Juniper SRX Simple Internet Gateway Setup Guide

This guide was written for someone who wants to configure a Juniper SRX firewall as a simple home or small-business Internet gateway. You will need some tech savvy, since the instructions are written for the CLI and not J-Web; doing it this way keeps the instructions short and to the point.

SRX Environment (diagram)

General Configuration

These are things that we need to take care of before getting too far into things.
set system host-name Internet_Gateway
set system root-authentication plain-text-password

#I like to have a name server configured so that the SRX itself can resolve names (for ping, traceroute and the like). This is not strictly needed and can be omitted.

set system name-server 8.8.8.8

#Set up a user other than root for administration. This is good practice: root should never be used for remote logins, and a named account gives you an audit trail in the logs.

set system login user admin uid 2000
set system login user admin class super-user
set system login user admin authentication plain-text-password

#For accurate date and time in logs configure an NTP server, in my case I used a publicly available server.

set system ntp server 192.95.20.208

Interface Configuration

#This is our internet facing link and it will pull IP configuration via DHCP from our provider.

set interfaces ge-0/0/0 description Internet_Link
set interfaces ge-0/0/0 unit 0 family inet dhcp update-server

#I would like interfaces fe-0/0/2 through fe-0/0/7 to be members of VLAN 100 and behave like a switch.

set interfaces interface-range interface-trust member fe-0/0/2
set interfaces interface-range interface-trust member fe-0/0/3
set interfaces interface-range interface-trust member fe-0/0/4
set interfaces interface-range interface-trust member fe-0/0/5
set interfaces interface-range interface-trust member fe-0/0/6
set interfaces interface-range interface-trust member fe-0/0/7

#Family ethernet-switching makes the range of ports behave like a switch. They belong to vlan-trust, whose L3 interface (vlan.100, created below) is the gateway IP the LAN devices will use.

set interfaces interface-range interface-trust unit 0 family ethernet-switching vlan members vlan-trust

#This will be the gateway for the LAN devices on fe-0/0/2 to 0/0/7.

set interfaces vlan unit 100 family inet address 192.168.1.1/24

#Let's create vlan-trust and attach vlan.100, the L3 interface we created above.

set vlans vlan-trust vlan-id 100
set vlans vlan-trust l3-interface vlan.100

Test

To see if DHCP is working on ge-0/0/0 issue the following command. You should see the IP information handed out by your Internet Service Provider (the values below are from a test network).
admin@Internet_Gateway> show system services dhcp client

Logical Interface name         ge-0/0/0.0
Hardware address        80:71:1f:b4:07:c0
Client status           bound
Address obtained        10.5.5.5
Update server           enabled
Lease obtained at       2013-05-08 19:14:06 UTC
Lease expires at        2013-05-08 23:14:06 UTC

DHCP options:
Name: server-identifier, Value: 10.5.5.254
Code: 1, Type: ip-address, Value: 255.255.255.0
Name: router, Value: [ 10.5.5.1 ]
Name: domain-name, Value: corp.test.com
Name: name-server, Value: [ 10.5.5.253 ]

LAN DHCP

Since we just finished configuring the LAN we should setup DHCP which will provide local addresses to devices in vlan-trust.

set system services dhcp pool 192.168.1.0/24 address-range low 192.168.1.50
set system services dhcp pool 192.168.1.0/24 address-range high 192.168.1.200
set system services dhcp pool 192.168.1.0/24 default-lease-time 3600
set system services dhcp pool 192.168.1.0/24 router 192.168.1.1

#The propagate-settings statement copies the options learned by the DHCP client on ge-0/0/0.0 into this pool unless you set them explicitly here. The important one is name-server, which differs from ISP to ISP; without it LAN hosts receive no DNS server and name resolution on the LAN won't work. If you would rather not hand out the ISP's resolvers, set a name-server on the pool explicitly and it will take precedence.

set system services dhcp pool 192.168.1.0/24 propagate-settings ge-0/0/0.0

Test

Let's see if the PC(s) connected to ports fe-0/0/2 through fe-0/0/7 are getting DHCP leases.
admin@Internet_Gateway> show system services dhcp binding
IP address       Hardware address   Type     Lease expires at
192.168.1.50     32:aa:a7:5e:17:45  dynamic  2013-05-08 20:14:02 UTC

Security Zones

We are going to configure a zone for the LAN (trust) and one for the Internet (untrust).

set security zones security-zone untrust description "Internet Link - DHCP Configured"

#Note that DHCP is the only host-inbound service we allow on the Internet-facing interface, because it is a DHCP client. Everything else (SSH, HTTPS, ping, ...) stays closed from the outside.

set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcp

#Allow every service and protocol to the internal interface. On a home LAN this is usually tolerated, but be aware of what it means: every device on vlan.100 can reach the SRX's SSH, J-Web, SNMP, NETCONF and any other management service, and a compromised or untrusted host on the LAN can attack the firewall directly. The least-privilege alternative is to list only the services you actually use (ssh, https, dhcp, ping for this guide) instead of "all".

set security zones security-zone trust description "Local Area Network"
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all

#Attach vlan.100 to the trust zone.

set security zones security-zone trust interfaces vlan.100

Source NAT

Since 192.168.1.0/24 is private (RFC 1918) and is not routed on the Internet, we need to source-NAT this internal subnet to the address of our Internet-facing egress interface. The rule below matches 0.0.0.0/0 as the source; because the rule-set is already scoped from zone trust to zone untrust this is acceptable, but matching 192.168.1.0/24 explicitly is the tighter habit.
set security nat source rule-set internal-to-internet description “NAT anything from trust zone to untrust (LAN to Internet)”

set security nat source rule-set internal-to-internet from zone trust
set security nat source rule-set internal-to-internet to zone untrust
set security nat source rule-set internal-to-internet rule internet-access match source-address 0.0.0.0/0
set security nat source rule-set internal-to-internet rule internet-access match destination-address 0.0.0.0/0
set security nat source rule-set internal-to-internet rule internet-access then source-nat interface

Policies

Allow anything from trust to untrust (LAN to Internet). Traffic from untrust to trust (Internet to LAN) needs no policy: the SRX's default policy denies everything that is not explicitly permitted, so unsolicited inbound traffic is dropped, while return traffic for sessions initiated from the LAN is allowed by the stateful session table.

set security policies from-zone trust to-zone untrust policy default-permit match source-address any
set security policies from-zone trust to-zone untrust policy default-permit match destination-address any
set security policies from-zone trust to-zone untrust policy default-permit match application any
set security policies from-zone trust to-zone untrust policy default-permit then permit

Management

This is a simple Internet gateway, so let's enable SSH and HTTPS access from the inside LAN only. Note that the ssh statement itself carries no interface restriction: SSH from the Internet is refused only because the untrust zone's host-inbound-traffic allows nothing but dhcp, while the interface statement keeps J-Web (HTTPS) on vlan.100. If you later add host-inbound services to the untrust zone, re-check that ssh and https are not among them.

set system services ssh protocol-version v2
set system services web-management https system-generated-certificate
set system services web-management https interface vlan.100
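As an added example that is not part of the original guide, here is the least-privilege version of the trust zone and of the management settings from the Security Zones and Management sections above. The # lines are commentary, not configuration. The screen options are the ones the SRX factory-default configuration attaches to the untrust zone; the retry-options and connection-limit values are illustrative choices, not values from the guide.

```junos
# --- Trust zone: open only the services the SRX actually provides to the LAN ---
# Remove the two blanket statements first (they exist if you followed the guide).
delete security zones security-zone trust host-inbound-traffic system-services all
delete security zones security-zone trust host-inbound-traffic protocols all
# ssh/https for management, dhcp because the SRX is the LAN's DHCP server,
# ping so hosts can test reachability of the gateway.
set security zones security-zone trust host-inbound-traffic system-services ssh
set security zones security-zone trust host-inbound-traffic system-services https
set security zones security-zone trust host-inbound-traffic system-services dhcp
set security zones security-zone trust host-inbound-traffic system-services ping
# No dynamic routing runs on a simple gateway, so "protocols" stays unset.

# --- Untrust zone: attach the factory-default screen (basic DoS/anomaly checks) ---
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security zones security-zone untrust screen untrust-screen

# --- SSH: v2 only, no direct root login, bounded concurrent sessions ---
set system services ssh protocol-version v2
set system services ssh root-login deny
set system services ssh connection-limit 5
set system services ssh rate-limit 5

# --- Slow down password guessing against local accounts (illustrative values) ---
set system login retry-options tries-before-disconnect 3
set system login retry-options backoff-threshold 2
set system login retry-options backoff-factor 5
set system login retry-options lockout-period 10
```

After commit, show security zones trust lists exactly the four host-inbound services, show security screen statistics zone untrust shows whether any screen has fired, and an SSH attempt as root from the LAN is refused while the admin user still gets in.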

Full Configuration

For those who would just like to copy and paste the entire configuration into the SRX. It uses the same host name and admin user as the walkthrough above. The two password statements (root-authentication and the admin user's authentication) are deliberately left out: run the plain-text-password commands from the General Configuration section interactively before you commit, rather than pasting an encrypted-password hash. Pasting someone else's hash sets a password you do not know and can lock you out of the box, and Junos will not commit without root-authentication configured.

set system host-name Internet_Gateway
set system name-server 8.8.8.8
set system login user admin uid 2000
set system login user admin class super-user
set system services ssh protocol-version v2
set system services web-management https system-generated-certificate
set system services web-management https interface vlan.100
set system services dhcp pool 192.168.1.0/24 address-range low 192.168.1.50
set system services dhcp pool 192.168.1.0/24 address-range high 192.168.1.200
set system services dhcp pool 192.168.1.0/24 default-lease-time 3600
set system services dhcp pool 192.168.1.0/24 router 192.168.1.1
set system services dhcp pool 192.168.1.0/24 propagate-settings ge-0/0/0.0
set system ntp server 192.95.20.208
set interfaces interface-range interface-trust member fe-0/0/2
set interfaces interface-range interface-trust member fe-0/0/3
set interfaces interface-range interface-trust member fe-0/0/4
set interfaces interface-range interface-trust member fe-0/0/5
set interfaces interface-range interface-trust member fe-0/0/6
set interfaces interface-range interface-trust member fe-0/0/7
set interfaces interface-range interface-trust unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/0 description Internet_Link
set interfaces ge-0/0/0 unit 0 family inet dhcp update-server
set interfaces vlan unit 100 family inet address 192.168.1.1/24
set security nat source rule-set internal-to-internet description "NAT anything from trust zone to untrust (LAN to Internet)"
set security nat source rule-set internal-to-internet from zone trust
set security nat source rule-set internal-to-internet to zone untrust
set security nat source rule-set internal-to-internet rule internet-access match source-address 0.0.0.0/0
set security nat source rule-set internal-to-internet rule internet-access match destination-address 0.0.0.0/0
set security nat source rule-set internal-to-internet rule internet-access then source-nat interface
set security policies from-zone trust to-zone untrust policy default-permit match source-address any
set security policies from-zone trust to-zone untrust policy default-permit match destination-address any
set security policies from-zone trust to-zone untrust policy default-permit match application any
set security policies from-zone trust to-zone untrust policy default-permit then permit
set security zones security-zone untrust description "Internet Link - DHCP Configured"
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcp
set security zones security-zone trust description "Local Area Network"
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces vlan.100
set vlans vlan-trust vlan-id 100
set vlans vlan-trust l3-interface vlan.100

Virtual Chassis on EX2200 switches

The Juniper Virtual Chassis technology allows you to combine multiple physical switches into one logical switch stack, which reduces the management overhead of dealing with many switches. Because all members are acting as a single device, with a proprietary control protocol underneath, there is no need for Spanning Tree and its blocked links. It also has dual routing engine support, albeit with some feature limitations on the EX2200 platform.

Continue reading “Virtual Chassis on EX2200 switches”

Setting up a virtual lab topology with Juniper vSRX

Up until now, I've been doing most of my studies on real hardware. This was okay with Cisco gear, but Juniper hardware isn't as cheap on the second-hand market. Second, I always lose vast amounts of time reconfiguring appliances on the console, cabling them up, reconfiguring switch ports and installing physical or virtual test machines. I recently installed an ESXi whitebox, with loads of RAM and compute power idle, so why not start virtualizing my labs?

The Juniper vSRX Integrated Virtual Firewall, formerly known as Firefly Perimeter, is a virtual appliance that brings all the features of the SRX firewalls to your virtual layer. Even better, you can use the full-featured trial version of the appliance for 60 days. Perfect for labbing purposes!

In this post, I will go through the steps of setting up the virtual appliance and giving it a basic configuration. Below is the topology I will be implementing and using for some parts of my JNCIS-SEC studies. I haven’t found an “official” installation guide from Juniper -although I haven’t really looked either- but the below scenario works for me.

Continue reading “Setting up a virtual lab topology with Juniper vSRX”

Useful Brocade FOS CLI Commands

Below is a list of useful Brocade CLI commands that I keep at my desk for reference.  They’re divided up into categories for Zoning, Show, Port, Time/Date, License, Banner, Password, SNMP, User Config, Firmware, and Miscellaneous.

Zoning Commands

alicreate "Name", "domain,port#" Used to create an alias
alicreate "Name", "portname1; portname2" To create an alias containing multiple ports
alidelete "Name" To delete an alias
aliadd "Name", "domain,port#" To add ports to an alias
aliremove "Name", "domain,port#" To remove a port from an alias
alishow "AliName" To show the alias configuration on the switch
zonecreate "ZoneName", "alias1; alias2" To create a zone from aliases
zonedelete "ZoneName" To delete a zone
zoneadd "ZoneName", "alias name" To add an alias to a zone
zoneremove "ZoneName", "alias name" To remove an alias from a zone
zoneshow "ZoneName" To show the zone configuration
cfgcreate "ConfigName", "Zone1; Zone2" To create a configuration from zones
cfgdelete "ConfigName" To delete a configuration
cfgadd "ConfigName", "Zone3" To add zones to a configuration
cfgremove "ConfigName", "Zone3" To remove a zone from a configuration
cfgshow "ConfigName" To show the details of a configuration
cfgenable "ConfigName" To enable (activate) a configuration on the switch
cfgsave To write the defined configuration to flash memory

Show Commands

psshow Displays the status of the power supplies
fansshow Displays the status of the fans
tempshow Displays the temperature readings
sensorshow Displays the sensor readings
nsshow Displays the local name server entries
nsshow -t Displays the local name server entries together with the device type
nsshow -r Displays the local name server entries along with the state change registration (RSCN) details
nscamshow Displays detailed information about the devices connected to the other switches in the fabric (remote name servers)
nsallshow Displays the 24-bit addresses of all devices in the fabric
licenseshow Displays all the licenses installed on the switch
date Displays the current date set on the switch
bannershow Displays the banner shown when logging in using the CLI or Web Tools
httpcfgshow Displays the Java version the switch expects at the management console
switchname Displays the name of the switch
fabricshow Displays information about all the switches in the fabric
userconfig --show -a Displays account information: role, description, password expiry date, locked status
switchstatusshow Displays the overall status of the switch
switchstatuspolicyshow Displays the policy that decides when the switch is reported as Marginal (yellow) or Down (red)
portshow Displays the port status
portcfgshow Displays the speed set for all ports on all slots and other detailed port information
configshow fabric.ops Displays the fabric parameters of the switch. All switches in a fabric must have the same parameters in order to communicate
configshow fabric.ops.pidFormat Displays the PID format set for the switch (Core, Native or Extended Edge)
switchuptime OR uptime Displays the uptime of the switch
firmwareshow Displays the firmware on the switch
version Displays the current firmware version on the switch
hashow Displays the status of the local and remote CPs: high availability, heartbeat and synchronization

Port Settings

portcfgshow Displays the port settings
portcfg rscnsupr [slot/]port --enable Suppress RSCN generation when a state change occurs on the port
portcfg rscnsupr [slot/]port --disable Send an RSCN when a state change occurs on the port (the default)
portname To assign a name to a port
portdisable To disable a port or slot
portenable To enable a port or slot
portcfgpersistentdisable To disable a port persistently; the status does not change after a reboot
portcfgpersistentenable To enable a port persistently; the status does not change after a reboot
portshow Displays the port status
portcfgspeed [slot/]port speed To set the speed of a port. Note: 0 = auto-negotiated 1, 2, 4 Gbit/s; 1 = 1 Gbit/s; 2 = 2 Gbit/s; 4 = 4 Gbit/s
switchcfgspeed speed To set the speed of all ports on the switch. Same values as portcfgspeed
portcfgshow Displays the speed set for all ports on all slots and other detailed port information
portcfgdefault To reset the port settings to default
portcfglongdistance To set the long distance mode. Default is L0 (normal); the other modes by distance are LE (<= 10 km), L0.5 (<= 25 km), L1 (<= 50 km), L2 (<= 100 km), LD (auto) and LS (static)
portcfgeport Used to prevent a port from becoming an E_Port (an inter-switch link), so an unexpected switch plugged into that port cannot merge into the fabric

Time and Date Settings

date Displays the current date set on the switch
tsclockserver 10.10.1.1 Instructs the principal switch to synchronize time with the NTP server (specify the IP address of the NTP server)
tsclockserver LOCL Instruction to stop NTP server synchronization (Local time of the switch)
date mmddhhmmyy To set the time of the switch when the NTP server synchronization is cancelled
tstimezone -5 To set the time zone for individual switches

License Commands

licenseshow Displays all the licenses that are added in the switch
licenseadd To add a new license to the switch
licenseremove To remove a license from the switch
licenseidshow Displays the license ID of the switch (based on the switch WWN)

Banner Commands

bannershow Displays the banner that will appear when logging in using the CLI or web tools
bannerset To set the banner which will appear when logging in using the CLI or web tools
bannerset "" To remove the banner (pass two quotes)

Password commands

passwd To change the password for that particular login
passwdcfg --set -lowercase 3 -uppercase 1 -digits 2 -punctuation 2 -minlength 10 -history 3 To set the password complexity rules
passwdcfg --set -minpasswordage 1 To set the minimum password age in days
passwdcfg --set -maxpasswordage 30 To set the maximum password age in days
passwdcfg --set -warning 23 To set the number of days before expiration at which a warning is shown
passwdcfg --set -lockoutthreshold 5 To set the account lockout threshold (failed attempts)
passwdcfg --set -lockoutduration 30 To set the account lockout duration in minutes
passwdcfg --setdefault To restore the password policy to factory settings (minimum length 8, history 1, lockout duration 30)

SNMP Commands

snmpconfig SNMP configuration on FOS 5.0 and above
agtcfgset SNMP configuration on FOS below 5.0
snmpmibcapset To choose which MIBs are enabled for SNMP

User Configuration

userconfig --show -a / userconfig --show Displays all account information: role, description, password expiry date, locked status
userconfig --add john -r admin -d "John Doe" To add a new account (-r = role, -d = description)
userconfig --show john Displays all information for the account john
userconfig --change john -e no To disable an account, typically default accounts such as admin and user. Before disabling the admin account, make sure another account with admin rights exists
userconfig --change john -e yes To enable an account

Firmware commands

configupload Saves the switch configuration as an ASCII text file to an FTP server
configdownload Restores a switch configuration from an ASCII text file. Note: the switch must be disabled before downloading the configuration file
configure => cfgload attributes: [y] => Ensure secure config upload/download: [y] FOS 4.4 and above can use Secure Copy (SCP) instead of plain FTP when uploading or downloading configurations
firmwaredownload Downloads and installs the firmware on the switch
firmwareshow Run after installing the firmware to confirm the version on the switch
version Displays the current firmware version on the switch
fastboot Reboots the switch after installing the firmware, skipping the POST (power-on self test)
reboot Reboots the switch after installing the firmware, including the POST

Miscellaneous commands

killtelnet To kill a particular Telnet session (Telnet is cleartext; prefer SSH for management where the FOS release supports it)
configure To configure a switch
quietmode To switch off the quiet mode
quietmode 1 To suppress messages to the console
switchname Displays the switch name
switchname “EXAMPLE” To assign a switch name
bannerset To set the banner which will appear when logging in using the CLI or web tools
timeout Displays the timeout time set for Telnet session on the switch
timeout 10 To set a specific timeout time for the Telnet session
switchuptime or uptime Displays the uptime for the switch
switchcfgspeed To set speed for all the ports on the switch Note – 0:auto negotiated 1,2,4 Gbit/sec , 1 : 1Gbit/sec , 2 : 2 Gbit/sec , 4 : 4Gbit/sec
fastboot To reboot the switch without post
reboot To reboot the switch with the post
switchstatusshow Displays the overall status of the switch
switchstatuspolicyshow Displays policy set for the switch regarding Marginal(Yellow) or Down(Red) error status
switchstatuspolicyset To change the policy that decides when the switch is reported as Marginal (yellow) or Down (red)

Basic commands on Alcatel Omniswitch

Introduction

This page is based on the notes I took when managing Alcatel OmniSwitch 6600 and 6800 units in 2007 and, later, the 6850. The full documentation can be found on the Alcatel-Lucent website.

Managing the configuration files

Alcatel OmniSwitches can operate in two modes: working and certified (use show running-directory to see which mode the switch is in). In working mode the configuration can be modified, while in certified mode it is not possible (well, actually, it is). When booting, if the working and certified configuration files differ, the switch boots in certified mode. Configuration files are stored in certified/boot.cfg and working/boot.cfg (they can be edited directly with "vi").

Continue reading “Basic commands on Alcatel Omniswitch”

Policy Based Routing on Cisco Catalyst 3750

I want to share how I configured basic Policy Based Routing (PBR) on a Cisco Catalyst 3750.

To give you an idea, here is a sample diagram of how the PBR works.

This is a network with two ISPs, for when you want different groups of users to go out through different ISPs.

Config on Catalyst 3750

STEP 1. First configure the VLAN SVIs
!

interface Vlan2
ip address 10.2.0.1 255.255.0.0
!
interface Vlan4
ip address 10.4.0.1 255.255.0.0
!
interface Vlan3
ip address 10.3.0.1 255.255.0.0
!
interface Vlan5
ip address 10.5.0.1 255.255.0.0
!

STEP 2. Create the access lists that select each group of users (access-list 10 for the ISP1 group, access-list 20 for the ISP2 group)
access-list 10 permit 10.2.0.0 0.0.255.255
access-list 10 permit 10.4.0.0 0.0.255.255
access-list 20 permit 10.3.0.0 0.0.255.255
access-list 20 permit 10.5.0.0 0.0.255.255

STEP 3. Now create the route-maps, each matching one access list and setting the next hop of the corresponding ISP:

route-map routetoISP1 permit 10
match ip address 10
set ip next-hop 10.0.0.1
!
route-map routetoISP2 permit 20
match ip address 20
set ip next-hop 10.0.0.2
!

STEP 4. Now apply the route-maps to the SVIs; this is where the magic happens:

!
interface Vlan2
ip address 10.2.0.1 255.255.0.0
 ip policy route-map routetoISP1
!
interface Vlan4
ip address 10.4.0.1 255.255.0.0
 ip policy route-map routetoISP1
!
interface Vlan3
ip address 10.3.0.1 255.255.0.0
ip helper-address 10.0.0.4
 ip policy route-map routetoISP2
!
interface Vlan5
ip address 10.5.0.1 255.255.0.0
 ip policy route-map routetoISP2
!

Here is the final config.

!
interface Vlan2
ip address 10.2.0.1 255.255.0.0
ip policy route-map routetoISP1
!
interface Vlan4
ip address 10.4.0.1 255.255.0.0
ip policy route-map routetoISP1
!
interface Vlan3
ip address 10.3.0.1 255.255.0.0
ip helper-address 10.0.0.4
ip policy route-map routetoISP2
!
interface Vlan5
ip address 10.5.0.1 255.255.0.0
ip policy route-map routetoISP2
!
ip route 0.0.0.0 0.0.0.0 10.0.0.1
!
access-list 10 permit 10.2.0.0 0.0.255.255
access-list 10 permit 10.4.0.0 0.0.255.255
access-list 20 permit 10.3.0.0 0.0.255.255
access-list 20 permit 10.5.0.0 0.0.255.255
route-map routetoISP1 permit 10
match ip address 10
set ip next-hop 10.0.0.1
!
route-map routetoISP2 permit 20
match ip address 20
set ip next-hop 10.0.0.2
!
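An added example, not from the original post, covering two things a practitioner would check before trusting this setup. First, the Catalyst 3750 only performs PBR when it runs the routing SDM template (verify with show sdm prefer; changing it needs a reload). Second, access-list 10 and 20 match on source address only, so a packet from VLAN 3 to VLAN 5 also matches the route-map and is policy-routed to 10.0.0.2 instead of being routed locally. The version below uses an extended ACL whose first entry denies internal-to-internal traffic; in PBR a deny entry means "not policy-routed", so those packets fall back to the routing table. It assumes all internal VLANs fit inside 10.0.0.0/8 (an illustrative summary for this example) and drops the ISP1 route-map entirely, because the default route already sends that group to ISP1. That deny entries in a PBR ACL are honoured in hardware on your particular 3750 release is an assumption to verify with a test flow.

```cisco
! Added example (not from the original post). Assumes every internal VLAN
! lives inside 10.0.0.0/8; adjust the summary to your address plan.
!
! PBR on the Catalyst 3750 requires the routing SDM template.
! Check with "show sdm prefer"; if it is not "routing", set it and reload.
sdm prefer routing
!
! Extended ACL: the deny entry keeps VLAN-to-VLAN traffic on the normal
! routing table; only Internet-bound traffic from VLAN 3 and VLAN 5 is steered.
ip access-list extended PBR-TO-ISP2
 deny   ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
 permit ip 10.3.0.0 0.0.255.255 any
 permit ip 10.5.0.0 0.0.255.255 any
!
! Rebuild the ISP2 route-map so no stale sequence from the old version remains.
no route-map routetoISP2
route-map routetoISP2 permit 10
 match ip address PBR-TO-ISP2
 set ip next-hop 10.0.0.2
!
! VLAN 2 and VLAN 4 need no route-map: the default route already points at
! ISP1, and local destinations stay local.
no route-map routetoISP1
interface Vlan2
 no ip policy route-map routetoISP1
interface Vlan4
 no ip policy route-map routetoISP1
!
interface Vlan3
 ip policy route-map routetoISP2
interface Vlan5
 ip policy route-map routetoISP2
!
ip route 0.0.0.0 0.0.0.0 10.0.0.1
```

To confirm the behaviour, show route-map routetoISP2 shows the policy-routing counters climbing for a ping from a VLAN 3 host to an Internet address, while a ping from the same host to a VLAN 5 address leaves the counters unchanged and is answered via the local route.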

Configuring DHCP on Cisco

I: Configuring the DHCP Server

Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#service dhcp
Router1(config)#ip dhcp pool 192.168.6.128/25
Router1(dhcp-config)#network 192.168.6.128 255.255.255.128
Router1(dhcp-config)#default-router 192.168.6.200
Router1(dhcp-config)#dns-server 210.245.31.130
Router1(dhcp-config)#lease 2
Router1(dhcp-config)#exit
Router1(config)#ip dhcp excluded-address 192.168.6.129 192.168.6.140
Router1(config)#ip dhcp excluded-address 192.168.6.200 192.168.6.254
Router1(config)#end
Router1#

Continue reading “Configuring DHCP on Cisco”

Upgrade Software Nortel ERS 8600

Here’s a question that I’ve been asked over and over again.

How can I upgrade the software of a Nortel ERS 8600 Switch?

It's actually very easy and only takes a few minutes (along with a reboot). If you have dual CPUs (8690SF, 8691SF, 8692SF) you're going to need to upgrade both CPUs. If you're running in an HA (High Availability) configuration you probably shouldn't be reading this. I'll assume that anyone with dual CPUs is running them in a standby configuration. I generally like to upgrade the standby CPU first and then upgrade the primary CPU; the switch will fail over to the standby CPU once the primary CPU starts to reboot.

You’ll need a TFTP server to host the software files. I generally use the TFTP server that comes with Linux (CentOS), however, you can use TFTPD32 by Philippe Jounin on Windows XP/2003. Just drop the TFTPD32 files in the same directory with the Nortel ERS 8600 software release and run the executable.

Continue reading “Upgrade Software Nortel ERS 8600”

AP Conversion using MODE Button

If you have already read one of my previous posts (Lightweight to Autonomous (and vice versa) Conversion...) you may know one way of doing this AP conversion.

In this post we will see how to do the same task using Mode/Reset button of the Access point. Number 1 in the below diagram shows this Reset button of the given AP.

Continue reading “AP Conversion using MODE Button”