Thursday, April 2, 2015

Case study / proof of concept for MPLS/IPsec/BGP on a Juniper SRX240 (8-port Ethernet)




Case study: the client requirement was for DMVPN, but Juniper does not support DMVPN, so a hub-and-spoke overlay was built instead using route-based IPsec tunnels (st0 interfaces) with BGP running over them. Note that the configuration dumps below include the root-password hash and the IKE pre-shared key (Junos `$9$` values are reversibly obfuscated, not hashed), so both should be rotated before any of this is reused.





Bangalore router configuration

root@ASR-POC-BLR>
root@ASR-POC-BLR> show configuration | no-more     |display set
set version 12.1X44.3
set system host-name ASR-POC-BLR
set system root-authentication encrypted-password "$1$hoZBA2FZ$42.mWXY0yAmlCOfNUZmYg."
set system services ssh
set system services telnet
set system services xnm-clear-text
set system services web-management http interface vlan.0
set system services web-management https system-generated-certificate
set system services web-management https interface vlan.0
set system syslog archive size 100k
set system syslog archive files 3
set system syslog user * any emergency
set system syslog file messages any critical
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands error
set system max-configurations-on-flash 5
set system max-configuration-rollbacks 5
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set interfaces ge-0/0/0 unit 0
set interfaces ge-0/0/1 description "****Connected To BSNL ****"
set interfaces ge-0/0/1 per-unit-scheduler
set interfaces ge-0/0/1 unit 0 family inet filter input packet-mode
set interfaces ge-0/0/1 unit 0 family inet address 10.240.41.21/30
set interfaces ge-0/0/2 description "***** connected to reliances"
set interfaces ge-0/0/2 per-unit-scheduler
set interfaces ge-0/0/2 unit 0 family inet filter input packet-mode
deactivate interfaces ge-0/0/2 unit 0 family inet filter
set interfaces ge-0/0/2 unit 0 family inet address 10.240.45.21/30
set interfaces ge-0/0/3 per-unit-scheduler
set interfaces ge-0/0/3 vlan-tagging
set interfaces ge-0/0/3 unit 0 vlan-id 0
set interfaces ge-0/0/3 unit 61 description "***** Video vrf*****"
set interfaces ge-0/0/3 unit 61 vlan-id 61
set interfaces ge-0/0/3 unit 61 family inet address 10.240.46.2/30
set interfaces ge-0/0/3 unit 62 description "******VOIP traffic*****"
set interfaces ge-0/0/3 unit 62 vlan-id 62
set interfaces ge-0/0/3 unit 62 family inet address 10.240.46.6/30
set interfaces ge-0/0/3 unit 63 description "******DATA TRAFFIC*****"
set interfaces ge-0/0/3 unit 63 vlan-id 63
set interfaces ge-0/0/3 unit 63 family inet address 10.240.46.10/30
set interfaces ge-0/0/6 unit 0 family inet address 10.240.45.217/30
set interfaces lo0 unit 0 family inet address 10.240.45.100/32
set interfaces lo0 unit 61 family inet address 10.240.45.101/32
set interfaces lo0 unit 62 family inet address 10.240.45.102/32
set interfaces lo0 unit 63 family inet address 10.240.45.103/32
set interfaces st0 unit 61 family inet mtu 1400
set interfaces st0 unit 61 family inet address 10.240.45.61/30
set interfaces st0 unit 62 family inet mtu 1400
set interfaces st0 unit 62 family inet address 10.240.45.65/30
set interfaces st0 unit 63 family inet mtu 1400
set interfaces st0 unit 63 family inet address 10.240.45.69/30
set interfaces st0 unit 610 family inet mtu 1400
set interfaces st0 unit 610 family inet address 10.240.45.161/30
set interfaces st0 unit 620 family inet mtu 1400
set interfaces st0 unit 620 family inet address 10.240.45.165/30
set interfaces st0 unit 630 family inet mtu 1400
set interfaces st0 unit 630 family inet address 10.240.45.169/30
set routing-options autonomous-system 65010
set protocols bgp path-selection cisco-non-deterministic
set protocols bgp traceoptions file bgp_trace
set protocols bgp traceoptions flag normal
set protocols bgp log-updown
set protocols bgp group BSNL_ISP_PEER type external
set protocols bgp group BSNL_ISP_PEER export export_lo0
set protocols bgp group BSNL_ISP_PEER peer-as 9829
set protocols bgp group BSNL_ISP_PEER neighbor 10.240.41.22
set protocols bgp group RIL_ISP_PEER type external
set protocols bgp group RIL_ISP_PEER export export_lo0
set protocols bgp group RIL_ISP_PEER peer-as 18101
set protocols bgp group RIL_ISP_PEER neighbor 10.240.45.22
set protocols bgp group AIRTEL_ISP_PEER type external
set protocols bgp group AIRTEL_ISP_PEER export export_lo0
set protocols bgp group AIRTEL_ISP_PEER peer-as 9498
set protocols bgp group AIRTEL_ISP_PEER neighbor 10.240.45.218
set protocols stp
set policy-options policy-statement AS_PATH_BLOCK term accept-term from as-path AS_PATH_BLOCK-accept
set policy-options policy-statement AS_PATH_BLOCK term accept-term then accept
set policy-options policy-statement AS_PATH_BLOCK term reject-term from as-path AS_PATH_BLOCK-reject
set policy-options policy-statement AS_PATH_BLOCK term reject-term then reject
set policy-options policy-statement AS_PATH_BLOCK term ios-implicit-deny then reject
set policy-options policy-statement DATA_Export term Export from protocol direct
set policy-options policy-statement DATA_Export term Export then community add RT-DATA-Export
set policy-options policy-statement DATA_Export term Export then accept
set policy-options policy-statement DATA_Export term Reject then reject
set policy-options policy-statement DELETE_AS_PATH term strip-communities then community delete all
set policy-options policy-statement DELETE_AS_PATH term strip-communities then next term
set policy-options policy-statement DELETE_AS_PATH term explicit-default-action then next policy
set policy-options policy-statement Data_Import term Import from protocol bgp
set policy-options policy-statement Data_Import term Import from community RT-DATA-Export
set policy-options policy-statement Data_Import term Import from community RT-DATA-Import
set policy-options policy-statement Data_Import term Import then accept
set policy-options policy-statement Data_Import term Reject then reject
set policy-options policy-statement ISP_OUT_FILTER term T1 from route-filter 10.240.45.21/30 exact
set policy-options policy-statement ISP_OUT_FILTER term T1 from route-filter 10.240.45.13/30 exact
set policy-options policy-statement ISP_OUT_FILTER term T1 from route-filter 10.240.45.6/30 exact
set policy-options policy-statement ISP_OUT_FILTER term T1 from route-filter 10.240.41.21/30 exact
set policy-options policy-statement ISP_OUT_FILTER term T1 from route-filter 10.240.41.13/30 exact
set policy-options policy-statement ISP_OUT_FILTER term T1 from route-filter 10.240.41.6/30 exact
set policy-options policy-statement ISP_OUT_FILTER term T1 then accept
set policy-options policy-statement ISP_OUT_FILTER term ios-implicit-deny then reject
set policy-options policy-statement VDO_Export term Export from protocol direct
set policy-options policy-statement VDO_Export term Export then community add RT-VDO-Export
set policy-options policy-statement VDO_Export term Export then accept
set policy-options policy-statement VDO_Export term Reject then reject
set policy-options policy-statement VDO_Import term Import from protocol bgp
set policy-options policy-statement VDO_Import term Import from community RT-VDO-Export
set policy-options policy-statement VDO_Import term Import from community RT-VDO-Import
set policy-options policy-statement VDO_Import term Import then accept
set policy-options policy-statement VDO_Import term Reject then reject
set policy-options policy-statement VOIP_Export term Export from protocol direct
set policy-options policy-statement VOIP_Export term Export then community add RT-VOIP-Export
set policy-options policy-statement VOIP_Export term Export then accept
set policy-options policy-statement VOIP_Export term Reject then reject
set policy-options policy-statement VOIP_Import term Import from protocol bgp
set policy-options policy-statement VOIP_Import term Import from community RT-VOIP-Export
set policy-options policy-statement VOIP_Import term Import from community RT-VOIP-Import
set policy-options policy-statement VOIP_Import term Import then accept
set policy-options policy-statement VOIP_Import term Reject then reject
set policy-options policy-statement export_lo0 term t1 from protocol direct
set policy-options policy-statement export_lo0 term t1 from route-filter 10.240.45.100/32 exact
set policy-options policy-statement export_lo0 term t1 then accept
set policy-options policy-statement export_lo0 term t2 from protocol bgp
set policy-options policy-statement export_lo0 term t2 then reject
set policy-options policy-statement ri_export then accept
set policy-options community RT-DATA-Export members target:65010:68
set policy-options community RT-DATA-Import members target:65010:68
set policy-options community RT-VDO-Export members target:65010:103
set policy-options community RT-VDO-Import members target:65010:103
set policy-options community RT-VOIP-Export members target:65010:101
set policy-options community RT-VOIP-Import members target:65010:101
set policy-options community all members *:*
set policy-options as-path AS_PATH_BLOCK-accept ".*(65010|9829|18101).*"
set policy-options as-path AS_PATH_BLOCK-reject .*
set class-of-service classifiers dscp dscp-class forwarding-class NC loss-priority high code-points dscp-cs7
set class-of-service classifiers dscp dscp-class forwarding-class NC loss-priority low code-points dscp-cs6
set class-of-service classifiers dscp dscp-class forwarding-class VIDEO loss-priority low code-points dscp-af11
set class-of-service classifiers dscp dscp-class forwarding-class VIDEO loss-priority high code-points dscp-af12
set class-of-service classifiers dscp dscp-class forwarding-class VOIP loss-priority low code-points dscp-ef
set class-of-service classifiers dscp dscp-class forwarding-class DATA loss-priority high code-points dscp-be
set class-of-service code-point-aliases dscp dscp-cs6 110000
set class-of-service code-point-aliases dscp dscp-ef 101110
set class-of-service code-point-aliases dscp dscp-af11 001010
set class-of-service code-point-aliases dscp dscp-be 000000
set class-of-service code-point-aliases dscp dscp-af12 001100
set class-of-service code-point-aliases dscp dscp-cs7 111000
set class-of-service drop-profiles SIG-Tail-Drop fill-level 100 drop-probability 100
set class-of-service drop-profiles BG-RED-Drop interpolate fill-level 70
set class-of-service drop-profiles BG-RED-Drop interpolate fill-level 80
set class-of-service drop-profiles BG-RED-Drop interpolate fill-level 90
set class-of-service drop-profiles BG-RED-Drop interpolate drop-probability 0
set class-of-service drop-profiles BG-RED-Drop interpolate drop-probability 25
set class-of-service drop-profiles BG-RED-Drop interpolate drop-probability 100
set class-of-service drop-profiles low-drop interpolate fill-level 75
set class-of-service drop-profiles low-drop interpolate fill-level 95
set class-of-service drop-profiles low-drop interpolate drop-probability 10
set class-of-service drop-profiles low-drop interpolate drop-probability 40
set class-of-service drop-profiles high-drop interpolate fill-level 25
set class-of-service drop-profiles high-drop interpolate fill-level 50
set class-of-service drop-profiles high-drop interpolate drop-probability 50
set class-of-service drop-profiles high-drop interpolate drop-probability 90
set class-of-service forwarding-classes queue 0 DATA
set class-of-service forwarding-classes queue 1 VOIP
set class-of-service forwarding-classes queue 2 VIDEO
set class-of-service forwarding-classes queue 3 NC
set class-of-service interfaces ge-0/0/1 unit 0 scheduler-map s_map
set class-of-service interfaces ge-0/0/1 unit 0 classifiers dscp dscp-class
set class-of-service interfaces ge-0/0/1 unit 0 rewrite-rules dscp dscp-rewrite
set class-of-service interfaces ge-0/0/2 unit 0 scheduler-map s_map
set class-of-service interfaces ge-0/0/2 unit 0 classifiers dscp dscp-class
set class-of-service interfaces ge-0/0/2 unit 0 rewrite-rules dscp dscp-rewrite
set class-of-service interfaces ge-0/0/3 unit 0 forwarding-class VIDEO
set class-of-service interfaces ge-0/0/3 unit 0 scheduler-map s_map
set class-of-service interfaces ge-0/0/3 unit 0 rewrite-rules dscp dscp-rewrite
set class-of-service interfaces ge-0/0/4 unit 0 forwarding-class VOIP
set class-of-service interfaces ge-0/0/4 unit 0 scheduler-map s_map
set class-of-service interfaces ge-0/0/4 unit 0 rewrite-rules dscp dscp-rewrite
set class-of-service interfaces ge-0/0/5 unit 0 forwarding-class DATA
set class-of-service interfaces ge-0/0/5 unit 0 scheduler-map s_map
set class-of-service interfaces ge-0/0/5 unit 0 rewrite-rules dscp dscp-rewrite
set class-of-service rewrite-rules dscp dscp-rewrite forwarding-class NC loss-priority high code-point dscp-cs7
set class-of-service rewrite-rules dscp dscp-rewrite forwarding-class NC loss-priority low code-point dscp-cs6
set class-of-service rewrite-rules dscp dscp-rewrite forwarding-class VOIP loss-priority low code-point dscp-ef
set class-of-service rewrite-rules dscp dscp-rewrite forwarding-class VIDEO loss-priority low code-point dscp-af11
set class-of-service rewrite-rules dscp dscp-rewrite forwarding-class DATA loss-priority high code-point dscp-be
set class-of-service scheduler-maps s_map forwarding-class DATA scheduler DATA
set class-of-service scheduler-maps s_map forwarding-class NC scheduler NC
set class-of-service scheduler-maps s_map forwarding-class VIDEO scheduler VIDEO
set class-of-service scheduler-maps s_map forwarding-class VOIP scheduler VOIP
set class-of-service schedulers DATA transmit-rate percent 19
set class-of-service schedulers DATA buffer-size percent 19
set class-of-service schedulers VIDEO transmit-rate percent 40
set class-of-service schedulers VIDEO buffer-size percent 40
set class-of-service schedulers VIDEO priority high
set class-of-service schedulers VOIP transmit-rate percent 40
set class-of-service schedulers VOIP buffer-size percent 40
set class-of-service schedulers VOIP priority high
set class-of-service schedulers NC transmit-rate percent 1
set class-of-service schedulers NC buffer-size percent 1
set class-of-service schedulers NC priority high
set security ike traceoptions file ike.trace
set security ike traceoptions flag all
set security ike proposal ike-phase1-proposal authentication-method pre-shared-keys
set security ike proposal ike-phase1-proposal dh-group group2
set security ike proposal ike-phase1-proposal authentication-algorithm sha1
set security ike proposal ike-phase1-proposal encryption-algorithm aes-128-cbc
set security ike policy ike-phase1-policy mode main
set security ike policy ike-phase1-policy proposals ike-phase1-proposal
set security ike policy ike-phase1-policy pre-shared-key ascii-text "$9$uaI5BRSvWxwYoreYoJGq.0BIEreM8X-bs"
set security ike gateway gw-MYSORE ike-policy ike-phase1-policy
set security ike gateway gw-MYSORE address 10.240.45.110
set security ike gateway gw-MYSORE dead-peer-detection interval 10
set security ike gateway gw-MYSORE dead-peer-detection threshold 2
set security ike gateway gw-MYSORE external-interface lo0.0
set security ike gateway gw-RAMANAGAR ike-policy ike-phase1-policy
set security ike gateway gw-RAMANAGAR address 10.240.45.120
set security ike gateway gw-RAMANAGAR dead-peer-detection interval 10
set security ike gateway gw-RAMANAGAR dead-peer-detection threshold 2
set security ike gateway gw-RAMANAGAR external-interface lo0.0
set security ipsec proposal ipsec-phase2-proposal protocol esp
set security ipsec proposal ipsec-phase2-proposal authentication-algorithm hmac-sha1-96
set security ipsec proposal ipsec-phase2-proposal encryption-algorithm aes-128-cbc
set security ipsec policy ipsec-phase2-policy perfect-forward-secrecy keys group2
set security ipsec policy ipsec-phase2-policy proposals ipsec-phase2-proposal
set security ipsec vpn MYSORE-data bind-interface st0.63
set security ipsec vpn MYSORE-data df-bit clear
set security ipsec vpn MYSORE-data vpn-monitor
set security ipsec vpn MYSORE-data ike gateway gw-MYSORE
set security ipsec vpn MYSORE-data ike proxy-identity local 10.240.45.69/32
set security ipsec vpn MYSORE-data ike proxy-identity remote 10.240.45.70/32
set security ipsec vpn MYSORE-data ike ipsec-policy ipsec-phase2-policy
set security ipsec vpn MYSORE-data establish-tunnels immediately
set security ipsec vpn MYSORE-VDO bind-interface st0.61
set security ipsec vpn MYSORE-VDO df-bit clear
set security ipsec vpn MYSORE-VDO vpn-monitor
set security ipsec vpn MYSORE-VDO ike gateway gw-MYSORE
set security ipsec vpn MYSORE-VDO ike proxy-identity local 10.240.45.61/32
set security ipsec vpn MYSORE-VDO ike proxy-identity remote 10.240.45.62/32
set security ipsec vpn MYSORE-VDO ike ipsec-policy ipsec-phase2-policy
set security ipsec vpn MYSORE-VDO establish-tunnels immediately
set security ipsec vpn MYSORE-VOIP bind-interface st0.62
set security ipsec vpn MYSORE-VOIP df-bit clear
set security ipsec vpn MYSORE-VOIP vpn-monitor
set security ipsec vpn MYSORE-VOIP ike gateway gw-MYSORE
set security ipsec vpn MYSORE-VOIP ike proxy-identity local 10.240.45.65/32
set security ipsec vpn MYSORE-VOIP ike proxy-identity remote 10.240.45.66/32
set security ipsec vpn MYSORE-VOIP ike ipsec-policy ipsec-phase2-policy
set security ipsec vpn MYSORE-VOIP establish-tunnels immediately
set security ipsec vpn RAMANAGAR-data bind-interface st0.630
set security ipsec vpn RAMANAGAR-data df-bit clear
set security ipsec vpn RAMANAGAR-data vpn-monitor
set security ipsec vpn RAMANAGAR-data ike gateway gw-RAMANAGAR
set security ipsec vpn RAMANAGAR-data ike proxy-identity local 10.240.45.169/32
set security ipsec vpn RAMANAGAR-data ike proxy-identity remote 10.240.45.170/32
set security ipsec vpn RAMANAGAR-data ike ipsec-policy ipsec-phase2-policy
set security ipsec vpn RAMANAGAR-data establish-tunnels immediately
set security ipsec vpn RAMANAGAR-VDO bind-interface st0.610
set security ipsec vpn RAMANAGAR-VDO df-bit clear
set security ipsec vpn RAMANAGAR-VDO vpn-monitor
set security ipsec vpn RAMANAGAR-VDO ike gateway gw-RAMANAGAR
set security ipsec vpn RAMANAGAR-VDO ike proxy-identity local 10.240.45.161/32
set security ipsec vpn RAMANAGAR-VDO ike proxy-identity remote 10.240.45.162/32
set security ipsec vpn RAMANAGAR-VDO ike ipsec-policy ipsec-phase2-policy
set security ipsec vpn RAMANAGAR-VDO establish-tunnels immediately
set security ipsec vpn RAMANAGAR-VOIP bind-interface st0.620
set security ipsec vpn RAMANAGAR-VOIP df-bit clear
set security ipsec vpn RAMANAGAR-VOIP vpn-monitor
set security ipsec vpn RAMANAGAR-VOIP ike gateway gw-RAMANAGAR
set security ipsec vpn RAMANAGAR-VOIP ike proxy-identity local 10.240.45.165/32
set security ipsec vpn RAMANAGAR-VOIP ike proxy-identity remote 10.240.45.166/32
set security ipsec vpn RAMANAGAR-VOIP ike ipsec-policy ipsec-phase2-policy
set security ipsec vpn RAMANAGAR-VOIP establish-tunnels immediately
set security alg sql disable
set security flow tcp-mss all-tcp mss 1436
set security flow tcp-mss ipsec-vpn mss 1380
set security policies from-zone trust to-zone trust policy permit-all match source-address any
set security policies from-zone trust to-zone trust policy permit-all match destination-address any
set security policies from-zone trust to-zone trust policy permit-all match application any
set security policies from-zone trust to-zone trust policy permit-all then permit
set security policies from-zone trust to-zone DATA policy all match source-address any
set security policies from-zone trust to-zone DATA policy all match destination-address any
set security policies from-zone trust to-zone DATA policy all match application any
set security policies from-zone trust to-zone DATA policy all then permit
set security policies from-zone trust to-zone VOIP policy all match source-address any
set security policies from-zone trust to-zone VOIP policy all match destination-address any
set security policies from-zone trust to-zone VOIP policy all match application any
set security policies from-zone trust to-zone VOIP policy all then permit
set security policies from-zone trust to-zone VIDEO policy all match source-address any
set security policies from-zone trust to-zone VIDEO policy all match destination-address any
set security policies from-zone trust to-zone VIDEO policy all match application any
set security policies from-zone trust to-zone VIDEO policy all then permit
set security policies default-policy permit-all
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone trust interfaces ge-0/0/2.0
set security zones security-zone trust interfaces lo0.0
set security zones security-zone DATA host-inbound-traffic system-services all
set security zones security-zone DATA host-inbound-traffic protocols all
set security zones security-zone DATA interfaces ge-0/0/3.63
set security zones security-zone DATA interfaces lo0.63
set security zones security-zone DATA interfaces st0.63
set security zones security-zone DATA interfaces st0.630
set security zones security-zone VOIP host-inbound-traffic system-services all
set security zones security-zone VOIP host-inbound-traffic protocols all
set security zones security-zone VOIP interfaces ge-0/0/3.62
set security zones security-zone VOIP interfaces lo0.62
set security zones security-zone VOIP interfaces st0.62
set security zones security-zone VOIP interfaces st0.620
set security zones security-zone VIDEO host-inbound-traffic system-services all
set security zones security-zone VIDEO host-inbound-traffic protocols all
set security zones security-zone VIDEO interfaces ge-0/0/3.61
set security zones security-zone VIDEO interfaces lo0.61
set security zones security-zone VIDEO interfaces st0.61
set security zones security-zone VIDEO interfaces st0.610
set firewall family inet filter packet-mode term t1 from source-address 10.240.45.108/32
set firewall family inet filter packet-mode term t1 from destination-address 10.240.45.110/32
set firewall family inet filter packet-mode term t1 then packet-mode
set firewall family inet filter packet-mode term t1 then accept
set firewall family inet filter packet-mode term t1-rev from source-address 10.240.45.110/32
set firewall family inet filter packet-mode term t1-rev from destination-address 10.240.45.108/32
set firewall family inet filter packet-mode term t1-rev then packet-mode
set firewall family inet filter packet-mode term t1-rev then accept
set firewall family inet filter packet-mode term t2 from source-address 10.240.45.103/32
set firewall family inet filter packet-mode term t2 from destination-address 10.240.45.101/32
set firewall family inet filter packet-mode term t2 then packet-mode
set firewall family inet filter packet-mode term t2 then accept
set firewall family inet filter packet-mode term t2-rev from source-address 10.240.45.101/32
set firewall family inet filter packet-mode term t2-rev from destination-address 10.240.45.103/32
set firewall family inet filter packet-mode term t2-rev then packet-mode
set firewall family inet filter packet-mode term t2-rev then accept
set firewall family inet filter packet-mode term t3 from source-address 10.240.45.104/32
set firewall family inet filter packet-mode term t3 from destination-address 10.240.45.102/32
set firewall family inet filter packet-mode term t3 then packet-mode
set firewall family inet filter packet-mode term t3 then accept
set firewall family inet filter packet-mode term t3-rev from source-address 10.240.45.102/32
set firewall family inet filter packet-mode term t3-rev from destination-address 10.240.45.104/32
set firewall family inet filter packet-mode term t3-rev then packet-mode
set firewall family inet filter packet-mode term t3-rev then accept
set routing-instances DATA description For-data-traffic
set routing-instances DATA instance-type vrf
set routing-instances DATA interface ge-0/0/3.63
set routing-instances DATA interface lo0.63
set routing-instances DATA interface st0.63
set routing-instances DATA interface st0.630
set routing-instances DATA route-distinguisher 65010:68
set routing-instances DATA vrf-import Data_Import
set routing-instances DATA vrf-export DATA_Export
set routing-instances DATA vrf-target target:65010:68
set routing-instances DATA routing-options static route 172.17.1.0/26 next-hop 10.240.46.9
set routing-instances DATA routing-options static route 172.17.3.0/24 next-hop 10.240.46.9
set routing-instances DATA routing-options static route 172.17.32.0/24 next-hop 10.240.46.9
set routing-instances DATA routing-options static route 10.10.30.140/32 next-hop 10.240.46.9
set routing-instances DATA routing-options static route 172.17.31.64/26 next-hop 10.240.46.9
set routing-instances DATA routing-options static route 172.17.31.128/26 next-hop 10.240.46.9
set routing-instances DATA routing-options static route 172.17.31.192/26 next-hop 10.240.46.9
set routing-instances DATA routing-options static route 172.17.4.64/26 next-hop 10.240.46.9
set routing-instances DATA protocols bgp group IBGP_PEER_MYSORE type internal
set routing-instances DATA protocols bgp group IBGP_PEER_MYSORE local-address 10.240.45.69
set routing-instances DATA protocols bgp group IBGP_PEER_MYSORE export ri_export
set routing-instances DATA protocols bgp group IBGP_PEER_MYSORE peer-as 65010
set routing-instances DATA protocols bgp group IBGP_PEER_MYSORE neighbor 10.240.45.70
set routing-instances DATA protocols bgp group IBGP_PEER_RAMANAGAR type internal
set routing-instances DATA protocols bgp group IBGP_PEER_RAMANAGAR local-address 10.240.45.169
set routing-instances DATA protocols bgp group IBGP_PEER_RAMANAGAR export ri_export
set routing-instances DATA protocols bgp group IBGP_PEER_RAMANAGAR peer-as 65010
set routing-instances DATA protocols bgp group IBGP_PEER_RAMANAGAR neighbor 10.240.45.170
set routing-instances VDO description " Video traffic "
set routing-instances VDO instance-type vrf
set routing-instances VDO interface ge-0/0/3.61
set routing-instances VDO interface lo0.61
set routing-instances VDO interface st0.61
set routing-instances VDO interface st0.610
set routing-instances VDO route-distinguisher 65010:103
set routing-instances VDO vrf-import VDO_Import
set routing-instances VDO vrf-export VDO_Export
set routing-instances VDO vrf-target target:65010:103
set routing-instances VDO routing-options static route 10.96.151.0/24 next-hop 10.240.46.1
set routing-instances VDO routing-options static route 10.96.95.224/28 next-hop 10.240.46.1
set routing-instances VDO protocols bgp group IBGP_PEER_MYSORE type internal
set routing-instances VDO protocols bgp group IBGP_PEER_MYSORE local-address 10.240.45.61
set routing-instances VDO protocols bgp group IBGP_PEER_MYSORE export ri_export
set routing-instances VDO protocols bgp group IBGP_PEER_MYSORE peer-as 65010
set routing-instances VDO protocols bgp group IBGP_PEER_MYSORE neighbor 10.240.45.62
set routing-instances VDO protocols bgp group IBGP_PEER_RAMANAGAR type internal
set routing-instances VDO protocols bgp group IBGP_PEER_RAMANAGAR local-address 10.240.45.161
set routing-instances VDO protocols bgp group IBGP_PEER_RAMANAGAR export ri_export
set routing-instances VDO protocols bgp group IBGP_PEER_RAMANAGAR peer-as 65010
set routing-instances VDO protocols bgp group IBGP_PEER_RAMANAGAR neighbor 10.240.45.162
set routing-instances VOIP description " VOIP traffic "
set routing-instances VOIP instance-type vrf
set routing-instances VOIP interface ge-0/0/3.62
set routing-instances VOIP interface lo0.62
set routing-instances VOIP interface st0.62
set routing-instances VOIP interface st0.620
set routing-instances VOIP route-distinguisher 65010:101
set routing-instances VOIP vrf-import VOIP_Import
set routing-instances VOIP vrf-export VOIP_Export
set routing-instances VOIP vrf-target target:65010:101
set routing-instances VOIP routing-options static route 10.240.4.0/24 next-hop 10.240.46.5
set routing-instances VOIP routing-options static route 10.240.5.0/24 next-hop 10.240.46.5
set routing-instances VOIP protocols bgp group IBGP_PEER_MYSORE type internal
set routing-instances VOIP protocols bgp group IBGP_PEER_MYSORE local-address 10.240.45.65
set routing-instances VOIP protocols bgp group IBGP_PEER_MYSORE export ri_export
set routing-instances VOIP protocols bgp group IBGP_PEER_MYSORE peer-as 65010
set routing-instances VOIP protocols bgp group IBGP_PEER_MYSORE neighbor 10.240.45.66
set routing-instances VOIP protocols bgp group IBGP_PEER_RAMANAGAR type internal
set routing-instances VOIP protocols bgp group IBGP_PEER_RAMANAGAR local-address 10.240.45.165
set routing-instances VOIP protocols bgp group IBGP_PEER_RAMANAGAR export ri_export
set routing-instances VOIP protocols bgp group IBGP_PEER_RAMANAGAR peer-as 65010
set routing-instances VOIP protocols bgp group IBGP_PEER_RAMANAGAR neighbor 10.240.45.166

root@ASR-POC-BLR>



Mysore site configuration




show |display set |match        |no-more
set version 11.2R4.3
set system host-name ASR-POC-MYSORE
set system root-authentication encrypted-password "$1$hoZBA2FZ$42.mWXY0yAmlCOfNUZmYg."
set system services ssh
set system services telnet
set system services xnm-clear-text
set system services web-management http
set system services web-management https system-generated-certificate
set system syslog archive size 100k
set system syslog archive files 3
set system syslog user * any emergency
set system syslog file messages any critical
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands error
set system max-configurations-on-flash 5
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set interfaces fe-0/0/0 unit 0
set interfaces fe-0/0/1 description "****Connected To BSNL ****"
set interfaces fe-0/0/1 unit 0 family inet address 10.240.41.13/30
set interfaces fe-0/0/2 description "***** connected to reliance"
set interfaces fe-0/0/2 unit 0 family inet address 10.240.45.13/30
set interfaces fe-0/0/3 vlan-tagging
set interfaces fe-0/0/3 unit 0 vlan-id 0
set interfaces fe-0/0/3 unit 41 description "***** Video vrf*****"
set interfaces fe-0/0/3 unit 41 vlan-id 41
set interfaces fe-0/0/3 unit 41 family inet address 10.240.48.2/30
set interfaces fe-0/0/3 unit 42 description "******VOIP traffic*****"
set interfaces fe-0/0/3 unit 42 vlan-id 42
set interfaces fe-0/0/3 unit 42 family inet address 10.240.48.6/30
set interfaces fe-0/0/3 unit 43 description "******DATA TRAFFIC*****"
set interfaces fe-0/0/3 unit 43 vlan-id 43
set interfaces fe-0/0/3 unit 43 family inet address 10.240.48.10/30
set interfaces lo0 unit 0 family inet address 10.240.45.110/32
set interfaces lo0 unit 61 family inet address 10.240.45.111/32
set interfaces lo0 unit 62 family inet address 10.240.45.112/32
set interfaces lo0 unit 63 family inet address 10.240.45.113/32
set interfaces st0 unit 61 family inet mtu 1400
set interfaces st0 unit 61 family inet address 10.240.45.62/30
set interfaces st0 unit 62 family inet mtu 1400
set interfaces st0 unit 62 family inet address 10.240.45.66/30
set interfaces st0 unit 63 family inet mtu 1400
set interfaces st0 unit 63 family inet address 10.240.45.70/30
set interfaces st0 unit 610 family inet
set interfaces st0 unit 620 family inet
set interfaces st0 unit 630 family inet
set routing-options autonomous-system 65010
set protocols bgp group BSNL_ISP_PEER type external
set protocols bgp group BSNL_ISP_PEER export loopback
set protocols bgp group BSNL_ISP_PEER peer-as 9829
set protocols bgp group BSNL_ISP_PEER neighbor 10.240.41.14
set protocols bgp group RIL_ISP_PEER type external
set protocols bgp group RIL_ISP_PEER export loopback
set protocols bgp group RIL_ISP_PEER peer-as 18101
set protocols bgp group RIL_ISP_PEER neighbor 10.240.45.14
set protocols stp
set policy-options policy-statement DATA_Export term Export from protocol direct
set policy-options policy-statement DATA_Export term Export then community add RT-DATA-Export
set policy-options policy-statement DATA_Export term Export then accept
set policy-options policy-statement DATA_Export term Reject then reject
set policy-options policy-statement Data_Import term Import from protocol bgp
set policy-options policy-statement Data_Import term Import from community RT-DATA-Export
set policy-options policy-statement Data_Import term Import from community RT-DATA-Import
set policy-options policy-statement Data_Import term Import then accept
set policy-options policy-statement Data_Import term Reject then reject
set policy-options policy-statement VDO_Export term Export from protocol direct
set policy-options policy-statement VDO_Export term Export then community add RT-VDO-Export
set policy-options policy-statement VDO_Export term Export then accept
set policy-options policy-statement VDO_Export term Reject then reject
set policy-options policy-statement VDO_Import term Import from protocol bgp
set policy-options policy-statement VDO_Import term Import from community RT-VDO-Export
set policy-options policy-statement VDO_Import term Import from community RT-VDO-Import
set policy-options policy-statement VDO_Import term Import then accept
set policy-options policy-statement VDO_Import term Reject then reject
set policy-options policy-statement VOIP_Export term Export from protocol direct
set policy-options policy-statement VOIP_Export term Export then community add RT-VOIP-Export
set policy-options policy-statement VOIP_Export term Export then accept
set policy-options policy-statement VOIP_Export term Reject then reject
set policy-options policy-statement VOIP_Import term Import from protocol bgp
set policy-options policy-statement VOIP_Import term Import from community RT-VOIP-Export
set policy-options policy-statement VOIP_Import term Import from community RT-VOIP-Import
set policy-options policy-statement VOIP_Import term Import then accept
set policy-options policy-statement VOIP_Import term Reject then reject
set policy-options policy-statement loopback term t1 from protocol direct
set policy-options policy-statement loopback term t1 from route-filter 10.240.45.110/32 exact
set policy-options policy-statement loopback term t1 then accept
set policy-options policy-statement ri_export then accept
set policy-options community RT-DATA-Export members target:65010:68
set policy-options community RT-DATA-Import members target:65010:68
set policy-options community RT-VDO-Export members target:65010:103
set policy-options community RT-VDO-Import members target:65010:103
set policy-options community RT-VOIP-Export members target:65010:101
set policy-options community RT-VOIP-Import members target:65010:101
set security ike traceoptions file ike.trace
set security ike traceoptions flag all
set security ike proposal ike-phase1-proposal authentication-method pre-shared-keys
set security ike proposal ike-phase1-proposal dh-group group2
set security ike proposal ike-phase1-proposal authentication-algorithm sha1
set security ike proposal ike-phase1-proposal encryption-algorithm aes-128-cbc
set security ike policy ike-phase1-policy mode main
set security ike policy ike-phase1-policy proposals ike-phase1-proposal
set security ike policy ike-phase1-policy pre-shared-key ascii-text "$9$uaI5BRSvWxwYoreYoJGq.0BIEreM8X-bs"
set security ike gateway gw-RAMANAGAR ike-policy ike-phase1-policy
set security ike gateway gw-RAMANAGAR address 10.240.45.120
set security ike gateway gw-RAMANAGAR dead-peer-detection interval 10
set security ike gateway gw-RAMANAGAR dead-peer-detection threshold 2
set security ike gateway gw-RAMANAGAR external-interface lo0.0
set security ike gateway gw-BLR ike-policy ike-phase1-policy
set security ike gateway gw-BLR address 10.240.45.100
set security ike gateway gw-BLR dead-peer-detection interval 10
set security ike gateway gw-BLR dead-peer-detection threshold 2
set security ike gateway gw-BLR external-interface lo0.0
set security ipsec traceoptions flag all
set security ipsec proposal ipsec-phase2-proposal protocol esp
set security ipsec proposal ipsec-phase2-proposal authentication-algorithm hmac-sha1-96
set security ipsec proposal ipsec-phase2-proposal encryption-algorithm aes-128-cbc
set security ipsec policy ipsec-phase2-policy perfect-forward-secrecy keys group2
set security ipsec policy ipsec-phase2-policy proposals ipsec-phase2-proposal
set security ipsec vpn RAMANAGAR-data bind-interface st0.630
set security ipsec vpn RAMANAGAR-data df-bit clear
set security ipsec vpn RAMANAGAR-data vpn-monitor
set security ipsec vpn RAMANAGAR-data ike gateway gw-RAMANAGAR
set security ipsec vpn RAMANAGAR-data ike ipsec-policy ipsec-phase2-policy
set security ipsec vpn RAMANAGAR-VDO bind-interface st0.610
set security ipsec vpn RAMANAGAR-VDO df-bit clear
set security ipsec vpn RAMANAGAR-VDO vpn-monitor
set security ipsec vpn RAMANAGAR-VDO ike gateway gw-RAMANAGAR
set security ipsec vpn RAMANAGAR-VDO ike ipsec-policy ipsec-phase2-policy
set security ipsec vpn RAMANAGAR-VOIP bind-interface st0.620
set security ipsec vpn RAMANAGAR-VOIP df-bit clear
set security ipsec vpn RAMANAGAR-VOIP vpn-monitor
set security ipsec vpn RAMANAGAR-VOIP ike gateway gw-RAMANAGAR
set security ipsec vpn RAMANAGAR-VOIP ike ipsec-policy ipsec-phase2-policy
set security ipsec vpn BLR-DATA bind-interface st0.63
set security ipsec vpn BLR-DATA df-bit clear
set security ipsec vpn BLR-DATA vpn-monitor
set security ipsec vpn BLR-DATA ike gateway gw-BLR
set security ipsec vpn BLR-DATA ike proxy-identity local 10.240.45.70/32
set security ipsec vpn BLR-DATA ike proxy-identity remote 10.240.45.69/32
set security ipsec vpn BLR-DATA ike ipsec-policy ipsec-phase2-policy
set security ipsec vpn BLR-VDO bind-interface st0.61
set security ipsec vpn BLR-VDO df-bit clear
set security ipsec vpn BLR-VDO vpn-monitor
set security ipsec vpn BLR-VDO ike gateway gw-BLR
set security ipsec vpn BLR-VDO ike proxy-identity local 10.240.45.62/32
set security ipsec vpn BLR-VDO ike proxy-identity remote 10.240.45.61/32
set security ipsec vpn BLR-VDO ike ipsec-policy ipsec-phase2-policy
set security ipsec vpn BLR-VOIP bind-interface st0.62
set security ipsec vpn BLR-VOIP df-bit clear
set security ipsec vpn BLR-VOIP vpn-monitor
set security ipsec vpn BLR-VOIP ike gateway gw-BLR
set security ipsec vpn BLR-VOIP ike proxy-identity local 10.240.45.66/32
set security ipsec vpn BLR-VOIP ike proxy-identity remote 10.240.45.65/32
set security ipsec vpn BLR-VOIP ike ipsec-policy ipsec-phase2-policy
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
set security policies from-zone trust to-zone DATA policy all match source-address any
set security policies from-zone trust to-zone DATA policy all match destination-address any
set security policies from-zone trust to-zone DATA policy all match application any
set security policies from-zone trust to-zone DATA policy all then permit
set security policies from-zone trust to-zone VOIP policy all match source-address any
set security policies from-zone trust to-zone VOIP policy all match destination-address any
set security policies from-zone trust to-zone VOIP policy all match application any
set security policies from-zone trust to-zone VOIP policy all then permit
set security policies default-policy permit-all
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces fe-0/0/1.0
set security zones security-zone trust interfaces fe-0/0/2.0
set security zones security-zone trust interfaces lo0.0
set security zones security-zone untrust host-inbound-traffic system-services any-service
set security zones security-zone untrust host-inbound-traffic protocols all
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services dhcp
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services tftp
set security zones security-zone DATA host-inbound-traffic system-services all
set security zones security-zone DATA host-inbound-traffic protocols all
set security zones security-zone DATA interfaces fe-0/0/3.43
set security zones security-zone DATA interfaces lo0.63
set security zones security-zone DATA interfaces st0.63
set security zones security-zone VOIP host-inbound-traffic system-services all
set security zones security-zone VOIP host-inbound-traffic protocols all
set security zones security-zone VOIP interfaces lo0.62
set security zones security-zone VOIP interfaces st0.62
set security zones security-zone VOIP interfaces fe-0/0/3.42
set security zones security-zone VDO interfaces st0.61
set security zones security-zone VDO interfaces lo0.61
set routing-instances DATA description For-data-traffic
set routing-instances DATA instance-type vrf
set routing-instances DATA interface fe-0/0/3.43
set routing-instances DATA interface lo0.63
set routing-instances DATA interface st0.63
set routing-instances DATA route-distinguisher 65010:68
set routing-instances DATA vrf-import Data_Import
set routing-instances DATA vrf-export DATA_Export
set routing-instances DATA vrf-target target:65010:68
set routing-instances DATA protocols bgp group IBGP_PEER_BLR type internal
set routing-instances DATA protocols bgp group IBGP_PEER_BLR local-address 10.240.45.70
set routing-instances DATA protocols bgp group IBGP_PEER_BLR export ri_export
set routing-instances DATA protocols bgp group IBGP_PEER_BLR peer-as 65010
set routing-instances DATA protocols bgp group IBGP_PEER_BLR neighbor 10.240.45.69
set routing-instances VDO description " Video traffic "
set routing-instances VDO instance-type vrf
set routing-instances VDO interface fe-0/0/3.41
set routing-instances VDO interface lo0.61
set routing-instances VDO interface st0.61
set routing-instances VDO route-distinguisher 65010:103
set routing-instances VDO vrf-import VDO_Import
set routing-instances VDO vrf-export VDO_Export
set routing-instances VDO vrf-target target:65010:103
set routing-instances VDO protocols bgp group IBGP_PEER_BLR type internal
set routing-instances VDO protocols bgp group IBGP_PEER_BLR local-address 10.240.45.62
set routing-instances VDO protocols bgp group IBGP_PEER_BLR export ri_export
set routing-instances VDO protocols bgp group IBGP_PEER_BLR peer-as 65010
set routing-instances VDO protocols bgp group IBGP_PEER_BLR neighbor 10.240.45.61
set routing-instances VOIP description " VOIP traffic "
set routing-instances VOIP instance-type vrf
set routing-instances VOIP interface fe-0/0/3.42
set routing-instances VOIP interface lo0.62
set routing-instances VOIP interface st0.62
set routing-instances VOIP route-distinguisher 65010:101
set routing-instances VOIP vrf-import VOIP_Import
set routing-instances VOIP vrf-export VOIP_Export
set routing-instances VOIP vrf-target target:65010:101
set routing-instances VOIP protocols bgp group IBGP_PEER_BLR type internal
set routing-instances VOIP protocols bgp group IBGP_PEER_BLR local-address 10.240.45.66
set routing-instances VOIP protocols bgp group IBGP_PEER_BLR export ri_export
set routing-instances VOIP protocols bgp group IBGP_PEER_BLR peer-as 65010
set routing-instances VOIP protocols bgp group IBGP_PEER_BLR neighbor 10.240.45.65













Optimization of FortiGate IPS

IPS signatures need to be selected according to the infrastructure environment. E.g., if we do not have Linux servers, those IPS signatures can be disabled (d...