Juniper Superlab

Hi everyone, let's get straight to the point. In this post, I will share the configuration of each device that runs in this lab. I'll try to write an explanation of each protocol later, and I hope to publish it as soon as possible. I'm running this lab on an HP ProLiant server that has 24 cores and 128 GB of RAM. The lab requires 10 cores and 90 GB of RAM; you may be able to get by with less if you replace a device with one that requires fewer resources.

This is the list of devices that I use in this lab, along with the system requirements of each device:
- vMX, version 14.1R1.10 (1 CPU, 2GB RAM)
- vEX, version 23.2R1.14 (4 CPU, 8GB RAM)
- vSRX3.0, version 23.1R1.8 (2 CPU, 4GB RAM)
Let's jump straight into the configuration:
DC-SPINE1
root@DC-SPINE1# show | display set
# DC-SPINE1: spine switch. Runs an eBGP underlay to both leaves, an iBGP EVPN
# overlay (route reflector, cluster 192.168.100.10) and an eBGP session to DC-FW1.
set version 23.2R1.14
set system host-name DC-SPINE1
# Leaf-facing links carry jumbo frames (MTU 9192), presumably to leave headroom for VXLAN overhead.
set interfaces ge-0/0/0 description "to DC-LEAF1"
set interfaces ge-0/0/0 mtu 9192
set interfaces ge-0/0/0 unit 0 family inet address 10.11.13.11/24
set interfaces ge-0/0/1 description "to DC-LEAF2"
set interfaces ge-0/0/1 mtu 9192
set interfaces ge-0/0/1 unit 0 family inet address 10.11.14.11/24
# Link to the firewall; no jumbo MTU is set on this interface.
set interfaces ge-0/0/2 description "to DC-FW1"
set interfaces ge-0/0/2 unit 0 family inet address 192.168.50.1/24
# Loopback: used as router-id and as the local-address of the overlay sessions below.
set interfaces lo0 unit 0 family inet address 192.168.100.11/32
# Exported to the forwarding table (see routing-options) so that multiple equal-cost
# next hops are installed. On most Junos platforms the per-packet keyword results in
# per-flow hashing - confirm for the platform in use.
set policy-options policy-statement PFE-LB then load-balance per-packet
# The three protocols below are listed in a single term, so a route from any one of
# them is accepted. Only this device also exports static routes.
set policy-options policy-statement UNDERLAY_BGP_EXPORT term direct from protocol direct
set policy-options policy-statement UNDERLAY_BGP_EXPORT term direct from protocol bgp
set policy-options policy-statement UNDERLAY_BGP_EXPORT term direct from protocol static
set policy-options policy-statement UNDERLAY_BGP_EXPORT term direct then accept
set policy-options policy-statement UNDERLAY_BGP_EXPORT term default then reject
# NOTE(review): the import policy matches on protocol only, not on prefixes, so every
# BGP route a leaf announces is accepted. A prefix-list/route-filter would bound that.
set policy-options policy-statement UNDERLAY_BGP_IMPORT term direct from protocol direct
set policy-options policy-statement UNDERLAY_BGP_IMPORT term direct from protocol bgp
set policy-options policy-statement UNDERLAY_BGP_IMPORT term direct then accept
set policy-options policy-statement UNDERLAY_BGP_IMPORT term default then reject
set routing-options router-id 192.168.100.11
# NOTE(review): 65535 is a reserved AS number (RFC 7300); the private-use range ends
# at 65534. It works inside this lab but should not be carried into a real design.
set routing-options autonomous-system 65535
set routing-options forwarding-table export PFE-LB
# IPv6 router advertisement on the management interface; looks like a platform default - confirm.
set protocols router-advertisement interface fxp0.0 managed-configuration
# NOTE(review): none of the BGP groups below configures session authentication.
# Acceptable in an isolated lab; add it before reusing this config elsewhere.
# eBGP to the firewall (AS 200), sourced from the underlay AS 65511.
# NOTE(review): no import/export policy is applied to this group, so the default BGP
# policy decides what is accepted from and advertised to DC-FW1.
set protocols bgp group EXT-TO-HQ type external
set protocols bgp group EXT-TO-HQ peer-as 200
set protocols bgp group EXT-TO-HQ local-as 65511
set protocols bgp group EXT-TO-HQ neighbor 192.168.50.2 description "EBGP peering to DC-FW1"
# iBGP EVPN session between the two spines; no cluster statement here, so this is a plain iBGP peering.
set protocols bgp group OVERLAY_RR_MESH type internal
set protocols bgp group OVERLAY_RR_MESH local-address 192.168.100.11
set protocols bgp group OVERLAY_RR_MESH family evpn signaling
set protocols bgp group OVERLAY_RR_MESH local-as 65535
set protocols bgp group OVERLAY_RR_MESH neighbor 192.168.100.12 description "IBGP/overlay peering to Spine2"
# iBGP EVPN sessions to the leaves; the cluster statement makes the leaves route-reflector clients.
set protocols bgp group OVERLAY type internal
set protocols bgp group OVERLAY local-address 192.168.100.11
set protocols bgp group OVERLAY family evpn signaling
set protocols bgp group OVERLAY cluster 192.168.100.10
set protocols bgp group OVERLAY local-as 65535
set protocols bgp group OVERLAY multipath
set protocols bgp group OVERLAY neighbor 192.168.100.13 description "IBGP/overlay peering to Leaf1"
set protocols bgp group OVERLAY neighbor 192.168.100.14 description "IBGP/overlay peering to Leaf2"
# eBGP underlay: this spine is AS 65511, each leaf has its own AS.
set protocols bgp group UNDERLAY type external
set protocols bgp group UNDERLAY import UNDERLAY_BGP_IMPORT
set protocols bgp group UNDERLAY export UNDERLAY_BGP_EXPORT
set protocols bgp group UNDERLAY local-as 65511
set protocols bgp group UNDERLAY neighbor 10.11.13.13 description "EBGP peering to Leaf1"
set protocols bgp group UNDERLAY neighbor 10.11.13.13 peer-as 65513
# "Peeting" in the next description is a typo for "peering"; it is cosmetic only.
set protocols bgp group UNDERLAY neighbor 10.11.14.14 description "EBGP Peeting to Leaf2"
set protocols bgp group UNDERLAY neighbor 10.11.14.14 peer-as 65514
DC-SPINE2
root@DC-SPINE2# show | display set
# DC-SPINE2: second spine. Same roles as DC-SPINE1 (eBGP underlay, iBGP EVPN overlay
# with cluster 192.168.100.10), but this listing shows no link to the firewall.
set version 23.2R1.14
set system host-name DC-SPINE2
# Leaf-facing links with jumbo MTU (9192).
set interfaces ge-0/0/0 description "to DC-LEAF1"
set interfaces ge-0/0/0 mtu 9192
set interfaces ge-0/0/0 unit 0 family inet address 10.12.13.12/24
set interfaces ge-0/0/1 description "to DC-LEAF2"
set interfaces ge-0/0/1 mtu 9192
set interfaces ge-0/0/1 unit 0 family inet address 10.12.14.12/24
# Loopback: router-id and source address of the overlay sessions.
set interfaces lo0 unit 0 family inet address 192.168.100.12/32
# Forwarding-table export policy that enables installation of multiple equal-cost next hops.
set policy-options policy-statement PFE-LB then load-balance per-packet
# Term 1 accepts direct or BGP routes (both protocols sit in one term); term 999 rejects the rest.
set policy-options policy-statement UNDERLAY_BGP_EXPORT term 1 from protocol direct
set policy-options policy-statement UNDERLAY_BGP_EXPORT term 1 from protocol bgp
set policy-options policy-statement UNDERLAY_BGP_EXPORT term 1 then accept
set policy-options policy-statement UNDERLAY_BGP_EXPORT term 999 then reject
# NOTE(review): import matches on protocol only; no prefix filtering of what the leaves announce.
set policy-options policy-statement UNDERLAY_BGP_IMPORT term 1 from protocol direct
set policy-options policy-statement UNDERLAY_BGP_IMPORT term 1 from protocol bgp
set policy-options policy-statement UNDERLAY_BGP_IMPORT term 1 then accept
set policy-options policy-statement UNDERLAY_BGP_IMPORT term 999 then reject
set routing-options router-id 192.168.100.12
# NOTE(review): 65535 is a reserved AS number (RFC 7300); private-use ASNs end at 65534.
set routing-options autonomous-system 65535
set routing-options forwarding-table export PFE-LB
# IPv6 router advertisement on the management interface; looks like a platform default - confirm.
set protocols router-advertisement interface fxp0.0 managed-configuration
# NOTE(review): no BGP group below configures session authentication (lab-only shortcut).
# iBGP EVPN session to the other spine.
set protocols bgp group OVERLAY_RR_MESH type internal
set protocols bgp group OVERLAY_RR_MESH local-address 192.168.100.12
set protocols bgp group OVERLAY_RR_MESH family evpn signaling
set protocols bgp group OVERLAY_RR_MESH local-as 65535
set protocols bgp group OVERLAY_RR_MESH neighbor 192.168.100.11 description "IBGP/overlay peering to Spine1"
# iBGP EVPN sessions to the leaves; the cluster statement makes them route-reflector clients.
set protocols bgp group OVERLAY type internal
set protocols bgp group OVERLAY local-address 192.168.100.12
set protocols bgp group OVERLAY family evpn signaling
set protocols bgp group OVERLAY cluster 192.168.100.10
set protocols bgp group OVERLAY local-as 65535
set protocols bgp group OVERLAY multipath
set protocols bgp group OVERLAY neighbor 192.168.100.13 description "IBGP/overlay peering to Leaf1"
set protocols bgp group OVERLAY neighbor 192.168.100.14 description "IBGP/overlay peering to Leaf2"
# eBGP underlay: this spine is AS 65512.
set protocols bgp group UNDERLAY type external
set protocols bgp group UNDERLAY import UNDERLAY_BGP_IMPORT
set protocols bgp group UNDERLAY export UNDERLAY_BGP_EXPORT
set protocols bgp group UNDERLAY local-as 65512
set protocols bgp group UNDERLAY neighbor 10.12.13.13 description "EBGP peering to Leaf1"
set protocols bgp group UNDERLAY neighbor 10.12.13.13 peer-as 65513
set protocols bgp group UNDERLAY neighbor 10.12.14.14 description "EBGP peering to Leaf2"
set protocols bgp group UNDERLAY neighbor 10.12.14.14 peer-as 65514
DC-LEAF1
root@DC-LEAF1# show | display set
# DC-LEAF1: EVPN-VXLAN leaf. eBGP underlay to both spines (local AS 65513), iBGP EVPN
# overlay to both spines, and IRB gateways for VLAN 150 and VLAN 250.
set version 23.2R1.14
set system host-name DC-LEAF1
# Spine-facing uplinks with jumbo MTU (9192).
set interfaces ge-0/0/0 description "to DC-SPINE1"
set interfaces ge-0/0/0 mtu 9192
set interfaces ge-0/0/0 unit 0 family inet address 10.11.13.13/24
set interfaces ge-0/0/1 description "to DC-SPINE2"
set interfaces ge-0/0/1 mtu 9192
set interfaces ge-0/0/1 unit 0 family inet address 10.12.13.13/24
# Host-facing ports, one VLAN each. ge-0/0/3 carries no description in this listing.
set interfaces ge-0/0/2 description "to PROD-1"
set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members VNI_15000
set interfaces ge-0/0/3 unit 0 family ethernet-switching vlan members VNI_25000
# Loopback: router-id, overlay local-address and VTEP source (see switch-options).
set interfaces lo0 unit 0 family inet address 192.168.100.13/32
# IRB gateways: each leaf has its own address (.1 here) and shares the virtual
# gateway address .254 that hosts use as their default gateway.
set interfaces irb unit 150 proxy-macip-advertisement
set interfaces irb unit 150 virtual-gateway-accept-data
set interfaces irb unit 150 family inet address 192.168.150.1/24 preferred
set interfaces irb unit 150 family inet address 192.168.150.1/24 virtual-gateway-address 192.168.150.254
set interfaces irb unit 250 proxy-macip-advertisement
set interfaces irb unit 250 virtual-gateway-accept-data
set interfaces irb unit 250 family inet address 192.168.250.1/24 preferred
set interfaces irb unit 250 family inet address 192.168.250.1/24 virtual-gateway-address 192.168.250.254
# The next line repeats the lo0 statement above; the duplicate has no effect.
set interfaces lo0 unit 0 family inet address 192.168.100.13/32
# Forwarding-table export policy that enables installation of multiple equal-cost next hops.
set policy-options policy-statement PFE-LB then load-balance per-packet
# Term "direct" accepts direct or BGP routes; term "default" rejects everything else.
set policy-options policy-statement UNDERLAY_BGP_EXPORT term direct from protocol direct
set policy-options policy-statement UNDERLAY_BGP_EXPORT term direct from protocol bgp
set policy-options policy-statement UNDERLAY_BGP_EXPORT term direct then accept
set policy-options policy-statement UNDERLAY_BGP_EXPORT term default then reject
# NOTE(review): term "di" looks like a leftover from a mistyped "direct". It has no
# match condition and sits after the unconditional reject, so it should never be
# evaluated - but an accept-all term is risky to leave around; delete it.
set policy-options policy-statement UNDERLAY_BGP_EXPORT term di then accept
# NOTE(review): import matches on protocol only; no prefix filtering of what the spines announce.
set policy-options policy-statement UNDERLAY_BGP_IMPORT term direct from protocol direct
set policy-options policy-statement UNDERLAY_BGP_IMPORT term direct from protocol bgp
set policy-options policy-statement UNDERLAY_BGP_IMPORT term direct then accept
set policy-options policy-statement UNDERLAY_BGP_IMPORT term default then reject
set routing-options router-id 192.168.100.13
# NOTE(review): 65535 is a reserved AS number (RFC 7300); private-use ASNs end at 65534.
set routing-options autonomous-system 65535
set routing-options forwarding-table export PFE-LB
# IPv6 router advertisement on the management interface; looks like a platform default - confirm.
set protocols router-advertisement interface fxp0.0 managed-configuration
# NOTE(review): no BGP group below configures session authentication (lab-only shortcut).
# iBGP EVPN overlay to both spines, sourced from the loopback.
set protocols bgp group OVERLAY type internal
set protocols bgp group OVERLAY local-address 192.168.100.13
set protocols bgp group OVERLAY family evpn signaling
set protocols bgp group OVERLAY local-as 65535
# "IBP" in the next description is a typo for "IBGP"; it is cosmetic only.
set protocols bgp group OVERLAY neighbor 192.168.100.11 description "IBP/overlay peering to Spine1"
set protocols bgp group OVERLAY neighbor 192.168.100.12 description "IBGP/overlay peering to Spine2"
# eBGP underlay to each spine over the point-to-point links.
set protocols bgp group UNDERLAY type external
set protocols bgp group UNDERLAY import UNDERLAY_BGP_IMPORT
set protocols bgp group UNDERLAY export UNDERLAY_BGP_EXPORT
set protocols bgp group UNDERLAY local-as 65513
set protocols bgp group UNDERLAY neighbor 10.11.13.11 description "EBGP peering to Spine1"
set protocols bgp group UNDERLAY neighbor 10.11.13.11 peer-as 65511
set protocols bgp group UNDERLAY neighbor 10.12.13.12 description "EBGP Peering to Spine2"
set protocols bgp group UNDERLAY neighbor 10.12.13.12 peer-as 65512
# EVPN with VXLAN encapsulation; every configured VNI is extended into EVPN.
set protocols evpn encapsulation vxlan
set protocols evpn default-gateway no-gateway-community
set protocols evpn extended-vni-list all
# Present on this leaf only; DC-LEAF2's listing has no igmp-snooping statement.
set protocols igmp-snooping vlan default
# VTEP is sourced from the loopback; RD is unique per leaf, the route target is shared.
set switch-options vtep-source-interface lo0.0
set switch-options route-distinguisher 192.168.100.13:1
set switch-options vrf-target target:65535:1
set switch-options vrf-target auto
# VLAN-to-VNI mapping: VLAN 150 <-> VNI 15000, VLAN 250 <-> VNI 25000, each with its IRB.
set vlans VNI_15000 vlan-id 150
set vlans VNI_15000 l3-interface irb.150
set vlans VNI_15000 vxlan vni 15000
set vlans VNI_25000 vlan-id 250
set vlans VNI_25000 l3-interface irb.250
set vlans VNI_25000 vxlan vni 25000
DC-LEAF2
root@DC-LEAF2# show | display set
# DC-LEAF2: EVPN-VXLAN leaf. eBGP underlay to both spines (local AS 65514), iBGP EVPN
# overlay to both spines, and IRB gateways for VLAN 150 and VLAN 250.
set version 23.2R1.14
set system host-name DC-LEAF2
# Spine-facing uplinks with jumbo MTU (9192).
set interfaces ge-0/0/0 description "to DC-SPINE1"
set interfaces ge-0/0/0 mtu 9192
set interfaces ge-0/0/0 unit 0 family inet address 10.11.14.14/24
set interfaces ge-0/0/1 description "to DC-SPINE2"
set interfaces ge-0/0/1 mtu 9192
set interfaces ge-0/0/1 unit 0 description "to Spine2"
set interfaces ge-0/0/1 unit 0 family inet address 10.12.14.14/24
# Host-facing ports, one VLAN each.
set interfaces ge-0/0/2 description "to DEV-1"
set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members VNI_25000
set interfaces ge-0/0/3 description "to PROD-2"
set interfaces ge-0/0/3 unit 0 family ethernet-switching vlan members VNI_15000
# Loopback: router-id, overlay local-address and VTEP source (see switch-options).
set interfaces lo0 unit 0 family inet address 192.168.100.14/32
# IRB gateways: each leaf has its own address (.2 here) and shares the virtual
# gateway address .254 that hosts use as their default gateway.
set interfaces irb unit 150 proxy-macip-advertisement
set interfaces irb unit 150 virtual-gateway-accept-data
set interfaces irb unit 150 family inet address 192.168.150.2/24 preferred
set interfaces irb unit 150 family inet address 192.168.150.2/24 virtual-gateway-address 192.168.150.254
set interfaces irb unit 250 proxy-macip-advertisement
set interfaces irb unit 250 virtual-gateway-accept-data
set interfaces irb unit 250 family inet address 192.168.250.2/24 preferred
set interfaces irb unit 250 family inet address 192.168.250.2/24 virtual-gateway-address 192.168.250.254
# The next line repeats the lo0 statement above; the duplicate has no effect.
set interfaces lo0 unit 0 family inet address 192.168.100.14/32
# Forwarding-table export policy that enables installation of multiple equal-cost next hops.
set policy-options policy-statement PFE-LB then load-balance per-packet
# Term 1 accepts direct or BGP routes (both protocols sit in one term); term 999 rejects the rest.
set policy-options policy-statement UNDERLAY_BGP_EXPORT term 1 from protocol direct
set policy-options policy-statement UNDERLAY_BGP_EXPORT term 1 from protocol bgp
set policy-options policy-statement UNDERLAY_BGP_EXPORT term 1 then accept
set policy-options policy-statement UNDERLAY_BGP_EXPORT term 999 then reject
# NOTE(review): import matches on protocol only; no prefix filtering of what the spines announce.
set policy-options policy-statement UNDERLAY_BGP_IMPORT term 1 from protocol direct
set policy-options policy-statement UNDERLAY_BGP_IMPORT term 1 from protocol bgp
set policy-options policy-statement UNDERLAY_BGP_IMPORT term 1 then accept
set policy-options policy-statement UNDERLAY_BGP_IMPORT term 999 then reject
set routing-options router-id 192.168.100.14
# NOTE(review): 65535 is a reserved AS number (RFC 7300); private-use ASNs end at 65534.
set routing-options autonomous-system 65535
set routing-options forwarding-table export PFE-LB
# IPv6 router advertisement on the management interface; looks like a platform default - confirm.
set protocols router-advertisement interface fxp0.0 managed-configuration
# NOTE(review): no BGP group below configures session authentication (lab-only shortcut).
# iBGP EVPN overlay to both spines, sourced from the loopback.
set protocols bgp group OVERLAY type internal
set protocols bgp group OVERLAY local-address 192.168.100.14
set protocols bgp group OVERLAY family evpn signaling
set protocols bgp group OVERLAY local-as 65535
set protocols bgp group OVERLAY neighbor 192.168.100.11 description "IBGP/overlay peering to Spine1"
set protocols bgp group OVERLAY neighbor 192.168.100.12 description "IBGP/overlay peering to Spine2"
# eBGP underlay to each spine over the point-to-point links.
set protocols bgp group UNDERLAY type external
set protocols bgp group UNDERLAY import UNDERLAY_BGP_IMPORT
set protocols bgp group UNDERLAY export UNDERLAY_BGP_EXPORT
set protocols bgp group UNDERLAY local-as 65514
set protocols bgp group UNDERLAY neighbor 10.11.14.11 description "EBGP peering to Spine1"
set protocols bgp group UNDERLAY neighbor 10.11.14.11 peer-as 65511
set protocols bgp group UNDERLAY neighbor 10.12.14.12 description "EBGP Peering to Spine2"
set protocols bgp group UNDERLAY neighbor 10.12.14.12 peer-as 65512
# EVPN with VXLAN encapsulation; every configured VNI is extended into EVPN.
set protocols evpn encapsulation vxlan
set protocols evpn default-gateway no-gateway-community
set protocols evpn extended-vni-list all
# VTEP is sourced from the loopback; RD is unique per leaf, the route target is shared.
set switch-options vtep-source-interface lo0.0
set switch-options route-distinguisher 192.168.100.14:1
set switch-options vrf-target target:65535:1
set switch-options vrf-target auto
# VLAN-to-VNI mapping: VLAN 150 <-> VNI 15000, VLAN 250 <-> VNI 25000, each with its IRB.
set vlans VNI_15000 vlan-id 150
set vlans VNI_15000 l3-interface irb.150
set vlans VNI_15000 vxlan vni 15000
set vlans VNI_25000 vlan-id 250
set vlans VNI_25000 l3-interface irb.250
set vlans VNI_25000 vxlan vni 25000
R-PE1
root@R-PE1# show | display set
# R-PE1: provider-edge router. IS-IS (level 2 only) + LDP toward the core, and an LDP
# Layer 2 circuit to 192.168.1.8 that carries the DC-FW1 link.
set version 14.1R1.10
set system host-name R-PE1
# Core-facing link: IPv4, ISO (for IS-IS) and MPLS families.
set interfaces ge-0/0/0 description "to R-P3"
set interfaces ge-0/0/0 unit 0 family inet address 10.1.3.1/24
set interfaces ge-0/0/0 unit 0 family iso
set interfaces ge-0/0/0 unit 0 family mpls
# Attachment circuit: no IP address here; frames from the firewall are switched into the pseudowire.
set interfaces ge-0/0/1 description "to DC-FW1"
set interfaces ge-0/0/1 encapsulation ethernet-ccc
set interfaces ge-0/0/1 unit 0 family ccc
# Loopback carries the router's IPv4 address and its IS-IS NET.
set interfaces lo0 unit 0 family inet address 192.168.1.1/32
set interfaces lo0 unit 0 family iso address 49.0001.1921.6800.1001.00
set protocols mpls icmp-tunneling
set protocols mpls interface ge-0/0/0.0
# NOTE(review): neither IS-IS nor LDP has authentication configured (lab-only shortcut).
set protocols isis level 1 disable
set protocols isis interface ge-0/0/0.0 point-to-point
set protocols isis interface lo0.0
set protocols ldp interface ge-0/0/0.0
set protocols ldp interface lo0.0
# Pseudowire to the remote PE; virtual-circuit-id must match on both ends.
# ignore-mtu-mismatch lets the circuit come up even if the two ends report different MTUs.
set protocols l2circuit neighbor 192.168.1.8 interface ge-0/0/1.0 virtual-circuit-id 100
set protocols l2circuit neighbor 192.168.1.8 interface ge-0/0/1.0 encapsulation-type ethernet
set protocols l2circuit neighbor 192.168.1.8 interface ge-0/0/1.0 ignore-mtu-mismatch
R-P2
root@R-P2# show | display set
# R-P2: core router with a single link to R-P3. IS-IS (level 2 only), LDP and MPLS.
set version 14.1R1.10
set system host-name R-P2
set interfaces ge-0/0/0 description "to R-P3"
set interfaces ge-0/0/0 unit 0 family inet address 10.2.3.2/24
set interfaces ge-0/0/0 unit 0 family iso
set interfaces ge-0/0/0 unit 0 family mpls
# Loopback carries the router's IPv4 address and its IS-IS NET.
set interfaces lo0 unit 0 family inet address 192.168.1.2/32
set interfaces lo0 unit 0 family iso address 49.0001.1921.6800.1002.00
set protocols mpls icmp-tunneling
# lo0.0 is listed under MPLS here; most other routers in this lab list only physical interfaces.
set protocols mpls interface lo0.0
set protocols mpls interface ge-0/0/0.0
# NOTE(review): neither IS-IS nor LDP has authentication configured (lab-only shortcut).
set protocols isis level 1 disable
set protocols isis interface ge-0/0/0.0 point-to-point
set protocols isis interface lo0.0
set protocols ldp interface ge-0/0/0.0
set protocols ldp interface lo0.0
R-P3
root@R-P3# show | display set
# R-P3: core router connecting R-PE1, R-P2, R-P4 and R-P5. IS-IS (level 2 only), LDP and MPLS.
set version 14.1R1.10
set system host-name R-P3
# Each core link enables the IPv4, ISO (for IS-IS) and MPLS families.
set interfaces ge-0/0/0 description "to R-PE1"
set interfaces ge-0/0/0 unit 0 family inet address 10.1.3.3/24
set interfaces ge-0/0/0 unit 0 family iso
set interfaces ge-0/0/0 unit 0 family mpls
set interfaces ge-0/0/1 description "to R-P2"
set interfaces ge-0/0/1 unit 0 family inet address 10.2.3.3/24
set interfaces ge-0/0/1 unit 0 family iso
set interfaces ge-0/0/1 unit 0 family mpls
set interfaces ge-0/0/2 description "to R-P4"
set interfaces ge-0/0/2 unit 0 family inet address 10.3.4.3/24
set interfaces ge-0/0/2 unit 0 family iso
set interfaces ge-0/0/2 unit 0 family mpls
set interfaces ge-0/0/3 description "to R-P5"
set interfaces ge-0/0/3 unit 0 family inet address 10.3.5.3/24
set interfaces ge-0/0/3 unit 0 family iso
set interfaces ge-0/0/3 unit 0 family mpls
# Loopback carries the router's IPv4 address and its IS-IS NET.
set interfaces lo0 unit 0 family inet address 192.168.1.3/32
set interfaces lo0 unit 0 family iso address 49.0001.1921.6800.1003.00
set protocols mpls icmp-tunneling
set protocols mpls interface ge-0/0/0.0
set protocols mpls interface ge-0/0/1.0
set protocols mpls interface ge-0/0/2.0
set protocols mpls interface ge-0/0/3.0
# NOTE(review): neither IS-IS nor LDP has authentication configured (lab-only shortcut).
set protocols isis level 1 disable
set protocols isis interface ge-0/0/0.0 point-to-point
set protocols isis interface ge-0/0/1.0 point-to-point
set protocols isis interface ge-0/0/2.0 point-to-point
set protocols isis interface ge-0/0/3.0 point-to-point
set protocols isis interface lo0.0
set protocols ldp interface ge-0/0/0.0
set protocols ldp interface ge-0/0/1.0
set protocols ldp interface ge-0/0/2.0
set protocols ldp interface ge-0/0/3.0
set protocols ldp interface lo0.0
R-P4
root@R-P4# show | display set
# R-P4: core router between R-P3 and R-P6. IS-IS (level 2 only), LDP and MPLS.
set version 14.1R1.10
set system host-name R-P4
set interfaces ge-0/0/0 description "to R-P3"
set interfaces ge-0/0/0 unit 0 family inet address 10.3.4.4/24
set interfaces ge-0/0/0 unit 0 family iso
set interfaces ge-0/0/0 unit 0 family mpls
set interfaces ge-0/0/1 description "to R-P6"
set interfaces ge-0/0/1 unit 0 family inet address 10.4.6.4/24
set interfaces ge-0/0/1 unit 0 family iso
set interfaces ge-0/0/1 unit 0 family mpls
set interfaces lo0 unit 0 family inet address 192.168.1.4/32
# The system-id here is written in a different style (0192.0168.0004) from R-PE1/R-P2/R-P3
# (1921.6800.100x); it only has to be unique, so this is a consistency nit.
set interfaces lo0 unit 0 family iso address 49.0001.0192.0168.0004.00
set protocols mpls icmp-tunneling
set protocols mpls interface ge-0/0/0.0
set protocols mpls interface ge-0/0/1.0
# NOTE(review): neither IS-IS nor LDP has authentication configured (lab-only shortcut).
set protocols isis level 1 disable
set protocols isis interface ge-0/0/0.0 point-to-point
set protocols isis interface ge-0/0/1.0 point-to-point
set protocols isis interface lo0.0
set protocols ldp interface ge-0/0/0.0
set protocols ldp interface ge-0/0/1.0
set protocols ldp interface lo0.0
R-P5
root@R-P5# show | display set
# R-P5: core router between R-P3 and R-P6. IS-IS (level 2 only), LDP and MPLS.
set version 14.1R1.10
set system host-name R-P5
set interfaces ge-0/0/0 description "to R-P3"
set interfaces ge-0/0/0 unit 0 family inet address 10.3.5.5/24
set interfaces ge-0/0/0 unit 0 family iso
set interfaces ge-0/0/0 unit 0 family mpls
set interfaces ge-0/0/1 description "to R-P6"
set interfaces ge-0/0/1 unit 0 family inet address 10.5.6.5/24
set interfaces ge-0/0/1 unit 0 family iso
set interfaces ge-0/0/1 unit 0 family mpls
set interfaces lo0 unit 0 family inet address 192.168.1.5/32
# Area 49.0002 here, while the other routers in this lab use 49.0001. Level 1 is disabled
# below, and level 2 adjacencies do not require matching areas - confirm this is intended.
set interfaces lo0 unit 0 family iso address 49.0002.1921.6800.1005.00
set protocols mpls icmp-tunneling
# lo0.0 is listed under MPLS here; most other routers in this lab list only physical interfaces.
set protocols mpls interface lo0.0
set protocols mpls interface ge-0/0/0.0
set protocols mpls interface ge-0/0/1.0
# NOTE(review): neither IS-IS nor LDP has authentication configured (lab-only shortcut).
set protocols isis level 1 disable
set protocols isis interface ge-0/0/0.0 point-to-point
set protocols isis interface ge-0/0/1.0 point-to-point
set protocols isis interface lo0.0
set protocols ldp interface ge-0/0/0.0
set protocols ldp interface ge-0/0/1.0
set protocols ldp interface lo0.0
R-P6
root@R-P6# show | display set
# R-P6: core router connecting R-P4, R-P5, R-P7 and R-PE8. IS-IS (level 2 only), LDP and MPLS.
set version 14.1R1.10
set system host-name R-P6
# Each core link enables the IPv4, ISO (for IS-IS) and MPLS families.
set interfaces ge-0/0/0 description "to R-P4"
set interfaces ge-0/0/0 unit 0 family inet address 10.4.6.6/24
set interfaces ge-0/0/0 unit 0 family iso
set interfaces ge-0/0/0 unit 0 family mpls
set interfaces ge-0/0/1 description "to R-P5"
set interfaces ge-0/0/1 unit 0 family inet address 10.5.6.6/24
set interfaces ge-0/0/1 unit 0 family iso
set interfaces ge-0/0/1 unit 0 family mpls
set interfaces ge-0/0/2 description "to R-P7"
set interfaces ge-0/0/2 unit 0 family inet address 10.6.7.6/24
set interfaces ge-0/0/2 unit 0 family iso
set interfaces ge-0/0/2 unit 0 family mpls
set interfaces ge-0/0/3 description "to R-PE8"
set interfaces ge-0/0/3 unit 0 family inet address 10.6.8.6/24
set interfaces ge-0/0/3 unit 0 family iso
set interfaces ge-0/0/3 unit 0 family mpls
set interfaces lo0 unit 0 family inet address 192.168.1.6/32
# The system-id here is written in a different style (0192.0168.0006) from most routers in
# this lab (1921.6800.100x); it only has to be unique, so this is a consistency nit.
set interfaces lo0 unit 0 family iso address 49.0001.0192.0168.0006.00
set protocols mpls icmp-tunneling
set protocols mpls interface ge-0/0/0.0
set protocols mpls interface ge-0/0/1.0
set protocols mpls interface ge-0/0/2.0
set protocols mpls interface ge-0/0/3.0
# NOTE(review): neither IS-IS nor LDP has authentication configured (lab-only shortcut).
set protocols isis level 1 disable
set protocols isis interface ge-0/0/0.0 point-to-point
set protocols isis interface ge-0/0/1.0 point-to-point
set protocols isis interface ge-0/0/2.0 point-to-point
set protocols isis interface ge-0/0/3.0 point-to-point
set protocols isis interface lo0.0
set protocols ldp interface ge-0/0/0.0
set protocols ldp interface ge-0/0/1.0
set protocols ldp interface ge-0/0/2.0
set protocols ldp interface ge-0/0/3.0
set protocols ldp interface lo0.0
R-P7
root@R-P7# show | display set
# R-P7: core router with a single link to R-P6. IS-IS, LDP and MPLS.
set version 14.1R1.10
set system host-name R-P7
set interfaces ge-0/0/0 description "to R-P6"
set interfaces ge-0/0/0 unit 0 family inet address 10.6.7.7/24
set interfaces ge-0/0/0 unit 0 family iso
set interfaces ge-0/0/0 unit 0 family mpls
# Loopback carries the router's IPv4 address and its IS-IS NET.
set interfaces lo0 unit 0 family inet address 192.168.1.7/32
set interfaces lo0 unit 0 family iso address 49.0001.1921.6800.1007.00
set protocols mpls icmp-tunneling
set protocols mpls interface ge-0/0/0.0
# NOTE(review): neither IS-IS nor LDP has authentication configured (lab-only shortcut).
# Level 1 is disabled per interface here (ge-0/0/0.0 only) rather than globally as on
# R-PE1 through R-P6; lo0.0 keeps both levels.
set protocols isis interface ge-0/0/0.0 point-to-point
set protocols isis interface ge-0/0/0.0 level 1 disable
set protocols isis interface lo0.0
set protocols ldp interface ge-0/0/0.0
set protocols ldp interface lo0.0
R-PE8
root@R-PE8# show | display set
# R-PE8: provider-edge router. IS-IS + LDP toward the core, and an LDP Layer 2 circuit
# to 192.168.1.1 that carries the HQ-FW link.
set version 14.1R1.10
set system host-name R-PE8
# Core-facing link: IPv4, ISO (for IS-IS) and MPLS families.
set interfaces ge-0/0/0 description "to R-P6"
set interfaces ge-0/0/0 unit 0 family inet address 10.6.8.8/24
set interfaces ge-0/0/0 unit 0 family iso
set interfaces ge-0/0/0 unit 0 family mpls
# Attachment circuit: no IP address here; frames from the firewall are switched into the pseudowire.
set interfaces ge-0/0/1 description "to HQ-FW"
set interfaces ge-0/0/1 encapsulation ethernet-ccc
set interfaces ge-0/0/1 unit 0 family ccc
# Loopback carries the router's IPv4 address and its IS-IS NET.
set interfaces lo0 unit 0 family inet address 192.168.1.8/32
set interfaces lo0 unit 0 family iso address 49.0001.1921.6800.1008.00
set protocols mpls icmp-tunneling
set protocols mpls interface ge-0/0/0.0
# NOTE(review): neither IS-IS nor LDP has authentication configured (lab-only shortcut).
# Level 1 is disabled per interface here (ge-0/0/0.0 only) rather than globally; lo0.0 keeps both levels.
set protocols isis interface ge-0/0/0.0 point-to-point
set protocols isis interface ge-0/0/0.0 level 1 disable
set protocols isis interface lo0.0
set protocols ldp interface ge-0/0/0.0
set protocols ldp interface lo0.0
# Pseudowire to the remote PE; virtual-circuit-id must match on both ends.
# ignore-mtu-mismatch lets the circuit come up even if the two ends report different MTUs.
set protocols l2circuit neighbor 192.168.1.1 interface ge-0/0/1.0 virtual-circuit-id 100
set protocols l2circuit neighbor 192.168.1.1 interface ge-0/0/1.0 encapsulation-type ethernet
set protocols l2circuit neighbor 192.168.1.1 interface ge-0/0/1.0 ignore-mtu-mismatch
DC-FW1
root@DC-FW1# show | display set
# DC-FW1: data-centre firewall. Route-based IPsec VPN (st0.0) to the peer at 172.16.1.1,
# zone-based policies between trust / untrust / vpn, and eBGP to the fabric and to HQ.
set version 23.1R1.8
set system host-name DC-FW1
# IKE phase 1: pre-shared key, DH group 14, SHA-256, AES-256-CBC, 1-hour lifetime.
set security ike proposal IKE-PROPOSAL-DC authentication-method pre-shared-keys
set security ike proposal IKE-PROPOSAL-DC dh-group group14
set security ike proposal IKE-PROPOSAL-DC authentication-algorithm sha-256
set security ike proposal IKE-PROPOSAL-DC encryption-algorithm aes-256-cbc
set security ike proposal IKE-PROPOSAL-DC lifetime-seconds 3600
# NOTE(review): aggressive mode combined with a pre-shared key sends the authentication
# hash before the exchange is encrypted, which exposes the key to offline guessing by
# anyone who can observe the handshake. The peer address below is static, so main mode
# (or IKEv2) would work here; change both ends together.
set security ike policy IKE-POLICY-DC mode aggressive
set security ike policy IKE-POLICY-DC proposals IKE-PROPOSAL-DC
# NOTE(review): a "$9$" string is Junos reversible obfuscation, not a one-way hash.
# Publishing it discloses the key: treat this one as compromised, never reuse it, and
# replace secrets with a placeholder before sharing a configuration.
set security ike policy IKE-POLICY-DC pre-shared-key ascii-text "$9$fTF/9A0hSeTzSevMXxDiHmQF"
# No IKE version is set on the gateway - presumably the IKEv1 default; confirm.
set security ike gateway IKE-GW-DC ike-policy IKE-POLICY-DC
set security ike gateway IKE-GW-DC address 172.16.1.1
set security ike gateway IKE-GW-DC external-interface ge-0/0/3
# IPsec phase 2: ESP with HMAC-SHA-256-128 and AES-256-CBC, 1-hour lifetime, PFS group 14.
set security ipsec proposal IPSEC-PROPOSAL-DC protocol esp
set security ipsec proposal IPSEC-PROPOSAL-DC authentication-algorithm hmac-sha-256-128
set security ipsec proposal IPSEC-PROPOSAL-DC encryption-algorithm aes-256-cbc
set security ipsec proposal IPSEC-PROPOSAL-DC lifetime-seconds 3600
set security ipsec policy IPSEC-POLICY-DC perfect-forward-secrecy keys group14
set security ipsec policy IPSEC-POLICY-DC proposals IPSEC-PROPOSAL-DC
# Route-based VPN bound to st0.0; the tunnel is negotiated at commit rather than on first traffic.
set security ipsec vpn IPSEC-VPN-DC bind-interface st0.0
set security ipsec vpn IPSEC-VPN-DC ike gateway IKE-GW-DC
set security ipsec vpn IPSEC-VPN-DC ike ipsec-policy IPSEC-POLICY-DC
set security ipsec vpn IPSEC-VPN-DC establish-tunnels immediately
# Address objects referenced by the VPN policies below.
set security address-book global address IT 192.168.11.0/24
set security address-book global address SALES 192.168.12.0/24
set security address-book global address P2P-FW-SW 192.168.101.0/24
set security address-book global address PROD 192.168.150.0/24
set security address-book global address DEV 192.168.250.0/24
set security address-book global address P2P-SPINE-FW 192.168.50.0/24
# Screen profile; it is attached to the untrust zone further down.
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood queue-size 2000
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
# NOTE(review): the two default-permit policies allow any source, destination and
# application; fine for a lab, too broad for production.
set security policies from-zone trust to-zone trust policy default-permit match source-address any
set security policies from-zone trust to-zone trust policy default-permit match destination-address any
set security policies from-zone trust to-zone trust policy default-permit match application any
set security policies from-zone trust to-zone trust policy default-permit then permit
set security policies from-zone trust to-zone untrust policy default-permit match source-address any
set security policies from-zone trust to-zone untrust policy default-permit match destination-address any
set security policies from-zone trust to-zone untrust policy default-permit match application any
set security policies from-zone trust to-zone untrust policy default-permit then permit
# DC subnets -> HQ subnets across the tunnel.
# NOTE(review): both VPN policies permit every application and log nothing; restrict
# the applications and add session logging if this leaves the lab.
set security policies from-zone trust to-zone vpn policy TRUST-TO-VPN match source-address PROD
set security policies from-zone trust to-zone vpn policy TRUST-TO-VPN match source-address DEV
set security policies from-zone trust to-zone vpn policy TRUST-TO-VPN match source-address P2P-SPINE-FW
set security policies from-zone trust to-zone vpn policy TRUST-TO-VPN match destination-address IT
set security policies from-zone trust to-zone vpn policy TRUST-TO-VPN match destination-address SALES
set security policies from-zone trust to-zone vpn policy TRUST-TO-VPN match destination-address P2P-FW-SW
set security policies from-zone trust to-zone vpn policy TRUST-TO-VPN match application any
set security policies from-zone trust to-zone vpn policy TRUST-TO-VPN then permit
# HQ subnets -> DC subnets; mirror image of TRUST-TO-VPN.
set security policies from-zone vpn to-zone trust policy VPN-TO-TRUST match source-address IT
set security policies from-zone vpn to-zone trust policy VPN-TO-TRUST match source-address SALES
set security policies from-zone vpn to-zone trust policy VPN-TO-TRUST match source-address P2P-FW-SW
set security policies from-zone vpn to-zone trust policy VPN-TO-TRUST match destination-address PROD
set security policies from-zone vpn to-zone trust policy VPN-TO-TRUST match destination-address DEV
set security policies from-zone vpn to-zone trust policy VPN-TO-TRUST match destination-address P2P-SPINE-FW
set security policies from-zone vpn to-zone trust policy VPN-TO-TRUST match application any
set security policies from-zone vpn to-zone trust policy VPN-TO-TRUST then permit
set security policies pre-id-default-policy then log session-close
# NOTE(review): the trust zone accepts every system service and protocol addressed to
# the firewall itself, so any management service enabled on the box is reachable from
# the fabric side. List only what is needed (for example bgp, ping, ssh).
set security zones security-zone trust tcp-rst
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/2.0
# untrust: only ping, IKE and traceroute may reach the firewall itself; the screen profile applies here.
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust host-inbound-traffic system-services ping
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust host-inbound-traffic system-services traceroute
set security zones security-zone untrust interfaces ge-0/0/3.0
# vpn: ping, traceroute and BGP are accepted on the tunnel interface.
set security zones security-zone vpn host-inbound-traffic system-services ping
set security zones security-zone vpn host-inbound-traffic system-services traceroute
set security zones security-zone vpn host-inbound-traffic protocols bgp
set security zones security-zone vpn interfaces st0.0
set interfaces ge-0/0/2 description "to DC-SPINE1"
set interfaces ge-0/0/2 unit 0 family inet address 192.168.50.2/24
set interfaces ge-0/0/3 description "to R-PE1"
set interfaces ge-0/0/3 unit 0 family inet address 172.16.1.2/24
# Tunnel interface; 192.0.2.0/24 is the TEST-NET-1 documentation range.
set interfaces st0 description "to HQ-FW"
set interfaces st0 unit 0 family inet address 192.0.2.2/24
# NOTE(review): neither BGP group has an import/export policy or session authentication,
# so the default BGP policy decides what is exchanged between the fabric and HQ.
set protocols bgp group DC-FABRIC type external
set protocols bgp group DC-FABRIC peer-as 65511
set protocols bgp group DC-FABRIC neighbor 192.168.50.1
# eBGP to HQ runs over the tunnel (st0 addresses).
set protocols bgp group HQ type external
set protocols bgp group HQ local-address 192.0.2.2
set protocols bgp group HQ peer-as 100
set protocols bgp group HQ neighbor 192.0.2.1
set routing-options autonomous-system 200
HQ-FW
root@HQ-FW# show | display set
# HQ-FW: vSRX at the HQ site. Terminates a route-based IPsec VPN (st0.0) towards
# the DC firewall, runs OSPF towards HQ-SW1 and eBGP (AS 100 -> AS 200) across
# the tunnel. Only host-name appears under "system", so the login and
# management-service stanzas are presumably trimmed from this listing.
set version 23.1R1.8
set system host-name HQ-FW
# IKE (phase 1): pre-shared-key authentication, DH group 14, SHA-256,
# AES-256-CBC, one-hour lifetime.
set security ike proposal IKE-PROPOSAL-HQ authentication-method pre-shared-keys
set security ike proposal IKE-PROPOSAL-HQ dh-group group14
set security ike proposal IKE-PROPOSAL-HQ authentication-algorithm sha-256
set security ike proposal IKE-PROPOSAL-HQ encryption-algorithm aes-256-cbc
set security ike proposal IKE-PROPOSAL-HQ lifetime-seconds 3600
# NOTE(review): aggressive mode combined with a pre-shared key exposes material
# that allows offline guessing of the key. The gateway below uses a fixed peer
# address and a fixed local interface, so nothing in this listing requires
# aggressive mode; main mode is the safer choice and must be changed on both
# peers together. No "version" statement is set on the gateway, so this
# presumably runs IKEv1 - confirm; "version v2-only" or certificate
# authentication would be the stronger options.
set security ike policy IKE-POLICY-HQ mode aggressive
set security ike policy IKE-POLICY-HQ proposals IKE-PROPOSAL-HQ
# NOTE(review): a $9$ string is a reversible obfuscation, not a one-way hash.
# Because this value is published, treat the key as disclosed and set a new one
# on both peers before reusing this configuration outside an isolated lab.
set security ike policy IKE-POLICY-HQ pre-shared-key ascii-text "$9$7h-b2goGqmT-VmTzF/9evMXdb"
set security ike gateway IKE-GW-HQ ike-policy IKE-POLICY-HQ
set security ike gateway IKE-GW-HQ address 172.16.1.2
set security ike gateway IKE-GW-HQ external-interface ge-0/0/1
# IPsec (phase 2): ESP with AES-256-CBC and HMAC-SHA-256-128, one-hour lifetime,
# PFS with group 14 so every rekey performs a fresh Diffie-Hellman exchange.
set security ipsec proposal IPSEC-PROPOSAL-HQ protocol esp
set security ipsec proposal IPSEC-PROPOSAL-HQ authentication-algorithm hmac-sha-256-128
set security ipsec proposal IPSEC-PROPOSAL-HQ encryption-algorithm aes-256-cbc
set security ipsec proposal IPSEC-PROPOSAL-HQ lifetime-seconds 3600
set security ipsec policy IPSEC-POLICY-HQ perfect-forward-secrecy keys group14
set security ipsec policy IPSEC-POLICY-HQ proposals IPSEC-PROPOSAL-HQ
# Route-based VPN: the tunnel is bound to st0.0 and brought up at commit time
# rather than on first matching traffic.
set security ipsec vpn IPSEC-VPN-HQ bind-interface st0.0
set security ipsec vpn IPSEC-VPN-HQ ike gateway IKE-GW-HQ
set security ipsec vpn IPSEC-VPN-HQ ike ipsec-policy IPSEC-POLICY-HQ
set security ipsec vpn IPSEC-VPN-HQ establish-tunnels immediately
# Address objects referenced by the trust <-> vpn policies below. IT, SALES and
# P2P-FW-SW are the source side of TRUST-TO-VPN; PROD, DEV and
# P2P-SPINE-FIREWALL are its destination side.
set security address-book global address IT 192.168.11.0/24
set security address-book global address SALES 192.168.12.0/24
set security address-book global address P2P-FW-SW 192.168.101.0/24
set security address-book global address PROD 192.168.150.0/24
set security address-book global address DEV 192.168.250.0/24
set security address-book global address P2P-SPINE-FIREWALL 192.168.50.0/24
# Screen profile attached to the untrust zone further down: ping-of-death,
# IP source-route option, teardrop, LAND and SYN-flood checks.
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood queue-size 2000
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
# Intra-zone and outbound policies permit any source, destination and
# application, and neither has a "then log" action, so permitted sessions
# leave no policy log.
set security policies from-zone trust to-zone trust policy default-permit match source-address any
set security policies from-zone trust to-zone trust policy default-permit match destination-address any
set security policies from-zone trust to-zone trust policy default-permit match application any
set security policies from-zone trust to-zone trust policy default-permit then permit
set security policies from-zone trust to-zone untrust policy default-permit match source-address any
set security policies from-zone trust to-zone untrust policy default-permit match destination-address any
set security policies from-zone trust to-zone untrust policy default-permit match application any
set security policies from-zone trust to-zone untrust policy default-permit then permit
# Site-to-site policies: limited by address object in both directions, but
# "application any" still allows every port between the listed subnets.
# NOTE(review): narrowing the application match and logging these sessions
# would make cross-site access auditable.
set security policies from-zone trust to-zone vpn policy TRUST-TO-VPN match source-address IT
set security policies from-zone trust to-zone vpn policy TRUST-TO-VPN match source-address SALES
set security policies from-zone trust to-zone vpn policy TRUST-TO-VPN match source-address P2P-FW-SW
set security policies from-zone trust to-zone vpn policy TRUST-TO-VPN match destination-address PROD
set security policies from-zone trust to-zone vpn policy TRUST-TO-VPN match destination-address DEV
set security policies from-zone trust to-zone vpn policy TRUST-TO-VPN match destination-address P2P-SPINE-FIREWALL
set security policies from-zone trust to-zone vpn policy TRUST-TO-VPN match application any
set security policies from-zone trust to-zone vpn policy TRUST-TO-VPN then permit
set security policies from-zone vpn to-zone trust policy VPN-TO-TRUST match source-address PROD
set security policies from-zone vpn to-zone trust policy VPN-TO-TRUST match source-address DEV
set security policies from-zone vpn to-zone trust policy VPN-TO-TRUST match source-address P2P-SPINE-FIREWALL
set security policies from-zone vpn to-zone trust policy VPN-TO-TRUST match destination-address IT
set security policies from-zone vpn to-zone trust policy VPN-TO-TRUST match destination-address SALES
set security policies from-zone vpn to-zone trust policy VPN-TO-TRUST match destination-address P2P-FW-SW
set security policies from-zone vpn to-zone trust policy VPN-TO-TRUST match application any
set security policies from-zone vpn to-zone trust policy VPN-TO-TRUST then permit
# No policy is defined from untrust towards trust or vpn in this listing.
set security policies pre-id-default-policy then log session-close
# NOTE(review): "system-services all" and "protocols all" accept every
# management service and routing protocol on ge-0/0/0.0. This listing only
# shows OSPF in use on that interface, so an explicit list of the services and
# protocols actually needed would reduce exposure to hosts behind HQ-SW1.
set security zones security-zone trust tcp-rst
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/0.0
# The untrust side accepts only ping, IKE and traceroute to the firewall
# itself, with the screen profile applied.
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust host-inbound-traffic system-services ping
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust host-inbound-traffic system-services traceroute
set security zones security-zone untrust interfaces ge-0/0/1.0
# The tunnel zone accepts ping, traceroute and BGP, matching the eBGP session
# that runs over st0.0.
set security zones security-zone vpn host-inbound-traffic system-services ping
set security zones security-zone vpn host-inbound-traffic system-services traceroute
set security zones security-zone vpn host-inbound-traffic protocols bgp
set security zones security-zone vpn interfaces st0.0
set interfaces ge-0/0/0 description "to HQ-SW1"
set interfaces ge-0/0/0 unit 0 family inet address 192.168.101.101/24
set interfaces ge-0/0/1 description "to R-PE8"
set interfaces ge-0/0/1 unit 0 family inet address 172.16.1.1/24
set interfaces st0 description "to DC-FW"
set interfaces st0 unit 0 family inet address 192.0.2.1/24
# Export policy: only the three HQ prefixes are advertised to the DC peer;
# everything else is rejected by term 2.
set policy-options prefix-list HQ 192.168.11.0/24
set policy-options prefix-list HQ 192.168.12.0/24
set policy-options prefix-list HQ 192.168.101.0/24
set policy-options policy-statement BGP_DC_EXPORT term 1 from prefix-list HQ
set policy-options policy-statement BGP_DC_EXPORT term 1 then accept
set policy-options policy-statement BGP_DC_EXPORT term 2 then reject
# NOTE(review): no OSPF authentication is configured, and lo0.0 is listed here
# although no lo0 address appears in this listing.
set protocols ospf area 0.0.0.0 interface ge-0/0/0.0
set protocols ospf area 0.0.0.0 interface lo0.0
# NOTE(review): the eBGP session has an export policy but no import policy and
# no session authentication, so it relies on the IPsec tunnel for protection
# and accepts whatever the DC peer advertises. An import policy limited to the
# expected DC prefixes would bound what the remote side can inject.
set protocols bgp group DC type external
set protocols bgp group DC local-address 192.0.2.1
set protocols bgp group DC export BGP_DC_EXPORT
set protocols bgp group DC peer-as 200
set protocols bgp group DC neighbor 192.0.2.2
set routing-options autonomous-system 100
HQ-SW1
ipnet@HQ-SW1# show | display set
# HQ-SW1: HQ distribution switch. Hosts the IT (VLAN 11) and SALES (VLAN 12)
# gateways on irb.11 / irb.12, trunks both VLANs to HQ-SW2 over the LACP
# bundle ae0, and has a routed uplink on ge-0/0/4.
set version 23.2R1.14
set system host-name HQ-SW1
set chassis aggregated-devices ethernet device-count 2
# ge-0/0/0 and ge-0/0/1 are the member links of ae0.
set interfaces ge-0/0/0 ether-options 802.3ad ae0
set interfaces ge-0/0/1 ether-options 802.3ad ae0
# Host-facing ports. No interface-mode is set, so they are presumably access
# ports by default - confirm.
# NOTE(review): no port-level protections (storm control, MAC limiting, DHCP
# snooping) are shown for these ports.
set interfaces ge-0/0/2 description "to IT-10"
set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members it
set interfaces ge-0/0/3 description "to SALES-10"
set interfaces ge-0/0/3 unit 0 family ethernet-switching vlan members sales
# Routed point-to-point link to the firewall (192.168.101.0/24).
set interfaces ge-0/0/4 description "to HQ-FW"
set interfaces ge-0/0/4 unit 0 family inet address 192.168.101.1/24
set interfaces ae0 description "to HQ-SW2"
set interfaces ae0 aggregated-ether-options lacp active
set interfaces ae0 unit 0 family ethernet-switching interface-mode trunk
set interfaces ae0 unit 0 family ethernet-switching vlan members it
set interfaces ae0 unit 0 family ethernet-switching vlan members sales
# NOTE(review): both user subnets are routed on this switch and no firewall
# filter is shown on the irb units, so IT <-> SALES traffic is forwarded here
# without passing through HQ-FW's security policies.
set interfaces irb unit 11 family inet address 192.168.11.254/24
set interfaces irb unit 12 family inet address 192.168.12.254/24
# Default route towards 192.168.101.101, the address on HQ-FW ge-0/0/0.
set routing-options static route 0.0.0.0/0 next-hop 192.168.101.101
# Sets the managed-configuration flag in router advertisements on fxp0.0.
set protocols router-advertisement interface fxp0.0 managed-configuration
# NOTE(review): irb.11 and irb.12 are active OSPF interfaces with no
# authentication, so OSPF hellos are sent into the user VLANs and a host there
# could attempt to form an adjacency. Marking the irb interfaces "passive"
# still advertises the subnets while keeping adjacencies to the ge-0/0/4.0 link.
set protocols ospf area 0.0.0.0 interface ge-0/0/4.0
set protocols ospf area 0.0.0.0 interface irb.11
set protocols ospf area 0.0.0.0 interface irb.12
# NOTE(review): LLDP and LLDP-MED on "interface all" also advertise device
# details on the host-facing ports; limiting them to the ports that need them
# reduces what connected hosts can learn about the switch.
set protocols lldp interface all
set protocols lldp-med interface all
set vlans it vlan-id 11
set vlans it l3-interface irb.11
set vlans sales vlan-id 12
set vlans sales l3-interface irb.12
HQ-SW2
root@HQ-SW2# show | display set
# HQ-SW2: layer-2 only access switch. Carries the IT (VLAN 11) and SALES
# (VLAN 12) VLANs to HQ-SW1 over the LACP bundle ae0; no irb or routing
# protocol is configured here.
set version 23.2R1.14
set system host-name HQ-SW2
set chassis aggregated-devices ethernet device-count 2
# ge-0/0/0 and ge-0/0/1 are the member links of ae0.
set interfaces ge-0/0/0 ether-options 802.3ad ae0
set interfaces ge-0/0/1 ether-options 802.3ad ae0
# Host-facing ports. No interface-mode is set, so they are presumably access
# ports by default - confirm.
# NOTE(review): no port-level protections (storm control, MAC limiting, DHCP
# snooping) are shown for these ports.
set interfaces ge-0/0/2 description "to IT-20"
set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members it
set interfaces ge-0/0/3 description "to SALES-20"
set interfaces ge-0/0/3 unit 0 family ethernet-switching vlan members sales
set interfaces ae0 description "to HQ-SW1"
set interfaces ae0 aggregated-ether-options lacp active
set interfaces ae0 unit 0 family ethernet-switching interface-mode trunk
set interfaces ae0 unit 0 family ethernet-switching vlan members it
set interfaces ae0 unit 0 family ethernet-switching vlan members sales
# Sets the managed-configuration flag in router advertisements on fxp0.0.
set protocols router-advertisement interface fxp0.0 managed-configuration
# NOTE(review): LLDP and LLDP-MED on "interface all" also advertise device
# details on the host-facing ports; limiting them to the ports that need them
# reduces what connected hosts can learn about the switch.
set protocols lldp interface all
set protocols lldp-med interface all
# VLANs are defined without an l3-interface, so this switch does no routing
# for them.
set vlans it vlan-id 11
set vlans sales vlan-id 12