
Nokia Academy

IP Backbone Network Planning with


Juniper
Learning Element 6 General Network
Design Recommendations

CN10566EN03GLA1

Nokia Solutions and Networks 2015


Objectives
After completing this learning element, the participant should be able to:
- Identify the basic steps for configuring a router.
- Deploy best practices for router configuration.
- Apply configuration of network services.
- Describe basic security issues in deploying a router configuration.


General steps to configure a router

- Set the router hostname
- Configure the loopback interface for router identification
- Configure AAA with TACACS+ or RADIUS
- Set login banners
- Configure the NTP, Syslog and DNS servers
- Configure SNMP
- Configure interfaces
- Configure routing protocols
- Secure the routing protocols


Router Access

Remote access protocol
- Secure: SSH, SFTP
- Clear text: Telnet, FTP

Local accounts
- Root password
- Access levels: Admin, Operator, Read-only

User/password authentication
- Credentials are validated either by the router itself (local accounts) or by an external authentication server (RADIUS, TACACS+)

Only the secure access protocols (SSH, SFTP) should be employed; Telnet and FTP carry user names, passwords and the whole session in clear text and should not be enabled at all.
An external authentication server is always recommended: accounts are managed centrally, every login and command can be attributed to a person, and revoking an administrator is a single change on the server.
Local accounts should still exist for last-resort access when the authentication servers are unreachable, but keep them few, give them strong passwords, and restrict where they can be used from (console, out-of-band management network).


Router access
Device name
set groups re0 system host-name <device_name-re0>
set groups re1 system host-name <device_name-re1>
set apply-groups [re0 re1]
The re0/re1 groups let each Routing Engine carry its own host name while the rest of the configuration stays shared between the two REs.

Root authentication
set system root-authentication encrypted-password <PASSWORD>
set system services ssh root-login deny
encrypted-password takes the password hash, not the clear-text password. Denying root over SSH leaves root usable only from the console; day-to-day administration goes through named accounts so that every action can be attributed to a person.

User authentication
set system authentication-order [<radius|tacplus> password]
set system login user <name> class super-user
set system login user <name> full-name <Local Admin User>
set system login user <name> authentication encrypted-password <PASSWD>
With password listed after the AAA method the router falls back to the local password database; without it, local accounts are consulted only when no server answers. Keep the number of local super-user accounts minimal: they are the last-resort access path, not the normal one.


Out of Band (OoB) management interface

fxp0 is the dedicated management Ethernet port of each Routing Engine. Each RE gets its own address, and one additional address is marked master-only so that it always belongs to whichever RE is currently master; management systems should target that address. The addresses are configured through the re0/re1 groups:

fxp0 interface
[edit groups re0 interfaces fxp0]
unit 0 {
family inet {
address 10.17.40.131/25 {
master-only;
}
address 10.17.40.132/25;
}
}
[edit groups re1 interfaces fxp0]
unit 0 {
family inet {
address 10.17.40.131/25 {
master-only;
}
address 10.17.40.133/25;
}
}


Remote access
Enable SSH and SFTP (SFTP runs as a subsystem of the SSH service, so no separate service needs to be enabled)
set system services ssh
set system services ssh connection-limit <value>
set system services ssh protocol-version v2

Only SSH protocol version 2 should be offered; version 1 is cryptographically broken and must not be enabled. connection-limit caps the number of concurrent SSH sessions so that they cannot be exhausted by an attacker. Telnet and FTP are simply left unconfigured.

Login banner
set system login message <text>
The message is displayed before authentication. Use it for the legal notice that access is restricted and monitored, not for information about the device or the network.


RADIUS authentication
RADIUS server
set system radius-server <IP_RADIUS_1> secret <RADIUS_secret>
set system radius-server <IP_RADIUS_1> retry <value_retries>
set system radius-server <IP_RADIUS_1> timeout <value_timeout>
set system radius-server <IP_RADIUS_1> source-address <IP_lo0>
set system radius-server <IP_RADIUS_2> secret <RADIUS_secret>
set system radius-server <IP_RADIUS_2> retry <value_retries>
set system radius-server <IP_RADIUS_2> timeout <value_timeout>
set system radius-server <IP_RADIUS_2> source-address <IP_lo0>

The shared secret is the only thing protecting the RADIUS exchange (the user password is merely obfuscated with MD5 and the secret; the rest of the packet is clear text), so use a long random secret per device and restrict which hosts can exchange UDP 1812/1813 with the router, in both directions. Sourcing the requests from lo0 gives the servers a single, stable client address to register.


TACACS+ authentication
TACACS+ server
set system tacplus-server <IP_TACACS_1> secret <TACACS_secret>
set system tacplus-server <IP_TACACS_1> timeout <value_timeout>
set system tacplus-server <IP_TACACS_1> source-address <IP_lo0>
set system tacplus-server <IP_TACACS_2> secret <TACACS_secret>
set system tacplus-server <IP_TACACS_2> timeout <value_timeout>
set system tacplus-server <IP_TACACS_2> source-address <IP_lo0>

Unlike radius-server, tacplus-server has no retry statement: the router moves on to the next configured server once timeout expires. TACACS+ runs over TCP port 49 and encrypts the whole packet body with the shared secret, and it separates authentication, per-command authorization and accounting, which is why it is generally preferred over RADIUS for device administration.
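The following is an added example, not part of the Nokia course material, that puts the Router access, Remote access and AAA slides together into one hierarchical Junos system stanza. It goes a step beyond the slides by defining the three access levels (admin, operator, read-only) as login classes, by mapping externally authenticated users onto template accounts, and by sending command accounting to the TACACS+ servers. The host name, addresses, class and user names, and the secret/hash placeholders are assumptions; replace them before use.

```junos
system {
    host-name pe1;                              /* placeholder name */
    /* AAA: ask the TACACS+ servers first; "password" at the end keeps the
       local accounts usable as a last resort when no server answers. */
    authentication-order [ tacplus password ];
    tacplus-server {
        192.0.2.12 { secret "REPLACE-WITH-SECRET"; timeout 5; single-connection; source-address 192.0.2.1; }
        192.0.2.13 { secret "REPLACE-WITH-SECRET"; timeout 5; single-connection; source-address 192.0.2.1; }
    }
    /* Accounting to the same servers: every login, commit and CLI command is recorded off-box. */
    accounting {
        events [ login change-log interactive-commands ];
        destination { tacplus; }
    }
    root-authentication {
        encrypted-password "$6$REPLACE-WITH-HASH";  /* a hash, never the clear-text password */
    }
    login {
        message "Authorized access only. All activity is logged.\n";
        retry-options { tries-before-disconnect 3; backoff-threshold 2; backoff-factor 5; }
        password { minimum-length 12; }
        /* Access levels. super-user is the built-in admin class. The two custom
           classes below exist because the built-in "operator" and "read-only"
           classes cannot be modified (no idle-timeout, no deny-commands). */
        class nw-operator {
            idle-timeout 15;
            permissions [ view view-configuration clear network reset trace ];
            deny-commands "^(start shell|request system (halt|reboot|zeroize))";
        }
        class nw-readonly {
            idle-timeout 15;
            permissions [ view view-configuration ];
        }
        /* Template accounts for TACACS+/RADIUS users: the server returns the
           Juniper attribute local-user-name=<template> and the user inherits
           that template's class. No local password, so no local login. */
        user tpl-admin    { class super-user; }
        user tpl-operator { class nw-operator; }
        user tpl-readonly { class nw-readonly; }
        /* The single local account kept for last-resort access. */
        user admin {
            full-name "Local Admin User";
            class super-user;
            authentication { encrypted-password "$6$REPLACE-WITH-HASH"; }
        }
    }
    services {
        /* SSH only: telnet and ftp are intentionally absent from this stanza. */
        ssh {
            root-login deny;
            protocol-version v2;
            connection-limit 10;
            rate-limit 5;
        }
    }
}
```

Load it with load merge under [edit] and commit with commit confirmed, so that a mistake in the AAA section rolls back instead of locking everyone out. Verify the class mapping by logging in as a TACACS+ user and running show cli authorization, which prints the effective class and permissions.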


Network services

SNMP: manage a router and collect statistics from it remotely; send notifications (traps) after events.
NTP: time synchronization of the router from a central server.
DNS: resolution of router hostnames to IP addresses.
Syslog: log historical and real-time events about router operations, to local storage and/or a remote syslog server.

Network management and administration tools/services are critical for the correct operation, monitoring and troubleshooting of a network. They are also the audit trail: accurate time from NTP and an off-box syslog copy are what make the logs usable in an investigation.


NTP and DNS

Network Time Protocol (NTP)
set system ntp boot-server <IP_NTP_SERVER_1>
set system ntp server <IP_NTP_SERVER_1> prefer
set system ntp server <IP_NTP_SERVER_2>
set system ntp source-address <IP_lo0>
boot-server is queried once at boot to set the clock immediately; the server statements keep it synchronized afterwards. Sourcing from lo0 gives the NTP servers, and the RE protection filter, one stable address to work with. As configured here NTP is unauthenticated: anyone who can spoof the server's address can skew the clock, and with it every log timestamp, so restrict the NTP sources in the RE protection filter and, where the servers support it, enable NTP authentication keys.

Domain Name System (DNS)
set system name-server <IP_DNS_SERVER_1>
set system name-server <IP_DNS_SERVER_2>
set system domain-name <global_domain>


Simple Network Management Protocol (SNMP)

set snmp description <hostname>
set snmp location <location_identifier>
set snmp contact <contact_text>
set snmp community <com_name> authorization read-only
set snmp community <com_name> version v2
set snmp community <com_name> clients <IP_SNMP_SERVER_1>
set snmp community <com_name> clients <IP_SNMP_SERVER_2>
set snmp trap-group <tg_name> categories authentication
set snmp trap-group <tg_name> categories chassis
set snmp trap-group <tg_name> categories link
set snmp trap-group <tg_name> categories routing
set snmp trap-group <tg_name> categories configuration
set snmp trap-group <tg_name> version v2
set snmp trap-group <tg_name> targets <IP_SNMP_SERVER_1>
set snmp trap-group <tg_name> targets <IP_SNMP_SERVER_2>

The community string is a shared password sent in clear text in every SNMPv1/v2c packet. Give it read-only authorization unless SNMP set operations are genuinely required (a sniffed read-write community is configuration access), restrict clients to the management stations, and cover UDP/161 in the RE protection filter. SNMPv3 with authentication and privacy is the preferred replacement where the management system supports it.


Logging - Syslog
set system syslog user * any emergency
set system syslog host <IP_LOG_SERVER_1> any notice
set system syslog host <IP_LOG_SERVER_1> interactive-commands info
set system syslog host <IP_LOG_SERVER_1> facility-override local0
set system syslog host <IP_LOG_SERVER_1> log-prefix <hostname>
set system syslog host <IP_LOG_SERVER_1> explicit-priority
set system syslog host <IP_LOG_SERVER_2> any notice
set system syslog host <IP_LOG_SERVER_2> interactive-commands info
set system syslog host <IP_LOG_SERVER_2> facility-override local0
set system syslog host <IP_LOG_SERVER_2> log-prefix <hostname>
set system syslog host <IP_LOG_SERVER_2> explicit-priority
set system syslog file messages any any
set system syslog file messages interactive-commands none
set system syslog file messages archive size 1m
set system syslog file messages archive files 10
set system syslog file messages explicit-priority
set system syslog file cli-commands authorization info
set system syslog file cli-commands change-log info
set system syslog file cli-commands interactive-commands info
set system syslog file cli-commands archive size 1m
set system syslog file cli-commands archive files 10
set system syslog file cli-commands explicit-priority

interactive-commands records every CLI command a user enters, authorization records login and authentication events and change-log records configuration changes, so the cli-commands file and its copy on the remote servers are the audit trail of who did what. Two remote servers matter because the local files rotate away (10 files of 1 MB here) and can be wiped by whoever compromises the router. Syslog over UDP is unauthenticated, so the log servers should be reachable only over the management network. explicit-priority adds the facility and severity to each message, and log-prefix tags it with the router name so that the messages of many routers can be separated on the collector.


JUNOS system-config example

system {
    authentication-order [ ... ];            /* Set authentication order */
    root-authentication { ... }              /* Root password hash */
    radius-server { ... }                    /* RADIUS (or tacplus-server) parameters */
    login {
        message "TEXT\n";                    /* Login banner */
        user admin { ... }                   /* Define local accounts */
    }
    name-server { ... }                      /* DNS parameters */
    services {
        ssh { ... }                          /* SSH parameters */
    }
    syslog { ... }                           /* Syslog parameters */
    ntp { ... }                              /* NTP parameters */
}
snmp { ... }                                 /* SNMP parameters */


Router security

Objectives
- Protection from external attacks
- Restrict router access to authorized users only
- Discard unknown traffic types and sources

Security mechanisms
- Control physical access to the device
- User authentication
- Login banner
- Password encryption
- Routing Engine protection filter

RE protection filter: list of protocols allowed
- Management (SSH, NTP, SNMP, etc.)
- Routing (OSPF, BGP, LDP, etc.)
- Only allow the IP addresses of known peers/sources
- Deny the rest of the traffic

Security is a critical component of every network and all available protection mechanisms should be applied. Especially critical in Junos is the Routing Engine protection filter: the RE runs the control plane (routing protocols, management daemons), and without a filter anything that can route a packet to one of the router's addresses can talk to those daemons directly.


RE protection filter
set firewall family inet filter <Protection-RE> term <name> from protocol <protocol>
set firewall family inet filter <Protection-RE> term <name> from destination-port <port>
set firewall family inet filter <Protection-RE> term <name> from source-prefix-list <name_prefix_list>
set firewall family inet filter <Protection-RE> term <name> then <accept|discard>

set interfaces lo0 unit 0 family inet filter input <Protection-RE>

The prefix lists referenced by source-prefix-list must be defined separately under policy-options. A filter applied as input on lo0 is evaluated for all traffic addressed to the Routing Engine, whichever interface it arrived on, which is what makes this the single choke point for control-plane protection. Because the last term discards everything else, commit such a filter with commit confirmed so that a forgotten protocol cannot lock you out.


Term  Description     Protocol  Port            Prefix list            Action
1     RADIUS Allowed  UDP       SRC 1812,1813   <From_RADIUS_servers>  Accept
2     RADIUS Denied   UDP       SRC 1812,1813   -                      Discard
3     SSH Allowed     TCP       DST 22          <From_SSH_hosts>       Accept
4     SSH Denied      TCP       DST 22          -                      Discard
5     SNMP Allowed    UDP       DST 161         <From_SNMP_hosts>      Accept
6     SNMP Denied     UDP       DST 161         -                      Discard
7     BGP Allowed     TCP       DST 179         <From_BGP_peers>       Accept
8     BGP Denied      TCP       DST 179         -                      Discard
9     NTP Allowed     UDP       SRC 123         <From_NTP_servers>     Accept
10    NTP Denied      UDP       SRC 123         -                      Discard
11    LDP Allowed     UDP, TCP  DST 646         <From_LDP_neighbors>   Accept
12    LDP Denied      UDP, TCP  DST 646         -                      Discard
13    DNS Allowed     UDP       SRC 53          <From_DNS_servers>     Accept
14    DNS Denied      UDP       SRC 53          -                      Discard
15    Deny rest       --        --              --                     Discard

Each Allowed term accepts a protocol only from its prefix list; the Denied term right after it catches the same protocol from any other source, so a counter on it shows who is knocking. Two things to check before deploying the table as-is: for BGP and LDP this router may be the side that opens the TCP session, in which case the peer's packets carry 179/646 as the source port rather than the destination port, so match on port (either direction) or add source-port terms; and the table omits protocols the router also needs to receive, such as OSPF/IS-IS, ICMP, BFD, VRRP or TACACS+ (TCP source port 49), all of which the Deny rest term silently drops.

JUNOS RE protection filter example

interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input protection_RE;     /* Apply the Routing Engine protection filter to the loopback interface */
                }
            }
        }
    }
}
firewall {
    family inet {
        filter protection_RE {
            term SSH-Allowed { ... }
            term SSH-Denied { ... }
            term BGP-Allowed { ... }
            term BGP-Denied { ... }
            /* further Allowed/Denied term pairs as in the table */
            term Deny_all { ... }
        }
    }
}
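The following is an added, complete version of the RE protection filter described on the last three slides; it is not from the Nokia course material. It turns the term table into loadable Junos configuration, defines the prefix lists the terms reference, adds a counter and a log action to every Denied term, and goes beyond the table in two places noted in the comments: BGP and LDP match on port (either direction) so that sessions this router opened are covered, and TACACS+ and OSPF terms are added because the course uses both protocols elsewhere. All addresses are placeholders from documentation ranges, and the prefix-list names From_TACACS_servers and From_OSPF_neighbors are assumptions in the style of the table.

```junos
policy-options {
    /* Placeholder addresses (RFC 5737 / RFC 1918 ranges); substitute the real ones. */
    prefix-list From_RADIUS_servers { 192.0.2.10/32; 192.0.2.11/32; }
    prefix-list From_TACACS_servers { 192.0.2.12/32; 192.0.2.13/32; }
    prefix-list From_SSH_hosts      { 198.51.100.0/24; }
    prefix-list From_SNMP_hosts     { 192.0.2.20/32; }
    prefix-list From_BGP_peers      { 203.0.113.1/32; 203.0.113.2/32; }
    prefix-list From_OSPF_neighbors { 10.1.0.0/16; }
    prefix-list From_NTP_servers    { 192.0.2.30/32; }
    prefix-list From_LDP_neighbors  { 10.1.0.0/16; }
    prefix-list From_DNS_servers    { 192.0.2.40/32; }
}
firewall {
    family inet {
        filter Protection-RE {
            /* Pattern for every protocol: accept from the known sources, then
               count, log and discard the same protocol from anyone else. */
            term RADIUS-Allowed {
                from { source-prefix-list { From_RADIUS_servers; } protocol udp; source-port [ 1812 1813 ]; }
                then accept;
            }
            term RADIUS-Denied { from { protocol udp; source-port [ 1812 1813 ]; } then { count radius-denied; log; discard; } }
            /* TACACS+ (TCP/49) is not in the course table; needed when tacplus-server is used. */
            term TACACS-Allowed {
                from { source-prefix-list { From_TACACS_servers; } protocol tcp; source-port 49; }
                then accept;
            }
            term TACACS-Denied { from { protocol tcp; source-port 49; } then { count tacacs-denied; log; discard; } }
            term SSH-Allowed {
                from { source-prefix-list { From_SSH_hosts; } protocol tcp; destination-port 22; }
                then accept;
            }
            term SSH-Denied { from { protocol tcp; destination-port 22; } then { count ssh-denied; log; discard; } }
            term SNMP-Allowed {
                from { source-prefix-list { From_SNMP_hosts; } protocol udp; destination-port 161; }
                then accept;
            }
            term SNMP-Denied { from { protocol udp; destination-port 161; } then { count snmp-denied; log; discard; } }
            /* "port" matches source or destination, so sessions this router opened
               (peer replies from port 179) are covered as well as inbound ones. */
            term BGP-Allowed {
                from { source-prefix-list { From_BGP_peers; } protocol tcp; port 179; }
                then accept;
            }
            term BGP-Denied { from { protocol tcp; port 179; } then { count bgp-denied; log; discard; } }
            /* OSPF has no port; match the IP protocol. Neighbours send from their
               link addresses, so the prefix list must cover the link ranges. */
            term OSPF-Allowed {
                from { source-prefix-list { From_OSPF_neighbors; } protocol ospf; }
                then accept;
            }
            term OSPF-Denied { from { protocol ospf; } then { count ospf-denied; log; discard; } }
            term NTP-Allowed {
                from { source-prefix-list { From_NTP_servers; } protocol udp; source-port 123; }
                then accept;
            }
            term NTP-Denied { from { protocol udp; source-port 123; } then { count ntp-denied; log; discard; } }
            term LDP-Allowed {
                from { source-prefix-list { From_LDP_neighbors; } protocol [ tcp udp ]; port 646; }
                then accept;
            }
            term LDP-Denied { from { protocol [ tcp udp ]; port 646; } then { count ldp-denied; log; discard; } }
            term DNS-Allowed {
                from { source-prefix-list { From_DNS_servers; } protocol udp; source-port 53; }
                then accept;
            }
            term DNS-Denied { from { protocol udp; source-port 53; } then { count dns-denied; log; discard; } }
            /* Everything else addressed to the RE (ICMP, BFD, VRRP, ... unless
               terms are added for them) ends here: counted, logged, dropped. */
            term Deny-rest {
                then { count deny-rest; log; discard; }
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter { input Protection-RE; }
            }
        }
    }
}
```

Load it with load merge under [edit] and commit with commit confirmed, then watch show firewall filter Protection-RE (per-term counters) and show firewall log (source addresses of the dropped packets) before confirming; a rising deny-rest counter on a working router usually means a protocol that still needs a term, not an attack. The filter covers family inet only: IPv6 peers or management stations need the same structure under family inet6.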