Juniper SRX Policy-Based Routing Summary

Published: 2020-07-21 18:01:17  Source: web  Views: 24487  Author: caichuanhui  Category: Network Security

1. Routing instances

A routing instance is a collection of routing tables, interfaces, and routing-protocol parameters. The routing table of an instance is built from the interfaces and the routing-protocol parameters assigned to it.

Each routing instance has its own instance name and maintains its own independent routing table.

The global routing table is itself a routing instance; its instance name is inet.0.


2. Plain static policy-based routing (policy only, no NAT)

[Diagram: Juniper SRX policy-based routing; image not reproduced]

Configuration consists of the following steps:

1) Configure the application interface/subinterface and define it as the ingress/egress interface of the security zone

2) Define a routing instance of type forwarding, with its own routing table

3) Define a firewall filter

4) Define an interface-routes rib-group;

5) Import the interface-routes rib-group into both the global routing table and the routing instance's routing table;

6) Apply the filter on the internal interface


3. Static policy-based routing with NAT (policy plus NAT translation)

Note:

1) In this case a routing instance of type virtual-router must be used

2) Each virtual-router maintains its own independent routing table


Example configuration topology (diagram not reproduced)


Goal:

By default, internal hosts reach the Internet over the CNC 2M link; a set of designated PCs reaches the Internet over the CNC 50M link instead.

Approach:

By default, all internal hosts exit to the Internet via the global routing table inet.0 over the CNC 2M link; the designated PCs are steered by the Juniper SRX filter-based forwarding (FBF) policy into a routing instance's routing table and exit over the CNC 50M link.


Configuration steps:

1) Define the security zone

Configuration example:

set security zones security-zone lt host-inbound-traffic system-services all

set security zones security-zone lt host-inbound-traffic protocols all


2) Configure the application interface/subinterface and define it as the ingress/egress interface of the security zone

Configuration example:

set security zones security-zone lt interfaces ge-0/0/2.0 host-inbound-traffic system-services all

set security zones security-zone lt interfaces ge-0/0/2.0 host-inbound-traffic protocols all


3) Define the routing instance(s); the number of routing instances can match the number of ISP links connected. The instance type is virtual-router, with the VR's interface and the VR's routing table

Configuration example:

set routing-instances CNC50M instance-type virtual-router

set routing-instances CNC50M interface ge-0/0/2.0

set routing-instances CNC50M routing-options static route 0.0.0.0/0 next-hop XX.XX.XX.XX  ## points to the public gateway provided by the ISP


4) Define the NAT rule-set and rule, the security policy, the address-book, the application, and so on

√ Source NAT rule-set configuration example:

set security nat source rule-set CNC50M-snat-internet from zone trust

set security nat source rule-set CNC50M-snat-internet to zone lt

set security nat source rule-set CNC50M-snat-internet rule CNC50M-inside-to-outside match source-address 0.0.0.0/0

set security nat source rule-set CNC50M-snat-internet rule CNC50M-inside-to-outside match destination-address 0.0.0.0/0

set security nat source rule-set CNC50M-snat-internet rule CNC50M-inside-to-outside then source-nat interface

√ Security policy configuration example:

set security policies from-zone trust to-zone lt policy CNC50M-snat-internet match source-address CBGZ-out-norestrict

set security policies from-zone trust to-zone lt policy CNC50M-snat-internet match destination-address any

set security policies from-zone trust to-zone lt policy CNC50M-snat-internet match application any

set security policies from-zone trust to-zone lt policy CNC50M-snat-internet then permit

set security policies from-zone trust to-zone lt policy CNC50M-snat-internet then log session-init

set security policies from-zone trust to-zone lt policy CNC50M-snat-internet then log session-close


5) Define the firewall filter

Configuration example:

set firewall family inet filter filter-1 term LAN_term from destination-address 172.16.0.0/16

set firewall family inet filter filter-1 term LAN_term from destination-address 172.20.0.0/16

set firewall family inet filter filter-1 term LAN_term from destination-address 192.168.0.0/16

set firewall family inet filter filter-1 term LAN_term then accept     ## allow internal PCs to reach each other; without this term, PCs whose gateway is this firewall's internal interface cannot reach other internal PCs.


## the designated PCs exit to the Internet over the CNC 50M link

set firewall family inet filter filter-1 term CNC50M_term from source-address 172.16.29.25/32

set firewall family inet filter filter-1 term CNC50M_term from source-address 172.16.29.251/32

set firewall family inet filter filter-1 term CNC50M_term from source-address 172.16.28.166/32

set firewall family inet filter filter-1 term CNC50M_term from source-address 172.16.28.137/32

set firewall family inet filter filter-1 term CNC50M_term from source-address 172.16.28.139/32

set firewall family inet filter filter-1 term CNC50M_term from source-address 172.16.28.138/32

set firewall family inet filter filter-1 term CNC50M_term then routing-instance CNC50M


set firewall family inet filter filter-1 term default then accept ## all other traffic through the filter takes the default action accept


6) Define the interface-routes rib-group

Configuration example:

set routing-options interface-routes rib-group inet INSIDE


7) Import the interface-routes rib-group into the global routing table and the instance's routing table

Configuration example:

set routing-options rib-groups INSIDE import-rib inet.0

set routing-options rib-groups INSIDE import-rib CNC50M.inet.0

set routing-options rib-groups INSIDE import-rib default.inet.0


8) Apply the filter on the internal interface

set interfaces ge-0/0/0 unit 0 family inet filter input filter-1
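The steps above only work together when the filter, the routing instance and the rib-group import line up; the LAN_term accept and the import into CNC50M.inet.0 are the two pieces most often forgotten. The following checker is an added example, not part of the original post: it parses a constructed set-command configuration modelled on steps 3 and 5 to 8 (instance routes and zones omitted) and reports the mismatches a reviewer would look for. The term-name and rib-group regexes only cover the command forms used on this page.

```python
import re
# Constructed sample in Junos set-command form, modelled on the page's FBF steps
# (not the page's complete configuration; instance routes and zones omitted)
FBF_CONFIG = """\
set routing-instances CNC50M instance-type virtual-router
set firewall family inet filter filter-1 term LAN_term from destination-address 172.16.0.0/16
set firewall family inet filter filter-1 term LAN_term then accept
set firewall family inet filter filter-1 term CNC50M_term from source-address 172.16.29.25/32
set firewall family inet filter filter-1 term CNC50M_term then routing-instance CNC50M
set firewall family inet filter filter-1 term default then accept
set routing-options interface-routes rib-group inet INSIDE
set routing-options rib-groups INSIDE import-rib inet.0
set routing-options rib-groups INSIDE import-rib CNC50M.inet.0
set interfaces ge-0/0/0 unit 0 family inet filter input filter-1
"""
def check_fbf(config):
    """Return the list of consistency problems in an FBF set-command config (empty = OK)."""
    instances, applied, rib_imports, terms, iface_rib = {}, set(), {}, {}, None
    for line in config.splitlines():
        if m := re.match(r"set routing-instances (\S+) instance-type (\S+)", line):
            instances[m[1]] = m[2]
        elif m := re.match(r"set firewall family inet filter (\S+) term (\S+) (from|then) (\S+)(?: (\S+))?", line):
            flt, name, kind, key, val = m.groups()
            t = terms.setdefault(flt, {}).setdefault(name, {"from": set(), "then": {}})  # keeps config order
            if kind == "from":
                t["from"].add(key)
            else:
                t["then"][key] = val
        elif m := re.match(r"set routing-options interface-routes rib-group inet (\S+)", line):
            iface_rib = m[1]
        elif m := re.match(r"set routing-options rib-groups (\S+) import-rib (\S+)", line):
            rib_imports.setdefault(m[1], set()).add(m[2])
        elif m := re.match(r"set interfaces \S+ unit \d+ family inet filter input (\S+)", line):
            applied.add(m[1])
    problems = []
    for flt, tdict in terms.items():
        seen_accept = False  # has an earlier term already accepted (e.g. LAN-to-LAN) traffic?
        for name, t in tdict.items():
            ri = t["then"].get("routing-instance")
            if ri and ri not in instances:
                problems.append(f"{flt}/{name}: routing instance {ri} is not defined")
            elif ri and f"{ri}.inet.0" not in rib_imports.get(iface_rib, set()):
                problems.append(f"{flt}/{name}: interface routes are not imported into {ri}.inet.0")  # step 7
            if ri and not seen_accept and "destination-address" not in t["from"]:
                problems.append(f"{flt}/{name}: no earlier accept term for internal destinations, LAN-to-LAN traffic would be sent into {ri}")  # LAN_term pitfall
            seen_accept = seen_accept or "accept" in t["then"]
        if any("routing-instance" in t["then"] for t in tdict.values()) and flt not in applied:
            problems.append(f"{flt}: has FBF terms but is not applied as an input filter")
    return problems
```

Run it against a config exported with "show configuration | display set" after stripping unrelated sections; an empty list means the filter, instance and rib-group references are consistent.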


4. Difference between plain static policy-based routing and policy-based routing with NAT

The routing instance type differs:

Plain static policy-based routing: forwarding

Policy-based routing with NAT: virtual-router


Reference: http://www.docin.com/p-598358767.html

