How Do You Apply Changes You've Made?
You can make all kinds of changes to the switch, but remember they are not actually active until you run the "commit" command. This means adding or deleting config options will not have any effect until you run "commit".
Under configure mode:
root# commit
commit complete
Reboot:
request system reboot
Reboot the system ? [yes,no] (no) yes
Shutdown NOW!
[pid 59765]
How Can You Get Info About the Hardware (Model/Serial Number)?
In CLI mode:
show chassis hardware
Set Default Config:
load factory-default
warning: activating factory configuration
# if you already have DHCP on the network, I recommend deleting the DHCP service, which may start handing out IPs by default
delete system services dhcp
In most firmware versions you'll need to set a root password before you can commit:
root# set system root-authentication plain-text-password
New password:
Retype new password:
Find the IP:
By default most JunOS devices will try to get a DHCP address from the network on vlan 0.
In CLI mode type this:
show interfaces vlan.0
In conf mode:
set system services ssh
SSH to the device doesn't work as root by default, so you should create a separate user. The server doesn't even let root attempt password authentication, which is why you see this:
Received disconnect from 192.168.1.205 port 22:2: Too many authentication failures for root
Disconnected from 192.168.1.205 port 22
If it still doesn't work, you may need to manually recreate the server RSA and DSA host keys:
ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key
ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key
This will allow root login by password (which should only be done for testing/non-production!):
set system services ssh root-login allow
How To Disable STP (RSTP):
RSTP is normally enabled by default to avoid loops. However, if the switch may be connected to other uplinks that will disable the port when it sends BPDU packets, it may be wise to disable RSTP. In conf mode:
delete protocols rstp
See what protocols are enabled on the switch:
show protocols
protocols {
    igmp-snooping {
        vlan all;
    }
    rstp;
    lldp {
        interface all;
    }
    lldp-med {
        interface all;
    }
}
How To Check Logs:
In cli mode:
show log ?
authd_libstats Size: 0, Last changed: Nov 17 21:43:30
authd_profilelib Size: 0, Last changed: Nov 17 21:43:30
authd_sdb.log Size: 0, Last changed: Nov 17 21:43:30
chassisd Size: 350470, Last changed: Nov 18 01:06:32
cosd Size: 64148, Last changed: Nov 17 22:00:19
dcd Size: 339433, Last changed: Nov 18 01:42:56
default-log-messages Size: 0, Last changed: Nov 18 01:14:51
dfwc Size: 0, Last changed: Nov 17 21:43:14
dhcp_logfile Size: 60198, Last changed: Nov 18 01:43:03
dhcp_logfile.0.gz Size: 8135, Last changed: Nov 18 01:35:31
dhcp_logfile.1.gz Size: 7401, Last changed: Nov 18 01:18:27
eccd Size: 0, Last changed: Nov 17 21:43:12
erp-default Size: 100197, Last changed: Nov 18 01:41:26
ext/ Last changed: Nov 17 21:40:09
flowc/ Last changed: Nov 17 21:40:09
ggsn/ Last changed: Nov 17 21:40:09
gres-tp Size: 8193, Last changed: Nov 17 22:00:19
interactive-commands Size: 48350, Last changed: Nov 18 01:43:03
interactive-commands.0.gz Size: 9672, Last changed: Nov 17 22:30:01
inventory Size: 5266, Last changed: Nov 18 01:05:53
license Size: 0, Last changed: Nov 17 21:44:44
license_subs_trace.log Size: 4354, Last changed: Nov 17 22:01:21
mastership Size: 1014, Last changed: Nov 17 22:00:19
messages Size: 23596, Last changed: Nov 18 01:41:31
messages.0.gz Size: 24441, Last changed: Nov 17 22:00:00
messages.1.gz Size: 22618, Last changed: Nov 17 22:00:00
pgmd Size: 336, Last changed: Nov 17 21:59:04
snapshot Size: 2926, Last changed: Nov 17 21:59:40
user Show recent user logins
wtmp Size: 20772, Last changed: Nov 17 22:11:52
wtmp.0.gz Size: 96, Last changed: Nov 17 21:44:46
Then view a specific log, for example the main system log:
show log messages
Work with a range:
With Juniper you need to create a "range" membership list first.
For example, as below, you can use a wildcard such as ge-0/0/*, ge-*/*/* or ge-0/0/[0-15] in the member definition:
set interfaces interface-range rttall member-range ge-0/0/0 to ge-0/0/15
set interfaces interface-range rttall member ge-0/0/*
Examples of working with the range:
delete interfaces interface-range rtt unit 0
set interfaces interface-range rttall unit 0 family bridge
Backup Firmware:
root@t1test> request system snapshot media internal
error: Cannot snapshot to current boot device
If you get that error, put the snapshot on the alternate partition instead, in this case /dev/da0s2a:
root@t1test> request system snapshot slice alternate
Formatting alternate root (/dev/da0s2a)...
Copying '/dev/da0s1a' to '/dev/da0s2a' .. (this may take a few minutes)
The following filesystems were archived: /
If you just want the factory firmware/settings backed up:
request system snapshot factory slice alternate
Mount the backup like this:
mkdir /var/tmp/da0s2a
mount -t ufs /dev/da0s2a /var/tmp/da0s2a/
Change SSH Timeout time:
The default is just 1800 seconds, which means after 30 minutes of inactivity you will be kicked out of SSH. Let's say you want to stay logged in for much longer; conversely, you can also set it much lower.
You can also set "never" as the timeout.
Use this command to set the timeout in seconds:
set applications application junos-ssh inactivity-timeout 4294967295
The number above is the highest value you can set, which works out to be about 49710 days!
Show MAC Addresses:
These commands are done from "cli" mode.
show ethernet-switching table brief
On a firewall you would use this to show mac addresses:
show bridge mac-table
MAC flags (S -static MAC, D -dynamic MAC, L -locally learned
           SE -Statistics enabled, NM -Non configured MAC, R -Remote PE MAC)
Routing instance : default-switch
 Bridging domain : rtt138, VLAN : 5
   MAC                 MAC      Logical
   address             flags    interface
   00:24:2c:00:ef:01   D        ge-0/0/1.0
Check system snapshot
show system snapshot media internal
Information for snapshot on internal (/dev/da0s1a) (primary)
Creation date: Sep 30 18:41:52 2021
JUNOS version on snapshot:
junos : 12.1X46-D77.1-domestic
Information for snapshot on internal (/dev/da0s2a) (backup)
Creation date: Sep 30 22:08:07 2021
JUNOS version on snapshot:
junos : 12.1X46-D77.1-domestic
Upgrade Firmware:
request system software add no-copy /var/tmp/junos-srxsme-15-domestic.tgz
# apply the update by rebooting
request system reboot
How To Set Which Devices Can Physically Use a Port:
Say you don't want someone plugging another device into their port. Maybe the port the user is plugged into is for the company workstation and only the MAC of that workstation should be allowed to use the port, or maybe it's a VOIP phone and only the MAC of that phone should have access.
You can use the "source-address-filter" option under gigether-options. In conf mode:
edit interfaces ge-0/0/0
set gigether-options source-address-filter 00:21:1e:00:ae:11
With the above we set interface ge-0/0/0 to only allow the device with MAC "00:21:1e:00:ae:11" to use the port. You can add more than one MAC address if multiple devices are allowed on the port. The resulting config looks like this:
ge-0/0/0 {
    gigether-options {
        source-address-filter {
            00:21:1e:00:ae:11;
        }
    }
}
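To check a port's source-address-filter allow-list against the MACs actually learned on that port (the "show bridge mac-table" output from the Show MAC Addresses section), here is an added Python example; it is not Juniper's code or part of this guide. The mac-table text, the set-format config lines and the extra MAC 00:21:1e:00:ae:12 are constructed samples.

```python
import re
# Constructed sample of 'show bridge mac-table' output, in the layout shown above
MAC_TABLE = """\
MAC flags (S -static MAC, D -dynamic MAC, L -locally learned
SE -Statistics enabled, NM -Non configured MAC, R -Remote PE MAC)
 Bridging domain : rtt138, VLAN : 5
   MAC                 MAC      Logical
   address             flags    interface
   00:24:2c:00:ef:01   D        ge-0/0/1.0
   00:21:1e:00:ae:11   D        ge-0/0/0.0
   00:21:1e:00:ae:12   D        ge-0/0/0.0
"""
# Constructed sample of source-address-filter config in 'set' form (per-port allow-list)
SET_CONFIG = """\
set interfaces ge-0/0/0 gigether-options source-address-filter 00:21:1e:00:ae:11
set interfaces ge-0/0/1 gigether-options source-address-filter 00:24:2c:00:ef:01
"""
MAC = r"([0-9a-f]{2}(?::[0-9a-f]{2}){5})"
MAC_ROW = re.compile(r"^\s*" + MAC + r"\s+(\S+)\s+(\S+)\s*$", re.I)
DOMAIN = re.compile(r"Bridging domain\s*:\s*(\S+),\s*VLAN\s*:\s*(\d+)")
FILTER = re.compile(r"^set interfaces (\S+) gigether-options source-address-filter " + MAC + "$", re.I)

def parse_mac_table(text):
    """Return (mac, flags, logical_interface, vlan) tuples; the VLAN comes from the domain header."""
    entries, vlan = [], None
    for line in text.splitlines():
        m = DOMAIN.search(line)
        if m:
            vlan = int(m.group(2))
            continue
        m = MAC_ROW.match(line)
        if m:  # legend and column-header lines never match a full MAC, so they are skipped
            entries.append((m.group(1).lower(), m.group(2), m.group(3), vlan))
    return entries

def allowlist_from_set_config(text):
    """Map physical interface -> set of MACs its source-address-filter permits."""
    allow = {}
    for line in text.splitlines():
        m = FILTER.match(line.strip())
        if m:
            allow.setdefault(m.group(1), set()).add(m.group(2).lower())
    return allow

def unexpected_macs(entries, allow):
    """MACs seen on a filtered port that its filter does not permit; unfiltered ports are ignored."""
    phys = lambda ifl: ifl.split(".")[0]  # ge-0/0/0.0 -> ge-0/0/0, the level the filter is set on
    return [(mac, ifl, vlan) for mac, _f, ifl, vlan in entries
            if phys(ifl) in allow and mac not in allow[phys(ifl)]]
```

Run it against the live mac-table before committing the filter to confirm the device you expect (workstation or phone) is the only one on the port, so the filter does not lock out a legitimate device.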
Set Transparent Mode on Juniper SRX Firewall:
Trying to move the ports straight to family bridge while they still have their existing family configured fails at commit:
set interfaces interface-range ge0/0/[0-15] unit 0 family bridge
[edit interfaces ge-0/0/12 unit 0 family]
'bridge'
family bridge and rest of the families are mutually exclusive
[edit interfaces ge-0/0/13 unit 0 family]
'bridge'
family bridge and rest of the families are mutually exclusive
[edit interfaces ge-0/0/14 unit 0 family]
'bridge'
family bridge and rest of the families are mutually exclusive
[edit interfaces ge-0/0/15 unit 0 family]
'bridge'
family bridge and rest of the families are mutually exclusive
error: commit failed: (statements constraint check failed)
So first delete the existing config of each interface, since family bridge is mutually exclusive with the family already set on it:
delete interfaces ge-0/0/0
delete interfaces ge-0/0/1
delete interfaces ge-0/0/2
delete interfaces ge-0/0/3
delete interfaces ge-0/0/4
delete interfaces ge-0/0/5
delete interfaces ge-0/0/6
delete interfaces ge-0/0/7
delete interfaces ge-0/0/8
delete interfaces ge-0/0/9
delete interfaces ge-0/0/10
delete interfaces ge-0/0/11
delete interfaces ge-0/0/12
delete interfaces ge-0/0/13
delete interfaces ge-0/0/14
delete interfaces ge-0/0/15
# after this the interfaces will not be shown under "show"
# delete vlans and all security or it will break things when we try to enable bridging, since we would have interfaces assigned to vlans that no longer exist
delete vlans
delete interfaces vlan
delete security
#now we enable transparent mode by setting the interfaces as family type bridge, we create a vlan for them and associate them with an irb for layer 3 routing
#for now we just add port 0 and 1 to vlan 5 and make those ports transparent
set interfaces ge-0/0/0 unit 0 family bridge interface-mode access vlan-id 5
set interfaces ge-0/0/1 unit 0 family bridge interface-mode access vlan-id 5
# now we have to assign the relevant interfaces to our security zone and allow our security zone to talk to itself (otherwise nothing works: you can't DHCP from your LAN, you can't ping out or do anything)
# in this mode we will be leaving everything open, which is a good way to analyze traffic and then slowly restrict unnecessary services and applications for security reasons
# notice we use the same VLAN we assigned to ge-0/0/0 and ge-0/0/1; we also set irb.1 as the routing interface, which we'll have to configure next
set bridge-domains rtt138 domain-type bridge vlan-id 5 routing-interface irb.1
#set the IP on your IRB interface to 10.25.20.200 (change to what suits you)
set interfaces irb unit 1 family inet address 10.25.20.200/24
#after committing and to actually enable transparent mode you must reboot
root# commit
warning: Interfaces are changed from route mode to transparent mode. Please reboot the device or all nodes in the HA cluster!
commit complete
Juniper SRX failure to update firmware:
This normally happens if you go straight from old firmware (on a unit you have never used) to a much newer release. For example, from JunOS 10 you should upgrade to the latest version of 10, then go to 11, and then to version 12, etc.
root> ... add no-copy /cf/var/junos-srxsme-12.3X48-D75.4-domestic.tgz
NOTICE: Validating configuration against junos-srxsme-12.3X48-D75.4-domestic.tgz.
NOTICE: Use the 'no-validate' option to skip this if desired.
Formatting alternate root (/dev/da0s2a)...
/dev/da0s2a: 298.0MB (610284 sectors) block size 16384, fragment size 2048
using 4 cylinder groups of 74.50MB, 4768 blks, 9600 inodes.
super-block backups (for fsck -b #) at:
32, 152608, 305184, 457760
** /dev/altroot
FILE SYSTEM CLEAN; SKIPPING CHECKS
clean, 150096 free (24 frags, 18759 blocks, 0.0% fragmentation)
Checking compatibility with configuration
Initializing...
Verified manifest signed by PackageProduction_10_0_0
Verified junos-10.0R3.10-domestic signed by PackageProduction_10_0_0
Using junos-12.3X48-D75.4-domestic from /altroot/cf/packages/install-tmp/junos-12.3X48-D75.4-domestic
Copying package ...
veriexec: cannot update veriexec for /cf/var/validate/chroot/junos/usr/lib/libcurl.so.1: No such file or directory
veriexec: cannot update veriexec for /cf/var/validate/chroot/junos/usr/lib/libcurl.so.1: No such file or directory
veriexec: cannot update veriexec for /cf/var/validate/chroot/junos/usr/lib/libslax.so.3: No such file or directory
veriexec: cannot update veriexec for /cf/var/validate/chroot/junos/usr/lib/libcurl.so.1: No such file or directory
veriexec: cannot update veriexec for /cf/var/validate/chroot/junos/usr/lib/libext_bit.so.3: No such file or directory
veriexec: cannot update veriexec for /cf/var/validate/chroot/junos/usr/lib/libext_curl.so.3: No such file or directory
veriexec: cannot update veriexec for /cf/var/validate/chroot/junos/usr/lib/libext_xutil.so.3: No such file or directory
Verified manifest signed by PackageProductionRSA_2018
Hardware Database regeneration succeeded
Validating against /config/juniper.conf.gz
cp: /cf/var/validate/chroot/var/etc/resolv.conf and /etc/resolv.conf are identical (not copied).
cp: /cf/var/validate/chroot/var/etc/hosts and /etc/hosts are identical (not copied).
Chassis control process:
Chassis control process:
Chassis control process:
Chassis control process:
Connectivity fault management process: rtslib: FATAL ERROR interface version mismatch: kernel=97 library=98,a reboot or software upgrade may be required
Connectivity fault management process:
mgd: error: configuration check-out failed
Validation failed
WARNING: Current configuration not compatible with /altroot/cf/packages/install-tmp/junos-12.3X48-D75.4-domestic