Juniper SRX Detailed Configuration Manual (with annotations)
Juniper SRX Standard Configuration
Section 1: System Configuration
1. Device Initialization
Login
For the first login, connect to the SRX through the console port and log in as root; the password is empty.
login: root
Password:
--- JUNOS built 2009-07-16 15:04:30 UTC
root% cli    /*** enter operational mode ***/
root>
root> configure
Entering configuration mode    /*** enter configuration mode ***/
[edit]
root#
Set the root password
(The root account password must be configured; otherwise none of the subsequent configuration or changes can be committed.)
root# set system root-authentication plain-text-password
New password: root123
Retype new password: root123
The password is displayed in encrypted form:
root# show system root-authentication
encrypted-password "$1$xavDeUe6$"; ## SECRET-DATA
Note: It is strongly recommended not to use the other encryption options (such as the encrypted-password statement) to set the root or other user passwords. That parameter expects a string that has already been hashed by the encryption algorithm, so entering it by hand risks a password that cannot pass authentication.
Note: The root user is only used for local management of the SRX over the console; it cannot manage the SRX through a remote login. The root password must be set successfully before commit can be executed for any subsequent configuration commands.
Set up a remote management user
root# set system login user lab class super-user authentication plain-text-password
New password: juniper
Retype new password: srx123
Note: This juniper user has super-user privileges and can be used for both console and remote management access; other users with different management privileges can also be defined as needed.
2. System Management
Set the time zone
srx_admin# set system time-zone Asia/Shanghai    /*** Asia/Shanghai ***/
System time
Manual setting
srx_admin> set date <YYYYMMDDhhmm.ss>
srx_admin> show system uptime
Current time: 2015-11-20 15:37:14 UTC
System booted: 2015-11-20 15:21:48 UTC (2d 00:15 ago)
Protocols started: 2015-11-20 15:24:45 UTC (2d 00:12 ago)
Last configured: 2015-11-20 15:30:38 UTC (00:06:36 ago) by srx_admin
3:37PM  up 2 days, 15 mins, 3 users, load averages: ,
Synchronize with NTP once
srx_admin> set date ntp
 8 Feb 15:49:50 ntpdate[6616]: step time server offset sec
NTP server
srx_admin# set system ntp server <ntp-server>    /*** system NTP server; the device must be connected to the network and able to resolve the NTP server address, otherwise the command cannot be entered ***/
srx_admin> show ntp status
status=c011 sync_alarm, sync_unspec, 1 event, event_restart,
version="ntpd Fri Nov 20 15:44:16 UTC 2014 (1)",
processor="octeon", system="", leap=11, stratum=16,
precision=-17, rootdelay=, rootdispersion=, peer=0,
refid=INIT, reftime=Thu, Feb 7 2036 14:28:
poll=4, clock=Sun, Feb 8 2015 7:58:
state=0,
offset=, frequency=, jitter=, stability=
srx_admin@holy-shit> show ntp associations
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
3-16641
.INIT.16--640
DNS server
srx_admin# set system name-server <dns-server>    /*** SRX system DNS ***/
System restart
Reboot the system
srx_admin> request system reboot
Shut down the system
srx_admin> request system power-off
Alarm handling
View alarms
root# run show system alarms
2 alarms currently active
Alarm time               Class  Description
2015-11-20 14:21:49 UTC  Minor  Autorecovery information needs to be saved
2015-11-20 14:21:49 UTC  Minor  Rescue configuration is not set
Handle the alarms
Alarm 1:
root> request system autorecovery state save
Saving config recovery information
Saving license recovery information
Saving BSD label recovery information
Alarm 2:
root> request system configuration rescue save
Root password reset
If the SRX root password is lost and no other account with super-user privileges exists, password recovery must be performed. The procedure interrupts normal operation of the device but does not lose the configuration.
The steps are as follows:
1. Reboot the firewall. When the prompt below appears in the CRT terminal window, press the space bar to interrupt the normal boot, then enter single-user mode by typing: boot -s
Loading /boot/defaults/
/kernel data=0xb15b3c+0x13464c syms=[0x4+0x8bb00+0x4+0xcac15]
Hit [Enter] to boot immediately, or space bar for command prompt.
loader>
loader> boot -s
2. Perform the password recovery: at the prompt below type recovery; the device then reboots automatically.
Enter full pathname of shell or 'recovery' for root password recovery or RETURN for /bin/sh: recovery
***** FILE SYSTEM WAS MODIFIED *****
System watchdog timer disabled
Enter full pathname of shell or 'recovery' for root password recovery or RETURN for /bin/sh: recovery
3. Enter configuration mode, delete the root password, set a new root password, then commit and reboot.
root> configure
Entering configuration mode
[edit]
root# delete system root-authentication
[edit]
root# set system root-authentication plain-text-password
New password:
Retype new password:
[edit]
root# commit
commit complete
[edit]
root# exit
Exiting configuration mode
root> request system reboot
Reboot the system? [yes,no] (no) yes
Section 2: Network Settings
1. Interface
PPPoE
※ Encapsulate PPP on the external interface (fe-0/0/0)
srx_admin# set interfaces fe-0/0/0 unit 0 encapsulation ppp-over-ether
※ CHAP authentication
srx_admin# set interfaces pp0 unit 0 ppp-options chap default-chap-secret 90    /*** PPPoE password ***/
srx_admin# set interfaces pp0 unit 0 ppp-options chap local-name rxgjhygs@163    /*** PPPoE account ***/
srx_admin# set interfaces pp0 unit 0 ppp-options chap passive    /*** passive mode ***/
※ PAP authentication
srx_admin# set interfaces pp0 unit 0 ppp-options pap default-password 90    /*** PPPoE password ***/
srx_admin# set interfaces pp0 unit 0 ppp-options pap local-name rxgjhygs@163    /*** PPPoE account ***/
srx_admin# set interfaces pp0 unit 0 ppp-options pap local-password 90    /*** PPPoE password ***/
srx_admin# set interfaces pp0 unit 0 ppp-options pap passive    /*** passive mode ***/
※ Bind the PPP interface
srx_admin# set interfaces pp0 unit 0 pppoe-options underlying-interface fe-0/0/    /*** start PPPoE dialing on the external interface (fe-0/0/0) ***/
※ PPPoE dialing properties
srx_admin# set interfaces pp0 unit 0 pppoe-options idle-timeout 0    /*** idle timeout ***/
srx_admin# set interfaces pp0 unit 0 pppoe-options auto-reconnect 3    /*** redial automatically after 3 seconds ***/
srx_admin# set interfaces pp0 unit 0 pppoe-options client    /*** act as a PPPoE client ***/
srx_admin# set interfaces pp0 unit 0 family inet mtu 1492    /*** change the MTU of this interface to 1492, because the PPPoE header adds some overhead ***/
srx_admin# set interfaces pp0 unit 0 family inet negotiate-address    /*** negotiate the address automatically, i.e. the server assigns a dynamic address ***/
※ Default route
srx_admin# set routing-options static route <prefix> next-hop <next-hop>
※ Place the PPPoE interface in the untrust zone
srx_admin# set security zones security-zone untrust interfaces <pppoe-interface>
※ Verify that PPPoE has dialed up and obtained an IP address
srx_admin# run show interfaces terse | match pp
pp0        up    up
           up    up   inet   -->   up    up
ppe0       up    up
Note: After the PPPoE dial-up succeeds, adjust the MTU so that Internet access works best (an unsuitable MTU makes browsing sluggish).
srx_admin# set interfaces pp0 unit 0 family inet mtu 1304    /*** adjust the MTU ***/
srx_admin# set security flow tcp-mss all-tcp mss 1304    /*** adjust the TCP MSS (segment size) ***/
Manual
srx_admin# set interfaces fe-0/0/0 unit 0 family inet address <address/prefix>
DHCP
※ Enable a DHCP address pool
srx_admin# set system services dhcp pool <subnet> router <gateway>    /*** DHCP gateway ***/
srx_admin# set system services dhcp pool <subnet> address-range low <first-address>    /*** first address of the DHCP pool ***/
srx_admin# set system services dhcp pool <subnet> address-range high <last-address>    /*** last address of the DHCP pool ***/
srx_admin# set system services dhcp pool <subnet> default-lease-time 36000    /*** DHCP lease time ***/
srx_admin# set system services dhcp pool <subnet> domain-name <domain>    /*** domain name ***/
srx_admin# set system services dhcp pool <subnet> name-server <dns-server>    /*** DNS handed out by DHCP ***/
srx_admin# set system services dhcp pool <subnet> name-server <dns-server-2>
srx_admin# set system services dhcp propagate-settings <interface>    /*** DHCP distribution interface ***/
※ Configure the internal interface address
srx_admin# set interfaces vlan unit 0 family inet address <address/prefix>
※ Let the internal interface use the DHCP address pool
srx_admin# set security zones security-zone trust interfaces <internal-interface> host-inbound-traffic system-services dhcp
2. Routing
Static Route
srx_admin# set routing-options static route <prefix> next-hop <next-hop>    /*** default route ***/
srx_admin# set routing-options static route <prefix> next-hop <next-hop>    /*** route for the route-based VPN ***/
3. SNMP
srx_admin# set snmp community Ajitec authorization read-only    /*** SNMP monitoring permission: read-only or read-write ***/
srx_admin# set snmp client-list snmp_srx240 <address>    /*** SNMP monitoring host ***/
Section 3: Advanced Settings
Change the service ports
srx_admin# set system services web-management http port 8000    /*** change the HTTP port of the web management interface ***/
srx_admin# set system services web-management https port 1443    /*** change the HTTPS port of the web management interface ***/
Check the hardware serial number
srx# run show chassis hardware
Hardware inventory:
Item             Version  Part number  Serial number  Description
Chassis                                BZ2615AF0491   SRX100H2
Routing Engine   REV 05   650-048781   BZ2615AF0491   RE-SRX100H2
FPC 0                                                 FPC
PIC 0                                                 8x FE Base PIC
Power Supply 0
Enable services on the internal and external interfaces
※ Define the system services
srx_admin# set system services ssh
srx_admin# set system services telnet
srx_admin# set system services web-management http interface <interface>
srx_admin# set system services web-management http interface fe-0/0/
srx_admin# set system services web-management https interface <interface>
srx_admin# set system services web-management management-url admin    /*** for later use; without it access redirects directly ***/
※ Enable services on the internal interface
srx_admin# set security zones security-zone trust interfaces <internal-interface> host-inbound-traffic system-services ping    /*** allow ping ***/
srx_admin# set security zones security-zone trust interfaces <internal-interface> host-inbound-traffic system-services http    /*** allow http ***/
srx_admin# set security zones security-zone trust interfaces <internal-interface> host-inbound-traffic system-services telnet    /*** allow telnet ***/
※ Enable services on the external interface
srx_admin# set security zones security-zone untrust interfaces fe-0/0/ host-inbound-traffic system-services ping    /*** allow ping ***/
srx_admin# set security zones security-zone untrust interfaces fe-0/0/ host-inbound-traffic system-services telnet    /*** allow telnet ***/
srx_admin# set security zones security-zone untrust interfaces fe-0/0/ host-inbound-traffic system-services http    /*** allow http ***/
srx_admin# set security zones security-zone untrust interfaces fe-0/0/ host-inbound-traffic system-services all    /*** allow all services ***/
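The lines above open telnet and http, and finally every system service, towards the untrust zone. As an added example that is not part of this manual, the following Python script parses set lines of this shape and reports which cleartext management daemons would answer on an Internet-facing interface; the interface names vlan.0 and fe-0/0/0.0 in the sample are assumptions.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample mirroring the "enable services" section of the manual;
# the interface names vlan.0 and fe-0/0/0.0 are assumptions, not the manual's.
SAMPLE_CONFIG = """
set system services ssh
set system services telnet
set system services web-management http interface vlan.0
set system services web-management https interface vlan.0
set security zones security-zone trust interfaces vlan.0 host-inbound-traffic system-services ping
set security zones security-zone trust interfaces vlan.0 host-inbound-traffic system-services http
set security zones security-zone trust interfaces vlan.0 host-inbound-traffic system-services telnet
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services telnet
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services all
"""

CLEARTEXT = {"telnet", "http"}   # credentials cross the wire unencrypted
UNTRUSTED_ZONES = {"untrust"}    # zones facing the Internet / PPPoE uplink

ZONE_RE = re.compile(
    r"^set security zones security-zone (\S+) interfaces (\S+) "
    r"host-inbound-traffic system-services (\S+)$"
)
DAEMON_RE = re.compile(r"^set system services (telnet|ssh|web-management http)\b")

def audit(config: str) -> List[str]:
    """Return findings describing management exposure in the given set lines."""
    findings: List[str] = []
    per_if: Dict[Tuple[str, str], Set[str]] = {}
    for line in (l.strip() for l in config.splitlines()):
        m = DAEMON_RE.match(line)
        if m and m.group(1) != "ssh":
            findings.append(f"cleartext management daemon enabled: {m.group(1)}")
        m = ZONE_RE.match(line)
        if m:
            zone, ifname, svc = m.groups()
            per_if.setdefault((zone, ifname), set()).add(svc)
    for (zone, ifname), svcs in sorted(per_if.items()):
        exposed = zone in UNTRUSTED_ZONES
        if exposed and "all" in svcs:
            findings.append(f"{zone}/{ifname}: system-services all accepts every daemon")
        for svc in sorted(svcs & CLEARTEXT):
            tag = "reachable from untrust" if exposed else "inside only"
            findings.append(f"{zone}/{ifname}: {svc} allowed ({tag})")
    return findings
```

A daemon only answers on an interface when both the system service is enabled and the zone's host-inbound-traffic admits it, which is why the script reports the two layers separately.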
Create a custom application (service)
srx_admin# set applications application RDP term tcp protocol tcp    /*** protocol tcp ***/
srx_admin# set applications application RDP term tcp source-port 0-65535    /*** source port ***/
srx_admin# set applications application RDP term tcp destination-port 3389    /*** destination port ***/
srx_admin# set applications application RDP term udp protocol udp    /*** protocol udp; protocol is a single-value leaf, so tcp and udp are kept in separate terms of the same application instead of the second set overwriting the first ***/
srx_admin# set applications application RDP term udp source-port 0-65535    /*** source port ***/
srx_admin# set applications application RDP term udp destination-port 3389    /*** destination port ***/
VIP port mapping
※ Destination NAT configuration
srx_admin# set security nat destination pool 22 address <internal-address>    /*** destination NAT pool: the real internal address ***/
srx_admin# set security nat destination pool 22 address port 3389    /*** destination NAT pool: port on the internal address ***/
srx_admin# set security nat destination rule-set 2 from zone untrust    /*** destination NAT rule: traffic arrives from the untrust zone ***/
srx_admin# set security nat destination rule-set 2 rule 111 match source-address <source-address>    /*** destination NAT rule: any source address may access ***/
srx_admin# set security nat destination rule-set 2 rule 111 match destination-address <public-address>    /*** destination NAT rule: the destination address being accessed ***/
srx_admin# set security nat destination rule-set 2 rule 111 match destination-port 3389    /*** destination NAT rule: the destination port being accessed ***/
srx_admin# set security nat destination rule-set 2 rule 111 then destination-nat pool 22    /*** destination NAT rule: use the pool address ***/
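As an added example that is not from the manual, the following Python model mirrors how the rule-set above is evaluated: the ingress zone is checked first, then the source, destination and port matches, and a hit rewrites the packet to the pool. The public address 203.0.113.5, the internal address 192.0.2.10 and the test source are constructed values.

```python
import ipaddress
# Constructed sample following the manual's VIP (destination NAT) section;
# the public address 203.0.113.5 and internal 192.0.2.10 are assumptions.
DNAT_CONFIG = """
set security nat destination pool 22 address 192.0.2.10/32
set security nat destination pool 22 address port 3389
set security nat destination rule-set 2 from zone untrust
set security nat destination rule-set 2 rule 111 match source-address 0.0.0.0/0
set security nat destination rule-set 2 rule 111 match destination-address 203.0.113.5/32
set security nat destination rule-set 2 rule 111 match destination-port 3389
set security nat destination rule-set 2 rule 111 then destination-nat pool 22
"""

def parse(config: str):
    """Build pools, rule-set ingress zones and rules from the set lines."""
    pools, zones, rules = {}, {}, {}
    for w in (l.split() for l in config.splitlines() if l.strip()):
        if w[:5] == ["set", "security", "nat", "destination", "pool"]:
            pool = pools.setdefault(w[5], {})       # 'address x/32' or 'address port n'
            if w[7] == "port":
                pool["port"] = int(w[8])
            else:
                pool["address"] = w[7].split("/")[0]
        elif w[:5] == ["set", "security", "nat", "destination", "rule-set"]:
            if w[6] == "from":                      # 'from zone untrust'
                zones[w[5]] = w[8]
                continue
            r = rules.setdefault((w[5], w[7]), {"src": [], "dst": []})
            if w[8] == "match" and w[9].endswith("-address"):
                key = "src" if w[9] == "source-address" else "dst"
                r[key].append(ipaddress.ip_network(w[10]))
            elif w[8] == "match" and w[9] == "destination-port":
                r["dport"] = int(w[10])
            elif w[8:11] == ["then", "destination-nat", "pool"]:
                r["pool"] = w[11]
    return pools, zones, rules

def translate(cfg, zone, src, dst, dport):
    """Return (internal address, port) a packet is rewritten to, or None if no rule matches."""
    pools, zones, rules = cfg
    for (rs, _), r in rules.items():
        hit = (zones.get(rs) == zone and "pool" in r
               and any(ipaddress.ip_address(src) in n for n in r["src"])
               and any(ipaddress.ip_address(dst) in n for n in r["dst"])
               and r.get("dport") in (None, dport))
        if hit:
            pool = pools[r["pool"]]
            return pool["address"], pool.get("port", dport)   # no pool port keeps the original port
    return None
```

Destination NAT is applied before the policy lookup, so the security policy that follows has to permit the translated internal address rather than the public one.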
※ Policy configuration
srx_admin# set security policies from-zone untrust to-zone trus