Juniper SRX Firewall Basic Configuration Manual

1 PPPoE dial-up configuration on the SRX firewall

Juniper SRX firewalls support PPPoE dial-up, so the firewall can terminate an ADSL link directly and provide Internet access to users on the internal network.
The topology is as follows: a Juniper SRX240 firewall with the ADSL modem attached to one of its Ethernet ports.

Once ADSL PPPoE dial-up has been configured on the SRX, the PPPoE dial-up interface pp0 can be viewed either in the web UI or from the CLI. The CLI command is:

    juniper@HaoPeng# run show interfaces terse | match pp
    Interface   Admin  Link  Proto  Local  Remote
    pp0         up     up

The same PPPoE dial-up interface pp0 is also visible in the web UI.

The configuration steps are as follows:

Step 1: Choose ge-0/0/4 as the physical interface underlying the PPPoE dial-up interface and set its encapsulation to PPPoE.

To configure PPPoE encapsulation on an Ethernet interface:

    juniper@HaoPeng# set interfaces ge-0/0/4 unit 0 encapsulation ppp-over-ether

Step 2: Configure the parameters of the PPPoE logical interface pp0.0.

To create a PPPoE interface and configure PPPoE options:

    user@host# set interfaces pp0 unit 0 pppoe-options underlying-interface ge-0/0/4.0 auto-reconnect 100 idle-timeout 100 client

Here `client` makes the SRX the PPPoE client (the ISP's access concentrator is the server), `auto-reconnect 100` retries a dropped session after 100 seconds, and `idle-timeout 100` tears the session down after 100 seconds without traffic. If the link must stay up permanently, use `idle-timeout 0` as in the FBF example in section 2.

Step 3: Configure the MTU of the PPPoE interface.

To configure the maximum transmission unit (MTU) of the IPv4 family:

    user@host# set interfaces pp0 unit 0 family inet mtu 1492

The value is 1492 rather than 1500 because the PPPoE header (6 bytes) and the PPP protocol field (2 bytes) are carried inside the Ethernet payload; leaving the MTU at 1500 causes fragmentation or blackholing of full-size packets.

Step 4: Configure the PPPoE interface to obtain its address by negotiation.

To configure the PPPoE interface address:

    user@host# set interfaces pp0 unit 0 family inet negotiate-address

Step 5: Configure PAP authentication on the PPPoE interface.

    set interfaces pp0 unit 0 ppp-options pap default-password 88888878
    set interfaces pp0 unit 0 ppp-options pap local-name szdigicn1@163.gd
    set interfaces pp0 unit 0 ppp-options pap local-password 88888878
    set interfaces pp0 unit 0 ppp-options pap passive

Note: default-password and local-password must both be set to the password of the ADSL account, and local-name must be the ADSL account's username (the values shown are the account used in this deployment; substitute your own). `passive` makes the SRX wait for the ISP side to start authentication. The original wrote the keyword as `default password`; the Junos statement is `default-password`. PAP sends the username and password to the access concentrator unencrypted, so if the ISP supports CHAP, `ppp-options chap` is the better choice.
Step 6: Configure a static default route pointing at the PPPoE interface pp0.0.

    set routing-options static route 0.0.0.0/0 next-hop pp0.0

The PPPoE dial-up configuration output is summarised as follows:

Verify that the PPPoE session is up and has obtained an IP address:

    root# run show interfaces terse | match pp
    pp0      up  up
    pp0.0    up  up  inet  219.134.120.126 --> 219.134.120.1

Common commands for verifying PPPoE:

    show interfaces pp0
    show pppoe interfaces
    show pppoe version
    show pppoe statistics
    clear pppoe sessions
    clear pppoe sta

(Junos accepts unambiguous abbreviations, so `clear pppoe sta` expands to `clear pppoe statistics`.)

These steps only bring up the link. Before internal users can actually reach the Internet through pp0.0, the interface still has to be placed in a security zone and covered by a security policy and source NAT; that part of the configuration is not covered here.

2 FBF (Filter-based Forwarding) configuration on the SRX firewall

The FBF feature of Juniper SRX firewalls is similar to PBR (policy-based routing) on Juniper NetScreen firewalls. Its basic function is forwarding based on the source address of a packet: packets from different source addresses can be sent out over different links.
The topology is as follows:

    ge-0/0/8: 192.168.100.2/24 (inside interface towards the downstream router)
    ge-0/0/5: 河辰 all-in-one appliance, used as an inside interface, address 192.168.0.1/24
    SRX240

(The route table at the end of this section shows the 192.168.0.0/24 segment on ge-0/0/9.0 with the SRX at 192.168.0.254 and 192.168.0.1 as the active next hop of the global default route; the port numbering in the diagram and in the captured output differ.)

Requirements: the customer has four ADSL links for Internet access and wants different internal subnets to use different ADSL links.

The configuration steps are as follows:

Step 1: Interface configuration.

Configure the PPPoE dial-up interface pp0.0:

    set interfaces pp0 unit 0 ppp-options pap default-password 88888878
    set interfaces pp0 unit 0 ppp-options pap local-name "szdigicn1@163.gd"
    set interfaces pp0 unit 0 ppp-options pap local-password 88888878
    set interfaces pp0 unit 0 ppp-options pap passive
    set interfaces pp0 unit 0 pppoe-options underlying-interface ge-0/0/4.0
    set interfaces pp0 unit 0 pppoe-options idle-timeout 0
    set interfaces pp0 unit 0 pppoe-options auto-reconnect 2
    set interfaces pp0 unit 0 pppoe-options client
    set interfaces pp0 unit 0 family inet negotiate-address
    set interfaces ge-0/0/4 unit 0 encapsulation ppp-over-ether

The other PPPoE interfaces pp0.1, pp0.2 and pp0.3 are configured in the same way as pp0.0, each with its own ISP account and its own underlying Ethernet port connected to its own ADSL modem.
Configure the inside interface ge-0/0/8:

    set interfaces ge-0/0/8 unit 0 family inet address 192.168.100.2/24

Step 2: Create routing instances. Create four VRFs, one for each PPPoE interface; the routing-instance type is forwarding. Each instance holds only a default route towards its own ADSL link.

    set routing-instances TRUST-VRF-1 instance-type forwarding
    set routing-instances TRUST-VRF-1 routing-options static route 0.0.0.0/0 next-hop pp0.0
    set routing-instances TRUST-VRF-2 instance-type forwarding
    set routing-instances TRUST-VRF-2 routing-options static route 0.0.0.0/0 next-hop pp0.1
    set routing-instances TRUST-VRF-3 instance-type forwarding
    set routing-instances TRUST-VRF-3 routing-options static route 0.0.0.0/0 next-hop pp0.2
    set routing-instances TRUST-VRF-4 instance-type forwarding
    set routing-instances TRUST-VRF-4 routing-options static route 0.0.0.0/0 next-hop pp0.3

Step 3: Configure the RIB group. A forwarding instance has no interfaces of its own, so the direct and local routes of inet.0 are imported into each VRF table; without this a VRF could reach only its default route and nothing directly connected.

    set routing-options interface-routes rib-group inet INSIDE
    set routing-options rib-groups INSIDE import-rib inet.0
    set routing-options rib-groups INSIDE import-rib TRUST-VRF-1.inet.0
    set routing-options rib-groups INSIDE import-rib TRUST-VRF-2.inet.0
    set routing-options rib-groups INSIDE import-rib TRUST-VRF-3.inet.0
    set routing-options rib-groups INSIDE import-rib TRUST-VRF-4.inet.0

Step 4: Define the firewall filter that matches the source address ranges. Terms are evaluated in order and the first matching term wins; multiple source-address values in one term are ORed.

The customer wants the internal segments 192.168.2.0/24, 192.168.3.0/24 and 192.168.7.0/24 to use the first ADSL link:

    set firewall filter USER-IN term 1 from source-address 192.168.2.0/24
    set firewall filter USER-IN term 1 from source-address 192.168.3.0/24
    set firewall filter USER-IN term 1 from source-address 192.168.7.0/24
    set firewall filter USER-IN term 1 then routing-instance TRUST-VRF-1

The customer wants 192.168.6.0/24 and 192.168.8.0/24 to use the second ADSL link:

    set firewall filter USER-IN term 2 from source-address 192.168.6.0/24
    set firewall filter USER-IN term 2 from source-address 192.168.8.0/24
    set firewall filter USER-IN term 2 then routing-instance TRUST-VRF-2

The customer wants 192.168.9.0/24 to use the third ADSL link:

    set firewall filter USER-IN term 3 from source-address 192.168.9.0/24
    set firewall filter USER-IN term 3 then routing-instance TRUST-VRF-3

The customer wants 192.168.5.0/24 and 192.168.1.0/24 to use the fourth ADSL link:

    set firewall filter USER-IN term 4 from source-address 192.168.5.0/24
    set firewall filter USER-IN term 4 from source-address 192.168.1.0/24
    set firewall filter USER-IN term 4 then routing-instance TRUST-VRF-4
    set firewall filter USER-IN term 5 then accept

Term 5 has no `from` clause and therefore matches everything the first four terms did not. It is not optional: a Junos firewall filter ends with an implicit discard, so without it every internal segment not listed above (192.168.4.0/24, 192.168.10.0/24 and so on) would be dropped at the inside interface instead of being routed through inet.0.

Step 5: Apply the firewall filter USER-IN in the input direction on the inside interface ge-0/0/8.

    set interfaces ge-0/0/8 unit 0 family inet filter input USER-IN

Looking at the routing tables on the SRX shows five tables: the global table inet.0 and the four VRF tables TRUST-VRF-1 to TRUST-VRF-4. Two things in this output are not among the commands listed above but belong to the same deployment: the inet.0 default route carries all four pp0 units plus 192.168.0.1 via ge-0/0/9.0 (the active next hop, marked `>`), and inet.0 holds static routes for the internal segments 192.168.1.0/24 to 192.168.13.0/24 via the downstream router 192.168.100.1, which is what lets return traffic arriving on the pp0 links reach those segments.

    root# run show route

    inet.0: 25 destinations, 26 routes (25 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    0.0.0.0/0          *[Static/5] 00:40:49
                          via pp0.0
                          via pp0.1
                          via pp0.2
                          via pp0.3
                        > to 192.168.0.1 via ge-0/0/9.0
    58.61.136.1/32     *[Direct/0] 00:40:49
                        > via pp0.0
    58.61.137.74/32    *[Local/0] 00:40:49
                          Local via pp0.0
    192.168.0.0/24     *[Direct/0] 00:40:49
                        > via ge-0/0/9.0
    192.168.0.254/32   *[Local/0] 00:41:02
                          Local via ge-0/0/9.0
    192.168.1.0/24     *[Static/5] 00:40:53
                        > to 192.168.100.1 via ge-0/0/8.0
    192.168.2.0/24     *[Static/5] 00:40:53
                        > to 192.168.100.1 via ge-0/0/8.0
    192.168.3.0/24     *[Static/5] 00:40:53
                        > to 192.168.100.1 via ge-0/0/8.0
    192.168.4.0/24     *[Static/5] 00:40:53
                        > to 192.168.100.1 via ge-0/0/8.0
    192.168.5.0/24     *[Static/5] 00:40:53
                        > to 192.168.100.1 via ge-0/0/8.0
    192.168.6.0/24     *[Static/5] 00:40:53
                        > to 192.168.100.1 via ge-0/0/8.0
    192.168.7.0/24     *[Static/5] 00:40:53
                        > to 192.168.100.1 via ge-0/0/8.0
    192.168.8.0/24     *[Static/5] 00:40:53
                        > to 192.168.100.1 via ge-0/0/8.0
    192.168.9.0/24     *[Static/5] 00:40:53
                        > to 192.168.100.1 via ge-0/0/8.0
    192.168.10.0/24    *[Static/5] 00:40:53
                        > to 192.168.100.1 via ge-0/0/8.0
    192.168.11.0/24    *[Static/5] 00:40:53
                        > to 192.168.100.1 via ge-0/0/8.0
    192.168.12.0/24    *[Static/5] 00:40:53
                        > to 192.168.100.1 via ge-0/0/8.0
    192.168.13.0/24    *[Static/5] 00:40:53
                        > to 192.168.100.1 via ge-0/0/8.0
    192.168.100.0/24   *[Direct/0] 00:40:53
                        > via ge-0/0/8.0
    192.168.100.2/32   *[Local/0] 00:41:02
                          Local via ge-0/0/8.0
    219.133.216.1/32   *[Direct/0] 00:30:06
                        > via pp0.2
    219.133.216.203/32 *[Local/0] 00:30:06
                          Local via pp0.2
    219.134.120.1/32   *[Direct/0] 00:06:05
                        > via pp0.1
                        [Direct/0] 00:04:04
                        > via pp0.3
    219.134.121.59/32  *[Local/0] 00:04:04
                          Local via pp0.3
    219.134.121.165/32 *[Local/0] 00:06:05
                          Local via pp0.1

    TRUST-VRF-1.inet.0: 12 destinations, 13 routes (12 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    0.0.0.0/0          *[Static/5] 00:17:41
                        > via pp0.0
    58.61.136.1/32     *[Direct/0] 00:17:41
                        > via pp0.0
    58.61.137.74/32    *[Local/0] 00:05:41
                          Local via pp0.0
    192.168.0.0/24     *[Direct/0] 00:17:41
                        > via ge-0/0/9.0
    192.168.0.254/32   *[Local/0] 00:05:41
                          Local via ge-0/0/9.0
    192.168.100.0/24   *[Direct/0] 00:17:41
                        > via ge-0/0/8.0
    192.168.100.2/32   *[Local/0] 00:05:41
                          Local via ge-0/0/8.0
    219.133.216.1/32   *[Direct/0] 00:17:41
                        > via pp0.2
    219.133.216.203/32 *[Local/0] 00:05:41
                          Local via pp0.2
    219.134.120.1/32   *[Direct/0] 00:06:05
                        > via pp0.1
                        [Direct/0] 00:04:04
                        > via pp0.3
    219.134.121.59/32  *[Local/0] 00:04:04
                          Local via pp0.3
    219.134.121.165/32 *[Local/0] 00:05:41
                          Local via pp0.1

    TRUST-VRF-2.inet.0: 12 destinations, 13 routes (12 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    0.0.0.0/0          *[Static/5] 00:06:05
                        > via pp0.1
    58.61.136.1/32     *[Direct/0] 00:17:41
                        > via pp0.0
    58.61.137.74/32    *[Local/0] 00:05:41
                          Local via pp0.0
    192.168.0.0/24     *[Direct/0] 00:17:41
                        > via ge-0/0/9.0
    192.168.0.254/32   *[Local/0] 00:05:41
                          Local via ge-0/0/9.0
    192.168.100.0/24   *[Direct/0] 00:17:41
                        > via ge-0/0/8.0
    192.168.100.2/32   *[Local/0] 00:05:41
                          Local via ge-0/0/8.0
    219.133.216.1/32   *[Direct/0] 00:17:41
                        > via pp0.2
    219.133.216.203/32 *[Local/0] 00:05:41
                          Local via pp0.2
    219.134.120.1/32   *[Direct/0] 00:06:05
                        > via pp0.1
                        [Direct/0] 00:04:04
                        > via pp0.3
    219.134.121.59/32  *[Local/0] 00:04:04
                          Local via pp0.3
    219.134.121.165/32 *[Local/0] 00:05:41
                          Local via pp0.1

    TRUST-VRF-3.inet.0: 12 destinations, 13 routes (12 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    0.0.0.0/0          *[Static/5] 00:17:41
                        > via pp0.2
    58.61.136.1/32     *[Direct/0] 00:17:41
                        > via pp0.0
    58.61.137.74/32    *[Local/0] 00:05:41
                          Local via pp0.0
    192.168.0.0/24     *[Direct/0] 00:17:41
                        > via ge-0/0/9.0
    192.168.0.254/32   *[Local/0] 00:05:41
                          Local via ge-0/0/9.0
    192.168.100.0/24   *[Direct/0] 00:17:41
                        > via ge-0/0/8.0
    192.168.100.2/32   *[Local/0] 00:05:41
                          Local via ge-0/0/8.0
    219.133.216.1/32   *[Direct/0] 00:17:41
                        > via pp0.2
    219.133.216.203/32 *[Local/0] 00:05:41
                          Local via pp0.2
    219.134.120.1/32   *[Direct/0] 00:06:05
                        > via pp0.1
                        [Direct/0] 00:04:04
                        > via pp0.3
    219.134.121.59/32  *[Local/0] 00:04:04
                          Local via pp0.3
    219.134.121.165/32 *[Local/0] 00:05:41
                          Local via pp0.1

    TRUST-VRF-4.inet.0: 12 destinations, 13 routes (12 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    0.0.0.0/0          *[Static/5] 00:04:05
                        > via pp0.3
    58.61.136.1/32     *[Direct/0] 00:17:42
                        > via pp0.0
    58.61.137.74/32    *[Local/0] 00:05:42
                          Local via pp0.0
    192.168.0.0/24     *[Direct/0] 00:17:42
                        > via ge-0/0/9.0
    192.168.0.254/32   *[Local/0] 00:05:42
                          Local via ge-0/0/9.0
    192.168.100.0/24   *[Direct/0] 00:17:42
                        > via ge-0/0/8.0
    192.168.100.2/32   *[Local/0] 00:05:42
                          Local via ge-0/0/8.0
    219.133.216.1/32   *[Direct/0] 00:17:42
                        > via pp0.2
    219.133.216.203/32 *[Local/0] 00:05:42
                          Local via pp0.2
    219.134.120.1/32   *[Direct/0] 00:06:06
                        > via pp0.1
                        [Direct/0] 00:04:05
                        > via pp0.3
    219.134.121.59/32  *[Local/0] 00:04:05
                          Local via pp0.3
    219.134.121.165/32 *[Local/0] 00:05:42
                          Local via pp0.1

Each VRF table contains only its own default route plus the direct and local routes imported by the INSIDE rib-group, which is exactly what the FBF design needs: the filter decides the table, the table decides the link.
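The two verification outputs this manual relies on, `show interfaces terse | match pp` in section 1 and `show route` in section 2, are normally read by eye. The following is an added example, not code from the manual or from Juniper, that turns them into an offline check of the FBF policy: it parses both outputs, applies the USER-IN filter with Junos semantics (terms in order, first match wins, `then routing-instance` hands the packet to that instance's table, no match means the implicit discard) and reports which link each inside subnet will use and whether that link is up. The sample outputs are excerpts of the outputs shown on this page; the pp0.1 and pp0.2 addresses are taken from the route table above and the pp0.3 `down` line is constructed to show a failed link.

```python
"""Offline check of the PPPoE links and the FBF policy in this manual.

Added example, not code from the manual or from Juniper. Parses the
`show interfaces terse | match pp` and `show route` outputs the manual uses
for verification, models the USER-IN filter with Junos semantics, and maps
each inside subnet to its egress link and that link's state.
Samples are excerpts of the manual's outputs; pp0.3 is shown down (constructed).
"""
import re
from ipaddress import ip_address, ip_network

TERSE = """\
pp0.0      up    up   inet  219.134.120.126 --> 219.134.120.1
pp0.1      up    up   inet  219.134.121.165 --> 219.134.120.1
pp0.2      up    up   inet  219.133.216.203 --> 219.133.216.1
pp0.3      up    down
"""
SHOW_ROUTE = """\
inet.0: 25 destinations, 26 routes (25 active, 0 holddown, 0 hidden)
0.0.0.0/0          *[Static/5] 00:40:49
                      via pp0.0
                      via pp0.1
                      via pp0.2
                      via pp0.3
                    > to 192.168.0.1 via ge-0/0/9.0
192.168.2.0/24     *[Static/5] 00:40:53
                    > to 192.168.100.1 via ge-0/0/8.0
TRUST-VRF-1.inet.0: 12 destinations, 13 routes (12 active, 0 holddown, 0 hidden)
0.0.0.0/0          *[Static/5] 00:17:41
                    > via pp0.0
TRUST-VRF-2.inet.0: 12 destinations, 13 routes (12 active, 0 holddown, 0 hidden)
0.0.0.0/0          *[Static/5] 00:06:05
                    > via pp0.1
TRUST-VRF-3.inet.0: 12 destinations, 13 routes (12 active, 0 holddown, 0 hidden)
0.0.0.0/0          *[Static/5] 00:17:41
                    > via pp0.2
TRUST-VRF-4.inet.0: 12 destinations, 13 routes (12 active, 0 holddown, 0 hidden)
0.0.0.0/0          *[Static/5] 00:04:05
                    > via pp0.3
"""
TERSE_RE = re.compile(r"^(\S+)\s+(up|down)\s+(up|down)(?:\s+\S+\s+(\S+)\s+-->\s+\S+)?$")
TABLE_RE = re.compile(r"^(\S+): \d+ destinations")
PREFIX_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+/\d+)\s+\*?\[\w+/\d+\]")
NEXTHOP_RE = re.compile(r"^\s+(>)?\s*(?:to (\S+) )?via (\S+)$")

def parse_terse(text):
    """{interface: (link state, negotiated local address or None)}."""
    out = {}
    for line in text.splitlines():
        if m := TERSE_RE.match(line.strip()):
            out[m.group(1)] = (m.group(3), m.group(4))
    return out

def parse_show_route(text):
    """{table: {prefix: (gateway or None, interface)}} keeping only the next hop
    Junos marks active ('>'); unmarked ECMP members and Local routes are skipped."""
    tables, table, prefix = {}, None, None
    for line in map(str.rstrip, text.splitlines()):
        if m := TABLE_RE.match(line):
            table = tables.setdefault(m.group(1), {})
        elif m := PREFIX_RE.match(line):
            prefix = m.group(1)
        elif (m := NEXTHOP_RE.match(line)) and m.group(1) and table is not None:
            table[prefix] = (m.group(2), m.group(3))
    return tables

def lookup(table, dst):
    """Longest-prefix match in one table: (gateway, interface) or None."""
    hits = [(ip_network(p), nh) for p, nh in table.items() if dst in ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

# USER-IN from section 2: (term, source prefixes, routing-instance or "accept").
USER_IN = [
    ("1", ["192.168.2.0/24", "192.168.3.0/24", "192.168.7.0/24"], "TRUST-VRF-1"),
    ("2", ["192.168.6.0/24", "192.168.8.0/24"], "TRUST-VRF-2"),
    ("3", ["192.168.9.0/24"], "TRUST-VRF-3"),
    ("4", ["192.168.5.0/24", "192.168.1.0/24"], "TRUST-VRF-4"),
    ("5", [], "accept"),  # no 'from' clause, so it matches everything left over
]

def forward(tables, terms, src_ip, dst_ip):
    """(term, table, next hop) for a packet entering ge-0/0/8 with the filter as
    input filter. term None = implicit discard; next hop None = no route."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    for term, sources, action in terms:
        if not sources or any(src in ip_network(s) for s in sources):
            table = "inet.0" if action == "accept" else action + ".inet.0"
            return term, table, lookup(tables[table], dst)
    return None, None, None

def link_report(tables, terms, links, subnets, dst="8.8.8.8"):
    """{subnet: (egress interface, link state)} for Internet-bound traffic."""
    report = {}
    for s in subnets:
        nh = forward(tables, terms, str(ip_network(s)[10]), dst)[2]
        iface = nh[1] if nh else None
        report[s] = (iface, links.get(iface, ("unknown", None))[0])
    return report
```

`link_report(parse_show_route(SHOW_ROUTE), USER_IN, parse_terse(TERSE), ["192.168.1.0/24", "192.168.2.0/24", "192.168.4.0/24"])` maps 192.168.1.0/24 to pp0.3 (down in the constructed sample), 192.168.2.0/24 to pp0.0 (up) and the unlisted 192.168.4.0/24 to inet.0's active next hop on ge-0/0/9.0, which the terse excerpt does not cover. Calling `forward` with `USER_IN[:-1]`, i.e. without the catch-all term 5, returns the implicit-discard result for 192.168.4.10, which is the failure mode described under Step 4. To run it against a live device, paste the two command outputs into `TERSE` and `SHOW_ROUTE`.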