Friday 22 February 2013

Juniper JNCIA-Junos - Routing Policy and Firewall Filters

We assume you have read chapter 2 of Juniper’s second PDF so that you can practice routing policy and firewall filters. First we are going to start with a simple route redistribution followed by a firewall filter to restrict telnet access.

Exercise 1 – Default route redistribution into OSPF

Create a policy to redistribute the existing default route (0.0.0.0/0) on JunOS1 into OSPF so that other routers can use it.

Solution

[edit]
root@JUNOS1# edit policy-options
[edit policy-options]
root@JUNOS1# set policy-statement default-static term accept-default-static from protocol static
[edit policy-options]
root@JUNOS1# set policy-statement default-static term accept-default-static from route-filter 0.0.0.0/0 exact
[edit policy-options]
root@JUNOS1# set policy-statement default-static term accept-default-static then accept
[edit policy-options]
root@JUNOS1# show
policy-statement default-static {
    term accept-default-static {
        from {
            protocol static;
            route-filter 0.0.0.0/0 exact;
        }
        then accept;
    }
}
[edit policy-options]
root@JUNOS1# top edit protocols ospf
[edit protocols ospf]
root@JUNOS1# set export default-static
[edit]
root@JUNOS1# commit
JUNOS1 now advertises the default route in OSPF; check that JUNOS3 actually sees it.
root@JUNOS3# run show route protocol ospf
inet.0: 15 destinations, 15 routes (15 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
0.0.0.0/0          *[OSPF/150] 00:00:05, metric 0, tag 0
> to 172.30.25.9 via em4.0

Exercise 2 – Firewall filtering

To complete this exercise, we first have to enable the telnet service on JUNOS1 and create a user to log in with.
[edit]
root@JUNOS1# set system services telnet
[edit]
root@JUNOS1# set system login user junuser class super-user authentication plain-text-password
[edit]
root@JUNOS1# commit
commit complete
Test the service from JUNOS3, using its loopback0 (lo0) as the source interface.
[edit]
root@JUNOS3# run telnet 10.1.1.1 interface lo0
Trying 10.1.1.1...
Connected to 10.1.1.1.
Escape character is '^]'.
JUNOS1 (ttyp0)
login: junuser
Password:
--- JUNOS 10.1R1.8 built 2010-02-12 17:15:05 UTC

junuser@JUNOS1> exit
Connection closed by foreign host.
Now add a firewall filter so that telnet access to JUNOS1 is allowed only from JUNOS3's loopback0 address (10.3.3.3). You have to define the firewall filter and a prefix list, then apply the filter as an input filter on JUNOS1's loopback0.

Solution

[edit]
root@JUNOS1# edit firewall filter limit-telnet-access
[edit firewall filter limit-telnet-access]
root@JUNOS1# set term telnet-accept from source-prefix-list trusted
[edit firewall filter limit-telnet-access]
root@JUNOS1# set term telnet-accept from protocol tcp
[edit firewall filter limit-telnet-access]
root@JUNOS1# set term telnet-accept from destination-port telnet
[edit firewall filter limit-telnet-access]
root@JUNOS1# set term telnet-accept then accept
[edit firewall filter limit-telnet-access]
root@JUNOS1# set term telnet-reject from protocol tcp
[edit firewall filter limit-telnet-access]
root@JUNOS1# set term telnet-reject from destination-port telnet
[edit firewall filter limit-telnet-access]
root@JUNOS1# set term telnet-reject then discard
[edit firewall filter limit-telnet-access]
root@JUNOS1# set term telnet-reject then log
[edit firewall filter limit-telnet-access]
root@JUNOS1# set term else-accept then accept
[edit firewall filter limit-telnet-access]
root@JUNOS1# show
term telnet-accept {
    from {
        source-prefix-list {
            trusted; ## 'trusted' is not defined
        }
        protocol tcp;
        destination-port telnet;
    }
    then accept;
}
term telnet-reject {
    from {
        protocol tcp;
        destination-port telnet;
    }
    then {
        discard;
    }
}
term else-accept {
    then accept;
}
[edit firewall filter limit-telnet-access]
root@JUNOS1# top edit policy-options
[edit policy-options]
root@JUNOS1# set prefix-list trusted 10.3.3.3
[edit policy-options]
root@JUNOS1# top set interfaces lo0 unit 0 family inet filter input limit-telnet-access
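To make the term ordering explicit, here is an added example (not from the original post, and not Junos code): a small Python model of how a stateless firewall filter is evaluated. Terms are tried in order, the first matching term's terminating action wins, and a packet matching no term hits the implicit discard that Junos appends to every filter. The term list mirrors limit-telnet-access as configured above; the packets, including the OSPF neighbour address 172.30.25.10, are constructed for the demonstration. Running it with and without the else-accept term shows why that catch-all is needed: a filter on lo0 is evaluated for all traffic destined to the Routing Engine, so without else-accept the OSPF packet falls through to the implicit discard.

```python
"""Model of Junos stateless firewall filter evaluation (added example).

Terms are evaluated top to bottom; the first term whose 'from' conditions
all hold supplies the terminating action. If no term matches, the packet
is discarded (the implicit discard at the end of every Junos filter).
All packets below are constructed for the demonstration.
"""
from ipaddress import ip_address, ip_network

# prefix-list trusted 10.3.3.3 as set on JUNOS1 (a single host prefix).
PREFIX_LISTS = {"trusted": [ip_network("10.3.3.3/32")]}

# Terminating actions; 'log' and 'count' are modifiers that do not end evaluation.
TERMINATING = ("accept", "discard", "reject")

# Filter limit-telnet-access: (term name, 'from' conditions, 'then' actions).
LIMIT_TELNET_ACCESS = [
    ("telnet-accept",
     {"source-prefix-list": "trusted", "protocol": "tcp", "destination-port": 23},
     ["accept"]),
    ("telnet-reject",
     {"protocol": "tcp", "destination-port": 23},
     ["log", "discard"]),
    ("else-accept", {}, ["accept"]),
]

# The same filter with the catch-all term left out (a common mistake).
WITHOUT_ELSE_ACCEPT = LIMIT_TELNET_ACCESS[:2]


def term_matches(conditions, pkt):
    """All 'from' conditions must hold; an empty 'from' matches everything."""
    for key, want in conditions.items():
        if key == "source-prefix-list":
            src = ip_address(pkt["src"])
            if not any(src in net for net in PREFIX_LISTS[want]):
                return False
        elif pkt.get(key) != want:
            return False
    return True


def evaluate(terms, pkt):
    """Return (matching term or None, terminating action, whether it was logged)."""
    for name, conditions, actions in terms:
        if term_matches(conditions, pkt):
            # A matched term that has only modifiers (e.g. just 'log') accepts.
            action = next((a for a in actions if a in TERMINATING), "accept")
            return name, action, "log" in actions
    return None, "discard", False  # implicit discard at the end of the filter


# Constructed packets: telnet from JUNOS2's lo0, telnet from JUNOS3's lo0,
# and an OSPF packet from a neighbour on a transit link (address assumed).
PACKETS = {
    "telnet from 10.2.2.2": {"src": "10.2.2.2", "protocol": "tcp", "destination-port": 23},
    "telnet from 10.3.3.3": {"src": "10.3.3.3", "protocol": "tcp", "destination-port": 23},
    "ospf from 172.30.25.10": {"src": "172.30.25.10", "protocol": "ospf"},
}

if __name__ == "__main__":
    for label, terms in (("with else-accept", LIMIT_TELNET_ACCESS),
                         ("without else-accept", WITHOUT_ELSE_ACCEPT)):
        print(f"== {label} ==")
        for desc, pkt in PACKETS.items():
            term, action, logged = evaluate(terms, pkt)
            print(f"{desc:24} -> {action:8} (term: {term}, logged: {logged})")
```

The same two-term structure (accept from a trusted prefix list, then log and discard the rest) applies to any management service; only the destination-port condition changes.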
Commit, then check that we can connect only from JUNOS3's loopback0 interface, and have a look at the firewall log on JUNOS1. The else-accept term matters here: a filter on lo0 is evaluated for every packet destined to the Routing Engine, whichever interface it arrived on, and Junos discards anything no term matches, so without that catch-all OSPF and all other traffic to the router itself would be silently dropped.
root@JUNOS2# run telnet 10.1.1.1 interface lo0
Trying 10.1.1.1...
^C
[edit]
root@JUNOS3# run telnet 10.1.1.1 interface lo0
Trying 10.1.1.1...
Connected to 10.1.1.1.
Escape character is '^]'.
JUNOS1 (ttyp0)
login:
root@JUNOS1# run show firewall log
Log :
Time      Filter               Action  Interface  Protocol  Src Addr   Dest Addr
01:42:37  limit-telnet-access  D       em1.0      TCP       10.2.2.2   10.1.1.1
01:42:33  limit-telnet-access  D       em1.0      TCP       10.2.2.2   10.1.1.1
01:42:29  limit-telnet-access  D       em1.0      TCP       10.2.2.2   10.1.1.1
01:42:25  limit-telnet-access  D       em1.0      TCP       10.2.2.2   10.1.1.1
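The log above is only useful if someone reads it. As an added example (not from the original post), the following Python parses the text of show firewall log into records, counts discards per source, and reports sources that repeatedly hit the reject term, which is what a defender would feed into monitoring. The sample text is the output shown in this post; the column layout the regular expression expects (time, filter, action letter, interface, protocol, source, destination) is taken from that output and is an assumption for other Junos releases.

```python
"""Parse 'show firewall log' output and summarise discards (added example).

The action column is a single letter: A = accept, D = discard, R = reject.
SAMPLE_LOG is the output captured in the post above; the parser only relies
on whitespace-separated columns, so spacing differences do not matter.
"""
import re
from collections import Counter

SAMPLE_LOG = """\
Log :
Time      Filter    Action Interface     Protocol        Src Addr                         Dest Addr
01:42:37  limit-telnet-access D em1.0    TCP             10.2.2.2                         10.1.1.1
01:42:33  limit-telnet-access D em1.0    TCP             10.2.2.2                         10.1.1.1
01:42:29  limit-telnet-access D em1.0    TCP             10.2.2.2                         10.1.1.1
01:42:25  limit-telnet-access D em1.0    TCP             10.2.2.2                         10.1.1.1
"""

# time  filter  action  interface  protocol  src  dst
LINE_RE = re.compile(
    r"^(\d{2}:\d{2}:\d{2})\s+(\S+)\s+([ADR])\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$"
)
ACTIONS = {"A": "accept", "D": "discard", "R": "reject"}


def parse_firewall_log(text):
    """Return one dict per log line; header and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        t, flt, act, ifc, proto, src, dst = m.groups()
        entries.append({
            "time": t, "filter": flt, "action": ACTIONS[act],
            "interface": ifc, "protocol": proto, "src": src, "dst": dst,
        })
    return entries


def discards_by_source(entries):
    """Count discarded packets per (source, destination, protocol)."""
    return Counter(
        (e["src"], e["dst"], e["protocol"])
        for e in entries if e["action"] == "discard"
    )


def repeated_offenders(entries, threshold=3):
    """Sources whose discard count reaches the threshold, sorted for stable output."""
    counts = discards_by_source(entries)
    return sorted({src for (src, _, _), n in counts.items() if n >= threshold})


if __name__ == "__main__":
    log = parse_firewall_log(SAMPLE_LOG)
    for (src, dst, proto), n in discards_by_source(log).items():
        print(f"{n} discarded {proto} packets from {src} to {dst}")
    print("repeated offenders:", repeated_offenders(log))
```

The log buffer on the router is small and overwrites itself, so in practice the same parsing would be applied to syslog output from a term that uses syslog rather than log; the record structure is the same.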
