Tuesday, April 21, 2015

Basic BGP Configuration on a Juniper Device (SRX100)

DNS configuration 

set system name-server 202.83.21.12
set system name-server 202.83.20.102



Policy statements (the Junos equivalent of the Cisco network command)
------------------------

We are advertising the 103.42.115.0/24 and 103.50.32.0/23 subnets to the outside world (the Internet). Junos has no network command; an export policy applied to the BGP group decides which routes from the routing table are sent to the peer. Term t1 accepts the two prefixes, and only when they are present as direct (connected) routes; term t2 rejects routes learned via BGP so that nothing received from a peer is re-advertised. Routes that match no term fall to the default BGP export policy, which advertises active BGP routes only, so the static default route and the ISP link subnet are never advertised.

set policy-options policy-statement export_Network term t1 from protocol direct
set policy-options policy-statement export_Network term t1 from route-filter 103.42.115.0/24 exact
set policy-options policy-statement export_Network term t1 from route-filter 103.50.32.0/23 exact
set policy-options policy-statement export_Network term t1 then accept
set policy-options policy-statement export_Network term t2 from protocol bgp
set policy-options policy-statement export_Network term t2 then reject


set policy-options policy-statement Import_Network term t1 from protocol bgp
set policy-options policy-statement Import_Network term t1 then next-hop self
set policy-options policy-statement Import_Network term t1 then accept

(Policy names cannot contain spaces, and the action is written "next-hop self", not "next-hop-self". next-hop self rewrites the BGP next hop to the local session address; it is most often applied on export towards iBGP peers so that they can reach prefixes learned from an eBGP neighbor.)






BGP

router bgp 133668 (Cisco command)
network 103.42.115.0 mask 255.255.255.0 (Cisco command)


set routing-options autonomous-system 133668
set protocols bgp group ISP_PEER type internal (BGP session type; peer-as equals the local AS, so this is an iBGP session)
set protocols bgp group ISP_PEER export export_Network (like a route-map in Cisco: Junos has no network command, so export and import policies decide which subnets are advertised and accepted)
set protocols bgp group ISP_PEER import Import_Network
set protocols bgp group ISP_PEER peer-as 133668 (iBGP peer)
set protocols bgp group ISP_PEER neighbor 106.51.230.137 (BGP peer)

(A session to a provider should also carry an authentication-key under the group so that the TCP session is MD5-authenticated; without it anyone who can reach the peering link can attempt to spoof the session.)
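To make the policy semantics concrete, here is a small Python simulator (an added example, not Junos code and not part of the original post) that applies the export_Network policy above to a constructed routing table. It models only what that policy uses: from protocol, from route-filter with exact/orlonger/longer, accept/reject, and the Junos default BGP export action. The route and policy data structures are this example's own invention.

```python
"""Simulate Junos export-policy evaluation for the export_Network policy.

Added example, not the author's configuration or Junos code.  The policy
and route representations are invented for this example; the prefixes in
ROUTES are constructed from the addresses used in the post."""
import ipaddress

# A policy is an ordered list of terms.  A term matches when every 'from'
# condition holds; accept/reject are terminating actions.
EXPORT_NETWORK = [
    {"name": "t1",
     "from": {"protocol": "direct",
              "route-filter": [("103.42.115.0/24", "exact"),
                               ("103.50.32.0/23", "exact")]},
     "then": "accept"},
    {"name": "t2", "from": {"protocol": "bgp"}, "then": "reject"},
]


def route_filter_ok(route_prefix, filters):
    """Junos route-filter semantics: of the filter prefixes that contain the
    route, only the longest one is tested, using that entry's match type."""
    pfx = ipaddress.ip_network(route_prefix)
    nets = [(ipaddress.ip_network(f), t) for f, t in filters]
    containing = [(n, t) for n, t in nets
                  if n.version == pfx.version and pfx.subnet_of(n)]
    if not containing:
        return False
    filt, match_type = max(containing, key=lambda ft: ft[0].prefixlen)
    if match_type == "exact":
        return pfx.prefixlen == filt.prefixlen
    if match_type == "orlonger":
        return True                       # already known to lie inside filt
    if match_type == "longer":
        return pfx.prefixlen > filt.prefixlen
    raise ValueError(f"unsupported match type {match_type}")


def term_matches(term, route):
    cond = term.get("from", {})
    if "protocol" in cond and route["protocol"] != cond["protocol"]:
        return False
    if "route-filter" in cond and not route_filter_ok(route["prefix"], cond["route-filter"]):
        return False
    return True


def bgp_export_allows(policy, route):
    """The first matching term with accept/reject decides.  If no term
    decides, the Junos default BGP export policy applies: advertise active
    BGP routes only, nothing else."""
    for term in policy:
        if term_matches(term, route):
            if term["then"] == "accept":
                return True
            if term["then"] == "reject":
                return False
            # a 'next term' action would fall through to the next term here
    return route["protocol"] == "bgp"


def advertised(policy, routes):
    """Prefixes the policy lets out to the peer, in routing-table order."""
    return [r["prefix"] for r in routes if bgp_export_allows(policy, r)]


# Constructed routing table for the SRX in the post.
ROUTES = [
    {"prefix": "103.42.115.0/24",   "protocol": "direct"},
    {"prefix": "103.50.32.0/23",    "protocol": "direct"},
    {"prefix": "103.50.32.0/24",    "protocol": "direct"},  # more specific: 'exact' does not match
    {"prefix": "106.51.230.136/30", "protocol": "direct"},  # ISP link subnet, not listed
    {"prefix": "0.0.0.0/0",         "protocol": "static"},  # the static default from the post
    {"prefix": "8.8.8.0/24",        "protocol": "bgp"},     # learned from the BGP peer
]

if __name__ == "__main__":
    print("with t2   :", advertised(EXPORT_NETWORK, ROUTES))
    print("without t2:", advertised(EXPORT_NETWORK[:1], ROUTES))
```

With t2 in place the router advertises exactly 103.42.115.0/24 and 103.50.32.0/23. Remove t2 and the BGP-learned 8.8.8.0/24 is no longer rejected: the default export policy accepts it, which is the mechanism behind accidental route leaks on routers whose export policy has no final reject.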



Default route command
----------------------

set routing-options static route 0.0.0.0/0 next-hop 106.51.230.137 (default route)


Interface configuration
----------------------------------


set interfaces ge-0/0/0 unit 0
set interfaces ge-0/0/1 description "****Connected To ISP ****"
set interfaces ge-0/0/1 per-unit-scheduler
set interfaces ge-0/0/1 unit 0 family inet address 106.51.230.138/30 (IP address assigned to interface)



Security zone configuration in SRX

The policies below permit everything from trust to untrust and from trust to trust (any source, any destination, any application), and the trust zone accepts every system service and routing protocol on its interfaces. Two things to check before relying on this: the interface facing the ISP (ge-0/0/1.0) must be assigned to a zone (set security zones security-zone <zone> interfaces ge-0/0/1.0) whose host-inbound-traffic allows protocols bgp, otherwise the SRX discards the TCP/179 session before the routing process ever sees it; and on an Internet-facing zone list only the services and protocols actually needed (for example ssh, ping and bgp) rather than all. Any/any/any permit policies are acceptable in a lab, not on a production edge.

set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
set security policies from-zone trust to-zone trust policy trust-to-trust match source-address any
set security policies from-zone trust to-zone trust policy trust-to-trust match destination-address any
set security policies from-zone trust to-zone trust policy trust-to-trust match application any
set security policies from-zone trust to-zone trust policy trust-to-trust then permit
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all




Show commands for verification
----------------------------------

show bgp summary (session state and prefix counts per peer)

show bgp neighbor (detailed peer state, including the import and export policies in effect)

clear bgp neighbor 106.51.230.137 (tears the session down; clear bgp neighbor soft re-applies policy without resetting it)

show route table inet.0 (the table name is required)

show interfaces terse
show security zones

To confirm that only the two intended prefixes leave the router, check the advertised routes with show route advertising-protocol bgp 106.51.230.137 and the received ones with show route receive-protocol bgp 106.51.230.137.

Friday, April 10, 2015

Power shutdown process for MX and EX devices


1. For the MX480 and EX switches, take a backup of the configuration in both formats:

show configuration | display set
show configuration


2. For the MX480 and EX switches, take a backup of the Junos software. Record the installed package with show system software; the install package is normally kept under /var/tmp/ and can be copied off the box with WinSCP (SCP).

show system software


3. For the MX480 and EX switches, take a snapshot (request system snapshot) and then shut the devices down gracefully:

request system power-off (MX480) or request system halt

On the external management device connected to the Routing Engine, issue the request system halt both-routing-engines operational mode command. The command shuts down the Routing Engines cleanly, so their state information is preserved. (If the router contains only one Routing Engine, issue the request system halt command.)

              user@host> request system halt both-routing-engines

Wait until a message appears on the console confirming that the operating system has halted.


4. Attach an ESD grounding strap to your bare wrist and connect the strap to one of the ESD points on the chassis.


5. Move the AC input switch on each AC power supply, or the DC circuit breaker on each DC power supply, to the off (O) position.









Thursday, April 2, 2015

Case study / proof of concept for MPLS/IPsec/BGP on a Juniper SRX240 (8-port Ethernet)




Case study: the client's requirement was DMVPN, but Juniper does not support DMVPN (a Cisco technology), so I configured IPsec tunnels (st0 interfaces) with BGP running over them, one tunnel and one VRF per traffic class (DATA, VOIP, VDO).

Both configurations below are complete dumps and include the root password hash ($1$, MD5-crypt) and the IKE pre-shared key in Junos $9$ form. $9$ is reversible obfuscation, not a hash, so anyone holding the dump holds the key; treat both as disclosed and do not reuse them. The dumps also enable telnet, xnm-clear-text and http management, use sha1 and DH group2 for IKE phase 1, permit any/any/any between zones and set default-policy permit-all. That is workable for a proof of concept but should be tightened before production.





Bangalore router configuration

root@ASR-POC-BLR>
root@ASR-POC-BLR> show configuration | display set | no-more
set version 12.1X44.3
set system host-name ASR-POC-BLR
set system root-authentication encrypted-password "$1$hoZBA2FZ$42.mWXY0yAmlCOfNUZmYg."
set system services ssh
set system services telnet
set system services xnm-clear-text
set system services web-management http interface vlan.0
set system services web-management https system-generated-certificate
set system services web-management https interface vlan.0
set system syslog archive size 100k
set system syslog archive files 3
set system syslog user * any emergency
set system syslog file messages any critical
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands error
set system max-configurations-on-flash 5
set system max-configuration-rollbacks 5
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set interfaces ge-0/0/0 unit 0
set interfaces ge-0/0/1 description "****Connected To BSNL ****"
set interfaces ge-0/0/1 per-unit-scheduler
set interfaces ge-0/0/1 unit 0 family inet filter input packet-mode
set interfaces ge-0/0/1 unit 0 family inet address 10.240.41.21/30
set interfaces ge-0/0/2 description "***** connected to reliances"
set interfaces ge-0/0/2 per-unit-scheduler
set interfaces ge-0/0/2 unit 0 family inet filter input packet-mode
deactivate interfaces ge-0/0/2 unit 0 family inet filter
set interfaces ge-0/0/2 unit 0 family inet address 10.240.45.21/30
set interfaces ge-0/0/3 per-unit-scheduler
set interfaces ge-0/0/3 vlan-tagging
set interfaces ge-0/0/3 unit 0 vlan-id 0
set interfaces ge-0/0/3 unit 61 description "***** Video vrf*****"
set interfaces ge-0/0/3 unit 61 vlan-id 61
set interfaces ge-0/0/3 unit 61 family inet address 10.240.46.2/30
set interfaces ge-0/0/3 unit 62 description "******VOIP traffic*****"
set interfaces ge-0/0/3 unit 62 vlan-id 62
set interfaces ge-0/0/3 unit 62 family inet address 10.240.46.6/30
set interfaces ge-0/0/3 unit 63 description "******DATA TRAFFIC*****"
set interfaces ge-0/0/3 unit 63 vlan-id 63
set interfaces ge-0/0/3 unit 63 family inet address 10.240.46.10/30
set interfaces ge-0/0/6 unit 0 family inet address 10.240.45.217/30
set interfaces lo0 unit 0 family inet address 10.240.45.100/32
set interfaces lo0 unit 61 family inet address 10.240.45.101/32
set interfaces lo0 unit 62 family inet address 10.240.45.102/32
set interfaces lo0 unit 63 family inet address 10.240.45.103/32
set interfaces st0 unit 61 family inet mtu 1400
set interfaces st0 unit 61 family inet address 10.240.45.61/30
set interfaces st0 unit 62 family inet mtu 1400
set interfaces st0 unit 62 family inet address 10.240.45.65/30
set interfaces st0 unit 63 family inet mtu 1400
set interfaces st0 unit 63 family inet address 10.240.45.69/30
set interfaces st0 unit 610 family inet mtu 1400
set interfaces st0 unit 610 family inet address 10.240.45.161/30
set interfaces st0 unit 620 family inet mtu 1400
set interfaces st0 unit 620 family inet address 10.240.45.165/30
set interfaces st0 unit 630 family inet mtu 1400
set interfaces st0 unit 630 family inet address 10.240.45.169/30
set routing-options autonomous-system 65010
set protocols bgp path-selection cisco-non-deterministic
set protocols bgp traceoptions file bgp_trace
set protocols bgp traceoptions flag normal
set protocols bgp log-updown
set protocols bgp group BSNL_ISP_PEER type external
set protocols bgp group BSNL_ISP_PEER export export_lo0
set protocols bgp group BSNL_ISP_PEER peer-as 9829
set protocols bgp group BSNL_ISP_PEER neighbor 10.240.41.22
set protocols bgp group RIL_ISP_PEER type external
set protocols bgp group RIL_ISP_PEER export export_lo0
set protocols bgp group RIL_ISP_PEER peer-as 18101
set protocols bgp group RIL_ISP_PEER neighbor 10.240.45.22
set protocols bgp group AIRTEL_ISP_PEER type external
set protocols bgp group AIRTEL_ISP_PEER export export_lo0
set protocols bgp group AIRTEL_ISP_PEER peer-as 9498
set protocols bgp group AIRTEL_ISP_PEER neighbor 10.240.45.218
set protocols stp
set policy-options policy-statement AS_PATH_BLOCK term accept-term from as-path AS_PATH_BLOCK-accept
set policy-options policy-statement AS_PATH_BLOCK term accept-term then accept
set policy-options policy-statement AS_PATH_BLOCK term reject-term from as-path AS_PATH_BLOCK-reject
set policy-options policy-statement AS_PATH_BLOCK term reject-term then reject
set policy-options policy-statement AS_PATH_BLOCK term ios-implicit-deny then reject
set policy-options policy-statement DATA_Export term Export from protocol direct
set policy-options policy-statement DATA_Export term Export then community add RT-DATA-Export
set policy-options policy-statement DATA_Export term Export then accept
set policy-options policy-statement DATA_Export term Reject then reject
set policy-options policy-statement DELETE_AS_PATH term strip-communities then community delete all
set policy-options policy-statement DELETE_AS_PATH term strip-communities then next term
set policy-options policy-statement DELETE_AS_PATH term explicit-default-action then next policy
set policy-options policy-statement Data_Import term Import from protocol bgp
set policy-options policy-statement Data_Import term Import from community RT-DATA-Export
set policy-options policy-statement Data_Import term Import from community RT-DATA-Import
set policy-options policy-statement Data_Import term Import then accept
set policy-options policy-statement Data_Import term Reject then reject
set policy-options policy-statement ISP_OUT_FILTER term T1 from route-filter 10.240.45.21/30 exact
set policy-options policy-statement ISP_OUT_FILTER term T1 from route-filter 10.240.45.13/30 exact
set policy-options policy-statement ISP_OUT_FILTER term T1 from route-filter 10.240.45.6/30 exact
set policy-options policy-statement ISP_OUT_FILTER term T1 from route-filter 10.240.41.21/30 exact
set policy-options policy-statement ISP_OUT_FILTER term T1 from route-filter 10.240.41.13/30 exact
set policy-options policy-statement ISP_OUT_FILTER term T1 from route-filter 10.240.41.6/30 exact
set policy-options policy-statement ISP_OUT_FILTER term T1 then accept
set policy-options policy-statement ISP_OUT_FILTER term ios-implicit-deny then reject
set policy-options policy-statement VDO_Export term Export from protocol direct
set policy-options policy-statement VDO_Export term Export then community add RT-VDO-Export
set policy-options policy-statement VDO_Export term Export then accept
set policy-options policy-statement VDO_Export term Reject then reject
set policy-options policy-statement VDO_Import term Import from protocol bgp
set policy-options policy-statement VDO_Import term Import from community RT-VDO-Export
set policy-options policy-statement VDO_Import term Import from community RT-VDO-Import
set policy-options policy-statement VDO_Import term Import then accept
set policy-options policy-statement VDO_Import term Reject then reject
set policy-options policy-statement VOIP_Export term Export from protocol direct
set policy-options policy-statement VOIP_Export term Export then community add RT-VOIP-Export
set policy-options policy-statement VOIP_Export term Export then accept
set policy-options policy-statement VOIP_Export term Reject then reject
set policy-options policy-statement VOIP_Import term Import from protocol bgp
set policy-options policy-statement VOIP_Import term Import from community RT-VOIP-Export
set policy-options policy-statement VOIP_Import term Import from community RT-VOIP-Import
set policy-options policy-statement VOIP_Import term Import then accept
set policy-options policy-statement VOIP_Import term Reject then reject
set policy-options policy-statement export_lo0 term t1 from protocol direct
set policy-options policy-statement export_lo0 term t1 from route-filter 10.240.45.100/32 exact
set policy-options policy-statement export_lo0 term t1 then accept
set policy-options policy-statement export_lo0 term t2 from protocol bgp
set policy-options policy-statement export_lo0 term t2 then reject
set policy-options policy-statement ri_export then accept
set policy-options community RT-DATA-Export members target:65010:68
set policy-options community RT-DATA-Import members target:65010:68
set policy-options community RT-VDO-Export members target:65010:103
set policy-options community RT-VDO-Import members target:65010:103
set policy-options community RT-VOIP-Export members target:65010:101
set policy-options community RT-VOIP-Import members target:65010:101
set policy-options community all members *:*
set policy-options as-path AS_PATH_BLOCK-accept ".*(65010|9829|18101).*"
set policy-options as-path AS_PATH_BLOCK-reject .*
set class-of-service classifiers dscp dscp-class forwarding-class NC loss-priority high code-points dscp-cs7
set class-of-service classifiers dscp dscp-class forwarding-class NC loss-priority low code-points dscp-cs6
set class-of-service classifiers dscp dscp-class forwarding-class VIDEO loss-priority low code-points dscp-af11
set class-of-service classifiers dscp dscp-class forwarding-class VIDEO loss-priority high code-points dscp-af12
set class-of-service classifiers dscp dscp-class forwarding-class VOIP loss-priority low code-points dscp-ef
set class-of-service classifiers dscp dscp-class forwarding-class DATA loss-priority high code-points dscp-be
set class-of-service code-point-aliases dscp dscp-cs6 110000
set class-of-service code-point-aliases dscp dscp-ef 101110
set class-of-service code-point-aliases dscp dscp-af11 001010
set class-of-service code-point-aliases dscp dscp-be 000000
set class-of-service code-point-aliases dscp dscp-af12 001100
set class-of-service code-point-aliases dscp dscp-cs7 111000
set class-of-service drop-profiles SIG-Tail-Drop fill-level 100 drop-probability 100
set class-of-service drop-profiles BG-RED-Drop interpolate fill-level 70
set class-of-service drop-profiles BG-RED-Drop interpolate fill-level 80
set class-of-service drop-profiles BG-RED-Drop interpolate fill-level 90
set class-of-service drop-profiles BG-RED-Drop interpolate drop-probability 0
set class-of-service drop-profiles BG-RED-Drop interpolate drop-probability 25
set class-of-service drop-profiles BG-RED-Drop interpolate drop-probability 100
set class-of-service drop-profiles low-drop interpolate fill-level 75
set class-of-service drop-profiles low-drop interpolate fill-level 95
set class-of-service drop-profiles low-drop interpolate drop-probability 10
set class-of-service drop-profiles low-drop interpolate drop-probability 40
set class-of-service drop-profiles high-drop interpolate fill-level 25
set class-of-service drop-profiles high-drop interpolate fill-level 50
set class-of-service drop-profiles high-drop interpolate drop-probability 50
set class-of-service drop-profiles high-drop interpolate drop-probability 90
set class-of-service forwarding-classes queue 0 DATA
set class-of-service forwarding-classes queue 1 VOIP
set class-of-service forwarding-classes queue 2 VIDEO
set class-of-service forwarding-classes queue 3 NC
set class-of-service interfaces ge-0/0/1 unit 0 scheduler-map s_map
set class-of-service interfaces ge-0/0/1 unit 0 classifiers dscp dscp-class
set class-of-service interfaces ge-0/0/1 unit 0 rewrite-rules dscp dscp-rewrite
set class-of-service interfaces ge-0/0/2 unit 0 scheduler-map s_map
set class-of-service interfaces ge-0/0/2 unit 0 classifiers dscp dscp-class
set class-of-service interfaces ge-0/0/2 unit 0 rewrite-rules dscp dscp-rewrite
set class-of-service interfaces ge-0/0/3 unit 0 forwarding-class VIDEO
set class-of-service interfaces ge-0/0/3 unit 0 scheduler-map s_map
set class-of-service interfaces ge-0/0/3 unit 0 rewrite-rules dscp dscp-rewrite
set class-of-service interfaces ge-0/0/4 unit 0 forwarding-class VOIP
set class-of-service interfaces ge-0/0/4 unit 0 scheduler-map s_map
set class-of-service interfaces ge-0/0/4 unit 0 rewrite-rules dscp dscp-rewrite
set class-of-service interfaces ge-0/0/5 unit 0 forwarding-class DATA
set class-of-service interfaces ge-0/0/5 unit 0 scheduler-map s_map
set class-of-service interfaces ge-0/0/5 unit 0 rewrite-rules dscp dscp-rewrite
set class-of-service rewrite-rules dscp dscp-rewrite forwarding-class NC loss-priority high code-point dscp-cs7
set class-of-service rewrite-rules dscp dscp-rewrite forwarding-class NC loss-priority low code-point dscp-cs6
set class-of-service rewrite-rules dscp dscp-rewrite forwarding-class VOIP loss-priority low code-point dscp-ef
set class-of-service rewrite-rules dscp dscp-rewrite forwarding-class VIDEO loss-priority low code-point dscp-af11
set class-of-service rewrite-rules dscp dscp-rewrite forwarding-class DATA loss-priority high code-point dscp-be
set class-of-service scheduler-maps s_map forwarding-class DATA scheduler DATA
set class-of-service scheduler-maps s_map forwarding-class NC scheduler NC
set class-of-service scheduler-maps s_map forwarding-class VIDEO scheduler VIDEO
set class-of-service scheduler-maps s_map forwarding-class VOIP scheduler VOIP
set class-of-service schedulers DATA transmit-rate percent 19
set class-of-service schedulers DATA buffer-size percent 19
set class-of-service schedulers VIDEO transmit-rate percent 40
set class-of-service schedulers VIDEO buffer-size percent 40
set class-of-service schedulers VIDEO priority high
set class-of-service schedulers VOIP transmit-rate percent 40
set class-of-service schedulers VOIP buffer-size percent 40
set class-of-service schedulers VOIP priority high
set class-of-service schedulers NC transmit-rate percent 1
set class-of-service schedulers NC buffer-size percent 1
set class-of-service schedulers NC priority high
set security ike traceoptions file ike.trace
set security ike traceoptions flag all
set security ike proposal ike-phase1-proposal authentication-method pre-shared-keys
set security ike proposal ike-phase1-proposal dh-group group2
set security ike proposal ike-phase1-proposal authentication-algorithm sha1
set security ike proposal ike-phase1-proposal encryption-algorithm aes-128-cbc
set security ike policy ike-phase1-policy mode main
set security ike policy ike-phase1-policy proposals ike-phase1-proposal
set security ike policy ike-phase1-policy pre-shared-key ascii-text "$9$uaI5BRSvWxwYoreYoJGq.0BIEreM8X-bs"
set security ike gateway gw-MYSORE ike-policy ike-phase1-policy
set security ike gateway gw-MYSORE address 10.240.45.110
set security ike gateway gw-MYSORE dead-peer-detection interval 10
set security ike gateway gw-MYSORE dead-peer-detection threshold 2
set security ike gateway gw-MYSORE external-interface lo0.0
set security ike gateway gw-RAMANAGAR ike-policy ike-phase1-policy
set security ike gateway gw-RAMANAGAR address 10.240.45.120
set security ike gateway gw-RAMANAGAR dead-peer-detection interval 10
set security ike gateway gw-RAMANAGAR dead-peer-detection threshold 2
set security ike gateway gw-RAMANAGAR external-interface lo0.0
set security ipsec proposal ipsec-phase2-proposal protocol esp
set security ipsec proposal ipsec-phase2-proposal authentication-algorithm hmac-sha1-96
set security ipsec proposal ipsec-phase2-proposal encryption-algorithm aes-128-cbc
set security ipsec policy ipsec-phase2-policy perfect-forward-secrecy keys group2
set security ipsec policy ipsec-phase2-policy proposals ipsec-phase2-proposal
set security ipsec vpn MYSORE-data bind-interface st0.63
set security ipsec vpn MYSORE-data df-bit clear
set security ipsec vpn MYSORE-data vpn-monitor
set security ipsec vpn MYSORE-data ike gateway gw-MYSORE
set security ipsec vpn MYSORE-data ike proxy-identity local 10.240.45.69/32
set security ipsec vpn MYSORE-data ike proxy-identity remote 10.240.45.70/32
set security ipsec vpn MYSORE-data ike ipsec-policy ipsec-phase2-policy
set security ipsec vpn MYSORE-data establish-tunnels immediately
set security ipsec vpn MYSORE-VDO bind-interface st0.61
set security ipsec vpn MYSORE-VDO df-bit clear
set security ipsec vpn MYSORE-VDO vpn-monitor
set security ipsec vpn MYSORE-VDO ike gateway gw-MYSORE
set security ipsec vpn MYSORE-VDO ike proxy-identity local 10.240.45.61/32
set security ipsec vpn MYSORE-VDO ike proxy-identity remote 10.240.45.62/32
set security ipsec vpn MYSORE-VDO ike ipsec-policy ipsec-phase2-policy
set security ipsec vpn MYSORE-VDO establish-tunnels immediately
set security ipsec vpn MYSORE-VOIP bind-interface st0.62
set security ipsec vpn MYSORE-VOIP df-bit clear
set security ipsec vpn MYSORE-VOIP vpn-monitor
set security ipsec vpn MYSORE-VOIP ike gateway gw-MYSORE
set security ipsec vpn MYSORE-VOIP ike proxy-identity local 10.240.45.65/32
set security ipsec vpn MYSORE-VOIP ike proxy-identity remote 10.240.45.66/32
set security ipsec vpn MYSORE-VOIP ike ipsec-policy ipsec-phase2-policy
set security ipsec vpn MYSORE-VOIP establish-tunnels immediately
set security ipsec vpn RAMANAGAR-data bind-interface st0.630
set security ipsec vpn RAMANAGAR-data df-bit clear
set security ipsec vpn RAMANAGAR-data vpn-monitor
set security ipsec vpn RAMANAGAR-data ike gateway gw-RAMANAGAR
set security ipsec vpn RAMANAGAR-data ike proxy-identity local 10.240.45.169/32
set security ipsec vpn RAMANAGAR-data ike proxy-identity remote 10.240.45.170/32
set security ipsec vpn RAMANAGAR-data ike ipsec-policy ipsec-phase2-policy
set security ipsec vpn RAMANAGAR-data establish-tunnels immediately
set security ipsec vpn RAMANAGAR-VDO bind-interface st0.610
set security ipsec vpn RAMANAGAR-VDO df-bit clear
set security ipsec vpn RAMANAGAR-VDO vpn-monitor
set security ipsec vpn RAMANAGAR-VDO ike gateway gw-RAMANAGAR
set security ipsec vpn RAMANAGAR-VDO ike proxy-identity local 10.240.45.161/32
set security ipsec vpn RAMANAGAR-VDO ike proxy-identity remote 10.240.45.162/32
set security ipsec vpn RAMANAGAR-VDO ike ipsec-policy ipsec-phase2-policy
set security ipsec vpn RAMANAGAR-VDO establish-tunnels immediately
set security ipsec vpn RAMANAGAR-VOIP bind-interface st0.620
set security ipsec vpn RAMANAGAR-VOIP df-bit clear
set security ipsec vpn RAMANAGAR-VOIP vpn-monitor
set security ipsec vpn RAMANAGAR-VOIP ike gateway gw-RAMANAGAR
set security ipsec vpn RAMANAGAR-VOIP ike proxy-identity local 10.240.45.165/32
set security ipsec vpn RAMANAGAR-VOIP ike proxy-identity remote 10.240.45.166/32
set security ipsec vpn RAMANAGAR-VOIP ike ipsec-policy ipsec-phase2-policy
set security ipsec vpn RAMANAGAR-VOIP establish-tunnels immediately
set security alg sql disable
set security flow tcp-mss all-tcp mss 1436
set security flow tcp-mss ipsec-vpn mss 1380
set security policies from-zone trust to-zone trust policy permit-all match source-address any
set security policies from-zone trust to-zone trust policy permit-all match destination-address any
set security policies from-zone trust to-zone trust policy permit-all match application any
set security policies from-zone trust to-zone trust policy permit-all then permit
set security policies from-zone trust to-zone DATA policy all match source-address any
set security policies from-zone trust to-zone DATA policy all match destination-address any
set security policies from-zone trust to-zone DATA policy all match application any
set security policies from-zone trust to-zone DATA policy all then permit
set security policies from-zone trust to-zone VOIP policy all match source-address any
set security policies from-zone trust to-zone VOIP policy all match destination-address any
set security policies from-zone trust to-zone VOIP policy all match application any
set security policies from-zone trust to-zone VOIP policy all then permit
set security policies from-zone trust to-zone VIDEO policy all match source-address any
set security policies from-zone trust to-zone VIDEO policy all match destination-address any
set security policies from-zone trust to-zone VIDEO policy all match application any
set security policies from-zone trust to-zone VIDEO policy all then permit
set security policies default-policy permit-all
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone trust interfaces ge-0/0/2.0
set security zones security-zone trust interfaces lo0.0
set security zones security-zone DATA host-inbound-traffic system-services all
set security zones security-zone DATA host-inbound-traffic protocols all
set security zones security-zone DATA interfaces ge-0/0/3.63
set security zones security-zone DATA interfaces lo0.63
set security zones security-zone DATA interfaces st0.63
set security zones security-zone DATA interfaces st0.630
set security zones security-zone VOIP host-inbound-traffic system-services all
set security zones security-zone VOIP host-inbound-traffic protocols all
set security zones security-zone VOIP interfaces ge-0/0/3.62
set security zones security-zone VOIP interfaces lo0.62
set security zones security-zone VOIP interfaces st0.62
set security zones security-zone VOIP interfaces st0.620
set security zones security-zone VIDEO host-inbound-traffic system-services all
set security zones security-zone VIDEO host-inbound-traffic protocols all
set security zones security-zone VIDEO interfaces ge-0/0/3.61
set security zones security-zone VIDEO interfaces lo0.61
set security zones security-zone VIDEO interfaces st0.61
set security zones security-zone VIDEO interfaces st0.610
set firewall family inet filter packet-mode term t1 from source-address 10.240.45.108/32
set firewall family inet filter packet-mode term t1 from destination-address 10.240.45.110/32
set firewall family inet filter packet-mode term t1 then packet-mode
set firewall family inet filter packet-mode term t1 then accept
set firewall family inet filter packet-mode term t1-rev from source-address 10.240.45.110/32
set firewall family inet filter packet-mode term t1-rev from destination-address 10.240.45.108/32
set firewall family inet filter packet-mode term t1-rev then packet-mode
set firewall family inet filter packet-mode term t1-rev then accept
set firewall family inet filter packet-mode term t2 from source-address 10.240.45.103/32
set firewall family inet filter packet-mode term t2 from destination-address 10.240.45.101/32
set firewall family inet filter packet-mode term t2 then packet-mode
set firewall family inet filter packet-mode term t2 then accept
set firewall family inet filter packet-mode term t2-rev from source-address 10.240.45.101/32
set firewall family inet filter packet-mode term t2-rev from destination-address 10.240.45.103/32
set firewall family inet filter packet-mode term t2-rev then packet-mode
set firewall family inet filter packet-mode term t2-rev then accept
set firewall family inet filter packet-mode term t3 from source-address 10.240.45.104/32
set firewall family inet filter packet-mode term t3 from destination-address 10.240.45.102/32
set firewall family inet filter packet-mode term t3 then packet-mode
set firewall family inet filter packet-mode term t3 then accept
set firewall family inet filter packet-mode term t3-rev from source-address 10.240.45.102/32
set firewall family inet filter packet-mode term t3-rev from destination-address 10.240.45.104/32
set firewall family inet filter packet-mode term t3-rev then packet-mode
set firewall family inet filter packet-mode term t3-rev then accept
set routing-instances DATA description For-data-traffic
set routing-instances DATA instance-type vrf
set routing-instances DATA interface ge-0/0/3.63
set routing-instances DATA interface lo0.63
set routing-instances DATA interface st0.63
set routing-instances DATA interface st0.630
set routing-instances DATA route-distinguisher 65010:68
set routing-instances DATA vrf-import Data_Import
set routing-instances DATA vrf-export DATA_Export
set routing-instances DATA vrf-target target:65010:68
set routing-instances DATA routing-options static route 172.17.1.0/26 next-hop 10.240.46.9
set routing-instances DATA routing-options static route 172.17.3.0/24 next-hop 10.240.46.9
set routing-instances DATA routing-options static route 172.17.32.0/24 next-hop 10.240.46.9
set routing-instances DATA routing-options static route 10.10.30.140/32 next-hop 10.240.46.9
set routing-instances DATA routing-options static route 172.17.31.64/26 next-hop 10.240.46.9
set routing-instances DATA routing-options static route 172.17.31.128/26 next-hop 10.240.46.9
set routing-instances DATA routing-options static route 172.17.31.192/26 next-hop 10.240.46.9
set routing-instances DATA routing-options static route 172.17.4.64/26 next-hop 10.240.46.9
set routing-instances DATA protocols bgp group IBGP_PEER_MYSORE type internal
set routing-instances DATA protocols bgp group IBGP_PEER_MYSORE local-address 10.240.45.69
set routing-instances DATA protocols bgp group IBGP_PEER_MYSORE export ri_export
set routing-instances DATA protocols bgp group IBGP_PEER_MYSORE peer-as 65010
set routing-instances DATA protocols bgp group IBGP_PEER_MYSORE neighbor 10.240.45.70
set routing-instances DATA protocols bgp group IBGP_PEER_RAMANAGAR type internal
set routing-instances DATA protocols bgp group IBGP_PEER_RAMANAGAR local-address 10.240.45.169
set routing-instances DATA protocols bgp group IBGP_PEER_RAMANAGAR export ri_export
set routing-instances DATA protocols bgp group IBGP_PEER_RAMANAGAR peer-as 65010
set routing-instances DATA protocols bgp group IBGP_PEER_RAMANAGAR neighbor 10.240.45.170
set routing-instances VDO description " Video traffic "
set routing-instances VDO instance-type vrf
set routing-instances VDO interface ge-0/0/3.61
set routing-instances VDO interface lo0.61
set routing-instances VDO interface st0.61
set routing-instances VDO interface st0.610
set routing-instances VDO route-distinguisher 65010:103
set routing-instances VDO vrf-import VDO_Import
set routing-instances VDO vrf-export VDO_Export
set routing-instances VDO vrf-target target:65010:103
set routing-instances VDO routing-options static route 10.96.151.0/24 next-hop 10.240.46.1
set routing-instances VDO routing-options static route 10.96.95.224/28 next-hop 10.240.46.1
set routing-instances VDO protocols bgp group IBGP_PEER_MYSORE type internal
set routing-instances VDO protocols bgp group IBGP_PEER_MYSORE local-address 10.240.45.61
set routing-instances VDO protocols bgp group IBGP_PEER_MYSORE export ri_export
set routing-instances VDO protocols bgp group IBGP_PEER_MYSORE peer-as 65010
set routing-instances VDO protocols bgp group IBGP_PEER_MYSORE neighbor 10.240.45.62
set routing-instances VDO protocols bgp group IBGP_PEER_RAMANAGAR type internal
set routing-instances VDO protocols bgp group IBGP_PEER_RAMANAGAR local-address 10.240.45.161
set routing-instances VDO protocols bgp group IBGP_PEER_RAMANAGAR export ri_export
set routing-instances VDO protocols bgp group IBGP_PEER_RAMANAGAR peer-as 65010
set routing-instances VDO protocols bgp group IBGP_PEER_RAMANAGAR neighbor 10.240.45.162
set routing-instances VOIP description " VOIP traffic "
set routing-instances VOIP instance-type vrf
set routing-instances VOIP interface ge-0/0/3.62
set routing-instances VOIP interface lo0.62
set routing-instances VOIP interface st0.62
set routing-instances VOIP interface st0.620
set routing-instances VOIP route-distinguisher 65010:101
set routing-instances VOIP vrf-import VOIP_Import
set routing-instances VOIP vrf-export VOIP_Export
set routing-instances VOIP vrf-target target:65010:101
set routing-instances VOIP routing-options static route 10.240.4.0/24 next-hop 10.240.46.5
set routing-instances VOIP routing-options static route 10.240.5.0/24 next-hop 10.240.46.5
set routing-instances VOIP protocols bgp group IBGP_PEER_MYSORE type internal
set routing-instances VOIP protocols bgp group IBGP_PEER_MYSORE local-address 10.240.45.65
set routing-instances VOIP protocols bgp group IBGP_PEER_MYSORE export ri_export
set routing-instances VOIP protocols bgp group IBGP_PEER_MYSORE peer-as 65010
set routing-instances VOIP protocols bgp group IBGP_PEER_MYSORE neighbor 10.240.45.66
set routing-instances VOIP protocols bgp group IBGP_PEER_RAMANAGAR type internal
set routing-instances VOIP protocols bgp group IBGP_PEER_RAMANAGAR local-address 10.240.45.165
set routing-instances VOIP protocols bgp group IBGP_PEER_RAMANAGAR export ri_export
set routing-instances VOIP protocols bgp group IBGP_PEER_RAMANAGAR peer-as 65010
set routing-instances VOIP protocols bgp group IBGP_PEER_RAMANAGAR neighbor 10.240.45.166

root@ASR-POC-BLR>



Mysore site configuration




show |display set |match        |no-more
set version 11.2R4.3
set system host-name ASR-POC-MYSORE
set system root-authentication encrypted-password "$1$hoZBA2FZ$42.mWXY0yAmlCOfNUZmYg."
set system services ssh
set system services telnet
set system services xnm-clear-text
set system services web-management http
set system services web-management https system-generated-certificate
set system syslog archive size 100k
set system syslog archive files 3
set system syslog user * any emergency
set system syslog file messages any critical
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands error
set system max-configurations-on-flash 5
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set interfaces fe-0/0/0 unit 0
set interfaces fe-0/0/1 description "****Connected To BSNL ****"
set interfaces fe-0/0/1 unit 0 family inet address 10.240.41.13/30
set interfaces fe-0/0/2 description "***** connected to reliance"
set interfaces fe-0/0/2 unit 0 family inet address 10.240.45.13/30
set interfaces fe-0/0/3 vlan-tagging
set interfaces fe-0/0/3 unit 0 vlan-id 0
set interfaces fe-0/0/3 unit 41 description "***** Video vrf*****"
set interfaces fe-0/0/3 unit 41 vlan-id 41
set interfaces fe-0/0/3 unit 41 family inet address 10.240.48.2/30
set interfaces fe-0/0/3 unit 42 description "******VOIP traffic*****"
set interfaces fe-0/0/3 unit 42 vlan-id 42
set interfaces fe-0/0/3 unit 42 family inet address 10.240.48.6/30
set interfaces fe-0/0/3 unit 43 description "******DATA TRAFFIC*****"
set interfaces fe-0/0/3 unit 43 vlan-id 43
set interfaces fe-0/0/3 unit 43 family inet address 10.240.48.10/30
set interfaces lo0 unit 0 family inet address 10.240.45.110/32
set interfaces lo0 unit 61 family inet address 10.240.45.111/32
set interfaces lo0 unit 62 family inet address 10.240.45.112/32
set interfaces lo0 unit 63 family inet address 10.240.45.113/32
set interfaces st0 unit 61 family inet mtu 1400
set interfaces st0 unit 61 family inet address 10.240.45.62/30
set interfaces st0 unit 62 family inet mtu 1400
set interfaces st0 unit 62 family inet address 10.240.45.66/30
set interfaces st0 unit 63 family inet mtu 1400
set interfaces st0 unit 63 family inet address 10.240.45.70/30
set interfaces st0 unit 610 family inet
set interfaces st0 unit 620 family inet
set interfaces st0 unit 630 family inet
set routing-options autonomous-system 65010
set protocols bgp group BSNL_ISP_PEER type external
set protocols bgp group BSNL_ISP_PEER export loopback
set protocols bgp group BSNL_ISP_PEER peer-as 9829
set protocols bgp group BSNL_ISP_PEER neighbor 10.240.41.14
set protocols bgp group RIL_ISP_PEER type external
set protocols bgp group RIL_ISP_PEER export loopback
set protocols bgp group RIL_ISP_PEER peer-as 18101
set protocols bgp group RIL_ISP_PEER neighbor 10.240.45.14
set protocols stp
set policy-options policy-statement DATA_Export term Export from protocol direct
set policy-options policy-statement DATA_Export term Export then community add RT-DATA-Export
set policy-options policy-statement DATA_Export term Export then accept
set policy-options policy-statement DATA_Export term Reject then reject
set policy-options policy-statement Data_Import term Import from protocol bgp
set policy-options policy-statement Data_Import term Import from community RT-DATA-Export
set policy-options policy-statement Data_Import term Import from community RT-DATA-Import
set policy-options policy-statement Data_Import term Import then accept
set policy-options policy-statement Data_Import term Reject then reject
set policy-options policy-statement VDO_Export term Export from protocol direct
set policy-options policy-statement VDO_Export term Export then community add RT-VDO-Export
set policy-options policy-statement VDO_Export term Export then accept
set policy-options policy-statement VDO_Export term Reject then reject
set policy-options policy-statement VDO_Import term Import from protocol bgp
set policy-options policy-statement VDO_Import term Import from community RT-VDO-Export
set policy-options policy-statement VDO_Import term Import from community RT-VDO-Import
set policy-options policy-statement VDO_Import term Import then accept
set policy-options policy-statement VDO_Import term Reject then reject
set policy-options policy-statement VOIP_Export term Export from protocol direct
set policy-options policy-statement VOIP_Export term Export then community add RT-VOIP-Export
set policy-options policy-statement VOIP_Export term Export then accept
set policy-options policy-statement VOIP_Export term Reject then reject
set policy-options policy-statement VOIP_Import term Import from protocol bgp
set policy-options policy-statement VOIP_Import term Import from community RT-VOIP-Export
set policy-options policy-statement VOIP_Import term Import from community RT-VOIP-Import
set policy-options policy-statement VOIP_Import term Import then accept
set policy-options policy-statement VOIP_Import term Reject then reject
set policy-options policy-statement loopback term t1 from protocol direct
set policy-options policy-statement loopback term t1 from route-filter 10.240.45.110/32 exact
set policy-options policy-statement loopback term t1 then accept
set policy-options policy-statement ri_export then accept
set policy-options community RT-DATA-Export members target:65010:68
set policy-options community RT-DATA-Import members target:65010:68
set policy-options community RT-VDO-Export members target:65010:103
set policy-options community RT-VDO-Import members target:65010:103
set policy-options community RT-VOIP-Export members target:65010:101
set policy-options community RT-VOIP-Import members target:65010:101
set security ike traceoptions file ike.trace
set security ike traceoptions flag all
set security ike proposal ike-phase1-proposal authentication-method pre-shared-keys
set security ike proposal ike-phase1-proposal dh-group group2
set security ike proposal ike-phase1-proposal authentication-algorithm sha1
set security ike proposal ike-phase1-proposal encryption-algorithm aes-128-cbc
set security ike policy ike-phase1-policy mode main
set security ike policy ike-phase1-policy proposals ike-phase1-proposal
set security ike policy ike-phase1-policy pre-shared-key ascii-text "$9$uaI5BRSvWxwYoreYoJGq.0BIEreM8X-bs"
set security ike gateway gw-RAMANAGAR ike-policy ike-phase1-policy
set security ike gateway gw-RAMANAGAR address 10.240.45.120
set security ike gateway gw-RAMANAGAR dead-peer-detection interval 10
set security ike gateway gw-RAMANAGAR dead-peer-detection threshold 2
set security ike gateway gw-RAMANAGAR external-interface lo0.0
set security ike gateway gw-BLR ike-policy ike-phase1-policy
set security ike gateway gw-BLR address 10.240.45.100
set security ike gateway gw-BLR dead-peer-detection interval 10
set security ike gateway gw-BLR dead-peer-detection threshold 2
set security ike gateway gw-BLR external-interface lo0.0
set security ipsec traceoptions flag all
set security ipsec proposal ipsec-phase2-proposal protocol esp
set security ipsec proposal ipsec-phase2-proposal authentication-algorithm hmac-sha1-96
set security ipsec proposal ipsec-phase2-proposal encryption-algorithm aes-128-cbc
set security ipsec policy ipsec-phase2-policy perfect-forward-secrecy keys group2
set security ipsec policy ipsec-phase2-policy proposals ipsec-phase2-proposal
set security ipsec vpn RAMANAGAR-data bind-interface st0.630
set security ipsec vpn RAMANAGAR-data df-bit clear
set security ipsec vpn RAMANAGAR-data vpn-monitor
set security ipsec vpn RAMANAGAR-data ike gateway gw-RAMANAGAR
set security ipsec vpn RAMANAGAR-data ike ipsec-policy ipsec-phase2-policy
set security ipsec vpn RAMANAGAR-VDO bind-interface st0.610
set security ipsec vpn RAMANAGAR-VDO df-bit clear
set security ipsec vpn RAMANAGAR-VDO vpn-monitor
set security ipsec vpn RAMANAGAR-VDO ike gateway gw-RAMANAGAR
set security ipsec vpn RAMANAGAR-VDO ike ipsec-policy ipsec-phase2-policy
set security ipsec vpn RAMANAGAR-VOIP bind-interface st0.620
set security ipsec vpn RAMANAGAR-VOIP df-bit clear
set security ipsec vpn RAMANAGAR-VOIP vpn-monitor
set security ipsec vpn RAMANAGAR-VOIP ike gateway gw-RAMANAGAR
set security ipsec vpn RAMANAGAR-VOIP ike ipsec-policy ipsec-phase2-policy
set security ipsec vpn BLR-DATA bind-interface st0.63
set security ipsec vpn BLR-DATA df-bit clear
set security ipsec vpn BLR-DATA vpn-monitor
set security ipsec vpn BLR-DATA ike gateway gw-BLR
set security ipsec vpn BLR-DATA ike proxy-identity local 10.240.45.70/32
set security ipsec vpn BLR-DATA ike proxy-identity remote 10.240.45.69/32
set security ipsec vpn BLR-DATA ike ipsec-policy ipsec-phase2-policy
set security ipsec vpn BLR-VDO bind-interface st0.61
set security ipsec vpn BLR-VDO df-bit clear
set security ipsec vpn BLR-VDO vpn-monitor
set security ipsec vpn BLR-VDO ike gateway gw-BLR
set security ipsec vpn BLR-VDO ike proxy-identity local 10.240.45.62/32
set security ipsec vpn BLR-VDO ike proxy-identity remote 10.240.45.61/32
set security ipsec vpn BLR-VDO ike ipsec-policy ipsec-phase2-policy
set security ipsec vpn BLR-VOIP bind-interface st0.62
set security ipsec vpn BLR-VOIP df-bit clear
set security ipsec vpn BLR-VOIP vpn-monitor
set security ipsec vpn BLR-VOIP ike gateway gw-BLR
set security ipsec vpn BLR-VOIP ike proxy-identity local 10.240.45.66/32
set security ipsec vpn BLR-VOIP ike proxy-identity remote 10.240.45.65/32
set security ipsec vpn BLR-VOIP ike ipsec-policy ipsec-phase2-policy
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
set security policies from-zone trust to-zone DATA policy all match source-address any
set security policies from-zone trust to-zone DATA policy all match destination-address any
set security policies from-zone trust to-zone DATA policy all match application any
set security policies from-zone trust to-zone DATA policy all then permit
set security policies from-zone trust to-zone VOIP policy all match source-address any
set security policies from-zone trust to-zone VOIP policy all match destination-address any
set security policies from-zone trust to-zone VOIP policy all match application any
set security policies from-zone trust to-zone VOIP policy all then permit
set security policies default-policy permit-all
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces fe-0/0/1.0
set security zones security-zone trust interfaces fe-0/0/2.0
set security zones security-zone trust interfaces lo0.0
set security zones security-zone untrust host-inbound-traffic system-services any-service
set security zones security-zone untrust host-inbound-traffic protocols all
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services dhcp
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services tftp
set security zones security-zone DATA host-inbound-traffic system-services all
set security zones security-zone DATA host-inbound-traffic protocols all
set security zones security-zone DATA interfaces fe-0/0/3.43
set security zones security-zone DATA interfaces lo0.63
set security zones security-zone DATA interfaces st0.63
set security zones security-zone VOIP host-inbound-traffic system-services all
set security zones security-zone VOIP host-inbound-traffic protocols all
set security zones security-zone VOIP interfaces lo0.62
set security zones security-zone VOIP interfaces st0.62
set security zones security-zone VOIP interfaces fe-0/0/3.42
set security zones security-zone VDO interfaces st0.61
set security zones security-zone VDO interfaces lo0.61
set routing-instances DATA description For-data-traffic
set routing-instances DATA instance-type vrf
set routing-instances DATA interface fe-0/0/3.43
set routing-instances DATA interface lo0.63
set routing-instances DATA interface st0.63
set routing-instances DATA route-distinguisher 65010:68
set routing-instances DATA vrf-import Data_Import
set routing-instances DATA vrf-export DATA_Export
set routing-instances DATA vrf-target target:65010:68
set routing-instances DATA protocols bgp group IBGP_PEER_BLR type internal
set routing-instances DATA protocols bgp group IBGP_PEER_BLR local-address 10.240.45.70
set routing-instances DATA protocols bgp group IBGP_PEER_BLR export ri_export
set routing-instances DATA protocols bgp group IBGP_PEER_BLR peer-as 65010
set routing-instances DATA protocols bgp group IBGP_PEER_BLR neighbor 10.240.45.69
set routing-instances VDO description " Video traffic "
set routing-instances VDO instance-type vrf
set routing-instances VDO interface fe-0/0/3.41
set routing-instances VDO interface lo0.61
set routing-instances VDO interface st0.61
set routing-instances VDO route-distinguisher 65010:103
set routing-instances VDO vrf-import VDO_Import
set routing-instances VDO vrf-export VDO_Export
set routing-instances VDO vrf-target target:65010:103
set routing-instances VDO protocols bgp group IBGP_PEER_BLR type internal
set routing-instances VDO protocols bgp group IBGP_PEER_BLR local-address 10.240.45.62
set routing-instances VDO protocols bgp group IBGP_PEER_BLR export ri_export
set routing-instances VDO protocols bgp group IBGP_PEER_BLR peer-as 65010
set routing-instances VDO protocols bgp group IBGP_PEER_BLR neighbor 10.240.45.61
set routing-instances VOIP description " VOIP traffic "
set routing-instances VOIP instance-type vrf
set routing-instances VOIP interface fe-0/0/3.42
set routing-instances VOIP interface lo0.62
set routing-instances VOIP interface st0.62
set routing-instances VOIP route-distinguisher 65010:101
set routing-instances VOIP vrf-import VOIP_Import
set routing-instances VOIP vrf-export VOIP_Export
set routing-instances VOIP vrf-target target:65010:101
set routing-instances VOIP protocols bgp group IBGP_PEER_BLR type internal
set routing-instances VOIP protocols bgp group IBGP_PEER_BLR local-address 10.240.45.66
set routing-instances VOIP protocols bgp group IBGP_PEER_BLR export ri_export
set routing-instances VOIP protocols bgp group IBGP_PEER_BLR peer-as 65010
set routing-instances VOIP protocols bgp group IBGP_PEER_BLR neighbor 10.240.45.65
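Added here as an example, not code from the original post: a small Python checker that parses flat `show | display set` output like the dump above and reports the weaker settings visible in it (telnet, xnm-clear-text and HTTP web management, the permit-all default policy, zones that accept all host-inbound system services), plus a consistency check that every routing-instance interface is assigned to a security zone, which on the Mysore box catches the VDO VRF's fe-0/0/3.41. The function names and the sample input (a constructed excerpt modelled on the Mysore dump) are mine.

```python
"""Audit a Junos 'show | display set' dump for risky settings.

Added example, not from the original post. It parses the flat
'set ...' statements and flags plaintext management services,
a permit-all default policy, zones that accept all host-inbound
system services, and VRF interfaces that sit in no security zone.
"""

# Constructed excerpt modelled on the Mysore dump above.
SAMPLE = """\
set system services ssh
set system services telnet
set system services xnm-clear-text
set system services web-management http
set security policies default-policy permit-all
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust interfaces lo0.0
set security zones security-zone VDO interfaces st0.61
set security zones security-zone VDO interfaces lo0.61
set routing-instances VDO instance-type vrf
set routing-instances VDO interface fe-0/0/3.41
set routing-instances VDO interface lo0.61
set routing-instances VDO interface st0.61
"""

PLAINTEXT_SERVICES = {"telnet", "xnm-clear-text", "http"}


def parse_set_lines(text):
    """Split each 'set a b c' line into the tuple ('a', 'b', 'c')."""
    return [tuple(line.split()[1:])
            for line in text.splitlines() if line.startswith("set ")]


def audit(text):
    """Return a sorted list of human-readable findings for the dump."""
    findings = []
    zoned = set()     # interfaces that belong to some security zone
    vrf_ifaces = []   # (routing-instance, interface) pairs
    for s in parse_set_lines(text):
        if s[:2] == ("system", "services") and s[-1] in PLAINTEXT_SERVICES:
            # matches bare 'telnet'/'xnm-clear-text' and 'web-management http'
            findings.append(f"plaintext management service enabled: {' '.join(s[2:])}")
        elif s[:3] == ("security", "policies", "default-policy") and s[3] == "permit-all":
            findings.append("default security policy is permit-all")
        elif s[:3] == ("security", "zones", "security-zone"):
            if s[4] == "interfaces":
                zoned.add(s[5])
            elif s[4:] == ("host-inbound-traffic", "system-services", "all"):
                findings.append(f"zone {s[3]} accepts all host-inbound system services")
        elif s[0] == "routing-instances" and s[2] == "interface":
            vrf_ifaces.append((s[1], s[3]))
    for vrf, iface in vrf_ifaces:
        if iface not in zoned:   # traffic on it is handled by no zone policy
            findings.append(f"interface {iface} in VRF {vrf} is in no security zone")
    return sorted(findings)
```

Running `audit(SAMPLE)` on the excerpt returns six findings; feed it the full dump of either site to see the same checks applied to the whole configuration.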