1 系统配置 2
1.1 系统信息基本配置 2
1.2 系统用户信息 2
1.3 系统服务配置 3
2 端口配置 4
2.1 juniper端口介绍 4
2.2 端口配置 4
3 SNMP配置 6
4 Routing-options配置 7
4.1 静态路由配置 7
4.2 route-id&as 7
4.3 bgp聚合配置 7
5 Route protocal配置 8
5.1 Ospf配置 8
5.2 Bgp 配置 9
6 Policy 配置 9
7 Firewall 配置 12
8 Juniper与Cisco互连端口参数调整 12
9 Juniper备份结构与Cisco不同 14
9.1 console root登录 14
9.2 telnet登录 14
Juniper所有配置,均在配置状态下进行。分为由console进入和远程telnet进入。
由console进入JUNOS系统命令操作(由FreeBSD的简化系统)
%cli 进入下面的用户操作
hostname>edit 进入下面的用户配置
hostname# 配置操作
由远程telnet直接进入用户操作
hostname>edit 进入下面的用户配置
hostname# 配置操作
1系统配置
1.1系统信息基本配置
#edit system 进入system配置菜单
#set host-name axi580-a-hz1
#set domain-name zj.cn.net
#set time-zone Asia/Shanghai
# set system root-authentication plain-text-password (console登录,root口令缺省为空,虚设新口令)
New password:******
Retype new password:******
#show 查看配置
#commit 配置生效 OR
#commit confirmed 配置生效测试,5分钟后系统自动会滚,恢复原来配置。
1.2系统用户息
1.2.1 用户组的配置
#set login class high idle-timeout 30 permissions all
“high” 是组名;”all” 用户将拥有该router的全部权限。
#set login class medium idle-timeout 30 permissions clear
#set login class medium idle-timeout 30 permissions configure
#set login class medium idle-timeout 30 permissions interface-control
#set login class medium idle-timeout 30 permissions network
#set login class medium idle-timeout 30 permissions maintenance
“medium”具有多个权限,” clear configure interface-control network
view maintenance”
#set login class low idle-timeout 30 permissions view
配置了high、medium、low三个权限组,将在用户配置时用到。
权限设置如下:
admin Can view user accounts
admin-control Can modify user accounts
all All permission bits turned on
clear Can clear learned network information
configure Can enter configuration mode
control Can modify any configuration values
edit Can edit full files
field Special for field (debug) support
firewall Can view firewall config
firewall-control Can modify firewall config
floppy Can read and write the floppy drive
interface Can view interface config
interface-control Can modify interface config
maintenance Can perform system maintenance (as wheel)
network Can access the network
reset Can reset and restart interfaces and processes
rollback Can rollback for depth greater than zero
routing Can view routing config
routing-control Can modify routing config
secret Can view secret config
secret-control Can modify secret config
shell Can start a local shell
snmp Can view SNMP config
snmp-control Can modify SNMP config
system Can view system config
system-control Can modify system config
trace Can view trace file settings
trace-control Can modify trace file settings
view Can view current values and statistics
1.2.2 用户配置
#set login user admin full-name newwork-admin uid 2001 class high plain-text-password
New password:******
Retype new password:******
Username 为admin;user id 为2001;组为high
#set login user manager full-name newwork-manager uid 2002 class midium
plain-text-password
New password:******
Retype new password:******
#set login user viewer full-name newwork-viwer uid 2003 class low plain-text-password
New password:******
Retype new password:******
#commit 配置生效 OR
#commit confirmed 配置生效测试,5分钟后系统自动会滚,恢复原来配置。
1.3系统服务配置
1.3.1 telnet服务配置
# set system services telnet 配置启用telnet服务 OR
# set system services telnet connection-limit 5 telnet的最大连接数
#commit 配置生效 OR
#commit confirmed 配置生效测试,5分钟后系统自动会滚,恢复原来配置。
1.3.2 syslog 服务配置
#set system syslog user * any emergency
#set system syslog host 202.96.103.73 any any 所有syslog信息都写到远程主机
#set system syslog file messages any notice 所有notice,authorization信息写在本地
#set system syslog file messages authorization info
1.3.3 ntp 服务配置
ntp client 配置
#set system ntp server 202.96.103.37
ntp server 配置
#set system ntp boot-server 202.96.103.37 此处只能写ip不能为主机名
#commit 配置生效 OR
#commit confirmed 配置生效测试,5分钟后系统自动会滚,恢复原来配置。
检查ntp状态
# run show ntp status
# run show ntp associations
2端口配置
2.1juniper端口介绍
在juniper的配置中,所有端口皆为逻辑端口,在初始配置中没有任何端口信息,如不能准确知道所要配置的端口名称,可用命令来确认。
>show chassis fpc pic-status OR
#run show chassis fpc pic-status (example)
Slot 1 Online
PIC 0 1x OC-48 SONET, SMSR 为 so-1/0/0
PIC 1 1x OC-48 SONET, SMSR
PIC 2 1x OC-48 SONET, SMSR 为 so-1/2/0
Slot 6 Online
PIC 0 2x OC-3 ATM, SMIR 为 at-6/0/0; at-6/0/1
PIC 1 1x G/E, 1000 BASE-SX 为 ge-6/1/0
PIC 2 1x G/E, 1000 BASE-SX
2.2端口配置
# edit interfaces
sonet端口配置
# set so-1/0/0 unit 0 description "HZ to NB 2.5Gb SDH" family inet address 202.96.117.1/30
#show 检查配置
so-1/0/0 {
description HZ to NB 2.5Gb SDH;
unit 0 {
family inet {
address 202.96.117.1/30;
}
}
}
atm端口配置
#set at-6/0/0 clocking external
#set at-6/0/0 atm-options vpi 1 maximum-vcs 100
#set at-6/0/0 atm-options vpi 10 maximum-vcs 200
#set at-6/0/0 unit 0 description HuZhou-HangZhou-ATM vci 10.40 family inet address 202.96.117.50/30
#set at-6/0/0 unit 1 description HuZhou-NingBo-ATM vci 1.51 family inet address 202.96.117.150/30
vci 号为pvc号
#show
at-6/0/0 {
clocking external;
atm-options {
vpi 1 maximum-vcs 100;
vpi 10 maximum-vcs 200;
}
unit 0 {
description HuZhou-HangZhou-ATM;
vci 10.40;
family inet {
address 202.96.117.50/30;
}
}
unit 1 {
description HuZhou-NingBo-ATM;
vci 1.51;
family inet {
address 202.96.117.150/30;
}
}
}
ge端口配置
#set ge-6/1/0 unit 0 description “To Catalysta6509 g1/0” family inet address
202.96.111.193/30
#show
ge-6/1/0 {
unit 0 {
description To Catalysta6509 g1/0;
family inet {
address 202.96.111.193/30;
}
}
}
fe端口配置
#set fe-6/2/0 unit 0 description “To 2948 g1/0” family inet address
202.96.118.1/24
#show
fe-6/2/0 {
unit 0 {
description To 2948 1/0;
family inet {
address 202.96.118.1/24;
}
}
}
loopback配置
#set lo0 unit 0 family inet address address 202.96.101.181/32
#show
lo0 {
unit 0 {
family inet {
filter {
input popme;
}将firewall在该端口上生效,要使其他端口生效,必须在短配置。
address 202.96.101.181/32;
}
}
}
#commit 配置生效 OR
#commit confirmed 配置生效测试,5分钟后系统自动会滚,恢复原来配置。
3SNMP配置
#top 返回顶级菜单
#set snmp community keepalive authorization read-only
keepalive 为community strings
#show
snmp {
community keepalive {
authorization read-only;
}
}
4Routing-options配置
这里只介绍浙江工程中用到的静态、聚合、route-id三点,其他以后在补充。
4.1静态路由配置
#top
#edit routing-options
#set static route 61.130.49.0/24 next-hop 202.96.113.52
#set static route 61.130.50.0/24 next-hop 202.96.113.53
……
#show
static {
route 61.130.49.0/24 next-hop 202.96.113.52;
route 61.130.50.0/24 next-hop 202.96.113.53;
route 61.130.51.0/26 next-hop 202.96.113.51;
route 61.130.51./26 next-hop 202.96.113.49;
route 61.175.144.0/21 next-hop 202.107.247.194;
}
4.2route-id&as
#set route-id 202.96.101.12 建议设为本机的loopback
#set autonomous-system 740 根据实际分配设定
4.3bgp聚合配置
#set aggregate route 61.130.0.0/18
#set aggregate route 61.130..0/18
#set aggregate route 61.130.128.0/18
#set aggregate route 61.130.192.0/18
#set aggregate route 61.174.0.0/17
#set aggregate route 61.174.128.0/17 discard
……
在juniper上BGP对外广播所有聚合,条件是在本地路由表里有此路由或比聚合更细的路由,当未启用的ip段或不能产生本地路由的网段需要对外广播时,可采用discard属性。
#show
aggregate {
route 61.130.0.0/18;
route 61.130..0/18;
route 61.130.128.0/18;
route 61.130.192.0/18;
route 61.174.0.0/17;
route 61.174.128.0/17 discard;
……
}
5Route protocal配置
这里只介绍ospf、bgp的配置
#top
#edit protocols 进入路由协议配置菜单
5.1Ospf配置
#set ospf export ebgp_default_to_ospf 将由ebgp收到的缺省路由广播到ospf路由表中
#set ospf area 0.0.0.0 interface so-1/1/0.0
#set ospf area 0.0.0.0 interface so-1/0/0.0 metric 20 根据实际情况调整metric
#set ospf area 0.0.0.0 interface at-6/1/0.0 metric 20
#set ospf area 0.0.0.1 interface at-6/1/0.3 metric 20
……
#show
ospf {
export ebgp_default_to_ospf; 需要在路由里定义
area 0.0.0.0 {
interface so-1/1/0.0;
interface so-1/0/0.0{
metric 20;
}
interface at-6/1/0.0 {
metric 20;
}
}
area 0.0.0.1 {
interface at-6/1/0.3 {
metric 20;
}
}
}
5.2Bgp 配置
#set bgp export aggregate_to_bgp 在policy里定义,将本地聚合向ibgp、ebgp广播
#edit bgp group ibgp 定义ibgp组名
#set type internal
#set export ebgp-aggregate-ibgp 在policy里定义,向ibgp广播从ebgp收到的路由
#set peer-as 740 根据实际情况配置
#set neighbor 202.96.117.250
#set neighbor 202.96.117.206
#exit
##edit bgp group ebgp 定义ebgp组名
#set type external
#set import change-preference 在policy里定义,改变收到的bgp local-preference
#set export outbound-control-hz1 在policy里定义,调整对ebgp广播的路由特性
#set export from-zj-as1 在policy里定义,将所有本地聚合对外广播,禁止从4134收到的路由广播出去。
#set peer-as 4134
#set neighbor 202.107.253.1
bgp {
export aggregate_to_bgp;
group ibgp {
type internal;
export ebgp-aggregate-ibgp;
peer-as 740;
neighbor 202.96.117.250;
neighbor 202.96.117.206;
}
group ebgp {
type external;
import change-preference;
export [ outbound-control-hz1 from-zj-as1 ];
peer-as 4134;
neighbor 202.107.253.1;
}
}
6Policy 配置
具体配置命令请参照前面格式操作。
policy-options {
prefix-list telnet-list { 定义firewall里的telnet 列表
202.96.96.0/25;
202.96.102.0/27;
202.96.103.32/27;
202.96.103./27;
202.96.117.0/24;
202.101.166.32/27;
}
policy-statement outbound-control-hz1 {
term term1 {
from {
protocol aggregate;
route-filter 202.101.169.128/25 exact;
route-filter 61.130..0/18 exact;
route-filter 61.130.192.0/18 exact;
route-filter 61.153.192.0/18 exact;
route-filter 61.1.128.0/18 exact;
route-filter 202.101.180.0/22 exact;
route-filter 202.101.184.0/22 exact;
}
then {
community add 169comm; 将聚合里的169网段,bgp广播时添加附加串
next term;
}
}
term term6 {
from protocol ospf; 通过ospf收到路由不对外广播
then reject;
}
term term3 {
from protocol local; 本地路由不对外广播
then reject;
}
term term5 {
from protocol static; 静态路由不对外广播
then reject;
}
term term4 {
from protocol direct; 直连路由不对外广播
then reject;
}
}
policy-statement from-zj-as1 {
term term1 {
from {
protocol bgp;
as-path zj-as1; 从4134过来的路由不对外广播
}
then reject;
}
term term2 {
then accept;
}
}
policy-statement change-preference {
from {
protocol bgp;
neighbor 202.107.253.1;
}
then {
local-preference 200; 将由202.107.253.1收到的路由作调整。
as-path-prepend "4134 4134";
}
}
policy-statement aggregate_to_bgp {
from protocol aggregate; 定义对外广播本地聚合
then accept;
}
policy-statement ebgp_default_to_ospf {
from { 向ospf广播bgp的default
protocol bgp;
neighbor 202.107.253.1;
route-filter 0.0.0.0/0 exact;
}
then {
external {
type 1;
}
accept;
}
}
policy-statement ebgp-aggregate-ibgp {
term term1 {
from {
protocol bgp;
neighbor 202.107.253.1;
}
then next term;
}
term term2 {
from protocol aggregate;
then accept;
}
}
community 169comm members 4134:10;
as-path zj-as1 "4134 .*";
}
7Firewall 配置
具体配置命令请参照前面格式操作。
firewall {
filter popme { 定义filter
term term1 {
from {
prefix-list {
telnet-list; 在policy-options 定义
}
protocol tcp;
port telnet;
}
then accept;
}
term term2 {
from {
protocol tcp;
port telnet;
}
then {
reject; 拒绝非list地址telnet
}
}
term term3 {
then accept;
}
}
8Juniper与Cisco互连端口参数调整
| Cisco conf | ||
| interface ATM1/0.11 point-to-point description TO jiaxing Atm 4/0.1 bandwidth 20000 ip address 202.96.117.25 255.255.255.252 no ip directed-broadcast ip ospf network broadcast atm pvc 10 10 43 aal5snap no atm enable-ilmi-trap ! | Cisco- Cisco ospf | |
| interface ATM1/0.13 point-to-point description to NingBo bandwidth 60000 ip address 202.96.117.1 255.255.255.252 no ip directed-broadcast atm pvc 11 10 52 aal5snap no atm enable-ilmi-trap | Cisco(route)- Juniper ospf | |
| interface Vlan6 description web-1 ip address 202.96.105.97 255.255.255.224 no ip directed-broadcast | Cisco(switch)- Cisco(route) ospf | |
| interface Vlan6 description web-1 ip address 202.96.105.97 255.255.255.224 ip directed-broadcast(或者没有此配置) | Cisco(switch)- Juniper ospf | |
| interface POS10/0(与cisco互连) ip address 202.107.253.2 255.255.255.252 no ip directed-broadcast crc 32 clock source internal pos scramble-atm pos flag c2 22 改为: interface POS10/0(与juniper互连) ip address 202.107.253.2 255.255.255.252 no ip directed-broadcast crc 16 | Sdh bgp | so-2/1/0 { keepalives; encapsulation ppp; sonet-options { fcs 16; no-payload-scrambler; } unit 0 { description "580 HZ-DaQu-GSR 2.5G"; family inet { address 202.107.253.2/30; } } |
Cisco route 在保存配置时会自动更新slave ,但juniper不是这样的设计的(现在没有),他有两种方式同步配置:
9.1console root登录
root>edit
root#save re1:/config/juniper.conf
9.2telnet登录
user>start shell
user%su – root
passwd:
root%cli
root>request routing-engine login re1
root%cli
root>edit
root>load re0:/config/juniper.conf
root>commit下载本文
