SRX firewall connectivity test lab: policy environment (full version)

1. Lab topology

Business segments:
siteA: vlan100 192.168.100.0/24, vlan200 192.168.200.0/24
siteB: 192.168.10.0/24
siteC: 192.168.20.0/24

Internet segments:
172.16.1.0/24
172.16.2.0/24
172.16.3.0/24

siteA vlan100 ping siteB: ping 192.168.10.10 routing-instance v100
siteA vlan200 ping siteC: ping 192.168.10.10 routing-instance v200

The vMX-ISP router simulates the ISP (carrier) network.

2. vSRXA configuration
vSRXA interface IP address configuration (chassis cluster, reth interfaces):
set chassis cluster reth-count 8

set interfaces ge-0/0/2 gigether-options redundant-parent reth0
set interfaces ge-0/0/3 gigether-options redundant-parent reth1
set interfaces ge-7/0/2 gigether-options redundant-parent reth0
set interfaces ge-7/0/3 gigether-options redundant-parent reth1
set interfaces reth0 vlan-tagging
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth0 unit 100 vlan-id 100
set interfaces reth0 unit 100 family inet address 192.168.100.1/24
set interfaces reth0 unit 200 vlan-id 200
set interfaces reth0 unit 200 family inet address 192.168.200.1/24
set interfaces reth1 redundant-ether-options redundancy-group 1
set interfaces reth1 unit 0 family inet address 172.16.3.1/24

Assign the vSRXA interfaces to security zones:
set security zones security-zone v100 host-inbound-traffic system-services all
set security zones security-zone v100 host-inbound-traffic protocols all
set security zones security-zone v100 interfaces reth0.100
set security zones security-zone v200 host-inbound-traffic system-services all
set security zones security-zone v200 host-inbound-traffic protocols all
set security zones security-zone v200 interfaces reth0.200
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic protocols all
set security zones security-zone untrust interfaces reth1.0

vSRXA security policy configuration, permitting all traffic:

{primary:node0}[edit]
root@vSRXA1# show security policies | display set
set security policies from-zone v100 to-zone untrust policy 1 match source-address any
set security policies from-zone v100 to-zone untrust policy 1 match destination-address any
set security policies from-zone v100 to-zone untrust policy 1 match application any
set security policies from-zone v100 to-zone untrust policy 1 then permit
set security policies from-zone v200 to-zone untrust policy 1 match source-address any
set security policies from-zone v200 to-zone untrust policy 1 match destination-address any
set security policies from-zone v200 to-zone untrust policy 1 match application any
set security policies from-zone v200 to-zone untrust policy 1 then permit
set security policies from-zone v100 to-zone v200 policy 1 match source-address any
set security policies from-zone v100 to-zone v200 policy 1 match destination-address any
set security policies from-zone v100 to-zone v200 policy 1 match application any
set security policies from-zone v100 to-zone v200 policy 1 then permit
set security policies from-zone v200 to-zone v100 policy 1 match source-address any
set security policies from-zone v200 to-zone v100 policy 1 match destination-address any
set security policies from-zone v200 to-zone v100 policy 1 match application any
set security policies from-zone v200 to-zone v100 policy 1 then permit
set security policies from-zone untrust to-zone v100 policy 1 match source-address any
set security policies from-zone untrust to-zone v100 policy 1 match destination-address any
set security policies from-zone untrust to-zone v100 policy 1 match application any
set security policies from-zone untrust to-zone v100 policy 1 then permit
set security policies from-zone untrust to-zone v200 policy 1 match source-address any
set security policies from-zone untrust to-zone v200 policy 1 match destination-address any
set security policies from-zone untrust to-zone v200 policy 1 match application any
set security policies from-zone untrust to-zone v200 policy 1 then permit

vSRXA routing configuration:
set routing-options static route 0.0.0.0/0 next-hop 172.16.3.2

3. vSRXB1 configuration
vSRXB1 interface and security zone configuration:
set interfaces ge-0/0/0 unit 0 family inet address 172.16.1.1/24
set interfaces ge-0/0/1 unit 0 family inet address 192.168.10.1/24

set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic protocols all
set security zones security-zone untrust interfaces ge-0/0/0.0

set routing-options static route 0.0.0.0/0 next-hop 172.16.1.2

vSRXB1 security policy configuration:
set security policies from-zone trust to-zone trust policy default-permit match source-address any
set security policies from-zone trust to-zone trust policy default-permit match destination-address any
set security policies from-zone trust to-zone trust policy default-permit match application any
set security policies from-zone trust to-zone trust policy default-permit then permit
set security policies from-zone trust to-zone untrust policy default-permit match source-address any
set security policies from-zone trust to-zone untrust policy default-permit match destination-address any
set security policies from-zone trust to-zone untrust policy default-permit match application any
set security policies from-zone trust to-zone untrust policy default-permit then permit
set security policies from-zone untrust to-zone trust policy 1 match source-address any
set security policies from-zone untrust to-zone trust policy 1 match destination-address any
set security policies from-zone untrust to-zone trust policy 1 match application any
set security policies from-zone untrust to-zone trust policy 1 then permit

4. vSRXC1 configuration
vSRXC1 interface and security zone configuration:
root@vSRX-NGC1# show interfaces | display set
set interfaces ge-0/0/0 unit 0 family inet address 172.16.2.1/24
set interfaces ge-0/0/1 unit 0 family inet address 192.168.20.1/24

set security zones security-zone trust tcp-rst
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic protocols all
set security zones security-zone untrust interfaces ge-0/0/0.0

set routing-options static route 0.0.0.0/0 next-hop 172.16.2.2

vSRXC1 security policy configuration:
set security policies from-zone trust to-zone trust policy default-permit match source-address any
set security policies from-zone trust to-zone trust policy default-permit match destination-address any
set security policies from-zone trust to-zone trust policy default-permit match application any
set security policies from-zone trust to-zone trust policy default-permit then permit
set security policies from-zone trust to-zone untrust policy default-permit match source-address any
set security policies from-zone trust to-zone untrust policy default-permit match destination-address any
set security policies from-zone trust to-zone untrust policy default-permit match application any
set security policies from-zone trust to-zone untrust policy default-permit then permit
set security policies from-zone untrust to-zone trust policy 1 match source-address any
set security policies from-zone untrust to-zone trust policy 1 match destination-address any
set security policies from-zone untrust to-zone trust policy 1 match application any
set security policies from-zone untrust to-zone trust policy 1 then permit
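Every firewall in this lab (vSRXA, vSRXB1 and vSRXC1) carries an untrust-to-trust policy matching any source, any destination and any application with `then permit`, which is fine for a connectivity lab but is exactly the rule an auditor wants flagged before such a configuration reaches production. The script below is an added example, not part of the original post: it parses `show security policies | display set` output of the shape shown above and reports wide-open inbound policies. The zone name `untrust` is taken from the post; the sample input is constructed from the vSRXC1 lines.

```python
import re
from collections import defaultdict

# Added example (not from the original post): audit Junos "display set" policy
# lines for permit-any rules that allow traffic in from an untrusted zone.
POLICY_RE = re.compile(
    r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+) "
    r"(?:match (source-address|destination-address|application) (\S+)|then (\S+))$")

MATCH_FIELDS = ("source-address", "destination-address", "application")

def parse_policies(config_text):
    """Group 'set security policies ...' lines into one dict per (from, to, name)."""
    policies = defaultdict(lambda: {**{f: set() for f in MATCH_FIELDS}, "action": None})
    for line in config_text.splitlines():
        m = POLICY_RE.match(line.strip())
        if not m:
            continue  # interface, zone and route lines are not policies
        from_zone, to_zone, name, field, value, action = m.groups()
        if field:
            policies[(from_zone, to_zone, name)][field].add(value)
        else:
            policies[(from_zone, to_zone, name)]["action"] = action
    return dict(policies)

def find_open_inbound(policies, untrusted_zones=("untrust",)):
    """Keys of policies that permit any source, destination and application
    from an untrusted zone into a zone that is not itself untrusted."""
    findings = []
    for (from_zone, to_zone, name), pol in policies.items():
        if from_zone not in untrusted_zones or to_zone in untrusted_zones:
            continue
        if pol["action"] == "permit" and all(pol[f] == {"any"} for f in MATCH_FIELDS):
            findings.append((from_zone, to_zone, name))
    return sorted(findings)

# Constructed sample: the vSRXC1 policy lines shown in this post.
SAMPLE_CONFIG = """
set security policies from-zone trust to-zone untrust policy default-permit match source-address any
set security policies from-zone trust to-zone untrust policy default-permit match destination-address any
set security policies from-zone trust to-zone untrust policy default-permit match application any
set security policies from-zone trust to-zone untrust policy default-permit then permit
set security policies from-zone untrust to-zone trust policy 1 match source-address any
set security policies from-zone untrust to-zone trust policy 1 match destination-address any
set security policies from-zone untrust to-zone trust policy 1 match application any
set security policies from-zone untrust to-zone trust policy 1 then permit
"""

if __name__ == "__main__":
    for from_zone, to_zone, name in find_open_inbound(parse_policies(SAMPLE_CONFIG)):
        print(f"wide-open inbound policy: {from_zone} -> {to_zone} policy {name}")
```

Run against the vSRXA output in section 2 the same check flags both the untrust-to-v100 and untrust-to-v200 policies.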

5. vMX-ISP router configuration
set interfaces ge-0/0/0 unit 0 family bridge interface-mode access
set interfaces ge-0/0/0 unit 0 family bridge vlan-id 30
set interfaces ge-0/0/1 unit 0 family bridge interface-mode access
set interfaces ge-0/0/1 unit 0 family bridge vlan-id 30
set interfaces ge-0/0/2 unit 0 family inet address 172.16.1.2/24
set interfaces ge-0/0/3 unit 0 family inet address 172.16.2.2/24
set interfaces irb unit 30 family inet address 172.16.3.2/24

[edit]
root@vMX-ISP# show routing-options | display set
set routing-options static route 192.168.10.0/24 next-hop 172.16.1.1
set routing-options static route 192.168.20.0/24 next-hop 172.16.2.1
set routing-options static route 192.168.100.0/24 next-hop 172.16.3.1
set routing-options static route 192.168.200.0/24 next-hop 172.16.3.1

6. vMXA1, vMXB1 and vMXC1 configuration
root@vMXA1# show interfaces | display set
set interfaces ge-0/0/0 unit 0 family bridge interface-mode trunk
set interfaces ge-0/0/0 unit 0 family bridge vlan-id-list 100
set interfaces ge-0/0/0 unit 0 family bridge vlan-id-list 200
set interfaces ge-0/0/1 unit 0 family bridge interface-mode trunk
set interfaces ge-0/0/1 unit 0 family bridge vlan-id-list 100
set interfaces ge-0/0/1 unit 0 family bridge vlan-id-list 200
set interfaces irb unit 100 family inet address 192.168.100.10/24
set interfaces irb unit 200 family inet address 192.168.200.10/24

[edit]
root@vMXA1# show routing-instances | display set
set routing-instances v100 instance-type virtual-router
set routing-instances v100 interface irb.100
set routing-instances v100 routing-options static route 0.0.0.0/0 next-hop 192.168.100.1
set routing-instances v200 instance-type virtual-router
set routing-instances v200 interface irb.200
set routing-instances v200 routing-options static route 0.0.0.0/0 next-hop 192.168.200.1


[edit]
root@vMXB1# show interfaces | display set
set interfaces ge-0/0/0 unit 0 family inet address 192.168.10.10/24
root@vMXB1# show routing-options | display set
set routing-options static route 0.0.0.0/0 next-hop 192.168.10.1


root@vMXC1# show interfaces | display set
set interfaces ge-0/0/0 unit 0 family inet address 192.168.20.10/24
root@vMXC1# show routing-options | display set
set routing-options static route 0.0.0.0/0 next-hop 192.168.20.1

7. Connectivity test
root@vMXA1> ping 192.168.10.10 routing-instance v100 count 1
PING 192.168.10.10 (192.168.10.10): 56 data bytes
64 bytes from 192.168.10.10: icmp_seq=0 ttl=61 time=21.264 ms

--- 192.168.10.10 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/stddev = 21.264/21.264/21.264/0.000 ms

root@vMXA1> ping 192.168.10.10 routing-instance v200 count 1
PING 192.168.10.10 (192.168.10.10): 56 data bytes
64 bytes from 192.168.10.10: icmp_seq=0 ttl=61 time=19.351 ms

--- 192.168.10.10 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/stddev = 19.351/19.351/19.351/0.000 ms

root@vMXA1> ping 192.168.20.10 routing-instance v200 count 1
PING 192.168.20.10 (192.168.20.10): 56 data bytes
64 bytes from 192.168.20.10: icmp_seq=0 ttl=61 time=14.968 ms

--- 192.168.20.10 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/stddev = 14.968/14.968/14.968/0.000 ms

root@vMXA1> ping 192.168.20.10 routing-instance v100 count 1
PING 192.168.20.10 (192.168.20.10): 56 data bytes
64 bytes from 192.168.20.10: icmp_seq=0 ttl=61 time=14.589 ms

--- 192.168.20.10 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/stddev = 14.589/14.589/14.589/0.000 ms


Summary:
1. Physical interface and VLAN sub-interface IP address configuration in an SRX HA (chassis cluster) environment
2. Assigning interfaces to security zones
3. Security policy configuration (permitting the traffic)
4. Routing configuration for end-to-end connectivity


Source: blog.51cto.com/ciscosyh/2461254