Os comandos usados para executar a config acima:
# BGP policy and peering: two upstream neighbors, each filtered by the same
# EXPORT (outbound) and IMPORT (inbound) prefix-lists.

# Creates a prefix-list named BGP; nothing else on this page references it.
set policy prefix-list BGP
# EXPORT permits a single /24. Prefix-lists end in an implicit deny, so this
# is the only route offered to the neighbors and routes learned from one
# upstream are not re-announced to the other.
set policy prefix-list EXPORT rule 10 action permit
set policy prefix-list EXPORT rule 10 prefix 38.x.x.0/24
# IMPORT permits 0.0.0.0/0 with no "le" qualifier, which matches the default
# route only; any more-specific prefix a neighbor sends is rejected.
set policy prefix-list IMPORT rule 20 action permit
set policy prefix-list IMPORT rule 20 prefix 0.0.0.0/0
# Neighbor 1 (remote AS 174).
# NOTE(review): no "password" (TCP MD5) or "ttl-security hops" is set for
# either neighbor on this page; confirm with each upstream whether session
# protection can be enabled.
set protocols bgp 5XXX1 neighbor 38.x.x.125 description 'COGENT AS Neighbor'
set protocols bgp 5XXX1 neighbor 38.x.x.125 prefix-list export EXPORT
set protocols bgp 5XXX1 neighbor 38.x.x.125 prefix-list import IMPORT
set protocols bgp 5XXX1 neighbor 38.x.x.125 remote-as 174
# Keeps the routes received from the neighbor so an import-policy change can
# be re-applied without resetting the session.
set protocols bgp 5XXX1 neighbor 38.x.x.125 soft-reconfiguration inbound
# Neighbor 2 (remote AS 46887), same filters as neighbor 1.
set protocols bgp 5XXX1 neighbor 144.x.x.229 description 'LIGHTOWER AS Neighbor'
set protocols bgp 5XXX1 neighbor 144.x.x.229 prefix-list export EXPORT
set protocols bgp 5XXX1 neighbor 144.x.x.229 prefix-list import IMPORT
set protocols bgp 5XXX1 neighbor 144.x.x.229 remote-as 46887
set protocols bgp 5XXX1 neighbor 144.x.x.229 soft-reconfiguration inbound
# Originates the /24 into BGP (presumably the same prefix EXPORT permits;
# the addresses are redacted, so confirm).
set protocols bgp 5XXX1 network 38.x.x.0/24
# Blackhole static route for the announced /24. Presumably it anchors the
# "network" statement in the routing table and drops traffic to addresses in
# the /24 that have no more-specific route, instead of sending it back out
# via the default route; verify against the rest of the config.
set protocols static route 38.x.x.0/24 blackhole
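<These commands restrict access to the BGP router's own interfaces (the "local" firewall direction) while still allowing ping (ICMP) and BGP from any source; SNMP, SSH, HTTPS and HTTP are allowed only from ALLOWED_ADMIN_GROUP.>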
# Source networks allowed to reach the router's management services
# (referenced by rules 30-60 below).
# NOTE(review): 38.x.x.0/24 looks like the publicly announced prefix
# (addresses are redacted, so confirm). If so, every host in that range can
# reach SSH/SNMP/HTTP(S) on the router; consider narrowing the group to
# dedicated management hosts or subnets.
set firewall group network-group ALLOWED_ADMIN_GROUP network 38.x.x.0/24
set firewall group network-group ALLOWED_ADMIN_GROUP network 38.x.x.128/26
set firewall group network-group ALLOWED_ADMIN_GROUP network 10.x.x.0/24
set firewall group network-group ALLOWED_ADMIN_GROUP network 172.x.x.0/24
set firewall group network-group ALLOWED_ADMIN_GROUP network 96.x.x.2/32
# Rule set REMOTE_ACCESS: anything not matched by a rule is dropped, and
# those default drops are logged.
set firewall name REMOTE_ACCESS default-action drop
set firewall name REMOTE_ACCESS description 'IPv4 inbound traffic to the router'
set firewall name REMOTE_ACCESS enable-default-log
# Rule 5: return traffic for connections that are already established or
# related to one (e.g. replies to sessions the router itself opened).
# NOTE(review): every accept rule in this set has "log disable", so accepted
# management connections leave no firewall log entry; consider logging the
# SSH/HTTPS rules if an audit trail is wanted.
set firewall name REMOTE_ACCESS rule 5 action accept
set firewall name REMOTE_ACCESS rule 5 description 'Allow Established'
set firewall name REMOTE_ACCESS rule 5 log disable
set firewall name REMOTE_ACCESS rule 5 protocol all
set firewall name REMOTE_ACCESS rule 5 state established enable
set firewall name REMOTE_ACCESS rule 5 state related enable
# Rule 10: BGP (TCP/179) with no source match, i.e. accepted from any address.
# NOTE(review): only the two configured neighbors need to reach this port.
# Consider an address-group holding the neighbor addresses and matching it
# here with "source group address-group <GROUP_NAME>".
set firewall name REMOTE_ACCESS rule 10 action accept
set firewall name REMOTE_ACCESS rule 10 description 'Allow BGP'
set firewall name REMOTE_ACCESS rule 10 log disable
set firewall name REMOTE_ACCESS rule 10 destination port 179
set firewall name REMOTE_ACCESS rule 10 protocol tcp
# Rule 20: all ICMP from any source (no type or source restriction).
set firewall name REMOTE_ACCESS rule 20 action accept
set firewall name REMOTE_ACCESS rule 20 description 'Allow ICMP'
set firewall name REMOTE_ACCESS rule 20 log disable
set firewall name REMOTE_ACCESS rule 20 protocol icmp
# Rule 30: SNMP (UDP/161) from ALLOWED_ADMIN_GROUP only.
# The SNMP version and community settings are not shown on this page.
set firewall name REMOTE_ACCESS rule 30 action accept
set firewall name REMOTE_ACCESS rule 30 description 'Allow SNMP'
set firewall name REMOTE_ACCESS rule 30 destination port 161
set firewall name REMOTE_ACCESS rule 30 protocol udp
set firewall name REMOTE_ACCESS rule 30 log disable
set firewall name REMOTE_ACCESS rule 30 source group network-group ALLOWED_ADMIN_GROUP
# Rule 40: SSH (TCP/22) from ALLOWED_ADMIN_GROUP only.
set firewall name REMOTE_ACCESS rule 40 action accept
set firewall name REMOTE_ACCESS rule 40 description 'Allow SSH'
set firewall name REMOTE_ACCESS rule 40 destination port 22
set firewall name REMOTE_ACCESS rule 40 protocol tcp
set firewall name REMOTE_ACCESS rule 40 log disable
set firewall name REMOTE_ACCESS rule 40 source group network-group ALLOWED_ADMIN_GROUP
# Rule 50: HTTPS (TCP/443) from ALLOWED_ADMIN_GROUP only.
set firewall name REMOTE_ACCESS rule 50 action accept
set firewall name REMOTE_ACCESS rule 50 description 'Allow HTTPS'
set firewall name REMOTE_ACCESS rule 50 destination port 443
set firewall name REMOTE_ACCESS rule 50 protocol tcp
set firewall name REMOTE_ACCESS rule 50 log disable
set firewall name REMOTE_ACCESS rule 50 source group network-group ALLOWED_ADMIN_GROUP
# Rule 60: HTTP (TCP/80) from ALLOWED_ADMIN_GROUP only.
# NOTE(review): if this port serves the router's web interface, logins cross
# the network unencrypted; rule 50 already covers HTTPS, so confirm whether
# port 80 is needed at all.
set firewall name REMOTE_ACCESS rule 60 action accept
set firewall name REMOTE_ACCESS rule 60 description 'Allow HTTP'
set firewall name REMOTE_ACCESS rule 60 destination port 80
set firewall name REMOTE_ACCESS rule 60 protocol tcp
set firewall name REMOTE_ACCESS rule 60 log disable
set firewall name REMOTE_ACCESS rule 60 source group network-group ALLOWED_ADMIN_GROUP
# Attach the rule set in the "local" direction (traffic addressed to the
# router itself) on eth0-eth3. Forwarded traffic ("in"/"out") is not
# filtered by anything on this page.
# NOTE(review): REMOTE_ACCESS is an IPv4 rule set. If any of these interfaces
# carries IPv6 addresses, an equivalent "ipv6-name" rule set is needed or the
# management services stay reachable over IPv6; confirm.
set interfaces ethernet eth0 firewall local name REMOTE_ACCESS
set interfaces ethernet eth1 firewall local name REMOTE_ACCESS
set interfaces ethernet eth2 firewall local name REMOTE_ACCESS
set interfaces ethernet eth3 firewall local name REMOTE_ACCESS
Os comandos usados para executar a config acima:
# BGP section: prefix-lists first, then the two upstream neighbors that use
# them, then origination of the local /24.

# Prefix-list BGP is created here but not referenced by any line on this page.
set policy prefix-list BGP
# Outbound filter: one /24 is permitted and everything else falls through to
# the prefix-list's implicit deny, so the router cannot act as transit
# between its two upstreams.
set policy prefix-list EXPORT rule 10 action permit
set policy prefix-list EXPORT rule 10 prefix 38.x.x.0/24
# Inbound filter: 0.0.0.0/0 without "le" is an exact match on the default
# route, so no other prefix is accepted from a neighbor.
set policy prefix-list IMPORT rule 20 action permit
set policy prefix-list IMPORT rule 20 prefix 0.0.0.0/0
# First neighbor, remote AS 174.
# NOTE(review): neither neighbor has "password" (TCP MD5) or
# "ttl-security hops" configured on this page; check whether the upstreams
# support them.
set protocols bgp 5XXX1 neighbor 38.x.x.125 description 'COGENT AS Neighbor'
set protocols bgp 5XXX1 neighbor 38.x.x.125 prefix-list export EXPORT
set protocols bgp 5XXX1 neighbor 38.x.x.125 prefix-list import IMPORT
set protocols bgp 5XXX1 neighbor 38.x.x.125 remote-as 174
# Stores received routes so inbound policy can be re-evaluated without a
# session reset.
set protocols bgp 5XXX1 neighbor 38.x.x.125 soft-reconfiguration inbound
# Second neighbor, remote AS 46887, filtered identically.
set protocols bgp 5XXX1 neighbor 144.x.x.229 description 'LIGHTOWER AS Neighbor'
set protocols bgp 5XXX1 neighbor 144.x.x.229 prefix-list export EXPORT
set protocols bgp 5XXX1 neighbor 144.x.x.229 prefix-list import IMPORT
set protocols bgp 5XXX1 neighbor 144.x.x.229 remote-as 46887
set protocols bgp 5XXX1 neighbor 144.x.x.229 soft-reconfiguration inbound
# Announce the /24 (presumably the prefix EXPORT permits; redacted, confirm).
set protocols bgp 5XXX1 network 38.x.x.0/24
# Blackhole route covering the announced /24; presumably present so the
# "network" statement has a matching route and so traffic without a
# more-specific route is dropped rather than looped upstream. Verify.
set protocols static route 38.x.x.0/24 blackhole
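<These commands restrict access to the BGP router's own interfaces (the "local" firewall direction) while still allowing ping (ICMP) and BGP from any source; SNMP, SSH, HTTPS and HTTP are allowed only from ALLOWED_ADMIN_GROUP.>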
# Networks permitted to reach management services (used as the source match
# in rules 30-60 below).
# Several entries are textually identical after redaction (38.x.x.0/24 twice,
# 10.x.x.0/24 four times); they may be distinct networks in the real config,
# which cannot be determined from this page.
# NOTE(review): 38.x.x.0/24 appears to be the publicly announced prefix
# (confirm). If so, the whole public range can reach SSH/SNMP/HTTP(S) on the
# router; prefer listing only management hosts or subnets.
set firewall group network-group ALLOWED_ADMIN_GROUP network 38.x.x.0/24
set firewall group network-group ALLOWED_ADMIN_GROUP network 38.x.x.128/26
set firewall group network-group ALLOWED_ADMIN_GROUP network 38.x.x.0/24
set firewall group network-group ALLOWED_ADMIN_GROUP network 10.x.x.0/24
set firewall group network-group ALLOWED_ADMIN_GROUP network 10.x.x.0/24
set firewall group network-group ALLOWED_ADMIN_GROUP network 172.x.x.0/24
set firewall group network-group ALLOWED_ADMIN_GROUP network 10.x.x.0/24
set firewall group network-group ALLOWED_ADMIN_GROUP network 10.x.x.0/24
set firewall group network-group ALLOWED_ADMIN_GROUP network 96.x.x.2/32
# REMOTE_ACCESS rule set: default is drop, and default drops are logged.
set firewall name REMOTE_ACCESS default-action drop
set firewall name REMOTE_ACCESS description 'IPv4 inbound traffic to the router'
set firewall name REMOTE_ACCESS enable-default-log
# Rule 5: accept packets belonging to established or related connections.
# NOTE(review): all accept rules below use "log disable", so permitted
# management sessions are not recorded by the firewall; consider logging
# SSH/HTTPS accepts if an audit trail is required.
set firewall name REMOTE_ACCESS rule 5 action accept
set firewall name REMOTE_ACCESS rule 5 description 'Allow Established'
set firewall name REMOTE_ACCESS rule 5 log disable
set firewall name REMOTE_ACCESS rule 5 protocol all
set firewall name REMOTE_ACCESS rule 5 state established enable
set firewall name REMOTE_ACCESS rule 5 state related enable
# Rule 10: TCP/179 (BGP) accepted from any source address.
# NOTE(review): the BGP port is open to every sender, not just the two
# configured neighbors. Consider matching an address-group of the neighbor
# addresses with "source group address-group <GROUP_NAME>".
set firewall name REMOTE_ACCESS rule 10 action accept
set firewall name REMOTE_ACCESS rule 10 description 'Allow BGP'
set firewall name REMOTE_ACCESS rule 10 log disable
set firewall name REMOTE_ACCESS rule 10 destination port 179
set firewall name REMOTE_ACCESS rule 10 protocol tcp
# Rule 20: ICMP of any type, from any source.
set firewall name REMOTE_ACCESS rule 20 action accept
set firewall name REMOTE_ACCESS rule 20 description 'Allow ICMP'
set firewall name REMOTE_ACCESS rule 20 log disable
set firewall name REMOTE_ACCESS rule 20 protocol icmp
# Rule 30: UDP/161 (SNMP), admin group only. SNMP version and community
# configuration are not part of this page.
set firewall name REMOTE_ACCESS rule 30 action accept
set firewall name REMOTE_ACCESS rule 30 description 'Allow SNMP'
set firewall name REMOTE_ACCESS rule 30 destination port 161
set firewall name REMOTE_ACCESS rule 30 protocol udp
set firewall name REMOTE_ACCESS rule 30 log disable
set firewall name REMOTE_ACCESS rule 30 source group network-group ALLOWED_ADMIN_GROUP
# Rule 40: TCP/22 (SSH), admin group only.
set firewall name REMOTE_ACCESS rule 40 action accept
set firewall name REMOTE_ACCESS rule 40 description 'Allow SSH'
set firewall name REMOTE_ACCESS rule 40 destination port 22
set firewall name REMOTE_ACCESS rule 40 protocol tcp
set firewall name REMOTE_ACCESS rule 40 log disable
set firewall name REMOTE_ACCESS rule 40 source group network-group ALLOWED_ADMIN_GROUP
# Rule 50: TCP/443 (HTTPS), admin group only.
set firewall name REMOTE_ACCESS rule 50 action accept
set firewall name REMOTE_ACCESS rule 50 description 'Allow HTTPS'
set firewall name REMOTE_ACCESS rule 50 destination port 443
set firewall name REMOTE_ACCESS rule 50 protocol tcp
set firewall name REMOTE_ACCESS rule 50 log disable
set firewall name REMOTE_ACCESS rule 50 source group network-group ALLOWED_ADMIN_GROUP
# Rule 60: TCP/80 (HTTP), admin group only.
# NOTE(review): plaintext HTTP to the router; if it fronts the web
# interface, credentials are sent unencrypted. HTTPS is already allowed by
# rule 50, so confirm whether this rule is needed.
set firewall name REMOTE_ACCESS rule 60 action accept
set firewall name REMOTE_ACCESS rule 60 description 'Allow HTTP'
set firewall name REMOTE_ACCESS rule 60 destination port 80
set firewall name REMOTE_ACCESS rule 60 protocol tcp
set firewall name REMOTE_ACCESS rule 60 log disable
set firewall name REMOTE_ACCESS rule 60 source group network-group ALLOWED_ADMIN_GROUP
# Bind the rule set to eth0-eth3 in the "local" direction, which covers
# packets addressed to the router itself; transit traffic is not filtered by
# this page.
# NOTE(review): this is an IPv4 rule set only. If IPv6 is enabled on these
# interfaces, a matching "ipv6-name" rule set is required to keep the same
# restrictions; confirm.
set interfaces ethernet eth0 firewall local name REMOTE_ACCESS
set interfaces ethernet eth1 firewall local name REMOTE_ACCESS
set interfaces ethernet eth2 firewall local name REMOTE_ACCESS
set interfaces ethernet eth3 firewall local name REMOTE_ACCESS