Juniper SRX: using virtual routers for multi-link redundancy and dual-ISP access (case study)
Contents
Notes for reading this document:
Test topology:
1. Virtual router (remember the ingress of incoming traffic);
Requirements:
Configuration:
Verification:
Configuration walkthrough:
2. Virtual routers (multi-link load sharing and redundancy);
Requirements:
Configuration:
Verification:
Configuration walkthrough:
3. Virtual routers (dual-line access);
Requirements:
Configuration:
Verification:
Points to note:
Notes for reading this document:
Test environment: SRX 220H
IP addresses used in the topology:
G-0/0/3: 192.168.3.1/24
G-0/0/4: 192.168.4.1/24
G-0/0/5: 192.168.5.1/24
G-0/0/6: 10.10.30.189/24
F0/1: 192.168.4.2/24
F0/2: 192.168.5.2/24
F0/3: 192.168.100.1/24 (simulates the remote Internet)
Test topology:
1. Virtual router (remember the ingress of incoming traffic);
Requirements:
External users access port 3389 on the firewall's external interface; this is destination-NATed to the internal server 192.168.3.5:3389, and the return traffic must leave along the path it arrived on;
Permit all external users to reach port 3389 on host 192.168.3.5; (dual-line access)
Configuration:
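An added example, not part of the original document or the author's own tooling: a small Python audit that parses the destination-NAT rule-sets of the configuration that follows (Junos set format) and flags a rule with no destination-port match, which would translate every port on the external address to the internal server, or a rule that references an undefined pool. The embedded input is a constructed copy of this case's two rule-sets with the destination-port line of rule-set 2 left out, so the check has something to report.

```python
import re
from collections import defaultdict

# Constructed sample input: the two DNAT rule-sets of this case, re-typed in
# Junos "set" format, with rule-set 2's destination-port line deliberately omitted.
CONFIG = """
set security nat destination pool 111 address 192.168.3.5/32
set security nat destination rule-set 1 from zone Tel-trust
set security nat destination rule-set 1 rule 111 match source-address 0.0.0.0/0
set security nat destination rule-set 1 rule 111 match destination-address 192.168.4.1/32
set security nat destination rule-set 1 rule 111 match destination-port 3389
set security nat destination rule-set 1 rule 111 then destination-nat pool 111
set security nat destination rule-set 2 from zone CNC-trust
set security nat destination rule-set 2 rule 222 match source-address 0.0.0.0/0
set security nat destination rule-set 2 rule 222 match destination-address 192.168.5.1/32
set security nat destination rule-set 2 rule 222 then destination-nat pool 111
"""

# One DNAT rule line: rule-set name, rule name, "match <key> <value>" or "then <key> <value>"
DNAT_RE = re.compile(
    r"^set security nat destination rule-set (\S+) rule (\S+) (match|then) (\S+)(?: (.+))?$")


def parse_dnat_rules(config):
    """Return {(rule_set, rule): {"match": {key: value}, "action": str|None}}."""
    rules = defaultdict(lambda: {"match": {}, "action": None})
    for line in config.strip().splitlines():
        m = DNAT_RE.match(line.strip())
        if not m:
            continue  # pools, from-zone lines and unrelated config are skipped here
        rs, rule, kind, key, value = m.groups()
        if kind == "match":
            rules[(rs, rule)]["match"][key] = value
        elif key == "destination-nat":
            rules[(rs, rule)]["action"] = value  # "pool <name>" or "off"
    return dict(rules)


def audit_dnat(config):
    """Flag DNAT rules that forward every port or reference an undefined pool."""
    pools = set(re.findall(r"^set security nat destination pool (\S+) ", config, re.M))
    findings = []
    for (rs, rule), r in parse_dnat_rules(config).items():
        if "destination-port" not in r["match"]:
            findings.append(f"rule-set {rs} rule {rule}: no destination-port match, all ports are translated")
        action = r["action"] or ""
        if action.startswith("pool ") and action.split()[1] not in pools:
            findings.append(f"rule-set {rs} rule {rule}: pool {action.split()[1]} is not defined")
    return findings
```

Run against the real configuration with `show configuration | display set`, saved to a file and read into `audit_dnat`.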
set routing-instances Tel instance-type virtual-router
set routing-instances Tel interface ge-0/0/4.0
set routing-instances Tel routing-options interface-routes rib-group inet Big-rib
set routing-instances Tel routing-options static route 0.0.0.0/0 next-hop 192.168.4.2
set routing-instances CNC instance-type virtual-router
set routing-instances CNC interface ge-0/0/5.0
set routing-instances CNC routing-options interface-routes rib-group inet Big-rib
set routing-instances CNC routing-options static route 0.0.0.0/0 next-hop 192.168.5.2
set interfaces ge-0/0/3 unit 0 family inet address 192.168.3.1/24
set interfaces ge-0/0/4 unit 0 family inet address 192.168.4.1/24
set interfaces ge-0/0/5 unit 0 family inet address 192.168.5.1/24
set interfaces ge-0/0/6 unit 0 family inet address 10.10.30.189/24
set routing-options interface-routes rib-group inet Big-rib
set routing-options static route 10.0.0.0/8 next-hop 10.10.30.1
set routing-options static route 0.0.0.0/0 next-hop 192.168.4.2
set routing-options static route 0.0.0.0/0 install
set routing-options static route 0.0.0.0/0 no-readvertise
set routing-options rib-groups Big-rib import-rib inet.0
set routing-options rib-groups Big-rib import-rib CNC.inet.0
set routing-options rib-groups Big-rib import-rib Tel.inet.0
set security nat destination pool 111 address 192.168.3.5/32
set security nat destination rule-set 1 from zone Tel-trust
set security nat destination rule-set 1 rule 111 match source-address 0.0.0.0/0
set security nat destination rule-set 1 rule 111 match destination-address 192.168.4.1/32
set security nat destination rule-set 1 rule 111 match destination-port 3389
set security nat destination rule-set 1 rule 111 then destination-nat pool 111
set security nat destination rule-set 2 from zone CNC-trust
set security nat destination rule-set 2 rule 222 match source-address 0.0.0.0/0
set security nat destination rule-set 2 rule 222 match destination-address 192.168.5.1/32
set security nat destination rule-set 2 rule 222 match destination-port 3389
set security nat destination rule-set 2 rule 222 then destination-nat pool 111
set applications application tcp_3389 protocol tcp
set applications application tcp_3389 destination-port 3389
set security zones security-zone trust address-book address H_192.168.3.5 192.168.3.5/32
set security policies from-zone Tel-trust to-zone trust policy default-permit match source-address any
set security policies from-zone Tel-trust to-zone trust policy default-permit match destination-address H_192.168.3.5
set security policies from-zone Tel-trust to-zone trust policy default-permit match application tcp_3389
set security policies from-zone Tel-trust to-zone trust policy default-permit then permit
set security policies from-zone CNC-trust to-zone trust policy default-permit match source-address any
set security policies from-zone CNC-trust to-zone trust policy default-permit match destination-address H_192.168.3.5
set security policies from-zone CNC-trust to-zone trust policy default-permit match application tcp_3389
set security policies from-zone CNC-trust to-zone trust policy default-permit then permit
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/3.0
set security zones security-zone Tel-trust host-inbound-traffic system-services all