5.1 Communicating with the Router


Out-of-band communication with the router, that is, communication that does not use resources reserved for customer traffic, is accomplished through one of three connections built into the craft interface on all Juniper Networks M-Series routers. During initial installation and startup, the router must be configured through the console port, as this is the only interface enabled by default. Once the auxiliary port and management Ethernet connections have been configured, they can also be used to access the router's CLI. These interfaces are shown on a Juniper Networks M40 router in Figure 5-1.

Figure 5-1. The Juniper Networks M40 Craft Interface


There is some variation in the layout of the craft interface within the Juniper Networks M-Series router family. As is shown in Figures 5-2 and 5-3, the craft interface for the M160 has no management interface ports. The management interfaces for the M160 are built into the connector interface panel (CIP), which inhabits a slot running down the left side of the chassis, parallel to the bank of FPCs.

Figure 5-2. The Juniper Networks M160 Craft Interface


Figure 5-3. The Juniper Networks M160 CIP


Figure 5-4 shows the craft interface of the Juniper Networks M20 router. Notice that there are two complete sets of management interfaces, including two console ports, two auxiliary ports, and two management Ethernet connections, because this router has redundant routing engines, and each engine has its own set of management interfaces. The craft interface used for Juniper Networks M5 and M10 routers is very similar to that of the M40. They each have only a single set of management interfaces due to the fact that they do not possess redundant routing engines. Figures 5-5 and 5-6 show the craft interfaces of the M5 and M10. Regardless of the variation in layout, the primary purpose of these connections is to give administrative access to the CLI. From the CLI it is possible to make configuration changes, run diagnostic commands, upgrade software, and perform graceful shutdowns. If more detail is needed on the variations between models in the Juniper Networks M-Series line, see Chapter 3.

Figure 5-4. The Juniper Networks M20 Craft Interface


Figure 5-5. The Juniper Networks M10 Craft Interface


Figure 5-6. The Juniper Networks M5 Craft Interface


5.1.1 Changing the Settings for the Console Port

Of the three connections previously described, the console port is unique in that it is always used for the initial steps needed in configuration because it is by default the only interface that can be used to access the CLI on a Juniper Networks router. All other interfaces lack a functional configuration at initial startup. The console port is an RS232 male 9-pin connection on the craft interface of every Juniper Networks M-Series router. Refer to Figures 5-1 through 5-6 to identify the location of the console port connection on the craft interfaces of the routers.

By default the console port is considered to be secure in that it is permissible to log into the router as the root user through this connection. Those familiar with UNIX will recall that the root user has special permissions. In the Juniper Networks world, the root user is capable of accessing the UNIX kernel, as well as the core of JUNOS. Under normal conditions, root access should be permitted through the console. However, should a network engineer find it necessary, the console port can be blocked from allowing root access. The following example shows how to disable the root login on the console port:

    [edit system ports console]
    lab@Chicago# set insecure

The default speed for the console connection is 9,600 baud. The following example shows the command completions for setting the connection speeds. By using the question mark, the valid completions for any command string can be accessed from any point within the JUNOS CLI.

    [edit system ports console]
    lab@Chicago# set speed ?
    Possible completions:
      115200               Standard terminal at 115200 baud
      19200                Standard terminal at 19200 baud
      38400                Standard terminal at 38400 baud
      4800                 Standard terminal at 4800 baud
      57600                Standard terminal at 57600 baud
      9600                 Standard terminal at 9600 baud

If the baud rate on the console port is changed, any user logged in through that port will immediately be disconnected once the change is committed. The configuration sample below shows how to set the link speed for the console port to 19.2Kbps. It also shows user lab being logged off once the change is committed:

    [edit system ports console]
    lab@Chicago# set speed 19200
    [edit system ports console]
    lab@Chicago# show
    speed 19200;
    [edit system ports console]
    lab@Chicago# commit
    Chicago (ttyd0)
    login:

By default the terminal type is unknown, and in the JUNOS world this setting is compatible with most vt100 emulators. Depending on the type of terminal being used to configure the router, it may be necessary to change the default terminal type. In situations where something other than a vt100 emulator is being used, use the set type command at the [edit system ports console] hierarchy level to change the terminal type setting. The options for terminal type are ansi, vt100, and small-xterm. If one of these three is specified, the screen size is set at 80 columns by 24 rows. It is also possible to specify xterm, which will change the screen size to 80 columns by 65 rows. The configuration sample below shows the terminal type set to xterm:

Note

The set speed command is hidden in JUNOS 5.1 and is not supported in JUNOS 5.3 for the console and auxiliary ports.


    [edit system ports console]
    lab@Chicago# set type ?
    Possible completions:
      ansi                 ANSI-compatible terminal
      small-xterm          Small (24 line) xterm window
      vt100                VT100-compatible terminal
      xterm                Large (65 line) xterm window
    [edit system ports console]
    lab@Chicago# set type xterm
    [edit system ports console]
    lab@Chicago# show
    insecure;
    speed 19200;
    type xterm;

5.1.2 Configuring the Auxiliary Port

Because it lacks a configuration, by default the auxiliary port on a Juniper Networks router is not usable. Once enabled, it can be configured to serve the same purpose as the console port. However, in many implementations, the auxiliary port is connected to a modem to permit remote users to configure the router by dialing into it. Like the console port, the auxiliary port is an RS232 male 9-pin connection. Routers with multiple routing engines, specifically the Juniper Networks M160 and M20, will have multiple auxiliary ports. Refer to Figures 5-1 through 5-6 to identify the location of the auxiliary port connection on the craft interface.

All commands used for configuring the auxiliary port are executed at the [edit system ports auxiliary] hierarchy level. The command structure is similar to that used for changing the default settings for the console port.

    [edit system ports auxiliary]
    lab@Chicago# set speed 19200
    [edit system ports auxiliary]
    lab@Chicago# set type xterm
    [edit system ports auxiliary]
    lab@Chicago# set insecure
    [edit system ports auxiliary]
    lab@Chicago# show
    insecure;
    speed 19200;
    type xterm;

The configuration sample below gives us the output from a show command executed at the [edit system ports] level of the JUNOS hierarchy. Notice that the auxiliary port has a configuration, but the console port does not. As was mentioned previously, the console port is active by default and has predefined settings. If it is necessary to change the default settings on the console port, as was done in a previous example, then a configuration can be added for it. If configuration statements for the console port are added, then they will be visible; otherwise, no configuration for the console port is seen. In this example you can see that the port is insecure, so root can't access it, the baud rate is 19.2Kbps, and the terminal type is xterm.

    [edit system ports]
    lab@Chicago# show
    auxiliary {
        insecure;
        speed 19200;
        type xterm;
    }
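The root-login rules from Sections 5.1.1 and 5.1.2 can be checked offline against a saved copy of the [edit system ports] output. The Python below is an added example, not part of the original text or of JUNOS; the function names and the embedded sample are constructed here, and it assumes only the defaults stated in this section (console active at 9,600 baud with root login permitted, auxiliary port unusable until configured).

```python
import re

# Defaults as stated in this section: the console is active without any
# configuration, at 9600 baud, terminal type unknown, root login permitted.
CONSOLE_DEFAULTS = {"speed": "9600", "type": "unknown"}

# Constructed sample: the [edit system ports] output shown above.
SAMPLE = """\
[edit system ports]
lab@Chicago# show
auxiliary {
    insecure;
    speed 19200;
    type xterm;
}
"""


def parse_ports(text):
    """Parse [edit system ports] `show` output into {port: {statement: value}}."""
    ports, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        match = re.fullmatch(r"(console|auxiliary)\s*\{", line)
        if match:
            current = ports.setdefault(match.group(1), {})
        elif line == "}":
            current = None
        elif current is not None and line.endswith(";"):
            key, _, value = line[:-1].partition(" ")
            current[key] = value.strip() or True   # bare flag such as `insecure;`
    return ports


def audit_ports(text):
    """Report, per port, whether it is usable and whether root may log in on it."""
    ports = parse_ports(text)
    findings = {}
    for name in ("console", "auxiliary"):
        stanza = ports.get(name)
        if stanza is None and name == "auxiliary":
            # No configuration means the auxiliary port is not usable at all.
            findings[name] = {"enabled": False, "root_login": False}
            continue
        stanza = stanza or {}
        effective = dict(CONSOLE_DEFAULTS) if name == "console" else {}
        effective.update(stanza)
        findings[name] = {
            "enabled": True,
            "root_login": "insecure" not in stanza,  # `insecure` blocks root
            "speed": effective.get("speed"),
            "type": effective.get("type"),
        }
    return findings


if __name__ == "__main__":
    for port, finding in audit_ports(SAMPLE).items():
        print(port, finding)
```

For the sample, the console is reported as enabled with root login permitted even though no console stanza is visible, which is the case that is easy to overlook when reviewing a configuration by eye.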

5.1.3 Configuring the Management Ethernet

Every Juniper Networks M-Series router has at least two interfaces that have been defined by Juniper Networks as permanent. They are named fxp1 and fxp0. Fxp1 is an internal interface that is used to connect the routing engine to the PFE and is not configurable by conventional means through the CLI in JUNOS. The connection between the routing engine and the PFE runs Trivial Network Protocol (TNP). TNP uses IP at the network layer (Layer 3), but because it is not connection-oriented, it has less overhead than traditional TCP/IP. Because of the nature of the connections within the router chassis (highly reliable, nodes in close proximity), TNP is more appropriate than TCP/IP for this application. fxp0 is an external interface known as the management Ethernet interface. The fxp0 interface accommodates a standard RJ45 connection and can be configured to run the TCP/IP, ISO, or MPLS protocols. The configuration of the fxp0 interface is discussed in detail in Sections 5.1.3.1 and 5.1.3.2 of this chapter.

As was mentioned previously, it is possible for a Juniper Networks M-Series router to have more than two permanent interfaces. The Juniper Networks M20 and M160 can both support multiple routing engines and therefore require an extra permanent interface, known as fxp2, to connect the extra routing engine to the TNP network that runs between the routing engines and the PFE. The management Ethernet connection is referred to as fxp0 on both routing engines.

The console port is always used for initial configuration; however, following the initial installation and completion of a base configuration, the most common method of configuring a router is through a carefully controlled and protected management network. This arrangement is called a management LAN, to which the Juniper Networks router would connect through the aforementioned fxp0 interface. Due to the popularity of the IP protocol, the management LAN is the most commonly used method of accessing a Juniper Networks router. The out-of-band management network, if it is well designed, will usually have its own resources provisioned. In other words, it will not consume the same bandwidth that is reserved for customer traffic. Refer to Figures 5-1 through 5-6 to identify the location of the management Ethernet connection on the craft interface. Juniper Networks routers that support redundant routing engines will have two management Ethernet connections on the craft interface.

Like the auxiliary port, the management Ethernet connection is disabled by default. To enable this interface, it is necessary to build a configuration for it. This configuration is built under the [edit interfaces fxp0] hierarchy level and is described in the following sections. It is important to note that configuration of the management Ethernet (fxp0) connection is a prerequisite for accessing the router through Telnet sessions, SSH, or FTP across the management LAN. These protocols and their use in relation to a Juniper Networks router will be discussed later in this chapter. Sections 5.1.3.1 and 5.1.3.2 describe the physical and logical components of configuring the management Ethernet connection.

Note

This chapter only covers the minimal commands needed to configure the fxp0 interface. Chapter 7 goes into greater detail on the steps involved in configuring a fast Ethernet interface.


5.1.3.1 Physical Characteristics

All interface characteristics that precede the unit number are considered physical characteristics. If a physical characteristic is changed, it will affect all logical interfaces that are configured for the physical interface. What this means is that if there are multiple logical interfaces enabled on fxp0 (a virtual LAN (VLAN), or multiple subnetworks connected to a single physical interface, for example), changes made to the physical characteristics of the interface will affect all of the subnetwork connections.

It is possible to disable the fxp0 interface physically without removing its configuration. You might want to disable it during various testing or troubleshooting situations to bring down the link temporarily. The following configuration sample shows how to disable the fxp0 interface without deleting its configuration by using the disable command at the [edit interfaces fxp0] hierarchy level:

    [edit interfaces fxp0]
    lab@Chicago# set disable
    [edit interfaces fxp0]
    lab@Chicago# show
    disable;

Once troubleshooting steps have been completed, it is necessary to delete the disable setting from the fxp0 port; otherwise, it will not be able to send and receive packets. Use the command syntax below to delete the disable setting from the interface configuration:

    [edit interfaces fxp0]
    lab@Chicago# delete disable
    [edit interfaces fxp0]
    lab@Chicago# show

When configuring the management interface it is sometimes necessary to change physical characteristics. In some cases, the default autonegotiate settings do not work with other vendors' products. In those situations, JUNOS software has provisions that allow specification of a link speed or link mode as needed. By default the fxp0 interface uses autonegotiation to determine whether to operate at 10Mbps or 100Mbps. In other words, it readily adapts to the speed of the device that it is connected to. As mentioned previously, it is sometimes necessary to deactivate the autonegotiate default setting and specify a set link speed. To do this, use a configuration statement to force the interface to operate at either 10 or 100Mbps. To configure the management Ethernet interface to operate at a set speed, use the speed command at the [edit interfaces fxp0] hierarchy level. The configuration sample below shows how to set the link speed to 100Mbps:

    [edit interfaces fxp0]
    lab@Chicago# set speed 100m
    [edit interfaces fxp0]
    lab@Chicago# show
    speed 100m;

By default, the management interface autonegotiates the link mode. In other words, it will adapt to the link mode of the device at the other end of the wire, be it full- or half-duplex. As was the case with link speed, some vendor products do not readily adapt to the autonegotiation of link mode. Therefore, to configure either full- or half-duplex mode explicitly, use the set link-mode command at the [edit interfaces fxp0] hierarchy level. The example below shows how to set the link mode to full-duplex:

    [edit interfaces fxp0]
    lab@Chicago# set link-mode full-duplex
    [edit interfaces fxp0]
    lab@Chicago# show
    speed 100m;
    link-mode full-duplex;

It is possible to include a relevant description of the interface using the set description command under the [edit interfaces fxp0] hierarchy level. Any description added is visible using the show interfaces command, but will have no impact on the functionality or the performance of the fxp0 interface. In other words, it will be treated as a comment on the interface. If the description contains spaces, then it must be enclosed in quotation marks. The following example shows how to set the description "Management link to London" on the management interface.

    [edit interfaces fxp0]
    lab@Chicago# set description "Management link to London"
    [edit interfaces fxp0]
    lab@Chicago# show
    speed 100m;
    link-mode full-duplex;
    description "Management link to London";

By default, the router's management Ethernet interface (fxp0) uses the MAC address that is hard-coded into its Ethernet card. To see this address, use the show chassis mac-address operational-mode command. To change the management Ethernet interface's MAC address, use the set mac command at the [edit interfaces fxp0] hierarchy level. When a MAC address is added, it must be in one of the two following hexadecimal formats: 00:99:88:77:66:55 or 00.99.88.77.66.55. In the configuration sample below, the default MAC address, which is burned into the NIC of fxp0, is being overridden and set to 12:d4:23:5a:aa:87.

    [edit interfaces fxp0]
    lab@Chicago# set mac 12:d4:23:5a:aa:87
    [edit interfaces fxp0]
    lab@Chicago# show
    description "Management link to London";
    speed 100m;
    link-mode full-duplex;
    mac 12:d4:23:5a:aa:87;

The output from the show command above is cumulative in that it gives us the settings for all the changes made in this section.

5.1.3.2 Logical Characteristics

For a physical interface to function, at least one logical interface must be configured. All Juniper Networks fast-Ethernet interfaces support multiple logical interfaces; with fxp0, however, normally only one is used (unless VLAN tagging has been enabled). The following configuration sample contains the statement unit 0. This identifies logical interface 0. All settings that precede the unit number are pertinent to the physical interface and will therefore affect all logical interfaces. All settings that follow the unit number are pertinent only to the logical interface specified by the unit number. The commands relevant to fxp0, our management connection, are described in the paragraphs below.

Each logical interface can have multiple protocol families and must have at least one protocol family configured. The management interface will normally be configured with the inet family, as is shown in the following configuration sample. The inet family is the IP protocol stack and includes the major routing protocols, OSPF, BGP, and Routing Information Protocol (RIP), as well as Internet Control Message Protocol (ICMP) messages. To configure the inet family, include the set family command at the [edit interfaces fxp0 unit <unit #>] hierarchy level. Other protocol families available include iso, which is needed for running the IS-IS protocol, and mpls, which is needed to configure MPLS across an interface. The option of configuring protocol families other than inet exists; however, this option is rarely used. Under normal situations, only TCP/IP protocols are utilized across the management LAN. In the following example, the help feature is used to view valid command completions when adding a protocol family to an interface. After viewing the valid options, family inet is chosen to allow IP protocol traffic across logical interface 0 for physical interface fxp0.

    [edit interfaces fxp0 unit 0]
    lab@Chicago# set family ?
    Possible completions:
    + apply-groups         Groups from which to inherit configuration data
    > inet                 Internet protocol (IPv4) parameters
    > inet6                IPv6 protocol parameters
    > iso                  OSI ISO protocol parameters
    > mpls                 MPLS protocol parameters
    [edit interfaces fxp0 unit 0]
    lab@Chicago# set family inet
    [edit interfaces fxp0 unit 0]
    lab@Chicago# show
    family inet;

After the protocol family has been identified, it is necessary to specify an address for the interface. For the inet family, we will use an IP address and subnet mask (if no subnet mask is specified, JUNOS software will default to /32).

Note

If the IS-IS protocol were being used across the management LAN, then it would be necessary to configure the iso family and specify a network entity title (NET) for the node address.


To specify an address, use the set address <address/subnet mask> command at the [edit interfaces fxp0 unit <unit #> family <protocol>] level of the JUNOS hierarchy. In the configuration sample below, we have set an IP address of 192.168.151.10 with a 24-bit subnet mask:

    [edit interfaces fxp0]
    lab@Chicago# set unit 0 family inet address 192.168.151.10/24

The following example shows the settings for all the changes made in this section.

    [edit interfaces fxp0]
    lab@Chicago# show
    description "Management link to London";
    speed 100m;
    link-mode full-duplex;
    mac 12:d4:23:5a:aa:87;
    unit 0 {
        family inet {
            address 192.168.151.10/24;
        }
    }
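Before committing a management-interface change, the commands from Sections 5.1.3.1 and 5.1.3.2 can be replayed offline to see the resulting settings and catch the conditions this section warns about: a leftover disable statement, a MAC address in neither accepted format, no logical unit with a protocol family, and an address that ends up as /32. The Python below is an added example, not JUNOS code or part of the original text; replay, check_fxp0 and PAGE_COMMANDS are names made up for this sketch, and it models only the statements used in this section.

```python
import ipaddress
import re
import shlex

# The two MAC formats this section accepts: colon- or dot-separated octets.
MAC_RE = re.compile(r"[0-9a-f]{2}([:.])[0-9a-f]{2}(\1[0-9a-f]{2}){4}", re.I)

# The commands entered in Sections 5.1.3.1 and 5.1.3.2, in order.
PAGE_COMMANDS = [
    "set disable",
    "delete disable",
    "set speed 100m",
    "set link-mode full-duplex",
    'set description "Management link to London"',
    "set mac 12:d4:23:5a:aa:87",
    "set unit 0 family inet address 192.168.151.10/24",
]


def replay(commands):
    """Apply set/delete commands typed at [edit interfaces fxp0] to an empty config."""
    cfg = {"units": {}}
    for command in commands:
        verb, *args = shlex.split(command)      # quoted description stays one word
        if verb not in ("set", "delete") or not args:
            raise ValueError(f"unsupported command: {command!r}")
        if verb == "delete":
            if args[0] == "unit":
                cfg["units"].pop(int(args[1]), None)
            else:
                cfg.pop(args[0], None)
        elif args[0] == "unit":
            unit = cfg["units"].setdefault(int(args[1]), {})
            if args[2:3] == ["family"]:
                addresses = unit.setdefault(args[3], [])
                if args[4:5] == ["address"]:
                    addresses.append(args[5])
        else:
            cfg[args[0]] = args[1] if len(args) > 1 else True
    return cfg


def check_fxp0(cfg):
    """List the conditions this section says keep fxp0 from working as intended."""
    problems = []
    if cfg.get("disable"):
        problems.append("disable is set: the interface cannot send or receive")
    mac = cfg.get("mac")
    if mac is not None and not MAC_RE.fullmatch(mac):
        problems.append(f"mac {mac}: not colon- or dot-separated hexadecimal")
    families = [f for unit in cfg["units"].values() for f in unit.items()]
    if not families:
        problems.append("no logical unit with a protocol family configured")
    for family, addresses in families:
        for address in addresses if family == "inet" else []:
            if ipaddress.ip_interface(address).network.prefixlen == 32:
                problems.append(f"address {address}: /32 in effect")
    return problems
```

Replaying PAGE_COMMANDS yields no findings; dropping the /24 from the address, or omitting the delete disable step, produces one finding each.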


Juniper Networks Reference Guide. JUNOS Routing, Configuration, and Architecture
ISBN: 0201775921
EAN: 2147483647
Year: 2002
Pages: 176
