The JUNIPER-SSG series: PBR (Policy-Based Routing) configuration, final installment

Source: Internet
Author: User



Okay, everybody.

This weekend seems to have flown by, because too many customer after-sales problems needed active cooperation and handling. In short, the time engineers once had to do technology properly is gone, and far too often we have to take on too

This share also focuses on the configuration approach, alongside the Hillstone firewall configuration approach, so that everyone can reason by analogy. Spend a few minutes studying it; more discussion is very welcome. The configuration example shared today is one of this thirty-year-old network engineer's favourites: a policy-based routing configuration on the JUNIPER-SSG series. The scenario is common in enterprise networking, so please feel free to criticise. Thank you very much.






Demo Environment



Firmware version: 6.2.0r6.0 (FIREWALL+VPN)



Device Model: SSG-320






Demo topology:

[Screenshot: Qq20161113203817.png (http://s1.51cto.com/wyfs02/M02/8A/1F/wKioL1goXxqgBbUkAACJibNxhc0209.png)]






Lab requirements:

    1. The SSG has dual-ISP access; the IPsec VPN to each Shanghai site is established over the CTC line.

    2. The SSG acts as the gateway and uses policy-based routing to steer specific traffic (the host 172.16.114.102) out the CTC egress, while the default route points at the BGP egress.





Lab network plan (this is a test environment, so some of the addressing may raise questions):

    1. BGP test "public" network: 172.16.102.0/24 (stands in for something like 114.1.1.100/24)

    2. CTC test "public" network: 172.16.103.0/24 (likewise)

    3. Intranet: 172.16.114.0/24 (stands in for something like 192.168.1.0/24)





The current traceroute from PC-A to the public network is shown below:

[Screenshot: Qq20161113211209.png (http://s2.51cto.com/wyfs02/M01/8A/23/wKiom1goZtSjF-cJAAB4zor-_Ys014.png)]






Applicable scenarios:

    1. As described in this chapter, sites with multiple network access providers.

    2. Deployed on the intranet with multiple upstream devices (firewalls, WAF, load balancers, etc.), where specific traffic must be steered on the gateway device.

    3. Secondary (third-party) carriers: here PBR ensures that traffic which entered over Telecom, Unicom, etc. leaves by the same link (in via X, out via X).

    4. Side-mounted (out-of-path) DDoS detection equipment, traffic redirection, etc. (this one is a bit more advanced; a detailed discussion another time).





Enough explanation; let's serve the dishes.

The initial setup of the SSG web UI is fairly basic and is not repeated here; if needed, leave a comment and the author will fill it in later.



Step 1. Go to Network > Routing > PBR > Extended ACL List and click New:

[Screenshot: Qq20161113204921.png (http://s2.51cto.com/wyfs02/M02/8A/23/wKiom1goYWPi75eaAABK5MJy6iE755.png)]



Extended ACL ID: the ACL number

Sequence No.: the entry number

Source Address: 172.16.114.0/24

Destination Address: 0.0.0.0/0

Protocol: any

Port range: 1-65535

IP-TOS (1-255): omitted here, to be introduced later






Click OK; the result is shown below:

[Screenshot: Qq20161113205104.png (http://s4.51cto.com/wyfs02/M00/8A/1F/wKioL1goYcGjkB_tAAAsDKXJAOs108.png)]



Comments:

This step corresponds to defining the ACL in a switch PBR configuration. The SSG configuration above defines the traffic of the .102 host; the equivalent switch ACL would look like this:

acl 3001
 rule permit ip source 103.1.1.1 0.0.0.0 destination any
 rule permit ip source 114.1.1.0 0.0.0.255 destination any









Step 2. Go to Network > Routing > PBR > Match Group and click New:

[Screenshot: Qq20161113205357.png (http://s4.51cto.com/wyfs02/M00/8A/23/wKiom1goYm3hbeBxAAApJgqM9z0795.png)]

The role of the match group is to reference (associate) the ACL.



Click OK; the result is shown below (the annoying watermark covers the OK button; there are no other options here, so just confirm):

[Screenshot: Qq20161113205518.png (http://s4.51cto.com/wyfs02/M00/8A/1F/wKioL1goYsHR3ptqAAAxbQep-CY543.png)]



Comments:

Equivalent switch PBR configuration for reference:

traffic classifier PBR operator and
 if-match acl 3001

Equivalent Hillstone PBR configuration for reference:

pbr-policy "115.102" vrouter "trust-vr"
 match id 1
  src-ip 172.16.115.102/32
  dst-ip 0.0.0.0/0
  service "any"
  nexthop 172.16.105.1
  schedule "any"






Step 3. Configure the action group (similar to many other devices: the traffic behavior on a switch, Cisco's set ip next-hop, the nexthop inside a Hillstone match id).

Go to Network > Routing > PBR > Action Group and click New:

[Screenshot: Qq20161113205902.png (http://s4.51cto.com/wyfs02/M02/8A/23/wKiom1goY93As1tRAABHEQfJaM8847.png)]

Comments:

Here you specify the next-hop interface and/or next-hop address. The Hillstone and H3C configuration windows are not shown; anyone who has done PBR will recognise what this is.

Click OK; the result is shown below:

[Screenshot: Qq20161113210116.png (http://s5.51cto.com/wyfs02/M01/8A/23/wKiom1goZCTyNhmrAAArwyzYLjc611.png)]






Step 4. Configure the policy (similar to the traffic policy on a switch, which associates the classifier with the behavior).

1. Go to Network > Routing > PBR > Policy and click New:

[Screenshot: Qq20161113210321.png (http://s4.51cto.com/wyfs02/M02/8A/23/wKiom1goZKHzZC7DAAAvVwu2asg451.png)]

Bind the newly created match group and action group for reaching Telecom's 1.0.0.0/8.

Comments:

Equivalent switch configuration for reference:

traffic policy PBR
 classifier PBR behavior PBR

Click OK; the result is shown below:

[Screenshot: Qq20161113210502.png (http://s5.51cto.com/wyfs02/M00/8A/23/wKiom1goZQiR_w3MAAAtE1-kLRE332.png)]









Step 5. Go to Network > Routing > PBR > Policy Binding and click New:

[Screenshot: Qq20161113210554.png (http://s1.51cto.com/wyfs02/M00/8A/20/wKioL1goZT2SoJfRAABi8G6QaU0154.png)]

The configured policy (pbr_trust) is bound to the physical trust interface. Note that the device does not distinguish an in or out direction; it only asks whether the policy is bound or not. As for how in and out are distinguished, a packet capture shows that it acts on the ingress direction, the same mechanism as a conventional layer-3 switch.

Note also that the SSG firewall can bind a PBR policy globally to the TRUST-VR virtual router, to a zone, or to a physical interface. There are three binding scopes, so pay attention to this detail.

Click the N/A link at the arrow in the diagram; the result is shown below:

[Screenshot: Qq20161113210941.png (http://s2.51cto.com/wyfs02/M02/8A/20/wKioL1goZh3ArDwkAAAWEuXChmQ495.png)]






Comments:

Equivalent switch PBR configuration for reference:

interface GigabitEthernet0/0/5
 description E4s5700-g0/0/5-app3-eth1
 port link-type trunk
 port trunk allow-pass vlan all
 traffic-policy PBR inbound
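The five steps above are web-UI clicks; the same configuration is easier to review, diff and back up from the ScreenOS CLI. The block below is an added example written for this page, not the author's own configuration, and it assumes: the trust interface is ethernet0/0, the CTC egress interface is ethernet0/2 with next hop 172.16.103.1 (the page names the CTC test network 172.16.103.0/24 but not its gateway), ACL id 1, and the object names pbr_trust, pbr_match and pbr_action. It scopes the ACL to the single host 172.16.114.102 from the lab requirement rather than the whole 172.16.114.0/24 shown in the screenshot, and it adds the verification commands a practitioner would run afterwards. Lines beginning with # are annotations, not CLI input.

```screenos
# Step 1: extended ACL. Source is the single host from the lab requirement;
# the screenshot used 172.16.114.0/24, which would steer the whole subnet.
set access-list extended 1 src-ip 172.16.114.102/32 dst-ip 0.0.0.0/0 entry 1

# Step 2: match group that references the ACL (ACL id and names are assumptions)
set match-group name pbr_match
set match-group pbr_match ext-acl 1 match-entry 1

# Step 3: action group = the next hop. Interface name and gateway are assumptions.
set action-group name pbr_action
set action-group pbr_action next-interface ethernet0/2 next-hop 172.16.103.1 action-entry 1

# Step 4: policy that ties the match group to the action group (sequence 1)
set pbr policy name pbr_trust
set pbr policy pbr_trust match-group pbr_match action-group pbr_action 1

# Step 5: bind to the ingress (trust) interface. PBR is evaluated on ingress,
# so binding the CTC egress interface would do nothing for this traffic.
set interface ethernet0/0 pbr pbr_trust
# The page also mentions zone and virtual-router scopes, e.g.
#   set zone trust pbr pbr_trust
# Confirm the exact form against the ScreenOS 6.2 CLI reference before relying on it.

# Verification: every object should show up, and the policy on the interface
get access-list extended 1
get match-group pbr_match
get action-group pbr_action
get pbr policy pbr_trust
get interface ethernet0/0

# Watch the forwarding decision for one flow from the host: set a flow filter,
# enable basic flow debugging, generate traffic from 172.16.114.102, then read the buffer.
set ff src-ip 172.16.114.102
clear db
debug flow basic
# ... generate traffic from the host here ...
undebug all
get db stream
```

Two points the page does not spell out. First, dst-ip 0.0.0.0/0 is matched before the normal route lookup, so it also catches the host's traffic to the other 172.16.x.0/24 intranet subnets and to the IPsec peer; narrow dst-ip to the public ranges that should leave via CTC unless that is intended. Second, PBR only changes the next hop, not the security policy or NAT: the trust-to-untrust policy and the source NAT on the CTC interface must already permit and translate this traffic, otherwise the steered packets are dropped or leave with a non-routable source address. The debug flow output is the quickest way to see which of these is happening.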






With this configuration complete, the final test can be done.

Here is the traceroute before the configuration:

[Screenshot: Qq20161113211209.png (http://s5.51cto.com/wyfs02/M00/8A/20/wKioL1goZrKD47sHAAB4zor-_Ys729.png)]

And here is the traceroute after the configuration:

[Screenshot: Qq20161113211039.png (http://s5.51cto.com/wyfs02/M00/8A/23/wKiom1goZoHCamEgAABr1eEtnQ4165.png)]

You may think my test environment is a bit bizarre, with so many hops in front. I deliberately built it that way as a test environment for the other members of the team. Too often we neglect the line of thinking and focus only on how to configure. That is a taboo in network work, so please take note: troubleshooting and repeated debugging are crucial in this job.






—————————————— shared by a network engineer at a second-tier carrier in Shanghai









This article from "Allen on the road-from zero to one" blog, reprint please contact the author!


