Tunnel Explanation
Figure: Ground Floor topology, West Perth and Sydney (labels recovered from the diagram)

West Perth
- BDR1 (lo0 103.228.188.1): irb.100 103.228.190.25/30 on ge-0/0/1.100; xe-0/2/0.100 to the Vocus Agg Port (Vocus Network)
- SRX345 WEST-PERTH-ACP-: ge-0/0/8.100, VLAN 100, 103.228.190.26/30 (P2P with BDR1 irb.100 on 103.228.190.24/30)
- SRX345 to SRX380 RadianArc-Test WEST-PERTH-1S: P2P on VLAN 50 over LACP (ge-0/0/2 and ge-0/0/3 members), 103.228.190.52/30, SRX345 side 103.228.190.53, SRX380 side 103.228.190.54
- vlan50 server subnet 103.228.188.136/29
- QFX5100 RadianArc-Test WEST-PERTH-1Q (Network)

Activeport Sydney Office - VLAN 100, Internet via Zetta
- EQUINIXSY4-1S (10.35.62.254): ge-0/0/0.100, VLAN 100, 203.196.95.70/31; ge-0/0/29.100
- EQUINIXSY4-1Q (10.35.63.254): xe-0/0/46.100 to the Vocus Agg Port (Vocus Network)
- SRX345: ge-0/0/8.0, 203.196.95.71/31 (P2P with EQUINIXSY4-1S ge-0/0/0.100); ge-0/0/7 to switch
- SRX380 to INTERNET
Figure: RadianArc site template, SRX380 + QFX5100 + management and GPU servers (labels recovered from the diagram)

SRX380
- ae1 (LACP, member ports 18 and 19): ae1.50 = public /30 on the P2P VLAN to the upstream. Template values: upstream aeX = 1.1.1.1/30, SRX380 ae1.50 = 1.1.1.2/30 (shown as X.X.X.1 / X.X.X.2 in the blank copy); Internet via ae1
- ae0 (LACP, member ports 16 and 17) to the QFX5100, flexible-vlan-tagging: ae0.0 = 10.29.192.2/30 (routed link, 10.29.192.0/30); ae0.99 iDRAC, ae0.100 MGMT, ae0.200 IPMI, ae0.300 VM
- second routed link ge-0/0/0.0 on 10.29.1.0/30 to QFX5100 ge-0/0/29 (.2 on the SRX side, .1 on the QFX side as marked)
- OSPF area 0 (standard area) over the two routed links to the QFX

QFX5100
- ae0 (LACP) to the SRX380, ae0.0 = 10.29.192.1/30; ge-0/0/29 = .1 end of 10.29.1.0/30; ports 50 and 29 marked on the drawing
- OSPF RID 10.29.63.254; management of the QFX is within the global instance
- server-facing LACP bundles ae99, ae101 and ae102 on ports 0, 4, 8, 9, 10, 11, 12, 13, 14, 15 and 30 (as numbered in the drawing)

Servers
- Management Server, GPU#1, GPU#2: Mgmt-1 and Mgmt-2 NICs bundled (LACP) to the QFX; one IPMI / iDRAC port per server on VLAN 200 (IPMI) or VLAN 99 (iDRAC)

VLANs
- 99 iDRAC 192.168.0.0/24
- 100 MGMT 192.168.1.0/24
- 200 IPMI 192.168.2.0/24
- 300 VM 192.168.3.0/24

Address plan (columns as drawn: network, subnet, VLAN, three addresses, DNS)
Network | Subnet | VLAN | Addresses listed | DNS
Management | 192.168.1.0/24 | 100 | 192.168.1.10, 192.168.1.200, 192.168.1.254 | 8.8.8.8, 8.8.4.4
IPMI | 192.168.2.0/24 | 200 | 192.168.2.1, 192.168.2.101, 192.168.2.254 | 8.8.8.8, 8.8.4.4
iDRAC | 192.168.0.0/24 | 99 | 192.168.0.1, 192.168.0.100, 192.168.0.254 | 8.8.8.8, 8.8.4.4

The third address per row is the SRX380 sub-interface address for Management and IPMI (ae0.100 = 192.168.1.254/24 and ae0.200 = 192.168.2.254/24 beside the configuration at the end of this page); for iDRAC the configuration labels ae0.99 as 192.168.0.1/24, which does not agree with 192.168.0.254 here, so one of the two needs correcting before the gateway is handed out.
RadianArc Network Security Workflow

ZONES (zone: interfaces; address objects used by the rules)
- junos-host: the SRX itself, services junos-ssh, junos-https, junos-ike, junos-ping, junos-icmp-all
- Untrust: ae1.50; address set trusted-ips
- Trust: ae0.100 (build-server), ae0.99; address set gpu-servers
- IPMI: ae0.200; address sets gpu-servers-ipmi, mgmt1-ipmi
- VM: ae0.300; address set gpu-servers

Zone pairs drawn: Untrust to junos-host, Untrust to Trust, Untrust to IPMI, Untrust to VM, Trust to Untrust, IPMI to Untrust, VM to Untrust, VM to VM.

RULES
ID | Zones | Rule name | Source interface | Destination interface | Source objects | Destination objects | Application | Protocol | Destination port | Log | Action
1 | Untrust to junos-host | untrust-to-junos_host-mgmt-permit | ae1.50 | (SRX itself) | trusted-ips | any | junos-ssh; junos-https | TCP | 22, 443 | yes | Permit
2 | Untrust to junos-host | untrust-to-junos_host-other-mgmt-deny | ae1.50 | (SRX itself) | any | any | junos-ssh; junos-https | TCP | 22, 443 | no | Deny
3 | Untrust to junos-host | untrust-to-junos_host-other-ike_ping_traceroute | ae1.50 | (SRX itself) | any | any | junos-ike; junos-ping; junos-icmp-all | UDP, ICMP | 500, ping, icmp | no | Permit
6 | IPMI to Untrust | ipmi-to-untrust-permit | ae0.200 | ae1.50 | any | any | any | TCP/UDP | any | no | Permit

Rules 1 and 2 only give the intended result when evaluated in that order (first match wins): the trusted-ips permit must sit above the any-source deny. Rule 6 admits anything the IPMI zone initiates towards ae1.50, but the SRCNAT_IPMI entry in the NAT table is a deny, so such traffic leaves with its private 192.168.2.0/24 source address and gets no reply.
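The rules above written out as Junos set commands, as an added example and not configuration taken from the page or from the RadianArc deployment: zone membership follows the ZONES list, host-inbound-traffic on ae1.50 is limited to what rules 1 to 3 admit, and the order of the set commands enforces rule 1 before rule 2. The trusted-ips member 203.0.113.10/32 (an RFC 5737 documentation address) is a placeholder for the real administrative source.

```junos
# Added example, not the page's configuration. Zones and interfaces per the ZONES list.
set security zones security-zone Untrust interfaces ae1.50
set security zones security-zone Trust interfaces ae0.100
set security zones security-zone Trust interfaces ae0.99
set security zones security-zone IPMI interfaces ae0.200
set security zones security-zone VM interfaces ae0.300

# First gate for traffic to the SRX itself: only the services rules 1-3 admit are opened
# on ae1.50. Nothing like "system-services all" on a public-facing interface.
set security zones security-zone Untrust interfaces ae1.50 host-inbound-traffic system-services ssh
set security zones security-zone Untrust interfaces ae1.50 host-inbound-traffic system-services https
set security zones security-zone Untrust interfaces ae1.50 host-inbound-traffic system-services ike
set security zones security-zone Untrust interfaces ae1.50 host-inbound-traffic system-services ping
set security zones security-zone Untrust interfaces ae1.50 host-inbound-traffic system-services traceroute

# trusted-ips: the only sources allowed to manage the SRX from the internet (placeholder member)
set security address-book global address admin-host-1 203.0.113.10/32
set security address-book global address-set trusted-ips address admin-host-1

# Rule 1: SSH/HTTPS to the box from trusted-ips, logged. Policies are matched top-down,
# first match wins, so this permit must be created before the deny of rule 2.
set security policies from-zone Untrust to-zone junos-host policy untrust-to-junos_host-mgmt-permit match source-address trusted-ips
set security policies from-zone Untrust to-zone junos-host policy untrust-to-junos_host-mgmt-permit match destination-address any
set security policies from-zone Untrust to-zone junos-host policy untrust-to-junos_host-mgmt-permit match application junos-ssh
set security policies from-zone Untrust to-zone junos-host policy untrust-to-junos_host-mgmt-permit match application junos-https
set security policies from-zone Untrust to-zone junos-host policy untrust-to-junos_host-mgmt-permit then permit
set security policies from-zone Untrust to-zone junos-host policy untrust-to-junos_host-mgmt-permit then log session-init
set security policies from-zone Untrust to-zone junos-host policy untrust-to-junos_host-mgmt-permit then log session-close

# Rule 2: SSH/HTTPS to the box from anyone else is dropped
set security policies from-zone Untrust to-zone junos-host policy untrust-to-junos_host-other-mgmt-deny match source-address any
set security policies from-zone Untrust to-zone junos-host policy untrust-to-junos_host-other-mgmt-deny match destination-address any
set security policies from-zone Untrust to-zone junos-host policy untrust-to-junos_host-other-mgmt-deny match application junos-ssh
set security policies from-zone Untrust to-zone junos-host policy untrust-to-junos_host-other-mgmt-deny match application junos-https
set security policies from-zone Untrust to-zone junos-host policy untrust-to-junos_host-other-mgmt-deny then deny

# Rule 3: IKE (UDP 500), ping and the remaining ICMP types from anywhere
set security policies from-zone Untrust to-zone junos-host policy untrust-to-junos_host-other-ike_ping_traceroute match source-address any
set security policies from-zone Untrust to-zone junos-host policy untrust-to-junos_host-other-ike_ping_traceroute match destination-address any
set security policies from-zone Untrust to-zone junos-host policy untrust-to-junos_host-other-ike_ping_traceroute match application junos-ike
set security policies from-zone Untrust to-zone junos-host policy untrust-to-junos_host-other-ike_ping_traceroute match application junos-ping
set security policies from-zone Untrust to-zone junos-host policy untrust-to-junos_host-other-ike_ping_traceroute match application junos-icmp-all
set security policies from-zone Untrust to-zone junos-host policy untrust-to-junos_host-other-ike_ping_traceroute then permit

# Rule 6: the IPMI zone may initiate anything towards Untrust (see the SRCNAT_IPMI caveat)
set security policies from-zone IPMI to-zone Untrust policy ipmi-to-untrust-permit match source-address any
set security policies from-zone IPMI to-zone Untrust policy ipmi-to-untrust-permit match destination-address any
set security policies from-zone IPMI to-zone Untrust policy ipmi-to-untrust-permit match application any
set security policies from-zone IPMI to-zone Untrust policy ipmi-to-untrust-permit then permit
```

After commit, `show security policies from-zone Untrust to-zone junos-host` confirms the order, and `show security match-policies from-zone Untrust to-zone junos-host source-ip 198.51.100.7 destination-ip 103.228.190.54 source-port 40000 destination-port 22 protocol tcp` shows which policy an SSH attempt from an address outside trusted-ips hits (it should be the rule 2 deny). Both the zone host-inbound list and the junos-host policy have to allow a service; removing a service from either is enough to close it.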
NAT

Destination NAT (inbound on ae1.50). The "source" columns of the original sheet are the public address and port before translation, the "destination" columns the inside host and port after it.
N# | Rule name | Inbound interface | Public address | Application | Public port | Inside interface | Translated address | Application | Translated port
1 | mgmt1-ssh | ae1.50 | 103.228.190.54 | SSH | 2222 | ae0.100 | 192.168.1.10/32 | SSH | 22
2 | gpu1-mgmt-ssh | ae1.50 | 103.228.190.54 | SSH | 2224 | ae0.100 | 192.168.1.101/32 | SSH | 22
3 | gpu2-mgmt-ssh | ae1.50 | 103.228.190.54 | SSH | 2225 | ae0.100 | 192.168.1.102/32 | SSH | 22
4 | gpu3-mgmt-ssh | ae1.50 | 103.228.190.54 | SSH | 2226 | ae0.100 | 192.168.1.103/32 | SSH | 22
5 | gpu4-mgmt-ssh | ae1.50 | 103.228.190.54 | SSH | 2227 | ae0.100 | 192.168.1.104/32 | SSH | 22
6 | gpu5-mgmt-ssh | ae1.50 | 103.228.190.54 | SSH | 2228 | ae0.100 | 192.168.1.105/32 | SSH | 22
7 | gpu6-mgmt-ssh | ae1.50 | 103.228.190.54 | SSH | 2229 | ae0.100 | 192.168.1.106/32 | SSH | 22
8 | gpu7-mgmt-ssh | ae1.50 | 103.228.190.54 | SSH | 2230 | ae0.100 | 192.168.1.107/32 | SSH | 22
9 | gpu8-mgmt-ssh | ae1.50 | 103.228.190.54 | SSH | 2231 | ae0.100 | 192.168.1.108/32 | SSH | 22
10 | mgmt1-ipmi-web | ae1.50 | 103.228.190.54 | HTTPS | 4445 | ae0.200 | 192.168.2.10/32 | HTTPS | 443
11 | gpu1-ipmi-web | ae1.50 | 103.228.190.54 | HTTPS | 4446 | ae0.200 | 192.168.2.101/32 | HTTPS | 443
12 | gpu2-ipmi-web | ae1.50 | 103.228.190.54 | HTTPS | 4447 | ae0.200 | 192.168.2.102/32 | HTTPS | 443
13 | gpu3-ipmi-web | ae1.50 | 103.228.190.54 | HTTPS | 4448 | ae0.200 | 192.168.2.103/32 | HTTPS | 443
14 | gpu4-ipmi-web | ae1.50 | 103.228.190.54 | HTTPS | 4449 | ae0.200 | 192.168.2.104/32 | HTTPS | 443
15 | gpu5-ipmi-web | ae1.50 | 103.228.190.54 | HTTPS | 4450 | ae0.200 | 192.168.2.105/32 | HTTPS | 443

Row 10 is written as 192.168.2.10/24 on the sheet; a destination NAT target is a single host, so it is given as /32 here like every other row.

Source NAT
N# | Zones | Rule name | Source interfaces | Source address | Destination address | Destination interfaces | Translate
1 | Trust to Untrust | SRCNAT_Trust | ae0.100; ae0.99 | 192.168.1.0/24 | any | ae1.50 | Permit
2 | IPMI to Untrust | SRCNAT_IPMI | ae0.200 | 192.168.2.0/24 | any | ae1.50 | Deny
3 | VM to Untrust | SRCNAT_VM | ae0.300 | 192.168.3.0/24 | any | ae1.50 | Permit
4 | Trust to Trust | HAIRPIN_Trust | ae0.100; ae0.99 | 192.168.1.0/24 | 192.168.1.0/24 | ae0.100; ae0.99 | Permit

SRCNAT_Trust lists ae0.99 as a source interface but only translates 192.168.1.0/24; the iDRAC subnet 192.168.0.0/24 behind ae0.99 is not covered by any source NAT rule.

ADDRESS-SETS: ipmi-nic (IPMI, ae0.200); gpu-servers (VM)
APPLICATIONS: ssh; TCP 20000 to 20319 and UDP (VM to Untrust)
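The destination-NAT rows mgmt1-ssh and mgmt1-ipmi-web, the source-NAT rows SRCNAT_Trust, SRCNAT_IPMI, SRCNAT_VM and HAIRPIN_Trust, and the policies that admit the translated traffic, as an added example in Junos set syntax and not configuration from the page. The point the tables leave implicit: the SRX applies destination NAT before the policy lookup, so the permit policy references the inside host and the translated port, not 103.228.190.54:2222. The table's "Deny" on SRCNAT_IPMI is rendered here as `source-nat off`, and 203.0.113.10/32 stands in for the real trusted-ips member; both are assumptions.

```junos
# Added example, not the page's configuration. Address objects used below.
set security address-book global address admin-host-1 203.0.113.10/32
set security address-book global address-set trusted-ips address admin-host-1
set security address-book global address mgmt1 192.168.1.10/32
set security address-book global address mgmt1-ipmi 192.168.2.10/32

# Destination NAT: public port on ae1.50's address -> inside host:port. Matched on the
# original destination (103.228.190.54) before any policy is consulted. Zone Trust is
# also listed so that inside hosts using the public address are hairpinned (see below).
set security nat destination pool mgmt1-ssh address 192.168.1.10/32 port 22
set security nat destination pool mgmt1-ipmi-web address 192.168.2.10/32 port 443
set security nat destination rule-set public-ports from zone Untrust
set security nat destination rule-set public-ports from zone Trust
set security nat destination rule-set public-ports rule mgmt1-ssh match destination-address 103.228.190.54/32
set security nat destination rule-set public-ports rule mgmt1-ssh match destination-port 2222
set security nat destination rule-set public-ports rule mgmt1-ssh then destination-nat pool mgmt1-ssh
set security nat destination rule-set public-ports rule mgmt1-ipmi-web match destination-address 103.228.190.54/32
set security nat destination rule-set public-ports rule mgmt1-ipmi-web match destination-port 4445
set security nat destination rule-set public-ports rule mgmt1-ipmi-web then destination-nat pool mgmt1-ipmi-web

# Policies see the post-NAT packet: destination mgmt1 / mgmt1-ipmi, application junos-ssh /
# junos-https (port 22 / 443). Source is limited to trusted-ips as in rule 1; a port-forward
# to a BMC web UI is not something to leave reachable from any source.
set security policies from-zone Untrust to-zone Trust policy untrust-to-mgmt1-ssh match source-address trusted-ips
set security policies from-zone Untrust to-zone Trust policy untrust-to-mgmt1-ssh match destination-address mgmt1
set security policies from-zone Untrust to-zone Trust policy untrust-to-mgmt1-ssh match application junos-ssh
set security policies from-zone Untrust to-zone Trust policy untrust-to-mgmt1-ssh then permit
set security policies from-zone Untrust to-zone Trust policy untrust-to-mgmt1-ssh then log session-init
set security policies from-zone Untrust to-zone IPMI policy untrust-to-mgmt1-ipmi-web match source-address trusted-ips
set security policies from-zone Untrust to-zone IPMI policy untrust-to-mgmt1-ipmi-web match destination-address mgmt1-ipmi
set security policies from-zone Untrust to-zone IPMI policy untrust-to-mgmt1-ipmi-web match application junos-https
set security policies from-zone Untrust to-zone IPMI policy untrust-to-mgmt1-ipmi-web then permit
set security policies from-zone Untrust to-zone IPMI policy untrust-to-mgmt1-ipmi-web then log session-init

# Source NAT behind ae1.50 for Trust and VM. SRCNAT_IPMI is deliberately "off" (assumed
# reading of the table's Deny): BMC packets leave untranslated and get no reply.
set security nat source rule-set SRCNAT_Trust from zone Trust
set security nat source rule-set SRCNAT_Trust to zone Untrust
set security nat source rule-set SRCNAT_Trust rule trust-out match source-address 192.168.1.0/24
set security nat source rule-set SRCNAT_Trust rule trust-out then source-nat interface
set security nat source rule-set SRCNAT_IPMI from zone IPMI
set security nat source rule-set SRCNAT_IPMI to zone Untrust
set security nat source rule-set SRCNAT_IPMI rule ipmi-out match source-address 192.168.2.0/24
set security nat source rule-set SRCNAT_IPMI rule ipmi-out then source-nat off
set security nat source rule-set SRCNAT_VM from zone VM
set security nat source rule-set SRCNAT_VM to zone Untrust
set security nat source rule-set SRCNAT_VM rule vm-out match source-address 192.168.3.0/24
set security nat source rule-set SRCNAT_VM rule vm-out then source-nat interface

# Hairpin: a Trust host connecting to 103.228.190.54:2222 is destination-translated to mgmt1
# and source-translated to ae0.100's address, so mgmt1's reply comes back through the SRX
# instead of going straight to the client with an unexpected source. Intra-zone traffic is
# denied by default on the SRX, hence the explicit Trust-to-Trust policy.
set security nat source rule-set HAIRPIN_Trust from zone Trust
set security nat source rule-set HAIRPIN_Trust to zone Trust
set security nat source rule-set HAIRPIN_Trust rule trust-hairpin match source-address 192.168.1.0/24
set security nat source rule-set HAIRPIN_Trust rule trust-hairpin match destination-address 192.168.1.0/24
set security nat source rule-set HAIRPIN_Trust rule trust-hairpin then source-nat interface
set security policies from-zone Trust to-zone Trust policy trust-hairpin-mgmt1 match source-address any
set security policies from-zone Trust to-zone Trust policy trust-hairpin-mgmt1 match destination-address mgmt1
set security policies from-zone Trust to-zone Trust policy trust-hairpin-mgmt1 match application junos-ssh
set security policies from-zone Trust to-zone Trust policy trust-hairpin-mgmt1 then permit
```

`show security flow session destination-port 22` after a test connection shows both the untranslated (In) and translated (Out) wings of the session, which is the quickest way to confirm that the policy matched the inside address. The remaining rows of the table repeat the mgmt1-ssh / mgmt1-ipmi-web pattern with the ports and hosts listed.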
Interface plan (labels drawn beside the configuration)
- ae1.x = public /30
- ae0.99 = 192.168.0.1/24
- ae0.100 = 192.168.1.254/24
- ae0.200 = 192.168.2.254/24
- ae0.300 = 192.168.3.254/24 (a second copy of the label reads "ae0.300 = subnet public/2X")
- lt-0/0/0 = 10.20.30.1/30, RadianArc instance, OSPF RID 10.29.1.32; RadianArc and Global instance
- ge-0/0/1 = 192.168.50.1/24
- ge-0/0/0, ae0.0, ge-0/0/29: the routed links to the QFX as in the site template; Zabbix Agent on the management server

Logical tunnel between the RadianArc instance and the global instance
set groups RADIANARC interfaces lt-0/0/0 unit 1 encapsulation ethernet
set groups RADIANARC interfaces lt-0/0/0 unit 1 peer-unit 2
set groups RADIANARC interfaces lt-0/0/0 unit 1 family inet address 10.20.30.1/30
set groups RADIANARC interfaces ge-0/0/1 unit 0 family inet address 192.168.50.1/24
(The peer end of the tunnel, lt-0/0/0 unit 2 with peer-unit 1 in the global instance, is not part of this fragment.)

OSPF routing configuration
set groups RADIANARC routing-instances RadianArc protocols ospf area 0.0.0.0 interface lt-0/0/0.1
set groups RADIANARC routing-instances RadianArc interface lt-0/0/0.1

Security Zones configuration
set groups RADIANARC security zones security-zone Z1 host-inbound-traffic system-services all
set groups RADIANARC security zones security-zone Z1 host-inbound-traffic protocols all
set groups RADIANARC security policies from-zone Z1 to-zone Z1 policy Z1-Z1 match source-address any
set groups RADIANARC security policies from-zone Z1 to-zone Z1 policy Z1-Z1 match destination-address any
set groups RADIANARC security policies from-zone Z1 to-zone Z1 policy Z1-Z1 match application any
set groups RADIANARC security policies from-zone Z1 to-zone Z1 policy Z1-Z1 then permit
set security policies from-zone Z2 to-zone Z2 policy Z2-Z2 match source-address any
set security policies from-zone Z2 to-zone Z2 policy Z2-Z2 match destination-address any
set security policies from-zone Z2 to-zone Z2 policy Z2-Z2 match application any
set security policies from-zone Z2 to-zone Z2 policy Z2-Z2 then permit
(A Junos security policy does not commit without source-address, destination-address and application match terms; the missing match source-address any lines are supplied above. Zone Z2 itself and the interface membership of Z1 are not in this fragment. "system-services all" and "protocols all" open every service the SRX offers to the whole zone; that is tolerable only for an internal zone holding nothing but the lt-0/0/0 leak link, and must never be applied to the zone that holds ae1.50, which the rules table above restricts to ssh, https, ike and ping.)

Routing policies configuration
set groups RADIANARC policy-options policy-statement p1 from instance RadianArc
set groups RADIANARC policy-options policy-statement p1 from protocol direct
set groups RADIANARC policy-options policy-statement p1 then accept

SNMP configuration
set groups RADIANARC snmp location "ActivePort West Perth Office, Level 4"
set groups RADIANARC snmp contact "support@activeport.com.au"
set groups RADIANARC snmp community ActivePortSNMP authorization read-only
set groups RADIANARC snmp community ActivePortSNMP routing-instance RadianArc
set groups RADIANARC snmp trap-options source-address 192.168.1.254
set groups RADIANARC snmp trap-group ActivePortSNMP version v2
set groups RADIANARC snmp trap-group ActivePortSNMP categories chassis
set groups RADIANARC snmp trap-group ActivePortSNMP categories link
set groups RADIANARC snmp trap-group ActivePortSNMP categories remote-operations
set groups RADIANARC snmp trap-group ActivePortSNMP categories routing
set groups RADIANARC snmp trap-group ActivePortSNMP categories startup
(The trap source 192.168.1.254 is the ae0.100 management gateway. The community is SNMPv2c, sent in clear text on every poll, and no client list limits who may use it.)
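The two weak settings in the fragment above beside a tightened form, as an added example in the same RADIANARC group and not configuration from the page. It assumes zone Z1 contains only lt-0/0/0.1 (the fragment does not list the zone's interfaces) and that 192.168.1.10, the mgmt1 host of the NAT table, is the SNMP poller; both are assumptions.

```junos
# Added example, not the page's configuration.
# Before: every system service and every protocol accepted on the whole zone.
#   set groups RADIANARC security zones security-zone Z1 host-inbound-traffic system-services all
#   set groups RADIANARC security zones security-zone Z1 host-inbound-traffic protocols all
# After: only what the routing-instance leak link needs, bound to that one interface.
delete groups RADIANARC security zones security-zone Z1 host-inbound-traffic
set groups RADIANARC security zones security-zone Z1 interfaces lt-0/0/0.1 host-inbound-traffic system-services ping
set groups RADIANARC security zones security-zone Z1 interfaces lt-0/0/0.1 host-inbound-traffic protocols ospf

# A v2c community string travels in clear text, so the only control left is who may use it:
# the poller (assumed 192.168.1.10) is allowed, every other client is refused.
set groups RADIANARC snmp community ActivePortSNMP clients 192.168.1.10/32
set groups RADIANARC snmp community ActivePortSNMP clients 0.0.0.0/0 restrict
```

`show snmp statistics` counts "bad community names" from refused clients, and `show security zones Z1` lists the interface-level host-inbound services that result, which should be exactly ping and ospf.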