Example: Filter-Based Forwarding over EVPN-VXLAN
Requirements
This EVPN-VXLAN fabric uses the edge-routed bridging (ERB) model, so inter-VLAN routing takes place on the leaf devices. The example assumes that the ERB fabric is already in place, so that it can focus on using FBF to select the flows that are sent for security inspection. The full configurations at the end of the example show both the configuration needed for a working ERB baseline and the FBF configuration needed to inspect the selected traffic. The example topology is shown below.
For background information and configuration details on ERB EVPN-VXLAN fabrics, see EVPN-VXLAN Architecture and Technology.
Topology
The EVPN-VXLAN fabric described in this NCE consists of four server leaf switches, two underlay spine switches, two service leaf switches, and one firewall.
Spines
- QFX5120-32C switches running Junos OS Release 20.2R2
Server Leaves
- QFX5120-48Y switches running Junos OS Release 20.3R1
Service Leaves
- QFX5120-32C switches running Junos OS Release 20.2R2
Firewall
- SRX4200 Services Gateway running Junos OS Release 20.1R2
Step-by-Step Configuration
In the following configuration, we connect Endpoint 1 to Server Leaf 1. We also create a new routing instance, INSPECT_VRF, and configure it to export and import Type 5 routes with Service Leaf 1 and Service Leaf 2. We use filter-based forwarding to redirect traffic from Endpoint 1 that is destined to Endpoint 2 into INSPECT_VRF.
Server Leaf 1
- On Server Leaf 1, set up the INSPECT_VRF routing instance:
set routing-instances INSPECT_VRF routing-options multipath
set routing-instances INSPECT_VRF protocols evpn ip-prefix-routes advertise direct-nexthop
set routing-instances INSPECT_VRF protocols evpn ip-prefix-routes encapsulation vxlan
set routing-instances INSPECT_VRF protocols evpn ip-prefix-routes vni 9991
set routing-instances INSPECT_VRF protocols evpn ip-prefix-routes export T5_INSPECT_EXPORT
set routing-instances INSPECT_VRF description "VRF for Firewall-1"
set routing-instances INSPECT_VRF instance-type vrf
set routing-instances INSPECT_VRF interface lo0.991
set routing-instances INSPECT_VRF route-distinguisher 10.80.224.140:9991
set routing-instances INSPECT_VRF vrf-target target:64730:991
set routing-instances INSPECT_VRF vrf-table-label
set interfaces lo0 unit 991 family inet address 192.168.91.1/32
- Add a static route for Endpoint 1 that points back to Tenant1_VRF:
set routing-instances INSPECT_VRF routing-options static route 10.1.110.11/32 next-table Tenant1_VRF.inet.0
- INSPECT_VRF needs to advertise the Type 5 static host route for Endpoint 1 so that the firewall can receive the traffic. The firewall in turn needs to advertise a default route to Leaf 1:
set policy-options policy-statement T5_INSPECT_EXPORT term fm_direct from protocol direct
set policy-options policy-statement T5_INSPECT_EXPORT term fm_direct then accept
set policy-options policy-statement T5_INSPECT_EXPORT term fm_static from protocol static
set policy-options policy-statement T5_INSPECT_EXPORT term fm_static then accept
- Now we need to set up the firewall filter on Leaf 1. The filter matches traffic from Endpoint 1 to Endpoint 2 and redirects those packets into INSPECT_VRF. All other traffic is routed as usual in Tenant1_VRF:
set firewall family inet filter SecureTraffic term EP1_to_EP2 from source-address 10.1.110.11/32
set firewall family inet filter SecureTraffic term EP1_to_EP2 from destination-address 10.1.111.21/32
set firewall family inet filter SecureTraffic term EP1_to_EP2 then count EP1_to_EP2
set firewall family inet filter SecureTraffic term EP1_to_EP2 then routing-instance INSPECT_VRF
set firewall family inet filter SecureTraffic term Allow_All then count Normal_Count
set firewall family inet filter SecureTraffic term Allow_All then accept
- On Leaf 1, we need to apply the firewall filter to VLAN 110 traffic as it enters irb.110, the interface connected to Endpoint 1:
set interfaces irb unit 110 virtual-gateway-accept-data
set interfaces irb unit 110 family inet filter input SecureTraffic
set interfaces irb unit 110 family inet address 10.1.110.100/24 virtual-gateway-address 10.1.110.1
set interfaces irb unit 110 virtual-gateway-v4-mac e4:5d:37:11:10:01
Server Leaf 2
Next, we need to create the SECURE_VRF routing instance on Server Leaf 2, which likewise exports and imports Type 5 routes with Service Leaf 1 and Service Leaf 2. As before, we use filter-based forwarding to redirect traffic from Endpoint 2 that is destined to Endpoint 1 into SECURE_VRF.
- On Server Leaf 2, set up the SECURE_VRF routing instance:
set routing-instances SECURE_VRF routing-options multipath
set routing-instances SECURE_VRF protocols evpn ip-prefix-routes advertise direct-nexthop
set routing-instances SECURE_VRF protocols evpn ip-prefix-routes encapsulation vxlan
set routing-instances SECURE_VRF protocols evpn ip-prefix-routes vni 9992
set routing-instances SECURE_VRF protocols evpn ip-prefix-routes export T5_SECURE_EXPORT
set routing-instances SECURE_VRF description "VRF for SECURED FIREWALL TRAFFIC"
set routing-instances SECURE_VRF instance-type vrf
set routing-instances SECURE_VRF interface lo0.992
set routing-instances SECURE_VRF route-distinguisher 10.80.224.141:9992
set routing-instances SECURE_VRF vrf-target target:64730:992
set routing-instances SECURE_VRF vrf-table-label
set interfaces lo0 unit 992 family inet address 192.168.92.2/32
- Configure a static route for Endpoint 2 that points back to Tenant1_VRF:
set routing-instances SECURE_VRF routing-options static route 10.1.111.21/32 next-table Tenant1_VRF.inet.0
- Inside SECURE_VRF, we need to advertise the Type 5 static host route for Endpoint 2 so that the firewall can receive the traffic. The firewall in turn needs to advertise a default route to Leaf 2:
set policy-options policy-statement T5_SECURE_EXPORT term fm_direct from protocol direct
set policy-options policy-statement T5_SECURE_EXPORT term fm_direct then accept
set policy-options policy-statement T5_SECURE_EXPORT term fm_static from protocol static
set policy-options policy-statement T5_SECURE_EXPORT term fm_static then accept
- As before, we now need to set up the firewall filter on Leaf 2. This time the filter matches traffic from Endpoint 2 to Endpoint 1 and redirects those packets into SECURE_VRF. All other traffic is routed as usual in Tenant1_VRF:
set firewall family inet filter SecureResponseTraffic term EP2_to_EP1 from source-address 10.1.111.21/32
set firewall family inet filter SecureResponseTraffic term EP2_to_EP1 from destination-address 10.1.110.11/32
set firewall family inet filter SecureResponseTraffic term EP2_to_EP1 then count EP2_to_EP1
set firewall family inet filter SecureResponseTraffic term EP2_to_EP1 then routing-instance SECURE_VRF
set firewall family inet filter SecureResponseTraffic term Allow_All then accept
- Finally, on Leaf 2, we need to apply the firewall filter to VLAN 111 traffic as it enters irb.111, the interface connected to Endpoint 2:
set interfaces irb unit 111 virtual-gateway-accept-data
set interfaces irb unit 111 family inet filter input SecureResponseTraffic
set interfaces irb unit 111 family inet address 10.1.111.101/24 virtual-gateway-address 10.1.111.1
set interfaces irb unit 111 virtual-gateway-v4-mac e4:5d:37:11:11:01
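The two filters above only give the firewall a complete view of a conversation when the forward flow on Leaf 1 and the return flow on Leaf 2 are both steered out of Tenant1_VRF. The following Python is an added example, not part of this NCE: it parses the two filter definitions above (copied from the page) into ordered terms, evaluates a flow with Junos first-match semantics, and flags flows whose two directions are not both redirected into a firewall VRF, as happens when only one leaf's filter is deactivated. The default table name Tenant1_VRF comes from the text; the audit helper is the example's own construct.

```python
"""Offline model of the FBF filters configured on Leaf 1 and Leaf 2."""
import ipaddress
from dataclasses import dataclass, field

# Filter definitions copied from the Server Leaf 1 and Server Leaf 2 steps.
LEAF1_FILTER = """
set firewall family inet filter SecureTraffic term EP1_to_EP2 from source-address 10.1.110.11/32
set firewall family inet filter SecureTraffic term EP1_to_EP2 from destination-address 10.1.111.21/32
set firewall family inet filter SecureTraffic term EP1_to_EP2 then count EP1_to_EP2
set firewall family inet filter SecureTraffic term EP1_to_EP2 then routing-instance INSPECT_VRF
set firewall family inet filter SecureTraffic term Allow_All then count Normal_Count
set firewall family inet filter SecureTraffic term Allow_All then accept
"""
LEAF2_FILTER = """
set firewall family inet filter SecureResponseTraffic term EP2_to_EP1 from source-address 10.1.111.21/32
set firewall family inet filter SecureResponseTraffic term EP2_to_EP1 from destination-address 10.1.110.11/32
set firewall family inet filter SecureResponseTraffic term EP2_to_EP1 then count EP2_to_EP1
set firewall family inet filter SecureResponseTraffic term EP2_to_EP1 then routing-instance SECURE_VRF
set firewall family inet filter SecureResponseTraffic term Allow_All then accept
"""

# Table a packet stays in when no term redirects it: the IRBs live in Tenant1_VRF.
TENANT_TABLE = "Tenant1_VRF"


@dataclass
class Term:
    name: str
    sources: list = field(default_factory=list)
    destinations: list = field(default_factory=list)
    actions: dict = field(default_factory=dict)

    def matches(self, src, dst):
        # A term with no from-clause matches everything; a match condition
        # with several prefixes matches if any one of them covers the address.
        ok_src = not self.sources or any(src in p for p in self.sources)
        ok_dst = not self.destinations or any(dst in p for p in self.destinations)
        return ok_src and ok_dst


def parse_filter(text):
    """Parse 'set firewall family inet filter ...' lines into (name, ordered terms)."""
    name, terms = None, {}
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        # set firewall family inet filter <F> term <T> (from|then) ...
        if tok[:5] != ["set", "firewall", "family", "inet", "filter"] or tok[6] != "term":
            raise ValueError(f"unsupported line: {line}")
        name = tok[5]
        term = terms.setdefault(tok[7], Term(tok[7]))  # dict keeps config order
        clause, rest = tok[8], tok[9:]
        if clause == "from" and rest[0] == "source-address":
            term.sources.append(ipaddress.ip_network(rest[1]))
        elif clause == "from" and rest[0] == "destination-address":
            term.destinations.append(ipaddress.ip_network(rest[1]))
        elif clause == "then":
            term.actions[rest[0]] = rest[1] if len(rest) > 1 else True
        else:
            raise ValueError(f"unsupported clause: {line}")
    return name, list(terms.values())


def evaluate(terms, src, dst):
    """First matching term wins. Returns (term, table the packet is routed in, counter)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for term in terms:
        if term.matches(s, d):
            table = term.actions.get("routing-instance", TENANT_TABLE)
            return term.name, table, term.actions.get("count")
    return None, None, None  # no match: Junos applies an implicit discard


def steering_tables(fwd_terms, rev_terms, src, dst):
    """Tables used for the forward flow on Leaf 1 and the return flow on Leaf 2."""
    return evaluate(fwd_terms, src, dst)[1], evaluate(rev_terms, dst, src)[1]


def audit(fwd_terms, rev_terms, flows):
    """Flows where only one direction reaches a firewall VRF (half-inspected)."""
    asymmetric = []
    for src, dst in flows:
        fwd, rev = steering_tables(fwd_terms, rev_terms, src, dst)
        if (fwd not in (None, TENANT_TABLE)) != (rev not in (None, TENANT_TABLE)):
            asymmetric.append((src, dst, fwd, rev))
    return asymmetric


if __name__ == "__main__":
    _, leaf1 = parse_filter(LEAF1_FILTER)
    _, leaf2 = parse_filter(LEAF2_FILTER)
    for flow in [("10.1.110.11", "10.1.111.21"), ("10.1.110.11", "10.1.111.22")]:
        print(flow, evaluate(leaf1, *flow), "return:", evaluate(leaf2, *reversed(flow)))
    # Same check with the Leaf 2 filter deactivated, as in the verification section.
    print("asymmetric:", audit(leaf1, [], [("10.1.110.11", "10.1.111.21")]))
```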
Service Leaf 1
Service Leaf 1 includes both the INSPECT_VRF and SECURE_VRF routing instances and connects the service leaf to the firewall, as shown in the figure below. Interface irb.991 is in the INSPECT VRF and interface irb.992 is in the SECURE VRF.
In both routing instances the service leaf establishes EBGP peering with the firewall and receives a default route from it. Service Leaf 1 advertises the default route to the server leaves as Type 5 routes, receives the specific host routes for Endpoint 1 and Endpoint 2 from them, and then advertises those host routes to the firewall over EBGP.
- The connection from the service leaf to the firewall is a trunk port carrying VLAN 991 and VLAN 992, each with an IRB interface, as shown below:
set interfaces xe-0/0/4:0 description "SRX Firewall 1: xe-0/0/4"
set interfaces xe-0/0/4:0 mtu 9192
set interfaces xe-0/0/4:0 unit 0 family ethernet-switching interface-mode trunk
set interfaces xe-0/0/4:0 unit 0 family ethernet-switching vlan members V991
set interfaces xe-0/0/4:0 unit 0 family ethernet-switching vlan members V992
set interfaces irb unit 991 family inet address 10.81.91.2/30
set interfaces irb unit 992 family inet address 10.81.92.2/30
- We need to set up the routing instances on Service Leaf 1:
set routing-instances INSPECT_VRF description "VRF for Firewall-1"
set routing-instances INSPECT_VRF instance-type vrf
set routing-instances INSPECT_VRF interface irb.991
set routing-instances INSPECT_VRF interface lo0.991
set routing-instances INSPECT_VRF route-distinguisher 10.80.224.138:9991
set routing-instances INSPECT_VRF vrf-target target:64730:991
set routing-instances INSPECT_VRF vrf-table-label
set routing-instances INSPECT_VRF routing-options multipath
set routing-instances INSPECT_VRF protocols bgp group Firewall-1 type external
set routing-instances INSPECT_VRF protocols bgp group Firewall-1 export FW1_Export
set routing-instances INSPECT_VRF protocols bgp group Firewall-1 local-as 64730
set routing-instances INSPECT_VRF protocols bgp group Firewall-1 neighbor 10.81.91.1 peer-as 64777
set routing-instances INSPECT_VRF protocols evpn ip-prefix-routes advertise direct-nexthop
set routing-instances INSPECT_VRF protocols evpn ip-prefix-routes encapsulation vxlan
set routing-instances INSPECT_VRF protocols evpn ip-prefix-routes vni 9991
set routing-instances INSPECT_VRF protocols evpn ip-prefix-routes export T5_INSPECT_EXPORT
set routing-instances SECURE_VRF description "VRF for SECURED FIREWALL TRAFFIC"
set routing-instances SECURE_VRF instance-type vrf
set routing-instances SECURE_VRF interface irb.992
set routing-instances SECURE_VRF interface lo0.992
set routing-instances SECURE_VRF route-distinguisher 10.80.224.138:9992
set routing-instances SECURE_VRF vrf-target target:64730:992
set routing-instances SECURE_VRF vrf-table-label
set routing-instances SECURE_VRF routing-options multipath
set routing-instances SECURE_VRF protocols bgp group Firewall-1 type external
set routing-instances SECURE_VRF protocols bgp group Firewall-1 export FW1_Export
set routing-instances SECURE_VRF protocols bgp group Firewall-1 local-as 64730
set routing-instances SECURE_VRF protocols bgp group Firewall-1 neighbor 10.81.92.1 peer-as 64777
set routing-instances SECURE_VRF protocols evpn ip-prefix-routes advertise direct-nexthop
set routing-instances SECURE_VRF protocols evpn ip-prefix-routes encapsulation vxlan
set routing-instances SECURE_VRF protocols evpn ip-prefix-routes vni 9992
set routing-instances SECURE_VRF protocols evpn ip-prefix-routes export T5_SECURE_EXPORT
set interfaces lo0 unit 991 family inet address 192.168.91.253/32
set interfaces lo0 unit 992 family inet address 192.168.92.253/32
- We also need to set up the policy statements on Service Leaf 1:
set policy-options policy-statement T5_INSPECT_EXPORT term fm_direct from protocol direct
set policy-options policy-statement T5_INSPECT_EXPORT term fm_direct then accept
set policy-options policy-statement T5_INSPECT_EXPORT term Default_Route from route-filter 0.0.0.0/0 exact
set policy-options policy-statement T5_INSPECT_EXPORT term Default_Route then accept
set policy-options policy-statement T5_SECURE_EXPORT term fm_direct from protocol direct
set policy-options policy-statement T5_SECURE_EXPORT term fm_direct then accept
set policy-options policy-statement T5_SECURE_EXPORT term Default_Route from route-filter 0.0.0.0/0 exact
set policy-options policy-statement T5_SECURE_EXPORT term Default_Route then accept
set policy-options policy-statement FW1_Export from protocol evpn
set policy-options policy-statement FW1_Export then accept
Service Leaf 2
The configuration on Service Leaf 2 is similar to the Service Leaf 1 configuration.
- Here we set up the firewall interconnect on Service Leaf 2:
set interfaces xe-0/0/4:0 description "SRX Firewall-1: xe-0/0/5"
set interfaces xe-0/0/4:0 mtu 9192
set interfaces xe-0/0/4:0 unit 0 family ethernet-switching interface-mode trunk
set interfaces xe-0/0/4:0 unit 0 family ethernet-switching vlan members V991
set interfaces xe-0/0/4:0 unit 0 family ethernet-switching vlan members V992
set interfaces irb unit 991 family inet address 10.81.91.6/24
set interfaces irb unit 992 family inet address 10.81.92.6/24
- Here we set up the routing instances on Service Leaf 2:
set routing-instances INSPECT_VRF description "VRF for Firewall-1"
set routing-instances INSPECT_VRF instance-type vrf
set routing-instances INSPECT_VRF interface irb.991
set routing-instances INSPECT_VRF interface lo0.991
set routing-instances INSPECT_VRF route-distinguisher 10.80.224.139:9991
set routing-instances INSPECT_VRF vrf-target target:64730:991
set routing-instances INSPECT_VRF vrf-table-label
set routing-instances INSPECT_VRF routing-options multipath
set routing-instances INSPECT_VRF protocols bgp group Firewall-1 type external
set routing-instances INSPECT_VRF protocols bgp group Firewall-1 export FW1_Export
set routing-instances INSPECT_VRF protocols bgp group Firewall-1 local-as 64730
set routing-instances INSPECT_VRF protocols bgp group Firewall-1 neighbor 10.81.91.5 peer-as 64777
set routing-instances INSPECT_VRF protocols evpn ip-prefix-routes advertise direct-nexthop
set routing-instances INSPECT_VRF protocols evpn ip-prefix-routes encapsulation vxlan
set routing-instances INSPECT_VRF protocols evpn ip-prefix-routes vni 9991
set routing-instances INSPECT_VRF protocols evpn ip-prefix-routes export T5_INSPECT_EXPORT
set routing-instances SECURE_VRF description "VRF for SECURED FIREWALL TRAFFIC"
set routing-instances SECURE_VRF instance-type vrf
set routing-instances SECURE_VRF interface irb.992
set routing-instances SECURE_VRF interface lo0.992
set routing-instances SECURE_VRF route-distinguisher 10.80.224.139:9992
set routing-instances SECURE_VRF vrf-target target:64730:992
set routing-instances SECURE_VRF vrf-table-label
set routing-instances SECURE_VRF routing-options multipath
set routing-instances SECURE_VRF protocols bgp group Firewall-1 type external
set routing-instances SECURE_VRF protocols bgp group Firewall-1 export FW1_Export
set routing-instances SECURE_VRF protocols bgp group Firewall-1 local-as 64730
set routing-instances SECURE_VRF protocols bgp group Firewall-1 neighbor 10.81.92.5 peer-as 64777
set routing-instances SECURE_VRF protocols evpn ip-prefix-routes advertise direct-nexthop
set routing-instances SECURE_VRF protocols evpn ip-prefix-routes encapsulation vxlan
set routing-instances SECURE_VRF protocols evpn ip-prefix-routes vni 9992
set routing-instances SECURE_VRF protocols evpn ip-prefix-routes export T5_SECURE_EXPORT
set interfaces lo0 unit 991 family inet address 192.168.91.254/32
set interfaces lo0 unit 992 family inet address 192.168.92.254/32
- Finally, we set up the policy statements on Service Leaf 2:
set policy-options policy-statement T5_INSPECT_EXPORT term fm_direct from protocol direct
set policy-options policy-statement T5_INSPECT_EXPORT term fm_direct then accept
set policy-options policy-statement T5_INSPECT_EXPORT term Default_Route from route-filter 0.0.0.0/0 exact
set policy-options policy-statement T5_INSPECT_EXPORT term Default_Route then accept
set policy-options policy-statement T5_SECURE_EXPORT term fm_direct from protocol direct
set policy-options policy-statement T5_SECURE_EXPORT term fm_direct then accept
set policy-options policy-statement T5_SECURE_EXPORT term Default_Route from route-filter 0.0.0.0/0 exact
set policy-options policy-statement T5_SECURE_EXPORT term Default_Route then accept
set policy-options policy-statement FW1_Export from protocol evpn
set policy-options policy-statement FW1_Export then accept
Firewall
The firewall interfaces are configured as VLAN-tagged interfaces. The firewall establishes two EBGP sessions with each service leaf, as shown in Figure 2.
- Here we set up the Firewall-1 to service leaf interconnects shown in the figure, along with the BGP peering and route export:
set interfaces xe-0/0/4 vlan-tagging
set interfaces xe-0/0/4 unit 991 vlan-id 991
set interfaces xe-0/0/4 unit 991 family inet address 10.81.91.1/30
set interfaces xe-0/0/4 unit 992 vlan-id 992
set interfaces xe-0/0/4 unit 992 family inet address 10.81.92.1/30
set interfaces xe-0/0/5 vlan-tagging
set interfaces xe-0/0/5 unit 991 vlan-id 991
set interfaces xe-0/0/5 unit 991 family inet address 10.81.91.5/30
set interfaces xe-0/0/5 unit 992 vlan-id 992
set interfaces xe-0/0/5 unit 992 family inet address 10.81.92.5/30
set protocols bgp group ServiceLeaf type external
set protocols bgp group ServiceLeaf export Export-Default-Route
set protocols bgp group ServiceLeaf local-as 64777
set protocols bgp group ServiceLeaf neighbor 10.81.91.2 peer-as 64730
set protocols bgp group ServiceLeaf neighbor 10.81.92.2 peer-as 64730
set protocols bgp group ServiceLeaf neighbor 10.81.91.6 peer-as 64730
set protocols bgp group ServiceLeaf neighbor 10.81.92.6 peer-as 64730
set policy-options policy-statement Export-Default-Route term 10 from route-filter 0.0.0.0/0 exact
set policy-options policy-statement Export-Default-Route term 10 then accept
set policy-options policy-statement Export-Default-Route term 100 then reject
- Now we need to set up the zone and policy configuration on Firewall-1. Traffic traversing the logical interfaces for VLAN 991 is placed in INSPECT_Zone, and traffic traversing the logical interfaces for VLAN 992 is placed in SECURE_Zone:
set security zones security-zone INSPECT_Zone address-book address EP1 10.1.110.11/32
set security zones security-zone INSPECT_Zone host-inbound-traffic system-services all
set security zones security-zone INSPECT_Zone host-inbound-traffic protocols all
set security zones security-zone INSPECT_Zone interfaces xe-0/0/4.991
set security zones security-zone INSPECT_Zone interfaces xe-0/0/5.991
set security zones security-zone SECURE_Zone address-book address EP2 10.1.111.21/32
set security zones security-zone SECURE_Zone host-inbound-traffic system-services all
set security zones security-zone SECURE_Zone host-inbound-traffic protocols all
set security zones security-zone SECURE_Zone interfaces xe-0/0/4.992
set security zones security-zone SECURE_Zone interfaces xe-0/0/5.992
- To restrict communication from Endpoint 1 to Endpoint 2 to specific protocols only (ping, HTTPS, SSH, and UDP to support traceroute from the servers), we create a security policy for traffic from INSPECT_Zone to SECURE_Zone:
set security policies from-zone INSPECT_Zone to-zone SECURE_Zone policy Allow_EP1_to_EP2 match source-address 10.1.110.11
set security policies from-zone INSPECT_Zone to-zone SECURE_Zone policy Allow_EP1_to_EP2 match destination-address 10.1.111.21
set security policies from-zone INSPECT_Zone to-zone SECURE_Zone policy Allow_EP1_to_EP2 match application junos-https
set security policies from-zone INSPECT_Zone to-zone SECURE_Zone policy Allow_EP1_to_EP2 match application junos-ssh
set security policies from-zone INSPECT_Zone to-zone SECURE_Zone policy Allow_EP1_to_EP2 match application junos-ping
set security policies from-zone INSPECT_Zone to-zone SECURE_Zone policy Allow_EP1_to_EP2 match application junos-udp-any
set security policies from-zone INSPECT_Zone to-zone SECURE_Zone policy Allow_EP1_to_EP2 then permit
set security policies from-zone INSPECT_Zone to-zone SECURE_Zone policy Block_All match source-address any
set security policies from-zone INSPECT_Zone to-zone SECURE_Zone policy Block_All match destination-address any
set security policies from-zone INSPECT_Zone to-zone SECURE_Zone policy Block_All match application any
set security policies from-zone INSPECT_Zone to-zone SECURE_Zone policy Block_All then deny
- You can define a policy that accepts all traffic from SECURE_Zone to INSPECT_Zone:
set security policies from-zone SECURE_Zone to-zone INSPECT_Zone policy Allow_All match source-address any
set security policies from-zone SECURE_Zone to-zone INSPECT_Zone policy Allow_All match destination-address any
set security policies from-zone SECURE_Zone to-zone INSPECT_Zone policy Allow_All match application any
set security policies from-zone SECURE_Zone to-zone INSPECT_Zone policy Allow_All then permit
Verification
The commands and output in this section verify that FBF is working correctly on the traffic between EP1 and EP2.
- Generate pings between EP1 and EP2. While the pings are flowing, clear and then display the firewall counters on Leaf 1 and Leaf 2:
{master:0}
jcluser@Leaf1> clear firewall all

{master:0}
root@Leaf1> show firewall

Filter: SecureTraffic
Counters:
Name                                                Bytes              Packets
EP1_to_EP2                                           1484                   14
. . .
{master:0}
root@Leaf1> show firewall

Filter: SecureTraffic
Counters:
Name                                                Bytes              Packets
EP1_to_EP2                                           2332                   22
The output from Leaf 1 confirms that the BMS ping traffic is hitting the SecureTraffic filter, and specifically the term that redirects the traffic into INSPECT_VRF. Similar results are seen on Leaf 2 for the SecureResponseTraffic filter, which steers the replies into SECURE_VRF.
- Display the security flow information on the SRX device:
jcluser@firewall> clear firewall all

root@firewall> show security flow session | match icmp
In: 10.1.110.11/5554 --> 10.1.111.21/31;icmp, Conn Tag: 0x0, If: xe-0/0/5.991, Pkts: 1, Bytes: 84,
Out: 10.1.111.21/31 --> 10.1.110.11/5554;icmp, Conn Tag: 0x0, If: xe-0/0/4.992, Pkts: 0, Bytes: 0,
In: 10.1.110.11/5554 --> 10.1.111.21/32;icmp, Conn Tag: 0x0, If: xe-0/0/5.991, Pkts: 1, Bytes: 84,
Out: 10.1.111.21/32 --> 10.1.110.11/5554;icmp, Conn Tag: 0x0, If: xe-0/0/4.992, Pkts: 0, Bytes: 0,
In: 10.1.110.11/5554 --> 10.1.111.21/33;icmp, Conn Tag: 0x0, If: xe-0/0/5.991, Pkts: 1, Bytes: 84,
The output confirms that the BMS ping traffic is being inspected by the firewall. This confirms that FBF is steering the EP1-to-EP2 traffic from the leaf to the service leaf, and from there to the firewall device.
- Trace the path between EP1 and EP2. You should expect to see underlay forwarding hops through the firewall device.
The results are shown in Figure 3.
Note: Traffic from EP1 is encapsulated in VXLAN and sent from Leaf 1 to the service leaf. The service leaf decapsulates the traffic and routes it to the firewall device as native IP, which is why the underlay hops appear in the traceroute output.
Figure 3: EP1 to EP2 Traceroute with FBF
The traceroute output from EP1 (BMS 1) shows the additional fabric forwarding hops used to steer the traffic through the firewall. In the output, hops 1 and 6 represent the IRB interfaces on Leaf 1 and Leaf 2, respectively. The 10.81.91.2 hop in the output represents the irb.991 interface on Service Leaf 1 in INSPECT_VRF. These results further confirm that the EP1-to-EP2 traffic is correctly passing through the firewall.
- Deactivate the firewall filters applied to the IRB interfaces on Leaf 1 and Leaf 2. Be sure to commit the changes.
{master:0}[edit]
root@Leaf1# deactivate interfaces irb unit 110 family inet filter input

{master:0}[edit]
root@Leaf2# deactivate interfaces irb unit 111 family inet filter input
Repeat the traceroute between EP1 and EP2. The results are shown in Figure 4.
Figure 4: EP1 to EP2 Traceroute Without FBF
The traceroute output shows that, with the filters deactivated, EP1-to-EP2 traffic passes directly between the IRB interfaces on the leaf devices. With FBF removed, the service leaves and the firewall device are no longer in the forwarding path between these endpoints.
Full Device Configurations
This section provides the full configurations for all devices used in this example. Site-specific configuration for user logins, system services, logging, and management interfaces is omitted.
Configuration for Spine 1
set system host-name Spine1
set chassis fpc 0 pic 0 port 4 channel-speed 10g
set interfaces et-0/0/0 mtu 9200
set interfaces et-0/0/0 unit 0 family inet address 10.80.224.30/31
set interfaces et-0/0/1 mtu 9200
set interfaces et-0/0/1 unit 0 family inet address 10.80.224.0/31
set interfaces xe-0/0/4:0 mtu 9200
set interfaces xe-0/0/4:0 unit 0 family inet address 10.80.224.2/31
set interfaces et-0/0/4:1 unit 0 family ethernet-switching vlan members default
set interfaces et-0/0/4:1 unit 0 family ethernet-switching storm-control default
set interfaces xe-0/0/4:1 mtu 9200
set interfaces xe-0/0/4:1 unit 0 family inet address 10.80.224.4/31
set interfaces et-0/0/4:2 unit 0 family ethernet-switching vlan members default
set interfaces et-0/0/4:2 unit 0 family ethernet-switching storm-control default
set interfaces xe-0/0/4:2 mtu 9200
set interfaces xe-0/0/4:2 unit 0 family inet address 10.80.224.6/31
set interfaces et-0/0/4:3 unit 0 family ethernet-switching vlan members default
set interfaces et-0/0/4:3 unit 0 family ethernet-switching storm-control default
set interfaces xe-0/0/4:3 mtu 9200
set interfaces xe-0/0/4:3 unit 0 family inet address 10.80.224.8/31
set interfaces lo0 unit 0 family inet address 10.80.224.149/32
set forwarding-options storm-control-profiles default all
set policy-options policy-statement ECMP-POLICY then load-balance per-packet
set policy-options policy-statement FROM_Lo0 term 10 from interface lo0.0
set policy-options policy-statement FROM_Lo0 term 10 then accept
set policy-options policy-statement FROM_Lo0 term 20 then reject
set policy-options policy-statement FROM_UNDERLAY_BGP term 10 from protocol bgp
set policy-options policy-statement FROM_UNDERLAY_BGP term 10 then accept
set policy-options policy-statement UNDERLAY-EXPORT term LOOPBACK from route-filter 10.80.224.128/25 orlonger
set policy-options policy-statement UNDERLAY-EXPORT term LOOPBACK from route-filter 10.0.0.0/24 orlonger
set policy-options policy-statement UNDERLAY-EXPORT term LOOPBACK then accept
set policy-options policy-statement UNDERLAY-EXPORT term DEFAULT then reject
set policy-options policy-statement UNDERLAY-IMPORT term LOOPBACK from route-filter 10.80.224.128/25 orlonger
set policy-options policy-statement UNDERLAY-IMPORT term LOOPBACK from route-filter 10.0.0.0/24 orlonger
set policy-options policy-statement UNDERLAY-IMPORT term LOOPBACK then accept
set policy-options policy-statement UNDERLAY-IMPORT term DEFAULT then reject
set routing-options forwarding-table export ECMP-POLICY
set routing-options forwarding-table ecmp-fast-reroute
set protocols bgp group EVPN_FABRIC type internal
set protocols bgp group EVPN_FABRIC description "manage connection from leaves"
set protocols bgp group EVPN_FABRIC local-address 10.80.224.149
set protocols bgp group EVPN_FABRIC family evpn signaling
set protocols bgp group EVPN_FABRIC cluster 10.80.224.149
set protocols bgp group EVPN_FABRIC local-as 64730
set protocols bgp group EVPN_FABRIC multipath
set protocols bgp group EVPN_FABRIC neighbor 10.80.224.139
set protocols bgp group EVPN_FABRIC neighbor 10.80.224.140
set protocols bgp group EVPN_FABRIC neighbor 10.80.224.141
set protocols bgp group EVPN_FABRIC neighbor 10.80.224.142
set protocols bgp group EVPN_FABRIC neighbor 10.80.224.143
set protocols bgp group EVPN_FABRIC neighbor 10.80.224.138
set protocols bgp group EVPN_FABRIC vpn-apply-export
set protocols bgp group UNDERLAY type external
set protocols bgp group UNDERLAY description "Connection to EBGP UNDERLAY"
set protocols bgp group UNDERLAY import UNDERLAY-IMPORT
set protocols bgp group UNDERLAY family inet unicast
set protocols bgp group UNDERLAY export UNDERLAY-EXPORT
set protocols bgp group UNDERLAY local-as 10021
set protocols bgp group UNDERLAY multipath multiple-as
set protocols bgp group UNDERLAY bfd-liveness-detection minimum-interval 350
set protocols bgp group UNDERLAY bfd-liveness-detection multiplier 3
set protocols bgp group UNDERLAY neighbor 10.80.224.9 peer-as 65015
set protocols bgp group UNDERLAY neighbor 10.80.224.7 peer-as 65014
set protocols bgp group UNDERLAY neighbor 10.80.224.3 peer-as 65012
set protocols bgp group UNDERLAY neighbor 10.80.224.5 peer-as 65013
set protocols bgp group UNDERLAY neighbor 10.80.224.1 peer-as 65011
set protocols bgp group UNDERLAY neighbor 10.80.224.31 peer-as 65009
set protocols bgp hold-time 10
set protocols bgp log-updown
set protocols lldp interface all
set protocols igmp-snooping vlan default
set vlans default vlan-id 1
Configuration for Spine 2
set system host-name Spine2
set chassis fpc 0 pic 0 port 4 channel-speed 10g
set interfaces et-0/0/0 mtu 9200
set interfaces et-0/0/0 unit 0 family inet address 10.80.224.10/31
set interfaces et-0/0/1 mtu 9200
set interfaces et-0/0/1 unit 0 family inet address 10.80.224.32/31
set interfaces xe-0/0/4:0 mtu 9200
set interfaces xe-0/0/4:0 unit 0 family inet address 10.80.224.12/31
set interfaces xe-0/0/4:1 mtu 9200
set interfaces xe-0/0/4:1 unit 0 family inet address 10.80.224.14/31
set interfaces xe-0/0/4:2 unit 0 family inet address 10.80.224.16/31
set interfaces et-0/0/4:3 unit 0 family inet dhcp vendor-id Juniper-qfx5120-32c
set interfaces xe-0/0/4:3 mtu 9200
set interfaces xe-0/0/4:3 unit 0 family inet address 10.80.224.18/31
set interfaces lo0 unit 0 family inet address 10.80.224.150/32
set forwarding-options storm-control-profiles default all
set policy-options policy-statement ECMP-POLICY then load-balance per-packet
set policy-options policy-statement FROM_Lo0 term 10 from interface lo0.0
set policy-options policy-statement FROM_Lo0 term 10 then accept
set policy-options policy-statement FROM_Lo0 term 20 then reject
set policy-options policy-statement FROM_UNDERLAY_BGP term 10 from protocol bgp
set policy-options policy-statement FROM_UNDERLAY_BGP term 10 then accept
set policy-options policy-statement UNDERLAY-EXPORT term LOOPBACK from route-filter 10.80.224.128/25 orlonger
set policy-options policy-statement UNDERLAY-EXPORT term LOOPBACK then accept
set policy-options policy-statement UNDERLAY-EXPORT term DEFAULT then reject
set policy-options policy-statement UNDERLAY-IMPORT term LOOPBACK from route-filter 10.80.224.128/25 orlonger
set policy-options policy-statement UNDERLAY-IMPORT term LOOPBACK then accept
set policy-options policy-statement UNDERLAY-IMPORT term DEFAULT then reject
set routing-options forwarding-table export ECMP-POLICY
set routing-options forwarding-table ecmp-fast-reroute
set protocols bgp group EVPN_FABRIC type internal
set protocols bgp group EVPN_FABRIC description "manage connection from leaves"
set protocols bgp group EVPN_FABRIC local-address 10.80.224.150
set protocols bgp group EVPN_FABRIC family evpn signaling
set protocols bgp group EVPN_FABRIC cluster 10.80.224.150
set protocols bgp group EVPN_FABRIC local-as 64730
set protocols bgp group EVPN_FABRIC multipath
set protocols bgp group EVPN_FABRIC neighbor 10.80.224.139
set protocols bgp group EVPN_FABRIC neighbor 10.80.224.140
set protocols bgp group EVPN_FABRIC neighbor 10.80.224.141
set protocols bgp group EVPN_FABRIC neighbor 10.80.224.142
set protocols bgp group EVPN_FABRIC neighbor 10.80.224.143
set protocols bgp group EVPN_FABRIC neighbor 10.80.224.138
set protocols bgp group EVPN_FABRIC vpn-apply-export
set protocols bgp group UNDERLAY type external
set protocols bgp group UNDERLAY description "Connection to EBGP UNDERLAY"
set protocols bgp group UNDERLAY import UNDERLAY-IMPORT
set protocols bgp group UNDERLAY family inet unicast
set protocols bgp group UNDERLAY export UNDERLAY-EXPORT
set protocols bgp group UNDERLAY local-as 10022
set protocols bgp group UNDERLAY multipath multiple-as
set protocols bgp group UNDERLAY bfd-liveness-detection minimum-interval 350
set protocols bgp group UNDERLAY bfd-liveness-detection multiplier 3
set protocols bgp group UNDERLAY neighbor 10.80.224.13 peer-as 65012
set protocols bgp group UNDERLAY neighbor 10.80.224.19 peer-as 65015
set protocols bgp group UNDERLAY neighbor 10.80.224.11 peer-as 65011
set protocols bgp group UNDERLAY neighbor 10.80.224.17 peer-as 65014
set protocols bgp group UNDERLAY neighbor 10.80.224.15 peer-as 65013
set protocols bgp group UNDERLAY neighbor 10.80.224.33 peer-as 65009
set protocols bgp hold-time 10
set protocols bgp log-updown
set protocols lldp port-id-subtype interface-name
set protocols lldp interface all
set protocols lldp-med interface all
set protocols igmp-snooping vlan default
Configuration for Server Leaf 1
set system host-name Leaf1
set system root-authentication encrypted-password "$6$yMrAzWii$mH8/hzspVvEAWSta.W2sbI3Fkjh5DpY.QMJhvyXP1ZfFWZ4E0KLfzlPZISlUqElTGmzeKEuE9EDths9PviIwR/"
set system login user jcluser uid 2000
set system login user jcluser class super-user
set system login user jcluser authentication encrypted-password "$6$yz5sIC9j$Z3P7ygtxzWAdfjDFXUmz787lCqquxA0YbkseMs9W1ZxyDOIsXBwJer1ShHlrBp3obTitLJGYbrVk3IdIR5DfI."
set system services ssh root-login allow
set interfaces xe-0/0/0 mtu 9200
set interfaces xe-0/0/0 unit 0 family inet address 10.80.224.3/31
set interfaces xe-0/0/2 mtu 9200
set interfaces xe-0/0/2 unit 0 family inet address 10.80.224.13/31
set interfaces irb unit 110 virtual-gateway-accept-data
set interfaces irb unit 110 family inet filter input SecureTraffic
set interfaces irb unit 110 family inet address 10.1.110.100/24 virtual-gateway-address 10.1.110.1
set interfaces irb unit 110 virtual-gateway-v4-mac e4:5d:37:11:10:01
set interfaces irb unit 111 family inet address 10.1.111.1/24
set interfaces irb unit 111 virtual-gateway-v4-mac e4:5d:37:11:11:01
set interfaces irb unit 112 family inet address 10.1.112.1/24
set interfaces irb unit 112 virtual-gateway-v4-mac e4:5d:37:11:12:01
set interfaces lo0 unit 0 description "** dc-leaf1-lo0"
set interfaces lo0 unit 0 family inet address 10.80.224.140/32
set interfaces lo0 unit 110 family inet address 192.168.110.1/32
set interfaces lo0 unit 110 family inet6 address 2001:db8::192:168:110:1/128
set interfaces lo0 unit 112 family inet address 192.168.112.1/32
set interfaces lo0 unit 112 family inet6 address 2001:db8::192:168:112:1/128
set interfaces lo0 unit 991 family inet address 192.168.91.1/32
set forwarding-options storm-control-profiles default all
set forwarding-options vxlan-routing next-hop 32768
set forwarding-options vxlan-routing overlay-ecmp
set policy-options policy-statement ECMP-POLICY then load-balance per-packet
set policy-options policy-statement FROM_Lo0 term 10 from interface lo0.0
set policy-options policy-statement FROM_Lo0 term 10 then accept
set policy-options policy-statement FROM_Lo0 term 20 then reject
set policy-options policy-statement FROM_UNDERLAY_BGP term 10 from protocol bgp
set policy-options policy-statement FROM_UNDERLAY_BGP term 10 then accept
set policy-options policy-statement T5_EXPORT term fm_direct from protocol direct
set policy-options policy-statement T5_EXPORT term fm_direct then accept
set policy-options policy-statement T5_EXPORT term fm_static from protocol static
set policy-options policy-statement T5_EXPORT term fm_static then accept
set policy-options policy-statement T5_EXPORT term fm_v4_host from protocol evpn
set policy-options policy-statement T5_EXPORT term fm_v4_host from route-filter 0.0.0.0/0 prefix-length-range /32-/32
set policy-options policy-statement T5_EXPORT term fm_v4_host then accept
set policy-options policy-statement T5_EXPORT term fm_v6_host from route-filter 0::0/0 prefix-length-range /128-/128
set policy-options policy-statement T5_EXPORT term fm_v6_host then accept
set policy-options policy-statement T5_INSPECT_EXPORT term fm_direct from protocol direct
set policy-options policy-statement T5_INSPECT_EXPORT term fm_direct then accept
set policy-options policy-statement T5_INSPECT_EXPORT term fm_static from protocol static
set policy-options policy-statement T5_INSPECT_EXPORT term fm_static then accept
set policy-options policy-statement T5_SECURE_EXPORT term fm_direct from protocol direct
set policy-options policy-statement T5_SECURE_EXPORT term fm_direct then accept
set policy-options policy-statement T5_SECURE_EXPORT term fm_static from protocol static
set policy-options policy-statement T5_SECURE_EXPORT term fm_static then accept
set firewall family inet filter SecureTraffic term EP1_to_EP2 from source-address 10.1.110.11/32
set firewall family inet filter SecureTraffic term EP1_to_EP2 from destination-address 10.1.111.21/32
set firewall family inet filter SecureTraffic term EP1_to_EP2 then count EP1_to_EP2
set firewall family inet filter SecureTraffic term EP1_to_EP2 then routing-instance INSPECT_VRF
set firewall family inet filter SecureTraffic term Allow_All then accept
set routing-instances INSPECT_VRF routing-options static route 10.1.110.11/32 next-table Tenant1_VRF.inet.0
set routing-instances INSPECT_VRF routing-options multipath
set routing-instances INSPECT_VRF protocols evpn ip-prefix-routes advertise direct-nexthop
set routing-instances INSPECT_VRF protocols evpn ip-prefix-routes encapsulation vxlan
set routing-instances INSPECT_VRF protocols evpn ip-prefix-routes vni 9991
set routing-instances INSPECT_VRF protocols evpn ip-prefix-routes export T5_INSPECT_EXPORT
set routing-instances INSPECT_VRF description "VRF for Firewall1"
set routing-instances INSPECT_VRF instance-type vrf
set routing-instances INSPECT_VRF interface lo0.991
set routing-instances INSPECT_VRF route-distinguisher 10.80.224.140:9991
set routing-instances INSPECT_VRF vrf-target target:64730:991
set routing-instances INSPECT_VRF vrf-table-label
set routing-instances Tenant1_VRF routing-options multipath
set routing-instances Tenant1_VRF protocols evpn ip-prefix-routes advertise direct-nexthop
set routing-instances Tenant1_VRF protocols evpn ip-prefix-routes encapsulation vxlan
set routing-instances Tenant1_VRF protocols evpn ip-prefix-routes vni 9110
set routing-instances Tenant1_VRF protocols evpn ip-prefix-routes export T5_EXPORT
set routing-instances Tenant1_VRF description "VRF for tenant Tenant_1"
set routing-instances Tenant1_VRF instance-type vrf
set routing-instances Tenant1_VRF forwarding-options dhcp-relay dhcpv6 overrides relay-source lo0.110
set routing-instances Tenant1_VRF forwarding-options dhcp-relay dhcpv6 forward-only
set routing-instances Tenant1_VRF forwarding-options dhcp-relay dhcpv6 forward-only-replies
set routing-instances Tenant1_VRF forwarding-options dhcp-relay dhcpv6 group all interface irb.110
set routing-instances Tenant1_VRF forwarding-options dhcp-relay dhcpv6 server-group dhcp-servers-v6 2001:db8::10:1:140:188
set routing-instances Tenant1_VRF forwarding-options dhcp-relay dhcpv6 active-server-group dhcp-servers-v6
set routing-instances Tenant1_VRF forwarding-options dhcp-relay relay-option-82
set routing-instances Tenant1_VRF interface irb.110
set routing-instances Tenant1_VRF interface irb.111
set routing-instances Tenant1_VRF interface lo0.110
set routing-instances Tenant1_VRF route-distinguisher 10.80.224.140:9110
set routing-instances Tenant1_VRF vrf-target target:64730:110
set routing-instances Tenant1_VRF vrf-table-label
set routing-instances Tenant2_VRF routing-options multipath
set routing-instances Tenant2_VRF protocols evpn ip-prefix-routes advertise direct-nexthop
set routing-instances Tenant2_VRF protocols evpn ip-prefix-routes encapsulation vxlan
set routing-instances Tenant2_VRF protocols evpn ip-prefix-routes vni 9112
set routing-instances Tenant2_VRF protocols evpn ip-prefix-routes export T5_EXPORT
set routing-instances Tenant2_VRF description "VRF for tenant Tenant_1"
set routing-instances Tenant2_VRF instance-type vrf
set routing-instances Tenant2_VRF interface irb.112
set routing-instances Tenant2_VRF interface lo0.112
set routing-instances Tenant2_VRF route-distinguisher 10.80.224.140:9112
set routing-instances Tenant2_VRF vrf-target target:64730:112
set routing-instances Tenant2_VRF vrf-table-label
set routing-options router-id 10.80.224.140
set routing-options autonomous-system 64730
set routing-options forwarding-table export ECMP-POLICY
set routing-options forwarding-table ecmp-fast-reroute
set routing-options forwarding-table chained-composite-next-hop ingress evpn
set protocols bgp group EVPN_FABRIC type internal
set protocols bgp group EVPN_FABRIC description "Connection to EVPN Fabric RRs (tenants.bgp_reflector)"
set protocols bgp group EVPN_FABRIC local-address 10.80.224.140
set protocols bgp group EVPN_FABRIC family evpn signaling
set protocols bgp
group EVPN_FABRIC local-as 64730 set protocols bgp group EVPN_FABRIC multipath set protocols bgp group EVPN_FABRIC neighbor 10.80.224.149 set protocols bgp group EVPN_FABRIC neighbor 10.80.224.150 set protocols bgp group UNDERLAY type external set protocols bgp group UNDERLAY description "Connection to EBGP UNDERLAY" set protocols bgp group UNDERLAY family inet unicast set protocols bgp group UNDERLAY export FROM_Lo0 set protocols bgp group UNDERLAY export FROM_UNDERLAY_BGP set protocols bgp group UNDERLAY local-as 65012 set protocols bgp group UNDERLAY multipath multiple-as set protocols bgp group UNDERLAY bfd-liveness-detection minimum-interval 350 set protocols bgp group UNDERLAY bfd-liveness-detection multiplier 3 set protocols bgp group UNDERLAY neighbor 10.80.224.12 peer-as 10022 set protocols bgp group UNDERLAY neighbor 10.80.224.2 peer-as 10021 set protocols bgp hold-time 10 set protocols bgp log-updown set protocols evpn encapsulation vxlan set protocols evpn extended-vni-list 110 set protocols evpn extended-vni-list 111 set protocols evpn extended-vni-list 112 set protocols l2-learning global-mac-table-aging-time 600 set protocols l2-learning global-mac-ip-table-aging-time 300 set protocols l2-learning decapsulate-accept-inner-vlan set protocols lldp interface all set protocols igmp-snooping vlan default set switch-options vtep-source-interface lo0.0 set switch-options route-distinguisher 10.80.224.140:1 set switch-options vrf-target target:64730:1 set switch-options vrf-target auto set vlans default vlan-id 1 set vlans v110 vlan-id 110 set vlans v110 l3-interface irb.110 set vlans v110 vxlan vni 110 set vlans v111 vlan-id 111 set vlans v111 l3-interface irb.111 set vlans v111 vxlan vni 111 set vlans v112 vlan-id 112 set vlans v112 l3-interface irb.112 set vlans v112 vxlan vni 112
Server Leaf 2 configuration:
set system host-name Leaf2
set interfaces xe-0/0/0 mtu 9200
set interfaces xe-0/0/0 unit 0 family inet address 10.80.224.5/31
set interfaces xe-0/0/1 unit 0 family ethernet-switching interface-mode trunk
set interfaces xe-0/0/1 unit 0 family ethernet-switching vlan members v110
set interfaces xe-0/0/1 unit 0 family ethernet-switching vlan members v111
set interfaces et-0/0/2 unit 0 family inet dhcp vendor-id Juniper-qfx5120-48y-8c
set interfaces ge-0/0/2 unit 0 family inet dhcp vendor-id Juniper-qfx5120-48y-8c
set interfaces xe-0/0/2 mtu 9200
set interfaces xe-0/0/2 unit 0 family inet address 10.80.224.15/31
set interfaces irb unit 110 virtual-gateway-accept-data
set interfaces irb unit 110 family inet address 10.1.110.101/24 virtual-gateway-address 10.1.110.1
set interfaces irb unit 110 virtual-gateway-v4-mac e4:5d:37:11:10:01
set interfaces irb unit 111 virtual-gateway-accept-data
set interfaces irb unit 111 family inet filter input SecureResponseTraffic
set interfaces irb unit 111 family inet address 10.1.111.101/24 virtual-gateway-address 10.1.111.1
set interfaces irb unit 111 virtual-gateway-v4-mac e4:5d:37:11:11:01
set interfaces irb unit 112 family inet address 10.1.112.101/24 virtual-gateway-address 10.1.112.1
set interfaces irb unit 112 virtual-gateway-v4-mac e4:5d:37:11:12:01
set interfaces lo0 unit 0 description "** dc-leaf2-lo0"
set interfaces lo0 unit 0 family inet address 10.80.224.141/32
set interfaces lo0 unit 110 family inet address 192.168.110.2/32
set interfaces lo0 unit 110 family inet6 address 2001:db8::192:168:110:2/128
set interfaces lo0 unit 112 family inet address 192.168.112.2/32
set interfaces lo0 unit 112 family inet6 address 2001:db8::192:168:112:2/128
set interfaces lo0 unit 992 family inet address 192.168.92.2/32
set forwarding-options storm-control-profiles default all
set forwarding-options vxlan-routing next-hop 32768
set forwarding-options vxlan-routing overlay-ecmp
set policy-options policy-statement ECMP-POLICY then load-balance per-packet
set policy-options policy-statement FROM_Lo0 term 10 from interface lo0.0
set policy-options policy-statement FROM_Lo0 term 10 then accept
set policy-options policy-statement FROM_Lo0 term 20 then reject
set policy-options policy-statement FROM_UNDERLAY_BGP term 10 from protocol bgp
set policy-options policy-statement FROM_UNDERLAY_BGP term 10 then accept
set policy-options policy-statement T5_EXPORT term fm_direct from protocol direct
set policy-options policy-statement T5_EXPORT term fm_direct then accept
set policy-options policy-statement T5_EXPORT term fm_static from protocol static
set policy-options policy-statement T5_EXPORT term fm_static then accept
set policy-options policy-statement T5_EXPORT term fm_v4_host from protocol evpn
set policy-options policy-statement T5_EXPORT term fm_v4_host from route-filter 0.0.0.0/0 prefix-length-range /32-/32
set policy-options policy-statement T5_EXPORT term fm_v4_host then accept
set policy-options policy-statement T5_EXPORT term fm_v6_host from route-filter 0::0/0 prefix-length-range /128-/128
set policy-options policy-statement T5_EXPORT term fm_v6_host then accept
set policy-options policy-statement T5_INSPECT_EXPORT term fm_direct from protocol direct
set policy-options policy-statement T5_INSPECT_EXPORT term fm_direct then accept
set policy-options policy-statement T5_INSPECT_EXPORT term fm_static from protocol static
set policy-options policy-statement T5_INSPECT_EXPORT term fm_static then accept
set policy-options policy-statement T5_SECURE_EXPORT term fm_direct from protocol direct
set policy-options policy-statement T5_SECURE_EXPORT term fm_direct then accept
set policy-options policy-statement T5_SECURE_EXPORT term fm_static from protocol static
set policy-options policy-statement T5_SECURE_EXPORT term fm_static then accept
set firewall family inet filter SecureResponseTraffic term EP2_to_EP1 from source-address 10.1.111.21/32
set firewall family inet filter SecureResponseTraffic term EP2_to_EP1 from destination-address 10.1.110.11/32
set firewall family inet filter SecureResponseTraffic term EP2_to_EP1 then count EP2_to_EP1
set firewall family inet filter SecureResponseTraffic term EP2_to_EP1 then routing-instance SECURE_VRF
set firewall family inet filter SecureResponseTraffic term Allow_All then accept
set routing-instances SECURE_VRF routing-options static route 10.1.111.21/32 next-table Tenant1_VRF.inet.0
set routing-instances SECURE_VRF routing-options multipath
set routing-instances SECURE_VRF protocols evpn ip-prefix-routes advertise direct-nexthop
set routing-instances SECURE_VRF protocols evpn ip-prefix-routes encapsulation vxlan
set routing-instances SECURE_VRF protocols evpn ip-prefix-routes vni 9992
set routing-instances SECURE_VRF protocols evpn ip-prefix-routes export T5_SECURE_EXPORT
set routing-instances SECURE_VRF description "VRF for SECURED FIREWALL TRAFFIC"
set routing-instances SECURE_VRF instance-type vrf
set routing-instances SECURE_VRF interface lo0.992
set routing-instances SECURE_VRF route-distinguisher 10.80.224.141:9992
set routing-instances SECURE_VRF vrf-target target:64730:992
set routing-instances SECURE_VRF vrf-table-label
set routing-instances Tenant1_VRF routing-options multipath
set routing-instances Tenant1_VRF protocols evpn ip-prefix-routes advertise direct-nexthop
set routing-instances Tenant1_VRF protocols evpn ip-prefix-routes encapsulation vxlan
set routing-instances Tenant1_VRF protocols evpn ip-prefix-routes vni 9110
set routing-instances Tenant1_VRF protocols evpn ip-prefix-routes export T5_EXPORT
set routing-instances Tenant1_VRF description "VRF for tenant Tenant_1"
set routing-instances Tenant1_VRF instance-type vrf
set routing-instances Tenant1_VRF interface irb.110
set routing-instances Tenant1_VRF interface irb.111
set routing-instances Tenant1_VRF interface lo0.110
set routing-instances Tenant1_VRF route-distinguisher 10.80.224.141:9110
set routing-instances Tenant1_VRF vrf-target target:64730:110
set routing-instances Tenant1_VRF vrf-table-label
set routing-instances Tenant2_VRF routing-options multipath
set routing-instances Tenant2_VRF protocols evpn ip-prefix-routes advertise direct-nexthop
set routing-instances Tenant2_VRF protocols evpn ip-prefix-routes encapsulation vxlan
set routing-instances Tenant2_VRF protocols evpn ip-prefix-routes vni 9112
set routing-instances Tenant2_VRF protocols evpn ip-prefix-routes export T5_EXPORT
set routing-instances Tenant2_VRF description "VRF for tenant Tenant_1"
set routing-instances Tenant2_VRF instance-type vrf
set routing-instances Tenant2_VRF interface irb.112
set routing-instances Tenant2_VRF interface lo0.112
set routing-instances Tenant2_VRF route-distinguisher 10.80.224.141:9112
set routing-instances Tenant2_VRF vrf-target target:64730:112
set routing-instances Tenant2_VRF vrf-table-label
set routing-options static route 0.0.0.0/0 next-hop 100.123.0.1
set routing-options router-id 10.80.224.141
set routing-options autonomous-system 64730
set routing-options forwarding-table export ECMP-POLICY
set routing-options forwarding-table ecmp-fast-reroute
set routing-options forwarding-table chained-composite-next-hop ingress evpn
set protocols bgp group EVPN_FABRIC type internal
set protocols bgp group EVPN_FABRIC description "Connection to EVPN Fabric RRs (tenants.bgp_reflector)"
set protocols bgp group EVPN_FABRIC local-address 10.80.224.141
set protocols bgp group EVPN_FABRIC family evpn signaling
set protocols bgp group EVPN_FABRIC local-as 64730
set protocols bgp group EVPN_FABRIC multipath
set protocols bgp group EVPN_FABRIC neighbor 10.80.224.149
set protocols bgp group EVPN_FABRIC neighbor 10.80.224.150
set protocols bgp group UNDERLAY type external
set protocols bgp group UNDERLAY description "Connection to EBGP UNDERLAY"
set protocols bgp group UNDERLAY family inet unicast
set protocols bgp group UNDERLAY export FROM_Lo0
set protocols bgp group UNDERLAY export FROM_UNDERLAY_BGP
set protocols bgp group UNDERLAY local-as 65013
set protocols bgp group UNDERLAY multipath multiple-as
set protocols bgp group UNDERLAY bfd-liveness-detection minimum-interval 350
set protocols bgp group UNDERLAY bfd-liveness-detection multiplier 3
set protocols bgp group UNDERLAY neighbor 10.80.224.4 peer-as 10021
set protocols bgp group UNDERLAY neighbor 10.80.224.14 peer-as 10022
set protocols bgp hold-time 10
set protocols bgp log-updown
set protocols evpn encapsulation vxlan
set protocols evpn extended-vni-list 110
set protocols evpn extended-vni-list 111
set protocols evpn extended-vni-list 112
set protocols l2-learning global-mac-table-aging-time 600
set protocols l2-learning global-mac-ip-table-aging-time 300
set protocols l2-learning decapsulate-accept-inner-vlan
set protocols lldp port-id-subtype interface-name
set protocols lldp interface all
set protocols igmp-snooping vlan default
set switch-options vtep-source-interface lo0.0
set switch-options route-distinguisher 10.80.224.143:1
set switch-options vrf-target target:64730:1
set switch-options vrf-target auto
set vlans v110 vlan-id 110
set vlans v110 l3-interface irb.110
set vlans v110 vxlan vni 110
set vlans v111 vlan-id 111
set vlans v111 l3-interface irb.111
set vlans v111 vxlan vni 111
set vlans v112 vlan-id 112
set vlans v112 l3-interface irb.112
set vlans v112 vxlan vni 112
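The server-leaf listings above carry the three pieces that filter-based forwarding needs to agree on one device: the filter term's `then routing-instance` target, a VRF of that name with `instance-type vrf`, and the `next-table` static route that leaks the host route back into the tenant VRF. The following Python script is an added check, not part of the original NCE: it parses flattened `set`-style output and reports dangling references; its sample lines are constructed from the page's values, and the assumption that SecureTraffic is applied as an input filter on irb.110 is not shown in the listing.

```python
"""Cross-reference check for filter-based forwarding (FBF) in Junos 'set' output.

Added example, not part of the original NCE. For every device listing it checks:
  * a filter's 'then routing-instance X' names a defined instance of type vrf;
  * a 'next-table Y.inet.0' static route names a defined instance;
  * every defined filter is applied under 'family inet filter' on some interface.
"""
import re
import shlex
from typing import Dict, List, Optional


def parse_set_config(text: str) -> List[List[str]]:
    """Split 'set ...' statements into token lists.

    Statements may run together on one line, as in the listings above,
    so we split on the 'set ' keyword rather than on newlines."""
    stmts: List[List[str]] = []
    for chunk in re.split(r"(?:^|\s)set\s+", text):
        chunk = chunk.strip()
        if chunk:
            stmts.append(shlex.split(chunk))  # shlex keeps quoted descriptions whole
    return stmts


def check_fbf(stmts: List[List[str]]) -> List[str]:
    """Return human-readable problems; an empty list means the FBF pieces line up."""
    instances: Dict[str, Optional[str]] = {}  # instance name -> instance-type (or None)
    filters, applied = set(), set()
    redirects = []    # (filter, term, target instance)
    next_tables = []  # (instance, prefix, table)
    for t in stmts:
        if not t:
            continue
        if t[0] == "routing-instances" and len(t) >= 2:
            name = t[1]
            instances.setdefault(name, None)
            if len(t) >= 4 and t[2] == "instance-type":
                instances[name] = t[3]
            if "next-table" in t and "route" in t:
                prefix = t[t.index("route") + 1]
                next_tables.append((name, prefix, t[t.index("next-table") + 1]))
        elif t[:4] == ["firewall", "family", "inet", "filter"] and len(t) >= 5:
            fname = t[4]
            filters.add(fname)
            if "routing-instance" in t:
                term = t[t.index("term") + 1] if "term" in t else "?"
                redirects.append((fname, term, t[t.index("routing-instance") + 1]))
        elif t[0] == "interfaces" and "filter" in t:
            i = t.index("filter")
            if i + 2 < len(t) and t[i + 1] in ("input", "output"):
                applied.add(t[i + 2])

    problems = []
    for fname, term, inst in redirects:
        if inst not in instances:
            problems.append(f"filter {fname} term {term} redirects to undefined routing-instance {inst}")
        elif instances[inst] != "vrf":
            problems.append(f"filter {fname} term {term} redirects to {inst}, which is not instance-type vrf")
    for inst, prefix, table in next_tables:
        target = table.split(".")[0]
        if target not in instances:
            problems.append(f"{inst}: route {prefix} points to next-table {table}, but {target} is undefined")
    for fname in sorted(filters - applied):
        problems.append(f"filter {fname} is defined but not applied to any interface")
    return problems


# Constructed sample trimmed from the Server Leaf 1 listing: the filter on irb.110
# (interface binding assumed) pushes EP1 -> EP2 traffic into INSPECT_VRF, and
# INSPECT_VRF leaks EP1's host route back to Tenant1_VRF via next-table.
LEAF1_SAMPLE = """
set interfaces irb unit 110 family inet filter input SecureTraffic
set firewall family inet filter SecureTraffic term EP1_to_EP2 from source-address 10.1.110.11/32
set firewall family inet filter SecureTraffic term EP1_to_EP2 from destination-address 10.1.111.21/32
set firewall family inet filter SecureTraffic term EP1_to_EP2 then count EP1_to_EP2
set firewall family inet filter SecureTraffic term EP1_to_EP2 then routing-instance INSPECT_VRF
set firewall family inet filter SecureTraffic term Allow_All then accept
set routing-instances INSPECT_VRF routing-options static route 10.1.110.11/32 next-table Tenant1_VRF.inet.0
set routing-instances INSPECT_VRF instance-type vrf
set routing-instances INSPECT_VRF description "VRF for Firewall-1"
set routing-instances Tenant1_VRF instance-type vrf
set routing-instances Tenant1_VRF interface irb.110
"""

# Constructed broken variant: the filter names a VRF this device never defines,
# and nothing applies the filter, so no traffic would ever reach the firewall.
LEAF_BROKEN_SAMPLE = LEAF1_SAMPLE.replace(
    "then routing-instance INSPECT_VRF", "then routing-instance SECURE_VRF"
).replace("set interfaces irb unit 110 family inet filter input SecureTraffic\n", "")


if __name__ == "__main__":
    for label, cfg in (("leaf1", LEAF1_SAMPLE), ("broken", LEAF_BROKEN_SAMPLE)):
        found = check_fbf(parse_set_config(cfg))
        print(f"{label}: {'OK' if not found else str(len(found)) + ' problem(s)'}")
        for p in found:
            print("  -", p)
```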
Service Leaf 1 configuration:
set system host-name ServiceLeaf1
set chassis fpc 0 pic 0 port 4 channel-speed 10g
set interfaces et-0/0/0 mtu 9200
set interfaces et-0/0/0 unit 0 family inet address 10.80.224.31/31
set interfaces et-0/0/1 mtu 9200
set interfaces et-0/0/1 unit 0 family inet address 10.80.224.33/31
set interfaces xe-0/0/4:0 description "SRX Firewall 1: xe-0/0/4"
set interfaces xe-0/0/4:0 mtu 9192
set interfaces xe-0/0/4:0 unit 0 family ethernet-switching interface-mode trunk
set interfaces xe-0/0/4:0 unit 0 family ethernet-switching vlan members V991
set interfaces xe-0/0/4:0 unit 0 family ethernet-switching vlan members V992
set interfaces et-0/0/4:1 unit 0 family inet dhcp vendor-id Juniper-qfx5120-32c
set interfaces irb unit 991 family inet address 10.81.91.2/30
set interfaces irb unit 992 family inet address 10.81.92.2/30
set interfaces lo0 unit 0 family inet address 10.80.224.138/32
set interfaces lo0 unit 110 family inet address 192.168.110.253/32
set interfaces lo0 unit 110 family inet6 address 2001:db8::192:168:110:253/128
set interfaces lo0 unit 112 family inet address 192.168.112.253/32
set interfaces lo0 unit 112 family inet6 address 2001:db8::192:168:112:253/128
set interfaces lo0 unit 991 family inet address 192.168.91.253/32
set interfaces lo0 unit 992 family inet address 192.168.92.253/32
set forwarding-options storm-control-profiles default all
set policy-options policy-statement ECMP-POLICY then load-balance per-packet
set policy-options policy-statement FROM_Lo0 term 10 from interface lo0.0
set policy-options policy-statement FROM_Lo0 term 10 then accept
set policy-options policy-statement FROM_Lo0 term 20 then reject
set policy-options policy-statement FROM_UNDERLAY_BGP term 10 from protocol bgp
set policy-options policy-statement FROM_UNDERLAY_BGP term 10 then accept
set policy-options policy-statement FW1_Export from protocol evpn
set policy-options policy-statement FW1_Export then accept
set policy-options policy-statement T5_EXPORT term fm_direct from protocol direct
set policy-options policy-statement T5_EXPORT term fm_direct then accept
set policy-options policy-statement T5_EXPORT term fm_static from protocol static
set policy-options policy-statement T5_EXPORT term fm_static then accept
set policy-options policy-statement T5_EXPORT term fm_v4_host from protocol evpn
set policy-options policy-statement T5_EXPORT term fm_v4_host from route-filter 0.0.0.0/0 prefix-length-range /32-/32
set policy-options policy-statement T5_EXPORT term fm_v4_host then accept
set policy-options policy-statement T5_EXPORT term fm_v6_host from protocol evpn
set policy-options policy-statement T5_EXPORT term fm_v6_host from route-filter 0::0/0 prefix-length-range /128-/128
set policy-options policy-statement T5_EXPORT term fm_v6_host then accept
set policy-options policy-statement T5_EXPORT term Default_Route from route-filter 0.0.0.0/0 exact
set policy-options policy-statement T5_EXPORT term Default_Route then accept
set policy-options policy-statement T5_EXPORT term Default_Route_v6 from route-filter ::/0 exact
set policy-options policy-statement T5_EXPORT term Default_Route_v6 then accept
set policy-options policy-statement T5_INSPECT_EXPORT term fm_direct from protocol direct
set policy-options policy-statement T5_INSPECT_EXPORT term fm_direct then accept
set policy-options policy-statement T5_INSPECT_EXPORT term Default_Route from route-filter 0.0.0.0/0 exact
set policy-options policy-statement T5_INSPECT_EXPORT term Default_Route then accept
set policy-options policy-statement T5_SECURE_EXPORT term fm_direct from protocol direct
set policy-options policy-statement T5_SECURE_EXPORT term fm_direct then accept
set policy-options policy-statement T5_SECURE_EXPORT term Default_Route from route-filter 0.0.0.0/0 exact
set policy-options policy-statement T5_SECURE_EXPORT term Default_Route then accept
set routing-instances INSPECT_VRF routing-options multipath
set routing-instances INSPECT_VRF protocols evpn ip-prefix-routes advertise direct-nexthop
set routing-instances INSPECT_VRF protocols evpn ip-prefix-routes encapsulation vxlan
set routing-instances INSPECT_VRF protocols evpn ip-prefix-routes vni 9991
set routing-instances INSPECT_VRF protocols evpn ip-prefix-routes export T5_INSPECT_EXPORT
set routing-instances INSPECT_VRF protocols bgp group Firewall-1 type external
set routing-instances INSPECT_VRF protocols bgp group Firewall-1 export FW1_Export
set routing-instances INSPECT_VRF protocols bgp group Firewall-1 local-as 64730
set routing-instances INSPECT_VRF protocols bgp group Firewall-1 neighbor 10.81.91.1 peer-as 64777
set routing-instances INSPECT_VRF description "VRF for Firewall-1"
set routing-instances INSPECT_VRF instance-type vrf
set routing-instances INSPECT_VRF interface irb.991
set routing-instances INSPECT_VRF interface lo0.991
set routing-instances INSPECT_VRF route-distinguisher 10.80.224.138:9991
set routing-instances INSPECT_VRF vrf-target target:64730:991
set routing-instances INSPECT_VRF vrf-table-label
set routing-instances SECURE_VRF routing-options multipath
set routing-instances SECURE_VRF protocols evpn ip-prefix-routes advertise direct-nexthop
set routing-instances SECURE_VRF protocols evpn ip-prefix-routes encapsulation vxlan
set routing-instances SECURE_VRF protocols evpn ip-prefix-routes vni 9992
set routing-instances SECURE_VRF protocols evpn ip-prefix-routes export T5_SECURE_EXPORT
set routing-instances SECURE_VRF protocols bgp group Firewall-1 type external
set routing-instances SECURE_VRF protocols bgp group Firewall-1 export FW1_Export
set routing-instances SECURE_VRF protocols bgp group Firewall-1 local-as 64730
set routing-instances SECURE_VRF protocols bgp group Firewall-1 neighbor 10.81.92.1 peer-as 64777
set routing-instances SECURE_VRF description "VRF for SECURED FIREWALL TRAFFIC"
set routing-instances SECURE_VRF instance-type vrf
set routing-instances SECURE_VRF interface irb.992
set routing-instances SECURE_VRF interface lo0.992
set routing-instances SECURE_VRF route-distinguisher 10.80.224.138:9992
set routing-instances SECURE_VRF vrf-target target:64730:992
set routing-instances SECURE_VRF vrf-table-label
set routing-instances Tenant1_VRF routing-options multipath
set routing-instances Tenant1_VRF protocols evpn ip-prefix-routes advertise direct-nexthop
set routing-instances Tenant1_VRF protocols evpn ip-prefix-routes encapsulation vxlan
set routing-instances Tenant1_VRF protocols evpn ip-prefix-routes vni 9110
set routing-instances Tenant1_VRF protocols evpn ip-prefix-routes export T5_EXPORT
set routing-instances Tenant1_VRF instance-type vrf
set routing-instances Tenant1_VRF interface xe-0/0/28:1.110
set routing-instances Tenant1_VRF interface lo0.110
set routing-instances Tenant1_VRF route-distinguisher 10.80.224.138:9110
set routing-instances Tenant1_VRF vrf-target target:64730:110
set routing-instances Tenant1_VRF vrf-table-label
set routing-instances Tenant2_VRF routing-options multipath
set routing-instances Tenant2_VRF protocols evpn ip-prefix-routes advertise direct-nexthop
set routing-instances Tenant2_VRF protocols evpn ip-prefix-routes encapsulation vxlan
set routing-instances Tenant2_VRF protocols evpn ip-prefix-routes vni 9112
set routing-instances Tenant2_VRF protocols evpn ip-prefix-routes export T5_EXPORT
set routing-instances Tenant2_VRF instance-type vrf
set routing-instances Tenant2_VRF interface xe-0/0/28:0.112
set routing-instances Tenant2_VRF interface xe-0/0/28:1.112
set routing-instances Tenant2_VRF interface lo0.112
set routing-instances Tenant2_VRF route-distinguisher 10.80.224.138:9112
set routing-instances Tenant2_VRF vrf-target target:64730:112
set routing-instances Tenant2_VRF vrf-table-label
set routing-options router-id 10.80.224.138
set routing-options autonomous-system 64730
set routing-options forwarding-table export ECMP-POLICY
set routing-options forwarding-table ecmp-fast-reroute
set routing-options forwarding-table chained-composite-next-hop ingress evpn
set protocols bgp group EVPN_FABRIC type internal
set protocols bgp group EVPN_FABRIC description "Connection to EVPN Fabric RRs (tenants.bgp_reflector)"
set protocols bgp group EVPN_FABRIC local-address 10.80.224.138
set protocols bgp group EVPN_FABRIC family evpn signaling
set protocols bgp group EVPN_FABRIC local-as 64730
set protocols bgp group EVPN_FABRIC multipath
set protocols bgp group EVPN_FABRIC neighbor 10.80.224.149
set protocols bgp group EVPN_FABRIC neighbor 10.80.224.150
set protocols bgp group UNDERLAY type external
set protocols bgp group UNDERLAY description "Connection to EBGP UNDERLAY"
set protocols bgp group UNDERLAY family inet unicast
set protocols bgp group UNDERLAY export FROM_Lo0
set protocols bgp group UNDERLAY export FROM_UNDERLAY_BGP
set protocols bgp group UNDERLAY local-as 65009
set protocols bgp group UNDERLAY multipath multiple-as
set protocols bgp group UNDERLAY bfd-liveness-detection minimum-interval 350
set protocols bgp group UNDERLAY bfd-liveness-detection multiplier 3
set protocols bgp group UNDERLAY neighbor 10.80.224.30 peer-as 10021
set protocols bgp group UNDERLAY neighbor 10.80.224.32 peer-as 10022
set protocols bgp hold-time 10
set protocols bgp log-updown
set protocols l2-learning global-mac-table-aging-time 600
set protocols l2-learning global-mac-ip-table-aging-time 300
set protocols lldp port-id-subtype interface-name
set protocols lldp interface all
set protocols lldp-med interface all
set protocols igmp-snooping vlan default
set vlans V991 vlan-id 991
set vlans V991 l3-interface irb.991
set vlans V992 vlan-id 992
set vlans V992 l3-interface irb.992
Service Leaf 2 configuration:
set system host-name ServiceLeaf2
set chassis fpc 0 pic 0 port 4 channel-speed 10g
set interfaces et-0/0/0 mtu 9200
set interfaces et-0/0/0 unit 0 family inet address 10.80.224.11/31
set interfaces et-0/0/1 mtu 9200
set interfaces et-0/0/1 unit 0 family inet address 10.80.224.1/31
set interfaces xe-0/0/4:0 description "SRX Firewall-1: xe-0/0/5"
set interfaces xe-0/0/4:0 mtu 9192
set interfaces xe-0/0/4:0 unit 0 family ethernet-switching interface-mode trunk
set interfaces xe-0/0/4:0 unit 0 family ethernet-switching vlan members V991
set interfaces xe-0/0/4:0 unit 0 family ethernet-switching vlan members V992
set interfaces irb unit 991 family inet address 10.81.91.6/24
set interfaces irb unit 992 family inet address 10.81.92.6/24
set interfaces lo0 unit 0 description "** qfx10k-svador"
set interfaces lo0 unit 0 family inet address 10.80.224.139/32
set interfaces lo0 unit 110 family inet address 192.168.110.254/32
set interfaces lo0 unit 110 family inet6 address 2001:db8::192:168:110:254/128
set interfaces lo0 unit 112 family inet address 192.168.112.254/32
set interfaces lo0 unit 112 family inet6 address 2001:db8::192:168:112:254/128
set interfaces lo0 unit 991 family inet address 192.168.91.254/32
set interfaces lo0 unit 992 family inet address 192.168.92.254/32
set forwarding-options storm-control-profiles default all
set policy-options policy-statement ECMP-POLICY then load-balance per-packet
set policy-options policy-statement FROM_Lo0 term 10 from interface lo0.0
set policy-options policy-statement FROM_Lo0 term 10 then accept
set policy-options policy-statement FROM_Lo0 term 20 then reject
set policy-options policy-statement FROM_UNDERLAY_BGP term 10 from protocol bgp
set policy-options policy-statement FROM_UNDERLAY_BGP term 10 then accept
set policy-options policy-statement FW1_Export from protocol evpn
set policy-options policy-statement FW1_Export then accept
set policy-options policy-statement T5_EXPORT term fm_direct from protocol direct
set policy-options policy-statement T5_EXPORT term fm_direct then accept
set policy-options policy-statement T5_EXPORT term fm_static from protocol static
set policy-options policy-statement T5_EXPORT term fm_static then accept
set policy-options policy-statement T5_EXPORT term fm_v4_host from protocol evpn
set policy-options policy-statement T5_EXPORT term fm_v4_host from route-filter 0.0.0.0/0 prefix-length-range /32-/32
set policy-options policy-statement T5_EXPORT term fm_v4_host then accept
set policy-options policy-statement T5_EXPORT term fm_v6_host from protocol evpn
set policy-options policy-statement T5_EXPORT term fm_v6_host from route-filter 0::0/0 prefix-length-range /128-/128
set policy-options policy-statement T5_EXPORT term fm_v6_host then accept
set policy-options policy-statement T5_EXPORT term Default_Route from route-filter 0.0.0.0/0 exact
set policy-options policy-statement T5_EXPORT term Default_Route then accept
set policy-options policy-statement T5_EXPORT term Default_Route_v6 from route-filter ::/0 exact
set policy-options policy-statement T5_EXPORT term Default_Route_v6 then accept
set policy-options policy-statement T5_INSPECT_EXPORT term fm_direct from protocol direct
set policy-options policy-statement T5_INSPECT_EXPORT term fm_direct then accept
set policy-options policy-statement T5_INSPECT_EXPORT term Default_Route from route-filter 0.0.0.0/0 exact
set policy-options policy-statement T5_INSPECT_EXPORT term Default_Route then accept
set policy-options policy-statement T5_SECURE_EXPORT term fm_direct from protocol direct
set policy-options policy-statement T5_SECURE_EXPORT term fm_direct then accept
set policy-options policy-statement T5_SECURE_EXPORT term Default_Route from route-filter 0.0.0.0/0 exact
set policy-options policy-statement T5_SECURE_EXPORT term Default_Route then accept
set routing-instances INSPECT_VRF routing-options multipath
set routing-instances INSPECT_VRF protocols evpn ip-prefix-routes advertise direct-nexthop
set routing-instances INSPECT_VRF protocols evpn ip-prefix-routes encapsulation vxlan
set routing-instances INSPECT_VRF protocols evpn ip-prefix-routes vni 9991
set routing-instances INSPECT_VRF protocols evpn ip-prefix-routes export T5_INSPECT_EXPORT
set routing-instances INSPECT_VRF protocols bgp group Firewall-1 type external
set routing-instances INSPECT_VRF protocols bgp group Firewall-1 export FW1_Export
set routing-instances INSPECT_VRF protocols bgp group Firewall-1 local-as 64730
set routing-instances INSPECT_VRF protocols bgp group Firewall-1 neighbor 10.81.91.5 peer-as 64777
set routing-instances INSPECT_VRF description "VRF for Firewall-1"
set routing-instances INSPECT_VRF instance-type vrf
set routing-instances INSPECT_VRF interface irb.991
set routing-instances INSPECT_VRF interface lo0.991
set routing-instances INSPECT_VRF route-distinguisher 10.80.224.139:9991
set routing-instances INSPECT_VRF vrf-target target:64730:991
set routing-instances INSPECT_VRF vrf-table-label
set routing-instances SECURE_VRF routing-options multipath
set routing-instances SECURE_VRF protocols evpn ip-prefix-routes advertise direct-nexthop
set routing-instances SECURE_VRF protocols evpn ip-prefix-routes encapsulation vxlan
set routing-instances SECURE_VRF protocols evpn ip-prefix-routes vni 9992
set routing-instances SECURE_VRF protocols evpn ip-prefix-routes export T5_SECURE_EXPORT
set routing-instances SECURE_VRF protocols bgp group Firewall-1 type external
set routing-instances SECURE_VRF protocols bgp group Firewall-1 export FW1_Export
set routing-instances SECURE_VRF protocols bgp group Firewall-1 local-as 64730
set routing-instances SECURE_VRF protocols bgp group Firewall-1 neighbor 10.81.92.5 peer-as 64777
set routing-instances SECURE_VRF description "VRF for SECURED FIREWALL TRAFFIC"
set routing-instances SECURE_VRF instance-type vrf
set routing-instances SECURE_VRF interface irb.992
set routing-instances SECURE_VRF interface lo0.992
set routing-instances SECURE_VRF route-distinguisher 10.80.224.139:9992
set routing-instances SECURE_VRF vrf-target target:64730:992
set routing-instances SECURE_VRF vrf-table-label
set routing-instances Tenant1_VRF routing-options multipath
set routing-instances Tenant1_VRF protocols evpn ip-prefix-routes advertise direct-nexthop
set routing-instances Tenant1_VRF protocols evpn ip-prefix-routes encapsulation vxlan
set routing-instances Tenant1_VRF protocols evpn ip-prefix-routes vni 9110
set routing-instances Tenant1_VRF protocols evpn ip-prefix-routes export T5_EXPORT
set routing-instances Tenant1_VRF instance-type vrf
set routing-instances Tenant1_VRF interface xe-0/0/28:0.110
set routing-instances Tenant1_VRF interface xe-0/0/28:1.110
set routing-instances Tenant1_VRF interface xe-0/0/39:0.0
set routing-instances Tenant1_VRF interface lo0.110
set routing-instances Tenant1_VRF route-distinguisher 10.80.224.139:9110
set routing-instances Tenant1_VRF vrf-target target:64730:110
set routing-instances Tenant1_VRF vrf-table-label
set routing-instances Tenant2_VRF routing-options multipath
set routing-instances Tenant2_VRF protocols evpn ip-prefix-routes advertise direct-nexthop
set routing-instances Tenant2_VRF protocols evpn ip-prefix-routes encapsulation vxlan
set routing-instances Tenant2_VRF protocols evpn ip-prefix-routes vni 9112
set routing-instances Tenant2_VRF protocols evpn ip-prefix-routes export T5_EXPORT
set routing-instances Tenant2_VRF instance-type vrf
set routing-instances Tenant2_VRF interface xe-0/0/28:0.112
set routing-instances Tenant2_VRF interface xe-0/0/28:1.112
set routing-instances Tenant2_VRF interface lo0.112
set routing-instances Tenant2_VRF route-distinguisher 10.80.224.139:9112
set routing-instances Tenant2_VRF vrf-target target:64730:112
set routing-instances Tenant2_VRF vrf-table-label
set routing-options router-id 10.80.224.139
set routing-options autonomous-system 64730
set routing-options forwarding-table export ECMP-POLICY
set routing-options forwarding-table ecmp-fast-reroute
set routing-options forwarding-table chained-composite-next-hop ingress evpn
set protocols bgp group EVPN_FABRIC type internal
set protocols bgp group EVPN_FABRIC description "Connection to EVPN Fabric RRs (tenants.bgp_reflector)"
set protocols bgp group EVPN_FABRIC local-address 10.80.224.139
set protocols bgp group EVPN_FABRIC family evpn signaling
set protocols bgp group EVPN_FABRIC local-as 64730
set protocols bgp group EVPN_FABRIC multipath
set protocols bgp group EVPN_FABRIC neighbor 10.80.224.149
set protocols bgp group EVPN_FABRIC neighbor 10.80.224.150
set protocols bgp group UNDERLAY type external
set protocols bgp group UNDERLAY description "Connection to EBGP UNDERLAY"
set protocols bgp group UNDERLAY family inet unicast
set protocols bgp group UNDERLAY export FROM_Lo0
set protocols bgp group UNDERLAY export FROM_UNDERLAY_BGP
set protocols bgp group UNDERLAY local-as 65011
set protocols bgp group UNDERLAY multipath multiple-as
set protocols bgp group UNDERLAY bfd-liveness-detection minimum-interval 350
set protocols bgp group UNDERLAY bfd-liveness-detection multiplier 3
set protocols bgp group UNDERLAY neighbor 10.80.224.0 peer-as 10021
set protocols bgp group UNDERLAY neighbor 10.80.224.10 peer-as 10022
set protocols bgp hold-time 10
set protocols bgp log-updown
set protocols l2-learning global-mac-table-aging-time 600
set protocols l2-learning global-mac-ip-table-aging-time 300
set protocols lldp port-id-subtype interface-name
set protocols lldp interface all
set protocols lldp-med interface all
set protocols igmp-snooping vlan default
set vlans V991 vlan-id 991
set vlans V991 l3-interface irb.991
set vlans V992 vlan-id 992
set vlans V992 l3-interface irb.992
Firewall configuration
set system host-name firewall
set security policies from-zone INSPECT_Zone to-zone SECURE_Zone policy Allow_EP1_to_EP2 match source-address 10.1.110.11
set security policies from-zone INSPECT_Zone to-zone SECURE_Zone policy Allow_EP1_to_EP2 match destination-address 10.1.111.21
set security policies from-zone INSPECT_Zone to-zone SECURE_Zone policy Allow_EP1_to_EP2 match application junos-https
set security policies from-zone INSPECT_Zone to-zone SECURE_Zone policy Allow_EP1_to_EP2 match application junos-ssh
set security policies from-zone INSPECT_Zone to-zone SECURE_Zone policy Allow_EP1_to_EP2 match application junos-ping
set security policies from-zone INSPECT_Zone to-zone SECURE_Zone policy Allow_EP1_to_EP2 match application junos-udp-any
set security policies from-zone INSPECT_Zone to-zone SECURE_Zone policy Allow_EP1_to_EP2 then permit
set security policies from-zone INSPECT_Zone to-zone SECURE_Zone policy Block_All match source-address any
set security policies from-zone INSPECT_Zone to-zone SECURE_Zone policy Block_All match destination-address any
set security policies from-zone INSPECT_Zone to-zone SECURE_Zone policy Block_All match application any
set security policies from-zone INSPECT_Zone to-zone SECURE_Zone policy Block_All then deny
set security policies from-zone SECURE_Zone to-zone INSPECT_Zone policy Allow_All match source-address any
set security policies from-zone SECURE_Zone to-zone INSPECT_Zone policy Allow_All match destination-address any
set security policies from-zone SECURE_Zone to-zone INSPECT_Zone policy Allow_All match application any
set security policies from-zone SECURE_Zone to-zone INSPECT_Zone policy Allow_All then permit
set security zones security-zone INSPECT_Zone address-book address 10.1.110.11 10.1.110.11/32
set security zones security-zone INSPECT_Zone address-book address EP1 10.1.110.11/32
set security zones security-zone INSPECT_Zone host-inbound-traffic system-services all
set security zones security-zone INSPECT_Zone host-inbound-traffic protocols all
set security zones security-zone INSPECT_Zone interfaces xe-0/0/4.991
set security zones security-zone INSPECT_Zone interfaces xe-0/0/5.991
set security zones security-zone SECURE_Zone address-book address 10.1.111.21 10.1.111.21/32
set security zones security-zone SECURE_Zone address-book address EP2 10.1.111.21/32
set security zones security-zone SECURE_Zone host-inbound-traffic system-services all
set security zones security-zone SECURE_Zone host-inbound-traffic protocols all
set security zones security-zone SECURE_Zone interfaces xe-0/0/4.992
set security zones security-zone SECURE_Zone interfaces xe-0/0/5.992
set interfaces xe-0/0/4 vlan-tagging
set interfaces xe-0/0/4 unit 991 vlan-id 991
set interfaces xe-0/0/4 unit 991 family inet address 10.81.91.1/30
set interfaces xe-0/0/4 unit 992 vlan-id 992
set interfaces xe-0/0/4 unit 992 family inet address 10.81.92.1/30
set interfaces xe-0/0/5 vlan-tagging
set interfaces xe-0/0/5 unit 991 vlan-id 991
set interfaces xe-0/0/5 unit 991 family inet address 10.81.91.5/30
set interfaces xe-0/0/5 unit 992 vlan-id 992
set interfaces xe-0/0/5 unit 992 family inet address 10.81.92.5/30
set policy-options policy-statement Export-Default-Route term 10 from route-filter 0.0.0.0/0 exact
set policy-options policy-statement Export-Default-Route term 10 then accept
set policy-options policy-statement Export-Default-Route term 100 then reject
set protocols bgp group ServiceLeaf type external
set protocols bgp group ServiceLeaf export Export-Default-Route
set protocols bgp group ServiceLeaf local-as 64777
set protocols bgp group ServiceLeaf neighbor 10.81.91.2 peer-as 64730
set protocols bgp group ServiceLeaf neighbor 10.81.92.2 peer-as 64730
set protocols bgp group ServiceLeaf neighbor 10.81.91.6 peer-as 64730
set protocols bgp group ServiceLeaf neighbor 10.81.92.6 peer-as 64730
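As an added example, not part of this NCE or of Junos, a short Python audit of the SRX policy section above: it parses set-format lines, keeps each zone pair's policies in configured (evaluation) order, and reports whether the list closes with an explicit catch-all deny and which permit policies match any/any/any. The configuration string is a constructed excerpt of the firewall policies shown above.

```python
import re
# Constructed excerpt of the SRX policy configuration shown above, in set format.
SRX_POLICIES = """
set security policies from-zone INSPECT_Zone to-zone SECURE_Zone policy Allow_EP1_to_EP2 match source-address 10.1.110.11
set security policies from-zone INSPECT_Zone to-zone SECURE_Zone policy Allow_EP1_to_EP2 match destination-address 10.1.111.21
set security policies from-zone INSPECT_Zone to-zone SECURE_Zone policy Allow_EP1_to_EP2 match application junos-https
set security policies from-zone INSPECT_Zone to-zone SECURE_Zone policy Allow_EP1_to_EP2 then permit
set security policies from-zone INSPECT_Zone to-zone SECURE_Zone policy Block_All match source-address any
set security policies from-zone INSPECT_Zone to-zone SECURE_Zone policy Block_All match destination-address any
set security policies from-zone INSPECT_Zone to-zone SECURE_Zone policy Block_All match application any
set security policies from-zone INSPECT_Zone to-zone SECURE_Zone policy Block_All then deny
set security policies from-zone SECURE_Zone to-zone INSPECT_Zone policy Allow_All match source-address any
set security policies from-zone SECURE_Zone to-zone INSPECT_Zone policy Allow_All match destination-address any
set security policies from-zone SECURE_Zone to-zone INSPECT_Zone policy Allow_All match application any
set security policies from-zone SECURE_Zone to-zone INSPECT_Zone policy Allow_All then permit
"""

MATCH_FIELDS = ("source-address", "destination-address", "application")
POLICY_RE = re.compile(
    r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+) "
    r"(?:match (source-address|destination-address|application) (\S+)|then (permit|deny|reject))$")

def parse_policies(config):
    """Group policies by (from_zone, to_zone) in configured order, which is the SRX evaluation order."""
    zones = {}
    for line in config.splitlines():
        m = POLICY_RE.match(line.strip())
        if not m:
            continue  # zone, interface and other non-policy lines are ignored
        fz, tz, name, field, value, action = m.groups()
        pol = zones.setdefault((fz, tz), {}).setdefault(name, {"match": {}, "action": None})
        if field:
            pol["match"].setdefault(field, set()).add(value)
        else:
            pol["action"] = action
    return zones

def is_catch_all(pol):
    # True when source, destination and application are all 'any'
    return all(pol["match"].get(f) == {"any"} for f in MATCH_FIELDS)

def audit(config):
    """Per zone pair: does an explicit catch-all deny close the list, and which permits are any/any/any?"""
    report = {}
    for pair, policies in parse_policies(config).items():
        last = list(policies.values())[-1]
        report[pair] = {
            "explicit_deny_last": is_catch_all(last) and last["action"] in ("deny", "reject"),
            "broad_permits": [n for n, p in policies.items() if p["action"] == "permit" and is_catch_all(p)]}
    return report
```

On this example's policies the audit confirms the explicit deny for INSPECT_Zone to SECURE_Zone and flags Allow_All in the reverse direction, so a reviewer can confirm that the unrestricted reverse permit is intended.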