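Configuration Differences Between Adaptive Services and Next Gen Services

Overview

Next Gen Services require you to configure services differently from Adaptive Services, which run on MS-type cards (MS-MPC, MS-MIC, and MS-DPC). The way you configure the SPC3 services card aligns more closely with the way you configure the services gateway. Once you are familiar with this more unified approach, you should be able to configure services on these two platforms in a more seamless fashion, ultimately reducing training overhead and lowering the risk of configuration errors.

In addition to the CLI differences, you need to be aware of the basic hardware differences between multiservices (MS) type cards (MS-DPC, MS-MPC, and MS-MIC) and the SPC3 services card. MS-type cards contain four CPU complexes, whereas the SPC3 card, although more powerful, contains two CPU complexes. Each CPU complex serves a single PIC, which means that MS-type cards support four PICs whereas the SPC3 supports two PICs. MS-type cards use special multiservices (MS) and adaptive services (AS) PICs, whereas the PICs on the SPC3 card are integrated.

Because the number of PICs directly affects the number of interfaces (Table 1), you might need to add logical units to each interface on the SPC3 to increase the number of interfaces to four. For example, if you currently use all four interfaces on the MS-type card and you have one service set per interface, you can create two logical units per interface on the SPC3 to bring the total number of interfaces to four, and then reassociate the four service sets with these four logical interfaces.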

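Table 1: Hardware Differences: MS-Type Cards and the SPC3 Card

                                  MS Card   SPC3
Number of CPU complexes           4         2
Number of PICs per CPU complex    1         1
Number of interfaces per PIC      1         1
Total interfaces on the card      4         2

Note:

For details on the SPC3 hardware, see the MX Series 5G Universal Routing Platform Interface Module Reference.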

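The following sections provide an overview of the basic configuration differences between services on MS-type cards and services on the SPC3 card. These sections are intended to help you get started by using basic examples to illustrate the major changes. The examples show a subset of the CLI configuration options and do not replace the more formal treatment of the subject matter in the Next Gen Services Interfaces User Guide for Routing Devices and the Junos OS CLI Reference Guide.

The configuration examples in these sections are presented side by side (MS-type card against SPC3) so that you can easily see the differences between the two. The examples are intended to show you how to configure existing MS-type card features on the SPC3. They are not intended to show you how to configure new features that are available only on the SPC3. For readability and ease of comparison, the order in which statements are presented might differ slightly from the actual order in which the statements are displayed in the CLI.

If you have a large existing base of Adaptive Services, we recognize that these changes might be an inconvenience. To help you migrate from MS-type cards to the SPC3, we suggest that you proceed as follows:

  • Look through the examples in this guide to get an overall view of the changes required.

  • Review the set of configuration examples in Knowledge Base article KB35348.

  • Read through this guide and the Junos OS CLI Reference Guide to understand all the features, configuration options, and syntax.

  • Contact JTAC for help with your migration.

If you continue to run Adaptive Services on MS-type cards, you do not need to make these configuration changes. However, once you deploy the SPC3 on a router, you must replace all MS-type cards on that router and reconfigure your services to conform to the Next Gen Services configuration paradigm.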

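Interfaces

MS-type cards use the ms-1/0/0 interface naming convention, whereas you specify SPC3 interfaces using the virtual multiservices, or vms-1/0/0, interface naming convention. The ams and mams interface names have not changed.

In addition, many of the parameters that you configure under services-options on the ms interface are configured under service-set-options in the service set.

Table 2 shows examples of these changes.

Table 2: Interfaces and Service Options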

MS-type card:

[edit interfaces]
ms-5/1/0 {
    <...>
}

SPC3:

[edit interfaces]
# Change interface name to vms.
vms-5/1/0 {
    <...>
}

MS-type card:

[edit interfaces]
ms-5/1/0 {
    services-options {
        open-timeout 40;
        close-timeout 40;
        inactivity-tcp-timeout 10;
        inactivity-asymm-tcp-timeout 10;
        tcp-tickles 8;
        ignore-errors tcp;
    }
}

SPC3:

[edit services]
service-set sset1 {
    service-set-options {
        # Set tcp parameters under tcp-session.
        tcp-session {
            open-timeout 40;
            close-timeout 40;
            inactivity-tcp-timeout 10;
            inactivity-asymm-tcp-timeout 10;
            tcp-tickles 8;
            ignore-errors tcp;
        }
    }
}

MS-type card:

[edit interfaces]
ms-5/1/0 {
    services-options {
        inactivity-non-tcp-timeout 40;
        session-timeout 10;
    }
}

SPC3:

[edit services]
service-set sset1 {
    # Set non-tcp parameters directly under
    # service-set-options.
    service-set-options {
        inactivity-non-tcp-timeout 40;
        session-timeout 10;
    }
}

MS-type card:

[edit interfaces]
ms-5/1/0 {
    services-options {
        fragment-limit 10;
        reassembly-timeout 5;
    }
}

SPC3:

[edit interfaces]
vms-5/1/0 {
    services-options {
        fragment-limit 10;
        reassembly-timeout 5;
    }
}

MS-type card:

[edit interfaces]
ms-5/1/0 {
    services-options {
        session-limit {
            maximum 100;
            cpu-load-threshold 12;
            rate 10;
        }
    }
}

SPC3:

[edit services]
# Maximum number of sessions can be
# specified per service-set.
service-set sset1 {
    service-set-options {
        session-limit {
            maximum 100;
        }
    }
}
[edit interfaces]
# All session-limit parameters continue to be
# configurable per interface. If the maximum
# number of sessions is different from the associated
# service-set, the smaller number takes effect.
vms-5/1/0 {
    services-options {
        session-limit {
            maximum 100;
            cpu-load-threshold 12;
            rate 10;
        }
    }
}

MS-type card:

[edit interfaces]
ms-5/1/0 {
    services-options {
        pba-interim-logging-interval 10;
    }
}

SPC3:

[edit services]
# Set interim-logging-interval under the nat branch.
nat {
    source {
        pool src-pool {
            port {
                block-allocation {
                    interim-logging-interval 10;
                }
            }
        }
    }
}

MS-type card:

[edit interfaces]
ms-5/1/0 {
    services-options {
        syslog {
            host {
                <...>
            }
        }
    }
}

SPC3:

See service-set syslog stream host.

MS-type card:

[edit interfaces]
ms-5/1/0 {
    services-options {
        syslog {
            message-rate-limit 10;
        }
    }
}

SPC3:

[edit services]
service-set sset1 {
    syslog {
        event-rate 10;
    }
}

MS-type card:

[edit interfaces]
ms-5/1/0 {
    services-options {
        ignore-errors alg;
        disable-global-timeout-override;
        trio-flow-offload {
            minimum-bytes 1000;
        }
    }
}

SPC3:

Not supported.

Service Sets

Table 3 shows the minor changes in how some service-set parameters are configured.

Table 3: Service Sets

MS-type card:

[edit services]
service-set sset1 {
    tcp-mss 1460;
    service-set-options {
        tcp-non-syn drop-flow-send-rst;
        tcp-fast-open drop;
    }
}

SPC3:

[edit services]
service-set sset1 {
    service-set-options {
        # Set tcp parameters under tcp-session.
        tcp-session {
            tcp-mss 1460;
            tcp-non-syn drop-flow-send-rst;
            tcp-fast-open drop;
        }
    }
}

MS-type card:

[edit services]
service-set sset1 {
    replicate-services {
        replication-threshold 180;
    }
}

SPC3:

[edit interfaces]
# Set replication-threshold on the interface.
vms-5/1/0 {
    redundancy-options {
        replication-threshold 180;
    }
}

MS-type card:

[edit services]
service-set sset1 {
    syslog {
        host 10.1.1.1 {
            port 514;
        }
    }
}

SPC3:

[edit services]
service-set sset1 {
    syslog {
        # Process security logs in the dataplane.
        mode stream;
        stream s1 {
            # Specify host to send security logs to.
            host {
                10.1.1.1;
                port 514;
            }
        }
    }
}

MS-type card:

[edit services]
service-set sset1 {
    syslog {
        host local;
    }
}

SPC3:

[edit services]
service-set sset1 {
    syslog {
        # Process security logs in the control plane,
        # saving logs to local file specified by rtlog.
        mode event;
    }
}
rtlog {
    traceoptions {
        # Specify filename for logs.
        file rtlog size 1g;
        flag all;
    }
}

MS-type card:

[edit services]
service-set sset1 {
    service-order  <...>
}

SPC3:

The service order is fixed.

MS-type card:

[edit services]
service-set sset1 {
    sampling-service  <...>
}

SPC3:

J-Flow logging is supported inline.

MS-type card:

[edit services]
service-set sset1 {
    tag-rule-sets <...>
    tag-rules  <...>
    hcm-profile  <...>
    hcm-url-rule-sets  <...>
    hcm-url-rules  <...>
    service-set-options {
        bypass-traffic-on-pic-failure;
    }
}

SPC3:

Currently not supported.

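Stateful Firewall

Rules and Policies

Stateful firewall rules on the SPC3 are structured slightly differently from stateful firewall rules for services on MS-type cards. On the SPC3, you enclose the rules within a policies wrapper, and you define the match terms and actions for a rule in a policy contained within the rule.

Just as with the stateful firewall service on MS-type cards, you create a service set to associate an interface with a rule set. A rule set contains references to one or more rules. The rules are applied sequentially in the order that you list them until a match occurs and an action is taken.

Each rule contains one or more pairs of match terms and actions. On the SPC3, each pair of match terms and actions is called a policy. The policies are applied sequentially in the order that you specify them until a match occurs and an action is taken.

Table 4 shows the configuration differences between stateful firewall rules on the MS card and on the SP3. In particular, note the different definitions of the permit/deny/reject actions.

Table 4: Stateful Firewall Rules and Policies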

MS card:

[edit services]
service-set s1 {
    stateful-firewall-rule-sets rule-set-basic-sfw;
    interface-service {
        service-interface ms-1/1/0;
    }
}
stateful-firewall {
    rule Rule1 {
        match-direction input;
        term ping-https-apps {
            from {
                source-address {
                    any;
                }
                destination-address {
                    any;
                }
                applications [junos-icmp-ping junos-https];
            }
            then {
                accept/reject/discard
                skip-ids;
                syslog;
            }
        }
        term accept {
            then {
                accept;
            }
        }
    } # end Rule1
    rule Rule2 {
        match-direction output;
        term local {
            from {
                source-address {
                    10.1.3.2/32;
                }
                application-sets APPL-SET1;
            }
            then {
                accept;
            }
        }
    } # end Rule2
    rule-set rule-set-basic-sfw {
        rule Rule1;
        rule Rule2;
    }
} # end stateful-firewall

SP3:

[edit services]
service-set s1 {
    policies stateful-firewall-rule-sets rule-set-basic-sfw;
    interface-service {
        service-interface vms-1/1/0;
    }
}
# Enclose stateful firewall rules within the policies wrapper.
policies {
    stateful-firewall-rule Rule1 {
        match-direction input;
        # Define match terms and actions in a policy.
        policy ping-https-apps {
            # Unlike the from statement, the match statement (and
            # source-address, destination-address, and application)
            # are mandatory.
            match {
                source-address any;
                destination-address any;
                application [ junos-icmp-ping  junos-https ];
            }
            then {
                # permit = allow
                # deny = silently drop
                # reject = drop and send ICMP unreachable or TCP RST
                permit/deny/reject
                # skip-ids is not supported. One possible way of
                # achieving this same goal is to create two
                # service-sets, one with IDS and one without IDS,
                # and route your next-hop-service
                # traffic to the desired service set via the associated
                # inside or outside interface.
                log;
            }
        }
        policy accept {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
    } # end Rule1
    stateful-firewall-rule Rule2 {
        match-direction output;
        policy local {
            match {
                source-address 10.1.3.2/32;
                destination-address any;
                # application can refer to an application set.
                application APPL-SET1;
            }
            then {
                permit;
            }
        }
    } # end Rule2
    # Use the stateful-firewall-rule-set element to list the
    # firewall rules in the order that you want them applied.
    stateful-firewall-rule-set rule-set-basic-sfw {
        stateful-firewall-rule Rule1;
        stateful-firewall-rule Rule2;
    }
} # end policies
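
An added example, not part of the original page and not Juniper tooling: a pre-migration audit in Python that walks an MS-type configuration and flags the statements that Tables 2 through 4 say must be renamed, moved, reviewed, or dropped on the SPC3. The function names and the sample configuration are constructed for illustration, and the parser assumes one statement per line as in the snippets above.

```python
import re
from typing import Iterator, List, Tuple

# Statement groups taken from Tables 2-4 of this page.
TCP_SESSION = {"open-timeout", "close-timeout", "inactivity-tcp-timeout",
               "inactivity-asymm-tcp-timeout", "tcp-tickles"}
SSET_OPTIONS = {"inactivity-non-tcp-timeout", "session-timeout"}
UNSUPPORTED = {"skip-ids", "disable-global-timeout-override",
               "trio-flow-offload", "bypass-traffic-on-pic-failure"}


def walk(config: str) -> Iterator[Tuple[Tuple[str, ...], str]]:
    """Yield (enclosing path, statement); assumes one statement per line."""
    stack: List[str] = []
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line:
            continue
        header = re.fullmatch(r"\[edit\s*(.*)\]", line)
        if header:                                    # e.g. "[edit services]"
            stack = header.group(1).split()
        elif line.endswith("{"):                      # container opens
            name = line[:-1].strip()
            yield tuple(stack), name
            stack.append(name)
        elif line.startswith("}"):                    # container closes
            if stack:
                stack.pop()
        else:                                         # leaf statement
            yield tuple(stack), line.rstrip(";").strip()


def audit(config: str) -> List[Tuple[str, str, str]]:
    """Return (path, statement, advice) for each MS-type construct found."""
    findings = []
    for path, stmt in walk(config):
        words = stmt.split() or [""]
        key, parent = words[0], (path[-1] if path else "")
        in_sfw_then = "stateful-firewall" in path and parent == "then"
        if path == ("interfaces",) and key.startswith("ms-"):
            advice = "rename interface to v" + key
        elif key == "service-interface" and words[-1].startswith("ms-"):
            advice = "point at v" + words[-1]
        elif parent == "services-options" and (
                key in TCP_SESSION or stmt == "ignore-errors tcp"):
            advice = "move to service-set-options tcp-session"
        elif parent == "services-options" and key in SSET_OPTIONS:
            advice = "move to service-set-options"
        elif key in UNSUPPORTED or stmt == "ignore-errors alg":
            advice = "not supported on SPC3"
        elif in_sfw_then and key == "accept":
            advice = "use permit"
        elif in_sfw_then and key in ("reject", "discard"):
            advice = "choose deny (silent drop) or reject (ICMP/TCP RST)"
        elif in_sfw_then and key == "syslog":
            advice = "use log"
        else:
            continue
        findings.append((" ".join(path), stmt, advice))
    return findings


# Constructed MS-type configuration assembled from snippets on this page.
SAMPLE_MS_CONFIG = """
[edit interfaces]
ms-5/1/0 {
    services-options {
        open-timeout 40;
        session-timeout 10;
        ignore-errors alg;
    }
}
[edit services]
service-set s1 {
    interface-service {
        service-interface ms-5/1/0;
    }
    service-set-options {
        bypass-traffic-on-pic-failure;
    }
}
stateful-firewall {
    rule Rule1 {
        term ping-https-apps {
            then {
                reject;
                skip-ids;
                syslog;
            }
        }
    }
}
"""

if __name__ == "__main__":
    for where, stmt, advice in audit(SAMPLE_MS_CONFIG):
        print(f"{where:62} {stmt:30} -> {advice}")
```

The "not supported" findings are the ones to review first, because a rule that relied on skip-ids or on bypass-traffic-on-pic-failure has no direct equivalent to move to.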

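Address Lists and Ranges

Stateful firewall rules can contain match terms that refer to address ranges and lists.

On the MS card, you use the source-address-range and destination-address-range elements to specify address ranges, and the prefix-list element under policy-options to specify address lists. The prefix-list element is not used only for stateful firewall rules. You can also use the prefix-list element to specify address lists for use in routing policies.

On the SP3, the prefix-list element is not used for stateful firewall rules. You use an address-book under services to define address lists and ranges for use in stateful firewall rules. The prefix-list element still exists, but it is used exclusively for routing policies. Therefore, if you want to specify address lists for stateful firewall rules and address lists for routing policies, you need to configure both the address-book and prefix-list elements.

Table 5 shows the difference between specifying addresses for stateful firewall rules on the MS card and on the SP3.

Table 5: Addresses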

MS card:

[edit]
policy-options {
    prefix-list p1 {
        10.1.22.45/32;
        192.168.0.11/32;
    }
}
[edit services]
stateful-firewall {
    rule sfw-rule {
        match-direction input;
        term banned-addresses {
            from {
                source-prefix-list {
                    p1;
                }
                source-address-range {
                    low 10.1.22.100 high 10.1.22.109;
                }
            }
            then {
                reject;
                syslog;
            }
        }
    <...>

SP3:

[edit services]
# Define address lists and address ranges in an address book.
address-book {
    global {
        address-set p1 {
            address p1-a;
            address p1-b;
        }
        address p1-a 10.1.22.45/32;
        address p1-b 192.168.0.11/32;
        address p2 {
            address-range 10.1.22.100/32 {
                to {
                    10.1.22.109/32;
                }
            }
        }
    }
} # end address-book
policies {
    stateful-firewall-rule sfw-rule {
        match-direction input;
        policy banned-addresses {
            match {
                # Refer to the addresses defined in the address book.
                source-address [ p1 p2 ];
                destination-address any;
                application any;
            }
            then {
                deny;
                log;
            }
        <...>

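Applications

The SP3 supports more built-in Junos applications than the MS card. You can match on these built-in applications when you create a stateful firewall rule.

To see the full list of built-in applications, use the show groups junos-defaults applications configuration mode command. For example:

Traceoptions and Counters

Stateful firewall for Next Gen Services on the SP3 supports additional capabilities to help you debug and count traffic:

  • traceoptions - Use to trace policy-related events such as policy lookups and rule-based events. Events are captured in the specified file for viewing.

  • count - Use to count traffic-related events such as incoming/outgoing bytes and packets. Use show commands to view the counters:

    • show services policies detail - The output includes traffic-related counters when you specify the count option in a policy.

    • show services policies hit-count - The hit count is always available, regardless of whether you use the count option in a policy.

Table 6 shows how to use the traceoptions and count elements:

Table 6: traceoptions and count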

MS card:

Not supported.

SP3:

[edit services]
policies {
    # Enable traceoptions to trace policy-related events.
    traceoptions {
        file policylogs size 10m files 5;
        flag all;
    }
    stateful-firewall-rule Rule1 {
        match-direction input;
        policy my-policy {
            match {
                source-address any;
                destination-address any;
                application [ junos-dns-udp junos-dns-tcp ];
            }
            then {
                permit;
                # Enable counting of traffic events.
                count;
            }
        } # end my-policy
    ...

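Carrier-Grade Network Address Translation (CGNAT)

Configuring NAT for Next Gen Services on the SP3 differs from configuring NAT for legacy services on the MS card in a number of ways:

  • On the SP3, you configure source NAT separately from destination NAT. You configure source NAT in the source branch of the configuration tree and destination NAT in the destination branch of the configuration tree. Source NAT and destination NAT each have their own set of address pools and rules in their respective branches of the configuration tree.

  • On the SP3, if you configure both source NAT and destination NAT, destination NAT is applied first, and then source NAT is applied to the result of the destination NAT translation. In other words, you write the source NAT rule based not on the original packet but on the result of the destination NAT translation.

  • On the SP3, you do not explicitly configure a translation-type. The translation type is determined implicitly by your configuration.

  • On the SP3, port translation is the default behavior for dynamic mappings (where different pre-NAT addresses might map to the same post-NAT address over time). If you do not explicitly include a port statement in the pool definition, port translation takes place using the port range [1024, 65535], and ports are selected in round-robin fashion. If you do not want port translation to take place, you must add a port statement with the no-translation option. This default does not apply to static mappings, where a pre-NAT address always maps to the same post-NAT address.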
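
The ordering rule above, as an added Python model (not Juniper code and not part of the original page): destination NAT runs first and the source rule is matched against the translated destination, using the addresses from the Twice-Basic-NAT-44 example in Table 15. All names are hypothetical; the offset mapping into the destination pool and the 10.10.10.16 base in the last rule set are assumptions made for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

Net = ipaddress.IPv4Network
Addr = ipaddress.IPv4Address


@dataclass(frozen=True)
class DestRule:
    match_dst: Net            # destination-address in the destination rule-set
    pool: Net                 # destination pool


@dataclass(frozen=True)
class SrcRule:
    match_src: Net            # source-address in the source rule-set
    match_dst: Net            # destination-address, seen after destination NAT
    pool: Net                 # source pool
    host_address_base: Addr   # pre-NAT address mapped to the lowest pool address


def shift(addr: Addr, base: Addr, pool: Net) -> Optional[Addr]:
    """Static offset mapping: base -> lowest pool address, base+1 -> next.

    Returns None when addr is below base, or when the offset runs past the
    end of the pool (the second case is a choice of this model).
    """
    offset = int(addr) - int(base)
    if offset < 0 or offset >= pool.num_addresses:
        return None
    return pool.network_address + offset


def translate(src: str, dst: str, dest_rules: List[DestRule],
              src_rules: List[SrcRule]) -> Tuple[str, Optional[str], Optional[str]]:
    """Return (verdict, src, dst) for one packet after both NAT stages."""
    s, d = Addr(src), Addr(dst)

    # Stage 1: destination NAT applies first.
    for rule in dest_rules:
        if d in rule.match_dst:
            # Assumption of this model: offset mapping into the destination pool.
            new_d = shift(d, rule.match_dst.network_address, rule.pool)
            if new_d is None:
                return ("discard", None, None)
            d = new_d
            break

    # Stage 2: source rules are matched against the destination-translated packet.
    for rule in src_rules:
        if s in rule.match_src and d in rule.match_dst:
            new_s = shift(s, rule.host_address_base, rule.pool)
            if new_s is None:
                # Allowed by the rule but below host-address-base: discarded.
                return ("discard", None, None)
            return ("translated", str(new_s), str(d))

    # No source rule matched, so the source address is left as it was.
    return ("source-untranslated", str(s), str(d))


# Addresses from the Twice-Basic-NAT-44 example (Table 15).
DEST_RULES = [DestRule(Net("10.20.10.0/24"), Net("10.99.10.0/24"))]
SRC_RULES_SPC3 = [SrcRule(Net("10.10.10.0/24"), Net("10.99.10.0/24"),
                          Net("10.98.10.0/24"), Addr("10.10.10.0"))]
# Source rule copied from the MS term: it still names the pre-NAT destination.
SRC_RULES_COPIED = [SrcRule(Net("10.10.10.0/24"), Net("10.20.10.0/24"),
                            Net("10.98.10.0/24"), Addr("10.10.10.0"))]
# Constructed variant: host-address-base set above the start of the rule's range.
SRC_RULES_HIGH_BASE = [SrcRule(Net("10.10.10.0/24"), Net("10.99.10.0/24"),
                               Net("10.98.10.0/24"), Addr("10.10.10.16"))]

if __name__ == "__main__":
    for name, rules in [("spc3", SRC_RULES_SPC3), ("copied", SRC_RULES_COPIED),
                        ("high-base", SRC_RULES_HIGH_BASE)]:
        print(name, translate("10.10.10.5", "10.20.10.7", DEST_RULES, rules))
```

In the model, the copied rule leaves the packet with its internal source address intact, which is the failure to look for after a migration: the session is forwarded, but the source is never translated.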

Table 7 through Table 19 show examples of how to configure the different translation types on the SP3.

Table 7: Example: Basic NAT44

MS card:

[edit services]
service-set sset1 {
    nat-rules rule-basic-nat44;
    interface-service {
        service-interface ms-1/2/0;
    }
}
nat {
    pool src-pool {
        address 10.10.10.0/24;
    }
    rule rule-basic-nat44 {
        match-direction input;
        term t1 {
            from {
                source-address {
                    10.45.1.0/24;
                }
            }
            then {
                translated {
                    source-pool src-pool;
                    translation-type {
                        basic-nat44;
                    }
                }
            }
        }
    }
} # end nat

SP3:

[edit services]
service-set sset1 {
    nat-rule-sets rule-basic-nat44;
    interface-service {
        service-interface vms-2/0/0;
    }
}
nat {
    source {
        pool src-pool {
            address {
                10.10.10.0/24;
            }
            # host-address-base indicates a type of static mapping
            # where the base address 10.45.1.0/0 maps to the
            # lowest address in the pool, namely 10.10.10.0/0,
            # and the other addresses map sequentially from there
            # e.g. 10.45.1.1 maps to 10.10.10.1, and so on.
            # Since this is a static mapping, there is no port translation
            # by default.
            # Note that host-address-base does not have to be the
            # lowest address allowed by the subsequent source rule.
            # Any packet with a source address allowed by the source rule
            # but is lower than the host-address-base is discarded.
            host-address-base 10.45.1.0/0;
        }
        rule-set rule-basic-nat44 {
            match-direction input;
            rule r1 {
                match {
                    source-address 10.45.1.0/24;
                }
                then {
                    source-nat {
                        pool {
                            src-pool;
                        }
                    }
                }
            }
        }
    } # end source
} # end nat

Table 8: Example: Basic NAT66

MS card:

[edit services]
service-set sset1 {
    nat-rules rule-basic-nat66;
    interface-service {
        service-interface ms-1/2/0;
    }
}
nat {
    pool src-pool {
        address 2001:DB8:2222::0/96;
    }
    rule rule-basic-nat66 {
        match-direction input;
        term t1 {
            from {
                source-address {
                    2001:DB8:1111::0/96;
                }
            }
            then {
                translated {
                    source-pool src-pool;
                    translation-type {
                        basic-nat66;
                    }
                }
            }
        }
    }
} # end nat

SP3:

[edit services]
service-set sset1 {
    nat-rule-sets rule-basic-nat66;
    interface-service {
        service-interface vms-2/0/0;
    }
}
nat {
    source {
        pool src-pool {
            address {
                2001:DB8:2222::0/96;
            }
        }
        rule-set rule-basic-nat66 {
            match-direction input;
            rule r1 {
                match {
                    source-address 2001:DB8:1111::0/96;
                }
                then {
                    source-nat {
                        pool {
                            src-pool;
                        }
                    }
                }
            }
        }
    } # end source
} # end nat

Table 9: Example: Dynamic NAT44

MS card:

[edit services]
service-set sset1 {
    nat-rules rule-dynamic-nat44;
    interface-service {
        service-interface ms-1/2/0;
    }
}
nat {
    pool src-pool {
        address-range low 10.10.10.2 high 10.10.10.10;
    }
    rule rule-dynamic-nat44 {
        match-direction input;
        term t0 {
            from {
                applications junos-icmp-all;
            }
            then {
                no-translation;
            }
        }
        term t1 {
            from {
                destination-address {
                    10.99.0.2/32;
                }
                source-address-range {
                    low 10.45.0.2 high 10.45.0.10;
                }
            }
            then {
                translated {
                    source-pool src-pool;
                    translation-type {
                        dynamic-nat44;
                    }
                }
            }
        }
    }
} # end nat

SP3:

[edit services]
service-set sset1 {
    nat-rule-sets rule-dynamic-nat44;
    interface-service {
        service-interface vms-2/0/0;
    }
}
nat {
    source {
        pool src-pool {
            address {
                10.10.10.2/32 to 10.10.10.10/32;
            }
            # Since this is implicitly a dynamic mapping,
            # there is port translation by default, so we need to
            # explicitly specify that we don't want port translation.
            port {
                no-translation;
            }
        }
        rule-set rule-dynamic-nat44 {
            match-direction input;
            rule r0 {
                match {
                    source-address 0.0.0.0/0;
                    application junos-icmp-all;
                }
                then {
                    source-nat {
                        off;
                    }
                }
            }
            rule r1 {
                match {
                    source-address-name addr1;
                    destination-address 10.99.0.2/32;
                }
                then {
                    source-nat {
                        pool {
                            src-pool;
                        }
                    }
                }
            }
        }
    } # end source
} # end nat

address-book {
    global {
        address addr1 {
            address-range 10.45.0.2/32 {
                to {
                    10.45.0.10/32;
                }
            }
        }
    }
}

Table 10: Example: NAPT-44

MS card:

[edit services]
service-set sset1 {
    nat-rules rule-napt44;
    interface-service {
        service-interface ms-1/2/0;
    }
}
nat {
    pool src-pool {
        address 10.10.10.0/24;
        port {
            automatic;
        }
    }
    rule rule-napt44 {
        match-direction input;
        term t1 {
            from {
                source-address {
                    10.45.1.0/24;
                }
                application-sets accept-algs;
            }
            then {
                translated {
                    source-pool src-pool;
                    translation-type {
                        napt44;
                    }
                }
            }
        }
    }
} # end nat

SP3:

[edit services]
service-set sset1 {
    nat-rule-sets rule-napt44;
    interface-service {
        service-interface vms-2/0/0;
    }
}
nat {
    source {
        pool src-pool {
            address {
                10.10.10.0/24;
            }
            # Since this is implicitly a dynamic mapping,
            # and there is no explicit port statement
            # to indicate otherwise, the default port
            # mapping behavior takes effect.
        }
        rule-set rule-napt44 {
            match-direction input;
            rule r1 {
                match {
                    source-address 10.45.1.0/24;
                    application accept-algs;
                }
                then {
                    source-nat {
                        pool {
                            src-pool;
                        }
                    }
                }
            }
        }
    } # end source
} # end nat

Table 11: Example: napt-66

MS card:

[edit services]
service-set sset1 {
    nat-rules rule-napt66;
    interface-service {
        service-interface ms-1/2/0;
    }
}
nat {
    pool src-pool {
        address 2001:DB8:2222::0/112;
        port {
            range low 20000 high 30000;
        }
    }
    rule rule-napt66 {
        match-direction input;
        term t1 {
            from {
                source-address {
                    2001:DB8:1111::0/96;
                }
            }
            then {
                translated {
                    source-pool src-pool;
                    translation-type {
                        napt66;
                    }
                }
            }
        }
    }
} # end nat

SP3:

[edit services]
service-set sset1 {
    nat-rule-sets rule-napt66;
    interface-service {
        service-interface vms-2/0/0;
    }
}
nat {
    source {
        pool src-pool {
            address {
                2001:DB8:2222::0/112;
            }
            port {
                range {
                    20000;
                    to {
                        30000;
                    }
                }
            }
        }
        rule-set rule-napt66 {
            match-direction input;
            rule r1 {
                match {
                    source-address 2001:DB8:1111::0/96;
                }
                then {
                    source-nat {
                        pool {
                            src-pool;
                        }
                    }
                }
            }
        }
    } # end source
} # end nat

Table 12: Example: Deterministic NAT-44

MS card:

[edit services]
service-set sset1 {
    nat-rules rule-dnat-44;
    interface-service {
        service-interface ms-1/2/0;
    }
}
nat {
    pool dest-pool {
        address 10.10.10.2/32;
    }
    rule rule-dnat-44 {
        match-direction input;
        term t1 {
            from {
                destination-address {
                    10.45.0.2/32;
                }
            }
            then {
                translated {
                    destination-pool dest-pool;
                    translation-type {
                        dnat-44;
                    }
                }
            }
        }
    }
} # end nat

SP3:

[edit services]
service-set sset1 {
    nat-rule-sets rule-dnat-44;
    interface-service {
        service-interface vms-2/0/0;
    }
}
nat {
    destination {
        pool dest-pool {
            address {
                10.10.10.2/32;
            }
        }
        rule-set rule-dnat-44 {
            match-direction input;
            rule r1 {
                match {
                    destination-address 10.45.0.2/32;
                }
                then {
                    destination-nat {
                        pool {
                            dest-pool;
                        }
                    }
                }
            }
        }
    } # end destination
} # end nat

Table 13: Example: Stateful NAT464

MS card:

[edit services]
service-set sset1 {
    nat-rules rule-stateful-nat464;
    interface-service {
        service-interface ms-1/2/0;
    }
}
nat {
    pool src-pool {
        address 10.10.10.0/24;
        port {
            automatic;
        }
    }
    rule rule-stateful-nat464 {
        match-direction input;
        term t1 {
            from {
                source-address {
                    2001:DB8:1111::0/96;
                }
                destination-address {
                    2001:DB8:2222::0/96;
                }
                applications [junos-icmp-all junos-icmp-ping junos-traceroute junos-traceroute-ttl 1];
            }
            then {
                translated {
                    source-pool src-pool;
                    clat-prefix 2001:DB8:1111::0/96;
                    destination-prefix 2001:DB8:2222::0/96;
                    translation-type {
                        stateful-nat464;
                    }
                }
            }
        }
    }
} # end nat

SP3:

[edit services]
service-set sset1 {
    nat-rule-sets rule-stateful-nat464-src;
    nat-rule-sets rule-stateful-nat464-dest;
    interface-service {
        service-interface vms-2/0/0;
    }
}
nat {
    source {
        pool src-pool {
            address {
                10.10.10.0/24;
            }
            port {
                automatic {
                    round-robin;
                }
            }
        }
        # This source rule applies after the destination rule.
        rule-set rule-stateful-nat464-src {
            match-direction input;
            rule r1 {
                match {
                    source-address 2001:DB8:1111::0/96;
                    # Since destination NAT happens first, the
                    # destination IPv6 prefix has been stripped off,
                    # resulting in an IPv4 destination address.
                    destination-address 0.0.0.0/0;
                    application [junos-icmp-all junos-icmp-ping junos-traceroute junos-traceroute-ttl 1];
                }
                then {
                    source-nat {
                        pool {
                            src-pool;
                        }
                        clat-prefix 2001:DB8:1111::0/96;
                    }
                }
            }
        }
    } # end source

    destination {
        # This destination rule applies before the source rule.
        rule-set rule-stateful-nat464-dest {
            match-direction input;
            rule r1 {
                match {
                    destination-address 2001:DB8:2222::0/96;
                }
                then {
                    destination-nat {
                        destination-prefix 2001:DB8:2222::0/96;
                    }
                }
            }
        }
    } # end destination
} # end nat

Table 14: Example: Stateful NAT64

MS card:

[edit services]
service-set sset1 {
    nat-rules rule-stateful-nat64;
    interface-service {
        service-interface ms-1/2/0;
    }
}
nat {
    pool src-pool {
        address 10.10.10.0/24;
        port {
            automatic {
                random-allocation;
            }
        }
        mapping-timeout 500;
    }
    rule rule-stateful-nat64 {
        match-direction input;
        term t1 {
            from {
                destination-address {
                    2001:DB8:2222::0/64;
                }
            }
            then {
                translated {
                    source-pool src-pool;
                    destination-prefix 2001:DB8:2222::0/64;
                    translation-type {
                        stateful-nat64;
                    }
                }
            }
        }
        term t2 {
            from {
                destination-address {
                    2001:DB8:3333::0/64;
                }
            }
            then {
                translated {
                    source-pool src-pool;
                    destination-prefix 2001:DB8:3333::0/64;
                    translation-type {
                        stateful-nat64;
                    }
                }
            }
        }
    }
} # end nat

SP3:

[edit services]
service-set sset1 {
    nat-rule-sets rule-stateful-nat64-src;
    nat-rule-sets rule-stateful-nat64-dest;
    interface-service {
        service-interface vms-2/0/0;
    }
}
nat {
    source {
        pool src-pool {
            address {
                10.10.10.0/24;
            }
            port {
                automatic {
                    random-allocation;
                }
            }
            mapping-timeout 500;
        }
        # This source rule applies after the destination rule.
        rule-set rule-stateful-nat64-src {
            match-direction input;
            rule r1 {
                match {
                    source-address 0::/0;
                    # Since destination NAT applies first, the
                    # destination address is now IPv4.
                    destination-address 0.0.0.0/0;
                }
                then {
                    source-nat {
                        pool {
                            src-pool;
                        }
                    }
                }
            }
        }
    } # end source

    destination {
        # This destination rule applies before the source rule.
        rule-set rule-stateful-nat64-dest {
            match-direction input;
            rule r1 {
                match {
                    destination-address 2001:DB8:2222::0/64;
                }
                then {
                    destination-nat {
                        destination-prefix 2001:DB8:2222::0/64;
                    }
                }
            }
            rule r2 {
                match {
                    destination-address 2001:DB8:3333::0/64;
                }
                then {
                    destination-nat {
                        destination-prefix 2001:DB8:3333::0/64;
                    }
                }
            }
        }
    } # end destination
} # end nat

Table 15: Example: Twice-Basic-NAT-44

MS Card

[edit services]
service-set sset1 {
    nat-rules rule-twice-basic-nat-44;
    interface-service {
        service-interface ms-1/2/0;
    }
}
nat {
    pool src-pool {
        address 10.98.10.0/24;
    }
    pool dest-pool {
        address 10.99.10.0/24;
    }
    rule rule-twice-basic-nat-44 {
        match-direction input;
        term t1 {
            from {
                source-address {
                    10.10.10.0/24;
                }
                destination-address {
                    10.20.10.0/24;
                }
            }
            then {
                translated {
                    source-pool src-pool;
                    destination-pool dest-pool;
                    translation-type {
                        twice-basic-nat-44;
                    }
                }
            }
        }
    }
} # end nat

SP3

[edit services]
service-set sset1 {
    nat-rule-sets rule-twice-basic-nat-44-src;
    nat-rule-sets rule-twice-basic-nat-44-dest;
    interface-service {
        service-interface vms-2/0/0;
    }
}
nat {
    source {
        pool src-pool {
            address {
                10.98.10.0/24;
            }
            # host-address-base indicates a type of static mapping where
            # the base address 10.10.10.0/0 maps to the lowest
            # address in the pool, namely 10.98.10.0/0,
            # and the other addresses map sequentially from there,
            # e.g. 10.10.10.1 maps to 10.98.10.1, and so on.
            # Since this is a static mapping, there is no port translation
            # by default.
            # Note that host-address-base does not have to be the
            # lowest address allowed by the subsequent source rule.
            # Any packet with a source address that is allowed by the
            # source rule but is lower than the host-address-base is discarded.
            host-address-base 10.10.10.0/0;
        }
        # This source rule applies after the destination rule.
        rule-set rule-twice-basic-nat-44-src {
            match-direction input;
            rule r1 {
                match {
                    source-address 10.10.10.0/24;
                    # Since destination NAT happens first, the destination
                    # address refers to the NAT’d address.
                    destination-address 10.99.10.0/24;
                }
                then {
                    source-nat {
                        pool {
                            src-pool;
                        }
                    }
                }
            }
        }
    } # end source

    destination {
        pool dest-pool {
            address {
                10.99.10.0/24;
            }
        }
        # This destination rule applies before the source rule.
        rule-set rule-twice-basic-nat-44-dest {
            match-direction input;
            rule r1 {
                match {
                    destination-address 10.20.10.0/24;
                }
                then {
                    destination-nat {
                        pool {
                            dest-pool;
                        }
                    }
                }
            }
        }
    } # end destination
} # end nat
Table 16: Example: Twice-Dynamic-NAT-44

MS Card

[edit services]
service-set sset1 {
    nat-rules rule-twice-dynamic-nat-44;
    interface-service {
        service-interface ms-1/2/0;
    }
}
nat {
    pool src-pool {
        address 10.98.10.0/24;
    }
    pool dest-pool {
        address 10.99.10.0/24;
    }
    rule rule-twice-dynamic-nat-44 {
        match-direction input;
        term t1 {
            from {
                source-address {
                    10.10.10.0/24;
                }
                destination-address {
                    10.20.10.0/24;
                }
            }
            then {
                translated {
                    source-pool src-pool;
                    destination-pool dest-pool;
                    translation-type {
                        twice-dynamic-nat-44;
                    }
                }
            }
        }
    }
} # end nat

SP3

[edit services]
service-set sset1 {
    nat-rule-sets rule-twice-dynamic-nat-44-src;
    nat-rule-sets rule-twice-dynamic-nat-44-dest;
    interface-service {
        service-interface vms-2/0/0;
    }
}
nat {
    source {
        pool src-pool {
            address {
                10.98.10.0/24;
            }
            port {
                no-translation;
            }
        }
        # This source rule applies after the destination rule.
        rule-set rule-twice-dynamic-nat-44-src {
            match-direction input;
            rule r1 {
                match {
                    source-address 10.10.10.0/24;
                    # Since destination NAT happens first, the destination
                    # address refers to the NAT’d address.
                    destination-address 10.99.10.0/24;
                }
                then {
                    source-nat {
                        pool {
                            src-pool;
                        }
                    }
                }
            }
        }
    } # end source

    destination {
        pool dest-pool {
            # By default, address mapping in destination pools is static.
            address {
                10.99.10.0/24;
            }
        }
        # This destination rule applies before the source rule.
        rule-set rule-twice-dynamic-nat-44-dest {
            match-direction input;
            rule r1 {
                match {
                    destination-address 10.20.10.0/24;
                }
                then {
                    destination-nat {
                        pool {
                            dest-pool;
                        }
                    }
                }
            }
        }
    } # end destination
} # end nat
Table 17: Example: Twice-NAPT-44

MS Card

[edit services]
service-set sset1 {
    nat-rules rule-twice-napt-44;
    interface-service {
        service-interface ms-1/2/0;
    }
}
nat {
    pool src-pool {
        address 10.98.10.0/24;
        port {
            automatic;
            secured-port-block-allocation block-size 256 max-blocks-per-address 1 active-block-timeout 300;
        }
    }
    pool dest-pool {
        address 10.99.10.2/32;
    }
    rule rule-twice-napt-44 {
        match-direction input;
        term t1 {
            from {
                source-address {
                    10.10.10.0/24;
                }
                destination-address {
                    10.20.10.2/32;
                }
            }
            then {
                translated {
                    source-pool src-pool;
                    destination-pool dest-pool;
                    translation-type {
                        twice-napt-44;
                    }
                }
            }
        }
    }
} # end nat

SP3

[edit services]
service-set sset1 {
    nat-rule-sets rule-twice-napt-44-src;
    nat-rule-sets rule-twice-napt-44-dest;
    interface-service {
        service-interface vms-2/0/0;
    }
}
nat {
    source {
        pool src-pool {
            address {
                10.98.10.0/24;
            }
            port {
                automatic {
                    round-robin;
                }
                block-allocation {
                    block-size 256;
                    maximum-blocks-per-host 1;
                    active-block-timeout 300;
                }
            }
        }
        # This source rule applies after the destination rule.
        rule-set rule-twice-napt-44-src {
            match-direction input;
            rule r1 {
                match {
                    source-address 10.10.10.0/24;
                    # Since destination NAT happens first, the
                    # destination address refers to the NAT’d address.
                    destination-address 10.99.10.2/32;
                }
                then {
                    source-nat {
                        pool {
                            src-pool;
                        }
                    }
                }
            }
        }
    } # end source

    destination {
        pool dest-pool {
            address {
                10.99.10.2/32;
            }
        }
        # This destination rule applies before the source rule.
        rule-set rule-twice-napt-44-dest {
            match-direction input;
            rule r1 {
                match {
                    source-address 10.10.10.0/24;
                    destination-address 10.20.10.2/32;
                }
                then {
                    destination-nat {
                        pool {
                            dest-pool;
                        }
                    }
                }
            }
        }
    } # end destination
} # end nat
Table 18: Example: Deterministic NAPT44

MS Card

[edit services]
service-set sset1 {
    nat-rules rule-deterministic-napt44;
    interface-service {
        service-interface ms-1/2/0;
    }
}
nat {
    pool src-pool {
        address 10.10.10.0/24;
        port {
            range low 1024 high 19999;
            deterministic-port-block-allocation block-size 256;
        }
        mapping-timeout 120;
    }
    rule rule-deterministic-napt44 {
        match-direction input;
        term t1 {
            from {
                source-address {
                    10.2.0.0/18;
                }
            }
            then {
                translated {
                    source-pool src-pool;
                    translation-type {
                        deterministic-napt44;
                    }
                    mapping-type endpoint-independent;
                }
            }
        }
    }
} # end nat

SP3

[edit services]
service-set sset1 {
    nat-rule-sets rule-deterministic-napt44;
    interface-service {
        service-interface vms-2/0/0;
    }
}
nat {
    source {
        pool src-pool {
            address {
                10.10.10.0/24;
            }
            port {
                range {
                    1024;
                    to {
                        19999;
                    }
                }
                deterministic {
                    block-size 256;
                    # host address specifies the subnet that you
                    # want to apply to this pool.
                    host address 10.2.0.0/20;
                }
            }
            mapping-timeout 120;
        }
        rule-set rule-deterministic-napt44 {
            match-direction input;
            rule r1 {
                match {
                    source-address 10.2.0.0/18;
                }
                then {
                    source-nat {
                        pool {
                            src-pool;
                        }
                        mapping-type endpoint-independent;
                    }
                }
            }
        }
    } # end source
} # end nat
Table 19: Example: Deterministic NAPT64

MS Card

[edit services]
service-set sset1 {
    nat-rules rule-deterministic-napt64;
    interface-service {
        service-interface ms-1/2/0;
    }
}
nat {
    pool src-pool {
        address 10.98.10.0/24;
        port {
            automatic {
                random-allocation;
            }
            deterministic-port-block-allocation block-size 256;
        }
    }
    rule rule-deterministic-napt64 {
        match-direction input;
        term t1 {
            from {
                source-address {
                    2001:DB8:1111::1/120;
                }
            }
            then {
                translated {
                    destination-prefix 2001:DB8:2222::/96;
                    source-pool src-pool;
                    translation-type {
                        deterministic-napt64;
                    }
                }
            }
        }
    }
} # end nat

SP3

[edit services]
service-set sset1 {
    nat-rule-sets rule-deterministic-napt64-src;
    nat-rule-sets rule-deterministic-napt64-dest;
    interface-service {
        service-interface vms-2/0/0;
    }
}
nat {
    source {
        pool src-pool {
            address {
                10.98.10.0/24;
            }
            port {
                automatic {
                    random-allocation;
                }
                deterministic {
                    block-size 256;
                    host address 2001:DB8:1111::1/120;
                }
            }
        }
        # This source rule applies after the destination rule.
        rule-set rule-deterministic-napt64-src {
            match-direction input;
            rule r1 {
                match {
                    source-address 2001:DB8:1111::1/120;
                    # Since destination NAT happens first, the destination
                    # address refers to the NAT’d address.
                    destination-address 0.0.0.0/0;
                }
                then {
                    source-nat {
                        pool {
                            src-pool;
                        }
                    }
                }
            }
        }
    } # end source

    destination {
        pool dest-pool {
            address {
                10.99.10.2/32;
            }
        }
        # This destination rule applies before the source rule.
        rule-set rule-deterministic-napt64-dest {
            match-direction input;
            rule r1 {
                match {
                    destination-address 2001:DB8:2222::/96;
                }
                then {
                    destination-nat {
                        destination-prefix 2001:DB8:2222::/96;
                    }
                }
            }
        }
    } # end destination
} # end nat
Table 20: Example: napt-pt

MS Card

[edit services]
service-set sset1 {
    nat-rules rule-napt-pt;
    interface-service {
        service-interface ms-1/2/0;
    }
}
nat {
    pool src-pool {
        address 10.10.10.2/32;
    }
    pool dest-pool {
        address 10.99.10.2/32;
    }
    rule rule-napt-pt {
        match-direction input;
        term t1 {
            from {
                source-address {
                    2001:DB8:1111::2/128;
                }
                destination-address {
                    2001:DB8:2222::2/128;
                }
            }
            then {
                translated {
                    source-pool src-pool;
                    destination-pool dest-pool;
                    translation-type {
                        napt-pt;
                    }
                }
            }
        }
    }
} # end nat

SP3

[edit services]
service-set sset1 {
    nat-rule-sets rule-napt-pt-src;
    nat-rule-sets rule-napt-pt-dest;
    interface-service {
        service-interface vms-2/0/0;
    }
}
nat {
    source {
        pool src-pool {
            address {
                10.10.10.2/32;
            }
        }
        rule-set rule-napt-pt-src {
            match-direction input;
            rule r1 {
                match {
                    source-address 2001:DB8:1111::2/128;
                    destination-address 10.99.10.0/24;
                }
                then {
                    source-nat {
                        pool {
                            src-pool;
                        }
                    }
                }
            }
        }
    } # end source

    destination {
        pool dest-pool {
            address {
                10.99.10.2/32;
            }
        }
        rule-set rule-napt-pt-dest {
            match-direction input;
            rule r1 {
                match {
                    destination-address 2001:DB8:2222::2/128;
                }
                then {
                    destination-nat {
                        pool {
                            dest-pool;
                        }
                    }
                }
            }
        }
    } # end destination
} # end nat

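Intrusion Detection System (IDS)

IDS rules for Next Gen Services on the SP3 are defined under the screen branch. Individual elements are named slightly differently, but the main change is in how packets that carry IPv4 options and IPv6 extensions are handled:

  • For IDS services on the MS card, the default behavior is to detect and drop packets that have IPv4 options and IPv6 extensions. To allow these packets, you must explicitly allow them through configuration.

  • For IDS Next Gen Services on the SP3, the default behavior is to allow packets that have IPv4 options and IPv6 extensions. To detect and drop these packets, you must explicitly disallow them through configuration.

Table 21 shows examples of the configuration differences.

Table 21: IDS Rules

MS Card

SP3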

[edit services]
service-set sset1 {
    ids-rules r1;
    ids-rules r2;
}
[edit services]
service-set sset1 {
    # Replace ids-rules with ids-option.
    ids-option ids1;
    ids-option ids2;
}
[edit services]
ids {
    rule r1 {
        match-direction input;
        term t1 {
            <...>
        }
    }
}
[edit services]
# Define ids rules under the screen branch.
screen {
    # Replace rule with ids-option.
    ids-option ids1 {
        match-direction input;
        # Flatten hierarchy by removing term and placing 
        # contents directly under ids-option.
        <...>
    }
}
[edit services]
ids {
    rule r1 {
        match-direction input;
        term t1 {
            then {
                allow-ip-options [ loose-source-route route-record router-alert security stream-id strict-source-route timestamp ];
            }
        }
    }
}
[edit services]
screen {
    ids-option ids1 {
        match-direction input;
        # By default, all ip options are allowed.
    }
}
[edit services]
ids {
    rule r1 {
        match-direction input;
        term t1 {
            then {
                <no allow-ip-options configured>
            }
        }
    }
}
[edit services]
screen {
    ids-option ids1 {
        match-direction input;
        # Explicitly specify the disallowed options.
        ip {
            loose-source-route-option;
            record-route-option;
            security-option;
            stream-option;
            strict-source-route-option;
            timestamp-option;
            # router-alert option for IPv4 is not supported.
        }
    }
}
[edit services]
ids {
    rule r1 {
        match-direction input;
        term t1 {
            then {
                allow-ipv6-extension-header [ ah dstopts esp fragment hop-by-hop mobility routing ];
            }
        }
    }
}
[edit services]
screen {
    ids-option ids1 {
        match-direction input;
        # By default, all ipv6 extensions are allowed.
    }
}
[edit services]
ids {
    rule r1 {
        match-direction input;
        term t1 {
            then {
                <no allow-ipv6-extension-header configured>
            }
        }
    }
}
[edit services]
screen {
    ids-option ids1 {
        match-direction input;
        ip {
            # Explicitly specify the disallowed extensions.
            ipv6-extension-header {
                AH-header;
                ESP-header;
                fragment-header;
                hop-by-hop-header;
                mobility-header;
                routing-header;
                # dstoptions is not supported.
            }
        }
    }
}
[edit services]
ids {
    rule r1 {
        match-direction input;
        term t1 {
            then {
                aggregation {
                    source-prefix 24;
                    destination-prefix 24;
                    source-prefix-ipv6 64;
                    destination-prefix-ipv6 64;
                }
            }
        }
    }
}
[edit services]
screen {
    ids-option ids1 {
        match-direction input;
        aggregation {
            source-prefix-mask 24;
            destination-prefix-mask 24;
            source-prefix-v6-mask 64;
            destination-prefix-v6-mask 64;
        }
    }
}
[edit services]
ids {
    rule r1 {
        match-direction input;
        term t1 {
            then {
                icmp-fragment-check;
                icmp-large-packet-check;
            }
        }
    }
}
[edit services]
screen {
    ids-option ids1 {
        match-direction input;
        # Group icmp checks under icmp.
        icmp {
            fragment;
            large;
        }
    }
}
[edit services]
ids {
    rule r1 {
        match-direction input;
        term t1 {
            then {
                land-attack-check;
                tcp-winnuke-check;
                tcp-syn-fragment-check;
                tcp-syn-defense;
            }
        }
    }
}
[edit services]
screen {
    ids-option ids1 {
        match-direction input;
        # Group tcp checks under tcp.
        tcp {
            land;
            winnuke;
            syn-frag;
            # tcp-syn-defense is not supported.
        }
    }
}
[edit services]
ids {
    rule r1 {
        match-direction input;
        term t1 {
            then {
                session-limit {
                    by-source {
                        maximum 100;
                        rate 10;
                        packets 1k;
                    }
                    by-destination {
                        maximum 100;
                        rate 10;
                        packets 1k;
                    }
                }
            }
        }
    }
}
[edit services]
screen {
    ids-option ids1 {
        match-direction input;
        limit-session {
            by-source {
                maximum-sessions 100;
                session-rate 10;
                packet-rate 1k;
            }
            by-destination {
                maximum-sessions 100;
                session-rate 10;
                packet-rate 1k;
            }
        }
    }
}
[edit services]
ids {
    rule r1 {
        match-direction input;
        term t1 {
            then {
                session-limit {
                    by-source {
                        by-protocol {
                            tcp {
                                maximum 100;
                                rate 10;
                                packets 1k;
                            }
                            udp {
                                maximum 100;
                                rate 10;
                                packets 1k;
                            }
                            icmp {
                                maximum 100;
                                rate 10;
                                packets 1k;
                            }
                        }
                    }
                }
            }
        }
    }
}
[edit services]
screen {
    ids-option ids1 {
        match-direction input;
        limit-session {
            by-source {
                by-protocol {
                    tcp {
                        maximum-sessions 100;
                        session-rate 10;
                        packet-rate 1k;
                    }
                    udp {
                        maximum-sessions 100;
                        session-rate 10;
                        packet-rate 1k;
                    }
                    icmp {
                        maximum-sessions 100;
                        session-rate 10;
                        packet-rate 1k;
                    }
                }
            }
        }
    }
}
[edit services]
ids {
    rule r1 {
        match-direction input;
        term t1 {
            then {
                session-limit {
                    by-destination {
                        by-protocol {
                            tcp {
                                maximum 100;
                                rate 10;
                                packets 1k;
                            }
                            udp {
                                maximum 100;
                                rate 10;
                                packets 1k;
                            }
                            icmp {
                                maximum 100;
                                rate 10;
                                packets 1k;
                            }
                        }
                    }
                }
            }
        }
    }
}
[edit services]
screen {
    ids-option ids1 {
        match-direction input;
        limit-session {
            by-destination {
                by-protocol {
                    tcp {
                        maximum-sessions 100;
                        session-rate 10;
                        packet-rate 1k;
                    }
                    udp {
                        maximum-sessions 100;
                        session-rate 10;
                        packet-rate 1k;
                    }
                    icmp {
                        maximum-sessions 100;
                        session-rate 10;
                        packet-rate 1k;
                    }
                }
            }
        }
    }
}
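
The change of default described above is easy to lose in a migration: an MS card rule that allowed only a few IPv4 options or IPv6 extension headers becomes allow-all on the SP3 unless the rest are listed explicitly. The following is an added example, not Juniper's code: convert, _allowed, _blocked and the sample rule are constructed for illustration, and the keyword pairing is inferred from the two columns of Table 21. It derives the SP3 ids-option that blocks everything the MS rule did not allow and reports what the table marks as not supported on the SP3.

```python
import re

# MS-card allow-list keyword -> SP3 screen keyword that blocks the same item.
# Pairing inferred from the two columns of Table 21 (an assumption); None
# marks items the table says the SP3 screen does not support.
IPV4_OPTIONS = {
    "loose-source-route": "loose-source-route-option",
    "route-record": "record-route-option",
    "router-alert": None,
    "security": "security-option",
    "stream-id": "stream-option",
    "strict-source-route": "strict-source-route-option",
    "timestamp": "timestamp-option",
}
IPV6_HEADERS = {
    "ah": "AH-header",
    "dstopts": None,
    "esp": "ESP-header",
    "fragment": "fragment-header",
    "hop-by-hop": "hop-by-hop-header",
    "mobility": "mobility-header",
    "routing": "routing-header",
}

# Constructed sample of a legacy MS-card rule (not taken from a real router).
LEGACY_RULE = """
ids {
    rule r1 {
        match-direction input;
        term t1 {
            then {
                allow-ip-options [ router-alert timestamp ];
                allow-ipv6-extension-header [ ah esp fragment dstopts ];
            }
        }
    }
}
"""


def _allowed(legacy, statement):
    """Keywords in 'statement [ a b ];' or 'statement a;' (empty set if absent)."""
    pattern = r"\b%s\s+(?:\[([^\]]*)\]|([\w-]+))\s*;" % re.escape(statement)
    m = re.search(pattern, legacy)
    return set((m.group(1) or m.group(2) or "").split()) if m else set()


def _blocked(table, allowed, what):
    """Items the MS card dropped by default: (SP3 keywords, items with no SP3 keyword)."""
    unknown = allowed - set(table)
    if unknown:
        raise ValueError("unknown %s keyword(s): %s" % (what, sorted(unknown)))
    dropped = [k for k in table if k not in allowed]
    return [table[k] for k in dropped if table[k]], [k for k in dropped if not table[k]]


def convert(legacy, name):
    """Return (SP3 ids-option text, gaps) that preserves the MS card's default drop."""
    v4, gap4 = _blocked(IPV4_OPTIONS, _allowed(legacy, "allow-ip-options"), "IPv4 option")
    v6, gap6 = _blocked(IPV6_HEADERS, _allowed(legacy, "allow-ipv6-extension-header"),
                        "IPv6 header")
    m = re.search(r"match-direction\s+([\w-]+)\s*;", legacy)
    lines = ["screen {", "    ids-option %s {" % name,
             "        match-direction %s;" % (m.group(1) if m else "input")]
    if v4 or v6:
        lines.append("        ip {")
        lines += ["            %s;" % kw for kw in v4]
        if v6:
            lines.append("            ipv6-extension-header {")
            lines += ["                %s;" % kw for kw in v6]
            lines.append("            }")
        lines.append("        }")
    lines += ["    }", "}"]
    return "\n".join(lines), gap4 + gap6


if __name__ == "__main__":
    stanza, gaps = convert(LEGACY_RULE, "ids1")
    print(stanza)
    print("dropped on MS card, not supported on SP3:", gaps or "none")
```

A non-empty gaps list means the SP3 screen will pass traffic that the MS card rule dropped, so that traffic needs another control or an accepted exception before cutover.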

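Migrating from the MS Card to the SP3

Use this procedure to configure the router to support Next Gen Services.

This procedure is typically used to migrate a router that supports legacy services on MS cards to one that supports Next Gen Services on the SP3, but it also applies when the router being migrated contains no MS cards.

Because the Next Gen Services configuration is not compatible with the legacy services configuration, migrating a router to support Next Gen Services on the SP3 requires you to completely deconfigure and reconfigure the router. In addition:

  • You cannot install an SP3 card in a router that has MS cards.

  • You cannot configure Next Gen Services on a router equipped with MS cards.

  • You cannot configure legacy services on a router equipped with SP3 cards.

In other words, a router can run with MS cards or with SP3 cards, but not with both at the same time.

Note:

This procedure is service affecting. You set the router to the factory-default configuration.

  1. Upgrade the router to release 19.3R2.
  2. Back up the current router configuration to a remote host.
  3. Set the router to the factory-default configuration.
    1. Load the factory-default configuration on the router:
    2. Configure the management interface with the same IP address it had before you loaded the factory-default configuration:
    3. Configure SSH so that you can continue to access the router. For example:
    4. Commit the changes.
  4. Enable Next Gen Services on the router.

    Junos OS provides a system-wide operational parameter that you enable if you want to configure Next Gen Services on the router. By default, this parameter is not enabled.

    In operational mode:

    Note:

    This setting is persistent and survives a reboot.

  5. Reboot the router.
  6. Replace the MS cards with SP3 cards.
  7. Reconfigure the router.

    You can start by restoring the backup from step 2, but you might need to change that configuration to make it compatible with Next Gen Services before you can commit it.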