Introduction to the Junos Operating System
Question: How does the CLI respond when you try to enter configuration mode?
Answer: The CLI does not let user walter enter configuration mode. It responds by stating that the command is unknown.
Step 1.9
Enter a question mark (?) at the prompt to view the permitted operational mode command options for the user walter.
walter@srxA-1> ? |
|
|
|
Possible completions: |
|
|
|
file |
Perform file operations |
||
help |
Provide help information |
||
load |
|
|
|
monitor |
Show real-time debugging information |
||
op |
Invoke an operation script |
||
quit |
Exit the management session |
||
request |
Make system-level requests |
||
restart |
Restart software process |
||
save |
|
|
|
set |
Set CLI properties, date/time, craft interface message |
||
show |
Show system information |
||
start |
Start shell |
||
test |
Perform diagnostic debugging |
||
|
|
Question: Why is the user walter unable to enter |
|
|
|
configuration mode? |
|
|
|
|
|
|
|
|
|
Answer: The custom login class defined for the user walter does not give permission for entering configuration mode.
Step 1.10
Verify that the user walter can view the configuration and other operational outputs such as interface information.
walter@srxA-1> show configuration
## Last commit: 2012-04-18 12:14:08 PDT by lab version 12.1R1.9;
system {
host-name srxA-1;
time-zone America/Los_Angeles; root-authentication {
encrypted-password /* SECRET-DATA */; ## SECRET-DATA ssh-dsa /* SECRET-DATA */;
Lab 3–6 • Secondary System Configuration (Detailed) |
www.juniper.net |
Introduction to the Junos Operating System
}
login {
class juniper {
permissions [ reset view view-configuration ];
}
user lab { uid 2000;
class super-user; authentication {
encrypted-password /* SECRET-DATA */; ## SECRET-DATA
}
}
user nancy { uid 2001;
class read-only; authentication {
encrypted-password /* SECRET-DATA */; ## SECRET-DATA
}
}
user walter { uid 2002;
class juniper; authentication {
encrypted-password /* SECRET-DATA */; ## SECRET-DATA
}
}
}
...TRIMMED...
walter@srxA-1> show interfaces
Physical interface: ge-0/0/0, Enabled, Physical link is Up Interface index: 134, SNMP ifIndex: 508
Description: MGMT Interface - DO NOT DELETE
Link-level type: Ethernet, MTU: 1514, Link-mode: Full-duplex, Speed: 1000mbps, BPDU Error: None, MAC-REWRITE Error: None, Loopback: Disabled,
Source filtering: Disabled, Flow control: Enabled, Auto-negotiation: Enabled, Remote fault: Online
Device flags |
: |
Present Running |
Interface flags: |
SNMP-Traps Internal: 0x0 |
|
Link flags |
: |
None |
CoS queues |
: |
8 supported, 8 maximum usable queues |
Current address: |
f8:c0:01:8f:8f:80, Hardware address: f8:c0:01:8f:8f:80 |
|
Last flapped |
: |
2012-04-18 10:27:06 PDT (01:57:39 ago) |
Input rate |
: |
976 bps (2 pps) |
Output rate |
: |
1280 bps (1 pps) |
Active alarms |
: |
None |
Active defects : None
Interface transmit statistics: Disabled
Logical interface ge-0/0/0.0 (Index 70) (SNMP ifIndex 512) Flags: SNMP-Traps 0x0 Encapsulation: ENET2
Input packets : 157 Output packets: 81
...TRIMMED...
www.juniper.net |
Secondary System Configuration (Detailed) • Lab 3–7 |
Introduction to the Junos Operating System
Question: Can the user walter view the root password within the configuration? Why?
Answer: No. The Junos OS hides certain configuration elements that it determines to be security risks and notates them with a SECRET-DATA tag. In this case, the user walter does not have the secret permission defined for his login class. The secret permission is required to view configuration elements with the
SECRET-DATA tag.
Step 1.11
Restart the routing process using the restart routing command. This command restarts the routing protocol daemon (rpd), which can be useful when troubleshooting routing problems.
walter@srxA-1> restart routing
Routing protocols process started, pid 9777
Question: Which permission allows the user walter to perform this command?
Answer: The reset permission allows a user to restart software processes and certain hardware components. This permission will not, however, allow the user to reboot the system.
Step 1.12
Log out from the user walter and initiate a new Telnet session to the management interface for the user nancy. (Hint: Use the reconnect option on your terminal client.) Attempt to restart the routing protocol process using the restart routing command.
walter@srxA-1> exit
srxA-1 (ttyp0)
login: nancy Password:
--- JUNOS 11.1R1.10 built 2011-03-16 08:20:26 UTC nancy@srxA-1> restart
^
unknown command.
Lab 3–8 • Secondary System Configuration (Detailed) |
www.juniper.net |
Introduction to the Junos Operating System
Question: Can nancy successfully issue the restart command?
Answer: As shown in the output, the user nancy cannot issue the operational mode restart command.
Question: What is a quick way to view the top-level operational mode commands available to nancy?
Answer: Use the question mark (?) to view available commands anywhere within a command line. Commands that are not permitted due to user permissions do not display.
Question: Can the user nancy view the configuration?
Answer: The user nancy can issue the command show configuration, but the contents are hidden. The following is a sample capture, taken from the srxA-1 device:
nancy@srxA-1> show configuration
## Last commit: 2012-04-18 12:14:08 PDT by lab version /* ACCESS-DENIED */;
system { /* ACCESS-DENIED */ }; interfaces { /* ACCESS-DENIED */ }; routing-options { /* ACCESS-DENIED */ };
Step 1.13
Attempt to clear interface statistics for the ge-0/0/0 interface using the clear interfaces statistics ge-0/0/0 command.
nancy@srxA-1> clear
^
unknown command.
www.juniper.net |
Secondary System Configuration (Detailed) • Lab 3–9 |