juniper:routerconfiguration [2009/02/04 18:12]
a created
juniper:routerconfiguration [2009/05/25 00:35] (current)
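--- a/juniper:routerconfiguration
+++ b/juniper:routerconfiguration
@@ -4,43 +4,43 @@
 
 <code>
- root# cli  
- root@> 
- cli> configure  
- [edit] 
- root@# set system host-name juniper 
- root@# set system domain-name x83.net 
- root@# set interfaces fxp0 unit 0 family inet address 10.2.2.2/24  
- root@# set system backup-router 10.2.2.1  
- root@# set system name-server 10.2.2.1 
- root@# set system root-authentication plain-text-password  
- New password: 
- Retype password: 
- root@ show  
- system { 
-     host-name juniper; 
-     domain-name x83.net;  
-     backup-router 10.2.2.1;  
-     root-authentication { 
-          encrypted-password "$1$gNTKIVLL$nSw2LduQttCiGipspveEq."; ## SECRET-DATA 
-     
-     name-server { 
-          10.2.2.1;  
-
- interfaces { 
-     fxp0 { 
-         unit 0 { 
-             family inet { 
-                 address 10.2.2.2/24; 
-             
-         
-     
-
- root@# commit  
- root@juniper# exit  
- root@juniper>
+root# cli  
+root@> 
+cli> configure  
+[edit] 
+root@# set system host-name juniper 
+root@# set system domain-name x83.net 
+root@# set interfaces fxp0 unit 0 family inet address 10.2.2.2/24  
+root@# set system backup-router 10.2.2.1  
+root@# set system name-server 10.2.2.1 
+root@# set system root-authentication plain-text-password  
+New password: 
+Retype password: 
+root@ show  
+system { 
+    host-name juniper; 
+    domain-name x83.net;  
+    backup-router 10.2.2.1;  
+    root-authentication { 
+         encrypted-password "$1$gNTKIVLL$nSw2LduQttCiGipspveEq."; ## SECRET-DATA 
+    
+    name-server { 
+         10.2.2.1;  
+
+interfaces { 
+    fxp0 { 
+        unit 0 { 
+            family inet { 
+                address 10.2.2.2/24; 
+            
+        
+    
+
+root@# commit  
+root@juniper# exit  
+root@juniper>
 </code>
 
 Other config params :
-</code>
+<code>
 root@juniper# set system ntp server  192.168.2.100 
 root@juniper# set system time-zone Europe/Ljubljana
@@ -173,4 +173,27 @@
 root@juniper# set system login password password minimum-changes 3   // 3 case changes
 </code>
+
+
+**Set idle-timeout so after a while a user will get disconnect:**
+<code>
+login
+     class admin {
+          idle-timeout 4;
+          permissions all;
+}
+user test {
+     class admin
+}
+</code>
+
+**On terminal you will get smth like that:**
+
+   test@br0> Warning: session will be closed in 1 minute if there is no activity
+   Warning: session will be closed in 10 seconds if there is no activity
+   Idle timeout exceeded: closing session
+   
+   Connection closed by foreign host.
+
+
 
 ==== Tacacs ====
@@ -184,4 +207,7 @@
 root@juniper# set tacacs-server 10.2.2.1 secret aaaaa
 </code>
+
+
+
 
 
@@ -213,4 +239,31 @@
 
 set interfaces fxp0 unit 0 family inet filter input re-filter         //apply filter
+</code>
+
+<code>
+set policy-options prefix-list NETWORK/24
+    policy-options {
+        prefix-list telnet-ssh-sessions {
+        NETWORK/24;
+    }
+}
+
+firewall {
+    filter re-filter {
+        term police-ssh {
+            from {
+                source-prefix-list {
+                    telnet-ssh-sessions;
+                    }
+            protocol tcp;
+            port [ ssh telnet ];
+            tcp-initial;
+            }
+        then {
+            policer 1m-bw-limit;
+            accept;
+        }
+    }
+}
 </code>
 
@@ -223,2 +276,100 @@
 request message user giany message "Log out immediately"
 </code>
+
+===== Syslog =====
+<code>
+root@juniper# show system syslog | display set 
+set system syslog archive size 1000k
+set system syslog archive files 10
+set system syslog archive world-readable
+set system syslog user * any emergency
+set system syslog file messages any notice
+set system syslog file messages authorization info
+set system syslog file interactive-commands interactive-commands any
+set system syslog file security authorization any
+set system syslog file security interactive-commands any
+set system syslog console authorization info
+</code>
+
+**To stop recording system messages :**
+
+   deactivate system syslog file messages
+
+**and to start recording :**
+
+   activate system syslog file messages
+
+
+**To turn of logging :**
+
+   delete system syslog file messages 
+
+
+===== SNMP =====
+<code>
+set snmp location "My home Network"
+set snmp contact "admin at mynoc dot tld"
+set snmp community nMSuser authorization read-only
+set snmp community nMSuser clients 10.2.2.1/32
+set snmp community nMSuser clients 10.0.9.0/24
+</code>
+
+<code>
+[root@box ~]# snmpwalk -v 1 -c 'nMSuser' 10.2.2.2 | head
+SNMPv2-MIB::sysDescr.0 = STRING: Juniper Networks, Inc. olive internet router, kernel JUNOS 7.4R2.6 #0: 2006-01-20 14 Build date: 2006-01-20 14:19:29 UTC Copyright (c) 1996-2006 Juniper Networks, Inc.
+SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.2636.1.1.1.2.1
+DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (158417) 0:26:24.17
+...
+</code>
+
+Its a good policy to restrict to only a few clients. If I use snmpwalk from a restricted ip /var/log/security prints:
+
+<code>
+Aug  1 16:45:59  juniper snmpd[2658]: SNMPD_AUTH_RESTRICTED_ADDRESS: validate_SNMP_community: request from address 10.1.1.1 not allowed
+</code>
+
+===== Restrict VTY Access on JunOS =====
+Restricting remote access to your RE. The ideea is to allow remote logins via ssh or telnet. I want only one host from a specific ip to do remote SSH, the rest will be rejected. <note warning>**!!! Warning!!! You need to understand that if you dont configure well you might stop all traffic from being forwarded through your RE.**</note>
+
+First you will use a term to set the host from where you will use ssh and then reject the rest. The second term is to allow all traffic pass through your core.
+<code>
+lo0 {
+    description "br0 loopback";
+    unit 0 {
+        family inet {
+            filter {
+                    input re-filter;
+            }
+            address 127.0.0.1/32;
+            address 172.16.9.1/32 {
+                primary;
+            }
+        }
+    }
+}
+</code>
+
+And then the policy filter:
+<code>
+
+filter lo-filter {
+    term ssh {
+        from {
+            source-address { 
+            10.0.1.254/32 except;
+             }
+            destination-port ssh;
+        }
+        then {
+            discard
+        }
+    }
+    term no-ssh {
+         then {
+             accept
+          }
+    }
+
+</code>
+
+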
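Review bot: The lo0 stanza under "Restrict VTY Access on JunOS" applies `input re-filter;`, but the filter written out below it is `filter lo-filter`, so the `ssh`/`no-ssh` terms are never attached to lo0 and what lo0 actually gets is the `re-filter` policer filter defined earlier in this same revision; either apply `input lo-filter;` or rename the definition to `filter re-filter {`. The `ssh` term matches only `destination-port ssh`, so the telnet access the introduction says it is restricting is left untouched, and `discard` and `accept` need trailing semicolons (`discard;`, `accept;`) before the block will commit. I believe a source-address list consisting solely of `10.0.1.254/32 except` implicitly matches every other source, which is the intent here, but that is worth confirming against the Junos documentation for the release in use rather than relying on the page. The closing brace of `filter lo-filter` is also missing from the `<code>` block.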
juniper/routerconfiguration.1233767529.txt.gz · Last modified: 2009/05/25 00:34 (external edit)