
The Complete IS-IS Routing Protocol- P8 pptx


3.3.1 Logging into the System and Authentication

When you first log into a router running JUNOS, the first difference you see from IOS is that the system prompts you in a UNIX fashion for a username and a password:

    (20:45 hannes@unixbox:~) telnet frankfurt
    Trying 192.168.77.12
    Connected to frankfurt.
    Escape character is '^]'.

    Frankfurt (ttyp0)

    login: hannes
    Password: *********

    JUNOS 5.3R2.4 built 2002-06-03 18:59:57 UTC
    hannes@Frankfurt>

This is because the underlying base OS for JUNOS is a heavily modified FreeBSD. FreeBSD is a free UNIX clone just like the more popular Linux UNIX. You can get further information about FreeBSD at http://www.freebsd.org/. But make no mistake: JUNOS and the original FreeBSD are different OSs, and large parts of the networking-related kernel routines have been changed. FreeBSD is targeted for a host operating system environment, much like a networked PC. Typically, host operating systems have:

• A single routing table
• 1–3 network interfaces
• Tens of routes to handle

An operating system targeted for both edge and core routing functions has to handle many more of each. Specifically, these needs are:

• Hundreds of routing tables
• Thousands of interfaces
• 100,000s of routes

However, there are still lots of things that remained in JUNOS, such as all the networking tools (telnet, SSH, ping and traceroute utilities) or, as in the previous example, the login procedure.

Once you are logged in with your username, you have a set of privileges that are associated with your username, similar to IOS. You can display those privileges by issuing a show cli authorization command.
    hannes@Frankfurt> show cli authorization
    Current user: 'hannes' class 'super-user'
    Permissions:
        admin             -- Can view user accounts
        admin-control     -- Can modify user accounts
        clear             -- Can clear learned network information
        configure         -- Can enter configuration mode
        control           -- Can modify any configuration
        edit              -- Can edit full files
        field             -- Special for field (debug) support
        floppy            -- Can read and write from the floppy
        interface         -- Can view interface configuration
        interface-control -- Can modify interface configuration
        [ … ]
        security          -- Can view security configuration
        security-control  -- Can modify security configuration

Juniper Networks JUNOS CLI 57

This is one of the improvements that JUNOS offers. Instead of having a privilege level of 1–15 assigned to the user-profile with each IOS command mapped to a minimum privilege-level, each user profile in JUNOS is now associated with a set of flags that control which parts of the system the user can access or even modify. The system is so flexible that you can even break down which user can control what configuration lines of the router's configuration file. Using this, you could implement authorization schemes, such as Operator A can only modify BGP, and Operator B can only configure IS-IS. However, explaining the full extent of the authorization sub-system is beyond the scope of this book.

The only time you need to check that the network administrator has assigned the necessary privileges is when a certain IS-IS-related keyword does not show up where it should. In JUNOS there is the concept of user interface views. If you do not have sufficient privileges then you do not even see the commands and keywords in the user interface – they simply do not exist for that user – and neither auto-complete nor entering a question mark reveals those missing commands because they are not part of this user's access profile.

Consider the following example. User hannes has been given superuser privileges.
As a superuser, he can access the request system reboot command, which will shut down all server processes and then reboot the router. If the user frank logs in and is associated with the read-only profile and wants to issue the same request, the command does not exist:

    frank@Frankfurt> request ?
    Possible completions:
      message              Send a text message to other users

For the user frank only the request message command exists, which would send a message to all connected users' terminal sessions. Auto-complete (pressing the TAB key) does not produce any other completions besides the message keyword. Even if you try to manually enter the request system reboot command, the system acts as if it does not know the command.

    frank@Frankfurt> request system reboot
                             ^
    syntax error, expecting <command>.
    frank@Frankfurt>

Please keep this concept in mind when exploring the IS-IS commands shown in the rest of this book on a functioning router. If a certain command does not show up as expected, it could be that the network administrator has not granted you the access level required to reveal one of the commands you might be looking for.

58 3. Introduction to the IOS and JUNOS Command Line Interface

3.3.2 IS-IS-related Show Commands

Once you are logged into the JUNOS system, you are first placed into operational mode, as in IOS. You know that you are in operational mode by looking at the prompt. If the prompt is terminated using a ">" character then you are in operational mode, just as in IOS:

    hannes@Frankfurt>

Figure 3.7 shows the commands that are available in operational mode. Unlike the Cisco implementation of the IS-IS Protocol, the JUNOS version was written only to transport IP and not CLNP reachability information. Therefore all operational commands are accommodated under the show isis branch of the CLI tree.

[Figure: tree of the show isis branches adjacency, database, hostname, interface, route, spf and statistics, with modifiers including brief, detail, extensive, instance, level, logical-router and topology]
FIGURE 3.7. The JUNOS CLI tree for IS-IS-related operational commands

Almost every command in the hierarchy has a command-modifier as the last argument. Command modifiers control the level of output that the command provides to the user. For example, if you issue a show isis interface brief command, then the output shows you all interfaces that have IS-IS configured. The keyword brief at the end of the command tells the router that you wish to see only the minimal information available for the interface:

    hannes@Frankfurt> show isis interface brief
    IS-IS interface database:
    Interface     L CirID Level 1 DR   Level 2 DR       L1/L2 Metric
    so-2/1/0.0    2   0x2 Disabled     Point to Point        10/3500
    so-3/0/0.0    2   0x1 Disabled     Point to Point        10/240
    [ … ]

The extensive command modifier tells the router that you wish to see all information that the router maintains for a given interface including timers and much more:

    hannes@Frankfurt> show isis interface extensive
    IS-IS interface database:
    so-2/1/0.0
      Index: 16, State: 0x6, Circuit id: 0x1, Circuit type: 2
      LSP interval: 100 ms, CSNP interval: disabled
      Level 2
        Adjacencies: 1, Priority: 64, Metric: 3500
        Hello Interval: 9 s, Hold Time: 27 s
    so-3/0/0.0
      Index: 14, State: 0x6, Circuit id: 0x1, Circuit type: 2
      LSP interval: 100 ms, CSNP interval: disabled
      Level 2
        Adjacencies: 1, Priority: 64, Metric: 240
        Hello Interval: 9 s, Hold Time: 27 s
    [ … ]

JUNOS interface names, like so-3/0/0.0, are also different than in IOS. In JUNOS there is an underlying interface naming convention that has to be learned to correctly configure the router and interpret the CLI output.

3.3.3 Interface Name-space

JUNOS has four types of interfaces:

• Logical interfaces
• Permanent interfaces
• Virtual interfaces
• Physical interfaces

The only logical interfaces inside JUNOS are instances of the loopback (lo0) interface, used for terminating control traffic like BGP, MSDP, management protocols like the Simple Network Management Protocol (SNMP), Telnet and Secure Shell (SSH). There is no NULL interface as in IOS that can be used to trash traffic. Instead, JUNOS has a special next-hop type for trashing traffic. JUNOS also has a special aggregate facility for the announcement of aggregate routes. However, a detailed explanation of these is beyond the scope of this book.

The two permanent interfaces are the fxp0 and the fxp1 interfaces. Juniper Networks Routing Engines (REs) are off-the-shelf, industry-standard PCs that look after the care and feeding of the Packet Forwarding Engine (PFE). The REs have two Fast Ethernet interfaces, one of them exposed to the outside world and one of them connected to the packet-forwarding complex. Those Fast Ethernet interfaces are based on Intel chipsets and, in good FreeBSD tradition, those interfaces are referred to using the name fxp. You can configure the fxp0 interface (the one exposed to the outside world) only. Don't attempt to configure the fxp1 interfaces: your configuration change might very well interfere with internal RE to PFE communication.

The typical application of the fxp0 interface is to use it for out-of-band (OOB) management access. This interface can be used to send out all kinds of routing and signalling information; however, it cannot be used to carry transit traffic. Figure 3.8 shows why JUNOS does not allow this.
Traffic entering the router would have to be squeezed through the fxp1 interface (the internal Fast Ethernet segment), which is dedicated to carrying control traffic only. Whenever the PFE realizes that a route should use the fxp1 port as a next-hop for transit traffic, the fabric generates an ICMP unreachable packet back to the sender. Because of this design choice, you get a modest amount of security for your management segment, which now cannot be accessed from the Internet.

[Figure: Internet, PFE and RE with its fxp0 and fxp1 ports; 172.16.13/24 via FXP1 -> REJECT]
FIGURE 3.8. Sub-nets connected to the fxp0 management port are not reachable from the Internet

JUNOS makes a clear distinction between physical interfaces and logical interfaces. On the physical interface level you can control properties of OSI Reference Model Layer 1 and 2. Examples of such properties are:

• Link MTU size
• Encapsulation method
• Frame checksum computation
• Layer 1 framing format
• Full/Half duplex operation

Logical interfaces typically have properties from OSI Reference Model Layer 3. Examples of such properties are:

• IP addresses/Prefix lengths
• ISO NETs
• Filters
• ICMP behaviour (redirect suppression)
• And many more…

First, consider the interface naming for the physical interfaces. (The logical interfaces are a superset of the physical interfaces, so we start with the simple things first.) JUNOS has a structure similar to IOS as far as the interface naming is concerned: the first two letters always describe what media type the interface is. Table 3.1 shows the two-letter abbreviations and the corresponding fully specified interface media types. What follows (after a dash) are three numbers separated by slashes. The three numbers represent the FPC slot, the PIC slot and the port number. If you are not familiar with Juniper Networks hardware, don't worry: the FPC card is a carrier card like the VIP card for the Cisco 7500 Series.
The FPC mostly contains buffering memory as well as classification and queuing hardware. The PIC card is then mounted on top of the FPC card. This is how the FPC got its name of Flexible PIC Concentrator. PIC is an abbreviation for Physical Interface Connector. It is the place where the fibre and copper lines are connected to the router. The reason the physical lines do not directly connect to the FPC is flexibility. You can populate your FPC with PICs of arbitrary media types like Ethernet, Packet over SONET/SDH and ATM in a mix-and-match fashion.

TABLE 3.1. JUNOS uses two-letter names for its different interface media types.

    JUNOS interface abbreviation    Interface media/type
    at                              ATM over SONET/SDH ports
    e1                              E1 ports
    e3                              E3 ports
    fe                              Fast Ethernet ports
    so                              SONET/SDH ports
    t1                              T1 ports
    t3                              DS-3 ports
    ge                              Gigabit Ethernet ports
    t3                              Aggregated Ethernet ports

Figure 3.9 shows how a physical port is referenced in JUNOS. The first part is the interface media type: "at" stands for an ATM interface. It is inserted into FPC chassis slot Number 3 (counting starts at 0, so the first slot is slot #0 and slot #3 is the fourth slot) on the second PIC slot (#1) and finally on the third port (#2).

[Figure: Physical interfaces have standard names: type, FPC slot, PIC slot, port number]
FIGURE 3.9. JUNOS interface names are notated in interface-type/FPC slot/PIC slot/port number order

The good news about the JUNOS interface-naming scheme is that it is consistent throughout all the platforms (M- and T-Series). On every platform from the little M5 up to the T640, the interface naming stays consistent: FPC, then PIC, and finally the port number. Below is an example of how the status of an interface is displayed using the show interfaces <interface-name> command:

    hannes@Pennsauken> show interfaces so-0/0/0
    Physical interface: so-0/0/0, Enabled, Physical link is Up
      Interface index: 11, SNMP ifIndex: 14
      Description: to-New-York-so-7/0/1
      Link-level type: Cisco-HDLC, MTU: 4474, Clocking: Internal, SDH mode,
      Speed: OC3, FCS: 16, Payload scrambler: Disabled
      Device flags   : Present Running
      Interface flags: Point-To-Point SNMP-Traps
      Link flags     : Keepalives
      Keepalive settings: Interval 10 seconds, Up-count 1, Down-count 3
      Keepalive: Input: 507921 (00:00:06 ago), Output: 510818 (00:00:05 ago)
      Last flapped   : 2002-08-07 13:58:35 CEST (2d 08:58 ago)
      Input rate     : 42783824 bps (21297 pps)
      Output rate    : 58047120 bps (15777 pps)
      SONET alarms   : None
      SONET defects  : None

3.3.4 IS-IS-related Configuration Commands

Like IOS, JUNOS has a configuration mode. You need to get into configuration mode first (if you have the related privileges to do so) to modify the router's central configuration file. You can get into configuration mode by issuing the configure command:

    hannes@Frankfurt> configure
    Entering configuration mode

    [edit]
    hannes@Frankfurt#

You know you are in configuration mode in two ways – first the prompt terminates with the hash (#) sign, and second the line before the prompt displays the configuration level (or context) you are in. In JUNOS there is a multi-level hierarchy of configuration commands. This is unlike Cisco IOS where the configuration file is only structured into two levels.

Figure 3.10 shows a full overview of the IS-IS-related configuration options available in JUNOS configuration mode. All options are under the protocols isis {} branch.

[Figure: tree of configuration statements under protocols isis, including interface, level, overload, graceful-restart, traffic-engineering and authentication options such as authentication-key, authentication-type, hello-authentication-key, hello-authentication-type and no-authentication-check]
FIGURE 3.10. The JUNOS CLI tree for IS-IS-related configuration commands

When you want to configure the protocols isis {} context you have to change to that context first using the edit command.

    [edit]
    hannes@Frankfurt# edit protocols isis

    [edit protocols isis]
    hannes@Frankfurt#

The context displayed between the brackets changes to the protocols isis context. Imagine the configuration hierarchy as a file system, and the different contexts are the directories. The edit command behaves like the UNIX cd command, which is used for changing directories. If you want to go from there and edit the IS-IS Level-2 configuration then you simply enter the following command:

    [edit protocols isis]
    hannes@Frankfurt# edit level 2

    [edit protocols isis level 2]
    hannes@Frankfurt#

You can go back to the top level using the top command. The top command compares best to the UNIX cd / command which puts you at the root of a UNIX file system tree:

    [edit protocols isis level 2]
    hannes@Frankfurt# top

    [edit]
    hannes@Frankfurt#

If you want to exit the configuration mode, type exit configuration-mode at any level, which puts you back in operational mode. The prompt then changes back to ">".
    [edit protocols isis level 2]
    hannes@Frankfurt# exit configuration-mode
    Exiting configuration mode

    hannes@Frankfurt>

Using the edit and top commands, you can move around in the configuration hierarchy without altering any configuration elements.

3.3.5 Changing the Configuration

The file system analogy explains the JUNOS configuration concept most clearly. The cd command is used to move around in the file system hierarchy but it does not change any of the files. In a UNIX file system, you create new files (for example) by using text editors like Emacs or Vi. But you do not need to learn the often cryptic Emacs and Vi keyboard sequences to configure a JUNOS router. This is just an analogy. The text editor equivalents in JUNOS are the set and delete commands. With the set command you actually set a flag in the configuration hierarchy.

Reconsider Figure 3.10. If you want to configure an interface to perform checksumming, in the protocols isis {} context you would type:

    [edit protocols isis]
    hannes@Frankfurt# set interface so-3/0/0.0 checksum

    [edit protocols isis]
    hannes@Frankfurt#

Going back to the file-system analogy, this command simply sets the checksum flag in the protocols isis interface so-3/0/0.0 folder.

One of the most interesting concepts in JUNOS is that you can display the configuration any time you are in configuration mode by using the show command. In IOS, this is not possible, and you would have to exit configuration mode and type a show running-configuration command to verify that your command has been properly accepted and is part of the configuration file. Most network administrators compensate by having two IOS terminal sessions open for each Cisco router. On the first you put yourself into configuration mode, and on the second you stay in operational mode and issue the show running-configuration commands to check your configuration changes.
But in JUNOS, the show command displays the configuration file at this context level and all levels below:

    [edit protocols isis]
    hannes@Frankfurt# show
    interface so-3/0/0.0 {
        checksum;
    }

    [edit protocols isis]

Don't get scared by the curly braces. They are just another representation of the folder-like structure, and are very familiar to C-language programmers. They just help to visualize the configuration hierarchy, as their use in programs helps to visualize coding levels. For instance, if we change the editing context back to the top-level, then we would see the folder structure (plus more curly braces) from the top-level perspective:

    [edit protocols isis]
    hannes@Frankfurt# top

    [edit]
    hannes@Frankfurt# show
    [ … ]
    protocols {
        isis {
            interface so-3/0/0.0 {
                checksum;
            }
        }
    }
    [ … ]

    [edit]
    hannes@Frankfurt#
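The permission flags shown in section 3.3.1 lend themselves to a least-privilege check. The following Python is an added example, not code from the book or from Juniper: it parses show cli authorization output and reports which flags let a user change the router. The read-only sample output and the rule that a description containing modify, edit, clear or write marks a write-capable flag are assumptions of this example.

```python
import re

# Constructed samples: the super-user permission lines follow the output quoted
# in section 3.3.1; the read-only user's output is made up for this example.
SUPER_USER = """\
Current user: 'hannes' class 'super-user'
Permissions:
    admin             -- Can view user accounts
    admin-control     -- Can modify user accounts
    clear             -- Can clear learned network information
    configure         -- Can enter configuration mode
    control           -- Can modify any configuration
    interface         -- Can view interface configuration
    interface-control -- Can modify interface configuration
    security          -- Can view security configuration
    security-control  -- Can modify security configuration
"""
READ_ONLY = """\
Current user: 'frank' class 'read-only'
Permissions:
    view        -- Can view current values and statistics
"""

HEADER = re.compile(r"Current user: '(?P<user>[^']+)' class '(?P<cls>[^']+)'")
FLAG = re.compile(r"^\s*(?P<flag>[a-z][a-z0-9-]*)\s+(?:--\s+)?(?P<desc>\S.*)$")
# Assumption: these words in a description mean the flag can change router state.
WRITE_WORDS = re.compile(r"\b(modify|edit|clear|write|enter configuration mode)\b", re.I)

def parse_authorization(text):
    """Return (user, login_class, {flag: description}) from the CLI output."""
    m = HEADER.search(text)
    if not m:
        raise ValueError("no 'Current user' header found")
    flags, in_perms = {}, False
    for line in text.splitlines():
        if line.strip() == "Permissions:":
            in_perms = True
        elif in_perms and (fm := FLAG.match(line)):
            flags[fm["flag"]] = fm["desc"].strip()
    return m["user"], m["cls"], flags

def write_capable(flags):
    """Flags named *-control or whose description grants a change."""
    return sorted(f for f, d in flags.items()
                  if f.endswith("-control") or WRITE_WORDS.search(d))

def audit(text, allowed_write=frozenset()):
    """Report write-capable flags held beyond the set the role is allowed."""
    user, cls, flags = parse_authorization(text)
    excess = [f for f in write_capable(flags) if f not in allowed_write]
    return {"user": user, "class": cls, "excess": excess}
```

An empty excess list for a role means its view of the CLI contains no state-changing permission, which matches what the user frank sees in the read-only example.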
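Section 3.3.3's naming scheme (media type, FPC slot, PIC slot, port) can be checked mechanically before a change is committed. This added example, which is not from the book, parses interface names and flags candidate set commands that touch fxp1 or fxp0. The helper names, the sample change set and the reading of the .N suffix as the logical unit number are assumptions.

```python
import re

# Media types from Table 3.1 of the text (unambiguous rows only).
MEDIA = {"at": "ATM over SONET/SDH", "e1": "E1", "e3": "E3", "fe": "Fast Ethernet",
         "so": "SONET/SDH", "t1": "T1", "t3": "DS-3", "ge": "Gigabit Ethernet"}
NAME = re.compile(r"^(?P<type>[a-z][a-z0-9])-(?P<fpc>\d+)/(?P<pic>\d+)/(?P<port>\d+)"
                  r"(?:\.(?P<unit>\d+))?$")
PERMANENT = {"fxp0": "out-of-band management port",
             "fxp1": "internal RE-to-PFE link"}

def parse_ifname(name):
    """Split a JUNOS interface name into fields; raise ValueError if malformed."""
    base = name.split(".")[0]
    if base in PERMANENT:
        return {"kind": "permanent", "name": base, "role": PERMANENT[base]}
    if re.fullmatch(r"lo\d+", base):
        return {"kind": "loopback", "name": base}
    m = NAME.match(name)
    if not m or m["type"] not in MEDIA:
        raise ValueError(f"not a recognised interface name: {name!r}")
    # Assumption: a trailing .N is the logical unit on top of the physical port.
    out = {"kind": "physical" if m["unit"] is None else "logical",
           "media": MEDIA[m["type"]]}
    for field in ("fpc", "pic", "port"):
        out[field] = int(m[field])
    if m["unit"] is not None:
        out["unit"] = int(m["unit"])
    return out

def lint_change(commands):
    """Return (line, severity, message) findings for a list of set commands."""
    findings = []
    for lineno, cmd in enumerate(commands, 1):
        m = re.search(r"\binterfaces?\s+(\S+)", cmd)
        if not m:
            continue
        try:
            info = parse_ifname(m.group(1))
        except ValueError as exc:
            findings.append((lineno, "error", str(exc)))
            continue
        if info.get("name") == "fxp1":
            findings.append((lineno, "block", "fxp1 is the internal RE-to-PFE link"))
        elif info.get("name") == "fxp0":
            findings.append((lineno, "review", "change touches the OOB management port"))
    return findings

# Constructed change set for the demonstration.
CHANGE = ["set protocols isis interface so-3/0/0.0 checksum",
          "set interfaces fxp1 unit 0 family inet address 10.0.0.1/24",
          "set protocols isis interface so-3/0.0 level 2 metric 10",
          "set interfaces fxp0 unit 0 family inet address 172.16.13.2/24"]
```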

Date posted: 03/07/2014, 19:20
