Network Configuration Example Validated Reference - Business Edge Solution - Device R-10 Release 1.0 Published: 2014-03-31
Juniper Networks, Inc.
1194 North Mathilda Avenue
Sunnyvale, California 94089 USA
408-745-2000
www.juniper.net

Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.

Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

Network Configuration Example Validated Reference - Business Edge Solution - Device R-10 (NCE0129). All rights reserved. The information in this document is current as of the date on the title page.

YEAR 2000 NOTICE: Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.

END USER LICENSE AGREEMENT: The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License Agreement (EULA) posted at http://www.juniper.net/support/eula.html. By downloading, installing or using such software, you agree to the terms and conditions of that EULA.
Table of Contents

Introduction (page 1)
Business Edge Overview (page 1)
Business Edge Solution Lab Testing and Validation Architecture (page 2)
Related Business Edge Validated Reference NCEs (page 3)
Device R-10 Chassis Hardware (page 4)
Device R-10 Business Edge Solution Test Lab Configuration (page 5)
Introduction

Business Edge Overview

This document provides a validated reference network configuration example (NCE) for Device R-10 as used in the configurations detailed in the Business Edge Solution 1.0 Design Guide. Device R-10 is a Juniper Networks SRX240 Services Gateway functioning as a firewall. A validated reference NCE is a direct presentation of a tested, validated, and working configuration. This document is intended for experienced engineers who have a working knowledge of Junos operating system (Junos OS) configurations in hierarchical format.

The Juniper Networks business edge solution provides design guidance and configurations that enable the provisioning of services to business customers and that support other carrier services to residential and mobile operating units. The solution provides a proven path to service convergence over a common IP infrastructure so that the provider can quickly, safely, and conveniently realize the benefits of a fully verified Juniper Networks-based reference architecture. The solution is a complete and deployable network architecture designed to leverage the variety of advanced and often overlooked technologies inherent in Juniper Networks software and hardware.

Juniper Networks has developed this solution with the goal of enabling a streamlined business edge that can create new areas for monetization and help prevent erosion of service margins. By accelerating time to revenue at the business edge, the solution is the first step in streamlining the provider edge and creates new areas for expansion and consolidation. The next step in this transformation is the introduction of the Juniper Networks universal edge.

The universal edge is a consolidation of business services, residential services, and the wireless edge onto a common IP infrastructure. It reduces the need for redundant networks and network elements, enabling expense reduction and optimizing traffic flow to support the complete footprint of service provider offerings. Service providers constantly look to extract additional value from the network by positioning themselves to profitably leverage converging services and network functionality. A performance-focused, highly reliable business edge is needed to cost-effectively meet the growth in subscribers, services, and traffic driven by an increasingly connected workforce and by business requirements that treat the network as a commodity rather than a luxury. Transformation to a universal edge starts with the adoption of a complete business edge architecture that enables a smooth transition to an edge supporting not only business, but also residential subscribers and mobility networks.
Business Edge Solution Lab Testing and Validation Architecture

This validated reference NCE is part of a complete, tested, and validated business edge solution topology. This document focuses specifically on Device R-10 as shown in Figure 1 on page 2. Device R-10 is a Juniper Networks SRX240 Services Gateway functioning as a firewall.

Figure 1: Business Edge Solution Lab Testing Architecture

Related Business Edge Validated Reference NCEs

For configurations of the other routing devices used in the Business Edge solution test lab topology, refer to the following:

- Validated Reference - Business Edge Solution - Device P-0
- Validated Reference - Business Edge Solution - Device P-1
- Validated Reference - Business Edge Solution - Device PE-2
- Validated Reference - Business Edge Solution - Device PE-3
- Validated Reference - Business Edge Solution - Device PE-4
- Validated Reference - Business Edge Solution - Device PE-5
- Validated Reference - Business Edge Solution - Device PE-6
- Validated Reference - Business Edge Solution - Device R7
- Validated Reference - Business Edge Solution - Device CE-1
- Validated Reference - Business Edge Solution - Device R9
Device R-10 Chassis Hardware

The Juniper Networks Business Edge Solution Design Guide makes reference to several configuration scenarios. The scenarios described contain various routers that were configured and tested in the Juniper Networks test lab. Device R-10 is a Juniper Networks SRX240 Services Gateway functioning as a firewall. Table 1 on page 4 lists the hardware contained in this device.

Table 1: Chassis Hardware (R-10)

Chassis Component   Version   Part Number   FRU Model Number
Chassis                                     SRX240H
Routing Engine      REV 47    750-021793    RE-SRX240H
FPC 0                                       FPC
  PIC 0                                     16x GE Base PIC
FPC 1               REV 07    750-023367    FPC
  PIC 0                                     1x T1E1 mpim
FPC 2               REV 07    750-023367    FPC
  PIC 0                                     1x T1E1 mpim
Power Supply
Device R-10 Business Edge Solution Test Lab Configuration

The following configuration was used for Device R-10 in Release 1.0 of the Business Edge test lab configuration.

CAUTION: The following configuration contains values specific to the Juniper Networks test lab environment. It is intended as an example configuration and not for deployment in a production network without first making the modifications an external deployment requires. In particular, the management settings inherited from the global group are lab conveniences: the finger, ftp, rlogin, rsh, telnet, and xnm-clear-text services and HTTP web management are unencrypted management channels; the SNMP communities use the well-known names public and private, and private is granted read-write; and the HOST, spokes, hubs, and redundancy zones accept all (or any-service) host-inbound system services. For a production firewall, limit management to ssh and netconf over ssh, replace the SNMP communities (SNMPv3, or at least non-default names restricted with a client-list), and permit only the host-inbound services each zone actually needs.

version 12.1R6-S2;
groups {
    global {
        system {
            domain-name juniper.net;
            time-zone America/Los_Angeles;
            authentication-order [ password radius tacplus ];
            root-authentication {
                encrypted-password <password removed>; ## SECRET-DATA
            }
            name-server {
                192.168.5.68;
                192.168.60.131;
            }
            radius-server {
                192.168.69.162 secret <password removed>; ## SECRET-DATA
                192.168.60.52 secret <password removed>; ## SECRET-DATA
            }
            tacplus-server {
                192.168.5.73 {
                    secret <password removed>; ## SECRET-DATA
                    timeout 15;
                    single-connection;
                }
            }
            login {
                class readonly {
                    permissions [ interface network routing system trace view ];
                }
                user remote {
                    uid 9999;
                    class superuser;
                    shell csh;
                }
            }
            services {
                finger;
                ftp;
                rlogin;
                rsh;
                ssh;
                telnet;
                xnm-clear-text;
                netconf {
                    ssh;
                }
                web-management {
                    http;
                }
            }
            syslog {
                host log {
                    kernel info;
                    any notice;
                    pfe info;
                    interactive-commands any;
                }
                file messages {
                    kernel info;
                    any notice;
                    authorization info;
                    pfe info;
                    archive world-readable;
                }
                file security {
                    interactive-commands any;
                    archive world-readable;
                }
            }
            ntp {
                boot-server 172.17.28.5;
                server 172.17.28.5;
            }
        }
        chassis {
        }
        interfaces {
            lo0 {
                unit 0 {
                    family inet {
                        address 127.0.0.1/32;
                        address 10.255.50.205/32 {
                            primary;
                        }
                    }
                    family iso {
                        address 47.0005.80ff.f800.0000.0108.0001.0102.5505.0205.00;
                    }
                    family inet6 {
                        address abcd::10:255:50:205/128 {
                            primary;
                        }
                    }
                }
            }
        }
        snmp {
            location "Business Edge Solution Lab";
            contact "Business Edge Lab Admin";
            interface ge-0/0/0.0;
            community public {
                authorization read-only;
            }
            community private {
                authorization read-write;
            }
        }
        routing-options {
            static {
                route 172.16.0.0/12 {
                    next-hop 192.168.50.254;
                    retain;
                    no-readvertise;
                }
                route 192.168.0.0/16 {
                    next-hop 192.168.50.254;
                    retain;
                    no-readvertise;
                }
            }
            router-id 10.255.50.205;
        }
        security {
            forwarding-options {
                family {
                    inet6 {
                        mode flow-based;
                    }
                }
            }
            zones {
                security-zone HOST {
                    host-inbound-traffic {
                        system-services {
                            any-service;
                        }
                        protocols {
                            all;
                        }
                    }
                    interfaces {
                        ge-0/0/0.0;
                    }
                }
            }
        }
        applications {
            application junos-telnet inactivity-timeout never;
            application junos-ssh inactivity-timeout never;
        }
    }
    re0 {
        system {
            host-name pdt-srxwan-b;
            backup-router 192.168.50.254;
        }
        interfaces {
            ge-0/0/0 {
                unit 0 {
                    family inet {
                        address 192.168.50.205/25;
                    }
                }
            }
        }
    }
}
apply-groups [ global re0 ];
system {
    no-redirects;
    ports {
        console log-out-on-disconnect;
    }
}
interfaces {
    ge-0/0/12 {
        vlan-tagging;
        unit 1 {
            vlan-id 1;
            family inet {
                address 1.0.0.90/30;
            }
            family inet6 {
                address 2002::1.0.0.90/126;
            }
        }
        unit 2 {
            vlan-id 2;
            family inet {
                address 1.0.0.94/30;
            }
            family inet6 {
                address 2002::1.0.0.94/126;
            }
        }
        unit 3 {
            vlan-id 3;
            family inet {
                address 1.0.0.102/30;
            }
            family inet6 {
                address 2002::1.0.0.102/126;
            }
        }
        unit 4 {
            vlan-id 4;
            family inet {
                address 1.0.0.110/30;
            }
        }
    }
}
routing-options {
    autonomous-system 64513;
}
policy-options {
    policy-statement dst-nat-pool {
        term a {
            from {
                protocol static;
                rib vr1.inet.0;
                route-filter 1.1.1.96/28 exact;
                condition fwnat-active-device;
            }
            then accept;
        }
        term b {
            then reject;
        }
    }
    policy-statement export-beacon {
        from {
            protocol static;
            route-filter 2.2.2.2/32 exact;
        }
        then accept;
    }
    policy-statement fwservice-conditional-export {
        term a {
            from {
                protocol bgp;
                condition fwnat-active-device;
            }
            then accept;
        }
        term b {
            from {
                protocol bgp;
                rib vr1.inet6.0;
                condition fwnat-active-device;
            }
            then accept;
        }
        term c {
            then reject;
        }
    }
    policy-statement set-preference-based-on-community {
        term primary {
            from community c-primary;
            then {
                preference 171;
            }
        }
        term secondary {
            from community c-secondary;
            then {
                preference 172;
            }
        }
    }
    policy-statement use-static-beacon-only {
        term accept-static-beacon {
            from {
                protocol static;
                route-filter 2.2.2.2/32 exact;
            }
            then accept;
        }
        term reject-the-rest {
            then reject;
        }
    }
    community c-primary members 900:1;
    community c-secondary members 1000:1;
    condition fwnat-active-device {
        if-route-exists {
            0.0.0.0/0;
            table RedundTrack.inet.0;
        }
    }
}
security {
    screen {
        ids-option trust-screen {
            limit-session {
                source-ip-based 300;
                destination-ip-based 310;
            }
        }
        ids-option untrust-screen {
            tcp {
                syn-ack-ack-proxy threshold 1000;
            }
            limit-session {
                source-ip-based 10;
                destination-ip-based 5;
            }
        }
    }
    nat {
        source {
            pool NAT-range-v4 {
                routing-instance {
                    vr1;
                }
                address {
                    76.129.250.10/32 to 76.129.250.20/32;
                }
            }
            pool NAT-range-v6 {
                routing-instance {
                    vr1;
                }
                address {
                    2002::76.129.250.10/128 to 2002::76.129.250.20/128;
                }
            }
            rule-set internet-access {
                from zone [ hubs spokes ];
                to zone untrust;
                rule customer-a {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            pool {
                                NAT-range-v4;
                            }
                        }
                    }
                }
                rule customer-a-v6 {
                    match {
                        source-address 0::0/0;
                        destination-address 0::0/0;
                    }
                    then {
                        source-nat {
                            pool {
                                NAT-range-v6;
                            }
                        }
                    }
                }
            }
        }
        destination {
            pool dst-nat-pool-1 {
                routing-instance {
                    vr1;
                }
                address 100.10.10.1/32;
            }
            pool dst-nat-pool-2 {
                routing-instance {
                    vr1;
                }
                address 110.10.10.1/32;
            }
            pool dst-nat-pool-3 {
                routing-instance {
                    vr1;
                }
                address 120.10.10.1/32;
            }
            pool dst-nat-pool-4 {
                routing-instance {
                    vr1;
                }
                address 200.10.10.1/32;
            }
            rule-set server-access {
                from zone untrust;
                rule server1 {
                    match {
                        destination-address 1.1.1.100/32;
                    }
                    then {
                        destination-nat pool dst-nat-pool-1;
                    }
                }
                rule server2 {
                    match {
                        destination-address 1.1.1.101/32;
                    }
                    then {
                        destination-nat pool dst-nat-pool-2;
                    }
                }
                rule server3 {
                    match {
                        destination-address 1.1.1.102/32;
                    }
                    then {
                        destination-nat pool dst-nat-pool-3;
                    }
                }
                rule server4 {
                    match {
                        destination-address 1.1.1.103/32;
                    }
                    then {
                        destination-nat pool dst-nat-pool-4;
                    }
                }
            }
        }
        proxy-arp {
            interface ge-0/0/12.1 {
                address {
                    1.1.1.100/32 to 1.1.1.103/32;
                }
            }
        }
    }
    policies {
        from-zone spokes to-zone spokes {
            policy permit-all {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone spokes to-zone hubs {
            policy permit-all {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone hubs to-zone spokes {
            policy permit-all {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone spokes {
            policy server-access {
                match {
                    source-address any;
                    destination-address [ spoke-site1 spoke-site2 spoke-site3 ];
                    application any;
                }
                then {
                    permit;
                }
            }
            policy server-accessv6 {
                match {
                    source-address any;
                    destination-address spoke-site1-v6;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone hubs {
            policy server-access {
                match {
                    source-address any;
                    destination-address hub-site1;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone spokes to-zone redundancy {
            policy permit-all {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone hubs to-zone redundancy {
            policy permit-all {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone spokes to-zone untrust {
            policy server-access {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone hubs to-zone untrust {
            policy server-access {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone untrust {
            screen untrust-screen;
            interfaces {
                ge-0/0/12.1;
            }
        }
        security-zone redundancy {
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
            interfaces {
                ge-0/0/12.4;
            }
        }
        security-zone spokes {
            tcp-rst;
            address-book {
                address spoke-site1 100.10.10.1/32;
                address spoke-site2 110.10.10.1/32;
                address spoke-site3 120.10.10.1/32;
                address spoke-site1-v6 2002::100.10.10.1/128;
            }
            screen trust-screen;
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
            interfaces {
                ge-0/0/12.2;
            }
        }
        security-zone hubs {
            tcp-rst;
            address-book {
                address hub-site1 200.10.10.1/32;
            }
            screen trust-screen;
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
            interfaces {
                ge-0/0/12.3;
            }
        }
    }
}
routing-instances {
    RedundTrack {
        instance-type virtual-router;
        interface ge-0/0/12.4;
        routing-options {
            static {
                route 2.2.2.2/32 {
                    discard;
                    preference 172;
                    community 1000:1;
                }
            }
            aggregate {
                route 0.0.0.0/0 policy use-static-beacon-only;
            }
        }
        protocols {
            bgp {
                group ebgp-l3vpn {
                    metric-out 172;
                    import set-preference-based-on-community;
                    export export-beacon;
                    peer-as 70;
                    neighbor 1.0.0.109;
                }
            }
        }
    }
    vr1 {
        instance-type virtual-router;
        interface ge-0/0/12.1;
        interface ge-0/0/12.2;
        interface ge-0/0/12.3;
        routing-options {
            rib vr1.inet6.0 {
                static {
                    route 2002::1.1.1.96/124 discard;
                }
            }
            static {
                route 1.1.1.96/28 discard;
            }
            autonomous-system 64513;
        }
        protocols {
            bgp {
                group DIA-PE {
                    export [ dst-nat-pool fwservice-conditional-export ];
                    peer-as 70;
                    neighbor 1.0.0.89 {
                        as-override;
                    }
                    neighbor 2002::1.0.0.89 {
                        family inet6 {
                            unicast;
                        }
                        as-override;
                    }
                }
                group L3VPN-PE {
                    export fwservice-conditional-export;
                    peer-as 70;
                    neighbor 1.0.0.93 {
                        as-override;
                    }
                    neighbor 1.0.0.101 {
                        as-override;
                    }
                    neighbor 2002::1.0.0.93 {
                        family inet6 {
                            unicast;
                        }
                        as-override;
                    }
                    neighbor 2002::1.0.0.101 {
                        family inet6 {
                            unicast;
                        }
                        as-override;
                    }
                }
            }
        }
    }
}
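The management settings called out in the caution above are the kind of thing worth checking mechanically before a lab configuration is reused. The following script is an added example and not Juniper code: it flattens brace-structured `show configuration` text into statement paths, folds in the groups named by `apply-groups` (the lab's services and SNMP settings live in group `global`, so an audit that ignores groups would miss them), and flags the cleartext services, HTTP web management, well-known or read-write SNMP communities, and zones that accept every host-inbound service. `R10_EXCERPT` is a constructed excerpt of the stanzas shown on this page; the function names are the example's own.

```python
"""Audit a Junos configuration for lab-only management settings (added
example, not Juniper code). Flattens brace-structured `show configuration`
text into statement paths, folds in the groups named by apply-groups, and
flags what the R-10 lab configuration carries but production should not."""

# Constructed excerpt of the R-10 stanzas shown on this page.
R10_EXCERPT = """
groups {
    global {
        system {
            services {
                finger;
                ftp;
                rlogin;
                rsh;
                ssh;
                telnet;
                xnm-clear-text;
                web-management {
                    http;
                }
            }
        }
        snmp {
            community public {
                authorization read-only;
            }
            community private {
                authorization read-write;
            }
        }
    }
}
apply-groups [ global re0 ];
security {
    zones {
        security-zone spokes {
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
        }
    }
}
"""

CLEARTEXT_SERVICES = {"finger", "ftp", "rlogin", "rsh", "telnet", "xnm-clear-text"}


def parse_junos(text):
    """Flatten brace-structured Junos config into tuples of path elements."""
    stack, stmts = [], []
    for raw in text.splitlines():
        line = raw.split("##", 1)[0].strip()  # drop "## SECRET-DATA" annotations
        if not line:
            continue
        if line.endswith("{"):
            stack.append(line[:-1].strip())
        elif line == "}":
            stack.pop()
        else:
            stmts.append(tuple(stack) + (line.rstrip(";"),))
    if stack:
        raise ValueError("unbalanced braces in configuration")
    return stmts

def effective(stmts):
    """Merge applied groups: strip 'groups <name>' from statements of every
    group named in apply-groups so they compare like direct configuration."""
    applied = set()
    for s in stmts:
        if len(s) == 1 and s[0].startswith("apply-groups"):
            applied.update(s[0].split("[", 1)[1].rstrip("]").split())
    merged = []
    for s in stmts:
        if s[0] != "groups":
            merged.append(s)
        elif len(s) > 2 and s[1] in applied:
            merged.append(s[2:])
    return merged

def audit(text):
    """Return the list of findings for a configuration text."""
    findings = []
    for s in effective(parse_junos(text)):
        if s[:2] == ("system", "services") and len(s) > 2:
            if s[2] in CLEARTEXT_SERVICES:
                findings.append(f"cleartext management service enabled: {s[2]}")
            elif s[2:] == ("web-management", "http"):
                findings.append("web-management over plain http")
        elif len(s) == 3 and s[0] == "snmp" and s[1].startswith("community "):
            name = s[1].split()[1]
            if name in ("public", "private"):
                findings.append(f"well-known SNMP community name: {name}")
            if s[2] == "authorization read-write":
                findings.append(f"SNMP read-write community: {name}")
        elif (len(s) == 6 and s[:2] == ("security", "zones")
              and s[3:5] == ("host-inbound-traffic", "system-services")
              and s[5] in ("all", "any-service")):
            findings.append(f"{s[2]} accepts every host-inbound service ({s[5]})")
    return findings
```

Running `audit(R10_EXCERPT)` reports the six cleartext services, the HTTP web management, both well-known community names, the read-write `private` community, and the `spokes` zone's `system-services all`; `ssh` is left alone. Statements in a group that is not listed in `apply-groups` are dropped rather than audited, which matches what the device would actually run.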
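The `security nat`, `security policies`, and `security zones` stanzas above only make sense together: an Internet-side session to 1.1.1.100 is rewritten by the `server-access` destination NAT rule-set before the policy lookup, so the `untrust` to `spokes` policy matches on `spoke-site1` (100.10.10.1), not on the public address. The following model is an added example, not Juniper code. The NAT pools, zone address books, and IPv4 policies are transcribed from this page; which zone a translated address routes into is an assumption derived from the zone address books (vr1's routing table is not on the page); the sample flows are constructed.

```python
"""How the R-10 configuration treats a session by zone pair (added
example, not Juniper code). On the SRX the order is destination NAT,
route lookup for the egress zone, zone-pair policy, then source NAT.
Assumption: an address in a zone's address book routes into that zone and
anything else routes to untrust; only the IPv4 rules are modelled."""
import ipaddress

# security nat destination rule-set server-access (from zone untrust)
DST_NAT = {"1.1.1.100": "100.10.10.1", "1.1.1.101": "110.10.10.1",
           "1.1.1.102": "120.10.10.1", "1.1.1.103": "200.10.10.1"}

# zone address books
ADDRESS_BOOK = {
    "spokes": {"spoke-site1": "100.10.10.1/32", "spoke-site2": "110.10.10.1/32",
               "spoke-site3": "120.10.10.1/32"},
    "hubs": {"hub-site1": "200.10.10.1/32"},
}

# security policies: (from-zone, to-zone) -> [(policy, destination-address names, action)]
ANY = ["any"]
POLICIES = {
    ("spokes", "spokes"): [("permit-all", ANY, "permit")],
    ("spokes", "hubs"): [("permit-all", ANY, "permit")],
    ("hubs", "spokes"): [("permit-all", ANY, "permit")],
    ("untrust", "spokes"): [("server-access", ["spoke-site1", "spoke-site2", "spoke-site3"], "permit")],
    ("untrust", "hubs"): [("server-access", ["hub-site1"], "permit")],
    ("spokes", "redundancy"): [("permit-all", ANY, "permit")],
    ("hubs", "redundancy"): [("permit-all", ANY, "permit")],
    ("spokes", "untrust"): [("server-access", ANY, "permit")],
    ("hubs", "untrust"): [("server-access", ANY, "permit")],
}


def zone_of(addr):
    """Egress zone of a destination (assumption: address-book membership
    stands in for the vr1 route lookup)."""
    ip = ipaddress.ip_address(addr)
    for zone, book in ADDRESS_BOOK.items():
        if any(ip in ipaddress.ip_network(net) for net in book.values()):
            return zone
    return "untrust"

def destination_nat(from_zone, dst):
    """rule-set server-access applies only to sessions from zone untrust."""
    return DST_NAT.get(dst, dst) if from_zone == "untrust" else dst

def source_nat_pool(from_zone, to_zone):
    """rule-set internet-access: from [ hubs spokes ] to untrust -> NAT-range-v4."""
    return "NAT-range-v4" if from_zone in ("hubs", "spokes") and to_zone == "untrust" else None

def policy_lookup(from_zone, to_zone, dst):
    """First matching policy for the zone pair; no policy is the SRX default deny."""
    ip = ipaddress.ip_address(dst)
    for name, dsts, action in POLICIES.get((from_zone, to_zone), []):
        for entry in dsts:
            net = None if entry == "any" else ADDRESS_BOOK[to_zone].get(entry)
            if entry == "any" or (net and ip in ipaddress.ip_network(net)):
                return name, action
    return None, "deny"

def evaluate(from_zone, dst):
    """Run a session through destination NAT, zone lookup, policy, source NAT."""
    translated = destination_nat(from_zone, dst)
    to_zone = zone_of(translated)
    policy, action = policy_lookup(from_zone, to_zone, translated)
    return {"to_zone": to_zone, "destination": translated, "policy": policy,
            "action": action,
            "source_nat": source_nat_pool(from_zone, to_zone) if action == "permit" else None}


if __name__ == "__main__":
    # constructed sample flows
    for from_zone, dst in [("untrust", "1.1.1.100"), ("untrust", "1.1.1.103"),
                           ("untrust", "1.1.1.105"), ("spokes", "198.51.100.7"),
                           ("redundancy", "100.10.10.1")]:
        print(from_zone, dst, evaluate(from_zone, dst))
```

Two results are worth noticing. A public address with no destination NAT rule (1.1.1.105 in the sample) is not translated, stays in `untrust`, and there is no `untrust` to `untrust` policy, so it is dropped. The `redundancy` zone appears only as a destination: there is no policy from `redundancy` to any zone, so a session that originates there is denied by the default policy, while `spokes` and `hubs` can reach it.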
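The `RedundTrack` instance and the policies that reference `fwnat-active-device` implement the firewall's active/standby behaviour, and the mechanism is easier to see when run than when read. R-10 holds a static beacon 2.2.2.2/32 with preference 172 and community 1000:1 (c-secondary); the peer on 1.0.0.109 advertises its own beacon over eBGP, and `set-preference-based-on-community` gives a 900:1 (c-primary) route preference 171. While the peer's primary beacon is present it wins the route, the static route stops contributing to the aggregate 0.0.0.0/0 (whose policy accepts only the static beacon), `if-route-exists 0.0.0.0/0 table RedundTrack.inet.0` turns false, and the vr1 export policies reject everything. The model below is an added example, not Juniper code: `VR1_ROUTES` is constructed (the NAT pool statics are from the page, the 10.1.0.0/24 BGP route is assumed), and the tie-break between equal preferences is a simplifying assumption rather than Junos's full route-selection algorithm.

```python
"""Model of the active/standby logic in the R-10 routing configuration
(added example, not Juniper code). Beacon election in RedundTrack drives
the aggregate, the aggregate drives condition fwnat-active-device, and the
condition gates what vr1 advertises to the DIA-PE and L3VPN-PE groups."""

C_PRIMARY, C_SECONDARY = "900:1", "1000:1"
STATIC_BEACON = {"prefix": "2.2.2.2/32", "protocol": "static",
                 "preference": 172, "community": C_SECONDARY}


def set_preference_based_on_community(route):
    """policy-statement set-preference-based-on-community (BGP import)."""
    if route.get("community") == C_PRIMARY:
        route["preference"] = 171
    elif route.get("community") == C_SECONDARY:
        route["preference"] = 172
    return route

def redund_track_table(peer_beacons):
    """RedundTrack.inet.0: the local static beacon competes with the peer's
    BGP beacons; lowest preference is active (assumption: static wins a tie).
    aggregate 0.0.0.0/0 policy use-static-beacon-only exists only while the
    active 2.2.2.2/32 is the static route."""
    candidates = [dict(STATIC_BEACON)]
    for r in peer_beacons:
        candidates.append(set_preference_based_on_community(dict(r, protocol="bgp")))
    active = min(candidates, key=lambda r: (r["preference"], r["protocol"] != "static"))
    table = {"2.2.2.2/32": active}
    if active["protocol"] == "static":
        table["0.0.0.0/0"] = {"protocol": "aggregate"}
    return table

def fwnat_active_device(table):
    """condition fwnat-active-device: if-route-exists 0.0.0.0/0 in RedundTrack.inet.0."""
    return "0.0.0.0/0" in table

def export_dia_pe(route, active):
    """Export chain [ dst-nat-pool fwservice-conditional-export ] on group
    DIA-PE. As in Junos, the first terminating action ends the chain."""
    if (route["protocol"] == "static" and route["rib"] == "vr1.inet.0"
            and route["prefix"] == "1.1.1.96/28" and active):
        return "accept"                      # dst-nat-pool term a
    return "reject"                          # dst-nat-pool term b, unconditional

def export_l3vpn_pe(route, active):
    """policy-statement fwservice-conditional-export on group L3VPN-PE."""
    if route["protocol"] == "bgp" and active:
        return "accept"                      # term a (term b repeats it for vr1.inet6.0)
    return "reject"                          # term c

def advertised(peer_beacons, routes):
    """Prefixes R-10 advertises to each PE group, given the beacons heard
    from the redundancy peer."""
    active = fwnat_active_device(redund_track_table(peer_beacons))
    return {
        "active": active,
        "DIA-PE": [r["prefix"] for r in routes if export_dia_pe(r, active) == "accept"],
        "L3VPN-PE": [r["prefix"] for r in routes if export_l3vpn_pe(r, active) == "accept"],
    }


# Constructed vr1 contents: the NAT pool statics from the page plus an
# assumed customer prefix learned from the L3VPN-PE group.
VR1_ROUTES = [
    {"prefix": "1.1.1.96/28", "protocol": "static", "rib": "vr1.inet.0"},
    {"prefix": "2002::1.1.1.96/124", "protocol": "static", "rib": "vr1.inet6.0"},
    {"prefix": "10.1.0.0/24", "protocol": "bgp", "rib": "vr1.inet.0"},
]
PRIMARY_BEACON = {"prefix": "2.2.2.2/32", "community": C_PRIMARY}

if __name__ == "__main__":
    print("peer silent:", advertised([], VR1_ROUTES))
    print("primary up: ", advertised([PRIMARY_BEACON], VR1_ROUTES))
```

With no beacon from the peer, R-10 advertises the NAT pool 1.1.1.96/28 to DIA-PE and the BGP-learned routes to L3VPN-PE; as soon as a 900:1 beacon arrives, both lists empty and traffic is steered to the primary device. Two further properties of the policies as printed show up in the model: `dst-nat-pool` ends in an unconditional reject, so the DIA-PE chain never reaches `fwservice-conditional-export` and DIA-PE only ever receives the NAT pool prefix; and neither policy accepts the inet6 static 2002::1.1.1.96/124, since `dst-nat-pool` matches only `vr1.inet.0` and `fwservice-conditional-export` matches only `protocol bgp`.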