Juniper SRX Detailed Configuration Handbook, with Annotations
- Upload date: 2023-01-13
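The password is displayed in encrypted form:
root# show system root-authentication
encrypted-password "$1$xavDeUe6$fNM6olGU.8.M7B62u05D6."; ## SECRET-DATA
Note:
It is strongly recommended not to use the other encryption option (the encrypted-password form) to set the root and other user passwords. That parameter requires the value entered to be a string that has already been encrypted by the hashing algorithm, so a password typed in by hand this way risks failing authentication.
Note:
The root user is used only for local management of the SRX over the console connection and cannot manage the SRX by remote login. The root password must be set successfully before commit can be run to submit any subsequent configuration commands.
1.1.3 Setting up a remote-login administrative user
root# set system login user lab class super-user authentication plain-text-password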
juniper
srx123
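This juniper user has super-administrator privileges and can be used for both console and remote management access. Other users with different management privileges can also be defined as needed.
2. System Management
1.2.1 Selecting the time zone
srx_admin# set system time-zone Asia/Shanghai /*** Asia/Shanghai ***/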
1.2.2 System time
1.2.2.1 Setting the time manually
srx_admin> set date 1137.00
show system uptime
Current time: -11-20 15:37:14 UTC
System booted: 21:48 UTC (2d 00:15 ago)
Protocols started: 24:45 UTC (2d 00:12 ago)
Last configured: 30:38 UTC (00:06:36 ago) by srx_admin
3:37PM up 2 days, 15 mins, 3 users, load averages: 0.07, 0.17, 0.14
1.2.2.2 One-time NTP synchronization
set date ntp 202.120.2.101
8 Feb 15:49:50 ntpdate[6616]: step time server 202.120.2.101 offset -28796.357071 sec
1.2.2.3 NTP servers
srx_admin# set system ntp server 202.100.102.1
srx_admin# set system ntp server ntp.api.bz
/*** NTP servers for the SRX system. The device must be online and able to resolve the NTP hostname, otherwise the command cannot be entered ***/
show ntp status
status=c011 sync_alarm, sync_unspec, 1 event, event_restart,
version="ntpd 4.2.0-a Fri Nov 20 15:44:16 UTC (1)",
processor="octeon", system="JUNOS12.1X44-D35.5", leap=11, stratum=16,
precision=-17, rootdelay=0.000, rootdispersion=0.105, peer=0,
refid=INIT, reftime=00000000.00000000 Thu, Feb 7 2036 14:28:16.000,
poll=4, clock=d88195bc.562dc2db Sun, Feb 8 7:58:52.336, state=0,
offset=0.000, frequency=0.000, jitter=0.008, stability=0.000
srx_admin@holy-shit> show ntp associations
remote refid st t when poll reach delay offset jitter
==============================================================================
15.179.156.2483-166415.473-0.9530.008
202.100.102.1 .INIT. 16 - - 64 0 0.000 0.000 4000.00
1.2.3 DNS server
srx_admin# set system name-server 202.96.209.5 /*** DNS server for the SRX system ***/
1.2.4 Rebooting and shutting down
1.2.4.1 Rebooting the system
srx_admin> request system reboot
1.2.4.2 Shutting down the system
request system power-off
1.2.5 Handling alarms
1.2.5.1 Viewing alarms
root# run show system alarms
2 alarms currently active
Alarm time Class Description
-11-20 14:49 UTC Minor Autorecovery information needs to be saved
49 UTC Minor Rescue configuration is not set
1.2.5.2 Clearing alarms
Clearing the first alarm
request system autorecovery state save
Saving config recovery information
Saving license recovery information
Saving BSD label recovery information
Clearing the second alarm
request system configuration rescue save
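1.2.6 Resetting the root password
If the SRX root password has been lost and no other account with super-user privileges exists, password recovery has to be performed. The procedure interrupts normal operation of the device but does not lose the configuration.
The steps are as follows:
1. Reboot the firewall. When the prompt below appears in CRT, press the space bar to interrupt the normal boot, then enter single-user mode by typing:
boot -s
Loading /boot/defaults/loader.conf
/kernel data=0xb15b3c+0x13464c syms=[0x4+0x8bb00+0x4+0xcac15]
Hit [Enter] to boot immediately, or space bar for command prompt.
loader> boot -s
2. Run password recovery:
Type recovery after the prompt text below; the device then reboots automatically.
Enter full pathname of shell or 'recovery' for root password recovery or RETURN for /bin/sh: recovery
***** FILE SYSTEM WAS MODIFIED *****
System watchdog timer disabled
3. Enter configuration mode, delete the root password, set a new root password, then save and reboot.
Entering configuration mode
[edit]
root# delete system root-authentication
root# set system root-authentication plain-text-password
New password:
Retype new password:
root# commit
commit complete
root# exit
Exiting configuration mode
request system reboot
Reboot the system ? [yes,no] (no) yes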
Section 2: Network Settings
2.1 Interface
2.1.1 PPPoE
※ Set PPP encapsulation on the external interface (fe-0/0/0)
srx_admin# set interfaces fe-0/0/0 unit 0 encapsulation ppp-over-ether
※ CHAP authentication configuration
srx_admin# set interfaces pp0 unit 0 ppp-options chap default-chap-secret
/*** PPPoE password ***/
srx_admin# set interfaces pp0 unit 0 ppp-options chap local-name rxgjhygs@163
/*** PPPoE account ***/
srx_admin# set interfaces pp0 unit 0 ppp-options chap passive
/*** Use passive mode ***/
※ PAP authentication configuration
srx_admin# set interfaces pp0 unit 0 ppp-options pap default-password
srx_admin# set interfaces pp0 unit 0 ppp-options pap local-name rxgjhygs@163
srx_admin# set interfaces pp0 unit 0 ppp-options pap local-password
srx_admin# set interfaces pp0 unit 0 ppp-options pap passive
※ Binding the PPP interface
srx_admin# set interfaces pp0 unit 0 pppoe-options underlying-interface fe-0/0/0.0
/*** Enable PPPoE dialing on the external interface (fe-0/0/0) ***/
※ PPPoE dialing attributes
srx_admin# set interfaces pp0 unit 0 pppoe-options idle-timeout 0
/*** Idle timeout value ***/
srx_admin# set interfaces pp0 unit 0 pppoe-options auto-reconnect 3
/*** Redial automatically after 3 seconds ***/
srx_admin# set interfaces pp0 unit 0 pppoe-options client
/*** Act as a PPPoE client ***/
srx_admin# set interfaces pp0 unit 0 family inet mtu 1492
/*** Change the MTU of this interface to 1492, because the PPPoE header adds some overhead ***/
srx_admin# set interfaces pp0 unit 0 family inet negotiate-address
/*** Negotiate the address automatically, i.e. the server assigns a dynamic address ***/
※ Default route
srx_admin# set routing-options static route 0.0.0.0/0 next-hop pp0.0
※ Place the PPPoE interface in the untrust zone
srx_admin# set security zones security-zone untrust interfaces pp0.0
※ Verify that PPPoE has connected and obtained an IP address
srx_admin# run show interfaces terse | match pp
pp0 up up
pp0.0 up up inet 192.168.163.1 --> 1.1.1.1
ppd0 up up
ppe0 up up
After PPPoE has connected, the MTU value needs to be adjusted for the best browsing experience (an unsuitable MTU makes browsing sluggish).
srx_admin# set interfaces pp0 unit 0 family inet mtu 1304 /*** Adjust the MTU size ***/
srx_admin# set security flow tcp-mss all-tcp mss 1304 /*** Adjust the TCP segment size ***/
2.1.2 Manual
srx_admin# set interfaces fe-0/0/0 unit 0 family inet address 202.105.41.138/29
2.1.3 DHCP
※ Enable the DHCP address pool
srx_admin# set system services dhcp pool 192.168.1.0/24 router 192.168.1.1
/*** DHCP gateway ***/
srx_admin# set system services dhcp pool 192.168.1.0/24 address-range low 192.168.1.2
/*** First address of the DHCP pool ***/
srx_admin# set system services dhcp pool 192.168.1.0/24 address-range high 192.168.1.254
/*** Last address of the DHCP pool ***/
srx_admin# set system services dhcp pool 192.168.1.0/24 default-lease-time 36000
/*** DHCP lease time ***/
srx_admin# set system services dhcp pool 192.168.1.0/24 domain-name
/*** DHCP domain name ***/
srx_admin# set system services dhcp pool 192.168.1.0/24 name-server 202.96.209.133
/*** DNS server handed out by DHCP ***/
srx_admin# set system services dhcp pool 192.168.1.0/24 name-server 202.96.209.5
srx_admin# set system services dhcp propagate-settings vlan.0 /*** Interface on which DHCP is served ***/
※ Configure the internal interface address
srx_admin# set interfaces vlan unit 0 family inet address 192.168.1.1/24
※ Allow DHCP on the internal interface
srx_admin# set security zones security-zone trust interfaces vlan.0 host-inbound-traffic system-services dhcp
2.2 Routing
Static Route
srx_admin# set routing-options static route 0.0.0.0/0 next-hop 116.228.60.153
/*** Default route ***/
srx_admin# set routing-options static route 10.50.10.0/24 next-hop st0.0
/*** Route for the route-based VPN ***/
2.3 SNMP
srx_admin# set snmp community Ajitec authorization read-only
/*** SNMP monitoring permission: read-only or read-write ***/
srx_admin# set snmp client-list snmp_srx240 10.192.8.99/32
/*** SNMP monitoring host ***/
Section 3: Advanced Settings
3.1.1 Changing service ports
srx_admin# set system services web-management http port 8000
/*** Change the web HTTP management port number ***/
srx_admin# set system services web-management https port 1443
/*** Change the web HTTPS management port number ***/
3.1.2 Checking the hardware serial number
srx# run show chassis hardware
Hardware inventory:
Item             Version  Part number  Serial number  Description
Chassis                                BZ2615AF0491   SRX100H2
Routing Engine   REV 05                BZ2615AF0491   RE-SRX100H2
FPC 0                                                 FPC
PIC 0                                                 8x FE Base PIC
Power Supply 0
3.1.3 Enabling services on the internal and external interfaces
※ Define the system services
srx_admin# set system services ssh
srx_admin# set system services telnet
srx_admin# set system services web-management http interface vlan.0
srx_admin# set system services web-management http interface fe-0/0/0.0
srx_admin# set system services web-management https interface vlan.0
srx_admin# set system services web-management management-url admin
/*** Afterwards the management page is reached at https://ip/admin; if this is not set, the browser is redirected directly ***/
※ Enable services on the internal interface
srx_admin# set security zones security-zone trust interfaces vlan.0 host-inbound-traffic system-services ping /*** Enable ping ***/
srx_admin# set security zones security-zone trust interfaces vlan.0 host-inbound-traffic system-services http /*** Enable http ***/
srx_admin# set security zones security-zone trust interfaces vlan.0 host-inbound-traffic system-services telnet /*** Enable telnet ***/
※ Enable services on the external interface
srx_admin# set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ping /*** Enable ping ***/
srx_admin# set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services telnet /*** Enable telnet ***/
srx_admin# set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services http /*** Enable http ***/
srx_admin# set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services all /*** Enable all services ***/
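Added example, not part of the original handbook: a small Python audit that reads Junos set-format configuration and flags the management-plane exposure created by commands like those in 3.1.3 (telnet, http or all services accepted on the untrust interface), plus read-write SNMP and $1$ password hashes. The sample configuration is constructed, and the severity labels and the choice of untrust as the only Internet-facing zone are assumptions.

```python
import re
# Constructed sample in Junos "set" format, modelled on this handbook's commands.
SAMPLE = """\
set system root-authentication encrypted-password "$1$EXAMPLE$constructed.not.a.real.hash"
set system services ssh
set system services telnet
set system services web-management http interface fe-0/0/0.0
set system services web-management https interface vlan.0
set snmp community EXAMPLE authorization read-write
set security zones security-zone trust interfaces vlan.0 host-inbound-traffic system-services telnet
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services http
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services all
"""

HOST_INBOUND = re.compile(
    r"^set security zones security-zone (\S+) (?:interfaces (\S+) )?"
    r"host-inbound-traffic system-services (\S+)$")
CLEARTEXT = {"telnet", "http", "ftp"}  # management protocols sent unencrypted
EXTERNAL_ZONES = {"untrust"}           # assumption: the Internet-facing zones

def audit(config, external_zones=EXTERNAL_ZONES):
    """Return (severity, line_no, message) findings for a set-format config."""
    findings = []
    for no, raw in enumerate(config.splitlines(), 1):
        line = " ".join(raw.split())   # normalise whitespace
        m = HOST_INBOUND.match(line)
        if m:
            zone, ifname, svc = m.groups()
            where = f"zone {zone}" + (f" ({ifname})" if ifname else "")
            if zone in external_zones and svc in ("all", "any-service"):
                findings.append(("high", no, f"all host-inbound services open on {where}"))
            elif zone in external_zones and svc in CLEARTEXT:
                findings.append(("high", no, f"cleartext {svc} reachable from {where}"))
            elif svc in CLEARTEXT:
                findings.append(("medium", no, f"cleartext {svc} allowed on {where}"))
        elif line == "set system services telnet":
            findings.append(("medium", no, "telnet daemon enabled"))
        elif re.match(r"set system services web-management http( |$)", line):
            findings.append(("medium", no, "J-Web served over plain http"))
        elif re.match(r"set snmp community \S+ authorization read-write$", line):
            findings.append(("medium", no, "SNMP community is read-write"))
        elif re.search(r'encrypted-password "\$1\$', line):
            findings.append(("low", no, "password stored as MD5-crypt ($1$)"))
    return findings

if __name__ == "__main__":
    for severity, no, message in audit(SAMPLE):
        print(f"{severity:6} line {no:2}: {message}")
```

Feed it the output of show configuration | display set; lines it does not recognise are ignored rather than reported.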
3.1.4 Creating a custom application (service)
srx_admin# set applications application RDP protocol tcp /*** Select tcp as the protocol ***/
srx_admin# set applications application RDP source-port 0-65535 /*** Source port ***/
srx_admin# set applications application RDP destination-port 3389 /*** Destination port ***/
srx_admin# set applications application RDP protocol udp /*** Select udp as the protocol ***/
3.1.5 VIP port mapping
※ Destination NAT configuration
srx_admin# set security nat de