Branch Office Network Build: Policy-Based Routing on Juniper Network Devices


    In the branch office network build, the internal network uses OSPF for routing, and the firewall connects to both the Internet and the call-recording platform. Traffic has to be separated explicitly: traffic to the platform must use the platform's dedicated line, and traffic to the Internet must use a separate Internet line, while the gateway for the LAN sits on the core switch. Meeting this requirement takes a combination of static routes and policy-based routing (filter-based forwarding, FBF, in Junos terms).

    The network topology is as follows:

    [Network topology diagram]

    On the core switch, configure static routes towards the Internet and the recording platform; once traffic reaches the firewall, the firewall's own static routes deliver it to the respective destinations. The return traffic arriving at the firewall, however, has to be steered back by policy: in the diagram, the red line is traffic for the recording platform and the black line is traffic for the Internet.

    The policy-routing (filter-based forwarding) configuration on the Juniper firewall is as follows:


// Create one forwarding routing instance per return path; each holds only a default route
// pointing at the core switch over the corresponding link

set routing-instances internet-to-inside instance-type forwarding
set routing-instances internet-to-inside routing-options static route 0.0.0.0/0 next-hop 10.128.31.157

set routing-instances qingniu-to-inside instance-type forwarding
set routing-instances qingniu-to-inside routing-options static route 0.0.0.0/0 next-hop 10.128.31.161


// Classify traffic with firewall filters (ACLs). Terms are evaluated in order; within one term,
// several source-address values are ORed, and the source and destination conditions are ANDed.
// "then routing-instance" implicitly accepts the packet and looks it up in that instance's table.

set firewall family inet filter qingniu-to-inside term 10 from source-address 10.128.31.64/28
set firewall family inet filter qingniu-to-inside term 10 from source-address 10.128.31.166/32
set firewall family inet filter qingniu-to-inside term 10 from destination-address 10.0.0.0/8
set firewall family inet filter qingniu-to-inside term 10 then routing-instance qingniu-to-inside
set firewall family inet filter qingniu-to-inside term 20 then accept

// Filter names are case-sensitive in Junos: the filter is named "internet-to-inside" here so that it
// matches the name applied to the interface below (the original used "Internet-to-inside" in one place)
set firewall family inet filter internet-to-inside term 10 from destination-address 10.0.0.0/8
set firewall family inet filter internet-to-inside term 10 then routing-instance internet-to-inside
// Every Junos filter ends in an implicit discard; without this catch-all term, all other traffic arriving
// on ge-0/0/15 (including packets addressed to the firewall itself) would be silently dropped
set firewall family inet filter internet-to-inside term 20 then accept


// Share the interface (direct) routes from inet.0 into both forwarding instances via a rib-group,
// so the static next hops 10.128.31.157 and 10.128.31.161 can be resolved inside those instances

set routing-options interface-routes rib-group inet FBF-Group
set routing-options rib-groups FBF-Group import-rib inet.0
set routing-options rib-groups FBF-Group import-rib qingniu-to-inside.inet.0
set routing-options rib-groups FBF-Group import-rib internet-to-inside.inet.0


// Apply the filters as input filters on the interfaces where the return traffic enters the firewall:
// ge-0/0/15 faces the Internet line, ge-0/0/14 faces the recording-platform line

set interfaces ge-0/0/15 unit 0 family inet filter input internet-to-inside
set interfaces ge-0/0/14 unit 0 family inet filter input qingniu-to-inside
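To make the term-evaluation rules behind the filters above concrete before committing them, here is an added example (not part of the original post and not Junos code) that models how Junos walks a firewall filter: first matching term wins, several source-address values in one term are ORed, source and destination conditions are ANDed, and a packet that matches no term is discarded. The term lists mirror the two filters on the page; the sample packets and the hypothetical helper names (`evaluate_filter`, `next_hop_for`) are constructed for the example. It also shows what happens to the Internet-side filter if the final `accept` term is left out.

```python
from ipaddress import ip_address, ip_network

# Hypothetical model of Junos firewall-filter evaluation (added example, not Junos code):
# terms are checked in order; within one term, several source-address values are ORed and
# the source/destination conditions are ANDed; the first matching term wins, and a filter
# that runs past its last term discards the packet (Junos implicit discard).
DISCARD = "discard"
ACCEPT = "accept"  # packet is accepted and looked up in the main table inet.0


def _matches(addr, prefixes):
    """An empty prefix list means the term places no condition on this field."""
    if not prefixes:
        return True
    return any(ip_address(addr) in ip_network(p) for p in prefixes)


def evaluate_filter(terms, src, dst):
    """Return the filter's action for a packet: a routing-instance name, ACCEPT or DISCARD."""
    for term in terms:
        if _matches(src, term.get("source", [])) and _matches(dst, term.get("destination", [])):
            return term["then"]
    return DISCARD  # no term matched: implicit discard


# Term lists mirroring the filters configured on the page.
QINGNIU_TO_INSIDE = [
    {"name": "10", "source": ["10.128.31.64/28", "10.128.31.166/32"],
     "destination": ["10.0.0.0/8"], "then": "qingniu-to-inside"},
    {"name": "20", "then": ACCEPT},
]

INTERNET_TO_INSIDE = [
    {"name": "10", "destination": ["10.0.0.0/8"], "then": "internet-to-inside"},
    {"name": "20", "then": ACCEPT},
]

# The same Internet-side filter without its catch-all term, to show the implicit-discard trap.
INTERNET_TO_INSIDE_NO_CATCHALL = INTERNET_TO_INSIDE[:1]

# Default-route next hops of the two forwarding instances (towards the core switch).
NEXT_HOP = {"qingniu-to-inside": "10.128.31.161", "internet-to-inside": "10.128.31.157"}


def next_hop_for(terms, src, dst):
    """Next hop a return packet is sent to via its forwarding instance; None when the packet
    stays in inet.0 (normal routing) or is discarded."""
    return NEXT_HOP.get(evaluate_filter(terms, src, dst))


if __name__ == "__main__":
    # Constructed sample packets (not captured traffic).
    samples = [
        ("ge-0/0/14", QINGNIU_TO_INSIDE, "10.128.31.70", "10.20.0.5"),    # platform -> branch LAN
        ("ge-0/0/14", QINGNIU_TO_INSIDE, "10.128.31.80", "10.20.0.5"),    # outside the /28: stays in inet.0
        ("ge-0/0/15", INTERNET_TO_INSIDE, "203.0.113.9", "10.20.0.5"),    # Internet -> branch LAN
        ("ge-0/0/15", INTERNET_TO_INSIDE, "203.0.113.9", "198.51.100.1"), # not for the LAN: accepted
        ("ge-0/0/15", INTERNET_TO_INSIDE_NO_CATCHALL, "203.0.113.9", "198.51.100.1"),  # dropped
    ]
    for ifc, terms, src, dst in samples:
        action = evaluate_filter(terms, src, dst)
        print(f"{ifc} {src} -> {dst}: {action} (next hop {next_hop_for(terms, src, dst)})")
```

Two caveats when carrying this over to the device. First, an FBF filter only steers packets; on an SRX the zone security policies are still evaluated afterwards, so the `accept` terms do not open anything that policy would otherwise block, and the filters must not be relied on as the access control either. Second, the match conditions are applied to the packet as it arrives on the interface, so if the firewall source-NATs the Internet-bound traffic, the return packets will carry the public address rather than a 10.0.0.0/8 destination; check the conditions against what the packets actually look like on the wire, and after `commit` confirm with `show route table internet-to-inside.inet.0` and `show route table qingniu-to-inside.inet.0` that each instance holds both its default route and the imported interface routes needed to resolve the next hop.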


I hope this is helpful to readers; if you have any questions, feel free to leave a comment.