Business subnets:
siteA: vlan100 192.168.100.0/24 , vlan200 192.168.200.0/24
siteB: 192.168.10.0/24
siteC: 192.168.20.0/24
Internet-side (transit) subnets:
172.16.1.0/24
172.16.2.0/24
172.16.3.0/24
siteA vlan100 ping siteB: ping 192.168.10.10 routing-instance v100
siteA vlan200 ping siteC: ping 192.168.10.10 routing-instance v200
The vMX-ISP router simulates the ISP carrier network.
2. vSRXA configuration:
vSRXA interface IP address configuration:
set chassis cluster reth-count 8
set interfaces ge-0/0/2 gigether-options redundant-parent reth0
set interfaces ge-0/0/3 gigether-options redundant-parent reth1
set interfaces ge-7/0/2 gigether-options redundant-parent reth0
set interfaces ge-7/0/3 gigether-options redundant-parent reth1
set interfaces reth0 vlan-tagging
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth0 unit 100 vlan-id 100
set interfaces reth0 unit 100 family inet address 192.168.100.1/24
set interfaces reth0 unit 200 vlan-id 200
set interfaces reth0 unit 200 family inet address 192.168.200.1/24
set interfaces reth1 redundant-ether-options redundancy-group 1
set interfaces reth1 unit 0 family inet address 172.16.3.1/24
Assign the vSRXA interfaces to security zones:
set security zones security-zone v100 host-inbound-traffic system-services all
set security zones security-zone v100 host-inbound-traffic protocols all
set security zones security-zone v100 interfaces reth0.100
set security zones security-zone v200 host-inbound-traffic system-services all
set security zones security-zone v200 host-inbound-traffic protocols all
set security zones security-zone v200 interfaces reth0.200
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic protocols all
set security zones security-zone untrust interfaces reth1.0
vSRXA security policy configuration (permit all traffic between zones):
{primary:node0}[edit]
root@vSRXA1# show security policies | display set
set security policies from-zone v100 to-zone untrust policy 1 match source-address any
set security policies from-zone v100 to-zone untrust policy 1 match destination-address any
set security policies from-zone v100 to-zone untrust policy 1 match application any
set security policies from-zone v100 to-zone untrust policy 1 then permit
set security policies from-zone v200 to-zone untrust policy 1 match source-address any
set security policies from-zone v200 to-zone untrust policy 1 match destination-address any
set security policies from-zone v200 to-zone untrust policy 1 match application any
set security policies from-zone v200 to-zone untrust policy 1 then permit
set security policies from-zone v100 to-zone v200 policy 1 match source-address any
set security policies from-zone v100 to-zone v200 policy 1 match destination-address any
set security policies from-zone v100 to-zone v200 policy 1 match application any
set security policies from-zone v100 to-zone v200 policy 1 then permit
set security policies from-zone v200 to-zone v100 policy 1 match source-address any
set security policies from-zone v200 to-zone v100 policy 1 match destination-address any
set security policies from-zone v200 to-zone v100 policy 1 match application any
set security policies from-zone v200 to-zone v100 policy 1 then permit
set security policies from-zone untrust to-zone v100 policy 1 match source-address any
set security policies from-zone untrust to-zone v100 policy 1 match destination-address any
set security policies from-zone untrust to-zone v100 policy 1 match application any
set security policies from-zone untrust to-zone v100 policy 1 then permit
set security policies from-zone untrust to-zone v200 policy 1 match source-address any
set security policies from-zone untrust to-zone v200 policy 1 match destination-address any
set security policies from-zone untrust to-zone v200 policy 1 match application any
set security policies from-zone untrust to-zone v200 policy 1 then permit
vSRXA routing configuration:
set routing-options static route 0.0.0.0/0 next-hop 172.16.3.2
3. vSRXB1 configuration
vSRXB1 interface and security zone configuration:
set interfaces ge-0/0/0 unit 0 family inet address 172.16.1.1/24
set interfaces ge-0/0/1 unit 0 family inet address 192.168.10.1/24
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic protocols all
set security zones security-zone untrust interfaces ge-0/0/0.0
set routing-options static route 0.0.0.0/0 next-hop 172.16.1.2
vSRXB1 security policy configuration:
set security policies from-zone trust to-zone trust policy default-permit match source-address any
set security policies from-zone trust to-zone trust policy default-permit match destination-address any
set security policies from-zone trust to-zone trust policy default-permit match application any
set security policies from-zone trust to-zone trust policy default-permit then permit
set security policies from-zone trust to-zone untrust policy default-permit match source-address any
set security policies from-zone trust to-zone untrust policy default-permit match destination-address any
set security policies from-zone trust to-zone untrust policy default-permit match application any
set security policies from-zone trust to-zone untrust policy default-permit then permit
set security policies from-zone untrust to-zone trust policy 1 match source-address any
set security policies from-zone untrust to-zone trust policy 1 match destination-address any
set security policies from-zone untrust to-zone trust policy 1 match application any
set security policies from-zone untrust to-zone trust policy 1 then permit
4. vSRXC1 configuration
vSRXC1 interface and security zone configuration:
root@vSRX-NGC1# show interfaces | display set
set interfaces ge-0/0/0 unit 0 family inet address 172.16.2.1/24
set interfaces ge-0/0/1 unit 0 family inet address 192.168.20.1/24
set security zones security-zone trust tcp-rst
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic protocols all
set security zones security-zone untrust interfaces ge-0/0/0.0
set routing-options static route 0.0.0.0/0 next-hop 172.16.2.2
vSRXC1 security policy configuration:
set security policies from-zone trust to-zone trust policy default-permit match source-address any
set security policies from-zone trust to-zone trust policy default-permit match destination-address any
set security policies from-zone trust to-zone trust policy default-permit match application any
set security policies from-zone trust to-zone trust policy default-permit then permit
set security policies from-zone trust to-zone untrust policy default-permit match source-address any
set security policies from-zone trust to-zone untrust policy default-permit match destination-address any
set security policies from-zone trust to-zone untrust policy default-permit match application any
set security policies from-zone trust to-zone untrust policy default-permit then permit
set security policies from-zone untrust to-zone trust policy 1 match source-address any
set security policies from-zone untrust to-zone trust policy 1 match destination-address any
set security policies from-zone untrust to-zone trust policy 1 match application any
set security policies from-zone untrust to-zone trust policy 1 then permit
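All three firewalls above (vSRXA, vSRXB1 and vSRXC1) use any/any/any permit policies in both directions, including untrust to trust, which is what makes the lab pings succeed but is also the first thing to tighten before a design like this leaves the lab. The script below is an added example, not part of the original notes or of Junos: it parses set-format `security policies` lines and reports every policy that permits any source, destination and application, marking the ones whose from-zone is untrust. The sample input is the vSRXB1 policy block from the notes plus one narrower, constructed policy (`web-only`, with a hypothetical address book entry `web-srv`) for contrast.

```python
"""Audit Junos set-format security policies for any/any/any permits.

Added example (not from the original lab notes). Reads 'set security
policies ...' lines, rebuilds each policy's match terms and action, and
lists the policies that permit all traffic, flagging inbound-from-untrust.
"""
import re
from collections import defaultdict

# Constructed sample: the vSRXB1 policies from the notes plus one narrower
# policy ('web-only', hypothetical) that should NOT be flagged.
SAMPLE_CONFIG = """
set security policies from-zone trust to-zone untrust policy default-permit match source-address any
set security policies from-zone trust to-zone untrust policy default-permit match destination-address any
set security policies from-zone trust to-zone untrust policy default-permit match application any
set security policies from-zone trust to-zone untrust policy default-permit then permit
set security policies from-zone untrust to-zone trust policy 1 match source-address any
set security policies from-zone untrust to-zone trust policy 1 match destination-address any
set security policies from-zone untrust to-zone trust policy 1 match application any
set security policies from-zone untrust to-zone trust policy 1 then permit
set security policies from-zone untrust to-zone trust policy web-only match source-address any
set security policies from-zone untrust to-zone trust policy web-only match destination-address web-srv
set security policies from-zone untrust to-zone trust policy web-only match application junos-https
set security policies from-zone untrust to-zone trust policy web-only then permit
"""

POLICY_RE = re.compile(
    r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+) (match|then) (.+)$"
)
MATCH_FIELDS = {
    "source-address": "source",
    "destination-address": "destination",
    "application": "application",
}


def parse_policies(config_text):
    """Return {(from_zone, to_zone, name): {source, destination, application, action}}.

    Match terms are collected as sets so a policy listing several addresses
    or applications is represented faithfully; the action is the first
    keyword after 'then' when it is permit/deny/reject.
    """
    policies = defaultdict(lambda: {"source": set(), "destination": set(),
                                    "application": set(), "action": None})
    for raw in config_text.splitlines():
        m = POLICY_RE.match(raw.strip())
        if not m:
            continue  # not a policy line (zones, interfaces, routes...)
        from_zone, to_zone, name, kind, rest = m.groups()
        policy = policies[(from_zone, to_zone, name)]
        if kind == "match":
            field, value = rest.split(None, 1)
            if field in MATCH_FIELDS:
                policy[MATCH_FIELDS[field]].add(value)
        else:
            action = rest.split()[0]
            if action in ("permit", "deny", "reject"):
                policy["action"] = action
    return dict(policies)


def find_permit_any(policies):
    """Sorted (from_zone, to_zone, name) keys of policies permitting any/any/any."""
    hits = []
    for key, p in policies.items():
        if p["action"] == "permit" and all(
            p[field] == {"any"} for field in ("source", "destination", "application")
        ):
            hits.append(key)
    return sorted(hits)


def inbound_permit_any(policies, untrusted_zone="untrust"):
    """The permit-any policies whose from-zone is the untrusted zone."""
    return [k for k in find_permit_any(policies) if k[0] == untrusted_zone]


if __name__ == "__main__":
    pols = parse_policies(SAMPLE_CONFIG)
    for from_zone, to_zone, name in find_permit_any(pols):
        flag = "  <-- inbound from untrust" if from_zone == "untrust" else ""
        print("permit-any: %s -> %s policy %s%s" % (from_zone, to_zone, name, flag))
```

Run it against the output of `show security policies | display set` from each device; on the lab configuration above it reports every policy, and the `untrust -> trust` entries are the ones to replace with destination- and application-specific rules.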
5. vMX-ISP router configuration
set interfaces ge-0/0/0 unit 0 family bridge interface-mode access
set interfaces ge-0/0/0 unit 0 family bridge vlan-id 30
set interfaces ge-0/0/1 unit 0 family bridge interface-mode access
set interfaces ge-0/0/1 unit 0 family bridge vlan-id 30
set interfaces ge-0/0/2 unit 0 family inet address 172.16.1.2/24
set interfaces ge-0/0/3 unit 0 family inet address 172.16.2.2/24
set interfaces irb unit 30 family inet address 172.16.3.2/24
[edit]
root@vMX-ISP# show routing-options | display set
set routing-options static route 192.168.10.0/24 next-hop 172.16.1.1
set routing-options static route 192.168.20.0/24 next-hop 172.16.2.1
set routing-options static route 192.168.100.0/24 next-hop 172.16.3.1
set routing-options static route 192.168.200.0/24 next-hop 172.16.3.1
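End-to-end reachability in this lab depends on the ISP's static routes agreeing with the firewalls' interface addressing: each business subnet must have a route on vMX-ISP, its next-hop must be the untrust address of the firewall that actually owns that subnet, and that next-hop must sit on a subnet the ISP is directly connected to. The script below is an added example, not part of the original notes, that checks those three conditions from the set-format lines already shown on this page (ISP interfaces and routes, firewall `family inet` addresses). A second, constructed ISP configuration with the siteC route pointed at vSRXB1 serves as a negative case.

```python
"""Cross-check vMX-ISP static routes against the vSRX interface addressing.

Added example (not from the original lab notes). Inputs are copied from the
set-format configuration on this page; ISP_CONFIG_BROKEN is a constructed
negative case.
"""
import ipaddress
import re

IFACE_RE = re.compile(r"^set interfaces (\S+) unit (\d+) family inet address (\S+)$")
ROUTE_RE = re.compile(r"^set routing-options static route (\S+) next-hop (\S+)$")

# vMX-ISP inet interfaces and static routes from the notes.
ISP_CONFIG = """
set interfaces ge-0/0/2 unit 0 family inet address 172.16.1.2/24
set interfaces ge-0/0/3 unit 0 family inet address 172.16.2.2/24
set interfaces irb unit 30 family inet address 172.16.3.2/24
set routing-options static route 192.168.10.0/24 next-hop 172.16.1.1
set routing-options static route 192.168.20.0/24 next-hop 172.16.2.1
set routing-options static route 192.168.100.0/24 next-hop 172.16.3.1
set routing-options static route 192.168.200.0/24 next-hop 172.16.3.1
"""

# Constructed negative case: the siteC route is sent to vSRXB1's address.
ISP_CONFIG_BROKEN = ISP_CONFIG.replace(
    "192.168.20.0/24 next-hop 172.16.2.1", "192.168.20.0/24 next-hop 172.16.1.1"
)

# Firewall 'family inet' addresses from the notes (reth sub-units on vSRXA).
FIREWALL_CONFIGS = {
    "vSRXA": """
set interfaces reth0 unit 100 family inet address 192.168.100.1/24
set interfaces reth0 unit 200 family inet address 192.168.200.1/24
set interfaces reth1 unit 0 family inet address 172.16.3.1/24
""",
    "vSRXB1": """
set interfaces ge-0/0/0 unit 0 family inet address 172.16.1.1/24
set interfaces ge-0/0/1 unit 0 family inet address 192.168.10.1/24
""",
    "vSRXC1": """
set interfaces ge-0/0/0 unit 0 family inet address 172.16.2.1/24
set interfaces ge-0/0/1 unit 0 family inet address 192.168.20.1/24
""",
}


def parse_interfaces(text):
    """Return ip_interface objects for every 'family inet address' line."""
    ifaces = []
    for line in text.splitlines():
        m = IFACE_RE.match(line.strip())
        if m:
            ifaces.append(ipaddress.ip_interface(m.group(3)))
    return ifaces


def parse_routes(text):
    """Return {destination ip_network: next-hop ip_address} for static routes."""
    routes = {}
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            dest = ipaddress.ip_network(m.group(1), strict=False)
            routes[dest] = ipaddress.ip_address(m.group(2))
    return routes


def check_isp_routes(isp_config, firewall_configs):
    """Return a list of problem strings; an empty list means routing is consistent."""
    isp_ifaces = parse_interfaces(isp_config)
    isp_nets = {i.network for i in isp_ifaces}
    isp_routes = parse_routes(isp_config)
    problems = []
    for fw, cfg in firewall_configs.items():
        fw_ifaces = parse_interfaces(cfg)
        fw_addrs = {i.ip for i in fw_ifaces}
        for iface in fw_ifaces:
            net = iface.network
            if net in isp_nets:
                continue  # transit link shared with the ISP: connected, no route needed
            nh = isp_routes.get(net)
            if nh is None:
                problems.append(f"{fw}: ISP has no static route for {net}")
            elif nh not in fw_addrs:
                problems.append(f"{fw}: ISP route for {net} points to {nh}, not a {fw} address")
            elif not any(nh in n for n in isp_nets):
                problems.append(f"{fw}: next-hop {nh} for {net} is not on an ISP-connected subnet")
    return problems


if __name__ == "__main__":
    for label, cfg in (("notes", ISP_CONFIG), ("broken", ISP_CONFIG_BROKEN)):
        found = check_isp_routes(cfg, FIREWALL_CONFIGS)
        print(label, "->", found or "consistent")
```

The firewalls' own `0.0.0.0/0` routes are not needed for this check because they are parsed from the ISP side only; the check is about the return path, which is where a ping from a site would fail silently if the ISP sent replies to the wrong firewall.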
6. vMXA1, vMXB1 and vMXC1 configuration
root@vMXA1# show interfaces | display set
set interfaces ge-0/0/0 unit 0 family bridge interface-mode trunk
set interfaces ge-0/0/0 unit 0 family bridge vlan-id-list 100
set interfaces ge-0/0/0 unit 0 family bridge vlan-id-list 200
set interfaces ge-0/0/1 unit 0 family bridge interface-mode trunk
set interfaces ge-0/0/1 unit 0 family bridge vlan-id-list 100
set interfaces ge-0/0/1 unit 0 family bridge vlan-id-list 200
set interfaces irb unit 100 family inet address 192.168.100.10/24
set interfaces irb unit 200 family inet address 192.168.200.10/24
[edit]
root@vMXA1# show routing-instances | display set
set routing-instances v100 instance-type virtual-router
set routing-instances v100 interface irb.100
set routing-instances v100 routing-options static route 0.0.0.0/0 next-hop 192.168.100.1
set routing-instances v200 instance-type virtual-router
set routing-instances v200 interface irb.200
set routing-instances v200 routing-options static route 0.0.0.0/0 next-hop 192.168.200.1
[edit]
root@vMXB1# show interfaces | display set
set interfaces ge-0/0/0 unit 0 family inet address 192.168.10.10/24
root@vMXB1# show routing-options | display set
set routing-options static route 0.0.0.0/0 next-hop 192.168.10.1
root@vMXC1# show interfaces | display set
set interfaces ge-0/0/0 unit 0 family inet address 192.168.20.10/24
root@vMXC1# show routing-options | display set
set routing-options static route 0.0.0.0/0 next-hop 192.168.20.1
7. Connectivity test
root@vMXA1> ping 192.168.10.10 routing-instance v100 count 1
PING 192.168.10.10 (192.168.10.10): 56 data bytes
64 bytes from 192.168.10.10: icmp_seq=0 ttl=61 time=21.264 ms
--- 192.168.10.10 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/stddev = 21.264/21.264/21.264/0.000 ms
root@vMXA1> ping 192.168.10.10 routing-instance v200 count 1
PING 192.168.10.10 (192.168.10.10): 56 data bytes
64 bytes from 192.168.10.10: icmp_seq=0 ttl=61 time=19.351 ms
--- 192.168.10.10 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/stddev = 19.351/19.351/19.351/0.000 ms
root@vMXA1> ping 192.168.20.10 routing-instance v200 count 1
PING 192.168.20.10 (192.168.20.10): 56 data bytes
64 bytes from 192.168.20.10: icmp_seq=0 ttl=61 time=14.968 ms
--- 192.168.20.10 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/stddev = 14.968/14.968/14.968/0.000 ms
root@vMXA1> ping 192.168.20.10 routing-instance v100 count 1
PING 192.168.20.10 (192.168.20.10): 56 data bytes
64 bytes from 192.168.20.10: icmp_seq=0 ttl=61 time=14.589 ms
--- 192.168.20.10 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/stddev = 14.589/14.589/14.589/0.000 ms
Summary:
1. Physical interface IP and VLAN sub-interface IP configuration in an SRX HA (chassis cluster) environment
2. Assigning interfaces to security zones
3. Security policy (permit) configuration
4. Routing configuration for end-to-end connectivity