Friday 12 July 2019

Using Juniper SRX devices as routers

The SRX series is part of Juniper's security product line and provides stateful firewalling alongside a host of other security features such as IDS/IPS.

However, you can effectively use an SRX as a traditional router by changing the forwarding mode from flow based (stateful inspection) to packet based (stateless, per-packet processing). Bear in mind that packet mode bypasses the flow module, so the security policies, NAT and IPS features that depend on it no longer apply to the forwarded traffic.

You can verify the forwarding mode by issuing:

show security flow status

First, remove any existing security configuration from the device:

delete security

and then set the forwarding mode to 'packet based' (on the SRX, putting family mpls into packet mode switches the device out of flow mode, which is why a reboot is required):

set security forwarding-options family mpls mode packet-based

commit, then reboot so the new forwarding mode takes effect:

commit
run request system reboot

After the restart, check the forwarding mode again and confirm it now reports packet based:

show security flow status

Thursday 4 July 2019

Configuring an Etherchannel (with LACP) between JunOS and Cisco IOS

Juniper JunOS

First create the aggregated interface (device-count sets how many ae interfaces the chassis can have):

edit chassis
set aggregated-devices ethernet device-count 2

top
edit interfaces
set ae0 aggregated-ether-options

and define the LACP interval (the rate at which the device sends and expects LACP protocol messages):

set ae0 aggregated-ether-options lacp periodic fast

'lacp periodic fast' sets the LACP transmit interval to 1 second.

Note: the rate must be matched on the other end as well.

We'll now associate our physical interfaces with the aggregated link we've just configured (return to the top of the hierarchy first, as we are still under [edit interfaces]):

top
edit interfaces
edit ge-0/0/1
set ether-options 802.3ad ae0
exit
edit ge-0/0/2
set ether-options 802.3ad ae0

Cisco IOS

conf t
int range gi1/0/1-2
channel-protocol lacp
channel-group 1 mode active
lacp rate fast
no shut

int po1
description etherchannel

Tuesday 2 July 2019

Base Junos Configuration

The following template sets up the fundamental features in Junos and acts as a base for building more advanced configurations:

# Enter configuration mode
cli
configure exclusive

# Configure root user key / password (load-key-file takes the path or URL of the public key file)
set system root-authentication load-key-file <path-to-public-key>
[OR]
set system root-authentication plain-text-password

# Enable remote management
edit system services
set ssh
set web-management https port 443
set web-management https system-generated-certificate
set web-management https interface fxp0.0

# Disable insecure services (or 'delete' them if you would rather drop the statements entirely)
deactivate telnet
deactivate web-management http

# Setup hostname
top
set system host-name "host01"

# Setup time / date / ntp
set system time-zone Europe/London
# The one-off clock sync and the CLI idle timeout are operational-mode commands;
# run them with 'run' rather than leaving 'configure exclusive', which would
# discard the uncommitted changes made above
run set date ntp 1.uk.pool.ntp.org
run set cli idle-timeout 10

# Setup new user and assign login class
edit system login
edit user jbloggs
set authentication plain-text-password
set full-name "Joe Bloggs"
# pick one of the built-in classes
set class operator | read-only | super-user
top

# Create custom login class
set system login class test-class permissions [interface interface-control]
set system login class test-class idle-timeout 10
[OR]
# Configure RADIUS
set system radius-server 10.11.12.254 source-address 10.11.12.1
edit system radius-server 10.11.12.254
set secret <pass-phrase>
set port 1845
# Ensure radius requests originate from the mgmt interface
set routing-instance mgmt_junos
exit
set system authentication-order [radius password]
# Assign a default class for remote users: the 'remote' template applies to every
# RADIUS-authenticated user without a local account, so this grants all of them super-user
set system login user remote class super-user

### Setup Layer 3 Interface
# Change physical properties
edit interfaces ge-0/0/1
set speed 10m
set link-mode full-duplex
# Required before a logical unit on this interface can carry a vlan-id (see below)
set vlan-tagging
top

### Create VLAN
set vlans testvlan vlan-id 123
set vlans testvlan2 vlan-id 456

# Change logical properties
edit interfaces ge-0/0/1 unit 0
set vlan-id 50
edit family inet
set address 1.2.3.254/24
top

### Setup Access Port
# Change logical properties
edit interfaces ge-0/0/2 unit 0
set family ethernet-switching interface-mode access
set family ethernet-switching vlan members 123
top

### Setup Trunk Port
# ('port-mode trunk' on pre-ELS Junos releases)
edit interfaces ge-0/0/3 unit 0
set family ethernet-switching interface-mode trunk
set family ethernet-switching vlan members [testvlan testvlan2]
top

### Syslog Forwarding
* This is handled by the device's local syslog service rather than a dedicated CLI feature (local messages are written to /var/log/messages).
* To configure it from the CLI use 'edit system syslog'.

### Commit changes
commit
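As an added example (not from the original post), here is a small Python audit of a 'show configuration | display set' dump that checks the template's hardening items: telnet and plain-HTTP J-Web deactivated, ssh present, and whether the 'remote' template maps RADIUS users to super-user. Both sample dumps are constructed; a real dump carries many more statements, which the checks simply ignore.

```python
# Audit a Junos "show configuration | display set" dump for the hardening items
# in the base template above. Both sample dumps below are constructed.
BEFORE_HARDENING = """\
set system services ssh
set system services telnet
set system services web-management http
set system services web-management https port 443
set system login user remote class super-user
"""

AFTER_HARDENING = """\
set system services ssh
set system services telnet
deactivate system services telnet
set system services web-management http
deactivate system services web-management http
set system services web-management https port 443
set system login user remote class operator
"""

def active_statements(display_set_text):
    """Statements minus 'set'; a 'deactivate' line masks everything beneath its path."""
    sets, deactivated = [], []
    for line in display_set_text.splitlines():
        words = line.split()
        if len(words) >= 2 and words[0] == "set":
            sets.append(" ".join(words[1:]))
        elif len(words) >= 2 and words[0] == "deactivate":
            deactivated.append(" ".join(words[1:]))
    return {s for s in sets
            if not any(s == d or s.startswith(d + " ") for d in deactivated)}

def has(active, path):
    """True if `path` or a child of it is active (the ' ' stops http matching https)."""
    return any(s == path or s.startswith(path + " ") for s in active)

def audit(display_set_text):
    """Return the ids of the failed checks, in rule order."""
    active = active_statements(display_set_text)
    rules = [  # (check id, statement path, is it a failure when present?)
        ("telnet-enabled", "system services telnet", True),
        ("http-enabled", "system services web-management http", True),
        ("ssh-missing", "system services ssh", False),
        ("remote-super-user", "system login user remote class super-user", True),
    ]
    return [cid for cid, path, bad_if_present in rules
            if has(active, path) == bad_if_present]
```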