Juniper SRX550: SOP for adding a Virtual Router
Log in to the Juniper SRX550 over telnet and enter configuration mode:
configure
Set the maximum number of redundant ethernet (reth) interfaces for the whole cluster:
set chassis cluster reth-count 6
Enable VLAN tagging on the SRX interface so it accepts tagged frames:
set interfaces reth5 vlan-tagging
Define the interface VLANs and sub-interfaces:
set interfaces ge-0/0/8 gigether-options redundant-parent reth4
set interfaces ge-9/0/8 gigether-options redundant-parent reth4
set interfaces ge-0/0/9 gigether-options redundant-parent reth5
set interfaces ge-9/0/9 gigether-options redundant-parent reth5
set interfaces reth4 redundant-ether-options redundancy-group 1
set interfaces reth5 redundant-ether-options redundancy-group 1
set interfaces reth4 unit 0 family inet address 192.168.0.4/24
set interfaces reth5 unit 3001 vlan-id 3001
set interfaces reth5 unit 3001 family inet address 10.168.1.254/24
set interfaces reth5 unit 3002 vlan-id 3002
set interfaces reth5 unit 3002 family inet address 10.168.2.254/24
set interfaces reth5 unit 3003 vlan-id 3003
set interfaces reth5 unit 3003 family inet address 10.168.3.254/24
set interfaces reth5 unit 3004 vlan-id 3004
set interfaces reth5 unit 3004 family inet address 10.168.4.254/24
Add the Virtual Router:
set routing-instances vr3 instance-type virtual-router
Assign the interfaces to the Virtual Router:
set routing-instances vr3 interface reth4.0
set routing-instances vr3 interface reth5.3001
set routing-instances vr3 interface reth5.3002
set routing-instances vr3 interface reth5.3003
set routing-instances vr3 interface reth5.3004
Configure the Virtual Router's route:
set routing-instances vr3 routing-options static route 0.0.0.0/0 next-hop 192.168.0.1
Define the source NAT (S-NAT) pool:
set security nat source pool 192_168_0_250 address 192.168.0.250/32
Configure the S-NAT rule set:
set security nat source rule-set vr3-SNAT from zone trust-vr3
set security nat source rule-set vr3-SNAT to zone untrust-vr3
set security nat source rule-set vr3-SNAT rule vr3-S-Rule1 match source-address 10.168.0.0/16
set security nat source rule-set vr3-SNAT rule vr3-S-Rule1 then source-nat pool 192_168_0_250
Configure the range of IP addresses accepted on the untrust zone interface (proxy ARP):
set security nat proxy-arp interface reth4.0 address 10.168.0.5/32 to 10.168.0.254/32
Define the zones:
set security zones security-zone untrust-vr3 host-inbound-traffic system-services snmp
set security zones security-zone untrust-vr3 host-inbound-traffic system-services snmp-trap
set security zones security-zone untrust-vr3 host-inbound-traffic system-services ping
set security zones security-zone untrust-vr3 interfaces reth4.0
set security zones security-zone trust-vr3 host-inbound-traffic system-services snmp
set security zones security-zone trust-vr3 host-inbound-traffic system-services snmp-trap
set security zones security-zone trust-vr3 host-inbound-traffic system-services http
set security zones security-zone trust-vr3 host-inbound-traffic system-services telnet
set security zones security-zone trust-vr3 host-inbound-traffic system-services ping
set security zones security-zone trust-vr3 interfaces reth5.3001
set security zones security-zone trust-vr3 interfaces reth5.3002
set security zones security-zone trust-vr3 interfaces reth5.3003
set security zones security-zone trust-vr3 interfaces reth5.3004
Configure test policies between the zones:
set security policies from-zone untrust-vr3 to-zone trust-vr3 policy permit_all match source-address any
set security policies from-zone untrust-vr3 to-zone trust-vr3 policy permit_all match destination-address any
set security policies from-zone untrust-vr3 to-zone trust-vr3 policy permit_all match application any
set security policies from-zone untrust-vr3 to-zone trust-vr3 policy permit_all then permit
set security policies from-zone trust-vr3 to-zone untrust-vr3 policy permit_all match source-address any
set security policies from-zone trust-vr3 to-zone untrust-vr3 policy permit_all match destination-address any
set security policies from-zone trust-vr3 to-zone untrust-vr3 policy permit_all match application any
set security policies from-zone trust-vr3 to-zone untrust-vr3 policy permit_all then permit
Configure redundant interface monitoring.
Do this step last, so that a failover is not triggered while the interfaces are still being configured:
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/8 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/9 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-9/0/8 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-9/0/9 weight 255
Configure SNMP for vr3:
set snmp community Public authorization read-write
set snmp community Public clients 192.168.0.10/32
set snmp community Public clients 10.168.1.0/24
set snmp community Public routing-instance vr3
set snmp routing-instance-access access-list vr3
Commit the configuration:
commit
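As an added review aid that is not part of the original SOP: a small Python script that parses Junos set-style commands (such as the output of `show configuration | display set`) and flags the settings a reviewer would revisit before this test configuration is used in production: the any/any/any permit_all policies, the read-write SNMP community named Public, and telnet as a host-inbound management service. The embedded excerpt is copied from this page; the checks and severities are this example's own assumptions.

```python
"""Audit Junos set-style configuration lines for weak settings (added example)."""
import re

# Excerpt of this SOP's own set commands, one command per line.
SOP_CONFIG = """
set security zones security-zone trust-vr3 host-inbound-traffic system-services telnet
set security zones security-zone trust-vr3 host-inbound-traffic system-services ping
set security policies from-zone untrust-vr3 to-zone trust-vr3 policy permit_all match source-address any
set security policies from-zone untrust-vr3 to-zone trust-vr3 policy permit_all match destination-address any
set security policies from-zone untrust-vr3 to-zone trust-vr3 policy permit_all match application any
set security policies from-zone untrust-vr3 to-zone trust-vr3 policy permit_all then permit
set snmp community Public authorization read-write
set snmp community Public clients 192.168.0.10/32
"""

POLICY_RE = re.compile(r"^set security policies from-zone (\S+) to-zone (\S+) "
                       r"policy (\S+) (?:match (\S+) (\S+)|then (\S+))$")
MATCH_FIELDS = ("source-address", "destination-address", "application")

def audit(config_text):
    """Return (severity, message) findings for the given set commands."""
    findings, policies, seen_communities = [], {}, set()
    for line in config_text.strip().splitlines():
        line = line.strip()
        m = POLICY_RE.match(line)
        if m:  # accumulate match terms and the action per policy
            src, dst, name, field, value, action = m.groups()
            entry = policies.setdefault((src, dst, name), {"match": {}, "action": None})
            if field:
                entry["match"][field] = value
            else:
                entry["action"] = action
        elif line.startswith("set snmp community "):
            parts = line.split()
            community = parts[3]
            if community.lower() in ("public", "private") and community not in seen_communities:
                findings.append(("high", f"SNMP community '{community}' uses a well-known default name"))
            seen_communities.add(community)
            if "authorization" in parts and "read-write" in parts:
                findings.append(("high", f"SNMP community '{community}' grants read-write access"))
        elif "host-inbound-traffic system-services telnet" in line:
            findings.append(("medium", f"cleartext telnet management enabled: {line}"))
    for (src, dst, name), entry in policies.items():  # flag permit-all policies
        if entry["action"] == "permit" and all(entry["match"].get(f) == "any" for f in MATCH_FIELDS):
            findings.append(("high", f"policy {name} permits any/any/any from {src} to {dst}"))
    return findings

if __name__ == "__main__":
    for severity, message in audit(SOP_CONFIG):
        print(f"[{severity}] {message}")
```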