2025-01-19 update. From: SLTechnology News & Howtos > Network Security
Shulou (Shulou.com) 06/01 Report
1. Routing instance
A routing instance is a collection of routing tables, interfaces, and routing protocol parameters. The interface and routing protocol parameters determine how the instance's routing table is populated.
Each routing instance has its own instance name and maintains a separate routing table.
The global routing table is itself a routing instance (the master instance); its IPv4 unicast table is called inet.0.
2. Ordinary static policy routing (policy only, no NAT translation)
The setup includes the following steps:
1) Set up the interface unit (subinterface) that serves as the inbound/outbound interface of the service area
2) Define the routing instance: instance type forwarding, plus the instance's routing table (static routes)
3) Define the firewall filter
4) Define the interface-routes rib-group
5) Import the interface routes, via the rib-group, into both the global routing table and the routing instance's routing table
6) Apply the firewall filter to the intranet (inside) interface
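The six steps above written out as one complete Junos set-format configuration. This is an added example, not configuration from the original article: the instance name FBF-2ND, filter name fbf-filter, rib-group name INSIDE, counter name to-fbf-hits, the addresses 192.0.2.0/24, 192.0.2.10/32 and 203.0.113.0/24, the next hop 203.0.113.1, and the interfaces ge-0/0/0 and ge-0/0/1 are all assumed placeholders.

```junos
# Step 1: inside interface (unit 0) that receives the traffic to be policy-routed,
# plus the outside interface the instance's next hop lives on (both assumed)
set interfaces ge-0/0/0 unit 0 family inet address 192.0.2.1/24
set interfaces ge-0/0/1 unit 0 family inet address 203.0.113.2/24

# Step 2: forwarding-type instance. It owns no interfaces; it holds only the
# static default route that sends diverted traffic to the second ISP gateway
set routing-instances FBF-2ND instance-type forwarding
set routing-instances FBF-2ND routing-options static route 0.0.0.0/0 next-hop 203.0.113.1

# Step 3: firewall filter. Terms are evaluated in order, so local traffic is
# accepted into inet.0 first; only the listed host is diverted to the instance
set firewall family inet filter fbf-filter term keep-local from destination-address 192.0.2.0/24
set firewall family inet filter fbf-filter term keep-local then accept
set firewall family inet filter fbf-filter term to-fbf from source-address 192.0.2.10/32
set firewall family inet filter fbf-filter term to-fbf then count to-fbf-hits
set firewall family inet filter fbf-filter term to-fbf then routing-instance FBF-2ND
set firewall family inet filter fbf-filter term default then accept

# Steps 4 and 5: rib-group that copies the directly connected (interface) routes
# into both inet.0 and FBF-2ND.inet.0, so the instance can resolve 203.0.113.1
set routing-options interface-routes rib-group inet INSIDE
set routing-options rib-groups INSIDE import-rib inet.0
set routing-options rib-groups INSIDE import-rib FBF-2ND.inet.0

# Step 6: apply the filter inbound on the inside interface
set interfaces ge-0/0/0 unit 0 family inet filter input fbf-filter
```

The rib-group is what makes step 2 work: a forwarding instance has no interfaces of its own, so without the imported interface routes its default route's next hop would be unresolvable and the diverted traffic would be dropped. On an SRX the inside and outside interfaces must additionally belong to security zones with a policy permitting the traffic; section 3 shows those zone definitions.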
3. Policy routing with NAT (both policy routing and NAT translation)
Note:
1) In this case you need to use a routing instance of type virtual-router.
2) Each virtual-router maintains a separate routing table.
[Figure: topology diagram of the configuration example]
Goal:
By default, intranet hosts reach the public network via the CNC 2M link, while designated PCs reach the public network via the CNC 50M link.
Implementation idea:
By default, all hosts in the private network are forwarded to the public network through the global routing table inet.0, over the CNC 2M link. The specified PCs are diverted by the Juniper SRX's filter-based forwarding (FBF) policy into the routing table of the CNC50M instance, which sends them out over the CNC 50M link.
The setup steps are as follows:
1) Define the security zone
Example configuration:
set security zones security-zone lt host-inbound-traffic system-services all
set security zones security-zone lt host-inbound-traffic protocols all
2) Set up the interface unit (subinterface) that serves as the inbound/outbound interface of the service area, and place it in the zone
Example configuration:
set security zones security-zone lt interfaces ge-0/0/2.0 host-inbound-traffic system-services all
set security zones security-zone lt interfaces ge-0/0/2.0 host-inbound-traffic protocols all
3) Define the routing instances. The number of routing instances can match the number of ISP lines connected. Each instance uses instance type virtual-router, has the VR's interface assigned to it, and maintains the VR's own routing table.
Example configuration:
set routing-instances CNC50M instance-type virtual-router
set routing-instances CNC50M interface ge-0/0/2.0
# Default route pointing to the public network gateway provided by the ISP
set routing-instances CNC50M routing-options static route 0.0.0.0/0 next-hop XX.XX.XX.XX
4) Define the NAT-related configuration: source NAT rule-set and rule, security policy, address-book entries, application, etc.
Example source NAT rule-set configuration:
set security nat source rule-set CNC50M-snat-internet from zone trust
set security nat source rule-set CNC50M-snat-internet to zone lt
set security nat source rule-set CNC50M-snat-internet rule CNC50M-inside-to-outside match source-address 0.0.0.0/0
set security nat source rule-set CNC50M-snat-internet rule CNC50M-inside-to-outside match destination-address 0.0.0.0/0
set security nat source rule-set CNC50M-snat-internet rule CNC50M-inside-to-outside then source-nat interface
Example security policy configuration:
set security policies from-zone trust to-zone lt policy CNC50M-snat-internet match source-address CBGZ-out-norestrict
set security policies from-zone trust to-zone lt policy CNC50M-snat-internet match destination-address any
set security policies from-zone trust to-zone lt policy CNC50M-snat-internet match application any
set security policies from-zone trust to-zone lt policy CNC50M-snat-internet then permit
set security policies from-zone trust to-zone lt policy CNC50M-snat-internet then log session-init
set security policies from-zone trust to-zone lt policy CNC50M-snat-internet then log session-close
5) Define the firewall filter
Example configuration:
# Allow private-network PCs to reach each other through the global table. Without this
# term, hosts could not reach other private-network PCs on this firewall's private-network
# interfaces, because their traffic would be diverted to the instance table instead.
set firewall family inet filter filter-1 term LAN_term from destination-address 172.16.0.0/16
set firewall family inet filter filter-1 term LAN_term from destination-address 172.20.0.0/16
set firewall family inet filter filter-1 term LAN_term from destination-address 192.168.0.0/16
set firewall family inet filter filter-1 term LAN_term then accept
# Specified PCs reach the public network via the CNC 50M link
set firewall family inet filter filter-1 term CNC50M_term from source-address 172.16.29.25/32
set firewall family inet filter filter-1 term CNC50M_term from source-address 172.16.29.251/32
set firewall family inet filter filter-1 term CNC50M_term from source-address 172.16.28.166/32
set firewall family inet filter filter-1 term CNC50M_term from source-address 172.16.28.137/32
set firewall family inet filter filter-1 term CNC50M_term from source-address 172.16.28.139/32
set firewall family inet filter filter-1 term CNC50M_term from source-address 172.16.28.138/32
set firewall family inet filter filter-1 term CNC50M_term then routing-instance CNC50M
# All other traffic takes the default action, accept (normal lookup in inet.0)
set firewall family inet filter filter-1 term default then accept
6) Define the interface routing group (rib-group)
Example configuration:
set routing-options interface-routes rib-group inet INSIDE
7) Import the interface routes into the global routing table and the instance's routing table
Example configuration:
set routing-options rib-groups INSIDE import-rib inet.0
set routing-options rib-groups INSIDE import-rib CNC50M.inet.0
set routing-options rib-groups INSIDE import-rib default.inet.0
8) Apply the firewall filter to the intranet interface
set interfaces ge-0/0/0 unit 0 family inet filter input filter-1
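Operational checks for verifying that the eight steps above behave as intended. These commands are added here and are not part of the original article; the counter name cnc50m-hits is an assumed addition to the filter, and 198.51.100.1 is an assumed placeholder for a public destination. The PC address 172.16.29.25, the instance CNC50M, the zones trust and lt, the filter filter-1 and the policy CNC50M-snat-internet are the names used in the article.

```junos
# Configuration mode (assumed addition): count hits on the diverting term so the
# filter can be observed working without capturing traffic
set firewall family inet filter filter-1 term CNC50M_term then count cnc50m-hits

# Operational mode: the instance table must contain the ISP default route plus the
# interface routes leaked in by rib-group INSIDE; if the default route is "hidden",
# its next hop is not resolvable and the listed PCs will lose connectivity
show route table CNC50M.inet.0

# Compare how a public destination resolves in the instance table versus inet.0:
# the former should point at the CNC 50M gateway, the latter at the CNC 2M path
show route 198.51.100.1 table CNC50M.inet.0
show route 198.51.100.1 table inet.0

# The counter should increase while a listed PC generates Internet-bound traffic,
# and stay flat for traffic to 172.16.0.0/16, which LAN_term accepts first
show firewall filter filter-1

# Sessions from the listed PC should egress via ge-0/0/2.0 (zone lt) with the
# interface address as the translated source
show security flow session source-prefix 172.16.29.25/32

# Confirm the security policy and the source NAT rule are matched, not a default deny
show security policies from-zone trust to-zone lt policy-name CNC50M-snat-internet detail
show security nat source rule all
```

The first `show route` check is the one most worth running after each change: because the filter redirects only the route lookup, a missing or hidden default route in CNC50M.inet.0 silently drops the diverted PCs' Internet traffic while everything else keeps working.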
4. Difference between ordinary static policy routing and NAT-translated policy routing
The routing instance types differ:
Ordinary static policy routing: instance type forwarding
Policy routing with NAT translation: instance type virtual-router
Reference link: http://www.docin.com/p-598358767.html