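Mapping OpenConfig Firewall Filter Commands to Junos Configuration
For the data model versions supported on Juniper Networks ACX Series, MX Series, and PTX Series and the corresponding Junos OS or Junos OS Evolved releases, see the OpenConfig Data Model Version topic.
The following tables show the OpenConfig firewall filter commands and the related configuration mapping in Junos OS.
- Table 1: Differentiated Services Code Point (DSCP) Filter Configuration
- Table 2: Google Discovery Protocol (GDP) and Traceroute Configuration
- Table 3: MPLS Filter Configuration
- Table 4: IPv4 Filter Configuration
- Table 5: IPv6 Filter Configuration
- Table 6: Bind Configuration
- Table 7: IPv6 Network Instance Filter Configuration
- Table 8: Network Instance Action Filter Configuration
- Table 9: Network Instance Binding Configuration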

Table 1: Differentiated Services Code Point (DSCP) Filter Configuration

| Command Name | OpenConfig Configuration | Junos Configuration |
|---|---|---|
| Filter | `network-instances { network-instance n1 { policy-forwarding { policies { policy dscp-steer { config { policy-id dscp-steer; } rules { rule 1 { config { sequence-id 1; } ipv4 { config { dscp <>; } } ipv6 { config { dscp <>; } } action { config { network-instance <>; } } } } } } } } }` | `firewall { family inet { filter dscp-steer-ipv4-n1 { term 1 { from { interface et-1/0/0.0; dscp <>; } then { routing-instance <>; } } term 2 { then accept; } } } family inet6 { filter dscp-steer-ipv6-n1 { term 1 { from { interface et-1/0/0.0; traffic-class <>; } then { routing-instance <>; } } term 2 { then accept; } } } }` |
| Binding | `network-instances { network-instance n1 { policy-forwarding { interfaces { interface et-1/0/0.0 { config { apply-forwarding-policy dscp_steer; } interface-ref { config { interface et-1/0/0; subinterface 0; } } } } } } }` | `routing-instances { n1 { forwarding-options { family inet { filter { input dscp-steer-ipv4-n1; } } family inet6 { filter { input dscp-steer-ipv6-n1; } } } } }` When binding to the `default` routing instance, the Junos configuration is: `forwarding-options { family inet { filter { input dscp-steer-ipv4-n1; } } family inet6 { filter { input dscp-steer-ipv6-n1; } } }` |

This OpenConfig DSCP configuration filters traffic that is routed to a specific port based on the following set of input criteria specified in the device configuration.
If no packet matches, the packet is filtered back to the default VRF context, where it is routed according to the exposed header.

Table 2: Google Discovery Protocol (GDP) and Traceroute Configuration

| Command Name | OpenConfig Configuration | Junos Configuration |
|---|---|---|
| Filter | `acl-sets { acl-set gdp-trace-route-filter ACL_MIXED { config { name gdp-trace-route-filter; type ACL_MIXED; } acl-entries { acl-entry 1 { config { sequence-id 1; } l2 { config { ethertype 0x6007; } } actions { config { jnx-redirect <>; } } } acl-entry 2 { config { sequence-id 2; } ipv4 { config { hop-limit 0; } } actions { config { jnx-redirect <>; } } } acl-entry 3 { config { sequence-id 3; } ipv4 { config { hop-limit 1; } } actions { config { jnx-redirect <>; } } } acl-entry 4 { config { sequence-id 4; } ipv6 { config { hop-limit 0; } } actions { config { jnx-redirect <>; } } } acl-entry 5 { config { sequence-id 5; } ipv6 { config { hop-limit 1; } } actions { config { jnx-redirect <>; } } } acl-entry 6 { config { sequence-id 6; } actions { config { forwarding-action ACCEPT; } } } } } }` | `firewall { family any { filter gdp-trace-route-filter { term 1 { from { ether-type 0x6007; } then redirect <>; } term 2 { from { ip-version { ipv4 { ttl 0; } } } then redirect <>; } term 3 { from { ip-version { ipv4 { ttl 1; } } } then redirect <>; } term 4 { from { ip-version { ipv6 { hop-limit 0; } } } then redirect <>; } term 5 { from { ip-version { ipv6 { hop-limit 1; } } } then redirect <>; } term 6 { then accept; } } } } services { inline-monitoring { instance { <> { controller p4; } } } }` |
| Junos | | |
| Binding | `interfaces { interface et-0/0/1 { config { id et-0/0/1; } interface-ref { config { interface et-0/0/1; subinterface 4000; } } ingress-acl-sets { ingress-acl-set gdp-trace-route-filter ACL_MIXED { config { set-name gdp-trace-route-filter; type ACL_MIXED; } } } } }` | `/* gdp-trace-route-filter binding */ interfaces { et-0/0/1 { unit 4000 { filter { input gdp-trace-route-filter; } } } }` |

Table 3: MPLS Filter Configuration

| Command Name | OpenConfig Configuration | Junos Configuration |
|---|---|---|
| Traffic class | `acl-sets { acl-set <> ACL_MPLS { acl-entries { acl-entry 1 { mpls { config { traffic-class <>; } } } } } }` | `family mpls { filter <> { term <> { from { exp0 <>; } } } }` |
| OpenConfig path: /acl/acl-sets/acl-set/acl-entries/acl-entry/mpls/config/traffic-class | | |
| Start label value | `acl-sets { acl-set <> ACL_MPLS { acl-entries { acl-entry 1 { mpls { config { start-label-value <>; } } } } } }` | `family mpls { filter <> { term <> { from { label 0 <>; } } } }` |
| OpenConfig path: /acl/acl-sets/acl-set/acl-entries/acl-entry/mpls/config/start-label-value | | |
| End label value | `acl-sets { acl-set <> ACL_MPLS { acl-entries { acl-entry 1 { mpls { config { end-label-value <>; } } } } } }` | `family mpls { filter <> { term <> { from { label 0 <>; } } } }` |
| OpenConfig path: /acl/acl-sets/acl-set/acl-entries/acl-entry/mpls/config/end-label-value | | |

Table 4: IPv4 Filter Configuration

| Command Name | OpenConfig Configuration | Junos Configuration |
|---|---|---|
| Destination address | `acl-sets { acl-set <> ACL_IPV4 { acl-entries { acl-entry <> { ipv4 { config { destination-address <>; } } } } } }` | `firewall { family inet { filter <> { term <> { from { destination-address { <>; } } } } } }` |
| OpenConfig path: acl/acl-sets/acl-set/acl-entries/acl-entry/ipv4/config/destination-address | | |
| DSCP | `acl-sets { acl-set <> ACL_IPV4 { acl-entries { acl-entry <> { ipv4 { config { dscp <>; } } } } } }` | `firewall { family inet { filter <> { term <> { from { dscp <>; } } } } }` |
| OpenConfig path: acl/acl-sets/acl-set/acl-entries/acl-entry/ipv4/config/dscp | | |
| Hop limit | `acl-sets { acl-set <> ACL_IPV4 { acl-entries { acl-entry <> { ipv4 { config { hop-limit <>; } } } } } }` | `firewall { family inet { filter <> { term <> { from { ttl <>; } } } } }` |
| OpenConfig path: acl/acl-sets/acl-set/acl-entries/acl-entry/ipv4/config/hop-limit | | |
| Protocol | `acl-sets { acl-set <> ACL_IPV4 { acl-entries { acl-entry <> { ipv4 { config { protocol <>; } } } } } }` | `firewall { family inet { filter <> { term <> { from { protocol <>; } } } } }` |
| OpenConfig path: acl/acl-sets/acl-set/acl-entries/acl-entry/ipv4/config/protocol | | |
| Source address | `acl-sets { acl-set <> ACL_IPV4 { acl-entries { acl-entry <> { ipv4 { config { source-address <>; } } } } } }` | `firewall { family inet { filter <> { term <> { from { source-address { <>; } } } } } }` |
| OpenConfig path: acl/acl-sets/acl-set/acl-entries/acl-entry/ipv4/config/source-address | | |
| Destination port | `acl-sets { acl-set <> ACL_IPV4 { acl-entries { acl-entry <> { transport { config { destination-port <>; } } } } } }` | `firewall { family inet { filter <> { term <> { from { destination-port <>; } } } } }` |
| OpenConfig path: /acl/acl-sets/acl-set/acl-entries/acl-entry/transport/config/destination-port | | |
| Source port | `acl-sets { acl-set <> ACL_IPV4 { acl-entries { acl-entry <> { transport { config { source-port <>; } } } } } }` | `firewall { family inet { filter <> { term <> { from { source-port <>; } } } } }` |
| OpenConfig path: /acl/acl-sets/acl-set/acl-entries/acl-entry/transport/config/source-port | | |
| TCP flags | `acl-sets { acl-set <> ACL_IPV4 { acl-entries { acl-entry <> { transport { config { tcp-flags <>; } } } } } }` | `firewall { family inet { filter <> { term <> { from { tcp-flags <>; } } } } }` |
| OpenConfig path: /acl/acl-sets/acl-set/acl-entries/acl-entry/transport/config/tcp-flags | | |
| Interface | `acl-sets { acl-set <> ACL_IPV4 { acl-entries { acl-entry <> { input-interface { interface-ref { config { interface <>; subinterface <>; } } } } } } }` | `firewall { family inet { filter <> { term <> { from { interface <>; } } } } }` |
| OpenConfig path: /acl/acl-sets/acl-set/acl-entries/acl-entry/input-interface/interface-ref/config/interface-subinterface | | |
| forwarding-action ACCEPT | `acl-sets { acl-set <> ACL_IPV4 { acl-entries { acl-entry <> { actions { config { forwarding-action ACCEPT; } } } } } }` | `firewall { family inet { filter <> { term <> { then accept; } } } }` |
| OpenConfig path: /acl/acl-sets/acl-set/acl-entries/acl-entry/actions/config/forwarding-action | | |
| forwarding-action DROP | `acl-sets { acl-set <> ACL_IPV4 { acl-entries { acl-entry <> { actions { config { forwarding-action DROP; } } } } } }` | `firewall { family inet { filter <> { term <> { then { discard; } } } } }` |
| OpenConfig path: /acl/acl-sets/acl-set/acl-entries/acl-entry/actions/config/forwarding-action | | |
| forwarding-action REJECT | `acl-sets { acl-set <> ACL_IPV4 { acl-entries { acl-entry <> { actions { config { forwarding-action REJECT; } } } } } }` | `firewall { family inet { filter <> { term <> { then { reject; } } } } }` |
| OpenConfig path: /acl/acl-sets/acl-set/acl-entries/acl-entry/actions/config/forwarding-action | | |
| log-action LOG_SYSLOG | `acl-sets { acl-set <> ACL_IPV4 { acl-entries { acl-entry <> { actions { config { log-action LOG_SYSLOG; } } } } } }` | `firewall { family inet { filter <> { term <> { then syslog; } } } }` |
| OpenConfig path: /acl/acl-sets/acl-set/acl-entries/acl-entry/actions/config/log-action | | |

Table 5: IPv6 Filter Configuration

| Command Name | OpenConfig Configuration | Junos Configuration |
|---|---|---|
| Destination address | `acl-sets { acl-set <> ACL_IPV6 { acl-entries { acl-entry <> { ipv6 { config { destination-address <>; } } } } } }` | `firewall { family inet6 { filter <> { term <> { from { destination-address { <>; } } } } } }` |
| OpenConfig path: /acl/acl-sets/acl-set/acl-entries/acl-entry/ipv6/config/destination-address | | |
| Hop limit | `acl-sets { acl-set <> ACL_IPV6 { acl-entries { acl-entry <> { ipv6 { config { hop-limit <>; } } } } } }` | `firewall { family inet6 { filter <> { term <> { from { hop-limit <>; } } } } }` |
| OpenConfig path: /acl/acl-sets/acl-set/acl-entries/acl-entry/ipv6/config/hop-limit | | |
| Protocol | `acl-sets { acl-set <> ACL_IPV6 { acl-entries { acl-entry <> { ipv6 { config { protocol <>; } } } } } }` | `firewall { family inet6 { filter <> { term <> { from { next-header <>; } } } } }` |
| OpenConfig path: /acl/acl-sets/acl-set/acl-entries/acl-entry/ipv6/config/protocol | | |
| Source address | `acl-sets { acl-set <> ACL_IPV6 { acl-entries { acl-entry <> { ipv6 { config { source-address <>; } } } } } }` | `firewall { family inet6 { filter <> { term <> { from { source-address { <>; } } } } } }` |
| OpenConfig path: /acl/acl-sets/acl-set/acl-entries/acl-entry/ipv6/config/source-address | | |
| DSCP | `acl-sets { acl-set <> ACL_IPV6 { acl-entries { acl-entry <> { ipv6 { config { dscp <>; } } } } } }` | `firewall { family inet6 { filter <> { term <> { from { traffic-class <>; } } } } }` |
| OpenConfig path: /acl/acl-sets/acl-set/acl-entries/acl-entry/ipv6/config/dscp | | |
| Destination port | `acl-sets { acl-set <> ACL_IPV6 { acl-entries { acl-entry <> { transport { config { destination-port <>; } } } } } }` | `firewall { family inet6 { filter <> { term <> { from { destination-port <>; } } } } }` |
| OpenConfig path: /acl/acl-sets/acl-set/acl-entries/acl-entry/transport/config/destination-port | | |
| Source port | `acl-sets { acl-set <> ACL_IPV6 { acl-entries { acl-entry <> { transport { config { source-port <>; } } } } } }` | `firewall { family inet6 { filter <> { term <> { from { source-port <>; } } } } }` |
| OpenConfig path: /acl/acl-sets/acl-set/acl-entries/acl-entry/transport/config/source-port | | |
| TCP flags | `acl-sets { acl-set <> ACL_IPV6 { acl-entries { acl-entry <> { transport { config { tcp-flags <>; } } } } } }` | `firewall { family inet6 { filter <> { term <> { from { tcp-flags <>; } } } } }` |
| OpenConfig path: /acl/acl-sets/acl-set/acl-entries/acl-entry/transport/config/tcp-flags | | |
| Interface | `acl-sets { acl-set <> ACL_IPV6 { acl-entries { acl-entry <> { input-interface { interface-ref { config { interface <>; subinterface <>; } } } } } } }` | `firewall { family inet6 { filter <> { term <> { from { interface <>; } } } } }` |
| OpenConfig path: /acl/acl-sets/acl-set/acl-entries/acl-entry/input-interface/interface-ref/config/interface | | |
| forwarding-action ACCEPT | `acl-sets { acl-set <> ACL_IPV6 { acl-entries { acl-entry <> { actions { config { forwarding-action ACCEPT; } } } } } }` | `firewall { family inet6 { filter <> { term <> { then accept; } } } }` |
| OpenConfig path: /acl/acl-sets/acl-set/acl-entries/acl-entry/actions/config/forwarding-action | | |
| forwarding-action DROP | `acl-sets { acl-set <> ACL_IPV6 { acl-entries { acl-entry <> { actions { config { forwarding-action DROP; } } } } } }` | `firewall { family inet6 { filter <> { term <> { then discard; } } } }` |
| OpenConfig path: /acl/acl-sets/acl-set/acl-entries/acl-entry/actions/config/forwarding-action | | |
| forwarding-action REJECT | `acl-sets { acl-set <> ACL_IPV6 { acl-entries { acl-entry <> { actions { config { forwarding-action REJECT; } } } } } }` | `firewall { family inet6 { filter <> { term <> { then { reject; } } } } }` |
| OpenConfig path: /acl/acl-sets/acl-set/acl-entries/acl-entry/actions/config/forwarding-action | | |
| log-action LOG_SYSLOG | `acl-sets { acl-set <> ACL_IPV6 { acl-entries { acl-entry <> { actions { config { log-action LOG_SYSLOG; } } } } } }` | `firewall { family inet6 { filter <> { term <> { then syslog; } } } }` |
| OpenConfig path: /acl/acl-sets/acl-set/acl-entries/acl-entry/actions/config/log-action | | |
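
The IPv4 and IPv6 ACL tables (Table 4 and Table 5) use different Junos match keywords for the same OpenConfig leaves (`hop-limit`, `protocol`, `dscp`). The following is an added example, not Juniper code: it renders OpenConfig ACL entries as Junos `set` commands using only those two tables' mappings (the interface match is left out) and refuses any leaf without a mapping instead of silently dropping the match condition. The dictionary input shape, the use of `sequence-id` as the term name, and the sample values are assumptions.

```python
# Added example (not Juniper code): OpenConfig ACL entries -> Junos "set" lines,
# using only the leaf mappings in Table 4 (ACL_IPV4) and Table 5 (ACL_IPV6).
FAMILY = {"ACL_IPV4": "inet", "ACL_IPV6": "inet6"}
# (OpenConfig container, leaf) -> Junos match keyword; names differ per family.
MATCH = {
    "ACL_IPV4": {("ipv4", "destination-address"): "destination-address",
                 ("ipv4", "source-address"): "source-address",
                 ("ipv4", "dscp"): "dscp",
                 ("ipv4", "hop-limit"): "ttl",
                 ("ipv4", "protocol"): "protocol"},
    "ACL_IPV6": {("ipv6", "destination-address"): "destination-address",
                 ("ipv6", "source-address"): "source-address",
                 ("ipv6", "dscp"): "traffic-class",
                 ("ipv6", "hop-limit"): "hop-limit",
                 ("ipv6", "protocol"): "next-header"},
}
for table in MATCH.values():  # transport leaves keep their names in both families
    for leaf in ("destination-port", "source-port", "tcp-flags"):
        table[("transport", leaf)] = leaf
ACTION = {"ACCEPT": "accept", "DROP": "discard", "REJECT": "reject"}
LOG = {"LOG_SYSLOG": "syslog"}

class UnmappedLeaf(ValueError):
    """A leaf or value that Tables 4 and 5 do not map to Junos."""

def translate(set_name, acl_type, entries):
    """Return Junos set commands for one acl-set (input shape is an assumption)."""
    if acl_type not in FAMILY:
        raise UnmappedLeaf(f"acl type {acl_type} is not covered here")
    lines = []
    for entry in entries:
        # Assumption: the Junos term is named after the entry's sequence-id.
        base = (f"set firewall family {FAMILY[acl_type]} filter {set_name} "
                f"term {entry['sequence-id']}")
        for container, leaves in entry.get("match", {}).items():
            for leaf, value in leaves.items():
                keyword = MATCH[acl_type].get((container, leaf))
                if keyword is None:
                    # Dropping a match condition would widen the term: fail closed.
                    raise UnmappedLeaf(f"{acl_type}: {container}/{leaf}")
                lines.append(f"{base} from {keyword} {value}")
        for leaf, table in (("forwarding-action", ACTION), ("log-action", LOG)):
            value = entry.get("actions", {}).get(leaf)
            if value is not None:
                if value not in table:
                    raise UnmappedLeaf(f"{leaf} {value}")
                lines.append(f"{base} then {table[value]}")
    return lines

# Constructed sample entry: drop and log IPv6 TCP (protocol 6) to port 22.
SAMPLE = {"sequence-id": 10,
          "match": {"ipv6": {"protocol": 6, "hop-limit": 1},
                    "transport": {"destination-port": 22}},
          "actions": {"forwarding-action": "DROP", "log-action": "LOG_SYSLOG"}}

if __name__ == "__main__":
    print("\n".join(translate("edge-v6", "ACL_IPV6", [SAMPLE])))
```

Passing the IPv6 sample with type `ACL_IPV4` raises `UnmappedLeaf`, which is the intended behaviour when an entry's containers do not match the ACL type.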

Table 6: Bind Configuration

| Command Name | OpenConfig Configuration | Junos Configuration |
|---|---|---|
| Ingress bind configuration | `openconfig-acl:acl { interfaces { interface <> { interface-ref { config { interface <>; subinterface <>; } } ingress-acl-sets { ingress-acl-set <> ACL_IPV6; } } } }` | `interfaces { xe-<> { unit 0 { family inet6 { filter { input <>; } } } } }` |
| OpenConfig path: /acl/interfaces/interface/config/interface/interface-ref/config/interface/ingress-acl-sets/ingress-acl-set | | |
| Egress bind configuration | `openconfig-acl:acl { interfaces { interface <> { interface-ref { config { interface <>; subinterface <>; } } egress-acl-sets { egress-acl-set <> ACL_IPV6; } } } }` | `interfaces { <> { unit 0 { family inet6 { filter { output <>; } } } } }` |
| OpenConfig path: /acl/interfaces/interface/config/interface/interface-ref/config/interface/egress-acl-sets/egress-acl-set | | |

Table 7: IPv6 Network Instance Filter Configuration

| Command Name | OpenConfig Configuration | Junos Configuration |
|---|---|---|
| Destination address | `network-instances { network-instance <> { policy-forwarding { policies { policy <> { rules { rule <> { ipv6 { config { destination-address <>; } } } } } } } } }` | `firewall { family inet6 { filter <> { term <> { from { destination-address { <>; } } } } } }` |
| OpenConfig path: /network-instances/network-instance/policy-forwarding/policies/policy/rules/rule/ipv6/config/destination-address | | |
| Hop limit | `network-instances { network-instance <> { policy-forwarding { policies { policy <> { rules { rule <> { ipv6 { config { hop-limit <>; } } } } } } } } }` | `firewall { family inet6 { filter <> { term <> { from { ttl <>; } } } } }` |
| OpenConfig path: /network-instances/network-instance/policy-forwarding/policies/policy/rules/rule/ipv6/config/hop-limit | | |
| Protocol | `network-instances { network-instance <> { policy-forwarding { policies { policy <> { rules { rule <> { ipv6 { config { protocol <>; } } } } } } } } }` | `firewall { family inet6 { filter <> { term <> { from { protocol <>; } } } } }` |
| OpenConfig path: /network-instances/network-instance/policy-forwarding/policies/policy/rules/rule/ipv6/config/protocol | | |
| Source address | `network-instances { network-instance <> { policy-forwarding { policies { policy dscp <> { rules { rule <> { ipv6 { config { source-address <>; } } } } } } } } }` | `firewall { family inet6 { filter <> { term <> { from { source-address <>; } } } } }` |
| OpenConfig path: /network-instances/network-instance/policy-forwarding/policies/policy/rules/rule/ipv6/config/source-address | | |
| Action: discard | `network-instances { network-instance <> { policy-forwarding { policies { policy <> { rules { rule <> { action { config { discard <>; } } } } } } } } }` | `firewall { family inet6 { filter <> { term <> { then { discard; } } } } }` |

Table 8: Network Instance Action Filter Configuration

| Command Name | OpenConfig Configuration | Junos Configuration |
|---|---|---|
| Action: discard | `network-instances { network-instance <> { policy-forwarding { policies { policy <> { rules { rule <> { action { config { discard <>; } } } } } } } } }` | `firewall { family inet { filter <> { term <> { then { discard; } } } } }` `firewall { family inet6 { filter <> { term <> { then { discard; } } } } }` |
| OpenConfig path: /network-instances/network-instance/policy-forwarding/policies/policy/rules/rule/action/config/discard | | |
| Action: network-instance configuration | `network-instances { network-instance <> { policy-forwarding { policies { policy dscp-steer { rules { rule <> { action { config { network-instance <>; } } } } } } } } }` | `firewall { family inet { filter <> { term <> { then { routing-instance <>; } } } } }` `firewall { family inet6 { filter <> { term <> { then { routing-instance <>; } } } } }` |
| OpenConfig path: /network-instances/network-instance/policy-forwarding/policies/policy dscp-steer/rules/rule/action/config/network-instance Note: The leaf | | |

Table 9: Network Instance Binding Configuration

| Command Name | OpenConfig Configuration | Junos Configuration |
|---|---|---|
| INET: apply forwarding policy (default routing instance) | INET interface bind ingress (default routing instance) `network-instances { network-instance <> { policy-forwarding { interfaces { interface <> { config { apply-forwarding-policy <>; } interface-ref { config { interface <>; subinterface <>; } } } } } } }` | INET interface bind ingress (default routing instance) `firewall { family inet { filter <> { term <> { then { next-interface; } } } } }` `forwarding-options { family inet { filter { input <>; } } }` |
| OpenConfig path: /network-instances/network-instance/policy-forwarding/interfaces/interface/config/apply-forwarding-policy/interface-ref/config/interface/subinterface Note: The leaf | | |
| INET: apply forwarding policy (non-default routing instance) | INET interface bind ingress (non-default routing instance) `network-instances { network-instance <> { policy-forwarding { interfaces { interface <> { config { apply-forwarding-policy <>; } interface-ref { config { interface <>; subinterface <>; } } } } } } }` | INET interface bind ingress (non-default routing instance) `firewall { family inet { filter <> { term <> { then { next-interface; } } } } }` `routing-instances { <> { forwarding-options { family inet { filter { input <>; } } } } }` |
| OpenConfig path: /network-instances/network-instance/policy-forwarding/interfaces/interface/config/apply-forwarding-policy/interface-ref/config/interface/subinterface | | |
| INET6: apply forwarding policy (default routing instance) | INET6 interface bind ingress (default routing instance) `network-instances { network-instance <> { policy-forwarding { interfaces { interface <> { config { apply-forwarding-policy <>; } interface-ref { config { interface <>; subinterface <>; } } } } } } }` | INET6 interface bind ingress (default routing instance) `firewall { family inet6 { filter <> { term <> { then { next-interface; } } } } }` `forwarding-options { family inet6 { filter { input <>; } } }` |
| OpenConfig path: /network-instances/network-instance/policy-forwarding/interfaces/interface/config/apply-forwarding-policy/interface-ref/config/interface/subinterface | | |
| INET6: apply forwarding policy (non-default routing instance) | INET6 interface bind ingress (non-default routing instance) `network-instances { network-instance <> { policy-forwarding { interfaces { interface <> { config { apply-forwarding-policy <>; } interface-ref { config { interface <>; subinterface <>; } } } } } } }` | INET6 interface bind ingress (non-default routing instance) `firewall { family inet6 { filter <> { term <> { then { next-interface; } } } } }` `routing-instances { <> { forwarding-options { family inet6 { filter { input <>; } } } } }` |

Note: These filters are implemented as input forwarding table filters.
Note: Egress filtering is not supported.