Juniper SRX Detailed Configuration Manual (with annotations)
Juniper SRX standard configuration
super-user authentication plain-text-password
root# New password:
juniper
root# Retype new password:
srx123
Note:
This "juniper" user has super-user (full administrator) privileges and can be used for console and remote management access. Users with other, more restricted management privileges can be defined in the same way. Both prompts must receive the same password, otherwise the password is not accepted.
2. System management
1.2.1 Select the time zone
srx_admin# set system time-zone Asia/Shanghai /*** Asia/Shanghai ***/
1.2.2 System time
1.2.2.1 Set manually
srx_admin> set date 201511201537.00
/*** format is YYYYMMDDhhmm.ss ***/
srx_admin> show system uptime
Current time: 2015-11-20 15:37:14 UTC
System booted: 2015-11-20 15:21:48 UTC (2d 00:15 ago)
Protocols started: 2015-11-20 15:24:45 UTC (2d 00:12 ago)
Last configured: 2015-11-20 15:30:38 UTC (00:06:36 ago) by srx_admin
 3:37PM  up 2 days, 15 mins, 3 users, load averages: 0.07, 0.17, 0.14
1.2.2.2 One-off NTP synchronisation
srx_admin> set date ntp 202.120.2.101
 8 Feb 15:49:50 ntpdate[6616]: step time server 202.120.2.101 offset -28796.357071 sec
1.2.2.3 NTP servers
srx_admin# set system ntp server 202.100.102.1
srx_admin# set system ntp server ntp.api.bz
/*** NTP servers for the SRX system clock. To use a host name the device must be able to resolve it when the command is entered, otherwise the command is rejected ***/
srx_admin> show ntp status
status=c011 sync_alarm, sync_unspec, 1 event, event_restart,
version="ntpd 4.2.0-a Fri Nov 20 15:44:16 UTC 2014 (1)",
processor="octeon", system="JUNOS12.1X44-D35.5", leap=11, stratum=16,
precision=-17, rootdelay=0.000, rootdispersion=0.105, peer=0,
refid=INIT, reftime=00000000.00000000 Thu, Feb 7 2036 14:28:16.000,
poll=4, clock=d88195bc.562dc2db Sun, Feb 8 2015 7:58:52.336, state=0,
offset=0.000, frequency=0.000, jitter=0.008, stability=0.000
/*** leap=11, stratum=16 and refid=INIT together mean the SRX clock is not yet synchronised; until it is, log timestamps and certificate validity checks on the device cannot be trusted ***/
srx_admin@holy-shit> show ntp associations
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 15.179.156.248                   3 -   16   64     1    5.473   -0.953   0.008
 202.100.102.1    .INIT.         16 -    -   64     0    0.000    0.000 4000.00
/*** a peer showing .INIT., stratum 16 and reach 0 has never answered (unreachable server or NTP blocked on the path); the refid column of the first peer is not legible in the source ***/
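The two outputs above are what an operator reads to decide whether the SRX clock can be trusted. The following Python example is added here and is not part of the original manual: it parses `show ntp status` into a dictionary and `show ntp associations` into a peer list, then reports whether the local clock is synchronised and whether any peer is usable. The sample texts are constructed from the transcripts above; the refid assumed for the first peer and the 500 ms offset threshold are assumptions, not values from the manual.

```python
import re

# Constructed sample modelled on the `show ntp status` transcript above
SAMPLE_STATUS = """\
status=c011 sync_alarm, sync_unspec, 1 event, event_restart,
version="ntpd 4.2.0-a Fri Nov 20 15:44:16 UTC 2014 (1)",
processor="octeon", system="JUNOS12.1X44-D35.5", leap=11, stratum=16,
precision=-17, rootdelay=0.000, rootdispersion=0.105, peer=0,
refid=INIT, reftime=00000000.00000000 Thu, Feb 7 2036 14:28:16.000,
poll=4, clock=d88195bc.562dc2db Sun, Feb 8 2015 7:58:52.336, state=0,
offset=0.000, frequency=0.000, jitter=0.008, stability=0.000
"""

# Constructed sample modelled on `show ntp associations`; the refid of the
# first peer (202.120.2.101) is an assumption, it is not legible in the source
SAMPLE_ASSOC = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*15.179.156.248   202.120.2.101    3 -   16   64     1    5.473   -0.953   0.008
 202.100.102.1    .INIT.          16 -    -   64     0    0.000    0.000 4000.00
"""

TALLY_CODES = " x.-+#*o"   # ntpq/Junos peer selection codes in column 1


def parse_ntp_status(text):
    """Turn the key=value, key="quoted value" list into a dict of strings."""
    return {m.group(1): m.group(2).strip('"')
            for m in re.finditer(r'(\w+)=("[^"]*"|[^,\s]+)', text)}


def clock_is_synced(status):
    """leap=11 (leap indicator 3) means 'clock unsynchronised'; stratum 16
    means no usable upstream. Either one means the local clock is free-running."""
    return status.get("leap") != "11" and int(status.get("stratum", "16")) < 16


def parse_ntp_associations(text):
    """Parse the association table into a list of peer dicts."""
    peers = []
    for raw in text.splitlines():
        line = raw.rstrip()
        body = line.lstrip()
        if not body or body.startswith("remote") or body.startswith("="):
            continue                      # blank, header or separator line
        if line[0] in TALLY_CODES:
            tally, fields = line[0], line[1:].split()
        else:
            tally, fields = " ", line.split()
        if len(fields) != 10:
            continue                      # not a peer row
        remote, refid, st, t, when, poll, reach, delay, offset, jitter = fields
        peers.append({
            "tally": tally, "remote": remote, "refid": refid, "stratum": int(st),
            "type": t, "when": None if when == "-" else int(when),
            "poll": int(poll), "reach": int(reach, 8),   # reach is an octal shift register
            "delay": float(delay), "offset": float(offset), "jitter": float(jitter),
        })
    return peers


def ntp_health(peers, max_offset_ms=500.0):
    """Return (ok, reasons). A peer is unusable if it has never answered
    (refid .INIT., stratum 16, reach 0) or its offset exceeds the threshold."""
    reasons, usable = [], []
    for p in peers:
        if p["refid"] == ".INIT." or p["stratum"] >= 16 or p["reach"] == 0:
            reasons.append(f"{p['remote']}: no response (refid={p['refid']}, "
                           f"stratum={p['stratum']}, reach={p['reach']:o})")
        elif abs(p["offset"]) > max_offset_ms:
            reasons.append(f"{p['remote']}: offset {p['offset']} ms too large")
        else:
            usable.append(p)
    return bool(usable), reasons


if __name__ == "__main__":
    print("clock synced:", clock_is_synced(parse_ntp_status(SAMPLE_STATUS)))
    ok, why = ntp_health(parse_ntp_associations(SAMPLE_ASSOC))
    print("usable peer:", ok, why)
```

Run against the constructed samples, the status parser reports the clock as unsynchronised (matching the leap=11/stratum=16 in the transcript) while the association parser finds one usable peer and flags 202.100.102.1 as never having answered; on a device that has just been configured, the status should be re-checked after a few polling intervals before trusting it.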
1.2.3 DNS server
srx_admin# set system name-server 202.96.209.5 /*** DNS server used by the SRX itself ***/
1.2.4 System restart
1.2.4.1 Reboot the system
srx_admin> request system reboot
1.2.4.2 Power off the system
srx_admin> request system power-off
1.2.5 Alarm handling
1.2.5.1 Viewing alarms
root# run show system alarms
2 alarms currently active
Alarm time               Class  Description
2015-11-20 14:21:49 UTC  Minor  Autorecovery information needs to be saved
2015-11-20 14:21:49 UTC  Minor  Rescue configuration is not set
1.2.5.2 Clearing the alarms
Alarm 1:
root> request system autorecovery state save
Saving config recovery information
Saving license recovery information
Saving BSD label recovery information
Alarm 2:
root> request system configuration rescue save
/*** the rescue configuration is the known-good configuration that "rollback rescue" restores; save it only after a commit that is known to work ***/
1.2.6 Resetting the root password
If the SRX root password is lost and no other account with super-user privileges exists, password recovery must be performed. This interrupts normal operation of the device but does not lose the configuration. It requires console access during boot, which is also why physical access to the console port must be controlled: anyone who can reach it can reset root the same way.
Steps:
1. Reboot the firewall. When the prompt below appears in the console terminal (CRT), press the space bar to interrupt the normal boot, then boot into single-user mode by entering:
boot -s
Loading /boot/defaults/loader.conf
/kernel data=0xb15b3c+0x13464c syms=[0x4+0x8bb00+0x4+0xcac15]
Hit [Enter] to boot immediately, or space bar for command prompt.
loader>
loader> boot -s
2. Run password recovery:
At the prompt below, type recovery; the device continues the boot automatically
Enter full pathname of shell or 'recovery' for root password recovery or RETURN for /bin/sh:
recovery
***** FILE SYSTEM WAS MODIFIED *****
System watchdog timer disabled
Enter full pathname of shell or 'recovery' for root password recovery or RETURN for /bin/sh:
recovery
3. Enter configuration mode, delete the old root password, set a new one, commit and reboot
root> configure
Entering configuration mode
[edit]
root# delete system root-authentication
[edit]
root# set system root-authentication plain-text-password
New password:
Retype new password:
[edit]
root# commit
commit complete
[edit]
root# exit
Exiting configuration mode
root> request system reboot
Reboot the system? [yes,no] (no) yes
Section 2 Network settings
2.1 Interface
2.1.1 PPPoE
※ Encapsulate PPP on the external interface (fe-0/0/0)
srx_admin# set interfaces fe-0/0/0 unit 0 encapsulation ppp-over-ether
※ CHAP authentication
srx_admin# set interfaces pp0 unit 0 ppp-options chap default-chap-secret 1234567890
/*** PPPoE password ***/
srx_admin# set interfaces pp0 unit 0 ppp-options chap local-name rxgjhygs@163
/*** PPPoE account ***/
srx_admin# set interfaces pp0 unit 0 ppp-options chap passive
/*** passive mode: only answer CHAP challenges from the server, never initiate ***/
※ PAP authentication
srx_admin# set interfaces pp0 unit 0 ppp-options pap default-password 1234567890
/*** PPPoE password ***/
srx_admin# set interfaces pp0 unit 0 ppp-options pap local-name rxgjhygs@163
/*** PPPoE account ***/
srx_admin# set interfaces pp0 unit 0 ppp-options pap local-password 1234567890
/*** PPPoE password ***/
srx_admin# set interfaces pp0 unit 0 ppp-options pap passive
/*** passive mode ***/
※ Bind the PPP interface to the physical interface
srx_admin# set interfaces pp0 unit 0 pppoe-options underlying-interface fe-0/0/0.0
/*** run the PPPoE session over the external interface (fe-0/0/0) ***/
※ PPPoE dial-up properties
srx_admin# set interfaces pp0 unit 0 pppoe-options idle-timeout 0
/*** idle timeout in seconds; 0 means the session is never dropped for inactivity ***/
srx_admin# set interfaces pp0 unit 0 pppoe-options auto-reconnect 3
/*** redial automatically after 3 seconds ***/
srx_admin# set interfaces pp0 unit 0 pppoe-options client
/*** this device is the PPPoE client ***/
srx_admin# set interfaces pp0 unit 0 family inet mtu 1492
/*** set the MTU of this interface to 1492, because the PPPoE header takes 8 bytes out of every 1500-byte Ethernet frame ***/
srx_admin# set interfaces pp0 unit 0 family inet negotiate-address
/*** negotiate the address, i.e. accept the dynamic address assigned by the server ***/
※ Default route
srx_admin# set routing-options static route 0.0.0.0/0 next-hop pp0.0
※ Place the PPPoE interface in the untrust zone
srx_admin# set security zones security-zone untrust interfaces pp0.0
※ Verify that the PPPoE session is up and has obtained an IP address
srx_admin# run show interfaces terse | match pp
pp0      up    up
pp0.0    up    up   inet   192.168.163.1    --> 1.1.1.1
ppd0     up    up
ppe0     up    up
Note:
After the PPPoE session is up, the MTU may need tuning for the best browsing experience (an unsuitable MTU makes connections stall):
srx_admin# set interfaces pp0 unit 0 family inet mtu 1304 /*** adjust the MTU ***/
srx_admin# set security flow tcp-mss all-tcp mss 1304 /*** clamp the TCP MSS ***/
The MSS should normally be 40 bytes below the MTU (20 bytes of IPv4 header plus 20 bytes of TCP header), for example 1452 for an MTU of 1492; an MSS equal to the MTU, as in the two lines above, still produces full-size segments that have to be fragmented.
2.1.2 Manual (static address)
srx_admin# set interfaces fe-0/0/0 unit 0 family inet address 202.105.41.138/29
2.1.3 DHCP
※ Enable a DHCP address pool
srx_admin# set system services dhcp pool 192.168.1.0/24 router 192.168.1.1
/*** default gateway handed out by DHCP ***/
srx_admin# set system services dhcp pool 192.168.1.0/24 address-range low 192.168.1.2
/*** first address of the pool ***/
srx_admin# set system services dhcp pool 192.168.1.0/24 address-range high 192.168.1.254
/*** last address of the pool ***/
srx_admin# set system services dhcp pool 192.168.1.0/24 default-lease-time 36000
/*** lease time in seconds ***/
srx_admin# set system services dhcp pool 192.168.1.0/24 domain-name
/*** domain name handed out by DHCP; the domain itself follows domain-name ***/
srx_admin# set system services dhcp pool 192.168.1.0/24 name-server 202.96.209.133
/*** DNS servers handed out by DHCP ***/
srx_admin# set system services dhcp pool 192.168.1.0/24 name-server 202.96.209.5
srx_admin# set system services dhcp propagate-settings vlan.0
/*** propagate-settings copies the DNS and domain settings that the SRX itself received as a DHCP client on the named interface into the pool. It is normally pointed at the WAN-facing interface, not at the LAN interface vlan.0, and has no effect unless the named interface obtains its address via DHCP ***/
※ Configure the internal interface address
srx_admin# set interfaces vlan unit 0 family inet address 192.168.1.1/24
※ Allow DHCP requests arriving on the internal interface to reach the SRX; the pool is served on the interface whose address lies in 192.168.1.0/24
srx_admin# set security zones security-zone trust interfaces vlan.0 host-inbound-traffic system-services dhcp
2.2 Routing
Static routes
srx_admin# set routing-options static route 0.0.0.0/0 next-hop 116.228.60.153
/*** default route ***/
srx_admin# set routing-options static route 10.50.10.0/24 next-hop st0.0
/*** route for a route-based VPN: traffic to the remote subnet is sent into the st0.0 tunnel interface ***/
2.3 SNMP
srx_admin# set snmp community Ajitec authorization read-only
/*** SNMP community and its privilege: read-only for monitoring; read-write only if the management station really has to change the device ***/
srx_admin# set snmp client-list snmp_srx240 10.192.8.99/32
/*** hosts allowed to poll ***/
A client-list only restricts access once it is referenced from the community with the client-list-name option; defining the list on its own, as above, does not apply it to the community.
Section 3 Advanced settings
3.1.1 Changing the management service ports
srx_admin# set system services web-management http port 8000
/*** change the HTTP port of the web management UI ***/
srx_admin# set system services web-management https port 1443
/*** change the HTTPS port of the web management UI ***/
3.1.2 Checking the hardware serial number
srx# run show chassis hardware
Hardware inventory:
Item             Version  Part number  Serial number     Description
Chassis                                BZ2615AF0491      SRX100H2
Routing Engine   REV 05   650-048781   BZ2615AF0491      RE-SRX100H2
FPC 0                                                    FPC
  PIC 0                                                  8x FE Base PIC
Power Supply 0
3.1.3 Enabling management services on the internal and external interfaces
※ Define the system services
srx_admin# set system services ssh
srx_admin# set system services telnet
srx_admin# set system services web-management http interface vlan.0
srx_admin# set system services web-management http interface fe-0/0/0.0
srx_admin# set system services web-management https interface vlan.0
srx_admin# set system services web-management management-url admin
/*** afterwards the management page is reached at https://ip/admin; without this option the bare address goes straight to the login page ***/
※ Enable services on the internal interface
srx_admin# set security zones security-zone trust interfaces vlan.0 host-inbound-traffic system-services ping /*** allow ping ***/
srx_admin# set security zones security-zone trust interfaces vlan.0 host-inbound-traffic system-services http /*** allow http ***/
srx_admin# set security zones security-zone trust interfaces vlan.0 host-inbound-traffic system-services telnet /*** allow telnet ***/
※ Enable services on the external interface
srx_admin# set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ping /*** allow ping ***/
srx_admin# set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services telnet /*** allow telnet ***/
srx_admin# set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services http /*** allow http ***/
srx_admin# set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services all /*** allow all services ***/
Caution: the four lines for the external interface expose cleartext telnet and HTTP management, and finally every system service, to the Internet-facing zone, and the "all" line makes the per-service lines redundant. On an untrust interface keep host-inbound-traffic to the encrypted services actually needed (ssh, https) and restrict the management sources with a security policy or firewall filter.
3.1.4 Creating custom applications (services)
srx_admin# set applications application RDP protocol tcp /*** protocol: TCP ***/
srx_admin# set applications application RDP source-port 0-65535 /*** source port ***/
srx_admin# set applications application RDP destination-port 3389 /*** destination port ***/
srx_admin# set applications application RDP protocol udp /*** protocol: UDP ***/
srx_admin# set applications application RDP source-port 0-65535 /*** source port ***/
srx_admin# set applications application RDP destination-port 3389 /*** destination port ***/
Note: protocol under an application is a single-valued leaf, so the second "protocol udp" line replaces "protocol tcp" rather than adding to it; the application above ends up matching UDP/3389 only. To match both, define one application per protocol and group them in an application-set.
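Sections 3.1.3 and 3.1.4 above are where this manual opens cleartext management to the untrust zone and silently loses the TCP half of the RDP application. The following Python example is added here and is not part of the original manual: it audits a configuration in set format for both problems and emits the corrected application definitions. The configuration text is constructed from the commands above; the set of zone names treated as untrusted and the "<app>-set" name for the application-set are assumptions.

```python
import re
from collections import defaultdict

# Constructed excerpt of the set commands from sections 3.1.3 and 3.1.4 above
CONFIG = """\
set system services ssh
set system services telnet
set system services web-management http interface vlan.0
set system services web-management http interface fe-0/0/0.0
set system services web-management https interface vlan.0
set security zones security-zone trust interfaces vlan.0 host-inbound-traffic system-services ping
set security zones security-zone trust interfaces vlan.0 host-inbound-traffic system-services http
set security zones security-zone trust interfaces vlan.0 host-inbound-traffic system-services telnet
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services telnet
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services http
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services all
set applications application RDP protocol tcp
set applications application RDP source-port 0-65535
set applications application RDP destination-port 3389
set applications application RDP protocol udp
set applications application RDP source-port 0-65535
set applications application RDP destination-port 3389
"""

CLEARTEXT = {"telnet", "http", "ftp", "finger"}   # management protocols without encryption
UNTRUSTED_ZONES = {"untrust"}                      # assumed: zone names facing the Internet

ZONE_SVC = re.compile(r"^set security zones security-zone (\S+) interfaces (\S+) "
                      r"host-inbound-traffic system-services (\S+)$")
SYS_SVC = re.compile(r"^set system services (\S+)$")
APP_PROTO = re.compile(r"^set applications application (\S+) protocol (\S+)$")


def audit_host_inbound(config, untrusted=UNTRUSTED_ZONES):
    """Findings as (zone, interface, service, reason) for interfaces in untrusted
    zones that accept a cleartext management protocol or the 'all' wildcard."""
    findings = []
    for line in config.splitlines():
        m = ZONE_SVC.match(line.strip())
        if not m or m.group(1) not in untrusted:
            continue
        zone, ifname, svc = m.groups()
        if svc == "all":
            findings.append((zone, ifname, svc,
                             "'all' admits every system service, making the per-service lines moot"))
        elif svc in CLEARTEXT:
            findings.append((zone, ifname, svc, "cleartext management protocol exposed"))
    return findings


def cleartext_services_enabled(config):
    """Globally enabled cleartext daemons (e.g. 'set system services telnet')."""
    found = []
    for line in config.splitlines():
        m = SYS_SVC.match(line.strip())
        if m and m.group(1) in CLEARTEXT:
            found.append(m.group(1))
    return sorted(found)


def audit_application_protocol(config):
    """'protocol' under an application is a single-valued leaf: a later set
    replaces the earlier one. Return {app: [protocols in order]} for every
    application whose protocol was set more than once."""
    seen = defaultdict(list)
    for line in config.splitlines():
        m = APP_PROTO.match(line.strip())
        if m:
            seen[m.group(1)].append(m.group(2))
    return {app: protos for app, protos in seen.items() if len(protos) > 1}


def split_application(app, protos, dest_port):
    """Commands that really match every protocol: one application per protocol,
    grouped in an application-set (the '<app>-set' name is an assumption) so a
    security policy can reference the group."""
    cmds = []
    for proto in protos:
        name = f"{app}-{proto}"
        cmds.append(f"set applications application {name} protocol {proto}")
        cmds.append(f"set applications application {name} destination-port {dest_port}")
        cmds.append(f"set applications application-set {app}-set application {name}")
    return cmds


if __name__ == "__main__":
    for f in audit_host_inbound(CONFIG):
        print("FINDING", *f)
    print("cleartext daemons:", cleartext_services_enabled(CONFIG))
    for app, protos in audit_application_protocol(CONFIG).items():
        print(f"{app}: protocol set {len(protos)} times, only '{protos[-1]}' survives")
        print("\n".join(split_application(app, protos, 3389)))
```

The same three regexes can be run over the output of `show configuration | display set` taken from a live device; the trust-zone telnet and http lines are deliberately not reported, since the point of the check is exposure on the Internet-facing zone, not LAN hygiene.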
3.1.5 VIP port mapping
※ Destination NAT configuration
srx_admin# set security nat destination pool 22 address 192.168.1.20/32
/*** destination NAT pool: the real internal address ***/
srx_admin# set security nat destination pool 22 address port 3389
/*** destination NAT pool: the port on the internal host ***/
srx_admin# set security nat destination rule-set 2 from zone untrust
/*** destination NAT rule-set: traffic arrives from the untrust zone ***/
srx_admin# set security nat destination rule-set 2 rule 111 match source-address 0.0.0.0/0
/*** destination NAT rule: any source address ***/
srx_admin# set security nat destination rule-set 2 rule 111 match destination-address 116.228.60.154/32
/*** destination NAT rule: the public address being accessed is 116.228.60.154 ***/
srx_admin# set security nat destination rule-set 2 rule