Version 1.0
CO-CONFIDENTIAL
-1-
Document Title
Customer: BD Link Communication Ltd.
Title: Low Level Design IIG
Document Name: Low Level Design IIG v1.0
Document Control
Author(s), quality control and client sign-off
Company: Gazi Communications
Author(s) / Review and Verification: Aziz Uddin Mahmud, Md. Imdadul Islam, Swapan Gupta, Md. Wahid Uz Zaman
Signature:
Release
Version: 1.0
Date Released: 18.10.2012
Change Notice: N/A
Pages Affected: N/A
Remarks/Changes: 1st Release
Distribution List
Copy Number 01: BD LINK Team
Copy Number 02: GAZI Technical Team
Copy Number 03: GAZI Project Repository
Copyright and other intellectual property rights Copyright and other Intellectual property rights in any original programs, specifications, reports or other items arising in the course of, or resulting from the project shall remain the property of Gazi Communication although BD LINK shall have a non-exclusive and non-transferable license to all such items for its own purposes. Nothing in this agreement shall enable either party to make use of any intellectual property rights vested in the other party prior to the commencement of this assignment.
Contents
1. Executive Summary ... 7
2. Proposed Design Overview ... 8
2.1. Design Summary ... 9
2.2. Solution Detail ... 10
2.2.1. Logical Topology ... 11
2.2.2. BGP Routing Topology ... 13
2.2.3. OSPF Routing Topology ... 15
2.2.4. Dhaka Main POP Design (Phase-1 Deployment) ... 17
3. Device Naming, Port Connectivity & IP Addressing ... 19
3.1. Devices Naming Convention ... 19
3.2. Physical Connectivity Mapping & IP Addressing ... 20
4. Device Configuration ... 21
4.1. Initial JUNOS Configuration ... 21
4.1.1. Login via Console ... 21
4.1.2. Set Root Password ... 21
4.1.3. Enable System Services ... 22
4.1.4. Configuring Local Username ... 22
4.2. Dhaka Core Router-1 Configuration ... 22
4.2.1. System Basic Configuration ... 22
4.2.2. Management Interface Configuration ... 23
4.2.3. Chassis Configuration ... 23
4.2.4. Interface Configuration ... 23
4.2.5. OSPF Configuration ... 24
4.2.6. BGP Configuration ... 25
4.2.7. Sample RE Filter Configuration ... 25
4.2.8. SNMP Configuration ... 27
4.3. Dhaka Core Router-2 Configuration ... 28
4.3.1. System Basic Configuration ... 28
4.3.2. Management Interface Configuration ... 28
4.3.3. Chassis Configuration ... 28
4.3.4. Interface Configuration ... 29
4.3.5. OSPF Configuration ... 30
4.3.6. BGP Configuration ... 31
4.3.7. Sample RE Filter Configuration ... 31
4.3.8. SNMP Configuration ... 33
4.4. Dhaka Aggregation Router-1 Configuration ... 34
4.4.1. System Basic Configuration ... 34
4.4.2. Management Interface Configuration ... 34
4.4.3. Chassis Configuration ... 34
4.4.4. Interface Configuration ... 35
4.4.5. OSPF Configuration ... 36
4.4.6. BGP Configuration ... 37
4.4.7. Bandwidth Configuration ... 37
4.4.8. Sample RE Filter Configuration ... 37
4.4.9. SNMP Configuration ... 39
4.5. Dhaka Aggregation Router-2 Configuration ... 39
4.5.1. System Basic Configuration ... 39
4.5.2. Management Interface Configuration ... 40
4.5.3. Chassis Configuration ... 40
4.5.4. Interface Configuration ... 41
4.5.5. OSPF Configuration ... 42
4.5.6. BGP Configuration ... 42
4.5.7. Sample Bandwidth Configuration ... 43
4.5.8. Sample RE Filter Configuration ... 43
4.5.9. SNMP Configuration ... 45
4.6. Dhaka Data Center Switch-1 Configuration ... 45
4.6.1. System Basic Configuration ... 45
4.6.2. VLAN & Trunk Configuration ... 46
4.6.3. SNMP Configuration ... 51
4.7. Dhaka Data Center Switch-2 Configuration ... 51
4.7.1. System Basic Configuration ... 51
4.7.2. VLAN & Trunk Configuration ... 52
4.7.3. SNMP Configuration ... 57
4.8. IDP Configuration ... 58
4.8.1. OS Upgradation through CLI ... 58
4.8.2. System Basic Configuration through Web GUI (ACM) ... 58
4.8.3. NSM Server Configuration ... 58
4.8.3.1. REDHAT 5 OS Installation ... 58
4.8.3.2. NSM Server 2010.4 OS Installation ... 59
4.8.3.3. NSM Client Installation for Configuring the NSM Server ... 59
4.8.3.4. IDP Device Adding into NSM Server ... 59
4.8.3.5. Policy Implementation ... 63
4.8.3.6. Log View and Reporting, Custom Report Generation ... 67
4.9. DC Firewall 1 & 2 Configuration ... 70
4.9.1. OS Upgrade ... 70
4.9.2. System Basic Configuration ... 70
4.9.3. Interface Configuration ... 71
4.9.4. HA Configuration ... 73
4.9.5. Security Policy Configuration ... 74
5. LLD v1.0 Signoff ... 76
1. Executive Summary
The Government of Bangladesh has taken the initiative to increase the penetration rate of Internet usage; as a result its legal entity, BTRC, issued new IIG licenses to qualified service providers. BD LINK Communication Limited has been awarded a license to provide International Internet Gateway (IIG) services for ISPs and Broadband Wireless Access providers (BWAs). The IIG will serve as an Internet exchange for routing international incoming and outgoing Internet-based data traffic. The exchange will be connected to the existing submarine cable as the main link and to a Satellite Earth Station / VSAT as backup until another ILDC is available. All ISPs shall be connected to the global Internet through IIGs. The IIG licensee will arrange both ILDC bandwidth and satellite bandwidth. The licensee may arrange ILDC bandwidth from a tier-1 overseas service provider after taking prior permission from the commission.

BD LINK has the vision to become the preferred partner for all ISPs and BWAs in Bangladesh. To fulfil its requirement of pioneering the IIG market, BD LINK selected the best IP network equipment vendor, Juniper Networks, with state-of-the-art technology and solutions. Gazi Communication Limited, the only Elite partner of Juniper Networks in Bangladesh, will help BD LINK build its IIG solution with equipment and solutions from Juniper and its world-class in-house resources. Gazi Communication will provide design and implementation services to BD LINK to build an IIG based on industry best practices. Juniper Networks offers devices that provide innovative features and functionality and offer massive scalability. The proposed solution from Juniper combines cost containment and scalability. Juniper series routers offer service providers industry-leading performance, service capabilities, reliability, and efficiency in a compact form factor.
2.1. Design Summary

There will be a data centre at Dhaka which will also act as the primary International Internet Gateway site. The WAN network will be a three-layer architecture, i.e. Core, Aggregation and Access, and will run OSPF as its hierarchical IGP. There will be no single point of failure in the data centre network. Core routers will run eBGP sessions with the upstream provider. In the Internet Gateway layer, redundant routers have been considered for 1 + 1 box redundancy, and each Core/Internet Gateway router has been dimensioned with redundant power supplies. Upstream connectivity with tier-1 ISPs will be over STM-1; downstream connectivity to the Aggregation routers will be over GE. Aggregation routers will aggregate all the traffic from the domestic ISPs and pass it to the Internet Gateway routers. In the Aggregation layer, redundant routers have been considered for 1 + 1 box-level redundancy, and each Aggregation router has been dimensioned with redundant power supplies. Downstream connectivity to the Access switches will be over GE. Core routers will have connectivity with BTRC and NMC/LEA. Access switches will be connected to both Aggregation routers through dual GE uplink ports for uplink redundancy. ISPs will be connected to the Aggregation routers or the Access switches, on TX/FX ports.
2.2. Solution Detail

As per the guideline from the authority, the IIG will be connected to the global Internet through the existing submarine cable as the main link and may have backup connectivity through VSAT. It will connect all ISPs through its distribution network, initially from Dhaka, and will expand as per demand and regulatory requirements. The related information and assumptions considered for the design are as follows:

- BD LINK will install one single PoP (Main PoP), located at Dhaka, with device-level redundancy at the Gateway and Aggregation levels.
- BD LINK will connect to one upstream provider initially and will later go for a redundant link; provision for link-level redundancy should be considered in the design.
- There will be one DPI to filter traffic as per regulatory requirements and also based on BD LINK policy.
- This design will consider two types of PoPs: one for distribution only, which means connecting ISPs to the Main PoP, and the other with Gateway and DPI services to ensure redundancy.
- BD LINK will make a rollout plan considering business justification and customer and regulatory requirements.

This design will emphasise the Main PoP deployment and its related configuration, while also considering scalability to accommodate future growth of new gateway and distribution networks.
2.2.1. Logical Topology

The above topology diagram considers the full deployment of the BD LINK IIG. The four major components shown in the diagram are:
- Main PoP
- IIG Perimeter and Monitoring Zone
- Type-1 PoP: PoP with Gateway & DPI
- Type-2 PoP: PoP to connect clients to the Main PoP
The Main PoP will be deployed immediately and will act as the hub of the IIG. The Main PoP's Gateway Routers will be connected to the upstream provider. In the case of a single connection to the upstream, one Gateway Router will be configured with eBGP and the second will be treated as the backup for Gateway Router-1 to ensure device-level redundancy. After the second upstream link (VSAT/terrestrial/submarine) is available, Gateway Router-2 will be configured with eBGP to the upstream and iBGP with Gateway Router-1. The Interior Gateway Protocol, OSPF, will be configured between all Gateway and Aggregation Routers; all of them, including all their connected interfaces, will be placed in the backbone area. The Aggregation Routers will have iBGP sessions with the Gateway Routers and eBGP with each ISP or BWA client; these routers will have different policies based on BD LINK requirements.

The IIG perimeter firewalls will be connected to the Aggregation Routers. The firewall will have three zones: Outside, DMZ and Inside. The Outside zone will be connected to the Aggregation Routers; the DMZ will be created to host any value-added service for the clients; and the internal servers, applications and administration zone will be placed in the Inside zone.

In future, if BD LINK deploys a Type-1 PoP with Gateway and DPI functionality, we recommend connecting the Gateway Router of the Type-1 PoP with the Main PoP's Gateway Routers to ensure link-level redundancy across the local transmission vendor. The Gateway and Aggregation Routers of such a PoP will be configured in a similar fashion to the Main PoP's GW and Aggregation Routers, and will have IGP and EGP neighbourship between the PoPs' Gateway Routers. In the case of a Type-2 PoP, we recommend layer-2 connectivity to an Aggregation Router of the Main PoP, which is similar to distributing a link from the Main PoP's Access Switch, with eBGP neighbourship with the ISP or BWA client's router at the Aggregation level of the Main PoP.

We have given a detailed description of each segment and of the IGP and EGP routing topology in different sections of this document.
2.2.2. BGP Routing Topology

The main requirement for the routing is to accommodate redundancy and load balancing, but with symmetry. The BGP routing for the IIG will be as follows:

- The Gateway Routers will be connected through STM-1/STM-4 to the upstream provider in a point-to-point topology, due to the TDM interface.
- Gateway Router-1 will be connected to one tier-1 service provider, will have eBGP peering and will receive the full routing table. (Only a default route can be taken until the second Gateway is implemented.)
- Gateway Router-2 will be connected to another tier-1 service provider through STM-1/STM-4, will have eBGP peering and will take the full routing table.
- There will be an iBGP session between Gateway Router-1 and Gateway Router-2.
- The DPI, a Juniper IDP-8200, will be deployed in transparent mode to filter unwanted traffic and allow only legitimate traffic.
- Aggregation Router-1 will have iBGP sessions with both Gateway Routers and receive the full routing table from both Gateways.
- Aggregation Router-2 will have iBGP sessions with both Gateway Routers and receive the full routing table from both Gateways.
- Different ISPs will connect directly, or through an access switch, to the Aggregation Routers. The Aggregation Routers will have eBGP sessions with the ISPs' Gateway Routers, but based on requirements, connectivity for small ISPs can be arranged using alternate routing.

We have classified PoPs into the following categories:
- Type-1: PoP with Gateway and DPI.
- Type-2: PoP to connect ISPs; will be part of the distribution/access network.

The Gateway Router of the Main PoP will be connected to the Type-1 PoP's Gateway Router to provide link redundancy. There will be an iBGP session between the Main PoP's and the Type-1 PoP's Gateway Routers.
2.2.3. OSPF Routing Topology

The IGP of the BD LINK IIG solution should be OSPF. OSPF is a link-state, hierarchical protocol; it requires one backbone area (Area 0), and all other areas must be connected directly (physically, or logically through a virtual link) to the backbone area. As BD LINK will have a Main PoP and Type-1 and Type-2 PoPs in its solution, we suggest defining the backbone area as consisting of the Gateway and Aggregation Routers of the Main PoP and the Type-1 PoP (as defined in the diagram).

We will configure the OSPF backbone area in the Main PoP; the IGP domain will contain the Gateway Routers and Aggregation Routers. Gateway Routers 1 & 2 and Aggregation Routers 1 & 2 will be in the backbone area, and the DPI will be configured to pass through all BGP and OSPF route update packets. As this will be an Ethernet/broadcast network, the DR and BDR roles can be given to either the Gateway Routers or the Aggregation Routers, choosing the devices with less responsibility elsewhere. All the links on a Gateway Router (interfaces connected to the upstream, interfaces connected to the Aggregation Routers and interfaces between Gateways) should be declared in the same area to avoid static routing or redistribution. However, except for the links connected to the Aggregation Routers, all other links should be configured not to send routing updates, as there will be no IGP neighbour on them. Both Aggregation Routers will be configured with OSPF, and all their directly connected interfaces will be declared in the backbone area to avoid static routing or redistribution. For client connectivity, however, the links to ISPs and BWAs can be redistributed for better management, but it is highly recommended to create an ACL containing the customer-connected point-to-point IPs. When a customer is added, the ACL can be modified by adding one permit entry, and that prefix is then redistributed into OSPF. Using this ACL in the route map for redistribution gives the administrator better visibility and manageability. In future, if BD LINK sets up a new Type-1 PoP, its Gateway and Aggregation Routers will be configured similarly to the Main PoP's IGP configuration and will have OSPF neighbourship between the Gateways of the Main PoP and the Type-1 PoP.
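The ACL-plus-route-map approach described above, written in Junos terms for an Aggregation Router as an added example (not configuration from the original design): a prefix-list holds the customer point-to-point subnets, a policy-statement exports only the directly connected routes on that list into OSPF, and the area-0 interfaces are the Aggregation Router-1 links from section 4.4.4. The prefix-list and policy names and the 192.0.2.0/30 and 192.0.2.4/30 customer subnets are constructed placeholders.

```junos
policy-options {
    /* One entry per customer point-to-point link; add a line when a new ISP/BWA is connected */
    prefix-list CUSTOMER-P2P-LINKS {
        192.0.2.0/30;   /* constructed placeholder: first ISP link */
        192.0.2.4/30;   /* constructed placeholder: second ISP link */
    }
    policy-statement REDIST-CUSTOMER-P2P {
        /* Export only directly connected routes whose prefix is on the list */
        term customer-links {
            from {
                protocol direct;
                prefix-list CUSTOMER-P2P-LINKS;
            }
            then accept;
        }
        /* Everything else (upstream links, BGP-learned routes) stays out of OSPF */
        term deny-rest {
            then reject;
        }
    }
}
protocols {
    ospf {
        export REDIST-CUSTOMER-P2P;
        area 0.0.0.0 {
            interface ge-1/0/0.0;   /* to DHK_GW_RTR_01 via IDP-01 */
            interface ge-1/0/1.0;   /* to DHK_AGG_RTR_02 */
            interface lo0.0 {
                passive;            /* advertised, but no hellos: no IGP neighbour here */
            }
        }
    }
}
```

The customer-facing interface itself is deliberately not listed under area 0, so its /30 only appears in OSPF (as an external route) while its prefix is on the list; removing the list entry withdraws it.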
2.2.4. Dhaka Main POP Design (Phase-1 Deployment)

The scope of this phase is to install and commission devices only at the Main PoP. The core components of the Main PoP, or Phase-I deployment, are two Gateway Routers, two Aggregation Routers and one DPI. Both Gateway Routers will be connected to two separate upstream providers, configured using eBGP, and will take the entire routing table from both upstream providers. These two routers will have iBGP peering.

The Aggregation Routers will be configured with iBGP to both Gateway Routers and take the full routing table from both, which ultimately provides the facility for traffic engineering. In the case of a single upstream link, the Gateway Routers can be configured to pass only default routes to the Aggregation Routers, as they will have only one path to forward traffic; but the Gateway Router should still take the entire routing table, as this is a requirement to comply with the guideline provided by the authority. Connectivity for the ISPs and BWAs will be from the Aggregation Routers directly or through an access switch, based on the client's requirements and business guidelines.
3.2. Physical Connectivity Mapping & IP Addressing

*** Please follow the Device Connectivity & IP Addressing XLS file for details.
4. Device Configuration
This section captures the configuration of the Juniper devices deployed in the BD LINK network in Dhaka, which provide IP transit services from the international upstream Internet Service Providers to the local ISP customers.
4.1. Initial JUNOS Configuration
4.2. Dhaka Core Router-1 Configuration
4.2.4. Interface Configuration

        description "Connected to AGG1 via IDP-01 port ge-0";
        unit 0 {
            family inet {
                address 103.12.236.17/30;
            }
        }
    }
    ge-1/0/1 {
        description "Connected to DHK_GW_RTR_02";
        unit 0 {
            family inet {
                address 103.12.236.25/30;
            }
        }
    }
    so-1/2/0 {
        description "Connected to Upstream1";
        unit 0 {
            family inet {
                address x.x.x.x/30;
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 103.12.236.40/32;
            }
        }
    }
4.2.7. Sample RE Filter Configuration

                port bgp;
            }
            then accept;
        }
        term PERMIT-OSPF {
            from {
                protocol ospf;
            }
            then accept;
        }
        term PERMIT-DNS {
            from {
                protocol udp;
                source-address D.D.D.D/32; /* DNS-SERVER ADDRESS */
                port domain;
            }
            then accept;
        }
        term PERMIT-NTP {
            from {
                protocol [ udp tcp ];
                source-address N.N.N.N/32; /* NTP SERVER ADDRESS */
                port ntp;
            }
            then accept;
        }
        term PERMIT-UDP-TRACEROUTE {
            from {
                protocol udp;
                destination-port 33434-33534;
            }
            then {
                count traceroute;
                accept;
            }
        }
        term PERMIT-TACACS+ {
            from {
                protocol tcp;
                source-address T.T.T.T/32; /* TACACS SERVER ADDRESS */
                source-port 49;
            }
            then accept;
        }
        term PERMIT-ICMP {
            from {
                protocol icmp;
                icmp-type [ echo-request echo-reply unreachable time-exceeded ];
            }
            then accept;
        }
        term PERMIT-TCP-ESTABLISHED {
            from {
                protocol tcp;
                tcp-established;
            }
            then accept;
        }
        term DENY-OTHERS {
            then {
                discard;
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input PROTECT-RE-FILTER;
                }
            }
        }
    }
}
4.3. Dhaka Core Router-2 Configuration
4.3.4. Interface Configuration

            family inet;
        }
    }
    ge-1/0/4 {
        unit 0 {
            family inet;
        }
    }
    ge-1/0/5 {
        unit 0 {
            family inet;
        }
    }
    so-0/2/0 {
        description "Connected to Upstream1";
        unit 0 {
            family inet {
                address x.x.x.x/30;
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 103.12.236.41/32;
            }
        }
    }
4.3.5. OSPF Configuration

            interface lo0.0;
        }
    }
}
4.3.7. Sample RE Filter Configuration

            from {
                protocol tcp;
                source-address B.B.B.B/32; /* Add addresses from BGP Peers */
                port bgp;
            }
            then accept;
        }
        term PERMIT-OSPF {
            from {
                protocol ospf;
            }
            then accept;
        }
        term PERMIT-DNS {
            from {
                protocol udp;
                source-address D.D.D.D/32; /* DNS-SERVER ADDRESS */
                port domain;
            }
            then accept;
        }
        term PERMIT-NTP {
            from {
                protocol [ udp tcp ];
                source-address N.N.N.N/32; /* NTP SERVER ADDRESS */
                port ntp;
            }
            then accept;
        }
        term PERMIT-UDP-TRACEROUTE {
            from {
                protocol udp;
                destination-port 33434-33534;
            }
            then {
                count traceroute;
                accept;
            }
        }
        term PERMIT-TACACS+ {
            from {
                protocol tcp;
                source-address T.T.T.T/32; /* TACACS SERVER ADDRESS */
                source-port 49;
            }
            then accept;
        }
        term PERMIT-ICMP {
            from {
                protocol icmp;
                icmp-type [ echo-request echo-reply unreachable time-exceeded ];
            }
            then accept;
        }
        term PERMIT-TCP-ESTABLISHED {
            from {
                protocol tcp;
                tcp-established;
            }
            then accept;
        }
        term DENY-OTHERS {
            then {
                discard;
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input PROTECT-RE-FILTER;
                }
            }
        }
    }
}
            103.12.236.4/32;
        }
    }
}
4.4. Dhaka Aggregation Router-1 Configuration
4.4.3. Chassis Configuration

        pic 1 {
            tunnel-services {
                bandwidth 1g;
            }
        }
    }
    aggregated-devices {
        ethernet {
            device-count 2;
        }
    }
    alarm {
        management-ethernet {
            link-down ignore;
        }
    }
}
4.4.4. Interface Configuration

interfaces {
    ge-1/0/0 {
        description "Connected to DHK_GW_RTR_01 via IDP-01 port ge-1";
        unit 0 {
            family inet {
                address 103.12.236.18/30;
            }
        }
    }
    ge-1/0/1 {
        description "Connected to DHK_AGG_RTR_02";
        unit 0 {
            family inet {
                address 103.12.236.23/30;
            }
        }
    }
    ge-1/0/2 {
        description "Connected to DHK_FW1";
        unit 0 {
            family inet {
                address 103.12.236.29/30;
            }
        }
    }
    ge-1/0/3 {
        unit 0 {
            family inet;
        }
    }
    ge-1/0/4 {
        unit 0 {
            family inet;
        }
    }
    ge-1/0/5 {
        unit 0 {
            family inet;
        }
    }
}
4.4.7. Bandwidth Configuration

firewall {
    policer 3MB {
        if-exceeding {
            bandwidth-limit 3072000;
            burst-size-limit 384k;
        }
        then discard;
    }
}
----- Policy may be changed based on requirement
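A policer only takes effect once a filter references it and that filter is applied to an interface; as an added example (not configuration from the original design), this attaches the 3MB policer above to a customer-facing unit. The filter name CUSTOMER-3MB-IN, the use of ge-1/0/3 as the customer port and the 192.0.2.1/30 address are assumptions.

```junos
firewall {
    family inet {
        filter CUSTOMER-3MB-IN {
            /* Single term: every packet is metered by the 3MB policer, excess is discarded */
            term rate-limit {
                then {
                    policer 3MB;    /* defined above: 3 Mbps, 384k burst */
                    accept;
                }
            }
        }
    }
}
interfaces {
    ge-1/0/3 {                      /* assumed: one of the unassigned ports as a customer link */
        description "Customer ISP link (assumed)";
        unit 0 {
            family inet {
                filter {
                    input CUSTOMER-3MB-IN;   /* polices traffic received from the customer */
                }
                address 192.0.2.1/30;        /* constructed placeholder address */
            }
        }
    }
}
```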
4.4.8. Sample RE Filter Configuration

                }
                destination-address {
                    F.F.F.F/32; /* fxp0 IP address */
                }
                protocol tcp;
                destination-port [ ssh telnet ];
            }
            then accept;
        }
        term PERMIT-BGP {
            from {
                protocol tcp;
                source-address B.B.B.B/32; /* Add addresses from BGP Peers */
                port bgp;
            }
            then accept;
        }
        term PERMIT-OSPF {
            from {
                protocol ospf;
            }
            then accept;
        }
        term PERMIT-DNS {
            from {
                protocol udp;
                source-address D.D.D.D/32; /* DNS-SERVER ADDRESS */
                port domain;
            }
            then accept;
        }
        term PERMIT-NTP {
            from {
                protocol [ udp tcp ];
                source-address N.N.N.N/32; /* NTP SERVER ADDRESS */
                port ntp;
            }
            then accept;
        }
        term PERMIT-UDP-TRACEROUTE {
            from {
                protocol udp;
                destination-port 33434-33534;
            }
            then {
                count traceroute;
                accept;
            }
        }
        term PERMIT-TACACS+ {
            from {
                protocol tcp;
                source-address T.T.T.T/32; /* TACACS SERVER ADDRESS */
                source-port 49;
            }
            then accept;
        }
        term PERMIT-ICMP {
            from {
                protocol icmp;
                icmp-type [ echo-request echo-reply unreachable time-exceeded ];
            }
            then accept;
        }
        term PERMIT-TCP-ESTABLISHED {
            from {
                protocol tcp;
                tcp-established;
            }
            then accept;
        }
        term DENY-OTHERS {
            then {
                discard;
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input PROTECT-RE-FILTER;
                }
            }
        }
    }
}
4.5. Dhaka Aggregation Router-2 Configuration
4.5.1. System Basic Configuration

    time-zone Asia/Dhaka;
    no-source-route;
    commit synchronize;
    name-server 103.12.236.1;
    ports {
        console {
            log-out-on-disconnect;
            type vt100;
        }
    }
}
routing-options {
    router-id 103.12.236.43;
    autonomous-system 58668;
}
4.5.7. Sample Bandwidth Configuration

firewall {
    policer 3MB {
        if-exceeding {
            bandwidth-limit 3072000;
            burst-size-limit 384k;
        }
        then discard;
    }
}
----- Policy may be changed based on requirement
4.5.8. Sample RE Filter Configuration

                protocol udp;
                source-address D.D.D.D/32; /* DNS-SERVER ADDRESS */
                port domain;
            }
            then accept;
        }
        term PERMIT-NTP {
            from {
                protocol [ udp tcp ];
                source-address N.N.N.N/32; /* NTP SERVER ADDRESS */
                port ntp;
            }
            then accept;
        }
        term PERMIT-UDP-TRACEROUTE {
            from {
                protocol udp;
                destination-port 33434-33534;
            }
            then {
                count traceroute;
                accept;
            }
        }
        term PERMIT-TACACS+ {
            from {
                protocol tcp;
                source-address T.T.T.T/32; /* TACACS SERVER ADDRESS */
                source-port 49;
            }
            then accept;
        }
        term PERMIT-ICMP {
            from {
                protocol icmp;
                icmp-type [ echo-request echo-reply unreachable time-exceeded ];
            }
            then accept;
        }
        term PERMIT-TCP-ESTABLISHED {
            from {
                protocol tcp;
                tcp-established;
            }
            then accept;
        }
        term DENY-OTHERS {
            then {
                discard;
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input PROTECT-RE-FILTER;
                }
            }
        }
    }
}
4.6. Dhaka Data Center Switch-1 Configuration
4.6.2. VLAN & Trunk Configuration

    ge-0/0/4 {
        description "Connected to MRTG-server";
        unit 0 { family ethernet-switching { vlan { members server; } } }
    }
    ge-0/0/5 {
        description "Connected to NSM-server";
        unit 0 { family ethernet-switching { vlan { members server; } } }
    }
    ge-0/0/6 { unit 0 { family ethernet-switching; } }
    ge-0/0/7 { unit 0 { family ethernet-switching; } }
    ge-0/0/8 { unit 0 { family ethernet-switching; } }
    ge-0/0/9 { unit 0 { family ethernet-switching; } }
    ge-0/0/10 { unit 0 { family ethernet-switching; } }
    ge-0/0/11 { unit 0 { family ethernet-switching; } }
    ge-0/0/12 { unit 0 { family ethernet-switching; } }
    ge-0/0/13 { unit 0 { family ethernet-switching; } }
    ge-0/0/14 { unit 0 { family ethernet-switching; } }
    ge-0/0/15 { unit 0 { family ethernet-switching; } }
    ge-0/0/16 { unit 0 { family ethernet-switching; } }
    ge-0/0/17 { unit 0 { family ethernet-switching; } }
    ge-0/0/18 { unit 0 { family ethernet-switching; } }
    ge-0/0/19 { unit 0 { family ethernet-switching; } }
    ge-0/0/20 { unit 0 { family ethernet-switching; } }
    ge-0/0/21 { unit 0 { family ethernet-switching; } }
    ge-0/0/22 { unit 0 { family ethernet-switching; } }
    ge-0/0/23 { unit 0 { family ethernet-switching; } }
    ge-0/1/0 {
        description "Connected to DHK_FW_02";
        unit 0 { family ethernet-switching { port-mode trunk; vlan { members all; } } }
    }
    xe-0/1/0 { unit 0 { family ethernet-switching; } }
    ge-0/1/1 {
        description "Connected to DHK_DC_SW_01";
        unit 0 { family ethernet-switching { port-mode trunk; vlan { members all; } } }
    }
    xe-0/1/1 { unit 0 { family ethernet-switching; } }
    ge-0/1/2 { unit 0 { family ethernet-switching; } }
    xe-0/1/2 { unit 0 { family ethernet-switching; } }
    ge-0/1/3 { unit 0 { family ethernet-switching; } }
}
protocols {
    igmp-snooping {
        vlan all;
    }
    rstp;
    lldp {
        interface all;
    }
    lldp-med {
        interface all;
    }
}
ethernet-switching-options {
    storm-control {
        interface all;
    }
}
vlans {
4.7. Dhaka Data Center Switch-2 Configuration
4.7.2. VLAN & Trunk Configuration

    ge-0/0/4 {
        description "Connected to MRTG";
        unit 0 { family ethernet-switching { vlan { members mgt; } } }
    }
    ge-0/0/5 {
        description "Connected to NSMXpress";
        unit 0 { family ethernet-switching { vlan { members mgt; } } }
    }
    ge-0/0/6 {
        description "Connected to DHK_CORE_01";
        unit 0 { family ethernet-switching { vlan { members mgt; } } }
    }
    ge-0/0/7 {
        description "Connected to DHK_CORE_02";
        unit 0 { family ethernet-switching { vlan { members mgt; } } }
    }
    ge-0/0/8 {
        description "Connected to DHK_IDP_01";
        unit 0 { family ethernet-switching { vlan { members mgt; } } }
    }
    ge-0/0/9 {
        description "Connected to DHK_AGG_01";
        unit 0 { family ethernet-switching { vlan { members mgt; } } }
    }
    ge-0/0/10 {
        description "Connected to DHK_AGG_02";
        unit 0 { family ethernet-switching { vlan { members mgt; } } }
    }
    ge-0/0/11 { unit 0 { family ethernet-switching; } }
    ge-0/0/12 { unit 0 { family ethernet-switching; } }
    ge-0/0/13 { unit 0 { family ethernet-switching; } }
    ge-0/0/14 { unit 0 { family ethernet-switching; } }
    ge-0/0/15 { unit 0 { family ethernet-switching; } }
    ge-0/0/16 { unit 0 { family ethernet-switching; } }
    ge-0/0/17 { unit 0 { family ethernet-switching; } }
    ge-0/0/18 { unit 0 { family ethernet-switching; } }
    ge-0/0/19 { unit 0 { family ethernet-switching; } }
    ge-0/0/20 { unit 0 { family ethernet-switching; } }
    ge-0/0/21 { unit 0 { family ethernet-switching; } }
    ge-0/0/22 { unit 0 { family ethernet-switching; } }
    ge-0/0/23 { unit 0 { family ethernet-switching; } }
    ge-0/1/0 {
        description "Connected to DHK_FW_02";
        unit 0 { family ethernet-switching { port-mode trunk; vlan { members all; } } }
    }
    xe-0/1/0 { unit 0 { family ethernet-switching; } }
    ge-0/1/1 {
        description "Link DHK_DC_SW_01";
        unit 0 { family ethernet-switching { port-mode trunk; vlan { members all; } } }
    }
    xe-0/1/1 { unit 0 { family ethernet-switching; } }
    ge-0/1/2 { unit 0 { family ethernet-switching; } }
    xe-0/1/2 { unit 0 { family ethernet-switching; } }
    ge-0/1/3 { unit 0 { family ethernet-switching; } }
}
protocols {
    igmp-snooping {
        vlan all;
    }
    rstp;
    lldp {
        interface all;
    }
    lldp-med {
        interface all;
    }
}
ethernet-switching-options {
    storm-control {
        interface all;
    }
}
4.8. IDP Configuration
The following files are required for the IDP OS upgrade:
- sensor_5_0r1.sh
- sensor_5_1r2.sh
- sensor_5_1r3.sh

[root@idp ~]# cd /tmp
[root@idp tmp]# ls -l
-rw-rw-r-- 1 admin admin 474454694 Jul 11 23:04 sensor_5_1r2.sh

Execute the above files, in order, with the following commands:
[root@idp tmp]# sh sensor_5_0r1.sh
[root@idp tmp]# sh sensor_5_1r2.sh
[root@idp tmp]# sh sensor_5_1r3.sh
4.8.3.2.
Step 4. Unpack the Linux server file (nsm_2010.4s3_linux_servers_x86.zip); this yields the installation script, which is run to perform the installation:
tar xvf nsm_2010.4s3_linux_servers_x86.zip
Step 5. Install the NSM client on the workstation.
4.8.3.3.
4.8.3.4.
4.8.3.5. Policy implementation
The following screenshots show the policy configuration on the IDP.
4.8.3.6.
4.9.
4.9.1. OS Upgrade
OS upgrade to JUNOS 10.4R10.7 through the command line. Steps: copy the JUNOS OS file from the pen drive into /var/tmp, then run:
> request system software add /var/tmp/junos-srxsme-10.0R2.10-domestic.tgz no-copy no-validate reboot
            }
        }
    }
    reth0 {
        vlan-tagging;
        redundant-ether-options {
            redundancy-group 1;
        }
        unit XX {
            vlan-id XX;
            family inet {
                address XX.XX.XX.XX/XX;
            }
        }
        unit 102 {
            vlan-id 102;
            family inet {
                address XX.XX.XX.XX/XX;
            }
        }
    }
    reth1 {
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 0 {
            family inet {
                address 103.12.236.38/30;
            }
        }
    }
    reth2 {
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 0 {
            family inet {
                address 10.100.102.8/24;
            }
        }
    }
}

Interfaces will be configured in the UNTRUST, TRUST and DMZ zones:

security-zone trust {
    interfaces {
        ge-0/0/0.0 {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
        }
    }
}
security-zone untrust {
    screen untrust-screen;
    interfaces {
        ge-0/0/1.0;
    }
}
security-zone DMZ {
    interfaces {
        ge-0/0/2.0 {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
        }
    }
}
4.9.4. HA Configuration
VRRP/JSRP will be configured for HA in Active/Standby mode. Device-1 will act as master and device-2 as standby; once the master goes down, device-2 takes full ownership.

groups {
    node1 {
        system {
            host-name FW2;
        }
        interfaces {
            fxp0 {
                unit 0 {
                    family inet {
                        address 10.100.102.10/24;
                    }
                }
            }
        }
    }
    node0 {
        system {
            host-name FW1;
        }
        interfaces {
            fxp0 {
                unit 0 {
                    family inet {
                        address 10.100.102.9/24;
                    }
                }
            }
        }
    }
}
chassis {
    cluster {
        reth-count 4;
        redundancy-group 0 {
            node 0 priority 100;
            node 1 priority 1;
        }
        redundancy-group 1 {
            node 0 priority 100;
            node 1 priority 50;
            preempt;
            interface-monitor {
                ge-0/0/3 weight 60;
                ge-0/0/5 weight 60;
                ge-0/0/4 weight 60;
            }
        }
    }
}
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
    }
}

Policy2: UNTRUST to TRUST: deny all
policies {
    from-zone untrust to-zone trust {
        policy untrust-to-trust {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                deny;
            }
        }
    }
}

Policy3: DMZ to UNTRUST: permit any any
policies {
    from-zone DMZ to-zone untrust {
        policy untrust-to-trust {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
    }
}

Policy4: UNTRUST to DMZ: permit only the particular application services on their dedicated ports.
Policy5: A screening policy will be configured for the UNTRUST zone.
Policy6: ALG policy will be configured based on application/services.
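As an added example (mine, not part of this LLD), a small Python audit of the kinds of fragments shown in 4.9: it parses Junos brace syntax into nested dicts, flags zone interfaces whose host-inbound-traffic allows all system-services (as the trust and DMZ zones above do), flags permit any/any policies, and sums interface-monitor weights against the 255 threshold at which an SRX redundancy group fails over (the three weight-60 links above total 180, so link loss alone never triggers failover). The sample configuration is constructed from this section's excerpts; the finding texts are my own.

```python
import re
THRESHOLD = 255  # an SRX redundancy group fails over once the weights of down links reach 255

def parse_junos(text):
    """Parse Junos brace syntax into nested dicts; leaf statements map to None."""
    cur, stack, buf = {}, [], []
    for tok in re.findall(r'\{|\}|;|"[^"]*"|[^\s{};"]+', text):
        if tok == "{":                    # buffered words name a child block
            cur[" ".join(buf)] = child = {}
            stack.append(cur)
            cur, buf = child, []
        elif tok == "}":
            cur = stack.pop()
        elif tok == ";":                  # buffered words form a leaf statement
            cur[" ".join(buf)], buf = None, []
        else:
            buf.append(tok.strip('"'))
    return cur

def audit(cfg):
    """Return findings for the three weak spots visible in this section's excerpts."""
    out = []
    zones = {k: v for k, v in cfg.items() if k.startswith("security-zone ")}
    for zone, body in zones.items():                   # interfaces that accept every service
        for ifname, ifcfg in ((body or {}).get("interfaces") or {}).items():
            hit = (ifcfg or {}).get("host-inbound-traffic") or {}
            if "all" in (hit.get("system-services") or {}):
                out.append(f"{zone}: {ifname} accepts all management services inbound")
    for pair, pol in (cfg.get("policies") or {}).items():  # permit any/any policies
        for name, body in pol.items():
            m, then = body.get("match") or {}, body.get("then") or {}
            fields = ("source-address", "destination-address", "application")
            if "permit" in then and all(f"{f} any" in m for f in fields):
                out.append(f"{pair} {name}: permits any/any")
    for rg, body in (cfg.get("chassis", {}).get("cluster") or {}).items():  # failover weights
        mon = (body or {}).get("interface-monitor") or {}
        total = sum(int(k.split()[-1]) for k in mon)  # "ge-0/0/3 weight 60" -> 60
        if mon and total < THRESHOLD:
            out.append(f"{rg}: monitored weights total {total} < {THRESHOLD}, link loss alone never fails over")
    return out

SAMPLE = """
security-zone DMZ { interfaces { ge-0/0/2.0 {
    host-inbound-traffic { system-services { all; } protocols { all; } } } } }
policies { from-zone DMZ to-zone untrust { policy dmz-to-untrust {
    match { source-address any; destination-address any; application any; } then { permit; } } }
  from-zone untrust to-zone trust { policy untrust-to-trust {
    match { source-address any; destination-address any; application any; } then { deny; } } } }
chassis { cluster { reth-count 4; redundancy-group 1 { node 0 priority 100; node 1 priority 50;
  preempt; interface-monitor { ge-0/0/3 weight 60; ge-0/0/4 weight 60; ge-0/0/5 weight 60; } } } }
"""  # constructed sample, condensed from the zone, policy and cluster fragments in this section
```

Running `audit(parse_junos(SAMPLE))` returns three findings: the DMZ interface with all services open, the DMZ-to-untrust any/any permit, and the under-weighted interface monitor on redundancy-group 1.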
BD LINK LLD v1.0 Approval & Signoff
BD LINK Team / GAZI Project Manager
LLD Check:
Name: Designation
LLD Verification:
LLD Approval:
Name: Designation
Comments:
Please call the Gazi Project Manager on +8801711-992626. If this form is not returned within three (3) days, Gazi Communication will assume full acceptance of this document without modification.