Network Configuration Example

Transcription

1 Network Configuration Example Deploying Secure Multicast Market Data Services for Financial Services Environments Modified:

2 Juniper Networks, Inc Innovation Way Sunnyvale, California USA All rights reserved. Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice. Network Configuration Example Deploying Secure Multicast Market Data Services for Financial Services Environments All rights reserved. The information in this document is current as of the date on the title page. YEAR 2000 NOTICE Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through the year However, the NTP application is known to have some difficulty in the year END USER LICENSE AGREEMENT The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License Agreement ( EULA ) posted at By downloading, installing or using such software, you agree to the terms and conditions of that EULA. ii

3 Table of Contents Chapter 1 Deploying Secure Multicast Market Data Services for Financial Services Environments About This Network Configuration Example Use Case Overview Optimizing Multicast Delivery: An Overview Platforms Benefits Technical Overview Design Considerations Example: Configuring Multicast in a Financial Services Environment iii

4 Deploying Secure Multicast Market Data Services for Financial Services Environments iv

5 CHAPTER 1 Deploying Secure Multicast Market Data Services for Financial Services Environments About This Network Configuration Example on page 5 Use Case Overview on page 5 Technical Overview on page 7 Example: Configuring Multicast in a Financial Services Environment on page 9 About This Network Configuration Example This network configuration example (NCE) provides an overview and a step-by-step example for configuring and deploying multicast in a financial services environment. This NCE defines multicast deployment for market data delivery and illustrates how multiple feeds flow through an active/active SRX Series Services Gateway cluster. The instructions in this example cover configuring protocols such as PIM sparse mode (PIM-SM), Multicast Source Discovery Protocol (MSDP), and BGP on QFX and SRX Series devices. The instructions also cover configuring two SRX Series devices in active/active cluster mode to provide high-availability for multicast traffic. This document is intended for security and IT engineers, as well as network architects. Related Documentation Technical Overview on page 7 Use Case Overview on page 5 Example: Configuring Multicast in a Financial Services Environment on page 9 Use Case Overview Financial trading enterprises such as stock exchanges, futures exchanges, brokerage houses, and software integrators typically deploy multicast for market data delivery. 5

6 Deploying Secure Multicast Market Data Services for Financial Services Environments Optimizing Multicast Delivery: An Overview Multicast is the most effective and efficient carrier of market data feeds from a network standpoint. Financial organizations deploy large-scale multicast infrastructures to enable trading and e-commerce. In the current world, multicast is used for market data delivery as it is proven that multicast can scale. Due to the inherently unreliable nature of multicast, packets might be lost in the transmission network. Hence, two feeds (primary and backup) are used to ensure that no data is lost. All market data provided from the exchange is supported in various market data formats. If data is missing on the primary feed, it can be recovered from the backup feed. In financial enterprises deploying multicast for market data delivery, devices such as QFX Series devices are used to connect multicast sources (servers) and receivers (clients), and SRX Series devices are used to connect QFX devices securely. The requirements of optimizing multicast delivery include: Quick convergence Secure forwarding Efficient forwarding Efficient debugging High availability Platforms Juniper Networks QFX Series switches are designed to be high-performance, high-density platforms that satisfy the needs of today s most demanding financial enterprise environments. QFX5100 switches are low-latency, high-performance 10GbE/40GbE switches that act as a flexible building block for fabric architectures and are designed for top-of-rack, end-of-row, and spine-and-leaf aggregation deployments. Juniper Networks SRX Series Services Gateways are high-performance, highly scalable, carrier-class security devices with multiprocessor architecture. SRX5600 devices are ideal for securing financial trading enterprises and aggregating security services through the use of security policies. Benefits In this network configuration example, we describe the scenario where QFX5100 switches, together with an SRX5600 chassis cluster and firewall security policies, provide the basis for the deployment of the market data delivery environment. This deployment enables the quick failover of traffic during link failures and provides network security, redundancy, and network efficiency. A clustered SRX firewall point of delivery supports IP multicast to bring market data feeds into a corporate network from external sources. The primary and backup market data feeds are routed through separate SRX Series devices in the cluster. 6

7 Chapter 1: Deploying Secure Multicast Market Data Services for Financial Services Environments Related Documentation Multicast Feature Guide for Security Devices Multicast Protocols Feature Guide for the QFX Series Technical Overview Multicast delivers application source market data feeds to multiple receivers without burdening the source or the receivers, while using a minimum of network bandwidth. In this configuration example for multicast deployment, the QFX5100 devices serve as the last-hop router (LHR) and first-hop router (FHR). Figure 1: Multicast Architecture Used in This NCE Multicast Receiver Multicast Receiver QFX Switch LHR OSPF, BFD, IBGP, PIM EBGP, BFD, PIM QFX Switch LHR/RP/MSDP SRX Security Chassis Cluster - Active Fabric Link Control Link EBGP, BFD, PIM SRX Security Chassis Cluster - Active QFX Switch FHR/RP/MSDP Feed-A Primary OSPF, BFD, IBGP, PIM QFX Switch FHR Feed-B Backup Multicast Source Multicast Source LHR FHR MSDP Last Hop Router Fast Hop Router g Multicast source: Each multicast source sends a data feed to a multicast group address. FHR: The QFX5100 device to which the multicast sources connect is the FHR. The FHR forwards the multicast group ID and source to the next-hop multicast router toward the predefined rendezvous point (RP). LHR: The QFX5100 device to which the multicast receivers connect serves as an LHR. The LHR forwards data feeds to the multicast receiver. Rendezvous point (RP): The RP serves as the information exchange point for the other routers. All routers in a PIM domain must provide mapping to an RP. Only the RP must be aware of the active multicast sources. Multicast receiver: The multicast receiver requests data feeds from the multicast source by sending an IGMP join message to the LHR. IGMP snooping is enabled on QFX5100 devices to monitor the Internet Group Management Protocol (IGMP) messages from the hosts and multicast source. This helps in conserving bandwidth by enabling the 7

8 Deploying Secure Multicast Market Data Services for Financial Services Environments switch to send multicast data feeds only to the interfaces connected to devices that need to receive the multicast traffic. Market data feed: Market data feeds are typically applications wherein several multicast sources send data to groups. Market data is delivered through dual multicast streams (primary and backup feeds). In most cases, even if a single data packet is lost on one feed, it can be recovered from the other feed. Multicast data feeds are replicated by routers enabled with Protocol Independent Multicast (PIM) and other supporting multicast protocols, The replication occurs in the network at the point of primary and backup divergence. This results in the most efficient delivery of market data to multiple receivers. High availability cluster: Chassis clustering provides network node redundancy by grouping a pair of the same type of supported SRX Series devices into a cluster. The SRX5600 Services Gateway serves as a cluster. The multicast feeds go through the SRX chassis cluster configured to work in active/active mode for redundancy and efficiency purposes. A chassis cluster in active/active mode has transit data feeds passing through both nodes of the cluster all the time. Even if one of the nodes goes down, impacting the corresponding feed, the other node or feed will be still active. The configuration uses four redundant Ethernet (reth) interfaces. Each reth has ports from both nodes, and every reth connects to a QFX5100. All reths are assigned a unique subnet, which helps to avoid PIM asserts. Security: Firewall security policies enable authentication of the PIM neighbors. QFX devices also support distributed denial of service (DDoS) for policing the control plane feeds. For more information on DDoS, see Understanding Distributed Denial-of-Service Protection on QFX Series Switches. SRX Series devices are also used for creating security policies to allow traffic between zones. Statically configured anycast RP provides the greatest level of protection against malicious or misconfigured devices. Table 1 on page 8 describes the network type, platforms, technologies, and the protocols used in this configuration. Table 1: Network Elements Used in Multicast Configuration Network Type Platforms Technologies Protocols Multicast source and receiver LANs QFX5100 1G, 10G, 40G (Gigabit Ethernet Interfaces), SRX Chassis Cluster PIM-SM, MSDP, OSPF, IBGP, EBGP, BFD, RTG Chassis cluster SRX5600 1G, 10G, 40G, SRX Chassis Cluster, Firewall Security Policies PIM-SM, EBGP, BFD Table 2: Supported Protocols The multicast deployment configured with the protocols intable 2 on page 8 provides the financial trading environment with an edge to optimize its market data delivery. Protocols Description 8

9 Chapter 1: Deploying Secure Multicast Market Data Services for Financial Services Environments Table 2: Supported Protocols (continued) PIM sparse mode (PIM-SM) PIM-SM as the multicast delivery protocol works well for both one-to-many and many-to-many distribution of data over a LAN, WAN, or the Internet. Also, the PIM-SM protocol is very well deployed and understood. For more information on PIM-SM, see PIM-SM. Anycast RP and MSDP Anycast RP and MSDP enable sharing the load on the RP, as well as for redundancy purposes. You can configure anycast RP for the purpose of load balancing and redundancy. When an RP fails, sources and receivers are taken to a new RP by means of unicast routing. When you configure anycast RP, you bypass the restriction of having one active RP per multicast group, and instead deploy multiple RPs for the same group range. The RP routers share one unicast IP address. Sources from one RP are known to other RPs that use the Multicast Source Discovery Protocol (MSDP). Sources and receivers use the closest RP, as determined by the interior gateway protocol (IGP). MSDP interconnects multiple IPv4 PIM-SM domains, which enables PIM-SM to have RP redundancy and inter-domain multicasting. For more information, see Anycast RP with or without MSDP. Open Shortest Path First (OSPF) OSPF detects changes in the topology, such as link failures, and converges on a new loop-free routing structure within seconds. OSPF computes the shortest path tree for each route using a method based on a shortest-path-first algorithm. OSPF is used within an autonomous system (AS). For more information, see OSPF. Border Gateway Protocol (BGP) BGP is an exterior gateway protocol (EGP) that is used to exchange routing information among devices in different ASs. For more information, see BGP. Bidirectional Forwarding Detection (BFD) BFD is used to detect link failures and reroute traffic quickly. For more information, see BFD. Redundant Trunk Group (RTG) RTG is enabled on LHR and FHR devices to enable quick failover of traffic during link failures. For more information, see RTG. Design Considerations PIM-SM is known not to work well for intermittent multicast sources. If there are known intermittent multicast sources, use PIM SSM to avoid initial multicast loss. Complicated behaviors in PIM are encountered in multiaccess topologies rather than simpler point-point topologies. Related Documentation About This Network Configuration Example on page 5 Use Case Overview on page 5 Example: Configuring Multicast in a Financial Services Environment on page 9 Example: Configuring Multicast in a Financial Services Environment This example illustrates how to configure QFX Series switches and SRX Services Gateways to deploy secure multicast market data services for financial services environments. Requirements on page 10 Overview and Topology on page 10 9

10 Deploying Secure Multicast Market Data Services for Financial Services Environments Configuration on page 12 Verification on page 38 Requirements This example uses the following hardware and software components: Two SRX5600 Services Gateways running Junos OS Release 12.1X47-D10 or later Four QFX5100 switches running Junos OS Release 14.1X53-D30 or later Before you begin: Confirm that the two SRX5600 Services Gateways have identical hardware configurations. Physically connect the two SRX devices (back-to-back for the fabric and control ports) and ensure that they are the same models. Confirm that the software on both standalone SRX devices is the same Junos OS version. Confirm that the license keys on both SRX devices are the same. Before the SRX cluster is formed, you must configure control ports for each device, as well as assign a cluster ID and node ID to each device, and then reboot. When the system boots, both nodes come up as a cluster. For more information, see Chassis Cluster Feature Guide for security Devices. If virtual chassis or virtual chassis fabric (VC/VCF) is required, ensure that all the devices are running the same Junos OS version. For more information, see Virtual Chassis Fabric Feature Guide. Overview and Topology This network configuration example provides an overview and a step-by-step example for deploying multicast in a financial services environment and illustrates how multiple feeds flow through an active/active SRX cluster. This example illustrates how to configure PIM sparse mode (PIM-SM), Multicast Source Discovery Protocol (MSDP), BGP, and other related technologies on QFX and SRX Series devices. In this configuration example for multicast deployment, the QFX5100 devices serve as the last-hop router (LHR) and first-hop router (FHR). The SRX5600 Services Gateways serve as a cluster. The multicast feeds go through the SRX chassis cluster configured to work in active/active mode for redundancy and efficiency purposes. The topology for this example is shown in Figure 2 on page

11 Chapter 1: Deploying Secure Multicast Market Data Services for Financial Services Environments Figure 2: Deploying Secure Multicast Market Data Services for Financial Services Environments Multicast Receiver Multicast Receiver AS QFX Switch ae1 ae2 OSPF, IBGP, BFD ae100 ae2 ae1 QFX Switch reth2 reth3 AS Fabric Link SRX Firewall Cluster Control Link SRX Firewall Cluster reth0 reth1 AS QFX Switch ae1 ae2 OSPF, IBGP, BFD ae100 ae2 ae1 QFX Switch Feed-A Primary Feed-B Backup Multicast Source Multicast Source g Table 3 on page 11 shows the details on devices and IP addresses used in this configuration. Table 3: Devices and IP Addresses Devices Interfaces IP Addresses Hostname QFX ( ) irb.2 irb.21 irb.100 lo / / / QFX QFX ( ) irb.2 irb.31 irb.101 lo / / / QFX QFX ( ) irb.2 irb.21 irb.102 lo / / / QFX QFX ( ) irb.2 irb.31 irb.103 lo / / / QFX SRX Series Devices: SRX and SRX reth0.0 reth1.0 reth2.0 reth3.0 lo / / / / SRX5600-mcast-a SRX5600-mcast-b 11

12 Deploying Secure Multicast Market Data Services for Financial Services Environments Configuration This section provides step-by-step instructions for: Configuring SRX5600 (SRX5600-mcast-a and SRX5600-mcast-b) on page 12 Configuring the Security Policies, Zones, Virtual Routers, and Protocols on page 16 Configuring QFX5100 QFX_ on page 20 Configuring QFX5100 QFX_ on page 25 Configuring QFX5100 QFX_ on page 29 Configuring QFX5100 QFX_ on page 33 Configuring SRX5600 (SRX5600-mcast-a and SRX5600-mcast-b) CLI Quick Configuration Apply this configuration to both SRX Series devices. SRX5600-mcast-a configuration is shown here: To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode. [edit] set groups node0 system host-name srx5600-mcast-a set groups node0 system backup-router set groups node0 system backup-router destination /8 set groups node0 interfaces fxp0 unit 0 family inet address /26 set groups node1 system host-name srx5600-mcast-b set groups node1 system backup-router set groups node1 system backup-router destination /8 set groups node1 interfaces fxp0 unit 0 family inet address /26 set groups flow-type security forwarding-options family inet6 mode flow-based set apply-groups ${node} flow-type security forwarding-process application-services session-distribution-mode hash-based set system name-server set system ntp server set system ntp server set chassis cluster reth-count 8 set chassis cluster redundancy-group 1 node 0 priority 250 set chassis cluster redundancy-group 1 node 1 priority 100 set chassis cluster redundancy-group 1 preempt set chassis cluster redundancy-group 1 interface-monitor xe-4/0/0 weight 255 set chassis cluster redundancy-group 1 interface-monitor xe-10/0/1 weight 255 set chassis cluster redundancy-group 1 interface-monitor xe-10/0/2 weight 255 set chassis cluster redundancy-group 1 interface-monitor xe-4/0/3 weight 255 set chassis cluster redundancy-group 2 node 0 priority 100 set chassis cluster redundancy-group 2 node 1 priority 250 set chassis cluster redundancy-group 2 preempt set chassis cluster redundancy-group 2 interface-monitor xe-10/0/0 weight 255 set chassis cluster redundancy-group 2 interface-monitor xe-4/0/1 weight 255 set chassis cluster redundancy-group 2 interface-monitor xe-4/0/2 weight 255 set chassis cluster redundancy-group 2 interface-monitor xe-10/0/3 weight 255 set interfaces xe-4/0/3 gigether-options redundant-parent reth2 set interfaces xe-10/0/2 gigether-options redundant-parent reth2 set interfaces xe-4/0/2 gigether-options redundant-parent reth3 set interfaces xe-10/0/3 gigether-options redundant-parent reth3 12

13 Chapter 1: Deploying Secure Multicast Market Data Services for Financial Services Environments set interfaces lo0 unit 0 family inet address /32 primary set interfaces xe-4/0/0 gigether-options redundant-parent reth0 set interfaces xe-10/0/0 gigether-options redundant-parent reth1 set interfaces xe-4/0/1 gigether-options redundant-parent reth1 set interfaces xe-10/0/1 gigether-options redundant-parent reth0 set interfaces reth2 vlan-tagging set interfaces reth2 mtu 9192 set interfaces reth2 redundant-ether-options redundancy-group 1 set interfaces reth2 redundant-ether-options lacp active set interfaces reth2 redundant-ether-options lacp periodic fast set interfaces reth2 unit 0 vlan-id 102 set interfaces reth2 unit 0 family inet mtu 9120 set interfaces reth2 unit 0 family inet address /24 set interfaces reth3 vlan-tagging set interfaces reth3 mtu 9192 set interfaces reth3 redundant-ether-options redundancy-group 2 set interfaces reth3 redundant-ether-options lacp active set interfaces reth3 redundant-ether-options lacp periodic fast set interfaces reth3 unit 0 vlan-id 103 set interfaces reth3 unit 0 family inet mtu 9120 set interfaces reth3 unit 0 family inet address /24 set interfaces reth0 vlan-tagging set interfaces reth0 mtu 9192 set interfaces reth0 redundant-ether-options redundancy-group 1 set interfaces reth0 redundant-ether-options lacp active set interfaces reth0 redundant-ether-options lacp periodic fast set interfaces reth0 unit 0 vlan-id 100 set interfaces reth0 unit 0 family inet mtu 9120 set interfaces reth0 unit 0 family inet address /24 set interfaces reth1 vlan-tagging set interfaces reth1 mtu 9192 set interfaces reth1 redundant-ether-options redundancy-group 2 set interfaces reth1 redundant-ether-options lacp active set interfaces reth1 redundant-ether-options lacp periodic fast set interfaces reth1 unit 0 vlan-id 101 set interfaces reth1 unit 0 family inet mtu 9120 set interfaces reth1 unit 0 family inet address /24 13

14 Deploying Secure Multicast Market Data Services for Financial Services Environments Step-by-Step Procedure To configure the hostnames, NTP server, reth interfaces, loopback interfaces, redundancy groups and management IP addresses to the specific nodes: 1. Configure the name of node 0 and node 1 and assign management IP addresses. Because the SRX5600 Services Gateway chassis cluster configuration is contained within a single common configuration, to assign some elements of the configuration to a specific member only, you must use the Junos OS node-specific configuration method called groups. The set apply-groups ${node} command uses the node variable to define how the groups are applied to the nodes; each node recognizes its number and accepts the configuration accordingly. You must also configure out-of-band management on the fxp0 interface of the SRX5600 Services Gateway using separate IP addresses for the individual control planes of the cluster. [edit] user@host# set apply-groups ${node} user@host# set groups node0 system host-name srx5600-mcast-a user@host# set groups node0 system backup-router user@host# set groups node0 system backup-router destination /8 user@host# set groups node0 interfaces fxp0 unit 0 family inet address /26 user@host# set groups node1 system host-name srx5600-mcast-b user@host# set groups node1 system backup-router user@host# set groups node1 system backup-router destination /8 user@host# set groups node1 interfaces fxp0 unit 0 family inet address /26 2. Configure flow-type. [edit] user@host# set groups flow-type security forwarding-options family inet6 mode flow-based user@host# set apply-groups ${node} flow-type security forwarding-process application-services session-distribution-mode hash-based 3. Configure the NTP server address for node 0 and node 1. [edit] user@host# set system name-server user@host# set system ntp server user@host# set system ntp server Specify the number of redundant Ethernet interfaces. [edit] user@host# set chassis cluster reth-count 8 5. To create a reth interface, configure the physical interfaces independently. Because reth interfaces are pseudointerfaces, you must define the number of reth interfaces in a cluster by configuring reth-count. The reth interfaces are assigned into redundancy groups. [edit] user@host# set interfaces xe-4/0/3 gigether-options redundant-parent reth2 user@host# set interfaces xe-10/0/2 gigether-options redundant-parent reth2 user@host# set interfaces xe-4/0/2 gigether-options redundant-parent reth3 user@host# set interfaces xe-10/0/3 gigether-options redundant-parent reth3 user@host# set interfaces xe-4/0/0 gigether-options redundant-parent reth0 user@host# set interfaces xe-10/0/0 gigether-options redundant-parent reth1 user@host# set interfaces xe-4/0/1 gigether-options redundant-parent reth1 user@host# set interfaces xe-10/0/1 gigether-options redundant-parent reth0 6. Configure chassis cluster redundancy groups by specifying a redundancy group's priority for primacy on each node of the cluster. The higher number takes precedence. Also specify whether a node with a higher priority can initiate a failover to become primary for the redundancy group. 14

15 Chapter 1: Deploying Secure Multicast Market Data Services for Financial Services Environments [edit] set chassis cluster redundancy-group 1 node 0 priority 250 user@host# set chassis cluster redundancy-group 1 node 1 priority 100 user@host# set chassis cluster redundancy-group 1 preempt user@host# set chassis cluster redundancy-group 1 interface-monitor xe-4/0/0 weight 255 user@host# set chassis cluster redundancy-group 1 interface-monitor xe-10/0/1 weight 255 user@host# set chassis cluster redundancy-group 1 interface-monitor xe-10/0/2 weight 255 user@host# set chassis cluster redundancy-group 1 interface-monitor xe-4/0/3 weight 255 user@host# set chassis cluster redundancy-group 2 node 0 priority 100 user@host# set chassis cluster redundancy-group 2 node 1 priority 250 user@host# set chassis cluster redundancy-group 2 preempt user@host# set chassis cluster redundancy-group 2 interface-monitor xe-10/0/0 weight 255 user@host# set chassis cluster redundancy-group 2 interface-monitor xe-4/0/1 weight 255 user@host# set chassis cluster redundancy-group 2 interface-monitor xe-4/0/2 weight 255 user@host# set chassis cluster redundancy-group 2 interface-monitor xe-10/0/3 weight Configure the loopback interfaces. user@host#set interfaces lo0 unit 0 family inet address /32 primary 8. Configure the reth interfaces and include the Link Aggregation Control Protocol (LACP). [edit] user@host# set interfaces reth2 vlan-tagging user@host# set interfaces reth2 mtu 9192 user@host# set interfaces reth2 redundant-ether-options redundancy-group 1 user@host# set interfaces reth2 redundant-ether-options lacp active user@host# set interfaces reth2 redundant-ether-options lacp periodic fast user@host# set interfaces reth2 unit 0 vlan-id 102 user@host# set interfaces reth2 unit 0 family inet mtu 9120 user@host# set interfaces reth2 unit 0 family inet address /24 user@host# set interfaces reth3 vlan-tagging user@host# set interfaces reth3 mtu 9192 user@host# set interfaces reth3 redundant-ether-options redundancy-group 2 user@host# set interfaces reth3 redundant-ether-options lacp active user@host# set interfaces reth3 redundant-ether-options lacp periodic fast user@host# set interfaces reth3 unit 0 vlan-id 103 user@host# set interfaces reth3 unit 0 family inet mtu 9120 user@host# set interfaces reth3 unit 0 family inet address /24 user@host# set interfaces reth0 vlan-tagging user@host# set interfaces reth0 mtu 9192 user@host# set interfaces reth0 redundant-ether-options redundancy-group 1 user@host# set interfaces reth0 redundant-ether-options lacp active user@host# set interfaces reth0 redundant-ether-options lacp periodic fast user@host# set interfaces reth0 unit 0 vlan-id 100 user@host# set interfaces reth0 unit 0 family inet mtu 9120 user@host# set interfaces reth0 unit 0 family inet address /24 user@host# set interfaces reth1 vlan-tagging user@host# set interfaces reth1 mtu 9192 user@host# set interfaces reth1 redundant-ether-options redundancy-group 2 user@host# set interfaces reth1 redundant-ether-options lacp active user@host# set interfaces reth1 redundant-ether-options lacp periodic fast user@host# set interfaces reth1 unit 0 vlan-id

16 Deploying Secure Multicast Market Data Services for Financial Services Environments set interfaces reth1 unit 0 family inet mtu 9120 user@host# set interfaces reth1 unit 0 family inet address /24 9. When you are done configuring the device, commit the configuration. [edit] user@host# commit Configuring the Security Policies, Zones, Virtual Routers, and Protocols CLI Quick Configuration Apply this configuration to both SRX Series devices. SRX5600-mcast-a configuration is shown here: To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode. set security policies from-zone TRUST to-zone TRUST policy default-permit match source-address any set security policies from-zone TRUST to-zone TRUST policy default-permit match destination-address any set security policies from-zone TRUST to-zone TRUST policy default-permit match application junos-bgp set security policies from-zone TRUST to-zone TRUST policy default-permit match application PIM set security policies from-zone TRUST to-zone TRUST policy default-permit then permit set security policies from-zone TRUST to-zone TRUST policy P1 match source-address MULTI set security policies from-zone TRUST to-zone TRUST policy P1 match destination-address NETWORK5 set security policies from-zone TRUST to-zone TRUST policy P1 match application any set security policies from-zone TRUST to-zone TRUST policy P1 then permit set security policies from-zone TRUST to-zone TRUST policy P2 match source-address MULTI1 set security policies from-zone TRUST to-zone TRUST policy P2 match destination-address NETWORK5 set security policies from-zone TRUST to-zone TRUST policy P2 match application any set security policies from-zone TRUST to-zone TRUST policy P2 then permit set security policies from-zone TRUST to-zone TRUST policy P3 match source-address NETWORK1 set security policies from-zone TRUST to-zone TRUST policy P3 match source-address NETWORK2 set securitypoliciesfrom-zonetrustto-zonetrustpolicyp3 matchsource-addressnetwork3 set security policies from-zone TRUST to-zone TRUST policy P3 match source-address NETWORK4 set security policies from-zone TRUST to-zone TRUST policy P3 match source-address NETWORK7 set security policies from-zone TRUST to-zone TRUST policy P3 match source-address NETWORK8 set security policies from-zone TRUST to-zone TRUST policy P3 match source-address NETWORK10 set security policies from-zone TRUST to-zone TRUST policy P3 match source-address NETWORK11 set security policies from-zone TRUST to-zone TRUST policy P3 match destination-address NETWORK1 set security policies from-zone TRUST to-zone TRUST policy P1 match destination-address NETWORK5 set security policies from-zone TRUST to-zone TRUST policy P3 match destination-address NETWORK2 set security policies from-zone TRUST to-zone TRUST policy P3 match destination-address NETWORK3 set security policies from-zone TRUST to-zone TRUST policy P3 match destination-address NETWORK4 set security policies from-zone TRUST to-zone TRUST policy P3 match destination-address NETWORK5 set security policies from-zone TRUST to-zone TRUST policy P3 match destination-address NETWORK7 16

17 Chapter 1: Deploying Secure Multicast Market Data Services for Financial Services Environments set security policies from-zone TRUST to-zone TRUST policy P3 match destination-address NETWORK8 set security policies from-zone TRUST to-zone TRUST policy P3 match destination-address NETWORK10 set security policies from-zone TRUST to-zone TRUST policy P3 match application any set security policies from-zone TRUST to-zone TRUST policy P3 then permit set security zones security-zone TRUST address-book address NETWORK /24 set security zones security-zone TRUST address-book address NETWORK /24 set security zones security-zone TRUST address-book address MULTI /24 set security zones security-zone TRUST address-book address MULTI /24 set security zones security-zone TRUST address-book address NETWORK /24 set security zones security-zone TRUST address-book address NETWORK /24 set security zones security-zone TRUST address-book address NETWORK /24 set security zones security-zone TRUST address-book address NETWORK /24 set security zones security-zone TRUST address-book address NETWORK /24 set security zones security-zone TRUST address-book address NETWORK /24 set security zones security-zone TRUST address-book address NETWORK /4 set security zones security-zone TRUST interfaces reth0.0 host-inbound-traffic system-services all set security zones security-zone TRUST interfaces reth0.0 host-inbound-traffic protocols all set security zones security-zone TRUST interfaces reth1.0 host-inbound-traffic system-services all set security zones security-zone TRUST interfaces reth1.0 host-inbound-traffic protocols all set security zones security-zone TRUST interfaces reth2.0 host-inbound-traffic system-services all set security zones security-zone TRUST interfaces reth2.0 host-inbound-traffic protocols all set security zones security-zone TRUST interfaces reth3.0 host-inbound-traffic system-services all set security zones security-zone TRUST interfaces reth3.0 host-inbound-traffic protocols all set protocols bgp group fsi_feeda export BGP set protocols bgp group fsi_feeda local-as set protocols bgp group fsi_feeda bfd-liveness-detection minimum-interval 300 set protocols bgp group fsi_feeda bfd-liveness-detection multiplier 3 set protocols bgp group fsi_feeda neighbor local-address set protocols bgp group fsi_feeda neighbor peer-as set protocols bgp group fsi_feeda neighbor local-address set protocols bgp group fsi_feeda neighbor peer-as set protocols bgp group fsi_feedb export BGP set protocols bgp group fsi_feedb local-as set protocols bgp group fsi_feedb bfd-liveness-detection minimum-interval 300 set protocols bgp group fsi_feedb bfd-liveness-detection multiplier 3 set protocols bgp group fsi_feedb neighbor local-address set protocols bgp group fsi_feedb neighbor peer-as set protocols bgp group fsi_feedb neighbor local-address set protocols bgp group fsi_feedb neighbor peer-as set protocols pim rp bootstrap family inet priority 0 set protocols pim rp static address set protocols pim interface lo0.0 set protocols pim interface reth0.0 hello-interval 1 set protocols pim interface reth0.0 neighbor-policy Neighbor_Policy_reth0 set protocols pim interface reth1.0 hello-interval 1 set protocols pim interface reth1.0 neighbor-policy Neighbor_Policy_reth1 set protocols pim interface reth2.0 hello-interval 1 set protocols pim interface reth2.0 neighbor-policy Neighbor_Policy_reth2 set protocols pim interface reth3.0 hello-interval 1 set protocols pim interface reth3.0 neighbor-policy Neighbor_Policy_reth3 set policy-options prefix-list Neighbor_Grp_reth /32 set policy-options prefix-list Neighbor_Grp_reth /32 set policy-options prefix-list Neighbor_Grp_reth /32 17

18 Deploying Secure Multicast Market Data Services for Financial Services Environments set policy-options prefix-list Neighbor_Grp_reth /32 set policy-options policy-statement BGP term Mgmt from interface fxp0.0 set policy-options policy-statement BGP term Mgmt then reject set policy-options policy-statement BGP term direct from protocol direct set policy-options policy-statement BGP term direct then accept set policy-options policy-statement BGP term BGP from protocol bgp set policy-options policy-statement BGP term BGP then accept set policy-options policy-statement Neighbor_Policy_reth0 from prefix-list Neighbor_Grp_reth0 set policy-options policy-statement Neighbor_Policy_reth0 then accept set policy-options policy-statement Neighbor_Policy_reth1 from prefix-list Neighbor_Grp_reth1 set policy-options policy-statement Neighbor_Policy_reth1 then accept set policy-options policy-statement Neighbor_Policy_reth2 from prefix-list Neighbor_Grp_reth2 set policy-options policy-statement Neighbor_Policy_reth2 then accept set policy-options policy-statement Neighbor_Policy_reth3 from prefix-list Neighbor_Grp_reth3 set policy-options policy-statement Neighbor_Policy_reth3 then accept Step-by-Step Procedure To configure a security policy to permit all traffic: 1. Create a policy and specify the match criteria for that policy. The match criteria specifies that the device can allow traffic from any source, to any destination, and on any application. [edit security policies from-zone TRUST to-zone TRUST] user@host# set policy default-permit match source-address any user@host# set policy default-permit match destination-address any user@host# set policy default-permit match application junos-bgp user@host# set policy default-permit match application PIM user@host# set policy default-permit then permit user@host# set policy P1 match source-address MULTI user@host# set policy P1 match destination-address NETWORK5 user@host# set policy P1 match application any user@host# set policy P1 then permit user@host# set policy P2 match source-address MULTI user@host# set policy P2 match destination-address NETWORK5 user@host# set policy P2 match application any user@host# set policy P2 then permit user@host# set policy P3 match source-address NETWORK1 user@host# set policy P3 match source-address NETWORK2 user@host# set policy P3 match source-address NETWORK3 user@host# set policy P3 match source-address NETWORK4 user@host# set policy P3 match source-address NETWORK7 user@host# set policy P3 match source-address NETWORK8 user@host# set policy P3 match source-address NETWORK10 user@host# set policy P3 match source-address NETWORK11 user@host# set policy P3 match destination-address NETWORK1 user@host# set policy P3 match destination-address NETWORK5 user@host# set policy P3 match destination-address NETWORK7 user@host# set policy P3 match destination-address NETWORK8 user@host# set policy P3 match destination-address NETWORK10 user@host# set policy P3 match application any user@host# set policy P3 then permit 2. Configure a security zone and specify the types of traffic and protocols that are allowed on the reth interface. [edit security zones] user@host# set security zones security-zone TRUST address-book address NETWORK /24 user@host# set security zones security-zone TRUST address-book address NETWORK /24 18

19 Chapter 1: Deploying Secure Multicast Market Data Services for Financial Services Environments set security zones security-zone TRUST address-book address MULTI /24 set security zones security-zone TRUST address-book address MULTI /24 set security zones security-zone TRUST address-book address NETWORK /24 set security zones security-zone TRUST address-book address NETWORK /24 set security zones security-zone TRUST address-book address NETWORK /24 set security zones security-zone TRUST address-book address NETWORK /24 set security zones security-zone TRUST address-book address NETWORK /24 set security zones security-zone TRUST address-book address NETWORK /24 set security zones security-zone TRUST address-book address NETWORK /4 set security zones security-zone TRUST interfaces reth0.0 host-inbound-traffic system-services all set security zones security-zone TRUST interfaces reth0.0 host-inbound-traffic protocols all set security zones security-zone TRUST interfaces reth1.0 host-inbound-traffic system-services all set security zones security-zone TRUST interfaces reth1.0 host-inbound-traffic protocols all set security zones security-zone TRUST interfaces reth2.0 host-inbound-traffic system-services all set security zones security-zone TRUST interfaces reth2.0 host-inbound-traffic protocols all set security zones security-zone TRUST interfaces reth3.0 host-inbound-traffic system-services all set security zones security-zone TRUST interfaces reth3.0 host-inbound-traffic protocols all 3. Configure BGP. [edit] set protocols bgp group fsi_feeda export BGP set protocols bgp group fsi_feeda local-as set protocols bgp group fsi_feeda bfd-liveness-detection minimum-interval 300 set protocols bgp group fsi_feeda bfd-liveness-detection multiplier 3 user@host# set protocols bgp group fsi_feeda neighbor local-address user@host# set protocols bgp group fsi_feeda neighbor peer-as user@host# set protocols bgp group fsi_feeda neighbor local-address user@host# set protocols bgp group fsi_feeda neighbor peer-as user@host# set protocols bgp group fsi_feedb export BGP user@host# set protocols bgp group fsi_feedb local-as user@host# set protocols bgp group fsi_feedb bfd-liveness-detection minimum-interval 300 user@host# set protocols bgp group fsi_feedb bfd-liveness-detection multiplier 3 user@host# set protocols bgp group fsi_feedb neighbor local-address user@host# set protocols bgp group fsi_feedb neighbor peer-as user@host# set protocols bgp group fsi_feedb neighbor local-address user@host# set protocols bgp group fsi_feedb neighbor peer-as Configure routing policy. 19

20 Deploying Secure Multicast Market Data Services for Financial Services Environments [edit] set policy-options prefix-list Neighbor_Grp_reth /32 set policy-options prefix-list Neighbor_Grp_reth /32 set policy-options prefix-list Neighbor_Grp_reth /32 set policy-options prefix-list Neighbor_Grp_reth /32 set policy-options policy-statement BGP term Mgmt from interface fxp0.0 set policy-options policy-statement BGP term Mgmt then reject set policy-options policy-statement BGP term direct from protocol direct set policy-options policy-statement BGP term direct then accept set policy-options policy-statement BGP term BGP from protocol bgp set policy-options policy-statement BGP term BGP then accept set policy-options policy-statement Neighbor_Policy_reth0 from prefix-list Neighbor_Grp_reth0 set policy-options policy-statement Neighbor_Policy_reth0 then accept set policy-options policy-statement Neighbor_Policy_reth1 from prefix-list Neighbor_Grp_reth1 set policy-options policy-statement Neighbor_Policy_reth1 then accept set policy-options policy-statement Neighbor_Policy_reth2 from prefix-list Neighbor_Grp_reth2 set policy-options policy-statement Neighbor_Policy_reth2 then accept set policy-options policy-statement Neighbor_Policy_reth3 from prefix-list Neighbor_Grp_reth3 set policy-options policy-statement Neighbor_Policy_reth3 then accept set policy-options policy-statement BGP term Mgmt then reject 5. Configure the static rendezvous point and PIM. [edit] set protocols pim rp bootstrap family inet priority 0 user@host# set protocols pim rp static address user@host# set protocols pim interface lo0.0 user@host# set protocols pim interface reth0.0 hello-interval 1 user@host# set protocols pim interface reth0.0 neighbor-policy Neighbor_Policy_reth0 user@host# set protocols pim interface reth1.0 hello-interval 1 user@host# set protocols pim interface reth1.0 neighbor-policy Neighbor_Policy_reth1 user@host# set protocols pim interface reth2.0 hello-interval 1 user@host# set protocols pim interface reth2.0 neighbor-policy Neighbor_Policy_reth2 user@host# set protocols pim interface reth3.0 hello-interval 1 user@host# set protocols pim interface reth3.0 neighbor-policy Neighbor_Policy_reth3 Configuring QFX5100 QFX_ CLI Quick Configuration To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode. [edit] set system host-name QFX_ set system name-server set system ntp server set system ntp server set chassis aggregated-devices ethernet device-count 4 set security authentication-key-chains key-chain fsi key 0 secret "$9$xCvdVsUDkfQn4aQF" set security authentication-key-chains key-chain fsi key 0 start-time " :00: " set security authentication-key-chains key-chain fsi key 1 secret "$9$1tWhcrx7V2oGvWaZ" set security authentication-key-chains key-chain fsi key 1 start-time " :01: " set interfaces xe-0/0/0 ether-options 802.3ad ae1 set interfaces xe-0/0/1 ether-options 802.3ad ae2 set interfaces ae2 mtu

21 Chapter 1: Deploying Secure Multicast Market Data Services for Financial Services Environments set interfaces ae2 aggregated-ether-options lacp active set interfaces ae2 aggregated-ether-options lacp periodic fast set interfaces ae2 unit 0 family ethernet-switching interface-mode trunk set interfaces ae2 unit 0 family ethernet-switching vlan members 100 set interfaces ae1 mtu 9192 set interfaces ae1 aggregated-ether-options lacp active set interfaces ae1 aggregated-ether-options lacp periodic fast set interfaces ae1 unit 0 family ethernet-switching interface-mode trunk set interfaces ae1 unit 0 family ethernet-switching vlan members 100 set interfaces irb mtu 9192 set interfaces irb unit 100 family inet mtu 9120 set interfaces irb unit 100 family inet address /24 set interfaces irb unit 2 family inet address /24 vrrp-group 0 virtual-address set interfaces irb unit 2 family inet address /24 vrrp-group 0 accept-data set interfaces irb unit 21 family inet address /24 vrrp-group 0 virtual-address set interfaces irb unit 21 family inet address /24 vrrp-group 0 accept-data set interfaces lo0 unit 0 family inet address /32 primary set interfaces lo0 unit 0 family inet address /32 set interfaces em0 unit 0 family inet address /26 set interfaces ge-0/0/13 ether-options 802.3ad ae100 set interfaces ae100 aggregated-ether-options lacp active set interfaces ae100 aggregated-ether-options lacp periodic fast set interfaces ae100 unit 0 family ethernet-switching interface-mode trunk set interfaces ae100 unit 0 family ethernet-switching vlan members 2 set interfaces ge-0/0/23 unit 0 family ethernet-switching vlan members 21 set protocols bgp group fsi export BGP set protocols bgp group fsi bfd-liveness-detection minimum-interval 300 set protocols bgp group fsi bfd-liveness-detection multiplier 3 set protocols bgp group fsi neighbor local-address set protocols bgp group fsi neighbor peer-as set protocols bgp group fsi neighbor local-as set protocols bgp group fsi_ibgp type internal set protocols bgp group fsi_ibgp local-address set protocols bgp group fsi_ibgp export BGP set protocols bgp group fsi_ibgp local-as set protocols bgp group fsi_ibgp bfd-liveness-detection minimum-interval 300 set protocols bgp group fsi_ibgp bfd-liveness-detection multiplier 3 set protocols bgp group fsi_ibgp neighbor set protocols msdp peer local-address set protocols ospf area interface lo0.0 set protocols ospf area interface irb.2 set protocols ospf area interface irb.21 passive set protocols pim rp local family inet address set protocols pim interface irb.100 hello-interval 1 set protocols pim interface irb.100 neighbor-policy Neighbor_Policy set protocols pim interface irb.2 set protocols pim interface irb.21 set protocols pim interface lo0.0 set protocols igmp-snooping vlan V_21 set policy-options prefix-list Neighbor_Grp /32 set policy-options policy-statement BGP term Mgmt from interface em0.0 set policy-options policy-statement BGP term Mgmt then reject set policy-options policy-statement BGP term direct from protocol direct set policy-options policy-statement BGP term direct then accept set policy-options policy-statement BGP term BGP from protocol bgp set policy-options policy-statement BGP term BGP then accept set policy-options policy-statement BGP term Last then reject set policy-options policy-statement Neighbor_Policy from prefix-list Neighbor_Grp set policy-options policy-statement Neighbor_Policy then accept 21