BD Link IIG LLD v1.0[1]


  • 8/12/2019 BD Link IIG LLD v1.0[1]

    1/76

    CO-CONFIDENTIAL - 1 - BD Link IIG Low Level Design

    Low Level Design IIG (BD Link Communication Ltd.)

    Version 1.0


    Document Title

    Customer: BD Link Communication Ltd.
    Title: Low Level Design IIG
    Document Name: Low Level Design IIG v1.0

    Document Control: author(s), quality control and client sign-off

    Role                     Company               Name                  Signature
    Author(s)                Gazi Communications   Aziz Uddin Mahmud
                                                   Md. Imdadul Islam
                                                   Swapan Gupta
    Review and Verification  Gazi Communications   Md. Wahid Uz Zaman

    Release

    Version  Date Released  Change Notice  Pages Affected  Remarks/Changes
    1.0      18.10.2012     N/A            N/A             1st Release

    Distribution List

    Copy Number  Name
    01           BD LINK Team
    02           GAZI Technical Team
    03           GAZI Project Repository


    Copyright and other intellectual property rights

    Copyright and other intellectual property rights in any original programs, specifications, reports or other items arising in the course of, or resulting from, the project shall remain the property of Gazi Communication, although BD LINK shall have a non-exclusive and non-transferable license to all such items for its own purposes. Nothing in this agreement shall enable either party to make use of any intellectual property rights vested in the other party prior to the commencement of this assignment.


    Contents

    1. Executive Summary ... 7
    2. Proposed Design Overview ... 8
    2.1. Design Summary ... 9
    2.2. Solution Detail ... 10
    2.2.1. Logical Topology ... 11
    2.2.2. BGP Routing Topology ... 13
    2.2.3. OSPF Routing Topology ... 15
    2.2.4. Dhaka Main POP Design (Phase-1 Deployment) ... 17
    3. Device Naming, Port Connectivity & IP Addressing ... 19
    3.1. Devices Naming Convention ... 19
    3.2. Physical Connectivity Mapping & IP Addressing ... 20
    4. Device Configuration ... 21
    4.1. Initial JUNOS Configuration ... 21
    4.1.1. Login via Console ... 21
    4.1.2. Set Root Password ... 21
    4.1.3. Enable System Services ... 22
    4.1.4. Configuring Local Username ... 22
    4.2. Dhaka Core Router-1 Configuration ... 22
    4.2.1. System Basic Configuration ... 22
    4.2.2. Management Interface Configuration ... 23
    4.2.3. Chassis Configuration ... 23
    4.2.4. Interface Configuration ... 23
    4.2.5. OSPF Configuration ... 24
    4.2.6. BGP Configuration ... 25
    4.2.7. Sample RE Filter Configuration ... 25
    4.2.8. SNMP Configuration ... 27
    4.3. Dhaka Core Router-2 Configuration ... 28
    4.3.1. System Basic Configuration ... 28
    4.3.2. Management Interface Configuration ... 28
    4.3.3. Chassis Configuration ... 28
    4.3.4. Interface Configuration ... 29
    4.3.5. OSPF Configuration ... 30
    4.3.6. BGP Configuration ... 31
    4.3.7. Sample RE Filter Configuration ... 31
    4.3.8. SNMP Configuration ... 33
    4.4. Dhaka Aggregation Router-1 Configuration ... 34
    4.4.1. System Basic Configuration ... 34
    4.4.2. Management Interface Configuration ... 34
    4.4.3. Chassis Configuration ... 34
    4.4.4. Interface Configuration ... 35
    4.4.5. OSPF Configuration ... 36
    4.4.6. BGP Configuration ... 37
    4.4.7. Bandwidth Configuration ... 37
    4.4.8. Sample RE Filter Configuration ... 37
    4.4.9. SNMP Configuration ... 39
    4.5. Dhaka Aggregation Router-2 Configuration ... 39
    4.5.1. System Basic Configuration ... 39
    4.5.2. Management Interface Configuration ... 40
    4.5.3. Chassis Configuration ... 40
    4.5.4. Interface Configuration ... 41
    4.5.5. OSPF Configuration ... 42
    4.5.6. BGP Configuration ... 42
    4.5.7. Sample Bandwidth Configuration ... 43
    4.5.8. Sample RE Filter Configuration ... 43
    4.5.9. SNMP Configuration ... 45
    4.6. Dhaka Data Center Switch-1 Configuration ... 45
    4.6.1. System Basic Configuration ... 45
    4.6.2. VLAN & Trunk Configuration ... 46
    4.6.3. SNMP Configuration ... 51
    4.7. Dhaka Data Center Switch-2 Configuration ... 51
    4.7.1. System Basic Configuration ... 51
    4.7.2. VLAN & Trunk Configuration ... 52
    4.7.3. SNMP Configuration ... 57
    4.8. IDP Configuration ... 58
    4.8.1. OS Upgradation through CLI ... 58
    4.8.2. System Basic Configuration through Web GUI (ACM) ... 58
    4.8.3. NSM Server Configuration ... 58
    4.8.3.1. REDHAT 5 OS Installation ... 58
    4.8.3.2. NSM Server 2010.4 OS Installation ... 59
    4.8.3.3. NSM Client Installation for Configuring the NSM Server ... 59
    4.8.3.4. IDP Device Adding into NSM Server ... 59
    4.8.3.5. Policy Implementation ... 63
    4.8.3.6. Log View and Reporting, Custom Report Generation ... 67
    4.9. DC Firewall 1 & 2 Configuration ... 70
    4.9.1. OS Upgrade ... 70
    4.9.2. System Basic Configuration ... 70
    4.9.3. Interface Configuration ... 71
    4.9.4. HA Configuration ... 73
    4.9.5. Security Policy Configuration ... 74
    5. LLD v1.0 Signoff ... 76


    1. Executive Summary

    The Government of Bangladesh has taken the initiative to increase the penetration rate of Internet usage; as a result its legal entity, BTRC, issued new IIG licenses to qualified service providers. BD LINK Communication Limited has been awarded a license to provide International Internet Gateway (IIG) services for ISPs and Broadband Wireless Access providers (BWAs). The IIG will serve as an Internet Exchange for routing international incoming and outgoing Internet-based data traffic. The Exchange will be connected with the existing submarine cable as the main link and with a Satellite Earth Station / VSAT as backup until another ILDC is available. All ISPs shall be connected to the global Internet through IIGs. The IIG licensee will arrange both ILDC bandwidth and satellite bandwidth. The licensee may arrange ILDC bandwidth from a tier-1 overseas service provider after taking prior permission from the commission.

    BD LINK has the vision to become the preferred partner for all ISPs and BWAs in Bangladesh. To fulfil its aim of pioneering the IIG market, BD LINK selected the leading IP network equipment vendor, Juniper Networks, with state-of-the-art technology and solutions. Gazi Communication Limited, the only Elite partner of Juniper Networks in Bangladesh, will help BD LINK build its IIG solution with equipment and solutions from Juniper and with its world-class in-house resources.

    Gazi Communication will provide design and implementation services to BD LINK to build an IIG based on industry best practices. Juniper Networks offers devices that provide innovative features and functionality together with massive scalability. The proposed solution from Juniper combines cost containment and scalability. Juniper series routers offer service providers industry-leading performance, service capabilities, reliability and efficiency in a compact form factor.


    2. Proposed Design Overview


    2.1. Design Summary

    - There will be a Data Centre at Dhaka, which will also act as the primary International Internet Gateway site.
    - The WAN network will be a three-layer architecture, i.e. Core, Aggregation and Access.
    - The WAN network will run the hierarchical OSPF protocol.
    - There will be no single point of failure in the Data Centre network.
    - Core routers will run eBGP sessions with the upstream provider.
    - In the Internet Gateway layer, redundant routers have been considered for 1+1 box redundancy.
    - Each Core/Internet Gateway router has been dimensioned with redundant power supply.
    - Upstream connectivity with tier-1 ISPs will be on STM-1.
    - Downstream connectivity with the Aggregation routers will be on GE.
    - Aggregation routers will aggregate all the traffic from the domestic ISPs and pass it to the Internet Gateway routers.
    - In the Aggregation layer, redundant routers have been considered for 1+1 box-level redundancy.
    - Each Aggregation router has been dimensioned with redundant power supply.
    - Downstream connectivity with the Access switches will be on GE.
    - Core routers will have connectivity with BTRC and NMC/LEA.
    - Access switches will be connected to both Aggregation routers through dual uplink GE ports for uplink redundancy.
    - ISPs will be connected to Aggregation routers or Access switches.
    - ISPs will be connected to TX/FX ports.


    2.2. Solution Detail

    As per the guideline from the authority, the IIG will be connected to the global Internet through the existing submarine cable as the main link, and may have backup connectivity through VSAT. It will connect all ISPs through its distribution network, initially from Dhaka, and will expand as per demand and regulatory requirement. The related information and assumptions considered for the design are as follows:

    - BD LINK will install one single PoP (Main PoP), located at Dhaka, with device-level redundancy at the Gateway and Aggregation levels.
    - BD LINK will connect to one upstream provider initially and later add a redundant link; provision for link-level redundancy should be considered in the design.
    - There will be one DPI to filter traffic as per regulatory requirement and also as per BD LINK policy.
    - This design considers two types of PoP: one for distribution only, which connects ISPs to the Main PoP, and another with Gateway and DPI services to ensure redundancy. BD LINK will make the rollout plan considering business justification and customer and regulatory requirements.
    - This design emphasises Main PoP deployment and its related configuration, while also considering scalability to accommodate future growth of new gateway and distribution networks.


    2.2.1. Logical Topology

    The topology diagram above considers the full deployment of the BD LINK IIG. We have shown the four major components in the diagram:

    - Main PoP
    - IIG Perimeter and Monitoring Zone
    - Type-1 PoP: PoP with Gateway & DPI
    - Type-2 PoP: PoP to connect clients to the Main PoP


    The Main PoP will be deployed immediately and will act as the hub of the IIG. The Main PoP's Gateway Routers will be connected to the upstream provider. In case of single connectivity to the upstream, one Gateway Router will be configured with eBGP and the second will be treated as the backup for Gateway Router-1, to ensure device-level redundancy. After the second upstream link (VSAT/terrestrial/submarine) is available, Gateway Router-2 will be configured with eBGP to its upstream and iBGP with Gateway Router-1.

    The Interior Gateway Protocol OSPF will be configured between all Gateway and Aggregation Routers. All of them, including all their connected interfaces, will be placed in the backbone area.

    The Aggregation Routers will have iBGP sessions with the Gateway Routers and eBGP with each ISP or BWA client. These routers will have different policies based on BD LINK requirements.

    The IIG perimeter firewalls will be connected to the Aggregation Routers. The firewall will have three zones: Outside, DMZ and Inside. The Outside zone will be connected with the Aggregation Routers; the DMZ will be created to offer any value-added service for the clients; and the internal servers, application and administration zone will be placed in the Inside zone.

    In future, if BD LINK deploys a Type-1 PoP with Gateway and DPI functionality, we recommend connecting the Gateway Router of the Type-1 PoP with the Main PoP's Gateway Routers to ensure link-level redundancy across the local transmission vendor. The Gateway and Aggregation Routers will be configured in a similar fashion to the Main PoP's GW and Aggregation Routers, and will have IGP and EGP neighborship between the PoPs' Gateway Routers.

    In case of a Type-2 PoP, we recommend layer-2 connectivity to the Aggregation Router of the Main PoP, which is similar to distributing a link from the Main PoP's Access Switch, with eBGP neighborship between the ISP or BWA client's router and the Aggregation level of the Main PoP.

    We have given a detailed description of each segment and of the IGP and EGP routing topology in different sections of this document.


    2.2.2. BGP Routing Topology

    The main requirement for the routing is to accommodate redundancy and load balancing, but with symmetry. The BGP routing for the IIG will be as follows:

    - The Gateway Routers will be connected through STM-1/STM-4 to the upstream provider in a point-to-point topology, due to the TDM interface.
    - Gateway Router-1 will be connected to one tier-1 service provider, will have eBGP peering and will receive the full routing table. (Only a default route can be taken until the second Gateway is implemented.) Gateway Router-2 will be connected to another tier-1 service provider through STM-1/STM-4, will have eBGP peering and will take the full routing table. There will be an iBGP session between Gateway Router-1 and Gateway Router-2.
    - The DPI, a Juniper IDP-8200, will be deployed in transparent mode to filter unwanted traffic and allow only legitimate traffic.
    - There will be iBGP sessions between Aggregation Router-1 and both Gateway Routers, and it will receive the full routing table from both Gateways.
    - There will be iBGP sessions between Aggregation Router-2 and both Gateway Routers, and it will receive the full routing table from both Gateways.
    - Different ISPs will connect directly, or through an access switch, to the Aggregation Routers. The Aggregation Routers will have eBGP sessions with the ISPs' Gateway Routers. Based on requirement, connectivity for small ISPs can be arranged using alternate routing.

    We have classified PoPs into the categories below:

    - Type-1: PoP with Gateway and DPI.
    - Type-2: PoP to connect ISPs; will be part of the distribution/access network.

    The Gateway Router of the Main PoP will be connected to the Type-1 PoP's Gateway Router to provide link redundancy. There will be an iBGP session between the Main PoP's and the Type-1 PoP's Gateway Routers.


    2.2.3. OSPF Routing Topology

    The IGP of the BD LINK IIG solution should be OSPF. OSPF is a link-state, hierarchical protocol: it requires one backbone area (Area 0), and other areas must be connected directly (physically, or logically through a virtual link) to the backbone area. As BD LINK will have a Main PoP and Type-1 and Type-2 PoPs in its solution, we suggest defining the backbone area as consisting of the Gateway and Aggregation Routers of the Main PoP and the Type-1 PoP (as defined in the diagram).


    We will configure the OSPF backbone area in the Main PoP; the IGP domain will contain the Gateway Routers and Aggregation Routers. Gateway Routers 1 & 2 and Aggregation Routers 1 & 2 will be in the backbone area, and the DPI will be configured to pass through all BGP and OSPF routing update packets. As this will be an Ethernet/broadcast network, the DR and BDR roles can be given to either a Gateway Router or an Aggregation Router, preferring the device with less responsibility elsewhere.

    All the links on a Gateway Router (the interfaces connected to the upstream, the interfaces connected to Aggregation and the interfaces between Gateways) should be declared in the same area to avoid static routing or redistribution. However, except for the links connected to the Aggregation Routers, all other links should be configured not to send routing updates (passive), as there will be no IGP neighbour on them.

    Both Aggregation Routers will be configured with OSPF, and all their directly connected interfaces will be declared in the backbone area to avoid static routing or redistribution. In the case of client connectivity, the links to ISPs and BWAs can be redistributed for better management, but it is highly recommended to create an ACL containing the customers' point-to-point IPs. When a customer is added, the ACL that is already redistributed into OSPF is modified by adding one permit entry. Using these ACLs in the route map for redistribution gives the administrator better visibility and manageability.

    In future, if BD LINK sets up a new Type-1 PoP, the Gateway and Aggregation Routers of that PoP will be configured similarly to the Main PoP's IGP configuration and will have OSPF neighbourship between the Gateways of the Main PoP and the Type-1 PoP.


    2.2.4. Dhaka Main POP Design (Phase-1 Deployment)

    The scope of this phase is to install and commission devices only at the Main PoP. The core components of the Main PoP, or Phase-1 deployment, are two Gateway Routers, two Aggregation Routers and one DPI. Both Gateway Routers will be connected to two separate upstream providers, will be configured using eBGP, and will take the entire routing table from both upstream providers. These two routers will have iBGP peering.


    The Aggregation Routers will be configured using iBGP with both Gateway Routers and will take the full routing table from both, which ultimately provides the facility for traffic engineering.

    In case of a single link, the Gateway Routers can be configured to pass only default routes to the Aggregation Routers, as there will be only one path to forward traffic. The Gateway Router itself should still take the entire routing table, as this is a requirement to comply with the guideline provided by the authority.

    The connectivity for the ISPs and BWAs will be from the Aggregation Router directly, or through an access switch, based on the client's requirement and business guideline.


    3.2. Physical Connectivity Mapping & IP Addressing

    *** Please refer to the Device Connectivity & IP Addressing XLS file for details.


    4. Device Configuration

    This section captures the configuration of the Juniper devices being deployed in the BD LINK network in Dhaka to provide IP transit services from international upstream Internet service providers to local ISP customers.

    4.1. Initial JUNOS Configuration

    This section captures the initial configuration to be done on the Juniper routers via the console, to make the routers reachable across the WAN for further configuration.

    4.1.1. Login via Console

    Connect to the console and log in with username root (initially no password will be prompted). The root% prompt will be seen. Type cli and the root> prompt will be seen. Type configure and the root# prompt will be seen, which is the configuration mode.

    root% cli
    root> ## Operational Mode
    root> configure
    root# ## Configuration Mode

    4.1.2. Set Root Password

    JUNOS does not allow committing the configuration unless a password for root is configured. This can be seen if we try to commit while setting up the router initially.

    root# commit
    [edit]
      'system'
        Missing mandatory statement: 'root-authentication'
    error: commit failed: (missing statements)

    If you see this error, it means that root authentication needs to be configured. Use the CLI below to configure root authentication.

    root# set system root-authentication plain-text-password
    New password:
    Retype new password:


    routing-options {
        router-id 103.12.236.40;
        autonomous-system 58668;
    }

    4.2.2. Management Interface Configuration

    interfaces {
        fxp0 {
            unit 0 {
                family inet {
                    address 10.100.102.2/24;
                }
            }
        }
    }

    4.2.3. Chassis Configuration

    chassis {
        fpc 0 {
            pic 1 {
                tunnel-services {
                    bandwidth 1g;
                }
            }
        }
        aggregated-devices {
            ethernet {
                device-count 2;
            }
        }
        alarm {
            management-ethernet {
                link-down ignore;
            }
        }
    }

    4.2.4. Interface Configuration

    interfaces {
        ge-1/0/0 {
            description "Connected to AGG1 via IDP-01 port ge-0";
            unit 0 {
                family inet {
                    address 103.12.236.17/30;
                }
            }
        }
        ge-1/0/1 {
            description "Connected to DHK_GW_RTR_02";
            unit 0 {
                family inet {
                    address 103.12.236.25/30;
                }
            }
        }
        so-0/2/0 {
            /* SONET uplink; the OSPF stanza in 4.2.5 references this interface as so-0/2/0 */
            description "Connected to Upstream1";
            unit 0 {
                family inet {
                    address x.x.x.x/30;
                }
            }
        }
        lo0 {
            unit 0 {
                family inet {
                    address 103.12.236.40/32;
                }
            }
        }
    }

    4.2.5. OSPF Configuration

    protocols {
        ospf {
            area 0.0.0.0 {
                interface ge-1/0/0.0;
                interface ge-1/0/1.0;
                interface lo0.0;
                interface so-0/2/0.0 {
                    passive;    /* upstream link: advertise the prefix, form no adjacency */
                }
            }
        }
    }

    4.2.6. BGP Configuration

    protocols {
        bgp {
            group BGP-Internal {
                type internal;
                local-address 103.12.236.40;    /* lo0 address; no prefix length here */
                export redistribute-to-ibgp;
                neighbor 103.12.236.41;
                neighbor 103.12.236.42;
                neighbor 103.12.236.43;
            }
            group BGP-External {
                type external;
                export redistributed-connected;
                neighbor X.X.X.X {
                    peer-as XX;
                }
            }
        }
    }
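The iBGP full-mesh requirement of section 2.2.2, the passive-upstream rule of section 2.2.3 and the BGP-Internal stanza above can be checked mechanically before anything is committed. The Python script below is an added example, not part of this LLD or of any Juniper tooling: the two gateway routers' loopbacks, router-ids and neighbor lists are the document's own values, the aggregation routers' entries are assumptions (their stanzas are outside this excerpt), and DHK_AGG_RTR_02 is deliberately given an incomplete neighbor list so that the output shows a finding.

```python
"""Cross-router consistency checks for the Phase-1 routing design.

Gateway router values are taken from the BGP/OSPF stanzas of sections 4.2
and 4.3 of the LLD; the aggregation routers' entries are ASSUMED (their
stanzas are outside this excerpt), and DHK_AGG_RTR_02 is deliberately given
an incomplete neighbor list so the report shows a real finding.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Router:
    name: str
    loopback: str               # lo0.0 address, without prefix length
    router_id: str              # routing-options router-id
    local_address: str          # local-address under group BGP-Internal
    ibgp_neighbors: frozenset   # neighbors under group BGP-Internal
    passive_ifaces: frozenset   # OSPF interfaces declared passive
    upstream_ifaces: frozenset  # interfaces facing the upstream provider


def gateway(name, ip, neighbors):
    """Gateway routers: lo0 = router-id = local-address, SONET uplink passive."""
    return Router(name, ip, ip, ip, frozenset(neighbors),
                  frozenset({"so-0/2/0.0"}), frozenset({"so-0/2/0.0"}))


def aggregation(name, ip, neighbors):
    """Assumed shape of the aggregation routers: no upstream link of their own."""
    return Router(name, ip, ip, ip, frozenset(neighbors), frozenset(), frozenset())


ROUTERS = [
    gateway("DHK_GW_RTR_01", "103.12.236.40",
            {"103.12.236.41", "103.12.236.42", "103.12.236.43"}),
    gateway("DHK_GW_RTR_02", "103.12.236.41",
            {"103.12.236.40", "103.12.236.42", "103.12.236.43"}),
    aggregation("DHK_AGG_RTR_01", "103.12.236.42",
                {"103.12.236.40", "103.12.236.41", "103.12.236.43"}),
    # constructed defect: GW-1 left out of the mesh on purpose
    aggregation("DHK_AGG_RTR_02", "103.12.236.43",
                {"103.12.236.41", "103.12.236.42"}),
]


def check_router(r, all_loopbacks):
    """Return human-readable findings for one router."""
    findings = []
    # Section 2.2.2: every router holds an iBGP session with every other one
    expected = all_loopbacks - {r.loopback}
    missing, extra = expected - r.ibgp_neighbors, r.ibgp_neighbors - expected
    if missing:
        findings.append(f"{r.name}: iBGP full mesh missing {sorted(missing)}")
    if extra:
        findings.append(f"{r.name}: iBGP neighbors outside the mesh {sorted(extra)}")
    # local-address is a bare loopback address in Junos, never a prefix
    if "/" in r.local_address:
        findings.append(f"{r.name}: local-address must be a bare address, got {r.local_address}")
    elif r.local_address != r.loopback:
        findings.append(f"{r.name}: local-address {r.local_address} is not lo0 {r.loopback}")
    if r.router_id != r.loopback:
        findings.append(f"{r.name}: router-id {r.router_id} differs from lo0 {r.loopback}")
    # Section 2.2.3: upstream links have no IGP neighbour, so they must be passive
    for ifname in sorted(r.upstream_ifaces - r.passive_ifaces):
        findings.append(f"{r.name}: upstream interface {ifname} is not passive in OSPF")
    return findings


def audit(routers):
    """Run check_router over the whole PoP."""
    loopbacks = {r.loopback for r in routers}
    return [f for r in routers for f in check_router(r, loopbacks)]


if __name__ == "__main__":
    for line in audit(ROUTERS) or ["no findings"]:
        print(line)
```

Run directly, the script prints one line reporting DHK_AGG_RTR_02's missing session to 103.12.236.40. In a real deployment the Router records would be filled from each box's `show configuration protocols bgp` and `show configuration protocols ospf` output rather than typed in.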

    4.2.7. Sample RE filter Configuration

    firewall {
        filter PROTECT-RE-FILTER {
            term ROUTER-ACCESS {
                from {
                    source-address {
                        A.A.A.0/24;    /* permitted management source prefix */
                    }
                    destination-address {
                        F.F.F.F/32;    /* fxp0 IP address */
                    }
                    protocol tcp;
                    destination-port [ ssh telnet ];
                }
                then accept;
            }
            term PERMIT-BGP {
                from {
                    protocol tcp;
                    source-address B.B.B.B/32;    /* Add addresses from ... */
                    port bgp;
                }
                then accept;
            }
            term PERMIT-OSPF {
                from {
                    protocol ospf;
                }
                then accept;
            }
            term PERMIT-DNS {
                from {
                    protocol udp;
                    source-address D.D.D.D/32;    /* DNS server address */
                    port domain;
                }
                then accept;
            }
            term PERMIT-NTP {
                from {
                    protocol [ udp tcp ];
                    source-address N.N.N.N/32;    /* NTP server address */
                    port ntp;
                }
                then accept;
            }
            term PERMIT-UDP-TRACEROUTE {
                from {
                    protocol udp;
                    destination-port 33434-33534;
                }
                then {
                    count traceroute;
                    accept;
                }
            }
            term PERMIT-TACACS+ {
                from {
                    protocol tcp;
                    source-address T.T.T.T/32;    /* TACACS server */
                    source-port 49;
                }
                then accept;
            }
            term PERMIT-ICMP {
                from {
                    protocol icmp;
                    icmp-type [ echo-request echo-reply unreachable time-exceeded ];    /* list is cut off after "ti" in the source; time-exceeded assumed */
                }
                then accept;
            }
            term PERMIT-TCP-ESTABLISHED {
                from {
                    protocol tcp;
                    tcp-established;
                }
                then accept;
            }
            term DENY-OTHERS {
                then {
                    discard;
                }
            }
        }
    }
    interfaces {
        lo0 {
            unit 0 {
                family inet {
                    filter {
                        input PROTECT-RE-FILTER;
                    }
                }
            }
        }
    }
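Because the same PROTECT-RE-FILTER is repeated on every router (sections 4.2.7 and 4.3.7), it is worth having a script that reads the curly-brace text and checks the properties that make it a protection filter: a final unconditional discard, management ports reachable only from a named source prefix, the filter actually applied as input on lo0.0, and, for the SNMP stanza of 4.2.8, a read-only, client-restricted, non-trivial community. The Python below is an added example, not part of this LLD or of Juniper's tooling; its SAMPLE text is constructed to mirror the document's stanzas with the same placeholder prefixes, and the 12-character community-length floor is the example's own threshold, not a Juniper or BD LINK rule.

```python
"""Junos curly-brace parser plus an audit of the RE-protection filter and
the SNMP stanza.  SAMPLE is constructed to mirror the LLD's stanzas; the
A.A.A.0/24-style prefixes are the document's own placeholders."""
import re

MGMT_PORTS = {"ssh", "telnet"}
PORT_KEYS = {"port", "destination-port", "source-port"}


def parse_junos(text):
    """Nested dicts for Junos brace syntax; leaf statements map to None."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)  # strip /* comments */
    root = {}
    stack, words = [root], []
    for tok in re.findall(r"[{};]|[^{};\s]+", text):
        if tok == "{":
            node = {}
            stack[-1][" ".join(words)] = node
            stack.append(node)
            words = []
        elif tok == ";":
            stack[-1][" ".join(words)] = None
            words = []
        elif tok == "}":
            stack.pop()
        else:
            words.append(tok)
    return root


def audit_re_filter(cfg, name="PROTECT-RE-FILTER"):
    """Checks: final unconditional discard, source-restricted management
    access, and the filter actually applied as input on lo0.0."""
    findings = []
    flt = cfg.get("firewall", {}).get(f"filter {name}")
    if not flt:
        return [f"filter {name} is not defined"]
    terms = [(k.split(" ", 1)[1], v) for k, v in flt.items() if k.startswith("term ")]
    last_name, last = terms[-1]
    if "from" in last or "discard" not in (last.get("then") or {}):
        findings.append(f"last term {last_name} is not an unconditional discard")
    for tname, body in terms:
        frm = body.get("from") or {}
        port_words = " ".join(k for k in frm if k.split(" ", 1)[0] in PORT_KEYS)
        hit = set(re.findall(r"[\w-]+", port_words)) & MGMT_PORTS
        if hit and not any(k.startswith("source-address") for k in frm):
            findings.append(f"term {tname} permits {sorted(hit)} from any source")
    inet = cfg.get("interfaces", {}).get("lo0", {}).get("unit 0", {}).get("family inet", {})
    if f"input {name}" not in (inet.get("filter") or {}):
        findings.append(f"{name} is not applied as input on lo0.0")
    return findings


def audit_snmp(cfg):
    """Community must be read-only, client-restricted and not a trivial string
    (the 12-character floor is this example's own threshold)."""
    findings = []
    for key, body in cfg.get("snmp", {}).items():
        if not key.startswith("community ") or body is None:
            continue
        community = key.split(" ", 1)[1]
        if community.lower() in {"public", "private"} or len(community) < 12:
            findings.append(f"community {community!r} is a default or short string")
        if "authorization read-only" not in body:
            findings.append(f"community {community!r} is not read-only")
        if not body.get("clients"):
            findings.append(f"community {community!r} has no clients restriction")
    return findings


def weakened(text):
    """Constructed counterexample: drop the management source restriction and
    the final discard term, as a careless edit might."""
    text = re.sub(r"source-address \{[^}]*\}\s*", "", text, count=1)
    return re.sub(r"term DENY-OTHERS \{\s*then \{\s*discard;\s*\}\s*\}\s*", "", text)


SAMPLE = """
firewall {
    filter PROTECT-RE-FILTER {
        term ROUTER-ACCESS {
            from {
                source-address { A.A.A.0/24; }
                destination-address { F.F.F.F/32; /* fxp0 IP address */ }
                protocol tcp;
                destination-port [ ssh telnet ];
            }
            then accept;
        }
        term PERMIT-BGP {
            from { protocol tcp; source-address B.B.B.B/32; port bgp; }
            then accept;
        }
        term DENY-OTHERS {
            then { discard; }
        }
    }
}
interfaces {
    lo0 { unit 0 { family inet { filter { input PROTECT-RE-FILTER; } } } }
}
snmp {
    community test123 {
        authorization read-only;
        clients { 103.12.236.3/32; 103.12.236.4/32; }
    }
}
"""
```

`audit_re_filter(parse_junos(SAMPLE))` returns no findings, while `audit_snmp` on the same text flags the short community string. `weakened(SAMPLE)` deletes the source-address restriction and the DENY-OTHERS term, and the audit then reports two findings: a last term that is not an unconditional discard and ssh/telnet permitted from any source. The parser handles the brace/semicolon syntax of `show configuration` output well enough for these stanzas (it drops /* */ comments) but does not understand annotations or `inactive:` markers.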

    4.2.8. SNMP Configuration

    snmp {
        location "Location Name";
        community test123 {
            authorization read-only;
            clients {
                103.12.236.3/32;
                103.12.236.4/32;
            }
        }
    }

    4.3. Dhaka Core Router-2 Configuration

    This section captures the configuration of Dhaka Core Router-2.

    4.3.1. System Basic Configuration

    system {
        host-name DHK_GW_RTR_02;
        time-zone Asia/Dhaka;
        no-source-route;
        commit synchronize;
        name-server {
            103.12.236.1;
        }
        ports {
            console {
                log-out-on-disconnect;
                type vt100;
            }
        }
    }
    routing-options {
        router-id 103.12.236.41;
        autonomous-system 58668;
    }

    4.3.2. Management Interface Configuration

    interfaces {
        fxp0 {
            unit 0 {
                family inet {
                    address 10.100.102.2/24;    /* same address as DHK_GW_RTR_01 fxp0 in 4.2.2; management addresses must be unique per router */
                }
            }
        }
    }

    4.3.3. Chassis Configuration

    chassis {
        fpc 0 {
            pic 1 {
                tunnel-services {
                    bandwidth 1g;
                }
            }
        }
        aggregated-devices {
            ethernet {
                device-count 2;
            }
        }
        alarm {
            management-ethernet {
                link-down ignore;
            }
        }
    }

    4.3.4. Interface Configuration

    interfaces {
        ge-1/0/0 {
            description "Connected to DHK_GW_RTR_01";
            unit 0 {
                family inet {
                    address 103.12.236.21/30;
                }
            }
        }
        ge-1/0/1 {
            unit 0 {
                family inet {
                    address 103.12.236.26/30;
                }
            }
        }
        ge-1/0/2 {
            unit 0 {
                family inet;
            }
        }
        ge-1/0/3 {
            unit 0 {
                family inet;
            }
        }
        ge-1/0/4 {
            unit 0 {
                family inet;
            }
        }
        ge-1/0/5 {
            unit 0 {
                family inet;
            }
        }
        so-0/2/0 {
            description "Connected to Upstream1";
            unit 0 {
                family inet {
                    address x.x.x.x/30;
                }
            }
        }
        lo0 {
            unit 0 {
                family inet {
                    address 103.12.236.41;
                }
            }
        }
    }

    4.3.5. OSPF Configuration

    protocols {
        ospf {
            area 0.0.0.0 {
                interface ge-1/0/0;
                interface ge-1/0/1;
                interface so-0/2/0 {
                    passive;
                }
                interface lo0.0;
            }
        }
    }

    4.3.6. BGP Configuration

    protocols {
        bgp {
            group BGP-Internal {
                type internal;
                local-address 103.12.236.41;
                export redistribute-to-ibgp;
                neighbor 103.12.236.40;
                neighbor 103.12.236.42;
                neighbor 103.12.236.43;
            }
            group BGP-External {
                type external;
                export redistributed-connected;
                neighbor X.X.X.X {
                    peer-as XX;
                }
            }
        }
    }

    4.3.7. Sample RE filter Configuration

    firewall {
        filter PROTECT-RE-FILTER {
            term ROUTER-ACCESS {
                from {
                    source-address {
                        A.A.A.0/24;
                    }
                    destination-address {
                        F.F.F.F/32; /* fxp0 IP address */
                    }
                    protocol tcp;
                    destination-port [ ssh telnet ];
                }
                then accept;
            }
            term PERMIT-BGP {
                from {
                    protocol tcp;
                    source-address B.B.B.B/32; /* Add addresses from BGP Peers */
                    port bgp;
                }
                then accept;
            }
            term PERMIT-OSPF {
                from {
                    protocol ospf;
                }
                then accept;
            }
            term PERMIT-DNS {
                from {
                    protocol udp;
                    source-address D.D.D.D/32; /* DNS-SERVER ADDRESS */
                    port domain;
                }
                then accept;
            }
            term PERMIT-NTP {
                from {
                    protocol [ udp tcp ];
                    source-address N.N.N.N/32; /* NTP SERVER ADDRESS */
                    port ntp;
                }
                then accept;
            }
            term PERMIT-UDP-TRACEROUTE {
                from {
                    protocol udp;
                    destination-port 33434-33534;
                }
                then {
                    count traceroute;
                    accept;
                }
            }
            term PERMIT-TACACS+ {
                from {
                    protocol tcp;
                    source-address T.T.T.T/32; /* TACACS SERVER ADDRESS */
                    source-port 49;
                }
                then accept;
            }
            term PERMIT-ICMP {
                from {
                    protocol icmp;
                    icmp-type [ echo-request echo-reply unreachable time-exceeded ];
                }
                then accept;
            }
            term PERMIT-TCP-ESTABLISHED {
                from {
                    protocol tcp;
                    tcp-established;
                }
                then accept;
            }
            term DENY-OTHERS {
                then {
                    discard;
                }
            }
        }
    }
    interfaces {
        lo0 {
            unit 0 {
                family inet {
                    filter {
                        input PROTECT-RE-FILTER;
                    }
                }
            }
        }
    }

    4.3.8. SNMP Configuration

    snmp {
        location "Location Name";
        community test123 {
            authorization read-only;
            clients {
                103.12.236.3/32;
                103.12.236.4/32;
            }
        }
    }

    4.4. Dhaka Aggregation Router -1 Configuration

    This section captures the configuration of Dhaka Aggregation router-1.

    4.4.1. System Basic Configuration

    system {
        host-name DHK_AGG_RTR_01;
        time-zone Asia/Dhaka;
        no-source-route;
        commit synchronize;
        name-server 103.12.236.1;
        ports {
            console {
                log-out-on-disconnect;
                type vt100;
            }
        }
    }
    routing-options {
        router-id 103.12.236.42;
        autonomous-system 58668;
    }

    4.4.2. Management Interface Configuration

    interfaces {
        fxp0 {
            unit 0 {
                family inet {
                    address 10.100.102.4/24;
                }
            }
        }
    }

    4.4.3. Chassis Configuration

    chassis {
        fpc 0 {
            pic 1 {
                tunnel-services {
                    bandwidth 1g;
                }
            }
        }
        aggregated-devices {
            ethernet {
                device-count 2;
            }
        }
        alarm {
            management-ethernet {
                link-down ignore;
            }
        }
    }

    4.4.4. Interface Configuration

    interfaces {
        ge-1/0/0 {
            description "Connected to DHK_GW_RTR_01 via IDP-01 port ge-1";
            unit 0 {
                family inet {
                    address 103.12.236.18/30;
                }
            }
        }
        ge-1/0/1 {
            description "Connected to DHK_AGG_RTR_02";
            unit 0 {
                family inet {
                    address 103.12.236.23/30;
                }
            }
        }
        ge-1/0/2 {
            description "Connected to DHK_FW1";
            unit 0 {
                family inet {

    4.4.6. BGP Configuration

    protocols {
        bgp {
            group BGP-Internal {
                type internal;
                local-address 103.12.236.42;
                export redistribute-to-ibgp;
                neighbor 103.12.236.40;
                neighbor 103.12.236.41;
                neighbor 103.12.236.43;
            }
            group BGP-External {
                type external;
                export redistributed-connected;
                neighbor X.X.X.X {
                    peer-as XX;
                }
            }
        }
    }

    4.4.7. Bandwidth Configuration

    firewall {
        policer 3MB {
            if-exceeding {
                bandwidth-limit 3072000;
                burst-size-limit 384k;
            }
            then discard;
        }
    }

    Policy may be changed based on requirement.

    4.4.8. Sample RE filter Configuration

    firewall {
        filter PROTECT-RE-FILTER {
            term ROUTER-ACCESS {
                from {
                    source-address {
                        A.A.A.0/24; /* MANAGEMENT STATION ADDRESS RANGE */
                    }
                    destination-address {
                        F.F.F.F/32; /* fxp0 IP address */
                    }
                    protocol tcp;
                    destination-port [ ssh telnet ];
                }
                then accept;
            }
            term PERMIT-BGP {
                from {
                    protocol tcp;
                    source-address B.B.B.B/32; /* Add addresses from BGP Peers */
                    port bgp;
                }
                then accept;
            }
            term PERMIT-OSPF {
                from {
                    protocol ospf;
                }
                then accept;
            }
            term PERMIT-DNS {
                from {
                    protocol udp;
                    source-address D.D.D.D/32; /* DNS-SERVER ADDRESS */
                    port domain;
                }
                then accept;
            }
            term PERMIT-NTP {
                from {
                    protocol [ udp tcp ];
                    source-address N.N.N.N/32; /* NTP SERVER ADDRESS */
                    port ntp;
                }
                then accept;
            }
            term PERMIT-UDP-TRACEROUTE {
                from {
                    protocol udp;
                    destination-port 33434-33534;
                }
                then {
                    count traceroute;
                    accept;
                }
            }
            term PERMIT-TACACS+ {
                from {
                    protocol tcp;
                    source-address T.T.T.T/32; /* TACACS SERVER ADDRESS */
                    source-port 49;
                }
                then accept;
            }
            term PERMIT-ICMP {
                from {
                    protocol icmp;
                    icmp-type [ echo-request echo-reply unreachable time-exceeded ];
                }
                then accept;
            }
            term PERMIT-TCP-ESTABLISHED {
                from {
                    protocol tcp;
                    tcp-established;
                }

    4.4.9. SNMP Configuration

    snmp {
        location "Location Name";
        community test123 {
            authorization read-only;
            clients {
                103.12.236.3/32;
                103.12.236.4/32;
            }
        }
    }

    4.5. Dhaka Aggregation Router -2 Configuration

    This section captures the configuration of Dhaka Aggregation router-2.

    4.5.1. System Basic Configuration

    system {
        host-name DHK_AGG_RTR_02;
        time-zone Asia/Dhaka;
        no-source-route;
        commit synchronize;
        name-server 103.12.236.1;
        ports {
            console {
                log-out-on-disconnect;
                type vt100;
            }
        }
    }
    routing-options {
        router-id 103.12.236.43;
        autonomous-system 58668;
    }

    4.5.2. Management Interface Configuration

    interfaces {
        fxp0 {
            unit 0 {
                family inet {
                    address 10.100.102.5/24;
                }
            }
        }
    }

    4.5.3. Chassis Configuration

    chassis {
        fpc 0 {
            pic 1 {
                tunnel-services {
                    bandwidth 1g;
                }
            }
        }
        aggregated-devices {
            ethernet {
                device-count 2;
            }
        }
        alarm {
            management-ethernet {
                link-down ignore;
            }
        }
    }

        lo0 {
            unit 0 {
                family inet {
                    address 103.12.236.43/32;
                }
            }
        }

    4.5.5. OSPF Configuration

    protocols {
        ospf {
            area 0.0.0.0 {
                interface ge-1/0/0;
                interface ge-1/0/1;
                interface ge-1/0/2;
                interface lo0.0;
            }
        }
    }

    4.5.6. BGP Configuration

    protocols {
        bgp {
            group BGP-Internal {
                type internal;
                local-address 103.12.236.43;
                export redistribute-to-ibgp;
                neighbor 103.12.236.40;
                neighbor 103.12.236.41;
                neighbor 103.12.236.42;
            }
            group BGP-External {
                type external;
                export redistributed-connected;
                neighbor X.X.X.X {
                    peer-as XX;
                }
            }
        }
    }

                    protocol udp;
                    source-address D.D.D.D/32; /* DNS-SERVER ADDRESS */
                    port domain;
                }
                then accept;
            }
            term PERMIT-NTP {
                from {
                    protocol [ udp tcp ];
                    source-address N.N.N.N/32; /* NTP SERVER ADDRESS */
                    port ntp;
                }
                then accept;
            }
            term PERMIT-UDP-TRACEROUTE {
                from {
                    protocol udp;
                    destination-port 33434-33534;
                }
                then {
                    count traceroute;
                    accept;
                }
            }
            term PERMIT-TACACS+ {
                from {
                    protocol tcp;
                    source-address T.T.T.T/32; /* TACACS SERVER ADDRESS */
                    source-port 49;
                }
                then accept;
            }
            term PERMIT-ICMP {
                from {
                    protocol icmp;
                    icmp-type [ echo-request echo-reply unreachable time-exceeded ];
                }
                then accept;
            }
            term PERMIT-TCP-ESTABLISHED {
                from {
                    protocol tcp;
                    tcp-established;
                }
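The PROTECT-RE-FILTER repeated in 4.2.7, 4.3.7, 4.4.8 and above is evaluated term by term, first match wins, and DENY-OTHERS discards whatever no earlier term accepted. The Python model below is an added example, not configuration or code from the LLD; it stands in the LLD's A.A.A.0/24, B.B.B.B, D.D.D.D, N.N.N.N, T.T.T.T and F.F.F.F placeholders with constructed RFC 5737 documentation addresses, and its last case shows that tcp-established matches any ACK- or RST-flagged TCP segment whatever its source.

```python
# Added example (not from the LLD): first-match evaluator for the PROTECT-RE-FILTER
# terms of sections 4.2.7 to 4.5.7, showing which packets reach the routing engine.
# The LLD's A.A.A.0/24, B.B.B.B, D.D.D.D, N.N.N.N, T.T.T.T and F.F.F.F placeholders
# are replaced by constructed RFC 5737 documentation addresses.
import ipaddress

MGMT_RANGE = ipaddress.ip_network("192.0.2.0/24")      # stands in for A.A.A.0/24
FXP0_IP = ipaddress.ip_address("192.0.2.254")         # stands in for F.F.F.F
BGP_PEER = ipaddress.ip_address("198.51.100.1")       # stands in for B.B.B.B
DNS_SERVER = ipaddress.ip_address("203.0.113.53")     # stands in for D.D.D.D
NTP_SERVER = ipaddress.ip_address("203.0.113.123")    # stands in for N.N.N.N
TACACS_SERVER = ipaddress.ip_address("203.0.113.49")  # stands in for T.T.T.T

ACCEPT, DISCARD = "accept", "discard"


def make_packet(src, dst, proto, sport=0, dport=0, icmp_type=None, established=False):
    """Constructed packet summary.  'established' mirrors the Junos
    tcp-established match (ACK or RST set) and only matters for TCP."""
    return {"src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
            "proto": proto, "sport": sport, "dport": dport,
            "icmp_type": icmp_type, "established": established}


# (term name, match function) in the order the LLD lists the terms.  Junos
# 'port X' matches X as either source or destination port.
TERMS = [
    ("ROUTER-ACCESS", lambda p: p["src"] in MGMT_RANGE and p["dst"] == FXP0_IP
        and p["proto"] == "tcp" and p["dport"] in (22, 23)),           # [ ssh telnet ]
    ("PERMIT-BGP", lambda p: p["proto"] == "tcp" and p["src"] == BGP_PEER
        and 179 in (p["sport"], p["dport"])),                           # port bgp
    ("PERMIT-OSPF", lambda p: p["proto"] == "ospf"),
    ("PERMIT-DNS", lambda p: p["proto"] == "udp" and p["src"] == DNS_SERVER
        and 53 in (p["sport"], p["dport"])),                            # port domain
    ("PERMIT-NTP", lambda p: p["proto"] in ("udp", "tcp") and p["src"] == NTP_SERVER
        and 123 in (p["sport"], p["dport"])),                           # port ntp
    ("PERMIT-UDP-TRACEROUTE", lambda p: p["proto"] == "udp"
        and 33434 <= p["dport"] <= 33534),
    ("PERMIT-TACACS+", lambda p: p["proto"] == "tcp" and p["src"] == TACACS_SERVER
        and p["sport"] == 49),
    ("PERMIT-ICMP", lambda p: p["proto"] == "icmp" and p["icmp_type"]
        in ("echo-request", "echo-reply", "unreachable", "time-exceeded")),
    ("PERMIT-TCP-ESTABLISHED", lambda p: p["proto"] == "tcp" and p["established"]),
]


def evaluate(packet):
    """Return (term name, action) of the first matching term; DENY-OTHERS
    discards everything that no earlier term accepted."""
    for name, match in TERMS:
        if match(packet):
            return name, ACCEPT
    return "DENY-OTHERS", DISCARD


def demo():
    """Constructed traffic toward the routing engine and the filter's verdicts."""
    cases = {
        "ssh from mgmt range": make_packet("192.0.2.10", "192.0.2.254", "tcp", 40000, 22),
        "ssh from elsewhere": make_packet("198.51.100.77", "192.0.2.254", "tcp", 40000, 22),
        "bgp from configured peer": make_packet("198.51.100.1", "192.0.2.254", "tcp", 179, 52000),
        "bgp from unknown peer": make_packet("198.51.100.9", "192.0.2.254", "tcp", 179, 52000),
        "dns reply from server": make_packet("203.0.113.53", "192.0.2.254", "udp", 53, 40123),
        "traceroute probe": make_packet("198.51.100.77", "192.0.2.254", "udp", 40000, 33440),
        "ping": make_packet("198.51.100.77", "192.0.2.254", "icmp", icmp_type="echo-request"),
        "tcp ack from anywhere": make_packet("198.51.100.77", "192.0.2.254", "tcp", 1234, 8080,
                                             established=True),
        "tcp syn to unlisted port": make_packet("198.51.100.77", "192.0.2.254", "tcp", 1234, 8080),
    }
    return {label: evaluate(p) for label, p in cases.items()}


if __name__ == "__main__":
    for label, (term, action) in demo().items():
        print(f"{label:28s} -> {term} ({action})")
```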


    4.5.9. SNMP Configuration

    snmp {
        location "Location Name";
        community test123 {
            authorization read-only;
            clients {
                103.12.236.3/32;
                103.12.236.4/32;
            }
        }
    }

    4.6. Dhaka Data Center Switch-1 Configuration

    This section captures the configuration of Dhaka Data Center Switch-1.

    4.6.1. System Basic Configuration

    system {
        host-name DHK_DC_SW_01;
        services {
            ftp;
            ssh;
        }
        syslog {
            user * {
                any emergency;
            }
            file messages {
                any notice;
                authorization info;
            }
            file interactive-commands {
                interactive-commands any;
            }
        }
        commit {
            factory-settings {
                reset-chassis-lcd-menu;
                reset-virtual-chassis-configuration;
            }
        }
    }


    4.6.2. VLAN & Trunk Configuration

    interfaces {
        ge-0/0/0 {
            description "Connected to DHK_FW_01";
            unit 0 {
                family ethernet-switching {
                    port-mode trunk;
                    vlan {
                        members all;
                    }
                }
            }
        }
        ge-0/0/1 {
            description "Connected to DNS-server-1";
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members server;
                    }
                }
            }
        }
        ge-0/0/2 {
            description "Connected to DNS-server-2";
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members server;
                    }
                }
            }
        }
        ge-0/0/3 {
            description "Connected to NMS-server";
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members server;
                    }
                }
            }
        }
        ge-0/0/4 {
            description "Connected to MRTG-server";
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members server;
                    }
                }
            }
        }
        ge-0/0/5 {
            description "Connected to NSM-server";
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members server;
                    }
                }
            }
        }
        ge-0/0/6 {
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/0/7 {
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/0/8 {
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/0/9 {
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/0/10 {
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/0/11 {
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/0/12 {
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/0/13 {
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/0/14 {
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/0/15 {
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/0/16 {
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/0/17 {
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/0/18 {
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/0/19 {
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/0/20 {
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/0/21 {
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/0/22 {
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/0/23 {
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/1/0 {
            description "connected to DHK_FW_02";
            unit 0 {
                family ethernet-switching {
                    port-mode trunk;
                    vlan {
                        members all;
                    }
                }
            }
        }
        xe-0/1/0 {
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/1/1 {
            description "Connected to DHK_DC_SW_01";
            unit 0 {
                family ethernet-switching {
                    port-mode trunk;
                    vlan {
                        members all;

        ISP1 {
            vlan-id 2;
        }
        ISP2 {
            vlan-id 3;
        }
        ISP3 {
            vlan-id 4;
        }
    }

    4.6.3. SNMP Configuration

    snmp {
        location "Location Name";
        community test123 {
            authorization read-only;
            clients {
                103.12.236.3/32;
                103.12.236.4/32;
            }
        }
    }

    4.7. Dhaka Data Center Switch-2 Configuration

    This section captures the configuration of Dhaka Data Center Switch-2.

    4.7.1. System Basic Configuration

    system {
        host-name DHK_DC_SW_02;
        services {
            ftp;
            ssh;
        }
        syslog {
            user * {
                any emergency;
            }
            file messages {
                any notice;
                authorization info;
            }
            file interactive-commands {
                interactive-commands any;
            }
        }
        commit {
            factory-settings {
                reset-chassis-lcd-menu;
                reset-virtual-chassis-configuration;
            }
        }
    }

    4.7.2. VLAN & Trunk Configuration

    interfaces {
        ge-0/0/0 {
            description "Connected to DHK_FW_02";
            unit 0 {
                family ethernet-switching {
                    port-mode trunk;
                    vlan {
                        members all;
                    }
                }
            }
        }
        ge-0/0/1 {
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/0/2 {
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/0/3 {
            description "Connected to NMS";
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members mgt;
                    }
                }
            }
        }
        ge-0/0/4 {
            description "Connected to MRTG";
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members mgt;
                    }
                }
            }
        }
        ge-0/0/5 {
            description "Connected to NSMXpress";
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members mgt;
                    }
                }
            }
        }
        ge-0/0/6 {
            description "Connected to DHK_CORE_01";
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members mgt;
                    }
                }
            }
        }
        ge-0/0/7 {
            description "Connected to DHK_CORE_02";
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members mgt;
                    }
                }
            }
        }
        ge-0/0/8 {
            description "Connected to DHK_IDP_01";
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members mgt;
                    }
                }
            }
        }
        ge-0/0/9 {
            description "Connected to DHK_AGG_01";
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members mgt;
                    }
                }
            }
        }
        ge-0/0/10 {
            description "Connected to DHK_AGG_02";
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members mgt;
                    }
                }
            }
        }
        ge-0/0/11 {
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/0/12 {
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/0/13 {
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/0/14 {
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/0/15 {
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/0/16 {
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/0/17 {
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/0/18 {
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/0/19 {
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/0/20 {
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/0/21 {
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/0/22 {
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/0/23 {
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/1/0 {
            description "connected to DHK_FW_02";
            unit 0 {
                family ethernet-switching {
                    port-mode trunk;
                    vlan {
                        members all;
                    }
                }
            }
        }
        xe-0/1/0 {
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/1/1 {
            description "Link DHK_DC_SW_01";
            unit 0 {
                family ethernet-switching {
                    port-mode trunk;
                    vlan {
                        members all;
                    }
                }
            }
        }
        xe-0/1/1 {
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/1/2 {
            unit 0 {
                family ethernet-switching;
            }
        }
        xe-0/1/2 {
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/1/3 {
            unit 0 {
                family ethernet-switching;
            }
        }
    }
    protocols {
        igmp-snooping {
            vlan all;
        }
        rstp;
        lldp {
            interface all;
        }
        lldp-med {
            interface all;
        }
    }
    ethernet-switching-options {
        storm-control {
            interface all;
        }
    }
    vlans {
        ISP4 {
            vlan-id 4;
        }
        ISP5 {
            vlan-id 5;
        }
        ISP6 {
            vlan-id 6;
        }
    }

    4.7.3. SNMP Configuration

    snmp {
        location "Location Name";
        community test123 {
            authorization read-only;
            clients {
                103.12.236.3/32;
                103.12.236.4/32;
            }
        }
    }


    4.8. IDP Configuration

    4.8.1. OS Upgradation through CLI

    Following steps to upgrade/install the IDP OS:

    The following files are required for the IDP OS upgradation:

    + sensor_5_0r1.sh
    + sensor_5_1r2.sh
    + sensor_5_1r3.sh

    [root@idp ~]# cd /tmp
    [root@idp tmp]# ls -l
    -rw-rw-r-- 1 admin admin 474454694 Jul 11 23:04 sensor_5_1r2.sh

    To execute the above files, run the following:

    [root@idp tmp]# sh sensor_5_0r1.sh
    [root@idp tmp]# sh sensor_5_1r2.sh
    [root@idp tmp]# sh sensor_5_1r3.sh

    4.8.2. System Basic Configuration through Web GUI (ACM)

    Step 1. Host name configuration
    Step 2. DNS configuration
    Step 3. IP configuration for MGT access
    Step 4. Default gateway

    4.8.3. NSM Server Configuration

    4.8.3.1. REDHAT 5 OS Installation

    RedHat Linux must be installed first, before NSM is installed.


    4.8.3.2. NSM server 2010.4 OS Installation

    Following steps to install NSM on a Linux server:

    Step 1. The following files are required for NSM:

    + Linux server
    + Linux system update utilities
    + Windows UI client

    Step 2. Move all three files to the NSM server.

    Step 3. Unzip the system update file.

    + Untar it; this yields a folder named rhes4/rhes5.
    + Move inside this folder and run the script rhes5.sh.

    Step 4. After this, unzip the Linux server file (nsm_2010.4s3_linux_servers_x86.zip). This yields the script file nsm_2010.4s3_linux_servers_x86.zip; run this script to perform the installation.

    tar xvf nsm_2010.4s3_linux_servers_x86.zip

    Step 5. NSM client installation on the workstation.

    4.8.3.3. NSM Client Installation for Configuring the NSM Server

    The NSM Client software needs to be installed on a workstation in order to configure the NSM Server.

    4.8.3.4. Adding the IDP Device into the NSM Server

    The following screenshots show an IDP device being added into an NSM Server.


    4.8.3.5. Policy implementation

    The following screenshots show policy configuration on the IDP.


    4.8.3.6. Log view and reporting, custom report generation

    The following screenshots show log view, reporting and custom report generation from the NSM server.


    4.9. DC Firewall 1 & 2 Configuration

    4.9.1. OS Upgrade

    OS upgradation to JUNOS 10.4R10.7 through the command line.

    Steps: copy the JUNOS OS file into /var/tmp from the pen drive, then run:

    > request system software add /var/tmp/junos-srxsme-10.0R2.10-domestic.tgz no-copy no-validate reboot

    4.9.2. System Basic Configuration

    root@% cli
    root> configure
    root# set system root-authentication plain-text-password
    root# set system host-name DHK_FW
    root# set system login user test class super-user authentication plain-text-password
    root# set system services telnet
    root# set system services ssh


    4.9.3. Interface Configuration

    interfaces {
        ge-0/0/3 {
            gigether-options {
                redundant-parent reth1;
            }
        }
        ge-0/0/4 {
            gigether-options {
                redundant-parent reth0;
            }
        }
        ge-0/0/5 {
            gigether-options {
                redundant-parent reth2;
            }
        }
        ge-5/0/3 {
            gigether-options {
                redundant-parent reth1;
            }
        }
        ge-5/0/4 {
            gigether-options {
                redundant-parent reth0;
            }
        }
        ge-5/0/5 {
            gigether-options {
                redundant-parent reth2;
            }
        }
        fab0 {
            fabric-options {
                member-interfaces {
                    ge-0/0/2;
                }
            }
        }
        fab1 {
            fabric-options {
                member-interfaces {
                    ge-5/0/2;
                }
            }
        }
        reth0 {
            vlan-tagging;
            redundant-ether-options {
                redundancy-group 1;
            }
            unit XX {
                vlan-id XX;
                family inet {
                    address XX.XX.XX.XX/XX;
                }
            }
            unit 102 {
                vlan-id 102;
                family inet {
                    address XX.XX.XX.XX/XX;
                }
            }
        }
        reth1 {
            redundant-ether-options {
                redundancy-group 1;
            }
            unit 0 {
                family inet {
                    address 103.12.236.38/30;
                }
            }
        }
        reth2 {
            redundant-ether-options {
                redundancy-group 1;
            }
            unit 0 {
                family inet {
                    address 10.100.102.8/24;
                }
            }
        }
    }

    Interfaces will be configured into the UNTRUST, TRUST and DMZ zones.

    security-zone trust {
        interfaces {
            ge-0/0/0.0 {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
            }
        }
    }
    security-zone untrust {
        screen untrust-screen;
        interfaces {
            ge-0/0/1.0;
        }
    }
    security-zone DMZ {
        interfaces {
            ge-0/0/2.0 {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
            }
        }
    }

    4.9.4. HA Configuration

    VRRP/JSRP will be configured for HA in Active/Standby mode. Device-1 will act as master and device-2 as standby; once the master goes down, device-2 will take full ownership.

    groups {
        node1 {
            system {
                host-name FW2;
            }
            interfaces {
                fxp0 {
                    unit 0 {
                        family inet {
                            address 10.100.102.10/24;
                        }
                    }
                }
            }
        }
        node0 {
            system {
                host-name FW1;
            }
            interfaces {
                fxp0 {
                    unit 0 {
                        family inet {
                            address 10.100.102.9/24;
                        }
                    }
                }
            }
        }
    }
    chassis {
        cluster {
            reth-count 4;
            redundancy-group 0 {
                node 0 priority 100;
                node 1 priority 1;
            }
            redundancy-group 1 {
                node 0 priority 100;
                node 1 priority 50;
                preempt;
                interface-monitor {
                    ge-0/0/3 weight 60;
                    ge-0/0/5 weight 60;
                    ge-0/0/4 weight 60;
                }
            }
        }
    }
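In a Junos chassis cluster each redundancy group starts with a failover threshold of 255; when a monitored link goes down its weight is subtracted, and the group moves to the other node only once the threshold reaches 0. The Python model below is an added example, not code or configuration from the LLD or from Junos; it applies that rule to the redundancy-group 1 weights above (three links at 60, which together reach only 180) and coarsely models the priority and preempt settings. The weight of 255 used at the end is an alternative assumed here for comparison, not a value from the LLD.

```python
# Added example (not from the LLD): models the Junos SRX chassis-cluster
# interface-monitor accounting for redundancy-group 1 as configured above.

FAILOVER_THRESHOLD = 255  # every redundancy group starts at this threshold

# Monitored interfaces and weights copied from the LLD's redundancy-group 1.
RG1_MONITOR = {"ge-0/0/3": 60, "ge-0/0/5": 60, "ge-0/0/4": 60}
RG1_PRIORITY = {0: 100, 1: 50}  # node 0 priority 100, node 1 priority 50
RG1_PREEMPT = True


def remaining_threshold(monitor, down_interfaces):
    """Threshold left on a node after the weight of every monitored interface
    that is down has been subtracted.  Unmonitored interfaces change nothing."""
    lost = sum(weight for name, weight in monitor.items() if name in down_interfaces)
    return max(FAILOVER_THRESHOLD - lost, 0)


def interface_monitor_fails_over(monitor, down_interfaces):
    """True once the accumulated weight has driven the threshold to 0."""
    return remaining_threshold(monitor, down_interfaces) == 0


def primary_node(priority, preempt, current_primary, node_down_interfaces, monitor):
    """Pick the node that holds the redundancy group.

    A node whose threshold has reached 0 is ineligible.  Among eligible nodes
    the current primary keeps the group unless preempt is set, in which case
    the highest priority wins.  node_down_interfaces maps node id -> set of
    interface names that are down on that node.
    """
    eligible = [n for n in priority
                if not interface_monitor_fails_over(monitor, node_down_interfaces.get(n, set()))]
    if not eligible:
        return None
    if current_primary in eligible and not preempt:
        return current_primary
    return max(eligible, key=lambda n: priority[n])


def minimum_links_down_to_fail_over(monitor):
    """Smallest number of monitored links (heaviest first) whose combined
    weight reaches the threshold, or None if no combination ever does."""
    total = 0
    for count, weight in enumerate(sorted(monitor.values(), reverse=True), start=1):
        total += weight
        if total >= FAILOVER_THRESHOLD:
            return count
    return None


def audit_rg1():
    """Summarise what the LLD's weights actually do on link loss."""
    all_links = set(RG1_MONITOR)
    return {
        "one_link_down_fails_over": interface_monitor_fails_over(RG1_MONITOR, {"ge-0/0/4"}),
        "all_links_down_fails_over": interface_monitor_fails_over(RG1_MONITOR, all_links),
        "threshold_left_with_all_links_down": remaining_threshold(RG1_MONITOR, all_links),
        "links_needed": minimum_links_down_to_fail_over(RG1_MONITOR),
    }


if __name__ == "__main__":
    for key, value in audit_rg1().items():
        print(f"{key}: {value}")
    # Assumed alternative, not from the LLD: weight 255 per link makes the loss
    # of any single monitored link move the group to the other node.
    heavy = {name: 255 for name in RG1_MONITOR}
    print("single-link failover with weight 255:",
          interface_monitor_fails_over(heavy, {"ge-0/0/3"}))
    print("primary after node 0 loses all links (weight 255):",
          primary_node(RG1_PRIORITY, RG1_PREEMPT, 0, {0: set(RG1_MONITOR)}, heavy))
```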

    4.9.5. Security Policy Configuration

    Policy1: TRUST to UNTRUST: permit any any

    policies {
        from-zone trust to-zone untrust {
            policy trust-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }

    Policy2: UNTRUST to TRUST: deny all

    policies {
        from-zone untrust to-zone trust {
            policy untrust-to-trust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    deny;
                }
            }
        }
    }

    Policy3: DMZ to UNTRUST: permit any any

    policies {
        from-zone DMZ to-zone untrust {
            policy untrust-to-trust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }

    Policy4: UNTRUST to DMZ: only permit particular application services with a dedicated port.

    Policy5: A screening policy will be configured for the UNTRUST zone.

    Policy6: ALG policy will be configured based on application/services.


    5. LLD v 1.0 Signoff

    Low Level Design v1.0 Approved - [YES / NO]

    With Amendments [YES / NO]

    Amendments:

    BD LINK LLD v1.0 Approval & Signoff

    BD LINK Team

    LLD Check:

    LLD Verification:

    LLD Approval:

    GAZI Project Manager

    Name:
    Designation:

    ________________________________

    Signature of the GAZI PM

    GAZI Implementation Manager

    Name:
    Designation:

    ________________________________

    Signature of the GAZI IM

    Comments: