NKN Juniper Configuration Template V1.3 (1)

Apr 19, 2017

Page 1: NKN Juniper Configuration Template V1.3 (1)

Configuration Template

Generated For: NIC    Project Name: NKN    Generated On: 05-09-2011

Page 2: NKN Juniper Configuration Template V1.3 (1)

Low Level Design - [Customer Name]

Table of Contents

Document Version Control .......... 3
1. Chassis and System Configuration .......... 4
    1.1 Chassis and Port Numbering .......... 4
    1.2 Component Inventory .......... 8
    1.3 JUNOS Software .......... 8
    Make Juniper Router Reachable via WAN .......... 9
    1.4 System Configurations .......... 12
        1.4.1 SNMP .......... 14
        1.4.2 NTP and Time .......... 15
        1.4.3 Syslog .......... 15
    1.5 Chassis Configuration .......... 16
    1.6 Interface Configuration Template .......... 16
2. OSPF Configuration .......... 18
    2.1 OSPF Configuration Template .......... 18
3. BGP Design .......... 19
    3.1 BGP Configuration Template .......... 19
4. Multicast .......... 20
5. MPLS .......... 21
    5.1 Overview of NKN MPLS .......... 21
    5.2 MPLS Configuration Templates .......... 21
        5.2.1 LDP Configuration .......... 21
        5.2.2 MPLS Configuration .......... 21
        5.2.3 L3 VPN Configuration .......... 22
6. Unicast Reverse Path Forwarding .......... 24
7. Sign Off .......... 25

© 2009 Juniper Networks, Inc. Page 2 of 26


Document Version Control

Author: Chetan Prakash Gautam
Version: Version 1.1
Date: 05-09-2011

Version History:

Version Number | Author | Date | Reason for Change
1.0 | Chetan Gautam | 05-09-2011 | Initial Draft
1.1 | Chetan Gautam | 21-09-2011 | Updated with comments of the NKN team to make it more specific and remove additional details.
1.1 | Gaurav Bajpai | 27-09-2011 | Added configuration for OSPF authentication, configuration for Protect RE filter, configuration for Syslog, configuration for remote user.
1.2 | Gaurav Bajpai | 01-10-2011 | Added configuration for Multicast
1.3 | Gaurav Bajpai | 05-10-2011 | Added configuration for NKN-PUB VRF; added configuration for URPF; added Multicast RP address and ASM & SSM group range


1. Chassis and System Configuration

This section outlines the Juniper router's chassis components and details the JUNOS system configuration used in the new IP/MPLS core network.

1.1 Chassis and Port Numbering

MX80

NIC is using the modular MX80 router, which has two slots. The cards in MX routers are Modular Interface Cards, known as MICs. Each MX80 is provided with one 20x1G MIC, which can be installed in either of these slots. This card has 20 1G ports.

Interface in JUNOS

Interfaces in JUNOS are written in their short form when configuring devices. Some examples are shown below.

ge-1/0/1    Gigabit Ethernet Interface
so-1/0/1    SONET Interface
t1-1/0/1    T1 Interface

In the rest of the document we will only use ge for reference.

Interface Numbering:

The diagram below shows the port numbering in the MX80.


The modular slot in the MX80 is MPC 1, so the port numbering for ports in a MIC always starts with 1. Each MIC is internally divided into two PICs. The MIC on the left side has PIC 0 and 1, and the MIC on the right side has PIC 2 and 3, as shown in the diagram.

The diagram below shows the MIC numbering of the MX80.

The diagram below shows the MX80 layout and port numbering as explained above.


M10i Hardware Details and Port Numbering


The diagram below shows the port numbering of the M10i router. The M10i has two built-in line cards known as FPCs (Flexible PIC Concentrators). These FPCs are numbered FPC0 and FPC1.

Each FPC can hold four PICs, numbered 0-3, i.e. PIC0, PIC1, PIC2 and PIC3.

These routers are also capable of redundant Routing Engines (REs), but NKN routers are installed with a single RE only.


1.2 Component Inventory

MX80: USB, Fiber and Copper SFP, 20X1GE MIC
M10i: Single RE, Single CFEB, Four 4X1GE PIC, One MS-PIC, One Tunnel PIC

1.3 JUNOS Software

Juniper Junos is the network operating system used in Juniper Networks hardware systems. Juniper markets Junos as a uniform operating system that operates similarly across Juniper's routing, switching and security product lines.

The Junos software is modular and has a distributed architecture comprising multiple daemons. Junos configuration is performed in a hierarchy according to the network functionality and requirement.

Figure 1: Configuration Mode Hierarchy Directories

The low level design defined in this document is known to work with JUNOS 11.1R4. Other versions of JUNOS will support this configuration, but we advise testing the services before going live. Any configuration not in this document should not be applied to a Juniper MX960 router acting as a P/PE unless otherwise stated. Software upgrades and configuration changes will be performed depending on the test results and new requirements, based on recommendations from Juniper.


Make Juniper Router Reachable via WAN

Login via Console

Connect to the console and log in with username "root" (initially no password will be prompted). The "root%" prompt will be seen.

Type "cli" and the "root>" prompt will be seen. Type "configure" and the "root#" prompt will be seen, which is configuration mode.

root% cli
root> configure
root>     ## Operational Mode
root#     ## Config Mode

Root Password

JUNOS does not allow the configuration to be committed unless a password for root is configured. This can be seen if we try to commit while setting up the router initially.

juniper@M10i# commit
[edit]
  'system'
    Missing mandatory statement: 'root-authentication'
error: commit failed: (missing statements)

If you see this error, it means that root authentication needs to be configured. Use the CLI below to configure root authentication.

juniper@M10i# set system root-authentication plain-text-password
New password:
Retype new password:

[edit]
juniper@M10i# commit
commit complete


Enable Telnet and FTP

By default telnet, ssh and ftp are not enabled. Follow the steps below to enable these services. Please note that ssh is not enabled at this stage: a JUNOS upgrade is required to enable ssh. There will be a separate document for upgrading JUNOS.

set system services ftp
set system services telnet
set system services ssh       ## This should only be enabled after the Junos upgrade

Configure WAN Interface for Connectivity

For connectivity, a default route and the interface IP address need to be configured. Let's say the WAN interface is ge-1/1/7.

set interfaces ge-1/1/7 description "Connected Towards Core"
set interfaces ge-1/1/7 mtu 9114
set interfaces ge-1/1/7 unit 0 family inet address <ip-address/subnet-mask>    e.g. 10.25.252.193/30

Configure Default Route

Use the CLI below to configure the default route.

set routing-options static route 0.0.0.0/0 next-hop <ip-address-of-connected-RTR>    e.g. 10.25.252.194

Once this is done, the router should be reachable from iNOC, provided the WAN IP is reachable via routing. If not, a PC/laptop can be connected at this stage to telnet to the router. Even though we can telnet to the router via IP connectivity, there is no user configured to log in.

Username "root" cannot be used when connecting to the router via telnet. It can be used only on the console.


Configuring Local Username on Router

Use the CLI below to configure a username and password.

set system login user juniper uid 2000
set system login user juniper class super-user
set system login user juniper authentication plain-text-password
New password: juniper123
Retype new password: juniper123

During the initial phase of implementation a separate class of users will be created with limited permissions on the router. Users mapped to this class will be authenticated by the TACACS+ server and authorized locally. The configuration snippet below should be configured on all routers. All remote users except the super user will be authenticated by TACACS+ during the initial phase of deployment.


set system login class NOC permissions access
set system login class NOC permissions clear
set system login class NOC permissions interface
set system login class NOC permissions network
set system login class NOC permissions routing
set system login class NOC permissions system
set system login class NOC permissions view
set system login class NOC permissions view-configuration

set system login user remote uid 2001
set system login user remote class NOC


1.4 System Configurations

The section below provides details of the system level configuration.

set system domain-name <DOMAIN NAME>
set system time-zone Asia/Calcutta
set system no-redirects

All RE-generated traffic takes the loopback address as its source IP:

set system default-address-selection

The command below is helpful for debugging: if the JUNOS kernel crashes, the router goes to the debug prompt for log collection.

set system dump-on-panic
set system internet-options tcp-drop-synfin-set
set system name-server <DNS_SERVER>

Configure the commands below to set the terminal type on the console. Also, the user will be logged out once the cable is removed from the console.

set system ports console log-out-on-disconnect
set system ports console type vt100

Configure Root Password

set system root-authentication plain-text-password <root_password>

Configure the authentication order with the commands below. "password" means local authentication. This can be configured initially so that telnet/ssh login with the local username still works in case TACACS+ has a problem; it should be removed afterwards.

set system authentication-order tacplus
set system authentication-order password

TACACS Configuration

set system tacplus-server <tacacs_server1> secret "<secret_key>"
set system tacplus-server <tacacs_server1> timeout 5
set system tacplus-server <tacacs_server1> source-address <loopback_address>
set system tacplus-server <tacacs_server2> secret "<secret_key>"
set system tacplus-server <tacacs_server2> timeout 5
set system tacplus-server <tacacs_server2> source-address <loopback_address>
set system tacplus-options service-name junos-exec


Accounting to be done on TACACS Server

set system accounting events login
set system accounting events change-log
set system accounting events interactive-commands
set system accounting destination tacplus server <tacacs_server1> secret <secret_key>
set system accounting destination tacplus server <tacacs_server1> timeout 5
set system accounting destination tacplus server <tacacs_server1> source-address <loopback_address>
set system accounting destination tacplus server <tacacs_server2> secret <secret_key>
set system accounting destination tacplus server <tacacs_server2> timeout 5
set system accounting destination tacplus server <tacacs_server2> source-address <loopback_address>

The CLI below configures the login banner.

set system login message "\NKN\n\nWARNING: You have accessed a network device operated by NKN. You are required\nto have a personal authorisation from the system administrator before you use\nthis computer and you are strictly limited to the use set out in that written\nauthorisation. Unauthorised access to or misuse of this system is prohibited\nand may constitute an offence.\n\nIf you disclose any information obtained through this system without authority\nNKN will take an appropriate action against you. This may include legal\nproceedings, prosecution and disciplinary action up to and including\ndismissal.\n\n"

Start the ssh and ftp services on JUNOS. Note that telnet is not enabled for security reasons. By default telnet, ssh and ftp are not enabled and need to be explicitly enabled.

set system services ssh connection-limit 16
set system services ssh rate-limit 16
set system services ssh root-login deny
set system services ssh protocol-version v2
set system services ftp

Drop packets that have both the SYN and FIN bits set in the TCP flags, for RE-bound traffic:

set system internet-options tcp-drop-synfin-set
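As an added example (not part of the original template), the Python below audits a set-style Junos configuration against the hardening items this section specifies: root password present, TACACS+ in the authentication order with the temporary local-password fallback removed, ssh root-login deny and protocol v2, SYN+FIN drop, console logout on disconnect, and telnet left off. The sample configuration lines are constructed for a hypothetical router.

```python
import re

# Constructed sample of set-style lines for a hypothetical router, loosely
# following this template; it deliberately keeps telnet and the temporary
# "authentication-order password" fallback, and omits the ssh v2 pin.
SAMPLE_CONFIG = """
set system root-authentication encrypted-password "<hash placeholder>"
set system authentication-order tacplus
set system authentication-order password
set system services ftp
set system services telnet
set system services ssh root-login deny
set system internet-options tcp-drop-synfin-set
set system ports console log-out-on-disconnect
set system login user remote class NOC
""".strip().splitlines()

# (rule name, must the pattern be present?, regex applied to each set line)
RULES = [
    ("root password configured", True, r"^set system root-authentication "),
    ("TACACS+ in authentication-order", True, r"^set system authentication-order tacplus$"),
    ("local password fallback removed", False, r"^set system authentication-order password$"),
    ("ssh root login denied", True, r"^set system services ssh root-login deny$"),
    ("ssh pinned to protocol v2", True, r"^set system services ssh protocol-version v2$"),
    ("SYN+FIN packets to RE dropped", True, r"^set system internet-options tcp-drop-synfin-set$"),
    ("console logs out on disconnect", True, r"^set system ports console log-out-on-disconnect$"),
    ("telnet service not enabled", False, r"^set system services telnet$"),
]


def check_config(lines):
    """Map each rule name to True (compliant) or False (deviation from the template)."""
    stripped = [line.strip() for line in lines]
    results = {}
    for name, must_exist, pattern in RULES:
        present = any(re.search(pattern, line) for line in stripped)
        # A rule passes when the statement's presence matches what the template requires
        results[name] = present == must_exist
    return results


def failures(lines):
    """Sorted list of the rule names the configuration fails."""
    return sorted(name for name, ok in check_config(lines).items() if not ok)


if __name__ == "__main__":
    for name in failures(SAMPLE_CONFIG):
        print("FAIL:", name)
```

The same checker can be run over the output of `show configuration | display set` saved from a router, one line per statement.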


1.4.1 SNMP

Note: This needs to be tested in NKN env and this comment can be removed.

The section below provides details of the SNMP configuration. It allows an SNMP management station to poll or MIB-walk the router via SNMP.

The trap-group command specified below ensures that SNMP traps related to authentication, chassis, link, routing etc. are sent to the specified SNMP server.

set snmp location "Site, Row, Rack, Shelf"
set snmp contact "<provide contact details>"
set snmp community <community> authorization read-only
set snmp community <community> clients <snmp-server>
set snmp community <community> clients <snmp-server>
set snmp trap-group nkn-traps categories authentication
set snmp trap-group nkn-traps categories chassis
set snmp trap-group nkn-traps categories link
set snmp trap-group nkn-traps categories routing
set snmp trap-group nkn-traps categories configuration
set snmp trap-group nkn-traps targets <snmp-server>
set snmp trap-group nkn-traps targets <snmp-server>
set snmp trap-options source-address lo0

/*** The above configuration is a sample of how to configure SNMP on a Juniper router ***/

/*** The configuration below should be pasted on the routers once integrated into the network ***/
set snmp location I-NOC-DLEHI-NIC-OFFICE
set snmp contact SNMP-MGMT-TEAM
set snmp community 20NknNode09 authorization read-only
set snmp community 20NknNode09 clients 10.1.17.4/32
set snmp community 20NknNode09 clients 10.1.17.132/32
set snmp community 20NknNode09 clients 10.1.17.6/32
set snmp community 20NknNode09 clients 10.1.17.134/32
set snmp community 20NknNode09 clients 10.1.17.14/32
set snmp community 20NknNode09 clients 10.1.17.142/32
set snmp community 20NknNode09 clients 10.1.17.16/32
set snmp community 20NknNode09 clients 10.1.17.144/32
set snmp trap-options source-address 10.255.246.119
set snmp trap-group nkn-traps categories authentication
set snmp trap-group nkn-traps categories chassis
set snmp trap-group nkn-traps categories link
set snmp trap-group nkn-traps categories routing
set snmp trap-group nkn-traps categories startup
set snmp trap-group nkn-traps categories configuration
set snmp trap-group nkn-traps targets 10.1.17.4
set snmp trap-group nkn-traps targets 10.1.17.132
set snmp trap-group nkn-traps targets 10.1.17.6
set snmp trap-group nkn-traps targets 10.1.17.134
set snmp trap-group nkn-traps targets 10.1.17.14
set snmp trap-group nkn-traps targets 10.1.17.142
set snmp trap-group nkn-traps targets 10.1.17.16
set snmp trap-group nkn-traps targets 10.1.17.144


1.4.2 NTP and Time

The commands below specify the NTP server for the network.

set system ntp boot-server 10.255.255.3
set system ntp server 10.255.255.3

Verifying the NTP association:

juniper@M10i> show ntp associations
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*10.255.255.3    CHU_AUDIO(1)     2 -   497 1024  377    0.807   -9.675   1.433

1.4.3 Syslog

Proper collection of system logs (syslog) is critical to managing the health of the network. The following template is recommended to ensure that:

Log messages are saved on the local disk in the specified files. JUNOS provides the flexibility to store different kinds of logs in different files so that finding logs is easier. For example, in the configuration below the files "messages" and "cli.log" are used.

Syslog is also sent to the remote syslog server at the specified <IP_SERVER>.

User access information is logged to a separate local file.

Commands executed by each account are logged to a separate local file.

Various system log information (messages, chassis, etc.) is logged to the default local file.

The number and size of log files are 10 and 1 MB respectively, to retain log messages for a reasonable duration.

set system syslog archive size 1m
set system syslog archive files 10
set system syslog user * any emergency
set system syslog host <IP_SERVER> any notice
set system syslog host <IP_SERVER> authorization info
set system syslog host <IP_SERVER> facility-override local7
set system syslog host <IP_SERVER> explicit-priority
set system syslog file messages any notice
set system syslog file messages authorization info
set system syslog file messages explicit-priority
set system syslog file interactive-commands interactive-commands any
set system syslog file change.log change-log any
set system syslog file change.log explicit-priority
set system syslog file cli.log interactive-commands info
set system syslog file cli.log match ".*(cmdline|junoscript).*"
set system syslog file cli.log explicit-priority
set system syslog file link.up.down daemon info
set system syslog file link.up.down match UpDown
set system syslog file link.up.down explicit-priority


1.5 Chassis Configuration

This section provides details on commands to be configured at chassis hierarchy.

This is only for the MX80:

set chassis network-services ip

1.6 Interface Configuration Template

Core Facing Interface

This section provides details of the interface configuration. Verify the interface numbering as explained in the hardware section above.

The following details can be provided on an interface:

Interface description
Physical MTU: please note that JUNOS accounts for 14 bytes of Ethernet header.
Family to be used on the interface: for example inet for IPv4, inet6 for IPv6, and mpls.
IP address: please note how the subnet mask needs to be specified.

set interfaces ge-1/1/7 description "Connected Towards Core Router <District-Router-Interface>"
set interfaces ge-1/1/7 mtu 9114
set interfaces ge-1/1/7 unit 0 family inet address <IP-Address/30>
set interfaces ge-1/1/7 unit 0 family inet6
set interfaces ge-1/1/7 unit 0 family mpls

Loopback Interface

All routers must be configured with the loopback interface specified by HQ for that particular site.

Please note that the firewall filter, which provides VTY ACL-like functionality, is not applied at this time.

set interfaces lo0 unit 0 family inet address 127.0.0.1/32
set interfaces lo0 unit 0 family inet address <ip-address/32> primary


L3VPN CE Facing Interface

This section shows the configuration of the interface used to connect the L3VPN CE. Please note that in this template the same interface name might be used to show the L3VPN config.

set interfaces ge-1/1/9 description "Connected Towards CE Router <University-College-L3VPN>"
set interfaces ge-1/1/9 unit 0 family inet address <IP-Address/30>

Application of Firewall Filter on the Loopback Interface to Restrict User Access

The firewall filter must be applied to the loopback interface to prevent unauthorized access to the router from unidentified sources. Note: apply the configuration below only after confirmation from INOC.


set firewall family inet filter PROTECT_RE_FILTER term PERMIT_SSH from source-prefix-list SSH_INFRA_PREFIX
set firewall family inet filter PROTECT_RE_FILTER term PERMIT_SSH from protocol tcp
set firewall family inet filter PROTECT_RE_FILTER term PERMIT_SSH from port ssh
set firewall family inet filter PROTECT_RE_FILTER term PERMIT_SSH then accept
set firewall family inet filter PROTECT_RE_FILTER term DENY_SSH from protocol tcp
set firewall family inet filter PROTECT_RE_FILTER term DENY_SSH from port ssh
set firewall family inet filter PROTECT_RE_FILTER term DENY_SSH then discard
set firewall family inet filter PROTECT_RE_FILTER term ACCEPT_EVERYTHING_ELSE then accept

set policy-options prefix-list SSH_INFRA_PREFIX 10.1.16.0/22
set policy-options prefix-list SSH_INFRA_PREFIX 10.1.27.69/32

set interfaces lo0 unit 0 family inet filter input PROTECT_RE_FILTER    /*** Apply only after the confirmation ***/
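As an added illustration that is not part of the original template, the Python below replays the three terms of PROTECT_RE_FILTER in their configured order against constructed packets. It reproduces Junos first-match evaluation and the fact that "from port ssh" matches either the source or the destination port; the Packet class and sample addresses are assumptions for the model, not Junos code.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Packet:
    """Constructed packet summary: only the fields the filter inspects."""
    src: str
    proto: str          # "tcp", "udp", "icmp", ...
    sport: int = 0
    dport: int = 0


# Prefix list SSH_INFRA_PREFIX exactly as configured in the template
SSH_INFRA_PREFIX = [ipaddress.ip_network(p) for p in ("10.1.16.0/22", "10.1.27.69/32")]
SSH_PORT = 22


def from_ssh_infra(pkt):
    """'from source-prefix-list SSH_INFRA_PREFIX'."""
    addr = ipaddress.ip_address(pkt.src)
    return any(addr in net for net in SSH_INFRA_PREFIX)


def tcp_ssh_port(pkt):
    """'from protocol tcp' plus 'from port ssh' (source OR destination port)."""
    return pkt.proto == "tcp" and SSH_PORT in (pkt.sport, pkt.dport)


# Terms in configured order; the first term whose conditions match decides
TERMS = [
    ("PERMIT_SSH", lambda p: tcp_ssh_port(p) and from_ssh_infra(p), "accept"),
    ("DENY_SSH", tcp_ssh_port, "discard"),
    ("ACCEPT_EVERYTHING_ELSE", lambda p: True, "accept"),
]


def evaluate(pkt):
    """Return (term name, action) of the first matching term."""
    for name, matches, action in TERMS:
        if matches(pkt):
            return name, action
    return "<implicit>", "discard"   # Junos default when no term matches (unreachable here)


if __name__ == "__main__":
    samples = [
        Packet("10.1.16.5", "tcp", 51000, 22),     # NOC host opening ssh to the RE
        Packet("192.0.2.10", "tcp", 51000, 22),    # ssh from outside the prefix list
        Packet("192.0.2.10", "tcp", 22, 51000),    # reply from an ssh server the router connected to
        Packet("192.0.2.10", "udp", 40000, 161),   # SNMP from anywhere
    ]
    for pkt in samples:
        print(pkt, "->", evaluate(pkt))
```

The last two samples show the filter's scope: only SSH is constrained, so telnet, ftp and SNMP towards the RE still fall through to ACCEPT_EVERYTHING_ELSE, and an SSH session the router itself opens to a host outside SSH_INFRA_PREFIX has its replies discarded by DENY_SSH.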


2. OSPF Configuration

This section provides details of the OSPF configuration.

The OSPF protocol is used for the NKN network. Please check with HQ for the NKN POP area number.

2.1 OSPF Configuration Template

OSPF area <area-number> is configured and interface ge-1/1/7 is made part of it. Interface ge-1/1/7 is also defined as a point-to-point interface under OSPF.

Please note that it is mandatory to make the lo0 interface part of OSPF.

set protocols ospf area <area-number> interface ge-1/1/7.0 interface-type p2p
set protocols ospf area <area-number> interface lo0.0
set protocols ospf area <area-number> interface ge-1/1/7.0 authentication md5 1 key <Key value>
set protocols ospf area <area-number> interface ge-1/1/7.0 authentication md5 2 key <Key value>

Note: As explained in the "Configuring Interface" section, please make sure that the core facing interface MTU is configured as 9114 when it is connected to a Cisco router having an MTU of 9100.


3. BGP Design

This section details the BGP design and the factors contributing to the design decisions.

3.1 BGP Configuration Template

This section explains the configuration of iBGP.

Family "inet-vpn" is the only configuration required for MP-BGP (vpn-v4). Local-address is similar to update-source, and if type "internal" is specified we do not need to provide remote-as.

set protocols bgp group NKN-Reflector family inet unicast
set protocols bgp group NKN-Reflector family inet-vpn unicast
set protocols bgp authentication-key "<key>"
set protocols bgp group NKN-Reflector type internal
set protocols bgp group NKN-Reflector local-address <Loopback-Address>
set protocols bgp group NKN-Reflector neighbor <RR1>
set protocols bgp group NKN-Reflector neighbor <RR2>

set protocols bgp group NKN-Reflector mtu-discovery
set protocols bgp group NKN-Reflector log-updown

The autonomous system is defined globally in JUNOS under routing-options.

set routing-options autonomous-system <as-number>


4. Multicast

This section details the global multicast configuration required for PIM Source Specific Multicast.

set protocols pim interface <Interface_Identifier> mode sparse version 2

/*** WAN interface must be configured under the Protocol PIM hierarchy***/

set routing-options multicast ssm-groups <SSM_Group_Range>
/*** SSM_GROUP_RANGE = 239.232.0.0/16 ***/

The SSM configuration for VPN works in provider tunnel mode. The configuration for MVPN will be shared in the next version of the LLD or as and when required.

For configuring the RP in multicast ASM, the configuration below is required. The NKN network has a predefined RP, so a static RP should be configured on every Juniper PE router unless otherwise stated.

set protocols pim rp local address <address_rp>
/*** use the above command to specify the local router as RP ***/

set protocols pim rp static address <address_rp> group-ranges 239.192.0.0/16
/*** use the above command to specify the static RP address ***/
/*** Static RP = 10.255.232.255 ***/
/*** ASM group range = 239.192.0.0/16 ***/

Note: In either case the WAN interface must always be configured under protocol PIM. To support Rosen draft 7 SSM, BGP must be configured for family inet-mdt.


5. MPLS

This section describes configuration required for MPLS and MPLS based services.

5.1 Overview of NKN MPLS

The existing Cisco based network already uses LDP as the signaling protocol. On Cisco, a distribute list is used to filter all labels except the label for the loopback interface. The default behavior of JUNOS is to generate a label for the lo0 interface only.

Default timers will be used.

Traceoptions/Debug will not be used in production network. It shall be used only for troubleshooting purposes.

Martini based L2circuits will be used, both VLAN based and port based (VC type 5).

Full mesh and extranet L3VPN will be used. Internet access will be provided by importing the community of NKN_PUB.

5.2 MPLS Configuration Templates

5.2.1 LDP Configuration

Enable LDP on the core facing interface of the NKN PE router. If the router is acting as transit, then MPLS needs to be enabled on all interfaces connected to the MPLS domain. Please note that LDP is enabled on the lo0 interface as well.

At present track-igp-metric and igp-sync are not used. They will be tested first in NKN environment.

set protocols ldp interface <core-facing-interface>
set protocols ldp interface lo0.0

5.2.2 MPLS Configuration

The snippet below enables the interface to carry MPLS (labeled) traffic and makes it part of the MPLS domain. MPLS should be enabled on all interfaces acting as transit interfaces for MPLS traffic.

set interfaces ge-*/*/* unit 0 family mpls

set protocols mpls interface ge-*/*/*.0

While configuring an interface within the protocols mpls hierarchy, it is advised to specify the unit number of the interface if it is different from unit 0. When an interface is configured under the MPLS hierarchy without an explicit unit, the default unit is 0.


5.2.3 L3 VPN Configuration

Most of the L3VPN configuration is done under the routing-instance hierarchy. The one time configuration of MP-BGP is done under the "protocols bgp" hierarchy as explained in the BGP section.

The configuration steps are:

Define a "vrf" type routing-instance.
Add the RD to the routing instance/VRF.
Add the interface to the VRF.
Configure the RT via the vrf-import and vrf-export CLI for import and export of the community.

Please refer to the HLD document for more details on L3VPN.

set routing-instances NKN-PUB instance-type vrf
set routing-instances NKN-PUB route-distinguisher <AS:RD>
set routing-instances NKN-PUB vrf-table-label
set routing-instances NKN-PUB vrf-target target:xxx:yyy    (where xxx:yyy is the community of the VPN)
set routing-instances NKN-PUB interface <Interface>

Using Static Route as PE-CE routing protocol

set routing-instances NKN-PUB routing-options static route <customer subnet> next-hop <next-hop>

Never use a default route in a VRF when using the vrf-target knob.

VRF-Target

This is the easiest method to attach or import an extended community to VPN routes. VRF-target is used when the import and export community are the same and only a single community is required. Using this option allows automatic advertisement of all the routes in the routing-instance. Though this option seems very simple, it needs to be used with caution if default static routes are used in the VRF for centralized NAT on the PE router.

vrf-target target:1:1


Vrf-table-label

The vrf-table-label statement makes it possible to map the inner label to a specific VRF routing table; this mapping allows the encapsulated IP header to be examined at the egress VPN router. This feature is enabled when the following behavior is required:

Forwarding traffic on a PE-router-to-CE-device interface on a shared medium, where the CE device is a Layer 2 switch without IP capabilities (for example, a metro Ethernet switch). The first lookup is done on the VPN label to determine which VRF table to refer to, and the second lookup is done on the IP header to determine how to forward packets to the correct end hosts on the shared medium. This is required, for example, to ARP for the correct host on an Ethernet network.

Performing egress filtering at the egress PE router.

NKN-PUB Routing-Instance Configuration

The section below details the NKN-PUB VRF (Routing Instance) configuration of the NKN PE routers.

set routing-instances NKN-PUB instance-type vrf
set routing-instances NKN-PUB interface <Interface_Identifier>
set routing-instances NKN-PUB route-distinguisher 4758:200
set routing-instances NKN-PUB vrf-target target:4758:200
set routing-instances NKN-PUB vrf-table-label
set routing-instances NKN-PUB routing-options static route <IP_SUBNET> next-hop <IP_ADDRESS_CPE>

/*** <Interface_Identifier> = CPE connected interface
<IP_SUBNET> = Reverse route for the CPE subnet
<IP_ADDRESS_CPE> = IP address of the connected CPE interface ***/
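The following audit script is an added example and is not part of the NKN template or Juniper's tooling. It parses a "set"-style snippet and checks each vrf instance for the three statements the NKN-PUB configuration above relies on (route-distinguisher, vrf-target, vrf-table-label) and for the caveat stated earlier: because vrf-target auto-exports every route, a default static route must not sit in a VRF that uses it. The sample config is constructed; the NKN-NAT instance and its addresses are hypothetical.

```python
import ipaddress
import re

# Constructed sample: NKN-PUB follows the template; NKN-NAT (hypothetical) does not.
SAMPLE_CONFIG = """
set routing-instances NKN-PUB instance-type vrf
set routing-instances NKN-PUB interface ge-0/0/1.0
set routing-instances NKN-PUB route-distinguisher 4758:200
set routing-instances NKN-PUB vrf-target target:4758:200
set routing-instances NKN-PUB vrf-table-label
set routing-instances NKN-PUB routing-options static route 10.10.0.0/24 next-hop 192.0.2.2
set routing-instances NKN-NAT instance-type vrf
set routing-instances NKN-NAT interface ge-0/0/2.0
set routing-instances NKN-NAT vrf-target target:4758:300
set routing-instances NKN-NAT routing-options static route 0.0.0.0/0 next-hop 192.0.2.6
"""

# Statements every L3VPN VRF in this template must carry
REQUIRED = ("route-distinguisher", "vrf-target target:", "vrf-table-label")

def parse_vrfs(config):
    """Group 'set routing-instances <name> ...' statements by instance name."""
    vrfs = {}
    for line in config.splitlines():
        m = re.match(r"set routing-instances (\S+) (.*)", line.strip())
        if m:
            vrfs.setdefault(m.group(1), []).append(m.group(2))
    return vrfs

def audit_vrf(name, stmts):
    """Findings for one routing instance of type vrf (other types are skipped)."""
    findings = []
    if "instance-type vrf" not in stmts:
        return findings
    for req in REQUIRED:
        if not any(s.startswith(req) for s in stmts):
            findings.append(f"{name}: missing {req.split()[0]}")
    uses_vrf_target = any(s.startswith("vrf-target") for s in stmts)
    for s in stmts:
        m = re.match(r"routing-options static route (\S+) next-hop", s)
        # vrf-target auto-exports every route, so a default route would reach all VPN sites
        if m and uses_vrf_target and ipaddress.ip_network(m.group(1), strict=False).prefixlen == 0:
            findings.append(f"{name}: default static route in a VRF using vrf-target")
    return findings

def audit_config(config):
    """Run audit_vrf over every instance in a 'set'-style config; returns all findings."""
    findings = []
    for name, stmts in parse_vrfs(config).items():
        findings.extend(audit_vrf(name, stmts))
    return findings
```

Running audit_config(SAMPLE_CONFIG) reports nothing for NKN-PUB and three findings for NKN-NAT (missing RD, missing vrf-table-label, default route with vrf-target); feed it the output of "show configuration | display set" to check a live router.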


6. Unicast Reverse Path Forwarding

IP spoofing can occur during a denial-of-service (DoS) attack. IP spoofing allows an intruder to pass IP packets to a destination as genuine traffic, when in fact the packets are not actually meant for the destination. This type of spoofing is harmful because it consumes the destination’s resources.

Unicast reverse-path-forwarding (RPF) check is a tool to reduce forwarding of IP packets that may be spoofing an address. A unicast RPF check performs a route table lookup on an IP packet’s source address, and checks the incoming interface. The router determines whether the packet is arriving from a path that the sender would use to reach the destination. If the packet is from a valid path, the router forwards the packet to the destination address. If it is not from a valid path, the router discards the packet. Unicast RPF is supported for the IPv4 and IPv6 protocol families, as well as for the virtual private network (VPN) address family.

The section below details the Unicast RPF configuration:

set interfaces ge-<*/*/*> unit 0 family inet rpf-check

Verifying Unicast RPF:

juniper@M10i> show interfaces ge-0/0/1 extensive | match RPF

Flags: Sendbcast-pkt-to-re, uRPF

RPF Failures: Packets: 0, Bytes: 0

/*** RPF fail packets will be listed in the counter above***/
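The check described above, as an added example that is not part of the template: a strict unicast RPF decision implemented as a longest-prefix route lookup on the source address, compared against the ingress interface. The routing table, interface names and packets are constructed for illustration.

```python
import ipaddress

# Constructed routing table: prefix -> interface the route resolves to (hypothetical PE)
ROUTE_TABLE = {
    "10.10.0.0/24": "ge-0/0/1.0",  # CPE subnet reached via the CE-facing port
    "10.10.5.0/24": "ge-0/0/2.0",  # a second CPE on another port
    "0.0.0.0/0": "ge-0/0/0.0",     # default route towards the core
}

def lookup(route_table, address):
    """Route table lookup on an address: longest-prefix match, returns the egress interface."""
    addr = ipaddress.ip_address(address)
    best = None
    for prefix, iface in route_table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def rpf_check(route_table, src, ingress_iface):
    """Strict uRPF: pass only if the route back to src uses the interface the packet came in on."""
    return lookup(route_table, src) == ingress_iface

def filter_packets(route_table, packets):
    """Split (src, ingress_iface) packets into forwarded ones and RPF failures,
    the latter being what the 'RPF Failures' counter above would count."""
    forwarded, failed = [], []
    for pkt in packets:
        (forwarded if rpf_check(route_table, *pkt) else failed).append(pkt)
    return forwarded, failed

# Constructed packets: genuine CPE traffic, a spoof of the other CPE's subnet,
# an Internet source spoofed on the CPE port, and the same source arriving from the core.
PACKETS = [
    ("10.10.0.7", "ge-0/0/1.0"),
    ("10.10.5.9", "ge-0/0/1.0"),
    ("203.0.113.7", "ge-0/0/1.0"),
    ("203.0.113.7", "ge-0/0/0.0"),
]

if __name__ == "__main__":
    ok, dropped = filter_packets(ROUTE_TABLE, PACKETS)
    print("forwarded:", ok)
    print("RPF failures:", dropped)
```

Strict mode drops genuine packets wherever the return path is asymmetric, so it belongs on single-homed customer-facing interfaces rather than core links.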


7. Sign Off (Optional – remove this section in case the sign off is by email or on another document)

This final sign off is based on the understanding that formal review meetings have been conducted to present, explain and discuss the Low Level Design document created. As per the observations made during these meetings, we have incorporated NIC’s input and feedback in this document.

Juniper Networks Inc                      Customer
Approved   YES   NO                       Approved   YES   NO
Name                                      Name
Signature                                 Signature
Position                                  Position
Date                                      Date


Corporate and Sales Headquarters Juniper Networks, Inc.

1194 North Mathilda Avenue

Sunnyvale, CA 94089 USA

Phone: 888.JUNIPER (888.586.4737)

or 408.745.2000

Fax: 408.745.2100

APAC Headquarters
Juniper Networks (Hong Kong)

26/F, Cityplaza One

1111 King’s Road

Taikoo Shing, Hong Kong

Phone: 852.2332.3636

Fax: 852.2574.7803

EMEA Headquarters
Juniper Networks Ireland
Airside Business Park
Swords, County Dublin, Ireland
Phone: 35.31.8903.600
EMEA Sales: 00800.4586.4737
Fax: 35.31.8903.601

Copyright 2009 Juniper Networks, Inc. All rights reserved. Juniper Networks, the Juniper Networks logo, Junos, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. All other trademarks, service marks, registered marks, or registered service marks are the property of their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

November 2009