'분류 전체보기' 카테고리의 글 목록 (8 Page)

안녕하세요.

FTD MGMT IP: 192.168.100.11이고 PC에서 Ping도 잘 됩니다.

FTD GUI를 접속하면 아래와 같이 에러메시지 뜨면 해결 방법 입니다.

EVE-NG에서 FTD를 아이콘을 더블클릭 후 VNC안에서 명령어를 아래와 같이 입력합니다.

> configure manager local
> configure https-access-list 0.0.0.0/0

아래 처럼 접속 가능합니다.

만약에 곧바로 부팅후 접속 시도하면 위와 같이 에러 메시지 발생할수 있습니다.

10분정도 기다렸다가 다시 접속을 시도 합니다.

서버 또는 laptop 성능이 느리면 더 오래 걸릴수도 있습니다.

FTD를 중지 하고 CPU랑 MEM를 늘린후에 다시 부팅후 10분뒤에 접속을 다시 시도해 봅니다.

지금까지 글을 읽어주셔서 감사합니다.

저작자표시 (새창열림)

'CISCO > FTD 방화벽' 카테고리의 다른 글

[FTD#6]-FPR FTD ASA Version Order - FPR3105-ASA-K9 (2)	2025.06.07
[FTD#5]-FPR FTD Convert to ASA Code (0)	2025.06.02
[FTD-#4]- cisco asa code (0)	2025.02.02
[FTD-#3]- FTD managed by FMC (0)	2024.11.11
[FTD-#1]-FTD Basic Configuration (0)	2024.11.08

안녕하세요.

오늘은 FTD 기본 설정에 대해서 알아보겠습니다.

EVE-NG에 FTD를 설치 하기위해서는 아래 글을 참고 부탁드립니다.
https://itblog-kr.tistory.com/21

[2024][EVE-NG #11] Firepower(FTD) 방화벽 설치하기

안녕하세요. 오늘은 [2024][EVE-NG #11] Firepower6 (FTD) 방화벽 설치하기입니다. 1. 공식적인 사이트 링크는 아래와 같습니다. https://www.eve-ng.net/index.php/documentation/howtos/howto-add-cisco-firepower-6-x-images-set/

itblog-kr.tistory.com

FTD MGMT - Internet Connection - 192.168.10.231

g0/0 - Internet Connection - 192.168.10.232

g0/1 - LAN - Virtual PC에 연결 합니다. - 10.1.1.254/24

Virtual PC IP - 10.1.1.1/24

1. FTD를 부팅하고 더블클릭 합니다.

admin/Admin123 디폴트 로그인 정보입니다.

Enter를 입력합니다.

Enter를 입력합니다.

Password를 새로 입력합니다.

아래처럼 입력합니다.

IP: 192.168.10.231

Sunetmask; 255.255.255.0

Gw: 192.168.10.253

Manger the devies locally? yes를 입력합니다.

PC에서 Ping를 시도합니다.

https://192.168.10.231로 방화벽에 접속 합니다.

FTD를 로그인 합니다.

그렇게 장비 접속이 가능 합니다.

수동으로 장비를 설정할 예정입니다.

아래 처럼 디바이스 설정 건너뛰기를 선택하고 확인 버튼을 클릭합니다.

90일 평가 시작를 체크 하고 확인 버튼을 클릭합니다.

저작자표시 (새창열림)

'CISCO > FTD 방화벽' 카테고리의 다른 글

[FTD#6]-FPR FTD ASA Version Order - FPR3105-ASA-K9 (2)	2025.06.07
[FTD#5]-FPR FTD Convert to ASA Code (0)	2025.06.02
[FTD-#4]- cisco asa code (0)	2025.02.02
[FTD-#3]- FTD managed by FMC (0)	2024.11.11
[FTD-#2]-FTD GUI 503 service unavailable issue troubleshoot (0)	2024.11.08

안녕하세요.

이번에는 Site to Site VPN를 메뉴얼하게 설정해보겠습니다.

토폴로지는 아래와 같습니다.

FW01: WAN 192.168.100.1/24 port1

FW01 LAN port4

VL10 172.17.70.254/24

VL20 172.17.71.254/24

VL30 172.17.72.254/24

VL40 172.17.73.254/24

FW02: WAN 192.168.100.1/24 port1

FW02 LAN 10.1.1.0/24 port4

기본 설정은 아래 글을 확인후 기본 설정을 합니다.

https://itblog-kr.tistory.com/58

[Fortigate-#2]-Site to Site VPN with Wizard

안녕하세요. 이번에는 Site to Site VPN with Wizard을 알아보도록 하겠습니다. EVE-NG에서 아래처럼 토폴로지를 연결 합니다. FW01: Port1 192.168.100.1 MGMT 및 WAN 으로 사용FW01: Port4 Trunk VL10 17

itblog-kr.tistory.com

저는 Site to Site VPN 메뉴얼하게 설정하는 부분만 설정하겠습니다.

FW01에서 VPN 설정합니다.

1. VPN -> IPsec Tunnels -> Create New 클릭 합니다

2. 자동으로 IPsec Wizard로 변경 되지만 아래 사진처럼 Custom를 선택합니다.

3.

Remote Gateway - Static IP address

Ip address -상대방 방화벽 WAN IP입력

Interface - 현재 방화벽 인터넷 WAN port 선택

Local Gateway enable 하고 Primary IP를 선택 합니다.

Pre-shared Key - CiscoCisco

IKE version - v2 선택합니다.

Encryption: DES - 실제 방화벽에서는 aes256 선택합니다 보안상

Authentucation - SHA256

Diffie-Hellman Group - 14

Key LifeTIme - 86400

Name: S2S_VPN_01

Local Address: 172.17.70.0/24

Remote Address: 10.1.1.0/24

Phase2 Proposal - click add button

Encryption - DES - 실제 장비이면 옵션을 변경합니다 보안상 -

Authentication - SHA256

Auto-Nego - 체크박스

VPN이 생성 되었습니다.

4. 이번에는 방화벽 정책을 설정 합니다.

Destination에 Remote Subnet이 없는데 추가서 Addrsss를 생성 하고 아래처럼 정책을 설정 합니다.

이번에는 상대방 방화벽 LAN에서 현재 방화벽 LAN에 접속 가능하게 정책을 추가 합니다.

2개 방화벽이 생성 되었습니다.

5. 이번에는 Static Route를 생성 합니다.

라우팅 확인합니다.

FW01에 대해서 방화벽 설정을 완료 하였습니다

이번에는 FW02에서 설정 하겠습니다.

1. VPN -> IPsec Tunnels -> Create New

2. 이름을 입력하고 Custom를 선택하고 next를 클릭 합니다.

3. IPsec VPN 옵션을 설정합니다.

Phase1

Pre-shared Key - CiscoCisco

Verion - Ike V2선택합니다.

Phase2 설정

Save버튼을 클릭하면 IPsec VPN 터널이 생성 되었습니다.

5. 방화벽 정책을 설정 합니다.

그리고 Reverse 방화벽 정책도 추가 합니다.

아래처럼 방화벽 정책이 설정 하였습니다.

6. Static Route를 설정 합니다.

라우팅 확인 합니다.

1분뒤에 VPN 상태를 확인합니다.

VPN이 Up이 되었습니다.

SW01 설정 입니다.

interface GigabitEthernet0/0
switchport trunk encapsulation dot1q
switchport mode trunk
media-type rj45
negotiation auto
!
interface GigabitEthernet0/1
media-type rj45
negotiation auto
!
interface GigabitEthernet0/2
media-type rj45
negotiation auto
!
interface GigabitEthernet0/3
media-type rj45
negotiation auto
!
interface GigabitEthernet1/0
switchport access vlan 10
switchport mode access
media-type rj45
negotiation auto
!
interface GigabitEthernet1/1
switchport access vlan 20
switchport mode access
media-type rj45
negotiation auto
!
interface GigabitEthernet1/2
switchport access vlan 30
switchport mode access
media-type rj45
negotiation auto
!
interface GigabitEthernet1/3
switchport access vlan 40
switchport mode access
media-type rj45
negotiation auto
!
interface Vlan10
ip address 172.17.70.1 255.255.255.0
!
interface Vlan20
ip address 172.17.71.1 255.255.255.0
!
interface Vlan30
ip address 172.17.72.1 255.255.255.0
!
interface Vlan40
ip address 172.17.73.1 255.255.255.0
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 172.17.70.254
!
!
!

SW02 설정입니다.

interface GigabitEthernet0/0
no switchport
ip address 10.1.1.1 255.255.255.0
negotiation auto
!
interface GigabitEthernet1/0
media-type rj45
negotiation auto
!
interface GigabitEthernet1/1
media-type rj45
negotiation auto
!
interface GigabitEthernet1/2
media-type rj45
negotiation auto
!
interface GigabitEthernet1/3
media-type rj45
negotiation auto
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 10.1.1.254
!
!
!

Virtual PC01 ~ 04 설정입니다.

VPCS> ip 172.17.70.100 255.255.255.0 gateway 172.17.70.254
Checking for duplicate address...
VPCS : 172.17.70.100 255.255.255.0 gateway 172.17.70.254

VPCS> show ip

NAME        : VPCS[1]
IP/MASK     : 172.17.70.100/24
GATEWAY     : 172.17.70.254
DNS         :
MAC         : 00:50:79:66:68:3f
LPORT       : 20000
RHOST:PORT  : 127.0.0.1:30000
MTU         : 1500

VPCS>

VPCS> ip 172.17.71.100 255.255.255.0 gateway 172.17.71.254
Checking for duplicate address...
VPCS : 172.17.71.100 255.255.255.0 gateway 172.17.71.254

VPCS> show ip

NAME        : VPCS[1]
IP/MASK     : 172.17.71.100/24
GATEWAY     : 172.17.71.254
DNS         :
MAC         : 00:50:79:66:68:40
LPORT       : 20000
RHOST:PORT  : 127.0.0.1:30000
MTU         : 1500

VPCS>

VPCS> ip 172.17.72.100 255.255.255.0 gateway 172.17.72.254
Checking for duplicate address...
VPCS : 172.17.72.100 255.255.255.0 gateway 172.17.72.254

VPCS> show ip

NAME        : VPCS[1]
IP/MASK     : 172.17.72.100/24
GATEWAY     : 172.17.72.254
DNS         :
MAC         : 00:50:79:66:68:41
LPORT       : 20000
RHOST:PORT  : 127.0.0.1:30000
MTU         : 1500

VPCS>

VPCS> ip 172.17.73.100 255.255.255.0 gateway 172.17.73.254
Checking for duplicate address...
VPCS : 172.17.73.100 255.255.255.0 gateway 172.17.73.254

VPCS> show ip

NAME        : VPCS[1]
IP/MASK     : 172.17.73.100/24
GATEWAY     : 172.17.73.254
DNS         :
MAC         : 00:50:79:66:68:42
LPORT       : 20000
RHOST:PORT  : 127.0.0.1:30000
MTU         : 1500

VPCS>

VPCS01 ping to 10.1.1.1

VPCS> ping 10.1.1.1

84 bytes from 10.1.1.1 icmp_seq=1 ttl=253 time=18.977 ms
84 bytes from 10.1.1.1 icmp_seq=2 ttl=253 time=13.349 ms
84 bytes from 10.1.1.1 icmp_seq=3 ttl=253 time=7.608 ms
84 bytes from 10.1.1.1 icmp_seq=4 ttl=253 time=8.679 ms
84 bytes from 10.1.1.1 icmp_seq=5 ttl=253 time=10.129 ms

VPCS>

VPCS02 ping to 10.1.1.1

VPCS> ping 10.1.1.1

10.1.1.1 icmp_seq=1 timeout
10.1.1.1 icmp_seq=2 timeout
10.1.1.1 icmp_seq=3 timeout
10.1.1.1 icmp_seq=4 timeout
10.1.1.1 icmp_seq=5 timeout
^C
VPCS>

VPCS03 ping to 10.1.1.1

VPCS> ping 10.1.1.1

10.1.1.1 icmp_seq=1 timeout
10.1.1.1 icmp_seq=2 timeout
10.1.1.1 icmp_seq=3 timeout
10.1.1.1 icmp_seq=4 timeout
10.1.1.1 icmp_seq=5 timeout

VPCS>

VPCS04 ping to 10.1.1.1

VPCS> ping 10.1.1.1

10.1.1.1 icmp_seq=1 timeout
10.1.1.1 icmp_seq=2 timeout
10.1.1.1 icmp_seq=3 timeout
10.1.1.1 icmp_seq=4 timeout
10.1.1.1 icmp_seq=5 timeout

VPCS02~04는 PIng이 실패 했습니다.

그 이유는 특정 대역에 대해서 라우팅을 꺽어주어야 합니다.

VPN tunnel 설정할때

Local Network은 172.17.70.0/24만 추가했기때문에 통신이 실패 하였습니다.

이부분을 방화벽에서 수정 합니다.

FW01에서 Address를 생성 합니다.

그리고 Address group을 생성 합니다.

S2S_VPN_LOCAL_GROUP

S2S_VPN_REMOTE_GROUP

Address랑 Address Group를 확인합니다.

FW01에서 VPN Tunnel를 수정 합니다.

아래처럼 수정 합니다.

FW02도 똑같이 Address를 생성 하고 Address Group를 생성 합니다.

Address Group 설정

VPN Tunnel 옵션을 변경 합니다.

아래처럼 수정 합니다.

그리고 방화벽 정책도 수정 합니다.

FW01

FW02

ping를 다시 테스트 합니다.

Virtual PC02

VPCS> ping 10.1.1.1

84 bytes from 10.1.1.1 icmp_seq=1 ttl=253 time=6.582 ms
84 bytes from 10.1.1.1 icmp_seq=2 ttl=253 time=9.715 ms
84 bytes from 10.1.1.1 icmp_seq=3 ttl=253 time=8.161 ms
84 bytes from 10.1.1.1 icmp_seq=4 ttl=253 time=7.880 ms
84 bytes from 10.1.1.1 icmp_seq=5 ttl=253 time=15.694 ms

Virtual PC03

VPCS> ping 10.1.1.1

84 bytes from 10.1.1.1 icmp_seq=1 ttl=253 time=8.842 ms
84 bytes from 10.1.1.1 icmp_seq=2 ttl=253 time=8.746 ms
84 bytes from 10.1.1.1 icmp_seq=3 ttl=253 time=7.627 ms
84 bytes from 10.1.1.1 icmp_seq=4 ttl=253 time=7.392 ms
84 bytes from 10.1.1.1 icmp_seq=5 ttl=253 time=29.680 ms

Virtual PC04

VPCS> ping 10.1.1.1

84 bytes from 10.1.1.1 icmp_seq=1 ttl=253 time=9.869 ms
84 bytes from 10.1.1.1 icmp_seq=2 ttl=253 time=9.737 ms
84 bytes from 10.1.1.1 icmp_seq=3 ttl=253 time=35.077 ms
84 bytes from 10.1.1.1 icmp_seq=4 ttl=253 time=9.397 ms
84 bytes from 10.1.1.1 icmp_seq=5 ttl=253 time=6.285 ms

지금까지 Fortigate Site-to-Site VPN 수동으로 설정 하는 방법에 대해서 알아보았습니다.

글을 읽어주셔서 감사합니다.

저작자표시 (새창열림)

'FORTINET > FORTIGATE 방화벽' 카테고리의 다른 글

[Fortigate-#5]-Security Profiles (0)	2024.11.22
[Fortigate-#9]- Antivirus Profile - Test (0)	2024.11.22
[Fortigate-#3]-Site to Site VPN with Wizard-Detail (0)	2024.11.07
[Fortigate-#2]-Site to Site VPN with Wizard (1)	2024.11.06
[Fortigate-#1]-MGMT IP Configuration (0)	2024.11.06

안녕하세요.

이전 글에서는 Fortigate Site-to-Site VPN 알아보았습니다.

설정은 간단합니다. 하지만 자동으로 여러가지 설정들이 생성되었기 떄문에 2개 지점에서 서로간에 통신이 가능 했습니다.

Wizard를 사용 했을때 어떤 설정값들이 생성되는지 알아야지 문제가 발생 하였을때 Troubleshooting이 가능 합니다.

실습을 하기전에 아래 글을 확인후 테스트 환경을 구축 합니다.

https://itblog-kr.tistory.com/58

[Fortigate-#2]-Site to Site VPN with Wizard

안녕하세요. 이번에는 Site to Site VPN with Wizard을 알아보도록 하겠습니다. EVE-NG에서 아래처럼 토폴로지를 연결 합니다. FW01: Port1 192.168.100.1 MGMT 및 WAN 으로 사용FW01: Port4 Trunk VL10 17

itblog-kr.tistory.com

토폴로지는 아래와 같습니다.

그럼 FW01에 접속해서 Wizard를 사용했을때 자동으로 어떤 설정값이 생기는지 확인해보겠습니다.

Policy & Objects -> Addresses

1. IP Range/Subnet - Source

파랑색은 Source Subnet 대역에 대해서 자동으로 Address가 생성되었습니다.

빨간색은 Remote Subnet 대역에 대해서 자동으로 Address가 생성되었습니다.

2. Address Group

S2S VPN_Local - Local address subnet이 이 그룹에 소속 됩니다.

S2S VPN_Remote - 상대방 subnet address가 이 그룹에 소속 됩니다.

위에 Address Group는 아래 VPN 설정에 사용 됩니다.

만약에 Source Subnet이나 Remote Subnet를 추가해야하는 경우.

1 address 생성

2. address를 group address에 추가합니다.

3. Static Route가 자동으로 생성 됩니다.

S2S VPN_Remote

상대방으로 가기위해서 Remote Subnet에 대해서 Static Route로 꺽어줍니다.

4. WAN인터페이스에 자동으로 S2S VPN Tunnel Interface가 생성됩니다.

5. 방화벽 정책이 자동으로 생성 됩니다.

빨간색은 상대방 방화벽에서 내 방화벽 내부로 접속을 위한 방화벽 정책

파랑색은 내 내부에 있는 서브넷이 상대방 방화벽 내부로 접속하기 위한 방화벽 정책

필요 이상으로 방화벽 정책이 생성되었습니다.

방화벽 정책을 수정하겠습니다.

이렇게 수정 가능 합니다.

5. 그리고 마지막으로 IPsec Tunnel 이 자동으로 생성 됩니다.

자동으로 생성 되기때문에, Fortigate에서 자동으로 설정 되게 됩니다.

지금까지 글을 읽어주셔서 감사합니다.

저작자표시 (새창열림)

'FORTINET > FORTIGATE 방화벽' 카테고리의 다른 글

[Fortigate-#9]- Antivirus Profile - Test (0)	2024.11.22
[Fortigate-#4]-Site to Site VPN-Manual Setup (1)	2024.11.07
[Fortigate-#2]-Site to Site VPN with Wizard (1)	2024.11.06
[Fortigate-#1]-MGMT IP Configuration (0)	2024.11.06
[Fortigate]-add new license into forticloud (0)	2024.10.07

안녕하세요.

이번에는 EVE-NG에서 VPC에 대해서 알아보도록 하겠습니다.

테스트 할때 간단하게 Ping을 위해서 PC를 만들고 싶을때가 있습니다. 그렇다고 라우터나 스위치 또는 윈도우 PC를 두기에는 시스템 리소스에 부담이 됩니다.

간단하게 Ping테스트만 할때는 VPC를 생성해서 테스트 가능 합니다.

VPC는 따로 이미지를 업로드 할 필요가 없고 EVE-NG를 설치 하면 자동으로 생성 됩니다.

1. Virtual PC를 선택합니다.

2. Save버튼을 클릭 합니다.

3. VPC이름을 변경후 실행하고 더블클릭하면 콘솔 창이 열립니다.

4. ? 실행해서 사용 가능한 명령어를 확인 합니다.

VPCS> ?
arp                        Shortcut for: show arp. Show arp table
clear ARG                Clear IPv4/IPv6, arp/neighbor cache, command history
dhcp [OPTION]            Shortcut for: ip dhcp. Get IPv4 address via DHCP
disconnect               Exit the telnet session (daemon mode)
echo TEXT                Display TEXT in output. See also  set echo ?
help                     Print help
history                  Shortcut for: show history. List the command history
ip ARG ... [OPTION]      Configure the current VPC's IP settings. See ip ?
load [FILENAME]          Load the configuration/script from the file FILENAME
ping HOST [OPTION ...]   Ping HOST with ICMP (default) or TCP/UDP. See ping ?
quit                     Quit program
relay ARG ...            Configure packet relay between UDP ports. See relay ?
rlogin [ip] port         Telnet to port on host at ip (relative to host PC)
save [FILENAME]          Save the configuration to the file FILENAME
set ARG ...              Set VPC name and other options. Try set ?
show [ARG ...]           Print the information of VPCs (default). See show ?
sleep [seconds] [TEXT]   Print TEXT and pause running script for seconds
trace HOST [OPTION ...]  Print the path packets take to network HOST
version                  Shortcut for: show version

To get command syntax help, please enter '?' as an argument of the command.

VPCS>

5. IP설정 및 Default Gateway 설정하기

VPCS> ip 172.17.70.100 255.255.255.0 gateway 172.17.70.254
Checking for duplicate address...
VPCS : 172.17.70.100 255.255.255.0 gateway 172.17.70.254

6. IP 확인하기

VPCS> show ip

NAME        : VPCS[1]
IP/MASK     : 172.17.70.100/24
GATEWAY     : 172.17.70.254
DNS         :
MAC         : 00:50:79:66:68:3f
LPORT       : 20000
RHOST:PORT  : 127.0.0.1:30000
MTU         : 1500

7. 설정값 저장 하기

VPCS> save
Saving startup configuration to startup.vpc
. done

VPCS>

8. Default-gateway ping시도

VPCS> ping 172.17.70.254

84 bytes from 172.17.70.254 icmp_seq=1 ttl=255 time=19.576 ms
84 bytes from 172.17.70.254 icmp_seq=2 ttl=255 time=7.160 ms
84 bytes from 172.17.70.254 icmp_seq=3 ttl=255 time=7.819 ms
84 bytes from 172.17.70.254 icmp_seq=4 ttl=255 time=5.114 ms
84 bytes from 172.17.70.254 icmp_seq=5 ttl=255 time=3.110 ms

9. Ping 옵션 확인하기

VPCS> ping ?

ping HOST [OPTION ...]
  Ping the network HOST. HOST can be an ip address or name
    Options:
     -1             ICMP mode, default
     -2             UDP mode
     -3             TCP mode
     -c count       Packet count, default 5
     -D             Set the Don't Fragment bit
     -f FLAG        Tcp header FLAG |C|E|U|A|P|R|S|F|
                               bits |7 6 5 4 3 2 1 0|
     -i ms          Wait ms milliseconds between sending each packet
     -l size        Data size
     -P protocol    Use IP protocol in ping packets
                      1 - ICMP (default), 17 - UDP, 6 - TCP
     -p port        Destination port
     -s port        Source port
     -T ttl         Set ttl, default 64
     -t             Send packets until interrupted by Ctrl+C
     -w ms          Wait ms milliseconds to receive the response

  Notes: 1. Using names requires DNS to be set.
         2. Use Ctrl+C to stop the command.

VPCS>

10. 100 ping 사용 하고 싶을때 옵션을 사용 합니다.

VPCS> ping 172.17.70.254 -c 100

84 bytes from 172.17.70.254 icmp_seq=1 ttl=255 time=8.538 ms
84 bytes from 172.17.70.254 icmp_seq=2 ttl=255 time=4.512 ms
84 bytes from 172.17.70.254 icmp_seq=3 ttl=255 time=4.085 ms
84 bytes from 172.17.70.254 icmp_seq=4 ttl=255 time=2.755 ms
84 bytes from 172.17.70.254 icmp_seq=5 ttl=255 time=7.133 ms

11. Static IP말고 DHCP로 IP를 사용 하고 싶을떄 아래 명령어를 사용 합니다.

VPCS> ip dhcp
DDD
Can't find dhcp server

VPCS>

현재 DHCP기능을 하는 서버가 없어서 IP받기 실패했습니다. 만약에 DHCP기능이 동작중은 서버가 있으면 Virtual-PC는 IP주소를 받아옵니다.

12. 상대방 목적지 까지 hop by hop를 확인 하고 싶을때

VPCS> trace 10.1.1.1
trace to 10.1.1.1, 8 hops max, press Ctrl+C to stop
1   172.17.73.254   4.191 ms  5.657 ms  4.454 ms
2   192.168.100.2   6.383 ms  5.133 ms  3.844 ms
3   *10.1.1.1   20.143 ms (ICMP type:3, code:3, Destination port unreachable)  *

VPCS>

13. arp 확인하기

VPCS> arp

50:00:00:3c:00:03 172.17.73.254 expires in 77 seconds

VPCS>

Virtual PC는 꼭 필요한 기본 기능만 제공하기 때문에 리소를 많이 사용하지 않습니다. 그렇기 때문에 고급 기능도 없습니다.

단순히 PC에 IP를 할당하고 상대방 PIng를 테스트 하고 싶을때 주로 사용합니다.

지금까지 [2024][EVE-NG #18] VPCS 알아보았습니다.

저작자표시 (새창열림)

'EVE-NG' 카테고리의 다른 글

[2024][EVE-NG #19] PaloAlto 설치하기 (0)	2025.01.11
[2024][EVE-NG #18] EVE-NG에 C9800CL Install (2)	2024.10.07
[2024][EVE-NG #17] Upgrade EVE-NG version (0)	2024.07.18
[2024][EVE-NG #16] Juniper QFX 스위치 설치하기 (0)	2024.07.12
[2024][EVE-NG #15] Juniper MX 라우터 설치하기 (0)	2024.07.11

안녕하세요.

이번에는 Site to Site VPN with Wizard을 알아보도록 하겠습니다.

EVE-NG에서 아래처럼 토폴로지를 연결 합니다.

FW01: Port1 192.168.100.1 MGMT 및 WAN 으로 사용

FW01: Port4 Trunk

VL10 172.17.70.254/24 - LAN

VL20 172.17.71.254.24 - LAN

VL30 172.17.72.254.24 - LAN

VL40 172.17.73.254/24- LAN

FW02: Port 192.168.100.2 MGMT 및 WAN으로 사용

FW02: Port4 10.1.1.1/24

SW01: Int vlan10: 172.17.70.1/24

Int vlan20: 172.17.71.1/24

Int vlan30: 172.17.72.1/24

Int vlan40: 172.17.73.1/24

SW02: int Gi/0/0 10.1.1.1

FW01 MGMT Interface를 설정 합니다.

FortiGate-VM64-KVM # show

config system interface
edit "port1"
set vdom "root"
set mode dhcp
set allowaccess ping https ssh http fgfm
set type physical         set snmp-index 1

디폴트값에서 아래와 같이 수정합니다.

FortiGate-VM64-KVM # config system interface
FortiGate-VM64-KVM (interface) # edit port1
FortiGate-VM64-KVM (port1) # set mode static
FortiGate-VM64-KVM (port1) # set ip 192.168.100.1 255.255.255.0

FortiGate-VM64-KVM (port1) # show
config system interface
    edit "port1"
        set vdom "root"
        set ip 192.168.100.1 255.255.255.0
        set allowaccess ping https ssh http fgfm
        set type physical
        set snmp-index 1
    next
end

디폴트 게이트웨이를 설정 합니다.

FortiGate-VM64-KVM # config router static

FortiGate-VM64-KVM (static) # edit 1
new entry '1' added
놰
FortiGate-VM64-KVM (1) # set dst 0.0.0.0/0

FortiGate-VM64-KVM (1) # set gateway 192.168.100.253

FortiGate-VM64-KVM (1) # set device port1

FortiGate-VM64-KVM (1) # end

FortiGate-VM64-KVM #

라우팅 테이블 확인

FortiGate-VM64-KVM # get router info routing-table
details      show routing table details information
all          show all routing table entries
rip          show rip routing table
ospf         show ospf routing table
bgp          show bgp routing table
isis         show isis routing table
static       show static routing table
connected    show connected routing table
database     show routing information base

FortiGate-VM64-KVM # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

Routing table for VRF=0
S*      0.0.0.0/0 [10/0] via 192.168.100.253, port1, [1/0]
C       192.168.100.0/24 is directly connected, port1

FW01 MGMT에 Ping 확인

FW02 설정하기

IP설정

FortiGate-VM64-KVM # config system interface
FortiGate-VM64-KVM (interface) # edit port1
FortiGate-VM64-KVM (port1) # set mode static
FortiGate-VM64-KVM (port1) # set ip 192.168.100.2 255.255.255.0

FortiGate-VM64-KVM (port1) # show
config system interface
    edit "port1"
        set vdom "root"
        set ip 192.168.100.2 255.255.255.0
        set allowaccess ping https ssh http fgfm
        set type physical
        set snmp-index 1
    next
end

디폴트게이트웨이 설정

FortiGate-VM64-KVM # config router static

FortiGate-VM64-KVM (static) # edit 1
new entry '1' added
놰
FortiGate-VM64-KVM (1) # set dst 0.0.0.0/0

FortiGate-VM64-KVM (1) # set gateway 192.168.100.253

FortiGate-VM64-KVM (1) # set device port1

FortiGate-VM64-KVM (1) # end

FortiGate-VM64-KVM #

라우팅 테이블 확인

FortiGate-VM64-KVM # get router info routing-table
details      show routing table details information
all          show all routing table entries
rip          show rip routing table
ospf         show ospf routing table
bgp          show bgp routing table
isis         show isis routing table
static       show static routing table
connected    show connected routing table
database     show routing information base

FortiGate-VM64-KVM # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

Routing table for VRF=0
S*      0.0.0.0/0 [10/0] via 192.168.100.253, port1, [1/0]
C       192.168.100.0/24 is directly connected, port1

FW02 MGMT IP ping확인

FW01 GUI 장비 접속

FW02 GUI 장비 접속

이렇게 장비 접속까지는 완료 하였습니다.

디폴트 Hostname를 FW01변경 하겠습니다.

System -> Settings -> Host name
아래 처럼 FW01로 변경하고 Save 버튼을 클릭 합니다.

LAN interface 설정하기

Network -> Interfaces -> Create New버튼을 클릭 합니다.

VL10 설정 정보

VL20 설정 정보

VL30 정보

VL40

port4번에 VLAN interface들 확인하기

SW01 기본 설정

en
conf t
no ip domain-lookup
hostname sw01
line con 0
exec-time 0
logg syn
end

Int g0/0 Trunk 설정

en
conf t
interface GigabitEthernet0/0
switchport trunk encapsulation dot1q
switchport mode trunk
no shutdown
end

VLAN 설정 그리고 SVI 설정하기

en
conf t
vlan 10
vlan 20
vlan 30
vlan 40
\interface Vlan10
ip address 172.17.70.1 255.255.255.0
no shutdown
interface Vlan20
ip address 172.17.71.1 255.255.255.0
no shutdown
interface Vlan30
ip address 172.17.72.1 255.255.255.0
no shutdown
interface Vlan40
ip address 172.17.73.1 255.255.255.0
no shutdown
end

SVI interface 상태 확인

SW1#show ip int brie
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0     unassigned      YES unset  up                    up
GigabitEthernet0/1     unassigned      YES unset  up                    up
GigabitEthernet0/2     unassigned      YES unset  up                    up
GigabitEthernet0/3     unassigned      YES unset  up                    up
GigabitEthernet1/0     unassigned      YES unset  up                    up
GigabitEthernet1/1     unassigned      YES unset  up                    up
GigabitEthernet1/2     unassigned      YES unset  up                    up
GigabitEthernet1/3     unassigned      YES unset  up                    up
Vlan10                 172.17.70.1     YES manual up                    up
Vlan20                 172.17.71.1     YES manual up                    up
Vlan30                 172.17.72.1     YES manual up                    up
Vlan40                 172.17.73.1     YES manual up                    up
SW1#

Default Gateway 설정

en
conf t
ip route 0.0.0.0 0.0.0.0 172.17.70.254

라우팅 테이블 확인

SW1#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is 172.17.70.254 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 172.17.70.254
      172.17.0.0/16 is variably subnetted, 8 subnets, 2 masks
C        172.17.70.0/24 is directly connected, Vlan10
L        172.17.70.1/32 is directly connected, Vlan10
C        172.17.71.0/24 is directly connected, Vlan20
L        172.17.71.1/32 is directly connected, Vlan20
C        172.17.72.0/24 is directly connected, Vlan30
L        172.17.72.1/32 is directly connected, Vlan30
C        172.17.73.0/24 is directly connected, Vlan40
L        172.17.73.1/32 is directly connected, Vlan40
SW1#

Default Gateway Ping Test from SW01

SW1#ping 172.17.70.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.17.70.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 2/5/18 ms
SW1#

이렇게 SW01 기본설정 까지 완료 하였습니다.

이번에는 FW02 설정하겠습니다.

디폴트 hostname를 FW02로 변경하고 Apply버튼을 클릭합니다

LAN 인터페이스 설정 정보

SW02 기본설정

en
conf t
no ip domain-lookup
hostname sw02
line con 0
exec-time 0
logg syn
end

Int g0/0 IP설정

interface GigabitEthernet0/0
no switchport
ip address 10.1.1.1 255.255.255.0
no shutdown
end

인터페이스 확인

SW2#show ip int brie
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet0/1     unassigned      YES unset  up                    up
GigabitEthernet0/2     unassigned      YES unset  up                    up
GigabitEthernet0/3     unassigned      YES unset  up                    up
GigabitEthernet0/0     10.1.1.1        YES manual up                    up
GigabitEthernet1/0     unassigned      YES unset  up                    up
GigabitEthernet1/1     unassigned      YES unset  up                    up
GigabitEthernet1/2     unassigned      YES unset  up                    up
GigabitEthernet1/3     unassigned      YES unset  up                    up
SW2#

Default-gateway 설정

ip route 0.0.0.0 0.0.0.0 10.1.1.254

라우팅 테이블 확인

SW2#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is 10.1.1.254 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 10.1.1.254
      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.1.1.0/24 is directly connected, GigabitEthernet0/0
L        10.1.1.1/32 is directly connected, GigabitEthernet0/0
SW2#

Default Gateway ping test from SW02

SW2#ping 10.1.1.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/8 ms
SW2#

Site to SIte VPN를 테스트 하기 위해서 기본 설정을 다 하였습니다.

FW01에서 VPN -> IPsec Wizard

Name: S2S VPN

그리고 next를 클릭 합니다.

Remote IP: 192.168.100.2 -> 상대방 WAN IP주소 입니다. 이 주소는 서로간에 Ping이 가능해야지 IPsec vpn연결이 가능 합니다.

Outgoing Interface: WAN(port1)

Pre-sahre Key: CiscoCisco

그리고 next를 선택 합니다.

Local Subnet:

172.17.70.0/24

172.17.71.0/24

172.17.72.0/24

172.17.73.0/24

Remote Subnet

10.1.1.0/24

Interface access: None를 설정합니다. 이유는 위에 IP대역에 대해서만 IPsec VPN 터널를 타고 마너지 트래픽은 로컬 ISP01인터넷을 사용합니다.

아래 정보를 확인하고 Create를 클릭 합니다.

아래처럼 S2S VPN 터널이 자동으로 생성 되었습니다.

FW02도 똑같이 설정 합니다.

Remote IP: FW01 WAN에 IP를 입력합니다.

outging interface: WAN(port1)

Pre-shared Key: CiscoCisco

Local Subnet: 10.1.1.0/24

Remote Subnet: 172.17.70.0/24

172.17.71.0/24

172.17.72.0/24

172.17.73.0/24

아래 정보값을 확인후 맞으면 Create버튼을 클릭 합니다.

터널을 확인합니다.

현재 Traffic이 없기 때문에 터널이 Down 입니다.

Traffic를 발생해 보겠습니다.

방화벽에서 자체적으로 Tunnel쪽으로 Traffic를 발생 시켜서 Tunnel를 강제로 UP를 유지 할수 있습니다.

아래 처럼 auto-negotiate를 선택하면 자동으로 Autokey keep alive도 선택 됩니다.

FW02도 똑같이 설정합니다.

그리고 터널 인터페이스를 확인 합니다.

터널이 UP되었습니다.

SW01에서 SW02로 Ping시도

SW1#ping 10.1.1.1 source vlan10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 172.17.70.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/14/39 ms
SW1#

SW02에서 SW01 ping시도

SW2#ping 172.17.70.1 source g0/0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.17.70.1, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/7/18 ms
SW2#

이렇게 Site to Site VPN를 통해서 서로 ping이 가능 합니다.

이번에는 VPC 4생성하고 아래와 같이 연결 합니다.

SW01 Gi1/0 VLAN10 - PC01 172.17.70.100/24 GW 172.17.70.254

SW01 Gi1/0 VLAN20 - PC02 172.17.71.100/24 GW 172.17.71.254

SW01 Gi1/0 VLAN30 - PC03 172.17.72.100/24 GW 172.17.72.254

SW01 Gi1/0 VLAN40 - PC04 172.17.73.100/24 GW 172.17.73 254

SW01 설정

en
conf t

interface GigabitEthernet1/0
switchport access vlan 10
switchport mode access
no shutdown

interface GigabitEthernet1/1
switchport access vlan 20
switchport mode access
no shutdown end

interface GigabitEthernet1/2
switchport access vlan 30
switchport mode access
no shutdown

interface GigabitEthernet1/3
switchport access vlan 40
switchport mode access
no shutdown
end

PC01부터 04까지 IP및 디폴트 케이트웨이 설정

VPCS> ip 172.17.70.100 255.255.255.0 gateway 172.17.70.254
Checking for duplicate address...
VPCS : 172.17.70.100 255.255.255.0 gateway 172.17.70.254

VPCS> show ip

NAME        : VPCS[1]
IP/MASK     : 172.17.70.100/24
GATEWAY     : 172.17.70.254
DNS         :
MAC         : 00:50:79:66:68:3f
LPORT       : 20000
RHOST:PORT  : 127.0.0.1:30000
MTU         : 1500

VPCS>

VPCS> ip 172.17.71.100 255.255.255.0 gateway 172.17.71.254
Checking for duplicate address...
VPCS : 172.17.71.100 255.255.255.0 gateway 172.17.71.254

VPCS> show ip

NAME        : VPCS[1]
IP/MASK     : 172.17.71.100/24
GATEWAY     : 172.17.71.254
DNS         :
MAC         : 00:50:79:66:68:40
LPORT       : 20000
RHOST:PORT  : 127.0.0.1:30000
MTU         : 1500

VPCS>

VPCS> ip 172.17.72.100 255.255.255.0 gateway 172.17.72.254
Checking for duplicate address...
VPCS : 172.17.72.100 255.255.255.0 gateway 172.17.72.254

VPCS> show ip

NAME        : VPCS[1]
IP/MASK     : 172.17.72.100/24
GATEWAY     : 172.17.72.254
DNS         :
MAC         : 00:50:79:66:68:41
LPORT       : 20000
RHOST:PORT  : 127.0.0.1:30000
MTU         : 1500

VPCS>

VPCS> ip 172.17.73.100 255.255.255.0 gateway 172.17.73.254
Checking for duplicate address...
VPCS : 172.17.73.100 255.255.255.0 gateway 172.17.73.254

VPCS> show ip

NAME        : VPCS[1]
IP/MASK     : 172.17.73.100/24
GATEWAY     : 172.17.73.254
DNS         :
MAC         : 00:50:79:66:68:42
LPORT       : 20000
RHOST:PORT  : 127.0.0.1:30000
MTU         : 1500

VPCS>

PC01(172.17.70.100)에서 SW02(10.1.1.1) Ping 시도

VPCS> ping 10.1.1.1

84 bytes from 10.1.1.1 icmp_seq=1 ttl=253 time=59.607 ms
84 bytes from 10.1.1.1 icmp_seq=2 ttl=253 time=9.527 ms
84 bytes from 10.1.1.1 icmp_seq=3 ttl=253 time=9.599 ms
84 bytes from 10.1.1.1 icmp_seq=4 ttl=253 time=10.493 ms
84 bytes from 10.1.1.1 icmp_seq=5 ttl=253 time=9.694 ms

VPCS>

PC02(172.17.71.100)에서 SW02(10.1.1.1) Ping 시도

VPCS> ping 10.1.1.1

84 bytes from 10.1.1.1 icmp_seq=1 ttl=253 time=18.606 ms
84 bytes from 10.1.1.1 icmp_seq=2 ttl=253 time=8.886 ms
84 bytes from 10.1.1.1 icmp_seq=3 ttl=253 time=8.346 ms
84 bytes from 10.1.1.1 icmp_seq=4 ttl=253 time=11.557 ms
84 bytes from 10.1.1.1 icmp_seq=5 ttl=253 time=8.162 ms

VPCS>

PC03(172.17.72.100)에서 SW02(10.1.1.1) Ping 시도

VPCS> ping 10.1.1.1

84 bytes from 10.1.1.1 icmp_seq=1 ttl=253 time=10.669 ms
84 bytes from 10.1.1.1 icmp_seq=2 ttl=253 time=54.042 ms
84 bytes from 10.1.1.1 icmp_seq=3 ttl=253 time=15.635 ms
84 bytes from 10.1.1.1 icmp_seq=4 ttl=253 time=62.423 ms
84 bytes from 10.1.1.1 icmp_seq=5 ttl=253 time=418.343 ms

VPCS>

PC04(172.17.73.100)에서 SW02(10.1.1.1) Ping 시도

VPCS> ping 10.1.1.1

84 bytes from 10.1.1.1 icmp_seq=1 ttl=253 time=8.883 ms
84 bytes from 10.1.1.1 icmp_seq=2 ttl=253 time=7.573 ms
84 bytes from 10.1.1.1 icmp_seq=3 ttl=253 time=10.828 ms
84 bytes from 10.1.1.1 icmp_seq=4 ttl=253 time=12.965 ms
84 bytes from 10.1.1.1 icmp_seq=5 ttl=253 time=8.135 ms

VPCS>

이렇게 두개 지점에 Fortigate 방화벽에 Site to Site VPN를 이용해서 통신 하는 방법에 대해서 알아보았습니다.

다음장에서는 Wizard를 이용해서 Site to Site VPN를 설정했을떄 어떤부분이 자동으로 생성이 되는지 확인해보겠습니다.

지금까지 글을 읽어주셔서 감사합니다.

저작자표시 (새창열림)

'FORTINET > FORTIGATE 방화벽' 카테고리의 다른 글

[Fortigate-#4]-Site to Site VPN-Manual Setup (1)	2024.11.07
[Fortigate-#3]-Site to Site VPN with Wizard-Detail (0)	2024.11.07
[Fortigate-#1]-MGMT IP Configuration (0)	2024.11.06
[Fortigate]-add new license into forticloud (0)	2024.10.07
[Fortigate]-Firewall register to FortiCloud (0)	2024.10.06

안녕하세요.

오늘은 Fortigate 방화벽 MGMT를 설정해보겠습니다.

Fortigate 방화벽 소규모용은 MGMT Port가 없는 경우가 대부분입니다. Data LAN포트를 MGMT로 사용 합니다.

이번에 고객사에 Fortigate 90G를 설치해야하는 상황인데 이 장비를 기준으로 보시면 MGMT포트가 없습니다.

1. Console port

2. WAN1 and WAN2 port

3. LAN port

Console Port를 연결 합니다.

show 엔터를 누르시고 밑에 edit "lan" 정보를 확인 합니다. 디폴트로 기본 설정이 되어져 있습니다.

그리고 DHCP기능도 동작중이기 떄문에, 케이블 연결하시면 IP 할당 받을수 있습니다.

FortiGate-90G # show

   edit "lan"
        set vdom "root"
        set ip 192.168.1.99 255.255.255.0
        set allowaccess ping https ssh fgfm fabric
        set type hard-switch
        set stp enable
        set role lan
        set snmp-index 15

https://192.168.1.99 접속해서 로그인 합니다.

그리고 Lan인터페이스 정보를 보시면 아래와 같습니다.

장비에 접속 하셔서 사용 설정 하시면 됩니다.

EVE-NG기준으로 이번에는 설명 하겠습니다.

저는 SITE-TO-SITE VPN를 테스트 하기 위해서 기본 랩을 만들었습니다.

FW01 - PORT1를 MGMT 밑 WAN인터페이스로 사용하겠습니다

FW02 - PORT1를 MGMT 밑 WAN인터페이스로 사용하겠습니다.

1. FW01를 부팅하고 더블클릭 합니다. 아래 처름 부팅중임을 확인 가능 합니다.

admin/empty - no admin password by default

패스워드를 수정 합니다.

System is starting...
Formatting shared data partition ... done!
Starting system maintenance...
Serial number is FGVMEVCML31MHVB5

FortiGate-VM64-KVM login: admin
Password:
You are forced to change your password. Please input a new password.
New Password:
Confirm Password:
New passwords don't match.
New Password:
Confirm Password:
Welcome!

FortiGate-VM64-KVM #

디폴트 값으로 IP주소가 없습니다. 장비에 접속 할수 없습니다.

IP주소를 입력합니다.

FortiGate-VM64-KVM # show

config system interface
    edit "port1"
        set vdom "root"
        set mode dhcp
        set allowaccess ping https ssh http fgfm
        set type physical
        set snmp-index 1

IP주소를 입력합니다

FortiGate-VM64-KVM # config system interface

FortiGate-VM64-KVM (interface) # edit port1

FortiGate-VM64-KVM (port1) # set mode static

FortiGate-VM64-KVM (port1) # set ip 192.168.100.3 255.255.255.0

FortiGate-VM64-KVM (port1) # show
config system interface
    edit "port1"
        set vdom "root"
        set ip 192.168.100.3 255.255.255.0
        set allowaccess ping https ssh http fgfm
        set type physical
        set snmp-index 1
    next
end

Default Gateway를 입력합니다

FortiGate-VM64-KVM # config router static

FortiGate-VM64-KVM (static) # edit 1
new entry '1' added
놰
FortiGate-VM64-KVM (1) # set dst 0.0.0.0/0

FortiGate-VM64-KVM (1) # set gateway 192.168.100.253

FortiGate-VM64-KVM (1) # set device port1

FortiGate-VM64-KVM (1) # end

FortiGate-VM64-KVM #

라우팅 테이블을 확인합니다

FortiGate-VM64-KVM # get router info routing-table
details      show routing table details information
all          show all routing table entries
rip          show rip routing table
ospf         show ospf routing table
bgp          show bgp routing table
isis         show isis routing table
static       show static routing table
connected    show connected routing table
database     show routing information base

FortiGate-VM64-KVM # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

Routing table for VRF=0
S*      0.0.0.0/0 [10/0] via 192.168.100.253, port1, [1/0]
C       192.168.100.0/24 is directly connected, port1

PC에서 ping를 합니다.

장비에 접속합니다

https://192.168.100.3

접속이 가능합니다.

이렇게 EVE-NG fortigate 기본 설정에 대해서 알아보았습니다. 장비 접속 가능하면 테스트 하고자 하는 토폴로지 구성후 테스트 가능 합니다

지금까지 글을 읽어주셔서 감사합니다.

저작자표시 (새창열림)

'FORTINET > FORTIGATE 방화벽' 카테고리의 다른 글

[Fortigate-#4]-Site to Site VPN-Manual Setup (1)	2024.11.07
[Fortigate-#3]-Site to Site VPN with Wizard-Detail (0)	2024.11.07
[Fortigate-#2]-Site to Site VPN with Wizard (1)	2024.11.06
[Fortigate]-add new license into forticloud (0)	2024.10.07
[Fortigate]-Firewall register to FortiCloud (0)	2024.10.06

안녕하세요.

오늘은 C9300 스위치에 SSH version2 설정하는 방법에 대해서 알아보겠습니다.

CISCO(config)#crypto key generate rsa usage-keys label tsi modulus 2048
CISCO(config)#ip ssh rsa keypair-name tsi

CISCO(config)#ip ssh time-out 120
CISCO (config)#ip ssh authentication-retries 2
CISCO (config)#ip ssh version 2

IP SSH Version2가 동작중인지 확인합니다

TSI-CORE-1#show ip ssh
SSH Enabled - version 2.0
Authentication methods:publickey,keyboard-interactive,password
Authentication Publickey Algorithms:ssh-rsa,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,x509v3-ecdsa-sha2-nistp256,x509v3-ecdsa-sha2-nistp384,x509v3-ecdsa-sha2-nistp521,rsa-sha2-256,rsa-sha2-512,x509v3-rsa2048-sha256
Hostkey Algorithms:rsa-sha2-512,rsa-sha2-256,ssh-rsa
Encryption Algorithms:chacha20-poly1305@openssh.com,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-gcm,aes256-gcm,aes128-ctr,aes192-ctr,aes256-ctr
MAC Algorithms:hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com
KEX Algorithms:curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512
Authentication timeout: 120 secs; Authentication retries: 2
Minimum expected Diffie Hellman key size : 2048 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded): tsi
Modulus Size : 2048 bits
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC8nSDDZYuJN/N6SDsUqBMv/U9EXkwwbKVF1Io306Zx
eiflK5kGHYm5yC9EaEagSQcs2LZjS1fa9s6wKo0TId4+J45APh3Y0W2KMmYSCWzaXOgstVbFQMWNzITq
uutzVWZJKvKV5VPCyXORBuavM9AbAlRcSaUlnxyD85OF50pX98XgZoQV50q2QYrVr/nEcv+1hyYefcLh
Zy1UzLpNsUWhX8kU+9EeDNqveX/OMQr/VKxiLCcmJEoIhQ9Yo/ELu0V5VHqAE2WK93fSeDDF02EdzktT
fKvhWVLcKELiuiody/RBVEk2c++q/LBIaWw9pdE2Q1vPxMrouhQa4BGp8ljV
TSI-CORE-1#

테스트를 위해서 int vlan1에 IP를 10.1.1.1 설정합니다.

interface Vlan1
ip address 10.1.1.1 255.255.255.0
end

그리고 VTY를 설정합니다

TSI-CORE-1(config)#line vty 0 15
TSI-CORE-1(config-line)#login local
TSI-CORE-1(config-line)#transport input ssh
TSI-CORE-1(config-line)#end

PC에 IP를 10.1.1.2 설정하고 케이블을 스위치 VLAN1 포트에 연결합니다.

지금까지 C9300 스위치에 SSH version2를 설정하고 테스트 하는 방법에 대해서 알아보았습니다

지금까지 글을 읽어주셔서 감사합니다.

저작자표시 (새창열림)

'CISCO > 스위칭' 카테고리의 다른 글

[C9300-#1]- Traditional mode/Smart Licensing mode/Smart Licensing with the use of Policy mode (0)	2025.02.03
Cisco IOS recommendation (0)	2025.01.11
C9300-Stack Switch IOS Upgrade (1)	2024.10.24
Cat9300 Switch Stack Installation (1)	2024.10.24
Cat9300L Switch License Registration to cisco CSSM (0)	2024.10.02

안녕하세요.

오늘은 C9300 Stack 스위치 IOS Upgrade에 대해서 알아보도록 하겠습니다.

현재 버전을 확인 하기 위해서 show version을 입력 합니다.

Switch Ports Model              SW Version        SW Image              Mode
------ ----- -----              ----------        ----------            ----
*    1 41    C9300-24T          17.12.03          CAT9K_IOSXE           INSTALL
     2 41    C9300-24T          17.12.03          CAT9K_IOSXE           INSTALL

시스코 홈페이지를 접속해서 현재 시점에서 C9300-24T에 IOS 추천 버전을 확인 합니다.

https://software.cisco.com/download/home/286313829/type/286308587/release/17.12.4?i=!pp

현재 시스코 추천 IOS는 17.12.04 입니다.

이미지 파일을 다운로드 합니다.

USB를 준비 합니다.

USB에 이미지 파일을 복사 합니다.

그리고 USB를 Master SW에 연결 합니다.

첫번째 로그를 보시면 USB0이 정상적으로 인식 된걸 확인 할 수 있습니다.

그리고 file를 확인해 보면 아래와 같이 2개 파일을 확인 가능합니다.

npe - no payload 이미지 파일입니다.

우리는 payload 이미지 파일을 설치 해보겠습니다

Oct 24 07:32:00.763: %IOSD_INFRA-6-IFS_DEVICE_OIR: Device usbflash0 added.

Switch#dir usbflash0: | in 17.12
463 -rwx 1303572959 Oct 12 2024 23:17:02 +00:00 cat9k_iosxe_npe.17.12.04.SPA.bin
464 -rwx 1306917133 Oct 12 2024 22:57:34 +00:00 cat9k_iosxe.17.12.04.SPA.bin

1. usb0에 이미지 파일을 복사하기 전에 불필요한 파일을 삭제합니다.

Switch#install remove inactive
install_remove: START Thu Oct 24 07:35:45 UTC 2024
install_remove: Removing IMG
Cleaning up unnecessary package files
No path specified, will use booted path /flash/packages.conf

Cleaning /flash
  Scanning boot directory for packages ... done.
  Preparing packages list to delete ...
    [R0]: /flash/cat9k-cc_srdriver.17.12.03.SPA.pkg File is in use, will not delete.
    [R1]: /flash/cat9k-cc_srdriver.17.12.03.SPA.pkg File is in use, will not delete.
    [R0]: /flash/cat9k-espbase.17.12.03.SPA.pkg File is in use, will not delete.
    [R1]: /flash/cat9k-espbase.17.12.03.SPA.pkg File is in use, will not delete.
    [R0]: /flash/cat9k-guestshell.17.12.03.SPA.pkg File is in use, will not delete.
    [R1]: /flash/cat9k-guestshell.17.12.03.SPA.pkg File is in use, will not delete.
    [R0]: /flash/cat9k-lni.17.12.03.SPA.pkg File is in use, will not delete.
    [R1]: /flash/cat9k-lni.17.12.03.SPA.pkg File is in use, will not delete.
    [R0]: /flash/cat9k-rpbase.17.12.03.SPA.pkg File is in use, will not delete.
    [R1]: /flash/cat9k-rpbase.17.12.03.SPA.pkg File is in use, will not delete.
    [R0]: /flash/cat9k-sipbase.17.12.03.SPA.pkg File is in use, will not delete.
    [R1]: /flash/cat9k-sipbase.17.12.03.SPA.pkg File is in use, will not delete.
    [R0]: /flash/cat9k-sipspa.17.12.03.SPA.pkg File is in use, will not delete.
    [R1]: /flash/cat9k-sipspa.17.12.03.SPA.pkg File is in use, will not delete.
    [R0]: /flash/cat9k-srdriver.17.12.03.SPA.pkg File is in use, will not delete.
    [R1]: /flash/cat9k-srdriver.17.12.03.SPA.pkg File is in use, will not delete.
    [R0]: /flash/cat9k-webui.17.12.03.SPA.pkg File is in use, will not delete.
    [R1]: /flash/cat9k-webui.17.12.03.SPA.pkg File is in use, will not delete.
    [R0]: /flash/cat9k-wlc.17.12.03.SPA.pkg File is in use, will not delete.
    [R1]: /flash/cat9k-wlc.17.12.03.SPA.pkg File is in use, will not delete.
    [R0]: /flash/packages.conf File is in use, will not delete.
    [R1]: /flash/packages.conf File is in use, will not delete.
    [R0]: /flash/cat9k-rpboot.17.12.03.SPA.pkg File is in use, will not delete.
    [R1]: /flash/cat9k-rpboot.17.12.03.SPA.pkg File is in use, will not delete.

SUCCESS: No extra package or provisioning files found on media. Nothing to clean.
SUCCESS: Files deleted.

--- Starting Post_Remove_Cleanup ---
Performing REMOVE_POSTCHECK on all members
Finished Post_Remove_Cleanup
SUCCESS: install_remove Thu Oct 24 07:35:45 UTC 2024
Switch#
*Oct 24 07:35:45.573: %INSTALL-5-INSTALL_START_INFO: Switch 1 R0/0: install_mgr: Started install remove
*Oct 24 07:35:45.690: %INSTALL-5-INSTALL_COMPLETED_INFO: Switch 1 R0/0: install_mgr: Completed install remove
Switch#

2. usb에 있는 이미지 파일을 복사 합니다.

Switch#copy usbflash0:cat9k_iosxe.17.12.04.SPA.bin flash:
Destination filename [cat9k_iosxe.17.12.04.SPA.bin]?
Copy in progress...CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC

3. 이미지 파일이 정상적으로 복사가 되었는지 무결성 검사를 합니다.

1e3ab8c2357b33784373b626c190b907

Switch#verify /md5 flash:/cat9k_iosxe.17.12.04.SPA.bin
...................................

verify /md5 (flash:/cat9k_iosxe.17.12.04.SPA.bin) = 1e3ab8c2357b33784373b626c190b907

4. install mode는 packages.conf 파일을 사용하기 때문에 설정값이 제대로 맞는지 다시 한번 확인합니다.

Switch(config)#boot system flash:packages.conf

Switch#show boot system
---------------------------
Switch 1
---------------------------
Current Boot Variables:
BOOT variable = flash:packages.conf;

Boot Variables on next reload:
BOOT variable = flash:packages.conf;
Manual Boot = no
Enable Break = no
Boot Mode = DEVICE
iPXE Timeout = 0
---------------------------
Switch 2
---------------------------
Current Boot Variables:
BOOT variable = flash:packages.conf;

Boot Variables on next reload:
BOOT variable = flash:packages.conf;
Manual Boot = no
Enable Break = no
Boot Mode = DEVICE
iPXE Timeout = 0

Switch# wr

5. IOS를 업그레이드 합니다.

이미지 파일이 Standby SW에 복사를 시도 합니다. 그리고 IOS 업그레이드 시작합니다.

Switch# install add file flash:cat9k_iosxe.17.12.04.SPA.bin activate commit

Copying flash:cat9k_iosxe.17.12.04.SPA.bin from Switch 1 to Switch 1 2

*Oct 24 07:44:43.996: %INSTALL-5-INSTALL_START_INFO: Switch 1 R0/0: install_mgr: Started install add_activate_commit flash:cat9k_iosxe.17.12.04.SPA.bi

6. 복사가 완료 되고 IOS 버전 업그레이드를 시작 합니다. 그리고 Y를 선택합니다.

시간이 꽤 걸립니다. 인내심을 가지고 기다립니다.

--- Starting Add ---
Performing Add on all members

Finished Add

install_activate: START Thu Oct 24 07:46:56 UTC 2024
install_activate: Activating IMG
Following packages shall be activated:
/flash/cat9k-cc_srdriver.17.12.04.SPA.pkg
/flash/cat9k-espbase.17.12.04.SPA.pkg
/flash/cat9k-guestshell.17.12.04.SPA.pkg
/flash/cat9k-lni.17.12.04.SPA.pkg
/flash/cat9k-rpbase.17.12.04.SPA.pkg
/flash/cat9k-sipbase.17.12.04.SPA.pkg
/flash/cat9k-sipspa.17.12.04.SPA.pkg
/flash/cat9k-srdriver.17.12.04.SPA.pkg
/flash/cat9k-webui.17.12.04.SPA.pkg
/flash/cat9k-wlc.17.12.04.SPA.pkg
/flash/cat9k-rpboot.17.12.04.SPA.pkg

This operation may require a reload of the system. Do you want to proceed? [y/n]
*Oct 24 07:46:56.671: %INSTALL-5-INSTALL_START_INFO: Switch 1 R0/0: install_mgr: Started install activate NONEy

--- Starting Activate ---
Performing Activate on all members
[1] Activate package(s) on Switch 1
[2] Activate package(s) on Switch 2

7. 부팅이 완료 되면 로그인을 합니다. 그리고 패키지를 확인합니다.

Switch#dir flash:*.pkg
Directory of flash:/*.pkg

Directory of flash:/

155652  -rw-    29475848  Aug 24 2024 14:42:02 +00:00  cat9k-cc_srdriver.17.12.03.SPA.pkg
155653  -rw-   168936452  Aug 24 2024 14:42:02 +00:00  cat9k-espbase.17.12.03.SPA.pkg
155654  -rw-     2155524  Aug 24 2024 14:42:02 +00:00  cat9k-guestshell.17.12.03.SPA.pkg
155655  -rw-   120792064  Aug 24 2024 14:42:02 +00:00  cat9k-lni.17.12.03.SPA.pkg
155656  -rw-   763909120  Aug 24 2024 14:42:04 +00:00  cat9k-rpbase.17.12.03.SPA.pkg
155657  -rw-    48714756  Aug 24 2024 14:42:04 +00:00  cat9k-sipbase.17.12.03.SPA.pkg
155658  -rw-    56374272  Aug 24 2024 14:42:04 +00:00  cat9k-sipspa.17.12.03.SPA.pkg
155659  -rw-    41284612  Aug 24 2024 14:42:05 +00:00  cat9k-srdriver.17.12.03.SPA.pkg
155660  -rw-    17875968  Aug 24 2024 14:42:05 +00:00  cat9k-webui.17.12.03.SPA.pkg
155661  -rw-        9216  Aug 24 2024 14:42:05 +00:00  cat9k-wlc.17.12.03.SPA.pkg
155663  -rw-    61872038  Aug 24 2024 14:42:05 +00:00  cat9k-rpboot.17.12.03.SPA.pkg
327687  -rw-    29471752  Jul 23 2024 17:01:12 +00:00  cat9k-cc_srdriver.17.12.04.SPA.pkg
327688  -rw-   169464836  Jul 23 2024 17:01:58 +00:00  cat9k-espbase.17.12.04.SPA.pkg
327689  -rw-     2155524  Jul 23 2024 17:01:05 +00:00  cat9k-guestshell.17.12.04.SPA.pkg
327690  -rw-   111498240  Jul 23 2024 17:01:38 +00:00  cat9k-lni.17.12.04.SPA.pkg
327691  -rw-   768689152  Jul 23 2024 17:03:45 +00:00  cat9k-rpbase.17.12.04.SPA.pkg
327692  -rw-    48747524  Jul 23 2024 17:01:39 +00:00  cat9k-sipbase.17.12.04.SPA.pkg
327693  -rw-    56431616  Jul 23 2024 17:01:40 +00:00  cat9k-sipspa.17.12.04.SPA.pkg
327694  -rw-    41288708  Jul 23 2024 17:01:30 +00:00  cat9k-srdriver.17.12.04.SPA.pkg
327695  -rw-    17884160  Jul 23 2024 17:01:30 +00:00  cat9k-webui.17.12.04.SPA.pkg
327696  -rw-        9216  Jul 23 2024 17:01:04 +00:00  cat9k-wlc.17.12.04.SPA.pkg
327684  -rw-    61891845  Oct 24 2024 07:45:48 +00:00  cat9k-rpboot.17.12.04.SPA.pkg
11353194496 bytes total (6682238976 bytes free)
Switch#

8. show version으로 버전을 확인합니다.

Switch#show version
Cisco IOS XE Software, Version 17.12.04
Cisco IOS Software [Dublin], Catalyst L3 Switch Software (CAT9K_IOSXE), Version 17.12.4, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2024 by Cisco Systems, Inc.
Compiled Tue 23-Jul-24 09:40 by mcpre

9.불필요한 파일들을 삭제합니다.

Switch#install remove inactive
install_remove: START Thu Oct 24 08:03:31 UTC 2024
install_remove: Removing IMG
Cleaning up unnecessary package files
No path specified, will use booted path /flash/packages.conf

Cleaning /flash
  Scanning boot directory for packages ... done.
  Preparing packages list to delete ...
    [R0]: /flash/packages.conf File is in use, will not delete.
    [R1]: /flash/packages.conf File is in use, will not delete.
    [R0]: /flash/cat9k-cc_srdriver.17.12.04.SPA.pkg File is in use, will not delete.
    [R1]: /flash/cat9k-cc_srdriver.17.12.04.SPA.pkg File is in use, will not delete.
    [R0]: /flash/cat9k-espbase.17.12.04.SPA.pkg File is in use, will not delete.
    [R1]: /flash/cat9k-espbase.17.12.04.SPA.pkg File is in use, will not delete.
    [R0]: /flash/cat9k-guestshell.17.12.04.SPA.pkg File is in use, will not delete.
    [R1]: /flash/cat9k-guestshell.17.12.04.SPA.pkg File is in use, will not delete.
    [R0]: /flash/cat9k-lni.17.12.04.SPA.pkg File is in use, will not delete.
    [R1]: /flash/cat9k-lni.17.12.04.SPA.pkg File is in use, will not delete.
    [R0]: /flash/cat9k-rpbase.17.12.04.SPA.pkg File is in use, will not delete.
    [R1]: /flash/cat9k-rpbase.17.12.04.SPA.pkg File is in use, will not delete.
    [R0]: /flash/cat9k-sipbase.17.12.04.SPA.pkg File is in use, will not delete.
    [R1]: /flash/cat9k-sipbase.17.12.04.SPA.pkg File is in use, will not delete.
    [R0]: /flash/cat9k-sipspa.17.12.04.SPA.pkg File is in use, will not delete.
    [R1]: /flash/cat9k-sipspa.17.12.04.SPA.pkg File is in use, will not delete.
    [R0]: /flash/cat9k-srdriver.17.12.04.SPA.pkg File is in use, will not delete.
    [R1]: /flash/cat9k-srdriver.17.12.04.SPA.pkg File is in use, will not delete.
    [R0]: /flash/cat9k-webui.17.12.04.SPA.pkg File is in use, will not delete.
    [R1]: /flash/cat9k-webui.17.12.04.SPA.pkg File is in use, will not delete.
    [R0]: /flash/cat9k-wlc.17.12.04.SPA.pkg File is in use, will not delete.
    [R1]: /flash/cat9k-wlc.17.12.04.SPA.pkg File is in use, will not delete.
    [R0]: /flash/cat9k_iosxe.17.12.04.SPA.conf File is in use, will not delete.
    [R1]: /flash/cat9k_iosxe.17.12.04.SPA.conf File is in use, will not delete.
    [R0]: /flash/cat9k-rpboot.17.12.04.SPA.pkg File is in use, will not delete.
    [R1]: /flash/cat9k-rpboot.17.12.04.SPA.pkg File is in use, will not delete.

The following files will be deleted:
    [R0]: /flash/cat9k-cc_srdriver.17.12.03.SPA.pkg
    [R1]: /flash/cat9k-cc_srdriver.17.12.03.SPA.pkg
    [R0]: /flash/cat9k-espbase.17.12.03.SPA.pkg
    [R1]: /flash/cat9k-espbase.17.12.03.SPA.pkg
    [R0]: /flash/cat9k-guestshell.17.12.03.SPA.pkg
    [R1]: /flash/cat9k-guestshell.17.12.03.SPA.pkg
    [R0]: /flash/cat9k-lni.17.12.03.SPA.pkg
    [R1]: /flash/cat9k-lni.17.12.03.SPA.pkg
    [R0]: /flash/cat9k-rpbase.17.12.03.SPA.pkg
    [R1]: /flash/cat9k-rpbase.17.12.03.SPA.pkg
    [R0]: /flash/cat9k-sipbase.17.12.03.SPA.pkg
    [R1]: /flash/cat9k-sipbase.17.12.03.SPA.pkg
    [R0]: /flash/cat9k-sipspa.17.12.03.SPA.pkg
    [R1]: /flash/cat9k-sipspa.17.12.03.SPA.pkg
    [R0]: /flash/cat9k-srdriver.17.12.03.SPA.pkg
    [R1]: /flash/cat9k-srdriver.17.12.03.SPA.pkg
    [R0]: /flash/cat9k-webui.17.12.03.SPA.pkg
    [R1]: /flash/cat9k-webui.17.12.03.SPA.pkg
    [R0]: /flash/cat9k-wlc.17.12.03.SPA.pkg
    [R1]: /flash/cat9k-wlc.17.12.03.SPA.pkg
    [R0]: /flash/cat9k-rpboot.17.12.03.SPA.pkg
    [R1]: /flash/cat9k-rpboot.17.12.03.SPA.pkg
    [R0]: /flash/cat9k_iosxe.17.12.04.SPA.bin
    [R1]: /flash/cat9k_iosxe.17.12.04.SPA.bin

Do you want to remove the above files? [y/n]
                                            *Oct 24 08:03:31.983: %INSTALL-5-INSTALL_START_INFO: Switch 1 R0/0: install_mgr: Started install remove

[y/n]y

Deleting file /flash/cat9k-cc_srdriver.17.12.03.SPA.pkg ... done.
Deleting file /flash/cat9k-espbase.17.12.03.SPA.pkg ... done.
Deleting file /flash/cat9k-guestshell.17.12.03.SPA.pkg ... done.
Deleting file /flash/cat9k-lni.17.12.03.SPA.pkg ... done.
Deleting file /flash/cat9k-rpbase.17.12.03.SPA.pkg ... done.
Deleting file /flash/cat9k-sipbase.17.12.03.SPA.pkg ... done.
Deleting file /flash/cat9k-sipspa.17.12.03.SPA.pkg ... done.
Deleting file /flash/cat9k-srdriver.17.12.03.SPA.pkg ... done.
Deleting file /flash/cat9k-webui.17.12.03.SPA.pkg ... done.
Deleting file /flash/cat9k-wlc.17.12.03.SPA.pkg ... done.
Deleting file /flash/cat9k-rpboot.17.12.03.SPA.pkg ... done.
Deleting file /flash/cat9k_iosxe.17.12.04.SPA.bin ... done.
SUCCESS: Files deleted.

--- Starting Post_Remove_Cleanup ---
Performing REMOVE_POSTCHECK on all members
Finished Post_Remove_Cleanup
SUCCESS: install_remove Thu Oct 24 08:03:43 UTC 2024

Switch#

10. 그리고 저장 합니다.

Switch#wr
Building configuration...
[OK]

정상적으로 17.12.04 IOS 업그레이드가 완료 되었습니다.

지금까지 글을 읽어주셔서 감사합니다.

저작자표시 (새창열림)

'CISCO > 스위칭' 카테고리의 다른 글

[C9300-#1]- Traditional mode/Smart Licensing mode/Smart Licensing with the use of Policy mode (0)	2025.02.03
Cisco IOS recommendation (0)	2025.01.11
C9300 - Configure SSH2 (0)	2024.10.24
Cat9300 Switch Stack Installation (1)	2024.10.24
Cat9300L Switch License Registration to cisco CSSM (0)	2024.10.02

안녕하세요.

오늘은 C9300 스위치 Stack 설치에 대해서 알아보도록 하겠습니다.

아래 사진처럼 C9300 스위치를 2대 준비합니다.

Stack 케이블을 아래 사진처럼 연결 합니다.

그리고 전원을 연결 합니다.

부팅이 완료 되면 아래처럼 show switch 입력하면 자동으로 Stack 설정이 완료 된것을 확인 할수 있습니다.

Switch#show switch
Switch/Stack Mac Address : 9c66.977a.e000 - Local Mac Address
Mac persistency wait time: Indefinite
                                             H/W   Current
Switch#   Role    Mac Address     Priority Version  State
-------------------------------------------------------------------------------------
*1       Active   9c66.977a.e000     1      V08     Ready
2       Standby  9c66.977a.e080     1      V08     Ready

2대 스위치중에서 어떤 스위치가 Master로 선택 되는지는 알고리즘에 의해서 선정 됩니다.

Master Switch Election

The stack behaves as a single switching unit that is managed by a master switch elected from one of the member switches. The master switch automatically creates and updates all the switching and optional routing tables. Any member of the stack can become the master switch. Upon installation, or reboot of the entire stack, an election process occurs among the switches in the stack. There is a hierarchy of selection criteria for the election.

1. User priority - The network manager can select a switch to be master.

2. Hardware and software priority - This will default to the unit with the most extensive feature set. The Cisco Catalyst 3750 IP Services (IPS) image has the highest priority, followed by Cisco Catalyst 3750 switches with IP Base Software Image (IPB).

Catalyst 3750-E and Catalyst 3750-X run the Universal Image. The feature set on the universal image is determined by the purchased license. The "show version" command will list operating license level for each switch member in the stack.

3. Default configuration - If a switch has preexisting configuration information, it will take precedence over switches that have not been configured.

4. Uptime - The switch that has been running the longest is selected.

5. MAC address - Each switch reports its MAC address to all its neighbors for comparison. The switch with the lowest MAC address is selected

자세한 내용은 아래 링크를 참고 부탁드립니다.

https://www.cisco.com/c/en/us/products/collateral/switches/catalyst-9000/nb-06-cat-9k-stack-wp-cte-en.html

Products - Cisco Catalyst 9000 Platform StackWise Virtual White Paper

Cisco® Catalyst® 9000 platform StackWise® Virtual technology allows the clustering of two physical switches together into a single logical entity. The two switches operate as one; they share the same configuration and forwarding state. This technology a

www.cisco.com

show switch에서는 switch1이 마스터 스위치 선택되었지만 실제 C9300 스위치 두대중에서 어떤 스위치가 마스터인지 확인이 불가능 합니다.

show version 실행합니다.

첫번째 정보가 Switch1에 대한 정보 입니다

두번째 정보가 Switch2에 대한 정보 입니다.

Switch1에 Serial 정보를 실제 장비에 시리얼 번호를 확인 합니다.

Base Ethernet MAC Address          :
Motherboard Assembly Number        :
Motherboard Serial Number          : XXXXXXXXX
Model Revision Number              :
Motherboard Revision Number        :
Model Number                       : C9300-24T
System Serial Number               : XXXXXXXX
CLEI Code Number                   :

Switch Ports Model              SW Version        SW Image              Mode
------ ----- -----              ----------        ----------            ----
*    1 41    C9300-24T          17.12.03          CAT9K_IOSXE           INSTALL
     2 41    C9300-24T          17.12.03          CAT9K_IOSXE           INSTALL

Switch 02
---------
Switch uptime                      : 25 minutes

Base Ethernet MAC Address          :
Motherboard Assembly Number        :
Motherboard Serial Number          : YYYYYYYYY
Model Revision Number              :
Motherboard Revision Number        :
Model Number                       : C9300-24T
System Serial Number               : YYYYYYYYY
Last reload reason                 :
CLEI Code Number                   :

그리고 장비에 라벨을 프린터 해서 붙입니다.

장비가 재부팅 되더라도 항상 Switch1에 Master로 선정하기 위해서 아래 처럼 Switch Priority 값을 수정 합니다.

Switch#switch 1 priority 14
Switch#switch 2 priority 13

Switch#show switch
Switch#   Role    Mac Address     Priority Version  State
-------------------------------------------------------------------------------------
*1       Active 14     V08     Ready
2       Standby 13     V08     Ready

그리고 장비에 설정값을 저장 합니다

Switch#wr
Building configuration...
[OK]

지금까지 C9300 Stack 관련해서 알아보았습니다.

글을 읽어주셔서 감사합니다.

저작자표시 (새창열림)

'CISCO > 스위칭' 카테고리의 다른 글

[C9300-#1]- Traditional mode/Smart Licensing mode/Smart Licensing with the use of Policy mode (0)	2025.02.03
Cisco IOS recommendation (0)	2025.01.11
C9300 - Configure SSH2 (0)	2024.10.24
C9300-Stack Switch IOS Upgrade (1)	2024.10.24
Cat9300L Switch License Registration to cisco CSSM (0)	2024.10.02

안녕하세요.

오늘은 기존에 설치 되어진 WLC에다가 AP만 추가하는 방법에 대해서 알아보도록 하겠습니다.

현재 고객사에서 C9800L WLC를 사용하고 있습니다. 기존에 사용하고 있는 오래된 AP를 제거 하고 C9120AXI-S를 설치 해보겠습니다.

1. WLC를 Datacenter에 설치되어져 있습니다

2. AP는 Office에 설치 할 예정입니다. 물리적으로 떨어져있고 같은 L2 Domain이 아니기때문에 자동으로 AP가 등록 되지 않습니다.

3. 현재 고객사는 AP MGMT를 수동으로 IP를 설정 하고 있습니다.

option1: DHCP option를 사용해서 자동으로 AP가 WLC에 등록 하는 방법

option2: AP에 Static IP를 설정하고 WLC IP를 수동으로 입력 합니다

그리고 WLC에서 AP MAC를 등록하고 어떤 Profile를 적용 할지 입력합니다.

현재 고객사가 option2를 사용하고 있기 떄문에 Option2를 사용하여 AP를 기존에 있는 WLC에 등록해보겠습니다.

1. AP를 POE 스위치에 연결하고 노트북 콘솔케이블을 AP에 연결합니다

또는 파워어탭터를 AP에 연결하고 콘솔케이블을 AP에 연결합니다.

AP 설정

capwap ap hostname CISCO-AP-01
capwap ap ip 10.1.1.10 255.255.255.0 10.1.1.254
capwap ap primary-base CISCO-WLC-01 10.2.1.10

capwap ap hostname CISCO-AP-02
capwap ap ip 10.1.1.11 255.255.255.0 10.1.1.254
capwap ap primary-base CISCO-WLC-01 10.2.1.10

capwap ap hostname CISCO-AP-03
capwap ap ip 10.1.1.12 255.255.255.0 10.1.1.254
capwap ap primary-base CISCO-WLC-01 10.2.1.10

capwap ap hostname CISCO-AP-04
capwap ap ip 10.1.1.13 255.255.255.0 10.1.1.254
capwap ap primary-base CISCO-WLC-01 10.2.1.10

WLC설정하기 전에 AP4대에 MAC를 확인합니다.

WLC 설정

ap xxxx.xxxx.xxxx
policy-tag office-PolicyTag
site-tag office
rf-tag default-rf-tag

ap xxxx.xxxx.xxxx
policy-tag office-PolicyTag
site-tag office
rf-tag default-rf-tag

ap xxxx.xxxx.xxxx
policy-tag office-PolicyTag
site-tag office
rf-tag default-rf-tag

ap xxxx.xxxx.xxxx
policy-tag office-PolicyTag
site-tag office
rf-tag default-rf-tag

그리고 고객사 사용하고 있는 천장에 AP를 제거 하고 새 AP를 설치 합니다.

처음에 AP가 WLC에 연결되면 Firmware upgrade 또는 Firmware downgrade때문에 자동으로 AP가 여러번 재부팅 됩니다.

그리고 WLC GUI에 로그인해서 확인해보면 아래와 같이 연결 완료를 확인 할수 있습니다.

고객사 정보 때문에 아래 제한적으로 사진을 캡처 했습니다. 아래 사진처럼 초록색으로 연결 완료 확인 가능 합니다.

AP 색을 확인해보면 초록색이면 정상적으로 WLC에 연결이 되었습니다.

유저가 AP에 접속하면 색이 파랑색으로 표시가 됩니다.

초록색 또는 파랑색은 정상적으로 AP가 WLC에 등록되어 동작중입니다.

지금까지 글을 읽어주셔서 감사합니다.

저작자표시 (새창열림)

'CISCO > 무선' 카테고리의 다른 글

[C9800CL][#6]-AP hostname를 이용해서 Tag 할당하기 (0)	2024.12.24
[C9800CL][#5]-AP Join Process - DHCP option 43 (1)	2024.12.24
[C9800CL][#4]-AP Join Process - Manual Method (0)	2024.12.24
[C9800CL][#3]-AP Join Process (0)	2024.12.24
[C9800CL][#1]-WLC Configuration Setup Wizard (0)	2024.10.08

안녕하세요.

오늘은 C9800CL WLC configuration Setup Wizard을 알아보겠습니다.

테스트를 위해서는 C9800CL를 EVE-NG에 설치해야 합니다.

이전 강의를 참고 부탁드립니다.

https://itblog-kr.tistory.com/50

[2024][EVE-NG #18] EVE-NG에 C9800CL Install

안녕하세요. 오늘은 EVE-NG #18- EVE-NG에 C9800CL WLC를 설치 하겠습니다. EVE-NG 공식 문서는 아래와 같습니다.https://www.eve-ng.net/index.php/documentation/howtos/cisco-wireless-c9800-cl/ Cisco Wireless C9800-CL -Versions this

itblog-kr.tistory.com

기본적은 토폴로지는 아래와 같습니다.

WLC - G1 - MGMT IP - VRF MGMT를 생성해서 MGMT Traffix이랑 Data Traffic를 분리하였습니다. 설정 방법은 이전 강의를 참고 부탁드립니다

IP: 192.168.10.227

WLC - G2 - Data Traffic 입니다.

1. WLC 장비를 GUI를 통해서 접속 합니다.

https://192.168.10.227

Deployment Mode: Standalone

Hostname: 적절한 WLC이름을 지정합니다

Country: 설치하고자 하는 나라를 선택합니다.

Date: 오늘 날짜를 선택 합니다.

Time: Timezone를 선택합니다.

NTP Servers - NTP서버를 선택합니다.

MGMT interface 변경을 원하면 수정 합니다.

Static Route Setting: CLI모드에서 추가 했기때문에 수정 할 필요가 없습니다.

만약에 Static Route를 수정를 원하시면 변경 가능 합니다.

0.sg.pool.ntp.org - 203.123.48.1
1.sg.pool.ntp.org - 167.172.70.21
2.sg.pool.ntp.org - 106.10.186.200
3.sg.pool.ntp.org - 203.123.48.1

Next를 클릭하면 Wireless Network Settings 표시 됩니다

2. Add버튼을 클릭해서 Wireless Network를 추가합니다.

Network Name: TEMP-WLC1

Network Type: Employee

Security: WPA2 Personal

Pre-Shared Key: CiscoCisco

3. Next 버튼을 클릭 합니다.

4. RF-GROUP Name: LM-RG1

AP Certificate

Signature Algorithm - SHA256

Password: CiscoCisco

그리고 Summary 버튼을 클릭 합니다.

5. Click Finish버튼을 클릭 합니다.

6. 아래처럼 경고 메시지가 뜨는데 Yes 버튼을 클릭 합니다.

7. 페이지가 자동으로 새로고침 되면서 아래처럼 로그인 페이지를 확인 가능 합니다.

8. 로그인하면 아래처럼 확인가능합니다.

현재는 테스트 AP가 없기떄문에 Access-points에 숫자가 0으로 표시 됩니다.

지금까지 9800CL 초기 기본 설정에 대해서 확인 하였습니다.

지금까지 글을 읽어주셔서 감사합니다.

저작자표시 (새창열림)

'CISCO > 무선' 카테고리의 다른 글

[C9800CL][#6]-AP hostname를 이용해서 Tag 할당하기 (0)	2024.12.24
[C9800CL][#5]-AP Join Process - DHCP option 43 (1)	2024.12.24
[C9800CL][#4]-AP Join Process - Manual Method (0)	2024.12.24
[C9800CL][#3]-AP Join Process (0)	2024.12.24
[C9800CL][#2]-AP Installation with existing WLC (1)	2024.10.23

안녕하세요.

오늘은 Fortigate license를 추가적으로 Forticloud에 등록 하는 방법에 대해서 알아보겠습니다.

Forticloud를 접속합니다.

https://www.forticloud.com

LoginMgr

login.forticloud.com

1. Services 클릭

2. Asset Management 클릭합니다.

3. Products -> Product List 선택합니다.

4. 장비 또는 장비 박스에서 시리얼 번호를 확안하고 Product list에서 검색합니다.

장비에서 시리얼번호를 확인하는 방법은 아래와 같습니다.

Dashboard -> Status -> Serial Number 옆에 copy모양을 클릭합니다.

5. 시리얼번호를 입력하면 아래와 같이 장비가 검색됩니다. 시리얼을 클릭 합니다.

6. Add Licenses를 클릭 합니다.

7. Registration Code를 확인합니다.

라이센스를 구매하면 구매한 벤더로부터 라이센스 PDF파일을 받는데, 이 파일을 오픈 합니다.

아래같은 정보를 확인할수 있는데 Contract Registration Code를 복사합니다.

8. 코드를 입력하고 Next 버튼을 클릭 합니다.

9. 라이센스 적용후 다시 시리얼번호를 클릭하고 라이센스 정보를 확인 가능 합니다.

10. 포티넷 방화벽 장비를 로그인 후 라이센스를 확인해보면

아래 처럼 UTM 라이센스가 적용이 안되었는데, 시간이 좀 지나고 forticloud라이센스를 동기화 하면 라이센스 업데이트 된 것을 확인 가능 합니다.

11. 만약에 갱신이 안되었다면 아래처럼 Update license & Defiinitons now 버튼을 클릭 합니다.

버튼을 클릭해서 곧바로 업데이트가 안되고 약 10~20분 기다리면, 업데이트 됩니다.

저작자표시 (새창열림)

'FORTINET > FORTIGATE 방화벽' 카테고리의 다른 글

[Fortigate-#4]-Site to Site VPN-Manual Setup (1)	2024.11.07
[Fortigate-#3]-Site to Site VPN with Wizard-Detail (0)	2024.11.07
[Fortigate-#2]-Site to Site VPN with Wizard (1)	2024.11.06
[Fortigate-#1]-MGMT IP Configuration (0)	2024.11.06
[Fortigate]-Firewall register to FortiCloud (0)	2024.10.06

안녕하세요.

오늘은 EVE-NG #18- EVE-NG에 C9800CL WLC를 설치 하겠습니다.

EVE-NG 공식 문서는 아래와 같습니다.

https://www.eve-ng.net/index.php/documentation/howtos/cisco-wireless-c9800-cl/

Cisco Wireless C9800-CL -

Versions this guide is based on: EVE Image Foldername Downloaded Filename Version CPU RAM NIC Type NICs c9800cl-17.04.01 C9800-CL-universalk9.17.04.01.iso XE IOS C9800-CL-universalk9.17.04.01 4 4096 VMXNET3 3 Instructions Other versions should also be supp

www.eve-ng.net

1. EVE-NG에 SSH로 접속합니다.

root@eve-ng:~# mkdir /opt/unetlab/addons/qemu/c9800cl-17.04.01
root@eve-ng:~# cd /opt/unetlab/addons/qemu/c9800cl-17.04.01
root@eve-ng:/opt/unetlab/addons/qemu/c9800cl-17.04.01#

2. 이미지 파일을 EVE-NG에 전송합니다.

WINSCP를 설치 해야 한다면 아래링크를 클릭후 WINSCP를 설치 합니다.

https://winscp.net/eng/index.php

WinSCP

WinSCP is a popular free SFTP and FTP client for Windows, a powerful file manager that will improve your productivity. It supports also local-local mode and FTPS, S3, SCP and WebDAV protocols. Power users can automate WinSCP using .NET assembly.

winscp.net

폴더 위치는 아래와 같습니다.

/opt/unetlab/addons/qemu

그리고 폴더를 생성할때 아래와 같은 형식이어야 합니다.

c9800cl-

3. HDD를 생성합니다.

root@eve-ng:/opt/unetlab/addons/qemu/c9800cl-17.04.01# /opt/qemu/bin/qemu-img create -f qcow2 virtioa.qcow2 16G
root@eve-ng:/opt/unetlab/addons/qemu/c9800cl-17.04.01# ls -l
total 878884
-rw-r--r-- 1 root root 899770368 Apr 2 02:08 C9800-CL-universalk9.17.04.01.iso
-rw-r--r-- 1 root root 197120 Apr 2 11:22 virtioa.qcow2
root@eve-ng:/opt/unetlab/addons/qemu/c9800cl-17.04.01#

4. 빈 하드에 C9800-CL를 설치 합니다.

/opt/qemu-2.2.0/bin/qemu-system-x86_64 -nographic -drive file=virtioa.qcow2,if=virtio,bus=0,unit=0,cache=none -machine type=pc-1.0,accel=kvm -serial mon:stdio -nographic -nodefconfig -nodefaults -rtc base=utc -cdrom C9800-CL-universalk9.17.04.01.iso -boot order=dc -m 4096

5. 두번째를 선택하고 Enter를 누릅니다.

Press any key to continue.
Press any key to continue.
Press any key to continue.

         GNU GRUB  version 2.02

+-------------------------------------------------------------------------+
|  C9800-CL Virtual (VGA) Console - 2020-11-27_00.00                      |
|  *C9800-CL Serial Console - 2020-11-27_00.00                            |
|                                                                         |
|                                                                         |
|                                                                         |
|                                                                         |
|                                                                         |
|                                                                         |
|                                                                         |
|                                                                         |
|                                                                         |
|                                                                         |
+-------------------------------------------------------------------------+

6. 아래 처럼 메시지가 보이면 ctrl+a를 누르고 c를 선택합니다.

*Aug 22 18:19:33.393: %IOSXEBOOT-4-BOOT_SRC: (rp/0): CD-ROM Boot
*Aug 22 18:19:33.417: %IOSXEBOOT-4-BOOT_CDROM: (rp/0): Using Serial console
*Aug 22 18:19:33.437: %IOSXEBOOT-4-BOOT_CDROM: (rp/0): Installing GRUB to /dev/bootflash
*Aug 22 18:19:34.130: %IOSXEBOOT-4-BOOT_CDROM: (rp/0): Copying image to /boot
*Aug 22 18:19:37.777: %IOSXEBOOT-4-BOOT_CDROM: (rp/0): Copying image to /bootflash
*Aug 22 18:19:42.965: %IOSXEBOOT-4-BOOT_CDROM: (rp/0): Creating grub configuration
*Aug 22 18:19:45.443: %IOSXEBOOT-4-BOOT_CDROM: (rp/0): Ejecting CD-ROM tray
*Aug 22 18:19:45.459: %IOSXEBOOT-4-BOOT_CDROM: (rp/0): CD-ROM Installation finished
*Aug 22 18:19:45.466: %IOSXEBOOT-4-BOOT_CDROM: (rp/0): Rebooting from HD

7. 아래처럼 qemu가 표시되면 아래와 같이 quit를 입력하고 엔터를 누릅니다.

(qemu) quit

8. ISO media파일을 삭제하고 권환을 수정 합니다.

root@eve-ng:/opt/unetlab/addons/qemu/c9800cl-17.04.01# ls
C9800-CL-universalk9.17.04.01.iso virtioa.qcow2
root@eve-ng:/opt/unetlab/addons/qemu/c9800cl-17.04.01# rm C9800-CL-universalk9.17.04.01.iso
root@eve-ng:/opt/unetlab/addons/qemu/c9800cl-17.04.01# ls
virtioa.qcow2
root@eve-ng:/opt/unetlab/addons/qemu/c9800cl-17.04.01# /opt/unetlab/wrappers/unl_wrapper -a fixpermissions

9. eve-ng를 접속 합니다.

노드를 추가합니다.

저는 인터넷도 연결하기 위해서 아래와 같이 Cloud가 추가 하여서 케이블은 연결 하였습니다

Gi: MGMT

Gi: DATA

1. MGMT VRF 추가하기

vrf definition MGMT
!
address-family ipv4
exit-address-family

2. Interface Ip설정

interface GigabitEthernet1
no switchport
vrf forwarding MGMT
ip address 192.168.10.227 255.255.255.0
negotiation auto
no mop enabled
no mop sysid

3. 라우팅 테이블 추가

ip route vrf MGMT 0.0.0.0 0.0.0.0 192.168.10.253

4. GUI로그인 유저 생성

username kevin privilege 15 secret <Password>

5. ping to WLC from laptop

6. Access 9800-CL WLC - https://192.168.10.227

7. 아까 CLI에서 생성한 username라 비밀번호를 입력합니다.

아래 사진처럼 기본 설정 페이지가 표시 되면 정상적으로 C9800CL 동작중입니다.

지금까지 C9800CL를 EVE-NG에 설치하고 GUI로 접속 하는 방법에 대해서 알아보았습니다.

저작자표시 (새창열림)

'EVE-NG' 카테고리의 다른 글

[2024][EVE-NG #19] PaloAlto 설치하기 (0)	2025.01.11
[2024][EVE-NG #18] Virtual PC(VPCS) (0)	2024.11.06
[2024][EVE-NG #17] Upgrade EVE-NG version (0)	2024.07.18
[2024][EVE-NG #16] Juniper QFX 스위치 설치하기 (0)	2024.07.12
[2024][EVE-NG #15] Juniper MX 라우터 설치하기 (0)	2024.07.11

안녕하세요.

오늘은 Fortigate 방화벽을 fortiCloud에 등록해서 라이센스등을 적용시켜보겠습니다.

회사에서 사용하는 Forticloud계정이나 고객사가따로 포티넷 방화벽및 다른 제품을 직접 관리하면 고객사 계정으로 포티넷 클라우드를 접속합니다. 계정이 없으신분은 계정을 따로 만드셔야 합니다.

아래처럼 FortiCloud를 접속하고 로그인 합니다.

https://www.forticloud.com

LoginMgr

login.forticloud.com

로그인 하고 Services -> Asset Mangement를 클릭합니다

Product List를 클릭하고 Register More 버튼을 클릭합니다.

시리얼 번호를 확인합니다.

시리얼 번호 확인하는 방법

1. 박스에서 시리얼 번호 확인하기

2. Fortigate Firewall 장비에서 시리얼 확인하기.

3. 콘솔포트를 Console에 연결해서 CLI 모드에서 시리얼 확인하기

4. 케이블을 port1에 연결하면 fortigate 방화벽에 192.168.1.1 DHCP로 할당합니다

그리고 https://192.168.1.99 접속해서 GUI상에서 장비 시리얼 번호 확인하기

1. 시리얼 입력

2. non-government user 선택

3. Next 버튼을 클릭 합니다.

1. Forticloud Key키를 입력합니다. 장비 맨 윗부분에 보면 Forticloud Key를 확인 할수 있습니다.

2. Fortinet Partnet를 선택합니다.

3. 그리고 next버튼을 클릭합니다.

1. 아래 부분를 체크 합니다.

By accepting thses terms, you are activating this support contract and the entitlement period provided can not be changed, if you wish to continue, click "confirm".

2. 그리고 Confirm를 선택합니다.

그리고 등록한 장비를 FortiClud 에서 Product List에 시리얼 번호를 입력하면 검색이 가능 합니다.

Fortigate장비를 WAN포트에 인터넷을 연결하면 장비가 FortiCloud에 자동으로 등록 되면서 라이센스및 contract이 자동으로 등록 됩니다.

이부분은 추후에 다시 업데이트 하겠습니다.

감사합니다.

저작자표시 (새창열림)

'FORTINET > FORTIGATE 방화벽' 카테고리의 다른 글

[Fortigate-#4]-Site to Site VPN-Manual Setup (1)	2024.11.07
[Fortigate-#3]-Site to Site VPN with Wizard-Detail (0)	2024.11.07
[Fortigate-#2]-Site to Site VPN with Wizard (1)	2024.11.06
[Fortigate-#1]-MGMT IP Configuration (0)	2024.11.06
[Fortigate]-add new license into forticloud (0)	2024.10.07

안녕하세요.

오늘은 Cat9300L 스위치 라이센스를 CSSM에 등록하는 방법에 대해서 알아보겠습니다.

1. Traditional 방식

2. Smart License

3. Smart License Using Policy

위에 3가지 방법에 대해서는 추후에 자세히 설명 하도록 하겠습니다.

현재 구매한 스위치에 디폴트로 어떤 라이센스 방식을 사용 하는지 확인해보겠습니다.

아래 처럼 Smart License Using Policy 방식을 사용 하고 있습니다.

TSIWL-CSW-01#show license status
Utility:
Status: DISABLED

Smart Licensing Using Policy:
Status: ENABLED

현재 사용하고 있는 IOSXE버전은 아래와 같습니다.

Switch Ports Model              SW Version        SW Image              Mode
------ ----- -----              ----------        ----------            ----
*    1 29    C9300L-24T-4G      17.12.03          CAT9K_IOSXE           INSTALL

1. 라이센스를 등록하기전에 라이센스가 CSSM - Cisco Account에 등록 되어져 있어야 합니다.

2. CSSM서버에 통신이 가능한지 확인 합니다.

TSIWL-CSW-01#telnet smartreceiver.cisco.com 443
Trying smartreceiver.cisco.com (72.163.15.144, 443)... Open

3. 스위치에 기본 설정을 합니다

TSIWL-CSW-01(config)#license smart transport smart
TSIWL-CSW-01(config)#license smart url default
TSIWL-CSW-01#wr

4. CSSM 로그인후 New Token 클릭 합니다.

5. Create Token 클릭 합니다.

6. 생성된 키를 복사합니다

7. Key를 Cisco 스위치에 등록 합니다.

TSIWL-CSW-01#license smart trust idtoken <copy the token> all force

8. 라이센스 상태를 확인 합니다

Trust Code에보면 정상적으로 라이센스가 설치 된것을 확인 가능 합니다

TSIWL-CSW-01#show license status

Utility:
  Status: DISABLED

Smart Licensing Using Policy:
  Status: ENABLED

Account Information:
  Smart Account: **** you can see your SA account *** As of Oct 02 11:43:47 2024 UTC
  Virtual Account: *** the VA account also show ***

Trust Code Installed:
  Active: PID:C9300L-24T-4G,SN:
    INSTALLED on Oct 02 11:43:35 2024 UTC
  Standby: PID:C9300L-24T-4G,SN:
    INSTALLED on Oct 02 11:43:36 2024 UTC

9. CSSM에서 라이센스 확인하기

저작자표시 (새창열림)

'CISCO > 스위칭' 카테고리의 다른 글

[C9300-#1]- Traditional mode/Smart Licensing mode/Smart Licensing with the use of Policy mode (0)	2025.02.03
Cisco IOS recommendation (0)	2025.01.11
C9300 - Configure SSH2 (0)	2024.10.24
C9300-Stack Switch IOS Upgrade (1)	2024.10.24
Cat9300 Switch Stack Installation (1)	2024.10.24

안녕하세요.

오늘은 [ISR4221]-Performance License Install(SLR) 입니다.

고객사에 라우터가 인터넷 접속이 불가능 하여 offline 방식으로 라이센스를 설치해보겠습니다.

Step1 장비 버전 확인 -Smart license 지원

BDKDD02#show version
Cisco IOS XE Software, Version 16.06.08

Step2 Smart license disable

BDKDD02(config)#no license smart enable

Step3 download PAK file from CSSM

시리얼번호는 보안상으로 *처리 하였습니다.

BDKDD02#license smart reservation request local
Enter this request code in the Cisco Smart Software Manager portal:
UDI: PID:ISR4221/K9,SN:FJC**********
Request code: BC-ZISR4221/K9:FJC*********-AfSn9CzT1-76

Step4 CSSM 접속후 라이센스 다운로드

고객사 정보가 있어서 생략 하였습니다.

Step5 USB에 라이센스 파일 저장하기

Step6 USB를 라우터에 삽입하기

Step7 USB 라이센스 확인

BDKDD02#dir usb0:
Directory of usb0:/

54 -rwx 2184 Jul 11 2024 06:24:56 +00:00 FJC***********_20240710110756.lic

Step8 라이센스를 장비에 복사하기

BDKDD02#copy usb0:FJC*******_20240710110756.lic flash:
Destination filename [FJC******_20240710110756.lic]?
Copy in progress...C
2184 bytes copied in 0.057 secs (38316 bytes/sec)

Step9 Flash메모리에 라이센스 제대로 복사 되었는지 확인하기

BDKDD02#dir flash:
Directory of bootflash:/

23 -rw- 2184 Jul 11 2024 08:46:32 +00:00 FJC*******_20240710110756.lic

Step10 라우터 성능 확인

BDKDD02#show platform hardware throughput level
The current throughput level is 35000 kb/s

Step11 라이센스 설치

BDKDD02#license install flash:FJC******_20240710110756.lic
Installing licenses from "flash::FJC******_20240710110756.lic"
Installing...Feature:ipbasek9...Failed:
% Error: Duplicate license
Installing...Feature:throughput...Successful:Supported
1/2 licenses were successfully installed
1/2 licenses were existing licenses
0/2 licenses were failed to install

BDKDD02#
*Jul 11 08:48:39.268: %LICENSE-6-INSTALL: Feature throughput 1.0 was installed in this device. UDI=ISR4221/K9:FJC******; StoreIndex=1:Primary License Storage

Step12 저장후 장비 재부팅

BDKDD02#wr
Building configuration...

[OK]
BDKDD02#reload

Step13 Throughput 75Mbps 변경하기

BDKDD02(config)#platform hardware throughput level 75000

Step14 저장하고 재부팅

BDKDD02#wr
Building configuration...

*Jul 12 06:14:58.126: %SYS-5-CONFIG_I: Configured from console by console[OK]
BDKDD02#
BDKDD02#
*Jul 12 06:15:04.098: %SYS-2-PRIVCFG_ENCRYPT: Successfully encrypted private config filereload
Proceed with reload? [confirm]

Step15 확인하기

BDKDD02#show platform hardware throughput level
The current throughput level is 75000 kb/s

Throughput이 75Mbps 변경되었습니다.

저작자표시 (새창열림)

'CISCO > 라우팅' 카테고리의 다른 글

[2025][C8200][#3] Reset Smart license (0)	2025.03.04
[2025][C8200][#2] Register License to CSSM - smart licensing using policy (0)	2025.02.13
[2025][C8200][#1] Router IOS XE upgrade (0)	2025.02.10
[ISR4221]-Cisco Router IOS Upgrade (2)	2024.07.29

안녕하세요.

이번에는 CISCO ISR4221 IOS Upgrade입니다.

실제 장비에 콘솔을 접속해서 IOS 버전을 확인합니다.

BDKDD02#show version
Cisco IOS XE Software, Version 16.06.08
Cisco IOS Software [Everest], ISR Software (X86_64_LINUX_IOSD-UNIVERSALK9_IAS_NPE-M), Version 16.6.8, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2020 by Cisco Systems, Inc.
Compiled Thu 23-Apr-20 19:06 by mcpre

현재 IOS XE Softwae version은 16.06.08 입니다.

Cisco 웹사이트에 접속해서 현재 Cisco 추천하는 IOS XE 버전을 확인합니다.

https://software.cisco.com/download/home/286310700/type/282046477/release/Everest-16.6.4

위에 사진처럼 IOS XE software version에 별 모양이 있으면 현재 기준으로 시스코에서 권장하는 IOS버전입니다.

Step1 - Download IOS 파일

저는 ISR 4200 Series IOS XE Universal - no Payload Encryption를 다운로드하겠습니다.

Step2 - IOS파일 USB에 복사

그리고 USB를 통해서 이미지 파일을 업로드합니다.

Step3 - USB를 라우터에 연결합니다.

BDKDD02#
*Jul 11 05:20:04.520: %IOSD_INFRA-6-IFS_DEVICE_OIR: Device usb0 added

콘손 프로그램을 확인하면 usb0이 인식되었습니다.

BDKDD02#dir usb0:
Directory of usb0:/

53 -rwx 705554857 Jul 11 2024 13:05:50 +00:00 isr4200-universalk9_ias_npe.17.06.06a.SPA.bin

dir usb0: 커맨드를 입력하면 IOS파일 확인 가능합니다.

Step4: 이미지 파일을 라우터에 복사합니다.

BDKDD02#copy usb0:isr4200-universalk9_ias_npe.17.06.06a.SPA.bin flash:
Destination filename [isr4200-universalk9_ias_npe.17.06.06a.SPA.bin]?
Copy in progress...CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
705554857 bytes copied in 42.189 secs (16723669 bytes/sec)
BDKDD02#

실제 IOS파일이 제대로 복사되었는지 확인합니다.

BDKDD02#dir flash:
Directory of bootflash:/

   11  -rw-        479963020  Feb 29 2024 13:22:21 +00:00  isr4200-universalk9_ias_npe.16.06.08.SPA.bin
169345  drwx             4096  Jul 11 2024 03:10:05 +00:00  .installer
153217  drwx             4096  Feb 29 2024 13:26:50 +00:00  .ssh
88705  drwx             4096  Feb 29 2024 13:29:43 +00:00  core
64513  drwx             4096  Jul 11 2024 03:12:36 +00:00  .prst_sync
80641  drwx             4096  Feb 29 2024 13:27:04 +00:00  .rollback_timer
   12  -rw-                0  Feb 29 2024 13:27:20 +00:00  tracelogs.Dde
322561  drwx            24576  Jul 11 2024 04:38:11 +00:00  tracelogs
   14  -rw-               34   Jul 9 2024 05:57:22 +00:00  pnp-tech-time
225793  drwx             4096  Feb 29 2024 13:28:15 +00:00  virtual-instance
   13  -rw-               30  Jul 11 2024 03:12:37 +00:00  throughput_monitor_params
   15  -rw-            53302   Jul 9 2024 05:57:31 +00:00  pnp-tech-discovery-summary
   16  drwx             4096   Jul 9 2024 05:53:18 +00:00  lost+found
   17  -rw-        705554857  Jul 11 2024 05:23:22 +00:00  isr4200-universalk9_ias_npe.17.06.06a.SPA.bin

Step5 파일 무결성 확인

BDKDD02#verify flash:isr4200-universalk9_ias_npe.17.06.06a.SPA.bin
Verifying file integrity of bootflash:isr4200-universalk9_ias_npe.17.06.06a.SPA.bin......
Embedded Hash   SHA1 : 87DE4342A2105C5B4A51261F18FF8F1F86DF5361
Computed Hash   SHA1 : 87DE4342A2105C5B4A51261F18FF8F1F86DF5361
Starting image verification
Hash Computation:    70 %
*Jul 11 06:06:54.615: %PLATFORM-4-ELEMENT_WARNING:  SIP0: smand:  RP/0: Used Memory value 89% exceeds warning level100%Done!
Computed Hash   SHA2: 7245b84636792432ce7d79c4715f6261
                      12be90a195fa9d8d1ab4f29d559ef20c
                      70f5993df11344d056520fab0588da60
                      2573f1ba6a9d2e2d8f648a37bb69bd19

Embedded Hash   SHA2: 7245b84636792432ce7d79c4715f6261
                      12be90a195fa9d8d1ab4f29d559ef20c
                      70f5993df11344d056520fab0588da60
                      2573f1ba6a9d2e2d8f648a37bb69bd19

Digital signature successfully verified in file bootflash:isr4200-universalk9_ias_npe.17.06.06a.SPA.bin

BDKDD02#

Step6 - IOS XE 변경

BDKDD02(config)# boot system flash:isr4200-universalk9_ias_npe.17.06.06a.SPA.bin

Step7 - 저장

BDKDD02#wr
Building configuration...

Step8 - 설정값 확인

BDKDD02#show run | in boot
boot-start-marker
boot system flash:isr4200-universalk9_ias_npe.17.06.06a.SPA.bin
boot-end-marker
license boot level appxk9
license boot level securityk9_npe
diagnostic bootup level minimal

Step9 - 재부팅

BDKDD02#reload

Step10- 재부팅 후 version 확인

BDKDD02#show version
Cisco IOS XE Software, Version 17.06.06a
Cisco IOS Software [Bengaluru], ISR Software (X86_64_LINUX_IOSD-UNIVERSALK9_IAS_NPE-M), Version 17.6.6a, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2023 by Cisco Systems, Inc.
Compiled Fri 20-Oct-23 18:26 by mcpre

위와 같이 업그레이드 완료 되었습니다.

지금까지 [ISR4221]-Cisco Router IOS Upgrade 글을 읽어주셔서 감사합니다.

저작자표시 (새창열림)

'CISCO > 라우팅' 카테고리의 다른 글

[2025][C8200][#3] Reset Smart license (0)	2025.03.04
[2025][C8200][#2] Register License to CSSM - smart licensing using policy (0)	2025.02.13
[2025][C8200][#1] Router IOS XE upgrade (0)	2025.02.10
[ISR4221]-Performance License Install(SLR) (0)	2024.07.30

안녕하세요.

오늘은 [2024][Juniper SRX #16] password recovery입니다.

기존에 사용하던 방화벽 또는 새로운 구축 또는 유지보수 고객사 방화벽 장비 로그인 정보를 모를 때 password recovery를 진행해야 합니다.

EVE-NG에서 Juniper vSRX를 실행하고 패스워드 리커버리를 테스트할 수 있습니다.

자세한 내용은 주니퍼 홈페이지를 참고 부탁드립니다.

https://www.juniper.net/documentation/us/en/software/junos/user-access/topics/topic-map/recovering-root-password.html

Recover a Root Password | Junos OS | Juniper Networks

If you forget the root password for the router, you can use the password recovery procedure to reset the root password. Before you begin, note the following: You need console access to recover the root password. To recover the root password:

www.juniper.net

토폴로지입니다.

기본 설정 다 지우고 root 패스워드는 juniperjunuper로 설정합니다.

root> configure
Entering configuration mode

[edit]
root# delete
This will delete the entire configuration
Delete everything under this level? [yes,no] (no) yes

[edit]
root# set system or
^
syntax error.
root# set system root-authentication plain-text-password
New password:
Retype new password:

[edit]
root# set system host-name srx
root# commit
commit complete

[edit]
root#

그리고 패스워드를 까먹었다고 가정하겠습니다.

root@firewall:~ # cli
root@srx> exit

root@firewall:~ # exit
logout

FreeBSD/amd64 (srx) (ttyu0)

login: root
Password:
Login incorrect
login: ^C

1. 장비를 콘솔 케이블에 연결합니다.

2. putty 또는 Crt 프로그램을 실행하고 장비에 접속합니다.

3. 장비를 재부팅합니다. 파워케이블을 제거 후 다시 연결합니다.

4. Ctrl-C를 입력합니다.

제때 입력하지 못하면 장비가 부팅됩니다.

다시 전원코드를 제거 후 다시 연결합니다.

저희는 eve-ng에서 테스트하기 때문에, 장비를 power off 하고 power on 합니다.

Autoboot in 1 seconds... (press Ctrl-C to interrupt)

Choice:
Main Menu

1.  Boot [J]unos volume
2.  Boot Junos volume in [S]afe mode

3.  [R]eboot

4.  [B]oot menu
5.  [M]ore options

Choice:

그리고 M를 입력합니다.

Options Menu

1.  Recover [J]unos volume
2.  Recovery mode - [C]LI

3.  Check [F]ile system

4.  Enable [V]erbose boot

5.  [B]oot prompt

6.  [M]ain menu

Choice:

그리고 C를 입력합니다.

부팅이 완료될 때까지 기다립니다.

Choice:
Booting Junos in CLI recovery mode ...
Verified /boot/manifest signed by PackageProductionECP256_2021
Verified /boot/loader.rc
Verified /boot/support.4th
Verified /boot/load-dtb.4th
Verified /boot/platform.4th
Verified /boot/platform-load-dtb.4th
-
/ yymmss==[[00xx8++00xx88++00]]  33dd33bb-- boooott//oosddaattaa==ddaattaa==00xx44ffff118eexxtt==00xx5577ee337744  -- siiggnneedd  bby888  || ioonnEECCPP225566__22002211 netstack/../manifest signed by PackageProductionECP256_2021
Veerriiffiieedd  //ppaacckkaaggeess//sseettss//aaccttiivvee//bboooott//ooss--kkeerrnneell//kkeerrnneell
Veerriiffiieedd  //ppaacckkaaggeess//sseettss//aaccttiivvee//bboooott//ooss--vvmmgguueesstt//iinniitt..44tthh
-  ified /packages/sets/active/boot/junos-modules/init.4th
\- ified /packages/sets/active/boot/junos-net-platform/../manifest signed by PackageProductionECP256_2021
Verified /packages/sets/active/boot/junos-vmguest-platform/../manifest signed by PackageProductionECP256_2021
VVeerriiffiieedd  //ppaacckkaaggeess//sseettss//aaccttiivvee//bboooott//ooss--kkeerrnneell//....//mmaanniiffeesstt  ssiiggnneedd  bbyy  PPaacckkaaggeePPrrooddu

부팅이 완료되면, 로그인 없이 바로 root> 모드입니다.

패스워드를 수정합니다. 그리고 재부팅합니다.

이유는 현재 모드는 password recovery 모드입니다.

NOTE: the 'configure' command to make any required changes. For example,
NOTE: to reset the root password, type:
NOTE:    configure
NOTE:    set system root-authentication plain-text-password
NOTE:    (enter the new password when asked)
NOTE:    commit
NOTE:    exit
NOTE:    exit
NOTE: When you exit the CLI, you will be in a shell.
Starting CLI ...

root> configure
root# set system root-authentication plain-text-password
New password:
error: require change of case, digits or punctuation

[edit]
root# set system root-authentication plain-text-password
New password:
Retype new password:

[edit]
root# commit
commit complete

[edit]
root@srx# exit
Exiting configuration mode

root@srx> request system reboot
Reboot the system ? [yes,no] (no) yes

Jun 23 11:12:02 shutdown 16997 - - reboot requested by root at Sun Jun 23 11:12:02 2024
Shutdown NOW!
[pid 16997]
Jun 23 11:12:02 shutdown 16997 - - reboot by root:
Waiting (max 60 seconds) for system process `vnlru' to stop... done
Waiting (max 60 seconds) for system process `syncer' to stop...
Syncing disks, vnodes remaining... 0

부팅이 완료될 때까지 기다립니다.

password recovery mode에서 변경했던 패스워드로 로그인을 시도합니다.

그리고 interface ge-0/0/0 ip주소를 확인합니다.

password-recovery는 단순히 비밀번호만 수정합니다. 다른 설정값은 그대로 남아 있습니다.

login: root
Password:
Last login: Sun Jun 23 10:42:33 on ttyu0

--- JUNOS 21.3R1.9 Kernel 64-bit XEN JNPR-12.1-20210828.6e5b1bf_buil
root@srx:~ # ci
ci: Command not found.
root@srx:~ # cli
root@srx> show interfaces terse | match ge-0/0
ge-0/0/0                up    up
ge-0/0/0.0              up    up   inet     192.168.1.1/24
ge-0/0/1                up    up
ge-0/0/2                up    up

지금까지 [2024][Juniper SRX #16] password recovery 글을 읽어 주셔서 감사합니다.

저작자표시 (새창열림)

'JUNIPER > SRX 방화벽' 카테고리의 다른 글

[2024][Juniper SRX #18] Firmware recommendation (0)	2025.01.11
[2024][Juniper SRX #17] Firmware Upgrade path (0)	2025.01.07
[2024][Juniper SRX #15] commit and rollback (1)	2024.07.27
[2024][Juniper SRX #14] firewall policy 순서 변경 (0)	2024.07.26
[2024][Juniper SRX #13] firewall policy (0)	2024.07.25

안녕하세요.

오늘은 [2024][Juniper SRX #15] commit and rollback 관련 명령어 대해서 알아보겠습니다.

Juniper 장비는 Cisco랑 다르게 commit 명령어를 실행하지 않으면 설정값 명령어들이 적용이 되지 않습니다.

Ex) Cisco Side

en

conf t

int g0/0

ip add 10.1.1.1 255.255.255.0

no sh

명령어 입력 할 때마다 곧바로 적용됩니다. 하지만 저장되지는 않습니다.

저장하기 위해서는 write memory 또는 copy running-config startup-config 저장해야 합니다.

Ex) Juniper

set interface ge-0/0/0 unit 0 family inet address 10.1.1.1/24

입력하면 설정값이 적용되지 않고 저장도 되지 않습니다.

commit 명령어를 입력해야지 적용됩니다 그리고 commit 동시에 저장도 됩니다.

**********************************

Change Configuration --> Condidate Configuration ----> active configuration

Ex) 만약에 설정값을 추가 삭제 변경 했으며 condidate configuration

Ex) 만약에 Commit를 눌렀으면 active configuration

commit check: 설정값에 이상이 있는지 확인

commit: 설정값 적용 및 저장

commit at: 특정 시간에 commit수행

commit confirmed: 설정값을 commit수행하지만 10분 안에 다시 commit를 수행하지 않으면 이전 설정값으로 돌아갑니다.

commit confirmed 1: 디폴트 값이 10분인데 이 값을 1분으로 변경

자세한 내용은 Juniper 공식 사이트 확인 부탁드립니다.

https://www.juniper.net/documentation/us/en/software/junos/cli/topics/topic-map/junos-configuration-commit.html

Commit the Configuration | Junos OS | Juniper Networks

The device configuration is saved using a commit model—a candidate configuration is modified as desired and then committed to the system. When a configuration is committed, the device checks the configuration for syntax errors, and if no errors are found

www.juniper.net

테스트해 보겠습니다.

토폴로지

ge-0/0/1에 192.168.1.1/24 설정해 보겠습니다.

기본 설정 다 지우기

root> configure
Entering configuration mode

[edit]
root# delete
This will delete the entire configuration
Delete everything under this level? [yes,no] (no) yes

[edit]
root# set system or
^
syntax error.
root# set system root-authentication plain-text-password
New password:
Retype new password:

[edit]
root# commit
commit complete

[edit]
root#

ge-0/0/0 192.168.1.1/24 설정하기

root# set interfaces ge-0/0/0 unit 0 family inet address 192.168.1.1/24

root# run show interfaces terse | match ge-0/0
ge-0/0/0                up    up
ge-0/0/1                up    up
ge-0/0/2                up    up

위에 보시면 commit를 누르지 않으면 설정값이 적용되지 않습니다.

현재 어떤 명령어가 commit를 대기 중인지 확인하는 방법

root# show | compare
[edit]
+  interfaces {
+      ge-0/0/0 {
+          unit 0 {
+              family inet {
+                  address 192.168.1.1/24;
+              }
+          }
+      }
+  }

[edit]
root#

만약에 이 상태에서 exit로 밖으로 나가면 위에 설정값은 사라집니다.

root# exit
The configuration has been changed but not committed
Exit with uncommitted changes? [yes,no] (yes)

no를 선택합니다

commit check은 commit 하기 전에 추가적으로 설정값이 맞는지 확인합니다. 만약에 commit check 없이 바로 commit 했을 때 설정값에 문제가 있다면 error메시지가 출력되면서 commit이 실패합니다.

root# commit check
configuration check succeeds

[edit]
root#

commit 실행

root# commit
commit complete

[edit]
root# exit
Exiting configuration mode

root> show interfaces terse
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
ge-0/0/0.0              up    up   inet     192.168.1.1/24
gr-0/0/0                up    up
ip-0/0/0                up    up
lsq-0/0/0               up    up
lt-0/0/0                up    up
mt-0/0/0                up    up
sp-0/0/0                up    up
sp-0/0/0.0              up    up   inet
                                   inet6
sp-0/0/0.16383          up    up   inet
ge-0/0/1                up    up
ge-0/0/2                up    up
dsc                     up    up
fti0                    up    up
fxp0                    up    up
gre                     up    up
ipip                    up    up
irb                     up    up
lo0                     up    up
lo0.16384               up    up   inet     127.0.0.1           --> 0/0
lo0.16385               up    up   inet     10.0.0.1            --> 0/0
                                            10.0.0.16           --> 0/0
                                            128.0.0.1           --> 0/0
                                            128.0.0.4           --> 0/0
                                            128.0.1.16          --> 0/0
lo0.32768               up    up
lsi                     up    up
mtun                    up    up
pimd                    up    up
pime                    up    up
pp0                     up    up
ppd0                    up    up
ppe0                    up    up
st0                     up    up
tap                     up    up
vlan                    up    down

root>

재부팅합니다. juniper는 commit 하면 명령어 적용과 저장이 됩니다.

재부팅해서 설정값이 유지되는지 확인해 보겠습니다.

request system reboot

부팅이 완료될 때까지 기다립니다.

root> request system reboot
Reboot the system ? [yes,no] (no) yes


*** FINAL System shutdown message from root@ ***

System going down IMMEDIATELY


Stopping cron.
.

부팅이 완료되면 Interface ge-0/0/0 ip를 확인해 보면 그대로 설정 값이 남아 있습니다.

login: root
Password:
Last login: Sun Jun 23 09:53:36 on ttyu0

--- JUNOS 21.3R1.9 Kernel 64-bit XEN JNPR-12.1-20210828.6e5b1bf_buil
root@:~ #
root@:~ #
root@:~ # cli
root>

root> show interfaces terse | match ge-0/0
ge-0/0/0                up    up
ge-0/0/0.0              up    up   inet     192.168.1.1/24
ge-0/0/1                up    up
ge-0/0/2                up    up

commit and-quit - commit를 수행하고 configuration 모드에서 나갑니다.

root# set system host-name srx

[edit]
root# commit and-quit
commit complete
Exiting configuration mode

root@srx>

commit confirmed - hostname firewall 변경하고 commit 수행합니다. 그리고 10분 안에 commit이 다시 한번 없으면 이전 상태로 돌아갑니다.

root@srx# set system host-name firewall

[edit]
root@srx# commit ?
Possible completions:
  <[Enter]>            Execute this command
  activate             Activate a previously prepared commit
  and-quit             Quit configuration mode if commit succeeds
  at                   Time at which to activate configuration changes
  check                Check correctness of syntax; do not apply changes
  comment              Message to write to commit log
  confirmed            Automatically rollback if not confirmed
  peers-synchronize    Synchronize commit on remote peers
  prepare              Prepare for an upcoming commit activation
  |                    Pipe through a command
[edit]
root@srx# commit confirmed
commit confirmed will be automatically rolled back in 10 minutes unless confirmed
commit complete

# commit confirmed will be rolled back in 10 minutes
[edit]
root@firewall#

테스트를 위해서 10분을 기다립니다. 10분 안에 commit이 없으면 host-name은 이전 설정값은 srx로 변경됩니다.

10분안에 commit을 하지 않았기 때문에 설정값이 이전으로 rollback 되었음

Broadcast Message from root@srx
        (no tty) at 10:25 UTC...

Commit was not confirmed; automatic rollback complete.

[edit]
root@srx#

이번에는 테스트를 위해서 commit confirmed 1으로 하고 1분 안에 commit를 수행합니다.

1분이 지나도 설정값이 rollback 되지 않습니다.

root@srx# set system host-name firewall

[edit]
root@srx# commit confirmed 1
commit confirmed will be automatically rolled back in 1 minutes unless confirmed
commit complete

# commit confirmed will be rolled back in 1 minute
[edit]
root@firewall# commit
commit complete

[edit]
root@firewall#

commit at를 테스트해 보겠습니다

12:00:00에 commit를 수행합니다.

[edit]
root@firewall# set system host-name srxsrx

root@firewall# commit at 12:00:00
configuration check succeeds
commit at will be executed at 2024-06-23 12:00:00 UTC
The configuration has been changed but not committed
Exiting configuration mode

root@firewall>

이번에는 Rollback에 대해서 알아보겠습니다.

설정값 원복(rollback)

설정값을 기존 설정값으로 원복수행(rollback 후 반드시 commit를 수행해야 완료됨)

설정값을 commit 할 때마다 rollback이 생성됩니다.

rollback 0 - 마지막 commit이후 변경한 설정값을 초기화

rollback 1 - 마지막 commit이전 설정값을 원복

rollback 2 - 2번째 전 commit이전 설정값으로 원복

commit 할 때마다 rollback으로 생성되는데 그 시점을 알고 싶을 때 확인 명령어

Possible completions:
  <revision>           Rollback to given configuration revision
  re0-1719138399-8     2024-06-23 10:26:40 UTC by root via cli
  re0-1719138393-7     2024-06-23 10:26:36 UTC by root via cli commit confirmed, rollback in 1mins
  re0-1719138344-6     2024-06-23 10:25:47 UTC by root via other
  re0-1719137740-5     2024-06-23 10:15:43 UTC by root via cli commit confirmed, rollback in 10mins
  re0-1719137710-4     2024-06-23 10:15:13 UTC by root via cli
  re0-1719137288-3     2024-06-23 10:08:11 UTC by root via cli
  re0-1719136430-2     2024-06-23 09:54:02 UTC by root via cli
  re0-1719135583-1     2024-06-23 09:41:04 UTC by root via other
[edit]
root@firewall# rollback revision

rollback에 어떤 명령어가 포함되었는지 확인하는 방법

commit at 명령어가 포함되었습니다.

root@firewall# show | compare rollback 0
[edit system]
-  host-name firewall;
+  host-name srxsrx;

[edit]
root@firewall#

테스트를 해보겠습니다

interface ge-0/0/0 ip 삭제합니다.

root@firewall# delete interfaces ge-0/0/0

[edit]
root@firewall# commit
commit complete

[edit]
root@firewall# exit
Exiting configuration mode

root@firewall>

root@firewall> show interfaces terse | match ge-0/0
ge-0/0/0                up    up
ge-0/0/1                up    up
ge-0/0/2                up    up

현재 설정값이랑 commit전에 설정값 비교

root@firewall# show | compare rollback 1
[edit]
-  interfaces {
-      ge-0/0/0 {
-          unit 0 {
-              family inet {
-                  address 192.168.1.1/24;
-              }
-          }
-      }
-  }

Rollback후 interface ge-0/0/0 ip주소 확인

root@firewall# rollback 1
load complete

[edit]
root@firewall# commit
commit complete

[edit]
root@firewall# run show interfaces terse | match ge-0/0
ge-0/0/0                up    up
ge-0/0/0.0              up    up   inet     192.168.1.1/24
ge-0/0/1                up    up
ge-0/0/2                up    up

[edit]
root@firewall#

rollback 0에 의미

추가설정 없이 show | compare rollback 0 아무것도 없음

현재 설정이랑 rollback 0 설정값이 똑같음

root@firewall# show | compare rollback 0

[edit]

호스트 이름 변경 하지만 commit 하지 않음

host-name srx변경했지만 commit 하지 않았음

현재 condidate-configuration은 hostname srx로 보이고

현재 active-configuration(rollback 0) hostname firewall이기 때문에

다른 부분을 아래에 표시해 줌.

설정을 잘못해서 commit 하기 싫을 때 rollback 0를 누릅니다.

또는 delete system host-name 사용해도 되지만, 명령어가 20줄이라면 rollback 0로 삭제하는 것이 편리합니다.

root@firewall# set system host-name srx

root@firewall# show | compare rollback 0
[edit system]
- host-name firewall;
+ host-name srx;

[edit]
root@firewall#

rollback 숫자 없음 의미는 rollback 0를 의미

rollback 0은 commit이 필요 없음,

이제 condidate-configuration이랑 active-configuration이랑 똑같아서 아래에 show | compare rollback 0를 입력하면

아무것도 없음

root@firewall# rollback
load complete

[edit]
root@firewall# show | compare rollback 0

[edit]
root@firewall#

지금까지 [2024][Juniper SRX #15] commit and rollback 글을 읽어주셔서 감사합니다.

저작자표시 (새창열림)

'JUNIPER > SRX 방화벽' 카테고리의 다른 글

[2024][Juniper SRX #17] Firmware Upgrade path (0)	2025.01.07
[2024][Juniper SRX #16] password recovery (0)	2024.07.28
[2024][Juniper SRX #14] firewall policy 순서 변경 (0)	2024.07.26
[2024][Juniper SRX #13] firewall policy (0)	2024.07.25
[2024][Juniper SRX #12] application and application-set (2)	2024.07.24

안녕하세요.

이번에는 [2024][Juniper SRX #14] firewall policy 순서 변경입니다.

방화벽 정책이 여러 개가 있으면 항상 맨 위에서부터 아래로 정책 허용/차단을 확인합니다.

그래서 방화벽 정책 순서는 매우 중요합니다.

추가적으로 방화벽 정책을 변경하지 않으면 새로운 방화벽 정책은 맨 아래에 추가됩니다.

우선 테스트를 하면서 자세히 설명하도록 하겠습니다.

*** 중요 ***

1. Juniper SRX stateful 방화벽입니다

나가는 Traffic을 허용하는 방화벽 정책이 있으면 Return 되는 Traffic은 자동으로 허용됩니다.

자세한 내용은 나중에 다른 강좌에서 설명하겠습니다.

2. 방화벽이 정책이 여러 개가 있다면 맨 위에서부터 아래로 차근차근 방화벽 정책을 확인합니다.

3. 맨 아래 deny 정책이 없어도 default로 모든 traffic은 차단됩니다. - 즉 default deny all이라는 정책이 있습니다.

4. 방화벽 정책을 만들 때에는,

4-1 match

4-1-1 source-ip

4-1-2 destination-ip

4-1-3 destination application

위에 조건문을 입력하고 어떻게 처리할 것인지 정의 ㅎ합니다

4-2 action

4-2-1 permit - 허용

4-2-2 reject - 차단

4-2-3 log - 로그 생성 - 꼭 하위옵션 session-init/close 명령어를 추가로 입력해야 합니다.

4-2-3-1 session-init - 세션이 시작될 때 로그 생성

4-2-3-2 session-close - 세션이 종료될 때 로그 생성

4-2-4 count - 해당조건 트래픽 누적 치 사용량 정보 제공

permit, log, count를 동시에 설정 가능 합니다.

토폴로지는 아래와 같습니다.

SRX

ge-0/0/0 - dhcp - untrust

ge-0/0/1 - 192.168.1.1/24 - trust

ge-0/0/2 - 172.16.1.1/24 - dmz

SW01

gi0/0 - 192.168.1.2/24

SW02

gi0/0 - 172.16.1.2/24

그리고 아래 서비스를 enable 합니다.

http

https

telnet

ssh

방화벽 정책 1)

192.168.1.2 -> 172.16.1.2 http 허용

방화벽 정책 2)

192.168.1.2 -> 172.16.1.2 https 허용

방화벽 정책 3)

192.168.1.2 -> 172.16.1.2 ssh 허용

기존 방화벽 설정값 삭제

root# delete
This will delete the entire configuration
Delete everything under this level? [yes,no] (no) yes

[edit]
root# set system root-authentication plain-text-password
New password:
Retype new password:

[edit]
root# commit
commit complete

2. Inteface에 IP주소를 설정합니다.

root# set interfaces ge-0/0/0 unit 0 family inet dhcp

[edit]
root# set interfaces ge-0/0/1 unit 0 family inet address 192.168.1.1/24

[edit]
root# set interfaces ge-0/0/2 unit 0 family inet address 172.16.1.1/24

[edit]
root# commit

그리고 Interface에 IP주소를 확인합니다.

root# set security zones security-zone unturst
root# set security zones security-zone untrust interfaces ge-0/0/0

root# set security zones security-zone trust
root# set security zones security-zone trust interfaces ge-0/0/1

root# set security zones security-zone dmz
root# set security zones security-zone dmz interfaces ge-0/0/2

root# commit
commit complete

root> show security zones terse
Zone                        Type
dmz                         Security
trust                       Security
untrust                     Security
junos-host                  Security

root> show interfaces zone terse
Interface               Admin Link Proto    Local                 Remote                Zone
ge-0/0/0.0              up    up   inet     192.168.10.105/24
                                                                                        untrust
sp-0/0/0.0              up    up   inet
                                   inet6                                                Null
sp-0/0/0.16383          up    up   inet                                                 Null
ge-0/0/1.0              up    up   inet     192.168.1.1/24
                                                                                        trust
ge-0/0/2.0              up    up   inet     172.16.1.1/24
                                                                                        dmz
lo0.16384               up    up   inet     127.0.0.1           --> 0/0
                                                                                        Null
lo0.16385               up    up   inet     10.0.0.1            --> 0/0
                                            10.0.0.16           --> 0/0
                                            128.0.0.1           --> 0/0
                                            128.0.0.4           --> 0/0
                                            128.0.1.16          --> 0/0
                                                                                        Null
lo0.32768               up    up                                                        Null

root>

Interface에 IP주소를 확인합니다.

저희가 ge-0/0/0 dhcp 설정하였으나 IP주소가 없습니다.

그 이유는 Juniper SRX은 ge-0/0/0 dhcp 기능을 허용해 주어야지 IP주소를 DHCP에서 받아 올 수 있습니다.

root> show interfaces terse
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
ge-0/0/0.0              up    up   inet
gr-0/0/0                up    up
ip-0/0/0                up    up
lsq-0/0/0               up    up
lt-0/0/0                up    up
mt-0/0/0                up    up
sp-0/0/0                up    up
sp-0/0/0.0              up    up   inet
                                   inet6
sp-0/0/0.16383          up    up   inet
ge-0/0/1                up    up
ge-0/0/1.0              up    up   inet     192.168.1.1/24
ge-0/0/2                up    up
ge-0/0/2.0              up    up   inet     172.16.1.1/24
dsc                     up    up
fti0                    up    up
fxp0                    up    up
gre                     up    up
ipip                    up    up
irb                     up    up
lo0                     up    up

ge-0/0/0 dhcp 기능받아오기 위해서 zone에 system-services에서 dhcp기능 그리고 ping테스트를 위해서 ping를 허용합니다.

set security zones security-zone untrust host-inbound-traffic system-services dhcp
set security zones security-zone untrust host-inbound-traffic system-services ping

그리고 show interface terse을 이용해서 ge-0/0/0 IP주소를 확인합니다.

DHCP로부터 192.168.10.105/24 IP주소를 받았습니다.

root> show interfaces terse
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
ge-0/0/0.0              up    up   inet     192.168.10.105/24
gr-0/0/0                up    up
ip-0/0/0                up    up
lsq-0/0/0               up    up
lt-0/0/0                up    up
mt-0/0/0                up    up
sp-0/0/0                up    up
sp-0/0/0.0              up    up   inet
                                   inet6
sp-0/0/0.16383          up    up   inet
ge-0/0/1                up    up
ge-0/0/1.0              up    up   inet     192.168.1.1/24
ge-0/0/2                up    up
ge-0/0/2.0              up    up   inet     172.16.1.1/24
dsc                     up    up
fti0                    up    up
fxp0                    up    up
gre                     up    up
ipip                    up    up
irb                     up    up
lo0                     up    up
lo0.16384               up    up   inet     127.0.0.1           --> 0/0
lo0.16385               up    up   inet     10.0.0.1            --> 0/0
                                            10.0.0.16           --> 0/0
                                            128.0.0.1           --> 0/0
                                            128.0.0.4           --> 0/0
                                            128.0.1.16          --> 0/0
lo0.32768               up    up
lsi                     up    up
mtun                    up    up
pimd                    up    up
pime                    up    up
pp0                     up    up
ppd0                    up    up
ppe0                    up    up
st0                     up    up
tap                     up    up
vlan                    up    down

root>

ge-0/0/1 그리고 ge-0/0/2 ping도 허용해 줍니다.

set security zones security-zone trust host-inbound-traffic system-services ping
set security zones security-zone dmz host-inbound-traffic system-services ping

그리고 SW01 - Gi0/0 192.168.1.2/24 설정하고 SRX ge-0/0/1 192.168.1.1 ping를 시도합니다.

Switch>
Switch>en
Switch#conf t
Switch(config)#ho SW01
SW01(config)#int gigabitEthernet 0/0
SW01(config-if)#no switchport
SW01(config-if)#ip add 192.168.1.2 255.255.255.0
SW01(config-if)#no sh
SW01(config-if)#end
SW01#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 2/40/155 ms
SW01#

그리고 Default Gatway 설정

SW01(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.1
SW01(config)#end
SW01#

SW01#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is 192.168.1.1 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 192.168.1.1
      192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.1.0/24 is directly connected, GigabitEthernet0/0
L        192.168.1.2/32 is directly connected, GigabitEthernet0/0
SW01#

SW02 - Gi0/0 172.16.1.2/24 설정하고 SRX ge-0/0/2 172.16.1.1 ping를 시도합니다.

Switch>en
Switch#conf t
Switch(config)#ho SW02
SW02(config)#int gigabitEthernet 0/0
SW02(config-if)#no sw
SW02(config-if)#ip add 172.16.1.2 255.255.255.0
SW02(config-if)#no shutdown
SW02(config-if)#end
SW02#
SW02#ping 172.16.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/2 ms
SW02#

그리고 Default Gateway 설정

SW02(config)#ip route 0.0.0.0 0.0.0.0 172.16.1.1
SW02(config)#
SW02#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is 172.16.1.1 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 172.16.1.1
      172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C        172.16.1.0/24 is directly connected, GigabitEthernet0/0
L        172.16.1.2/32 is directly connected, GigabitEthernet0/0
SW02#

SW02에 http, https, telnet 그리고 ssh서비스를 Enable 합니다.

SW02#conf t
SW02(config)#ip http server
SW02(config)#ip http secure-server
% Generating 1024 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 1 seconds)
Failed to generate persistent self-signed certificate.
    Secure server will use temporary self-signed certificate.

SW02(config)#ip domain-name cisco
SW02(config)#crypto key generate rsa
The name for the keys will be: SW02.cisco
Choose the size of the key modulus in the range of 360 to 4096 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]:
% Generating 512 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 0 seconds)

SW02(config)#username cisco privilege 15 password cisco
SW02(config)#line vty 0 15
SW02(config-line)#login local
SW02(config-line)#transport input all
SW02(config-line)#

Juniper SRX에서 방화벽 정책을 생성하겠습니다.

방화벽 정책 1)

192.168.1.2 -> 172.16.1.2 http 허용

방화벽 정책 2)

192.168.1.2 -> 172.16.1.2 https 허용

방화벽 정책 3)

192.168.1.2 -> 172.16.1.2 ssh 허용

Address-book이랑 application 정

set security address-book global address H-192.168.1.2/32 192.168.1.2/32
set security address-book global address H-172.16.1.2/32 172.16.1.2/32

set applications application T-443 protocol tcp
set applications application T-443 source-port 0-65535
set applications application T-443 destination-port 443
set applications application T-443 inactivity-timeout 20

set applications application T-80 protocol tcp
set applications application T-80 source-port 0-65535
set applications application T-80 destination-port 80
set applications application T-80 inactivity-timeout 20

set applications application T-22 protocol tcp
set applications application T-22 source-port 0-65535
set applications application T-22 destination-port 22
set applications application T-22 inactivity-timeout 20

정책 생성

set security policies from-zone trust to-zone dmz policy trust-to-dmz-http match source-address H-192.168.1.2/32
set security policies from-zone trust to-zone dmz policy trust-to-dmz-http match destination-address H-172.16.1.2/32
set security policies from-zone trust to-zone dmz policy trust-to-dmz-http match application T-80
set security policies from-zone trust to-zone dmz policy trust-to-dmz-http then permit
set security policies from-zone trust to-zone dmz policy trust-to-dmz-http then log session-init
set security policies from-zone trust to-zone dmz policy trust-to-dmz-http then count

set security policies from-zone trust to-zone dmz policy trust-to-dmz-https match source-address H-192.168.1.2/32
set security policies from-zone trust to-zone dmz policy trust-to-dmz-https match destination-address H-172.16.1.2/32
set security policies from-zone trust to-zone dmz policy trust-to-dmz-https match application T-443
set security policies from-zone trust to-zone dmz policy trust-to-dmz-https then permit
set security policies from-zone trust to-zone dmz policy trust-to-dmz-https then log session-init
set security policies from-zone trust to-zone dmz policy trust-to-dmz-https then count

set security policies from-zone trust to-zone dmz policy trust-to-dmz-ssh match source-address H-192.168.1.2/32
set security policies from-zone trust to-zone dmz policy trust-to-dmz-ssh match destination-address H-172.16.1.2/32
set security policies from-zone trust to-zone dmz policy trust-to-dmz-ssh match application T-22
set security policies from-zone trust to-zone dmz policy trust-to-dmz-ssh then permit
set security policies from-zone trust to-zone dmz policy trust-to-dmz-ssh then log session-init
set security policies from-zone trust to-zone dmz policy trust-to-dmz-ssh then count

Firewall 정책 순서 확인

root> show configuration security policies from-zone trust to-zone dmz | display set | no-more

set security policies from-zone trust to-zone dmz policy trust-to-dmz-http match source-address H-192.168.1.2/32
set security policies from-zone trust to-zone dmz policy trust-to-dmz-http match destination-address H-172.16.1.2/32
set security policies from-zone trust to-zone dmz policy trust-to-dmz-http match application T-80
set security policies from-zone trust to-zone dmz policy trust-to-dmz-http then permit
set security policies from-zone trust to-zone dmz policy trust-to-dmz-http then log session-init
set security policies from-zone trust to-zone dmz policy trust-to-dmz-http then count
set security policies from-zone trust to-zone dmz policy trust-to-dmz-https match source-address H-192.168.1.2/32
set security policies from-zone trust to-zone dmz policy trust-to-dmz-https match destination-address H-172.16.1.2/32
set security policies from-zone trust to-zone dmz policy trust-to-dmz-https match application T-443
set security policies from-zone trust to-zone dmz policy trust-to-dmz-https then permit
set security policies from-zone trust to-zone dmz policy trust-to-dmz-https then log session-init
set security policies from-zone trust to-zone dmz policy trust-to-dmz-https then count
set security policies from-zone trust to-zone dmz policy trust-to-dmz-ssh match source-address H-192.168.1.2/32
set security policies from-zone trust to-zone dmz policy trust-to-dmz-ssh match destination-address H-172.16.1.2/32
set security policies from-zone trust to-zone dmz policy trust-to-dmz-ssh match application T-22
set security policies from-zone trust to-zone dmz policy trust-to-dmz-ssh then permit
set security policies from-zone trust to-zone dmz policy trust-to-dmz-ssh then log session-init
set security policies from-zone trust to-zone dmz policy trust-to-dmz-ssh then count

방화벽 정책 순서 확인 하는 방법

순서는 방화벽 정책을 생성한 순서입니다.

그리고 default 정책은 deny-all인데 순서는 안 보이지만 default policy:에 보시면 deny-all이라고 표시됩니다.

위에서부터 아래까지 방화벽 정책을 확인 후 아무것도 match 되지 않으면 default policy 즉 deny-all이 적용됩니다.

root> show security policies
Default policy: deny-all
Default policy log Profile ID: 0
Pre ID default policy: permit-all
From zone: trust, To zone: dmz
  Policy: trust-to-dmz-http, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: H-192.168.1.2/32
    Destination addresses: H-172.16.1.2/32
    Applications: T-80
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit, log, count
  Policy: trust-to-dmz-https, State: enabled, Index: 6, Scope Policy: 0, Sequence number: 2, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: H-192.168.1.2/32
    Destination addresses: H-172.16.1.2/32
    Applications: T-443
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit, log, count
  Policy: trust-to-dmz-ssh, State: enabled, Index: 7, Scope Policy: 0, Sequence number: 3, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: H-192.168.1.2/32
    Destination addresses: H-172.16.1.2/32
    Applications: T-22
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit, log, count

SW01에서 SW02로 테스트해 보겠습니다.

192.168.1.2 -> 172.16.1.2 http - 성공

192.168.1.2 -> 172.16.1.2 https - 성공

192.168.1.2 -> 172.16.1.2 ssh - 성공

192.168.1.2 -> 172.16.1.2 telnet - 실패 방화벽 정책이 없어서 default policy - deny-all 적

SW01#telnet 172.16.1.2 80
Trying 172.16.1.2, 80 ... Open
^C
HTTP/1.1 400 Bad Request
Date: Sun, 23 Jun 2024 09:04:47 GMT
Server: cisco-IOS
Accept-Ranges: none

400 Bad Request
[Connection to 172.16.1.2 closed by foreign host]
SW01#telnet 172.16.1.2 443
Trying 172.16.1.2, 443 ... Open
^C
^C
[Connection to 172.16.1.2 closed by foreign host]
SW01#ssh -l cisco 172.16.1.2

**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************
Password:

**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************
SW02#exit

[Connection to 172.16.1.2 closed by foreign host]
SW01#
SW01#telnet 172.16.1.2
Trying 172.16.1.2 ...
% Connection timed out; remote host not responding

hit-count 확인 - 여기에서 index번호는 방화벽 순서를 나타내지 않습니다. 주의 바랍니다.

root> show security policies hit-count
Logical system: root-logical-system
Index   From zone        To zone           Name           Policy count  Action
1       trust            dmz               trust-to-dmz-ssh 1           Permit
2       trust            dmz               trust-to-dmz-http 1          Permit
3       trust            dmz               trust-to-dmz-https 1         Permit

방화벽 순서 확인 하기 위해서 deny-any 정책을 생성하겠습니다. 가시성 있게 deny-all 정책을 만들고 count랑 log를 생성하게 설정하겠습니다.

set security policies from-zone trust to-zone dmz policy trust-to-dmz-deny-all match source-address any
set security policies from-zone trust to-zone dmz policy trust-to-dmz-deny-all match destination-address any
set security policies from-zone trust to-zone dmz policy trust-to-dmz-deny-all match application any
set security policies from-zone trust to-zone dmz policy trust-to-dmz-deny-all then deny
set security policies from-zone trust to-zone dmz policy trust-to-dmz-deny-all then log session-init
set security policies from-zone trust to-zone dmz policy trust-to-dmz-deny-all then count

방화벽 정책 순서 확인- 특정 명령어 없이 방화벽 정책을 생성하면 맨 아래에 생성됩니다.

root> show security policies
Default policy: deny-all
Default policy log Profile ID: 0
Pre ID default policy: permit-all
From zone: trust, To zone: dmz
  Policy: trust-to-dmz-http, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: H-192.168.1.2/32
    Destination addresses: H-172.16.1.2/32
    Applications: T-80
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit, log, count
  Policy: trust-to-dmz-https, State: enabled, Index: 6, Scope Policy: 0, Sequence number: 2, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: H-192.168.1.2/32
    Destination addresses: H-172.16.1.2/32
    Applications: T-443
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit, log, count
  Policy: trust-to-dmz-ssh, State: enabled, Index: 7, Scope Policy: 0, Sequence number: 3, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: H-192.168.1.2/32
    Destination addresses: H-172.16.1.2/32
    Applications: T-22
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit, log, count
  Policy: trust-to-dmz-deny-all, State: enabled, Index: 8, Scope Policy: 0, Sequence number: 4, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: any
    Destination addresses: any
    Applications: any
    Source identity feeds: any
    Destination identity feeds: any
    Action: deny, log, count

root>

이 상태에서 추가적으로 다른 방화벽 정책을 생성하게 되면 Deny 밑에 방화벽 정책이 생성 되게 됩니다.

우선 테스트를 위해서 192.168.1.2 -> 172.16.1.2 telnet를 허용하는 방화벽 정책을 생성하겠습니다.

set applications application T-22 protocol tcp
set applications application T-22 source-port 0-65535
set applications application T-22 destination-port 22
set applications application T-22 inactivity-timeout 20

set security policies from-zone trust to-zone dmz policy trust-to-dmz-telnet match source-address H-192.168.1.2/32
set security policies from-zone trust to-zone dmz policy trust-to-dmz-telnet match destination-address H-172.16.1.2/32
set security policies from-zone trust to-zone dmz policy trust-to-dmz-telnet match application T-23
set security policies from-zone trust to-zone dmz policy trust-to-dmz-telnet then permit
set security policies from-zone trust to-zone dmz policy trust-to-dmz-telnet then log session-init
set security policies from-zone trust to-zone dmz policy trust-to-dmz-telnet then count

commit

telnet 허용 정책이 deny-any 정책 밑에 생성되었습니다.

root> show security policies
Default policy: deny-all
Default policy log Profile ID: 0
Pre ID default policy: permit-all
From zone: trust, To zone: dmz
  Policy: trust-to-dmz-http, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: H-192.168.1.2/32
    Destination addresses: H-172.16.1.2/32
    Applications: T-80
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit, log, count
  Policy: trust-to-dmz-https, State: enabled, Index: 6, Scope Policy: 0, Sequence number: 2, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: H-192.168.1.2/32
    Destination addresses: H-172.16.1.2/32
    Applications: T-443
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit, log, count
  Policy: trust-to-dmz-ssh, State: enabled, Index: 7, Scope Policy: 0, Sequence number: 3, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: H-192.168.1.2/32
    Destination addresses: H-172.16.1.2/32
    Applications: T-22
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit, log, count
  Policy: trust-to-dmz-deny-all, State: enabled, Index: 8, Scope Policy: 0, Sequence number: 4, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: any
    Destination addresses: any
    Applications: any
    Source identity feeds: any
    Destination identity feeds: any
    Action: deny, log, count
  Policy: trust-to-dmz-telnet, State: enabled, Index: 9, Scope Policy: 0, Sequence number: 5, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: H-192.168.1.2/32
    Destination addresses: H-172.16.1.2/32
    Applications: T-23
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit, log, count

root>

SW01에서 SW02 telnet 시도 - 실패했습니다.

이유는 Deny-all이 telnet 허용 정책보다 위에 있기 때문입니다.

SW01#telnet 172.16.1.2
Trying 172.16.1.2 ...
% Connection timed out; remote host not responding

SW01#

deny-all 정책에 telnet 트래픽이 차단되어서 count가 증가하였습니다.

root> show security policies hit-count
Logical system: root-logical-system
Index   From zone        To zone           Name           Policy count  Action
1       trust            dmz               trust-to-dmz-https 1         Permit
2       trust            dmz               trust-to-dmz-telnet 0        Permit
3       trust            dmz               trust-to-dmz-deny-all 4      Deny
4       trust            dmz               trust-to-dmz-ssh 1           Permit
5       trust            dmz               trust-to-dmz-http 1          Permit
6       dmz              trust             trsut-to-dmz   8             Permit

Number of policy: 6

trust-to-dmz-telnet 정책을 trust-to-dmz-deny-all 보다 위에 생성하게 설정해 보겠습니다.

delete security policies from-zone trust to-zone dmz policy trust-to-dmz-telnet
commit

set security policies from-zone trust to-zone dmz policy trust-to-dmz-telnet match source-address H-192.168.1.2/32
set security policies from-zone trust to-zone dmz policy trust-to-dmz-telnet match destination-address H-172.16.1.2/32
set security policies from-zone trust to-zone dmz policy trust-to-dmz-telnet match application T-23
set security policies from-zone trust to-zone dmz policy trust-to-dmz-telnet then permit
set security policies from-zone trust to-zone dmz policy trust-to-dmz-telnet then log session-init
set security policies from-zone trust to-zone dmz policy trust-to-dmz-telnet then count

after - 특정 정책 다음에 새로운 방화벽 정책을 생성합니다.

before - 특정 정책 이전에 새로운 방화벽 정책을 생성합니다.

trust-to-dmz-deny-all 이전에 생성해 보겠습니다.

insert security policies from-zone trust to-zone dmz policy trust-to-dmz-telnet ?
Possible completions:
  after                Insert after given data element
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
  before               Insert before given data element
> match                Specify security policy match-criteria
> then                 Specify policy action to take when packet match criteria

insert security policies from-zone trust to-zone dmz policy trust-to-dmz-telnet before policy trust-to-dmz-deny-all

commit

방화벽 정책 순서 확인

Deny-all 정책 이전에 telnet허용 정책이 생성되었습니다.

root> show security policies
Default policy: deny-all
Default policy log Profile ID: 0
Pre ID default policy: permit-all
From zone: trust, To zone: dmz
  Policy: trust-to-dmz-http, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: H-192.168.1.2/32
    Destination addresses: H-172.16.1.2/32
    Applications: T-80
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit, log, count
  Policy: trust-to-dmz-https, State: enabled, Index: 6, Scope Policy: 0, Sequence number: 2, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: H-192.168.1.2/32
    Destination addresses: H-172.16.1.2/32
    Applications: T-443
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit, log, count
  Policy: trust-to-dmz-ssh, State: enabled, Index: 7, Scope Policy: 0, Sequence number: 3, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: H-192.168.1.2/32
    Destination addresses: H-172.16.1.2/32
    Applications: T-22
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit, log, count
  Policy: trust-to-dmz-telnet, State: enabled, Index: 9, Scope Policy: 0, Sequence number: 4, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: H-192.168.1.2/32
    Destination addresses: H-172.16.1.2/32
    Applications: T-23
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit, log, count
  Policy: trust-to-dmz-deny-all, State: enabled, Index: 8, Scope Policy: 0, Sequence number: 5, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: any
    Destination addresses: any
    Applications: any
    Source identity feeds: any
    Destination identity feeds: any
    Action: deny, log, count

root>

또는 insert security policies from-zone trust to-zone dmz policy trust-to-dmz-telnet after policy trust-to-dmz-ssh

이렇게 사용해도 똑같은 의미를 가집니다.

이번에는 기존에 있는 firewall rule 순서를 변경해 보겠습니다. trust-to-dmz-telnet 정책을 trust-to-dmz-http 밑으로 이동해 보겠습니다.

기존에 있는 방화벽 정책을 삭제 후 새로 생성하고 insert명령어로 이용해서 수정해도 됩니다.

하지만 기존 방화벽 정책을 삭제하지 않고 insert명령어로 곧바로 방화벽 정책 순서를 변경할 수 있습니다.

insert security policies from-zone trust to-zone dmz policy trust-to-dmz-telnet after policy trust-to-dmz-http
commit

방화벽 정책 순서 확인 아래 빨간색 보시면 telnet 정책이 이동되었습니다.

root> show security policies
Default policy: deny-all
Default policy log Profile ID: 0
Pre ID default policy: permit-all
From zone: trust, To zone: dmz
  Policy: trust-to-dmz-http, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: H-192.168.1.2/32
    Destination addresses: H-172.16.1.2/32
    Applications: T-80
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit, log, count
  Policy: trust-to-dmz-telnet, State: enabled, Index: 9, Scope Policy: 0, Sequence number: 2, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: H-192.168.1.2/32
    Destination addresses: H-172.16.1.2/32
    Applications: T-23
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit, log, count
  Policy: trust-to-dmz-https, State: enabled, Index: 6, Scope Policy: 0, Sequence number: 3, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: H-192.168.1.2/32
    Destination addresses: H-172.16.1.2/32
    Applications: T-443
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit, log, count
  Policy: trust-to-dmz-ssh, State: enabled, Index: 7, Scope Policy: 0, Sequence number: 4, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: H-192.168.1.2/32
    Destination addresses: H-172.16.1.2/32
    Applications: T-22
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit, log, count
  Policy: trust-to-dmz-deny-all, State: enabled, Index: 8, Scope Policy: 0, Sequence number: 5, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: any
    Destination addresses: any
    Applications: any
    Source identity feeds: any
    Destination identity feeds: any
    Action: deny, log, count

지금까지 [2024][Juniper SRX #14] firewall policy 순서 변경 글을 읽어주셔서 감사합니다.

저작자표시 (새창열림)

'JUNIPER > SRX 방화벽' 카테고리의 다른 글

[2024][Juniper SRX #16] password recovery (0)	2024.07.28
[2024][Juniper SRX #15] commit and rollback (1)	2024.07.27
[2024][Juniper SRX #13] firewall policy (0)	2024.07.25
[2024][Juniper SRX #12] application and application-set (2)	2024.07.24
[2024][Juniper SRX #10] Administrator access restriction settings for MGMT (0)	2024.07.22

안녕하세요.

이번에는 [2024][Juniper SRX #13] firewall policy입니다.

토폴로지는 아래와 같습니다.

SRX

ge-0/0/0 - dhcp - untrust

ge-0/0/1 - 192.168.1.1/24 - trust

ge-0/0/2 - 172.16.1.1/24 - dmz

SW01

gi0/0 - 192.168.1.2/24

그리고 아래 서비스를 enable 합니다.

http

https

telnet

ssh

SW02

gi0/0 - 172.16.1.2/24

그리고 아래 서비스를 enable합니다.

http

https

telnet

ssh

*** 중요 ***

1. Juniper SRX stateful 방화벽입니다

나가는 Traffic을 허용하는 방화벽 정책이 있으면 Return되는 Traffic은 자동으로 허용됩니다.

자세한 내용은 나중에 다른 강좌에서 설명 하겠습니다.

2. 방화벽이 정책이 여러개가 있다면 맨 위에서부터 아래로 차근차근 방화벽 정책을 확인합니다.

3. 맨 아래 deny 정책이 없어도 default로 모든 traffic은 차단됩니다. - 즉 default deny all이라는 정책이 있습니다.

4. 방화벽 정책을 만들 때에는,

4-1 match

4-1-1 source-ip

4-1-2 destination-ip

4-1-3 destination application

위에 조건문을 입력하고 어떻게 처리할 것인지 정의 ㅎ합니다

4-2 action

4-2-1 permit - 허용

4-2-2 reject - 차단

4-2-3 log - 로그 생성 - 꼭 하위옵션 session-init/close 명령어를 추가로 입력해야 합니다.

4-2-3-1 session-init - 세션이 시작될 때 로그 생성

4-2-3-2 session-close - 세션이 종료될 때 로그 생성

4-2-4 count - 해당조건 트래픽 누적 치 사용량 정보 제공

permit, log, count를 동시에 설정 가능 합니다.

SRX side

1. 기존 설정값을 다 삭제합니다.

root# delete
This will delete the entire configuration
Delete everything under this level? [yes,no] (no) yes

[edit]
root# set system root-authentication plain-text-password
New password:
Retype new password:

[edit]
root# commit
commit complete

2. Inteface에 IP주소를 설정합니다.

root# set interfaces ge-0/0/0 unit 0 family inet dhcp

[edit]
root# set interfaces ge-0/0/1 unit 0 family inet address 192.168.1.1/24

[edit]
root# set interfaces ge-0/0/2 unit 0 family inet address 172.16.1.1/24

[edit]
root# commit

그리고 Interface에 IP주소를 확인합니다.

root# set security zones security-zone unturst
root# set security zones security-zone untrust interfaces ge-0/0/0

root# set security zones security-zone trust
root# set security zones security-zone trust interfaces ge-0/0/1

root# set security zones security-zone dmz
root# set security zones security-zone dmz interfaces ge-0/0/2

root# commit
commit complete

root> show security zones terse
Zone                        Type
dmz                         Security
trust                       Security
untrust                     Security
junos-host                  Security

root> show interfaces zone terse
Interface               Admin Link Proto    Local                 Remote                Zone
ge-0/0/0.0              up    up   inet     192.168.10.105/24
                                                                                        untrust
sp-0/0/0.0              up    up   inet
                                   inet6                                                Null
sp-0/0/0.16383          up    up   inet                                                 Null
ge-0/0/1.0              up    up   inet     192.168.1.1/24
                                                                                        trust
ge-0/0/2.0              up    up   inet     172.16.1.1/24
                                                                                        dmz
lo0.16384               up    up   inet     127.0.0.1           --> 0/0
                                                                                        Null
lo0.16385               up    up   inet     10.0.0.1            --> 0/0
                                            10.0.0.16           --> 0/0
                                            128.0.0.1           --> 0/0
                                            128.0.0.4           --> 0/0
                                            128.0.1.16          --> 0/0
                                                                                        Null
lo0.32768               up    up                                                        Null

root>

Interface에 IP주소를 확인합니다.

저희가 ge-0/0/0 dhcp 설정하였으나 IP주소가 없습니다.

그 이유는 Juniper SRX은 ge-0/0/0 dhcp 기능을 허용해 주어야지 IP주소를 DHCP에서 받아 올 수 있습니다.

root> show interfaces terse
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
ge-0/0/0.0              up    up   inet
gr-0/0/0                up    up
ip-0/0/0                up    up
lsq-0/0/0               up    up
lt-0/0/0                up    up
mt-0/0/0                up    up
sp-0/0/0                up    up
sp-0/0/0.0              up    up   inet
                                   inet6
sp-0/0/0.16383          up    up   inet
ge-0/0/1                up    up
ge-0/0/1.0              up    up   inet     192.168.1.1/24
ge-0/0/2                up    up
ge-0/0/2.0              up    up   inet     172.16.1.1/24
dsc                     up    up
fti0                    up    up
fxp0                    up    up
gre                     up    up
ipip                    up    up
irb                     up    up
lo0                     up    up

ge-0/0/0 dhcp 기능받아오기 위해서 zone에 system-services에서 dhcp기능 그리고 ping테스트를 위해서 ping를 허용합니다.

set security zones security-zone untrust host-inbound-traffic system-services dhcp
set security zones security-zone untrust host-inbound-traffic system-services ping

그리고 show interface terse을 이용해서 ge-0/0/0 IP주소를 확인합니다.

DHCP로부터 192.168.10.105/24 IP주소를 받았습니다.

root> show interfaces terse
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
ge-0/0/0.0              up    up   inet     192.168.10.105/24
gr-0/0/0                up    up
ip-0/0/0                up    up
lsq-0/0/0               up    up
lt-0/0/0                up    up
mt-0/0/0                up    up
sp-0/0/0                up    up
sp-0/0/0.0              up    up   inet
                                   inet6
sp-0/0/0.16383          up    up   inet
ge-0/0/1                up    up
ge-0/0/1.0              up    up   inet     192.168.1.1/24
ge-0/0/2                up    up
ge-0/0/2.0              up    up   inet     172.16.1.1/24
dsc                     up    up
fti0                    up    up
fxp0                    up    up
gre                     up    up
ipip                    up    up
irb                     up    up
lo0                     up    up
lo0.16384               up    up   inet     127.0.0.1           --> 0/0
lo0.16385               up    up   inet     10.0.0.1            --> 0/0
                                            10.0.0.16           --> 0/0
                                            128.0.0.1           --> 0/0
                                            128.0.0.4           --> 0/0
                                            128.0.1.16          --> 0/0
lo0.32768               up    up
lsi                     up    up
mtun                    up    up
pimd                    up    up
pime                    up    up
pp0                     up    up
ppd0                    up    up
ppe0                    up    up
st0                     up    up
tap                     up    up
vlan                    up    down

root>

ge-0/0/1 그리고 ge-0/0/2 ping도 허용해 줍니다.

set security zones security-zone trust host-inbound-traffic system-services ping
set security zones security-zone dmz host-inbound-traffic system-services ping

그리고 SW01 - Gi0/0 192.168.1.2/24 설정하고 SRX ge-0/0/1 192.168.1.1 ping를 시도합니다.

Switch>
Switch>en
Switch#conf t
Switch(config)#ho SW01
SW01(config)#int gigabitEthernet 0/0
SW01(config-if)#no switchport
SW01(config-if)#ip add 192.168.1.2 255.255.255.0
SW01(config-if)#no sh
SW01(config-if)#end
SW01#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 2/40/155 ms
SW01#

그리고 Default Gatway 설정

SW01(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.1
SW01(config)#end
SW01#

SW01#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is 192.168.1.1 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 192.168.1.1
      192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.1.0/24 is directly connected, GigabitEthernet0/0
L        192.168.1.2/32 is directly connected, GigabitEthernet0/0
SW01#

그리고 SW02 - Gi0/0 172.16.1.2/24 설정하고 SRX ge-0/0/2 172.16.1.1 ping를 시도합니다.

Switch>en
Switch#conf t
Switch(config)#ho SW02
SW02(config)#int gigabitEthernet 0/0
SW02(config-if)#no sw
SW02(config-if)#ip add 172.16.1.2 255.255.255.0
SW02(config-if)#no shutdown
SW02(config-if)#end
SW02#
SW02#ping 172.16.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/2 ms
SW02#

그리고 Default Gateway 설정

SW02(config)#ip route 0.0.0.0 0.0.0.0 172.16.1.1
SW02(config)#
SW02#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is 172.16.1.1 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 172.16.1.1
      172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C        172.16.1.0/24 is directly connected, GigabitEthernet0/0
L        172.16.1.2/32 is directly connected, GigabitEthernet0/0
SW02#

방화벽 정책을 테스트하기 위해서 SW01과 SW02를 http, https, telnet, ssh를 Enable 합니다.

SW01(config)#ip http server
SW01(config)#ip http secure-server
% Generating 1024 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 0 seconds)
Failed to generate persistent self-signed certificate.
    Secure server will use temporary self-signed certificate.

SW01(config)#ip domain-name cisco
SW01(config)#crypto key generate rsa
The name for the keys will be: SW01.cisco
Choose the size of the key modulus in the range of 360 to 4096 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]:
% Generating 512 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 0 seconds)

SW01(config)#username cisco privilege 15 password cisco
SW01(config)#

SW01(config)#line vty 0 15
SW01(config-line)#login local
SW01(config-line)#transport input all

SW02에서도 똑같이 설정합니다.

SW02#conf t
SW02(config)#ip http server
SW02(config)#ip http secure-server
% Generating 1024 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 1 seconds)
Failed to generate persistent self-signed certificate.
    Secure server will use temporary self-signed certificate.

SW02(config)#ip domain-name cisco
SW02(config)#crypto key generate rsa
The name for the keys will be: SW02.cisco
Choose the size of the key modulus in the range of 360 to 4096 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]:
% Generating 512 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 0 seconds)

SW02(config)#username cisco privilege 15 password cisco
SW02(config)#line vty 0 15
SW02(config-line)#login local
SW02(config-line)#transport input all
SW02(config-line)#

우선 http, https, telnet, ssh가 제대로 동작하는지 확인하기 위해서 Juniper SRX 방화벽 정책을 Any Any로 먼저 설정하고 테스트를 진행합니다.

turst zone에서 dmz zone으로 가는 Traffic은 모두 허용합니다.

set security policies from-zone trust to-zone dmz policy trsut-to-dmz match source-address any
set security policies from-zone trust to-zone dmz policy trsut-to-dmz match destination-address any
set security policies from-zone trust to-zone dmz policy trsut-to-dmz match application any
set security policies from-zone trust to-zone dmz policy trsut-to-dmz then permit
set security policies from-zone trust to-zone dmz policy trsut-to-dmz then log session-init
set security policies from-zone trust to-zone dmz policy trsut-to-dmz then count

SW01 in trust zone에서 SW02 in dmz zone에 Ping시도

SW01#ping 172.16.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/28/126 ms
SW01#

SW01 in trust zone에서 SW02 in dmz zone에 http, https, telnet, ssh 시도

telnet 172.16.1.2 80 - http 성공

telnet 172.16.1.2 443 - https 성공

telnet 172.16.1.2 23 - telnet 성공

ssh -l cisco 172.16.1.2 - ssh 성공

SW01#telnet 172.16.1.2 80
Trying 172.16.1.2, 80 ... Open
^C
HTTP/1.1 400 Bad Request
Date: Sun, 23 Jun 2024 07:37:36 GMT
Server: cisco-IOS
Accept-Ranges: none

400 Bad Request
[Connection to 172.16.1.2 closed by foreign host]
SW01#
SW01#
SW01#telnet 172.16.1.2 443
Trying 172.16.1.2, 443 ... Open

[Connection to 172.16.1.2 closed by foreign host]
SW01#
SW01#
SW01#

SW01#telnet 172.16.1.2
Trying 172.16.1.2 ... Open

**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************

User Access Verification

Username: cisco
Password:
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************
SW02#

SW01#
SW01#ssh -l cisco 172.16.1.2

**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************
Password:

**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************SW02#
SW02#
SW02#

SW02 in dmz zone에서 SW01 in trust zone으로 Ping 시도합니다.

Juniper SRX에서 dmz zone에서 trust zone에 방화벽 정책이 없기 때문에 실패합니다.

SW02#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
SW02#

테스트를 위해서 dmz zone에서 trust zone에 방화벽 정책 any를 설정합니다.

set security policies from-zone dmz to-zone trust policy dmz-to-trust  match source-address any
set security policies from-zone dmz to-zone trust  policy dmz-to-trust match destination-address any
set security policies from-zone dmz to-zone trust  policy dmz-to-trust  match application any
set security policies from-zone dmz to-zone trust  policy dmz-to-trust  then permit
set security policies from-zone dmz to-zone trust  policy dmz-to-trust  then log session-init
set security policies from-zone dmz to-zone trust  policy dmz-to-trust  then count

SW02 in dmz zone에서 SW01 in trust zone으로 Ping 시도합니다.

SW02#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/15 ms
SW02#

SW02 in trust zone에서 SW01 in dmz zone에 http, https, telnet, ssh 시도

telnet 192.168.1.2 80 - http 성공

telnet 192.168.1.2 443 - https 성공

telnet 192.168.1.2 23 - telnet 성공

ssh -l cisco 192.168.1.2 - ssh 성공

SW02#telnet 192.168.1.2 80
Trying 192.168.1.2, 80 ... Open
^C
HTTP/1.1 400 Bad Request
Date: Sun, 23 Jun 2024 07:49:11 GMT
Server: cisco-IOS
Accept-Ranges: none

400 Bad Request
[Connection to 192.168.1.2 closed by foreign host]
SW02#telnet 192.168.1.2 443
Trying 192.168.1.2, 443 ... Open

^C^[[A
[Connection to 192.168.1.2 closed by foreign host]
SW02#telnet 192.168.1.2
Trying 192.168.1.2 ... Open

**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************

User Access Verification

Username: cisco
Password:
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************
SW01#

SW01#ssh -l cisco 192.168.1.2

**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************
Password:

**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************
SW01#exit

[Connection to 192.168.1.2 closed by foreign host]
SW01#

Juniper SRX방화벽 정책에서 Hit-Count 확인하는 방법

root> show security policies hit-count
Logical system: root-logical-system
Index   From zone        To zone           Name           Policy count  Action
1       trust            dmz               trsut-to-dmz   9             Permit
2       dmz              trust             trsut-to-dmz   8             Permit

Number of policy: 2

root>

trust zone - SW01에서 dmz zone -SW02에 방화벽 정책

1. 192.168.1.2 -> 172.16.1.2 https 허용

2. 192.168.1.2 -> 172.16.1.2 telnet 허용

나머지는 모두 차단

address-book name

H-192.168.1.2/32 - SW01

H-172.16.1.2/32 - SW02

application은 custom으로 설정

T-23 -> T는 tcp를 의미 23은 포트 번호 의미

T-443

기존 trust zone에서 dmz zone으로 가는 Any 정책 삭제

root# delete security policies from-zone trust to-zone dmz

[edit]
root# commit
commit complete

address-book과 application를 정의합니다.

set security address-book global address H-192.168.1.2/32 192.168.1.2/32
set security address-book global address H-172.16.1.2/32 172.16.1.2/32

set applications application T-23 protocol tcp
set applications application T-23 source-port 0-65535
set applications application T-23 destination-port 23
set applications application T-23 inactivity-timeout 20

set applications application T-443 protocol tcp
set applications application T-443 source-port 0-65535
set applications application T-443 destination-port 443
set applications application T-443 inactivity-timeout 20

방화벽 정책을 생성합니다.

set security policies from-zone dmz to-zone trust policy trsut-to-dmz match source-address any
set security policies from-zone dmz to-zone trust policy trsut-to-dmz match destination-address any
set security policies from-zone dmz to-zone trust policy trsut-to-dmz match application any
set security policies from-zone dmz to-zone trust policy trsut-to-dmz then permit
set security policies from-zone dmz to-zone trust policy trsut-to-dmz then log session-init
set security policies from-zone dmz to-zone trust policy trsut-to-dmz then count

commit

방화벽 정책 확인하는 방법

root> show security policies
Default policy: deny-all
Default policy log Profile ID: 0
Pre ID default policy: permit-all
From zone: dmz, To zone: trust
  Policy: trsut-to-dmz, State: enabled, Index: 5, Scope Policy: 0, Sequence number: 1, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: any
    Destination addresses: any
    Applications: any
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit, log, count
From zone: trust, To zone: dmz
  Policy: trust-to-dmz, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: H-192.168.1.2/32
    Destination addresses: H-172.16.1.2/32
    Applications: T-23, T-443
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit, log, count

root>

방화벽 정책 설정값 확인 방법 - 전체

root> show configuration security | display set | no-more
set security address-book global address H-192.168.1.2/32 192.168.1.2/32
set security address-book global address H-172.16.1.2/32 172.16.1.2/32
set security policies from-zone dmz to-zone trust policy trsut-to-dmz match source-address any
set security policies from-zone dmz to-zone trust policy trsut-to-dmz match destination-address any
set security policies from-zone dmz to-zone trust policy trsut-to-dmz match application any
set security policies from-zone dmz to-zone trust policy trsut-to-dmz then permit
set security policies from-zone dmz to-zone trust policy trsut-to-dmz then log session-init
set security policies from-zone dmz to-zone trust policy trsut-to-dmz then count
set security policies from-zone trust to-zone dmz policy trust-to-dmz match source-address H-192.168.1.2/32
set security policies from-zone trust to-zone dmz policy trust-to-dmz match destination-address H-172.16.1.2/32
set security policies from-zone trust to-zone dmz policy trust-to-dmz match application T-23
set security policies from-zone trust to-zone dmz policy trust-to-dmz match application T-443
set security policies from-zone trust to-zone dmz policy trust-to-dmz then permit
set security policies from-zone trust to-zone dmz policy trust-to-dmz then log session-init
set security policies from-zone trust to-zone dmz policy trust-to-dmz then count
set security zones security-zone untrust host-inbound-traffic system-services dhcp
set security zones security-zone untrust host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone trust host-inbound-traffic system-services ping
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone dmz host-inbound-traffic system-services ping
set security zones security-zone dmz interfaces ge-0/0/2.0

root>

방화벽 정책 trust zone에서 dmz zone만 확인 하는 방법

root> show configuration security policies from-zone trust to-zone dmz | display set | no-more
set security policies from-zone trust to-zone dmz policy trust-to-dmz match source-address H-192.168.1.2/32
set security policies from-zone trust to-zone dmz policy trust-to-dmz match destination-address H-172.16.1.2/32
set security policies from-zone trust to-zone dmz policy trust-to-dmz match application T-23
set security policies from-zone trust to-zone dmz policy trust-to-dmz match application T-443
set security policies from-zone trust to-zone dmz policy trust-to-dmz then permit
set security policies from-zone trust to-zone dmz policy trust-to-dmz then log session-init
set security policies from-zone trust to-zone dmz policy trust-to-dmz then count

테스트해보겠습니다.

trust zone - SW01에서 dmz zone -SW02에 방화벽 정책

1. 192.168.1.2 -> 172.16.1.2 https 허용

2. 192.168.1.2 -> 172.16.1.2 telnet 허용

3. 192.168.1.2 -> 172.16.1.2 http 차단

4. 192.168.1.2 -> 172.16.1.2 ssh 차단

나머지는 모두 차단

SW01#telnet 172.16.1.2 443
Trying 172.16.1.2, 443 ... Open
^C
^^
v
[Connection to 172.16.1.2 closed by foreign host]
SW01#
SW01#telnet 172.16.1.2
Trying 172.16.1.2 ... Open

**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************

User Access Verification

Username: cisco
Password:
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************
SW02#exit

Telnet이랑 SSH는 접속 실패 하였습니다. 방화벽 정책이 없기 때문입니다.

SW01#telnet 172.16.1.2 80
Trying 172.16.1.2, 80 ...
% Connection timed out; remote host not responding

SW01#ssh -l cisco 172.16.1.2
SW01#

방화벽 정책 hit count를 확인해 보겠습니다.

root> show security policies hit-count
Logical system: root-logical-system
Index   From zone        To zone           Name           Policy count  Action
1       trust            dmz               trust-to-dmz   2             Permit
2       dmz              trust             trsut-to-dmz   8             Permit

현재 방화벽 flow session를 확인하는 방법

SW01 -> SW02 telnet 시도

SW01#telnet 172.16.1.2
Trying 172.16.1.2 ... Open

**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************

User Access Verification

Username: cisco
Password:
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************
SW02#

Juniper SRX에서 show security flow session으로 세션 상태 확인

root> show security flow session
Session ID: 1641, Policy name: trust-to-dmz/4, State: Stand-alone, Timeout: 16, Valid
  In: 192.168.1.2/59113 --> 172.16.1.2/23;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 24, Bytes: 1108,
  Out: 172.16.1.2/23 --> 192.168.1.2/59113;tcp, Conn Tag: 0x0, If: ge-0/0/2.0, Pkts: 20, Bytes: 2171,
Total sessions: 1

지금까지 [2024][Juniper SRX #13] firewall policy 글을 읽어주셔서 감사합니다.

저작자표시 (새창열림)

'JUNIPER > SRX 방화벽' 카테고리의 다른 글

[2024][Juniper SRX #15] commit and rollback (1)	2024.07.27
[2024][Juniper SRX #14] firewall policy 순서 변경 (0)	2024.07.26
[2024][Juniper SRX #12] application and application-set (2)	2024.07.24
[2024][Juniper SRX #10] Administrator access restriction settings for MGMT (0)	2024.07.22
[2024][Juniper SRX #9] SSH, Telnet and web-management 설정하기 (0)	2024.07.21

안녕하세요.

오늘은 [2024][Juniper SRX #12] application and application-set입니다.

Juniper 방화벽 정책을 설정 시 Source port 또는 Destination port에 TCP/UDP, 또는 port number를 지정할 때 사용 합니다.

자세한 내용은 Juniper SRX 공식 홈페이지를 참조 바랍니다.

https://www.juniper.net/documentation/us/en/software/junos/security-policies/topics/topic-map/policy-application-sets-configuration.html

Security Policy Applications and Application Sets | Junos OS | Juniper Networks

When you create a policy, you must specify an application, or service, for it to indicate that the policy applies to traffic of that type. Sometimes the same applications or a subset of them can be present in multiple policies, making it difficult to manag

www.juniper.net

Applications은 두 가지로 분류됩니다.

1. standard

2. custom applications

standard way는 이미 Juniper SRX에서 정의된 포트를 말합니다. 주로 well-known port를 의미합니다.

set applications application standard-way application-protocol http

root# set applications application KK application-protocol ?
Possible completions:
  dns                  Domain Name Service
  ftp                  File Transfer Protocol
  ftp-data             File Transfer Protocol Data Session
  gprs-gtp-c           GPRS Tunneling Control Plane
  gprs-gtp-u           GPRS Tunneling User Plane
  gprs-gtp-v0          GPRS Tunneling Version 0
  gprs-sctp            GPRS Stream Control Protocol
  http                 Hypertext Transfer Protocol
  https                Hypertext Transfer Protocol
  ignore               Ignore application type
  ike-esp-nat          IKE/ESP with NAT
  imap                 Internet Mail Access Protocol
  imaps                Internet Mail Access Protocol Over TLS
  mgcp-ca              MGCP-CA
  mgcp-ua              MGCP-UA
  ms-rpc               Microsoft RPC
  none                 None
  pop3                 Post Office Protocol 3 Protocol
  pop3s                Post Office Protocol 3 Protocol Over TLS
  pptp                 Point-to-Point Tunneling Protocol
  q931                 Q.931
  ras                  RAS
  realaudio            RealAudio
  rsh                  Remote Shell
  rtsp                 Real Time Streaming Protocol
  sccp                 Skinny Client Control Protocol
  sip                  Session Initiation Protocol
  smtp                 Simple Mail Transfer Protocol
  smtps                Simple Mail Transfer Protocol Over TLS
  sqlnet-v2            Oracle SQL*Net Version 2
  ssh                  Secure Shell Protocol
  sun-rpc              Sun Microsystems RPC
  talk                 Talk Program
  telnet               Telnet Protocol
  tftp                 Trivial File Transfer Protocol
  twamp                Two Way Active Meaurement Protocol
[edit]

이번에는 custom 방식에 대해서 알아보겠습니다.

Protocol -> tcp

Source-port - 0-65535 -> source port는 랜덤으로 선택됩니다. 특정 Application은 source-port가 특정 포트로 동작하는 APP도 있습니다

Destination-port - 23

inactivity-timeout - 20초

set applications application telnet-1 protocol tcp
set applications application telnet-1 source-port 0-65535
set applications application telnet-1 destination-port 23
set applications application telnet-1 inactivity-timeout 20

방화벽 정책 설정 시 application를 아래처럼 불러와서 사용 가능 합니다.

set security policies from-zone trust to-zone untrust policy p1 match application telnet-1

만약에 하나에 방화벽 정책에 여러 개 application를 사용하고 싶으면 아래와 같이 설정 가능 합니다

set applications application http-1 protocol tcp
set applications application http-1 source-port 0-65535
set applications application http-1 destination-port 80
set applications application http-1 inactivity-timeout 20

아래처럼 application 정책을 계속 추가해야 합니다.

set security policies from-zone trust to-zone untrust policy p1 match application telnet-1
set security policies from-zone trust to-zone untrust policy p1 match application http-1

하지만 application-set을 이용하면 하나에 정책에 많은 application 추가해서 사용할 수 있습니다.

application-set에 http-1이랑 telnet-1을 할당합니다.

set applications application-set app-group application http-1
set applications application-set app-group application telnet-1

그리고 방화벽 정책에 application-set를 설정합니다.

set security policies from-zone trust to-zone untrust policy p1 match application-set app-group

application 설정값 확인 하는 명령어

root> show configuration applications | display set
set applications application standard-way application-protocol http
set applications application http-1 protocol tcp
set applications application http-1 source-port 0-65535
set applications application http-1 destination-port 80
set applications application http-1 inactivity-timeout 20
set applications application telnet-1 protocol tcp
set applications application telnet-1 source-port 0-65535
set applications application telnet-1 destination-port 23
set applications application telnet-1 inactivity-timeout 20
set applications application-set app-group application http-1
set applications application-set app-group application telnet-1

root>

지금까지 [2024][Juniper SRX #12] application and application-set 글을 읽어주셔서 감사합니다.

저작자표시 (새창열림)

'JUNIPER > SRX 방화벽' 카테고리의 다른 글

[2024][Juniper SRX #14] firewall policy 순서 변경 (0)	2024.07.26
[2024][Juniper SRX #13] firewall policy (0)	2024.07.25
[2024][Juniper SRX #10] Administrator access restriction settings for MGMT (0)	2024.07.22
[2024][Juniper SRX #9] SSH, Telnet and web-management 설정하기 (0)	2024.07.21
[2024][Juniper SRX #8] Zone configuration (2)	2024.07.20

안녕하세요.

오늘은 [2024][Juniper SRX #11] address book and address set에 대해서 알아보겠습니다.

Juniper SRX방화벽은 정책을 만들 때 곧바로 IP주소를 입력할 수 없고 Address book를 만들어서 IP주소를 정의해야 합니다.

그래야지 방화벽 정책에서 address book 이름을 불러올 수 있습니다.

자세한 내용은 Juniper 공식 address book이랑 address set에 대한 내용은 확인 부탁드립니다.

https://www.juniper.net/documentation/us/en/software/junos/security-policies/topics/topic-map/security-address-books-sets.html

Address Books and Address Sets | Junos OS | Juniper Networks

In this example, you create source and destination address books, SOUR-ADDR and DES-ADDR, and add source and destination addresses to it. You create source and destination address sets, as1 and as2, and group source and destination addresses to them. Then

www.juniper.net

Address-book은 크게 두 가지로 나누어집니다.

1. global(default) - 모든 zone에서 address book를 불러올 수 있습니다

2. custorm(Must be binded to a zone) - address-book이 특정 Zone에서만 사용할 수 있습니다.

address-book를 정의할 때는 아래와 같이 5가지 사용 가능 합니다.

1. Prefix - EX) 192.168.10.0/24

2. address-range - EX) 192.168.11.10 to 192.168.11.199

3. wildcard_address - EX) 10.0.10.0/255.7.255.0 -

4. DNS_name - EX) cisco.com

5. Any - 모든 트래픽

그럼 Juniper SRX에서 address-book를 설정해 보겠습니다.

1. Prefix를 이용하는 방법

global - global address book 정의

N-192.168.1.0/24 - address book이름

192.168.1.0/24 - Prefix Target IP 정의

set security address-book global address N-192.168.1.0/24 192.168.1.0/24

2. address-range 이용하는 방법

global - global address book 정의

H-192.168.1.0-to-10 - adress book 이름 정의

192.168.1.0 to 192.168.1.10 - 실제 Target IP정의

set security address-book global address H-192.168.1.0-to-10 range-address 192.168.1.0 to 192.168.1.10

3. Wildcard_address 이용하는 방법

global - global address book 정의

wildcard - adress book 이름 정의

192.168.0.11/255.255.0.255 - 192.168.*. 11을 의미 - 즉 192.168.1.11 , 192.168.3.11 - 3번째 octoc은 아무 숫자나 허

set security address-book global address wildcard wildcard-address 192.168.0.11/255.255.0.255

4. dns_name를 이용하는 방법

global - global address book 정의

dns_filter - adress book 이름 정의

cisco.com - dns name이 cisco.com를 정의함.

set security address-book global address dns_filter dns-name cisco.com

이번에는 address-set에 대해서 정의해 보겠습니다.

만약에 위에 모든 정책을 destination IP에 정의를 한다고 하면 똑같은 설정을 4번을 해야 합니다.

방화벽 정책 설정은 추후 강일에서 진행하겠습니다. 아래 설정값은 이해하는 용도로 사용됩니다.

set security policies from-zone trust to-zone untrust policy p1 match destination-address N-192.168.1.0/24
set security policies from-zone trust to-zone untrust policy p1 match destination-address H-192.168.1.0-to-10
set security policies from-zone trust to-zone untrust policy p1 match destination-address wildcard
set security policies from-zone trust to-zone untrust policy p1 match destination-address dns_filter

방화벽 정책 숫자가 적고 source address book과 destination address book이 조금 이면 이렇게 설정해도 상관없지만, adress book수가 많으면, 추후에 정책 설정값을 보거나 show 커맨드로 사용해서 특정값을 출력할 때도 너무 많은 정도들이 올라와서 불편합니다.

address-set를 하나 만들고 여기에 address-book를 포함하면 위에 설정값이 한 줄로 줄어듭니다.

global - global address book 정의

destination-group - adress-set 이름 정의

address N-192.168.1.0/24, H-192.168.1.0-to-10, wildcard 그리고 dns_filter를 address-set destination-group에 포함시킵니다.

set security address-book global address-set destination-group address N-192.168.1.0/24
set security address-book global address-set destination-group address H-192.168.1.0-to-10
set security address-book global address-set destination-group address wildcard
set security address-book global address-set destination-group address dns_filter

그리고 방화벽 정책에서 destination를 정의할 때 한 줄로 사용 가능 합니다.

destination-address에서 destination-group를 불러오면 위에 정의한 address-book 4개를 정의할 수 있습니다.

set security policies from-zone trust to-zone untrust policy p1 match destination-address destination-group

여기까지 Global Address-book에 대해서 설명했습니다. Global address-book은 아무 zone에서 address-book를 불러올 수 있습니다.

trust_zone - global address book이 아닌 name를 정의합니다.

N-10.1.1.0/8 - address book이름 정의

10.1.1.0/8 - 실제 IP대역 target ip address

그리고 trust_zone를 trust zone에게 attach 하면 이 address-book은 turst zone만 사용 가능 하게 됩니다.

set security address-book trust_zone address N-10.1.1.0/8 10.1.1.0/8
set security address-book trust_zone attach zone trust

지금까지 설정한 address-book 출력하기

주의 사항: root> 여기에서는 show security address-book 커맨드가 없기 때문에 확인 불가능 합니다.

꼭 configuration mode에서 확인하시길 바랍니다.

root# show security address-book | display set | no-more
set security address-book global address N-192.168.1.0/24 192.168.1.0/24
set security address-book global address H-192.168.1.0-to-10 range-address 192.168.1.0 to 192.168.1.10
set security address-book global address wildcard wildcard-address 192.168.0.11/255.255.0.255
set security address-book global address dns_filter dns-name cisco.com
set security address-book global address-set destination-group address N-192.168.1.0/24
set security address-book global address-set destination-group address H-192.168.1.0-to-10
set security address-book global address-set destination-group address wildcard
set security address-book global address-set destination-group address dns_filter
set security address-book trust_zone address N-10.1.1.0/8 10.1.1.0/8

또는

root> show configuration security address-book | display set
set security address-book global address N-192.168.1.0/24 192.168.1.0/24
set security address-book global address H-192.168.1.0-to-10 range-address 192.168.1.0 to 192.168.1.10
set security address-book global address wildcard wildcard-address 192.168.0.11/255.255.0.255
set security address-book global address dns_filter dns-name cisco.com
set security address-book global address-set destination-group address N-192.168.1.0/24
set security address-book global address-set destination-group address H-192.168.1.0-to-10
set security address-book global address-set destination-group address wildcard
set security address-book global address-set destination-group address dns_filter

root>

지금까지 [2024][Juniper SRX #11] address book and address set 글을 읽어주셔서 감사합니다.

저작자표시 (새창열림)

안녕하세요.

[2024][Juniper SRX #10] Administrator access restriction settings for MGMT입니다.

Juniper SRX에 SSH 또는 Telnet 또는 J-web를 설정하여 Juniper SRX 관리할 수 있지만 보안 설정을 안 하면 모든 IP대역이 Juniper SRX를 SSH 또는 Telent 또는 J-web를 접속하여 로그인할 수 있습니다.

회사에서 보안상 특정 IP대역만 Juniper SRX MGMT IP를 통하여 주니퍼 방화벽을 관리해야 하는 경우에는 아래와 같이 설정 가능 합니다.

토폴로지

Juniper SRX 기본 설정은 아래와 같습니다.

root> show configuration | display set | no-more
set version 21.3R1.9
set system root-authentication encrypted-password "$6$Ea7ce5UJ$33Cef6CXrDrf7O1iHX0Skwii8sjgCAeFvM5CXzEbX3/5QyNQxTMpRtregTUO/84DdvZhnEXel5WPvXKOu0hyx1"
set system login user juniper uid 2000
set system login user juniper class super-user
set system login user juniper authentication encrypted-password "$6$.zIMNUej$r05Ie68YwDsLLShNbIIYdL.TjI9p/ndcvxF0YOuOAbD.OlQWmgaABWskuOtmcU9ZRhp.VqM/tVcA2.tZMwc.W/"
set system services ssh root-login allow
set system services telnet
set system services web-management https system-generated-certificate
set system services web-management https interface fxp0.0
set interfaces fxp0 unit 0 family inet address 192.168.10.220/24
set routing-options static route 0.0.0.0/0 next-hop 192.168.10.253

Cisco 스위치 기본 설정입니다.

Switch#conf t
Switch(config)#hostname SW1
SW1(config)#int g0/0
SW1(config-if)#no sw
SW1(config-if)#ip add dhcp
SW1(config-if)#no sh

Juniper Interface를 상태를 확인합니다.

root> show interfaces terse
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
gr-0/0/0                up    up
ip-0/0/0                up    up
lsq-0/0/0               up    up
lt-0/0/0                up    up
mt-0/0/0                up    up
sp-0/0/0                up    up
sp-0/0/0.0              up    up   inet
                                   inet6
sp-0/0/0.16383          up    up   inet
ge-0/0/1                up    up
ge-0/0/2                up    up
dsc                     up    up
fti0                    up    up
fxp0                    up    up
fxp0.0                  up    up   inet     192.168.10.220/24
gre                     up    up
ipip                    up    up
irb                     up    up
lo0                     up    up
lo0.16384               up    up   inet     127.0.0.1           --> 0/0
lo0.16385               up    up   inet     10.0.0.1            --> 0/0
                                            10.0.0.16           --> 0/0
                                            128.0.0.1           --> 0/0
                                            128.0.0.4           --> 0/0
                                            128.0.1.16          --> 0/0
lo0.32768               up    up
lsi                     up    up
mtun                    up    up
pimd                    up    up
pime                    up    up
pp0                     up    up
ppd0                    up    up
ppe0                    up    up
st0                     up    up
tap                     up    up
vlan                    up    down

root>

Cisco Interface를 확인합니다.

SW1#show ip int brie
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet0/1     unassigned      YES unset  up                    up
GigabitEthernet0/2     unassigned      YES unset  up                    up
GigabitEthernet0/3     unassigned      YES unset  up                    up
GigabitEthernet0/0     192.168.10.104  YES DHCP   up                    up
GigabitEthernet1/0     unassigned      YES unset  up                    up
GigabitEthernet1/1     unassigned      YES unset  up                    up
GigabitEthernet1/2     unassigned      YES unset  up                    up
GigabitEthernet1/3     unassigned      YES unset  up                    up
SW1#

Juniper SRX fxp0 IP: 192.168.10.220

Cisco Gi0/0 IP: 192.168.10.104

Cisco에서 Juniper fxp0로 Ping를 시도합니다

SW1#ping 192.168.10.220
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.220, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/2 ms
SW1#

Telnet Test - 정상적으로 동작합니다.

SW1#telnet 192.168.10.220
Trying 192.168.10.220 ... Open
login: juniper
Password:
Last login: Thu Jun 20 09:49:37 from 172.16.10.15

--- JUNOS 21.3R1.9 Kernel 64-bit XEN JNPR-12.1-20210828.6e5b1bf_buil
juniper>

SSH Test - 정상적으로 동작합니다.

SW1#ssh -l root 192.168.10.220
Password:
Last login: Sat Jun 22 06:12:39 2024
--- JUNOS 21.3R1.9 Kernel 64-bit XEN JNPR-12.1-20210828.6e5b1bf_buil
root@:~ #

현재 Cisco IP주소는 192.168.10.104인데, 보안 설정을 192.168.10.105만 Juniper SRX로 접속 가능 하게 설정해 보겠습니다.

1. IP 대상을 입력합니다. 여러 IP를 허용하면 여러 개를 입력합니다.

set policy-options prefix-list manager-ip 192.168.10.105/32

2. IP를 이용해서 Filter 정책을 만듭니다.

IP: 192.168.10.105

Protocol: tcp

Destination port: telnet https ssh

만 허용합니다. 그리고 나머지는 차단합니다.

set firewall filter manager-ip term accept_manager from prefix-list manager-ip
set firewall filter manager-ip term accept_manager from protocol tcp
set firewall filter manager-ip term accept_manager from destination-port telnet
set firewall filter manager-ip term accept_manager from destination-port https
set firewall filter manager-ip term accept_manager from destination-port ssh
set firewall filter manager-ip term accept_manager then accept
set firewall filter manager-ip term block_non_manager then discard

3. MGMT interface fxp0에 filter를 적용합니다.

set interfaces fxp0 unit 0 family inet filter input manager-ip

commit

그리고 설정을 적용합니다.

Cisco Side

Telent를 시도합니다. Juniper Filter정책 때문에 Telnet 접속이 실패합니다.

SW1#telnet 192.168.10.220
Trying 192.168.10.220 ...
% Connection timed out; remote host not responding

SW1#

SSH를 시도합니다. Juniper Filter정책 때문에 SSH 접속이 실패합니다.

SW1#ssh -l root 192.168.10.220
SW1#

Cisco Switch에서 IP주소를 192.168.10.105로 변경 후 Telnet과 SSH를 시도해 보겠습니다.

SW1(config)#int g0/0
SW1(config-if)#ip add 192.168.10.105 255.255.255.0
SW1(config-if)#no sh

SW1#show ip int brie
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet0/1     unassigned      YES unset  up                    up
GigabitEthernet0/2     unassigned      YES unset  up                    up
GigabitEthernet0/3     unassigned      YES unset  up                    up
GigabitEthernet0/0     192.168.10.105  YES manual up                    up
GigabitEthernet1/0     unassigned      YES unset  up                    up
GigabitEthernet1/1     unassigned      YES unset  up                    up
GigabitEthernet1/2     unassigned      YES unset  up                    up
GigabitEthernet1/3     unassigned      YES unset  up                    up
SW1#

Telnet 시도 - 허용된 IP이기 때문에 telnet이 성공합니다.

SW1#telnet 192.168.10.220
Trying 192.168.10.220 ... Open
login: juniper
Password:
Last login: Sat Jun 22 06:19:21 from 192.168.10.104

--- JUNOS 21.3R1.9 Kernel 64-bit XEN JNPR-12.1-20210828.6e5b1bf_buil
juniper>

SSH 시도 - 허용된 IP이기 때문에 ssh가 성공합니다.

SW1#ssh -l root 192.168.10.220
Password:

Last login: Sat Jun 22 06:20:40 2024 from 192.168.10.104
--- JUNOS 21.3R1.9 Kernel 64-bit XEN JNPR-12.1-20210828.6e5b1bf_buil
root@:~ #

지금까지 [2024][Juniper SRX #10] Administrator access restriction settings for MGMT글을 읽어주셔서 감사합니다.

저작자표시 (새창열림)

'JUNIPER > SRX 방화벽' 카테고리의 다른 글

[2024][Juniper SRX #13] firewall policy (0)	2024.07.25
[2024][Juniper SRX #12] application and application-set (2)	2024.07.24
[2024][Juniper SRX #9] SSH, Telnet and web-management 설정하기 (0)	2024.07.21
[2024][Juniper SRX #8] Zone configuration (2)	2024.07.20
[2024][Juniper SRX #7] host-inbound-traffic (0)	2024.07.19

안녕하세요.

[2024][Juniper SRX #9] SSH and Telnet 설정하기입니다.

Juniper SRX은 fxp0이 MGMT interface입니다. 여기에 IP주소를 설정하고 외부에서 SSH나 Telent를 통해서 접속해 보겠습니다.

토폴로지는 아래와 같습니다.

기본적으로 설정값들을 지웁니다.

root# delete
This will delete the entire configuration
Delete everything under this level? [yes,no] (no) yes

root# set system root-authentication plain-text-password
New password:
Retype new password:

root# commit
commit complete

[edit]
root# commit
commit complete

fxp0에 IP주소를 할당합니다.

DHCP기능이 동작하면 자동으로 IP주소를 받을 수 있고 또는 수동으로 설정 가능 합니다.

DHCP로 IP주소 받기

root# set interfaces fxp0 unit 0 family inet dhcp

[edit]
root# commit

Interface에 IP 확인하기

root> show interfaces terse
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
gr-0/0/0                up    up
ip-0/0/0                up    up
lsq-0/0/0               up    up
lt-0/0/0                up    up
mt-0/0/0                up    up
sp-0/0/0                up    up
sp-0/0/0.0              up    up   inet
                                   inet6
sp-0/0/0.16383          up    up   inet
ge-0/0/1                up    up
ge-0/0/2                up    up
dsc                     up    up
fti0                    up    up
fxp0                    up    up
fxp0.0                  up    up   inet     192.168.10.220/24
gre                     up    up
ipip                    up    up
irb                     up    up
lo0                     up    up
lo0.16384               up    up   inet     127.0.0.1           --> 0/0
lo0.16385               up    up   inet     10.0.0.1            --> 0/0
                                            10.0.0.16           --> 0/0
                                            128.0.0.1           --> 0/0
                                            128.0.0.4           --> 0/0
                                            128.0.1.16          --> 0/0
lo0.32768               up    up
lsi                     up    up
mtun                    up    up
pimd                    up    up
pime                    up    up
pp0                     up    up
ppd0                    up    up
ppe0                    up    up
st0                     up    up
tap                     up    up
vlan                    up    down

root>

수동으로 IP주소 설정하기

delete interfaces fxp0 unit 0 family inet dhcp
commit

root# set interfaces fxp0 unit 0 family inet address 192.168.10.104/24
root# set routing-options static route 0.0.0.0/0 next-hop 192.168.10.253

[edit]
root# commit

root> show interfaces terse
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
gr-0/0/0                up    up
ip-0/0/0                up    up
lsq-0/0/0               up    up
lt-0/0/0                up    up
mt-0/0/0                up    up
sp-0/0/0                up    up
sp-0/0/0.0              up    up   inet
                                   inet6
sp-0/0/0.16383          up    up   inet
ge-0/0/1                up    up
ge-0/0/2                up    up
dsc                     up    up
fti0                    up    up
fxp0                    up    up
fxp0.0                  up    up   inet     192.168.10.220/24
gre                     up    up
ipip                    up    up
irb                     up    up
lo0                     up    up
lo0.16384               up    up   inet     127.0.0.1           --> 0/0
lo0.16385               up    up   inet     10.0.0.1            --> 0/0
                                            10.0.0.16           --> 0/0
                                            128.0.0.1           --> 0/0
                                            128.0.0.4           --> 0/0
                                            128.0.1.16          --> 0/0
lo0.32768               up    up
lsi                     up    up
mtun                    up    up
pimd                    up    up
pime                    up    up
pp0                     up    up
ppd0                    up    up
ppe0                    up    up
st0                     up    up
tap                     up    up
vlan                    up    down

root>

Juniper SRX에 SSH 설정합니다.

root# set system services ssh root-login allow

[edit]
root# commit
commit complete

노트북에서 putty 또는 CRT를 이용해서 접속을 테스트합니다.

정상적으로 동작합니다.

이번에는 Telent를 설정합니다.

root# set system services telnet

[edit]
root# commit
commit complete

telnet은 기본적으로 root를 허용하지 않습니다. root계정으로 로그인을 시도해도 실패합니다.

만약에 telnet를 사용해야 하는 경우에는 user를 따로 생성합니다.

root# set system login user juniper class super-user

[edit]
root# set system login user juniper authentication plain-text-password
New password:
Retype new password:

[edit]
root# commit
commit complete

juniper 계정을 새로 생성하였고 로그인을 시도합니다.

성공적으로 로그인됩니다.

Juniper SRX는 Web 기반에 방화벽에 설정을 지원합니다. 이번에는 j-web를 설정해 보겠습니다.

set system services web-management https system-generated-certificate
set system services web-management https interface fxp0.0

테스트를 위해서 fxp0 ip를 입력합니다.

지금까지 [2024][Juniper SRX #9] SSH, Telnet and web-management 설정하기 글을 읽어주셔서 감사합니다.

저작자표시 (새창열림)

'JUNIPER > SRX 방화벽' 카테고리의 다른 글

[2024][Juniper SRX #12] application and application-set (2)	2024.07.24
[2024][Juniper SRX #10] Administrator access restriction settings for MGMT (0)	2024.07.22
[2024][Juniper SRX #8] Zone configuration (2)	2024.07.20
[2024][Juniper SRX #7] host-inbound-traffic (0)	2024.07.19
[2024][Juniper SRX #6] Interface 설정 - RVI - Trunk mode (1)	2024.07.17

안녕하세요.

오늘은 [2024][Juniper SRX #8] Zone에 대해서 알아보겠습니다.

Juniper SRX는 Zone base Firewall입니다. Interface가 독자적으로 동작하지 못하고 interface는 하나에 Zone에 포함되어야 하고 방화벽 정책은 Zone를 기반으로 허용 또는 차단이 가능합니다.

이 부분은 추후에 방화벽 정책을 테스트할 때 좀 더 자세히 진행하겠습니다.

테스트 토폴로지는 아래와 같습니다.

1.vIOS Switch

2.vSRX를 사용 하였습니다.

IP정보는 아래와 같습니다

SRX:

ge-0/0/0 - 10.1.1.1/24 untrust zone

ge-0/0/1 - 172.16.1.1/24 dmz zone

ge-0/0/2 - 192.168.1.1/24 trust zone

fxp0 - dhcp - management zone

SW1

gi0/0 - 10.1.1.2/24

SW2

gi0/0 - 172.16.1.2/24

SW3

gi0/0 - 192.168.1.2/24

Juniper SRX Zone Types

1. fuctional zone (management Zone) - dedicate an interface just for the purpose of management

일반적으로 fxp0이 management 인터페이스인데, data interface를 MGMT로 사용할 때 이 명령어를 사용하여

MGMT역활한 할 수 있게 설정할 수 있습니다.

2. Security zone - to control traffic between different security zone

3. junos-host - control traffic between security zone and juniper device itself

4. null - discard traffic

현재 생성된 zone 리스트를 출력 하는 명령어

show security zones terse

root> show security zones terse
Zone                        Type
junos-host                  Security

아래 interface를 보면 fxp0이 SRX management interface입니다.

root> show interfaces terse
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
gr-0/0/0                up    up
ip-0/0/0                up    up
lsq-0/0/0               up    up
lt-0/0/0                up    up
mt-0/0/0                up    up
sp-0/0/0                up    up
sp-0/0/0.0              up    up   inet
                                   inet6
sp-0/0/0.16383          up    up   inet
ge-0/0/1                up    up
ge-0/0/2                up    up
dsc                     up    up
fti0                    up    up
fxp0                    up    up
gre                     up    up
ipip                    up    up
irb                     up    up
lo0                     up    up
lo0.16384               up    up   inet     127.0.0.1           --> 0/0
lo0.16385               up    up   inet     10.0.0.1            --> 0/0
                                            10.0.0.16           --> 0/0
                                            128.0.0.1           --> 0/0
                                            128.0.0.4           --> 0/0
                                            128.0.1.16          --> 0/0
lo0.32768               up    up
lsi                     up    up
mtun                    up    up
pimd                    up    up
pime                    up    up
pp0                     up    up
ppd0                    up    up
ppe0                    up    up
st0                     up    up
tap                     up    up
vlan                    up    down

root>

fxp0 인터페이스에 IP주소를 DHCP 통해서 할당 받겠습니다.

간단하게 제 테스트랩을 설명하겠습니다

1. 제 노트북에서 Global Protect(VPN agent)로 팔로알토에 접속합니다.

2. EVE-NG는 VMware ESXi안에 설치되어 있스비다.

3. 팔로알토가 DHCP기능을 수행합니다.

그래서 fxp0 인터페이스는 자동으로 팔로알토로부터 IP를 받을 수 있습니다.

아니면 수동으로 설정하셔도 됩니다.

root# set interfaces fxp0 unit 0 family inet dhcp

[edit]
root# commit
commit complete

그리고 Interface에 IP주소를 확인합니다.

root> show interfaces terse
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
gr-0/0/0                up    up
ip-0/0/0                up    up
lsq-0/0/0               up    up
lt-0/0/0                up    up
mt-0/0/0                up    up
sp-0/0/0                up    up
sp-0/0/0.0              up    up   inet
                                   inet6
sp-0/0/0.16383          up    up   inet
ge-0/0/1                up    up
ge-0/0/2                up    up
dsc                     up    up
fti0                    up    up
fxp0                    up    up
fxp0.0                  up    up   inet     192.168.10.104/24
gre                     up    up
ipip                    up    up
irb                     up    up
lo0                     up    up
lo0.16384               up    up   inet     127.0.0.1           --> 0/0
lo0.16385               up    up   inet     10.0.0.1            --> 0/0

제 PC에서 SRX fxp0 192.168.10.104 ping 테스트입니다.

핑이 성공합니다.

C:\Users\admin>ping 192.168.10.104

Pinging 192.168.10.104 with 32 bytes of data:
Reply from 192.168.10.104: bytes=32 time=4ms TTL=63
Reply from 192.168.10.104: bytes=32 time=5ms TTL=63
Reply from 192.168.10.104: bytes=32 time=7ms TTL=63
Reply from 192.168.10.104: bytes=32 time=14ms TTL=63

Ping statistics for 192.168.10.104:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 4ms, Maximum = 14ms, Average = 7ms

C:\Users\admin>

fxp0를 수동으로 IP주소를 설정하기.

set interfaces fxp0 unit 0 family inet address 192.168.10.104/24
set routing-options static route 0.0.0.0/0 next-hop 192.168.10.253

PC에서 PIng테스트

C:\Users\admin>ping 192.168.10.104

Pinging 192.168.10.104 with 32 bytes of data:
Reply from 192.168.10.104: bytes=32 time=5ms TTL=63
Reply from 192.168.10.104: bytes=32 time=6ms TTL=63
Reply from 192.168.10.104: bytes=32 time=6ms TTL=63
Reply from 192.168.10.104: bytes=32 time=13ms TTL=63

Ping statistics for 192.168.10.104:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 5ms, Maximum = 13ms, Average = 7ms

어떤 Interface가 어떤 Zone에 할당되었는지 확인하는 명령어입니다.

show interfaces zone terse

root> show interfaces zone terse
Interface               Admin Link Proto    Local                 Remote                Zone
ge-0/0/0.0              up    up   inet     10.1.1.1/24
Null
sp-0/0/0.0              up    up   inet
                                   inet6                                                Null
sp-0/0/0.16383          up    up   inet                                                 Null
fxp0.0                  up    up   inet     192.168.10.104/24
                                                                                        Null
lo0.16384               up    up   inet     127.0.0.1           --> 0/0
                                                                                        Null
lo0.16385               up    up   inet     10.0.0.1            --> 0/0
                                            10.0.0.16           --> 0/0
                                            128.0.0.1           --> 0/0
                                            128.0.0.4           --> 0/0
                                            128.0.1.16          --> 0/0
                                                                                        Null
lo0.32768               up    up                                                        Null

fxp0는 기본적으로 null zone에 할당되어 있습니다.

일반적은 data용 interface를 MGMT interface로 사용할 때 사용 됩니다.

테스트를 위해서 ge-0/0/0를 MGMT interface로 만들어 보겠습니다.

root# set interfaces ge-0/0/0 unit 0 family inet address 10.1.1.1/24

[edit]
root# set security zones functional-zone management interfaces ge-0/0/0

[edit]
root# commit
commit complete

root> show security zones terse
Zone                        Type
management                  Functional
junos-host                  Security

root>

Zone를 확인하고 Interface 할당된 Zone도 확인합니다.

root> show security zones terse
Zone                        Type
management                  Functional
junos-host                  Security

root>

root> show interfaces zone terse
Interface               Admin Link Proto    Local                 Remote                Zone
ge-0/0/0.0              up    up   inet     10.1.1.1/24
                                                                                        Management
sp-0/0/0.0              up    up   inet
                                   inet6                                                Null
sp-0/0/0.16383          up    up   inet                                                 Null
fxp0.0                  up    up   inet     192.168.10.104/24
                                                                                        Null
lo0.16384               up    up   inet     127.0.0.1           --> 0/0
                                                                                        Null
lo0.16385               up    up   inet     10.0.0.1            --> 0/0
                                            10.0.0.16           --> 0/0
                                            128.0.0.1           --> 0/0
                                            128.0.0.4           --> 0/0
                                            128.0.1.16          --> 0/0
                                                                                        Null
lo0.32768               up    up                                                        Null

root>

테스트를 위해서 기존에 Ge-0/0/0 zone를 삭제합니다.

delete security zones functional-zone management interfaces ge-0/0/0.0
commit

root> show interfaces zone terse
Interface               Admin Link Proto    Local                 Remote                Zone
ge-0/0/0.0              up    up   inet     10.1.1.1/24
                                                                                        Null
sp-0/0/0.0              up    up   inet
                                   inet6                                                Null
sp-0/0/0.16383          up    up   inet                                                 Null
fxp0.0                  up    up   inet     192.168.10.104/24
                                                                                        Null
lo0.16384               up    up   inet     127.0.0.1           --> 0/0
                                                                                        Null
lo0.16385               up    up   inet     10.0.0.1            --> 0/0
                                            10.0.0.16           --> 0/0
                                            128.0.0.1           --> 0/0
                                            128.0.0.4           --> 0/0
                                            128.0.1.16          --> 0/0
                                                                                        Null
lo0.32768               up    up                                                        Null

root>

2

2. Security zone - to control traffic between different security zone

테스트를 위해서 IP를 설정합니다.

set interfaces ge-0/0/0 unit 0 family inet address 10.1.1.1/24
set interfaces ge-0/0/1 unit 0 family inet address 172.16.1.1/24
set interfaces ge-0/0/2 unit 0 family inet address 192.168.1.1/24

commit

인터페이스를 확인합니다.

root> show interfaces terse
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
ge-0/0/0.0              up    up   inet     10.1.1.1/24
gr-0/0/0                up    up
ip-0/0/0                up    up
lsq-0/0/0               up    up
lt-0/0/0                up    up
mt-0/0/0                up    up
sp-0/0/0                up    up
sp-0/0/0.0              up    up   inet
                                   inet6
sp-0/0/0.16383          up    up   inet
ge-0/0/1                up    up
ge-0/0/1.0              up    up   inet     172.16.1.1/24
ge-0/0/2                up    up
ge-0/0/2.0              up    up   inet     192.168.1.1/24
dsc                     up    up
fti0                    up    up
fxp0                    up    up
fxp0.0                  up    up   inet     192.168.10.104/24
gre                     up    up
ipip                    up    up
irb                     up    up
lo0                     up    up
lo0.16384               up    up   inet     127.0.0.1           --> 0/0
lo0.16385               up    up   inet     10.0.0.1            --> 0/0
                                            10.0.0.16           --> 0/0
                                            128.0.0.1           --> 0/0
                                            128.0.0.4           --> 0/0
                                            128.0.1.16          --> 0/0
lo0.32768               up    up
lsi                     up    up
mtun                    up    up
pimd                    up    up
pime                    up    up
pp0                     up    up
ppd0                    up    up
ppe0                    up    up
st0                     up    up
tap                     up    up
vlan                    up    down

root>

Zone를 생성합니다.

set security zones security-zone trust
set security zones security-zone untrust
set security zones security-zone dmz

commit

Zone를 생성을 확인합니다.

root> show security zones terse
Zone                        Type
management                  Functional
dmz                         Security
trust                       Security
untrust                     Security
junos-host                  Security

root>

Interface를 Zone에 할당합니다.

set security zones security-zone trust interfaces ge-0/0/2.0
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone dmz interfaces ge-0/0/1.0

commit

Zone에 할당된 interface를 확인합니다.

root> show interfaces zone terse | match ge-
ge-0/0/0.0              up    up   inet     10.1.1.1/24
ge-0/0/1.0              up    up   inet     172.16.1.1/24
ge-0/0/2.0              up    up   inet     192.168.1.1/24

root>

Ping 테스트를 위해서 각 Zone에 PING를 허용합니다.

set security zones security-zone trust host-inbound-traffic system-services ping
set security zones security-zone untrust host-inbound-traffic system-services ping
set security zones security-zone dmz host-inbound-traffic system-services ping

SW1 gi0/0 IP를 설정하고 SRX ge-0/0/0 10.1.1.1로 PIng를 시도합니다.

Switch(config)#int g0/0
Switch(config-if)#no sw
Switch(config-if)#ip add 10.1.1.2 255.255.255.0
Switch(config-if)#no sh

Switch(config-if)#end
Switch# ping 10.1.1.1
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/146/579 ms
Switch#

SW2 gi0/0 IP를 설정하고 SRX ge-0/0/0 172.16.1.1로 PIng를 시도합니다.

Switch(config)#int g0/0
Switch(config-if)#no sw
Switch(config-if)#ip add 172.16.1.2 255.255.255.0
Switch(config-if)#no sh
Switch(config-if)#end
Switch#
Switch#ping 172.16.1.1
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 2/3/4 ms
Switch#

SW3 gi0/0 IP를 설정하고 SRX ge-0/0/0 192.168.1.1로 PIng를 시도합니다.

Switch#conf t
Switch(config)#int g0/0
Switch(config-if)#no sw
Switch(config-if)#ip add 192.168.1.2 255.255.255.0
Switch(config-if)#no sh
Switch(config-if)#end
Switch#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:

*Jun 20 08:56:02.421: %SYS-5-CONFIG_I: Configured from console by console
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/2 ms
Switch#

서로 다른 Zone끼리 방화벽 정책이 없기 때문에 서로 간에 통신은 불가능합니다.

지금까지 [2024][Juniper SRX #8] Zone configuration 글을 읽어주셔서 감사합니다.

다음 강좌를 address-book에 대해서 알아보도록 하겠습니다.

감사합니다.

저작자표시 (새창열림)

'JUNIPER > SRX 방화벽' 카테고리의 다른 글

[2024][Juniper SRX #10] Administrator access restriction settings for MGMT (0)	2024.07.22
[2024][Juniper SRX #9] SSH, Telnet and web-management 설정하기 (0)	2024.07.21
[2024][Juniper SRX #7] host-inbound-traffic (0)	2024.07.19
[2024][Juniper SRX #6] Interface 설정 - RVI - Trunk mode (1)	2024.07.17
[2024][Juniper SRX #5] Interface 설정 - RVI - access mode (1)	2024.07.16

안녕하세요.

오늘은 [2024][Juniper SRX #7] host-inbound-traffic입니다.

주니퍼 SRX장비는 방화벽(보안) 장비이기 때문에, SRX에 interface가 목적지인 경우에는 기본적으로 패킷이 차단됩니다.

방법은 2가지입니다.

1. zone에서 host-inbound-traffic를 허용하는 방법 - Zone안에 있는 Interface에 일괄적으로 적용

2. Interface별로 host-inbound-trafic를 허용하는 방법 - Interface별로 개별 적용.

root# ...rity-zone trust host-inbound-traffic ?
Possible completions:
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
> protocols            Protocol type of incoming traffic to accept
> system-services      Type of incoming system-service traffic to accept

Protocols를 선택하면 아래와 같습니다.

root# ...rity-zone trust host-inbound-traffic protocols ?
Possible completions:
  all                  All protocols
  bfd                  Bidirectional Forwarding Detection
  bgp                  Border Gateway Protocol
  dvmrp                Distance Vector Multicast Routing Protocol
  igmp                 Internet Group Management Protocol
  ldp                  Label Distribution Protocol
  msdp                 Multicast Source Discovery Protocol
  nhrp                 Next Hop Resolution Protocol
  ospf                 Open Shortest Path First
  ospf3                Open Shortest Path First version 3
  pgm                  Pragmatic General Multicast
  pim                  Protocol Independent Multicast
  rip                  Routing Information Protocol
  ripng                Routing Information Protocol next generation
  router-discovery     Router Discovery
  rsvp                 Resource Reservation Protocol
  sap                  Session Announcement Protocol
  vrrp                 Virtual Router Redundancy Protocol
[edit]

System-services를 선택하면 아래와 같습니다.

root# ...rity-zone trust host-inbound-traffic system-services ?
Possible completions:
  all                  All system services
  any-service          Enable services on entire port range
  appqoe               APPQOE active probe service
  bootp                Bootp and dhcp relay-agent service
  dhcp                 Dynamic Host Configuration Protocol
  dhcpv6               Enable Dynamic Host Configuration Protocol for IPv6
  dns                  DNS service
  finger               Finger service
  ftp                  FTP
  high-availability    High Availability service
  http                 Web management service using HTTP
  https                Web management service using HTTP secured by SSL
  ident-reset          Send back TCP RST to IDENT request for port 113
  ike                  Internet Key Exchange
  lsping               Label Switched Path ping service
  netconf              NETCONF service
  ntp                  Network Time Protocol service
  ping                 Internet Control Message Protocol echo requests
  r2cp                 Enable Radio-Router Control Protocol service
  reverse-ssh          Reverse SSH service
  reverse-telnet       Reverse telnet service
  rlogin               Rlogin service
  rpm                  Real-time performance monitoring
  rsh                  Rsh service
  snmp                 Simple Network Management Protocol service
  snmp-trap            Simple Network Management Protocol traps
  ssh                  SSH service
  tcp-encap            Tcp encapsulation service
  telnet               Telnet service
  tftp                 TFTP
  traceroute           Traceroute service
  webapi-clear-text    Webapi service using http
  webapi-ssl           Webapi service using HTTP secured by SSL
  xnm-clear-text       JUNOScript API for unencrypted traffic over TCP
  xnm-ssl              JUNOScript API service over SSL
[edit]

테스트를 해보겠습니다.

토폴로지 아래와 같습니다.

Juniper

1. Ge-0/0/0 - 10.1.1.1/24

2. Zone Trust 생성

3. Ge-0/0/0를 Zone Trust 할당

4. OSPF 설정

Cisco

1. g0/0 - 10.1.1.2/24 설정

2. lo0 - 192.168.1.1/24 설정

3. OSPF 설정

테스트

1. Juniper랑 Cisco랑 OSPF 네이버 확인

2. Juniper라우팅 테이블에 192.168.1.0/24 확인

2. Cisco에서 Juniper Interface ge-0/0/0 10.1.1.1로 PIng 시도

위에 테스트를 하기 위해서는 주니퍼에 host-inbound-traffic 기능이 필요합니다.

Juniper Side

1. 설정값을 초기화합니다.

root# delete
This will delete the entire configuration
Delete everything under this level? [yes,no] (no) yes

[edit]
root# set system root-authentication plain-text-password
New password:
Retype new password:

[edit]
root# commit

2. Juniper Ge-0/0/0에 10.1.1.1/24 IP 할

root# set interfaces ge-0/0/0 unit 0 family inet address 10.1.1.1/24

3. Zone Trust 생성

[edit]
root# set security zones security-zone Trust

[edit]
root# set security zones security-zone Trust interfaces ge-0/0/0

4. Ospf 설정

root# set routing-options router-id 10.1.1.1
root# set protocols ospf area 0.0.0.0 interface ge-0/0/0

Cisco Side

1. Interface에 IP 할당하기

Switch>enable
Switch#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#interface gigabitEthernet 0/0
Switch(config-if)#no sw
Switch(config-if)#no switchport
Switch(config-if)#ip address 10.1.1.2 255.255.255.0
Switch(config-if)#no shutdown

Switch(config)#interface loopback 1
Switch(config-if)#ip address 192.168.1.1 255.255.255.0
Switch(config-if)#ip ospf network point-to-point

2. OSPF 설정

Switch(config)#router ospf 1
Switch(config-router)#router-id 10.1.1.2
Switch(config-router)#network 0.0.0.0 0.0.0.0 area 0

테스트

Cisco에서 Juniper Ge-0/0/0 10.1.1.1로 PIng 테스

Switch#ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Switch#

Cisco랑 Juniper Interface 상태 확인

Switch#show ip int brie
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0     10.1.1.2        YES manual up                    up
GigabitEthernet0/1     unassigned      YES unset  up                    up
GigabitEthernet0/2     unassigned      YES unset  up                    up
GigabitEthernet0/3     unassigned      YES unset  up                    up
GigabitEthernet1/0     unassigned      YES unset  up                    up
GigabitEthernet1/1     unassigned      YES unset  up                    up
GigabitEthernet1/2     unassigned      YES unset  up                    up
GigabitEthernet1/3     unassigned      YES unset  up                    up
Loopback0              unassigned      YES unset  up                    up
Loopback1              192.168.1.1     YES manual up                    up
Switch#

root> show interfaces terse
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
ge-0/0/0.0              up    up   inet     10.1.1.1/24
gr-0/0/0                up    up
ip-0/0/0                up    up
lsq-0/0/0               up    up
lt-0/0/0                up    up
mt-0/0/0                up    up
sp-0/0/0                up    up
sp-0/0/0.0              up    up   inet
                                   inet6
sp-0/0/0.16383          up    up   inet
ge-0/0/1                up    up
ge-0/0/2                up    up
dsc                     up    up
fti0                    up    up
fxp0                    up    up
gre                     up    up
ipip                    up    up
irb                     up    up
lo0                     up    up
lo0.16384               up    up   inet     127.0.0.1           --> 0/0
lo0.16385               up    up   inet     10.0.0.1            --> 0/0
                                            10.0.0.16           --> 0/0
                                            128.0.0.1           --> 0/0
                                            128.0.0.4           --> 0/0
                                            128.0.1.16          --> 0/0
lo0.32768               up    up
lsi                     up    up
mtun                    up    up
pimd                    up    up
pime                    up    up
pp0                     up    up
ppd0                    up    up
ppe0                    up    up
st0                     up    up
tap                     up    up
vlan                    up    down

root>

Interface상태가 모두 다 up인데도 Ping 실패

Juniper Side

Zone에서 ping를 허용하는 host-inbound-traffic system-service 커맨드를 사용하여 허용하겠습니다.

root# set security zones security-zone Trust host-inbound-traffic system-services ping

[edit]
root# commit

Cisco에서 다시 Ping 테스트 시도 합니다

Switch#ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/20/94 ms
Switch#

이번에는 Cisco에서 ospf 네이버를 확인하겠습니다. 네이버가 Full 상태가 아니라 INIT상태입니다.

Cisco랑 Juniper 사이에 네이버가 생성되지 않습니다.

Switch#show ip ospf neighbor

Neighbor ID Pri State Dead Time Address Interface
10.1.1.1 128 INIT/DROTHER 00:00:38 10.1.1.1 GigabitEthernet0/0
Switch#

Juniper Side

Zone에서 host-inbound-traffic protocol 커맨드를 사용하여 ospf를 허용하겠습니다.

root# set security zones security-zone Trust host-inbound-traffic protocols ospf

[edit]
root# commit
commit complete

Cisco에서 네이버를 확인해 보겠습니다.

아래처럼 네이버가 생성되었습니다.

Switch#show ip ospf neighbor

Neighbor ID Pri State Dead Time Address Interface
10.1.1.1 128 INIT/DROTHER 00:00:38 10.1.1.1 GigabitEthernet0/0

Juniper에서 네이버를 확인합니다. 그리고 라우팅 테이블에 192.168.1.0/24를 Cisco에서 받아 왔는지 확인합니다.

root> show ospf neighbor
Address          Interface              State           ID               Pri  Dead
10.1.1.2         ge-0/0/0.0             Full            10.1.1.2           1    33

root> show route

inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

10.1.1.0/24        *[Direct/0] 00:16:43
                    >  via ge-0/0/0.0
10.1.1.1/32        *[Local/0] 00:16:43
                       Local via ge-0/0/0.0
192.168.1.0/24     *[OSPF/10] 00:00:29, metric 2
                    >  to 10.1.1.2 via ge-0/0/0.0
224.0.0.5/32       *[OSPF/10] 00:07:06, metric 1
                       MultiRecv

inet6.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

ff02::2/128        *[INET6/0] 00:44:15
                       MultiRecv

root>

아래처럼 Zone에서 host-inbound-traffic 사용하여 해결합니다.

set security zones security-zone Trust host-inbound-traffic system-services ping
set security zones security-zone Trust host-inbound-traffic protocols ospf

이번에는 Zone에 Interface ge-0/0/0에 host-inbound-traffic 사용하여 해결해 보겠습니다.

Juniper Side

Zone에 설정된 host-inbound-traffic를 삭제합니다.

root#security zones security-zone Trust host-inbound-traffic system-services ping
root#security zones security-zone Trust host-inbound-traffic protocols ospf
root# commit
commit complete

Zone에 Interface ge-0/0/0에 host-inbound-traffic 설정

root#set security zones security-zone Trust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
root#set security zones security-zone Trust interfaces ge-0/0/0.0 host-inbound-traffic protocols ospf
root#commit

Cisco에서 Ping이랑 OSPF 테스트

Switch#ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/2 ms

Switch#show ip ospf neighbor

Neighbor ID Pri State Dead Time Address Interface
10.1.1.1 128 FULL/DR 00:00:33 10.1.1.1 GigabitEthernet0/0
Switch#

Juniper에서 ospf네이버랑 라우팅 테이블 확인

root> show ospf neighbor
Address          Interface              State           ID               Pri  Dead
10.1.1.2         ge-0/0/0.0             Full            10.1.1.2           1    36

root> show route

inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

10.1.1.0/24        *[Direct/0] 00:22:05
                    >  via ge-0/0/0.0
10.1.1.1/32        *[Local/0] 00:22:05
                       Local via ge-0/0/0.0
192.168.1.0/24     *[OSPF/10] 00:05:51, metric 2
                    >  to 10.1.1.2 via ge-0/0/0.0
224.0.0.5/32       *[OSPF/10] 00:12:28, metric 1
                       MultiRecv

inet6.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

ff02::2/128        *[INET6/0] 00:49:37
                       MultiRecv

root>

모두 다 정상적으로 동작합니다.

지금까지 [2024][Juniper SRX #7] host-inbound-traffic 글을 읽어 주셔서 감사합니다.

저작자표시 (새창열림)

'JUNIPER > SRX 방화벽' 카테고리의 다른 글

[2024][Juniper SRX #9] SSH, Telnet and web-management 설정하기 (0)	2024.07.21
[2024][Juniper SRX #8] Zone configuration (2)	2024.07.20
[2024][Juniper SRX #6] Interface 설정 - RVI - Trunk mode (1)	2024.07.17
[2024][Juniper SRX #5] Interface 설정 - RVI - access mode (1)	2024.07.16
[2024][Juniper SRX #4] Interface 설정 - Layer3 Logical Interface (0)	2024.07.15

안녕하세요.

오늘은 [2024][EVE-NG #17] Upgrade EVE-NG version입니다.

1. 공식 홈페이지입니다.

https://www.eve-ng.net/index.php/how-to-upgrade-eve-community-to-the-newest-version/

How to upgrade EVE Community to the newest version -

How to update EVE CE Community Edition to the newest version Steps how to update your EVE-NG Community to the newest version Internet and DNS resolve the name is a must for your EVE before …

www.eve-ng.net

현재 EVE-NG community 최신 version은 6.2.0-3입니다.

2. 현재 사용 중인 EVE-NG Community version 확인하기

root@eve-ng:~# dpkg -l eve-ng
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-==============-============-============-==============================================
ii eve-ng 6.2.0-2 amd64 A new generation software for networking labs.
root@eve-ng:~#

3. Update/Upgrade steps

3-1 필요 없는 Package를 삭제합니다.

root@eve-ng:~# apt autoremove
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
root@eve-ng:~#

3-2 Disk 용량을 확인합니다.

root@eve-ng:~# df -h
Filesystem                         Size  Used Avail Use% Mounted on
tmpfs                               13G  1.5M   13G   1% /run
/dev/mapper/ubuntu--vg-ubuntu--lv  244G   15G  218G   7% /
tmpfs                               63G     0   63G   0% /dev/shm
tmpfs                              5.0M     0  5.0M   0% /run/lock
tmpfs                               63G     0   63G   0% /run/qemu
/dev/sda2                          2.0G  286M  1.6G  16% /boot
tmpfs                               13G  4.0K   13G   1% /run/user/0
root@eve-ng:~#

3-3 인터넷 통신이 되는지 확인합니다.

root@eve-ng:~# ping google.com
PING google.com (74.125.130.101) 56(84) bytes of data.
64 bytes from sb-in-f101.1e100.net (74.125.130.101): icmp_seq=1 ttl=57 time=2.01 ms
64 bytes from sb-in-f101.1e100.net (74.125.130.101): icmp_seq=2 ttl=57 time=2.10 ms
64 bytes from sb-in-f101.1e100.net (74.125.130.101): icmp_seq=3 ttl=57 time=2.06 ms
64 bytes from sb-in-f101.1e100.net (74.125.130.101): icmp_seq=4 ttl=57 time=2.16 ms
64 bytes from sb-in-f101.1e100.net (74.125.130.101): icmp_seq=5 ttl=57 time=2.33 ms
64 bytes from sb-in-f101.1e100.net (74.125.130.101): icmp_seq=6 ttl=57 time=2.17 ms
^C
--- google.com ping statistics ---
6 packets transmitted, 6 received, 0% packet loss, time 5009ms
rtt min/avg/max/mdev = 2.005/2.138/2.334/0.104 ms
root@eve-ng:~#

3-4 업데이트 항목을 확인하고 다운로드합니다.

root@eve-ng:~# apt update
Get:1 http://security.ubuntu.com/ubuntu jammy-security InRelease [129 kB]
Get:2 http://archive.ubuntu.com/ubuntu jammy InRelease [270 kB]
Get:3 http://www.eve-ng.net/jammy jammy InRelease [1,456 B]
Get:4 http://www.eve-ng.net/jammy jammy/main amd64 Packages [10.9 kB]
Get:5 http://security.ubuntu.com/ubuntu jammy-security/main amd64 Packages [1,525 kB]
Get:6 http://archive.ubuntu.com/ubuntu jammy-updates InRelease [128 kB]
Get:7 http://security.ubuntu.com/ubuntu jammy-security/main Translation-en [261 kB]
Get:8 http://security.ubuntu.com/ubuntu jammy-security/main amd64 c-n-f Metadata [11.4 kB]
Get:9 http://security.ubuntu.com/ubuntu jammy-security/restricted amd64 Packages [1,937 kB]
Get:10 http://security.ubuntu.com/ubuntu jammy-security/restricted Translation-en [330 kB]
Get:11 http://security.ubuntu.com/ubuntu jammy-security/restricted amd64 c-n-f Metadata [520 B]
Get:12 http://security.ubuntu.com/ubuntu jammy-security/universe amd64 Packages [859 kB]
Get:13 http://archive.ubuntu.com/ubuntu jammy-backports InRelease [127 kB]
Get:14 http://security.ubuntu.com/ubuntu jammy-security/universe Translation-en [166 kB]
Get:15 http://security.ubuntu.com/ubuntu jammy-security/universe amd64 c-n-f Metadata [16.8 kB]
Get:16 http://security.ubuntu.com/ubuntu jammy-security/multiverse amd64 Packages [37.2 kB]
Get:17 http://security.ubuntu.com/ubuntu jammy-security/multiverse Translation-en [7,588 B]
Get:18 http://security.ubuntu.com/ubuntu jammy-security/multiverse amd64 c-n-f Metadata [260 B]
Get:19 http://archive.ubuntu.com/ubuntu jammy/main amd64 Packages [1,395 kB]
Get:20 http://archive.ubuntu.com/ubuntu jammy/main Translation-en [510 kB]
Get:21 http://archive.ubuntu.com/ubuntu jammy/main amd64 c-n-f Metadata [30.3 kB]
Get:22 http://archive.ubuntu.com/ubuntu jammy/restricted amd64 Packages [129 kB]
Get:23 http://archive.ubuntu.com/ubuntu jammy/restricted Translation-en [18.6 kB]
Get:24 http://archive.ubuntu.com/ubuntu jammy/restricted amd64 c-n-f Metadata [488 B]
Get:25 http://archive.ubuntu.com/ubuntu jammy/universe amd64 Packages [14.1 MB]
Get:26 http://archive.ubuntu.com/ubuntu jammy/universe Translation-en [5,652 kB]
Get:27 http://archive.ubuntu.com/ubuntu jammy/universe amd64 c-n-f Metadata [286 kB]
Get:28 http://archive.ubuntu.com/ubuntu jammy/multiverse amd64 Packages [217 kB]
Get:29 http://archive.ubuntu.com/ubuntu jammy/multiverse Translation-en [112 kB]
Get:30 http://archive.ubuntu.com/ubuntu jammy/multiverse amd64 c-n-f Metadata [8,372 B]
Get:31 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages [1,734 kB]
Get:32 http://archive.ubuntu.com/ubuntu jammy-updates/main Translation-en [319 kB]
Get:33 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 c-n-f Metadata [16.1 kB]
Get:34 http://archive.ubuntu.com/ubuntu jammy-updates/restricted amd64 Packages [1,993 kB]
Get:35 http://archive.ubuntu.com/ubuntu jammy-updates/restricted Translation-en [339 kB]
Get:36 http://archive.ubuntu.com/ubuntu jammy-updates/restricted amd64 c-n-f Metadata [520 B]
Get:37 http://archive.ubuntu.com/ubuntu jammy-updates/universe amd64 Packages [1,087 kB]
Get:38 http://archive.ubuntu.com/ubuntu jammy-updates/universe Translation-en [251 kB]
Get:39 http://archive.ubuntu.com/ubuntu jammy-updates/universe amd64 c-n-f Metadata [22.1 kB]
Get:40 http://archive.ubuntu.com/ubuntu jammy-updates/multiverse amd64 Packages [43.2 kB]
Get:41 http://archive.ubuntu.com/ubuntu jammy-updates/multiverse Translation-en [10.8 kB]
Get:42 http://archive.ubuntu.com/ubuntu jammy-updates/multiverse amd64 c-n-f Metadata [472 B]
Get:43 http://archive.ubuntu.com/ubuntu jammy-backports/main amd64 Packages [67.1 kB]
Get:44 http://archive.ubuntu.com/ubuntu jammy-backports/main Translation-en [11.0 kB]
Get:45 http://archive.ubuntu.com/ubuntu jammy-backports/main amd64 c-n-f Metadata [388 B]
Get:46 http://archive.ubuntu.com/ubuntu jammy-backports/restricted amd64 c-n-f Metadata [116 B]
Get:47 http://archive.ubuntu.com/ubuntu jammy-backports/universe amd64 Packages [27.2 kB]
Get:48 http://archive.ubuntu.com/ubuntu jammy-backports/universe Translation-en [16.3 kB]
Get:49 http://archive.ubuntu.com/ubuntu jammy-backports/universe amd64 c-n-f Metadata [644 B]
Get:50 http://archive.ubuntu.com/ubuntu jammy-backports/multiverse amd64 c-n-f Metadata [116 B]
Fetched 34.2 MB in 31s (1,094 kB/s)
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
118 packages can be upgraded. Run 'apt list --upgradable' to see them.
root@eve-ng:~#

3-5 업그레이드를 시작합니다.

Do you want to contunue? [Y/n] Y를 선택합니다.

root@eve-ng:~# apt upgrade
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Calculating upgrade... Done
Get more security updates through Ubuntu Pro with 'esm-apps' enabled:
  libavcodec58 libmagickwand-6.q16-6 libavutil56 libswscale5
  libmagickcore-6.q16-6 libswresample3 imagemagick-6-common libavformat58
  libde265-0
Learn more about Ubuntu Pro at https://ubuntu.com/pro
The following NEW packages will be installed:
  linux-headers-5.15.0-112 linux-headers-5.15.0-112-generic linux-image-5.15.0-112-generic
  linux-modules-5.15.0-112-generic linux-modules-extra-5.15.0-112-generic ubuntu-pro-client
The following packages have been kept back:
  python3-update-manager update-manager-core
The following packages will be upgraded:
  apt apt-utils bash bind9-dnsutils bind9-host bind9-libs binutils binutils-common binutils-x86-64-linux-gnu
  bsdextrautils bsdutils cloud-init coreutils cpio curl distro-info-data dpkg eject ethtool eve-ng fdisk
  firmware-sof-signed ghostscript git git-man intel-microcode klibc-utils landscape-common less libapt-pkg6.0
  libarchive13 libbinutils libblkid1 libc-bin libctf-nobfd0 libctf0 libcurl3-gnutls libcurl4 libexpat1 libfdisk1
  libgdk-pixbuf-2.0-0 libgdk-pixbuf2.0-bin libgdk-pixbuf2.0-common libgif7 libglib2.0-0 libglib2.0-bin
  libglib2.0-data libgnutls30 libgpgme11 libgs9 libgs9-common libklibc libldap-2.5-0 libldap-common libmount1
  libnghttp2-14 libnspr4 libnss3 libsmartcols1 libssl3 libtiff5 libtss2-esys-3.0.2-0 libtss2-mu0 libtss2-sys1
  libtss2-tcti-cmd0 libtss2-tcti-device0 libtss2-tcti-mssim0 libtss2-tcti-swtpm0 libuuid1 libuv1 libvpx7
  libvte-2.91-0 libvte-2.91-common libxml2 linux-firmware linux-generic linux-headers-generic linux-image-generic
  linux-libc-dev locales mount mysql-client-8.0 mysql-client-core-8.0 mysql-server mysql-server-8.0
  mysql-server-core-8.0 openjdk-11-jdk openjdk-11-jdk-headless openjdk-11-jre openjdk-11-jre-headless openssh-client
  openssh-server openssh-sftp-server openssl python3-cryptography python3-idna python3-jinja2 qemu-block-extra
  qemu-system-common qemu-system-data qemu-system-gui qemu-system-x86 qemu-utils snapd tcpdump tzdata
  ubuntu-advantage-tools ubuntu-pro-client-l10n update-notifier-common util-linux uuid-runtime vim vim-common
  vim-runtime vim-tiny xxd
116 upgraded, 6 newly installed, 0 to remove and 2 not upgraded.
86 standard LTS security updates
Need to get 648 MB of archives.
After this operation, 589 MB of additional disk space will be used.
Do you want to continue? [Y/n]

Y를 선택하면 업그레이드를 진행합니다

Get:1 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 bash amd64 5.1-6ubuntu1.1 [769 kB]
Get:2 http://www.eve-ng.net/jammy jammy/main amd64 eve-ng amd64 6.2.0-3 [26.3 MB]
Get:3 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 bsdutils amd64 1:2.37.2-4ubuntu3.4 [80.9 kB]
Get:4 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 coreutils amd64 8.32-4.1ubuntu1.2 [1,437 kB]
Get:5 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 libapt-pkg6.0 amd64 2.4.12 [912 kB]
Get:6 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 dpkg amd64 1.21.1ubuntu2.3 [1,239 kB]
Get:7 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 util-linux amd64 2.37.2-4ubuntu3.4 [1,063 kB]
Get:8 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 libc-bin amd64 2.35-0ubuntu3.8 [706 kB]
Get:9 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 apt amd64 2.4.12 [1,363 kB]
Get:10 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 apt-utils amd64 2.4.12 [211 kB]
Get:11 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 libgnutls30 amd64 3.7.3-4ubuntu1.5 [966 kB]
Get:12 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 mount amd64 2.37.2-4ubuntu3.4 [114 kB]
Get:13 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 libsmartcols1 amd64 2.37.2-4ubuntu3.4 [50.9 kB]
Get:14 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 libuuid1 amd64 2.37.2-4ubuntu3.4 [23.8 kB]
Get:15 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 uuid-runtime amd64 2.37.2-4ubuntu3.4 [32.0 kB]
Get:16 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 libssl3 amd64 3.0.2-0ubuntu1.15 [1,905 kB]
Get:17 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 tcpdump amd64 4.99.1-3ubuntu0.2 [501 kB]
Get:18 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 mysql-client-core-8.0 amd64 8.0.37-0ubuntu0.22.04.3 [2,762 kB]
Get:19 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 mysql-client-8.0 amd64 8.0.37-0ubuntu0.22.04.3 [22.7 kB]
Get:20 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 mysql-server-8.0 amd64 8.0.37-0ubuntu0.22.04.3 [1,438 kB]
Get:21 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 mysql-server-core-8.0 amd64 8.0.37-0ubuntu0.22.04.3 [17.6 MB]
5% [21 mysql-server-core-8.0 2,495 kB/17.6 MB 14%] [2 eve-ng 133 kB/26.3 MB 1%]

설치가 완료되면, Ok버튼을 클릭합니다.

3-6. EVE-NG Community를 재시작합니다.

부팅이 완료될 때까지 기다립니다.

root@eve-ng:~# reboot

3-7 장비에 접속해서 버전을 확인합니다.

root@eve-ng:~# dpkg -l eve-ng
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-==============-============-============-==============================================
ii eve-ng 6.2.0-3 amd64 A new generation software for networking labs.
root@eve-ng:~#

버전이 6.2.0-2에서 6.2.0-3으로 업그레이드되었습니다.

3-8 EVE-NG 잘 접속되는지 확인합니다.

지금까지 [2024][EVE-NG #17] Upgrade EVE-NG version 글을 읽어주셔서 감사합니다.

저작자표시 (새창열림)

'EVE-NG' 카테고리의 다른 글

[2024][EVE-NG #18] Virtual PC(VPCS) (0)	2024.11.06
[2024][EVE-NG #18] EVE-NG에 C9800CL Install (2)	2024.10.07
[2024][EVE-NG #16] Juniper QFX 스위치 설치하기 (0)	2024.07.12
[2024][EVE-NG #15] Juniper MX 라우터 설치하기 (0)	2024.07.11
[2024][EVE-NG #14] Juniper SRX 방화벽 설치하기 (0)	2024.07.09

안녕하세요.

오늘은 [2024][Juniper SRX #6] Interface 설정 - RVI - Trunk mode - L2기반에서 동작하는 Layer3 Interface에 대해서 확인해 보겠습니다.

1. Layer3 Physical Interface - access mode

2. Layer3 Logical Interface - trunk mode

3. RVI IRB - access mode - L2기반에서 동작하는 Layer3 Interface

4. RVI IRB - trunk mode - L2기번에서 동작하는 Layer3 Interface

테스트를 위해서 아래처럼 Node 2개를 생성하고 케이블을 연결합니다

1. vSRX - ge-0/0/0

2. vIOS Switch - G0/0

1. Layer3 Physical Interface 테스트해 보겠습니다.

vSRX Side -

delete 디폴트 설정값을 지웁니다.

set system root-authentication plain-text-password : root 패스워드를 입력합니다.

commit : 설정값을 적용 및 저장합니다.

root@:~ # cli
root> configure
Entering configuration mode

[edit]
root# delete
This will delete the entire configuration
Delete everything under this level? [yes,no] (no) yes

[edit]
root# set system root-authentication plain-text-password
New password:
Retype new password:

[edit]
root# commit

commit complete

[edit]
root#

2. vSRX side

vlan을 생성합니다.

vlan name: VL10, VL20, V30

vlan-id: 10, 20, 30

그리고 vlan를 확인합니다.

root# set vlans VL10 vlan-id 10

[edit]
root# set vlans VL20 vlan-id 20

[edit]
root# set vlans VL30 vlan-id 30

[edit]
root# commit
commit complete

[edit]
root# exit
Exiting configuration mode

root> show vlans brief

Routing instance        VLAN name             Tag          Interfaces
default-switch          VL10                  10

default-switch          VL20                  20

default-switch          VL30                  30

default-switch          default               1


root>

Interface ge-0/0/0를 Trunk mode를 설정합니다.

그리고 VL10, VL20, VL30만 사용할 수 있도록 설정합니다.

root# set interfaces ge-0/0/0 unit 0 family ethernet-switching interface-mode trunk
root# set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members VL10 members VL20 members VL30

IRB를 설정합니다.

IRB10 - 10.1.1.1/24

IRB20 - 20.1.1.1/24

IRB30 - 30.1.1.1/24

root# set interfaces irb unit 10 family inet address 10.1.1.1/24

[edit]
root# set interfaces irb unit 20 family inet address 20.1.1.1/24

[edit]
root# set interfaces irb unit 30 family inet address 30.1.1.1/24

[edit]
root# commit
commit complete

[edit]
root#

IRB interface를 VLAN이랑 mapping를 합니다.

root# set vlans VL10 l3-interface irb.10

[edit]
root# set vlans VL20 l3-interface irb.20

[edit]
root# set vlans VL30 l3-interface irb.30

[edit]
root# commit
commit complete

[edit]

Interface 상태를 확인합니다.

root> show interfaces terse | no-more
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
ge-0/0/0.0              up    up   eth-switch
gr-0/0/0                up    up
ip-0/0/0                up    up
lsq-0/0/0               up    up
lt-0/0/0                up    up
mt-0/0/0                up    up
sp-0/0/0                up    up
sp-0/0/0.0              up    up   inet
                                   inet6
sp-0/0/0.16383          up    up   inet
ge-0/0/1                up    up
ge-0/0/2                up    up
dsc                     up    up
fti0                    up    up
fxp0                    up    up
gre                     up    up
ipip                    up    up
irb                     up    up
irb.10                  up    up   inet     10.1.1.1/24
irb.20                  up    up   inet     20.1.1.1/24
irb.30                  up    up   inet     30.1.1.1/24
lo0                     up    up
lo0.16384               up    up   inet     127.0.0.1           --> 0/0
lo0.16385               up    up   inet     10.0.0.1            --> 0/0
                                            10.0.0.16           --> 0/0
                                            128.0.0.1           --> 0/0
                                            128.0.0.4           --> 0/0
                                            128.0.1.16          --> 0/0
lo0.32768               up    up
lsi                     up    up
mtun                    up    up
pimd                    up    up
pime                    up    up
pp0                     up    up
ppd0                    up    up
ppe0                    up    up
st0                     up    up
tap                     up    up
vlan                    up    down
vtep                    up    up

Cisco Side

Vlan를 생성합니다.

Vlan 10

Vlan 20

vlan 30

그리고 VLAN를 확인합니다.

Switch(config)#vlan 10
Switch(config-vlan)#vlan 20
Switch(config-vlan)#vlan 30
Switch(config-vlan)#end
Switch#show vlan brie

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/1, Gi0/2, Gi0/3, Gi1/0
                                                Gi1/1, Gi1/2, Gi1/3
10   VLAN0010                         active    Gi0/0
20   VLAN0020                         active
30   VLAN0030                         active
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup
Switch#

Interface gi0/0를 Trunk mode로 설정합니다.

그리고 VLAN 10,20,30만 사용 가능 하게 설정합니다.

Switch(config)#interface gigabitEthernet 0/0
Switch(config-if)#switchport trunk encapsulation dot1q
Switch(config-if)#switchport mode trunk
Switch(config-if)#switchport trunk allowed vlan 10,20,30
Switch(config-if)#

SVI를 생성합니다.

SVI 10 - 10.1.1.2/24

SVI 20 - 20.1.1.2/24

SVI 30 - 30.1.1.2/24

Switch(config)#interface vlan 10
Switch(config-if)#ip address 10.1.1.2 255.255.255.0
Switch(config-if)#no shutdown
Switch(config-if)#interface vlan 20
Switch(config-if)#ip address 20.1.1.2 255.255.255.0
Switch(config-if)#no shutdown
Switch(config-if)#interface vlan 30
Switch(config-if)#ip address 30.1.1.2 255.255.255.0
Switch(config-if)#no shutdown

Interface 상태를 확인합니다.

Switch#show ip int brie
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0     unassigned      YES unset  up                    up
GigabitEthernet0/1     unassigned      YES unset  up                    up
GigabitEthernet0/2     unassigned      YES unset  up                    up
GigabitEthernet0/3     unassigned      YES unset  up                    up
GigabitEthernet1/0     unassigned      YES unset  up                    up
GigabitEthernet1/1     unassigned      YES unset  up                    up
GigabitEthernet1/2     unassigned      YES unset  up                    up
GigabitEthernet1/3     unassigned      YES unset  up                    up
Vlan10                 10.1.1.2        YES manual up                    up
Vlan20                 20.1.1.2        YES manual up                    up
Vlan30                 30.1.1.2        YES manual up                    up
Switch#

Cisco Switch에서 vSRX로 ping를 시도합니다.

vSRX는 보안 장비이기 때문에 기본적으로 icmp 패킷을 차단합니다.

Switch#ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Switch#

vSRX side

Juniper SRX은 Zone Base Firewall입니다. 인터페이스를 사용하기 위해서 Zone 생성하고 Interface를 Zone안에 할당해주어야 합니다.

irb.10 -> trust_vl10

irb.20 -> trust_vl20

irb.30 -> trust_vl30

set security zones security-zone trust_vl10 interfaces irb.10
set security zones security-zone trust_vl10 host-inbound-traffic system-services ping
set security zones security-zone trust_vl20 interfaces irb.20
set security zones security-zone trust_vl20 host-inbound-traffic system-services ping

set security zones security-zone trust_vl30 interfaces irb.30
set security zones security-zone trust_vl30 host-inbound-traffic system-services ping

저작자표시 (새창열림)

'JUNIPER > SRX 방화벽' 카테고리의 다른 글

[2024][Juniper SRX #8] Zone configuration (2)	2024.07.20
[2024][Juniper SRX #7] host-inbound-traffic (0)	2024.07.19
[2024][Juniper SRX #5] Interface 설정 - RVI - access mode (1)	2024.07.16
[2024][Juniper SRX #4] Interface 설정 - Layer3 Logical Interface (0)	2024.07.15
[2024][Juniper SRX #3] Interface 설정 - Layer3 Physical Interface (0)	2024.07.14