
Application of Sub-Interface (single-arm routing) of Juniper-SSG Series

2025-01-17 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

I. Network structure

Analysis and pre-planning

The plan is shown in the figure above.

Analysis of the customer's current tentative topology: the goal is communication between multiple VLANs. In theory, SW-A only lets hosts in 10.10.0.X/24 through, and the Juniper firewall can ping vlanif1-6. That is the problem: only hosts in 10.10.0.x/24 can reach the Juniper device, because the firewall has no port in the other VLANs. This points straight at one-arm routing! (^ _ ^)

[Definition of one-arm routing]

One-arm routing (router-on-a-stick) means interconnecting VLANs (virtual local area networks) that were originally isolated from each other by configuring subinterfaces (or "logical interfaces", which have no real physical port) on a single physical interface of the router. In this case the device on the stick is a Juniper firewall, so the VLANs can be kept independent of each other through policies; without policies they are simply interconnected.

Advantages: enables communication between different VLANs, and helps in understanding the principle of VLANs and the concept of subinterfaces.

Disadvantages: the single link easily becomes a single point of failure for the network, and the configuration is slightly complex, so its practical value is limited.

IV. Firewall configuration:

The configuration on Web-UI is as follows:

Step 1: in the drop-down list, select Sub-IF

Step 2: enter the parameters

The same configuration in CLI form:

set interface "ethernet0/1.1" tag 2 zone "Trust"

set interface "ethernet0/1.2" tag 3 zone "Trust"  # create subinterfaces on e0/1 and tag each with its VLAN

set interface ethernet0/1.1 ip 10.10.2.1/24  # IP configuration

set interface ethernet0/1.1 nat

set interface ethernet0/1.2 ip 10.10.3.1/24  # IP configuration

set interface ethernet0/1.2 nat

(PS: pay attention to the interface, the zone and the VLAN tag. 10.10.2.1/24 corresponds to Vlanif2 on SW-A, so the entries here must match one to one. Click OK and the result shown in the figure below is produced.)
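The one-to-one correspondence the PS above insists on (subinterface tag, zone and IP network versus the switch's VLAN plan) is easy to get wrong when typing several subinterfaces. The following script is an added example, not part of the original article or of Juniper's tooling: it parses `set interface` lines in the shape shown above and checks them against a constructed VLAN table for SW-A (the table, the `SWITCH_VLANS` name and the check functions are the example's own assumptions).

```python
"""Consistency check for ScreenOS router-on-a-stick subinterface configs.

Added example (not from the original article): parses 'set interface' lines
as written in the article and checks that each subinterface's VLAN tag and
IP network line up one-to-one with the switch's VLAN plan.
"""
import ipaddress
import re
from collections import Counter

# Constructed VLAN plan for SW-A (assumption): VLAN id -> subnet of that VLAN interface.
SWITCH_VLANS = {
    2: ipaddress.ip_network("10.10.2.0/24"),
    3: ipaddress.ip_network("10.10.3.0/24"),
}

# The subinterface commands from the article, comments stripped.
FIREWALL_CONFIG = """
set interface "ethernet0/1.1" tag 2 zone "Trust"
set interface "ethernet0/1.2" tag 3 zone "Trust"
set interface ethernet0/1.1 ip 10.10.2.1/24
set interface ethernet0/1.1 nat
set interface ethernet0/1.2 ip 10.10.3.1/24
set interface ethernet0/1.2 nat
"""

TAG_RE = re.compile(r'^set interface "?([\w/.]+)"? tag (\d+) zone "?(\w+)"?$')
IP_RE = re.compile(r'^set interface "?([\w/.]+)"? ip (\S+)$')


def parse_subinterfaces(config_text):
    """Return {ifname: {"tag": int, "zone": str, "ip": IPv4Interface}} for the lines recognised."""
    subifs = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        m = TAG_RE.match(line)
        if m:
            name, tag, zone = m.groups()
            subifs.setdefault(name, {}).update(tag=int(tag), zone=zone)
            continue
        m = IP_RE.match(line)
        if m:
            name, addr = m.groups()
            subifs.setdefault(name, {})["ip"] = ipaddress.ip_interface(addr)
    return subifs


def check_consistency(subifs, switch_vlans):
    """Return a list of findings; an empty list means the plan is consistent."""
    findings = []
    # Each VLAN tag and each IP network may appear on only one subinterface.
    tags = Counter(s["tag"] for s in subifs.values() if "tag" in s)
    for tag, n in tags.items():
        if n > 1:
            findings.append(f"VLAN tag {tag} is used by {n} subinterfaces")
    networks = Counter(s["ip"].network for s in subifs.values() if "ip" in s)
    for net, n in networks.items():
        if n > 1:
            findings.append(f"network {net} is assigned to {n} subinterfaces")
    # Each subinterface must carry a tag and an address, and the address must sit
    # in the subnet the switch serves on that VLAN.
    for name, s in sorted(subifs.items()):
        if "tag" not in s:
            findings.append(f"{name}: no VLAN tag configured")
            continue
        if "ip" not in s:
            findings.append(f"{name}: no IP address configured")
            continue
        expected = switch_vlans.get(s["tag"])
        if expected is None:
            findings.append(f"{name}: tag {s['tag']} does not exist on the switch")
        elif s["ip"].network != expected:
            findings.append(f"{name}: tag {s['tag']} expects {expected} on the switch "
                            f"but the subinterface is in {s['ip'].network}")
    return findings


if __name__ == "__main__":
    result = check_consistency(parse_subinterfaces(FIREWALL_CONFIG), SWITCH_VLANS)
    for line in result or ["subinterface plan is consistent with SW-A"]:
        print(line)
```

Swapping the tag on one subinterface, or giving two subinterfaces addresses in the same /24, produces a finding naming the interface, which is the mismatch that would otherwise only show up as one VLAN that cannot reach its gateway.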

Please note that once a subinterface is created it is UP by default, and once the main interface goes down the subinterface goes down with it. After this one-to-one correspondence has been established, communication between the VLANs works. Testing from the VLAN ports shows that everything is normal; this is router-on-a-stick. To help you understand one-arm routing better, I found a picture; see below.

In theory vlan10 and vlan20 cannot ping each other, but they can be interconnected through the one-arm route just introduced. (Generally speaking, multiple gateways are set up as subinterfaces of Fa0/0.)

V. Review of implementation

Router-on-a-stick is mostly used in small and medium-sized enterprises: when the budget does not allow layer 3 switches, multi-VLAN interconnection is achieved through layer 2 switches.

For this implementation and delivery I did not configure any policy, because the customer needs interconnection between the VLANs. Here is a brief introduction to SSG series policy configuration.

The two network segments are prohibited from accessing each other; further rules can be added according to actual needs.

set policy id 35 from "Trust" to "Trust" "10.10.2.1/24" "10.10.3.1/24" "ANY" deny log

set policy id 35

exit

set policy id 34 from "Trust" to "Trust" "10.10.3.1/24" "10.10.2.1/24" "ANY" deny log

set policy id 34

exit

Then configure the Untrust-to-Trust access policy, so that each segment is independent and has its own security policy:

set policy id 36 from "Untrust" to "Trust" "Any" "10.10.2.1/24" "ANY" deny log

set policy id 36

exit

set policy id 37 from "Untrust" to "Trust" "Any" "10.10.3.1/24" "ANY" deny log

set policy id 37

exit
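The point of the four deny rules above is that, as the definition section says, subinterfaces in the same zone are interconnected unless a policy says otherwise. The script below is an added example, not code from the article or from Juniper: it parses `set policy` lines of the shape shown above into an ordered list and answers whether a given flow is permitted or denied. Two modelling choices are the example's own assumptions and are marked in the code: policies are matched in the order listed, and a flow that matches no policy is permitted within a zone and denied between zones.

```python
"""Policy lookup model for the SSG deny rules in the article.

Added example, not from the original article or from Juniper.  It shows how the
Trust-to-Trust deny rules change the outcome for traffic between the two
subinterface networks, and that traffic inside one network is untouched.
"""
import ipaddress
import re

# Policies from the article, addresses written as prefixes.
POLICY_CONFIG = """
set policy id 35 from "Trust" to "Trust" "10.10.2.1/24" "10.10.3.1/24" "ANY" deny log
set policy id 34 from "Trust" to "Trust" "10.10.3.1/24" "10.10.2.1/24" "ANY" deny log
set policy id 36 from "Untrust" to "Trust" "Any" "10.10.2.1/24" "ANY" deny log
set policy id 37 from "Untrust" to "Trust" "Any" "10.10.3.1/24" "ANY" deny log
"""

POLICY_RE = re.compile(
    r'^set policy id (\d+) from "(\w+)" to "(\w+)" "([^"]+)" "([^"]+)" "([^"]+)" (permit|deny)')


def to_network(addr):
    """'Any' covers every address; other entries are host/prefix notation as written in the article."""
    if addr.lower() == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(addr, strict=False)


def parse_policies(text):
    """Return the policies as an ordered list of dicts, keeping the order they appear in."""
    policies = []
    for raw in text.splitlines():
        m = POLICY_RE.match(raw.strip())
        if not m:
            continue
        pid, from_zone, to_zone, src, dst, svc, action = m.groups()
        policies.append({"id": int(pid), "from": from_zone, "to": to_zone,
                         "src": to_network(src), "dst": to_network(dst),
                         "service": svc, "action": action})
    return policies


def lookup(policies, from_zone, to_zone, src_ip, dst_ip):
    """Return (action, policy_id); policy_id is None when the default applies."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for p in policies:  # assumption: the first matching policy in listed order wins
        if (p["from"], p["to"]) == (from_zone, to_zone) and src in p["src"] and dst in p["dst"]:
            return p["action"], p["id"]
    # assumption: with no explicit policy, intra-zone traffic flows and inter-zone traffic does not
    return ("permit" if from_zone == to_zone else "deny"), None


def compare_flows(policies, flows):
    """Evaluate each (from_zone, to_zone, src, dst) flow with and without the policies."""
    rows = []
    for from_zone, to_zone, src, dst in flows:
        without, _ = lookup([], from_zone, to_zone, src, dst)
        with_, pid = lookup(policies, from_zone, to_zone, src, dst)
        rows.append((src, dst, without, with_, pid))
    return rows


if __name__ == "__main__":
    # Constructed sample flows: across the two VLAN networks, inside one network, and from Untrust.
    sample_flows = [
        ("Trust", "Trust", "10.10.2.50", "10.10.3.20"),
        ("Trust", "Trust", "10.10.2.50", "10.10.2.60"),
        ("Untrust", "Trust", "203.0.113.9", "10.10.3.7"),
    ]
    for src, dst, without, with_, pid in compare_flows(parse_policies(POLICY_CONFIG), sample_flows):
        print(f"{src:>12} -> {dst:<12} no policy: {without:<6} with policies: {with_:<6} (id {pid})")
```

Running it shows the cross-VLAN flow going from permit to deny (policy 35), the flow inside 10.10.2.0/24 staying permitted, and the Untrust flow denied either way; the Untrust rules add logging rather than changing the outcome.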

PS: at present this operation has not been debugged and tested, and its practicability remains to be studied. Thank you, Shi Zhennan, for your support.
