Oh the fun I could have if I had spare time.

http://www.ex-parrot.com/pete/upside-down-ternet.html

First, you cannot do VLAN’s on the onboard ethernet interfaces.  Neither Juniper or CDW pre-sales engineer’s knew this.  It was hinted to me after I dug deep with the Juniper TAC that onboard NIC’s can be used for network traffic, but if you’re doing a lot of things with them they’re better for management and clustering.

Second, VLAN’s are only supported on the addon uPIM cards. Again, neither Juniper or CDW knew this.

Third, and most importantly, VLAN switching happens on the addon uPIM card and is only supported on 1 uPIM at a time, not on the router’s backplane.  So if you need VLAN more than 16 ports, then the Juniper J-Series routers is probably not the product you want to buy.

I should also say that this router is a great product, I’ve been using them for two of my datacenters and running BGP between the two datacenters, with a private fiber connection between them and they run beautifully.  These routers are great for an office or small datacenter.  When talking with Juniper, they couldn’t understand why a company would use them in their datacenter instead of purchasing one of the larger models.  For a smaller company that has traffic under 100Gbits/sec, these are great routers.

Below are two router configs. ge-0/0/0 is the uplink to our internet provider.  Each uplink has a /30.  On our side of the network we’re assigned a public subnet to ge-0/0/1, although you could also configure the router with firewall rules and setup NAT and private IP space and accomplish the same thing.  On the ge-0/0/1, you need to assign a unique IP to each router (2.2.2.2 and 2.2.2.3), then you need a “Virtual” IP (or VIP) that will be used by all devices as the gateway (2.2.2.1).

I also add a section called “track”.  What this does is tells VRRP on the ge-0/0/1 interfaces to watch ge-0/0/0 and if anything happens to that interface, then it should tell the other router it needs to give up controlling the VIP.

Router1

interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 1.1.1.2/30;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 2.2.2.2/24 {
                    vrrp-group 1 {
                        virtual-address 2.2.2.1;
                        priority 101;
                        accept-data;
                        track {
                            interface ge-0/0/0 {
                                priority-cost 10;
                            }
                        }
                    }
                }
            }
        }
    }
}

Router 2

interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 1.1.1.6/30;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 2.2.2.3/24 {
                    vrrp-group 1 {
                        virtual-address 2.2.2.1;
                        priority 101;
                        accept-data;
                        track {
                            interface ge-0/0/0 {
                                priority-cost 10;
                            }
                        }
                    }
                }
            }
        }
    }
}

ASA5505(config)# interface ethernet 0/0
ASA5505(config-if)# switchport access vlan 2
ASA5505(config-if)# no shutdown

ASA5505(config)# interface ethernet 0/1
ASA5505(config-if)# switchport access vlan 1
ASA5505(config-if)# no shutdown

ASA5505(config)# interface ethernet 0/2
ASA5505(config-if)# switchport access vlan 3
ASA5505(config-if)# no shutdown

ASA5505(config)# interface vlan 1
ASA5505(config-if)# nameif inside
ASA5505(config-if)# security-level 100
ASA5505(config-if)# ip address 192.168.1.1 255.255.255.0
ASA5505(config-if)# no shutdown

ASA5505(config)# interface vlan 2
ASA5505(config-if)# nameif primary-isp
ASA5505(config-if)# security-level 0
ASA5505(config-if)# ip address 100.100.100.1 255.255.255.0
ASA5505(config-if)# backup interface vlan 3
ASA5505(config-if)# no shutdown

ASA5505(config)# interface vlan 3
ASA5505(config-if)# nameif backup-isp
ASA5505(config-if)# security-level 1
ASA5505(config-if)# ip address 200.200.200.1 255.255.255.0
ASA5505(config-if)# no shutdown

ASA5505(config)# route primary-isp 0.0.0.0 0.0.0.0 100.100.100.2 1
ASA5505(config)# route backup-isp 0.0.0.0 0.0.0.0 200.200.200.2 2

Router#sh run
Building configuration...

Current configuration : 1158 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
no aaa new-model
ip subnet-zero
!
ip cef
!
interface FastEthernet0/0
 no ip address
 shutdown
!
interface Serial0/0
 description outside interface
 ip address 100.100.100.1 255.255.255.252
 no ip directed-broadcast
 service-module t1 timeslots 1-24
 set cdp disable
 no shutdown
 no fair-queue
!
interface FastEthernet0/1
 description inside interface
 ip address 200.200.200.1 255.255.255.0
 speed 100
 full-duplex
!
ip default-gateway 100.100.100.2
ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 100.100.100.2
!
line con 0
line aux 0
line vty 0 4
 login
!
!
end

Router#sh run
Building configuration...

Current configuration : 1158 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
no aaa new-model
ip subnet-zero
!
ip cef
!
interface FastEthernet0/0
 description outside interface
 ip address 100.100.100.1 255.255.255.252
 speed 100
 full-duplex
!
interface Serial0/0
 no ip address
 shutdown
 no fair-queue
!
interface FastEthernet0/1
 description inside interface
 ip address 200.200.200.1 255.255.255.0
 speed 100
 full-duplex
!
ip default-gateway 100.100.100.2
ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 100.100.100.2
!
line con 0
line aux 0
line vty 0 4
 login
!
!
end

While most of the attention is paid to exterior threats, there are some steps you can take to prevent unwanted Cisco router access from within your organization.

Whether you want to limit what certain users can do and run on your routers, or prevent unauthorized users in your company from getting to config mode in the first place, here are four important yet simple steps you can take to do so.

Encrypt the passwords in your running configuration.

This is a basic Cisco router security command that is often overlooked. It doesn’t do you any good to set passwords for your ISDN connection or Telnet connections if anyone who can see your router’s running configuration can see the passwords. By default, these passwords are displayed in your running config in clear text.

One simple command takes care of that. In global configuration mode, run service password-encryption. This command will encrypt all clear text passwords in your running configuration.

Set a console password.

If I walked into your network room right now, could I sit down and start configuring your Cisco routers?

If so, you need to set a console password. This password is a basic yet important step in limiting router access in your network. Go into line configuration mode with the command “line con 0″, and set a password with the password command.

Limit user capabilities with privilege level commands.

Not everyone who has access to your routers should be able to do anything they want. With careful use of privilege levels, you can limit the commands given users can run on your routers.

Privilege levels can be a little clumsy at first, but with practice you’ll be tying your routers down as tight as you like. Visit www.cisco.com/univercd for documentation on configuring privilege levels.

Configure an “enable secret” password.

It’s not uncommon for me to see a router that has an enable mode password set, but it’s in clear text.

By using “enable secret”, the enable mode password will automatically be encrypted. Remember, if you have an enable password and enable secret password set on the same router, the enable secret password takes precedence.

These four basic steps will help prevent unwanted router access from inside your network. If only preventing problems from outside your network was as simple!

version 12.0
!
no ip domain-lookup
isdn switch-type basic-net3
!
!
!
interface Ethernet0
ip address 172.16.1.1 255.255.255.0
no ip directed-broadcast
ip nat inside
!
interface BRI0
ip address negotiated
no ip directed-broadcast
ip nat outside
encapsulation ppp
dialer string (put ISDN phone number here)
dialer-group 1
isdn switch-type basic-net3
no cdp enable
ppp chap hostname (Put username here)
ppp chap password (Put password here)
!
router rip
network 172.16.0.0
!
ip nat translation timeout 180
ip nat inside source list 1 interface BRI0 overload
ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 BRI0
!
access-list 1 permit 172.16.0.0 0.0.255.255
access-list 100 deny ip any host 172.16.255.255
access-list 100 permit ip any any
dialer-list 1 protocol ip list 100
alias exec u undebug all
!