Implementing HA at the Enterprise Data Center Edge to Connect to a Large Number of Branch Offices

Integrating Dynamic Routing into an NSRP Cluster Containing Terminating Interfaces

Application Note

Juniper Networks, Inc.
1194 North Mathilda Avenue
Sunnyvale, California 94089 USA
408.745.2000
1.888 JUNIPER
www.juniper.net

Part Number: 350105-001 July 2007


Copyright ©2007, Juniper Networks, Inc.

Table of Contents

Introduction
    Scope
Design Considerations
    Internet Layer
    Firewall Layer
    Private WAN Layer
    Shared Services Layer
    High Availability
Hardware Requirements
Software Version
Internet Firewall Configuration
    Internet Firewall NSRP
    Internet Firewall Virtual Routing Configuration
    Internet Firewall Policy
    Internet Firewall Screen Configuration
VPN Firewall Configuration
    VPN Firewall NSRP Configuration
    VPN Firewall VR Configuration
    VPN Firewall Policy
Edge Router Configuration
    Edge Router Configuration – M-series-A
    Edge Router Configuration – M-series-B
Summary
Appendix 1. SSG Configuration
    SSG Configuration – Internet Firewall NSRP
    SSG Configuration – Internet Firewall VR
    SSG Configuration – Internet Firewall Policy
    SSG Configuration – Internet Firewall Screening
Appendix 2. ISG Configuration
    ISG Configuration – VPN Firewall NSRP
    ISG Configuration – VPN Firewall VR
    ISG Configuration – VPN Firewall Policy
Appendix 3. M-series Edge Router Configuration
    Edge Router Configuration – M-series A
    Edge Router Configuration – M-series B Edge Router
Glossary
About Juniper Networks


Introduction

This application note outlines the uses of a NetScreen Redundancy Protocol (NSRP) cluster with dynamic routing. In many environments there is a need for both dynamic routing and a unique terminating interface. A terminating interface is an interface that needs to be made available to enable service delivery. This includes an interface that would provide a gateway for a host or an interface upon which IPsec VPNs are terminated. It is possible to accomplish this in a myriad of ways. However, in a network where availability is of utmost importance, dynamic routing is often your best choice.

This paper will review the problem of creating a network where the dynamic availability of services is of critical importance. It explains how to deploy a highly available, fully working cluster by taking the design considerations from the section below and applying them to an actual deployment. The subsequent sections include configuration bits, diagrams and detailed discussions of how to accomplish a High Availability (HA) data center deployment.

Figure 1. Enterprise Network for the Data Center

Scope

This application note provides a real world deployment: it takes the design considerations from the section below and applies them to an actual deployment. The subsequent sections include configuration bits, diagrams and detailed discussions of how to accomplish a High Availability (HA) Data Center deployment.

[Figure 1 diagram labels: Data Center A; Internet and Provider WAN; OSPF AREA 0 and AREA 1; edge routers M-series-A and M-series-B (lo0.0 172.18.8.40 and 172.18.8.41) and M-series-E; J-series-A lo0.0 172.18.8.160; SSG-A loopback.1 172.18.8.42 and SSG-B loopback.1 172.18.8.43; ISG-E loopback.10 172.18.8.161 and ISG-F loopback.10 172.18.8.163; HA links ethernet2/2 and ethernet2/3 (SSG), ethernet4/1 and ethernet4/2 (ISG); link costs 1, 5, 10, 500, 600, 1000 and 5000; shared services Cat4506-B with VRF 40 router IDs 172.16.255.251 and 172.16.255.252; Client VLAN 2000 (IXIA J-IMIX) HSRP 172.18.10.1/24, Server VLAN 2001 (IXIA J-eMIX) HSRP 172.18.11.1/24, Servers VLAN 2002 (Reflector) HSRP 172.18.12.1/24, Servers VLAN 2003 (Real Servers) HSRP 172.18.13.1/24; NOC-OBM ethernet2/0:1 192.168.3.135/24 and ethernet2/1:1 192.168.4.1/24, OSPF passive.]


Design Considerations

Let’s begin by looking at the key design considerations for each of the layers in an HA data center deployment.

Internet Layer

• The design must employ a minimum of two Internet links

• The edge connecting routers need to provide redundancy as well as ensure service accessibility

• The active/active Internet connection requires two edge routers to provide resilient Internet connectivity

• A BGP feed is required from each of the providers to enable failover

• Rate limiting of traffic to the firewall is needed so that a flood of traffic from the Internet does not affect the network

• Stateless inspection or packet filtering must be used

Firewall Layer

• Internet firewalls need to host the network operations center (NOC)

• Firewalls must connect to the Internet layer and receive routing information from the Internet layer edge routers

• IPsec virtual private network (VPN) firewalls provide the connectivity hub for all remote sites and they terminate IPsec VPNs from the Internet as well as private WANs

• IPsec firewalls must terminate VPN tunnels for all of the remote branches over the private WAN

• Redundant hardware, dynamic routing protocols (DRP) and fully meshed links must be employed

• The design must allow for a highly scalable VPN services infrastructure without being dependent on the availability of Internet firewalls

Private WAN Layer

• Private circuits must be either point-to-point connections or connect over a provider-provisioned MPLS network

• All traffic that originates from the branch that is destined for the data center must be encrypted

• The private WAN layer is deployed off of the VPN firewalls

Shared Services Layer

• The Internet firewalls must be provided a default route (obtained from the Internet edge routers) into the shared services layer

• The connectivity to the firewalls must be in a mesh deployment

• Routing on the shared services core must integrate with the firewalls

High Availability

• Design must use a meshed solution to provide redundant paths on each redundant device


Hardware Requirements

Juniper Networks Secure Services Gateways (SSG), Juniper Networks M-series Multiservice Edge Routing Portfolio (M-series) routers, Juniper Networks J-series Services Routers (J-series) and Juniper Networks Integrated Security Gateways (ISG)

Software Version

Juniper Networks ScreenOS version 5.4, r4 or greater

Juniper Networks JUNOS version 8.2, r4 or greater

Internet Firewall Configuration

The Internet firewalls host the NOC. The NOC is deployed off of the firewalls like a traditional DMZ. This ensures that the data collected by the NOC is secured and unaltered by attackers. Secondly, the firewalls connect to the Internet layer and receive routing information from the edge routers. This routing information is then passed to the shared services core that is connected behind the Internet firewalls.

The SSG 550 firewalls, employed in the test configuration, use eight Ethernet interfaces each – four onboard gigabit Ethernet interfaces and four 10/100 interfaces. The firewalls are deployed in an NSRP cluster and they use two of the interfaces to cross-connect to each other (both are 10/100). One interface is dedicated as an out-of-band management port. This interface does not pass any traffic and is only used for management purposes. The NOC has only one interface from each firewall and is not a full mesh. This interface operates like a traditional NSRP active/passive interface.

Each of the two firewalls has its own unique IP address on the physical interface. However, they both share a Virtual Security Interface (VSI). This VSI, however, is part of Virtual Security Device 1 (VSD 1) and not the typical VSD 0 that is used in an active/passive interface. This interface is a passive OSPF interface, which allows only the firewall that has this interface in an active state to send out a Link State Advertisement (LSA) for this network. The VSI allows all of the hosts in the NOC to use this interface as a default route. In the event of a device failure, the backup device will take over with the same VSI interface.

The other four interfaces are deployed into two separate networks as a full mesh and are all gigabit Ethernet. Two of the interfaces connect into the Internet layer routers. The other two interfaces connect into the shared services layer. The network interfaces are illustrated in Figure 2.

Figure 2. Internet Firewalls

[Figure 2 diagram labels: SSG-A loopback.1 172.18.8.42 and SSG-B loopback.1 172.18.8.43; HA links ethernet2/2 and ethernet2/3; OSPF links ethernet0/0 172.18.8.2/30 (cost 5), ethernet0/1 172.18.8.8/30 (cost 10), ethernet0/2 172.18.8.26/30 (cost 5), ethernet0/3 172.18.8.30/30 (cost 10), ethernet0/0 172.18.8.10/30 (cost 500), ethernet0/0 172.18.8.34/30 (cost 500), ethernet0/1 172.18.8.14/30 (cost 1000), ethernet0/3 172.18.8.38/30 (cost 1000); NOC links ethernet2/0 192.168.3.127/24 and 192.168.3.128/24, ethernet2/1 192.168.4.2/24 and 192.168.4.3/24.]


Internet Firewall NSRP

The NSRP configuration used for the Internet firewalls provides a mix of active/active and active/passive. First, VSD 0 is unset. This makes all of the physical interfaces have unique IP addresses on them. The interface IP addresses are not synced amongst cluster members. Doing this allows both firewalls to maintain their own OSPF neighbor relationships. In the event of a failover, the firewall does not need to build its own relationships and cause downtime during the transition. This solution requires the use of terminating interfaces for two separate purposes. The first is used for Network Address Translation (NAT), both source and destination. The other terminating interface is used as a gateway for the hosts on the NOC. To do this, the cluster acts as a traditional active/passive NSRP cluster.

To have the firewall also provide these terminating interfaces, a VSD 1 was created. This allows for a VSD to overlay on top of the firewalls and implement a traditional active/passive cluster with one firewall being the primary owner of the cluster. Two VSI interfaces are created to accomplish this.

The NSRP design uses a mix of VSI and non-VSI interfaces. This flexibility allows the cluster to offer terminating interfaces only where needed and integrate with OSPF at the same time. It is possible to form OSPF neighbor relationships on VSI interfaces. However, in the event of a failover, excessive traffic loss will occur because the OSPF neighbor relationship must be reestablished. In this solution four of the interfaces have OSPF neighbors established on them. This includes Internet and shared services interfaces. Similar to the edge routers, these links are also weighted so one is preferred over the other. Figure 2 details the OSPF interface costing. Using the routing information obtained over OSPF, the firewalls will learn how to access remote networks.

The loopback VSI is active on only one device at a time. In this case it’s primarily active on the “A” firewall as seen in figure 3. Only the firewall that has the active loopback interface will send the Link State Advertisement (LSA) containing the route to the network on the loopback interface. In the event of a failover, the secondary firewall will activate the loopback interface and then send out the LSA for that network. This makes failover quick and there will be only a few seconds of traffic loss. This will be nearly as fast as an active/passive firewall cluster.

The parameters for configuring the Internet firewall NSRP on the SSG gateways are provided in Appendix 1.

Internet Firewall Virtual Routing Configuration

The Untrust virtual router is configured to share some routes that it learns and export them to the trust Virtual Router (VR). First, if the firewalls receive a default route from the Internet edge routers, then that default route is sent to the trust VR. This notifies the trust VR of where to send all of its traffic. Secondly, the loopback IP addresses of the routers and the Internet firewalls are passed to the trust VR. This is done for monitoring purposes as the loopback IP addresses are used for monitoring only. The loopbacks from the routers are exported via a route map that looks for the routes in OSPF. The loopbacks on the firewalls themselves are exported via a route map as a connected route only. This prevents the firewalls from exporting each others’ loopback IP address for monitoring.

If the firewalls were to redistribute their own loopbacks from OSPF, then they would only send out the loopback from the other firewall. This results in asymmetric routing, as the firewall only sees the other cluster members’ route (and exports it). The traffic enters the opposite cluster member and then enters the proper cluster member on the wrong interface. This causes monitoring to fail as the firewall routes the traffic to the wrong interface.

The parameters for configuring the Internet firewall VR on the SSG gateways are provided in Appendix 1.


Internet Firewall Policy

The firewall policy that is deployed on the firewalls is fairly simple. It allows for a minimal amount of access through the firewall. The firewall is configured to secure monitoring traffic as it enters and exits the NOC. The firewall allows traffic from the Internet to access the two Managed IPs (MIPs) that are configured. These MIPs are for the remote branch firewalls to be managed via Juniper Networks Netscreen-Security Manager (NSM). The firewall also allows traffic to exit the datacenter for a minimal amount of services. These are primarily used for update services for the servers in the datacenter. This outbound traffic is NATed via Dynamic IP (DIP) located on the loopback VSI.

The Internet firewall policy configuration bits for the SSG gateways are provided in Appendix 1.

Internet Firewall Screen Configuration

The Internet firewalls are configured with screening to reduce the threat from network-based traffic floods. The screening parameters on the SSG gateways are set using the configuration bits provided in Appendix 1.

VPN Firewall Configuration

The IPsec VPN firewalls are the connectivity hubs for all remote sites. They terminate IPsec VPNs from both the Internet and the private WAN. These firewalls connect to the Internet layer and receive routing information. This allows for connectivity to the Internet and provides access for the remote branches to connect and terminate their VPNs. The connection to the private WAN layer is very similar to the Internet layer except that the network is private. The IPsec firewalls also terminate VPN tunnels for all of the remote branches over the private WAN as well. To provide services into the remote branches, the IPsec VPN firewalls connect to the shared services core.

The VPN firewalls use a total of eight physical interfaces. Because of the design of the ISG firewall, all but one of the interfaces is card-based. The management interface is an onboard interface and is used to connect to the out-of-band management network. It is implemented by a 10/100 Ethernet interface. Two interfaces in slot four are dedicated as HA ports for NSRP. Slot four contains a four-port 10/100 card and provides sufficient bandwidth to support state sync for NSRP.

The connection to the Internet edge routers is done with a pair of gigabit Ethernet ports. These ports are both on the same card in slot number one. Each port connects to a separate router and is weighted in OSPF so that one link is preferred over another. This ensures that traffic will flow as expected. The Internet layer links operate the same as the Internet layer links that are found on the Internet firewalls. They are in OSPF area 1 and are a stand-alone OSPF area.

The VPN firewalls do not allow for any traffic to pass from the shared services layer to the Untrust network. The only routes that are imported from the Untrust-VR to the Trust-VR are the individual loopback interfaces that are used for network monitoring. These routes are then distributed via OSPF to the shared services layer so the NOC systems know how to access the loopbacks. There are no firewall policies in place that otherwise allow traffic to leave the data center through the VPN firewalls.

A second card is deployed in slot two also using a pair of gigabit Ethernet ports. These two ports are configured as two individual Ethernet ports in a full mesh to the two switches in the shared services layer. The two links have different costs to ensure a specific link is preferred. Again, as with the Internet layer interfaces, each of the interfaces is weighted so one link is preferred over the other. These interfaces participate in OSPF area 0 inside of the shared services layer. A diagram representing the port configuration can be found below in figure 3.


Figure 3. VPN Firewalls

VPN Firewall NSRP Configuration

The NSRP configuration is similar to that of the Internet firewalls. The VPN firewalls also are a mix of active/active and active/passive. In this case, however, the firewalls employ several different terminating interfaces. The focus of these terminating interfaces is on VPNs instead of just NAT or as a default gateway. A total of seven VSI loopbacks are used in this solution. For the VPN firewalls, VSD 0 is unset because the firewalls need to maintain their own OSPF neighbor relationships. Then two different VSDs are created. Creating two separate VSDs allows each of the two firewalls to handle some of the VPN traffic, effectively load balancing that traffic. It is possible to load balance the traffic because of the use of dynamic routing.

The VPN firewall NSRP configuration bits for the ISG gateways are provided in Appendix 2.

VPN Firewall VR Configuration

The VPN firewalls are integrated with two routing protocols: OSPF and RIP. OSPF is the primary routing protocol that is used throughout the solution. This protocol is used to pass routes between all of the devices in the solution. However, OSPF cannot be used for all of the VPN tunnels. Large VPN topologies are not best suited for the use of this protocol. All of the remote devices are small and would be unable to handle all of the routing information. Secondly, one change in the topology would force all of the sites to recalculate Shortest Path First (SPF). It could be possible that this could happen several times an hour causing a flurry of calculations. OSPF also does not allow for filtering of routing information except at area borders.

[Figure 3 diagram labels: Data Center A; Provider WAN; J-series-A lo0.0 172.18.8.160; ISG-E loopback.10 172.18.8.161 and ISG-F loopback.10 172.18.8.163; HA links ethernet4/1 and ethernet4/2; Internet-layer links ethernet1/1 172.18.8.17/30 (cost 5), ethernet1/2 172.18.8.22/30 (cost 10), ethernet1/1 172.18.8.129/30 (cost 500), ethernet1/2 172.18.8.134/30 (cost 1000); shared-services links ethernet2/1 172.18.8.146/30 (cost 5), ethernet2/2 172.18.8.154/30 (cost 10), ethernet2/1 172.18.8.150/30 (cost 500); private WAN links ethernet3/1 172.18.8.138/30 (cost 5000) and ethernet3/1 172.18.8.142/30 (cost 5000) to J-series fe-1/0/0.0 172.18.8.137/30 (cost 5000) and fe-1/0/1.0 172.18.8.141/30 (cost 5000); ethernet0/0 172.18.8.2/30 (cost 5); eIs-0/0/0.0 172.18.32.2/30.]


ScreenOS supports two other routing protocols: RIP and BGP. This solution uses the protocol RIP. While BGP would be better suited for use in a larger deployment, the protocol can be very intimidating to work with. Many customers already also use RIP today. So the decision was made to use RIP for all of the remote branches. RIP is enabled on the tunnel interfaces only. All of the learned routes from the remote branches go into the trust-VR. These routes then are distributed into OSPF as type-two external OSPF routes. This allows the data center to know the location for all of the remote sites. Because there are two firewalls that are active at any time, all of the individual routes must be sent to the entire data center. In appendix eight the configuration for routing is displayed. The RIP preference has been changed so that the learned RIP route for the remote location will be preferred over the learned OSPF route.

To set up the VPN firewall VR for the ISG gateways, perform the configuration provided in Appendix 2.

VPN Firewall Policy

The firewall security policy is nearly an identical mirror to what is configured in the branch office(s). The policies are extremely restrictive, allowing access for only the minimum required services. All of the policies on the VPN firewalls have the Juniper intrusion detection and prevention (IDP) inspection enabled on them. A sample view of Intrusion Prevention System (IPS) policy for NSM is shown in figure 4.

Figure 4. VPN Firewall IPS Policy

To set up VPN firewall policy for the ISG gateways, perform the configuration provided in Appendix 2.

Edge Router Configuration

The edge routers contain aggregate routes for all of the public IP addresses used on the firewalls. These routes are then sent out to the edge routes as connected via ISP. This ensures that the routes always are sent out to the Internet via BGP, even in the event that these routes are not being received via OSPF.

The edge routers consist of two Juniper Networks M7iDCs, which provide sufficient interface capacity and throughput. As shown in figure 5, each router uses six total links. This allows the addition of interface cards, if needed, because only two PICs are used.

To connect to the firewall layer, as shown in figure 5, a fully meshed network is created. Each router has a single connection to each of the four firewalls. Each router uses a four-port gigabit Ethernet PIC to create this complete mesh. Each of the two edge routers is linked to the other via a single gigabit Ethernet link. This link provides a transit path around a less preferred or failed path. It also provides continuity to the Internet so both Internet connections can be used for the best possible path to the remote networks, and also in case a packet is asymmetrically routed over the Internet and is returned over the less preferred link.


Figure 5. M-series Edge Routers

The configuration of the routing protocols is particularly important on the edge routers. It is critical that they are properly configured to ensure that the correct routing occurs throughout the solution. Below is the configuration of the routing protocols for both of the edge routers.

Edge Router Configuration – M-series-A

The following provides the routing configuration for the M-series-A edge router, which is the router that provides the preferred path. The configuration metrics are configured for it to be selected as the best path. To set up the primary edge router, perform the configuration on devices as provided in Appendix 3.

Edge Router Configuration – M-series-B

The Edge Router B path is the less preferred path through the solution and is deployed by performing the configuration provided in Appendix 3.

Summary

This application note focuses on creating a dynamically available network and allows the reader to better understand a deployment of what has traditionally been called a mixed mode NSRP cluster. This solution provides a working example of device configuration and also shows the components around the firewalls as well. It can be fairly simple to create a highly available firewall cluster. But it can be very difficult to also have to create all of the components around them. This application note provides both the configuration and context around the firewalls.

[Figure 5 diagram labels: Data Center A; OSPF AREA 1; ISP C and ISP B; M Series-A and M Series-B lo0.0 172.18.8.40 and 172.18.8.41; ISP links ge-0/1/0.0 1.253.0.2/30 and so-0/1/0.0 1.254.0.2/30, OSPF passive; firewall-facing links ge-0/0/0.0 172.18.8.1/30 (cost 5), ge-0/0/0.0 172.18.8.5/30 (cost 10), ge-0/0/1.0 172.18.8.9/30 (cost 500), ge-0/0/1.0 172.18.8.13/30 (cost 1000), ge-0/0/2.0 172.18.8.18/30 (cost 5), ge-0/0/2.0 172.18.8.21/30 (cost 10), ge-0/0/3.0 172.18.8.130/30 (cost 500), ge-0/0/3.0 172.18.8.133/30 (cost 1000); inter-router link ge-0/1/3.0 172.18.8.25/30 (cost 1) and ge-0/1/3.0 172.18.8.5/30 (cost 1).]


Appendix 1. SSG Configuration

The following appendix subsections provide the parameters for configuring the Internet Firewall NSRP, Internet Firewall VR, Internet Firewall Policy and Internet Firewall Screening on each SSG device. These configuration parameters are derived from a test configuration that uses the SSG550 as the test gateway. It should be noted that any of the SSG family of products may be configured using this example as the software versions are compatible:

SSG Configuration – Internet Firewall NSRP

The parameters for configuring the Internet firewall NSRP on the SSG gateways are as follows:

    set interface ethernet2/0:1 ip 192.168.3.135/24
    set interface ethernet2/0:1 route
    set interface loopback.2:1 ip 1.2.0.9/29
    set interface loopback.2:1 route
    set interface ethernet0/0 monitor threshold 255 action down physically
    set interface ethernet0/1 monitor threshold 255 action down physically
    set interface ethernet0/0 monitor interface ethernet2/0
    set interface ethernet0/0 monitor interface ethernet2/1
    set interface ethernet0/1 monitor interface ethernet2/0
    set interface ethernet0/1 monitor interface ethernet2/1
    set nsrp cluster id 1
    set nsrp rto-mirror sync
    set nsrp rto-mirror session non-vsi
    unset nsrp vsd-group id 0
    set nsrp vsd-group id 1 priority 10
    set nsrp vsd-group id 1 preempt
    set nsrp monitor interface ethernet0/0 weight 125
    set nsrp monitor interface ethernet0/1 weight 125
    set nsrp monitor interface ethernet2/0
    set nsrp monitor interface ethernet2/1
    set nsrp monitor track-ip ip
    set nsrp monitor track-ip ip 172.18.8.1 interface ethernet0/0
    set nsrp monitor track-ip ip 172.18.8.1 weight 125
    set nsrp monitor track-ip ip 172.18.8.5 interface ethernet0/1
    set nsrp monitor track-ip ip 172.18.8.5 weight 125
    set vrouter "untrust-vr"


SSG Configuration – Internet Firewall VR

The parameters for configuring the Internet firewall VR on the SSG gateways are as follows:

    set protocol ospf
    set enable
    set area 0.0.0.1
    exit
    set vrouter "untrust-vr"
    set protocol ospf
    set enable
    set area 0.0.0.1
    exit
    exit
    set vrouter "trust-vr"
    unset auto-route-export
    set protocol ospf
    set enable
    set advertise-def-route metric 1 metric-type 2
    exit
    exit
    set vrouter "trust-vr"
    unset auto-route-export
    set protocol ospf
    set enable
    set advertise-def-route metric 1 metric-type 2
    exit
    set router-id 172.18.8.42
    set access-list 1
    set access-list 1 permit default-route 1
    set access-list 1 permit ip 172.18.8.0/0 2
    set route-map name "OSPFexport" permit 1
    set match ip 1
    exit
    unset add-default-route
    set protocol ospf
    set redistribute route-map "OSPFexport" protocol imported
    exit
    exit
    set interface ethernet0/0 protocol ospf area 0.0.0.1
    set interface ethernet0/0 protocol ospf link-type p2p
    set interface ethernet0/0 protocol ospf enable
    set interface ethernet0/0 protocol ospf cost 5
    set interface ethernet0/1 protocol ospf area 0.0.0.1
    set interface ethernet0/1 protocol ospf link-type p2p
    set interface ethernet0/1 protocol ospf enable
    set interface ethernet0/1 protocol ospf cost 10
    set interface loopback.1 protocol ospf area 0.0.0.1
    set interface loopback.1 protocol ospf passive
    set interface loopback.1 protocol ospf enable
    set interface loopback.2:1 protocol ospf area 0.0.0.1
    set interface loopback.2:1 protocol ospf passive
    set interface loopback.2:1 protocol ospf enable
    set interface ethernet0/2 protocol ospf area 0.0.0.0
    set interface ethernet0/2 protocol ospf link-type p2p


set interface ethernet0/2 protocol ospf enable
set interface ethernet0/2 protocol ospf cost 5
set interface ethernet0/3 protocol ospf area 0.0.0.0
set interface ethernet0/3 protocol ospf link-type p2p
set interface ethernet0/3 protocol ospf enable
set interface ethernet0/3 protocol ospf cost 10
set interface ethernet2/1:1 protocol ospf area 0.0.0.0
set interface ethernet2/1:1 protocol ospf passive
set interface ethernet2/1:1 protocol ospf enable

SSG Configuration – Internet Firewall Policy

The Internet firewall policy on the SSG gateways is configured as follows:

set policy id 1 from “Datacenter” to “NOC” “Any” “Any” “DNS” permit log
set policy id 1
set service “FTP”
set service “HTTP”
set service “HTTPS”
set service “NSM”
set service “NTP”
set service “PING”
set service “RADIUS”
set service “SSH”
exit
set policy id 2 from “NOC” to “Datacenter” “Any” “Any” “DNS” permit log
set policy id 2
set service “HTTP”
set service “HTTPS”
set service “NSM”
set service “NTP”
set service “SNMP”
set service “SSH”
set service “TELNET”
set service “TFTP”
exit
set policy id 5 from “Untrust” to “NOC” “Any” “MIP(1.2.0.10)” “NSM” permit log
set policy id 5
set dst-address “MIP(1.2.0.11)”
set service “PING”
exit
set policy id 13 from “NOC” to “Untrust” “Any” “Loopbacks-DCA” “PING” nat src permit
set policy id 13
set service “SNMP”
exit
set policy id 7 from “NOC” to “Untrust” “Any” “Any” “DNS” nat src dip-id 4 permit log
set policy id 7
set service “FTP”
set service “HTTP”
set service “HTTPS”
set service “NSM”
set service “PING”
set service “SSH”
set service “TELNET”
set log session-init
exit

set policy id 10 from “Datacenter” to “Untrust” “Any” “Any” “DNS” nat src dip-id 4 permit log
set policy id 10
set service “FTP”
set service “HTTP”
set service “HTTPS”
set service “ICMP-ANY”
set service “IMAP”
set service “POP3”
set service “RTSP”
set service “SMTP”
exit

SSG Configuration – Internet Firewall Screening

The screening parameters on the SSG gateways are set using the following configuration parameters:

set zone “Untrust” screen icmp-flood
set zone “Untrust” screen udp-flood
set zone “Untrust” screen winnuke
set zone “Untrust” screen port-scan
set zone “Untrust” screen tear-drop
set zone “Untrust” screen syn-flood
set zone “Untrust” screen ip-spoofing
set zone “Untrust” screen ping-death
set zone “Untrust” screen ip-filter-src
set zone “Untrust” screen land
set zone “Untrust” screen syn-frag
set zone “Untrust” screen tcp-no-flag
set zone “Untrust” screen ip-bad-option
set zone “Untrust” screen ip-record-route
set zone “Untrust” screen ip-timestamp-opt
set zone “Untrust” screen ip-security-opt
set zone “Untrust” screen ip-loose-src-route
set zone “Untrust” screen ip-strict-src-route
set zone “Untrust” screen ip-stream-opt
set zone “Untrust” screen icmp-fragment
set zone “Untrust” screen icmp-large
set zone “Untrust” screen syn-fin
set zone “Untrust” screen fin-no-ack
set zone “Untrust” screen icmp-id
set zone “V1-Untrust” screen tear-drop
set zone “V1-Untrust” screen syn-flood
set zone “V1-Untrust” screen ping-death
set zone “V1-Untrust” screen ip-filter-src
set zone “V1-Untrust” screen land
set zone “Datacenter” screen icmp-flood
set zone “Datacenter” screen udp-flood
set zone “Datacenter” screen winnuke
set zone “Datacenter” screen port-scan
set zone “Datacenter” screen tear-drop
set zone “Datacenter” screen syn-flood
set zone “Datacenter” screen ip-spoofing
set zone “Datacenter” screen ping-death
set zone “Datacenter” screen ip-filter-src

set zone “Datacenter” screen land
set zone “Datacenter” screen syn-frag
set zone “Datacenter” screen tcp-no-flag
set zone “Datacenter” screen ip-bad-option
set zone “Datacenter” screen ip-record-route
set zone “Datacenter” screen ip-timestamp-opt
set zone “Datacenter” screen ip-security-opt
set zone “Datacenter” screen ip-loose-src-route
set zone “Datacenter” screen ip-strict-src-route
set zone “Datacenter” screen ip-stream-opt
set zone “Datacenter” screen icmp-fragment
set zone “Datacenter” screen icmp-large
set zone “Datacenter” screen syn-fin
set zone “Datacenter” screen fin-no-ack
set zone “Datacenter” screen syn-ack-ack-proxy
set zone “Datacenter” screen icmp-id
set zone “Untrust” screen ip-sweep threshold 66666
set zone “Datacenter” screen ip-sweep threshold 66666
set zone “Untrust” screen port-scan threshold 66666
set zone “Datacenter” screen port-scan threshold 66666
set zone “Untrust” screen udp-flood dst-ip 1.2.0.13 threshold 10000
set zone “Untrust” screen udp-flood dst-ip 1.3.0.13 threshold 10000
set zone “Datacenter” screen udp-flood threshold 10000
set zone “Untrust” screen limit-session source-ip-based 1280
set zone “Datacenter” screen limit-session source-ip-based 1280
set zone “Untrust” screen limit-session destination-ip-based 1280
set zone “Datacenter” screen limit-session destination-ip-based 1280
set zone “Untrust” screen syn-flood alarm-threshold 1000
set zone “Untrust” screen syn-flood attack-threshold 1000
set zone “Untrust” screen syn-flood source-threshold 150
set zone “Untrust” screen syn-flood destination-threshold 10000
set zone “Datacenter” screen syn-flood alarm-threshold 1000
set zone “Datacenter” screen syn-flood attack-threshold 1000
set zone “Datacenter” screen syn-flood source-threshold 150
set zone “Datacenter” screen syn-flood destination-threshold 150

Appendix 2. ISG Configuration

The following appendix subsections provide the configuration data for configuring the VPN firewall NSRP, VPN firewall VR, and VPN firewall policy on the ISG gateways. These configuration parameters are derived from a test configuration that uses the ISG-2000 as the VPN gateway. It should be noted that any of the ISG family of products may be configured using this example, as the software versions are compatible.

ISG Configuration – VPN Firewall NSRP

The VPN firewall NSRP configuration parameters for the ISG gateways are as follows:

set interface loopback.1:1 ip 1.2.0.6/32
set interface loopback.1:1 route
set interface loopback.2:1 ip 1.3.0.6/32
set interface loopback.2:1 route
set interface loopback.3:2 ip 1.2.0.7/32
set interface loopback.3:2 route
set interface loopback.4:2 ip 1.3.0.7/32
set interface loopback.4:2 route
set interface loopback.5:1 ip 172.18.8.162/32
set interface loopback.5:1 route
set interface loopback.6:2 ip 172.18.8.164/32
set interface loopback.6:2 route
set interface loopback.8:1 ip 172.18.8.169/29
set interface loopback.8:1 route
set nsrp cluster id 2
set nsrp rto-mirror sync
set nsrp rto-mirror session ageout-ack
set nsrp rto-mirror session non-vsi
unset nsrp vsd-group id 0
set nsrp vsd-group id 1 priority 10
set nsrp vsd-group id 1 preempt
set nsrp vsd-group id 2 priority 100
set nsrp vsd-group id 2 preempt
set nsrp monitor zone Untrust
set nsrp monitor zone Datacenter
set nsrp monitor zone PTP

ISG Configuration – VPN Firewall VR

To set up the VPN firewall VR for the ISG gateways, perform the following configuration:

set vrouter “untrust-vr”
set protocol ospf
set enable
set area 0.0.0.1
exit
set router-id 172.18.8.161
set access-list 2
set access-list 2 permit ip 172.18.8.0/24 1
set route-map name “permit-loopbacks” permit 1
set match ip 2
exit
set export-to vrouter “trust-vr” route-map “permit-loopbacks” protocol ospf
set export-to vrouter “trust-vr” route-map “permit-loopbacks” protocol connected
exit

set vrouter “trust-vr”
unset auto-route-export
set protocol ospf
set enable
exit
set protocol rip
set enable
set default-metric 1
set hold-timer 30
set poll-timer 10
set advertise-def-route metric 10
set reject-default-route
set max-neighbor-count 250
set no-source-validation
set alt-route 3
exit
set preference ebgp 250
set preference ibgp 40
set preference rip 35
set max-routes 4000
set router-id 172.18.8.161
set max-ecmp-routes 4
set access-list 1
set access-list 1 permit ip 172.18.0.0/16 1
set access-list 1 permit ip 192.168.4.0/24 2
set access-list 2
set access-list 2 permit ip 10.140.0.0/16 1
set access-list 2 permit ip 10.20.0.0/16 2
set access-list 2 permit ip 10.5.0.0/16 3
set access-list 2 permit ip 10.6.0.0/16 4
set access-list 2 permit ip 10.7.0.0/16 5
set access-list 2 permit ip 10.8.0.0/16 6
set access-list 2 permit ip 10.9.0.0/16 7
set access-list 3
set access-list 3 permit ip 192.168.4.0/24 1
set access-list 4
set access-list 4 permit ip 172.18.0.0/16 1
set access-list 4 permit ip 192.168.4.0/24 2
set access-list 4 permit default-route 10
set route-map name “aggregateLocals” permit 1
set match ip 1
set metric 1
exit
set route-map name “aggregateLocals” deny 2
exit
set route-map name “remotenetworks” permit 1
set match ip 2
set metric-type type-2
exit
set route-map name “remotenetworks” deny 2
exit
set route-map name “NocNet” permit 1
set match ip 3
exit

set route-map name “rejectDefault” deny 1
set match ip 4
exit
set route-map name “aggregateLocalsAndDefault” permit 1
set match ip 4
exit
unset add-default-route
set route 172.18.0.0/16 interface null preference 20
set route 172.18.8.0/21 interface null
set route 1.2.0.0/29 interface null preference 20
set route 1.3.0.0/29 interface null preference 20
set protocol ospf
set redistribute route-map “remotenetworks” protocol static
set redistribute route-map “remotenetworks” protocol rip
exit
set protocol rip
set redistribute route-map “NocNet” protocol ospf
set redistribute route-map “aggregateLocals” protocol static
exit
exit
set interface ethernet1/1 protocol ospf area 0.0.0.1
set interface ethernet1/1 protocol ospf link-type p2p
set interface ethernet1/1 protocol ospf enable
set interface ethernet1/1 protocol ospf cost 5
set interface ethernet1/2 protocol ospf area 0.0.0.1
set interface ethernet1/2 protocol ospf link-type p2p
set interface ethernet1/2 protocol ospf enable
set interface ethernet1/2 protocol ospf cost 10
set interface loopback.10 protocol ospf area 0.0.0.1
set interface loopback.10 protocol ospf passive
set interface loopback.10 protocol ospf enable
set interface loopback.1:1 protocol ospf area 0.0.0.1
set interface loopback.1:1 protocol ospf passive
set interface loopback.1:1 protocol ospf enable
set interface loopback.2:1 protocol ospf area 0.0.0.1
set interface loopback.2:1 protocol ospf passive
set interface loopback.2:1 protocol ospf enable
set interface loopback.3:2 protocol ospf area 0.0.0.1
set interface loopback.3:2 protocol ospf passive
set interface loopback.3:2 protocol ospf enable
set interface loopback.4:2 protocol ospf area 0.0.0.1
set interface loopback.4:2 protocol ospf passive
set interface loopback.4:2 protocol ospf enable
set interface ethernet3/1 protocol ospf area 0.0.0.0
set interface ethernet3/1 protocol ospf enable
set interface ethernet3/1 protocol ospf cost 5000
set interface ethernet2/1 protocol ospf area 0.0.0.0
set interface ethernet2/1 protocol ospf link-type p2p
set interface ethernet2/1 protocol ospf enable
set interface ethernet2/1 protocol ospf cost 5
set interface ethernet2/2 protocol ospf area 0.0.0.0
set interface ethernet2/2 protocol ospf link-type p2p
set interface ethernet2/2 protocol ospf enable
set interface ethernet2/2 protocol ospf cost 10

set interface loopback.5:1 protocol ospf area 0.0.0.0
set interface loopback.5:1 protocol ospf passive
set interface loopback.5:1 protocol ospf enable
set interface loopback.6:2 protocol ospf area 0.0.0.0
set interface loopback.6:2 protocol ospf passive
set interface loopback.6:2 protocol ospf enable
set interface loopback.8:1 protocol ospf area 0.0.0.0
set interface loopback.8:1 protocol ospf passive
set interface loopback.8:1 protocol ospf enable
set interface tunnel.1 protocol rip
set interface tunnel.1 protocol rip enable
set interface tunnel.1 protocol rip route-map “remotenetworks” in
set interface tunnel.1 protocol rip route-map “aggregateLocals” out
set interface tunnel.1 protocol rip metric 2
set interface tunnel.1 protocol rip send-version v2
set interface tunnel.1 protocol rip receive-version v2
set interface tunnel.1 protocol rip demand-circuit
set interface tunnel.2 protocol rip
set interface tunnel.2 protocol rip enable
set interface tunnel.2 protocol rip route-map “remotenetworks” in
set interface tunnel.2 protocol rip route-map “aggregateLocals” out
set interface tunnel.2 protocol rip metric 2
set interface tunnel.2 protocol rip demand-circuit
set interface tunnel.3 protocol rip
set interface tunnel.3 protocol rip enable
set interface tunnel.3 protocol rip route-map “remotenetworks” in
set interface tunnel.3 protocol rip route-map “aggregateLocals” out
set interface tunnel.3 protocol rip metric 2
set interface tunnel.3 protocol rip demand-circuit
set interface tunnel.4 protocol rip
set interface tunnel.4 protocol rip enable
set interface tunnel.4 protocol rip route-map “remotenetworks” in
set interface tunnel.4 protocol rip route-map “aggregateLocals” out
set interface tunnel.4 protocol rip metric 2
set interface tunnel.4 protocol rip demand-circuit
set interface tunnel.5 protocol rip
set interface tunnel.5 protocol rip enable
set interface tunnel.5 protocol rip route-map “remotenetworks” in
set interface tunnel.5 protocol rip route-map “aggregateLocalsAndDefault” out
set interface tunnel.5 protocol rip demand-circuit
set interface tunnel.6 protocol rip
set interface tunnel.6 protocol rip enable
set interface tunnel.6 protocol rip route-map “remotenetworks” in
set interface tunnel.6 protocol rip route-map “aggregateLocalsAndDefault” out
set interface tunnel.6 protocol rip demand-circuit
set interface tunnel.7 protocol rip
set interface tunnel.7 protocol rip enable
set interface tunnel.7 protocol rip route-map “remotenetworks” in
set interface tunnel.7 protocol rip route-map “aggregateLocals” out
set interface tunnel.7 protocol rip metric 2
set interface tunnel.7 protocol rip demand-circuit
set interface tunnel.8 protocol rip
set interface tunnel.8 protocol rip enable
set interface tunnel.8 protocol rip route-map “remotenetworks” in

set interface tunnel.8 protocol rip route-map “aggregateLocals” out
set interface tunnel.8 protocol rip metric 2
set interface tunnel.8 protocol rip demand-circuit
set interface tunnel.9 protocol rip
set interface tunnel.9 protocol rip enable
set interface tunnel.9 protocol rip route-map “remotenetworks” in
set interface tunnel.9 protocol rip route-map “aggregateLocals” out
set interface tunnel.9 protocol rip metric 2
set interface tunnel.9 protocol rip demand-circuit
set interface tunnel.10 protocol rip
set interface tunnel.10 protocol rip enable
set interface tunnel.10 protocol rip route-map “remotenetworks” in
set interface tunnel.10 protocol rip route-map “aggregateLocals” out
set interface tunnel.10 protocol rip metric 2
set interface tunnel.10 protocol rip demand-circuit

ISG Configuration – VPN Firewall Policy

To set up the VPN firewall policy for the ISG gateways, perform the following configuration:

set policy id 1 from “PTP” to “Datacenter” “Any” “MIP(172.18.8.170)” “NSM” permit log
set policy id 1
set dst-address “MIP(172.18.8.171)”
set service “PING”
exit
set policy id 4 from “Datacenter” to “PTP” “Any” “Any” “PING” permit log
set policy id 4
exit
set policy id 5 from “VPN” to “Datacenter” “Trust-Type-A” “Name-Servers_1” “DNS” permit log
set policy id 5
set idp
exit
set policy id 5
set src-address “Trust-Type-B”
set src-address “Trust-Type-C”
set service “MS-WIN-DNS”
set service “MS-WINS”
set service “NBNAME”
set service “PING”
exit
set policy id 2 from “VPN” to “Datacenter” “Trust-Type-A” “Domain-Servers_1” “MS-NETLOGON” permit log
set policy id 2
set idp
exit
set policy id 2
set src-address “Trust-Type-B”
set src-address “Trust-Type-C”
set service “MS-RPC-ANY”
set service “MS-RPC-EPM”
set service “MS-WINS”
set service “NBDS”
set service “NBNAME”
set service “pcnfsd_1”
set service “PING”

set service “MS-AD”
exit
set policy id 6 from “VPN” to “Datacenter” “Trust-Type-A” “Mail Servers_1” “IMAP” permit log
set policy id 6
set idp
exit
set policy id 6
set src-address “Trust-Type-B”
set src-address “Trust-Type-C”
set service “imap-ssl_1”
set service “PING”
set service “POP3”
set service “SMTP”
set service “MS-EXCHANGE”
exit
set policy id 7 from “VPN” to “Datacenter” “Trust-Type-A” “Application Servers_1” “HTTP” permit log
set policy id 7
set idp
exit
set policy id 7
set src-address “Trust-Type-B”
set src-address “Trust-Type-C”
set service “HTTPS”
set service “PING”
exit
set policy id 8 from “VPN” to “Datacenter” “Trust-Type-A” “File Servers_2” “PING” permit log
set policy id 8
set idp
exit
set policy id 8
set src-address “Trust-Type-B”
set src-address “Trust-Type-C”
set service “netbios-dgm_1”
set service “netbios-ns_1”
set service “netbios-ssn_1”
set service “NFS-ALL_1”
exit
set policy id 9 from “VPN” to “Datacenter” “Trust-Type-A” “Terminal Servers_2” “ICA” permit log
set policy id 9
set idp
exit
set policy id 9
set src-address “Trust-Type-B”
set src-address “Trust-Type-C”
set service “PING”
set service “RDP”
exit
set policy id 11 from “VPN” to “Datacenter” “Trust-Type-A” “NOC-A” “PING” permit log
set policy id 11
set idp
exit
set policy id 11
set src-address “Trust-Type-B”

set src-address “Trust-Type-C”
set dst-address “NOC-B”
set service “RADIUS”
set service “TRACEROUTE”
exit
set policy id 10 from “Datacenter” to “VPN” “NOC-A” “Trust-Type-A” “ICA” permit log
set policy id 10
set idp
exit
set policy id 10
set src-address “NOC-B”
set src-address “All-DC-Networks”
set dst-address “Trust-Type-B”
set dst-address “Trust-Type-C”
set service “PING”
set service “RDP”
set service “SSH”
set service “TELNET”
set service “PING-ALL”
exit
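The SSG Internet firewall policy and the ISG VPN firewall policy above share one ScreenOS idiom: a `set policy id N from ... to ...` header line, followed by `set policy id N ... exit` context blocks that add further addresses, services and IDP to the same rule. The parser and audit below are an added example, not code from the Juniper note; its sample configuration is constructed from a few of the page's own policies and deliberately mixes curly and straight quotes, as the rendered page does.

```python
"""Parse ScreenOS 'set policy' blocks (the syntax of the SSG and ISG policy
listings on this page) into structured rules and audit them.

Added example, not code from the Juniper application note.  SAMPLE_CONFIG is
constructed from a few of the page's own policies and deliberately mixes
curly and straight quotes, as the rendered page does."""
import re
from typing import Dict, List

# set policy id N from "Z1" to "Z2" "SRC" "DST" "SVC" [nat src [dip-id N]] permit|deny [log]
_HEADER = re.compile(
    r'^set policy id (?P<id>\d+) from "(?P<from>[^"]+)" to "(?P<to>[^"]+)" '
    r'"(?P<src>[^"]+)" "(?P<dst>[^"]+)" "(?P<svc>[^"]+)"'
    r'(?P<opts>(?: .+?)?) (?P<action>permit|deny)(?P<log> log)?$')
_CONTEXT = re.compile(r'^set policy id (?P<id>\d+)$')
_SUB = re.compile(r'^set (?P<key>src-address|dst-address|service) "(?P<val>[^"]+)"$')
_KEYS = {'src-address': 'src', 'dst-address': 'dst', 'service': 'services'}

def _normalise(line: str) -> str:
    # Rendered copies of a ScreenOS config carry curly quotes; the CLI uses straight ones.
    return line.strip().replace('\u201c', '"').replace('\u201d', '"')

def parse_policies(config: str) -> Dict[int, dict]:
    """Return {policy id: rule}; context blocks extend the rule their header created."""
    policies: Dict[int, dict] = {}
    current = None                      # id of the open context block, if any
    for raw in config.splitlines():
        line = _normalise(raw)
        m = _HEADER.match(line)
        if m:
            pid = int(m.group('id'))
            policies[pid] = {
                'id': pid, 'from': m.group('from'), 'to': m.group('to'),
                'src': [m.group('src')], 'dst': [m.group('dst')],
                'services': [m.group('svc')], 'action': m.group('action'),
                'log': bool(m.group('log')), 'idp': False,
                'nat': m.group('opts').strip().startswith('nat'),
            }
            continue
        m = _CONTEXT.match(line)
        if m:
            current = int(m.group('id'))
            if current not in policies:
                raise ValueError(f'context block for unknown policy {current}')
            continue
        if line == 'exit':
            current = None
        elif current is not None:       # inside 'set policy id N' ... 'exit'
            m = _SUB.match(line)
            if m:
                policies[current][_KEYS[m.group('key')]].append(m.group('val'))
            elif line == 'set idp':
                policies[current]['idp'] = True
    return policies

def audit(policies: Dict[int, dict]) -> List[str]:
    """Findings a reviewer would raise before the policy set goes live."""
    findings = []
    for p in sorted(policies.values(), key=lambda r: r['id']):
        tag = f"policy {p['id']} ({p['from']}->{p['to']})"
        if p['action'] == 'permit' and not p['log']:
            findings.append(f'{tag}: permit without log')
        if p['from'] == 'Untrust' and 'Any' in p['dst']:
            findings.append(f'{tag}: inbound from Untrust to Any destination')
        if p['from'] == 'VPN' and not p['idp']:
            findings.append(f'{tag}: VPN ingress without IDP')
    return findings

# Constructed sample: three policies taken from the page's SSG and ISG listings.
SAMPLE_CONFIG = """\
set policy id 5 from “Untrust” to “NOC” “Any” “MIP(1.2.0.10)” “NSM” permit log
set policy id 5
set dst-address “MIP(1.2.0.11)”
set service “PING”
exit
set policy id 13 from “NOC” to “Untrust” “Any” “Loopbacks-DCA” “PING” nat src permit
set policy id 13
set service “SNMP”
exit
set policy id 9 from "VPN" to "Datacenter" "Trust-Type-A" "Terminal Servers_2" "ICA" permit log
set policy id 9
set idp
exit
set policy id 9
set src-address "Trust-Type-B"
set service "RDP"
exit
"""
```

Running `audit(parse_policies(SAMPLE_CONFIG))` reports only policy 13, the one permit rule on the page written without `log`.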

Appendix 3. M-series Edge Router Configuration

The following appendix subsections provide the routing configuration parameters for the M-series A and B edge routers. The configuration parameters are based upon a test configuration that employs M7iDC routers as edge devices. It should be noted that any of the M-series products may be configured using this example, as the software versions are compatible.

Edge Router Configuration – M-series A

To set up the primary edge router, perform the following configuration on the M-series A edge router:

routing-options {
    aggregate {
        route 0.0.0.0/0 policy EbgpNeigh;
        route 1.3.0.0/29;
        route 1.2.0.0/29;
        route 1.2.0.8/29;
    }
    router-id 172.18.8.40;
    autonomous-system 65010;
}
protocols {
    bgp {
        group Intra-65010 {
            type internal;
            local-address 172.18.8.40;
            export bgpExport;
            neighbor 172.18.8.41 {
                peer-as 65010;
            }
        }
        group ISPC {
            type external;
            traceoptions {
                file ISPC-Trace;
                flag state;
            }
            local-address 1.253.0.2;
            export localnetwork;
            neighbor 1.253.0.1 {
                peer-as 65002;
            }
        }
    }
    ospf {
        export defaultAggregate;
        area 0.0.0.1 {
            interface lo0.0 {
                passive;
            }
            interface ge-0/0/0.0 {
                interface-type p2p;
                metric 5;
            }
            interface ge-0/0/2.0 {
                interface-type p2p;
                metric 5;
            }
            interface ge-0/0/1.0 {
                interface-type p2p;
                metric 500;
            }
            interface ge-0/0/3.0 {
                interface-type p2p;
                metric 500;
            }
            interface ge-1/3/0.0 {
                interface-type p2p;
                bfd-liveness-detection {
                    minimum-interval 300;
                    multiplier 3;
                }
            }
            interface ge-0/1/0.0 {
                passive;
            }
        }
    }
}
policy-options {
    prefix-list ISG-Loopbacks {
        1.2.0.6/32;
        1.2.0.7/32;
        1.3.0.6/32;
        1.3.0.7/32;
    }
    prefix-list eBGP-Peers {
        1.253.0.1/32;
    }
    prefix-list iBGP-Peers {
        172.18.8.41/32;
    }
    policy-statement EbgpNeigh {
        term neighborAccept {
            from {
                protocol bgp;
                neighbor 1.253.0.1;
                route-filter 3.0.0.0/8 exact;
                route-filter 4.0.0.0/8 exact;
            }
            then accept;
        }
        term reject {
            then reject;
        }
    }
    policy-statement bgpExport {
        term rejectStatics {
            from protocol static;
            then reject;
        }
        term rejectConnected {
            from protocol direct;
            then reject;
        }
        term all {
            then accept;
        }
    }
    policy-statement defaultAggregate {
        term defaultRoute {
            from {
                protocol aggregate;
                route-filter 0.0.0.0/0 exact;
            }
            then accept;
        }
    }
    policy-statement localnetwork {
        term localNet {
            from {
                route-filter 1.2.0.0/29 exact;
                route-filter 1.3.0.0/29 exact;
                route-filter 1.2.0.8/29 exact;
            }
            then accept;
        }
        term rejectAll {
            then reject;
        }
    }
}

Edge Router Configuration – M-series B Edge Router

The M-series B edge router is configured with the following parameters:

routing-options {
    static {
        route 1.2.255.255/32 next-hop 1.254.0.1;
    }
    aggregate {
        route 0.0.0.0/0 policy EbgpNeigh;
        route 1.2.0.0/29;
        route 1.2.0.8/29;
    }
    router-id 172.18.8.41;
    autonomous-system 65010;
}
protocols {
    bgp {
        group Intra-65010 {
            type internal;
            local-address 172.18.8.41;
            export bgpExport;
            neighbor 172.18.8.40 {
                peer-as 65010;
            }
        }
        group ISPB {
            type external;
            local-address 1.254.0.2;
            export localnetwork;
            neighbor 1.254.0.1 {
                peer-as 65001;
            }
        }
    }
    ospf {
        export defaultAggregate;
        area 0.0.0.1 {
            interface lo0.0 {
                passive;
            }
            interface ge-0/0/0.0 {
                interface-type p2p;
                metric 10;
            }
            interface ge-0/0/2.0 {
                interface-type p2p;
                metric 10;
            }
            interface ge-0/0/1.0 {
                interface-type p2p;
                metric 1000;
            }
            interface ge-0/0/3.0 {
                interface-type p2p;
                metric 1000;
            }
            interface ge-1/3/0.0 {
                interface-type p2p;
                metric 1;
                bfd-liveness-detection {
                    minimum-interval 300;
                    multiplier 3;
                }
            }
            interface so-0/1/0.0 {
                passive;
            }
        }
    }
}
policy-options {
    prefix-list ISG-Loopbacks {
        1.2.0.6/32;
        1.2.0.7/32;
        1.3.0.6/32;
        1.3.0.7/32;
    }
    prefix-list eBGP-Peers {
        1.254.0.1/32;
    }
    prefix-list iBGP-Peers {
        172.18.8.40/32;
    }
    policy-statement EbgpNeigh {
        term neighborAccept {
            from {
                protocol bgp;
                neighbor 1.254.0.1;
                route-filter 3.0.0.0/8 exact;
                route-filter 4.0.0.0/8 exact;
            }
            then accept;
        }
        term reject {
            then reject;
        }
    }
    policy-statement bgpExport {
        term rejectStatics {
            from protocol static;
            then reject;
        }
        term rejectConnected {
            from protocol direct;
            then reject;
        }
        term all {
            then accept;
        }
    }
    policy-statement defaultAggregate {
        term defaultRoute {
            from {
                protocol aggregate;
                route-filter 0.0.0.0/0 exact;
            }
            then accept;
        }
    }
    policy-statement localnetwork {
        term localNet {
            from {
                route-filter 1.2.0.0/29 exact;
                route-filter 1.3.0.0/29 exact;
                route-filter 1.2.0.8/29 exact;
            }
            then accept;
        }
        term rejectAll {
            then reject;
        }
    }
}
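Both edge router listings tie the default route to the health of their own ISP session: `route 0.0.0.0/0 policy EbgpNeigh` makes the aggregate exist only while a route accepted by EbgpNeigh (3.0.0.0/8 or 4.0.0.0/8, learned by BGP from the eBGP neighbor) is present, and `defaultAggregate` exports only that aggregate into OSPF. The model below is an added example, not Juniper code or the page's configuration; it reproduces that policy logic in Python on constructed route tables for M-series A (peer 1.253.0.1).

```python
"""Model the conditional default route of the M-series edge routers on this
page: the 0.0.0.0/0 aggregate is active only while a contributing route
accepted by policy EbgpNeigh exists, and policy defaultAggregate exports
only that active aggregate into OSPF.

Added example, not Juniper code or the page's configuration: it reproduces
the relevant Junos policy semantics in plain Python on constructed tables."""
from dataclasses import dataclass, field
from ipaddress import IPv4Network
from typing import List, Optional

@dataclass
class Route:
    prefix: IPv4Network
    protocol: str                     # bgp, direct, static, aggregate, ...
    neighbor: Optional[str] = None    # BGP peer the route was learned from

@dataclass
class Term:
    """One policy term: every 'from' condition must hold; route-filters are OR'd."""
    accept: bool
    protocol: Optional[str] = None
    neighbor: Optional[str] = None
    route_filters: List[IPv4Network] = field(default_factory=list)  # 'exact' only

    def matches(self, r: Route) -> bool:
        if self.protocol and r.protocol != self.protocol:
            return False
        if self.neighbor and r.neighbor != self.neighbor:
            return False
        # the page uses only the 'exact' match type, so prefix equality is enough
        return not self.route_filters or r.prefix in self.route_filters

def evaluate(policy: List[Term], r: Route) -> bool:
    """First matching term decides; a route no term matches is rejected."""
    for t in policy:
        if t.matches(r):
            return t.accept
    return False

DEFAULT = IPv4Network('0.0.0.0/0')
# policy-statement EbgpNeigh from the M-series A listing (eBGP peer 1.253.0.1)
EBGP_NEIGH = [
    Term(accept=True, protocol='bgp', neighbor='1.253.0.1',
         route_filters=[IPv4Network('3.0.0.0/8'), IPv4Network('4.0.0.0/8')]),
    Term(accept=False),               # term reject
]
# policy-statement defaultAggregate, applied as the OSPF export policy
DEFAULT_AGGREGATE = [
    Term(accept=True, protocol='aggregate', route_filters=[DEFAULT]),
]

def aggregate_active(table: List[Route], policy: List[Term]) -> bool:
    """'route 0.0.0.0/0 policy EbgpNeigh': the aggregate exists only while
    some more-specific route in the table is accepted as a contributor."""
    return any(r.prefix != DEFAULT and evaluate(policy, r) for r in table)

def ospf_exports(table: List[Route]) -> List[str]:
    """Prefixes the edge router would export into OSPF via defaultAggregate."""
    routes = list(table)
    if aggregate_active(table, EBGP_NEIGH):
        routes.append(Route(DEFAULT, 'aggregate'))
    return [str(r.prefix) for r in routes if evaluate(DEFAULT_AGGREGATE, r)]

# Constructed route tables for M-series A.
PEER_UP = [                           # ISP C session up, 3/8 learned from it
    Route(IPv4Network('172.18.8.40/32'), 'direct'),
    Route(IPv4Network('3.0.0.0/8'), 'bgp', neighbor='1.253.0.1'),
    Route(IPv4Network('3.1.0.0/16'), 'bgp', neighbor='1.253.0.1'),  # not exact
]
PEER_DOWN = [                         # only the iBGP copy of 3/8 remains
    Route(IPv4Network('172.18.8.40/32'), 'direct'),
    Route(IPv4Network('3.0.0.0/8'), 'bgp', neighbor='172.18.8.41'),
]
```

With the ISP session up `ospf_exports(PEER_UP)` yields `['0.0.0.0/0']`; once only the iBGP-learned copy of 3.0.0.0/8 remains, the neighbor condition fails and nothing is exported, so the data center stops preferring this router for Internet traffic.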

Glossary

BGP Border Gateway Protocol

DIP Dynamic IP

DMZ Demilitarized Zone

DRP Dynamic Routing Protocol

HA High Availability

IDP Intrusion Detection and Prevention

IPSec Internet Protocol Security

ISDN Integrated Services Digital Network

ISG Integrated Services Gateway

LSA Link State Advertisement

MGT Management Interface

MIP Managed Internet Protocol (IP)

MPLS Multi Protocol Label Switching

NAT Network Address Translation

NOC Network Operations Center

NSM NetScreen Security Manager

NSRP NetScreen Redundancy Protocol

OSPF Open Shortest Path First

PIC Physical Interface Card

RIP Routing Information Protocol

SMTP Simple Mail Transfer Protocol

SPF Shortest Path First or Sender Policy Framework

SSG Secure Services Gateway

VPN Virtual Private Network

VR Virtual Routing (or Router)

VSD Virtual Security Device

VSI Virtual Security Interface

WAN Wide Area Network

About Juniper Networks

Juniper Networks, Inc. is the leader in high-performance networking. Juniper offers a high-performance network infrastructure that creates a responsive and trusted environment for accelerating the deployment of services and applications over a single network. This fuels high-performance businesses. Additional information can be found at www.juniper.net.

Copyright 2007 Juniper Networks, Inc. All rights reserved. Juniper Networks, the Juniper Networks logo, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. JUNOS and JUNOSe are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

CORPORATE HEADQUARTERS AND SALES HEADQUARTERS FOR NORTH AND SOUTH AMERICA
Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, CA 94089 USA Phone: 888.JUNIPER (888.586.4737) or 408.745.2000 Fax: 408.745.2100 www.juniper.net

EAST COAST OFFICE
Juniper Networks, Inc. 10 Technology Park Drive Westford, MA 01886-3146 USA Phone: 978.589.5800 Fax: 978.589.0800

ASIA PACIFIC REGIONAL SALES HEADQUARTERS
Juniper Networks (Hong Kong) Ltd. 26/F, Cityplaza One 1111 King’s Road Taikoo Shing, Hong Kong Phone: 852.2332.3636 Fax: 852.2574.7803

EUROPE, MIDDLE EAST, AFRICA REGIONAL SALES HEADQUARTERS
Juniper Networks (UK) Limited Building 1 Aviator Park Station Road Addlestone Surrey, KT15 2PG, U.K. Phone: 44.(0).1372.385500 Fax: 44.(0).1372.385501

To purchase Juniper Networks solutions, please contact your Juniper Networks sales representative at 1-866-298-6428 or an authorized reseller.