
Juniper SRX Series Configuration

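This page shows configuration examples for the Juniper SRX Series, based on the sample topology.
The examples below assume that the OCX光 プライベート ONU is connected to ge-0/0/0 and that the home network is connected to ge-0/0/1 through ge-0/0/7.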

Supported models

CPE devices compatible with OCX光 プライベート
The configurations in this article were verified on an SRX300 running JUNOS version 23.2R2-S1.3.

RA method and PD method

The configuration differs between the Router Advertisement (RA) method and the Prefix Delegation (PD) method.
For details, see "About the RA method and the PD method".

Example - RA method

set security forwarding-options family inet6 mode flow-based
set security policies from-zone trust to-zone trust policy permit-all match source-address any
set security policies from-zone trust to-zone trust policy permit-all match destination-address any
set security policies from-zone trust to-zone trust policy permit-all match application any
set security policies from-zone trust to-zone trust policy permit-all then permit
set security zones security-zone trust interfaces irb.0 host-inbound-traffic system-services ping
set security zones security-zone trust interfaces irb.0 host-inbound-traffic system-services ssh
set security zones security-zone trust interfaces ip-0/0/0.1 host-inbound-traffic system-services ping
set security zones security-zone trust interfaces ip-0/0/0.1 host-inbound-traffic system-services ssh
set security zones security-zone ngn interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
set security zones security-zone ngn interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcpv6
set interfaces interface-range lan-interfaces member-range ge-0/0/1 to ge-0/0/7
set interfaces interface-range lan-interfaces unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/0 unit 0 family inet6 dhcpv6-client client-type autoconfig
set interfaces ge-0/0/0 unit 0 family inet6 dhcpv6-client client-ia-type ia-na
set interfaces ge-0/0/0 unit 0 family inet6 dhcpv6-client interface-identifier ::3:4:5:6
set interfaces ge-0/0/0 unit 0 family inet6 dhcpv6-client client-identifier duid-type duid-ll
set interfaces ge-0/0/0 unit 0 family inet6 dhcpv6-client req-option dns-server
set interfaces ge-0/0/0 unit 0 family inet6 dhcpv6-client update-server
set interfaces ip-0/0/0 unit 1 tunnel encap-type ipv6
set interfaces ip-0/0/0 unit 1 tunnel source-interface ge-0/0/0.0
set interfaces ip-0/0/0 unit 1 tunnel destination 2400:c320:101:a:b:c:d:e
set interfaces ip-0/0/0 unit 1 family inet
set interfaces irb unit 0 family inet address 192.168.50.1/24
set vlans vlan-trust vlan-id 3
set vlans vlan-trust l3-interface irb.0
set protocols router-advertisement interface ge-0/0/0.0 passive-mode
set protocols l2-learning global-mode switching
set routing-options static route 192.168.10.0/24 next-hop ip-0/0/0.1

Example - PD method

set security forwarding-options family inet6 mode flow-based
set security policies from-zone trust to-zone trust policy permit-all match source-address any
set security policies from-zone trust to-zone trust policy permit-all match destination-address any
set security policies from-zone trust to-zone trust policy permit-all match application any
set security policies from-zone trust to-zone trust policy permit-all then permit
set security policies from-zone trust to-zone ngn policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone ngn policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone ngn policy trust-to-untrust match application any
set security policies from-zone trust to-zone ngn policy trust-to-untrust then permit
set security zones security-zone trust interfaces irb.0 host-inbound-traffic system-services ping
set security zones security-zone trust interfaces irb.0 host-inbound-traffic system-services ssh
set security zones security-zone trust interfaces ip-0/0/0.1 host-inbound-traffic system-services ping
set security zones security-zone trust interfaces ip-0/0/0.1 host-inbound-traffic system-services ssh
set security zones security-zone ngn interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
set security zones security-zone ngn interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcpv6
set interfaces interface-range lan-interfaces member-range ge-0/0/1 to ge-0/0/7
set interfaces interface-range lan-interfaces unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/0 unit 0 family inet6 dhcpv6-client client-type stateful
set interfaces ge-0/0/0 unit 0 family inet6 dhcpv6-client client-ia-type ia-pd
set interfaces ge-0/0/0 unit 0 family inet6 dhcpv6-client client-identifier duid-type duid-ll
set interfaces ge-0/0/0 unit 0 family inet6 dhcpv6-client update-router-advertisement interface irb.0 interface-identifier ::3:4:5:6
set interfaces ge-0/0/0 unit 0 family inet6 dhcpv6-client req-option dns-server
set interfaces ge-0/0/0 unit 0 family inet6 dhcpv6-client update-server
set interfaces ip-0/0/0 unit 1 tunnel encap-type ipv6
set interfaces ip-0/0/0 unit 1 tunnel source-interface irb.0
set interfaces ip-0/0/0 unit 1 tunnel destination 2400:c320:101:a:b:c:d:e
set interfaces ip-0/0/0 unit 1 family inet
set interfaces irb unit 0 family inet address 192.168.50.1/24
set interfaces irb unit 0 family inet6
set vlans vlan-trust vlan-id 3
set vlans vlan-trust l3-interface irb.0
set protocols router-advertisement interface ge-0/0/0.0 passive-mode
set protocols l2-learning global-mode switching
set routing-options static route 192.168.10.0/24 next-hop ip-0/0/0.1
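
A review of what the PD-method example above exposes, as an added example that is not part of the original page: it parses the `set` lines to list which services the SRX itself answers on each zone and interface, and which policies permit any source, destination and application. `audit` and `ssh_interfaces` are names introduced here.

```python
import re
from collections import defaultdict

# Security-relevant lines copied from the PD-method example above.
CONFIG = """\
set security policies from-zone trust to-zone trust policy permit-all match source-address any
set security policies from-zone trust to-zone trust policy permit-all match destination-address any
set security policies from-zone trust to-zone trust policy permit-all match application any
set security policies from-zone trust to-zone trust policy permit-all then permit
set security policies from-zone trust to-zone ngn policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone ngn policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone ngn policy trust-to-untrust match application any
set security policies from-zone trust to-zone ngn policy trust-to-untrust then permit
set security zones security-zone trust interfaces irb.0 host-inbound-traffic system-services ping
set security zones security-zone trust interfaces irb.0 host-inbound-traffic system-services ssh
set security zones security-zone trust interfaces ip-0/0/0.1 host-inbound-traffic system-services ping
set security zones security-zone trust interfaces ip-0/0/0.1 host-inbound-traffic system-services ssh
set security zones security-zone ngn interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
set security zones security-zone ngn interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcpv6
"""

HOST_RE = re.compile(r"set security zones security-zone (\S+) interfaces (\S+) "
                     r"host-inbound-traffic system-services (\S+)")
POLICY_RE = re.compile(r"set security policies from-zone (\S+) to-zone (\S+) policy (\S+) "
                       r"(?:match (\S+) (\S+)|then (\S+))")
MATCH_FIELDS = ("source-address", "destination-address", "application")


def audit(config):
    """Return (services answered per (zone, interface), any/any/any permit policies)."""
    services = defaultdict(set)    # (zone, interface) -> host-inbound services
    policies = defaultdict(dict)   # (from-zone, to-zone, name) -> criteria and action
    for line in config.splitlines():
        if m := HOST_RE.fullmatch(line.strip()):
            services[(m[1], m[2])].add(m[3])
        elif m := POLICY_RE.fullmatch(line.strip()):
            fields = policies[(m[1], m[2], m[3])]
            if m[4]:
                fields[m[4]] = m[5]        # one match criterion
            else:
                fields["action"] = m[6]    # the "then" action
    wide_open = sorted(key for key, f in policies.items() if f.get("action") == "permit"
                       and all(f.get(name) == "any" for name in MATCH_FIELDS))
    return {k: sorted(v) for k, v in services.items()}, wide_open


def ssh_interfaces(config):
    """Interfaces on which the SRX itself accepts SSH."""
    return sorted(ifc for (_, ifc), svcs in audit(config)[0].items() if "ssh" in svcs)
```

For these lines, `ssh_interfaces` returns both `irb.0` and the tunnel interface `ip-0/0/0.1`, so SSH to the SRX is accepted from the OCX side of the tunnel as well as from the home LAN, and both policies are reported as any-to-any permits.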

Template - RA method

set security forwarding-options family inet6 mode flow-based
set security policies from-zone trust to-zone trust policy permit-all match source-address any
set security policies from-zone trust to-zone trust policy permit-all match destination-address any
set security policies from-zone trust to-zone trust policy permit-all match application any
set security policies from-zone trust to-zone trust policy permit-all then permit
set security zones security-zone trust interfaces irb.0 host-inbound-traffic system-services ping
set security zones security-zone trust interfaces irb.0 host-inbound-traffic system-services ssh
set security zones security-zone trust interfaces ip-0/0/0.1 host-inbound-traffic system-services ping
set security zones security-zone trust interfaces ip-0/0/0.1 host-inbound-traffic system-services ssh
set security zones security-zone ngn interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
set security zones security-zone ngn interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcpv6
set interfaces interface-range lan-interfaces member-range ge-0/0/1 to ge-0/0/7
set interfaces interface-range lan-interfaces unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/0 unit 0 family inet6 dhcpv6-client client-type autoconfig
set interfaces ge-0/0/0 unit 0 family inet6 dhcpv6-client client-ia-type ia-na
set interfaces ge-0/0/0 unit 0 family inet6 dhcpv6-client interface-identifier {{lower 64-bit address (IFID) specified in the CPE endpoint address}}
set interfaces ge-0/0/0 unit 0 family inet6 dhcpv6-client client-identifier duid-type duid-ll
set interfaces ge-0/0/0 unit 0 family inet6 dhcpv6-client req-option dns-server
set interfaces ge-0/0/0 unit 0 family inet6 dhcpv6-client update-server
set interfaces ip-0/0/0 unit 1 tunnel encap-type ipv6
set interfaces ip-0/0/0 unit 1 tunnel source-interface ge-0/0/0.0
set interfaces ip-0/0/0 unit 1 tunnel destination {{gateway endpoint address}}
set interfaces ip-0/0/0 unit 1 family inet
set interfaces irb unit 0 family inet address {{IPv4 address of the home-network-side interface}}/{{IPv4 prefix length of the home-network-side interface}}
set vlans vlan-trust vlan-id 3
set vlans vlan-trust l3-interface irb.0
set protocols router-advertisement interface ge-0/0/0.0 passive-mode
set protocols l2-learning global-mode switching
set routing-options static route {{OCX-side network}} next-hop ip-0/0/0.1

Template - PD method

set security forwarding-options family inet6 mode flow-based
set security policies from-zone trust to-zone trust policy permit-all match source-address any
set security policies from-zone trust to-zone trust policy permit-all match destination-address any
set security policies from-zone trust to-zone trust policy permit-all match application any
set security policies from-zone trust to-zone trust policy permit-all then permit
set security policies from-zone trust to-zone ngn policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone ngn policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone ngn policy trust-to-untrust match application any
set security policies from-zone trust to-zone ngn policy trust-to-untrust then permit
set security zones security-zone trust interfaces irb.0 host-inbound-traffic system-services ping
set security zones security-zone trust interfaces irb.0 host-inbound-traffic system-services ssh
set security zones security-zone trust interfaces ip-0/0/0.1 host-inbound-traffic system-services ping
set security zones security-zone trust interfaces ip-0/0/0.1 host-inbound-traffic system-services ssh
set security zones security-zone ngn interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
set security zones security-zone ngn interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcpv6
set interfaces interface-range lan-interfaces member-range ge-0/0/1 to ge-0/0/7
set interfaces interface-range lan-interfaces unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/0 unit 0 family inet6 dhcpv6-client client-type stateful
set interfaces ge-0/0/0 unit 0 family inet6 dhcpv6-client client-ia-type ia-pd
set interfaces ge-0/0/0 unit 0 family inet6 dhcpv6-client client-identifier duid-type duid-ll
set interfaces ge-0/0/0 unit 0 family inet6 dhcpv6-client update-router-advertisement interface irb.0 interface-identifier {{lower 64-bit address (IFID) specified in the CPE endpoint address}}
set interfaces ge-0/0/0 unit 0 family inet6 dhcpv6-client req-option dns-server
set interfaces ge-0/0/0 unit 0 family inet6 dhcpv6-client update-server
set interfaces ip-0/0/0 unit 1 tunnel encap-type ipv6
set interfaces ip-0/0/0 unit 1 tunnel source-interface irb.0
set interfaces ip-0/0/0 unit 1 tunnel destination {{gateway endpoint address}}
set interfaces ip-0/0/0 unit 1 family inet
set interfaces irb unit 0 family inet address {{IPv4 address of the home-network-side interface}}/{{IPv4 prefix length of the home-network-side interface}}
set interfaces irb unit 0 family inet6
set vlans vlan-trust vlan-id 3
set vlans vlan-trust l3-interface irb.0
set protocols router-advertisement interface ge-0/0/0.0 passive-mode
set protocols l2-learning global-mode switching
set routing-options static route {{OCX-side network}} next-hop ip-0/0/0.1
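
Filling in the four site-specific values of the templates above, as an added example that is not part of the original page: each value is parsed and re-emitted in canonical form, so a malformed or multi-line value cannot add extra `set` commands to the pasted configuration. The function `render` and the parameter names `ifid`, `gateway`, `lan_if` and `ocx_net` are names introduced here for the template's placeholders; only the parameterised lines are rendered.

```python
import ipaddress

# The parameterised lines of the templates above; the IFID line differs by method.
IFID_LINE = {
    "ra": "set interfaces ge-0/0/0 unit 0 family inet6 dhcpv6-client "
          "interface-identifier {ifid}",
    "pd": "set interfaces ge-0/0/0 unit 0 family inet6 dhcpv6-client "
          "update-router-advertisement interface irb.0 interface-identifier {ifid}",
}
COMMON_LINES = (
    "set interfaces ip-0/0/0 unit 1 tunnel destination {gateway}",
    "set interfaces irb unit 0 family inet address {lan_if}",
    "set routing-options static route {ocx_net} next-hop ip-0/0/0.1",
)


def render(method, ifid, gateway, lan_if, ocx_net):
    """Validate the site values and return the filled-in set commands."""
    if method not in IFID_LINE:
        raise ValueError("method must be 'ra' or 'pd'")
    # ipaddress accepts free text after '%' (zone ID), so reject it up front.
    if "%" in ifid + gateway:
        raise ValueError("zone IDs are not allowed")
    # IFID is the lower 64 bits only (e.g. ::3:4:5:6): upper 64 bits must be zero.
    ifid_addr = ipaddress.IPv6Address(ifid)
    if int(ifid_addr) == 0 or int(ifid_addr) >> 64:
        raise ValueError("IFID must be non-zero with the upper 64 bits clear")
    gw = ipaddress.IPv6Address(gateway)
    if gw.is_link_local or gw.is_multicast or gw.is_unspecified or gw.is_loopback:
        raise ValueError("gateway endpoint must be a routable unicast address")
    lan = ipaddress.IPv4Interface(lan_if)    # irb.0 address/prefix length
    ocx = ipaddress.IPv4Network(ocx_net)     # strict: host bits set is an error
    if lan.network.overlaps(ocx):
        raise ValueError("home LAN and OCX-side network overlap")
    values = {"ifid": ifid_addr.compressed, "gateway": gw.compressed,
              "lan_if": lan.with_prefixlen, "ocx_net": ocx.with_prefixlen}
    return [line.format(**values) for line in (IFID_LINE[method],) + COMMON_LINES]
```

Called with the values from the RA example (`::3:4:5:6`, `2400:c320:101:a:b:c:d:e`, `192.168.50.1/24`, `192.168.10.0/24`), it reproduces that example's four site-specific lines.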