Juniper SRX series firewalls: advanced security configuration


Part 2: Security zones and interfaces

Creating a security zone and assigning an interface to it:

user@host# set interfaces ge-0/0/1 unit 1 family inet address 10.12.12.1/24
user@host# set security zones security-zone ABC interfaces ge-0/0/1.1

Configuring which management (host-inbound) services an interface accepts. Host-inbound traffic is traffic addressed to the SRX itself: a service that is not listed is dropped, and a host-inbound-traffic list configured under an interface replaces the zone-level list for that interface rather than merging with it:

user@host# set security zones security-zone ABC interfaces ge-0/0/1.3 host-inbound-traffic system-services ftp
user@host# set security zones security-zone ABC interfaces ge-0/0/1.3 host-inbound-traffic system-services telnet
user@host# set security zones security-zone ABC interfaces ge-0/0/1.1 host-inbound-traffic system-services snmp

or allow everything and then exclude individual services with except (except only makes sense together with all):

user@host# set security zones security-zone ABC interfaces ge-0/0/1.1 host-inbound-traffic system-services all
user@host# set security zones security-zone ABC interfaces ge-0/0/1.1 host-inbound-traffic system-services http except
user@host# set security zones security-zone ABC interfaces ge-0/0/1.3 host-inbound-traffic system-services ftp except

The same keywords work with protocols in place of system-services (routing protocols such as ospf and bgp; ike counts as a system service). Telnet and FTP carry credentials in cleartext, so on a production device enable ssh and https for management and open ping, snmp or ike only where they are actually needed.
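The interaction between zone-level and interface-level host-inbound-traffic, all and except is easy to get wrong, so here is an added example (not code from the original page or from Juniper) that resolves the services each interface will actually answer on from a list of set commands and reports which cleartext management services are exposed. The sample configuration is constructed from the commands above plus a zone-level ping/ssh list and a second interface, so that the override rule is exercised; the CLEARTEXT set is this example's own choice.

```python
"""Resolve the management services each SRX interface will actually accept.

Rules applied (as documented for Junos security zones):
  - host-inbound-traffic configured at zone level applies to every interface
    in the zone that has no host-inbound-traffic of its own;
  - host-inbound-traffic configured under an interface replaces (does not
    merge with) the zone-level list for that interface;
  - "all" admits every system service, and "<service> except" removes that
    service from an "all" list.
"""
import re
from collections import defaultdict

# Constructed sample in the shape of the commands above; the zone-level ping/ssh
# lines and interface ge-0/0/1.2 are added so the inheritance rule is exercised.
SAMPLE_CONFIG = """
set security zones security-zone ABC host-inbound-traffic system-services ping
set security zones security-zone ABC host-inbound-traffic system-services ssh
set security zones security-zone ABC interfaces ge-0/0/1.1
set security zones security-zone ABC interfaces ge-0/0/1.2
set security zones security-zone ABC interfaces ge-0/0/1.3 host-inbound-traffic system-services ftp
set security zones security-zone ABC interfaces ge-0/0/1.3 host-inbound-traffic system-services telnet
set security zones security-zone ABC interfaces ge-0/0/1.1 host-inbound-traffic system-services all
set security zones security-zone ABC interfaces ge-0/0/1.1 host-inbound-traffic system-services http except
"""

# Services that carry credentials or management data in cleartext (example's own list).
CLEARTEXT = {"telnet", "ftp", "http", "snmp", "tftp", "finger"}

LINE = re.compile(
    r"^set security zones security-zone (?P<zone>\S+)"
    r"(?: interfaces (?P<ifl>\S+))?"
    r"(?: host-inbound-traffic system-services (?P<svc>\S+)(?P<exc> except)?)?$"
)


def _new():
    return {"all": False, "allow": set(), "except": set()}


def parse(config):
    """Return (zone_rules, ifl_rules, ifl_zone) from a list of set commands."""
    zone_rules = defaultdict(_new)
    ifl_rules = {}
    ifl_zone = {}
    for raw in config.strip().splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        zone, ifl, svc, exc = m.group("zone", "ifl", "svc", "exc")
        if ifl:
            ifl_zone[ifl] = zone
        if svc is None:
            continue
        rule = ifl_rules.setdefault(ifl, _new()) if ifl else zone_rules[zone]
        if exc:
            rule["except"].add(svc)      # only meaningful together with "all"
        elif svc == "all":
            rule["all"] = True
        else:
            rule["allow"].add(svc)
    return zone_rules, ifl_rules, ifl_zone


def effective(config, ifl):
    """Services the SRX answers on ifl: ("all", excluded set) or ("list", allowed set)."""
    zone_rules, ifl_rules, ifl_zone = parse(config)
    rule = ifl_rules.get(ifl) or zone_rules[ifl_zone[ifl]]   # interface list overrides zone list
    if rule["all"]:
        return "all", frozenset(rule["except"])
    return "list", frozenset(rule["allow"])


def cleartext_exposure(config, ifl):
    """Cleartext management services reachable on ifl after applying the rules."""
    kind, svcs = effective(config, ifl)
    return frozenset(CLEARTEXT - svcs) if kind == "all" else frozenset(svcs & CLEARTEXT)


if __name__ == "__main__":
    for ifl in ("ge-0/0/1.1", "ge-0/0/1.2", "ge-0/0/1.3"):
        print(ifl, effective(SAMPLE_CONFIG, ifl), sorted(cleartext_exposure(SAMPLE_CONFIG, ifl)))
```

Note what the override rule does to ge-0/0/1.3: because it has its own ftp/telnet list, the zone's ssh entry no longer applies to it, so the interface accepts exactly two cleartext services and no SSH.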

Address books and address sets

Each security zone contains an address book. Before building policies between two zones, the addresses in the zones' address books must be defined. To keep an address book with many entries manageable, group addresses into address sets. Policies refer to address-book entries and sets by name.

user@host# set security zones security-zone green address-book address src_addr1 .10.4.44/32
user@host# set security zones security-zone green address-book address src_addr2 .10.9.28/32
user@host# set security zones security-zone green address-book address src_addr3 10.10.10.10/24
user@host# set security zones security-zone green address-book address-set my_source_addresses address src_addr1
user@host# set security zones security-zone green address-book address-set my_source_addresses address src_addr2
user@host# set security zones security-zone green address-book address-set my_source_addresses address src_addr3

The set is then referenced by its name (my_source_addresses) wherever a policy takes a source-address or destination-address.

* An address set can only be configured once the address book contains more than one address.
* An address set can only contain address names from the same security zone.
* An address name cannot be the same as an address set name.

Configuring address books

user@host# set security zones security-zone IntranetGREEN address-book address G1 10.1.10.0/24
user@host# set security zones security-zone IntranetGREEN address-book address G2 10.1.10.0/32
user@host# set security zones security-zone IntranetGREEN address-book address-set SerAll address G1
user@host# set security zones security-zone IntranetGREEN address-book address-set SerAll address G2

(Each member of an address set is added with its own set command.)

Part 3: Security policies

A policy belongs to one from-zone/to-zone pair and has a name; its match clauses name address-book entries of the two zones and an application, and its then clause gives the action. The address abc must exist in the green address book and public in the red one:

user@host# set security policies from-zone green to-zone red policy abctopublic match source-address abc
user@host# set security policies from-zone green to-zone red policy abctopublic match destination-address public
user@host# set security policies from-zone green to-zone red policy abctopublic match application junos-ssh
user@host# set security policies from-zone green to-zone red policy abctopublic then permit

Example: defining security policies

1. Set interfaces:

user@host# set interfaces ge-0/0/1 unit 0 family inet address 10.1.1.1/24
user@host# set interfaces ge-0/0/2 unit 0 family inet address 1.2.2.1/24
user@host# set interfaces ge-0/0/3 unit 0 family inet address 1.1.1.1/24
user@host# set security zones security-zone internal interfaces ge-0/0/1.0
user@host# set security zones security-zone dmz interfaces ge-0/0/2.0
user@host# set security zones security-zone external interfaces ge-0/0/3.0

2. Configure addresses:

user@host# set security zones security-zone internal address-book address corp_net 10.1.1.0/24
user@host# set security zones security-zone dmz address-book address mail_svr 1.2.2.5/32
user@host# set security zones security-zone external address-book address r-mail_svr 2.2.2.5/32

3. Configure application sets. MAIL-POP3 is a user-defined application set built from the predefined junos-mail and junos-pop3 applications:

user@host# set applications application-set MAIL-POP3 application junos-mail
user@host# set applications application-set MAIL-POP3 application junos-pop3

4. Create policies. In shorthand (source, destination, application, action) they are: corp_net -> mail_svr MAIL-POP3 permit; mail_svr -> r-mail_svr MAIL permit; r-mail_svr -> mail_svr MAIL permit, where MAIL stands for the predefined mail application, junos-mail. Written out as set commands (policy names chosen here):

user@host# set security policies from-zone internal to-zone dmz policy corp-to-mail match source-address corp_net
user@host# set security policies from-zone internal to-zone dmz policy corp-to-mail match destination-address mail_svr
user@host# set security policies from-zone internal to-zone dmz policy corp-to-mail match application MAIL-POP3
user@host# set security policies from-zone internal to-zone dmz policy corp-to-mail then permit
user@host# set security policies from-zone dmz to-zone external policy mail-out match source-address mail_svr
user@host# set security policies from-zone dmz to-zone external policy mail-out match destination-address r-mail_svr
user@host# set security policies from-zone dmz to-zone external policy mail-out match application junos-mail
user@host# set security policies from-zone dmz to-zone external policy mail-out then permit
user@host# set security policies from-zone external to-zone dmz policy mail-in match source-address r-mail_svr
user@host# set security policies from-zone external to-zone dmz policy mail-in match destination-address mail_svr
user@host# set security policies from-zone external to-zone dmz policy mail-in match application junos-mail
user@host# set security policies from-zone external to-zone dmz policy mail-in then permit

Only the remote mail server is allowed to reach the DMZ mail server from outside, and only on the mail application; everything else from external is caught by the default deny.

5. If you are finished configuring the device, commit the configuration.

Security policy applications

Defining an application set. Every member must be an existing application, either a predefined junos-* one or a custom one defined under applications application:

user@host# set applications application-set WebMailApps application smtp
user@host# set applications application-set WebMailApps application http
user@host# set applications application-set WebMailApps application https
user@host# set applications application-set WebMailApps application POPS

Custom applications. A custom application is defined by protocol and port range, here TCP to port 23000 from any source port, plus an inactivity timeout of 30 seconds after which an idle session is removed from the session table:

user@host# set applications application cust-telnet protocol tcp source-port 1-65535 destination-port 23000-23000
user@host# set applications application cust-telnet inactivity-timeout 30
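To make the matching rules concrete, the following added example (not code from the original page or from Juniper) builds a small model of address books, address sets, custom applications and application sets from set commands and evaluates a session the way the SRX does: policies of a zone pair in configured order, first match wins, default deny when nothing matches. The configuration is constructed in the shape of the example above; PREDEFINED_APPS is a three-entry stand-in for the junos-* applications used, and the extra web_svr address, dmz_hosts set and admin/block policies are added so that address sets and policy ordering are both exercised.

```python
"""First-match evaluation of SRX security policies against a sample session.

Junos evaluates the policies of a from-zone/to-zone pair in configured order;
the first policy whose source-address, destination-address and application all
match decides the session, and if none matches the default policy applies
(deny-all unless changed). Address names resolve in the address book of the
zone they are used in; applications may be predefined junos-* entries, custom
applications or application-sets.
"""
import ipaddress
from collections import defaultdict

# Stand-in for the predefined junos-* applications referenced below
# (protocol and destination port as Junos defines them).
PREDEFINED_APPS = {
    "junos-mail": {"protocol": "tcp", "destination-port": "25-25"},
    "junos-pop3": {"protocol": "tcp", "destination-port": "110-110"},
    "junos-ssh": {"protocol": "tcp", "destination-port": "22-22"},
}

# Constructed sample configuration in the shape of the commands above.
SAMPLE_CONFIG = """
set security zones security-zone internal address-book address corp_net 10.1.1.0/24
set security zones security-zone dmz address-book address mail_svr 1.2.2.5/32
set security zones security-zone dmz address-book address web_svr 1.2.2.6/32
set security zones security-zone dmz address-book address-set dmz_hosts address mail_svr
set security zones security-zone dmz address-book address-set dmz_hosts address web_svr
set applications application cust-telnet protocol tcp source-port 1-65535 destination-port 23000-23000
set applications application cust-telnet inactivity-timeout 30
set applications application-set MAIL-POP3 application junos-mail
set applications application-set MAIL-POP3 application junos-pop3
set security policies from-zone internal to-zone dmz policy mail match source-address corp_net
set security policies from-zone internal to-zone dmz policy mail match destination-address mail_svr
set security policies from-zone internal to-zone dmz policy mail match application MAIL-POP3
set security policies from-zone internal to-zone dmz policy mail then permit
set security policies from-zone internal to-zone dmz policy admin match source-address corp_net
set security policies from-zone internal to-zone dmz policy admin match destination-address dmz_hosts
set security policies from-zone internal to-zone dmz policy admin match application cust-telnet
set security policies from-zone internal to-zone dmz policy admin then permit
set security policies from-zone internal to-zone dmz policy block match source-address any
set security policies from-zone internal to-zone dmz policy block match destination-address any
set security policies from-zone internal to-zone dmz policy block match application any
set security policies from-zone internal to-zone dmz policy block then deny
"""


class SrxPolicyModel:
    def __init__(self, config):
        self.addresses = defaultdict(dict)       # zone -> name -> [ip_network]
        self.apps = {k: dict(v) for k, v in PREDEFINED_APPS.items()}
        self.app_sets = defaultdict(list)        # set name -> member names
        self.policies = defaultdict(dict)        # (from, to) -> name -> fields, in order
        for line in config.strip().splitlines():
            self._load(line.split())

    def _load(self, t):
        if t[1:4] == ["security", "zones", "security-zone"] and t[5:6] == ["address-book"]:
            book = self.addresses[t[4]]
            if t[6] == "address":
                book[t[7]] = [ipaddress.ip_network(t[8], strict=False)]
            else:                                # address-set NAME address MEMBER
                book.setdefault(t[7], []).extend(book[t[9]])
        elif t[1:3] == ["applications", "application"]:
            self.apps.setdefault(t[3], {}).update(zip(t[4::2], t[5::2]))
        elif t[1:3] == ["applications", "application-set"]:
            self.app_sets[t[3]].append(t[5])
        elif t[1:3] == ["security", "policies"]:
            pol = self.policies[(t[4], t[6])].setdefault(t[8], {})
            pol[t[10] if t[9] == "match" else "then"] = t[11] if t[9] == "match" else t[10]

    def _addr_match(self, zone, name, ip):
        return name == "any" or any(ip in net for net in self.addresses[zone][name])

    def _app_match(self, name, proto, dport):
        if name == "any":
            return True
        if name in self.app_sets:
            return any(self._app_match(m, proto, dport) for m in self.app_sets[name])
        app = self.apps[name]
        lo, hi = (int(p) for p in app["destination-port"].split("-"))
        return app["protocol"] == proto and lo <= dport <= hi

    def evaluate(self, from_zone, to_zone, src, dst, proto, dport):
        """Return (policy name, action) for the first matching policy."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for name, pol in self.policies[(from_zone, to_zone)].items():
            if (self._addr_match(from_zone, pol["source-address"], src)
                    and self._addr_match(to_zone, pol["destination-address"], dst)
                    and self._app_match(pol["application"], proto, dport)):
                return name, pol["then"]
        return "default-policy", "deny"          # Junos factory default: deny-all


if __name__ == "__main__":
    model = SrxPolicyModel(SAMPLE_CONFIG)
    print(model.evaluate("internal", "dmz", "10.1.1.20", "1.2.2.5", "tcp", 110))
    print(model.evaluate("internal", "dmz", "10.1.1.20", "1.2.2.6", "tcp", 110))
    print(model.evaluate("dmz", "internal", "1.2.2.5", "10.1.1.20", "tcp", 25))
```

The third call shows the point that matters operationally: the dmz-to-internal pair has no policies at all, so the reply-direction traffic of a server-initiated connection is dropped by the default policy even though the forward direction is permitted; a policy only covers sessions initiated in its from-zone.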

Configuring pass-through authentication

Pass-through firewall user authentication occurs when a client tries to reach a destination in another zone using FTP, Telnet or HTTP. The firewall intercepts the session and acts as an FTP, Telnet or HTTP server so that it can authenticate the user first; only after successful authentication is the connection allowed through to the real FTP, Telnet or HTTP server behind the firewall. All three protocols carry the firewall-user password in cleartext, so the client-side segment has to be trusted.

1. Create IP addresses for the device interfaces:

user@host# set interfaces ge-0/0/1 unit 0 family inet address 20.20.20.1/24
user@host# set interfaces ge-0/0/1 unit 0 family inet address 20.20.20.2/24
user@host# set interfaces ge-5/0/0 unit 0 family inet address 30.30.30.1/24
user@host# set interfaces ge-5/0/0 unit 0 family inet address 30.30.30.2/24

2. Create the FWAUTH access profile with the user FWClient1 and the password pwd (a local password database; in production point the profile at RADIUS or LDAP rather than keeping firewall-user passwords on the box):

user@host# set access profile FWAUTH client FWClient1 firewall-user password pwd

3. Make FWAUTH the default profile for pass-through firewall authentication:

user@host# set access firewall-authentication pass-through default-profile FWAUTH

4. Define a success banner for Telnet sessions:

user@host# set access firewall-authentication pass-through telnet banner success "WELCOME TO JUNIPER TELNET SESSION"

5. Create security zones:

user@host# set security zones security-zone UT-ZONE host-inbound-traffic system-services all
user@host# set security zones security-zone UT-ZONE interfaces ge-0/0/1.0 host-inbound-traffic protocols all
user@host# set security zones security-zone T-ZONE host-inbound-traffic system-services all
user@host# set security zones security-zone T-ZONE interfaces ge-5/0/0.0 host-inbound-traffic protocols all

6. Create the policy1 security policy between the zones and make it require pass-through authentication. Without firewall-authentication in the then clause the policy simply permits Telnet with no authentication at all:

user@host# set security policies from-zone UT-ZONE to-zone T-ZONE policy policy1 match source-address any
user@host# set security policies from-zone UT-ZONE to-zone T-ZONE policy policy1 match destination-address any
user@host# set security policies from-zone UT-ZONE to-zone T-ZONE policy policy1 match application junos-telnet
user@host# set security policies from-zone UT-ZONE to-zone T-ZONE policy policy1 then permit firewall-authentication pass-through access-profile FWAUTH

7. Use Telnet to authenticate the FWClient1 firewall user to host2. The first prompt is served by the firewall; the login prompt that follows the banner comes from the real host:

regress@FWClient1# run telnet 30.30.30.2
Trying 30.30.30.2...
Connected to 30.30.30.2.
Escape character is '^]'.
Firewall User Authentication
Username: FWClient1
Password:***
WELCOME TO JUNIPER TELNET SESSION
Host1 (ttyp0)
login: regress
Password:
--- JUNOS 8.5R1.1 built 2007-10-12 13:30:18 UTC
%

Virtual private networks

Route-based VPN (SRX side)

1. Assign IP addresses to the private LAN interface, the public interface and the secure tunnel (st0) interface:

set interfaces ge-0/0/0 unit 0 family inet address 10.10.10.1/24
set interfaces ge-0/0/3 unit 0 family inet address 1.1.1.2/30
set interfaces st0 unit 0 family inet address 10.11.11.10/24

2. Configure the default route and the route to the remote network through the tunnel interface:

set routing-options static route 0.0.0.0/0 next-hop 1.1.1.1
set routing-options static route 192.168.168.0/24 next-hop st0.0

3. Configure security zones and assign the interfaces. st0.0 goes into its own vpn zone so that tunnel traffic can be policed separately from the Internet-facing zone:

set security zones security-zone trust interfaces ge-0/0/0.0
set security zones security-zone untrust interfaces ge-0/0/3.0
set security zones security-zone vpn interfaces st0.0

4. Assign host-inbound services to each zone. untrust needs only ike for the tunnel to come up; other services can be enabled if really needed:

set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic system-services ike

5. Define address-book entries in the zones:

set security zones security-zone trust address-book address local-net 10.10.10.0/24
set security zones security-zone vpn address-book address remote-net 192.168.168.0/24

6. Configure the IKE policy:

set security ike policy ike-policy1 mode main
set security ike policy ike-policy1 proposal-set standard
set security ike policy ike-policy1 pre-shared-key ascii-text "secretkey"

The standard proposal set contains the preshared-group2-3des-sha1 and preshared-group2-aes128-sha1 proposals; custom proposals can be defined instead. Both rely on 1024-bit DH group 2 and one on 3DES, so on current code define an explicit proposal with AES and DH group 14 or higher.

7. Configure the IKE gateway (Phase 1):

set security ike gateway ike-gate ike-policy ike-policy1
set security ike gateway ike-gate address 2.2.2.2
set security ike gateway ike-gate external-interface ge-0/0/3.0

8. Configure the IPsec policy:

set security ipsec policy vpn-policy1 proposal-set standard

9. Configure the IPsec VPN and bind it to the st0.0 interface:

set security ipsec vpn ike-vpn ike gateway ike-gate
set security ipsec vpn ike-vpn ike ipsec-policy vpn-policy1
set security ipsec vpn ike-vpn bind-interface st0.0

10. Configure the security policy for Internet traffic (source NAT to the egress interface address):

edit security policies from-zone trust to-zone untrust
## Entering from-zone "trust" to-zone "untrust" hierarchy
set policy any-permit match source-address any
set policy any-permit match destination-address any
set policy any-permit match application any
set policy any-permit then permit source-nat interface
exit

11. Configure security policies for tunnel traffic in both directions:

edit security policies from-zone trust to-zone vpn
## Entering from-zone "trust" to-zone "vpn" hierarchy
set policy vpn-tr-vpn match source-address local-net
set policy vpn-tr-vpn match destination-address remote-net
set policy vpn-tr-vpn match application any
set policy vpn-tr-vpn then permit
exit

edit security policies from-zone vpn to-zone trust
## Entering from-zone "vpn" to-zone "trust" hierarchy
set policy vpn-vpn-tr match source-address remote-net
set policy vpn-vpn-tr match destination-address local-net
set policy vpn-vpn-tr match application any
set policy vpn-vpn-tr then permit
exit

12. Clamp the TCP MSS of sessions entering the tunnel so that ESP overhead does not push packets over the path MTU and cause fragmentation:

set security flow tcp-mss ipsec-vpn mss 1350

SSG5 configuration (ScreenOS peer)

set zone name "VPN"
set interface ethernet0/6 zone "Trust"
set interface ethernet0/0 zone "Untrust"
set interface "tunnel.1" zone "VPN"
set interface ethernet0/6 ip 192.168.168.1/24
set interface ethernet0/6 route
set interface ethernet0/0 ip 2.2.2.2/30
set interface ethernet0/0 route
set interface tunnel.1 ip 10.11.11.11/24
set flow tcp-mss 1350
set address "Trust" "192.168.168-net" 192.168.168.0 255.255.255.0
set address "VPN" "10.10.10-net" 10.10.10.0 255.255.255.0
set ike gateway "corp-ike" address 1.1.1.2 Main outgoing-interface ethernet0/0 preshare "secretkey" sec-level standard
set vpn "corp-vpn" gateway "corp-ike" replay tunnel idletime 0 sec-level standard
set vpn "corp-vpn" monitor optimized rekey
set vpn "corp-vpn" bind interface tunnel.1
set policy from "Trust" to "Untrust" "ANY" "ANY" "ANY" nat src permit
set policy from "Trust" to "VPN" "192.168.168-net" "10.10.10-net" "ANY" permit
set policy from "VPN" to "Trust" "10.10.10-net" "192.168.168-net" "ANY" permit
set route 10.10.10.0/24 interface tunnel.1
set route 0.0.0.0/0 interface ethernet0/0 gateway 2.2.2.1

The pre-shared key, peer address, IKE mode and proposal set must agree on both ends: main mode and sec-level standard on the SSG correspond to mode main and proposal-set standard on the SRX.

IPsec VPN configuration

When configuring Phase 1 of an IPsec tunnel using IKE, you first configure proposals, then policies, and finally the gateway.

user@host# set security ike proposal ike_prop_1 description "new ike proposal"
user@host# set security ike proposal ike_prop_1 authentication-method pre-shared-keys
user@host# set security ike proposal ike_prop_1 dh-group group2
user@host# set security ike proposal ike_prop_1 authentication-algorithm md5
user@host# set security ike proposal ike_prop_1 encryption-algorithm 3des-cbc
user@host# set security ike proposal ike_prop_1 lifetime-seconds 300
user@host# set security ike policy ike_pol_1 mode aggressive
user@host# set security ike policy ike_pol_1 description "new ike policy"
user@host# set security ike policy ike_pol_1 proposals ike_prop_1
user@host# set security ike policy ike_pol_1 pre-shared-key ascii-text "$9$UQiqf36A1RSTzRSreXxDik.Tzn/CuBI"
user@host# show security ike policy ike_pol_1
user@host# set security ike gateway ike_gateway_1 ike-policy ike_pol_1
user@host# set security ike gateway ike_gateway_1 address 1.1.1.2
user@host# set security ike gateway ike_gateway_1 dead-peer-detection interval 10
user@host# set security ike gateway ike_gateway_1 dead-peer-detection threshold 5
user@host# set security ike gateway ike_gateway_1 external-interface ge-0/0/0
user@host# show security ike gateway ike_gateway_1

The $9$ strings are Junos-obfuscated secrets as displayed by show, not the cleartext key. The algorithm choices shown (MD5, 3DES-CBC, DH group 2, aggressive mode with a pre-shared key) are weak by current standards: aggressive mode sends the initiator identity and a PSK-derived hash before encryption is established, which lets a passive observer attempt offline guessing of the PSK, and MD5, 3DES and 1024-bit DH are deprecated. On current code use main mode (or IKEv2) with AES, SHA-2 and DH group 14 or higher. With dead-peer-detection interval 10 and threshold 5, a peer that stops answering is declared dead after five unanswered probes, about 50 seconds.

When configuring Phase 2 of an IPsec tunnel, you first configure proposals, then policies, and finally the AutoKey IKE VPN.

user@host# set security ipsec proposal ipsec_prop_1 description "new ipsec proposal"
user@host# set security ipsec proposal ipsec_prop_1 protocol esp
user@host# set security ipsec proposal ipsec_prop_1 authentication-algorithm hmac-md5-96
user@host# set security ipsec proposal ipsec_prop_1 encryption-algorithm 3des-cbc
user@host# set security ipsec proposal ipsec_prop_1 lifetime-seconds 1800
user@host# show security ipsec proposal ipsec_prop_1
user@host# set security ipsec policy ipsec_pol_1 description "new ipsec policy"
user@host# set security ipsec policy ipsec_pol_1 perfect-forward-secrecy keys group2
user@host# set security ipsec policy ipsec_pol_1 proposals ipsec_prop_1
user@host# set security ipsec vpn vpn_1 bind-interface st0.0
user@host# set security ipsec vpn vpn_1 ike gateway ike_gateway_1
user@host# set security ipsec vpn vpn_1 ike ipsec-policy ipsec_pol_1
user@host# set security ike respond-bad-spi 5
user@host# set security ipsec vpn-monitor-options interval 15 threshold 15

respond-bad-spi limits how many invalid-SPI packets the device will respond to per gateway, which helps recover from a peer that rebooted and lost its SAs; vpn-monitor-options sets the global probe interval and failure threshold for VPN monitoring.
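Reviewing Phase 1 and Phase 2 settings by eye is error-prone once there are several proposals, so here is an added example (not code from the original page or from Juniper) that lints IKE/IPsec proposals and policies from set commands and reports the weaknesses discussed above; the hub-and-spoke configuration that follows uses the same algorithms and is covered by the same checks. The sample configuration is constructed from the commands above plus a hardened second set of objects so that a clean result is also shown; the strength thresholds (SHA-2, AES, DH group 14 or higher, PFS present) are this example's choice, not a Junos requirement.

```python
"""Lint IKE/IPsec proposal and policy settings taken from SRX set commands.

Findings encode what a reviewer flags in the Phase 1 / Phase 2 commands above:
MD5 and 3DES are obsolete, DH groups 1/2/5 are below current minimums,
aggressive mode exposes the initiator identity and a PSK-derived hash before
encryption, and an IPsec policy without perfect-forward-secrecy lets a
compromised IKE SA key expose every child SA derived from it.
"""
import re

WEAK_INTEGRITY = {"md5", "hmac-md5-96", "sha1", "hmac-sha1-96"}
WEAK_CIPHERS = {"des-cbc", "3des-cbc"}
WEAK_DH = {"group1", "group2", "group5"}

# Constructed sample: the weak objects from the commands above plus a hardened
# counterpart (ike_prop_2 / ike_pol_2 / ipsec_prop_2 / ipsec_pol_2).
SAMPLE_CONFIG = """
set security ike proposal ike_prop_1 authentication-method pre-shared-keys
set security ike proposal ike_prop_1 dh-group group2
set security ike proposal ike_prop_1 authentication-algorithm md5
set security ike proposal ike_prop_1 encryption-algorithm 3des-cbc
set security ike policy ike_pol_1 mode aggressive
set security ike policy ike_pol_1 proposals ike_prop_1
set security ipsec proposal ipsec_prop_1 protocol esp
set security ipsec proposal ipsec_prop_1 authentication-algorithm hmac-md5-96
set security ipsec proposal ipsec_prop_1 encryption-algorithm 3des-cbc
set security ipsec policy ipsec_pol_1 proposals ipsec_prop_1
set security ike proposal ike_prop_2 authentication-method pre-shared-keys
set security ike proposal ike_prop_2 dh-group group14
set security ike proposal ike_prop_2 authentication-algorithm sha-256
set security ike proposal ike_prop_2 encryption-algorithm aes-256-cbc
set security ike policy ike_pol_2 mode main
set security ike policy ike_pol_2 proposals ike_prop_2
set security ipsec proposal ipsec_prop_2 protocol esp
set security ipsec proposal ipsec_prop_2 encryption-algorithm aes-256-gcm
set security ipsec policy ipsec_pol_2 perfect-forward-secrecy keys group14
set security ipsec policy ipsec_pol_2 proposals ipsec_prop_2
"""

LINE = re.compile(
    r"^set security (?P<fam>ike|ipsec) (?P<kind>proposal|policy) (?P<name>\S+) "
    r"(?P<key>\S+)(?: (?P<val>.+))?$"
)


def parse(config):
    """Map (family, kind, name) -> {attribute: value} for proposals and policies."""
    objs = {}
    for raw in config.strip().splitlines():
        m = LINE.match(raw.strip())
        if m:
            fam, kind, name, key, val = m.groups()
            objs.setdefault((fam, kind, name), {})[key] = val
    return objs


def lint(config):
    """Return a sorted list of (object label, finding code)."""
    findings = []
    for (fam, kind, name), attrs in parse(config).items():
        label = f"{fam} {kind} {name}"
        if kind == "proposal":
            integ = attrs.get("authentication-algorithm")
            if integ in WEAK_INTEGRITY:
                findings.append((label, "weak-integrity:" + integ))
            cipher = attrs.get("encryption-algorithm")
            if cipher in WEAK_CIPHERS:
                findings.append((label, "weak-cipher:" + cipher))
            if fam == "ike" and attrs.get("dh-group") in WEAK_DH:
                findings.append((label, "weak-dh:" + attrs["dh-group"]))
        elif fam == "ike":                       # IKE policy
            if attrs.get("mode") == "aggressive":
                findings.append((label, "aggressive-mode"))
        else:                                    # IPsec policy
            pfs = attrs.get("perfect-forward-secrecy")
            if pfs is None:
                findings.append((label, "no-pfs"))
            elif pfs.split()[-1] in WEAK_DH:
                findings.append((label, "weak-pfs:" + pfs.split()[-1]))
    return sorted(findings)


if __name__ == "__main__":
    for label, code in lint(SAMPLE_CONFIG):
        print(f"{label}: {code}")
```

The hardened objects produce no findings; the four objects taken from the page produce seven. Note that the linter checks attributes as configured and does not know which proposal an IKE policy actually references, so a weak proposal that is defined but never used is still reported.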

Hub-and-spoke VPN configuration

To configure the hub in a hub-and-spoke VPN:

1. Configure Phase 1 of the IPsec tunnel:

a. Configure IKE Phase 1 proposals (one per spoke):

user@host# set security ike proposal first_ikeprop authentication-method pre-shared-keys
user@host# set security ike proposal first_ikeprop dh-group group2
user@host# set security ike proposal first_ikeprop authentication-algorithm md5
user@host# set security ike proposal first_ikeprop encryption-algorithm 3des-cbc
user@host# set security ike proposal third_ikeprop authentication-method pre-shared-keys
user@host# set security ike proposal third_ikeprop dh-group group2
user@host# set security ike proposal third_ikeprop authentication-algorithm md5
user@host# set security ike proposal third_ikeprop encryption-algorithm 3des-cbc

b. Configure IKE policies (and reference the proposals):

user@host# set security ike policy first_ikepol mode main
user@host# set security ike policy first_ikepol proposals first_ikeprop
user@host# set security ike policy first_ikepol pre-shared-key ascii-text "$9$xFU-b2ZUH5Qn4aQn/CB17-V"
user@host# set security ike policy third_ikepol mode main
user@host# set security ike policy third_ikepol proposals third_ikeprop
user@host# set security ike policy third_ikepol pre-shared-key ascii-text "$9$GvjkPFnCBIc5QIcylLXUjH"

c. Configure the IKE gateways (and reference the policies); each spoke gets its own gateway and pre-shared key, so compromising one spoke does not reveal the others' keys:

user@host# set security ike gateway first ike-policy first_ikepol
user@host# set security ike gateway first address 4.4.4.2
user@host# set security ike gateway first external-interface ge-0/0/0.0
user@host# set security ike gateway third ike-policy third_ikepol
user@host# set security ike gateway third address 2.2.2.1
user@host# set security ike gateway third external-interface ge-0/0/3.0

2. Configure Phase 2 of the IPsec tunnel:

a. Configure Phase 2 proposals:

user@host# set security ipsec proposal first_ipsecprop protocol esp
user@host# set security ipsec proposal first_ipsecprop authentication-algorithm hmac-md5-96
user@host# set security ipsec proposal first_ipsecprop encryption-algorithm 3des-cbc
user@host# set security ipsec proposal third_ipsecprop protocol esp
user@host# set security ipsec proposal third_ipsecprop authentication-algorithm hmac-md5-96
user@host# set security ipsec proposal third_ipsecprop encryption-algorithm 3des-cbc

b. Configure IPsec policies (and reference the proposals):

user@host# set security ipsec policy first_ipsecpol perfect-forward-secrecy keys group1
user@host# set security ipsec policy first_ipsecpol proposals first_ipsecprop
user@host# set security ipsec policy third_ipsecpol perfect-forward-secrecy keys group1
user@host# set security ipsec policy third_ipsecpol proposals third_ipsecprop

c. Configure AutoKey IKE (and reference the policy and gateway). Both VPNs bind to the same st0.0, which is why that interface is made multipoint in step 5:

user@host# set security ipsec vpn first_vpn bind-interface st0.0
user@host# set security ipsec vpn first_vpn ike gateway first
user@host# set security ipsec vpn first_vpn ike ipsec-policy first_ipsecpol
user@host# set security ipsec vpn first_vpn establish-tunnels immediately
user@host# set security ipsec vpn third_vpn bind-interface st0.0
user@host# set security ipsec vpn third_vpn ike gateway third
user@host# set security ipsec vpn third_vpn ike ipsec-policy third_ipsecpol
user@host# set security ipsec vpn third_vpn establish-tunnels immediately

3. Configure the security policy:

user@host# set security policies default-policy permit-all

permit-all switches off policy enforcement for every zone pair and is only acceptable in a lab; in production leave the default at deny-all and write explicit policies between the hub's LAN zone and the zone holding st0.0. The MD5/3DES/group 1 choices above carry the same caveat as in the previous section.

4. Configure routing options (the spoke LANs are reached through the tunnel interface):

user@host# set routing-options static route 1.1.1.0/24 next-hop st0.0
user@host# set routing-options static route 3.1.1.0/24 next-hop st0.0

5. Enable next-hop tunnel binding (NHTB) by making st0.0 a multipoint interface, so that a route pointing at st0.0 is resolved to the correct spoke's tunnel:

user@host# set interfaces st0 unit 0 multipoint

Configuring spoke 1 in a hub-and-spoke VPN

1. Configure Phase 1 of the IPsec tunnel:

a. Configure IKE Phase 1 proposals:

user@host# set security ike proposal ike_prop authentication-method pre-shared-keys
user@host# set security ike proposal ike_prop dh-group group2
user@host# set security ike proposal ike_prop authentication-algorithm md5
user@host# set security ike proposal ike_prop encryption-algorithm 3des-cbc

b. Configure IKE policies (and reference the proposals):

user@host# set security ike policy ike_pol mode main
user@host# set security ike policy ike_pol proposals ike_prop
user@host# set security ike policy ike_pol pre-shared-key ascii-text "$9$vA38xd24Zk.5bs.5QFAtM8X"

c. Configure the IKE gateway (and reference the policy); the peer address is the hub's:

user@host# set security ike gateway first ike-policy ike_pol
user@host# set security ike gateway first address 4.4.4.1
user@host# set security ike gateway first external-interface fe-2/0/0.0

2. Configure Phase 2 of the IPsec tunnel:

a. Configure Phase 2 proposals:

user@host# set security ipsec proposal ipsec_prop protocol esp
user@host# set security ipsec proposal ipsec_prop authentication-algorithm hmac-md5-96
user@host# set security ipsec proposal ipsec_prop encryption-algorithm 3des-cbc

b. Configure IPsec policies (and reference the proposals):

user@host# set security ipsec policy ipsec_pol perfect-forward-secrecy keys group1
user@host# set security ipsec policy ipsec_pol proposals ipsec_prop

c. Configure AutoKey IKE (and reference the policy and gateway):

user@host# set security ipsec vpn first_vpn bind-interface st0.0
user@host# set security ipsec vpn first_vpn ike gateway first
user@host# set security ipsec vpn first_vpn ike ipsec-policy ipsec_pol

3. Configure the security policy (lab only, see the note on permit-all above):

user@host# set security policies default-policy permit-all

4. Configure routing options:

user@host# set routing-options static route 1.1.1.0/24 next-hop 7.7.7.1

Configuring spoke 2 in a hub-and-spoke VPN

1. Configure Phase 1 of the IPsec tunnel:

a. Configure IKE Phase 1 proposals:

user@host# set security ike proposal ike_prop authentication-method pre-shared-keys
user@host# set security ike proposal ike_prop dh-group group2
user@host# set security ike proposal ike_prop authentication-algorithm md5
user@host# set security ike proposal ike_prop encryption-algorithm 3des-cbc

b. Configure IKE policies (and reference the proposals):

user@host# set security ike policy ike_pol mode main
user@host# set security ike policy ike_pol proposals ike_prop
user@host# set security ike policy ike_pol pre-shared-key ascii-text "$9$JrUi.QF/0BEP5BEcyW8ZUj"

c. Configure the IKE gateway (and reference the policy):

user@host# set security ike gateway third ike-policy ike_pol
user@host# set security ike gateway third address 2.2.2.2
user@host# set security ike gateway third external-interface ge-0/0/3.0

2. Configure Phase 2 of the IPsec tunnel:

a. Configure Phase 2 proposals:

user@host# set security ipsec proposal ipsec_prop protocol esp
user@host# set security ipsec proposal ipsec_prop authentication-algorithm hmac-md5-96
user@host# set security ipsec proposal ipsec_prop encryption-algorithm 3des-cbc

b. Configure IPsec policies (and reference the proposals):

user@host# set security ipsec policy ipsec_pol perfect-forward-secrecy keys group1
user@host# set security ipsec policy ipsec_pol proposals ipsec_prop

c. Configure AutoKey IKE (and reference the policy and gateway):

user@host# set security ipsec vpn first_vpn bind-interface st0.0
user@host# set security ipsec vpn first_vpn ike gateway third
user@host# set security ipsec vpn first_vpn ike ipsec-policy ipsec_pol

3. Configure the security policy (lab only):

user@host# set security policies default-policy permit-all

4. Configure routing options:

user@host# set routing-options static route 3.1.1.0/24 next-hop 7.7.7.1

Dynamic VPNs

Creating a dynamic VPN client configuration. remote-protected-resources are the prefixes the client sends through the tunnel, remote-exceptions are carved out of them, ipsec-vpn names the VPN defined under security ipsec vpn, and user lists the accounts allowed to use this configuration:

user@host# set security dynamic-vpn clients config1 remote-protected-resources 10.100.100.0/24
user@host# set security dynamic-vpn clients config1 remote-exceptions [ 0.0.0.0/0 1.1.1.1/24 0.0.0.0/32 ]
user@host# set security dynamic-vpn clients config1 ipsec-vpn ipsec-config
user@host# set security dynamic-vpn clients config1 user [ johndoe janedoe ]

Configuring dynamic VPN global client download settings (force-upgrade makes clients with an older software version update before they can connect):

user@host# set security dynamic-vpn clients remote-users
user@host# set security dynamic-vpn force-upgrade

SRX high availability design guide

Chassis cluster (JSRP) active/standby

1. Enable clustering in active/standby mode. These are operational-mode commands, run once on each node; both nodes reboot into cluster mode:

On node 0:
user@host> set chassis cluster cluster-id 1 node 0 reboot

On node 1:
user@host> set chassis cluster cluster-id 1 node 1 reboot

2. Management interfaces. Node-specific configuration goes into the node0 and node1 groups, which each node applies to itself through ${node}:

user@host# set groups node0 system host-name SRX-A
user@host# set groups node0 interfaces fxp0 unit 0 family inet address 192.168.3.110/24
user@host# set groups node1 system host-name SRX-B
user@host# set groups node1 interfaces fxp0 unit 0 family inet address 192.168.3.111/24
user@host# set apply-groups "${node}"

3. Fabric interfaces (the data link between the nodes, used for session synchronisation and for forwarding traffic that enters one node and leaves the other):

user@host# set interfaces fab0 fabric-options member-interfaces ge-0/0/1
user@host# set interfaces fab1 fabric-options member-interfaces ge-4/0/1

4. Redundancy groups. reth-count sets the number of redundant Ethernet (reth) interfaces; a reth is similar to an ae interface whose member links sit on different nodes. With heartbeat-interval 1000 ms and heartbeat-threshold 3, a node is declared down after three missed heartbeats:

user@host# set chassis cluster reth-count 2
user@host# set chassis cluster heartbeat-interval 1000
user@host# set chassis cluster heartbeat-threshold 3
user@host# set chassis cluster node 0
user@host# set chassis cluster node 1
user@host# set chassis cluster redundancy-group 0 node 0 priority 100
user@host# set chassis cluster redundancy-group 0 node 1 priority 1
user@host# set chassis cluster redundancy-group 1 node 0 priority 100
user@host# set chassis cluster redundancy-group 1 node 1 priority 1
user@host# set chassis cluster redundancy-group 1 interface-monitor fe-1/0/0 weight 255
user@host# set chassis cluster redundancy-group 1 interface-monitor fe-5/0/0 weight 255
user@host# set chassis cluster redundancy-group 1 interface-monitor ge-0/0/0 weight 255
user@host# set chassis cluster redundancy-group 1 interface-monitor ge-4/0/0 weight 255

Redundancy group 0 (the control plane) is always present and needs no interface monitoring; monitor the interfaces that carry data traffic in group 1.

5. Redundant Ethernet interfaces:

user@host# set interfaces ge-0/0/0 gigether-options redundant-parent reth1
user@host# set interfaces ge-4/0/0 gigether-options redundant-parent reth1
user@host# set interfaces fe-1/0/0 fastether-options redundant-parent reth0
user@host# set interfaces fe-5/0/0 fastether-options redundant-parent reth0
user@host# set interfaces reth0 redundant-ether-options redundancy-group 1
user@host# set interfaces reth0 unit 0 family inet address 10.16.8.1/24
user@host# set interfaces reth1 redundant-ether-options redundancy-group 1
user@host# set interfaces reth1 unit 0 family inet address 1.2.0.233/24

6. Security zones:

user@host# set security zones security-zone Untrust interfaces reth1.0
user@host# set security zones security-zone Trust interfaces reth0.0

7. Security policies:

user@host# set security policies from-zone Trust to-zone Untrust policy ANY match source-address any
user@host# set security policies from-zone Trust to-zone Untrust policy ANY match destination-address any
user@host# set security policies from-zone Trust to-zone Untrust policy ANY match application any
user@host# set security policies from-zone Trust to-zone Untrust policy ANY then permit

Manual failover:

request chassis cluster failover redundancy-group 1 node 1
request chassis cluster failover reset redundancy-group 1

The first command forces group 1 onto node 1 regardless of priority; the second clears the manual failover so that group 1 is again placed according to the configured priorities.

SRX5800 cluster

The design guide covers four scenarios: "In this document we are going to cover the four most common high availability scenarios when deploying SRX: Active/Passive Simple Deployment, Active/Passive Full Mesh Deployment, Active/Active Deployment, Active/Passive Transparent Mode Deployment."

Basic active/passive SRX deployment scenario

Configuration steps:

1. Set each member's node number. cluster-id ranges from 1 to 15; 0 means the device is standalone:

SRX 5800-1: set chassis cluster cluster-id 1 node 0 reboot
SRX 5800-2: set chassis cluster cluster-id 1 node 1 reboot

2. Control ports. On the SRX5800 class the control ports must be specified explicitly; smaller platforms have dedicated control ports built in. On the SRX5800, node 1's FPC slots are numbered from 12, so fpc 13 is slot 1 of node 1:

set chassis cluster control-ports fpc 1 port 0
set chassis cluster control-ports fpc 13 port 0

3. Fabric (data) ports:

set interfaces fab0 fabric-options member-interfaces ge-11/3/0
set interfaces fab1 fabric-options member-interfaces ge-23/3/0

4. Node-specific configuration, including the out-of-band management port:

set groups node0
set groups node1
set groups node0 system host-name SRX5800-1
set groups node0 interfaces fxp0 unit 0 family inet address 10.3.5.1/24
set groups node0 system backup-router 10.3.5.2 destination 0.0.0.0/0
set groups node1 system host-name SRX5800-2
set groups node1 interfaces fxp0 unit 0 family inet address 10.3.5.2/24
set groups node1 system backup-router 10.3.5.2 destination 0.0.0.0/0
set apply-groups ${node}

backup-router is the gateway the Routing Engine uses for management reachability while it boots; it should point at the management-network gateway, whereas here both nodes point at 10.3.5.2, which is node 1's own fxp0 address.

5. Redundancy groups. Group 0 always covers the control plane (the Routing Engines); group 1 carries the data-plane interfaces. reth-count sets the number of redundant interfaces. In active/standby mode node 0 is always primary while it is healthy because it has the higher priority in both groups:

set chassis cluster reth-count 2
set chassis cluster redundancy-group 0 node 0 priority 100
set chassis cluster redundancy-group 0 node 1 priority 1
set chassis cluster redundancy-group 1 node 0 priority 100
set chassis cluster redundancy-group 1 node 1 priority 1

6. Redundant Ethernet interfaces:

set interfaces xe-6/0/0 gigether-options redundant-parent reth0
set interfaces xe-6/1/0 gigether-options redundant-parent reth1
set interfaces xe-18/0/0 gigether-options redundant-parent reth0
set interfaces xe-18/1/0 gigether-options redundant-parent reth1
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth0 unit 0 family inet address 1.1.1.1/24
set interfaces reth1 redundant-ether-options redundancy-group 1
set interfaces reth1 unit 0 family inet address 2.2.2.1/24

7. Interface monitoring. Each redundancy group starts with a threshold of 255 and a failed monitored interface subtracts its weight; with weight 255 a single failed link therefore triggers failover, and to require several links to fail before switching, use smaller weights so that only their sum reaches 255. Group 0 carries control traffic and is not monitored; only group 1 is. control-link-recovery lets the node that was disabled after a control-link failure rejoin the cluster automatically once the link is back:

set chassis cluster redundancy-group 1 interface-monitor xe-6/0/0 weight 255
set chassis cluster redundancy-group 1 interface-monitor xe-6/1/0 weight 255
set chassis cluster redundancy-group 1 interface-monitor xe-18/0/0 weight 255
set chassis cluster redundancy-group 1 interface-monitor xe-18/1/0 weight 255
set chassis cluster control-link-recovery

8. Zones and routing for the reth interfaces:

set security zones security-zone untrust interfaces reth0.0
set security zones security-zone trust interfaces reth1.0
set routing-options static route 0.0.0.0/0 next-hop 1.1.1.2
set routing-options static route 2.0.0.0/8 next-hop 2.2.2.2
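The weight/threshold arithmetic behind interface monitoring, used in both cluster configurations above, is small enough to model exactly, so here is an added example (not code from the original page or from Juniper) that computes each node's remaining threshold from the interface-monitor commands and decides which node holds the redundancy group after a set of links fail. The sample configuration is constructed from the group 1 commands above plus a hypothetical group 2 with weights of 128, and NODE_OF is an explicit interface-to-node map supplied by the example rather than derived from slot numbering; the rule that a group only moves when the primary's threshold reaches 0 while the other node's has not is the documented behaviour this example encodes.

```python
"""Model SRX chassis-cluster interface monitoring.

Each redundancy group (RG) starts at a threshold of 255 on each node. When a
monitored interface on a node goes down, its weight is subtracted from that
node's threshold for the RG; a node whose threshold reaches 0 drops to priority
0 for the RG, and the RG fails over if the current primary is at 0 and the
other node is not. Weight 255 therefore means any single monitored link failing
on the primary triggers failover, while weights of 128 require two.
"""
import re

THRESHOLD = 255

LINE = re.compile(
    r"^set chassis cluster redundancy-group (?P<rg>\d+) interface-monitor "
    r"(?P<ifd>\S+) weight (?P<w>\d+)$"
)

# Constructed sample: RG1 as configured above (weight 255 everywhere) and a
# hypothetical RG2 with halved weights, to show how the arithmetic changes.
SAMPLE_CONFIG = """
set chassis cluster redundancy-group 1 interface-monitor xe-6/0/0 weight 255
set chassis cluster redundancy-group 1 interface-monitor xe-6/1/0 weight 255
set chassis cluster redundancy-group 1 interface-monitor xe-18/0/0 weight 255
set chassis cluster redundancy-group 1 interface-monitor xe-18/1/0 weight 255
set chassis cluster redundancy-group 2 interface-monitor xe-6/0/0 weight 128
set chassis cluster redundancy-group 2 interface-monitor xe-6/1/0 weight 128
"""

# Which node each physical interface belongs to (xe-6/* on node 0, xe-18/* on
# node 1 in the configuration above); supplied explicitly by this example.
NODE_OF = {"xe-6/0/0": 0, "xe-6/1/0": 0, "xe-18/0/0": 1, "xe-18/1/0": 1}


def monitors(config):
    """Map RG number -> {interface: weight} from interface-monitor commands."""
    rgs = {}
    for raw in config.strip().splitlines():
        m = LINE.match(raw.strip())
        if m:
            rgs.setdefault(int(m["rg"]), {})[m["ifd"]] = int(m["w"])
    return rgs


def node_thresholds(config, rg, node_of, down):
    """Remaining threshold per node for rg after the interfaces in down fail."""
    weights = monitors(config)[rg]
    left = {0: THRESHOLD, 1: THRESHOLD}
    for ifd in down:
        if ifd in weights:                       # unmonitored links do not count
            node = node_of[ifd]
            left[node] = max(0, left[node] - weights[ifd])
    return left


def primary_after(config, rg, node_of, primary, down):
    """Node holding rg after the failures in down (0 or 1)."""
    left = node_thresholds(config, rg, node_of, down)
    other = 1 - primary
    # Fail over only if the primary is exhausted and the other node still has margin.
    return other if left[primary] == 0 and left[other] > 0 else primary


if __name__ == "__main__":
    for down in (["xe-6/0/0"], ["xe-18/0/0"], ["xe-6/0/0", "xe-18/0/0"]):
        print("RG1", down, "->", primary_after(SAMPLE_CONFIG, 1, NODE_OF, 0, down))
    for down in (["xe-6/0/0"], ["xe-6/0/0", "xe-6/1/0"]):
        print("RG2", down, "->", primary_after(SAMPLE_CONFIG, 2, NODE_OF, 0, down))
```

Two cases are worth noticing in the output: a link failing on the secondary does not move the group (node 0 keeps it), and when both nodes lose a weight-255 link there is no healthy node to move to, so the group stays where it is even though its primary has no monitored uplink left.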

EX8200 configuration (the switch on the trust side)

set interfaces xe-1/0/0 unit 0 family ethernet-switching port-mode access vlan members SRX5800
set interfaces xe-2/0/0 unit 0 family ethernet-switching port-mode access vlan members SRX5800
set interfaces vlan unit 50 family inet address 2.2.2.2/24
set vlans SRX5800 vlan-id 50
set vlans SRX5800 l3-interface vlan.50
set routing-options static route 0.0.0.0/0 next-hop 2.2.2.1

Both reth1 member links land in the same VLAN, so the active node's link is simply the one the switch learns the reth MAC address on.

MX240 configuration (the router on the untrust side)

set interfaces xe-1/0/0 encapsulation ethernet-bridge unit 0 family bridge
set interfaces xe-2/0/0 encapsulation ethernet-bridge unit 0 family bridge
set interfaces irb unit 0 family inet address 1.1.1.2/24
set routing-options static route 2.0.0.0/8 next-hop 1.1.1.1
set routing-options static route 0.0.0.0/0 next-hop (upstream router)
set bridge-domains SRX5800 vlan-id X (could be set to "none")
set bridge-domains SRX5800 domain-type bridge routing-interface irb.0
set bridge-domains SRX5800 domain-type bridge interface xe-1/0/0
set bridge-domains SRX5800 domain-type bridge interface xe-2/0/0

Active / Passive Full Mesh SRX Deployment Scenario

混杂full连接

SRX 5800-1: set chassis cluster cluster-id 1 node 0 reboot SRX 5800-2: set chassis cluster cluster-id 1 node 1 reboot

set chassis cluster control-ports fpc 1 port 0 set chassis cluster control-ports fpc 13 port 0

set interfaces fab0 fabric-options member-interfaces ge-11/3/0 set interfaces fab1 fabric-options member-interfaces ge-23/3/0

set groups node0 set groups node1

set groups node0 system host-name SRX5800-1

set groups node0 interfaces fxp0 unit 0 family inet address 10.3.5.1/24 set groups node0 system backup-router 10.3.5.2 destination 0.0.0.0/0 set groups node1 system host-name SRX5800-2

set groups node1 interfaces fxp0 unit 0 family inet address 10.3.5.2/24 set groups node1 system backup-router 10.3.5.2 destination 0.0.0.0/0 set apply-groups ${node}

set chassis cluster reth-count 4

set chassis cluster redundancy-group 0 node 0 priority 100 set chassis cluster redundancy-group 0 node 1 priority 1 set chassis cluster redundancy-group 1 node 0 priority 100 set chassis cluster redundancy-group 1 node 1 priority 1

set interfaces xe-6/0/0 gigether-options redundant-parent reth0 set interfaces xe-6/1/0 gigether-options redundant-parent reth1 set interfaces xe-6/2/0 gigether-options redundant-parent reth2 set interfaces xe-6/3/0 gigether-options redundant-parent reth3 set interfaces xe-18/0/0 gigether-options redundant-parent reth0 set interfaces xe-18/1/0 gigether-options redundant-parent reth1 set interfaces xe-18/2/0 gigether-options redundant-parent reth2 set interfaces xe-18/3/0 gigether-options redundant-parent reth3 set interfaces reth0 redundant-ether-options redundancy-group 1 set interfaces reth0 unit 0 family inet address 1.1.1.1/24

set interfaces reth1 redundant-ether-options redundancy-group 1 set interfaces reth1 unit 0 family inet address 2.2.2.1/24

set interfaces reth2 redundant-ether-options redundancy-group 1 set interfaces reth2 unit 0 family inet address 3.3.3.1/24

set interfaces reth3 redundant-ether-options redundancy-group 1 set interfaces reth3 unit 0 family inet address 4.4.4.1/24

set chassis cluster redundancy-group 1 interface-monitor xe-6/0/0 weight 255 set chassis cluster redundancy-group 1 interface-monitor xe-6/1/0 weight 255 set chassis cluster redundancy-group 1 interface-monitor xe-6/2/0 weight 255 set chassis cluster redundancy-group 1 interface-monitor xe-6/3/0 weight 255 set chassis cluster redundancy-group 1 interface-monitor xe-18/0/0 weight 255 set chassis cluster redundancy-group 1 interface-monitor xe-18/1/0 weight 255 set chassis cluster redundancy-group 1 interface-monitor xe-18/2/0 weight 255 set chassis cluster redundancy-group 1 interface-monitor xe-18/3/0 weight 255 set chassis cluster control-link-recovery

set security zones security-zone untrust interfaces reth0.0 set security zones security-zone untrust interfaces reth1.0 set security zones security-zone trust interfaces reth2.0 set security zones security-zone trust interfaces reth3.0 set protocols ospf area 0.0.0.0 interface reth0.0 set protocols ospf area 0.0.0.0 interface reth1.0 set protocols ospf area 0.0.0.0 interface reth2.0 set protocols ospf area 0.0.0.0 interface reth3.0

set routing-options graceful-restart

EX-8208-1

set interfaces xe-1/0/0 unit 0 family ethernet-switching port-mode access vlan members SRX5800-RETH0
set interfaces xe-2/0/0 unit 0 family ethernet-switching port-mode access vlan members SRX5800-RETH1
set interfaces xe-3/0/0 unit 0 family ethernet-switching port-mode trunk vlan members [SRX5800-RETH1 SRX5800-RETH0]
set interfaces vlan unit 50 family inet address 3.3.3.2/24
set interfaces vlan unit 60 family inet address 4.4.4.2/24
set vlans SRX5800-RETH0 vlan-id 50
set vlans SRX5800-RETH0 l3-interface vlan.50
set vlans SRX5800-RETH1 vlan-id 60
set vlans SRX5800-RETH1 l3-interface vlan.60
set protocols ospf area 0.0.0.0 interface vlan.50
set protocols ospf area 0.0.0.0 interface vlan.60
set routing-options graceful-restart
set protocols rstp interface all

EX-8208-2

set interfaces xe-1/0/0 unit 0 family ethernet-switching port-mode access vlan members SRX5800-RETH0
set interfaces xe-2/0/0 unit 0 family ethernet-switching port-mode access vlan members SRX5800-RETH1
set interfaces xe-3/0/0 unit 0 family ethernet-switching port-mode trunk vlan members [SRX5800-RETH1 SRX5800-RETH0]
set interfaces vlan unit 50 family inet address 3.3.3.250/24
set interfaces vlan unit 60 family inet address 4.4.4.250/24
set vlans SRX5800-RETH0 vlan-id 50
set vlans SRX5800-RETH0 l3-interface vlan.50
set vlans SRX5800-RETH1 vlan-id 60
set vlans SRX5800-RETH1 l3-interface vlan.60
set protocols ospf area 0.0.0.0 interface vlan.50
set protocols ospf area 0.0.0.0 interface vlan.60
set routing-options graceful-restart
set protocols rstp interface all

MX480 Configuration

MX480-1

set interfaces xe-1/0/0 encapsulation ethernet-bridge
set interfaces xe-1/0/0 unit 0 family bridge
set interfaces xe-2/0/0 encapsulation ethernet-bridge
set interfaces xe-2/0/0 unit 0 family bridge
set interfaces xe-3/0/0 encapsulation ethernet-bridge
set interfaces xe-3/0/0 unit 0 family bridge
set interfaces xe-4/0/0 encapsulation ethernet-bridge
set interfaces xe-4/0/0 unit 0 family bridge
set interfaces xe-5/0/0 unit 0 family bridge interface-mode trunk vlan-id-list [x y]
set interfaces irb unit 0 family inet address 1.1.1.2/24
set interfaces irb unit 1 family inet address 2.2.2.2/24
set routing-options static route 0.0.0.0/0 next-hop (upstream router)
set bridge-domains SRX5800-1 vlan-id X
set bridge-domains SRX5800-1 domain-type bridge
set bridge-domains SRX5800-1 routing-interface irb.0
set bridge-domains SRX5800-1 interface xe-1/0/0
set bridge-domains SRX5800-1 interface xe-2/0/0
set bridge-domains SRX5800-2 vlan-id Y
set bridge-domains SRX5800-2 domain-type bridge
set bridge-domains SRX5800-2 routing-interface irb.1
set bridge-domains SRX5800-2 interface xe-3/0/0
set bridge-domains SRX5800-2 interface xe-4/0/0
set protocols ospf area 0.0.0.0 interface irb.0
set protocols ospf area 0.0.0.0 interface irb.1
set routing-options graceful-restart

MX480-2

set interfaces xe-1/0/0 encapsulation ethernet-bridge
set interfaces xe-1/0/0 unit 0 family bridge
set interfaces xe-2/0/0 encapsulation ethernet-bridge
set interfaces xe-2/0/0 unit 0 family bridge
set interfaces xe-3/0/0 encapsulation ethernet-bridge
set interfaces xe-3/0/0 unit 0 family bridge
set interfaces xe-4/0/0 encapsulation ethernet-bridge
set interfaces xe-4/0/0 unit 0 family bridge
set interfaces xe-5/0/0 unit 0 family bridge interface-mode trunk vlan-id-list [x y]
set interfaces irb unit 0 family inet address 1.1.1.250/24
set interfaces irb unit 1 family inet address 2.2.2.250/24
set routing-options static route 0.0.0.0/0 next-hop (upstream router)
set bridge-domains SRX5800-1 vlan-id X
set bridge-domains SRX5800-1 domain-type bridge
set bridge-domains SRX5800-1 routing-interface irb.0
set bridge-domains SRX5800-1 interface xe-1/0/0
set bridge-domains SRX5800-1 interface xe-2/0/0
set bridge-domains SRX5800-2 vlan-id Y
set bridge-domains SRX5800-2 domain-type bridge
set bridge-domains SRX5800-2 routing-interface irb.1
set bridge-domains SRX5800-2 interface xe-3/0/0
set bridge-domains SRX5800-2 interface xe-4/0/0
set protocols ospf area 0.0.0.0 interface irb.0
set protocols ospf area 0.0.0.0 interface irb.1
set routing-options graceful-restart

Active / Active SRX Deployment Scenario

In A/A mode the data plane is active/active, but the control plane is still active/standby.

1 Configure the cluster ID and node IDs

SRX 5800-1: set chassis cluster cluster-id 1 node 0 reboot
SRX 5800-2: set chassis cluster cluster-id 1 node 1 reboot

2 Configure the control ports

set chassis cluster control-ports fpc 1 port 0
set chassis cluster control-ports fpc 13 port 0

3 Configure the fabric (data) links

set interfaces fab0 fabric-options member-interfaces xe-6/3/0
set interfaces fab1 fabric-options member-interfaces xe-18/3/0

4 Node-specific configuration (host name and fxp0 management interface)

set groups node0
set groups node1

set groups node0 system host-name SRX5800-1
set groups node0 interfaces fxp0 unit 0 family inet address 10.3.5.1/24
set groups node0 system backup-router 10.3.5.2 destination 0.0.0.0/0
set groups node1 system host-name SRX5800-2
set groups node1 interfaces fxp0 unit 0 family inet address 10.3.5.2/24
set groups node1 system backup-router 10.3.5.2 destination 0.0.0.0/0
set apply-groups ${node}

5 Redundancy groups (A/A mode uses two data redundancy groups)

set chassis cluster reth-count 2

set chassis cluster redundancy-group 0 node 0 priority 100
set chassis cluster redundancy-group 0 node 1 priority 1
set chassis cluster redundancy-group 1 node 0 priority 100
set chassis cluster redundancy-group 1 node 1 priority 1
set chassis cluster redundancy-group 2 node 0 priority 1
set chassis cluster redundancy-group 2 node 1 priority 100

6 Configure the redundant Ethernet (reth) interfaces

set interfaces xe-6/0/0 gigether-options redundant-parent reth0
set interfaces xe-6/1/0 gigether-options redundant-parent reth1
set interfaces xe-18/0/0 gigether-options redundant-parent reth0
set interfaces xe-18/1/0 gigether-options redundant-parent reth1
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth0 unit 0 family inet address 1.1.1.1/24
set interfaces reth1 redundant-ether-options redundancy-group 2
set interfaces reth1 unit 0 family inet address 2.2.2.1/24

7 ISP uplinks

set interfaces xe-6/2/0 unit 0 family inet address 3.3.3.1/24
set interfaces xe-18/2/0 unit 0 family inet address 4.4.4.1/24

8 Configure interface monitoring

set chassis cluster redundancy-group 1 interface-monitor xe-6/0/0 weight 255
set chassis cluster redundancy-group 1 interface-monitor xe-6/1/0 weight 255
set chassis cluster redundancy-group 1 interface-monitor xe-18/0/0 weight 255
set chassis cluster redundancy-group 1 interface-monitor xe-18/1/0 weight 255
set chassis cluster control-link-recovery

Configure zones

set security zones security-zone trust interfaces reth0.0
set security zones security-zone trust interfaces reth1.0
set security zones security-zone untrust interfaces xe-6/2/0.0
set security zones security-zone untrust interfaces xe-18/2/0.0

Configure routing

set routing-options static route 0.0.0.0/0 next-hop 3.3.3.2 preference 2
set protocols bgp group eBGP type external
set protocols bgp group eBGP neighbor 3.3.3.2 peer-as 65333
set protocols bgp group eBGP neighbor 4.4.4.2 peer-as 4
set protocols ospf area 0.0.0.0 interface reth0.0
set protocols ospf area 0.0.0.0 interface reth1.0
set routing-options graceful-restart
set routing-options autonomous-system 65111
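The interface-monitor weights in step 8 decide when redundancy group 1 moves between the two nodes. The following Python model is an added example, not Junos code and not part of the original page: it applies the rule that every redundancy group starts with a threshold of 255 on each node, that the weight of each monitored interface that goes down is subtracted from the threshold of the node that owns it, and that the group fails over once the primary node's threshold reaches 0. It assumes preempt is left at its default (off), so the group does not fail back when the link recovers, and it reuses the RG1 monitors from the configuration above with a configurable weight to show why weight 255 makes any single link failure trigger a failover.

```python
"""Model of SRX chassis-cluster interface monitoring and redundancy-group failover.

Added example (not Junos code). Threshold 255 per node, monitor weights subtracted
on link failure, failover when the primary's threshold hits 0, preempt assumed off.
"""

RG_THRESHOLD = 255


class RedundancyGroup:
    def __init__(self, priority, monitors):
        # priority: {node: configured priority}; the higher value wins the initial election
        # monitors: {interface: (owning node, weight)} from the interface-monitor statements
        self.priority = priority
        self.monitors = monitors
        self.down = set()
        self.primary = max(priority, key=priority.get)
        self.history = [self.primary]

    def threshold(self, node):
        """Remaining threshold of a node: 255 minus the weights of its failed monitored links."""
        lost = sum(w for ifname, (n, w) in self.monitors.items()
                   if n == node and ifname in self.down)
        return max(RG_THRESHOLD - lost, 0)

    def _reevaluate(self):
        # Failover only happens when the current primary's threshold is exhausted;
        # with preempt off, a healthier or higher-priority node does not take over by itself.
        if self.threshold(self.primary) > 0:
            return
        candidates = [n for n in self.priority
                      if n != self.primary and self.threshold(n) > 0]
        if candidates:
            self.primary = max(candidates, key=lambda n: self.priority[n])
            self.history.append(self.primary)

    def link_down(self, ifname):
        self.down.add(ifname)
        self._reevaluate()

    def link_up(self, ifname):
        self.down.discard(ifname)
        self._reevaluate()


def rg1_from_page(weight):
    """RG1 of the Active/Active scenario above, with a chosen monitor weight."""
    return RedundancyGroup(
        priority={"node0": 100, "node1": 1},
        monitors={"xe-6/0/0": ("node0", weight), "xe-6/1/0": ("node0", weight),
                  "xe-18/0/0": ("node1", weight), "xe-18/1/0": ("node1", weight)},
    )


def single_link_failure(weight):
    """Return (primary after one node0 link fails, primary after that link recovers)."""
    rg = rg1_from_page(weight)
    rg.link_down("xe-6/0/0")
    after_down = rg.primary
    rg.link_up("xe-6/0/0")
    return after_down, rg.primary


def double_link_failure(weight):
    """Return (primary after the first node0 link fails, primary after the second fails)."""
    rg = rg1_from_page(weight)
    rg.link_down("xe-6/0/0")
    first = rg.primary
    rg.link_down("xe-6/1/0")
    return first, rg.primary


if __name__ == "__main__":
    print("weight 255, one link down then up:", single_link_failure(255))  # ('node1', 'node1')
    print("weight 128, one link down then up:", single_link_failure(128))  # ('node0', 'node0')
    print("weight 128, two links down:", double_link_failure(128))         # ('node0', 'node1')
```

With the weights of 255 used above, losing either monitored node0 link moves RG1 to node1 and, because preempt is off, it stays there after the link returns; with 128 per interface both node0 links have to fail before the group moves.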

EX-8208-1

set interfaces xe-1/0/0 unit 0 family ethernet-switching port-mode access vlan members SRX5800-RETH0
set interfaces xe-2/0/0 unit 0 family ethernet-switching port-mode access vlan members SRX5800-RETH1
set interfaces xe-3/0/0 unit 0 family ethernet-switching port-mode trunk vlan members [SRX5800-RETH1 SRX5800-RETH0]
set interfaces vlan unit 50 family inet address 2.2.2.2/24
set interfaces vlan unit 60 family inet address 1.1.1.2/24
set vlans SRX5800-RETH0 vlan-id 50
set vlans SRX5800-RETH0 l3-interface vlan.50
set vlans SRX5800-RETH1 vlan-id 60
set vlans SRX5800-RETH1 l3-interface vlan.60
set protocols ospf area 0.0.0.0 interface vlan.50
set protocols ospf area 0.0.0.0 interface vlan.60
set routing-options graceful-restart
set protocols rstp interface all

EX-8208-2

set interfaces xe-1/0/0 unit 0 family ethernet-switching port-mode access vlan members SRX5800-RETH0
set interfaces xe-2/0/0 unit 0 family ethernet-switching port-mode access vlan members SRX5800-RETH1
set interfaces xe-3/0/0 unit 0 family ethernet-switching port-mode trunk vlan members [SRX5800-RETH1 SRX5800-RETH0]
set interfaces vlan unit 50 family inet address 2.2.2.250/24
set interfaces vlan unit 60 family inet address 1.1.1.250/24
set vlans SRX5800-RETH0 vlan-id 50
set vlans SRX5800-RETH0 l3-interface vlan.50
set vlans SRX5800-RETH1 vlan-id 60
set vlans SRX5800-RETH1 l3-interface vlan.60
set protocols ospf area 0.0.0.0 interface vlan.50
set protocols ospf area 0.0.0.0 interface vlan.60
set routing-options graceful-restart
set protocols rstp interface all


Active / Passive Transparent Mode

Layer 2 transparent (pass-through) A/S mode

Network Address Translation

SRX no longer uses the MIP/VIP/DIP concepts: MIP is replaced by Static NAT, which is functionally identical; DIP is replaced by Source NAT; policy-based destination translation and VIP are replaced by Destination NAT. The ScreenOS source translation based on the Untrust zone interface is retained, but on SRX it is no longer the default (SRX Trust zone interfaces have no NAT-mode concept) and must be configured by hand. As in ScreenOS, Static NAT is bidirectional; all other types are one-way.

Source NAT

Interface NAT

james@SRX5800-1# edit security nat source rule-set Dept-A-to-Inet
[edit security nat source rule-set Dept-A-to-Inet]
james@SRX5800-1# set from zone Dept-A
james@SRX5800-1# set to zone Inet
james@SRX5800-1# set rule intNAT match source-address 10.1/16
james@SRX5800-1# set rule intNAT then source-nat interface

Verification commands:

show security flow session
show security nat source rule all

Address Pools

james@SRX5800-1# edit security nat source
[edit security nat source]
james@SRX5800-1# set pool ipPool address 10.10.10.192/29
james@SRX5800-1# edit rule-set Dept-A-to-Inet
[edit security nat source rule-set Dept-A-to-Inet]
james@SRX5800-1# set from zone Dept-A
james@SRX5800-1# set to zone Inet
james@SRX5800-1# set rule poolNAT match source-address 10.10/16
james@SRX5800-1# set rule poolNAT then source-nat pool ipPool

Removing PAT

Without PAT there is no port translation: internal addresses are mapped directly to addresses from the public pool, and the TCP/UDP ports are left unchanged.

james@SRX5800-1# edit security nat source pool ipPool
james@SRX5800-1# set port no-translation
james@SRX5800-1# set overflow-pool interface

NAT configuration, the equivalent of a NetScreen DIP:

set security nat source pool pool-1 address 192.168.1.50 to 192.168.1.150
set security nat source rule-set 1 from zone trust
set security nat source rule-set 1 to zone untrust
set security nat source rule-set 1 rule rule1 match source-address 0.0.0.0/0 destination-address 0.0.0.0/0
set security nat source rule-set 1 rule rule1 then source-nat pool pool-1
set security nat proxy-arp interface ge-0/0/0 address 192.168.1.50 to 192.168.1.150

The configuration above provides source address translation for traffic from the trust zone (any) to the untrust zone (any), using the source pool pool-1 (192.168.1.50-192.168.1.150); interface ge-0/0/0 additionally answers ARP on behalf of the pool addresses. Note that a pool is not associated with a zone or an interface when it is defined. proxy-arp is configured so that return packets reach the SRX; if the pool is not in the same subnet as the egress interface address, the peer device instead needs a route to the pool addresses pointing at the ge-0/0/0 interface.
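The no-PAT and proxy-ARP behaviour described above is easier to see with a small model. The following Python is an added example, not Junos code and not part of the original page: it assumes a pool defined as an address range like pool-1 above, a `port no-translation` flag and an `overflow-pool interface` fallback, and simplifies address selection to "first free address" (the SRX's own allocation order is not modelled). The egress interface address 203.0.113.1 and the 10.1.2.x hosts used in the demos are constructed.

```python
"""Toy model of an SRX source NAT pool: PAT versus 'port no-translation', the
overflow pool, and which pool addresses need proxy-ARP on the egress interface.

Added example, not Junos code. Address selection is simplified to first-free.
"""
import ipaddress


class SourceNatPool:
    def __init__(self, first, last, port_translation=True, overflow_interface_ip=None):
        lo, hi = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
        self.addresses = [str(ipaddress.ip_address(i)) for i in range(lo, hi + 1)]
        self.port_translation = port_translation
        self.overflow_ip = overflow_interface_ip   # 'overflow-pool interface' equivalent
        self.bindings = {}                         # no-PAT: internal IP -> pool IP
        self.ports_in_use = {}                     # PAT: NAT IP -> set of allocated ports

    def _pat(self, nat_ip, src_port):
        # PAT: keep the original port if it is free on that NAT address, else the next free high port
        used = self.ports_in_use.setdefault(nat_ip, set())
        port = src_port if src_port not in used else 1024
        while port in used:
            port += 1
        used.add(port)
        return nat_ip, port

    def translate(self, src_ip, src_port):
        """Return (translated IP, translated port), or None when the session is dropped."""
        if self.port_translation:
            # PAT: many internal hosts share one pool address; spread them by source address
            idx = int(ipaddress.ip_address(src_ip)) % len(self.addresses)
            return self._pat(self.addresses[idx], src_port)
        # port no-translation: one pool address per internal host, port unchanged
        if src_ip not in self.bindings:
            free = [a for a in self.addresses if a not in self.bindings.values()]
            if not free:
                if self.overflow_ip is None:
                    return None                                # pool exhausted, no overflow: drop
                return self._pat(self.overflow_ip, src_port)   # the overflow pool does PAT
            self.bindings[src_ip] = free[0]
        return self.bindings[src_ip], src_port

    def proxy_arp_split(self, egress_interface):
        """Split the pool into addresses on the egress interface subnet (the SRX must
        answer ARP for them, i.e. proxy-arp) and the rest (the peer needs a route)."""
        subnet = ipaddress.ip_interface(egress_interface).network
        on_link = [a for a in self.addresses if ipaddress.ip_address(a) in subnet]
        off_link = [a for a in self.addresses if a not in on_link]
        return on_link, off_link


def demo_no_pat():
    """Three-address pool without PAT, overflowing to the (constructed) interface IP 203.0.113.1."""
    pool = SourceNatPool("192.168.1.50", "192.168.1.52",
                         port_translation=False, overflow_interface_ip="203.0.113.1")
    hosts = ["10.1.2.2", "10.1.2.3", "10.1.2.4", "10.1.2.5"]     # constructed internal hosts
    results = [pool.translate(ip, 40000 + i) for i, ip in enumerate(hosts)]
    results.append(pool.translate("10.1.2.2", 40099))           # the existing binding is reused
    return results


def demo_pat():
    """Single-address pool with PAT: two hosts using the same source port get distinct NAT ports."""
    pool = SourceNatPool("192.168.1.50", "192.168.1.50")
    return [pool.translate("10.1.2.2", 5000), pool.translate("10.1.2.3", 5000)]


def demo_proxy_arp():
    """Same pool against an on-subnet and an off-subnet egress interface (addresses constructed)."""
    pool = SourceNatPool("192.168.1.50", "192.168.1.52")
    return pool.proxy_arp_split("192.168.1.1/24"), pool.proxy_arp_split("10.0.0.1/24")


if __name__ == "__main__":
    print(demo_no_pat())
    print(demo_pat())
    print(demo_proxy_arp())
```

The first demo shows the fourth host landing on the overflow address once the three pool addresses are bound; the third shows that with an egress interface in 10.0.0.0/24 none of the 192.168.1.x pool addresses can be served by proxy-arp, which is exactly the case where the peer must carry a route for the pool.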

Policy:

set security policies from-zone trust to-zone untrust policy 1 match source-address pc-1
set security policies from-zone trust to-zone untrust policy 1 match destination-address any
set security policies from-zone trust to-zone untrust policy 1 match application any
set security policies from-zone trust to-zone untrust policy 1 then permit

The policy above allows the trust zone address 10.1.2.2 to reach any address in the untrust direction; given the earlier NAT configuration, the SRX performs the source translation automatically when it sets up the session.

james@SRX5800-1# edit security nat source
[edit security nat source]
james@SRX5800-1# set pool ISP-A-Pool address 198.18.8.72/29
james@SRX5800-1# set pool ISP-B-Pool address 198.18.130.48/29
james@SRX5800-1# edit rule-set Dept-A-to-ISP-A
[edit security nat source rule-set Dept-A-to-ISP-A]
james@SRX5800-1# set from zone Dept-A
james@SRX5800-1# set to zone ISP-A
james@SRX5800-1# set rule ISP-A-PAT match source-address 0/0
james@SRX5800-1# set rule ISP-A-PAT then source-nat pool ISP-A-Pool
james@SRX5800-1# up
james@SRX5800-1# edit rule-set Dept-A-to-ISP-B
[edit security nat source rule-set Dept-A-to-ISP-B]
james@SRX5800-1# set from zone Dept-A
james@SRX5800-1# set to zone ISP-B
james@SRX5800-1# set rule ISP-B-PAT match source-address 0/0
james@SRX5800-1# set rule ISP-B-PAT then source-nat pool ISP-B-Pool

The security policy and the NAT rules are configured separately:

set security policies from-zone trust to-zone untrust policy 1 match source-address 0.0.0.0/0
set security policies from-zone trust to-zone untrust policy 1 match destination-address any
set security policies from-zone trust to-zone untrust policy 1 match application any
set security policies from-zone trust to-zone untrust policy 1 then permit

Destination NAT

Replaces the ScreenOS VIP and policy-based NAT.

james@SRX5800-1# edit security nat destination
[edit security nat destination]
james@SRX5800-1# set pool serverPool address 10.3.1.45/32 port 80    (internal server)
james@SRX5800-1# edit rule-set Internet
[edit security nat destination rule-set Internet]
james@SRX5800-1# set from zone Inet
james@SRX5800-1# edit rule serverNAT
[edit security nat destination rule-set Internet rule serverNAT]
james@SRX5800-1# set match source-address 0/0
james@SRX5800-1# set match destination-address 198.18.12.1/32    (public IP)
james@SRX5800-1# set match destination-port 80
james@SRX5800-1# set then destination-nat pool serverPool

james@SRX5800-1# edit security nat destination
[edit security nat destination]
james@SRX5800-1# set pool HTTP-VIP address 10.1.1.1 port 80
james@SRX5800-1# set pool DNS-VIP address 10.1.1.2 port 53
james@SRX5800-1# set pool IMAP-VIP address 10.1.1.3 port 143
james@SRX5800-1# edit rule-set Virtual-IP
[edit security nat destination rule-set Virtual-IP]
james@SRX5800-1# set from zone Inet
james@SRX5800-1# set rule HTTP match destination-address 198.18.5.72
james@SRX5800-1# set rule HTTP match destination-port 80
james@SRX5800-1# set rule HTTP then destination-nat pool HTTP-VIP
james@SRX5800-1# set rule DNS match destination-address 198.18.5.72
james@SRX5800-1# set rule DNS match destination-port 53
james@SRX5800-1# set rule DNS then destination-nat pool DNS-VIP
james@SRX5800-1# set rule IMAP match destination-address 198.18.5.72
james@SRX5800-1# set rule IMAP match destination-port 143
james@SRX5800-1# set rule IMAP then destination-nat pool IMAP-VIP

Then configure the untrust-to-trust security policy.

Static NAT

Configuring Static NAT

james@SRX5800-1# edit security nat static rule-set Org-A-to-Org-B
[edit security nat static rule-set Org-A-to-Org-B]
james@SRX5800-1# set from routing-instance Org-A
james@SRX5800-1# set rule Org-B-hide match destination-address 172.31/16
james@SRX5800-1# set rule Org-B-hide then static-nat prefix 10.1/16
james@SRX5800-1# up
james@SRX5800-1# edit rule-set Org-B-to-Org-A
[edit security nat static rule-set Org-B-to-Org-A]
james@SRX5800-1# set from routing-instance Org-B
james@SRX5800-1# set rule Org-A-hide match destination-address 172.30/16
james@SRX5800-1# set rule Org-A-hide then static-nat prefix 10.1/16

Example 2

Here routing-instance denotes a separate routing instance, i.e. a functional grouping of routes and interfaces.

In this example, you perform the following tasks:

■ Define a static NAT rule for traffic from zone red to address 20.1.1.100. Translate the destination IP to 10.0.0.200 and routing-instance ri-green.

■ Define a static NAT rule for traffic from zone red to address 20.1.1.101. Translate the destination IP to 10.0.1.200 and routing-instance ri-blue.

■ Define a static NAT rule for traffic from interface ge-0/0/0.0 to address 30.1.1.3. Translate the destination IP to 10.0.2.200.

■ Define a static NAT rule for traffic from routing-instance ri-red to address subnet 30.1.1.0/24. Translate the destination address subnet to 172.16.0.0/24.

user@host# set security nat static rule-set rs3 from zone red
user@host# set security nat static rule-set rs3 rule r1 match destination-address 20.1.1.100
user@host# set security nat static rule-set rs3 rule r1 then static-nat prefix 10.0.0.200
user@host# set security nat static rule-set rs3 rule r1 then static-nat prefix 10.0.0.200 routing-instance ri-green
user@host# set security nat static rule-set rs3 from zone red
user@host# set security nat static rule-set rs3 rule r2 match destination-address 20.1.1.101
user@host# set security nat static rule-set rs3 rule r2 then static-nat prefix 10.0.1.200
user@host# set security nat static rule-set rs3 rule r2 then static-nat prefix 10.0.1.200 routing-instance ri-blue
user@host# set security nat static rule-set rs3 from interface ge-0/0/0.0
user@host# set security nat static rule-set rs3 rule r3 match destination-address 30.1.1.3
user@host# set security nat static rule-set rs3 rule r3 then static-nat prefix 10.0.2.200
user@host# set security nat static rule-set rs4 from routing-instance ri-red
user@host# set security nat static rule-set rs4 rule r3 match destination-address 30.1.1.0/24

user@host#set security
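A small evaluator for the destination NAT and static NAT rule-sets above, as an added Python example (not Junos code and not part of the original page). It models a "from" context (zone, interface or routing-instance) as a plain string, evaluates destination NAT rules in order with the first match winning, and shows the bidirectional property of static NAT stated in the NAT overview: the destination rewrite on the way in and the mirror-image source rewrite on the reply. The source address 203.0.113.9 used in the demos is constructed.

```python
"""Minimal evaluator for SRX destination NAT and static NAT rule-sets.

Added example, not Junos code. The 'from' context is a single string; rules are
first-match; static NAT keeps the host part and swaps the network part.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    from_ctx: str     # zone / interface / routing-instance the packet arrives from
    src: str
    dst: str
    dport: int


@dataclass
class DestNatRule:
    name: str
    dst: str                          # match destination-address
    pool_addr: str                    # pool address
    dport: Optional[int] = None       # match destination-port (None = any port)
    pool_port: Optional[int] = None   # pool port (None = keep the original port)


class DestNatRuleSet:
    """A 'from zone X' rule-set: rules are tried in order and the first match wins."""
    def __init__(self, from_ctx, rules):
        self.from_ctx = from_ctx
        self.rules = rules

    def apply(self, pkt):
        if pkt.from_ctx != self.from_ctx:
            return pkt
        for r in self.rules:
            in_addr = ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(r.dst, strict=False)
            if in_addr and (r.dport is None or r.dport == pkt.dport):
                new_port = pkt.dport if r.pool_port is None else r.pool_port
                return Packet(pkt.from_ctx, pkt.src, r.pool_addr, new_port)
        return pkt      # no rule matched: forwarded untranslated (policy still decides)


class StaticNatRule:
    """static-nat: destination rewrite for traffic entering from the 'from' context,
    and the mirror-image source rewrite on the return traffic (bidirectional)."""
    def __init__(self, from_ctx, match_prefix, nat_prefix):
        self.from_ctx = from_ctx
        self.match = ipaddress.ip_network(match_prefix, strict=False)
        self.prefix = ipaddress.ip_network(nat_prefix, strict=False)
        assert self.match.prefixlen == self.prefix.prefixlen, "prefixes must be the same size"

    @staticmethod
    def _shift(addr, src_net, dst_net):
        # keep the host part, replace the network part
        offset = int(ipaddress.ip_address(addr)) - int(src_net.network_address)
        return str(ipaddress.ip_address(int(dst_net.network_address) + offset))

    def forward(self, pkt):
        if pkt.from_ctx == self.from_ctx and ipaddress.ip_address(pkt.dst) in self.match:
            return Packet(pkt.from_ctx, pkt.src, self._shift(pkt.dst, self.match, self.prefix), pkt.dport)
        return pkt

    def reverse(self, pkt):
        # reply from the real host: its source is rewritten back to the public address
        if ipaddress.ip_address(pkt.src) in self.prefix:
            return Packet(pkt.from_ctx, self._shift(pkt.src, self.prefix, self.match), pkt.dst, pkt.dport)
        return pkt


def virtual_ip_ruleset():
    """The Virtual-IP rule-set from the Destination NAT section: one public address, three pools."""
    return DestNatRuleSet("Inet", [
        DestNatRule("HTTP", "198.18.5.72", "10.1.1.1", dport=80, pool_port=80),
        DestNatRule("DNS", "198.18.5.72", "10.1.1.2", dport=53, pool_port=53),
        DestNatRule("IMAP", "198.18.5.72", "10.1.1.3", dport=143, pool_port=143),
    ])


def demo_destination_nat():
    """Translate one connection per port; port 25 has no rule and stays untranslated."""
    rs = virtual_ip_ruleset()
    out = {}
    for port in (80, 53, 143, 25):
        p = rs.apply(Packet("Inet", "203.0.113.9", "198.18.5.72", port))   # constructed source
        out[port] = (p.dst, p.dport)
    return out


def demo_static_nat():
    """Rule r1 (host) and rule-set rs4 (subnet) from the static NAT example above."""
    r1 = StaticNatRule("red", "20.1.1.100/32", "10.0.0.200/32")
    r4 = StaticNatRule("ri-red", "30.1.1.0/24", "172.16.0.0/24")
    inbound = r1.forward(Packet("red", "203.0.113.9", "20.1.1.100", 443))
    reply = r1.reverse(Packet("green", "10.0.0.200", "203.0.113.9", 443))
    subnet = r4.forward(Packet("ri-red", "203.0.113.9", "30.1.1.7", 22))
    return inbound.dst, reply.src, subnet.dst


if __name__ == "__main__":
    print(demo_destination_nat())
    print(demo_static_nat())
```

The destination NAT demo shows why the page needs one pool per service even though all three rules match the same public address: the pool carries the internal address and port. The static NAT demo shows the reply from 10.0.0.200 leaving with source 20.1.1.100 without any second rule, which is the bidirectional behaviour that source and destination NAT do not have.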

VRF (VPN Routing & Forwarding Instance)   2009-05-31 17:53

1. What is VRF?

VPN Routing and Forwarding (VRF) is a technology used in computer networks that allows multiple instances of a routing table to co-exist within the same router at the same time. Because the routing instances are independent, the same or overlapping IP addresses can be used without conflicting with each other.

VRF: VPN Routing & Forwarding Instance

Each VRF can be regarded as a virtual router, as if it were a dedicated PE. This virtual router consists of:

an independent routing table, and therefore an independent address space; a set of interfaces that belong to this VRF; a set of routing protocols used only by this VRF.

Each PE can maintain one or more VRFs while also maintaining a public routing table (the global routing table); the VRF instances are isolated from one another.

2. What problems does VRF solve?

2.1 It provides the equivalent of a dedicated PE, isolating different customers by route.
2.2 It solves address overlap.

That is, customer devices using public addresses and customer devices using private addresses are supported at the same time, and several VPNs may use the same address space;

overlapping VPNs are also supported, an overlapping VPN being one where a single site belongs to several VPNs at once.

Introducing the RT

On a PE there are the global routing table and the VRFs. Selecting routes from the global routing table into a VRF is called export; selecting routes from a VRF into the global routing table is called import. The RT is used to distribute routing information; it is divided into Import RT and Export RT, which govern the import and export policies respectively. When routes are exported from the global table into a VRF, the VPN routes are tagged with the Export RT; when VPNv4 routes are imported into the global table, only routes whose RT tags match any Import RT of the VRF table are imported. RTs let a PE router hold only the routes of the VPNs directly attached to it rather than every IPv4 route in the network, which saves PE resources and improves scalability. When a VRF advertises routes it applies its RT export rule and sends them directly to the other PEs. The receiving PE accepts all routes and checks them against the RT import rule configured for each VRF; if the RT attribute of a route matches, the route is added to the corresponding VRF.

Export Target: the tag that routes sent out of this VRF carry. Import Target: the tags of routes that this VRF accepts.

Introducing the RD

The ISP network has to carry routes from a customer's CE across the shared network to that customer's other CE routers, but routes from different customers may be identical (overlapping). Suppose customer A has the route 10.180.0.0/16 and customer B also has 10.180.0.0/16; inside the ISP it is then impossible to tell which customer 10.180.0.0/16 belongs to. To solve this the RD (Route Distinguisher) was introduced: the IPv4 address is extended to a VPNv4 address (RD:IPv4), and as routes are propagated inside the ISP every route from a CE gets a distinguishing tag, so that when a remote PE receives the same route from different VRFs it can tell them apart. Suppose customer A's RD is 65001:1 and customer B's RD is 65002:1; A's 10.180.0.0/16 is extended to 65001:1:10.180.0.0/16 and B's to 65002:1:10.180.0.0/16. Routes extended in this way are VPNv4 routes. As long as the RD is globally unique, non-unique IPv4 addresses are turned into unique VPNv4 addresses; the VPNv4 addresses are invisible to the customer devices.

3. Deploying and configuring VRF on the PE

Public routing table: holds the routes between all PE and P routers, produced by the backbone IGP. Private routing table: holds the routing and forwarding table with the reachability information of this VPN's customer.

3.1 Configure the RD

In principle one RD can be configured per VRF.

The usual recommendation is to use the same RD throughout one VPN and different RDs for different VPNs.

In practice it is only required that two VRFs containing the same addresses have different RDs; different VPNs may use the same RD, and the same VPN may use different RDs.

The relationship between VPN and RD is loose: it is enough that two VRFs holding identical addresses have different RDs, so that the routes of different VRFs can be told apart.

PE1(config-vrf)#rd ?

ASN:nn or IP-address:nn VPN Route Distinguisher

ASN:nn is normally used.

3.2 配置 RT

PE1(config-vrf)#route-target import ?

ASN:nn or IP-address:nn Target VPN Extended Community

PE1(config-vrf)#route-target export ?

ASN:nn or IP-address:nn Target VPN Extended Community
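The RD and RT mechanics described in sections 2 and 3, as an added Python model (not vendor code and not part of the original page). Each VRF exports its routes as VPNv4 routes keyed by RD:prefix and tagged with its export RTs; a receiving VRF accepts a route only if one of the route's RTs is in its import list. The RT values 65001:100 and 65002:100 are constructed; the RDs and the overlapping 10.180.0.0/16 prefix come from the RD section. The model also shows the caveat from 3.1: giving two VRFs with overlapping addresses the same RD makes their VPNv4 keys collide (modelled here as the later route overwriting the earlier one).

```python
"""Model of RD and RT handling for MPLS L3VPN routes.

Added example, not vendor code. VPNv4 routes are keyed by RD:prefix; import is
decided by RT intersection; a key collision is modelled as overwrite.
"""
from dataclasses import dataclass, field


@dataclass
class Vrf:
    name: str
    rd: str
    import_rt: set
    export_rt: set
    routes: set = field(default_factory=set)   # IPv4 prefixes learned from the CE


@dataclass(frozen=True)
class Vpnv4Route:
    rd: str
    prefix: str
    rts: frozenset

    @property
    def key(self):
        return f"{self.rd}:{self.prefix}"   # RD:prefix, the VPNv4 NLRI in text form


def export_routes(vrfs):
    """Build the PE's VPNv4 table from its VRFs. Routes from two VRFs collide only
    when RD and prefix are both equal; a collision overwrites the earlier entry."""
    table = {}
    for vrf in vrfs:
        for prefix in sorted(vrf.routes):
            route = Vpnv4Route(vrf.rd, prefix, frozenset(vrf.export_rt))
            table[route.key] = route
    return table


def import_routes(vrf, vpnv4_table):
    """Routes the receiving VRF accepts: at least one RT on the route matches an import RT."""
    return sorted((r.prefix, r.rd) for r in vpnv4_table.values() if r.rts & vrf.import_rt)


def demo_distinct_rd():
    """Customers A and B with the RDs from the RD section and overlapping 10.180.0.0/16."""
    a = Vrf("cust-A", "65001:1", {"65001:100"}, {"65001:100"}, {"10.180.0.0/16"})
    b = Vrf("cust-B", "65002:1", {"65002:100"}, {"65002:100"}, {"10.180.0.0/16"})
    table = export_routes([a, b])
    # the remote PE's VRF for customer A imports only A's RT (constructed value)
    remote_a = Vrf("cust-A", "65001:1", {"65001:100"}, {"65001:100"})
    return sorted(table), import_routes(remote_a, table)


def demo_same_rd():
    """The 3.1 caveat: both VRFs get the same RD although their address spaces overlap."""
    a = Vrf("cust-A", "65001:1", {"65001:100"}, {"65001:100"}, {"10.180.0.0/16"})
    b = Vrf("cust-B", "65001:1", {"65002:100"}, {"65002:100"}, {"10.180.0.0/16"})
    table = export_routes([a, b])
    remote_a = Vrf("cust-A", "65001:1", {"65001:100"}, {"65001:100"})
    return sorted(table), import_routes(remote_a, table)


if __name__ == "__main__":
    print(demo_distinct_rd())   # two VPNv4 keys, remote A receives one route
    print(demo_same_rd())       # one VPNv4 key survives, remote A receives nothing
```

With distinct RDs the PE carries two VPNv4 entries for the same IPv4 prefix and the remote VRF picks the right one purely by RT; with a shared RD one of the two overlapping routes is lost before any RT filtering happens, which is why the RD, not the RT, is what keeps overlapping address spaces apart.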

3.3 Assign interfaces to the VRF

Once the VRF has been created you can assign specific interfaces to it and start separating customers. If an IP address was assigned to the interface before it was placed in the VRF, that address is removed and you must assign the interface an IP address again.

PE1(config)#interface s1/0

PE1(config-if)#ip vrf forwarding -a
PE1(config-if)#
PE1(config-if)#do show ip vrf

  Name            Default RD      Interfaces
  -a              65001:1         Se1/0

Configuring Transparent Mode

The interfaces and VLANs are as follows:

• ge-0/0/1 will be in access mode, with VLAN 10 as its VLAN for unit 0.10
• ge-0/0/2 will be in access mode, with VLAN 20 as its VLAN for unit 0.20
• ge-0/0/3 will be in trunk mode, with VLAN 10 on unit 10, VLAN 30 on unit 30, and VLAN 40 on unit 40.
• ge-0/0/4 will be in trunk mode, with VLAN 20 on unit 20, VLAN 50 on unit 50, and VLAN 60 on unit 60.

The six bridge domains are each called L2-VLAN-XX where XX is the VLAN number. The bridge domains logically separate the traffic for the different VLANs. Let's go:

{secondary:node0}[edit]
root@SRX3400-1# edit interfaces ge-0/0/1 unit 0 family bridge

{secondary:node0}[edit interfaces ge-0/0/1 unit 0 family bridge]
root@SRX3400-1# set interface-mode access vlan-id 10

{secondary:node0}[edit interfaces ge-0/0/1 unit 0 family bridge]
root@SRX3400-1# up 3

{secondary:node0}[edit interfaces]
root@SRX3400-1# edit ge-0/0/2 unit 0 family bridge

{secondary:node0}[edit interfaces ge-0/0/2 unit 0 family bridge]
root@SRX3400-1# set interface-mode access vlan-id 20

{secondary:node0}[edit interfaces ge-0/0/2 unit 0 family bridge]
root@SRX3400-1# up 3

{secondary:node0}[edit interfaces]
root@SRX3400-1# edit ge-0/0/3

{secondary:node0}[edit interfaces ge-0/0/3]
root@SRX3400-1# set unit 10 family bridge interface-mode trunk vlan-id-list 10

{secondary:node0}[edit interfaces ge-0/0/3]
root@SRX3400-1# set unit 30 family bridge interface-mode trunk vlan-id-list 30

{secondary:node0}[edit interfaces ge-0/0/3]
root@SRX3400-1# set unit 40 family bridge interface-mode trunk vlan-id-list 40

{secondary:node0}[edit interfaces ge-0/0/3]
root@SRX3400-1# set vlan-tagging
