juniper SRX240增加线路，调整策略顺序笔记

1先配置端口，将线路接在interfaces ge-0/0/12 unit 0上面

[edit]

root@SRX240# edit interfaces ge-0/0/12 unit 0 

[edit interfaces ge-0/0/12 unit 0]

root@SRX240# set description isp66 

[edit interfaces ge-0/0/12 unit 0]

root@SRX240# set family inet address 222.222.222.222/32 

[edit interfaces ge-0/0/12 unit 0]

2指定使用线路的电脑，理解为路由也可以

192.168.50.42/32走222.222.222.222上外网

[edit]

root@SRX240# edit routing-instances isp66  

[edit routing-instances isp66]

root@SRX240# set instance-type virtual-router 

root@SRX240#set routing-options static route 192.168.50.42/32 next-hop 222.222.222.222

3进口登记

root@SRX240# edit routing-options rib-groups IMPORT-PHY      

[edit routing-options rib-groups IMPORT-PHY]

root@SRX240# insert import-rib isp66.inet.0 after line2.inet.0 

[edit routing-options rib-groups IMPORT-PHY]

4配置ISP，理解为条目，模块都可以，方便调用

[edit]

root@SRX240# edit policy-options policy-statement inject-to-inet0 

[edit policy-options policy-statement inject-to-inet0]

root@SRX240# edit term 66 

[edit policy-options policy-statement inject-to-inet0 term 66]

root@SRX240# edit then 

[edit policy-options policy-statement inject-to-inet0 term 66 then]

root@SRX240# set accept 

root@SRX240# top 

root@SRX240# edit policy-options policy-statement inject-to-inet0 

[edit policy-options policy-statement inject-to-inet0]

root@SRX240# edit term 66 

[edit policy-options policy-statement inject-to-inet0 term 66]

root@SRX240# edit from 

[edit policy-options policy-statement inject-to-inet0 term 66 from]

root@SRX240# set instance isp66 

[edit policy-options policy-statement inject-to-inet0 term 66 from]

root@SRX240# set route-filter 0.0.0.0/0 exact 

[edit policy-options policy-statement inject-to-inet0 term 66 from]

root@SRX240# commit 

5配置防火墙策略

[edit]

root@SRX240# edit firewall filter F1 

root@SRX240# edit term 66 

[edit firewall filter F1 term 66]

root@SRX240# set from source-address 192.168.50.42/32      

[edit firewall filter F1 term 66]

root@SRX240# set then routing-instance isp66 

[edit firewall filter F1 term 66]

root@SRX240# commit 

commit complete

6调整防火墙策略顺序

root@SRX240# insert term 66 before term 7 

[edit firewall filter F1]

root@SRX240# commit 

commit complete