网络工程 - 瞻博网络 SRX240 和 EX2200 网络 - 吾爱随笔录

瞻博网络 SRX240 和 EX2200 网络

网络工程瞻博网络杜松-srx 杜松

2021-07-05 18:28:20

我不是网络工程师，所以这一定是一个菜鸟问题。

网络设置

我的任务很简单，我需要所有客户端都可以访问互联网。两个 EX2200 之前都配置为第 2 层交换机，所以我认为它们的配置没问题。

在 SRX240 上，我能够设置互联网访问。如果我将笔记本电脑连接到它，互联网就可以正常工作。但是无法连接到 EX2200。我尝试了来自互联网的不同指南，但似乎没有任何效果。

我应该如何配置 SRX240，以便所有 EX2200 客户端都可以访问互联网。理想情况下，我希望所有客户端都能从 SRX240 DHCP 获取 ip 并位于同一子网中。

当前配置。

SRX240

version 11.2R4.3;
system {
    name-server {
        208.67.222.222;
        208.67.220.220;
    }
    services {
        ssh;
        telnet;
        xnm-clear-text;
        web-management {
            http {
                interface vlan.0;
            }
            https {
                system-generated-certificate;
                interface vlan.0;
            }
        }
        dhcp {
            router {
                192.168.1.1;
            }
            pool 192.168.1.0/24 {
                address-range low 192.168.1.2 high 192.168.1.254;
            }
            propagate-settings ge-0/0/0.0;
        }
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                dhcp;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/3 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/4 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/5 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/6 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/7 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/8 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/9 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/10 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/11 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/12 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/13 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/14 {
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/15 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    vlan {
        unit 0 {
            family inet {
                address 192.168.1.1/24;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 10.129.152.129;
    }
}
protocols {
    stp;
}
security {
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    nat {
        source {
            rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                rule source-nat-rule {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy trust-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                vlan.0;
            }
        }
        security-zone untrust {
            screen untrust-screen;
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                            tftp;
                        }
                    }
                }
            }
        }
    }
}
vlans {
    vlan-trust {
        vlan-id 3;
        l3-interface vlan.0;
    }
}

EX2200 - 24

version 11.4R7.5;
system {
    ports {
        console {
            log-out-on-disconnect;
            type vt100;
        }
    }
    login {
        user admin {
            uid 2000;
            class super-user;
        }
    }
    services {
        ssh {
            root-login allow;
        }
        telnet;
    }
    syslog {
        user * {
            any emergency;
        }
        file messages {
            any notice;
            authorization info;
        }
        file interactive-commands {
            interactive-commands any;
        }
    }
}
chassis {
    alarm {
        management-ethernet {
            link-down ignore;
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members public-eth;
                }
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members public-eth;
                }
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members public-eth;
                }
            }
        }
    }
    ge-0/0/3 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members public-eth;
                }
            }
        }
    }
    ge-0/0/4 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members public-eth;
                }
            }
        }
    }
    ge-0/0/5 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members public-eth;
                }
            }
        }
    }
    ge-0/0/6 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members public-eth;
                }
            }
        }
    }
    ge-0/0/7 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members public-eth;
                }
            }
        }
    }
    ge-0/0/8 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members public-eth;
                }
            }
        }
    }
    ge-0/0/9 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members public-eth;
                }
            }
        }
    }
    ge-0/0/10 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members public-eth;
                }
            }
        }
    }
    ge-0/0/11 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members public-eth;
                }
            }
        }
    }
    ge-0/0/12 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members public-eth;
                }
            }
        }
    }
    ge-0/0/13 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members public-eth;
                }
            }
        }
    }
    ge-0/0/14 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members public-eth;
                }
            }
        }
    }
    ge-0/0/15 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members public-eth;
                }
            }
        }
    }
    ge-0/0/16 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members public-eth;
                }
            }
        }
    }
    ge-0/0/17 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members public-eth;
                }
            }
        }
    }
    ge-0/0/18 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members public-eth;
                }
            }
        }
    }
    ge-0/0/19 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members public-eth;
                }
            }
        }
    }
    ge-0/0/20 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members public-eth;
                }
            }
        }
    }
    ge-0/0/21 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members public-eth;
                }
            }
        }
    }
    ge-0/0/22 {
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members all;
                }
            }
        }
    }
    ge-0/0/23 {
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members all;
                }
            }
        }
    }
    ge-0/1/0 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/1/1 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/1/2 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/1/3 {
        unit 0 {
            family ethernet-switching;
        }
    }
    vlan {
        unit 10 {
            family inet {
                address 192.168.1.2/24;
            }
        }
        unit 100 {
            family inet {
                address 10.129.152.135/25;
            }
        }
    }
}
snmp {
    community school-ro {
        authorization read-only;
        clients {
            10.143.255.0/24;
        }
    }
    trap-group ESMA {
        targets {
            10.143.255.2;
            10.143.255.6;
            10.143.255.10;
            10.143.255.14;
            10.143.255.42;
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 10.129.152.129;
    }
}
protocols {
    igmp-snooping {
        vlan all;
    }
    rstp;
    lldp {
        interface all;
    }
    lldp-med {
        interface all;
    }
}
ethernet-switching-options {
    storm-control {
        interface all;
    }
}
vlans {
    management {
        vlan-id 10;
        l3-interface vlan.10;
    }
    private-eth {
        vlan-id 20;
    }
    public-eth {
        vlan-id 30;
    }
    wan {
        vlan-id 100;
        l3-interface vlan.100;
    }
}

1个回答

为了回答这个问题，我将逐一介绍您的配置。

您的 SRX240 配置基本上是正确的，应该可以工作，但有一个小问题，即您的 WAN/Internet 接口 (ge-0/0/0) 似乎正在使用 DHCP：

SRX：

interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                dhcp;
            }
        }
    }
[...]

当您定义了默认网关时：

SRX：

routing-options {
    static {
        route 0.0.0.0/0 next-hop 10.129.152.129;
    }
}

很可能，您的默认网关由 DHCP 提供，因此您可能不需要/不想静态定义它。如果 10.129.152.129 不在您的 dhcp 地址/网络掩码中，则 JunOS 可能会忽略它，而且由于您还说过直接插入 SRX 时您能够成功获得 Internet 连接，这可能不会导致问题。要摆脱这种清洁，请在 SRX240 上发出以下命令：

SRX：

configure
delete routing-options static
commit

在开关上。您没有告诉我们 SRX240 上的哪个端口连接到 EX2200 上的哪个端口，所以这很难回答，但是根据提供的配置，我可以推断出您的 WAN/Internet 链接是 ge-0/0/0在 SRX240 上，并且至少有一个交换机插入 SRX 上的其他接口之一（ge-0/0/1 到 15。）

使用您提供的配置（仅适用于 EX2200-24，不适用于 EX2200-48），只要端口 ge-0/0/0 到 21 连接到 SRX，您的拓扑就应该可以工作。但是，如果 SRX 插入 EX 上的端口 22 或 23，则会出现问题，因为这些端口处于中继模式，并且 SRX 未配置为或不期望带有 VLAN 标记的以太网帧。

前任：

interfaces {
[...]
    ge-0/0/22 {
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members all;
                }
            }
        }
    }
    ge-0/0/23 {
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members all;
                }
            }
        }
    }
[...]

此外，如果您真正想要的只是一个扁平的 L2 拓扑，那么您还有一些没有的人留下的配置：

前任：

ge-0/0/XX {
    unit 0 {
        family ethernet-switching {
            vlan {
                members public-eth;
            }
        }
    }
}

和

前任：

vlans {
    management {
        vlan-id 10;
        l3-interface vlan.10;
    }
    private-eth {
        vlan-id 20;
    }
    public-eth {
        vlan-id 30;
    }
    wan {
        vlan-id 100;
        l3-interface vlan.100;
    }
}

和

前任：

interfaces {
[...]
    vlan {
        unit 10 {
            family inet {
                address 192.168.1.2/24;
            }
        }
        unit 100 {
            family inet {
                address 10.129.152.135/25;
            }
        }
    }

您可以看到多个 IP 地址、VLAN 等已配置。为了回到最基本的 L2 功能，我们应该删除一些旧的不必要的配置（只要您确定这是您的网络，并且您不是违背网络管理员意愿的流氓。）

前任：

configure
delete interfaces ge-0/0/0
delete interfaces ge-0/0/1
delete interfaces ge-0/0/2
delete interfaces ge-0/0/3
delete interfaces ge-0/0/4
delete interfaces ge-0/0/5
delete interfaces ge-0/0/6
delete interfaces ge-0/0/7
delete interfaces ge-0/0/8
delete interfaces ge-0/0/9
delete interfaces ge-0/0/10
delete interfaces ge-0/0/11
delete interfaces ge-0/0/12
delete interfaces ge-0/0/13
delete interfaces ge-0/0/14
delete interfaces ge-0/0/15
delete interfaces ge-0/0/16
delete interfaces ge-0/0/17
delete interfaces ge-0/0/18
delete interfaces ge-0/0/19
delete interfaces ge-0/0/20
delete interfaces ge-0/0/21
delete interfaces ge-0/0/22
delete interfaces ge-0/0/23
set interfaces ge-0/0/0.0 family ethernet-switching
set interfaces ge-0/0/1.0 family ethernet-switching
set interfaces ge-0/0/2.0 family ethernet-switching
set interfaces ge-0/0/3.0 family ethernet-switching
set interfaces ge-0/0/4.0 family ethernet-switching
set interfaces ge-0/0/5.0 family ethernet-switching
set interfaces ge-0/0/6.0 family ethernet-switching
set interfaces ge-0/0/7.0 family ethernet-switching
set interfaces ge-0/0/8.0 family ethernet-switching
set interfaces ge-0/0/9.0 family ethernet-switching
set interfaces ge-0/0/10.0 family ethernet-switching
set interfaces ge-0/0/11.0 family ethernet-switching
set interfaces ge-0/0/12.0 family ethernet-switching
set interfaces ge-0/0/13.0 family ethernet-switching
set interfaces ge-0/0/14.0 family ethernet-switching
set interfaces ge-0/0/15.0 family ethernet-switching
set interfaces ge-0/0/16.0 family ethernet-switching
set interfaces ge-0/0/17.0 family ethernet-switching
set interfaces ge-0/0/18.0 family ethernet-switching
set interfaces ge-0/0/19.0 family ethernet-switching
set interfaces ge-0/0/20.0 family ethernet-switching
set interfaces ge-0/0/21.0 family ethernet-switching
set interfaces ge-0/0/22.0 family ethernet-switching
set interfaces ge-0/0/23.0 family ethernet-switching
delete interfaces vlan.100
delete vlans
delete snmp
rename interfaces vlan.10 to unit 0
set vlans default l3-interface vlan.0
set vlans default vlan-id 1
delete routing-options
set routing-options static route 0.0.0.0/0 next-hop 192.168.1.1

commit

上述命令执行以下操作：

清除交换机上每个接口的当前配置
为每个相同的接口创建新的空白/默认配置
摆脱 vlan 100 上可能未使用的 IP 地址
删除 SNMP 配置（与您声明的目标无关）
将所有内容合并到默认 VLAN（如果未指定另一个 VLAN，所有接口都会自动成为“默认”的成员。）
将管理 VLAN 更改为默认 VLAN，因为它通常在全新出厂的 JunOS 安装中
将默认网关设置为防火墙，这在此拓扑中不是绝对必要的，因为在这种情况下 EX 只是充当第 2 层交换机，但至少您可以从交换机 ping 互联网上的主机，如果一切正常。

您可能想要对没有为其提供配置的 EX2200-48 执行类似的操作，但希望您可以查看上述命令并执行类似的过程。如果您按照我所描述的方式展平拓扑结构，您的所有客户端都将从 SRX240 获取其 IP 地址并访问 Internet。

其它你可能感兴趣的问题

上一篇TRUNK 和 ACCESS VLAN 端口上未标记流量的行为下一篇Cisco路由器telnet故障排除-连接超时；没有反应的主机