Juniper JNCIA-Junos JN0-104 – Section 4: Configuration Basics
April 20, 2023

38. Factory-default Configuration

Let’s talk about the factory-default configuration found on a Junos device. All platforms running Junos are shipped with a factory-default configuration, so a brand new Junos device will be running the factory-default configuration. Every factory-default configuration allows access using the root account, and by default the root account does not have a password. Before you can make any configuration changes, a root password must be configured. It is important to keep in mind that the factory-default configuration is not the same for every Junos device.

It can vary from one platform family to another, or even between different models within the same platform family. For example, let’s say we have a Junos device that is supposed to function as a switch and another Junos device that is supposed to function as a router or a firewall. The factory-default configuration on these two devices will be different, because they are purpose-built for different functions: the first one is supposed to function as a switching device, while the second one is supposed to function as a router or a firewall. So the factory-default configuration does not have to be the same on every Junos device. The factory-default configuration also includes system logging. System logging is responsible for tracking system events.

It writes those events to predefined log files. Here’s an example of the system logging configuration found on a device that’s running the factory-default configuration. This is not the entire factory-default configuration, just the system logging portion of it. Let’s quickly understand it. We are at the [edit] hierarchy, which is the top of the configuration, and from there we’ve executed the command show system syslog. The first statement is user * any emergency. This statement, which you would configure with set system syslog user * any emergency, causes the user to be notified of any emergency-level messages generated by any facility. We haven’t talked about facilities yet, but just to give you a preview: a facility is a group of messages that are generated by the same source or that concern a similar situation or condition, like all authentication activities. So this configuration will notify the user of all emergency-level messages generated by any facility. Also under the syslog configuration, a file called messages is defined, which logs messages of any level from any facility and also logs messages of info level from the authorization facility.

It also defines another file called interactive-commands, which logs messages of any level from the interactive-commands facility, which essentially means any command that you type on the device will be saved in a file called interactive-commands. Right now we do not have to worry about the meaning of this configuration; we have another lecture where we’ll talk about the syslog configuration. This is just to give you an idea of what the system logging configuration looks like on a device running the factory-default configuration. An important thing to keep in mind: when you’re running the factory-default configuration, the default hostname of the device is Amnesiac. This is very, very important for you to remember. Here’s a screenshot of a device that is running the factory-default configuration, and you can see at the top that it says Amnesiac. From the examination perspective, this is very, very important to remember: on a device that’s running the factory-default configuration, you will see the word Amnesiac. Also keep in mind that if you need to return the device to the factory-default configuration, there’s a command to do that from configuration mode, load factory-default. When we do that, the entire configuration of the device is reverted to the factory-default configuration.

39. Initial Configuration

Let’s perform some initial configuration on the Junos device. So far we’ve been looking at the configuration and understanding the different ways to configure a Junos device. Starting with this section, we’re going to actually configure the Junos device. In this first video, called Initial Configuration, we’ll understand how to set the root authentication password, how to set up SSH and Telnet access, how to configure the hostname, domain name and name servers, how to set the time zone and the date of the device, and then how to configure a login message and the CLI idle timeout. Let’s get to the Junos terminal and start the configuration. I’ll SSH to root at the public IP address, and I’m logged in. First, enter the CLI, and let’s start with the root authentication setup. We need to go to configuration mode; the command to set up root authentication is set system ?, and if I press the spacebar here we see the option called root-authentication. An important thing to keep in mind, and we spoke about this earlier too: on a new Junos device,

You only have the root user account, without any password. But before you make any configuration changes, you will need to set the root authentication password on the device. I already have a root password, but we can do it one more time. So let’s do set system root-authentication ?. You’ll notice we have multiple options to set the password. We can do plain-text-password, which means we’ll need to type the password on the terminal. If you’re going to provide a password that has already been encrypted, you can use the option called encrypted-password. If you want to load a key file that has been generated using the ssh-keygen command, you can use load-key-file. If you do not want to allow SSH public key based authentication, you can say no-public-keys. And if you want to provide a public key for SSH access using any one of these protocols, we can use the commands over here: ssh-rsa, ssh-ecdsa, ssh-dsa and ssh-ed25519. For this example, I’m going to choose plain-text-password, so set system root-authentication plain-text-password, and now we can press enter and set the password. All right, that’s completed. Now I’m going to issue a commit and try to log in using the new password, not the original one. So ssh root@ the public IP address, then I’ll provide the newly configured password, and now I’m logged in. Let’s go to the next configuration. We’re going to understand how to set up SSH and Telnet access. For that, we need to go to edit system services. Let’s press enter and do a show here, and we can see that the SSH protocol is already configured. But let’s see what options are available, so let’s do set ssh ?. You will see we have many options here.
Now we don’t need to worry about all of these options at the JNCIA level, but there are some things that you should know. For example, root-login controls whether you want to permit root login via SSH or not. The next one is protocol-version: on newer versions of Junos you only have v2 available; if you’re using an older version of Junos, you will also see support for v1. v2 is the recommended version. Over here we have rate-limit, which limits the number of connections per minute. Here we can set the port number on which to accept incoming SSH connections. If you’d like to disable password-based authentication for SSH, we can use no-passwords.

Alternatively, if you want to disable public key based authentication, you can do no-public-keys. And if you want to set the maximum number of allowed connections, you can do connection-limit. So there’s a bunch of options supported here. Let’s talk about Telnet. Let’s do set ?, and here we have the option telnet to allow Telnet login. Let’s do set telnet ?, and you will notice we have fewer options. By the way, I should mention that using Telnet is not a recommended practice because it’s not a secure protocol, so you should avoid Telnet as far as possible, but you should know how to configure it. It’s configured under edit system services, and when I do set telnet ? there are a couple of options I can configure: rate-limit, which allows you to specify the maximum number of connections per minute, and connection-limit, which allows you to specify the maximum number of connections allowed. So that’s how you would configure SSH and Telnet.

Now let’s understand how to configure the hostname, domain name and name servers. All of that configuration is under the edit system hierarchy, so let’s do edit system and start with set ?. The first configuration is host-name, which can be found over here. Keep in mind that I am under the edit system hierarchy, so I’m only typing the relevant portion of the command; if you’re doing this from the top of the configuration hierarchy, you would have to type the full command, which is set system host-name. So set host-name, and let’s give this a hostname. Let’s call this SRX-remote.

The next command is to set the domain name. If this SRX device is going to be part of a domain, you could do set domain-name ? and provide your domain name. Right now this is a standalone device, not part of a domain, so I’m not going to configure that. The next command is to set the name servers, so let’s do set ?, and here’s the configuration: name servers are used to resolve FQDNs to IP addresses. To set the name server I’ll do set name-server, and you can see I already have a name server configured, which is 4.2.2.2. Let’s add one more on top of this, 8.8.8.8. Now if I do show name-server, I should see two name servers. By the way, this is how Junos works: unless you delete an element, it’s not going to replace it. If you configure an element, it’s added as new configuration, as you can see here. So if your intent was to replace 4.2.2.2 with 8.8.8.8, you would have to first delete the existing element and then configure the new one, or the other option is to rename the element.

Let me show you an example. Let’s do delete name-server 4.2.2.2 and then show name-server. Now let’s say I wanted to replace 8.8.8.8 with 4.2.2.2. I could do rename name-server 8.8.8.8, which is the existing configuration we’re trying to rename, then the keyword to, and then the new address we want to use, 4.2.2.2. If I do show name-server now, you can see that we replaced 8.8.8.8 with 4.2.2.2. So an important thing to keep in mind: when you try to replace a configuration element, you must either delete it and add the new configuration, or rename the existing configuration.

Now let’s understand how to configure the time zone. Let’s do set ?, and the option is time-zone. Make a note that we are still under the edit system hierarchy. Set time-zone ? lists all the possible time zones. I’m in London, so I’m going to use Europe/London, which can be found over here. The good thing about this is that if your city or your place is not listed here, you can set the time zone as an offset to GMT, so you could do GMT plus something or GMT minus something. I’ll Ctrl-C out of here and set this to Europe/London. That’s done. Now let’s commit the configuration. The next thing we’ll understand is how to set the date. The date is not set from configuration mode: if I do set ?, you’ll notice I do not have any option to set the date here. The date is set from operational mode, so we’ll exit out, and notice that the new hostname has taken effect. Let’s do set ?, and here we have the option to set the date.

So set date. We have two options here: we can configure the date and time manually, or we can sync up with an NTP server, and the device will automatically fetch the date and time from the configured NTP server. We’ll talk about that a bit later in the course, but right now we’ll understand how to set it manually. Notice that you have a format to follow. So I’ll do set date followed by the year, 2020, then the month, 04, then the day, 13, then the hour, 10, the minutes, 18, and the seconds, which I’ll put as 00. That’s done; the date has now been configured. The next thing we’ll understand is how to configure a login message. Login messages are very important, especially in environments where you have multiple users accessing the device. This is usually found in security operations centers, where hundreds and possibly thousands of devices are managed and you’ll usually have multiple engineers connecting to the device, so you want to make sure you put out a message or a disclaimer when somebody is trying to log in. That’s the purpose of configuring a login message. So we’ll do set system, and this time we are configuring from the top of the configuration hierarchy, [edit], since it’s a system configuration command. Let’s do set system ?; here we should see login, so set system login ?, and here’s the command, message. I’ll start with a question mark so we can see how to type the message. I’m going to use double quotes and I’m going to say "All logins are monitored!"

And close the quotation, then commit. Let’s try to log in and see if we can see that message. Let me SSH in again, and straight away we can see the message: All logins are monitored! Back in the device, let’s look at one last configuration, which is setting the CLI idle timeout. That configuration is performed from operational mode, which is where I am right now. So set ?, cli, and we have the option idle-timeout. Here we can see the possible values: you can do 0 all the way up to 100,000 minutes. If you set it to 0, that means you are disabling the idle timeout. I’ll set this to ten minutes. We don’t have to do any commit for this because we are not in configuration mode, just operational mode. All right, back over here, we’ve understood how to configure all of these items. Just keep in mind that these are not the actual set commands that you would type on the device; this is just a summary of what we had to configure in this video.

40. Login Classes

Let’s talk about login classes. A login class is a set of one or more permissions that can be associated with a user account. All users who can log into a Junos device must have a login class. So simply put, a login class is a collection of one or more permissions that can be associated with a user account. It allows you to define access privileges on the device, the commands that users can or cannot execute, and the session idle time for a specific user. On the Junos device you have some predefined login classes; in fact, we have four of them. The first one is called super-user: if a user belongs to the super-user login class, they get all permissions, read permissions, write permissions, view permissions, etc. The next login class is operator, which allows the clear, network, reset, trace and view permissions. Third, we have read-only: if you belong to the read-only login class, you only get view permissions. And finally we have unauthorized, which does not allow any permissions at all. So these are the predefined login classes.

We can associate a user with any of these predefined login classes, or we also have the option to define a custom login class where we can customize everything the way we want to. Let’s take a look at this from the Junos terminal. All right, I’m here at the terminal. I’ll first enter configuration mode, and let’s take a look at the predefined login classes first. We’ll do set system login and start by defining a user, because when you define a user you need to associate the user with a login class, and that’s when you can see the predefined login classes. So set system login user, and I need to provide a user name; let’s just call this user admin for now. Question mark, and we need to associate the user with a class, so let’s do class ?, and here we can see the predefined login classes. super-user has all permissions; operator has clear, network, reset, trace and view permissions; read-only has view permissions; and unauthorized has no permissions. An important thing to keep in mind is that predefined login classes cannot be edited; you have to use them as they are. But the good part is that we can define custom login classes.

Let’s try that. I’ll erase this command and first enter edit system login. Let’s do set ? and try to define a new class: set class ?. We need to give it a name. I’m just going to call it demo for now, because I don’t want to define it; I just want to see the options available while defining a class. So question mark, and here we can see the different options available for configuration. Within a class, we can define access-start and access-end, which means all users that belong to this login class can only access the device within the defined start and end time. We can define allow-commands, the commands the user is allowed to execute, or we can use allow-commands-regexps to write a regular expression to match the commands. Or we can do allow-configuration if we want to allow specific configuration for the user.

Or we can do allow-configuration-regexps. We can define the days on which the user is allowed to log into the device. And then we can do deny-commands, deny-commands-regexps, deny-configuration and deny-configuration-regexps. There are many options here, and we do not need to worry about all of them at the JNCIA level; we just need to look at the important ones right now. The other option here is idle-timeout. We can display system alarms when the user logs in, we can choose to execute a script when the user logs in, we can show a tip when the user logs in, or we can set specific permissions. Now, when I go into the permissions section and do a question mark, you will notice that every permission has two variations: you’ve got access and then you’ve got access-control, you’ve got admin and then admin-control, going down here you’ve got firewall and firewall-control, and then you’ve got interface and interface-control.

All of these are top-level CLI commands. If I exit out from here, go to the top and do set ?, these are the top-level CLI commands. All of these commands will have two variations when you define a class: one is simple, just the name, and the other has -control appended to it. The difference is this. Let me go back to the command set system login class demo permissions ?. If you only provide the access permission, that means the person can only view that configuration, whereas if you provide access-control, that person can modify that configuration. The same applies to interface: if you only provide the interface permission, the user can only view the interface configuration, but if you provide the interface-control permission, that person can modify the interface configuration. These are called permission bits: this is one permission bit and this is the second permission bit. Just one of those things to keep in mind. So these are the options that are available when configuring a login class. Now let’s try to configure a login class together. I’m going to show you the configuration requirement.

Here it is. We are required to create a login class called vendors that allows login from 9:00 a.m. to 5:00 p.m., only from Monday to Friday. It allows the ping command from operational mode, but it does not allow any command that begins with request, so request commands are not allowed. It also allows you to perform interface configuration. Let’s see how we can configure this from the terminal. Back over here, let’s do edit system login and start defining the login class: edit class vendors. Now we are in a specific configuration hierarchy, edit system login class vendors. The first requirement was that it should only allow login from 9 a.m. to 5 p.m., so let’s do that. Set ?, and I’m using this keyword here, access-start. Let’s do a question mark.

We need to provide hours and minutes, so that’s going to be 09:00. Sorry, I pressed enter there, so I’m just going to delete access-start and set it again: set access-start 09:00, then set access-end 17:00, 9 a.m. to 5 p.m. We only need to allow login from Monday to Friday, so we’ll do set and use the keyword allowed-days. Let’s do a question mark. We want to provide five values, Monday to Friday, so we’ll use square brackets and say monday, tuesday, wednesday, thursday, friday, close the bracket and press enter. At this point let’s do a show. This is what we’ve configured so far, and what you see here is the time zone on the device; my device is set to the UTC time zone. The other requirement was that it should allow the ping command from operational mode, so let’s do set ?.

We are going to say set allow-commands ping. It also said that we should deny any request command, so we’ll do set deny-commands, and if you do a question mark here you will not actually see any options; you have to type it in. So set deny-commands request. Let’s do a show: the allow command is ping and the deny command is request. There’s one more thing we need to do: it should allow interface configuration. So we’ll do set permissions and do a question mark. Here’s a question for you: should I use interface or interface-control? If I use interface, the user will only be allowed to view the interface configuration, but we want the user to be able to configure the interfaces, so we’ll do set permissions interface-control. Let’s do a show, and this is the configuration so far. We’ve done everything correctly, but there’s one thing missing. If I save this right now and associate this login class with a user, they can log in at these times and they can try these commands from operational mode, but the interface configuration will not work.

The reason is that before the user can configure the interfaces, they need permission to enter configuration mode. If they cannot enter configuration mode, how would they configure the interfaces? So the last thing that’s missing is set permissions with this option here, configure, which allows the user to enter configuration mode. That was the tricky one: set permissions configure. Let’s do a show. This is what the configuration looks like: we are defining a new login class called vendors that allows access Monday to Friday from 9:00 a.m. to 5:00 p.m., allows ping commands, denies request commands, allows entering configuration mode, and allows configuring the interfaces.
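As an added example (not part of the lecture and not Juniper’s own code), here is a small Python model of the vendors login class built above: it parses the set commands from the lecture and answers whether a user can log in at a given time, run a given operational command, or view and modify a hierarchy guarded by a permission bit. The start-anchored matching of allow-commands and deny-commands, deny taking precedence, and treating the access window as half-open are assumptions of this model, not documented Junos behaviour.

```python
# Added example, not the lecture's or Juniper's code: a model of the vendors
# login class; the matching and precedence rules below are assumptions.
import re
import shlex
from datetime import datetime, time

# Constructed transcript of the set commands typed in the lecture under
# [edit system login class vendors], one per line.
VENDORS_CLASS = """
set access-start 09:00
set access-end 17:00
set allowed-days [ monday tuesday wednesday thursday friday ]
set allow-commands ping
set deny-commands request
set permissions interface-control
set permissions configure
"""
# Index matches datetime.weekday(): 0 is Monday.
DAYS = ("monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday")

def parse_class(text):
    """Turn 'set ...' lines into a policy dict; unknown statements raise."""
    policy = {"access_start": None, "access_end": None, "allowed_days": set(),
              "allow_commands": [], "deny_commands": [], "permissions": set()}
    for line in text.strip().splitlines():
        tokens = shlex.split(line)
        if len(tokens) < 3 or tokens[0] != "set":
            raise ValueError(f"not a set statement: {line!r}")
        key = tokens[1].replace("-", "_")
        values = [t for t in tokens[2:] if t not in ("[", "]")]
        if key in ("access_start", "access_end"):
            hour, minute = (int(v) for v in values[0].split(":"))
            policy[key] = time(hour, minute)
        elif key == "allowed_days":
            policy[key].update(v.lower() for v in values)
        elif key in ("allow_commands", "deny_commands"):
            policy[key].extend(values)
        elif key == "permissions":
            policy[key].update(values)
        else:
            raise ValueError(f"unsupported statement: {tokens[1]}")
    return policy

def can_login(policy, when):
    """Allowed day and within [access-start, access-end), compared in the
    device's local time (UTC in the lecture); `when` may be an ISO string."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    if policy["allowed_days"] and DAYS[when.weekday()] not in policy["allowed_days"]:
        return False
    start, end = policy["access_start"], policy["access_end"]
    return not (start and end) or start <= when.time() < end

def _matches(pattern, command):
    # Assumption: a pattern is a regex anchored at the start of the command
    # and ending at a word break, so 'request' covers 'request system reboot'.
    return re.match(pattern + r"(\s|$)", command) is not None

def command_allowed(policy, command):
    """Operational-mode check: deny patterns win (assumption); the configure
    command needs the configure bit; anything else must match allow-commands."""
    if any(_matches(p, command) for p in policy["deny_commands"]):
        return False
    if command.split()[0] == "configure":
        return "configure" in policy["permissions"]
    return any(_matches(p, command) for p in policy["allow_commands"])

def config_allowed(policy, bit, modify):
    """Configuration-mode check for a bit such as 'interface': entering needs
    configure, viewing needs <bit> or <bit>-control, modifying <bit>-control."""
    if "configure" not in policy["permissions"]:
        return False  # the step the lecture calls the tricky one
    control = f"{bit}-control" in policy["permissions"]
    return control if modify else control or bit in policy["permissions"]
```

Dropping the last set line from VENDORS_CLASS reproduces the lecture’s mistake: the user can log in and ping, but every configuration check fails because configuration mode cannot be entered.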
