book

Juniper Networks Warrior

by Peter Southwick

November 2012

Intermediate to advanced

432 pages

11h 5m

English

O'Reilly Media, Inc.

Read now

Unlock full access

What Is the New Network Platform Architecture?How to Use This BookWhat’s in This Book?A Note About This BookConventions Used in This BookUsing Code ExamplesSafari® Books OnlineHow to Contact UsAcknowledgments
Company ProfileNetworkTraffic FlowNeed for ChangeClass of ServiceDesign Trade-OffsRouting and survivabilityRemote locationsMain locationClass of serviceImplementationPrototype PhaseClass of ServiceCut-OverMain SiteRemote Site JAXRemote Sites PHL and IADBackup Site BNAConclusions
IDP8200 BackgroundCommand-Line InterfaceWeb Management InterfaceNSM ManagementSupport TasksDaily TasksIDP PoliciesRulebase OptimizationOther TasksUpdating the detector engineUpdating IDP appliance OSUpdating attacksConclusion
DiscussionDesign Trade-OffsDecisionConfigurationTake One Configuration: ClusteringTake 2 Configuration: Active/Active without RethsTake 3 Configuration: Active/Active with One-Legged RethsTestingSummary
ProblemQ-in-Q FramingVPLS OverheadSolutionsRFC 4623Customer MTU restrictionsMove the MTUConfigurationsManagementlo0.0AccessProtocolsMPLSBGPOSPFCore Router ConfigurationsDistribution Switch ConfigurationsDistribution Router ConfigurationsRate ControlCPE Switch ConfigurationConclusion
ObjectiveDesignTrade-offsRoutingIBR integrationIDPFilter-based forwardingClusteringConfigurationClusteringSecurityRouting instancesInterfaces, zones, and policiesNATSecurity loggingRoutingBGPOSPFDefault routeOut-of-band management networkImplementationLessons LearnedFeature interactionsNetwork interactionsAdministrative issuesConclusion
Company ProfilePhysical Network TopologyServicesDesign ApproachMX connectivityEX connectivityDeploymentManagement networkDesign Trade-OffsOSPFVPLSBGPMPLSTrade-off choicesConfigurationsBoilerplate ConfigurationMX InterfacesEX Boilerplate and InterfacesOSPFMBGPMPLSRSVPLayer 3 VPNVPLSOBMConclusion
IntroductionClient GoalsDesign Trade-OffsFirewallsRoutingAddressingSurvivabilityRecommended DesignSwitching LayerRouting LayerFirewall LayerVirtualizationConfigurationsEX4200 ConfigurationMX240 ConfigurationFirewall ConfigurationDeploymentInitial ConnectivityThe Maintenance WindowPCI ComplianceSummary

Existing DesignIntroduction to Fibre ChannelProposed DesignConcerns and ResolutionsNamingNetwork qualityNetwork UpgradeAdvantages and Benefits of the SolutionQFX3500 Fibre Channel Gateway ConfigurationsManagement ConfigurationsFibre Channel Gateway Interface ConfigurationDCB ConfigurationEX4500 Transit Switch ConfigurationsInterfaces and VLANsTransit Switch DCB ConfigurationVerificationConclusions
Plans and TopologyPhase 1MX ConfigurationManagement ConfigurationRouting Engine ProtectionPolicy ConfigurationsPrefer to receive an aggregate of the locally assigned addressesNo subnets longer than /24No RFC 1918 prefixesAuthentication on all BGP linksThe ISPs will ignore the use of MEDsThe ISPs will respond to local preferenceThe ISPs will forward a default route if requiredThe ISPs will accept prepending only for the local ASThe ISP will not act as a transit network for any other traffic except for its customersProtocol ConfigurationsOSPFBGPPhase 2Final PhasesConclusion
Original Network ArchitectureWAN ConnectivityAddressingInternal ConnectivityFirewallsProblem DefinitionProposed Solution 1Solution 1 AdvantagesSolution 1 DetailsSolution 1 IssuesProposed Solution 2: OSPF over TunnelsEarly Death of Solution 2Configuration for Solution 2Final Solution: Static Routes over TunnelsSolution AdvantagesSolution IssuesRPF checksDefault gateway failure detectionEmail Server Address ResolutionFirewall ConfigurationsConclusion
RequirementsExisting NetworkRouting ProtocolsSolution OptionsThree-Layer DesignTwo-Layer DesignOne-Tier DesignConfigurationsDeployment ScenarioManagement Staging and TestingTop-of-Rack Switch TestingISP Link TestingProduction ConfigurationCut-OverConclusion

Content preview from Juniper Networks Warrior

Chapter 7. A PCI-Compliant Data Center

For most clients, the goal of a Juniper professional service engagement is to improve the client’s network. Our clients are typically looking to us network warriors to increase the speed of their networks, or for a new set of services—and this is where the “warrior” in network warrior comes in. We are the smoking gun, the get-this-done fix-it specialist and miracle worker all rolled into one professional service engineer. This is also where Juniper Networks has really made a name for itself this past decade, by being faster, more reliable, and more feature-rich than the competition, and thus making our warrior jobs much easier.

In almost every case, the result of the engagement is an increase in connectivity and/or availability for the client’s network. That is why this next engagement was totally different from all the others I have participated in—we were brought in to deter connectivity and reduce the availability of services.

Introduction

For this engagement, the tribe was brought in to make a client’s data center compliant with Payment Card Industry (PCI) regulations. This client deals with a high volume of customer credit cards and personal and credit information. As such, they must meet strict regulations set forth by the government for the protection of this information. For those of you that have not played with PCI compliance, check out the information found on the official PCI Security Standard Council website.

From a network warrior’s ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Start your free trial

OSPF and IS-IS: Choosing an IGP for Large-Scale Networks

Publisher Resources

ISBN: 9781449361709Errata

Juniper Networks Warrior

by Peter Southwick

Chapter 7. A PCI-Compliant Data Center

Introduction

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

You might also like

OSPF and IS-IS: Choosing an IGP for Large-Scale Networks

Cisco Networks: Engineers' Handbook of Routing, Switching, and Security with IOS, NX-OS, and ASA

Juniper SRX Series

Configuring Arista Network Switches

Publisher Resources

Chapter 7. A PCI-Compliant Data Center

Introduction

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,and much more.

You might also like

OSPF and IS-IS: Choosing an IGP for Large-Scale Networks

Cisco Networks: Engineers' Handbook of Routing, Switching, and Security with IOS, NX-OS, and ASA

Juniper SRX Series

Configuring Arista Network Switches

Publisher Resources

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.