Published June 15, 2018

JNCIP-SP Lab: Study Guide Chapter 1 Case Study


In this lab, I use Olive to complete the JNCIP Study Guide Chapter 1 case study.
I use a single Olive instance and run logical systems r1-r7 to simulate Routers 1-7,
so Router 1 is logical system r1, Router 2 is r2, and so on.

Before we start the lab, we need to set up some default configuration.
root# load factory-default
root# set system root-authentication plain-text-password
root# set system host-name JNCIP
root# commit
root@JNCIP# run request system reboot


Requirements
1. Assign each router a hostname of the form rn, where n is a router number in the range of 1 through 7 inclusive.

2. Configure the fxp0 network according to Figure 1.1, and ensure that you and the proctor station will have telnet access to all seven routers using the OoB management network.

3. Modify the syslog parameters to log all interactive CLI commands to a file called rn-cli, where n is equal to the router number.
Configure the CLI log to permit four archived copies that will be no larger than 128K,
and ensure that CLI-related logging is also sent to 10.0.200.2, which is providing a remote syslog service.
All other syslog parameters should be left at their default setting.

4. Create user accounts and permissions based on Table 1.2.
Table 1.2  Case Study User Accounts
User/Password   Permissions   Notes
lab             superuser     Telnet, SSH version 2 only with password, and console
root            superuser     Console only
noc             view only     Telnet, SSH version 2 only with password, and console

5. Ensure that all users are first authenticated through RADIUS, and that the local password database
is not automatically consulted should the RADIUS server become unreachable. The RADIUS secret is juniper.

6. Allow SNMP access from all IP addresses, but only allow SNMP request over the fxp0 interface.
Use a community value of public for read-only access and private for read/write access.
Send only version 1 authentication–related traps to the SNMP server.

7. Configure all routers as broadcast NTP clients, and authenticate all messages using MD5, key ID 200, and key value juniper.
Ensure that manual clock synchronization steps are not required.
For this example, the NTP service is provided by 10.0.1.102.

8. Ensure that all routers display the correct value for local time. You should assume that you are testing in Sunnyvale, California.

9. Without using DNS, ensure that you can ping the proctor workstation using the name proctor.

10. Configure the router to ignore management interface link status and enable the auxiliary console port for vt100 terminals.


Configuration:
1. Assign each router a hostname of the form rn, where n is a router number in the range of 1 through 7 inclusive.

Note: On a real router this would be root@JNCIP# set system host-name r1, but we are using logical systems for this lab,
so the commands are:
root@JNCIP# set logical-systems r1
root@JNCIP# set logical-systems r2   
root@JNCIP# set logical-systems r3   
root@JNCIP# set logical-systems r4   
root@JNCIP# set logical-systems r5   
root@JNCIP# set logical-systems r6   
root@JNCIP# set logical-systems r7   


2. Configure the fxp0 network according to Figure 1.1, and ensure that you and the proctor station will have telnet access to all seven routers using the OoB management network.
Note: On Olive there is no fxp0; interface em0 takes its place as the OoB management interface.

root@JNCIP# set system services telnet
root@JNCIP# set interfaces em0 unit 0 family inet address 10.0.1.1/24
root@JNCIP# set routing-options static route 10.0.200.0/24 next-hop 10.0.1.102 no-readvertise


3. Modify the syslog parameters to log all interactive CLI commands to a file called rn-cli, where n is equal to the router number.
Configure the CLI log to permit four archived copies that will be no larger than 128K,
and ensure that CLI-related logging is also sent to 10.0.200.2, which is providing a remote syslog service.
All other syslog parameters should be left at their default setting.

==========================================================
root@JNCIP# set system syslog file r1-cli interactive-commands any
root@JNCIP# set system syslog host 10.0.200.2 interactive-commands any
root@JNCIP# set system syslog file r1-cli archive size 128k files 4
==========================================================
or
==========================================================
root@JNCIP# set logical-systems r1 system syslog file r1-cli interactive-commands any
root@JNCIP# set logical-systems r1 system syslog host 10.0.200.2 interactive-commands any
root@JNCIP# set logical-systems r1 system syslog file r1-cli archive size 128k files 4  <= The archive statement is not supported under logical-systems, so skip it there.

root@JNCIP# set logical-systems r2 system syslog file r2-cli interactive-commands any
root@JNCIP# set logical-systems r2 system syslog host 10.0.200.2 interactive-commands any

root@JNCIP# set logical-systems r3 system syslog file r3-cli interactive-commands any
root@JNCIP# set logical-systems r3 system syslog host 10.0.200.2 interactive-commands any

root@JNCIP# set logical-systems r4 system syslog file r4-cli interactive-commands any
root@JNCIP# set logical-systems r4 system syslog host 10.0.200.2 interactive-commands any

root@JNCIP# set logical-systems r5 system syslog file r5-cli interactive-commands any
root@JNCIP# set logical-systems r5 system syslog host 10.0.200.2 interactive-commands any

root@JNCIP# set logical-systems r6 system syslog file r6-cli interactive-commands any
root@JNCIP# set logical-systems r6 system syslog host 10.0.200.2 interactive-commands any

root@JNCIP# set logical-systems r7 system syslog file r7-cli interactive-commands any
root@JNCIP# set logical-systems r7 system syslog host 10.0.200.2 interactive-commands any
==========================================================

4. Create user accounts and permissions based on Table 1.2.
Note: Login configuration is not supported at the logical-systems level, so it goes under [edit system] on the host.
Username/password used in this lab: lab/lab123, root/root123, noc/noc123

root@JNCIP# set system login user lab authentication plain-text-password
root@JNCIP# set system login user lab class super-user
root@JNCIP# set system services ssh protocol-version v2

root@JNCIP# set system root-authentication plain-text-password
root@JNCIP# set system services ssh root-login deny   <= Junos never lets root log in over Telnet, so denying root over SSH leaves root with console access only.

root@JNCIP# set system login user noc authentication plain-text-password
==========================================================
root@JNCIP# set system login user noc class read-only
or
root@JNCIP# set system login user noc class NOC
root@JNCIP# set system login class NOC permissions view
==========================================================

Check command:
root@JNCIP> telnet 10.0.1.1
root@JNCIP> ssh noc@10.0.1.1


5. Ensure that all users are first authenticated through RADIUS, and that the local password database
is not automatically consulted should the RADIUS server become unreachable. The RADIUS secret is juniper.
Note: Authentication order and RADIUS servers are not supported at the logical-systems level; configure them under [edit system] on the host.

root@JNCIP# set system authentication-order radius
root@JNCIP# set system radius-server 10.0.200.2 secret juniper
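The RADIUS secret here (and the NTP key in step 7) is typed in the clear and stored in the configuration as a "$9$" string, e.g. secret "$9$-DbYoDi.z39JG39ApREdbs" in the final configuration at the end of this page. "$9$" is reversible obfuscation, not a hash: anyone who can read the configuration (a backup, a pasted show configuration, a blog post like this one) has the secret. The user passwords, by contrast, are stored as "$1$" md5-crypt hashes and cannot be reversed this way. The Python below makes that concrete by re-implementing the widely published junosdecode algorithm; it is an added example, not code from the study guide or the original post. The two sample configuration lines carrying "$9$" values are copied from this page's final configuration, and the "$1$" line is included only to show that it is skipped.

```python
"""Reverse Junos '$9$' obfuscation.  Added example (re-implementation of the
public junosdecode algorithm), not code from the study guide or the post.
The '$9$' values in SAMPLE_CONFIG are copied from the page's final config."""
import re

MAGIC = "$9$"
FAMILY = ["QzF3n6/9CAtpu0O", "B1IREhcSyrleKvMW8LXx",
          "7N-dVbwsY2g4oaJZGUDj", "iHkq.mPf5T"]
# The family of the first character decides how many padding characters follow it.
EXTRA = {c: 3 - i for i, fam in enumerate(FAMILY) for c in fam}
NUM_ALPHA = "".join(FAMILY)
ALPHA_NUM = {c: i for i, c in enumerate(NUM_ALPHA)}
# Each plaintext byte is spread over 2-4 output characters; these weights are
# applied to the alphabet "gaps" between consecutive characters.
ENCODING = [[1, 4, 32], [1, 16, 32], [1, 8, 32], [1, 64],
            [1, 32], [1, 4, 16, 128], [1, 32, 64]]

SAMPLE_CONFIG = """\
set system root-authentication encrypted-password "$1$9xaCfeIA$DoMiHW7akhvyMpAHebr/R0"
set system radius-server 10.0.200.2 secret "$9$-DbYoDi.z39JG39ApREdbs"
set system ntp authentication-key 200 value "$9$PTF/uORlK8CtK8X7sYfTz"
"""


def _gap(prev, cur):
    """Distance (mod alphabet size) between two consecutive characters, minus one."""
    return (ALPHA_NUM[cur] - ALPHA_NUM[prev]) % len(NUM_ALPHA) - 1


def junos_decrypt(crypt):
    """Return the plaintext behind a '$9$...' string; raise for anything else."""
    if not crypt.startswith(MAGIC) or len(crypt) <= len(MAGIC):
        raise ValueError("not a $9$ string (a $1$/$5$/$6$ value is a real hash)")
    chars = crypt[len(MAGIC):]
    first, chars = chars[0], chars[1:]
    chars = chars[EXTRA[first]:]          # throw away the padding characters
    prev, plain = first, ""
    while chars:
        weights = ENCODING[len(plain) % len(ENCODING)]
        nibble, chars = chars[:len(weights)], chars[len(weights):]
        if len(nibble) != len(weights):
            raise ValueError("truncated $9$ string")
        gaps = []
        for c in nibble:
            gaps.append(_gap(prev, c))
            prev = c
        plain += chr(sum(g * w for g, w in zip(gaps, weights)) % 256)
    return plain


_SECRET_RE = re.compile(r'"(\$9\$[^"]+)"')


def recover_secrets(config_text):
    """Map every 'display set' line that carries a $9$ value to its plaintext."""
    found = {}
    for line in config_text.splitlines():
        m = _SECRET_RE.search(line)
        if m:
            found[line[:m.start()].strip()] = junos_decrypt(m.group(1))
    return found


if __name__ == "__main__":
    for path, secret in recover_secrets(SAMPLE_CONFIG).items():
        print(f"{path}: {secret}")
```

Running it prints the RADIUS secret and the NTP key in the clear, which is exactly what the case study asked you to type in. Treat any configuration that contains "$9$" values as containing plaintext credentials when you store, share or post it.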


6. Allow SNMP access from all IP addresses, but only allow SNMP request over the fxp0 interface.
Use a community value of public for read-only access and private for read/write access.
Send only version 1 authentication–related traps to the SNMP server.
Note: In this lab, the fxp0 interface is the em0 interface.

root@JNCIP# set snmp interface em0
root@JNCIP# set snmp community public authorization read-only
root@JNCIP# set snmp community private authorization read-write
root@JNCIP# set snmp trap-group FOO version v1 targets 10.0.200.2
root@JNCIP# set snmp trap-group FOO categories authentication


7. Configure all routers as broadcast NTP clients, and authenticate all messages using MD5, key ID 200, and key value juniper.
Ensure that manual clock synchronization steps are not required.
For this example, the NTP service is provided by 10.0.1.102.

root@JNCIP# set system ntp broadcast-client
root@JNCIP# set system ntp authentication-key 200 type md5 value juniper
root@JNCIP# set system ntp trusted-key 200
root@JNCIP# set system ntp boot-server 10.0.1.102   


8. Ensure that all routers display the correct value for local time. You should assume that you are testing in Sunnyvale, California.

root@JNCIP# set system time-zone America/Los_Angeles


9. Without using DNS, ensure that you can ping the proctor workstation using the name proctor.

root@JNCIP# set system static-host-mapping proctor inet 10.0.200.1


10. Configure the router to ignore management interface link status and enable the auxiliary console port for vt100 terminals.

root@JNCIP# set chassis alarm management-ethernet link-down ignore
root@JNCIP# set system ports auxiliary type vt100


Final configuration:
root@JNCIP# show | display set
set version 12.1R1.9
set system host-name JNCIP
set system time-zone America/Los_Angeles
set system authentication-order radius
set system ports auxiliary type vt100
set system root-authentication encrypted-password "$1$9xaCfeIA$DoMiHW7akhvyMpAHebr/R0"
set system radius-server 10.0.200.2 secret "$9$-DbYoDi.z39JG39ApREdbs"
set system login class NOC permissions view
set system login user lab uid 2000
set system login user lab class super-user
set system login user lab authentication encrypted-password "$1$q0M9ehlx$9XZkXwUuPJK1bVFie2FCS."
set system login user noc uid 2001
set system login user noc class NOC
set system login user noc authentication encrypted-password "$1$nutuTWm9$j40sAjOFPTImr7tm/6/pE1"
set system static-host-mapping proctor inet 10.0.200.1
set system services ssh root-login deny
set system services ssh protocol-version v2
set system services telnet
set system syslog user * any emergency
set system syslog host 10.0.200.2 interactive-commands any
set system syslog file messages any notice
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands any
set system syslog file r1-cli interactive-commands any
set system syslog file r1-cli archive size 128k
set system syslog file r1-cli archive files 4
set system ntp boot-server 10.0.1.102
set system ntp authentication-key 200 type md5
set system ntp authentication-key 200 value "$9$PTF/uORlK8CtK8X7sYfTz"
set system ntp broadcast-client
set system ntp trusted-key 200
set logical-systems r1
set logical-systems r2
set logical-systems r3
set logical-systems r4
set logical-systems r5
set logical-systems r6
set logical-systems r7
set chassis alarm management-ethernet link-down ignore
set interfaces em0 unit 0 family inet address 10.0.1.1/24
set snmp interface em0.0
set snmp community public authorization read-only
set snmp community private authorization read-write
set snmp trap-group FOO version v1
set snmp trap-group FOO categories authentication
set snmp trap-group FOO targets 10.0.200.2
set routing-options static route 10.0.200.0/24 next-hop 10.0.1.102
set routing-options static route 10.0.200.0/24 no-readvertise

[edit]
root@JNCIP#
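A quick way to grade a configuration like the one above against the ten requirements is to parse the show | display set output into a tree and query it, rather than eyeballing the listing. The Python below does that; it is an added example, not code from the study guide or the original post. Its SAMPLE dump is constructed from this page's final configuration (the hostname is set to r1, since the post keeps the routers as logical systems on one Olive, and the user password lines are left out) and it deliberately keeps two deviations, the Asia/Taipei time zone and a syslog archive without the 128K size limit, so the checker has something to report. It goes a little beyond the page by also flagging an authentication order that lists anything besides radius.

```python
"""Grade a Junos 'show configuration | display set' dump against the Chapter 1
case-study requirements.  Added example, not from the study guide or the post.
SAMPLE is constructed from the page's final configuration with two deliberate
deviations (time zone, missing syslog archive size)."""
import shlex

SAMPLE = """\
set system host-name r1
set system time-zone Asia/Taipei
set system authentication-order radius
set system ports auxiliary type vt100
set system radius-server 10.0.200.2 secret "$9$-DbYoDi.z39JG39ApREdbs"
set system login class NOC permissions view
set system login user lab class super-user
set system login user noc class NOC
set system static-host-mapping proctor inet 10.0.200.1
set system services ssh root-login deny
set system services ssh protocol-version v2
set system services telnet
set system syslog host 10.0.200.2 interactive-commands any
set system syslog file r1-cli interactive-commands any
set system syslog file r1-cli archive files 4
set system ntp boot-server 10.0.1.102
set system ntp authentication-key 200 type md5
set system ntp broadcast-client
set system ntp trusted-key 200
set chassis alarm management-ethernet link-down ignore
set snmp interface em0.0
set snmp community public authorization read-only
set snmp community private authorization read-write
set snmp trap-group FOO version v1
set snmp trap-group FOO categories authentication
set snmp trap-group FOO targets 10.0.200.2
"""


def parse_display_set(text):
    """Nested dict built from 'set ...' lines; shlex keeps quoted values whole."""
    tree = {}
    for line in text.splitlines():
        if line.startswith("set "):
            node = tree
            for tok in shlex.split(line[4:]):
                node = node.setdefault(tok, {})
    return tree


def lookup(tree, path):
    """Subtree at a space-separated path, or None if the path is absent."""
    node = tree
    for tok in path.split():
        node = node.get(tok)
        if node is None:
            return None
    return node


def check_case_study(tree, router="r1"):
    """Return human-readable findings; an empty list means compliant."""
    findings = []

    def keys(path):                       # child names under a path
        node = lookup(tree, path)
        return set(node) if node else set()

    def require(path, why):
        if lookup(tree, path) is None:
            findings.append(f"missing '{path}' ({why})")

    def expect(path, want, why):          # exactly one child, with this value
        if keys(path) != {want}:
            findings.append(f"'{path}' should be {want}, got {sorted(keys(path)) or None} ({why})")

    expect("system host-name", router, "req 1")
    require("system services telnet", "req 2: OoB telnet access")
    log = f"system syslog file {router}-cli"
    require(f"{log} interactive-commands any", "req 3: CLI commands to rn-cli")
    expect(f"{log} archive files", "4", "req 3: four archived copies")
    expect(f"{log} archive size", "128k", "req 3: archives no larger than 128K")
    require("system syslog host 10.0.200.2 interactive-commands any", "req 3: remote syslog")
    expect("system login user lab class", "super-user", "req 4")
    noc = keys("system login user noc class")
    if noc != {"read-only"} and not any(keys(f"system login class {c} permissions") == {"view"} for c in noc):
        findings.append("noc must be view only (req 4)")
    require("system services ssh protocol-version v2", "req 4: SSH v2 only")
    require("system services ssh root-login deny", "req 4: root on console only")
    expect("system authentication-order", "radius", "req 5: RADIUS first, nothing else listed")
    require("system radius-server 10.0.200.2 secret", "req 5")
    require("snmp interface", "req 6: SNMP limited to the management interface")
    expect("snmp community public authorization", "read-only", "req 6")
    expect("snmp community private authorization", "read-write", "req 6")
    for grp in keys("snmp trap-group"):
        expect(f"snmp trap-group {grp} version", "v1", "req 6: v1 traps only")
        expect(f"snmp trap-group {grp} categories", "authentication", "req 6: authentication traps only")
    for path in ("broadcast-client", "authentication-key 200 type md5", "trusted-key 200", "boot-server"):
        require(f"system ntp {path}", "req 7")
    expect("system time-zone", "America/Los_Angeles", "req 8: Sunnyvale, CA")
    require("system static-host-mapping proctor inet", "req 9")
    require("chassis alarm management-ethernet link-down ignore", "req 10")
    require("system ports auxiliary type vt100", "req 10")
    return findings


if __name__ == "__main__":
    for f in check_case_study(parse_display_set(SAMPLE)):
        print(f)
```

Paste a real dump in place of SAMPLE (or read it from a file) and run the script on each router, changing router= to r2, r3 and so on; the syslog file name and hostname checks follow the router number.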


Reference:
Juniper Networks Certified Internet Professional Study Guide
Chapter 1 Case Study (p.42)

First published / last updated: 2014.05.15 / 2018.06.15
