VRRP双ISP装置

Question

我有一个项目，我正在挣扎，并想知道是否有人可以提供一些建议，以实现我的目标最好的方式(我是新来的Juniper)。

目前我有两个juniper SRX240s，一个连接100 Mb光纤，另一个连接10 Mb EFM。

我的目标是将它们设置为允许从一个ISP自动切换到另一个ISP。这样的想法是，如果主100 in出现故障，备份就会自动启动。

我还需要设置3个虚拟路由实例和两个DMZ，其思想是有一个用于WAN、Internet和VOIP流量的实例。附件是一张图片，以帮助解释设置。

该公司希望使用VRRP而不是底盘集群。

我已经设置了VRRP，然而，两个路由器都处于主状态，他们发送广告，但没有收到。我怀疑安全配置有问题，但我似乎找不到它是什么。有人能看看我什么时候出问题了吗？

在这个阶段，我想要标准的VRRP局域网侧(172.16范围)，然后使用VRRP路由实例跟踪的广域网。

这是配置：

set interfaces ge-0/0/0 vlan-tagging
set interfaces ge-0/0/0 unit 126 description DMZ-1
set interfaces ge-0/0/0 unit 126 vlan-id 126
set interfaces ge-0/0/0 unit 126 family inet address 172.16.126.253/24
set interfaces ge-0/0/0 unit 137 description backup-mpls
set interfaces ge-0/0/0 unit 137 vlan-id 137
set interfaces ge-0/0/0 unit 346 vlan-id 346
set interfaces ge-0/0/0 unit 346 family inet address x.x.x.x/30
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/3 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/4 vlan-tagging
set interfaces ge-0/0/4 unit 20 description users-data
set interfaces ge-0/0/4 unit 20 vlan-id 20
set interfaces ge-0/0/4 unit 20 family inet address 172.16.93.253/24 vrrp-group 1 virtual-address 172.16.93.254
set interfaces ge-0/0/4 unit 20 family inet address 172.16.93.253/24 vrrp-group 1 priority 100
set interfaces ge-0/0/4 unit 20 family inet address 172.16.93.253/24 vrrp-group 1 accept-data trust
set interfaces ge-0/0/15 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces vlan unit 0 family inet address 192.168.1.1/24
set protocols stp
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust host-inbound-traffic protocols vrrp
set security zones security-zone trust interfaces vlan.0
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust interfaces ge-0/0/0.346 host-inbound-traffic system-services all
set security zones security-zone untrust interfaces ge-0/0/0.346 host-inbound-traffic protocols all
set security zones security-zone voip host-inbound-traffic system-services all
set security zones security-zone voip host-inbound-traffic protocols all
set security zones security-zone mpls host-inbound-traffic system-services all
set security zones security-zone mpls host-inbound-traffic protocols all
set routing-instances cce instance-type virtual-router
set routing-instances cce interface ge-0/0/4.20
set routing-instances internet instance-type virtual-router
set routing-instances internet interface ge-0/0/0.346
set routing-instances internet routing-options static route 0.0.0.0/0 next-hop x.x.x.141
set routing-instances voip instance-type virtual-router
set routing-instances voip interface ge-0/0/4.70
set vlans vlan-trust vlan-id 3
set vlans vlan-trust l3-interface vlan.0

如果你能看到我错过了什么那就太好了。

Answer 1

从配置的外观来看，ge-0/0/4.20不在trust安全区域。

 set security zone security-zones trust interface ge-0/0/4.20

应该解决问题，并建立你的VRRP邻接。

如果要在trust和untrust之间执行策略，则还需要删除路由实例。

路由-实例总是看起来是隔离的正确答案，但它们增加了许多不必要的复杂性。区域和政策运作得很好。