Monday, September 30, 2013

Juniper SRX210 configuration for JNCIA-SP study

Since, out of the box, the SRX210 is for all intents and purposes a firewall, some adjustments have to be made to make it work for service provider study. Bear with me; I'm still a bit in over my head and clawing my way out.

This came from Jeremy Merideth's blog, which he doesn't appear to be maintaining currently, but there is great info in here, and thanks to him. How to get an SRX out of the default Juniper config:

http://runningsecure.blogspot.com/2011/06/screenos-background.html


SRX Default Config


For the purpose of this blog I will be configuring an SRX100.
When either taking an SRX out of the box or entering the following commands, you will get the Juniper default configuration.

root@host# load factory-default
root@host# set system root-authentication plain-text-password
root@host# commit and-quit
root@host> request system reboot

Personally I prefer to work from a blank canvas, so the following commands remove all Juniper-applied config, add a few tweaks and give us a starting point to build up our configurations.

Remove the interface Ethernet Switching
root@host# delete interfaces fe-0/0/1 unit 0 family ethernet-switching
"Repeat for interfaces range 1-7"
root@host# delete interfaces vlan unit 0 family inet address 192.168.1.1/24
root@host# delete interfaces vlan unit 0 family inet

Remove the fe-0/0/0.0 interface from the Security Zone
root@host# delete security zones security-zone untrust interfaces fe-0/0/0.0

Remove the Zone Interfaces and Policies
root@host# delete security zones security-zone trust host-inbound-traffic
root@host# delete security zones security-zone trust interfaces vlan.0

Remove Default Policies
root@host# delete security policies from-zone trust to-zone untrust

Remove Default Web Management
root@host# delete system services web-management http interface vlan.0
root@host# delete system services web-management https interface vlan.0

Remove NAT rule
root@host# delete security nat source rule-set trust-to-untrust

Remove Screening on Untrust Zone
root@host# delete security zones security-zone untrust screen

Remove Existing Name Servers and add Google ones
root@host# delete system name-server 208.67.222.222
root@host# delete system name-server 208.67.220.220
root@host# set system name-server 8.8.8.8
root@host# set system name-server 8.8.4.4
root@host# delete system services dhcp

Remove Default Security Zones
root@host# delete security zones security-zone untrust
root@host# delete security zones security-zone trust

root# run show configuration | display set
set version 11.1R2.3
set system root-authentication encrypted-password "$1$sF9Tjm/m$zu6xvdjAUIqeeHSP69Vfm0"
set system name-server 8.8.8.8
set system name-server 8.8.4.4
set system services ssh
set system services telnet
set system services xnm-clear-text
set system services web-management http
set system services web-management https system-generated-certificate
set system syslog archive size 100k
set system syslog archive files 3
set system syslog user * any emergency
set system syslog file messages any critical
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands error
set system max-configurations-on-flash 5
set system max-configuration-rollbacks 5
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set interfaces fe-0/0/0 unit 0
set interfaces fe-0/0/1 unit 0
set interfaces fe-0/0/2 unit 0
set interfaces fe-0/0/3 unit 0
set interfaces fe-0/0/4 unit 0
set interfaces fe-0/0/5 unit 0
set interfaces fe-0/0/6 unit 0
set interfaces fe-0/0/7 unit 0
set interfaces vlan unit 0
set protocols stp
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security policies
set vlans vlan-trust vlan-id 3
set vlans vlan-trust l3-interface vlan.0
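One thing worth noticing in the resulting listing: the cleanup removes zones, policies and NAT, but it leaves telnet, xnm-clear-text (JUNOScript over an unencrypted TCP session) and HTTP web management enabled, and every interface unit exists without a family, so nothing is addressed yet. The script below is an added example, not part of the post or Jeremy Merideth's blog: it parses a "show configuration | display set" listing and reports those leftovers so you can see at a glance what still needs attention before the box goes on a network. The sample listing embedded in it is a constructed excerpt of the output shown above, and the check names and labels are the script's own.

```python
"""Audit a Junos 'show configuration | display set' listing for items the
default-config cleanup leaves behind.  Added example, not from the original
post or from Juniper; SAMPLE_CONFIG is a constructed excerpt of the listing
shown in the post, and the check names below are this script's own."""

import re
from typing import Dict, List

# Constructed sample: a subset of the 'display set' output after the cleanup.
SAMPLE_CONFIG = """\
set version 11.1R2.3
set system services ssh
set system services telnet
set system services xnm-clear-text
set system services web-management http
set system services web-management https system-generated-certificate
set interfaces fe-0/0/0 unit 0
set interfaces fe-0/0/1 unit 0
set interfaces vlan unit 0
set security screen ids-option untrust-screen tcp land
set security policies
set vlans vlan-trust vlan-id 3
"""

# Management services that carry credentials or configuration in cleartext.
# Keys are statement prefixes (without the leading 'set'), values are labels.
CLEARTEXT_SERVICES = {
    "system services telnet": "telnet",
    "system services xnm-clear-text": "xnm-clear-text (JUNOScript over plain TCP)",
    "system services web-management http": "web-management http",
}

# Matches 'interfaces <ifname> unit <n>' with an optional trailing remainder.
UNIT_RE = re.compile(r"^interfaces (\S+) unit (\d+)(?: (.*))?$")


def parse_set_lines(text: str) -> List[str]:
    """Return each 'set ...' statement with the leading 'set' keyword removed."""
    stmts = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("set "):
            stmts.append(line[4:])
    return stmts


def find_cleartext_services(stmts: List[str]) -> List[str]:
    """Labels of cleartext management services that are still enabled."""
    hits = []
    for prefix, label in CLEARTEXT_SERVICES.items():
        if any(s == prefix or s.startswith(prefix + " ") for s in stmts):
            hits.append(label)
    return hits


def find_units_without_family(stmts: List[str]) -> List[str]:
    """Logical units that exist but have no 'family' statement (no addressing)."""
    units: Dict[str, bool] = {}
    for s in stmts:
        m = UNIT_RE.match(s)
        if not m:
            continue
        name = f"{m.group(1)}.{m.group(2)}"
        rest = m.group(3) or ""
        # once any statement for the unit configures a family, it counts as addressed
        units[name] = units.get(name, False) or rest.startswith("family ")
    return sorted(name for name, has_family in units.items() if not has_family)


def count_security_zones(stmts: List[str]) -> int:
    """Number of distinct security zones referenced in the listing."""
    zones = set()
    for s in stmts:
        parts = s.split()
        if s.startswith("security zones security-zone ") and len(parts) > 3:
            zones.add(parts[3])
    return len(zones)


def has_policies(stmts: List[str]) -> bool:
    """A bare 'security policies' statement means no policies are defined."""
    return any(s.startswith("security policies ") for s in stmts)


def audit(text: str) -> dict:
    """Run every check and return the findings as a dictionary."""
    stmts = parse_set_lines(text)
    return {
        "cleartext_services": find_cleartext_services(stmts),
        "units_without_family": find_units_without_family(stmts),
        "security_zones": count_security_zones(stmts),
        "has_policies": has_policies(stmts),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

Paste the real listing in place of SAMPLE_CONFIG (or read it from a file) to run it against your own box; the checks only need the "set" form of the configuration.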

And then how to set it up to more closely emulate an MX series SP switch from the Juniper Forums:


Cleaned up the rack some, and added some cable management. The second ADVA (GE206V) is just waiting for some MM fiber jumpers to arrive (quite literally, possibly, on a slow boat from China).

Need to sell a couple more racks and I'll have enough to pull the trigger on a Juniper EX2200 to more fully simulate the types of circuits we'll be performing break/fix on.



1 comment:

  1. Thanks for sharing the code! It was really helpful. Looking forward for your next post.

    UPS BATTERIES