Lab 4: Operational Monitoring and Maintenance
In this activity, you will perform the following tasks:
Part 1: Monitor chassis, system, and interface operation.
Part 2: Use network utilities.
Part 3: Recover the root password.
Question:
Answer:
The answer can vary. In the sample output taken from SRXP, the weighted
CPU usage is 0%. The weighted CPU column represents the CPU usage over a
period of time.
Step 1.2
Issue the show system statistics command to view protocol statistics related to your
SRX device.
admin@SRXP> show system statistics
Tcp:
2111 packets sent
393 data packets (27298 bytes)
0 data packets retransmitted (0 bytes)
0 resends initiated by MTU discovery
174 ack only packets (135 packets delayed)
0 URG only packets
0 window probe packets
Question:
How many TCP packets did your assigned device send since the last clearing of
the system statistics?
____________________________________________________________________________
Answer:
The answer can vary. In the previous example taken from SRXP, the device sent
2111 TCP packets.
Step 1.3
Issue the show system storage command to view information regarding the device
storage space.
admin@SRXP> show system storage
Filesystem        Size    Used
/dev/da0s1a       292M    156M
devfs             1.0K    1.0K
/dev/md0          431M    431M
/cf               292M    156M
devfs             1.0K    1.0K
procfs            4.0K    4.0K
/dev/bo0s3e        24M     44K
/dev/bo0s3f       342M    6.7M
/dev/md1          168M     17M
/cf/var/jail      342M    6.7M
/cf/var/log       342M    6.7M
devfs             1.0K    1.0K
/dev/md2           39M    4.0K
/dev/md3          1.8M    4.0K    1.7M    0%  /jail/mfs
Question:
Answer:
The answer can vary. In the sample output taken from SRXP, 113 Megabytes
are available.
Step 1.4
Issue the show system uptime command to view the current system time.
admin@SRXP> show system uptime
Current time: 2012-05-05 20:05:31 CST
System booted: 2012-05-05 17:47:34 CST (02:17:57 ago)
Protocols started: 2012-05-05 18:54:33 CST (01:10:58 ago)
Last configured: 2012-05-05 19:47:07 CST (00:18:24 ago) by admin
8:05PM up 2:18, 2 users, load averages: 0.03, 0.06, 0.07
Question:
Answer:
The answer will vary. In the example taken from SRXP, you can see that the
system booted 2 hours and 18 minutes ago.
Step 1.5
Access your INSIDE-PA, open another terminal window, and use Telnet to access your
INSIDE IP address (10.0.P.1). If needed, refer to the diagram. Log in with the username
walter and the password walter123.
Step 1.6
Return to the console session and issue the show system users command to view
information about users logged in to your team's device.
admin@SRXP> show system users
8:14PM up 2:27, 2 users, load averages: 0.09, 0.04, 0.06
USER     TTY      FROM          LOGIN@  IDLE WHAT
admin    u0                     7:52PM  -    -cli (cli)
walter   p0       10.0.P.10     8:14PM  -    -cli (cli)
Question:
What is the source IP address of the Telnet session established by the user
walter?
____________________________________________________________________________
Answer:
The answer will vary. In the following example taken from SRXP, the source IP
address of the telnet session established by the user walter is 10.0.P.10.
Step 1.7
Issue the request system logout user walter command to force a log out for the user
walter. Next, issue the show system users command to verify
that the user session for walter was terminated.
admin@SRXP> request system logout user walter
logout-user: done
admin@SRXP> show system users
8:18PM up 2:31, 1 user, load averages: 0.16, 0.11, 0.08
USER     TTY      FROM          LOGIN@  IDLE WHAT
admin    u0                     7:52PM  -    -cli (cli)
Question:
Answer:
As shown in the sample output, the Telnet session for the user walter should
now be closed.
Step 1.8
Check the environmental status of your team's device by issuing the show chassis
environment command.
admin@SRXP> show chassis environment
Class Item                           Status     Measurement
Temp  Routing Engine                 OK         49 degrees C / 120 degrees F
      Routing Engine CPU             OK         49 degrees C / 120 degrees F
Fans  SRX240 PowerSupply fan 1       OK         Spinning at normal speed
      SRX240 PowerSupply fan 2       OK         Spinning at normal speed
      SRX240 CPU fan 1               OK         Spinning at normal speed
      SRX240 CPU fan 2               OK         Spinning at normal speed
      SRX240 IO fan 1                OK         Spinning at normal speed
      SRX240 IO fan 2                OK         Spinning at normal speed
Power Power Supply 0                 OK
Question:
Answer:
Question:
Answer:
User                       5 percent
Background                 0 percent
Kernel                     1 percent
Interrupt                  0 percent
Idle                      94 percent
Model                      RE-SRX240H
Serial ID                  AAAL3327
Start time                 2012-05-05 17:47:27 CST
Uptime                     2 hours, 36 minutes, 8 seconds
Last reboot reason         0x200:normal shutdown
Load averages:             1 minute   5 minute  15 minute
                               0.21       0.13       0.09
Step 1.9
Issue the show chassis temperature-thresholds command.
admin@SRXP> show chassis temperature-thresholds
                     Fan speed      Yellow alarm       Red alarm      Fire Shutdown
                    (degrees C)     (degrees C)       (degrees C)      (degrees C)
Item                Normal  High   Normal  Bad fan   Normal  Bad fan      Normal
Chassis default         35    45       50       40       75       65         100
Routing Engine          35    45       50       40       75       65          10
Question:
Answer:
Assuming the fans are operational, the system raises a red alarm when the RE
reaches 75 degrees Celsius. These threshold values can vary between different
Junos devices.
Step 1.10
View details about your system's hardware components using the show chassis
hardware command.
admin@SRXP> show chassis hardware
Hardware inventory:
Item             Version  Part number  Serial number     Description
Chassis                                AG3809AA0008      SRX240H
Routing Engine   REV 36   750-021793   AAAL3327          RE-SRX240H
FPC 0                                                    FPC
  PIC 0                                                  16x GE Base PIC
Power Supply 0
Question:
Answer:
The answer will vary depending on your assigned device. In the example, the
chassis serial number is AG3809AA0008.
Step 1.11
Issue the show interfaces terse command to quickly verify the administrative and link
state for your device's interfaces.
admin@SRXP> show interfaces terse
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    down
gr-0/0/0                up    up
ip-0/0/0                up    up
lsq-0/0/0               up    up
lt-0/0/0                up    up
mt-0/0/0                up    up
sp-0/0/0                up    up
sp-0/0/0.0              up    up   inet
sp-0/0/0.16383          up    up   inet     10.0.0.1            --> 10.0.0.16
                                            10.0.0.6            --> 0/0
                                            128.0.0.1           --> 128.0.1.16
                                            128.0.0.6           --> 0/0
ge-0/0/1                up    up
ge-0/0/2                up    up
ge-0/0/2.0              up    up   inet     192.168.P.2/24
ge-0/0/3                up    up
ge-0/0/3.0              up    up   inet     172.16.P.1/24
ge-0/0/4                up    down
ge-0/0/5                up    up
ge-0/0/5.0              up    up   inet     10.0.P.1/24
ge-0/0/6                up    down
ge-0/0/7                up    up
ge-0/0/8                up    up
ge-0/0/9                up    up
ge-0/0/10               up    up
ge-0/0/11               up    up
ge-0/0/12               up    up
ge-0/0/13               up    up
ge-0/0/14               up    up
ge-0/0/15               up    up
fxp2                    up    up
fxp2.0                  up    up   tnp      0x1
gre                     up    up
ipip                    up    up
irb                     up    up
lo0                     up    up
lo0.16384               up    up   inet     127.0.0.1           --> 0/0
lo0.16385               up    up   inet     10.0.0.1            --> 0/0
                                            10.0.0.16           --> 0/0
                                            128.0.0.1           --> 0/0
                                            128.0.0.4           --> 0/0
                                            128.0.1.16          --> 0/0
lo0.32768               up    up
lsi                     up    up
mtun                    up    up
pimd                    up    up
pime                    up    up
pp0                     up    up
ppd0                    up    up
ppe0                    up    up
st0                     up    up
tap                     up    up
vlan                    up    up
Question:
What are the Admin and Link states for all configured interfaces?
____________________________________________________________________________
Answer:
All configured interfaces should show Admin and Link states of up. If your
output shows otherwise, please contact your instructor.
Step 1.12
Issue the show interfaces ge-0/0/5 extensive command and answer the questions that
follow:
admin@SRXP> show interfaces ge-0/0/5 extensive
Physical interface: ge-0/0/5, Enabled, Physical link is Up
Interface index: 139, SNMP ifIndex: 512, Generation: 142
Description: INSIDE INTERFACE
Link-level type: Ethernet, MTU: 1514, Link-mode: Full-duplex, Speed: 100mbps,
BPDU Error: None, MAC-REWRITE Error: None, Loopback: Disabled,
Source filtering: Disabled, Flow control: Enabled, Auto-negotiation: Enabled,
Remote fault: Online
Question:
What is the SNMP ifIndex for ge-0/0/5? What about for ge-0/0/5.0?
____________________________________________________________________________
Answer:
The SNMP ifIndex values vary between student devices. In the example, the
SNMP ifIndex values for ge-0/0/5 and ge-0/0/5.0 are 512 and 542, respectively.
Question:
Answer:
The current hardware address for the ge-0/0/5 interface varies between
student devices. In the example, the current hardware address is
00:26:88:e1:60:05.
Question:
Answer:
Although it is possible that input errors exist, the answer to this question
should typically be no.
Question:
Does the ge-0/0/5 interface show input and output traffic statistics? How are
those statistics counted?
____________________________________________________________________________
Answer:
The interface should show input and output traffic statistics. The system counts
traffic statistics as both bytes and packets as shown in the sample capture.
Step 1.13
Issue the clear interfaces statistics ge-0/0/5 command followed by the show
interfaces ge-0/0/5 extensive | find "traffic" command.
admin@SRXP> clear interfaces statistics ge-0/0/5
admin@SRXP> show interfaces ge-0/0/5 extensive | find "traffic"
  Traffic statistics:
   Input  bytes  :                    0                    0 bps
   Output bytes  :                    0                    0 bps
   Input  packets:                    0                    0 pps
   Output packets:                    0                    0 pps
  Input errors:
    Errors: 0, Drops: 0, Framing errors: 0, Runts: 0, Policed discards: 0,
    L3 incompletes: 0, L2 channel errors: 0, L2 mismatch timeouts: 0,
    FIFO errors: 0, Resource errors: 0
  Output errors:
    Carrier transitions: 0, Errors: 0, Drops: 0, Collisions: 0, Aged packets: 0,
    FIFO errors: 0, HS link CRC errors: 0, MTU errors: 0, Resource errors: 0
  Egress queues: 8 supported, 4 in use
  Queue counters:       Queued packets  Transmitted packets      Dropped packets
    0 best-effort                    0                    0                    0
    1 expedited-fo                   0                    0                    0
    2 assured-forw                   0                    0                    0
    3 network-cont                   0                    0                    0
  Queue number:         Mapped forwarding classes
    0                   best-effort
    1                   expedited-forwarding
    2                   assured-forwarding
    3                   network-control
---(more)---
---(more)---
Question:
Answer:
Although your statistics might not show all zeros, as the sample capture does,
the interface statistics should clear
508 bytes from 172.26.26.P: icmp_seq=0 ttl=127 time=4.105 ms
508 bytes from 172.26.26.P: icmp_seq=1 ttl=127 time=2.182 ms
508 bytes from 172.26.26.P: icmp_seq=2 ttl=127 time=2.064 ms
508 bytes from 172.26.26.P: icmp_seq=3 ttl=127 time=1.781 ms
508 bytes from 172.26.26.P: icmp_seq=4 ttl=127 time=2.030 ms
508 bytes from 172.26.26.P: icmp_seq=5 ttl=127 time=1.886 ms
508 bytes from 172.26.26.P: icmp_seq=6 ttl=127 time=1.924 ms
508 bytes from 172.26.26.P: icmp_seq=7 ttl=127 time=1.895 ms
<Output Omitted>
Question:
Answer:
As shown in the sample output, you do not need an extra command option to
make the ping continuous. Echo requests are sent continuously by default. You
can use the count option to send a defined number of packets.
Note: You can stop the ping operation by using the Ctrl+c keystroke combination. You
should, however, let the ping operation continue at this time for the subsequent
monitoring step.
From the INSIDE-PA PC, open a new terminal session to your SRX device. Use Telnet to access
the INSIDE IP address (10.0.P.1) and log in as the admin user. You will use this separate terminal
session to monitor ping traffic generation.
Step 2.2
Use the monitor traffic interface ge-0/0/2 command to begin monitoring the ge-0/0/2 INSIDE interface.
Note: You can stop the monitoring operation by using the Ctrl+c keystroke combination.
You can also increase the capture size using the size option to avoid truncated packets.
Question:
Answer:
Yes, you should see ICMP echoes and replies from your ping operation,
amongst other traffic.
Question:
How can you filter the output to show only the ICMP traffic?
____________________________________________________________________________
Answer:
Question:
What command option allows you to view source and destination MAC
addresses for the captured packets?
____________________________________________________________________________
Answer:
Note: The monitor traffic command captures only packets that are local to the device. It does
Step 2.3
In preparation for the next lab part, stop both the ping and monitor operations using
the Ctrl+c keystroke combination, and close the extra terminal session that you
opened.
stop...done
to stop...done
to stop...done
stop...
Loading /boot/defaults/loader.conf
/kernel data=0xae0e24+0x133964 syms=[0x4+0x89cb0+0x4+0xc7a56]
Type '?' for a list of commands, 'help' for more detailed help.
loader>
Step 3.2
At the prompt, first disable the watchdog process by using the watchdog disable
command. Secondly, type boot -s and press Enter to boot the Junos OS in single-user
mode.
loader> watchdog disable
loader> boot -s
Kernel entry at 0x801000d8 ...
init regular console
Primary ICache: Sets 64 Size 128 Asso 4
Primary DCache: Sets 1 Size 128 Asso 64
Secondary DCache: Sets 512 Size 128 Asso 8
GDB: debug ports: uart
GDB: current port: uart
KDB: debugger backends: ddb gdb
KDB: current backend: ddb
Copyright (c) 1996-2012, Juniper Networks, Inc.
All rights reserved.
Copyright (c) 1992-2006 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
The Regents of the University of California. All rights reserved.
<Output Omitted>
Trying to mount root from ufs:/dev/da0s1a
Attaching /cf/packages/junos via /dev/mdctl...
Mounted junos package on /dev/md0...
Booting single-user
** /dev/da0s1a
FILE SYSTEM CLEAN; SKIPPING CHECKS
clean, 69624 free (40 frags, 8698 blocks, 0.0% fragmentation)
System watchdog timer disabled
Enter full pathname of shell or 'recovery' for root password recovery or RETURN for /bin/sh:
Step 3.3
When prompted to enter a pathname for shell or recovery for root password recovery,
type recovery and press Enter.
Enter full pathname of shell or 'recovery' for root password recovery or RETURN for /bin/sh:
recovery
Performing system setup ...
Checking integrity of BSD labels:
s1: Passed
s2: Passed
s3: Passed
s4: Passed
** /dev/bo0s3e
FILE SYSTEM CLEAN; SKIPPING CHECKS
clean, 12416 free (16 frags, 1550 blocks, 0.1% fragmentation)
** /dev/bo0s3f
FILE SYSTEM CLEAN; SKIPPING CHECKS
clean, 171911 free (151 frags, 21470 blocks, 0.1% fragmentation)
Checking integrity of licenses:
JUNOS345637.lic: No recovery data
JUNOS345638.lic: No recovery data
JUNOS345639.lic: No recovery data
JUNOS345640.lic: No recovery data
JUNOS387415.lic: No recovery data
JUNOS387416.lic: No recovery data
JUNOS387417.lic: No recovery data
JUNOS387418.lic: No recovery data
JUNOS387419.lic: No recovery data
Checking integrity of configuration:
rescue.conf.gz: No recovery data
Loading configuration ...
mgd: commit complete
Setting initial options: .
Starting optional daemons: usbd.
Doing initial network setup:.
Initial interface configuration:
additional daemons: eventd.
Additional routing options:kern.module_path: /boot//kernel;/boot/modules ->
/boot/modules;/modules/ifpfe_drv;kldload: Unsupported file type
/modules;
kld netpfe drv: ifpfed_dialer.
Doing additional network setup: ntpdate.
Starting final network daemons:.
Once in the CLI, you will need to enter configuration mode using
the 'configure' command to make any required changes. For example,
to reset the root password, type:
configure
set system root-authentication plain-text-password
(enter the new password when asked)
commit
exit
exit
When you exit the CLI, you will be asked if you want to reboot
the system
Step 3.4
Once the prompt is available, enter configuration mode and set a new root password of
juniper123. Commit the configuration. After you exit out of configuration mode and
exit out of operational mode, the software prompts you about rebooting. Type y and
press Enter to reboot the system.
root@SRXP> configure
<Output Omitted>
FILE SYSTEM CLEAN; SKIPPING CHECKS
clean, 70193 free (9 frags, 8773 blocks, 0.0% fragmentation)
Sat May 5 21:43:01 CST 2012
SRXP (ttyu0)
login:
Step 3.5
Once the system boots, verify the root password recovery by logging in with the new
root password.
SRXP (ttyu0)
login: root
Password: juniper123
Question:
Answer:
You should now be successfully authenticated as root using the new root
password. This successful authentication verifies that the access recovery
process worked.
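Added example (not part of the original lab guide): the Part 3 recovery works for anyone who can reach the console port and restart the device, and Step 1.5 logs in over Telnet, which carries the username and password in cleartext. The Junos statements below close both exposures on a production device; that Telnet was enabled with set system services telnet and the 5-minute commit confirmed window are assumptions.

```junos
# Lab state assumed by this guide (weak):
#   set system services telnet        <- Step 1.5 logs in over Telnet
#   no "system ports console" stanza  <- Step 3.3 'recovery' is accepted

# Hardened equivalent, entered from operational mode on the console
configure

# Remote access: remove cleartext Telnet, allow SSHv2 only, no direct root login
delete system services telnet
set system services ssh protocol-version v2
set system services ssh root-login deny

# Console: "insecure" disables root login on the console port and makes
# single-user mode (boot -s) ask for the root password, so the 'recovery'
# option from Step 3.3 no longer resets root for someone who does not know it
set system ports console insecure

# Drop the CLI session when the console cable is disconnected, so the next
# person to plug in does not inherit an authenticated session
set system ports console log-out-on-disconnect

# Roll back automatically after 5 minutes unless the change is confirmed,
# in case removing Telnet cuts off the session you are working from
commit confirmed 5

# After verifying that SSH login still works, confirm the change
commit
```

With console insecure committed, a lost root password can no longer be reset through boot -s, so store the root credential securely before applying it.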
Step 3.6
Log out and log in as the admin user.
root@SRXP% exit
logout
SRXP (ttyu0)
login: admin
Password: juniper123
--- JUNOS 12.1R1.9 built 2012-03-24 12:12:49 UTC
admin@SRXP>
Step 3.7
Save the current configuration to admin's home directory.
admin@SRXP> file list
/cf/var/home/admin/:
.ssh/
IJOS.LAB1
IJOS.LAB2
IJOS.LAB3
admin@SRXP> configure
Entering configuration mode
[edit]