From bdc4ee573d2b4cc8b2301dac54616016e9e45f16 Mon Sep 17 00:00:00 2001 From: Denys Fedoryshchenko Date: Thu, 31 Aug 2023 23:36:49 +0300 Subject: [PATCH] Add more docs --- Juniper.md | 109 +++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 109 insertions(+) diff --git a/Juniper.md b/Juniper.md index 39785a9..3e162d6 100644 --- a/Juniper.md +++ b/Juniper.md 
@@ -54,6 +54,90 @@ commit complete ``` You can directly go to commit step if you are absolutely sure what you are doing, and changes wont lock you out of the switch. +## Users management + +### Changing root password + +``` +set system root-authentication plain-text-password +``` +NEVER set easy passwords, you might lose your device as soon as it is connected to internet. + +### Adding new user + +``` +set system login user USERNAME class super-user authentication plain-text-password +``` +NEVER set easy passwords, you might lose your device as soon as it is connected to internet. + +### Adding new user with SSH key + +``` +set system login user USERNAME class super-user authentication ssh-rsa "USERKEY" +``` + +## Firewall + +### Set firewall for management interface + +``` +set interface lo0 unit 0 family inet filter input MANAGEMENT +set firewall family inet filter MANAGEMENT term MANAGEMENT from source-address x.x.x.x/32 +set firewall family inet filter MANAGEMENT term MANAGEMENT then accept +set firewall family inet filter MANAGEMENT term default then discard +``` + +Make sure to use commit confirmed, otherwise you might lock yourself out of the switch. +You might need to add also BGP of Ogero IP addresses to the firewall, sometimes allow ICMP protocol for troubleshooting. +*THIS IS IMPORTANT STEP TO SECURE THE SWITCH* + + +## Monitoring and misc +### Add SNMP community for monitoring + +``` +set snmp community COMMUNITY authorization read-only +``` +Please make complex name for COMMUNITY, as it can be guessed or bruteforced. + +### Add NTP server + +``` +set system ntp server x.x.x.x +set system time-zone Asia/Beirut +``` +It is highly recommended to have NTP server, as it will help you to troubleshoot problems in the future, as logs will have correct time. 
+ +### Filtering license flood messages + +``` +system { + syslog { + file messages { + any notice; + authorization info; + match "!(.*BGP Routing Protocol usage requires a license.*)"; + } + } +} +``` +This will prevent early wearout of your flash memory, as license messages are written to the log every 10 seconds. + +### syslog audit + +It is recommended to send syslog to remote host, in case of incidents, offender cannot remove them: +``` +system { + syslog { + host x.x.x.x { + any notice; + authorization info; + match "!(.*BGP Routing Protocol usage requires a license.*)"; + } + } +} +``` + ## Tuning After installing switch it is recommended to do certain tuning (which i often forget) to avoid problems in the future. @@ -501,3 +585,28 @@ inet.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden) If you see your prefixes, it means you are sending them to Ogero. You might use also "show bgp neighbor x.x.x.x" to see more detailed information about BGP session. + +### MAC address table size + +Keep an eye on EX4500 and EX4550 and don't exceed ~6000 MAC addresses, as it might cause problems with switch. This switch have 16k MAC addresses, but it have hash collision problems, so it is recommended to keep it below 6k. +If you have more than 6000 MAC addresses, you might need to upgrade to better switch. +There is a trick when you can disable MAC learning on some interfaces, but you have to meet one condition - only TWO interfaces should have this VLAN enabled, otherwise you will have unicast flood problem. +Learning on VLAN can be disabled by following command: + +``` +set vlans VLANNAME no-mac-learning +``` + +Verifying MAC address table size: + +``` +admin@CORE> show ethernet-switching table brief +``` +Attention on header: "Ethernet-switching table: 477 entries, 239 learned, 0 persistent entries" + +### Monitoring routing engine CPU + +``` +admin@CORE> show chassis routing-engine +``` +It is recommended to not have load average values more than 1.0 - 2.0.
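Review bot: in the "Set firewall for management interface" block, the MANAGEMENT filter on lo0 accepts only `source-address x.x.x.x/32` and discards everything else, which also discards the NTP replies from the server added under "Add NTP server" and the polls from the SNMP monitoring host added under "Add SNMP community for monitoring", unless both happen to come from that same /32. The surrounding text only mentions adding the Ogero BGP peers and ICMP; it should say explicitly that every host the switch is expected to talk to from its RE (NTP server, SNMP poller, BGP peers, management jump hosts) needs its own accept term before the `default then discard` term, and that `commit confirmed` is mandatory when applying it. Two smaller points in the same hunk: the first line reads `set interface lo0 unit 0 ...` while the rest of the document uses the full hierarchy names (`set interfaces ...`, `set system ...`, `set vlans ...`), so use `interfaces` for copy-paste consistency; and the sentence "NEVER set easy passwords, you might lose your device as soon as it is connected to internet." appears verbatim under both "Changing root password" and "Adding new user", so state it once, for example at the top of "Users management". For the SNMP section, a complex community string is a weak control on its own; consider also restricting the community to the poller's address with the `clients` statement, and point the reader at the lo0 filter above, which must permit that poller anyway.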
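Review bot: in the "MAC address table size" section the prose says "you can disable MAC learning on some interfaces", but the command given, `set vlans VLANNAME no-mac-learning`, is VLAN-wide: learning is disabled for every port in that VLAN, and all unicast in the VLAN is flooded, which is exactly why the two-port condition is needed. Reword the sentence to say learning is disabled per VLAN, and state the consequence plainly (with only two ports in the VLAN, flooding is harmless because each frame can only go to the other port; with more ports every frame is delivered to all of them). The ~6000 entries figure and the hash collision explanation for EX4500/EX4550 are given without a reference; cite the Juniper documentation or KB article it comes from, or label it as operational experience. Grammar in the same paragraph: "This switch have 16k MAC addresses, but it have hash collision problems" should read "These switches have a 16k MAC address table, but hash collisions cause problems well before it fills", and "Attention on header:" should read "Check the header line:". In the "Monitoring routing engine CPU" section, note that `show chassis routing-engine` prints the 1, 5 and 15 minute load averages alongside the CPU utilization percentages, so the reader knows which figures the "1.0 - 2.0" threshold refers to.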