Cluster-id #: 0-15, optional; a value of 0 disables clustering, so no HA pair can be formed.
Group #: redundancy group, the horizontal dimension; it controls which data interfaces fail over together.
Node id #: the vertical dimension, i.e. the individual chassis (SRX1, SRX2).
fxp0: out-of-band management port. It is independent of HA, and the management-port configuration is not synchronized between nodes.
fxp1: control-plane heartbeat (control link) port. Which physical port it is depends on the model; it needs no configuration.
fab#: data-plane heartbeat (fabric link). Module type 1GE or 10GE.
reth#: redundant Ethernet interface used for forwarding data; each SRX contributes one physical interface and the two are bundled into reth#.

For new devices: unbox, rack and power them on, and connect the control-link (heartbeat) cable first. No configuration is needed for this, but without the cable the primary and secondary cannot recognize each other as members of the same cluster-id. Then assign both devices the same cluster-id and reboot them to form the HA pair; from that point on, all configuration is done on the primary node. The cluster-id is set from operational mode:
>set chassis cluster cluster-id 1 node 0 reboot    run on the primary (node 0)
>set chassis cluster cluster-id 1 node 1 reboot    run on the secondary (node 1)

Set the host names
set groups node0 system host-name DCB_NIB232_INT_FW01
set groups node1 system host-name DCB_NIB233_INT_FW02

Configure the IP address of the management interface fxp0 (per-node, via groups)
set groups node0 interfaces fxp0 unit 0 family inet address 10.188.255.31/24
set groups node1 interfaces fxp0 unit 0 family inet address 10.188.255.32/24
set apply-groups "${node}"
 
Configure the fabric (data-plane heartbeat) interfaces fab0 and fab1, assigning a physical interface to each
set interfaces fab0 fabric-options member-interfaces ge-0/0/9
set interfaces fab1 fabric-options member-interfaces ge-4/0/9

Configure the reth interfaces: set the reth count and assign physical interfaces to each reth
set chassis cluster reth-count 10
set interfaces ge-0/0/0 gigether-options redundant-parent reth0
set interfaces ge-0/0/1 gigether-options redundant-parent reth1
set interfaces ge-4/0/0 gigether-options redundant-parent reth0
set interfaces ge-4/0/1 gigether-options redundant-parent reth1

Configure the reth interface IP addresses
set interfaces reth0 unit 0 family inet address 172.254.247.4/28
set interfaces reth1 unit 0 family inet address 172.254.248.1/28

Assign the reth# interfaces to security zones
set security zones security-zone trust interfaces reth0.0
set security zones security-zone untrust interfaces reth1.0

Assign the reth# interfaces to a redundancy group
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth1 redundant-ether-options redundancy-group 1

Configure heartbeat behaviour and node priorities
set chassis cluster control-link-recovery        # if the control link fails, the secondary node is disabled; with this option it reboots automatically once the link is restored
set chassis cluster heartbeat-interval 1000      # heartbeat interval, 1000 ms
set chassis cluster heartbeat-threshold 3        # number of consecutive missed heartbeats before the peer node is declared down
set chassis cluster redundancy-group 0 node 0 priority 200             # priority per redundancy group: the higher value wins
set chassis cluster redundancy-group 0 node 1 priority 100
set chassis cluster redundancy-group 1 node 0 priority 200
set chassis cluster redundancy-group 1 node 1 priority 100
set chassis cluster redundancy-group 1 preempt     # enable preemption: the higher-priority node takes the group back when it recovers

Configure the interfaces monitored by the redundancy group (a weight of 255 means any single link failure triggers failover)
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/0 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-4/0/0 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/1 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-4/0/1 weight 255
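As an added example (not part of the original notes), a small Python check over the reth and interface-monitor lines above: it confirms that each reth has one member on each node and that every monitored interface belongs to a reth in that redundancy group, and it computes whether a set of failed links on the primary reaches the 255 failover threshold. It assumes node1's interfaces start at FPC slot 4, as the ge-4/0/x numbering on this page implies; the slot offset differs per SRX model.

```python
import re
from collections import defaultdict
NODE1_FPC_OFFSET = 4      # assumption: ge-4/0/x is node1's first FPC, as on this page
FAILOVER_THRESHOLD = 255  # Junos redundancy-group failover threshold (fixed value)
# Constructed sample: the reth and interface-monitor lines of the page's HA configuration.
CONFIG = """
set interfaces ge-0/0/0 gigether-options redundant-parent reth0
set interfaces ge-0/0/1 gigether-options redundant-parent reth1
set interfaces ge-4/0/0 gigether-options redundant-parent reth0
set interfaces ge-4/0/1 gigether-options redundant-parent reth1
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth1 redundant-ether-options redundancy-group 1
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/0 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-4/0/0 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/1 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-4/0/1 weight 255
"""

def node_of(ifname):
    fpc = int(re.match(r"[a-z]+-(\d+)/", ifname).group(1))  # FPC slot number
    return 1 if fpc >= NODE1_FPC_OFFSET else 0

def parse(config):
    members = defaultdict(list)   # reth -> physical member interfaces
    groups = {}                   # reth -> redundancy group
    monitors = defaultdict(dict)  # redundancy group -> {interface: weight}
    for t in (line.split() for line in config.strip().splitlines()):
        if t[1] == "interfaces" and "redundant-parent" in t:
            members[t[-1]].append(t[2])
        elif t[1] == "interfaces" and "redundancy-group" in t:
            groups[t[2]] = int(t[-1])
        elif "interface-monitor" in t:
            rg = int(t[t.index("redundancy-group") + 1])
            monitors[rg][t[t.index("interface-monitor") + 1]] = int(t[-1])
    return members, groups, monitors

def check(config):
    """List configuration problems; an empty list means the reth/monitor layout is consistent."""
    members, groups, monitors = parse(config)
    problems = [f"{reth}: needs one member per node, has {ifs}"
                for reth, ifs in members.items() if sorted(map(node_of, ifs)) != [0, 1]]
    for rg, weights in monitors.items():
        for ifname in weights:  # a monitored link must belong to a reth of the same group
            if not any(ifname in ifs and groups.get(r) == rg for r, ifs in members.items()):
                problems.append(f"RG{rg}: monitors {ifname}, not a member of one of its reths")
    return problems

def fails_over(config, rg, down_on_primary):  # do the lost links' weights reach the threshold?
    return sum(parse(config)[2][rg].get(i, 0) for i in down_on_primary) >= FAILOVER_THRESHOLD
```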

Status checks

show version 
show system alarm
show chassis alarm
show chassis hardware
show chassis routing-engine
show chassis fpc detail
show chassis fpc pic-status
show chassis environment
show chassis cluster status
show chassis cluster status redundancy-group 1
show chassis cluster information
show chassis cluster statistics
show chassis cluster interfaces
show interfaces terse | match reth
show interfaces terse | match "fab|fxp1"

Address translation (NAT)

  Source NAT matching on source IP, translating to the egress interface address

set security nat source rule-set trust-to-untrust from zone trust 
set security nat source rule-set trust-to-untrust to zone untrust 
set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0 
set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface

 Pool-based source NAT

set security nat source pool snatpool address 202.100.12.23/32 to 202.100.12.30/32       # pool of translated (post-NAT) source addresses
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule 1 match source-address 192.168.0.0/22
set security nat source rule-set trust-to-untrust rule 1 then source-nat pool snatpool
set security nat proxy-arp interface ge-0/0/1.0 address 202.100.12.23/32 to 202.100.12.30/32    # pool addresses are not owned by any interface, so proxy-arp is mandatory whenever a pool is used

  Pool-based destination NAT without port translation

set security nat destination pool a address 192.168.12.1/32 to 192.168.12.4/32
set security nat destination rule-set 1 from zone untrust
set security nat destination rule-set 1 rule 1a match destination-address 100.0.0.1/32
set security nat destination rule-set 1 rule 1a then destination-nat pool a

 Pool-based destination NAT with port translation

set security nat destination pool srv11-3389 address 172.16.1.11/32 port 3389    # pre-mapping destination ip and port: the real internal server
set security nat destination rule-set utot from zone untrust
set security nat destination rule-set utot rule u236-srv11-3389 match source-address 0.0.0.0/0
set security nat destination rule-set utot rule u236-srv11-3389 match destination-address 192.168.1.236/32  # post-mapping destination ip: the published address clients connect to
set security nat destination rule-set utot rule u236-srv11-3389 match destination-port 3389
set security nat destination rule-set utot rule u236-srv11-3389 then destination-nat pool srv11-3389

Pool-based static NAT (static address translation, a bidirectional form of destination NAT)

set security nat static rule-set SUTOT from zone untrust
set security nat static rule-set SUTOT rule U237-SRV10 match destination-address 192.168.1.237/32    # post-translation destination ip: the published address
set security nat static rule-set SUTOT rule U237-SRV10 then static-nat prefix 172.16.1.10/32  # pre-translation destination ip: the internal server
set security nat proxy-arp interface ge-0/0/0.0 address 192.168.1.237/32

Note: destination and static NAT rule-sets take only a from-zone context, because they are evaluated before the route lookup, so no to-zone is configured for them. In most cases source NAT matches any destination and destination NAT matches any source, so the "any" match parameters (0.0.0.0/0) may be configured or omitted; if it is a host address
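Added example, not from the original notes: a Python model of how the NAT rule-sets above are applied to a flow, in the Junos order static NAT, then destination NAT, then source NAT after the policy lookup, including the reverse (source-side) translation that static NAT provides. Zone names, pool addresses and the reth1 egress address are taken from the page; the snatpool range is reduced to its first address for simplicity.

```python
import ipaddress

# Constructed data (not page text): the page's NAT rule-sets as Python structures.
# Junos NAT order: static NAT, then destination NAT, then route/policy lookup, then
# source NAT; rules inside a rule-set are tried in order and the first match wins.
STATIC = [  # rule-set SUTOT from zone untrust; bidirectional, no port translation
    {"from": "untrust", "dst": "192.168.1.237/32", "prefix": "172.16.1.10/32"},
]
DESTINATION = [  # rule-set utot from zone untrust; pool srv11-3389 carries a port
    {"from": "untrust", "dst": "192.168.1.236/32", "dport": 3389,
     "pool": ("172.16.1.11", 3389)},
]
SOURCE = [  # rule-set trust-to-untrust; pool rule first, interface rule as catch-all
    {"from": "trust", "to": "untrust", "src": "192.168.0.0/22", "pool": "202.100.12.23"},
    {"from": "trust", "to": "untrust", "src": "0.0.0.0/0", "pool": "interface"},
]
EGRESS_IP = {"untrust": "172.254.248.1"}  # reth1 address from the page (interface NAT)

def _in(addr, prefix):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(prefix)

def _shift(addr, match_prefix, new_prefix):
    """Map addr to the same offset inside new_prefix (static NAT keeps host bits)."""
    off = int(ipaddress.ip_address(addr)) - int(ipaddress.ip_network(match_prefix).network_address)
    return str(ipaddress.ip_network(new_prefix).network_address + off)

def translate(from_zone, to_zone, src, dst, dport):
    """Return (src, dst, dport, actions) for a packet as it leaves the NAT stages."""
    actions = []
    for r in STATIC:                      # inbound static NAT rewrites the destination
        if r["from"] == from_zone and _in(dst, r["dst"]):
            dst, actions = _shift(dst, r["dst"], r["prefix"]), ["static-nat"]
            break
    else:                                 # destination NAT only when no static rule hit
        for r in DESTINATION:
            if r["from"] == from_zone and _in(dst, r["dst"]) and dport == r["dport"]:
                dst, dport = r["pool"]
                actions.append("destination-nat")
                break
    for r in STATIC:                      # reverse direction of static NAT beats source NAT
        if r["from"] == to_zone and _in(src, r["prefix"]):
            return _shift(src, r["prefix"], r["dst"]), dst, dport, actions + ["static-nat reverse"]
    for r in SOURCE:                      # source NAT after policy, on the translated flow
        if r["from"] == from_zone and r["to"] == to_zone and _in(src, r["src"]):
            src = EGRESS_IP[to_zone] if r["pool"] == "interface" else r["pool"]
            actions.append("source-nat " + r["pool"])
            break
    return src, dst, dport, actions
```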

   NAT status checks (the run prefix lets these be issued from configuration mode)

run show security flow session destination-prefix 59.46.168.212 destination-port 80
run show security zones untrust
run show security policies from-zone untrust to-zone trust
run show security nat static rule all
run show security nat destination rule all
run show security nat source rule all
run show security nat source pool all
run show security nat destination pool all
