— | juniper:junos:routing-policy [2012/11/13 16:29] (目前版本) – 建立 jal | ||
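--- a/juniper:junos:routing-policy
+++ b/juniper:junos:routing-policy
@@ -0,0 +1,168 @@
+====== JUNOS Routing Policy ======
+在 JUNOS 稱之為 Routing Policy or Filter-Based Forwarding,不過一般我們比較常叫他 Policy Based Route。
+===== Example =====
+以下例子為我要將 port 80 的 traffic 從原本的 routing 裡另外轉送到指定的路由器去,如果以 port 80 為例,通常 ISP 是拿來做 TCS(Transparent Cache Switching),且由於 Cache Server 現在都可以帶原本的 Real Client IP 繼續往外送,回來的時候封包再次經過 Cache Server,就可以達到 Cache 的效果了,且使用者完全不會知道。如果是用於 port 25,則是可以處理類似 Transparent SPAM。
+<
+routing-options {
+interface-routes {
+rib-group {
+inet fbf-group;
+inet6 fbf-group-inet6;
+}
+}
+rib inet.0 {
+static {
+route 0.0.0.0/0 next-hop 10.255.31.254;
+route 10.38.0.0/
+}
+}
+rib inet6.0 {
+static {
+route ::/0 next-hop 2001:
+route 2001:
+}
+}
+rib-groups {
+fbf-group {
+import-rib [ inet.0 outgo_to_SLB_inet.inet.0 income_to_SLB_inet.inet.0 ];
+}
+fbf-group-inet6 {
+import-rib [ inet6.0 income_to_SLB_inet6.inet6.0 outgo_to_SLB_inet6.inet6.0 ];
+}
+}
+}
+firewall {
+family inet {
+filter outgo_inet {
+term outgo_dst_80 {
+from {
+source-address {
+10.38.0.0/
+}
+destination-port 80;
+}
+then {
+routing-instance outgo_to_SLB_inet;
+}
+}
+term default {
+then accept;
+}
+}
+filter income_inet {
+term income_src_80 {
+from {
+destination-address {
+10.38.0.0/
+}
+source-port 80;
+}
+then {
+routing-instance income_to_SLB_inet;
+}
+}
+term default {
+then accept;
+}
+}
+}
+family inet6 {
+filter outgo_inet6 {
+term outgo_dst_80 {
+from {
+source-address {
+2001:
+}
+destination-port 80;
+}
+then {
+routing-instance outgo_to_SLB_inet6;
+}
+}
+term default {
+then accept;
+}
+}
+filter income_inet6 {
+term income_src_80 {
+from {
+destination-address {
+2001:
+}
+source-port 80;
+}
+}
+term default {
+then accept;
+}
+}
+}
+}
+routing-instances {
+income_to_SLB_inet {
+instance-type forwarding;
+routing-options {
+static {
+route 10.38.0.0/
+}
+}
+}
+income_to_SLB_inet6 {
+instance-type forwarding;
+routing-options {
+rib income_to_SLB_inet6.inet6.0 {
+static {
+route 2001:
+}
+}
+}
+}
+outgo_to_SLB_inet {
+instance-type forwarding;
+routing-options {
+static {
+route 0.0.0.0/0 next-hop 10.255.253.101;
+}
+}
+}
+outgo_to_SLB_inet6 {
+instance-type forwarding;
+routing-options {
+rib outgo_to_SLB_inet6.inet6.0 {
+static {
+route ::/0 next-hop 2001:
+}
+}
+}
+}
+}
+interfaces {
+vlan {
+unit 31 {
+family inet {
+filter {
+input income_inet;
+}
+}
+family inet6 {
+filter {
+input income_inet6;
+}
+}
+}
+unit 3255 {
+family inet {
+filter {
+input outgo_inet;
+}
+}
+family inet6 {
+filter {
+input outgo_inet6;
+}
+}
+}
+}
+}
+
+</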
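Review bot: In filter `income_inet6`, term `income_src_80` has a `from` block but no `then`, unlike the matching term in `income_inet` and both `outgo_*` filters, so IPv6 return traffic from port 80 is never handed to `income_to_SLB_inet6` (a Junos term without `then` simply accepts the packet) and bypasses the cache on the way back. Add `then { routing-instance income_to_SLB_inet6; }` to that term. All four port-80 terms also match on the port number alone; adding `protocol tcp` to the inet terms (and the next-header equivalent in the inet6 terms) keeps non-TCP traffic that happens to use the same port number out of the redirect. Because every filter ends in `term default { then accept; }`, these filters only steer traffic and provide no access control, which is worth stating next to the example.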