
Netscreen与JuniperSRX跑OSPF

拓扑:


Netscreen 与Juniper SRX跑OSPF

Netscreen Configuration:

set zone name y1

set interface "tunnel.1" zone "y1"

set interface "loopback.1" zone "Home"

set interface "loopback.2" zone "Home"

set interface "loopback.3" zone "Home"

set interface ethernet3 ip 200.1.1.2/24

set interface loopback.1 ip 192.168.1.1/24

set interface loopback.2 ip 192.168.2.1/24

set interface loopback.3 ip 192.168.3.1/24

set interface tunnel.1 ip 172.16.1.1/24

set interface ethernet3 manage

set interface loopback.1 manage

set interface loopback.2 manage

set interface loopback.3 manage

set address "Home" "192.168.1.0" 192.168.1.0 255.255.255.0

set address "Home" "192.168.2.0" 192.168.2.0 255.255.255.0

set address "Home" "192.168.3.0" 192.168.3.0 255.255.255.0

set address "y1" "192.168.4.0" 192.168.4.0 255.255.255.0

set address "y1" "192.168.5.0" 192.168.5.0 255.255.255.0

set address "y1" "192.168.6.0" 192.168.6.0 255.255.255.0

set address "y1" "192.168.8.0" 192.168.8.0 255.255.255.0

set group address "Home" "zongbu"

set group address "Home" "zongbu" add "192.168.1.0"

set group address "Home" "zongbu" add "192.168.2.0"

set group address "Home" "zongbu" add "192.168.3.0"

set group address "y1" "y1-add"

set group address "y1" "y1-add" add "192.168.4.0"

set group address "y1" "y1-add" add "192.168.5.0"

set group address "y1" "y1-add" add "192.168.6.0"

set group address "y1" "y1-add" add "192.168.8.0"

(注:原页面把下面三条命令中的 vpn 屏蔽成了 ***,此处已还原。预共享密钥已随文章公开,请勿在实际环境中沿用;no-replay 表示未启用 IPsec 抗重放保护,仅适合实验环境。)

set ike gateway "to-y1" address 200.1.2.2 Main outgoing-interface "ethernet3" preshare "Gxl2rRLGNckqmts4QACGowXnN2nJ8eFsew==" sec-level standard

set vpn "y1" gateway "to-y1" no-replay tunnel idletime 0 sec-level standard

set vpn "y1" id 0x1 bind interface tunnel.1

set vpn "y1" proxy-id local-ip 0.0.0.0/0 remote-ip 0.0.0.0/0 "ANY"

set policy id 6 from "y1" to "Home" "y1-add" "zongbu" "ANY" permit

set policy id 5 from "Home" to "y1" "zongbu" "y1-add" "ANY" permit

set vrouter trust-vr protocol ospf

set vrouter trust-vr protocol ospf enable

set vrouter trust-vr protocol ar 0

set router-id 1.1.1.1

set route 0.0.0.0/0 interface ethernet3 gateway 200.1.1.1

set interface loopback.1 protocol ospf area 0.0.0.0

set interface loopback.1 protocol ospf enable

set interface loopback.2 protocol ospf area 0.0.0.0

set interface loopback.2 protocol ospf enable

set interface loopback.3 protocol ospf area 0.0.0.0

set interface loopback.3 protocol ospf enable

set interface tunnel.1 protocol ospf area 0.0.0.0

(下面这条是本实验最重要的命令:不配置 ignore-mtu,OSPF 邻居会卡在 ExStart 状态)

set interface tunnel.1 protocol ospf ignore-mtu

set interface tunnel.1 protocol ospf enable

ISP Configuration:

! ISP router: one routed Ethernet port per firewall-facing /24.
! Ethernet0/0 is the next hop of the Netscreen default route (200.1.1.1).
interface Ethernet0/0
 ip address 200.1.1.1 255.255.255.0
 no shutdown
! Ethernet0/1 is the next hop of the SRX default route (200.1.2.1).
interface Ethernet0/1
 ip address 200.1.2.1 255.255.255.0
 no shutdown

Juniper SRX Configuration:

version 12.1X44.4;

## System stanza of the lab SRX: root credential, one local account,
## management services, syslog targets and licence auto-update.
system {
    root-authentication {
        ## "$1$" marks an MD5-crypt hash. It was published with this article,
        ## so treat it as exposed: set a new root password instead of
        ## copying this line into another device.
        encrypted-password "$1$Iq3z9EVf$2Qjh4Bi1SYKIqfaawy9QW/"; ## SECRET-DATA
    }
    login {
        ## NOTE(review): the listing shows no authentication statement for
        ## this super-user account - confirm how it is meant to log in.
        user juniper {
            uid 2001;
            class super-user;
        }
    }
    services {
        ssh;
        web-management {
            ## J-Web over cleartext HTTP, bound to ge-0/0/0.0 (200.1.2.2, the
            ## ISP-facing port). The interface's host-inbound-traffic list
            ## further down does not include http - confirm the intent, and
            ## prefer https on an internal interface outside a lab.
            http {
                interface ge-0/0/0.0;
            }
        }
    }
    syslog {
        ## Emergency-level messages go to every logged-in user.
        user * {
            any emergency;
        }
        ## Local file "messages": all facilities at any severity, plus
        ## authorization events at info level.
        file messages {
            any any;
            authorization info;
        }
        ## Local file "interactive-commands": records CLI commands.
        ## NOTE(review): no remote syslog host is configured in this listing.
        file interactive-commands {
            interactive-commands any;
        }
    }
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
}

## Interface addressing for the SRX side of the lab.
interfaces {
    ## Outside port: same /24 as the ISP router's 200.1.2.1 and the address
    ## the Netscreen IKE gateway "to-y1" points at.
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 200.1.2.2/24;
            }
        }
    }
    ## Inside port: shares 192.168.8.0/24 with R2 (192.168.8.2).
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 192.168.8.1/24;
            }
        }
    }
    ## Secure tunnel interface: same /24 as the Netscreen tunnel.1
    ## (172.16.1.1); the OSPF adjacency between the firewalls forms here.
    st0 {
        unit 0 {
            family inet {
                address 172.16.1.2/24;
            }
        }
    }
}

## Static default route toward the ISP router (200.1.2.1) so the IKE peer
## 200.1.1.2 is reachable before OSPF comes up over the tunnel.
routing-options {
    static {
        route 0.0.0.0/0 next-hop 200.1.2.1;
    }
}

## OSPF area 0 on the inside port (toward R2) and on the tunnel interface
## (toward the Netscreen).
## NOTE(review): no OSPF authentication is configured on either interface
## in this listing; on the LAN side any device on 192.168.8.0/24 could
## attempt an adjacency. Consider interface authentication outside a lab.
protocols {
    ospf {
        area 0.0.0.0 {
            interface ge-0/0/1.0;
            interface st0.0;
        }
    }
}

security {

## IKE phase 1: main mode with a pre-shared key toward the Netscreen's
## ethernet3 address (200.1.1.2), using the predefined "standard" proposal set.
ike {
    policy l2l-p1-gateway {
        mode main;
        proposal-set standard;
        ## "$9$" is Junos's reversible encoding for stored secrets, not a
        ## one-way hash. The key was published with this article and must
        ## be considered disclosed: generate a new key on both peers.
        pre-shared-key ascii-text "$9$s24oGPfz6CuaZz6"; ## SECRET-DATA
    }
    gateway l2l-p1-gateway {
        ike-policy l2l-p1-gateway;
        address 200.1.1.2;
        external-interface ge-0/0/0.0;
    }
}

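## IPsec phase 2: route-based tunnel bound to st0.0, negotiated through the
## IKE gateway l2l-p1-gateway with the predefined "standard" proposal set.
ipsec {
    policy l2l-p2-policy {
        proposal-set standard;
    }
    ## The page's word filter printed this line as "*** route-***"; the Junos
    ## keyword at this level is "vpn". The tunnel name is presumably
    ## "route-vpn" - confirm against the original configuration.
    vpn route-vpn {
        bind-interface st0.0;
        ike {
            gateway l2l-p1-gateway;
            ## 0.0.0.0/0 on both sides mirrors the Netscreen proxy-id line;
            ## which traffic is actually allowed is decided by the routing
            ## table and the security policies, not by this selector.
            proxy-identity {
                local 0.0.0.0/0;
                remote 0.0.0.0/0;
                service any;
            }
            ipsec-policy l2l-p2-policy;
        }
    }
}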

## Screen (IDS) profile definition.
## NOTE(review): the untrust zone in this listing carries no
## "screen untrust-screen;" statement, so as posted the profile appears to
## be defined but not applied to any zone - confirm.
screen {
    ids-option untrust-screen {
        icmp {
            ping-death;
        }
        ip {
            source-route-option;
            tear-drop;
        }
        tcp {
            syn-flood {
                alarm-threshold 1024;
                attack-threshold 200;
                source-threshold 1024;
                destination-threshold 2048;
                queue-size 2000; ## Warning: 'queue-size' is deprecated
                timeout 20;
            }
            land;
        }
    }
}

## Transit policies between the local LAN zone (trust) and the tunnel zone
## (svti). Both directions permit every application between the two
## address sets.
## NOTE(review): neither policy has a log action, so permitted sessions are
## not recorded; narrow "application any" and add session logging before
## using this outside a lab.
policies {
    ## Branch networks (address-set y1) toward headquarters (zongbu).
    from-zone trust to-zone svti {
        policy permit-trust-svti {
            match {
                source-address y1;
                destination-address zongbu;
                application any;
            }
            then {
                permit;
            }
        }
    }
    ## Headquarters (zongbu) toward branch networks (y1).
    from-zone svti to-zone trust {
        policy permit-svti-trust {
            match {
                source-address zongbu;
                destination-address y1;
                application any;
            }
            then {
                permit;
            }
        }
    }
}

## Security zones: untrust (ISP-facing port), trust (LAN toward R2) and
## svti (the st0.0 tunnel interface), plus an empty zone UN.
zones {
    security-zone untrust {
        ## Zone-level default: only IKE may reach the device itself.
        host-inbound-traffic {
            system-services {
                ike;
            }
        }
        interfaces {
            ge-0/0/0.0 {
                ## Interface-level list takes precedence over the zone-level
                ## one, so the ISP-facing port accepts ping, telnet, ssh
                ## and ike. Telnet is cleartext management on an outside
                ## interface: drop it, and limit ssh to known sources,
                ## outside a lab.
                host-inbound-traffic {
                    system-services {
                        ping;
                        telnet;
                        ssh;
                        ike;
                    }
                }
            }
        }
    }
    security-zone trust {
        ## Local prefixes, one per R2 interface (e0/0 plus loopbacks l0-l2),
        ## grouped as address-set y1 for the policies.
        address-book {
            address 192.168.8.0 192.168.8.0/24;
            address 192.168.4.0 192.168.4.0/24;
            address 192.168.5.0 192.168.5.0/24;
            address 192.168.6.0 192.168.6.0/24;
            address-set y1 {
                address 192.168.8.0;
                address 192.168.4.0;
                address 192.168.5.0;
                address 192.168.6.0;
            }
        }
        interfaces {
            ge-0/0/1.0 {
                ## OSPF must be allowed inbound or no adjacency with R2 forms.
                host-inbound-traffic {
                    system-services {
                        ping;
                    }
                    protocols {
                        ospf;
                    }
                }
            }
        }
    }
    security-zone svti {
        ## Remote prefixes (the Netscreen loopback.1-3 networks), grouped
        ## as address-set zongbu.
        address-book {
            address 192.168.1.0 192.168.1.0/24;
            address 192.168.2.0 192.168.2.0/24;
            address 192.168.3.0 192.168.3.0/24;
            address-set zongbu {
                address 192.168.1.0;
                address 192.168.2.0;
                address 192.168.3.0;
            }
        }
        ## OSPF allowed inbound on the tunnel zone so the adjacency with the
        ## Netscreen tunnel.1 can form over st0.0.
        host-inbound-traffic {
            system-services {
                ping;
            }
            protocols {
                ospf;
            }
        }
        interfaces {
            st0.0;
        }
    }
    ## Empty zone: no interfaces or policies reference it in this listing.
    security-zone UN;
}

}

[edit]

R2 configuration:

! R2: LAN router behind the SRX. Every interface is placed in OSPF
! process 110, area 0, using the per-interface form of the command.
! NOTE(review): no OSPF authentication is configured in this listing.
interface Ethernet0/0
 ip address 192.168.8.2 255.255.255.0
 no shutdown
 ip ospf 110 area 0
! Loopbacks stand in for the branch networks 192.168.4.0-6.0/24.
interface Loopback0
 ip address 192.168.4.1 255.255.255.0
 ip ospf 110 area 0
interface Loopback1
 ip address 192.168.5.1 255.255.255.0
 ip ospf 110 area 0
interface Loopback2
 ip address 192.168.6.1 255.255.255.0
 ip ospf 110 area 0

效果图:

Netscreen 与Juniper SRX跑OSPF

Netscreen 与Juniper SRX跑OSPF

Netscreen 与Juniper SRX跑OSPF

注意一点即可:
Netscreen 的 tunnel.1 接口必须让 OSPF 忽略 MTU 检查,命令是
ns5gt-> set int tun.1 protocol ospf ignore-mtu
否则邻居会一直卡在 ExStart 状态(通常是因为两端隧道接口的 MTU 不一致,DBD 报文中的 MTU 校验无法通过)。
