Juniper SRX防火墙基本配置手册

Juniper SRX防火墙 基本配置手册

Juniper SRX防火墙基本配置手册

1 SRX防火墙的PPPoE拔号配置

Juniper SRX防火墙支持PPPoE拔号，这样防火墙能够连接ADSL链路，提供给内网用户访问网络的需求。

配置拓扑如下所示：

Juniper SRX240防火墙

在Juniper SRX防火墙上面设置ADSL PPPoE拔号，可以在WEB界面或者命令行下面查看PPPoE拔号接口pp0，在命令行下面的查看命令如下所示：

juniper@HaoPeng# run show interfaces terse | match pp

Interface Admin Link Proto Local Remote pp0 up up

在WEB界面下，也能够看到PPPoE的拔号接口

pp0

配置步聚如下所示：

第一步：选择接口ge-0/0/4作为PPPoE拔号接口的物理接口，将接口封装成PPPoE To configure PPPoE encapsulation on an Ethernet interface:

juniper@HaoPeng# set interfaces ge-0/0/4 unit 0 encapsulation ppp-over-ether

第二步：配置PPPoE接口PP0.0的参数

To create a PPPoE interface and configure PPPoE options:

user@host# set interfaces pp0 unit 0 pppoe-options underlying-interface ge-0/0/4.0 auto-reconnect 100 idle-timeout 100 client

Juniper SRX防火墙基本配置手册

第三步：配置PPPoE接口的MTU值

To configure the maximum transmission unit (MTU) of the IPv4 family: user@host# set interfaces pp0 unit 0 family inet mtu 1492

第四步：配置PPPoE接口的地址为negotiate-address To configure the PPPoE interface address:

user@host# set interfaces pp0 unit 0 family inet negotiate-address

第五步：配置PPPoE接口的PAP认证

set int pp0 unit 0 ppp-options pap default password 88888878 local-name szdigicn1@163.gd local-password 88888878 passive 注意：default password和local password都必须设置成ADSL拔号时所用的密码，local name必须是ADSL拔号时所用的用户名。

第六步：配置静态路由指向PPOE接口PP0.0

set routing-options static route 0.0.0.0/0 next-hop pp0.0

PPPoE拔号配置输出汇总如下所示：

验证PPPoE是否已经拔通，已经获得IP地址

root# run show interfaces terse | match pp

pp0 up up

pp0.0 up up inet 219.134.120.126 --> 219.134.120.1

验证PPPoE常见命令如下所示： show interfaces pp0 show pppoe interfaces show pppoe version show pppoe statistics clear pppoe sessions clear pppoe sta

Juniper SRX防火墙基本配置手册

2 SRX防火墙的FBF(Filter-based Forwarding)配置

Juniper SRX防火墙的FBF功能类似Juniper Netscreen防火墙上PBR(Policy based Routing),其基本功能就是基于数据包的源地址进行转发，可以将不同源地址的数据包转发到不同链路上来。

配置拓扑如下所示：

配置需求：客户这边有四条ADSL链路去上网，要求内网不同段走不同ADSL链路去上网 配置步聚如下所述： 第一步：接口配置 配置PPPOE拔号接口PP0.0

set interfaces pp0 unit 0 ppp-options pap default-password 88888878 set interfaces pp0 unit 0 ppp-options pap local-name "szdigicn1@163.gd" set interfaces pp0 unit 0 ppp-options pap local-password 88888878 set interfaces pp0 unit 0 ppp-options pap passive

Juniper SRX防火墙基本配置手册

set interfaces pp0 unit 0 pppoe-options underlying-interface ge-0/0/4.0 set interfaces pp0 unit 0 pppoe-options idle-timeout 0 set interfaces pp0 unit 0 pppoe-options auto-reconnect 2 set interfaces pp0 unit 0 pppoe-options client

set interfaces pp0 unit 0 family inet negotiate-address set interfaces ge-0/0/4 unit 0 encapsulation ppp-over-ether 其他PP0.1、PP0.2、PP0.3接口类似于PP0.0接口的配置。

配置内网接口Ge-0/0/8

set interfaces ge-0/0/8 unit 0 family inet address 192.168.100.2/24

第二步：创建路由实例(routing-instance)，创建四个VRF用来匹配四个PPPOE接口，routing-instance的类型是forwarding.

set routing-instances TRUST-VRF-1 instance-type forwarding

set routing-instances TRUST-VRF-1 routing-options static route 0.0.0.0/0 next-hop pp0.0

set routing-instances TRUST-VRF-2 instance-type forwarding

set routing-instances TRUST-VRF-2 routing-options static route 0.0.0.0/0 next-hop pp0.1

set routing-instances TRUST-VRF-3 instance-type forwarding

set routing-instances TRUST-VRF-3 routing-options static route 0.0.0.0/0 next-hop pp0.2

set routing-instances TRUST-VRF-4 instance-type forwarding

set routing-instances TRUST-VRF-4 routing-options static route 0.0.0.0/0 next-hop pp0.3

第三步：设置路由信息组

set routing-options interface-routes rib-group inet INSIDE set routing-options rib-groups INSIDE import-rib inet.0

set routing-options rib-groups INSIDE import-rib TRUST-VRF-1.inet.0 set routing-options rib-groups INSIDE import-rib TRUST-VRF-2.inet.0 set routing-options rib-groups INSIDE import-rib TRUST-VRF-3.inet.0 set routing-options rib-groups INSIDE import-rib TRUST-VRF-4.inet.0

第四步：设置防火墙过滤(firewall filter)，匹配数据包的源地址段

客户要求内网192.168.2.0,192.168.3.0,192.168.7.0网段走走第一条ADSL线路 set firewall filter USER-IN term 1 from source-address 192.168.2.0/24 set firewall filter USER-IN term 1 from source-address 192.168.3.0/24 set firewall filter USER-IN term 1 from source-address 192.168.7.0/24 set firewall filter USER-IN term 1 then routing-instance TRUST-VRF-1

客户要求内网192.168.6.0,192.168.8.0网段走走第二条ADSL线路

set firewall filter USER-IN term 2 from source-address 192.168.6.0/24 set firewall filter USER-IN term 2 from source-address …… 此处隐藏：7951字，全部文档内容请下载后查看。喜欢就下载吧 ……