注意,這個是12.1 和12.3 版本或是之前的基本配置案例,15.1或之後的配置有細微區別,有需要可以找找KB或是官方文檔。
set bridge-domains bd1 domain-type bridge vlan-id 10
set interface irb unit 0 family inet address 10.1.1.1/24 web-authentication http
set bridge-domains bd1 routing-interface irb.0
set routing-options static route 0.0.0.0/0 next-hop 10.1.1.254
set systemservices web-management http
set interfaces ge-0/0/0 unit 0 family bridge interface-mode access
set interfaces ge-0/0/0 unit 0 family bridge vlan-id 10
set interfaces ge-0/0/1 unit 0 family bridge interface-mode access
set interfaces ge-0/0/1 unit 0 family bridge vlan-id 10
set security zones security-zone l2-trust interfaces ge-0/0/0.0 host-inbound-traffic systemservices all
set security zones security-zone l2-untrust interfaces ge-0/0/1.0 host-inbound-traffic systemservices ftp
set security zones security-zone l2-untrust interfaces ge-0/0/1.0 host-inbound-traffic systemservices ping
set security zones security-zone l2-untrust interfaces ge-0/0/1.0 host-inbound-traffic systemservices http
set security zones security-zone l2-untrust interfaces ge-0/0/1.0 host-inbound-traffic systemservices https
set security zones security-zone l2-untrust interfaces ge-0/0/1.0 host-inbound-traffic systemservices ssh
set security policies from-zone l2-trust to-zone l2-untrust policy p1 match source-address 10.1.1.1/24
set security policies from-zone l2-trust to-zone l2-untrust policy p1 match destination-address 20.1.1.1/32
set security policies from-zone l2-trust to-zone l2-untrust policy p1 match application http
set security policies from-zone l2-trust to-zone l2-untrust policy p1 then permit
set security policies from-zone l2-trust to-zone l2-untrust policy p2 match source-address 10.1.1.1/24
set security policies from-zone l2-trust to-zone l2-untrust policy p2 match destination-address 20.1.1.1/32
set security policies from-zone l2-trust to-zone l2-untrust policy p2 match application ping
set security policies from-zone l2-trust to-zone l2-untrust policy p2 then permit
set security policies from-zone l2-trust to-zone l2-untrust policy p3 match source-address 10.1.1.1/24
set security policies from-zone l2-trust to-zone l2-untrust policy p3 match destination-address 20.1.1.1/32
set security policies from-zone l2-trust to-zone l2-untrust policy p3 match application ssh
set security policies from-zone l2-trust to-zone l2-untrust policy p3 then permit