AJSEC Lab1 Layer2 security

set protocols l2-learning global-mode transparent-bridge

set protocols l2-learning global-mode switching

show protocol l2-learning
show ethernet-switching global-information
Global Configuration:

MAC aging interval    : 0
MAC learning          : Enabled
MAC statistics        : Disabled
MAC limit Count       : 0
MAC limit hit         : Disabled
MAC packet action drop: Disabled
MAC+IP aging interval : IPv4 - 0 seconds
                        IPv6 - 0 seconds
MAC+IP limit Count    : 0
MAC+IP limit reached  : No
LE  aging time        : 1200
LE  VLAN aging time   : 1200
Global Mode           : Not set  <<<<<<<<<<<<<<<<<<<
RE state              : Master

security group and global policy
lab@vSRX-1> show configuration interfaces ge-0/0/4 | display set 
set interfaces ge-0/0/4 unit 0 family ethernet-switching

lab@vSRX-1> show configuration interfaces ge-0/0/5 | display set    
set interfaces ge-0/0/5 unit 0 family ethernet-switching

lab@vSRX-1> show configuration security | display set 
set security address-book global address Juniper-SV 172.20.101.0/24
set security address-book global address ACME-SV 172.20.201.0/24
set security address-book global address vSRX-2 172.18.2.0/30
set security address-book global address Internet-host 172.31.15.1/32
set security address-book global address isp-int 172.18.1.1/32

set security policies global policy L2 match source-address any
set security policies global policy L2 match destination-address any
set security policies global policy L2 match application any
set security policies global policy L2 match from-zone L2
set security policies global policy L2 match to-zone L2
set security policies global policy L2 then permit

set security zones security-zone Juniper-SV host-inbound-traffic system-services ping
set security zones security-zone ACME-SV
set security zones security-zone L2 host-inbound-traffic system-services ssh
set security zones security-zone L2 host-inbound-traffic system-services ping
set security zones security-zone L2 interfaces ge-0/0/4.0
set security zones security-zone L2 interfaces ge-0/0/5.0

lab@vSRX-1> show configuration vlans | display set 
set vlans vlanL2 vlan-id 20
set vlans vlanL2 interface ge-0/0/4.0
set vlans vlanL2 interface ge-0/0/5.0


VR Juniper-SV & ACME-SV
lab@vSRX-VR> show configuration interfaces ge-0/0/2 | display set 
set interfaces ge-0/0/2 unit 0 family inet address 172.20.101.10/24
set interfaces ge-0/0/2 unit 0 family inet6 address 2001:db8::10/64

lab@vSRX-VR> show configuration interfaces ge-0/0/3 | display set    
set interfaces ge-0/0/3 unit 0 family inet address 172.20.101.100/24 primary
set interfaces ge-0/0/3 unit 0 family inet address 172.20.101.100/24 preferred

lab@vSRX-VR> show configuration routing-instances Juniper-SV | display set 
set routing-instances Juniper-SV instance-type virtual-router
set routing-instances Juniper-SV interface ge-0/0/2.0
set routing-instances Juniper-SV interface lo0.5
set routing-instances Juniper-SV routing-options rib Juniper-SV.inet6.0 static route 0::/0 next-hop 2001:db8::1
set routing-instances Juniper-SV routing-options static route 0.0.0.0/0 next-hop 172.20.101.1
set routing-instances Juniper-SV protocols ospf area 0.0.0.0 interface ge-0/0/2.0
set routing-instances Juniper-SV protocols ospf area 0.0.0.0 interface lo0.5 passive

lab@vSRX-VR> show configuration routing-instances ACME-SV | display set           
set routing-instances ACME-SV instance-type virtual-router
set routing-instances ACME-SV interface ge-0/0/3.0
set routing-instances ACME-SV routing-options static route 0.0.0.0/0 next-hop 172.20.101.1

Part 3
lab@vSRX-1> show configuration interfaces ge-0/0/4 | display set            
set interfaces ge-0/0/4 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/4 unit 0 family ethernet-switching vlan members vlanL2

lab@vSRX-1> show configuration interfaces ge-0/0/5 | display set    
set interfaces ge-0/0/5 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/5 unit 0 family ethernet-switching vlan members vlanL2

lab@vSRX-1> show configuration vlans | display set                          
set vlans vlanL2 vlan-id 101
set vlans vlanL2 l3-interface irb.0

lab@vSRX-1> show configuration security | display set 
set security address-book global address Juniper-SV 172.20.101.0/24
set security address-book global address ACME-SV 172.20.201.0/24
set security address-book global address vSRX-2 172.18.2.0/30
set security address-book global address Internet-host 172.31.15.1/32
set security address-book global address isp-int 172.18.1.1/32

set security policies global policy L2 match source-address any
set security policies global policy L2 match destination-address any
set security policies global policy L2 match application any
set security policies global policy L2 match from-zone L2
set security policies global policy L2 match to-zone L2
set security policies global policy L2 then permit

set security zones security-zone Juniper-SV host-inbound-traffic system-services ping
set security zones security-zone ACME-SV
set security zones security-zone L2 host-inbound-traffic system-services ssh
set security zones security-zone L2 host-inbound-traffic system-services ping
set security zones security-zone L2 interfaces ge-0/0/4.0
set security zones security-zone L2 interfaces ge-0/0/5.0

Part 4
lab@vSRX-1> show configuration interfaces | display set 
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members SW
set interfaces ge-0/0/3 unit 0 family ethernet-switching vlan members SW

lab@vSRX-1> show configuration vlans | display set 
set vlans SW vlan-id 50

lab@vSRX-1> show configuration security zones | display set 
set security zones security-zone SW interfaces ge-0/0/1.0
set security zones security-zone SW interfaces ge-0/0/3.0


lab@vSRX-1> show configuration security policies global | display set 
set security policies global policy SW-permit match source-address any
set security policies global policy SW-permit match destination-address any
set security policies global policy SW-permit match application junos-ssh
set security policies global policy SW-permit match from-zone SW
set security policies global policy SW-permit match to-zone SW
set security policies global policy SW-permit then permit

set security policies global policy SW-deny match source-address any
set security policies global policy SW-deny match destination-address any
set security policies global policy SW-deny match application junos-telnet
set security policies global policy SW-deny match from-zone SW
set security policies global policy SW-deny match to-zone SW
set security policies global policy SW-deny then deny
set security policies global policy SW-deny then log session-init
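Added example (not part of the lab notes or of Junos itself): a small Python evaluator for the `set security policies global policy ...` lines above. It parses the display-set form, keeps the policies in configuration order and applies first-match semantics with the implicit final deny, so the Part 4 intent (SSH permitted, Telnet denied and logged at session-init, everything else dropped silently) can be checked offline before a commit. The zone, policy and application names are the ones on the page; the sample config is a copy of the Part 4 policies. Only global policies are modelled; zone-pair policies, which Junos evaluates before global ones, do not appear on this page.

```python
"""Offline first-match evaluator for SRX global security policies in set form.
Added example for the lab notes; it assumes only global policies exist,
as in Part 4 of the lab (zone-pair policies are not modelled)."""
import re
from dataclasses import dataclass, field
from typing import Optional, Set, List, Tuple

# Constructed sample input: a copy of the Part 4 global policies from the lab.
SAMPLE_CONFIG = """
set security policies global policy SW-permit match source-address any
set security policies global policy SW-permit match destination-address any
set security policies global policy SW-permit match application junos-ssh
set security policies global policy SW-permit match from-zone SW
set security policies global policy SW-permit match to-zone SW
set security policies global policy SW-permit then permit
set security policies global policy SW-deny match source-address any
set security policies global policy SW-deny match destination-address any
set security policies global policy SW-deny match application junos-telnet
set security policies global policy SW-deny match from-zone SW
set security policies global policy SW-deny match to-zone SW
set security policies global policy SW-deny then deny
set security policies global policy SW-deny then log session-init
"""


@dataclass
class GlobalPolicy:
    name: str
    source: Set[str] = field(default_factory=set)
    destination: Set[str] = field(default_factory=set)
    application: Set[str] = field(default_factory=set)
    from_zone: Set[str] = field(default_factory=set)
    to_zone: Set[str] = field(default_factory=set)
    action: Optional[str] = None   # permit / deny / reject
    log_init: bool = False         # "then log session-init" present


MATCH_RE = re.compile(
    r"^set security policies global policy (\S+) match "
    r"(source-address|destination-address|application|from-zone|to-zone) (\S+)$")
THEN_RE = re.compile(r"^set security policies global policy (\S+) then (.+)$")


def parse_global_policies(text: str) -> List[GlobalPolicy]:
    """Return the policies in the order they first appear; Junos evaluates
    global policies top-down, so order is part of the security meaning."""
    policies = {}  # dict keeps insertion order
    for raw in text.splitlines():
        line = raw.strip()
        m = MATCH_RE.match(line)
        if m:
            name, key, value = m.groups()
            pol = policies.setdefault(name, GlobalPolicy(name))
            attr = key.replace("-address", "").replace("-", "_")
            getattr(pol, attr).add(value)
            continue
        m = THEN_RE.match(line)
        if m:
            name, then = m.groups()
            pol = policies.setdefault(name, GlobalPolicy(name))
            if then in ("permit", "deny", "reject"):
                pol.action = then
            elif then.startswith("log"):
                pol.log_init = "session-init" in then
    return list(policies.values())


def _matches(configured: Set[str], candidate: Optional[str]) -> bool:
    # "any" matches everything; otherwise the candidate name must be listed.
    return "any" in configured or (candidate is not None and candidate in configured)


def evaluate(policies: List[GlobalPolicy], from_zone: str, to_zone: str,
             application: str, src: Optional[str] = None,
             dst: Optional[str] = None) -> Tuple[str, str, bool]:
    """First matching policy wins. No match falls through to the implicit
    default deny, which neither logs nor appears in the configuration."""
    for pol in policies:
        if (_matches(pol.from_zone, from_zone) and _matches(pol.to_zone, to_zone)
                and _matches(pol.application, application)
                and _matches(pol.source, src) and _matches(pol.destination, dst)):
            return pol.name, pol.action or "deny", pol.log_init
    return "default-policy", "deny", False


if __name__ == "__main__":
    pols = parse_global_policies(SAMPLE_CONFIG)
    for app in ("junos-ssh", "junos-telnet", "junos-http"):
        print(app, "->", evaluate(pols, "SW", "SW", app))
```

The third lookup is the one worth noticing: HTTP inside zone SW is denied, but by the default policy, so it produces no log entry; only the explicit SW-deny policy logs the Telnet attempts.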

VR Internet
lab@vSRX-VR> show configuration interfaces ge-0/0/1 | display set 
set interfaces ge-0/0/1 description "srx1 WAN connection"
set interfaces ge-0/0/1 unit 0 family inet address 172.18.1.1/30
set interfaces ge-0/0/1 unit 0 family inet6 address 2001:db1::100/64


lab@vSRX-VR> show configuration routing-instances Internet   
instance-type virtual-router;
interface lt-0/0/0.0;
interface lt-0/0/0.2;
interface lt-0/0/0.4;
interface lt-0/0/0.12;
interface lt-0/0/0.16;
interface ge-0/0/1.0;
interface ge-0/0/5.0;
interface ge-0/0/8.0;
interface lo0.1;
routing-options {
    static {
        route 172.20.101.0/24 next-hop 172.18.1.2;
        route 172.20.202.0/24 next-hop 172.18.2.2;
        route 192.168.1.0/30 next-hop 172.18.1.2;
        route 192.168.2.0/30 next-hop 172.18.2.2;
        route 0.0.0.0/0 next-hop 172.18.1.2;
        route 172.20.201.0/24 next-hop 172.18.1.2;
        route 172.20.102.0/24 next-hop 172.18.2.2;
        route 192.168.50.1/32 next-hop 172.18.1.2;
        route 172.16.10.0/24 next-hop 172.18.1.2;
        route 172.16.40.0/24 next-hop 10.14.14.2;
        route 172.16.20.0/24 next-hop 172.18.1.2;
        route 172.16.30.0/24 next-hop 172.18.2.2;
        route 203.0.113.0/24 next-hop 172.18.1.2;
        route 192.168.33.0/24 next-hop 172.18.1.2;
    }
}