Zenuncl Wiki


Juniper


This wiki only includes some initial setup for Juniper devices, including but not limited to:

  • MX204
  • EX4400

# Initial Setup with new device

You will need to enter configuration mode

cli
configure

And you will need to commit changes afterward

commit
commit and-quit

You can verify your configuration

show configuration
show configuration | no-more

# Setup

Set up the root authentication by adding a password:

set system root-authentication plain-text-password

(Optional) Add new super-user account:

set system login user <username> authentication plain-text-password
set system login user <username> class super-user

# If you want to use ssh-key authentication, please add the following
set system login user <username> authentication ssh-ed25519 "<content from ~/.ssh/id_ed25519.pub>"

Setup hostname:

set system host-name <hostname>

Set the management interface IP address:

Note: This only works for the MGMT port

(MX204 Router)

set interfaces fxp0 unit 0 family inet address <address>/<prefix-length>

(EX4400 Switch)

set interfaces me0 unit 0 family inet address <address>/<prefix-length>

Set up a DNS & NTP server:

set system name-server <dns-server-address>
set system ntp server <ntp-server-address>

Enable SSH:

set system services ssh port 10022

# To allow root login over SSH
set system services ssh root-login allow
# To disallow root login over SSH
set system services ssh root-login deny

# Logging

set system syslog user * any emergency
set system syslog file messages any notice
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands any

# MX204 Specific Setup

set chassis fpc 0 pic 0 port 0 speed 40g
set chassis fpc 0 pic 0 port 1 speed 40g
set chassis fpc 0 pic 0 port 2 speed 40g
set chassis fpc 0 pic 0 port 3 speed 100g # From a real configuration: only setting the speed to 100g makes the interface name `et-0/0/3`; otherwise it will be `xe-0/0/3`
set chassis fpc 0 pic 1 port 0 speed 10g
set chassis fpc 0 pic 1 port 1 speed 10g
set chassis fpc 0 pic 1 port 2 speed 10g
set chassis fpc 0 pic 1 port 3 speed 10g
set chassis fpc 0 pic 1 port 4 speed 10g
set chassis fpc 0 pic 1 port 5 speed 10g
set chassis fpc 0 pic 1 port 6 speed 10g
set chassis fpc 0 pic 1 port 7 speed 10g

Port Number

| Port Type                     |  Number of Ports   |  Interface Name |
| ----------------------------- | ------------------ | --------------- |
| QSFP28 / QSFP+ (100Gb / 40Gb) |  4                 |  `et-0/0/[0-3]` |
| SFP+ (10Gb)                   |  8                 |  `xe-0/1/[0-7]` |
| Management Port               |  1                 |  `fxp0`         |

# EX4400 Specific Setup

Configure the default gateway:

set routing-options static route 0/0 next-hop <gateway-address>

Port Number

| Port Type                      |  Number of Ports   | Interface Name  |
| ------------------------------ | ------------------ | --------------- |
| SFP+ (10Gb) / Ethernet (10G)   |  Up to 48          | `xe-0/0/[0-47]` |
| QSFP28 / QSFP+ (100Gb / 40Gb)  |  2                 | `et-0/1/[0-1]`  |

(or ge-0/0/[0-47] if it’s 1Gbps network port)

# Advanced Settings based on Networks and Purpose of the router / switch

Note:

  • <interface-name> will be:
    • xe-0/1/0 for upstream
    • et-0/0/0 for downlink to EX4400 (on MX204)
    • et-0/1/0 for uplink to MX204 (on EX4400)
    • Sometimes you need to use <interface-name>.N for a specific interface unit number.

# Setup Firewall

Allow SSH on a specific port and disable Telnet

set firewall filter MANAGEMENT_FILTER term ALLOW-SSH from protocol tcp
set firewall filter MANAGEMENT_FILTER term ALLOW-SSH from destination-port 10022
set firewall filter MANAGEMENT_FILTER term ALLOW-SSH then accept
set firewall filter MANAGEMENT_FILTER term DENY-TELNET from protocol tcp
set firewall filter MANAGEMENT_FILTER term DENY-TELNET from destination-port telnet
set firewall filter MANAGEMENT_FILTER term DENY-TELNET then discard

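Then remember to apply the filter to the interface. Junos firewall filters end with an implicit discard, so once the filter is applied, any traffic that no term accepts is dropped:

set interfaces <interface-name> unit 0 family inet filter <input | output | input-list | output-list> <filter-name>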

# Connect to Internet

set interfaces <interface-name> description "<description-name>"
set interfaces <interface-name> unit 0 family inet address <ip-address>/<prefix-length>
set interfaces <interface-name> unit 0 family inet6 address <ipv6-address>/<ipv6-prefix-length>


# Static route (default route) for default network
set routing-options static route 0.0.0.0/0 next-hop <upstream-gateway-ip-address>
set routing-options rib inet6.0 static route ::/0 next-hop <upstream-gateway-ipv6-address>

# Connect MX204 to EX4400 (router to switch)

MX204

set interfaces <interface-name> description "40G downlink to EX4400"
set interfaces <interface-name> mtu 9192
set interfaces <interface-name> unit 0 family inet address <private-ip-address>/24

set protocols ospf area 0.0.0.0 interface <interface-name>

# MX204 Advanced Interface and Protocols setup if needed
set interfaces <interface-name> unit 0 family iso
set interfaces <interface-name> unit 0 family mpls
set protocols isis interface <interface-name>
set protocols ldp interface <interface-name>

# If VLAN 
set interfaces <interface-name> native-vlan-id <vlan-id>

EX4400

set interfaces <interface-name> description "40G uplink to MX204"
set interfaces <interface-name> mtu 9192
set interfaces <interface-name> unit 0 family inet address <private-ip-address>/24

# If VLAN

set vlans <VLAN-NAME> vlan-id <vlan-tag>

set interfaces <interface-name> unit 0 family ethernet-switching interface-mode trunk
set interfaces <interface-name> unit 0 family ethernet-switching vlan members [<vlan-name | vlan-tag>]

# BGP

set routing-options autonomous-system <OWN-AS-NUMBER>

set protocols bgp group <bgp-group-name> type external
set protocols bgp group <bgp-group-name> peer-as <UPSTREAM-AS-NUMBER>
set protocols bgp group <bgp-group-name> neighbor <neighbor-ip-address>
set protocols bgp group <bgp-group-name> neighbor <neighbor-ipv6-address>

BGP Filter

set policy-options prefix-list <announce-prefix-list-name> <ip-address>/<prefix-length>
set protocols bgp group <bgp-group-name> export <export-policy-name>
set policy-options policy-statement <export-policy-name> term announce-subnet from prefix-list <announce-prefix-list-name>
set policy-options policy-statement <export-policy-name> term announce-subnet then accept
set policy-options policy-statement <export-policy-name> then reject
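
Added example (not part of the original wiki): a small Python check over `show configuration | display set` output that flags three things from the steps above: SSH root login left allowed, a firewall filter that is defined but never applied to an interface, and an external BGP group with no export policy. The function name `audit`, the `SAMPLE` text, and all addresses and AS numbers in it are constructed for illustration.

```python
import re

# Constructed sample in "show configuration | display set" form (not from a real device).
SAMPLE = """\
set system services ssh port 10022
set system services ssh root-login allow
set firewall filter MANAGEMENT_FILTER term ALLOW-SSH from protocol tcp
set firewall filter MANAGEMENT_FILTER term ALLOW-SSH from destination-port 10022
set firewall filter MANAGEMENT_FILTER term ALLOW-SSH then accept
set firewall filter MANAGEMENT_FILTER term DENY-TELNET then discard
set interfaces xe-0/1/0 unit 0 family inet address 192.0.2.2/30
set protocols bgp group UPSTREAM type external
set protocols bgp group UPSTREAM peer-as 64500
set protocols bgp group UPSTREAM neighbor 192.0.2.1
"""

def audit(config: str) -> list[str]:
    """Return findings for a Junos configuration given as set commands."""
    lines = [l.strip() for l in config.splitlines() if l.strip().startswith("set ")]
    findings = []
    if "set system services ssh root-login allow" in lines:
        findings.append("ssh: root-login allow is set")
    if any(l.startswith("set system services telnet") for l in lines):
        findings.append("telnet: service is enabled")

    # Filters that are defined versus filters bound to an interface unit.
    defined = {m.group(1) for l in lines
               if (m := re.match(r"set firewall filter (\S+) term ", l))}
    applied = {m.group(1) for l in lines
               if (m := re.match(r"set interfaces \S+ unit \d+ family \S+ filter "
                                 r"(?:input|output|input-list|output-list) (\S+)", l))}
    for name in sorted(defined - applied):
        findings.append(f"firewall: filter {name} is defined but not applied")

    # External BGP groups with no export policy fall back to the Junos default export behaviour.
    groups = {}
    for l in lines:
        if m := re.match(r"set protocols bgp group (\S+) (\S+)(?: (\S+))?", l):
            groups.setdefault(m.group(1), set()).add((m.group(2), m.group(3)))
    for name, stmts in sorted(groups.items()):
        keys = {k for k, _ in stmts}
        if ("type", "external") in stmts and "export" not in keys:
            findings.append(f"bgp: external group {name} has no export policy")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```
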

Last Update: 2024-12-18 15:39:55