分公司網絡建設---Juniper 設備策略路由配置

分公司網絡建設---Juniper網絡設備策略路由配置

    分公司的網絡建設，內網經過ospf實現路由訪問，防火牆鏈接外網和錄音平臺，流量訪問要實現明細化，即訪問平臺的流量經過平臺的專線，訪問外網的流量經過單獨的外網專線，網關啓用在覈心交換機上，要實現該需求，就要經過靜態路由和策略路由來控制。

    網絡拓撲圖以下：

    在覈心交換機上配置去往外網和錄音平臺的靜態路由，流量防火牆後，經過靜態路由分別訪問各自的目的地址；可是在防火牆上回包流量須要經過策略來分流，如圖紅線爲訪問錄音平臺的流量，黑線爲訪問外網的流量。

    在Juniper防火牆上配置策略路由，命令以下：

//建立路由實例

set routing-instances internet-to-inside instance-type  forwarding

set routing-instances internet-to-inside routing-options static route 0.0.0.0/0  next-hop  10.128.31.157

set routing-instances qingniu-to-inside instance-type forwarding

set routing-instances qingniu-to-inside routing-options static route 0.0.0.0/0 next-hop 10.128.31.161

//經過ACL來控制流量

set firewall family inet filter qingniu-to-inside term 10 from source-address  10.128.31.64/28     

set firewall family inet filter qingniu-to-inside term 10 from source-address  10.128.31.166/32

set firewall family inet filter qingniu-to-inside term 10 from destination-address 10.0.0.0/8

set firewall family inet filter qingniu-to-inside term 10 then routing-instance qingniu-to-inside

set firewall family inet filter qingniu-to-inside term 20 then accept

set firewall family inet filter Internet-to-inside term 10 from destination-address 10.0.0.0/8

set firewall family inet filter Internet-to-inside term 10 then routing-instance internet-to-inside       

//關聯路由表

set routing-options interface-routes rib-group inet FBF-Group

set routing-options rib-groups FBF-Group import-rib inet.0      

set routing-options rib-groups FBF-Group import-rib qingniu-to-inside.inet.0

set routing-options rib-groups FBF-Group import-rib internet-to-inside.inet.0

//應用在流量的入口處

set interfaces ge-0/0/15 unit 0 family inet filter input internet-to-inside

set interfaces ge-0/0/14 unit 0 family inet filter input qingniu-to-inside

但願對讀者有所幫助，若有問題，能夠留言互動。