
JNCIE-ENT LAB V1.2
Mock Labs

LAB v1.2

Section 1

– Initial setting
– Authentication
– Syslog
– NTP
– SNMPv3
– Firewall filters
– DHCP


NOTE: vSRX (v15) in packet mode and vQFX switches (v18) are used for this lab. Some automation tools are used as well.
MGMT IPs and port details: please check the network topology. Login: root/juniper123. Because the vSRX runs in packet mode, a few additional commands are added to each vSRX to strip the default flow/security configuration so it behaves as a plain packet-mode device (i.e. a router/switch).
Base Config & Test

——- D1/SRX1
edit
load factory-default
set system root-authentication plain-text-password
set system host-name D1-Mercury
del security screen ids-option untrust-screen
del security policies from-zone trust to-zone trust policy default-permit
del security zones security-zone trust tcp-rst
del security zones security-zone untrust screen untrust-screen
commit
del security zones security-zone trust
del security zones security-zone untrust
del security policies from-zone trust to-zone untrust policy default-permit
commit
del security policies
commit

set security forwarding-options family inet6 mode packet-based
set security forwarding-options family mpls mode packet-based
commit

set interfaces ge-0/0/0 unit 0 family inet address 10.10.1.1/24
set system services ssh
set system services netconf ssh
set protocols lldp interface all
commit

——- D2/SRX2
edit
load factory-default
set system root-authentication plain-text-password
set system host-name D2-Venus
del security screen ids-option untrust-screen
del security policies from-zone trust to-zone trust policy default-permit
del security zones security-zone trust tcp-rst
del security zones security-zone untrust screen untrust-screen
commit

del security zones security-zone trust
del security zones security-zone untrust
del security policies from-zone trust to-zone untrust policy default-permit
commit
del security policies
commit

set security forwarding-options family inet6 mode packet-based
set security forwarding-options family mpls mode packet-based
commit

set interfaces ge-0/0/0 unit 0 family inet address 10.10.1.2/24
set system services ssh
set system services netconf ssh
set protocols lldp interface all
commit

——- D3/SRX3
edit
load factory-default
set system root-authentication plain-text-password
set system host-name D3-Earth
del security screen ids-option untrust-screen
del security policies from-zone trust to-zone trust policy default-permit
del security zones security-zone trust tcp-rst
del security zones security-zone untrust screen untrust-screen
commit
del security zones security-zone trust
del security zones security-zone untrust
del security policies from-zone trust to-zone untrust policy default-permit
commit
del security policies
commit

set security forwarding-options family inet6 mode packet-based
set security forwarding-options family mpls mode packet-based
commit

set interfaces ge-0/0/0 unit 0 family inet address 10.10.1.3/24
set system services ssh
set system services netconf ssh
set protocols lldp interface all
commit

——- D4/SRX4
edit
load factory-default
set system root-authentication plain-text-password
set system host-name D4-Mars
del security screen ids-option untrust-screen
del security policies from-zone trust to-zone trust policy default-permit
del security zones security-zone trust tcp-rst
del security zones security-zone untrust screen untrust-screen
commit
del security zones security-zone trust
del security zones security-zone untrust
del security policies from-zone trust to-zone untrust policy default-permit
commit
del security policies
commit

set security forwarding-options family inet6 mode packet-based
set security forwarding-options family mpls mode packet-based
commit

set interfaces ge-0/0/0 unit 0 family inet address 10.10.1.4/24
set system services ssh
set system services netconf ssh
set protocols lldp interface all
commit

——vQFX/EX Switches: D5-Jupiter:
edit
load factory-default
set system root-authentication plain-text-password

set system host-name D5-Jupiter
set system services ssh
set system services netconf ssh
set protocols lldp interface all
set system services ssh root-login allow
set interfaces em2 unit 0 family inet address 10.10.1.11/24

——— D6-Saturn:
edit
load factory-default
set system root-authentication plain-text-password

set system host-name D6-Saturn
set system services ssh
set system services netconf ssh
set protocols lldp interface all
set system services ssh root-login allow
set interfaces em2 unit 0 family inet address 10.10.1.12/24
commit and-quit

——— D7-Uranus:
edit
load factory-default
set system root-authentication plain-text-password

set system host-name D7-Uranus
set system services ssh
set system services netconf ssh
set protocols lldp interface all
set system services ssh root-login allow
set interfaces em2 unit 0 family inet address 10.10.1.13/24
commit and-quit

——— D8-Neptune:
edit
load factory-default
set system root-authentication plain-text-password

set system host-name D8-Neptune
set system services ssh
set system services netconf ssh
set protocols lldp interface all
set system services ssh root-login allow
set interfaces em2 unit 0 family inet address 10.10.1.14/24
commit and-quit

——–SRX_VR-device:
To emulate an external system interacting with your domain.

edit
load factory-default
set system root-authentication plain-text-password
set system host-name VR-device

del security screen ids-option untrust-screen
del security policies from-zone trust to-zone trust policy default-permit
del security zones security-zone trust tcp-rst
del security zones security-zone untrust screen untrust-screen
commit
del security zones security-zone trust
del security zones security-zone untrust
del security policies from-zone trust to-zone untrust policy default-permit
commit
del security policies
commit

set security forwarding-options family inet6 mode packet-based
set security forwarding-options family mpls mode packet-based
commit

set system services ssh
set system services netconf ssh
set system ntp boot-server 10.10.10.1
set system ntp server 10.10.10.1
set security forwarding-options family inet6 mode packet-based
set security forwarding-options family mpls mode packet-based
set interfaces ge-0/0/0 unit 0 family inet address 10.10.1.9/24
set routing-options static route 10.10.10.0/24 next-hop 10.10.1.254
set routing-options static route 10.10.10.0/24 no-readvertise
set protocols lldp interface all
commit

Simple L2 switch with default config at this point. Cisco IOL L2.

The VLAN part is mostly already in place for the real lab. For this lab, the following VLANs/SVIs provide LAN connectivity between the devices and the server (S1).

L2-Switch#show run
Building configuration…

Current configuration : 2744 bytes
!
! Last configuration change at 00:29:48 EST Thu Jan 16 2020
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service compress-config
!
hostname L2-Switch
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
clock timezone EST -5 0
!

!
ip cef
no ipv6 cef
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!

!
interface Ethernet0/0
description D1-D4
switchport access vlan 100
switchport mode access
!
interface Ethernet0/1
description D1-D4
switchport access vlan 100
switchport mode access
!
interface Ethernet0/2
description D1-D4
switchport access vlan 100
switchport mode access
!
interface Ethernet0/3
description D1-D4
switchport access vlan 100
switchport mode access
!
interface Ethernet1/0
description D5-D8
switchport access vlan 100
switchport mode access
!
interface Ethernet1/1
description D5-D8
switchport access vlan 100
switchport mode access
!
interface Ethernet1/2
description D5-D8
switchport access vlan 100
switchport mode access
!
interface Ethernet1/3
description D5-D8
switchport access vlan 100
switchport mode access
!
interface Ethernet2/0
switchport access vlan 100
switchport mode access
!
interface Ethernet2/1
description Internet
!
interface Ethernet2/2
!
interface Ethernet2/3
description S1
switchport access vlan 200
switchport mode access
!
!
interface Ethernet9/3
switchport access vlan 300
switchport mode access

!
interface Vlan100
description vSRX_EX_vlan
ip address 10.10.1.254 255.255.255.0
!
interface Vlan200
description S1_server_vlan
ip address 10.10.10.254 255.255.255.0
!
end

L2-Switch#


Useful commands (reference):

cat /etc/systemd/resolved.conf
service bind9 restart
systemctl restart bind9
cat /etc/bind/named.conf.options
dig www.linuxquestions.org @topfreelanceitconsultants.com
nslookup www.cisco.com 10.10.10.1
show host server 10.10.10.1 ubuntu1804-pfne.example.com
view /etc/netplan/01-netcfg.yaml
named-checkzone example.com /etc/bind/db.example.com
named-checkzone 10.10.10.in-addr.arpa /etc/bind/db.10
named-checkconf /etc/bind/named.conf.local
named-checkconf /etc/bind/named.conf
cat /etc/bind/named.conf
cat /etc/bind/named.conf.local
sudo ufw allow from any to any port 53
sudo ufw allow 53/tcp
sudo ufw allow 53/udp

S1:

Server (S1) is a linux server for ftp/snmp/syslog/RADIUS/DNS proxy.
IP: 10.10.10.1/24

GW:  10.10.10.254 (For LAN reachability)

[email protected]:~# netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         10.10.10.254    0.0.0.0         UG        0 0          0 ens4
0.0.0.0         192.168.86.1    0.0.0.0         UG        0 0          0 ens3
10.10.10.0      0.0.0.0         255.255.255.0   U         0 0          0 ens4
192.168.86.0    0.0.0.0         255.255.255.0   U         0 0          0 ens3
192.168.86.1    0.0.0.0         255.255.255.255 UH        0 0          0 ens3
[email protected]:~#

— If you want S1 to have access to both the Internet and the local LAN networks, use the following netplan file:

# This file describes the network interfaces available on your system
# For more information, see netplan(5).
network:
  version: 2
  renderer: networkd
  ethernets:
    ens3:
      dhcp4: no
      addresses: [192.168.86.221/24]
      gateway4: 192.168.86.1
      nameservers:
        addresses: [8.8.8.8,192.168.86.1]
    ens4:
      dhcp4: no
      addresses: [10.10.10.1/24]
      routes:
        - to: 10.10.1.0/24
          via: 10.10.10.254
        - to: 10.10.10.0/24
          via: 10.10.10.254

[email protected]:~# ping google.com
PING google.com (172.217.3.110) 56(84) bytes of data.
64 bytes from lga34s18-in-f14.1e100.net (172.217.3.110): icmp_seq=1 ttl=53 time=17.4 ms
64 bytes from lga34s18-in-f14.1e100.net (172.217.3.110): icmp_seq=2 ttl=53 time=16.4 ms
^C
--- google.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 16.468/16.968/17.469/0.517 ms

[email protected]:~# ping 10.10.1.9
PING 10.10.1.9 (10.10.1.9) 56(84) bytes of data.
64 bytes from 10.10.1.9: icmp_seq=1 ttl=63 time=1.44 ms
64 bytes from 10.10.1.9: icmp_seq=2 ttl=63 time=1.01 ms
^C
--- 10.10.1.9 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 1.012/1.227/1.442/0.215 ms
[email protected]:~#

—- Configure S1 as DNS Server (Using bind9) —

#apt-get install bind9
#apt-get install dnsutils

#vi /etc/bind/named.conf.options
Add the following block to it; here we forward unresolved queries to Google's public resolver (8.8.8.8):
forwarders {
8.8.8.8;
};

[email protected]:~# systemctl stop bind9
[email protected]:~# systemctl start bind9
[email protected]:~# systemctl status bind9
bind9.service - BIND Domain Name Server
   Loaded: loaded (/lib/systemd/system/bind9.service; enabled; vendor preset: enabled)
   Active: active (running) since Thu 2020-01-16 19:34:54 PST; 5s ago
     Docs: man:named(8)
  Process: 18627 ExecStop=/usr/sbin/rndc stop (code=exited, status=0/SUCCESS)
 Main PID: 19052 (named)
    Tasks: 4 (limit: 2321)
   CGroup: /system.slice/bind9.service
           └─19052 /usr/sbin/named -f -u bind

TEST

[email protected]:~# dig google.com

; <<>> DiG 9.11.3-1ubuntu1.11-Ubuntu <<>> google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25624
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;google.com. IN A

;; ANSWER SECTION:
google.com. 94 IN A 172.217.10.78

;; Query time: 1 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Thu Jan 16 19:00:49 PST 2020
;; MSG SIZE  rcvd: 55

Primary Master

For a primary master server configuration, the DNS server gets the data for a zone from a file stored on its host, and it is authoritative for that zone. Now let's say we have a domain called "example.com"; we are going to configure the DNS server to be the primary master for that domain.

Forward Zone File

Here in the forward zone, the name will map to the IP.

Step 1. Open and edit the /etc/bind/named.conf file.

sudo vi /etc/bind/named.conf

Ensure that it contains the following lines and that they are NOT commented out:

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";

Step 2. Open and edit the /etc/bind/named.conf.local file to add a DNS zone.

sudo vi /etc/bind/named.conf.local

Add the following block to it:
zone "example.com" {
type master;
file "/etc/bind/db.example.com";
};

Step 3. Create a zone file from the template one.

sudo cp /etc/bind/db.local /etc/bind/db.example.com

Step 4. Now open the new example zone file.

sudo vi /etc/bind/db.example.com

And change it to look like this:

;
; BIND data file for local loopback interface
;
$TTL 604800
@ IN SOA localhost. root.localhost. (
3 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
IN A 10.10.10.1
;
@ IN NS ns.example.com.
@ IN A 10.10.10.1
@ IN AAAA ::1
ns IN A 10.10.10.1

Please note that you have to increase the Serial Number every time you make changes to the zone files.

Step 5. Restart DNS Service to apply changes.

sudo systemctl restart bind9

Reverse Zone File

Now to map an IP to a name you have to configure the reverse zone file.

Step 1. Edit the /etc/bind/named.conf.local file.

sudo vi /etc/bind/named.conf.local

Add the following block:
zone "10.10.10.in-addr.arpa" {
type master;
file "/etc/bind/db.10";
};

Here 10.10.10 is the first three octets of your network, written in reverse order as the in-addr.arpa zone name expects (for 10.10.10.0/24 the reversed octets happen to read the same).

Step 2. Create the  /etc/bind/db.10 file from template one.

sudo cp /etc/bind/db.127 /etc/bind/db.10

Step 3. Edit the /etc/bind/db.10 file.

sudo vi /etc/bind/db.10

And it should be like this:

;
; BIND reverse data file for 10.10.10.0/24 (copied from the db.127 template)
;
$TTL 604800
@ IN SOA ns.example.com. root.example.com. (
2 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS ns.example.com.
1 IN PTR ns.example.com.
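Serving both zone-file procedures above, here is an added checker (example code, not part of the original lab page) for the two mistakes that bite most often when zone files are copied from the db.local/db.127 templates: the SOA serial must increase on every change, and each PTR owner label must complete the zone name into a four-octet in-addr.arpa name that falls inside the zone's own network, with the NS target being a fully qualified host. The "as copied" sample keeps the db.127 template's 1.0.0 owner label and bare ns. NS target; the "fixed" sample is the file as it should look. The parser is deliberately minimal (no $ORIGIN, $INCLUDE or quoted strings) and the sample zone text is constructed here.

```python
import ipaddress

# Constructed samples: the reverse zone file with values carried over from the
# db.127 template, and a corrected copy with the serial bumped.
REVERSE_ZONE = "10.10.10.in-addr.arpa"
DB10_AS_COPIED = """\
$TTL 604800
@ IN SOA ns.example.com. root.example.com. (
2 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS ns.
1.0.0 IN PTR ns.example.com.
"""
DB10_FIXED = """\
$TTL 604800
@ IN SOA ns.example.com. root.example.com. (
3 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS ns.example.com.
1 IN PTR ns.example.com.
"""

KNOWN_TYPES = {"SOA", "NS", "A", "AAAA", "PTR", "CNAME", "MX", "TXT"}


def parse_records(zone_text):
    """Minimal reader for BIND's db.* template style: drops ';' comments, joins the
    parenthesised SOA and tracks the inherited owner name. Not a full RFC 1035
    parser (no $ORIGIN/$INCLUDE, no quoted strings); enough for the files used here."""
    records, owner, buf = [], "@", []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip() or line.startswith("$"):
            continue
        buf.append(line)
        joined = " ".join(buf)
        if joined.count("(") > joined.count(")"):
            continue  # still inside a multi-line record
        first_line, buf = buf[0], []
        tokens = joined.replace("(", " ").replace(")", " ").split()
        if not first_line[0].isspace() and tokens[0] != "IN" and tokens[0] not in KNOWN_TYPES:
            owner = tokens.pop(0)  # explicit owner; otherwise the previous owner applies
        if tokens[0] == "IN":
            tokens.pop(0)
        records.append((owner, tokens[0], tokens[1:]))
    return records


def _arpa_labels(name):
    name = name.rstrip(".")
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        raise ValueError(f"{name} is not an in-addr.arpa name")
    return name[: -len(suffix)].split(".")


def ptr_name_to_ip(fqdn):
    """'1.10.10.10.in-addr.arpa' -> IPv4Address('10.10.10.1')."""
    labels = _arpa_labels(fqdn)
    if len(labels) != 4:
        raise ValueError(f"{fqdn} has {len(labels)} octets, expected 4")
    return ipaddress.ip_address(".".join(reversed(labels)))


def reverse_zone_network(zone_name):
    """'10.10.10.in-addr.arpa' -> IPv4Network('10.10.10.0/24')."""
    labels = _arpa_labels(zone_name)
    octets = list(reversed(labels)) + ["0"] * (4 - len(labels))
    return ipaddress.ip_network(".".join(octets) + f"/{8 * len(labels)}")


def check_reverse_zone(zone_name, zone_text, previous_serial=None):
    """Return a list of problems; an empty list means the file fits its zone."""
    problems, network = [], reverse_zone_network(zone_name)
    for owner, rtype, rdata in parse_records(zone_text):
        if rtype == "SOA":
            serial = int(rdata[2])
            if previous_serial is not None and serial <= previous_serial:
                problems.append(f"SOA serial {serial} was not increased past {previous_serial}")
        elif rtype == "NS" and "." not in rdata[0].rstrip("."):
            problems.append(f"NS target {rdata[0]!r} is not a fully qualified host name")
        elif rtype == "PTR":
            fqdn = zone_name if owner == "@" else f"{owner}.{zone_name}"
            try:
                ip = ptr_name_to_ip(fqdn)
            except ValueError as err:
                problems.append(f"PTR owner {owner!r}: {err}")
                continue
            if ip not in network:
                problems.append(f"PTR owner {owner!r} maps to {ip}, outside {network}")
    return problems


if __name__ == "__main__":
    for label, text in (("as copied", DB10_AS_COPIED), ("fixed", DB10_FIXED)):
        print(label, check_reverse_zone(REVERSE_ZONE, text, previous_serial=2) or "OK")
```

Run it before `named-checkzone`: named-checkzone loads the file under whatever zone name you pass on the command line, so a PTR owner built from the wrong template passes syntax checking but never answers the lookup you expect.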

–Restart bind services, and test.

[email protected]:~# named-checkzone example.com /etc/bind/db.example.com
zone example.com/IN: loaded serial 3
OK
[email protected]:~# named-checkzone 192.168.0.0/32 /etc/bind/db.10
zone 192.168.0.0/32/IN: loaded serial 2
OK
[email protected]:~# named-checkconf  /etc/bind/named.conf.local
[email protected]:~# named-checkconf  /etc/bind/named.conf
[email protected]:~# host www.google.com 10.10.10.1
Using domain server:
Name: 10.10.10.1
Address: 10.10.10.1#53
Aliases:

www.google.com has address 172.217.6.228
www.google.com has IPv6 address 2607:f8b0:4006:819::2004
[email protected]:~#

sudo nano /etc/hostname

ubuntu1804-pfne.example.com


sudo nano /etc/hosts

127.0.1.1       ubuntu1804-pfne.example.com ubuntu1804-pfne localhost

[email protected]:~# hostname
ubuntu1804-pfne.example.com
[email protected]:~# nslookup 10.10.10.1
1.10.10.10.in-addr.arpa name = ubuntu1804-pfne.example.com.
1.10.10.10.in-addr.arpa name = ubuntu1804-pfne.
1.10.10.10.in-addr.arpa name = ubuntu1804-pfne.local.

Authoritative answers can be found from:

[email protected]:~# nslookup –dns-ip=10.10.10.1 google.com
Server: 127.0.0.53
Address: 127.0.0.53#53

Non-authoritative answer:
Name: google.com
Address: 172.217.12.206
Name: google.com
Address: 2607:f8b0:4006:81b::200e

NTP Server configuration on Ubuntu 18.04

-Check the ntp installation with: #ntpq -pn
# sudo apt install ntp
# ntpq -pn
# sudo service ntp status
# sudo ufw allow from any to any port 123 proto udp


[email protected]> ping count 2 10.10.1.1
PING 10.10.1.1 (10.10.1.1): 56 data bytes
64 bytes from 10.10.1.1: icmp_seq=0 ttl=64 time=0.090 ms
64 bytes from 10.10.1.1: icmp_seq=1 ttl=64 time=0.145 ms

[email protected]> ping count 2 10.10.1.2
PING 10.10.1.2 (10.10.1.2): 56 data bytes
64 bytes from 10.10.1.2: icmp_seq=0 ttl=64 time=2.506 ms
64 bytes from 10.10.1.2: icmp_seq=1 ttl=64 time=7.686 ms

[email protected]> ping count 2 10.10.1.3
PING 10.10.1.3 (10.10.1.3): 56 data bytes
64 bytes from 10.10.1.3: icmp_seq=0 ttl=64 time=7.219 ms
64 bytes from 10.10.1.3: icmp_seq=1 ttl=64 time=2.622 ms

[email protected]> ping count 2 10.10.1.4
PING 10.10.1.4 (10.10.1.4): 56 data bytes
64 bytes from 10.10.1.4: icmp_seq=0 ttl=64 time=7.767 ms
64 bytes from 10.10.1.4: icmp_seq=1 ttl=64 time=3.859 ms

[email protected]> ping count 2 10.10.1.11
PING 10.10.1.11 (10.10.1.11): 56 data bytes
64 bytes from 10.10.1.11: icmp_seq=0 ttl=64 time=4.599 ms
64 bytes from 10.10.1.11: icmp_seq=1 ttl=64 time=2.409 ms

[email protected]> ping count 2 10.10.1.12
PING 10.10.1.12 (10.10.1.12): 56 data bytes
64 bytes from 10.10.1.12: icmp_seq=0 ttl=64 time=5.157 ms
64 bytes from 10.10.1.12: icmp_seq=1 ttl=64 time=3.657 ms

[email protected]> ping count 2 10.10.1.13
PING 10.10.1.13 (10.10.1.13): 56 data bytes
64 bytes from 10.10.1.13: icmp_seq=0 ttl=64 time=4.914 ms
64 bytes from 10.10.1.13: icmp_seq=1 ttl=64 time=2.185 ms

[email protected]> ping count 2 10.10.1.14
PING 10.10.1.14 (10.10.1.14): 56 data bytes
64 bytes from 10.10.1.14: icmp_seq=0 ttl=64 time=6.996 ms
64 bytes from 10.10.1.14: icmp_seq=1 ttl=64 time=6.196 ms

[email protected]> ping count 2 10.10.1.9
PING 10.10.1.9 (10.10.1.9): 56 data bytes
64 bytes from 10.10.1.9: icmp_seq=0 ttl=64 time=3.524 ms
64 bytes from 10.10.1.9: icmp_seq=1 ttl=64 time=8.601 ms

[email protected]> ping count 2 10.10.10.1
PING 10.10.10.1 (10.10.10.1): 56 data bytes
ping: sendto: No route to host
ping: sendto: No route to host

--- 10.10.10.1 ping statistics ---
2 packets transmitted, 0 packets received, 100% packet loss

-No routing in place for 10.10.10.0/24 at this point-

[email protected]# edit system

[edit system]
[email protected]# show
services {
    ssh;
    telnet;
    web-management {
        http {
            interface ge-0/0/0.0;
        }
        https {
            system-generated-certificate;
            interface ge-0/0/0.0;
        }
    }
}

** APPLY ON ALL DEVICES, except switches **

set routing-options static route 10.10.10.0/24 next-hop 10.10.1.254
set routing-options static route 10.10.10.0/24 no-readvertise
set system backup-router 10.10.10.254

** APPLY ON ALL DEVICES ** In the real lab, always check whether a task is specific to a single device, etc.

RPD in Juniper
Within Junos OS, the routing protocol process (rpd) controls the routing protocols that run on the device. It starts all configured routing protocols and handles all routing messages, and it maintains one or more routing tables that consolidate the routing information learned from all routing protocols.
The backup-router is used only while rpd is not running (for example during boot), so that the management network stays reachable without depending on the routing process; once rpd is up, the static route above takes over.

Test ping from the S1 server to all devices. We will be using a Python script, run from S1.

[email protected]:~/python# python3 ping.py
10.10.1.1
active
10.10.1.2
active
10.10.1.3
active
10.10.1.4
active
10.10.1.9
active
10.10.1.11
active
10.10.1.12
active
10.10.1.13
active
10.10.1.14
active
10.10.10.1
active
10.10.10.254
active
10.10.1.254
active

 — Python script & file.

# cat ping.py

import subprocess

# Read one host per line from devices.txt and report whether a single ping
# (numeric output, 2 s reply timeout) gets an answer. The newline is stripped
# so ping receives a clean address, and ping's own output goes to /dev/null
# rather than to the read-only file handle.
with open('devices.txt', 'r') as f:
    for ip in f:
        ip = ip.strip()
        if not ip:
            continue
        result = subprocess.call(["ping", "-c", "1", "-n", "-W", "2", ip],
                                 stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
        if result:
            print(ip, "inactive")
        else:
            print(ip, "active")

# cat devices.txt
10.10.1.1
10.10.1.2
10.10.1.3
10.10.1.4
10.10.1.9
10.10.1.11
10.10.1.12
10.10.1.13
10.10.1.14
10.10.10.1
10.10.10.254
10.10.1.254

[email protected]#
set system time-zone PST8PDT
set system name-server 10.10.10.1
set system domain-name example.com

** APPLY ON ALL DEVICES ** 

–show:
[email protected]# edit system

[edit system]
[email protected]# show |match domain
domain-name example.com;

You can configure an external or LAN name-server; however, if you do not have any name-server/DNS server, you can configure static host mappings with aliases on the local device so that it resolves the names itself.
S1 is configured as NTP server. Please check S1 base config on how to configure S1/linux server as NTP server.
NTP:
set system ntp boot-server 10.10.10.1 authentication-key 1 type md5 value cloudkod
set system ntp server 10.10.10.1 key 1 
[email protected]# edit system ntp
[edit system ntp]
boot-server 10.10.10.1;
authentication-key 1 type md5 value “$9$I8AcSeVb2UjqoJjqfQ9CrevM87”; ## SECRET-DATA
server 10.10.10.1 key 1; ## SECRET-DATA

Name-server /DNS:

[email protected]> show host www.google.com
www.google.com has address 172.217.12.132
www.google.com has IPv6 address 2607:f8b0:4006:815::2004

[email protected]> show host server 10.10.10.1 www.google.com
Using domain server:
Name: 10.10.10.1
Address: 10.10.10.1#53
Aliases:

www.google.com has address 172.217.12.132
www.google.com has IPv6 address 2607:f8b0:4006:815::2004

Logs captured on S1 for the DNS lookup:

[email protected]:~# tcpdump -i ens4
23:23:19.541611 IP 10.10.1.1.54147 > ubuntu1804-pfne.example.com.domain: 28251+ A? www.google.com. (32)
23:23:19.542470 IP ubuntu1804-pfne.example.com.domain > 10.10.1.1.54147: 28251 1/13/0 A 172.217.10.132 (259)
23:23:19.549687 IP 10.10.1.1.58643 > ubuntu1804-pfne.example.com.domain: 50827+ AAAA? www.google.com. (32)
23:23:19.549831 IP ubuntu1804-pfne.example.com.domain > 10.10.1.1.58643: 50827 1/13/0 AAAA 2607:f8b0:4006:802::2004 (271)
23:23:19.552251 IP 10.10.1.1.51321 > ubuntu1804-pfne.example.com.domain: 19939+ MX? www.google.com. (32)
23:23:19.552372 IP ubuntu1804-pfne.example.com.domain > 10.10.1.1.51321: 19939 0/1/0 (82)

— NTP Test:

show system uptime | match current
show log messages | match ntp
show ntp associations

1)-
[email protected]> show ntp associations
remote refid st t when poll reach delay offset jitter
===============================================================================
10.10.10.1 .INIT. 16 - - 1024 0 0.000 0.000 4000.00

2)-
[email protected]> show ntp associations
remote refid st t when poll reach delay offset jitter
===============================================================================
10.10.10.1 .STEP. 16 - 114 64 0 0.000 0.000 4000.00

3)-
[email protected]> show ntp associations
remote refid st t when poll reach delay offset jitter
===============================================================================
*10.10.10.1 91.189.89.199 3 - 51 64 37 3.064 6.349 16.285

S1 logs:

20:56:57.141906 IP 10.10.1.1.ntp > ubuntu1804-pfne.example.com.ntp: NTPv4, Client, length 48
20:56:57.142350 IP ubuntu1804-pfne.example.com.ntp > 10.10.1.1.ntp: NTPv4, Server, length 48
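The three snapshots above show the association moving from .INIT. through .STEP. to a selected system peer (the * tally) at stratum 3. The reach column is an 8-bit shift register of the last eight polls printed in octal, so 37 (binary 00011111) means the last five polls were all answered. The following added example (not part of the original lab page) parses rows in that layout and decides whether the device clock can be trusted, which matters because an unsynchronised clock makes the syslog, tcpdump and login timestamps on this page impossible to correlate. The sample rows are the page's own; the 128 ms offset limit and the requirement of three consecutive successful polls are thresholds chosen for the example.

```python
import re

# Constructed sample: the three 'show ntp associations' rows captured above.
SNAPSHOTS = [
    "10.10.10.1 .INIT. 16 - - 1024 0 0.000 0.000 4000.00",
    "10.10.10.1 .STEP. 16 - 114 64 0 0.000 0.000 4000.00",
    "*10.10.10.1 91.189.89.199 3 - 51 64 37 3.064 6.349 16.285",
]

# remote refid st t when poll reach delay offset jitter, optionally led by a tally code
ROW = re.compile(
    r"^(?P<tally>[*+#x-]?)(?P<remote>\S+)\s+(?P<refid>\S+)\s+(?P<st>\d+)\s+(?P<t>\S)\s+"
    r"(?P<when>\S+)\s+(?P<poll>\d+)\s+(?P<reach>[0-7]+)\s+(?P<delay>\S+)\s+"
    r"(?P<offset>\S+)\s+(?P<jitter>\S+)$"
)
TALLY = {"*": "system peer", "+": "candidate", "#": "excess", "-": "outlier",
         "x": "falseticker", "": "not selected"}


def consecutive_successes(reach):
    """reach holds one bit per poll, newest in bit 0; count the run of answered
    polls ending with the most recent one."""
    run = 0
    while reach & 1:
        run += 1
        reach >>= 1
    return run


def parse_association(line):
    m = ROW.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised association row: {line!r}")
    reach = int(m["reach"], 8)  # the column is printed in octal
    stratum = int(m["st"])
    return {
        "remote": m["remote"],
        "refid": m["refid"],
        "stratum": stratum,
        "state": TALLY[m["tally"]],
        "reach": reach,
        "recent_successes": consecutive_successes(reach),
        "offset_ms": float(m["offset"]),
        # stratum 16 is 'unsynchronised' regardless of what the tally says
        "synced": m["tally"] == "*" and stratum < 16,
    }


def time_is_trustworthy(rows, max_offset_ms=128.0, min_successes=3):
    """True only when a system peer is selected, has answered several polls in a row
    and its offset is small. Thresholds are this example's own choices."""
    for row in rows:
        a = parse_association(row)
        if a["synced"] and a["recent_successes"] >= min_successes and abs(a["offset_ms"]) <= max_offset_ms:
            return True
    return False


if __name__ == "__main__":
    for row in SNAPSHOTS:
        a = parse_association(row)
        print(a["remote"], a["refid"], a["state"], "reach=%o" % a["reach"], a["recent_successes"], a["synced"])
    print("trustworthy:", time_is_trustworthy(SNAPSHOTS))
```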

1- Configure the authentication method so that RADIUS is tried first and, if it fails, the local password is used.
RADIUS server (S2) with retry attempts set to 1 and a timeout of 2 seconds. Use cloudkod as the RADIUS shared secret.
2- Create a new user named aden, password aden123, with super-user privileges.
3- Configure additional users as follows:
NAME: bala, pwd: bala123, privileges: permissions "view" and "view-configuration". Authenticated on S2.
NAME: support, pwd: sup123, privileges: "all", but cannot execute "clear", "configure", "edit" or "start shell".

[edit system]
+ authentication-order [ radius password ];
+ radius-server {
+ 192.168.86.180 {
+ secret "$9$fzF/EhrLxdKMxdsgUDn/CApB"; ## SECRET-DATA
+ timeout 2;
+ retry 1;
+ }
+ }

set system radius-server 192.168.86.180 secret "$9$fzF/EhrLxdKMxdsgUDn/CApB"

set system radius-server 192.168.86.180 timeout 2

set system radius-server 192.168.86.180 retry 1

Cisco ISE for RADIUS Authentication with Juniper

Traceoptions (additional material, for learning):
set system processes general-authentication-service traceoptions file radius
set system processes general-authentication-service traceoptions flag all
run clear log radius

Test the login, then pull the logs:
show log radius

[edit system login user aden]
[email protected]# show
uid 2000;
class super-user;
authentication {
encrypted-password "$5$hCstaJ71$w7ya1fd/HNOjp5rZ4EkVXmVZiMUr.IUhgm6XBOwk94."; ## SECRET-DATA
}

[edit system login]
+ class limited {
+ permissions [ view view-configuration ];
+ }
+ class noc {
+ permissions all;
+ deny-commands "(clear) | (configure) | (edit) | (start shell)";
+ }
[edit system login]
+ user bala {
+ class limited;
+ authentication {
+ encrypted-password "$5$Kox/BU0q$ucc1BPORB2jvz0iZsZLFLPmHgePEDCrmzSg1uXcjYRC"; ## SECRET-DATA
+ }
+ }
[edit system login user remote]
+ uid 2001;
+ class limited;
[edit system login]
+ user support {
+ class noc;
+ authentication {
+ encrypted-password "$5$Mg42WlNl$jQLjWjIWxQ/e/Yynk29VPMlnUGaceKHjwuiDqykZvH6"; ## SECRET-DATA
+ }
+ }

TEST:

$ ssh [email protected]

Password:

— JUNOS 15.1X49-D80.4 built 2017-03-23 15:21:36 UTC

[email protected]> show configuration |display set

[email protected]> edit

                 ^

unknown command.

[email protected]> cli

                 ^

unknown command.

$ ssh [email protected]

Password:

— JUNOS 15.1X49-D80.4 built 2017-03-23 15:21:36 UTC

[email protected]> edit

                    ^

unknown command.

[email protected]> clear

                    ^

unknown command.

[email protected]> start shell

                          ^

syntax error, expecting .

support@d1-mercury>


Jan 20 18:42:17 d1-mercury mgd[7373]: UI_AUTH_EVENT: Authenticated user 'bala' at permission level 'j-limited'
Jan 20 18:42:17 d1-mercury mgd[7373]: UI_LOGIN_EVENT: User 'bala' login, class 'j-limited' [7373], ssh-connection '192.168.86.250 61050 192.168.86.185 22', client-mode 'cli'
Jan 20 18:42:19 d1-mercury mgd[4135]: UI_CMDLINE_READ_LINE: User 'root', command 'show log messages | last 100 '
Jan 20 18:42:42 d1-mercury mgd[7373]: UI_CMDLINE_READ_LINE: User 'bala', command 'show configuration | display set '
Jan 20 19:11:32 d1-mercury mgd[10371]: UI_LOGIN_EVENT: User 'support' login, class 'j-noc' [10371], ssh-connection '192.168.86.250 61549 192.168.86.185 22', client-mode 'cli'
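The mgd lines above are enough to reconstruct who logged in, from where, with which class, and what they typed: UI_LOGIN_EVENT carries the class and the ssh-connection tuple, and UI_CMDLINE_READ_LINE shares the same mgd pid for the rest of that session. The following added example (not from the original page) parses that format and reports the two things a defender wants from this audit trail: a command that the user's class is supposed to deny, and a login from outside the management subnet. The management subnet 192.168.86.0/24, the two extra log lines at the end of the sample, the deny lists (copied from the task requirements, keyed by the j- prefixed class names Junos writes to the log) and the assumption that Junos still records the command line read even when the class then refuses it are all the example's own.

```python
import ipaddress
import re

# Constructed sample: the mgd lines captured above, plus two constructed lines at the
# end (a denied 'configure' by support, and a bala login from the VR-device address).
SAMPLE_LOG = """\
Jan 20 18:42:17 d1-mercury mgd[7373]: UI_AUTH_EVENT: Authenticated user 'bala' at permission level 'j-limited'
Jan 20 18:42:17 d1-mercury mgd[7373]: UI_LOGIN_EVENT: User 'bala' login, class 'j-limited' [7373], ssh-connection '192.168.86.250 61050 192.168.86.185 22', client-mode 'cli'
Jan 20 18:42:19 d1-mercury mgd[4135]: UI_CMDLINE_READ_LINE: User 'root', command 'show log messages | last 100 '
Jan 20 18:42:42 d1-mercury mgd[7373]: UI_CMDLINE_READ_LINE: User 'bala', command 'show configuration | display set '
Jan 20 19:11:32 d1-mercury mgd[10371]: UI_LOGIN_EVENT: User 'support' login, class 'j-noc' [10371], ssh-connection '192.168.86.250 61549 192.168.86.185 22', client-mode 'cli'
Jan 20 19:12:05 d1-mercury mgd[10371]: UI_CMDLINE_READ_LINE: User 'support', command 'configure '
Jan 20 19:30:00 d1-mercury mgd[11002]: UI_LOGIN_EVENT: User 'bala' login, class 'j-limited' [11002], ssh-connection '10.10.1.9 50000 10.10.1.1 22', client-mode 'cli'
"""

HEADER = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) mgd\[(?P<pid>\d+)\]: (?P<tag>UI_\w+): (?P<msg>.*)$")
LOGIN = re.compile(r"User '(?P<user>[^']+)' login, class '(?P<cls>[^']+)' \[\d+\], ssh-connection '(?P<src>\S+) \d+ \S+ \d+'")
CMD = re.compile(r"User '(?P<user>[^']+)', command '(?P<cmd>.*)'$")

# Assumed policy, taken from the task text: noc denies clear/configure/edit/start shell,
# limited may only view. Junos logs user-defined classes with a 'j-' prefix.
DENIED = {
    "j-noc": {"clear", "configure", "edit", "start"},
    "j-limited": {"clear", "configure", "edit", "start", "request"},
}
MGMT_NET = "192.168.86.0/24"  # assumed management subnet for this example


def parse_events(text):
    """Turn each mgd UI_* line into a dict; unknown lines are skipped."""
    events = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue
        ev = {"ts": m["ts"], "host": m["host"], "pid": int(m["pid"]), "tag": m["tag"]}
        if m["tag"] == "UI_LOGIN_EVENT":
            lm = LOGIN.search(m["msg"])
            if lm:
                ev.update(user=lm["user"], cls=lm["cls"], src=lm["src"])
        elif m["tag"] == "UI_CMDLINE_READ_LINE":
            cm = CMD.search(m["msg"])
            if cm:
                ev.update(user=cm["user"], cmd=cm["cmd"].strip())
        events.append(ev)
    return events


def audit(text, mgmt_net=MGMT_NET):
    """Correlate commands with the login that opened the same mgd session (same pid),
    then report logins from outside the management subnet and attempts at commands
    the session's class is meant to deny."""
    net = ipaddress.ip_network(mgmt_net)
    session_class, findings = {}, []
    for ev in parse_events(text):
        if ev["tag"] == "UI_LOGIN_EVENT" and "src" in ev:
            session_class[ev["pid"]] = ev["cls"]
            if ipaddress.ip_address(ev["src"]) not in net:
                findings.append(f"{ev['ts']} {ev['user']} logged in from {ev['src']}, outside {net}")
        elif ev["tag"] == "UI_CMDLINE_READ_LINE" and "cmd" in ev:
            cls = session_class.get(ev["pid"])
            verb = ev["cmd"].split()[0] if ev["cmd"] else ""
            if cls and verb in DENIED.get(cls, set()):
                findings.append(f"{ev['ts']} {ev['user']} ({cls}) tried denied command {ev['cmd']!r}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

The root command at pid 4135 has no login event in the excerpt, so it is left unclassified rather than guessed at; in production you would feed the full messages file (or the interactive-commands file configured in the syslog section) so every session has its login.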

You have to create a separate login class because the requirement differs from the four predefined classes (operator, read-only, super-user, unauthorized).
— The account named "remote" is the template used to authorize users who authenticate via RADIUS and have no local login account on the device.

Sample Local and Remote Authorization Configuration Using Regular Expressions

Local Configuration


login {
    class local {
        permissions configure;
        allow-commands "(ping .*)|(traceroute .*)|(show .*)|(configure .*)|(edit)|(exit)|(commit)|(rollback .*)";
        deny-commands ".*";
        allow-configuration "(interfaces .* unit 0 family ethernet-switching vlan mem.* .*)|(interfaces .* native.* .*)|(interfaces .* unit 0 family ethernet-switching interface-mo.* .*)|(interfaces .* unit .*)|(interfaces .* disable)|(interfaces .* description .*)|(vlans .* vlan-.* .*)";
        deny-configuration ".*";
    }
}

– All emergency messages, regardless of facility, are displayed on the terminal of all logged-in users.
– All messages, regardless of facility, with severity "info" and higher are sent to the default syslog file.
– A file named "interactive-commands", for command audit tracking, receives records of the users and the commands they execute.
– A separate file named "authorization-file" is used for authorization messages with severity "info" and higher.
– All messages with severity "warning" and higher, regardless of facility, are sent to the S1 syslog server; also use the explicit priority tag and JNCIE-ENT as the message prefix.
– Each archive file is 100k in size, and the number of archive files is set to 3.

Using Splunk as Syslog Server

[edit system syslog]
[email protected]# show
archive size 100k files 3;
user * {
any emergency;
}
host 10.10.10.1 {
any warning;
log-prefix JNCIE-ENT;
explicit-priority;
}
file messages {
any info;
authorization info;
}
file interactive-commands {
interactive-commands info;
}
file authorization-file {
authorization info;
}

[edit system syslog]

— Configure SNMPv3 for secure NMS interactions using the following table.

[email protected]# show | compare
[edit]
+ snmp {
+ v3 {
+ usm {
+ local-engine {
+ user S1 {
+ authentication-md5 {
+ authentication-key "$9$Xwo-Yo5T3/A0k.fz6A1IX7-w2a"; ## SECRET-DATA
+ }

+ vacm {
+ security-to-group {
+ security-model usm {
+ security-name S1 {
+ group global;
+ }

+ access {
+ group global {
+ default-context-prefix {
+ security-model usm {
+ security-level authentication {
+ read-view global-info;
+ }

+ view global-info {
+ oid .1 include;
+ }

# set snmp v3 usm local-engine user S1 authentication-md5 authentication-password workbook
–Step-by-step:

Configure the local SNMP engine user with the authentication method the NMS will use.

[edit snmp v3]
[email protected]# show
usm {
local-engine {
user S1 {
authentication-md5 {
authentication-key "$9$Xwo-Yo5T3/A0k.fz6A1IX7-w2a"; ## SECRET-DATA
}

Define the SNMP view (under the global SNMP configuration); the view name is 'global-info'.

[email protected]# top
[edit]
[email protected]# edit snmp
[edit snmp]
view global-info {
oid .1 include;
}

Configure the VACM access parameters: map the group (security model USM, security level authentication) to the view named 'global-info'. The group name is global.

[edit snmp v3]
vacm {
access {
group global {
default-context-prefix {
security-model usm {
security-level authentication {
read-view global-info;
}

Configure VACM security to group mapping. Bind user S1 to the group global.

vacm {
security-to-group {
security-model usm {
security-name S1 {
group global;
}

SNMPv3 notification using the table below:

[edit snmp v3 usm local-engine user S1 authentication-md5]
- authentication-key "$9$hfWrWxZGiqPQ24JDkP3nhSrv87"; ## SECRET-DATA
+ authentication-key "$9$Xwo-Yo5T3/A0k.fz6A1IX7-w2a"; ## SECRET-DATA
[edit snmp v3]
- target-address S1 {
- address 192.168.86.245;
- tag-list trap-receiver;
- target-parameters S1-parameters;
- }
- target-parameters S1-parameters {
- parameters {
- message-processing-model v3;
- security-model usm;
- security-level authentication;
- security-name S1;
- }
- notify-filter specific-traps;
- }
- notify NMS {
- type trap;
- tag trap-receiver;
- }
- notify-filter specific-traps {
- oid snmpTraps include;
- oid jnxTraps include;
- }

TEST From Nagios XI:

[email protected]:~# snmpwalk -v 3 -l authNopriv -u S1 -a md5 -A workbook 192.168.86.185
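snmpwalk is handed the password (-A workbook), but what the agent stores and checks is a key localized to its own engine ID, as RFC 3414 defines: the password is stretched to 1 MiB and hashed (Ku), then hashed again together with the snmpEngineID (Kul). The added example below (not from this page or from Juniper) implements that derivation and the HMAC-96 authentication check, verified against the RFC's own test vector ("maplesyrup" on engine ID 00..02). The Juniper-style engine ID used for the page's "workbook" password is constructed, and so is the message being authenticated.

```python
import hashlib
import hmac

# RFC 3414 appendix A test vector (password and engine ID from the RFC).
RFC3414_PASSWORD = b"maplesyrup"
RFC3414_ENGINE_ID = bytes.fromhex("000000000000000000000002")
# Constructed engine ID in the enterprise-number form (0x80 | enterprise 2636 = Juniper),
# not taken from any real device.
EXAMPLE_ENGINE_ID = bytes.fromhex("80000a4c010a0a0101")


def password_to_ku(password: bytes, hashname: str = "md5") -> bytes:
    """RFC 3414 A.2: hash the password repeated out to exactly 1,048,576 bytes."""
    h = hashlib.new(hashname)
    reps, rem = divmod(1_048_576, len(password))
    h.update(password * reps + password[:rem])
    return h.digest()


def localize_key(ku: bytes, engine_id: bytes, hashname: str = "md5") -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): the value the agent keeps, which differs on
    every engine even when the same password is used everywhere."""
    return hashlib.new(hashname, ku + engine_id + ku).digest()


def usm_auth_key(password: bytes, engine_id: bytes, hashname: str = "md5") -> bytes:
    return localize_key(password_to_ku(password, hashname), engine_id, hashname)


def auth_parameters(kul: bytes, whole_msg: bytes, hashname: str = "md5") -> bytes:
    """msgAuthenticationParameters for HMAC-MD5-96 / HMAC-SHA-96: the first 12 bytes
    of the HMAC over the serialised message (with the parameters field zeroed)."""
    return hmac.new(kul, whole_msg, hashname).digest()[:12]


def verify_message(kul: bytes, whole_msg: bytes, received: bytes, hashname: str = "md5") -> bool:
    """Receiver-side check, with a constant-time comparison."""
    return hmac.compare_digest(auth_parameters(kul, whole_msg, hashname), received)


if __name__ == "__main__":
    print("RFC 3414 MD5 Kul:", usm_auth_key(RFC3414_PASSWORD, RFC3414_ENGINE_ID).hex())
    k = usm_auth_key(b"workbook", EXAMPLE_ENGINE_ID)
    msg = b"constructed SNMPv3 message bytes"
    tag = auth_parameters(k, msg)
    print("auth params:", tag.hex(), "verifies:", verify_message(k, msg, tag))
```

Two consequences for the configuration above: the authentication HMAC only proves integrity and origin, so with privacy-none (authNoPriv, as in the snmpwalk) the walked data itself crosses the network in clear, and the $9$-encoded authentication-key in the Junos configuration is reversible obfuscation rather than a hash, which is why it is marked SECRET-DATA and why configuration backups need the same protection as the password.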

—Final Config:

[email protected]# run show configuration |display set |match snmp
set snmp v3 usm local-engine user S1 authentication-md5 authentication-key "$9$OZ8dRreLX-Y4aVb4Zjif51REyvW7NbwgoLX.Pf5F3Ap0Iyl7-VbYgN-2aJUHkmfTQ69tuORcyqmz69tOBX7Ndb2JZjfQFNdk.m5F3hSyleWdbsaGD-ds4oJHkRhcrM8-dsoZUg4Gik.zFCtu0hSeK8dwYMWjHk.zFCtu0hSMWx-ds1RNdws4oDikmQF"
set snmp v3 usm local-engine user S1 privacy-none
set snmp v3 vacm security-to-group security-model usm security-name S1 group global
set snmp v3 vacm access group global default-context-prefix security-model usm security-level authentication read-view global-info
set snmp v3 target-address S1 address 192.168.86.245
set snmp v3 target-address S1 tag-list trap-receiver
set snmp v3 target-address S1 target-parameters S1-parameters
set snmp v3 target-parameters S1-parameters parameters message-processing-model v3
set snmp v3 target-parameters S1-parameters parameters security-model usm
set snmp v3 target-parameters S1-parameters parameters security-level authentication
set snmp v3 target-parameters S1-parameters parameters security-name S1
set snmp v3 target-parameters S1-parameters notify-filter specific-traps
set snmp v3 notify NMS type trap
set snmp v3 notify NMS tag trap-receiver
set snmp v3 notify-filter specific-traps oid snmpTraps include
set snmp v3 notify-filter specific-traps oid jnxTraps include
set snmp view global-info oid .1 include
set snmp view global-info oid .1.3.6.1 include

NOTE: Always check the requirements to see whether firewall filtering is required, and make a note of the protocols enabled on the devices before writing the filter, since anything not explicitly accepted will hit the final discard term.

1- Configure an IPv4 firewall filter that accepts protocol messages for AH, GRE, BFD, VRRP, OSPF, BGP, PIM, IGMP and MSDP.

set firewall filter name:protect-re term ah from protocol ah
set firewall filter name:protect-re term ah then accept
set firewall filter name:protect-re term gre from protocol gre
set firewall filter name:protect-re term gre then accept
set firewall filter name:protect-re term bfd from protocol udp
set firewall filter name:protect-re term bfd from destination-port 3784
set firewall filter name:protect-re term bfd then accept
set firewall filter name:protect-re term vrrp from protocol vrrp
set firewall filter name:protect-re term vrrp then accept
set firewall filter name:protect-re term ospf from protocol ospf
set firewall filter name:protect-re term ospf then accept
set firewall filter name:protect-re term bgp from protocol tcp
set firewall filter name:protect-re term bgp from destination-port bgp
set firewall filter name:protect-re term bgp then accept
set firewall filter name:protect-re term bgp-source from protocol tcp
set firewall filter name:protect-re term bgp-source from source-port bgp
set firewall filter name:protect-re term bgp-source from destination-port bgp
set firewall filter name:protect-re term bgp-source then accept
set firewall filter name:protect-re term pim from protocol pim
set firewall filter name:protect-re term pim then accept
set firewall filter name:protect-re term igmp from protocol igmp
set firewall filter name:protect-re term igmp then accept
set firewall filter name:protect-re term msdp from protocol tcp
set firewall filter name:protect-re term msdp from destination-port msdp
set firewall filter name:protect-re term msdp then accept


2- Configure the firewall filter to accept the NTP, RADIUS, DNS and SNMP management protocols only from the 10.10.10.0/24 network.

[edit firewall filter name:protect-re]
term msdp { … }
term ntp {
    from {
        source-address {
            10.10.10.0/24;
        }
        protocol udp;
        source-port ntp;
    }
    then accept;
}
term radius {
    from {
        source-address {
            10.10.10.0/24;
        }
        protocol [ tcp udp ];
        source-port radius;
    }
    then accept;
}
term dns {
    from {
        source-address {
            10.10.10.0/24;
        }
        protocol [ tcp udp ];
        source-port domain;
    }
    then accept;
}
term snmp {
    from {
        source-address {
            10.10.10.0/24;
        }
        protocol udp;
        destination-port snmp;
    }
    then accept;
}


3- Configure the firewall filter to accept SSH, Telnet, HTTP and HTTPS from the 10.10.1.0/24 management network.

[edit firewall filter name:protect-re]
term snmp { … }
term ssh {
    from {
        source-address {
            10.10.1.0/24;
        }
        protocol tcp;
        destination-port ssh;
    }
    then accept;
}
term telnet {
    from {
        source-address {
            10.10.1.0/24;
        }
        protocol tcp;
        destination-port telnet;
    }
    then accept;
}
term http {
    from {
        source-address {
            10.10.1.0/24;
        }
        protocol tcp;
        destination-port http;
    }
    then accept;
}
term https {
    from {
        source-address {
            10.10.1.0/24;
        }
        protocol tcp;
        destination-port https;
    }
    then accept;
}

4- Configure the firewall filter to accept ICMP and traceroute messages. Ensure that on the D1-D4 devices the flow of these messages is limited with a policer using
bandwidth limit 100 kbps and burst size 25 KB; excess traffic must be dropped.

/*** Under global config; ***/
[edit firewall]
policer re-policier {
    if-exceeding {
        bandwidth-limit 100k;
        burst-size-limit 25k;
    }
    then discard;
}

/*** re-filter for ICMP & Traceroute ***/
[edit firewall filter name:protect-re]
term icmp {
    from {
        protocol icmp;
    }
    then {
        policer re-policier;
        accept;
    }
}
/*** NB: matching protocol udp alone accepts (rate-limited) any UDP to the RE, not just traceroute; a tighter term would also match the UDP destination-port range that traceroute probes use (starting at 33434). ***/
term traceroute {
    from {
        protocol udp;
    }
    then {
        policer re-policier;
        accept;
    }
}


5- Configure the firewall filter to discard any other traffic and increment a named drop counter.

[edit firewall filter name:protect-re]
term traceroute { … }
term explicit_discard {
    then {
        count drooped;
        discard;
    }
}

6- Apply the firewall filter as an input filter on lo0 so that it is used for RE protection.
[edit interfaces]
lo0 {
    unit 0 {
        family inet {
            filter {
                input name:protect-re;
            }
        }
    }
}

—— All together:

set interfaces lo0 unit 0 family inet filter input name:protect-re

set firewall policer re-policier if-exceeding bandwidth-limit 100k
set firewall policer re-policier if-exceeding burst-size-limit 25k
set firewall policer re-policier then discard
set firewall filter name:protect-re term ah from protocol ah
set firewall filter name:protect-re term ah then accept
set firewall filter name:protect-re term gre from protocol gre
set firewall filter name:protect-re term gre then accept
set firewall filter name:protect-re term bfd from protocol udp
set firewall filter name:protect-re term bfd from destination-port 3784
set firewall filter name:protect-re term bfd then accept
set firewall filter name:protect-re term vrrp from protocol vrrp
set firewall filter name:protect-re term vrrp then accept
set firewall filter name:protect-re term ospf from protocol ospf
set firewall filter name:protect-re term ospf then accept
set firewall filter name:protect-re term bgp from protocol tcp
set firewall filter name:protect-re term bgp from destination-port bgp
set firewall filter name:protect-re term bgp then accept
set firewall filter name:protect-re term bgp-source from protocol tcp
set firewall filter name:protect-re term bgp-source from source-port bgp
set firewall filter name:protect-re term bgp-source from destination-port bgp
set firewall filter name:protect-re term bgp-source then accept
set firewall filter name:protect-re term pim from protocol pim
set firewall filter name:protect-re term pim then accept
set firewall filter name:protect-re term igmp from protocol igmp
set firewall filter name:protect-re term igmp then accept
set firewall filter name:protect-re term msdp from protocol tcp
set firewall filter name:protect-re term msdp from destination-port msdp
set firewall filter name:protect-re term msdp then accept
set firewall filter name:protect-re term ntp from source-address 10.10.10.0/24
set firewall filter name:protect-re term ntp from protocol udp
set firewall filter name:protect-re term ntp from source-port ntp
set firewall filter name:protect-re term ntp then accept
set firewall filter name:protect-re term radius from source-address 10.10.10.0/24
set firewall filter name:protect-re term radius from protocol tcp
set firewall filter name:protect-re term radius from protocol udp
set firewall filter name:protect-re term radius from source-port radius
set firewall filter name:protect-re term radius then accept
set firewall filter name:protect-re term dns from source-address 10.10.10.0/24
set firewall filter name:protect-re term dns from protocol tcp
set firewall filter name:protect-re term dns from protocol udp
set firewall filter name:protect-re term dns from source-port domain
set firewall filter name:protect-re term dns then accept
set firewall filter name:protect-re term snmp from source-address 10.10.10.0/24
set firewall filter name:protect-re term snmp from protocol udp
set firewall filter name:protect-re term snmp from destination-port snmp
set firewall filter name:protect-re term snmp then accept
set firewall filter name:protect-re term ssh from source-address 10.10.1.0/24
set firewall filter name:protect-re term ssh from protocol tcp
set firewall filter name:protect-re term ssh from destination-port ssh
set firewall filter name:protect-re term ssh then accept
set firewall filter name:protect-re term telnet from source-address 10.10.1.0/24
set firewall filter name:protect-re term telnet from protocol tcp
set firewall filter name:protect-re term telnet from destination-port telnet
set firewall filter name:protect-re term telnet then accept
set firewall filter name:protect-re term http from source-address 10.10.1.0/24
set firewall filter name:protect-re term http from protocol tcp
set firewall filter name:protect-re term http from destination-port http
set firewall filter name:protect-re term http then accept
set firewall filter name:protect-re term https from source-address 10.10.1.0/24
set firewall filter name:protect-re term https from protocol tcp
set firewall filter name:protect-re term https from destination-port https
set firewall filter name:protect-re term https then accept
set firewall filter name:protect-re term icmp from protocol icmp
set firewall filter name:protect-re term icmp then policer re-policier
set firewall filter name:protect-re term icmp then accept
set firewall filter name:protect-re term traceroute from protocol udp
set firewall filter name:protect-re term traceroute then policer re-policier
set firewall filter name:protect-re term traceroute then accept
set firewall filter name:protect-re term explicit_discard then count drooped
set firewall filter name:protect-re term explicit_discard then discard
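As an added example that is not part of this workbook, the following Python script parses set-form filter terms like the ones above and evaluates constructed packets against them with Junos first-match semantics (terms in configuration order, conditions within a term ANDed, repeated values of one condition ORed, a matching term without a terminating action accepting, and an implicit discard at the end). The filter subset, the packets and the function names are assumptions; it shows the SSH attempt from 10.10.10.x landing in the discard counter, and that a term matching source-port snmp never matches a poll that arrives from an ephemeral source port.

```python
# Added example (not from the workbook): first-match evaluation of a Junos set-form RE filter.
import ipaddress
import re
from collections import OrderedDict

# Junos well-known port keywords that appear in the filter terms on this page.
PORT_NAMES = {"bgp": 179, "msdp": 639, "ntp": 123, "radius": 1812, "domain": 53,
              "snmp": 161, "ssh": 22, "telnet": 23, "http": 80, "https": 443}

# Constructed subset of the protect-re filter. The snmp term matches both a
# source-port and a destination-port so the effect of that choice is visible.
FILTER_LINES = """\
set firewall filter protect-re term bgp from protocol tcp
set firewall filter protect-re term bgp from destination-port bgp
set firewall filter protect-re term bgp then accept
set firewall filter protect-re term snmp from source-address 10.10.10.0/24
set firewall filter protect-re term snmp from protocol udp
set firewall filter protect-re term snmp from source-port snmp
set firewall filter protect-re term snmp from destination-port snmp
set firewall filter protect-re term snmp then accept
set firewall filter protect-re term ssh from source-address 10.10.1.0/24
set firewall filter protect-re term ssh from protocol tcp
set firewall filter protect-re term ssh from destination-port ssh
set firewall filter protect-re term ssh then accept
set firewall filter protect-re term icmp from protocol icmp
set firewall filter protect-re term icmp then policer re-policier
set firewall filter protect-re term icmp then accept
set firewall filter protect-re term explicit_discard then count dropped
set firewall filter protect-re term explicit_discard then discard
"""

SET_RE = re.compile(r"^set firewall (?:family inet )?filter (\S+) term (\S+) (from|then) (.+)$")

def parse_filter(text):
    """Return (filter_name, OrderedDict term -> {'from': {...}, 'then': [...]}) in config order."""
    name, terms = None, OrderedDict()
    for line in text.splitlines():
        m = SET_RE.match(line.strip())
        if not m:
            continue  # not a filter term line
        name, term, clause, rest = m.groups()
        entry = terms.setdefault(term, {"from": {}, "then": []})
        if clause == "then":
            entry["then"].append(rest)
        else:
            key, _, value = rest.partition(" ")
            entry["from"].setdefault(key, []).append(value)  # repeated keys form an OR set
    return name, terms

def port_in(spec, port):
    """True if port lies in a Junos port spec: a keyword, a number or 'lo-hi'."""
    lo, _, hi = spec.partition("-")
    lo = int(PORT_NAMES.get(lo, lo))
    hi = int(PORT_NAMES.get(hi, hi)) if hi else lo
    return lo <= port <= hi

def term_matches(conds, pkt):
    """Junos semantics: AND across condition kinds, OR across the values of one kind."""
    for key, values in conds.items():
        if key == "protocol":
            ok = pkt["proto"] in values
        elif key in ("source-address", "destination-address"):
            addr = ipaddress.ip_address(pkt["src" if key == "source-address" else "dst"])
            ok = any(addr in ipaddress.ip_network(v, strict=False) for v in values)
        elif key in ("source-port", "destination-port"):
            port = pkt.get("sport" if key == "source-port" else "dport")
            ok = port is not None and any(port_in(v, port) for v in values)
        else:
            raise ValueError("unsupported match condition: " + key)
        if not ok:
            return False
    return True

def evaluate(terms, pkt):
    """First matching term decides; no terminating action means accept; no match means discard."""
    for term, entry in terms.items():
        if not term_matches(entry["from"], pkt):
            continue
        terminating = [a for a in entry["then"] if a in ("accept", "discard", "reject")]
        others = [a for a in entry["then"] if a not in terminating]
        return term, (terminating[0] if terminating else "accept"), others
    return None, "discard", []  # implicit discard at the end of every Junos filter

# Constructed packets addressed to the routers' own interfaces (what the lo0 input filter sees).
PACKETS = {
    "ssh-from-wrong-net": dict(proto="tcp", src="10.10.10.1", dst="10.10.1.2", sport=51234, dport=22),
    "ssh-from-mgmt": dict(proto="tcp", src="10.10.1.5", dst="10.10.1.2", sport=51234, dport=22),
    "bgp-open": dict(proto="tcp", src="172.30.96.1", dst="172.30.96.2", sport=40001, dport=179),
    "icmp-echo": dict(proto="icmp", src="10.10.10.1", dst="10.10.1.2"),
    "snmp-poll": dict(proto="udp", src="10.10.10.1", dst="10.10.1.2", sport=40000, dport=161),
}

def run_all():
    """Evaluate every constructed packet; returns {name: (term, action, extra actions)}."""
    _, terms = parse_filter(FILTER_LINES)
    return {name: evaluate(terms, pkt) for name, pkt in PACKETS.items()}

if __name__ == "__main__":
    for name, (term, action, extra) in run_all().items():
        print(f"{name:20s} -> {str(term):17s} {action:8s} {' '.join(extra)}")
```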

———-

TEST: SSH from the 10.10.10.x network should fail, and the drop counter should increase:

[email protected]:~# ifconfig ens4

ens4: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500

        inet 10.10.10.1

[email protected]> show firewall filter name:protect-re

Filter: name:protect-re
Counters:
Name Bytes Packets
drooped 5560 93
Policers:
Name Bytes Packets
re-policier-icmp 0 0
re-policier-traceroute 0 0

[email protected]:~# ssh 10.10.1.2

ssh: connect to host 10.10.1.2 port 22: Connection timed out

[email protected]> show firewall filter name:protect-re

Filter: name:protect-re
Counters:
Name Bytes Packets
drooped 5800 97
Policers:
Name Bytes Packets
re-policier-icmp 0 0
re-policier-traceroute 0 0

— You can also run a packet capture on the device and read it in Wireshark, etc.:

set firewall filter PCAP term 1 from source-address 10.10.10.1
set firewall filter PCAP term 1 from destination-address 10.10.1.2
set firewall filter PCAP term 1 then sample
set firewall filter PCAP term 1 then accept
set firewall filter PCAP term 2 from source-address 10.10.1.2
set firewall filter PCAP term 2 from destination-address 10.10.10.1
set firewall filter PCAP term 2 then sample
set firewall filter PCAP term 2 then accept
set firewall filter PCAP term allow-all-else then accept


edit forwarding-options packet-capture
set file filename testpacketcapture
set maximum-capture-size 1500

set interfaces ge-0/0/0 unit 0 family inet filter output PCAP
set interfaces ge-0/0/0 unit 0 family inet filter input PCAP

–Run Test:

[email protected]> file list /var/tmp/ | match testpacketcapture*

  • Configure D4 as a DHCP server using:
    Pool: 192.168.10.0/24
    Assignment:
    low: 192.168.10.10
    high: 192.168.10.100
  • The LAN PC will get its IP from the pool.

[edit system services]
+   dhcp-local-server {
+       group lanusers {
+           interface ge-0/0/1.0;
+       }
+   }
[edit interfaces]
+   ge-0/0/1 {
+       unit 0 {
+           family inet {
+               address 192.168.10.1/24;
+           }
+       }
+   }
[edit]
+  access {
+      address-assignment {
+          pool jnciepool {
+              family inet {
+                  network 192.168.10.0/24;
+                  range poolrange {
+                      low 192.168.10.10;
+                      high 192.168.10.100;
+                  }
+              }
+          }
+      }
+  }


set system services dhcp-local-server group lanusers interface ge-0/0/1.0
set interfaces ge-0/0/1 unit 0 family inet address 192.168.10.1/24
set access address-assignment pool jnciepool family inet network 192.168.10.0/24
set access address-assignment pool jnciepool family inet range poolrange low 192.168.10.10
set access address-assignment pool jnciepool family inet range poolrange high 192.168.10.100

DHCP CLIENT / LAN PC:  VPCS> show ip

NAME : VPCS[1]
IP/MASK : 0.0.0.0/0
GATEWAY : 0.0.0.0
DNS :
MAC : 00:50:79:66:68:13
LPORT : 20000
RHOST:PORT : 127.0.0.1:30000
MTU : 1500

VPCS> ip dhcp
DORA IP 192.168.10.10/24
VPCS> show ip

NAME : VPCS[1]
IP/MASK : 192.168.10.10/24
GATEWAY : 0.0.0.0
DNS :
DHCP SERVER : 192.168.10.1
DHCP LEASE : 86391, 86400/43200/75600
MAC : 00:50:79:66:68:13
LPORT : 20000
RHOST:PORT : 127.0.0.1:30000
MTU : 1500

VPCS> ping 192.168.10.1

84 bytes from 192.168.10.1 icmp_seq=1 ttl=64 time=0.407 ms
84 bytes from 192.168.10.1 icmp_seq=2 ttl=64 time=0.427 ms

— D4:

[email protected]> show dhcp server binding
IP address Session Id Hardware address Expires State Interface
192.168.10.10 1 00:50:79:66:68:13 85345 BOUND ge-0/0/1.0

[email protected]> show dhcp server binding 192.168.10.10 detail

Client IP Address: 192.168.10.10
Hardware Address: 00:50:79:66:68:13
State: BOUND(LOCAL_SERVER_STATE_BOUND)
Protocol-Used: DHCP
Lease Expires: 2020-01-25 02:35:15 UTC
Lease Expires in: 85133 seconds
Lease Start: 2020-01-24 02:35:14 UTC
Last Packet Received: 2020-01-24 02:35:15 UTC
Incoming Client Interface: ge-0/0/1.0
Server Identifier: 192.168.10.1
Session Id: 1
Client Pool Name: jnciepool

 

Section 2

– AE/LACP
– VRRP
– MSTP
– PVLAN
– L3 VLAN Interfaces
– MAC Filtering
– Storm Control
– 802.1x/MAC radius
– LLDP / LLDP-MED
– Voice VLAN
– VC Virtual Chassis


NOTE: vSRX (v15) in packet mode and vQFX switches (v18) are used for this lab. Some automation tools are used.
MGMT IPs and port details: please check the network topology. Login: root/juniper123. Because the vSRX is used in packet mode, a few additional commands are added to each vSRX to clean it up and use it as a pure packet-mode device (i.e., a switch).
Base Config & Test

[email protected]> show configuration |display set
set version 15.1X49-D80.4
set system host-name D1-Mercury
set system backup-router 10.10.1.254
set system time-zone Europe/Amsterdam
set system authentication-order radius
set system authentication-order password
set system root-authentication encrypted-password "$5$/QbhdDQK$3aLBGsodpaXt7msM5E0KNIsms5S2woDvewPKEnzUvh1"
set system name-server 10.10.10.1
set system radius-server 10.10.10.1 secret "$9$4BZHmpu1ESe69tORSMW4aZjkP"
set system radius-server 10.10.10.1 timeout 2
set system radius-server 10.10.10.1 retry 1
set system login class limited permissions view
set system login class limited permissions view-configuration
set system login class noc permissions all
set system login class noc deny-commands "(clear)|(configure)|(edit)|(start shell)"
set system login user lab uid 2000
set system login user lab class super-user
set system login user lab authentication encrypted-password workbook
set system login user remote uid 2001
set system login user remote class limited
set system login user remote authentication encrypted-password workbook
set system login user support uid 2002
set system login user support class noc
set system login user support authentication encrypted-password workbook
set system services ssh
set system services telnet
set system services netconf ssh
set system services web-management http interface fxp0.0
set system services web-management http interface ge-0/0/0.0
set system services web-management https system-generated-certificate
set system services web-management https interface ge-0/0/0.0
set system syslog archive size 100000
set system syslog archive files 3
set system syslog user * any emergency
set system syslog host 10.10.10.1 any warning
set system syslog host 10.10.10.1 log-prefix JNCIE-ENT
set system syslog host 10.10.10.1 explicit-priority
set system syslog file messages any info
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands info
set system syslog file authorization-file authorization info
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set system ntp boot-server 10.10.10.1
set system ntp authentication-key 1 type md5
set system ntp authentication-key 1 value "$9$9MWbpIc-dsgaU8XNb2aiH9ApBRS"
set system ntp server 10.10.10.1 key 1
set security forwarding-options family inet6 mode packet-based
set security forwarding-options family mpls mode packet-based
set interfaces ge-0/0/0 unit 0 family inet address 10.10.1.1/24
set interfaces ge-0/0/2 unit 0 family inet address 172.30.96.2/30
set interfaces fxp0 unit 0
set interfaces lo0 unit 0 family inet filter input protect-re-inet
set snmp v3 usm local-engine user S1 authentication-md5 authentication-key "$9$3SIS90IXxdw2aKMLNb2GU369pOR"
set snmp v3 vacm security-to-group security-model usm security-name S1 group global
set snmp v3 vacm access group global default-context-prefix security-model usm security-level authentication read-view global-info
set snmp v3 target-address S1 address 10.10.10.1
set snmp v3 target-address S1 tag-list trap-receiver
set snmp v3 target-address S1 target-parameters S1-parameters
set snmp v3 target-parameters S1-parameters parameters message-processing-model v3
set snmp v3 target-parameters S1-parameters parameters security-model usm
set snmp v3 target-parameters S1-parameters parameters security-level authentication
set snmp v3 target-parameters S1-parameters parameters security-name S1
set snmp v3 target-parameters S1-parameters notify-filter specific-traps
set snmp v3 notify NMS type trap
set snmp v3 notify NMS tag trap-receiver
set snmp v3 notify-filter specific-traps oid snmpTraps include
set snmp v3 notify-filter specific-traps oid jnxTraps include
set snmp view global-info oid .1 include
set routing-options static route 10.10.10.0/24 next-hop 10.10.1.254
set protocols lldp interface all
set firewall family inet filter protect-re-inet term ah from protocol ah
set firewall family inet filter protect-re-inet term ah then accept
set firewall family inet filter protect-re-inet term gre from protocol gre
set firewall family inet filter protect-re-inet term gre then accept
set firewall family inet filter protect-re-inet term bfd from protocol udp
set firewall family inet filter protect-re-inet term bfd from destination-port 3784
set firewall family inet filter protect-re-inet term bfd then accept
set firewall family inet filter protect-re-inet term vrrp from protocol vrrp
set firewall family inet filter protect-re-inet term vrrp then accept
set firewall family inet filter protect-re-inet term ospf from protocol ospf
set firewall family inet filter protect-re-inet term ospf then accept
set firewall family inet filter protect-re-inet term bgp-1 from protocol tcp
set firewall family inet filter protect-re-inet term bgp-1 from source-port bgp
set firewall family inet filter protect-re-inet term bgp-1 then accept
set firewall family inet filter protect-re-inet term bgp-2 from protocol tcp
set firewall family inet filter protect-re-inet term bgp-2 from destination-port bgp
set firewall family inet filter protect-re-inet term bgp-2 then accept
set firewall family inet filter protect-re-inet term igmp from protocol igmp
set firewall family inet filter protect-re-inet term igmp then accept
set firewall family inet filter protect-re-inet term pim from protocol pim
set firewall family inet filter protect-re-inet term pim then accept
set firewall family inet filter protect-re-inet term ntp from source-address 10.10.10.0/24
set firewall family inet filter protect-re-inet term ntp from protocol udp
set firewall family inet filter protect-re-inet term ntp from source-port ntp
set firewall family inet filter protect-re-inet term radius from source-address 10.10.10.0/24
set firewall family inet filter protect-re-inet term radius from protocol tcp
set firewall family inet filter protect-re-inet term radius from protocol udp
set firewall family inet filter protect-re-inet term radius from source-port radius
set firewall family inet filter protect-re-inet term radius then accept
set firewall family inet filter protect-re-inet term dns from source-address 10.10.10.0/24
set firewall family inet filter protect-re-inet term dns from protocol udp
set firewall family inet filter protect-re-inet term dns from protocol tcp
set firewall family inet filter protect-re-inet term dns from source-port domain
set firewall family inet filter protect-re-inet term dns then accept
set firewall family inet filter protect-re-inet term snmp from source-address 10.10.10.0/24
set firewall family inet filter protect-re-inet term snmp from protocol udp
set firewall family inet filter protect-re-inet term snmp from destination-port snmp
set firewall family inet filter protect-re-inet term snmp then accept
set firewall family inet filter protect-re-inet term telnet from source-address 10.10.10.0/24
set firewall family inet filter protect-re-inet term telnet from protocol tcp
set firewall family inet filter protect-re-inet term telnet from destination-port telnet
set firewall family inet filter protect-re-inet term telnet then accept
set firewall family inet filter protect-re-inet term http from source-address 10.10.10.0/24
set firewall family inet filter protect-re-inet term http from protocol tcp
set firewall family inet filter protect-re-inet term http from destination-port http
set firewall family inet filter protect-re-inet term http then accept
set firewall family inet filter protect-re-inet term https from source-address 10.10.10.0/24
set firewall family inet filter protect-re-inet term https from protocol tcp
set firewall family inet filter protect-re-inet term https from destination-port https
set firewall family inet filter protect-re-inet term https then accept
set firewall family inet filter protect-re-inet term icmp from protocol icmp
set firewall family inet filter protect-re-inet term icmp then policer re-policier
set firewall family inet filter protect-re-inet term icmp then accept
set firewall family inet filter protect-re-inet term traceroute from protocol udp
set firewall family inet filter protect-re-inet term traceroute then policer re-policier
set firewall family inet filter protect-re-inet term traceroute then accept
set firewall family inet filter protect-re-inet term explicit_discard then count dropped
set firewall family inet filter protect-re-inet term explicit_discard then discard
set firewall policer re-policier if-exceeding bandwidth-limit 100k
set firewall policer re-policier if-exceeding burst-size-limit 25k
set firewall policer re-policier then discard


Username: root, password: juniper123

SRX packet mode:
set security forwarding-options family inet6 mode packet-based
set security forwarding-options family mpls mode packet-based
reboot

–Base config:

set system backup-router 10.10.1.254
set system time-zone Europe/Amsterdam
set system authentication-order radius
set system authentication-order password
set system name-server 10.10.10.1
set system radius-server 10.10.10.1 secret "$9$4BZHmpu1ESe69tORSMW4aZjkP"
set system radius-server 10.10.10.1 timeout 2
set system radius-server 10.10.10.1 retry 1
set system login class limited permissions view
set system login class limited permissions view-configuration
set system login class noc permissions all
set system login class noc deny-commands "(clear)|(configure)|(edit)|(start shell)"
set system login user lab uid 2000
set system login user lab class super-user
set system login user lab authentication encrypted-password workbook
set system login user remote uid 2001
set system login user remote class limited
set system login user remote authentication encrypted-password workbook
set system login user support uid 2002
set system login user support class noc
set system login user support authentication encrypted-password workbook
set system services ssh
set system services telnet
set system services netconf ssh
set system services web-management http interface fxp0.0
set system services web-management http interface ge-0/0/0.0
set system services web-management https system-generated-certificate
set system services web-management https interface ge-0/0/0.0
set system syslog archive size 100000
set system syslog archive files 3
set system syslog user * any emergency
set system syslog host 10.10.10.1 any warning
set system syslog host 10.10.10.1 log-prefix JNCIE-ENT
set system syslog host 10.10.10.1 explicit-priority
set system syslog file messages any info
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands info
set system syslog file authorization-file authorization info
set system ntp boot-server 10.10.10.1
set system ntp authentication-key 1 type md5
set system ntp authentication-key 1 value "$9$9MWbpIc-dsgaU8XNb2aiH9ApBRS"
set system ntp server 10.10.10.1 key 1
set interfaces ge-0/0/0 unit 0 family inet address 10.10.1.2/24
set interfaces ge-0/0/2 unit 0 family inet address 172.30.96.6/30
set interfaces lo0 unit 0 family inet filter input protect-re-inet
set snmp v3 usm local-engine user S1 authentication-md5 authentication-key "$9$3SIS90IXxdw2aKMLNb2GU369pOR"
set snmp v3 vacm security-to-group security-model usm security-name S1 group global
set snmp v3 vacm access group global default-context-prefix security-model usm security-level authentication read-view global-info
set snmp v3 target-address S1 address 10.10.10.1
set snmp v3 target-address S1 tag-list trap-receiver
set snmp v3 target-address S1 target-parameters S1-parameters
set snmp v3 target-parameters S1-parameters parameters message-processing-model v3
set snmp v3 target-parameters S1-parameters parameters security-model usm
set snmp v3 target-parameters S1-parameters parameters security-level authentication
set snmp v3 target-parameters S1-parameters parameters security-name S1
set snmp v3 target-parameters S1-parameters notify-filter specific-traps
set snmp v3 notify NMS type trap
set snmp v3 notify NMS tag trap-receiver
set snmp v3 notify-filter specific-traps oid snmpTraps include
set snmp v3 notify-filter specific-traps oid jnxTraps include
set snmp view global-info oid .1 include
set routing-options static route 10.10.10.0/24 next-hop 10.10.1.254
set protocols lldp interface all
set firewall family inet filter protect-re-inet term ah from protocol ah
set firewall family inet filter protect-re-inet term ah then accept
set firewall family inet filter protect-re-inet term gre from protocol gre
set firewall family inet filter protect-re-inet term gre then accept
set firewall family inet filter protect-re-inet term bfd from protocol udp
set firewall family inet filter protect-re-inet term bfd from destination-port 3784
set firewall family inet filter protect-re-inet term bfd then accept
set firewall family inet filter protect-re-inet term vrrp from protocol vrrp
set firewall family inet filter protect-re-inet term vrrp then accept
set firewall family inet filter protect-re-inet term ospf from protocol ospf
set firewall family inet filter protect-re-inet term ospf then accept
set firewall family inet filter protect-re-inet term bgp-1 from protocol tcp
set firewall family inet filter protect-re-inet term bgp-1 from source-port bgp
set firewall family inet filter protect-re-inet term bgp-1 then accept
set firewall family inet filter protect-re-inet term bgp-2 from protocol tcp
set firewall family inet filter protect-re-inet term bgp-2 from destination-port bgp
set firewall family inet filter protect-re-inet term bgp-2 then accept
set firewall family inet filter protect-re-inet term igmp from protocol igmp
set firewall family inet filter protect-re-inet term igmp then accept
set firewall family inet filter protect-re-inet term pim from protocol pim
set firewall family inet filter protect-re-inet term pim then accept
set firewall family inet filter protect-re-inet term ntp from source-address 10.10.10.0/24
set firewall family inet filter protect-re-inet term ntp from protocol udp
set firewall family inet filter protect-re-inet term ntp from source-port ntp
set firewall family inet filter protect-re-inet term radius from source-address 10.10.10.0/24
set firewall family inet filter protect-re-inet term radius from protocol tcp
set firewall family inet filter protect-re-inet term radius from protocol udp
set firewall family inet filter protect-re-inet term radius from source-port radius
set firewall family inet filter protect-re-inet term radius then accept
set firewall family inet filter protect-re-inet term dns from source-address 10.10.10.0/24
set firewall family inet filter protect-re-inet term dns from protocol udp
set firewall family inet filter protect-re-inet term dns from protocol tcp
set firewall family inet filter protect-re-inet term dns from source-port domain
set firewall family inet filter protect-re-inet term dns then accept
set firewall family inet filter protect-re-inet term snmp from source-address 10.10.10.0/24
set firewall family inet filter protect-re-inet term snmp from protocol udp
set firewall family inet filter protect-re-inet term snmp from destination-port snmp
set firewall family inet filter protect-re-inet term snmp then accept
set firewall family inet filter protect-re-inet term telnet from source-address 10.10.10.0/24
set firewall family inet filter protect-re-inet term telnet from protocol tcp
set firewall family inet filter protect-re-inet term telnet from destination-port telnet
set firewall family inet filter protect-re-inet term telnet then accept
set firewall family inet filter protect-re-inet term http from source-address 10.10.10.0/24
set firewall family inet filter protect-re-inet term http from protocol tcp
set firewall family inet filter protect-re-inet term http from destination-port http
set firewall family inet filter protect-re-inet term http then accept
set firewall family inet filter protect-re-inet term https from source-address 10.10.10.0/24
set firewall family inet filter protect-re-inet term https from protocol tcp
set firewall family inet filter protect-re-inet term https from destination-port https
set firewall family inet filter protect-re-inet term https then accept
set firewall family inet filter protect-re-inet term icmp from protocol icmp
set firewall family inet filter protect-re-inet term icmp then policer re-policier
set firewall family inet filter protect-re-inet term icmp then accept
set firewall family inet filter protect-re-inet term traceroute from protocol udp
set firewall family inet filter protect-re-inet term traceroute then policer re-policier
set firewall family inet filter protect-re-inet term traceroute then accept
set firewall family inet filter protect-re-inet term explicit_discard then count dropped
set firewall family inet filter protect-re-inet term explicit_discard then discard
set firewall policer re-policier if-exceeding bandwidth-limit 100k
set firewall policer re-policier if-exceeding burst-size-limit 25k
set firewall policer re-policier then discard


Username: root, password: juniper123

SRX packet mode:
set security forwarding-options family inet6 mode packet-based
set security forwarding-options family mpls mode packet-based
reboot

–Base config:

set system backup-router 10.10.1.254
set system time-zone Europe/Amsterdam
set system authentication-order radius
set system authentication-order password
set system name-server 10.10.10.1
set system radius-server 10.10.10.1 secret "$9$4BZHmpu1ESe69tORSMW4aZjkP"
set system radius-server 10.10.10.1 timeout 2
set system radius-server 10.10.10.1 retry 1
set system login class limited permissions view
set system login class limited permissions view-configuration
set system login class noc permissions all
set system login class noc deny-commands "(clear)|(configure)|(edit)|(start shell)"
set system login user lab uid 2000
set system login user lab class super-user
set system login user lab authentication encrypted-password workbook
set system login user remote uid 2001
set system login user remote class limited
set system login user remote authentication encrypted-password workbook
set system login user support uid 2002
set system login user support class noc
set system login user support authentication encrypted-password workbook
set system services ssh
set system services telnet
set system services netconf ssh
set system services web-management http interface fxp0.0
set system services web-management http interface ge-0/0/0.0
set system services web-management https system-generated-certificate
set system services web-management https interface ge-0/0/0.0
set system syslog archive size 100000
set system syslog archive files 3
set system syslog user * any emergency
set system syslog host 10.10.10.1 any warning
set system syslog host 10.10.10.1 log-prefix JNCIE-ENT
set system syslog host 10.10.10.1 explicit-priority
set system syslog file messages any info
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands info
set system syslog file authorization-file authorization info
set system ntp boot-server 10.10.10.1
set system ntp authentication-key 1 type md5
set system ntp authentication-key 1 value "$9$9MWbpIc-dsgaU8XNb2aiH9ApBRS"
set system ntp server 10.10.10.1 key 1
set interfaces ge-0/0/0 unit 0 family inet address 10.10.1.3/24
set interfaces lo0 unit 0 family inet filter input protect-re-inet
set snmp v3 usm local-engine user S1 authentication-md5 authentication-key "$9$3SIS90IXxdw2aKMLNb2GU369pOR"
set snmp v3 vacm security-to-group security-model usm security-name S1 group global
set snmp v3 vacm access group global default-context-prefix security-model usm security-level authentication read-view global-info
set snmp v3 target-address S1 address 10.10.10.1
set snmp v3 target-address S1 tag-list trap-receiver
set snmp v3 target-address S1 target-parameters S1-parameters
set snmp v3 target-parameters S1-parameters parameters message-processing-model v3
set snmp v3 target-parameters S1-parameters parameters security-model usm
set snmp v3 target-parameters S1-parameters parameters security-level authentication
set snmp v3 target-parameters S1-parameters parameters security-name S1
set snmp v3 target-parameters S1-parameters notify-filter specific-traps
set snmp v3 notify NMS type trap
set snmp v3 notify NMS tag trap-receiver
set snmp v3 notify-filter specific-traps oid snmpTraps include
set snmp v3 notify-filter specific-traps oid jnxTraps include
set snmp view global-info oid .1 include
set routing-options static route 10.10.10.0/24 next-hop 10.10.1.254
set protocols lldp interface all
set firewall family inet filter protect-re-inet term ah from protocol ah
set firewall family inet filter protect-re-inet term ah then accept
set firewall family inet filter protect-re-inet term gre from protocol gre
set firewall family inet filter protect-re-inet term gre then accept
set firewall family inet filter protect-re-inet term bfd from protocol udp
set firewall family inet filter protect-re-inet term bfd from destination-port 3784
set firewall family inet filter protect-re-inet term bfd then accept
set firewall family inet filter protect-re-inet term vrrp from protocol vrrp
set firewall family inet filter protect-re-inet term vrrp then accept
set firewall family inet filter protect-re-inet term ospf from protocol ospf
set firewall family inet filter protect-re-inet term ospf then accept
set firewall family inet filter protect-re-inet term bgp-1 from protocol tcp
set firewall family inet filter protect-re-inet term bgp-1 from source-port bgp
set firewall family inet filter protect-re-inet term bgp-1 then accept
set firewall family inet filter protect-re-inet term bgp-2 from protocol tcp
set firewall family inet filter protect-re-inet term bgp-2 from destination-port bgp
set firewall family inet filter protect-re-inet term bgp-2 then accept
set firewall family inet filter protect-re-inet term igmp from protocol igmp
set firewall family inet filter protect-re-inet term igmp then accept
set firewall family inet filter protect-re-inet term pim from protocol pim
set firewall family inet filter protect-re-inet term pim then accept
set firewall family inet filter protect-re-inet term ntp from source-address 10.10.10.0/24
set firewall family inet filter protect-re-inet term ntp from protocol udp
set firewall family inet filter protect-re-inet term ntp from source-port ntp
set firewall family inet filter protect-re-inet term radius from source-address 10.10.10.0/24
set firewall family inet filter protect-re-inet term radius from protocol tcp
set firewall family inet filter protect-re-inet term radius from protocol udp
set firewall family inet filter protect-re-inet term radius from source-port radius
set firewall family inet filter protect-re-inet term radius then accept
set firewall family inet filter protect-re-inet term dns from source-address 10.10.10.0/24
set firewall family inet filter protect-re-inet term dns from protocol udp
set firewall family inet filter protect-re-inet term dns from protocol tcp
set firewall family inet filter protect-re-inet term dns from source-port domain
set firewall family inet filter protect-re-inet term dns then accept
set firewall family inet filter protect-re-inet term snmp from source-address 10.10.10.0/24
set firewall family inet filter protect-re-inet term snmp from protocol udp
set firewall family inet filter protect-re-inet term snmp from destination-port snmp
set firewall family inet filter protect-re-inet term snmp then accept
set firewall family inet filter protect-re-inet term telnet from source-address 10.10.10.0/24
set firewall family inet filter protect-re-inet term telnet from protocol tcp
set firewall family inet filter protect-re-inet term telnet from destination-port telnet
set firewall family inet filter protect-re-inet term telnet then accept
set firewall family inet filter protect-re-inet term http from source-address 10.10.10.0/24
set firewall family inet filter protect-re-inet term http from protocol tcp
set firewall family inet filter protect-re-inet term http from destination-port http
set firewall family inet filter protect-re-inet term http then accept
set firewall family inet filter protect-re-inet term https from source-address 10.10.10.0/24
set firewall family inet filter protect-re-inet term https from protocol tcp
set firewall family inet filter protect-re-inet term https from destination-port https
set firewall family inet filter protect-re-inet term https then accept
set firewall family inet filter protect-re-inet term icmp from protocol icmp
set firewall family inet filter protect-re-inet term icmp then policer re-policier
set firewall family inet filter protect-re-inet term icmp then accept
set firewall family inet filter protect-re-inet term traceroute from protocol udp
set firewall family inet filter protect-re-inet term traceroute then policer re-policier
set firewall family inet filter protect-re-inet term traceroute then accept
set firewall family inet filter protect-re-inet term explicit_discard then count dropped
set firewall family inet filter protect-re-inet term explicit_discard then discard
set firewall policer re-policier if-exceeding bandwidth-limit 100k
set firewall policer re-policier if-exceeding burst-size-limit 25k
set firewall policer re-policier then discard


Username: root    password: juniper123

SRX packet mode:
set security forwarding-options family inet6 mode packet-based
set security forwarding-options family mpls mode packet-based
reboot

–Base config:

set system backup-router 10.10.1.254
set system time-zone Europe/Amsterdam
set system authentication-order radius
set system authentication-order password
set system name-server 10.10.10.1
set system radius-server 10.10.10.1 secret "$9$4BZHmpu1ESe69tORSMW4aZjkP"
set system radius-server 10.10.10.1 timeout 2
set system radius-server 10.10.10.1 retry 1
set system login class limited permissions view
set system login class limited permissions view-configuration
set system login class noc permissions all
set system login class noc deny-commands "(clear)|(configure)|(edit)|(start shell)"
set system login user lab uid 2000
set system login user lab class super-user
set system login user lab authentication encrypted-password workbook
set system login user remote uid 2001
set system login user remote class limited
set system login user remote authentication encrypted-password workbook
set system login user support uid 2002
set system login user support class noc
set system login user support authentication encrypted-password workbook
set system services ssh
set system services telnet
set system services netconf ssh
set system services web-management http interface fxp0.0
set system services web-management http interface ge-0/0/0.0
set system services web-management https system-generated-certificate
set system services web-management https interface ge-0/0/0.0
set system syslog archive size 100000
set system syslog archive files 3
set system syslog user * any emergency
set system syslog host 10.10.10.1 any warning
set system syslog host 10.10.10.1 log-prefix JNCIE-ENT
set system syslog host 10.10.10.1 explicit-priority
set system syslog file messages any info
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands info
set system syslog file authorization-file authorization info
set system ntp boot-server 10.10.10.1
set system ntp authentication-key 1 type md5
set system ntp authentication-key 1 value "$9$9MWbpIc-dsgaU8XNb2aiH9ApBRS"
set system ntp server 10.10.10.1 key 1
set interfaces ge-0/0/0 unit 0 family inet address 10.10.1.4/24
set interfaces lo0 unit 0 family inet filter input protect-re-inet
set snmp v3 usm local-engine user S1 authentication-md5 authentication-key "$9$3SIS90IXxdw2aKMLNb2GU369pOR"
set snmp v3 vacm security-to-group security-model usm security-name S1 group global
set snmp v3 vacm access group global default-context-prefix security-model usm security-level authentication read-view global-info
set snmp v3 target-address S1 address 10.10.10.1
set snmp v3 target-address S1 tag-list trap-receiver
set snmp v3 target-address S1 target-parameters S1-parameters
set snmp v3 target-parameters S1-parameters parameters message-processing-model v3
set snmp v3 target-parameters S1-parameters parameters security-model usm
set snmp v3 target-parameters S1-parameters parameters security-level authentication
set snmp v3 target-parameters S1-parameters parameters security-name S1
set snmp v3 target-parameters S1-parameters notify-filter specific-traps
set snmp v3 notify NMS type trap
set snmp v3 notify NMS tag trap-receiver
set snmp v3 notify-filter specific-traps oid snmpTraps include
set snmp v3 notify-filter specific-traps oid jnxTraps include
set snmp view global-info oid .1 include
set routing-options static route 10.10.10.0/24 next-hop 10.10.1.254
set protocols lldp interface all
set firewall family inet filter protect-re-inet term ah from protocol ah
set firewall family inet filter protect-re-inet term ah then accept
set firewall family inet filter protect-re-inet term gre from protocol gre
set firewall family inet filter protect-re-inet term gre then accept
set firewall family inet filter protect-re-inet term bfd from protocol udp
set firewall family inet filter protect-re-inet term bfd from destination-port 3784
set firewall family inet filter protect-re-inet term bfd then accept
set firewall family inet filter protect-re-inet term vrrp from protocol vrrp
set firewall family inet filter protect-re-inet term vrrp then accept
set firewall family inet filter protect-re-inet term ospf from protocol ospf
set firewall family inet filter protect-re-inet term ospf then accept
set firewall family inet filter protect-re-inet term bgp-1 from protocol tcp
set firewall family inet filter protect-re-inet term bgp-1 from source-port bgp
set firewall family inet filter protect-re-inet term bgp-1 then accept
set firewall family inet filter protect-re-inet term bgp-2 from protocol tcp
set firewall family inet filter protect-re-inet term bgp-2 from destination-port bgp
set firewall family inet filter protect-re-inet term bgp-2 then accept
set firewall family inet filter protect-re-inet term igmp from protocol igmp
set firewall family inet filter protect-re-inet term igmp then accept
set firewall family inet filter protect-re-inet term pim from protocol pim
set firewall family inet filter protect-re-inet term pim then accept
set firewall family inet filter protect-re-inet term ntp from source-address 10.10.10.0/24
set firewall family inet filter protect-re-inet term ntp from protocol udp
set firewall family inet filter protect-re-inet term ntp from source-port ntp
set firewall family inet filter protect-re-inet term radius from source-address 10.10.10.0/24
set firewall family inet filter protect-re-inet term radius from protocol tcp
set firewall family inet filter protect-re-inet term radius from protocol udp
set firewall family inet filter protect-re-inet term radius from source-port radius
set firewall family inet filter protect-re-inet term radius then accept
set firewall family inet filter protect-re-inet term dns from source-address 10.10.10.0/24
set firewall family inet filter protect-re-inet term dns from protocol udp
set firewall family inet filter protect-re-inet term dns from protocol tcp
set firewall family inet filter protect-re-inet term dns from source-port domain
set firewall family inet filter protect-re-inet term dns then accept
set firewall family inet filter protect-re-inet term snmp from source-address 10.10.10.0/24
set firewall family inet filter protect-re-inet term snmp from protocol udp
set firewall family inet filter protect-re-inet term snmp from destination-port snmp
set firewall family inet filter protect-re-inet term snmp then accept
set firewall family inet filter protect-re-inet term telnet from source-address 10.10.10.0/24
set firewall family inet filter protect-re-inet term telnet from protocol tcp
set firewall family inet filter protect-re-inet term telnet from destination-port telnet
set firewall family inet filter protect-re-inet term telnet then accept
set firewall family inet filter protect-re-inet term http from source-address 10.10.10.0/24
set firewall family inet filter protect-re-inet term http from protocol tcp
set firewall family inet filter protect-re-inet term http from destination-port http
set firewall family inet filter protect-re-inet term http then accept
set firewall family inet filter protect-re-inet term https from source-address 10.10.10.0/24
set firewall family inet filter protect-re-inet term https from protocol tcp
set firewall family inet filter protect-re-inet term https from destination-port https
set firewall family inet filter protect-re-inet term https then accept
set firewall family inet filter protect-re-inet term icmp from protocol icmp
set firewall family inet filter protect-re-inet term icmp then policer re-policier
set firewall family inet filter protect-re-inet term icmp then accept
set firewall family inet filter protect-re-inet term traceroute from protocol udp
set firewall family inet filter protect-re-inet term traceroute then policer re-policier
set firewall family inet filter protect-re-inet term traceroute then accept
set firewall family inet filter protect-re-inet term explicit_discard then count dropped
set firewall family inet filter protect-re-inet term explicit_discard then discard
set firewall policer re-policier if-exceeding bandwidth-limit 100k
set firewall policer re-policier if-exceeding burst-size-limit 25k
set firewall policer re-policier then discard

root@D5-Jupiter> show configuration |display set |except dhcp
set version 18.4R1.8
set system login class limited permissions view
set system login class limited permissions view-configuration
set system login class noc permissions all
set system login class noc deny-commands "(clear)|(configure)|(edit)|(start shell)"
set system login user lab uid 2000
set system login user lab class super-user
set system login user lab authentication encrypted-password workbook
set system login user remote uid 2001
set system login user remote class limited
set system login user remote authentication encrypted-password workbook
set system login user support uid 2002
set system login user support class noc
set system login user support authentication encrypted-password workbook
set system root-authentication encrypted-password "$6$/vLk0w8u$afC6ILjmuGiuh3E3lhQqxG2.UStiKb/joi41Z6hHnaaGf9dTEvEAoIYRF.8jDyIevN2BStVJAKyiEAK6kxu2.1"
set system services ssh root-login allow
set system services telnet
set system services netconf ssh
set system services web-management http interface em0.0
set system services web-management https system-generated-certificate
set system services web-management https interface em0.0
set system host-name D5-Jupiter
set system backup-router 10.10.1.254
set system time-zone Europe/Amsterdam
set system authentication-order radius
set system authentication-order password
set system name-server 10.10.10.1
set system radius-server 10.10.10.1 secret "$9$4BZHmpu1ESe69tORSMW4aZjkP"
set system radius-server 10.10.10.1 timeout 2
set system radius-server 10.10.10.1 retry 1
set system syslog archive size 100000
set system syslog archive files 3
set system syslog user * any emergency
set system syslog host 10.10.10.1 any warning
set system syslog host 10.10.10.1 log-prefix JNCIE-ENT
set system syslog host 10.10.10.1 explicit-priority
set system syslog file messages any info
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands info
set system syslog file authorization-file authorization info
set system extensions providers juniper license-type juniper deployment-scope commercial
set system extensions providers chef license-type juniper deployment-scope commercial
set system ntp boot-server 10.10.10.1
set system ntp authentication-key 1 type md5
set system ntp authentication-key 1 value "$9$9MWbpIc-dsgaU8XNb2aiH9ApBRS"
set system ntp server 10.10.10.1 key 1
set interfaces em0 unit 0 family inet address 10.10.1.11/24
set interfaces em1 unit 0 family inet address 169.254.0.2/24
set interfaces lo0 unit 0 family inet filter input protect-re-inet
set snmp v3 usm local-engine user S1 authentication-md5 authentication-key "$9$3SIS90IXxdw2aKMLNb2GU369pOR"
set snmp v3 vacm security-to-group security-model usm security-name S1 group global
set snmp v3 vacm access group global default-context-prefix security-model usm security-level authentication read-view global-info
set snmp v3 target-address S1 address 10.10.10.1
set snmp v3 target-address S1 tag-list trap-receiver
set snmp v3 target-address S1 target-parameters S1-parameters
set snmp v3 target-parameters S1-parameters parameters message-processing-model v3
set snmp v3 target-parameters S1-parameters parameters security-model usm
set snmp v3 target-parameters S1-parameters parameters security-level authentication
set snmp v3 target-parameters S1-parameters parameters security-name S1
set snmp v3 target-parameters S1-parameters notify-filter specific-traps
set snmp v3 notify NMS type trap
set snmp v3 notify NMS tag trap-receiver
set snmp v3 notify-filter specific-traps oid snmpTraps include
set snmp v3 notify-filter specific-traps oid jnxTraps include
set snmp view global-info oid .1 include
set forwarding-options storm-control-profiles default all
set firewall family inet filter protect-re-inet term ah from protocol ah
set firewall family inet filter protect-re-inet term ah then accept
set firewall family inet filter protect-re-inet term gre from protocol gre
set firewall family inet filter protect-re-inet term gre then accept
set firewall family inet filter protect-re-inet term bfd from protocol udp
set firewall family inet filter protect-re-inet term bfd from destination-port 3784
set firewall family inet filter protect-re-inet term bfd then accept
set firewall family inet filter protect-re-inet term vrrp from protocol vrrp
set firewall family inet filter protect-re-inet term vrrp then accept
set firewall family inet filter protect-re-inet term ospf from protocol ospf
set firewall family inet filter protect-re-inet term ospf then accept
set firewall family inet filter protect-re-inet term bgp-1 from protocol tcp
set firewall family inet filter protect-re-inet term bgp-1 from source-port bgp
set firewall family inet filter protect-re-inet term bgp-1 then accept
set firewall family inet filter protect-re-inet term bgp-2 from protocol tcp
set firewall family inet filter protect-re-inet term bgp-2 from destination-port bgp
set firewall family inet filter protect-re-inet term bgp-2 then accept
set firewall family inet filter protect-re-inet term igmp from protocol igmp
set firewall family inet filter protect-re-inet term igmp then accept
set firewall family inet filter protect-re-inet term pim from protocol pim
set firewall family inet filter protect-re-inet term pim then accept
set firewall family inet filter protect-re-inet term ntp from source-address 10.10.10.0/24
set firewall family inet filter protect-re-inet term ntp from protocol udp
set firewall family inet filter protect-re-inet term ntp from source-port ntp
set firewall family inet filter protect-re-inet term radius from source-address 10.10.10.0/24
set firewall family inet filter protect-re-inet term radius from protocol tcp
set firewall family inet filter protect-re-inet term radius from protocol udp
set firewall family inet filter protect-re-inet term radius from source-port radius
set firewall family inet filter protect-re-inet term radius then accept
set firewall family inet filter protect-re-inet term dns from source-address 10.10.10.0/24
set firewall family inet filter protect-re-inet term dns from protocol udp
set firewall family inet filter protect-re-inet term dns from protocol tcp
set firewall family inet filter protect-re-inet term dns from source-port domain
set firewall family inet filter protect-re-inet term dns then accept
set firewall family inet filter protect-re-inet term snmp from source-address 10.10.10.0/24
set firewall family inet filter protect-re-inet term snmp from protocol udp
set firewall family inet filter protect-re-inet term snmp from destination-port snmp
set firewall family inet filter protect-re-inet term snmp then accept
set firewall family inet filter protect-re-inet term telnet from source-address 10.10.10.0/24
set firewall family inet filter protect-re-inet term telnet from protocol tcp
set firewall family inet filter protect-re-inet term telnet from destination-port telnet
set firewall family inet filter protect-re-inet term telnet then accept
set firewall family inet filter protect-re-inet term http from source-address 10.10.10.0/24
set firewall family inet filter protect-re-inet term http from protocol tcp
set firewall family inet filter protect-re-inet term http from destination-port http
set firewall family inet filter protect-re-inet term http then accept
set firewall family inet filter protect-re-inet term https from source-address 10.10.10.0/24
set firewall family inet filter protect-re-inet term https from protocol tcp
set firewall family inet filter protect-re-inet term https from destination-port https
set firewall family inet filter protect-re-inet term https then accept
set firewall family inet filter protect-re-inet term icmp from protocol icmp
set firewall family inet filter protect-re-inet term icmp then policer re-policier
set firewall family inet filter protect-re-inet term icmp then accept
set firewall family inet filter protect-re-inet term traceroute from protocol udp
set firewall family inet filter protect-re-inet term traceroute then policer re-policier
set firewall family inet filter protect-re-inet term traceroute then accept
set firewall family inet filter protect-re-inet term explicit_discard then count dropped
set firewall family inet filter protect-re-inet term explicit_discard then discard
set firewall policer re-policier if-exceeding bandwidth-limit 100k
set firewall policer re-policier if-exceeding burst-size-limit 25k
set firewall policer re-policier then discard
set routing-options static route 10.10.10.0/24 next-hop 10.10.1.254
set protocols lldp interface all
set protocols igmp-snooping vlan default
set vlans default vlan-id 1
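The base configuration above is the same on every device, so it is worth checking mechanically rather than by eye. The script below is an added example for this page, not part of the lab workbook: it parses `show configuration | display set` output and reports the management-plane points a reviewer would raise against this config, namely `ssh root-login allow`, telnet and plaintext J-Web enabled, an SNMPv3 user with authentication but no privacy key, a `protect-re-inet` term (`ntp`) that has no `then` action and therefore relies on the implicit accept, and terms that open a service port to any source (`bfd`). `SAMPLE_CONFIG` is a constructed subset of the lab's own lines with the SNMP key replaced by a placeholder; the function and finding names are my own.

```python
"""Audit a Junos 'display set' dump for management-plane hardening gaps.

Added example for this workbook page (not the lab's own tooling). It parses
'set ...' statements as printed by 'show configuration | display set' and
reports settings a reviewer of the base config would question. SAMPLE_CONFIG
is a constructed subset of the lab's base configuration; the SNMP key is a
placeholder, not the lab value.
"""
from collections import OrderedDict

SAMPLE_CONFIG = """\
set system services ssh root-login allow
set system services telnet
set system services netconf ssh
set system services web-management http interface em0.0
set system services web-management https system-generated-certificate
set snmp v3 usm local-engine user S1 authentication-md5 authentication-key "PLACEHOLDER"
set interfaces lo0 unit 0 family inet filter input protect-re-inet
set firewall family inet filter protect-re-inet term ospf from protocol ospf
set firewall family inet filter protect-re-inet term ospf then accept
set firewall family inet filter protect-re-inet term bfd from protocol udp
set firewall family inet filter protect-re-inet term bfd from destination-port 3784
set firewall family inet filter protect-re-inet term bfd then accept
set firewall family inet filter protect-re-inet term ntp from source-address 10.10.10.0/24
set firewall family inet filter protect-re-inet term ntp from protocol udp
set firewall family inet filter protect-re-inet term ntp from source-port ntp
set firewall family inet filter protect-re-inet term telnet from source-address 10.10.10.0/24
set firewall family inet filter protect-re-inet term telnet from protocol tcp
set firewall family inet filter protect-re-inet term telnet from destination-port telnet
set firewall family inet filter protect-re-inet term telnet then accept
set firewall family inet filter protect-re-inet term icmp from protocol icmp
set firewall family inet filter protect-re-inet term icmp then policer re-policier
set firewall family inet filter protect-re-inet term icmp then accept
set firewall family inet filter protect-re-inet term explicit_discard then count dropped
set firewall family inet filter protect-re-inet term explicit_discard then discard
"""


def parse_set_lines(text):
    """Tokenise every 'set ...' statement, keeping configuration order."""
    return [line.split()[1:] for line in text.splitlines()
            if line.strip().startswith("set ")]


def filter_terms(stmts, name):
    """Group one inet filter's statements: term -> {'from': [...], 'then': [...]}."""
    prefix = ["firewall", "family", "inet", "filter", name, "term"]
    terms = OrderedDict()
    for s in stmts:
        if s[:6] == prefix and len(s) > 7 and s[7] in ("from", "then"):
            terms.setdefault(s[6], {"from": [], "then": []})[s[7]].append(s[8:])
    return terms


def audit_services(stmts):
    """Flag management services that expose credentials or widen access."""
    findings = []
    svc = [s[2:] for s in stmts if s[:2] == ["system", "services"]]
    if ["ssh", "root-login", "allow"] in svc:
        findings.append("ssh root-login allow: use named accounts (RADIUS) and keep root off the wire")
    if any(s[:1] == ["telnet"] for s in svc):
        findings.append("telnet enabled: cleartext logins; prefer ssh only")
    if any(s[:2] == ["web-management", "http"] for s in svc):
        findings.append("web-management http enabled: cleartext J-Web; keep https only")
    # SNMPv3 USM users configured with an authentication key but no privacy key
    users = {}
    for s in stmts:
        if s[:5] == ["snmp", "v3", "usm", "local-engine", "user"]:
            users.setdefault(s[5], set()).update(
                t for t in s[6:] if t.startswith(("authentication-", "privacy-")))
    for user, opts in sorted(users.items()):
        if not any(o.startswith("privacy-") for o in opts):
            findings.append(f"snmp v3 user {user}: authNoPriv; add a privacy key so polls and traps are encrypted")
    return findings


def audit_re_filter(stmts, name):
    """Check the routing-engine protection filter for coverage gaps."""
    findings = []
    applied = any(s[:2] == ["interfaces", "lo0"]
                  and s[4:9] == ["family", "inet", "filter", "input", name] for s in stmts)
    if not applied:
        findings.append(f"{name}: not applied as input filter on lo0")
    terms = filter_terms(stmts, name)
    if not terms:
        findings.append(f"{name}: filter is not defined")
        return findings
    last = next(reversed(terms))
    if ["discard"] not in terms[last]["then"]:
        findings.append(f"{name}: last term '{last}' does not discard; unmatched traffic reaches the RE")
    for tname, term in terms.items():
        match = {m[0] for m in term["from"] if m}
        if not term["then"]:
            findings.append(f"{name} term '{tname}': no 'then' action, so Junos accepts implicitly; state it")
        if "destination-port" in match and not match & {"source-address", "source-prefix-list"}:
            findings.append(f"{name} term '{tname}': accepts to a service port from any source; restrict by source")
    return findings


def run_audit(text, filter_name="protect-re-inet"):
    """Run both audits over one 'display set' dump and return the findings."""
    stmts = parse_set_lines(text)
    return {"services": audit_services(stmts), "re_filter": audit_re_filter(stmts, filter_name)}


if __name__ == "__main__":
    for section, items in run_audit(SAMPLE_CONFIG).items():
        print(f"== {section}")
        for item in items:
            print(" -", item)
```

Feed it a real dump with `run_audit(open("d5.set").read())`; the `display set` form is what makes the token-prefix matching simple, and the per-term grouping preserves order, which is what matters for the final-discard check.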

{master:0}

set system login class limited permissions view
set system login class limited permissions view-configuration
set system login class noc permissions all
set system login class noc deny-commands "(clear)|(configure)|(edit)|(start shell)"
set system login user lab uid 2000
set system login user lab class super-user
set system login user lab authentication encrypted-password workbook
set system login user remote uid 2001
set system login user remote class limited
set system login user remote authentication encrypted-password workbook
set system login user support uid 2002
set system login user support class noc
set system login user support authentication encrypted-password workbook
set system root-authentication encrypted-password "$6$/vLk0w8u$afC6ILjmuGiuh3E3lhQqxG2.UStiKb/joi41Z6hHnaaGf9dTEvEAoIYRF.8jDyIevN2BStVJAKyiEAK6kxu2.1"
set system services ssh root-login allow
set system services telnet
set system services netconf ssh
set system services web-management http interface em0.0
set system services web-management https system-generated-certificate
set system services web-management https interface em0.0
set system backup-router 10.10.1.254
set system time-zone Europe/Amsterdam
set system authentication-order radius
set system authentication-order password
set system name-server 10.10.10.1
set system radius-server 10.10.10.1 secret "$9$4BZHmpu1ESe69tORSMW4aZjkP"
set system radius-server 10.10.10.1 timeout 2
set system radius-server 10.10.10.1 retry 1
set system syslog archive size 100000
set system syslog archive files 3
set system syslog user * any emergency
set system syslog host 10.10.10.1 any warning
set system syslog host 10.10.10.1 log-prefix JNCIE-ENT
set system syslog host 10.10.10.1 explicit-priority
set system syslog file messages any info
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands info
set system syslog file authorization-file authorization info
set system extensions providers juniper license-type juniper deployment-scope commercial
set system extensions providers chef license-type juniper deployment-scope commercial
set system ntp boot-server 10.10.10.1
set system ntp authentication-key 1 type md5
set system ntp authentication-key 1 value "$9$9MWbpIc-dsgaU8XNb2aiH9ApBRS"
set system ntp server 10.10.10.1 key 1
set interfaces lo0 unit 0 family inet filter input protect-re-inet
set snmp v3 usm local-engine user S1 authentication-md5 authentication-key "$9$3SIS90IXxdw2aKMLNb2GU369pOR"
set snmp v3 vacm security-to-group security-model usm security-name S1 group global
set snmp v3 vacm access group global default-context-prefix security-model usm security-level authentication read-view global-info
set snmp v3 target-address S1 address 10.10.10.1
set snmp v3 target-address S1 tag-list trap-receiver
set snmp v3 target-address S1 target-parameters S1-parameters
set snmp v3 target-parameters S1-parameters parameters message-processing-model v3
set snmp v3 target-parameters S1-parameters parameters security-model usm
set snmp v3 target-parameters S1-parameters parameters security-level authentication
set snmp v3 target-parameters S1-parameters parameters security-name S1
set snmp v3 target-parameters S1-parameters notify-filter specific-traps
set snmp v3 notify NMS type trap
set snmp v3 notify NMS tag trap-receiver
set snmp v3 notify-filter specific-traps oid snmpTraps include
set snmp v3 notify-filter specific-traps oid jnxTraps include
set snmp view global-info oid .1 include
set forwarding-options storm-control-profiles default all
set firewall family inet filter protect-re-inet term ah from protocol ah
set firewall family inet filter protect-re-inet term ah then accept
set firewall family inet filter protect-re-inet term gre from protocol gre
set firewall family inet filter protect-re-inet term gre then accept
set firewall family inet filter protect-re-inet term bfd from protocol udp
set firewall family inet filter protect-re-inet term bfd from destination-port 3784
set firewall family inet filter protect-re-inet term bfd then accept
set firewall family inet filter protect-re-inet term vrrp from protocol vrrp
set firewall family inet filter protect-re-inet term vrrp then accept
set firewall family inet filter protect-re-inet term ospf from protocol ospf
set firewall family inet filter protect-re-inet term ospf then accept
set firewall family inet filter protect-re-inet term bgp-1 from protocol tcp
set firewall family inet filter protect-re-inet term bgp-1 from source-port bgp
set firewall family inet filter protect-re-inet term bgp-1 then accept
set firewall family inet filter protect-re-inet term bgp-2 from protocol tcp
set firewall family inet filter protect-re-inet term bgp-2 from destination-port bgp
set firewall family inet filter protect-re-inet term bgp-2 then accept
set firewall family inet filter protect-re-inet term igmp from protocol igmp
set firewall family inet filter protect-re-inet term igmp then accept
set firewall family inet filter protect-re-inet term pim from protocol pim
set firewall family inet filter protect-re-inet term pim then accept
set firewall family inet filter protect-re-inet term ntp from source-address 10.10.10.0/24
set firewall family inet filter protect-re-inet term ntp from protocol udp
set firewall family inet filter protect-re-inet term ntp from source-port ntp
set firewall family inet filter protect-re-inet term radius from source-address 10.10.10.0/24
set firewall family inet filter protect-re-inet term radius from protocol tcp
set firewall family inet filter protect-re-inet term radius from protocol udp
set firewall family inet filter protect-re-inet term radius from source-port radius
set firewall family inet filter protect-re-inet term radius then accept
set firewall family inet filter protect-re-inet term dns from source-address 10.10.10.0/24
set firewall family inet filter protect-re-inet term dns from protocol udp
set firewall family inet filter protect-re-inet term dns from protocol tcp
set firewall family inet filter protect-re-inet term dns from source-port domain
set firewall family inet filter protect-re-inet term dns then accept
set firewall family inet filter protect-re-inet term snmp from source-address 10.10.10.0/24
set firewall family inet filter protect-re-inet term snmp from protocol udp
set firewall family inet filter protect-re-inet term snmp from destination-port snmp
set firewall family inet filter protect-re-inet term snmp then accept
set firewall family inet filter protect-re-inet term telnet from source-address 10.10.10.0/24
set firewall family inet filter protect-re-inet term telnet from protocol tcp
set firewall family inet filter protect-re-inet term telnet from destination-port telnet
set firewall family inet filter protect-re-inet term telnet then accept
set firewall family inet filter protect-re-inet term http from source-address 10.10.10.0/24
set firewall family inet filter protect-re-inet term http from protocol tcp
set firewall family inet filter protect-re-inet term http from destination-port http
set firewall family inet filter protect-re-inet term http then accept
set firewall family inet filter protect-re-inet term https from source-address 10.10.10.0/24
set firewall family inet filter protect-re-inet term https from protocol tcp
set firewall family inet filter protect-re-inet term https from destination-port https
set firewall family inet filter protect-re-inet term https then accept
set firewall family inet filter protect-re-inet term icmp from protocol icmp
set firewall family inet filter protect-re-inet term icmp then policer re-policier
set firewall family inet filter protect-re-inet term icmp then accept
set firewall family inet filter protect-re-inet term traceroute from protocol udp
set firewall family inet filter protect-re-inet term traceroute then policer re-policier
set firewall family inet filter protect-re-inet term traceroute then accept
set firewall family inet filter protect-re-inet term explicit_discard then count dropped
set firewall family inet filter protect-re-inet term explicit_discard then discard
set firewall policer re-policier if-exceeding bandwidth-limit 100k
set firewall policer re-policier if-exceeding burst-size-limit 25k
set firewall policer re-policier then discard
set routing-options static route 10.10.10.0/24 next-hop 10.10.1.254
set protocols lldp interface all

set system login class limited permissions view
set system login class limited permissions view-configuration
set system login class noc permissions all
set system login class noc deny-commands "(clear)|(configure)|(edit)|(start shell)"
set system login user lab uid 2000
set system login user lab class super-user
set system login user lab authentication encrypted-password workbook
set system login user remote uid 2001
set system login user remote class limited
set system login user remote authentication encrypted-password workbook
set system login user support uid 2002
set system login user support class noc
set system login user support authentication encrypted-password workbook
set system root-authentication encrypted-password "$6$/vLk0w8u$afC6ILjmuGiuh3E3lhQqxG2.UStiKb/joi41Z6hHnaaGf9dTEvEAoIYRF.8jDyIevN2BStVJAKyiEAK6kxu2.1"
set system services ssh root-login allow
set system services telnet
set system services netconf ssh
set system services web-management http interface em0.0
set system services web-management https system-generated-certificate
set system services web-management https interface em0.0
set system backup-router 10.10.1.254
set system time-zone Europe/Amsterdam
set system authentication-order radius
set system authentication-order password
set system name-server 10.10.10.1
set system radius-server 10.10.10.1 secret "$9$4BZHmpu1ESe69tORSMW4aZjkP"
set system radius-server 10.10.10.1 timeout 2
set system radius-server 10.10.10.1 retry 1
set system syslog archive size 100000
set system syslog archive files 3
set system syslog user * any emergency
set system syslog host 10.10.10.1 any warning
set system syslog host 10.10.10.1 log-prefix JNCIE-ENT
set system syslog host 10.10.10.1 explicit-priority
set system syslog file messages any info
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands info
set system syslog file authorization-file authorization info
set system extensions providers juniper license-type juniper deployment-scope commercial
set system extensions providers chef license-type juniper deployment-scope commercial
set system ntp boot-server 10.10.10.1
set system ntp authentication-key 1 type md5
set system ntp authentication-key 1 value "$9$9MWbpIc-dsgaU8XNb2aiH9ApBRS"
set system ntp server 10.10.10.1 key 1
set interfaces lo0 unit 0 family inet filter input protect-re-inet
set snmp v3 usm local-engine user S1 authentication-md5 authentication-key "$9$3SIS90IXxdw2aKMLNb2GU369pOR"
set snmp v3 vacm security-to-group security-model usm security-name S1 group global
set snmp v3 vacm access group global default-context-prefix security-model usm security-level authentication read-view global-info
set snmp v3 target-address S1 address 10.10.10.1
set snmp v3 target-address S1 tag-list trap-receiver
set snmp v3 target-address S1 target-parameters S1-parameters
set snmp v3 target-parameters S1-parameters parameters message-processing-model v3
set snmp v3 target-parameters S1-parameters parameters security-model usm
set snmp v3 target-parameters S1-parameters parameters security-level authentication
set snmp v3 target-parameters S1-parameters parameters security-name S1
set snmp v3 target-parameters S1-parameters notify-filter specific-traps
set snmp v3 notify NMS type trap
set snmp v3 notify NMS tag trap-receiver
set snmp v3 notify-filter specific-traps oid snmpTraps include
set snmp v3 notify-filter specific-traps oid jnxTraps include
set snmp view global-info oid .1 include
set forwarding-options storm-control-profiles default all
set firewall family inet filter protect-re-inet term ah from protocol ah
set firewall family inet filter protect-re-inet term ah then accept
set firewall family inet filter protect-re-inet term gre from protocol gre
set firewall family inet filter protect-re-inet term gre then accept
set firewall family inet filter protect-re-inet term bfd from protocol udp
set firewall family inet filter protect-re-inet term bfd from destination-port 3784
set firewall family inet filter protect-re-inet term bfd then accept
set firewall family inet filter protect-re-inet term vrrp from protocol vrrp
set firewall family inet filter protect-re-inet term vrrp then accept
set firewall family inet filter protect-re-inet term ospf from protocol ospf
set firewall family inet filter protect-re-inet term ospf then accept
set firewall family inet filter protect-re-inet term bgp-1 from protocol tcp
set firewall family inet filter protect-re-inet term bgp-1 from source-port bgp
set firewall family inet filter protect-re-inet term bgp-1 then accept
set firewall family inet filter protect-re-inet term bgp-2 from protocol tcp
set firewall family inet filter protect-re-inet term bgp-2 from destination-port bgp
set firewall family inet filter protect-re-inet term bgp-2 then accept
set firewall family inet filter protect-re-inet term igmp from protocol igmp
set firewall family inet filter protect-re-inet term igmp then accept
set firewall family inet filter protect-re-inet term pim from protocol pim
set firewall family inet filter protect-re-inet term pim then accept
set firewall family inet filter protect-re-inet term ntp from source-address 10.10.10.0/24
set firewall family inet filter protect-re-inet term ntp from protocol udp
set firewall family inet filter protect-re-inet term ntp from source-port ntp
set firewall family inet filter protect-re-inet term radius from source-address 10.10.10.0/24
set firewall family inet filter protect-re-inet term radius from protocol tcp
set firewall family inet filter protect-re-inet term radius from protocol udp
set firewall family inet filter protect-re-inet term radius from source-port radius
set firewall family inet filter protect-re-inet term radius then accept
set firewall family inet filter protect-re-inet term dns from source-address 10.10.10.0/24
set firewall family inet filter protect-re-inet term dns from protocol udp
set firewall family inet filter protect-re-inet term dns from protocol tcp
set firewall family inet filter protect-re-inet term dns from source-port domain
set firewall family inet filter protect-re-inet term dns then accept
set firewall family inet filter protect-re-inet term snmp from source-address 10.10.10.0/24
set firewall family inet filter protect-re-inet term snmp from protocol udp
set firewall family inet filter protect-re-inet term snmp from destination-port snmp
set firewall family inet filter protect-re-inet term snmp then accept
set firewall family inet filter protect-re-inet term telnet from source-address 10.10.10.0/24
set firewall family inet filter protect-re-inet term telnet from protocol tcp
set firewall family inet filter protect-re-inet term telnet from destination-port telnet
set firewall family inet filter protect-re-inet term telnet then accept
set firewall family inet filter protect-re-inet term http from source-address 10.10.10.0/24
set firewall family inet filter protect-re-inet term http from protocol tcp
set firewall family inet filter protect-re-inet term http from destination-port http
set firewall family inet filter protect-re-inet term http then accept
set firewall family inet filter protect-re-inet term https from source-address 10.10.10.0/24
set firewall family inet filter protect-re-inet term https from protocol tcp
set firewall family inet filter protect-re-inet term https from destination-port https
set firewall family inet filter protect-re-inet term https then accept
set firewall family inet filter protect-re-inet term icmp from protocol icmp
set firewall family inet filter protect-re-inet term icmp then policer re-policier
set firewall family inet filter protect-re-inet term icmp then accept
set firewall family inet filter protect-re-inet term traceroute from protocol udp
set firewall family inet filter protect-re-inet term traceroute then policer re-policier
set firewall family inet filter protect-re-inet term traceroute then accept
set firewall family inet filter protect-re-inet term explicit_discard then count dropped
set firewall family inet filter protect-re-inet term explicit_discard then discard
set firewall policer re-policier if-exceeding bandwidth-limit 100k
set firewall policer re-policier if-exceeding burst-size-limit 25k
set firewall policer re-policier then discard
set routing-options static route 10.10.10.0/24 next-hop 10.10.1.254
set protocols lldp interface all

To keep things simple, there are two configs; you can use either one.

— Config: ONE

> show configuration | display set
set version 15.1X49-D80.4
set system host-name VR-device
set system time-zone Europe/Amsterdam
set system root-authentication encrypted-password "$5$nnsHW/bX$h7Gl7yfq.a1.3MxUYp005cZmkYgwjuMXpRhLrZoaAo0"
set system services ssh
set system services netconf ssh
set system services web-management http interface fxp0.0
set system syslog user * any emergency
set system syslog host 10.10.10.1 any warning
set system syslog host 10.10.10.1 log-prefix JNCIE-ENT
set system syslog file messages any info
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands info
set system syslog file authorization-file authorization info
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set system ntp boot-server 10.10.10.1
set system ntp authentication-key 1 type md5
set system ntp authentication-key 1 value "$9$9MWbpIc-dsgaU8XNb2aiH9ApBRS"
set system ntp server 10.10.10.1 key 1
set security forwarding-options family inet6 mode packet-based
set security forwarding-options family mpls mode packet-based
set interfaces ge-0/0/0 unit 0 family inet address 10.10.1.9/24
set interfaces ge-0/0/1 vlan-tagging
set interfaces ge-0/0/1 unit 41 description "D4 connection-1"
set interfaces ge-0/0/1 unit 41 vlan-id 41
set interfaces ge-0/0/1 unit 41 family inet address 172.30.3.3/24
set interfaces ge-0/0/1 unit 42 description "D4 connection-2"
set interfaces ge-0/0/1 unit 42 vlan-id 42
set interfaces ge-0/0/1 unit 42 family inet address 172.30.2.4/24
set interfaces ge-0/0/1 unit 51 description "D5 connection-1"
set interfaces ge-0/0/1 unit 51 vlan-id 51
set interfaces ge-0/0/1 unit 51 family inet address 172.30.1.4/24
set interfaces ge-0/0/1 unit 71 description "D7 connection-1"
set interfaces ge-0/0/1 unit 71 vlan-id 71
set interfaces ge-0/0/1 unit 71 family inet address 172.30.1.8/24
set interfaces ge-0/0/1 unit 72 description "D7 connection-2"
set interfaces ge-0/0/1 unit 72 vlan-id 72
set interfaces ge-0/0/1 unit 72 family inet address 172.30.1.7/24
set interfaces ge-0/0/2 vlan-tagging
set interfaces ge-0/0/2 unit 31 description "D3 connection-1"
set interfaces ge-0/0/2 unit 31 vlan-id 31
set interfaces ge-0/0/2 unit 31 family inet address 172.30.2.3/24
set interfaces ge-0/0/2 unit 32 description "D3 connection-2"
set interfaces ge-0/0/2 unit 32 vlan-id 32
set interfaces ge-0/0/2 unit 32 family inet address 172.30.1.6/24
set interfaces ge-0/0/2 unit 61 description "D6 connection-1"
set interfaces ge-0/0/2 unit 61 vlan-id 61
set interfaces ge-0/0/2 unit 61 family inet address 172.30.1.5/24
set interfaces ge-0/0/2 unit 81 description "D8 connection-1"
set interfaces ge-0/0/2 unit 81 vlan-id 81
set interfaces ge-0/0/2 unit 81 family inet address 172.30.3.4/24
set interfaces ge-0/0/2 unit 82 description "D8 connection-2"
set interfaces ge-0/0/2 unit 82 vlan-id 82
set interfaces ge-0/0/2 unit 82 family inet address 172.30.1.9/24
set interfaces ge-0/0/3 unit 0 description "D1 connection-1"
set interfaces ge-0/0/3 unit 0 family inet address 172.30.96.1/30
set interfaces ge-0/0/4 unit 0 description "D2 connection-1"
set interfaces ge-0/0/4 unit 0 family inet address 172.30.96.5/30
set interfaces fxp0 unit 0
set interfaces lo0 unit 11 family inet address 192.168.168.168/32
set routing-options static route 10.10.10.0/24 next-hop 10.10.1.254
set routing-options static route 10.10.10.0/24 no-readvertise
set protocols lldp interface all
set routing-instances H1 description "D5 host No.1. Temporary VM replacement"
set routing-instances H1 instance-type virtual-router
set routing-instances H1 interface ge-0/0/1.51
set routing-instances H1 routing-options static route 0.0.0.0/0 next-hop 172.30.1.254
set routing-instances H10 description "D8 host No.1. Temporary VM replacement"
set routing-instances H10 instance-type virtual-router
set routing-instances H10 interface ge-0/0/2.81
set routing-instances H10 routing-options static route 0.0.0.0/0 next-hop 172.30.3.254
set routing-instances H2 description "D6 host No.1. Temporary VM replacement"
set routing-instances H2 instance-type virtual-router
set routing-instances H2 interface ge-0/0/2.61
set routing-instances H2 routing-options static route 0.0.0.0/0 next-hop 172.30.1.254
set routing-instances H3 description "D3 host No.2. Temporary VM replacement"
set routing-instances H3 instance-type virtual-router
set routing-instances H3 interface ge-0/0/2.32
set routing-instances H3 routing-options static route 0.0.0.0/0 next-hop 172.30.1.254
set routing-instances H4 description "D3 host No.1. Temporary VM replacement"
set routing-instances H4 instance-type virtual-router
set routing-instances H4 interface ge-0/0/2.31
set routing-instances H4 routing-options static route 0.0.0.0/0 next-hop 172.30.2.254
set routing-instances H5 description "D4 host No.2. Temporary VM replacement"
set routing-instances H5 instance-type virtual-router
set routing-instances H5 interface ge-0/0/1.42
set routing-instances H5 routing-options static route 0.0.0.0/0 next-hop 172.30.2.254
set routing-instances H6 description "D4 host No.1. Temporary VM replacement"
set routing-instances H6 instance-type virtual-router
set routing-instances H6 interface ge-0/0/1.41
set routing-instances H6 routing-options static route 0.0.0.0/0 next-hop 172.30.3.254
set routing-instances H7 description "D7 host No.2. Temporary VM replacement"
set routing-instances H7 instance-type virtual-router
set routing-instances H7 interface ge-0/0/1.72
set routing-instances H7 routing-options static route 0.0.0.0/0 next-hop 172.30.1.254
set routing-instances H8 description "D7 host No.1. Temporary VM replacement"
set routing-instances H8 instance-type virtual-router
set routing-instances H8 interface ge-0/0/1.71
set routing-instances H8 routing-options static route 0.0.0.0/0 next-hop 172.30.1.254
set routing-instances H9 description "D8 host No.2. Temporary VM replacement"
set routing-instances H9 instance-type virtual-router
set routing-instances H9 interface ge-0/0/2.82
set routing-instances H9 routing-options static route 0.0.0.0/0 next-hop 172.30.1.254
set routing-instances R1 description "D1 neighbor No.1"
set routing-instances R1 instance-type virtual-router
set routing-instances R1 interface ge-0/0/3.0
set routing-instances R1 interface lo0.11
set routing-instances R1 routing-options static route 172.30.0.0/16 next-hop 172.30.96.2
set routing-instances R2 description "D2 neighbor No.1"
set routing-instances R2 instance-type virtual-router
set routing-instances R2 interface ge-0/0/4.0
set routing-instances R2 routing-options static route 172.30.0.0/16 next-hop 172.30.96.6

— Config: TWO

set version 15.1X49-D80.4
set system host-name VR-device
set system time-zone Europe/Amsterdam
set system root-authentication encrypted-password "$5$nnsHW/bX$h7Gl7yfq.a1.3MxUYp005cZmkYgwjuMXpRhLrZoaAo0"
set system services ssh
set system services netconf ssh
set system services web-management http interface fxp0.0
set system syslog user * any emergency
set system syslog host 10.10.10.1 any warning
set system syslog host 10.10.10.1 log-prefix JNCIE-ENT
set system syslog file messages any info
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands info
set system syslog file authorization-file authorization info
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set system ntp boot-server 10.10.10.1
set system ntp authentication-key 1 type md5
set system ntp authentication-key 1 value "$9$9MWbpIc-dsgaU8XNb2aiH9ApBRS"
set system ntp server 10.10.10.1 key 1
set security forwarding-options family inet6 mode packet-based
set security forwarding-options family mpls mode packet-based
set interfaces ge-0/0/0 unit 0 family inet address 10.10.1.9/24
set interfaces ge-0/0/1 vlan-tagging
set interfaces ge-0/0/1 unit 41 description "D4 connection-1"
set interfaces ge-0/0/1 unit 41 vlan-id 41
set interfaces ge-0/0/1 unit 41 family inet
set interfaces ge-0/0/1 unit 42 description "D4 connection-2"
set interfaces ge-0/0/1 unit 42 vlan-id 42
set interfaces ge-0/0/1 unit 42 family inet
set interfaces ge-0/0/1 unit 51 description "D5 connection-1"
set interfaces ge-0/0/1 unit 51 vlan-id 51
set interfaces ge-0/0/1 unit 51 family inet
set interfaces ge-0/0/1 unit 71 description "D7 connection-1"
set interfaces ge-0/0/1 unit 71 vlan-id 71
set interfaces ge-0/0/1 unit 71 family inet
set interfaces ge-0/0/1 unit 72 description "D7 connection-2"
set interfaces ge-0/0/1 unit 72 vlan-id 72
set interfaces ge-0/0/1 unit 72 family inet
set interfaces ge-0/0/1 unit 1000 vlan-id 1000
set interfaces ge-0/0/1 unit 1000 family inet address 172.30.1.4/24
set interfaces ge-0/0/1 unit 1000 family inet address 172.30.1.7/24
set interfaces ge-0/0/1 unit 1000 family inet address 172.30.1.8/24
set interfaces ge-0/0/1 unit 1000 family inet address 172.30.1.6/24
set interfaces ge-0/0/1 unit 1000 family inet address 172.30.1.5/24
set interfaces ge-0/0/1 unit 1000 family inet address 172.30.1.9/24
set interfaces ge-0/0/2 vlan-tagging
set interfaces ge-0/0/2 unit 31 description "D3 connection-1"
set interfaces ge-0/0/2 unit 31 vlan-id 31
set interfaces ge-0/0/2 unit 31 family inet
set interfaces ge-0/0/2 unit 32 description "D3 connection-2"
set interfaces ge-0/0/2 unit 32 vlan-id 32
set interfaces ge-0/0/2 unit 32 family inet
set interfaces ge-0/0/2 unit 61 description "D6 connection-1"
set interfaces ge-0/0/2 unit 61 vlan-id 61
set interfaces ge-0/0/2 unit 61 family inet
set interfaces ge-0/0/2 unit 81 description "D8 connection-1"
set interfaces ge-0/0/2 unit 81 vlan-id 81
set interfaces ge-0/0/2 unit 81 family inet
set interfaces ge-0/0/2 unit 82 description "D8 connection-2"
set interfaces ge-0/0/2 unit 82 vlan-id 82
set interfaces ge-0/0/2 unit 82 family inet
set interfaces ge-0/0/2 unit 2000 vlan-id 2000
set interfaces ge-0/0/2 unit 2000 family inet address 172.30.2.4/24
set interfaces ge-0/0/2 unit 2000 family inet address 172.30.2.3/24
set interfaces ge-0/0/2 unit 3000 vlan-id 3000
set interfaces ge-0/0/2 unit 3000 family inet address 172.30.3.3/24
set interfaces ge-0/0/2 unit 3000 family inet address 172.30.3.4/24
set interfaces ge-0/0/3 unit 0 description "D1 connection-1"
set interfaces ge-0/0/3 unit 0 family inet address 172.30.96.1/30
set interfaces ge-0/0/4 unit 0 description "D2 connection-1"
set interfaces ge-0/0/4 unit 0 family inet address 172.30.96.5/30
set interfaces fxp0 unit 0
set interfaces lo0 unit 11 family inet address 192.168.168.168/32
set routing-options static route 10.10.10.0/24 next-hop 10.10.1.254
set routing-options static route 10.10.10.0/24 no-readvertise
set protocols lldp interface all
set routing-instances H1 description "D5 host No.1. Temporary VM replacement"
set routing-instances H1 instance-type virtual-router
set routing-instances H1 interface ge-0/0/1.51
set routing-instances H1 interface ge-0/0/1.1000
set routing-instances H1 routing-options static route 0.0.0.0/0 next-hop 172.30.1.254
set routing-instances H10 description "D8 host No.1. Temporary VM replacement"
set routing-instances H10 instance-type virtual-router
set routing-instances H10 interface ge-0/0/2.81
set routing-instances H10 interface ge-0/0/2.3000
set routing-instances H10 routing-options static route 0.0.0.0/0 next-hop 172.30.3.254
set routing-instances H2 description "D6 host No.1. Temporary VM replacement"
set routing-instances H2 instance-type virtual-router
set routing-instances H2 interface ge-0/0/2.61
set routing-instances H2 routing-options static route 0.0.0.0/0 next-hop 172.30.1.254
set routing-instances H3 description "D3 host No.2. Temporary VM replacement"
set routing-instances H3 instance-type virtual-router
set routing-instances H3 interface ge-0/0/2.32
set routing-instances H3 routing-options static route 0.0.0.0/0 next-hop 172.30.1.254
set routing-instances H4 description "D3 host No.1. Temporary VM replacement"
set routing-instances H4 instance-type virtual-router
set routing-instances H4 interface ge-0/0/2.31
set routing-instances H4 routing-options static route 0.0.0.0/0 next-hop 172.30.2.254
set routing-instances H5 description "D4 host No.2. Temporary VM replacement"
set routing-instances H5 instance-type virtual-router
set routing-instances H5 interface ge-0/0/1.42
set routing-instances H5 interface ge-0/0/2.2000
set routing-instances H5 routing-options static route 0.0.0.0/0 next-hop 172.30.2.254
set routing-instances H6 description "D4 host No.1. Temporary VM replacement"
set routing-instances H6 instance-type virtual-router
set routing-instances H6 interface ge-0/0/1.41
set routing-instances H6 routing-options static route 0.0.0.0/0 next-hop 172.30.3.254
set routing-instances H7 description "D7 host No.2. Temporary VM replacement"
set routing-instances H7 instance-type virtual-router
set routing-instances H7 interface ge-0/0/1.72
set routing-instances H7 routing-options static route 0.0.0.0/0 next-hop 172.30.1.254
set routing-instances H8 description "D7 host No.1. Temporary VM replacement"
set routing-instances H8 instance-type virtual-router
set routing-instances H8 interface ge-0/0/1.71
set routing-instances H8 routing-options static route 0.0.0.0/0 next-hop 172.30.1.254
set routing-instances H9 description "D8 host No.2. Temporary VM replacement"
set routing-instances H9 instance-type virtual-router
set routing-instances H9 interface ge-0/0/2.82
set routing-instances H9 routing-options static route 0.0.0.0/0 next-hop 172.30.1.254
set routing-instances R1 description "D1 neighbor No.1"
set routing-instances R1 instance-type virtual-router
set routing-instances R1 interface ge-0/0/3.0
set routing-instances R1 interface lo0.11
set routing-instances R1 routing-options static route 172.30.0.0/16 next-hop 172.30.96.2
set routing-instances R2 description "D2 neighbor No.1"
set routing-instances R2 instance-type virtual-router
set routing-instances R2 interface ge-0/0/4.0
set routing-instances R2 routing-options static route 172.30.0.0/16 next-hop 172.30.96.6

A simple L2 switch with default config at this point (Cisco IOL L2).

Used for OOB access, other testing, scripts, etc.

> show configuration | display set
set version 15.1X49-D80.4
set system host-name AS-device
set system root-authentication encrypted-password "$5$R7sNILpo$wgQmoVHen/urLQzhzmb8WbmAQH3RUAqUtuP9sFX2Q61"
set system services ssh
set system services netconf ssh
set system services web-management http interface fxp0.0
set system syslog user * any emergency
set system syslog file messages any any
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands any
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set system ntp boot-server 10.10.10.1
set system ntp server 10.10.10.1
set security forwarding-options family inet6 mode packet-based
set security forwarding-options family mpls mode packet-based
set interfaces ge-0/0/0 unit 0 family inet address 10.10.1.10/24
set interfaces ge-0/0/1 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members 41-42
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members 51
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members 71-72
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members 1000
set interfaces ge-0/0/2 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members 31-32
set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members 61
set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members 81-82
set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members 2000
set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members 3000
set interfaces ge-0/0/3 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/3 unit 0 family ethernet-switching vlan members all
set interfaces ge-0/0/4 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/4 unit 0 family ethernet-switching vlan members all
set interfaces ge-0/0/5 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/5 unit 0 family ethernet-switching vlan members all
set interfaces fxp0 unit 0
set interfaces irb unit 1000 family inet
set routing-options static route 10.10.10.0/24 next-hop 10.10.1.254
set routing-options static route 10.10.10.0/24 no-readvertise
set protocols lldp interface all
set vlans Alpha-child-A vlan-id 1001
set vlans Alpha-child-B vlan-id 1002
set vlans Alphas vlan-id 1000
set vlans Beta vlan-id 2000
set vlans Gamma vlan-id 3000
set vlans qinq vlan-id 4000
set vlans v31 vlan-id 31
set vlans v32 vlan-id 32
set vlans v41 vlan-id 41
set vlans v42 vlan-id 42
set vlans v51 vlan-id 51
set vlans v61 vlan-id 61
set vlans v71 vlan-id 71
set vlans v72 vlan-id 72
set vlans v81 vlan-id 81
set vlans v82 vlan-id 82

DOWNLOAD CONFIG FILES & Scripts….

–SCRIPTS:

# python3 D1-load-configuration-from-file-using-pyez.py

cat D1-load-configuration-from-file-using-pyez.py

from jnpr.junos import Device
from jnpr.junos.utils.config import Config
from jnpr.junos.exception import ConnectError
from jnpr.junos.exception import LockError
from jnpr.junos.exception import UnlockError
from jnpr.junos.exception import ConfigLoadError
from jnpr.junos.exception import CommitError

# Target device, credentials and the set-format config file to merge in
host = '10.10.1.1'
user = 'root'
password = 'juniper123'
conf_file = 'configs/d2-base-config.set'


def main():
    # open a connection with the device and start a NETCONF session
    try:
        dev = Device(host=host, user=user, password=password)
        dev.open()
    except ConnectError as err:
        print("Cannot connect to device: {0}".format(err))
        return

    # attach the Config utility to the device as dev.cu
    dev.bind(cu=Config)

    # Lock the configuration, load configuration changes, and commit
    print("Locking the configuration")
    try:
        dev.cu.lock()
    except LockError as err:
        print("Unable to lock configuration: {0}".format(err))
        dev.close()
        return

    print("Loading configuration changes")
    try:
        dev.cu.load(path=conf_file, merge=True)
    except (ConfigLoadError, Exception) as err:
        print("Unable to load configuration changes: {0}".format(err))
        print("Unlocking the configuration")
        try:
            dev.cu.unlock()
        except UnlockError as err:
            print("Unable to unlock configuration: {0}".format(err))
        dev.close()
        return

    print("Committing the configuration")
    try:
        dev.cu.commit(comment='Loaded by example.')
    except CommitError as err:
        print("Unable to commit configuration: {0}".format(err))
        print("Unlocking the configuration")
        try:
            dev.cu.unlock()
        except UnlockError as err:
            print("Unable to unlock configuration: {0}".format(err))
        dev.close()
        return

    print("Unlocking the configuration")
    try:
        dev.cu.unlock()
    except UnlockError as err:
        print("Unable to unlock configuration: {0}".format(err))

    # End the NETCONF session and close the connection
    dev.close()


if __name__ == "__main__":
    main()

[email protected]:/python#

Configure an aggregated Ethernet bundle between xe-0/0/10-11 on DC5 & DC6.
Enable LACP continuity check on the AE.
~ [D5 LACP Active, D6 LACP Passive].

Suppose a LAG is configured on one side only and the other side has no LAG configured. The LAG on our side will still show as up, which can cause a communication breakdown if one of the other side's individual links stops working. LACP avoids this: when LACP is enabled on an aggregated link, the bundle only goes to the up state once both sides exchange LACP PDUs on the LAG.

As for the LACP mode, it can be active or passive, but for the LAG to be functional at least one side must be configured as active (when LACP is configured without a mode, the default is passive). An active member sends LACP PDUs to the passive member every second, and the passive member responds by sending PDUs back. If both members are in active mode, both actively transmit LACP PDUs and each side responds to the other.

LACP is defined in IEEE 802.3ad, Aggregation of Multiple Link Segments.

D5:

set chassis aggregated-devices ethernet device-count 1
set interfaces ae0 aggregated-ether-options lacp active
set interfaces ae0 unit 0 family ethernet-switching interface-mode trunk
set interfaces ae0 unit 0 family ethernet-switching vlan members Alphas
set interfaces ae0 unit 0 family ethernet-switching vlan members Beta
set interfaces ae0 unit 0 family ethernet-switching vlan members Gamma

set interfaces xe-0/0/10 ether-options 802.3ad ae0
set interfaces xe-0/0/11 ether-options 802.3ad ae0

– D6:

set chassis aggregated-devices ethernet device-count 1
set interfaces ae0 aggregated-ether-options lacp passive
set interfaces ae0 unit 0 family ethernet-switching interface-mode trunk
set interfaces ae0 unit 0 family ethernet-switching vlan members Alphas
set interfaces ae0 unit 0 family ethernet-switching vlan members Beta
set interfaces ae0 unit 0 family ethernet-switching vlan members Gamma

set interfaces xe-0/0/10 ether-options 802.3ad ae0
set interfaces xe-0/0/11 ether-options 802.3ad ae0

Enable LLDP protocol on all your devices L2 interfaces.
Enable LLDP-MED on all the L2 access interfaces.

-D1 and D2 lldp interfaces: ge-0/0/4 ge-0/0/1
-D3 and D4 interfaces:
     enable lldp all,
     disable for oob interface ge-0/0/0,
     enable lldp-med on access ports ge-0/0/3 and ge-0/0/4

-D5 and D6: enable lldp all, disable on oob em0, enable lldp-med on access port xe-0/0/6

-D7 and D8: enable lldp all, disable on oob em0, enable lldp-med on access ports xe-0/0/3, xe-0/0/4

–Configure as example below;

[email protected]# show |compare
[edit]
protocols {
    lldp {
        interface ge-0/0/1;
        interface ge-0/0/4;
    }
}

[email protected]# show |compare
[edit]
protocols {
    lldp {
        interface all;
        interface ge-0/0/0 {
            disable;
        }
    }
    lldp-med {
        interface ge-0/0/3;
        interface ge-0/0/4;
    }
}

[email protected]# show |compare
[edit protocols]
lldp {
    interface all;
    interface em0 {
        disable;
    }
}
lldp-med {
    interface xe-0/0/6;
}

[email protected]# show |compare
[edit protocols]
lldp {
    interface all;
    interface em0 {
        disable;
    }
}
lldp-med {
    interface xe-0/0/3;
    interface xe-0/0/4;
}

Enable BUM storm control on D5 through D8. Ensure that BUM traffic does not exceed 10 Mbps on the devices' L2 interfaces (bandwidth is given in kbps, so 10000 = 10 Mbps).
Example below;

[email protected]#

[edit ethernet-switching-options]
storm-control {
    interface all {
        bandwidth 10000;
    }
}

[email protected]> show interfaces terse |match ae0
xe-0/0/10.0 up up aenet -> ae0.0
xe-0/0/11.0 up up aenet -> ae0.0
ae0 up up
ae0.0 up up eth-switch

[email protected]> show lacp interfaces
Aggregated interface: ae0
LACP state: Role Exp Def Dist Col Syn Aggr Timeout Activity
xe-0/0/10 Actor No No Yes Yes Yes Yes Fast Active
xe-0/0/10 Partner No No Yes Yes Yes Yes Fast Passive
xe-0/0/11 Actor No No Yes Yes Yes Yes Fast Active
xe-0/0/11 Partner No No Yes Yes Yes Yes Fast Passive
LACP protocol: Receive State Transmit State Mux State
xe-0/0/10 Current Fast periodic Collecting distributing
xe-0/0/11 Current Fast periodic Collecting distributing
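To turn the LACP explanation above and the "show lacp interfaces" output into a repeatable check, here is an added Python example (not part of the original lab or of PyEZ). It parses the LACP state table and flags the failure modes the text describes: both ends passive (no PDUs ever initiated), partner state defaulted (no PDUs received), or a member that is not in sync/collecting/distributing. The sample output is constructed to mirror the D5 (active) / D6 (passive) result shown above.

```python
import re

# Constructed sample modelled on the "show lacp interfaces" output above.
SAMPLE_LACP = """\
Aggregated interface: ae0
    LACP state:       Role   Exp   Def  Dist  Col  Syn  Aggr  Timeout  Activity
      xe-0/0/10       Actor    No    No   Yes  Yes  Yes   Yes     Fast   Active
      xe-0/0/10     Partner    No    No   Yes  Yes  Yes   Yes     Fast  Passive
      xe-0/0/11       Actor    No    No   Yes  Yes  Yes   Yes     Fast   Active
      xe-0/0/11     Partner    No    No   Yes  Yes  Yes   Yes     Fast  Passive
    LACP protocol:    Receive State  Transmit State          Mux State
      xe-0/0/10                  Current   Fast periodic Collecting distributing
      xe-0/0/11                  Current   Fast periodic Collecting distributing
"""

# One row of the "LACP state" table: link, role, then the flag columns.
STATE_RE = re.compile(
    r"^\s*(?P<link>\S+)\s+(?P<role>Actor|Partner)\s+(?P<exp>Yes|No)\s+(?P<def>Yes|No)\s+"
    r"(?P<dist>Yes|No)\s+(?P<col>Yes|No)\s+(?P<syn>Yes|No)\s+(?P<aggr>Yes|No)\s+"
    r"(?P<timeout>Fast|Slow)\s+(?P<activity>Active|Passive)\s*$"
)


def parse_lacp_state(text):
    """Return {link: {"Actor": flags, "Partner": flags}} from 'show lacp interfaces' output."""
    links = {}
    for line in text.splitlines():
        m = STATE_RE.match(line)
        if not m:
            continue  # header, protocol table and blank lines are skipped
        flags = m.groupdict()
        link = flags.pop("link")
        role = flags.pop("role")
        links.setdefault(link, {})[role] = flags
    return links


def check_lag(links):
    """Return a list of problems; an empty list means every member is forwarding."""
    problems = []
    for link, roles in sorted(links.items()):
        actor, partner = roles.get("Actor"), roles.get("Partner")
        if actor is None or partner is None:
            problems.append(f"{link}: missing Actor or Partner row")
            continue
        if actor["activity"] == "Passive" and partner["activity"] == "Passive":
            problems.append(f"{link}: both ends passive, no LACPDUs will be initiated")
        if partner["def"] == "Yes":
            problems.append(f"{link}: partner state defaulted, no LACPDUs received from peer")
        for role, st in (("Actor", actor), ("Partner", partner)):
            if not (st["syn"] == "Yes" and st["col"] == "Yes" and st["dist"] == "Yes"):
                problems.append(f"{link}: {role} not in sync/collecting/distributing")
    return problems
```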

LLDP:

[email protected]> show lldp neighbors
Local Interface Parent Interface Chassis Id Port info System Name
xe-0/0/10 ae0 02:05:86:71:b6:00 xe-0/0/10 D5-Jupiter
xe-0/0/11 ae0 02:05:86:71:b6:00 xe-0/0/11 D5-Jupiter
xe-0/0/5 – 02:05:86:71:e7:00 xe-0/0/5 D8-Neptune
xe-0/0/2 – 4c:96:14:01:cb:40 ge-0/0/1 D4-Mars
xe-0/0/1 – 4c:96:14:7f:bb:40 ge-0/0/1 D1-Mercury
xe-0/0/3 – 4c:96:14:89:a5:40 ge-0/0/2 D3-Earth
xe-0/0/4 – 4c:96:14:e7:cd:40 ge-0/0/4 D2-Venus

Configure D7 and D8 to merge into a virtual chassis. Ensure that both backplane VCP ports are used to connect the VC members. Ensure that D7 becomes the master RE with member ID 0 and retains mastership whenever it is operational.

[email protected]# set virtual-chassis member 0 mastership-priority 255
[email protected]# set virtual-chassis member 1 mastership-priority 254
[email protected]# set virtual-chassis no-split-detection

Neptune> request virtual-chassis vc-port set interface vcp-0
Neptune> request virtual-chassis vc-port set interface vcp-1
Neptune> request system reboot

–While D8 is being rebooted, add following to D7.

Uranus> request virtual-chassis vc-port set interface vcp-0
Uranus> request virtual-chassis vc-port set interface vcp-1

Uranus> show virtual-chassis

—vqfx:

[email protected]> show virtual-chassis mode
fpc0:
————————————————————————–
Current mode : Virtual Chassis with similar devices
Future mode after reboot : Virtual Chassis with similar devices

show virtual-chassis status

show virtual-chassis vc-port

show virtual-chassis device-topology

Configure the synchronization commit.

[email protected]# set system commit synchronize

Restore the VC non-master member interfaces configuration appropriately.

Uranus>
set interfaces xe-0/0/3 unit 0 family ethernet-switching interface-mode access
set interfaces xe-0/0/3 unit 0 family ethernet-switching vlan members 1000

set interfaces xe-0/0/4 unit 0 family ethernet-switching interface-mode access
set interfaces xe-0/0/4 unit 0 family ethernet-switching vlan members 1000

set interfaces xe-0/0/5 unit 0 family ethernet-switching interface-mode trunk
set interfaces xe-0/0/5 unit 0 family ethernet-switching vlan members 1000
set interfaces xe-0/0/5 unit 0 family ethernet-switching vlan members 2000
set interfaces xe-0/0/5 unit 0 family ethernet-switching vlan members 3000

–On the VC master, so the member 1 (xe-1/x/x) ports as well:

set interfaces xe-1/0/3 unit 0 family ethernet-switching interface-mode access
set interfaces xe-1/0/3 unit 0 family ethernet-switching vlan members 1000

set interfaces xe-1/0/4 unit 0 family ethernet-switching interface-mode access
set interfaces xe-1/0/4 unit 0 family ethernet-switching vlan members 1000

set interfaces xe-1/0/5 unit 0 family ethernet-switching interface-mode trunk
set interfaces xe-1/0/5 unit 0 family ethernet-switching vlan members 1000
set interfaces xe-1/0/5 unit 0 family ethernet-switching vlan members 2000
set interfaces xe-1/0/5 unit 0 family ethernet-switching vlan members 3000

–On both D7 and D8:
set protocols lldp-med interface xe-0/0/3
set protocols lldp-med interface xe-0/0/4

Configure the vme.0 VC management interface with the IP address set to the master RE OoB management interface IP address.

D7-Uranus# rename me0 to vme

Task:

Make sure that MVRP is used for VLAN registration on the D7_D8 uplinks to D5 and D6, and on the ae0.0 link between D5 and D6.
Make sure that MVRP is not used for dynamic VLAN creation on all three devices.

D5-Jupiter>
D6-Saturn>

example:
[email protected]# show |compare
[edit protocols]
+ mvrp {
+ no-dynamic-vlan;
+ interface xe-0/0/5;
+ interface ae0;
+ }

Task:

Configure D3, D4 devices to enable Voice VLAN (666). Make sure that tagged Ethernet frames received on VLAN 2000 and 3000 access ports go to the Voice VLAN.

Example;
[edit vlans]
+ Voice {
+ vlan-id 666;
+ }

[edit ethernet-switching-options]
+ voip {
+     interface access-ports {
+         vlan Voice;
+     }
+ }
