Category: Juniper

Configuration:

IPv4: Route the block (1.1.1.0/24) to next hop 2.2.2.1 with metric 255

    user@MX-re0> configure
    #set routing-options static route 1.1.1.0/24 next-hop 2.2.2.1
    #set routing-options static route 1.1.1.0/24 metric 255

Optional: Set a comment using the annotate command

    #edit routing-options static
    #annotate route 1.1.1.0/24 "/* STATIC ROUTE IPv4*/"

Commit

    #commit

It will look something like this:

    user@MX-re0> show configuration routing-options static
    /* STATIC ROUTE IPv4*/
    route 1.1.1.0/24 {
        next-hop 2.2.2.1;
        metric 255;
    }

IPv6: Route the block (2000:2000:2000::/56) to next hop 2006:3006:1:234:5:6:78:90ab with metric…


Configuring Juniper to authenticate (also including authorization and accounting) to a Tacacs+ server

10.10.10.10 – Tacacs+ AAA server
20.20.20.2 – Loopback IP

Juniper:

    system {
        host-name JUNIPER-ROUTER1;
    }
    authentication-order [ tacplus password ];
    root-authentication {
        encrypted-password "$r00tp44sw0rdh3r3/1"; ## SECRET-DATA
    }
    tacplus-server {
        10.10.10.10 {
            secret "$4ut0g3n3r4t3t4c4c5p455w0rd1"; ## SECRET-DATA
            single-connection;
            source-address 20.20.20.2;
        }
    }
    accounting {
        events interactive-commands;
        destination {
            tacplus {
                server {
                    10.10.10.10 {
                        secret "$4ut0g3n3r4t3t4c4c5p455w0rd2"; ## SECRET-DATA
                        single-connection;
                        source-address 20.20.20.2;
                    }
                }
    firewall {
        family inet {
            filter FIREWALL-RE…


SSH Configuration Examples in Juniper (JunOS)

Here are the configuration examples, whereas:

192.168.100.100 = Jumphost IP (Allowed IP to SSH into the device)

    system {
        services {
            ssh {
                root-login deny;
                protocol-version v2;
                connection-limit 5;
                rate-limit 5;
    policy-options {
        prefix-list PERMIT-SSH {
            192.168.100.100/32;
        }
    firewall {
        family inet {
            filter PROTECT-ENGINE {
                term PERMIT-SSH {
                    from {
                        source-prefix-list {
                            ALLOWED-IP;
                        }
                        protocol tcp;
                        port [ ssh ];
                    }
                    then {
                        count PERMIT-SSH;
                        accept;
                    }
                }
                term DENY-SSH {
                    from {
                        protocol…


    darwin@vMX-1> configure
    darwin@vMX-1# set system login message "\n*************************************************************************\n       UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED\n\nYou must have explicit, authorized permission to access or configure this \ndevice.Unauthorized attempts and actions to access or use this system may \nresult in civil and/or criminal penalties.\nAll activities performed on this device are logged and monitored.\n\n*************************************************************************\n\n"
    darwin@vMX-1# commit

As per the Juniper website, the message can be formatted using the following characters:

    \n—New line
    \t—Horizontal tab
    \'—Single quotation mark
    \"—Double quotation mark
    \\—Backslash

Sample output:


Step 1. Configure EXPORTER MAP

    set services flow-monitoring version9 template NETFLOW_MONITOR template-refresh-rate seconds 15
    set services flow-monitoring version9 template NETFLOW_MONITOR option-refresh-rate seconds 15
    set services flow-monitoring version9 template NETFLOW_MONITOR ipv4-template

Step 2. Configure MONITOR MAP

    set forwarding-options sampling instance NETFLOW_INSTANCE family inet output flow-server 192.168.30.100 port 9991
    set forwarding-options sampling instance NETFLOW_INSTANCE family inet output flow-server 192.168.30.100 source-address 192.168.1.100
    set forwarding-options sampling instance NETFLOW_INSTANCE family inet output flow-server 192.168.30.100 version9 template NETFLOW_MONITOR
    set forwarding-options sampling instance NETFLOW_INSTANCE family inet output inline-jflow source-address…


Here's a sample firewall configuration for protecting the box and its services.

ICMP: ICMP message types are essential for network administration and troubleshooting. There are quite a number of ICMP parameters; you can refer to the IANA ICMP Parameters registry for the list, or, if you want to learn more about ICMP, refer to RFC 792. Here are the 4 types I consider useful for troubleshooting and that need to be allowed.

Type 0 — Echo Reply -> response from target to host
Type 8 — Echo…


Assumption: JunOS is downloaded and stored on an FTP server.

Step 1: Download the necessary image from the FTP server. Save it in the /var/tmp folder.

    user1@SRX-Router1> file copy ftp://user1@172.25.11.254/junos-vsrx-x86-64-19.2R1.8.tgz /var/tmp/
    Password for user1@172.25.11.254:
    /var/home/user1/…transferring.file………ush100% of 1127 MB 5426 kBps 00m00s

Step 2: Verify the software package

    user1@SRX-Router1> file list /var/tmp | match junos
    junos-vsrx-x86-64-19.2R1.8.tgz
    user1@SRX-Router1> file list detail /var/tmp | match junos
    -rw-r--r--  1 user1   wheel  1182081022 Jun 2  12:57 junos-vsrx-x86-64-19.2R1.8.tgz

Step 3: Upgrade the device (sample output below)

    user1@SRX-Router1> request system…


Objective: To configure a port-channel and associate it to a vlan. Servers will use Juniper-Router as their gateway and uplink to the Internet. Server-switch has Layer 2 (access mode) connectivity to Juniper-Router (see Fig. 1).

Fig. 1

1. Configure the Vlan (interface vlan will be the server's gateway)

    Juniper-Router# configure
    set vlans VLAN-8 description Server-Farm
    set vlans VLAN-8 vlan-id 8
    set vlans VLAN-8 l3-interface irb.8
    set interfaces irb unit 8 description "Server Farm Vlan"
    set interfaces irb unit 8 family inet address 192.168.8.1/24

2.…


By default in Juniper, the LACP timer is fast (1 sec), while in Cisco the default setting is slow (30 secs). If Juniper devices are connected to non-Juniper routers or switches, the LACP timers will mismatch, which can cause LACP to time out because PDU packets are not received in a timely manner.

Sample error logs:

    user1@QFX-Router1-re0> show log messages | match lacp
    Sep 6 08:23:10.002 2020 QFX-Router1-re0 lacpd[7292]: %DAEMON-5-LACPD_TIMEOUT: xe-0/0/0: lacp current while timer expired current…


Tacacs/AAA/ISE Server: 192.168.10.222
Tacacs Password: tacpassword1
Router's Management IP: 192.168.0.4 (under mgmt_junos routing instance)

Assumption: There's an existing local account, e.g. "user1"

    set system login user user1 class super-user
    set system login user user1 authentication plain-text-password (passwordhere)

1. Configure the tacacs server IP

    set system tacplus-server 192.168.10.222 routing-instance mgmt_junos
    set system tacplus-server 192.168.10.222 secret tacpassword1
    set system tacplus-server 192.168.10.222 single-connection
    set system tacplus-server 192.168.10.222 source-address 192.168.0.4

2. Configure authentication order (if tacacs cannot authenticate, it will ask for local access user1)

    set system…
