JunOS: How to add a dedicated security zone on a Juniper SRX firewall

Date: 2020-02-23 14:44:15  Source: igfitidea

This article explains how to add a security zone with its own dedicated VLAN, DHCP scope and DNS proxy rule.

For this example we will add a guest zone with the following parameters:

  • VLAN ID: 40
  • Subnet: 10.10.40.0/24
  • Gateway IP (Layer 3 interface): 10.10.40.1
  • DHCP range: 10.10.40.128/25
  • Policy: allow http, https, ping, traceroute, dns, dhcp (configured below as host-inbound-traffic, i.e. the services the SRX itself accepts from hosts in the zone)
  • Member interface: ge-0/0/2

1. Define the VLAN:

set vlans v40 description "Guest LAN"
set vlans v40 vlan-id 40

2. Define the Layer 3 interface and gateway IP on VLAN 40:

set vlans v40 l3-interface irb.40
set interfaces irb unit 40 family inet address 10.10.40.1/24

3. Configure the DHCP server and scope. The pool hands out 10.10.40.129 to 10.10.40.254 and points clients at the SRX's own IRB address (10.10.40.1) as their name server, which is why the DNS proxy in step 4 is required:

set access address-assignment pool DHCP_Grp_GUEST_Pool1 family inet network 10.10.40.0/24
set access address-assignment pool DHCP_Grp_GUEST_Pool1 family inet range DHCP_Grp_GUEST_Pool1_Range1 low 10.10.40.129
set access address-assignment pool DHCP_Grp_GUEST_Pool1 family inet range DHCP_Grp_GUEST_Pool1_Range1 high 10.10.40.254
set access address-assignment pool DHCP_Grp_GUEST_Pool1 family inet dhcp-attributes name-server 10.10.40.1
set access address-assignment pool DHCP_Grp_GUEST_Pool1 family inet dhcp-attributes router 10.10.40.1
set system services dhcp-local-server group DHCP_Grp_GUEST interface irb.40

4. Configure the DNS proxy. It answers client queries on irb.40 and forwards them to the name servers the SRX itself is configured to use:

set system services dns dns-proxy interface irb.40

5. Create the security zone and bind irb.40 to it. Note that host-inbound-traffic protocols all permits every routing/control-plane protocol (OSPF, BGP, etc.) from guest hosts to the SRX itself; it has nothing to do with outbound transit traffic, and a guest zone normally needs none of these, so keep the protocols all keyword only if you actually run a routing protocol toward this zone:

set security zones security-zone GUEST interfaces irb.40 host-inbound-traffic protocols all

6. Add the required interfaces to VLAN 40:

set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members v40

Note: add as many interfaces as needed, and make sure each one is in the correct mode (access or trunk) and, where needed, carries the right native-vlan-id.

7. Define the system services the SRX accepts from the security zone (host-inbound-traffic). dhcp and dns are required for the DHCP server and DNS proxy configured above, ping and traceroute are useful for diagnostics, and http/https permit J-Web management from guest hosts (they are not what lets guests browse the web; transit traffic from guests to other zones is governed by security policies, not by these statements):

set security zones security-zone GUEST interfaces irb.40 host-inbound-traffic system-services ping
set security zones security-zone GUEST interfaces irb.40 host-inbound-traffic system-services dhcp
set security zones security-zone GUEST interfaces irb.40 host-inbound-traffic system-services dns
set security zones security-zone GUEST interfaces irb.40 host-inbound-traffic system-services http
set security zones security-zone GUEST interfaces irb.40 host-inbound-traffic system-services https
set security zones security-zone GUEST interfaces irb.40 host-inbound-traffic system-services traceroute

Note: in some specific cases you can also allow all services, but this is not recommended for a guest zone:

set security zones security-zone GUEST interfaces irb.40 host-inbound-traffic system-services all
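The whole procedure as one consolidated, commit-ready configuration, followed by the operational-mode commands used to verify it. This is an added example written for this page, not the original article's configuration. It goes beyond the steps above in three places, all of which are assumptions: the interface-mode access statement (ELS syntax), the transit security policies, and the zone names untrust and trust (the page only configures host-inbound-traffic, and without a from-zone GUEST policy guest hosts can reach the SRX itself but nothing beyond it). It also assumes source NAT toward untrust and system name-server are already configured, and it deliberately leaves http/https out of host-inbound-traffic so guests get no J-Web access; web browsing is handled by the transit policy instead.

```junos
## Added example (not from the original article): complete GUEST zone configuration.
## Assumes existing zone names untrust and trust, source NAT to untrust and
## system name-server already configured; interface-mode access assumes ELS syntax.
configure

# 1-2. VLAN 40 with irb.40 as the gateway
set vlans v40 description "Guest LAN"
set vlans v40 vlan-id 40
set vlans v40 l3-interface irb.40
set interfaces irb unit 40 family inet address 10.10.40.1/24

# 3. DHCP pool 10.10.40.129-254; clients use the SRX (10.10.40.1) as their DNS server
set access address-assignment pool DHCP_Grp_GUEST_Pool1 family inet network 10.10.40.0/24
set access address-assignment pool DHCP_Grp_GUEST_Pool1 family inet range DHCP_Grp_GUEST_Pool1_Range1 low 10.10.40.129
set access address-assignment pool DHCP_Grp_GUEST_Pool1 family inet range DHCP_Grp_GUEST_Pool1_Range1 high 10.10.40.254
set access address-assignment pool DHCP_Grp_GUEST_Pool1 family inet dhcp-attributes name-server 10.10.40.1
set access address-assignment pool DHCP_Grp_GUEST_Pool1 family inet dhcp-attributes router 10.10.40.1
set system services dhcp-local-server group DHCP_Grp_GUEST interface irb.40

# 4. DNS proxy listening on the guest gateway address
set system services dns dns-proxy interface irb.40

# 5+7. Zone with only the control-plane services guests need: no 'protocols all',
#      no http/https (no J-Web from guests; web browsing is transit traffic, see policy below)
set security zones security-zone GUEST interfaces irb.40 host-inbound-traffic system-services dhcp
set security zones security-zone GUEST interfaces irb.40 host-inbound-traffic system-services dns
set security zones security-zone GUEST interfaces irb.40 host-inbound-traffic system-services ping
set security zones security-zone GUEST interfaces irb.40 host-inbound-traffic system-services traceroute

# 6. Access port in VLAN 40 (interface-mode access is an assumption: ELS syntax)
set interfaces ge-0/0/2 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members v40

# Transit policy (assumed zone name 'untrust'): guests may browse, resolve and ping, nothing else
set security policies from-zone GUEST to-zone untrust policy GUEST-to-Internet match source-address any
set security policies from-zone GUEST to-zone untrust policy GUEST-to-Internet match destination-address any
set security policies from-zone GUEST to-zone untrust policy GUEST-to-Internet match application [ junos-http junos-https junos-dns-udp junos-dns-tcp junos-ping junos-traceroute ]
set security policies from-zone GUEST to-zone untrust policy GUEST-to-Internet then permit
set security policies from-zone GUEST to-zone untrust policy GUEST-to-Internet then log session-close

# Guest isolation (assumed zone name 'trust'): explicit, logged deny toward the internal LAN
set security policies from-zone GUEST to-zone trust policy GUEST-deny-LAN match source-address any
set security policies from-zone GUEST to-zone trust policy GUEST-deny-LAN match destination-address any
set security policies from-zone GUEST to-zone trust policy GUEST-deny-LAN match application any
set security policies from-zone GUEST to-zone trust policy GUEST-deny-LAN then deny
set security policies from-zone GUEST to-zone trust policy GUEST-deny-LAN then log session-init

# Validate first, then commit with an automatic rollback in case the change cuts off management access
commit check
commit confirmed 5 comment "add GUEST zone (VLAN 40)"
exit

# Verification (operational mode)
show vlans v40
show interfaces irb.40 terse
show security zones GUEST
show dhcp server binding
show security policies from-zone GUEST to-zone untrust
show security flow session source-prefix 10.10.40.0/24
```

After commit confirmed, a plain commit must follow within the 5-minute window or the SRX rolls the change back automatically; run it once a guest client has obtained a lease (visible in show dhcp server binding) and a session from 10.10.40.0/24 appears in the flow table. The explicit GUEST-to-trust deny is redundant with the SRX's default inter-zone deny, but it makes the isolation visible in the policy list and logs every attempt from the guest VLAN to reach the internal LAN.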