SRX240 Transparent Mode

Published: 2020-08-05 07:42:29  Source: Internet  Views: 2821  Author: boochem  Category: Security Technology
Technorati tags: srx, juniper, srx240


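Step 1: Preparation
If this is a new device with no configuration, skip directly to Step 2.
If the device already carries a lot of configuration, it is recommended to reset it first: the load factory-default / commit commands restore the factory default configuration.
load factory-default
After restoring factory defaults, you must immediately set the root account password <by default the password must be at least 6 characters: letters plus digits>
2.1.3 Set the root user password
root# set system root-authentication plain-text-password
New password: root123
Retype new password: root123
commit
//On the SRX every command takes effect only after commit; committing after each command is recommended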

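Step 2: Enable transparent mode
***The web interface does not support managing transparent mode, so first bring the device into transparent mode from a terminal session (HyperTerminal)***
set bridge-domains bd1 domain-type bridge
set bridge-domains bd1 vlan-id 3
set interfaces irb unit 0 family inet address 10.34.208.199/24
set bridge-domains bd1 routing-interface irb.0
//bd1 is an arbitrarily chosen bridge-domain name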

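Step 3: Enable transparent mode on the interfaces
***Delete unit 0 on all interfaces; on the SRX240 these are ge-0/0/0 through ge-0/0/15***
delete interfaces ge-0/0/10 unit 0
delete interfaces ge-0/0/11 unit 0
***Add the interfaces to the transparent bridge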
set interfaces ge-0/0/0 unit 0 description L2-Untrust
set interfaces ge-0/0/0 unit 0 family bridge interface-mode trunk
set interfaces ge-0/0/0 unit 0 family bridge vlan-id-list 3
set interfaces ge-0/0/1 unit 0 description L2-Untrust
set interfaces ge-0/0/1 unit 0 family bridge interface-mode trunk
set interfaces ge-0/0/1 unit 0 family bridge vlan-id-list 3
set interfaces ge-0/0/2 unit 0 description L2-Trust
set interfaces ge-0/0/2 unit 0 family bridge interface-mode trunk
set interfaces ge-0/0/2 unit 0 family bridge vlan-id-list 3
set interfaces ge-0/0/3 unit 0 description L2-Trust
set interfaces ge-0/0/3 unit 0 family bridge interface-mode trunk
set interfaces ge-0/0/3 unit 0 family bridge vlan-id-list 3
//A prompt asking for a reboot means transparent mode has taken effect
root# quit
root> request system reboot
//Reboot command; note that it is entered in > mode

Step 3: Configure the interfaces
delete security zones security-zone untrust interfaces ge-0/0/0.0
delete security zones security-zone trust interfaces vlan.0
//Remove the interfaces that will join the L2 zones from the default zones; an interface can belong to only one zone
set security zones security-zone L2-Trust host-inbound-traffic system-services all
set security zones security-zone L2-Trust host-inbound-traffic protocols all
set security zones security-zone L2-Untrust host-inbound-traffic system-services ping
set security zones security-zone L2-Untrust host-inbound-traffic system-services http
set security zones security-zone L2-Untrust host-inbound-traffic system-services telnet
set security zones security-zone L2-Untrust interfaces ge-0/0/0.0
set security zones security-zone L2-Untrust interfaces ge-0/0/1.0
set security zones security-zone L2-Trust interfaces ge-0/0/2.0
set security zones security-zone L2-Trust interfaces ge-0/0/3.0

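Step 4:
set system services web-management http interface irb.0
//irb can now be managed over the web
Access it at http://10.34.208.199
***This is the IP of the irb.0 management interface; the login generally defaults to root/root123
Once the web interface is reachable, all of the following steps can be configured in the web interface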

Step 5: Add access policies
set security policies from-zone L2-Trust to-zone L2-Untrust policy IN-OUT-PERMIT-ALL match source-address any
set security policies from-zone L2-Trust to-zone L2-Untrust policy IN-OUT-PERMIT-ALL match destination-address any
set security policies from-zone L2-Trust to-zone L2-Untrust policy IN-OUT-PERMIT-ALL match application any
set security policies from-zone L2-Trust to-zone L2-Untrust policy IN-OUT-PERMIT-ALL then permit
set security policies from-zone L2-Untrust to-zone L2-Trust policy OUT-IN-PERMIT-ALL match source-address any
set security policies from-zone L2-Untrust to-zone L2-Trust policy OUT-IN-PERMIT-ALL match destination-address any
set security policies from-zone L2-Untrust to-zone L2-Trust policy OUT-IN-PERMIT-ALL match application any
set security policies from-zone L2-Untrust to-zone L2-Trust policy OUT-IN-PERMIT-ALL then permit

set routing-options static route 0.0.0.0/0 next-hop x.x.x.x
//Default route
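
A tighter variant of the zone, web-management and policy settings above, added here as an example and not part of the original post: management moves from HTTP/telnet to HTTPS/SSH reachable only from L2-Trust, and the inbound permit-all policy is replaced by one logged rule. The address WEB-SRV (10.34.208.10/32), the policy name OUT-IN-HTTPS and HTTPS as the only published service are assumptions for illustration.

```junos
# Added example (not from the original post). Run in configuration mode.

# Management plane: cleartext HTTP and telnet out, HTTPS and SSH in
delete system services web-management http
delete system services telnet
set system services web-management https system-generated-certificate
set system services web-management https interface irb.0
set system services ssh

# L2-Untrust: no management services on the outside, keep ping only
delete security zones security-zone L2-Untrust host-inbound-traffic system-services http
delete security zones security-zone L2-Untrust host-inbound-traffic system-services telnet

# L2-Trust: replace "system-services all / protocols all" with what is needed
delete security zones security-zone L2-Trust host-inbound-traffic
set security zones security-zone L2-Trust host-inbound-traffic system-services ssh
set security zones security-zone L2-Trust host-inbound-traffic system-services https
set security zones security-zone L2-Trust host-inbound-traffic system-services ping

# Outside -> inside: drop the permit-all rule, publish one server and log it
# WEB-SRV / 10.34.208.10 is a constructed sample address
delete security policies from-zone L2-Untrust to-zone L2-Trust policy OUT-IN-PERMIT-ALL
set security zones security-zone L2-Trust address-book address WEB-SRV 10.34.208.10/32
set security policies from-zone L2-Untrust to-zone L2-Trust policy OUT-IN-HTTPS match source-address any
set security policies from-zone L2-Untrust to-zone L2-Trust policy OUT-IN-HTTPS match destination-address WEB-SRV
set security policies from-zone L2-Untrust to-zone L2-Trust policy OUT-IN-HTTPS match application junos-https
set security policies from-zone L2-Untrust to-zone L2-Trust policy OUT-IN-HTTPS then permit
set security policies from-zone L2-Untrust to-zone L2-Trust policy OUT-IN-HTTPS then log session-close

# Anything not matched by a policy is dropped
set security policies default-policy deny-all

# Validate, then commit with automatic rollback after 5 minutes unless confirmed
commit check
commit confirmed 5
# Verify https://10.34.208.199 and SSH still work from L2-Trust, then:
commit
```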
