juniper:routerconfiguration [2009/02/04 18:12] a created |
juniper:routerconfiguration [2009/05/25 00:35] (current) |
Line 4: | Line 4: | ||
< | < | ||
- | root# cli | + | root# cli |
- | root@> | + | root@> |
- | cli> configure | + | cli> configure |
- | [edit] | + | [edit] |
- | root@# set system host-name juniper | + | root@# set system host-name juniper |
- | root@# set system domain-name x83.net | + | root@# set system domain-name x83.net |
- | root@# set interfaces fxp0 unit 0 family inet address 10.2.2.2/24 | + | root@# set interfaces fxp0 unit 0 family inet address 10.2.2.2/24 |
- | root@# set system backup-router 10.2.2.1 | + | root@# set system backup-router 10.2.2.1 |
- | root@# set system name-server 10.2.2.1 | + | root@# set system name-server 10.2.2.1 |
- | root@# set system root-authentication plain-text-password | + | root@# set system root-authentication plain-text-password |
- | New password: | + | New password: |
- | Retype password: | + | Retype password: |
- | root@ show | + | root@ show |
- | system { | + | system { |
- | | + | host-name juniper; |
- | | + | domain-name x83.net; |
- | | + | backup-router 10.2.2.1; |
- | | + | root-authentication { |
- | encrypted-password " | + | |
- | | + | } |
- | | + | name-server { |
- | 10.2.2.1; | + | |
- | } | + | } |
- | interfaces { | + | interfaces { |
- | | + | fxp0 { |
- | | + | unit 0 { |
- | | + | family inet { |
- | | + | address 10.2.2.2/ |
- | | + | } |
- | | + | } |
- | | + | } |
- | } | + | } |
- | root@# commit | + | root@# commit |
- | root@juniper# | + | root@juniper# |
- | root@juniper> | + | root@juniper> |
</ | </ | ||
Other config params : | Other config params : | ||
- | </code> | + | < |
root@juniper# | root@juniper# | ||
root@juniper# | root@juniper# | ||
Line 173: | Line 173: | ||
root@juniper# | root@juniper# | ||
</ | </ | ||
+ | |||
+ | |||
+ | **Set idle-timeout so after a while a user will get disconnect: | ||
+ | < | ||
+ | login | ||
+ | class admin { | ||
+ | idle-timeout 4; | ||
+ | permissions all; | ||
+ | } | ||
+ | user test { | ||
+ | class admin | ||
+ | } | ||
+ | </ | ||
+ | |||
+ | **On terminal you will get smth like that:** | ||
+ | |||
+ | | ||
+ | | ||
+ | Idle timeout exceeded: closing session | ||
+ | |||
+ | | ||
+ | |||
+ | |||
==== Tacacs ==== | ==== Tacacs ==== | ||
Line 184: | Line 207: | ||
root@juniper# | root@juniper# | ||
</ | </ | ||
+ | |||
+ | |||
+ | |||
Line 213: | Line 239: | ||
set interfaces fxp0 unit 0 family inet filter input re-filter | set interfaces fxp0 unit 0 family inet filter input re-filter | ||
+ | </ | ||
+ | |||
+ | < | ||
+ | set policy-options prefix-list NETWORK/24 | ||
+ | policy-options { | ||
+ | prefix-list telnet-ssh-sessions { | ||
+ | NETWORK/24; | ||
+ | } | ||
+ | } | ||
+ | |||
+ | firewall { | ||
+ | filter re-filter { | ||
+ | term police-ssh { | ||
+ | from { | ||
+ | source-prefix-list { | ||
+ | telnet-ssh-sessions; | ||
+ | } | ||
+ | protocol tcp; | ||
+ | port [ ssh telnet ]; | ||
+ | tcp-initial; | ||
+ | } | ||
+ | then { | ||
+ | policer 1m-bw-limit; | ||
+ | accept; | ||
+ | } | ||
+ | } | ||
+ | } | ||
</ | </ | ||
Line 223: | Line 276: | ||
request message user giany message "Log out immediately" | request message user giany message "Log out immediately" | ||
</ | </ | ||
+ | |||
+ | ===== Syslog ===== | ||
+ | < | ||
+ | root@juniper# | ||
+ | set system syslog archive size 1000k | ||
+ | set system syslog archive files 10 | ||
+ | set system syslog archive world-readable | ||
+ | set system syslog user * any emergency | ||
+ | set system syslog file messages any notice | ||
+ | set system syslog file messages authorization info | ||
+ | set system syslog file interactive-commands interactive-commands any | ||
+ | set system syslog file security authorization any | ||
+ | set system syslog file security interactive-commands any | ||
+ | set system syslog console authorization info | ||
+ | </ | ||
+ | |||
+ | **To stop recording system messages :** | ||
+ | |||
+ | | ||
+ | |||
+ | **and to start recording :** | ||
+ | |||
+ | | ||
+ | |||
+ | |||
+ | **To turn of logging :** | ||
+ | |||
+ | | ||
+ | |||
+ | |||
+ | ===== SNMP ===== | ||
+ | < | ||
+ | set snmp location "My home Network" | ||
+ | set snmp contact "admin at mynoc dot tld" | ||
+ | set snmp community nMSuser authorization read-only | ||
+ | set snmp community nMSuser clients 10.2.2.1/32 | ||
+ | set snmp community nMSuser clients 10.0.9.0/24 | ||
+ | </ | ||
+ | |||
+ | < | ||
+ | [root@box ~]# snmpwalk -v 1 -c ' | ||
+ | SNMPv2-MIB:: | ||
+ | SNMPv2-MIB:: | ||
+ | DISMAN-EVENT-MIB:: | ||
+ | ... | ||
+ | </ | ||
+ | |||
+ | Its a good policy to restrict to only a few clients. If I use snmpwalk from a restricted ip / | ||
+ | |||
+ | < | ||
+ | Aug 1 16: | ||
+ | </ | ||
+ | |||
+ | ===== Restrict VTY Access on JunOS ===== | ||
+ | Restricting remote access to your RE. The ideea is to allow remote logins via ssh or telnet. I want only one host from a specific ip to do remote SSH, the rest will be rejected. <note warning> | ||
+ | |||
+ | First you will use a term to set the host from where you will use ssh and then reject the rest. The second term is to allow all traffic pass through your core. | ||
+ | < | ||
+ | lo0 { | ||
+ | description "br0 loopback"; | ||
+ | unit 0 { | ||
+ | family inet { | ||
+ | filter { | ||
+ | input re-filter; | ||
+ | } | ||
+ | address 127.0.0.1/ | ||
+ | address 172.16.9.1/ | ||
+ | primary; | ||
+ | } | ||
+ | } | ||
+ | } | ||
+ | } | ||
+ | </ | ||
+ | |||
+ | And then the policy filter: | ||
+ | < | ||
+ | |||
+ | filter lo-filter { | ||
+ | term ssh { | ||
+ | from { | ||
+ | source-address { | ||
+ | 10.0.1.254/ | ||
+ | } | ||
+ | destination-port ssh; | ||
+ | } | ||
+ | then { | ||
+ | discard | ||
+ | } | ||
+ | } | ||
+ | term no-ssh { | ||
+ | then { | ||
+ | | ||
+ | } | ||
+ | } | ||
+ | } | ||
+ | </ | ||
+ | |||
+ |
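Review bot: The lo-filter added at the end of the section appears to invert the stated intent — `term ssh` matches SSH from the single trusted source (10.0.1.254) and then discards it, while the catch-all `term no-ssh` carries the only other action (truncated in this rendering, presumably accept), so if that reading is right every host except the trusted one can reach SSH on the RE. The prose above it says the trusted host should be allowed and the rest rejected, so the actions should be swapped: `then { accept; }` in term ssh and `then { discard; }` (or `reject;`, matching the prose) in term no-ssh. Note also that the lo0 stanza applies `input re-filter;` while the new filter is named `lo-filter`, so as written it is never attached to the loopback. Separately, `set system syslog archive world-readable` makes the archived `security` and `interactive-commands` logs (which record logins and every command entered) readable by any local account; `no-world-readable` is the safer choice unless there is a reason to share them. The SNMP example relies on a v1 community string sent in cleartext, so the `clients` restriction is doing the real protective work there — worth stating in the text.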