srx策略路由
今天给各位分享srx策略路由的知识,其中也会对sr 路由进行解释,如果能碰巧解决你现在面临的问题,别忘了关注本站
本文内容目录一览:
juniper SRX如何实现分流
一、命令汇总
1. set ip next-hop { ip-address [...ip-address] | recursive ip-address }
这条命令允许写多个下一跳IP,但这些IP必须是直连路由器的接口IP。如果定义了多个下一跳IP,则当第一个下一跳关联的本地出接口DOWN掉,则自动切换到下一个next-hop
命令中,recursive next-hop(递归下一跳)特性突破了传统下一跳必须是直连路由器下一跳接口IP的限制。Recursive next-hop可以不是直连网络,只要路由表中有相关的路由可达即可。一般如果recursive next-hop不可达,数据将交由路由处理(一般就被默认路由匹配走了)。
如果在一个route-map列表的同一个序列中同时使用ip next-hop及ip next-hop recursive,则ip next-hop 有效。如果ip next-hop 挂了,则启用ip next-hop recursive,如果ip next-hop recursive和ip next-hop 都挂了,则丢给路由表处理。注意:一个route-map序列,只允许配置一个ip next-hop recursive。
2. set ip next-hop verify-availability [ next-hop-address sequence track object ]
检测下一跳的可达性,默认是关闭的。
Sequence of next hops. The acceptable range is from 1 to 65535.
此条命令可以下列方式使用:
在PBR环境下使用CDP检测下一跳IP可达性(不加后面的可选参数)
使用该特性可能会一定程度上降低设备性能,另外必须保证自己以及邻居路由器接口CDP都是开启的,最后过程交换及CEF都支持该特性,但dCEF不支持。
该特性借助设备的CDP表来判断下一跳的可达性,
如果本端开启了该特性,next-hop设备不支持CDP,则切换至下一个next-hop,如果没,则跳过PBR
如果本端没开启该特性,那么数据包要么被成功策略路由,要么永远无法正常路由出去(被丢弃)
如果仅仅想检测部分next-hop设备的可达性,则可以配置不同的route-map条目,来选择性的使用该特性(同一个route-map)。
结合object tracking来检测一个远端设备(或IP)的可达性
使用object tracking,PBR可以做的更加灵活,可依据ICMP、HTTP、路由表中某条路由的存在与否、接口的up/DOWN等来进行决策。
注意: 如若基于CDP的检测及基于object tracking的检测都应用了,则后者优先
3. set ip next-hop 与set ip default next-hop的区别比较简单,这里就不解析了
Juniper 防火墙 SRX220组网怎么配置?
其实我觉的把路由器放在防火墙与交换机之间没有什么用处,路由器又不做NAT. 最好的做法是把防火墙放在路由器和交换机之间,防火墙做为透明模式,做相应的策略。这样的话路由器和防火墙,交换机都能用上了。 服务器可以接到交换机上,不过最好还是接交换机上不然以后增加服务器后,防火墙就没有端口了。
怎么设置Juniper SRX100
如果只是简单的连接的话,juniper防火墙上要配接口地址,并将接口接入到zone,在加一个permit策略就可以了,内网出去,可以设置一条默认路由,下一跳为专线对端地址即可
求教各位高手 juniper srx 策略路由怎么写
Juniper的策略路由叫FBF,Filter-based Forwarding。
比如下面这个例子就是说SRX在双ISP上联的时候FBF的配置:
To implement this scenario an input firewall filter will be configured on the internal LAN interface (ge-0/0/0.0 in this case). This filter will be used to forward the incoming traffic towards one of two different routing instances (routing tables). One routing table has a best default route towards ISP1 and a second best route towards ISP2. In the other routing instance the route preferences are reversed.
When one of the interfaces goes down, all new sessions will be going through the interface that is still up.
In this example the traffic is source NAT'ed to the outgoing interface IP address. This will make sure that the response from the server on the Internet will come back to the same interface again and no asymmetric traffic will exist (which is not supported in a flow based configuration).
The example filter used here is used to send packets with destination ports 22, 3389 or 8080 towards ISP2 and the rest to ISP1. It is also possible to select on different criteria, such as source or destination IP addresses.
interfaces {
ge-0/0/0 {
unit 0 {
description Internal_LAN;
family inet {
filter {
input FILTER1;
}
address 172.30.72.253/23;
}
}
}
fe-0/0/2 {
unit 0 {
description ISP1;
family inet {
address 10.1.1.1/24;
}
}
}
fe-0/0/3 {
unit 0 {
description ISP2;
family inet {
address 10.2.2.1/24;
}
}
}
}
##### This configuration with rib groups is used to import the directly connected routes into the routing tables. The static default route shown here is used for the traffic originated from the SRX itself.
routing-options {
interface-routes {
rib-group inet IMPORT-PHY;
}
static {
route 0.0.0.0/0 next-hop [ 10.1.1.2 10.2.2.2 ];
}
rib-groups {
IMPORT-PHY {
import-rib [ inet.0 routing-table-ISP1.inet.0 routing-table-ISP2.inet.0 ];
}
}
}
##### This is the filter that decides which traffic is sent to which ISP
firewall {
filter FILTER1 {
term mgmtallow { #This term is necessary for allowing managment traffic/host-inbound traffic.
from {
destination-address 172.30.72.253/23;
}
then {
accept;
}
}
term TERM1 {
from {
destination-port [ 22 3389 8080 ];
}
then {
routing-instance routing-table-ISP2;
}
}
term default {
then {
routing-instance routing-table-ISP1;
}
}
}
}
routing-instances {
routing-table-ISP1 {
instance-type forwarding;
routing-options {
static {
route 0.0.0.0/0 {
next-hop 10.1.1.2;
qualified-next-hop 10.2.2.2 {
preference 100;
}
}
}
}
}
routing-table-ISP2 {
instance-type forwarding;
routing-options {
static {
route 0.0.0.0/0 {
next-hop 10.2.2.2;
qualified-next-hop 10.1.1.2 {
preference 100;
}
}
}
}
}
}
In addition, the necessary security policies and nat policies should to be in place as well. Here is an example:
security {
nat {
rule-set OUTGOING {
from zone trust;
to zone untrust;
rule rule1 {
match {
source-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
}
}
zones {
security-zone trust {
tcp-rst;
host-inbound-traffic {
system-services {
all;
}
}
interfaces {
ge-0/0/0.0;
}
}
security-zone untrust {
screen untrust-screen;
interfaces {
fe-0/0/2.0;
fe-0/0/3.0;
}
}
policies {
from-zone trust to-zone untrust {
policy default-permit {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
Verifying the configuration:
The configuration can be verified as follows. Two kinds of traffic are sent and checked if they are routed as expected. Traffic with destination ports 22, 3389 or 8080 should go to ISP2 (fe-0/0/3.0) and the rest goes to ISP1 (fe-0/0/2.0).
An internal host (172.30.73.129) opens an SSH (port 22) session to 4.4.4.4 (an internet IP address).
The resulting security flow session created in SRX:
root@srx210 show security flow session destination-port 22
Session ID: 4336, Policy name: default-permit/5, Timeout: 1784
In: 172.30.73.129/45893 -- 4.4.4.4/22;tcp, If: ge-0/0/0.0
Out: 4.4.4.4/22 -- 10.2.2.1/7523;tcp, If: fe-0/0/3.0
=== Correct
An internal host (172.30.73.129) opens a telnet (port 23) session to 4.4.4.4 (an internet IP address).
The resulting security flow session created in SRX:
root@srx210 show security flow session destination-port 23
Session ID: 4380, Policy name: default-permit/5, Timeout: 1768
In: 172.30.73.129/36448 -- 4.4.4.4/23;tcp, If: ge-0/0/0.0
Out: 4.4.4.4/23 -- 10.1.1.1/8481;tcp, If: fe-0/0/2.0
=== Correct
srx策略路由的介绍就聊到这里吧,感谢你花时间阅读本站内容,更多关于sr 路由、srx策略路由的信息别忘了在本站进行查找喔。
