As mentioned from the previous post, Bogon prefixes or routes should never appear in the Internet routing table. Network Engineers should implement “Best Practices” in their network, that includes filtering of bogons as it maybe used in DDoS attacks or Spams. Refer to https://freenetworktutorials.com/ipv4-and-ipv6-bogon-address-list for more info. “Martians” bogons may changed occasionally so at least make sure private address mentioned in https://freenetworktutorials.com/ipv4-classful-and-reserved-addresses are filtered so it wont leak out into the Internet. Here is sample steps and configuration. (This is the equivalent configuration…
Tag: <span>Juniper</span>
In routing world, Administrative Distance refers to the reliability of the routing protocol. It is equivalent to Juniper’s Route Preference and Huawei’s Preference. It is important to consider these values as in the scenario that there are multiple routes to a destination (with same prefix length), the route (learned via the routing protocol) with the lowest value is preferred. Table below will show the values for respective platform. Routing Protocol Cisco(AD) Juniper (RP) Huawei(P) Connected Interface 0 0 0…
Static Route Configuration Examples in Juniper for BGP aggregated prefix advertisements In order to advertise the aggregated routes (and default routes) via BGP, it should exists in the routing table, that’s the #1 rule. If these summarized routes (/16) are not existing and only smaller subnets are learned via the IGP(e.g. OSPF,IS-IS), then configure static route and next hop e.g. Null0. Configuration: routing-options { graceful-restart; rib inet6.0 { static { route fd41:c8be:2153:f400::/64 discard; route ::0/0 { discard; no-install; static {…
Originating BGP advertisement can be configured to any iBGP peer router. Here’s the sample configuration of originating BGP routes and community tagging in Juniper. Assuming these are the summarized prefixes that you want to advertise via BGP. 111.111.0.0/16 222.222.0.0/16 Configuration: routing-options { graceful-restart; router-id 1.1.1.1; autonomous-system 11111; protocols { bgp { group RR-IBGP { type internal; description RR-IPv4; local-address 192.168.100.6; family inet { unicast; } authentication-key “$1$N3tBioBwfdFsFVwgoGDh.3C0oL”; ## SECRET-DATA export bgp-statement; neighbor 192.168.100.5 { description iBGP to Route Reflector; }…
Here’s some Best practices that you can implement in Juniper devices in securing your SSH. 1.Remote access should be via SSH and telnet is disabled delete system services telnet 2. SSH should be version 2 or higher. Do not run v1 set system services ssh protocol-version v2 3. Configure Login Banner set system login message “\n*************************************************************************\n UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED\n\nYou must have explicit, authorized permission to access or configure this \ndevice.Unauthorized attempts and…
Here’s a sample IPv4 and IPv6 Static Route Configuration in Juniper Routers Configuration: IPv4: Route the block (1.1.1.0/24) to next hop 2.2.2.1 with metric 255 user@MX-re0>configure #set routing-options static route 1.1.1.0/24 next-hop 2.2.2.1 #set routing-options static route 1.1.1.0/24 metric 255 Optional: Set comment using annotate command #edit routing-options static #annotate route 1.1.1.0/24 “/* STATIC ROUTE IPv4*/” Commit #commit It will look something like this: user@MX-re0>> show configuration routing-options static /* STATIC ROUTE IPv4*/ route 1.1.1.0/24 { next-hop 2.2.2.1; …
100G transceivers have been around for few years already and it is getting affordable since 2016 I guess, and it is now practical to shift to 100G instead of burning N x 10GEs. To see more info about 100G transmission principles, I find this link very informative -> https://community.fs.com/blog/understand-100g-transceivers-transmission-principles.html Here are sample 100G transceivers we deployed in our datacenters, it really depends on what type of vendor or hardware you have, but the most popular now is the QSFPs Juniper QSFP-100GBASE-LR4…
Configuring Juniper to authenticate (also including authorization and accounting) to Tacacs+ server 10.10.10.10 – Tacacs+ AAA server 20.20.20.2 – Loopback IP Juniper: system { host-name JUNIPER-ROUTER1; } authentication-order [ tacplus password ]; root-authentication { encrypted-password “$r00tp44sw0rdh3r3/1”; ## SECRET-DATA } tacplus-server { 10.10.10.10 { secret “$4ut0g3n3r4t3t4c4c5p455w0rd1”; ## SECRET-DATA single-connection; source-address 20.20.20.2; } } accounting { events interactive-commands; destination { tacplus { server { 10.10.10.10 { secret “$4ut0g3n3r4t3t4c4c5p455w0rd2”; ## SECRET-DATA single-connection; source-address 20.20.20.2; } } firewall { family inet { filter FIREWALL-RE…
SSH Configuration Examples in Juniper(JunOS) Here are the configuration examples: whereas: 192.168.100.100 = Jumphost IP (Allowed IP to SSH into the device) system { services { ssh { root-login deny; protocol-version v2; connection-limit 5; rate-limit 5; policy-options { prefix-list PERMIT-SSH { 192.168.100.100/32; } firewall { family inet { filter PROTECT-ENGINE { term PERMIT-SSH { from { source-prefix-list { ALLOWED-IP; } protocol tcp; port [ ssh ]; } then { count PERMIT-SSH; accept; } } term DENY-SSH { from { protocol…
Leave a Comment