Hello.
Today we will look at [2024][Juniper SRX #4] Interface Configuration - Layer3 Logical Interface.
1. Layer3 Physical Interface - untagged mode
2. Layer3 Logical Interface - tagged mode - the sub-interface concept
3. RVI - untagged mode - a Layer3 interface that operates on top of L2
4. RVI - tagged mode - a Layer3 interface that operates on top of L2
For the test, create two nodes as shown below and connect them with a cable.
1. vSRX - ge-0/0/0
2. vIOS Switch - G0/0
1. Let's test the Layer3 Physical Interface.
vSRX Side
delete : removes the default configuration.
set system root-authentication plain-text-password : prompts for the root password.
commit : applies and saves the configuration.
root@:~ # cli
root> configure
Entering configuration mode
[edit]
root# delete
This will delete the entire configuration
Delete everything under this level? [yes,no] (no) yes
[edit]
root# set system root-authentication plain-text-password
New password:
Retype new password:
[edit]
root# commit
commit complete
[edit]
root#
Create three VLANs.
VL10 - 10
VL20 - 20
VL30 - 30
The left-hand value is the VLAN name.
The right-hand value is the VLAN ID.
root# set vlans VL10 vlan-id 10
[edit]
root# set vlans VL20 vlan-id 20
[edit]
root# set vlans VL30 vlan-id 30
[edit]
root#
Configure ge-0/0/0 as a tagged interface. One or more VLANs can be carried over this interface; that is, the Juniper ge-0/0/0 tagged port can receive traffic for VLANs 10, 20 and 30 configured above.
root# set interfaces ge-0/0/0 vlan-tagging
[edit]
root# set interfaces ge-0/0/0 unit 10 vlan-id 10
[edit]
root# set interfaces ge-0/0/0 unit 10 family inet address 10.1.1.1/24
[edit]
root# set interfaces ge-0/0/0 unit 20 vlan-id 20
[edit]
root# set interfaces ge-0/0/0 unit 20 family inet address 20.1.1.1/24
[edit]
root# set interfaces ge-0/0/0 unit 30 vlan-id 30
[edit]
root# set interfaces ge-0/0/0 unit 30 family inet address 30.1.1.1/24
Check the interface status.
root> show interfaces terse | match inet
ge-0/0/0.10             up    up   inet     10.1.1.1/24
ge-0/0/0.20             up    up   inet     20.1.1.1/24
ge-0/0/0.30             up    up   inet     30.1.1.1/24
sp-0/0/0.0              up    up   inet
                                   inet6
sp-0/0/0.16383          up    up   inet
lo0.16384               up    up   inet     127.0.0.1           --> 0/0
lo0.16385               up    up   inet     10.0.0.1            --> 0/0
root>
Cisco Switch Side
Create VLANs 10, 20 and 30.
Switch(config)#vlan 10
Switch(config-vlan)#vlan 20
Switch(config-vlan)#vlan 30
Configure the Gi0/0 interface as a trunk.
Switch(config)#int g0/0
Switch(config-if)#switchport trunk encapsulation dot1q
Switch(config-if)#switchport mode trunk
Switch(config-if)#no shutdown
Create the Layer 3 interface for each VLAN carried on Gi0/0 (on the Cisco switch these are VLAN interfaces, the counterpart of the sub-interfaces on the vSRX).
Switch(config)#interface vlan 10
Switch(config-if)#ip address 10.1.1.2 255.255.255.0
Switch(config-if)#no shutdown
Switch(config-if)#exit
Switch(config)#interface vlan 20
Switch(config-if)#ip address 20.1.1.2 255.255.255.0
Switch(config-if)#no shutdown
Switch(config-if)#exit
Switch(config)#interface vlan 30
Switch(config-if)#ip address 30.1.1.2 255.255.255.0
Switch(config-if)#no shutdown
Switch(config-if)#
Check the interface status.
Switch#show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0     unassigned      YES unset  up                    up
GigabitEthernet0/1     unassigned      YES unset  up                    up
GigabitEthernet0/2     unassigned      YES unset  up                    up
GigabitEthernet0/3     unassigned      YES unset  up                    up
GigabitEthernet1/0     unassigned      YES unset  up                    up
GigabitEthernet1/1     unassigned      YES unset  up                    up
GigabitEthernet1/2     unassigned      YES unset  up                    up
GigabitEthernet1/3     unassigned      YES unset  up                    up
Vlan10                 10.1.1.2        YES manual up                    up
Vlan20                 20.1.1.2        YES manual up                    up
Vlan30                 30.1.1.3        YES manual up                    up
Switch#
Ping the vSRX from the Cisco switch.
Switch#ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Switch#
vSRX
The Juniper SRX is a zone-based firewall. Before an interface can be used, you must create a security zone and assign the interface to it.
root# set security zones security-zone trust_vl10 interfaces ge-0/0/0.10
root# set security zones security-zone trust_vl10 host-inbound-traffic system-services ping
root# set security zones security-zone trust_vl20 interfaces ge-0/0/0.20
root# set security zones security-zone trust_vl20 host-inbound-traffic system-services ping
root# set security zones security-zone trust_vl30 interfaces ge-0/0/0.30
root# set security zones security-zone trust_vl30 host-inbound-traffic system-services ping
root# commit
commit complete
Run the ping test from the Cisco switch again.
Switch#
Switch#ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/5 ms
Switch#ping 20.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.1.1.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/2 ms
Switch#ping 30.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 30.1.1.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/2 ms
Switch#
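The first ping failed because none of the ge-0/0/0 units belonged to a security zone yet, and it succeeded once each unit sat in a zone that permits ping as host-inbound traffic. As an added example (not from the original post), the Python script below reads `set`-format configuration and reports, per logical unit, its zone and the host-inbound services that zone allows, so an unzoned unit or an unexpectedly open service stands out. It assumes zone-level `host-inbound-traffic` only, and the sample input is constructed: unit ge-0/0/0.40 is hypothetical.

```python
import re

# Constructed input: the address and zone commands from this post plus one
# hypothetical unit (ge-0/0/0.40) that was never placed in a security zone.
SAMPLE_CONFIG = """\
set interfaces ge-0/0/0 unit 10 family inet address 10.1.1.1/24
set interfaces ge-0/0/0 unit 20 family inet address 20.1.1.1/24
set interfaces ge-0/0/0 unit 30 family inet address 30.1.1.1/24
set interfaces ge-0/0/0 unit 40 family inet address 40.1.1.1/24
set security zones security-zone trust_vl10 interfaces ge-0/0/0.10
set security zones security-zone trust_vl10 host-inbound-traffic system-services ping
set security zones security-zone trust_vl20 interfaces ge-0/0/0.20
set security zones security-zone trust_vl20 host-inbound-traffic system-services ping
set security zones security-zone trust_vl30 interfaces ge-0/0/0.30
set security zones security-zone trust_vl30 host-inbound-traffic system-services ping
"""

ZONE = r"set security zones security-zone (\S+) "
UNIT = re.compile(r"set interfaces (\S+) unit (\d+) family inet address (\S+)$")
ZONE_IF = re.compile(ZONE + r"interfaces (\S+)$")
ZONE_SVC = re.compile(ZONE + r"host-inbound-traffic system-services (\S+)$")

def audit(config):
    """Map each Layer 3 logical unit to its zone and that zone's host-inbound services."""
    units, zone_of, services = {}, {}, {}
    for line in map(str.strip, config.splitlines()):
        if m := UNIT.match(line):
            units[f"{m[1]}.{m[2]}"] = m[3]          # e.g. ge-0/0/0.10 -> 10.1.1.1/24
        elif m := ZONE_IF.match(line):
            zone_of[m[2]] = m[1]                    # interface -> zone name
        elif m := ZONE_SVC.match(line):
            services.setdefault(m[1], set()).add(m[2])
    return {ifl: {"address": addr, "zone": zone_of.get(ifl),
                  "host_inbound": sorted(services.get(zone_of.get(ifl), ()))}
            for ifl, addr in units.items()}

def unzoned(report):
    """Units bound to no security zone; the SRX drops traffic arriving on them."""
    return sorted(ifl for ifl, r in report.items() if r["zone"] is None)

def ping_refused(report):
    """Units whose address will not answer ping (no zone, or ping not permitted)."""
    return sorted(ifl for ifl, r in report.items()
                  if not {"ping", "all"} & set(r["host_inbound"]))

if __name__ == "__main__":
    for ifl, r in audit(SAMPLE_CONFIG).items():
        print(ifl, r["address"], r["zone"] or "NO ZONE", r["host_inbound"])
```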
Thank you for reading [2024][Juniper SRX #4] Interface Configuration - Layer3 Logical Interface.