Friday, November 29, 2013

Restrict SSH access to Management IP address ranges - Juniper EX Switches

Engineers coming from the Cisco world often wonder how to restrict SSH access to a Juniper EX switch to a few hosts or address ranges.

Here is how you do it:

Add an IP address to the loopback interface:

set interfaces lo0 unit 0 family inet address 127.0.0.1/32

Create a filter with the allowed hosts or subnets.

Term "SSH" permits the management source addresses:

set firewall family inet filter RE_MANAGEMENT term SSH from source-address 10.80.0.0/21
set firewall family inet filter RE_MANAGEMENT term SSH from protocol tcp
set firewall family inet filter RE_MANAGEMENT term SSH from destination-port ssh
set firewall family inet filter RE_MANAGEMENT term SSH then count allow.ssh
set firewall family inet filter RE_MANAGEMENT term SSH then accept

Term "SSH_BLOCK" denies SSH from any other IP address:

set firewall family inet filter RE_MANAGEMENT term SSH_BLOCK from protocol tcp
set firewall family inet filter RE_MANAGEMENT term SSH_BLOCK from destination-port ssh
set firewall family inet filter RE_MANAGEMENT term SSH_BLOCK then count discard.ssh
set firewall family inet filter RE_MANAGEMENT term SSH_BLOCK then discard

and then a term that accepts everything else (a Junos filter ends in an implicit discard, so without this term all other traffic to the routing engine would be dropped):

set firewall family inet filter RE_MANAGEMENT term default then accept

In the Juniper world all traffic destined to the routing engine is processed through the loopback interface, even when it is addressed to another interface on the switch, so the filter is applied inbound on lo0:

set interfaces lo0 unit 0 family inet filter input RE_MANAGEMENT

You can see the counters with the following command:

show firewall filter RE_MANAGEMENT

Filter: RE_MANAGEMENT
Counters:
Name                                                Bytes              Packets
allow.ssh                                           38023                  370
discard.ssh                                             0                    0
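To see how the terms above interact, here is a small Python model of the filter's first-match evaluation, added for this post and not Junos code or anything taken from the switch: it transcribes the three terms, runs some constructed sample packets against them, tallies the same allow.ssh/discard.ssh counters, and shows what happens when the trailing default term is left out. The sample addresses, packets and helper names are assumptions made for the illustration.

```python
import ipaddress
# Junos evaluates a filter's terms top to bottom: the first term whose "from"
# conditions all match decides the packet, and a packet matching no term hits the
# implicit discard at the end of every filter. Terms transcribed from the post (ssh = 22).
RE_MANAGEMENT = [
    {"name": "SSH", "src": "10.80.0.0/21", "proto": "tcp", "dport": 22,
     "count": "allow.ssh", "action": "accept"},
    {"name": "SSH_BLOCK", "proto": "tcp", "dport": 22,
     "count": "discard.ssh", "action": "discard"},
    {"name": "default", "action": "accept"},
]

def term_matches(term, src, proto, dport):
    """True when every 'from' condition present in the term matches the packet."""
    if "src" in term and ipaddress.ip_address(src) not in ipaddress.ip_network(term["src"]):
        return False
    if "proto" in term and term["proto"] != proto:
        return False
    return "dport" not in term or term["dport"] == dport

def evaluate(terms, src, proto, dport, counters=None):
    """Return (term name, action) for one packet to the RE; tally counters if given."""
    for term in terms:
        if term_matches(term, src, proto, dport):
            if counters is not None and "count" in term:
                counters[term["count"]] = counters.get(term["count"], 0) + 1
            return term["name"], term["action"]
    return "<implicit>", "discard"

# Constructed sample traffic towards the switch's RE: (source, protocol, dst port).
SAMPLE = [
    ("10.80.3.7", "tcp", 22),    # SSH from the management range
    ("192.0.2.10", "tcp", 22),   # SSH from outside it
    ("192.0.2.10", "tcp", 23),   # telnet from outside: the filter says nothing about it
    ("192.0.2.10", "udp", 123),  # NTP from outside
]

def run(terms, packets):
    """Evaluate each packet; return ({packet: (term, action)}, counters)."""
    counters = {}
    verdicts = {pkt: evaluate(terms, *pkt, counters=counters) for pkt in packets}
    return verdicts, counters

if __name__ == "__main__":
    for pkt, verdict in run(RE_MANAGEMENT, SAMPLE)[0].items():
        print(pkt, "->", verdict)
    # Without the trailing 'default then accept' term, all non-SSH traffic is discarded.
    print(run(RE_MANAGEMENT[:2], SAMPLE)[0])
```

Note that the filter only decides the fate of SSH; telnet or HTTP to the switch falls through to the default term and is still accepted.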

And that's it! You're done, and SSH access to your switch is now restricted to the management range.

Wednesday, October 30, 2013

Auto Voice/VoIP VLAN and Data Vlan assignment to Phone and Desktop on Extreme Switch using LLDP

There are cases where VoIP phones have to be deployed in an existing network and, for lack of internal cabling, the IP phones cannot be connected to the switches separately.

The VoIP phones are usually connected to the switch and the desktop is connected to the IP phone, as shown below.

In this scenario we can use LLDP (Link Layer Discovery Protocol) to advertise the voice VLAN details to the IP phone, so that the phone gets an IP address on the VoIP LAN and the VoIP traffic can be given priority.

Basic requirement: the VoIP phone must support LLDP (the voice policy below is advertised through LLDP-MED).

Below is the configuration required on the Extreme switch.

Create the voice VLAN; the default VLAN is used for the data network:

create vlan "VOICE"
configure vlan VOICE tag 100
configure vlan Default add ports 1:1 untagged
configure vlan VOICE add ports 1:1 tagged

Configure LLDP on the interface:

configure lldp transmit-interval 5
enable lldp ports 1:1
configure lldp port 1:1 advertise port-description
configure lldp port 1:1 advertise system-name
configure lldp port 1:1 advertise system-capabilities
configure lldp port 1:1 advertise management-address

configure lldp port 1:1 advertise vendor-specific dot1 vlan-name vlan VOICE
configure lldp port 1:1 advertise vendor-specific med policy application voice vlan VOICE dscp 46

That is it: the switch is now configured to advertise the voice VLAN to the phone via LLDP, and the data VLAN is sent untagged.

Happy Calling..!!

Wednesday, September 4, 2013

Routing Instances (VRF) on Juniper EX2200 are now supported..!!

I have just learned that routing instances are now supported on Juniper EX2200 series switches from Junos 12.3R1 onwards. It is a very handy feature and is analogous to Cisco's VRF-Lite.

Tuesday, September 3, 2013

VPN between Fortigate and vmWare vShield Edge

Here is the step-by-step configuration of a VPN between a Fortigate and vShield Edge.

Fortigate configuration

Create addresses on the Fortigate

Create Phase-1 and Phase-2 on the Fortigate

Add the VPN policy on the Fortigate

Now configure vShield Edge from vShield Manager

Enable VPN

Add the default configuration

Add site

Add site details

Check the status as shown

Enjoy..!!