Part 2 security zones and interfaces
Create a security zone
user@host# set interfaces ge-0/0/1 unit 1 family inet address 10.12.12.1/24
user@host# set security zones security-zone ABC interfaces ge-0/0/1.1
Configure which management services the interface accepts (host-inbound-traffic)
user@host# set security zones security-zone ABC interfaces ge-0/0/1.3 host-inbound-traffic system-services ftp
user@host# set security zones security-zone ABC interfaces ge-0/0/1.3 host-inbound-traffic system-services telnet
user@host# set security zones security-zone ABC interfaces ge-0/0/1.1 host-inbound-traffic system-services snmp
or
user@host# set security zones security-zone ABC interfaces ge-0/0/1.1 host-inbound-traffic system-services all
user@host# set security zones security-zone ABC interfaces ge-0/0/1.1 host-inbound-traffic system-services http except
user@host# set security zones security-zone ABC interfaces ge-0/0/1.3 host-inbound-traffic system-services ftp except
The same forms work with protocols in place of system-services.
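As an added example (not from these notes), the Python below reads set commands like the ones above and reports which management services each interface actually accepts, applying the Junos rules that an interface-level host-inbound-traffic stanza overrides the zone-level one and that "all" plus "<service> except" means everything but the excepted service. The sample configuration is constructed from the commands above plus a zone-level ssh line and an interface with no stanza of its own.

```python
import re
from dataclasses import dataclass, field

# One regex covers the three line shapes used in the notes above:
#   zone-level:       ... security-zone Z host-inbound-traffic system-services S
#   interface-level:  ... security-zone Z interfaces I host-inbound-traffic system-services S [except]
#   bare binding:     ... security-zone Z interfaces I
LINE_RE = re.compile(
    r"^set security zones security-zone (?P<zone>\S+)"
    r"(?: interfaces (?P<ifc>\S+))?"
    r"(?: host-inbound-traffic (?P<kind>system-services|protocols) (?P<name>\S+)(?P<exc> except)?)?$"
)


@dataclass
class Allowed:
    """Services a stanza admits: an explicit set, or 'all' minus the 'except' entries."""
    everything: bool = False
    names: set = field(default_factory=set)
    excluded: set = field(default_factory=set)

    def configured(self):
        return self.everything or bool(self.names) or bool(self.excluded)

    def permits(self, service):
        if self.everything:
            return service not in self.excluded
        return service in self.names


def parse_zones(config_text):
    """Return {zone: {'zone': Allowed, 'ifcs': {ifc: Allowed}}} for system-services."""
    zones = {}
    for raw in config_text.strip().splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a zone line
        z = zones.setdefault(m['zone'], {'zone': Allowed(), 'ifcs': {}})
        target = z['zone'] if m['ifc'] is None else z['ifcs'].setdefault(m['ifc'], Allowed())
        if m['kind'] != 'system-services':
            continue  # bare interface binding, or a protocols line (not modelled here)
        if m['exc']:
            target.excluded.add(m['name'])
        elif m['name'] == 'all':
            target.everything = True
        else:
            target.names.add(m['name'])
    return zones


def effective_services(zones):
    """Per interface: its own stanza if it has one, otherwise the zone-level stanza."""
    result = {}
    for data in zones.values():
        for ifc, allowed in data['ifcs'].items():
            result[ifc] = allowed if allowed.configured() else data['zone']
    return result


CLEARTEXT = ('telnet', 'ftp', 'http')


def cleartext_exposure(config_text):
    """List (interface, service, how) for every cleartext management service reachable."""
    findings = []
    for ifc, allowed in sorted(effective_services(parse_zones(config_text)).items()):
        for svc in CLEARTEXT:
            if allowed.permits(svc):
                findings.append((ifc, svc, 'via all' if allowed.everything else 'explicit'))
    return findings


# Constructed sample: the commands from the notes above plus a zone-level ssh line
# and an interface (ge-0/0/1.2) that inherits the zone-level stanza.
SAMPLE_CONFIG = """
set security zones security-zone ABC host-inbound-traffic system-services ssh
set security zones security-zone ABC interfaces ge-0/0/1.3 host-inbound-traffic system-services ftp
set security zones security-zone ABC interfaces ge-0/0/1.3 host-inbound-traffic system-services telnet
set security zones security-zone ABC interfaces ge-0/0/1.1 host-inbound-traffic system-services all
set security zones security-zone ABC interfaces ge-0/0/1.1 host-inbound-traffic system-services http except
set security zones security-zone ABC interfaces ge-0/0/1.2
"""

if __name__ == '__main__':
    for ifc, svc, how in cleartext_exposure(SAMPLE_CONFIG):
        print(f"{ifc}: accepts {svc} ({how})")
```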
Address Books and Address Sets
Each security zone contains an address book. Before policies can be created between two zones, the addresses in each zone's address book must be defined. To manage an address book that holds many addresses, address groups called address sets are created. Policies reference the address book entries.
user@host# set security zones security-zone green address-book address src_addr1 .10.4.44/32
user@host# set security zones security-zone green address-book address src_addr2 .10.9.28/32
user@host# set security zones security-zone green address-book address src_addr3 10.10.10.10/24
user@host# set security zones security-zone green address-book address-set my_source_addresses address src_addr1
user@host# set security zones security-zone green address-book address-set my_source_addresses address src_addr2
user@host# set security zones security-zone green address-book address-set my_source_addresses address src_addr3
Policies then reference this set. Rules for address sets:
* To configure an address set, the address book must contain more than one address.
* An address set can only contain address names from the same security zone.
* An address name cannot be the same as an address set name.
Configure address books
user@host# set security zones security-zone IntranetGREEN address-book address G1 10.1.10.0/24
user@host# set security zones security-zone IntranetGREEN address-book address G2 10.1.10.0/32
user@host# set security zones security-zone IntranetGREEN address-book address-set SerAll address G1
user@host# set security zones security-zone IntranetGREEN address-book address-set SerAll address G2
Part 3 security policy
user@host# set security policies from-zone green to-zone red policy abctopublic match source-address abc
user@host# set security policies from-zone red to-zone green policy abctopublic match destination-address public
user@host# set security policies from-zone red to-zone green policy abctopublic match application ssh
user@host# set security policies from-zone red to-zone green policy abctopublic then permit
Example: defining security policies
1. Set interfaces.
user@host# set interfaces ge-0/0/1 unit 0 family inet address 10.1.1.1/24
user@host# set interfaces ge-0/0/2 unit 0 family inet address 1.2.2.1/24
user@host# set interfaces ge-0/0/3 unit 0 family inet address 1.1.1.1/24
user@host# set security zones security-zone internal interfaces ge-0/0/1.0
user@host# set security zones security-zone dmz interfaces ge-0/0/2.0
user@host# set security zones security-zone external interfaces ge-0/0/3.0
2. Configure addresses.
user@host# set security zones security-zone internal address-book address corp_net 10.1.1.0/24
user@host# set security zones security-zone dmz address-book address mail_svr 1.2.2.5/32
user@host# set security zones security-zone external address-book address r-mail_svr 2.2.2.5/32
3. Configure application sets. (MAIL-POP3 here is a user-defined application set.)
user@host# set applications application-set MAIL-POP3 application junos-mail
user@host# set applications application-set MAIL-POP3 application junos-pop3
4. Create policies. (MAIL is a predefined system application.) The three lines below are shorthand listing source address, destination address, application and action; the full form is "policy <name> match source-address ...", "match destination-address ...", "match application ..." and "then permit".
user@host# set security policies from-zone internal to-zone dmz corp_net mail_svr MAIL-POP3 permit
user@host# set security policies from-zone dmz to-zone external mail_svr r-mail_svr MAIL permit
user@host# set security policies from-zone external to-zone dmz r-mail_svr mail_svr MAIL permit
5. If you are finished configuring the device, commit the configuration.
Security Policy Applications
Define an application set
user@host# set applications application-set WebMailApps application smtp
user@host# set applications application-set WebMailApps application http
user@host# set applications application-set WebMailApps application https
user@host# set applications application-set WebMailApps application POPS
Custom application
user@host# set applications application cust-telnet protocol tcp source-port 1-65535 destination-port 23000-23000
user@host# set applications application cust-telnet inactivity-timeout 30
Configuring Pass-Through Authentication
Pass-through firewall user authentication occurs when the client is trying to access a destination on another zone using FTP, Telnet, or HTTP. After authenticating successfully, the firewall acts as a proxy for an FTP, a Telnet, or an HTTP server so that it can first authenticate the user before allowing access to the actual FTP, Telnet, or HTTP server behind the firewall.
1. Create IP addresses for the device interfaces:
user@host# set interfaces ge-0/0/1 unit 0 family inet address 20.20.20.1/24
user@host# set interfaces ge-0/0/1 unit 0 family inet address 20.20.20.2/24
user@host# set interfaces ge-5/0/0 unit 0 family inet address 30.30.30.1/24
user@host# set interfaces ge-5/0/0 unit 0 family inet address 30.30.30.2/24
2. Create the FWAUTH access profile for the FWClient1 user and specify the pwd password:
user@host# set access profile FWAUTH client FWClient1 firewall-user password pwd
3. Add the FWAuth profile for pass-through firewall authentication:
user@host# set access firewall-authentication pass-through default-profile FWAUTH
4. Define a success banner for Telnet sessions:
user@host# set access firewall-authentication pass-through telnet banner success "WELCOME TO JUNIPER TELNET SESSION"
5. Create security zones:
user@host# set security zones security-zone UT-ZONE host-inbound-traffic system-services all
user@host# set security zones security-zone UT-ZONE interfaces ge-0/0/1.0 host-inbound-traffic protocols all
user@host# set security zones security-zone T-ZONE host-inbound-traffic system-services all
user@host# set security zones security-zone T-ZONE interfaces fe-5/0/0.0 host-inbound-traffic protocols all
6. Assign the policy1 security policy to the zones:
user@host# set security policies from-zone UT-ZONE to-zone T-ZONE policy policy1 match source-address any
user@host# set security policies from-zone UT-ZONE to-zone T-ZONE policy policy1 match destination-address any
user@host# set security policies from-zone UT-ZONE to-zone T-ZONE policy policy1 match application junos-telnet
7. Use Telnet to authenticate the FWClient1 firewall user to host2:
regress@FWClient1# run telnet 30.30.30.2
Trying 30.30.30.2...
Connected to 30.30.30.2.
Escape character is '^]'.
Firewall User Authentication
Username: FWClient1
Password:***
WELCOME TO JUNIPER TELNET SESSION
Host1 (ttyp0)
login: regress
Password:
--- JUNOS 8.5R1.1 built 2007-10-12 13:30:18 UTC
%
Virtual Private Networks
Route-based VPN
1 Configure IP addresses for the private LAN, the public interface and the secure tunnel (st0) interface
set interfaces ge-0/0/0 unit 0 family inet address 10.10.10.1/24
set interfaces ge-0/0/3 unit 0 family inet address 1.1.1.2/30
set interfaces st0 unit 0 family inet address 10.11.11.10/24
2 Configure the default route and the tunnel route
set routing-options static route 0.0.0.0/0 next-hop 1.1.1.1
set routing-options static route 192.168.168.0/24 next-hop st0.0
3 Configure security zones and assign the interfaces
set security zones security-zone trust interfaces ge-0/0/0.0
set security zones security-zone untrust interfaces ge-0/0/3.0
set security zones security-zone interfaces st0.0
4 Assign host-inbound services to each zone
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic system-services ike
Other services can be enabled on untrust if they are needed.
5 Assign address book entries to the zones
set security zones security-zone trust address-book address local-net 10.10.10.0/24
set security zones security-zone address-book address remote-net 192.168.168.0/24
6 Configure the IKE policy
set security ike policy ike-policy1 mode main
set security ike policy ike-policy1 proposal-set standard
set security ike policy ike-policy1 pre-shared-key ascii-text "secretkey"
The standard proposal set contains the preshared-group2-3des-sha1 and preshared-group2-aes128-sha1 proposals; custom proposals can be defined instead.
7 Configure the IKE gateway (Phase 1)
set security ike gateway ike-gate ike-policy ike-policy1
set security ike gateway ike-gate address 2.2.2.2
set security ike gateway ike-gate external-interface ge-0/0/3.0
8 Configure the IPsec policy
set security ipsec policy -policy1 proposal-set standard
9 Configure the IPsec VPN
set security ipsec vpn ike- ike gateway ike-gate
set security ipsec vpn ike- ike ipsec-policy -policy1
set security ipsec vpn ike- bind-interface st0.0
10 Configure the policy for Internet traffic
edit security policies from-zone trust to-zone untrust
## Entering from-zone "trust" to-zone "untrust" hierarchy
set policy any-permit match source-address any
set policy any-permit match destination-address any
set policy any-permit match application any
set policy any-permit then permit source-nat interface
exit
11 Configure security policies for tunnel traffic in both directions.
edit security policies from-zone trust to-zone
## Entering zone "trust" to zone "" hierarchy
set policy -tr- match source-address local-net
set policy -tr- match destination-address remote-net
set policy -tr- match application any
set policy -tr- then permit
exit
edit security policies from-zone to-zone trust
## Entering zone "" to zone "trust" hierarchy
set policy --tr match source-address remote-net
set policy --tr match destination-address local-net
set policy --tr match application any
set policy --tr then permit
exit
set security flow tcp-mss ipsec-vpn mss 1350
SSG5 configuration (ScreenOS)
set zone name "VPN"
set interface ethernet0/6 zone "Trust"
set interface ethernet0/0 zone "Untrust"
set interface "tunnel.1" zone "VPN"
set interface ethernet0/6 ip 192.168.168.1/24
set interface ethernet0/6 route
set interface ethernet0/0 ip 2.2.2.2/30
set interface ethernet0/0 route
set interface tunnel.1 ip 10.11.11.11/24
set flow tcp-mss 1350
set address "Trust" "192.168.168-net" 192.168.168.0 255.255.255.0
set address "VPN" "10.10.10-net" 10.10.10.0 255.255.255.0
set ike gateway "corp-ike" address 1.1.1.2 Main outgoing-interface ethernet0/0 preshare "secretkey" sec-level standard
set vpn "corp-" gateway "corp-ike" replay tunnel idletime 0 sec-level standard
set vpn "corp-" monitor optimized rekey
set vpn "corp-" bind interface tunnel.1
set policy from "Trust" to "Untrust" "ANY" "ANY" "ANY" nat src permit
set policy from "Trust" to "VPN" "192.168.168-net" "10.10.10-net" "ANY" permit
set policy from "VPN" to "Trust" "10.10.10-net" "192.168.168-net" "ANY" permit
set route 10.10.10.0/24 interface tunnel.1
set route 0.0.0.0/0 interface ethernet0/0 gateway 2.2.2.1
IPsec VPN Configuration
When configuring Phase 1 of an IPsec tunnel using IKE, you first configure proposals, then policies, and finally the gateway.
user@host# set security ike proposal ike_prop_1 description "new ike proposal"
user@host# set security ike proposal ike_prop_1 authentication-method pre-shared-keys
user@host# set security ike proposal ike_prop_1 dh-group group2
user@host# set security ike proposal ike_prop_1 authentication-algorithm md5
user@host# set security ike proposal ike_prop_1 encryption-algorithm 3des-cbc
user@host# set security ike proposal ike_prop_1 lifetime-seconds 300
user@host# set security ike policy ike_pol_1 mode aggressive
user@host# set security ike policy ike_pol_1 description "new ike policy"
user@host# set security ike policy ike_pol_1 proposals ike_prop_1
user@host# set security ike policy ike_pol_1 pre-shared-key ascii-text "$9$UQiqf36A1RSTzRSreXxDik.Tzn/CuBI"
user@host# show security ike policy ike_pol_1
user@host# set security ike gateway ike_gateway_1 ike-policy ike_pol_1
user@host# set security ike gateway ike_gateway_1 address 1.1.1.2
user@host# set security ike gateway ike_gateway_1 dead-peer-detection interval 10
user@host# set security ike gateway ike_gateway_1 dead-peer-detection threshold 5
user@host# set security ike gateway ike_gateway_1 external-interface ge-0/0/0
user@host# show security ike gateway ike_gateway_1
When configuring Phase 2 of an IPsec tunnel, you first configure proposals, then policies, and finally the AutoKey IKE.
user@host# set security ipsec proposal ipsec_prop_1 description "new ipsec proposal"
user@host# set security ipsec proposal ipsec_prop_1 protocol esp
user@host# set security ipsec proposal ipsec_prop_1 authentication-algorithm hmac-md5-96
user@host# set security ipsec proposal ipsec_prop_1 encryption-algorithm 3des-cbc
user@host# set security ipsec proposal ipsec_prop_1 lifetime-seconds 1800
user@host# show security ipsec proposal ipsec_prop_1
user@host# set security ipsec policy ipsec_pol_1 description "new ipsec policy"
user@host# set security ipsec policy ipsec_pol_1 perfect-forward-secrecy keys group2
user@host# set security ipsec policy ipsec_pol_1 proposals ipsec_prop_1
user@host# set security ipsec vpn _1 bind-interface st0.0
user@host# set security ipsec vpn _1 ike gateway ike_gateway_1
user@host# set security ipsec vpn _1 ike ipsec-policy ipsec_pol_1
user@host# set security ike respond-bad-spi 5
user@host# set security ipsec vpn-monitor-options interval 15 threshold 15
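Added example, not part of the original notes: a small audit script that reads set commands such as the Phase 1 and Phase 2 lines above (the hub-and-spoke configurations below use the same settings) and flags the legacy choices they contain. Which settings count as weak is this example's own judgement; the sample input is the proposal and policy lines from above.

```python
import re

# Settings this example treats as weak (its own judgement, not a vendor list).
WEAK = {
    'authentication-algorithm': {
        'md5': 'MD5-based integrity',
        'hmac-md5-96': 'MD5-based integrity',
    },
    'encryption-algorithm': {
        'des-cbc': 'single DES',
        '3des-cbc': '3DES, 64-bit block cipher',
    },
    'dh-group': {
        'group1': '768-bit Diffie-Hellman',
        'group2': '1024-bit Diffie-Hellman',
    },
}

# Accepts lines with or without the "user@host# " prompt used in the notes.
LINE_RE = re.compile(
    r"^(?:user@host# )?set security (?P<phase>ike|ipsec) (?P<obj>proposal|policy) "
    r"(?P<name>\S+) (?P<rest>.+)$"
)


def audit_vpn_crypto(config_text):
    """Return [(object, setting, value, reason)] for each weak IKE/IPsec setting found."""
    findings = []
    for raw in config_text.strip().splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # gateways, vpn bindings and show commands are not audited here
        obj = f"{m['phase']} {m['obj']} {m['name']}"
        tokens = m['rest'].split()
        if m['obj'] == 'proposal' and len(tokens) == 2 and tokens[0] in WEAK:
            reason = WEAK[tokens[0]].get(tokens[1])
            if reason:
                findings.append((obj, tokens[0], tokens[1], reason))
        elif m['obj'] == 'policy' and tokens == ['mode', 'aggressive']:
            findings.append((obj, 'mode', 'aggressive',
                             'IKEv1 aggressive mode with PSK exposes the PSK hash to offline guessing'))
        elif (m['obj'] == 'policy' and len(tokens) == 3
              and tokens[:2] == ['perfect-forward-secrecy', 'keys']):
            reason = WEAK['dh-group'].get(tokens[2])
            if reason:
                findings.append((obj, 'perfect-forward-secrecy keys', tokens[2], reason))
    return findings


# Sample input: the proposal and policy lines from the Phase 1 / Phase 2 section above.
SAMPLE_VPN_CONFIG = """
user@host# set security ike proposal ike_prop_1 authentication-method pre-shared-keys
user@host# set security ike proposal ike_prop_1 dh-group group2
user@host# set security ike proposal ike_prop_1 authentication-algorithm md5
user@host# set security ike proposal ike_prop_1 encryption-algorithm 3des-cbc
user@host# set security ike proposal ike_prop_1 lifetime-seconds 300
user@host# set security ike policy ike_pol_1 mode aggressive
user@host# set security ike policy ike_pol_1 proposals ike_prop_1
user@host# set security ipsec proposal ipsec_prop_1 protocol esp
user@host# set security ipsec proposal ipsec_prop_1 authentication-algorithm hmac-md5-96
user@host# set security ipsec proposal ipsec_prop_1 encryption-algorithm 3des-cbc
user@host# set security ipsec policy ipsec_pol_1 perfect-forward-secrecy keys group2
user@host# set security ipsec policy ipsec_pol_1 proposals ipsec_prop_1
"""

if __name__ == '__main__':
    for obj, setting, value, reason in audit_vpn_crypto(SAMPLE_VPN_CONFIG):
        print(f"{obj}: {setting} {value} -> {reason}")
```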
Hub-and-Spoke VPN Configuration
To configure the hub in a hub-and-spoke VPN:
1. Configure Phase 1 of the IPsec tunnel:
a. Configure IKE Phase 1 proposals:
user@host# set security ike proposal first_ikeprop authentication-method pre-shared-keys
user@host# set security ike proposal first_ikeprop dh-group group2
user@host# set security ike proposal first_ikeprop authentication-algorithm md5
user@host# set security ike proposal first_ikeprop encryption-algorithm 3des-cbc
user@host# set security ike proposal third_ikeprop authentication-method pre-shared-keys
user@host# set security ike proposal third_ikeprop dh-group group2
user@host# set security ike proposal third_ikeprop authentication-algorithm md5
user@host# set security ike proposal third_ikeprop encryption-algorithm 3des-cbc
b. Configure IKE policies (and reference the proposals):
user@host# set security ike policy first_ikepol mode main
user@host# set security ike policy first_ikepol proposals first_ikeprop
user@host# set security ike policy first_ikepol pre-shared-key ascii-text "$9$xFU-b2ZUH5Qn4aQn/CB17-V"
user@host# set security ike policy third_ikepol mode main
user@host# set security ike policy third_ikepol proposals third_ikeprop
user@host# set security ike policy third_ikepol pre-shared-key ascii-text "$9$GvjkPFnCBIc5QIcylLXUjH"
c. Configure the IKE gateway (and reference the policy):
user@host# set security ike gateway first ike-policy first_ikepol
user@host# set security ike gateway first address 4.4.4.2
user@host# set security ike gateway first external-interface ge-0/0/0.0
user@host# set security ike gateway third ike-policy third_ikepol
user@host# set security ike gateway third address 2.2.2.1
user@host# set security ike gateway third external-interface ge-0/0/3.0
2. Configure Phase 2 of the IPsec tunnel:
a. Configure Phase 2 proposals:
user@host# set security ipsec proposal first_ipsecprop protocol esp
user@host# set security ipsec proposal first_ipsecprop authentication-algorithm hmac-md5-96
user@host# set security ipsec proposal first_ipsecprop encryption-algorithm 3des-cbc
user@host# set security ipsec proposal third_ipsecprop protocol esp
user@host# set security ipsec proposal third_ipsecprop authentication-algorithm hmac-md5-96
user@host# set security ipsec proposal third_ipsecprop encryption-algorithm 3des-cbc
b. Configure policies (and reference proposals):
user@host# set security ipsec policy first_ipsecpol perfect-forward-secrecy keys group1
user@host# set security ipsec policy first_ipsecpol proposals first_ipsecprop
user@host# set security ipsec policy third_ipsecpol perfect-forward-secrecy keys group1
user@host# set security ipsec policy third_ipsecpol proposals third_ipsecprop
c. Configure AutoKey IKE (and reference the policy and gateway):
user@host# set security ipsec vpn first_ bind-interface st0.0
user@host# set security ipsec vpn first_ ike gateway first
user@host# set security ipsec vpn first_ ike ipsec-policy first_ipsecpol
user@host# set security ipsec vpn first_ establish-tunnels immediately
user@host# set security ipsec vpn third_ bind-interface st0.0
user@host# set security ipsec vpn third_ ike gateway third
user@host# set security ipsec vpn third_ ike ipsec-policy third_ipsecpol
user@host# set security ipsec vpn third_ establish-tunnels immediately
3. Configure the security policy:
user@host# set security policies default-policy permit-all
4. Configure routing options:
user@host# set routing-options static route 1.1.1.0/24 next-hop st0.0
user@host# set routing-options static route 3.1.1.0/24 next-hop st0.0
5. Enable Next Hop Tunnel Binding (nhtb):
user@host# set interfaces st0 unit 0 multipoint
Configuring Spoke 1 in a Hub-and-Spoke VPN
1. Configure Phase 1 of the IPsec tunnel:
a. Configure IKE Phase 1 proposals:
user@host# set security ike proposal ike_prop authentication-method pre-shared-keys
user@host# set security ike proposal ike_prop dh-group group2
user@host# set security ike proposal ike_prop authentication-algorithm md5
user@host# set security ike proposal ike_prop encryption-algorithm 3des-cbc
b. Configure IKE policies (and reference the proposals):
user@host# set security ike policy ike_pol mode main
user@host# set security ike policy ike_pol proposals ike_prop
user@host# set security ike policy ike_pol pre-shared-key ascii-text "$9$vA38xd24Zk.5bs.5QFAtM8X"
c. Configure IKE gateway (and reference the policy):
user@host# set security ike gateway first ike-policy ike_pol
user@host# set security ike gateway first address 4.4.4.1
user@host# set security ike gateway first external-interface fe-2/0/0.0
2. Configure Phase 2 of the IPsec tunnel:
a. Configure Phase 2 proposals:
user@host# set security ipsec proposal ipsec_prop protocol esp
user@host# set security ipsec proposal ipsec_prop authentication-algorithm hmac-md5-96
user@host# set security ipsec proposal ipsec_prop encryption-algorithm 3des-cbc
b. Configure policies (and reference proposals):
user@host# set security ipsec policy ipsec_pol perfect-forward-secrecy keys group1
user@host# set security ipsec policy ipsec_pol proposals ipsec_prop
c. Configure AutoKey IKE (and reference the policy and gateway):
user@host# set security ipsec vpn first_ bind-interface st0.0
user@host# set security ipsec vpn first_ ike gateway gate
user@host# set security ipsec vpn first_ ike ipsec-policy ipsec_pol
3. Configure the security policy:
user@host# set security policies default-policy permit-all
4. Configure routing options:
user@host# set routing-options static route 1.1.1.0/24 next-hop 7.7.7.1
Configuring Spoke 2 in a Hub-and-Spoke VPN
1. Configure Phase 1 of the IPsec tunnel:
a. Configure IKE Phase 1 proposals:
user@host# set security ike proposal ike_prop authentication-method pre-shared-keys
user@host# set security ike proposal ike_prop dh-group group2
user@host# set security ike proposal ike_prop authentication-algorithm md5
user@host# set security ike proposal ike_prop encryption-algorithm 3des-cbc
b. Configure IKE policies (and reference the proposals):
user@host# set security ike policy ike_pol mode main
user@host# set security ike policy ike_pol proposals ike_prop
user@host# set security ike policy ike_pol pre-shared-key ascii-text "$9$JrUi.QF/0BEP5BEcyW8ZUj"
c. Configure IKE gateway (and reference the policy):
user@host# set security ike gateway gate ike-policy ike_pol
user@host# set security ike gateway third address 2.2.2.2
user@host# set security ike gateway third external-interface ge-0/0/3.0
2. Configure Phase 2 of the IPsec tunnel:
a. Configure Phase 2 proposals:
user@host# set security ipsec proposal ipsec_prop protocol esp
user@host# set security ipsec proposal ipsec_prop authentication-algorithm hmac-md5-96
user@host# set security ipsec proposal ipsec_prop encryption-algorithm 3des-cbc
b. Configure policies (and reference proposals):
user@host# set security ipsec policy ipsec_pol perfect-forward-secrecy keys group1
user@host# set security ipsec policy ipsec_pol proposals ipsec_prop
c. Configure AutoKey IKE (and reference the policy and gateway):
user@host# set security ipsec vpn first_ bind-interface st0.0
user@host# set security ipsec vpn first_ ike gateway gate
user@host# set security ipsec vpn first_ ike ipsec-policy ipsec_pol
3. Configure the security policy:
user@host# set security policies default-policy permit-all
4. Configure routing options:
user@host# set routing-options static route 3.1.1.0/24 next-hop 7.7.7.1
Dynamic VPNs
Creating a Dynamic VPN Client Configuration
user@host# set security dynamic-vpn clients config1 remote-protected-resources 10.100.100.0/24
user@host# set security dynamic-vpn clients config1 remote-exceptions [ 0.0.0.0/0 1.1.1.1/24 0.0.0.0/32 ]
user@host# set security dynamic-vpn clients config1 ipsec-vpn ipsec-config
user@host# set security dynamic-vpn clients config1 user [ johndoe janedoe ]
Configuring Dynamic VPN Global Client Download Settings
user@host# set security dynamic-vpn clients remote-users
user@host# set security dynamic-vpn force-upgrade
SRX High Availability Design Guide
Dual-node hot standby (JSRP)
1. Enabling clustering (active/standby mode)
In node 0:
user@host> set chassis cluster cluster-id 1 node 0 reboot
In node 1:
user@host> set chassis cluster cluster-id 1 node 1 reboot
2. Management interface
user@host# set groups node0 system host-name SRX-A
user@host# set groups node0 interfaces fxp0 unit 0 family inet address 192.168.3.110/24
user@host# set groups node1 system host-name SRX-B
user@host# set groups node1 interfaces fxp0 unit 0 family inet address 192.168.3.111/24
user@host# set apply-groups "${node}"
3. Fabric interface
user@host# set interfaces fab0 fabric-options member-interfaces ge-0/0/1
user@host# set interfaces fab1 fabric-options member-interfaces ge-4/0/1
4. Redundancy groups
user@host# set chassis cluster reth-count 2
(Sets the number of redundant Ethernet interfaces, similar to ae interfaces.)
user@host# set chassis cluster heartbeat-interval 1000
user@host# set chassis cluster heartbeat-threshold 3
user@host# set chassis cluster node 0
user@host# set chassis cluster node 1
user@host# set chassis cluster redundancy-group 0 node 0 priority 100
user@host# set chassis cluster redundancy-group 0 node 1 priority 1
user@host# set chassis cluster redundancy-group 1 node 0 priority 100
user@host# set chassis cluster redundancy-group 1 node 1 priority 1
user@host# set chassis cluster redundancy-group 1 interface-monitor fe-1/0/0 weight 255
user@host# set chassis cluster redundancy-group 1 interface-monitor fe-5/0/0 weight 255
user@host# set chassis cluster redundancy-group 1 interface-monitor ge-0/0/0 weight 255
user@host# set chassis cluster redundancy-group 1 interface-monitor ge-4/0/0 weight 255
(Redundancy group 0 is the default control group and is not monitored; the monitored ports are the ones that carry data traffic.)
5. Redundant Ethernet interfaces
user@host# set interfaces ge-0/0/0 gigether-options redundant-parent reth1
user@host# set interfaces ge-4/0/0 gigether-options redundant-parent reth1
user@host# set interfaces fe-1/0/0 fastether-options redundant-parent reth0
user@host# set interfaces fe-5/0/0 fastether-options redundant-parent reth0
user@host# set interfaces reth0 redundant-ether-options redundancy-group 1
user@host# set interfaces reth0 unit 0 family inet address 10.16.8.1/24
user@host# set interfaces reth1 redundant-ether-options redundancy-group 1
user@host# set interfaces reth1 unit 0 family inet address 1.2.0.233/24
6. Security zones
user@host# set security zones security-zone Untrust interfaces reth1.0
user@host# set security zones security-zone Trust interfaces reth0.0
7. Security policies
user@host# set security policies from-zone Trust to-zone Untrust policy ANY match source-address any
user@host# set security policies from-zone Trust to-zone Untrust policy ANY match destination-address any
user@host# set security policies from-zone Trust to-zone Untrust policy ANY match application any
user@host# set security policies from-zone Trust to-zone Untrust policy ANY then permit
Failover
request chassis cluster failover redundancy-group 1 node 1
request chassis cluster failover reset redundancy-group 1
(Resets redundancy group 1 to its normal priorities.)
SRX5800 cluster
There are four modes.
In this document we are going to cover the four most common high availability scenarios when deploying SRX:
Active/Passive Simple Deployment
Active/Passive Full Mesh Deployment
Active/Active Deployment
Active/Passive Transparent Mode Deployment
Basic Active / Passive SRX Deployment Scenario
The configuration procedure is as follows.
1 Configure the node number of each member. The cluster-id range is 1-15; 0 means standalone.
SRX 5800-1: set chassis cluster cluster-id 1 node 0 reboot
SRX 5800-2: set chassis cluster cluster-id 1 node 1 reboot
2 Control port configuration. On the SRX5800 and larger models the control ports must be specified explicitly; smaller models have built-in control ports.
set chassis cluster control-ports fpc 1 port 0
set chassis cluster control-ports fpc 13 port 0
3 Specify the data (fabric) ports
set interfaces fab0 fabric-options member-interfaces ge-11/3/0
set interfaces fab1 fabric-options member-interfaces ge-23/3/0
4 Node configuration, including the out-of-band management port
set groups node0
set groups node1
set groups node0 system host-name SRX5800-1
set groups node0 interfaces fxp0 unit 0 family inet address 10.3.5.1/24
set groups node0 system backup-router 10.3.5.2 destination 0.0.0.0/0
set groups node1 system host-name SRX5800-2
set groups node1 interfaces fxp0 unit 0 family inet address 10.3.5.2/24
set groups node1 system backup-router 10.3.5.2 destination 0.0.0.0/0
set apply-groups ${node}
5 Configure redundancy groups. Group 0 always handles the control plane; group 1 handles the data plane.
set chassis cluster reth-count 2
(Number of redundant interfaces.)
set chassis cluster redundancy-group 0 node 0 priority 100
set chassis cluster redundancy-group 0 node 1 priority 1
set chassis cluster redundancy-group 1 node 0 priority 100
set chassis cluster redundancy-group 1 node 1 priority 1
(In active/standby mode node 0 is always primary.)
6 Configure redundant interfaces
set interfaces xe-6/0/0 gigether-options redundant-parent reth0
set interfaces xe-6/1/0 gigether-options redundant-parent reth1
set interfaces xe-18/0/0 gigether-options redundant-parent reth0
set interfaces xe-18/1/0 gigether-options redundant-parent reth1
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth0 unit 0 family inet address 1.1.1.1/24
set interfaces reth1 redundant-ether-options redundancy-group 1
set interfaces reth1 unit 0 family inet address 2.2.2.1/24
7 Configure interface monitoring. With a weight of 255, a single link failure triggers failover; to fail over only after several links are down, use smaller weights.
set chassis cluster redundancy-group 1 interface-monitor xe-6/0/0 weight 255
set chassis cluster redundancy-group 1 interface-monitor xe-6/1/0 weight 255
set chassis cluster redundancy-group 1 interface-monitor xe-18/0/0 weight 255
set chassis cluster redundancy-group 1 interface-monitor xe-18/1/0 weight 255
set chassis cluster control-link-recovery
Group 0 carries control traffic, so it is not monitored; only group 1 is monitored.
8 Configure zones and routes for the redundant interfaces
set security zones security-zone untrust interfaces reth0.0
set security zones security-zone trust interfaces reth1.0
set routing-options static route 0.0.0.0/0 next-hop 1.1.1.2
set routing-options static route 2.0.0.0/8 next-hop 2.2.2.2
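The interface-monitor weights in step 7 above (and in the JSRP configuration earlier) decide when a node gives up a redundancy group: the weights of its failed monitored interfaces are summed and the node's priority drops to 0 once that sum reaches the threshold of 255. The Python below, added here and not part of the original notes, works that out from the set commands and compares the weight-255 configuration with a constructed weight-128 variant; the interface-to-node mapping is an assumption stated in the code (node 1's FPC slots are numbered from 12 on the SRX5800), and preempt and hold-down timers are not modelled.

```python
import re

THRESHOLD = 255  # a node's redundancy group fails once its failed monitored weight reaches this

PRIO_RE = re.compile(r"^set chassis cluster redundancy-group (\d+) node (\d+) priority (\d+)$")
MON_RE = re.compile(r"^set chassis cluster redundancy-group (\d+) interface-monitor (\S+) weight (\d+)$")


def parse_cluster(config_text):
    """Return ({rg: {node: priority}}, {rg: {interface: weight}}) from set commands."""
    priorities, monitors = {}, {}
    for raw in config_text.strip().splitlines():
        line = raw.strip()
        m = PRIO_RE.match(line)
        if m:
            priorities.setdefault(int(m[1]), {})[int(m[2])] = int(m[3])
            continue
        m = MON_RE.match(line)
        if m:
            monitors.setdefault(int(m[1]), {})[m[2]] = int(m[3])
    return priorities, monitors


def rg_primary(config_text, down, node_of):
    """For each redundancy group, which node holds it given the set of down interfaces.

    down: interfaces that are currently down; node_of: {interface: node} saying which
    chassis owns each monitored interface. A node whose failed weight reaches THRESHOLD
    gets effective priority 0; the highest remaining priority wins, None if both are 0.
    Preempt and hold-down timers are deliberately not modelled.
    """
    priorities, monitors = parse_cluster(config_text)
    result = {}
    for rg, prio in sorted(priorities.items()):
        effective = {}
        for node, p in prio.items():
            failed = sum(w for ifc, w in monitors.get(rg, {}).items()
                         if ifc in down and node_of[ifc] == node)
            effective[node] = 0 if failed >= THRESHOLD else p
        live = {n: p for n, p in effective.items() if p > 0}
        result[rg] = max(live, key=live.get) if live else None
    return result


# Constructed sample: the redundancy-group and interface-monitor lines from the SRX5800
# active/passive configuration above.
SAMPLE_CLUSTER = """
set chassis cluster redundancy-group 0 node 0 priority 100
set chassis cluster redundancy-group 0 node 1 priority 1
set chassis cluster redundancy-group 1 node 0 priority 100
set chassis cluster redundancy-group 1 node 1 priority 1
set chassis cluster redundancy-group 1 interface-monitor xe-6/0/0 weight 255
set chassis cluster redundancy-group 1 interface-monitor xe-6/1/0 weight 255
set chassis cluster redundancy-group 1 interface-monitor xe-18/0/0 weight 255
set chassis cluster redundancy-group 1 interface-monitor xe-18/1/0 weight 255
"""
# Assumption: on the SRX5800 node 1's FPC slots start at 12, so xe-18/* sits on node 1.
NODE_OF = {'xe-6/0/0': 0, 'xe-6/1/0': 0, 'xe-18/0/0': 1, 'xe-18/1/0': 1}
# Constructed variant with weight 128: two links on one node must fail before it yields RG1.
HALF_WEIGHTS = SAMPLE_CLUSTER.replace('weight 255', 'weight 128')

if __name__ == '__main__':
    for label, cfg in (('weight 255', SAMPLE_CLUSTER), ('weight 128', HALF_WEIGHTS)):
        for down in (set(), {'xe-6/0/0'}, {'xe-6/0/0', 'xe-6/1/0'}):
            print(label, 'down:', sorted(down), '->', rg_primary(cfg, down, NODE_OF))
```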
EX-8200 configuration
set interfaces xe-1/0/0 unit 0 family ethernet-switching port-mode access vlan members SRX5800
set interfaces xe-2/0/0 unit 0 family ethernet-switching port-mode access vlan members SRX5800
set interfaces vlan unit 50 family inet address 2.2.2.2/24
set vlans SRX5800 vlan-id 50
set vlans SRX5800 l3-interface vlan.50
set routing-options static route 0.0.0.0/0 next-hop 2.2.2.1
MX240 Configuration
set interfaces xe-1/0/0 encapsulation ethernet-bridge unit 0 family bridge
set interfaces xe-2/0/0 encapsulation ethernet-bridge unit 0 family bridge
set interfaces irb unit 0 family inet address 1.1.1.2/24
set routing-options static route 2.0.0.0/8 next-hop 1.1.1.1
set routing-options static route 0.0.0.0/0 next-hop (upstream router)
set bridge-domains SRX5800 vlan-id X (could be set to "none")
set bridge-domains SRX5800 domain-type bridge routing-interface irb.0
set bridge-domains SRX5800 domain-type bridge interface xe-1/0/0
set bridge-domains SRX5800 domain-type bridge interface xe-2/0/0
Active / Passive Full Mesh SRX Deployment Scenario
Full-mesh connections
SRX 5800-1: set chassis cluster cluster-id 1 node 0 reboot
SRX 5800-2: set chassis cluster cluster-id 1 node 1 reboot
set chassis cluster control-ports fpc 1 port 0
set chassis cluster control-ports fpc 13 port 0
set interfaces fab0 fabric-options member-interfaces ge-11/3/0
set interfaces fab1 fabric-options member-interfaces ge-23/3/0
set groups node0
set groups node1
set groups node0 system host-name SRX5800-1
set groups node0 interfaces fxp0 unit 0 family inet address 10.3.5.1/24
set groups node0 system backup-router 10.3.5.2 destination 0.0.0.0/0
set groups node1 system host-name SRX5800-2
set groups node1 interfaces fxp0 unit 0 family inet address 10.3.5.2/24
set groups node1 system backup-router 10.3.5.2 destination 0.0.0.0/0
set apply-groups ${node}
set chassis cluster reth-count 4
set chassis cluster redundancy-group 0 node 0 priority 100
set chassis cluster redundancy-group 0 node 1 priority 1
set chassis cluster redundancy-group 1 node 0 priority 100
set chassis cluster redundancy-group 1 node 1 priority 1
set interfaces xe-6/0/0 gigether-options redundant-parent reth0
set interfaces xe-6/1/0 gigether-options redundant-parent reth1
set interfaces xe-6/2/0 gigether-options redundant-parent reth2
set interfaces xe-6/3/0 gigether-options redundant-parent reth3
set interfaces xe-18/0/0 gigether-options redundant-parent reth0
set interfaces xe-18/1/0 gigether-options redundant-parent reth1
set interfaces xe-18/2/0 gigether-options redundant-parent reth2
set interfaces xe-18/3/0 gigether-options redundant-parent reth3
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth0 unit 0 family inet address 1.1.1.1/24
set interfaces reth1 redundant-ether-options redundancy-group 1
set interfaces reth1 unit 0 family inet address 2.2.2.1/24
set interfaces reth2 redundant-ether-options redundancy-group 1
set interfaces reth2 unit 0 family inet address 3.3.3.1/24
set interfaces reth3 redundant-ether-options redundancy-group 1
set interfaces reth3 unit 0 family inet address 4.4.4.1/24
set chassis cluster redundancy-group 1 interface-monitor xe-6/0/0 weight 255
set chassis cluster redundancy-group 1 interface-monitor xe-6/1/0 weight 255
set chassis cluster redundancy-group 1 interface-monitor xe-6/2/0 weight 255
set chassis cluster redundancy-group 1 interface-monitor xe-6/3/0 weight 255
set chassis cluster redundancy-group 1 interface-monitor xe-18/0/0 weight 255
set chassis cluster redundancy-group 1 interface-monitor xe-18/1/0 weight 255
set chassis cluster redundancy-group 1 interface-monitor xe-18/2/0 weight 255
set chassis cluster redundancy-group 1 interface-monitor xe-18/3/0 weight 255
set chassis cluster control-link-recovery
set security zones security-zone untrust interfaces reth0.0
set security zones security-zone untrust interfaces reth1.0
set security zones security-zone trust interfaces reth2.0
set security zones security-zone trust interfaces reth3.0
set protocols ospf area 0.0.0.0 interface reth0.0
set protocols ospf area 0.0.0.0 interface reth1.0
set protocols ospf area 0.0.0.0 interface reth2.0
set protocols ospf area 0.0.0.0 interface reth3.0
set routing-options graceful-restart
EX-8208-1
set interfaces xe-1/0/0 unit 0 family ethernet-switching port-mode access vlan members SRX5800-RETH0
set interfaces xe-2/0/0 unit 0 family ethernet-switching port-mode access vlan members SRX5800-RETH1
set interfaces xe-3/0/0 unit 0 family ethernet-switching port-mode trunk vlan members [SRX5800-RETH1 SRX5800-RETH0]
set interfaces vlan unit 50 family inet address 3.3.3.2/24
set interfaces vlan unit 60 family inet address 4.4.4.2/24
set vlans SRX5800-RETH0 vlan-id 50
set vlans SRX5800-RETH0 l3-interface vlan.50
set vlans SRX5800-RETH1 vlan-id 60
set vlans SRX5800-RETH1 l3-interface vlan.60
set protocols ospf area 0.0.0.0 interface vlan.50
set protocols ospf area 0.0.0.0 interface vlan.60
set routing-options graceful-restart
set protocols rstp interface all
EX-8208-2
set interfaces xe-1/0/0 unit 0 family ethernet-switching port-mode access vlan members SRX5800-RETH0
set interfaces xe-2/0/0 unit 0 family ethernet-switching port-mode access vlan members SRX5800-RETH1
set interfaces xe-3/0/0 unit 0 family ethernet-switching port-mode trunk vlan members [SRX5800-RETH1 SRX5800-RETH0]
set interfaces vlan unit 50 family inet address 3.3.3.250/24
set interfaces vlan unit 60 family inet address 4.4.4.250/24
set vlans SRX5800-RETH0 vlan-id 50
set vlans SRX5800-RETH0 l3-interface vlan.50
set vlans SRX5800-RETH1 vlan-id 60
set vlans SRX5800-RETH1 l3-interface vlan.60
set protocols ospf area 0.0.0.0 interface vlan.50
set protocols ospf area 0.0.0.0 interface vlan.60
set routing-options graceful-restart
set protocols rstp interface all
MX480 Configuration
MX480-1
set interfaces xe-1/0/0 encapsulation ethernet-bridge unit 0 family bridge
set interfaces xe-2/0/0 encapsulation ethernet-bridge unit 0 family bridge
set interfaces xe-3/0/0 encapsulation ethernet-bridge unit 0 family bridge
set interfaces xe-4/0/0 encapsulation ethernet-bridge unit 0 family bridge
set interfaces xe-5/0/0 unit 0 family bridge interface-mode trunk vlan-id-list [x y]
set interfaces irb unit 0 family inet address 1.1.1.2/24
set interfaces irb unit 1 family inet address 2.2.2.2/24
set routing-options static route 0.0.0.0/0 next-hop (upstream router)
set bridge-domains SRX5800-1 vlan-id X
set bridge-domains SRX5800-1 domain-type bridge routing-interface irb.0
set bridge-domains SRX5800-1 domain-type bridge interface xe-1/0/0
set bridge-domains SRX5800-1 domain-type bridge interface xe-2/0/0
set bridge-domains SRX5800-2 vlan-id Y
set bridge-domains SRX5800-2 domain-type bridge routing-interface irb.1
set bridge-domains SRX5800-2 domain-type bridge interface xe-3/0/0
set bridge-domains SRX5800-2 domain-type bridge interface xe-4/0/0
set protocols ospf area 0.0.0.0 interface irb.0
set protocols ospf area 0.0.0.0 interface irb.1
set routing-options graceful-restart
MX480-2
set interfaces xe-1/0/0 encapsulation ethernet-bridge unit 0 family bridge
set interfaces xe-2/0/0 encapsulation ethernet-bridge unit 0 family bridge
set interfaces xe-3/0/0 encapsulation ethernet-bridge unit 0 family bridge
set interfaces xe-4/0/0 encapsulation ethernet-bridge unit 0 family bridge
set interfaces xe-5/0/0 unit 0 family bridge interface-mode trunk vlan-id-list [x y]
set interfaces irb unit 0 family inet address 1.1.1.250/24
set interfaces irb unit 1 family inet address 2.2.2.250/24
set routing-options static route 0.0.0.0/0 next-hop (upstream router)
set bridge-domains SRX5800-1 vlan-id X
set bridge-domains SRX5800-1 domain-type bridge routing-interface irb.0
set bridge-domains SRX5800-1 domain-type bridge interface xe-1/0/0
set bridge-domains SRX5800-1 domain-type bridge interface xe-2/0/0
set bridge-domains SRX5800-2 vlan-id Y
set bridge-domains SRX5800-2 domain-type bridge routing-interface irb.1
set bridge-domains SRX5800-2 domain-type bridge interface xe-3/0/0
set bridge-domains SRX5800-2 domain-type bridge interface xe-4/0/0
set protocols ospf area 0.0.0.0 interface irb.0
set protocols ospf area 0.0.0.0 interface irb.1
set routing-options graceful-restart
Active / Active SRX Deployment Scenario
In A/A mode the data plane is active/active, but the control plane is still active/standby.
1 Configure the cluster ID and node IDs
SRX 5800-1: set chassis cluster cluster-id 1 node 0 reboot
SRX 5800-2: set chassis cluster cluster-id 1 node 1 reboot
2 Configure the control ports
set chassis cluster control-ports fpc 1 port 0
set chassis cluster control-ports fpc 13 port 0
3 Configure the fabric (data) interfaces
set interfaces fab0 fabric-options member-interfaces xe-6/3/0
set interfaces fab1 fabric-options member-interfaces xe-18/3/0
4 Configure the node-specific interfaces
set groups node0
set groups node1
set groups node0 system host-name SRX5800-1
set groups node0 interfaces fxp0 unit 0 family inet address 10.3.5.1/24
set groups node0 system backup-router 10.3.5.2 destination 0.0.0.0/0
set groups node1 system host-name SRX5800-2
set groups node1 interfaces fxp0 unit 0 family inet address 10.3.5.2/24
set groups node1 system backup-router 10.3.5.2 destination 0.0.0.0/0
set apply-groups ${node}
5 Redundancy groups: A/A mode has two data redundancy groups
set chassis cluster reth-count 2
set chassis cluster redundancy-group 0 node 0 priority 100
set chassis cluster redundancy-group 0 node 1 priority 1
set chassis cluster redundancy-group 1 node 0 priority 100
set chassis cluster redundancy-group 1 node 1 priority 1
set chassis cluster redundancy-group 2 node 0 priority 1
set chassis cluster redundancy-group 2 node 1 priority 100
6 Configure the redundant Ethernet interfaces
set interfaces xe-6/0/0 gigether-options redundant-parent reth0
set interfaces xe-6/1/0 gigether-options redundant-parent reth1
set interfaces xe-18/0/0 gigether-options redundant-parent reth0
set interfaces xe-18/1/0 gigether-options redundant-parent reth1
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth0 unit 0 family inet address 1.1.1.1/24
set interfaces reth1 redundant-ether-options redundancy-group 2
set interfaces reth1 unit 0 family inet address 2.2.2.1/24
7 ISP uplinks
set interfaces xe-6/2/0 unit 0 family inet address 3.3.3.1/24
set interfaces xe-18/2/0 unit 0 family inet address 4.4.4.1/24
8 Configure interface monitoring
set chassis cluster redundancy-group 1 interface-monitor xe-6/0/0 weight 255
set chassis cluster redundancy-group 1 interface-monitor xe-6/1/0 weight 255
set chassis cluster redundancy-group 1 interface-monitor xe-18/0/0 weight 255
set chassis cluster redundancy-group 1 interface-monitor xe-18/1/0 weight 255
set chassis cluster control-link-recovery
Configure the zones
set security zones security-zone trust interfaces reth0.0
set security zones security-zone trust interfaces reth1.0
set security zones security-zone untrust interfaces xe-6/2/0.0
set security zones security-zone untrust interfaces xe-18/2/0.0
Configure routing
set routing-options static route 0.0.0.0/0 next-hop 3.3.3.2 preference 2
set protocols bgp group eBGP type external
set protocols bgp group eBGP neighbor 3.3.3.2 peer-as 65333
set protocols bgp group eBGP neighbor 4.4.4.2 peer-as 4
set protocols ospf area 0.0.0.0 interface reth0.0
set protocols ospf area 0.0.0.0 interface reth1.0
set routing-options graceful-restart
set routing-options autonomous-system 65111
EX-8208-1
set interfaces xe-1/0/0 unit 0 family ethernet-switching port-mode access vlan members SRX5800-RETH0
set interfaces xe-2/0/0 unit 0 family ethernet-switching port-mode access vlan members SRX5800-RETH1
set interfaces xe-3/0/0 unit 0 family ethernet-switching port-mode trunk vlan members [SRX5800-RETH1 SRX5800-RETH0]
set interfaces vlan unit 50 family inet address 2.2.2.2/24
set interfaces vlan unit 60 family inet address 1.1.1.2/24
set vlans SRX5800-RETH0 vlan-id 50
set vlans SRX5800-RETH0 l3-interface vlan.50
set vlans SRX5800-RETH1 vlan-id 60
set vlans SRX5800-RETH1 l3-interface vlan.60
set protocols ospf area 0.0.0.0 interface vlan.50
set protocols ospf area 0.0.0.0 interface vlan.60
set routing-options graceful-restart
set protocols rstp interface all
EX-8208-2
set interfaces xe-1/0/0 unit 0 family ethernet-switching port-mode access vlan members SRX5800-RETH0
set interfaces xe-2/0/0 unit 0 family ethernet-switching port-mode access vlan members SRX5800-RETH1
set interfaces xe-3/0/0 unit 0 family ethernet-switching port-mode trunk vlan members [SRX5800-RETH1 SRX5800-RETH0]
set interfaces vlan unit 50 family inet address 2.2.2.250/24
set interfaces vlan unit 60 family inet address 1.1.1.250/24
set vlans SRX5800-RETH0 vlan-id 50
set vlans SRX5800-RETH0 l3-interface vlan.50
set vlans SRX5800-RETH1 vlan-id 60
set vlans SRX5800-RETH1 l3-interface vlan.60
set protocols ospf area 0.0.0.0 interface vlan.50
set protocols ospf area 0.0.0.0 interface vlan.60
set routing-options graceful-restart
set protocols rstp interface all
Active / Passive Transparent Mode
Layer 2 transparent (pass-through) A/S mode
Network Address Translation
The SRX no longer uses the MIP/VIP/DIP concepts. MIP is replaced by Static NAT, which is functionally identical; DIP is replaced by Source NAT; policy-based destination translation and VIP are replaced by Destination NAT. The ScreenOS source translation on Untrust zone interfaces is retained, but on the SRX it is no longer the default mode (SRX Trust zone interfaces have no NAT-mode concept) and must be configured by hand. As in ScreenOS, Static NAT is bidirectional; all other types are unidirectional.
Source NAT
Interface NAT
james@SRX5800-1# edit security nat source rule-set Dept-A-to-Inet
[edit security nat source rule-set Dept-A-to-Inet]
james@SRX5800-1# set from zone Dept-A
james@SRX5800-1# set to zone Inet
james@SRX5800-1# set rule intNAT match source-address 10.1/16
james@SRX5800-1# set rule intNAT then source-nat interface
Verify with:
show security flow session
show security nat source rule all
Address Pools
james@SRX5800-1# edit security nat source
james@SRX5800-1# set pool ipPool address 10.10.10.192/29
james@SRX5800-1# edit rule-set Dept-A-to-Inet
[edit security nat source rule-set Dept-A-to-Inet]
james@SRX5800-1# set from zone Dept-A
james@SRX5800-1# set to zone Inet
james@SRX5800-1# set rule poolNAT match source-address 10.10/16
james@SRX5800-1# set rule poolNAT then source-nat pool ipPool
Removing PAT
No PAT, i.e. no port translation: internal addresses are translated directly to addresses from the public pool, and TCP/UDP ports are left unchanged.
james@SRX5800-1# edit security nat source pool ipPool
james@SRX5800-1# set port no-translation
james@SRX5800-1# set overflow-pool interface
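The effect of "port no-translation" together with "overflow-pool interface" can be seen on sample flows with the following model; this is an added example, not code from the original notes or from Junos. The pool prefix and rule match prefix are the ones above (ipPool 10.10.10.192/29, sources 10.10/16); the interface address 10.10.10.1, the inside hosts and the starting PAT port are constructed assumptions.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

Flow = Tuple[str, int]  # (inside source address, source port) before translation


class NoPatSourceNatPool:
    """Model of a source NAT pool with 'port no-translation' and 'overflow-pool interface':
    each inside host is bound one-to-one to a whole pool address and keeps its own source
    port; once the pool is exhausted, new flows fall back to the interface address with
    port translation (or are dropped when no overflow pool is configured)."""

    def __init__(self, prefix: str, interface_ip: Optional[str] = None) -> None:
        # A Junos pool prefix such as 10.10.10.192/29 contributes every address in it
        # (8 here), not just the usable host addresses of a subnet.
        self.free: List[str] = [str(a) for a in ipaddress.ip_network(prefix)]
        self.bindings: Dict[str, str] = {}      # inside address -> pool address
        self.interface_ip = interface_ip        # None models a pool without overflow
        self.pat_ports: Dict[Flow, int] = {}    # overflow flows -> translated port
        self.next_pat_port = 1024               # constructed starting port for the model

    def translate(self, flow: Flow) -> Optional[Flow]:
        """Return the translated (address, port), or None when the flow must be dropped."""
        src_ip, src_port = flow
        if src_ip in self.bindings:                       # host already holds a pool address
            return self.bindings[src_ip], src_port
        if self.free:                                     # no-PAT: take a whole address
            self.bindings[src_ip] = self.free.pop(0)
            return self.bindings[src_ip], src_port
        if self.interface_ip is None:                     # pool exhausted, no overflow
            return None
        if flow not in self.pat_ports:                    # overflow-pool interface: PAT
            self.pat_ports[flow] = self.next_pat_port
            self.next_pat_port += 1
        return self.interface_ip, self.pat_ports[flow]

    def release(self, src_ip: str) -> None:
        """When an inside host has no sessions left, its pool address returns to the pool."""
        pool_ip = self.bindings.pop(src_ip, None)
        if pool_ip is not None:
            self.free.append(pool_ip)


def demo() -> Dict[str, Optional[Flow]]:
    """Nine constructed inside hosts from the rule's 10.10/16 match prefix against the
    eight-address pool ipPool; the ninth host overflows to the interface with PAT."""
    pool = NoPatSourceNatPool("10.10.10.192/29", interface_ip="10.10.10.1")
    out: Dict[str, Optional[Flow]] = {}
    for n in range(1, 10):
        out[f"10.10.1.{n}"] = pool.translate((f"10.10.1.{n}", 40000 + n))
    # A second session from host 1 keeps its pool address and its own source port.
    out["10.10.1.1 second session"] = pool.translate(("10.10.1.1", 51000))
    return out


if __name__ == "__main__":
    for host, result in demo().items():
        print(f"{host:>26} -> {result}")
```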
NAT configuration (the equivalent of NetScreen DIP):
set security nat source pool pool-1 address 192.168.1.50 to 192.168.1.150
set security nat source rule-set 1 from zone trust
set security nat source rule-set 1 to zone untrust
set security nat source rule-set 1 rule rule1 match source-address 0.0.0.0/0 destination-address 0.0.0.0/0
set security nat source rule-set 1 rule rule1 then source-nat pool pool-1
set security nat proxy-arp interface ge-0/0/0 address 192.168.1.50 to 192.168.1.150
The configuration above applies source NAT to traffic from zone trust (any) to zone untrust (any), using the pool pool-1 (192.168.1.50-192.168.1.150), and the ge-0/0/0 interface answers ARP on behalf of the pool addresses. Note that a pool does not need to be associated with a zone or an interface. proxy-arp is configured so that return packets can reach the SRX; if the pool is not in the same subnet as the egress interface address, the peer device instead needs a route for the pool addresses pointing at the ge-0/0/0 interface.
Policy:
set security policies from-zone trust to-zone untrust policy 1 match source-address pc-1
set security policies from-zone trust to-zone untrust policy 1 match destination-address any
set security policies from-zone trust to-zone untrust policy 1 match application any
set security policies from-zone trust to-zone untrust policy 1 then permit
The policy above permits the Trust zone address 10.1.2.2 (pc-1) to reach any address in the Untrust direction; with the NAT configuration above, the SRX performs the source translation automatically when it creates the session.
james@SRX5800-1# edit security nat source
[edit security nat source]
james@SRX5800-1# set pool ISP-A-Pool address 198.18.8.72/29
james@SRX5800-1# set pool ISP-B-Pool address 198.18.130.48/29
james@SRX5800-1# edit rule-set Dept-A-to-ISP-A
[edit security nat source rule-set Dept-A-to-ISP-A]
james@SRX5800-1# set from zone Dept-A
james@SRX5800-1# set to zone ISP-A
james@SRX5800-1# set rule ISP-A-PAT match source-address 0/0
james@SRX5800-1# set rule ISP-A-PAT then source-nat pool ISP-A-Pool
james@SRX5800-1# up
james@SRX5800-1# edit rule-set Dept-A-to-ISP-B
[edit security nat source rule-set Dept-A-to-ISP-B]
james@SRX5800-1# set from zone Dept-A
james@SRX5800-1# set to zone ISP-B
james@SRX5800-1# set rule ISP-B-PAT match source-address 0/0
james@SRX5800-1# set rule ISP-B-PAT then source-nat pool ISP-B-Pool
Policy and NAT are separate:
set security policies from-zone trust to-zone untrust policy 1 match source-address 0.0.0.0/0
set security policies from-zone trust to-zone untrust policy 1 match destination-address any
set security policies from-zone trust to-zone untrust policy 1 match application any
set security policies from-zone trust to-zone untrust policy 1 then permit
Destination NAT
Replaces ScreenOS VIP and policy-based NAT.
james@SRX5800-1# edit security nat destination
[edit security nat destination]
james@SRX5800-1# set pool serverPool address 10.3.1.45/32 port 80    (internal server)
james@SRX5800-1# edit rule-set Internet
[edit security nat destination rule-set Internet]
james@SRX5800-1# set from zone Inet
james@SRX5800-1# edit rule serverNAT
[edit security nat destination rule-set Internet rule serverNAT]
james@SRX5800-1# set match source-address 0/0
james@SRX5800-1# set match destination-address 198.18.12.1/32    (public IP)
james@SRX5800-1# set match destination-port 80
james@SRX5800-1# set then destination-nat pool serverPool
james@SRX5800-1# edit security nat destination
[edit security nat destination]
james@SRX5800-1# set pool HTTP-VIP address 10.1.1.1 port 80
james@SRX5800-1# set pool DNS-VIP address 10.1.1.2 port 53
james@SRX5800-1# set pool IMAP-VIP address 10.1.1.3 port 143
james@SRX5800-1# edit rule-set Virtual-IP
[edit security nat destination rule-set Virtual-IP]
james@SRX5800-1# set from zone Inet
james@SRX5800-1# set rule HTTP match destination-address 198.18.5.72
james@SRX5800-1# set rule HTTP match destination-port 80
james@SRX5800-1# set rule HTTP then destination-nat pool HTTP-VIP
james@SRX5800-1# set rule DNS match destination-address 198.18.5.72
james@SRX5800-1# set rule DNS match destination-port 53
james@SRX5800-1# set rule DNS then destination-nat pool DNS-VIP
james@SRX5800-1# set rule IMAP match destination-address 198.18.5.72
james@SRX5800-1# set rule IMAP match destination-port 143
james@SRX5800-1# set rule IMAP then destination-nat pool IMAP-VIP
Configure the untrust-to-trust policy.
Static NAT
Configuring Static NAT
james@SRX5800-1# edit security nat static rule-set Org-A-to-Org-B
[edit security nat static rule-set Org-A-to-Org-B]
james@SRX5800-1# set from routing-instance Org-A
james@SRX5800-1# set rule Org-B-hide match destination-address 172.31/16
james@SRX5800-1# set rule Org-B-hide then static-nat prefix 10.1/16
james@SRX5800-1# up
james@SRX5800-1# edit rule-set Org-B-to-Org-A
james@SRX5800-1# set from routing-instance Org-B
james@SRX5800-1# set rule Org-A-hide match destination-address 172.30/16
james@SRX5800-1# set rule Org-A-hide then static-nat prefix 10.1/16
Example 2
A routing-instance here means a functional group, i.e. a separate routing instance on the device.
In this example, you perform the following tasks:
■ Define a static NAT rule for traffic from zone red to address 20.1.1.100. Translate the destination IP to 10.0.0.200 and routing-instance ri-green.
■ Define a static NAT rule for traffic from zone red to address 20.1.1.101. Translate the destination IP to 10.0.1.200 and routing-instance ri-blue.
■ Define a static NAT rule for traffic from interface ge-0/0/0.0 to address 30.1.1.3. Translate the destination IP to 10.0.2.200.
■ Define a static NAT rule for traffic from routing-instance ri-red to address subnet 30.1.1.0/24. Translate the destination address subnet to 172.16.0.0/24.
user@host# set security nat static rule-set rs3 from zone red
user@host# set security nat static rule-set rs3 rule r1 match destination-address 20.1.1.100
user@host# set security nat static rule-set rs3 rule r1 then static-nat prefix 10.0.0.200
user@host# set security nat static rule-set rs3 rule r1 then static-nat prefix 10.0.0.200 routing-instance ri-green
user@host# set security nat static rule-set rs3 from zone red
user@host# set security nat static rule-set rs3 rule r2 match destination-address 20.1.1.101
user@host# set security nat static rule-set rs3 rule r2 then static-nat prefix 10.0.1.200
user@host# set security nat static rule-set rs3 rule r2 then static-nat prefix 10.0.1.200 routing-instance ri-blue
user@host# set security nat static rule-set rs3 from interface ge-0/0/0.0
user@host# set security nat static rule-set rs3 rule r3 match destination-address 30.1.1.3
user@host# set security nat static rule-set rs3 rule r3 then static-nat prefix 10.0.2.200
user@host# set security nat static rule-set rs4 from routing-instance ri-red
user@host# set security nat static rule-set rs4 rule r3 match destination-address 30.1.1.0/24
user@host# set security
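The bidirectional behaviour of static NAT described above (Static is two-way, the other types one-way) can be traced with the following model of the Org-A/Org-B rule-sets; it is an added example, not code from the original notes or from Junos. The routing-instance names, match prefixes and static-nat prefixes are those of the Org-A/Org-B configuration (Junos shorthand such as 172.31/16 written out in full); the host addresses in the demo are constructed, and the rule that decides the direction is an assumption of the model.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class StaticNatRule:
    from_instance: str   # set from routing-instance <name>
    match: str           # match destination-address <prefix>
    prefix: str          # then static-nat prefix <prefix>


def _rewrite(addr: str, old: str, new: str) -> str:
    """Swap the network part of addr from prefix `old` to prefix `new`, keeping the host bits."""
    old_net = ipaddress.ip_network(old)
    new_net = ipaddress.ip_network(new)
    host_bits = int(ipaddress.ip_address(addr)) & int(old_net.hostmask)
    return str(ipaddress.ip_address(int(new_net.network_address) | host_bits))


def apply_static_nat(rules: List[StaticNatRule], ingress: str, egress: str,
                     src: str, dst: str) -> Tuple[str, str]:
    """Translate one packet travelling from routing instance `ingress` to `egress`.
    Forward match: the packet enters the rule's instance and its destination lies in the
    match prefix, so the destination is rewritten to the static-nat prefix.
    Reverse match: the packet comes from elsewhere and is heading into the rule's
    instance with a source inside the static-nat prefix, so the source is rewritten back
    to the match prefix. Both may apply to one packet, as in the Org-A/Org-B design."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if ingress == r.from_instance and dst_ip in ipaddress.ip_network(r.match):
            dst = _rewrite(dst, r.match, r.prefix)
    for r in rules:
        if (egress == r.from_instance and ingress != r.from_instance
                and src_ip in ipaddress.ip_network(r.prefix)):
            src = _rewrite(src, r.prefix, r.match)
    return src, dst


# The two rule-sets above: each org sees the other's overlapping 10.1/16 under an alias.
RULES = [
    StaticNatRule("Org-A", "172.31.0.0/16", "10.1.0.0/16"),   # rule Org-B-hide
    StaticNatRule("Org-B", "172.30.0.0/16", "10.1.0.0/16"),   # rule Org-A-hide
]


def demo() -> dict:
    """Constructed session: Org-A host 10.1.2.2 reaches Org-B host 10.1.5.9 through its
    alias 172.31.5.9; the reply comes back through Org-A's alias 172.30.2.2; traffic that
    stays inside Org-A is untouched."""
    request = apply_static_nat(RULES, "Org-A", "Org-B", "10.1.2.2", "172.31.5.9")
    reply = apply_static_nat(RULES, "Org-B", "Org-A", "10.1.5.9", "172.30.2.2")
    local = apply_static_nat(RULES, "Org-A", "Org-A", "10.1.2.2", "10.1.9.9")
    return {"request": request, "reply": reply, "local": local}


if __name__ == "__main__":
    for name, (s, d) in demo().items():
        print(f"{name:>8}: src {s:>14} -> dst {d}")
```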
VRF (VPN Routing & Forwarding Instance) 2009-05-31 17:53
1. What is VRF?
VPN Routing and Forwarding (VRF) is a technology used in computer networks that allows multiple instances of a routing table to co-exist within the same router at the same time. Because the routing instances are independent, the same or overlapping IP addresses can be used without conflicting with each other.
VRF: VPN Routing & Forwarding Instance
Each VRF can be regarded as a virtual router, as if it were a dedicated PE device. This virtual router consists of the following elements:
an independent routing table, which of course also implies an independent address space; a set of interfaces that belong to this VRF; a set of routing protocols used only by this VRF.
Each PE can maintain one or more VRFs while also maintaining a public routing table (also called the global routing table); the VRF instances are isolated from one another.
2. What problems does VRF solve?
2.1 It provides functionality similar to a dedicated PE, isolating different customers by routing.
2.2 It solves the address overlap problem:
it supports customer devices using public addresses and customer devices using private addresses at the same time, or several VPNs using the same address space;
it also supports creating overlapping VPNs, that is, a site that belongs to several VPNs at the same time.
Introducing the RT concept
In a PE there is the global routing table, the VRFs, and so on. Selecting routes from the global routing table into a VRF is called export; selecting routes from a VRF into the global routing table is called import. The RT is used to distribute routing information; it is split into Import RT and Export RT, which define the import and export policies respectively. When routes are exported from the global routing table into a VRF, the VPN routes are tagged with the Export RT; when VPNv4 routes are imported into the global routing table, only routes whose RT tag matches any Import RT of the VRF table are imported into the global routing table. The RT lets a PE router hold only the routes of the VPNs directly attached to it, rather than every IPv4 route in the whole network, which saves PE router resources and improves the scalability of the network. Within a VRF, the RT export rule is applied when routes are advertised, and they are sent directly to the other PE devices. The receiving PE accepts all routes and checks them against the RT import rule configured for each VRF; if the RT attribute carried by a route matches, the route is added to the corresponding VRF.
Export Target: which tag the routes sent out of this VRF carry; Import Target: routes with which tag this VRF accepts.
Introducing the RD concept
The ISP network has to carry routes from a customer's CE across the public network to that customer's other CE routers. But routes from different customers may be identical (overlapping). Suppose customer A has the route 10.180.0.0/16 and customer B also has the route 10.180.0.0/16; inside the ISP it is then impossible to tell which customer 10.180.0.0/16 belongs to. To solve this the RD (Route Distinguisher) concept is introduced, which extends the IPv4 address into a VPN-IPv4 address (RD:IPv4): when routes are propagated inside the ISP, every route from a CE is given a distinguishing identifier, so that a PE at the far side of the ISP that receives the same route from different VRFs can tell them apart exactly. Suppose customer A's RD is 65001:1 and customer B's RD is 65002:1; A's 10.180.0.0/16 is then extended to 65001:1:10.180.0.0/16 and B's to 65002:1:10.180.0.0/16, and such an extended route is called a VPN-IPv4 route. As long as the RD is globally unique, non-unique IPv4 addresses are turned into unique VPN-IPv4 addresses; the VPN-IPv4 addresses, however, are invisible to the customer devices.
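How the RD keeps the two overlapping 10.180.0.0/16 routes apart in the core, and how the RT then decides which VRFs receive them on the far PE, can be walked through with this model of the RT section and the RD section above; it is an added example, not code from the original notes or from any router. The RDs 65001:1 and 65002:1 and the prefix are the text's; the route-target values, the VRF names and the shared-services VRF are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class Vrf:
    name: str
    rd: str                         # route distinguisher, ASN:nn form
    export_rt: Set[str]             # tags attached to routes this VRF sends out
    import_rt: Set[str]             # tags this VRF accepts
    routes: Set[str] = field(default_factory=set)   # plain IPv4 prefixes learned from the CE


@dataclass(frozen=True)
class Vpnv4Route:
    rd: str
    prefix: str
    rts: frozenset                  # route-target extended communities carried with the route

    @property
    def key(self) -> str:
        # RD:prefix is what keeps overlapping customer prefixes distinct in the ISP core
        return f"{self.rd}:{self.prefix}"


def export_routes(vrf: Vrf) -> List[Vpnv4Route]:
    """Egress PE: prepend the VRF's RD and attach its export RTs before MP-BGP advertises."""
    return [Vpnv4Route(vrf.rd, p, frozenset(vrf.export_rt)) for p in sorted(vrf.routes)]


def import_routes(vrfs: List[Vrf], table: List[Vpnv4Route]) -> Dict[str, Dict[str, List[str]]]:
    """Ingress PE: a VPNv4 route is copied into every VRF whose import RTs intersect the
    route's RTs. The RD is stripped on the way in, so the result is keyed by IPv4 prefix
    per VRF, with the list of RDs the prefix was learned under; more than one RD for a
    prefix means two customers' overlapping routes have collided inside one VRF."""
    result: Dict[str, Dict[str, List[str]]] = {v.name: {} for v in vrfs}
    for route in table:
        for v in vrfs:
            if v.import_rt & route.rts:
                result[v.name].setdefault(route.prefix, []).append(route.rd)
    return result


def demo() -> Tuple[List[str], Dict[str, Dict[str, List[str]]]]:
    # Egress PE: customer A and customer B both announce 10.180.0.0/16 (the text's case).
    cust_a = Vrf("A", "65001:1", {"65001:100"}, {"65001:100"}, {"10.180.0.0/16"})
    cust_b = Vrf("B", "65002:1", {"65002:100"}, {"65002:100"}, {"10.180.0.0/16"})
    core_table = export_routes(cust_a) + export_routes(cust_b)
    # Ingress PE: the same two VPNs plus a shared-services VRF that imports both RTs
    # (an overlapping VPN); its table shows why overlapping space cannot simply be merged.
    remote_vrfs = [
        Vrf("A", "65001:1", {"65001:100"}, {"65001:100"}),
        Vrf("B", "65002:1", {"65002:100"}, {"65002:100"}),
        Vrf("shared", "65000:1", {"65000:100"}, {"65001:100", "65002:100"}),
    ]
    return [r.key for r in core_table], import_routes(remote_vrfs, core_table)


if __name__ == "__main__":
    keys, tables = demo()
    print("core VPNv4 table:", keys)
    for vrf_name, prefixes in tables.items():
        print(f"VRF {vrf_name}: {prefixes}")
```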
3. Deploying and configuring VRF on a PE
Public routing table: contains the routes between all PE and P routers, produced by the backbone IGP. Private routing table: the routing and forwarding table holding the reachability information of this VPN's customers.
3.1 Configure the RD
In theory one RD can be configured per VRF.
It is usually recommended to configure the same RD for the same VPN and different RDs for different VPNs.
In practice it is only required that two VRFs containing the same addresses have different RDs; different VPNs may use the same RD, and the same VPN may use different RDs.
The relationship between VPN and RD is fairly loose: it is enough to guarantee that two VRFs with identical addresses have different RDs, so that the routes of different VRFs can be told apart.
PE1(config-vrf)#rd ?
ASN:nn or IP-address:nn VPN Route Distinguisher
The ASN:nn form is normally used.
3.2 Configure the RT
PE1(config-vrf)#route-target import ?
ASN:nn or IP-address:nn Target VPN Extended Community
PE1(config-vrf)#route-target export ?
ASN:nn or IP-address:nn Target VPN Extended Community
3.3 Assign interfaces to the VRF
Once the VRF has been created, you can start assigning specific interfaces to it and separating the customers. If you assign an IP address before placing the interface in the VRF, that IP address is removed and you must reassign the address to the interface.
PE1(config)#interface s1/0
PE1(config-if)#ip vrf forwarding -a
PE1(config-if)#
PE1(config-if)#do show ip vrf
  Name                             Default RD          Interfaces
  -a                               65001:1             Se1/0
Configuring Transparent Mode
The interfaces and VLANS are as follows:
• ge-0/0/1 will be in access mode, with VLAN 10 as its VLAN for unit 0.10
• ge-0/0/2 will be in access mode, with VLAN 20 as its VLAN for unit 0.20
• ge-0/0/3 will be in trunk mode, with VLAN 10 on unit 10, VLAN 30 on unit 30, and VLAN 40 on unit 40.
• ge-0/0/4 will be in trunk mode, with VLAN 20 on unit 20, VLAN 50 on unit 50, and VLAN 60 on unit 60.
The six bridge domains are each called L2-VLAN-XX where XX is the VLAN number. The bridge domains logically separate the traffic for the different VLANs. Let's go:
{secondary:node0}[edit]
root@SRX3400-1# edit interfaces ge-0/0/1 unit 0 family bridge
{secondary:node0}[edit interfaces ge-0/0/1 unit 0 family bridge]
root@SRX3400-1# set interface-mode access vlan-id 10
{secondary:node0}[edit interfaces ge-0/0/1 unit 0 family bridge]
root@SRX3400-1# up 3
{secondary:node0}[edit interfaces]
root@SRX3400-1# edit ge-0/0/2 unit 0 family bridge
{secondary:node0}[edit interfaces ge-0/0/2 unit 0 family bridge]
root@SRX3400-1# set interface-mode access vlan-id 20
{secondary:node0}[edit interfaces ge-0/0/2 unit 0 family bridge]
root@SRX3400-1# up 3
{secondary:node0}[edit interfaces]
root@SRX3400-1# edit ge-0/0/3
{secondary:node0}[edit interfaces ge-0/0/3]
root@SRX3400-1# set unit 10 family bridge interface-mode trunk vlan-id-list 10
{secondary:node0}[edit interfaces ge-0/0/3]
root@SRX3400-1# set unit 30 family bridge interface-mode trunk vlan-id-list 30
{secondary:node0}[edit interfaces ge-0/0/3]
root@SRX3400-1# set unit 40 family bridge interface-mode trunk vlan-id-list 40
{secondary:node0}[edit interfaces ge-0/0/3]
root@SRX3400-1# set vlan-tagging