Juniper命令
juniper之常用命令
OSPF中路由重发布配置
enable ospf export direct [cost <metric> [ase-type-1 | ase-type-2] {tag <number>} | <route map>]
show ospf
show access-list {<name> | port <portlist>}
show access-list-monitor
show ospf area <area identifier>
show ospf area detail
show ospf ase-summary
13.Access-Lists配置
create access-list icmp destination source
create access-list ip destination source ports
create access-list tcp destination source ports
6.port-channel配置
enable sharing <port> grouping <portlist> {port-based | address-based | round-robin}
show port sharing //查看配置
7.stp配置
enable stpd //启动生成树
show diag
show iparp
Juniper防火墙基本命令
Juniper防火墙基本命令Juniper防火墙基本命令常用查看命令Get int查看接口配置信息Get int ethx/x查看指定接口配置信息Get mip查看映射ip关系Get route查看路由表Get policy id x查看指定策略Get nsrp查看nsrp信息,后可接参数查看具体vsd组、端口监控设置等Get per cpu de查看cpu利用率信息Get per session de查看每秒新建会话信息Get session查看当前会话信息,后可匹配源地址、源端口、目的地址、目的端口、协议等选项Get session info查看当前会话数量Get system查看系统信息,包括当前os版本,接口信息,设备运行时间等Get chaiss查看设备及板卡序列号,查看设备运行温度Get counter stat查看所有接口计数信息Get counter stat ethx/x查看指定接口计数信息Get counter flow zone trust/untrust查看指定区域数据流信息Get counter screen zone untrust/trust查看指定区域攻击防护统计信息Get tech-support查看设备状态命令集,一般在出现故障时,收集该信息寻求JTAC支持常用设置命令Set int ethx/x zone trust/untrust/dmz/ha配置指定接口进入指定区域(trust/untrust/dmz/ha等)Set int ethx/x ip x.x.x.x/xx配置指定接口ip地址Set int ethx/x manage配置指定接口管理选项,打开所有管理选项Set int ethx/x manage web/telnet/ssl/ssh配置指定接口指定管理选项Set int ethx/x phy full 100mb配置指定接口速率及双工方式Set int ethx/x phy link-down配置指定接口shutdownSet nsrp vsd id 0 monitor interface ethx/x配置ha监控端口,如此端口断开,则设备发生主/备切换Exec nsrp vsd 0 mode backup手工进行设备主/备切换,在当前的主设备上执行set route 0.0.0.0/0 interface ethernet1/3 gateway 222.92.116.33配置路由,需同时指定下一跳接口及ip地址所有set命令,都可以通过unset命令来取消,相当于cisco中的no所有命令都可以通过“TAB”键进行命令补全,通过“?”来查看后续支持的命令防火墙基本配置create account [admin | user] <username> 回车输入密码:再次输入密码:configure account admin 回车输入密码:再次输入密码:2.port配置config ports <portlist> auto off {speed [10 | 100 | 1000]} duplex [half | full] auto off3.Vlan配置无论是核心还是接入层,都要先创建三个Vlan,并且将所有归于Default Vlan的端口删除:config vlan default del port allcreate vlan Servercreate vlan Usercreate vlan Manger定义802.1q标记config vlan Server tag 10config vlan User tag 20config vlan Manger tag 30设定Vlan网关地址:config vlan Server ipa 192.168.41.1/24config vlan User ipa 192.168.40.1/24config vlan Manger ipa 192.168.*.*/24Enable ipforwarding 启用ip路由转发,即vlan间路由Trunk 配置config vlan Server add port 1-3 tconfig vlan User add port 1-3 tconfig vlan manger add port 1-3 t4.VRRP配置enable vrrpconfigure vrrp add vlan UserVlanconfigure vrrp vlan UserVlan add master vrid 10 192.168.6.254configure vrrp vlan UserVlan authentication simple-password extremeconfigure vrrp vlan UserVlan vrid 10 priority 200configure vrrp vlan UserVlan vrid 10 advertisement-interval 15configure vrrp vlan UserVlan vrid 10 preempt5.端口镜像配置首先将端口从VLAN中删除enable mirroring to port 3 #选择3作为镜像口config mirroring add port 1 #把端口1的流量发送到3config mirroring add port 1 vlan default #把1和vlan default的流量都发送到36.port-channel配置enable sharing <port> grouping <portlist> {port-based | address-based | round-robin}show port sharing //查看配置7.stp配置enable stpd //启动生成树create stpd stp-name //创建一个生成树configure stpd <spanning tree name> add vlan <vlan name> {ports <portlist> [dot1d | emistp | pvst-plus]}configure stpd stpd1 priority 16384configure vlan marketing add ports 2-3 stpd stpd1 emistp8.DHCP 中继配置enable bootprelayconfig bootprelay add <dhcp server ip>9.NA T配置Enable nat #启用natStatic NA T Rule Exampleconfig nat add out_vlan_1 map source 192.168.1.12/32 to 216.52.8.32/32Dynamic NA T Rule Exampleconfig nat add out_vlan_1 map source 192.168.1.0/24 to 216.52.8.1 - 216.52.8.31Portmap NA T Rule Exampleconfig nat add out_vlan_2 map source 192.168.2.0/25 to 216.52.8.32 /28 both portmapPortmap Min-Max Exampleconfig nat add out_vlan_2 map source 192.168.2.128/25 to 216.52.8.64/28 tcp portmap 1024 - 819210.OSPF配置enable ospf 启用OSPF进程create ospf area <area identifier> 创建OSPF区域configure ospf routerid [automatic | <routerid>] 配置Routeridconfigure ospf add vlan [<vlan name> | all] area <area identifier> {passive} 把某个vlan加到某个Area中去,相当于Cisco中的network的作用configure ospf area <area identifier> add range <ipaddress> <mask> [advertise | noadvertise] {type-3 | type-7} 把某个网段加到某个Area中去,相当于Cisco中的network的作用configure ospf vlan <vlan name> neighbor add <ipaddress>OSPF中路由重发布配置enable ospf export direct [cost <metric> [ase-type-1 | ase-type-2] {tag <number>} | <route map>]enable ospf export static [cost <metric> [ase-type-1 | ase-type-2] {tag <number>} | <route map>]enable ospf originate-default {always} cost <metric> [ase-type-1 | ase-type-2] {tag <number>} enable ospf originate-router-id11.SNMP配置enable snmp accessenable snmp trapscreate access-profile <access profile> type [ipaddress | vlan]config snmp access-profile readonly [<access_profile> | none]配置snmp的只读访问列表,none 是去除config snmp access-profile readwrite [<access_profile> | none] 这是控制读写控制config snmp add trapreceiver <ip address> {port <udp_port>} community <communitystring> {from <source ip address>} 配置snmp接收host和团体字符串12.安全配置disable ip-option loose-source-routedisable ip-option strict-source-routedisable ip-option record-routedisable ip-option record-timestampdisable ipforwarding broadcastdisable udp-echo-serverdisable irdp vlan <vlan name>disable icmp redirectdisable web 关闭web方式访问交换机enable cpu-dos-protect13.Access-Lists配置create access-list icmp destination sourcecreate access-list ip destination source portscreate access-list tcp destination source portscreate access-list udp destination source ports14.默认路由配置config iproute add default <gateway>15.恢复出厂值,但不包括用户改的时间和用户帐号信息unconfig switch {all}16.检查配置show versionshow configshow sessionshow management 查看管理信息,以及snmp信息show bannershow ports configurationshow ports utilization ?show memory/show cpu-monitoringshow ospfshow access-list {<name> | port <portlist>}show access-list-monitorshow ospf area <area identifier>show ospf area detailshow ospf ase-summaryshow ospf interfaces {vlan <vlan name> | area <area identifier>} unconfigure ospf {vlan <vlan name> | area <area identifier>}switchshow switchshow configshow diagshow iparpshow iprouteshow ipstatshow logshow tech allshow version detail17.备份和升级软件download image [<hostname> | <ipaddress>] <filename> {primary | secondary}upload image [<hostname> | <ipaddress>] <filename> {primary | secondary}use image [primary | secondary]18.密码恢复。
Juniper华为H3C设备维护通用命令
Juniper华为H3C设备维护通用命令Juniper_华为_H3C设备维护常用命令1、[Router&Swithc]华为/H3C设备常规巡检命令#系统时间display clock#系统以及各单板软件版本display version#设备温度display environment#日志信息display logbuffer#单板运行状态display device#电源状态display device#风扇状态display device#CPU占用状态display cpu-usage#内存占用率display memory limit#接口流量display interface#接口、链路状态display interface#地址分配display current-configuration interface##路由扩散display current-configuration | include ospf#OSPF(Open Shortest Path First)配置display router id#路由信息display ip routing-table#端口统计数据display ip interface#当前配置文件display current-configuration#保存配置文件display saved-configuration端口使用状态display interface GigabitEthernet/T en-GigabitEthernet brief VLAN使用状态display ip interface brief2、脚本—华为display versiondis patch-informationdisplay clockdis dustproofdis frame-typedis healthdisplay cpu-usagedisplay memorydisplay memory limitdisplay devicedisplay device manuinfodisplay powerdisplay fandisplay voltagedir cfcard2:/dir cfcard:display device pic-statusdis switchover statedisplay environmentdisplay interfacedisplay logbufferdis alarmdis bootrom ethernetdisplay current-configurationdisplay current-configuration interface#display router iddisplay ip routing-tabledisplay ip interfacedisplay ip interface briefdisplay current-configurationdisplay saved-configurationdisplay diagnostic-information3、脚本—华为NE40edisplay version 查看VRP版本等信息dis patch-information 查看版本补丁display clock 查看时钟dis dustproof 防尘网信息Dis frame-type 显示NE40E机框类型dis health 显示系统资源的使用情况display cpu-usage 查看1分钟CPU利用率display memory 查看内存使用情况display memory limitdisplay device 查看母板信息display device manuinfodisplay power 查看电源状态display fan 查看风扇状态display voltage 查看板卡电压dir cfcard2:/ 查看设备crash信息dir cfcard: 查看设备cf卡信息display device pic-status 查看子卡型号,序列号(NE40E NE80E) dis switchover state 查看引擎HA情况display environmentdisplay interface 查看接口状态display logbuffer 查看日志dis alarm 查看设备告警dis bootrom ethernet 查看设备bootrom信息display current-configuration查看当前配置display current-configuration interface# 查看设备当前接口配置display router id 查看设备路由IDdisplay ip routing-table 查看设备路由display ip interface 查看设备接口情况display ip interface brief 查看设备接口状态display current-configuration 查看设备当前配置display saved-configuration 查看设备内存配置(相当show start)display diagnostic-information 抓取设备完整信息相对于show tech二、JUNIPER设备常用维护巡检命令1、脚本—JUNIPERshow system uptimeshow version detailshow chassis hardware detailshow chassis environment //显示设备的环境信息,包括温度、风扇状况、电源状况、路由引擎状况。
Juniper路由器配置命令介绍
层级子层级systemrouting-options loopbackPOSGEinterfaceprotocolISISOSPFBGPMPLS-RSVP/LDP MPLS-FRRMPBGPMPLS-VPN COS功能项set system hostname hostnameset system root-authentication plain-text-passwordset system login user lab class super-user authentication plain-text-passwordset system services telnet/ftp/name-ser dns-adds et interface lo0 description descriptionset interface lo0 unit 0 family inet address ip-addressset interface lo0 unit 0 family iso address iso-addressset interface so-slot/pic/port description descriptionset interface so-slot/pic/port mtu mtu-numberset interface so-slot/pic/port hold-time up ms down msset interface so-slot/pic/port encapsultation pppset interface so-slot/pic/port sonet-options fcs [32|16]set interface so-slot/pic/port sonet-options payload-scrambler set interface so-slot/pic/port sonet-options rfc-2615set interface so-slot/pic/port unit 0 family inet address ip-addressset interface so-slot/pic/port unit 0 family isoset interface so-slot/pic/port unit 0 family mplsset interface ge-slot/pic/port description descriptionset interface so-slot/pic/port mtu mtu-numberset interface so-slot/pic/port hold-time up ms down msset interface ge-slot/pic/port unit 0 family inet address ip-addressset interface ge-slot/pic/port unit 0 family isoset interface ge-slot/pic/port unit 0 family mplsset routing-options router-id router-idset routing-options autonomous-system as-numberset routing-options static route network/mask next-hop addressset protocols isis level [ 1 | 2 ] interfaceinterface.logical-numberset protocols isis lsp-lifetime secondsset protocols isis export export-policyset protocols isis spf-delay msset protocols isis rib-group inet rg-nameset protocols isis traffic-engineering shortcutsset protocols isis level [ 1 | 2 ] wide-metrics-onlyset protocols isis level [ 1 | 2 ] preference numberset protocols isis level [ 1 | 2 ] external-preference number set protocols isis level [ 1 | 2 ] disableset protocols isis interface interface-name lsp-interval msset protocols isis interface interface-nam level [ 1 | 2 ] metric numberset protocols isis interface interface-nam level [ 1 | 2 ]hello-interval secondsset protocols isis interface interface-nam level [ 1 | 2 ]hold-time secondsset protocols isis interface interface interface-nam passive set protocols ospf area XX interface interface.logical-number set protocols ospf interface interface.logical-number metric numberset protocols ospf interface interface interface.logical-number passivset protocols ospf traffic-engineeringset protocols bgp interface interface.logical-numberset protocols bgp group group-nameset protocols bgp group group-name type external/internalset protocols bgp group group-name peer-as 1234set protocols bgp group group-name neighbor X.X.X.Xset protocols bgp hold-time secondsset protocols bgp mtu-discoveryset protocols bgp out-delay secondsset protocols bgp log-updownset protocols bgp dampingset protocols bgp group group-name description descriptionet protocols bgp group group-name local-address group-namelocal-address addressset protocols bgp group group-name family inet anyset protocols bgp group group-name neighbor address description descriptionset interfaces interface.logical-number family mplsset protocols mpls interface.logical-numberset protocols ldp interface.logical-numberset protocols rsvp interface.logical-numberset protocols mpls label-switched-path test to 10.0.9.7set protocols mpls label-switched-path test ldp-tunnelingset protocols mpls label-switched-path test link-protectionset protocols rsvp interface so-0/0/3.0 link-protectionset protocols bgp group group-name family [inet|inet-vpn|inet6|inet6-vpn|l2vpn]set routing-instances instance-nameset routing-instances instance-name instance-type VRFset routing-instances instance-name interface interface-number set routing-instances instance-name route-distinguisher xxxx set routing-instances instance-name vrf-target target:xxxx:yyyy set routing-instances instance-name routing-options static route x.x.x.x/z next-hop x.x.x.xset routing-instances instance-name protocols ospf area XX interface interface-name.logical-numberset routing-instances instance-name protocols ospf export bgp-ospfset policy-options policy-statement bgp-ospf term 1 from protocol bgpset policy-options policy-statement bgp-ospf term 1 then accept命令解释备注配置设备名必选为root帐户设置密码新建用户名为lab的帐户,并设定密码配置路由器Telnet/ftp/dns服务配置端口描述配置IP地址配置ISO地址配置端口描述配置端口MTU配置端口up/down的damping时间配置端口封装为PPP配置端口FCS的位数配置端口打开payload-scrambler配置端口FCS 32,打开payload-scrambler,C2字节为0x16配置IP地址端口允许运行ISIS端口允许运行mpls配置端口描述配置端口MTU配置端口up/down的damping时间配置IP地址端口允许运行ISIS端口允许运行mpls配置路由器Router-ID配置路由器的AS号码配置静态路由配置聚合路由配置ISIS接口并将接口加入到相应的ISIS LEVEL里必选配置IS-IS的存活时间,LSP的refresh 时间为lsp-lifetime-317秒配置IS-IS的路由分发策略配置IS-IS的SPF的延迟配置IS-IS使用的路由组配置IS-IS使用TE的shortcuts配置IS-IS的Level使用wide-metric---支持TE必选配置IS-IS内部路由的管理距离配置IS-IS外部路由的管理距离配置IS-IS禁止运行Leve 1或者2配置IS-IS端口发送LSP的间隔配置IS-IS端口的Metric值配置IS-IS端口的IIH的间隔时间配置IS-IS端口的Hold时间配置IS-IS端口运行Passive模式配置OSPF接口并将接口加入到相应的OSPF AREA里必选配置OSPF端口的Metric值配置OSPF端口运行Passive模式配置OSPF支持流量工程(启用OPAQUE LSA)配置o spf端口的IIH的间隔时间配置BGP接口必选配置BGP组必选设定BGP组为EBGP或IBGP必选设定本组内的neighbor的AS号码必选设定本组内neighbor的session IP地址必选配置BGP的Hold-timer时间,Hello时间自动调整为Hold-time的1/3配置BGP的TCP进程的MSS为路径的最大值配置BGP的的路由发送延迟配置路由器纪录BGP的邻居up/down的变化配置BGP路由启用Damping算法配置BGP的组的描述配置和BGP的组内的邻居进行通讯的时候使用的本地地址配置BGP的Group内的邻居允许运行unicast 和multicast配置BGP的邻居的描述端口允许运行mpls配置将接口加到MPLS协议组里配置将接口加到LDP协议组里配置将接口加到rsvp协议组里配置名称为test的RSVP signaled LSP, 此LSP终结点为10.0.9.7在LDP TUNNEL的路由器上配置名称为test的RSVPsignaled, LSP使得LDP能够穿越RSVP LSP启用保护的LSP保护选项在RSVP协议里,启用保护选项配置本group下的BGP session的属性,inet是启用IP路由支持,此项为默认启用,inet-vpn是启用l3mbgp-vpn路由支持,启用任意非INET属性,会将inet禁用配置routing-instances配置routing-instances的VRF将逻辑接口加入到routing-instances里配置RD,确认RD在整个routing-instance里是唯一的配置RT,确认RT在整个routing-instance里是唯一的,并且同一个routing-instance里的多个PE上RT要相同配置PE-CE之间的静态路由,这里要注意,在PE-CE之间为以太网连接的情况下,一定要加一个特定的静态路由,目的地址为PE-CE之间的互联的IP子网,下一跳地址为对端CE的接口IP地址配置PE-CE之间的OSPF路由,这里要注意,一定要加一个特定的POLICY,目的是为了将从对端PE学到的VPN路由注入PE-CE之间运行的OSPF协议,使得两端的CE互相能学到对方的路由。
Juniper路由器配置命令介绍
Juniper路由器配置命令介绍Juniper路由器配置命令介绍⒈系统配置命令⑴ `set system hostname`:设置设备的主机名。
⑵ `set system domn-name`:设置设备的域名。
⑶ `set system login user`:设置设备的登录用户信息。
⒉接口配置命令⑴ `set interfaces interface-name unit logical-unit-number family inet address ip-address/subnet-mask`:配置接口的IP地址和子网掩码。
⑵ `set interfaces interface-name unit logical-unit-number family inet6 address ipv6-address/prefix-length`:配置接口的IPv6地址和前缀长度。
⑶ `set interfaces interface-name unit logical-unit-number vlan-id vlan-tagged`:配置接口的VLAN标签。
⒊路由配置命令⑴ `set routing-options static route destination next-hop`:配置静态路由。
⑵ `set protocols ospf area area-id`:配置OSPF路由协议。
⒋安全配置命令⑴ `set security zones security-zone zone-nameinterfaces interface-name`:将接口分配给安全区域。
⑵ `set security policies from-zone source-zone to-zone destination-zone policy policy-name then permit`:配置安全策略以允许数据流动。
⒌ VPN配置命令⑴ `set security ike proposal proposal-name authentication-method pre-shared-keys`:配置IKE提议的预共享密钥认证方法。
Juniper基础配置命令
1、查看设备的硬件及引擎情况引擎数?有哪些板卡?从上信息可以得出:双引擎设备,RE0是主,RE1是备。
2、查看版本从上可看出:re0的版本是【12.3R4.6】re1的版本是【12.3R4.6】3、引擎切换4、查看当前引擎运行状态设备配置管理Juniper的配置存在2个地方:第一个:其中,juniper.conf.gz是当前的配置第二个:可以查看文件的实际配置内容:查看全局配置:或查看接口查看接口匹配信息查看路由协议信息或查看系统方面的信息查看之前的历史配置信息查看运行的文件回滚载入之前的某一个配置文件批量导入配置命令:带外管理口配置:set groups re0 interfaces fxp0 unit 0 family inet address 172.18.18.30/24set system time-zone Asia/Shanghaiset system root-authentication encrypted-password "$5$hmy2W7ar$TR/KP7qIckZ37QbfzSKJWpFW1QS70m1zAPQCsK4jth0" set system login user lab uid 2000set system login user lab class super-userset system login user lab authentication encrypted-password "$5$.Us1Dtb0$dIi5e/6/xp3IAUS/EXkntfTk3fDqESpZBNBLxrWVLHB"set system services ftpset system services sshset system services telnetset system syslog user * any emergencyset system syslog file messages any noticeset system syslog file messages authorization infoset system syslog file interactive-commands interactive-commands anyset logical-systems vr101set logical-systems vr102set interfaces ge-2/0/0 description link_to_Serv1set interfaces ge-2/0/0 unit 0 family inet address 11.1.1.1/24 deactivate interfaces ge-2/0/0 unit 0set interfaces ge-2/0/1 description link_to_Serv2set interfaces ge-2/0/1 unit 0 family inet address 11.1.2.1/24 deactivate interfaces ge-2/0/1 unit 0set routing-options static route 172.0.0.0/8 next-hop 172.18.18.254set routing-options static route 10.0.0.0/8 next-hop 172.18.18.254show configuration | display set |match traceoptionshow bgp summaryshow configuration | display set | match 100.125.154.9set protocols bgp group HZ-OOB2IN75 neighbor 100.125.154.9 export rpFW-ADCN2FW-POPshow bgp neighborshow route forwarding-tableshow configuration interfacesshow configuration policy-optionsshow configuration interfaces gr-0/0/0show configuration protocols bgpping 100.125.154.126 count 100ping 14.143.27.242 rapid count 300show configuration | display set | compare rollback 5 show version detail no-forwardingshow system core-dumps no-forwardingshow chassis alarms no-forwardingshow chassis hardware detail no-forwarding show system processes extensive no-forwarding show pfe statistics errorshow pfe statistics trafficshow chassis routing-engine no-forwarding show chassis environment no-forwarding show chassis firmware no-forwardingshow chassis fpc detailshow system boot-messages no-forwarding show system storage no-forwardingshow system virtual-memory no-forwardingshow system buffer no-forwardingshow system queues no-forwardingshow system statistics no-forwardingshow configuration | except SECRET-DATA | display omit show interfaces extensive no-forwardingshow network-access aaa statistics accountingshow route forwarding-table summaryshow ppp statistics extensiveshow accounting server statisticsshow system resource-monitor summaryshow shm-ipc statisticsshow interfaces diagnostics optics et-0/1/1。
juniper 配置命令
set dynamic-profiles vlan interfaces "$junos-interface-ifd-name" unit "$junos-interfaceunit" no-traps set dynamic-profiles vlan interfaces "$junos-interface-ifd-name" unit "$junos-interfaceunit" vlan-id "$junos-vlan-id" set dynamic-profiles vlan interfaces "$junos-interface-ifd-name" unit "$junos-interfaceunit" family inet policer disable-arp-policer set dynamic-profiles vlan interfaces "$junos-interface-ifd-name" unit "$junos-interfaceunit" family inet6 unnumbered-address lo0.0 set system commit synchronize set system dynamic-profile-options versioning set chassis network-services enhanced-ip set dynamic-profiles pppoe predefined-variable-defaults input-filter 10M set dynamic-profiles pppoe predefined-variable-defaults output-filter 10M set access profile sunrise-test authentication-order none set access profile none authentication-order none set access profile sunrise-test accounting order none set system commit synchronize run request routing-engine login re0 进入低层 可以开ftp 纯交换模式 当交换机用 ssh { + + + root-login deny; protocol-version v2;
juniper命令注解
juniper命令注解netscreen 设备管理配置netscreen 设备管理配置8实例分析:NETSCREEN 现有配置1.1时间设定set clock dst-off /自动调整时间关set clock ntp /设置NTP时间同步set clock timezone 9 /设置时区set vrouter trust-vr sharable /设置虑拟路由器trust-vr可以为其他VSYS系统共享1.2路由导出及自定义服务设定unset vrouter "trust-vr" auto-route-export /禁止路由器trust-vr的路由自动导出set service "CVS" protocol tcp src-port 0-65535 dst-port 2401-2401/自定义CVS服务协议为TCP 源端口为0-65535 目地端口为24011.3认证的设定set auth-server "Local" id 0 /设置认证SERVER为本地认证set auth-server "Local" server-name "Local" /设置本地认证SERVER名为LOCAL set auth default auth server "Local" /设置默认认证服务器为LOCAL1.4管理员的设定set admin name "netscreen" /设置管理员用户名set admin password "XXXXXX" /设置管理员密码set admin user "livedoorcn" password "XXXXXXX" privilege "all"/添加管理员用户livedoorcn及其权限为R-W1.5管理IP的设定set admin manager-ip xxx.174.65.0 255.255.255.0 /设置管理IPset admin manager-ip 10.0.71.136 255.255.255.255 /设置管理IPset admin manager-ip xxx.xxx.xxx.141 255.255.255.192 /设置管理IPset admin manager-ip xxx.xxx.xxx.246 255.255.255.255 /设置管理IPset admin manager-ip 10.0.71.139 255.255.255.255 /设置管理IPset admin manager-ip xxx.xxx.xxx.0 255.255.255.0 /设置管理IP1.6SSH及区域设定set admin scs password disable username netscreen /禁止用户的SSH密码认证set admin scs password disable username livedoorcn /禁止用户的SSH密码认证set admin auth timeout 10 /设置认证时间超时set admin auth server "Local" /设置管理认证服务器set zone "Trust" vrouter "trust-vr" /设置信任区域set zone "Untrust" vrouter "trust-vr" /设置非信任区域set zone "VLAN" vrouter "trust-vr" /设置VLAN区域set zone "Trust" tcp-rst /设置TRUST安全区超时回应RESET信息set zone "Untrust" block /封锁同一安全区中主机之间的信息流unset zone "Untrust" tcp-rst /设置UNTRUST安全区超时不回应RESET信息set zone "MGT" block /封锁同一安全区中主机之间的信息流set zone "VLAN" block /封锁同一安全区中主机之间的信息流set zone "VLAN" tcp-rst /设置TRUST安全区超时回应RESET信息1.7网络攻击保护选项的设定set zone "Trust" screen alarm-without-drop /设置告警但并不丢弃数据包set zone "Trust" screen icmp-flood /设置ICMP泛洪攻击保护set zone "Trust" screen udp-flood /设置UDP泛洪攻击保护set zone "Trust" screen winnuke /设置winnuke攻击保护set zone "Trust" screen port-scan /设置端口扫描攻击保护set zone "Trust" screen ip-sweep /设置IP地址扫描攻击保护set zone "Trust" screen tear-drop /设置tear-drop攻击保护set zone "Trust" screen syn-flood /设置SYN 泛滥攻击保护(DOS)set zone "Trust" screen ip-spoofing /设置IP欺骗攻击保护set zone "Trust" screen ping-death /设置PING-DEATH攻击保护set zone "Trust" screen ip-filter-src /设置禁示使用松散源路由或严格源路由选项set zone "Trust" screen land /设置陆地攻击保护set zone "Trust" screen tcp-no-flag /设置TCP无标志保护set zone "Trust" screen unknown-protocol /设置未知协议保护set zone "Trust" screen ip-bad-option /设置BAD选项保护set zone "Trust" screen ip-record-route /设置记录路由保护set zone "Trust" screen ip-timestamp-opt /设置时间戳保护set zone "Trust" screen ip-security-opt /设置IP安全选项保护(已不用)set zone "Trust" screen ip-loose-src-route /设置松散源路由(记录)set zone "Trust" screen ip-strict-src-route /设置严格源路由(记录)set zone "Trust" screen ip-stream-opt /设置IP选项流ID(费弃选项)set zone "Trust" screen icmp-large /设置icmp大包保护set zone "Trust" screen syn-fin /设置操作系统set zone "Trust" screen fin-no-ack /设置FIN但无ACK标志保护set zone "Trust" screen limit-session source-ip-based /设置源IP会话限制set zone "Trust" screen syn-ack-ack-proxy /设置同步代理泛滥保护set zone "Trust" screen block-frag /设置IP封包的碎片保护set zone "Trust" screen limit-session destination-ip-based /设置目的IP会话限制set zone "Untrust" screen tear-dropset zone "Untrust" screen syn-floodset zone "Untrust" screen ping-deathset zone "Untrust" screen ip-filter-srcset zone "Untrust" screen landset zone "V1-Untrust" screen tear-dropset zone "V1-Untrust" screen syn-floodset zone "V1-Untrust" screen ping-deathset zone "V1-Untrust" screen ip-filter-srcset zone "V1-Untrust" screen landset zone "Trust" screen limit-session destination-ip-based 1280 /设置目的IP会话限制1.8接口的设定set interface "trust" zone "Trust" /将接口trust绑定到trust安全区域set interface "untrust" zone "Untrust" /将接口untrust绑定到untrust安本区域unset interface vlan1 ip /没有设定VLAN IP地址set interface trust ip 10.0.71.1/24 /设置trust接口IP地址set interface trust nat /设置trust接口工作模式set interface untrust ip xxx.xxx.xxx.131/26 /设置untrust接口IP地址set interface untrust route /设置untrust接口工作模式set interface untrust gateway xxx.xxx.xxx.129 /设置untrust接口网关unset interface vlan1 bypass-others-ipsec /阻止NetScreen 设备通过IPSec信息流unset interface vlan1 bypass-non-ip /阻止所有非IP和非ARP 单点传送信息流set interface trust ip manageable /设置trust接口为可管理接口set interface untrust ip manageable /设置untrust接口为可管理接口set interface untrust manage ping /允许untrust接口PINGset interface untrust manage ssh /允许untrust接口可以SSH 管理set interface untrust manage web /允许untrust接口可以WEB 管理1.9MIP地址映射的设定set interface "untrust" mip xxx.xxx.xxx.135 host 10.0.71.135 netmask 255.255.255.255 vrouter "trust-vr" /设置MIP映射地址以下类同:set interface "untrust" mip xxx.xxx.xxx.133 host 10.0.71.133 netmask 255.255.255.255 vrouter "trust-vr"set interface "untrust" mip xxx.xxx.xxx.134 host 10.0.71.134 netmask 255.255.255.255 vrouter "trust-vr"set interface "untrust" mip xxx.xxx.xxx.136 host 10.0.71.136 netmask 255.255.255.255 vrouter "trust-vr"set interface "untrust" mip xxx.xxx.xxx.139 host 10.0.71.139 netmask 255.255.255.255 vrouter "trust-vr"set interface "untrust" mip xxx.xxx.xxx.140 host 10.0.71.140 netmask 255.255.255.255 vrouter "trust-vr"set interface "untrust" mip xxx.xxx.xxx.132 host 10.0.71.132 netmask 255.255.255.255 vrouter "trust-vr"set interface "untrust" mip xxx.xxx.xxx.142 host 10.0.71.142 netmask 255.255.255.255 vrouter "trust-vr"set interface "untrust" mip xxx.xxx.xxx.143 host 10.0.71.143 netmask 255.255.255.255 vrouter "trust-vr"。
Juniper路由器配置命令介绍
Juniper路由器配置命令介绍Juniper路由器配置命令介绍目录1、简介2、配置基础命令2.1 进入操作模式2.2 配置系统参数2.3 设置管理接口2.4 配置路由表3、高级配置命令3.1 OSPF配置3.2 BGP配置3.3 VRF配置3.4 MPLS配置4、安全配置命令4.1 配置防火墙4.2 配置安全策略4.3 配置VPN4.4 配置ACL5、故障排查命令5.1 显示命令5.2 路由故障排查5.3 硬件故障排查5.4 访问控制故障排查6、性能优化命令6.1 接口配置6.2 QoS配置6.3 缓存配置6.4 动态路由配置1、简介Juniper路由器是一种支持多种网络协议的高性能路由器。
本文档介绍了Juniper路由器的配置命令,并根据功能分类进行了细化。
2、配置基础命令2.1 进入操作模式- login:登录路由器- cli:进入命令行操作模式- configure:进入配置操作模式2.2 配置系统参数- set system hostname <hostname>:设置路由器主机名- set system domn-name <domn-name>:设置路由器域名- set system time-zone <time-zone>:设置时区- set system name-server <ip-address>:设置DNS服务器2.3 设置管理接口- set interfaces <interface> unit <unit> family inet address <ip-address/mask>:配置管理接口的IP地质- set interfaces <interface> unit <unit> family inet address dhcp:使用DHCP分配管理接口的IP地质2.4 配置路由表- set routing-options static route <destination> next-hop <next-hop>:配置静态路由- set routing-options router-id <id>:配置路由器ID- set protocols ospf area <area> interface <interface>:配置接口与OSPF区域的关联3、高级配置命令3.1 OSPF配置- set protocols ospf area <area> interface <interface>:配置接口与OSPF区域的关联- show ospf neighbor:显示OSPF邻居信息- show ospf route:显示OSPF路由表3.2 BGP配置- set protocols bgp group <group-name> neighbor<neighbor-address>:配置BGP邻居- set protocols bgp group <group-name> family <family>:配置BGP邻居的地质族- show bgp neighbor:显示BGP邻居信息- show bgp summary:显示BGP邻居摘要信息3.3 VRF配置- set routing-instances <instance-name> interface<interface>:配置接口与VRF的关联- set routing-instances <instance-name> routing-options static route <destination> next-hop <next-hop>:配置静态路由3.4 MPLS配置- set protocols mpls interface <interface>:启用接口的MPLS功能- set protocols mpls label-switched-path <LSP-name> to <destination-address> : 配置LSP的路径4、安全配置命令4.1 配置防火墙- set security policies from-zone <from-zone> to-zone <to-zone> policy <policy-name> match <match-conditions> then permit/deny:配置安全策略4.2 配置安全策略- set security zones security-zone <zone-name> address-book address <address-name> <ip-address>:配置地质对象- set security zones security-zone <zone-name> host-inbound-traffic system-services <services>:配置允许进入防火墙的服务4.3 配置VPN- set security ike proposal <proposal-name> authentication-method <method>:配置IKE提议- set security ike gateway <gateway-name> ike-policy <policy-name>:配置IKE网关- set security ipsec vpn <vpn-name> bind-interface<interface>:绑定VPN到接口4.4 配置ACL- set firewall family inet filter <filter-name> term <term-name> from protocol <protocol>:配置ACL规则- set firewall family inet filter <filter-name> term <term-name> then accept/discard:配置ACL规则动作5、故障排查命令5.1 显示命令- show interfaces <interface> detl:显示接口详细信息- show route <destination> : 显示路由信息- show chassis hardware:显示硬件信息5.2 路由故障排查- show bgp summary:显示BGP邻居摘要信息- show ospf neighbor:显示OSPF邻居信息- show route protocol <protocol>:显示指定协议的路由5.3 硬件故障排查- show chassis hardware:显示硬件信息- show log messages:显示系统日志消息- request support information:收集支持信息文件5.4 访问控制故障排查- show security policies from-zone <from-zone> to-zone <to-zone> policy <policy-name>:显示安全策略信息- show security zones interfaces:显示接口与安全域的关联信息6、性能优化命令6.1 接口配置- set interfaces <interface> mtu <mtu-size>:设置接口MTU大小- set interfaces <interface> description <description>:设置接口描述6.2 QoS配置- set class-of-service interfaces <interface> unit<unit> scheduler-map <map-name>:为接口配置调度器映射- set class-of-service scheduler-maps <map-name> forwarding-class <forwarding-class> scheduler <scheduler-name>:配置调度器映射6.3 缓存配置- set forwarding-options cache hit-cache-size <size>:设置缓存大小- set forwarding-options cache timeout <timeout-value>:设置缓存超时时间6.4 动态路由配置- set protocols ospf area <area> interface <interface> passive:将接口设置为OSPF被动接口- set routing-instances <instance-name> interface <interface> passive:将接口设置为VRF被动接口附件:无法律名词及注释:无。
juniper设备命令
juniper设备命令set system root-authentication plain-text-password 设置root 密码set system login user jianglong class super-user authentication plain-text-password 设置超级用户及密码set system services telnet 开启telnetcommit 提交生效show interfaces diagnostics optics xe-0/0/31 查看端口模块信息show chassis pic fpc-slot 0 pic-slot 0 查看模块信息show system uptime 查看系统时间及设备启动时间show log link-status 查看系统日志show | display set 查看配置show | compare 未保存之前查看做过的配置show chassis hardware 查看模块信息包括SN号show class-of-service 查看端口限速set class-of-service interfaces xe-0/0/5 shaping-rate 2g 端口限速deactivate interfaces xe-1/1/0 unit 3027 (保留端口配置,但使配置失效)activate interfaces xe-1/1/0 unit 3027(使失效的端口配置生效)两台设备之间传输vlan一、设备端口建立相关vlanset interfaces xe-1/1/0 unit 3033 vlan-id 3033 family inet address 118.186.208.141/30 (在xe1/1/0端口建立vlan3033,配IP:118.186.208.141/30)二、建立好在两段设备和传输设备上建立好vlan后在4550交换机上做传输策略show protocols l2circuit (查看传输策略)set protocols l2circuit neighbor 118.186.247.99 interface xe-0/0/24.3033 virtual-circuit-id 13033 encapsulation-typeethernet-vlan (从本端设备的xe0/0/24口将vlan3033传到118.186.247.99这个设备,并定义策略。
JUNIPER路由器中常用命令总结
JUNIPER路由器中常⽤命令总结前些⽇⼦认真看了⼀下Juniper路由器的⼀些命令。
在这⾥总结⼀下。
⽅便以后使⽤Juniper路由器的命令主要分为两个部分,⼀个是operational,主要是复杂查看⽬前⽹络的配置情况(只能查看,不能修改。
感觉权限⽐较低);另⼀个是configuration,主要⽤来查看和修改配置(感觉权限⾼⼀些)。
刚进⼊到Juniper路由器时,默认进⼊的是operation,输⼊edit命令之后,就进⼊到了[edit]⽬录下,也就是进⼊了configuration。
基础配置命令(如未说明则在[edit]⽬录下)1、配置主机名字:set system host-name router12、配置域名: set system domain-name 3、配置fxp0接⼝(以太⽹中通过这个接⼝进⾏路由器的配置)。
Set interfaces fxp0 unit 0 family inet address 192.168.15.1/2 44、配置备份路由器:set system backup-router 192.168.15.25、配置DNS服务器:set system name-server 192.168.15.36、配置root⽤户的密码:set system root-authentication plain-text-password(密码中不可以全是⼤写、全是⼩写、全是数字)7、设置ntp服务器: set system ntp server 192.168.2.28、提交修改:commit9、查看提交是否合法: commit check10、在当天特定时间进⾏提交 commit at 22:4511、在特定⽇期的特定时间提交: commit at “2005-02-26 10:45”12、取消commit的操作 clear system commit13、为了避免提交带来意外的损害采⽤:commit confirmed,会在10分钟以后⾃动回滚14、与14相同,但在⼀分钟以后⾃动回滚:commit confirmed 115、提交信息,并同步到备份路由器上: commit synchronize配置服务:1、设置ssh服务:set system services ssh2、配置ftp服务: set system services ftp3、删除ftp服务: delete system services ftp权限设置:1、设置root⽤户ssh登录的密码:set system root-authentication ssh password2、禁⽌root⽤户使⽤ssh登录:[edit system ] set services ssh root-login deny3、设置密码要求:[edit system login] set password maximun-length 20 set password minimum-length 8 set password mi nimum-changes 24、设置密码加密算法:set system login password formate md55、查看⾃⼰的权限,以及可以设置的权限: show cli authorization进⼊与退出命令:1、Edit2、修改root的配置:configure3、避免多⼈修改导致设置丢失采⽤ configure exclusive4、查看⽬前修改区域有谁在线:[edit]status(只能看见⽐你先登录的⼈,后⾯登录的信息看不见)5、强制要求别⼈下线:request system logout user mike6、进⼊到根⽬录 top7、退出configuration 模块:quit8、退出configuration模块:exit configuration-mode9、提交并退出:commit and-quit10、退出当前⽬录:exit11、进⼊到某⽬录 edit ⽬录名字查看命令:1、查看当前⽬录地下的设置 [edit]show2、查看你设置的命令 show | display set3、查看你新增的命令 show | compare(+表⽰你增加的命令,-表⽰你删除的命令。
juniper 交换机配置命令整理
QinQ 配置
基本的
set ethernet-switching-options dot1q-tunneling ether-type 0x8100 封装协议
set vlans qinqvlan vlan-id 2821
set vlans qinqvlan dot1q-tunneling
##端口为trunk
set interfaces ge-0/1/0 unit 0 family ethernet-switching port-mode trunk
##允许通过Vlan为600
set interfaces ge-0/1/1 unit 0 family ethernet-switching native-vlan-id 600 **由于上联汇聚交换机的端口为Access口所以要透传的Vlan为native-Vlan
##root用户名密码
set system root-authentication encrypted-password "$1$z2Z28Ixe$AScMP7uMvMHY3fy8dgtm11"
##端口模式为acces
set interfaces ge-0/0/0 unit 0 family ethernet-switching port-mode access
##端口加入Vlan为600
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members 600
set ethernet-switching-options analyzer debug output interface ge-0/0/4.0
Juniper路由器常用命令表
Juniper路由器常用命令表Juniper路由器常用命令表:1·登录与基本操作1·1 连接与登录1·2 登录后的基本操作1·3 退出登录2·系统操作与管理2·1 系统状态与信息查看2·2 系统配置与修改2·3 系统重启与关机2·4 用户管理3·接口配置3·1 物理接口3·1·1 接口状态查看与设置3·1·2 接口带宽与速率限制设置3·2 逻辑接口3·2·1 VLAN接口配置3·2·2 Loopback接口配置4·路由配置4·1 静态路由配置4·2 动态路由配置4·2·1 OSPF配置4·2·2 BGP配置4·2·3 RIP配置5·安全配置5·1 防火墙配置5·1·1 基本防火墙规则配置5·1·2 会话表与连接追踪配置5·1·3 防火墙日志配置5·2 虚拟专用网络(VPN)配置5·2·1 IPsec VPN配置5·2·2 SSL VPN配置6·网络服务配置6·1 DHCP服务配置6·2 DNS服务配置6·3 NAT配置7·系统诊断与故障处理7·1 接口故障排查7·2 路由故障排查7·3 防火墙故障排查7·4 网络连通性测试7·5 系统日志与告警查看附:本文档涉及附件附件:无注释:本文所涉及的法律名词及注释1·路由器:一种计算机网络设备,用于在局域网或广域网之间转发数据包。
2·VLAN:虚拟局域网,将一组逻辑上的设备或用户分组,形成一个局域网。
Juniper路由器常用命令表
user id为2001;
class为high
设置telnet和ftp服务
Line vty 0 4
#set services telnet
设置telnet服务
ip ftp
# set services ftp
设置ftp服务
#set system services telnet connection-limit 5
client的配置
# set ntp boot-server202.96.103.37
ntp server配置
此处只能写ip不能为主机名
SNMP配置
#set snmp community keepalive authorization read-only
SNMP配置
端口数据设置
Interface
#edit interfaces
限制telnet的最大连接数5
syslog服务配置
# set syslog user * any emergency
#set system syslog host202.96.103.73any any
所有syslog信息都写到远程主机
#set system syslog file messages any notice
>show chassis alarms
查看设备告警信息
sh environment all
>show chassis environment
查看详细的硬件温度及状态信息
# run show chassis fpc pic-status
查看办卡信息
show controller intfc
JUNIPER常用命令
参数时区设置虚拟路由器设置ALG认证和管理员属性ZONE设置接口设置Flow设置HA设置SYSLOGSNMP VPN命令set clock dst-offset clock ntpset clock timezone 8set ntp server x.x.x.xset ntp server backup1 "x.x.x.x"set ntp server backup2 "x.x.x.x"set ntp max-adjustment 0set vrouter trust-vr sharableunset vrouter "trust-vr" auto-route-export unset alg sip enableunset alg mgcp enableunset alg sccp enableunset alg sunrpc enableunset alg msrpc enableunset alg rtsp enableunset alg h323 enableset auth-server "Local" id 0set auth-server "Local" server-name "Local" set auth-server "XXXX" id 1set auth-server "XXXX" server-name "x.x.x.x" set auth-server "XXXX" account-type admin set auth default auth server "Local"set auth-server "XXXX" radius secret "xxxx"set auth-server "ACS" radius port 1646set admin name "ccb"set admin password "xxxxxxxxx"set admin manager-ip x.x.x.x x.x.x.xset admin auth timeout 10set admin auth server "XXXX"set admin auth banner console login "Access is….ly" set admin privilege get-externalset admin format dosset zone "Trust" vrouter "untrust-vr"set zone "Untrust" vrouter "untrust-vr"set zone "DMZ" vrouter "untrust-vr"unset zone "Trust" tcp-rstset zone "Trust" blockunset zone "Untrust" tcp-rstset zone "Untrust" blockset zone "Untrust" screen tear-dropset zone "Untrust" screen syn-floodset zone "Untrust" screen ping-deathset zone "Untrust" screen ip-filter-srcset zone "Untrust" screen landset zone "Untrust" screen alarm-without-dropset interface "ethernet1/1" zone "xxx"set interface ethernet1/1 ip x.x.x.x/xset interface ethernet1/1 routeset interface ethernet1/1 manage-ipset interface ethernet1/1 ip manageableset interface ethernet1/1 manage xxxxunset flow tcp-syn-checkset flow tcp-syn-bit-checkset flow syn-proxy syn-cookieset flow reverse-route clear-text peferset flow reverse-route tunnel alwaysset flow no-tcp-seq-checkset nsrp cluster id 1set nsrp rto-mirror syncset nsrp rto-mirror session ageout-ackunset nsrp rto-mirror session pingset nsrp vsd-group id 0 priority 20set nsrp vsd-group id 0 monitor interface ethernet1/1 set nsrp monitor track-ip ipset nsrp monitor track-ip ip x.x.x.x threshold 10set nsrp vsd-group master-always-existset ntp no-ha-syncset syslog enableset syslog config "x.x.x.x"set syslog config " x.x.x.x " facilities local0 local0set snmp community "xxx" Read-Only Trap-on version v1set snmp host "bbb" y.y.y.y 255.255.255.255 trap v2set snmp name xxxxset snmp port listen 161set snmp port trap 162set pki authority default scep mode "auto"set pki x509 default cert-path partialset ike respond-bad-spi 1unset ike ikeid-enumerationunset ike dos-protectionunset ipsec access-session enableset ipsec access-session maximum 5000set ipsec access-session upper-threshold 0set ipsec access-session lower-threshold 0set ipsec access-session dead-p2-sa-timeout 0unset ipsec access-session log-errorunset ipsec access-session info-exch-connectedunset ipsec access-session use-error-logset interface tunnel.1 zone untrustset interface tunnel.1 ip unnumbered interface ethernet3set ike gateway To_Paris address 2.2.2.2 main outgoing-interface ethernet3 preshare h1p8A24nG5 proposal pre-g2-3des-shaset vpn Tokyo_Paris gateway To_Paris sec-level compatibleset vpn Tokyo_Paris bind interface tunnel.1set vpn Tokyo_Paris proxy-id local-ip 10.1.1.0/24 remote-ip 10.2.2.0/24 anywebConfiguration > Date/Time > Configuration > Date/Time > Configuration > Date/Time > Set Time Zone_hours_minutes from GMT Configuration > Date/Time>Primary Server IP/Name: X.X.X.X Configuration > Date/Time>Backup Server1 IP/Name: X.X.X.X Configuration > Date/Time>Backup Server2 IP/Name: X.X.X.X Configuration >Date/Time>Automatically synchronize with an Internet Time Server (NTP): ( 选择 )Maximum time adjustment seconds:0Network > Routing > Virtual Routers > Edit ( 对于 trust-vr):Shared and accessible by other vsys ( 选择 )Network > Routing > Virtual Router > Edit ( 对于 trust-vr): 取消选择Auto Export Route to Untrust-VR,然后单击 OK。
juniper防火墙常用命令
JUNIPER防火墙常用命令常用查看命令Get int查看接口配置信息Get int ethx/x查看指定接口配置信息Get mip查看映射ip关系Get route 查看路由表Get policy id x 查看指定策略Get nsrp查看nsrp信息,后可接参数查看具体vsd组、端口监控设置等Get per cpu de 查看cpu利用率信息Get per session de 查看每秒新建会话信息Get session查看当前会话信息,后可匹配源地址、源端口、目的地址、目的端口、协议等选项Get session info 查看当前会话数量Get system查看系统信息,包括当前os版本,接口信息,设备运行时间等Get chaiss查看设备及板卡序列号,查看设备运行温度Get counter stat 查看所有接口计数信息Get counter stat ethx/x 查看指定接口计数信息Get counter flow zone trust/untrust 查看指定区域数据流信息Get counter screen zone untrust/trust 查看指定区域攻击防护统计信息Get tech-support查看设备状态命令集,一般在出现故障时,收集该信息寻求JTAC支持常用设置命令Set int ethx/x zone trust/untrust/dmz/ha配置指定接口进入指定区域(trust/untrust/dmz/ha等)Set int ethx/x ip x.x.x.x/xx 配置指定接口ip地址Set int ethx/x manage配置指定接口管理选项,打开所有管理选项Set int ethx/x manage web/telnet/ssl/ssh 配置指定接口指定管理选项Set int ethx/x phy full 100mb 配置指定接口速率及双工方式Set int ethx/x phy link-down 配置指定接口shutdownSet nsrp vsd id 0 monitor interface ethx/x配置ha监控端口,如此端口断开,则设备发生主/备切换Exec nsrp vsd 0 mode backup手工进行设备主/备切换,在当前的主设备上执行set route 0.0.0.0/0 interface ethernet1/3 gateway 222.92.116.33 配置路由,需同时指定下一跳接口及ip地址所有set命令,都可以通过unset命令来取消,相当于cisco中的no所有命令都可以通过“TAB”键进行命令补全,通过“?”来查看后续支持的命令。
- 1、下载文档前请自行甄别文档内容的完整性,平台不提供额外的编辑、内容补充、找答案等附加服务。
- 2、"仅部分预览"的文档,不可在线预览部分如存在完整性等问题,可反馈申请退款(可完整预览的文档不适用该条件!)。
- 3、如文档侵犯您的权益,请联系客服反馈,我们会尽快为您处理(人工客服工作时间:9:00-18:30)。
Juniper 防火墙的策略配置
• 在Juniper设备中策略是一个重点,因为安全设备基本上都是基于策略的管理和运行,下面就Juniper的如何配置进行 简单的说明. 在Juniper防火墙中,区域是一个比较重要的感念,一般的Juniper设备都设置了Untrust,Trust和DMZ三个区域,也可 以根据实际的需要自行定义区域,比如电信行业经常的BOSS,OA区域。 具体的使用命令: netscreenisg1000->set zone id 1000 "boss" netscreenisg1000->set zone id 1001 "oa" 然后使用命令讲相关的防火墙接口加入Zone中,具体的命令:netscreenisg1000-> set interface "ethernet2/4" zone "boss" netscreenisg1000-> set interface "ethernet2/5" zone "oa" 并且在接口上配置相关的IP地址: netscreeenisg1000-> set interface ethernet2/4 ip 10.10.161.14/25 set interface ethernet2/4 route set interface ethernet2/5 ip 192.168.19.126/28 set interface ethernet2/5 nat 然后就是需要建立MIP/VIP. 比如需要建立一个MIP,私网地址10.10.81.54,公网地址10.10.161.54, 图形界面使用比较简单,比如ethernet1/1 是一个untrust区域的接口地址。 netscreeenisg1000->set policy id 22 from "Untrust" to "Trust" "Any" "MIP(10.10.161.31)" "ANY" permit log netscreeenisg1000->set policy id 19 from "Untrust" to "Trust" "Any" "MIP(10.10.161.105)" "HTTP" permit log 关于policy就写这么多,关于MIP的是使用后面会继续手写。
•
• • • •er 防火墙的管理
• 在实际的网络工程中,Juniper的防火墙产品被大量的应用在网络环境中。但是Juniper防火墙产品的配置也是大家比 较陌生的,下面就通过Juniper防火墙的使用来说明如何配置。 本次介绍的Juniper防火墙产品全部是在Juniper netscreen-ISG1000和Juniper netscreen-ISG2000中实现的.其中 Juniper netscreen-ISG1000的版本Software Version: 5.0.0r10a.4, Type: Firewall+VPN.Juniper netscreen-ISG2000 的版本Software Version: 6.0.0r4.0, Type: Firewall+VPN 1 Juniper防火墙产品的管理 对于防火墙产品的管理和配置主要有以下几个方法: (1)console 方式 Juniper防火墙和Cisco的路由器和防火墙之类的一样,初次配置需要使用console线缆进行配置,具体的参数设置和 Cisco的路由器和防火墙一致。在这里就具体的不说了。 (2)telnet或者ssh 对于使用telnet或者ssh进行管理Juniper防火墙,首先必须配置管理地址并且启用telnet或者ssh服务。在Juniper netscreen-ISG1000中默认的管理地址192.168.1.1,就可以使用telnet或者ssh工具进行远程管理。具体的使用命令 set interface ethernet1/1 manage telnet set interface ethernet1/1 manage ssh 比如;telnet 192.168.1.1 在Juniper netscreen-ISG2000中的默认地址为172.16.70.1/24 ,建议使用命令行进行修改。 set interface mgt ip 192.168.1.1/24 set interface mgt manage telnet, set interface mgt manage ssh, set interface mgt manage web (3)web方式管理 web方式管理和使用telnet或者ssh一样,首先要配置管理地址和启用web服务。 具体的命令为: set interface ethernet1/1 ip 192.168.193.33/28 set interface ethernet1/1 manage web 然后使用http://192.168.193.33来进行管理。
•
Juniper 防火墙常见命令
• Interfaces in vsys Root: Name IP Address Zone MAC VLAN State VSD mgt 172.16.70.1/24 MGT 001b.c06a.1080 - D eth1/1 192.168.19.33/28 Trust 0010.dbff.c070 - U 0 eth1/2 192.168.19.65/28 Trust 0010.dbff.c080 - U 0 eth1/3 192.168.19.49/28 Trust 0010.dbff.c090 (3) get arp netscreenisg2000-> get arp usage: 9/8192 miss: 0 always-on-dest: disabled ----------------------------------------------------------------------------------------IP Mac VR/Interface State Age Retry PakQue Sess_cnt ----------------------------------------------------------------------------------------192.168.19.161 002255e5c490 trust-vr/eth1/4 VLD 762 0 0 1373 192.168.19.46 000fe265a846 trust-vr/eth1/1 VLD 1167 0 0 56 192.168.19.62 00127fa7e351 trust-vr/eth1/3 VLD 761 0 0 395 192.168.19.30 00000c07ac02 trust-vr/red1 VLD 964 0 0 (4)get mip netscreenisg2000-> get mip Total MIPs under Root configured:78 Max:20000. -------------------------------------------------------------------------------Map IP Host IP Interface VRouter -------------------------------------------------------------------------------219.14.172.6/32 192.168.4.3 ethernet1/5 trust-vr 219.14.172.7/32 192.168.2.80 ethernet1/5 trust-vr 219.14.172.71/32 192.168.12.23 ethernet1/5 trust-vr 219.14.172.72/32 192.168.2.101 ethernet1/5 trust-vr (5)get vip netscreeisg2000-> get vip Virtual IP Interface Port Service Server/Port 219.23.178.10 ethernet3/3 9080 9080 192.168.4.5/9080(OK) 219.23.17.10 ethernet3/3 22 SSH 192.168.4.145/22(OK)
•
• •
• •
Juniper 防火墙常见命令
• 常见的命令 (1)get system netscreenisg2000-> get system Product Name: NetScreen-2000 Serial Number: XXXXXXXX, Control Number: 00000000 Hardware Version: 3010(0)-(04), FPGA checksum: 00000000, VLAN1 IP (0.0.0.0) Software Version: 6.0.0r4.0, Type: Firewall+VPN OS Loader Version: 1.1.5 Compiled by build_master at: Fri Jan 11 14:27:42 PST 2008 Base Mac: 001b.c06a.1080 File Name: default (nsISG2000.6.0.0r4.0), Checksum: 1e5d880f , Total Memory: 2048MB Date 06/04/2009 08:28:24, Daylight Saving Time disabled The Network Time Protocol is Disabled Up 805 hours 29 minutes 18 seconds Since 01May2009:18:59:06 Total Device Resets: 0 (2) get interface netscreenisg2000-> get interface A - Active, I - Inactive, U - Up, D - Down, R - Ready