Physical interface IP configuration

    interfaces {
        xe-0/0/0 {
            unit 0 {
                family inet {
                    address addr/mask;
                }
            }
        }
    }

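Layer 2 physical interface configuration

    interfaces {
        xe-0/0/0 {
            /* configure the interface as a trunk and allow VLAN 100 through */
            unit 0 {
                family ethernet-switching {
                    port-mode trunk;
                    vlan {
                        members vlan100;
                    }
                }
            }
        }
        vlan {
            /* configure the IP address of the Layer 3 RVI interface vlan.100 */
            unit 100 {
                family inet {
                    address addr/mask;
                }
            }
        }
    }
    vlans {
        /* configure vlan100 and bind the Layer 3 interface vlan.100 to it */
        vlan100 {
            vlan-id 100;
            l3-interface vlan.100;
        }
    }
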
1. Firewall routing configuration:

    routing-options {
        static {
            route 0/0 next-hop address;
        }
    }

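2. Security zone configuration
Configure the firewall security zones and assign interfaces to them.

    security {
        zones {
            security-zone trust {
                interfaces {
                    /* place interface vlan.x in the trust zone */
                    vlan.x {
                        /* permit all host-inbound traffic (all system services and protocols addressed to the firewall itself) */
                        host-inbound-traffic {
                            system-services {
                                all;
                            }
                            protocols {
                                all;
                            }
                        }
                    }
                }
            }
            security-zone untrust {
                interfaces {
                    /* place interface vlan.y in the untrust zone */
                    vlan.y {
                        /* permit all host-inbound traffic (all system services and protocols addressed to the firewall itself) */
                        host-inbound-traffic {
                            system-services {
                                all;
                            }
                            protocols {
                                all;
                            }
                        }
                    }
                }
            }
        }
    }
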
3. Security policy configuration
Configure the firewall security policies.

    security {
        policies {
            /* permit traffic from the trust zone to the untrust zone */
            from-zone trust to-zone untrust {
                policy default {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
        }
    }
    security {
        policies {
            /* permit traffic from the untrust zone to the trust zone */
            from-zone untrust to-zone trust {
                policy default {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
        }
    }

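A tighter variant of the untrust zone and policy configuration above, added here as an example and not part of the original page. It limits what the firewall itself answers on the untrust side and replaces the any/any/any permits with an application allow-list outbound and a logged deny inbound. The policy names allow-web and deny-all and the chosen services are assumptions; vlan.y is the page's own placeholder.

```junos
security {
    zones {
        security-zone untrust {
            interfaces {
                vlan.y {
                    /* only ICMP echo is answered by the firewall itself */
                    host-inbound-traffic {
                        system-services {
                            ping;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            /* allow-web is a hypothetical policy name */
            policy allow-web {
                match {
                    source-address any;
                    destination-address any;
                    application [ junos-http junos-https junos-dns-udp ];
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone trust {
            /* deny-all is a hypothetical policy name; denied sessions are logged */
            policy deny-all {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    deny;
                    log {
                        session-init;
                    }
                }
            }
        }
    }
}
```
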
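4. Firewall virtualization
Create a new routing table.

    routing-instances {
        /* create a routing instance named jkyw */
        jkyw {
            instance-type virtual-router;
            /* assign the relevant interface to this routing instance */
            interface xe-x/x/x;
        }
    }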