juniper.md 6.5 KB

JUNIPER FIREWALL:

global navigatoin

show | display set

up

modification

set replace pattern A with B delete

USERS AND PASSWORDS

show users

show system login | display set

create new user and give a role

set system login user (username) full-name (FULL_username) set system login user (username) class super-user/operator

set password, when already encrypted (copying pass from one switch to another"

set system login user (username) authentication encrypted-password "(crypted_pass)"

when entering in _plaintext, pass will be asked and encrypted

set system login user (username) authentication plain-text-password New password: (enter new pass)

enabling SSH, generate keys

set system services ssh set system services ssh root-login deny

set system services ssh protocol-version v2 set system services ssh client-alive-count-max 5 set system services ssh client-alive-interval 12 ? set system services ssh ciphers 3des-cbc

add A record on DNS servers

add rancid user

set system login class rancid permissions view set system login class rancid permissions view-configuration set system login user rancid class rancid set system login user rancid authentication plain-text-password New password: (enter pass)

if authentication with keys, then

set system login user rancid authentication ssh-ecdsa (plain_password)

on rancid server, add host to

do not use ";"c for commenting

vi router.db su - rancid

add key and check that rancid can login

ssh-keygen -R xxx.xxx.196.155 ssh rancid@(new-device) vi ./cloginrc bin/clogin (host)

show configuration

show configuration | display set | match show ethernet-switching interface brief

INTERFACES

list interfaces

show interfaces descriptions show interfaces terse

disable interface (=clean conf + administatively down)

delete interfaces (interface) set interfaces (interface) disable

set interfaces ge-0/0/44 unit 0 family inet address xxx.xxx.196.159/26

set routing-options static route default next-hop xxx.xxx.196.129 set interface ge-0/0/34 description "(host)"

trunk port

set interfaces ge-0/0/44 unit 0 family ethernet-switching interface-mode trunk set interfaces ge-0/0/44 unit 0 family ethernet-switching vlan members mgmt (128)

access port

set interfaces ge-0/0/44 unit 0 family ethernet-switching interface-mode access set interfaces ge-0/0/44 unit 0 family ethernet-switching vlan members mgmt (128)

VLANs

show ethernet-switching interface set vlans mgmt vlan-id 128 ##set interfaces xe-0/0/44 unit 0s family ethernet-switching vlan members mgmt set interfaces vlan unit 128 enable set interfaces irb unit 40 family inet set interfaces irb unit 40 family inet address xxx.xxx.196.159/26 set vlans snic-public vlan-id 96 l3-interface irb.96 set interfaces irb unit 96 set interfaces ge-0/0/46 unit 0 family ethernet-switching vlan members [ snic-admin snic-public ] set interface vlan unit 96 enable

CONFIGURING RULES

show existing config

show configuration | display set | match (ip)

configure mode

configure run show configuration | display set | match (ip) run show configuration | display set | match TCPPort(number)
run show configuration security policies from-zone untrust to-zone (zone) policy (policy-name) | display set

add new rule

set security policies from-zone (zone) to-zone (zone) policy (number) match source-address Host_(ip)
set security policies from-zone (zone) to-zone (zone) policy (number) match destination-address (ip)
set security policies from-zone (zone) to-zone (zone) policy (number) match application TCPPort(number)/(name of app) set security policies from-zone (zone) to-zone (zone) policy (number) then permit

add new application (port)

set applications application TCPPort(number) destination-port (number) set applications application TCPPort(number) protocol tcp

add new host to set of hosts in address book

set security zones security-zone (zone) address-book address-set (name_ofhosts) address Host(ip) set security zones security-zone (zone) address-book address Host(ip) (ip)/32 set security zones security-zone (zone) address-book address Host(ip) (ip)/32

checking and commiting

show | compare commit check commit

show history of commits

request system software rollback

checking that policy is in use

show security policies hit-count | match (number)

MAINTENANCE

backup/restore configuration to file

stop commit server, that somebody will not commit config

request system commit server pause

delete old, save rescue configuration, check timestamp

request system configuration rescue delete request system configuration rescue save show system configuration rescue show system rollback 0

at this point, configuration could be restored with "rollback" command

?? request system software rollback

save config, check

save dhcp-security-snoop config.dhcp-security-snoop.2019073 save dhcp-snooping config.dhcp-snooping.20190731.1024

error: the ethernet-switching subsystem is not running

save dhcpv6-security-snoop config.dhcpv6-security-snoop.20190731.1025 file list detail

resume commit server, when ready

request system commit server pause start

copy from switch to usb memory

scp from switch

save scp://user@hostname/path/filename routing-instance instance-name source-address address

copy from ftp to switch

file copy ftp://anonymous:geg@test.jnpr.net/pub/junos/7.5R2.8/jinstall-7.5R2.8-domestic-signed.tgz /var/tmp/

copy from usb memory to switch

scp from local host to switch

restore configuration file

test configuration (file) load (filename)

insert configuration into terminal, finish with C-D

test configuration terminal

JUNOS UPGRADE

show version status

show version show chassis firmware

attach USB and take a snapshot (flash will be repartitioned and content of USB memory will be erased)

request system snapshot

upload from usb memory

start shell user root mkdir /var/tmp/usb mkdir /var/tmp/downloads

connect usb

ls /dev/da* mount_msdosfs /dev/da0s1 /var/tmp/usb cp /var/tmp/usb(new-file) /var/tmp/downloads umount /var/tmp/usb

upload via scp

validate package first

request system software validate /var/tmp/(new-filename)

applying new version

request system software add /var/tmp/(new-filename) validate

at this point last change to cancel upgrade by deliting jinstall, otherwise reboot

request system reboot