Monday, October 21, 2013

Juniper Mini Lab with Virtual-Router v1.0

This mini lab is a template topology with a preconfiguration for testing or verifying a feature or behaviour. It contains several routers connected to each other, all built on one physical router by creating several virtual-router routing instances. Each virtual-router behaves like a separate logical router because it has its own routing table; the instances are linked with pairs of logical tunnel (lt-) units, each unit pointing at its partner with peer-unit. Keep in mind that every instance lives in the same configuration on the same Routing Engine, so a typo in one set line (a wrong peer-unit, or a unit left out of its routing-instance) does not fail loudly: an lt- unit that is not assigned to any routing-instance simply stays in the main instance, inet.0.

From today on, I will use this mini lab as the topology and preconfiguration for the following posts.
The parameters, topology and configuration are below.

####
# Project name: Juniper Mini Lab with Virtual-Router
# Version: 1.0
# Code name: JMib_VR
# Short name: JMib_VR_v1.0
# Release date: 2013/10/20
####

#### The Parameter
# R1
- lt-0/0/0.14 172.16.14.1/24
- lt-0/0/0.15 172.16.15.1/24
# R2
- lt-0/0/0.23 172.16.23.2/24
- lt-0/0/0.24 172.16.24.2/24
# R3
- lt-0/0/0.32 172.16.23.3/24
- lt-0/0/0.35 172.16.35.3/24
# R4
- lt-0/0/0.41 172.16.14.4/24
- lt-0/0/0.42 172.16.24.4/24
# R5
- lt-0/0/0.51 172.16.15.5/24
- lt-0/0/0.53 172.16.35.5/24

#### The Topology

R1 -- R4 -- R2 -- R3
R1 -- R5 -------- R3

#### Configuration
## R1 -- R4
set interfaces lt-0/0/0 unit 14 description "R1.R4"
set interfaces lt-0/0/0 unit 14 encapsulation ethernet
set interfaces lt-0/0/0 unit 14 peer-unit 41
set interfaces lt-0/0/0 unit 14 family inet address 172.16.14.1/24
set interfaces lt-0/0/0 unit 41 description "R1.R4"
set interfaces lt-0/0/0 unit 41 encapsulation ethernet
set interfaces lt-0/0/0 unit 41 peer-unit 14
set interfaces lt-0/0/0 unit 41 family inet address 172.16.14.4/24
set routing-instances R1 instance-type virtual-router
set routing-instances R1 interface lt-0/0/0.14
set routing-instances R4 instance-type virtual-router
set routing-instances R4 interface lt-0/0/0.41

## R1 -- R5
set interfaces lt-0/0/0 unit 15 description "R1.R5"
set interfaces lt-0/0/0 unit 15 encapsulation ethernet
set interfaces lt-0/0/0 unit 15 peer-unit 51
set interfaces lt-0/0/0 unit 15 family inet address 172.16.15.1/24
set interfaces lt-0/0/0 unit 51 description "R1.R5"
set interfaces lt-0/0/0 unit 51 encapsulation ethernet
set interfaces lt-0/0/0 unit 51 peer-unit 15
set interfaces lt-0/0/0 unit 51 family inet address 172.16.15.5/24
set routing-instances R1 instance-type virtual-router
set routing-instances R1 interface lt-0/0/0.15
set routing-instances R5 instance-type virtual-router
set routing-instances R5 interface lt-0/0/0.51

## R2 -- R3
set interfaces lt-0/0/0 unit 23 description "R2.R3"
set interfaces lt-0/0/0 unit 23 encapsulation ethernet
set interfaces lt-0/0/0 unit 23 peer-unit 32
set interfaces lt-0/0/0 unit 23 family inet address 172.16.23.2/24
set interfaces lt-0/0/0 unit 32 description "R2.R3"
set interfaces lt-0/0/0 unit 32 encapsulation ethernet
set interfaces lt-0/0/0 unit 32 peer-unit 23
set interfaces lt-0/0/0 unit 32 family inet address 172.16.23.3/24
set routing-instances R2 instance-type virtual-router
set routing-instances R2 interface lt-0/0/0.23
set routing-instances R3 instance-type virtual-router
set routing-instances R3 interface lt-0/0/0.32

## R2 -- R4
set interfaces lt-0/0/0 unit 24 description "R2.R4"
set interfaces lt-0/0/0 unit 24 encapsulation ethernet
set interfaces lt-0/0/0 unit 24 peer-unit 42
set interfaces lt-0/0/0 unit 24 family inet address 172.16.24.2/24
set interfaces lt-0/0/0 unit 42 description "R2.R4"
set interfaces lt-0/0/0 unit 42 encapsulation ethernet
set interfaces lt-0/0/0 unit 42 peer-unit 24
set interfaces lt-0/0/0 unit 42 family inet address 172.16.24.4/24
set routing-instances R2 instance-type virtual-router
set routing-instances R2 interface lt-0/0/0.24
set routing-instances R4 instance-type virtual-router
set routing-instances R4 interface lt-0/0/0.42

## R3 -- R5
set interfaces lt-0/0/0 unit 35 description "R3.R5"
set interfaces lt-0/0/0 unit 35 encapsulation ethernet
set interfaces lt-0/0/0 unit 35 peer-unit 53
set interfaces lt-0/0/0 unit 35 family inet address 172.16.35.3/24
set interfaces lt-0/0/0 unit 53 description "R3.R5"
set interfaces lt-0/0/0 unit 53 encapsulation ethernet
set interfaces lt-0/0/0 unit 53 peer-unit 35
set interfaces lt-0/0/0 unit 53 family inet address 172.16.35.5/24
set routing-instances R3 instance-type virtual-router
set routing-instances R3 interface lt-0/0/0.35
set routing-instances R5 instance-type virtual-router
set routing-instances R5 interface lt-0/0/0.53

#### Verify

user@JunOS> ping routing-instance R1 172.16.14.4 source 172.16.14.1 rapid 
PING 172.16.14.4 (172.16.14.4): 56 data bytes
!!!!!
--- 172.16.14.4 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 2.691/3.303/4.401/0.595 ms

user@JunOS> ping routing-instance R1 172.16.15.5 source 172.16.15.1 rapid 
PING 172.16.15.5 (172.16.15.5): 56 data bytes
!!!!!
--- 172.16.15.5 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 2.730/3.104/3.690/0.335 ms

user@JunOS> ping routing-instance R2 172.16.23.3 source 172.16.23.2 rapid 
PING 172.16.23.3 (172.16.23.3): 56 data bytes
!!!!!
--- 172.16.23.3 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 2.805/5.181/8.782/2.746 ms

user@JunOS> ping routing-instance R2 172.16.24.4 source 172.16.24.2 rapid 
PING 172.16.24.4 (172.16.24.4): 56 data bytes
!!!!!
--- 172.16.24.4 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 2.739/3.290/3.986/0.424 ms

user@JunOS> ping routing-instance R3 172.16.35.5 source 172.16.35.3 rapid 
PING 172.16.35.5 (172.16.35.5): 56 data bytes
!!!!!
--- 172.16.35.5 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 2.495/2.997/3.329/0.308 ms
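The pings above only prove that the links the author typed correctly are up. As an added example (not code from the original post), the script below rebuilds the lt- pair configuration from the post's adjacency list using the same numbering scheme (unit xy in Rx, unit yx in Ry, subnet 172.16.xy.0/24) and then audits a set-style config for the mistakes that silently break the separation between virtual-routers: a peer-unit that does not point back, two ends of one link in different subnets, and a unit never placed in a routing-instance. The broken R2--R3 sample at the bottom is constructed for the demonstration; the function names and the TOPOLOGY list are this example's own.

```python
import ipaddress
import re
from collections import defaultdict

# Added example, not from the original post. Rebuilds the lt- pair config from
# the adjacency list and checks a set-style config for peer-unit symmetry,
# matching subnets, and routing-instance membership.

TOPOLOGY = [(1, 4), (1, 5), (2, 3), (2, 4), (3, 5)]  # the Rx--Ry links from the post


def lt_pair(x, y):
    """Set lines for one Rx--Ry link, numbered the way the post does it:
    unit xy lives in Rx, unit yx in Ry, subnet 172.16.xy.0/24, hosts .x and .y."""
    lines = []
    for a, b in ((x, y), (y, x)):
        unit = f"{a}{b}"
        lines += [
            f'set interfaces lt-0/0/0 unit {unit} description "R{x}.R{y}"',
            f"set interfaces lt-0/0/0 unit {unit} encapsulation ethernet",
            f"set interfaces lt-0/0/0 unit {unit} peer-unit {b}{a}",
            f"set interfaces lt-0/0/0 unit {unit} family inet address 172.16.{x}{y}.{a}/24",
            f"set routing-instances R{a} instance-type virtual-router",
            f"set routing-instances R{a} interface lt-0/0/0.{unit}",
        ]
    return lines


def build_config(topology):
    return "\n".join(line for x, y in topology for line in lt_pair(x, y))


UNIT_RE = re.compile(r"^set interfaces (lt-\S+) unit (\d+) (.*)$")
RI_IF_RE = re.compile(r"^set routing-instances (\S+) interface (\S+)$")


def parse(config):
    """Return (units, membership): peer/address per lt- ifl, and ifl -> [instances]."""
    units = defaultdict(dict)
    membership = defaultdict(list)
    for line in config.splitlines():
        line = line.strip()
        m = UNIT_RE.match(line)
        if m:
            ifl, rest = f"{m.group(1)}.{m.group(2)}", m.group(3).split()
            u = units[ifl]  # creates the entry even for description/encapsulation lines
            if rest[0] == "peer-unit":
                u["peer"] = f"{m.group(1)}.{rest[1]}"
            elif rest[:3] == ["family", "inet", "address"]:
                u["addr"] = ipaddress.ip_interface(rest[3])
            continue
        m = RI_IF_RE.match(line)
        if m:
            membership[m.group(2)].append(m.group(1))
    return units, membership


def check_lt_pairs(config):
    """Return a list of findings; an empty list means the lt- pairs are consistent."""
    units, membership = parse(config)
    findings = []
    for ifl, u in sorted(units.items()):
        peer = u.get("peer")
        if peer is None:
            findings.append(f"{ifl}: no peer-unit")
        else:
            back = units.get(peer, {}).get("peer")
            if back != ifl:
                findings.append(f"{ifl}: peer-unit {peer} does not point back (it has {back})")
            a, b = u.get("addr"), units.get(peer, {}).get("addr")
            if a is not None and b is not None and a.network != b.network:
                findings.append(f"{ifl}: {a} and peer {b} are in different subnets")
        inst = membership.get(ifl, [])
        if len(inst) != 1:
            findings.append(f"{ifl}: in {len(inst)} routing-instances, expected 1 "
                            "(an unassigned unit stays in the main instance inet.0)")
    return findings


# Constructed broken sample: R2--R3 with a mistyped peer-unit on unit 32, the R3
# end in the wrong subnet, and unit 32 never added to routing-instance R3.
BROKEN_CONFIG = """\
set interfaces lt-0/0/0 unit 23 peer-unit 32
set interfaces lt-0/0/0 unit 23 family inet address 172.16.23.2/24
set interfaces lt-0/0/0 unit 32 peer-unit 24
set interfaces lt-0/0/0 unit 32 family inet address 172.16.32.3/24
set routing-instances R2 instance-type virtual-router
set routing-instances R2 interface lt-0/0/0.23
"""

if __name__ == "__main__":
    print(build_config(TOPOLOGY))
    for finding in check_lt_pairs(BROKEN_CONFIG):
        print("FINDING:", finding)
```

Run it against `show configuration | display set | match "lt-|routing-instances"` output from the box; the generated config differs from the post only in line order and in repeating the instance-type line per unit, which Junos accepts.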

Tuesday, October 1, 2013

Step by Step Juniper SRX Security Zone

This is a small addition to the previous post about the Juniper SRX firewall's implicit deny. Sometimes you configure the SRX in a rush and forget to put the interface into a security zone and permit the traffic there. Let's go back to the OSI 7 layers and zoom in on layers 2, 3 and 4, which is where the work is when dealing with a firewall.

The scenario is JunOSRX (192.168.1.1/24) and the XYZ server (192.168.1.11/24).

#### Layer 1: connect the physical cable between JunOSRX and XYZ

#### Layer 2: check the XYZ MAC address on JunOSRX
#### If the XYZ MAC address shows up in the ARP table, Layers 1 and 2 pass
user@JunOSRX> show arp 
MAC Address       Address         Name                      Interface     Flags
aa:bb:cc:dd:ee:01 192.168.1.11     192.168.1.11               ge-0/0/1.0    none
Total entries: 1

#### Layer 3: the interface facing XYZ on JunOSRX
user@JunOSRX> show configuration interfaces ge-0/0/1  
unit 0 {
    description "to XYZ";
    family inet {
        address 192.168.1.1/24;
    }
}

#### Often, to save time, we skip checking or defining Layer 4 and go straight to an end-to-end ping
#### Remember: on a firewall, Layers 2, 3 and 4 all have to pass. An ARP entry present and an address configured but 100% ping loss is the signature of the zone step being missing

#### Verify end to end with ping (ICMP)
user@JunOSRX> ping 192.168.1.11 source 192.168.1.1 rapid
PING 192.168.1.11 (192.168.1.11): 56 data bytes
.....
--- 192.168.1.11 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss

#### Layer 4: define the firewall security zone, rule and policy
#### The interface has to belong to a security zone before the SRX will pass or answer anything on it. host-inbound-traffic governs traffic addressed to the SRX itself; "all" for system-services and protocols is fine in a lab, in production list only what the SRX must answer on that interface (for example ping and ssh)
user@JunOSRX# show security zones security-zone TrustServer
interfaces {
    ge-0/0/1.0 {
        host-inbound-traffic {
            system-services {
                all;
            }
            protocols {
                all;
            }
        }
    }
}

#### Repeat the end-to-end ping
user@JunOSRX> ping 192.168.1.11 source 192.168.1.1 rapid   
PING 192.168.1.11 (192.168.1.11): 56 data bytes
!!!!!
--- 192.168.1.11 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 3.002/3.867/4.676/0.686 ms
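The forgotten zone is easy to spot by hand on one interface and easy to miss on forty. As an added example (not code from the original post), the script below audits an SRX configuration in `| display set` form for the two things this post is about: an L3 interface that is in no security zone (the SRX treats it as the null zone and drops its traffic, which is the 100% ping loss seen above), and `host-inbound-traffic ... all`, which is fine in a lab but too wide in production. The sample configuration is constructed for the demonstration and only the set-line forms shown in it are recognised; the function names are this example's own.

```python
import re

# Added example, not from the original post. Offline audit of "| display set"
# output: flags L3 interfaces that belong to no security zone, and zones that
# allow host-inbound-traffic "all". Only the set-line forms in the sample below
# are recognised (no "except" lists, no zone-level host-inbound-traffic).

ADDR_RE = re.compile(r"^set interfaces (\S+) unit (\d+) family inet address (\S+)$")
ZONE_IF_RE = re.compile(
    r"^set security zones security-zone (\S+) interfaces (\S+)"
    r"(?: host-inbound-traffic (system-services|protocols) (\S+))?$"
)


def parse_zones(config):
    """Return (l3_ifls, zone_of, hib): address per ifl, zone per ifl, and the
    allowed host-inbound-traffic values per (zone, ifl)."""
    l3_ifls, zone_of, hib = {}, {}, {}
    for line in config.splitlines():
        line = line.strip()
        m = ADDR_RE.match(line)
        if m:
            l3_ifls[f"{m.group(1)}.{m.group(2)}"] = m.group(3)
            continue
        m = ZONE_IF_RE.match(line)
        if m:
            zone, ifl, kind, value = m.groups()
            zone_of[ifl] = zone
            entry = hib.setdefault((zone, ifl), {"system-services": set(), "protocols": set()})
            if kind:
                entry[kind].add(value)
    return l3_ifls, zone_of, hib


def audit_zones(config):
    """Return findings as strings; an empty list means nothing to flag."""
    l3_ifls, zone_of, hib = parse_zones(config)
    findings = []
    for ifl, addr in sorted(l3_ifls.items()):
        if ifl not in zone_of:
            findings.append(f"{ifl} ({addr}): L3 interface is in no security zone, "
                            "the SRX drops traffic on it")
    for (zone, ifl), entry in sorted(hib.items()):
        for kind, allowed in entry.items():
            if "all" in allowed:
                findings.append(f"{zone}/{ifl}: host-inbound-traffic {kind} all, "
                                "permit only what the SRX must answer on this interface")
    return findings


# Constructed sample: ge-0/0/1.0 is the post's interface in zone TrustServer with
# the lab-style "all"; ge-0/0/2.0 has an address but was never put in a zone (the
# forgotten step); ge-0/0/0.0 is in a zone tightened to ping and ssh.
SAMPLE_SET_CONFIG = """\
set interfaces ge-0/0/0 unit 0 family inet address 10.0.0.1/24
set interfaces ge-0/0/1 unit 0 description "to XYZ"
set interfaces ge-0/0/1 unit 0 family inet address 192.168.1.1/24
set interfaces ge-0/0/2 unit 0 family inet address 10.0.2.1/24
set security zones security-zone TrustServer interfaces ge-0/0/1.0 host-inbound-traffic system-services all
set security zones security-zone TrustServer interfaces ge-0/0/1.0 host-inbound-traffic protocols all
set security zones security-zone Mgmt interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
set security zones security-zone Mgmt interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh
"""

if __name__ == "__main__":
    for finding in audit_zones(SAMPLE_SET_CONFIG):
        print("FINDING:", finding)
```

Feed it `show configuration | display set | match "family inet address|security-zone"` from the SRX; an interface reported in no zone is the one to fix first, since no amount of policy work will help until it is zoned.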