“We Love Oranges AS Oranges Mean Pure Refreshment” |
Thursday, 4 June 2020
BGP Best Path Selection Mnemonic (Old but Gold)
Saturday, 30 May 2020
SNMPv2c and SNMPv3 Polling and Traps Configuration in Juniper
SNMPv2c
community: snmpcomm123
management IP address: 192.168.10.100
SNMP Polling Server: 192.168.20.199
SNMP Trap Server: 192.168.20.200
Configuration:
set snmp name JUNIPER-SNMP
set snmp description "Juniper SNMP"
set snmp location Datacentre
set snmp community snmpcomm123 routing-instance mgmt_junos
set snmp community snmpcomm123 clients 192.168.10.100/32
Traps Configuration:
set snmp trap-options source-address 192.168.10.100
set snmp trap-options agent-address outgoing-interface
set snmp trap-group JUNOS_GROUP version v2
set snmp trap-group JUNOS_GROUP destination-port 162
set snmp trap-group JUNOS_GROUP categories authentication
set snmp trap-group JUNOS_GROUP categories chassis
set snmp trap-group JUNOS_GROUP categories link
set snmp trap-group JUNOS_GROUP categories remote-operations
set snmp trap-group JUNOS_GROUP categories routing
set snmp trap-group JUNOS_GROUP categories startup
set snmp trap-group JUNOS_GROUP categories rmon-alarm
set snmp trap-group JUNOS_GROUP categories configuration
set snmp trap-group JUNOS_GROUP targets 192.168.20.200
set snmp trap-group JUNOS_GROUP routing-instance mgmt_junos
set snmp routing-instance-access
Verify:
snmpwalk -M /usr/local/snmp/mibs -v2c -c snmpcomm123 192.168.10.100:161 sysDescr.0
SNMPv2-MIB::sysDescr.0 = STRING: Juniper SNMP
SNMPv3
user: snmpuser
Security Level: authPriv with SHA authentication and AES 128-bit privacy
management IP address: 192.168.10.100
AuthPass: authpass123!
PrivPass: privpass123!
View Name: ALLVIEW
Group Name: SNMPGROUP
SNMP Polling Server: 192.168.20.199
SNMP Trap Server: 192.168.20.200
Important config:
set groups SNMPv3-GROUP snmp v3 usm local-engine user snmpuser authentication-sha authentication-key authpass123!
set groups SNMPv3-GROUP snmp v3 usm local-engine user snmpuser privacy-aes128 privacy-key privpass123!
Full config (the authentication and privacy keys are shown encrypted in the output):
set groups SNMPv3-GROUP snmp location CHANGI
set groups SNMPv3-GROUP snmp stats-cache-lifetime 30
set groups SNMPv3-GROUP snmp filter-duplicates
set groups SNMPv3-GROUP snmp v3 usm local-engine user snmpuser authentication-sha authentication-key "$9$safsafasflvLx7sApORESreKxNwYgJUjbw4ZGUHkTz39CuSreghdhddghAtOF3vWXxdVqmPQ/C0BIcgh"
set groups SNMPv3-GROUP snmp v3 usm local-engine user snmpuser privacy-aes128 privacy-key "$9$Hk342df3d.mTGUtu0BEhdbwg4ZiHmzF/wYoGDjq.1REcevXxdsgoRhyKv34343t3i5QF6/tTQxz"
set groups SNMPv3-GROUP snmp v3 vacm security-to-group security-model usm security-name snmpuser group SNMPGROUP
set groups SNMPv3-GROUP snmp v3 vacm access group SNMPGROUP default-context-prefix security-model any security-level privacy read-view ALLVIEW
set groups SNMPv3-GROUP snmp v3 vacm access group SNMPGROUP default-context-prefix security-model any security-level privacy write-view ALLVIEW
set groups SNMPv3-GROUP snmp v3 vacm access group SNMPGROUP default-context-prefix security-model any security-level privacy notify-view ALLVIEW
set groups SNMPv3-GROUP snmp v3 vacm access group SNMPGROUP context-prefix CEN security-model any security-level privacy read-view ALLVIEW
set groups SNMPv3-GROUP snmp v3 vacm access group SNMPGROUP context-prefix CEN security-model any security-level privacy write-view ALLVIEW
set groups SNMPv3-GROUP snmp v3 vacm access group SNMPGROUP context-prefix CEN security-model any security-level privacy notify-view ALLVIEW
set groups SNMPv3-GROUP snmp v3 target-address SNMPGROUP tag-list SNMPGROUP-TAG
set groups SNMPv3-GROUP snmp v3 target-address SNMPGROUP address-mask 255.255.255.255
set groups SNMPv3-GROUP snmp v3 target-address SNMPGROUP routing-instance mgmt_junos
set groups SNMPv3-GROUP snmp v3 target-address SNMPGROUP target-parameters SNMPGROUP-parameters
set groups SNMPv3-GROUP snmp v3 target-parameters SNMPGROUP-parameters parameters message-processing-model v3
set groups SNMPv3-GROUP snmp v3 target-parameters SNMPGROUP-parameters parameters security-model usm
set groups SNMPv3-GROUP snmp v3 target-parameters SNMPGROUP-parameters parameters security-level privacy
set groups SNMPv3-GROUP snmp v3 target-parameters SNMPGROUP-parameters parameters security-name SNMPGROUP
set groups SNMPv3-GROUP snmp v3 notify SNMPGROUP type inform
set groups SNMPv3-GROUP snmp v3 notify SNMPGROUP tag SNMPGROUP-TAG
set groups SNMPv3-GROUP snmp engine-id local snmpuser
set groups SNMPv3-GROUP snmp view ALLVIEW oid .1.3.6.1 include
set groups SNMPv3-GROUP routing-instances mgmt_junos description SNMP-Management
set apply-groups SNMPv3-GROUP
Optional: firewall configuration to protect the routing engine (RE)
set firewall family inet filter FIREWALL term SNMP-ALLOW from source-prefix-list SNMP-PREFIXES
set firewall family inet filter FIREWALL term SNMP-ALLOW from protocol udp
set firewall family inet filter FIREWALL term SNMP-ALLOW from destination-port snmp
set firewall family inet filter FIREWALL term SNMP-ALLOW then count SNMP-ALLOW
set firewall family inet filter FIREWALL term SNMP-ALLOW then accept
set policy-options prefix-list SNMP-PREFIXES 192.168.20.199/32
Here's the Cisco version for SNMPv2c and SNMPv3 configuration --> SNMP Configuration in Cisco IOS-XR
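To check a Junos SNMP configuration like the one above for the weak or broken settings this post is concerned with (SNMPv2c communities, USM users without a privacy key, VACM access entries below security-level privacy, views referenced but never defined), here is an added Python lint that is not part of the original post. It reads set-format lines; the sample configuration and its $9$ placeholder keys are constructed.

```python
"""Lint a Junos SNMP configuration in 'set' format (added example, not the post's
own tooling). It follows the SNMPv3 chain the post builds: each USM user needs both
an authentication and a privacy key, must be mapped to a VACM group, every access
entry for that group should require security-level privacy, and every referenced
view must exist. SNMPv2c communities are reported as weak."""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample in the style of the post; the $9$ keys are placeholders.
SAMPLE_CONFIG = """
set groups SNMPv3-GROUP snmp community public authorization read-only
set groups SNMPv3-GROUP snmp v3 usm local-engine user snmpuser authentication-sha authentication-key "$9$PLACEHOLDER"
set groups SNMPv3-GROUP snmp v3 usm local-engine user snmpuser privacy-aes128 privacy-key "$9$PLACEHOLDER"
set groups SNMPv3-GROUP snmp v3 usm local-engine user rouser authentication-sha authentication-key "$9$PLACEHOLDER"
set groups SNMPv3-GROUP snmp v3 vacm security-to-group security-model usm security-name snmpuser group SNMPGROUP
set groups SNMPv3-GROUP snmp v3 vacm access group SNMPGROUP default-context-prefix security-model any security-level privacy read-view ALLVIEW
set groups SNMPv3-GROUP snmp v3 vacm access group SNMPGROUP default-context-prefix security-model any security-level authentication write-view MISSING
set groups SNMPv3-GROUP snmp view ALLVIEW oid .1.3.6.1 include
"""

def strip_groups(line: str) -> str:
    """Drop the 'groups <name>' prefix so grouped and ungrouped lines look alike."""
    return re.sub(r"^set groups \S+ ", "set ", line.strip())

def lint(config: str) -> List[str]:
    users: Dict[str, Set[str]] = {}        # user -> {"authentication", "privacy"}
    user_group: Dict[str, str] = {}        # user -> VACM group
    access: List[Tuple[str, ...]] = []     # (group, level, view kind, view name)
    views: Set[str] = set()
    findings: List[str] = []
    for raw in config.splitlines():
        line = strip_groups(raw)
        if not line.startswith("set snmp "):
            continue
        if m := re.match(r"set snmp community (\S+)", line):
            findings.append(f"WEAK: SNMPv2c community '{m.group(1)}' configured; "
                            "community-based SNMP is neither authenticated nor encrypted")
        elif m := re.match(r"set snmp v3 usm local-engine user (\S+) (authentication|privacy)-", line):
            users.setdefault(m.group(1), set()).add(m.group(2))
        elif m := re.match(r"set snmp v3 vacm security-to-group security-model usm security-name (\S+) group (\S+)", line):
            user_group[m.group(1)] = m.group(2)
        elif m := re.match(r"set snmp v3 vacm access group (\S+) .*security-level (\S+) (read|write|notify)-view (\S+)", line):
            access.append(m.groups())
        elif m := re.match(r"set snmp view (\S+) oid ", line):
            views.add(m.group(1))
    for user, parts in users.items():
        missing = {"authentication", "privacy"} - parts
        if missing:
            findings.append(f"WEAK: USM user '{user}' lacks {', '.join(sorted(missing))} key")
        if user not in user_group:
            findings.append(f"UNUSED: USM user '{user}' is not mapped to any VACM group")
    for group, level, kind, view in access:
        if level != "privacy":
            findings.append(f"WEAK: group '{group}' {kind}-view '{view}' allows security-level '{level}'")
        if view not in views:
            findings.append(f"BROKEN: group '{group}' references undefined view '{view}'")
    return findings

if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
```

Run it against `show configuration | display set` output to lint a live box; the post's own SNMPv2c section would be reported for its community lines.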
Thursday, 21 May 2020
NTP Configuration via Management Routing Instance in Juniper
When the management interface of a Juniper device is configured as described in the earlier post, NTP traffic should also go via the management port and not through the data ports. The prerequisite configuration can be found here:
https://mynetworkbio.blogspot.com/2020/03/configure-management-interface-in.html
NTP Server1: 192.168.10.101
NTP Server2: 192.168.10.102
Configuration:
set system ntp server 192.168.10.101 routing-instance mgmt_junos
set system ntp server 192.168.10.102 routing-instance mgmt_junos
set system ntp source-address 172.16.0.100 routing-instance mgmt_junos
where: 172.16.0.100 is your management (em0) interface IP
Sample Firewall configuration:
set firewall family inet filter FIREWALL-RE term NTP-PERMIT from source-prefix-list NTP-LIST
set firewall family inet filter FIREWALL-RE term NTP-PERMIT from protocol udp
set firewall family inet filter FIREWALL-RE term NTP-PERMIT from port ntp
set firewall family inet filter FIREWALL-RE term NTP-PERMIT then policer ntp-policer
set firewall family inet filter FIREWALL-RE term NTP-PERMIT then count NTP-PERMIT
set firewall family inet filter FIREWALL-RE term NTP-PERMIT then accept
set firewall policer ntp-policer if-exceeding bandwidth-limit 1m
set firewall policer ntp-policer if-exceeding burst-size-limit 15k
set firewall policer ntp-policer then discard
set policy-options prefix-list NTP-LIST 172.20.2.100/32
set policy-options prefix-list NTP-LIST 192.168.10.101/32
set policy-options prefix-list NTP-LIST 192.168.10.102/32
where:
172.20.2.100/32 is your loopback0 address
Note: the routing-instance mgmt_junos keyword on the ntp server and source-address lines is what makes NTP use the management instance; those are the most important commands to make this work.
Verification:
darwin@QFX-re0#run show ntp associations
remote refid st t when poll reach delay offset jitter
===============================================================================
192.168.10.101 .GPS. 1 - - 64 1 1.555 -0.053 0.026
192.168.10.102 .GPS. 1 - 1 64 1 0.901 -0.045 0.031
{master}[edit]
darwin@QFX-re0#run show ntp status
status=0644 leap_none, sync_ntp, 4 events, event_peer/strat_chg,
version="ntpd 4.2.0-a Thu Dec 26 20:26:31 2019 (1)", processor="amd64",
system="FreeBSDJNPR-11.0-20191223.5f5c7dc_buil", leap=00, stratum=2,
precision=-23, rootdelay=1.514, rootdispersion=13.291, peer=13884,
refid=192.168.10.101,
reftime=e270e335.ef6c45ca Thu, May 21 2020 19:23:33.935, poll=6,
clock=e270e3fa.23b9d2ce Thu, May 21 2020 19:26:50.139, state=4,
offset=-0.019, frequency=34.239, jitter=0.042, stability=0.000
Additional Tips:
Set the timezone (example: changing from the default UTC to SGT)
darwin@QFX-re0# set system time-zone Asia/Singapore
darwin@QFX-re0# run show system uptime
Current time: 2020-05-21 11:24:09 UTC
Time Source: NTP CLOCK
System booted: 2020-04-19 13:28:11 UTC (4w3d 21:55 ago)
Protocols started: 2020-04-19 13:29:05 UTC (4w3d 21:55 ago)
Last configured: 2020-05-21 11:23:18 UTC (00:00:51 ago) by darwin
11:24AM up 31 days, 21:56, 1 users, load averages: 0.37, 0.28, 0.25
darwin@QFX-re0# run show system uptime
Current time: 2020-05-21 19:25:48 SGT
Time Source: NTP CLOCK
System booted: 2020-04-19 21:28:11 SGT (4w3d 21:57 ago)
Protocols started: 2020-04-19 21:29:05 SGT (4w3d 21:56 ago)
Last configured: 2020-05-21 19:25:29 SGT (00:00:19 ago) by darwin
7:25PM up 31 days, 21:58, 1 users, load averages: 0.39, 0.30, 0.26
Friday, 27 March 2020
Upgrading Field Programmable Device (FPD) in Cisco IOS-XR
As per the definition of FPD on Cisco's official site:
An FPD refers to any programmable hardware device on a router, which includes a Field Programmable Gate Array (FPGA) and Read Only Memory Monitor (ROMMON). Cisco IOS® XR routers use a number of FPDs that are crucial for the function of route processors, line cards, shared port adapters (SPAs), SPA Interface Processors (SIPs), and fan trays.
Below is a sample FPD upgrade on an ASR9000 running IOS-XR. The linecard used is a 24x10GE Tomahawk linecard.
A. First, check which linecards are installed:
RP/0/RSP0/CPU0:ASR9K-BOX#show platform
Fri Mar 27 09:00:23.066 SGP
Node Type State Config State
-----------------------------------------------------------------------------
0/4/CPU0 A9K-24X10GE-1G-SE IOS XR RUN PWR,NSHUT,MON
B. Check whether an upgrade is needed with the command "admin show hw-module fpd location all"; the Upg/Dng? column shows Yes for every FPD that needs one.
The output below shows that several FPDs on this linecard need an upgrade.
RP/0/RSP0/CPU0:ASR9K-BOX#admin show hw-module fpd location all
===================================== ==========================================
Existing Field Programmable Devices
==========================================
HW Current SW Upg/
Location Card Type Version Type Subtype Inst Version Dng?
============ ======================== ======= ==== ======= ==== =========== ====
0/4/CPU0 A9K-24X10GE-1G-SE 1.0 lc cbc 0 47.03 No
lc rommon 0 18.24 Yes
lc fpga2 0 1.87 Yes
lc fsbl 0 1.104 Yes
lc lnxfw 0 1.104 Yes
lc fpga3 0 1.00 No
lc fpga4 0 1.09 Yes
--------------------------------------------------------------------------------
NOTES:
1. One or more FPD needs an upgrade. This can be accomplished
using the "admin> upgrade hw-module fpd <fpd> location <loc>" CLI.
2. ^ One or more FPD will be intentionally skipped from upgrade using CLI with option "all" or during "Auto fpd".
It can be upgraded only using the "admin> upgrade hw-module fpd <fpd> location <loc>" CLI with exact location.
C. Upgrade the FPDs using the command "admin> upgrade hw-module fpd <fpd> location <loc>" and answer "yes" at the Continue? prompt.
RP/0/RSP0/CPU0:ASR9K-BOX#admin
RP/0/RSP0/CPU0:ASR9K-BOX(admin)#upgrade hw-module fpd all location 0/4/CPU0
***** UPGRADE WARNING MESSAGE: *****
* This upgrade operation has a maximum timout of 90 minutes. *
* If you are executing the cmd for one specific location and *
* card in that location reloads or goes down for some reason *
* you can press CTRL-C to get back the RP's prompt. *
* If you are executing the cmd for _all_ locations and a node *
* reloads or is down please allow other nodes to finish the *
* upgrade process before pressing CTRL-C. *
% RELOAD REMINDER:
- The upgrade operation of the target module will not interrupt its normal
operation. However, for the changes to take effect, the target module
will need to be manually reloaded after the upgrade operation. This can
be accomplished with the use of "hw-module <target> reload" command.
- If automatic reload operation is desired after the upgrade, please use
the "reload" option at the end of the upgrade command.
- The output of "show hw-module fpd location" command will not display
correct version information after the upgrade if the target module is
not reloaded.
NOTE: Chassis CLI will not be accessible while upgrade is in progress.
Continue ? [no]: yes
FPD upgrade in progress on some hardware, reload/configuration change
on those is not recommended as it might cause HW programming failure
and result in RMA of the hardware.
Starting the upgrade/download of following FPDs:
=========== ==== ======= ======= =========== =========
Current Upg/Dng
Location Type Subtype Upg/Dng Version Version
=========== ==== ======= ======= =========== =========
0/4/CPU0 lc rommon upg 18.24 18.27
lc fpga2 upg 1.87 1.88
lc fsbl upg 1.104 1.110
lc lnxfw upg 1.104 1.110
lc fpga4 upg 1.09 1.11
------------------------------------------------------
FPD upgrade in progress. Max timeout remaining 89 min.
FPD upgrade in progress. Max timeout remaining 88 min.
FPD upgrade in progress. Max timeout remaining 87 min.
FPD upgrade in progress. Max timeout remaining 86 min.
FPD upgrade in progress. Max timeout remaining 85 min.
Successfully upgraded rommon for A9K-24X10GE-1G-SE on location 0/4/CPU0 from 18.24 to 18.27
Successfully upgraded fpga2 for A9K-24X10GE-1G-SE on location 0/4/CPU0 from 1.87 to 1.88
Successfully upgraded fsbl for A9K-24X10GE-1G-SE on location 0/4/CPU0 from 1.104 to 1.110
Successfully upgraded lnxfw for A9K-24X10GE-1G-SE on location 0/4/CPU0 from 1.104 to 1.110
Successfully upgraded fpga4 for A9K-24X10GE-1G-SE on location 0/4/CPU0 from 1.09 to 1.11
FPD upgrade has ended.
D. Reload the linecard that was upgraded using the command "hw-module location <loc> reload". Press y to confirm the reload.
RP/0/RSP0/CPU0:ASR9K-BOX(admin)#hw-module location 0/4/CPU0 reload
WARNING: This will take the requested node out of service.
Do you wish to continue?[confirm(y/n)]y
RP/0/RSP0/CPU0:ASR9K-BOX(admin)#
E. Verify again after the reload. "No" in the Upg/Dng? column means the FPD no longer needs an upgrade and was upgraded successfully.
RP/0/RSP0/CPU0:ASR9K-BOX(admin)#show hw-module fpd location all
===================================== ==========================================
Existing Field Programmable Devices
==========================================
HW Current SW Upg/
Location Card Type Version Type Subtype Inst Version Dng?
============ ======================== ======= ==== ======= ==== =========== ====
0/4/CPU0 A9K-24X10GE-1G-SE 1.0 lc cbc 0 47.03 No
lc rommon 0 18.27 No
lc fpga2 0 1.88 No
lc fsbl 0 1.110 No
lc lnxfw 0 1.110 No
lc fpga3 0 1.00 No
lc fpga4 0 1.11 No
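As an added example (not Cisco tooling and not part of the original post), the following Python parses the "show hw-module fpd location all" table from steps B and E and confirms that every FPD flagged Yes before the upgrade is cleared and at a new version after the reload. The samples are constructed from the post's output; where the "^" skip marker from the NOTES sits in a row is an assumption.

```python
"""Parse the 'show hw-module fpd location all' table from the post and check the
upgrade result (added example, not Cisco tooling). Samples are constructed from the
post's before/after output; a card's Location, Card Type and HW Version appear only
on its first row and are carried forward to its continuation rows."""
from typing import List, Tuple

SAMPLE_BEFORE = """\
Location     Card Type                Version Type Subtype Inst   Version   Dng?
============ ======================== ======= ==== ======= ==== =========== ====
0/4/CPU0     A9K-24X10GE-1G-SE            1.0 lc   cbc        0       47.03 No
                                              lc   rommon     0       18.24 Yes
                                              lc   fpga2      0        1.87 Yes
                                              lc   fsbl       0       1.104 Yes
                                              lc   lnxfw      0       1.104 Yes
                                              lc   fpga3      0        1.00 No
                                              lc   fpga4      0        1.09 Yes
--------------------------------------------------------------------------------
"""
# Post-reload output (step E): versions bumped and every Upg/Dng? flag cleared.
SAMPLE_AFTER = """\
0/4/CPU0     A9K-24X10GE-1G-SE            1.0 lc   cbc        0       47.03 No
                                              lc   rommon     0       18.27 No
                                              lc   fpga2      0        1.88 No
                                              lc   fsbl       0       1.110 No
                                              lc   lnxfw      0       1.110 No
                                              lc   fpga3      0        1.00 No
                                              lc   fpga4      0        1.11 No
"""

def parse_fpd_table(text: str) -> List[dict]:
    rows: List[dict] = []
    location = card = hw = None
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) == 8:      # first row of a card: Location, Card Type, HW + 5 FPD fields
            header, tokens = tokens[:3], tokens[3:]
        elif len(tokens) == 5:    # continuation row: same card, next FPD
            header = None
        else:
            continue              # headings, separators, notes
        fpd_type, subtype, inst, version, flag = tokens
        # The post's NOTES say '^' marks an FPD skipped by 'upgrade ... all'; it is
        # assumed here to prefix the Yes/No flag, so strip it before reading the flag.
        if not inst.isdigit() or flag.lstrip("^") not in ("Yes", "No"):
            continue              # the '====' separator also splits into 8 tokens
        if header:
            location, card, hw = header
        if location is None:
            continue
        rows.append({"location": location, "card": card, "hw": hw, "type": fpd_type,
                     "subtype": subtype, "instance": inst, "version": version,
                     "needs_upgrade": flag.lstrip("^") == "Yes",
                     "skipped_by_all": flag.startswith("^")})
    return rows

def pending_upgrades(rows: List[dict]) -> List[Tuple[str, str, str]]:
    """(location, subtype, current version) for every FPD flagged Yes."""
    return [(r["location"], r["subtype"], r["version"]) for r in rows if r["needs_upgrade"]]

def confirm_upgrade(before: List[dict], after: List[dict]) -> List[str]:
    """Problems when comparing pre-upgrade rows with post-reload rows; empty means OK."""
    ident = lambda r: (r["location"], r["type"], r["subtype"], r["instance"])
    after_by_id = {ident(r): r for r in after}
    problems = []
    for r in before:
        if not r["needs_upgrade"]:
            continue
        now = after_by_id.get(ident(r))
        name = f"{r['location']} {r['subtype']}"
        if now is None:
            problems.append(f"{name}: missing after reload")
        elif now["needs_upgrade"]:
            problems.append(f"{name}: still flagged for upgrade at {now['version']}")
        elif now["version"] == r["version"]:
            problems.append(f"{name}: flag cleared but version still {r['version']}")
    return problems

if __name__ == "__main__":
    before, after = parse_fpd_table(SAMPLE_BEFORE), parse_fpd_table(SAMPLE_AFTER)
    print("pending:", pending_upgrades(before), "problems:", confirm_upgrade(before, after))
```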
Wednesday, 25 March 2020
Configure Management Interface in Juniper
One of the best security practices in networking is the separation of management traffic from data and control traffic. One way to achieve this on Juniper devices is to use the dedicated management ports and connect them physically, preferably to a separate network.
The management Ethernet interface is usually em0 or fxp0 in Juniper, and provides the out-of-band (OOB) management network for the device.
Assuming UTP cables are already connected to the management ports of both routing engines (REs) of the Juniper device, here are the steps to follow:
1. Configure the management IP addresses, e.g.:
re0 = 192.168.1.20
re1 = 192.168.1.21
vip = 192.168.1.22
configure:
#set groups re0 system host-name JUNOS-BOX-re0
#set groups re0 interfaces em0 unit 0 family inet address 192.168.1.22/26 master-only
#set groups re0 interfaces em0 unit 0 family inet address 192.168.1.20/26
#set groups re1 system host-name JUNOS-BOX-re1
#set groups re1 interfaces em0 unit 0 family inet address 192.168.1.22/26 master-only
#set groups re1 interfaces em0 unit 0 family inet address 192.168.1.21/26
The result looks like this with the show command:
networkbio@JUNOS-BOX-re0# show groups re0
system {
    host-name JUNOS-BOX-re0;
}
interfaces {
    em0 {
        unit 0 {
            family inet {
                address 192.168.1.22/26 {
                    master-only;
                }
                address 192.168.1.20/26;
            }
        }
    }
}
networkbio@JUNOS-BOX-re0# show groups re1
system {
    host-name JUNOS-BOX-re1;
}
interfaces {
    em0 {
        unit 0 {
            family inet {
                address 192.168.1.22/26 {
                    master-only;
                }
                address 192.168.1.21/26;
            }
        }
    }
}
2. Configure Routing instance for management. The name of the dedicated management instance is reserved and hardcoded as mgmt_junos.
As per Juniper official website:
Once the mgmt_junos routing instance is deployed, management traffic no longer shares a routing table (that is, the default.inet.0 table) with other control or protocol traffic in the system, nor is configuring dynamic protocols on the management interface supported.
#set system management-instance
3. Configure the next-hop (192.168.1.1 is the gateway)
#set routing-instances mgmt_junos routing-options static route 0.0.0.0/0 next-hop 192.168.1.1
Commands to verify:
show route
show route protocol static
show route forwarding-table
Sunday, 25 August 2019
SSH Configuration Examples in Cisco (IOS,IOS-XE,NX-OS,IOS-XR) and Juniper(JunOS)
Here are the configuration examples, where:
192.168.100.100 = jump host IP (the only IP allowed to SSH into the device)
Juniper
system {
    services {
        ssh {
            root-login deny;
            protocol-version v2;
            connection-limit 5;
            rate-limit 5;
        }
    }
}
policy-options {
    prefix-list ALLOWED-IP {
        192.168.100.100/32;
    }
}
firewall {
    family inet {
        filter PROTECT-ENGINE {
            term PERMIT-SSH {
                from {
                    source-prefix-list {
                        ALLOWED-IP;
                    }
                    protocol tcp;
                    port ssh;
                }
                then {
                    count PERMIT-SSH;
                    accept;
                }
            }
            term DENY-SSH {
                from {
                    protocol tcp;
                    destination-port ssh;
                }
                then {
                    count DENY-SSH;
                    discard;
                }
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input PROTECT-ENGINE;
                }
            }
        }
    }
}
Set format:
set system services ssh root-login deny
set system services ssh protocol-version v2
set system services ssh connection-limit 5
set system services ssh rate-limit 5
set policy-options prefix-list ALLOWED-IP 192.168.100.100/32
set firewall family inet filter PROTECT-ENGINE term PERMIT-SSH from source-prefix-list ALLOWED-IP
set firewall family inet filter PROTECT-ENGINE term PERMIT-SSH from protocol tcp
set firewall family inet filter PROTECT-ENGINE term PERMIT-SSH from port ssh
set firewall family inet filter PROTECT-ENGINE term PERMIT-SSH then count PERMIT-SSH
set firewall family inet filter PROTECT-ENGINE term PERMIT-SSH then accept
set firewall family inet filter PROTECT-ENGINE term DENY-SSH from protocol tcp
set firewall family inet filter PROTECT-ENGINE term DENY-SSH from destination-port ssh
set firewall family inet filter PROTECT-ENGINE term DENY-SSH then count DENY-SSH
set firewall family inet filter PROTECT-ENGINE term DENY-SSH then discard
set interfaces lo0 unit 0 family inet filter input PROTECT-ENGINE
Cisco:
Prerequisites for configuring SSH on Cisco devices include SSH key generation (command: crypto key generate rsa); please refer to the Cisco official documentation.
Prefer an RSA key size of at least 2048 bits rather than 1024 for better security.
IOS:
ip ssh version 2
!
line vty 0 4
 access-class 101 in
 exec-timeout 5 0
 password 7 01234ABC
 login authentication VTY
 transport input ssh
!
access-list 101 permit tcp host 192.168.100.100 any eq 22
IOS-XE:
ip ssh version 2
login quiet-mode access-class SSH-ACL
!
ip access-list extended SSH-ACL
 permit tcp host 192.168.100.100 any eq 22
 deny tcp any any eq 22
!
line vty 0 4
 access-class SSH-ACL in
 exec-timeout 5 0
 password 7 01234ABCDEF
 login authentication VTY
 transport input ssh
NEXUS OS:
feature ssh
!
interface mgmt0
  ip access-group acl_101 in
  vrf member management
!
ip access-list acl_101
  10 permit tcp 192.168.100.100/32 any eq 22
  20 deny ip any any log
IOS-XR:
ssh client source-interface Loopback0
ssh server v2
!
line template VTYTEMPLATE
 secret 5 $encryptedlocalpass
 users group root-system
 users group cisco-support
 accounting exec VTY
 accounting commands VTY
 authorization exec VTY
 authorization commands VTY
 login authentication VTY
 exec-timeout 5 0
 access-class ingress SSH-VTY
 transport input ssh
!
vty-pool default 0 4 line-template VTYTEMPLATE
or (simpler):
line default
 secret 5 $encryptedlocalpass
 login authentication default
 timestamp
 exec-timeout 5 0
 access-class ingress SSH-VTY
 session-timeout 5
 transport input ssh
!
ipv4 access-list SSH-VTY
 10 permit tcp host 192.168.100.100 any eq ssh
 20 deny ipv4 any any log
!
control-plane
 management-plane
  inband
   interface all
    allow SSH peer
     address ipv4 192.168.100.100
!