1.4 Juniper Firewall Route Mode
Juniper Firewall Route Mode
ITman Forum http://www.itman1024.com
Copyright © 2007 Juniper Networks, Inc.
Proprietary and Confidential
www.juniper.net
Layer 3 Operating Mode

[Figure: network diagram used throughout this section. Zones: Private, Public and External. Firewall-side networks 10.1.1.0/24, 10.1.2.0/24, 1.1.7.0/24 and 1.1.8.0/24 (firewall address .1 on each). Remote networks 10.1.10.0/24 (host A, 10.1.10.5) and 10.1.20.0/24 (host B, 10.1.20.5) sit behind next-hop routers at .254; 1.1.70.0/24 (host C, 1.1.70.250) is in the Public zone; host D (200.5.5.5) is reached through the External zone.]
Step 4: Configure static routes
Network > Routing > Destination > Edit

set route <network>/<mask> interface <out_int> gateway <nhr>

Example:
ns208-> set route 10.1.10.0/24 interface e1 gateway 10.1.1.254
Step 1: Create zones
Network > Zones

set zone name <name>

Example:
ns208-> set zone name Private
Step 3: Assign addresses to interfaces
Network > Interfaces (Edit)

set interface <name> ip <X.X.X.X>/<mask>

Example:
ns208-> set interface e8 ip 1.1.8.1/24
Verify routing: get route ip

get route ip <address>

ns208-> get route ip 10.1.10.5
 Destination Routes for 10.1.10.5
--------------------
trust-vr : => 10.1.10.0/24 (id=6) via 10.1.1.254 (vr: trust-vr)
   Interface ethernet1 , metric 1
[Figure: the same network diagram as on the Layer 3 slide, with the firewall's routing table:

Network        Interface   Next Hop
10.1.1.0/24    E1
10.1.2.0/24    E2
1.1.7.0/24     E7
1.1.8.0/24     E8
10.1.10.0/24   E1          10.1.1.254
0.0.0.0/0      E8          1.1.8.254
]
Verify interface configuration

ns208-> get interface
A - Active, I - Inactive, U - Up, D - Down, R - Ready
Interfaces in vsys Root:
Name    IP Address     Zone        MAC             VLAN  State  VSD
eth1    10.1.1.1/24    Private     0010.db1d.1be0        U
eth2    0.0.0.0/0      V1-DMZ      0010.db1d.1be4        D
eth3    0.0.0.0/0      V1-Untrust  0010.db1d.1be5        D
eth4    0.0.0.0/0      Private     0010.db1d.1be6        D
eth5    0.0.0.0/0      Untrust     0010.db1d.1be7        D
eth6    0.0.0.0/0      Null        0010.db1d.1be8        D
eth7    1.1.7.1/24     Public      0010.db1d.1be9        U
eth8    1.1.8.1/24     External    0010.db1d.1bea        U
vlan1   0.0.0.0/0      VLAN        0010.db1d.1bef  1     D
Default Gateway

[Figure: the 10.1.10.0/24 network in the Private zone, firewall interface .1, next-hop router .254]
Verify routing: traceroute

ns208-> trace 10.1.10.5
Type escape sequence to escape

Output of ping 10.1.10.5 (the command is on the "Ping and extended ping" slide):

Sending 5, 100-byte ICMP Echos to 10.1.10.5, timeout is 2 seconds
!!!!!
Success Rate is 100 percent (5/5), round-trip time min/avg/max=2/3/9 ms

Extended ping:

ns208-> ping
Target IP address:10.1.10.5
Repeat count [5]:
Datagram size [100]:
Timeout in seconds[2]:
Source interface:
Type escape sequence to abort
Sending 5, 100-byte ICMP Echos to 10.1.10.5, timeout is 2 seconds
!!!!!
Success Rate is 100 percent (5/5), round-trip time min/avg/max=2/3/4 ms
Verify static routes - CLI

ns208-> get route

untrust-vr (0 entries)
--------------------------------------------------------------------------
C - Connected, S - Static, A - Auto-Exported, I - Imported, R - RIP
iB - IBGP, eB - EBGP, O - OSPF, E1 - OSPF external type 1
E2 - OSPF external type 2

trust-vr (9 entries)
--------------------------------------------------------------------------
   ID IP-Prefix      Interface  Gateway     P  Pref  Mtr  Vsys
--------------------------------------------------------------------------
*   7 0.0.0.0/0      eth8       1.1.8.254   S  20    1    Root
*   8 10.1.1.0/24    eth1       1.1.1.10    S  20    1    Root
    9 10.2.1.0/24    eth2       1.1.2.10    S  20    1    Root
*   6 1.1.8.0/24     eth8       0.0.0.0     C  0     0    Root
   11 10.3.1.0/24    eth3       1.1.3.10    S  20    1    Root
*   5 1.1.7.0/24     eth7       0.0.0.0     C  0     0    Root
    4 1.1.3.0/24     eth3       0.0.0.0     C  0     0    Root
    3 1.1.2.0/24     eth2       0.0.0.0     C  0     0    Root
*   2 1.1.1.0/24     eth1       0.0.0.0     C  0     0    Root
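Both `get route ip <address>` (the verify-routing slide) and the full `get route` table above are easier to reason about once the table is parsed. The following Python is an added example, not Juniper's code or part of the deck: it parses `get route` output in the column layout shown on this slide, emulates the `get route ip` lookup as a longest-prefix match over active routes only (a leading `*` marks an active route), and lists static routes that are configured but not active. The sample text is constructed from the table above; note that this table is a different scenario from the network diagram, so a lookup of 10.1.10.5 here falls through to the default route rather than to 10.1.10.0/24. The tie-break by lower preference and then lower metric for equal-length matches is this example's assumption.

```python
"""Parse ScreenOS `get route` output and emulate `get route ip <address>`.

Added example, not Juniper code. The sample below is constructed from the
table on the slide; the parser assumes that column layout:
    [*] ID IP-Prefix Interface Gateway P Pref Mtr Vsys
with a leading '*' marking an active route.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample in the slide's column order (one route per line).
SAMPLE_GET_ROUTE = """\
trust-vr (9 entries)
-----------------------------------------------------------------------
   ID IP-Prefix      Interface  Gateway     P  Pref  Mtr  Vsys
-----------------------------------------------------------------------
*   7 0.0.0.0/0      eth8       1.1.8.254   S  20    1    Root
*   8 10.1.1.0/24    eth1       1.1.1.10    S  20    1    Root
    9 10.2.1.0/24    eth2       1.1.2.10    S  20    1    Root
*   6 1.1.8.0/24     eth8       0.0.0.0     C  0     0    Root
   11 10.3.1.0/24    eth3       1.1.3.10    S  20    1    Root
*   5 1.1.7.0/24     eth7       0.0.0.0     C  0     0    Root
    4 1.1.3.0/24     eth3       0.0.0.0     C  0     0    Root
    3 1.1.2.0/24     eth2       0.0.0.0     C  0     0    Root
*   2 1.1.1.0/24     eth1       0.0.0.0     C  0     0    Root
"""

ROUTE_RE = re.compile(
    r"^(?P<active>\*)?\s*(?P<id>\d+)\s+(?P<prefix>\S+/\d+)\s+(?P<iface>\S+)"
    r"\s+(?P<gw>\S+)\s+(?P<proto>\S+)\s+(?P<pref>\d+)\s+(?P<mtr>\d+)"
    r"\s+(?P<vsys>\S+)\s*$"
)


@dataclass(frozen=True)
class Route:
    id: int
    prefix: ipaddress.IPv4Network
    interface: str
    gateway: str
    protocol: str      # C connected, S static, ... (legend on the slide)
    preference: int
    metric: int
    active: bool       # '*' in the first column


def parse_get_route(text):
    """Return the routes in `get route` output; header, separator and
    legend lines do not match the pattern and are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if not m:
            continue
        routes.append(Route(
            id=int(m["id"]),
            prefix=ipaddress.IPv4Network(m["prefix"], strict=False),
            interface=m["iface"], gateway=m["gw"], protocol=m["proto"],
            preference=int(m["pref"]), metric=int(m["mtr"]),
            active=m["active"] == "*"))
    return routes


def lookup(routes, address):
    """Emulate `get route ip <address>`: longest matching prefix among
    active routes; equal lengths are ordered by lower preference, then
    lower metric (assumed tie-break). Returns None when nothing matches."""
    addr = ipaddress.IPv4Address(address)
    matches = [r for r in routes if r.active and addr in r.prefix]
    if not matches:
        return None
    return max(matches,
               key=lambda r: (r.prefix.prefixlen, -r.preference, -r.metric))


def inactive_static(routes):
    """IDs of static routes that are configured but not active, the first
    thing to check when a `set route` does not take effect."""
    return [r.id for r in routes if r.protocol == "S" and not r.active]


if __name__ == "__main__":
    table = parse_get_route(SAMPLE_GET_ROUTE)
    for ip in ("10.1.1.77", "10.2.1.5", "10.1.10.5"):
        r = lookup(table, ip)
        print(ip, "->", f"{r.prefix} via {r.gateway} on {r.interface}" if r else "no route")
    print("inactive static routes:", inactive_static(table))
```

The inactive check is the useful part when verifying: a destination inside 10.2.1.0/24 is not sent to 1.1.2.10 here, because route 9 is not active, so the lookup falls through to the default route just as the firewall would.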
Steps for configuring Layer 3

1. Create zones (if the default zones are not used)
2. Assign interfaces to zones
3. Assign IP addresses to interfaces
4. Configure static routes
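The four steps carried out for the diagram's topology as one ordered script. This is an added example, not Juniper's code or part of the deck: a small Python builder that emits the ScreenOS `set` commands in the prescribed order and refuses two mistakes the ordering guards against, addressing an interface that has not yet been placed in a zone, and pointing a static route at a gateway that is not on the outgoing interface's connected subnet. Zone names, interface addresses and routes come from the slides; e2's zone (Private) is an assumption, and the `ScreenOSConfig` class and its methods are this example's own, not a ScreenOS API.

```python
"""Emit the ScreenOS Layer 3 configuration (zones, zone bindings, addresses,
static routes) in the order Steps 1-4 require, with sanity checks.

Added example; not Juniper code. Values are taken from the slides except
e2's zone, which is assumed to be Private.
"""
import ipaddress


class ScreenOSConfig:
    """Accumulates `set` commands and tracks per-interface state so that
    ordering mistakes are caught before anything is pasted into a CLI."""

    def __init__(self):
        self.commands = []
        self.zone_of = {}   # interface -> zone name
        self.addr_of = {}   # interface -> IPv4Interface

    def zone(self, name):
        # Step 1: only needed for zones that are not predefined
        self.commands.append(f"set zone name {name}")
        return self

    def bind(self, iface, zone):
        # Step 2: an interface must belong to a zone before anything else
        self.zone_of[iface] = zone
        self.commands.append(f"set interface {iface} zone {zone}")
        return self

    def address(self, iface, cidr):
        # Step 3: refuse to address an interface that has no zone yet
        if iface not in self.zone_of:
            raise ValueError(f"{iface}: assign a zone before an IP address")
        self.addr_of[iface] = ipaddress.IPv4Interface(cidr)
        self.commands.append(f"set interface {iface} ip {cidr}")
        return self

    def route(self, dest, out_iface, gateway):
        # Step 4: a next hop outside the outgoing interface's connected
        # subnet cannot be resolved by ARP, so reject it up front
        if out_iface not in self.addr_of:
            raise ValueError(f"route {dest}: {out_iface} has no IP address yet")
        connected = self.addr_of[out_iface].network
        if ipaddress.IPv4Address(gateway) not in connected:
            raise ValueError(
                f"route {dest}: gateway {gateway} is not on {connected}")
        ipaddress.IPv4Network(dest)  # rejects a malformed destination prefix
        self.commands.append(
            f"set route {dest} interface {out_iface} gateway {gateway}")
        return self


def topology_config():
    """The slide topology: three custom zones, four addressed interfaces,
    a route to 10.1.10.0/24 via 10.1.1.254 and a default route via 1.1.8.254."""
    cfg = ScreenOSConfig()
    for name in ("Private", "Public", "External"):
        cfg.zone(name)
    cfg.bind("e1", "Private").bind("e2", "Private")  # e2's zone is assumed
    cfg.bind("e7", "Public").bind("e8", "External")
    cfg.address("e1", "10.1.1.1/24").address("e2", "10.1.2.1/24")
    cfg.address("e7", "1.1.7.1/24").address("e8", "1.1.8.1/24")
    cfg.route("10.1.10.0/24", "e1", "10.1.1.254")
    cfg.route("0.0.0.0/0", "e8", "1.1.8.254")
    return cfg.commands


def error_of(build):
    """Run a builder callable; return the ValueError message, or None."""
    try:
        build()
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print("\n".join(topology_config()))
```

Running the script prints the thirteen `set` commands in Step 1 to Step 4 order; swapping Step 2 and Step 3 for any interface, or using a gateway outside the interface's subnet, raises before any command is emitted.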
Static Routes
Review of Zones and Interfaces

Strict hierarchy: an interface must belong to a zone before an IP address can be assigned to it.
Step 2: Assign interfaces to zones
Network > Interfaces (Edit)

set interface <int-name> zone <zone-name>

Example:
ns208-> set interface e8 zone untrust
[Figure: the same network diagram as on the Layer 3 slide, with an interface table for E1, E2, E7 and E8, and the WebUI Network > Interfaces list: eth1, eth2, eth3, eth4, eth5, eth6, eth7, eth8, vlan1]
Verify static routes - WebUI
Network > Routing > Destination
Verify routing
Ping and extended ping

ns208-> ping 10.1.10.5
Type escape sequence to abort