Configure a WAN Link with LTE Backup in Active/Active Mode for the Internet
This example shows how to configure a WAN link with LTE backup in an active/active configuration on SRX300 line devices or the SRX550M.
Requirements
This example uses the following hardware and software components:
An SRX300 Series device (SRX320, SRX340, SRX345, SRX380) or SRX550M
An LTE Mini-PIM for the SRX300 Series
A SIM card with a data-services subscription
Junos OS 19.4R1 or later
We tested this configuration on an SRX320 device running Junos OS 19.4R1.
Overview
In this example, we configure an SRX320 at a branch office to provide wired and wireless Internet and intranet access to on-site employees. We also provide wireless Internet access to guest devices. Primary link connectivity is provided by MPLS. Broadband Internet access is over Ethernet, and backup connectivity is over an LTE network. The two links are configured in active/active mode; no traffic is routed through the LTE modem unless both the primary and the secondary link are down.
We use the topology shown in Figure 1 for this example.
![Branch Office with Redundant Internet Connectivity Example](/documentation/us/en/software/nce/nce-210-wan-link-with-lte-active-active-mode/images/g301122.png)
In the topology:
The LTE Mini-PIM is installed in slot 1 of the SRX Series device.
The SIM card is installed in slot 1 of the LTE Mini-PIM.
The primary MPLS link is connected to interface ge-0/0/6.
The broadband Internet link is connected to interface ge-0/0/7.
Interface cl-1/0/0 identifies the Mini-PIM modem.
The link over the cellular network terminates on interface dl0.0.
The wired ports ge-0/0/6 and ge-0/0/7 receive their IP address, netmask, and default gateway through DHCP.
The LTE interfaces (cl-1/0/0 and dl0.0) receive their IP address, netmask, and default gateway from the cellular service provider.
In this example, we use two security zones, untrust and trust, configured on the SRX320 device. Separating the interfaces into security zones keeps the traffic separated and mitigates the risks to which the corporate intranet is exposed. Security zones also give you a clear and simplified implementation of security policies. The untrust zone hosts the interfaces that have Internet access. The internal interfaces of the corporate intranet are in the trust zone. See Figure 2 and Table 1 to understand the interfaces, the security zones, and the security policy configuration.
Figure 2 shows the interfaces in each security zone.
![Security Zones](/documentation/us/en/software/nce/nce-210-wan-link-with-lte-active-active-mode/images/g301039.png)
Table 1 shows the desired behavior of the security policies for traffic between the zones.

| From Zone | To Zone | Security policy behavior for allowing traffic |
|---|---|---|
| Trust | Trust | Yes |
| Untrust | Untrust | No |
| Trust | Untrust | Yes |
| Untrust | Trust | Trust-initiated only. Allow traffic initiated in the trust zone and its return traffic. |
Table 2 summarizes the VLAN and IP address information for the interfaces.

| Interface | VLAN | IP Address | Netmask |
|---|---|---|---|
| dl0.0 | - | DHCP | - |
| ge-0/0/6 | | DHCP | 255.255.255.0 |
| ge-0/0/7 | - | DHCP | - |
| irb.0 | 3 | 192.168.1.1 | 255.255.255.0 |
Let us consider the applications in Table 3. For illustration, we assume that Office365, Salesforce, and Zoom are business-critical, so we route them predominantly over the MPLS link. We also prioritize these applications on the LTE link. The remaining applications use the broadband Internet link. We reserve the LTE backup link for business-critical applications only. As a result, non-critical applications are unreachable when the LTE connection is the only connection available.

| Application | Primary Link | Secondary Link | Critical application? |
|---|---|---|---|
| Office365 | MPLS | Broadband Internet | Yes |
| Salesforce | MPLS | Broadband Internet | Yes |
| Zoom | MPLS | Broadband Internet | Yes |
| Slack | Broadband Internet | MPLS | No |
| Gotomeeting | Broadband Internet | MPLS | No |
| Dropbox | Broadband Internet | MPLS | No |
| Skype | Broadband Internet | MPLS | No |
| Youtube | Broadband Internet | MPLS | No |
Configuration
Procedure
Step-by-Step Procedure
The steps in this configuration example are built up logically from the lower layers to the upper layers.
Define the access point name (APN) for the SIM in the modem (LTE-MPIM).

```
user@host> request modem wireless create-profile profile-id 10 access-point-name broadband cl-1/0/0 slot 1
```

Create a common VLAN for the LAN segment of the network. In this example, we use VLAN ID 3 and call it vlan-trust.

```
user@host# set vlans vlan-trust vlan-id 3
user@host# set vlans vlan-trust l3-interface irb.0
```

Define the AppQoS rules and the application match criteria.

```
set class-of-service application-traffic-control rule-sets critical_app_rs rule 1 match application-any
set class-of-service application-traffic-control rule-sets critical_app_rs rule 1 then log
```
Create a security policy to allow traffic between the trust zone and the untrust zone. Make sure you include the desired network segments and applications in the policy.

```
set security policies from-zone trust to-zone untrust policy allow-in-zone match source-address 192.168.1.0/24
set security policies from-zone trust to-zone untrust policy allow-in-zone match destination-address any
set security policies from-zone trust to-zone untrust policy allow-in-zone match application any
set security policies from-zone trust to-zone untrust policy allow-in-zone then permit application-services application-traffic-control rule-set critical_app_rs
```
Create a security policy to allow traffic between devices in the trust zone. Make sure you include the desired network segments and applications in the policy.

```
set security policies from-zone trust to-zone trust policy allow-in-zone match source-address 192.168.1.0/24
set security policies from-zone trust to-zone trust policy allow-in-zone match destination-address 192.168.1.0/24
set security policies from-zone trust to-zone trust policy allow-in-zone match application any
set security policies from-zone trust to-zone trust policy allow-in-zone then permit
```
Create a dedicated DHCP server group for the devices connected on the LAN segment.

```
set system services dhcp-local-server group jdhcp-group interface irb.0
```
Create a pool of IP addresses to assign to devices on the LAN segment. For this IP address pool, specify the lowest and highest IP address, the IP addresses of the DNS servers, and the IP address of the default gateway (the irb.0 interface). The default gateway is normally the irb.0 interface.

```
set access address-assignment pool junosDHCPPool family inet network 192.168.1.0/24
set access address-assignment pool junosDHCPPool family inet range junosRange low 192.168.1.10
set access address-assignment pool junosDHCPPool family inet range junosRange high 192.168.1.240
set access address-assignment pool junosDHCPPool family inet dhcp-attributes name-server 8.8.8.8
set access address-assignment pool junosDHCPPool family inet dhcp-attributes name-server 1.1.1.1
set access address-assignment pool junosDHCPPool family inet dhcp-attributes propagate-settings ge-0/0/7
set access address-assignment pool junosDHCPPool family inet dhcp-attributes router 192.168.1.1
```
Create source NAT so that devices in the trust zone are translated to the address of the external interface.

```
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 192.168.1.0/24
set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface
```
Configure the interface for the primary Internet link. Set the interface to obtain its configuration through DHCP.

```
set interfaces ge-0/0/7 unit 0 description "WAN Interface 1 - Primary"
set interfaces ge-0/0/7 unit 0 family inet dhcp vendor-id Juniper-srx320
```
Configure the LTE-MPIM interface. Make sure the SIM slot that holds the SIM card is set as active.

```
set interfaces cl-1/0/0 description "WAN Interfaces 2 - Backup"
set interfaces cl-1/0/0 dialer-options pool 1 priority 100
set interfaces cl-1/0/0 act-sim 1
set interfaces cl-1/0/0 cellular-options sim 1 radio-access automatic
```
Configure the dialer interface.

```
set interfaces dl0 unit 0 family inet negotiate-address
set interfaces dl0 unit 0 family inet6 negotiate-address
set interfaces dl0 unit 0 dialer-options pool 1
set interfaces dl0 unit 0 dialer-options dial-string "*99#"
```
Configure the LAN interfaces ge-0/0/0, ge-0/0/1, and the other interfaces as switching interfaces in the trust VLAN. The trust VLAN effectively adds the interfaces to the trust zone. We show the configuration for a single interface. Repeat the same steps to configure all the LAN segment interfaces.

```
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members vlan-trust
```
Allow the required protocols in the trust zone. This step ensures the proper operation of the LAN segment of the network.

```
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces irb.0
```
Allow the required protocols in the untrust zone.

```
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust interfaces ge-0/0/7.0 host-inbound-traffic system-services dhcp
set security zones security-zone untrust interfaces ge-0/0/7.0 host-inbound-traffic system-services tftp
set security zones security-zone untrust interfaces ge-0/0/7.0 host-inbound-traffic system-services netconf
set security zones security-zone untrust interfaces ge-0/0/6.0 host-inbound-traffic system-services dhcp
set security zones security-zone untrust interfaces ge-0/0/6.0 host-inbound-traffic system-services tftp
set security zones security-zone untrust interfaces ge-0/0/6.0 host-inbound-traffic system-services netconf
set security zones security-zone untrust interfaces dl0.0 host-inbound-traffic system-services tftp
```
Create real-time performance monitoring (RPM) probes for each application and each link listed in Table 3.
In this step, we configure a probe of type icmp-ping for the Office365 application. Office365 uses the MPLS link. This test probes connectivity to the IP address 40.97.223.114, which is used by Office365. The probe test runs 5 times, 6 seconds apart. The thresholds that must not be breached are 5 successive lost probes and/or a round-trip time (RTT) of 300000 microseconds. The gateway IP address on the ge-0/0/6 interface is 192.168.220.1.

```
set services rpm probe office365_rpm_primary test office365_test_primary probe-type icmp-ping
set services rpm probe office365_rpm_primary test office365_test_primary target address 40.97.223.114
set services rpm probe office365_rpm_primary test office365_test_primary probe-count 5
set services rpm probe office365_rpm_primary test office365_test_primary probe-interval 6
set services rpm probe office365_rpm_primary test office365_test_primary thresholds successive-loss 5
set services rpm probe office365_rpm_primary test office365_test_primary rtt 300000
set services rpm probe office365_rpm_primary test office365_test_primary destination-interface ge-0/0/6.0
set services rpm probe office365_rpm_primary test office365_test_primary next-hop 192.168.220.1
```
Create the second probe for the same application. Make sure you use the details of the secondary interface for this application. The default gateway IP address on the broadband Internet link is 10.10.10.1.

```
set services rpm probe office365_rpm_secondary test office365_test_secondary probe-type icmp-ping
set services rpm probe office365_rpm_secondary test office365_test_secondary target address 40.97.223.114
set services rpm probe office365_rpm_secondary test office365_test_secondary probe-count 5
set services rpm probe office365_rpm_secondary test office365_test_secondary probe-interval 6
set services rpm probe office365_rpm_secondary test office365_test_secondary thresholds successive-loss 5
set services rpm probe office365_rpm_secondary test office365_test_secondary rtt 300000
set services rpm probe office365_rpm_secondary test office365_test_secondary destination-interface ge-0/0/7.0
set services rpm probe office365_rpm_secondary test office365_test_secondary next-hop 10.10.10.1
```
Create two probes for the Skype application.
In this step, we set a shorter probe interval of 1 second and a shorter RTT of 60000 microseconds. This configuration reflects the higher link guarantees for the application. Note that the primary probe interface is ge-0/0/7 and the IP address being probed differs from the one used for Office365. The IP addresses used in this step are the target addresses we use for our probes; that is, each target address belongs to the application for which we create the probe.

```
set services rpm probe skype_rpm_primary test skype_test_primary probe-type icmp-ping
set services rpm probe skype_rpm_primary test skype_test_primary target address 13.107.8.2
set services rpm probe skype_rpm_primary test skype_test_primary probe-count 5
set services rpm probe skype_rpm_primary test skype_test_primary probe-interval 1
set services rpm probe skype_rpm_primary test skype_test_primary thresholds successive-loss 5
set services rpm probe skype_rpm_primary test skype_test_primary rtt 60000
set services rpm probe skype_rpm_primary test skype_test_primary destination-interface ge-0/0/7.0
set services rpm probe skype_rpm_primary test skype_test_primary next-hop 10.10.10.1
set services rpm probe skype_rpm_secondary test skype_test_secondary probe-type icmp-ping
set services rpm probe skype_rpm_secondary test skype_test_secondary target address 13.107.8.2
set services rpm probe skype_rpm_secondary test skype_test_secondary probe-count 5
set services rpm probe skype_rpm_secondary test skype_test_secondary probe-interval 1
set services rpm probe skype_rpm_secondary test skype_test_secondary thresholds successive-loss 5
set services rpm probe skype_rpm_secondary test skype_test_secondary rtt 60000
set services rpm probe skype_rpm_secondary test skype_test_secondary destination-interface ge-0/0/6.0
set services rpm probe skype_rpm_secondary test skype_test_secondary next-hop 192.168.220.1
```
Configure the probes for the remaining applications using the same pattern.

```
set services rpm probe salesforce_rpm_primary test salesforce_test_primary probe-type icmp-ping
set services rpm probe salesforce_rpm_primary test salesforce_test_primary target address 96.43.144.26
set services rpm probe salesforce_rpm_primary test salesforce_test_primary probe-count 5
set services rpm probe salesforce_rpm_primary test salesforce_test_primary probe-interval 6
set services rpm probe salesforce_rpm_primary test salesforce_test_primary thresholds successive-loss 5
set services rpm probe salesforce_rpm_primary test salesforce_test_primary rtt 300000
set services rpm probe salesforce_rpm_primary test salesforce_test_primary destination-interface ge-0/0/6.0
set services rpm probe salesforce_rpm_primary test salesforce_test_primary next-hop 192.168.220.1
set services rpm probe salesforce_rpm_secondary test salesforce_test_secondary probe-type icmp-ping
set services rpm probe salesforce_rpm_secondary test salesforce_test_secondary target address 96.43.144.26
set services rpm probe salesforce_rpm_secondary test salesforce_test_secondary probe-count 5
set services rpm probe salesforce_rpm_secondary test salesforce_test_secondary probe-interval 6
set services rpm probe salesforce_rpm_secondary test salesforce_test_secondary thresholds successive-loss 5
set services rpm probe salesforce_rpm_secondary test salesforce_test_secondary rtt 300000
set services rpm probe salesforce_rpm_secondary test salesforce_test_secondary destination-interface ge-0/0/7.0
set services rpm probe salesforce_rpm_secondary test salesforce_test_secondary next-hop 10.10.10.1
set services rpm probe dropbox_rpm_primary test dropbox_test_primary probe-type icmp-ping
set services rpm probe dropbox_rpm_primary test dropbox_test_primary target address 162.125.248.1
set services rpm probe dropbox_rpm_primary test dropbox_test_primary probe-count 5
set services rpm probe dropbox_rpm_primary test dropbox_test_primary probe-interval 1
set services rpm probe dropbox_rpm_primary test dropbox_test_primary thresholds successive-loss 5
set services rpm probe dropbox_rpm_primary test dropbox_test_primary rtt 200000
set services rpm probe dropbox_rpm_primary test dropbox_test_primary destination-interface ge-0/0/7.0
set services rpm probe dropbox_rpm_primary test dropbox_test_primary next-hop 10.10.10.1
set services rpm probe dropbox_rpm_secondary test dropbox_test_secondary probe-type icmp-ping
set services rpm probe dropbox_rpm_secondary test dropbox_test_secondary target address 162.125.248.1
set services rpm probe dropbox_rpm_secondary test dropbox_test_secondary probe-count 5
set services rpm probe dropbox_rpm_secondary test dropbox_test_secondary probe-interval 1
set services rpm probe dropbox_rpm_secondary test dropbox_test_secondary thresholds successive-loss 5
set services rpm probe dropbox_rpm_secondary test dropbox_test_secondary rtt 200000
set services rpm probe dropbox_rpm_secondary test dropbox_test_secondary destination-interface ge-0/0/6.0
set services rpm probe dropbox_rpm_secondary test dropbox_test_secondary next-hop 192.168.220.1
set services rpm probe zoom_rpm_primary test zoom_test_primary probe-type icmp-ping
set services rpm probe zoom_rpm_primary test zoom_test_primary target address 3.80.20.128
set services rpm probe zoom_rpm_primary test zoom_test_primary probe-count 5
set services rpm probe zoom_rpm_primary test zoom_test_primary probe-interval 1
set services rpm probe zoom_rpm_primary test zoom_test_primary thresholds successive-loss 5
set services rpm probe zoom_rpm_primary test zoom_test_primary rtt 60000
set services rpm probe zoom_rpm_primary test zoom_test_primary destination-interface ge-0/0/6.0
set services rpm probe zoom_rpm_primary test zoom_test_primary next-hop 192.168.220.1
set services rpm probe zoom_rpm_secondary test zoom_test_secondary probe-type icmp-ping
set services rpm probe zoom_rpm_secondary test zoom_test_secondary target address 3.80.20.128
set services rpm probe zoom_rpm_secondary test zoom_test_secondary probe-count 5
set services rpm probe zoom_rpm_secondary test zoom_test_secondary probe-interval 1
set services rpm probe zoom_rpm_secondary test zoom_test_secondary thresholds successive-loss 5
set services rpm probe zoom_rpm_secondary test zoom_test_secondary rtt 60000
set services rpm probe zoom_rpm_secondary test zoom_test_secondary destination-interface ge-0/0/7.0
set services rpm probe zoom_rpm_secondary test zoom_test_secondary next-hop 10.10.10.1
set services rpm probe gotomeeting_rpm_primary test gotomeeting_test_primary probe-type icmp-ping
set services rpm probe gotomeeting_rpm_primary test gotomeeting_test_primary target address 216.115.208.241
set services rpm probe gotomeeting_rpm_primary test gotomeeting_test_primary probe-count 5
set services rpm probe gotomeeting_rpm_primary test gotomeeting_test_primary probe-interval 1
set services rpm probe gotomeeting_rpm_primary test gotomeeting_test_primary thresholds successive-loss 5
set services rpm probe gotomeeting_rpm_primary test gotomeeting_test_primary rtt 60000
set services rpm probe gotomeeting_rpm_primary test gotomeeting_test_primary destination-interface ge-0/0/7.0
set services rpm probe gotomeeting_rpm_primary test gotomeeting_test_primary next-hop 10.10.10.1
set services rpm probe gotomeeting_rpm_secondary test gotomeeting_test_secondary probe-type icmp-ping
set services rpm probe gotomeeting_rpm_secondary test gotomeeting_test_secondary target address 216.115.208.241
set services rpm probe gotomeeting_rpm_secondary test gotomeeting_test_secondary probe-count 5
set services rpm probe gotomeeting_rpm_secondary test gotomeeting_test_secondary probe-interval 1
set services rpm probe gotomeeting_rpm_secondary test gotomeeting_test_secondary thresholds successive-loss 5
set services rpm probe gotomeeting_rpm_secondary test gotomeeting_test_secondary rtt 60000
set services rpm probe gotomeeting_rpm_secondary test gotomeeting_test_secondary destination-interface ge-0/0/6.0
set services rpm probe gotomeeting_rpm_secondary test gotomeeting_test_secondary next-hop 192.168.220.1
set services rpm probe youtube_rpm_primary test youtube_test_primary probe-type http-get
set services rpm probe youtube_rpm_primary test youtube_test_primary target url https://youtube.com
set services rpm probe youtube_rpm_primary test youtube_test_primary probe-count 5
set services rpm probe youtube_rpm_primary test youtube_test_primary probe-interval 10
set services rpm probe youtube_rpm_primary test youtube_test_primary thresholds successive-loss 5
set services rpm probe youtube_rpm_primary test youtube_test_primary rtt 150000
set services rpm probe youtube_rpm_primary test youtube_test_primary destination-interface ge-0/0/7.0
set services rpm probe youtube_rpm_primary test youtube_test_primary next-hop 10.10.10.1
set services rpm probe youtube_rpm_secondary test youtube_test_secondary probe-type http-get
set services rpm probe youtube_rpm_secondary test youtube_test_secondary target url https://youtube.com
set services rpm probe youtube_rpm_secondary test youtube_test_secondary probe-count 5
set services rpm probe youtube_rpm_secondary test youtube_test_secondary probe-interval 10
set services rpm probe youtube_rpm_secondary test youtube_test_secondary thresholds successive-loss 5
set services rpm probe youtube_rpm_secondary test youtube_test_secondary rtt 150000
set services rpm probe youtube_rpm_secondary test youtube_test_secondary destination-interface ge-0/0/6.0
set services rpm probe youtube_rpm_secondary test youtube_test_secondary next-hop 192.168.220.1
set services rpm probe slack_rpm_primary test slack_test_primary probe-type icmp-ping
set services rpm probe slack_rpm_primary test slack_test_primary target address 216.115.208.241
set services rpm probe slack_rpm_primary test slack_test_primary probe-count 5
set services rpm probe slack_rpm_primary test slack_test_primary probe-interval 1
set services rpm probe slack_rpm_primary test slack_test_primary thresholds successive-loss 5
set services rpm probe slack_rpm_primary test slack_test_primary rtt 60000
set services rpm probe slack_rpm_primary test slack_test_primary destination-interface ge-0/0/7.0
set services rpm probe slack_rpm_primary test slack_test_primary next-hop 10.10.10.1
set services rpm probe slack_rpm_secondary test slack_test_secondary probe-type icmp-ping
set services rpm probe slack_rpm_secondary test slack_test_secondary target address 216.115.208.241
set services rpm probe slack_rpm_secondary test slack_test_secondary probe-count 5
set services rpm probe slack_rpm_secondary test slack_test_secondary probe-interval 1
set services rpm probe slack_rpm_secondary test slack_test_secondary thresholds successive-loss 5
set services rpm probe slack_rpm_secondary test slack_test_secondary rtt 60000
set services rpm probe slack_rpm_secondary test slack_test_secondary destination-interface ge-0/0/6.0
set services rpm probe slack_rpm_secondary test slack_test_secondary next-hop 192.168.220.1
```
Create a routing instance for each application. Make sure that the route over the primary link for that application has a lower preference value than the routes over the other links. The lower preference value makes the route more preferred. Make sure that the business-critical applications use the LTE backup interface.
In this step, we configure the routing instance for the Office365 application. The primary link is the MPLS link. Setting a preference value of 10 for the gateway of this link makes it the most preferred route. The preference value of 20 for the gateway of the broadband Internet link makes it the second-best option. The LTE backup link has a preference value of 30 and is the least preferred option.

```
set routing-instances office365_RInstance instance-type forwarding
set routing-instances office365_RInstance routing-options static route 0/0 qualified-next-hop 192.168.220.1 preference 10
set routing-instances office365_RInstance routing-options static route 0/0 qualified-next-hop 10.10.10.1 preference 20
set routing-instances office365_RInstance routing-options static route 0/0 qualified-next-hop dl0.0
set routing-instances office365_RInstance routing-options static route 0/0 preference 30
```
Configure the routing instances for the remaining applications using the same pattern as in the previous step.

```
set routing-instances skype_RInstance instance-type forwarding
set routing-instances skype_RInstance routing-options static route 0/0 qualified-next-hop 10.10.10.1 preference 10
set routing-instances skype_RInstance routing-options static route 0/0 qualified-next-hop 192.168.220.1 preference 20
set routing-instances salesforce_RInstance instance-type forwarding
set routing-instances salesforce_RInstance routing-options static route 0/0 qualified-next-hop 192.168.220.1 preference 10
set routing-instances salesforce_RInstance routing-options static route 0/0 qualified-next-hop 10.10.10.1 preference 20
set routing-instances salesforce_RInstance routing-options static route 0/0 qualified-next-hop dl0.0 preference 30
set routing-instances dropbox_RInstance instance-type forwarding
set routing-instances dropbox_RInstance routing-options static route 0/0 qualified-next-hop 10.10.10.1 preference 10
set routing-instances dropbox_RInstance routing-options static route 0/0 qualified-next-hop 192.168.220.1 preference 20
set routing-instances slack_RInstance instance-type forwarding
set routing-instances slack_RInstance routing-options static route 0/0 qualified-next-hop 10.10.10.1 preference 10
set routing-instances slack_RInstance routing-options static route 0/0 qualified-next-hop 192.168.220.1 preference 20
set routing-instances zoom_RInstance instance-type forwarding
set routing-instances zoom_RInstance routing-options static route 0/0 qualified-next-hop 192.168.220.1 preference 10
set routing-instances zoom_RInstance routing-options static route 0/0 qualified-next-hop 10.10.10.1 preference 20
set routing-instances zoom_RInstance routing-options static route 0/0 qualified-next-hop dl0.0 preference 30
set routing-instances gotomeeting_RInstance instance-type forwarding
set routing-instances gotomeeting_RInstance routing-options static route 0/0 qualified-next-hop 10.10.10.1 preference 10
set routing-instances gotomeeting_RInstance routing-options static route 0/0 qualified-next-hop 192.168.220.1 preference 20
set routing-instances youtube_RInstance instance-type forwarding
set routing-instances youtube_RInstance routing-options static route 0/0 qualified-next-hop 10.10.10.1 preference 10
set routing-instances youtube_RInstance routing-options static route 0/0 qualified-next-hop 192.168.220.1 preference 20
```
Configure IP-monitoring policies for all applications. The purpose of the policies is to change the metric of the routes created in the routing instances in the previous step. The policies are created per probe.
In this step, we create an IP-monitoring policy for the Office365 application. We configured two probes, so we create two policies, one for each probe. When the probed link deviates from the permitted thresholds, the policy changes the route preference to redirect the application traffic over the other link. The policy lowers the metric of the second-best link to 2.
Example: when the probe detects that the primary link (MPLS) for Office365 does not meet the RTT and packet-loss requirements, the policy gives the gateway of the broadband Internet link a metric of 2. Note that the policy changes the metric of the second-best route.

```
set services ip-monitoring policy office365_ipm_primary match rpm-probe office365_rpm_primary
set services ip-monitoring policy office365_ipm_primary then preferred-route routing-instances office365_RInstance route 0/0 next-hop 10.10.10.1
set services ip-monitoring policy office365_ipm_primary then preferred-route routing-instances office365_RInstance route 0/0 preferred-metric 2
```
Configure the IP-monitoring policy for the secondary probe for Office365. The next-hop address is the PRIMARY MPLS link.

```
set services ip-monitoring policy office365_ipm_secondary match rpm-probe office365_rpm_secondary
set services ip-monitoring policy office365_ipm_secondary then preferred-route routing-instances office365_RInstance route 0/0 next-hop 192.168.220.1
set services ip-monitoring policy office365_ipm_secondary then preferred-route routing-instances office365_RInstance route 0/0 preferred-metric 2
```
Configure the IP-monitoring policies for the remaining applications following the same pattern as in the two previous steps.

```
set services ip-monitoring policy skype_ipm_primary match rpm-probe skype_rpm_primary
set services ip-monitoring policy skype_ipm_primary then preferred-route routing-instances skype_RInstance route 0/0 next-hop 192.168.220.1
set services ip-monitoring policy skype_ipm_primary then preferred-route routing-instances skype_RInstance route 0/0 preferred-metric 2
set services ip-monitoring policy skype_ipm_secondary match rpm-probe skype_rpm_secondary
set services ip-monitoring policy skype_ipm_secondary then preferred-route routing-instances skype_RInstance route 0/0 next-hop 10.10.10.1
set services ip-monitoring policy skype_ipm_secondary then preferred-route routing-instances skype_RInstance route 0/0 preferred-metric 2
set services ip-monitoring policy salesforce_ipm_primary match rpm-probe salesforce_rpm_primary
set services ip-monitoring policy salesforce_ipm_primary then preferred-route routing-instances salesforce_RInstance route 0/0 next-hop 10.10.10.1
set services ip-monitoring policy salesforce_ipm_primary then preferred-route routing-instances salesforce_RInstance route 0/0 preferred-metric 2
set services ip-monitoring policy salesforce_ipm_secondary match rpm-probe salesforce_rpm_secondary
set services ip-monitoring policy salesforce_ipm_secondary then preferred-route routing-instances salesforce_RInstance route 0/0 next-hop 192.168.220.1
set services ip-monitoring policy salesforce_ipm_secondary then preferred-route routing-instances salesforce_RInstance route 0/0 preferred-metric 2
set services ip-monitoring policy dropbox_ipm_primary match rpm-probe dropbox_rpm_primary
set services ip-monitoring policy dropbox_ipm_primary then preferred-route routing-instances dropbox_RInstance route 0/0 next-hop 192.168.220.1
set services ip-monitoring policy dropbox_ipm_primary then preferred-route routing-instances dropbox_RInstance route 0/0 preferred-metric 2
set services ip-monitoring policy dropbox_ipm_secondary match rpm-probe dropbox_rpm_secondary
set services ip-monitoring policy dropbox_ipm_secondary then preferred-route routing-instances dropbox_RInstance route 0/0 next-hop 10.10.10.1
set services ip-monitoring policy dropbox_ipm_secondary then preferred-route routing-instances dropbox_RInstance route 0/0 preferred-metric 2
set services ip-monitoring policy slack_ipm_primary match rpm-probe slack_rpm_primary
set services ip-monitoring policy slack_ipm_primary then preferred-route routing-instances slack_RInstance route 0/0 next-hop 192.168.220.1
set services ip-monitoring policy slack_ipm_primary then preferred-route routing-instances slack_RInstance route 0/0 preferred-metric 2
set services ip-monitoring policy slack_ipm_secondary match rpm-probe slack_rpm_secondary
set services ip-monitoring policy slack_ipm_secondary then preferred-route routing-instances slack_RInstance route 0/0 next-hop 10.10.10.1
set services ip-monitoring policy slack_ipm_secondary then preferred-route routing-instances slack_RInstance route 0/0 preferred-metric 2
set services ip-monitoring policy zoom_ipm_primary match rpm-probe zoom_rpm_primary
set services ip-monitoring policy zoom_ipm_primary then preferred-route routing-instances zoom_RInstance route 0/0 next-hop 10.10.10.1
set services ip-monitoring policy zoom_ipm_primary then preferred-route routing-instances zoom_RInstance route 0/0 preferred-metric 2
set services ip-monitoring policy zoom_ipm_secondary match rpm-probe zoom_rpm_secondary
set services ip-monitoring policy zoom_ipm_secondary then preferred-route routing-instances zoom_RInstance route 0/0 next-hop 192.168.220.1
set services ip-monitoring policy zoom_ipm_secondary then preferred-route routing-instances zoom_RInstance route 0/0 preferred-metric 2
set services ip-monitoring policy gotomeeting_ipm_primary match rpm-probe gotomeeting_rpm_primary
set services ip-monitoring policy gotomeeting_ipm_primary then preferred-route routing-instances gotomeeting_RInstance route 0/0 next-hop 192.168.220.1
set services ip-monitoring policy gotomeeting_ipm_primary then preferred-route routing-instances gotomeeting_RInstance route 0/0 preferred-metric 2
set services ip-monitoring policy gotomeeting_ipm_secondary match rpm-probe gotomeeting_rpm_secondary
set services ip-monitoring policy gotomeeting_ipm_secondary then preferred-route routing-instances gotomeeting_RInstance route 0/0 next-hop 10.10.10.1
set services ip-monitoring policy gotomeeting_ipm_secondary then preferred-route routing-instances gotomeeting_RInstance route 0/0 preferred-metric 2
set services ip-monitoring policy youtube_ipm_primary match rpm-probe youtube_rpm_primary
set services ip-monitoring policy youtube_ipm_primary then preferred-route routing-instances youtube_RInstance route 0/0 next-hop 192.168.220.1
set services ip-monitoring policy youtube_ipm_primary then preferred-route routing-instances youtube_RInstance route 0/0 preferred-metric 2
set services ip-monitoring policy youtube_ipm_secondary match rpm-probe youtube_rpm_secondary
set services ip-monitoring policy youtube_ipm_secondary then preferred-route routing-instances youtube_RInstance route 0/0 next-hop 10.10.10.1
set services ip-monitoring policy youtube_ipm_secondary then preferred-route routing-instances youtube_RInstance route 0/0 preferred-metric 2
```
Configure an advanced policy-based routing (APBR) profile that matches all eight applications in scope and redirects each application's traffic to its own routing instance. The profile is divided into rules; each rule covers one application and one routing instance.
In this step, the rule office365_rule matches all traffic for the application junos:OFFICE365-CREATE-CONVERSATION and redirects that traffic to the office365_RInstance routing instance. The remaining rules do the same for the other seven applications.
```
set security advance-policy-based-routing tunables max-route-change 0
set security advance-policy-based-routing profile apbr_profile rule office365_rule match dynamic-application junos:OFFICE365-CREATE-CONVERSATION
set security advance-policy-based-routing profile apbr_profile rule office365_rule then routing-instance office365_RInstance
set security advance-policy-based-routing profile apbr_profile rule skype_rule match dynamic-application junos:SKYPE
set security advance-policy-based-routing profile apbr_profile rule skype_rule then routing-instance skype_RInstance
set security advance-policy-based-routing profile apbr_profile rule salesforce_rule match dynamic-application junos:SALESFORCE
set security advance-policy-based-routing profile apbr_profile rule salesforce_rule then routing-instance salesforce_RInstance
set security advance-policy-based-routing profile apbr_profile rule dropbox_rule match dynamic-application junos:DROPBOX
set security advance-policy-based-routing profile apbr_profile rule dropbox_rule then routing-instance dropbox_RInstance
set security advance-policy-based-routing profile apbr_profile rule slack_rule match dynamic-application junos:SLACK
set security advance-policy-based-routing profile apbr_profile rule slack_rule then routing-instance slack_RInstance
set security advance-policy-based-routing profile apbr_profile rule zoom_rule match dynamic-application junos:ZOOM
set security advance-policy-based-routing profile apbr_profile rule zoom_rule then routing-instance zoom_RInstance
set security advance-policy-based-routing profile apbr_profile rule gotomeeting_rule match dynamic-application junos:GOTOMEETING
set security advance-policy-based-routing profile apbr_profile rule gotomeeting_rule then routing-instance gotomeeting_RInstance
set security advance-policy-based-routing profile apbr_profile rule youtube_rule match dynamic-application junos:YOUTUBE
set security advance-policy-based-routing profile apbr_profile rule youtube_rule then routing-instance youtube_RInstance
```
In this step we do not allow the path of a session to change mid-session, so that sessions already in progress are not disrupted when an application is identified later in the flow. This is achieved by setting the max-route-change parameter to 0.
Configure a routing table group (rib-group) that is independent of any routing protocol. inet.0 is listed first and is therefore the group's primary table; its interface routes are shared into the routing table of each dedicated instance, so that the per-application instances can resolve the next hops 192.168.220.1 and 10.10.10.1 on the wired WAN interfaces.
```
set routing-options interface-routes rib-group inet apbr_group
set routing-options rib-groups apbr_group import-rib inet.0
set routing-options rib-groups apbr_group import-rib office365_RInstance.inet.0
set routing-options rib-groups apbr_group import-rib skype_RInstance.inet.0
set routing-options rib-groups apbr_group import-rib salesforce_RInstance.inet.0
set routing-options rib-groups apbr_group import-rib dropbox_RInstance.inet.0
set routing-options rib-groups apbr_group import-rib slack_RInstance.inet.0
set routing-options rib-groups apbr_group import-rib zoom_RInstance.inet.0
set routing-options rib-groups apbr_group import-rib gotomeeting_RInstance.inet.0
set routing-options rib-groups apbr_group import-rib youtube_RInstance.inet.0
```
Attach the newly created apbr_profile profile to the trust security zone. This applies the profile to traffic entering the device from the trust zone, which is where the internal users' application traffic originates.
```
set security zones security-zone trust advance-policy-based-routing-profile apbr_profile
```
Commit the configuration.
```
commit
```
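The per-application statements above (RPM-driven ip-monitoring policies, APBR rules, rib-group) are eight near-identical copies of the same block, which is exactly where a wrong next hop or a mistyped identifier slips in. The following script is an added example, not Juniper's code or part of the original page: it generates the statements for the seven applications whose next hops appear in this section from one table and lints a hand-typed block for the slips the repetition invites. Application names, routing-instance names, dynamic-application names and the two next hops are taken from the page; the table layout, the function names and the lint rules are this example's own assumptions.

```python
"""Generate the per-application ip-monitoring, APBR and rib-group statements
from one table, and lint a hand-typed block for the slips the repetitive
config invites ('route 0/' instead of '0/0', 'junos: SKYPE', 'skype_ipm_ secondary').
Added example, not Juniper's code. Application names, routing-instance names,
dynamic-application names and next-hops are those on the page; the table
layout, the function names and the lint rules are this example's assumptions.
"""
import re

# Constructed table, values as on the page:
# app -> (dynamic application, primary next-hop, secondary next-hop)
APPS = {
    "skype":       ("junos:SKYPE",       "192.168.220.1", "10.10.10.1"),
    "salesforce":  ("junos:SALESFORCE",  "10.10.10.1",    "192.168.220.1"),
    "dropbox":     ("junos:DROPBOX",     "192.168.220.1", "10.10.10.1"),
    "slack":       ("junos:SLACK",       "192.168.220.1", "10.10.10.1"),
    "zoom":        ("junos:ZOOM",        "10.10.10.1",    "192.168.220.1"),
    "gotomeeting": ("junos:GOTOMEETING", "192.168.220.1", "10.10.10.1"),
    "youtube":     ("junos:YOUTUBE",     "192.168.220.1", "10.10.10.1"),
}
PROFILE = "apbr_profile"
RIB_GROUP = "apbr_group"


def ip_monitoring_lines(app, primary_nh, secondary_nh):
    """Six statements: for primary and secondary, match the app's RPM probe and,
    while the probe passes, hold a default route (metric 2) via that next hop
    in the app's own routing instance."""
    ri = f"{app}_RInstance"
    out = []
    for role, nh in (("primary", primary_nh), ("secondary", secondary_nh)):
        pol = f"set services ip-monitoring policy {app}_ipm_{role}"
        pref = f"{pol} then preferred-route routing-instances {ri} route 0/0"
        out += [f"{pol} match rpm-probe {app}_rpm_{role}",
                f"{pref} next-hop {nh}",
                f"{pref} preferred-metric 2"]
    return out


def apbr_lines(app, dynamic_app):
    """One APBR rule per app: match the identified application, send it to its instance."""
    rule = f"set security advance-policy-based-routing profile {PROFILE} rule {app}_rule"
    return [f"{rule} match dynamic-application {dynamic_app}",
            f"{rule} then routing-instance {app}_RInstance"]


def rib_group_lines(apps):
    """inet.0 is the first import-rib, so its interface routes are shared into
    every per-app instance table and the instances can resolve the WAN next hops."""
    out = [f"set routing-options interface-routes rib-group inet {RIB_GROUP}",
           f"set routing-options rib-groups {RIB_GROUP} import-rib inet.0"]
    out += [f"set routing-options rib-groups {RIB_GROUP} import-rib {app}_RInstance.inet.0"
            for app in apps]
    return out


def generate(apps=APPS):
    """Full statement list in the order the page applies it."""
    lines = ["set security advance-policy-based-routing tunables max-route-change 0"]
    for app, (dynamic_app, primary_nh, secondary_nh) in apps.items():
        if primary_nh == secondary_nh:
            raise ValueError(f"{app}: primary and secondary next-hop are the same, no failover")
        lines += ip_monitoring_lines(app, primary_nh, secondary_nh)
        lines += apbr_lines(app, dynamic_app)
    lines += rib_group_lines(apps)
    lines.append(f"set security zones security-zone trust advance-policy-based-routing-profile {PROFILE}")
    return lines


# Lint rules (this example's own): each catches a slip seen in hand-typed copies.
_LINT = [
    (re.compile(r"\S_ \S"), "space inside an identifier (e.g. 'skype_ipm_ secondary')"),
    (re.compile(r"junos: "), "space after 'junos:' breaks the dynamic-application name"),
    (re.compile(r" route 0/(?!0\b)"), "default route must be written 0/0"),
    (re.compile(r"^(?!set )"), "statement does not start with 'set '"),
]


def lint(lines):
    """Return (line number, problem) pairs for a list of 'set' statements."""
    return [(n, msg) for n, line in enumerate(lines, 1)
            for rx, msg in _LINT if rx.search(line)]


if __name__ == "__main__":
    print("\n".join(generate()))
```

Paste the printed statements into configuration mode, or run `lint()` over a block copied from a ticket before committing it; `generate()` refuses a table row whose primary and secondary next hop are identical, since such a row would silently leave that application without a failover path.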
Validation
To confirm that the configuration is working correctly, perform the following tasks:
- Verify that Junos OS detects the Mini-PIM module
- Verify the Mini-PIM firmware version
- Verify that the APBR rules are effective
Verify that Junos OS detects the Mini-PIM module
Purpose
Verify that Junos OS is detecting the Mini-PIM module.
Action
From operational mode:
```
user@host> show chassis hardware
Hardware inventory:
Item             Version  Part number  Serial number     Description
Chassis                                CX0916AF0004      SRX320-POE
Routing Engine   REV 0x05 650-065041   CX0916AF0004      RE-SRX320-POE
FPC 0                                                    FPC
  PIC 0                                                  6xGE,2xGE SFP Base PIC
FPC 1            REV 02   650-073958   AH06074206        FPC
  PIC 0                                                  LTE for AE
Power Supply 0
```
Meaning
The output lists the LTE for AE Mini-PIM as FPC 1, PIC 0, which matches slot 1 of the device, where the module is installed.
Verify the Mini-PIM firmware version
Purpose
Verify the Mini-PIM firmware version.
Action
From operational mode:
```
user@host> show system firmware
Part                     Type       Tag  Current    Available   Status
                                         version    version
FPC 1 PIC 0              MLTE_FW    1    17.1.80    0           OK
Routing Engine 0         RE BIOS    0    3.0        3.6         OK
Routing Engine 0         RE BIOS Backup 1 3.0       3.6         OK
```
Meaning
The output shows the Mini-PIM firmware version as 17.1.80. Upgrade the firmware if necessary. See Upgrading the Firmware on the LTE Mini-Physical Interface Module.
Verify that the APBR rules are effective
Purpose
Verify how traffic is handled after the APBR rules are applied.
Action
From operational mode:
```
user@host> show security advance-policy-based-routing statistics
Advance Profile Based Routing statistics:
    Sessions Processed                        5611
    App rule hit on cache hit                 1
    App rule hit on HTTP Proxy/ALG            0
    Midstream disabled rule hit on cache hit  0
    URL cat rule hit on cache hit             0
    DSCP rule hit on first packet             0
    App and DSCP hit on first packet          0
    App rule hit midstream                    0
    Midstream disabled rule hit midstream     0
    URL cat rule hit midstream                0
    App and DSCP rule hit midstream           0
    DSCP rule hit midstream                   0
    Route changed on cache hits               1
    Route changed on HTTP Proxy/ALG           0
    Route changed midstream                   0
    Zone mismatch                             0
    Drop on zone mismatch                     0
    Next hop not found                        0
    Application services bypass               0
```
Meaning
The output displays details about the sessions processed by application-based routing: the number of times application traffic matched the APBR profile (the rule hit counters) and the number of times APBR was applied to a session (the Route changed counters). Because max-route-change is set to 0 in this example, Route changed midstream should remain 0. A nonzero Next hop not found or Drop on zone mismatch counter means that sessions matched a rule but were not steered as intended; in that case, check the ip-monitoring preferred routes in the affected routing instance and the security zone of the selected next hop before relying on the failover.
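The counters above are the only direct evidence that APBR is steering traffic rather than dropping it, so they are worth checking mechanically after every change. The following parser is an added example, not Juniper's code or part of the original page: it reads the statistics output shown above (re-flowed one counter per line, as a constructed sample) and returns findings for the counters a practitioner cares about. The counter names are those in the page's output; the health checks, their wording and the function names are this example's own assumptions.

```python
"""Parse the output of 'show security advance-policy-based-routing statistics'
and flag the counters that mean APBR is dropping or mis-steering traffic
instead of redirecting it into the per-application routing instances.
Added example, not Juniper's code: the counter names come from the page's
output; the checks and the helper names are this example's own assumptions.
"""
import re

# Constructed sample: the counters shown on this page, one per line.
SAMPLE_OUTPUT = """\
Advance Profile Based Routing statistics:
    Sessions Processed                        5611
    App rule hit on cache hit                 1
    App rule hit on HTTP Proxy/ALG            0
    Midstream disabled rule hit on cache hit  0
    URL cat rule hit on cache hit             0
    DSCP rule hit on first packet             0
    App and DSCP hit on first packet          0
    App rule hit midstream                    0
    Midstream disabled rule hit midstream     0
    URL cat rule hit midstream                0
    App and DSCP rule hit midstream           0
    DSCP rule hit midstream                   0
    Route changed on cache hits               1
    Route changed on HTTP Proxy/ALG           0
    Route changed midstream                   0
    Zone mismatch                             0
    Drop on zone mismatch                     0
    Next hop not found                        0
    Application services bypass               0
"""

# One counter per line: a name made of words and '/', then whitespace, then an integer.
_COUNTER = re.compile(r"^\s*(?P<name>[A-Za-z][A-Za-z /]+?)\s+(?P<value>\d+)\s*$")


def parse_apbr_stats(text):
    """Return {counter name: int} for every 'name   value' line; headers are skipped."""
    stats = {}
    for line in text.splitlines():
        m = _COUNTER.match(line)
        if m:
            stats[m.group("name")] = int(m.group("value"))
    return stats


def check_apbr_stats(stats, midstream_changes_allowed=False):
    """Return a list of findings; an empty list means the counters look healthy.
    midstream_changes_allowed=False reflects 'tunables max-route-change 0'."""
    findings = []
    rule_hits = sum(v for k, v in stats.items() if "rule hit" in k)
    if stats.get("Sessions Processed", 0) and rule_hits == 0:
        findings.append("sessions processed but no rule hit: profile not attached "
                        "to the zone or applications are not being identified")
    if stats.get("Next hop not found", 0):
        findings.append("Next hop not found > 0: a routing instance has no usable "
                        "default route (check ip-monitoring / RPM probe state)")
    if stats.get("Drop on zone mismatch", 0):
        findings.append("Drop on zone mismatch > 0: the APBR next hop is in another "
                        "security zone and matching traffic is being dropped")
    if not midstream_changes_allowed and stats.get("Route changed midstream", 0):
        findings.append("Route changed midstream > 0 although max-route-change is 0")
    return findings


if __name__ == "__main__":
    parsed = parse_apbr_stats(SAMPLE_OUTPUT)
    for finding in check_apbr_stats(parsed) or ["APBR counters look healthy"]:
        print(finding)
```

Feed it the text of the show command (for example, captured over SSH or through a NETCONF session) and page on any finding; the "sessions processed but no rule hit" check catches the common mistake of committing the profile without attaching it to the trust zone.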