Juniper GRE tunnel example

juniper@R1> show configuration interfaces
ge-0/0/0 {
unit 0 {
family inet {
address 1.1.1.1/24;
}
}
}
gre {
unit 0 {
tunnel {
source 1.1.1.1;
destination 1.1.1.2;
}
family inet {
address 12.12.12.1/24;
}
}
}

juniper@R2> show configuration interfaces | display set
set interfaces ge-0/0/0 unit 0 family inet address 1.1.1.2/24
set interfaces gre unit 0 tunnel source 1.1.1.2
set interfaces gre unit 0 tunnel destination 1.1.1.1
set interfaces gre unit 0 family inet address 12.12.12.2/24


Juniper SRX sample Internet screen configuration

Configuration for Screen and Flow Option Sample Deployment
This configuration would look as follows:

root@SRX5800> show configuration security screen
ids-option Internet-Screen {
icmp {
ip-sweep threshold 1000;
fragment;
large;
flood threshold 300;
ping-death;
}
ip {
bad-option;
record-route-option;
timestamp-option;
security-option;
stream-option;
spoofing;
source-route-option;
loose-source-route-option;
strict-source-route-option;
unknown-protocol;
tear-drop;
}
tcp {
syn-fin;
fin-no-ack;
tcp-no-flag;
syn-frag;
port-scan threshold 1000;
syn-flood {
alarm-threshold 750;
attack-threshold 2000;
source-threshold 50;
destination-threshold 1000;
timeout 30;
}
land;
winnuke;
tcp-sweep threshold 1000;
}
udp {
flood threshold 1000;
udp-sweep threshold 1000;
}
limit-session {
source-ip-based 100;
destination-ip-based 25000;
}
}

root@SRX5800> show configuration security flow
syn-flood-protection-mode syn-cookie;
aging {
early-ageout 2;
low-watermark 66;
high-watermark 80;
}
tcp-session {
strict-syn-check;
}

–From Juniper SRX Series – Sample Deployment

Juniper firewall log

root@R3> show configuration firewall | display set
set firewall filter BLOCK_ICMP term 1 from source-address 11.11.11.1/32
set firewall filter BLOCK_ICMP term 1 from destination-address 33.33.33.3/32
set firewall filter BLOCK_ICMP term 1 from protocol icmp
set firewall filter BLOCK_ICMP term 1 from icmp-type echo-request
set firewall filter BLOCK_ICMP term 1 then count BLOCK_ICMP_Counter_1
set firewall filter BLOCK_ICMP term 1 then log
set firewall filter BLOCK_ICMP term 1 then reject
set firewall filter BLOCK_ICMP term 9999 then count BLOCK_ICMP_Counter_9999
set firewall filter BLOCK_ICMP term 9999 then accept

root@R3> show firewall log
Log :
Time Filter Action Interface Protocol Src Addr Dest Addr
21:22:39 BLOCK_ICMP R em5.0 ICMP 11.11.11.1 33.33.33.3
21:22:38 BLOCK_ICMP R em5.0 ICMP 11.11.11.1 33.33.33.3
21:22:38 BLOCK_ICMP R em5.0 ICMP 11.11.11.1 33.33.33.3
21:22:37 BLOCK_ICMP R em5.0 ICMP 11.11.11.1 33.33.33.3
21:22:36 BLOCK_ICMP R em5.0 ICMP 11.11.11.1 33.33.33.3
21:21:08 BLOCK_ICMP R em5.0 ICMP 11.11.11.1 33.33.33.3
21:20:22 BLOCK_ICMP R em5.0 ICMP 11.11.11.1 33.33.33.3
21:20:21 BLOCK_ICMP R em5.0 ICMP 11.11.11.1 33.33.33.3

root@R3> show firewall log detail
Time of Log: 2013-11-10 21:22:39 UTC, Filter: BLOCK_ICMP, Filter action: reject, Name of interface: em5.0
Name of protocol: ICMP, Packet Length: 54189, Source address: 11.11.11.1, Destination address: 33.33.33.3
ICMP type: 8, ICMP code: 0
Time of Log: 2013-11-10 21:22:38 UTC, Filter: BLOCK_ICMP, Filter action: reject, Name of interface: em5.0
Name of protocol: ICMP, Packet Length: 54189, Source address: 11.11.11.1, Destination address: 33.33.33.3
ICMP type: 8, ICMP code: 0
Time of Log: 2013-11-10 21:22:38 UTC, Filter: BLOCK_ICMP, Filter action: reject, Name of interface: em5.0
Name of protocol: ICMP, Packet Length: 54189, Source address: 11.11.11.1, Destination address: 33.33.33.3
ICMP type: 8, ICMP code: 0
Time of Log: 2013-11-10 21:22:37 UTC, Filter: BLOCK_ICMP, Filter action: reject, Name of interface: em5.0
Name of protocol: ICMP, Packet Length: 54189, Source address: 11.11.11.1, Destination address: 33.33.33.3
ICMP type: 8, ICMP code: 0
Time of Log: 2013-11-10 21:22:36 UTC, Filter: BLOCK_ICMP, Filter action: reject, Name of interface: em5.0
Name of protocol: ICMP, Packet Length: 54189, Source address: 11.11.11.1, Destination address: 33.33.33.3
ICMP type: 8, ICMP code: 0
Time of Log: 2013-11-10 21:21:08 UTC, Filter: BLOCK_ICMP, Filter action: reject, Name of interface: em5.0
Name of protocol: ICMP, Packet Length: 54189, Source address: 11.11.11.1, Destination address: 33.33.33.3
ICMP type: 8, ICMP code: 0
Time of Log: 2013-11-10 21:20:22 UTC, Filter: BLOCK_ICMP, Filter action: reject, Name of interface: em5.0
Name of protocol: ICMP, Packet Length: 54189, Source address: 11.11.11.1, Destination address: 33.33.33.3
ICMP type: 8, ICMP code: 0
Time of Log: 2013-11-10 21:20:21 UTC, Filter: BLOCK_ICMP, Filter action: reject, Name of interface: em5.0
Name of protocol: ICMP, Packet Length: 54189, Source address: 11.11.11.1, Destination address: 33.33.33.3
ICMP type: 8, ICMP code: 0

Juniper Junos basic BGP and firewall filter

R1:
root@R1> show configuration | display set
set version 10.1R1.8
set system host-name R1
set system root-authentication encrypted-password "$1$DxeIh.QQ$XZ6zRnoGMUHJw/On7ojvz0"
set system syslog user * any emergency
set system syslog file messages any notice
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands any
set interfaces em0 unit 0 family inet address 12.12.12.1/24
set interfaces lo0 unit 0 family inet address 1.1.1.1/24
set interfaces lo0 unit 0 family inet address 11.11.11.1/24
set routing-options static route 0.0.0.0/0 next-hop 12.12.12.2
set routing-options autonomous-system 100
set protocols bgp group EXT export LOOPS_to_BGP
set protocols bgp group EXT peer-as 200
set protocols bgp group EXT neighbor 12.12.12.2
set policy-options policy-statement LOOPS_to_BGP term 1 from protocol direct
set policy-options policy-statement LOOPS_to_BGP term 1 then accept

R2:
root@R2> show configuration | display set
set version 10.1R1.8
set system host-name R2
set system root-authentication encrypted-password "$1$DxeIh.QQ$XZ6zRnoGMUHJw/On7ojvz0"
set system syslog user * any emergency
set system syslog file messages any notice
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands any
set interfaces em0 unit 0 family inet address 12.12.12.2/24
set interfaces em5 unit 0 family inet address 23.23.23.2/24
set routing-options generate route 0.0.0.0/0
set routing-options autonomous-system 200
set protocols bgp traceoptions file BGP
set protocols bgp traceoptions flag route
set protocols bgp export DEFAULT
set protocols bgp group EXT neighbor 12.12.12.1 peer-as 100
set protocols bgp group EXT neighbor 23.23.23.3 peer-as 300
set policy-options policy-statement DEFAULT term 1 from protocol aggregate
set policy-options policy-statement DEFAULT term 1 then accept

R3:
root@R3> show configuration | display set
set version 10.1R1.8
set system host-name R3
set system root-authentication encrypted-password "$1$DxeIh.QQ$XZ6zRnoGMUHJw/On7ojvz0"
set system syslog user * any emergency
set system syslog file messages any notice
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands any
set interfaces em5 unit 0 family inet filter input BLOCK_ICMP
set interfaces em5 unit 0 family inet address 23.23.23.3/24
set interfaces lo0 unit 0 family inet address 3.3.3.3/24
set interfaces lo0 unit 0 family inet address 33.33.33.3/24
set routing-options autonomous-system 300
set protocols bgp group EXT export LOOPS_to_BGP
set protocols bgp group EXT neighbor 23.23.23.2 peer-as 200
set policy-options policy-statement LOOPS_to_BGP term 1 from protocol direct
set policy-options policy-statement LOOPS_to_BGP term 1 then accept
set firewall filter BLOCK_ICMP term 1 from source-address 11.11.11.1/32
set firewall filter BLOCK_ICMP term 1 from destination-address 33.33.33.3/32
set firewall filter BLOCK_ICMP term 1 from protocol icmp
set firewall filter BLOCK_ICMP term 1 from icmp-type echo-request
set firewall filter BLOCK_ICMP term 1 then count BLOCK_ICMP_Counter_1
set firewall filter BLOCK_ICMP term 1 then reject
set firewall filter BLOCK_ICMP term 9999 then count BLOCK_ICMP_Counter_9999
set firewall filter BLOCK_ICMP term 9999 then accept

root@R3> show firewall filter BLOCK_ICMP counter BLOCK_ICMP_Counter_1

Filter: BLOCK_ICMP
Counters:
Name Bytes Packets
BLOCK_ICMP_Counter_1 9240 110

root@R3> show firewall filter BLOCK_ICMP counter BLOCK_ICMP_Counter_9999

Filter: BLOCK_ICMP
Counters:
Name Bytes Packets
BLOCK_ICMP_Counter_9999 2316 34

root@R3> clear firewall counter BLOCK_ICMP_Counter_1 filter BLOCK_ICMP

root@R3> clear firewall counter BLOCK_ICMP_Counter_9999 filter BLOCK_ICMP

root@R3> show firewall filter BLOCK_ICMP counter BLOCK_ICMP_Counter_1

Filter: BLOCK_ICMP
Counters:
Name Bytes Packets
BLOCK_ICMP_Counter_1 0 0

root@R3> show firewall filter BLOCK_ICMP counter BLOCK_ICMP_Counter_9999

Filter: BLOCK_ICMP
Counters:
Name Bytes Packets
BLOCK_ICMP_Counter_9999 0 0

root@R3>

Juniper load balance per packet

set version 10.1R1.8
set system host-name olive
set system root-authentication encrypted-password "$1$DxeIh.QQ$XZ6zRnoGMUHJw/On7ojvz0"
set system syslog user * any emergency
set system syslog file messages any notice
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands any
set interfaces em0 unit 0 family inet address 12.12.12.1/24
set interfaces em0 unit 0 family iso
set interfaces em5 unit 0 family inet address 21.21.21.1/24
set interfaces em5 unit 0 family iso
set interfaces lo0 unit 0 family iso address 49.0001.0000.ffff.00
set routing-options forwarding-table export LOAD_BALANCE_PER_PACKET
set protocols isis interface em0.0
set protocols isis interface em5.0
set protocols isis interface lo0.0
set policy-options policy-statement LOAD_BALANCE_PER_PACKET then load-balance per-packet

 

set version 10.1R1.8
set system host-name olive2
set system root-authentication encrypted-password "$1$DxeIh.QQ$XZ6zRnoGMUHJw/On7ojvz0"
set system syslog user * any emergency
set system syslog file messages any notice
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands any
set interfaces em0 unit 0 family inet address 12.12.12.2/24
set interfaces em0 unit 0 family iso
set interfaces em5 unit 0 family inet address 21.21.21.2/24
set interfaces em5 unit 0 family iso
set interfaces lo0 unit 0 family inet address 2.2.2.2/32
set interfaces lo0 unit 0 family iso address 49.0001.2222.2222.00
set protocols isis interface em0.0
set protocols isis interface em5.0
set protocols isis interface lo0.0

root@olive# run ping 2.2.2.2 count 10
PING 2.2.2.2 (2.2.2.2): 56 data bytes
64 bytes from 2.2.2.2: icmp_seq=0 ttl=64 time=1.004 ms
64 bytes from 2.2.2.2: icmp_seq=1 ttl=64 time=1.033 ms
64 bytes from 2.2.2.2: icmp_seq=2 ttl=64 time=1.180 ms
64 bytes from 2.2.2.2: icmp_seq=3 ttl=64 time=0.816 ms
64 bytes from 2.2.2.2: icmp_seq=4 ttl=64 time=0.812 ms
64 bytes from 2.2.2.2: icmp_seq=5 ttl=64 time=1.279 ms
64 bytes from 2.2.2.2: icmp_seq=6 ttl=64 time=1.009 ms
64 bytes from 2.2.2.2: icmp_seq=7 ttl=64 time=1.040 ms
64 bytes from 2.2.2.2: icmp_seq=8 ttl=64 time=1.006 ms
64 bytes from 2.2.2.2: icmp_seq=9 ttl=64 time=1.361 ms

Send 10 pings and look for the ICMP echo requests ("REQUEST") on the other side; because forwarding is load-balanced per packet over em0 and em5, only 5 of the 10 requests arrive on em0:

root@olive2# run monitor traffic matching icmp interface em0
verbose output suppressed, use <detail> or <extensive> for full protocol decode
Address resolution is ON. Use <no-resolve> to avoid any reverse lookup delay.
Address resolution timeout is 4s.
Listening on em0, capture size 96 bytes

Reverse lookup for 2.2.2.2 failed (check DNS reachability). Other reverse lookup failures will not be reported. Use <no-resolve> to avoid reverse lookups on IP addresses.

11:39:20.169725  In IP truncated-ip - 24 bytes missing! 12.12.12.1 > 2.2.2.2: ICMP echo request, id 17672, seq 0, length 64
11:39:20.169903 Out IP truncated-ip - 24 bytes missing! 2.2.2.2 > 12.12.12.1: ICMP echo reply, id 17672, seq 0, length 64
11:39:21.591419 Out IP truncated-ip - 24 bytes missing! 2.2.2.2 > 12.12.12.1: ICMP echo reply, id 17672, seq 1, length 64
11:39:22.978427  In IP truncated-ip - 24 bytes missing! 12.12.12.1 > 2.2.2.2: ICMP echo request, id 17672, seq 2, length 64
11:39:22.978598 Out IP truncated-ip - 24 bytes missing! 2.2.2.2 > 12.12.12.1: ICMP echo reply, id 17672, seq 2, length 64
11:39:24.366346  In IP truncated-ip - 24 bytes missing! 12.12.12.1 > 2.2.2.2: ICMP echo request, id 17672, seq 3, length 64
11:39:24.366503 Out IP truncated-ip - 24 bytes missing! 2.2.2.2 > 12.12.12.1: ICMP echo reply, id 17672, seq 3, length 64
11:39:25.773527 Out IP truncated-ip - 24 bytes missing! 2.2.2.2 > 12.12.12.1: ICMP echo reply, id 17672, seq 4, length 64
11:39:27.175892 Out IP truncated-ip - 24 bytes missing! 2.2.2.2 > 12.12.12.1: ICMP echo reply, id 17672, seq 5, length 64
11:39:28.592626  In IP truncated-ip - 24 bytes missing! 12.12.12.1 > 2.2.2.2: ICMP echo request, id 17672, seq 6, length 64
11:39:28.592788 Out IP truncated-ip - 24 bytes missing! 2.2.2.2 > 12.12.12.1: ICMP echo reply, id 17672, seq 6, length 64
11:39:30.000321 Out IP truncated-ip - 24 bytes missing! 2.2.2.2 > 12.12.12.1: ICMP echo reply, id 17672, seq 7, length 64
11:39:31.392799 Out IP truncated-ip - 24 bytes missing! 2.2.2.2 > 12.12.12.1: ICMP echo reply, id 17672, seq 8, length 64
11:39:32.798325  In IP truncated-ip - 24 bytes missing! 12.12.12.1 > 2.2.2.2: ICMP echo request, id 17672, seq 9, length 64
11:39:32.798489 Out IP truncated-ip - 24 bytes missing! 2.2.2.2 > 12.12.12.1: ICMP echo reply, id 17672, seq 9, length 64