Channel: All SRX Services Gateway posts

Re: Loopbacks, the more the better???


Thanks for the clarification.

 

gigether-options -> loopback is not an interface but a test mode.

The only option here is to have the loopback on or removed.

This is a software version of a physical loopback connector plugged into the physical port. The input is looped to the output of the port.

 

This is used when the port is the target of a test device on another port or the other end of a service to send traffic generated by a test set back to the test set to validate the configuration.

 


Re: Loopbacks, the more the better???

I figure I'm stuck with lo0 only. Maybe someone can tell me about the implications of using unit 32768 as well.

Re: Loopbacks, the more the better???


The logical unit numbers are limited to these ranges:

 

You can include this statement at the following hierarchy levels:

  • [edit interfaces interface-name]

  • [edit logical-systems logical-system-name interfaces interface-name]

The logical unit number can be in the range 0 through 65,535 for demux and PPPoE static interfaces only. The logical unit number can be in the range 0 through 16,385 for all other static interface types.

 

https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/interfaces-specifying-the-logical-interface-number.html

 

They are only a label and can be selected within that range via any naming convention you want.  A typical one is to name the unit the same as the vlan id of the traffic for a trunk port and to use zero if only one connection is on the port.

 

Re: Loopbacks, the more the better???

Thanks again for your awesome reply. I should have dug deeper, but since I'm close to finishing my configuration in terms of overall performance, I thought I'd just ask.

Adrian Aguinaga
A.A.S. ITT Tech
B.S.C.M. ITT Tech

SRX210 VLAN problems


Hi All,

I have a Juniper SRX 210 that I need some help with. I have a corporate network with an EX2300 with 3 VLANs (100, 200, 300), which is connected to a dedicated fibre link and a corporate firewall. I have the SRX 210 sitting in my lab with a DSL connection on the AT interface. There have been cases when connections on the corporate network are being blocked by the firewall, and the provider can be slow in replying, so I have undertaken some bypasses, namely to test if the problem is the firewall or something else. My setup is below:

On the EX2300 port 4 setup as access port with VLAN member 200 --> Connected to SRX port 7 setup as access port with VLAN member 200
On the EX2300 port 5 setup as access port with VLAN member 300 --> Connected to SRX port 6 setup as access port with VLAN member 300

My problem is as below:
When I console into the SRX I can't ping anything on VLAN 200, but I can ping everything on VLAN 300.
From a machine connected via the EX2300 on VLAN 200 I can't ping the SRX VLAN interfaces, either VLAN 200 or VLAN 300.
From a machine connected via the EX2300 on VLAN 300 I can ping both SRX VLAN interfaces and access the Internet when using the default gateway of VLAN 300.
When I unplug the SRX VLAN 300 connection (port 6), a machine connected via the EX2300 on VLAN 200 can ping the SRX VLAN 200 interface and access the Internet when using the default gateway of VLAN 300.

How can I get both working at the same time?

I have even set up static routes for each vlan but same problem. I have also set up a rule to allow all traffic from trust to trust.

SRX 210 Configuration (snippets)

fe-0/0/6 {
    unit 0 {
        family ethernet-switching {
            port-mode access;
            vlan {
                members vlan3;
            }
        }
    }
}
fe-0/0/7 {
    unit 0 {
        family ethernet-switching {
            port-mode access;
            vlan {
                members vlan2;
            }
        }
    }
}

vlan {
    unit 2 {
        family inet {
            address 172.25.199.142/24;
        }
    }
    unit 3 {
        family inet {
            address 172.25.200.242/24;
        }
    }
}

zones {
    security-zone trust {
        interfaces {
            vlan.2 {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                }
            }
            vlan.3 {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                }
            }
        }
    }
}

vlans {
    vlan2 {
        vlan-id 200;
        l3-interface vlan.2;
    }
    vlan3 {
        vlan-id 300;
        l3-interface vlan.3;
    }
}

Thanks for your help, all!

 

Cheers Jason

SRX340 - Disable password recovery


We will be supplying SRX300 and SRX340 devices to customers on an ethernet core as an NTE device.

 

Currently I have everything configured to protect the NTE from any customer access, except one issue:

 

The customer could easily perform a password recovery by rebooting the device and pressing the spacebar. I have tested this and can confirm that the root password can be reset and then the configuration becomes visible to the customer.

 

To stop this I have logged onto the SRX340 as "root", entered the shell, navigated to "boot/defaults" and opened "loader.conf" in vi. I set the line "autoboot_delay="10"" to -1 as per recommendations; however, when I try to "save and quit" from vi, I get told that root does not have permission.

 

Any ideas on how to get around this issue please?


Re: SRX210 VLAN problems


I assume you have security policy in place to permit traffic.  I see that the zone setup looks correct to allow ping on the interfaces.

 

I assume your default gateway for both vlans is on the main firewall.  This creates some asymmetrical routing when trying to reach traffic on the alternate one.  If you change the gateway to be the ip address on the SRX it should work.

 

 


Re: SRX340 - Disable password recovery


Hi, (Edited response)

 

Yes, already completed this and it does indeed stop console access. 

 

So, I understand that it does not matter what the customer changes the "root" password to, they still cannot access via the console (possibly, this I have not tested), but would still like to stop them being able to change it during boot up.

 

Is there any chance that the customer changing any passwords during bootup could access the config in anyway at all?

 

Currently they cannot access the device at all, no SSH or telnet or any other means, but I am concerned about this.

 

I can test anyway and post results here. I was just wondering why I could not change that file when logged on as root via SSH.


Re: SRX210 VLAN problems


Hi Steve

 

Thanks for your reply.

 

Yes, I have created a "From Trust to zone Trust" rule with permit all thinking that might have been the problem.

I set up a default route for both, 172.25.199.0/24 next-hop 172.25.199.1 and the same for 172.25.200.0/24 next-hop x.x.200.1, but that didn't make any difference so I removed it. My routing currently on the SRX is as follows:

 

inet.0: 9 destinations, 9 routes (9 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 8w2d 07:59:30
                    > to 203.45.x.1 via at-1/0/0.0
10.1.1.0/24        *[Direct/0] 9w5d 13:10:33> via vlan.1
10.1.1.1/32        *[Local/0] 32w1d 15:01:25
                      Local via vlan.1
101.187.x.238/32  *[Local/0] 8w2d 07:59:30
                      Local via at-1/0/0.0
172.25.199.0/24    *[Direct/0] 10:11:49> via vlan.2
172.25.199.142/32  *[Local/0] 32w1d 15:01:25
                      Local via vlan.2
172.25.200.0/24    *[Direct/0] 08:57:07> via vlan.3
172.25.200.242/32  *[Local/0] 09:54:05
                      Local via vlan.3
203.45.x.1/32    *[Direct/0] 8w2d 07:59:30> via at-1/0/0.0

The static 0.0.0.0/32 is my ISP gateway for Internet traffic outwards. The IP 101.187 is my IP.

I have also tried removing the static route of the 0.0.0.0 which didn't work.

When you say:

wrote:
If you change the gateway to be the ip address on the SRX it should work.

 

From the PC side I have changed the default gateway to 172.25.199.142 or 172.25.200.242 respectively; VLAN 300 (172.25.200.0) works but VLAN 200 doesn't.

 

Thanks Jason
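As an added example (not part of the thread, and not Juniper's code), the following Python parses the `show route` output format quoted above and performs a longest-prefix-match lookup, which is the quickest way to confirm which interface the SRX itself would use for a given host. The masked octets ("x") in the quoted table are replaced with constructed placeholder values here, so those addresses are assumptions of the example.

```python
import ipaddress
import re

# Constructed sample modelled on the "show route" output quoted in the thread;
# the masked octets are replaced with placeholder values so the prefixes parse.
SHOW_ROUTE = """\
inet.0: 9 destinations, 9 routes (9 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 8w2d 07:59:30
                    > to 203.45.0.1 via at-1/0/0.0
10.1.1.0/24        *[Direct/0] 9w5d 13:10:33> via vlan.1
10.1.1.1/32        *[Local/0] 32w1d 15:01:25
                      Local via vlan.1
101.187.0.238/32  *[Local/0] 8w2d 07:59:30
                      Local via at-1/0/0.0
172.25.199.0/24    *[Direct/0] 10:11:49> via vlan.2
172.25.199.142/32  *[Local/0] 32w1d 15:01:25
                      Local via vlan.2
172.25.200.0/24    *[Direct/0] 08:57:07> via vlan.3
172.25.200.242/32  *[Local/0] 09:54:05
                      Local via vlan.3
203.45.0.1/32    *[Direct/0] 8w2d 07:59:30> via at-1/0/0.0
"""

# A route line starts with the prefix and the active marker "*[Proto/Pref]".
PREFIX_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+/\d+)\s+\*\[(\w+)/(\d+)\](.*)$")
# The next hop may sit on the same line ("> via vlan.1") or on the line after
# ("> to 203.45.0.1 via at-1/0/0.0" or "Local via vlan.2").
VIA_RE = re.compile(r"(?:to\s+(\S+)\s+)?via\s+(\S+)")


def parse_show_route(text):
    """Return a list of route dicts (prefix, protocol, preference, next_hop, interface)."""
    routes = []
    current = None
    for line in text.splitlines():
        m = PREFIX_RE.match(line)
        if m:
            current = {
                "prefix": ipaddress.ip_network(m.group(1)),
                "protocol": m.group(2),
                "preference": int(m.group(3)),
                "next_hop": None,
                "interface": None,
            }
            routes.append(current)
            rest = m.group(4)
        else:
            rest = line
        if current is None:
            continue  # still in the table header
        v = VIA_RE.search(rest)
        if v and current["interface"] is None:
            current["next_hop"], current["interface"] = v.group(1), v.group(2)
    return routes


def lookup(routes, address):
    """Longest-prefix match: the most specific route containing the address wins."""
    addr = ipaddress.ip_address(address)
    best = None
    for route in routes:
        if addr in route["prefix"]:
            if best is None or route["prefix"].prefixlen > best["prefix"].prefixlen:
                best = route
    return best


ROUTES = parse_show_route(SHOW_ROUTE)

if __name__ == "__main__":
    for host in ("172.25.199.50", "172.25.200.242", "8.8.8.8"):
        r = lookup(ROUTES, host)
        print(f"{host:16} -> {r['protocol']} via {r['interface']} (next hop {r['next_hop']})")
```

The lookup confirms that both VLAN subnets are directly connected on the SRX and that only the default route points out through the DSL interface, which is why the gateway choice on the hosts decides the return path.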

Re: SRX340 - Disable password recovery


I'll close this issue as it's not really an issue, more a pointer in the right direction.

 

Thanks

Firewall filter source address query


I have the following firewall filter in place:

 

firewall {
    filter VPN {
        term VPN-Source {
            from {
                source-address {
                    xxx.xxx.xxx.xxx/32;
                }
                destination-port 500;
            }
            then accept;
        }
        term IKE-BLOCK {
            from {
                destination-port 500;
            }
            then {
                reject;
            }
        }
        term else {
            then accept;
        }
    }
}

 

I'd like to add an additional source address for 'either or' or 'both' scenarios. Is it simply a case of adding a new line under source-address, or is it more complicated than that?

Re: SRX340 - Disable password recovery


Unfortunately, as suspected, this does not work.

 

So, if you enable the command: "set system ports console insecure", what it does do is secure the Console from root access. This I have tested and it is successful. Now, here is the problem:

 

I am the customer and I decide to reboot the NTE (SRX340) to see if I can "recover" the password. So, at the point during boot up where it says "Hit [Enter] to boot immediately, or space bar for command prompt." I decide to hit the spacebar. At the "loader >" prompt, I type "boot -s" and it goes through some POST and then comes up with the following:

 

"Enter full pathname of shell or 'recovery' for root password recovery or RETURN for /bin/sh:"

 

So, I type "recovery".... the device then boots to this:

root>

 

And, guess what.... I can access everything, including the Configuration.

 

The ability to press the spacebar so that "recovery" cannot be chosen is what I want to stop.

 

Any ideas please?

 

By the way, I know the answer is located in changing a line in "/boot/defaults/loader.conf" and I have changed the line but it won't let me save it, even when I'm logged into the shell as root.

 

Re: SRX340 - Disable password recovery


Okay, so I know why I can't change it as it is listed as follows:

 

-r--r--r-- 1 root wheel 16602 May 25 15:57 loader.conf

 

So, it is read only.

 

Now I want to change this to "write" as well as read, so I used "chmod -w loader.conf", but it's not working; still read only. Any ideas, anyone?

 

 


Re: SRX340 - Disable password recovery


Hi,

I understand your main goal is to disable password recovery via the console. If you follow the KB mentioned earlier, this can be achieved. Once you have configured "set system ports console insecure", the customer has to know the current root password to enter recovery mode, even after rebooting and executing "boot -s". I tested this and the difference in the boot process is given below:

 

With "set system ports console insecure":

+++++++++++++++++++++++++++++++

.............

System watchdog timer disabled
Enter root password, or ^D to go multi-user <--- Current root password to be provided to go to recover mode
Password:
Enter full pathname of shell or 'recovery' for root password recovery or RETURN for /bin/sh:recovery

 

Without "set system ports console insecure":

+++++++++++++++++++++++++++++++++++++

...........

System watchdog timer disabled <----- no root password prompt here
Enter full pathname of shell or 'recovery' for root password recovery or RETURN for /bin/sh: recovery

 

Modifying the loader.conf file is not recommended. This is a system protected file. You can modify the contents using vi (use the 'x' key to delete the character and :wq to save the contents) after changing the file permissions (chmod 644 loader.conf). However, the system will restore the contents (more specifically, it will restore the file itself; note the file timestamp) to default once you reboot the system. That means there is no use in modifying the loader.conf file. I tested this multiple times.
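Added example, not from the thread or from Juniper: two small checks a defender can script around the point made above. The first audits a `show configuration | display set` dump for the `set system ports console insecure` statement; the second classifies a captured single-user boot transcript by whether the root password prompt appears before the recovery prompt, which is the behavioural difference the reply reports. The configuration lines and transcripts are constructed reproductions for the example; the finding text and function names are this example's own.

```python
import re

# Constructed set-format configuration excerpts (example data, not a real device).
HARDENED_CONFIG = """\
set system host-name nte-srx340
set system ports console insecure
set system services ssh
"""

DEFAULT_CONFIG = """\
set system host-name nte-srx340
set system services ssh
"""

# Constructed console transcripts reproducing the two boot sequences quoted
# in the reply (after "boot -s" at the loader prompt).
BOOT_WITH_INSECURE = """\
System watchdog timer disabled
Enter root password, or ^D to go multi-user
Password:
Enter full pathname of shell or 'recovery' for root password recovery or RETURN for /bin/sh:recovery
"""

BOOT_WITHOUT_INSECURE = """\
System watchdog timer disabled
Enter full pathname of shell or 'recovery' for root password recovery or RETURN for /bin/sh: recovery
"""

CONSOLE_INSECURE = "set system ports console insecure"


def audit_config(set_config):
    """Return a list of findings for a 'display set' configuration dump.

    An empty list means the console hardening statement from the KB is present.
    """
    statements = {line.strip() for line in set_config.splitlines() if line.strip()}
    findings = []
    if CONSOLE_INSECURE not in statements:
        findings.append(
            "console not marked insecure: single-user boot reaches the "
            "'recovery' prompt without asking for the root password"
        )
    return findings


def recovery_requires_root_password(transcript):
    """True when the boot asks for the root password before offering 'recovery'.

    Lines are scanned in order, so a password prompt that only appears after
    the recovery prompt would (correctly) not count as protection.
    """
    password_prompt = re.compile(r"^Enter root password")
    recovery_prompt = re.compile(r"^Enter full pathname of shell")
    for line in transcript.splitlines():
        if password_prompt.match(line):
            return True
        if recovery_prompt.match(line):
            return False
    return False


if __name__ == "__main__":
    print("hardened config findings:", audit_config(HARDENED_CONFIG))
    print("default config findings: ", audit_config(DEFAULT_CONFIG))
    print("with insecure   ->", recovery_requires_root_password(BOOT_WITH_INSECURE))
    print("without insecure->", recovery_requires_root_password(BOOT_WITHOUT_INSECURE))
```

Running the transcript check against a console capture from a lab boot is a cheap way to verify the setting took effect before devices ship, rather than relying on the presence of the statement alone.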

Ipv6 inherit ipv4 Nat persistency?

I have an old version of Junos, 11.47xxx. My IPv6 capability is that IPv6 is a constant connection. It doesn't act as a NAT does. My IPv4 NAT is in full effect. All is well there. I have unusually long connection strings. I think they are IPv6 connection strings. Is there a way to inherit NAT data to IPv6 from IPv4? Is it possible? I think it is causing loopback issues. More importantly, I'm not getting IPv6 session information. Please help.

I thought about creating a group and inheriting data, but from where? Maybe just establishing session flow is the answer. Maybe not NAT data.

I admit there may be other possibilities. And also I may be incorrect.

Here is the extent of my security zone commands for IPv6. I tried destination NAT for IPv6 because it's the only way to get NAT for IPv6 on this box.

rule rule2 {
    match {
        source-address 0::0/0;
        destination-address 0::0/0;
    }
    then {
        source-nat {
            interface;
        }
    }
}
}
}

Heeeelp!!!!

Re: Firewall filter source address query


Hi,

Adding another source address will work as the "either or" scenario. The "both" scenario is not valid, as a packet has only one source address (either Source A or Source B, not Source A and Source B).
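As an added illustration of the answer above (example code, not from the thread or from Juniper), the following Python parses a curly-brace Junos firewall filter and evaluates packets against it with the same semantics the answer describes: several values under one match condition are alternatives (OR), different conditions within a term must all match (AND), the first matching term wins, and anything no term matches is discarded. The filter is a constructed copy of the one in the question with a second source-address entry added; the two source prefixes are RFC 5737 documentation addresses chosen for this example, not the poster's.

```python
import ipaddress

# Constructed filter modelled on the question, with a second source-address
# entry added as the reply suggests (documentation-range addresses, not real ones).
FILTER_CONFIG = """\
firewall {
    filter VPN {
        term VPN-Source {
            from {
                source-address {
                    198.51.100.10/32;
                    203.0.113.7/32;
                }
                destination-port 500;
            }
            then accept;
        }
        term IKE-BLOCK {
            from {
                destination-port 500;
            }
            then {
                reject;
            }
        }
        term else {
            then accept;
        }
    }
}
"""


def parse_junos(text):
    """Parse curly-brace Junos configuration into nested dicts.

    'foo {' opens a container, 'foo;' becomes a leaf set to True, and dict
    insertion order preserves the order of terms, which matters for evaluation.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            node = {}
            stack[-1][line[:-1].strip()] = node
            stack.append(node)
        elif line.endswith(";"):
            stack[-1][line[:-1].strip()] = True
        else:
            raise ValueError(f"unexpected line: {raw!r}")
    if len(stack) != 1:
        raise ValueError("unbalanced braces")
    return root


def term_matches(conditions, packet):
    """All conditions must hold (AND); the prefixes under one source-address are alternatives (OR)."""
    src = ipaddress.ip_address(packet["src"])
    for key, value in conditions.items():
        if key == "source-address":
            if not any(src in ipaddress.ip_network(p) for p in value):
                return False
        elif key.startswith("destination-port "):
            if packet["dport"] != int(key.split()[1]):
                return False
        else:
            raise ValueError(f"unsupported match condition: {key}")
    return True


def term_action(term):
    """Return the action keyword from either 'then accept;' or 'then { reject; }'."""
    for key, value in term.items():
        if key == "then":
            return next(iter(value))
        if key.startswith("then "):
            return key.split(None, 1)[1]
    return None


def evaluate_filter(config, filter_name, packet):
    """First matching term wins; a Junos filter discards packets no term matches."""
    filt = config["firewall"][f"filter {filter_name}"]
    for key, term in filt.items():
        if key.startswith("term ") and term_matches(term.get("from", {}), packet):
            return term_action(term)
    return "discard"


CONFIG = parse_junos(FILTER_CONFIG)


def classify(src, dport):
    return evaluate_filter(CONFIG, "VPN", {"src": src, "dport": dport})


if __name__ == "__main__":
    for src, port in [("198.51.100.10", 500), ("203.0.113.7", 500),
                      ("192.0.2.55", 500), ("192.0.2.55", 443)]:
        print(f"{src}:{port} -> {classify(src, port)}")
```

Either listed source reaches IKE (port 500), any other source on port 500 is rejected by the second term, and unrelated traffic falls through to the final accept, which is exactly the "either or" behaviour of a second source-address line.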

 

Re: Strange error on commit


ssam appears to be the process that handles the configuration changes.  And these errors don't seem to be caught with a helpful message.

 

https://kb.juniper.net/InfoCenter/index?page=content&id=KB24598

 

You can check the main log file right after they occur to see if something more helpful is present in the area around where this occurs.

show log messages

 

Since the commit does complete, whatever the error is, it is not fatal. I suspect something in the configuration is off, and the surrounding log messages may point where to look if you are not up for the full JTAC ticket process.

 
