===== Configure the router =====
Use the following commands to configure the router:
root# cli
root@>
cli> configure
[edit]
root@# set system host-name juniper
root@# set system domain-name x83.net
root@# set interfaces fxp0 unit 0 family inet address 10.2.2.2/24
root@# set system backup-router 10.2.2.1
root@# set system name-server 10.2.2.1
root@# set system root-authentication plain-text-password
New password:
Retype password:
root@ show
system {
host-name juniper;
domain-name x83.net;
backup-router 10.2.2.1;
root-authentication {
encrypted-password "$1$gNTKIVLL$nSw2LduQttCiGipspveEq."; ## SECRET-DATA
}
name-server {
10.2.2.1;
}
interfaces {
fxp0 {
unit 0 {
family inet {
address 10.2.2.2/24;
}
}
}
}
root@# commit
root@juniper# exit
root@juniper>
Other config params :
root@juniper# set system ntp server 192.168.2.100
root@juniper# set system time-zone Europe/Ljubljana
root@juniper# set system services ssh
root@juniper# set interfaces lo0 unit 0 family inet address 10.200.200.1/32
root@juniper> configure exclusive //if several people login only you can use "configure"
root@juniper> status
root@juniper> request system logout user john //kick someone out
The ''**show | display set**'' command is a handy way to reverse-engineer a router configuration when you are trying to duplicate portions of a configuration on many routers or when you need to write up configuration, monitoring, or troubleshooting procedures for your network operations staff. This command is especially useful if the configuration is complex and when setting it up involves many long commands and lots of typing.
===== Add comments =====
root@juniper# set area 0.0.0.0 interface fe-0/0/0
root@juniper# annotate area 0.0.0.0 "MESH routers"
root@juniper# show
/* MESH routers */
area 0.0.0.0 {
interface fe-0/0/0.0;
}
To delete a comment, use the annotate command with an empty string:
root@juniper# annotate area 0.0.0.0 ""
===== Check syntax (commit) =====
After configuring issue commit command.
root@juniper# commit check
If there are no errors you recieve : configuration check succeeds
To debug commit :
root@juniper# commit | display detail
To exit from a lower level to operational mode : '**exit configuration-mode**'
===== Backing up configuration =====
root@juniper# file copy /config/juniper.conf.gz box:/root/tmp
root@juniper# save box:configMay
root@juniper# save configMay //copy to a localfile
root@juniper# run file show configMay //to view it
root@juniper# run show system storage // view diskspace
To backup every time you **commit**:
root@juniper# set archival configuration transfer-on-commit
root@juniper# set archival configuration archive-sites ftp: //giany:password@box:/m40configs
===== Rollback =====
root@juniper# rollback 1 //loads other config
root@juniper# show
root@juniper# commit
root@juniper# rollback ? //view rollbacks
===== View logs =====
root@juniper# run show log
root@juniper# run show log messages
===== Install different jinstall =====
root@juniper# request system software add validate box:jinstall-8.4R2.6-domestic-signed.tgz
Or copy the file to /var/tmp
root@juniper# file copy box:jinstall-8.4R2.6-domestic-signed.tgz /var/tmp
root@juniper# request system software add validate /var/tmp/jinstall-8.4R2.6-domestic-signed.tgz //and reboot here
and then reboot:
root@juniper# request system reboot
===== Gather system informations =====
root@juniper# show version
root@juniper# show version detail
root@juniper# show system processes
root@juniper# run show system processes | match /syslogd
root@juniper# run request support information
root@juniper# run file list detail /var/tmp //look for cores
root@juniper# run show system users
2:40PM up 10:12, 1 user, load averages: 0.01, 0.06, 0.07
USER TTY FROM LOGIN@ IDLE WHAT
root p1 10.2.2.1 2:28PM - cli
root@juniper# run show system uptime
Current time: 2008-05-24 13:52:15 EEST
System booted: 2008-05-24 04:29:05 EEST (09:23:10 ago)
Protocols started: 2008-05-24 04:34:42 EEST (09:17:33 ago)
Last configured: 2008-05-24 13:38:28 EEST (00:13:47 ago) by root
1:52PM up 9:23, 1 user, load averages: 0.00, 0.02, 0.00
===== Accounts =====
root@juniper# set system login user giany full-name Foobaruser
root@juniper# set system login user giany uid 1000
root@juniper# set system login user giany class super-user
root@juniper# set system login user giany authentication encrypted-password "$1$gNTKIVLL$nSw2LduQttCiGipspv32E."
root@juniper# set system login password password maximum-length 18 // max length
root@juniper# set system login password password minimum-length 8 // min lenght
root@juniper# set system login password password minimum-changes 3 // 3 case changes
**Set idle-timeout so after a while a user will get disconnect:**
login
class admin {
idle-timeout 4;
permissions all;
}
user test {
class admin
}
**On terminal you will get smth like that:**
test@br0> Warning: session will be closed in 1 minute if there is no activity
Warning: session will be closed in 10 seconds if there is no activity
Idle timeout exceeded: closing session
Connection closed by foreign host.
==== Tacacs ====
To allow authentification of users :
root@juniper# set login user operations class super-user
root@juniper# set login user operations full-name "Operations Account"
root@juniper# set login user operations uid 9999
root@juniper# set system authentication-order [ tacplus password ];
root@juniper# set tacacs-server 10.2.2.1 secret aaaaa
===== SSH/Telnet Filter =====
You want to filter incoming ssh/telnet connections to a set of ips. First create a prefix-list with allowed ips then create a policer that will discard all incoming connections. After that create the policer that will allow your prefix-list. In the end create the filters for discard/accept and apply the filter to the specified interface.
set policy-options prefix-list telnet-ssh-sessions 10.2.2.1/32
set firewall policer 1m-bw-limit if-exceeding bandwidth-limit 1m
set firewall policer 1m-bw-limit if-exceeding burst-size-limit 15k
set firewall policer 1m-bw-limit then discard
set firewall policer 20m-bw-limit if-exceeding bandwidth-limit 20m
set firewall policer 20m-bw-limit if-exceeding burst-size-limit 1m
set firewall policer 20m-bw-limit then discard
set firewall filter re-filter term police-ssh from source-prefix-list telnet-ssh-sessions
set firewall filter re-filter term police-ssh from protocol tcp
set firewall filter re-filter term police-ssh from port ssh
set firewall filter re-filter term police-ssh from port telnet
set firewall filter re-filter term police-ssh from tcp-initial
set firewall filter re-filter term police-ssh then policer 1m-bw-limit
set firewall filter re-filter term police-ssh then accept
set firewall filter re-filter term ssh-telnet from source-prefix-list telnet-ssh-sessions
set firewall filter re-filter term ssh-telnet from protocol tcp
set firewall filter re-filter term ssh-telnet from port ssh
set firewall filter re-filter term ssh-telnet from port telnet
set firewall filter re-filter term ssh-telnet then policer 20m-bw-limit
set firewall filter re-filter term ssh-telnet then accept
set interfaces fxp0 unit 0 family inet filter input re-filter //apply filter
set policy-options prefix-list NETWORK/24
policy-options {
prefix-list telnet-ssh-sessions {
NETWORK/24;
}
}
firewall {
filter re-filter {
term police-ssh {
from {
source-prefix-list {
telnet-ssh-sessions;
}
protocol tcp;
port [ ssh telnet ];
tcp-initial;
}
then {
policer 1m-bw-limit;
accept;
}
}
}
===== Sending messages =====
request message all message "Log out immediately"
request system logout terminal p0
request system logout user giany
request message user giany message "Log out immediately"
===== Syslog =====
root@juniper# show system syslog | display set
set system syslog archive size 1000k
set system syslog archive files 10
set system syslog archive world-readable
set system syslog user * any emergency
set system syslog file messages any notice
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands any
set system syslog file security authorization any
set system syslog file security interactive-commands any
set system syslog console authorization info
**To stop recording system messages :**
deactivate system syslog file messages
**and to start recording :**
activate system syslog file messages
**To turn of logging :**
delete system syslog file messages
===== SNMP =====
set snmp location "My home Network"
set snmp contact "admin at mynoc dot tld"
set snmp community nMSuser authorization read-only
set snmp community nMSuser clients 10.2.2.1/32
set snmp community nMSuser clients 10.0.9.0/24
[root@box ~]# snmpwalk -v 1 -c 'nMSuser' 10.2.2.2 | head
SNMPv2-MIB::sysDescr.0 = STRING: Juniper Networks, Inc. olive internet router, kernel JUNOS 7.4R2.6 #0: 2006-01-20 14 Build date: 2006-01-20 14:19:29 UTC Copyright (c) 1996-2006 Juniper Networks, Inc.
SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.2636.1.1.1.2.1
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (158417) 0:26:24.17
...
Its a good policy to restrict to only a few clients. If I use snmpwalk from a restricted ip /var/log/security prints:
Aug 1 16:45:59 juniper snmpd[2658]: SNMPD_AUTH_RESTRICTED_ADDRESS: validate_SNMP_community: request from address 10.1.1.1 not allowed
===== Restrict VTY Access on JunOS =====
Restricting remote access to your RE. The ideea is to allow remote logins via ssh or telnet. I want only one host from a specific ip to do remote SSH, the rest will be rejected. **!!! Warning!!! You need to understand that if you dont configure well you might stop all traffic from being forwarded through your RE.**
First you will use a term to set the host from where you will use ssh and then reject the rest. The second term is to allow all traffic pass through your core.
lo0 {
description "br0 loopback";
unit 0 {
family inet {
filter {
input re-filter;
}
address 127.0.0.1/32;
address 172.16.9.1/32 {
primary;
}
}
}
}
And then the policy filter:
filter lo-filter {
term ssh {
from {
source-address {
10.0.1.254/32 except;
}
destination-port ssh;
}
then {
discard
}
}
term no-ssh {
then {
accept
}
}
}