MX-SPC3 上自适应服务和新一代服务之间的配置差异
概述
MX-SPC3 上的下一代服务要求您以不同于您在 MS 类型卡(MS-MPC、MS-MIC 和 MS-DPC)上运行的自适应服务所习惯的服务配置方式。配置 MX-SPC3 服务卡与配置 SRX 系列服务网关的方式更加一致。熟悉这种更加统一的方法后,您应该能够以更无缝的方式在这两个平台上配置服务,最终减少培训开销并降低配置错误的风险。
除了 CLI 差异之外,您还需要了解多服务 (MS) 类型(MS-DPC、MS-MPC 和 MS-MIC)卡与 MX-SPC3 服务卡之间的基本硬件差异。MS 型卡包含四个 CPU 复合体,而 MX-SPC3 卡虽然功能更强大,但包含两个 CPU 复合体。每个 CPU 复合体为一个 PIC 提供服务,这意味着 MS 类型的卡支持四个 PIC,而 MX-SPC3 支持两个 PIC。MS 型卡使用特殊多服务 (MS) 和自适应服务 (AS) PIC,而 MX-SPC3 卡上的 PIC 是集成的。
由于 PIC 的数量直接影响接口数量(表 1),因此您可能需要向 MX-SPC3 上的每个接口添加逻辑单元,以将接口数量增加到 4 个。例如,如果您当前使用 MS 类型卡上的所有四个接口,并且每个接口都有一个服务集,则可以在 MX-SPC3 上为每个接口创建两个逻辑单元,使接口总数达到四个,然后将这四个服务集重新关联到这四个逻辑接口。
MS 卡 |
MX-SPC3 |
|
---|---|---|
CPU 复合体数 |
4 |
2 |
每个 CPU 复合体的 PIC 数 |
1 |
1 |
每个 PIC 的接口数 |
1 |
1 |
卡上的接口总数 |
4 |
2 |
注意:
有关 MX-SPC3 硬件的详细信息,请参阅 MX 系列 5G 通用路由平台接口模块参考 。 |
以下各节概述了 MS 类型卡上的服务和 MX-SPC3 卡上的服务之间的基本配置差异。这些部分的目的是通过使用基本示例来说明主要更改来帮助您入门。这些示例显示了 CLI 配置选项的子集,并不能取代《下一代服务接口路由设备用户指南》和《Junos OS CLI 参考指南》中对主题的更正式处理。
这些部分中的配置示例并排显示,因此您可以轻松查看两者之间的差异。这些示例旨在向您展示如何在 MX-SPC3 上配置现有的 MS 型卡功能。这些示例并非旨在向您展示如何配置仅在 MX-SPC3 上找到的新功能。为了便于阅读和比较,显示的语句顺序可能与 CLI 中显示的语句的实际顺序略有不同。
如果您有大量现有的自适应服务,我们认识到这些更改可能会给您带来不便。为了帮助您从 MS 型卡迁移到 MX-SPC3,我们建议您执行以下操作:
浏览本指南中的示例,全面了解所需的更改。
浏览知识库文章 KB35348 中的配置示例集。
通读本指南和 Junos OS CLI 参考指南,了解所有功能、配置选项和语法。
请联系 JTAC 获取迁移帮助。
如果继续在 MS 类型卡上运行自适应服务,则无需进行这些配置更改。但是,在路由器上部署 MX-SPC3 后,必须更换该路由器上的所有 MS 类型卡,并重新配置服务以符合下一代服务配置范例。
接口
MS 类型卡使用接口命名约定 ,而您则使用虚拟多服务或vms-1/0/0
接口命名约定ms-1/0/0
指定 MX-SPC3 接口。和mams
接口的名称ams
没有变化。
此外,在接口下services-options
ms
配置的许多参数也在服务集下配置service-set-options
。
表 2 显示了这些更改的示例。
MS 型卡 |
MX-SPC3 |
---|---|
[edit interfaces] ms-5/1/0 { <...> } |
[edit interfaces] # Change interface name to vms. vms-5/1/0 { <...> } |
[edit interfaces] ms-5/1/0 { services-options { open-timeout 40; close-timeout 40; inactivity-tcp-timeout 10; inactivity-asymm-tcp-timeout 10; tcp-tickles 8; ignore-errors tcp; } } |
[edit services] service-set sset1 { service-set-options { # Set tcp parameters under tcp-session. tcp-session { open-timeout 40; close-timeout 40; inactivity-tcp-timeout 10; inactivity-asymm-tcp-timeout 10; tcp-tickles 8; ignore-errors tcp; } } } |
[edit interfaces] ms-5/1/0 { services-options { inactivity-non-tcp-timeout 40; session-timeout 10; } } |
[edit services] service-set sset1 { # Set non-tcp parameters directly under # service-set-options. service-set-options { inactivity-non-tcp-timeout 40; session-timeout 10; } } |
[edit interfaces] ms-5/1/0 { services-options { fragment-limit 32; reassembly-timeout 3; } } |
这些参数硬编码如下:
|
[edit interfaces] ms-5/1/0 { services-options { session-limit { maximum 100; cpu-load-threshold 12; rate 10; } } } |
[edit services] # Maximum number of sessions can be # specified per service-set. service-set sset1 { service-set-options { session-limit { maximum 100; } } } [edit interfaces] # All session-limit parameters continue to be # configurable per interface. If the maximum # number of sessions is different from the associated # service-set, the smaller number takes effect. vms-5/1/0 { services-options { session-limit { maximum 100; cpu-load-threshold 12; rate 10; } } } |
[edit interfaces] ms-5/1/0 { services-options { pba-interim-logging-interval 10; } } |
[edit interfaces] # Set interim-logging-interval under the nat branch. nat { source { pool src-pool { port { block-allocation { interim-logging-interval 10; } } } |
[edit interfaces] ms-5/1/0 { services-options { syslog { host { <...> } } } } |
请参阅 |
[edit interfaces] ms-5/1/0 { services-options { syslog { message-rate-limit 10; } } } |
[edit services] service-set sset1 { syslog { event-rate 10; } } |
[edit interfaces] ms-5/1/0 { services-options { ignore-errors alg; disable-global-timeout-override; trio-flow-offload { minimum-bytes 1000; } } } |
不支持 |
服务集
表 3 显示了某些 service-set
参数配置方式的细微变化。
MS 型卡 |
MX-SPC3 |
---|---|
[edit services] service-set sset1 { tcp-mss 1460; service-set-options { tcp-non-syn drop-flow-send-rst; tcp-fast-open drop; } } |
[edit services] service-set sset1 { service-set-options { # Set tcp parameters under tcp-session. tcp-session { tcp-mss 1460; tcp-non-syn drop-flow-send-rst; tcp-fast-open drop; } } } |
[edit services] service-set sset1 { replicate-services { replication-threshold 180; } } |
[edit interfaces] # Set replication-threshold on the interface. vms-5/1/0 { redundancy-options { replication-threshold 180; } } |
[edit services] service-set sset1 { syslog { host 10.1.1.1 { port 514; } } } |
[edit services] service-set sset1 { syslog # Process security logs in the dataplane. mode stream; stream s1 { # Specify host to send security logs to. host { 10.1.1.1; port 514; } } } } |
[edit services] service-set sset1 { syslog { host local; } } |
[edit services] service-set sset1 { syslog # Process security logs in the control plane, # saving logs to local file specified by rtlog. mode event; } } rtlog { traceoptions { # Specify filename for logs. file rtlog size 1g; flag all; } } |
[edit services] service-set sset1 { service-order <...> } |
服务订单是固定的。 |
[edit services] service-set sset1 { sampling-service <...> } |
内联支持 J-Flow 日志记录。 |
[edit services] service-set sset1 { tag-rule-sets <...> tag-rules <...> hcm-profile <...> hcm-url-rule-sets <...> hcm-url-rules <...> service-set-options { bypass-traffic-on-pic-failure; } } |
目前不支持 |
有状态防火墙
规则和政策
MX-SPC3 上的有状态防火墙规则的结构与 MS 类型卡上服务的有状态防火墙规则略有不同。在 MX-SPC3 上,您将规则括在包装器中,并在规则中包含的 中policies
policy
定义规则的匹配词和操作。
就像 MS 类型卡上的有状态防火墙服务一样,您可以创建一个服务集以将接口与规则集相关联。规则集包含对一个或多个规则的引用。规则将按您列出的顺序依次应用,直到发生匹配并执行操作。
每条规则包含一对或多对匹配字词和操作。在 MX-SPC3 上,每对匹配字词和操作称为一个策略。策略将按您指定的顺序依次应用,直到发生匹配并执行操作。
表 4 显示了 MS 卡和 MX-SPC3 上的有状态防火墙规则之间的配置差异。尤其要注意 /deny
/reject
操作的不同permit
定义。
微软卡 |
MX-SPC3 |
---|---|
[edit services] |
[edit services] |
service-set s1 { stateful-firewall-rule-sets rule-set-basic-sfw; interface-service { service-interface ms-1/1/0; } } |
service-set s1 { stateful-firewall-rule-sets rule-set-basic-sfw; interface-service { service-interface vms-1/1/0; } } |
stateful-firewall { |
# Enclose stateful firewall rules within the policies wrapper. policies { |
rule Rule1 { match-direction input; term ping-https-apps { from { source-address { any } destination-address { any } applications [junos-icmp-ping junos-https]; } then { accept/reject/discard skip-ids; syslog; } } term accept { then { accept; } } } # end Rule1 |
stateful-firewall-rule Rule1 { match-direction input; # Define match terms and actions in a policy. policy ping-https-apps { # Unlike the from statement, the match statement (and # source-address, destination-address, and application) # are mandatory. match { source-address any; destination-address any; application [ junos-icmp-ping junos-https ]; } then { # permit = allow # deny = silently drop # reject = drop and send ICMP unreachable or TCP RST permit/deny/reject # skip-ids is not supported. One possible way of # achieving this same goal is to create two # service-sets, one with IDS and one without IDS, # and route your next-hop-service # traffic to the desired service set via the associated # inside or outside interface. log; } } policy accept { match { source-address any; destination-address any; application any; } then { permit; } } } # end Rule1 |
rule Rule2 { match-direction output; term local { from { source-address { 10.1.3.2/32; } application-sets APPL-SET1; } then { accept; } } } # end Rule2 |
stateful-firewall-rule Rule2 { match-direction output; policy local { match { source-address 10.1.3.2/32; destination-address any; # application can refer to an application set. application APPL-SET1; } then { permit; } } } # end Rule2 |
rule-set rule-set-basic-sfw { rule Rule1; rule Rule2; } } # end stateful-firewall |
# Use the stateful-firewall-rule-set element to list the # firewall rules in the order that you want them applied. stateful-firewall-rule-set rule-set-basic-sfw { stateful-firewall-rule Rule1; stateful-firewall-rule Rule2; } } # end policies |
地址列表和范围
有状态防火墙规则可以包含引用地址范围和列表的匹配词。
在 MS 卡上,您可以使用和元素指定地址范围,使用source-address-range
和destination-address-range
元素指定policy-options
地址列表。prefix-list
该prefix-list
元素不仅仅用于有状态防火墙规则。您还可以使用该prefix-list
元素指定要在路由策略中使用的地址列表。
在 MX-SPC3 上,该 prefix-list
元素不用于有状态防火墙规则。您可以使用 under address-book
services
定义要在有状态防火墙规则中使用的地址列表和范围。该 prefix-list
元素仍然存在,但专门用于路由策略。因此,如果要为有状态防火墙规则指定地址列表,为路由策略指定地址列表,则需要同时配置 address-book
和 prefix-list
元素。
表 5 显示了为 MS 卡上的有状态防火墙规则指定地址的方式与 MX-SPC3 之间的区别。
微软卡 |
MX-SPC3 |
---|---|
[edit] policy-options { prefix-list p1 { 10.1.22.45/32; 192.168.0.11/32; } } [edit services] stateful-firewall { rule sfw-rule { match-direction input; term banned-addresses { from { source-prefix-list { p1; } source-address-range { low 10.1.22.100 high 10.1.22.109; } } then { reject; syslog; } } <...> |
[edit services] # Define address lists and address ranges in an address book. address-book { global { address-set p1 { address p1-a; address p1-b; } address p1-a 10.1.22.45/32; address p1-b 192.168.0.11/32; address p2 { address-range 10.1.22.100/32 { to { 10.1.22.109/32; } } } } } # end address-book policies { stateful-firewall-rule sfw-rule { match-direction input; policy banned-addresses { match { # Refer to the addresses defined in the address book. source-address [ p1 p2 ]; destination-address any; application any; } then { deny; log; } <...> |
应用
MX-SPC3 支持比 MS 卡更多的内置 Junos 应用程序。创建有状态防火墙规则时,可以在这些内置应用程序上进行匹配。
要查看内置应用程序的完整列表,请使用 show groups junos-defaults applications
配置模式命令。例如:
[edit] # show groups junos-defaults applications | match junos application junos-ftp { application junos-ftp-data { application junos-tftp { application junos-twamp { application junos-rtsp { application junos-netbios-session { <...>
跟踪选项和计数器
MX-SPC3 上新一代服务的有状态防火墙支持其他功能来帮助调试和计算流量:
traceoptions
- 用于跟踪与策略相关的事件,例如策略查找和基于规则的事件。这些事件将捕获在指定的文件中以供查看。count
- 用于计算与流量相关的事件,例如传入/传出字节和数据包。使用 show 命令查看计数器:show services policies detail
- 当您在策略中指定选项时,count
输出包括与流量相关的计数器show services policies hit-count
- 无论您是否使用count
策略中的选项,命中计数始终可用
表 6 显示了如何使用 traceoptions
和 count
元素:
微软卡 |
MX-SPC3 |
---|---|
不支持 |
[edit services] policies { # Enable traceoptions to trace policy-related events. traceoptions { file policylogs size 10m files 5; flag all; } stateful-firewall-rule Rule1 { match-direction input; policy my-policy { match { source-address any; destination-address any; application [ junos-dns-udp junos-dns-tcp ]; } then { permit # Enable counting of traffic events. count; } } # end my-policy ... |
运营商级网络地址转换 (CGNAT)
在 MX-SPC3 上为下一代服务配置 NAT 与在 MS 卡上的旧服务上配置 NAT 的方式不同:
在 MX-SPC3 上,您可以独立于目标 NAT 配置源 NAT。您可以在配置树的源分支中配置源 NAT,并在配置树的目标分支中配置目标 NAT。源 NAT 和目标 NAT 在配置树的各自分支中都有自己的一组地址池和规则。
在 MX-SPC3 上,如果同时配置源 NAT 和目标 NAT,则首先应用目标 NAT,然后应用源 NAT 应用于目标 NAT 转换结果。换句话说,您不是基于原始数据包编写源 NAT 规则,而是基于目标 NAT 转换结果。
在 MX-SPC3 上,未显式配置
translation-type
.转换类型由配置隐式确定。在 MX-SPC3 上,端口转换是动态映射的默认行为(随着时间的推移,不同的 NAT 前地址可能会映射到相同的后 NAT 地址)。如果未在池定义中显式包含该
port
语句,则会使用端口范围 [1024, 65535] 进行端口转换,并以轮循机制方式选择端口。如果不希望进行端口转换,则必须添加带有port
该选项的no-translation
语句。此默认值不适用于静态映射,其中前 NAT 地址始终映射到相同的后 NAT 地址。
表 7 至表 19 显示了如何在 MX-SPC3 上配置不同转换类型的示例。
微软卡 |
MX-SPC3 |
---|---|
[edit services] |
[edit services] |
service-set sset1 { nat-rules rule-basic-nat44; interface-service { service-interface ms-1/2/0; } } |
service-set sset1 { nat-rule-sets rule-basic-nat44; interface-service { service-interface vms-2/0/0; } } |
nat { |
nat { source { |
pool src-pool { address 10.10.10.0/24; } |
pool src-pool { address { 10.10.10.0/24; } # host-address-base indicates a type of static mapping # where the base address 10.45.1.0/0 maps to the # lowest address in the pool, namely 10.10.10.0/0, # and the other addresses map sequentially from there # e.g. 10.45.1.1 maps to 10.10.10.1, and so on. # Since this is a static mapping, there is no port translation # by default. # Note that host-address-base does not have to be the # lowest address allowed by the subsequent source rule. # Any packet with a source address allowed by the source rule # but is lower than the host-address-base is discarded. host-address-base 10.45.1.0/0; } |
rule rule-basic-nat44 { match-direction input; term t1 { from { source-address { 10.45.1.0/24 } } then { translated { source-pool src-pool; translation-type { basic-nat44; } } } } } |
rule-set rule-basic-nat44 { match-direction input; rule r1 { match { source-address 10.45.1.0/24; } then { source-nat { pool { src-pool; } } } } } |
} # end nat |
} # end source } # end nat |
微软卡 |
MX-SPC3 |
---|---|
[edit services] |
[edit services] |
service-set sset1 { nat-rules rule-basic-nat66; interface-service { service-interface ms-1/2/0; } } |
service-set sset1 { nat-rule-sets rule-basic-nat66; interface-service { service-interface vms-2/0/0; } } |
nat { |
nat { source { |
pool src-pool { address 2001:DB8:2222::0/96; } |
pool src-pool { address { 2001:DB8:2222::0/96; } } |
rule rule-basic-nat66 { match-direction input; term t1 { from { source-address { 2001:DB8:1111::0/96; } } then { translated { source-pool src-pool; translation-type { basic-nat66; } } } } } |
rule-set rule-basic-nat66 { match-direction input; rule r1 { match { source-address 2001:DB8:1111:::0/96; } then { source-nat { pool { src-pool; } } } } } |
} # end nat |
} # end source } # end nat |
微软卡 |
MX-SPC3 |
---|---|
[edit services] |
[edit services] |
service-set sset1 { nat-rules rule-dynamic-nat44; interface-service { service-interface ms-1/2/0; } } |
service-set sset1 { nat-rule-sets rule-dynamic-nat44; interface-service { service-interface vms-2/0/0; } } |
nat { |
nat { source { |
pool src-pool { address-range low 10.10.10.2 high 10.10.10.10; } |
pool src-pool { address { 10.10.10.2/32 to 10.10.10.10/32; } # Since this is implicitly a dynamic mapping, # there is port translation by default , so we need to # explictly specify that we don’t want port translation. port { no-translation; } } |
rule rule-dynamic-nat44 { match-direction input; term t0 { from { applications junos-icmp-all; } then { no-translation; } } term t1 { from { destination-address { 10.99.0.2/32; } source-address-range { low 10.45.0.2 high 10.45.0.10; } } then { translated { source-pool src-pool; translation-type { dynamic-nat44; } } } } } |
rule-set rule-dynamic-nat44 { match-direction input; rule r0 { match { source-address 0.0.0.0/0; application junos-icmp-all; } then { source-nat { off; } } } rule r1 { match { source-address-name addr1; destination-address 10.99.0.2/32; } then { source-nat { pool { src-pool; } } } } } |
} # end nat |
} # end source } # end nat |
|
address-book { global { address addr1 { address-range 10.45.0.2/32 { to { 10.45.0.10/32; } } } } } |
微软卡 |
MX-SPC3 |
---|---|
[edit services] |
[edit services] |
service-set sset1 { nat-rules rule-napt44; interface-service { service-interface ms-1/2/0; } } |
service-set sset1 { nat-rule-sets rule-napt44; interface-service { service-interface vms-2/0/0; } } |
nat { |
nat { source { |
pool src-pool { address 10.10.10.0/24; port { automatic; } } |
pool src-pool { address { 10.10.10.0/24; } # Since this is implicitly a dynamic mapping, # and there is no explicit port statement # to indicate otherwise, the default port # mapping behavior takes effect. } |
rule rule-napt44 { match-direction input; term t1 { from { source-address { 10.45.1.0/24 } application-sets accept-algs; } then { translated { source-pool src-pool; translation-type { napt44; } } } } } |
rule-set rule-napt44 { match-direction input; rule r1 { match { source-address 10.45.1.0/24; application accept-algs; } then { source-nat { pool { src-pool; } } } } } |
} # end nat |
} # end source } # end nat |
微软卡 |
MX-SPC3 |
---|---|
[edit services] |
[edit services] |
service-set sset1 { nat-rules rule-napt66; interface-service { service-interface ms-1/2/0; } } |
service-set sset1 { nat-rule-sets rule-napt66; interface-service { service-interface vms-2/0/0; } } |
nat { |
nat { source { |
pool src-pool { address 2001:DB8:2222::0/112; port { range low 20000 high 30000; } } |
pool src-pool { address { 2001:DB8:2222::0/112; } port { range { 20000; to { 30000; } } } } |
rule rule-napt66 { match-direction input; term t1 { from { source-address { 2001:DB8:1111::0/96; } } then { translated { source-pool src-pool; translation-type { napt66; } } } } } |
rule-set rule-napt66 { match-direction input; rule r1 { match { source-address 2001:DB8:1111::0/96; } then { source-nat { pool { src-pool; } } } } } |
} # end nat |
} # end source } # end nat |
微软卡 |
MX-SPC3 |
---|---|
[edit services] |
[edit services] |
service-set sset1 { nat-rules rule-dnat-44; interface-service { service-interface ms-1/2/0; } } |
service-set sset1 { nat-rule-sets rule-dnat-44; interface-service { service-interface vms-2/0/0; } } |
nat { |
nat { destination { |
pool dest-pool { address 10.10.10.2/32; } |
pool dest-pool { address { 10.10.10.2/32; } } |
rule rule-dnat-44 { match-direction input; term t1 { from { destination-address { 10.45.0.2/32 } } then { translated { destination-pool dest-pool; translation-type { dnat-44; } } } } } |
rule-set rule-dnat-44 { match-direction input; rule r1 { match { destination-address 10.45.0.2/32; } then { destination-nat { pool { dest-pool; } } } } } |
} # end nat |
} # end destination } # end nat |
微软卡 |
MX-SPC3 |
---|---|
[edit services] |
[edit services] |
service-set sset1 { nat-rules rule-stateful-nat464; interface-service { service-interface ms-1/2/0; } } |
service-set sset1 { nat-rule-sets rule-stateful-nat464-src; nat-rule-sets rule-stateful-nat464-dest; interface-service { service-interface vms-2/0/0; } } |
nat { |
nat { source { |
pool src-pool { address 10.10.10.0/24; port { automatic; } } |
pool src-pool { address { 10.10.10.0/24; } port { automatic { round-robin; } } } |
rule rule-stateful-nat464 { match-direction input; term t1 { from { source-address { 2001:DB8:1111::0/96; } destination-address { 2001:DB8:2222::0/96; } applications [junos-icmp-all junos-icmp-ping junos-traceroute junos-traceroute-ttl 1]; } then { translated { source-pool src-pool; clat-prefix 2001:DB8:1111::0/96; destination-prefix 2001:DB8:2222::0/96; translation-type { stateful-nat464; } } } } } |
# This source rule applies after the destination rule. rule-set rule-stateful-nat464-src { match-direction input; rule r1 { match { source-address 2001:DB8:1111::0/96; # Since destination NAT happens first, the # destination IPv6 prefix has been stripped off, # resulting in an IPv4 destination address. destination-address 0.0.0.0/0; application [junos-icmp-all junos-icmp-ping junos-traceroute junos-traceroute-ttl 1]; } then { source-nat { pool { src-pool; } clat-prefix 2001:DB8:1111::0/96; } } } } |
} # end nat |
} # end source |
|
destination { |
|
# This destination rule applies before the source rule. rule-set rule-stateful-nat464-dest { match-direction input; rule r1 { match { destination-address 2001:DB8:2222::0/96; } then { destination-nat { destination-prefix 2001:DB8:2222::0/96; } } } } |
|
} # end destination } # end nat |
微软卡 |
MX-SPC3 |
---|---|
[edit services] |
[edit services] |
service-set sset1 { nat-rules rule-stateful-nat64; interface-service { service-interface ms-1/2/0; } } |
service-set sset1 { nat-rule-sets rule-stateful-nat64-src; nat-rule-sets rule-stateful-nat64-dest; interface-service { service-interface vms-2/0/0; } } |
nat { |
nat { source { |
pool src-pool { address 10.10.10.0/24; port { automatic; random-allocation; } } mapping-timeout 500; } |
pool src-pool { address { 10.10.10.0/24; } port { automatic { random-allocation; } } mapping-timeout 500; } |
rule rule-stateful-nat64 { match-direction input; term t1 { from { destination-address { 2001:DB8:2222::0/64; } } then { translated { source-pool src-pool; destination-prefix 2001:DB8:2222::0/64; translation-type { stateful-nat64; } } } } term t2 { from { destination-address { 2001:DB8:3333::0/64; } } then { translated { source-pool src-pool; destination-prefix 2001:DB8:3333::0/64; translation-type { stateful-nat64; } } } } } |
# This source rule applies after the destination rule. rule-set rule-stateful-nat64-src { match-direction input; rule r1 { match { source-address 0::/0; # Since destination NAT applies first, the # destination address is now IPv4. destination-address 0.0.0.0/0; } then { source-nat { pool { src-pool; } } } } } |
} # end nat |
} # end source |
|
destination { |
|
# This destination rule applies before the source rule. rule-set rule-stateful-nat64-dest { match-direction input; rule r1 { match { destination-address 2001:DB8:2222::0/64; } then { destination-nat { destination-prefix 2001:DB8:2222::0/64; } } } rule r2 { match { destination-address 2001:DB8:3333::0/64; } then { destination-nat { destination-prefix 2001:DB8:3333::0/64; } } } } |
|
} # end destination } # end nat |
微软卡 |
MX-SPC3 |
---|---|
[edit services] |
[edit services] |
service-set sset1 { nat-rules rule-twice-basic-nat-44; interface-service { service-interface ms-1/2/0; } } |
service-set sset1 { nat-rule-sets rule-twice-basic-nat-44-src; nat-rule-sets rule-twice-basic-nat-44-dest; interface-service { service-interface vms-2/0/0; } } |
nat { |
nat { source { |
pool src-pool { address 10.98.10.0/24; } pool dest-pool { address 10.99.10.0/24; } |
pool src-pool { address { 10.98.10.0/24; } # host-address-base indicates a type of static mapping where # the base address 10.10.10.0/0 maps to the lowest # address in the pool, namely 10.98.10.0/0, # and the other addresses map sequentially from there # e.g. 10.10.10.1 maps to 10.98.10.1, and so on. # Since this is a static mapping, there is no port translation # by default. # Note that host-address-base does not have to be the # lowest address allowed by the subsequent source rule. # Any packet with a source address allowed by the source rule # but is lower than the host-address-base is discarded. host-address-base 10.10.10.0/0; } |
rule rule-twice-basic-nat-44 { match-direction input; term t1 { from { source-address { 10.10.10.0/24; } destination-address { 10.20.10.0/24; } } then { translated { source-pool src-pool; destination-pool dest-pool; translation-type { twice-basic-nat-44; } } } } } |
# This source rule applies after the destination rule. rule-set rule-twice-basic-nat-44-src { match-direction input; rule r1 { match { source-address 10.10.10.0/24; # Since destination NAT happens first, the destination # address refers to the NAT’d address. destination-address 10.99.10.0/24; } then { source-nat { pool { src-pool; } } } } } |
} # end nat |
} # end source |
|
destination { |
|
pool dest-pool { address { 10.99.10.0/24; } } |
|
# This destination rule applies before the source rule. rule-set rule-twice-basic-nat-44-dest { match-direction input; rule r1 { match { destination-address 10.20.10.0/24; } then { destination-nat { pool { dest-pool; } } } } } |
|
} # end destination } # end nat |
微软卡 |
MX-SPC3 |
---|---|
[edit services] |
[edit services] |
service-set sset1 { nat-rules rule-twice-dynamic-nat-44; interface-service { service-interface ms-1/2/0; } } |
service-set sset1 { nat-rule-sets rule-twice-dynamic-nat-44-src; nat-rule-sets rule-twice-dynamic-nat-44-dest; interface-service { service-interface vms-2/0/0; } } |
nat { |
nat { source { |
pool src-pool { address 10.98.10.0/24; } pool dest-pool { address 10.99.10.0/24; } |
pool src-pool { address { 10.98.10.0/24; } port { no-translation; } } |
rule rule-twice-dynamic-nat-44 { match-direction input; term t1 { from { source-address { 10.10.10.0/24; } destination-address { 10.20.10.0/24; } } then { translated { source-pool src-pool; destination-pool dest-pool; translation-type { twice-dynamic-nat-44; } } } } } |
# This source rule applies after the destination rule. rule-set rule-twice-dynamic-nat-44-src { match-direction input; rule r1 { match { source-address 10.10.10.0/24; # Since destination NAT happens first, the destination # address refers to the NAT’d address. destination-address 10.99.10.0/24; } then { source-nat { pool { src-pool; } } } } } |
} # end nat |
} # end source |
|
destination { |
|
pool dest-pool { # By default, address mapping in destination pools is static. address { 10.99.10.0/24; } } |
|
# This destination rule applies before the source rule. rule-set rule-twice-dynamic-nat-44-dest { match-direction input; rule r1 { match { destination-address 10.20.10.0/24; } then { destination-nat { pool { dest-pool; } } } } } |
|
} # end destination } # end nat |
微软卡 |
MX-SPC3 |
---|---|
[edit services] |
[edit services] |
service-set sset1 { nat-rules rule-twice-napt-44; interface-service { service-interface ms-1/2/0; } } |
service-set sset1 { nat-rule-sets rule-twice-napt-44-src; nat-rule-sets rule-twice-napt-44-dest; interface-service { service-interface vms-2/0/0; } } |
nat { |
nat { source { |
pool src-pool { address 10.98.10.0/24; port { automatic; secured-port-block-allocation block-size 256 max-blocks-per-address 1 active-block-timeout 300; } } pool dest-pool { address 10.99.10.2/32; } |
pool src-pool { address { 10.98.10.0/24; } port { automatic { round-robin; } block-allocation { block-size 256; maximum-blocks-per-host 1; active-block-timeout 300; } } } |
rule rule-twice-napt-44 { match-direction input; term t1 { from { source-address { 10.10.10.0/24; } destination-address { 10.20.10.2/32; } } then { translated { source-pool src-pool; destination-pool dest-pool; translation-type { twice-napt-44; } } } } } |
# This source rule applies after the destination rule. rule-set rule-twice-napt-44-src { match-direction input; rule r1 { match { source-address 10.10.10.0/24; # Since destination NAT happens first, the # destination address refers to the NAT’d address. destination-address 10.99.10.2/32; } then { source-nat { pool { src-pool; } } } } } |
} # end nat |
} # end source |
|
destination { |
|
pool dest-pool { address { 10.99.10.2/32; } } |
|
# This destination rule applies before the source rule. rule-set rule-twice-napt-44-dest { match-direction input; rule r1 { match { source-address 10.10.10.0/24; destination-address 10.20.10.2/32; } then { destination-nat { pool { dest-pool; } } } } } |
|
} # end destination } # end nat |
微软卡 |
MX-SPC3 |
---|---|
[edit services] |
[edit services] |
service-set sset1 { nat-rules rule-deterministic-napt44; interface-service { service-interface ms-1/2/0; } } |
service-set sset1 { nat-rule-sets rule-deterministic-napt44; interface-service { service-interface vms-2/0/0; } } |
nat { |
nat { source { |
pool src-pool { address 10.10.10.0/24; port { range low 1024 high 19999; deterministic-port-block-allocation block-size 256; } mapping-timeout 120; } |
pool src-pool { address { 10.10.10.0/24; } port { range { 1024; to { 19999; } } deterministic { block-size 256; # host address specifies the subnet that you # want to apply to this pool. host address 10.2.0.0/20; } } mapping-timeout 120; } |
rule rule-deterministic-napt44 { match-direction input; term t1 { from { source-address { 10.2.0.0/18; } } then { translated { source-pool src-pool; translation-type { deterministic-napt44; } mapping-type endpoint-independent; } } } } |
rule-set rule-deterministic-napt44 { match-direction input; rule r1 { match { source-address 10.2.0.0/18; } then { source-nat { pool { src-pool; } mapping-type endpoint-independent; } } } } |
} # end nat |
} # end source } # end nat |
微软卡 |
MX-SPC3 |
---|---|
[edit services] |
[edit services] |
service-set sset1 { nat-rules rule-deterministic-napt64; interface-service { service-interface ms-1/2/0; } } |
service-set sset1 { nat-rule-sets rule-deterministic-napt64-src; nat-rule-sets rule-deterministic-napt64-dest; interface-service { service-interface vms-2/0/0; } } |
nat { |
nat { source { |
pool src-pool { address 10.98.10.0/24; port { automatic; random-allocation; } deterministic-port-block-allocation block-size 256; } } |
pool src-pool { address { 10.98.10.0/24; } port { automatic { random-allocation; } deterministic { block-size 256; host address 2001:DB8:1111::1/120; } } } |
rule rule-deterministic-napt64 { match-direction input; term t1 { from { source-address { 2001:DB8:1111::1/120; } } then { translated { destination-prefix 2001:DB8:2222::/96; source-pool src-pool; translation-type { deterministic-napt64; } } } } } |
# This source rule applies after the destination rule. rule-set rule-deterministic-napt64-src { match-direction input; rule r1 { match { source-address 2001:DB8:1111::1/120; # Since destination NAT happens first, the destination # address refers to the NAT’d address. destination-address 0.0.0.0/0; } then { source-nat { pool { src-pool; } } } } } |
} # end nat |
} # end source |
|
destination { |
|
pool dest-pool { address { 10.99.10.2/32; } } |
|
# This destination rule applies before the source rule. rule-set rule-destination-napt64-dest { match-direction input; rule r1 { match { destination-address 2001:DB8:2222::/96; } then { destination-nat { destination-prefix 2001:DB8:2222::/96; } } } } |
|
} # end destination } # end nat |
微软卡 |
MX-SPC3 |
---|---|
[edit services] |
[edit services] |
service-set sset1 { nat-rules rule-napt-pt; interface-service { service-interface ms-1/2/0; } } |
service-set sset1 { nat-rule-sets rule-napt-pt-src; nat-rule-sets rule-napt-pt-dest; interface-service { service-interface vms-2/0/0; } } |
nat { |
nat { source { |
pool src-pool { address 10.10.10.2/32; } pool dest-pool { address 10.99.10.2/32; } |
pool src-pool { address { 10.10.10.2/32; } } |
rule rule-napt-pt { match-direction input; term t1 { from { source-address { 2001:DB8:1111::2/128; } destination-address { 2001:DB8:2222::2/128; } } then { translated { source-pool src-pool; destination-pool dest-pool; translation-type { napt-pt; } } } } } |
rule-set rule-napt-pt-src { match-direction input; rule r1 { match { source-address 2001:DB8:1111::2/128; destination-address 10.99.10.0/24; } then { source-nat { pool { src-pool; } } } } } |
} # end nat |
} # end source |
|
destination { |
|
pool dest-pool { address { 10.99.10.2/32; } } |
|
rule-set rule-napt-pt-dest { match-direction input; rule r1 { match { destination-address 2001:DB8:2222::2/128; } then { destination-nat { pool { dest-pool; } } } } } |
|
} # end destination } # end nat |
入侵检测系统 (IDS)
MX-SPC3 上下一代服务的 IDS 规则在分支下 screen
定义。各种元素的命名略有不同,但主要变化在于检测具有 IPv4 选项和 IPv6 扩展的数据包的行为:
对于 MS 卡上的 IDS 服务,默认行为是检测并丢弃具有 IPv4 选项和 IPv6 扩展的数据包。如果要允许这些数据包,则必须通过配置显式允许它们。
对于 MX-SPC3 上的 IDS 新一代服务,默认行为是允许具有 IPv4 选项和 IPv6 扩展的数据包。如果要检测并丢弃这些数据包,则必须通过配置显式禁止它们。
表 21 显示了配置差异的示例。
微软卡 |
MX-SPC3 |
---|---|
[edit services] service-set sset1 { ids-rules r1; ids-rules r2; } |
[edit services] service-set sset1 { # Replace ids-rules with ids-option. ids-option ids1; ids-option ids2; } |
[edit services] ids { rule r1 { match-direction input; term t1 { <...> } } } |
[edit services] # Define ids rules under the screen branch. screen { # Replace rule with ids-option. ids-option ids1 { match-direction input; # Flatten hierarchy by removing term and placing # contents directly under ids-option. <...> } } |
[edit services] ids { rule r1 { match-direction input; term t1 { then { allow-ip-options [ loose-source-route route-record router-alert security stream-id strict-source-route timestamp ]; } } } } |
[edit services] screen { ids-option ids1 { match-direction input; # By default, all ip options are allowed. } } |
[edit services] ids { rule r1 { match-direction input; term t1 { then { <no allow-ip-options configured> } } } } |
[edit services] screen { ids-option ids1 { match-direction input; # Explicitly specify the disallowed options. ip { loose-source-route-option; record-route-option; security-option; stream-option; strict-source-route-option; timestamp-option; # router-alert option for IPv4 is not supported. } } } |
[edit services] ids { rule r1 { match-direction input; term t1 { then { allow-ipv6-extension-header [ ah dstopts esp fragment hop-by-hop mobility routing ]; } } } } |
[edit services] screen { ids-option ids1 { match-direction input; # By default, all ipv6 extensions are allowed. } } |
[edit services] ids { rule r1 { match-direction input; term t1 { then { <no allow-ipv6-extension-header configured> } } } } |
[edit services] screen { ids-option ids1 { match-direction input; ip { # Explicitly specify the disallowed extensions. ipv6-extension-header { AH-header; ESP-header; fragment-header; hop-by-hop-header; mobility-header; routing-header; # dstoptions is not supported. } } } } |
[edit services] ids { rule r1 { match-direction input; term t1 { then { aggregation { source-prefix 24; destination-prefix 24; source-prefix-ipv6 64; destination-prefix-ipv6 64; } } } } } |
[edit services] screen { ids-option ids1 { match-direction input; aggregation { source-prefix-mask 24; destination-prefix-mask 24; source-prefix-v6-mask 64; destination-prefix-v6-mask 64; } } } |
[edit services] ids { rule r1 { match-direction input; term t1 { then { icmp-fragment-check; icmp-large-packet-check; } } } } |
[edit services] screen { ids-option ids1 { match-direction input; # Group icmp checks under icmp. icmp { fragment; large; } } } |
[edit services] ids { rule r1 { match-direction input; term t1 { then { land-attack-check; tcp-winnuke-check; tcp-syn-fragment-check; tcp-syn-defense; } } } } |
[edit services] screen { ids-option ids1 { match-direction input; # Group tcp checks under tcp. tcp { land; winnuke; syn-frag; # tcp-syn-defense is not supported. } } } |
[edit services] ids { rule r1 { match-direction input; term t1 { then { session-limit { by-source { maximum 100; rate 10; packets 1k; } by-destination { maximum 100; rate 10; packets 1k; } } } } } } |
[edit services] screen { ids-option ids1 { match-direction input; limit-session { by-source { maximum-sessions 100; session-rate 10; packet-rate 1k; } by-destination { maximum-sessions 100; session-rate 10; packet-rate 1k; } } } } |
[edit services] ids { rule r1 { match-direction input; term t1 { then { session-limit { by-source { by-protocol { tcp { maximum 100; rate 10; packets 1k; } udp { maximum 100; rate 10; packets 1k; } icmp { maximum 100; rate 10; packets 1k; } } } } } } } |
[edit services] screen { ids-option ids1 { match-direction input; limit-session { by-source { by-protocol { tcp { maximum-sessions 100; session-rate 10; packet-rate 1k; } udp { maximum-sessions 100; session-rate 10; packet-rate 1k; } icmp { maximum-sessions 100; session-rate 10; packet-rate 1k; } } } } } } |
[edit services] ids { rule r1 { match-direction input; term t1 { then { session-limit { by-destination { by-protocol { tcp { maximum 100; rate 10; packets 1k; } udp { maximum 100; rate 10; packets 1k; } icmp { maximum 100; rate 10; packets 1k; } } } } } } } |
[edit services] screen { ids-option ids1 { match-direction input; limit-session { by-destination { by-protocol { tcp { maximum-sessions 100; session-rate 10; packet-rate 1k; } udp { maximum-sessions 100; session-rate 10; packet-rate 1k; } icmp { maximum-sessions 100; session-rate 10; packet-rate 1k; } } } } } } |
从 MS 卡迁移到 MX-SPC3
此程序用于配置路由器以支持下一代服务。
通常使用此过程将支持MS卡上旧服务的路由器迁移到MX-SPC3上支持下一代服务的路由器,但即使要从中迁移的路由器不包含MS卡,此过程也适用。
由于下一代服务配置与传统服务配置不兼容,因此迁移路由器以支持 MX-SPC3 上的新一代服务需要您完全取消配置并重新配置路由器。此外:
您无法在具有 MS 卡的路由器中安装 MX-SPC3 卡。
您无法在配备 MS 卡的路由器上配置下一代服务。
您无法在配备 MX-SPC3 卡的路由器上配置旧版服务。
换句话说,路由器可以与 MS 卡或 MX-SPC3 卡一起运行,但不能同时运行两者。
此过程会影响服务。您要将路由器设置为出厂默认配置。