主要應用:雙出口網關,替代策略路由;MPL ×××;等于思科的vrf,實現路由的網絡隔離
全局路由表 和 虛擬路由表 也是可以互相灌
一,配置:(zones:DMZ--Inside2)
1) 創建虛擬路由器,并放入接口
edit routing-instances [DMZ-Inside2]
set instance-type virtual-router
set interface ge-0/0/4.0
set interface ge-0/0/3.0
2) 測試直連網絡連通性DMZ,Inside2
run ping routing-instances [DMZ-Iside2] 10.1.2.1 //直接ping的話,是找的全局路由表
run ping routing-instances [DMZ-Iside2] 192.168.1.1
3)創建Zone間策略:Security Policis(放行流量DMZ--Inside2)
edit security policies from-zone DMZ to-zone Inside2
edit policy [Permit-ICMP]
set match source-address any
set match destination-address any
set match application junos-ping
set then permit
edit policy [Permit-Telnet]
set match source-address any
set match destination-address any
set match application junos-telnet
set then permit
#show security policies
edit security policies from-zone DMZ to-zone Inside2
#rename policy [Permit-ICMP]to [Permit-ICMP-And-Telnet]
5)DMZ區域的PC機ping 1.1.1.1,telnet 1.1.1.1,查看連通性,及其走的是否是VR(Routing-Instance)
ping 1.1.1.1
4) 查看命令
run show route //查看 全局路由表和虛擬路由表
二,配置(Inside1路由器啟lo:1.1.1.1;Inside2路由器啟lo:1.1.1.1)
全局配置靜態路由 to Inside1
set routing-options static route 1.1.1.1/32 nex-hop 10.1.1.1
#show routing-options
虛擬路由器配置靜態路由 to Inside2
edit routing-instance [DMZ-Iside2] routing-options
set static route 1.1.1.1/32 next-hop 10.1.2.1
#show routing-instance
#run show route //查看 全局路由表和虛擬路由表
