JuniperSRX VR

主要应用:双出口网关,替代策略路由;MPL ×××;等于思科的vrf,实现路由的网络隔离

全局路由表 和 虚拟路由表 也是可以互相灌

一,配置:(zones:DMZ--Inside2)

1) 创建虚拟路由器,并放入接口

edit routing-instances [DMZ-Inside2]

set instance-type virtual-router

set interface ge-0/0/4.0

set interface ge-0/0/3.0

2) 测试直连网络连通性DMZ,Inside2

run ping routing-instances [DMZ-Iside2] 10.1.2.1 //直接ping的话,是找的全局路由表

run ping routing-instances [DMZ-Iside2] 192.168.1.1

3)创建Zone间策略:Security Policis(放行流量DMZ--Inside2)

edit security policies from-zone DMZ to-zone Inside2

edit policy [Permit-ICMP]

set match source-address any

set match destination-address any

set match application junos-ping

set then permit

edit policy [Permit-Telnet]

set match source-address any

set match destination-address any

set match application junos-telnet

set then permit

#show security policies

edit security policies from-zone DMZ to-zone Inside2

#rename policy [Permit-ICMP]to [Permit-ICMP-And-Telnet]

5)DMZ区域的PC机ping 1.1.1.1,telnet 1.1.1.1,查看连通性,及其走的是否是VR(Routing-Instance)

ping 1.1.1.1

4) 查看命令

run show route //查看 全局路由表和虚拟路由表

二,配置(Inside1路由器启lo:1.1.1.1;Inside2路由器启lo:1.1.1.1)

全局配置静态路由 to Inside1

set routing-options static route 1.1.1.1/32 nex-hop 10.1.1.1

#show routing-options

虚拟路由器配置静态路由 to Inside2

edit routing-instance [DMZ-Iside2] routing-options

set static route 1.1.1.1/32 next-hop 10.1.2.1

#show routing-instance

#run show route //查看 全局路由表和虚拟路由表