
Juniper: Два провайдера 2 белых IP

Здравствуйте!

 

У меня есть Juniper SRX 100h2 с JunOS 12.1X44, в него приходит 2 провайдера, каждый из которых дает мне по белому IP.

 

> show configuration interfaces fe-0/0/6

/* ISP1 uplink. The /24 address is the first of the two public ("white") IPs the thread is about.
   NOTE(review): no routing-instance is bound to this interface, so it stays in inet.0; the ISP1
   instance defined further down is instance-type forwarding (routes only, no interfaces). */
description fe-0/0/6:ISP1;
unit 0 {
   family inet {
       address 94.156.223.21/24;
   }
}

 

> show configuration interfaces fe-0/0/7    
unit 0 {
   /* ISP2 uplink; per the post this is the default provider (it owns the metric-1 default route in routing-options). */
   description fe-0/0/7:ISP2;
   family inet {
       address 117.57.38.48/24;
   }
}

 

ISP2 является провайдером по умолчанию.

 

Хочется, чтобы каждый из белых IP работал и оба были доступны извне одновременно. Для этих целей попытался сделать Policy Based Routing. Найти в интернете именно то, чтобы 2 IP работали одновременно, у меня не вышло. Нашел только, как настроить PBR для перенаправления определенных портов в разных провайдеров из внутренней сети (эту статью). Если сделать так, как там описано, то все работает. Но если фильтр подцепить не на internal_LAN интерфейс, а на интерфейс ISP, то перенаправления в другой route-instance не происходит по каким-то причинам.

 

Знающие люди, подскажите, пожалуйста, как мне заставить оба IP работать одновременно и что я делаю не так.

 

# show firewall filter isp1-table 
/* Filter-based forwarding: packets addressed to ISP1's own interface IP are looked up in ISP1.inet.0
   instead of inet.0. It is applied as an input filter on fe-0/0/6 (see the interface stanza below). */
term default-route {
   from {
       destination-address 94.156.223.21;
   }
   then {
       /* routing-instance is a terminating action: the packet is accepted and forwarded via ISP1.inet.0.
          NOTE(review): this only changes the lookup for the inbound packet, which is host-bound either way
          because it is addressed to the SRX itself. What is not steered is the reply: whatever the SRX (or a
          host behind it) sends back is looked up in inet.0, where ISP2's metric-1 default wins — presumably
          why the second IP does not answer. Confirm with `show security flow session`. */
       routing-instance ISP1;
   }
}
/* NOTE(review): a JunOS filter ends with an implicit discard. Without a final term such as
   `term allow-rest { then accept; }`, anything else entering fe-0/0/6 (subnet broadcast, traffic to an
   address other than .21) is silently dropped. Add the term if that is not intended. */

# show interfaces fe-0/0/6
description fe-0/0/6:ISP1;
unit 0 {
   family inet {
       filter {
          /* isp1-table (defined above) is evaluated on every inet packet entering from ISP1.
             NOTE(review): it has a single term matching destination 94.156.223.21; because JunOS filters
             end in an implicit discard, any other packet arriving on this interface is dropped. */
          input isp1-table;
       }
       address 94.156.223.21/24;
   }
}
# show interfaces fe-0/0/6;
/* NOTE(review): the command line above says fe-0/0/6, but the unit shown is fe-0/0/7 (ISP2) — a copy/paste
   slip in the post. The ISP2 interface carries no input filter. */
unit 0 {
   description fe-0/0/7:ISP2;
   family inet {
       address 117.57.38.48/24;
   }
}

# show routing-options
interface-routes {
   /* Copies the direct (interface) routes of inet.0 into ISP1.inet.0 as well, so the ISP1 instance
      knows both uplink subnets (rib-group defined at the bottom). */
   rib-group inet all-ribs;
}
static {
   route 0.0.0.0/0 {
       /* ISP2 (117.57.38.254) is the active default: metric 1 beats metric 5. */
       qualified-next-hop 117.57.38.254 {
           metric 1;
       }
       /* ISP1 is only a fallback next hop (presumably used once the metric-1 next hop goes away).
          NOTE(review): as a result everything the SRX itself originates — including replies to sessions
          that arrived via ISP1 — normally leaves via ISP2; this asymmetric return path is the part the
          isp1-table filter does not solve. */
       qualified-next-hop 94.156.223.1 {
           metric 5;
           interface fe-0/0/6.0;
       }
   }
}
rib-groups {
   all-ribs {
       import-rib [ inet.0 ISP1.inet.0 ];
   }
}

# show routing-instances 
ISP1 {
   /* Route-table-only instance that the isp1-table filter points to; a forwarding instance cannot hold
      interfaces. NOTE(review): for two uplinks that must both accept inbound sessions, the usual SRX design
      is one instance-type virtual-router per ISP with the uplink interface inside it, so the reverse-route
      lookup of a session happens in the instance the session entered. Worth checking against Juniper's
      dual-ISP examples before rebuilding. */
   instance-type forwarding;
   routing-options {
       static {
           route 0.0.0.0/0 next-hop 94.156.223.1;
       }
   }
}

Edited by Tokish


Ничего не понял. У вас два IP на интерфейсах провайдеров, и вам надо сделать, чтобы SRX был доступен снаружи для менеджмента? Или чтобы то, что за ним стоит, было доступно? И зачем этот фильтр вешать на интерфейс исп?


Вот мой конфиг. SRX210 доступен извне по айпи 192.168.0.156, 10.175.100.108.

 

## Last changed: 2014-02-06 17:32:41 MSK
/* Poster's sanitized running config; the ***/***** fields are redactions by the author. */
version 12.1R4.7;
system {
   host-name junos.gw.g-1.***;
   domain-name *****;
   time-zone Europe/Moscow;
   root-authentication {
       encrypted-password "*****";
   }
   name-server {
       192.168.252.2;
       85.21.192.3;
   }
   login {
       /* Single local super-user account; no remote authentication (radius/tacplus) in this paste. */
       user *** {
           full-name ***;
           uid 2004;
           class super-user;
           authentication {
               encrypted-password "****";
           }
       }
   }
   services {
       /* NOTE(review): telnet and xnm-clear-text are unencrypted management channels, and the untrust zone
          (security zones below) allows host-inbound system-services "all", so both are reachable from every
          untrust interface. Prefer ssh (and netconf over ssh) and remove these two. */
       telnet;
       xnm-clear-text;
       web-management {
           http {
               /* vlan.1 is an untrust-zone interface, so J-Web over plain HTTP is exposed there;
                  the https branch is limited to vlan.2 (the Management VLAN in zone trust). */
               interface [ vlan.2 vlan.1 ];
           }
           https {
               system-generated-certificate;
               interface vlan.2;
           }
       }
       dhcp {
           /* Roughly 116-day lease; no pool/range is shown in this paste. */
           default-lease-time 9999999;
           domain-name *****;
       }
   }
   syslog {
       archive size 100k files 3;
       user * {
           any emergency;
       }
       file messages {
           any critical;
           authorization info;
       }
       file interactive-commands {
           interactive-commands error;
       }
       /* Session logs (RT_FLOW) from the logging security policy end up here, in structured-data form.
          The archive is world-readable on the box. */
       file policy_session {
           user info;
           match RT_FLOW;
           archive size 1000k world-readable;
           structured-data;
       }
   }
   max-configurations-on-flash 5;
   max-configuration-rollbacks 5;
   license {
       autoupdate {
           url https://ae1.juniper.net/junos/key_retrieval;
       }
   }
}
interfaces {
   /* All copper ports run family ethernet-switching (ge-0/0/0 and ge-0/0/1 as trunks, fe-0/0/2..7 as
      access ports in VLAN "default"); the routed addresses live on the vlan.N RVIs at the end of this stanza. */
   ge-0/0/0 {
       unit 0 {
           family ethernet-switching {
               port-mode trunk;
               vlan {
                   members [ default office-p2p ];
               }
           }
       }
   }
   ge-0/0/1 {
       description DES-3828;
       unit 0 {
           description DES-3828;
           family ethernet-switching {
               port-mode trunk;
               vlan {
                   members [ Management office-p2p gw-200-0 ];
               }
               native-vlan-id 1;
           }
       }
   }
   fe-0/0/2 {
       description Office-p2p;
       unit 0 {
           description IPTV-spal;
           family ethernet-switching {
               port-mode access;
               vlan {
                   members default;
               }
           }
       }
   }
   fe-0/0/3 {
       description ****;
       unit 0 {
           description ****;
           family ethernet-switching {
               port-mode access;
               vlan {
                   members default;
               }
           }
       }
   }
   fe-0/0/4 {
       description Server-DL380;
       unit 0 {
           description Server-DL380;
           family ethernet-switching {
               port-mode access;
               vlan {
                   members default;
               }
           }
       }
   }
   fe-0/0/5 {
       description DL380G4-ILO;
       unit 0 {
           description DL380G4-ILO;
           family ethernet-switching {
               port-mode access;
               vlan {
                   members default;
               }
           }
       }
   }
   fe-0/0/6 {
       description DL360-Ilo;
       unit 0 {
           description DL360-Ilo;
           family ethernet-switching {
               port-mode access;
               vlan {
                   members default;
               }
           }
       }
   }
   fe-0/0/7 {
       description DL360;
       unit 0 {
           description DL360;
           family ethernet-switching {
               port-mode access;
               vlan {
                   members default;
               }
           }
       }
   }
   vlan {
       /* vlan.1 (VLAN "default") and vlan.3 (office-p2p) carry the two addresses the poster says are reachable
          from outside; both RVIs sit in the untrust zone with all host-inbound services allowed. */
       unit 1 {
           family inet {
               address 10.175.100.108/21;
           }
       }
       /* Management VLAN; the only interface where HTTPS J-Web is enabled. */
       unit 2 {
           family inet {
               address 192.168.249.3/26;
           }
       }
       unit 3 {
           family inet {
               address 192.168.0.156/24;
           }
       }
       /* Peering subnet: 192.168.99.2 is both the BGP neighbor and the static default next hop. */
       unit 4 {
           family inet {
               address 192.168.99.1/24;
           }
       }
   }
}
snmp {
   description junos.gw.*****;
   contact *****;
   /* Read-only community. NOTE(review): no `clients` restriction is visible in this paste, and snmp is covered
      by the untrust zone's system-services "all" — limit the community to the management subnet if it is not. */
   community ***** {
       authorization read-only;
   }
}
routing-options {
   static {
       /* Internal 10/8 aggregates via 10.175.96.1, which is on the vlan.1 subnet (10.175.96.0/21). */
       route 10.175.0.0/16 next-hop 10.175.96.1;
       route 10.86.0.0/16 next-hop 10.175.96.1;
       route 10.22.0.0/16 next-hop 10.175.96.1;
       route 10.114.0.0/16 next-hop 10.175.96.1;
       route 10.97.0.0/16 next-hop 10.175.96.1;
       /* Static default towards the BGP peer on vlan.4. */
       route 0.0.0.0/0 next-hop 192.168.99.2;
   }
   router-id 192.168.99.1;
   autonomous-system *****;
}
protocols {
   bgp {
       local-address 192.168.99.1;
       local-as *****;
       /* Single eBGP peer on vlan.4. NOTE(review): no import/export policy is attached to the group; the TO-RS
          policy-statement and the as*** prefix-list in policy-options are not referenced anywhere in this paste.
          advertise-inactive and advertise-peer-as relax JunOS's default advertisement rules — presumably
          intentional for this peering, but worth confirming. */
       group Test {
           description BGP***;
           advertise-inactive;
           advertise-peer-as;
           damping;
           peer-as *****;
           neighbor 192.168.99.2;
       }
   }
   stp;
   /* IGMP snooping only on VLAN "default"; ge-0/0/0.0 is the multicast-router port, ge-0/0/1.0 has a static group. */
   igmp-snooping {
       vlan default {
           query-interval 60;
           query-last-member-interval 75;
           query-response-interval 3;
           robust-count 4;
           immediate-leave;
           interface ge-0/0/0.0 {
               multicast-router-interface;
           }
           interface ge-0/0/1.0 {
               static {
                   group 233.33.0.0;
               }
           }
       }
   }
}
policy-options {
   /* NOTE(review): neither the prefix-list nor TO-RS is referenced elsewhere in this paste (the BGP group has
      no import/export), so they appear to be unused leftovers. */
   prefix-list as***{
       10.61.0.0/16;
       10.147.0.0/16;
   }
   policy-statement TO-RS {
       term as**** {
           from rib inet.0;
           then accept;
       }
   }
}
security {
   log {
       /* NOTE(review): stream mode ships RT_FLOW logs to an external collector, but no `stream` target or
          source-address appears in this paste, so where these logs end up (if anywhere) cannot be told here. */
       mode stream;
       format sd-syslog;
   }
   screen {
       ids-option untrust-screen {
           /* Detection-only: with alarm-without-drop every screen below just raises an alarm and the packet is
              still forwarded. Remove this line if the screens are meant to block. */
           alarm-without-drop;
           icmp {
               ip-sweep;
               fragment;
               large;
               flood;
               ping-death;
           }
           ip {
               timestamp-option;
               security-option;
               stream-option;
               spoofing;
               source-route-option;
               strict-source-route-option;
               unknown-protocol;
               block-frag;
               tear-drop;
           }
           tcp {
               syn-fin;
               fin-no-ack;
               tcp-no-flag;
               syn-frag;
               port-scan;
               syn-ack-ack-proxy;
               syn-flood {
                   alarm-threshold 1024;
                   attack-threshold 200;
                   source-threshold 1024;
                   destination-threshold 2048;
                   timeout 20;
               }
               land;
               winnuke;
           }
           udp {
               flood;
           }
       }
   }
   nat {
       source {
           /* Everything leaving trust->untrust is hidden behind the egress interface address. */
           rule-set trust-to-untrust {
               from zone trust;
               to zone untrust;
               rule source-nat-rule {
                   match {
                       source-address 0.0.0.0/0;
                   }
                   then {
                       source-nat {
                           interface;
                       }
                   }
               }
           }
       }
   }
   policies {
       from-zone trust to-zone untrust {
           /* Outbound any/any/any, logged at session start and end (lands in the policy_session syslog file). */
           policy trust-to-untrust {
               match {
                   source-address any;
                   destination-address any;
                   application any;
               }
               then {
                   permit;
                   log {
                       session-init;
                       session-close;
                   }
               }
           }
       }
       from-zone untrust to-zone trust {
           /* NOTE(review): inbound any/any/any with no logging — the SRX does no filtering between untrust and
              trust at all here. If this config is copied to answer the thread's question, narrow it to the hosts
              and ports that must be reachable and add `log { session-init; }` so inbound sessions are visible. */
           policy untrust-to-trust {
               match {
                   source-address any;
                   destination-address any;
                   application any;
               }
               then {
                   permit;
               }
           }
       }
   }
   zones {
       security-zone trust {
           host-inbound-traffic {
               system-services {
                   all;
               }
               protocols {
                   all;
               }
           }
           interfaces {
               vlan.2 {
                   host-inbound-traffic {
                       system-services {
                           all;
                       }
                       protocols {
                           all;
                       }
                   }
               }
               fe-0/0/2.0;
               fe-0/0/6.0;
               fe-0/0/7.0 {
                   host-inbound-traffic {
                       system-services {
                           all;
                       }
                       protocols {
                           all;
                       }
                   }
               }
           }
       }
       security-zone untrust {
           screen untrust-screen;
           /* NOTE(review): this is what makes the box "reachable from outside": every system service (telnet,
              http, snmp, ...) and every routing protocol is accepted on all untrust interfaces, including vlan.1
              (10.175.100.108) and vlan.3 (192.168.0.156). Limit system-services to what is needed (e.g. ssh, ping)
              and protocols to bgp on vlan.4, where the peer lives. The per-interface host-inbound-traffic blocks
              below repeat the zone-level "all" and add nothing. */
           host-inbound-traffic {
               system-services {
                   all;
               }
               protocols {
                   all;
               }
           }
           interfaces {
               ge-0/0/0.0 {
                   host-inbound-traffic {
                       system-services {
                           all;
                       }
                       protocols {
                           all;
                       }
                   }
               }
               vlan.1 {
                   host-inbound-traffic {
                       system-services {
                           all;
                       }
                       protocols {
                           all;
                       }
                   }
               }
               fe-0/0/4.0 {
                   host-inbound-traffic {
                       system-services {
                           all;
                       }
                       protocols {
                           all;
                       }
                   }
               }
               vlan.3 {
                   host-inbound-traffic {
                       system-services {
                           all;
                       }
                       protocols {
                           all;
                       }
                   }
               }
               vlan.4 {
                   host-inbound-traffic {
                       system-services {
                           all;
                       }
                       protocols {
                           all;
                       }
                   }
               }
           }
       }
   }
}
ethernet-switching-options {
   /* Bare voip stanza; no interface/vlan/forwarding-class settings under it in this paste. */
   voip;
}
vlans {
   /* NOTE(review): RVI unit numbers do not follow the vlan-ids — vlan-id 3 (gw-200-0) maps to vlan.4 and
      vlan-id 701 (office-p2p) to vlan.3 — easy to misread when checking which address sits in which zone. */
   Management {
       description Management;
       vlan-id 2;
       l3-interface vlan.2;
   }
   /* No explicit vlan-id here; presumably the untagged default VLAN (ge-0/0/1 uses native-vlan-id 1). */
   default {
       l3-interface vlan.1;
   }
   gw-200-0 {
       description gw-200-0;
       vlan-id 3;
       l3-interface vlan.4;
   }
   office-p2p {
       description office-p2p;
       vlan-id 701;
       l3-interface vlan.3;
   }
}

