Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Template-Juniper_SRX300_RETH-BASIC-IPoE
## version 15.1X49-D45;
groups {
node0 {
system {
host-name srx-a;
}
interfaces {
fxp0 {
unit 0 {
family inet {
address 192.168.0.1/24;
}
}
}
}
}
node1 {
system {
host-name srx-b;
}
interfaces {
fxp0 {
unit 0 {
family inet {
address 192.168.0.2/24;
}
}
}
}
}
}
apply-groups "${node}";
system {
root-authentication {
encrypted-password "大元をコピー";
}
time-zone Asia/Tokyo;
name-server {
208.67.222.222;
208.67.220.220;
}
services {
ssh;
telnet;
xnm-clear-text;
web-management {
http {
interface [ fxp0.0 reth3.0 reth4.0 reth5.0 ];
}
https {
system-generated-certificate;
}
}
dhcp {
router {
192.168.100.1;
}
pool 192.168.100.0/24 {
address-range low 192.168.100.101 high 192.168.100.200;
}
}
}
syslog {
archive size 100k files 3;
user * {
any emergency;
}
file messages {
any critical;
authorization info;
}
file interactive-commands {
interactive-commands error;
}
}
max-configurations-on-flash 10;
max-configuration-rollbacks 10;
license {
autoupdate {
url https://ae1.juniper.net/junos/key_retrieval;
}
}
ntp {
server 64.99.80.121;
}
}
chassis {
cluster {
control-link-recovery;
reth-count 6;
redundancy-group 1 {
node 0 priority 200;
node 1 priority 1;
interface-monitor {
ge-0/0/5 weight 255;
ge-3/0/5 weight 255;
}
}
redundancy-group 0 {
node 0 priority 200;
node 1 priority 1;
}
}
}
security {
screen {
ids-option untrust-screen {
icmp {
ping-death;
}
ip {
source-route-option;
tear-drop;
}
tcp {
syn-flood {
alarm-threshold 1024;
attack-threshold 200;
source-threshold 1024;
destination-threshold 2048;
timeout 20;
}
land;
}
}
}
nat {
source {
rule-set trust-to-untrust {
from zone [ DMZ LAN junos-host ];
to zone WAN;
rule source-nat-rule {
match {
source-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
}
}
policies {
from-zone LAN to-zone WAN {
policy trust-to-untrust {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
}
zones {
security-zone LAN {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
reth5.0;
}
}
security-zone WAN {
screen untrust-screen;
host-inbound-traffic {
system-services {
ping;
ike;
}
}
interfaces {
reth3.0;
}
}
security-zone DMZ {
host-inbound-traffic {
system-services {
ping;
}
}
interfaces {
reth4.0;
}
}
}
}
interfaces {
ge-0/0/3 {
gigether-options {
redundant-parent reth3;
}
}
ge-0/0/4 {
gigether-options {
redundant-parent reth4;
}
}
ge-0/0/5 {
gigether-options {
redundant-parent reth5;
}
}
ge-3/0/3 {
gigether-options {
redundant-parent reth3;
}
}
ge-3/0/4 {
gigether-options {
redundant-parent reth4;
}
}
ge-3/0/5 {
gigether-options {
redundant-parent reth5;
}
}
fab0 {
fabric-options {
member-interfaces {
ge-0/0/2;
}
}
}
fab1 {
fabric-options {
member-interfaces {
ge-3/0/2;
}
}
}
reth3 {
redundant-ether-options {
redundancy-group 1;
}
unit 0 {
family inet {
address 1.1.1.1/24;
}
}
}
reth4 {
redundant-ether-options {
redundancy-group 1;
}
unit 0 {
family inet {
address 192.168.200.1/24;
}
}
}
reth5 {
redundant-ether-options {
redundancy-group 1;
}
unit 0 {
family inet {
address 192.168.100.1/24;
}
}
}
vlan {
unit 0;
}
}
routing-options {
static {
route 0.0.0.0/0 next-hop 1.1.1.254;
route 10.0.0.0/8 next-hop 192.168.100.254;
route 172.16.0.0/12 next-hop 192.168.100.254;
route 192.168.0.0/16 next-hop 192.168.100.254;
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.