Tag Archives: TRAPS

Notas estudo JNCIA-Junos parte 3

Interface Overview

fxp0 e me0 para management

fxp1 e em0 para a internal (interligação entre o Control e Forwarding Plane)

Interface Naming

es: Encryption interface;
gr: Generic route encapsulation tunnel interface;
ip: IP-over-IP encapsulat ion tunnel interface;
ls: Link services interface;
ml: Multilink interface;
mo: Passive monitoring interface;
mt: Multicast tunnel interface;
sp: Adaptive services interface;
vt: Virtual loopback tunnel interface.
lo0 : Loopback interface;
ae: Aggregated Ethernet interface;
as : Aggregated SONET interface;
vlan : VLAN interface

Algumas das interfaces internas criadas (não configuráveis)pelo JunOS:
• gre
• mtun
• ipip
• tap

FPC – Flexible PIC Concentrator
Line card (FPC) slot number
Interface card (PIC) slot number
Nota: A numberacao dos slots/portas comeca em 0
ge-0/2/3 = porta 3 na PIC slot 2 na PFC slot 0

Logical Units

Consideradas como subinterfaces, podem ter mais do que uma family pexemplo inet e inet6

Configurar Autenticação

Suporta Radius e Tacacs+

Definir uma class com privilégios

Existem 4 class por defeito operator,read-only,super-user e unauthorized
Um user só pode ser atribuído a uma class

set system login class juniper permissions reset permissions view permissions view-configuration
set system login user walter class juniper

Nota: A permissão de reset permite reiniciar processos, mas não fazer reboot pexemplo

[email protected]> show configuration
## Last commit: 2014-05-25 17:11:18 WEST by root
version /* ACCESS-DENIED */;
/* nao mudem o NTP */
system { /* ACCESS-DENIED */ };
/* n mudem interface */
interfaces { /* ACCESS-DENIED */ };
protocols { /* ACCESS-DENIED */ };

Definição do Radius Server

[email protected]#  set system radius-server 10.10.10.10  secret  Juniper
[edit]
[email protected]#  set system authentication-order radius tacplus+
[edit]
[email protected]#  commit

Pelo menos um dos métodos de authentication-order deve responder (alive), caso contrário é feita autenticação local

R1 (ttyp0)

login: nancy
Password:
Local password:

Logging

By default o ficheiro de logging primário e /var/messages

O syslog pode ser definido através dos comandos:

edit system syslog
edit routing-options options syslog

set system syslog user * any emergency
set system syslog file messages any any
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands any
set system syslog file config-changes change-log info
set system syslog host 10.1.1.1 any notice
set system syslog host 10.1.1.1 authorization info

Interpretar as mensagens do syslog

Timestamp, Host , Process ou PID , message code, message text

May 26 14:27:17  R1 mgd[1366]: UI_COMMIT_PROGRESS: Commit operation in progress:  notifying eventd(80)
commit complete

Para incluir a Severity é necessário configurar o comando explicit-priority
set system syslog file messages explicit-priority

May 26 14:38:13  R1 mgd[1366]: %INTERACT-6-UI_COMMIT_PROGRESS: Commit operation in progress: notifying daemons of new configuration

É possível obter ajuda na interpretação de uma mensagem de log através da própria CLI

[email protected]# help syslog UI_COMMIT_PROGRESS
Name:          UI_COMMIT_PROGRESS
Message:       Commit operation in progress:
Help:          mgd recorded step in commit operation
Description:   As it performed a commit operation, the management process (mgd)
recorded its execution of the indicated step.
Type:          Event: This message reports an event, not an error
Severity:      info

Traceoptions

*Equivalente ao Debug em Cisco*

O JunOS permite enviar o tracing para ficheiro/syslog

Para redefinir um syslog server diferente usar:

set system tracing destination-override syslog host 10.1.1.2

Exemplo Tracing Hello OSPF

O size pode ser representado por K,M,G indicando (KB, MB e GB)
Cao o trace exceda o size, o ficheiro é divido no numero de ficheiros indicados começando em trace-file.0 trace-file.1 …

set protocols ospf traceoptions file ospf-trace
set protocols ospf traceoptions file size 128m
set protocols ospf traceoptions file files 10
set protocols ospf traceoptions file world-readable
set protocols ospf traceoptions flag hello detail
set protocols ospf traceoptions flag error detail
set protocols ospf traceoptions flag event detail

[email protected]# run file show /var/log/ospf-trace
May 26 14:52:47 trace_on: Tracing to “/var/log/ospf-trace” started
May 26 14:52:47.821578 Interface em5.101 area 0.0.0.0 event NeighborChange
May 26 14:52:47.835103 IFL em5.32767 iflchange 0x0
May 26 14:52:47.836167 IFL em5.110 iflchange 0x0
May 26 14:52:47.836334 IFL em5.102 iflchange 0x0
May 26 14:52:47.836498 IFL em5.101 iflchange 0x0
May 26 14:52:47.836643 IFL em5.0 iflchange 0x0
May 26 14:52:47.836793 IFL lo0.16385 iflchange 0x0
May 26 14:52:47.836891 IFL lo0.16384 iflchange 0x0
May 26 14:52:47.837115 IFL lo0.0 iflchange 0x0
*
*(omitido)
*
May 26 14:52:47.867410 OSPF updated PPM interface IFL 84, addr 172.20.110.1, area 0.0.0.0, ID 0.0.0.0, rtbl idx 0
May 26 14:52:47.867614 OSPF cannot stop xmit from 172.20.101.1 to 224.0.0.5 (IFL 82, area 0.0.0.0, ID 0.0.0.0, rtbl idx 0)
May 26 14:52:47.867816 OSPF cannot stop xmit from 172.20.110.1 to 224.0.0.5 (IFL 84, area 0.0.0.0, ID 0.0.0.0, rtbl idx 0)
May 26 14:52:47.868182 OSPF cannot stop xmit from 172.20.101.1 to 224.0.0.5 (IFL 82, area 0.0.0.0, ID 0.0.0.0, rtbl idx 0)
May 26 14:52:47.873156 OSPF cannot stop xmit from 172.20.110.1 to 224.0.0.5 (IFL 84, area 0.0.0.0, ID 0.0.0.0, rtbl idx 0)

Operadores AND e OR

Operador AND
[email protected]# run show log messages | find “May 26” | match “error”

Operador OR
[email protected]# run show log messages | match “May 26” | match “error|kernel”

Monitorizar as mensagens de log
[email protected]>  monitor start messages | match fail

Parar de receber mensagens
[email protected]>  monitor stop

NTP

set system ntp server 10.10.10.10
set system ntp boot-server 10.10.10.10

[email protected]# run show ntp associations
remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*10.10.10.10         .INIT.          16 –  395 1024    0    0.000    0.000 4000.00

O * significa que é o host selecionado para sincronização
Archiving

Realizar backups via FTP/SCTP da configuração após commit, o uso de vários destinos permite  que caso o site primário falhe seja usado o 2 site e assim em diante

set system archival configuration transfer-on-commit
set system archival configuration archive-sites “ftp:[email protected]:/archive” password #FAZER!SEMPRE_BACKUP#
set system archival configuration archive-sites “sctp:[email protected]:/archive” password #FAZER!SEMPRE_BACKUP#

[email protected]# commit
[email protected]# run show log messages | match ftp
May 26 16:11:40  R1 fetch: %DAEMON-3: fetch: ftp:[email protected]:*: No route to host

As copias dos ficheiros são guardadas em /var/transfer/config

[email protected]# run file list /var/transfer/config/ detail

/var/transfer/config/:
total 28
-rw-r—–  1 root  wheel       1101 May 26 16:10 R1_juniper.conf.gz_20140526_151053
-rw-r—–  1 root  wheel       1101 May 26 16:11 R1_juniper.conf.gz_20140526_151127
-rw-r—–  1 root  wheel       1101 May 26 16:12 R1_juniper.conf.gz_20140526_151206
-rw-r—–  1 root  wheel       1101 May 26 16:12 R1_juniper.conf.gz_20140526_151254
-rw-r—–  1 root  wheel       1187 May 26 16:23 R1_juniper.conf.gz_20140526_152319

Para realizar backups regulares da config usar:

Nota: A cada 24 Horas (1440 minutos)

set system archival configuration transfer-interval 1440

SNMP

set snmp location LISDC-Rack122
set snmp contact “ip@cocheno.com”
set snmp community JUNIPER
set snmp trap-options source-address lo0
set snmp trap-group group-SNMP categories link
set snmp trap-group group-SNMP categories routing
set snmp trap-group group-SNMP targets 10.10.10.10
set snmp trap-group group-SNMP targets 10.10.10.11
set snmp trap-group group-SNMP version v2
set snmp community JUNIPER clients 192.168.20.0/24

Efetuar uma snmp walk (permite fazer decimal e ascii)

[email protected]> show snmp mib walk jnxOperatingDescr
jnxOperatingDescr.1.1.0.0 = midplane
jnxOperatingDescr.2.1.0.0 = PEM 0
jnxOperatingDescr.4.1.0.0 = SRX240 PowerSupply fan 1

Referências:

Notas estudo JNCIA-Junos parte 1

Notas estudo JNCIA-Junos parte 2

Share