[j-nsp] Sample configuration of Juniper M7i
George Yalamov
georgi.yalamov at btc-net.bg
Mon Jun 12 09:15:41 EDT 2006
ganesh nagpure wrote:
>Hi all,
>
>
>Does anyone have a sample configuration for a Juniper M7i
>router? I need a configuration for protecting the Ethernet
>and fxp IP addresses from telnet and ftp.
>
>
>Thanks & Regards
>Ganesh
>
Hi, I hope this helps.
show policy-options
/* Management sources allowed to reach SSH on the RE; only these prefixes match term Permit-NOC-SSH in filter Permit-To-RE. */
prefix-list SSH-Permit-Addresses {
x.x.x.x/16;
}
/* Pollers allowed to reach SNMP on the RE (term Permit-NOC-SNMP). */
prefix-list SNMP-Permit-Addresses {
x.x.x.x/16;
}
/* NTP sources accepted by term Permit-NTP-Server; 127.0.0.1/32 is also configured on lo0 below (presumably for the router's own loopback-sourced NTP traffic — confirm). */
prefix-list NTP-Servers {
127.0.0.1/32;
x.x.x.x/16;
}
/* TACACS+ servers accepted by term Permit-TACACS-Servers. */
prefix-list TACACS-Servers {
x.x.x.x/16;
}
/* NOTE(review): defined here but not referenced by any term in the Permit-To-RE excerpt; DNS replies to the RE are only reached by the final Permit-All term. */
prefix-list DNS-Servers {
x.x.x.x/16;
}
/* apply-path derives the list from the configured LDP sessions, so the accept term tracks protocol configuration instead of a hand-maintained address list. */
prefix-list LDP-Neighbor {
apply-path "protocols ldp session <*>";
}
/* Same idea for l2circuit neighbors. */
prefix-list LDP-Neighbor-L2-Circ {
apply-path "protocols l2circuit neighbor <*>";
}
/* BGP neighbors configured inside routing instances. */
prefix-list BGP-Neighbor-Routing-Instance {
apply-path "routing-instances <*> protocols bgp group <*> neighbor <*>";
}
/* BGP neighbors in the main instance. */
prefix-list BGP-Neighbor {
apply-path "protocols bgp group <*> neighbor <*>";
}
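show firewall
family inet {
    /* Applied as an input filter on lo0 (see "show interfaces lo0"), so it governs packets destined to the
       Routing Engine. Terms are evaluated top to bottom and the first match wins. The icmp-10m and
       tcp-control-1m policers are referenced below but their definitions are not part of this excerpt. */
    filter Permit-To-RE {
        /* Rate-limit all ICMP to the RE rather than dropping it. */
        term icmp-policer {
            from {
                protocol icmp;
            }
            then policer icmp-10m;
        }
        /* Rate-limit TCP connection setup/teardown segments (SYN without ACK, FIN, RST) from any source,
           including the BGP/LDP peers accepted further down. */
        term tcp-control-protection {
            from {
                source-address {
                    0.0.0.0/0;
                }
                protocol tcp;
                tcp-flags "(syn & !ack) | fin | rst";
            }
            then policer tcp-control-1m;
        }
        /* Each service below is a permit/deny pair: accept from the prefix-list, then discard (counted,
           logged and syslogged) from everyone else. Logging every discarded packet can be noisy under a
           flood; consider whether syslog on the deny terms is needed in production. */
        term Permit-NOC-SSH {
            from {
                source-prefix-list {
                    SSH-Permit-Addresses;
                }
                protocol tcp;
                destination-port ssh;
            }
            then accept;
        }
        term Deny-SSH {
            from {
                protocol tcp;
                destination-port ssh;
            }
            then {
                count Deny-SSH-Packets;
                log;
                syslog;
                discard;
            }
        }
        term Permit-NOC-SNMP {
            from {
                source-prefix-list {
                    SNMP-Permit-Addresses;
                }
                protocol udp;
                destination-port snmp;
            }
            then accept;
        }
        term Deny-SNMP {
            from {
                protocol udp;
                destination-port snmp;
            }
            then {
                count Deny-SNMP-Packets;
                log;
                syslog;
                discard;
            }
        }
        /* "port" matches source or destination port, so NTP replies from the listed servers are accepted
           regardless of which side carries port 123. */
        term Permit-NTP-Server {
            from {
                source-prefix-list {
                    NTP-Servers;
                }
                protocol [ udp tcp ];
                port ntp;
            }
            then accept;
        }
        term Deny-NTP {
            from {
                protocol [ udp tcp ];
                port ntp;
            }
            then {
                count Deny-NTP-Packets;
                log;
                syslog;
                discard;
            }
        }
        term Permit-TACACS-Servers {
            from {
                source-prefix-list {
                    TACACS-Servers;
                }
                protocol tcp;
                port tacacs;
            }
            then accept;
        }
        term Deny-TACACS {
            from {
                protocol tcp;
                port tacacs;
            }
            then {
                count Deny-TACACS-Packets;
                log;
                syslog;
                discard;
            }
        }
        /* BGP is accepted only from neighbors that exist in the configuration (apply-path prefix-lists). */
        term Permited-BGP-Neighbor {
            from {
                source-prefix-list {
                    BGP-Neighbor;
                    BGP-Neighbor-Routing-Instance;
                }
                protocol tcp;
                destination-port bgp;
            }
            then accept;
        }
        term Deny-BGP-Neighbor {
            from {
                protocol tcp;
                destination-port bgp;
            }
            then {
                count Deny-BGP-Packet;
                log;
                syslog;
                discard;
            }
        }
        term Permited-LDP-Neighbor {
            from {
                source-prefix-list {
                    LDP-Neighbor;
                    LDP-Neighbor-L2-Circ;
                }
                protocol tcp;
                destination-port ldp;
            }
            then accept;
        }
        term Deny-LDP {
            from {
                protocol tcp;
                destination-port ldp;
            }
            then {
                count Deny-LDP-Packets;
                log;
                syslog;
                discard;
            }
        }
        /* Telnet and FTP to the RE are discarded from every source — the protection the original question
           asked for. Without these two terms both services fall through to Permit-All below and are accepted. */
        term Deny-Telnet {
            from {
                protocol tcp;
                destination-port telnet;
            }
            then {
                count Deny-Telnet-Packets;
                log;
                syslog;
                discard;
            }
        }
        term Deny-FTP {
            from {
                protocol tcp;
                destination-port [ ftp ftp-data ];
            }
            then {
                count Deny-FTP-Packets;
                log;
                syslog;
                discard;
            }
        }
        /* Catch-all: anything not matched above still reaches the RE, so this filter only blocks the services
           explicitly denied here. A default-deny filter would instead need an accept term for every other
           RE-bound protocol in use on the router. */
        term Permit-All {
            then {
                count All-Permitted-Packets-to-RE;
                accept;
            }
        }
    }
}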
show interfaces lo0
unit 0 {
family inet {
/* Permit-To-RE is applied as an input filter on lo0 so it governs traffic destined to the Routing Engine.
   NOTE(review): whether packets arriving on the fxp0 management port are also subject to the lo0 filter is
   platform/release dependent — confirm, and apply a filter directly to fxp0 if they are not. */
filter {
input Permit-To-RE;
}
/* y.y.y.y/32 is the router's primary loopback address; 127.0.0.1/32 is also configured here and is listed in prefix-list NTP-Servers. */
address y.y.y.y/32 {
primary;
}
address 127.0.0.1/32;
}
/* ISO NET address on the loopback (presumably for IS-IS — confirm). */
family iso {
address 49.0000.1111.2222.3333.00;
}
}
Regards,
George