Network tools – ping, traceroute, telnet, SSH, etc.
Junos OS installation/Software upgrades
Powering on and shutting down Junos devices
Root password recovery

Show commands

For the JNCIA level, we need to know how to check our devices; with Junos this is done using show commands from Operational Mode.

Show Command Options
[email protected]_SRX> show ?
Possible completions:
  accounting           Show accounting profiles and records
  arp                  Show system Address Resolution Protocol table entries
  as-path              Show table of known autonomous system paths
  authentication-whitelist  Show 802.1X White List MAC addresses
  bfd                  Show Bidirectional Forwarding Detection information
  bgp                  Show Border Gateway Protocol information
  bridge               Show bridging information
  chassis              Show chassis information
  class-of-service     Show class-of-service (CoS) information
  cli                  Show command-line interface settings
  configuration        Show current configuration
  connections          Show circuit cross-connect connections
  database-replication  Show database replication information
  dhcp                 Show Dynamic Host Configuration Protocol information
  dhcpv6               Show Dynamic Host Configuration Protocol v6 information
  dialer               Show dialer information
  dot1x                Show 802.1X information
  dvmrp                Show Distance Vector Multicast Routing Protocol information
  dynamic-tunnels      Show dynamic tunnel information information
  esis                 Show end system-to-intermediate system information
  ethernet-switching   Show Ethernet-switching information
  event-options        Show event-options information
  firewall             Show firewall information
  forwarding-options   Show forwarding-options information
  gvrp                 Show Generic VLAN Registration Protocol information
  helper               Show port-forwarding helper information
  host                 Show hostname information from domain name server
  iccp                 Show Inter Chassis Control Protocol information
  igmp                 Show Internet Group Management Protocol information
  igmp-snooping        Show IGMP snooping information
  ingress-replication  Show Ingress-Replication tunnel information
  interfaces           Show interface information
  ipv6                 Show IP version 6 information
  isdn                 Show Integrated Services Digital Network information
  isis                 Show Intermediate System-to-Intermediate System information
  l2-learning          Show l2 learning information
  l2circuit            Show Layer 2 circuit information
  l2vpn                Show Layer 2 VPN information
  lacp                 Show Link Aggregation Control Protocol information
  ldp                  Show Label Distribution Protocol information
  lldp                 Show Link Layer Discovery Protocol information
  log                  Show contents of log file
  mld                  Show multicast listener discovery information
  mld-snooping         Show MLD snooping information
  mpls                 Show mpls information
  msdp                 Show Multicast Source Discovery Protocol information
  multicast            Show multicast information
  mvpn                 Show Multicast Virtual Private Network (MVPN) information
  network-access       Show network-access related information
  ntp                  Show Network Time Protocol information
  oam                  Show OAM-related information
  ospf                 Show Open Shortest Path First information
  ospf3                Show Open Shortest Path First version 3 information
  pfe                  Show Packet Forwarding Engine information
  pgm                  Show Pragmatic Generalized Multicast information
  pim                  Show Protocol Independent Multicast information
  policer              Show interface policer counters and information
  policy               Show policy information
  ppp                  Show PPP process information
  pppoe                Show PPP over Ethernet information
  protection-group     Show protection group information
  r2cp                 Show Radio-to-Router Protocol information
  rip                  Show Routing Information Protocol information
  ripng                Show Routing Information Protocol for IPv6 information
  route                Show routing table information
  rsvp                 Show Resource Reservation Protocol information
  sap                  Show Session Announcement Protocol information
  schedulers           Show the information on one or more schedulers
  security             Show security information
  services             Show services
  smtp                 Show Simple Mail Transfer Protocol information
  snmp                 Show Simple Network Management Protocol information
  spanning-tree        Show Spanning Tree Protocol information
  subscribers          Show subscriber information
  system               Show system information
  task                 Show routing protocol per-task information
  ted                  Show Traffic Engineering Database information
  version              Show software process revision levels
  vlans                Show VLAN information
  vpls                 Show VPLS information
  vrrp                 Show Virtual Router Redundancy Protocol information
  wireless-wan         Show wireless WAN information
  wlan                 Show wireless LAN information

As shown above, we have plenty of options available! But the important ones for this level are show system, show chassis and show interface; each of these has its own sub-options that can be seen using "?"

show system

Under the show system option, as shown below, we have a lot of different options available. These commands provide information for any operational issue and/or check that you would want to do on your device.

show system options
[email protected]_SRX> show system ?
Possible completions:
  alarms               Show system alarm status
  audit                Show file system MD5 hash and permissions
  auto-snapshot        Show auto-snapshot status when system booted from alternate slice
  autoinstallation     Show autoinstallation information
  autorecovery         Show autorecovery information
  boot-messages        Show boot time messages
  buffers              Show buffer statistics
  certificate          Show installed X509 certificates
  commit               Show pending commit requests (if any) and commit history
  configuration        Show configuration information
  connections          Show system connection activity
  core-dumps           Show system core files
  directory-usage      Show local directory information
  download             Show status of downloads
  firmware             Show all firmware version information
  health               Show online diagnostic status
  license              Show feature licenses information
  login                Show system login state
  memory               Show system memory usage
  processes            Show system process table
  queues               Show queue statistics
  reboot               Show any pending halt or reboot requests
  resource-cleanup     Show resource cleanup information
  rollback             Show rolled back configuration
  services             Show service applications information
  snapshot             Show snapshot information
  software             Show loaded JUNOS extensions
  statistics           Show statistics for protocol
  storage              Show local storage data
  subscriber-management  Show Subscriber management information
  threads              Show system threads table
  uptime               Show time since system and processes started
  users                Show users who are currently logged in
  virtual-memory       Show kernel dynamic memory usage

The important one for JNCIA will be alarms, as this will show any software-based alarms that are currently on the device; they are either Minor or Major. I have two Minor alarms, but as this is in the lab I don't care; however, if this was production, do something about it!

[email protected]_SRX> show system alarms 
2 alarms currently active
Alarm time               Class  Description
2015-04-30 17:23:40 UTC  Minor  Autorecovery information needs to be saved
2015-04-30 17:23:40 UTC  Minor  Rescue configuration is not set
Fix the above lol
To fix this issue you will need to run request system autorecovery state save. You should run this command once you have a configuration that you know is working and that, in an emergency, you would be happy to recover to!

[email protected]_SRX> request system autorecovery state save    
Saving config recovery information
Saving license recovery information
Saving BSD label recovery information

[email protected]_SRX> show system alarms 
No alarms currently active

show chassis

Under the show chassis option, as shown below, we have a lot of different options available. These commands provide information on the hardware/physical status of the device.

show chassis options
[email protected]_SRX> show chassis ?
Possible completions:
  alarms               Show alarm status
  cluster              Show chassis cluster information
  craft-interface      Show craft interface status
  environment          Show component status and temperature, cooling system speeds
  fan                  Show fan and fan tray information
  firmware             Show firmware and operating system version for components
  forwarding           Show forwarding process (fwdd) status
  fpc                  Show Flexible PIC Concentrator status
  hardware             Show installed hardware components
  location             Show physical location of chassis
  mac-addresses        Show media access control addresses
  pic                  Show Physical Interface Card state, type, and uptime
  routing-engine       Show Routing Engine status
  temperature-thresholds  Show chassis temperature threshold settings
  usb                  Show chassis USB status

From my experience the key commands that you will use most would be alarms, hardware and environment. All are pretty self-explanatory when you look at the output of the commands.

Outputs of show chassis alarms, show chassis hardware and show chassis environment:
[email protected]_SRX> show chassis alarms 
No alarms currently active
[email protected]_SRX> show chassis hardware  
Hardware inventory:
Item             Version  Part number  Serial number     Description
Chassis                                CF4713AK0219      SRX220H2
Routing Engine   REV 04   750-048778   ACKS2263          RE-SRX220H2
FPC 0                                                    FPC
  PIC 0                                                  8x GE Base PIC
Power Supply 0
[email protected]_SRX> show chassis environment 
Class Item                           Status     Measurement
Temp  Routing Engine                 OK         47 degrees C / 116 degrees F
      Routing Engine CPU             Absent    
Fans  SRX220 Chassis fan 0           OK         Spinning at normal speed
      SRX220 Chassis fan 1           OK         Spinning at normal speed
Power Power Supply 0                 OK
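Both show system alarms and show chassis alarms print the same table (or the single line "No alarms currently active"), so one small parser covers both. The following is an added example, not code from the original post: it turns the output shown above into records, checks that the header count matches the rows actually received (a truncated capture would otherwise hide alarms), and applies the lab-versus-production rule from the text. The sample outputs are constructed in the format shown above; the Major chassis alarm text is illustrative and not taken from a real device.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed samples in the format of 'show system alarms' / 'show chassis alarms'.
SYSTEM_ALARMS = """\
2 alarms currently active
Alarm time               Class  Description
2015-04-30 17:23:40 UTC  Minor  Autorecovery information needs to be saved
2015-04-30 17:23:40 UTC  Minor  Rescue configuration is not set
"""
CHASSIS_ALARMS = """\
1 alarms currently active
Alarm time               Class  Description
2015-05-01 09:12:03 UTC  Major  Fan 0 Failure
"""
NO_ALARMS = "No alarms currently active\n"

# One table row: timestamp with zone, Class column, free-text description.
ALARM_RE = re.compile(
    r"^(?P<time>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} \S+)\s+"
    r"(?P<cls>Major|Minor)\s+(?P<desc>.+?)\s*$"
)
COUNT_RE = re.compile(r"^(\d+) alarms? currently active")


@dataclass(frozen=True)
class Alarm:
    time: str
    cls: str
    desc: str


def parse_alarms(text: str) -> List[Alarm]:
    """Return every alarm row found in the command output (empty for 'No alarms')."""
    alarms = []
    for line in text.splitlines():
        m = ALARM_RE.match(line)
        if m:
            alarms.append(Alarm(m["time"], m["cls"], m["desc"]))
    return alarms


def is_complete(text: str) -> bool:
    """True when the header count agrees with the rows parsed (detects truncated output)."""
    head = text.lstrip()
    if head.startswith("No alarms currently active"):
        return not parse_alarms(text)
    m = COUNT_RE.match(head)
    return bool(m) and int(m.group(1)) == len(parse_alarms(text))


def alarms_needing_action(text: str, production: bool) -> List[Alarm]:
    """Major alarms always need action; Minor ones only once the box is in production."""
    return [a for a in parse_alarms(text) if a.cls == "Major" or production]


if __name__ == "__main__":
    for name, out in (("system", SYSTEM_ALARMS), ("chassis", CHASSIS_ALARMS)):
        print(name, "complete:", is_complete(out))
        for a in alarms_needing_action(out, production=True):
            print(f"  {a.cls:5} {a.time}  {a.desc}")
```

The same functions work unchanged on real output captured over SSH or from a PyEZ RPC reply rendered as text, because only the two-line header and the row layout are relied on.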

Monitor commands/Real-time performance monitoring (RPM)

If we want to do some monitoring checks, we are able to do real-time monitoring on a single interface or on all interfaces by using monitor interface {interface|traffic}. Using monitor interface traffic we will see the traffic passing through every physical and logical interface. If you want a specific interface you just need to enter the interface name; for my example I used ge-0/0/6 (my management interface).

Outputs of monitor interface traffic and monitor interface ge-0/0/6:
[email protected]_SRX> monitor interface traffic    

Top_SRX                           Seconds: 10                  Time: 22:24:29

Interface    Link  Input packets        (pps)     Output packets        (pps)
 ge-0/0/0      Up         185692          (0)           185742          (0)
 gr-0/0/0      Up              0          (0)                0          (0)
 ip-0/0/0      Up              0          (0)                0          (0)
 lsq-0/0/0     Up              0          (0)                0          (0)
 lt-0/0/0      Up              0          (0)                0          (0)
 mt-0/0/0      Up              0          (0)                0          (0)
 sp-0/0/0      Up              0          (0)                0          (0)
 ge-0/0/1      Up              0          (0)            78439          (0)
 ge-0/0/2      Up              0          (0)                0          (0)
 ge-0/0/3      Up              0          (0)                0          (0)
 ge-0/0/4    Down              0          (0)                0          (0)
 ge-0/0/5    Down              0          (0)                0          (0)
 ge-0/0/6      Up        1281474          (3)            31748          (1)
 ge-0/0/7    Down              0          (0)                0          (0)
 fxp2          Up              0                        622845
 gre           Up              0                             0
 ipip          Up              0                             0
 irb           Up              0                             0
 lo0           Up        2153221                       2153221
 lsi           Up              0                             0
 mtun          Up              0                             0
 pimd          Up              0                             0
 pime          Up              0                             0
 pp0           Up              0          (0)                0          (0)
 ppd0          Up              0          (0)                0          (0)

Bytes=b, Clear=c, Delta=d, Packets=p, Quit=q or ESC, Rate=r, Up=^U, Down=^D
[email protected]_SRX> monitor interface ge-0/0/6    

Top_SRX                           Seconds: 9                   Time: 22:25:34
                                                           Delay: 4/0/4
Interface: ge-0/0/6, Enabled, Link is Up
Encapsulation: Ethernet, Speed: 1000mbps
Traffic statistics:                                           Current delta
  Input bytes:                  83186459 (1576 bps)                  [3193]
  Output bytes:                  6025770 (2544 bps)                  [9050]
  Input packets:                 1281671 (3 pps)                       [50]
  Output packets:                  31828 (1 pps)                       [25]
Error statistics:
  Input errors:                        0                                [0]
  Input drops:                         0                                [0]
  Input framing errors:                0                                [0]
  Policed discards:                    0                                [0]
  L3 incompletes:                      0                                [0]
  L2 channel errors:                   0                                [0]
  L2 mismatch timeouts:                0                                [0]
  Carrier transitions:                 1                                [0]
  Output errors:                       0                                [0]
  Output drops:                        0                                [0]
  Aged packets:                        0                                [0]
Active alarms : None
Active defects: None
Input MAC/Filter statistics:  Unicast              [28]

Next='n', Quit='q' or ESC, Freeze='f', Thaw='t', Clear='c', Interface='i'

Interface statistics and errors

With the show interfaces command, you can get a lot of information about an interface. You will get important information about errors, flags or alarms that could affect the switch port or the physical cable connected to the port.

If you use the terse option, you will see whether the link is up or down and what the local IP address on that interface is. It will also show the physical and logical interfaces you have available.

If you use the extensive option you will see everything that could affect the physical port, from input/output details to CoS, SNMP traps etc. If you get any question during your JNCIA about checking an interface, the extensive option would give you everything, but you would need to search for it! If you check the outputs below, you will see where I’m going with it all 🙂

Show interface outputs
Outputs of show interfaces terse, show interfaces ge-0/0/6 and show interfaces ge-0/0/6 extensive:
[email protected]_SRX> show interfaces terse 
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up  
ge-0/0/0.0              up    up   inet     172.31.100.3/31 
gr-0/0/0                up    up  
ip-0/0/0                up    up  
lsq-0/0/0               up    up  
lt-0/0/0                up    up  
mt-0/0/0                up    up  
sp-0/0/0                up    up  
sp-0/0/0.0              up    up   inet    
sp-0/0/0.16383          up    up   inet     10.0.0.1            --> 10.0.0.16
                                            10.0.0.6            --> 0/0
                                            128.0.0.1           --> 128.0.1.16
                                            128.0.0.6           --> 0/0
ge-0/0/1                up    up  
ge-0/0/2                up    up  
ge-0/0/3                up    up  
ge-0/0/4                up    down
ge-0/0/5                up    down
ge-0/0/6                up    up  
ge-0/0/6.0              up    up   inet     10.1.0.201/24   
ge-0/0/7                up    down
fxp2                    up    up  
fxp2.0                  up    up   tnp      0x1             
gre                     up    up        
ipip                    up    up  
irb                     up    up  
lo0                     up    up  
lo0.16384               up    up   inet     127.0.0.1           --> 0/0
lo0.16385               up    up   inet     10.0.0.1            --> 0/0
                                            10.0.0.16           --> 0/0
                                            128.0.0.1           --> 0/0
                                            128.0.0.4           --> 0/0
                                            128.0.1.16          --> 0/0
lo0.32768               up    up  
lsi                     up    up  
mtun                    up    up  
pimd                    up    up  
pime                    up    up  
pp0                     up    up  
ppd0                    up    up  
ppe0                    up    up  
st0                     up    up  
tap                     up    up  
vlan                    up    up 
[email protected]_SRX> show interfaces ge-0/0/6              
Physical interface: ge-0/0/6, Enabled, Physical link is Up
  Interface index: 140, SNMP ifIndex: 516
  Link-level type: Ethernet, MTU: 1514, Link-mode: Full-duplex, Speed: 1000mbps, BPDU Error: None, MAC-REWRITE Error: None,
  Loopback: Disabled, Source filtering: Disabled, Flow control: Enabled, Auto-negotiation: Enabled, Remote fault: Online
  Device flags   : Present Running
  Interface flags: SNMP-Traps Internal: 0x0
  Link flags     : None
  CoS queues     : 8 supported, 8 maximum usable queues
  Current address: 10:0e:7e:4e:0f:86, Hardware address: 10:0e:7e:4e:0f:86
  Last flapped   : 2015-04-30 17:24:26 UTC (1w0d 03:54 ago)
  Input rate     : 1448 bps (2 pps)
  Output rate    : 1544 bps (0 pps)
  Active alarms  : None
  Active defects : None
  Interface transmit statistics: Disabled

  Logical interface ge-0/0/6.0 (Index 76) (SNMP ifIndex 528) 
    Flags: SNMP-Traps 0x0 Encapsulation: ENET2
    Input packets : 374622 
    Output packets: 12463
    Security: Zone: Null
    Protocol inet, MTU: 1500
      Flags: Sendbcast-pkt-to-re, Is-Primary
      Addresses, Flags: Is-Default Is-Preferred Is-Primary
        Destination: 10.1.0/24, Local: 10.1.0.201, Broadcast: 10.1.0.255
[email protected]_SRX> show interfaces ge-0/0/6 extensive 
Physical interface: ge-0/0/6, Enabled, Physical link is Up
  Interface index: 140, SNMP ifIndex: 516, Generation: 143
  Link-level type: Ethernet, MTU: 1514, Link-mode: Full-duplex, Speed: 1000mbps, BPDU Error: None, MAC-REWRITE Error: None,
  Loopback: Disabled, Source filtering: Disabled, Flow control: Enabled, Auto-negotiation: Enabled, Remote fault: Online
  Device flags   : Present Running
  Interface flags: SNMP-Traps Internal: 0x0
  Link flags     : None
  CoS queues     : 8 supported, 8 maximum usable queues
  Hold-times     : Up 0 ms, Down 0 ms
  Current address: 10:0e:7e:4e:0f:86, Hardware address: 10:0e:7e:4e:0f:86
  Last flapped   : 2015-04-30 17:24:26 UTC (1w0d 03:55 ago)
  Statistics last cleared: Never
  Traffic statistics:
   Input  bytes  :             82627263                 4968 bps
   Output bytes  :              5838121                 5048 bps
   Input  packets:              1273025                    8 pps
   Output packets:                30984                    3 pps
  Input errors:
    Errors: 0, Drops: 0, Framing errors: 0, Runts: 0, Policed discards: 0, L3 incompletes: 0, L2 channel errors: 0,
    L2 mismatch timeouts: 0, FIFO errors: 0, Resource errors: 0
  Output errors:
    Carrier transitions: 1, Errors: 0, Drops: 0, Collisions: 0, Aged packets: 0, FIFO errors: 0, HS link CRC errors: 0, MTU errors: 0,
    Resource errors: 0
  Egress queues: 8 supported, 4 in use
  Queue counters:       Queued packets  Transmitted packets      Dropped packets
    0 best-effort                 9215                 9215                    0
    1 expedited-fo                   0                    0                    0
    2 assured-forw                   0                    0                    0
    3 network-cont               21769                21769                    0
  Queue number:         Mapped forwarding classes
    0                   best-effort 
    1                   expedited-forwarding
    2                   assured-forwarding
    3                   network-control
  Active alarms  : None
  Active defects : None
  MAC statistics:                      Receive         Transmit
    Total octets                      93421178          5639424
    Total packets                      1288676            30983
    Unicast packets                      17785             8706
    Broadcast packets                   919434              508
    Multicast packets                   351457            21769
    CRC/Align errors                         0                0
    FIFO errors                              0                0
    MAC control frames                       0                0
    MAC pause frames                         0                0
    Oversized frames                         0
    Jabber frames                            0
    Fragment frames                          0
    VLAN tagged frames                       0
    Code violations                          0
  Filter statistics:
    Input packet count                       0
    Input packet rejects                     0
    Input DA rejects                         0
    Input SA rejects                         0
    Output packet count                                       0
    Output packet pad count                                   0
    Output packet error count                                 0
    CAM destination filters: 2, CAM source filters: 0
  Autonegotiation information:
    Negotiation status: Complete
    Link partner:
        Link mode: Full-duplex, Flow control: None, Remote fault: OK, Link partner Speed: 1000 Mbps
    Local resolution:                   
        Flow control: None, Remote fault: Link OK
  Packet Forwarding Engine configuration:
    Destination slot: 0
  CoS information:
    Direction : Output 
    CoS transmit queue               Bandwidth               Buffer Priority   Limit
                              %            bps     %           usec
    0 best-effort            95      950000000    95              0      low    none
    3 network-control         5       50000000     5              0      low    none
  Interface transmit statistics: Disabled

  Logical interface ge-0/0/6.0 (Index 76) (SNMP ifIndex 528) (Generation 142)
    Flags: SNMP-Traps 0x0 Encapsulation: ENET2
    Traffic statistics:
     Input  bytes  :             24369749
     Output bytes  :              2236064
     Input  packets:               374912
     Output packets:                12563
    Local statistics:
     Input  bytes  :             24343129
     Output bytes  :              2236064
     Input  packets:               374115
     Output packets:                12563
    Transit statistics:
     Input  bytes  :                26620                    0 bps
     Output bytes  :                    0                    0 bps
     Input  packets:                  797                    0 pps
     Output packets:                    0                    0 pps
    Security: Zone: Null
    Flow Statistics :  
    Flow Input statistics :
      Self packets :                     0
      ICMP packets :                     0
      VPN packets :                      0
      Multicast packets :                0
      Bytes permitted by policy :        0
      Connections established :          0 
    Flow Output statistics: 
      Multicast packets :                0
      Bytes permitted by policy :        0 
    Flow error statistics (Packets dropped due to): 
      Address spoofing:                  0
      Authentication failed:             0
      Incoming NAT errors:               0
      Invalid zone received packet:      0
      Multiple user authentications:     0 
      Multiple incoming NAT:             0
      No parent for a gate:              0
      No one interested in self packets: 0       
      No minor session:                  0 
      No more sessions:                  0
      No NAT gate:                       0 
      No route present:                  0 
      No SA for incoming SPI:            0 
      No tunnel found:                   0
      No session for a gate:             0 
      No zone or NULL zone binding       0
      Policy denied:                     0
      Security association not active:   0 
      TCP sequence number out of window: 0
      Syn-attack protection:             0
      User authentication errors:        0
    Protocol inet, MTU: 1500, Generation: 159, Route table: 0
      Flags: Sendbcast-pkt-to-re, Is-Primary
      Addresses, Flags: Is-Default Is-Preferred Is-Primary
        Destination: 10.1.0/24, Local: 10.1.0.201, Broadcast: 10.1.0.255, Generation: 160
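The extensive output is long, and the counters that actually matter for a health or security check are scattered across it: the physical Input errors / Output errors lines, the per-reason drop counters under Flow error statistics (address spoofing, policy denied, SYN-attack protection and so on), and the zone binding. The following is an added example, not code from the original post: it parses that output and reports only the non-zero counters plus link state and zone, so that the "search" the text mentions is done by the script. The sample is constructed from the ge-0/0/6 extensive output above with a few counters deliberately set non-zero to exercise the checks.

```python
import re
from typing import Dict

# Constructed sample modelled on 'show interfaces ge-0/0/6 extensive'; Drops,
# Address spoofing and Policy denied have been made non-zero on purpose.
SAMPLE = """\
Physical interface: ge-0/0/6, Enabled, Physical link is Up
  Interface index: 140, SNMP ifIndex: 516, Generation: 143
  Last flapped   : 2015-04-30 17:24:26 UTC (1w0d 03:55 ago)
  Input errors:
    Errors: 0, Drops: 12, Framing errors: 0, Runts: 0, Policed discards: 0, L3 incompletes: 0, L2 channel errors: 0,
    L2 mismatch timeouts: 0, FIFO errors: 0, Resource errors: 0
  Output errors:
    Carrier transitions: 1, Errors: 0, Drops: 0, Collisions: 0, Aged packets: 0, FIFO errors: 0, HS link CRC errors: 0, MTU errors: 0,
    Resource errors: 0
  Active alarms  : None
  Active defects : None

  Logical interface ge-0/0/6.0 (Index 76) (SNMP ifIndex 528) (Generation 142)
    Security: Zone: Null
    Flow error statistics (Packets dropped due to):
      Address spoofing:                  7
      Authentication failed:             0
      No route present:                  0
      No zone or NULL zone binding       0
      Policy denied:                     3
      Syn-attack protection:             0
    Protocol inet, MTU: 1500, Generation: 159, Route table: 0
"""

# "Name: 123" pairs on the comma-separated physical error lines.
PAIR_RE = re.compile(r"([A-Za-z0-9 /]+?):\s*(\d+)")
# One flow-error row; the colon is optional because one row on the box has none.
FLOW_RE = re.compile(r"^\s+(?P<name>[^:]+?):?\s+(?P<n>\d+)\s*$")


def _indent(line: str) -> int:
    return len(line) - len(line.lstrip(" "))


def parse_error_blocks(text: str) -> Dict[str, Dict[str, int]]:
    """Collect the counters under 'Input errors:' and 'Output errors:'."""
    blocks: Dict[str, Dict[str, int]] = {}
    current = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped in ("Input errors:", "Output errors:"):
            current = stripped[:-1]
            blocks[current] = {}
            continue
        if current is None:
            continue
        if _indent(line) <= 2:          # back at physical-interface level: block ended
            current = None
            continue
        for name, value in PAIR_RE.findall(line):
            blocks[current][name.strip()] = int(value)
    return blocks


def parse_flow_errors(text: str) -> Dict[str, int]:
    """Collect the per-reason drop counters under 'Flow error statistics'."""
    counters: Dict[str, int] = {}
    in_block = False
    for line in text.splitlines():
        if line.strip().startswith("Flow error statistics"):
            in_block = True
            continue
        if in_block:
            m = FLOW_RE.match(line)
            if not m or _indent(line) < 6:   # 'Protocol inet' line ends the block
                in_block = False
                continue
            counters[m["name"].strip()] = int(m["n"])
    return counters


def interface_report(text: str) -> Dict[str, object]:
    """Summarise only what needs a look: non-zero counters, link state and zone."""
    report: Dict[str, object] = {}
    for block, counters in parse_error_blocks(text).items():
        hits = {k: v for k, v in counters.items() if v}
        if hits:
            report[block] = hits
    flow_hits = {k: v for k, v in parse_flow_errors(text).items() if v}
    if flow_hits:
        report["Flow drops"] = flow_hits
    link = re.search(r"Physical link is (\w+)", text)
    zone = re.search(r"Security: Zone: (\S+)", text)
    report["link"] = link.group(1) if link else "unknown"
    report["zone"] = zone.group(1) if zone else "unknown"
    return report


if __name__ == "__main__":
    for key, value in interface_report(SAMPLE).items():
        print(f"{key}: {value}")
```

A single Carrier transitions count is just the initial link-up, so in practice you would compare two captures over time and alert on the delta rather than on the absolute value; the Flow drops section is where a rising Address spoofing or Policy denied count tells you the screen or policy on that interface is actually catching something.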

Network tools

We are able to use a number of network tools to help with troubleshooting and end-to-end connectivity. We will mostly use the ping, traceroute, ssh and telnet commands. We use ping to check end-to-end connectivity and traceroute to check the path we are using to get from one device to another, whether that is on our internal LAN or across the internet. With Junos, if we are using a DNS name (i.e. google.co.uk), it will by default use the IPv6 AAAA record to try to find the host in question. If you don’t have IPv6 configured on your network, this is no help at all!

Outputs of ping and traceroute (default name resolution):
[email protected]_SRX> ping google.co.uk 
PING6(56=40+8+8 bytes) :: --> 2a00:1450:4009:80c::2003
ping: sendmsg: No route to host
ping6: wrote google.co.uk 16 chars, ret=-1
ping: sendmsg: No route to host
ping6: wrote google.co.uk 16 chars, ret=-1
^C
--- google.co.uk ping6 statistics ---
2 packets transmitted, 0 packets received, 100% packet loss
[email protected]_SRX> traceroute google.co.uk  
traceroute: connect: No route to host

We can get around this by adding the inet option, {ping|traceroute} inet, which forces the ping or traceroute to use the IPv4 A record for the destination.

Outputs of ping inet and traceroute inet:
[email protected]_SRX> ping inet google.co.uk 
PING google.co.uk (216.58.210.3): 56 data bytes
64 bytes from 216.58.210.3: icmp_seq=0 ttl=56 time=2.923 ms
64 bytes from 216.58.210.3: icmp_seq=1 ttl=56 time=3.154 ms
^C
--- google.co.uk ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 2.923/3.038/3.154/0.115 ms
[email protected]_SRX> traceroute inet google.co.uk 
traceroute to google.co.uk (216.58.210.3), 30 hops max, 40 byte packets
 1  10.1.0.1 (10.1.0.1)  2.420 ms  2.186 ms  2.095 ms
 2  ge1-0-4.er01.bc.bbc.co.uk (132.185.254.173)  2.595 ms  3.739 ms  3.656 ms
 3  * * *
 4  * * *
 5  ae0.pr01.thdow.bbc.co.uk (132.185.254.77)  3.952 ms ae1.pr01.thdow.bbc.co.uk (132.185.254.81)  3.657 ms  3.429 ms
 6  125-126-245-83.packetexchange.net (83.245.126.125)  3.757 ms  3.993 ms  3.374 ms
 7  209.85.246.244 (209.85.246.244)  3.864 ms  3.507 ms  3.772 ms
 8  209.85.250.169 (209.85.250.169)  4.200 ms  3.486 ms  3.338 ms
 9  lhr08s06-in-f3.1e100.net (216.58.210.3)  4.054 ms  3.689 ms  4.188 ms

Note: Traceroute uses UDP and sends out 3 probes (why you see 3 responses) whereas ping uses TCP

Note: this only applies if we are using DNS names; if we are using the IP address then the above doesn’t apply.

With both ping and traceroute, you have additional options to be more in-depth or specific about how you would like to test.

Additional ping and traceroute options
Options for traceroute and ping:
[email protected]_SRX> traceroute inet google.co.uk ?  
Possible completions:
  <[Enter]>            Execute this command
  as-number-lookup     Look up AS numbers for each hop
  bypass-routing       Bypass routing table, use specified interface
  gateway              Address of router gateway to route through
  inet6                Force traceroute to IPv6 destination
  interface            Name of interface to use for outgoing traffic
  no-resolve           Don't attempt to print addresses symbolically
  propagate-ttl        Enable propagate-ttl for locally sourced RE traffic
  routing-instance     Name of routing instance for traceroute attempt
  source               Source address to use in outgoing traceroute packets
  tos                  IP type-of-service field (IPv4) (0..255)
  ttl                  IP maximum time-to-live value (or IPv6 maximum hop-limit value)
  wait                 Number of seconds to wait for response (seconds)
  |                    Pipe through a command
[email protected]_SRX> ping inet google.co.uk ?                                    
Possible completions:
  <[Enter]>            Execute this command
  bypass-routing       Bypass routing table, use specified interface
  count                Number of ping requests to send (1..2000000000 packets)
  detail               Display incoming interface of received packet
  do-not-fragment      Don't fragment echo request packets (IPv4)
  inet6                Force ping to IPv6 destination
  interface            Source interface (multicast, all-ones, unrouted packets)
  interval             Delay between ping requests (seconds)
+ loose-source         Intermediate loose source route entry (IPv4)
  mac-address          MAC address of the nexthop in xx:xx:xx:xx:xx:xx format
  no-resolve           Don't attempt to print addresses symbolically
  pattern              Hexadecimal fill pattern
  rapid                Send requests rapidly (default count of 5)
  record-route         Record and report packet's path (IPv4)
  routing-instance     Routing instance for ping attempt
  size                 Size of request packets (0..61580 bytes)
  source               Source address of echo request
  strict               Use strict source route option (IPv4)
+ strict-source        Intermediate strict source route entry (IPv4)
  tos                  IP type-of-service value (0..255)
  ttl                  IP time-to-live value (IPv6 hop-limit value) (1..255 hops)
  verbose              Display detailed output
  wait                 Maximum wait time after sending final packet (seconds)
  |                    Pipe through a command

Junos OS installation/Software upgrades

For Junos OS installations and software upgrades, I have already done a post on how to do a software upgrade 🙂 You can take a look on here

Powering on and shutting down Junos devices

With Juniper devices, you have different methods of remotely rebooting and shutting down a device.

[email protected]_SRX> request system reboot

We see that there are two ways we could shut down our Juniper device remotely: we can either halt or power-off. The difference between the two is that a system halt is basically a graceful shutdown of the device, where we have the option to reboot the device back up if necessary.

[email protected]_SRX> request system halt
Request System Halt Output
[email protected]_SRX> request system halt             
Halt the system ? [yes,no] (no) yes 

Shutdown NOW!
[pid 1404]

[email protected]_SRX>                                                                                
*** FINAL System shutdown message from [email protected]_SRX ***                   

System going down IMMEDIATELY                                                  

                                                                               
MWaiting (max 60 seconds) for system process `vnlru' to stop...done
Waiting (max 60 seconds) for system process `vnlru_mem' to stop...done
Waiting (max 60 seconds) for system process `bufdaemon' to stop...done
Waiting (max 60 seconds) for system process `syncer' to stop...
Syncing disks, vnodes remaining...0 0 0 done

syncing disks... All buffers synced.
Uptime: 1h8m28s

The operating system has halted.
Please press any key to reboot.

Note: you will need a console connection to reboot, as you will get kicked off if you have an ssh or telnet session.

Whereas the system power-off would just turn off the device completely, and you will need to physically go to the device and remove and replug the PSU to power the device back on.

[email protected]_SRX> request system power-off

Additionally, we have extra options if we want to schedule a reboot or shutdown. If you hit “?” after your command, you can see the extra options available:

[email protected]_SRX> request system reboot ?                                    
Possible completions:
  <[Enter]>            Execute this command
  at                   Time at which to perform the operation
  in                   Number of minutes to delay before operation
  media                Boot media for next boot
  message              Message to display to all users
  |                    Pipe through a command

Root password recovery

If you have forgotten the password for your Junos device, you are able to recover it by using the root password recovery process. Note: with this method you will need console access to the device, and it will require a few reboots, so if it’s in a lab it doesn’t matter; if it’s production you will need to do this in an outage window, or you can do the reboot and explain how and why you managed to forget an important password 😀

When doing the reboot you will need to watch the boot process, as you will need to break in at a particular point. Once POST has passed and the autoboot countdown appears:

Autoboot process
PCI Status: PCI 32-bit
PCI BAR 0: 0xf8000000, PCI BAR 1: Memory 0x00000000  PCI 0x00000000
Warning!!!Last reboot reason 0x0 abnormal
Boot Media: usb internal-compact-flash 
Net:   octeth0

  ide 0: Model: CF 2GB Firm: 20100924 Ser#: 2013C     0000093572
            Type: Removable Disk
            Capacity: 2000.7 MB = 1.9 GB (4097520 x 512)
POST Passed
Press SPACE to abort autoboot in 1 seconds
ELF file is 32 bit

You will need to hit the spacebar to break the boot process, and you will enter the boot loader:

FreeBSD/MIPS U-Boot bootstrap loader, Revision 2.5
([email protected], Tue Apr  2 12:36:46 PDT 2013)
Memory: 2048MB
[0]Booting from internal-compact-flash slice 2
Un-Protected 1 sectors
writing to flash...
Protected 1 sectors
Loading /boot/defaults/loader.conf 
/kernel data=0xb05a8c+0x134484 syms=[0x4+0x8aaa0+0x4+0xc903f]

Hit [Enter] to boot immediately, or space bar for command prompt.

Type '?' for a list of commands, 'help' for more detailed help.
loader>

Once in the boot loader you will need to enter single-user mode by entering boot -s

loader> boot -s

The device will boot into single-user mode, and you will need to enter recovery to start the root password recovery:

Mounted junos package on /dev/md0...
Booting single-user
** /dev/ad0s2a
FILE SYSTEM CLEAN; SKIPPING CHECKS
clean, 247818 free (42 frags, 30972 blocks, 0.0% fragmentation)
System watchdog timer disabled
Enter full pathname of shell or 'recovery' for root password recovery or RETURN for /bin/sh: recovery

You are given instructions on what you need to do to change the root password on the device:

NOTE: Once in the CLI, you will need to enter configuration mode using
NOTE: the 'configure' command to make any required changes. For example,
NOTE: to reset the root password, type:
NOTE:    configure
NOTE:    set system root-authentication plain-text-password
NOTE:    (enter the new password when asked)
NOTE:    commit
NOTE:    exit
NOTE:    exit
NOTE: When you exit the CLI, you will be asked if you want to reboot
NOTE: the system
Reset password commands
Starting CLI ... 
[email protected]_SRX> edit

[edit]
[email protected]_SRX# set system root-authentication plain-text-password 
New password: lab123
Retype new password:

[email protected]_SRX# commit and-quit

Once you’re back in Operational mode, you will need to reboot the device and then you’re done!

[email protected]_SRX> request system reboot 
Reboot the system ? [yes,no] (no) y

JNCIA Refresher #2 – Junos OS Fundamentals

Junos device portfolio – product families, general functionality
Software architecture and Protocol daemons
Control and Forwarding planes
Routing Engine and Packet Forwarding Engine
Transit and Exception traffic

Junos device portfolio – product families, general functionality

Juniper has a number of products that span a number of different environments. For the most part you are able to categorise the devices into four networking areas: Enterprise, Service Provider, Data Centre and Security. Of course you can put whatever device into your network as you wish, but some devices will be more effective and efficient in a particular environment than others. The sections below show the different model series that Juniper provides (descriptions are taken from the Juniper product pages).

Series covered: M Series, T Series, MX Series, EX Series, QFX Series, SRX Series.

The M Series is a Multiservice Edge Router, sitting on the edge of your network connecting to external peers and transit providers. These would be seen in Service Provider or medium to large Enterprise networks. The M Series can provide up to 320Gbps of throughput.

Model | Juniper’s Description
M7i | M7i Multiservice Edge Router is compact with 10 Gbps throughput.
M10i | M10i Multiservice Edge Router is compact and fully redundant with 16 Gbps throughput.
M120 | M120 Multiservice Edge Router is highly redundant with 120 Gbps throughput.
M320 | M320 Multiservice Edge Router is a 320 Gbps high-performance routing platform.
The T Series provides from 320Gbps up to 1.6Tbps of throughput on a single chassis and up to 25Tbps in a multi-chassis configuration. These routers would be used within an IP/MPLS core in Service Provider or large Enterprise networks.

Model | Juniper’s Description
T640 | T640 Core Router delivers 50 Gbps forwarding on each of its 8 slots, and is ideal for powering small core applications.
T1600 | T1600 Core Router offers scalable, high-performance, core routing in a small package.
T4000 | T4000 Core Router delivers 4 Tbps of traffic in a single half rack routing node.
The MX Series offers the flexibility of a router with a throughput of up to 80Tbps together with switching capabilities. The MX Series can be used as both an Edge/Core device in Service Provider/Enterprise environments and has stability through interchangeable line cards and software licensing.

Model | Juniper’s Description
MX5 | The MX5 is a compact 20 Gbps upgradeable router for enterprise applications, space/power constrained service provider facilities and CPEs.
MX10 | The MX10 is a compact 40 Gbps router ideal for enterprise applications and space/power-constrained service provider facilities.
MX40 | The MX40 is a compact 60 Gbps router ideal for enterprise applications and space/power-constrained service provider facilities.
MX80 | The MX80 is a compact 80 Gbps router ideal for enterprise applications and space/power constrained service provider facilities.
MX104 | The 80 Gbps MX104 offers control plane redundancy and is optimized for Ethernet aggregation and enterprise applications.
MX240 | The modular MX240 offers almost 2 Tbps of system capacity for cloud, campus and enterprise data center, service provider edge, and mobile service core deployments.
MX480 | The modular MX480 delivers over 5 Tbps of system capacity for cloud, campus and enterprise data center, service provider edge, and mobile service core deployments.
MX960 | The modular MX960 delivers over 10 Tbps of system capacity for cloud and large enterprise data center, service provider edge, and mobile service core deployments.
MX2010 | The modular MX2010 offers over 17 Tbps of system capacity to help service providers scale long-term for broadband traffic, subscribers, and services.
MX2020 | The modular MX2020 is the industry’s highest-capacity, single-chassis edge router, supporting 10/100 Gbps interfaces and scaling up to 80 Tbps.
EX Series is a Layer 2/3 switch largely (but not exclusively) used in Enterprise networks. These switches can be used in a Virtual Chassis configuration to provide an aggregation layer, high availability and additional port capacity.

Model Juniper’s Description
2200 EX2200 switches are low power, low acoustic 1 U devices, offering an economical solution for branch offices and campus networks.
3200 The EX3300 is a compact switch for demanding converged enterprise access.
4200 The EX4200 is a flexible, stackable switching solution for data centers and campuses.
4300 The EX4300 supports branch, campus, and data center access and aggregation deployments.
4500/4550 The EX4500 and EX4550 are a compact, high-performance platform for data center, campus, and service provider deployments.
4600 The EX4600 delivers a scalable 10GbE solution for high-density campus and data center top-of-rack deployments.
6200 The EX6200 is a scalable, resilient, high-performance wiring closet solution.
8200 The EX8200 provides the port densities, scalability, and high availability required for today’s data center and campus core environments.
9200 The EX9200 is SDN-ready and offers the flexibility and scalability required for business agility and growth.
QFX Series switches are a fairly new product line from Juniper. These switches are used in Data Centre environments.

Model Juniper’s Description
QFX3500 The QFX3500 Switch is a high-performance, low-latency, feature-rich 10GbE Layer 2 and Layer 3 switch designed and optimized for virtualized data centers.
QFX3600 The QFX3600 Switch is a 40GbE, high-performance, Layer 2 and Layer 3 switch designed and optimized for virtualized data centers
QFX5100 The QFX5100 Switches are low-latency, high-performance 10GbE/40GbE switches that act as a flexible building block for multiple data center fabric architectures.
QFX10000 The QFX10000 Switches are highly scalable, high-density platforms that support a variety of 10GbE/40GbE/100GbE deployments, providing a robust foundation for the most demanding data centers.
SRX Series devices are Juniper's security gateways/firewalls, used to protect your network. They can be used as an Edge Gateway in a number of different environments, from Service Provider and Enterprise to Data Centre.

Model Juniper’s Description
100 SRX100 Services Gateway provides high-performance security for small business and distributed enterprise locations.
110 SRX110 consolidates security, routing, switching, and WAN connectivity in a small desktop device, and is ideal for securing small businesses and branch deployments.
210 SRX210 provides robust, enterprise-class security for small distributed enterprise locations.
220 SRX220 provides robust, enterprise-class security for small to midsize businesses and distributed enterprise locations.
240 SRX240 provides robust, enterprise-class security for branch distributed enterprise locations.
550 SRX550 provides robust, enterprise-class security for medium and large branch locations.
650 SRX650 provides robust, enterprise-class security for regional sites and large branch locations
1400 SRX1400 is ideal for securing small to midsize data center environments.
3400 SRX3400 is ideal for securing small and midsize server farms and hosting sites.
3600 SRX3600 is ideal for securing medium to large enterprise data centers, hosted or colocated data centers, and server farms.
5400 SRX5400 is ideal for securing service provider, large enterprise, and public sector networks.
5600 SRX5600 is ideal for securing large enterprise data centers or service provider infrastructures, and aggregating security services.
5800 SRX5800 is ideal for securing large enterprise data centers, hosted or colocated data centers, and service provider infrastructures.

Software architecture and Protocol daemons

Unlike other vendors' operating systems, Junos is a Unix-based system: its underlying operating system is based on the open-source FreeBSD. Using an open-source approach for the OS has allowed Junos to be easily adapted across the multiple platforms that Juniper offer. The Unix-based OS gives Junos a modular design, where each module runs as its own separate process with its own dedicated memory space. This is important because an issue with one module will not bring down the whole device, as that module is isolated in its own memory space. You can see the processes running on the device with the command show system processes | match /usr/sbin

System Processes and Daemons
[email protected]_SRX> show system processes | match /usr/sbin 
 1257  ??  S      0:00.06 /usr/sbin/tnetd -N
 1259  ??  S     13:15.04 /usr/sbin/chassisd -N
 1260  ??  S     33:39.68 /usr/sbin/alarmd -N
 1261  ??  S      1:53.77 /usr/sbin/craftd -N
 1262  ??  S      0:21.39 /usr/sbin/mgd -N
 1263  ??  S     27:16.26 /usr/sbin/snmpd -N
 1264  ??  S     73:26.45 /usr/sbin/mib2d -N
 1265  ??  S     32:50.53 /usr/sbin/rpd -N
 1266  ??  S     73:08.18 /usr/sbin/l2ald -N
 1267  ??  S      0:00.18 /usr/sbin/inetd -N -w
 1268  ??  S     32:51.30 /usr/sbin/pfed -N
 1269  ??  S      1:45.65 /usr/sbin/cosd
 1270  ??  S     12:34.69 /usr/sbin/kmd -N
 1271  ??  S     15:28.64 /usr/sbin/ppmd -N
 1272  ??  S      0:17.35 /usr/sbin/dfwd -N
 1273  ??  S      7:54.62 /usr/sbin/irsd -N
 1274  ??  S      2:48.90 /usr/sbin/bfdd -N
 1275  ??  S    39659:13.10 /usr/sbin/flowd_octeon_hm
 1277  ??  S      0:00.33 /usr/sbin/pppd -N
 1279  ??  S      0:35.75 /usr/sbin/mplsoamd -N
 1280  ??  S      0:00.25 /usr/sbin/sendd -N
 1281  ??  S      0:00.46 /usr/sbin/wwand -N
 1282  ??  S      3:42.82 /usr/sbin/smid -N
 1283  ??  S      0:00.17 /usr/sbin/relayd -N
 1284  ??  S     55:48.49 /usr/sbin/shm-rtsdbd -N
 1285  ??  S      1:47.37 /usr/sbin/jsrpd -N
 1286  ??  S      2:41.78 /usr/sbin/nsd -N
 1287  ??  S      5:50.36 /usr/sbin/pkid -N
 1288  ??  S      0:00.56 /usr/sbin/appidd -N
 1289  ??  S      3:08.13 /usr/sbin/idpd -N
 1290  ??  S      8:46.55 /usr/sbin/rtlogd -N
 1291  ??  S     38:49.97 /usr/sbin/utmd -N
 1292  ??  S      0:25.08 /usr/sbin/smtpd -N
 1293  ??  S      8:57.92 /usr/sbin/wland -N
 1294  ??  S      8:19.53 /usr/sbin/mcsnoopd -N
 1295  ??  S    110:37.19 /usr/sbin/license-check -U -M -p 10 -i 10
 1296  ??  S      0:00.39 /usr/sbin/sdxd -N
17173  ??  S      7:35.50 /usr/sbin/lldpd -N
  923  u0- S      0:06.23 /usr/sbin/usbd -N
  942  u0- S      0:18.52 /usr/sbin/eventd -N -r -s -A

Control and Forwarding planes

All the functions of the control plane run on the Routing Engine (RE), whether you have a router, switch or security platform running Junos. The control plane is a set of modules with clean interfaces between them. The internal interface between the RE and the forwarding plane differs between device models, but will largely be fxp1 or bme0; you can check by running show interfaces terse. In addition, the kernel has control modules that manage all the needed communication between the components: it handles the link between the RE, the Packet Forwarding Engine (PFE) and the services. Each of the different modules provides a different control process, such as control for the chassis, Ethernet switching, routing protocols, interfaces, management and so on. As stated earlier, Junos uses a Unix-based kernel from FreeBSD; this open-source underlying kernel provides many of the essential functions of an operating system, such as the scheduling of resources. Junos protects the control plane from attack by rate-limiting the traffic that reaches the RE and by allowing firewall filters to be placed on the management interfaces.

The Packet Forwarding Engine (PFE) is the central processing element of the forwarding plane, systematically moving the packets in and out of the device. In the Junos OS, the PFE has a locally stored forwarding table. The forwarding table is a synchronized copy of all the information from the RE that the forwarding plane needs to handle each packet, including outgoing interfaces, addresses, and so on. Storing a local copy of this information allows the PFE to get its job done without going to the control plane every time that it needs to process a packet. Another benefit to having a local copy is that the PFE can continue forwarding packets, even when a disruption occurs to the control plane, such as when a routing or other process issue happens.


Routing Engine and Packet Forwarding Engine

The Packet Forwarding Engine uses application-specific integrated circuits (ASICs) chips, to perform Layer 2 and Layer 3 packet switching, route lookups, and packet forwarding. The Packet Forwarding Engine forwards packets between input and output interfaces.

The Routing Engine controls the routing updates and system management. The Routing Engine consists of routing protocol software processes running inside a protected memory environment on a general-purpose computer platform. The Routing Engine handles all the routing protocol processes and other software processes that control the routing platform’s interfaces, some of the chassis components, system management, and user access to the routing platform. These routing platform and software processes run on top of a kernel that interacts with the Packet Forwarding Engine.

The key functions of the Routing Engine are:

  • Routing protocol packet processing
  • Software modularity: software functions have been divided into separate processes, so a failure of one process has little or no effect on other software processes.
  • In-depth IP functionality: each routing protocol is implemented with a complete set of IP features and provides full flexibility for advertising, filtering, and modifying routes. Routing policies are set according to route parameters, such as prefix, prefix length, and Border Gateway Protocol (BGP) attributes.
  • Management interfaces: system management is possible with a command-line interface (CLI), a craft interface, and Simple Network Management Protocol (SNMP).
  • Storage and change management
  • Monitoring efficiency and flexibility: alarms can be generated and packets can be counted without adversely affecting packet forwarding performance.
  • Transit and Exception traffic

    Transit traffic is traffic sent by a user that isn't destined for the router, switch or gateway; the packets simply have to pass through the device to reach their end destination. For example:

    PC1 ---> Switch --> Router --> Internet

    If the PC on the left wanted to reach the Internet on the right, its packets would transit the network to get out to the Internet. Transit traffic is mostly unicast and/or multicast packets. Most of the time transit traffic will be processed entirely by the PFE, which references its local forwarding table, allowing traffic to move more quickly. It is important to note that transit traffic does not consult the Routing Engine.

    Exception traffic is traffic that is destined for the local system. For example, if you wanted to check whether the router is up you would ping its loopback address. This is regarded as exception traffic, as packets destined for the device itself require additional processing by the Routing Engine.
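As an added example (not from the original post), here is a Junos firewall filter of the kind the control-plane section above describes: applied as an input filter on lo0 it sees only exception traffic addressed to the device itself, so transit traffic is untouched, while a policer rate-limits the ICMP that is allowed through to the RE. The filter, policer and prefix-list names, the policer limits, the 10.1.10.0/24 management prefix, and the assumption that OSPF and BGP are the only routing protocols in use are all mine, not the author's.

```junos
# Added example: protect the Routing Engine with an lo0 input filter.
# Assumed (constructed) names and values: PROTECT-RE, RE-LIMIT, MGMT-HOSTS,
# the 10.1.10.0/24 management prefix and the policer limits. Adjust before use.

# Management stations allowed to reach the RE (constructed prefix)
set policy-options prefix-list MGMT-HOSTS 10.1.10.0/24

# Policer: rate-limit what reaches the RE instead of accepting it unconditionally
set firewall policer RE-LIMIT if-exceeding bandwidth-limit 1m
set firewall policer RE-LIMIT if-exceeding burst-size-limit 100k
set firewall policer RE-LIMIT then discard

# Routing protocol packets are exception traffic too; they must be permitted
# before the final discard or adjacencies and peerings will drop
set firewall family inet filter PROTECT-RE term ALLOW-OSPF from protocol ospf
set firewall family inet filter PROTECT-RE term ALLOW-OSPF then accept
set firewall family inet filter PROTECT-RE term ALLOW-BGP from protocol tcp
set firewall family inet filter PROTECT-RE term ALLOW-BGP from port bgp
set firewall family inet filter PROTECT-RE term ALLOW-BGP then accept

# Management access (SSH) only from the management prefix
set firewall family inet filter PROTECT-RE term ALLOW-MGMT from source-prefix-list MGMT-HOSTS
set firewall family inet filter PROTECT-RE term ALLOW-MGMT from protocol tcp
set firewall family inet filter PROTECT-RE term ALLOW-MGMT from destination-port ssh
set firewall family inet filter PROTECT-RE term ALLOW-MGMT then accept

# ICMP (e.g. pinging the loopback, the exception-traffic example above) is
# accepted, but only up to the policer's rate; excess is discarded
set firewall family inet filter PROTECT-RE term LIMIT-ICMP from protocol icmp
set firewall family inet filter PROTECT-RE term LIMIT-ICMP then policer RE-LIMIT
set firewall family inet filter PROTECT-RE term LIMIT-ICMP then accept

# Everything else destined for the RE is logged and discarded
set firewall family inet filter PROTECT-RE term DENY-REST then log
set firewall family inet filter PROTECT-RE term DENY-REST then discard

# Apply on the loopback: lo0 input filters see only traffic addressed to the
# device itself (exception traffic); transit traffic is not evaluated here
set interfaces lo0 unit 0 family inet filter input PROTECT-RE
```

Commit this with commit confirmed so that a filter that accidentally blocks your own management session rolls back on its own. On an SRX the security zone host-inbound-traffic settings still apply alongside this filter.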


    JNCIA Refresher #1 – User Interface

    Decided to get my act in gear and get started on my journey to becoming a JNCIE engineer. I've worked with Junos for a couple of years now (using it properly over the last 12 months!), and I would like to think I know a few bits about it, but when it comes to exams it's always good to go over the "basics".

    Before getting into it, I’ve taken a look on the Juniper JNCIA Track page to check the topics that exam takers will be expected to know:

    Networking Fundamentals
    Junos OS Fundamentals
    User Interfaces
    Junos Configuration Basics
    Operational Monitoring and Maintenance
    Routing Fundamentals
    Routing Policy and Firewall Filters

    Having a quick look over these topics, although they are pretty straightforward for me, I've always been told never to make too little of a problem! With this in mind, I'll be making a series of posts to refresh myself on the basic understanding of Junos and Juniper devices. Although I use Junos every day at work, I've said to myself that doing a bit of studying will be useful as:

    1. I may learn something new
    2. I’ll (definitely) remember something I’ve forgotten
    3. Most importantly, how things work in the real world and how things are in an exam are COMPLETELY different, so exam techniques are always needed!

    As I was going through the different topics, there were a few things I just skipped over, as I was confident enough with them! So I won't be going over those things in these posts.

    With that being said, let's begin 😀

    User Interface

    CLI modes and navigation

    With Junos, there are 3 different levels of access available. The prompt shows which level you are at:

    [email protected]_SRX% <------- the % prompt shows that we are at the Unix shell level. As Junos is based on FreeBSD, the underlying system is Unix-like, so you will be able to run a number of familiar Linux commands. You get into this shell level either by logging into your device as root or, if you are in Operational mode, by running the command start shell

    [email protected]_SRX> <------- the > prompt shows that we are at the Operational level. This is where we are able to run checks (via show commands), troubleshoot and make system requests. You will enter this mode automatically if you log in with a created user. If you are logged in as root, to get to Operational mode from the shell level you will need to run the command cli

    Operational Mode Commands
    Most used commands from this level would be:

    [email protected]_SRX> ?      
    Possible completions:
      clear                Clear information in the system
      configure            Manipulate software configuration information
      file                 Perform file operations
      help                 Provide help information
      load                 Load information from file
      monitor              Show real-time debugging information
      mtrace               Trace multicast path from source to receiver
      op                   Invoke an operation script
      ping                 Ping remote target
      quit                 Exit the management session
      request              Make system-level requests
      restart              Restart software process
      save                 Save information to file
      set                  Set CLI properties, date/time, craft interface message
      show                 Show system information
      ssh                  Start secure shell on another host
      start                Start shell
      telnet               Telnet to another host
      test                 Perform diagnostic debugging
      traceroute           Trace route to remote host

    [email protected]_SRX# <------- the # prompt shows that we are at the configuration level. This is where we can make configuration changes on the device. To get into configuration mode you will need to be in Operational mode and run either the command configure or edit

    Configuration Mode Commands
    Most used commands from this level:

    [email protected]_SRX# ?
    Possible completions:
      <[Enter]>            Execute this command
      activate             Remove the inactive tag from a statement
      annotate             Annotate the statement with a comment
      commit               Commit current set of changes
      copy                 Copy a statement
      deactivate           Add the inactive tag to a statement
      delete               Delete a data element
      edit                 Edit a sub-element
      exit                 Exit from this level
      extension            Extension operations
      help                 Provide help information
      insert               Insert a new ordered data element
      load                 Load configuration from ASCII file
      prompt               Prompt for an input
      protect              Protect the statement
      quit                 Quit from this level
      rename               Rename a statement
      replace              Replace character string in configuration
      rollback             Roll back to previous committed configuration
      run                  Run an operational-mode command
      save                 Save configuration to ASCII file
      set                  Set a parameter
      show                 Show a parameter
      status               Show users currently editing configuration
      top                  Exit to top level of configuration
      unprotect            Unprotect the statement
      up                   Exit one level of configuration
      wildcard             Wildcard operations

    The Junos configuration is organised as a hierarchy. When we enter configuration mode, the [edit] banner shows that we are at the top of the edit hierarchy:

    [edit]
    [email protected]_SRX#

    From here we are able to drill down into the different hierarchical levels and make changes that affect that particular level. For example, if we wanted to configure the interface ge-0/0/3 with the IP address 10.1.10.100/24, we could drill down the interfaces hierarchy to make the change, using the 'edit' command to change levels. It is also important to know that each hierarchical level has specific commands exclusive to that level.

    Top level
    [email protected]_SRX# edit ?
    Possible completions:
    > access               Network access configuration
    > access-profile       Access profile for this instance
    > accounting-options   Accounting data configuration
    > applications         Define applications by protocol characteristics
    > bridge-domains       Bridge domain configuration
    > chassis              Chassis configuration
    > class-of-service     Class-of-service configuration
    > ethernet-switching-options  Ethernet-switching configuration options
    > event-options        Event processing configuration
    > firewall             Define a firewall configuration
    > forwarding-options   Configure options to control packet forwarding
    > groups               Configuration groups
    > interfaces           Interface configuration
    > multi-chassis        
    > policy-options       Policy option configuration
    > protocols            Routing protocol configuration
    > routing-instances    Routing instance configuration
    > routing-options      Protocol-independent routing option configuration
    > schedulers           Security scheduler
    > security             Security configuration
    > services             Set services parameters
    > smtp                 Simple Mail Transfer Protocol service configuration
    > snmp                 Simple Network Management Protocol configuration
    > switch-options       Options for default routing-instance of type virtual-switch
    > system               System parameters
    > vlans                VLAN configuration
    > wlan                 Wireless access point configuration
    Interface level
    [edit interfaces]
    [email protected]_SRX# set ?
    Possible completions:
           Interface name
    + apply-groups         Groups from which to inherit configuration data
    + apply-groups-except  Don't inherit configuration data from these groups
      ge-0/0/0             Interface name
      ge-0/0/3             Test
      ge-0/0/6             Interface name
    > interface-range      Interface ranges configuration
    > interface-set        Logical interface set configuration
    > traceoptions         Interface trace options
    Physical Port level
    [edit interfaces ge-0/0/3]
    [email protected]_SRX# set ?
    Possible completions:
      accounting-profile   Accounting profile name
    + apply-groups         Groups from which to inherit configuration data
    + apply-groups-except  Don't inherit configuration data from these groups
      description          Text description of interface
      disable              Disable this interface
      encapsulation        Physical link-layer encapsulation
      flexible-vlan-tagging  Support for no tagging, or single and double 802.1q VLAN tagging
    > gigether-options     Gigabit Ethernet interface-specific options
      gratuitous-arp-reply  Enable gratuitous ARP reply
    > hold-time            Hold time for link up and link down
      link-mode            Link operational mode
      mac                  Hardware MAC address
      mtu                  Maximum transmit packet size (256..9192)
      native-vlan-id       Virtual LAN identifier for untagged frames (0..4094)
      no-gratuitous-arp-reply  Don't enable gratuitous ARP reply
      no-gratuitous-arp-request  Ignore gratuitous ARP request
      no-per-unit-scheduler  Don't enable subunit queuing on Frame Relay or VLAN IQ interface
      no-traps             Don't enable SNMP notifications on state changes
      passive-monitor-mode  Use interface to tap packets from another router
      per-unit-scheduler   Enable subunit queuing on Frame Relay or VLAN IQ interface
      promiscuous-mode     Enable promiscuous mode for L3 interface
      speed                Link speed
      stacked-vlan-tagging  Stacked 802.1q VLAN tagging support
    > switch-options       Front end ports configuration
    > traceoptions         Interface trace options
      traps                Enable SNMP notifications on state changes
    > unit                 Logical interface
      vlan-tagging         802.1q VLAN tagging support
    With hierarchical levels you have the option of either drilling down to the bottom of the hierarchy to make the change, or you can 'set' the full command from the top or from any hierarchical level.
    Command SET within interface hierarchy level
    [edit interfaces ge-0/0/3]
    [email protected]_SRX# set unit 0 family inet address 10.1.100.100/24
    Command SET from top level
    [edit]
    [email protected]_SRX# set interface ge-0/0/3 unit 0 family inet address 10.1.100.100/24
    Hierarchy Commands

    edit = Moves you down to the level you need
    up = Moves you one level up from the current hierarchical level
    top = Moves you to the top of the configuration hierarchy

    CLI Help

    One very useful command (that I only just learnt about myself!) is the help command. This command shows you the inbuilt documentation that is on all Juniper devices. The options most likely to be used are reference, apropos and topic.

    [email protected]_SRX# help ?   
    Possible completions:
      <[Enter]>            Execute this command
      apropos              Find help information about a topic
      reference            Reference material
      syslog               System log error messages
      tip                  Tip for the day
      topic                Help for high level topics
      |                    Pipe through a command

    The topic option gives you detail, description and context about a particular topic on the device.

    Help Topic Example
    [email protected]_SRX# help topic interfaces address   
                           Configuring the Interface Address
    
       You assign an address to an interface by specifying the address when
       configuring the protocol family. For the inet or inet6 family, configure
       the interface IP address. For the iso family, configure one or more
       addresses for the loopback interface. For the ccc, ethernet-switching,
       tcc, mpls, tnp, and vpls families, you never configure an address.
    
       +------------------------------------------------------------------------+
       |       | The point-to-point (PPP) address is taken from the loopback    |
       | Note: | interface address that has the primary attribute. When the     |
       |       | loopback interface is configured as an unnumbered interface,   |
       |       | it takes the primary address from the donor interface.         |
       +------------------------------------------------------------------------+
    
       To assign an address to an interface, include the address statement:
         address address {
             broadcast address;
             destination address;
             destination-profile name;
             eui-64;
             preferred;
             primary;
         }
       You can include these statements at the following hierarchy levels:
         * [edit interfaces interface-name unit logical-unit-number family
           family]
         * [edit logical-systems logical-system-name interfaces interface-name
           unit logical-unit-number family family]
       In the address statement, specify the network address of the interface.
       For each address, you can optionally configure one or more of the
       following:
         * Broadcast address for the interface subnet-Specify this in the
           broadcast statement; this applies only to Ethernet interfaces, such as
           the management interface fxp0, em0, or me0 the Fast Ethernet
           interface, and the Gigabit Ethernet interface.
         * Address of the remote side of the connection (for point-to-point
           interfaces only)-Specify this in the destination statement.
         * PPP properties to the remote end-Specify this in the
           destination-profile statement. You define the profile at the [edit
           access group-profile name ppp] hierarchy level (for point-to-point
           interfaces only).
         * Whether the router or switch automatically generates the host number
           portion of interface addresses-The eui-64 statement applies only to
           interfaces that carry IPv6 traffic, in which the prefix length of the
           address is 64 bits or less, and the low-order 64 bits of the address
           are zero. This option does not apply to the loopback interface (lo0)
           because IPv6 addresses configured on the loopback interface must have
           a 128-bit prefix length.
    
           +-------------------------------------------------------------+
           | Note: | IPv6 is not currently supported for the QFX Series. |
           +-------------------------------------------------------------+
    
         * Whether this address is the preferred address-Each subnet on an
           interface has a preferred local address. If you configure more than
           one address on the same subnet, the preferred local address is chosen
           by default as the source address when you originate packets to
           destinations on the subnet.
    
           By default, the preferred address is the lowest-numbered address on
           the subnet. To override the default and explicitly configure the
           preferred address, include the preferred statement when configuring
           the address.
                                            
         * Whether this address is the primary address-Each interface has a
           primary local address. If an interface has more than one address, the
           primary local address is used by default as the source address when
           you send packets from an interface where the destination provides no
           information about the subnet (for example, some ping commands).
       By default, the primary address on an interface is the lowest-numbered
       non-127 (in other words, non-loopback) preferred address on the interface.
       To override the default and explicitly configure the preferred address,
       include the primary statement when configuring the address.
         * Configuring Interface IPv4 Addresses
         * Configuring Interface IPv6 Addresses
    
      Related-Topics
    
            * Configuring IPCP Options
            * Configuring Default, Primary, and Preferred Addresses and
              Interfaces

    The reference option shows the command structure; it is a type of configuration assistance, as it provides all the possible configuration syntax that's available for that topic.

    Help Reference Example
    [email protected]_SRX# help reference interfaces address 
    address
    
      Syntax
    
         address address {
             arp ip-address (mac | multicast-mac) mac-address ;
             broadcast address;
             destination address;
             destination-profile name;
             eui-64;
             master-only;
             multipoint-destination address dlci dlci-identifier;
             multipoint-destination address {
                 epd-threshold cells;
                 inverse-arp;
                 oam-liveness {
                     up-count cells;
                     down-count cells;
                 }
                 oam-period (disable | seconds);
                 shaping {
                     (cbr rate | rtvbr peak rate sustained rate burst length |
         vbr peak rate sustained rate burst length);
                     queue-length number;
                 }
                 vci vpi-identifier.vci-identifier;
             }
             primary;
             preferred;
             (vrrp-group | vrrp-inet6-group) group-number {
                 (accept-data | no-accept-data);
                 advertise-interval seconds;
                 authentication-type authentication;
                 authentication-key key;
                 fast-interval milliseconds;
                 (preempt | no-preempt) {
                     hold-time seconds;
                 }
                 priority-number number;
                 track {
                     priority-cost seconds;
                     priority-hold-time interface-name {
                         interface priority;
                         bandwidth-threshold bits-per-second {
                             priority;
                         }
                     }
                     route ip-address/mask routing-instance instance-name
         priority-cost cost;
                 }
                 virtual-address [ addresses ];
             }
         }
    
      Hierarchy Level
    
         [edit interfaces interface-name unit logical-unit-number family family],
         [edit logical-systems logical-system-name interfaces interface-name unit
         logical-unit-number family family]
    
      Release Information
    
         Statement introduced before Junos OS Release 7.4.
         Statement introduced in Junos OS Release 9.0 for EX Series switches.
         Statement introduced in Junos OS Release 11.1 for QFX Series switches.
    
      Description
    
         Configure the interface address.
    
         +----------------------------------------------------------------------+
         | Note: | The vrrp High Availability functionality is not available    |
         |       | for the QFX Series switches                                  |
         +----------------------------------------------------------------------+
    
      Options
    
         address-Address of the interface.
    
         The remaining statements are explained separately.
    
         +----------------------------------------------------------------------+
         | Note: | The edit logical-systems hierarchy is not available on       |
         |       | QFabric switches.                                            |
         +----------------------------------------------------------------------+
    
      Required Privilege Level
    
         interface-To view this statement in the configuration.
         interface-control-To add this statement to the configuration.
    
      Related-Topics
    
            * Configuring the Protocol Family
            * negotiate-address
            * unnumbered-address (Ethernet)
            * Junos OS System Basics Configuration Guide
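To tie the reference above back to a real configuration, here is the `address` statement entered in set form with a VRRP group attached. This is an added example, not part of the original post or of Juniper's documentation; the interface name, addresses, group number and key are placeholder values I have assumed.

```junos
# Assumed values: ge-0/0/0, the 10.0.0.0/24 subnet, VRRP group 1 and a placeholder key.
# The physical address goes under [edit interfaces ... family inet] exactly as the
# hierarchy level in the help output shows.
set interfaces ge-0/0/0 unit 0 family inet address 10.0.0.2/24

# The VRRP options from the reference hang off that address. virtual-address is the
# shared gateway IP that hosts point at; the real CLI keyword for the priority is
# "priority" (the help text prints it as priority-number).
set interfaces ge-0/0/0 unit 0 family inet address 10.0.0.2/24 vrrp-group 1 virtual-address 10.0.0.1
set interfaces ge-0/0/0 unit 0 family inet address 10.0.0.2/24 vrrp-group 1 priority 200
set interfaces ge-0/0/0 unit 0 family inet address 10.0.0.2/24 vrrp-group 1 preempt hold-time 30
set interfaces ge-0/0/0 unit 0 family inet address 10.0.0.2/24 vrrp-group 1 accept-data

# authentication-type md5 with a shared key stops a rogue host on the segment from
# winning the election simply by advertising a higher priority; simple (plaintext)
# authentication offers no real protection against that.
set interfaces ge-0/0/0 unit 0 family inet address 10.0.0.2/24 vrrp-group 1 authentication-type md5
set interfaces ge-0/0/0 unit 0 family inet address 10.0.0.2/24 vrrp-group 1 authentication-key "REPLACE-WITH-REAL-KEY"

# Validate before committing, then confirm the group state on both routers.
commit check
commit
show vrrp
```

After the commit, `show configuration interfaces ge-0/0/0 | display set` shows the key only in its encrypted `$9$` form marked `## SECRET-DATA`, so the plaintext never appears in a saved config. `show vrrp` should report one router as master and its peer as backup; if both show master, the two ends disagree on the group number, authentication type or key.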

    The Apropos option lists all the commands that contain the word you are looking for. In Operational Mode this covers the clear, show and help commands; in Configuration Mode it covers the set commands.

    Help Apropos Example
    [email protected]_SRX# help apropos lldp  
    set logical-systems  protocols lldp 
        Link Layer Detection Protocol
    set logical-systems  protocols lldp disable 
        Disable LLDP
    set logical-systems  protocols lldp traceoptions 
        Trace options for LLDP
    set logical-systems  protocols lldp management-address  
        LLDP management address
    set logical-systems  protocols lldp advertisement-interval  
        Transmit interval for LLDP messages
    set logical-systems  protocols lldp transmit-delay  
        Transmit delay time interval for LLDP messages
    set logical-systems  protocols lldp hold-multiplier  
        Hold timer interval for LLDP messages
    set logical-systems  protocols lldp lldp-configuration-notification-interval  
        Time interval for LLDP notification
    set logical-systems  protocols lldp interface disable 
        Disable LLDP
    set logical-systems  protocols lldp-med 
        LLDP Media Endpoint Discovery
    set logical-systems  protocols lldp-med disable 
        Disable LLDP
    set logical-systems  protocols lldp-med interface disable 
        Disable LLDP
    set logical-systems  protocols dot1x authenticator interface lldp-med-bypass 
        Bypass dot1x authentication, use lldp-med based authentication
    set protocols lldp 
        Link Layer Detection Protocol
    set protocols lldp disable 
        Disable LLDP
    set protocols lldp traceoptions 
        Trace options for LLDP
    set protocols lldp management-address  
        LLDP management address
    set protocols lldp advertisement-interval  
        Transmit interval for LLDP messages
    set protocols lldp transmit-delay  
        Transmit delay time interval for LLDP messages
    set protocols lldp hold-multiplier  
        Hold timer interval for LLDP messages
    set protocols lldp lldp-configuration-notification-interval  
        Time interval for LLDP notification
    set protocols lldp interface disable 
        Disable LLDP
    set protocols lldp-med 
        LLDP Media Endpoint Discovery
    set protocols lldp-med disable 
        Disable LLDP
    set protocols lldp-med interface disable 
        Disable LLDP
    set protocols dot1x authenticator interface lldp-med-bypass 
        Bypass dot1x authentication, use lldp-med based authentication
    set vlans  dot1q-tunneling layer2-protocol-tunneling lldp 
        Tunnel LLDP PDUs

    Keyboard shortcuts are worth knowing, as they let you enter configuration commands more quickly and spend less time staring at the screen (which is always nice :D)

    Keyboard Commands
    ctrl + b = moves the cursor one to the left (backward)
    ctrl + f = moves the cursor one to the right (forward)
    ctrl + a = moves the cursor to the beginning of the line
    ctrl + e = moves the cursor to the end of the line
    ctrl + d = deletes the character that the cursor is on
    ctrl + w = deletes the word left of the cursor
    ctrl + k = deletes everything on the right of the cursor
    ctrl + u = deletes the whole line