Juniper-SRX1400-產(chǎn)品配置維護手冊

JuniperSRX1400

產(chǎn)品配置維護培訓

目錄一、SRX1400產(chǎn)品介紹二、JUNOS基本命令介紹三、SRX1400配置介紹及演示四、SRX1400日常維護

目錄一、SRX1400產(chǎn)品介紹二、JUNOS基本命令介紹三、SRX1400配置介紹及演示四、SRX1400日常維護SRX1400機箱式設(shè)計(3U)4個插槽最大1塊IOC;1塊NSPC;1塊RE;1塊SYSIOC(GEorXGE)固定接口(SYSIOC)GE型號6-10/100/1000,6SFPXGE型號6-10/100/1000,3SFP,3SFP+模塊化接口16-10/100/1000;16-SFP;2-XFP多核架構(gòu)2電源冗余(1+1)性能防火墻吞吐率(大包)–

10Gbps并發(fā)連接數(shù)–1.5Million*最少需配1NSPC或1SPC+1NPCSRX1400CardsNetworkProcessingCard(NPC)SingleNetworkProcessor(NP)subsystem-10GigthroughputServicesProcessingCard(SPC)SingleHD-CPUsubsystem/10GigthroughputNetworkServicesProcessingCard(NSPC)1GHz,4GBmemory/CPU/10GigthroughputRoutingEngine(RE)1.2Ghzprocessor/w1GBmemoryCompleteseparationofcontrol/dataplanesIncludesCPP(centralPFEcontroller)andCB(controlboard)I/OCards(IOC)3versionsatFRS:2-port10GE-XFP(SR,LR,ER)16-portGE-SFP(SX,LX,LH,T)16-port10/100/1000Copper10Gigfull-duplexthroughput(oversubscribed)

目錄一、SRX1400產(chǎn)品介紹二、JUNOS基本命令介紹(演示)三、SRX1400配置介紹及演示四、SRX1400組網(wǎng)討論內(nèi)容JUNOS基礎(chǔ)知識基本命令介紹基本配置操作模式shell模式$用戶模式>配置模式#cli/exitstartshellconfigure/editexit配置模式配置模式提示符號是

“#“

在>模式下鍵入config進入配置模式#提示符還由用戶名和主機名共同組成如:user@host#配置模式你編輯的配置文件叫candidate配置文件配置修改不是馬上生效，必須通過commit命令提交之后才生效commit提交之后,candidate配置變成active配置文件，然后新的candidate會被再次創(chuàng)建基本命令-show使用show

命令來查看candidate配置文件在哪一層就顯示哪一層的配置在最外層就顯示所有配置可以在最外層直接指定需要顯示的層次#showsystem#showinterfaces#showinterfacesfxp1#showrouting-options#showprotocolsset命令使用set

增加或者改變配置set

參數(shù)有些是增加，有些是覆蓋#setsystemhost-nameDenver覆蓋#setinterfacefxp0unit0familyinetaddress/24增加#setrouting-optionsrouter-id覆蓋set用法有兩種：(1)一種是用edit進入?yún)?shù)層進行修改(2)一種是在最外層直接寫完所有層次參數(shù)如下面的例子：set命令方法一：ab@SRX#editsystem[editsystem]lab@SRX#editlogin[editsystemlogin]lab@SRX#edituserlab[editsystemloginuserlab]lab@SRX#setuid2002[editsystemloginuserlab]lab@SRX#方法一配置繁瑣，但是簡單明了不容易出錯，適合入門者使用方法二：setsystemloginuserlabuid2002方法二操作簡單，命令輸入量少，并且可以直接粘貼，適合熟練者使用基本命令-commit使用commit

命令來使修改后的內(nèi)容生效commit-檢查配置語法并且激活修改后的內(nèi)容commitcheck-僅僅進行語法檢查，不真正激活配置commitand-quit–

如果提交成功就退出commitconfirmed–nextpage…

基本命令-rollback使用rollback

命令來恢復(fù)commit以前的配置rollback只是將配置恢復(fù)到Candidat配置erollback

或者rollback0

恢復(fù)上次commit之前的配置rollback1

上兩次commit之前的配置總共可以恢復(fù)49份配置，rollback后面可以0-49rollback?可以顯示每次commit的時間，確定恢復(fù)那份配置runfileshow/config/juniper.conf.n.gzn為1-3，可以查看需要恢復(fù)配置的內(nèi)容，對應(yīng)于rollback1-3runfileshow/config/juniper.conf.gz對應(yīng)rollback0runfileshow/var/db/config/juniper.conf.n.gzn為4-49，可以查看需要恢復(fù)配置的內(nèi)容，對應(yīng)于rollback4-49配置文件比較ShowdifferencesbetweencandidateconfigurationfileandActiveconfiguration“Rollback”configurationAnysavedconfigurationfile#show|comparerollbacknumber#show|comparefilenameConfigurationmodeonlyLikeUnixdiff加載配置文件ConfigurationinformationcancomefromanASCIIfilepreparedofflineSyntaxload(replace|merge|override)filename只改變candidate配置需要commit

來生效UsetheloadcommandtoOverride

覆蓋已經(jīng)存在的配置要覆蓋整個配置，使用override選項merge

新的配置語句合并到已經(jīng)存在的配置文件中replace

用新的配置替代已經(jīng)存在的配置JUNOSSoftwareVersion?CLIcommandstodisplayinstalledpackagesshowversion

目錄一、SRX1400產(chǎn)品介紹二、JUNOS基本命令介紹三、SRX1400配置介紹及演示

Zone

SecurityPolicies

NetworkAddressTranslationHighAvailabilityClustering

四、SRX1400日常維護ZonesJuniperNetworksDeviceRoutingInstance1RoutingInstance2RoutingInstanceF.T.F.T.ForwardingTableZoneAZoneBZoneCZoneDZonesInterfacesInterfaces、zones、routinginstances之間的關(guān)系示意圖ZoneTypesZoneTypesUser-Defined

(canbeconfigured)System-Defined

(cannotbeconfigured)SecurityFunctionaljunos-globalNullZoneConfigurationProcedureSteps:DefineasecurityorafunctionalzoneAddlogicalinterfacestothezoneOptionally,addservicesandprotocolsthatmustbepermittedintotheservicesgatewaythroughtheinterfacebelongingtothezoneIfthisstepisomitted,notrafficdestinedfortheservicesgatewayispermittedSecurityPoliciesSecurityPolicyDefinedWhatisasecuritypolicy?定義策略組合用于SRX，使其能根據(jù)策略來決定zone之間的數(shù)據(jù)傳輸WhatshouldIdoifapacketcomesinmatching

CriterionA?TransitTrafficExaminationSRX設(shè)備會根據(jù)securitypolicies來判斷數(shù)據(jù)傳輸?shù)霓D(zhuǎn)發(fā)

Doesasecuritypolicymatchthetraffic?ApplydefaultpolicynoPacketinApplypolicyactions

yesDefaultSecurityPoliciesSystem-defaultsecuritypolicy:denyalltrafficthroughtheSRX-seriesservicesgatewayYoucanchangethedefaultpolicytopermitalltrafficFactory-defaultconfigurationhasthreesecuritypolicies:Trusttotrust:permitallTrusttountrust:permitallUntrusttotrust:denyallX123System-defaultsecurity

policiesbehaviorDenyALLtransit

traffic

Factory-defaultsecurity

policiesbehaviortrustzone

untrust

zonePolicyComponentsSummaryfrom-zoneandto-zonecontextMatchingcriteriaMatchingcriteriaActionAction[editsecuritypolicies]from-zonezone-nameto-zonezone-name

{policyname1

{match{source-addressaddress-name1;destination-addressaddress-name1;applicationapplication-name1;}then{<action>;}}policyname2

{match{source-addressaddress-name2;destination-addressaddress-name2;applicationapplication-name2;}then{<action>;}}…}HighAvailabilityClusteringHighAvailabilityCharacteristicsOverviewHAprovides:Active-passivecontrolanddataplaneredundancyStatefulsessionfailover:NATALGIPsecAuthenticationSynchronization:ConfigurationSessionstateChassisclusterChassisClusterComponentsOverviewChassisclustercomponents:Clusteredservicesgatewaysaregroupedbya

cluster-ididNodeswithinaclusterareidentifiedbyanode

idRedundancygroupsChassisclusterinterfaces:fxp1fxp0fabrethcluster-idDetailsSetusingcluster-idid

cluster-idvaluesrangefrom1–15AroutercanbelongtoonlyoneclusteratanygiventimeIfcluster-id=0,HAconfigurationisignoredServicesgatewaywithinaclusterissetbyanodeidChangeincluster-ididandnode

idrequiresservicesgatewayreboot:user@host#setchassisclustercluster-id1node0

warning:Arebootisrequiredforchassisclustertobeenablednode

id

Detailsnode

iduniquelyidentifiestheservicesgatewaywithinaclusterRangesfrom0–1DeterminesoffsetoftheFPCslotvalueintheinterfacenameofaservicesgatewayuser@host>setchassisclustercluster-ididnodeidreboot

Successfullyenabledchassiscluster.Goingtorebootnow...ChassisClusterInterfaces—rethRedundantinterfacecharacteristics:Anewethernetpseudo-interface,calledrethBundlestwophysicalinterfaces(children),onefromeachmemberoftheclusterMemberinterfacesinheritpropertiesofreth,asconfiguredbytheuserMemberinterfacescanbeineitheractiveorpassivemode,butnotinbothThefailoverpropertiesofthememberinterfacesareinheritedfromtheRG-1configurationrethinterfacehasavirtualMACaddress BasedonclusterandinterfaceIDChassisClusterInterfaces—fxp0fxp0interfaceUsedforout-of-bandmanagementAllowsaccesstoeachnodeofaclusterItisgoodpracticeforeachnodetohaveauniqueIPaddressforfxp0interfacerequiresgroupsconfigurationChassisClusterInterfaces—fxp1fxp1interfaceConfiguredSPCportsusedforchassisclustercontrolplanege-0/0/10andge-0/0/11onSYSIOCJUNOSsoftwareassignsaninternalIPaddresstofxp1TrivialNetworkProtocolrunsontheinterfaceJUNOSsoftwaretransmitsheartbeatsignalstodeterminethehealthofthecontrollink—ifthenumberofmissedheartbeatsreachestheconfiguredthreshold,thesystemfailsoverIffxp1fails,JUNOSsoftwaredisablesthesecondarynodeNodeconfigurationfilesareautomaticallysynchronizedoverfxp1ChassisClusterInterfaces—fabfabn=2GigabitEthernetor10GigabitEthernet,usedforHAdataplaneFabricinterfaceisformedn

reflectsthenodeIDandstartsfrom0TwonodesofaclustermusthavefabnonthesameLANfabinterfacespecifics:interfacedoesnotsupportfilters,policies,logicalinterfaces,orservicesMemberinterfacesmustbeofthesametypeJumboframesaresupportedFragmentationisnotsupportedChassisClusterInterfaceSummaryfabnNode0Node1Clusterfxp1fxp0fxp0rethmrethmControlplaneDataplaneManagementManagementRedundantinterfacesa.b.c/24MonitoringClusterStatisticsuser@node0-host>showchassisclusterstatistics

Initialhold:10

RethInformation:rethstatusredundancy-groupreth0downnotconfiguredreth1up1ServicesSynchronized:Service-nameRtos-sentRtos-receivedTranslationContext00IncomingNAT00ResourceManager50Session-create00Session-close00Session-change00Gate-create00Session-Ageout-refresh-request00Session-Ageout-refresh-reply00VPN00FirewallUserAuthentication00MGCPAlg00...InterfaceMonitoring:InterfaceWeightStatusRedundancy-groupge-12/0/0100up1ge-0/0/0100up1chassis-clusterinterfaces:Controllink:up6606heartbeatssent13729heartbeatsreceived1200msinterval5thresholdchassis-clusterinterfaces:Fabriclink:up15505heartbeatpacketssentonfabric-linkinterface13728heartbeatpacketsreceivedonfabric-linkinterfaceManualFailoveruser@node0-host>showchassisclusterstatusredundancy-group1

Cluster:1,Redundancy-Group:1DevicenamePriorityStatusPreemptManualfailovernode0200PrimaryNoNonode1100SecondaryNoNo

user@node0-host>requestchassisclusterfailoverredundancy-group1node1node1:Initiatedmanualfailoverforredundancygroup1user@node0-host>showchassisclusterstatusredundancy-group1

Cluster:1,Redundancy-Group:1DevicenamePriorityStatusPreemptManualfailovernode0200SecondaryNoYesnode1255PrimaryNoYesVerifystatus:Initiatefailover:

目錄一、SRX1400產(chǎn)品介紹二、JUNOS基本命令介紹三、SRX1400配置介紹及演示四、SRX1400日常維護使用故障檢查資源冷卻系統(tǒng)故障檢查日常性能檢查應(yīng)急預(yù)案

CLI命令行

使用故障檢查資源

對于SRX的硬件、軟件、路由協(xié)議、網(wǎng)絡(luò)連接性的控制和故障檢查、，JUNOS的CLI命令行是主要的使用工具。CLI命令行可以顯示路由表信息，路由協(xié)議的信息，使用ping和traceroute工具體現(xiàn)的網(wǎng)絡(luò)連接信息?？梢酝ㄟ^連接路由引擎上的CONSOLE、ETHERNET、AUX口進入CLI命令行接口。關(guān)于使用CLI顯示端口和機箱產(chǎn)生的告警信息，請參閱“硬件和端口告警信息”。

LED下面描述的LED位于各個組件上，用于顯示各個組件的狀態(tài)。CraftInterfaceLED：SRX1400前面板由一個Craft面板指示系統(tǒng)狀態(tài)，Craft面板上包括路由引擎狀態(tài)指示燈，電源狀態(tài)指示燈，風扇狀態(tài)指示燈和告警指示燈等等ComponentLED：SRX1400的各個系統(tǒng)組件還有自己單獨的狀態(tài)指示燈，比如IOC上的每個端口都有一個LED指示端口狀態(tài)

使用故障檢查資源

硬件和端口告警信息當路由引擎檢測到一個告警的時候，會將前面板上相應(yīng)的紅色或者黃色的告警LED點亮。可以在命令行中使用showchassisalarms顯示詳細的告警描述。uer@host>showchassisalarms這里將描述兩類告警消息：機箱告警（Chassisalarms）——指示機箱組件的告警信息，例如冷卻系統(tǒng)或者電源系統(tǒng)，詳情請查閱下面的表格。端口告警（Interfacealarms）——指示某個端口的問題，詳情請查閱下面的表格。下面的兩個表格中的信息為使用命令showchassisalarms輸出的結(jié)果。表格3?6：機箱告警消息

使用故障檢查資源冷卻系統(tǒng)故障檢查冷卻系統(tǒng)故障檢查冷卻系統(tǒng)包含安裝在機箱側(cè)面的風扇盤來保證SRX工作在一個可以接受的溫度環(huán)境下。要檢查風扇盤，執(zhí)行下面的步驟：通過CLI命令行檢查電源模塊狀態(tài)。通過下面的命令，觀察輸出的Status域的狀態(tài)：root@FW02>showchassisenvironmentClassItemStatusMeasurementFansLeftFan1OKSpinningatnormalspeedLeftFan2OKSpinningatnormalspeedLeftFan3OKSpinningatnormalspeedLeftFan4OKSpinningatnormalspeed...如果有風扇盤發(fā)生故障，可以通過觀察判斷出哪一個風扇除了問題。然后再處理。日常性能檢查

監(jiān)控RECPU利用率SRX1400的路由引擎主要工作是維護路由協(xié)議和路由表root@FW02>showchassisrouting-engineroot@FW02>showchassisrouting-enginenode0:RoutingEnginestatus:Slot0:CurrentstateMasterElectionpriorityMaster(default)DRAM1023MBMemoryutilization29percentCPUutilization:User2percentBackground0percentKernel8percentInterrupt2percentIdle88percentModelRE-SRX1400Starttime2010-01-1922:15:50CSTUptime7days,16hours,45minutes,20secondsLastrebootreason0x1:powercycle/failureLoadaverages:1minute5minute15minute0.010.050.07

日常性能檢查

監(jiān)控SPU利用率由于SRX1400的會話查找，維護都是SPC負責的，因此需要監(jiān)控SPC板卡的利用率。正常工作狀態(tài)下，SPC的CPU利用率應(yīng)該在60%以下，如出現(xiàn)CPU利用率過高情況需給予足夠重視，應(yīng)檢查Session使用情況和各類告警信息，并檢查網(wǎng)絡(luò)中是否存在攻擊流量。SRX防火墻對內(nèi)存采用“預(yù)分配”機制，空載時內(nèi)存使用率為約50-70%，隨著流量不斷增長，內(nèi)存的使用率應(yīng)基本保持穩(wěn)定。如果出現(xiàn)內(nèi)存使用率高達90％時，則需檢查網(wǎng)絡(luò)中是否存在攻擊流量。root@FW02>showsecuritymonitoringfpc6#”6”是SPC所在的槽位編號node0:FPC6PIC0CPUutilization:13%（SPC的CPU利用率）

Memoryutilization:64%（SPC的內(nèi)存利用率）

Currentflowsession:73155Maxflowsession:524288CurrentCPsession:461767MaxCPsession:2359296node1:日常性能檢查

監(jiān)控并發(fā)會話數(shù)root@FW02>showsecuritymonitoringfpc6#”6”是SPC所在的槽位編號root@FW02>showsecuritymonitoringfpc6node0:FPC6PIC0CPUutilization:13%Memoryutilization:64%Currentflowsession:73155Maxflowsession:524288CurrentCPsession:461767

（當前并發(fā)為461767）

MaxCPsession:2359296日常性能檢查

監(jiān)控雙機狀態(tài)正常情況（優(yōu)先級為1-255，數(shù)值高則優(yōu)先級高）root@FW02>showchassisclusterstatusClusterID:1NodePriorityStatusPreemptManualfailoverRedundancygroup:0,Failovercount:3node0254primarynoyesnode1100secondarynoyesRedundancygroup:1,Failovercount:3node0254primarynononode1100secondarynono日常性能檢查

切換雙機狀態(tài)方法一：CLI方式root@FW02>requestchassisclusterfailovernode1redundancy-group1(將nod1