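Main uses: dual-uplink gateways, as a replacement for policy-based routing; MPLS VPN. Equivalent to Cisco VRF: it isolates routing between networks.
Routes can also be leaked in both directions between the global routing table and the virtual routing tables.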
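I. Configuration (zones: DMZ--Inside2)
1) Create the virtual router and place the interfaces in it
edit routing-instances [DMZ-Inside2]
set instance-type virtual-router
set interface ge-0/0/4.0
set interface ge-0/0/3.0
2) Test connectivity to the directly connected networks (DMZ, Inside2)
run ping routing-instance [DMZ-Inside2] 10.1.2.1 //a plain ping without the routing instance looks up the global routing table
run ping routing-instance [DMZ-Inside2] 192.168.1.1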
3) Create the inter-zone policies: Security Policies (permit DMZ--Inside2 traffic)
edit security policies from-zone DMZ to-zone Inside2
edit policy [Permit-ICMP]
set match source-address any
set match destination-address any
set match application junos-ping
set then permit
edit policy [Permit-Telnet]
set match source-address any
set match destination-address any
set match application junos-telnet
set then permit
#show security policies
edit security policies from-zone DMZ to-zone Inside2
#rename policy [Permit-ICMP] to [Permit-ICMP-And-Telnet]
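5) From a PC in the DMZ zone, ping 1.1.1.1 and telnet 1.1.1.1 to check connectivity and whether the traffic goes through the VR (Routing-Instance)
ping 1.1.1.1
4) Show commands
run show route //shows the global routing table and the virtual routing tables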
II. Configuration (Inside1 router has lo: 1.1.1.1; Inside2 router has lo: 1.1.1.1)
Static route to Inside1 in the global configuration
set routing-options static route 1.1.1.1/32 next-hop 10.1.1.1
#show routing-options
Static route to Inside2 in the virtual router
edit routing-instances [DMZ-Inside2] routing-options
set static route 1.1.1.1/32 next-hop 10.1.2.1
#show routing-instances
#run show route //shows the global routing table and the virtual routing tables
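The isolation configured above can be modelled as a per-instance route lookup keyed on the ingress interface. This is an added example, not part of the original notes: the interface ge-0/0/2.0 for the Inside1 side and the /24 masks on the directly connected networks are assumptions.

```python
import ipaddress

# Interface-to-instance binding. ge-0/0/3.0 and ge-0/0/4.0 are from the notes;
# ge-0/0/2.0 is an assumed Inside1-facing interface left in the default instance.
INTERFACE_INSTANCE = {
    "ge-0/0/3.0": "DMZ-Inside2",
    "ge-0/0/4.0": "DMZ-Inside2",
    "ge-0/0/2.0": "master",
}

# One routing table per instance. The 1.1.1.1/32 static routes are the ones
# configured above; the /24 direct networks are assumed masks.
TABLES = {
    "master": {"10.1.1.0/24": "direct", "1.1.1.1/32": "10.1.1.1"},
    "DMZ-Inside2": {
        "10.1.2.0/24": "direct",
        "192.168.1.0/24": "direct",
        "1.1.1.1/32": "10.1.2.1",
    },
}

def table_name(instance):
    """Junos names the default table inet.0 and instance tables <name>.inet.0."""
    return "inet.0" if instance == "master" else f"{instance}.inet.0"

def lookup(ingress_interface, destination):
    """Longest-prefix match in the table of the ingress interface's instance.

    Returns (table, prefix, next_hop); prefix and next_hop are None when the
    instance has no route, even if another instance's table does.
    """
    instance = INTERFACE_INSTANCE[ingress_interface]
    dst = ipaddress.ip_address(destination)
    best = None
    for prefix, next_hop in TABLES[instance].items():
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    if best is None:
        return table_name(instance), None, None
    return table_name(instance), str(best[0]), best[1]

if __name__ == "__main__":
    for ifname, dst in [("ge-0/0/4.0", "1.1.1.1"), ("ge-0/0/2.0", "1.1.1.1"),
                        ("ge-0/0/4.0", "10.1.1.1"), ("ge-0/0/2.0", "192.168.1.1")]:
        print(ifname, dst, "->", lookup(ifname, dst))
```

The last two lookups return no route: without route leaking, a destination known only to the other table is unreachable from that instance.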