
IP Backbone Detailed Planning

Learning Element 6: General Network Design Recommendations

CN10566EN03GLA0

2014 Nokia Solutions and Networks. All rights reserved.

Nokia Solutions and Networks Academy


Legal notice
Intellectual Property Rights
All copyrights and intellectual property rights for Nokia Solutions and Networks training
documentation, product documentation and slide presentation material, all of which are forthwith
known as Nokia Solutions and Networks training material, are the exclusive property of Nokia
Solutions and Networks. Nokia Solutions and Networks owns the rights to copying, modification,
translation, adaptation or derivatives including any improvements or developments. Nokia
Solutions and Networks has the sole right to copy, distribute, amend, modify, develop, license,
sublicense, sell, transfer and assign the Nokia Solutions and Networks training material.
Individuals can use the Nokia Solutions and Networks training material for their own personal
self-development only, those same individuals cannot subsequently pass on that same
Intellectual Property to others without the prior written agreement of Nokia Solutions and
Networks. The Nokia Solutions and Networks training material cannot be used outside of an
agreed Nokia Solutions and Networks training session for development of groups without the
prior written agreement of Nokia Solutions and Networks.


Objectives
After completing this learning element, the participant should be able to:
- Identify the basic steps for configuring a router.
- Deploy best practices for router configuration.
- Apply configuration of network services.
- Describe basic security issues in deploying a router configuration.


General steps to configure a router

1. Set router hostname
2. Configure loopback interface for router identification
3. Configure AAA with TACACS or RADIUS
4. Set banners
5. Configure servers: NTP, Syslog and DNS
6. Configure SNMP
7. Configure interfaces
8. Configure routing protocols
9. Secure routing protocols


Router access

(Figure: router access model)
- Remote access protocol: SSH, SFTP (secure); Telnet, FTP (insecure)
- Local accounts: root password; access levels
  - Admin
  - Operator
  - Read-only
- Authentication flow: the user presents a username/password to the router; the router validates the credentials against an external authentication server (RADIUS or TACACS)

Secure access protocols (SSH, SFTP) should ONLY be employed
An external authentication server is always recommended
Local accounts should be available for last resort access


Router access

Device name
set groups re0 system host-name <device_name-re0>
set groups re1 system host-name <device_name-re1>
set apply-groups [re0 re1]

Root authentication
set system root-authentication encrypted-password <PASSWORD>
set system services ssh root-login deny

User authentication
set system authentication-order [<radius|tacplus> password]
set system login user <name> class super-user
set system login user <name> full-name <Local Admin User>
set system login user <name> authentication encrypted-password <PASSWD>


Out of Band (OoB) Management interface

The fxp0 address marked master-only (10.17.40.131) is active only on the Routing Engine that is currently master, so it always reaches the active RE; 10.17.40.132 and 10.17.40.133 are the fixed per-RE addresses.

fxp0 interface
[edit groups re0 interfaces fxp0]
unit 0 {
family inet {
address 10.17.40.131/25 {
master-only;
}
address 10.17.40.132/25;
}
}
[edit groups re1 interfaces fxp0]
unit 0 {
family inet {
address 10.17.40.131/25 {
master-only;
}
address 10.17.40.133/25;
}
}


Remote access

Enable SSH and SFTP
set system services ssh
set system services ssh connection-limit <value>
set system services ssh protocol-version v2

Only SSH protocol version 2 should be enabled; version 1 is obsolete and has known weaknesses.

Login banner
set system login message <text>


RADIUS authentication

RADIUS server
set system radius-server <IP_RADIUS_1> secret <RADIUS_secret>
set system radius-server <IP_RADIUS_1> retry <value_retries>
set system radius-server <IP_RADIUS_1> timeout <value_timeout>
set system radius-server <IP_RADIUS_1> source-address <IP_lo0>

set system radius-server <IP_RADIUS_2> secret <RADIUS_secret>
set system radius-server <IP_RADIUS_2> retry <value_retries>
set system radius-server <IP_RADIUS_2> timeout <value_timeout>
set system radius-server <IP_RADIUS_2> source-address <IP_lo0>


TACACS authentication

TACACS server
set system tacplus-server <IP_TACACS_1> secret <TACACS_secret>
set system tacplus-server <IP_TACACS_1> retry <value_retries>
set system tacplus-server <IP_TACACS_1> timeout <value_timeout>
set system tacplus-server <IP_TACACS_1> source-address <IP_lo0>

set system tacplus-server <IP_TACACS_2> secret <TACACS_secret>
set system tacplus-server <IP_TACACS_2> retry <value_retries>
set system tacplus-server <IP_TACACS_2> timeout <value_timeout>
set system tacplus-server <IP_TACACS_2> source-address <IP_lo0>


Network services

- SNMP: manage and collect statistics from a router remotely; send notifications or traps after events
- NTP: time synchronization of the router from a central server
- DNS: resolution of router hostname to IP address
- Syslog: log historical and real-time events about router operations; local storage and/or remote syslog server

Network management and administration tools/services are critical for the correct operation, monitoring and troubleshooting of a network.


NTP and DNS

Network Time Protocol (NTP)
set system ntp boot-server <IP_NTP_SERVER_1>
set system ntp server <IP_NTP_SERVER_1> prefer
set system ntp server <IP_NTP_SERVER_2>
set system ntp source-address <IP_lo0>

Domain Name System (DNS)
set system name-server <IP_DNS_SERVER_1>
set system name-server <IP_DNS_SERVER_2>
set system domain-name <global_domain>


Simple Network Management Protocol (SNMP)

set snmp description <hostname>
set snmp location <location_identifier>
set snmp contact <contact_text>

set snmp community <com_name> authorization read-write
set snmp community <com_name> version v2
set snmp community <com_name> clients <IP_SNMP_SERVER_1>
set snmp community <com_name> clients <IP_SNMP_SERVER_2>

set snmp trap-group <tg_name> categories authentication
set snmp trap-group <tg_name> categories chassis
set snmp trap-group <tg_name> categories link
set snmp trap-group <tg_name> categories routing
set snmp trap-group <tg_name> categories configuration
set snmp trap-group <tg_name> version v2
set snmp trap-group <tg_name> targets <IP_SNMP_SERVER_1>
set snmp trap-group <tg_name> targets <IP_SNMP_SERVER_2>

A SNMPv2c community string is sent in clear text, so the clients statements restricting the community to the management stations are essential, and read-write authorization should be granted only where the management system actually needs to write.

Logging - Syslog

set system syslog user * any emergency
set system syslog host <IP_LOG_SERVER_1> any notice
set system syslog host <IP_LOG_SERVER_1> interactive-commands info
set system syslog host <IP_LOG_SERVER_1> facility-override local0
set system syslog host <IP_LOG_SERVER_1> log-prefix <hostname>
set system syslog host <IP_LOG_SERVER_1> explicit-priority
set system syslog host <IP_LOG_SERVER_2> any notice
set system syslog host <IP_LOG_SERVER_2> interactive-commands info
set system syslog host <IP_LOG_SERVER_2> facility-override local0
set system syslog host <IP_LOG_SERVER_2> log-prefix <hostname>
set system syslog host <IP_LOG_SERVER_2> explicit-priority
set system syslog file messages any any
set system syslog file messages interactive-commands none
set system syslog file messages archive size 1m
set system syslog file messages archive files 10
set system syslog file messages explicit-priority
set system syslog file cli-commands authorization info
set system syslog file cli-commands change-log info
set system syslog file cli-commands interactive-commands info
set system syslog file cli-commands archive size 1m
set system syslog file cli-commands archive files 10
set system syslog file cli-commands explicit-priority
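The syslog configuration above ships interactive commands, configuration changes and logins to two log servers with explicit-priority enabled. The following is an added example, not code from the Nokia course or from Juniper: a small Python parser for records in the explicit-priority layout ("<timestamp> <host> <process>[<pid>]: %<FACILITY>-<severity>-<TAG>: <text>") and an audit function that summarizes who ran commands, what was committed and which logins failed. The sample records are constructed for the example; hostnames, users, PIDs and addresses are invented.

```python
"""Added example (not Nokia or Juniper code): parse Junos syslog records
written with 'explicit-priority' and summarize the operator-relevant events
(interactive commands, commits, logins, warnings)."""
import re
from collections import Counter

# Constructed sample records (not captured from a real device).
SAMPLE_LOG = """\
Mar  9 17:33:23 pe1-re0 mgd[3046]: %INTERACT-6-UI_CMDLINE_READ_LINE: User 'oper', command 'show interfaces terse '
Mar  9 17:33:40 pe1-re0 mgd[3046]: %INTERACT-6-UI_CMDLINE_READ_LINE: User 'oper', command 'configure '
Mar  9 17:34:02 pe1-re0 mgd[3046]: %DAEMON-5-UI_COMMIT: User 'oper' requested 'commit' operation (comment: none)
Mar  9 17:35:10 pe1-re0 sshd[4102]: %AUTH-6-LOGIN_INFORMATION: User admin logged in from host 10.17.40.10 on device ttyp0
Mar  9 17:36:55 pe1-re0 login[4150]: %AUTH-4-LOGIN_FAILED: Login failed for user oper from host 10.17.40.200
Mar  9 17:40:00 pe1-re0 chassisd[1900]: %DAEMON-4-CHASSISD_SNMP_TRAP6: SNMP trap generated: Fan Removed
this line is not a Junos record and is skipped
"""

# Layout: '<timestamp> <host> <process>[<pid>]: %<FACILITY>-<severity>-<TAG>: <text>'
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<proc>[\w-]+)\[(?P<pid>\d+)\]: "
    r"%(?P<facility>[A-Z0-9]+)-(?P<severity>[0-7])-(?P<tag>[A-Z0-9_]+): (?P<text>.*)$"
)

# syslog severity codes 0..7
SEVERITY_NAMES = ["emergency", "alert", "critical", "error",
                  "warning", "notice", "info", "debug"]


def parse_line(line: str):
    """Return a dict for one record, or None if the line is not in the expected layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    rec["severity"] = int(rec["severity"])
    rec["severity_name"] = SEVERITY_NAMES[rec["severity"]]
    return rec


def parse_log(text: str) -> list:
    """Parse every well-formed record in the text; malformed lines are dropped."""
    return [r for r in (parse_line(line) for line in text.splitlines()) if r]


def audit(text: str) -> dict:
    """Summarize who ran commands, what was committed, failed logins, and how
    many records are at 'warning' or worse (severity code 4 or below)."""
    report = {"commands": Counter(), "commits": [], "failed_logins": [],
              "warning_or_worse": 0}
    for rec in parse_log(text):
        if rec["tag"] == "UI_CMDLINE_READ_LINE":
            m = re.search(r"User '([^']+)'", rec["text"])
            report["commands"][m.group(1) if m else "unknown"] += 1
        elif rec["tag"] == "UI_COMMIT":
            report["commits"].append(rec["text"])
        elif rec["tag"] == "LOGIN_FAILED":
            report["failed_logins"].append(rec["text"])
        if rec["severity"] <= 4:
            report["warning_or_worse"] += 1
    return report


if __name__ == "__main__":
    for key, value in audit(SAMPLE_LOG).items():
        print(key, value)
```

Because the configuration sets interactive-commands to info on the remote hosts but to none in the local messages file, the per-user command history is only complete on the log servers; that is where an audit such as this one belongs.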


JUNOS system-config example

system {
    authentication-order [ ... ];      /* Set authentication */
    root-authentication { ... }
    radius-server { ... }              /* RADIUS/TACACS parameters */
    login {
        message "TEXT\n";              /* Login banner */
        user admin { ... }             /* Define local accounts */
    }
    name-server { ... }                /* DNS parameters */
    services {
        ssh { ... }                    /* SSH parameters */
    }
    syslog { ... }                     /* Syslog parameters */
    ntp { ... }                        /* NTP parameters */
}
snmp { ... }                           /* SNMP parameters */


Router security

Objectives
- Protection from external attacks
- Restrict router access to authorized users only
- Discard unknown traffic types and sources

Security mechanisms
- Control physical access to device
- User authentication
- Login banner
- Password encryption
- Routing engine protection filter

RE Protection Filter
- List of protocols allowed
  - Management (SSH, NTP, SNMP, etc)
  - Routing (OSPF, BGP, LDP, etc)
- Only allow IP addresses of known peers/sources
- Deny rest of traffic

Security is a critical component of every network, and all available protection mechanisms should be applied. Especially critical in Junos is the Routing Engine protection filter.


RE protection filter

set firewall family inet filter <Protection-RE> term <name> from protocol <protocol>
set firewall family inet filter <Protection-RE> term <name> from destination-port <port>
set firewall family inet filter <Protection-RE> term <name> from source-prefix-list <name_prefix_list>
set firewall family inet filter <Protection-RE> term <name> then <accept|discard>

set interfaces lo0 unit 0 family inet filter input <Protection-RE>


Term  Description     Protocol  Port           Prefix list            Action
1     RADIUS Allowed  UDP       SRC 1812,1813  <From_RADIUS_servers>  Accept
2     RADIUS Denied   UDP       SRC 1812,1813  -                      Discard
3     SSH Allowed     TCP       DST 22         <From_SSH_hosts>       Accept
4     SSH Denied      TCP       DST 22         -                      Discard
5     SNMP Allowed    UDP       DST 161        <From_SNMP_hosts>      Accept
6     SNMP Denied     UDP       DST 161        -                      Discard
7     BGP Allowed     TCP       DST 179        <From_BGP_peers>       Accept
8     BGP Denied      TCP       DST 179        -                      Discard
9     NTP Allowed     UDP       SRC 123        <From_NTP_servers>     Accept
10    NTP Denied      UDP       SRC 123        -                      Discard
11    LDP Allowed     UDP TCP   DST 646        <From_LDP_neighbors>   Accept
12    LDP Denied      UDP TCP   DST 646        -                      Discard
13    DNS Allowed     UDP       SRC 53         <From_DNS_servers>     Accept
14    DNS Denied      UDP       SRC 53         -                      Discard
15    Deny rest       --        --             --                     Discard

Terms are evaluated in order and the first match wins: each "Allowed" term accepts a protocol only from the addresses in its prefix list, the "Denied" term that follows discards the same protocol from any other source, and term 15 discards everything that no earlier term matched.
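The term table above, as an added example that is not code from the Nokia course or from Juniper: a Python model that emits the equivalent Junos set statements for all fifteen terms (the page shows the statement form once; this generalizes it to the whole table) and simulates Junos first-match term evaluation over constructed packets. The prefix-list contents, the filter name Protection-RE and the sample addresses are assumptions made for the example.

```python
"""Added example (not Nokia or Juniper code): model of the Routing Engine
protection filter described in the term table.

It (1) emits the Junos 'set' statements for every term and (2) simulates
Junos first-match evaluation over constructed packets, which shows why each
'-Allowed' term must precede its '-Denied' term and why the catch-all
discard must be last."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Hypothetical prefix-list contents (constructed sample ranges).
PREFIX_LISTS = {
    "From_RADIUS_servers": ["10.1.1.0/29"],
    "From_SSH_hosts": ["10.17.40.0/25"],
    "From_SNMP_hosts": ["10.17.40.0/25"],
    "From_BGP_peers": ["192.0.2.0/24"],
    "From_NTP_servers": ["10.1.2.1/32"],
    "From_LDP_neighbors": ["198.51.100.0/24"],
    "From_DNS_servers": ["10.1.3.0/30"],
}


@dataclass(frozen=True)
class Term:
    name: str
    protocols: Tuple[str, ...]     # () means any protocol (catch-all term)
    port_dir: Optional[str]        # "src" or "dst"; None means no port match
    ports: Tuple[int, ...]
    prefix_list: Optional[str]     # None means any source address
    action: str                    # "accept" or "discard"


# Rows of the table: (name, protocols, port direction, ports, prefix list).
ROWS = [
    ("RADIUS", ("udp",), "src", (1812, 1813), "From_RADIUS_servers"),
    ("SSH", ("tcp",), "dst", (22,), "From_SSH_hosts"),
    ("SNMP", ("udp",), "dst", (161,), "From_SNMP_hosts"),
    ("BGP", ("tcp",), "dst", (179,), "From_BGP_peers"),
    ("NTP", ("udp",), "src", (123,), "From_NTP_servers"),
    ("LDP", ("udp", "tcp"), "dst", (646,), "From_LDP_neighbors"),
    ("DNS", ("udp",), "src", (53,), "From_DNS_servers"),
]

# Terms 1-14 (Allowed/Denied pairs, in table order) plus term 15 (Deny rest).
TERMS = []
for name, protos, port_dir, ports, plist in ROWS:
    TERMS.append(Term(f"{name}-Allowed", protos, port_dir, ports, plist, "accept"))
    TERMS.append(Term(f"{name}-Denied", protos, port_dir, ports, None, "discard"))
TERMS.append(Term("Deny-rest", (), None, (), None, "discard"))


def set_statements(filter_name: str = "Protection-RE") -> list:
    """Junos 'set' statements for the whole filter, plus the lo0 apply line."""
    base = f"set firewall family inet filter {filter_name} term"
    lines = []
    for t in TERMS:
        if t.protocols:
            lines.append(f"{base} {t.name} from protocol [ {' '.join(t.protocols)} ]")
        if t.port_dir:
            keyword = "source-port" if t.port_dir == "src" else "destination-port"
            lines.append(f"{base} {t.name} from {keyword} [ {' '.join(map(str, t.ports))} ]")
        if t.prefix_list:
            lines.append(f"{base} {t.name} from source-prefix-list {t.prefix_list}")
        lines.append(f"{base} {t.name} then {t.action}")
    lines.append(f"set interfaces lo0 unit 0 family inet filter input {filter_name}")
    return lines


def evaluate(src_ip: str, proto: str, src_port: int, dst_port: int):
    """First-match evaluation, as Junos does: return (term name, action)."""
    src = ip_address(src_ip)
    for t in TERMS:
        if t.protocols and proto not in t.protocols:
            continue
        if t.port_dir == "src" and src_port not in t.ports:
            continue
        if t.port_dir == "dst" and dst_port not in t.ports:
            continue
        if t.prefix_list and not any(
            src in ip_network(p) for p in PREFIX_LISTS[t.prefix_list]
        ):
            continue
        return t.name, t.action
    raise AssertionError("unreachable: the Deny-rest term matches every packet")


if __name__ == "__main__":
    for line in set_statements():
        print(line)
    # SSH from the OoB range is accepted; SSH from elsewhere is discarded by
    # the very next term; anything not listed at all hits Deny-rest.
    print(evaluate("10.17.40.10", "tcp", 51022, 22))   # ('SSH-Allowed', 'accept')
    print(evaluate("203.0.113.5", "tcp", 51022, 22))   # ('SSH-Denied', 'discard')
    print(evaluate("192.0.2.1", "icmp", 0, 0))         # ('Deny-rest', 'discard')
```

Two caveats the simulation makes visible: the table only matches BGP on destination port 179, so a session the local router initiated (replies arriving with source port 179 and an ephemeral destination port) falls through to Deny rest, which is why production filters match BGP on both port directions; and the table carries no terms for OSPF, ICMP or traceroute, although the previous slide lists OSPF among the routing protocols to allow, so those must be added before the final discard term.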

JUNOS RE protection filter example

interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input protection_RE;   /* Apply Routing Engine protection filter to loopback interface */
                }
            }
        }
    }
}
firewall {
    family inet {
        filter protection_RE {
            term SSH-Allowed { ... }
            term SSH-Denied { ... }
            term BGP-Allowed { ... }
            term BGP-Denied { ... }
            ...
            term Deny_all { ... }
        }
    }
}