Hello.
Today we look at [2024][Juniper SRX #6] Interface configuration - RVI - trunk mode - a Layer 3 interface that operates on top of L2.
1. Layer 3 physical interface - access mode
2. Layer 3 logical interface - trunk mode
3. RVI IRB - access mode - Layer 3 interface operating on top of L2
4. RVI IRB - trunk mode - Layer 3 interface operating on top of L2
For the test, create two nodes and cable them together as below.
1. vSRX - ge-0/0/0
2. vIOS Switch - G0/0
1. Let's test the Layer 3 physical interface.
vSRX side -
delete: clears the default configuration.
set system root-authentication plain-text-password: sets the root password.
commit: applies and saves the configuration.
root@:~ # cli
root> configure
Entering configuration mode
[edit]
root# delete
This will delete the entire configuration
Delete everything under this level? [yes,no] (no) yes
[edit]
root# set system root-authentication plain-text-password
New password:
Retype new password:
[edit]
root# commit
commit complete
[edit]
root#
2. vSRX side
Create the VLANs.
VLAN names: VL10, VL20, VL30
vlan-id: 10, 20, 30
Then verify the VLANs.
root# set vlans VL10 vlan-id 10
[edit]
root# set vlans VL20 vlan-id 20
[edit]
root# set vlans VL30 vlan-id 30
[edit]
root# commit
commit complete
[edit]
root# exit
Exiting configuration mode
root> show vlans brief
Routing instance        VLAN name             Tag          Interfaces
default-switch          VL10                  10
default-switch          VL20                  20
default-switch          VL30                  30
default-switch          default               1
root>
Set interface ge-0/0/0 to trunk mode.
Then allow only VL10, VL20 and VL30 on it.
root# set interfaces ge-0/0/0 unit 0 family ethernet-switching interface-mode trunk
root# set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members VL10 members VL20 members VL30
Configure the IRB interfaces.
IRB10 - 10.1.1.1/24
IRB20 - 20.1.1.1/24
IRB30 - 30.1.1.1/24
root# set interfaces irb unit 10 family inet address 10.1.1.1/24
[edit]
root# set interfaces irb unit 20 family inet address 20.1.1.1/24
[edit]
root# set interfaces irb unit 30 family inet address 30.1.1.1/24
[edit]
root# commit
commit complete
[edit]
root#
Map each IRB interface to its VLAN.
root# set vlans VL10 l3-interface irb.10
[edit]
root# set vlans VL20 l3-interface irb.20
[edit]
root# set vlans VL30 l3-interface irb.30
[edit]
root# commit
commit complete
[edit]
Check the interface status.
root> show interfaces terse | no-more
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
ge-0/0/0.0              up    up   eth-switch
gr-0/0/0                up    up
ip-0/0/0                up    up
lsq-0/0/0               up    up
lt-0/0/0                up    up
mt-0/0/0                up    up
sp-0/0/0                up    up
sp-0/0/0.0              up    up   inet
                                   inet6
sp-0/0/0.16383          up    up   inet
ge-0/0/1                up    up
ge-0/0/2                up    up
dsc                     up    up
fti0                    up    up
fxp0                    up    up
gre                     up    up
ipip                    up    up
irb                     up    up
irb.10                  up    up   inet     10.1.1.1/24
irb.20                  up    up   inet     20.1.1.1/24
irb.30                  up    up   inet     30.1.1.1/24
lo0                     up    up
lo0.16384               up    up   inet     127.0.0.1           --> 0/0
lo0.16385               up    up   inet     10.0.0.1            --> 0/0
                                            10.0.0.16           --> 0/0
                                            128.0.0.1           --> 0/0
                                            128.0.0.4           --> 0/0
                                            128.0.1.16          --> 0/0
lo0.32768               up    up
lsi                     up    up
mtun                    up    up
pimd                    up    up
pime                    up    up
pp0                     up    up
ppd0                    up    up
ppe0                    up    up
st0                     up    up
tap                     up    up
vlan                    up    down
vtep                    up    up
root>
Cisco side
Create the VLANs.
VLAN 10
VLAN 20
VLAN 30
Then verify the VLANs.
Switch(config)#vlan 10
Switch(config-vlan)#vlan 20
Switch(config-vlan)#vlan 30
Switch(config-vlan)#end
Switch#show vlan brie

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/1, Gi0/2, Gi0/3, Gi1/0
                                                Gi1/1, Gi1/2, Gi1/3
10   VLAN0010                         active    Gi0/0
20   VLAN0020                         active
30   VLAN0030                         active
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup
Switch#
Set interface gi0/0 to trunk mode.
Then allow only VLANs 10, 20 and 30 on it.
Switch(config)#interface gigabitEthernet 0/0
Switch(config-if)#switchport trunk encapsulation dot1q
Switch(config-if)#switchport mode trunk
Switch(config-if)#switchport trunk allowed vlan 10,20,30
Switch(config-if)#
Create the SVIs.
SVI 10 - 10.1.1.2/24
SVI 20 - 20.1.1.2/24
SVI 30 - 30.1.1.2/24
Switch(config)#interface vlan 10
Switch(config-if)#ip address 10.1.1.2 255.255.255.0
Switch(config-if)#no shutdown
Switch(config-if)#interface vlan 20
Switch(config-if)#ip address 20.1.1.2 255.255.255.0
Switch(config-if)#no shutdown
Switch(config-if)#interface vlan 30
Switch(config-if)#ip address 30.1.1.2 255.255.255.0
Switch(config-if)#no shutdown
Check the interface status.
Switch#show ip int brie
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0     unassigned      YES unset  up                    up
GigabitEthernet0/1     unassigned      YES unset  up                    up
GigabitEthernet0/2     unassigned      YES unset  up                    up
GigabitEthernet0/3     unassigned      YES unset  up                    up
GigabitEthernet1/0     unassigned      YES unset  up                    up
GigabitEthernet1/1     unassigned      YES unset  up                    up
GigabitEthernet1/2     unassigned      YES unset  up                    up
GigabitEthernet1/3     unassigned      YES unset  up                    up
Vlan10                 10.1.1.2        YES manual up                    up
Vlan20                 20.1.1.2        YES manual up                    up
Vlan30                 30.1.1.2        YES manual up                    up
Switch#
Ping the vSRX from the Cisco switch.
Because the vSRX is a security device, it drops ICMP packets by default.
Switch#ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Switch#
vSRX side
The Juniper SRX is a zone-based firewall. Before an interface can be used, you have to create a zone and assign the interface to that zone.
irb.10 -> trust_vl10
irb.20 -> trust_vl20
irb.30 -> trust_vl30
set security zones security-zone trust_vl10 interfaces irb.10
set security zones security-zone trust_vl10 host-inbound-traffic system-services ping
set security zones security-zone trust_vl20 interfaces irb.20
set security zones security-zone trust_vl20 host-inbound-traffic system-services ping
set security zones security-zone trust_vl30 interfaces irb.30
set security zones security-zone trust_vl30 host-inbound-traffic system-services ping
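The chain configured above has four links that all have to be present before the switch can reach an IRB address: the VLAN exists, the VLAN is allowed on the trunk, the IRB unit is mapped to the VLAN with l3-interface, and the IRB is in a security zone whose host-inbound-traffic permits ping. The failed ping in the previous step is what a missing last link looks like. The following is an added example, not code from the original post: a small Python checker that parses Junos set commands in the form used here and reports which link is missing for each IRB unit. The sample configurations are constructed from the commands in this post; the bracket form vlan members [ VL10 VL20 VL30 ] is assumed as the canonical Junos syntax for a multi-member list, and the zone names trust_vl10/20/30 are the ones used above.

```python
"""Audit the VLAN -> trunk -> IRB -> zone chain in Junos 'set' commands.

Added example (not from the original post). Parses set lines of the kinds
shown in the walkthrough and reports, per IRB unit, which part of the chain
is missing. Sample inputs are constructed from the post's commands.
"""
import re

# Constructed sample: the post's commands up to (but not including) the zone step.
# The 'vlan members [ ... ]' bracket form is an assumption about the canonical syntax.
CONFIG_BEFORE_ZONES = """
set vlans VL10 vlan-id 10
set vlans VL20 vlan-id 20
set vlans VL30 vlan-id 30
set interfaces ge-0/0/0 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members [ VL10 VL20 VL30 ]
set interfaces irb unit 10 family inet address 10.1.1.1/24
set interfaces irb unit 20 family inet address 20.1.1.1/24
set interfaces irb unit 30 family inet address 30.1.1.1/24
set vlans VL10 l3-interface irb.10
set vlans VL20 l3-interface irb.20
set vlans VL30 l3-interface irb.30
"""

# Constructed sample: the zone commands from the post, appended to the above.
ZONE_COMMANDS = """
set security zones security-zone trust_vl10 interfaces irb.10
set security zones security-zone trust_vl10 host-inbound-traffic system-services ping
set security zones security-zone trust_vl20 interfaces irb.20
set security zones security-zone trust_vl20 host-inbound-traffic system-services ping
set security zones security-zone trust_vl30 interfaces irb.30
set security zones security-zone trust_vl30 host-inbound-traffic system-services ping
"""

PATTERNS = {
    "vlan_id": re.compile(r"^set vlans (\S+) vlan-id (\d+)$"),
    "vlan_l3": re.compile(r"^set vlans (\S+) l3-interface (irb\.\d+)$"),
    "trunk_mode": re.compile(r"^set interfaces (\S+) unit (\d+) family ethernet-switching interface-mode (\w+)$"),
    "trunk_members": re.compile(r"^set interfaces (\S+) unit (\d+) family ethernet-switching vlan members (.+)$"),
    "irb_addr": re.compile(r"^set interfaces irb unit (\d+) family inet address (\S+)$"),
    "zone_if": re.compile(r"^set security zones security-zone (\S+) interfaces (\S+)$"),
    "zone_svc": re.compile(r"^set security zones security-zone (\S+) host-inbound-traffic system-services (\S+)$"),
}


def parse_set_config(text):
    """Build a small model of the config: vlans, trunk ports, IRB units, zones."""
    cfg = {"vlans": {}, "trunks": {}, "irb": {}, "zones": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("set "):
            continue  # skip prompts, blank lines and [edit] banners
        if m := PATTERNS["vlan_id"].match(line):
            cfg["vlans"].setdefault(m[1], {})["id"] = int(m[2])
        elif m := PATTERNS["vlan_l3"].match(line):
            cfg["vlans"].setdefault(m[1], {})["l3"] = m[2]
        elif m := PATTERNS["trunk_mode"].match(line):
            cfg["trunks"].setdefault(f"{m[1]}.{m[2]}", {"members": set()})["mode"] = m[3]
        elif m := PATTERNS["trunk_members"].match(line):
            members = m[3].strip("[] ").split()  # accepts 'VL10' or '[ VL10 VL20 ]'
            cfg["trunks"].setdefault(f"{m[1]}.{m[2]}", {"members": set()})["members"].update(members)
        elif m := PATTERNS["irb_addr"].match(line):
            cfg["irb"][f"irb.{m[1]}"] = m[2]
        elif m := PATTERNS["zone_if"].match(line):
            cfg["zones"].setdefault(m[1], {"interfaces": set(), "services": set()})["interfaces"].add(m[2])
        elif m := PATTERNS["zone_svc"].match(line):
            cfg["zones"].setdefault(m[1], {"interfaces": set(), "services": set()})["services"].add(m[2])
    return cfg


def audit_irb(cfg):
    """Return {irb_unit: [problems]}; an empty list means the chain is complete."""
    vlan_by_l3 = {v["l3"]: name for name, v in cfg["vlans"].items() if "l3" in v}
    trunk_members = set().union(*(t["members"] for t in cfg["trunks"].values() if t.get("mode") == "trunk"))
    report = {}
    for unit in sorted(cfg["irb"], key=lambda u: int(u.split(".")[1])):
        problems = []
        vlan = vlan_by_l3.get(unit)
        if vlan is None:
            problems.append("no VLAN has l3-interface " + unit)
        else:
            if "id" not in cfg["vlans"][vlan]:
                problems.append(f"VLAN {vlan} has no vlan-id")
            if vlan not in trunk_members:
                problems.append(f"VLAN {vlan} not allowed on any trunk port")
        zone = next((z for z, d in cfg["zones"].items() if unit in d["interfaces"]), None)
        if zone is None:
            problems.append("not assigned to a security zone (host traffic dropped)")
        elif "ping" not in cfg["zones"][zone]["services"]:
            problems.append(f"zone {zone} does not permit ping in host-inbound-traffic")
        report[unit] = problems
    return report


if __name__ == "__main__":
    for label, text in (("before zones", CONFIG_BEFORE_ZONES), ("after zones", CONFIG_BEFORE_ZONES + ZONE_COMMANDS)):
        print(label)
        for unit, problems in audit_irb(parse_set_config(text)).items():
            print(f"  {unit}: {'OK' if not problems else '; '.join(problems)}")
```

Run against the configuration as it stood when the ping failed, every IRB unit is flagged as not being in a security zone; with the six zone commands appended, all three units come back clean. Removing only the ping line for one zone gives a different finding for that unit, which is useful when a host-inbound-traffic change is reviewed in isolation.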