srx320 config 2024-09-23 — full `show configuration | display set` dump of host srx3200 (Junos 21.4R1.12). Caveat before reusing or sharing: the dump contains the root-authentication password hash and the IKE pre-shared key (the `$9$` form is Junos reversible obfuscation, not encryption), so both should be treated as disclosed and rotated; it also enables `ssh root-login allow`, plain-HTTP web-management, IKEv1 main mode with DH group5/SHA-1, and `host-inbound-traffic system-services all` on the untrust interface ge-0/0/6.0, all of which warrant review before this configuration is deployed anywhere reachable from an untrusted network.
- Jean-luc KRIKER
Sept 23, 2024
config
root@srx3200> show configuration | display set | no-more set version 21.4R1.12 set system host-name srx3200 set system root-authentication encrypted-password "$6$J9oOI9gG$9ZqQAis6G5.sZeibdQSQ5UoYhY/LPQCn0iAFVN2c5bBNJ5JBUL.8sSHOYDv0xvyNtUA67y0jmmXWssXrwZEu/0" set system commit synchronize set system scripts language python3 set system scripts synchronize set system services ssh root-login allow set system services ssh protocol-version v2 set system services netconf ssh set system services web-management http set system services web-management https system-generated-certificate set system time-zone Europe/London set system authentication-order password set system name-server 8.8.8.8 set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval set chassis fpc 0 pic 0 tunnel-services set services application-identification set security log mode event set security pki set security ike proposal IKE-PROP authentication-method pre-shared-keys set security ike proposal IKE-PROP dh-group group5 set security ike proposal IKE-PROP authentication-algorithm sha1 set security ike proposal IKE-PROP encryption-algorithm aes-128-cbc set security ike proposal IKE-PROP lifetime-seconds 3600 set security ike policy IKE-POL mode main set security ike policy IKE-POL proposals IKE-PROP set security ike policy IKE-POL pre-shared-key ascii-text "$9$U3iqf36A1RSTzRSreXxDik" set security ike gateway IKE-GW1 ike-policy IKE-POL set security ike gateway IKE-GW1 address 192.168.227.2 set security ike gateway IKE-GW1 external-interface ge-0/0/3 set security ike gateway IKE-GW2 ike-policy IKE-POL set security ike gateway IKE-GW2 address 192.168.137.2 set security ike gateway IKE-GW2 external-interface ge-0/0/4 set security ipsec proposal IPSEC-PROP protocol esp set security ipsec proposal IPSEC-PROP authentication-algorithm hmac-sha1-96 set security ipsec proposal IPSEC-PROP encryption-algorithm aes-128-cbc set security ipsec proposal IPSEC-PROP lifetime-seconds 3600 set security 
ipsec policy IPSEC-POL perfect-forward-secrecy keys group5 set security ipsec policy IPSEC-POL proposals IPSEC-PROP set security ipsec vpn IPSEC-VPN1 bind-interface st0.1 set security ipsec vpn IPSEC-VPN1 vpn-monitor set security ipsec vpn IPSEC-VPN1 ike gateway IKE-GW1 set security ipsec vpn IPSEC-VPN1 ike ipsec-policy IPSEC-POL set security ipsec vpn IPSEC-VPN1 establish-tunnels immediately set security ipsec vpn IPSEC-VPN2 bind-interface st0.2 set security ipsec vpn IPSEC-VPN2 vpn-monitor set security ipsec vpn IPSEC-VPN2 ike gateway IKE-GW2 set security ipsec vpn IPSEC-VPN2 ike ipsec-policy IPSEC-POL set security ipsec vpn IPSEC-VPN2 establish-tunnels immediately set security address-book global address Network-1 10.10.137.0/24 set security address-book global address Network-2 10.10.227.0/24 set security policies from-zone trust1 to-zone VPN1 policy Trust1-to-VPN1 match source-address Network-1 set security policies from-zone trust1 to-zone VPN1 policy Trust1-to-VPN1 match destination-address Network-2 set security policies from-zone trust1 to-zone VPN1 policy Trust1-to-VPN1 match application any set security policies from-zone trust1 to-zone VPN1 policy Trust1-to-VPN1 then permit set security policies from-zone VPN1 to-zone trust1 policy VPN1-to-Trust1 match source-address Network-2 set security policies from-zone VPN1 to-zone trust1 policy VPN1-to-Trust1 match destination-address Network-1 set security policies from-zone VPN1 to-zone trust1 policy VPN1-to-Trust1 match application any set security policies from-zone VPN1 to-zone trust1 policy VPN1-to-Trust1 then permit set security policies from-zone trust2 to-zone VPN2 policy Trust2-to-VPN2 match source-address Network-2 set security policies from-zone trust2 to-zone VPN2 policy Trust2-to-VPN2 match destination-address Network-1 set security policies from-zone trust2 to-zone VPN2 policy Trust2-to-VPN2 match application any set security policies from-zone trust2 to-zone VPN2 policy Trust2-to-VPN2 then permit 
set security policies from-zone VPN2 to-zone trust2 policy VPN2-to-Trust2 match source-address Network-1 set security policies from-zone VPN2 to-zone trust2 policy VPN2-to-Trust2 match destination-address Network-2 set security policies from-zone VPN2 to-zone trust2 policy VPN2-to-Trust2 match application any set security policies from-zone VPN2 to-zone trust2 policy VPN2-to-Trust2 then permit set security policies from-zone vr-11 to-zone vr-11 policy permitALL match source-address any set security policies from-zone vr-11 to-zone vr-11 policy permitALL match destination-address any set security policies from-zone vr-11 to-zone vr-11 policy permitALL match application any set security policies from-zone vr-11 to-zone vr-11 policy permitALL then permit set security policies from-zone vr-12 to-zone vr-12 policy permitALL match source-address any set security policies from-zone vr-12 to-zone vr-12 policy permitALL match destination-address any set security policies from-zone vr-12 to-zone vr-12 policy permitALL match application any set security policies from-zone vr-12 to-zone vr-12 policy permitALL then permit set security policies from-zone vr-11-clone to-zone vr-11-clone policy permitALL match source-address any set security policies from-zone vr-11-clone to-zone vr-11-clone policy permitALL match destination-address any set security policies from-zone vr-11-clone to-zone vr-11-clone policy permitALL match application any set security policies from-zone vr-11-clone to-zone vr-11-clone policy permitALL then permit set security policies from-zone vr-12-clone to-zone vr-12-clone policy permitALL match source-address any set security policies from-zone vr-12-clone to-zone vr-12-clone policy permitALL match destination-address any set security policies from-zone vr-12-clone to-zone vr-12-clone policy permitALL match application any set security policies from-zone vr-12-clone to-zone vr-12-clone policy permitALL then permit set security policies default-policy deny-all 
set security zones security-zone untrust interfaces ge-0/0/6.0 host-inbound-traffic system-services dhcp set security zones security-zone untrust interfaces ge-0/0/6.0 host-inbound-traffic system-services all set security zones security-zone trusted interfaces ge-0/0/5.0 host-inbound-traffic system-services any-service set security zones security-zone trusted interfaces ge-0/0/4.0 host-inbound-traffic system-services any-service deactivate security zones security-zone trusted interfaces ge-0/0/4.0 set security zones security-zone vr-11 host-inbound-traffic system-services any-service set security zones security-zone vr-11 interfaces ge-0/0/3.11 set security zones security-zone vr-11 interfaces lo0.11 set security zones security-zone vr-MPLS interfaces ge-0/0/1.0 host-inbound-traffic system-services any-service set security zones security-zone vr-MPLS interfaces ge-0/0/2.0 host-inbound-traffic system-services any-service set security zones security-zone vr-12 host-inbound-traffic system-services any-service set security zones security-zone vr-12 interfaces ge-0/0/4.12 set security zones security-zone VPN1 interfaces st0.1 set security zones security-zone VPN2 interfaces st0.2 set security zones security-zone trust1 host-inbound-traffic system-services any-service set security zones security-zone trust1 interfaces lo0.1 set security zones security-zone trust2 host-inbound-traffic system-services any-service set security zones security-zone trust2 interfaces lo0.2 set security zones security-zone vr-21 host-inbound-traffic system-services any-service set security zones security-zone vr-21 host-inbound-traffic protocols all set security zones security-zone vr-21 interfaces ge-0/0/3.21 set security zones security-zone vr-21 interfaces lo0.21 set security zones security-zone vr-22 host-inbound-traffic system-services any-service set security zones security-zone vr-22 interfaces ge-0/0/4.22 set security zones security-zone vr-11-clone host-inbound-traffic system-services 
any-service set security zones security-zone vr-11-clone interfaces ge-0/0/3.119 set security zones security-zone vr-11-clone interfaces lo0.119 set security zones security-zone vr-12-clone host-inbound-traffic system-services any-service set security zones security-zone vr-12-clone interfaces ge-0/0/4.129 set security zones security-zone vr-13 host-inbound-traffic system-services any-service set security zones security-zone vr-13 interfaces ge-0/0/3.13 set security zones security-zone vr-13b host-inbound-traffic system-services any-service set security zones security-zone vr-13b interfaces ge-0/0/4.13 set interfaces ge-0/0/0 disable set interfaces lt-0/0/0 unit 91 encapsulation ethernet set interfaces lt-0/0/0 unit 91 peer-unit 2 set interfaces lt-0/0/0 unit 91 family inet address 10.10.90.1/30 set interfaces lt-0/0/0 unit 92 encapsulation ethernet set interfaces lt-0/0/0 unit 92 peer-unit 1 set interfaces lt-0/0/0 unit 92 family inet address 10.10.90.2/30 set interfaces ge-0/0/1 unit 0 family inet address 192.168.191.1/30 set interfaces ge-0/0/2 unit 0 family inet address 192.168.192.1/30 set interfaces ge-0/0/3 description "to Lanner1 port7 192.168.137-network" set interfaces ge-0/0/3 flexible-vlan-tagging set interfaces ge-0/0/3 unit 0 vlan-id 1111 set interfaces ge-0/0/3 unit 0 family inet address 192.168.137.2/24 set interfaces ge-0/0/3 unit 11 vlan-id 11 set interfaces ge-0/0/3 unit 11 family inet address 10.100.11.2/24 set interfaces ge-0/0/3 unit 11 family inet address 10.100.11.3/24 set interfaces ge-0/0/3 unit 13 vlan-id 0 set interfaces ge-0/0/3 unit 13 family inet address 10.100.13.2/24 set interfaces ge-0/0/3 unit 21 vlan-id 21 set interfaces ge-0/0/3 unit 21 family inet address 10.200.21.2/24 set interfaces ge-0/0/3 unit 119 vlan-id 119 set interfaces ge-0/0/3 unit 119 family inet address 10.100.11.2/24 set interfaces ge-0/0/4 description "to Lanner2 port7 192.168.227-network" set interfaces ge-0/0/4 flexible-vlan-tagging set interfaces ge-0/0/4 unit 
0 vlan-id 11 deactivate interfaces ge-0/0/4 unit 0 family inet dhcp set interfaces ge-0/0/4 unit 0 family inet address 192.168.227.2/24 set interfaces ge-0/0/4 unit 12 vlan-id 12 set interfaces ge-0/0/4 unit 12 family inet address 10.100.12.2/24 set interfaces ge-0/0/4 unit 12 family inet address 10.100.12.3/24 set interfaces ge-0/0/4 unit 13 vlan-id 0 set interfaces ge-0/0/4 unit 13 family inet address 10.100.13.1/24 set interfaces ge-0/0/4 unit 22 vlan-id 22 set interfaces ge-0/0/4 unit 22 family inet address 10.200.22.2/24 set interfaces ge-0/0/4 unit 129 vlan-id 129 set interfaces ge-0/0/4 unit 129 family inet address 10.100.12.2/24 set interfaces ge-0/0/5 description "EoSVR to madrid port5" set interfaces ge-0/0/5 unit 0 family inet address 192.168.10.1/24 set interfaces ge-0/0/6 description "to mgmt network UPlink" deactivate interfaces ge-0/0/6 unit 0 family inet dhcp set interfaces ge-0/0/6 unit 0 family inet address 192.168.0.2/24 set interfaces ge-0/0/7 disable set interfaces lo0 unit 1 family inet address 10.10.137.10/32 set interfaces lo0 unit 2 family inet address 10.10.227.20/32 set interfaces lo0 unit 11 family inet address 10.100.110.11/32 set interfaces lo0 unit 12 family inet address 10.100.110.12/32 set interfaces lo0 unit 21 family inet address 10.200.210.21/32 set interfaces lo0 unit 91 family inet address 192.168.91.1/32 set interfaces lo0 unit 92 family inet address 192.168.92.1/32 set interfaces lo0 unit 119 family inet address 10.100.110.11/32 set interfaces st0 unit 1 family inet set interfaces st0 unit 2 family inet set policy-options policy-statement advertise-lo0 term 10 from route-filter 10.100.110.11/32 exact set policy-options policy-statement advertise-lo0 term 10 then accept set policy-options policy-statement advertise-lo0-12 term 10 from route-filter 10.100.110.12/32 exact set policy-options policy-statement advertise-lo0-12 term 10 then accept set routing-instances VPN1 interface lo0.1 set routing-instances VPN1 instance-type 
virtual-router set routing-instances VPN1 routing-options static route 0.0.0.0/0 next-hop st0.1 set routing-instances VPN2 interface lo0.2 set routing-instances VPN2 instance-type virtual-router set routing-instances VPN2 routing-options static route 0.0.0.0/0 next-hop st0.2 set routing-instances vr-11 protocols bgp group eBGP export advertise-lo0 set routing-instances vr-11 protocols bgp group eBGP peer-as 65110 set routing-instances vr-11 protocols bgp group eBGP neighbor 10.100.11.1 set routing-instances vr-11 protocols bgp local-as 65111 set routing-instances vr-11 interface ge-0/0/3.11 set routing-instances vr-11 interface lo0.11 set routing-instances vr-11 instance-type virtual-router set routing-instances vr-11 routing-options router-id 10.100.110.1 set routing-instances vr-11 routing-options autonomous-system 65111 set routing-instances vr-11 routing-options static route 0.0.0.0/0 next-hop 10.100.11.1 set routing-instances vr-11-clone protocols bgp group eBGP export advertise-lo0 set routing-instances vr-11-clone protocols bgp group eBGP peer-as 65110 set routing-instances vr-11-clone protocols bgp group eBGP neighbor 10.100.11.1 set routing-instances vr-11-clone protocols bgp local-as 65111 set routing-instances vr-11-clone interface ge-0/0/3.119 set routing-instances vr-11-clone interface lo0.119 set routing-instances vr-11-clone instance-type virtual-router set routing-instances vr-11-clone routing-options router-id 10.100.110.1 set routing-instances vr-11-clone routing-options autonomous-system 65111 set routing-instances vr-11-clone routing-options static route 0.0.0.0/0 next-hop 10.100.11.1 set routing-instances vr-11-clonebside interface ge-0/0/4.129 set routing-instances vr-11-clonebside instance-type virtual-router set routing-instances vr-11-clonebside routing-options static route 0.0.0.0/0 next-hop 10.100.12.1 set routing-instances vr-11bside interface ge-0/0/4.12 set routing-instances vr-11bside instance-type virtual-router set routing-instances 
vr-11bside routing-options static route 0.0.0.0/0 next-hop 10.100.12.1 set routing-instances vr-21 protocols ospf area 0.0.0.0 interface ge-0/0/3.21 interface-type p2p set routing-instances vr-21 protocols ospf area 0.0.0.0 interface lo0.21 set routing-instances vr-21 interface ge-0/0/3.21 set routing-instances vr-21 interface lo0.21 set routing-instances vr-21 instance-type virtual-router set routing-instances vr-21 routing-options static route 0.0.0.0/0 next-hop 10.200.21.1 set routing-instances vr-22 interface ge-0/0/4.22 set routing-instances vr-22 instance-type virtual-router set routing-instances vr-22 routing-options static route 0.0.0.0/0 next-hop 10.200.22.1 set routing-instances vr-EoSVR-DC1 interface ge-0/0/4.13 set routing-instances vr-EoSVR-DC1 instance-type virtual-router set routing-instances vr-EoSVR-branch interface ge-0/0/3.13 set routing-instances vr-EoSVR-branch instance-type virtual-router set routing-instances vr-MPLS interface ge-0/0/1.0 set routing-instances vr-MPLS interface ge-0/0/2.0 set routing-instances vr-MPLS instance-type virtual-router set routing-instances vr91 interface lt-0/0/0.91 set routing-instances vr91 interface lo0.91 set routing-instances vr91 instance-type virtual-router set routing-instances vr92 interface lt-0/0/0.92 set routing-instances vr92 interface lo0.92 set routing-instances vr92 instance-type virtual-router set protocols lldp interface all set routing-options static route 0.0.0.0/0 next-hop 192.168.0.1 set routing-options static route 10.1.4.0/24 next-hop 192.168.127.1 set routing-options static route 10.10.12.0/24 next-hop 192.168.127.1 set routing-options static route 10.0.0.0/8 next-hop 192.168.127.1 set routing-options static route 192.168.128.0/24 next-hop 192.168.227.1 set routing-options static route 192.168.126.0/24 next-hop 192.168.227.1 set routing-options static route 192.168.124.0/24 next-hop 192.168.227.1 set routing-options static route 192.168.125.0/24 next-hop 192.168.227.1 set routing-options 
static route 192.168.228.0/24 next-hop 192.168.227.1 set routing-options static route 192.168.226.0/24 next-hop 192.168.227.1 set routing-options static route 10.10.137.0/24 next-hop st0.1 set routing-options static route 10.10.227.0/24 next-hop st0.2