Configuring Juniper to authenticate (including authorization and accounting) against a TACACS+ server
10.10.10.10 - TACACS+ AAA server
20.20.20.2 - loopback IP of the Juniper router
system {
    host-name JUNIPER-ROUTER1;
    authentication-order [ tacplus password ];
    root-authentication {
        encrypted-password "$r00tp44sw0rdh3r3/1"; ## SECRET-DATA
    }
    tacplus-server {
        10.10.10.10 {
            secret "$4ut0g3n3r4t3t4c4c5p455w0rd1"; ## SECRET-DATA
            single-connection;
            source-address 20.20.20.2;
        }
    }
    accounting {
        events interactive-commands;
        destination {
            tacplus {
                server {
                    10.10.10.10 {
                        secret "$4ut0g3n3r4t3t4c4c5p455w0rd2"; ## SECRET-DATA
                        single-connection;
                        source-address 20.20.20.2;
                    }
                }
            }
        }
    }
}
firewall {
    family inet {
        filter FIREWALL-RE…
Category: Juniper
SSH Configuration Examples in Juniper (Junos)
Here are the configuration examples, where 192.168.100.100 is the jumphost IP (the only IP allowed to SSH into the device):
system {
    services {
        ssh {
            root-login deny;
            protocol-version v2;
            connection-limit 5;
            rate-limit 5;
        }
    }
}
policy-options {
    prefix-list PERMIT-SSH {
        192.168.100.100/32;
    }
}
firewall {
    family inet {
        filter PROTECT-ENGINE {
            term PERMIT-SSH {
                from {
                    source-prefix-list {
                        ALLOWED-IP;
                    }
                    protocol tcp;
                    port [ ssh ];
                }
                then {
                    count PERMIT-SSH;
                    accept;
                }
            }
            term DENY-SSH {
                from {
                    protocol…
Juniper
darwin@vMX-1> configure
darwin@vMX-1# set system login message "\n*************************************************************************\n UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED\n\nYou must have explicit, authorized permission to access or configure this \ndevice. Unauthorized attempts and actions to access or use this system may \nresult in civil and/or criminal penalties.\nAll activities performed on this device are logged and monitored.\n\n*************************************************************************\n\n"
darwin@vMX-1# commit
As per the Juniper website, the message can be formatted using the following escape sequences:
\n  new line
\t  horizontal tab
\'  single quotation mark
\"  double quotation mark
\\  backslash
Sample output:
Step 1. Configure the exporter map
set services flow-monitoring version9 template NETFLOW_MONITOR template-refresh-rate seconds 15
set services flow-monitoring version9 template NETFLOW_MONITOR option-refresh-rate seconds 15
set services flow-monitoring version9 template NETFLOW_MONITOR ipv4-template
Step 2. Configure the monitor map
set forwarding-options sampling instance NETFLOW_INSTANCE family inet output flow-server 192.168.30.100 port 9991
set forwarding-options sampling instance NETFLOW_INSTANCE family inet output flow-server 192.168.30.100 source-address 192.168.1.100
set forwarding-options sampling instance NETFLOW_INSTANCE family inet output flow-server 192.168.30.100 version9 template NETFLOW_MONITOR
set forwarding-options sampling instance NETFLOW_INSTANCE family inet output inline-jflow source-address…
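A complete inline J-Flow configuration, added here as an example; it is not the page's config and not the rest of the truncated post. It keeps the page's template, instance, collector (192.168.30.100:9991) and source address (192.168.1.100), and assumes an MX-class platform with the sampling instance bound to FPC 0, a 1:1000 sampling rate, ge-0/0/0 as the monitored interface, the flow timeouts shown, and that the inline-jflow source address is the same loopback address used for the flow-server.

```junos
## Added example, not the page's own config. Assumed: MX-class inline J-Flow on FPC 0,
## interface ge-0/0/0, 1:1000 sampling, 60 s / 30 s flow timeouts, and 192.168.1.100
## as the inline-jflow source address.

## Exporter template. The active/inactive timeouts decide how soon a long-lived flow
## (for example an exfiltration session) is reported to the collector.
set services flow-monitoring version9 template NETFLOW_MONITOR flow-active-timeout 60
set services flow-monitoring version9 template NETFLOW_MONITOR flow-inactive-timeout 30
set services flow-monitoring version9 template NETFLOW_MONITOR template-refresh-rate seconds 15
set services flow-monitoring version9 template NETFLOW_MONITOR option-refresh-rate seconds 15
set services flow-monitoring version9 template NETFLOW_MONITOR ipv4-template

## Sampling instance: rate 1000 means one packet in a thousand is used to build flow records
set forwarding-options sampling instance NETFLOW_INSTANCE input rate 1000
set forwarding-options sampling instance NETFLOW_INSTANCE family inet output flow-server 192.168.30.100 port 9991
set forwarding-options sampling instance NETFLOW_INSTANCE family inet output flow-server 192.168.30.100 source-address 192.168.1.100
set forwarding-options sampling instance NETFLOW_INSTANCE family inet output flow-server 192.168.30.100 version9 template NETFLOW_MONITOR
set forwarding-options sampling instance NETFLOW_INSTANCE family inet output inline-jflow source-address 192.168.1.100

## Bind the sampling instance to the line card that does the work (assumed FPC 0)
set chassis fpc 0 sampling-instance NETFLOW_INSTANCE

## Enable sampling on the monitored interface in both directions
set interfaces ge-0/0/0 unit 0 family inet sampling input
set interfaces ge-0/0/0 unit 0 family inet sampling output
```

After commit, `show services accounting status inline-jflow fpc-slot 0` confirms the instance is active on the card and `show services accounting flow inline-jflow fpc-slot 0` shows flow counts climbing. NetFlow v9 is plain UDP with no integrity protection, so keep the collector on a management or otherwise trusted network; the collector must also accept records from 192.168.1.100, the source address configured above.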
Here is a sample firewall configuration for protecting the box and its services.
ICMP: ICMP message types are essential for network administration and troubleshooting. There are quite a number of ICMP parameters; refer to the IANA ICMP Parameters registry for the full list, or to RFC 792 for the details of the protocol. These are the four types I consider useful for troubleshooting and that need to be allowed:
Type 0 - Echo Reply -> response from target to host
Type 8 - Echo Request -> …
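The SSH post and the ICMP post above both end in a loopback (Routing Engine) filter, so here is one worked filter that covers both; it is an added example, not the page's own configuration. It keeps the page's jumphost 192.168.100.100 and the SSH daemon settings, and assumes the policer sizes, the `lo0` application, and the two ICMP types beyond echo-request and echo-reply (unreachable and time-exceeded). Note that a filter term must reference a prefix-list that actually exists: the page's excerpt defines `PERMIT-SSH` but its term references `ALLOWED-IP`, which would fail commit unless `ALLOWED-IP` is defined elsewhere.

```junos
## Added example, not the page's own config. Assumed: jumphost 192.168.100.100 (from the
## page), policer 1m/15k, lo0.0 as the RE interface, ICMP types unreachable and
## time-exceeded in addition to echo-request/echo-reply.

## SSH daemon hardening (from the page, plus a retry guard)
set system services ssh root-login deny
set system services ssh protocol-version v2
set system services ssh connection-limit 5
set system services ssh rate-limit 5
set system login retry-options tries-before-disconnect 3

## Who may reach SSH on the RE; the filter term below references this exact name
set policy-options prefix-list PERMIT-SSH 192.168.100.100/32

## Policer so that an ICMP flood cannot starve the Routing Engine
set firewall policer ICMP-POLICER if-exceeding bandwidth-limit 1m
set firewall policer ICMP-POLICER if-exceeding burst-size-limit 15k
set firewall policer ICMP-POLICER then discard

## SSH from the jumphost only
set firewall family inet filter PROTECT-ENGINE term PERMIT-SSH from source-prefix-list PERMIT-SSH
set firewall family inet filter PROTECT-ENGINE term PERMIT-SSH from protocol tcp
set firewall family inet filter PROTECT-ENGINE term PERMIT-SSH from destination-port ssh
set firewall family inet filter PROTECT-ENGINE term PERMIT-SSH then count PERMIT-SSH
set firewall family inet filter PROTECT-ENGINE term PERMIT-SSH then accept

## Any other SSH attempt: count, log (visible in 'show firewall log') and drop
set firewall family inet filter PROTECT-ENGINE term DENY-SSH from protocol tcp
set firewall family inet filter PROTECT-ENGINE term DENY-SSH from destination-port ssh
set firewall family inet filter PROTECT-ENGINE term DENY-SSH then count DENY-SSH
set firewall family inet filter PROTECT-ENGINE term DENY-SSH then log
set firewall family inet filter PROTECT-ENGINE term DENY-SSH then discard

## ICMP types 0, 3, 8 and 11 only, policed; all other ICMP is dropped
set firewall family inet filter PROTECT-ENGINE term PERMIT-ICMP from protocol icmp
set firewall family inet filter PROTECT-ENGINE term PERMIT-ICMP from icmp-type [ echo-reply unreachable echo-request time-exceeded ]
set firewall family inet filter PROTECT-ENGINE term PERMIT-ICMP then policer ICMP-POLICER
set firewall family inet filter PROTECT-ENGINE term PERMIT-ICMP then count PERMIT-ICMP
set firewall family inet filter PROTECT-ENGINE term PERMIT-ICMP then accept
set firewall family inet filter PROTECT-ENGINE term DENY-ICMP from protocol icmp
set firewall family inet filter PROTECT-ENGINE term DENY-ICMP then count DENY-ICMP
set firewall family inet filter PROTECT-ENGINE term DENY-ICMP then discard

## Catch-all accept until every protocol the RE speaks (TACACS+, NTP, DNS, routing
## protocols) has its own permit term; only then replace this with a discard
set firewall family inet filter PROTECT-ENGINE term ALLOW-REST then accept

## Applying the filter to lo0 is what makes it a Routing Engine filter
set interfaces lo0 unit 0 family inet filter input PROTECT-ENGINE
```

Commit this from a session that already comes from the jumphost and use `commit confirmed 5`, so that a mistake in the filter rolls itself back instead of locking you out. `show firewall filter PROTECT-ENGINE` shows the per-term counters, and `show firewall log` shows the source addresses hitting DENY-SSH, which is a useful feed for detecting scanning against the management plane.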
These are the steps for upgrading Juniper routers. This was tested on a Junos SRX router.
Assumption: the Junos image has been downloaded and stored on an FTP server.
Step 1: Download the image from the FTP server and save it in the /var/tmp folder.
user1@SRX-Router1> file copy ftp://user1@172.25.11.254/junos-vsrx-x86-64-19.2R1.8.tgz /var/tmp/
Password for user1@172.25.11.254:
/var/home/user1/...transferring.file.........ush100% of 1127 MB 5426 kBps 00m00s
Step 2: Verify the software package
user1@SRX-Router1> file list /var/tmp | match junos
junos-vsrx-x86-64-19.2R1.8.tgz
user1@SRX-Router1> file list detail /var/tmp | match junos
-rw-r--r-- 1 user1 …
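The checks a practitioner would want between copying the image and installing it, as an added example that is not the page's own procedure. It uses the page's image name and FTP host, assumes the host also offers SCP, and assumes you have the SHA-256 value published by Juniper for this image to compare against; the rescue-config and validate steps are standard Junos commands.

```junos
## Added example, not the page's own steps. Assumed: the same host serves SCP,
## and the published SHA-256 for this image is available out of band.

## Prefer SCP over FTP: FTP sends the credentials and the image in the clear
user1@SRX-Router1> file copy scp://user1@172.25.11.254/junos-vsrx-x86-64-19.2R1.8.tgz /var/tmp/

## Integrity: the checksum must match the value published by Juniper before the
## image is trusted; a listing only proves the file arrived, not that it is intact
user1@SRX-Router1> file checksum sha-256 /var/tmp/junos-vsrx-x86-64-19.2R1.8.tgz

## Rollback safety: save a rescue configuration and check free space before installing
user1@SRX-Router1> request system configuration rescue save
user1@SRX-Router1> show system storage

## Let Junos validate the package against the running configuration first
user1@SRX-Router1> request system software validate /var/tmp/junos-vsrx-x86-64-19.2R1.8.tgz

## Install and reboot; no-copy because the package is already on local storage
user1@SRX-Router1> request system software add /var/tmp/junos-vsrx-x86-64-19.2R1.8.tgz no-copy reboot

## After the reboot: confirm the running version
user1@SRX-Router1> show version

## Only if the new release misbehaves: return to the previous image
user1@SRX-Router1> request system software rollback
```

Do the checksum comparison before `request system software add`, not after: the install step only checks that the package is a well-formed Junos bundle, it cannot tell a tampered or truncated download from a good one if the bundle still unpacks.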
Objective: configure a port-channel and associate it with a VLAN. Servers will use Juniper-Router as their gateway and uplink to the Internet. The server switch has Layer 2 (access mode) connectivity to Juniper-Router (see Fig. 1).
Fig. 1
1. Configure the VLAN (the VLAN interface will be the servers' gateway)
Juniper-Router# configure
set vlans VLAN-8 description Server-Farm
set vlans VLAN-8 vlan-id 8
set vlans VLAN-8 l3-interface irb.8
set interfaces irb unit 8 description "Server Farm Vlan"
set interfaces irb unit 8 family inet address 192.168.8.1/24
2. Configure…
By default, the LACP timer in Juniper is fast (1 second), while in Cisco the default is slow (30 seconds). When connecting Juniper devices to non-Juniper routers or switches, the LACP timers will be mismatched, which can cause LACP to time out because PDUs are not received in time.
show log messages | match lacp
Sample error logs:
user1@QFX-Router1-re0> show log messages | match lacp
Sep 6 08:23:10.002 2020 QFX-Router1-re0 lacpd[7292]: %DAEMON-5-LACPD_TIMEOUT: xe-0/0/0:…
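The port-channel post and the LACP timer post above describe one build, so here is the whole thing as one added example (not the page's own config): two member ports into ae0 toward the server switch, LACP slowed to the Cisco default so neither side times out, ae0 in access mode for VLAN-8 and irb.8 as the servers' gateway. The VLAN and the 192.168.8.1/24 address are from the page; ELS-style EX/QFX syntax, the member ports xe-0/0/0 and xe-0/0/1 and the descriptions are assumptions.

```junos
## Added example, not the page's own config. Assumed: ELS-style EX/QFX syntax,
## member ports xe-0/0/0 and xe-0/0/1, a Cisco switch on the far end.
set chassis aggregated-devices ethernet device-count 2

set interfaces xe-0/0/0 description "to Server-Switch port 1"
set interfaces xe-0/0/0 ether-options 802.3ad ae0
set interfaces xe-0/0/1 description "to Server-Switch port 2"
set interfaces xe-0/0/1 ether-options 802.3ad ae0

set interfaces ae0 description "Port-channel to Server-Switch"
set interfaces ae0 aggregated-ether-options minimum-links 1
set interfaces ae0 aggregated-ether-options lacp active
## Junos default is 'fast' (1 s). 'slow' (30 s) matches the Cisco default 'lacp rate normal';
## the alternative is 'lacp rate fast' on the Cisco interfaces instead.
set interfaces ae0 aggregated-ether-options lacp periodic slow
## Access mode on VLAN-8, matching the page's Layer 2 access connectivity
set interfaces ae0 unit 0 family ethernet-switching interface-mode access
set interfaces ae0 unit 0 family ethernet-switching vlan members VLAN-8

set vlans VLAN-8 description Server-Farm
set vlans VLAN-8 vlan-id 8
set vlans VLAN-8 l3-interface irb.8
set interfaces irb unit 8 description "Server Farm Vlan"
set interfaces irb unit 8 family inet address 192.168.8.1/24
```

`show lacp interfaces ae0` should list both members as Collecting and Distributing with the Timeout column agreeing between Actor and Partner; once the timers match, `show log messages | match lacp` stops producing LACPD_TIMEOUT entries. Keep `minimum-links` honest for the design: a bundle that stays up on one link hides a failed member until the second one goes too.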
TACACS/AAA/ISE server: 192.168.10.222
TACACS password: tacpassword1
Router's management IP: 192.168.0.4 (under the mgmt_junos routing instance)
Assumption: there is an existing local account, e.g. "user1":
set system login user user1 class super-user
set system login user user1 authentication plain-text-password (passwordhere)
1. Configure the TACACS server IP
set system tacplus-server 192.168.10.222 routing-instance mgmt_junos
set system tacplus-server 192.168.10.222 secret tacpassword1
set system tacplus-server 192.168.10.222 single-connection
set system tacplus-server 192.168.10.222 source-address 192.168.0.4
2. Configure the authentication order (if TACACS cannot authenticate, the router falls back to the local user user1)
set system…
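The two TACACS+ posts on this page (the braces-style one at the top and the set-style one just above) describe the same AAA setup; here is the full thing in set form as an added example that is not the page's own config. Server, secret, source address and the mgmt_junos instance are from the post above; the timeout, the template users and their class names, and the accounting event list are assumptions.

```junos
## Added example, not the page's own config. Assumed: timeout 5 s, template users
## 'remote' and 'remote-admin', login class OPS-RO, accounting events as listed.
set system tacplus-server 192.168.10.222 routing-instance mgmt_junos
set system tacplus-server 192.168.10.222 secret tacpassword1
set system tacplus-server 192.168.10.222 single-connection
set system tacplus-server 192.168.10.222 source-address 192.168.0.4
## Give up on an unreachable server quickly so the fallback method is reached
set system tacplus-server 192.168.10.222 timeout 5

## tacplus first. With 'password' listed, a TACACS+ reject also falls through to the
## local database; without it, local accounts are tried only when no server answers.
set system authentication-order [ tacplus password ]

## Template users: a TACACS+-authenticated user lands on 'remote' unless the server
## returns local-user-name. Keep the default template read-only and name a separate
## template for administrators, so a misconfigured server entry does not grant root.
set system login class OPS-RO permissions [ view view-configuration ]
set system login user remote class OPS-RO
set system login user remote-admin class super-user

## Accounting: logins, configuration changes and every interactive command
set system accounting events [ login change-log interactive-commands ]
set system accounting destination tacplus server 192.168.10.222 secret tacpassword1
set system accounting destination tacplus server 192.168.10.222 routing-instance mgmt_junos
set system accounting destination tacplus server 192.168.10.222 source-address 192.168.0.4
set system accounting destination tacplus server 192.168.10.222 single-connection
```

Commit with `commit confirmed` while a second session is still open as the local user, then log in from a fresh session with a TACACS+ account and confirm on the server that the authentication and the accounting records arrive. `show log messages | match "tacplus|login"` shows the router-side view of the same exchange. The shared secret is printed in clear text here because the page shows it; in the committed configuration Junos stores it hashed and marks it ## SECRET-DATA.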
Here are the steps for configuring equal-cost multipath (ECMP) in Juniper routers for load balancing.
Step 1: Configure the ECMP routing policy
set policy-options policy-statement LBPOLICY then load-balance per-packet
Step 2: Export the policy to the forwarding table
set routing-options forwarding-table export LBPOLICY
Verification (use the command "show route forwarding-table"):
user1@QFX-re0> show route forwarding-table
Routing table: default.inet
Internet:
Enabled protocols: Bridging,
Destination        Type RtRef Next hop           Type Index    NhRef Netif
192.168.200.0/24   user     0 …
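To make the effect of the policy visible, here is the same two-step configuration with a route that actually has two equal-cost paths, as an added example rather than the page's own config. The prefix 192.168.200.0/24 is from the page; the two static next hops 10.0.0.2 and 10.0.1.2 are assumptions.

```junos
## Added example, not the page's own config. Assumed: two equal-cost static next hops
## 10.0.0.2 and 10.0.1.2 for the page's 192.168.200.0/24 prefix.
set routing-options static route 192.168.200.0/24 next-hop 10.0.0.2
set routing-options static route 192.168.200.0/24 next-hop 10.0.1.2

## Without this policy the RIB keeps both next hops but the FIB installs only one of them.
## Despite the keyword, 'per-packet' balances per flow (hash on the packet headers), so a
## single TCP session always follows the same path.
set policy-options policy-statement LBPOLICY then load-balance per-packet
set routing-options forwarding-table export LBPOLICY
```

`show route 192.168.200.0/24` lists both next hops whether or not the policy is applied; the difference shows in `show route forwarding-table destination 192.168.200.0/24`, where the entry has a single unicast (`ucst`) next hop before the policy and a unilist (`ulst`) next hop holding both after it. Because balancing is per flow, a bulk transfer between one pair of hosts will still ride one link; only a mix of flows spreads across both.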