Juniper Firewall NSRP Configuration Guide



Copyright 2005 Juniper Networks, Inc. Proprietary and C

A/A and A/P static routing environment

[Topology diagram: Intranet at the top; R1 and R2 running hsrp/vrrp; two L2 switches; FW1 and FW2 joined by an HA link; SW1 and SW2 (L3 switches, hsrp/vrrp) facing the LAN at the bottom]

A/P configuration

SW1 and SW2 configuration points: on the LAN side below, enable VRRP together with MSTP so that the gateways are spread across the two switches; toward the firewalls above, VRRP must be enabled as well.

SW1 configuration

interface VLAN 10
 no ip proxy-arp
 ip address 192.168.40.253 255.255.255.0
 vrrp 1 priority 200
 vrrp 1 ip 192.168.40.254
interface VLAN 20
 no ip proxy-arp
 ip address 192.168.60.253 255.255.255.0
 vrrp 1 ip 192.168.60.254
interface VLAN 100
 no ip proxy-arp
 ip address 10.0.0.2 255.255.255.0
 vrrp 1 priority 200
 vrrp 1 ip 10.0.0.1
ip route 0.0.0.0 0.0.0.0 10.0.0.254
spanning-tree mst configuration
 instance 0 vlan 1-9, 11-19, 21-4094
 instance 10 vlan 10
 instance 20 vlan 20
spanning-tree mst 10 priority 4096
interface FastEthernet 0/1
 switchport access vlan 100
!
interface FastEthernet 0/2
 switchport mode trunk
 switchport trunk allowed vlan remove 1-9,11-19,21-4094
!
interface FastEthernet 0/3
 switchport mode trunk
 switchport trunk allowed vlan remove 1-9,11-19,21-99,101-4094

SW2 configuration

interface VLAN 10
 no ip proxy-arp
 ip address 192.168.40.252 255.255.255.0
 vrrp 1 ip 192.168.40.254
interface VLAN 20
 no ip proxy-arp
 ip address 192.168.60.252 255.255.255.0
 vrrp 1 priority 200
 vrrp 1 ip 192.168.60.254
interface VLAN 100
 no ip proxy-arp
 ip address 10.0.0.3 255.255.255.0
 vrrp 1 ip 10.0.0.1
ip route 0.0.0.0 0.0.0.0 10.0.0.254
spanning-tree mst configuration
 instance 0 vlan 1-9, 11-19, 21-4094
 instance 10 vlan 10
 instance 20 vlan 20
spanning-tree mst 20 priority 4096
interface FastEthernet 0/1
 switchport access vlan 100
!
interface FastEthernet 0/2
 switchport mode trunk
 switchport trunk allowed vlan remove 1-9,11-19,21-99,101-4094
!
interface FastEthernet 0/3
 switchport mode trunk
 switchport trunk allowed vlan remove 1-9,11-19,21-99,101-4094

FW configuration points

Layer 3 full-mesh connection: the A/P design uses a fully cross-connected network, which provides link-level redundancy on the same device. When a link fails, the backup link takes over the traffic and no failover between the firewalls is needed. The firewalls fail over only when both links on the upstream side, or both links on the downstream side, fail at the same time.

FW1 configuration (primary)

set interface red1 zone Untrust /* create redundant interface 1 */
set interface e1 zone null
set interface e1 group red1
set interface e2 zone null
set interface e2 group red1
set interface red1 ip 192.168.1.1/24
set interface red2 zone trust /* create redundant interface 2 */
set interface e3 zone null
set interface e3 group red2
set interface e4 zone null
set interface e4 group red2
set interface red2 ip 10.0.0.254/24
set interface ethernet7 zone ha /* configure the HA link */
set interface ethernet8 zone ha
set nsrp cluster id 1
set nsrp rto-mirror sync /* allow session information to be synchronised automatically */
set nsrp vsd-group id 0 priority 50 /* configure the priority; lower is better */
set nsrp monitor interface ethernet2 /* monitor interface state */
set nsrp monitor interface ethernet1

FW2 configuration (backup)

set interface red1 zone Untrust /* create redundant interface 1 */
set interface e1 zone null
set interface e1 group red1
set interface e2 zone null
set interface e2 group red1
set interface red1 ip 192.168.1.1/24
set interface red2 zone trust /* create redundant interface 2 */
set interface e3 zone null
set interface e3 group red2
set interface e4 zone null
set interface e4 group red2
set interface red2 ip 10.0.0.254/24
set interface ethernet7 zone ha /* configure the HA link */
set interface ethernet8 zone ha
set nsrp cluster id 1
set nsrp rto-mirror sync /* allow session information to be synchronised automatically */
set nsrp vsd-group id 0 priority 100 /* configure the priority; lower is better */
set nsrp monitor interface ethernet2 /* monitor interface state */
set nsrp monitor interface ethernet1

Router configuration points

As with the Layer 3 switches, VRRP must be run toward the firewalls. The Layer 2 switches simply let VRRP pass through transparently, while also adding link redundancy.

R1 and R2 configuration

R1:
interface FastEthernet 0/0
 ip address 192.168.1.254 255.255.255.0
 vrrp 1 ip 192.168.1.254
! masks corrected to /24 to match the VLAN 10 and VLAN 20 subnets (the slide had 255.255.0.0)
ip route 192.168.40.0 255.255.255.0 192.168.1.1
ip route 192.168.60.0 255.255.255.0 192.168.1.1

R2:
interface FastEthernet 0/0
 ip address 192.168.1.253 255.255.255.0
 vrrp 1 ip 192.168.1.254
! masks corrected to /24 to match the VLAN 10 and VLAN 20 subnets (the slide had 255.255.0.0)
ip route 192.168.40.0 255.255.255.0 192.168.1.1
ip route 192.168.60.0 255.255.255.0 192.168.1.1

A/A configuration

SW1 and SW2 configuration points: on the LAN side below, enable VRRP together with MSTP so that the gateways are spread across the two switches; toward the firewalls above, VRRP must be enabled as well, with two VRRP groups, one for each traffic flow.

SW1 configuration

interface VLAN 10
 ip policy route-map aa
 no ip proxy-arp
 ip address 192.168.40.253 255.255.255.0
 vrrp 1 priority 200
 vrrp 1 ip 192.168.40.254
interface VLAN 20
 ip policy route-map aa
 no ip proxy-arp
 ip address 192.168.60.253 255.255.255.0
 vrrp 1 ip 192.168.60.254
interface VLAN 100
 no ip proxy-arp
 ip address 10.0.0.2 255.255.255.0
 vrrp 1 priority 200
 vrrp 1 ip 10.0.0.1
 vrrp 2 ip 10.0.0.10
ip route 0.0.0.0 0.0.0.0 10.0.0.254
spanning-tree mst configuration
 instance 0 vlan 1-9, 11-19, 21-4094
 instance 10 vlan 10
 instance 20 vlan 20
spanning-tree mst 10 priority 4096
interface FastEthernet 0/1
 switchport access vlan 100
interface FastEthernet 0/2
 switchport mode trunk
 switchport trunk allowed vlan remove 1-9,11-19,21-4094
interface FastEthernet 0/3
 switchport mode trunk
 switchport trunk allowed vlan remove 1-9,11-19,21-99,101-4094
interface FastEthernet 0/4
interface FastEthernet 0/5
 switchport access vlan 100

SW1 configuration: splitting the traffic additionally requires policy routing

ip access-list standard 1
 10 permit 192.168.40.0 0.0.0.255
ip access-list standard 2
 10 permit 192.168.60.0 0.0.0.255
route-map aa permit 10
 match ip address 1
 set ip next-hop 10.0.0.254
route-map aa permit 20
 match ip address 2
 set ip next-hop 10.0.0.200

SW2 configuration

interface VLAN 10
 ip policy route-map aa
 no ip proxy-arp
 ip address 192.168.40.252 255.255.255.0
 vrrp 1 ip 192.168.40.254
interface VLAN 20
 ip policy route-map aa
 no ip proxy-arp
 ip address 192.168.60.252 255.255.255.0
! VRRP priority moved from VLAN 10 to VLAN 20 so SW2 is the VLAN 20 gateway, as in the A/P section (the slide had it on VLAN 10)
 vrrp 1 priority 200
 vrrp 1 ip 192.168.60.254
interface VLAN 100
 no ip proxy-arp
 ip address 10.0.0.3 255.255.255.0
 vrrp 2 priority 200
 vrrp 1 ip 10.0.0.1
 vrrp 2 ip 10.0.0.10
ip route 0.0.0.0 0.0.0.0 10.0.0.200
spanning-tree mst configuration
 instance 0 vlan 1-9, 11-19, 21-4094
 instance 10 vlan 10
 instance 20 vlan 20
! SW2 is root for MST instance 20, as in the A/P section (the slide had instance 10 here, which would make both switches claim the same root)
spanning-tree mst 20 priority 4096
interface FastEthernet 0/1
 switchport access vlan 100
interface FastEthernet 0/2
 switchport mode trunk
 switchport trunk allowed vlan remove 1-9,11-19,21-4094
interface FastEthernet 0/3
 switchport mode trunk
 switchport trunk allowed vlan remove 1-9,11-19,21-99,101-4094
interface FastEthernet 0/4
interface FastEthernet 0/5
 switchport access vlan 100

SW2 configuration: splitting the traffic additionally requires policy routing

ip access-list standard 1
 10 permit 192.168.40.0 0.0.0.255
ip access-list standard 2
 10 permit 192.168.60.0 0.0.0.255
route-map aa permit 10
 match ip address 1
 set ip next-hop 10.0.0.254
route-map aa permit 20
 match ip address 2
 set ip next-hop 10.0.0.200

FW configuration points

In NSRP, create two virtual security device (VSD) groups, each with its own virtual security interface (VSI) through which it communicates with the network. Device A is the primary for VSD group 1 and the backup for VSD group 2; device B is the primary for VSD group 2 and the backup for VSD group 1. In Active/Active mode both firewalls process traffic at the same time and back each other up; in dual-active mode there is no single point of failure.

FW configuration points

Note that splitting the traffic still has to be decided by the Layer 3 devices below; the firewall itself cannot split the traffic!

FW1 configuration (primary 1)

set interface red1 zone Untrust /* create redundant interface 1 */
set interface e1 zone null
set interface e1 group red1
set interface e2 zone null
set interface e2 group red1
set interface red1 ip 192.168.1.1/24
set interface red2 zone trust /* create redundant interface 2 */
set interface e3 zone null
set interface e3 group red2
set interface e4 zone null
set interface e4 group red2
set interface red2 ip 10.0.0.254/24
set interface red1:1 ip 192.168.1.10/24 /* address for group 1 */
set interface red2:1 ip 10.0.0.200/24
set interface ethernet7 zone ha /* configure the HA link */
set interface ethernet8 zone ha
set nsrp cluster id 1
set nsrp rto-mirror sync /* allow session information to be synchronised automatically */
set nsrp vsd-group id 0 priority 50 /* configure the priority; lower is better */
set nsrp monitor interface ethernet2 /* monitor interface state */
set nsrp monitor interface ethernet1
set nsrp vsd-group id 1 priority 100 /* configure the priority; lower is better */
/* route interface names corrected to the redundant interfaces defined above (the slide used ethernet0/0 for the default routes and redundant1 for the LAN routes) */
set route 0.0.0.0/0 interface redundant1 gateway 192.168.1.254 preference 20
set route 192.168.40.0/24 interface redundant2 gateway 10.0.0.1 preference 20
set route 192.168.40.0/24 interface redundant2:1 gateway 10.0.0.10 preference 20
set route 192.168.60.0/24 interface redundant2 gateway 10.0.0.1 preference 20
set route 192.168.60.0/24 interface redundant2:1 gateway 10.0.0.10 preference 20
set route 0.0.0.0/0 interface redundant1:1 gateway 192.168.1.200 preference 20

FW2 configuration (primary 2)

set interface red1 zone Untrust /* create redundant interface 1 */
set interface e1 zone null
set interface e1 group red1
set interface e2 zone null
set interface e2 group red1
set interface red1 ip 192.168.1.1/24
set interface red2 zone trust /* create redundant interface 2 */
set interface e3 zone null
set interface e3 group red2
set interface e4 zone null
set interface e4 group red2
set interface red2 ip 10.0.0.254/24
set interface red1:1 ip 192.168.1.10/24 /* address for group 1 */
set interface red2:1 ip 10.0.0.200/24
set interface ethernet7 zone ha /* configure the HA link */
set interface ethernet8 zone ha
set nsrp cluster id 1
set nsrp rto-mirror sync /* allow session information to be synchronised automatically */
set nsrp vsd-group id 0 priority 100 /* configure the priority; lower is better */
set nsrp monitor interface ethernet2 /* monitor interface state */
set nsrp monitor interface ethernet1
set nsrp vsd-group id 1 priority 50 /* configure the priority; lower is better */
/* route interface names corrected to the redundant interfaces defined above (the slide used ethernet0/0 for the default routes and redundant1 for the LAN routes) */
set route 0.0.0.0/0 interface redundant1 gateway 192.168.1.254 preference 20
set route 192.168.40.0/24 interface redundant2 gateway 10.0.0.1 preference 20
set route 192.168.40.0/24 interface redundant2:1 gateway 10.0.0.10 preference 20
set route 192.168.60.0/24 interface redundant2 gateway 10.0.0.1 preference 20
set route 192.168.60.0/24 interface redundant2:1 gateway 10.0.0.10 preference 20
set route 0.0.0.0/0 interface redundant1:1 gateway 192.168.1.200 preference 20

Router configuration points

As with the Layer 3 switches, two VRRP groups must be run toward the firewalls. The Layer 2 switches simply let VRRP pass through transparently, while also adding link redundancy. Here we only consider outbound Internet access, not access from the outside, so the routers do no policy routing toward the inside.

R1 and R2 configuration

R1:
interface FastEthernet 0/0
 ip address 192.168.1.252 255.255.255.0
 vrrp 1 priority 200
 vrrp 1 ip 192.168.1.254
 vrrp 2 ip 192.168.1.200
ip route 192.168.40.0 255.255.255.0 192.168.1.1
ip route 192.168.60.0 255.255.255.0 192.168.1.10

R2:
interface FastEthernet 0/0
 ip address 192.168.1.253 255.255.255.0
 vrrp 1 ip 192.168.1.254
 vrrp 2 priority 200
 vrrp 2 ip 192.168.1.200
! return routes aligned with R1 and with the switches' policy routing (192.168.40.0 via VSD group 0 at 192.168.1.1, 192.168.60.0 via VSD group 1 at 192.168.1.10); the slide had the next hops swapped and 255.255.0.0 masks
ip route 192.168.40.0 255.255.255.0 192.168.1.1
ip route 192.168.60.0 255.255.255.0 192.168.1.10

End
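As an added example, not part of the original slides or any Juniper tool, the following Python checker parses the nsrp lines of both cluster members from the A/P and A/A firewall sections above and reports the mismatches that leave a pair with no clear primary, with unsynchronised sessions, or (in A/A) with all traffic on one member. FW_A and FW_B are constructed from the A/A slide values; parse_nsrp and check_pair are names chosen here.

```python
import re
from typing import Dict, List

# Constructed sample input: the nsrp lines of the two A/A firewalls from the slides above
FW_A = """set nsrp cluster id 1
set nsrp rto-mirror sync
set nsrp vsd-group id 0 priority 50
set nsrp vsd-group id 1 priority 100
set nsrp monitor interface ethernet2
set nsrp monitor interface ethernet1"""
FW_B = FW_A.replace("id 0 priority 50", "id 0 priority 100").replace("id 1 priority 100", "id 1 priority 50")

def parse_nsrp(config: str) -> Dict:
    """Extract cluster id, session sync, VSD-group priorities and monitored interfaces."""
    out = {"cluster": None, "sync": False, "prio": {}, "monitor": set()}
    for line in config.splitlines():
        line = line.strip().lower()
        if m := re.match(r"set nsrp cluster id (\d+)$", line):
            out["cluster"] = int(m.group(1))
        elif line == "set nsrp rto-mirror sync":
            out["sync"] = True
        elif m := re.match(r"set nsrp vsd-group id (\d+) priority (\d+)$", line):
            out["prio"][int(m.group(1))] = int(m.group(2))
        elif m := re.match(r"set nsrp monitor interface (\S+)$", line):
            out["monitor"].add(m.group(1))
    return out

def check_pair(cfg_a: str, cfg_b: str) -> List[str]:
    """Findings for a two-member NSRP cluster; an empty list means the pair is consistent.
    The lower VSD-group priority wins, so every group needs exactly one clear primary."""
    a, b = parse_nsrp(cfg_a), parse_nsrp(cfg_b)
    findings = []
    if a["cluster"] is None or a["cluster"] != b["cluster"]:
        findings.append("cluster id missing or differs between members")
    if not (a["sync"] and b["sync"]):
        findings.append("rto-mirror sync not enabled on both members (sessions lost on failover)")
    if not a["monitor"] or a["monitor"] != b["monitor"]:
        findings.append("monitored interfaces missing or differ between members")
    if set(a["prio"]) != set(b["prio"]):
        findings.append("VSD groups differ between members")
    shared = sorted(set(a["prio"]) & set(b["prio"]))
    for g in shared:
        if a["prio"][g] == b["prio"][g]:
            findings.append(f"vsd-group {g}: equal priorities, primary decided by tie-break")
    primary_on_a = [g for g in shared if a["prio"][g] < b["prio"][g]]
    if len(shared) > 1 and len(primary_on_a) in (0, len(shared)):
        findings.append("A/A: one member is primary for every VSD group, traffic is not split")
    return findings
```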
