Branch office network build-out: policy-based routing configuration on Juniper network devices
For the branch office network build-out, the internal network uses OSPF for routing, and the firewall connects to the Internet and to the recording platform. Traffic has to be separated by destination: traffic to the platform must use the platform's dedicated line, and traffic to the Internet must use a separate Internet line. The gateway is enabled on the core switch. To meet this requirement, static routes and policy-based routing are used to steer the traffic.
The network topology is as follows:
On the core switch, configure static routes toward the Internet and toward the recording platform; after traffic reaches the firewall, the static routes deliver it to the respective destinations. Return traffic on the firewall, however, has to be split by policy: in the diagram the red line is traffic to the recording platform and the black line is traffic to the Internet.
The policy-based routing (filter-based forwarding) configuration on the Juniper firewall is as follows:
// Create the routing instances (one forwarding instance per uplink)
set routing-instances internet-to-inside instance-type forwarding
set routing-instances internet-to-inside routing-options static route 0.0.0.0/0 next-hop 10.128.31.157
set routing-instances qingniu-to-inside instance-type forwarding
set routing-instances qingniu-to-inside routing-options static route 0.0.0.0/0 next-hop 10.128.31.161
// Classify traffic with firewall filters (the ACL) and hand matching packets to the right instance
set firewall family inet filter qingniu-to-inside term 10 from source-address 10.128.31.64/28
set firewall family inet filter qingniu-to-inside term 10 from source-address 10.128.31.166/32
set firewall family inet filter qingniu-to-inside term 10 from destination-address 10.0.0.0/8
set firewall family inet filter qingniu-to-inside term 10 then routing-instance qingniu-to-inside
set firewall family inet filter qingniu-to-inside term 20 then accept
set firewall family inet filter internet-to-inside term 10 from destination-address 10.0.0.0/8
set firewall family inet filter internet-to-inside term 10 then routing-instance internet-to-inside
set firewall family inet filter internet-to-inside term 20 then accept
// Link the routing tables: share the interface routes into each instance's table through a rib-group
set routing-options interface-routes rib-group inet FBF-Group
set routing-options rib-groups FBF-Group import-rib inet.0
set routing-options rib-groups FBF-Group import-rib qingniu-to-inside.inet.0
set routing-options rib-groups FBF-Group import-rib internet-to-inside.inet.0
// Apply the filters at the ingress interfaces of the traffic
set interfaces ge-0/0/15 unit 0 family inet filter input internet-to-inside
set interfaces ge-0/0/14 unit 0 family inet filter input qingniu-to-inside
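As an added check that is not part of the original post, the following Python script lints a set of Junos `set` commands for the consistency points that matter in a filter-based-forwarding setup like this one: every filter applied to an interface must actually be defined (Junos identifiers are case-sensitive), every `then routing-instance` must name a defined forwarding instance, a filter whose last term does not accept drops all unmatched traffic into the implicit discard, and every forwarding instance's table should be imported by the rib-group. The embedded configuration is a constructed sample modelled on the config above; it deliberately contains two mistakes that are easy to make, a filter name whose case differs between definition and application and a filter with no final accept term. The function name `lint_fbf` and the sample are assumptions of this example.

```python
"""Lint a Junos filter-based-forwarding (FBF) configuration given as 'set' lines.

Added example, not code from the original post. It reports:
  1. a filter applied under 'family inet filter input' that is never defined
     (Junos identifiers are case-sensitive, so 'Internet-x' != 'internet-x');
  2. a 'then routing-instance X' action whose instance X is not defined;
  3. a filter whose last term does not accept, so unmatched packets hit the
     implicit discard at the end of the filter;
  4. a forwarding instance whose table is not an import-rib of any rib-group,
     so it never receives the interface routes needed to resolve its next-hop.
"""

# Constructed sample modelled on the post's config; it deliberately carries a
# case mismatch in one filter name and a filter without a final accept term.
SAMPLE_CONFIG = """\
set routing-instances internet-to-inside instance-type forwarding
set routing-instances internet-to-inside routing-options static route 0.0.0.0/0 next-hop 10.128.31.157
set routing-instances qingniu-to-inside instance-type forwarding
set routing-instances qingniu-to-inside routing-options static route 0.0.0.0/0 next-hop 10.128.31.161
set firewall family inet filter qingniu-to-inside term 10 from source-address 10.128.31.64/28
set firewall family inet filter qingniu-to-inside term 10 from destination-address 10.0.0.0/8
set firewall family inet filter qingniu-to-inside term 10 then routing-instance qingniu-to-inside
set firewall family inet filter qingniu-to-inside term 20 then accept
set firewall family inet filter Internet-to-inside term 10 from destination-address 10.0.0.0/8
set firewall family inet filter Internet-to-inside term 10 then routing-instance internet-to-inside
set routing-options interface-routes rib-group inet FBF-Group
set routing-options rib-groups FBF-Group import-rib inet.0
set routing-options rib-groups FBF-Group import-rib qingniu-to-inside.inet.0
set routing-options rib-groups FBF-Group import-rib internet-to-inside.inet.0
set interfaces ge-0/0/15 unit 0 family inet filter input internet-to-inside
set interfaces ge-0/0/14 unit 0 family inet filter input qingniu-to-inside
"""


def lint_fbf(config_text):
    """Return a list of findings; an empty list means the FBF config is consistent."""
    instances = set()   # names of 'instance-type forwarding' routing instances
    filters = {}        # filter name -> [(term, action_verb, action_arg)] in config order
    applied = []        # (interface, filter name) pairs from 'filter input'
    imported = set()    # route tables listed under 'rib-groups ... import-rib'

    for raw in config_text.splitlines():
        t = raw.split()
        if len(t) < 3 or t[0] != "set":
            continue
        if t[1] == "routing-instances" and t[-2:] == ["instance-type", "forwarding"]:
            instances.add(t[2])
        elif t[1:5] == ["firewall", "family", "inet", "filter"] and len(t) > 5:
            terms = filters.setdefault(t[5], [])
            # 'set firewall family inet filter <name> term <term> then <verb> [<arg>]'
            if len(t) > 9 and t[6] == "term" and t[8] == "then":
                verb, arg = t[9], (t[10] if len(t) > 10 else None)
                terms.append((t[7], verb, arg))
        elif t[1] == "interfaces" and t[-3:-1] == ["filter", "input"]:
            applied.append((t[2], t[-1]))
        elif t[1:3] == ["routing-options", "rib-groups"] and "import-rib" in t:
            imported.add(t[-1])

    findings = []
    for iface, fname in applied:
        if fname not in filters:
            msg = f"{iface}: filter '{fname}' is applied but not defined"
            near = [f for f in filters if f.lower() == fname.lower()]
            if near:
                msg += f" (case mismatch with '{near[0]}'; Junos names are case-sensitive)"
            findings.append(msg)
    for fname, terms in filters.items():
        for term, verb, arg in terms:
            if verb == "routing-instance" and arg not in instances:
                findings.append(f"filter {fname} term {term}: routing-instance '{arg}' is not defined")
        if terms and terms[-1][1] != "accept":
            findings.append(f"filter {fname}: last term does not accept; unmatched traffic hits the implicit discard")
    for inst in sorted(instances):
        if f"{inst}.inet.0" not in imported:
            findings.append(f"rib-group: {inst}.inet.0 is not an import-rib, so the instance has no interface routes")
    return findings


if __name__ == "__main__":
    for finding in lint_fbf(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Run against the sample it reports the two planted problems; after renaming the filter consistently and adding a `term 20 then accept` to it, it reports nothing. The same script can be pointed at the output of `show configuration | display set` before a commit to catch the two failure modes that matter most operationally: traffic silently discarded at an ingress interface, and traffic leaving over the wrong uplink because the routing-instance action never took effect.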
I hope this is helpful to readers; if you have questions, feel free to leave a comment.