最近我们得到了一台 SRX240(Juniper 的防火墙/服务网关),我正在迈出理解 JunOS 的第一步。
我想做一件非常简单的事,情况是这样的:我们组织有一个很大的内网,每个子机构都有自己的子网,并且只使用其中的地址,不需要额外的 NAT 之类的东西;但我们仍然希望能限制来自其他子机构子网的访问,以阻止不必要的活动。
我先把任务尽可能简化(我是通过控制台口配置设备的):阻止所有进入所配置 VLAN 的流量。但不幸的是,结果只是失去了对分配给该 VLAN 的 IP 地址(vlan.0 的地址)的访问,而连接到此 VLAN 的主机并没有被阻止——它们仍然可以从任何地方访问到,这不是我想要的效果。
拓扑也很简单——一个 VLAN 包含 0 到 15 号端口,上行链路可能接在其中任意一个端口上。更多细节见:http://i.imgur.com/AGf1bVB.png
这是配置:
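version 12.1X44-D60.2;
system {
    time-zone Europe/Moscow;
    /* Only the root account exists. Day-to-day access should go through
       named login users with a restricted login class so that actions in
       the logs are attributable to a person. */
    root-authentication {
        encrypted-password "HIDDED_DATA"; ## SECRET-DATA
    }
    services {
        /* SSH is the only remote CLI service kept. telnet and
           xnm-clear-text carry credentials and configuration in clear text
           over the same VLAN the hosts sit on and were removed. */
        ssh;
        web-management {
            /* Plain-HTTP J-Web was removed for the same reason; HTTPS stays,
               still bound to vlan.0 only. The certificate is self-signed,
               so clients cannot tell this box from an impostor unless they
               pin or replace it. */
            https {
                system-generated-certificate;
                interface vlan.0;
            }
        }
    }
    syslog {
        /* 3 x 100 kB of archived logs is very little history for an
           incident review; raise it once disk usage is understood. */
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            /* Login and authorization events at info level, so both failed
               and successful access attempts are recorded. */
            authorization info;
        }
        file interactive-commands {
            /* Record every operational/configuration command, not only
               the ones that errored, so configuration changes are auditable. */
            interactive-commands any;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
    ntp {
        /* NTP protocol version 1 is requested here; check whether
           10.20.30.51 speaks a newer version and raise this if it does.
           Note that a time source on the same network segment as the hosts
           is also reachable by them. */
        server 10.20.30.51 version 1 prefer;
    }
}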
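interfaces {
    /* ge-0/0/0 .. ge-0/0/15 are all untagged access ports in MAIN_VLAN.
       port-mode access is now spelled out on every port; the original had
       it only on ports 0-2, and since access is the default mode this does
       not change behaviour, it only makes the intent explicit. Whichever
       port the uplink lands on is therefore an access port as well: if that
       link carries 802.1Q tags it needs port-mode trunk instead. */
    ge-0/0/0 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members MAIN_VLAN;
                }
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members MAIN_VLAN;
                }
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members MAIN_VLAN;
                }
            }
        }
    }
    ge-0/0/3 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members MAIN_VLAN;
                }
            }
        }
    }
    ge-0/0/4 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members MAIN_VLAN;
                }
            }
        }
    }
    ge-0/0/5 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members MAIN_VLAN;
                }
            }
        }
    }
    ge-0/0/6 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members MAIN_VLAN;
                }
            }
        }
    }
    ge-0/0/7 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members MAIN_VLAN;
                }
            }
        }
    }
    ge-0/0/8 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members MAIN_VLAN;
                }
            }
        }
    }
    ge-0/0/9 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members MAIN_VLAN;
                }
            }
        }
    }
    ge-0/0/10 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members MAIN_VLAN;
                }
            }
        }
    }
    ge-0/0/11 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members MAIN_VLAN;
                }
            }
        }
    }
    ge-0/0/12 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members MAIN_VLAN;
                }
            }
        }
    }
    ge-0/0/13 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members MAIN_VLAN;
                }
            }
        }
    }
    ge-0/0/14 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members MAIN_VLAN;
                }
            }
        }
    }
    ge-0/0/15 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members MAIN_VLAN;
                }
            }
        }
    }
    vlan {
        unit 0 {
            family inet {
                /* TestBlock is attached to the routed VLAN interface (RVI).
                   A family inet filter here only sees packets that are
                   routed through, or addressed to / sent from, 10.20.30.99
                   itself. Frames exchanged between members of MAIN_VLAN --
                   including frames that arrive on the uplink port for a host
                   in this VLAN -- are switched at layer 2 and never traverse
                   this unit, so this filter cannot restrict them. That is
                   consistent with the symptom described above: the RVI
                   address became unreachable while the hosts did not.
                   Restricting host-to-host traffic needs either a layer-2
                   (family ethernet-switching) filter on the ports or on the
                   VLAN, or separate VLANs placed in separate security zones
                   with policies between them; check which of these this
                   release supports before relying on it. The output filter
                   additionally drops the SRX's own replies and management
                   sessions on this interface. */
                filter {
                    input TestBlock;
                    output TestBlock;
                }
                address 10.20.30.99/24;
            }
        }
    }
}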
routing-options {
    static {
        /* Default route used for the SRX's own traffic (NTP, license
           retrieval, management replies). 10.20.30.1 is on the same /24 as
           the hosts, so it is presumably their default gateway as well and
           the SRX only switches their frames rather than routing them --
           confirm against the topology diagram. */
        route 0.0.0.0/0 next-hop 10.20.30.1;
    }
}
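security {
    /* No security policies are defined, so the default policy applies to
       anything that would cross a zone boundary. With vlan.0 as the only
       zone interface and the hosts' frames switched inside MAIN_VLAN,
       nothing currently crosses a zone, so policies have no traffic to
       act on; they become relevant once the uplink or host groups are
       placed in their own VLAN and zone. */
    policies;
    zones {
        security-zone trust {
            host-inbound-traffic {
                /* Traffic addressed to the SRX itself on vlan.0: only the
                   services actually used, instead of "all". ssh and https
                   correspond to the configured system services; ping is
                   kept for reachability checks; ntp is kept so the exchange
                   with 10.20.30.51 is not blocked (confirm whether this
                   release needs it for client-side NTP). No routing
                   protocol is configured (static route only), so no
                   protocols are opened. */
                system-services {
                    ssh;
                    https;
                    ping;
                    ntp;
                }
            }
            interfaces {
                vlan.0;
            }
        }
    }
}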
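firewall {
    family inet {
        /* Diagnostic "drop everything" filter. A counter is added so that
           "show firewall filter TestBlock" shows whether any packet hits
           the filter at all; the discard action itself is unchanged. The
           filter is applied both input and output on vlan.0, so the SRX's
           own replies and management sessions on that interface are
           discarded as well -- which is why the vlan.0 address became
           unreachable. A zero counter while hosts remain reachable would
           confirm that host-to-host traffic never passes through the RVI. */
        filter TestBlock {
            term blockall {
                then {
                    count TestBlock-discard;
                    discard;
                }
            }
        }
    }
}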
vlans {
    MAIN_VLAN {
        vlan-id 10;
        /* Membership is declared twice: here and via "vlan members
           MAIN_VLAN" under each interface. Both forms are valid; keep them
           in step when ports are added or removed. ge-0/0/0.0 is listed
           last, out of numeric order, which has no effect. */
        interface {
            ge-0/0/1.0;
            ge-0/0/2.0;
            ge-0/0/3.0;
            ge-0/0/4.0;
            ge-0/0/5.0;
            ge-0/0/6.0;
            ge-0/0/7.0;
            ge-0/0/8.0;
            ge-0/0/9.0;
            ge-0/0/10.0;
            ge-0/0/11.0;
            ge-0/0/12.0;
            ge-0/0/13.0;
            ge-0/0/14.0;
            ge-0/0/15.0;
            ge-0/0/0.0;
        }
        /* vlan.0 is the routed interface of this VLAN (10.20.30.99/24).
           Only traffic to, from or routed via that address passes through
           it; switched traffic between VLAN members does not. */
        l3-interface vlan.0;
    }
}
我漏掉了什么?还是说我实现这个目标的方法根本就错了?
