[j-nsp] Sample configuration of Juniper M7i
Saku Ytti
saku+juniper-nsp at ytti.fi
Mon Jun 12 10:23:23 EDT 2006
On (2006-06-12 16:15 +0300), George Yalamov wrote:
Jumping between address families (AFIs) inside one prefix-list doesn't make JNPR very happy.
apply-path "protocols bgp group <*> neighbor <*.*>";
apply-path "protocols bgp group <*> neighbor <*:*>";
is probably a slightly better way to go.
> /* LDP peers allowed to open a TCP session to the RE (used by term Permited-LDP-Neighbor). */
> /* apply-path expands configured values only: a peer that is not listed under "protocols ldp session" */
> /* is not in this list, even if it is adjacent on the wire. */
> prefix-list LDP-Neighbor {
> apply-path "protocols ldp session <*>";
> }
> /* Targeted LDP peers taken from the configured l2circuit neighbor addresses; configuration-derived only, */
> /* like LDP-Neighbor above. */
> prefix-list LDP-Neighbor-L2-Circ {
> apply-path "protocols l2circuit neighbor <*>";
> }
> /* BGP peers configured inside any routing-instance. The <*> wildcard on "neighbor" picks up both IPv4 and */
> /* IPv6 neighbor addresses; since this list feeds a family inet filter, narrowing the wildcard to <*.*> */
> /* (and keeping a separate <*:*> list for inet6) keeps the address families apart. */
> prefix-list BGP-Neighbor-Routing-Instance {
> apply-path "routing-instances <*> protocols bgp group <*> neighbor <*>";
> }
> /* BGP peers configured in the main instance. Same address-family caveat as BGP-Neighbor-Routing-Instance: */
> /* <*> matches IPv6 neighbor addresses too; <*.*> restricts the expansion to IPv4 entries. */
> prefix-list BGP-Neighbor {
> apply-path "protocols bgp group <*> neighbor <*>";
> }
>
>
>
> show firewall
>
> /* Routing-engine protection filter, applied as the inbound filter on lo0.0 (see the interface stanza */
> /* below). Terms are evaluated top to bottom and the first term that takes a terminating action wins. */
> /* It is a family inet filter: iso (IS-IS) and any inet6 traffic to the RE is not covered by it. */
> family inet {
> filter Permit-To-RE {
> /* Policer only, no terminating action. Junos treats a term without a terminating action as accept */
> /* (confirm on this release), so every ICMP packet that stays within icmp-10m is accepted here; what */
> /* happens to out-of-profile packets depends on the policer definition, which is not shown. */
> term icmp-policer {
> from {
> protocol icmp;
> }
> then policer icmp-10m;
> }
> /* Rate-limits TCP connection-control segments (SYN without ACK, FIN, RST) from any source. */
> /* Caveat: as in icmp-policer there is no "next term", so a control segment within tcp-control-1m is */
> /* accepted by this term and never reaches the Permit-/Deny- terms below. The Deny-SSH/-BGP/-LDP counters */
> /* therefore only see the non-SYN segments of an unwanted connection; a SYN from a non-listed source has */
> /* already been accepted here. "then { policer tcp-control-1m; next term; }" keeps the rate limit while */
> /* leaving the decision to the later terms. */
> /* Caveat 2: the policer is shared by every source, so a SYN/RST flood from anywhere also throttles */
> /* legitimate session setup from the listed BGP/LDP neighbors. */
> /* "source-address 0.0.0.0/0" matches everything and adds nothing to the match. */
> term tcp-control-protection {
> from {
> source-address {
> 0.0.0.0/0;
> }
> protocol tcp;
> tcp-flags "(syn & !ack) | fin | rst";
> }
> then policer tcp-control-1m;
> }
> /* SSH only from the NOC list. SSH-Permit-Addresses is defined elsewhere (not shown). */
> term Permit-NOC-SSH {
> from {
> source-prefix-list {
> SSH-Permit-Addresses;
> }
> protocol tcp;
> destination-port ssh;
> }
> then accept;
> }
> /* Everything else to ssh is counted, logged (show firewall log), sent to syslog and dropped. */
> /* "log" and "syslog" fire per dropped packet and this term has no policer, so a flood aimed at ssh */
> /* becomes RE logging load; the same applies to the Deny-SNMP/-NTP/-TACACS/-BGP/-LDP terms below. */
> term Deny-SSH {
> from {
> protocol tcp;
> destination-port ssh;
> }
> then {
> count Deny-SSH-Packets;
> log;
> syslog;
> discard;
> }
> }
> /* SNMP (UDP 161) only from the NOC list. SNMP-Permit-Addresses is not shown. */
> term Permit-NOC-SNMP {
> from {
> source-prefix-list {
> SNMP-Permit-Addresses;
> }
> protocol udp;
> destination-port snmp;
> }
> then accept;
> }
> term Deny-SNMP {
> from {
> protocol udp;
> destination-port snmp;
> }
> then {
> count Deny-SNMP-Packets;
> log;
> syslog;
> discard;
> }
> }
> /* NTP from the configured servers (NTP-Servers is not shown). "port" matches source OR destination */
> /* port, so a reply with source port 123 matches too. NTP itself is UDP only (RFC 5905); the tcp entry */
> /* in "protocol [ udp tcp ]" widens the match without a known use and could be dropped. */
> term Permit-NTP-Server {
> from {
> source-prefix-list {
> NTP-Servers;
> }
> protocol [ udp tcp ];
> port ntp;
> }
> then accept;
> }
> term Deny-NTP {
> from {
> protocol [ udp tcp ];
> port ntp;
> }
> then {
> count Deny-NTP-Packets;
> log;
> syslog;
> discard;
> }
> }
> /* TACACS+ (TCP 49). "port tacacs" is needed here because server replies carry source port 49; note */
> /* that it also accepts any TCP packet from a TACACS-Servers host whose source port is 49, whatever */
> /* the destination port. TACACS-Servers is not shown. */
> term Permit-TACACS-Servers {
> from {
> source-prefix-list {
> TACACS-Servers;
> }
> protocol tcp;
> port tacacs;
> }
> then accept;
> }
> term Deny-TACACS {
> from {
> protocol tcp;
> port tacacs;
> }
> then {
> count Deny-TACACS-Packets;
> log;
> syslog;
> discard;
> }
> }
> /* BGP sessions where the peer connects to this router (destination port 179). Segments of sessions */
> /* this router initiated arrive with source port 179 and an ephemeral destination port; neither this */
> /* term nor Deny-BGP-Neighbor matches them, so today they fall through to Permit-All. If Permit-All is */
> /* ever changed to a deny, a "source-port bgp" (or "port bgp") match for the same prefix lists is needed. */
> term Permited-BGP-Neighbor {
> from {
> source-prefix-list {
> BGP-Neighbor;
> BGP-Neighbor-Routing-Instance;
> }
> protocol tcp;
> destination-port bgp;
> }
> then accept;
> }
> /* Counter name is "Deny-BGP-Packet" (singular) while every other deny counter ends in "-Packets". */
> term Deny-BGP-Neighbor {
> from {
> protocol tcp;
> destination-port bgp;
> }
> then {
> count Deny-BGP-Packet;
> log;
> syslog;
> discard;
> }
> }
> /* LDP session TCP (port 646) from configured peers; same initiator caveat as the BGP term. LDP hellos */
> /* are UDP 646 and are not matched by either LDP term, so they currently rely on Permit-All. */
> term Permited-LDP-Neighbor {
> from {
> source-prefix-list {
> LDP-Neighbor;
> LDP-Neighbor-L2-Circ;
> }
> protocol tcp;
> destination-port ldp;
> }
> then accept;
> }
> term Deny-LDP {
> from {
> protocol tcp;
> destination-port ldp;
> }
> then {
> count Deny-LDP-Packets;
> log;
> syslog;
> discard;
> }
> }
> /* Final term: anything not matched above is counted and ACCEPTED. The filter therefore only restricts */
> /* the six services named above; every other protocol (telnet, other TCP/UDP services, OSPF, RSVP, BFD, */
> /* DNS replies, etc.) reaches the RE unfiltered. The usual RE-protection posture is a default-deny last */
> /* term (count, log, discard), but that first needs an explicit accept for every routing and management */
> /* protocol in use, or adjacencies and management access are lost. Adding "log" here temporarily shows */
> /* what still depends on this term before changing it. */
> term Permit-All {
> then {
> count All-Permitted-Packets-to-RE;
> accept;
> }
> }
> }
> }
>
>
> show interfaces lo0
> /* Loopback unit. On Junos an input filter on lo0 is applied to all traffic destined to the routing */
> /* engine, whichever physical interface it arrived on, which is why Permit-To-RE is bound here. */
> unit 0 {
> family inet {
> filter {
> /* Input direction only; nothing is filtered on the way out of the RE. */
> input Permit-To-RE;
> }
> address y.y.y.y/32 {
> primary;
> }
> address 127.0.0.1/32;
> }
> /* No filter on family iso (IS-IS NET, presumably), and no family inet6 is configured here; */
> /* Permit-To-RE only covers inet, so any other family reaching the RE is unfiltered. */
> family iso {
> address 49.0000.1111.2222.3333.00;
> }
> }
>
>
> Regards,
> George
>
--
++ytti