Lab 2.1 Configuring a Static Route on a Juniper Router

Thread starter: root
I. Topology
- Topology

[Topology diagram: Drawing2.jpg]


- Requirements
  • The PCs in the LAN can ping the Juniper router
  • The Juniper router is configured with a default route so that it can ping the internet
  • The PCs in the LAN can reach the internet
II. Implementation
1. Configure IP addresses on the Juniper router

Code:
// Set the router's host name
root> configure
root# set system host-name svuit-vSRX

// Configure the IP address of interface ge-0/0/0
root@svuit-vSRX# set interfaces ge-0/0/0 unit 0 family inet address 172.16.1.200/24

// Configure the IP address of interface ge-0/0/1
root@svuit-vSRX# set interfaces ge-0/0/1 unit 0 family inet address 192.168.10.254/24

root@svuit-vSRX# commit

- Verify the configuration just entered
Code:
root@svuit-vSRX# show interfaces
ge-0/0/0 {
    unit 0 {
        family inet {
            address 172.16.1.200/24;
        }
    }
}
ge-0/0/1 {
    unit 0 {
        family inet {
            address 192.168.10.254/24;
        }
    }
}


[edit]
Or

Code:
root@svuit-vSRX# run show interfaces terse
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
ge-0/0/0.0              up    up   inet     172.16.1.200/24
gr-0/0/0                up    up
ip-0/0/0                up    up
lsq-0/0/0               up    up
lt-0/0/0                up    up
mt-0/0/0                up    up
sp-0/0/0                up    up
sp-0/0/0.0              up    up   inet
                                   inet6
sp-0/0/0.16383          up    up   inet     10.0.0.1            --> 10.0.0.16
                                            10.0.0.6            --> 0/0
                                            128.0.0.1           --> 128.0.1.16
                                            128.0.0.6           --> 0/0
ge-0/0/1                up    up
ge-0/0/1.0              up    up   inet     192.168.10.254/24
dsc                     up    up
gre                     up    up
ipip                    up    up
irb                     up    up
lo0                     up    up
lo0.16384               up    up   inet     127.0.0.1           --> 0/0
lo0.16385               up    up   inet     10.0.0.1            --> 0/0
                                            10.0.0.16           --> 0/0
                                            128.0.0.1           --> 0/0
                                            128.0.0.4           --> 0/0
                                            128.0.1.16          --> 0/0
lo0.32768               up    up
lsi                     up    up
mtun                    up    up
pimd                    up    up
pime                    up    up
pp0                     up    up
ppd0                    up    up
ppe0                    up    up
st0                     up    up
tap                     up    up
vlan                    up    down


[edit]
- The router cannot ping the internet yet, because no routing has been configured
Code:
root@svuit-vSRX# run ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
ping: sendto: No route to host
ping: sendto: No route to host
ping: sendto: No route to host
ping: sendto: No route to host
ping: sendto: No route to host
^C
--- 8.8.8.8 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss


[edit]
- Configure a default route on the Juniper router

Code:
root@svuit-vSRX# set routing-options static route 0.0.0.0/0 next-hop 172.16.1.254
root@svuit-vSRX# commit

- Check the routing table

Code:
root@svuit-vSRX# show routing-options
static {
    route 0.0.0.0/0 next-hop 172.16.1.254;
}


[edit]
Code:
root@svuit-vSRX# run show route


inet.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both


0.0.0.0/0          *[Static/5] 00:29:47
                    > to 172.16.1.254 via ge-0/0/0.0
172.16.1.0/24      *[Direct/0] 00:37:20
                    > via ge-0/0/0.0
172.16.1.200/32    *[Local/0] 00:37:20
                      Local via ge-0/0/0.0
192.168.10.0/24    *[Direct/0] 02:02:46
                    > via ge-0/0/1.0
192.168.10.254/32  *[Local/0] 02:02:46
                      Local via ge-0/0/1.0


[edit]
- And the router now pings the internet successfully

Code:
root@svuit-vSRX# run ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=49 time=72.780 ms
64 bytes from 8.8.8.8: icmp_seq=1 ttl=50 time=64.434 ms
^C
--- 8.8.8.8 ping statistics ---
3 packets transmitted, 2 packets received, 33% packet loss
round-trip min/avg/max/stddev = 64.434/68.607/72.780/4.173 ms
- The PC and the router cannot ping each other yet, because interface ge-0/0/0 belongs to the trust zone, which does not allow ping.
Code:
PC1> ping 192.168.10.254
192.168.10.254 icmp_seq=1 timeout
192.168.10.254 icmp_seq=2 timeout
192.168.10.254 icmp_seq=3 timeout
192.168.10.254 icmp_seq=4 timeout
192.168.10.254 icmp_seq=5 timeout
Code:
root@svuit-vSRX# run ping 192.168.10.10
PING 192.168.10.10 (192.168.10.10): 56 data bytes
PING 192.168.10.10 (192.168.10.10): 56 data bytes
PING 192.168.10.10 (192.168.10.10): 56 data bytes
^C
--- 192.168.10.10 ping statistics ---
14 packets transmitted, 0 packets received, 100% packet loss
- Put interface ge-0/0/1 into the zone INSIDE (a name you choose yourself) and allow ping on it

Code:
root@svuit-vSRX# set security zones security-zone INSIDE interfaces ge-0/0/1 host-inbound-traffic system-services ping

- Check the zones

Code:
root@svuit-vSRX# show security zones
security-zone trust {
    tcp-rst;
}
security-zone untrust {
    screen untrust-screen;
    interfaces {
        ge-0/0/0.0 {
            host-inbound-traffic {
                system-services {
                    http;
                    https;
                    ssh;
                    telnet;
                    dhcp;
                }
            }
        }
    }
}
security-zone INSIDE {
    interfaces {
        ge-0/0/1.0 {
            host-inbound-traffic {
                system-services {
                    ping;
                }
            }
        }
    }
}


[edit]
- Now the PC and the router can ping each other

Code:
PC1> ping 192.168.10.254
84 bytes from 192.168.10.254 icmp_seq=1 ttl=64 time=46.937 ms
84 bytes from 192.168.10.254 icmp_seq=2 ttl=64 time=0.935 ms
84 bytes from 192.168.10.254 icmp_seq=3 ttl=64 time=3.808 ms
84 bytes from 192.168.10.254 icmp_seq=4 ttl=64 time=1.840 ms
84 bytes from 192.168.10.254 icmp_seq=5 ttl=64 time=2.332 ms
Code:
root@svuit-vSRX# run ping 192.168.10.10
PING 192.168.10.10 (192.168.10.10): 56 data bytes
64 bytes from 192.168.10.10: icmp_seq=0 ttl=64 time=10.140 ms
64 bytes from 192.168.10.10: icmp_seq=1 ttl=64 time=5.733 ms
^C
--- 192.168.10.10 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 5.733/7.937/10.140/2.203 ms
 
3. Configure internet access for the PC
- I will put interface ge-0/0/0 into a new zone, OUTSIDE, so that it is easier to picture
- Because each interface can belong to only one zone, I will remove interface ge-0/0/0 from its default untrust zone.

Code:
root@svuit-vSRX# show security zones
security-zone trust {
    tcp-rst;
}
security-zone untrust {
    screen untrust-screen;
    interfaces {
        ge-0/0/0.0 {
            host-inbound-traffic {
                system-services {
                    http;
                    https;
                    ssh;
                    telnet;
                    dhcp;
                }
            }
        }
    }
}


[edit]
- And add it to my OUTSIDE zone

Code:
// remove interface ge-0/0/0 from the untrust zone
root@svuit-vSRX# delete security zones security-zone untrust interfaces ge-0/0/0.0

// add interface ge-0/0/0 to my OUTSIDE zone
root@svuit-vSRX# set security zones security-zone OUTSIDE interfaces ge-0/0/0


- Check again and you will see
Code:
root@Juniper# commit
commit complete


[edit]
root@Juniper# show security zones
security-zone trust {
    tcp-rst;
}
security-zone untrust {
    screen untrust-screen;
}
security-zone INSIDE {
    interfaces {
        ge-0/0/1.0 {
            host-inbound-traffic {
                system-services {
                    ping;
                }
            }
        }
    }
}
security-zone OUTSIDE {
    interfaces {
        ge-0/0/0.0;
    }
}


[edit]

- Next you need a security policy that allows INSIDE to reach OUTSIDE (zone names are case-sensitive, so they must match the zones created above exactly)

Code:
root@svuit-vSRX# set security policies from-zone INSIDE to-zone OUTSIDE policy INSIDE-INSIDE match source-address any
root@svuit-vSRX# set security policies from-zone INSIDE to-zone OUTSIDE policy INSIDE-INSIDE match destination-address any
root@svuit-vSRX# set security policies from-zone INSIDE to-zone OUTSIDE policy INSIDE-INSIDE match application any
root@svuit-vSRX# set security policies from-zone INSIDE to-zone OUTSIDE policy INSIDE-INSIDE then permit

- Check the router's security policies

Code:
root@svuit-vSRX# show security policies
from-zone trust to-zone trust {
    policy default-permit {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit;
        }
    }
}
from-zone trust to-zone untrust {
    policy default-permit {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit;
        }
    }
}
from-zone untrust to-zone trust {
    policy default-deny {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            deny;
        }
    }
}
from-zone INSIDE to-zone OUTSIDE {
    policy INSIDE-INSIDE {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit;
        }
    }
}


[edit]
- Result: the PC reaches the internet successfully

Code:
PC1> ping 8.8.8.8
84 bytes from 8.8.8.8 icmp_seq=1 ttl=48 time=75.228 ms
84 bytes from 8.8.8.8 icmp_seq=2 ttl=48 time=63.502 ms
84 bytes from 8.8.8.8 icmp_seq=3 ttl=48 time=61.618 ms
84 bytes from 8.8.8.8 icmp_seq=4 ttl=48 time=70.183 ms
84 bytes from 8.8.8.8 icmp_seq=5 ttl=48 time=68.123 ms

P.S.: add a static route on your home modem as well, because here I am using routing only, without NAT.
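As an added example (my own code, not part of the original post or of Junos), a small Python model of the decisions the vSRX makes in this lab: route lookup, zone membership of the ingress and egress interface, host-inbound-traffic for pings aimed at the router itself, and the INSIDE-to-OUTSIDE policy. The route table, zones and policy are constructed from the show outputs above; the function names and the verdict strings are my own.

```python
import ipaddress

# Constructed from the lab's 'show route' / 'show security' output (an assumed
# model, not the router's real lookup code): (prefix, next_hop, out_interface)
ROUTES = [
    ("0.0.0.0/0", "172.16.1.254", "ge-0/0/0.0"),   # static default route
    ("172.16.1.0/24", None, "ge-0/0/0.0"),         # direct
    ("192.168.10.0/24", None, "ge-0/0/1.0"),       # direct
]
LOCAL_ADDRS = {"172.16.1.200", "192.168.10.254"}   # the router's own addresses
ZONES = {"ge-0/0/1.0": "INSIDE", "ge-0/0/0.0": "OUTSIDE"}
HOST_INBOUND = {"ge-0/0/1.0": {"ping"}}            # host-inbound-traffic system-services
POLICIES = {("INSIDE", "OUTSIDE"): "permit"}       # policy INSIDE-INSIDE then permit


def lookup(dst, routes=ROUTES):
    """Longest-prefix match. Returns (next_hop, out_interface) or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop, ifc in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            # a directly connected prefix has no next-hop: forward to dst itself
            best = (net.prefixlen, next_hop or dst, ifc)
    return best[1:] if best else None


def decide(in_ifc, dst, service="ping", routes=ROUTES, zones=ZONES,
           host_inbound=HOST_INBOUND, policies=POLICIES):
    """Verdict for a packet entering on in_ifc addressed to dst."""
    # Traffic to the router itself is governed by host-inbound-traffic on the
    # ingress interface, not by a from-zone/to-zone policy.
    if dst in LOCAL_ADDRS:
        allowed = service in host_inbound.get(in_ifc, set())
        return "host-inbound permit" if allowed else "host-inbound deny"
    hop = lookup(dst, routes)
    if hop is None:
        return "no route"                     # ping: sendto: No route to host
    from_zone, to_zone = zones.get(in_ifc), zones.get(hop[1])
    if from_zone is None or to_zone is None:
        return "deny (interface not in any zone)"
    return policies.get((from_zone, to_zone), "deny (no policy)")
```

Calling decide() with the default route, the INSIDE zone or the policy left out reproduces each of the failures seen in the lab before that step was configured.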

[Screenshot: 2014-11-23_151405.jpg]