Differences
This shows you the differences between two versions of the page.
juniper:routerconfiguration [2009/02/04 18:43] a |
juniper:routerconfiguration [2009/05/25 00:35] |
Line 1: | Line 1: | ||
- | ===== Configure the router ===== | ||
- | |||
- | Use the following commands to configure the router: | ||
- | |||
- | < | ||
- | root# cli | ||
- | root@> | ||
- | cli> configure | ||
- | [edit] | ||
- | root@# set system host-name juniper | ||
- | root@# set system domain-name x83.net | ||
- | root@# set interfaces fxp0 unit 0 family inet address 10.2.2.2/ | ||
- | root@# set system backup-router 10.2.2.1 | ||
- | root@# set system name-server 10.2.2.1 | ||
- | root@# set system root-authentication plain-text-password | ||
- | New password: | ||
- | Retype password: | ||
- | root@ show | ||
- | system { | ||
- | host-name juniper; | ||
- | domain-name x83.net; | ||
- | backup-router 10.2.2.1; | ||
- | root-authentication { | ||
- | | ||
- | } | ||
- | name-server { | ||
- | | ||
- | } | ||
- | interfaces { | ||
- | fxp0 { | ||
- | unit 0 { | ||
- | family inet { | ||
- | address 10.2.2.2/ | ||
- | } | ||
- | } | ||
- | } | ||
- | } | ||
- | root@# commit | ||
- | root@juniper# | ||
- | root@juniper> | ||
- | </ | ||
- | |||
- | Other config params : | ||
- | < | ||
- | root@juniper# | ||
- | root@juniper# | ||
- | root@juniper# | ||
- | root@juniper# | ||
- | |||
- | root@juniper> | ||
- | root@juniper> | ||
- | root@juniper> | ||
- | </ | ||
- | |||
- | The '' | ||
- | |||
- | ===== Add comments ===== | ||
- | |||
- | |||
- | < | ||
- | root@juniper# | ||
- | root@juniper# | ||
- | root@juniper# | ||
- | /* MESH routers */ | ||
- | area 0.0.0.0 { | ||
- | | ||
- | } | ||
- | </ | ||
- | |||
- | To delete a comment, use the annotate command with an empty string: | ||
- | |||
- | | ||
- | |||
- | |||
- | ===== Check syntax (commit) ===== | ||
- | |||
- | |||
- | After configuring issue commit command. | ||
- | |||
- | root@juniper# | ||
- | |||
- | |||
- | If there are no errors you recieve : configuration check succeeds | ||
- | |||
- | To debug commit : | ||
- | |||
- | | ||
- | |||
- | |||
- | To exit from a lower level to operational mode : ' | ||
- | |||
- | |||
- | ===== Backing up configuration ===== | ||
- | < | ||
- | root@juniper# | ||
- | root@juniper# | ||
- | root@juniper# | ||
- | root@juniper# | ||
- | root@juniper# | ||
- | </ | ||
- | |||
- | To backup every time you **commit**: | ||
- | < | ||
- | root@juniper# | ||
- | root@juniper# | ||
- | </ | ||
- | |||
- | ===== Rollback ===== | ||
- | < | ||
- | root@juniper# | ||
- | root@juniper# | ||
- | root@juniper# | ||
- | root@juniper# | ||
- | </ | ||
- | |||
- | ===== View logs ===== | ||
- | |||
- | < | ||
- | root@juniper# | ||
- | root@juniper# | ||
- | </ | ||
- | |||
- | ===== Install different jinstall ===== | ||
- | |||
- | | ||
- | |||
- | Or copy the file to /var/tmp | ||
- | |||
- | | ||
- | | ||
- | |||
- | and then reboot: | ||
- | |||
- | | ||
- | |||
- | ===== Gather system informations ===== | ||
- | |||
- | < | ||
- | root@juniper# | ||
- | root@juniper# | ||
- | root@juniper# | ||
- | root@juniper# | ||
- | root@juniper# | ||
- | root@juniper# | ||
- | </ | ||
- | |||
- | < | ||
- | root@juniper# | ||
- | |||
- | | ||
- | USER | ||
- | root | ||
- | |||
- | root@juniper# | ||
- | |||
- | Current time: 2008-05-24 13:52:15 EEST | ||
- | System booted: 2008-05-24 04:29:05 EEST (09:23:10 ago) | ||
- | Protocols started: 2008-05-24 04:34:42 EEST (09:17:33 ago) | ||
- | Last configured: 2008-05-24 13:38:28 EEST (00:13:47 ago) by root | ||
- | | ||
- | </ | ||
- | |||
- | ===== Accounts ===== | ||
- | < | ||
- | root@juniper# | ||
- | root@juniper# | ||
- | root@juniper# | ||
- | root@juniper# | ||
- | |||
- | |||
- | root@juniper# | ||
- | root@juniper# | ||
- | root@juniper# | ||
- | </ | ||
- | |||
- | |||
- | **Set idle-timeout so after a while a user will get disconnect: | ||
- | < | ||
- | login | ||
- | class admin { | ||
- | idle-timeout 4; | ||
- | permissions all; | ||
- | } | ||
- | user test { | ||
- | class admin | ||
- | } | ||
- | </ | ||
- | |||
- | **On terminal you will get smth like that:** | ||
- | |||
- | | ||
- | | ||
- | Idle timeout exceeded: closing session | ||
- | |||
- | | ||
- | |||
- | |||
- | |||
- | ==== Tacacs ==== | ||
- | |||
- | To allow authentification of users : | ||
- | < | ||
- | root@juniper# | ||
- | root@juniper# | ||
- | root@juniper# | ||
- | root@juniper# | ||
- | root@juniper# | ||
- | </ | ||
- | |||
- | |||
- | |||
- | |||
- | |||
- | ===== SSH/Telnet Filter ===== | ||
- | |||
- | You want to filter incoming ssh/telnet connections to a set of ips. First create a prefix-list with allowed ips then create a policer that will discard all incoming connections. After that create the policer that will allow your prefix-list. In the end create the filters for discard/ | ||
- | |||
- | < | ||
- | set policy-options prefix-list telnet-ssh-sessions 10.2.2.1/32 | ||
- | set firewall policer 1m-bw-limit if-exceeding bandwidth-limit 1m | ||
- | set firewall policer 1m-bw-limit if-exceeding burst-size-limit 15k | ||
- | set firewall policer 1m-bw-limit then discard | ||
- | set firewall policer 20m-bw-limit if-exceeding bandwidth-limit 20m | ||
- | set firewall policer 20m-bw-limit if-exceeding burst-size-limit 1m | ||
- | set firewall policer 20m-bw-limit then discard | ||
- | set firewall filter re-filter term police-ssh from source-prefix-list telnet-ssh-sessions | ||
- | set firewall filter re-filter term police-ssh from protocol tcp | ||
- | set firewall filter re-filter term police-ssh from port ssh | ||
- | set firewall filter re-filter term police-ssh from port telnet | ||
- | set firewall filter re-filter term police-ssh from tcp-initial | ||
- | set firewall filter re-filter term police-ssh then policer 1m-bw-limit | ||
- | set firewall filter re-filter term police-ssh then accept | ||
- | set firewall filter re-filter term ssh-telnet from source-prefix-list telnet-ssh-sessions | ||
- | set firewall filter re-filter term ssh-telnet from protocol tcp | ||
- | set firewall filter re-filter term ssh-telnet from port ssh | ||
- | set firewall filter re-filter term ssh-telnet from port telnet | ||
- | set firewall filter re-filter term ssh-telnet then policer 20m-bw-limit | ||
- | set firewall filter re-filter term ssh-telnet then accept | ||
- | |||
- | set interfaces fxp0 unit 0 family inet filter input re-filter | ||
- | </ | ||
- | |||
- | < | ||
- | set policy-options prefix-list NETWORK/24 | ||
- | policy-options { | ||
- | prefix-list telnet-ssh-sessions { | ||
- | NETWORK/24; | ||
- | } | ||
- | } | ||
- | |||
- | firewall { | ||
- | filter re-filter { | ||
- | term police-ssh { | ||
- | from { | ||
- | source-prefix-list { | ||
- | telnet-ssh-sessions; | ||
- | } | ||
- | protocol tcp; | ||
- | port [ ssh telnet ]; | ||
- | tcp-initial; | ||
- | } | ||
- | then { | ||
- | policer 1m-bw-limit; | ||
- | accept; | ||
- | } | ||
- | } | ||
- | } | ||
- | </ | ||
- | |||
- | ===== Sending messages ===== | ||
- | |||
- | < | ||
- | request message all message "Log out immediately" | ||
- | request system logout terminal p0 | ||
- | request system logout user giany | ||
- | request message user giany message "Log out immediately" | ||
- | </ | ||
- | |||
- | ===== Syslog ===== | ||
- | < | ||
- | root@juniper# | ||
- | set system syslog archive size 1000k | ||
- | set system syslog archive files 10 | ||
- | set system syslog archive world-readable | ||
- | set system syslog user * any emergency | ||
- | set system syslog file messages any notice | ||
- | set system syslog file messages authorization info | ||
- | set system syslog file interactive-commands interactive-commands any | ||
- | set system syslog file security authorization any | ||
- | set system syslog file security interactive-commands any | ||
- | set system syslog console authorization info | ||
- | </ | ||
- | |||
- | **To stop recording system messages :** | ||
- | |||
- | | ||
- | |||
- | **and to start recording :** | ||
- | |||
- | | ||
- | |||
- | |||
- | **To turn of logging :** | ||
- | |||
- | | ||
- | |||
- | |||
- | ===== SNMP ===== | ||
- | < | ||
- | set snmp location "My home Network" | ||
- | set snmp contact "admin at mynoc dot tld" | ||
- | set snmp community nMSuser authorization read-only | ||
- | set snmp community nMSuser clients 10.2.2.1/32 | ||
- | set snmp community nMSuser clients 10.0.9.0/24 | ||
- | </ | ||
- | |||
- | < | ||
- | [root@box ~]# snmpwalk -v 1 -c ' | ||
- | SNMPv2-MIB:: | ||
- | SNMPv2-MIB:: | ||
- | DISMAN-EVENT-MIB:: | ||
- | ... | ||
- | </ | ||
- | |||
- | Its a good policy to restrict to only a few clients. If I use snmpwalk from a restricted ip / | ||
- | |||
- | < | ||
- | Aug 1 16: | ||
- | </ | ||
- | |||
- | ===== Restrict VTY Access on JunOS ===== | ||
- | Restricting remote access to your RE. The ideea is to allow remote logins via ssh or telnet. I want only one host from a specific ip to do remote SSH, the rest will be rejected. <note warning> | ||
- | |||
- | First you will use a term to set the host from where you will use ssh and then reject the rest. The second term is to allow all traffic pass through your core. | ||
- | < | ||
- | lo0 { | ||
- | description "br0 loopback"; | ||
- | unit 0 { | ||
- | family inet { | ||
- | filter { | ||
- | input re-filter; | ||
- | } | ||
- | address 127.0.0.1/ | ||
- | address 172.16.9.1/ | ||
- | primary; | ||
- | } | ||
- | } | ||
- | } | ||
- | } | ||
- | </ | ||
- | |||
- | And then the policy filter: | ||
- | < | ||
- | |||
- | filter lo-filter { | ||
- | term ssh { | ||
- | from { | ||
- | source-address { | ||
- | 10.0.1.254/ | ||
- | } | ||
- | destination-port ssh; | ||
- | } | ||
- | then { | ||
- | discard | ||
- | } | ||
- | } | ||
- | term no-ssh { | ||
- | then { | ||
- | | ||
- | } | ||
- | } | ||
- | } | ||
- | </ | ||
- | |||
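Review bot: in the "Restrict VTY Access on JunOS" block at the end of the hunk, the `ssh` term (`from { source-address { 10.0.1.254/ ... } destination-port ssh; } then { discard }`) discards SSH from the one host the text says should be the only one allowed, and the catch-all `no-ssh` term has no action shown, so the filter as written is the inverse of the stated intent; the lo0 stanza just above it also applies `input re-filter` while the filter being defined is named `lo-filter`, so the names need reconciling before this is used. Two further points in the same hunk: the `re-filter` applied to fxp0 in the "SSH/Telnet Filter" section ends with the `ssh-telnet` accept term and has no final accept-everything-else term, so Junos's implicit discard at the end of the filter will drop all other traffic to the management interface (including the DNS and SNMP traffic the page configures elsewhere) unless an explicit final term is added; and `set system syslog archive world-readable` in the Syslog section makes the archived `security` and `interactive-commands` logs readable by any local account, which is rarely wanted for authorization logs.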