AJSEC Lab1 Layer2 security
- Jean-luc KRIKER
set protocols l2-learning global-mode transparent-bridge
set protocols l2-learning global-mode switching
show protocol l2-learning

show ethernet-switching global-information
Global Configuration:

MAC aging interval       : 0
MAC learning             : Enabled
MAC statistics           : Disabled
MAC limit Count          : 0
MAC limit hit            : Disabled
MAC packet action drop   : Disabled
MAC+IP aging interval    : IPv4 - 0 seconds
                           IPv6 - 0 seconds
MAC+IP limit Count       : 0
MAC+IP limit reached     : No
LE aging time            : 1200
LE VLAN aging time       : 1200
Global Mode              : Not set        <<<<<<<<<<<<<<<<<<<
RE state                 : Master
security group and global policy

lab@vSRX-1> show configuration interfaces ge-0/0/4 | display set
set interfaces ge-0/0/4 unit 0 family ethernet-switching
lab@vSRX-1> show configuration interfaces ge-0/0/5 | display set
set interfaces ge-0/0/5 unit 0 family ethernet-switching
lab@vSRX-1> show configuration security | display set
set security address-book global address Juniper-SV 172.20.101.0/24
set security address-book global address ACME-SV 172.20.201.0/24
set security address-book global address vSRX-2 172.18.2.0/30
set security address-book global address Internet-host 172.31.15.1/32
set security address-book global address isp-int 172.18.1.1/32
set security policies global policy L2 match source-address any
set security policies global policy L2 match destination-address any
set security policies global policy L2 match application any
set security policies global policy L2 match from-zone L2
set security policies global policy L2 match to-zone L2
set security policies global policy L2 then permit
set security zones security-zone Juniper-SV host-inbound-traffic system-services ping
set security zones security-zone ACME-SV
set security zones security-zone L2 host-inbound-traffic system-services ssh
set security zones security-zone L2 host-inbound-traffic system-services ping
set security zones security-zone L2 interfaces ge-0/0/4.0
set security zones security-zone L2 interfaces ge-0/0/5.0
lab@vSRX-1> show configuration vlans | display set
set vlans vlanL2 vlan-id 20
set vlans vlanL2 interface ge-0/0/4.0
set vlans vlanL2 interface ge-0/0/5.0
VR Juniper-SV & ACME-SV

lab@vSRX-VR> show configuration interfaces ge-0/0/2 | display set
set interfaces ge-0/0/2 unit 0 family inet address 172.20.101.10/24
set interfaces ge-0/0/2 unit 0 family inet6 address 2001:db8::10/64
lab@vSRX-VR> show configuration interfaces ge-0/0/3 | display set
set interfaces ge-0/0/3 unit 0 family inet address 172.20.101.100/24 primary
set interfaces ge-0/0/3 unit 0 family inet address 172.20.101.100/24 preferred
lab@vSRX-VR> show configuration routing-instances Juniper-SV | display set
set routing-instances Juniper-SV instance-type virtual-router
set routing-instances Juniper-SV interface ge-0/0/2.0
set routing-instances Juniper-SV interface lo0.5
set routing-instances Juniper-SV routing-options rib Juniper-SV.inet6.0 static route 0::/0 next-hop 2001:db8::1
set routing-instances Juniper-SV routing-options static route 0.0.0.0/0 next-hop 172.20.101.1
set routing-instances Juniper-SV protocols ospf area 0.0.0.0 interface ge-0/0/2.0
set routing-instances Juniper-SV protocols ospf area 0.0.0.0 interface lo0.5 passive
lab@vSRX-VR> show configuration routing-instances ACME-SV | display set
set routing-instances ACME-SV instance-type virtual-router
set routing-instances ACME-SV interface ge-0/0/3.0
set routing-instances ACME-SV routing-options static route 0.0.0.0/0 next-hop 172.20.101.1
Part 3

lab@vSRX-1> show configuration interfaces ge-0/0/4 | display set
set interfaces ge-0/0/4 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/4 unit 0 family ethernet-switching vlan members vlanL2
lab@vSRX-1> show configuration interfaces ge-0/0/5 | display set
set interfaces ge-0/0/5 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/5 unit 0 family ethernet-switching vlan members vlanL2
lab@vSRX-1> show configuration vlans | display set
set vlans vlanL2 vlan-id 101
set vlans vlanL2 l3-interface irb.0
lab@vSRX-1> show configuration security | display set
set security address-book global address Juniper-SV 172.20.101.0/24
set security address-book global address ACME-SV 172.20.201.0/24
set security address-book global address vSRX-2 172.18.2.0/30
set security address-book global address Internet-host 172.31.15.1/32
set security address-book global address isp-int 172.18.1.1/32
set security policies global policy L2 match source-address any
set security policies global policy L2 match destination-address any
set security policies global policy L2 match application any
set security policies global policy L2 match from-zone L2
set security policies global policy L2 match to-zone L2
set security policies global policy L2 then permit
set security zones security-zone Juniper-SV host-inbound-traffic system-services ping
set security zones security-zone ACME-SV
set security zones security-zone L2 host-inbound-traffic system-services ssh
set security zones security-zone L2 host-inbound-traffic system-services ping
set security zones security-zone L2 interfaces ge-0/0/4.0
set security zones security-zone L2 interfaces ge-0/0/5.0
Part 4

lab@vSRX-1> show configuration interfaces | display set
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members SW
set interfaces ge-0/0/3 unit 0 family ethernet-switching vlan members SW
lab@vSRX-1> show configuration vlans | display set
set vlans SW vlan-id 50
lab@vSRX-1> show configuration security zones | display set
set security zones security-zone SW interfaces ge-0/0/1.0
set security zones security-zone SW interfaces ge-0/0/3.0
lab@vSRX-1> show configuration security policies global | display set
set security policies global policy SW-permit match source-address any
set security policies global policy SW-permit match destination-address any
set security policies global policy SW-permit match application junos-ssh
set security policies global policy SW-permit match from-zone SW
set security policies global policy SW-permit match to-zone SW
set security policies global policy SW-permit then permit
set security policies global policy SW-deny match source-address any
set security policies global policy SW-deny match destination-address any
set security policies global policy SW-deny match application junos-telnet
set security policies global policy SW-deny match from-zone SW
set security policies global policy SW-deny match to-zone SW
set security policies global policy SW-deny then deny
set security policies global policy SW-deny then log session-init
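As an added illustration (not part of the original lab notes or of any Juniper tool), a small Python checker that parses the Part 4 global-policy lines above and walks them in config order, first match wins, with the SRX implicit default deny at the end: it confirms that SSH between the two SW-zone ports is permitted, that Telnet hits SW-deny and is logged, and that any other application (or any other zone pair) falls to the default deny. The source-address and destination-address terms are parsed but not evaluated, since both policies use any.

```python
import re
from collections import OrderedDict
# Constructed from the Part 4 "display set" output of vSRX-1 above.
PART4_POLICY_LINES = """
set security policies global policy SW-permit match source-address any
set security policies global policy SW-permit match destination-address any
set security policies global policy SW-permit match application junos-ssh
set security policies global policy SW-permit match from-zone SW
set security policies global policy SW-permit match to-zone SW
set security policies global policy SW-permit then permit
set security policies global policy SW-deny match source-address any
set security policies global policy SW-deny match destination-address any
set security policies global policy SW-deny match application junos-telnet
set security policies global policy SW-deny match from-zone SW
set security policies global policy SW-deny match to-zone SW
set security policies global policy SW-deny then deny
set security policies global policy SW-deny then log session-init
"""
LINE_RE = re.compile(
    r"^set security policies global policy (\S+) (match|then) (\S+)(?: (.+))?$")

def parse_global_policies(text):
    """name -> {"match": {key: [values]}, "then": {key: value}}, in config order."""
    policies = OrderedDict()  # order matters: Junos evaluates top-down, first match wins
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a global-policy statement
        name, section, key, value = m.groups()
        pol = policies.setdefault(name, {"match": {}, "then": {}})
        if section == "match":
            pol["match"].setdefault(key, []).append(value)
        else:
            pol["then"][key] = value if value is not None else True
    return policies

def _matches(allowed, value):
    # An absent match term or the literal "any" matches everything.
    return allowed is None or "any" in allowed or value in allowed

def lookup(policies, from_zone, to_zone, application):
    """First matching policy as (name, action, logged); (None, "deny", False) is the implicit default deny."""
    for name, pol in policies.items():
        m = pol["match"]
        if (_matches(m.get("from-zone"), from_zone)
                and _matches(m.get("to-zone"), to_zone)
                and _matches(m.get("application"), application)):
            action = "permit" if "permit" in pol["then"] else "deny"
            return name, action, "log" in pol["then"]
    return None, "deny", False
```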
VR Internet

lab@vSRX-VR> show configuration interfaces ge-0/0/1 | display set
set interfaces ge-0/0/1 description "srx1 WAN connection"
set interfaces ge-0/0/1 unit 0 family inet address 172.18.1.1/30
set interfaces ge-0/0/1 unit 0 family inet6 address 2001:db1::100/64
lab@vSRX-VR> show configuration routing-instances Internet
instance-type virtual-router;
interface lt-0/0/0.0;
interface lt-0/0/0.2;
interface lt-0/0/0.4;
interface lt-0/0/0.12;
interface lt-0/0/0.16;
interface ge-0/0/1.0;
interface ge-0/0/5.0;
interface ge-0/0/8.0;
interface lo0.1;
routing-options {
    static {
        route 172.20.101.0/24 next-hop 172.18.1.2;
        route 172.20.202.0/24 next-hop 172.18.2.2;
        route 192.168.1.0/30 next-hop 172.18.1.2;
        route 192.168.2.0/30 next-hop 172.18.2.2;
        route 0.0.0.0/0 next-hop 172.18.1.2;
        route 172.20.201.0/24 next-hop 172.18.1.2;
        route 172.20.102.0/24 next-hop 172.18.2.2;
        route 192.168.50.1/32 next-hop 172.18.1.2;
        route 172.16.10.0/24 next-hop 172.18.1.2;
        route 172.16.40.0/24 next-hop 10.14.14.2;
        route 172.16.20.0/24 next-hop 172.18.1.2;
        route 172.16.30.0/24 next-hop 172.18.2.2;
        route 203.0.113.0/24 next-hop 172.18.1.2;
        route 192.168.33.0/24 next-hop 172.18.1.2;
    }
}