sbpaek
- Mungane gochujang chueotang (loach soup) 2021.10.12
- Traveling in Yeongwol… 2021.09.19
- Juniper SRX Cluster configuration 2021.08.26
- Juniper SRX Policy-Based IPSec VPN 2021.08.26
- Juniper SRX Routed-Based IPSec VPN 2021.08.26
- Sol Beach 2021.08.16
- My uncle who raises a water deer 2021.08.08
- Juniper RestAPI Sample 2021.08.06
Mungane gochujang chueotang (loach soup)
Traveling in Yeongwol…
Juniper SRX Cluster configuration
- Node 0
# set chassis cluster cluster-id 1 node 0 reboot
- Node 1
# set chassis cluster cluster-id 1 node 1 reboot
set groups node0 system host-name srx1500-1
set groups node0 interfaces fxp0 unit 0 family inet address 192.16.35.46/24
set groups node1 system host-name srx1500-2
set groups node1 interfaces fxp0 unit 0 family inet address 192.16.35.47/24
set groups node0 system backup-router <backup next-hop from fxp0> destination <management network/mask>
set groups node1 system backup-router <backup next-hop from fxp0> destination <management network/mask>
set apply-groups "${node}"
set interfaces fab0 fabric-options member-interfaces ge-0/0/1
set interfaces fab1 fabric-options member-interfaces ge-7/0/1
set chassis cluster redundancy-group 0 node 0 priority 100
set chassis cluster redundancy-group 0 node 1 priority 1
set chassis cluster redundancy-group 1 node 0 priority 100
set chassis cluster redundancy-group 1 node 1 priority 1
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/5 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/4 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-7/0/5 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-7/0/4 weight 255
set chassis cluster reth-count 2
set interfaces ge-0/0/5 gigether-options redundant-parent reth1
set interfaces ge-7/0/5 gigether-options redundant-parent reth1
set interfaces reth1 redundant-ether-options redundancy-group 1
set interfaces reth1 unit 0 family inet address 203.0.113.233/24
set interfaces ge-0/0/4 gigether-options redundant-parent reth0
set interfaces ge-7/0/4 gigether-options redundant-parent reth0
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth0 unit 0 family inet address 198.51.100.1/24
set security zones security-zone Untrust interfaces reth1.0
set security zones security-zone Trust interfaces reth0.0
Verification
>show chassis cluster status
>show chassis cluster interfaces
>show chassis cluster statistics
>clear chassis cluster statistics
>show chassis cluster control-plane statistics
>show chassis cluster data-plane statistics
>show chassis cluster status redundancy-group 1
>show chassis cluster information configuration-synchronization
>show log jsrpd
>show log chassisd
>show log messages
>show log dcd
>show traceoptions
Juniper SRX Policy-Based IPSec VPN
set security ike proposal standard authentication-method pre-shared-keys
set security ike policy IKE-POL mode main
set security ike policy IKE-POL proposals standard
set security ike policy IKE-POL pre-shared-key ascii-text $ABC123
set security ike gateway IKE-GW ike-policy IKE-POL
set security ike gateway IKE-GW address 172.16.13.1
set security ike gateway IKE-GW external-interface ge-0/0/1
set security ipsec proposal standard
set security ipsec policy IPSEC-POL proposals standard
set security ipsec vpn VPN-to-Host1 ike gateway IKE-GW
set security ipsec vpn VPN-to-Host1 ike ipsec-policy IPSEC-POL
set security ipsec vpn VPN-to-Host1 establish-tunnels immediately
set security address-book Host1 address Host1-Net 10.100.11.0/24
set security address-book Host1 attach zone untrust
set security address-book Host2 address Host2-Net 10.100.22.0/24
set security address-book Host2 attach zone trust
set security flow tcp-mss ipsec-vpn mss 1350
set security policies from-zone trust to-zone untrust policy VPN-OUT match source-address Host2-Net
set security policies from-zone trust to-zone untrust policy VPN-OUT match destination-address Host1-Net
set security policies from-zone trust to-zone untrust policy VPN-OUT match application any
set security policies from-zone trust to-zone untrust policy VPN-OUT then permit tunnel ipsec-vpn VPN-to-Host1
set security policies from-zone trust to-zone untrust policy default-permit match source-address any
set security policies from-zone trust to-zone untrust policy default-permit match destination-address any
set security policies from-zone trust to-zone untrust policy default-permit match application any
set security policies from-zone trust to-zone untrust policy default-permit then permit
set security policies from-zone untrust to-zone trust policy VPN-IN match source-address Host1-Net
set security policies from-zone untrust to-zone trust policy VPN-IN match destination-address Host2-Net
set security policies from-zone untrust to-zone trust policy VPN-IN match application any
set security policies from-zone untrust to-zone trust policy VPN-IN then permit tunnel ipsec-vpn VPN-to-Host1
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust interfaces ge-0/0/0.0
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces ge-0/0/1.0
set interfaces ge-0/0/0 unit 0 family inet address 10.100.22.1/24
set interfaces ge-0/0/1 unit 0 family inet address 172.16.23.1/24
set interfaces lo0 unit 0 family inet address 10.100.100.2/32
set routing-options static route 0.0.0.0/0 next-hop 172.16.23.2
Juniper SRX Routed-Based IPSec VPN
set security ike proposal standard authentication-method pre-shared-keys
set security ike policy IKE-POL mode main
set security ike policy IKE-POL proposals standard
set security ike policy IKE-POL pre-shared-key ascii-text $ABC123
set security ike gateway IKE-GW ike-policy IKE-POL
set security ike gateway IKE-GW address 172.16.13.1
set security ike gateway IKE-GW external-interface ge-0/0/1
set security ipsec proposal standard
set security ipsec policy IPSEC-POL proposals standard
set security ipsec vpn VPN-to-Host1 bind-interface st0.0
set security ipsec vpn VPN-to-Host1 ike gateway IKE-GW
set security ipsec vpn VPN-to-Host1 ike ipsec-policy IPSEC-POL
set security ipsec vpn VPN-to-Host1 establish-tunnels immediately
set security address-book Host1 address Host1-Net 10.100.11.0/24
set security address-book Host1 attach zone VPN
set security address-book Host2 address Host2-Net 10.100.22.0/24
set security address-book Host2 attach zone trust
set security flow tcp-mss ipsec-vpn mss 1350
set security policies from-zone trust to-zone untrust policy default-permit match source-address any
set security policies from-zone trust to-zone untrust policy default-permit match destination-address any
set security policies from-zone trust to-zone untrust policy default-permit match application any
set security policies from-zone trust to-zone untrust policy default-permit then permit
set security policies from-zone trust to-zone VPN policy VPN-OUT match source-address Host2-Net
set security policies from-zone trust to-zone VPN policy VPN-OUT match destination-address Host1-Net
set security policies from-zone trust to-zone VPN policy VPN-OUT match application any
set security policies from-zone trust to-zone VPN policy VPN-OUT then permit
set security policies from-zone VPN to-zone trust policy VPN-IN match source-address Host1-Net
set security policies from-zone VPN to-zone trust policy VPN-IN match destination-address Host2-Net
set security policies from-zone VPN to-zone trust policy VPN-IN match application any
set security policies from-zone VPN to-zone trust policy VPN-IN then permit
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust interfaces ge-0/0/0.0
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces ge-0/0/1.0
set security zones security-zone VPN host-inbound-traffic system-services ping
set security zones security-zone VPN interfaces st0.0
set interfaces ge-0/0/0 unit 0 family inet address 10.100.22.1/24
set interfaces ge-0/0/1 unit 0 family inet address 172.16.23.1/24
set interfaces lo0 unit 0 family inet address 10.100.100.2/32
set interfaces st0 unit 0 family inet address 10.100.200.2/24
set routing-options static route 10.100.11.0/24 next-hop st0.0
set routing-options static route 0.0.0.0/0 next-hop 172.16.23.2
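The three SRX posts above (cluster, policy-based VPN, route-based VPN) are raw `set` listings with no checker attached. The script below is an added example, not code from the blog post or from Juniper: it parses `set ...` statements into a nested dict and runs the consistency checks an operator would want before committing such a configuration. For the cluster post it checks that every reth has member ports on both nodes and that each member is covered by interface-monitor; for the VPN posts it checks that the zone holding the IKE external interface does not expose `system-services all`, that a route-based tunnel's st0 unit is placed in a zone and has a static route pointing at it, and that a policy-based tunnel is permitted in both zone directions. The embedded samples are constructed subsets of the posts' configs (reth0 is deliberately half-configured and the pre-shared key is a placeholder).

```python
"""Audit Junos SRX `set` configuration for the cluster and IPsec VPN designs above.

Added example, not code from the blog post: parses `set ...` lines into a
nested dict and runs defender-side consistency checks on reth membership,
interface-monitor coverage, zone exposure on the IKE interface, st0 placement
and routing, and bidirectional policy-based tunnels. Samples are constructed.
"""

# Constructed subset of the cluster post (reth0 deliberately half-configured).
CLUSTER = """
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/5 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-7/0/5 weight 255
set interfaces ge-0/0/5 gigether-options redundant-parent reth1
set interfaces ge-7/0/5 gigether-options redundant-parent reth1
set interfaces reth1 redundant-ether-options redundancy-group 1
set interfaces ge-0/0/4 gigether-options redundant-parent reth0
set interfaces reth0 redundant-ether-options redundancy-group 1
"""

# Constructed subset of the route-based VPN post (PSK replaced by a placeholder).
ROUTE_BASED = """
set security ike policy IKE-POL pre-shared-key ascii-text PLACEHOLDER-PSK
set security ike gateway IKE-GW ike-policy IKE-POL
set security ike gateway IKE-GW external-interface ge-0/0/1
set security ipsec vpn VPN-to-Host1 bind-interface st0.0
set security ipsec vpn VPN-to-Host1 ike gateway IKE-GW
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces ge-0/0/1.0
set security zones security-zone VPN interfaces st0.0
set routing-options static route 10.100.11.0/24 next-hop st0.0
"""

def parse_set_config(text):
    """Build a nested dict from `set a b c ...` lines; leaves map to {}."""
    tree = {}
    for raw in text.strip().splitlines():
        tokens = raw.split()
        if tokens and tokens[0] == "set":
            node = tree
            for tok in tokens[1:]:
                node = node.setdefault(tok, {})
    return tree

def _get(tree, *path):
    """Walk `path` through the tree; return {} if any step is missing."""
    for key in path:
        tree = tree.get(key, {})
    return tree

def zone_of_interface(tree, ifl):
    """Security zone that holds logical interface `ifl`, or None."""
    zones = _get(tree, "security", "zones", "security-zone").items()
    return next((z for z, b in zones if ifl in b.get("interfaces", {})), None)

def audit_cluster(tree):
    """Each reth needs members on both nodes, all covered by interface-monitor."""
    findings, ifaces = [], tree.get("interfaces", {})
    for reth, body in ifaces.items():
        if not reth.startswith("reth"):
            continue
        rg = next(iter(_get(body, "redundant-ether-options", "redundancy-group")), None)
        monitored = _get(tree, "chassis", "cluster", "redundancy-group", rg, "interface-monitor")
        members = [i for i, b in ifaces.items() if reth in _get(b, "gigether-options", "redundant-parent")]
        # FPC slot (ge-0/.. vs ge-7/..) tells which node a member port lives on
        if len({m.split("-")[1].split("/")[0] for m in members}) < 2:
            findings.append(("high", f"{reth}: members {members} do not span two nodes"))
        findings += [("medium", f"{reth}: {m} missing from RG{rg} interface-monitor") for m in members if m not in monitored]
    return findings

def audit_vpn(tree):
    """Zone exposure on the IKE interface, st0 placement/routing, policy pairs."""
    findings = []
    zones = _get(tree, "security", "zones", "security-zone")
    for gw, body in _get(tree, "security", "ike", "gateway").items():
        for ext in body.get("external-interface", {}):
            ifl = ext if "." in ext else ext + ".0"
            zone = zone_of_interface(tree, ifl)
            services = _get(zones, zone, "host-inbound-traffic", "system-services")
            if zone is None or "all" in services:
                findings.append(("high", f"gateway {gw}: {ifl} unzoned or zone {zone} allows system-services all"))
    for vpn, body in _get(tree, "security", "ipsec", "vpn").items():
        st = next(iter(body.get("bind-interface", {})), None)
        if st is None:  # policy-based: the tunnel must be permitted both ways
            dirs = tunnel_policy_directions(tree, vpn)
            if len(dirs) < 2:
                findings.append(("medium", f"vpn {vpn}: tunnel permitted in {len(dirs)} direction(s) only"))
            continue
        if zone_of_interface(tree, st) is None:
            findings.append(("high", f"vpn {vpn}: {st} is not in a security zone"))
        routes = _get(tree, "routing-options", "static", "route").values()
        if not any(st in r.get("next-hop", {}) for r in routes):
            findings.append(("medium", f"vpn {vpn}: no static route via {st}"))
    return findings

def tunnel_policy_directions(tree, vpn):
    """Zone pairs whose policies `permit tunnel ipsec-vpn <vpn>`."""
    found = set()
    for src, body in _get(tree, "security", "policies", "from-zone").items():
        for dst, pols in body.get("to-zone", {}).items():
            for pol in pols.get("policy", {}).values():
                if vpn in _get(pol, "then", "permit", "tunnel", "ipsec-vpn"):
                    found.add((src, dst))
    return found
```

Run `audit_cluster(parse_set_config(CLUSTER))` to see the two reth0 findings and `audit_vpn(parse_set_config(ROUTE_BASED))` to see a clean result; feeding it the policy-based listing from the earlier post exercises the bidirectional-policy check instead of the st0 checks. The token-tree parser deliberately ignores quoting, so values containing spaces (descriptions, quoted apply-groups) would need a small extension before this is used on a full `show configuration | display set` dump.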
Sol Beach
My uncle who raises a water deer
Juniper RestAPI Sample
<load-configuration format="xml">
  <configuration>
    <interfaces>
      <interface>
        <name>et-0/0/0</name>
        <unit>
          <name>0</name>
          <family>
            <inet>
              <filter>
                <input>
                  <filter-name>fw_filter</filter-name>
                </input>
              </filter>
            </inet>
          </family>
        </unit>
      </interface>
      <interface>
        <name>et-0/0/10</name>
        <unit>
          <name>0</name>
          <family>
            <inet>
              <filter>
                <input>
                  <filter-name>fw_filter</filter-name>
                </input>
              </filter>
            </inet>
          </family>
        </unit>
      </interface>
      <interface>
        <name>et-0/0/20</name>
        <unit>
          <name>0</name>
          <family>
            <inet>
              <filter>
                <input>
                  <filter-name>fw_filter</filter-name>
                </input>
              </filter>
            </inet>
          </family>
        </unit>
      </interface>
    </interfaces>
    <forwarding-options>
      <port-mirroring>
        <instance>
          <name>tcp80</name>
          <family>
            <inet>
              <output>
                <interface>
                  <name>et-0/0/30.0</name>
                  <next-hop>
                    <name>200.0.10.2</name>
                  </next-hop>
                </interface>
              </output>
            </inet>
          </family>
        </instance>
        <instance>
          <name>tcp443</name>
          <family>
            <inet>
              <output>
                <interface>
                  <name>et-0/0/30.0</name>
                  <next-hop>
                    <name>200.0.10.2</name>
                  </next-hop>
                </interface>
              </output>
            </inet>
          </family>
        </instance>
        <instance>
          <name>udp123</name>
          <family>
            <inet>
              <output>
                <interface>
                  <name>et-0/0/30.0</name>
                  <next-hop>
                    <name>200.0.10.2</name>
                  </next-hop>
                </interface>
              </output>
            </inet>
          </family>
        </instance>
      </port-mirroring>
    </forwarding-options>
    <firewall>
      <family>
        <inet>
          <filter>
            <name>fw_filter</name>
            <term>
              <name>tcp80</name>
              <from>
                <destination-address>
                  <name>1.1.1.1/32</name>
                </destination-address>
                <protocol>tcp</protocol>
                <destination-port>80</destination-port>
              </from>
              <then>
                <port-mirror-instance>tcp80</port-mirror-instance>
                <discard/>
              </then>
            </term>
            <term>
              <name>tcp443</name>
              <from>
                <destination-address>
                  <name>2.2.2.2/32</name>
                </destination-address>
                <protocol>tcp</protocol>
                <destination-port>443</destination-port>
              </from>
              <then>
                <port-mirror-instance>tcp443</port-mirror-instance>
                <discard/>
              </then>
            </term>
            <term>
              <name>udp123</name>
              <from>
                <source-address>
                  <name>3.3.3.3/32</name>
                </source-address>
                <protocol>udp</protocol>
                <source-port>123</source-port>
              </from>
              <then>
                <port-mirror-instance>udp123</port-mirror-instance>
                <discard/>
              </then>
            </term>
            <term>
              <name>default</name>
              <then>
                <accept/>
              </then>
            </term>
          </filter>
        </inet>
      </family>
    </firewall>
  </configuration>
</load-configuration>
<commit/>
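The payload above ties three things together by name: interface units reference a firewall filter, and filter terms reference port-mirroring instances. A typo in any of those names only surfaces at commit time on the device. The script below is an added example, not code from the post or from Juniper: it parses a `<load-configuration>` document of the same shape with the Python standard library and reports dangling filter and port-mirror-instance references before anything is sent, and it also flags the Junos implicit-discard behaviour (a filter whose last term does not accept drops every packet the earlier terms did not match) and terms with no `then` clause, which Junos treats as accept. The embedded document is a constructed, shortened copy of the post's payload in which the udp123 term references an instance that is not defined.

```python
"""Cross-check a Junos <load-configuration> XML payload before it is sent.

Added example, not code from the post. It parses a document shaped like the
one above (a constructed, shortened copy is embedded here) with the standard
library and reports dangling references a commit would reject, plus the
Junos implicit-discard caveat: a filter whose final term does not accept
drops every packet the earlier terms did not match.
"""
import xml.etree.ElementTree as ET

# Constructed: same structure as the post's payload, but the udp123 term
# references a port-mirroring instance that is not defined.
SAMPLE_XML = """<load-configuration format="xml">
<configuration>
  <interfaces><interface><name>et-0/0/0</name>
    <unit><name>0</name><family><inet><filter><input>
      <filter-name>fw_filter</filter-name>
    </input></filter></inet></family></unit></interface></interfaces>
  <forwarding-options><port-mirroring>
    <instance><name>tcp80</name><family><inet><output><interface>
      <name>et-0/0/30.0</name><next-hop><name>200.0.10.2</name></next-hop>
    </interface></output></inet></family></instance>
  </port-mirroring></forwarding-options>
  <firewall><family><inet><filter><name>fw_filter</name>
    <term><name>tcp80</name>
      <from><protocol>tcp</protocol><destination-port>80</destination-port></from>
      <then><port-mirror-instance>tcp80</port-mirror-instance><discard/></then>
    </term>
    <term><name>udp123</name>
      <from><protocol>udp</protocol><source-port>123</source-port></from>
      <then><port-mirror-instance>udp123</port-mirror-instance><discard/></then>
    </term>
    <term><name>default</name><then><accept/></then></term>
  </filter></inet></family></firewall>
</configuration>
</load-configuration>"""


def check_payload(xml_text):
    """Return a list of problems found in the load-configuration payload."""
    root = ET.fromstring(xml_text)
    cfg = root.find("configuration") if root.tag == "load-configuration" else root
    filters = cfg.findall("./firewall/family/inet/filter")
    defined_filters = {f.findtext("name") for f in filters}
    defined_mirrors = {i.findtext("name")
                       for i in cfg.findall("./forwarding-options/port-mirroring/instance")}
    problems = []
    # 1. every filter applied to an interface unit must be defined
    for iface in cfg.findall("./interfaces/interface"):
        for ref in iface.findall(".//filter-name"):
            if ref.text not in defined_filters:
                problems.append(f"{iface.findtext('name')}: filter {ref.text} is not defined")
    for flt in filters:
        fname, terms = flt.findtext("name"), flt.findall("term")
        for term in terms:
            then = term.find("then")
            # 2. a term without a then clause accepts its matches implicitly
            if then is None:
                problems.append(f"{fname}/{term.findtext('name')}: no then clause, matches are accepted implicitly")
                continue
            # 3. every port-mirror-instance must be declared under forwarding-options
            for ref in then.findall("port-mirror-instance"):
                if ref.text not in defined_mirrors:
                    problems.append(f"{fname}/{term.findtext('name')}: port-mirror-instance {ref.text} is not defined")
        # 4. Junos filters end in an implicit discard; warn if the last term does not accept
        if not terms or terms[-1].find("then/accept") is None:
            problems.append(f"{fname}: last term does not accept, unmatched traffic hits the implicit discard")
    return problems
```

`check_payload(SAMPLE_XML)` returns one problem for the dangling udp123 instance; swapping the final `<accept/>` for `<discard/>` adds the implicit-discard warning. The checks are on the XML only, so they say nothing about whether the mirror next-hop is reachable or the device supports port mirroring on those ports; they just stop the obviously broken payload from reaching the router.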