8/12/2019 BD Link IIG LLD v1.0[1]
1/76
CO-CONFIDENTIAL - 1 - BD Link IIG Low Level Design
Low Level Design IIG (BD Link Communication Ltd.)
Version 1.0
Document Title
Customer: BD Link Communication Ltd.
Title: Low Level Design IIG
Document Name: Low Level Design IIG v1.0

Document Control
Author(s), quality control and client sign-off

Role                    | Company             | Name                                                   | Signature
Author(s)               | Gazi Communications | Aziz Uddin Mahmud, Md. Imdadul Islam, Swapan Gupta     |
Review and Verification | Gazi Communications | Md. Wahid Uz Zaman                                     |

Release
Version | Date Released | Change Notice | Pages Affected | Remarks/Changes
1.0     | 18.10.2012    | N/A           | N/A            | 1st Release

Distribution List
Copy Number | Name
01          | BD LINK Team
02          | GAZI Technical Team
03          | GAZI Project Repository
Copyright and other intellectual property rights
Copyright and other intellectual property rights in any original programs, specifications, reports or other items arising in the course of, or resulting from, the project shall remain the property of Gazi Communication, although BD LINK shall have a non-exclusive and non-transferable license to all such items for its own purposes. Nothing in this agreement shall enable either party to make use of any intellectual property rights vested in the other party prior to the commencement of this assignment.
Contents
1. Executive Summary ... 7
2. Proposed Design Overview ... 8
2.1. Design Summary ... 9
2.2. Solution Detail ... 10
2.2.1. Logical Topology ... 11
2.2.2. BGP Routing Topology ... 13
2.2.3. OSPF Routing Topology ... 15
2.2.4. Dhaka Main POP Design (Phase-1 Deployment) ... 17
3. Device Naming, Port Connectivity & IP Addressing ... 19
3.1. Devices Naming Convention ... 19
3.2. Physical Connectivity Mapping & IP Addressing ... 20
4. Device Configuration ... 21
4.1. Initial JUNOS Configuration ... 21
4.1.1. Login via Console ... 21
4.1.2. Set Root Password ... 21
4.1.3. Enable System Services ... 22
4.1.4. Configuring Local Username ... 22
4.2. Dhaka Core Router-1 Configuration ... 22
4.2.1. System Basic Configuration ... 22
4.2.2. Management Interface Configuration ... 23
4.2.3. Chassis Configuration ... 23
4.2.4. Interface Configuration ... 23
4.2.5. OSPF Configuration ... 24
4.2.6. BGP Configuration ... 25
4.2.7. Sample RE Filter Configuration ... 25
4.2.8. SNMP Configuration ... 27
4.3. Dhaka Core Router-2 Configuration ... 28
4.3.1. System Basic Configuration ... 28
4.3.2. Management Interface Configuration ... 28
4.3.3. Chassis Configuration ... 28
4.3.4. Interface Configuration ... 29
4.3.5. OSPF Configuration ... 30
4.3.6. BGP Configuration ... 31
4.3.7. Sample RE Filter Configuration ... 31
4.3.8. SNMP Configuration ... 33
4.4. Dhaka Aggregation Router-1 Configuration ... 34
4.4.1. System Basic Configuration ... 34
4.4.2. Management Interface Configuration ... 34
4.4.3. Chassis Configuration ... 34
4.4.4. Interface Configuration ... 35
4.4.5. OSPF Configuration ... 36
4.4.6. BGP Configuration ... 37
4.4.7. Bandwidth Configuration ... 37
4.4.8. Sample RE Filter Configuration ... 37
4.4.9. SNMP Configuration ... 39
4.5. Dhaka Aggregation Router-2 Configuration ... 39
4.5.1. System Basic Configuration ... 39
4.5.2. Management Interface Configuration ... 40
4.5.3. Chassis Configuration ... 40
4.5.4. Interface Configuration ... 41
4.5.5. OSPF Configuration ... 42
4.5.6. BGP Configuration ... 42
4.5.7. Sample Bandwidth Configuration ... 43
4.5.8. Sample RE Filter Configuration ... 43
4.5.9. SNMP Configuration ... 45
4.6. Dhaka Data Center Switch-1 Configuration ... 45
4.6.1. System Basic Configuration ... 45
4.6.2. VLAN & Trunk Configuration ... 46
4.6.3. SNMP Configuration ... 51
4.7. Dhaka Data Center Switch-2 Configuration ... 51
4.7.1. System Basic Configuration ... 51
4.7.2. VLAN & Trunk Configuration ... 52
4.7.3. SNMP Configuration ... 57
4.8. IDP Configuration ... 58
4.8.1. OS Upgrade through CLI ... 58
4.8.2. System Basic Configuration through Web GUI (ACM) ... 58
4.8.3. NSM Server Configuration ... 58
4.8.3.1. REDHAT 5 OS Installation ... 58
4.8.3.2. NSM Server 2010.4 OS Installation ... 59
4.8.3.3. NSM Client Installation for Configuring the NSM Server ... 59
4.8.3.4. Adding the IDP Device into the NSM Server ... 59
4.8.3.5. Policy Implementation ... 63
4.8.3.6. Log View and Reporting, Custom Report Generation ... 67
4.9. DC Firewall 1 & 2 Configuration ... 70
4.9.1. OS Upgrade ... 70
4.9.2. System Basic Configuration ... 70
4.9.3. Interface Configuration ... 71
4.9.4. HA Configuration ... 73
4.9.5. Security Policy Configuration ... 74
5. LLD v1.0 Signoff ... 76
1. Executive Summary
The Government of Bangladesh has taken the initiative to increase the penetration rate of Internet usage; as a result, its legal entity, BTRC, issued new IIG licenses to qualified service providers. BD LINK Communication Limited has been awarded a license to provide International Internet Gateway (IIG) services for ISPs and Broadband Wireless Access providers (BWAs). The IIG will serve as an Internet exchange for routing international incoming and outgoing Internet data traffic. The exchange will be connected to the existing submarine cable as the main link and to a satellite earth station / VSAT as backup until another ILDC is available. All ISPs shall be connected to the global Internet through IIGs. The IIG licensee will arrange both ILDC bandwidth and satellite bandwidth. The licensee may arrange ILDC bandwidth from a tier-1 overseas service provider after taking prior permission from the commission.
BD LINK has the vision to become the preferred partner for all ISPs and BWAs in Bangladesh. To fulfil its aim of pioneering the IIG market, BD LINK selected the best IP network equipment vendor, Juniper Networks, with state-of-the-art technology and solutions. Gazi Communication Limited, the only Elite partner of Juniper Networks in Bangladesh, will help BD LINK build its IIG solution with equipment and solutions from Juniper and with its world-class in-house resources.

Gazi Communication will provide design and implementation services to BD LINK to build an IIG based on industry best practices. Juniper Networks offers devices that provide innovative features and functionality and massive scalability. The proposed solution from Juniper combines cost containment and scalability. Juniper series routers offer service providers industry-leading performance, service capabilities, reliability and efficiency in a compact form factor.
2. Proposed Design Overview
2.1. Design Summary
- There will be a data centre at Dhaka, which will also act as the primary International Internet Gateway site.
- The WAN network will be a three-layer architecture: Core, Aggregation and Access.
- The WAN network will run the hierarchical OSPF protocol.
- There will be no single point of failure in the data centre network.
- Core routers will run eBGP sessions with the upstream provider.
- In the Internet Gateway layer, redundant routers have been considered for 1+1 box redundancy.
- Each Core/Internet Gateway router has been dimensioned with redundant power supply.
- Upstream connectivity with tier-1 ISPs will be STM-1.
- Downstream connectivity to the Aggregation routers will be on GE.
- Aggregation routers will aggregate all the traffic from the domestic ISPs and pass it to the Internet Gateway routers.
- In the Aggregation layer, redundant routers have been considered for 1+1 box-level redundancy.
- Each Aggregation router has been dimensioned with redundant power supply.
- Downstream connectivity to the Access switches will be on GE.
- Core routers will have connectivity with BTRC and NMC/LEA.
- Access switches will be connected to both Aggregation routers through dual GE uplink ports for uplink redundancy.
- ISPs will be connected to Aggregation routers or Access switches.
- ISPs will be connected to TX/FX ports.
2.2. Solution Detail
As per the guideline from the authority, the IIG will be connected to the global Internet through the existing submarine cable as the main link and may have backup connectivity through VSAT. It will connect all ISPs through its distribution network, initially from Dhaka, and will expand as per demand and regulatory requirements. The related information and assumptions considered for the design are as follows:
- BD LINK will install a single PoP (Main PoP) with device-level redundancy at the Gateway and Aggregation levels; it will be located at Dhaka.
- BD LINK will connect to one upstream provider initially and will later go for a redundant link; provision for link-level redundancy should be considered in the design.
- There will be one DPI to filter traffic as per regulatory requirements and BD LINK policy.
- This design considers two types of PoP: one for distribution only, i.e. to connect ISPs to the Main PoP, and the other with Gateway and DPI services to ensure redundancy. BD LINK will make a rollout plan considering business justification and customer and regulatory requirements.
- This design emphasizes the Main PoP deployment and its related configuration, while also considering scalability to accommodate future growth of new gateway and distribution networks.
2.2.1. Logical Topology
The above topology diagram considers the full deployment of the BD LINK IIG. We have shown the four major components in the diagram:
- Main PoP
- IIG Perimeter and Monitoring Zone
- Type-1 PoP: PoP with Gateway & DPI
- Type-2 PoP: PoP to connect clients to the Main PoP
The Main PoP will be deployed immediately and act as the hub of the IIG. The Main PoP's Gateway Routers will be connected to the upstream provider. In the case of a single connection to the upstream, one Gateway Router will be configured with eBGP and the second will be treated as the backup for Gateway Router-1 to ensure device-level redundancy. After the second upstream link (VSAT/terrestrial/submarine) is in place, Gateway Router-2 will be configured with eBGP to the upstream and iBGP with Gateway Router-1.

The Interior Gateway Protocol OSPF will be configured between all Gateway and Aggregation Routers. All of them, including all their connected interfaces, will be placed in the backbone area.

The Aggregation Routers will have iBGP sessions with the Gateway Routers and eBGP with each ISP or BWA client. These routers will have different policies based on BD LINK's requirements.

The IIG perimeter firewalls will be connected to the Aggregation Routers. The firewall will have three zones: Outside, DMZ and Inside. The Outside zone will be connected to the Aggregation Routers; the DMZ will be created to host any value-added service for the clients; and the internal servers, applications and administration zone will be placed in the Inside zone.

In future, if BD LINK deploys a Type-1 PoP with Gateway and DPI functionality, we recommend connecting the Gateway Router of the Type-1 PoP with the Main PoP's Gateway Routers to ensure link-level redundancy of the local transmission vendor. The Gateway and Aggregation Routers will be configured in a similar fashion to the Main PoP's GW and Aggregation Routers, and will have IGP and EGP neighbourships between the PoPs' Gateway Routers.

In the case of a Type-2 PoP, we recommend layer-2 connectivity to the Aggregation Router of the Main PoP, configured similarly to a link distributed from the Main PoP's access switch, with eBGP neighbourship with the ISP or BWA client's router at the Aggregation level of the Main PoP.

We have given a detailed description of each segment and of the IGP and EGP routing topologies in different sections of this document.
2.2.2. BGP Routing Topology
The main requirement for the routing is to accommodate redundancy and load balancing, but with symmetry. The BGP routing for the IIG will be as follows:
- The Gateway Routers will be connected through STM-1/STM-4 to the upstream provider in a point-to-point topology, as the interface is TDM.
- Gateway Router-1 will be connected to one tier-1 service provider, will have eBGP peering and will receive the full routing table. (Only a default route can be taken until the second Gateway is implemented.) Gateway Router-2 will be connected to another tier-1 service provider through STM-1/STM-4, will have eBGP peering and will take the full routing table. There will be an iBGP session between Gateway Router-1 and Gateway Router-2.
- The DPI (Juniper IDP-8200) will be deployed in transparent mode to filter unwanted traffic and allow only legitimate traffic.
- Aggregation Router-1 will have iBGP sessions with both Gateway Routers and receive the full routing table from both Gateways.
- Aggregation Router-2 will have iBGP sessions with both Gateway Routers and receive the full routing table from both Gateways.
- Different ISPs will connect directly, or through an access switch, to the Aggregation Routers. The Aggregation Routers will have eBGP sessions with the ISPs' gateway routers. Based on requirements, connectivity for small ISPs can be arranged using alternate routing.

We have classified the PoPs into the categories below:
- Type-1: PoP with Gateway and DPI.
- Type-2: PoP to connect ISPs; it will be part of the distribution/access network.

The Gateway Router of the Main PoP will be connected to the Type-1 PoP's Gateway Router to provide link redundancy. There will be an iBGP session between the Main PoP's and the Type-1 PoP's gateway routers.
2.2.3. OSPF Routing Topology
The IGP of the BD LINK IIG solution should be OSPF. OSPF is a link-state, hierarchical protocol; it requires one backbone area (Area 0), and other areas must be connected directly (physically, or logically through a virtual link) to the backbone area. As BD LINK will have a Main PoP and Type-1 and Type-2 PoPs in its solution, we suggest defining the backbone area as consisting of the Gateway and Aggregation Routers of the Main PoP and the Type-1 PoP (as defined in the diagram).
We will configure the OSPF backbone area in the Main PoP; the IGP domain will contain the Gateway Routers and Aggregation Routers. Gateway Routers 1 and 2 and Aggregation Routers 1 and 2 will be in the backbone area, and the DPI will be configured to pass through all BGP and OSPF route-update packets. As this will be an Ethernet/broadcast network, the DR and BDR roles can be given to either the Gateway Routers or the Aggregation Routers, preferring the devices with less responsibility elsewhere.

All the links on the Gateway Routers (interfaces connected to the upstream, interfaces connected to the Aggregation Routers and interfaces between the Gateways) should be declared in the same area to avoid static routing or redistribution. However, except for the links connected to the Aggregation Routers, all other links should be configured not to send routing updates, as there will be no IGP neighbour on them. Both Aggregation Routers will be configured with OSPF, and all their directly connected interfaces will be declared in the backbone area to avoid static routing or redistribution. In the case of client connectivity, the links to ISPs and BWAs can be redistributed for better management, but it is highly recommended to create an ACL containing the customer point-to-point IPs. When a customer is added, the ACL can be modified by adding one permit entry to the ACL that is already redistributed into OSPF. Using these ACLs in the route map for redistribution gives the administrator better visibility and manageability.

In future, if BD LINK sets up a new Type-1 PoP, the Gateway and Aggregation Routers of that PoP will be configured similarly to the Main PoP's IGP configuration and will have OSPF neighbourship between the Gateways of the Main PoP and the Type-1 PoP.
2.2.4. Dhaka Main POP Design (Phase -1 Deployment)
The scope of this phase is to install and commission devices only at the Main PoP. The core components of the Main PoP (Phase-I deployment) are two Gateway Routers, two Aggregation Routers and one DPI. Both Gateway Routers will be connected to two separate upstream providers, will be configured using eBGP, and will take the entire routing table from both upstream providers. These two routers will have iBGP peering.
The Aggregation Routers will be configured using iBGP with both Gateway Routers and will take the full routing table from both, which ultimately provides the facility for traffic engineering.

In the case of a single link, the Gateway Routers can be configured to pass only default routes to the Aggregation Routers, as there will be only one path to forward traffic. The Gateway Router should still take the entire routing table, as this is a requirement to comply with the guideline provided by the authority.

Connectivity for the ISPs and BWAs will be from the Aggregation Router directly, or through an access switch, based on the client's requirements and business guidelines.
3.2. Physical Connectivity Mapping & IP Addressing
Please refer to the Device Connectivity & IP Addressing XLS file for details.
4. Device Configuration
This section captures the configuration of the Juniper devices being deployed in the BD LINK network in Dhaka to provide IP transit services between international upstream Internet service providers and local ISP customers.
4.1. Initial JUNOS Configuration
This section captures the initial configuration to be done on the Juniper routers via the console to make the routers reachable across the WAN for further configuration.
4.1.1. Login via Console
Connect to the console and log in with the username root (initially no password is prompted); the root% shell prompt appears. Type cli and the root> prompt appears. Type configure and the root# prompt appears, which is configuration mode.

    root% cli
    root> ## Operational mode
    root> configure
    root# ## Configuration mode
4.1.2. Set Root Password
JUNOS does not allow a configuration to be committed unless a password for root is configured. This can be seen if we try to commit while setting up the router initially:

    root# commit
    [edit]
      'system'
        Missing mandatory statement: 'root-authentication'
    error: commit failed: (missing statements)

If you see this error, root authentication needs to be configured. Use the CLI below to configure it:

    root# set system root-authentication plain-text-password
    New password:
    Retype new password:
    router-id 103.12.236.40;
    autonomous-system 58668;
}
4.2.2. Management Interface Configuration
interfaces {
    fxp0 {
        unit 0 {
            family inet {
                address 10.100.102.2/24;
            }
        }
    }
}
4.2.3. Chassis Configuration
chassis {
    fpc 0 {
        pic 1 {
            tunnel-services {
                bandwidth 1g;
            }
        }
    }
    aggregated-devices {
        ethernet {
            device-count 2;
        }
    }
    alarm {
        management-ethernet {
            link-down ignore;
        }
    }
}
4.2.4. Interface Configuration
interfaces {
    ge-1/0/0 {
        description "Connected to AGG1 via IDP-01 port ge-0";
        unit 0 {
            family inet {
                address 103.12.236.17/30;
            }
        }
    }
    ge-1/0/1 {
        description "Connected to DHK_GW_RTR_02";
        unit 0 {
            family inet {
                address 103.12.236.25/30;
            }
        }
    }
    so-1/2/0 {
        description "Connected to Upstream1";
        unit 0 {
            family inet {
                address x.x.x.x/30;
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 103.12.236.40/32;
            }
        }
    }
}
4.2.5. OSPF Configuration
protocols {
    ospf {
        area 0.0.0.0 {
            interface ge-1/0/0.0;
            interface ge-1/0/1.0;
            interface lo0.0;
            /* the upstream link carries no OSPF neighbour, so it is passive;
               the interface section above names this port so-1/2/0, reconcile */
            interface so-0/2/0.0 {
                passive;
            }
        }
    }
}
4.2.6. BGP Configuration
protocols {
    bgp {
        group BGP-Internal {
            type internal;
            local-address 103.12.236.40;
            export redistribute-to-ibgp;
            neighbor 103.12.236.41;
            neighbor 103.12.236.42;
            neighbor 103.12.236.43;
        }
        group BGP-External {
            type external;
            export redistributed-connected;
            neighbor X.X.X.X {
                peer-as XX;
            }
        }
    }
}
4.2.7. Sample RE filter Configuration
firewall {
    filter PROTECT-RE-FILTER {
        term ROUTER-ACCESS {
            from {
                source-address {
                    A.A.A.0/24; /* management subnet */
                }
                destination-address {
                    F.F.F.F/32; /* fxp0 IP address */
                }
                protocol tcp;
                destination-port [ ssh telnet ];
            }
            then accept;
        }
        term PERMIT-BGP {
            from {
                protocol tcp;
                source-address B.B.B.B/32; /* one entry per BGP peer */
                port bgp;
            }
            then accept;
        }
        term PERMIT-OSPF {
            from {
                protocol ospf;
            }
            then accept;
        }
        term PERMIT-DNS {
            from {
                protocol udp;
                source-address D.D.D.D/32; /* DNS server */
                port domain;
            }
            then accept;
        }
        term PERMIT-NTP {
            from {
                protocol [ udp tcp ];
                source-address N.N.N.N/32; /* NTP server */
                port ntp;
            }
            then accept;
        }
        term PERMIT-UDP-TRACEROUTE {
            from {
                protocol udp;
                destination-port 33434-33534;
            }
            then {
                count traceroute;
                accept;
            }
        }
        term PERMIT-TACACS+ {
            from {
                protocol tcp;
                source-address T.T.T.T/32; /* TACACS+ server */
                source-port 49;
            }
            then accept;
        }
        term PERMIT-ICMP {
            from {
                protocol icmp;
                icmp-type [ echo-request echo-reply unreachable time-exceeded ];
            }
            then accept;
        }
        term PERMIT-TCP-ESTABLISHED {
            from {
                protocol tcp;
                tcp-established;
            }
            then accept;
        }
        term DENY-OTHERS {
            then {
                discard;
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input PROTECT-RE-FILTER;
                }
            }
        }
    }
}
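As an added illustration that is not part of the LLD, the following Python models the first-match evaluation of the PROTECT-RE-FILTER above over constructed sample packets, so the effect of the term order can be checked before the filter is applied to lo0. The placeholders A.A.A.0/24, F.F.F.F, N.N.N.N and T.T.T.T are replaced with documentation-range addresses that are assumptions; the iBGP peers and the name-server come from the configurations on this page.

```python
import ipaddress
from dataclasses import dataclass

# Constructed stand-ins for the placeholders in the filter (documentation ranges).
MGMT_NET = ipaddress.ip_network("192.0.2.0/24")        # A.A.A.0/24, management hosts
FXP0_IP = ipaddress.ip_address("192.0.2.1")            # F.F.F.F, fxp0 address
BGP_PEERS = {ipaddress.ip_address(a) for a in          # B.B.B.B: iBGP peers from the page
             ("103.12.236.41", "103.12.236.42", "103.12.236.43")}
DNS_SERVER = ipaddress.ip_address("103.12.236.1")      # D.D.D.D: name-server from the page
NTP_SERVER = ipaddress.ip_address("198.51.100.10")     # N.N.N.N
TACACS_SERVER = ipaddress.ip_address("198.51.100.20")  # T.T.T.T
PORT = {"ssh": 22, "telnet": 23, "bgp": 179, "domain": 53, "ntp": 123, "tacacs": 49}


@dataclass
class Packet:
    proto: str                  # "tcp", "udp", "icmp" or "ospf"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    established: bool = False   # ACK or RST set, what JunOS 'tcp-established' matches
    icmp_type: str = ""


def _ip(s):
    return ipaddress.ip_address(s)

# One predicate per term, in the order the terms appear in the filter.
# 'port X' in JunOS matches either the source or the destination port.
def router_access(p):
    return (p.proto == "tcp" and _ip(p.src) in MGMT_NET and _ip(p.dst) == FXP0_IP
            and p.dport in (PORT["ssh"], PORT["telnet"]))

def permit_bgp(p):
    return p.proto == "tcp" and _ip(p.src) in BGP_PEERS and PORT["bgp"] in (p.sport, p.dport)

def permit_ospf(p):
    return p.proto == "ospf"

def permit_dns(p):
    return p.proto == "udp" and _ip(p.src) == DNS_SERVER and PORT["domain"] in (p.sport, p.dport)

def permit_ntp(p):
    return p.proto in ("udp", "tcp") and _ip(p.src) == NTP_SERVER and PORT["ntp"] in (p.sport, p.dport)

def permit_traceroute(p):
    return p.proto == "udp" and 33434 <= p.dport <= 33534

def permit_tacacs(p):
    return p.proto == "tcp" and _ip(p.src) == TACACS_SERVER and p.sport == PORT["tacacs"]

def permit_icmp(p):
    return p.proto == "icmp" and p.icmp_type in (
        "echo-request", "echo-reply", "unreachable", "time-exceeded")

def permit_established(p):
    return p.proto == "tcp" and p.established

TERMS = [
    ("ROUTER-ACCESS", router_access), ("PERMIT-BGP", permit_bgp),
    ("PERMIT-OSPF", permit_ospf), ("PERMIT-DNS", permit_dns),
    ("PERMIT-NTP", permit_ntp), ("PERMIT-UDP-TRACEROUTE", permit_traceroute),
    ("PERMIT-TACACS+", permit_tacacs), ("PERMIT-ICMP", permit_icmp),
    ("PERMIT-TCP-ESTABLISHED", permit_established),
]


def evaluate(p):
    """Return (term, action) of the first matching term; the final term discards."""
    for name, match in TERMS:
        if match(p):
            return name, "accept"
    return "DENY-OTHERS", "discard"


# Constructed sample traffic addressed to the Routing Engine.
SAMPLES = {
    "ssh-from-mgmt": Packet("tcp", "192.0.2.50", "192.0.2.1", 40000, PORT["ssh"]),
    "ssh-from-internet": Packet("tcp", "203.0.113.9", "192.0.2.1", 40000, PORT["ssh"]),
    "bgp-from-peer": Packet("tcp", "103.12.236.41", "103.12.236.40", 50000, PORT["bgp"]),
    "bgp-from-stranger": Packet("tcp", "203.0.113.9", "103.12.236.40", 50000, PORT["bgp"]),
    "traceroute-probe": Packet("udp", "203.0.113.9", "103.12.236.40", 33000, 33440),
    "icmp-redirect": Packet("icmp", "203.0.113.9", "103.12.236.40", icmp_type="redirect"),
    # Any TCP segment with ACK/RST set is accepted from any source by the stateless
    # PERMIT-TCP-ESTABLISHED term; a limit worth knowing when reading RE logs.
    "ack-from-stranger": Packet("tcp", "203.0.113.9", "103.12.236.40", 50000, PORT["ssh"],
                                established=True),
}


def audit():
    """Evaluate every sample packet; returns {name: (term, action)}."""
    return {name: evaluate(p) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, (term, action) in audit().items():
        print(f"{name:20s} -> {action:8s} ({term})")
```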
4.2.8. SNMP Configuration
snmp {
    location "Location Name";
    /* test123 is a sample community string; replace it before deployment */
    community test123 {
        authorization read-only;
        clients {
            103.12.236.3/32;
            103.12.236.4/32;
        }
    }
}
4.3. Dhaka Core Router -2 Configuration
This section captures the configuration of Dhaka Core router-2.
4.3.1. System Basic Configuration
system {
    host-name DHK_GW_RTR_02;
    time-zone Asia/Dhaka;
    no-source-route;
    commit synchronize;
    name-server {
        103.12.236.1;
    }
    ports {
        console {
            log-out-on-disconnect;
            type vt100;
        }
    }
}
routing-options {
    router-id 103.12.236.41;
    autonomous-system 58668;
}
4.3.2. Management Interface Configuration
interfaces {
    fxp0 {
        unit 0 {
            family inet {
                /* same fxp0 address as DHK_GW_RTR_01; confirm against the IP addressing sheet */
                address 10.100.102.2/24;
            }
        }
    }
}
4.3.3. Chassis Configuration
chassis {
    fpc 0 {
        pic 1 {
            tunnel-services {
                bandwidth 1g;
            }
        }
    }
    aggregated-devices {
        ethernet {
            device-count 2;
        }
    }
    alarm {
        management-ethernet {
            link-down ignore;
        }
    }
}
4.3.4. Interface Configuration
interfaces {
    ge-1/0/0 {
        description "Connected to DHK_GW_RTR_01";
        unit 0 {
            family inet {
                address 103.12.236.21/30;
            }
        }
    }
    ge-1/0/1 {
        unit 0 {
            family inet {
                address 103.12.236.26/30;
            }
        }
    }
    ge-1/0/2 {
        unit 0 {
            family inet;
        }
    }
    ge-1/0/3 {
        unit 0 {
            family inet;
        }
    }
    ge-1/0/4 {
        unit 0 {
            family inet;
        }
    }
    ge-1/0/5 {
        unit 0 {
            family inet;
        }
    }
    so-0/2/0 {
        description "Connected to Upstream1";
        unit 0 {
            family inet {
                address x.x.x.x/30;
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 103.12.236.41/32;
            }
        }
    }
}
4.3.5. OSPF Configuration
protocols {
    ospf {
        area 0.0.0.0 {
            interface ge-1/0/0.0;
            interface ge-1/0/1.0;
            /* upstream link: no OSPF neighbour, so no hellos are sent */
            interface so-0/2/0.0 {
                passive;
            }
            interface lo0.0;
        }
    }
}
4.3.6. BGP Configuration
protocols {
    bgp {
        group BGP-Internal {
            type internal;
            local-address 103.12.236.41;
            export redistribute-to-ibgp;
            neighbor 103.12.236.40;
            neighbor 103.12.236.42;
            neighbor 103.12.236.43;
        }
        group BGP-External {
            type external;
            export redistributed-connected;
            neighbor X.X.X.X {
                peer-as XX;
            }
        }
    }
}
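The design in 2.2.2 requires an iBGP full mesh between the two Gateway and the two Aggregation routers, and the BGP-Internal groups of the two Gateway routers above have to agree with each other and with the loopback addresses they peer on. The following Python is an added consistency check, not part of the LLD: the two Gateway entries are transcribed from the configurations above, while the two Aggregation entries are constructed here (one deliberately missing a peer) and are not taken from the document.

```python
# iBGP full-mesh consistency check for the Dhaka Main PoP (added example).
ROUTERS = {
    # name: (router-id / loopback, bgp local-address, BGP-Internal neighbors)
    "DHK_GW_RTR_01": ("103.12.236.40", "103.12.236.40",
                      ["103.12.236.41", "103.12.236.42", "103.12.236.43"]),
    "DHK_GW_RTR_02": ("103.12.236.41", "103.12.236.41",
                      ["103.12.236.40", "103.12.236.42", "103.12.236.43"]),
    "DHK_AGG_RTR_01": ("103.12.236.42", "103.12.236.42",            # constructed entry
                       ["103.12.236.40", "103.12.236.41", "103.12.236.43"]),
    "DHK_AGG_RTR_02": ("103.12.236.43", "103.12.236.43",            # constructed entry,
                       ["103.12.236.40", "103.12.236.41"]),         # one peer omitted
}


def check_ibgp_mesh(routers):
    """Return a sorted list of findings; an empty list means a consistent full mesh.

    Per router it checks that local-address is the loopback the peers point at,
    that the router does not peer with itself, that every other router is listed
    (so each session is configured on both ends) and that no neighbor points at
    an address that is not one of the known loopbacks in the AS.
    """
    loopbacks = {rid: name for name, (rid, _, _) in routers.items()}
    findings = []
    for name, (rid, local, neighbors) in routers.items():
        if local != rid:
            findings.append(f"{name}: local-address {local} differs from loopback {rid}")
        if rid in neighbors:
            findings.append(f"{name}: lists its own loopback {rid} as a neighbor")
        for other, (orid, _, _) in routers.items():
            if other != name and orid not in neighbors:
                findings.append(f"{name}: missing iBGP neighbor {orid} ({other})")
        for n in neighbors:
            if n not in loopbacks:
                findings.append(f"{name}: neighbor {n} is not a known loopback in AS 58668")
    return sorted(findings)


if __name__ == "__main__":
    for line in check_ibgp_mesh(ROUTERS) or ["iBGP full mesh is consistent"]:
        print(line)
```

The same check catches the local-address written with a /32 prefix, which JunOS rejects for this statement.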
4.3.7. Sample RE filter Configuration
firewall {
    filter PROTECT-RE-FILTER {
        term ROUTER-ACCESS {
            from {
                source-address {
                    A.A.A.0/24;                 /* MANAGEMENT STATION ADDRESS RANGE */
                }
                destination-address {
                    F.F.F.F/32;                 /* fxp0 IP address */
                }
                protocol tcp;
                destination-port [ ssh telnet ];
            }
            then accept;
        }
        term PERMIT-BGP {
            from {
                protocol tcp;
                source-address B.B.B.B/32;      /* Add addresses from BGP Peers */
                port bgp;
            }
            then accept;
        }
        term PERMIT-OSPF {
            from {
                protocol ospf;
            }
            then accept;
        }
        term PERMIT-DNS {
            from {
                protocol udp;
                source-address D.D.D.D/32;      /* DNS-SERVER ADDRESS */
                port domain;
            }
            then accept;
        }
        term PERMIT-NTP {
            from {
                protocol [ udp tcp ];
                source-address N.N.N.N/32;      /* NTP SERVER ADDRESS */
                port ntp;
            }
            then accept;
        }
        term PERMIT-UDP-TRACEROUTE {
            from {
                protocol udp;
                destination-port 33434-33534;
            }
            then {
                count traceroute;
                accept;
            }
        }
        term PERMIT-TACACS+ {
            from {
                protocol tcp;
                source-address T.T.T.T/32;      /* TACACS SERVER ADDRESS */
                source-port 49;
            }
            then accept;
        }
        term PERMIT-ICMP {
            from {
                protocol icmp;
                icmp-type [ echo-request echo-reply unreachable time-exceeded ];
            }
            then accept;
        }
        term PERMIT-TCP-ESTABLISHED {
            from {
                protocol tcp;
                tcp-established;
            }
            then accept;
        }
        term DENY-OTHERS {
            then {
                discard;
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input PROTECT-RE-FILTER;
                }
            }
        }
    }
}
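The following script is an added example, not part of the design document and not Junos code. It models how the Routing Engine filter above is evaluated (terms in order, first match wins, DENY-OTHERS discards the rest) and runs a few constructed packets through it. The filter's placeholders are filled in by assumption: A.A.A.0/24 and F.F.F.F are taken to be the fxp0 subnet and address from 4.3.2, B.B.B.B the iBGP neighbours from 4.3.6, D.D.D.D the name-server from 4.4.1; the NTP and TACACS+ server addresses are invented.

```python
"""First-match walk-through of PROTECT-RE-FILTER (added example, not from the LLD)."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

MGMT_NET = ipaddress.ip_network("10.100.102.0/24")      # A.A.A.0/24 (assumed: fxp0 subnet)
FXP0_IP = ipaddress.ip_address("10.100.102.2")          # F.F.F.F (assumed: fxp0 of 4.3.2)
BGP_PEERS = {ipaddress.ip_address(a) for a in           # B.B.B.B (iBGP neighbours, 4.3.6)
             ("103.12.236.40", "103.12.236.42", "103.12.236.43")}
DNS_SERVER = ipaddress.ip_address("103.12.236.1")       # D.D.D.D (name-server, 4.4.1)
NTP_SERVER = ipaddress.ip_address("103.12.236.5")       # N.N.N.N (invented)
TACACS_SERVER = ipaddress.ip_address("103.12.236.6")    # T.T.T.T (invented)
ICMP_ALLOWED = {"echo-request", "echo-reply", "unreachable", "time-exceeded"}


@dataclass
class Packet:
    """The header fields a stateless Junos filter can test."""
    proto: str                  # "tcp", "udp", "icmp" or "ospf"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack_or_rst: bool = False    # tcp-established matches ACK or RST set, nothing more
    icmp_type: str = ""


def _ip(text: str) -> ipaddress.IPv4Address:
    return ipaddress.ip_address(text)


# (term, match predicate, action) in the order the terms appear in the filter.
# A bare "port X" in Junos matches X as source OR destination port.
TERMS: List[Tuple[str, Callable[[Packet], bool], str]] = [
    ("ROUTER-ACCESS", lambda p: p.proto == "tcp" and _ip(p.src) in MGMT_NET
     and _ip(p.dst) == FXP0_IP and p.dport in (22, 23), "accept"),
    ("PERMIT-BGP", lambda p: p.proto == "tcp" and _ip(p.src) in BGP_PEERS
     and 179 in (p.sport, p.dport), "accept"),
    ("PERMIT-OSPF", lambda p: p.proto == "ospf", "accept"),
    ("PERMIT-DNS", lambda p: p.proto == "udp" and _ip(p.src) == DNS_SERVER
     and 53 in (p.sport, p.dport), "accept"),
    ("PERMIT-NTP", lambda p: p.proto in ("udp", "tcp") and _ip(p.src) == NTP_SERVER
     and 123 in (p.sport, p.dport), "accept"),
    ("PERMIT-UDP-TRACEROUTE", lambda p: p.proto == "udp"
     and 33434 <= p.dport <= 33534, "accept"),
    ("PERMIT-TACACS+", lambda p: p.proto == "tcp" and _ip(p.src) == TACACS_SERVER
     and p.sport == 49, "accept"),
    ("PERMIT-ICMP", lambda p: p.proto == "icmp" and p.icmp_type in ICMP_ALLOWED, "accept"),
    ("PERMIT-TCP-ESTABLISHED", lambda p: p.proto == "tcp" and p.ack_or_rst, "accept"),
    ("DENY-OTHERS", lambda p: True, "discard"),
]


def evaluate(pkt: Packet) -> Tuple[str, str]:
    """Return (matching term, action) for one packet addressed to the RE."""
    for name, matches, action in TERMS:
        if matches(pkt):
            return name, action
    raise RuntimeError("unreachable: DENY-OTHERS matches everything")


# Constructed sample packets. 103.12.236.41 is this router's lo0 address.
SAMPLES: Dict[str, Packet] = {
    "ssh_from_mgmt_to_fxp0": Packet("tcp", "10.100.102.50", "10.100.102.2", 51000, 22),
    "ssh_from_mgmt_to_lo0": Packet("tcp", "10.100.102.50", "103.12.236.41", 51000, 22),
    "ssh_from_internet_to_lo0": Packet("tcp", "203.0.113.7", "103.12.236.41", 51000, 22),
    "ibgp_syn_from_peer": Packet("tcp", "103.12.236.42", "103.12.236.41", 40000, 179),
    "bgp_syn_from_stranger": Packet("tcp", "198.51.100.9", "103.12.236.41", 40000, 179),
    "ospf_hello": Packet("ospf", "103.12.236.22", "224.0.0.5"),
    "snmp_poll_from_nms": Packet("udp", "103.12.236.3", "103.12.236.41", 50000, 161),
    "reply_to_router_tcp": Packet("tcp", "198.51.100.9", "103.12.236.41", 443, 55000,
                                  ack_or_rst=True),
    "icmp_redirect": Packet("icmp", "203.0.113.7", "103.12.236.41", icmp_type="redirect"),
}


def audit() -> Dict[str, Tuple[str, str]]:
    """Evaluate every sample; returns {sample name: (term, action)}."""
    return {name: evaluate(pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, (term, action) in audit().items():
        print(f"{name:26s} -> {action:8s} via {term}")
```

Two results are worth acting on. The SNMP poll from 103.12.236.3 ends in DENY-OTHERS: section 4.3.8 allows that host to poll the router, but no term accepts UDP 161 from it, so the lo0 filter drops the polls; a PERMIT-SNMP term restricted to the two NMS addresses belongs before DENY-OTHERS. SSH from the management range to the loopback address is also discarded, because ROUTER-ACCESS only accepts SSH and telnet addressed to fxp0. Note too that tcp-established is stateless (it matches any segment with ACK or RST set), which is why the earlier terms restrict source addresses, and that the telnet service accepted by ROUTER-ACCESS carries credentials in cleartext.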
4.3.8. SNMP Configuration
snmp {
    location "Location Name";
    community test123 {
        authorization read-only;
        clients {
            103.12.236.3/32;
            103.12.236.4/32;
        }
    }
}
4.4. Dhaka Aggregation Router-1 Configuration
This section captures the configuration of Dhaka Aggregation Router-1.
4.4.1. System Basic Configuration
system {
    host-name DHK_AGG_RTR_01;
    time-zone Asia/Dhaka;
    no-source-route;
    commit synchronize;
    name-server {
        103.12.236.1;
    }
    ports {
        console {
            log-out-on-disconnect;
            type vt100;
        }
    }
}
routing-options {
    router-id 103.12.236.42;
    autonomous-system 58668;
}
4.4.2. Management Interface Configuration
interfaces {
    fxp0 {
        unit 0 {
            family inet {
                address 10.100.102.4/24;
            }
        }
    }
}
4.4.3. Chassis Configuration
chassis {
    fpc 0 {
        pic 1 {
            tunnel-services {
                bandwidth 1g;
            }
        }
    }
    aggregated-devices {
        ethernet {
            device-count 2;
        }
    }
    alarm {
        management-ethernet {
            link-down ignore;
        }
    }
}
4.4.4. Interface Configuration
interfaces {
    ge-1/0/0 {
        description "Connected to DHK_GW_RTR_01 via IDP-01 port ge-1";
        unit 0 {
            family inet {
                address 103.12.236.18/30;
            }
        }
    }
    ge-1/0/1 {
        description "Connected to DHK_AGG_RTR_02";
        unit 0 {
            family inet {
                address 103.12.236.23/30;
            }
        }
    }
    ge-1/0/2 {
        description "Connected to DHK_FW1";
        unit 0 {
            family inet {
            }
        }
    }
}
4.4.6. BGP Configuration
protocols {
    bgp {
        group BGP-Internal {
            type internal;
            local-address 103.12.236.42;
            export redistribute-to-ibgp;
            neighbor 103.12.236.40;
            neighbor 103.12.236.41;
            neighbor 103.12.236.43;
        }
        group BGP-External {
            type external;
            export redistributed-connected;
            neighbor X.X.X.X {
                peer-as XX;
            }
        }
    }
}
4.4.7. Bandwidth Configuration
firewall {
    policer 3MB {
        if-exceeding {
            bandwidth-limit 3072000;
            burst-size-limit 384k;
        }
        then discard;
    }
}
The policer values may be changed based on requirements.
4.4.8. Sample RE filter Configuration
firewall {
    filter PROTECT-RE-FILTER {
        term ROUTER-ACCESS {
            from {
                source-address {
                    A.A.A.0/24;                 /* MANAGEMENT STATION ADDRESS RANGE */
                }
                destination-address {
                    F.F.F.F/32;                 /* fxp0 IP address */
                }
                protocol tcp;
                destination-port [ ssh telnet ];
            }
            then accept;
        }
        term PERMIT-BGP {
            from {
                protocol tcp;
                source-address B.B.B.B/32;      /* Add addresses from BGP Peers */
                port bgp;
            }
            then accept;
        }
        term PERMIT-OSPF {
            from {
                protocol ospf;
            }
            then accept;
        }
        term PERMIT-DNS {
            from {
                protocol udp;
                source-address D.D.D.D/32;      /* DNS-SERVER ADDRESS */
                port domain;
            }
            then accept;
        }
        term PERMIT-NTP {
            from {
                protocol [ udp tcp ];
                source-address N.N.N.N/32;      /* NTP SERVER ADDRESS */
                port ntp;
            }
            then accept;
        }
        term PERMIT-UDP-TRACEROUTE {
            from {
                protocol udp;
                destination-port 33434-33534;
            }
            then {
                count traceroute;
                accept;
            }
        }
        term PERMIT-TACACS+ {
            from {
                protocol tcp;
                source-address T.T.T.T/32;      /* TACACS SERVER ADDRESS */
                source-port 49;
            }
            then accept;
        }
        term PERMIT-ICMP {
            from {
                protocol icmp;
                icmp-type [ echo-request echo-reply unreachable time-exceeded ];
            }
            then accept;
        }
        term PERMIT-TCP-ESTABLISHED {
            from {
                protocol tcp;
                tcp-established;
            }
            then accept;
        }
    }
}
4.4.9. SNMP Configuration
snmp {
    location "Location Name";
    community test123 {
        authorization read-only;
        clients {
            103.12.236.3/32;
            103.12.236.4/32;
        }
    }
}
4.5. Dhaka Aggregation Router-2 Configuration
This section captures the configuration of Dhaka Aggregation Router-2.
4.5.1. System Basic Configuration
system {
    host-name DHK_AGG_RTR_02;
    time-zone Asia/Dhaka;
    no-source-route;
    commit synchronize;
    name-server {
        103.12.236.1;
    }
    ports {
        console {
            log-out-on-disconnect;
            type vt100;
        }
    }
}
routing-options {
    router-id 103.12.236.43;
    autonomous-system 58668;
}
4.5.2. Management Interface Configuration
interfaces {
    fxp0 {
        unit 0 {
            family inet {
                address 10.100.102.5/24;
            }
        }
    }
}
4.5.3. Chassis Configuration
chassis {
    fpc 0 {
        pic 1 {
            tunnel-services {
                bandwidth 1g;
            }
        }
    }
    aggregated-devices {
        ethernet {
            device-count 2;
        }
    }
    alarm {
        management-ethernet {
            link-down ignore;
        }
    }
}
    }
    lo0 {
        unit 0 {
            family inet {
                address 103.12.236.43/32;
            }
        }
    }
}
4.5.5. OSPF Configuration
protocols {
    ospf {
        area 0.0.0.0 {
            interface ge-1/0/0;
            interface ge-1/0/1;
            interface ge-1/0/2;
            interface lo0.0;
        }
    }
}
4.5.6. BGP Configuration
protocols {
    bgp {
        group BGP-Internal {
            type internal;
            local-address 103.12.236.43;
            export redistribute-to-ibgp;
            neighbor 103.12.236.40;
            neighbor 103.12.236.41;
            neighbor 103.12.236.42;
        }
        group BGP-External {
            type external;
            export redistributed-connected;
            neighbor X.X.X.X {
                peer-as XX;
            }
        }
    }
}
                protocol udp;
                source-address D.D.D.D/32;      /* DNS-SERVER ADDRESS */
                port domain;
            }
            then accept;
        }
        term PERMIT-NTP {
            from {
                protocol [ udp tcp ];
                source-address N.N.N.N/32;      /* NTP SERVER ADDRESS */
                port ntp;
            }
            then accept;
        }
        term PERMIT-UDP-TRACEROUTE {
            from {
                protocol udp;
                destination-port 33434-33534;
            }
            then {
                count traceroute;
                accept;
            }
        }
        term PERMIT-TACACS+ {
            from {
                protocol tcp;
                source-address T.T.T.T/32;      /* TACACS SERVER ADDRESS */
                source-port 49;
            }
            then accept;
        }
        term PERMIT-ICMP {
            from {
                protocol icmp;
                icmp-type [ echo-request echo-reply unreachable time-exceeded ];
            }
            then accept;
        }
        term PERMIT-TCP-ESTABLISHED {
            from {
                protocol tcp;
                tcp-established;
            }
            then accept;
        }
    }
}
4.5.9. SNMP Configuration
snmp {
    location "Location Name";
    community test123 {
        authorization read-only;
        clients {
            103.12.236.3/32;
            103.12.236.4/32;
        }
    }
}
4.6. Dhaka Data Center Switch-1 Configuration
This section captures the configuration of Dhaka Data Center Switch-1.
4.6.1. System Basic Configuration
system {
    host-name DHK_DC_SW_01;
    services {
        ftp;
        ssh;
    }
    syslog {
        user * {
            any emergency;
        }
        file messages {
            any notice;
            authorization info;
        }
        file interactive-commands {
            interactive-commands any;
        }
    }
    commit {
        factory-settings {
            reset-chassis-lcd-menu;
            reset-virtual-chassis-configuration;
        }
    }
}
4.6.2. VLAN & Trunk Configuration
interfaces {
    ge-0/0/0 {
        description "Connected to DHK_FW_01";
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members all;
                }
            }
        }
    }
    ge-0/0/1 {
        description "Connected to DNS-server-1";
        unit 0 {
            family ethernet-switching {
                vlan {
                    members server;
                }
            }
        }
    }
    ge-0/0/2 {
        description "Connected to DNS-server-2";
        unit 0 {
            family ethernet-switching {
                vlan {
                    members server;
                }
            }
        }
    }
    ge-0/0/3 {
        description "Connected to NMS-server";
        unit 0 {
            family ethernet-switching {
                vlan {
                    members server;
                }
            }
        }
    }
    ge-0/0/4 {
        description "Connected to MRTG-server";
        unit 0 {
            family ethernet-switching {
                vlan {
                    members server;
                }
            }
        }
    }
    ge-0/0/5 {
        description "Connected to NSM-server";
        unit 0 {
            family ethernet-switching {
                vlan {
                    members server;
                }
            }
        }
    }
    ge-0/0/6 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/7 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/8 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/9 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/10 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/11 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/12 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/13 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/14 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/15 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/16 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/17 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/18 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/19 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/20 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/21 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/22 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/23 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/1/0 {
        description "Connected to DHK_FW_02";
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members all;
                }
            }
        }
    }
    xe-0/1/0 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/1/1 {
        description "Connected to DHK_DC_SW_02";
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members all;
                }
            }
        }
    }
}
vlans {
    ISP1 {
        vlan-id 2;
    }
    ISP2 {
        vlan-id 3;
    }
    ISP3 {
        vlan-id 4;
    }
}
4.6.3. SNMP Configuration
snmp {
    location "Location Name";
    community test123 {
        authorization read-only;
        clients {
            103.12.236.3/32;
            103.12.236.4/32;
        }
    }
}
4.7. Dhaka Data Center Switch-2 Configuration
This section captures the configuration of Dhaka Data Center Switch-2.
4.7.1. System Basic Configuration
system {
    host-name DHK_DC_SW_02;
    services {
        ftp;
        ssh;
    }
    syslog {
        user * {
            any emergency;
        }
        file messages {
            any notice;
            authorization info;
        }
        file interactive-commands {
            interactive-commands any;
        }
    }
    commit {
        factory-settings {
            reset-chassis-lcd-menu;
            reset-virtual-chassis-configuration;
        }
    }
}
4.7.2. VLAN & Trunk Configuration
interfaces {
    ge-0/0/0 {
        description "Connected to DHK_FW_02";
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members all;
                }
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/2 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/3 {
        description "Connected to NMS";
        unit 0 {
            family ethernet-switching {
                vlan {
                    members mgt;
                }
            }
        }
    }
    ge-0/0/4 {
        description "Connected to MRTG";
        unit 0 {
            family ethernet-switching {
                vlan {
                    members mgt;
                }
            }
        }
    }
    ge-0/0/5 {
        description "Connected to NSMXpress";
        unit 0 {
            family ethernet-switching {
                vlan {
                    members mgt;
                }
            }
        }
    }
    ge-0/0/6 {
        description "Connected to DHK_CORE_01";
        unit 0 {
            family ethernet-switching {
                vlan {
                    members mgt;
                }
            }
        }
    }
    ge-0/0/7 {
        description "Connected to DHK_CORE_02";
        unit 0 {
            family ethernet-switching {
                vlan {
                    members mgt;
                }
            }
        }
    }
    ge-0/0/8 {
        description "Connected to DHK_IDP_01";
        unit 0 {
            family ethernet-switching {
                vlan {
                    members mgt;
                }
            }
        }
    }
    ge-0/0/9 {
        description "Connected to DHK_AGG_01";
        unit 0 {
            family ethernet-switching {
                vlan {
                    members mgt;
                }
            }
        }
    }
    ge-0/0/10 {
        description "Connected to DHK_AGG_02";
        unit 0 {
            family ethernet-switching {
                vlan {
                    members mgt;
                }
            }
        }
    }
    ge-0/0/11 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/12 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/13 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/14 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/15 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/16 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/17 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/18 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/19 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/20 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/21 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/22 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/23 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/1/0 {
        description "Connected to DHK_FW_02";
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members all;
                }
            }
        }
    }
    xe-0/1/0 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/1/1 {
        description "Link DHK_DC_SW_01";
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members all;
                }
            }
        }
    }
    xe-0/1/1 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/1/2 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/1/2 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/1/3 {
        unit 0 {
            family ethernet-switching;
        }
    }
}
protocols {
    igmp-snooping {
        vlan all;
    }
    rstp;
    lldp {
        interface all;
    }
    lldp-med {
        interface all;
    }
}
ethernet-switching-options {
    storm-control {
        interface all;
    }
}
vlans {
    ISP4 {
        vlan-id 4;
    }
    ISP5 {
        vlan-id 5;
    }
    ISP6 {
        vlan-id 6;
    }
}
4.7.3. SNMP Configuration
snmp {
    location "Location Name";
    community test123 {
        authorization read-only;
        clients {
            103.12.236.3/32;
            103.12.236.4/32;
        }
    }
}
4.8. IDP Configuration
4.8.1. OS Upgrade through the CLI
Steps to upgrade/install the IDP OS. The following files are required for the IDP OS upgrade:
+ sensor_5_0r1.sh
+ sensor_5_1r2.sh
+ sensor_5_1r3.sh
Change to the directory holding the files and list them:
[root@idp ~]# cd /tmp
[root@idp tmp]# ls -l
-rw-rw-r-- 1 admin admin 474454694 Jul 11 23:04 sensor_5_1r2.sh
Execute the files in order:
[root@idp tmp]# sh sensor_5_0r1.sh
[root@idp tmp]# sh sensor_5_1r2.sh
[root@idp tmp]# sh sensor_5_1r3.sh
4.8.2. System Basic Configuration through the Web GUI (ACM)
Step 1. Host name configuration
Step 2. DNS configuration
Step 3. IP configuration for MGT access
Step 4. Default gateway
4.8.3. NSM Server Configuration
4.8.3.1. Red Hat 5 OS Installation
Red Hat Linux must be installed before NSM is installed.
4.8.3.2. NSM Server 2010.4 Installation
Steps to install NSM on a Linux server:
Step 1. The following files are required for NSM:
+ Linux server package
+ Linux system update utilities
+ Windows UI client
Step 2. Move all three files to the NSM server.
Step 3. Unzip the system update file:
+ untar it; this produces a folder named rhes4/rhes5.
+ move inside this folder and run the script rhes5.sh.
Step 4. Unzip the Linux server file (nsm_2010.4s3_linux_servers_x86.zip); it contains the installer script. Run that script to perform the installation.
unzip nsm_2010.4s3_linux_servers_x86.zip
Step 5. Install the NSM client on the workstation.
4.8.3.3. NSM Client Installation for Configuring the NSM Server
The NSM client software must be installed on a workstation in order to configure the NSM server.
4.8.3.4. Adding the IDP Device to the NSM Server
The following screenshots show an IDP device being added to the NSM server.
4.8.3.5. Policy Implementation
The following screenshots show the policy configuration pushed to the IDP.
4.8.3.6. Log View, Reporting and Custom Report Generation
The following screenshots show the log view, reporting and custom report generation from the NSM server.
4.9. DC Firewall 1 & 2 Configuration
4.9.1. OS Upgrade
JUNOS upgrade to 10.4R10.7 through the command line. Steps: copy the JUNOS OS file from the pen drive into /var/tmp, then install it:
> request system software add /var/tmp/junos-srxsme-10.0R2.10-domestic.tgz no-copy no-validate reboot
no-validate skips the check that the running configuration is compatible with the new image, so a statement the new release no longer accepts will only surface after the reboot.
4.9.2. System Basic Configuration
root@% cli
root> configure
root# set system root-authentication plain-text-password
root# set system host-name DHK_FW
root# set system login user test class super-user authentication plain-text-password
root# set system services telnet
root# set system services ssh
4.9.3. Interface Configuration
interfaces {
    ge-0/0/3 {
        gigether-options {
            redundant-parent reth1;
        }
    }
    ge-0/0/4 {
        gigether-options {
            redundant-parent reth0;
        }
    }
    ge-0/0/5 {
        gigether-options {
            redundant-parent reth2;
        }
    }
    ge-5/0/3 {
        gigether-options {
            redundant-parent reth1;
        }
    }
    ge-5/0/4 {
        gigether-options {
            redundant-parent reth0;
        }
    }
    ge-5/0/5 {
        gigether-options {
            redundant-parent reth2;
        }
    }
    fab0 {
        fabric-options {
            member-interfaces {
                ge-0/0/2;
            }
        }
    }
    fab1 {
        fabric-options {
            member-interfaces {
                ge-5/0/2;
            }
        }
    }
    reth0 {
        vlan-tagging;
        redundant-ether-options {
            redundancy-group 1;
        }
        unit XX {
            vlan-id XX;
            family inet {
                address XX.XX.XX.XX/XX;
            }
        }
        unit 102 {
            vlan-id 102;
            family inet {
                address XX.XX.XX.XX/XX;
            }
        }
    }
    reth1 {
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 0 {
            family inet {
                address 103.12.236.38/30;
            }
        }
    }
    reth2 {
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 0 {
            family inet {
                address 10.100.102.8/24;
            }
        }
    }
}
Interfaces will be assigned to the UNTRUST, TRUST and DMZ zones. Note that system-services all and protocols all on the trust and DMZ interfaces expose every service enabled under system services (including telnet from 4.9.2) to hosts in those zones; the untrust interface accepts no host-inbound traffic.
security {
    zones {
        security-zone trust {
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
        security-zone untrust {
            screen untrust-screen;
            interfaces {
                ge-0/0/1.0;
            }
        }
        security-zone DMZ {
            interfaces {
                ge-0/0/2.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
    }
}
4.9.4. HA Configuration
JSRP (chassis cluster) will be configured for HA in active/standby mode. Device-1 will act as master and device-2 as standby; once the master goes down, device-2 takes full ownership. The node-specific groups below only take effect once apply-groups "${node}" is set at the top level of the configuration.
groups {
    node1 {
        system {
            host-name FW2;
        }
        interfaces {
            fxp0 {
                unit 0 {
                    family inet {
                        address 10.100.102.10/24;
                    }
                }
            }
        }
    }
    node0 {
        system {
            host-name FW1;
        }
        interfaces {
            fxp0 {
                unit 0 {
                    family inet {
                        address 10.100.102.9/24;
                    }
                }
            }
        }
    }
}
chassis {
    cluster {
        reth-count 4;
        redundancy-group 0 {
            node 0 priority 100;
            node 1 priority 1;
        }
        redundancy-group 1 {
            node 0 priority 100;
            node 1 priority 50;
            preempt;
            interface-monitor {
                ge-0/0/3 weight 60;
                ge-0/0/5 weight 60;
                ge-0/0/4 weight 60;
            }
        }
    }
}
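The following script is an added example, not taken from the design document. It works through the interface-monitor arithmetic that decides when redundancy-group 1 above actually fails over: in a Junos chassis cluster each redundancy group starts with a threshold of 255 on each node, a monitored interface that goes down subtracts its weight from that node's threshold, and only when the threshold reaches 0 does the node's priority for the group drop to 0 so that the other node takes over (with preempt, the higher-priority node takes the group back once its threshold is positive again). RG1_AS_DESIGNED carries the numbers from the configuration above; RG1_HARDENED is an assumed alternative with weight 255 and node1's member links monitored as well, which the document does not contain.

```python
"""Failover arithmetic for redundancy-group 1 (added example, not from the LLD)."""
from typing import Dict, Iterable

THRESHOLD = 255   # per-node starting threshold of every Junos redundancy group


class RedundancyGroup:
    def __init__(self, priority: Dict[str, int], preempt: bool,
                 interface_monitor: Dict[str, Dict[str, int]]) -> None:
        self.priority = priority                    # node -> configured priority
        self.preempt = preempt
        self.interface_monitor = interface_monitor  # node -> {interface: weight}

    def remaining_threshold(self, node: str, down: Iterable[str]) -> int:
        """255 minus the weights of this node's monitored interfaces that are down."""
        lost = sum(self.interface_monitor.get(node, {}).get(ifname, 0) for ifname in down)
        return max(0, THRESHOLD - lost)

    def effective_priority(self, node: str, down: Iterable[str]) -> int:
        """Configured priority, or 0 once the threshold has been exhausted."""
        return 0 if self.remaining_threshold(node, down) == 0 else self.priority[node]

    def primary_after(self, current: str, down: Dict[str, Iterable[str]]) -> str:
        """Node holding the group after the listed interfaces (per node) go down."""
        eff = {n: self.effective_priority(n, down.get(n, ())) for n in self.priority}
        able = {n: p for n, p in eff.items() if p > 0}
        if eff[current] > 0:
            if self.preempt and max(able.values()) > eff[current]:
                return max(able, key=able.get)   # preempt: higher priority takes over
            return current                       # no failover while threshold > 0
        return max(able, key=able.get) if able else current   # forced failover


RG1_AS_DESIGNED = RedundancyGroup(
    priority={"node0": 100, "node1": 50}, preempt=True,
    interface_monitor={"node0": {"ge-0/0/3": 60, "ge-0/0/4": 60, "ge-0/0/5": 60},
                       "node1": {}},   # the document monitors no ge-5/0/x interface
)

RG1_HARDENED = RedundancyGroup(   # assumed alternative, not from the document
    priority={"node0": 100, "node1": 50}, preempt=True,
    interface_monitor={"node0": {"ge-0/0/3": 255, "ge-0/0/4": 255, "ge-0/0/5": 255},
                       "node1": {"ge-5/0/3": 255, "ge-5/0/4": 255, "ge-5/0/5": 255}},
)

NODE0_LINKS = ["ge-0/0/3", "ge-0/0/4", "ge-0/0/5"]


def scenarios(rg: RedundancyGroup) -> Dict[str, str]:
    """Primary node of the group under a few constructed link failures."""
    return {
        "no_failure": rg.primary_after("node0", {}),
        "one_link_down_node0": rg.primary_after("node0", {"node0": ["ge-0/0/4"]}),
        "all_links_down_node0": rg.primary_after("node0", {"node0": NODE0_LINKS}),
        "links_restored": rg.primary_after("node1", {}),   # after an earlier failover
    }


if __name__ == "__main__":
    for label, rg in (("as designed", RG1_AS_DESIGNED), ("weight 255", RG1_HARDENED)):
        print(label, scenarios(rg), "threshold left on node0 with all links down:",
              rg.remaining_threshold("node0", NODE0_LINKS))
```

With the weights as designed, losing all three monitored links on node0 only brings its threshold down to 75, so node0 keeps redundancy-group 1 with every data interface dark and the standby never takes over. Weight 255 on each monitored interface is what makes a single link loss trigger the failover the text describes, and node1's ge-5/0/x members need entries of their own or link failures on the standby go unnoticed.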
4.9.5. Security Policy Configuration
Policy 1: TRUST to UNTRUST: permit any any
policies {
    from-zone trust to-zone untrust {
        policy trust-to-untrust {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
    }
}
Policy 2: UNTRUST to TRUST: deny all
policies {
    from-zone untrust to-zone trust {
        policy untrust-to-trust {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                deny;
            }
        }
    }
}
Policy 3: DMZ to UNTRUST: permit any any
policies {
    from-zone DMZ to-zone untrust {
        policy dmz-to-untrust {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
    }
}
Policy 4: UNTRUST to DMZ: only permit particular application services on their dedicated ports.
Policy 5: A screening policy will be configured for the UNTRUST zone.
Policy 6: ALG policy will be configured based on the applications/services in use.
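The following script is an added example, not part of the design document. It models how the SRX looks up the policies above: policies are kept per (from-zone, to-zone) pair and evaluated top-down within that pair, and a flow whose zone pair has no policies, or that matches none of them, is handled by the default policy, which is deny-all unless changed. Policies 1 to 3 are the ones written above (the DMZ policy is named dmz-to-untrust here). Policy 4 is only described in the text, so the version used here, which lets UNTRUST reach a single DMZ DNS server on port 53, is an assumption for the example, as is the server address 203.0.113.53; addresses are plain strings rather than address-book entries to keep the model short.

```python
"""Zone-pair policy lookup for the DC firewall (added example, not from the LLD)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

ANY = "any"

# (protocol, destination port) of the Junos predefined applications used below
APPLICATIONS = {
    "junos-dns-udp": ("udp", 53),
    "junos-dns-tcp": ("tcp", 53),
    "junos-ssh": ("tcp", 22),
    "junos-http": ("tcp", 80),
}


@dataclass
class Flow:
    from_zone: str
    to_zone: str
    src: str
    dst: str
    proto: str
    dport: int


@dataclass
class Policy:
    name: str
    src: str = ANY
    dst: str = ANY
    apps: Tuple[str, ...] = (ANY,)
    action: str = "permit"

    def matches(self, flow: Flow) -> bool:
        if self.src != ANY and self.src != flow.src:
            return False
        if self.dst != ANY and self.dst != flow.dst:
            return False
        if ANY in self.apps:
            return True
        return any(APPLICATIONS[app] == (flow.proto, flow.dport) for app in self.apps)


POLICIES: Dict[Tuple[str, str], List[Policy]] = {
    ("trust", "untrust"): [Policy("trust-to-untrust")],                   # Policy 1
    ("untrust", "trust"): [Policy("untrust-to-trust", action="deny")],    # Policy 2
    ("DMZ", "untrust"): [Policy("dmz-to-untrust")],                       # Policy 3
    ("untrust", "DMZ"): [Policy("untrust-to-dmz-dns", dst="203.0.113.53",  # Policy 4 (assumed)
                                apps=("junos-dns-udp", "junos-dns-tcp"))],
    # No trust<->DMZ pairs are defined: those flows reach the default policy.
}


def decide(flow: Flow) -> Tuple[str, str]:
    """First matching policy of the flow's zone pair, else the default deny."""
    for policy in POLICIES.get((flow.from_zone, flow.to_zone), []):
        if policy.matches(flow):
            return policy.name, policy.action
    return "default-policy", "deny"


# Constructed flows; 10.1.1.20 stands in for an inside host, 203.0.113.53 for the DMZ DNS server.
SAMPLES: Dict[str, Flow] = {
    "inside_web_browsing": Flow("trust", "untrust", "10.1.1.20", "198.51.100.80", "tcp", 80),
    "internet_ssh_to_inside": Flow("untrust", "trust", "198.51.100.9", "10.1.1.20", "tcp", 22),
    "dmz_dns_outbound": Flow("DMZ", "untrust", "203.0.113.53", "198.51.100.53", "udp", 53),
    "internet_dns_to_dmz": Flow("untrust", "DMZ", "198.51.100.9", "203.0.113.53", "udp", 53),
    "internet_ssh_to_dmz": Flow("untrust", "DMZ", "198.51.100.9", "203.0.113.53", "tcp", 22),
    "dmz_to_inside": Flow("DMZ", "trust", "203.0.113.53", "10.1.1.20", "tcp", 22),
}


def audit() -> Dict[str, Tuple[str, str]]:
    """Decision for every sample flow: {name: (policy, action)}."""
    return {name: decide(flow) for name, flow in SAMPLES.items()}


if __name__ == "__main__":
    for name, (policy, action) in audit().items():
        print(f"{name:24s} -> {action:6s} ({policy})")
```

The two default-policy results show why Policy 2's explicit deny is not what protects the DMZ: SSH from the Internet to the DMZ server falls off the end of the untrust-to-DMZ list and is dropped by the default policy, and DMZ-to-trust traffic has no zone pair at all. If anyone later sets the default policy to permit-all, both of those flows open up without any listed policy changing, which is the case for keeping an explicit deny-all policy as the last entry of every zone pair that carries restricted traffic.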
5. LLD v1.0 Signoff
Low Level Design v1.0 Approved: [YES / NO]
With Amendments: [YES / NO]
Amendments:
BD LINK LLD v1.0 Approval & Signoff
BD LINK Team
LLD Check:
LLD Verification:
LLD Approval:
GAZI Project Manager
Name:                Designation:
________________________________
Signature of the GAZI PM
GAZI Implementation Manager
Name:                Designation:
________________________________
Signature of the GAZI IM
Comments: