Hello.
Today's topic is [2024][Juniper SRX #7] host-inbound-traffic.
Because the Juniper SRX is a firewall (security) device, packets whose destination is an SRX interface itself are dropped by default. Transit traffic between zones is governed by security policies; traffic addressed to the device (ping, SSH, OSPF hellos and so on) is governed by host-inbound-traffic, and nothing is accepted until you explicitly allow it.
There are two ways to open it.
1. Allow host-inbound-traffic at the zone level - applied to every interface in the zone at once.
2. Allow host-inbound-traffic per interface - applied individually to each interface.
root# ...rity-zone trust host-inbound-traffic ?
Possible completions:
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
> protocols            Protocol type of incoming traffic to accept
> system-services      Type of incoming system-service traffic to accept
Selecting protocols shows the following.
root# ...rity-zone trust host-inbound-traffic protocols ?
Possible completions:
  all                  All protocols
  bfd                  Bidirectional Forwarding Detection
  bgp                  Border Gateway Protocol
  dvmrp                Distance Vector Multicast Routing Protocol
  igmp                 Internet Group Management Protocol
  ldp                  Label Distribution Protocol
  msdp                 Multicast Source Discovery Protocol
  nhrp                 Next Hop Resolution Protocol
  ospf                 Open Shortest Path First
  ospf3                Open Shortest Path First version 3
  pgm                  Pragmatic General Multicast
  pim                  Protocol Independent Multicast
  rip                  Routing Information Protocol
  ripng                Routing Information Protocol next generation
  router-discovery     Router Discovery
  rsvp                 Resource Reservation Protocol
  sap                  Session Announcement Protocol
  vrrp                 Virtual Router Redundancy Protocol
[edit]
Selecting system-services shows the following.
root# ...rity-zone trust host-inbound-traffic system-services ?
Possible completions:
  all                  All system services
  any-service          Enable services on entire port range
  appqoe               APPQOE active probe service
  bootp                Bootp and dhcp relay-agent service
  dhcp                 Dynamic Host Configuration Protocol
  dhcpv6               Enable Dynamic Host Configuration Protocol for IPv6
  dns                  DNS service
  finger               Finger service
  ftp                  FTP
  high-availability    High Availability service
  http                 Web management service using HTTP
  https                Web management service using HTTP secured by SSL
  ident-reset          Send back TCP RST to IDENT request for port 113
  ike                  Internet Key Exchange
  lsping               Label Switched Path ping service
  netconf              NETCONF service
  ntp                  Network Time Protocol service
  ping                 Internet Control Message Protocol echo requests
  r2cp                 Enable Radio-Router Control Protocol service
  reverse-ssh          Reverse SSH service
  reverse-telnet       Reverse telnet service
  rlogin               Rlogin service
  rpm                  Real-time performance monitoring
  rsh                  Rsh service
  snmp                 Simple Network Management Protocol service
  snmp-trap            Simple Network Management Protocol traps
  ssh                  SSH service
  tcp-encap            Tcp encapsulation service
  telnet               Telnet service
  tftp                 TFTP
  traceroute           Traceroute service
  webapi-clear-text    Webapi service using http
  webapi-ssl           Webapi service using HTTP secured by SSL
  xnm-clear-text       JUNOScript API for unencrypted traffic over TCP
  xnm-ssl              JUNOScript API service over SSL
[edit]
Let's test it.
The topology is as follows.
Juniper
1. ge-0/0/0 - 10.1.1.1/24
2. Create zone Trust
3. Assign ge-0/0/0 to zone Trust
4. Configure OSPF
Cisco
1. g0/0 - 10.1.1.2/24
2. lo1 - 192.168.1.1/24 (the configuration below uses loopback 1)
3. Configure OSPF
Test
1. Confirm the OSPF neighbor between the Juniper and the Cisco
2. Confirm 192.168.1.0/24 in the Juniper routing table
3. Ping the Juniper interface ge-0/0/0 (10.1.1.1) from the Cisco
To pass these tests, host-inbound-traffic must be enabled on the Juniper.
Juniper Side
1. Reset the configuration.
root# delete
This will delete the entire configuration
Delete everything under this level? [yes,no] (no) yes
[edit]
root# set system root-authentication plain-text-password
New password:
Retype new password:
[edit]
root# commit
2. Assign 10.1.1.1/24 to Juniper ge-0/0/0
root# set interfaces ge-0/0/0 unit 0 family inet address 10.1.1.1/24
3. Create zone Trust and bind the interface to it
[edit]
root# set security zones security-zone Trust
[edit]
root# set security zones security-zone Trust interfaces ge-0/0/0
4. Configure OSPF
root# set routing-options router-id 10.1.1.1
root# set protocols ospf area 0.0.0.0 interface ge-0/0/0
Cisco Side
1. Assign IP addresses to the interfaces
Switch>enable
Switch#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)#interface gigabitEthernet 0/0
Switch(config-if)#no switchport
Switch(config-if)#ip address 10.1.1.2 255.255.255.0
Switch(config-if)#no shutdown
Switch(config)#interface loopback 1
Switch(config-if)#ip address 192.168.1.1 255.255.255.0
Switch(config-if)#ip ospf network point-to-point
2. Configure OSPF
Switch(config)#router ospf 1
Switch(config-router)#router-id 10.1.1.2
Switch(config-router)#network 0.0.0.0 0.0.0.0 area 0
Test
Ping the Juniper ge-0/0/0 (10.1.1.1) from the Cisco
Switch#ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Switch#
Check the interface status on the Cisco and the Juniper
Switch#show ip int brie
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0     10.1.1.2        YES manual up                    up
GigabitEthernet0/1     unassigned      YES unset  up                    up
GigabitEthernet0/2     unassigned      YES unset  up                    up
GigabitEthernet0/3     unassigned      YES unset  up                    up
GigabitEthernet1/0     unassigned      YES unset  up                    up
GigabitEthernet1/1     unassigned      YES unset  up                    up
GigabitEthernet1/2     unassigned      YES unset  up                    up
GigabitEthernet1/3     unassigned      YES unset  up                    up
Loopback0              unassigned      YES unset  up                    up
Loopback1              192.168.1.1     YES manual up                    up
Switch#

root> show interfaces terse
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
ge-0/0/0.0              up    up   inet     10.1.1.1/24
gr-0/0/0                up    up
ip-0/0/0                up    up
lsq-0/0/0               up    up
lt-0/0/0                up    up
mt-0/0/0                up    up
sp-0/0/0                up    up
sp-0/0/0.0              up    up   inet
                                   inet6
sp-0/0/0.16383          up    up   inet
ge-0/0/1                up    up
ge-0/0/2                up    up
dsc                     up    up
fti0                    up    up
fxp0                    up    up
gre                     up    up
ipip                    up    up
irb                     up    up
lo0                     up    up
lo0.16384               up    up   inet     127.0.0.1           --> 0/0
lo0.16385               up    up   inet     10.0.0.1            --> 0/0
                                            10.0.0.16           --> 0/0
                                            128.0.0.1           --> 0/0
                                            128.0.0.4           --> 0/0
                                            128.0.1.16          --> 0/0
lo0.32768               up    up
lsi                     up    up
mtun                    up    up
pimd                    up    up
pime                    up    up
pp0                     up    up
ppd0                    up    up
ppe0                    up    up
st0                     up    up
tap                     up    up
vlan                    up    down
root>
Every interface is up on both sides, yet the ping fails. The echo requests reach the SRX but are dropped, because nothing has been allowed as host-inbound traffic for zone Trust yet.
Juniper Side
Allow ping on the zone with the host-inbound-traffic system-services command.
root# set security zones security-zone Trust host-inbound-traffic system-services ping
[edit]
root# commit
Retry the ping from the Cisco.
Switch#ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/20/94 ms
Switch#
Now check the OSPF neighbor on the Cisco. The neighbor is in INIT, not FULL.
No adjacency forms between the Cisco and the Juniper. INIT means the Cisco is receiving the SRX's hellos, but the SRX is dropping the Cisco's hellos (OSPF is not yet allowed as host-inbound traffic), so the SRX's hellos never list the Cisco as a seen neighbor and the state cannot advance to 2-WAY.
Switch#show ip ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
10.1.1.1        128   INIT/DROTHER    00:00:38    10.1.1.1        GigabitEthernet0/0
Switch#
Juniper Side
Allow OSPF on the zone with the host-inbound-traffic protocols command.
root# set security zones security-zone Trust host-inbound-traffic protocols ospf
[edit]
root# commit
commit complete
Check the neighbor on the Cisco.
The capture below was taken right after the commit and still shows INIT/DROTHER; the Juniper-side check that follows shows the adjacency at Full, and the Cisco side shows FULL/DR in the later test.
Switch#show ip ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
10.1.1.1        128   INIT/DROTHER    00:00:38    10.1.1.1        GigabitEthernet0/0
Check the neighbor on the Juniper, and confirm that 192.168.1.0/24 has been learned from the Cisco in the routing table.
root> show ospf neighbor
Address          Interface              State           ID               Pri  Dead
10.1.1.2         ge-0/0/0.0             Full            10.1.1.2           1    33

root> show route

inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

10.1.1.0/24        *[Direct/0] 00:16:43
                    > via ge-0/0/0.0
10.1.1.1/32        *[Local/0] 00:16:43
                      Local via ge-0/0/0.0
192.168.1.0/24     *[OSPF/10] 00:00:29, metric 2
                    > to 10.1.1.2 via ge-0/0/0.0
224.0.0.5/32       *[OSPF/10] 00:07:06, metric 1
                      MultiRecv

inet6.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

ff02::2/128        *[INET6/0] 00:44:15
                      MultiRecv
root>
The zone-level host-inbound-traffic fix, in summary:
set security zones security-zone Trust host-inbound-traffic system-services ping
set security zones security-zone Trust host-inbound-traffic protocols ospf
Next, solve the same problem with host-inbound-traffic on interface ge-0/0/0 inside the zone.
Juniper Side
Delete the host-inbound-traffic settings configured on the zone.
root# delete security zones security-zone Trust host-inbound-traffic system-services ping
root# delete security zones security-zone Trust host-inbound-traffic protocols ospf
root# commit
commit complete
Configure host-inbound-traffic on interface ge-0/0/0 inside the zone
root# set security zones security-zone Trust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
root# set security zones security-zone Trust interfaces ge-0/0/0.0 host-inbound-traffic protocols ospf
root# commit
Ping and OSPF test from the Cisco
Switch#ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/2 ms
Switch#show ip ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
10.1.1.1        128   FULL/DR         00:00:33    10.1.1.1        GigabitEthernet0/0
Switch#
Check the OSPF neighbor and the routing table on the Juniper
root> show ospf neighbor
Address          Interface              State           ID               Pri  Dead
10.1.1.2         ge-0/0/0.0             Full            10.1.1.2           1    36

root> show route

inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

10.1.1.0/24        *[Direct/0] 00:22:05
                    > via ge-0/0/0.0
10.1.1.1/32        *[Local/0] 00:22:05
                      Local via ge-0/0/0.0
192.168.1.0/24     *[OSPF/10] 00:05:51, metric 2
                    > to 10.1.1.2 via ge-0/0/0.0
224.0.0.5/32       *[OSPF/10] 00:12:28, metric 1
                      MultiRecv

inet6.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

ff02::2/128        *[INET6/0] 00:49:37
                      MultiRecv
root>
Everything works as before. The security difference between the two methods is scope: the zone-level rule opens ping and OSPF on every interface you later add to Trust, while the interface-level rule opens them only on ge-0/0/0.0. Keep the list as small as the design needs, avoid system-services all (or protocols all) on any zone that faces untrusted networks, and remember that the clear-text services in the completion list (telnet, http, ftp, xnm-clear-text, webapi-clear-text) carry credentials unencrypted. You can review the current state with show configuration security zones.
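The following Python script is an added example and not code from the original post; it audits host-inbound-traffic exposure from a set-format configuration. It expands all, honors except, applies interface-level entries over zone-level ones, and flags the settings a reviewer cares about: any-service, clear-text management services, and management services or control protocols accepted from an untrusted zone. Assumptions: the zone named Untrust, interfaces ge-0/0/1.0 and ge-0/0/2.0, and both sample configurations are constructed for the example (only the Trust/ge-0/0/0 lines mirror the post); the precedence rule (an interface-level entry for a category replaces the zone's entries for that category rather than merging with them) follows Juniper's documentation and should be verified on your release.

```python
import re

# Completion lists the SRX prints for '?' (system-services and protocols).
ALL_SERVICES = {
    "any-service", "appqoe", "bootp", "dhcp", "dhcpv6", "dns", "finger", "ftp", "high-availability",
    "http", "https", "ident-reset", "ike", "lsping", "netconf", "ntp", "ping", "r2cp", "reverse-ssh",
    "reverse-telnet", "rlogin", "rpm", "rsh", "snmp", "snmp-trap", "ssh", "tcp-encap", "telnet", "tftp",
    "traceroute", "webapi-clear-text", "webapi-ssl", "xnm-clear-text", "xnm-ssl"}
ALL_PROTOCOLS = {"bfd", "bgp", "dvmrp", "igmp", "ldp", "msdp", "nhrp", "ospf", "ospf3",
                 "pgm", "pim", "rip", "ripng", "router-discovery", "rsvp", "sap", "vrrp"}
# Services that expose a login, a config channel or a credential path; CLEARTEXT is the unencrypted subset.
MANAGEMENT = {"ssh", "telnet", "http", "https", "netconf", "xnm-clear-text", "xnm-ssl",
              "webapi-clear-text", "webapi-ssl", "ftp", "tftp", "rlogin", "rsh",
              "reverse-ssh", "reverse-telnet", "snmp", "finger"}
CLEARTEXT = {"telnet", "http", "ftp", "tftp", "rlogin", "rsh", "finger",
             "xnm-clear-text", "webapi-clear-text", "reverse-telnet"}
KINDS = ("system-services", "protocols")
SET_LINE = re.compile(
    r"^set security zones security-zone (\S+)(?: interfaces (\S+))?"
    r"(?: host-inbound-traffic (system-services|protocols) (\S+)( except)?)?$")


def _unit(ifname):
    # Zones bind logical units: 'ge-0/0/0' and 'ge-0/0/0.0' name the same unit.
    return ifname if "." in ifname else ifname + ".0"


def _scope():
    return {k: {"allow": set(), "except": set()} for k in KINDS}


def parse(config_text):
    """Return {zone: {"zone": scope, "interfaces": {unit: scope}}} from set lines."""
    zones = {}
    for raw in config_text.splitlines():
        m = SET_LINE.match(raw.strip())
        if not m:
            continue  # not a security-zone statement
        zone, iface, kind, name, exc = m.groups()
        z = zones.setdefault(zone, {"zone": _scope(), "interfaces": {}})
        scope = z["interfaces"].setdefault(_unit(iface), _scope()) if iface else z["zone"]
        if kind:
            scope[kind]["except" if exc else "allow"].add(name)
    return zones


def _expand(kind, rules):
    universe = ALL_SERVICES if kind == "system-services" else ALL_PROTOCOLS
    allowed = set(universe) if "all" in rules["allow"] else set(rules["allow"])
    return allowed - rules["except"]


def effective_inbound(zones):
    """Per interface unit: zone plus expanded system-services/protocols. Assumption
    (Juniper documents interface-level host-inbound-traffic as taking precedence):
    interface entries for a category replace the zone's entries, they are not merged."""
    out = {}
    for zone, z in zones.items():
        for unit, iscope in z["interfaces"].items():
            entry = {"zone": zone}
            for kind in KINDS:
                rules = iscope[kind]
                if not (rules["allow"] or rules["except"]):
                    rules = z["zone"][kind]
                entry[kind] = _expand(kind, rules)
            out[unit] = entry
    return out


def audit(config_text, untrusted_zones=("untrust",)):
    """Return (severity, interface, zone, detail) tuples, ordered by interface."""
    findings = []
    for unit, e in sorted(effective_inbound(parse(config_text)).items()):
        svcs, protos = e["system-services"], e["protocols"]
        untrusted = e["zone"].lower() in untrusted_zones
        for sev, hit, why in (
            ("high", "any-service" in svcs and {"any-service"}, "whole port range opened"),
            ("high", svcs & CLEARTEXT, "clear-text services"),
            ("high", untrusted and svcs & MANAGEMENT, "management services from untrusted zone"),
            ("medium", untrusted and protos, "control protocols accepted from untrusted zone"),
        ):
            if hit:
                findings.append((sev, unit, e["zone"], f"{why}: {', '.join(sorted(hit))}"))
    return findings


# Constructed sample: the post's Trust zone plus a hypothetical Untrust zone that
# was opened with 'system-services all' and carries one interface-level override.
WEAK_CONFIG = """
set security zones security-zone Trust interfaces ge-0/0/0
set security zones security-zone Trust host-inbound-traffic system-services ping
set security zones security-zone Trust host-inbound-traffic protocols ospf
set security zones security-zone Untrust interfaces ge-0/0/1.0
set security zones security-zone Untrust interfaces ge-0/0/2.0
set security zones security-zone Untrust host-inbound-traffic system-services all
set security zones security-zone Untrust host-inbound-traffic system-services telnet except
set security zones security-zone Untrust interfaces ge-0/0/2.0 host-inbound-traffic system-services ike
"""
# Same constructed topology, hardened: each interface answers only to what it needs.
HARDENED_CONFIG = """
set security zones security-zone Trust interfaces ge-0/0/0.0
set security zones security-zone Trust host-inbound-traffic system-services ping
set security zones security-zone Trust host-inbound-traffic protocols ospf
set security zones security-zone Untrust interfaces ge-0/0/1.0
set security zones security-zone Untrust interfaces ge-0/0/2.0
set security zones security-zone Untrust interfaces ge-0/0/2.0 host-inbound-traffic system-services ike
"""
```

Run audit(WEAK_CONFIG) and the only interface reported is ge-0/0/1.0: all except telnet still leaves any-service, the clear-text services and every management service open toward the untrusted side, while ge-0/0/2.0 answers only IKE because its own stanza overrides the zone. audit(HARDENED_CONFIG) returns nothing. Feed the script the output of show configuration security zones | display set to audit a real device.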
Thank you for reading [2024][Juniper SRX #7] host-inbound-traffic.