Ajude-nos a melhorar a sua experiência.

Conte-nos a sua opinião.

Tem dois minutos para uma pesquisa?

Announcement: Try the Ask AI chatbot for answers to your technical questions about Juniper products and solutions.

close
header-navigation

Solutions

Featured solutions AI Campus and branch Data center WAN Security Service provider Cloud operator Industries
Campus and Branch

Welcome to the NOW Way to Wi-Fi

Take your networking performance to new heights with a modern, cloud-native, AI-Native architecture. Only Juniper can help you unleash the full potential of Wi-Fi 7 with our AI-Native platform for innovation.
Prepare for liftoff
Business intelligence analyst dashboard on virtual screen. Big data Graphs Charts.

AI Data Center Networking

Juniper’s AI data center solution is a quick way to deploy high performing AI training and inference networks that are the most flexible to design and easiest to manage with limited IT resources.
Find out more
Enterprise AI-Native Networking

Enterprise AI‑Native Routing

Juniper's Ai-Native routing solution delivers robust 400GbE and 800GbE capabilities for unmatched performance, reliability, and sustainability at scale.
Explore enterprise routing
Zero trust security

Ops4AI Lab

Visit our lab in Sunnyvale, CA and see our AI data center solution for yourself. You can try out your own model’s functionality and performance, too.
Visit the lab
Enterprise AI-Native Networking

Enterprise AI‑Native Routing

Juniper's Ai-Native routing solution delivers robust 400GbE and 800GbE capabilities for unmatched performance, reliability, and sustainability at scale.
Explore enterprise routing
Higher Education

Shaping Student Experiences: The NOW Way to Build Higher Education Networks

Juniper Networks CIO Sharon Mandell and a virtual summit of C-level IT leaders from prestigious institutions discuss ongoing efforts to support digital transformation on campus.
Watch now
Hand on tablet with healthcare overlay of graphics

Security in healthcare

In this IDC Spotlight report, discover how AI networking can automate and strengthen a healthcare ecosystem to defeat criminals and prevent loss. 
Gain insights into ecosystem security
Retail

The Future of In-Store Technologies

Retail experts Kevin McCartan, Senior IT Service Delivery Engineer at Musgrave; Jack Stratten of Insider Trends; and Christian Gilby, Senior Director of Product Marketing at Juniper Networks, discuss customer experiences.
See the future

Products

Wireless access Wired access SD-WAN / SASE Routing and switching Security Mist AI™ Management software Network operating system Blueprint for AI-Native Acceleration Optics
  • Operations
ACX7020 router

Juniper ACX7020 Cloud Metro Access Router

Legacy networks simply cannot meet the demands of today’s rapidly evolving metro landscape. Unlock a new generation of highly scalable architectures and automated operations with the Juniper ACX7020. 
Learn more
EX4000 Ethernet Switch

Next-gen AI-Native EX4000 line of switches

Lack of AI innovation from your current networking vendor slowing you down? Embrace Juniper’s cloud-native, AI-Native access switches that support every level and layer, across nearly every deployment.
Discover how
The Q and AI text with an image of Bob Friday and Kedar Dhuru.

The Q&AI Podcast

Delivering practical solutions and enriching discussions, this podcast series is a vital resource for those seeking an in-depth exploration of AI's transformative potential.
Catch the latest episode

Services

Services
Services AI Care

Juniper AI Care Services Revolutionize Your Service Experience

Our industry-first AI-Native services couple AIOps with our deep expertise across the full network life cycle. You can move from reactive response to proactive insight and action.
Explore AI Care Services
Services AI Data Center

Juniper AI Data Center Deployment Services Optimize Your AI Model Runs

We use our expertise and validated designs to help design, deploy, validate and tune networks, including GPUs and storage, to get the most from your AI infrastructure operation.
Learn about AI Data Center Deployment Services

Partners

Partners

Support and Documentation

Support and Documentation

Learn

About Juniper Training Events The Feed Resources Technology learning topics Thought leadership and insights
Audience raising hands up while businessman is speaking in training at the office.

Juniper certification and training news

See the latest
Ringing of the bell

All global events

See the latest
AI-native-now

AI-Native NOW event series

Explore events
AINN AI Innovation Impact Virtual Event

AI-Native NOW: AI Innovation and Impact

Register NOW
Juniper's Christina Hendrix at the head of a conference table. With the text "The NOW Way to Network" overlayed, with "NOW" emphasizing the "O" in green color.

The NOW Way to Network

Watch the video series
AI Native Now

Executive insights

Dive deep with leading experts and thought leaders on all the topics that matter most to your business, from AI to network security to driving rapid, relevant transformation for your business.
Learn more
A keynote speaker giving a presentation at a conference. There are dozens of people sitting around them. The presentation is displayed via projector on all the walls in the room.

Leadership voices

Juniper Networks’ leaders operate on the front lines of creating the network of the future. Take a look around to see what’s on their minds.
Watch now
Bob Friday and Jessica Garrison speaking

Bob Friday Talks

Join Bob as he ventures into all the knowns -- and -- unknowns -- of AI.
Catch the latest episode
Documentation
Menu
License Guide
Quick Starts
Validated Designs
Explore Pathfinder Apps
CLI Explorer
Feature Explorer
Hardware Compatibility Tool
Port Checker
Browse All
Collapse

Pathfinder Apps

All

By Software

By Hardware

Learn More
Pathfinder HomeCLI ExplorerCompliance AdvisorFeature ExplorerHardware Compatibility ToolJunos XML API ExplorerJunos YANG Data Model ExplorerPort CheckerPower CalculatorSNMP MIB ExplorerSystem Log Explorer
CLI ExplorerFeature ExplorerJunos XML API ExplorerJunos YANG Data Model ExplorerSNMP MIB ExplorerSystem Log Explorer
Compliance AdvisorFeature ExplorerHardware Compatibility ToolPort CheckerPower Calculator
Home Documentation Junos OS Políticas de roteamento, filtros de firewall e guia de usuário de policiais de tráfego Compreensão e configuração das políticas de roteamento do Junos Rastreamento do uso de tráfego com ações de uso de classe de origem e de classe de destino

Políticas de roteamento, filtros de firewall e guia de usuário de policiais de tráfego

keyboard_arrow_up
close
keyboard_arrow_left
Políticas de roteamento, filtros de firewall e guia de usuário de policiais de tráfego
Table of Contents Expand all
list Table of Contents
Nesta página
keyboard_arrow_right

Esta tradução automática foi útil?

starstarstarstarstar
Go to English page
ISENÇÃO DE RESPONSABILIDADE:

Esta página será traduzida com software de tradução por máquina de terceiros. Embora esforços razoáveis tenham sido feitos para fornecer uma tradução de qualidade, a Juniper Networks não pode garantir sua exatidão. Se houver dúvidas sobre a exatidão das informações contidas nesta tradução, consulte a versão em inglês. O PDF para download está disponível apenas em inglês.

Configuração de SCU com VPNs de camada 3

date_range 18-Jan-25
arrow_backward
arrow_forward

Configuração de SCU em uma VPN de Camada 3

Figura 1: Diagrama de topologia de VPN de Camada 3 em SCUDiagrama de topologia de VPN de Camada 3 em SCU

Figura 1 exibe uma topologia VPN de Camada 3. CE1 e CE2 são roteadores de borda do cliente (CE) conectados por uma VPN através dos roteadores provedores PE1, P0 e PE2. O EBGP é estabelecido entre os roteadores CE1 e PE1, o IBGP conecta os roteadores PE1 e PE2 em um núcleo IS-IS/MPLS/LDP, e um segundo fluxos de conexão EBGP entre os roteadores PE2 e CE2.

No Roteador CE1, inicie sua VPN configurando uma conexão EBGP com PE1. Instale uma rota 10.114.1.0/24 estática e anuncie esta rota ao seu vizinho EBGP.

Roteador CE1

content_copy zoom_out_map
[edit]
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 10.20.250.1/30;
            }
        }
    }
}
routing-options {
    static {
        route 10.114.1.0/24 reject;
    }
    autonomous-system 100;
}
protocols {
    bgp {
        group to-pe1 {
            local-address 10.20.250.1;
            export inject-direct;
            peer-as 300;
            neighbor 10.20.250.2;
        }
    }
}
policy-options {
    policy-statement inject-direct {
        term 1 {
            from {
                protocol static;
                route-filter 10.114.1.0/24 exact;
            }
            then accept;
        }
        term 2 {
            from protocol direct;
            then accept;
        }
    }
}

No PE1, preencha a conexão EBGP com a CE1 por meio de uma instância de roteamento VRF. Defina uma política de exportação para sua instância VRF que coloca o tráfego BGP em uma comunidade, e uma política de importação que aceita como tráfego comunitário de seu vizinho VPN. Por fim, configure uma relação IBGP com o Roteador PE2 que atropela um núcleo IS-IS, MPLS e LDP.

Roteador PE1

content_copy zoom_out_map
[edit]
interfaces {
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 10.20.250.2/30;
            }
        }
    }
    so-0/2/1 {
        unit 0 {
            family inet {
                address 10.20.251.1/30;
            }
            family iso;
            family mpls;
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 10.250.245.245/32;
            }
            family iso;
            family mpls;
        }
    }
}
routing-options {
    autonomous-system 300;
}
protocols {
    mpls {
        interface so-0/2/1;
    }
    bgp {
        group ibgp {
            type internal;
            local-address 10.250.245.245;
            family inet-vpn {
                unicast;
            }
            neighbor 10.250.71.14;
        }
    }
    isis {
        interface so-0/2/1;
    }
    ldp {
        interface so-0/2/1;
    }
}
policy-options {
    policy-statement red-import {
        from {
            protocol bgp;
            community red-com;
        }
        then accept;
    }
    policy-statement red-export {
        from protocol bgp;
        then {
            community add red-com;
            accept;
        }
    }
    community red-com members target:20:20;
}
routing-instances {
    red {
        instance-type vrf;
        interface ge-0/0/1.0;
        route-distinguisher 10.250.245.245:100;
        vrf-import red-import;
        vrf-export red-export;
        protocols {
            bgp {
                group to-ce1 {
                    local-address 10.20.250.2;
                    peer-as 100;
                    neighbor 10.20.250.1;
                }
            }
        }
    }
}

Na P0, conecte os vizinhos do IBGP localizados em PE1 e PE2. Lembre-se de incluir protocolos relacionados a VPN (MPLS, LDP e IGP) em todas as interfaces.

Roteador P0

content_copy zoom_out_map
[edit]
interfaces {
    so-0/1/0 {
        unit 0 {
            family inet {
                address 10.20.252.1/30;
            }
            family iso;
            family mpls;
        }
    }
    so-0/2/0 {
        unit 0 {
            family inet {
                address 10.20.251.2/30;
            }
            family iso;
            family mpls;
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 10.250.245.246/32;
            }
            family iso;
            family mpls;
        }
    }
}
routing-options {
    autonomous-system 300;
}
protocols {
    mpls {
        interface so-0/1/0;
        interface so-0/2/0;
    }
    isis {
        interface all;
    }
    ldp {
        interface all;
    }
}

No PE2, preencha a relação do IBGP com o Roteador PE1. Estabeleça uma conexão EBGP com o CE2 por meio de uma instância de roteamento VRF. Definir uma política de exportação para a instância VRF que coloca o tráfego BGP em uma comunidade, e uma política de importação que aceita como tráfego comunitário do vizinho VPN. Em seguida, estabeleça uma política que adicione a rota estática do CE1 a uma classe de origem chamada GOLD1. Além disso, exporte essa política de SCU para a tabela de encaminhamento. Por fim, defina sua vt interface como a interface de entrada SCU e estabeleça a interface so-0/0/0 voltada para CE como a interface de saída SCU.

Roteador PE2

content_copy zoom_out_map
[edit]
interfaces {
    so-0/1/1 {
        unit 0 {
            family inet {
                address 10.20.252.2/30;
            }
            family iso;
            family mpls;
        }
    }
    so-0/0/0 {
        unit 0 {
            family inet {
                accounting {
                    source-class-usage {
                        output;
                    }
                }
                address 10.20.253.1/30;
            }
        }
    }
    vt-4/1/0 {
        unit 0 {
            family inet {
                accounting {
                    source-class-usage {
                        input;
                    }
                }
                address 10.250.71.14/32;
            }
            family iso;
            family mpls;
        }
    }
}
routing-options {
    autonomous-system 300;
    forwarding-table {
        export inject-customer2-dest-class;
    }
}
protocols {
    mpls {
        interface so-0/1/1;
        interface vt-4/1/0;
    }
    bgp {
        group ibgp {
            type internal;
            local-address 10.250.71.14;
            family inet-vpn {
                unicast;
            }
            neighbor 10.250.245.245;
        }
    }
    isis {
        interface so-0/1/1;
    }
    ldp {
        interface so-0/1/1;
    }
}
routing-instances {
    red {
        instance-type vrf;
        interface so-0/0/0.0;
        interface vt-4/1/0.0;
        route-distinguisher 10.250.71.14:100;
        vrf-import red-import;
        vrf-export red-export;
        protocols {
            bgp {
                group to-ce2 {
                    local-address 10.20.253.1;
                    peer-as 400;
                    neighbor 10.20.253.2;
                }
            }
        }
    }
}
policy-options {
    policy-statement red-import {
        from {
            protocol bgp;
            community red-com;
        }
        then accept;
    }
    policy-statement red-export {
        from protocol bgp;
        then {
            community add red-com;
            accept;
        }
    }
    policy-statement inject-customer2-dest-class {
        term term-gold1-traffic {
            from {
                route-filter 10.114.1.0/24 exact;
            }
            then source-class GOLD1;
        }
    }
    community red-com members target:20:20;
}

No Roteador CE2, preencha o caminho de VPN terminando a conexão EBGP com PE2.

Roteador CE2

content_copy zoom_out_map
[edit]
interfaces {
    so-0/0/1 {
        unit 0 {
            family inet {
                address 10.20.253.2/30;
            }
        }
    }
}
routing-options {
    autonomous-system 400;
}
protocols {
    bgp {
        group to-pe2 {
            local-address 10.20.253.2;
            export inject-direct;
            peer-as 300;
            neighbor 10.20.253.1;
        }
    }
}
policy-options {
    policy-statement inject-direct {
        from {
            protocol direct;
        }
        then accept;
    }
}

Verificando seu trabalho

Para verificar se o SCU está funcionando corretamente na VPN de Camada 3, use os seguintes comandos:

  • show interfaces interface-name statistics

  • show interfaces source-class source-class-name interface-name

  • show interfaces interface-name (extensive | detail)

  • show route (extensive | detail)

  • clear interface interface-name statistics

Você deve sempre verificar as estatísticas do SCU na interface SCU de saída na qual você configurou a output declaração. Para verificar a funcionalidade do SCU, siga essas etapas:

  1. Libere todos os contadores em seu roteador habilitado para SCU e verifique se eles estão vazios.

  2. Envie um ping do roteador CE de entrada para o segundo roteador CE para gerar tráfego de SCU por toda a rota VPN habilitada para SCU.

  3. Verifique se os contadores estão incrementando corretamente na interface de saída.

A seção a seguir mostra a saída desses comandos usados com o exemplo de configuração.

content_copy zoom_out_map
user@pe2> clear interfaces statistics all

	user@pe2> show interfaces so-0/0/0.0 statistics
  	Logical interface so-0/0/0.0 (Index 6) (SNMP ifIndex 113) 
    Flags: Point-To-Point SNMP-Traps Encapsulation: PPP
    Protocol inet, MTU: 4470
      Source class                             Packets                Bytes
 GOLD1                          0                    0
      Addresses, Flags: Is-Preferred Is-Primary

	user@pe2> show interfaces source-class GOLD1 so-0/0/0.0    
    Protocol inet
      Source class                             Packets                Bytes
GOLD1                          0                    0

user@ce1> ping 10.20.253.2 source 10.114.1.1 rapid count 10000

user@scu>  show interfaces source-class GOLD1 so-0/0/0.0
    Protocol inet
      Source class                             Packets                Bytes
GOLD1                      20000              1680000

user@scu>  show interfaces so-0/0/0.0 statistics
  Logical interface so-0/0/0.0 (Index 6) (SNMP ifIndex 113) 
    Flags: Point-To-Point SNMP-Traps Encapsulation: PPP
    Protocol inet, MTU: 4470
      Source class                             Packets                Bytes
GOLD1                      20000              1680000
      Addresses, Flags: Is-Preferred Is-Primary
         Destination: 10.20.253/24, Local: 10.20.253.1

Tópicos relacionados

arrow_backward PREVIOUS Configuração do SCU
NEXT arrow_forward Exemplo: Prefixos de origem e destino de agrupamento em uma classe de encaminhamento
footer-navigation

© 1999 - 2025 Juniper Networks, Inc. All rights reserved.

Scroll to top