SRX 설정 방법 (CLI)

설정 확인(operation 모드)
show configuration | display set | match “찾을 문자 또는 숫자”

어드레스 추가(configure 모드)

set security zones security-zone untrust address-book address 222_231_7_233 222.231.7.233/32
set security zones security-zone trust address-book address 2_2_2_2 2.2.2.2/32

어드레스 그룹 추가(configure 모드)

set security zones security-zone untrust address-book address-set 222_231_7_233/222_231_7_234 address 222_231_7_233
set security zones security-zone untrust address-book address-set 222_231_7_233/222_231_7_234 address 218_50_1_87

어드레스 그룹 삭제(해당 그룹에서 특정 IP만 제거)

delete security zones security-zone untrust address-book address-set 1_1_1_1/2_2_2_2 address 1_1_1_1

스케줄 추가(configure 모드)

set schedulers scheduler 2014_07_31_23_59 start-date 2012-08-24.00:00 stop-date 2014-07-31.23:59

서비스 추가

#set applications application tcp_3659 term tcp_3659 protocol tcp
#set applications application tcp_3659 term tcp_3659 source-port 1024-65535
#set applications application tcp_3659 term tcp_3659 destination-port 3659-3659

서비스 그룹 추가

#set applications application-set ping_tcp_3659 application junos-ping
#set applications application-set ping_tcp_3659 application tcp_3659

정책 추가(configure 모드)

set security policies from-zone untrust to-zone trust policy 120824001 match source-address 61_110_18_122
set security policies from-zone untrust to-zone trust policy 120824001 match destination-address 121_254_132_198
set security policies from-zone untrust to-zone trust policy 120824001 match application http_8080
set security policies from-zone untrust to-zone trust policy 120824001 then permit
set security policies from-zone untrust to-zone trust policy 120824001 then log session-close
set security policies from-zone untrust to-zone trust policy 120824001 scheduler-name 2014_07_31_23_59

우선순위 변경(configure 모드)

insert security policies from-zone untrust to-zone trust policy 130115001 before policy 706 (인바운드))

정책 우선순위 확인(operation 모드)

show security policies from-zone untrust to-zone trust
show security policies from-zone trust to-zone untrust

정책 리스트 확인

op policy.xml

Source NAT 추가 (configure 모드)

set security nat source rule-set rs_1 to zone untrust --> 초기생성 시 적용
set security nat source rule-set rs_1 rule rule_14 match source-address 172.30.148.0/24
set security nat source rule-set rs_1 rule rule_14 then source-nat pool pool_14
set security nat source pool pool_14 address 117.52.15.148/32

Destination NAT 추가 (configure 모드)

set security nat destination rule-set dnat_1 from zone untrust
set security nat destination rule-set dnat_1 rule dnat_rule_1 match destination-address 123.123.123.123/32
set security nat destination rule-set dnat_1 rule dnat_rule_1 then destination-nat pool dpool_1
set security nat destination pool dpool_1 address 192.168.10.50/32

dnat port(포트 포워딩)

set security nat destination pool dpool_1 address 192.168.10.50/32
set security nat destination pool dpool_1 address port 80
set security nat destination rule-set dnat_1 from zone untrust
set security nat destination rule-set dnat_1 rule dnat_rule_1 match destination-address 123.123.123.123/32
set security nat destination rule-set dnat_1 rule dnat_rule_1 match destination-port 33890
set security nat destination rule-set dnat_1 rule dnat_rule_1 then destination-nat pool dpool_1

routing 추가 (configure 모드)

set routing-options static route 172.30.148.0/24 next-hop 172.16.20.113

session 확인

show security flow session source-prefix
show security flow session destination-prefix 출발지IP

• show | compare 로 추가되는 설정 확인 후, commit check로 정상적으로 들어가는지 확인 후 commit 적용 필요~!!!!
  #show | compare
  #commit check
  #commit
  #exit

Example 15 expands on Example 14 by combining out-of-band (OOB) maps with a map passall originating from an inline network group on GigaVUE-HC2.

When the source port of an OOB map is associated with an inline network group, only one port is supported in the port list. In this case, multiple OOB maps are needed because each OOB map only accepts one inline network port as the input (the from argument of the map command).

A protected inline network (which uses bypass combo modules) is included in Example 15. You do not need to configure inline network ports or the inline networks because they are created automatically. The port pairs in Example 15 are
1/1/x17 and 1/1/x18, as well as 1/1/x19 and 1/1/x20. The aliases of the default inline networks in Example 15 are default_inline_net_1_1_1 and default_inline_net_1_1_2.

In Example 15, two OOB maps send traffic from each inline network port (associated with default_inline_net_1_1_1) to the OOB tool. Two more maps would be needed to send traffic from each inline network port (associated with default_inline_net_1_1_2) to the OOB tool, but this is not included in Example 15.

On GigaVUE-HC3, protected inline bypass can be configured on the bypass combo module on ports c1..c4.

On GigaVUE-HC1, protected inline bypass can be configured on the bypass combo module, or on the TAP-HC1-G10040 module placed in either bay 2 or bay 3, so the ports will be 1/2/g1..g8 or 1/3/g1..g8. On the TAP module, you will need to configure inline network ports and the inline network because they are not created automatically (as they are on bypass combo modules).

Step

Description

Command

1. Configure an inline network group consisting of two protected inline networks.

(config) # inline-network-group alias inNetGroup
(config inline-network-group alias inNetGroup) # network-list default_inline_net_1_1_1,default_inline_net_1_1_2
(config inline-network-group alias inNetGroup) # exit
(config) #

2. Configure a regular tool port of port type (tool) and administratively enable it. This is the OOB tool.

(config) # port 1/1/x12 type tool
(config) # port 1/1/x12 params admin enable

3. Configure two inline tool ports of port type (inline-tool) and administratively enable them.

(config) # port 1/2/x23 type inline-tool
(config) # port 1/2/x23 params admin enable

(config) # port 1/2/x24 type inline-tool
(config) # port 1/2/x24 params admin enable

4. Configure inline tool and enable it. Also, specify that the inline tool is going to be shared by different sources. When shared is enabled (true), the inline tool can receive traffic from multiple sources (the inline networks in the inline network group).

(config) # inline-tool alias inTool1 pair tool-a 1/2/x23 and tool-b 1/2/x24
(config) # inline-tool alias inTool1 enable
(config) # inline-tool alias inTool1 shared true

5. Configure a map passall, from the inline network group to the inline tool. This sends all the traffic to the inline tool.

(config) # map-passall alias inline_map1
(config map-passall alias inline_map1) # from inNetGroup
(config map-passall alias inline_map1) # to inTool1
(config map-passall alias inline_map1) # exit
(config) #

6. Configure the first rule-based map. This is an OOB map from one inline network port (associated with default_inline_net_1_1_1) to the OOB tool.

(config) # map alias OoB_map1
(config map alias OoB_map1) # type regular byRule
(config map alias OoB_map1) # rule add pass ipver 4
(config map alias OoB_map1) # to 1/1/x12
(config map alias OoB_map1) # from 1/1/x17
(config map alias OoB_map1) # exit
(config) #

7. Configure a second rule-based map. This is an OOB map from the other inline network port (associated with default_inline_net_1_1_1) to the OOB tool.

(config) # map alias OoB_map2
(config map alias OoB_map2) # type regular byRule
(config map alias OoB_map2) # rule add pass ipver 4
(config map alias OoB_map2) # to 1/1/x12
(config map alias OoB_map2) # from 1/1/x18
(config map alias OoB_map2) # exit
(config) #

8. Configure a third rule-based map. This is an OOB map from a single inline tool port to the OOB tool.

(config) # map alias OoB_map3
(config map alias OoB_map3) # type inline byRule
(config map alias OoB_map3) # rule add pass ipver 4
(config map alias OoB_map3) # to 1/1/x12
(config map alias OoB_map3) # from 1/2/x23
(config map alias OoB_map3) # exit
(config) #

9. Configure the path of the traffic to inline tool.

(config) # inline-network alias default_inline_net_1_1_1 traffic-path to-inline-tool
(config) # inline-network alias default_inline_net_1_1_2 traffic-path to-inline-tool

10. Disable physical bypass on the default inline network aliases.

(config) # inline-network alias default_inline_net_1_1_1 physical-bypass disable
(config) # inline-network alias default_inline_net_1_1_2 physical-bypass disable

11. Display the configuration and statistics for this example.

(config) # show inline-network
(config) # show inline-network-group
(config) # show inline-tool
(config) # show map

Example 14 combines out-of-band (OOB) maps with a map passall originating from an inline network on GigaVUE-HC2. In Example 14, the map passall sends all traffic to the inline tool. The OOB rule-based map sends traffic to an OOB tool.

When the source port of an OOB map is associated with an inline network, multiple source ports are supported in the port list (the from argument of the map command).

A protected inline network (which uses bypass combo modules) is included in Example 14. You do not need to configure inline network ports because they are created automatically. The port pairs in Example 14 are 1/1/x21 and 1/1/x22. You do not need to configure an inline network because it is also created automatically. The alias of the default inline network in Example 14 is default_inline_net_1_1_3.

On GigaVUE-HC3, protected inline bypass can be configured on the bypass combo module on ports c1..c4.

On GigaVUE-HC1, protected inline bypass can be configured on the bypass combo module, or on the TAP-HC1-G10040 module placed in either bay 2 or bay 3, so the ports will be 1/2/g1..g8 or 1/3/g1..g8. On the TAP module, you will need to configure inline network ports and the inline network because they are not created automatically (as they are on bypass combo modules).

Step

Description

Command

1. Configure a regular tool port of port type (tool) and administratively enable it. This is the OOB tool.

(config) # port 1/1/x12 type tool
(config) # port 1/1/x12 params admin enable

2. Configure two inline tool ports of port type (inline-tool) and administratively enable them.

(config) # port 1/2/x23 type inline-tool
(config) # port 1/2/x23 params admin enable

(config) # port 1/2/x24 type inline-tool
(config) # port 1/2/x24 params admin enable

3. Configure inline tool and enable it.

(config) # inline-tool alias inTool1 pair tool-a 1/2/x23 and tool-b 1/2/x24
(config) # inline-tool alias inTool1 enable

4. Configure a map passall, from the inline network to the inline tool. This sends all the traffic to the inline tool.

(config) # map-passall alias inline_map1
(config map-passall alias inline_map1) # from default_inline_net_1_1_3
(config map-passall alias inline_map1) # to inTool1
(config map-passall alias inline_map1) # exit
(config) #

5. Configure the OOB rule-based map, with both inline network ports in the from argument, and the OOB tool in the to argument.

(config) # map alias OoB_map
(config map alias OoB_map) # type regular byRule
(config map alias OoB_map) # rule add pass ipver 4
(config map alias OoB_map) # to 1/1/x12
(config map alias OoB_map) # from 1/1/x21..x22
(config map alias OoB_map) # exit
(config) #

6. Configure the path of the traffic to inline tool.

(config) # inline-network alias default_inline_net_1_1_3 traffic-path to-inline-tool

7. Disable physical bypass on the default inline network alias.

(config) # inline-network alias default_inline_net_1_1_3 physical-bypass disable

8. Display the configuration and statistics for this example.

(config) # show inline-network
(config) # show inline-tool
(config) # show map
(config) # show port stats

Example 9 is an inline bypass solution on GigaVUE-HC2 for an inline network group. Example 9 expands upon Example 8 by adding a second inline tool. The inline networks are a mix of unprotected and protected.

In addition, user-defined VLAN tags are added in Example 9 to guide traffic from the multiple inline networks in the inline network group.

On GigaVUE-HC3, unprotected inline bypass can be configured on any module on the node. Protected inline bypass can be configured on the bypass combo module on ports c1..c4.

On GigaVUE-HC1, unprotected inline bypass can be configured on the base module, with the inline networks and inline tools on ports 1/1/x1..x12 and 1/1/g1..g4, or on the bypass combo module on ports x1..x4. Protected inline bypass can be configured on the bypass combo module, or on the TAP-HC1-G10040 module placed in either bay 2 or bay 3, so the ports will be 1/2/g1..g8 or 1/3/g1..g8. On the TAP module, you will need to configure inline network ports and the inline network because they are not created automatically (as they are on bypass combo modules).

Step

Description

Command

1. Configure inline network aliases, port type (inline-network), and administratively enable inline network ports.

(config) # port 7/2/x1 alias iN1
(config) # port iN1 type inline-network
(config) # port iN1 params admin enable

(config) # port 7/2/x20 alias iN2
(config) # port iN2 type inline-network
(config) # port iN2 params admin enable

2. Configure inline network.

(config) # inline-network alias inNet pair net-a iN1 and net-b iN2

3. Configure an inline network group consisting of a single unprotected inline network and two protected inline networks.

(config) # inline-network-group alias inNetGroup
(config inline-network-group alias inNetGroup) # network-list inNet,default_inline_net_7_2_1,default_inline_net_7_2_3
(config inline-network-group alias inNetGroup) # exit
(config) #

4. (Optional) Configure user-defined VLAN tags.

Note: The net-a and net-b ports can have the same VLAN tag, but tags must otherwise be unique within the inline network group.

(config) # port 7/2/x1 ingress-vlan-tag 1201
(config) # port 7/2/x20 ingress-vlan-tag 1202
(config) # port 7/2/x17 ingress-vlan-tag 1203
(config) # port 7/2/x18 ingress-vlan-tag 1203

5. Configure inline tool ports, port type (inline-tool), and administratively enable inline tool ports.

(config) # port 7/2/x3 alias iT1
(config) # port iT1 type inline-tool
(config) # port iT1 params admin enable

(config) # port 7/2/x4 alias iT2
(config) # port iT2 type inline-tool
(config) # port iT2 params admin enable

(config) # port 7/2/x9 alias iT3
(config) # port iT3 type inline-tool
(config) # port iT3 params admin enable

(config) # port 7/2/x10 alias iT4
(config) # port iT4 type inline-tool
(config) # port iT4 params admin enable

6. Configure inline tools and enable them. Also, specify that inline tools are going to be shared by different sources. When shared is enabled (true), the inline tools can receive traffic from multiple sources (the inline networks in the inline network group).

(config) # inline-tool alias inTool1 pair tool-a iT1 and tool-b iT2
(config) # inline-tool alias inTool2 pair tool-a iT3 and tool-b iT4

(config) # inline-tool alias inTool1 enable
(config) # inline-tool alias inTool2 enable

(config) # inline-tool alias inTool1 shared true
(config) # inline-tool alias inTool2 shared true

7. Configure inline tool group and enable it.

(config) # inline-tool-group alias inToolGroup tool-list inTool1,inTool2
(config) # inline-tool-group alias inToolGroup enable

8. Configure map passall, from inline network to inline tool group.

(config) # map-passall alias inMap
(config map-passall alias inMap) # from inNet
(config map-passall alias inMap) # to inToolGroup
(config map-passall alias inMap) # exit
(config) #

9. Configure the path of the traffic to inline tool.

(config) # inline-network alias inNet traffic-path to-inline-tool
(config) # inline-network alias default_inline_net_7_2_1 traffic-path to-inline-tool
(config) # inline-network alias default_inline_net_7_2_3 traffic-path to-inline-tool

10. Disable physical bypass on the default inline network aliases.

(config) # inline-network alias default_inline_net_7_2_1 physical-bypass disable
(config) # inline-network alias default_inline_net_7_2_3 physical-bypass disable

11. Display the configuration for this example.

(config) # show inline-network-group
(config) # show ingress-vlan-tag
(config) # show inline-tool-group

Example 8 is an inline bypass solution on GigaVUE-HC2 for an inline network group. This is a many-to-one example with two inline networks and one inline tool. The inline networks are mix of protected and unprotected.

On GigaVUE-HC3, unprotected inline bypass can be configured on any module on the node. Protected inline bypass can be configured on the bypass combo module on ports c1..c4.

On GigaVUE-HC1, unprotected inline bypass can be configured on the base module, with the inline networks and inline tools on ports 1/1/x1..x12 and 1/1/g1..g4, or on the bypass combo module on ports x1..x4. Protected inline bypass can be configured on the bypass combo module, or on the TAP-HC1-G10040 module placed in either bay 2 or bay 3, so the ports will be 1/2/g1..g8 or 1/3/g1..g8. On the TAP module, you will need to configure inline network ports and the inline network because they are not created automatically (as they are on bypass combo modules).

Step

Description

Command

1. Configure inline network aliases, port type (inline-network), and administratively enable inline network ports.

(config) # port 7/2/x1 alias iN1
(config) # port iN1 type inline-network
(config) # port iN1 params admin enable

(config) # port 7/2/x20 alias iN2
(config) # port iN2 type inline-network
(config) # port iN2 params admin enable

2. Configure inline network.

(config) # inline-network alias inNet pair net-a iN1 and net-b iN2

3. Configure an inline network group consisting of a single unprotected inline network and two protected inline networks.

(config) # inline-network-group alias inNetGroup
(config inline-network-group alias inNetGroup) # network-list inNet,default_inline_net_7_2_1,default_inline_net_7_2_3
(config inline-network-group alias inNetGroup) # exit
(config) #

4. Configure inline tool ports, port type (inline-tool), and administratively enable inline tool ports.

(config) # port 7/2/x3 alias iT1
(config) # port iT1 type inline-tool
(config) # port iT1 params admin enable

(config) # port 7/2/x4 alias iT2
(config) # port iT2 type inline-tool
(config) # port iT2 params admin enable

5. Configure inline tool and enable it. Also, specify that the inline tool is going to be shared by different sources. When shared is enabled (true), the inline tool can receive traffic from multiple sources (the inline networks in the inline network group).

(config) # inline-tool alias inTool pair tool-a iT1 and tool-b iT2
(config) # inline-tool alias inTool enable
(config) # inline-tool alias inTool shared true

6. Configure map passall, from inline network group to inline tool.

(config) # map-passall alias inMap
(config map-passall alias inMap) # from inNetGroup
(config map-passall alias inMap) # to inTool
(config map-passall alias inMap) # exit
(config) #

7. Configure the path of the traffic to inline tool.

(config) # inline-network alias inNet traffic-path to-inline-tool
(config) # inline-network alias default_inline_net_7_2_1 traffic-path to-inline-tool
(config) # inline-network alias default_inline_net_7_2_3 traffic-path to-inline-tool

8. Disable physical bypass on the default inline network aliases.

(config) # inline-network alias default_inline_net_7_2_1 physical-bypass disable
(config) # inline-network alias default_inline_net_7_2_3 physical-bypass disable

9. Display the configuration for this example.

(config) # show inline-network-group
(config) # show inline-tool
(config) # show map

L4스위치 A Config

L4스위치 B Config

Cat6500#show run
!

!

! #### Cat6500의 네개의 FastEthernet 포트를 하나의 그룹으로 묶는 인터페이스에 대한 설정입니!

! #### 다.
interface Port-channel1
switchport 

### Port-channel1을 Layer 2 포트로 만들어 줍니다.(L3로 하고자 할 경우에는

### no switchport로 설정하면 됩니다.)
switchport trunk encapsulation dot1q 

### 아래에서 Trunk로 설정시 모든 VLAN에 대한 정보가 

### 이 인터페이스를 송/수신되구 trunking protocol이 시스
### 코용 ISL과 open standard인 dot1q가 있는데 여기는 
### dot1q를 사용

                                                
switchport mode trunk 

### 모든 VLAN 정보가 송/수신되어서 양 단 스위치의 동일 VLAN은

### 라우터없이도 통신이 되도록 만듬
no ip address
!

### 아래는 Port-channel1에 속하는 인터페이스에 대한 설정입니다.

!

interface FastEthernet4/2
switchport
switchport trunk encapsulation dot1q
switchport mode trunk
no ip address
channel-group 1 mode desirable

### 인터페이스가 port-channel1 그룹에 포함되도록 설정

!

interface FastEthernet4/3
switchport
switchport trunk encapsulation dot1q
switchport mode trunk
no ip address
channel-group 1 mode desirable

!

interface FastEthernet4/4
switchport
switchport trunk encapsulation dot1q
switchport mode trunk
no ip address
channel-group 1 mode desirable  

!

(생략)

Cat2950#show run

!

!

!
interface Port-channel1
switchport mode trunk

### 위의 Cat6500 장비는 L3도 모두 지원하기 때문에 switchport라구 명시

### 해야만 L2로 동작하지만 cat2950는 Layer 2 스위치이기 떄문에 별도의

### 설정없이도 L2로 동작함. 또한 모든 VLAN 정보 송/수신 가능하게 설정

!

!

### port-channel1 그룹에 속하는 인터페이스에 대한 설정입니다.

!        
interface FastEthernet0/2
switchport mode trunk
channel-group 1 mode desirable

!

!        
interface FastEthernet0/3
switchport mode trunk
channel-group 1 mode desirable

!

!        
interface FastEthernet0/4
switchport mode trunk
channel-group 1 mode desirable

!

(생략)

마지막으로 주의할 점은

   1)       Etherchannel로 설정되는 포트는 동일한 VLAN, 속도, Duplex로 설정이 되어 있어야 합니다.