Juniper路由器配置操作手冊

Juniper路由器配置操作手冊

ziJuniperOS4.2R1.3路由器配置操作手冊

1系統(tǒng)配置(2)

1.1系統(tǒng)信息基本配置(2)

1.2系統(tǒng)用戶信息(2)

1.3系統(tǒng)服務(wù)配置(3)

2端口配置(4)

2.1juniper■端口介紹(4)

2.2端口配置(4)

3SNMP配置(6)

4Routing-options酉己置(7)

4.1靜態(tài)路由配置(7)

4.2route-id&as(7)

4.3bgp聚合配置⑺

5Routeprotocal配置(8)

5.10spf配置⑻

5.2Bgp配置(9)

6Policy配置(9)

7Firewall配置(12)

8Juniper與Cisco互連端口參數(shù)調(diào)整(12)

9Juniper備份結(jié)構(gòu)與Cisco不同(14)

9.Iconsoleroot登錄(14)

9.2telnet登錄(14)

Juniper所有配置，均在配置狀態(tài)下進行。分為由console進入和

遠程telnet進入。

由console進入JUNOS系統(tǒng)命令操作(由FreeBSD的簡化系統(tǒng))

%cli進入下面的用戶操作

hostname>edit進入下面的用戶配置

hostname#配置操作

由遠程telnet直接進入用戶操作

hostname>edit進入下面的用戶配置

hostname#配置操作

1系統(tǒng)配置

1.1系統(tǒng)信息基本配置

#editsystem進入system配置菜單

#sethost-nameaxi580-a-hzl

#setdomain-name

#settime-zoneAsia/Shanghai

#setsystemroot-authenticationplain-text-password

（console登錄，root口令缺省為空，虛設(shè)新口令）

Newpassword:******

Retypenewpassword:******

#show查看配置

#commit配置生效OR

#commitconfirmed配置生效測試，5分鐘后系統(tǒng)自動會滾，恢

復原來配置。

1.2系統(tǒng)用戶息

1.2.1用戶組的配置

#setloginclasshighidle-timeout30permissionsall

“high"是組名;〃all”用戶將擁有該router的全部權(quán)限。

#setloginclassmediumidle-timeout30permissionsclear

#setloginclassmediumidle-timeout30permissions

configure

#setloginclassmediumidle-timeout30permissions

interface-control

#setloginclassmediumidle-timeout30permissions

network

#setloginclassmediumidle-timeout30permissions

maintenance

"medium”具有多個權(quán)限：clearconfigureinterface-control

network

viewmaintenance0

#setloginclasslowidle-timeout30permissionsview

酉己置了high、medium,low三個權(quán)限組，將在用戶配置時用到。

權(quán)限設(shè)置如下：

adminCanviewuseraccounts

admin-controlCanmodifyuseraccounts

allAllpermissionbitsturnedon

clearCanclearlearnednetworkinformation

configureCanenterconfigurationmode

controlCanmodifyanyconfigurationvalues

editCaneditfullfiles

fieldSpecialforfield(debug)support

firewallCanviewfirewallconfig

firewall-controlCanmodifyfirewallconfig

floppyCanreadandwritethefloppydrive

interfaceCanviewinterfaceconfig

interface-controlCanmodifyinterfaceconfig

maintenanceCanperformsystemmaintenance(aswheel)

networkCanaccessthenetwork

resetCanresetandrestartinterfacesandprocesses

rollbackCanrollbackfordepthgreaterthanzero

routingCanviewroutingconfig

routing-controlCanmodifyroutingconfig

secretCanviewsecretconfig

secret-controlCanmodifysecretconfig

shellCanstartalocalshell

snmpCanviewSNMPconfig

snmp-controlCanmodifySNMPconfig

systemCanviewsystemconfig

system-controlCanmodifysystemconfig

traceCanviewtracefilesettings

trace-controlCanmodifytracefilesettings

viewCanviewcurrentvaluesandstatistics

1.2.2用戶配置

#setloginuseradminfull-namenewwork-adminuid2001

classhighplain-text-passwordNewpassword:******

Retypenewpassword:******

Username為admin;userid為2001;組為high

#setloginusermanagerfull-namenewwork-manageruid

2002classmidium

plain-text-password

Newpassword:******

Retypenewpassword:******

#setloginuserviewerfull-namenewwork-viweruid2003

classlowplain-text-passwordNewpassword:******

Retypenewpassword:******

#commit配置生效OR

#commitconfirmed配置生效測試，5分鐘后系統(tǒng)自動會滾，恢

復原來配置。1.3系統(tǒng)服務(wù)配置

1.3.1telnet服務(wù)配置

#setsystemservicestelnet配置啟用telnet服務(wù)OR

#setsystemservicestelnetconnection-limit5限制telnet的

最大連接數(shù)

#commit配置生效OR

#commitconfirmed配置生效測試，5分鐘后系統(tǒng)自動會滾，恢

復原來配置。1.3.2syslog服務(wù)配置

#setsystemsysloguser*anyemergency

#setsystemsysloghost3anyany所有syslog信

息都寫到遠程主機

#setsystemsyslogfilemessagesanynotice所有notice,

authorization信息寫在本地#setsystemsyslogfilemessages

authorizationinfo

1.3.3ntp服務(wù)配置

ntpclient配置

#setsystemntpserver7

ntpserver酉己置

#setsystemntpboot-server7此處只能寫ip不能

為主機名

#commit配置生效OR

#commitconfirmed配置生效測試，5分鐘后系統(tǒng)自動會滾，恢

復原來配置。

檢查ntp狀態(tài)

#runshowntpstatus

#runshowntpassociations

2端口配置

2.1juniper端口介紹

在juniper的配置中,所有端口皆為邏輯端口，在初始配置中沒有

任何端口信息，如不能準確知道所要配置的端口名稱，可用命令來確

認。

>showchassisfpcpic-statusOR

#runshowchassisfpcpic-status(example)

Slot1Online

PIC0lxOC-48SONET,SMSR為so-1/0/0

PIC1lxOC-48SONETZSMSR

PIC2lxOC-48SONET,SMSR為so-1/2/0

Slot6Online

PIC02xOC-3ATM,SMIR為at-6/0/0;at-6/0/1

PIC1lxG/E,1000BASE-SX為ge-6/1/0

PIC2lxG/E,1000BASE-SX

2.2端口配置

#editinterfaces

sonet端口配置

#setso-1/0/0unit0description"HZtoNB2.5GbSDH"

familyinetaddress/30#show檢查配置

so-1/0/0{

descriptionHZtoNB2.5GbSDH;

unit0{

familyinet{

address/30;

)

)

)

atm端口配置

#setat-6/0/0clockingexternal

#setat-6/0/0atm-optionsvpi1maximum-vcs100

#setat-6/0/0atm-optionsvpi10maximum-vcs200

#setat-6/0/0unit0descriptionHuZhou-HangZhou-ATMvci

10.40familyinetaddress0/30

#setat-6/0/0unit1descriptionHuZhou-NingBo-ATMvci

1.51familyinetaddress50/30

vci號為pvc號

#show

at-6/0/0{

clockingexternal;

atm-options{

vpi1maximum-vcs100;

vpi10maximum-vcs200;

)

unit0{

descriptionHuZhou-HangZhou-ATM;

vci10.40;

familyinet{

address0/30;

)

)

unit1{

descriptionHuZhou-NingBo-ATM;

vci1.51;

familyinet{

address50/30;

)

)

)

ge端口配置

#setge-6/1/0unit0description"ToCatalysta6509gl/0,z

familyinetaddress

93/30

#show

ge-6/1/0{

unit0{

descriptionToCatalysta6509gl/0;

familyinet{

address93/30;

)

)

)

fe端口配置

#setfe-6/2/0unit0description"To2948gl/0/zfamilyinet

address

/24

#show

fe-6/2/0{

unit0{

descriptionTo29481/0;

familyinet{

address/24;

)

)

)

loopback配置

#setloOunit0familyinetaddressaddress81/32

#show

Io0{

unit0{

familyinet{

filter{

inputpopme;

}將firewall在該端口上生效,要使其他端口生效，必須在短配置。

address81/32;

)

)

)

#commit配置生效OR

#commitconfirmed配置生效測試，5分鐘后系統(tǒng)自動會滾,恢

復原來配置。

3SNMP配置

#top返回頂級菜單

#setsnmpcommunitykeepaliveauthorizationread-only

keepalive為communitystrings

#show

snmp{

communitykeepalive{

authorizationread-only;

)

)

4Routing-options酉己置

這里只介紹浙江工程中用到的靜態(tài)、聚合、route-id三點，其他

以后在補充。

4.1靜態(tài)路由配置

#top

#editrouting-options

#setstaticroute/24next-hop2

#setstaticroute/24next-hop3

#show

static{

route/24next-hop2;

route/24next-hop3;

route/26next-hop1;

route4/26next-hop9;

route/21next-hop94;

)

4.2route-id&as

#setroute-id2建議設(shè)為本機的loopback

#setautonomous-system64740根據(jù)實際分配設(shè)定

4.3bgp聚合配置

#setaggregateroute/18

#setaggregateroute/18

#setaggregateroute/18

#setaggregateroute/18

#setaggregateroute/17

#setaggregateroute/17discard

在juniper上BGP對外廣播所有聚合,條件是在本地路由表里有

此路由或比聚合更組的路由，當未啟用的ip段或不能產(chǎn)生本地路由的

網(wǎng)段需要對外廣播時，可采用discard屬性。

#show

aggregate{

route/18;

route/18;

route/18;

route/18;

route/17;

route/17discard;

)

5Routeprotocal配置

這里只介紹ospf、bgp的配置

#top

#editprotocols進入路由協(xié)議配置菜單

5.1Ospf配置

#setospfexportAbgp_dAfault_to_ospf★各由pbgpU攵至U的缺省

路由廣播到ospf路由表中到etospfareainterfaceso-

1/1/0.0

#setospfareainterfaceso-1/0/0.0metric20根據(jù)實際

情況調(diào)整metric

#setospfareainterfaceat-6/1/0.0metric20

#setospfareainterfaceat-6/1/0.3metric20

#show

ospf(

exportebgp_default_to_ospf;需要在路由政策里定義

area{

interfaceso-1/1/0.0;

interfaceso-l/0/0.0{

metric20;

)

interfaceat-6/1/0.0{

metric20;

)

)

area{

interfaceat-6/1/0.3{

metric20;

)

)

)

5.2Bgp配置

#setbgpexportaggregate_to_bgp在policy里定義，將本地

聚合向ibgp、ebgp廣播#editbgpgroupibgp定義ibgp組名

#settypeinternal

#setexportpbgp-aggrpgatA-ibgp在policy里定義,向ibgp

廣播從ebgp收到的路由#setpeer-as64740根據(jù)實際情況配置

#setneighbor50

#setneighbor06

#exit

##editbgpgroupebgp定義ebgp組名

#settypeexternal

#setimportchange-preference在policy里定義，改變收到的

bgplocal-preference#setexportoutbound-control-hzl在policy

里定義，調(diào)整對ebgp廣播的路由特性

#setexportfrom-zj-asl在policy里定義，將所有本地聚合對外

廣播,禁止從4134收到的路由廣播出去。

#setpeer-as4134

#setneighbor

bgp{

exportaggregate_to_bgp;

groupibgp{

typeinternal;

exportebgp-aggregate-ibgp;

peer-as64740;

neighbor50;

neighbor06;

)

groupebgp{

typeexternal;

importchange-preference;

export[outbound-control-hzlfrom-zj-asl];

peer-as4134;

neighbor;

)

)

6Policy配置

具體配置命令請參照前面格式操作。

policy-options{

prefix-listtelnet-list{定義firewall里的telnet列表

/25;

/27;

2/27;

4/27;

/24;

2/27;

)

policy-statementoutbound-control-hzl{

termterml{

from{

protocolaggregate;

route-filter28/25exact;

route-filter/18exact;

route-filter/18exact;

route-filter/18exact;

route-filter/18exact;

route-filter/22exact;

route-filter/22exact;

)

then{

communityadd169comm;將聚合里的169網(wǎng)段,bgp廣播時

添加附加串

nextterm;

)

)

termtArm6{

fromprotocolospf;通過ospf收到路由不對外廣播

thenreject;

)

termterm3{

fromprotocollocal;本地路由不對外廣播

thenreject;

)

termterm5{

fromprotocolstatic;靜態(tài)路由不對外廣播

thenreject;

)

termterm4{

fromprotocoldirect;直連路由不對外廣播

thenreject;

)

)

policy-statementfrom-zj-asl{

termterml{

from{

protocolbgp;

as-pathzj-asl;從4134過來的路由不對外廣播

)

thenreject;

)

termterm2{

thenaccept;

)

)

policy-statementchange-preference{

from{

protocolbgp;

neighbor;

)

then{

local-preference200;將由收至U的路由作調(diào)整。

as-path-prepend"41344134";

)

)

policy-statementaggregate_to_bgp{

fromprotocolaggregate;定義對外廣播本地聚合

thenaccept;

)

policy-statementebgp_default_to_ospf{

from{向ospf廣播bgp的default

protocolbgp;

neighbor;

route-filter/0exact;

)

then{

external{

type1;

)

accept;

)

)

policy-statementebgp-aggregate-ibgp{

termterml{

from{

protocolbgp;

neighbor;

)

thennextterm;

)

termterm2{

fromprotocolaggregate;

thenaccept;

)

)

community169commmembers4134:10;

as-pathzj-asl"4134

)

7Firewall配置

具體配置命令請參照前面格式操作。

firewall{

filterpopme{定義filter

termterml{

from{

prefix-list{

telnet-list;在policy-options定義

)

protocoltcp;

porttelnet;

)

thenaccept;

)

termterm2{

from{

protocoltcp;

porttelnet;

)

then{

reject;拒絕非list地址telnet

)

)

termterm3{

thenaccept;

)

)

8Juniper與Cisco互連端口參數(shù)調(diào)整

Ciscoconf

interfaceATM1/0.11Cisco-Cisco

point-to-pointospf

descriptionTOjiaxingAtm4/0.1

hnndwidth90000

ipaddress2C-5

52

noipdirecled-bruadcasl

Ipospfnetworkbroadcast

atmpvc1())043aal5%nap

noatmcnablc-ilmi>tnip

j

interfaceATM1/0.13pc?int-to-pointCisccHroute>-Juniper

description(oNingBoospf

bandwidth60000

ipaddress

52

noipdirected-broadcast

atmpvc111052aal5snap

noatmcnablc-ilmi-trap

interfaceVlaii6Cisco(switch)-Cisco(route)

descriptionweb-1ospf

ipaddress7

24

noipdirected-broadcast

interfaceVlan6Cisco(switch)-Juniper

descriptionweb-1ospf

ipaddress2C7

24

ipdircctcd-broadcasKrJc者沒/j

此配置)

interfacePOS10/0(與cisco互連)Sdhso-2/1/0{

ipaddress2Cbgpkeepalives:

52encapsulationppp:

noipdircctcd-broadcastsonct-options{

erc32fes16;

clocksourceintenial

pos