Initial configuration of Juniper SRX routers
- Tutorial
In this article I will try to maximally intelligibly talk about how to configure the Juniper SRX series out of the box. An article of this kind already exists: habrahabr.ru/post/144218 , but mine is more complete and detailed settings.
Why precisely Juniper SRX, and not some specific model like SRX100 or SXR240? Yes, simply because the settings will be completely identical, due to the complete same platform - Junos OS. This is very convenient when devices seemingly different in price and performance are configured in exactly the same way. This is just one of the advantages of Junos OS.
First, we need to get into the Juniper console. There is, of course, the option of initial configuration via the web interface, but for some reason it does not always work adequately in the old firmware (version 10). And in general, get used to the fact that there is a web interface, but we want to become real system administrators? And then imagine the situation, you are driving in a car, standing in a traffic jam, and they call you and ask you to urgently configure something on the gateway. You have only slow mobile Internet at your fingertips. If you undertake to configure something through the GUI of the web-muzzle, then it will take a very long time. This is not counting the fact that the web snout outside the network should be closed for security reasons.
You can join the console through the console port. How it looks is shown in the figure:
At first glance, this is a regular RJ-45, but it is not. In fact, this connector has nothing to do with the ethernet port. This connector is for control use only and not for anything else. Included with Juniper is always an adapter for connecting the console port to the computer's COM port. So we need to do.
Next, download the Putty client from the site www.putty.org.ru and launch it. A window appears in which we need to put the Serial and port. The port number can be viewed in the “Device Manager” of Windows after you connect the router to the computer. In our example, this is COM3.
By clicking “Open”, we will connect to Juniper. By the way, if we first turn it on, and then (after waiting for the OS to load), connect to it through the console port, then we will not see any invitation, but simply a black screen. This is normal. You just need to enter your login and password and we will get into the system.
If we first connect to Juniper with wires, and then turn on its power, we will see the Junos OS boot process in the console. At some point, the system will ask us: “Hit Enter to boot immediately or space bar for command prompt”. If we press the space bar (it takes one second), then we get into the recovery console. This may come in handy if we forget the root password. But better not to forget. Password recovery procedure is described here.www.juniper.net/techpubs/software/junos-security/junos-security11.1/junos-security-admin-guide/index.html?user-auth-recover-root-pwd-srx.html
When we first time If you configure Juniper, you need to log in as root with an empty password. In the future, the system will definitely require you to specify a root password for it.
After entering the login-password, the command line prompt appears:
In Junos OS there are three operating modes:
1. Unix went (sh), has a prompt like “root @ srx%”. Since Junos OS is based on FreeBSD, the first place we get after the login is Unix. It’s better not to do anything on Juniper. We enter cli, press Enter and we get actually in the shell of Junos OS.
2. Operational mode, has the prompt “root @ srx>”. This is by and large a debug and monitoring mode. You can view important parameters of the router in it, also in this mode, for example, a software update and operations such as reboot-shutdown are performed. If we introduce edit or configure, we get into the most important mode of operation.
3. Configuration mode, has the prompt “root @ srx #”. In this mode, the router is configured, i.e. editing and applying the config. This mode is the main mode in which you have to work. Also, from here, for convenience, you can run operating mode commands using the run command. For example, you cannot start ping from the configuration mode, but you can use the run command:
run ping 1.2.3.4.
Hereinafter, I will mention the names of interfaces of the form ge-0/0 / x. These are gigabit interfaces. However, the Juniper SRX100 has 100 Mbps interfaces, they are called fe-0/0 / x. In fact, the config will be exactly the same up to the interface names, keep in mind.
Let's start the initial configuration of the Juniper from the command line. Our tasks:
1. Configure root authentication and other important parameters (DNS, DHCP).
2. Configure switch ports (what are called LAN ports in SOHO routers) on ge-0/0/1 through ge-0/0/7 interfaces.
3. Configure the Internet on the ge-0/0/0 interface. Two options: either the provider gives us the IP address directly, or we get it through PPPoE (cable Internet or ADSL). Options for getting the Internet through VLAN and L2TP will not be considered here.
4. Configure security zones and policies.
5. Configure NAT to distribute the Internet to the local network.
There are two ways to do this: manually or through the initial setup wizard. The wizard can be launched from the shell with the command:
root@srx% config-wizard
The initial setup wizard is described here: www.juniper.net/techpubs/hardware/junos-jseries/junos-jseries96/junos-jseries-hardware-guide/jd0e12614.html . In general, if you know English and are guided in terms, then you can configure everything yourself without any manuals, but just in case, I will give a table with an explanation of the settings.Enter host name: | Here we enter the name of Juniper. It will appear at the command prompt. It plays a purely visual role. |
Please enter root password: Retype root password: | Here we enter the password of the super-root user (required) |
Would you like to configure a domain name? [yes, no] (no): Enter domain name: | Enter the domain name here (optional) |
Would you like to configure name server? [yes, no] (no): Enter IP address for the name server: Would you like to configure alternative name server? [yes, no] (no): Enter IP address for the name server: | Here we enter the address of the primary DNS server (highly desirable) And here the address of the secondary (optional) |
Configure the following network interfaces Identifier ... Interface .... 1 ........ ge-0/0/0 .... 2 ........ ge-0/0/1 .... 3 ........ ge-0/0/2 Please select interface identifiers: IP address for this interface: Subnet mask bit length for this interface [1–32] (32): Enter a security zone name to associate this interface to: | This is a list of the physical interfaces of the router. If we want to configure this or that interface, then we need to select its number in the list Here we enter the interface number Here we enter its new IP address Here we indicate the subnet mask And here we indicate the security zone to which the interface belongs (for example, trust for the internal network, untrust for the Internet) |
Would you like to configure default gateway? [yes, no] (no): Enter IP address for the default gateway: | Here we enter the address of the main gateway that the provider gave us. |
Would you like to create a new user account? [yes, no] (no): Enter a new user name: Enter user password Retype the password: | Here you can create a new user in addition to root (optional). It may be useful if more than one administrator will configure the router. |
Would you like to configure SNMP Network Management? [yes, no] (no): Enter community string [public]: | Here you can assign a community name for monitoring via SNMP (optional) |
After the configuration is completed, the system displays the final configuration and asks for permission to apply the settings (commit). After the commit, we will again see the command prompt and can enter cli.
And now the same thing, but more deeply and in the form of teams. Various examples of initial configuration can be viewed here: www.juniper.net/us/en/local/pdf/app-notes/3500153-en.pdf
We enter the configuration mode:
Enter the name of Juniper:root@srx% cli
root@srx> edit
root@srx# set system host-name Имя_роутера
The name of the router does not affect its operation. This is a purely visual parameter so as not to get confused if we have not one, but several Junipers.root@srx# set system root-authentication plain-text-password
After pressing Enter, the system will ask you to enter a new password for the root twice. Next, we need to configure the Internet interface. Here we will consider the simplest case when the provider gives us a static white IP address explicitly. Setting up the Internet through PPPoE will be discussed later. Suppose the provider gave us the address 1.2.3.4 with a mask of 255.255.255.240 == / 28 (subnet prefix). It should be noted that the juniper does not understand the subnet mask in its classic octet record, but only in the form of a prefix . You can read more about subnet prefixes here: en.wikipedia.org/wiki/%D0%91%D0%B5%D1%81%D0%BA%D0%BB%D0%B0%D1%81%D1%81%D0 % BE% D0% B2% D0% B0% D1% 8F_% D0% B0% D0% B4% D1% 80% D0% B5% D1% 81% D0% B0% D1% 86% D0% B8% D1% 8F
root@srx# set interfaces ge-0/0/0 unit 0 family inet address 1.2.3.4/28
We configure the main gateway of the provider. Suppose in our case it is 1.2.3.1Now let's set up Juniper's web interface. We need to make it accessible only from the internal network and not accessible from the Internet:root@srx# set routing-options static route 0/0 next-hop 1.2.3.1
Turn on ssh access to the router:root@srx# set system services web-management http interface vlan.0
root@srx# set system services ssh
Now you need to configure the switch interfaces (LAN ports), i.e. those interfaces that will be connected to our local network. Again, options are possible: we can assign one interface, for example, to ge-0/0/1, as described above, an address of type 192.168.1.1 and connect corporate switches to this interface, but in this case we won’t be able to use other ports of Juniper Connect client computers to the 192.168.1.0/24 subnet. Specifically for our task, it turns out to be a little uneconomical and inflexible, although in other cases this option is normal.A much more convenient option for our task is to make all other Juniper ports equal in rights, which will allow you to connect network devices to any port, by analogy with conventional unmanaged switches. To do this, make all other ports members of the same virtual local area network (VLAN).
With this command, we created an interface-range, i.e. a set of interfaces called interfaces-trust included ports 1 through 7 in this range. This type of interface grouping saves us time, because fewer commands need to be entered.root@srx# set interfaces interface-range interfaces-trust member-range ge-0/0/1 to ge-0/0/7
root@srx# set interfaces interface-range interfaces-trust unit 0 family ethernet-switching vlan members vlan-trust
With this command, we said that the interfaces in this set are the ports of the switch (family ethernet-swtiching) and collectively belong to the same VLAN called vlan-trust.Here we create the actual vlan-trust itself and say that this vlan is terminated (has an IP address) on the vlan interfaceroot@srx# set vlans vlan-trust vlan-id 3
root@srx# set vlans vlan-trust l3-interface vlan.0
root@srx# set interfaces vlan unit 0 family inet address 192.168.1.1/24
And finally, create the vlan.0 interface and assign it the address 192.168.1.1/24. Whose address is this? This is the Juniper address in this vlan and it will be the main gateway for client computers connected to the switch ports. In essence, what have we done? We have grouped physical interfaces from ge-0/0/1 to ge 0/0/7 into one logical vlan.0. Now all the network devices that we connect to these ports will see each other in the same broadcast domain 192.168.1.0/24. Next, you need to configure the DNS server address (in this example, Google Public DNS):
Configure a DHCP server on the vlan.0 interface (so that client devices receive network settings via DHCP)root@srx# set system name-server 8.8.8.8
root@srx# set system name-server 8.8.4.4
Configure security zones. Zone names can be any, you can have a large number of zones and configure the transitions between zones in the form of policies. This is a very convenient way to configure security. In this example, we will have two zones: trust (local area network) and untrust (Internet).root@srx# set system services dhcp router 192.168.1.1
root@srx# set system services dhcp pool 192.168.1.0/24 address-range low 192.168.1.2
root@srx# set system services dhcp pool 192.168.1.0/24 address-range high 192.168.1.100
root@srx# set system services dhcp propagate-settings vlan.0
Here we create an untrust security zone and attach the ge-0/0/0 interface, which we have Internet access to, to this zone. The host-inbound-traffic zone parameter indicates which services and protocols, depending on, can access the Juniper itself . For example, in this example, we allowed to ping our Juniper from the outside, and also connect to it via ssh. If we want to get the Internet address via DHCP, then we need to enable the dhcp service. If we want to use IPsec tunnels between Junipers, we need to enable the IKE service, and so on. The same applies to routing protocols. For example, to allow the exchange of OSPF routes, you need to enter the host-inboubd-traffic protocols ospf option.root@srx# set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
root@srx# set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh
Configure the trust zone:
To the trust zone, we have a virtual interface vlan.0, whose members now, you guessed it, are physical interfaces from ge-0/0/1 to ge-0/0/7 . For the trust zone, we are allowed any services and protocols, for example HTTP, that is, the Juniper web interface. You cannot access the web interface from the Internet, as indicated in the untrust zone settings.root@srx# set security zones security-zone trust host-inbound-traffic system-services all
root@srx# set security zones security-zone trust host-inbound-traffic protocols all
root@srx# set security zones security-zone trust interfaces vlan.0
Read the last two paragraphs carefully and try to understand the purpose of the host-inbound-traffic command, as it directly affects the security of our network. If we do not want users of our network to be able to access the Juniper web interface, we can leave everything as it is, but prohibit it in the policies. I’ll write a separate article in more detail about politicians, as this is a very broad topic of discussion
Configuring zones displays their interfaces and allows traffic addressed to the router itself. Policies for transit traffic (passing through the Juniper) are described elsewhere in the form of transitions between zones.
This describes the traffic policy when moving from a trust zone to an untrust zone. In this example, all requests are allowed from the local network to the Internet. If we want to somehow limit the users of our network in the use of the Internet (for example, to prohibit communication via ICQ or IRC), then we can create the corresponding prohibiting rules.root@srx# set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
root@srx# set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
root@srx# set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
root@srx# set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
root@srx# set security policies from-zone trust to-zone trust policy trust-to-trust match source-address any
root@srx# set security policies from-zone trust to-zone trust policy trust-to-trust match destination-address any
root@srx# set security policies from-zone trust to-zone trust policy trust-to-trust match application any
root@srx# set security policies from-zone trust to-zone trust policy trust-to-trust then permit
This describes the policy from the trust zone to the trust zone. Again, all transitions are allowed.
We will not describe the policy from the untrust zone (Internet) to the trust zone (local area network) here. Why? Because the default policy is deny-all, i.e. everything that is clearly not allowed is forbidden, and hosts from the global network should not have access to hosts protected by Juniper, right? In general, if we did not create a policy, this does not mean that it does not exist at all. It is, only it is empty, and therefore responds to all transitions with a ban.
The last number in our program today will be setting up NAT to distribute the Internet to users of the local network.
With this, we configured Source NAT between the local network and the Internet. Now users of LAN can safely use the services of the global network.root@srx# set security nat source rule-set trust-to-untrust from zone trust
root@srx# set security nat source rule-set trust-to-untrust to zone untrust
root@srx# set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0
root@srx# set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface
Also, it is advisable to include an intrusion detection prevention system. Its basic settings are given here:
You can read more about the advanced features of Junos IDP in the Junos Security book. You can download it for example here: www.bookarchive.ru/computer/network/kompjuternaja_bezopasnost/101776-junos-security.htmlroot@srx# set security zones security-zone untrust screen untrust-screen
root@srx# set security screen ids-option untrust-screen icmp ping-death
root@srx# set security screen ids-option untrust-screen ip source-route-optiont
root@srx# set security screen ids-option untrust-screen ip tear-drop
root@srx# set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
root@srx# set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
root@srx# set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
root@srx# set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
root@srx# set security screen ids-option untrust-screen tcp syn-flood timeout 20
root@srx# set security screen ids-option untrust-screen tcp land
After entering all the commands, you need to check them for syntax and logic with the command:
root@srx# commit check
If there are any typos in our config or something is missing, the system will always let us know. Read the console output carefully, for Junos OS explains in great detail and accurately what we need to fix! If the console issues a commit check succeded, then everything is in order and you can write:root@srx# commit
After that, our settings are saved in the memory of the router and become relevant. Now you can connect client devices, check pings and the Internet. If we suddenly noticed that we used something completely wrong and you need to return to the previous config, then you can write:root@srx# rollback 0
This command will return us to the previous config, which, by the way, also needs to be committed. The number of possible rollbacks back in time to the maximum is 49 and can be configured with the commandroot@srx# set system max-configuration-rollbacks 49
If you enter root@srx# rollback ?
then the system will give us the date and time of previous commits (maximum 49). If we perform remote configuration of the Juniper and are afraid that applying the next policy or configuring the interface may lead to loss of communication with the device, then we can use the commit in the following form:
root@srx# commit confirmed число_минут
This command applies the current config, but only for a certain number of minutes specified in the command (10 by default). If during this time you do not enter just commit, then after the time has passed, Juniper will automatically return to the previous config. It is very convenient for remote configuration! The final config is shown under the spoiler
Final config
## Last changed: 2013-01-24 12:09:10 UTC version 12.1R4.7; system { host-name JuniperSRX; root-authentication { encrypted-password "$ 1 $ 2bWkMZhh $ mdsdcqRN71Pa7Wmb9VGSn /"; ## SECRET-DATA } name-server { 8.8.8.8; 8.8.4.4; } services { ssh; web-management { http { interface vlan.0; } dhcp { router { 192.168.1.1; } pool 192.168.1.0/24 { address-range low 192.168.1.2 high 192.168.1.100; } propagate-settings vlan.0; } } syslog { archive size 100k files 3; user * { any emergency; } file messages { any critical; authorization info; } file interactive-commands { interactive-commands error; } } max-configurations-on-flash 5; max-configuration-rollbacks 49; license { autoupdate { url https://ae1.juniper.net/junos/key_retrieval; } } } interfaces { interface-range interfaces-trust { member-range ge-0/0/1 to ge-0/0/7; unit 0 { family ethernet-switching { vlan { members vlan-trust; } } } } ge-0/0/0 { unit 0 { family inet { address 1.2.3.4/28; } } } ge-0/0/1 { unit 0 { family ethernet-switching { vlan { members vlan-trust; } } } } ge-0/0/2 { unit 0 { family ethernet-switching { vlan { members vlan-trust; } } } } ge-0/0/3 { unit 0 { family ethernet-switching { vlan { members vlan-trust; } } } } ge-0/0/4 { unit 0 { family ethernet-switching { vlan { members vlan-trust; } } } } ge-0/0/5 { unit 0 { family ethernet-switching { vlan { members vlan-trust; } } } } ge-0/0/6 { unit 0 { family ethernet-switching { vlan { members vlan-trust; } } } } ge-0/0/7 { unit 0 { family ethernet-switching { vlan { members vlan-trust; } } } } vlan { unit 0 { family inet { address 192.168.1.1/24; } } } routing-options { static { route 0.0.0.0/0 next-hop 1.2.3.1; } security { screen { ids-option untrust-screen { icmp { ping-death; } ip { source-route-option; tear-drop; } tcp { syn-flood { alarm-threshold 1024; attack-threshold 200; source-threshold 1024; destination-threshold 2048; timeout 20; } land; } } } nat { source { rule-set trust-to-untrust { from zone trust; to zone untrust; rule source-nat-rule { match { source-address 0.0.0.0/0; } then { source-nat { interface; } } } } } policies { from-zone trust to-zone untrust { policy trust-to-untrust { match { source-address any; destination-address any; application any; } then { permit; } } } from-zone trust to-zone trust { policy trust-to-trust { match { source-address any; destination-address any; application any; } then { permit; } } } } zones { security-zone trust { host-inbound-traffic { system-services { all; } protocols { all; } } interfaces { vlan.0; } } security-zone untrust { screen untrust-screen; interfaces { ge-0/0 / 0.0 { host-inbound-traffic { system-services { ssh; ping; } } } } } } } vlans { vlan-trust { vlan-id 3; l3-interface vlan.0; } }
That is where I will end the article on initial configuration of the Juniper SRX. I will be very glad to questions and comments! Further articles are planned on Junos CLI, PPPoE, policies, IPsec and routing basics in Junos OS.