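/* ============================================================
 * VantagePoint Networks — Juniper EX4400 Distribution Switch
 * Hardened Baseline · CIS Level 1 Compliant
 * Junos 23.x
 * ============================================================
 * DEPLOYMENT NOTES:
 * 1. Replace every <PLACEHOLDER> token with your site values
 *    (the configuration does not load while any placeholder remains)
 * 2. Load via: load merge terminal / load replace terminal
 * 3. Always commit check before commit
 * 4. Use commit confirmed 5 for safety
 * 5. Each top-level stanza appears exactly once, so "load replace"
 *    cannot silently drop part of interfaces or protocols
 * ============================================================ */
system {
    host-name DIST-01;
    domain-name <DOMAIN>;
    time-zone UTC;
    /* The RE never emits ICMP redirects (CIS) */
    no-redirects;
    ports {
        console {
            /* Tear down the CLI session when the console cable is unplugged */
            log-out-on-disconnect;
        }
    }
    root-authentication {
        /* Generate: openssl passwd -6 */
        encrypted-password "<ROOT-PW-HASH>";
    }
    login {
        retry-options {
            tries-before-disconnect 3;
            backoff-threshold 1;
            backoff-factor 6;
            minimum-time 30;
            /* Minutes the account stays locked once the retry budget is spent */
            lockout-period 10;
        }
        password {
            /* Applies to every password set on the box (CIS) */
            minimum-length 12;
            format sha512;
        }
        class ADMIN-CLASS {
            permissions all;
            idle-timeout 10;
        }
        class READONLY-CLASS {
            permissions [ view view-configuration ];
            idle-timeout 15;
        }
        user <ADMIN-USER> {
            uid 2001;
            class ADMIN-CLASS;
            authentication {
                encrypted-password "<ADMIN-PW-HASH>";
                ssh-rsa "<ADMIN-SSH-PUBKEY>";
            }
        }
        user <RO-USER> {
            uid 2002;
            class READONLY-CLASS;
            authentication {
                encrypted-password "<RO-PW-HASH>";
            }
        }
        message "\n===============================================================\nUNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.\nAll activities are monitored and logged.\n===============================================================\n";
    }
    services {
        ssh {
            root-login deny;
            protocol-version v2;
            max-sessions-per-connection 3;
            client-alive-count-max 3;
            client-alive-interval 120;
            connection-limit 5;
            rate-limit 3;
            ciphers [ aes256-ctr aes256-gcm@openssh.com chacha20-poly1305@openssh.com ];
            macs [ hmac-sha2-256 hmac-sha2-512 ];
            key-exchange [ curve25519-sha256 ecdh-sha2-nistp521 ];
            hostkey-algorithm {
                ssh-ed25519;
                ecdsa-sha2-nistp521;
            }
        }
        netconf {
            ssh {
                port 830;
            }
        }
        /* Disable insecure services */
        /* no telnet */
        /* no ftp */
        /* no web-management http */
        web-management {
            https {
                /* Self-signed; where a PKI exists, prefer a CA-issued local-certificate */
                system-generated-certificate;
                port 8443;
                interface vme;
            }
        }
    }
    syslog {
        user * {
            any emergency;
        }
        host <SYSLOG-1> {
            any warning;
            authorization info;
            change-log any;
            interactive-commands info;
            facility-override local7;
            source-address <LO0-IP>;
        }
        host <SYSLOG-2> {
            any warning;
            authorization info;
            source-address <LO0-IP>;
        }
        file messages {
            any notice;
            authorization info;
        }
        file interactive-commands {
            interactive-commands any;
        }
        file default-log-messages {
            any info;
            match "(requested 'commit' operation)|(copying juniper.conf)|(login attempt)";
            structured-data;
        }
        time-format year millisecond;
    }
    ntp {
        server <NTP-1> prefer;
        server <NTP-2>;
        /* NOTE(review): md5 kept for server compatibility; recent Junos also
           accepts sha1/sha256 key types — confirm on this release and on the
           NTP servers before switching */
        authentication-key 1 type md5 value "<NTP-KEY>";
        trusted-key 1;
    }
    name-server {
        <DNS-1>;
        <DNS-2>;
    }
    archival {
        configuration {
            transfer-on-commit;
            archive-sites {
                "scp://<ARCHIVE-USER>@<ARCHIVE-HOST>/configs/" password "<ARCHIVE-PW>";
            }
        }
    }
    commit {
        synchronize;
    }
}
/* --- Chassis --- */
chassis {
    alarm {
        management-ethernet {
            link-down ignore;
        }
    }
    aggregated-devices {
        ethernet {
            device-count 8;
        }
    }
}
/* --- VLANs --- */
vlans {
    MGMT {
        vlan-id 10;
        l3-interface irb.10;
        description "Management VLAN";
    }
    USERS {
        vlan-id 20;
        l3-interface irb.20;
        description "User workstations";
    }
    SERVERS {
        vlan-id 30;
        l3-interface irb.30;
        description "Server network";
    }
    VOICE {
        vlan-id 40;
        l3-interface irb.40;
        description "VoIP network";
    }
    PRINTERS {
        vlan-id 50;
        l3-interface irb.50;
        description "Printer network";
    }
    /* Routed point-to-point segment to the core for OSPF/BFD; the vlan-id is
       a constructed example and must match what the core trunks */
    TRANSIT {
        vlan-id 100;
        l3-interface irb.100;
        description "Routed transit to core (OSPF)";
    }
    QUARANTINE {
        vlan-id 999;
        description "Quarantine - no routing";
    }
    NATIVE-UNUSED {
        vlan-id 1000;
        description "Unused native VLAN";
    }
}
/* --- Interfaces (IRB, uplinks, access, management, loopback) --- */
interfaces {
    /* --- IRB (SVI) Interfaces --- */
    irb {
        unit 10 {
            family inet {
                address <MGMT-GW>/24;
            }
            description "MGMT Gateway";
        }
        unit 20 {
            family inet {
                address <USERS-GW>/24;
            }
            description "Users Gateway";
        }
        unit 30 {
            family inet {
                address <SERVERS-GW>/24;
            }
            description "Servers Gateway";
        }
        unit 40 {
            family inet {
                address <VOICE-GW>/24;
            }
            description "Voice Gateway";
        }
        unit 50 {
            family inet {
                address <PRINTERS-GW>/24;
            }
            description "Printers Gateway";
        }
        unit 100 {
            family inet {
                address <TRANSIT-IP>/30;
            }
            description "OSPF transit to core";
        }
    }
    /* --- Uplinks to Core (LAG) --- */
    xe-0/0/0 {
        description "== UPLINK TO CORE-SW-01 Te1/0/2 ==";
        ether-options {
            802.3ad ae0;
        }
    }
    xe-0/0/1 {
        description "== UPLINK TO CORE-SW-02 Te1/0/2 ==";
        ether-options {
            802.3ad ae0;
        }
    }
    ae0 {
        description "== LAG TO CORE SWITCHES ==";
        aggregated-ether-options {
            lacp {
                active;
                periodic fast;
            }
        }
        unit 0 {
            family ethernet-switching {
                interface-mode trunk;
                vlan {
                    members [ MGMT USERS SERVERS VOICE PRINTERS TRANSIT ];
                }
                native-vlan-id 1000;
            }
        }
    }
    /* --- Access Ports: Users --- */
    ge-0/0/2 {
        description "User port - Bldg A Floor 1 - Desk 01";
        unit 0 {
            family ethernet-switching {
                interface-mode access;
                vlan {
                    members USERS;
                }
                /* STORM-CTRL is only effective once bound to a port */
                storm-control STORM-CTRL;
            }
        }
    }
    ge-0/0/3 {
        description "User port - Bldg A Floor 1 - Desk 02";
        unit 0 {
            family ethernet-switching {
                interface-mode access;
                vlan {
                    members USERS;
                }
                storm-control STORM-CTRL;
            }
        }
    }
    /* Repeat pattern for ge-0/0/4 through ge-0/0/23 */
    /* --- Access Ports: Servers --- */
    ge-0/0/24 {
        description "Server port - Rack A - U22";
        unit 0 {
            family ethernet-switching {
                interface-mode access;
                vlan {
                    members SERVERS;
                }
                storm-control STORM-CTRL;
            }
        }
    }
    ge-0/0/25 {
        description "Server port - Rack A - U24";
        unit 0 {
            family ethernet-switching {
                interface-mode access;
                vlan {
                    members SERVERS;
                }
                storm-control STORM-CTRL;
            }
        }
    }
    /* --- Access Ports: Voice (dual VLAN) --- */
    /* The PC sits untagged in USERS; the phone's tagged VOICE VLAN is
       delivered by switch-options voip below, not by a second member here */
    ge-0/0/30 {
        description "IP Phone + PC - Desk 01";
        unit 0 {
            family ethernet-switching {
                interface-mode access;
                vlan {
                    members USERS;
                }
                storm-control STORM-CTRL;
            }
        }
    }
    /* --- Unused Ports (shutdown & quarantine) --- */
    ge-0/0/40 {
        description "== UNUSED - DISABLED ==";
        disable;
        unit 0 {
            family ethernet-switching {
                interface-mode access;
                vlan {
                    members QUARANTINE;
                }
            }
        }
    }
    ge-0/0/41 {
        description "== UNUSED - DISABLED ==";
        disable;
        unit 0 {
            family ethernet-switching {
                interface-mode access;
                vlan {
                    members QUARANTINE;
                }
            }
        }
    }
    /* Repeat for all unused ports */
    /* --- Management Ethernet --- */
    vme {
        unit 0 {
            family inet {
                address <VME-IP>/24;
            }
        }
    }
    /* --- Loopback: RE protection filter is applied here --- */
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input MGMT-PROTECT;
                }
                address <LO0-IP>/32;
            }
        }
    }
}
/* --- Voice VLAN delivery for phone + PC ports --- */
switch-options {
    voip {
        interface ge-0/0/30.0 {
            vlan VOICE;
        }
    }
}
/* --- Protocols --- */
protocols {
    rstp {
        /* Distribution priority */
        bridge-priority 8192;
        /* The core-facing LAG is a real RSTP link. It must never be "edge":
           combined with bpdu-block-on-edge, the first BPDU from the core
           would shut the uplink. */
        interface ae0 {
            mode point-to-point;
        }
        /* Host-facing ports go straight to forwarding and are blocked
           if anything behind them ever speaks spanning tree */
        interface ge-0/0/2 {
            edge;
        }
        interface ge-0/0/3 {
            edge;
        }
        interface ge-0/0/24 {
            edge;
        }
        interface ge-0/0/25 {
            edge;
        }
        interface ge-0/0/30 {
            edge;
        }
        bpdu-block-on-edge;
    }
    lldp {
        interface all;
        port-id-subtype interface-name;
        port-description-type interface-description;
    }
    lldp-med {
        interface all;
    }
    /* --- OSPF (if doing L3 at distribution) --- */
    ospf {
        area 0.0.0.0 {
            interface irb.10 {
                passive;
            }
            interface irb.20 {
                passive;
            }
            interface irb.30 {
                passive;
            }
            /* ae0.0 is an ethernet-switching trunk with no inet family, so it
               cannot be an OSPF interface; the adjacency rides the routed
               TRANSIT IRB carried on that trunk instead */
            interface irb.100 {
                interface-type p2p;
                authentication {
                    md5 1 key "<OSPF-MD5-KEY>";
                }
                bfd-liveness-detection {
                    minimum-interval 300;
                    multiplier 3;
                }
            }
        }
        reference-bandwidth 100g;
    }
    /* --- Security: Port Security --- */
    dot1x {
        authenticator {
            /* Profile is defined under "access" below; dot1x does not commit
               without it */
            authentication-profile-name DOT1X-PROFILE;
            interface {
                ge-0/0/2.0 {
                    supplicant multiple;
                    retries 3;
                    quiet-period 30;
                    transmit-period 15;
                    mac-radius;
                    server-fail use-cache;
                }
                ge-0/0/3.0 {
                    supplicant multiple;
                    retries 3;
                    quiet-period 30;
                    transmit-period 15;
                    mac-radius;
                    server-fail use-cache;
                }
                /* Apply to all user-facing ports, including ge-0/0/30.0 */
            }
        }
    }
}
/* --- RADIUS backend for 802.1X / MAC-RADIUS --- */
access {
    radius-server <RADIUS-IP> {
        secret "<RADIUS-SECRET>";
        source-address <LO0-IP>;
    }
    profile DOT1X-PROFILE {
        authentication-order radius;
        radius {
            authentication-server <RADIUS-IP>;
        }
    }
}
/* --- DHCP Relay & Storm Control --- */
forwarding-options {
    helpers {
        bootp {
            server <DHCP-SERVER>;
            interface irb.20;
            interface irb.40;
        }
    }
    storm-control-profiles STORM-CTRL {
        all {
            bandwidth-percentage 5;
        }
    }
}
/* --- Firewall Filters (ACLs) --- */
firewall {
    family inet {
        /* Everything the RE receives passes this filter, including replies to
           sessions the switch itself opens and DHCP relay traffic. Terms are
           ordered most-specific first; DENY-ALL must stay last. */
        filter MGMT-PROTECT {
            term ALLOW-SSH {
                from {
                    source-address {
                        <MGMT-NET>/24;
                    }
                    protocol tcp;
                    destination-port ssh;
                }
                then accept;
            }
            term ALLOW-HTTPS-MGMT {
                from {
                    source-address {
                        <MGMT-NET>/24;
                    }
                    protocol tcp;
                    destination-port 8443;
                }
                then accept;
            }
            term ALLOW-SNMP {
                from {
                    source-address {
                        <SNMP-MGR>/32;
                    }
                    protocol udp;
                    destination-port snmp;
                }
                then accept;
            }
            term ALLOW-NTP {
                from {
                    source-address {
                        <NTP-1>/32;
                        <NTP-2>/32;
                    }
                    protocol udp;
                    source-port ntp;
                }
                then accept;
            }
            term ALLOW-DNS {
                from {
                    source-address {
                        <DNS-1>/32;
                        <DNS-2>/32;
                    }
                    protocol udp;
                    source-port domain;
                }
                then accept;
            }
            /* RADIUS replies for dot1x / mac-radius arrive from source port 1812/1813 */
            term ALLOW-RADIUS {
                from {
                    source-address {
                        <RADIUS-IP>/32;
                    }
                    protocol udp;
                    source-port [ radius radacct ];
                }
                then accept;
            }
            /* Relay: client discovers hit the IRB, server offers come back to it */
            term ALLOW-DHCP-RELAY {
                from {
                    protocol udp;
                    port [ bootps bootpc ];
                }
                then accept;
            }
            term ALLOW-OSPF {
                from {
                    protocol ospf;
                }
                then accept;
            }
            term ALLOW-BFD {
                from {
                    protocol udp;
                    destination-port 3784-3785;
                }
                then accept;
            }
            /* Return traffic for TCP sessions the switch initiates (SCP archival) */
            term ALLOW-ESTABLISHED {
                from {
                    protocol tcp;
                    tcp-established;
                }
                then accept;
            }
            term ALLOW-ICMP {
                from {
                    protocol icmp;
                    icmp-type [ echo-reply echo-request time-exceeded unreachable ];
                }
                then {
                    policer ICMP-POLICER;
                    accept;
                }
            }
            term DENY-ALL {
                then {
                    log;
                    discard;
                }
            }
        }
    }
    policer ICMP-POLICER {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 15k;
        }
        then discard;
    }
}
/* --- SNMP --- */
snmp {
    name "DIST-01";
    description "Juniper EX4400 Distribution - Building A";
    location "<SNMP-LOCATION>";
    contact "<SNMP-CONTACT>";
    v3 {
        usm {
            local-engine {
                user <SNMPV3-USER> {
                    authentication-sha {
                        authentication-key "<SNMPV3-AUTH-KEY>";
                    }
                    privacy-aes128 {
                        privacy-key "<SNMPV3-PRIV-KEY>";
                    }
                }
            }
        }
        vacm {
            security-to-group {
                security-model usm {
                    security-name <SNMPV3-USER> {
                        group SNMPV3-RO;
                    }
                }
            }
            access {
                group SNMPV3-RO {
                    default-context-prefix {
                        security-model usm {
                            security-level privacy {
                                read-view ALL-VIEW;
                            }
                        }
                    }
                }
            }
        }
    }
    view ALL-VIEW {
        oid .1 include;
    }
    /* NOTE(review): trap-group "version" normally takes v1/v2/all; SNMPv3
       traps are configured under snmp v3 notify / target-address /
       target-parameters — confirm this stanza loads on the target release */
    trap-group TRAP-RECEIVERS {
        version v3;
        targets {
            <TRAP-TARGET>;
        }
    }
}
/* --- Routing Options --- */
routing-options {
    router-id <LO0-IP>;
    autonomous-system <AS-NUMBER>;
    static {
        route 0.0.0.0/0 {
            next-hop <CORE-NEXT-HOP>;
            /* Backup to OSPF */
            preference 200;
        }
    }
}
/* ============================================================
 * END OF CONFIGURATION
 * VantagePoint Networks · vantagepointnetworks.com
 * ============================================================ */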