Juniper_EX交换机命令整理

juniper交换机命令整理
1.连接VCP
Configure SWA-0 with the virtual m anagement Ethernet (VME) interface for out-of-band m anagement of the Virtual Chassis configuration, if desired. [edit]
user@SWA-0# set interfaces vm e unit 0 fam ily inet /ip-address/mask/
show">user@SWA-0>show virtual-chassis status
Virtual Chassis ID: 0019.e250.47a0
Mastership Neighbor List
Mem ber ID Status Serial No Model priority Role ID Interface
0 (FPC 0) Prsnt AK020******* ex4200-48p 128 Master* 1 vcp-0
1 vcp-1
1 (FPC 1) Prsnt AK020******* ex4200-24t 128 Backup 0 vcp-0
0 vcp-1
Mem ber ID for next new m ember: 2 (FPC 2)
user@SWA-0>show virtual-chassis vc-port all-m embers
fpc0:
--------------------------------------------------------------------------
Interface Type Status
or
PIC / Port
vcp-0 Dedicated Up
vcp-1 Dedicated Up
fpc1:
--------------------------------------------------------------------------
Interface Type Status
or
PIC / Port
vcp-0 Dedicated Up
vcp-1 Dedicated Up
Modify the m astership priority values(修改VC组成员优先级缺省是128）
[edit virtual-chassis]
user@SWA-1# set m ember 1 m astership-priority 255
缺省情况下EX交换机的端口都配置为L2的方式，如果需要更改为L3接口，需要删除原接口2层封装
del interfaces ge-0/0/0 unit 0 fam ily ethernet-switching
set interfaces ge-0/0/0 unit 0 family inet address 192.168.100.2/24
创建VLAN
set vlans nam e vlan-id xx
配置VLAN的L3接口地址
set vlans nam e l3-interface vlan.xx
set interface vlan xx unit xx family inet address x.x.x.x/24
将某个交换端口添加到创建好的VLAN中
set interface ge-0/0/x unit 0 family ethernet-switching port-m ode access vlan members name
配置T RUNK端口
set interface ge-0/0/23 unit 0 family ethernet-switching port-m ode trunk nativ e-vlan-id 1 vlan m ember xx
配置冗余RE组
set groups re0 system host-nam e GZ_LAB_M10i_1_RE0
set groups re0 interfaces fxp0 unit 0 fam ily inet address 172.27.69.34/24
set groups re0 routing-options static route 0.0.0.0/0 next-hop 172.27.69.1
set groups re1 system host-nam e GZ_LAB_M10i_1_RE1
set groups re1 interfaces fxp0 unit 0 fam ily inet address 172.27.69.35/24
set groups re1 routing-options static route 0.0.0.0/0 next-hop 172.27.69.1
配置VRF并绑定3层VLAN 接口
set routing-instances vrf-1 instance-type vrf
set routing-instances vrf-1 interface vlan.10
set routing-instances vrf-1 route-distinguisher 65000:100
set routing-instances vrf-1 vrf-target target:65000:100
set routing-instances vrf-2 instance-type vrf
set routing-instances vrf-2 interface vlan.20
set routing-instances vrf-2 route-distinguisher 65000:200
set routing-instances vrf-2 vrf-target target:65000:200
show route ter 可以看到路由分类
配置各VRF到PE的路由分别以OSPF和静态举例：====================== ===========================
set routing-instances vrf-1 instance-type vrf
set routing-instances vrf-1 interface vlan.10
set routing-instances vrf-1 route-distinguisher 65000:100
set routing-instances vrf-1 vrf-target target:65000:100
set routing-instances vrf-1 protocols ospf area 0.0.0.0 interface vlan.10
show ospf neighbor instance vrf-1
set routing-instances vrf-2 instance-type vrf
set routing-instances vrf-2 interface vlan.20
set routing-instances vrf-2 route-distinguisher 65000:200
set routing-instances vrf-2 vrf-target target:65000:200
set routing-instances vrf-2 routing-options static route 0.0.0.0/0 next-hop 192. 168.20.2
配置EX交换机上行TRUNK端口的冗余，假设该EX有两个GE上行到两台汇聚层或核心层交换机，===========================
这两个端口都配置为T RUNK 并作为redundant trunk group 时将不再考虑STP的问题[edit]
set ethernet-switching-options redundant-trunk-group group-nam e group1
set ethernet-switching-options redundant-trunk-group group-nam e group1 inter face ge-0/0/9.0 primary
set ethernet-switching-options redundant-trunk-group group-nam e group1 inter face ge-0/0/10.0
配置完成后检查：
user@switch>show redundant-trunk-group group1
EX 3200 系列交换机还提供完整的端口安全特性，包括DHCP
Snooping（动态主机配置协议侦听）、DAI（动态ARP检测）和MAC
限制来抵御内外部侦听、中间人攻击和拒绝服务(DoS)攻击。

安全性
● MAC 地址限制
● 允许的MAC 地址数——可逐端口配置
● 动态ARP 检测（DAI）
● 本地代理ARP
● 静态ARP 支持
● DHCP 侦听
访问控制表（ACL）（JUNOSTM 防火墙过滤器）
● 基于端口的ACL（PACL）——入口
● 基于VLAN 的ACL（VACL）——入口和出口
● 基于路由器的ACL（RACL）——入口和出口
● 每个系统在硬件中支持的ACL 条目（ACE）：7,000
● 用于计算被拒绝的数据包的ACL 计算器
● 用于计算获准数据包的ACL 计算器
● 能够在列表中间添加/ 删除/ 更改ACL 条目（ACL 编辑）
● L2-L4 ACL
● 基于802.1X 端口
● 802.1X 多个请求方
● 采用VLAN 分配机制的802.1X
● 采用验证旁路接入机制的802.1X（基于主机MAC 地址）
● 支持VoIP VLAN 的802.1X
● 基于RADIUS 属性的802.1X 动态ACL
● 802.1X 支持的EAP 类型：MD5，TLS，TTLS，PEAP
● MAC 验证（本地）
● 控制平面DoS 防御
配置EX交换机的port-securit 及DHCP Snooping 端口的MAC限制绑定MAC地址：== ================================
DAI保护EX系列交换机不被ARP欺骗，同时保护在局域网中DHCP侦听数据库的ARP缓存不被攻击。

[edit ethernet-switching-options secure-access-port]
端口的MAC地址数限制
set interface ge-0/0/1 mac-limit 4 action drop
端口的MAC地址绑定
set interface ge-0/0/2 allowed-m ac 00:05:85:3A:82:80
set interface ge-0/0/2 allowed-m ac 00:05:85:3A:82:81
set interface ge-0/0/2 allowed-m ac 00:05:85:3A:82:83
set interface ge-0/0/2 allowed-m ac 00:05:85:3A:82:85
set interface ge-0/0/2 allowed-m ac 00:05:85:3A:82:88
set interface ge-0/0/2 mac-limit 4 action drop
配置到DHCP服务器连接端口的信任
set interface ge-0/0/8 dhcp-trusted
配置在需要做端口安全的VLAN加入防止DHCP欺骗参数及在该VLAN中MAC移动的限制：set vlan employee–vlan arp-inspection DAI的配置
set vlan employee-vlan examine-dhcp
set vlan employee-vlan mac-m ove-limit 5 action drop
配置完成检查：
user@switch>show dhcp snooping binding
user@switch>show arp inspection statisti cs 检查交换机上DAI 的工作情况
user@switch>show ethernet-switching table
配置EX交换机的RSTP功能：================================= ==========
Step-by-Step Procedure
To configure interfaces and RSTP on Switch 1:
Configure the VLANs voice-vlan, em ployee-vlan, guest-vlan, and cam era-vlan: [edit vlans]
user@switch1# set voice-vlan description ―Voice VLAN‖
user@switch1# set voice-vlan vlan-id 10
user@switch1# set employee-vlan description ―Employee VLAN‖
user@switch1# set employee-vlan vlan-id 20
user@switch1# set guest-vlan description ―Guest VLAN‖
user@switch1# set guest-vlan vlan-id 30
user@switch1# set cam era-vlan description ―Camera VLAN‖
user@switch1# set guest-vlan vlan-id 40
Configure the VLANs on the interfaces, including support for the Ethernet Swit ching protocol:
[edit interfaces]
user@switch1# set ge-0/0/13 unit 0 fam ily ethernet-switching vlan m embers [10 20 30 40]
user@switch1# set ge-0/0/9 unit 0 family ethernet-switching vlan members [1 0 20 30 40]
user@switch1# set ge-0/0/11 unit 0 fam ily ethernet-switching vlan m embers [10 20 30 40]
Configure the port m ode for the interfaces:
[edit interfaces]
user@switch1# set ge-0/0/13 unit 0 fam ily ethernet-switching port-m ode trunk
user@switch1# set ge-0/0/9 unit 0 family ethernet-switching port-m ode trunk user@switch1# set ge-0/0/11 unit 0 fam ily ethernet-switching port-m ode trunk
Configure RSTP on the switch:
[edit protocols]
user@switch1# rstp bridge-priority 16k
user@switch1# rstp interface ge-0/0/13.0 cost 1000 （配置相同的接口COST和RS TP模式，只参考优先级）
user@switch1# rstp interface ge-0/0/13.0 mode point-to-point
user@switch1# rstp interface ge-0/0/9.0 cost 1000
user@switch1# rstp interface ge-0/0/9.0 mode point-to-point
user@switch1# rstp interface ge-0/0/11.0 cost 1000
user@switch1# rstp interface ge-0/0/11.0 mode point-to-point
配置完成后检查：
user@switch1>show spanning-tree interface
配置EX交换机的MSTP功能：================================== ============
Step-by-Step Procedure
To configure interfaces and MSTP on Switch 1:
Configure the VLANs voice-vlan, em ployee-vlan, guest-vlan, and cam era-vlan: [edit vlans]
user@switch1# set voice-vlan description ―Voice VLAN‖
user@switch1# set voice-vlan vlan-id 10
user@switch1# set employee-vlan description ―Employee VLAN‖
user@switch1# set employee-vlan vlan-id 20
user@switch1# set guest-vlan description ―Guest VLAN‖
user@switch1# set guest-vlan vlan-id 30
user@switch1# set cam era-vlan description ―Camera VLAN‖
user@switch1# set guest-vlan vlan-id 40
Configure the VLANs on the interfaces, including support for the Ethernet Swit ching protocol:
[edit interfaces]
user@switch1# set ge–0/0/13 unit 0 family ethernet-switching vlan members [10 20 30 40]
user@switch1# set ge-0/0/9 unit 0 family ethernet-switching vlan members [1 0 20 30 40]
user@switch1# set ge-0/0/11 unit 0 fam ily ethernet-switching vlan m embers [10 20 30 40]
Configure the port m ode for the interfaces:
[edit interfaces]
user@switch1# set ge–0/0/13 unit 0 family ethernet-switching port-m ode trun k
user@switch1# set ge-0/0/9 unit 0 family ethernet-switching port-m ode trunk user@switch1# set ge-0/0/11 unit 0 fam ily ethernet-switching port-m ode trunk
Configure MSTP on the switch, including the two MSTIs:
[edit protocols]
user@switch1# mstp configuration-nam e region1
user@switch1# mstp bridge-priority 16k
user@switch1# mstp interface ge-0/0/13.0 cost 1000
user@switch1# mstp interface ge-0/0/13.0 m ode point-to-point user@switch1# mstp interface ge-0/0/9.0 cost 1000
user@switch1# mstp interface ge-0/0/9.0 mode point-to-point user@switch1# mstp interface ge-0/0/11.0 cost 4000
user@switch1# mstp interface ge-0/0/11.0 m ode point-to-point user@switch1# mstp m sti 1 bridge-priority 16k
user@switch1# mstp m sti 1 vlan [10 20]
user@switch1# mstp m sti 1 interface ge-0/0/11.0 cost 4000 user@switch1# mstp m sti 2 bridge-priority 8k
user@switch1# mstp m sti 2 vlan [30 40]
配置完成后检查：
user@switch1>show spanning-tree interface
user@switch1>show spanning-tree bridge。