Juniper SRX – default configuration

22 02 2012

A friend of mine has just loaned me an SRX210 with an ADSL2/2+ module in it, so I thought I’d dump the default configuration here with notes before I start configuring it.   Interestingly, JTAC are recommending 10.4R8.5 (released on the 5th Jan 2012) but the box has arrived with 11.1R1.0.  Undaunted, I think I’ll put 11.4R1.6 on it and see how things go.  Might as well live on the edge, eh?


Use “show configuration | no-more” to display the configuration without doing so page by page – useful for dumping things to a text file. If you can’t get the hang of native Junos syntax, you can put “| display set” on the end as well to see the commands as you would type them.

show configuration | no-more  
## Last commit: 2012-01-11 02:36:28 UTC by root 
version 11.1R1.10; 

The autoinstallation section sets the box up to obtain an IP address on the first Ethernet port (ge-0/0/0, via BOOTP) so that you can configure it through the web browser for the first time. This part of the configuration deletes itself upon the first commit, so you won’t see it going forward.

system { 
    autoinstallation { 
        delete-upon-commit; ## Deletes [system autoinstallation] upon change/commit 
        traceoptions { 
            level verbose; 
            flag { 
                all; 
            } 
        } 
        interfaces { 
            ge-0/0/0 { 
                bootp; 
            } 
        } 
    }

Set up some DNS servers (these are public ones at opendns.com) so the unit can resolve names:

    name-server { 
        208.67.222.222; 
        208.67.220.220; 
    }

Still under the system stanza, enable SSH, Telnet, clear-text XNM (the unencrypted XML management protocol) and web management for managing the unit. Web management (HTTP, and HTTPS with a system-generated certificate) is tied down to the VLAN interface only:

    services { 
        ssh; 
        telnet; 
        xnm-clear-text; 
        web-management { 
            http { 
                interface vlan.0; 
            } 
            https { 
                system-generated-certificate; 
                interface vlan.0; 
            } 
        } 

Set up a DHCP server that hands out IP addresses and a default gateway to any clients in vlan.0. It inherits its settings from ge-0/0/0, which is configured to get an IP address automatically from an upstream device:

        dhcp { 
            router { 
                192.168.1.1; 
            } 
            pool 192.168.1.0/24 { 
                address-range low 192.168.1.2 high 192.168.1.254; 
            } 
            propagate-settings ge-0/0/0.0; 
        } 
    }

Logging – rotate the log files at 100 kB, keeping 3 archived copies. Send emergency-level messages to all logged-in users, and log critical messages from any facility plus authorization messages at info level to the messages file. Errors from interactive commands are logged to a file called interactive-commands:

    syslog { 
        archive size 100k files 3; 
        user * { 
            any emergency; 
        } 
        file messages { 
            any critical; 
            authorization info; 
        } 
        file interactive-commands { 
            interactive-commands error; 
        } 
    }

Keep 5 configurations on flash and 5 rollback configurations, and fetch licence keys from the Juniper URL specified. Since this is a fresh box, there is no root-authentication configured yet, hence the warning:

    max-configurations-on-flash 5; 
    max-configuration-rollbacks 5; 
    license { 
        autoupdate { 
            url https://ae1.juniper.net/junos/key_retrieval; 
        } 
    } 
    ## Warning: missing mandatory statement(s): 'root-authentication' 
} 

ge-0/0/0 becomes the “WAN” port, as it were – it is a routed port and gets an IP address from a DHCP server:

interfaces { 
    ge-0/0/0 { 
        unit 0; 
    }

The other interfaces are Ethernet switching ports, all members of a VLAN called “vlan-trust”:

    ge-0/0/1 { 
        unit 0 { 
            family ethernet-switching { 
                vlan { 
                    members vlan-trust; 
                } 
            } 
        } 
    } 
    fe-0/0/2 { 
        unit 0 { 
            family ethernet-switching { 
                vlan { 
                    members vlan-trust; 
                } 
            } 
        } 
    } 
    fe-0/0/3 { 
        unit 0 { 
            family ethernet-switching { 
                vlan { 
                    members vlan-trust; 
                } 
            } 
        } 
    } 
    fe-0/0/4 { 
        unit 0 { 
            family ethernet-switching { 
                vlan { 
                    members vlan-trust; 
                } 
            } 
        } 
    } 
    fe-0/0/5 { 
        unit 0 { 
            family ethernet-switching { 
                vlan { 
                    members vlan-trust; 
                } 
            } 
        } 
    } 
    fe-0/0/6 { 
        unit 0 { 
            family ethernet-switching { 
                vlan { 
                    members vlan-trust; 
                } 
            } 
        } 
    } 
    fe-0/0/7 { 
        unit 0 { 
            family ethernet-switching { 
                vlan { 
                    members vlan-trust; 
                } 
            } 
        } 
    }

Create a VLAN interface (sometimes called a Routed Virtual Interface or RVI) with an IP address on it. Note that this is the IP address handed out as default gateway in the DHCP section above:

    vlan { 
        unit 0 { 
            family inet { 
                address 192.168.1.1/24; 
            } 
        } 
    } 
} 

We’re running old skool spanning-tree here, which I’m surprised about – I thought Junos defaulted to RSTP:

protocols { 
    stp; 
} 

Now we get into the security stuff – below is a default screen (IDS option set) named untrust-screen, which is bound to the untrust zone further down. It checks for ping of death, the IP source-route option, teardrop and LAND attacks, and applies SYN-flood thresholds:

security { 
    screen { 
        ids-option untrust-screen { 
            icmp { 
                ping-death; 
            } 
            ip { 
                source-route-option; 
                tear-drop; 
            } 
            tcp { 
                syn-flood { 
                    alarm-threshold 1024; 
                    attack-threshold 200; 
                    source-threshold 1024; 
                    destination-threshold 2048; 
                    timeout 20; 
                } 
                land; 
            } 
        } 
    }

Create a NAT rule-set that source-NATs traffic from the trust zone (the 192.168.1/24 network) outbound to the untrust zone. All hosts are translated to the interface address of ge-0/0/0:

    nat { 
        source { 
            rule-set trust-to-untrust { 
                from zone trust; 
                to zone untrust; 
                rule source-nat-rule { 
                    match { 
                        source-address 0.0.0.0/0; 
                    } 
                    then { 
                        source-nat { 
                            interface; 
                        } 
                    } 
                } 
            } 
        } 
    }

Since this is a security device, we need policies for it to pass anything at all – this first one matches anything going from the trust (vlan.0) zone to the untrust (ge-0/0/0) zone and permits it. There is no untrust-to-trust policy, so by default all inbound traffic is blocked:

    policies { 
        from-zone trust to-zone untrust { 
            policy trust-to-untrust { 
                match { 
                    source-address any; 
                    destination-address any; 
                    application any; 
                } 
                then { 
                    permit; 
                } 
            } 
        } 
    }

We define the zones here. The trust zone contains vlan.0 and permits all traffic destined to the SRX itself (rather than through it) – this lets us connect via SSH or the web on the trust side. That’s not the case with the untrust zone, where ge-0/0/0.0 only accepts DHCP and TFTP, and the untrust-screen defined above is applied:

    zones { 
        security-zone trust { 
            host-inbound-traffic { 
                system-services { 
                    all; 
                } 
                protocols { 
                    all; 
                } 
            } 
            interfaces { 
                vlan.0; 
            } 
        } 
        security-zone untrust { 
            screen untrust-screen; 
            interfaces { 
                ge-0/0/0.0 { 
                    host-inbound-traffic { 
                        system-services { 
                            dhcp; 
                            tftp; 
                        } 
                    } 
                } 
            } 
        } 
    } 
} 

PoE is enabled here – turns out my unit has four PoE ports, which is a bonus…

poe { 
    interface all; 
} 

Now we create the actual layer-2 VLAN, give it an ID (3) and put the vlan.0 layer-3 interface into it:

vlans { 
    vlan-trust { 
        vlan-id 3; 
        l3-interface vlan.0; 
    } 
} 
root>

And that’s it. All I’ve got to do is modify this to use the ADSL interface instead. Inspired by Robert Juric’s useful post, I want to get a tunnel to SixXS up – I seem to have millions of IPv6 addresses and not got round to using them yet.


3 responses

3 09 2013
Firearm Tutorials

Good stuff. I like how you explained it by sections.

25 01 2014
Christopher Ayers

One question, why is TFTP allowed? Is that necessary?

9 05 2014
enable telnet linux redhat 5 download

Hi, I think that I saw you visited my site so I came to “return the favor”. I am attempting to find things to enhance my site! I suppose it’s ok to use some of your ideas!!
