
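Configuration Differences Between Adaptive Services and Next Gen Services on the MX-SPC3

Overview

Next Gen Services on the MX-SPC3 require you to configure services differently from what you are accustomed to with Adaptive Services running on MS-type cards (MS-MPC, MS-MIC, and MS-DPC). Configuring the MX-SPC3 services card is more closely aligned with the way you configure the SRX Series services gateway. Once you are familiar with this more unified approach, you should be able to configure services on these two platforms in a more seamless fashion, ultimately reducing training overhead and lowering the risk of configuration errors.

Aside from the CLI differences, you also need to be aware of the basic hardware differences between multiservices (MS) type cards (MS-DPC, MS-MPC, and MS-MIC) and the MX-SPC3 services card. MS-type cards contain four CPU complexes, whereas the MX-SPC3 card, while more powerful, contains two CPU complexes. Each CPU complex services a single PIC, which means that MS-type cards support four PICs whereas the MX-SPC3 supports two PICs. MS-type cards use special multiservices (MS) and adaptive services (AS) PICs, whereas the PICs on the MX-SPC3 card are integrated.

Because the number of PICs directly affects the number of interfaces (Table 1), you might need to add logical units to each interface on the MX-SPC3 to bring the number of interfaces up to four. For example, if you currently use all four interfaces on the MS-type card and have one service set per interface, you can create two logical units per interface on the MX-SPC3 to bring the total number of interfaces to four, and then re-associate the four service sets with these four logical interfaces.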

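Table 1: Hardware Differences: MS-Type Cards Versus the MX-SPC3 Card

|                                    | MS Cards | MX-SPC3 |
|------------------------------------|----------|---------|
| Number of CPU complexes            | 4        | 2       |
| Number of PICs per CPU complex     | 1        | 1       |
| Number of interfaces per PIC       | 1        | 1       |
| Total number of interfaces on card | 4        | 2       |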

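Note:

For details about the MX-SPC3 hardware, see the MX Series 5G Universal Routing Platform Interface Module Reference.

The following sections provide an overview of the basic configuration differences between services on MS-type cards and services on the MX-SPC3 card. The intent of these sections is to help you get started by using basic examples to illustrate the major changes. The examples show a subset of the CLI configuration options and do not replace the more formal treatment of the subject matter found in the Next Gen Services Interfaces User Guide for Routing Devices and the Junos OS CLI Reference Guide.

The configuration examples in these sections are presented side by side so that you can easily see the differences between the two. The examples are intended to show you how to configure existing MS-type card features on the MX-SPC3. They are not intended to show you how to configure new features found only on the MX-SPC3. For ease of reading and comparison, the order in which statements are shown might differ slightly from the actual order in which they are displayed in the CLI.

If you have a large set of existing adaptive services, we recognize that these changes might be an inconvenience to you. To help you migrate from MS-type cards to the MX-SPC3, we suggest that you proceed as follows:

  • Look through the examples in this guide to get a general idea of the changes required.

  • Look through the set of configuration examples in Knowledge Base article KB35348.

  • Read through this guide and the Junos OS CLI Reference Guide to understand all the features, configuration options, and syntax.

  • Contact JTAC for help with your migration.

You do not need to make these configuration changes if you continue to run adaptive services on MS-type cards. However, once you deploy the MX-SPC3 on a router, you must replace all MS-type cards on that router and reconfigure your services to conform to the Next Gen Services configuration paradigm.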

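Interfaces

MS-type cards use the ms-1/0/0 interface naming convention, whereas you specify MX-SPC3 interfaces using the virtual multiservice, or vms-1/0/0, interface naming convention. There are no changes to the names of ams and mams interfaces.

In addition, many of the parameters that are configured under services-options on an ms interface are configured under service-set-options in a service set.

Table 2 shows examples of these changes.

Table 2: Interfaces and Service Options

Columns: MS-Type Card | MX-SPC3. Each row is shown as the MS-type card configuration followed by its MX-SPC3 equivalent.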

[edit interfaces]
ms-5/1/0 {
    <...>
}
[edit interfaces]
# Change interface name to vms.
vms-5/1/0 {
    <...>
}
[edit interfaces]
ms-5/1/0 {
    services-options {
        open-timeout 40;
        close-timeout 40;
        inactivity-tcp-timeout 10;
        inactivity-asymm-tcp-timeout 10;
        tcp-tickles 8;
        ignore-errors tcp;
    }
}
[edit services]
service-set sset1 {
    service-set-options {
        # Set tcp parameters under tcp-session.
        tcp-session {
            open-timeout 40;
            close-timeout 40;
            inactivity-tcp-timeout 10;
            inactivity-asymm-tcp-timeout 10;
            tcp-tickles 8;
            ignore-errors tcp;
        }
    }
}
[edit interfaces]
ms-5/1/0 {
    services-options {
        inactivity-non-tcp-timeout 40;
        session-timeout 10;
    }
}
[edit services]
service-set sset1 {
    # Set non-tcp parameters directly under 
    # service-set-options.
    service-set-options {
        inactivity-non-tcp-timeout 40;
        session-timeout 10;
    }
}
[edit interfaces]
ms-5/1/0 {
    services-options {
        fragment-limit 32;
        reassembly-timeout 3;
    }
}

MX-SPC3: These parameters are hard-coded as follows:

  • fragment-limit 62

  • reassembly-timeout 2

[edit interfaces]
ms-5/1/0 {
    services-options {
        session-limit {
            maximum 100;
            cpu-load-threshold 12;
            rate 10;
        }
    }
}
[edit services]
# Maximum number of sessions can be 
# specified per service-set.
service-set sset1 {
    service-set-options {
        session-limit {
            maximum 100;
        }
    }
}
[edit interfaces]
# All session-limit parameters continue to be 
# configurable per interface. If the maximum
# number of sessions is different from the associated 
# service-set, the smaller number takes effect.
vms-5/1/0 {
    services-options {
        session-limit {
            maximum 100;
            cpu-load-threshold 12;
            rate 10;
        }
    }
}
[edit interfaces]
ms-5/1/0 {
    services-options {
        pba-interim-logging-interval 10;
    }
}
[edit services]
# Set interim-logging-interval under the nat branch.
nat {
    source {
        pool src-pool {
            port {
                block-allocation {
                    interim-logging-interval 10;
                }
            }
        }
    }
}
[edit interfaces]
ms-5/1/0 {
    services-options {
        syslog {
            host {
                <...>
            }
        }
    }
}

MX-SPC3: See service-set syslog stream host.

[edit interfaces]
ms-5/1/0 {
    services-options {
        syslog {
            message-rate-limit 10;
        }
    }
}
[edit services]
service-set sset1 {
    syslog {
        event-rate 10;
    }
}
[edit interfaces]
ms-5/1/0 {
    services-options {
        ignore-errors alg;
        disable-global-timeout-override;
        trio-flow-offload {
            minimum-bytes 1000;
        }
    }
}

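MX-SPC3: Not supported.

Service Set

Table 3 shows minor changes in the way that some service-set parameters are configured.

Table 3: Service Set

Columns: MS-Type Card | MX-SPC3. Each row is shown as the MS-type card configuration followed by its MX-SPC3 equivalent.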

[edit services]
service-set sset1 {
    tcp-mss 1460;
    service-set-options {
        tcp-non-syn drop-flow-send-rst;
        tcp-fast-open drop;
    }
}
[edit services]
service-set sset1 {
    service-set-options {
        # Set tcp parameters under tcp-session.
        tcp-session {
            tcp-mss 1460;
            tcp-non-syn drop-flow-send-rst;
            tcp-fast-open drop;
        }
    }
}
[edit services]
service-set sset1 {
    replicate-services {
        replication-threshold 180;
    }
}
[edit interfaces]
# Set replication-threshold on the interface.
vms-5/1/0 {
    redundancy-options {
        replication-threshold 180;
    }
}
[edit services]
service-set sset1 {
    syslog {
        host 10.1.1.1 {
            port 514;
        }
    }
}
[edit services]
service-set sset1 {
    syslog {
        # Process security logs in the dataplane.
        mode stream;
        stream s1 {
            # Specify host to send security logs to.
            host {
                10.1.1.1;
                port 514;
            }
        }
    }
}
[edit services]
service-set sset1 {
    syslog {
        host local;
    }
}
[edit services]
service-set sset1 {
    syslog {
        # Process security logs in the control plane,
        # saving logs to local file specified by rtlog.
        mode event;
    }
}
rtlog {
    traceoptions {
        # Specify filename for logs.
        file rtlog size 1g;
        flag all;
    }
}
[edit services]
service-set sset1 {
    service-order  <...>
}

MX-SPC3: The service order is fixed.

[edit services]
service-set sset1 {
    sampling-service  <...>
}

MX-SPC3: J-Flow logging is supported inline.

[edit services]
service-set sset1 {
    tag-rule-sets <...>
    tag-rules  <...>
    hcm-profile  <...>
    hcm-url-rule-sets  <...>
    hcm-url-rules  <...>
    service-set-options {
        bypass-traffic-on-pic-failure;
    }
}

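MX-SPC3: Not currently supported.

Stateful Firewall

Rules and Policies

Stateful firewall rules on the MX-SPC3 are structured slightly differently from stateful firewall rules for services on the MS-type cards. On the MX-SPC3, you enclose the rules within a policies wrapper, and you define the match terms and actions for a rule in a policy contained within the rule.

Just as with a stateful firewall service on the MS-type card, you create a service set to associate an interface with a rule set. A rule set contains references to one or more rules. The rules are applied sequentially in the order that you list them until a match occurs and an action is taken.

Each rule contains one or more pairs of match terms and actions. On the MX-SPC3, each pair of match terms and actions is called a policy. The policies are applied sequentially in the order that you specify them until a match occurs and an action is taken.

Table 4 shows the configuration differences between stateful firewall rules on the MS card and on the MX-SPC3. In particular, note the different definitions of the permit/deny/reject actions.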

Table 4: Stateful Firewall Rules and Policies

MS Card

[edit services]
service-set s1 {
    stateful-firewall-rule-sets rule-set-basic-sfw;
    interface-service {
        service-interface ms-1/1/0;
    }
}
stateful-firewall {
    rule Rule1 {
        match-direction input;
        term ping-https-apps {
            from {
                source-address {
                    any;
                }
                destination-address {
                    any;
                }
                applications [junos-icmp-ping junos-https];
            }
            then {
                accept/reject/discard
                skip-ids;
                syslog;
            }
        }
        term accept {
            then {
                accept;
            }
        }
    } # end Rule1
    rule Rule2 {
        match-direction output;
        term local {
            from {
                source-address {
                    10.1.3.2/32;
                }
                application-sets APPL-SET1;
            }
            then {
                accept;
            }
        }
    } # end Rule2
    rule-set rule-set-basic-sfw {
        rule Rule1;
        rule Rule2;
    }
} # end stateful-firewall

MX-SPC3

[edit services]
service-set s1 {
    stateful-firewall-rule-sets rule-set-basic-sfw;
    interface-service {
        service-interface vms-1/1/0;
    }
}
# Enclose stateful firewall rules within the policies wrapper.
policies {
    stateful-firewall-rule Rule1 {
        match-direction input;
        # Define match terms and actions in a policy.
        policy ping-https-apps {
            # Unlike the from statement, the match statement (and
            # source-address, destination-address, and application)
            # are mandatory.
            match {
                source-address any;
                destination-address any;
                application [ junos-icmp-ping  junos-https ];
            }
            then {
                # permit = allow
                # deny = silently drop
                # reject = drop and send ICMP unreachable or TCP RST
                permit/deny/reject
                # skip-ids is not supported. One possible way of
                # achieving this same goal is to create two
                # service-sets, one with IDS and one without IDS,
                # and route your next-hop-service
                # traffic to the desired service set via the associated
                # inside or outside interface.
                log;
            }
        }
        policy accept {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
    } # end Rule1
    stateful-firewall-rule Rule2 {
        match-direction output;
        policy local {
            match {
                source-address 10.1.3.2/32;
                destination-address any;
                # application can refer to an application set.
                application APPL-SET1;
            }
            then {
                permit;
            }
        }
    } # end Rule2
    # Use the stateful-firewall-rule-set element to list the
    # firewall rules in the order that you want them applied.
    stateful-firewall-rule-set rule-set-basic-sfw {
        stateful-firewall-rule Rule1;
        stateful-firewall-rule Rule2;
    }
} # end policies

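Address Lists and Ranges

Stateful firewall rules can contain match terms that refer to address ranges and lists.

On the MS card, you use the source-address-range and destination-address-range elements to specify address ranges, and the prefix-list element under policy-options to specify address lists. The prefix-list element is not used solely for stateful firewall rules. You also use the prefix-list element to specify address lists for use in routing policies.

On the MX-SPC3, the prefix-list element is not used for stateful firewall rules. You use an address-book under services to define address lists and ranges for use in stateful firewall rules. The prefix-list element still exists, but it is used exclusively for routing policies. Therefore, if you specify address lists for stateful firewall rules and address lists for routing policies, you need to configure both address-book and prefix-list elements.

Table 5 shows the difference between how you specify addresses for stateful firewall rules on the MS card and on the MX-SPC3.

Table 5: Addresses

MS Card

[edit]
policy-options {
    prefix-list p1 {
        10.1.22.45/32;
        192.168.0.11/32;
    }
}
[edit services]
    stateful-firewall {
        rule sfw-rule {
            match-direction input;
            term banned-addresses {
                from {
                    source-prefix-list {
                        p1;
                    }
                    source-address-range {
                        low 10.1.22.100 high 10.1.22.109;
                    }
                }
                then {
                    reject;
                    syslog;
                }
            }
        <...>

MX-SPC3

[edit services]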
# Define address lists and address ranges in an address book.
address-book {
    global {
        address-set p1 {
            address p1-a;
            address p1-b;
        }
        address p1-a 10.1.22.45/32;
        address p1-b 192.168.0.11/32;
        address p2 { 
            address-range 10.1.22.100/32 {
                to {
                    10.1.22.109/32;
                }
            } 
        } 
    } 
} # end address-book
policies { 
    stateful-firewall-rule sfw-rule {
        match-direction input;
        policy banned-addresses { 
            match {
                # Refer to the addresses defined in the address book.
                source-address [ p1 p2 ];
                destination-address any;
                application any;
            }
            then {
                deny;
                log;
            }
        <...>

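Applications

The MX-SPC3 supports more built-in Junos applications than the MS card. You can match on these built-in applications when you create stateful firewall rules.

To see the complete list of built-in applications, use the show groups junos-defaults applications configuration mode command. For example:

Traceoptions and Counters

The stateful firewall for Next Gen Services on the MX-SPC3 supports additional capabilities to help you debug and count traffic:

  • traceoptions - Use to trace policy-related events such as policy lookups and rule-based events. The events are captured in the specified file for viewing.

  • count - Use to count traffic-related events such as incoming/outgoing bytes and packets. View the counters using show commands:

    • show services policies detail - When you specify the count option in your policy, the output includes traffic-related counters.

    • show services policies hit-count - The hit count is always available regardless of whether you use the count option in your policy.

Table 6 shows how to use the traceoptions and count elements:

Table 6: Traceoptions and Count

MS Card

Not supported

MX-SPC3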

[edit services]
policies { 
# Enable traceoptions to trace policy-related events.
    traceoptions {
        file policylogs size 10m files 5;
        flag all;
    }
    stateful-firewall-rule Rule1 {
        match-direction input;
        policy my-policy { 
            match {
                source-address any;
                destination-address any;
                application [ junos-dns-udp junos-dns-tcp ];
            }
            then {
                permit;
                # Enable counting of traffic events.
                count;
            }
        } # end my-policy
    ...

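Carrier-Grade Network Address Translation (CGNAT)

Configuring NAT for Next Gen Services on the MX-SPC3 is different from configuring NAT for legacy services on the MS card:

  • On the MX-SPC3, you configure source NAT independently of destination NAT. You configure source NAT in the source branch of the configuration tree and destination NAT in the destination branch of the configuration tree. Source NAT and destination NAT each have their own set of address pools and rules in their respective branches of the configuration tree.

  • On the MX-SPC3, if you configure both source NAT and destination NAT, destination NAT is applied first, and source NAT is then applied to the result of the destination NAT translation. In other words, you write the source NAT rule based not on the original packet but on the result of the destination NAT translation.

  • On the MX-SPC3, you do not explicitly configure a translation-type. The translation type is determined implicitly by your configuration.

  • On the MX-SPC3, port translation is the default behavior for dynamic mappings (where different pre-NAT addresses might map to the same post-NAT address over time). If you do not explicitly include the port statement in a pool definition, port translation takes place with a port range of [1024, 65535], and the port is selected in round-robin fashion. If you do not want port translation to take place, you must add a port statement with the no-translation option. This default does not apply to static mappings, where a pre-NAT address always maps to the same post-NAT address.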
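The following Python sketch is an added example, not Juniper code or part of the original page: it models the destination-NAT-then-source-NAT evaluation order using the stateful NAT464 rules from Table 13, and the host-address-base static mapping using the basic NAT44 addresses from Table 7. The function names, the sample packet, the /96 prefix-stripping model, and the upper-bound check in host_address_base_map are assumptions made for illustration.

```python
"""Added illustration (not Juniper code): MX-SPC3 NAT evaluation order and
host-address-base static mapping, using addresses from Tables 7 and 13."""
import ipaddress


def matches(addr, prefix):
    """True if addr is inside prefix. An IPv4 address never matches an IPv6 prefix."""
    ip = ipaddress.ip_address(addr)
    net = ipaddress.ip_network(prefix, strict=False)
    return ip.version == net.version and ip in net


def strip_prefix96(addr, prefix):
    """Model of destination-prefix handling for a /96: the low 32 bits of the
    IPv6 destination become the IPv4 destination (RFC 6052 layout for /96)."""
    if ipaddress.ip_network(prefix, strict=False).prefixlen != 96:
        raise ValueError("this sketch only handles /96 prefixes")
    return str(ipaddress.IPv4Address(int(ipaddress.ip_address(addr)) & 0xFFFFFFFF))


def host_address_base_map(src, base, pool):
    """Static mapping: base maps to the lowest pool address, the next address
    to the next pool address, and so on. A source lower than the base is
    discarded (None), as the pool comments state. Treating an offset past the
    end of the pool as a discard is an assumption of this sketch."""
    offset = int(ipaddress.ip_address(src)) - int(ipaddress.ip_address(base))
    net = ipaddress.ip_network(pool, strict=False)
    if offset < 0 or offset >= net.num_addresses:
        return None
    return str(net.network_address + offset)


def evaluate(src, dst, dest_rules, src_rules):
    """Destination rules run first; source rules then match on the RESULT."""
    for rule in dest_rules:
        if matches(dst, rule["destination-address"]):
            dst = strip_prefix96(dst, rule["destination-prefix"])
            break
    for rule in src_rules:
        if matches(src, rule["source-address"]) and matches(dst, rule["destination-address"]):
            return {"dst_after_dnat": dst, "source_rule": rule["name"], "pool": rule["pool"]}
    return {"dst_after_dnat": dst, "source_rule": None, "pool": None}


# Rules transcribed from the MX-SPC3 column of Table 13.
DEST_RULES = [{"name": "r1",
               "destination-address": "2001:DB8:2222::0/96",
               "destination-prefix": "2001:DB8:2222::0/96"}]
SRC_RULES = [{"name": "r1",
              "source-address": "2001:DB8:1111::0/96",
              "destination-address": "0.0.0.0/0",
              "pool": "src-pool"}]
# Hypothetical migration mistake: the source rule is written against the
# ORIGINAL IPv6 destination instead of the post-destination-NAT address.
SRC_RULES_PRE_DNAT = [dict(SRC_RULES[0], **{"destination-address": "2001:DB8:2222::0/96"})]

# Constructed sample packet: the destination embeds 198.51.100.7 in the /96.
PKT_SRC = "2001:db8:1111::c0a8:105"
PKT_DST = "2001:db8:2222::c633:6407"

if __name__ == "__main__":
    print("correct rule :", evaluate(PKT_SRC, PKT_DST, DEST_RULES, SRC_RULES))
    print("pre-DNAT rule:", evaluate(PKT_SRC, PKT_DST, DEST_RULES, SRC_RULES_PRE_DNAT))
    # Table 7 values: base 10.45.1.0 maps onto pool 10.10.10.0/24.
    print("10.45.1.1   ->", host_address_base_map("10.45.1.1", "10.45.1.0", "10.10.10.0/24"))
    print("10.45.0.255 ->", host_address_base_map("10.45.0.255", "10.45.1.0", "10.10.10.0/24"))
```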

Table 7 through Table 19 show examples of how to configure the different translation types on the MX-SPC3.

Table 7: Example: Basic NAT44

MS Card

[edit services]
service-set sset1 {
    nat-rules rule-basic-nat44;
    interface-service {
        service-interface ms-1/2/0;
    }
}
nat {
    pool src-pool {
        address 10.10.10.0/24;
    }
    rule rule-basic-nat44 {
        match-direction input;
        term t1 {
            from {
                source-address {
                    10.45.1.0/24;
                }
            }
            then {
                translated {
                    source-pool src-pool;
                    translation-type {
                        basic-nat44;
                    }
                }
            }
        }
    }
} # end nat

MX-SPC3

[edit services]
service-set sset1 {
    nat-rule-sets rule-basic-nat44;
    interface-service {
        service-interface vms-2/0/0;
    }
}
nat {
    source {
        pool src-pool {
            address {
                10.10.10.0/24;
            }
            # host-address-base indicates a type of static mapping
            # where the base address 10.45.1.0/0 maps to the
            # lowest address in the pool, namely 10.10.10.0/0,
            # and the other addresses map sequentially from there
            # e.g. 10.45.1.1 maps to 10.10.10.1, and so on.
            # Since this is a static mapping, there is no port translation
            # by default.
            # Note that host-address-base does not have to be the
            # lowest address allowed by the subsequent source rule.
            # Any packet with a source address allowed by the source rule
            # but is lower than the host-address-base is discarded.
            host-address-base 10.45.1.0/0;
        }
        rule-set rule-basic-nat44 {
            match-direction input;
            rule r1 {
                match {
                    source-address 10.45.1.0/24;
                }
                then {
                    source-nat {
                        pool {
                            src-pool;
                        }
                    }
                }
            }
        }
    } # end source
} # end nat

Table 8: Example: Basic NAT66

MS Card

[edit services]
service-set sset1 {
    nat-rules rule-basic-nat66;
    interface-service {
        service-interface ms-1/2/0;
    }
}
nat {
    pool src-pool {
        address 2001:DB8:2222::0/96;
    }
    rule rule-basic-nat66 {
        match-direction input;
        term t1 {
            from {
                source-address {
                    2001:DB8:1111::0/96;
                }
            }
            then {
                translated {
                    source-pool src-pool;
                    translation-type {
                        basic-nat66;
                    }
                }
            }
        }
    }
} # end nat

MX-SPC3

[edit services]
service-set sset1 {
    nat-rule-sets rule-basic-nat66;
    interface-service {
        service-interface vms-2/0/0;
    }
}
nat {
    source {
        pool src-pool {
            address {
                2001:DB8:2222::0/96;
            }
        }
        rule-set rule-basic-nat66 {
            match-direction input;
            rule r1 {
                match {
                    source-address 2001:DB8:1111::0/96;
                }
                then {
                    source-nat {
                        pool {
                            src-pool;
                        }
                    }
                }
            }
        }
    } # end source
} # end nat

Table 9: Example: Dynamic NAT44

MS Card

[edit services]
service-set sset1 {
    nat-rules rule-dynamic-nat44;
    interface-service {
        service-interface ms-1/2/0;
    }
}
nat {
    pool src-pool {
        address-range low 10.10.10.2 high 10.10.10.10;
    }
    rule rule-dynamic-nat44 {
        match-direction input;
        term t0 {
            from {
                applications junos-icmp-all;
            }
            then {
                no-translation;
            }
        }
        term t1 {
            from {
                destination-address {
                    10.99.0.2/32;
                }
                source-address-range {
                    low 10.45.0.2 high 10.45.0.10;
                }
            }
            then {
                translated {
                    source-pool src-pool;
                    translation-type {
                        dynamic-nat44;
                    }
                }
            }
        }
    }
} # end nat

MX-SPC3

[edit services]
service-set sset1 {
    nat-rule-sets rule-dynamic-nat44;
    interface-service {
        service-interface vms-2/0/0;
    }
}
nat {
    source {
        pool src-pool {
            address {
                10.10.10.2/32 to 10.10.10.10/32;
            }
            # Since this is implicitly a dynamic mapping,
            # there is port translation by default, so we need to
            # explicitly specify that we don’t want port translation.
            port {
                no-translation;
            }
        }
        rule-set rule-dynamic-nat44 {
            match-direction input;
            rule r0 {
                match {
                    source-address 0.0.0.0/0;
                    application junos-icmp-all;
                }
                then {
                    source-nat {
                        off;
                    }
                }
            }
            rule r1 {
                match {
                    source-address-name addr1;
                    destination-address 10.99.0.2/32;
                }
                then {
                    source-nat {
                        pool {
                            src-pool;
                        }
                    }
                }
            }
        }
    } # end source
} # end nat

address-book {
    global {
        address addr1 {
            address-range 10.45.0.2/32 {
                to {
                    10.45.0.10/32;
                }
            }
        }
    }
}

Table 10: Example: NAPT-44

MS Card

[edit services]
service-set sset1 {
    nat-rules rule-napt44;
    interface-service {
        service-interface ms-1/2/0;
    }
}
nat {
    pool src-pool {
        address 10.10.10.0/24;
        port {
            automatic;
        }
    }
    rule rule-napt44 {
        match-direction input;
        term t1 {
            from {
                source-address {
                    10.45.1.0/24;
                }
                application-sets accept-algs;
            }
            then {
                translated {
                    source-pool src-pool;
                    translation-type {
                        napt44;
                    }
                }
            }
        }
    }
} # end nat

MX-SPC3

[edit services]
service-set sset1 {
    nat-rule-sets rule-napt44;
    interface-service {
        service-interface vms-2/0/0;
    }
}
nat {
    source {
        pool src-pool {
            address {
                10.10.10.0/24;
            }
            # Since this is implicitly a dynamic mapping,
            # and there is no explicit port statement
            # to indicate otherwise, the default port
            # mapping behavior takes effect.
        }
        rule-set rule-napt44 {
            match-direction input;
            rule r1 {
                match {
                    source-address 10.45.1.0/24;
                    application accept-algs;
                }
                then {
                    source-nat {
                        pool {
                            src-pool;
                        }
                    }
                }
            }
        }
    } # end source
} # end nat

Table 11: Example: NAPT-66

MS Card

[edit services]
service-set sset1 {
    nat-rules rule-napt66;
    interface-service {
        service-interface ms-1/2/0;
    }
}
nat {
    pool src-pool {
        address 2001:DB8:2222::0/112;
        port {
            range low 20000 high 30000;
        }
    }
    rule rule-napt66 {
        match-direction input;
        term t1 {
            from {
                source-address {
                    2001:DB8:1111::0/96;
                }
            }
            then {
                translated {
                    source-pool src-pool;
                    translation-type {
                        napt66;
                    }
                }
            }
        }
    }
} # end nat

MX-SPC3

[edit services]
service-set sset1 {
    nat-rule-sets rule-napt66;
    interface-service {
        service-interface vms-2/0/0;
    }
}
nat {
    source {
        pool src-pool {
            address {
                2001:DB8:2222::0/112;
            }
            port {
                range {
                    20000;
                    to {
                        30000;
                    }
                }
            }
        }
        rule-set rule-napt66 {
            match-direction input;
            rule r1 {
                match {
                    source-address 2001:DB8:1111::0/96;
                }
                then {
                    source-nat {
                        pool {
                            src-pool;
                        }
                    }
                }
            }
        }
    } # end source
} # end nat

Table 12: Example: dnat-44

MS Card

[edit services]
service-set sset1 {
    nat-rules rule-dnat-44;
    interface-service {
        service-interface ms-1/2/0;
    }
}
nat {
    pool dest-pool {
        address 10.10.10.2/32;
    }
    rule rule-dnat-44 {
        match-direction input;
        term t1 {
            from {
                destination-address {
                    10.45.0.2/32;
                }
            }
            then {
                translated {
                    destination-pool dest-pool;
                    translation-type {
                        dnat-44;
                    }
                }
            }
        }
    }
} # end nat

MX-SPC3

[edit services]
service-set sset1 {
    nat-rule-sets rule-dnat-44;
    interface-service {
        service-interface vms-2/0/0;
    }
}
nat {
    destination {
        pool dest-pool {
            address {
                10.10.10.2/32;
            }
        }
        rule-set rule-dnat-44 {
            match-direction input;
            rule r1 {
                match {
                    destination-address 10.45.0.2/32;
                }
                then {
                    destination-nat {
                        pool {
                            dest-pool;
                        }
                    }
                }
            }
        }
    } # end destination
} # end nat

Table 13: Example: Stateful NAT464

MS Card

[edit services]
service-set sset1 {
    nat-rules rule-stateful-nat464;
    interface-service {
        service-interface ms-1/2/0;
    }
}
nat {
    pool src-pool {
        address 10.10.10.0/24;
        port {
            automatic;
        }
    }
    rule rule-stateful-nat464 {
        match-direction input;
        term t1 {
            from {
                source-address {
                    2001:DB8:1111::0/96;
                }
                destination-address {
                    2001:DB8:2222::0/96;
                }
                applications [junos-icmp-all junos-icmp-ping junos-traceroute junos-traceroute-ttl-1];
            }
            then {
                translated {
                    source-pool src-pool;
                    clat-prefix 2001:DB8:1111::0/96;
                    destination-prefix 2001:DB8:2222::0/96;
                    translation-type {
                        stateful-nat464;
                    }
                }
            }
        }
    }
} # end nat

MX-SPC3

[edit services]
service-set sset1 {
    nat-rule-sets rule-stateful-nat464-src;
    nat-rule-sets rule-stateful-nat464-dest;
    interface-service {
        service-interface vms-2/0/0;
    }
}
nat {
    source {
        pool src-pool {
            address {
                10.10.10.0/24;
            }
            port {
                automatic {
                    round-robin;
                }
            }
        }
        # This source rule applies after the destination rule.
        rule-set rule-stateful-nat464-src {
            match-direction input;
            rule r1 {
                match {
                    source-address 2001:DB8:1111::0/96;
                    # Since destination NAT happens first, the
                    # destination IPv6 prefix has been stripped off,
                    # resulting in an IPv4 destination address.
                    destination-address 0.0.0.0/0;
                    application [junos-icmp-all junos-icmp-ping junos-traceroute junos-traceroute-ttl-1];
                }
                then {
                    source-nat {
                        pool {
                            src-pool;
                        }
                        clat-prefix 2001:DB8:1111::0/96;
                    }
                }
            }
        }
    } # end source

    destination {
        # This destination rule applies before the source rule.
        rule-set rule-stateful-nat464-dest {
            match-direction input;
            rule r1 {
                match {
                    destination-address 2001:DB8:2222::0/96;
                }
                then {
                    destination-nat {
                        destination-prefix 2001:DB8:2222::0/96;
                    }
                }
            }
        }
    } # end destination
} # end nat

Table 14: Example: Stateful NAT64

MS Card

[edit services]
service-set sset1 {
    nat-rules rule-stateful-nat64;
    interface-service {
        service-interface ms-1/2/0;
    }
}
nat {
    pool src-pool {
        address 10.10.10.0/24;
        port {
            automatic {
                random-allocation;
            }
        }
        mapping-timeout 500;
    }
    rule rule-stateful-nat64 {
        match-direction input;
        term t1 {
            from {
                destination-address {
                    2001:DB8:2222::0/64;
                }
            }
            then {
                translated {
                    source-pool src-pool;
                    destination-prefix 2001:DB8:2222::0/64;
                    translation-type {
                        stateful-nat64;
                    }
                }
            }
        }
        term t2 {
            from {
                destination-address {
                    2001:DB8:3333::0/64;
                }
            }
            then {
                translated {
                    source-pool src-pool;
                    destination-prefix 2001:DB8:3333::0/64;
                    translation-type {
                        stateful-nat64;
                    }
                }
            }
        }
    }
} # end nat

MX-SPC3

[edit services]
service-set sset1 {
    nat-rule-sets rule-stateful-nat64-src;
    nat-rule-sets rule-stateful-nat64-dest;
    interface-service {
        service-interface vms-2/0/0;
    }
}
nat {
    source {
        pool src-pool {
            address {
                10.10.10.0/24;
            }
            port {
                automatic {
                    random-allocation;
                }
            }
            mapping-timeout 500;
        }
        # This source rule applies after the destination rule.
        rule-set rule-stateful-nat64-src {
            match-direction input;
            rule r1 {
                match {
                    source-address 0::/0;
                    # Since destination NAT applies first, the
                    # destination address is now IPv4.
                    destination-address 0.0.0.0/0;
                }
                then {
                    source-nat {
                        pool {
                            src-pool;
                        }
                    }
                }
            }
        }
    } # end source

    destination {
        # This destination rule applies before the source rule.
        rule-set rule-stateful-nat64-dest {
            match-direction input;
            rule r1 {
                match {
                    destination-address 2001:DB8:2222::0/64;
                }
                then {
                    destination-nat {
                        destination-prefix 2001:DB8:2222::0/64;
                    }
                }
            }
            rule r2 {
                match {
                    destination-address 2001:DB8:3333::0/64;
                }
                then {
                    destination-nat {
                        destination-prefix 2001:DB8:3333::0/64;
                    }
                }
            }
        }
    } # end destination
} # end nat
Table 15: Example: Twice Basic NAT-44

MS Card

[edit services]
service-set sset1 {
    nat-rules rule-twice-basic-nat-44;
    interface-service {
        service-interface ms-1/2/0;
    }
}
nat {
    pool src-pool {
        address 10.98.10.0/24;
    }
    pool dest-pool {
        address 10.99.10.0/24;
    }
    rule rule-twice-basic-nat-44 {
        match-direction input;
        term t1 {
            from {
                source-address {
                    10.10.10.0/24;
                }
                destination-address {
                    10.20.10.0/24;
                }
            }
            then {
                translated {
                    source-pool src-pool;
                    destination-pool dest-pool;
                    translation-type {
                        twice-basic-nat-44;
                    }
                }
            }
        }
    }
} # end nat

MX-SPC3

[edit services]
service-set sset1 {
    nat-rule-sets rule-twice-basic-nat-44-src;
    nat-rule-sets rule-twice-basic-nat-44-dest;
    interface-service {
        service-interface vms-2/0/0;
    }
}
nat {
    source {
        pool src-pool {
            address {
                10.98.10.0/24;
            }
            # host-address-base indicates a type of static mapping where
            # the base address 10.10.10.0/0 maps to the lowest 
            # address in the pool, namely 10.98.10.0/0,
            # and the other addresses map sequentially from there
            # e.g. 10.10.10.1 maps to 10.98.10.1, and so on.
            # Since this is a static mapping, there is no port translation 
            # by default.
            # Note that host-address-base does not have to be the 
            # lowest address allowed by the subsequent source rule. 
            # Any packet with a source address allowed by the source rule
            # but is lower than the host-address-base is discarded. 
            host-address-base 10.10.10.0/0;
        }
        # This source rule applies after the destination rule.
        rule-set rule-twice-basic-nat-44-src {
            match-direction input;
            rule r1 {
                match {
                    source-address 10.10.10.0/24;
                    # Since destination NAT happens first, the destination
                    # address refers to the NAT’d address.
                    destination-address 10.99.10.0/24;
                }
                then {
                    source-nat {
                        pool {
                            src-pool;
                        }
                    }
                }
            }
        }
    } # end source

    destination {
        pool dest-pool {
            address {
                10.99.10.0/24;
            }
        }
        # This destination rule applies before the source rule.
        rule-set rule-twice-basic-nat-44-dest {
            match-direction input;
            rule r1 {
                match {
                    destination-address 10.20.10.0/24;
                }
                then {
                    destination-nat {
                        pool {
                            dest-pool;
                        }
                    }
                }
            }
        }
    } # end destination
} # end nat
Table 16: Example: Twice Dynamic NAT-44

MS Card

[edit services]
service-set sset1 {
    nat-rules rule-twice-dynamic-nat-44;
    interface-service {
        service-interface ms-1/2/0;
    }
}
nat {
    pool src-pool {
        address 10.98.10.0/24;
    }
    pool dest-pool {
        address 10.99.10.0/24;
    }
    rule rule-twice-dynamic-nat-44 {
        match-direction input;
        term t1 {
            from {
                source-address {
                    10.10.10.0/24;
                }
                destination-address {
                    10.20.10.0/24;
                }
            }
            then {
                translated {
                    source-pool src-pool;
                    destination-pool dest-pool;
                    translation-type {
                        twice-dynamic-nat-44;
                    }
                }
            }
        }
    }
} # end nat

MX-SPC3

[edit services]
service-set sset1 {
    nat-rule-sets rule-twice-dynamic-nat-44-src;
    nat-rule-sets rule-twice-dynamic-nat-44-dest;
    interface-service {
        service-interface vms-2/0/0;
    }
}
nat {
    source {
        pool src-pool {
            address {
                10.98.10.0/24;
            }
            port {
                no-translation;
            }
        }
        # This source rule applies after the destination rule.
        rule-set rule-twice-dynamic-nat-44-src {
            match-direction input;
            rule r1 {
                match {
                    source-address 10.10.10.0/24;
                    # Since destination NAT happens first, the destination
                    # address refers to the NAT’d address.
                    destination-address 10.99.10.0/24;
                }
                then {
                    source-nat {
                        pool {
                            src-pool;
                        }
                    }
                }
            }
        }
    } # end source

    destination {
        pool dest-pool {
            # By default, address mapping in destination pools is static.
            address {
                10.99.10.0/24;
            }
        }
        # This destination rule applies before the source rule.
        rule-set rule-twice-dynamic-nat-44-dest {
            match-direction input;
            rule r1 {
                match {
                    destination-address 10.20.10.0/24;
                }
                then {
                    destination-nat {
                        pool {
                            dest-pool;
                        }
                    }
                }
            }
        }
    } # end destination
} # end nat
Table 17: Example: Twice NAPT-44

MS Card

[edit services]
service-set sset1 {
    nat-rules rule-twice-napt-44;
    interface-service {
        service-interface ms-1/2/0;
    }
}
nat {
    pool src-pool {
        address 10.98.10.0/24;
        port {
            automatic;
            secured-port-block-allocation block-size 256 max-blocks-per-address 1 active-block-timeout 300;
        }
    }
    pool dest-pool {
        address 10.99.10.2/32;
    }
    rule rule-twice-napt-44 {
        match-direction input;
        term t1 {
            from {
                source-address {
                    10.10.10.0/24;
                }
                destination-address {
                    10.20.10.2/32;
                }
            }
            then {
                translated {
                    source-pool src-pool;
                    destination-pool dest-pool;
                    translation-type {
                        twice-napt-44;
                    }
                }
            }
        }
    }
} # end nat

MX-SPC3

[edit services]
service-set sset1 {
    nat-rule-sets rule-twice-napt-44-src;
    nat-rule-sets rule-twice-napt-44-dest;
    interface-service {
        service-interface vms-2/0/0;
    }
}
nat {
    source {
        pool src-pool {
            address {
                10.98.10.0/24;
            }
            port {
                automatic {
                    round-robin;
                }
                block-allocation {
                    block-size 256;
                    maximum-blocks-per-host 1;
                    active-block-timeout 300;
                }
            }
        }
        # This source rule applies after the destination rule.
        rule-set rule-twice-napt-44-src {
            match-direction input;
            rule r1 {
                match {
                    source-address 10.10.10.0/24;
                    # Since destination NAT happens first, the
                    # destination address refers to the NAT’d address.
                    destination-address 10.99.10.2/32;
                }
                then {
                    source-nat {
                        pool {
                            src-pool;
                        }
                    }
                }
            }
        }
    } # end source

    destination {
        pool dest-pool {
            address {
                10.99.10.2/32;
            }
        }
        # This destination rule applies before the source rule.
        rule-set rule-twice-napt-44-dest {
            match-direction input;
            rule r1 {
                match {
                    source-address 10.10.10.0/24;
                    destination-address 10.20.10.2/32;
                }
                then {
                    destination-nat {
                        pool {
                            dest-pool;
                        }
                    }
                }
            }
        }
    } # end destination
} # end nat
Table 18: Example: Deterministic NAPT44

MS Card

[edit services]
service-set sset1 {
    nat-rules rule-deterministic-napt44;
    interface-service {
        service-interface ms-1/2/0;
    }
}
nat {
    pool src-pool {
        address 10.10.10.0/24;
        port {
            range low 1024 high 19999;
            deterministic-port-block-allocation block-size 256;
        }
        mapping-timeout 120;
    }
    rule rule-deterministic-napt44 {
        match-direction input;
        term t1 {
            from {
                source-address {
                    10.2.0.0/18;
                }
            }
            then {
                translated {
                    source-pool src-pool;
                    translation-type {
                        deterministic-napt44;
                    }
                    mapping-type endpoint-independent;
                }
            }
        }
    }
} # end nat

MX-SPC3

[edit services]
service-set sset1 {
    nat-rule-sets rule-deterministic-napt44;
    interface-service {
        service-interface vms-2/0/0;
    }
}
nat {
    source {
        pool src-pool {
            address {
                10.10.10.0/24;
            }
            port {
                range {
                    1024;
                    to {
                        19999;
                    }
                }
                deterministic {
                    block-size 256;
                    # host address specifies the subnet that you
                    # want to apply to this pool.
                    host address 10.2.0.0/20;
                }
            }
            mapping-timeout 120;
        }
        rule-set rule-deterministic-napt44 {
            match-direction input;
            rule r1 {
                match {
                    source-address 10.2.0.0/18;
                }
                then {
                    source-nat {
                        pool {
                            src-pool;
                        }
                        mapping-type endpoint-independent;
                    }
                }
            }
        }
    } # end source
} # end nat
Table 19: Example: Deterministic NAPT64

MS Card

[edit services]
service-set sset1 {
    nat-rules rule-deterministic-napt64;
    interface-service {
        service-interface ms-1/2/0;
    }
}
nat {
    pool src-pool {
        address 10.98.10.0/24;
        port {
            automatic {
                random-allocation;
            }
            deterministic-port-block-allocation block-size 256;
        }
    }
    rule rule-deterministic-napt64 {
        match-direction input;
        term t1 {
            from {
                source-address {
                    2001:DB8:1111::1/120;
                }
            }
            then {
                translated {
                    destination-prefix 2001:DB8:2222::/96;
                    source-pool src-pool;
                    translation-type {
                        deterministic-napt64;
                    }
                }
            }
        }
    }
} # end nat

MX-SPC3

[edit services]
service-set sset1 {
    nat-rule-sets rule-deterministic-napt64-src;
    nat-rule-sets rule-deterministic-napt64-dest;
    interface-service {
        service-interface vms-2/0/0;
    }
}
nat {
    source {
        pool src-pool {
            address {
                10.98.10.0/24;
            }
            port {
                automatic {
                    random-allocation;
                }
                deterministic {
                    block-size 256;
                    host address 2001:DB8:1111::1/120;
                }
            }
        }
        # This source rule applies after the destination rule.
        rule-set rule-deterministic-napt64-src {
            match-direction input;
            rule r1 {
                match {
                    source-address 2001:DB8:1111::1/120;
                    # Since destination NAT happens first, the destination
                    # address refers to the NAT’d address.
                    destination-address 0.0.0.0/0;
                }
                then {
                    source-nat {
                        pool {
                            src-pool;
                        }
                    }
                }
            }
        }
    } # end source

    destination {
        pool dest-pool {
            address {
                10.99.10.2/32;
            }
        }
        # This destination rule applies before the source rule.
        # The rule-set name matches the one referenced by the service set.
        rule-set rule-deterministic-napt64-dest {
            match-direction input;
            rule r1 {
                match {
                    destination-address 2001:DB8:2222::/96;
                }
                then {
                    destination-nat {
                        destination-prefix 2001:DB8:2222::/96;
                    }
                }
            }
        }
    } # end destination
} # end nat
Table 20: Example: napt-pt

MS Card

[edit services]
service-set sset1 {
    nat-rules rule-napt-pt;
    interface-service {
        service-interface ms-1/2/0;
    }
}
nat {
    pool src-pool {
        address 10.10.10.2/32;
    }
    pool dest-pool {
        address 10.99.10.2/32;
    }
    rule rule-napt-pt {
        match-direction input;
        term t1 {
            from {
                source-address {
                    2001:DB8:1111::2/128;
                }
                destination-address {
                    2001:DB8:2222::2/128;
                }
            }
            then {
                translated {
                    source-pool src-pool;
                    destination-pool dest-pool;
                    translation-type {
                        napt-pt;
                    }
                }
            }
        }
    }
} # end nat

MX-SPC3

[edit services]
service-set sset1 {
    nat-rule-sets rule-napt-pt-src;
    nat-rule-sets rule-napt-pt-dest;
    interface-service {
        service-interface vms-2/0/0;
    }
}
nat {
    source {
        pool src-pool {
            address {
                10.10.10.2/32;
            }
        }
        rule-set rule-napt-pt-src {
            match-direction input;
            rule r1 {
                match {
                    source-address 2001:DB8:1111::2/128;
                    destination-address 10.99.10.0/24;
                }
                then {
                    source-nat {
                        pool {
                            src-pool;
                        }
                    }
                }
            }
        }
    } # end source

    destination {
        pool dest-pool {
            address {
                10.99.10.2/32;
            }
        }
        rule-set rule-napt-pt-dest {
            match-direction input;
            rule r1 {
                match {
                    destination-address 2001:DB8:2222::2/128;
                }
                then {
                    destination-nat {
                        pool {
                            dest-pool;
                        }
                    }
                }
            }
        }
    } # end destination
} # end nat

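Intrusion Detection System (IDS)

IDS rules for Next Gen Services on the MX-SPC3 are defined under the screen branch. The various elements are named slightly differently, but the main change is in how packets with IPv4 options and IPv6 extensions are handled:

  • For IDS services on the MS card, the default behavior is to detect and drop packets with IPv4 options and IPv6 extensions. If you want to allow these packets, you must explicitly allow them through configuration.

  • For IDS Next Gen Services on the MX-SPC3, the default behavior is to allow packets with IPv4 options and IPv6 extensions. If you want to detect and drop these packets, you must explicitly disallow them through configuration.

Table 21 shows examples of the configuration differences.

Table 21: IDS Rules

MS Card

MX-SPC3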

[edit services]
service-set sset1 {
    ids-rules r1;
    ids-rules r2;
}
[edit services]
service-set sset1 {
    # Replace ids-rules with ids-option.
    ids-option ids1;
    ids-option ids2;
}
[edit services]
ids {
    rule r1 {
        match-direction input;
        term t1 {
            <...>
        }
    }
}
[edit services]
# Define ids rules under the screen branch.
screen {
    # Replace rule with ids-option.
    ids-option ids1 {
        match-direction input;
        # Flatten hierarchy by removing term and placing 
        # contents directly under ids-option.
        <...>
    }
}
[edit services]
ids {
    rule r1 {
        match-direction input;
        term t1 {
            then {
                allow-ip-options [ loose-source-route route-record router-alert security stream-id strict-source-route timestamp ];
            }
        }
    }
}
[edit services]
screen {
    ids-option ids1 {
        match-direction input;
        # By default, all ip options are allowed.
    }
}
[edit services]
ids {
    rule r1 {
        match-direction input;
        term t1 {
            then {
                <no allow-ip-options configured>
            }
        }
    }
}
[edit services]
screen {
    ids-option ids1 {
        match-direction input;
        # Explicitly specify the disallowed options.
        ip {
            loose-source-route-option;
            record-route-option;
            security-option;
            stream-option;
            strict-source-route-option;
            timestamp-option;
            # router-alert option for IPv4 is not supported.
        }
    }
}
[edit services]
ids {
    rule r1 {
        match-direction input;
        term t1 {
            then {
                allow-ipv6-extension-header [ ah dstopts esp fragment hop-by-hop mobility routing ];
            }
        }
    }
}
[edit services]
screen {
    ids-option ids1 {
        match-direction input;
        # By default, all ipv6 extensions are allowed.
    }
}
[edit services]
ids {
    rule r1 {
        match-direction input;
        term t1 {
            then {
                <no allow-ipv6-extension-header configured>
            }
        }
    }
}
[edit services]
screen {
    ids-option ids1 {
        match-direction input;
        ip {
            # Explicitly specify the disallowed extensions.
            ipv6-extension-header {
                AH-header;
                ESP-header;
                fragment-header;
                hop-by-hop-header;
                mobility-header;
                routing-header;
                # dstoptions is not supported.
            }
        }
    }
}
[edit services]
ids {
    rule r1 {
        match-direction input;
        term t1 {
            then {
                aggregation {
                    source-prefix 24;
                    destination-prefix 24;
                    source-prefix-ipv6 64;
                    destination-prefix-ipv6 64;
                }
            }
        }
    }
}
[edit services]
screen {
    ids-option ids1 {
        match-direction input;
        aggregation {
            source-prefix-mask 24;
            destination-prefix-mask 24;
            source-prefix-v6-mask 64;
            destination-prefix-v6-mask 64;
        }
    }
}
[edit services]
ids {
    rule r1 {
        match-direction input;
        term t1 {
            then {
                icmp-fragment-check;
                icmp-large-packet-check;
            }
        }
    }
}
[edit services]
screen {
    ids-option ids1 {
        match-direction input;
        # Group icmp checks under icmp.
        icmp {
            fragment;
            large;
        }
    }
}
[edit services]
ids {
    rule r1 {
        match-direction input;
        term t1 {
            then {
                land-attack-check;
                tcp-winnuke-check;
                tcp-syn-fragment-check;
                tcp-syn-defense;
            }
        }
    }
}
[edit services]
screen {
    ids-option ids1 {
        match-direction input;
        # Group tcp checks under tcp.
        tcp {
            land;
            winnuke;
            syn-frag;
            # tcp-syn-defense is not supported.
        }
    }
}
[edit services]
ids {
    rule r1 {
        match-direction input;
        term t1 {
            then {
                session-limit {
                    by-source {
                        maximum 100;
                        rate 10;
                        packets 1k;
                    }
                    by-destination {
                        maximum 100;
                        rate 10;
                        packets 1k;
                    }
                }
            }
        }
    }
}
[edit services]
screen {
    ids-option ids1 {
        match-direction input;
        limit-session {
            by-source {
                maximum-sessions 100;
                session-rate 10;
                packet-rate 1k;
            }
            by-destination {
                maximum-sessions 100;
                session-rate 10;
                packet-rate 1k;
            }
        }
    }
}
[edit services]
ids {
    rule r1 {
        match-direction input;
        term t1 {
            then {
                session-limit {
                    by-source {
                        by-protocol {
                            tcp {
                                maximum 100;
                                rate 10;
                                packets 1k;
                            }
                            udp {
                                maximum 100;
                                rate 10;
                                packets 1k;
                            }
                            icmp {
                                maximum 100;
                                rate 10;
                                packets 1k;
                            }
                        }
                    }
                }
            }
        }
    }
}
[edit services]
screen {
    ids-option ids1 {
        match-direction input;
        limit-session {
            by-source {
                by-protocol {
                    tcp {
                        maximum-sessions 100;
                        session-rate 10;
                        packet-rate 1k;
                    }
                    udp {
                        maximum-sessions 100;
                        session-rate 10;
                        packet-rate 1k;
                    }
                    icmp {
                        maximum-sessions 100;
                        session-rate 10;
                        packet-rate 1k;
                    }
                }
            }
        }
    }
}
[edit services]
ids {
    rule r1 {
        match-direction input;
        term t1 {
            then {
                session-limit {
                    by-destination {
                        by-protocol {
                            tcp {
                                maximum 100;
                                rate 10;
                                packets 1k;
                            }
                            udp {
                                maximum 100;
                                rate 10;
                                packets 1k;
                            }
                            icmp {
                                maximum 100;
                                rate 10;
                                packets 1k;
                            }
                        }
                    }
                }
            }
        }
    }
}
[edit services]
screen {
    ids-option ids1 {
        match-direction input;
        limit-session {
            by-destination {
                by-protocol {
                    tcp {
                        maximum-sessions 100;
                        session-rate 10;
                        packet-rate 1k;
                    }
                    udp {
                        maximum-sessions 100;
                        session-rate 10;
                        packet-rate 1k;
                    }
                    icmp {
                        maximum-sessions 100;
                        session-rate 10;
                        packet-rate 1k;
                    }
                }
            }
        }
    }
}
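
Because the default flips from drop to allow, an MS-card term with no allow list (or a partial one) stops dropping option-bearing packets after migration unless the complement is listed under screen. The following added example (not Juniper code, not part of the original page) computes that complement; the keyword pairing is an assumption read from the side-by-side lists in Table 21, and the function names are hypothetical.

```python
# Added example: derive the MX-SPC3 screen statements that preserve an MS-card
# IDS term's drop behaviour for IPv4 options and IPv6 extension headers.

# MS-card keyword -> MX-SPC3 keyword, paired as they appear in Table 21
# (pairing is an assumption). None = Table 21 marks it "not supported".
IPV4_OPTIONS = {
    "loose-source-route": "loose-source-route-option",
    "route-record": "record-route-option",
    "router-alert": None,
    "security": "security-option",
    "stream-id": "stream-option",
    "strict-source-route": "strict-source-route-option",
    "timestamp": "timestamp-option",
}
IPV6_EXTENSIONS = {
    "ah": "AH-header",
    "dstopts": None,
    "esp": "ESP-header",
    "fragment": "fragment-header",
    "hop-by-hop": "hop-by-hop-header",
    "mobility": "mobility-header",
    "routing": "routing-header",
}


def _complement(allowed, mapping, kind):
    """Return (MX-SPC3 keywords to list, MS keywords that cannot be dropped)."""
    allowed = set(allowed)
    unknown = sorted(allowed - set(mapping))
    if unknown:
        raise ValueError(f"unknown {kind} keyword(s): {', '.join(unknown)}")
    drop, gaps = [], []
    for ms_kw, spc3_kw in mapping.items():
        if ms_kw in allowed:
            continue  # allowed on the MS card; MX-SPC3 allows it by default
        if spc3_kw is None:
            gaps.append(ms_kw)  # dropped on the MS card, no screen equivalent
        else:
            drop.append(spc3_kw)
    return drop, gaps


def migrate_ids_term(allow_ip_options=(), allow_ipv6_extension_header=()):
    """Map an MS-card term's allow lists to the explicit MX-SPC3 drop lists."""
    v4, v4_gaps = _complement(allow_ip_options, IPV4_OPTIONS, "IPv4 option")
    v6, v6_gaps = _complement(allow_ipv6_extension_header, IPV6_EXTENSIONS,
                              "IPv6 extension")
    return {"ip": v4, "ipv6-extension-header": v6,
            "unenforceable": v4_gaps + v6_gaps}


def render_screen(name, result, direction="input"):
    """Render the result in the layout Table 21 uses under [edit services]."""
    out = ["screen {", f"    ids-option {name} {{",
           f"        match-direction {direction};"]
    if result["ip"] or result["ipv6-extension-header"]:
        out.append("        ip {")
        out += [f"            {kw};" for kw in result["ip"]]
        if result["ipv6-extension-header"]:
            out.append("            ipv6-extension-header {")
            out += [f"                {kw};"
                    for kw in result["ipv6-extension-header"]]
            out.append("            }")
        out.append("        }")
    out += ["    }", "}"]
    return "\n".join(out)


if __name__ == "__main__":
    # Constructed input: an MS-card term that allowed only router-alert and esp.
    res = migrate_ids_term(["router-alert"], ["esp"])
    print(render_screen("ids1", res))
    for kw in res["unenforceable"]:
        print(f"# review: '{kw}' was dropped on the MS card, no screen keyword")
```

Entries returned under "unenforceable" are packets the MS card dropped by default that the screen branch cannot match, so they need a separate control or an accepted-risk decision.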

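Migrating from the MS Card to the MX-SPC3

Use this procedure to configure a router to support Next Gen Services.

This procedure is typically used to migrate a router that supports legacy services on the MS card to a router that supports Next Gen Services on the MX-SPC3, but it applies even if the router you are migrating from does not contain an MS card.

Because Next Gen Services configuration is not compatible with legacy services configuration, migrating a router to support Next Gen Services on the MX-SPC3 requires you to completely deconfigure and reconfigure the router. In addition:

  • You cannot install an MX-SPC3 card in a router that has MS cards.

  • You cannot configure Next Gen Services on a router equipped with MS cards.

  • You cannot configure legacy services on a router equipped with MX-SPC3 cards.

In other words, a router can run with either MS cards or MX-SPC3 cards, but not both at the same time.

Note:

This procedure is service affecting. You are setting the router to the factory-default configuration.

  1. Upgrade the router to Release 19.3R2.
  2. Back up the current router configuration to a remote host.
  3. Set the router to the factory-default configuration.
    1. Load the router with the factory-default configuration:
    2. Configure the management interface with the same IP address that it had before you loaded the factory-default configuration:
    3. Configure SSH so that you can continue to access the router. For example:
    4. Commit the changes.
  4. Enable Next Gen Services on the router.

    Junos OS provides a system-wide operational parameter that you enable if you want to configure Next Gen Services on the router. By default, this parameter is not enabled.

    From operational mode:

    Note:

    This setting is persistent and survives a reboot.

  5. Reboot the router.
  6. Replace the MS cards with MX-SPC3 cards.
  7. Reconfigure the router.

    To start, you can restore the backup from step 2, but you may need to change this configuration to be compatible with Next Gen Services before you can commit it.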