View the local route table of the firewall:
    get route
By default, all zones belong to the Trust-VR virtual router.
View the virtual routers (vrouters) of the firewall:
    get vrouter
Because the firewall connects multiple zones, and those zones sit on different network segments that need to communicate with each other, the firewall must route between them.
Routing protocols supported by the Juniper firewall:
1. Static routing
  1. Ordinary static route
    set route (vrouter trust-vr) 10.1.3.0/24 interface eth3 gateway 1.1.1.3
    get route protocol static
  2. Default static route
    set route 0.0.0.0/0 interface eth3 gateway 1.1.1.3
2. Dynamic routing
  OSPF
  RIP
  BGP
Defining address objects and address groups on the Juniper firewall:
A. Define an address object
    set address untrust 10.1.2.2 10.1.2.2 255.255.255.255
B. Define an address group
    set group address untrust cjclub01 add 10.1.2.2
    set group address untrust cjclub01 add 10.1.3.2
C. Apply a policy from the Internet to the intranet segment (the arguments after the zones are source, destination, service, action):
    set policy from untrust to home cjclub01 any any permit
    set policy from untrust to home any any any permit
The second policy allows any source and any service from the Internet (untrust) to reach the Home zone.
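Policies of this shape are worth auditing. The following Python is an added example, not from the original post: it parses the set group address and set policy commands in the form used above (source, destination, service, action), expands the address group, and flags permit policies from untrust that reach any destination on any service. The config it scans is constructed sample text.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample config, mirroring the commands shown above.
SAMPLE_CONFIG = """
set address untrust 10.1.2.2 10.1.2.2 255.255.255.255
set address untrust 10.1.3.2 10.1.3.2 255.255.255.255
set group address untrust cjclub01 add 10.1.2.2
set group address untrust cjclub01 add 10.1.3.2
set policy from untrust to home cjclub01 any any permit
set policy from untrust to home any any any permit
"""
# set policy from <src-zone> to <dst-zone> <src> <dst> <service> <action>
POLICY_RE = re.compile(
    r"^set policy from (\S+) to (\S+) (\S+) (\S+) (\S+) (permit|deny)$")
# set group address <zone> <group-name> add <address-name>
GROUP_RE = re.compile(r"^set group address (\S+) (\S+) add (\S+)$")


def parse_groups(config: str) -> Dict[Tuple[str, str], Set[str]]:
    """Map (zone, group name) to the address names the group contains."""
    groups: Dict[Tuple[str, str], Set[str]] = {}
    for line in config.splitlines():
        m = GROUP_RE.match(line.strip())
        if m:
            zone, name, member = m.groups()
            groups.setdefault((zone, name), set()).add(member)
    return groups


def audit_policies(config: str, untrusted_zone: str = "untrust") -> List[str]:
    """Flag permit policies from the untrusted zone to any destination on any
    service; groups are expanded so a finding names the admitted hosts."""
    groups = parse_groups(config)
    findings: List[str] = []
    for line in config.splitlines():
        m = POLICY_RE.match(line.strip())
        if not m:
            continue
        src_zone, dst_zone, src, dst, svc, action = m.groups()
        if action != "permit" or src_zone != untrusted_zone:
            continue
        if dst != "any" or svc != "any":
            continue  # scoped destination or service: not flagged here
        if src == "any":
            findings.append(f"OPEN {src_zone}->{dst_zone}: any host, any service")
        else:
            hosts = ", ".join(sorted(groups.get((src_zone, src), {src})))
            findings.append(f"WIDE {src_zone}->{dst_zone}: {src} ({hosts}), any service")
    return findings
```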
Configure the Layer 3 function of the Juniper firewall:
A. Create a zone (if the default zones are not used):
    set zone name cjclub
B. Create an interface, assign it to a zone, and configure its IP address:
    set interface loopback.1 zone cjclub
    set interface loopback.1 ip 8.8.8.8/32
C. Configure a static route on the firewall:
    set route 10.1.2.0/24 interface eth3 gateway 1.1.1.2
Layer 3 verification commands:
A. Check whether a route to the target host exists:
    get route ip 10.1.2.1
B. View the route entries for the destination prefix:
    get route prefix 10.1.2.0/24
C. View static route entries:
    get route protocol static
D. Trace the route:
    trace-route 10.1.3.2
Debug information of the Juniper firewall:
1. Debug output lets you monitor the packets traversing the firewall in real time.
By default, the Juniper firewall stores debug output in the debug buffer (dbuf).
2. Configuring debug output
A. Enable debug output:
    debug flow basic
B. View the debug buffer:
    get db stream
C. View the debug buffer status:
    get db info
D. Set the debug buffer size:
    set db size 4096
E. Clear the debug buffer:
    clear dbuf
Output debug information directly through the console port instead of the buffer:
    unset console dbuf
3. Configure the Juniper firewall flow filter
A flow filter can be based on:
A. IP address
B. TCP/UDP port number
C. IP protocol
Disable all debug output:
    undebug all
4. View the detailed path of a packet through the firewall using debug output
A. Set a flow filter:
    set ff src-ip 10.1.1.2
B. View the flow filter:
    get ff
    Flow filter based on:
    Id: 0 src ip 10.1.1.2
C. Enable debug output:
    debug flow basic
D. Clear the debug buffer:
    clear db
E. Disable all debug output:
    undebug all
Detailed processing steps seen in the debug output:
1. Screen filter check
    Packet passed sanity check
2. Check whether a session exists
    Flow got session
3. Route lookup
    Search route
4. Policy lookup
5. Lookup of normal NAT
6. Create a session
7. Forward the packet
8. Use ARP to resolve the MAC address of the next-hop IP address
Note: some traffic on the ISG-2000 and NS-5000 high-end firewalls cannot be captured with debug,
because debug capture is done entirely by the CPU, while the high-end devices forward in ASIC chips.
Loopback interface (loopback interface address):
A. A virtual interface that is always UP and needs no physical connection.
B. Roles:
1. Management
2. VPN
3. Dynamic routing protocols (router ID)
C. Configure a loopback interface
1. Configure an IP address on the interface:
    set interface loopback.3 ip 10.10.10.10/32
2. Enable the management function on the loopback interface:
    set interface lo.3 manage
This article is from the "prickly chestnut" blog; please keep this source: http://8019770.blog.51cto.com/8009770/1305309