Configuring the Router for the First Time
Problem
You have just installed and turned on a router and are configuring the JUNOS software for the first time.
Solution
Use the following commands to configure the router:
root# cli
root@> configure
[edit]
root@# set system host-name router1
root@# set system domain-name mynetwork.com
root@# set interfaces fxp0 unit 0 family inet address 192.168.15.1/24
root@# set system backup-router 192.168.15.2
root@# set system name-server 192.168.15.3
root@# set system root-authentication plain-text-password
New password:
Retype password:
root@# show
system {
    host-name router1;
    domain-name mynetwork.com;
    backup-router 192.168.15.2;
    root-authentication {
        encrypted-password "$1$ZUlES4dp$OUwWo1g7cLoV/aMWpHUnC/"; ## SECRET-DATA
    }
    name-server {
        192.168.15.3;
    }
}
interfaces {
    fxp0 {
        unit 0 {
            family inet {
                address 192.168.15.1/24;
            }
        }
    }
}
root@# commit
root@router1# exit
root@router1>
Discussion
On most JUNOS routers, the JUNOS software is installed in two places: the flash drive and the hard disk. When you first turn on the router, it runs the version of the software that is installed on the flash drive. The copy on the hard disk is a backup. Another backup copy of the software is provided on removable media, typically a PC card or a compact Flash card.
When you turn on your router for the first time, the JUNOS software automatically boots and starts. On some routers, a script prompts you for basic information about the router. On other routers, you use the J-Web browser to perform the initial configuration. At this point, you need to enter enough basic configuration information so that the router can be on the network and others can log in over the network. To work on the router to perform the initial configuration, you need to connect a terminal or laptop computer to the router through the console port, which is a serial port on the front of the router.
When you first connect to the router's console, you must log in as the user root. The root user is similar to the Unix superuser and has complete access to all functions on the router. Initially, the root account has no password. You can see that you are root because the prompt on the router shows the username root#. Start the JUNOS CLI using the command cli. The prompt root@> shows that you are the user root and that you are in operational mode. Once you have started the CLI, type the command configure to enter configuration mode. The prompt root@# indicates that you are now in configuration mode. If you look at the end of the previous example, you see that after you have activated the configuration with the commit command, the hostname that you configured is added to the end of the prompt, so the prompts become root@router1# in configuration mode and root@router1> in operational mode.
When you first configure the router, you set a number of basic properties for the router:
- Name of the router (the router's hostname), with the set system host-name command.
- Your domain name, with the set system domain-name command.
- IP address of the router's fxp0 interface, with the set interfaces fxp0 command. fxp0 is an Ethernet management interface that provides a separate out-of-band management network on the router. (The J-series routers do not have a dedicated management interface. You use one of the built-in Fast Ethernet interfaces, fe-0/0/0 or fe-0/0/1, instead.) Juniper Networks recommends that you manage all M-series and T-series routers using the fxp0 interface, which is reserved for managing the router, so no transit traffic is forwarded through it. As part of the physical setup for the router, you should connect fxp0 to an Ethernet network over which you can perform management tasks. Optimally, the router should also be able to reach its DNS and NTP servers through this network. If you prefer, you can use any other router interface as the management interface. For the remainder of this book, we assume that fxp0 (or fe-0/0/0 on J-series routers) is configured as the management interface.
- IP address of a backup router, with the set system backup-router command. Choose a router that is directly connected to the local router. Your router uses this backup router only when it is booting and only if the JUNOS routing software (called the routing protocol process, or RPD) does not start. If RPD does not start, the router will have no static or default routes, so you will not be able to access it directly but will have to go through the backup router. When the router is booting, it creates a static route to the backup router. This route is removed from the routing table as soon as the routing software starts.
For routers with two Routing Engines, the backup Routing Engine, RE1, still uses the backup router as a default gateway after the router has booted, so you can use the backup router to log in to RE1. (RE0 is the primary, or master, Routing Engine. See Recipe 1.30.)
- IP address of one or more DNS name servers on your network, with the set system name-server command. The router uses the DNS name server to translate hostnames into IP addresses.
- Password for the root account. When you initially start a new router, the root account has no password. To protect the security of the router and your network, it is critical that you configure a root password. The easiest way to do this is to enter a plain-text (ASCII) password with the plain-text-password statement. After you press Enter, the CLI prompts you for the password and then asks you to retype it, but it does not display what you type. The password you use cannot be all lowercase letters, all uppercase letters, or all numbers. There must be a mixture of cases, letters, digits, and punctuation. If you choose a password that doesn't meet these criteria, you see an error message:
error: require change of case, digits or punctuation
When you display the password with the show command, the CLI never shows the actual text that you type. It immediately encrypts the password string using MD5 and displays the encrypted version in the show command output. The section "Strategies for Choosing Passwords" in the Introduction to Chapter 2 discusses ways to choose secure passwords. Recipe 2.2 explains how to use SSH authentication for the root user.
For the initial router configuration to take effect (and, in fact, for any router configuration or configuration change to take effect), you use the commit command. This command verifies that there are no syntax errors in the configuration and then activates it.
root@# commit
root@router1#
It's worthwhile to take a moment to comment on the style you use to type configuration statements on JUNOS routers. In this recipe, you are at the [edit] configuration hierarchy level, which is the very top level of the hierarchy, so you have to type the full hierarchy to the statement as well as the statement itself. This hierarchy is fairly shallow, so there is not too much extra typing. When you are working in deeper hierarchies, you may find it easier to move to that hierarchy level, both so you have less typing to do and have a better sense of where you are in the configuration. For this recipe, you could type most of the configuration commands from the [edit system] hierarchy level:
root# cli
root@> configure
[edit]
root@# edit system
[edit system]
root@# set host-name router1
root@# set domain-name mynetwork.com
root@# set backup-router 192.168.15.2
root@# set name-server 192.168.15.3
root@# set root-authentication plain-text-password
New password: $123poppI
Retype password: $123poppI
Then when you use the show command, you see only the statements at the [edit system] level:
[edit system]
root@# show
host-name router1;
domain-name mynetwork.com;
backup-router 192.168.15.2;
root-authentication {
    encrypted-password "$1$ZUlES4dp$OUwWo1g7cLoV/aMWpHUnC/"; ## SECRET-DATA
}
name-server {
    192.168.15.3;
}
In portions of the configuration where you are using the same configuration command repeatedly with only minor variations, it is handy to use the keystroke sequences listed in Table 1-1.
While the configuration shown in this recipe provides the minimum needed to access the router from another system on the network, you should add a few other settings to the configuration to provide a more robust level of basic network connectivity:
[edit]
root@router1# set system ntp server 192.168.2.100
root@router1# set system time-zone America/Los_Angeles
root@router1# set system services ssh
root@router1# set interfaces lo0 unit 0 family inet address 207.17.139.42/32
root@router1# set system login user aviva class superuser
root@router1# set system login user aviva authentication plain-text-password
New password:
Retype new password:
root@router1# commit
The first command, set system ntp server, configures the IP address of an NTP server so that the router can set its time properly. Because we have already configured DNS on the router, you could specify the name of the time server instead of an IP address and it will be translated to an IP address. To have the router obtain accurate time from the servers, it is good practice to configure a minimum of four NTP servers. You can also optionally configure the time zone in which the router is located (see Recipe 6.2); by default, the time zone is UTC.
To be able to log in to the router over the network using SSH, enable SSH services on the router with the set system services ssh command. For this to work, SSH must also be configured on the network servers. SSH is also used to copy files to and from the router. (The JUNOS SSH uses the Unix scp command.) Note that you can also copy files with FTP or HTTP (see Recipe 2.1), but these are less secure than SSH. On routers with two Routing Engines, you can copy files between the two (see Recipe 1.30).
The set interfaces command sets the router's IP address by configuring an address on the loopback interface (see Recipe 7.3). The last two commands set up a non-root user account so an individual user can log in to the router (see Recipe 2.5).
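As an added example (not code from the book or from Juniper), the following Python script parses the curly-brace format that the show command prints and audits it for the settings this recipe says a first-time configuration needs: a root password, hostname, backup router, name server, SSH enabled, and at least four NTP servers. The sample configuration embedded in it is constructed from the statements above.

```python
# Parse JUNOS 'show' output (curly-brace format) and audit it for the basic
# settings this recipe calls for. Added example, not Juniper code.
import re

# Constructed sample: the recipe's minimal config plus the NTP/SSH/lo0 additions.
SAMPLE = """
system {
  host-name router1; domain-name mynetwork.com; backup-router 192.168.15.2;
  root-authentication { encrypted-password "$1$ZUlES4dp$OUwWo1g7cLoV/aMWpHUnC/"; ## SECRET-DATA
  }
  name-server { 192.168.15.3; }
  ntp { server 192.168.2.100; }
  services { ssh; }
}
interfaces { lo0 { unit 0 { family inet { address 207.17.139.42/32; } } } }
"""

def parse(text):
    """Containers -> dict keyed by full header ("unit 0"); leaves -> list of values."""
    text = re.sub(r"##[^\n]*", "", text)            # drop ## SECRET-DATA annotations
    tokens = re.findall(r'\{|\}|;|"[^"]*"|[^\s{};"]+', text)
    stack, words = [{}], []                         # stack[-1] is the open container
    for tok in tokens:
        if tok == "{":                              # open a nested block
            stack.append(stack[-1].setdefault(" ".join(words), {}))
            words = []
        elif tok == "}":                            # close it
            stack.pop()
        elif tok == ";":                            # leaf: "key value;" or bare "ssh;"
            value = " ".join(words[1:]) if len(words) > 1 else True
            stack[-1].setdefault(words[0], []).append(value)  # repeats kept as a list
            words = []
        else:
            words.append(tok.strip('"'))
    return stack[0]

def audit(conf):
    sysm, findings = conf.get("system", {}), []
    if "encrypted-password" not in sysm.get("root-authentication", {}):
        findings.append("root account has no password")
    for key in ("host-name", "backup-router", "name-server"):
        if key not in sysm:
            findings.append(f"system {key} not set")
    if "ssh" not in sysm.get("services", {}):
        findings.append("ssh service not enabled")
    ntp = sysm.get("ntp", {}).get("server", [])     # one list entry per server line
    if len(ntp) < 4:
        findings.append(f"only {len(ntp)} NTP server(s); recipe recommends four")
    return findings
```

Running audit(parse(SAMPLE)) reports only the NTP shortfall, since the sample configures a single time server.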
If your router has two Routing Engines, you also need to configure a hostname and IP address for the second Routing Engine (see Recipe 1.30).
Again, issue the commit command for the configuration changes to take effect:
root@router1# commit
Recipes 1.7, 1.15, and 1.16 explain how the commit operation works, including how to provisionally commit configuration changes.
At this point, you are logged in to the router as the user root, so you have complete control over the router. As root, you can perform operational actions that shut down the router or make it inaccessible to the network. While there are times when you want to legitimately perform these types of operations, you generally want to make sure that the router continues to operate normally, and you want to minimize the chance of accidentally interfering with the router's operation.
At this point in configuring the router, you should either load an existing router configuration file, as described in Recipe 1.12, or add user accounts to the configuration (see Recipe 2.5), including one for yourself, and then log out and log back in to the router using your user ID.
See Also
Recipes 1.7, 1.12, 1.15, 1.16, 1.17, 1.30, 2.1, 2.2, 2.5, 6.2, and 7.3