
Network Configuration Example

Deploying Secure Multicast Market Data Services for Financial Services Environments

Modified: 2016-07-29

Juniper Networks, Inc.
1133 Innovation Way
Sunnyvale, California 94089 USA
408-745-2000
www.juniper.net

All rights reserved. Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice. The information in this document is current as of the date on the title page.

YEAR 2000 NOTICE
Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.

END USER LICENSE AGREEMENT
The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License Agreement (EULA) posted at http://www.juniper.net/support/eula.html. By downloading, installing or using such software, you agree to the terms and conditions of that EULA.

Table of Contents

Chapter 1: Deploying Secure Multicast Market Data Services for Financial Services Environments (page 5)
  About This Network Configuration Example (page 5)
  Use Case Overview (page 5)
    Optimizing Multicast Delivery: An Overview (page 6)
    Platforms (page 6)
    Benefits (page 6)
  Technical Overview (page 7)
    Design Considerations (page 9)
  Example: Configuring Multicast in a Financial Services Environment (page 9)


Chapter 1: Deploying Secure Multicast Market Data Services for Financial Services Environments

- About This Network Configuration Example on page 5
- Use Case Overview on page 5
- Technical Overview on page 7
- Example: Configuring Multicast in a Financial Services Environment on page 9

About This Network Configuration Example

This network configuration example (NCE) provides an overview and a step-by-step example for configuring and deploying multicast in a financial services environment. It defines a multicast deployment for market data delivery and shows how multiple feeds flow through an active/active SRX Series Services Gateway chassis cluster. The instructions cover configuring PIM sparse mode (PIM-SM), Multicast Source Discovery Protocol (MSDP), and BGP on QFX Series and SRX Series devices, and configuring two SRX Series devices in active/active cluster mode to provide high availability for multicast traffic.

This document is intended for security and IT engineers, as well as network architects.

Related Documentation
- Technical Overview on page 7
- Use Case Overview on page 5
- Example: Configuring Multicast in a Financial Services Environment on page 9

Use Case Overview

Financial trading enterprises such as stock exchanges, futures exchanges, brokerage houses, and software integrators typically deploy multicast for market data delivery.

Optimizing Multicast Delivery: An Overview

Multicast is the most effective and efficient carrier of market data feeds from a network standpoint. Financial organizations deploy large-scale multicast infrastructures to enable trading and e-commerce, and multicast is used for market data delivery because it has proven to scale. Because multicast delivery is inherently unreliable (there is no retransmission), packets might be lost in the transit network. Hence, two feeds (a primary and a backup) are used to ensure that no data is lost: if data is missing on the primary feed, it can be recovered from the backup feed. All market data provided by the exchange is available in various market data formats.

In financial enterprises deploying multicast for market data delivery, QFX Series devices connect the multicast sources (servers) and receivers (clients), and SRX Series devices connect the QFX devices securely.

Optimizing multicast delivery requires:
- Quick convergence
- Secure forwarding
- Efficient forwarding
- Efficient debugging
- High availability

Platforms

Juniper Networks QFX Series switches are designed to be high-performance, high-density platforms that satisfy the needs of today's most demanding financial enterprise environments. QFX5100 switches are low-latency, high-performance 10GbE/40GbE switches that act as a flexible building block for fabric architectures and are designed for top-of-rack, end-of-row, and spine-and-leaf aggregation deployments.

Juniper Networks SRX Series Services Gateways are high-performance, highly scalable, carrier-class security devices with a multiprocessor architecture. SRX5600 devices are ideal for securing financial trading enterprises and aggregating security services through the use of security policies.

Benefits

This network configuration example describes a scenario in which QFX5100 switches, together with an SRX5600 chassis cluster and firewall security policies, provide the basis for a market data delivery environment. The deployment enables quick failover of traffic during link failures and provides network security, redundancy, and network efficiency. A clustered SRX firewall point of delivery supports IP multicast to bring market data feeds into a corporate network from external sources. The primary and backup market data feeds are routed through separate SRX Series devices in the cluster.
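The recovery described above (data missing on the primary feed is taken from the backup feed) happens on the receiving host, not in the network: the exchange publishes the same sequence-numbered messages on Feed-A and Feed-B, and the receiver arbitrates between the two. The following Python arbitrator is an added example and is not part of this Juniper NCE. Its message shape (feed tag, sequence number, payload), the gap-limit policy for abandoning a gap that neither feed fills, and the interleaved event list are all constructed for illustration.

```python
from collections import Counter

# Constructed sample: the same sequence-numbered messages as they arrive on
# Feed-A (primary) and Feed-B (backup), interleaved in arrival order. Feed-A
# dropped seq 3 in transit; a burst (7..19) was lost on both feeds.
SAMPLE_EVENTS = [
    ("A", 1, "quote"), ("B", 1, "quote"),
    ("A", 2, "trade"), ("B", 2, "trade"),
    ("A", 4, "quote"),                       # seq 3 never arrives on A
    ("B", 3, "quote"), ("B", 4, "quote"),    # B fills the gap
    ("A", 5, "trade"), ("A", 6, "quote"),
    ("B", 5, "trade"), ("B", 6, "quote"),
    ("A", 20, "quote"), ("B", 20, "quote"),  # 7..19 missing on both feeds
]


class Arbitrator:
    """Merge two sequence-numbered feeds; deliver each message once, in order."""

    def __init__(self, first_seq=1, gap_limit=8):
        self.next_seq = first_seq   # next sequence number owed to the application
        self.pending = {}           # seq -> (payload, feed), parked until the gap before it closes
        self.delivered = []         # (seq, payload, feed) in delivery order
        self.lost = []              # sequence numbers no feed supplied: request a replay
        self.stats = Counter()      # "<feed>:delivered" and "<feed>:duplicate" counts
        self.gap_limit = gap_limit  # assumed policy: how far a feed may run ahead before a gap is abandoned

    def receive(self, feed, seq, payload):
        """Feed in one packet from either feed, in arrival order."""
        if seq < self.next_seq or seq in self.pending:
            self.stats[f"{feed}:duplicate"] += 1   # the other feed got there first
            return
        self.pending[seq] = (payload, feed)
        self._drain()

    def _drain(self):
        """Deliver whatever is now contiguous; abandon a gap that has grown too large."""
        while self.pending:
            if self.next_seq in self.pending:
                payload, feed = self.pending.pop(self.next_seq)
                self.delivered.append((self.next_seq, payload, feed))
                self.stats[f"{feed}:delivered"] += 1
                self.next_seq += 1
                continue
            head = min(self.pending)
            if head - self.next_seq <= self.gap_limit:
                return                      # keep waiting for the other feed
            self.lost.extend(range(self.next_seq, head))   # neither feed produced these
            self.next_seq = head            # resume at the first message we do have


def arbitrate(events, first_seq=1, gap_limit=8):
    """Run (feed, seq, payload) arrival events through an Arbitrator and return it."""
    arb = Arbitrator(first_seq=first_seq, gap_limit=gap_limit)
    for feed, seq, payload in events:
        arb.receive(feed, seq, payload)
    return arb


if __name__ == "__main__":
    arb = arbitrate(SAMPLE_EVENTS)
    for seq, payload, feed in arb.delivered:
        print(f"seq {seq:3d} {payload:5s} from Feed-{feed}")
    print("lost (request replay):", arb.lost)
    print(dict(arb.stats))
```

On the sample, seq 3 is delivered from Feed-B while everything else comes from Feed-A, and 7 through 19 end up in the lost list; in production that list drives a retransmission request to the exchange's replay service rather than being dropped. Two points worth noting for the design: the gap limit is a trade-off between latency and spurious gap declarations and must be tuned to the feeds' real burst behaviour, and the arbitrator trusts whichever feed delivers a sequence number first, so nothing here authenticates a packet. That is why the network controls in this example (firewall policies on the SRX cluster restricting which sources may reach the receiver networks, and a statically configured RP) matter.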

Related Documentation
- Multicast Feature Guide for Security Devices
- Multicast Protocols Feature Guide for the QFX Series

Technical Overview

Multicast delivers market data feeds from an application source to multiple receivers without burdening the source or the receivers, while using a minimum of network bandwidth. In this configuration example, the QFX5100 devices serve as the last-hop routers (LHRs) and first-hop routers (FHRs).

Figure 1: Multicast Architecture Used in This NCE

[Figure 1 shows two multicast sources, Feed-A (primary) and Feed-B (backup), attached to QFX5100-1 (FHR, RP, MSDP) and QFX5100-2 (FHR), which run OSPF, BFD, IBGP, and PIM between them. Both FHRs connect over EBGP, BFD, and PIM to the SRX5600-1 and SRX5600-2 security chassis cluster (both nodes active, joined by a fabric link and a control link). The cluster connects over EBGP, BFD, and PIM to QFX5100-3 (LHR) and QFX5100-4 (LHR, RP, MSDP), which run OSPF, BFD, IBGP, and PIM between them and attach the multicast receivers. Legend: LHR = last-hop router, FHR = first-hop router, MSDP = Multicast Source Discovery Protocol.]

Multicast source: Each multicast source sends a data feed to a multicast group address.

FHR: The QFX5100 device to which the multicast sources connect is the FHR. When a source starts sending, the FHR registers the source and group with the predefined rendezvous point (RP) by sending PIM Register messages toward it.

LHR: The QFX5100 device to which the multicast receivers connect is the LHR. The LHR joins the group toward the RP on behalf of its receivers and forwards the data feeds to them.

Rendezvous point (RP): The RP is the information exchange point at which sources are matched to receivers. Every router in a PIM domain must map each group to its RP, but only the RP must know all of the active multicast sources.

Multicast receiver: A receiver requests a data feed by sending an IGMP membership report (join) for the group to the LHR. IGMP snooping is enabled on the QFX5100 devices so that the switch tracks the Internet Group Management Protocol (IGMP) messages from the hosts and sends multicast data feeds only to the ports connected to devices that have asked to receive the group, which conserves bandwidth.

Market data feed: Market data feeds are typically applications in which several multicast sources send data to groups. Market data is delivered as dual multicast streams (primary and backup feeds), so in most cases a single packet lost on one feed can be recovered from the other. Routers running Protocol Independent Multicast (PIM) and the supporting multicast protocols replicate the feeds in the network at the point where the primary and backup paths diverge, which is the most efficient way to deliver market data to many receivers.

High availability cluster: Chassis clustering provides node redundancy by grouping a pair of supported SRX Series devices of the same type into a cluster; here the two SRX5600 Services Gateways form the cluster. The multicast feeds pass through the cluster, which is configured in active/active mode for redundancy and efficiency: transit data feeds pass through both nodes all the time, so if one node goes down and takes its feed with it, the other node and feed remain active. The configuration uses four redundant Ethernet (reth) interfaces. Each reth has one port from each node, and every reth connects to one QFX5100. Every reth is assigned a unique subnet, which avoids PIM asserts (two PIM routers contending to forward the same group onto a shared subnet).

Security: Firewall security policies on the SRX cluster control which neighbors may exchange PIM and BGP control traffic through it and which multicast sources may reach which receiver networks; traffic between zones is allowed only by policy. Note that these policies match on addresses and applications and do not cryptographically authenticate PIM neighbors. The QFX devices also support distributed denial-of-service (DDoS) protection, which polices control-plane traffic. For more information on DDoS protection, see Understanding Distributed Denial-of-Service Protection on QFX Series Switches. A statically configured anycast RP (rather than a dynamically elected one) provides the greatest level of protection against a malicious or misconfigured device advertising itself as an RP.

Table 1 on page 8 describes the network type, platforms, technologies, and protocols used in this configuration.

Table 1: Network Elements Used in Multicast Configuration

Network type: Multicast source and receiver LANs
  Platform: QFX5100
  Technologies: 1G, 10G, and 40G Gigabit Ethernet interfaces; SRX chassis cluster
  Protocols: PIM-SM, MSDP, OSPF, IBGP, EBGP, BFD, RTG

Network type: Chassis cluster
  Platform: SRX5600
  Technologies: 1G, 10G, and 40G interfaces; SRX chassis cluster; firewall security policies
  Protocols: PIM-SM, EBGP, BFD

The multicast deployment configured with the protocols in Table 2 on page 8 gives the financial trading environment an edge in optimizing its market data delivery.

Table 2: Supported Protocols

PIM sparse mode (PIM-SM): PIM-SM as the multicast delivery protocol works well for both one-to-many and many-to-many distribution of data over a LAN, WAN, or the Internet. PIM-SM is also widely deployed and well understood. For more information on PIM-SM, see PIM-SM.

Anycast RP and MSDP: Anycast RP and MSDP share the load across RPs and provide RP redundancy. When an RP fails, sources and receivers converge on another RP through unicast routing alone. Anycast RP bypasses the restriction of having one active RP per multicast group: multiple RPs serve the same group range and share one unicast IP address, and sources and receivers use the closest RP as determined by the interior gateway protocol (IGP). Each RP learns the sources registered at the other RPs through Multicast Source Discovery Protocol (MSDP) Source-Active messages. MSDP interconnects multiple IPv4 PIM-SM domains, which gives PIM-SM both RP redundancy and interdomain multicast. For more information, see Anycast RP with or without MSDP.

Open Shortest Path First (OSPF): OSPF detects changes in the topology, such as link failures, and converges on a new loop-free routing structure within seconds. OSPF computes the shortest-path tree for each route using a shortest-path-first algorithm. OSPF is used within an autonomous system (AS). For more information, see OSPF.

Border Gateway Protocol (BGP): BGP is an exterior gateway protocol (EGP) used to exchange routing information among devices in different ASs. In this example, EBGP runs between each QFX pair and the SRX cluster (AS 64512, AS 65535, and AS 64514 in Figure 2) and IBGP within each QFX pair; PIM uses the resulting unicast routes for its reverse-path forwarding (RPF) checks. For more information, see BGP.

Bidirectional Forwarding Detection (BFD): BFD detects link and neighbor failures in subsecond time so that OSPF, BGP, and PIM can reroute traffic quickly. For more information, see BFD.

Redundant Trunk Group (RTG): RTG is enabled on the LHR and FHR devices to provide quick failover of traffic during link failures. For more information, see RTG.

Design Considerations

PIM-SM is known not to work well for intermittent multicast sources: each time an idle source resumes sending, the FHR must register it with the RP again and the shared-tree to shortest-path-tree switchover repeats, so the first packets of the burst can be lost. If there are known intermittent multicast sources, use PIM source-specific multicast (SSM) to avoid this initial loss; note that SSM requires receivers to signal the source address with IGMPv3. The complicated PIM behaviors (asserts and designated-router election) are encountered in multiaccess topologies rather than on simpler point-to-point links.

Related Documentation
- About This Network Configuration Example on page 5
- Use Case Overview on page 5
- Example: Configuring Multicast in a Financial Services Environment on page 9

Example: Configuring Multicast in a Financial Services Environment

This example illustrates how to configure QFX Series switches and SRX Series Services Gateways to deploy secure multicast market data services for financial services environments.

- Requirements on page 10
- Overview and Topology on page 10

- Configuration on page 12
- Verification on page 38

Requirements

This example uses the following hardware and software components:
- Two SRX5600 Services Gateways running Junos OS Release 12.1X47-D10 or later
- Four QFX5100 switches running Junos OS Release 14.1X53-D30 or later

Before you begin:
- Confirm that the two SRX5600 Services Gateways have identical hardware configurations.
- Physically connect the two SRX devices back-to-back for the fabric and control ports, and ensure that they are the same model.
- Confirm that both standalone SRX devices run the same Junos OS version.
- Confirm that the license keys on both SRX devices are the same.
- Before the SRX cluster can form, configure the control ports on each device, assign a cluster ID and a node ID to each device, and reboot. When the system boots, both nodes come up as a cluster. For more information, see the Chassis Cluster Feature Guide for Security Devices.
- If Virtual Chassis or Virtual Chassis Fabric (VC/VCF) is required, ensure that all the devices run the same Junos OS version. For more information, see the Virtual Chassis Fabric Feature Guide.

Overview and Topology

This network configuration example provides an overview and a step-by-step example for deploying multicast in a financial services environment and illustrates how multiple feeds flow through an active/active SRX cluster. It shows how to configure PIM sparse mode (PIM-SM), Multicast Source Discovery Protocol (MSDP), BGP, and the related technologies on QFX Series and SRX Series devices. The QFX5100 devices serve as the last-hop routers (LHRs) and first-hop routers (FHRs). The SRX5600 Services Gateways form a chassis cluster, and the multicast feeds pass through the cluster, which is configured in active/active mode for redundancy and efficiency.

The topology for this example is shown in Figure 2 on page 11.

Figure 2: Deploying Secure Multicast Market Data Services for Financial Services Environments

[Figure 2 shows QFX5100-1 and QFX5100-2 (AS 64512) attaching the Feed-A primary and Feed-B backup multicast sources and running OSPF, IBGP, and BFD between them over ae100; QFX5100-3 and QFX5100-4 (AS 64514) attach the multicast receivers and run the same protocols between them over ae100. Each QFX connects through its ae1/ae2 aggregated links to the SRX5600-1/SRX5600-2 firewall cluster (AS 65535), whose nodes are joined by a fabric link and a control link: reth0 faces QFX5100-1, reth1 faces QFX5100-2, reth2 faces QFX5100-3, and reth3 faces QFX5100-4.]

Table 3 on page 11 lists the devices and IP addresses used in this configuration.

Table 3: Devices and IP Addresses

QFX5100-1 (10.5.5.1), hostname QFX-10.5.5.1
  irb.2     172.16.2.1/24
  irb.21    172.16.21.2/24
  irb.100   192.168.100.1/24
  lo0.0     10.5.5.1

QFX5100-2 (10.5.5.2), hostname QFX-10.5.5.2
  irb.2     172.16.2.2/24
  irb.31    172.16.31.2/24
  irb.101   192.168.101.1/24
  lo0.0     10.5.5.2

QFX5100-3 (10.5.5.3), hostname QFX-10.5.5.3
  irb.2     172.17.2.1/24
  irb.21    172.17.21.2/24
  irb.102   192.168.102.1/24
  lo0.0     10.5.5.3

QFX5100-4 (10.5.5.4), hostname QFX-10.5.5.4
  irb.2     172.17.2.2/24
  irb.31    172.17.31.2/24
  irb.103   192.168.103.1/24
  lo0.0     10.5.5.4

SRX5600-1 and SRX5600-2, hostnames SRX5600-mcast-a and SRX5600-mcast-b (the reth and loopback addresses are shared by the cluster)
  reth0.0   192.168.100.2/24
  reth1.0   192.168.101.2/24
  reth2.0   192.168.102.2/24
  reth3.0   192.168.103.2/24
  lo0.0     10.5.5.5

Note: the SRX configuration in this example assigns reth3 the address 192.168.103.2/24, facing irb.103 on QFX5100-4. Placing reth3 on 192.168.102.0/24 would put it on the same subnet as reth2, which is the shared-subnet condition this design avoids.

Configuration

This section provides step-by-step instructions for:
- Configuring SRX5600 (SRX5600-mcast-a and SRX5600-mcast-b) on page 12
- Configuring the Security Policies, Zones, Virtual Routers, and Protocols on page 16
- Configuring QFX5100 QFX_10.5.5.1 on page 20
- Configuring QFX5100 QFX_10.5.5.2 on page 25
- Configuring QFX5100 QFX_10.5.5.3 on page 29
- Configuring QFX5100 QFX_10.5.5.4 on page 33

Configuring SRX5600 (SRX5600-mcast-a and SRX5600-mcast-b)

CLI Quick Configuration

Apply this configuration to both SRX Series devices; the SRX5600-mcast-a configuration is shown here. To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

[edit]
set groups node0 system host-name srx5600-mcast-a
set groups node0 system backup-router 10.204.191.254
set groups node0 system backup-router destination 10.0.0.0/8
set groups node0 interfaces fxp0 unit 0 family inet address 10.219.29.157/26
set groups node1 system host-name srx5600-mcast-b
set groups node1 system backup-router 10.204.191.254
set groups node1 system backup-router destination 10.0.0.0/8
set groups node1 interfaces fxp0 unit 0 family inet address 10.219.29.159/26
set groups flow-type security forwarding-options family inet6 mode flow-based
set apply-groups "${node}" flow-type
set security forwarding-process application-services session-distribution-mode hash-based
set system name-server 172.17.28.100
set system ntp server 172.17.28.5
set system ntp server 10.204.37.156
set chassis cluster reth-count 8
set chassis cluster redundancy-group 1 node 0 priority 250
set chassis cluster redundancy-group 1 node 1 priority 100
set chassis cluster redundancy-group 1 preempt
set chassis cluster redundancy-group 1 interface-monitor xe-4/0/0 weight 255
set chassis cluster redundancy-group 1 interface-monitor xe-10/0/1 weight 255
set chassis cluster redundancy-group 1 interface-monitor xe-10/0/2 weight 255
set chassis cluster redundancy-group 1 interface-monitor xe-4/0/3 weight 255
set chassis cluster redundancy-group 2 node 0 priority 100
set chassis cluster redundancy-group 2 node 1 priority 250
set chassis cluster redundancy-group 2 preempt
set chassis cluster redundancy-group 2 interface-monitor xe-10/0/0 weight 255
set chassis cluster redundancy-group 2 interface-monitor xe-4/0/1 weight 255
set chassis cluster redundancy-group 2 interface-monitor xe-4/0/2 weight 255
set chassis cluster redundancy-group 2 interface-monitor xe-10/0/3 weight 255
set interfaces xe-4/0/3 gigether-options redundant-parent reth2
set interfaces xe-10/0/2 gigether-options redundant-parent reth2
set interfaces xe-4/0/2 gigether-options redundant-parent reth3
set interfaces xe-10/0/3 gigether-options redundant-parent reth3
set interfaces lo0 unit 0 family inet address 10.5.5.5/32 primary
set interfaces xe-4/0/0 gigether-options redundant-parent reth0
set interfaces xe-10/0/0 gigether-options redundant-parent reth1
set interfaces xe-4/0/1 gigether-options redundant-parent reth1
set interfaces xe-10/0/1 gigether-options redundant-parent reth0
set interfaces reth2 vlan-tagging
set interfaces reth2 mtu 9192
set interfaces reth2 redundant-ether-options redundancy-group 1
set interfaces reth2 redundant-ether-options lacp active
set interfaces reth2 redundant-ether-options lacp periodic fast
set interfaces reth2 unit 0 vlan-id 102
set interfaces reth2 unit 0 family inet mtu 9120
set interfaces reth2 unit 0 family inet address 192.168.102.2/24
set interfaces reth3 vlan-tagging
set interfaces reth3 mtu 9192
set interfaces reth3 redundant-ether-options redundancy-group 2
set interfaces reth3 redundant-ether-options lacp active
set interfaces reth3 redundant-ether-options lacp periodic fast
set interfaces reth3 unit 0 vlan-id 103
set interfaces reth3 unit 0 family inet mtu 9120
set interfaces reth3 unit 0 family inet address 192.168.103.2/24
set interfaces reth0 vlan-tagging
set interfaces reth0 mtu 9192
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth0 redundant-ether-options lacp active
set interfaces reth0 redundant-ether-options lacp periodic fast
set interfaces reth0 unit 0 vlan-id 100
set interfaces reth0 unit 0 family inet mtu 9120
set interfaces reth0 unit 0 family inet address 192.168.100.2/24
set interfaces reth1 vlan-tagging
set interfaces reth1 mtu 9192
set interfaces reth1 redundant-ether-options redundancy-group 2
set interfaces reth1 redundant-ether-options lacp active
set interfaces reth1 redundant-ether-options lacp periodic fast
set interfaces reth1 unit 0 vlan-id 101
set interfaces reth1 unit 0 family inet mtu 9120
set interfaces reth1 unit 0 family inet address 192.168.101.2/24

Note that apply-groups "${node}" and the hash-based session-distribution-mode setting are two separate commands: the first applies the node-specific groups, and the second, under [edit security forwarding-process application-services], selects hash-based session distribution.
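Before committing the quick configuration above, it is worth checking mechanically that it yields the design the Technical Overview relies on: every reth has one member port on each node, every member is interface-monitored in the reth's own redundancy group (so a single link failure actually triggers failover), the two redundancy groups prefer different nodes (active/active rather than active/passive), and every reth sits on its own subnet (no PIM asserts). The checker below is an added example and not Juniper code. It parses the reth, redundancy-group and interface-monitor set commands copied from the quick configuration into SAMPLE_CONFIG, and it assumes SRX5600 slot numbering, in which node 0 owns FPC slots 0 through 5 and node 1 owns slots 6 through 11 (so xe-4/0/0 is on node 0 and xe-10/0/0 is on node 1).

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: the reth, redundancy-group and interface-monitor lines copied
# from the quick configuration above (node groups, NTP, MTU and LACP lines omitted).
SAMPLE_CONFIG = """
set chassis cluster redundancy-group 1 node 0 priority 250
set chassis cluster redundancy-group 1 node 1 priority 100
set chassis cluster redundancy-group 1 interface-monitor xe-4/0/0 weight 255
set chassis cluster redundancy-group 1 interface-monitor xe-10/0/1 weight 255
set chassis cluster redundancy-group 1 interface-monitor xe-10/0/2 weight 255
set chassis cluster redundancy-group 1 interface-monitor xe-4/0/3 weight 255
set chassis cluster redundancy-group 2 node 0 priority 100
set chassis cluster redundancy-group 2 node 1 priority 250
set chassis cluster redundancy-group 2 interface-monitor xe-10/0/0 weight 255
set chassis cluster redundancy-group 2 interface-monitor xe-4/0/1 weight 255
set chassis cluster redundancy-group 2 interface-monitor xe-4/0/2 weight 255
set chassis cluster redundancy-group 2 interface-monitor xe-10/0/3 weight 255
set interfaces xe-4/0/3 gigether-options redundant-parent reth2
set interfaces xe-10/0/2 gigether-options redundant-parent reth2
set interfaces xe-4/0/2 gigether-options redundant-parent reth3
set interfaces xe-10/0/3 gigether-options redundant-parent reth3
set interfaces xe-4/0/0 gigether-options redundant-parent reth0
set interfaces xe-10/0/0 gigether-options redundant-parent reth1
set interfaces xe-4/0/1 gigether-options redundant-parent reth1
set interfaces xe-10/0/1 gigether-options redundant-parent reth0
set interfaces reth2 redundant-ether-options redundancy-group 1
set interfaces reth2 unit 0 family inet address 192.168.102.2/24
set interfaces reth3 redundant-ether-options redundancy-group 2
set interfaces reth3 unit 0 family inet address 192.168.103.2/24
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth0 unit 0 family inet address 192.168.100.2/24
set interfaces reth1 redundant-ether-options redundancy-group 2
set interfaces reth1 unit 0 family inet address 192.168.101.2/24
"""
SLOTS_PER_NODE = 6  # assumption: SRX5600 FPC slots 0-5 belong to node 0, 6-11 to node 1


def node_of(ifname):
    """Cluster node that owns a physical interface, derived from its FPC slot."""
    m = re.fullmatch(r"[a-z]+-(\d+)/\d+/\d+", ifname)
    if not m:
        raise ValueError(f"not a physical interface: {ifname}")
    return int(m.group(1)) // SLOTS_PER_NODE


def parse(config_text):
    """Pull the reth and redundancy-group facts out of Junos 'set' commands."""
    members = defaultdict(list)   # reth -> physical member interfaces
    reth_rg = {}                  # reth -> redundancy group it fails over with
    reth_net = {}                 # reth -> IPv4 subnet
    rg_prio = defaultdict(dict)   # redundancy group -> {node: priority}
    rg_mon = defaultdict(set)     # redundancy group -> monitored interfaces
    for raw in config_text.splitlines():
        w = raw.split()
        if len(w) < 6 or w[0] != "set":
            continue
        if w[1] == "interfaces" and "redundant-parent" in w:
            members[w[-1]].append(w[2])
        elif w[1] == "interfaces" and "redundancy-group" in w:
            reth_rg[w[2]] = int(w[-1])
        elif w[1] == "interfaces" and w[2].startswith("reth") and "address" in w:
            reth_net[w[2]] = ipaddress.ip_interface(w[-1]).network
        elif w[1:4] == ["chassis", "cluster", "redundancy-group"] and len(w) > 8:
            rg = int(w[4])
            if w[5] == "node" and w[7] == "priority":
                rg_prio[rg][int(w[6])] = int(w[8])
            elif w[5] == "interface-monitor":
                rg_mon[rg].add(w[6])
    return members, reth_rg, reth_net, rg_prio, rg_mon


def check(config_text):
    """Return findings; an empty list means the configuration matches the design."""
    members, reth_rg, reth_net, rg_prio, rg_mon = parse(config_text)
    findings = []
    for reth, phys in sorted(members.items()):
        if sorted(node_of(p) for p in phys) != [0, 1]:
            findings.append(f"{reth}: members {phys} are not one per node")
        rg = reth_rg.get(reth)
        missing = [p for p in phys if p not in rg_mon.get(rg, set())]
        if missing:   # an unmonitored member failing would black-hole that reth silently
            findings.append(f"{reth}: {missing} not interface-monitored in redundancy-group {rg}")
    # active/active requires the data-plane redundancy groups to prefer different nodes
    primaries = {rg: max(p, key=p.get) for rg, p in rg_prio.items() if rg > 0}
    if len(primaries) > 1 and len(set(primaries.values())) == 1:
        findings.append(f"all redundancy groups prefer node {next(iter(primaries.values()))}: cluster is active/passive")
    by_net = defaultdict(list)    # one subnet per reth: a shared subnet invites PIM asserts
    for reth, net in reth_net.items():
        by_net[net].append(reth)
    for net, reths in by_net.items():
        if len(reths) > 1:
            findings.append(f"{sorted(reths)} share subnet {net}")
    return findings


if __name__ == "__main__":
    for line in check(SAMPLE_CONFIG) or ["OK: reth and redundancy-group invariants hold"]:
        print(line)
```

The quick configuration passes cleanly. The checker is most useful against the mistakes that are easy to make by hand: giving reth3 an address on 192.168.102.0/24 (as the Table 3 listing in the original page did) is reported as a shared subnet, dropping one interface-monitor line is reported against the reth it leaves unprotected, and raising node 0's priority in redundancy group 2 is reported as collapsing the cluster to active/passive.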

Deploying Secure Multicast Market Data Services for Financial Services Environments Step-by-Step Procedure To configure the hostnames, NTP server, reth interfaces, loopback interfaces, redundancy groups and management IP addresses to the specific nodes: 1. Configure the name of node 0 and node 1 and assign management IP addresses. Because the SRX5600 Services Gateway chassis cluster configuration is contained within a single common configuration, to assign some elements of the configuration to a specific member only, you must use the Junos OS node-specific configuration method called groups. The set apply-groups ${node} command uses the node variable to define how the groups are applied to the nodes; each node recognizes its number and accepts the configuration accordingly. You must also configure out-of-band management on the fxp0 interface of the SRX5600 Services Gateway using separate IP addresses for the individual control planes of the cluster. [edit] user@host# set apply-groups ${node} user@host# set groups node0 system host-name srx5600-mcast-a user@host# set groups node0 system backup-router 10.204.191.254 user@host# set groups node0 system backup-router destination 10.0.0.0/8 user@host# set groups node0 interfaces fxp0 unit 0 family inet address 10.219.29.157/26 user@host# set groups node1 system host-name srx5600-mcast-b user@host# set groups node1 system backup-router 10.204.191.254 user@host# set groups node1 system backup-router destination 10.0.0.0/8 user@host# set groups node1 interfaces fxp0 unit 0 family inet address 10.219.29.159/26 2. Configure flow-type. [edit] user@host# set groups flow-type security forwarding-options family inet6 mode flow-based user@host# set apply-groups ${node} flow-type security forwarding-process application-services session-distribution-mode hash-based 3. Configure the NTP server address for node 0 and node 1. 
[edit] user@host# set system name-server 172.17.28.100 user@host# set system ntp server 172.17.28.5 user@host# set system ntp server 10.204.37.156 4. Specify the number of redundant Ethernet interfaces. [edit] user@host# set chassis cluster reth-count 8 5. To create a reth interface, configure the physical interfaces independently. Because reth interfaces are pseudointerfaces, you must define the number of reth interfaces in a cluster by configuring reth-count. The reth interfaces are assigned into redundancy groups. [edit] user@host# set interfaces xe-4/0/3 gigether-options redundant-parent reth2 user@host# set interfaces xe-10/0/2 gigether-options redundant-parent reth2 user@host# set interfaces xe-4/0/2 gigether-options redundant-parent reth3 user@host# set interfaces xe-10/0/3 gigether-options redundant-parent reth3 user@host# set interfaces xe-4/0/0 gigether-options redundant-parent reth0 user@host# set interfaces xe-10/0/0 gigether-options redundant-parent reth1 user@host# set interfaces xe-4/0/1 gigether-options redundant-parent reth1 user@host# set interfaces xe-10/0/1 gigether-options redundant-parent reth0 6. Configure chassis cluster redundancy groups by specifying a redundancy group's priority for primacy on each node of the cluster. The higher number takes precedence. Also specify whether a node with a higher priority can initiate a failover to become primary for the redundancy group. 14

Chapter 1: Deploying Secure Multicast Market Data Services for Financial Services Environments [edit] user@host# set chassis cluster redundancy-group 1 node 0 priority 250 user@host# set chassis cluster redundancy-group 1 node 1 priority 100 user@host# set chassis cluster redundancy-group 1 preempt user@host# set chassis cluster redundancy-group 1 interface-monitor xe-4/0/0 weight 255 user@host# set chassis cluster redundancy-group 1 interface-monitor xe-10/0/1 weight 255 user@host# set chassis cluster redundancy-group 1 interface-monitor xe-10/0/2 weight 255 user@host# set chassis cluster redundancy-group 1 interface-monitor xe-4/0/3 weight 255 user@host# set chassis cluster redundancy-group 2 node 0 priority 100 user@host# set chassis cluster redundancy-group 2 node 1 priority 250 user@host# set chassis cluster redundancy-group 2 preempt user@host# set chassis cluster redundancy-group 2 interface-monitor xe-10/0/0 weight 255 user@host# set chassis cluster redundancy-group 2 interface-monitor xe-4/0/1 weight 255 user@host# set chassis cluster redundancy-group 2 interface-monitor xe-4/0/2 weight 255 user@host# set chassis cluster redundancy-group 2 interface-monitor xe-10/0/3 weight 255 7. Configure the loopback interfaces. user@host#set interfaces lo0 unit 0 family inet address 10.5.5.5/32 primary 8. Configure the reth interfaces and include the Link Aggregation Control Protocol (LACP). 
[edit]
user@host# set interfaces reth2 vlan-tagging
user@host# set interfaces reth2 mtu 9192
user@host# set interfaces reth2 redundant-ether-options redundancy-group 1
user@host# set interfaces reth2 redundant-ether-options lacp active
user@host# set interfaces reth2 redundant-ether-options lacp periodic fast
user@host# set interfaces reth2 unit 0 vlan-id 102
user@host# set interfaces reth2 unit 0 family inet mtu 9120
user@host# set interfaces reth2 unit 0 family inet address 192.168.102.2/24
user@host# set interfaces reth3 vlan-tagging
user@host# set interfaces reth3 mtu 9192
user@host# set interfaces reth3 redundant-ether-options redundancy-group 2
user@host# set interfaces reth3 redundant-ether-options lacp active
user@host# set interfaces reth3 redundant-ether-options lacp periodic fast
user@host# set interfaces reth3 unit 0 vlan-id 103
user@host# set interfaces reth3 unit 0 family inet mtu 9120
user@host# set interfaces reth3 unit 0 family inet address 192.168.103.2/24
user@host# set interfaces reth0 vlan-tagging
user@host# set interfaces reth0 mtu 9192
user@host# set interfaces reth0 redundant-ether-options redundancy-group 1
user@host# set interfaces reth0 redundant-ether-options lacp active
user@host# set interfaces reth0 redundant-ether-options lacp periodic fast
user@host# set interfaces reth0 unit 0 vlan-id 100
user@host# set interfaces reth0 unit 0 family inet mtu 9120
user@host# set interfaces reth0 unit 0 family inet address 192.168.100.2/24
user@host# set interfaces reth1 vlan-tagging
user@host# set interfaces reth1 mtu 9192
user@host# set interfaces reth1 redundant-ether-options redundancy-group 2
user@host# set interfaces reth1 redundant-ether-options lacp active
user@host# set interfaces reth1 redundant-ether-options lacp periodic fast
user@host# set interfaces reth1 unit 0 vlan-id 101

user@host# set interfaces reth1 unit 0 family inet mtu 9120
user@host# set interfaces reth1 unit 0 family inet address 192.168.101.2/24

9. When you are done configuring the device, commit the configuration.

[edit]
user@host# commit

Configuring the Security Policies, Zones, Virtual Routers, and Protocols

CLI Quick Configuration

Apply this configuration to both SRX Series devices. The SRX5600-mcast-a configuration is shown here.

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

set security policies from-zone TRUST to-zone TRUST policy default-permit match source-address any
set security policies from-zone TRUST to-zone TRUST policy default-permit match destination-address any
set security policies from-zone TRUST to-zone TRUST policy default-permit match application junos-bgp
set security policies from-zone TRUST to-zone TRUST policy default-permit match application PIM
set security policies from-zone TRUST to-zone TRUST policy default-permit then permit
set security policies from-zone TRUST to-zone TRUST policy P1 match source-address MULTI
set security policies from-zone TRUST to-zone TRUST policy P1 match destination-address NETWORK5
set security policies from-zone TRUST to-zone TRUST policy P1 match application any
set security policies from-zone TRUST to-zone TRUST policy P1 then permit
set security policies from-zone TRUST to-zone TRUST policy P2 match source-address MULTI1
set security policies from-zone TRUST to-zone TRUST policy P2 match destination-address NETWORK5
set security policies from-zone TRUST to-zone TRUST policy P2 match application any
set security policies from-zone TRUST to-zone TRUST policy P2 then permit
set security policies from-zone TRUST to-zone TRUST policy P3 match source-address NETWORK1
set security policies from-zone TRUST to-zone TRUST policy P3 match source-address NETWORK2
set security policies from-zone TRUST to-zone TRUST policy P3 match source-address NETWORK3
set security policies from-zone TRUST to-zone TRUST policy P3 match source-address NETWORK4
set security policies from-zone TRUST to-zone TRUST policy P3 match source-address NETWORK7
set security policies from-zone TRUST to-zone TRUST policy P3 match source-address NETWORK8
set security policies from-zone TRUST to-zone TRUST policy P3 match source-address NETWORK10
set security policies from-zone TRUST to-zone TRUST policy P3 match source-address NETWORK11
set security policies from-zone TRUST to-zone TRUST policy P3 match destination-address NETWORK1
set security policies from-zone TRUST to-zone TRUST policy P3 match destination-address NETWORK2
set security policies from-zone TRUST to-zone TRUST policy P3 match destination-address NETWORK3
set security policies from-zone TRUST to-zone TRUST policy P3 match destination-address NETWORK4
set security policies from-zone TRUST to-zone TRUST policy P3 match destination-address NETWORK5
set security policies from-zone TRUST to-zone TRUST policy P3 match destination-address NETWORK7

set security policies from-zone TRUST to-zone TRUST policy P3 match destination-address NETWORK8
set security policies from-zone TRUST to-zone TRUST policy P3 match destination-address NETWORK10
set security policies from-zone TRUST to-zone TRUST policy P3 match application any
set security policies from-zone TRUST to-zone TRUST policy P3 then permit
set security zones security-zone TRUST address-book address NETWORK1 192.168.0.0/24
set security zones security-zone TRUST address-book address NETWORK2 10.5.5.0/24
set security zones security-zone TRUST address-book address MULTI 172.16.21.0/24
set security zones security-zone TRUST address-book address MULTI1 172.16.31.0/24
set security zones security-zone TRUST address-book address NETWORK3 172.16.2.0/24
set security zones security-zone TRUST address-book address NETWORK7 172.16.21.0/24
set security zones security-zone TRUST address-book address NETWORK8 172.16.31.0/24
set security zones security-zone TRUST address-book address NETWORK4 172.17.2.0/24
set security zones security-zone TRUST address-book address NETWORK10 172.17.21.0/24
set security zones security-zone TRUST address-book address NETWORK11 172.17.31.0/24
set security zones security-zone TRUST address-book address NETWORK5 224.0.0.0/4
set security zones security-zone TRUST interfaces reth0.0 host-inbound-traffic system-services all
set security zones security-zone TRUST interfaces reth0.0 host-inbound-traffic protocols all
set security zones security-zone TRUST interfaces reth1.0 host-inbound-traffic system-services all
set security zones security-zone TRUST interfaces reth1.0 host-inbound-traffic protocols all
set security zones security-zone TRUST interfaces reth2.0 host-inbound-traffic system-services all
set security zones security-zone TRUST interfaces reth2.0 host-inbound-traffic protocols all
set security zones security-zone TRUST interfaces reth3.0 host-inbound-traffic system-services all
set security zones security-zone TRUST interfaces reth3.0 host-inbound-traffic protocols all
set protocols bgp group fsi_feeda export BGP
set protocols bgp group fsi_feeda local-as 65535
set protocols bgp group fsi_feeda bfd-liveness-detection minimum-interval 300
set protocols bgp group fsi_feeda bfd-liveness-detection multiplier 3
set protocols bgp group fsi_feeda neighbor 192.168.100.1 local-address 192.168.100.2
set protocols bgp group fsi_feeda neighbor 192.168.100.1 peer-as 64512
set protocols bgp group fsi_feeda neighbor 192.168.102.1 local-address 192.168.102.2
set protocols bgp group fsi_feeda neighbor 192.168.102.1 peer-as 64514
set protocols bgp group fsi_feedb export BGP
set protocols bgp group fsi_feedb local-as 65535
set protocols bgp group fsi_feedb bfd-liveness-detection minimum-interval 300
set protocols bgp group fsi_feedb bfd-liveness-detection multiplier 3
set protocols bgp group fsi_feedb neighbor 192.168.101.1 local-address 192.168.101.2
set protocols bgp group fsi_feedb neighbor 192.168.101.1 peer-as 64512
set protocols bgp group fsi_feedb neighbor 192.168.103.1 local-address 192.168.103.2
set protocols bgp group fsi_feedb neighbor 192.168.103.1 peer-as 64514
set protocols pim rp bootstrap family inet priority 0
set protocols pim rp static address 10.5.5.254
set protocols pim interface lo0.0
set protocols pim interface reth0.0 hello-interval 1
set protocols pim interface reth0.0 neighbor-policy Neighbor_Policy_reth0
set protocols pim interface reth1.0 hello-interval 1
set protocols pim interface reth1.0 neighbor-policy Neighbor_Policy_reth1
set protocols pim interface reth2.0 hello-interval 1
set protocols pim interface reth2.0 neighbor-policy Neighbor_Policy_reth2
set protocols pim interface reth3.0 hello-interval 1
set protocols pim interface reth3.0 neighbor-policy Neighbor_Policy_reth3
set policy-options prefix-list Neighbor_Grp_reth0 192.168.100.1/32
set policy-options prefix-list Neighbor_Grp_reth1 192.168.101.1/32
set policy-options prefix-list Neighbor_Grp_reth2 192.168.102.1/32

set policy-options prefix-list Neighbor_Grp_reth3 192.168.103.1/32
set policy-options policy-statement BGP term Mgmt from interface fxp0.0
set policy-options policy-statement BGP term Mgmt then reject
set policy-options policy-statement BGP term direct from protocol direct
set policy-options policy-statement BGP term direct then accept
set policy-options policy-statement BGP term BGP from protocol bgp
set policy-options policy-statement BGP term BGP then accept
set policy-options policy-statement Neighbor_Policy_reth0 from prefix-list Neighbor_Grp_reth0
set policy-options policy-statement Neighbor_Policy_reth0 then accept
set policy-options policy-statement Neighbor_Policy_reth1 from prefix-list Neighbor_Grp_reth1
set policy-options policy-statement Neighbor_Policy_reth1 then accept
set policy-options policy-statement Neighbor_Policy_reth2 from prefix-list Neighbor_Grp_reth2
set policy-options policy-statement Neighbor_Policy_reth2 then accept
set policy-options policy-statement Neighbor_Policy_reth3 from prefix-list Neighbor_Grp_reth3
set policy-options policy-statement Neighbor_Policy_reth3 then accept

Step-by-Step Procedure

To configure the security policies that permit the routing protocols and the market data traffic:

1. Create the policies and specify the match criteria for each one. The default-permit policy allows traffic between any source and any destination, but only for the BGP and PIM applications (PIM, without the junos- prefix, is a custom application name; its definition under the [edit applications] hierarchy is not shown in this excerpt). P1 and P2 permit any application from the two multicast source networks (MULTI and MULTI1) to the multicast group range NETWORK5 (224.0.0.0/4), and P3 permits any application between the unicast networks in the address book. Everything else within the TRUST zone is dropped by the default policy.
[edit security policies from-zone TRUST to-zone TRUST]
user@host# set policy default-permit match source-address any
user@host# set policy default-permit match destination-address any
user@host# set policy default-permit match application junos-bgp
user@host# set policy default-permit match application PIM
user@host# set policy default-permit then permit
user@host# set policy P1 match source-address MULTI
user@host# set policy P1 match destination-address NETWORK5
user@host# set policy P1 match application any
user@host# set policy P1 then permit
user@host# set policy P2 match source-address MULTI1
user@host# set policy P2 match destination-address NETWORK5
user@host# set policy P2 match application any
user@host# set policy P2 then permit
user@host# set policy P3 match source-address NETWORK1
user@host# set policy P3 match source-address NETWORK2
user@host# set policy P3 match source-address NETWORK3
user@host# set policy P3 match source-address NETWORK4
user@host# set policy P3 match source-address NETWORK7
user@host# set policy P3 match source-address NETWORK8
user@host# set policy P3 match source-address NETWORK10
user@host# set policy P3 match source-address NETWORK11
user@host# set policy P3 match destination-address NETWORK1
user@host# set policy P3 match destination-address NETWORK2
user@host# set policy P3 match destination-address NETWORK3
user@host# set policy P3 match destination-address NETWORK4
user@host# set policy P3 match destination-address NETWORK5
user@host# set policy P3 match destination-address NETWORK7
user@host# set policy P3 match destination-address NETWORK8
user@host# set policy P3 match destination-address NETWORK10
user@host# set policy P3 match application any
user@host# set policy P3 then permit

2. Configure the security zone, its address book, and the traffic that the reth interfaces accept for the device itself (host-inbound traffic). This example opens host-inbound-traffic to all system services and all protocols on every reth interface, which exposes every management service (SSH, HTTP, SNMP, and so on) and every routing protocol to the adjacent switches. In a production deployment, list only what the design needs under system-services and protocols (in this design, BGP and PIM, plus ping for troubleshooting) and leave the rest closed; the security policies in step 1 govern only transit traffic, not traffic destined to the SRX itself.

[edit]
user@host# set security zones security-zone TRUST address-book address NETWORK1 192.168.0.0/24
user@host# set security zones security-zone TRUST address-book address NETWORK2 10.5.5.0/24

user@host# set security zones security-zone TRUST address-book address MULTI 172.16.21.0/24
user@host# set security zones security-zone TRUST address-book address MULTI1 172.16.31.0/24
user@host# set security zones security-zone TRUST address-book address NETWORK3 172.16.2.0/24
user@host# set security zones security-zone TRUST address-book address NETWORK7 172.16.21.0/24
user@host# set security zones security-zone TRUST address-book address NETWORK8 172.16.31.0/24
user@host# set security zones security-zone TRUST address-book address NETWORK4 172.17.2.0/24
user@host# set security zones security-zone TRUST address-book address NETWORK10 172.17.21.0/24
user@host# set security zones security-zone TRUST address-book address NETWORK11 172.17.31.0/24
user@host# set security zones security-zone TRUST address-book address NETWORK5 224.0.0.0/4
user@host# set security zones security-zone TRUST interfaces reth0.0 host-inbound-traffic system-services all
user@host# set security zones security-zone TRUST interfaces reth0.0 host-inbound-traffic protocols all
user@host# set security zones security-zone TRUST interfaces reth1.0 host-inbound-traffic system-services all
user@host# set security zones security-zone TRUST interfaces reth1.0 host-inbound-traffic protocols all
user@host# set security zones security-zone TRUST interfaces reth2.0 host-inbound-traffic system-services all
user@host# set security zones security-zone TRUST interfaces reth2.0 host-inbound-traffic protocols all
user@host# set security zones security-zone TRUST interfaces reth3.0 host-inbound-traffic system-services all
user@host# set security zones security-zone TRUST interfaces reth3.0 host-inbound-traffic protocols all

3. Configure BGP. Each group peers with the two switches in AS 64512 and AS 64514 over the reth interfaces, exports the BGP policy (configured in step 4), and runs BFD with a 300 millisecond minimum interval and a multiplier of 3, so a failed peer is detected in about 900 milliseconds. Note that no session authentication is applied to these EBGP sessions in this example; the fsi authentication key chain defined on the QFX switch below is not bound to any session in this excerpt either.
[edit]
user@host# set protocols bgp group fsi_feeda export BGP
user@host# set protocols bgp group fsi_feeda local-as 65535
user@host# set protocols bgp group fsi_feeda bfd-liveness-detection minimum-interval 300
user@host# set protocols bgp group fsi_feeda bfd-liveness-detection multiplier 3
user@host# set protocols bgp group fsi_feeda neighbor 192.168.100.1 local-address 192.168.100.2
user@host# set protocols bgp group fsi_feeda neighbor 192.168.100.1 peer-as 64512
user@host# set protocols bgp group fsi_feeda neighbor 192.168.102.1 local-address 192.168.102.2
user@host# set protocols bgp group fsi_feeda neighbor 192.168.102.1 peer-as 64514
user@host# set protocols bgp group fsi_feedb export BGP
user@host# set protocols bgp group fsi_feedb local-as 65535
user@host# set protocols bgp group fsi_feedb bfd-liveness-detection minimum-interval 300
user@host# set protocols bgp group fsi_feedb bfd-liveness-detection multiplier 3
user@host# set protocols bgp group fsi_feedb neighbor 192.168.101.1 local-address 192.168.101.2
user@host# set protocols bgp group fsi_feedb neighbor 192.168.101.1 peer-as 64512
user@host# set protocols bgp group fsi_feedb neighbor 192.168.103.1 local-address 192.168.103.2
user@host# set protocols bgp group fsi_feedb neighbor 192.168.103.1 peer-as 64514

4. Configure the routing policies. The BGP export policy first rejects anything learned on the fxp0.0 management interface, so the out-of-band management network is never advertised to the market data switches, and then accepts direct and BGP routes. Each Neighbor_Policy_rethN policy accepts exactly one /32, the address of the switch expected on that reth interface, and is applied to PIM in step 5 so that the SRX forms a PIM adjacency only with that known peer.

[edit]
user@host# set policy-options prefix-list Neighbor_Grp_reth0 192.168.100.1/32
user@host# set policy-options prefix-list Neighbor_Grp_reth1 192.168.101.1/32
user@host# set policy-options prefix-list Neighbor_Grp_reth2 192.168.102.1/32
user@host# set policy-options prefix-list Neighbor_Grp_reth3 192.168.103.1/32
user@host# set policy-options policy-statement BGP term Mgmt from interface fxp0.0
user@host# set policy-options policy-statement BGP term Mgmt then reject
user@host# set policy-options policy-statement BGP term direct from protocol direct
user@host# set policy-options policy-statement BGP term direct then accept
user@host# set policy-options policy-statement BGP term BGP from protocol bgp
user@host# set policy-options policy-statement BGP term BGP then accept
user@host# set policy-options policy-statement Neighbor_Policy_reth0 from prefix-list Neighbor_Grp_reth0
user@host# set policy-options policy-statement Neighbor_Policy_reth0 then accept
user@host# set policy-options policy-statement Neighbor_Policy_reth1 from prefix-list Neighbor_Grp_reth1
user@host# set policy-options policy-statement Neighbor_Policy_reth1 then accept
user@host# set policy-options policy-statement Neighbor_Policy_reth2 from prefix-list Neighbor_Grp_reth2
user@host# set policy-options policy-statement Neighbor_Policy_reth2 then accept
user@host# set policy-options policy-statement Neighbor_Policy_reth3 from prefix-list Neighbor_Grp_reth3
user@host# set policy-options policy-statement Neighbor_Policy_reth3 then accept

5. Configure PIM with a static rendezvous point. A bootstrap priority of 0 keeps the SRX from being elected as the bootstrap router, the RP is the anycast address 10.5.5.254 that the QFX switches host on lo0 (see the QFX configuration below), the one second hello interval shortens neighbor loss detection, and each reth interface gets the neighbor policy that limits PIM adjacencies to its single expected peer.
[edit]
user@host# set protocols pim rp bootstrap family inet priority 0
user@host# set protocols pim rp static address 10.5.5.254
user@host# set protocols pim interface lo0.0
user@host# set protocols pim interface reth0.0 hello-interval 1
user@host# set protocols pim interface reth0.0 neighbor-policy Neighbor_Policy_reth0
user@host# set protocols pim interface reth1.0 hello-interval 1
user@host# set protocols pim interface reth1.0 neighbor-policy Neighbor_Policy_reth1
user@host# set protocols pim interface reth2.0 hello-interval 1
user@host# set protocols pim interface reth2.0 neighbor-policy Neighbor_Policy_reth2
user@host# set protocols pim interface reth3.0 hello-interval 1
user@host# set protocols pim interface reth3.0 neighbor-policy Neighbor_Policy_reth3

Configuring QFX5100 QFX_10.5.5.1

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

[edit]
set system host-name QFX_10.5.5.1
set system name-server 172.17.28.100
set system ntp server 172.17.28.5
set system ntp server 10.204.37.156
set chassis aggregated-devices ethernet device-count 4
set security authentication-key-chains key-chain fsi key 0 secret "$9$xCvdVsUDkfQn4aQF"
set security authentication-key-chains key-chain fsi key 0 start-time "2016-1-1.00:00:00 +0000"
set security authentication-key-chains key-chain fsi key 1 secret "$9$1tWhcrx7V2oGvWaZ"
set security authentication-key-chains key-chain fsi key 1 start-time "2016-1-1.00:01:00 +0000"
set interfaces xe-0/0/0 ether-options 802.3ad ae1
set interfaces xe-0/0/1 ether-options 802.3ad ae2
set interfaces ae2 mtu 9192

set interfaces ae2 aggregated-ether-options lacp active
set interfaces ae2 aggregated-ether-options lacp periodic fast
set interfaces ae2 unit 0 family ethernet-switching interface-mode trunk
set interfaces ae2 unit 0 family ethernet-switching vlan members 100
set interfaces ae1 mtu 9192
set interfaces ae1 aggregated-ether-options lacp active
set interfaces ae1 aggregated-ether-options lacp periodic fast
set interfaces ae1 unit 0 family ethernet-switching interface-mode trunk
set interfaces ae1 unit 0 family ethernet-switching vlan members 100
set interfaces irb mtu 9192
set interfaces irb unit 100 family inet mtu 9120
set interfaces irb unit 100 family inet address 192.168.100.1/24
set interfaces irb unit 2 family inet address 172.16.2.1/24 vrrp-group 0 virtual-address 172.16.2.254
set interfaces irb unit 2 family inet address 172.16.2.1/24 vrrp-group 0 accept-data
set interfaces irb unit 21 family inet address 172.16.21.2/24 vrrp-group 0 virtual-address 172.16.21.254
set interfaces irb unit 21 family inet address 172.16.21.2/24 vrrp-group 0 accept-data
set interfaces lo0 unit 0 family inet address 10.5.5.1/32 primary
set interfaces lo0 unit 0 family inet address 10.5.5.254/32
set interfaces em0 unit 0 family inet address 10.219.29.188/26
set interfaces ge-0/0/13 ether-options 802.3ad ae100
set interfaces ae100 aggregated-ether-options lacp active
set interfaces ae100 aggregated-ether-options lacp periodic fast
set interfaces ae100 unit 0 family ethernet-switching interface-mode trunk
set interfaces ae100 unit 0 family ethernet-switching vlan members 2
set interfaces ge-0/0/23 unit 0 family ethernet-switching vlan members 21
set protocols bgp group fsi export BGP
set protocols bgp group fsi bfd-liveness-detection minimum-interval 300
set protocols bgp group fsi bfd-liveness-detection multiplier 3
set protocols bgp group fsi neighbor 192.168.100.2 local-address 192.168.100.1
set protocols bgp group fsi neighbor 192.168.100.2 peer-as 65535
set protocols bgp group fsi neighbor 192.168.100.2 local-as 64512
set protocols bgp group fsi_ibgp type internal
set protocols bgp group fsi_ibgp local-address 10.5.5.1
set protocols bgp group fsi_ibgp export BGP
set protocols bgp group fsi_ibgp local-as 64512
set protocols bgp group fsi_ibgp bfd-liveness-detection minimum-interval 300
set protocols bgp group fsi_ibgp bfd-liveness-detection multiplier 3
set protocols bgp group fsi_ibgp neighbor 10.5.5.2
set protocols msdp peer 10.5.5.4 local-address 10.5.5.1
set protocols ospf area 0.0.0.0 interface lo0.0
set protocols ospf area 0.0.0.0 interface irb.2
set protocols ospf area 0.0.0.0 interface irb.21 passive
set protocols pim rp local family inet address 10.5.5.254
set protocols pim interface irb.100 hello-interval 1
set protocols pim interface irb.100 neighbor-policy Neighbor_Policy
set protocols pim interface irb.2
set protocols pim interface irb.21
set protocols pim interface lo0.0
set protocols igmp-snooping vlan V_21
set policy-options prefix-list Neighbor_Grp 192.168.100.2/32
set policy-options policy-statement BGP term Mgmt from interface em0.0
set policy-options policy-statement BGP term Mgmt then reject
set policy-options policy-statement BGP term direct from protocol direct
set policy-options policy-statement BGP term direct then accept
set policy-options policy-statement BGP term BGP from protocol bgp
set policy-options policy-statement BGP term BGP then accept
set policy-options policy-statement BGP term Last then reject
set policy-options policy-statement Neighbor_Policy from prefix-list Neighbor_Grp
set policy-options policy-statement Neighbor_Policy then accept
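Before committing either device, it is worth checking the configuration offline for the controls that the procedures above depend on: that each redundancy group monitors exactly the child links of its own reth interfaces (step 6 of the chassis cluster procedure), that every PIM interface other than lo0.0 carries a neighbor policy whose prefix list holds only host routes, that no zone interface opens host-inbound-traffic to all, and that every BGP export policy rejects routes from the management interface (SRX steps 2 to 5 and the QFX quick configuration). The following Python script is an added example, not part of this Juniper document and not a Junos tool; it parses set-style configuration text such as the quick configurations on this page. The finding names, the MGMT_IFACES set (fxp0.0 on the SRX and em0.0 on the QFX, as used in this example) and the two sample inputs are the script's own: the first sample is constructed and abridged from the SRX commands above, the second is a constructed counter-example in which every check fires.

```python
"""Audit a Junos set-style configuration for the controls this example relies on.
Added example, not part of the Juniper document: the finding names, the
management-interface list and the sample inputs below are this script's own."""
import re
from collections import defaultdict

# Assumption: out-of-band management interfaces (fxp0 on the SRX, em0 on the QFX
# in this example); a BGP export policy must reject anything learned on them.
MGMT_IFACES = {"fxp0.0", "em0.0"}


def parse(text):
    """One token list per 'set ...' line; prompts, banners and blank lines are dropped."""
    lines = (re.sub(r"^\s*(user@host#\s*)?", "", l.strip()) for l in text.splitlines())
    return [l.split() for l in lines if l.startswith("set ") and len(l.split()) > 2]


def audit(text):
    """Return sorted (check, detail) findings; an empty list means every check passed."""
    findings = set()
    reth_rg, reth_members, rg_monitor = {}, defaultdict(set), defaultdict(set)
    pim_ifaces, pim_policy, policy_pl, prefixes = set(), {}, {}, defaultdict(set)
    bgp_exports, term_from_if, term_reject = set(), {}, set()
    for t in parse(text):
        if t[1] == "interfaces" and "redundant-parent" in t:
            reth_members[t[-1]].add(t[2])                      # child xe-* -> reth
        elif t[1] == "interfaces" and t[3:5] == ["redundant-ether-options", "redundancy-group"]:
            reth_rg[t[2]] = t[5]                               # reth -> redundancy group
        elif t[1:4] == ["chassis", "cluster", "redundancy-group"] and t[5:6] == ["interface-monitor"]:
            rg_monitor[t[4]].add(t[6])
        elif t[1:4] == ["protocols", "pim", "interface"]:
            pim_ifaces.add(t[4])
            if t[5:6] == ["neighbor-policy"]:
                pim_policy[t[4]] = t[6]
        elif t[1:3] == ["policy-options", "policy-statement"]:
            if t[4:6] == ["from", "prefix-list"]:
                policy_pl[t[3]] = t[6]
            elif t[4:5] == ["term"] and t[6:8] == ["from", "interface"]:
                term_from_if[(t[3], t[5])] = t[8]
            elif t[4:5] == ["term"] and t[6:8] == ["then", "reject"]:
                term_reject.add((t[3], t[5]))
        elif t[1:3] == ["policy-options", "prefix-list"]:
            prefixes[t[3]].add(t[4])
        elif t[1:3] == ["security", "zones"] and "host-inbound-traffic" in t and t[-1] == "all":
            scope = t[t.index("host-inbound-traffic") - 1]    # interface (or zone) name
            findings.add(("host-inbound-all", f"{scope} {t[-2]}"))
        elif t[1:3] == ["protocols", "bgp"] and "export" in t:
            bgp_exports.add(t[t.index("export") + 1])
    # A redundancy group must monitor exactly the child links of its reth interfaces.
    for reth, rg in reth_rg.items():
        for child in reth_members[reth] - rg_monitor[rg]:
            findings.add(("reth-member-unmonitored", f"{child} of {reth} (RG {rg})"))
    for rg, monitored in rg_monitor.items():
        expected = {c for r, g in reth_rg.items() if g == rg for c in reth_members[r]}
        for iface in monitored - expected:
            findings.add(("monitor-not-in-rg", f"{iface} (RG {rg})"))
    # Every PIM interface except the loopback must accept only its known /32 peer.
    for iface in pim_ifaces - {"lo0.0"}:
        if iface not in pim_policy:
            findings.add(("pim-no-neighbor-policy", iface))
            continue
        for prefix in prefixes.get(policy_pl.get(pim_policy[iface]), ()):
            if not prefix.endswith("/32"):
                findings.add(("pim-neighbor-not-host-route", f"{iface} {prefix}"))
    # Every BGP export policy needs a term that rejects management-interface routes.
    for policy in bgp_exports:
        terms = {term for (p, term), i in term_from_if.items() if p == policy and i in MGMT_IFACES}
        if not any((policy, term) in term_reject for term in terms):
            findings.add(("bgp-export-no-mgmt-reject", policy))
    return sorted(findings)


# Constructed sample, abridged from the SRX commands in this example (RG 1 / reth0 only).
SRX_CONFIG = """
set chassis cluster redundancy-group 1 interface-monitor xe-4/0/0 weight 255
set chassis cluster redundancy-group 1 interface-monitor xe-10/0/1 weight 255
set interfaces xe-4/0/0 gigether-options redundant-parent reth0
set interfaces xe-10/0/1 gigether-options redundant-parent reth0
set interfaces reth0 redundant-ether-options redundancy-group 1
set security zones security-zone TRUST interfaces reth0.0 host-inbound-traffic system-services all
set security zones security-zone TRUST interfaces reth0.0 host-inbound-traffic protocols all
set protocols bgp group fsi_feeda export BGP
set protocols pim interface lo0.0
set protocols pim interface reth0.0 neighbor-policy Neighbor_Policy_reth0
set policy-options prefix-list Neighbor_Grp_reth0 192.168.100.1/32
set policy-options policy-statement BGP term Mgmt from interface fxp0.0
set policy-options policy-statement BGP term Mgmt then reject
set policy-options policy-statement Neighbor_Policy_reth0 from prefix-list Neighbor_Grp_reth0
"""

# Constructed counter-example: unmonitored reth child, stray monitor entry, PIM interface
# open to any neighbor, /24 neighbor prefix, export policy without a management reject.
BROKEN_CONFIG = """
set chassis cluster redundancy-group 2 interface-monitor xe-10/0/0 weight 255
set chassis cluster redundancy-group 2 interface-monitor xe-4/0/2 weight 255
set interfaces xe-10/0/0 gigether-options redundant-parent reth1
set interfaces xe-4/0/1 gigether-options redundant-parent reth1
set interfaces reth1 redundant-ether-options redundancy-group 2
set protocols bgp group fsi_feedb export BGP
set protocols pim interface reth1.0 hello-interval 1
set protocols pim interface reth3.0 neighbor-policy Neighbor_Policy_reth3
set policy-options prefix-list Neighbor_Grp_reth3 192.168.103.0/24
set policy-options policy-statement BGP term direct from protocol direct
set policy-options policy-statement BGP term direct then accept
set policy-options policy-statement Neighbor_Policy_reth3 from prefix-list Neighbor_Grp_reth3
"""
```

Run against the SRX commands on this page, the only findings are host-inbound-all entries, one per reth interface and traffic class, which is exactly the item a production deployment should tighten; the chassis cluster, PIM and BGP export checks all pass, and the QFX quick configuration passes its PIM and export checks as well. The counter-example yields one finding per check (bgp-export-no-mgmt-reject, monitor-not-in-rg, pim-neighbor-not-host-route, pim-no-neighbor-policy and reth-member-unmonitored). Paste a device's `show configuration | display set` output into audit() to run the same checks against a live box.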