Category: <span>Juniper</span>

Static Route Configuration Examples in Juniper for BGP aggregated prefix advertisements In order to advertise the aggregated routes (and default routes) via BGP, it should exists in the routing table, that’s the #1 rule. If these summarized routes (/16) are not existing and only smaller subnets are learned via the IGP(e.g. OSPF,IS-IS), then configure static route and next hop e.g. Null0. Configuration: routing-options { graceful-restart; rib inet6.0 { static { route fd41:c8be:2153:f400::/64 discard; route ::0/0 { discard; no-install; static {…

Juniper

Originating BGP advertisement can be configured to any iBGP peer router. Here’s the sample configuration of originating BGP routes and community tagging in Juniper. Assuming these are the summarized prefixes that you want to advertise via BGP. 111.111.0.0/16 222.222.0.0/16 Configuration: routing-options { graceful-restart; router-id 1.1.1.1; autonomous-system 11111; protocols { bgp { group RR-IBGP { type internal; description RR-IPv4; local-address 192.168.100.6; family inet { unicast; } authentication-key “$1$N3tBioBwfdFsFVwgoGDh.3C0oL”; ## SECRET-DATA export bgp-statement; neighbor 192.168.100.5 { description iBGP to Route Reflector; }…

Juniper

Checking TX / RX optical power for Juniper Routers For checking transmission links, it is good to know how to find out the optical power for troubleshooting and making sure the desired or optimal range is meet. Here is the sample command for checking the TX/RX optical power show interfaces diagnostics optics <interface-name> Sample Output for 10GE interface: darwin@JUNOS-re0> show interfaces diagnostics optics xe-3/0/1 Physical interface: xe-3/0/16 Laser bias current : 41.590 mA Laser output power : 0.7150 mW /…

Juniper

Here’s some Best practices that you can implement in Juniper devices in securing your SSH. 1.Remote access should be via SSH and telnet is disabled delete system services telnet   2. SSH should be version 2 or higher. Do not run v1 set system services ssh protocol-version v2   3. Configure Login Banner set system login message “\n*************************************************************************\n       UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED\n\nYou must have explicit, authorized permission to access or configure this \ndevice.Unauthorized attempts and…

Juniper

The “traceoptions” statement in Juniper let you debug BGP protocol issues. If cannot connect BGP peering, you can set the “traceoptions” to understand further about the issue. 1. Configure “traceoptions” and name the log as debug-bgp set protocols bgp group BGP-GROUP1 traceoptions file debug-bgp set protocols bgp group BGP-GROUP1traceoptions file size 1m set protocols bgp group BGP-GROUP1 traceoptions file files 2 set protocols bgp group BGP-GROUP1 traceoptions flag all commit where: max trace file size = 1m max trace files…

Juniper

Here’s a sample IPv4 and IPv6 Static Route Configuration in Juniper Routers Configuration: IPv4: Route the block (1.1.1.0/24) to next hop  2.2.2.1 with metric 255 user@MX-re0>configure #set routing-options static route 1.1.1.0/24 next-hop 2.2.2.1 #set routing-options static route 1.1.1.0/24 metric 255 Optional: Set comment using annotate command #edit routing-options static #annotate route  1.1.1.0/24  “/* STATIC ROUTE IPv4*/” Commit #commit It will look something like this: user@MX-re0>> show configuration routing-options static /* STATIC ROUTE IPv4*/ route 1.1.1.0/24  {     next-hop 2.2.2.1;    …

Juniper

Configuring Juniper to authenticate (also including authorization and accounting) to Tacacs+ server 10.10.10.10 – Tacacs+ AAA server 20.20.20.2 –  Loopback IP Juniper: system { host-name JUNIPER-ROUTER1; } authentication-order [ tacplus password ]; root-authentication { encrypted-password “$r00tp44sw0rdh3r3/1”; ## SECRET-DATA } tacplus-server { 10.10.10.10 { secret “$4ut0g3n3r4t3t4c4c5p455w0rd1”; ## SECRET-DATA single-connection; source-address 20.20.20.2; } } accounting { events interactive-commands; destination { tacplus { server { 10.10.10.10 { secret “$4ut0g3n3r4t3t4c4c5p455w0rd2”; ## SECRET-DATA single-connection; source-address 20.20.20.2; } } firewall { family inet { filter FIREWALL-RE…

Juniper

SSH Configuration Examples in  Juniper(JunOS) Here are the configuration examples: whereas: 192.168.100.100 = Jumphost IP (Allowed IP to SSH into the device) system { services { ssh { root-login deny; protocol-version v2; connection-limit 5; rate-limit 5; policy-options { prefix-list PERMIT-SSH { 192.168.100.100/32; } firewall { family inet { filter PROTECT-ENGINE { term PERMIT-SSH { from { source-prefix-list { ALLOWED-IP; } protocol tcp; port [ ssh ]; } then { count PERMIT-SSH; accept; } } term DENY-SSH { from { protocol…

Juniper

Juniper darwin@vMX-1>configure darwin@vMX-1#set system login message “\n*************************************************************************\n       UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED\n\nYou must have explicit, authorized permission to access or configure this \ndevice.Unauthorized attempts and actions to access or use this system may \nresult in civil and/or criminal penalties.\nAll activities performed on this device are logged and monitored.\n\n*************************************************************************\n\n” darwin@vMX-1#commit As per Juniper website, message can be formatted using these following characters: \n—New line \t—Horizontal tab \’—Single quotation mark \”—Double quotation mark \\—Backslash Sample output:

Juniper

Step1. Configure EXPORTER MAP set services flow-monitoring version9 template NETFLOW_MONITOR template-refresh-rate seconds 15 set services flow-monitoring version9 template NETFLOW_MONITOR option-refresh-rate seconds 15 set services flow-monitoring version9 template NETFLOW_MONITOR ipv4-template Step2. Configure MONITOR MAP set forwarding-options sampling instance NETFLOW_INSTANCE family inet output flow-server 192.168.30.100 port 9991 set forwarding-options sampling instance NETFLOW_INSTANCE family inet output flow-server 192.168.30.100 source-address 192.168.1.100 set forwarding-options sampling instance NETFLOW_INSTANCE family inet output flow-server 192.168.30.100 version9 template NETFLOW_MONITOR set forwarding-options sampling instance NETFLOW_INSTANCE family inet output inline-jflow source-address…

Juniper