Preview
Rate this lesson

The initial configuration of Juniper devices is the first step after purchasing a Juniper device. Initial configuration typically means enabling root authentication which is required, configuring a hostname and management IP address, and enabling SSH or Telnet remote access. It can also be a good idea to configure domain names, name servers, time zones and NTP servers.

We will also learn how to revert back to the default factory configuration or erase all configuration and data files to reconfigure the juniper device from scratch.

Juniper Initial Configuration fundamental

Every juniper device depending on the function which can be a switch, router or a firewall has a different factory default configuration.

Default factory configuration is just to have an initial access to the device, but depending on your network topology, initial configuration must be changed. So it can be accessible through your network topology with your own credential.

Juniper Initial Configuration
Juniper Initial Configuration

These are some initial configurations that we will discuss in this section, including setting root authentication. Setup a management IP address. Configure remote SSH/Telnet access. Configure hostname, domain-name, name servers, time zone, NTP servers and cli idle time out.

Finally, we will discuss how to restore the factory default configuration or completely erase the configuration and data files to make juniper device ready for a new configuration.

Setup Junos root authentication

By default, you can log in to all Juniper devices with the user “root” and without a password. But the first step that needs to be configured is setting up a password for the root user, in other words, configuring root authentication.

The easiest way to configure root-authentication is to set a plain-text password.

As you can see there are also some other options for root authentication like “encrypted-password” or password-less SSH public key (ssh-rsa).

Password-less SSH public key authentication is especially useful for network automation. Therefore, our next section is dedicated to configuring the topic, Junos password-less SSH public key authentication.

However, to enable plain-text password authentication, use the “set system root-authentication plain-text-password” command.

[email protected]# set system root-authentication ?
Possible completions:
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
  encrypted-password   Encrypted password string
  load-key-file        File (URL) containing one or more ssh keys
  no-public-keys       Disables ssh public key based authentication
  plain-text-password  Prompt for plain text password (autoencrypted)
> ssh-ecdsa            Secure shell (ssh) ECDSA public key string
> ssh-ed25519          Secure shell (ssh) ED25519 public key string
> ssh-rsa              Secure shell (ssh) RSA public key string
[edit]
[email protected]# set system root-authentication plain-text-password    
New password:
Retype new password:

[edit]
[email protected]# 

Configure SRX Management Interface IP Address

Configuring management IP address based on your network topology is required for remote Telnet and SSH access.

With “show interface terse” command, you can see the list of interfaces. the question is which interface is the management interface in the device.

[email protected]# run show interfaces terse 
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
gr-0/0/0                up    up
ip-0/0/0                up    up
lsq-0/0/0               up    up
lt-0/0/0                up    up
mt-0/0/0                up    up
sp-0/0/0                up    up
sp-0/0/0.0              up    up   inet    
                                   inet6   
sp-0/0/0.16383          up    up   inet    
ge-0/0/1                up    up
dsc                     up    up
em0                     up    up
em0.0                   up    up   inet     128.0.0.1/2     
em1                     up    up
em1.32768               up    up   inet     192.168.1.2/24  
em2                     up    down
fti0                    up    up
fxp0                    up    up
fxp0.0                  up    up   inet     192.168.200.100/24
gre                     up    up
ipip                    up    up
irb                     up    up
lo0                     up    up
lo0.16384               up    up   inet     127.0.0.1           --> 0/0
lo0.16385               up    up   inet     10.0.0.1            --> 0/0
                                            10.0.0.16           --> 0/0
                                            128.0.0.1           --> 0/0
                                            128.0.0.4           --> 0/0
                                            128.0.1.16          --> 0/0
lo0.32768               up    up  
lsi                     up    up
mtun                    up    up
pimd                    up    up
pime                    up    up
pp0                     up    up
ppd0                    up    up
ppe0                    up    up
st0                     up    up
tap                     up    up
vlan                    up    down
vtep                    up    up

[edit]
[email protected]# 

We will talk about Juniper interfaces in a dedicated video, but just to get a first impression, depending on the device type or device model, management interface can be an em0, me0 or fxp0 interface.

For Juniper SRX firewall and MX routers, fxp0 interface is usually the management interface.

To configure an IP address for management interface, use the command “set interfaces fxp0 unit 0 family inet address 192.168.200.100/24”.

[edit]
[email protected]# set interfaces fxp0 unit 0 family inet address 192.168.200.100/24 

[edit]
rayk[email protected]# set routing-options static route 0.0.0.0/0 next-hop 192.168.1.1      

[edit]
[email protected]# 

If you need to configure default gateway for your device to access it remotely, we will talk about static routing in a dedicated video. But for now you can use the command “set routing-options static route 0.0.0.0/0 next-hop 192.168.200.1 ”, if your device is SRX device.

Configure Junos Remote Telnet/SSH Access

Under “system services” context, you can enable easily Telnet, SSH and also web management access.

The only point is that by default the root user does not have permission to login remotely. You can easily create another user for remote access, but if you also want to log in remotely with the root user, don’t forget to grant the permission.

With the commands, under “system services”, we enable Telnet, SSH and web access.

[email protected]# set system services web-management https system-generated-certificate 

[edit]
[email protected]# set system services web-management https interface fxp0.0

[edit]
[email protected]# set system services telnet                                                 

[edit]
[email protected]# set system services ssh root-login allow 

[edit]
[email protected]# 
[email protected]# run show configuration | display set | grep services    
set system services ssh root-login allow
set system services telnet
set system services web-management https system-generated-certificate
set system services web-management https interface fxp0.0

[edit]
[email protected]# 

For HTTPS access, we need a certificate. if we do not have certificate authority or public key infrastructure in the network, then the easiest way is to use “system generated certificate”.

We also enable the access through management interface fxp0.0 interface.

With “root-login allow” under SSH service, we grant the root user the permission to login remotely.

Configure Junos host-name, domain-name and name servers

In the next step, we recommend to configure the hostname and domain-name and also name server for name resolution.

[email protected]# set system host-name vSRX 

[edit]
[email protected]# set system domain-name rayka-co.com 

[edit]
[email protected]# set system name-server 192.168.1.240 

[edit]
[email protected]# set system name-server 8.8.8.8          

[edit]
[email protected]# show | compare 
[edit system]
+  domain-name rayka-co.com;
+  name-server {
+      192.168.1.240;
+      8.8.8.8;
+  }

[edit]
[email protected]# 

Configure Junos time zone and NTP servers

For monitoring and also for security purposes, it is very important to make sure of a correct time in your devices.

With configuring time zone and NTP servers, you can make sure of the correct time in your system.

[edit]
[email protected]# set system ntp server 194.225.150.25 

[edit]
[email protected]# set system time-zone Asia/Tehran          

[edit]
[email protected]# show | compare 
[edit system]
+  time-zone Asia/Tehran;
+  ntp {
+      server 194.225.150.25;
+  }

[edit]
[email protected]# 

Configure Junos CLI idle time-out

With configuring, cli idle time-out, remote session will be automatically disconnected after the specified inactivity time, which is important for security purposes.

If it is configured to 0, then the remote session will never be expired.

Notice that this feature will be configured in operational mode and not in configuration mode.

[email protected]> set cli idle-timeout 5  
Idle timeout set to 5 minutes

[email protected]> Warning: session will be closed in 1 minute if there is no activity


[email protected]> set cli idle-timeout 0    
Idle timeout disabled

[email protected]> 

revert back to default factory configuration

For any reason, you can restore the factory default configuration, especially if your current configuration fails and you want to reconfigure from scratch.

The “load factory-default” command is replaces the current active configuration with the default factory configuration.

Notice that it will not replace the current active configuration, until you commit the changes. Therefore you can check the configuration changes with “show | compare” command to make sure of the changes before applying and replacing the active configuration.

[email protected]# load factory-default       
warning: activating factory configuration

[edit]
[email protected]# show | compare          
[edit]
- version 22.1R1.10;
[edit system]
-  host-name vSRX;
-  root-authentication {
-      encrypted-password "$6$Mm42nQEW$FBVpHM3HM3jTMOhBsS4pbQ8ZnmhmMsx4cQEz05/z0tIED/lF83D45Y8jvgPiCosReDYg.z/Ww4izkNsvS0KrB1"; ## SECRET-DATA
-  }
-  login {
-      user rayka {
-          uid 2000;
-          class super-user;
-          authentication {
-              encrypted-password "$6$q3IzG30w$9C9wXWadnG3bhg.GqSJXREB1YqiPWZ/3Y3aVf3.YKSCBN4rxONm5Czpi4JHrQ8OoeJCk0DZqr3k2rFf8r0g../"; ## SECRET-DATA
-          }
-      }
-  }
+  autoinstallation {
+      delete-upon-commit;
+      traceoptions {
+          level verbose;
+          flag {
+              all;
+          }
+      }
....

erase Junos configuration and data files

You also  have the option to erase Junos configuration files and all data files including log files to reconfigure the device from scratch.

It can be performed with command “request system zeroize” in operational mode.

[email protected]> request system zeroize 
warning: System will be rebooted and may not boot without configuration
Erase all data, including configuration and log files?. In case of Dual RE system, both Routing Engines will be zeroized [yes,no] (no) 


[email protected]> 
Back to: Juniper Junos Associate version 22.1R1.10 (JNCIA-Junos) > Junos Configuration Basics

Leave a Reply

Your email address will not be published. Required fields are marked *

Post comment