1 jan
Hi,
Many people ask me how to configure a Juniper Networks router the simple and fast way, and, not to forget, for newbies, so no complicated things.
OK, most people that ask me are new to the routers and have a single-router setup. So in this document I keep it very simple and plain: how to configure a single Juniper router with BGP over 2 uplinks on gigabit ethernet, 1 BGP internet exchange and 2 static customers.
So we have the router, and I hope you can connect it to the serial port of your PC/laptop. With a simple terminal program like Tera Term Pro on your Windows-based laptop/PC we log in to the router as root; most of the time it's a clean install, so no password is required.
root@router%
Now we type in at the command line prompt: cli
You are now in the correct cli for the Juniper. From here we start configuring the router.
Please now type in show interfaces and find your interfaces. A normal response is a lot of output, but look for the interfaces named ge-*/*/* or fe-*/*/*:
Example:
Physical interface: ge-0/2/0, Enabled, Physical link is Up
Interface index: 137, SNMP ifIndex: 51
Description: Darkfiber to (removed it)
Link-level type: Ethernet, MTU: 1514, Speed: 1000mbps, Loopback: Disabled,
Source filtering: Disabled, Flow control: Enabled, Auto-negotiation: Enabled,
Remote fault: Online
Device flags : Present Running
Interface flags: SNMP-Traps Internal: 0x4000
Link flags : None
CoS queues : 4 supported, 4 maximum usable queues
Current address: 00:90:69:8a:90:3e, Hardware address: 00:90:69:8a:90:3e
Last flapped : 2006-10-10 12:43:28 UTC (7w5d 00:55 ago)
Input rate : 367776992 bps (54079 pps)
Output rate : 44145280 bps (43714 pps)
Active alarms : None
Active defects : None
You need to write down or remember these interfaces; the manual explains how the interfaces are numbered on the box. So if you connect, for example, Level3 to one of your interfaces, please write this down; we need it for later reference.
First of all we start configuring the system. Just follow me with the following commands on your Juniper:
* IP plan (fictional, replace with your own):
192.168.0.1 Level3 router
192.168.0.2 our router (mask /30 or 255.255.255.252)
192.168.1.1 NTT/Verio router
192.168.1.2 our router (mask /30 or 255.255.255.252)
192.168.2.1 our router
192.168.2.2 friendly peer we call upc, AS 110
192.168.2.3 friendly peer we call true, AS 120
192.168.2.4 friendly peer we call bt, AS 130
192.168.2.5 friendly peer we call nerdnet, AS 140
(mask /24 or 255.255.255.0)
192.168.10.1/23 is for our customers, the netblock we send out.
* Please note: wherever a command contains a word in capitals, you need to fill in your own name or value.
configure (enter)
edit system (enter)
set host-name HOSTNAME (enter)
set arp aging-timer 240 (enter) * needed for most internet exchanges
set root-authentication plain-text-password (enter)
* Please enter your password for the root user twice.
set name-server IP_ADDRESS_OF_NAMESERVER (enter) * repeat this step to add more nameservers.
set login class manager permissions all (enter)
set login user USERNAME uid 2001 class manager authentication plain-text-password (enter)
* Please enter your user password for the manager of the router twice.
edit services (enter)
set ssh root-login deny (enter)
set ssh protocol-version v2 (enter)
set ssh connection-limit 5 (enter)
set ssh rate-limit 10 (enter)
exit (enter)
edit syslog (enter)
set user * any emergency (enter)
set file messages any notice authorization info (enter)
exit (enter)
set ntp server IP_NTPSERVER prefer (enter)
exit (enter)
edit interfaces (enter)
* Before you move any further, please have your IP plan ready. The one I made above is based on fiction; you will need to replace all IP addresses with your own.
* Inside the interfaces hierarchy the interface name follows set directly, and every statement is its own set command.
set ge-0/0/0 vlan-tagging (enter)
set ge-0/0/0 description "Customer Interface" (enter)
set ge-0/0/0 unit 0 description "Customer 1" (enter)
set ge-0/0/0 unit 0 vlan-id 10 (enter)
set ge-0/0/0 unit 0 family inet no-redirects (enter)
set ge-0/0/0 unit 0 family inet address 192.168.10.1/24 (enter)
* Now you have a VLAN, vlan-id 10, connected to our customer switch; customer 1 has a full /24 and can use addresses 2 up to 254.
set ge-0/0/0 unit 1 description "Customer 2" (enter)
set ge-0/0/0 unit 1 vlan-id 11 (enter)
set ge-0/0/0 unit 1 family inet no-redirects (enter)
set ge-0/0/0 unit 1 family inet address 192.168.11.1/24 (enter)
* Now you also have a VLAN for customer 2, with vlan-id 11, to your switch; he also has a /24. In this example you can add more than 200 VLANs on one interface to your switch; please read your switch manual about VLAN tagging (802.1Q).
set ge-0/1/0 description "Level 3" (enter)
set ge-0/1/0 unit 0 family inet address 192.168.0.2/30 (enter)
set ge-1/1/0 description "NTT/Verio" (enter)
set ge-1/1/0 unit 0 family inet address 192.168.1.2/30 (enter)
set ge-1/2/0 description "Peering Exchange" (enter)
set ge-1/2/0 unit 0 family inet address 192.168.2.1/24 (enter)
* Now we have set up the interfaces for our external connections; we will return to them later when we put firewall filters on the external connections towards the public exchange and the transit providers. Only one interface needs to be set per connection.
set lo0 unit 0 family inet no-redirects (enter)
set lo0 unit 0 family inet address 127.0.0.1 (enter)
exit (enter)
set snmp description “YOUR DESCRIPTION OF THE ROUTER” (enter)
set snmp location “WHERE YOUR ROUTER IS LOCATED” (enter)
set snmp contact “YOUR CONTACT DETAILS” (enter)
set snmp community YOUR_COMMUNITY authorization read-only (enter)
set snmp community YOUR_COMMUNITY clients IP_ADDRESS_MRTG/SNMPSERVER (enter)
set routing-options static route 192.168.10.0/23 discard (enter)
set routing-options static route 192.168.10.0/23 no-install (enter)
set routing-options static route 192.168.10.0/23 community YOUR_AS_NUMBER:100 (enter)
set routing-options aggregate route 192.168.10.0/23 active (enter)
set routing-options router-id 192.168.10.1 (enter)
set routing-options autonomous-system YOUR_AS_NUMBER (enter)
* Now we have set up most of the router in the simplest way; we now need to configure some filters before we bring the router live with BGP sessions.
edit policy-options (enter)
edit policy-statement export (enter)
set term 1 from route-filter 192.168.10.0/23 exact (enter)
set term 1 then next-hop self (enter)
set term 1 then accept (enter)
set term 2 then reject (enter) * Very important: without this final reject, anything not matched by term 1 falls through to the default BGP export policy, which readvertises every active BGP route you learned from your other peers.
exit (enter)
exit (enter)
edit protocols bgp (enter)
set path-selection always-compare-med (enter)
edit group peering (enter)
set local-address 192.168.2.1 (enter)
set export export (enter) * Do not forget this one!
set remove-private (enter)
set neighbor 192.168.2.2 description "upc" (enter)
set neighbor 192.168.2.2 peer-as 110 (enter)
set neighbor 192.168.2.3 description "true" (enter)
set neighbor 192.168.2.3 peer-as 120 (enter)
set neighbor 192.168.2.4 description "bt" (enter)
set neighbor 192.168.2.4 peer-as 130 (enter)
set neighbor 192.168.2.5 description "nerdnet" (enter)
set neighbor 192.168.2.5 peer-as 140 (enter)
exit (enter)
edit group level3 (enter)
set local-address 192.168.0.2 (enter)
set export export (enter) * Do not forget this one!
set remove-private (enter)
set neighbor 192.168.0.1 description "Level 3" (enter)
set neighbor 192.168.0.1 peer-as 3356 (enter)
exit (enter)
edit group ntt-verio (enter)
set local-address 192.168.1.2 (enter)
set export export (enter) * Do not forget this one!
set remove-private (enter)
set neighbor 192.168.1.1 description "NTT/Verio" (enter)
set neighbor 192.168.1.1 peer-as 5060 (enter)
exit (enter)
exit (enter)
* So now we have traffic over our newly installed Juniper. We are now going to secure it so that only you can get in, so you can configure more peers or other things from the comfort of your own home or office if you are more into Juniper. Of course you will also add your management machine, the one that generates MRTG graphs or does other SNMP polling of your router, to the filter.
edit firewall (enter)
edit filter protect-engine (enter)
set term 10 from source-address YOUR_IPADDRESS/32 (enter) * you can add as many IPs as you want.
set term 10 from destination-port [ ssh snmp ] (enter)
set term 10 then accept (enter)
set term 20 from destination-port [ ftp telnet ssh snmp snmptrap ] (enter)
set term 20 then reject (enter)
set term 30 then accept (enter)
exit (enter)
edit filter protect-customers (enter)
set term 1 from protocol [ tcp udp ] (enter)
set term 1 from port [ netbios-dgm netbios-ssn nfsd 135 69 4444 1900 netbios-ns ] (enter)
set term 1 then discard (enter) * Never use reject in firewall statements
set term 2 from packet-length 404 (enter)
set term 2 from protocol udp (enter)
set term 2 from port 1434 (enter)
set term 2 then discard (enter)
set term 3 then accept (enter)
exit (enter)
exit (enter)
* Now we put the firewall filters on the interfaces. We need to protect our management access, so that nobody can try to hack into the box from any other IP address; the packet is simply dropped on the interface. Second, we have closed down some ports to protect our customers in a simple way. You can extend or remove ports if you want. We are back at the top of the configuration here, so the full interfaces path is needed.
set interfaces ge-0/1/0 unit 0 family inet filter input protect-customers (enter)
set interfaces ge-1/1/0 unit 0 family inet filter input protect-customers (enter)
set interfaces ge-1/2/0 unit 0 family inet filter input protect-customers (enter)
set interfaces lo0 unit 0 family inet filter input protect-engine (enter)
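Both filters above are stateless and evaluated term by term in configuration order, so their effect depends on details that are easy to get wrong: the first matching term decides, a term with no then clause accepts, a port match only applies to TCP and UDP, and a packet that matches no term hits the implicit discard at the end of every Junos filter. The following Python model is an added example, not code from the original post or from Juniper. It parses the two filters in set form (with the missing from on term 10 supplied, plus an extra constructed ssh-only filter to show the implicit discard) and evaluates constructed sample packets against them; the management address 203.0.113.5 stands in for YOUR_IPADDRESS.

```python
"""Evaluate Junos stateless firewall filters the way the router applies
them: terms in configuration order, first match wins, a matching term
without a 'then' accepts, and a packet matching no term hits the implicit
discard at the end of every filter.

Added example, not code from the original post. The filter lines are the
post's protect-engine and protect-customers filters in 'set' form (with
'from' supplied on term 10); the management address 203.0.113.5, the
extra 'ssh-only' filter and the packets are constructed sample data.
"""
import ipaddress

# Well-known service names Junos accepts in port matches (subset).
PORT_NAMES = {"ftp": 21, "ssh": 22, "telnet": 23, "snmp": 161, "snmptrap": 162,
              "bgp": 179, "netbios-ns": 137, "netbios-dgm": 138,
              "netbios-ssn": 139, "nfsd": 2049}

SAMPLE_FILTERS = """
set firewall filter protect-engine term 10 from source-address 203.0.113.5/32
set firewall filter protect-engine term 10 from destination-port [ ssh snmp ]
set firewall filter protect-engine term 10 then accept
set firewall filter protect-engine term 20 from destination-port [ ftp telnet ssh snmp snmptrap ]
set firewall filter protect-engine term 20 then reject
set firewall filter protect-engine term 30 then accept
set firewall filter protect-customers term 1 from protocol [ tcp udp ]
set firewall filter protect-customers term 1 from port [ netbios-dgm netbios-ssn nfsd 135 69 4444 1900 netbios-ns ]
set firewall filter protect-customers term 1 then discard
set firewall filter protect-customers term 2 from packet-length 404
set firewall filter protect-customers term 2 from protocol udp
set firewall filter protect-customers term 2 from port 1434
set firewall filter protect-customers term 2 then discard
set firewall filter protect-customers term 3 then accept
set firewall filter ssh-only term 1 from destination-port ssh
set firewall filter ssh-only term 1 then accept
"""


def port_number(value):
    """Resolve a service name or numeric string to a port number."""
    return PORT_NAMES.get(value) or int(value)


def parse_filters(config_text):
    """Return {filter: {term: {"from": {condition: [values]}, "then": action}}},
    with terms kept in configuration order (the order Junos evaluates them)."""
    filters = {}
    for raw in config_text.splitlines():
        t = raw.split()
        if t[:3] != ["set", "firewall", "filter"] or t[4] != "term":
            continue
        term = filters.setdefault(t[3], {}).setdefault(t[5], {"from": {}, "then": None})
        if t[6] == "from":
            values = [v for v in t[8:] if v not in ("[", "]")]
            term["from"].setdefault(t[7], []).extend(values)
        elif t[6] == "then":
            term["then"] = t[7]
    return filters


def packet(src, proto, dport, sport=40000, length=64):
    """Constructed packet summary holding only the fields the filters look at."""
    return {"src": src, "proto": proto, "sport": sport, "dport": dport, "length": length}


def term_matches(conditions, pkt):
    """All conditions of a term must match; the values of one condition are an OR."""
    for cond, vals in conditions.items():
        if cond == "source-address":
            ok = any(ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(v) for v in vals)
        elif cond == "protocol":
            ok = pkt["proto"] in vals
        elif cond in ("destination-port", "port"):
            # Port fields only exist for TCP/UDP; other protocols never match a port term.
            ports = {port_number(v) for v in vals}
            fields = [pkt["dport"]] if cond == "destination-port" else [pkt["sport"], pkt["dport"]]
            ok = pkt["proto"] in ("tcp", "udp") and any(p in ports for p in fields)
        elif cond == "packet-length":
            ok = pkt["length"] in {int(v) for v in vals}
        else:
            raise ValueError(f"unsupported match condition: {cond}")
        if not ok:
            return False
    return True


def evaluate(filters, name, pkt):
    """Return the action the named filter takes on pkt: accept, discard or reject."""
    for term in filters[name].values():
        if term_matches(term["from"], pkt):
            return term["then"] or "accept"   # a term without 'then' accepts
    return "discard"                         # implicit discard at the end of a filter


FILTERS = parse_filters(SAMPLE_FILTERS)

if __name__ == "__main__":
    for label, flt, pkt in [
        ("ssh from management host", "protect-engine", packet("203.0.113.5", "tcp", 22)),
        ("ssh from elsewhere", "protect-engine", packet("198.51.100.7", "tcp", 22)),
        ("bgp from transit", "protect-engine", packet("192.168.0.1", "tcp", 179)),
        ("slammer-sized udp/1434", "protect-customers", packet("198.51.100.7", "udp", 1434, length=404)),
    ]:
        print(f"{label}: {evaluate(FILTERS, flt, pkt)}")
```

Running it shows why term 30 matters: it is what lets BGP from the transit neighbours reach the routing engine after term 20 has rejected the management ports, and it also shows that an ICMP packet sails past the port-based terms untouched. Replace the sample lines with your own filter to see what a given packet would get before you commit it onto lo0.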
* OK, now you are ready; you have fully configured the box. We need to commit it to activate it on the router. Please check your total config with the command:
show (enter)
* (show | compare lists only what differs from the currently committed configuration.) And recheck the document; you don't want to bug your peers with unwanted addresses. Now, if everything is correct, please type the command:
commit (enter)
* If you are connected over the network rather than the console, commit confirmed activates the change but rolls it back automatically after 10 minutes unless you confirm it with a plain commit; that saves you if the protect-engine filter locks you out.
* Now you are in business. For most people, like Juniper experts, this document is way too simple; I have only written it to help people new to Juniper routers not make a mistake with their router if they don't have the money/resources to get an engineer to configure it for them. It is also the safest way to configure it, so they won't crash full tables onto exchanges, keeping their router safe in a simple way.
If you have any questions, you can surf to my homepage at www.ponne.nu and try to email me or MSN me. If you are hoping for an answer: yes, that could take a while, or it's buried in spam. Have a nice day, and as always, Google is your friend.
Some simple commands if you login with SSH with your username and password on your new juniper box:
show bgp summary (enter)
show chassis hardware (enter)
show route IP_ADDRESS (enter)
And many more… Please also check your vendors site (Juniper) for more examples, the one that reads, is the one that has the knowledge.