Juniper config snippets

Juniper makes really nice network hardware. I’ve collected some configuration snippets here that are often useful. I use them in my daily work.

When IKE/IPsec doesn't work on a loopback interface, even though it sits in the external zone as it should:

set security policies global policy global match source-address any
set security policies global policy global match destination-address any
set security policies global policy global match application junos-ike
set security policies global policy global match application junos-ike-nat
set security policies global policy global then permit

Every Juniper device should have this so that it survives consecutive power failures:

set system auto-snapshot

A bunch of NTP servers from the PTB in Germany:

set system ntp server 192.53.103.108
set system ntp server 192.53.103.104
set system ntp server 192.53.103.103

Some options that make BGP more resilient:

set protocols bgp path-selection cisco-non-deterministic
set protocols bgp path-selection always-compare-med
set protocols bgp path-selection external-router-id
set protocols bgp mtu-discovery
set protocols bgp bgp-error-tolerance
set protocols bgp graceful-restart

Options for LLDP to make it more secure and convenient:

set protocols lldp port-id-subtype interface-name
set protocols lldp port-description-type interface-alias
set protocols lldp neighbour-port-info-display port-id
set protocols lldp tlv-select system-name
set protocols lldp tlv-select link-aggregation
set protocols lldp tlv-select maximum-frame-size
set protocols lldp tlv-select vlan-name
set protocols lldp interface all

Some IP options:

set system default-address-selection
set system no-redirects
set system internet-options icmpv4-rate-limit packet-rate 200
set system internet-options icmpv4-rate-limit bucket-size 5
set system internet-options path-mtu-discovery
set system internet-options tcp-drop-synfin-set

Options to make life easier (note that the last two switch off the TCP SYN and sequence-number checks, so they relax the firewall's state tracking):

set security flow enhanced-routing-mode
set security flow allow-dns-reply
set security flow tcp-session no-syn-check
set security flow tcp-session no-sequence-check

Flow-based routing (firewall):

set security forwarding-options family inet6 mode flow-based
set security forwarding-options family mpls mode flow-based
set security forwarding-options family iso mode packet-based

Packet-based routing (router):

set security forwarding-options family inet6 mode packet-based
set security forwarding-options family mpls mode packet-based
set security forwarding-options family iso mode packet-based

Better traffic balancing with multipath:

set forwarding-options hash-key family inet layer-3
set forwarding-options hash-key family inet layer-4
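As an added example (not part of the original post), here is a small audit script that reads a Junos `show configuration | display set` dump and reports which of the system-level hardening statements above are missing, which of the TCP state-relaxing options are present, and how many NTP servers are configured. The lists of statements and the sample dump are constructed for this example.

```python
"""Audit a Junos 'show configuration | display set' dump against the snippets above."""
import re

# Statements from the snippets that a hardened device should carry (constructed list).
REQUIRED = {
    "set system auto-snapshot": "no auto-snapshot: recovery after repeated power loss",
    "set system no-redirects": "ICMP redirects enabled",
    "set system internet-options tcp-drop-synfin-set": "SYN+FIN packets accepted",
    "set system internet-options path-mtu-discovery": "PMTUD disabled",
}
# Usability options that relax TCP state tracking; reported so the trade-off is visible.
RELAXED = {
    "set security flow tcp-session no-syn-check": "TCP SYN check disabled",
    "set security flow tcp-session no-sequence-check": "TCP sequence check disabled",
}
NTP_RE = re.compile(r"^set system ntp server (\S+)$")


def parse_set_config(text):
    """Normalise a set-format dump: drop comments, blank lines and repeated whitespace."""
    stmts = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment in Junos
        if line.startswith("set "):
            stmts.add(" ".join(line.split()))
    return stmts


def audit(text, min_ntp=2):
    """Return (missing_hardening, relaxed_checks, ntp_servers) for a dump."""
    stmts = parse_set_config(text)
    missing = [why for stmt, why in REQUIRED.items() if stmt not in stmts]
    relaxed = [why for stmt, why in RELAXED.items() if stmt in stmts]
    ntp = []
    for stmt in stmts:
        m = NTP_RE.match(stmt)
        if m:
            ntp.append(m.group(1))
    ntp.sort()
    if len(ntp) < min_ntp:
        missing.append(f"only {len(ntp)} NTP server(s) configured, want >= {min_ntp}")
    return missing, relaxed, ntp


# Constructed sample dump: carries some of the snippets and lacks others.
SAMPLE = """\
set system auto-snapshot
set system ntp server 192.53.103.108
set system internet-options  path-mtu-discovery   # extra spaces on purpose
set security flow tcp-session no-syn-check
set protocols bgp graceful-restart
"""

if __name__ == "__main__":
    for section, items in zip(("missing", "relaxed", "ntp"), audit(SAMPLE)):
        print(section, items)
```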
