Advanced Junos Security: Lab Diagrams
1.2.b
Lab Diagrams
Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.
YEAR 2000 NOTICE
Juniper Networks hardware and software products do not suffer from Year 2000 problems and hence are Year 2000 compliant. The Junos operating system has no known time-related limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.
SOFTWARE LICENSE
The terms and conditions for using Juniper Networks software are described in the software license provided with the software, or to the extent applicable, in an agreement executed between you and Juniper Networks, or Juniper Networks agent. By using Juniper Networks software, you indicate that you understand and agree to be bound by its license terms and conditions. Generally speaking, the software license restricts the manner in which you are permitted to use the Juniper Networks software, may contain prohibitions against certain uses, and may state conditions under which the license is automatically terminated. You should consult the software license for further details.
Management Network Diagram
[Figure: management network. Recoverable labels: Student Workstations; ge-0/0/0 (on all student devices).]
Management Addressing (address fields are blank in the original): srxA-1, srxA-2, srxB-1, srxB-2, srxC-1, srxC-2, srxD-1, srxD-2, vr-device, Server, Gateway, Term Server
Note: Your instructor will provide address and access information.
Pod A Network Diagram: Implementing AppSecure Lab
[Figure: network diagram. Recoverable labels: Untrust Zone with VM Client 172.16.1.100; srxA-K (K = pod, 1 or 2) with ge-0/0/8 172.16.1.1/24 and ge-0/0/9 172.16.10.1/24; Trust Zone with VM Server 172.16.10.100; VM Server's Duties: FTP Server, Web Server.]
Pod A Network Diagram: Implementing Layer 2 Security Lab
[Figure: network diagram. Recoverable labels: Host 172.31.15.1; Untrust Zone.]
[Figure: second network diagram, title not recovered. Recoverable labels: Host 172.31.15.1; Untrust Zone; srxA-1 (.1) ge-0/0/1, 172.19.1.0/30, ge-0/0/1 (.2) srxA-2; vlan.201; Interface ge-0/0/4; 172.20.101.0/24, 172.20.201.0/24, 172.20.102.0/24, 172.20.202.0/24 (.10 on each); Virtual Routers: Juniper-SV, ACME-SV, Juniper-WF, ACME-WF.]
Pod A Network Diagram: Advanced NAT Implementations Lab (Parts 1-3)
[Figure: network diagram. Recoverable labels: Host 172.31.15.1; Virtual Routers: Juniper-SV, Juniper-WF, ACME-WF.]
Pod A Network Diagram: Advanced NAT Implementations Lab (Parts 4-5)
[Figure: network diagram. Recoverable labels: Untrust Zone (twice); vlan.201; vlan.202; 172.20.202.0/24; IPv6 Subnet Added; (.10) (.10).]
[Figure: second network diagram, title not recovered. Recoverable labels: Spoke3A-1 (st0: 10.10.10.5/24, lo0: 192.168.10.5); Spoke3A-2 (st0: 10.10.10.8/24, lo0: 192.168.10.8); NonJunos Device (twice); srxA-1 (st0: 10.10.10.1/24, lo0: 192.168.10.1); srxA-2 (st0: 10.10.10.2/24, lo0: 192.168.10.2); 172.20.100.0/24; 172.20.200.0/24.]
Pod A Network Diagram: Configuring Group VPNs Lab
[Figure: network diagram. Recoverable labels: Key Server (lo0: 192.168.11.3); srxA-1 (lo0: 192.168.11.1); srxA-2 (lo0: 192.168.11.2); Interface ge-0/0/4; 172.20.101.0/24, 172.20.201.0/24, 172.20.102.0/24, 172.20.202.0/24 (.10 on each); Virtual Routers: Juniper-SV, ACME-SV, Juniper-WF, ACME-WF.]
Pod A Network Diagram: Implementing Advanced IPsec VPN Solutions Lab
[Figure: network diagram. Recoverable labels: Local-VR (twice, .10), 172.20.100.0/24 (twice); Untrust Zone; Acquired Zone (twice); srxA-1 (st0: 10.10.10.1/24, GRE: 11.11.11.1/30, lo0: 192.168.1.1); srxA-2 (st0: 10.10.10.2/24, GRE: 11.11.11.2/30, lo0: 192.168.2.1); vlan.101, vlan.201, vlan.102, vlan.202; Interface ge-0/0/4; 172.20.101.0/24, 172.20.201.0/24, 172.20.102.0/24, 172.20.202.0/24 (.10 on each); Virtual Routers: Juniper-SV, Juniper-WF, ACME-WF.]
Pod A Network Diagram: Performing Security Troubleshooting Techniques Lab
[Figure: network diagram. Recoverable labels: srxA-1; srxA-2; vlan.202; Interface ge-0/0/4; 172.20.101.0/24, 172.20.201.0/24, 172.20.102.0/24, 172.20.202.0/24 (.10 on each); Virtual Routers: Juniper-SV, ACME-SV, Juniper-WF, ACME-WF.]
Pod B Network Diagram: Implementing AppSecure Lab
[Figure: network diagram. Recoverable labels: Untrust Zone with VM Client 172.16.1.100; srxB-K (K = pod, 1 or 2) with ge-0/0/8 172.16.1.1/24 and ge-0/0/9 172.16.10.1/24; Trust Zone with VM Server 172.16.10.100; VM Server's Duties: FTP Server, Web Server.]
Pod B Network Diagram: Implementing Layer 2 Security Lab
[Figure: network diagram. Recoverable labels: Host 172.31.15.1; Untrust Zone; srxB-1 and srxB-2 (lo0: 192.168.1.1 and lo0: 192.168.2.1); vlan.243, 172.20.243.0/24, ge-0/0/1 (.50); vlan.244, 172.20.244.0/24, ge-0/0/2 (.50); (.10) on 172.20.243.0/24 and on 172.20.244.0/24; Virtual Routers: Juniper-SV, Juniper-WF.]
Pod B Network Diagram: Implementing Junos Virtual Routing Lab
[Figure: network diagram. Recoverable labels: Host 172.31.15.1; Untrust Zone (twice); vlan.103; Interface ge-0/0/4; 172.20.103.0/24, 172.20.203.0/24, 172.20.104.0/24, 172.20.204.0/24 (.10 on each); Virtual Routers: Juniper-SV, ACME-SV, Juniper-WF, ACME-WF.]
Pod B Network Diagram: Advanced NAT Implementations Lab (Parts 1-3)
[Figure: network diagram. Recoverable labels: Host 172.31.15.1.]
[Figure: second network diagram, title not recovered. Recoverable labels: Untrust Zone (twice); vlan.203; vlan.204; IPv6 Subnet Added; (.10).]
[Figure: third network diagram, title not recovered. Recoverable labels: Spoke2 B-1 (st0: 10.10.20.4/24, lo0: 192.168.20.4); Spoke3 B-1 (st0: 10.10.20.5/24, lo0: 192.168.20.5); NonJunos Device (twice); srxB-1 (st0: 10.10.20.1/24, lo0: 192.168.20.1); srxB-2 (st0: 10.10.20.2/24, lo0: 192.168.20.2); 172.20.100.0/24; 172.20.200.0/24.]
Pod B Network Diagram: Configuring Group VPNs Lab
[Figure: network diagram. Recoverable labels: Key Server (lo0: 192.168.21.3); srxB-1 (lo0: 192.168.21.1); srxB-2 (lo0: 192.168.21.2); vlan.103; Interface ge-0/0/4; 172.20.103.0/24, 172.20.203.0/24, 172.20.104.0/24, 172.20.204.0/24 (.10); vr104; Virtual Routers: Juniper-SV, Juniper-WF, ACME-WF.]
Pod B Network Diagram: Implementing Advanced IPsec VPN Solutions Lab
[Figure: network diagram. Recoverable labels: Local-VR (.10); 172.20.100.0/24 (twice); Untrust Zone; Acquired Zone (twice); srxB-1 (st0: 10.10.20.1/24, GRE: 11.11.21.1/30, lo0: 192.168.1.1); srxB-2 (st0: 10.10.20.2/24, GRE: 11.11.21.2/30, lo0: 192.168.2.1); vlan.103, vlan.203, vlan.104, vlan.204; Interface ge-0/0/4; Virtual Routers: Juniper-SV, ACME-SV.]
Pod B Network Diagram: Performing Security Troubleshooting Techniques Lab
[Figure: network diagram. Recoverable labels: srxB-1; srxB-2; vlan.103; Interface ge-0/0/4; 172.20.103.0/24, 172.20.203.0/24, 172.20.104.0/24, 172.20.204.0/24 (.10 on each); Virtual Routers: Juniper-SV, ACME-SV, Juniper-WF, ACME-WF.]
Pod C Network Diagram: Implementing AppSecure Lab
[Figure: network diagram. Recoverable labels: Untrust Zone with VM Client 172.16.1.100; srxC-K (K = pod, 1 or 2) with ge-0/0/8 172.16.1.1/24 and ge-0/0/9 172.16.10.1/24; Trust Zone with VM Server 172.16.10.100; VM Server's Duties: FTP Server, Web Server.]
Pod C Network Diagram: Implementing Layer 2 Security Lab
[Figure: network diagram. Recoverable labels: Host 172.31.15.1; Untrust Zone; Internet.]
[Figure: second network diagram, title not recovered. Recoverable labels: Host 172.31.15.1; Untrust Zone; srxC-1 (.1) ge-0/0/1, 172.19.1.0/30, ge-0/0/1 (.2) srxC-2; vlan.105, vlan.106, vlan.206; Interface ge-0/0/4; 172.20.105.0/24, 172.20.205.0/24, 172.20.106.0/24, 172.20.206.0/24 (.10 on each); Virtual Routers: Juniper-SV, ACME-SV, Juniper-WF, ACME-WF.]
Pod C Network Diagram: Advanced NAT Implementations Lab (Parts 1-3)
[Figure: network diagram. Recoverable labels: Host 172.31.15.1; srxC-1; 10.0.1.0/24.]
[Figure: second network diagram, title not recovered. Recoverable labels: Untrust Zone (twice); vlan.205; vlan.206; 172.20.206.0/24; IPv6 Subnet Added; (.10).]
[Figure: third network diagram, title not recovered. Recoverable labels: NonJunos Device (twice); srxC-1 (st0: 10.10.30.1/24, lo0: 192.168.30.1); srxC-2 (st0: 10.10.30.2/24, lo0: 192.168.30.2); 172.20.100.0/24; 172.20.200.0/24.]
Pod C Network Diagram: Configuring Group VPNs Lab
[Figure: network diagram. Recoverable labels: Key Server (lo0: 192.168.31.3); srxC-1 (lo0: 192.168.31.1); srxC-2 (lo0: 192.168.31.2); vlan.105; vlan.206; Interface ge-0/0/4; 172.20.105.0/24, 172.20.205.0/24, 172.20.106.0/24, 172.20.206.0/24 (.10 on each).]
[Figure: second network diagram, title not recovered. Recoverable labels: 172.20.100.0/24 (twice, .10); Untrust Zone; Acquired Zone (twice); srxC-1 (st0: 10.10.30.1/24, GRE: 11.11.31.1/30, lo0: 192.168.1.1); srxC-2 (st0: 10.10.30.2/24, GRE: 11.11.31.2/30, lo0: 192.168.2.1); vlan.105, vlan.205, vlan.106, vlan.206; Interface ge-0/0/4; 172.20.105.0/24, 172.20.205.0/24, 172.20.106.0/24, 172.20.206.0/24 (.10 on each); vr106; Virtual Routers: Juniper-SV, Juniper-WF, ACME-WF.]
Pod C Network Diagram: Performing Security Troubleshooting Techniques Lab
[Figure: network diagram. Recoverable labels: Interface ge-0/0/4; 172.20.106.0/24, 172.20.206.0/24 (.10 on each); Virtual Routers: Juniper-SV, ACME-SV, Juniper-WF, ACME-WF.]
Pod D Network Diagram: Implementing AppSecure Lab
[Figure: network diagram. Recoverable labels: Untrust Zone with VM Client 172.16.1.100; srxD-K (K = pod, 1 or 2) with ge-0/0/8 172.16.1.1/24 and ge-0/0/9 172.16.10.1/24; Trust Zone with VM Server 172.16.10.100; VM Server's Duties: FTP Server, Web Server.]
Pod D Network Diagram: Implementing Layer 2 Security Lab
[Figure: network diagram. Recoverable labels: Host 172.31.15.1; Untrust Zone; srxD-1 and srxD-2 (lo0: 192.168.1.1 and lo0: 192.168.2.1); vlan.247, 172.20.247.0/24, ge-0/0/1 (.50); vlan.248, 172.20.248.0/24, ge-0/0/2 (.50); (.10) on 172.20.247.0/24 and on 172.20.248.0/24.]
[Figure: second network diagram, title not recovered. Recoverable labels: Host 172.31.15.1; Untrust Zone; srxD-1 (.1) ge-0/0/1, 172.19.1.0/30, ge-0/0/1 (.2) srxD-2; vlan.107; Interface ge-0/0/4; 172.20.107.0/24, 172.20.207.0/24, 172.20.108.0/24, 172.20.208.0/24 (.10 on each); Virtual Routers: Juniper-SV, ACME-SV, Juniper-WF, ACME-WF.]
Pod D Network Diagram: Advanced NAT Implementations Lab (Parts 1-3)
[Figure: network diagram. Recoverable labels: Host 172.31.15.1.]
[Figure: second network diagram, title not recovered. Recoverable labels: Untrust Zone (twice); vlan.207; vlan.208; 172.20.208.0/24; IPv6 Subnet Added; (.10) (.10).]
[Figure: third network diagram, title not recovered. Recoverable labels: srxD-1 (lo0: 192.168.41.1); srxD-2 (lo0: 192.168.41.2); vlan.107; Interface ge-0/0/4; 172.20.107.0/24, 172.20.207.0/24, 172.20.108.0/24, 172.20.208.0/24 (.10 on each).]
[Figure: fourth network diagram, title not recovered. Recoverable labels: Local-VR (twice, .10).]
[Figure: fifth network diagram, title not recovered. Recoverable labels: srxD-1; srxD-2; vlan.107; Interface ge-0/0/4; 172.20.107.0/24, 172.20.207.0/24, 172.20.108.0/24, 172.20.208.0/24 (.10 on each); Virtual Routers: Juniper-SV, ACME-SV, Juniper-WF, ACME-WF.]