了解 vSRX 缺省配置
IBM Cloud® Juniper vSRX 设备随附以下缺省配置:
- 在 vSRX 公共和专用网关 IP 地址上都允许 SSH 和 Ping 流量
- 公共和专用网关 IP 地址的 HTTPS 端口 8443 上允许使用 Juniper Web 管理 (J-Web) UI 访问
- IBM 服务网络已预先设置了一个地址集 SERVICE
- 预定义了两个安全专区: SL-PRIVATE 和 SL-PUBLIC。在 SL-PRIVATE 区域中,允许访问由 IBM 提供的所有服务,这些服务通过地址集 SERVICE 指定
- 其他所有网络访问都会被拒绝
配置了两个冗余组。 下表说明了这两个冗余组:
冗余组 | 冗余组功能 |
---|---|
redundancy-group 0 | 用于控制平面的冗余组 |
redundancy-group 1 | 用于数据平面的冗余组 |
冗余组中的优先级决定了哪个 vSRX 节点处于活动状态。 缺省情况下,对于控制平面和数据平面,都是节点 0 处于活动状态。
1G 独立 SR-IOV 公用和专用 vSRX 网关的缺省配置样本
以下配置样本取自最新的代码发布。
## Last commit: 2020-04-28 00:32:27 UTC by root
/* Junos release the standalone sample was captured from; the HA sample further down shows the same release. */
version 18.4R1-S1.3;
/* System-level settings: local accounts, management services (SSH, NETCONF, J-Web), DNS, syslog and NTP. */
system {
login {
/* Custom login class: security-control plus read-only view of the configuration. */
class security {
permissions [ security-control view-configuration ];
}
/* Local account "admin" in the built-in super-user class. The hash below is the sample's SECRET-DATA (the HA sample redacts it as "xxx"). */
user admin {
uid 2000;
class super-user;
authentication {
encrypted-password "$6$5gPuIk9u$JPzyjh5zVz0tf4P3.POWv4UWGDfowbzirGmnpiBUW0tDWLf1ZfvP.YwN88Mc8.cyOIvgDMrksbCYsmZxf4f3p."; ## SECRET-DATA
}
}
}
root-authentication {
encrypted-password "$6$q9tQzuqT$/TFQLkHK.woO.Qv9YcZ1nnJqZqhLBqXeg7L3xkUWXVmq8fn4N7mClTpckoCKhombXucxU6StRKOiHTDUeTdd91"; ## SECRET-DATA
}
services {
/* root-login allow: SSH accepts direct root logins. Which destination addresses may receive SSH is bounded by the lo0 filter PROTECT-IN (term SSH) and by the zone policies, not by this stanza. */
ssh {
root-login allow;
}
/* NETCONF over SSH on tcp/830. PROTECT-IN below has no term for 830, so NETCONF sessions arriving on the data interfaces fall to that filter's implicit discard -- presumably intended; confirm. */
netconf {
ssh {
port 830;
}
}
web-management {
/* Cleartext HTTP J-Web is bound only to the management interface fxp0.0. */
http {
interface fxp0.0;
}
/* HTTPS J-Web on tcp/8443 with a device-generated (not CA-issued) certificate, bound to the management interface and every data interface. Restriction to the two management addresses comes from PROTECT-IN term WEB, not from here. */
https {
port 8443;
system-generated-certificate;
interface [ fxp0.0 ae0.0 ae1.0 ge-0/0/0.0 ge-0/0/1.0 ];
}
session {
session-limit 100;
}
}
}
host-name asloma-swap-18-1g-sa0-vsrx-vSRX;
name-server {
10.0.80.11;
10.0.80.12;
}
/* Local logging only: emergencies to logged-in users, everything (authorization at info) to the messages file, and a CLI audit trail in interactive-commands. No remote syslog host is configured in this stanza. */
syslog {
user * {
any emergency;
}
file messages {
any any;
authorization info;
}
file interactive-commands {
interactive-commands any;
}
}
/* Single NTP server; no authentication-key is configured. */
ntp {
server 10.0.77.54;
}
}
/* Allows up to 10 aggregated-ethernet (aeN) bundles; only ae0 and ae1 are defined under interfaces. */
chassis {
aggregated-devices {
ethernet {
device-count 10;
}
}
}
/* Security plane: logging, address objects, screen profile, policies and zones. Only intra-zone management policies exist; no SL-PRIVATE <-> SL-PUBLIC policy is defined, so inter-zone traffic falls to the default deny. */
security {
/* Security event logging in stream mode; no stream destination (host) appears in this stanza. */
log {
mode stream;
report;
}
/* SL1..SL20: IBM service-network prefixes, grouped into address-set SERVICE. SL_PRIV_MGMT / SL_PUB_MGMT are this gateway's own ae0.0 / ae1.0 addresses (see interfaces). */
address-book {
global {
address SL8 10.1.192.0/20;
address SL9 10.1.160.0/20;
address SL4 10.2.128.0/20;
address SL5 10.1.176.0/20;
address SL6 10.1.64.0/19;
address SL7 10.1.96.0/19;
address SL1 10.0.64.0/19;
address SL2 10.1.128.0/19;
address SL3 10.0.86.0/24;
address SL20 10.3.80.0/20;
address SL18 10.2.176.0/20;
address SL19 10.3.64.0/20;
address SL16 10.2.144.0/20;
address SL17 10.2.48.0/20;
address SL14 10.1.208.0/20;
address SL15 10.2.80.0/20;
address SL12 10.2.112.0/20;
address SL13 10.2.160.0/20;
address SL10 10.2.32.0/20;
address SL11 10.2.64.0/20;
address SL_PRIV_MGMT 10.188.111.70/32;
address SL_PUB_MGMT 169.60.101.121/32;
address-set SERVICE {
address SL8;
address SL9;
address SL4;
address SL5;
address SL6;
address SL7;
address SL1;
address SL2;
address SL3;
address SL20;
address SL18;
address SL19;
address SL16;
address SL17;
address SL14;
address SL15;
address SL12;
address SL13;
address SL10;
address SL11;
}
}
}
/* IDS screen profile (ping-of-death, IP source-route, teardrop, SYN-flood thresholds, LAND). It is defined but neither security-zone below attaches it with "screen untrust-screen", so in this sample it is not applied to any traffic. */
screen {
ids-option untrust-screen {
icmp {
ping-death;
}
ip {
source-route-option;
tear-drop;
}
tcp {
syn-flood {
alarm-threshold 1024;
attack-threshold 200;
source-threshold 1024;
destination-threshold 2048;
queue-size 2000; ## Warning: 'queue-size' is deprecated
timeout 20;
}
land;
}
}
}
policies {
/* Intra-zone SL-PRIVATE: any source may reach the private management address or any SERVICE prefix on any application. Management exposure on this side is narrowed further by PROTECT-IN on lo0. */
from-zone SL-PRIVATE to-zone SL-PRIVATE {
policy Allow_Management {
match {
source-address any;
destination-address [ SL_PRIV_MGMT SERVICE ];
application any;
}
then {
permit;
}
}
}
/* Intra-zone SL-PUBLIC: any source may reach the public management address for SSH, HTTPS, HTTP and ICMP ping. junos-http is listed although HTTP J-Web is bound only to fxp0.0 and PROTECT-IN accepts only tcp/8443, so that entry is effectively unused. */
from-zone SL-PUBLIC to-zone SL-PUBLIC {
policy Allow_Management {
match {
source-address any;
destination-address SL_PUB_MGMT;
application [ junos-ssh junos-https junos-http junos-icmp-ping ];
}
then {
permit;
}
}
}
}
/* Both data interfaces accept all system-services inbound to the Routing Engine. The effective management restriction is therefore the lo0 filter PROTECT-IN plus the policies above; keep those in sync when changing exposure. */
zones {
security-zone SL-PRIVATE {
interfaces {
ae0.0 {
host-inbound-traffic {
system-services {
all;
}
}
}
}
}
security-zone SL-PUBLIC {
interfaces {
ae1.0 {
host-inbound-traffic {
system-services {
all;
}
}
}
}
}
}
}
/* Physical ports are paired into 802.3ad bundles: ge-0/0/0 + ge-0/0/2 -> ae0 (private side), ge-0/0/1 + ge-0/0/3 -> ae1 (public side). */
interfaces {
ge-0/0/0 {
ether-options {
802.3ad ae0;
}
}
ge-0/0/1 {
ether-options {
802.3ad ae1;
}
}
ge-0/0/2 {
ether-options {
802.3ad ae0;
}
}
ge-0/0/3 {
ether-options {
802.3ad ae1;
}
}
/* Private side: VLAN 925, address 10.188.111.70/26 (the SL_PRIV_MGMT host address). */
ae0 {
description PRIVATE_VLANs;
flexible-vlan-tagging;
native-vlan-id 925;
unit 0 {
vlan-id 925;
family inet {
address 10.188.111.70/26;
}
}
}
/* Public side: VLAN 985, IPv4 169.60.101.121/28 (the SL_PUB_MGMT host address) plus an IPv6 address. PROTECT-IN is applied only under family inet on lo0 and the address-book holds only IPv4 prefixes; how inbound IPv6 to the device itself is filtered is not visible in this sample -- confirm. */
ae1 {
description PUBLIC_VLAN;
flexible-vlan-tagging;
native-vlan-id 985;
unit 0 {
vlan-id 985;
family inet {
address 169.60.101.121/28;
}
family inet6 {
address 2607:f0d0:3901:0063:0000:0000:0000:000f/64;
}
}
}
/* Management port; no address is configured in this sample, although fxp0.0 is an allowed interface for http and https under system services. */
fxp0 {
unit 0;
}
/* Loopback with PROTECT-IN (see firewall) as the input filter for IPv4 traffic destined to the device itself. */
lo0 {
unit 0 {
family inet {
filter {
input PROTECT-IN;
}
address 127.0.0.1/32;
}
}
}
}
/* Routing-Engine protection filter applied on lo0.0 (family inet). Accepts ICMP, SSH and tcp/8443 only when addressed to the gateway's own public or private address, plus any UDP with source port 53; everything else hits the implicit discard at the end of the filter. */
firewall {
filter PROTECT-IN {
term PING {
from {
destination-address {
169.60.101.121/32;
10.188.111.70/32;
}
protocol icmp;
}
then accept;
}
/* SSH is matched on destination-port only (tcp/22) -- the stricter form; compare term WEB. */
term SSH {
from {
destination-address {
169.60.101.121/32;
10.188.111.70/32;
}
protocol tcp;
destination-port ssh;
}
then accept;
}
/* "port 8443" matches source OR destination port, so TCP sent from source port 8443 to the management addresses also passes this term. Use destination-port 8443 if only inbound J-Web is meant. */
term WEB {
from {
destination-address {
169.60.101.121/32;
10.188.111.70/32;
}
protocol tcp;
port 8443;
}
then accept;
}
/* Matches only on UDP source port 53, with no source-address, destination-address or destination-port, so any host sending from port 53 reaches any UDP port on the device. Presumably meant to let replies from the name-servers (10.0.80.11/12) back in; adding source-address for those resolvers would narrow it. */
term DNS {
from {
protocol udp;
source-port 53;
}
then accept;
}
}
}
/* Static routing: default route via the public next-hop 169.60.101.113; 166.9.0.0/16 and 161.26.0.0/16 (presumably IBM service ranges) and all of 10.0.0.0/8 via the private next-hop 10.188.111.65. */
routing-options {
static {
route 166.9.0.0/16 next-hop 10.188.111.65;
route 0.0.0.0/0 next-hop 169.60.101.113;
route 161.26.0.0/16 next-hop 10.188.111.65;
route 10.0.0.0/8 next-hop 10.188.111.65;
}
}
下表说明了先前配置的网络接口定义:
接口名称 | 接口功能 |
---|---|
ge-0/0/0 | 用于 SL-PRIVATE 传输 VLAN 的千兆以太网接口 |
ge-0/0/1 | 用于 SL-PUBLIC 传输 VLAN 的千兆以太网接口 |
ge-0/0/2 | 用于 SL-PRIVATE 传输 VLAN 的千兆以太网接口 |
ge-0/0/3 | 用于 SL-PUBLIC 传输 VLAN 的千兆以太网接口 |
ae0.0 | 聚集的以太网接口 |
ae1.0 | 聚集的以太网接口 |
fxp0 | 管理接口 |
lo0 | 回送接口 |
10G 高可用性 (HA) SR-IOV 公用和专用 vSRX 网关的缺省配置样本
## Last commit: 2020-04-21 17:22:34 UTC by root
/* Junos release the HA sample was captured from; same release as the standalone sample above. */
version 18.4R1-S1.3;
/* Node-specific overrides for the chassis cluster: each member gets its own host-name. "${node}" in apply-groups resolves to node0 or node1 on the respective member. */
groups {
node0 {
system {
host-name asloma-tc1b-18-10g-pubpriv-dual-ha1-vsrx-vSRX-Node0;
}
}
node1 {
system {
host-name asloma-tc1b-18-10g-pubpriv-dual-ha1-vsrx-vSRX-Node1;
}
}
}
apply-groups "${node}";
/* System-level settings for the HA pair: local accounts, management services (SSH, NETCONF, J-Web), DNS, syslog and NTP. host-name is supplied per node by the groups stanza above. */
system {
login {
/* Custom login class: security-control plus read-only view of the configuration. */
class security {
permissions [ security-control view-configuration ];
}
/* Local account "admin" in the built-in super-user class; the password hash is redacted as "xxx" in this sample. */
user admin {
uid 2000;
class super-user;
authentication {
encrypted-password "xxx"; ## SECRET-DATA
}
}
}
/* NOTE(review): the closing quote on the next line is a typographic quote (U+201D) in the published sample; Junos expects an ASCII double quote, so this line likely fails to parse as shown. */
root-authentication {
encrypted-password "xxx”;## SECRET-DATA
}
services {
/* root-login allow: SSH accepts direct root logins. Which destination addresses may receive SSH is bounded by the lo0 filter PROTECT-IN (term SSH) and by the zone policies, not by this stanza. */
ssh {
root-login allow;
}
/* NETCONF over SSH on tcp/830. PROTECT-IN below has no term for 830, so NETCONF sessions arriving on the reth interfaces fall to that filter's implicit discard -- presumably intended; confirm. */
netconf {
ssh {
port 830;
}
}
web-management {
/* Cleartext HTTP J-Web is bound only to fxp0.0, which has no stanza under interfaces in this sample. */
http {
interface fxp0.0;
}
/* HTTPS J-Web on tcp/8443 with a device-generated (not CA-issued) certificate, bound to fxp0.0 and both redundant data interfaces. Restriction to the two management addresses comes from PROTECT-IN term WEB. */
https {
port 8443;
system-generated-certificate;
interface [ fxp0.0 reth1.0 reth0.0 ];
}
session {
session-limit 100;
}
}
}
name-server {
10.0.80.11;
10.0.80.12;
}
/* Local logging only: emergencies to logged-in users, everything (authorization at info) to the messages file, and a CLI audit trail in interactive-commands. No remote syslog host is configured in this stanza. */
syslog {
user * {
any emergency;
}
file messages {
any any;
authorization info;
}
file interactive-commands {
interactive-commands any;
}
}
/* Single NTP server; no authentication-key is configured. */
ntp {
server 10.0.77.54;
}
}
/* Chassis-cluster (HA) settings. heartbeat-interval 2000 ms x heartbeat-threshold 8 means a peer is declared down after roughly 16 s of missed heartbeats. reth-count 4 matches reth0..reth3 under interfaces. */
chassis {
cluster {
control-link-recovery;
reth-count 4;
heartbeat-interval 2000;
heartbeat-threshold 8;
/* RG0 (control plane): node 0 preferred, priority 100 vs 1. */
redundancy-group 0 {
node 0 priority 100;
node 1 priority 1;
}
/* RG1 (data plane): node 0 preferred. preempt is present but deactivated ("inactive:"), so after a failover node 0 does not automatically take RG1 back. */
redundancy-group 1 {
node 0 priority 100;
node 1 priority 1;
inactive: preempt;
/* Only the public-side reth1 members are monitored (ge-0/0/3, ge-0/0/4 on node 0; ge-7/0/3, ge-7/0/4 on node 1), each at weight 130. Against Junos' default RG threshold of 255 a single link loss does not trigger failover but both links on one node do. The private-side reth0 members are not monitored -- presumably deliberate; confirm. */
interface-monitor {
ge-0/0/3 weight 130;
ge-0/0/4 weight 130;
ge-7/0/3 weight 130;
ge-7/0/4 weight 130;
}
}
}
}
/* Security plane for the HA pair: logging, address objects, screen profile, policies and zones. Only intra-zone management policies exist; no SL-PRIVATE <-> SL-PUBLIC policy is defined, so inter-zone traffic falls to the default deny. */
security {
/* Security event logging in stream mode; no stream destination (host) appears in this stanza. */
log {
mode stream;
report;
}
/* SL1..SL20: IBM service-network prefixes, grouped into address-set SERVICE. SL_PRIV_MGMT / SL_PUB_MGMT are this cluster's own reth0.0 / reth1.0 addresses (see interfaces). */
address-book {
global {
address SL8 10.1.192.0/20;
address SL9 10.1.160.0/20;
address SL4 10.2.128.0/20;
address SL5 10.1.176.0/20;
address SL6 10.1.64.0/19;
address SL7 10.1.96.0/19;
address SL1 10.0.64.0/19;
address SL2 10.1.128.0/19;
address SL3 10.0.86.0/24;
address SL20 10.3.80.0/20;
address SL18 10.2.176.0/20;
address SL19 10.3.64.0/20;
address SL16 10.2.144.0/20;
address SL17 10.2.48.0/20;
address SL14 10.1.208.0/20;
address SL15 10.2.80.0/20;
address SL12 10.2.112.0/20;
address SL13 10.2.160.0/20;
address SL10 10.2.32.0/20;
address SL11 10.2.64.0/20;
address SL_PRIV_MGMT 10.87.40.36/32;
address SL_PUB_MGMT 169.62.79.21/32;
address-set SERVICE {
address SL8;
address SL9;
address SL4;
address SL5;
address SL6;
address SL7;
address SL1;
address SL2;
address SL3;
address SL20;
address SL18;
address SL19;
address SL16;
address SL17;
address SL14;
address SL15;
address SL12;
address SL13;
address SL10;
address SL11;
}
}
}
/* IDS screen profile (ping-of-death, IP source-route, teardrop, SYN-flood thresholds, LAND). It is defined but neither security-zone below attaches it with "screen untrust-screen", so in this sample it is not applied to any traffic. */
screen {
ids-option untrust-screen {
icmp {
ping-death;
}
ip {
source-route-option;
tear-drop;
}
tcp {
syn-flood {
alarm-threshold 1024;
attack-threshold 200;
source-threshold 1024;
destination-threshold 2048;
queue-size 2000; ## Warning: 'queue-size' is deprecated
timeout 20;
}
land;
}
}
}
policies {
/* Intra-zone SL-PRIVATE: any source may reach the private management address or any SERVICE prefix on any application. Management exposure on this side is narrowed further by PROTECT-IN on lo0. */
from-zone SL-PRIVATE to-zone SL-PRIVATE {
policy Allow_Management {
match {
source-address any;
destination-address [ SL_PRIV_MGMT SERVICE ];
application any;
}
then {
permit;
}
}
}
/* Intra-zone SL-PUBLIC: any source may reach the public management address for SSH, HTTPS, HTTP and ICMP ping. junos-http is listed although HTTP J-Web is bound only to fxp0.0 and PROTECT-IN accepts only tcp/8443, so that entry is effectively unused. */
from-zone SL-PUBLIC to-zone SL-PUBLIC {
policy Allow_Management {
match {
source-address any;
destination-address SL_PUB_MGMT;
application [ junos-ssh junos-https junos-http junos-icmp-ping ];
}
then {
permit;
}
}
}
}
/* Both redundant data interfaces accept all system-services inbound to the Routing Engine. The effective management restriction is therefore the lo0 filter PROTECT-IN plus the policies above; keep those in sync when changing exposure. */
zones {
security-zone SL-PRIVATE {
interfaces {
reth0.0 {
host-inbound-traffic {
system-services {
all;
}
}
}
}
}
security-zone SL-PUBLIC {
interfaces {
reth1.0 {
host-inbound-traffic {
system-services {
all;
}
}
}
}
}
}
}
/* Member ports on node 0 (ge-0/0/x) and node 1 (ge-7/0/x) are paired into redundant-ethernet bundles: reth0 (private), reth1 (public), reth2/reth3 (VLAN trunks with no logical units here; the table that follows labels them customer private/public). No fxp0 stanza appears in this sample although fxp0.0 is referenced under web-management. */
interfaces {
ge-0/0/1 {
gigether-options {
redundant-parent reth0;
}
}
ge-0/0/2 {
gigether-options {
redundant-parent reth0;
}
}
ge-0/0/3 {
gigether-options {
redundant-parent reth1;
}
}
ge-0/0/4 {
gigether-options {
redundant-parent reth1;
}
}
ge-0/0/5 {
gigether-options {
redundant-parent reth2;
}
}
ge-0/0/6 {
gigether-options {
redundant-parent reth2;
}
}
ge-0/0/7 {
gigether-options {
redundant-parent reth3;
}
}
ge-0/0/8 {
gigether-options {
redundant-parent reth3;
}
}
ge-7/0/1 {
gigether-options {
redundant-parent reth0;
}
}
ge-7/0/2 {
gigether-options {
redundant-parent reth0;
}
}
ge-7/0/3 {
gigether-options {
redundant-parent reth1;
}
}
ge-7/0/4 {
gigether-options {
redundant-parent reth1;
}
}
ge-7/0/5 {
gigether-options {
redundant-parent reth2;
}
}
ge-7/0/6 {
gigether-options {
redundant-parent reth2;
}
}
ge-7/0/7 {
gigether-options {
redundant-parent reth3;
}
}
ge-7/0/8 {
gigether-options {
redundant-parent reth3;
}
}
/* Cluster fabric (data) links: fab0 = node 0 ports ge-0/0/0 + ge-0/0/9, fab1 = node 1 ports ge-7/0/0 + ge-7/0/9. */
fab0 {
fabric-options {
member-interfaces {
ge-0/0/0;
ge-0/0/9;
}
}
}
fab1 {
fabric-options {
member-interfaces {
ge-7/0/0;
ge-7/0/9;
}
}
}
/* Loopback with PROTECT-IN (see firewall) as the input filter for IPv4 traffic destined to the device itself. */
lo0 {
unit 0 {
family inet {
filter {
input PROTECT-IN;
}
address 127.0.0.1/32;
}
}
}
/* Private side, fails over with RG1: address 10.87.40.36/26 (the SL_PRIV_MGMT host address). */
reth0 {
redundant-ether-options {
redundancy-group 1;
}
unit 0 {
description "SL PRIVATE VLAN INTERFACE";
family inet {
address 10.87.40.36/26;
}
}
}
/* Public side, fails over with RG1: IPv4 169.62.79.21/29 (the SL_PUB_MGMT host address) plus an IPv6 address. PROTECT-IN is applied only under family inet on lo0 and the address-book holds only IPv4 prefixes; how inbound IPv6 to the device itself is filtered is not visible in this sample -- confirm. */
reth1 {
redundant-ether-options {
redundancy-group 1;
}
unit 0 {
description "SL PUBLIC VLAN INTERFACE";
family inet {
address 169.62.79.21/29;
}
family inet6 {
address 2607:f0d0:2901:002e:0000:0000:0000:0003/64;
}
}
}
/* VLAN-tagged trunks with no logical units defined in this sample. */
reth2 {
vlan-tagging;
redundant-ether-options {
redundancy-group 1;
}
}
reth3 {
vlan-tagging;
redundant-ether-options {
redundancy-group 1;
}
}
}
/* Routing-Engine protection filter applied on lo0.0 (family inet). Accepts ICMP, SSH and tcp/8443 only when addressed to the cluster's own public or private address, plus any UDP with source port 53; everything else hits the implicit discard at the end of the filter. */
firewall {
filter PROTECT-IN {
term PING {
from {
destination-address {
169.62.79.21/32;
10.87.40.36/32;
}
protocol icmp;
}
then accept;
}
/* SSH is matched on destination-port only (tcp/22) -- the stricter form; compare term WEB. */
term SSH {
from {
destination-address {
169.62.79.21/32;
10.87.40.36/32;
}
protocol tcp;
destination-port ssh;
}
then accept;
}
/* "port 8443" matches source OR destination port, so TCP sent from source port 8443 to the management addresses also passes this term. Use destination-port 8443 if only inbound J-Web is meant. */
term WEB {
from {
destination-address {
169.62.79.21/32;
10.87.40.36/32;
}
protocol tcp;
port 8443;
}
then accept;
}
/* Matches only on UDP source port 53, with no source-address, destination-address or destination-port, so any host sending from port 53 reaches any UDP port on the device. Presumably meant to let replies from the name-servers (10.0.80.11/12) back in; adding source-address for those resolvers would narrow it. */
term DNS {
from {
protocol udp;
source-port 53;
}
then accept;
}
}
}
/* Static routing: default route via the public next-hop 169.62.79.17; 166.9.0.0/16 and 161.26.0.0/16 (presumably IBM service ranges) and all of 10.0.0.0/8 via the private next-hop 10.87.40.1. */
routing-options {
static {
route 166.9.0.0/16 next-hop 10.87.40.1;
route 0.0.0.0/0 next-hop 169.62.79.17;
route 161.26.0.0/16 next-hop 10.87.40.1;
route 10.0.0.0/8 next-hop 10.87.40.1;
}
}
下表说明了上面配置中的网络接口定义:
接口名称 | 接口功能 | 冗余接口 |
---|---|---|
ge-0/0/1 / ge-0/0/2 | 节点 0 上 SL-PRIVATE 传输 VLAN 的千兆以太网接口 | reth0 |
ge-0/0/3 / ge-0/0/4 | 节点 0 上的 SL-PUBLIC 传输 VLAN 的千兆以太网接口 | reth1 |
ge-0/0/5 / ge-0/0/6 | 节点 0 上客户专用 VLAN 的千兆以太网接口 | reth2 |
ge-0/0/7 / ge-0/0/8 | 节点 0 上客户公用 VLAN 的千兆以太网接口 | reth3 |
ge-7/0/1 / ge-7/0/2 | 节点 1 上 SL-PRIVATE 传输 VLAN 的千兆以太网接口 | reth0 |
ge-7/0/3 / ge-7/0/4 | 节点 1 上的 SL-PUBLIC 传输 VLAN 的千兆以太网接口 | reth1 |
ge-7/0/5 / ge-7/0/6 | 节点 1 上客户专用 VLAN 的千兆以太网接口 | reth2 |
ge-7/0/7 / ge-7/0/8 | 节点 1 上客户公用 VLAN 的千兆以太网接口 | reth3 |
fab0 | 机箱集群 fabric (结构) 链路,使用 ge-0/0/0 和 ge-0/0/9 | |
fab1 | 机箱集群 fabric (结构) 链路,使用 ge-7/0/0 和 ge-7/0/9 | |
fxp0 | 管理接口 | |
lo0 | 回送接口 |
接口配置
这些配置的旧体系结构利用了 Ubuntu 主机管理程序上的 Linux 桥接。此后,IBM 已将其网关转换为新体系结构,以利用主机上的 SR-IOV。这导致 vSRX 配置中的接口映射在许多情况下发生了更改。接口配置中的差异还取决于 vSRX 的以下属性:
- 10G 或 1G
- 独立或高可用性
- 公用和专用,或者仅专用
- vSRX 版本
- 所有基于 15.1 的 vSRX 都使用旧体系结构
- 一些基于 18.4 的 vSRX 也使用旧体系结构
以下部分中详细描述了旧体系结构和当前体系结构。
vSRX 高可用性接口 (当前体系结构)
接口 | 10G 公用 + 专用 | 10G 仅专用 | 1G 公用 + 专用 | 1G 仅专用 |
---|---|---|---|---|
ge-0/0/0 | fab0 | fab0 | fab0 | fab0 |
ge-0/0/1 | reth0 | reth0 | reth0 | reth0 |
ge-0/0/2 | reth0 | reth0 | reth0 | reth0 |
ge-0/0/3 | reth1 | reth2 | reth1 | reth2 |
ge-0/0/4 | reth1 | reth2 | reth1 | reth2 |
ge-0/0/5 | reth2 | fab0 | reth2 | fab0 |
ge-0/0/6 | reth2 | 不存在 | reth2 | 不存在 |
ge-0/0/7 | reth3 | 不存在 | reth3 | 不存在 |
ge-0/0/8 | reth3 | 不存在 | reth3 | 不存在 |
ge-0/0/9 | fab0 | 不存在 | fab0 | 不存在 |
ge-7/0/0 | fab1 | fab1 | fab1 | fab1 |
ge-7/0/1 | reth0 | reth0 | reth0 | reth0 |
ge-7/0/2 | reth0 | reth0 | reth0 | reth0 |
ge-7/0/3 | reth1 | reth2 | reth1 | reth2 |
ge-7/0/4 | reth1 | reth2 | reth1 | reth2 |
ge-7/0/5 | reth2 | fab1 | reth2 | fab1 |
ge-7/0/6 | reth2 | 不存在 | reth2 | 不存在 |
ge-7/0/7 | reth3 | 不存在 | reth3 | 不存在 |
ge-7/0/8 | reth3 | 不存在 | reth3 | 不存在 |
ge-7/0/9 | fab1 | 不存在 | fab1 | 不存在 |
vSRX 独立接口 (当前体系结构)
接口 | 10G 公用 + 专用 | 10G 仅专用 | 1G 公用 + 专用 | 1G 仅专用 |
---|---|---|---|---|
ge-0/0/0 | ae0 | ae0 | ae0 | ae0 |
ge-0/0/1 | ae1 | ae0 | ae1 | ae0 |
ge-0/0/2 | ae0 | 不存在 | ae0 | 不存在 |
ge-0/0/3 | ae1 | 不存在 | ae1 | 不存在 |
vSRX 高可用性接口 (旧体系结构)
接口 | 10G 公用 + 专用 | 10G 仅专用 | 1G 公用 + 专用 | 1G 仅专用 |
---|---|---|---|---|
ge-0/0/0 | fab0 | fab0 | fab0 | fab0 |
ge-0/0/1 | reth0 | reth0 | reth0 | reth0 |
ge-0/0/2 | reth0 | reth0 | reth2 | reth2 |
ge-0/0/3 | reth1 | reth2 | reth1 | 未用 |
ge-0/0/4 | reth1 | reth2 | reth3 | 未用 |
ge-0/0/5 | reth2 | 未用 | 不存在 | 不存在 |
ge-0/0/6 | reth2 | 未用 | 不存在 | 不存在 |
ge-0/0/7 | reth3 | 未用 | 不存在 | 不存在 |
ge-0/0/8 | reth3 | 未用 | 不存在 | 不存在 |
ge-7/0/0 | fab1 | fab1 | fab1 | fab1 |
ge-7/0/1 | reth0 | reth0 | reth0 | reth0 |
ge-7/0/2 | reth0 | reth0 | reth2 | reth2 |
ge-7/0/3 | reth1 | reth2 | reth1 | 未用 |
ge-7/0/4 | reth1 | reth2 | reth3 | 未用 |
ge-7/0/5 | reth2 | 未用 | 不存在 | 不存在 |
ge-7/0/6 | reth2 | 未用 | 不存在 | 不存在 |
ge-7/0/7 | reth3 | 未用 | 不存在 | 不存在 |
ge-7/0/8 | reth3 | 未用 | 不存在 | 不存在 |
vSRX 独立接口 (旧体系结构)
接口 | 10G 公用 + 专用 | 10G 仅专用 | 1G 公用 + 专用 | 1G 仅专用 |
---|---|---|---|---|
ge-0/0/0 | ae0 | ae0 | ge-0/0/0 | ge-0/0/0 |
ge-0/0/1 | ae1 | ae0 | ge-0/0/1 | 不存在 |
ge-0/0/2 | ae0 | 不存在 | 不存在 | 不存在 |
ge-0/0/3 | ae1 | 不存在 | 不存在 | 不存在 |