JuniperSRX Filter-Based Forwarding

就是策略路由

1) 創建routing-instance(SP1,SP2),instance-type為fowarding

edit routing-instance [SP1] instance-type forwading

    set routing-options static route 0/0 nex-hop 202.100.1.1

edit routing-instance [SP2] instance-type forwading

    set routing-options static route 0/0 nex-hop 202.100.2.1

2)創建firewall filter

edit friewall filter [Inside1] term [1] 

    set from source-address 10.1.1.0/24

    set then routing-instance SP1

    set term [Default-Permit-All] then accept

set firewall filter [Inside1] term [1] from source-address 10.1.1.0/24

set firewall filter [Inside1] term [1] from source-port xxxx

set firewall filter [Inside1] term [1] destination-address x.x.x.x/x

set firewall filter [Inside1] term [1] destination-port xxxx

set firewall filter [Inside1] term [1] then routing-instance SP1

set firewall filter [Inside1] term [Default-Permit] then accept

edit firewall filter [Inside2] term [2]

    set from source-address 

    set then routing-instance SP2

    set term [Default-Permit-All] then accept

3)接口 調用filter

set interface ge-0/0/2.0 family inet filter input Inside1

set interfaes ge-0/0/3.0 family inet filter input Inside2

4)合并路由表

run show route    //查看全局路由表中，是沒有前面定義的routing-instance中的路由的

show routing-instances

edit routing-options 

    set interface-routes rib-group inet [Policy-Routing]

    edit rib-groups [Policy-Routing]

        set import-rib [inet.0 SP1.inet.0 SP2.inet.0]

run show route    //查看合并后的路由表

5）創建Zone間策略:Security Policis(放行流量Inside1->Outside;Inside2->Outside)

set security policies from-zone Inside1 to-zone Outside policy Default-Permit-All

    set match source-address any

    set match destination-address any

    set match application any

    set then permit

set security policies from-zone Inside2 to-zone Outside policy Default-Permit-All

    set match sourc-address any

    set match destination-address any

    set match application-address any

    set then permit

#show security policies

#run show security flow session