'분류 전체보기' 카테고리의 글 목록

안녕하세요.

오늘은 시스코 C9300 장비에 대해서 알아보겠습니다.

https://www.cisco.com/c/en/us/products/collateral/switches/catalyst-9300-series-switches/nb-06-cat9300-ser-data-sheet-cte-en.html

Catalyst 9300 Series Switches Data Sheet

This data sheet provides detailed information about the Catalyst 9300 series switches, the lead stackable enterprise switching platform for fixed access switches.

www.cisco.com

Table 1. Product Family Configurations

Models	Modular Uplinks and Speeds	Stacking Bandwidth Support	mGig Density	Cisco StackPower	HW-Based IPsec	App hosting Capacity
Catalyst 9300X	10G, 25G, 40G, mGig and 100G	Stackwise-1T (480G when stacking with Catalyst 9300 model)	48x 10G	✓ (Larger Power Budget)	Up to 100G IPsec*	✓ (2x hosting resources over Catalyst 9300 models)
Catalyst 9300	10G, 25G, 40G and mGig	Stackwise-480	48x5G and 24x10G	✓	✗	✓
Catalyst 9300L	✗	Stackwise-320	12x10G	✗	✗	✓
Catalyst 9300LM	✗	Stackwise-320	8x10G	✗	✗	✓

C9300장비는 1U 장비 입니다.

C9300-24T	24 port Data	Modular Uplinks	350W AC
C9300-48T	48 port Data	Modular Uplinks	350W AC
C9300-24P	24 port PoE+	Modular Uplinks	715W AC
C9300-48P2	48 port PoE+ ENERGY STAR® certified	Modular Uplinks	715W AC
C9300-24U	24 port Cisco UPOE	Modular Uplinks	1100W AC
C9300-48U	48 port Cisco UPOE	Modular Uplinks	1100W AC
C9300-24UX	24 port Multigigabit Cisco UPOE (10G/5G/2.5G/1G/100M)	Modular Uplinks	1100W AC
C9300-48UXM2	48 port Cisco UPOE, 36 ports 100M/1G/2.5G + 12 ports Multigigabit (10G/5G/2.5G/1G/100M) ENERGY STAR® certified	Modular Uplinks	1100W AC
C9300-48UN	48 port 5Gbps Multigigabit UPOE ports (5G/2.5G/1G/100M)	Modular Uplinks	1100W AC
C9300-24UB	24 port Cisco UPOE	Modular Uplinks	1100W AC
C9300-24UXB	24 port Multigigabit Cisco UPOE (10G/5G/2.5G/1G/100M)	Modular Uplinks	1100W AC
C9300-48UB	48 port Cisco UPOE	Modular Uplinks	1100W AC
C9300-24H	24 port Cisco UPOE+	Modular Uplinks	1100W AC
C9300-48H	48 Cisco UPOE+	Modular Uplinks	1100W AC
C9300-24S	24 1G SFP	Modular Uplinks	715W AC
C9300-48S	48 port 1G SFP	Modular Uplinks	715W AC

Network Modules

Cisco Catalyst 9300 Series switches (C9300X and C9300 SKUs) support optional network modules for uplink ports (Figure 2). These field-replaceable network modules with 25G and 40G speeds in the Cisco Catalyst 9300 Series enable greater architectural flexibility and infrastructure investment protection by allowing a nondisruptive migration from 10G to 25G and beyond. The default switch configuration does not include the network module. When you purchase the switch, you can choose from the network modules described in Table 2.

Network module	Description
C9300X-NM-8M**	Catalyst 9300X 8x 10G/1G Multigigabit Network Module
C9300X-NM-8Y**	Catalyst 9300X 8x 25G/10G/1G Network Module
C9300X-NM-2C**	Catalyst 9300X 2x 100G/40G Network Module
C9300X-NM-4C*	Catalyst 9300X 4x 100G/40G Network Module
C9300-NM-4G	Catalyst 9300 Series 4x 1G Network Module
C9300-NM-4M	Catalyst 9300 Series 4x Multigigabit Network Module
C9300-NM-8X	Catalyst 9300 Series 8x 10G/1G Network Module
C9300-NM-2Q	Catalyst 9300 Series 2x 40G Network Module
C9300-NM-2Y	Catalyst 9300 Series 2x 25G/10G/1G Network Module

Stacking

Cisco Catalyst 9300 Series switch models are designed for stacking switches as a single virtual switch, enabling customers to have a single management plane and control plane for up to 448 access ports.

C9300X SKUs	StackWise-1T	1 Tbps	StackWise cable	8	Stacks with other Catalyst 9300X models at StackWise-1T speeds with same license level Stacks with C9300 SKUs at StackWise-480 speeds with same license level
C9300 SKUs	StackWise-480	480 Gbps	StackWise Cable	8	Other C9300 SKUs with same license level C9300 higher scale SKUs only stack with other like higher scale models
C9300L SKUs	StackWise-320	320 Gbps	C9300L-STACK-KIT Or C9300L-STACK-KIT2	8	Stacks with other Catalyst 9300L and 9300LM models with same license level
C9300LM SKUs	StackWise-320	320 Gbps	C9300L-STACK-KIT2	8	Stacks with other Catalyst 9300L and 9300LM models with same license level

Mixed stacking between Catalyst 9300X and Catalyst 9300 models are supported at StackWise-480 speeds.

Table 9. Bandwidth specifications

SKU	Switching Capacity	Switching Capacity with stacking	Forwarding rate	Forwarding rate with stacking
C9300-24T	208 Gbps	688 Gbps	154.76 Mpps	511.90 Mpps
C9300-48T	256 Gbps	736 Gbps	190.47 Mpps	547.62 Mpps
C9300-24P	208 Gbps	688 Gbps	154.76 Mpps	511.90 Mpps
C9300-48P	256 Gbps	736 Gbps	190.47 Mpps	547.62 Mpps
C9300-24U	208 Gbps	688 Gbps	154.76 Mpps	511.90 Mpps
C9300-48U	256 Gbps	736 Gbps	190.48 Mpps	547.62 Mpps
C9300-24UX	640 Gbps	1120 Gbps	476.19 Mpps	833.33 Mpps
C9300-48UXM	580 Gbps	1060 Gbps	431.54 Mpps	788.69 Mpps
C9300-48UN	640 Gbps	1120 Gbps	476.19 Mpps	833.33 Mpps
C9300-24UB	208 Gbps	688 Gbps	154.76 Mpps	511.90 Mpps
C9300-48UB	256 Gbps	736 Gbps	190.48 Mpps	547.62 Mpps
C9300-24UXB	640 Gbps	1120 Gbps	476.19 Mpps	833.33 Mpps
C9300-24H	208 Gbps	688 Gbps	154.76 Mpps	511.90 Mpps
C9300-48H	256 Gbps	736 Gbps	190.48 Mpps	547.62 Mpps
C9300-24S	208 Gbps	688 Gbps	154.76 Mpps	511.90 Mpps
C9300-48S	256 Gbps	736 Gbps	190.47 Mpps	547.62 Mpps

저작자표시

'IT TECH TIP' 카테고리의 다른 글

[C4506-E] - 장비 공부 (0)	2025.04.18
[IT TECH TIP-#2] - 접속된 WIFI 패스워드 확인 - cmd (0)	2025.02.01
[IT TECH TIP-#1] - 접속된 WIFI 패스워드 확인 - 윈도우11 (0)	2025.02.01
와이어바알리(wirebarlery), 한국에서 해외로 저렴하게 송금하기(수수료 무료) (0)	2020.11.28

안녕하세요.

현재도 고객사중에서는 이미 EOL된 장비를 사용 하는 고객사들이 많이 있습니다.

장비를 교체할 시기에 회사에 사정상 교체 할 수 없어서 계속 사용하거나 아니면 아무 문제 없어서 계속 사용하는 경우도 많이 있습니다.

오늘은 C4506-E에 대해서 알아보도록 하겠습니다.

C4506-E는 Chassis 형태에 스위치 입니다.

3 WS-C4506-E Cat4500 E-Series 6-Slot Chassis, fan, no ps 2
3.1 S45EU-S8-36E CAT4500e SUP8e Universal Image 2
3.2 C4K-SLOT-CVR-E Catalyst 4500 E-Series Family Slot Cover 6
3.3 C4500E-IPB Paper IP Base License 2
3.4 CON-OSP-C4506E SNTC-24X7X4OS Cat4500 E-Series 6-Slot Chassis, fan, no 2
3.5 WS-X45-SUP8-E Catalyst 4500 E-Series Supervisor 8-E 2
3.6 WS-X4712-SFP-E Catalyst 4500 E-Series 12-Port GE (SFP) 2
3.7 WS-X4748-RJ45-E Catalyst 4500 E-Series 48-Port 10/100/1000 Non-Blocking 2
3.8 PWR-C45-1000AC Catalyst 4500 1000W AC Power Supply (Data Only) 2
3.9 CAB-BS1363-C15-UK BS-1363 to IEC-C15 8ft UK 4
3.10 PWR-C45-1000AC/2 Catalyst 4500 1000W AC Power Supply Redundant(Data Only) 2
3.11 SFP-10G-SR= 10GBASE-SR SFP Module 2

3. WS-C4506-E Cat4500 E-Series 6-Slot Chassis, fan,

3-5 WS-X45-SUP8-E

https://www.cisco.com/c/en/us/products/collateral/switches/catalyst-4500-series-switches/data_sheet_c78-728191.html

Cisco Catalyst 4500E Supervisor Engine 8-E: Wired and Wireless Convergence Data Sheet

This data sheet describes the benefits, specifications, and ordering information for the Cisco Catalyst 4500 Series Switches.

www.cisco.com

The new Cisco Catalyst 4500E Supervisor Engine 8-E is an enterprise-class, access and aggregation supervisor engine designed to provide up to 928 Gbps of wired access per system with an E-Series chassis

Table 1. Cisco Catalyst 4500E Supervisor Engine 8-E Performance and Scalability Features

Features	Performance and Scalability
Centralized Wired Switching Capacity	Up to 928 Gbps
Wireless Termination Capacity	Up to 20 Gbps (software Roadmap)
Per-slot Switching Capacity	48 Gbps
Throughput	● 250 Mpps for IPv4 ● 125 Mpps for IPv6
IPv4 Routing Entries	256,000
IPv6 Routing Entries	128,000
Multicast Routes	32,000
CPU	Quad core; 2.0 GHz
CPU Queues	64
Synchronous Dynamic RAM (SDRAM)	4 GB
Nonvolatile RAM (NVRAM)	2 GB
Security and QoS Hardware Entries	128,000
Dynamic Host Configuration Protocol (DHCP) Snooping Entries	12,000
MAC Addresses	55,000
Active VLANs	4094
Address Resolution Protocol (ARP) Entries	47,000
Spanning Tree Protocol Instances	10,000
Switched Virtual Interfaces (SVIs)	4094
Switched Port Analyzer (SPAN)	Maximum of 8 bi-directional sessions

3.6 WS-X4712-SFP-E Catalyst 4500 E-Series 12-Port GE (SFP) 2

• 슬롯당 48기가비트 용량
• 3포트씩 4개 그룹에 대역폭이 할당되며 포트 그룹당 12Gbps(2.5:1) 제공
• 최대 12포트 10GE SFP+(10GBASE-R) 또는 12포트 GE SFP(1GBASE-X) 지원
• 동일 라인 카드에 특별한 제한 없이 SFP+와 SFP를 동시에 사용 가능

3.7 WS-X4748-RJ45-E Catalyst 4500 E-Series 48-Port 10/100/1000 Non-Blocking 2

• 슬롯당 48기가비트 용량

• 48포트 논블로킹

• 10/100/1000 모듈(RJ-45)

• Cisco IOS XE Release 3.1.0SG 이상

• Energy Efficient Ethernet 802.3az

BB#1#show module
Switch Number: 1 Role: Virtual Switch Active

Chassis Type : WS-C4506-E

Power consumed by backplane : 0 Watts

Mod Ports Card Type                              Model              Serial No.
---+-----+--------------------------------------+------------------+-----------
1     8  Sup 8-E 10GE (SFP+), 1000BaseX (SFP)   WS-X45-SUP8-E      CAT2129L0KY
3    12  1000BaseX SFP                          WS-X4712-SFP-E     CAT2107L62U
4    48  10/100/1000BaseT EEE (RJ45)            WS-X4748-RJ45-E    CAT2127L4ER

Mod  Redundancy role     Operating mode      Redundancy status
----+-------------------+-------------------+----------------------------------
1   Active Supervisor   SSO                 Active

Switch Number: 2 Role: Virtual Switch Standby

Chassis Type : WS-C4506-E

Power consumed by backplane : 0 Watts

Mod Ports Card Type                              Model              Serial No.
---+-----+--------------------------------------+------------------+-----------
1     8  Sup 8-E 10GE (SFP+), 1000BaseX (SFP)   WS-X45-SUP8-E      CAT2129L0F4
3    12  1000BaseX SFP                          WS-X4712-SFP-E     CAT2107L62F
4    48  10/100/1000BaseT EEE (RJ45)            WS-X4748-RJ45-E    CAT2127L6TW

Mod  Redundancy role     Operating mode      Redundancy status
----+-------------------+-------------------+----------------------------------
1   Standby Supervisor  SSO                 Standby hot

Referance

https://www.cisco.com/c/en/us/products/collateral/switches/catalyst-4500-series-switches/data_sheet_c78-728191.html

Cisco Catalyst 4500E Supervisor Engine 8-E: Wired and Wireless Convergence Data Sheet

This data sheet describes the benefits, specifications, and ordering information for the Cisco Catalyst 4500 Series Switches.

www.cisco.com

https://www.cisco.com/c/dam/global/ko_kr/products/switches/catalyst-4500-series-switches/Cisco_Catalyst_4500E_Series_Chassis_data_sheet.pdf

https://www.cisco.com/c/dam/global/ko_kr/products/switches/catalyst-4500-series-switches/Cisco_Catalyst_4500_Series_Line_Cards_data_sheet.pdf

EOS and EOS(Support)

https://www.cisco.com/c/en/us/support/switches/catalyst-4500-series-switches/series.html

Cisco Catalyst 4500 Series Switches

Find software and support documentation to design, install and upgrade, configure, and troubleshoot Cisco Catalyst 4500 Series Switches.

www.cisco.com

저작자표시

'IT TECH TIP' 카테고리의 다른 글

[C9300] - 장비 공부 (0)	2025.04.18
[IT TECH TIP-#2] - 접속된 WIFI 패스워드 확인 - cmd (0)	2025.02.01
[IT TECH TIP-#1] - 접속된 WIFI 패스워드 확인 - 윈도우11 (0)	2025.02.01
와이어바알리(wirebarlery), 한국에서 해외로 저렴하게 송금하기(수수료 무료) (0)	2020.11.28

안녕하세요.

오늘은 Cisco ASA Remote Access VPN에서 사용할 인증서 Self Signed Certificate를 생성하고 이 인증서는 Remote Access VPN용으로 사용해 보겠습니다.

1. 시간을 설정합니다.

conf t
clock set 13:48:00 17 Apr 2025

or

ntp server 64.235.61.113

2. Hostname이랑 Domain-name를 설정합니다.

conf t
hostname asa1
domain-name kevin.rest

3. key 생성 -
key name: VPN-RSA-KEY

asa1(config)# crypto key generate rsa label VPN-RSA-KEY modulus 1024
INFO: The name for the keys will be: VPN-RSA-KEY
Keypair generation process begin. Please wait...
asa1(config)#

asa1(config)# show crypto key mypubkey rsa | begin VPN-RSA-KEY
Key name: VPN-RSA-KEY
Usage: General Purpose Key
Modulus Size (bits): 1024
Storage: config
Key Data:

  30819f30 0d06092a 864886f7 0d010101 05000381 8d003081 89028181 00f63a7d
  bfa01ce5 e5f2eebb 08fca4a2 225a2e68 ac1132cd 3d38ee18 095932ef 6f793164
  4081cb1c 7c8a24f2 0e274bb7 bb6aa2c6 21c8ddc9 8ec71c91 aa2e8324 98f499ea
  abcece44 44dd1932 7f78e3aa ef13a478 06a285f5 a6188d31 19d7ebaa 5526b86c
  f91a4e56 85e11dbc 58b42a15 c45e9f9b 2b9d5ca8 335934ee 3d59a593 f7020301
  0001
asa1(config)#

trustpoint 설정

name: SELF_RA_VPN

asa1(config)# crypto ca trustpoint SELF_RA_VPN
asa1(config-ca-trustpoint)# enro
asa1(config-ca-trustpoint)# enrollment sel
asa1(config-ca-trustpoint)# enrollment self
asa1(config-ca-trustpoint)# fqd
asa1(config-ca-trustpoint)# fqdn asa1.kevin.rest
asa1(config-ca-trustpoint)# sub
asa1(config-ca-trustpoint)# subject-name CN=asa1.kevin.rest
asa1(config-ca-trustpoint)# ke
asa1(config-ca-trustpoint)# keypa
asa1(config-ca-trustpoint)# keypair VPN-RSA-KEY
asa1(config-ca-trustpoint)#

asa1(config)# crypto ca enroll SELF_RA_VPN

% The fully-qualified domain name in the certificate will be: asa1.kevin.rest

% Include the device serial number in the subject name? [yes/no]: no

Generate Self-Signed Certificate? [yes/no]: yes
asa1(config)#

RA VPN 인증서 outside 설정

asa1(config)# ssl trust-point SELF_RA_VPN outside
asa1(config)#

테스트를 합니다.

CA인증기관으로 부터 인증 받은 인증서가 아니기때문에, 아래처럼 Certificate Warning Message가 발생합니다.

인증서를 PC에 설치 합니다.

인증서를 외부로 저장 합니다.

인증서를 클릭해서 설치 합니다.

Install Certificate버튼을 클릭 합니다.

Local Machine - Next버튼을 클릭 합니다.

아래처럼 설정합니다.

인증서는 Trusted Root Certification Authorities 폴더에 저장 해야 합니다.

아래처럼 인증서 에러없이 RA VPN 접속 가능 합니다.

저작자표시

'CISCO > ASA 방화벽' 카테고리의 다른 글

[ASA #08] - SSL (0)	2025.04.17
[ASA #07] - NTP and NTP zone configuration (0)	2025.04.15
[ASA #06] - Remote Access VPN current user check (0)	2025.02.02
[ASA #05] - Remote Access VPN License (0)	2025.02.02
[ASA #04] - Remote Access VPN (0)	2025.02.02

안녕하세요.

오늘은 ASA Certificate를 공부 하기 전에 SSL에 대해서 알아보겠습니다.

ASA Remote Access VPN를 사용 할때 Certificate이 필요합니다.

CA를 통해서 인증되지 않는 인증서는 아래와 같이 Warning Message가 발생합니다.

CA인증기관으로부터 인증서를 인증 받으서 CISCO ASA에 등록 하면, 유저가 VPN에 접속 할때 인증서 경고 메시지가 발생지 않습니다.

CA인증기관은 여러기관이 있지만, 대표적으로 아래와 같습니다.

[각 브랜드 별 웹사이트]

Comodo(Sectigo) - https://www.comodo.com/ (+ PositiveSSL, EssentialSSL, InstantSSL ...)
Thawte by DigiCert - https://www.thawte.com/
GeoTrust by DigiCert - https://www.geotrust.com/ (+ RapidSSL)
Verisign - https://www.verisign.com/
GoDaddy - https://godaddy.com/
GlobalSign - https://www.globalsign.com/ (+ AlphaSSL)
DigiCert - https://www.digicert.com/

용도

CA(Certificate Authority)

CA인증기관은 서버 또는 네트워크 장비등으로 부터 CSR를 받으면 CA인증기관이 CSR를 승인하여 신뢰할 수 있는 사이트인지 아닌지 구분해주는 인증서 발급해주는 기관입니다.

ROOT CA

- 무조건 신뢰할 수 있는 기관이 몇군데 존재하는데 그 CA 기관들을 최상위 인증 기관이라고 합니다. Root CA는 본인들만의

고유한 비밀 키를 가지고 있습니다. 그리고 관련해서 동개키를 전세계에 배도합니다.

그리고 이 ROOT CA 인증서는 암묵적으로 신뢰 할수 있는 기관으로 간주 합니다.

키 종류

공개키 PUBLIC KEY - 공개키는 공개해도 되는 키 입니다. 이 공개키로 암호화를 수행 할 수 있습니다. (개인키 Private Key 함깨 사용)

개인키 PRIVATE KEY - 공개키로 암호화된 파일을 복호화 할때 사용하는 키가 바로 개인키 Private Key입니다.

이 개인키 Private Key는 외부로 노출 되면 안됩니다. (공개키 PUBLIC KEY랑 함깨 사용)

대칭키 : 암호화와 복호화에 같은 키를 사용하는 방식을 대칭키 입니다

비대칭키: 암호화할 때와 복호화 할때 사용하는 키가 서로 다른갓을 비댕칭키라고 합니다.

Kevin의 공개키로 암호화된 데이터는 Kevin의 개인키로만 복호화 가능 합니다.

Kevin의 개인키로 암호화된 데이터는 Kevin의 공개키로만 복호화 가능 합니다.

SSL 인증은 도메인 기반으로 인증 됩니다.

kevin.rest라는 도메인이 있다고 가정합니다. SSL 인증은 이 kevin.rest라는 도메인으로 인증이 됩니다.

IP주소가 변경 되어도 도메인주소가 같으면 상관 없습니다.

이번에는 도메인에 대해서 알아보겠습니다.

https://www.kevin.rest

https - Protocol

www - host

kevin - name

rest - TLD (Top-level Domain)

Root Domain - kevin.rest 의미 합니다.

Sub Domain - A레코드를 추가한 상태를 의미 합니다.

www.kevin.rest

ftp.kevin.rest
mail.kevin.rest

위와 같이 A레코드를 추가한 도메인을 서브 도메인이라고 합니다.

SSL 도메인 기반으로 동작하기 떄문에 만약에 아래처럼 도메인이 있다고 가정합니다.

kevin.rest

kevin.com

2개에 SSL 인증서가 필요합니다.

아래처럼 2개에 서브 도메인이 있다고 가정합니다.

asa.kevin.rest

pa.kevin.rest

2개에 SSL인증서가 필요합니다.

CSR - Certificate Signing Request

SSL인증서를 신청자의 신원의 정보가 담겨져 있습니다. 아래와 정보를 이용해서 CA인증기관에 승인을 받아 인증서를 발급 받습니다.

1. 신청자의 국가

2. 지역

3. 회사명

4. 도메인 정보

5. 공개키

SSL 인코딩 인증서 확장자 종류

1. DER (Distinguished Encoding Representation) 바이너리 포맷입니다.

2. PEM (Privacy Enhanced Mail) - Base 64 인코딩된 ASCII Test File입니다.

메모장으로 열고 수정이 가능 합니다.

개인키, 서버인증서, 루드 인증서, 체인 인증서 및 SSL 발급 요청시 생성하는 CSR 등등에 정보들이 포함 되어져 있습니다.

----- BEGIN CERTIFICATE --------

xxx

----- END CERTIFICATE --------

표시 됩니다.

SSL 인증서 확장자

1. csr - Certificate Signing Request의 약자이며 대부분 PEM포맷입니다. SSL발급 신청을 위해서 본 파일 내용을 인증기관인 CA에 제풀할때 사용하는 파일 입니다.

2. crt - 대부분 PEM포맷이며, 주로 유닉스, 리눅스 기반에 사용되는 인증서 파일 입니다.

3. cer - 대부분 PEM포맷이며, 주로 windows 기반에서 사용되는 인증서 파일 입니다.

SSL 인증서 등급 DV, OV, EV나뒵니다.

등급에 따라 암호화 기술에 차이가 있다고 생각 할 수 있지만 보안 기술은 모두 동일합니다.

DV 인증서 - 도메인 소유/관리 정보를 검증하기 위한 DCV domain control Validated 인증만 진행 합니다

OV 인증서 - DCV인증뿐 아니라, 기업이 실제로 존재하는지 확인하기 위해 회사 정보가 기재되어 있는 서류와 발급 신청자의 전화 인증 절차를 거칩니다.

EV 인증서 - 기존 OV인증서에 더해, 기업 인사 당담자와의 유선 연락을 통해 신청자의 재직 여뷰를 확인하는 인증서입니다.

가격

DV -> OV -> EV

저작자표시

'CISCO > ASA 방화벽' 카테고리의 다른 글

[ASA #09] - Self-Signed Certificate for Remote Access VPN (0)	2025.04.17
[ASA #07] - NTP and NTP zone configuration (0)	2025.04.15
[ASA #06] - Remote Access VPN current user check (0)	2025.02.02
[ASA #05] - Remote Access VPN License (0)	2025.02.02
[ASA #04] - Remote Access VPN (0)	2025.02.02

안녕하세요.

오늘은 Cisco ASA에서 NTP Server 설정과 NTP Zone를 설정해 보겠습니다.

1. 싱가폴 NTP Server List 확인

google 에서 Singapore NTP server 검색

server 0.sg.pool.ntp.org
server 1.sg.pool.ntp.org
server 2.sg.pool.ntp.org
server 3.sg.pool.ntp.org

IP주소 확인

C:\Users\admin>ping 0.sg.pool.ntp.org

Pinging 0.sg.pool.ntp.org [173.234.15.82] with 32 bytes of data:
Reply from 173.234.15.82: bytes=32 time=40ms TTL=55
Reply from 173.234.15.82: bytes=32 time=38ms TTL=55
Reply from 173.234.15.82: bytes=32 time=39ms TTL=55
Reply from 173.234.15.82: bytes=32 time=40ms TTL=55

Ping statistics for 173.234.15.82:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 38ms, Maximum = 40ms, Average = 39ms

C:\Users\admin>

2. ASA에서 NTP Server 설정

ciscoasa(config)# ntp server 173.234.14.135

3. NTP Syn 되었는지 확인

ciscoasa# show ntp associations
address ref clock st when poll reach delay offset disp
~173.234.14.135 17.253.60.125 2 15 64 0 5.2 1089.4 16000.
* master (synced), # master (unsynced), + selected, - candidate, ~ configured

곧바로 동기화가 안되고 약 10분 기다립니다.

ciscoasa# show ntp associations
address ref clock st when poll reach delay offset disp
*~173.234.14.135 17.253.60.125 2 45 64 1 3.4 0.80 15890.
* master (synced), # master (unsynced), + selected, - candidate, ~ configured

4. 시간 확인

ciscoasa# show clock
01:54:19.479 UTC Tue Apr 15 2025

5. Zone를 설정합니다.

ASA1(config)# clock timezone SGT +8

6. 시간 확인

ASA1# show clock
09:56:47.392 SGT Tue Apr 15 2025

정상적으로 싱가폴 시간이랑 동기화 되었습니다.

지금까지 [ASA #07] - NTP and NTP zone configuration 글을 읽어주셔서 감사합니다.

저작자표시

'CISCO > ASA 방화벽' 카테고리의 다른 글

[ASA #09] - Self-Signed Certificate for Remote Access VPN (0)	2025.04.17
[ASA #08] - SSL (0)	2025.04.17
[ASA #06] - Remote Access VPN current user check (0)	2025.02.02
[ASA #05] - Remote Access VPN License (0)	2025.02.02
[ASA #04] - Remote Access VPN (0)	2025.02.02

안녕하세요.

오늘은 Okta에서 Paloalto Global Protect Application를 설치해보겠습니다.

1. Applications -> Applications -> Browse App Catalog 클릭 합니다.

2. Global Protect를 클릭 합니다. 그리고 아래처럼 SAML paloalto - Global Protect를 클릭 합니다.

3. Add Integration 버튼을 클릭 합니다.

4. Global Protect IP주소를 입력 합니다.

5. 아래처럼 설치가 완료 되었습니다.

지금까지 [Okta-#2] - PaloAlto Global Protect App Install 글을 읽어주셔서 감사합니다.

저작자표시

'2FA > Okta' 카테고리의 다른 글

[Okta-#1] - Sign up - Free Developer Edition (0)	2025.04.10

안녕하세요.

PALOALTO GP 접속 시도시 2FA로 Okta를 사용해 보겠습니다.

회원 가입을 할때 Free Developer Edition를 가입하면 테스트용으로 Okta를 사용 가능 합니다.

1. 아래 사이트를 접속 합니다.

https://developer.okta.com/signup/

Okta Developer

BEST FOR DEVELOPERS Secure my customers or SaaS applications Build intuitive, secure user experiences in customer-facing applications.

developer.okta.com

2. 아래 버튼을 클릭 합니다.

3. Sign up버튼을 클릭 합니다.

4. 회사 이메일로 Activiation Email이 발송 되었습니다.

5. 아래 Acticate 버튼을 클릭 합니다.

6. 패스워드를 입력 합니다.

7. 패스워드를 설정후 로그인을 하면 아래처럼 화면이 표시 됩니다.

아래 set up버튼을 클릭 합니다.

8. 아래처럼 QR 코드를 확인 할수 있습니다.

9. 휴대폰에서 Okta Verify 앱을 설치 하고 Add Account를 클릭 합니다.

10. 아래 Organization 버튼을 클릭 합니다.

11. Add Account From Another Device 버튼을 클릭 합니다.

12. Scan QR Code를 클릭 하고 회사 이메일에 QR코드를 스캔 합니다.

13. Enable버튼을 클릭 합니다.

14. 등록 되었습니다.

15. 아래처럼 확인 가능 합니다.

16.

가입 했을떄 okta로 부터 도메인이 생성 되었습니다.

아래 처럼 입력 합니다.

https://dev-18331728.okta.com/

https://dev-18331728.okta.com/app/UserHome?iss=https%3A%2F%2Fdev-18331728.okta.com&session_hint=AUTHENTICATED

Javascript is required Javascript is disabled on your browser. Please enable Javascript and refresh this page. Refresh https://itunes.apple.com/us/app/okta-extension-app/id1439967473 null 2 PROD

dev-18331728.okta.com

17. 휴대폰에서 Okta Verify Code를 입력후 로그인 버튼을 클릭 합니다.

18. 아래처럼 로그인 되었습니다.

지금까지 [Okta-#1] - Sign up - Free Developer Edition 글을 읽어주셔서 감사합니다.

저작자표시

'2FA > Okta' 카테고리의 다른 글

[Okta-#2] - PaloAlto Global Protect App Install (0)	2025.04.10

안녕하세요.

오늘은 팔로알토 장비 Password Recovery에 대해서 알아보겠습니다.

0. maint를 입력 합니다.

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2025.03.14 15:44:52 =~=~=~=~=~=~=~=~=~=~=~=

Autoboot to default partition in 5 seconds.
Enter 'maint' to boot to maint partition.

Entry: m Entry: ma Entry: mai Entry: main Entry: maint

Booting to maint mode.

10054784 bytes read in 37 ms (259.2 MiB/s)
Allocating memory for ELF segment: addr: 0xffffffff80100000 (adjusted to: 0x100000), size 0x7c52a0
Bootloader: Done loading app on coremask:
0xff
Starting cores:
0xff
Linux version 3.10.87-oct2-mp (build@61b4b5631e94) (gcc version 4.7.0 (Cavium Inc. Version: SDK_BUILD build 49) ) #4 SMP Fri Nov 5 01:44:34 PDT 2021
CVMSEG size: 3 cache lines (384 bytes)
Cavium Inc. SDK-3.1.2
bootconsole [early0] enabled
CPU revision is: 000d9703 (Cavium Octeon III)
FPU revision is: 00739700
Checking for the multiply/shift bug... no.
Checking for the daddiu bug... no.
Determined physical RAM map:
memory: 0000000000702000 @ 0000000000100000 (kernel data and code)
memory: 000000000004e000 @ 0000000000802000 (usable after init)
memory: 0000000000076000 @ 0000000000850000 (kernel data and code)
memory: 0000000000100000 @ 00000000eff00000 (usable)
memory: 000000000feff000 @ 00000000f0001000 (usable)
memory: 00000000f0000000 @ 000000031f000000 (usable)
No power GPIO device tree entry
No power GPIO device tree entry

1. 콘솔포트를 연결하고 파워 전원을 연결 합니다.

2. Factory Reset

3. Select Factory Reset

4. 완료 될때까지 기다립니다.

5. Reboot를 선택 합니다.

6. 부팅이 완료 되면 admin/admin으로 로그인 합니다.

admin@PA-820> show interface management

-------------------------------------------------------------------------------
Name: Management Interface
Link status:
  Runtime link speed/duplex/state: unknown/unknown/down
  Configured link speed/duplex/state: auto/auto/auto
MAC address:
  Port MAC address c4:24:56:a6:84:00

Ip address: 192.168.1.1
Netmask: 255.255.255.0
Default gateway:
Ipv6 address: unknown
Ipv6 link local address: unknown
Ipv6 default gateway:
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
Logical interface counters:
-------------------------------------------------------------------------------
bytes received                    0
admin@PA-820>

7. admin/admin 로그인 합니다.

지금까지 [PaloAlto FW-#20] - Password Recovery(Factory Reset) 글을 읽어주셔서 감사합니다.

저작자표시

안녕하세요.

오늘은 [2025][C8200][#3] Reset Smart license 대해서 알아보겠습니다.

17.3.2 이상부터는 smart licensing using policy 사용합니다. 장비가 발주가 될때 이미 SV/VA가 등록이 되어서 장비가 전달 됩니다.

SV = KOREA
VA = JAPAN

근데 만약에 고객사에 요청으로 인하여 VA를 USA로 변경해야 한다면, cisco license team에 요청해서 라이센스를 VA =USA 변경 가능 합니다.

하지만 장비를 부팅하고 show license status 하면 아래처럼 표시 됩니다.

Router#show license status
Utility:
  Status: DISABLED

Smart Licensing Using Policy:
  Status: ENABLED

Account Information:
  Smart Account: KOREA
  Virtual Account: JAPAN

이 상태에서 CSSM에서 아래 환경에서 TOKEN를 발급해서 장비에 등록을 해도 정상적으로 동작하지 않습니다.

SA: KOREA

VA: USA

이상태에서 장비에 기존에 있는 SA/VA정보를 초기화 해야 합니다.

Router#license smart factory re
Router#license smart factory reset
%Warning: reload required after "license smart factory reset" command
Router#
Router#
Router#reload
WARNING:

장비가 부팅이 완료 되면 아래처럼 show license status 확인합니다

초기화 되었습니다.

Router#show license status
Utility:
  Status: DISABLED

Smart Licensing Using Policy:
  Status: ENABLED

Account Information:
  Smart Account: <none>
  Virtual Account: <none>

이상태에서 장비를 CSSM에 등록 하면 정상적으로 동작 합니다.

아래처럼 정상적으로 CSSM에 등록 되었습니다.

Router#license smart trust idtoken OGJjMmQwZDgtMWY3Zi00ZTdlLTk1YzctYjRjMzQ0Y all force

Router#
*Mar  4 04:56:30.279: %CRYPTO_ENGINE-5-KEY_DELETED: A key named SLA-KeyPair has been removed from key storage[OK]
*Mar  4 04:56:32.118: %CRYPTO_ENGINE-5-KEY_ADDITION: A key named SLA-KeyPair has been generated or imported by crypto-engine
*Mar  4 04:56:32.177: %PKI-6-CONFIGAUTOSAVE: Running configuration saved to NVRAM
*Mar  4 04:56:34.590: %SYS-6-PRIVCFG_ENCRYPT_SUCCESS: Successfully encrypted private config file
*Mar  4 04:56:37.118: %SMART_LIC-6-TRUST_INSTALL_SUCCESS: A new licensing trust code was successfully installed on P:C8200-1N-4T,S:XXXXXX.
Router#
Router#
Router#
Router#

CSSM에서 Event Log를 보면 정상적으로 등록 되었습니다.

저작자표시

'CISCO > 라우팅' 카테고리의 다른 글

[2025][C8200][#2] Register License to CSSM - smart licensing using policy (0)	2025.02.13
[2025][C8200][#1] Router IOS XE upgrade (0)	2025.02.10
[ISR4221]-Performance License Install(PAK) (0)	2024.07.30
[ISR4221]-Cisco Router IOS Upgrade (2)	2024.07.29

안녕하세요.

오늘은 C9800 WLC DHCP에 대해서 알아보겠습니다.

토폴로지

DC에 9800WLC가 있습니다.

1. SSID: TEST01

2. TEST01 VLAN110

3. WLC안에서 DHCP기능을 실행 합니다.

Office에서 유저가 TEST01 - AP에 접속 합니다.

유저 노트북에서 DC에 있는 백본 스위치에서 IP주소를 받습니다.

1. WLC VLAN110 설정

Configuration ->Tags & Profiles -> WLANs

2. Click Add버튼

3. 아래처럼 설정 합니다.

Profile Name: TEST01

Status: Enable

Broadcase SSID: Enable

6GHz: Disabled

Security -> Layter2 -> None를 설정해서 SSID 패스워드 없이 접속 가능 하게 합니다.

테스트 용도이기 때문에 이렇게 설정합니다.

그리고 Save버튼을 클릭 합니다.

4. VLAN 설정

Configuration -> Layer2 -> VLAN

Add버튼을 클릭 합니다.

4. Policy 설정

아래처럼 설정합니다.

아래처럼 VLAN를 설정하고 나머지를 디폴트 값으로 두고 SAVE버튼을 클릭 합니다.

5. TAG설정 - POLICY

Name: TEST01-POLICY-TAG

WLAN: TEST01

PLOICY: TEST01_POLICY

6. TAG 설정 - SITE

Name: TEST_SITE_TAG

아래처럼 설정 합니다.

6. AP에 TAG 설정

7. 설정값을 적용하면 AP가 재부팅이 됩니다.

8. WLC에서 자체 DHCP기능 설정

10. Lookback interface 생성

11. WLAN에서 DHCP Relay Look IP로 설정

WLAN VLAN 110이 DHCP relay로 직접 WLC DHCP 기능으로 IP할당 가능.

10. WLC interface IP주소

WLC01#show ip int brie
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet1       unassigned      YES unset  up                    up
GigabitEthernet2       unassigned      YES unset  up                    up
GigabitEthernet3       192.168.10.182  YES NVRAM  up                    up
Loopback10             1.1.1.1         YES TFTP   up                    up
Port-channel1          unassigned      YES unset  up                    up
Vlan1                  unassigned      YES NVRAM  up                    up
Vlan100                192.168.100.182 YES NVRAM  up                    up
Vlan110                192.168.110.254 YES NVRAM  up                    up
Vlan120                192.168.120.254 YES NVRAM  up                    up
Vlan130                192.168.130.254 YES NVRAM  up                    up
WLC01#

10. Client 에서 TEST01를 접속하고 IP주소를 확 합니다.

11. WLC에서 DHCP Binding 확인

WLC01#show ip dhcp binding
Bindings from all pools not associated with VRF:
IP address      Client-ID/              Lease expiration        Type       State      Interface
                Hardware address/
                User name
192.168.110.11  0056.6c31.3130          Mar 01 2025 12:48 PM    Automatic  Selecting  Vlan110
WLC01#

지금까지 [C9800CL][#14]- DHCP - WLC Internal DHCP - option 5 글을 읽어주셔서 감사합니다.

저작자표시

'CISCO > 무선' 카테고리의 다른 글

[C9800CL][#13]- DHCP - WLAN DHCP Relay - option4 (0)	2025.03.01
[C9800CL][#12]- DHCP Relay (SVI) on Switch - option3 (0)	2025.03.01
[C9800CL][#11]- DHCP Relay (SVI) on WLC - Option2 (0)	2025.03.01
[C9800CL][#10]- DHCP Bridging - BackBone SW DHCP - Option1 (0)	2025.03.01
[C9800CL][#9]- WLAN Guest (0)	2024.12.26

안녕하세요.

오늘은 C9800 WLC DHCP에 대해서 알아보겠습니다.

토폴로지

DC에 9800WLC가 있습니다.

1. SSID: TEST01

2. TEST01 VLAN110

3. WLC WLAN에서 DHCP Reply를 설정 합니다.

4. WINDOWS 서버 IP주소 192.168.10.224

Office에서 유저가 TEST01 - AP에 접속 합니다.

유저 노트북에서 DC에 있는 백본 스위치에서 IP주소를 받습니다.

1. WLC VLAN110 설정

Configuration ->Tags & Profiles -> WLANs

2. Click Add버튼

3. 아래처럼 설정 합니다.

Profile Name: TEST01

Status: Enable

Broadcase SSID: Enable

6GHz: Disabled

Security -> Layter2 -> None를 설정해서 SSID 패스워드 없이 접속 가능 하게 합니다.

테스트 용도이기 때문에 이렇게 설정합니다.

그리고 Save버튼을 클릭 합니다.

4. VLAN 설정

Configuration -> Layer2 -> VLAN

Add버튼을 클릭 합니다.

4. Policy 설정

아래처럼 설정합니다.

아래처럼 VLAN를 설정하고 나머지를 디폴트 값으로 두고 SAVE버튼을 클릭 합니다.

5. TAG설정 - POLICY

Name: TEST01-POLICY-TAG

WLAN: TEST01

PLOICY: TEST01_POLICY

6. TAG 설정 - SITE

Name: TEST_SITE_TAG

아래처럼 설정 합니다.

6. AP에 TAG 설정

7. 설정값을 적용하면 AP가 재부팅이 됩니다.

8. WLC WLAN에서 DHCP Rely설정

9. 서버 IP주소 확인

윈도우서버에서 DHCP 서버 설정

10. Client 에서 TEST01를 접속하고 IP주소를 확 합니다.

11. 서에서 DHCP Binding 확인

지금까지 [C9800CL][#13]- DHCP - option4 - WLAN DHCP Relay 글을 읽어주셔서 감사합니다.

저작자표시

'CISCO > 무선' 카테고리의 다른 글

[C9800CL][#14]- DHCP - WLC Internal DHCP - option 5 (0)	2025.03.01
[C9800CL][#12]- DHCP Relay (SVI) on Switch - option3 (0)	2025.03.01
[C9800CL][#11]- DHCP Relay (SVI) on WLC - Option2 (0)	2025.03.01
[C9800CL][#10]- DHCP Bridging - BackBone SW DHCP - Option1 (0)	2025.03.01
[C9800CL][#9]- WLAN Guest (0)	2024.12.26

안녕하세요.

오늘은 C9800 WLC DHCP에 대해서 알아보겠습니다.

토폴로지

DC에 9800WLC가 있습니다.

1. SSID: TEST01

2. TEST01 VLAN110

3. DC 백본 스위치에서 INT VLAN110 - DHCP Rely설정

4. WINDOWS 서버 IP주소 192.168.10.224

Office에서 유저가 TEST01 - AP에 접속 합니다.

유저 노트북에서 DC에 있는 백본 스위치에서 IP주소를 받습니다.

1. WLC VLAN110 설정

Configuration ->Tags & Profiles -> WLANs

2. Click Add버튼

3. 아래처럼 설정 합니다.

Profile Name: TEST01

Status: Enable

Broadcase SSID: Enable

6GHz: Disabled

Security -> Layter2 -> None를 설정해서 SSID 패스워드 없이 접속 가능 하게 합니다.

테스트 용도이기 때문에 이렇게 설정합니다.

그리고 Save버튼을 클릭 합니다.

4. VLAN 설정

Configuration -> Layer2 -> VLAN

Add버튼을 클릭 합니다.

4. Policy 설정

아래처럼 설정합니다.

아래처럼 VLAN를 설정하고 나머지를 디폴트 값으로 두고 SAVE버튼을 클릭 합니다.

5. TAG설정 - POLICY

Name: TEST01-POLICY-TAG

WLAN: TEST01

PLOICY: TEST01_POLICY

6. TAG 설정 - SITE

Name: TEST_SITE_TAG

아래처럼 설정 합니다.

6. AP에 TAG 설정

7. 설정값을 적용하면 AP가 재부팅이 됩니다.

8. WLC VLAN110에 대해서 DHCP Rely설정

9. 서버 IP주소 확인

윈도우서버에서 DHCP 서버 설정

10. 백본 스위치에서 DHCP Relay 설정

interface Vlan110
ip address 192.168.110.1 255.255.255.0
ip helper-address 192.168.10.224

11. Client 에서 TEST01를 접속하고 IP주소를 확 합니다.

11. 서에서 DHCP Binding 확인

지금까지 [C9800CL][#12]- DHCP - option3 - SW dhcp Relay 글을 읽어주셔서 감사합니다.

저작자표시

'CISCO > 무선' 카테고리의 다른 글

[C9800CL][#14]- DHCP - WLC Internal DHCP - option 5 (0)	2025.03.01
[C9800CL][#13]- DHCP - WLAN DHCP Relay - option4 (0)	2025.03.01
[C9800CL][#11]- DHCP Relay (SVI) on WLC - Option2 (0)	2025.03.01
[C9800CL][#10]- DHCP Bridging - BackBone SW DHCP - Option1 (0)	2025.03.01
[C9800CL][#9]- WLAN Guest (0)	2024.12.26

안녕하세요.

오늘은 C9800 WLC DHCP에 대해서 알아보겠습니다.

토폴로지

DC에 9800WLC가 있습니다.

1. SSID: TEST01

2. TEST01 VLAN110

3. WLC SVI에서 DHCP Relay를 설정 합니다.

4. WINDOWS 서버 IP주소 192.168.10.224

Office에서 유저가 TEST01 - AP에 접속 합니다.

유저 노트북에서 DC에 있는 백본 스위치에서 IP주소를 받습니다.

1. WLC VLAN110 설정

Configuration ->Tags & Profiles -> WLANs

2. Click Add버튼

3. 아래처럼 설정 합니다.

Profile Name: TEST01

Status: Enable

Broadcase SSID: Enable

6GHz: Disabled

Security -> Layter2 -> None를 설정해서 SSID 패스워드 없이 접속 가능 하게 합니다.

테스트 용도이기 때문에 이렇게 설정합니다.

그리고 Save버튼을 클릭 합니다.

4. VLAN 설정

Configuration -> Layer2 -> VLAN

Add버튼을 클릭 합니다.

4. Policy 설정

아래처럼 설정합니다.

아래처럼 VLAN를 설정하고 나머지를 디폴트 값으로 두고 SAVE버튼을 클릭 합니다.

5. TAG설정 - POLICY

Name: TEST01-POLICY-TAG

WLAN: TEST01

PLOICY: TEST01_POLICY

6. TAG 설정 - SITE

Name: TEST_SITE_TAG

아래처럼 설정 합니다.

6. AP에 TAG 설정

7. 설정값을 적용하면 AP가 재부팅이 됩니다.

8. WLC VLAN110에 대해서 DHCP Rely설정

9. 서버 IP주소 확인

윈도우서버에서 DHCP 서버 설정

10. Client 에서 TEST01를 접속하고 IP주소를 확 합니다.

11. 서에서 DHCP Binding 확인

지금까지 [C9800CL][#11]- DHCP Relay (SVI) - Option2 글을 읽어주셔서 감사합니다.

저작자표시

'CISCO > 무선' 카테고리의 다른 글

[C9800CL][#13]- DHCP - WLAN DHCP Relay - option4 (0)	2025.03.01
[C9800CL][#12]- DHCP Relay (SVI) on Switch - option3 (0)	2025.03.01
[C9800CL][#10]- DHCP Bridging - BackBone SW DHCP - Option1 (0)	2025.03.01
[C9800CL][#9]- WLAN Guest (0)	2024.12.26
[C9800CL][#8]- Data Interface Redundancy - Port Channel (0)	2024.12.25

안녕하세요.

오늘은 C9800 WLC DHCP에 대해서 알아보겠습니다.

토폴로지

DC에 9800WLC가 있습니다.

1. SSID: TEST01

2. TEST01 VLAN110

3. DC 백본 스위치에서 DHCP 기능을 활성화 합니다.

Office에서 유저가 TEST01 - AP에 접속 합니다.

유저 노트북에서 DC에 있는 백본 스위치에서 IP주소를 받습니다.

1. WLC VLAN110 설정

Configuration ->Tags & Profiles -> WLANs

2. Click Add버튼

3. 아래처럼 설정 합니다.

Profile Name: TEST01

Status: Enable

Broadcase SSID: Enable

6GHz: Disabled

Security -> Layter2 -> None를 설정해서 SSID 패스워드 없이 접속 가능 하게 합니다.

테스트 용도이기 때문에 이렇게 설정합니다.

그리고 Save버튼을 클릭 합니다.

4. VLAN 설정

Configuration -> Layer2 -> VLAN

Add버튼을 클릭 합니다.

4. Policy 설정

아래처럼 설정합니다.

아래처럼 VLAN를 설정하고 나머지를 디폴트 값으로 두고 SAVE버튼을 클릭 합니다.

5. TAG설정 - POLICY

Name: TEST01-POLICY-TAG

WLAN: TEST01

PLOICY: TEST01_POLICY

6. TAG 설정 - SITE

Name: TEST_SITE_TAG

아래처럼 설정 합니다.

6. AP에 TAG 설정

7. 설정값을 적용하면 AP가 재부팅이 됩니다.

8. DC SWITCH에서 DHCP 설정

DHCP
ip dhcp excluded-address 192.168.110.1 192.168.110.230
!
ip dhcp pool VL110
network 192.168.110.0 255.255.255.0
default-router 192.168.110.1
dns-server 8.8.8.8
!
VLAN 110
!
Int vlan 110
ip add 192.168.110.1 255.255.255.0
no shutdown

9. DHCP Binding 확인

SW01#show ip dhcp binding
Bindings from all pools not associated with VRF:
IP address      Client-ID/              Lease expiration        Type       State      Interface
                Hardware address/
                User name
SW01#

10. Client 에서 TEST01를 접속하고 IP주소를 확 합니다.

11. DC BackBone Swtich에서 DHCP Binding 확인

SW01#show ip dhcp binding
Bindings from all pools not associated with VRF:
IP address      Client-ID/              Lease expiration        Type       State      Interface
                Hardware address/
                User name
192.168.110.239 011e.e792.411c.f0       Mar 02 2025 06:56 AM    Automatic  Active     Vlan110
SW01#

SW01#ping 192.168.110.239
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.110.239, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/19/48 ms
SW01#

지금까지 [C9800CL][#10]- DHCP Bridging - Option1 - BackBone SW DHCP 글을 읽어주셔서 감사합니다.

저작자표시

'CISCO > 무선' 카테고리의 다른 글

[C9800CL][#12]- DHCP Relay (SVI) on Switch - option3 (0)	2025.03.01
[C9800CL][#11]- DHCP Relay (SVI) on WLC - Option2 (0)	2025.03.01
[C9800CL][#9]- WLAN Guest (0)	2024.12.26
[C9800CL][#8]- Data Interface Redundancy - Port Channel (0)	2024.12.25
[C9800CL][#7]- AP authentication - AP MAC on WLC (0)	2024.12.25

안녕하세요.

오늘은 PNETLab Upgrade하는 방법에 대해서 알아보겠습니다.

1. PNETLab 설치 방법

https://itblog-kr.tistory.com/122

[PNETLab][#1]- Installation on VMware workstation

안녕하세요. EVE-NG Community 무료 버전을 사용하고 있는데, SDWAN 테스트 할때 Jitter, Delay등등을 테스트 하기 위해서는 EVE-NG PRO로 업그레이드 해야 합니다. 그래서 이번에 PNETLab를 설치 하고 안

itblog-kr.tistory.com

2. GUI에 접속 합니다. https://192.168.40.250

System 클릭 합니다.

3. Versions을 클릭 합니다.

4. Upgrade버튼을 클릭 합니다.

Current Version이랑 Latest Version이랑 똑같아서 클릭 해도 Upgrade가 않됩니다.

위와 같은 방법으로 upgrade하면 됩니다.

저작자표시

'PNETlab' 카테고리의 다른 글

[PNETLab][#9]- Cisco Catalyst 8000v install (0)	2025.02.15
[PNETLab][#8]-CheckPoint Firewall Install (0)	2025.02.13
[PNETLab][#7]-Aruba Mobility Controller Install (0)	2025.02.13
[PNETLab][#6]-Aruba CX Switch Install (0)	2025.02.13
[PNETLab][#5]-Aruba ClearPass Install (0)	2025.02.10

안녕하세요.

오늘은 Juniper SRX Traffic Flow에 대해서 알아보겠습니다.

각 벤더마다 아키텍처가 다를수 있습니다.

이부분이 정책하게 이해해야지 설정값을 설정값을 잘 만들수 있습니다.

예를 들어서 SNAT, DNAT, Static NAT, 라우팅 테이블이 중에서

DNAT가 먼저 적용되고 변경된 Destination IP주소로 라우팅을 검색해서 라우팅을 하는지.

아니면 라우팅이 먼저 적용된다음에 DNAT가 적용 되는지.

순서에 따라서 설정값이 많이 달라집니다.

그래서 아래처럼 방화벽 Traffic Flow를 이해하는것이 중요 합니다.

주니퍼 방화벽 공식 홈페이지 URL주소 입니다.

https://www.juniper.net/documentation/us/en/software/junos/flow-packet-processing/topics/topic-map/security-srx-devices-processing-overview.html

Traffic Processing on SRX Series Firewalls Overview | Junos OS | Juniper Networks

Junos OS for security devices integrates network security and routing capabilities of Juniper Networks. Packets that enter and exit a device undergo both packet-based and flow-based processing. Understanding the Default Processing Behavior for IPv4 Traffic

www.juniper.net

시간이 되시면 위에 공식 홈페이지에 글을 끝까지 읽어보시길 바랍니다.

지금까지 [2025][Juniper SRX #31] Traffic Flow 글을 읽어주셔서 감사합니다.

저작자표시

'JUNIPER > SRX 방화벽' 카테고리의 다른 글

[2025][Juniper SRX #30] IDP Signature Update (0)	2025.02.16
[2025][Juniper SRX #29] Firmware Upgrade - CLI (0)	2025.02.16
[2025][Juniper SRX #28] Destination Nat - DNAT (0)	2025.02.16
[2025][Juniper SRX #27] Destination Nat - Port Forwarding (0)	2025.02.16
[2025][Juniper SRX #27] Static NAT - One to One NAT (0)	2025.02.14

안녕하세요.

오늘은 Juniper IPS Signature Update하는 방법에 대해서 알아보겠습니다.

1. Juniper SRX License Check

root> show system license
License usage:
                                 Licensed     Licensed    Licensed
                                  Feature      Feature     Feature
  Feature name                       used    installed      needed    Expiry
  idp-sig                               0            1           0    2030-01-26 00:00:00 UTC
  remote-access-ipsec-vpn-client        0            2           0    permanent
  remote-access-juniper-std             0            2           0    permanent

Licenses installed:

  License identifier: JUNOS422937473
  License version: 4
  Valid for device: CW4024AX0159
  Customer ID: KDDI ASIA PACIFIC PTE. LTD.
  Features:
    idp-sig          - IDP Signature
      date-based, 2024-12-27 00:00:00 UTC - 2030-01-26 00:00:00 UTC

root>

2. Juniper IDP Signature check.

root> show security idp security-package-version
  Attack database version:N/A(N/A)
  Detector version :N/A
  Policy template version :N/A
  Rollback Attack database version :N/A(N/A)
  Rollback Detector version : N/A

3. Juniper SRX IDP package Download- 외부에 통신 확인.

root> ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=118 time=46.391 ms
64 bytes from 8.8.8.8: icmp_seq=1 ttl=118 time=33.274 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=118 time=20.448 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=118 time=19.188 ms
64 bytes from 8.8.8.8: icmp_seq=4 ttl=118 time=18.793 ms
^C
--- 8.8.8.8 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 18.793/27.619/46.391/10.815 ms

root> request security idp security-package download
Will be processed in async mode. Check the status using the status checking CLI

root>

root> request security idp security-package download status
Done;Successfully downloaded from(https://signatures.juniper.net/cgi-bin/index.cgi).
Version info:3786(Thu Feb 27 14:04:10 2025 UTC, Detector=23.6.160240709)

root>

4. Juniper SRX IDP Package Install

root> request security idp security-package install
Will be processed in async mode. Check the status using the status checking CLI

root> request security idp security-package install status
In progress:Installing AI ...

root>

약 5분 뒤에 request security idp security-package install status 확인 합니다.

root> request security idp security-package install status
Done;Attack DB update : successful - [UpdateNumber=3786,ExportDate=Thu Feb 27 14:04:10 2025 UTC,Detector=23.6.160240709]
     Updating control-plane with new detector : successful
     Updating data-plane with new attack or detector : not performed
      due to no active policy configured.

5. check version

root> show security idp security-package-version
  Attack database version:3786(Thu Feb 27 14:04:10 2025 UTC)
  Detector version :23.6.160240709
  Policy template version :N/A
  Rollback Attack database version :()
  Rollback Detector version : N/A

root>

지금까지 [2025][Juniper SRX #30] IDP Signature Update 글을 읽어주셔서 감사합니다.

저작자표시

'JUNIPER > SRX 방화벽' 카테고리의 다른 글

[2025][Juniper SRX #31] Traffic Flow (0)	2025.02.18
[2025][Juniper SRX #29] Firmware Upgrade - CLI (0)	2025.02.16
[2025][Juniper SRX #28] Destination Nat - DNAT (0)	2025.02.16
[2025][Juniper SRX #27] Destination Nat - Port Forwarding (0)	2025.02.16
[2025][Juniper SRX #27] Static NAT - One to One NAT (0)	2025.02.14

안녕하세요.

오늘은 Juniper SRX Firmware Upgrade를 해보겠습니다.

Juniper SRX는 보통 CLI에서 많이 사용 합니다.

1. Juniper 기본 설정값을 확인 합니다.

root> show configuration | display set | no-more
set version 21.4R3-S3.4
set system root-authentication encrypted-password "$6$Kt3WFIik$0vN75BKuEZDkbTiLXUiAaTbrdkZ2EQCMo0u/G2D.nI3yQFDnN2sRwSwMra/BrVBfXg2lnWtzltwnPZkIWY2Zi."
set system services ssh
set system services netconf ssh
set system services dhcp-local-server group jdhcp-group interface irb.0
set system services web-management https system-generated-certificate
set system name-server 8.8.8.8
set system name-server 8.8.4.4
set system syslog archive size 100k
set system syslog archive files 3
set system syslog user * any emergency
set system syslog file interactive-commands interactive-commands any
set system syslog file messages any notice
set system syslog file messages authorization info
set system max-configurations-on-flash 5
set system max-configuration-rollbacks 5
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set system phone-home server https://redirect.juniper.net
set system phone-home rfc-compliant
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface
set security policies from-zone trust to-zone trust policy trust-to-trust match source-address any
set security policies from-zone trust to-zone trust policy trust-to-trust match destination-address any
set security policies from-zone trust to-zone trust policy trust-to-trust match application any
set security policies from-zone trust to-zone trust policy trust-to-trust then permit
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
set security policies pre-id-default-policy then log session-close
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces irb.0
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcp
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services tftp
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services https
set security zones security-zone untrust interfaces ge-0/0/7.0 host-inbound-traffic system-services dhcp
set security zones security-zone untrust interfaces ge-0/0/7.0 host-inbound-traffic system-services tftp
set security zones security-zone untrust interfaces dl0.0 host-inbound-traffic system-services tftp
set interfaces ge-0/0/0 unit 0 family inet dhcp vendor-id Juniper-srx320
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/3 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/4 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/5 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/6 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/7 unit 0 family inet dhcp vendor-id Juniper-srx320
set interfaces cl-1/0/0 dialer-options pool 1 priority 100
set interfaces dl0 unit 0 family inet negotiate-address
set interfaces dl0 unit 0 family inet6 negotiate-address
set interfaces dl0 unit 0 dialer-options pool 1
set interfaces dl0 unit 0 dialer-options dial-string 1234
set interfaces dl0 unit 0 dialer-options always-on
set interfaces irb unit 0 family inet address 192.168.1.1/24
set access address-assignment pool junosDHCPPool family inet network 192.168.1.0/24
set access address-assignment pool junosDHCPPool family inet range junosRange low 192.168.1.2
set access address-assignment pool junosDHCPPool family inet range junosRange high 192.168.1.254
set access address-assignment pool junosDHCPPool family inet dhcp-attributes router 192.168.1.1
set access address-assignment pool junosDHCPPool family inet dhcp-attributes propagate-settings ge-0/0/0.0
set vlans vlan-trust vlan-id 3
set vlans vlan-trust l3-interface irb.0
set protocols l2-learning global-mode switching
set protocols rstp interface all

root>

root> show system license
License usage:
                                 Licenses     Licenses    Licenses    Expiry
  Feature name                       used    installed      needed
  idp-sig                               0            1           0    2030-01-26 00:00:00 UTC
  remote-access-ipsec-vpn-client        0            2           0    permanent
  remote-access-juniper-std             0            2           0    permanent

Licenses installed:
  License identifier: JUNOS422937473
  License version: 4
  Valid for device: CW4024AX0159
  Customer ID: KDDI ASIA PACIFIC PTE. LTD.
  Features:
    idp-sig          - IDP Signature
      date-based, 2024-12-27 00:00:00 UTC - 2030-01-26 00:00:00 UTC

root>

root> show version
Model: srx320
Junos: 21.4R3-S3.4
JUNOS Software Release [21.4R3-S3.4]

2. UTP 케이블을 노트북과 Juniper SRX Ge-0/0/3에 연결합니다.

그리고 노트북에 192.168.1.2 255.255.255.0 설정하고

Ping 192.168.1.1

C:\Users\admin>ping 192.168.1.1

Pinging 192.168.1.1 with 32 bytes of data:
Reply from 192.168.1.1: bytes=32 time=1ms TTL=64
Reply from 192.168.1.1: bytes=32 time=1ms TTL=64
Reply from 192.168.1.1: bytes=32 time=2ms TTL=64
Reply from 192.168.1.1: bytes=32 time=1ms TTL=64

Ping statistics for 192.168.1.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 2ms, Average = 1ms

C:\Users\admin>

C:\Users\admin>

3. ftp enable 합니다.

root# set system services ftp

[edit]
root# show system services
ftp;
ssh;
netconf {
    ssh;
}
dhcp-local-server {
    group jdhcp-group {
        interface irb.0;
    }
}
web-management {
    https {
        system-generated-certificate;
    }
}

[edit]
root# commit
commit complete

[edit]
root#

또는 GUI에서 아래와 같이 확인 가능 합니다.

라이센스 정보 확인 합니다.

현재 SRX320 Firmware Version 확인

Currnet Version: 21.4R3-S3.4

Target Version: 23.4R2-S3

Firmware Upgrade Path

https://supportportal.juniper.net/s/article/Junos-upgrade-paths-for-SRX-platforms?language=en_US

CEC Juniper Community

supportportal.juniper.net

Upgrade table

To make it easy to lookup for each Junos release for SRX from which earlier releases it is supported to directly upgrade to it, please see the below table.

Before performing the upgrade, please make sure to check the Notes section below for possible caveats and limitations which may apply.

Target Junos releaseDirect upgrade supported from

24.4(*2)	24.2, 23.4, 23.2
24.2	23.4, 23.2, 22.4
23.4	23.2, 22.4, 22.3
23.2	22.4, 22.3, 22.2
22.4	22.3, 22.2, 22.1, 21.4
22.3	22.2, 22.1, 21.4
22.2	22.1, 21.4, 21.3, 21.2
22.1	21.4, 21.3, 21.2
21.4	21.3, 21.2, 21.1, 20.4
21.3	21.2, 21.1, 20.4
21.2	21.1, 20.4, 20.3, 20.2
21.1	20.4, 20.3, 20.2
20.4	20.3, 20.2, 20.1, 19.4
20.3	20.2, 20.1, 19.4
20.2	20.1, 19.4, 19.3, 19.2
20.1	19.4, 19.3, 19.2
19.4	19.3, 19.2, 19.1, 18.4, 15.1X49
19.3	19.2, 19.1, 18.4
19.2	19.1, 18.4, 18.3, 18.2
19.1	18.4, 18.3, 18.2
18.4	18.3, 18.2, 18.1, 17.4, 15.1X49
18.3	18.2, 18.1, 17.4
18.2	18.1, 17.4, 17.3
18.1	17.4, 17.3
17.4	17.3, 15.1X49
17.3	15.1X49
15.1X49	12.3X48

위에 정보를 확인한 결과

To upgrade your SRX device from Junos 21.4R3 to 23.4R2-S3
Path: 21.4R3 --> 22.4R3 --> 23.4R2-S3

Juniper 홈페이지에 접속해서 Firmware를 다운로드 합니다.

https://support.juniper.net/support/downloads/?p=srx320

Downloads

Help us improve your experience. Let us know what you think. Do you have time for a two-minute survey?

support.juniper.net

22.4R3.25 - Checksums 정보

MD5 : 22c2f625180aabe85f252f89c3f212d3
SHA1 : 6e5b2d2ef96227b1db95d265ba899854bd1b6c24
SHA256 : 12d7f2b8245c3f6610f34380a57a642d831aba83f6008b6929d3987737f93bf7
SHA512 : 024fd745d0d3e53daee5713e11aab9029ca9f9979d9b677be8e45f93446e7c2d0b228535291acdec9b3007d51f396ddd407786921cbd99be070212359edebfda

23.4R2.13 - Checksums 정보

MD5 : 18085ebeec8305f538226bd690b18954
SHA1 : 9eaa6ba139907f30863e8a53f9641ad206078d5e
SHA256 : 0728b9bf9c1576661b325a12d0fac7b5c3c2dd29dce184b9bcefca5ca4d973f8
SHA512 : 29d7c7676ca0bd8d8813f6ac2205eaf834ff0e7998ae7ff078f609630131c0136c105128707508e76e9b566ade07230af41256e6fcb0380b3977ea9a52bfdb06

Firmware업르게이드 하기전에 모든 Firmware Version를 다운로드 받았습니다.

winscp를 실행 합니다.

접속이 완료 되면 경로를 아래와 같이 합니다.

첫번째 이미지를 업로드 합니다.

파일이 업로드가 완료 되면 아래와 같이 명령어를 입력해서 확인 합니다.

root> file list /cf/var/tmp

/cf/var/tmp:
appidd_cust_app_trace
appidd_trace_debug
bcast.bdisp.log
bcast.disp.log
bcast.rstdisp.log
bcast.undisp.log
cleanup-pkgs.log
ebmq_authd_vty
eedebug_bin_file
install/
junos-srxsme-22.4R3.25.tgz
kmdchk.log
krt_rpf_filter.txt
mmcq_authd
mmcq_bbeStatsdGetCollector
mmcq_mmdb_rep_mmcq
mmcq_sdb_bbe_mmcq
nsd_restart
pfe-limit
pfe_debug_commands
phone-home/
pics/
policy_status
rtsdb/
sd-upgrade/
sec-download/
vi.recover/

root>

Firmware MD5 checksum 확인

root> file checksum md5 /cf/var/tmp/junos-srxsme-22.4R3.25.tgz MD5 (/cf/var/tmp/junos-srxsme-22.4R3.25.tgz) = 22c2f625180aabe85f252f89c3f212d3

root>

1차로 21.4R3-S3.4 -> 22.4R3.25 업그레이드

아래처럼 입력 하고 업그레이드가 완료 될때가지 기다립니다.

root> request system software add /cf/var/tmp/junos-srxsme-22.4R3.25.tgz no-validate reboot
Formatting alternate root (/dev/da0s2a)...
/dev/da0s2a: 596.0MB (1220680 sectors) block size 16384, fragment size 2048
using 4 cylinder groups of 149.02MB, 9537 blks, 19200 inodes.
super-block backups (for fsck -b #) at:
32, 305216, 610400, 915584
saving package file in /var/sw/pkg ...
Installing package '/altroot/cf/packages/install-tmp/junos-22.4R3.25' ...
Verified junos-boot-srxsme-22.4R3.25.tgz signed by PackageProductionECP256_2024 method ECDSA256+SHA256
Verified junos-srxsme-22.4R3.25-domestic signed by PackageProductionECP256_2024 method ECDSA256+SHA256
Verified manifest signed by PackageProductionECP256_2024 method ECDSA256+SHA256
JUNOS 22.4R3.25 will become active at next reboot
Saving state for rollback ...
Rebooting ...
shutdown: [pid 6825]
Shutdown NOW!

*** FINAL System shutdown message from root@ ***

System going down IMMEDIATELY

부팅 과정 생략

Amnesiac (ttyu0)

login:

부팅이 완료 되면 로그인 합니다.

root> show version
Model: srx320
Junos: 22.4R3.25
JUNOS Software Release [22.4R3.25]

root> show system license
License usage:
                                 Licenses     Licenses    Licenses
                                  Feature      Feature     Feature
  Feature name                       used    installed      needed  Expiry
  idp-sig                               0            1           0    2030-01                          -26 00:00:00 UTC
  remote-access-ipsec-vpn-client        0            2           0    permane                          nt
  remote-access-juniper-std             0            2           0    permane                          nt

Licenses installed:
  License identifier:
  License version: 4
  Valid for device:
  Customer ID:
  Features:
    idp-sig          - IDP Signature
      date-based, 2024-12-27 00:00:00 UTC - 2030-01-26 00:00:00 UTC

root>

1차로 21.4R3-S3.4 -> 22.4R3.25 업그레이드 완료 되었습니다.

2차로 22.4R3.25 -> 23.4R2.13 업그레이드를 하겠습니다.

우선 파일을 srx에 업로드 합니다.

root> file list /cf/var/tmp

/cf/var/tmp:
appidd_cust_app_trace
appidd_trace_debug
bcast.bdisp.log
bcast.disp.log
bcast.rstdisp.log
bcast.undisp.log
cleanup-pkgs.log
dyn_filterd_trace_debug
ebmq_authd_vty
eedebug_bin_file
install/
junos-srxsme-22.4R3.25.tgz
junos-srxsme-23.4R2.13.tgz
kmdchk.log
krt_rpf_filter.txt
mmcq_authd
mmcq_bbeStatsdGetCollector
mmcq_mmdb_rep_mmcq
mmcq_sdb_bbe_mmcq
nsd_restart
pfe-limit
pfe_debug_commands
phone-home/
pics/
policy_status
rtsdb/
sd-upgrade/
sec-download/
vi.recover/

MD5 Check

root> file checksum md5 /cf/var/tmp/junos-srxsme-23.4R2.13.tgz
MD5 (/cf/var/tmp/junos-srxsme-23.4R2.13.tgz) = 18085ebeec8305f538226bd690b18954

Firmware Upgrade and check version

root> request system software add /cf/var/tmp/junos-srxsme-23.4R2.13.tgz no-validate reboot

부팅 과정 생략

root> show version
Model: srx320
Junos: 23.4R2.13
JUNOS Software Release [23.4R2.13]

root> show system license
License usage:
                                 Licensed     Licensed    Licensed
                                  Feature      Feature     Feature
  Feature name                       used    installed      needed    Expiry
  idp-sig                               0            1           0    2030-01-26 00:00:00 UTC
  remote-access-ipsec-vpn-client        0            2           0    permanent
  remote-access-juniper-std             0            2           0    permanent

Licenses installed:

  License identifier:
  License version: 4
  Valid for device:
  Customer ID:
  Features:
    idp-sig          - IDP Signature
      date-based, 2024-12-27 00:00:00 UTC - 2030-01-26 00:00:00 UTC

root>

지금까지 [2025][Juniper SRX #29] Firmware Upgrade - CLI 글을 읽어주셔서 감사합니다.

저작자표시

'JUNIPER > SRX 방화벽' 카테고리의 다른 글

[2025][Juniper SRX #31] Traffic Flow (0)	2025.02.18
[2025][Juniper SRX #30] IDP Signature Update (0)	2025.02.16
[2025][Juniper SRX #28] Destination Nat - DNAT (0)	2025.02.16
[2025][Juniper SRX #27] Destination Nat - Port Forwarding (0)	2025.02.16
[2025][Juniper SRX #27] Static NAT - One to One NAT (0)	2025.02.14

안녕하세요.

오늘은 Juniper SRX DNAT에 대해서 알아보겠습니다.

User01 - 외부로 통신할때 SNAT 192.168.10.83으로 변환 됩니다.

User02 - 외부로 통신할때 SNAT 192.168.10.83으로 변환 됩니다.

untrust 192.168.10.85 으로 접속하면 20.1.1.1 으로 통신가능하게 DNAT를 설정하겠습니다.

1.SRX01 기본설정 입니다.

1-1 SRX 디폴트로 설정되어진 설정값을 삭제 합니다.

FreeBSD/amd64 (Amnesiac) (ttyu0)

login: root

--- JUNOS 21.3R1.9 Kernel 64-bit XEN JNPR-12.1-20210828.6e5b1bf_buil
root@:~ # cli
root>

root>

root>

root> configure
Entering configuration mode

[edit]
root# delete
This will delete the entire configuration
Delete everything under this level? [yes,no] (no) yes

[edit]
root# set system root-authentication plain-text-password
New password:
Retype new password:

[edit]
root# commit

1-2 Interface 설정

set interfaces ge-0/0/0 unit 0 family inet address 192.168.10.83/24
set interfaces ge-0/0/1 unit 0 family inet address 10.1.1.254/24
set interfaces ge-0/0/2 unit 0 family inet address 20.1.1.254/24
set protocols lldp interface all
set routing-options static route 0.0.0.0/0 next-hop 192.168.10.253

1-3 Interface를 Zone에 할당하기. 그리고 system-services all로 설정

set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic protocols all
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone dmz host-inbound-traffic system-services all
set security zones security-zone dmz host-inbound-traffic protocols all
set security zones security-zone dmz interfaces ge-0/0/2.0

1-4 SRX에서 방화벽 정책 설정

set security policies from-zone trust to-zone untrust policy trust_to_untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust_to_untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust_to_untrust match application any
set security policies from-zone trust to-zone untrust policy trust_to_untrust then permit

set security policies from-zone trust to-zone dmz policy trust_to_untrust match source-address any
set security policies from-zone trust to-zone dmz policy trust_to_untrust match destination-address any
set security policies from-zone trust to-zone dmz policy trust_to_untrust match application any
set security policies from-zone trust to-zone dmz policy trust_to_untrust then permit

set security policies from-zone dmz to-zone untrust policy trust_to_untrust match source-address any
set security policies from-zone dmz to-zone untrust policy trust_to_untrust match destination-address any
set security policies from-zone dmz to-zone untrust policy trust_to_untrust match application any
set security policies from-zone dmz to-zone untrust policy trust_to_untrust then permit

2. HTTP SERVER 설정 - 저는 cisco router를 http enable 해서 http server로 사용하겠습니다

conf t
int g0/0
ip add 20.1.1.1 255.255.255.0
no sh
ip route 0.0.0.0 0.0.0.0 20.1.1.254
ip http server

R1#show
*Feb 14 05:15:18.099: %SYS-5-CONFIG_I: Configured from console by consoleip int brie
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         20.1.1.1        YES manual up                    up
GigabitEthernet0/1         unassigned      YES unset  administratively down down
GigabitEthernet0/2         unassigned      YES unset  administratively down down
GigabitEthernet0/3         unassigned      YES unset  administratively down down
R1#
R1#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is 20.1.1.254 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 20.1.1.254
      20.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        20.1.1.0/24 is directly connected, GigabitEthernet0/0
L        20.1.1.1/32 is directly connected, GigabitEthernet0/0

R1#ping 20.1.1.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.1.1.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R1#

3. User01/ USer02 설정

USER01> ip 10.1.1.1/24 10.1.1.254
Checking for duplicate address...
VPCS : 10.1.1.1 255.255.255.0 gateway 10.1.1.254

USER01 > save
Saving startup configuration to startup.vpc
. done

USER01 >
USER01 > ping 10.1.1.254

84 bytes from 10.1.1.254 icmp_seq=1 ttl=64 time=0.418 ms
84 bytes from 10.1.1.254 icmp_seq=2 ttl=64 time=0.573 ms
84 bytes from 10.1.1.254 icmp_seq=3 ttl=64 time=0.539 ms
84 bytes from 10.1.1.254 icmp_seq=4 ttl=64 time=0.567 ms
^C
USER01 >

USER02> ip 10.1.1.2/24 10.1.1.254
Checking for duplicate address...
VPCS : 10.1.1.2 255.255.255.0 gateway 10.1.1.254

USER02 > save
Saving startup configuration to startup.vpc
. done

USER02 >
USER02 > ping 10.1.1.254

84 bytes from 10.1.1.254 icmp_seq=1 ttl=64 time=0.418 ms
84 bytes from 10.1.1.254 icmp_seq=2 ttl=64 time=0.573 ms
84 bytes from 10.1.1.254 icmp_seq=3 ttl=64 time=0.539 ms
84 bytes from 10.1.1.254 icmp_seq=4 ttl=64 time=0.567 ms
^C
USER02 >

PC에서 ping 8.8.8.8 시도

USER01> ping 8.8.8.8

8.8.8.8 icmp_seq=1 timeout
8.8.8.8 icmp_seq=2 timeout
8.8.8.8 icmp_seq=3 timeout
8.8.8.8 icmp_seq=4 timeout

USER02> ping 8.8.8.8

8.8.8.8 icmp_seq=1 timeout
8.8.8.8 icmp_seq=2 timeout
8.8.8.8 icmp_seq=3 timeout
8.8.8.8 icmp_seq=4 timeout

SRX에서 Source NAT (SNAT)가 설정 안되어져 있어서 통신이 불가능 합니다.

SRX에서 SNAT 설정

set security nat source pool source_nat address 192.168.10.84/32
set security nat source rule-set SOURCE-NAT from zone trust
set security nat source rule-set SOURCE-NAT to zone untrust
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match source-address 10.1.1.0/24
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match destination-address 0.0.0.0/0
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE then source-nat pool source_nat

PC에서 다시 확인

USER01> ping 8.8.8.8

84 bytes from 8.8.8.8 icmp_seq=1 ttl=56 time=10.328 ms
84 bytes from 8.8.8.8 icmp_seq=2 ttl=56 time=5.192 ms
84 bytes from 8.8.8.8 icmp_seq=3 ttl=56 time=5.557 ms
84 bytes from 8.8.8.8 icmp_seq=4 ttl=56 time=5.158 ms
84 bytes from 8.8.8.8 icmp_seq=5 ttl=56 time=4.425 ms

USER02> ping 8.8.8.8

84 bytes from 8.8.8.8 icmp_seq=1 ttl=56 time=10.328 ms
84 bytes from 8.8.8.8 icmp_seq=2 ttl=56 time=5.192 ms
84 bytes from 8.8.8.8 icmp_seq=3 ttl=56 time=5.557 ms
84 bytes from 8.8.8.8 icmp_seq=4 ttl=56 time=5.158 ms
84 bytes from 8.8.8.8 icmp_seq=5 ttl=56 time=4.425 ms

방화벽에서 Session 확인하기

root> show security flow session
Session ID: 54102, Policy name: trust_to_untrust/4, State: Stand-alone, Timeout: 2, Valid
  In: 10.1.1.1/54387 --> 8.8.8.8/12;icmp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 1, Bytes: 84,
  Out: 8.8.8.8/12 --> 192.168.10.83/31714;icmp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 84,

Session ID: 54103, Policy name: trust_to_untrust/4, State: Stand-alone, Timeout: 2, Valid
  In: 10.1.1.2/54643 --> 8.8.8.8/8;icmp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 1, Bytes: 84,
  Out: 8.8.8.8/8 --> 192.168.10.83/11101;icmp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 84,

Session ID: 54104, Policy name: trust_to_untrust/4, State: Stand-alone, Timeout: 2, Valid
  In: 10.1.1.1/54643 --> 8.8.8.8/13;icmp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 1, Bytes: 84,
  Out: 8.8.8.8/13 --> 192.168.10.83/8139;icmp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 84,

Session ID: 54105, Policy name: trust_to_untrust/4, State: Stand-alone, Timeout: 2, Valid
  In: 10.1.1.2/54899 --> 8.8.8.8/9;icmp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 1, Bytes: 84,
  Out: 8.8.8.8/9 --> 192.168.10.83/3136;icmp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 84,

Session ID: 54106, Policy name: trust_to_untrust/4, State: Stand-alone, Timeout: 4, Valid
  In: 10.1.1.1/54899 --> 8.8.8.8/14;icmp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 1, Bytes: 84,
  Out: 8.8.8.8/14 --> 192.168.10.83/13674;icmp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 84,
Total sessions: 5

제 PC에서도 PING를 시도 합니다.

Probing 192.168.10.85:80/tcp - No response - time=2001.746ms
Probing 192.168.10.85:80/tcp - No response - time=2003.928ms
Probing 192.168.10.85:80/tcp - No response - time=2013.536ms
Probing 192.168.10.85:80/tcp - No response - time=2006.107ms
Probing 192.168.10.85:80/tcp - No response - time=2006.452ms
Probing 192.168.10.85:80/tcp - No response - time=2005.353ms
Probing 192.168.10.85:80/tcp - No response - time=2012.393ms
Probing 192.168.10.85:80/tcp - No response - time=2012.957ms
Probing 192.168.10.85:80/tcp - No response - time=2008.528ms
Probing 192.168.10.85:80/tcp - No response - time=2011.220ms
Probing 192.168.10.85:80/tcp - No response - time=2008.000ms
Probing 192.168.10.85:80/tcp - No response - time=2008.216ms
Probing 192.168.10.85:80/tcp - No response - time=2004.983ms
Probing 192.168.10.85:80/tcp - No response - time=2000.407ms
Probing 192.168.10.85:80/tcp - No response - time=2005.790ms

우선 외부 untrust에서 dmz로 통신하기 위해서 방화벽 정책을 설정 합니다.

set security zones security-zone dmz address-book address dmz_server_01 20.1.1.1/32

set security policies from-zone untrust to-zone dmz policy untrust_to_dmz_web_server match source-address any
set security policies from-zone untrust to-zone dmz policy untrust_to_dmz_web_server match destination-address dmz_server_01
set security policies from-zone untrust to-zone dmz policy untrust_to_dmz_web_server match application any
set security policies from-zone untrust to-zone dmz policy untrust_to_dmz_web_server then permit

SRX에서 Proxy로 IP POOL에 사용하는 IP 주소를 설정 해야지 Ge-0/0/0가 ARP에 대해서 응답합니다.

set security nat proxy-arp interface ge-0/0/0.0 address 192.168.10.86

DESTINATION NAT 설정

set security nat destination pool web_server address 20.1.1.1/32

set security nat destination rule-set to_web_server from zone untrust
set security nat destination rule-set to_web_server rule web_server_incoming match destination-address 192.168.10.86/32
set security nat destination rule-set to_web_server rule web_server_incoming then destination-nat pool web_server

PC에서 통신을 확인 합니다.

정상적으로 통신 가능 합니다.

Probing 192.168.10.86:80/tcp - Port is open - time=23.372ms
Probing 192.168.10.86:80/tcp - Port is open - time=18.897ms
Probing 192.168.10.86:80/tcp - Port is open - time=14.309ms
Probing 192.168.10.86:80/tcp - Port is open - time=18.139ms
Probing 192.168.10.86:80/tcp - Port is open - time=23.166ms
Probing 192.168.10.86:80/tcp - Port is open - time=19.464ms
Probing 192.168.10.86:80/tcp - Port is open - time=18.645ms
Probing 192.168.10.86:80/tcp - Port is open - time=27.360ms
Probing 192.168.10.86:80/tcp - Port is open - time=19.947ms
Probing 192.168.10.86:80/tcp - Port is open - time=20.782ms

위와 같이 192.168.10.85 포트 80 또는 8000으로 20.1.1.1 80으로 통신 가능 합니다.

Interface 확인

root> show interfaces terse
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
ge-0/0/0.0              up    up   inet     192.168.10.83/24
gr-0/0/0                up    up
ip-0/0/0                up    up
lsq-0/0/0               up    up
lt-0/0/0                up    up
mt-0/0/0                up    up
sp-0/0/0                up    up
sp-0/0/0.0              up    up   inet
                                   inet6
sp-0/0/0.16383          up    up   inet
ge-0/0/1                up    up
ge-0/0/1.0              up    up   inet     10.1.1.254/24
ge-0/0/2                up    up
ge-0/0/2.0              up    up   inet     20.1.1.254/24
dsc                     up    up
fti0                    up    up
fxp0                    up    up
gre                     up    up
ipip                    up    up
irb                     up    up
lo0                     up    up
lo0.16384               up    up   inet     127.0.0.1           --> 0/0
lo0.16385               up    up   inet     10.0.0.1            --> 0/0
                                            10.0.0.16           --> 0/0
                                            128.0.0.1           --> 0/0
                                            128.0.0.4           --> 0/0
                                            128.0.1.16          --> 0/0
lo0.32768               up    up
lsi                     up    up
mtun                    up    up
pimd                    up    up
pime                    up    up
pp0                     up    up
ppd0                    up    up
ppe0                    up    up
st0                     up    up
tap                     up    up
vlan                    up    down

Routing 확인

root> show route

inet.0: 7 destinations, 7 routes (7 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 00:13:56
                    >  to 192.168.10.253 via ge-0/0/0.0
10.1.1.0/24        *[Direct/0] 00:13:56
                    >  via ge-0/0/1.0
10.1.1.254/32      *[Local/0] 00:13:56
                       Local via ge-0/0/1.0
20.1.1.0/24        *[Direct/0] 00:13:56
                    >  via ge-0/0/2.0
20.1.1.254/32      *[Local/0] 00:13:56
                       Local via ge-0/0/2.0
192.168.10.0/24    *[Direct/0] 00:13:56
                    >  via ge-0/0/0.0
192.168.10.83/32   *[Local/0] 00:13:56
                       Local via ge-0/0/0.0

inet6.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

ff02::2/128        *[INET6/0] 00:30:41
                       MultiRecv

root>

Security Zone 확인

root> show security zones terse
Zone                        Type
dmz                         Security
trust                       Security
untrust                     Security
junos-host                  Security

root> show security zones

Security zone: dmz
  Zone ID: 10
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 1
  Interfaces:
    ge-0/0/2.0
  Advanced-connection-tracking timeout: 1800
  Unidirectional-session-refreshing: No

Security zone: trust
  Zone ID: 7
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 1
  Interfaces:
    ge-0/0/1.0
  Advanced-connection-tracking timeout: 1800
  Unidirectional-session-refreshing: No

Security zone: untrust
  Zone ID: 8
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 1
  Interfaces:
    ge-0/0/0.0
  Advanced-connection-tracking timeout: 1800
  Unidirectional-session-refreshing: No

Security zone: junos-host
  Zone ID: 2
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 0
  Interfaces:
  Advanced-connection-tracking timeout: 1800
  Unidirectional-session-refreshing: No

방화벽 정책 확인

root> show security policies
Default policy: deny-all
Default policy log Profile ID: 0
Pre ID default policy: permit-all
From zone: trust, To zone: untrust
  Policy: trust_to_untrust, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: any
    Destination addresses: any
    Applications: any
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit
From zone: trust, To zone: dmz
  Policy: trust_to_untrust, State: enabled, Index: 5, Scope Policy: 0, Sequence number: 1, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: any
    Destination addresses: any
    Applications: any
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit
From zone: dmz, To zone: untrust
  Policy: trust_to_untrust, State: enabled, Index: 6, Scope Policy: 0, Sequence number: 1, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: any
    Destination addresses: any
    Applications: any
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit
From zone: untrust, To zone: dmz
  Policy: untrust_to_dmz_web_server, State: enabled, Index: 7, Scope Policy: 0, Sequence number: 1, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: any
    Destination addresses: dmz_server_01
    Applications: any
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit

root>

방화벽 Hit Count 확인

root> show security policies hit-count
Logical system: root-logical-system
Index   From zone        To zone           Name           Policy count  Action
1       trust            untrust           trust_to_untrust 1942        Permit
2       trust            dmz               trust_to_untrust 0           Permit
3       untrust          dmz               untrust_to_dmz_web_server 844 Permit
4       dmz              untrust           trust_to_untrust 2010        Permit

Number of policy: 4

root>

방화벽 설정값

root> show configuration | display set | no-more
set version 21.3R1.9
set security nat source pool source_nat address 192.168.10.84/32
set security nat source rule-set SOURCE-NAT from zone trust
set security nat source rule-set SOURCE-NAT to zone untrust
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match source-address 10.1.1.0/24
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match destination-address 0.0.0.0/0
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE then source-nat interface
set security nat destination pool port_foward_server address 20.1.1.1/32
set security nat destination pool port_foward_server address port 80
set security nat destination pool web_server address 20.1.1.1/32
set security nat destination rule-set to_web_server from zone untrust
set security nat destination rule-set to_web_server rule port_forwarding match destination-address 192.168.10.85/32
set security nat destination rule-set to_web_server rule port_forwarding match destination-port 80
set security nat destination rule-set to_web_server rule port_forwarding match destination-port 8000
set security nat destination rule-set to_web_server rule port_forwarding then destination-nat pool port_foward_server
set security nat destination rule-set to_web_server rule web_server_incoming match destination-address 192.168.10.86/32
set security nat destination rule-set to_web_server rule web_server_incoming then destination-nat pool web_server
set security nat static rule-set static_nat_01 from zone untrust
set security nat static rule-set static_nat_01 rule auth_server match destination-address 192.168.10.84/32
set security nat static rule-set static_nat_01 rule auth_server then static-nat prefix 20.1.1.1/32
set security nat proxy-arp interface ge-0/0/0.0 address 192.168.10.84/32
set security nat proxy-arp interface ge-0/0/0.0 address 192.168.10.85/32
set security nat proxy-arp interface ge-0/0/0.0 address 192.168.10.86/32
set security policies from-zone trust to-zone untrust policy trust_to_untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust_to_untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust_to_untrust match application any
set security policies from-zone trust to-zone untrust policy trust_to_untrust then permit
set security policies from-zone trust to-zone dmz policy trust_to_untrust match source-address any
set security policies from-zone trust to-zone dmz policy trust_to_untrust match destination-address any
set security policies from-zone trust to-zone dmz policy trust_to_untrust match application any
set security policies from-zone trust to-zone dmz policy trust_to_untrust then permit
set security policies from-zone dmz to-zone untrust policy trust_to_untrust match source-address any
set security policies from-zone dmz to-zone untrust policy trust_to_untrust match destination-address any
set security policies from-zone dmz to-zone untrust policy trust_to_untrust match application any
set security policies from-zone dmz to-zone untrust policy trust_to_untrust then permit
set security policies from-zone untrust to-zone dmz policy untrust_to_dmz_web_server match source-address any
set security policies from-zone untrust to-zone dmz policy untrust_to_dmz_web_server match destination-address dmz_server_01
set security policies from-zone untrust to-zone dmz policy untrust_to_dmz_web_server match application any
set security policies from-zone untrust to-zone dmz policy untrust_to_dmz_web_server then permit
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic protocols all
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone dmz address-book address dmz_server_01 20.1.1.1/32
set security zones security-zone dmz host-inbound-traffic system-services all
set security zones security-zone dmz host-inbound-traffic protocols all
set security zones security-zone dmz interfaces ge-0/0/2.0
set interfaces ge-0/0/0 unit 0 family inet address 192.168.10.83/24
set interfaces ge-0/0/1 unit 0 family inet address 10.1.1.254/24
set interfaces ge-0/0/2 unit 0 family inet address 20.1.1.254/24
set protocols lldp interface all
set routing-options static route 0.0.0.0/0 next-hop 192.168.10.253

root>

지금까지 [2025][Juniper SRX #27] Destination Nat - DNAT 글을 읽어주셔서 감사합니다.

저작자표시

'JUNIPER > SRX 방화벽' 카테고리의 다른 글

[2025][Juniper SRX #30] IDP Signature Update (0)	2025.02.16
[2025][Juniper SRX #29] Firmware Upgrade - CLI (0)	2025.02.16
[2025][Juniper SRX #27] Destination Nat - Port Forwarding (0)	2025.02.16
[2025][Juniper SRX #27] Static NAT - One to One NAT (0)	2025.02.14
[2025][Juniper SRX #26] Source Nat - SNAT - IP Pool (0)	2025.02.14

안녕하세요.

오늘은 Juniper SRX Destination Nat - Port Forwarding 에 대해서 알아보겠습니다.

User01 - 외부로 통신할때 SNAT 192.168.10.83으로 변환 됩니다.

User02 - 외부로 통신할때 SNAT 192.168.10.83으로 변환 됩니다.

untrust 192.168.10.85:80 으로 접속하면 20.1.1.1:80으로 통신가능하게 DNAT를 설정하겠습니다.

1.SRX01 기본설정 입니다.

1-1 SRX 디폴트로 설정되어진 설정값을 삭제 합니다.

FreeBSD/amd64 (Amnesiac) (ttyu0)

login: root

--- JUNOS 21.3R1.9 Kernel 64-bit XEN JNPR-12.1-20210828.6e5b1bf_buil
root@:~ # cli
root>

root>

root>

root> configure
Entering configuration mode

[edit]
root# delete
This will delete the entire configuration
Delete everything under this level? [yes,no] (no) yes

[edit]
root# set system root-authentication plain-text-password
New password:
Retype new password:

[edit]
root# commit

1-2 Interface 설정

set interfaces ge-0/0/0 unit 0 family inet address 192.168.10.83/24
set interfaces ge-0/0/1 unit 0 family inet address 10.1.1.254/24
set interfaces ge-0/0/2 unit 0 family inet address 20.1.1.254/24
set protocols lldp interface all
set routing-options static route 0.0.0.0/0 next-hop 192.168.10.253

1-3 Interface를 Zone에 할당하기. 그리고 system-services all로 설정

set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic protocols all
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone dmz host-inbound-traffic system-services all
set security zones security-zone dmz host-inbound-traffic protocols all
set security zones security-zone dmz interfaces ge-0/0/2.0

1-4 SRX에서 방화벽 정책 설정

set security policies from-zone trust to-zone untrust policy trust_to_untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust_to_untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust_to_untrust match application any
set security policies from-zone trust to-zone untrust policy trust_to_untrust then permit

set security policies from-zone trust to-zone dmz policy trust_to_untrust match source-address any
set security policies from-zone trust to-zone dmz policy trust_to_untrust match destination-address any
set security policies from-zone trust to-zone dmz policy trust_to_untrust match application any
set security policies from-zone trust to-zone dmz policy trust_to_untrust then permit

set security policies from-zone dmz to-zone untrust policy trust_to_untrust match source-address any
set security policies from-zone dmz to-zone untrust policy trust_to_untrust match destination-address any
set security policies from-zone dmz to-zone untrust policy trust_to_untrust match application any
set security policies from-zone dmz to-zone untrust policy trust_to_untrust then permit

2. HTTP SERVER 설정 - 저는 cisco router를 http enable 해서 http server로 사용하겠습니다

conf t
int g0/0
ip add 20.1.1.1 255.255.255.0
no sh
ip route 0.0.0.0 0.0.0.0 20.1.1.254
ip http server

R1#show
*Feb 14 05:15:18.099: %SYS-5-CONFIG_I: Configured from console by consoleip int brie
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         20.1.1.1        YES manual up                    up
GigabitEthernet0/1         unassigned      YES unset  administratively down down
GigabitEthernet0/2         unassigned      YES unset  administratively down down
GigabitEthernet0/3         unassigned      YES unset  administratively down down
R1#
R1#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is 20.1.1.254 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 20.1.1.254
      20.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        20.1.1.0/24 is directly connected, GigabitEthernet0/0
L        20.1.1.1/32 is directly connected, GigabitEthernet0/0

R1#ping 20.1.1.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.1.1.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R1#

3. User01/ USer02 설정

USER01> ip 10.1.1.1/24 10.1.1.254
Checking for duplicate address...
VPCS : 10.1.1.1 255.255.255.0 gateway 10.1.1.254

USER01 > save
Saving startup configuration to startup.vpc
. done

USER01 >
USER01 > ping 10.1.1.254

84 bytes from 10.1.1.254 icmp_seq=1 ttl=64 time=0.418 ms
84 bytes from 10.1.1.254 icmp_seq=2 ttl=64 time=0.573 ms
84 bytes from 10.1.1.254 icmp_seq=3 ttl=64 time=0.539 ms
84 bytes from 10.1.1.254 icmp_seq=4 ttl=64 time=0.567 ms
^C
USER01 >

USER02> ip 10.1.1.2/24 10.1.1.254
Checking for duplicate address...
VPCS : 10.1.1.2 255.255.255.0 gateway 10.1.1.254

USER02 > save
Saving startup configuration to startup.vpc
. done

USER02 >
USER02 > ping 10.1.1.254

84 bytes from 10.1.1.254 icmp_seq=1 ttl=64 time=0.418 ms
84 bytes from 10.1.1.254 icmp_seq=2 ttl=64 time=0.573 ms
84 bytes from 10.1.1.254 icmp_seq=3 ttl=64 time=0.539 ms
84 bytes from 10.1.1.254 icmp_seq=4 ttl=64 time=0.567 ms
^C
USER02 >

PC에서 ping 8.8.8.8 시도

USER01> ping 8.8.8.8

8.8.8.8 icmp_seq=1 timeout
8.8.8.8 icmp_seq=2 timeout
8.8.8.8 icmp_seq=3 timeout
8.8.8.8 icmp_seq=4 timeout

USER02> ping 8.8.8.8

8.8.8.8 icmp_seq=1 timeout
8.8.8.8 icmp_seq=2 timeout
8.8.8.8 icmp_seq=3 timeout
8.8.8.8 icmp_seq=4 timeout

SRX에서 Source NAT (SNAT)가 설정 안되어져 있어서 통신이 불가능 합니다.

SRX에서 SNAT 설정

set security nat source pool source_nat address 192.168.10.84/32
set security nat source rule-set SOURCE-NAT from zone trust
set security nat source rule-set SOURCE-NAT to zone untrust
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match source-address 10.1.1.0/24
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match destination-address 0.0.0.0/0
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE then source-nat pool source_nat

PC에서 다시 확인

USER01> ping 8.8.8.8

84 bytes from 8.8.8.8 icmp_seq=1 ttl=56 time=10.328 ms
84 bytes from 8.8.8.8 icmp_seq=2 ttl=56 time=5.192 ms
84 bytes from 8.8.8.8 icmp_seq=3 ttl=56 time=5.557 ms
84 bytes from 8.8.8.8 icmp_seq=4 ttl=56 time=5.158 ms
84 bytes from 8.8.8.8 icmp_seq=5 ttl=56 time=4.425 ms

USER02> ping 8.8.8.8

84 bytes from 8.8.8.8 icmp_seq=1 ttl=56 time=10.328 ms
84 bytes from 8.8.8.8 icmp_seq=2 ttl=56 time=5.192 ms
84 bytes from 8.8.8.8 icmp_seq=3 ttl=56 time=5.557 ms
84 bytes from 8.8.8.8 icmp_seq=4 ttl=56 time=5.158 ms
84 bytes from 8.8.8.8 icmp_seq=5 ttl=56 time=4.425 ms

방화벽에서 Session 확인하기

root> show security flow session
Session ID: 54102, Policy name: trust_to_untrust/4, State: Stand-alone, Timeout: 2, Valid
  In: 10.1.1.1/54387 --> 8.8.8.8/12;icmp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 1, Bytes: 84,
  Out: 8.8.8.8/12 --> 192.168.10.83/31714;icmp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 84,

Session ID: 54103, Policy name: trust_to_untrust/4, State: Stand-alone, Timeout: 2, Valid
  In: 10.1.1.2/54643 --> 8.8.8.8/8;icmp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 1, Bytes: 84,
  Out: 8.8.8.8/8 --> 192.168.10.83/11101;icmp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 84,

Session ID: 54104, Policy name: trust_to_untrust/4, State: Stand-alone, Timeout: 2, Valid
  In: 10.1.1.1/54643 --> 8.8.8.8/13;icmp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 1, Bytes: 84,
  Out: 8.8.8.8/13 --> 192.168.10.83/8139;icmp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 84,

Session ID: 54105, Policy name: trust_to_untrust/4, State: Stand-alone, Timeout: 2, Valid
  In: 10.1.1.2/54899 --> 8.8.8.8/9;icmp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 1, Bytes: 84,
  Out: 8.8.8.8/9 --> 192.168.10.83/3136;icmp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 84,

Session ID: 54106, Policy name: trust_to_untrust/4, State: Stand-alone, Timeout: 4, Valid
  In: 10.1.1.1/54899 --> 8.8.8.8/14;icmp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 1, Bytes: 84,
  Out: 8.8.8.8/14 --> 192.168.10.83/13674;icmp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 84,
Total sessions: 5

제 PC에서도 PING를 시도 합니다.

Probing 192.168.10.85:80/tcp - No response - time=2001.746ms
Probing 192.168.10.85:80/tcp - No response - time=2003.928ms
Probing 192.168.10.85:80/tcp - No response - time=2013.536ms
Probing 192.168.10.85:80/tcp - No response - time=2006.107ms
Probing 192.168.10.85:80/tcp - No response - time=2006.452ms
Probing 192.168.10.85:80/tcp - No response - time=2005.353ms
Probing 192.168.10.85:80/tcp - No response - time=2012.393ms
Probing 192.168.10.85:80/tcp - No response - time=2012.957ms
Probing 192.168.10.85:80/tcp - No response - time=2008.528ms
Probing 192.168.10.85:80/tcp - No response - time=2011.220ms
Probing 192.168.10.85:80/tcp - No response - time=2008.000ms
Probing 192.168.10.85:80/tcp - No response - time=2008.216ms
Probing 192.168.10.85:80/tcp - No response - time=2004.983ms
Probing 192.168.10.85:80/tcp - No response - time=2000.407ms
Probing 192.168.10.85:80/tcp - No response - time=2005.790ms

우선 외부 untrust에서 dmz로 통신하기 위해서 방화벽 정책을 설정 합니다.

set security zones security-zone dmz address-book address dmz_server_01 20.1.1.1/32

set security policies from-zone untrust to-zone dmz policy untrust_to_dmz_web_server match source-address any
set security policies from-zone untrust to-zone dmz policy untrust_to_dmz_web_server match destination-address dmz_server_01
set security policies from-zone untrust to-zone dmz policy untrust_to_dmz_web_server match application any
set security policies from-zone untrust to-zone dmz policy untrust_to_dmz_web_server then permit

SRX에서 Proxy로 IP POOL에 사용하는 IP 주소를 설정 해야지 Ge-0/0/0가 ARP에 대해서 응답합니다.

set security nat proxy-arp interface ge-0/0/0.0 address 192.168.10.85

DESTINATION NAT 설정

set security nat destination pool port_foward_server address 20.1.1.1/32
set security nat destination pool port_foward_server address port 80

set security nat destination rule-set to_web_server from zone untrust
set security nat destination rule-set to_web_server rule port_forwarding match destination-address 192.168.10.85/32
set security nat destination rule-set to_web_server rule port_forwarding match destination-port 80
set security nat destination rule-set to_web_server rule port_forwarding then destination-nat pool port_foward_server

PC에서 통신을 확인 합니다.

정상적으로 통신 가능 합니다.

C:\Users\USER>tcping -t 192.168.10.85 80

** Pinging continuously. Press control-c to stop **

Probing 192.168.10.85:80/tcp - Port is open - time=65.904ms
Probing 192.168.10.85:80/tcp - Port is open - time=15.969ms
Control-C

만약에 192.168.10.85:8000 -> 20.1.1.1:80으로 통신 하고 싶다면 아래와 같이 설정 합니다.

set security nat destination rule-set to_web_server01 rule port_forwarding match destination-port 8000

내 PC에서 통신 시도

C:\Users\USER>tcping -t 192.168.10.85 8000

** Pinging continuously. Press control-c to stop **

Probing 192.168.10.85:8000/tcp - Port is open - time=14.496ms
Probing 192.168.10.85:8000/tcp - Port is open - time=17.589ms
Probing 192.168.10.85:8000/tcp - Port is open - time=13.039ms
Probing 192.168.10.85:8000/tcp - Port is open - time=15.563ms
Probing 192.168.10.85:8000/tcp - Port is open - time=15.389ms
Probing 192.168.10.85:8000/tcp - Port is open - time=13.528ms
Probing 192.168.10.85:8000/tcp - Port is open - time=11.238ms
Probing 192.168.10.85:8000/tcp - Port is open - time=14.091ms

C:\Users\USER>tcping -t 192.168.10.85 80

** Pinging continuously. Press control-c to stop **

Probing 192.168.10.85:80/tcp - Port is open - time=55.989ms
Probing 192.168.10.85:80/tcp - Port is open - time=54.255ms
Probing 192.168.10.85:80/tcp - Port is open - time=19.360ms

위와 같이 192.168.10.85 포트 80 또는 8000으로 20.1.1.1 80으로 통신 가능 합니다.

root> show security nat destination summary
Total pools: 1
Pool name            Address                           Routing        Port  Total
                     Range                             Instance             Address
port_foward_server   20.1.1.1       - 20.1.1.1                        80    1

Total rules: 1
Rule name            Rule set       From                               Action
port_forwarding      to_web_server  untrust                            port_foward_server

root>

root> show security nat destination rule all
Total destination-nat rules: 1
Total referenced IPv4/IPv6 ip-prefixes: 1/0
Destination NAT rule: port_forwarding        Rule-set: to_web_server
  Rule-Id                    : 1
  Rule position              : 1
  From zone                  : untrust
    Destination addresses    : 192.168.10.85   - 192.168.10.85
    Destination port         : 80              - 80
                               8000            - 8000
  Action                     : port_foward_server
  Translation hits           : 106
    Successful sessions      : 106
  Number of sessions         : 0

root>

Interface 확인

root> show interfaces terse
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
ge-0/0/0.0              up    up   inet     192.168.10.83/24
gr-0/0/0                up    up
ip-0/0/0                up    up
lsq-0/0/0               up    up
lt-0/0/0                up    up
mt-0/0/0                up    up
sp-0/0/0                up    up
sp-0/0/0.0              up    up   inet
                                   inet6
sp-0/0/0.16383          up    up   inet
ge-0/0/1                up    up
ge-0/0/1.0              up    up   inet     10.1.1.254/24
ge-0/0/2                up    up
ge-0/0/2.0              up    up   inet     20.1.1.254/24
dsc                     up    up
fti0                    up    up
fxp0                    up    up
gre                     up    up
ipip                    up    up
irb                     up    up
lo0                     up    up
lo0.16384               up    up   inet     127.0.0.1           --> 0/0
lo0.16385               up    up   inet     10.0.0.1            --> 0/0
                                            10.0.0.16           --> 0/0
                                            128.0.0.1           --> 0/0
                                            128.0.0.4           --> 0/0
                                            128.0.1.16          --> 0/0
lo0.32768               up    up
lsi                     up    up
mtun                    up    up
pimd                    up    up
pime                    up    up
pp0                     up    up
ppd0                    up    up
ppe0                    up    up
st0                     up    up
tap                     up    up
vlan                    up    down

Routing 확인

root> show route

inet.0: 7 destinations, 7 routes (7 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 00:13:56
                    >  to 192.168.10.253 via ge-0/0/0.0
10.1.1.0/24        *[Direct/0] 00:13:56
                    >  via ge-0/0/1.0
10.1.1.254/32      *[Local/0] 00:13:56
                       Local via ge-0/0/1.0
20.1.1.0/24        *[Direct/0] 00:13:56
                    >  via ge-0/0/2.0
20.1.1.254/32      *[Local/0] 00:13:56
                       Local via ge-0/0/2.0
192.168.10.0/24    *[Direct/0] 00:13:56
                    >  via ge-0/0/0.0
192.168.10.83/32   *[Local/0] 00:13:56
                       Local via ge-0/0/0.0

inet6.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

ff02::2/128        *[INET6/0] 00:30:41
                       MultiRecv

root>

Security Zone 확인

root> show security zones terse
Zone                        Type
dmz                         Security
trust                       Security
untrust                     Security
junos-host                  Security

root> show security zones

Security zone: dmz
  Zone ID: 10
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 1
  Interfaces:
    ge-0/0/2.0
  Advanced-connection-tracking timeout: 1800
  Unidirectional-session-refreshing: No

Security zone: trust
  Zone ID: 7
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 1
  Interfaces:
    ge-0/0/1.0
  Advanced-connection-tracking timeout: 1800
  Unidirectional-session-refreshing: No

Security zone: untrust
  Zone ID: 8
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 1
  Interfaces:
    ge-0/0/0.0
  Advanced-connection-tracking timeout: 1800
  Unidirectional-session-refreshing: No

Security zone: junos-host
  Zone ID: 2
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 0
  Interfaces:
  Advanced-connection-tracking timeout: 1800
  Unidirectional-session-refreshing: No

방화벽 정책 확인

root> show security policies
Default policy: deny-all
Default policy log Profile ID: 0
Pre ID default policy: permit-all
From zone: trust, To zone: untrust
  Policy: trust_to_untrust, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: any
    Destination addresses: any
    Applications: any
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit
From zone: trust, To zone: dmz
  Policy: trust_to_untrust, State: enabled, Index: 5, Scope Policy: 0, Sequence number: 1, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: any
    Destination addresses: any
    Applications: any
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit
From zone: dmz, To zone: untrust
  Policy: trust_to_untrust, State: enabled, Index: 6, Scope Policy: 0, Sequence number: 1, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: any
    Destination addresses: any
    Applications: any
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit
From zone: untrust, To zone: dmz
  Policy: untrust_to_dmz_web_server, State: enabled, Index: 7, Scope Policy: 0, Sequence number: 1, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: any
    Destination addresses: dmz_server_01
    Applications: any
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit

root>

방화벽 Hit Count 확인

root> show security policies hit-count
Logical system: root-logical-system
Index   From zone        To zone           Name           Policy count  Action
1       trust            untrust           trust_to_untrust 1942        Permit
2       trust            dmz               trust_to_untrust 0           Permit
3       untrust          dmz               untrust_to_dmz_web_server 844 Permit
4       dmz              untrust           trust_to_untrust 2010        Permit

Number of policy: 4

root>

방화벽 설정값

root> show configuration | display set | no-more
set version 21.3R1.9
set security nat source pool source_nat address 192.168.10.84/32
set security nat source rule-set SOURCE-NAT from zone trust
set security nat source rule-set SOURCE-NAT to zone untrust
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match source-address 10.1.1.0/24
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match destination-address 0.0.0.0/0
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE then source-nat interface
set security nat destination pool port_foward_server address 20.1.1.1/32
set security nat destination pool port_foward_server address port 80
set security nat destination rule-set to_web_server from zone untrust
set security nat destination rule-set to_web_server rule port_forwarding match destination-address 192.168.10.85/32
set security nat destination rule-set to_web_server rule port_forwarding match destination-port 80
set security nat destination rule-set to_web_server rule port_forwarding match destination-port 8000
set security nat destination rule-set to_web_server rule port_forwarding then destination-nat pool port_foward_server
set security nat static rule-set static_nat_01 from zone untrust
set security nat static rule-set static_nat_01 rule auth_server match destination-address 192.168.10.84/32
set security nat static rule-set static_nat_01 rule auth_server then static-nat prefix 20.1.1.1/32
set security nat proxy-arp interface ge-0/0/0.0 address 192.168.10.84/32
set security nat proxy-arp interface ge-0/0/0.0 address 192.168.10.85/32
set security policies from-zone trust to-zone untrust policy trust_to_untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust_to_untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust_to_untrust match application any
set security policies from-zone trust to-zone untrust policy trust_to_untrust then permit
set security policies from-zone trust to-zone dmz policy trust_to_untrust match source-address any
set security policies from-zone trust to-zone dmz policy trust_to_untrust match destination-address any
set security policies from-zone trust to-zone dmz policy trust_to_untrust match application any
set security policies from-zone trust to-zone dmz policy trust_to_untrust then permit
set security policies from-zone dmz to-zone untrust policy trust_to_untrust match source-address any
set security policies from-zone dmz to-zone untrust policy trust_to_untrust match destination-address any
set security policies from-zone dmz to-zone untrust policy trust_to_untrust match application any
set security policies from-zone dmz to-zone untrust policy trust_to_untrust then permit
set security policies from-zone untrust to-zone dmz policy untrust_to_dmz_web_server match source-address any
set security policies from-zone untrust to-zone dmz policy untrust_to_dmz_web_server match destination-address dmz_server_01
set security policies from-zone untrust to-zone dmz policy untrust_to_dmz_web_server match application any
set security policies from-zone untrust to-zone dmz policy untrust_to_dmz_web_server then permit
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic protocols all
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone dmz address-book address dmz_server_01 20.1.1.1/32
set security zones security-zone dmz host-inbound-traffic system-services all
set security zones security-zone dmz host-inbound-traffic protocols all
set security zones security-zone dmz interfaces ge-0/0/2.0
set interfaces ge-0/0/0 unit 0 family inet address 192.168.10.83/24
set interfaces ge-0/0/1 unit 0 family inet address 10.1.1.254/24
set interfaces ge-0/0/2 unit 0 family inet address 20.1.1.254/24
set protocols lldp interface all
set routing-options static route 0.0.0.0/0 next-hop 192.168.10.253

root>

지금까지 [2025][Juniper SRX #27] Destination Nat - Port Forwarding 글을 읽어주셔서 감사합니다.

저작자표시

'JUNIPER > SRX 방화벽' 카테고리의 다른 글

[2025][Juniper SRX #29] Firmware Upgrade - CLI (0)	2025.02.16
[2025][Juniper SRX #28] Destination Nat - DNAT (0)	2025.02.16
[2025][Juniper SRX #27] Static NAT - One to One NAT (0)	2025.02.14
[2025][Juniper SRX #26] Source Nat - SNAT - IP Pool (0)	2025.02.14
[2025][Juniper SRX #24] site to site vpn - S2S VPN - OSPF (0)	2025.02.07

안녕하세요.

오늘은 PNETLab에서 Cisco Catalyst 8000v를 설치해보겠습니다.

PNETLab VMware를 실행 합니다.

설치 방법은 아래 글을 참고 부탁드립니다.

https://itblog-kr.tistory.com/122

[PNETLab][#1]- Installation on VMware workstation

안녕하세요. EVE-NG Community 무료 버전을 사용하고 있는데, SDWAN 테스트 할때 Jitter, Delay등등을 테스트 하기 위해서는 EVE-NG PRO로 업그레이드 해야 합니다. 그래서 이번에 PNETLab를 설치 하고 안

itblog-kr.tistory.com

1. Putty를 통해서 PNETLab에 접속 합니다.

IP주소는 위에 참고해서 접속 합니다.

2. ishare2 search cpsg검색합니다.

ishare로는 검색이 되지 않습니다.

ishare2를 설치 해야 합니다.

아래 글을 참고 부탁드립니다.

https://itblog-kr.tistory.com/123

[PNETLab][#2]- ishare command

안녕하세요. 오늘은 PNETLab에 ishare command에 대해서 알아보겠습니다.EVE-NG는 시뮬레이션 이미지를 직접 다운로드 받아서 EVE-NG에 업로드 해야합니다.하지만 PNETLab는 자체적으로 시뮬레이션 이미

itblog-kr.tistory.com

root@pnetlab:~# ishare2 search 8000v
┌────────────────────────────────────────────────────────────────┐
│ MOTD from the ishare2 team:                                    │
│ Changelog:                                                     │
│ - Fixed bug when doing integrity checks againts qemu images.   │
│                                                                │
│ Telegram: https://t.me/NetLabHub │
│ Donate: https://buymeacoffee.com/sudoalex │
│ GitHub: https://github.com/ishare2-org/ishare2-cli │
└────────────────────────────────────────────────────────────────┘
=============================
    Available QEMU images
=============================
ID   NAME                     SIZE
--   ----                     ----
151  c8000v-17.06.03          1.5 GiB
152  c8000v-17.07.01a         1.5 GiB
153  c8000v-17.08.01          1.5 GiB
154  c8000v-17.10.01a         1.5 GiB
155  c8000v-17.11.01a         1.5 GiB
172  cat8000v-17-09-01a       1.7 GiB
173  cat8000v-17-13-01a       1.9 GiB
180  catalyst8000v-17.04.01   1.3 GiB
181  catalyst8000v-17.04.01a  1.3 GiB
182  catalyst8000v-17.04.01b  1.3 GiB
183  catalyst8000v-17.05.01a  1.4 GiB
184  catalyst8000v-17.06.01a  1.5 GiB
185  catalyst8000v-17.06.02   1.5 GiB

13 QEMU images found for the term: "8000v"

============================
    Available IOL images
============================
ID  NAME  SIZE
--  ----  ----

No IOL images found for the term: "8000v"

=================================
    Available DYNAMIPS images
=================================
ID  NAME  SIZE
--  ----  ----

No DYNAMIPS images found for the term: "8000v"

root@pnetlab:~# ^C

3. Cisco Catalyst 8000v 설치

root@pnetlab:~# ishare2 pull qemu 183
[!] IMAGE INFO
- Image Name       : catalyst8000v-17.05.01a
- Image Size       : 1.4 GiB
- Image Type       : QEMU
- Image ID         : 183
- Image path       : /opt/unetlab/addons/qemu/catalyst8000v-17.05.01a
- Using host       : https://drive.labhub.eu.org
[!] DOWNLOADING IMAGE
/opt/unetlab/addons/qemu/catalyst8000v-17.05.01 100%[=====================================================================================================>]   1.38G  8.54MB/s    in 3m 26s
[+] DOWNLOAD COMPLETED!
[-] Extracting: catalyst8000v-17.05.01a.tgz file...
[+] Extracted: /opt/unetlab/addons/qemu/catalyst8000v-17.05.01a. Image ready to use.
[-] Fixing permissions...

[+] Fix permissions command has been executed correctly
root@pnetlab:~#

3. https://192.168.40.254 접속합니다.

4. 아래 정보를 입력하고 Add버튼을 클릭 합니다. 아무 이름이나 입력 후 Savve 버튼을 클릭 합니다.

5. 오른쪽 마우스를 클릭 후 Node를 클릭 합니다.

6. CheckPoint Security Gateay VE 선택합니다.

7. Save버튼을 클릭 합니다.

8. click 라우터

License Type: Perpetual
Next reload license Level:

Addon License Level:
Addon License Type: Subscription
Next reload addon license Level:

The current throughput level is 10000 kbps

Smart Licensing Status: Registration Not Applicable/Not Applicable

cisco C8000V (VXE) processor (revision VXE) with 2032007K/3075K bytes of memory.
Processor board ID 9DJL2EOPCI1
Router operating mode: Autonomous
4 Gigabit Ethernet interfaces
32768K bytes of non-volatile configuration memory.
3965344K bytes of physical memory.
5234688K bytes of virtual hard disk at bootflash:.

Configuration register is 0x2102

Router>  show inven
Router>  show inventory
NAME: "Chassis", DESCR: "Cisco Catalyst 8000V Edge Chassis"
PID: C8000V            , VID: V00  , SN: 9DJL2EOPCI1

NAME: "module R0", DESCR: "Cisco Catalyst 8000V Edge Route Processor"
PID: C8000V            , VID: V00  , SN: JAB1303001C

NAME: "module F0", DESCR: "Cisco Catalyst 8000V Edge Embedded Services Processor"
PID: C8000V            , VID:      , SN:

Router>

지금까지 [PNETLab][#9]- Cisco Catalyst 8000v install 글을 읽어주셔서 감사합니다.

저작자표시

'PNETlab' 카테고리의 다른 글

[PNETLab][#10]- PNETLab Upgrade (0)	2025.02.18
[PNETLab][#8]-CheckPoint Firewall Install (0)	2025.02.13
[PNETLab][#7]-Aruba Mobility Controller Install (0)	2025.02.13
[PNETLab][#6]-Aruba CX Switch Install (0)	2025.02.13
[PNETLab][#5]-Aruba ClearPass Install (0)	2025.02.10

안녕하세요.

오늘은 [2025][Juniper SRX #27] Static NAT - One to One NAT 설정해보겠습니다.

User01 - 10.1.1.1 Ge-0/0/0 192.168.10.83를 통해서 SNAT하고

User02 - 10.1.1.2 Ge-0/0/0 192.168.10.83를 통해서 SNAT하고
HTTP SERVER - 20.1.1.1에 static nat를 설정 하겠습니다.

외부에서 DMZ Server에 통신할때 192.168.10.84 -> 20.1.1.1 변경됩니다.

HTTP Server 20.1.1.1 외부로 통신할때 192.168.10.84로 변경 됩니다.

1.SRX01 기본설정 입니다.

1-1 SRX 디폴트로 설정되어진 설정값을 삭제 합니다.

FreeBSD/amd64 (Amnesiac) (ttyu0)

login: root

--- JUNOS 21.3R1.9 Kernel 64-bit XEN JNPR-12.1-20210828.6e5b1bf_buil
root@:~ # cli
root>

root>

root>

root> configure
Entering configuration mode

[edit]
root# delete
This will delete the entire configuration
Delete everything under this level? [yes,no] (no) yes

[edit]
root# set system root-authentication plain-text-password
New password:
Retype new password:

[edit]
root# commit

1-2 Interface 설정

set interfaces ge-0/0/0 unit 0 family inet address 192.168.10.83/24
set interfaces ge-0/0/1 unit 0 family inet address 10.1.1.254/24
set interfaces ge-0/0/2 unit 0 family inet address 20.1.1.254/24
set protocols lldp interface all
set routing-options static route 0.0.0.0/0 next-hop 192.168.10.253

1-3 Interface를 Zone에 할당하기. 그리고 system-services all로 설정

set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic protocols all
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone dmz host-inbound-traffic system-services all
set security zones security-zone dmz host-inbound-traffic protocols all
set security zones security-zone dmz interfaces ge-0/0/2.0

1-4 SRX에서 방화벽 정책 설정

set security policies from-zone trust to-zone untrust policy trust_to_untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust_to_untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust_to_untrust match application any
set security policies from-zone trust to-zone untrust policy trust_to_untrust then permit

set security policies from-zone trust to-zone dmz policy trust_to_untrust match source-address any
set security policies from-zone trust to-zone dmz policy trust_to_untrust match destination-address any
set security policies from-zone trust to-zone dmz policy trust_to_untrust match application any
set security policies from-zone trust to-zone dmz policy trust_to_untrust then permit

set security policies from-zone dmz to-zone untrust policy trust_to_untrust match source-address any
set security policies from-zone dmz to-zone untrust policy trust_to_untrust match destination-address any
set security policies from-zone dmz to-zone untrust policy trust_to_untrust match application any
set security policies from-zone dmz to-zone untrust policy trust_to_untrust then permit

2. HTTP SERVER 설정 - 저는 cisco router를 http enable 해서 http server로 사용하겠습니다

conf t
int g0/0
ip add 20.1.1.1 255.255.255.0
no sh
ip route 0.0.0.0 0.0.0.0 20.1.1.254
ip http server

R1#show
*Feb 14 05:15:18.099: %SYS-5-CONFIG_I: Configured from console by consoleip int brie
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         20.1.1.1        YES manual up                    up
GigabitEthernet0/1         unassigned      YES unset  administratively down down
GigabitEthernet0/2         unassigned      YES unset  administratively down down
GigabitEthernet0/3         unassigned      YES unset  administratively down down
R1#
R1#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is 20.1.1.254 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 20.1.1.254
      20.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        20.1.1.0/24 is directly connected, GigabitEthernet0/0
L        20.1.1.1/32 is directly connected, GigabitEthernet0/0

R1#ping 20.1.1.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.1.1.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R1#

3. User01/ USer02 설정

USER01> ip 10.1.1.1/24 10.1.1.254
Checking for duplicate address...
VPCS : 10.1.1.1 255.255.255.0 gateway 10.1.1.254

USER01 > save
Saving startup configuration to startup.vpc
. done

USER01 >
USER01 > ping 10.1.1.254

84 bytes from 10.1.1.254 icmp_seq=1 ttl=64 time=0.418 ms
84 bytes from 10.1.1.254 icmp_seq=2 ttl=64 time=0.573 ms
84 bytes from 10.1.1.254 icmp_seq=3 ttl=64 time=0.539 ms
84 bytes from 10.1.1.254 icmp_seq=4 ttl=64 time=0.567 ms
^C
USER01 >

USER02> ip 10.1.1.2/24 10.1.1.254
Checking for duplicate address...
VPCS : 10.1.1.2 255.255.255.0 gateway 10.1.1.254

USER02 > save
Saving startup configuration to startup.vpc
. done

USER02 >
USER02 > ping 10.1.1.254

84 bytes from 10.1.1.254 icmp_seq=1 ttl=64 time=0.418 ms
84 bytes from 10.1.1.254 icmp_seq=2 ttl=64 time=0.573 ms
84 bytes from 10.1.1.254 icmp_seq=3 ttl=64 time=0.539 ms
84 bytes from 10.1.1.254 icmp_seq=4 ttl=64 time=0.567 ms
^C
USER02 >

PC에서 ping 8.8.8.8 시도

USER01> ping 8.8.8.8

8.8.8.8 icmp_seq=1 timeout
8.8.8.8 icmp_seq=2 timeout
8.8.8.8 icmp_seq=3 timeout
8.8.8.8 icmp_seq=4 timeout

USER02> ping 8.8.8.8

8.8.8.8 icmp_seq=1 timeout
8.8.8.8 icmp_seq=2 timeout
8.8.8.8 icmp_seq=3 timeout
8.8.8.8 icmp_seq=4 timeout

SRX에서 Source NAT (SNAT)가 설정 안되어져 있어서 통신이 불가능 합니다.

SRX에서 SNAT 설정

set security nat source pool source_nat address 192.168.10.84/32
set security nat source rule-set SOURCE-NAT from zone trust
set security nat source rule-set SOURCE-NAT to zone untrust
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match source-address 10.1.1.0/24
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match destination-address 0.0.0.0/0
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE then source-nat pool source_nat

PC에서 다시 확인

USER01> ping 8.8.8.8

84 bytes from 8.8.8.8 icmp_seq=1 ttl=56 time=10.328 ms
84 bytes from 8.8.8.8 icmp_seq=2 ttl=56 time=5.192 ms
84 bytes from 8.8.8.8 icmp_seq=3 ttl=56 time=5.557 ms
84 bytes from 8.8.8.8 icmp_seq=4 ttl=56 time=5.158 ms
84 bytes from 8.8.8.8 icmp_seq=5 ttl=56 time=4.425 ms

USER02> ping 8.8.8.8

84 bytes from 8.8.8.8 icmp_seq=1 ttl=56 time=10.328 ms
84 bytes from 8.8.8.8 icmp_seq=2 ttl=56 time=5.192 ms
84 bytes from 8.8.8.8 icmp_seq=3 ttl=56 time=5.557 ms
84 bytes from 8.8.8.8 icmp_seq=4 ttl=56 time=5.158 ms
84 bytes from 8.8.8.8 icmp_seq=5 ttl=56 time=4.425 ms

방화벽에서 Session 확인하기

root> show security flow session
Session ID: 54102, Policy name: trust_to_untrust/4, State: Stand-alone, Timeout: 2, Valid
  In: 10.1.1.1/54387 --> 8.8.8.8/12;icmp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 1, Bytes: 84,
  Out: 8.8.8.8/12 --> 192.168.10.83/31714;icmp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 84,

Session ID: 54103, Policy name: trust_to_untrust/4, State: Stand-alone, Timeout: 2, Valid
  In: 10.1.1.2/54643 --> 8.8.8.8/8;icmp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 1, Bytes: 84,
  Out: 8.8.8.8/8 --> 192.168.10.83/11101;icmp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 84,

Session ID: 54104, Policy name: trust_to_untrust/4, State: Stand-alone, Timeout: 2, Valid
  In: 10.1.1.1/54643 --> 8.8.8.8/13;icmp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 1, Bytes: 84,
  Out: 8.8.8.8/13 --> 192.168.10.83/8139;icmp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 84,

Session ID: 54105, Policy name: trust_to_untrust/4, State: Stand-alone, Timeout: 2, Valid
  In: 10.1.1.2/54899 --> 8.8.8.8/9;icmp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 1, Bytes: 84,
  Out: 8.8.8.8/9 --> 192.168.10.83/3136;icmp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 84,

Session ID: 54106, Policy name: trust_to_untrust/4, State: Stand-alone, Timeout: 4, Valid
  In: 10.1.1.1/54899 --> 8.8.8.8/14;icmp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 1, Bytes: 84,
  Out: 8.8.8.8/14 --> 192.168.10.83/13674;icmp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 84,
Total sessions: 5

DMZ에 20.1.1.1 서버에서 외부로 PING를 시도 합니다.

R1#ping 20.1.1.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.1.1.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/7 ms
R1#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R1#

제 PC에서도 PING를 시도 합니다.

C:\Users\USER>ping 192.168.10.84

Ping 192.168.10.84 32바이트 데이터 사용:
요청 시간이 만료되었습니다.
요청 시간이 만료되었습니다.
요청 시간이 만료되었습니다.
요청 시간이 만료되었습니다.

192.168.10.84에 대한 Ping 통계:
패킷: 보냄 = 4, 받음 = 0, 손실 = 4 (100% 손실),

One to One NAT ( Static NAT)를 사용 해서 192.168.10.84 <---> 20.1.1.1로 설정합니다.

서버는 외부 통신할때 Source IP 20.1.1.1 -> 192.168.10.84 변경됩니다.

외부에서 DMZ서버랑 통신 할때 Destination IP 192.168.10.84 -> 20.1.1.1 변경 됩니다.

우선 외부 untrust에서 dmz로 통신하기 위해서 방화벽 정책을 설정 합니다.

set security zones security-zone dmz address-book address dmz_server_01 20.1.1.1/32

set security policies from-zone untrust to-zone dmz policy untrust_to_dmz_web_server match source-address any
set security policies from-zone untrust to-zone dmz policy untrust_to_dmz_web_server match destination-address dmz_server_01
set security policies from-zone untrust to-zone dmz policy untrust_to_dmz_web_server match application any
set security policies from-zone untrust to-zone dmz policy untrust_to_dmz_web_server then permit

그 이유는 SRX에서 Proxy로 IP POOL에 사용하는 IP 주소를 설정 해야지 Ge-0/0/0가 ARP에 대해서 응답합니다.

set security nat proxy-arp interface ge-0/0/0.0 address 192.168.10.84

Static NAT 설정

set security nat static rule-set static_nat_01 from zone untrust
set security nat static rule-set static_nat_01 rule auth_server match destination-address 192.168.10.84/32
set security nat static rule-set static_nat_01 rule auth_server then static-nat prefix 20.1.1.1/32

WEB SERVER에서 외부로 PING

R1#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/6 ms
R1#

내 PC에서 통신 시도

C:\Users\USER>ping 192.168.10.84

Ping 192.168.10.84 32바이트 데이터 사용:
192.168.10.84의 응답: 바이트=32 시간=40ms TTL=253
192.168.10.84의 응답: 바이트=32 시간=163ms TTL=253
192.168.10.84의 응답: 바이트=32 시간=17ms TTL=253
192.168.10.84의 응답: 바이트=32 시간=11ms TTL=253

192.168.10.84에 대한 Ping 통계:
패킷: 보냄 = 4, 받음 = 4, 손실 = 0 (0% 손실),
왕복 시간(밀리초):
최소 = 11ms, 최대 = 163ms, 평균 = 57ms

C:\Users\USER>

내 피시에서 https://192.168.10.84 접속하면 아래처럼 페이지가 열립니다.

SRX session 확인

아래처럼 20.1.1.1은 192.168.10.84로 변환하여 통신하고 있는것을 확인 가능 합니다.

root> show security flow session
Session ID: 57417, Policy name: trust_to_untrust/6, State: Stand-alone, Timeout: 2, Valid
  In: 20.1.1.1/8 --> 8.8.8.8/0;icmp, Conn Tag: 0x0, If: ge-0/0/2.0, Pkts: 1, Bytes: 100,
  Out: 8.8.8.8/0 --> 192.168.10.84/8;icmp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 100,

Session ID: 57418, Policy name: trust_to_untrust/6, State: Stand-alone, Timeout: 2, Valid
  In: 20.1.1.1/8 --> 8.8.8.8/1;icmp, Conn Tag: 0x0, If: ge-0/0/2.0, Pkts: 1, Bytes: 100,
  Out: 8.8.8.8/1 --> 192.168.10.84/8;icmp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 100,

제 PC에서 192.168.10.84 통신 했을때, 20.1.1.1로 변경되는것을 확인 가능 합니다.

root> show security flow session
Session ID: 58466, Policy name: untrust_to_dmz_web_server/7, State: Stand-alone, Timeout: 2, Valid
  In: 172.16.10.20/3 --> 192.168.10.84/11434;icmp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 60,
  Out: 20.1.1.1/11434 --> 172.16.10.20/3;icmp, Conn Tag: 0x0, If: ge-0/0/2.0, Pkts: 1, Bytes: 60,

Session ID: 58467, Policy name: untrust_to_dmz_web_server/7, State: Stand-alone, Timeout: 2, Valid
  In: 172.16.10.20/3 --> 192.168.10.84/11436;icmp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 60,
  Out: 20.1.1.1/11436 --> 172.16.10.20/3;icmp, Conn Tag: 0x0, If: ge-0/0/2.0, Pkts: 1, Bytes: 60,

Session ID: 58468, Policy name: untrust_to_dmz_web_server/7, State: Stand-alone, Timeout: 4, Valid
  In: 172.16.10.20/3 --> 192.168.10.84/11438;icmp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 60,
  Out: 20.1.1.1/11438 --> 172.16.10.20/3;icmp, Conn Tag: 0x0, If: ge-0/0/2.0, Pkts: 1, Bytes: 60,
Total sessions: 3

root> show security nat static rule all
Total static-nat rules: 1
Total referenced IPv4/IPv6 ip-prefixes: 2/0
Static NAT rule: auth_server            Rule-set: static_nat_01
  Rule-Id                    : 1
  Rule position              : 1
  From zone                  : untrust
  Destination addresses      : 192.168.10.84
  Host addresses             : 20.1.1.1
  Netmask                    : 32
  Host routing-instance      : N/A
  Translation hits           : 2083
    Successful sessions      : 2083
  Number of sessions         : 4

root>

Interface 확인

root> show interfaces terse
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
ge-0/0/0.0              up    up   inet     192.168.10.83/24
gr-0/0/0                up    up
ip-0/0/0                up    up
lsq-0/0/0               up    up
lt-0/0/0                up    up
mt-0/0/0                up    up
sp-0/0/0                up    up
sp-0/0/0.0              up    up   inet
                                   inet6
sp-0/0/0.16383          up    up   inet
ge-0/0/1                up    up
ge-0/0/1.0              up    up   inet     10.1.1.254/24
ge-0/0/2                up    up
ge-0/0/2.0              up    up   inet     20.1.1.254/24
dsc                     up    up
fti0                    up    up
fxp0                    up    up
gre                     up    up
ipip                    up    up
irb                     up    up
lo0                     up    up
lo0.16384               up    up   inet     127.0.0.1           --> 0/0
lo0.16385               up    up   inet     10.0.0.1            --> 0/0
                                            10.0.0.16           --> 0/0
                                            128.0.0.1           --> 0/0
                                            128.0.0.4           --> 0/0
                                            128.0.1.16          --> 0/0
lo0.32768               up    up
lsi                     up    up
mtun                    up    up
pimd                    up    up
pime                    up    up
pp0                     up    up
ppd0                    up    up
ppe0                    up    up
st0                     up    up
tap                     up    up
vlan                    up    down

Routing 확인

root> show route

inet.0: 7 destinations, 7 routes (7 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 00:13:56
                    >  to 192.168.10.253 via ge-0/0/0.0
10.1.1.0/24        *[Direct/0] 00:13:56
                    >  via ge-0/0/1.0
10.1.1.254/32      *[Local/0] 00:13:56
                       Local via ge-0/0/1.0
20.1.1.0/24        *[Direct/0] 00:13:56
                    >  via ge-0/0/2.0
20.1.1.254/32      *[Local/0] 00:13:56
                       Local via ge-0/0/2.0
192.168.10.0/24    *[Direct/0] 00:13:56
                    >  via ge-0/0/0.0
192.168.10.83/32   *[Local/0] 00:13:56
                       Local via ge-0/0/0.0

inet6.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

ff02::2/128        *[INET6/0] 00:30:41
                       MultiRecv

root>

Security Zone 확인

root> show security zones terse
Zone                        Type
dmz                         Security
trust                       Security
untrust                     Security
junos-host                  Security

root> show security zones

Security zone: dmz
  Zone ID: 10
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 1
  Interfaces:
    ge-0/0/2.0
  Advanced-connection-tracking timeout: 1800
  Unidirectional-session-refreshing: No

Security zone: trust
  Zone ID: 7
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 1
  Interfaces:
    ge-0/0/1.0
  Advanced-connection-tracking timeout: 1800
  Unidirectional-session-refreshing: No

Security zone: untrust
  Zone ID: 8
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 1
  Interfaces:
    ge-0/0/0.0
  Advanced-connection-tracking timeout: 1800
  Unidirectional-session-refreshing: No

Security zone: junos-host
  Zone ID: 2
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 0
  Interfaces:
  Advanced-connection-tracking timeout: 1800
  Unidirectional-session-refreshing: No

방화벽 정책 확인

root> show security policies
Default policy: deny-all
Default policy log Profile ID: 0
Pre ID default policy: permit-all
From zone: trust, To zone: untrust
  Policy: trust_to_untrust, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: any
    Destination addresses: any
    Applications: any
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit
From zone: trust, To zone: dmz
  Policy: trust_to_untrust, State: enabled, Index: 5, Scope Policy: 0, Sequence number: 1, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: any
    Destination addresses: any
    Applications: any
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit
From zone: dmz, To zone: untrust
  Policy: trust_to_untrust, State: enabled, Index: 6, Scope Policy: 0, Sequence number: 1, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: any
    Destination addresses: any
    Applications: any
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit
From zone: untrust, To zone: dmz
  Policy: untrust_to_dmz_web_server, State: enabled, Index: 7, Scope Policy: 0, Sequence number: 1, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: any
    Destination addresses: dmz_server_01
    Applications: any
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit

root>

방화벽 Hit Count 확인

root> show security policies hit-count
Logical system: root-logical-system
Index   From zone        To zone           Name           Policy count  Action
1       trust            untrust           trust_to_untrust 1942        Permit
2       trust            dmz               trust_to_untrust 0           Permit
3       untrust          dmz               untrust_to_dmz_web_server 196 Permit
4       dmz              untrust           trust_to_untrust 2010        Permit

Number of policy: 4

root>

방화벽 NAT 확인

root> show security nat source summary
Total port number usage for port translation pool: 64512
Maximum port number for port translation pool: 50331648
Total pools: 1
Pool                 Address                  Routing              PAT  Total
Name                 Range                    Instance                  Address
source_nat           192.168.10.84-192.168.10.84 default           yes  1

Total rules: 1
Rule name          Rule set       From              To                   Action
PAT-INTERFACE      SOURCE-NAT     trust             untrust              interface
                               ^
syntax error, expecting <command>.
root> show security nat source rule all
Total rules: 1
Total referenced IPv4/IPv6 ip-prefixes: 2/0
source NAT rule: PAT-INTERFACE          Rule-set: SOURCE-NAT
  Rule-Id                    : 1
  Rule position              : 1
  From zone                  : trust
  To zone                    : untrust
  Match
    Source addresses         : 10.1.1.0        - 10.1.1.255
    Destination addresses    : 0.0.0.0         - 255.255.255.255
  Action                        : interface
    Persistent NAT type         : N/A
    Persistent NAT mapping type : address-port-mapping
    Inactivity timeout          : 0
    Max session number          : 0
  Translation hits           : 1942
    Successful sessions      : 1942
  Number of sessions         : 0

root> show security nat static rule all
Total static-nat rules: 1
Total referenced IPv4/IPv6 ip-prefixes: 2/0
Static NAT rule: auth_server            Rule-set: static_nat_01
  Rule-Id                    : 1
  Rule position              : 1
  From zone                  : untrust
  Destination addresses      : 192.168.10.84
  Host addresses             : 20.1.1.1
  Netmask                    : 32
  Host routing-instance      : N/A
  Translation hits           : 2302
    Successful sessions      : 2302
  Number of sessions         : 5

root>

방화벽 설정값

root> show configuration | display set | no-more
set version 21.3R1.9
set security nat source pool source_nat address 192.168.10.84/32
set security nat source rule-set SOURCE-NAT from zone trust
set security nat source rule-set SOURCE-NAT to zone untrust
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match source-address 10.1.1.0/24
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match destination-address 0.0.0.0/0
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE then source-nat interface
set security nat static rule-set static_nat_01 from zone untrust
set security nat static rule-set static_nat_01 rule auth_server match destination-address 192.168.10.84/32
set security nat static rule-set static_nat_01 rule auth_server then static-nat prefix 20.1.1.1/32
set security nat proxy-arp interface ge-0/0/0.0 address 192.168.10.84/32
set security policies from-zone trust to-zone untrust policy trust_to_untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust_to_untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust_to_untrust match application any
set security policies from-zone trust to-zone untrust policy trust_to_untrust then permit
set security policies from-zone trust to-zone dmz policy trust_to_untrust match source-address any
set security policies from-zone trust to-zone dmz policy trust_to_untrust match destination-address any
set security policies from-zone trust to-zone dmz policy trust_to_untrust match application any
set security policies from-zone trust to-zone dmz policy trust_to_untrust then permit
set security policies from-zone dmz to-zone untrust policy trust_to_untrust match source-address any
set security policies from-zone dmz to-zone untrust policy trust_to_untrust match destination-address any
set security policies from-zone dmz to-zone untrust policy trust_to_untrust match application any
set security policies from-zone dmz to-zone untrust policy trust_to_untrust then permit
set security policies from-zone untrust to-zone dmz policy untrust_to_dmz_web_server match source-address any
set security policies from-zone untrust to-zone dmz policy untrust_to_dmz_web_server match destination-address dmz_server_01
set security policies from-zone untrust to-zone dmz policy untrust_to_dmz_web_server match application any
set security policies from-zone untrust to-zone dmz policy untrust_to_dmz_web_server then permit
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic protocols all
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone dmz address-book address dmz_server_01 20.1.1.1/32
set security zones security-zone dmz host-inbound-traffic system-services all
set security zones security-zone dmz host-inbound-traffic protocols all
set security zones security-zone dmz interfaces ge-0/0/2.0
set interfaces ge-0/0/0 unit 0 family inet address 192.168.10.83/24
set interfaces ge-0/0/1 unit 0 family inet address 10.1.1.254/24
set interfaces ge-0/0/2 unit 0 family inet address 20.1.1.254/24
set protocols lldp interface all
set routing-options static route 0.0.0.0/0 next-hop 192.168.10.253

root>

지금까지 [2025][Juniper SRX #26] Source Nat - SNAT - IP Pool 글을 읽어주셔서 감사합니다.

저작자표시

'JUNIPER > SRX 방화벽' 카테고리의 다른 글

[2025][Juniper SRX #28] Destination Nat - DNAT (0)	2025.02.16
[2025][Juniper SRX #27] Destination Nat - Port Forwarding (0)	2025.02.16
[2025][Juniper SRX #26] Source Nat - SNAT - IP Pool (0)	2025.02.14
[2025][Juniper SRX #24] site to site vpn - S2S VPN - OSPF (0)	2025.02.07
[2025][Juniper SRX #23] site to site vpn - S2S VPN - static route (0)	2025.02.07

안녕하세요.

오늘은 Juniper SRX에서 Source NAT를 IP Pool에 대해서 설정해보겠습니다.

토폴로지는 아래와 같습니다.

Ge-0/0/0 192.168.10.83 IP를 사용하지 않고, 192.168.10.84 IP를 통해서 Trust / DMZ Traffic를 SNAT하겠습니다.

1.SRX01 기본설정 입니다.

1-1 SRX 디폴트로 설정되어진 설정값을 삭제 합니다.

FreeBSD/amd64 (Amnesiac) (ttyu0)

login: root

--- JUNOS 21.3R1.9 Kernel 64-bit XEN JNPR-12.1-20210828.6e5b1bf_buil
root@:~ # cli
root>

root>

root>

root> configure
Entering configuration mode

[edit]
root# delete
This will delete the entire configuration
Delete everything under this level? [yes,no] (no) yes

[edit]
root# set system root-authentication plain-text-password
New password:
Retype new password:

[edit]
root# commit

1-2 Interface 설정

set interfaces ge-0/0/0 unit 0 family inet address 192.168.10.83/24
set interfaces ge-0/0/1 unit 0 family inet address 10.1.1.254/24
set interfaces ge-0/0/2 unit 0 family inet address 20.1.1.254/24
set protocols lldp interface all
set routing-options static route 0.0.0.0/0 next-hop 192.168.10.253

1-3 Interface를 Zone에 할당하기. 그리고 system-services all로 설정

set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic protocols all
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone dmz host-inbound-traffic system-services all
set security zones security-zone dmz host-inbound-traffic protocols all
set security zones security-zone dmz interfaces ge-0/0/2.0

1-4 SRX에서 방화벽 정책 설정

set security policies from-zone trust to-zone untrust policy trust_to_untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust_to_untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust_to_untrust match application any
set security policies from-zone trust to-zone untrust policy trust_to_untrust then permit

set security policies from-zone trust to-zone dmz policy trust_to_untrust match source-address any
set security policies from-zone trust to-zone dmz policy trust_to_untrust match destination-address any
set security policies from-zone trust to-zone dmz policy trust_to_untrust match application any
set security policies from-zone trust to-zone dmz policy trust_to_untrust then permit

set security policies from-zone dmz to-zone untrust policy trust_to_untrust match source-address any
set security policies from-zone dmz to-zone untrust policy trust_to_untrust match destination-address any
set security policies from-zone dmz to-zone untrust policy trust_to_untrust match application any
set security policies from-zone dmz to-zone untrust policy trust_to_untrust then permit

2. HTTP SERVER 설정 - 저는 cisco router를 http enable 해서 http server로 사용하겠습니다

conf t
int g0/0
ip add 20.1.1.1 255.255.255.0
no sh
ip route 0.0.0.0 0.0.0.0 20.1.1.254
ip http server

R1#show
*Feb 14 05:15:18.099: %SYS-5-CONFIG_I: Configured from console by consoleip int brie
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         20.1.1.1        YES manual up                    up
GigabitEthernet0/1         unassigned      YES unset  administratively down down
GigabitEthernet0/2         unassigned      YES unset  administratively down down
GigabitEthernet0/3         unassigned      YES unset  administratively down down
R1#
R1#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is 20.1.1.254 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 20.1.1.254
      20.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        20.1.1.0/24 is directly connected, GigabitEthernet0/0
L        20.1.1.1/32 is directly connected, GigabitEthernet0/0

R1#ping 20.1.1.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.1.1.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R1#

3. PC 설정

VPCS> ip 10.1.1.1/24 10.1.1.254
Checking for duplicate address...
VPCS : 10.1.1.1 255.255.255.0 gateway 10.1.1.254

VPCS> save
Saving startup configuration to startup.vpc
. done

VPCS>
VPCS> ping 10.1.1.254

84 bytes from 10.1.1.254 icmp_seq=1 ttl=64 time=0.418 ms
84 bytes from 10.1.1.254 icmp_seq=2 ttl=64 time=0.573 ms
84 bytes from 10.1.1.254 icmp_seq=3 ttl=64 time=0.539 ms
84 bytes from 10.1.1.254 icmp_seq=4 ttl=64 time=0.567 ms
^C
VPCS>

PC에서 ping 8.8.8.8 시도

VPCS> ping 8.8.8.8

8.8.8.8 icmp_seq=1 timeout
8.8.8.8 icmp_seq=2 timeout
8.8.8.8 icmp_seq=3 timeout
8.8.8.8 icmp_seq=4 timeout

SRX에서 Source NAT (SNAT)가 설정 안되어져 있어서 통신이 불가능 합니다.

SRX에서 SNAT 설정

set security nat source pool source_nat address 192.168.10.84/32
set security nat source rule-set SOURCE-NAT from zone trust
set security nat source rule-set SOURCE-NAT to zone untrust
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match source-address 10.1.1.0/24
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match destination-address 0.0.0.0/0
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE then source-nat pool source_nat

PC에서 다시 확인

VPCS> ping 8.8.8.8

8.8.8.8 icmp_seq=621 timeout
8.8.8.8 icmp_seq=622 timeout
8.8.8.8 icmp_seq=623 timeout
8.8.8.8 icmp_seq=624 timeout
8.8.8.8 icmp_seq=625 timeout
8.8.8.8 icmp_seq=626 timeout
8.8.8.8 icmp_seq=627 timeout
8.8.8.8 icmp_seq=628 timeout
8.8.8.8 icmp_seq=629 timeout
8.8.8.8 icmp_seq=630 timeout
8.8.8.8 icmp_seq=631 timeout
8.8.8.8 icmp_seq=632 timeout
VPCS>

그 이유는 SRX에서 Proxy로 IP POOL에 사용하는 IP 주소를 설정 해야지 Ge-0/0/0가 ARP에 대해서 응답합니다.

set security nat proxy-arp interface ge-0/0/0.0 address 192.168.10.84

PC에서 다시 8.8.8.8 PING

VPCS> ping 8.8.8.8 -c 1000

8.8.8.8 icmp_seq=1 timeout
84 bytes from 8.8.8.8 icmp_seq=2 ttl=56 time=2.049 ms
84 bytes from 8.8.8.8 icmp_seq=3 ttl=56 time=1.954 ms
84 bytes from 8.8.8.8 icmp_seq=4 ttl=56 time=2.603 ms
84 bytes from 8.8.8.8 icmp_seq=5 ttl=56 time=2.052 ms
84 bytes from 8.8.8.8 icmp_seq=6 ttl=56 time=2.130 ms
84 bytes from 8.8.8.8 icmp_seq=7 ttl=56 time=2.229 ms
84 bytes from 8.8.8.8 icmp_seq=8 ttl=56 time=2.078 ms
84 bytes from 8.8.8.8 icmp_seq=9 ttl=56 time=2.150 ms
84 bytes from 8.8.8.8 icmp_seq=10 ttl=56 time=2.061 ms
84 bytes from 8.8.8.8 icmp_seq=11 ttl=56 time=2.151 ms
84 bytes from 8.8.8.8 icmp_seq=12 ttl=56 time=2.173 ms
84 bytes from 8.8.8.8 icmp_seq=13 ttl=56 time=2.450 ms
84 bytes from 8.8.8.8 icmp_seq=14 ttl=56 time=2.411 ms
84 bytes from 8.8.8.8 icmp_seq=15 ttl=56 time=2.296 ms
84 bytes from 8.8.8.8 icmp_seq=16 ttl=56 time=2.049 ms
84 bytes from 8.8.8.8 icmp_seq=17 ttl=56 time=2.047 ms
84 bytes from 8.8.8.8 icmp_seq=18 ttl=56 time=2.101 ms

SRX session 확인

root> show security flow session
Session ID: 3402, Policy name: self-traffic-policy/1, State: Stand-alone, Timeout: 2, Valid
  In: 172.16.10.20/1 --> 192.168.10.83/2368;icmp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 60,
  Out: 192.168.10.83/2368 --> 172.16.10.20/1;icmp, Conn Tag: 0x0, If: .local..0, Pkts: 1, Bytes: 60,

Session ID: 3403, Policy name: trust_to_untrust/4, State: Stand-alone, Timeout: 2, Valid
  In: 10.1.1.1/37592 --> 8.8.8.8/64;icmp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 1, Bytes: 84,
  Out: 8.8.8.8/64 --> 192.168.10.84/20216;icmp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 84,

Session ID: 3405, Policy name: self-traffic-policy/1, State: Stand-alone, Timeout: 2, Valid
  In: 172.16.10.20/1 --> 192.168.10.83/2369;icmp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 60,
  Out: 192.168.10.83/2369 --> 172.16.10.20/1;icmp, Conn Tag: 0x0, If: .local..0, Pkts: 1, Bytes: 60,

Session ID: 3406, Policy name: trust_to_untrust/4, State: Stand-alone, Timeout: 2, Valid
  In: 10.1.1.1/37848 --> 8.8.8.8/65;icmp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 1, Bytes: 84,
  Out: 8.8.8.8/65 --> 192.168.10.84/30540;icmp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 84,

Session ID: 3408, Policy name: self-traffic-policy/1, State: Stand-alone, Timeout: 4, Valid
  In: 172.16.10.20/1 --> 192.168.10.83/2370;icmp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 60,
  Out: 192.168.10.83/2370 --> 172.16.10.20/1;icmp, Conn Tag: 0x0, If: .local..0, Pkts: 1, Bytes: 60,

Session ID: 3409, Policy name: trust_to_untrust/4, State: Stand-alone, Timeout: 4, Valid
  In: 10.1.1.1/38104 --> 8.8.8.8/66;icmp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 1, Bytes: 84,
  Out: 8.8.8.8/66 --> 192.168.10.84/22474;icmp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 84,

Session ID: 3411, Policy name: self-traffic-policy/1, State: Stand-alone, Timeout: 4, Valid
  In: 172.16.10.20/1 --> 192.168.10.83/2371;icmp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 60,
  Out: 192.168.10.83/2371 --> 172.16.10.20/1;icmp, Conn Tag: 0x0, If: .local..0, Pkts: 1, Bytes: 60,
Total sessions: 7

root>

HTTP Server에서 Ping 8.8.8.8 시도

SRX DMZ SNAT 설정이 없어서 실패

R1#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R1#

SRX에서 DMZ를 위해서 SNAT설정

set security nat source rule-set SOURCE-NAT from zone dmz
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match source-address 20.1.1.0/24

HTTP Server에서 Ping 시도

R1#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/4/6 ms
R1#

SRX에서 기본적인 부분 확인 Command

Interface 확인

root> show interfaces terse
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
ge-0/0/0.0              up    up   inet     192.168.10.83/24
gr-0/0/0                up    up
ip-0/0/0                up    up
lsq-0/0/0               up    up
lt-0/0/0                up    up
mt-0/0/0                up    up
sp-0/0/0                up    up
sp-0/0/0.0              up    up   inet
                                   inet6
sp-0/0/0.16383          up    up   inet
ge-0/0/1                up    up
ge-0/0/1.0              up    up   inet     10.1.1.254/24
ge-0/0/2                up    up
ge-0/0/2.0              up    up   inet     20.1.1.254/24
dsc                     up    up
fti0                    up    up
fxp0                    up    up
gre                     up    up
ipip                    up    up
irb                     up    up
lo0                     up    up
lo0.16384               up    up   inet     127.0.0.1           --> 0/0
lo0.16385               up    up   inet     10.0.0.1            --> 0/0
                                            10.0.0.16           --> 0/0
                                            128.0.0.1           --> 0/0
                                            128.0.0.4           --> 0/0
                                            128.0.1.16          --> 0/0
lo0.32768               up    up
lsi                     up    up
mtun                    up    up
pimd                    up    up
pime                    up    up
pp0                     up    up
ppd0                    up    up
ppe0                    up    up
st0                     up    up
tap                     up    up
vlan                    up    down

Routing 확인

root> show route

inet.0: 7 destinations, 7 routes (7 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 00:13:56
                    >  to 192.168.10.253 via ge-0/0/0.0
10.1.1.0/24        *[Direct/0] 00:13:56
                    >  via ge-0/0/1.0
10.1.1.254/32      *[Local/0] 00:13:56
                       Local via ge-0/0/1.0
20.1.1.0/24        *[Direct/0] 00:13:56
                    >  via ge-0/0/2.0
20.1.1.254/32      *[Local/0] 00:13:56
                       Local via ge-0/0/2.0
192.168.10.0/24    *[Direct/0] 00:13:56
                    >  via ge-0/0/0.0
192.168.10.83/32   *[Local/0] 00:13:56
                       Local via ge-0/0/0.0

inet6.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

ff02::2/128        *[INET6/0] 00:30:41
                       MultiRecv

root>

Security Zone 확인

root> show security zones terse
Zone                        Type
dmz                         Security
trust                       Security
untrust                     Security
junos-host                  Security

root> show security zones

Security zone: dmz
  Zone ID: 10
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 1
  Interfaces:
    ge-0/0/2.0
  Advanced-connection-tracking timeout: 1800
  Unidirectional-session-refreshing: No

Security zone: trust
  Zone ID: 7
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 1
  Interfaces:
    ge-0/0/1.0
  Advanced-connection-tracking timeout: 1800
  Unidirectional-session-refreshing: No

Security zone: untrust
  Zone ID: 8
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 1
  Interfaces:
    ge-0/0/0.0
  Advanced-connection-tracking timeout: 1800
  Unidirectional-session-refreshing: No

Security zone: junos-host
  Zone ID: 2
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 0
  Interfaces:
  Advanced-connection-tracking timeout: 1800
  Unidirectional-session-refreshing: No

방화벽 정책 확인

root> show security policies
Default policy: deny-all
Default policy log Profile ID: 0
Pre ID default policy: permit-all
From zone: trust, To zone: untrust
  Policy: trust_to_untrust, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: any
    Destination addresses: any
    Applications: any
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit
From zone: trust, To zone: dmz
  Policy: trust_to_untrust, State: enabled, Index: 5, Scope Policy: 0, Sequence number: 1, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: any
    Destination addresses: any
    Applications: any
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit
From zone: dmz, To zone: untrust
  Policy: trust_to_untrust, State: enabled, Index: 6, Scope Policy: 0, Sequence number: 1, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: any
    Destination addresses: any
    Applications: any
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit

방화벽 Hit Count 확인

root> show security policies hit-count
Logical system: root-logical-system
Index   From zone        To zone           Name           Policy count  Action
1       trust            untrust           trust_to_untrust 15          Permit
2       trust            dmz               trust_to_untrust 0           Permit
3       dmz              untrust           trust_to_untrust 10          Permit

Number of policy: 3

root>

방화벽 NAT 확인

root> show security nat source summary
Total pools: 0

Total rules: 1
Rule name          Rule set       From              To                   Action
PAT-INTERFACE      SOURCE-NAT     dmz               untrust              interface
PAT-INTERFACE                     trust

root> show security nat source rule all
Total rules: 1
Total referenced IPv4/IPv6 ip-prefixes: 3/0
source NAT rule: PAT-INTERFACE          Rule-set: SOURCE-NAT
  Rule-Id                    : 1
  Rule position              : 1
  From zone                  : dmz
                             : trust
  To zone                    : untrust
  Match
    Source addresses         : 10.1.1.0        - 10.1.1.255
                               20.1.1.0        - 20.1.1.255
    Destination addresses    : 0.0.0.0         - 255.255.255.255
  Action                        : interface
    Persistent NAT type         : N/A
    Persistent NAT mapping type : address-port-mapping
    Inactivity timeout          : 0
    Max session number          : 0
  Translation hits           : 10
    Successful sessions      : 10
  Number of sessions         : 0

방화벽 설정값

root> show configuration | display set | no-more
set version 21.3R1.9
set system root-authentication encrypted-password "$6$foWa5m5j$QTNzAZvC.AJNs4b9yJq/18Qp038uo2x6rPM/imUQn/M3hFIJsz5FxlOXdwq6iS2UG12O3SIpFdTzZBYi4wmkY1"
set security nat source pool source_nat address 192.168.10.84/32
set security nat source rule-set SOURCE-NAT from zone dmz
set security nat source rule-set SOURCE-NAT from zone trust
set security nat source rule-set SOURCE-NAT to zone untrust
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match source-address 10.1.1.0/24
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match source-address 20.1.1.0/24
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match destination-address 0.0.0.0/0
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE then source-nat pool source_nat
set security nat proxy-arp interface ge-0/0/0.0 address 192.168.10.84/32
set security policies from-zone trust to-zone untrust policy trust_to_untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust_to_untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust_to_untrust match application any
set security policies from-zone trust to-zone untrust policy trust_to_untrust then permit
set security policies from-zone trust to-zone dmz policy trust_to_untrust match source-address any
set security policies from-zone trust to-zone dmz policy trust_to_untrust match destination-address any
set security policies from-zone trust to-zone dmz policy trust_to_untrust match application any
set security policies from-zone trust to-zone dmz policy trust_to_untrust then permit
set security policies from-zone dmz to-zone untrust policy trust_to_untrust match source-address any
set security policies from-zone dmz to-zone untrust policy trust_to_untrust match destination-address any
set security policies from-zone dmz to-zone untrust policy trust_to_untrust match application any
set security policies from-zone dmz to-zone untrust policy trust_to_untrust then permit
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic protocols all
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone dmz host-inbound-traffic system-services all
set security zones security-zone dmz host-inbound-traffic protocols all
set security zones security-zone dmz interfaces ge-0/0/2.0
set interfaces ge-0/0/0 unit 0 family inet address 192.168.10.83/24
set interfaces ge-0/0/1 unit 0 family inet address 10.1.1.254/24
set interfaces ge-0/0/2 unit 0 family inet address 20.1.1.254/24
set protocols lldp interface all
set routing-options static route 0.0.0.0/0 next-hop 192.168.10.253

root>

지금까지 [2025][Juniper SRX #26] Source Nat - SNAT - IP Pool 글을 읽어주셔서 감사합니다.

저작자표시

'JUNIPER > SRX 방화벽' 카테고리의 다른 글

[2025][Juniper SRX #27] Destination Nat - Port Forwarding (0)	2025.02.16
[2025][Juniper SRX #27] Static NAT - One to One NAT (0)	2025.02.14
[2025][Juniper SRX #24] site to site vpn - S2S VPN - OSPF (0)	2025.02.07
[2025][Juniper SRX #23] site to site vpn - S2S VPN - static route (0)	2025.02.07
[2025][Juniper SRX #22] site to site vpn - S2S VPN - 기본 설정 (0)	2025.02.07

안녕하세요.

오늘은 Juniper SRX에서 Source NAT에 대해서 설정해보겠습니다.

토폴로지는 아래와 같습니다.

1.SRX01 기본설정 입니다.

1-1 SRX 디폴트로 설정되어진 설정값을 삭제 합니다.

FreeBSD/amd64 (Amnesiac) (ttyu0)

login: root

--- JUNOS 21.3R1.9 Kernel 64-bit XEN JNPR-12.1-20210828.6e5b1bf_buil
root@:~ # cli
root>

root>

root>

root> configure
Entering configuration mode

[edit]
root# delete
This will delete the entire configuration
Delete everything under this level? [yes,no] (no) yes

[edit]
root# set system root-authentication plain-text-password
New password:
Retype new password:

[edit]
root# commit

1-2 Interface 설정

set interfaces ge-0/0/0 unit 0 family inet address 192.168.10.83/24
set interfaces ge-0/0/1 unit 0 family inet address 10.1.1.254/24
set interfaces ge-0/0/2 unit 0 family inet address 20.1.1.254/24
set protocols lldp interface all
set routing-options static route 0.0.0.0/0 next-hop 192.168.10.253

1-3 Interface를 Zone에 할당하기. 그리고 system-services all로 설정

set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic protocols all
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone dmz host-inbound-traffic system-services all
set security zones security-zone dmz host-inbound-traffic protocols all
set security zones security-zone dmz interfaces ge-0/0/2.0

1-4 SRX에서 방화벽 정책 설정

set security policies from-zone trust to-zone untrust policy trust_to_untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust_to_untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust_to_untrust match application any
set security policies from-zone trust to-zone untrust policy trust_to_untrust then permit

set security policies from-zone trust to-zone dmz policy trust_to_untrust match source-address any
set security policies from-zone trust to-zone dmz policy trust_to_untrust match destination-address any
set security policies from-zone trust to-zone dmz policy trust_to_untrust match application any
set security policies from-zone trust to-zone dmz policy trust_to_untrust then permit

set security policies from-zone dmz to-zone untrust policy trust_to_untrust match source-address any
set security policies from-zone dmz to-zone untrust policy trust_to_untrust match destination-address any
set security policies from-zone dmz to-zone untrust policy trust_to_untrust match application any
set security policies from-zone dmz to-zone untrust policy trust_to_untrust then permit

2. HTTP SERVER 설정 - 저는 cisco router를 http enable 해서 http server로 사용하겠습니다

conf t
int g0/0
ip add 20.1.1.1 255.255.255.0
no sh
ip route 0.0.0.0 0.0.0.0 20.1.1.254
ip http server

R1#show
*Feb 14 05:15:18.099: %SYS-5-CONFIG_I: Configured from console by consoleip int brie
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         20.1.1.1        YES manual up                    up
GigabitEthernet0/1         unassigned      YES unset  administratively down down
GigabitEthernet0/2         unassigned      YES unset  administratively down down
GigabitEthernet0/3         unassigned      YES unset  administratively down down
R1#
R1#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is 20.1.1.254 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 20.1.1.254
      20.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        20.1.1.0/24 is directly connected, GigabitEthernet0/0
L        20.1.1.1/32 is directly connected, GigabitEthernet0/0

R1#ping 20.1.1.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.1.1.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R1#

3. PC 설정

VPCS> ip 10.1.1.1/24 10.1.1.254
Checking for duplicate address...
VPCS : 10.1.1.1 255.255.255.0 gateway 10.1.1.254

VPCS> save
Saving startup configuration to startup.vpc
. done

VPCS>
VPCS> ping 10.1.1.254

84 bytes from 10.1.1.254 icmp_seq=1 ttl=64 time=0.418 ms
84 bytes from 10.1.1.254 icmp_seq=2 ttl=64 time=0.573 ms
84 bytes from 10.1.1.254 icmp_seq=3 ttl=64 time=0.539 ms
84 bytes from 10.1.1.254 icmp_seq=4 ttl=64 time=0.567 ms
^C
VPCS>

PC에서 ping 8.8.8.8 시도

VPCS> ping 8.8.8.8

8.8.8.8 icmp_seq=1 timeout
8.8.8.8 icmp_seq=2 timeout
8.8.8.8 icmp_seq=3 timeout
8.8.8.8 icmp_seq=4 timeout

SRX에서 Source NAT (SNAT)가 설정 안되어져 있어서 통신이 불가능 합니다.

SRX에서 SNAT 설정

set security nat source rule-set SOURCE-NAT from zone trust
set security nat source rule-set SOURCE-NAT to zone untrust
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match source-address 10.1.1.0/24
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match destination-address 0.0.0.0/0
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE then source-nat interface

PC에서 다시 확인

VPCS> ping 8.8.8.8

84 bytes from 8.8.8.8 icmp_seq=1 ttl=56 time=23.166 ms
84 bytes from 8.8.8.8 icmp_seq=2 ttl=56 time=2.255 ms
84 bytes from 8.8.8.8 icmp_seq=3 ttl=56 time=1.980 ms
84 bytes from 8.8.8.8 icmp_seq=4 ttl=56 time=2.337 ms
84 bytes from 8.8.8.8 icmp_seq=5 ttl=56 time=2.088 ms
^C
VPCS>

HTTP Server에서 Ping 8.8.8.8 시도

SRX DMZ SNAT 설정이 없어서 실패

R1#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R1#

SRX에서 DMZ를 위해서 SNAT설정

set security nat source rule-set SOURCE-NAT from zone dmz
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match source-address 20.1.1.0/24

HTTP Server에서 Ping 시도

R1#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/4/6 ms
R1#

SRX에서 기본적인 부분 확인 Command

Interface 확인

root> show interfaces terse
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
ge-0/0/0.0              up    up   inet     192.168.10.83/24
gr-0/0/0                up    up
ip-0/0/0                up    up
lsq-0/0/0               up    up
lt-0/0/0                up    up
mt-0/0/0                up    up
sp-0/0/0                up    up
sp-0/0/0.0              up    up   inet
                                   inet6
sp-0/0/0.16383          up    up   inet
ge-0/0/1                up    up
ge-0/0/1.0              up    up   inet     10.1.1.254/24
ge-0/0/2                up    up
ge-0/0/2.0              up    up   inet     20.1.1.254/24
dsc                     up    up
fti0                    up    up
fxp0                    up    up
gre                     up    up
ipip                    up    up
irb                     up    up
lo0                     up    up
lo0.16384               up    up   inet     127.0.0.1           --> 0/0
lo0.16385               up    up   inet     10.0.0.1            --> 0/0
                                            10.0.0.16           --> 0/0
                                            128.0.0.1           --> 0/0
                                            128.0.0.4           --> 0/0
                                            128.0.1.16          --> 0/0
lo0.32768               up    up
lsi                     up    up
mtun                    up    up
pimd                    up    up
pime                    up    up
pp0                     up    up
ppd0                    up    up
ppe0                    up    up
st0                     up    up
tap                     up    up
vlan                    up    down

Routing 확인

root> show route

inet.0: 7 destinations, 7 routes (7 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 00:13:56
                    >  to 192.168.10.253 via ge-0/0/0.0
10.1.1.0/24        *[Direct/0] 00:13:56
                    >  via ge-0/0/1.0
10.1.1.254/32      *[Local/0] 00:13:56
                       Local via ge-0/0/1.0
20.1.1.0/24        *[Direct/0] 00:13:56
                    >  via ge-0/0/2.0
20.1.1.254/32      *[Local/0] 00:13:56
                       Local via ge-0/0/2.0
192.168.10.0/24    *[Direct/0] 00:13:56
                    >  via ge-0/0/0.0
192.168.10.83/32   *[Local/0] 00:13:56
                       Local via ge-0/0/0.0

inet6.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

ff02::2/128        *[INET6/0] 00:30:41
                       MultiRecv

root>

Security Zone 확인

root> show security zones terse
Zone                        Type
dmz                         Security
trust                       Security
untrust                     Security
junos-host                  Security

root> show security zones

Security zone: dmz
  Zone ID: 10
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 1
  Interfaces:
    ge-0/0/2.0
  Advanced-connection-tracking timeout: 1800
  Unidirectional-session-refreshing: No

Security zone: trust
  Zone ID: 7
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 1
  Interfaces:
    ge-0/0/1.0
  Advanced-connection-tracking timeout: 1800
  Unidirectional-session-refreshing: No

Security zone: untrust
  Zone ID: 8
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 1
  Interfaces:
    ge-0/0/0.0
  Advanced-connection-tracking timeout: 1800
  Unidirectional-session-refreshing: No

Security zone: junos-host
  Zone ID: 2
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 0
  Interfaces:
  Advanced-connection-tracking timeout: 1800
  Unidirectional-session-refreshing: No

방화벽 정책 확인

root> show security policies
Default policy: deny-all
Default policy log Profile ID: 0
Pre ID default policy: permit-all
From zone: trust, To zone: untrust
  Policy: trust_to_untrust, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: any
    Destination addresses: any
    Applications: any
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit
From zone: trust, To zone: dmz
  Policy: trust_to_untrust, State: enabled, Index: 5, Scope Policy: 0, Sequence number: 1, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: any
    Destination addresses: any
    Applications: any
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit
From zone: dmz, To zone: untrust
  Policy: trust_to_untrust, State: enabled, Index: 6, Scope Policy: 0, Sequence number: 1, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: any
    Destination addresses: any
    Applications: any
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit

방화벽 Hit Count 확인

root> show security policies hit-count
Logical system: root-logical-system
Index   From zone        To zone           Name           Policy count  Action
1       trust            untrust           trust_to_untrust 15          Permit
2       trust            dmz               trust_to_untrust 0           Permit
3       dmz              untrust           trust_to_untrust 10          Permit

Number of policy: 3

root>

방화벽 NAT 확인

root> show security nat source summary
Total pools: 0

Total rules: 1
Rule name          Rule set       From              To                   Action
PAT-INTERFACE      SOURCE-NAT     dmz               untrust              interface
PAT-INTERFACE                     trust

root> show security nat source rule all
Total rules: 1
Total referenced IPv4/IPv6 ip-prefixes: 3/0
source NAT rule: PAT-INTERFACE          Rule-set: SOURCE-NAT
  Rule-Id                    : 1
  Rule position              : 1
  From zone                  : dmz
                             : trust
  To zone                    : untrust
  Match
    Source addresses         : 10.1.1.0        - 10.1.1.255
                               20.1.1.0        - 20.1.1.255
    Destination addresses    : 0.0.0.0         - 255.255.255.255
  Action                        : interface
    Persistent NAT type         : N/A
    Persistent NAT mapping type : address-port-mapping
    Inactivity timeout          : 0
    Max session number          : 0
  Translation hits           : 10
    Successful sessions      : 10
  Number of sessions         : 0

방화벽 설정값

root> show configuration | display set | no-more
set version 21.3R1.9
set security nat source rule-set SOURCE-NAT from zone dmz
set security nat source rule-set SOURCE-NAT from zone trust
set security nat source rule-set SOURCE-NAT to zone untrust
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match source-address 10.1.1.0/24
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match source-address 20.1.1.0/24
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match destination-address 0.0.0.0/0
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE then source-nat interface
set security policies from-zone trust to-zone untrust policy trust_to_untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust_to_untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust_to_untrust match application any
set security policies from-zone trust to-zone untrust policy trust_to_untrust then permit
set security policies from-zone trust to-zone dmz policy trust_to_untrust match source-address any
set security policies from-zone trust to-zone dmz policy trust_to_untrust match destination-address any
set security policies from-zone trust to-zone dmz policy trust_to_untrust match application any
set security policies from-zone trust to-zone dmz policy trust_to_untrust then permit
set security policies from-zone dmz to-zone untrust policy trust_to_untrust match source-address any
set security policies from-zone dmz to-zone untrust policy trust_to_untrust match destination-address any
set security policies from-zone dmz to-zone untrust policy trust_to_untrust match application any
set security policies from-zone dmz to-zone untrust policy trust_to_untrust then permit
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic protocols all
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone dmz host-inbound-traffic system-services all
set security zones security-zone dmz host-inbound-traffic protocols all
set security zones security-zone dmz interfaces ge-0/0/2.0
set interfaces ge-0/0/0 unit 0 family inet address 192.168.10.83/24
set interfaces ge-0/0/1 unit 0 family inet address 10.1.1.254/24
set interfaces ge-0/0/2 unit 0 family inet address 20.1.1.254/24
set protocols lldp interface all
set routing-options static route 0.0.0.0/0 next-hop 192.168.10.253

root>

지금까지 [2025][Juniper SRX #25] Source Nat - SNAT 글을 읽어주셔서 감사합니다.

저작자표시

안녕하세요.

오늘은 PNETLab에서 CheckPoint Firewall를 설치해보겠습니다.

PNETLab VMware를 실행 합니다.

설치 방법은 아래 글을 참고 부탁드립니다.

https://itblog-kr.tistory.com/122

[PNETLab][#1]- Installation on VMware workstation

안녕하세요. EVE-NG Community 무료 버전을 사용하고 있는데, SDWAN 테스트 할때 Jitter, Delay등등을 테스트 하기 위해서는 EVE-NG PRO로 업그레이드 해야 합니다. 그래서 이번에 PNETLab를 설치 하고 안

itblog-kr.tistory.com

1. Putty를 통해서 PNETLab에 접속 합니다.

IP주소는 위에 참고해서 접속 합니다.

2. ishare2 search cpsg검색합니다.

ishare로는 검색이 되지 않습니다.

ishare2를 설치 해야 합니다.

아래 글을 참고 부탁드립니다.

https://itblog-kr.tistory.com/123

[PNETLab][#2]- ishare command

안녕하세요. 오늘은 PNETLab에 ishare command에 대해서 알아보겠습니다.EVE-NG는 시뮬레이션 이미지를 직접 다운로드 받아서 EVE-NG에 업로드 해야합니다.하지만 PNETLab는 자체적으로 시뮬레이션 이미

itblog-kr.tistory.com

root@pnetlab:~# ishare2 search cpsg
=============================
    Available QEMU images
=============================
ID   NAME                      SIZE
--   ----                      ----
201  cpsg-R77-20 (checkpoint)  4.0 GiB
202  cpsg-R80-20M1_T14         3.9 GiB
203  cpsg-R80-40               7.4 GiB
204  cpsg-R81                  5.5 GiB
205  cpsg-R81.10               8.1 GiB
206  cpsg-R81.10               5.7 GiB
207  cpsg-R81.20-Licensed      4.9 GiB
208  cpsg2-R81.20-Licensed     4.7 GiB

8 QEMU images found for the term: "cpsg"

============================
    Available IOL images
============================
ID  NAME  SIZE
--  ----  ----

No IOL images found for the term: "cpsg"

=================================
    Available DYNAMIPS images
=================================
ID  NAME  SIZE
--  ----  ----

No DYNAMIPS images found for the term: "cpsg"

root@pnetlab:~#

3. CheckPoint Firewall 설치

root@pnetlab:~# ishare2 pull qemu 202
[!] IMAGE INFO
- Image Name       : cpsg-R80-20M1_T14
- Image Size       : 3.9 GiB
- Image Type       : QEMU
- Image ID         : 202
- Image path       : /opt/unetlab/addons/qemu/cpsg-R80-20M1_T14
- Using host       : https://drive.labhub.eu.org
[!] DOWNLOADING IMAGE
/opt/unetlab/addons 100%[===================>]   3.92G  6.78MB/s    in 14m 17s
[+] DOWNLOAD COMPLETED!
[-] Fixing permissions...

[+] Fix permissions command has been executed correctly
root@pnetlab:~#

3. https://192.168.40.250 접속 하고 아래 버튼을 클릭 합니다.

4. 아래 정보를 입력하고 Add버튼을 클릭 합니다. CheckPoint Test 그리고 Savve 버튼을 클릭 합니다.

5. 오른쪽 마우스를 클릭 후 Node를 클릭 합니다.

6. CheckPoint Security Gateay VE 선택합니다.

7. Save버튼을 클릭 합니다.

8. Network를 클릭 합니다.

9. save버튼을 클릭 합니다.

10. 아래처럼 연결하고 start버튼을 클릭 합니다.

11. 아이콘을 더블클릭 하면 아래처럼 putty 또는 CRT가 실행 됩니다.

저작자표시

'PNETlab' 카테고리의 다른 글

[PNETLab][#10]- PNETLab Upgrade (0)	2025.02.18
[PNETLab][#9]- Cisco Catalyst 8000v install (0)	2025.02.15
[PNETLab][#7]-Aruba Mobility Controller Install (0)	2025.02.13
[PNETLab][#6]-Aruba CX Switch Install (0)	2025.02.13
[PNETLab][#5]-Aruba ClearPass Install (0)	2025.02.10

안녕하세요.

오늘은 PNETLab에서 Aruba Mobility Controller 설치해보겠습니다.

PNETLab VMware를 실행 합니다.

설치 방법은 아래 글을 참고 부탁드립니다.

https://itblog-kr.tistory.com/122

[PNETLab][#1]- Installation on VMware workstation

안녕하세요. EVE-NG Community 무료 버전을 사용하고 있는데, SDWAN 테스트 할때 Jitter, Delay등등을 테스트 하기 위해서는 EVE-NG PRO로 업그레이드 해야 합니다. 그래서 이번에 PNETLab를 설치 하고 안

itblog-kr.tistory.com

1. Putty를 통해서 PNETLab에 접속 합니다.

IP주소는 위에 참고해서 접속 합니다.

2. ishare2 search VMC검색합니다.

ishare로는 검색이 되지 않습니다.

ishare2를 설치 해야 합니다.

아래 글을 참고 부탁드립니다.

https://itblog-kr.tistory.com/123

[PNETLab][#2]- ishare command

안녕하세요. 오늘은 PNETLab에 ishare command에 대해서 알아보겠습니다.EVE-NG는 시뮬레이션 이미지를 직접 다운로드 받아서 EVE-NG에 업로드 해야합니다.하지만 PNETLab는 자체적으로 시뮬레이션 이미

itblog-kr.tistory.com

root@pnetlab:~# ishare2 search VMC
=============================
    Available QEMU images
=============================
ID  NAME                      SIZE
--  ----                      ----
59  aruba-VMC-8.5.0.13_80140  238.9 MiB
60  aruba-VMC-8.6.0.4-74969   246.3 MiB
61  aruba-VMC-8.8.0.1_80393   257.1 MiB
62  aruba-VMC-8.8.0.1_80393   206.5 MiB
63  aruba-VMC_8.3.0.3         726.0 MiB
64  aruba-VMC_8.4.0.3         238.7 MiB

6 QEMU images found for the term: "VMC"

============================
    Available IOL images
============================
ID  NAME  SIZE
--  ----  ----

No IOL images found for the term: "VMC"

=================================
    Available DYNAMIPS images
=================================
ID  NAME  SIZE
--  ----  ----

No DYNAMIPS images found for the term: "VMC"

root@pnetlab:~#

3. Aruba VMC 설치

root@pnetlab:~# ishare2 pull qemu 61
[!] IMAGE INFO
- Image Name       : aruba-VMC-8.8.0.1_80393
- Image Size       : 257.1 MiB
- Image Type       : QEMU
- Image ID         : 61
- Image path       : /opt/unetlab/addons/qemu/aruba-VMC-8.8.0.1_80393
- Using host       : https://drive.labhub.eu.org
[!] DOWNLOADING IMAGE
/opt/unetlab/addons/qemu/ 100%[====================================>] 237.56M  8.24MB/s    in 28s
/opt/unetlab/addons/qemu/ 100%[====================================>]  19.50M  6.03MB/s    in 3.5s
[+] DOWNLOAD COMPLETED!
[-] Fixing permissions...

[+] Fix permissions command has been executed correctly
root@pnetlab:~#

3. https://192.168.40.250 접속 하고 아래 버튼을 클릭 합니다.

4. 아래 정보를 입력하고 Add버튼을 클릭 합니다.

5. 오른쪽 마우스를 클릭 후 Node를 클릭 합니다.

6. Aruba WIFI Controller 선택합니다.

7. Save버튼을 클릭 합니다.

8. Network를 클릭 합니다.

9. save버튼을 클릭 합니다.

10. 아래처럼 연결하고 start버튼을 클릭 합니다.

부팅이 완료 될때까지 기다립니다.

그리고 기본적은 설정을 합니다.

Yes를 입력하면 재부팅이 됩니다.

부팅이 완료 될때까지 기다립니다.

https://192.168.10.88

로그인 정보를 입력 합니다.

지금까지 [PNETLab][#7]-Aruba Mobility Controller Install 글을 읽어주셔서 감사합니다.

저작자표시

'PNETlab' 카테고리의 다른 글

[PNETLab][#9]- Cisco Catalyst 8000v install (0)	2025.02.15
[PNETLab][#8]-CheckPoint Firewall Install (0)	2025.02.13
[PNETLab][#6]-Aruba CX Switch Install (0)	2025.02.13
[PNETLab][#5]-Aruba ClearPass Install (0)	2025.02.10
[PNETLab][#4]- Arista vEOS Switch Install (0)	2025.02.03

안녕하세요.

오늘은 PNETLab에서 Aruba CX Switch를 설치해보겠습니다.

PNETLab VMware를 실행 합니다.

설치 방법은 아래 글을 참고 부탁드립니다.

https://itblog-kr.tistory.com/122

[PNETLab][#1]- Installation on VMware workstation

안녕하세요. EVE-NG Community 무료 버전을 사용하고 있는데, SDWAN 테스트 할때 Jitter, Delay등등을 테스트 하기 위해서는 EVE-NG PRO로 업그레이드 해야 합니다. 그래서 이번에 PNETLab를 설치 하고 안

itblog-kr.tistory.com

1. Putty를 통해서 PNETLab에 접속 합니다.

IP주소는 위에 참고해서 접속 합니다.

2. ishare2 search arubacx 검색합니다.

ishare로는 검색이 되지 않습니다.

ishare2를 설치 해야 합니다.

아래 글을 참고 부탁드립니다.

https://itblog-kr.tistory.com/123

[PNETLab][#2]- ishare command

안녕하세요. 오늘은 PNETLab에 ishare command에 대해서 알아보겠습니다.EVE-NG는 시뮬레이션 이미지를 직접 다운로드 받아서 EVE-NG에 업로드 해야합니다.하지만 PNETLab는 자체적으로 시뮬레이션 이미

itblog-kr.tistory.com

root@pnetlab:~# ishare2 search arubacx
┌────────────────────────────────────────────────────────────────┐
│ MOTD from the ishare2 team:                                    │
│ Changelog:                                                     │
│ - Fixed bug when doing integrity checks againts qemu images.   │
│                                                                │
│ Telegram: https://t.me/NetLabHub │
│ Donate: https://buymeacoffee.com/sudoalex │
│ GitHub: https://github.com/ishare2-org/ishare2-cli │
└────────────────────────────────────────────────────────────────┘
=============================
    Available QEMU images
=============================
ID  NAME           SIZE
--  ----           ----
65  arubacx-10.03  882.9 MiB
66  arubacx-10.04  1013.9 MiB
67  arubacx-10.04  329.7 MiB
68  arubacx-10.05  350.6 MiB
69  arubacx-10.07  1.4 GiB
70  arubacx-10.07  483.7 MiB

6 QEMU images found for the term: "arubacx"

============================
    Available IOL images
============================
ID  NAME  SIZE
--  ----  ----

No IOL images found for the term: "arubacx"

=================================
    Available DYNAMIPS images
=================================
ID  NAME  SIZE
--  ----  ----

No DYNAMIPS images found for the term: "arubacx"

3. Aruba CX Switch 설치

root@pnetlab:~# ishare2 pull qemu 69
[!] IMAGE INFO
- Image Name       : arubacx-10.07
- Image Size       : 1.4 GiB
- Image Type       : QEMU
- Image ID         : 69
- Image path       : /opt/unetlab/addons/qemu/arubacx-10.07
- Using host       : https://drive.labhub.eu.org
/opt/unetlab/addons/qemu/arubacx-10.07/virt 100%[========================================================================================>]   1.40G  1.15MB/s    in 20m 55s
[+] DOWNLOAD COMPLETED!
[-] Fixing permissions...

[+] Fix permissions command has been executed correctly
root@pnetlab:~#

3. https://192.168.40.250 접속 하고 아래 버튼을 클릭 합니다.

4. 아래 정보를 입력하고 Add버튼을 클릭 합니다.

5. 오른쪽 마우스를 클릭 후 Node를 클릭 합니다.

6. Aruba OS-CX Virtual Switch 선택합니다.

7. Save버튼을 클릭 합니다.

8. 장비를 부팅 합니다.

10. 디폴트 로그인 정보입니다.

user: admin

password: no password

switch login: admin
Password:

Please configure the 'admin' user account password.
Enter new password: *************
Confirm new password: *************
switch#

switch# show
  aaa                    Authentication, Authorization and Accounting
  access-list            Access control list (ACL)
  accounting             Show local accounting information
  active-gateway         Show active gateway settings
  alias                  Short names configured for a set of commands
  arp                    Show IPv4 addresses from neighbor table
  aruba-central          Configure Aruba-Central
  banner                 Show one of the configured system banners
  bfd                    Show BFD information
  bgp                    BGP specific commands
  bluetooth              Display information about Bluetooth wireless
                         management
  boot-history           Display boot history details
  capacities             Show system capacities and their values
  capacities-status      Show system capacities status and their values
  cdp                    Show various CDP settings
  checkpoint             Checkpoint information
  class                  Show Class configuration
  clock                  Show system date, time, and timezone settings
  configuration-lockout  Show REST Lockout configuration
  copp-policy            Control Plane Policing (CoPP) policy
  core-dump              Display core-dump list for current boot
  crypto                 Display crypto related features and settings
  debug                  Display currently active debug log destinations and
                         types
  dhcp                   Dynamic Host Configuration Protocol
  dhcp-relay             Show DHCP relay configuration
  dhcp-server            Show DHCP server configuration
  dhcpv4-snooping        Show DHCPv4-Snooping configuration
  dhcpv6-relay           Show DHCPv6 relay configuration
  dhcpv6-server          Show DHCP V6 server configuration
  dhcpv6-snooping        Show DHCPv6-Snooping configuration
  domain-name            Display domain name
  environment            Display system environment status information
  events                 Display all event logs
  evpn                   EVPN sub-address family
  external-storage       Show info for one external storage volume or all if
                         none specified
  history                Show previously entered commands
  hostname               Display hostname
  https-server           HTTPS Server Configuration
  interface              Interface information
  ip                     IP information
  ip-sla                 IP SLA
  ipv4                   IPv4 information
  ipv6                   IPv6 information
  keychain               Keychain information
  lacp                   Show various LACP settings
  lag                    Show LAG interface information
  lldp                   Show various LLDP settings
  logging                Display all event logs
  logrotate              Show logrotate config parameters
  loop-protect           Show loop protection status for all ports with loop
                         protection enabled
  mac-address-table      Show Layer 2 MAC address table information
  macsec                 Show MACsec information
  mirror                 Show Mirroring configuration
  mka                    Show MKA information
  mvrp                   Show MVRP settings and status
  nae-agent              NAE Agent details
  nae-script             NAE Script details
  nd-snooping            Show ND Snooping configuration
  ntp                    Show NTP information
  object-group           Object Group
  password-complexity    Show password complexity enforcement
  pbr                    Show Policy Based Routing (PBR) information
  pbr-action-list        Show Policy Based Routing (PBR) action list
                         configuration information
  policy                 Classifier policy
  port-access            Show Port Access information
  power-over-ethernet    Show Power over Ethernet (PoE) information
  qos                    Show QoS Configuration
  radius                 RADIUS Client configuration
  radius-server          Show RADIUS server configuration
  resources              Show line module resource information
  rmon                   Show RMON alarm configurations
  route-map              Display all Route-map
  router                 Routing Information
  running-config         Current running configuration
  service                Show service information
  session-timeout        Idle session timeout in minutes
  sflow                  sFlow configuration
  snmp                   SNMP configuration
  snmpv3                 SNMP version 3 configurations
  spanning-tree          Show spanning tree information
  ssh                    Show SSH configuration
  startup-config         Contents of startup configuration
  system                 System information
  tacacs-server          Show TACACS server configuration
  tech                   Display output of a predefined command sequence used
                         by technical support
  terminal-monitor       Displays Terminal-monitor status
  tls                    Display the state of TLS settings
  track                  Track information
  ubt                    User Based Tunnel configuration
  udld                   Show UDLD information
  upgrade                Show upgrade information
  uptime                 Show the elapsed time since the device was booted
  usb                    USB storage device settings
  user                   Show user information
  user-group             Local user group to be displayed
  user-list              Displays the list of local users
  version                Displays switch version
  vlan                   Show VLAN configuration
  vrf                    VRF Configuration
  vrrp                   VRRP information
  vsx                    Show various VSX settings
  ztp                    Zero Touch Provisioning
switch# show
% Command incomplete.
switch#

지금까지 [PNETLab][#6]-Aruba CX Switch Install 글을 읽어주셔서 감사합니다.

저작자표시

'PNETlab' 카테고리의 다른 글

[PNETLab][#8]-CheckPoint Firewall Install (0)	2025.02.13
[PNETLab][#7]-Aruba Mobility Controller Install (0)	2025.02.13
[PNETLab][#5]-Aruba ClearPass Install (0)	2025.02.10
[PNETLab][#4]- Arista vEOS Switch Install (0)	2025.02.03
[PNETLab][#2]- ishare command (0)	2024.12.27

안녕하세요.

오늘은 C8200라우터는 smart licensing using policy 모드를 사용 합니다.

IOS XE버전별로 License 동작하는 방식이 다릅니다.

IOS XE Release	Platform Requirements	CUBE Licensing
16.6.1 to 16.9.x	Smart Licensing mode is optional	RTU licensing only
16.10.x	Smart Licensing mode only	RTU licensing only
16.11.1a to 17.1.x	Smart Licensing mode only Continued registration is required to enable CUBE features	Smart Licensing only* Trunk license requests are set by manual configuration No license policing if out of compliance SIP processing disabled in the 'Eval-Expired' state
17.2.1r to 17.3.1a	Smart Licensing mode only Continued registration is required in order to enable CUBE features	Smart Licensing only* Trunk license requests are set dynamically by usage No license policing if out of compliance SIP processing disabled in the 'Eval-Expired' state
17.3.2 onwards	Smart Licensing with the use of Policy mode only License use must be reported within the account policy to enable CUBE features	Smart Licensing only* Trunk license use is measured periodically and reported as per the Smart Account policy In accordance with policy, license policing reports are not acknowledged (SIP processing is disabled otherwise)

Step Summary

conf t

license boot level network-essentials

interface GigabitEthernet 0/0/0

ip add [IP address] [subnet] or ip add dhcp

no shutdown

exit

ip name-server 8.8.8.8

ip domain lookup source-interface GigabitEthernet 0/0/0

ip http client source-interface GigabitEthernet 0/0/0

license smart transport smart

license smart url default

ip route 0.0.0.0 0.0.0.0 [nexthop] if dhcp no need ip route command

end

show run

show ip int brie

show ip route

확인 후 저장 그리고 재부팅

write memory

reload

1. show version를 통해서 IOS XE버전을 확인 합니다.

2. 기본 설정을 합니다.

conf t
license boot level network-essentials
interface GigabitEthernet 0/0/0
ip add dhcp
no shutdown
exit
ip name-server 8.8.8.8
ip domain lookup source-interface GigabitEthernet 0/0/0
ip http client source-interface GigabitEthernet 0/0/0
license smart transport smart
license smart url default

3. 인터페이스 상태 확인 라우팅 상태 확인

그리고 외부 통신 확인

Router#show ip int brie
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0/0   172.20.10.3     YES DHCP   up                    up
GigabitEthernet0/0/1   unassigned      YES unset  administratively down down
GigabitEthernet0/0/2   unassigned      YES unset  administratively down down
GigabitEthernet0/0/3   unassigned      YES unset  administratively down down

Router#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, m - OMP
       n - NAT, Ni - NAT inside, No - NAT outside, Nd - NAT DIA
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       H - NHRP, G - NHRP registered, g - NHRP registration summary
       o - ODR, P - periodic downloaded static route, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR
       & - replicated local route overrides by connected

Gateway of last resort is 172.20.10.1 to network 0.0.0.0

S*    0.0.0.0/0 [254/0] via 172.20.10.1
      172.20.0.0/16 is variably subnetted, 2 subnets, 2 masks
C        172.20.10.0/28 is directly connected, GigabitEthernet0/0/0
L        172.20.10.3/32 is directly connected, GigabitEthernet0/0/0
Router#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!

4. 저장후 재부팅

wr
reload

5. Cisco CSSM에서 Idtoken를 생성 합니다.

cisco CSSM에서 Idtoken를 복사합니다.

ODVkNDkyYmUtNzc4MS00OWZiLWEzMzMtZTY2YmZhYTQxNjA5LTE3NDEzMzc2%0AMDYzNzN8L0pjaVh0K09pT3J1XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

license smart trust idtoken ODVkNDkyYmUtNzc4MS00OWZiLWEzMzMtZTY2YmZhYTQxNjA5LTE3NDEzMzc2%0AMDYzNzN8L0pjaVh0K09pT3J1XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX all force　

Router#
*Feb 13 01:38:52.352: %CRYPTO_ENGINE-5-KEY_ADDITION: A key named SLA-KeyPair has been generated or imported by crypto-engine
*Feb 13 01:38:52.414: %PKI-6-CONFIGAUTOSAVE: Running configuration saved to NVRAM[OK]
*Feb 13 01:38:55.470: %SYS-6-PRIVCFG_ENCRYPT_SUCCESS: Successfully encrypted private config file
*Feb 13 01:38:55.493: %CRYPTO_SL_TP_LEVELS-6-VAR_NEW_VALUE: Setting crypto bidir throughput to: 10000 kbps
*Feb 13 01:38:58.298: %SMART_LIC-6-TRUST_INSTALL_SUCCESS: A new licensing trust code was successfully installed on P:C8200L-1N-4T,XXXXXXXXXXX
Router#

정상적으로 등록 되면 위에처럼 표시 됩니다.

6. License를 확인 합니다.

아래처럼 SA/VA에 고객사 정보가 확인 되면 정상적으로 등록 된것입니다.

Router#show license summary
Account Information:
  Smart Account: 고객사 정보 확인 가능
  Virtual Account: XXXXX

License Usage:
  License                 Entitlement Tag               Count Status
  -----------------------------------------------------------------------------
  network-essentials_10M  (ESR_P_10M_E)                     1 IN USE
  Router US Export Lic... (DNA_HSEC)                        0 NOT IN USE

또는 아래 명령어도 주로 사용 됩니다.

Router#show license status
Utility:
  Status: DISABLED

Smart Licensing Using Policy:
  Status: ENABLED

Account Information:
  Smart Account: 고객사 정보
  Virtual Account: XXXXX

Data Privacy:
  Sending Hostname: yes
    Callhome hostname privacy: DISABLED
    Smart Licensing hostname privacy: DISABLED
  Version privacy: DISABLED

Transport:
  Type: Smart
  URL: https://smartreceiver.cisco.com/licservice/license
  Proxy:
    Not Configured
  VRF: <empty>

Policy:
  Policy in use: Merged from multiple sources.
  Reporting ACK required: yes (CISCO default)
  Unenforced/Non-Export Perpetual Attributes:
    First report requirement (days): 365 (CISCO default)
    Reporting frequency (days): 0 (CISCO default)
    Report on change (days): 90 (CISCO default)
  Unenforced/Non-Export Subscription Attributes:
    First report requirement (days): 90 (CISCO default)
    Reporting frequency (days): 90 (CISCO default)
    Report on change (days): 90 (CISCO default)
  Enforced (Perpetual/Subscription) License Attributes:
    First report requirement (days): 0 (CISCO default)
    Reporting frequency (days): 0 (CISCO default)
    Report on change (days): 0 (CISCO default)
  Export (Perpetual/Subscription) License Attributes:
    First report requirement (days): 0 (CISCO default)
    Reporting frequency (days): 0 (CISCO default)
    Report on change (days): 0 (CISCO default)

Miscellaneous:
  Custom Id: <empty>

Usage Reporting:
  Last ACK received: <none>
  Next ACK deadline: Feb 13 01:31:19 2026 UTC
  Reporting push interval: 0 (no reporting)
  Next ACK push check: Feb 13 02:09:10 2025 UTC
  Next report push: <none>
  Last report push: Feb 13 01:39:08 2025 UTC
  Last report file write: <none>

Trust Code Installed: Feb 13 01:38:58 2025 UTC

Router#

지금까지 [2025][C8200][#2] Register License to CSSM - smart licensing using policy 글을 읽어주셔서 감사합니다.

저작자표시

'CISCO > 라우팅' 카테고리의 다른 글

[2025][C8200][#3] Reset Smart license (0)	2025.03.04
[2025][C8200][#1] Router IOS XE upgrade (0)	2025.02.10
[ISR4221]-Performance License Install(PAK) (0)	2024.07.30
[ISR4221]-Cisco Router IOS Upgrade (2)	2024.07.29

안녕하세요.

오늘은 PNETLab에서 Aruba ClearPass를 설치해보겠습니다.

PNETLab VMware를 실행 합니다.

설치 방법은 아래 글을 참고 부탁드립니다.

https://itblog-kr.tistory.com/122

[PNETLab][#1]- Installation on VMware workstation

안녕하세요. EVE-NG Community 무료 버전을 사용하고 있는데, SDWAN 테스트 할때 Jitter, Delay등등을 테스트 하기 위해서는 EVE-NG PRO로 업그레이드 해야 합니다. 그래서 이번에 PNETLab를 설치 하고 안

itblog-kr.tistory.com

1. Putty를 통해서 PNETLab에 접속 합니다.

IP주소는 위에 참고해서 접속 합니다.

2. ishare2 search clearpass 검색합니다.

ishare로는 검색이 되지 않습니다.

ishare2를 설치 해야 합니다.

아래 글을 참고 부탁드립니다.

https://itblog-kr.tistory.com/123

[PNETLab][#2]- ishare command

안녕하세요. 오늘은 PNETLab에 ishare command에 대해서 알아보겠습니다.EVE-NG는 시뮬레이션 이미지를 직접 다운로드 받아서 EVE-NG에 업로드 해야합니다.하지만 PNETLab는 자체적으로 시뮬레이션 이미

itblog-kr.tistory.com

root@pnetlab:~# ishare2 search clearpass
=============================
    Available QEMU images
=============================
ID   NAME                   SIZE
--   ----                   ----
192  clearpass-6.4.0.66263  10.8 GiB
193  clearpass-6.4.0.66263  10.8 GiB
194  clearpass-6.8.0        2.9 GiB

3 QEMU images found for the term: "clearpass"

============================
    Available IOL images
============================
ID  NAME  SIZE
--  ----  ----

No IOL images found for the term: "clearpass"

=================================
    Available DYNAMIPS images
=================================
ID  NAME  SIZE
--  ----  ----

No DYNAMIPS images found for the term: "clearpass"

root@pnetlab:~#

3. Aruba Classpass 설치

root@pnetlab:~# ishare2 pull qemu 194
[!] IMAGE INFO
- Image Name       : clearpass-6.8.0
- Image Size       : 2.9 GiB
- Image Type       : QEMU
- Image ID         : 194
- Image path       : /opt/unetlab/addons/qemu/clearpass-6.8.0
- Using host       : https://drive.labhub.eu.org
[!] DOWNLOADING IMAGE
/opt/unetlab/addons 100%[===================>]   2.86G   497KB/s    in 87m 5s
[+] DOWNLOAD COMPLETED!
[-] Extracting: clearpass-6.8.0.tgz file...
[+] Extracted: /opt/unetlab/addons/qemu/clearpass-6.8.0. Image ready to use.
[-] Fixing permissions...

[+] Fix permissions command has been executed correctly
root@pnetlab:~#

3. https://192.168.40.250 접속 하고 아래 버튼을 클릭 합니다.

4. 아래 정보를 입력하고 Add버튼을 클릭 합니다.

5. 오른쪽 마우스를 클릭 후 Node를 클릭 합니다.

6. Aruba ClearPass 선택합니다.

7. Save버튼을 클릭 합니다.

8. Network를 클릭 합니다.

9. save버튼을 클릭 합니다.

10. 아래처럼 연결하고 start버튼을 클릭 합니다.

11. Lab용이기 때문에, 1번을 선택하고 엔터를 누릅니다.

Y를 선택 합니다.

Y를 선택 합니다.

Y선택 합니다.

부팅이 완료 될때까지 기다립니다.

엔터를 클릭 합니다.

12. 디폴트 Username 그리고 Password

user: appadmin

password: eTIPS123

13. 아래처럼 기본 설정을 합니다.

IP주소를 잘못 설정 하였습니다.

로그인해서 아래처럼 수정 하고 Y를 클릭 합니다.

그리고 PC에서 PIng를 시도 합니다.

Ping 192.168.40.91 32바이트 데이터 사용:
192.168.40.91의 응답: 바이트=32 시간=1ms TTL=64
192.168.40.91의 응답: 바이트=32 시간<1ms TTL=64
192.168.40.91의 응답: 바이트=32 시간=1ms TTL=64
192.168.40.91의 응답: 바이트=32 시간<1ms TTL=64
192.168.40.91의 응답: 바이트=32 시간<1ms TTL=64
192.168.40.91의 응답: 바이트=32 시간=1ms TTL=64
192.168.40.91의 응답: 바이트=32 시간<1ms TTL=64
192.168.40.91의 응답: 바이트=32 시간=1ms TTL=64
192.168.40.91의 응답: 바이트=32 시간=4ms TTL=64
192.168.40.91의 응답: 바이트=32 시간<1ms TTL=64
192.168.40.91의 응답: 바이트=32 시간=54ms TTL=64
192.168.40.91의 응답: 바이트=32 시간=120ms TTL=64
192.168.40.91의 응답: 바이트=32 시간=201ms TTL=64
192.168.40.91의 응답: 바이트=32 시간=283ms TTL=64
192.168.40.91의 응답: 바이트=32 시간=359ms TTL=64
192.168.40.91의 응답: 바이트=32 시간=395ms TTL=64

https://192.168.40.91로 접속 하면 잘 접속 됩니다.

ClearPass Policy Manager를 클릭 하면 라이센스 입력 페이지가 나옵니다.

Aruba Clear Pass는 NAC역활을 합니다. Cisco 제품군으로 비교하면 Cisco ISE랑 똑같습니다.

Cisco ISE는 6개월 정도 라이센스없이 Trial Version으로 사용 가능하나

Aruba Clear Pass는 라이센스 없으면 사용이 불가능 합니다. 홈페이지에서 trial license 신청 가능합니다.

지금까지 [PNETLab][#5]-Aruba ClearPass Install 글을 읽어주셔서 감사합니다.

저작자표시

'PNETlab' 카테고리의 다른 글

[PNETLab][#7]-Aruba Mobility Controller Install (0)	2025.02.13
[PNETLab][#6]-Aruba CX Switch Install (0)	2025.02.13
[PNETLab][#4]- Arista vEOS Switch Install (0)	2025.02.03
[PNETLab][#2]- ishare command (0)	2024.12.27
[PNETLab][#1]- Installation on VMware workstation (0)	2024.12.27

안녕하세요.

오늘은 C8200L Router IOS XE를 업그레이드를 해보겠습니다.

1. 현재 장비에서 show version를 통해서 version를 확인 합니다.

Router#show version
Cisco IOS XE Software, Version 17.06.06a
Cisco IOS Software [Bengaluru], c8000be Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 17.6.6a, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2023 by Cisco Systems, Inc.
Compiled Fri 20-Oct-23 18:26 by mcpre

2. cisco 홈페이지에서 현재 시점에서 8200 router ios xe 추천 버전을 확인 합니다.

3. 파일을 다운로드 받고 파일을 USB에 복사합니다.

4. MD5 Checksum를 확인 합니다. 추후에 파일을 라우터에 복사하고 MD5 Checksum를 이용해서 파일이 잘 복사 되었는지 확인합니다. 만약에 파일이 깨진 상태에서 Upgrdae 업그레이드 하면 Upgrade가 Failed하고 Rommon mode로 빠질수 있습니다. 꼭 업그레이드 또는 다운그레이드 전에 파일 복사 후 MD5 체크섬을 확인 합니다.

C8200 라우터 Firmware Install 방식은 2가지가 있습니다.

1. ios xe file를 파일로 복사하고 boot config를 통해서 부팅 시키는 방법

2. install mode로 펌웨어를 설치하는 방법

현재 라우터 install mode인지 레거시 모드인지 확인하는 방법

아래처럼 표시 되면 install mode입니다.

Router#show install summary
[ R0 ] Installed Package(s) Information:
State (St): I - Inactive, U - Activated & Uncommitted,
            C - Activated & Committed, D - Deactivated & Uncommitted
--------------------------------------------------------------------------------
Type  St   Filename/Version
--------------------------------------------------------------------------------
IMG   C    17.06.06a.0.6

--------------------------------------------------------------------------------
Auto abort timer: inactive
--------------------------------------------------------------------------------

Router#

또는 Bin 파일이 없고, Package 파일만 보이면 install mode입니다.

Router#dir flash:
Directory of bootflash:/

429089  drwx            57344  Feb 10 2025 05:32:00 +00:00  tracelogs
267169  drwx             4096  Feb 10 2025 05:19:36 +00:00  pnp-tech
11      -rw-              248  Feb 10 2025 05:19:29 +00:00  .iox_dir_list
412897  drwx             4096  Feb 10 2025 05:19:23 +00:00  license_evlog
24295   -rw-               30  Feb 10 2025 05:18:46 +00:00  throughput_monitor_params
24292   -rw-           134899  Feb 10 2025 05:18:40 +00:00  memleak.tcl
24290   -rw-             1092  Feb 10 2025 05:18:09 +00:00  mode_event_log
89057   drwx             4096  Feb 10 2025 05:17:48 +00:00  .installer
12      drwx             4096  Feb 10 2025 04:29:43 +00:00  lost+found
226689  drwx             4096  Aug 26 2024 16:49:41 +00:00  .prst_sync
275265  drwx             4096  Aug 26 2024 16:42:04 +00:00  .dbpersist
437185  drwx             4096  Aug 26 2024 16:33:30 +00:00  sysboot
420993  drwx             4096  Aug 26 2024 16:31:49 +00:00  .rollback_timer
291458  -rw-             9338  Aug 26 2024 16:28:08 +00:00  packages.conf
291478  -rw-         43301928  Aug 26 2024 16:28:08 +00:00  c8000be-rpboot.17.06.06a.SPA.pkg
291477  -rw-        623141956  Aug 26 2024 16:27:18 +00:00  c8000be-mono-universalk9.17.06.06a.SPA.pkg
291476  -rw-           156728  Aug 26 2024 16:27:07 +00:00  c8000be-firmware_sm_nim_adpt.17.06.06a.SPA.pkg
291475  -rw-          2094136  Aug 26 2024 16:27:07 +00:00  c8000be-firmware_sm_dsp_sp2700.17.06.06a.SPA.pkg
291474  -rw-         14259252  Aug 26 2024 16:27:07 +00:00  c8000be-firmware_sm_async.17.06.06a.SPA.pkg
291473  -rw-         11093044  Aug 26 2024 16:27:07 +00:00  c8000be-firmware_sm_1t3e3.17.06.06a.SPA.pkg
291472  -rw-          2475056  Aug 26 2024 16:27:07 +00:00  c8000be-firmware_sm_10g.17.06.06a.SPA.pkg
291471  -rw-         10253360  Aug 26 2024 16:27:07 +00:00  c8000be-firmware_prince.17.06.06a.SPA.pkg
291470  -rw-          5571636  Aug 26 2024 16:27:07 +00:00  c8000be-firmware_nim_xdsl.17.06.06a.SPA.pkg
291469  -rw-          5334068  Aug 26 2024 16:27:06 +00:00  c8000be-firmware_nim_ssd.17.06.06a.SPA.pkg
291468  -rw-         11523124  Aug 26 2024 16:27:06 +00:00  c8000be-firmware_nim_shdsl.17.06.06a.SPA.pkg
291467  -rw-          2966576  Aug 26 2024 16:27:06 +00:00  c8000be-firmware_nim_ge.17.06.06a.SPA.pkg
291466  -rw-         17646644  Aug 26 2024 16:27:06 +00:00  c8000be-firmware_nim_cwan.17.06.06a.SPA.pkg
291465  -rw-          4793400  Aug 26 2024 16:27:06 +00:00  c8000be-firmware_nim_bri_st_fw.17.06.06a.SPA.pkg
291464  -rw-         12870708  Aug 26 2024 16:27:06 +00:00  c8000be-firmware_nim_async.17.06.06a.SPA.pkg
291463  -rw-         11310132  Aug 26 2024 16:27:05 +00:00  c8000be-firmware_ngwic_t1e1.17.06.06a.SPA.pkg
291462  -rw-         18342964  Aug 26 2024 16:27:05 +00:00  c8000be-firmware_dsp_tilegx.17.06.06a.SPA.pkg
291461  -rw-          1963060  Aug 26 2024 16:27:05 +00:00  c8000be-firmware_dsp_sp2700.17.06.06a.SPA.pkg
291460  -rw-          6681656  Aug 26 2024 16:27:05 +00:00  c8000be-firmware_dsp_analogbri.17.06.06a.SPA.pkg
291459  -rw-            54324  Aug 26 2024 16:27:05 +00:00  c8000be-firmware_dreamliner.17.06.06a.SPA.pkg
186209  drwx             4096  Aug 26 2024 16:20:23 +00:00  iox_host_data_share
364321  drwx             4096  Aug 26 2024 16:20:17 +00:00  core
210497  drwx             4096  Aug 26 2024 16:20:02 +00:00  guest-share
170017  drwx             4096  Aug 26 2024 16:19:55 +00:00  onep
129537  drwx             4096  Aug 26 2024 16:19:54 +00:00  pnp-info
121441  drwx             4096  Aug 26 2024 16:19:23 +00:00  virtual-instance
24294   -rw-             1923  Aug 26 2024 16:19:18 +00:00  trustidrootx3_ca_092024.ca
24293   -rw-            20109  Aug 26 2024 16:19:18 +00:00  ios_core.p7b
340033  drwx             4096  Aug 26 2024 16:19:03 +00:00  ss_disc
24291   -rw-          5242880  Aug 26 2024 16:19:03 +00:00  ssd
307649  drwx             4096  Aug 26 2024 16:18:49 +00:00  .ssh

7361155072 bytes total (6161752064 bytes free)
Router#

그럼 Firmware Upgrade를 합니다.

1. USB를 C8200 Router에 연결 합니다.

아래처럼 로그가 발생하면 정상적으로 usb가 인식 되었습니다.

Router#
*Feb 10 05:34:02.622: %IOSD_INFRA-6-IFS_DEVICE_OIR: Device usb0 added

Router#dir usb0:/TC_8200
Directory of usb0:/TC_8200/

819 -rwx 859360566 Feb 10 2025 12:36:56 +00:00 c8000be-universalk9.17.09.05e.SPA.bin

2. 파일 복사하기

Router#copy usb0:/TC_8200/c8000be-universalk9.17.09.05e.SPA.bin flash:
Destination filename [c8000be-universalk9.17.09.05e.SPA.bin]?
Copy in progress...CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
859360566 bytes copied in 40.479 secs (21229787 bytes/sec)
Router#

파일 확인하기

아래 c8000be-universalk9.17.09.05e.SPA.bin 복사 되었습니다.

Router#dir flash:
Directory of bootflash:/

429089  drwx            57344  Feb 10 2025 06:07:00 +00:00  tracelogs
13      -rw-        859360566  Feb 10 2025 06:06:59 +00:00  c8000be-universalk9.17.09.05e.SPA.bin
267169  drwx             4096  Feb 10 2025 05:19:36 +00:00  pnp-tech
11      -rw-              248  Feb 10 2025 05:19:29 +00:00  .iox_dir_list
412897  drwx             4096  Feb 10 2025 05:19:23 +00:00  license_evlog
24295   -rw-               30  Feb 10 2025 05:18:46 +00:00  throughput_monitor_params
24292   -rw-           134899  Feb 10 2025 05:18:40 +00:00  memleak.tcl
24290   -rw-             1092  Feb 10 2025 05:18:09 +00:00  mode_event_log
89057   drwx             4096  Feb 10 2025 05:17:48 +00:00  .installer
12      drwx             4096  Feb 10 2025 04:29:43 +00:00  lost+found
226689  drwx             4096  Aug 26 2024 16:49:41 +00:00  .prst_sync
275265  drwx             4096  Aug 26 2024 16:42:04 +00:00  .dbpersist
437185  drwx             4096  Aug 26 2024 16:33:30 +00:00  sysboot
420993  drwx             4096  Aug 26 2024 16:31:49 +00:00  .rollback_timer
291458  -rw-             9338  Aug 26 2024 16:28:08 +00:00  packages.conf
291478  -rw-         43301928  Aug 26 2024 16:28:08 +00:00  c8000be-rpboot.17.06.06a.SPA.pkg
291477  -rw-        623141956  Aug 26 2024 16:27:18 +00:00  c8000be-mono-universalk9.17.06.06a.SPA.pkg
291476  -rw-           156728  Aug 26 2024 16:27:07 +00:00  c8000be-firmware_sm_nim_adpt.17.06.06a.SPA.pkg
291475  -rw-          2094136  Aug 26 2024 16:27:07 +00:00  c8000be-firmware_sm_dsp_sp2700.17.06.06a.SPA.pkg
291474  -rw-         14259252  Aug 26 2024 16:27:07 +00:00  c8000be-firmware_sm_async.17.06.06a.SPA.pkg
291473  -rw-         11093044  Aug 26 2024 16:27:07 +00:00  c8000be-firmware_sm_1t3e3.17.06.06a.SPA.pkg
291472  -rw-          2475056  Aug 26 2024 16:27:07 +00:00  c8000be-firmware_sm_10g.17.06.06a.SPA.pkg
291471  -rw-         10253360  Aug 26 2024 16:27:07 +00:00  c8000be-firmware_prince.17.06.06a.SPA.pkg
291470  -rw-          5571636  Aug 26 2024 16:27:07 +00:00  c8000be-firmware_nim_xdsl.17.06.06a.SPA.pkg
291469  -rw-          5334068  Aug 26 2024 16:27:06 +00:00  c8000be-firmware_nim_ssd.17.06.06a.SPA.pkg
291468  -rw-         11523124  Aug 26 2024 16:27:06 +00:00  c8000be-firmware_nim_shdsl.17.06.06a.SPA.pkg
291467  -rw-          2966576  Aug 26 2024 16:27:06 +00:00  c8000be-firmware_nim_ge.17.06.06a.SPA.pkg
291466  -rw-         17646644  Aug 26 2024 16:27:06 +00:00  c8000be-firmware_nim_cwan.17.06.06a.SPA.pkg
291465  -rw-          4793400  Aug 26 2024 16:27:06 +00:00  c8000be-firmware_nim_bri_st_fw.17.06.06a.SPA.pkg
291464  -rw-         12870708  Aug 26 2024 16:27:06 +00:00  c8000be-firmware_nim_async.17.06.06a.SPA.pkg
291463  -rw-         11310132  Aug 26 2024 16:27:05 +00:00  c8000be-firmware_ngwic_t1e1.17.06.06a.SPA.pkg
291462  -rw-         18342964  Aug 26 2024 16:27:05 +00:00  c8000be-firmware_dsp_tilegx.17.06.06a.SPA.pkg
291461  -rw-          1963060  Aug 26 2024 16:27:05 +00:00  c8000be-firmware_dsp_sp2700.17.06.06a.SPA.pkg
291460  -rw-          6681656  Aug 26 2024 16:27:05 +00:00  c8000be-firmware_dsp_analogbri.17.06.06a.SPA.pkg
291459  -rw-            54324  Aug 26 2024 16:27:05 +00:00  c8000be-firmware_dreamliner.17.06.06a.SPA.pkg
186209  drwx             4096  Aug 26 2024 16:20:23 +00:00  iox_host_data_share
364321  drwx             4096  Aug 26 2024 16:20:17 +00:00  core
210497  drwx             4096  Aug 26 2024 16:20:02 +00:00  guest-share
170017  drwx             4096  Aug 26 2024 16:19:55 +00:00  onep
129537  drwx             4096  Aug 26 2024 16:19:54 +00:00  pnp-info
121441  drwx             4096  Aug 26 2024 16:19:23 +00:00  virtual-instance
24294   -rw-             1923  Aug 26 2024 16:19:18 +00:00  trustidrootx3_ca_092024.ca
24293   -rw-            20109  Aug 26 2024 16:19:18 +00:00  ios_core.p7b
340033  drwx             4096  Aug 26 2024 16:19:03 +00:00  ss_disc
24291   -rw-          5242880  Aug 26 2024 16:19:03 +00:00  ssd
307649  drwx             4096  Aug 26 2024 16:18:49 +00:00  .ssh

7361155072 bytes total (5311582208 bytes free)
Router#

3. MD5 Checksum 확인

789f0f212ccd155b8aef19ce93c8476e

Router#verify /md5 flash:/c8000be-universalk9.17.09.05e.SPA.bin
.............................................................................................................................................................................................
.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................Done!
verify /md5 (bootflash:/c8000be-universalk9.17.09.05e.SPA.bin) = 789f0f212ccd155b8aef19ce93c8476e

Router#

파일이 잘 복사 되었습니다.

4. 이제 새로운 ios xe를 설치 합니다.

SUMMARY STEPS

enable
install add file location: filename
show install summary
install activate [auto-abort-timer <time>]
install abort
install commit
install rollback to committed
install remove {file filesystem: filename | inactive}
show install summary
exit

install add file flash:c8000be-universalk9.17.09.05e.SPA.bin activate commit

System configuration has been modified.
Press Yes(y) to save the configuration and proceed.
Press No(n) for proceeding without saving the configuration.
Press Quit(q) to exit, you may save configuration and re-enter the command. [y/n/q] y
Building configuration...
[OK]Modified configuration has been saved

*Feb 10 06:15:04.641: %SYS-6-PRIVCFG_ENCRYPT_SUCCESS: Successfully encrypted private config file
*Feb 10 06:15:05.160: %INSTALL-5-INSTALL_START_INFO: R0/0: install_engine: Started install one-shot bootflash:c8000be-universalk9.17.09.05e.SPA.bininstall_add_activate_commit: Adding PACKAGE
install_add_activate_commit: Checking whether new add is allowed ....

--- Starting Add ---
Performing Add on Active/Standby
  [1] Add package(s) on R0
  [1] Finished Add on R0
Checking status of Add on [R0]
Add: Passed on [R0]
Finished Add

Image added. Version: 17.09.05e.0.80
install_add_activate_commit: Activating PACKAGE

*Feb 10 06:19:52.040: %EVENTLIB-3-CPUHOG: C0/0: iomd: uipeer downlink listener: 1520ms, Traceback=1#150f3a63e6e344df147a5440723734c6  evlib:7F79718AB000+A1D6 c:7F793381E000+3B3B0 ld-linux-x86-64:7F7983E83000+A974 ld-linux-x86-64:7F7983E83000+B4C5 ld-linux-x86-64:7F7983E83000+10085 ld-linux-x86-64:7F7983E83000+16BCA bipc:7F7972F08000+A381 bipc:7F7972F08000+412F uipeer:7F79739AB000+1EF7C evlib:7F79718AB000+8E16 evlib:7F79718AB000+9B60Following packages shall be activated:
/bootflash/c8000be-rpboot.17.09.05e.SPA.pkg
/bootflash/c8000be-mono-universalk9.17.09.05e.SPA.pkg
/bootflash/c8000be-firmware_sm_nim_adpt.17.09.05e.SPA.pkg
/bootflash/c8000be-firmware_sm_dsp_sp2700.17.09.05e.SPA.pkg
/bootflash/c8000be-firmware_sm_async.17.09.05e.SPA.pkg
/bootflash/c8000be-firmware_sm_1t3e3.17.09.05e.SPA.pkg
/bootflash/c8000be-firmware_sm_10g.17.09.05e.SPA.pkg
/bootflash/c8000be-firmware_prince.17.09.05e.SPA.pkg
/bootflash/c8000be-firmware_nim_xdsl.17.09.05e.SPA.pkg
/bootflash/c8000be-firmware_nim_ssd.17.09.05e.SPA.pkg
/bootflash/c8000be-firmware_nim_shdsl.17.09.05e.SPA.pkg
/bootflash/c8000be-firmware_nim_ge.17.09.05e.SPA.pkg
/bootflash/c8000be-firmware_nim_cwan.17.09.05e.SPA.pkg
/bootflash/c8000be-firmware_nim_bri_st_fw.17.09.05e.SPA.pkg
/bootflash/c8000be-firmware_nim_async.17.09.05e.SPA.pkg
/bootflash/c8000be-firmware_ngwic_t1e1.17.09.05e.SPA.pkg
/bootflash/c8000be-firmware_dsp_tilegx.17.09.05e.SPA.pkg
/bootflash/c8000be-firmware_dsp_sp2700.17.09.05e.SPA.pkg
/bootflash/c8000be-firmware_dsp_analogbri.17.09.05e.SPA.pkg
/bootflash/c8000be-firmware_dreamliner.17.09.05e.SPA.pkg

This operation may require a reload of the system. Do you want to proceed? [y/n] y
--- Starting Activate ---
Performing Activate on Active/Standby

재부팅이 완료 될때까지 기다립니다.

5. Version 확인

Router# show install summary
[ R0 ] Installed Package(s) Information:
State (St): I - Inactive, U - Activated & Uncommitted,
            C - Activated & Committed, D - Deactivated & Uncommitted
--------------------------------------------------------------------------------
Type  St   Filename/Version
--------------------------------------------------------------------------------
IMG   C    17.09.05e.0.80

--------------------------------------------------------------------------------
Auto abort timer: inactive
--------------------------------------------------------------------------------

Router#

6. 기존에 Package가 Flash:에 존재 합니다. 필요없는 파일은 삭제합니다.

Router#dir flash:
Directory of bootflash:/

89057   drwx             4096  Feb 10 2025 06:29:40 +00:00  .installer
412897  drwx             4096  Feb 10 2025 06:28:09 +00:00  license_evlog
24295   -rw-               30  Feb 10 2025 06:28:09 +00:00  throughput_monitor_params
24292   -rw-           137940  Feb 10 2025 06:28:05 +00:00  memleak.tcl
226689  drwx             4096  Feb 10 2025 06:27:59 +00:00  .prst_sync
24289   -rw-             1939  Feb 10 2025 06:27:50 +00:00  trustidrootx3_ca_062035.ca
24290   -rwx             1274  Feb 10 2025 06:27:45 +00:00  mode_event_log
429089  drwx            57344  Feb 10 2025 06:27:42 +00:00  tracelogs
64769   drwx             4096  Feb 10 2025 06:27:04 +00:00  SHARED-IOX
420993  drwx             4096  Feb 10 2025 06:25:25 +00:00  .rollback_timer
16      -rw-             9330  Feb 10 2025 06:24:28 +00:00  packages.conf
404802  -rw-             9330  Feb 10 2025 06:18:05 +00:00  c8000be-universalk9.17.09.05e.SPA.conf
226691  -rw-         38283450  Feb 10 2025 06:18:05 +00:00  c8000be-rpboot.17.09.05e.SPA.pkg
404821  -rw-        679469056  Feb 10 2025 06:17:20 +00:00  c8000be-mono-universalk9.17.09.05e.SPA.pkg
404820  -rw-           167936  Feb 10 2025 06:17:08 +00:00  c8000be-firmware_sm_nim_adpt.17.09.05e.SPA.pkg
404819  -rw-          2138112  Feb 10 2025 06:17:08 +00:00  c8000be-firmware_sm_dsp_sp2700.17.09.05e.SPA.pkg
404818  -rw-         14557184  Feb 10 2025 06:17:08 +00:00  c8000be-firmware_sm_async.17.09.05e.SPA.pkg
404817  -rw-         11366400  Feb 10 2025 06:17:07 +00:00  c8000be-firmware_sm_1t3e3.17.09.05e.SPA.pkg
404816  -rw-          2535424  Feb 10 2025 06:17:07 +00:00  c8000be-firmware_sm_10g.17.09.05e.SPA.pkg
404815  -rw-         10432512  Feb 10 2025 06:17:07 +00:00  c8000be-firmware_prince.17.09.05e.SPA.pkg
404814  -rw-          5677056  Feb 10 2025 06:17:07 +00:00  c8000be-firmware_nim_xdsl.17.09.05e.SPA.pkg
404813  -rw-          5431296  Feb 10 2025 06:17:07 +00:00  c8000be-firmware_nim_ssd.17.09.05e.SPA.pkg
404812  -rw-         11714560  Feb 10 2025 06:17:07 +00:00  c8000be-firmware_nim_shdsl.17.09.05e.SPA.pkg
404811  -rw-          2994176  Feb 10 2025 06:17:06 +00:00  c8000be-firmware_nim_ge.17.09.05e.SPA.pkg
404810  -rw-         17960960  Feb 10 2025 06:17:06 +00:00  c8000be-firmware_nim_cwan.17.09.05e.SPA.pkg
404809  -rw-          4894720  Feb 10 2025 06:17:06 +00:00  c8000be-firmware_nim_bri_st_fw.17.09.05e.SPA.pkg
404808  -rw-         13139968  Feb 10 2025 06:17:06 +00:00  c8000be-firmware_nim_async.17.09.05e.SPA.pkg
404807  -rw-         11497472  Feb 10 2025 06:17:05 +00:00  c8000be-firmware_ngwic_t1e1.17.09.05e.SPA.pkg
404806  -rw-         18649088  Feb 10 2025 06:17:05 +00:00  c8000be-firmware_dsp_tilegx.17.09.05e.SPA.pkg
404805  -rw-          2007040  Feb 10 2025 06:17:04 +00:00  c8000be-firmware_dsp_sp2700.17.09.05e.SPA.pkg
404804  -rw-          6799360  Feb 10 2025 06:17:04 +00:00  c8000be-firmware_dsp_analogbri.17.09.05e.SPA.pkg
404803  -rw-            65536  Feb 10 2025 06:17:04 +00:00  c8000be-firmware_dreamliner.17.09.05e.SPA.pkg
13      -rw-        859360566  Feb 10 2025 06:06:59 +00:00  c8000be-universalk9.17.09.05e.SPA.bin
267169  drwx             4096  Feb 10 2025 05:19:36 +00:00  pnp-tech
11      -rw-              248  Feb 10 2025 05:19:29 +00:00  .iox_dir_list
12      drwx             4096  Feb 10 2025 04:29:43 +00:00  lost+found
275265  drwx             4096  Aug 26 2024 16:42:04 +00:00  .dbpersist
437185  drwx             4096  Aug 26 2024 16:33:30 +00:00  sysboot
291478  -rw-         43301928  Aug 26 2024 16:28:08 +00:00  c8000be-rpboot.17.06.06a.SPA.pkg
291477  -rw-        623141956  Aug 26 2024 16:27:18 +00:00  c8000be-mono-universalk9.17.06.06a.SPA.pkg
291476  -rw-           156728  Aug 26 2024 16:27:07 +00:00  c8000be-firmware_sm_nim_adpt.17.06.06a.SPA.pkg
291475  -rw-          2094136  Aug 26 2024 16:27:07 +00:00  c8000be-firmware_sm_dsp_sp2700.17.06.06a.SPA.pkg
291474  -rw-         14259252  Aug 26 2024 16:27:07 +00:00  c8000be-firmware_sm_async.17.06.06a.SPA.pkg
291473  -rw-         11093044  Aug 26 2024 16:27:07 +00:00  c8000be-firmware_sm_1t3e3.17.06.06a.SPA.pkg
291472  -rw-          2475056  Aug 26 2024 16:27:07 +00:00  c8000be-firmware_sm_10g.17.06.06a.SPA.pkg
291471  -rw-         10253360  Aug 26 2024 16:27:07 +00:00  c8000be-firmware_prince.17.06.06a.SPA.pkg
291470  -rw-          5571636  Aug 26 2024 16:27:07 +00:00  c8000be-firmware_nim_xdsl.17.06.06a.SPA.pkg
291469  -rw-          5334068  Aug 26 2024 16:27:06 +00:00  c8000be-firmware_nim_ssd.17.06.06a.SPA.pkg
291468  -rw-         11523124  Aug 26 2024 16:27:06 +00:00  c8000be-firmware_nim_shdsl.17.06.06a.SPA.pkg
291467  -rw-          2966576  Aug 26 2024 16:27:06 +00:00  c8000be-firmware_nim_ge.17.06.06a.SPA.pkg
291466  -rw-         17646644  Aug 26 2024 16:27:06 +00:00  c8000be-firmware_nim_cwan.17.06.06a.SPA.pkg
291465  -rw-          4793400  Aug 26 2024 16:27:06 +00:00  c8000be-firmware_nim_bri_st_fw.17.06.06a.SPA.pkg
291464  -rw-         12870708  Aug 26 2024 16:27:06 +00:00  c8000be-firmware_nim_async.17.06.06a.SPA.pkg
291463  -rw-         11310132  Aug 26 2024 16:27:05 +00:00  c8000be-firmware_ngwic_t1e1.17.06.06a.SPA.pkg
291462  -rw-         18342964  Aug 26 2024 16:27:05 +00:00  c8000be-firmware_dsp_tilegx.17.06.06a.SPA.pkg
291461  -rw-          1963060  Aug 26 2024 16:27:05 +00:00  c8000be-firmware_dsp_sp2700.17.06.06a.SPA.pkg
291460  -rw-          6681656  Aug 26 2024 16:27:05 +00:00  c8000be-firmware_dsp_analogbri.17.06.06a.SPA.pkg
291459  -rw-            54324  Aug 26 2024 16:27:05 +00:00  c8000be-firmware_dreamliner.17.06.06a.SPA.pkg
186209  drwx             4096  Aug 26 2024 16:20:23 +00:00  iox_host_data_share
364321  drwx             4096  Aug 26 2024 16:20:17 +00:00  core
210497  drwx             4096  Aug 26 2024 16:20:02 +00:00  guest-share
170017  drwx             4096  Aug 26 2024 16:19:55 +00:00  onep
129537  drwx             4096  Aug 26 2024 16:19:54 +00:00  pnp-info
121441  drwx             4096  Aug 26 2024 16:19:23 +00:00  virtual-instance
24294   -rw-             1923  Aug 26 2024 16:19:18 +00:00  trustidrootx3_ca_092024.ca
24293   -rw-            20109  Aug 26 2024 16:19:18 +00:00  ios_core.p7b
24291   -rw-          5242880  Aug 26 2024 16:19:03 +00:00  ssd
307649  drwx             4096  Aug 26 2024 16:18:49 +00:00  .ssh

Router#install remove inactive
install_remove: START Mon Feb 10 06:34:40 UTC 2025
install_remove: Removing IMG
Cleaning up unnecessary package files
No path specified, will use booted path /bootflash/packages.conf

Cleaning /bootflash
  Scanning boot directory for packages ... done.
  Preparing packages list to delete ...
    [R0]: /bootflash/packages.conf File is in use, will not delete.
    [R0]: /bootflash/c8000be-firmware_dreamliner.17.09.05e.SPA.pkg File is in use, will not delete.
    [R0]: /bootflash/c8000be-firmware_dsp_analogbri.17.09.05e.SPA.pkg File is in use, will not delete.
    [R0]: /bootflash/c8000be-firmware_dsp_sp2700.17.09.05e.SPA.pkg File is in use, will not delete.
    [R0]: /bootflash/c8000be-firmware_dsp_tilegx.17.09.05e.SPA.pkg File is in use, will not delete.
    [R0]: /bootflash/c8000be-firmware_ngwic_t1e1.17.09.05e.SPA.pkg File is in use, will not delete.
    [R0]: /bootflash/c8000be-firmware_nim_async.17.09.05e.SPA.pkg File is in use, will not delete.
    [R0]: /bootflash/c8000be-firmware_nim_bri_st_fw.17.09.05e.SPA.pkg File is in use, will not delete.
    [R0]: /bootflash/c8000be-firmware_nim_cwan.17.09.05e.SPA.pkg File is in use, will not delete.
    [R0]: /bootflash/c8000be-firmware_nim_ge.17.09.05e.SPA.pkg File is in use, will not delete.
    [R0]: /bootflash/c8000be-firmware_nim_shdsl.17.09.05e.SPA.pkg File is in use, will not delete.
    [R0]: /bootflash/c8000be-firmware_nim_ssd.17.09.05e.SPA.pkg File is in use, will not delete.
    [R0]: /bootflash/c8000be-firmware_nim_xdsl.17.09.05e.SPA.pkg File is in use, will not delete.
    [R0]: /bootflash/c8000be-firmware_prince.17.09.05e.SPA.pkg File is in use, will not delete.
    [R0]: /bootflash/c8000be-firmware_sm_10g.17.09.05e.SPA.pkg File is in use, will not delete.
    [R0]: /bootflash/c8000be-firmware_sm_1t3e3.17.09.05e.SPA.pkg File is in use, will not delete.
    [R0]: /bootflash/c8000be-firmware_sm_async.17.09.05e.SPA.pkg File is in use, will not delete.
    [R0]: /bootflash/c8000be-firmware_sm_dsp_sp2700.17.09.05e.SPA.pkg File is in use, will not delete.
    [R0]: /bootflash/c8000be-firmware_sm_nim_adpt.17.09.05e.SPA.pkg File is in use, will not delete.
    [R0]: /bootflash/c8000be-mono-universalk9.17.09.05e.SPA.pkg File is in use, will not delete.
    [R0]: /bootflash/c8000be-rpboot.17.09.05e.SPA.pkg File is in use, will not delete.
    [R0]: /bootflash/c8000be-universalk9.17.09.05e.SPA.conf File is in use, will not delete.

The following files will be deleted:
    [R0]: /bootflash/c8000be-firmware_dreamliner.17.06.06a.SPA.pkg
    [R0]: /bootflash/c8000be-firmware_dsp_analogbri.17.06.06a.SPA.pkg
    [R0]: /bootflash/c8000be-firmware_dsp_sp2700.17.06.06a.SPA.pkg
    [R0]: /bootflash/c8000be-firmware_dsp_tilegx.17.06.06a.SPA.pkg
    [R0]: /bootflash/c8000be-firmware_ngwic_t1e1.17.06.06a.SPA.pkg
    [R0]: /bootflash/c8000be-firmware_nim_async.17.06.06a.SPA.pkg
    [R0]: /bootflash/c8000be-firmware_nim_bri_st_fw.17.06.06a.SPA.pkg
    [R0]: /bootflash/c8000be-firmware_nim_cwan.17.06.06a.SPA.pkg
    [R0]: /bootflash/c8000be-firmware_nim_ge.17.06.06a.SPA.pkg
    [R0]: /bootflash/c8000be-firmware_nim_shdsl.17.06.06a.SPA.pkg
    [R0]: /bootflash/c8000be-firmware_nim_ssd.17.06.06a.SPA.pkg
    [R0]: /bootflash/c8000be-firmware_nim_xdsl.17.06.06a.SPA.pkg
    [R0]: /bootflash/c8000be-firmware_prince.17.06.06a.SPA.pkg
    [R0]: /bootflash/c8000be-firmware_sm_10g.17.06.06a.SPA.pkg
    [R0]: /bootflash/c8000be-firmware_sm_1t3e3.17.06.06a.SPA.pkg
    [R0]: /bootflash/c8000be-firmware_sm_async.17.06.06a.SPA.pkg
    [R0]: /bootflash/c8000be-firmware_sm_dsp_sp2700.17.06.06a.SPA.pkg
    [R0]: /bootflash/c8000be-firmware_sm_nim_adpt.17.06.06a.SPA.pkg
    [R0]: /bootflash/c8000be-mono-universalk9.17.06.06a.SPA.pkg
    [R0]: /bootflash/c8000be-rpboot.17.06.06a.SPA.pkg
    [R0]: /bootflash/c8000be-universalk9.17.09.05e.SPA.bin

Do you want to remove the above files?
                                      *Feb 10 06:34:40.411: %INSTALL-5-INSTALL_START_INFO: R0/0: install_mgr: Started install remove [y/n]y

Deleting file /bootflash/c8000be-firmware_dreamliner.17.06.06a.SPA.pkg ... done.
Deleting file /bootflash/c8000be-firmware_dsp_analogbri.17.06.06a.SPA.pkg ... done.
Deleting file /bootflash/c8000be-firmware_dsp_sp2700.17.06.06a.SPA.pkg ... done.
Deleting file /bootflash/c8000be-firmware_dsp_tilegx.17.06.06a.SPA.pkg ... done.
Deleting file /bootflash/c8000be-firmware_ngwic_t1e1.17.06.06a.SPA.pkg ... done.
Deleting file /bootflash/c8000be-firmware_nim_async.17.06.06a.SPA.pkg ... done.
Deleting file /bootflash/c8000be-firmware_nim_bri_st_fw.17.06.06a.SPA.pkg ... done.
Deleting file /bootflash/c8000be-firmware_nim_cwan.17.06.06a.SPA.pkg ... done.
Deleting file /bootflash/c8000be-firmware_nim_ge.17.06.06a.SPA.pkg ... done.
Deleting file /bootflash/c8000be-firmware_nim_shdsl.17.06.06a.SPA.pkg ... done.
Deleting file /bootflash/c8000be-firmware_nim_ssd.17.06.06a.SPA.pkg ... done.
Deleting file /bootflash/c8000be-firmware_nim_xdsl.17.06.06a.SPA.pkg ... done.
Deleting file /bootflash/c8000be-firmware_prince.17.06.06a.SPA.pkg ... done.
Deleting file /bootflash/c8000be-firmware_sm_10g.17.06.06a.SPA.pkg ... done.
Deleting file /bootflash/c8000be-firmware_sm_1t3e3.17.06.06a.SPA.pkg ... done.
Deleting file /bootflash/c8000be-firmware_sm_async.17.06.06a.SPA.pkg ... done.
Deleting file /bootflash/c8000be-firmware_sm_dsp_sp2700.17.06.06a.SPA.pkg ... done.
Deleting file /bootflash/c8000be-firmware_sm_nim_adpt.17.06.06a.SPA.pkg ... done.
Deleting file /bootflash/c8000be-mono-universalk9.17.06.06a.SPA.pkg ... done.
Deleting file /bootflash/c8000be-rpboot.17.06.06a.SPA.pkg ... done.
Deleting file /bootflash/c8000be-universalk9.17.09.05e.SPA.bin ... done.
SUCCESS: Files deleted.

--- Starting Post_Remove_Cleanup ---
Performing REMOVE_POSTCHECK on all members
Finished Post_Remove_Cleanup
SUCCESS: install_remove Mon Feb 10 06:35:12 UTC 2025

Router#
*Feb 10 06:35:12.911: %INSTALL-5-INSTALL_COMPLETED_INFO: R0/0: install_mgr: Completed install remove
Router#
Router#
Router#
Router#
Router#
Router#
Router#
Router#dir flash:
Directory of bootflash:/

89057   drwx             4096  Feb 10 2025 06:35:13 +00:00  .installer
412897  drwx             4096  Feb 10 2025 06:28:09 +00:00  license_evlog
24295   -rw-               30  Feb 10 2025 06:28:09 +00:00  throughput_monitor_params
24292   -rw-           137940  Feb 10 2025 06:28:05 +00:00  memleak.tcl
226689  drwx             4096  Feb 10 2025 06:27:59 +00:00  .prst_sync
24289   -rw-             1939  Feb 10 2025 06:27:50 +00:00  trustidrootx3_ca_062035.ca
24290   -rwx             1274  Feb 10 2025 06:27:45 +00:00  mode_event_log
429089  drwx            57344  Feb 10 2025 06:27:42 +00:00  tracelogs
64769   drwx             4096  Feb 10 2025 06:27:04 +00:00  SHARED-IOX
420993  drwx             4096  Feb 10 2025 06:25:25 +00:00  .rollback_timer
16      -rw-             9330  Feb 10 2025 06:24:28 +00:00  packages.conf
404802  -rw-             9330  Feb 10 2025 06:18:05 +00:00  c8000be-universalk9.17.09.05e.SPA.conf
226691  -rw-         38283450  Feb 10 2025 06:18:05 +00:00  c8000be-rpboot.17.09.05e.SPA.pkg
404821  -rw-        679469056  Feb 10 2025 06:17:20 +00:00  c8000be-mono-universalk9.17.09.05e.SPA.pkg
404820  -rw-           167936  Feb 10 2025 06:17:08 +00:00  c8000be-firmware_sm_nim_adpt.17.09.05e.SPA.pkg
404819  -rw-          2138112  Feb 10 2025 06:17:08 +00:00  c8000be-firmware_sm_dsp_sp2700.17.09.05e.SPA.pkg
404818  -rw-         14557184  Feb 10 2025 06:17:08 +00:00  c8000be-firmware_sm_async.17.09.05e.SPA.pkg
404817  -rw-         11366400  Feb 10 2025 06:17:07 +00:00  c8000be-firmware_sm_1t3e3.17.09.05e.SPA.pkg
404816  -rw-          2535424  Feb 10 2025 06:17:07 +00:00  c8000be-firmware_sm_10g.17.09.05e.SPA.pkg
404815  -rw-         10432512  Feb 10 2025 06:17:07 +00:00  c8000be-firmware_prince.17.09.05e.SPA.pkg
404814  -rw-          5677056  Feb 10 2025 06:17:07 +00:00  c8000be-firmware_nim_xdsl.17.09.05e.SPA.pkg
404813  -rw-          5431296  Feb 10 2025 06:17:07 +00:00  c8000be-firmware_nim_ssd.17.09.05e.SPA.pkg
404812  -rw-         11714560  Feb 10 2025 06:17:07 +00:00  c8000be-firmware_nim_shdsl.17.09.05e.SPA.pkg
404811  -rw-          2994176  Feb 10 2025 06:17:06 +00:00  c8000be-firmware_nim_ge.17.09.05e.SPA.pkg
404810  -rw-         17960960  Feb 10 2025 06:17:06 +00:00  c8000be-firmware_nim_cwan.17.09.05e.SPA.pkg
404809  -rw-          4894720  Feb 10 2025 06:17:06 +00:00  c8000be-firmware_nim_bri_st_fw.17.09.05e.SPA.pkg
404808  -rw-         13139968  Feb 10 2025 06:17:06 +00:00  c8000be-firmware_nim_async.17.09.05e.SPA.pkg
404807  -rw-         11497472  Feb 10 2025 06:17:05 +00:00  c8000be-firmware_ngwic_t1e1.17.09.05e.SPA.pkg
404806  -rw-         18649088  Feb 10 2025 06:17:05 +00:00  c8000be-firmware_dsp_tilegx.17.09.05e.SPA.pkg
404805  -rw-          2007040  Feb 10 2025 06:17:04 +00:00  c8000be-firmware_dsp_sp2700.17.09.05e.SPA.pkg
404804  -rw-          6799360  Feb 10 2025 06:17:04 +00:00  c8000be-firmware_dsp_analogbri.17.09.05e.SPA.pkg
404803  -rw-            65536  Feb 10 2025 06:17:04 +00:00  c8000be-firmware_dreamliner.17.09.05e.SPA.pkg
267169  drwx             4096  Feb 10 2025 05:19:36 +00:00  pnp-tech
11      -rw-              248  Feb 10 2025 05:19:29 +00:00  .iox_dir_list
12      drwx             4096  Feb 10 2025 04:29:43 +00:00  lost+found
275265  drwx             4096  Aug 26 2024 16:42:04 +00:00  .dbpersist
437185  drwx             4096  Aug 26 2024 16:33:30 +00:00  sysboot
186209  drwx             4096  Aug 26 2024 16:20:23 +00:00  iox_host_data_share
364321  drwx             4096  Aug 26 2024 16:20:17 +00:00  core
210497  drwx             4096  Aug 26 2024 16:20:02 +00:00  guest-share
170017  drwx             4096  Aug 26 2024 16:19:55 +00:00  onep
129537  drwx             4096  Aug 26 2024 16:19:54 +00:00  pnp-info
121441  drwx             4096  Aug 26 2024 16:19:23 +00:00  virtual-instance
24294   -rw-             1923  Aug 26 2024 16:19:18 +00:00  trustidrootx3_ca_092024.ca
24293   -rw-            20109  Aug 26 2024 16:19:18 +00:00  ios_core.p7b
24291   -rw-          5242880  Aug 26 2024 16:19:03 +00:00  ssd
307649  drwx             4096  Aug 26 2024 16:18:49 +00:00  .ssh

7361155072 bytes total (6116417536 bytes free)
Router#

show version

Router#               show version
Cisco IOS XE Software, Version 17.09.05e
Cisco IOS Software [Cupertino], c8000be Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 17.9.5e, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2024 by Cisco Systems, Inc.
Compiled Thu 12-Dec-24 19:05 by mcpre

Cisco IOS-XE software, Copyright (c) 2005-2024 by cisco Systems, Inc.
All rights reserved.  Certain components of Cisco IOS-XE software are
licensed under the GNU General Public License ("GPL") Version 2.0.  The
software code licensed under GPL Version 2.0 is free software that comes
with ABSOLUTELY NO WARRANTY.  You can redistribute and/or modify such
GPL code under the terms of GPL Version 2.0.  For more details, see the
documentation or "License Notice" file accompanying the IOS-XE software,
or the applicable URL provided on the flyer accompanying the IOS-XE
software.

ROM: 17.6(8.1r)

Router uptime is 9 minutes
Uptime for this control processor is 9 minutes
System returned to ROM by Reload Command
System image file is "bootflash:packages.conf"
Last reload reason: Reload Command

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

Technology Package License Information:

-----------------------------------------------------------------
Technology     Type         Technology-package Technology-package
                            Current            Next Reboot
-----------------------------------------------------------------
Smart License  Perpetual    None               None
Smart License  Subscription None               None

The current crypto throughput level is 250000 kbps

Smart Licensing Status: Smart Licensing Using Policy

cisco C8200L-1N-4T (1RU) processor with 1653598K/6147K bytes of memory.
Processor board ID FGL2835L17V
Router operating mode: Autonomous
4 Gigabit Ethernet interfaces
32768K bytes of non-volatile configuration memory.
4194304K bytes of physical memory.
7245823K bytes of flash memory at bootflash:.

Configuration register is 0x2102

Router#

다시 한번 재부팅해서 제대로 부팅되는지 확인합니다.

Router#reload
Proceed with reload? [confirm]

*Feb 10 06:37:38.872: %SYS-5-RELOAD: Reload requested by console. Reload Reason: Reload Command.

정상적으로 부팅이 잘 됩니다.

지금까지 [2025][C8200] Router IOS XE upgrade 글을 읽어주셔서 감사합니다.

저작자표시

'CISCO > 라우팅' 카테고리의 다른 글

[2025][C8200][#3] Reset Smart license (0)	2025.03.04
[2025][C8200][#2] Register License to CSSM - smart licensing using policy (0)	2025.02.13
[ISR4221]-Performance License Install(PAK) (0)	2024.07.30
[ISR4221]-Cisco Router IOS Upgrade (2)	2024.07.29

내 블로그 - 관리자 홈 전환	`Q` `Q`
새 글 쓰기	`W` `W`

글 수정 (권한 있는 경우)	`E` `E`
댓글 영역으로 이동	`C` `C`

이 페이지의 URL 복사	`S` `S`
맨 위로 이동	`T` `T`
티스토리 홈 이동	`H` `H`
단축키 안내	`Shift` + `/` `⇧` + `/`