
JUNIPER NETWORKS SRX Series Configuration Guide (Chinese) V2.0 2011.6

Updated in this version (marked in red in the original): PPPoE, IPsec VPN, ECMP (Junos currently has some issues with it), Summary.

Ltm V2.0 2011.6

Author: Ltm   Email: network-security@hotmail.com   www.juniper.net   QQ group 15900381

Contents
1. Overview
2. JUNIPER SRX Base
3. Interface
4. Authentication
   NAT: Source NAT; Static NAT (MIP); Virtual IP; Destination NAT
5. Security: Zone; Address book; Application (service) book; Schedulers; Policies
6. VPN: IPsec VPN; Dynamic VPN
7. Wireless LAN
8. Switching
9. Routing
10. Class of Service
11. System Properties
12. Chassis Cluster
13. Service
14. Wizards
15. CLI Tools
16. Monitor
17. Syslog
18. Show commands
19. Command-line structure


1. Overview
JUNOS software is the trusted network operating system that has helped Juniper Networks take a leading position in high-performance networking. Juniper strictly follows a single-source network-OS development principle and actively drives JUNOS innovation, integrating routing, switching, security and other services. The resulting product line connects enterprise branch and regional offices, central sites and data centers, and the core and edge of metro and carrier networks. The way JUNOS is built sets it apart from other network operating systems: a single OS with a single modular architecture, enhanced release by release. Carriers, enterprises and public institutions gain three main benefits from deploying JUNOS:

- Continuous operation: high-performance software design, high-availability features, protection against human error and proactive operational safeguards improve network availability and the delivery of applications and services.
- Automated operation: consistent feature implementation, error-resistant configuration, scripting for automating operational tasks, and easy upgrades from a single software release improve efficiency and lower operating costs.
- Accelerated innovation: the standards-based, open design and smooth extensibility of JUNOS, including tools that let partners and customers openly take part in the development process, give you more flexibility in delivering new services and applications.

Features
- Modular: JUNOS uses a modular software design that provides excellent fault recovery and makes integrating new functions such as IPv6 simple.
- Routing expertise: Juniper's IP routing expertise fully complements and enhances the production-grade routing protocols.
- Standards-based: strict adherence to routing and MPLS industry standards and to availability mechanisms such as Protocol Graceful Restart improves stability and reduces operational complexity for customers.
- Security: JUNOS combines intelligent packet processing with excellent performance to give customers a powerful IP security toolkit.
- Rich services: whether for individual users, enterprise customers or service providers, the JUNOS IP services family lets customers deliver a guaranteed experience to every type of end user.
- Policy and control: the Juniper Networks SDX and NMC platforms let customers invoke and control these JUNOS capabilities; the Juniper Networks JUNOScript XML interface also simplifies and accelerates OSS integration.

2. JUNIPER SRX Base
To encourage technical exchange I have written this technical manual for the SRX firewall products. It will be updated regularly, and I welcome discussion. This document is aimed at readers who already have some background with Juniper products.

2.1 Product summary
- ALG identification currently has quite a few problems; if you run into an ALG issue you can disable the ALG.
- New devices: it is best to restore them to factory defaults first (unset all; on Junos, load factory-default).
- Forwarding path: NPC - SPC - IOC (forwarding rules); control path: RE - routing table - forwarding table.
- L2TP with dynamic (dial-in) users plus a RADIUS server is not supported; 10.4R4 and later support local authentication. All low-end models come with 2 users; high-end models do not support this.
- Low-end models are feature-rich; high-end models have strong forwarding performance.
- SRX advantages: routing mode, security mode, switching mode and all WAN features are supported.
- UTM URL filtering: one method is cloud-based checking, the other uses a Websense server. The database can be downloaded and updated but cannot be stored on the device itself. Websense redirect / local: custom lists can be stored locally. For antivirus, the KV engine keeps its database locally, while the other engine (Ph) is cloud-based.
- Junos OS [11.1]

Packet forwarding flow (diagram not reproduced in this text version)


Both local and remote configuration are supported; the device can be managed via Console, telnet, ssh, http and https.

Console parameters:
  Baud rate               9600 bit/s
  Data bits               8
  Stop bits               1
  Parity / flow control   none

Telnet parameters:
  Interface               Eth0/1-*
  Username                root
  Password                (empty)

Management IP: 192.168.1.1. Remember: by default the root user cannot be used for telnet or for management from the Untrust side (including web); the web interface on the management IP and the Console do accept root.

  login: root
  Password: (empty)
  root@% cli
  root> configure
  Entering configuration mode
  [edit]
  root#

The SRX root password is empty by default; a root password must be set before the configuration can be committed. The root password must mix at least two of the four character classes (upper case, lower case, digits, symbols), e.g. test123; a password such as 111111 on its own is rejected.

  root# set system root-authentication plain-text-password
  New password: test123
  Retype new password: test123

  root> request system reboot        (reboot the system; from configuration mode: root# run request system reboot)
  Reboot the system ? [yes,no] (no) yes

Shutdown / reboot commands: request system halt, request system reboot.

Initial management setup:

Management services
  set system services web-management http interface ge-0/0/0.0
  set system services web-management http port 8080
  set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services http

or, since management access is opened per security zone:
  set security zones security-zone untrust interfaces ge-0/0/0.0
  set security zones security-zone untrust host-inbound-traffic system-services ssh
  set security zones security-zone untrust host-inbound-traffic system-services https
  set security zones security-zone untrust host-inbound-traffic system-services telnet
  set security zones security-zone untrust host-inbound-traffic system-services ping

Note that telnet and http carry credentials in cleartext. On an untrust-facing interface prefer ssh and https, and open only the services you need rather than system-services all.

Managing with a non-root user. Add an administrator:
  set system login user test class super-user                       <- make user test a super-user
  set system login user test authentication plain-text-password     <- set the user's password, e.g. test123

Password recovery: while the system is starting, press the space bar quickly. The first press drops into the =>bootd prompt; pressing space again stops at a loader prompt, where you type boot -s to enter single-user mode. You can then run the command below to remove the old password. (Anyone with console access can do this, so physical access to the console must be controlled.)
Remove the root password:
  root# delete system root-authentication
After rebooting, configure a new root password.

Restore factory defaults:
  root@ltm# load factory-default                                    (the configuration is cleared; no reboot is needed)
  root@ltm# set system root-authentication plain-text-password      (a password must be set before commit)
  New password: test123
  Retype new password: test123
  root# commit                                                      (save)
  root# exit                                                        (leave configuration mode)
  root> show configuration | display set                            (view the configuration)
Removing the root password (optional):
  root# delete system root-authentication
After rebooting, configure a new root password.
Note: restoring factory defaults does not require a reboot.

Junos upgrade: upgrading from the web UI is the simplest. Log in to the web management interface:
  Junos 9.5:            Manage => Software => Upload Package
  Junos 9.6 and later:  Maintain => Software => Upload Package
Click "Browse", select the upgrade file, tick "Reboot If Required", then click "Upload and Install Package". The upgrade shows:

  Software Upload Package
  Installing Uploaded Package
  Installation of software package junos-srxsme-9.6R1.13-domestic.tgz is underway.
  Installation Progress
    finished   Receive Package File
    pending    Validate Package File
    pending    Check Configuration Compatibility
    pending    Install Package
    pending    Reboot

The whole process takes about half an hour or longer, so be patient; the device reboots automatically afterwards.
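The management commands above open services per zone, and it is easy to leave telnet, plain http or "system-services all" exposed on the Internet-facing side. The following Python lint, added here and not part of the guide or of Junos, runs over "show configuration | display set" output and flags those cases. The two sample configurations are constructed from the commands on this page; the checks are heuristics over set-lines, not a full Junos configuration parser.

```python
# Added example, not from the guide: lint "display set" output for management exposure.
# Heuristic line checks; SAMPLE_CONFIG / HARDENED_CONFIG are constructed from this page's commands.
import re
from typing import List, Tuple

Finding = Tuple[str, str]   # (severity, message)

ZONE_SVC_RE = re.compile(
    r"^set security zones security-zone (\S+) "
    r"(?:interfaces (\S+) )?host-inbound-traffic system-services (\S+)$")
CLEARTEXT_SERVICES = {"telnet", "http"}

# Constructed: the management commands shown above plus the permit-all default policy
# that appears later in the VPN example.
SAMPLE_CONFIG = """\
set system services ssh
set system services telnet
set system services web-management http interface ge-0/0/0.0
set system services web-management http port 8080
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone untrust host-inbound-traffic system-services ssh
set security zones security-zone untrust host-inbound-traffic system-services telnet
set security zones security-zone untrust host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces pp0.0 host-inbound-traffic system-services all
set security zones security-zone trust interfaces vlan.0
set security policies default-policy permit-all
"""

# Constructed: the same device with only ssh and https, and only ssh opened on untrust.
HARDENED_CONFIG = """\
set system services ssh
set system services web-management https system-generated-certificate
set security zones security-zone untrust host-inbound-traffic system-services ssh
set security zones security-zone trust host-inbound-traffic system-services all
"""


def audit_management(config: str, untrusted_zones=("untrust",)) -> List[Finding]:
    """Return one finding per distinct problem, in order of first appearance."""
    findings: List[Finding] = []

    def add(sev: str, msg: str) -> None:
        if (sev, msg) not in findings:          # the same problem may appear on several lines
            findings.append((sev, msg))

    for line in (l.strip() for l in config.splitlines()):
        if line == "set system services telnet":
            add("high", "telnet service enabled: credentials cross the wire in cleartext")
        if line.startswith("set system services web-management http "):
            add("high", "J-Web enabled over plain http: use web-management https instead")
        if line == "set system services ssh root-login allow":
            add("medium", "ssh root-login allowed: log in as a named super-user and restrict root")
        if line == "set security policies default-policy permit-all":
            add("high", "default-policy permit-all: traffic that no policy matches is allowed")
        m = ZONE_SVC_RE.match(line)
        if not m:
            continue
        zone, ifname, svc = m.groups()
        if zone not in untrusted_zones:        # trust-side exposure is a different conversation
            continue
        where = f"zone {zone}" + (f" interface {ifname}" if ifname else "")
        if svc == "all":
            add("high", f"{where}: host-inbound-traffic system-services all exposes every management service")
        elif svc in CLEARTEXT_SERVICES:
            add("high", f"{where}: cleartext service {svc} reachable from an untrusted zone")
    return findings


if __name__ == "__main__":
    for sev, msg in audit_management(SAMPLE_CONFIG):
        print(f"[{sev}] {msg}")
    print("hardened config findings:", audit_management(HARDENED_CONFIG))
```

Feed it the saved output of "show configuration | display set" before a commit; the hardened sample produces no findings, the page's own commands produce five.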

3. Interface
By default every interface except ge-0/0/0 belongs to the vlan.0 interface group:
  set vlans vlan-trust vlan-id 3                (default configuration)
  set vlans vlan-trust l3-interface vlan.0      (default configuration)
Configure interface addressing:
  set interfaces ge-0/0/0 unit 0 family inet address 192.168.201.209/24
Configure interface speed:
  set interfaces ge-0/0/0 speed 1g link-mode full-duplex
Protocol families:
  set interfaces ge-0/0/0 unit 0 family ?
    ccc                  Circuit cross-connect parameters
    ethernet-switching   Ethernet switching parameters
    inet                 IPv4 parameters
    inet6                IPv6 protocol parameters
    iso                  OSI ISO protocol parameters
    mpls                 MPLS protocol parameters
    tcc                  Translational cross-connect parameters
    vpls                 Virtual private LAN service parameters
  show interfaces

Aggregate interface
  set chassis aggregated-devices ethernet device-count 1
  set interfaces ae0 aggregated-ether-options lacp active
  set interfaces ae0 unit 0 family inet address 192.168.100.254/24
  set interfaces ge-2/0/0 gigether-options 802.3ad ae0
  set interfaces ge-2/0/1 gigether-options 802.3ad ae0
  set security zones security-zone trust interfaces ae0.0 host-inbound-traffic system-services all
Alternatively, define a VLAN and attach it to ae0.0:
  set chassis aggregated-devices ethernet device-count 1
  set interfaces ae0 aggregated-ether-options lacp active
  set interfaces ae0 unit 0 family ethernet-switching port-mode trunk vlan members all
  set interfaces ae0 unit 0 family ethernet-switching native-vlan-id 100
  set interfaces ge-2/0/0 gigether-options 802.3ad ae0
  set interfaces ge-2/0/1 gigether-options 802.3ad ae0
  set interfaces vlan unit 100 family inet address 192.168.100.254/24
  set vlans vlan100 vlan-id 100
  set vlans vlan100 l3-interface vlan.100
  set security zones security-zone trust interfaces vlan.100 host-inbound-traffic system-services all

PPPoE

  root@ltm# run show configuration | display set
  set version 11.1R1.10
  set system host-name ltm
  set system time-zone Asia/Shanghai
  set system root-authentication encrypted-password "$1$x1D.BYMb$joLoLni1ZJhmzajc5h6yQ."
  set security zones security-zone untrust interfaces ge-0/0/0.0
  set interfaces ge-0/0/0 unit 0 encapsulation ppp-over-ether
  set interfaces pp0 unit 0 family inet
  set interfaces pp0 unit 0 ppp-options chap default-chap-secret "$9$MHA8Nds24GjH4o69tu1Is2g4DiTz36ApQz"
  set interfaces pp0 unit 0 ppp-options chap local-name 100110762
  set interfaces pp0 unit 0 ppp-options chap passive
  set interfaces pp0 unit 0 ppp-options pap local-name 100110762
  set interfaces pp0 unit 0 ppp-options pap local-password "$9$rbFe8X-Vw4JGwsQF69pu-VbwaZ.P5Qn/mP"
  set interfaces pp0 unit 0 ppp-options pap passive
  set interfaces pp0 unit 0 pppoe-options underlying-interface ge-0/0/0.0
  set interfaces pp0 unit 0 pppoe-options access-concentrator ispl.com
  set interfaces pp0 unit 0 pppoe-options service-name juniper@ispl.com
  set interfaces pp0 unit 0 pppoe-options auto-reconnect 10
  set interfaces pp0 unit 0 pppoe-options client
  set interfaces pp0 unit 0 family inet negotiate-address
  set routing-options static route 0.0.0.0/0 next-hop pp0.0

The default route could also point at an IP address, but the PPPoE address is dynamic and I found no way to have a route generated automatically when the PPPoE session comes up, so the only option is a static route to pp0.0; it cannot simply be pointed at the untrust interface.

  set security zones security-zone untrust interfaces pp0.0 host-inbound-traffic system-services all
  set security zones security-zone untrust interfaces pp0.0 host-inbound-traffic protocols all
  commit

(Opening system-services all on the Internet-facing pp0.0 is convenient for a lab, but it exposes every management service to the Internet; restrict it to the services you actually need in production.)

Under ScreenOS the PPPoE authentication method defaults to any (chap and pap). In the SRX web UI (version 11.1) only chap is offered, and the official manual's examples also show only chap, so everyone ignores pap. The PPPoE authentication my provider actually used was pap, so the session fell over.

  user@host> show interfaces pp0        (or add: terse)
  root@ltm# run show interfaces pp0 terse
  Interface   Admin  Link  Proto  Local           Remote
  pp0         up     up
  pp0.0       up     up    inet   223.20.81.126   --> 223.20.64.1

  user@host> show pppoe interfaces
  pp0.0  Index 67
    State: Session up, Session ID: 31,
    Service name: video@isp1.com, Configured AC name: isp1.com,
    Session AC name: belur, AC MAC address: 00:90:1a:40:f6:4e,
    Auto-reconnect timeout: 1 seconds,
    Underlying interface: ge-0/0/0.0 Index 69

  user@host> show pppoe version
  Point-to-Point Protocol Over Ethernet, version 1. rfc2516
    PPPoE protocol = Enabled
    Maximum Sessions = 256
    PADI resend timeout = 2 seconds
    PADR resend timeout = 16 seconds
    Max resend timeout = 64 seconds
    Max Configured AC timeout = 4 seconds

  user@host> show pppoe statistics
  Active PPPoE sessions: 4
    PacketType              Sent    Received
    PADI                     502           0
    PADO                       0         219
    PADR                     219           0
    PADS                       0         219
    PADT                       0         161
    Service name error         0           0
    AC system error            0          13
    Generic error              0           0
    Malformed packets          0          41
    Unknown packets            0           0
    Timeout
    PADI                      42
    PADO                       0
    PADR                       0

Other interface types: loopback interface, redundant interface, tunnel interface, Ethernet sub-interface, redundant sub-interface, PPPoE interface.

4. Authentication

NAT
Source NAT
Note: in NAT rules, "any" (source or destination address) must be written as 0.0.0.0/0, unlike in policies. In a policy the destination address is the private (post-NAT) address, unlike ScreenOS, where the policy references the MIP address.
  set security nat source rule-set trust-to-untrust from zone trust
  set security nat source rule-set trust-to-untrust to zone untrust
  set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0
  set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface

Mappings for access from the internal network to internal servers (MIP, VIP) will be covered in the next version of this Guide.

Static NAT (MIP)
In ScreenOS, the interface IP address itself can be used for static NAT (MIP). This option is not currently available in Junos OS. MIP can be one-to-one or many-to-many (a subnet to a subnet).

Example: Static NAT to a single host
ScreenOS configuration
  set int e0/0 mip 1.1.1.100 host 10.1.1.100
  set pol from untrust to trust any mip(1.1.1.100) http permit
Junos OS configuration
  set security nat proxy-arp interface ge-0/0/0.0 address 1.1.1.100/32
  set security nat static rule-set static-nat from zone untrust
  set security nat static rule-set static-nat rule rule1 match destination-address 1.1.1.100
  set security nat static rule-set static-nat rule rule1 then static-nat prefix 10.1.1.100
  set security zones security-zone trust address-book address webserver 10.1.1.100
  set security policies from-zone untrust to-zone trust policy static-nat match source-address any destination-address webserver application junos-http
  set security policies from-zone untrust to-zone trust policy static-nat then permit

Example: Static NAT to a subnet
ScreenOS configuration
  set int e0/0 mip 1.1.1.0 host 10.1.1.0 netmask 255.255.255.240
  set policy from untrust to trust any mip(1.1.1.0/28) http permit
Junos OS configuration
  set security zones security-zone trust address-book address webserver-group 10.1.1.0/28
  set security nat proxy-arp interface ge-0/0/0.0 address 1.1.1.0/28
  set security nat static rule-set static-nat from zone untrust
  set security nat static rule-set static-nat rule rule1 match destination-address 1.1.1.0/28
  set security nat static rule-set static-nat rule rule1 then static-nat prefix 10.1.1.0/28
  set security policies from-zone untrust to-zone trust policy static-nat match source-address any destination-address webserver-group application junos-http
  set security policies from-zone untrust to-zone trust policy static-nat then permit
(The rule-set name must be the same on every line; the original text mixed static-nat and static-set, which would create two rule-sets.)

Virtual IP

ScreenOS Configuration setint e0/0 vip 1.1.1.100 80 http 10.1.1.100 setint e0/0 vip 1.1.1.100 110 pop3 10.1.1.200 set policy from untrust to trust any vip(1.1.1.100) http permit Junos OS Configuration set security nat proxy-arp interface ge-0/0/0.0 address 1.1.1.100 set security nat destination pool dnat-pool-1 address 10.1.1.100/32 set security nat destination pool dnat-pool-2 address 10.1.1.200/32 set security nat destination rule-set dst-nat from zone untrust set security nat destination rule-set dst-nat rule rule1 match destination-address Author:Ltm Email:network-security@hotmail.comwww.juniper.net QQ 群 15900381

1.1.1.100/32 set security nat destination rule-set dst-nat rule rule1 match destination-port 80 set security nat destination rule-set dst-nat rule rule1 then destination-nat pool dnat-pool-1 set security nat destination rule-set dst-nat rule rule2 match destination-address 1.1.1.100/32 set security nat destination rule-set dst-nat rule rule2 match destination-port 110 set security nat destination rule-set dst-nat rule rule2 then destination-nat pool dnat-pool-2 set security zones security-zone trust address-book address webserver 10.1.1.100 set security zones security-zone trust address-book address mailserver 10.1.1.200 set security zones security-zone trust address-book address-set servergroup address webserver set security zones security-zone trust address-book address-set servergroup address mailserver set security policies from-zone untrust to-zone trust policy static-nat match source-address any destination-address servergroup application junos-http set security policies from-zone untrust to-zone trust policy static-nat match application junos-pop3 set security policies from-zone untrust to-zone trust policy static-nat then permit

Destination NAT
A policy can translate a destination IP address into another address. The security device may need to translate one or more public IP addresses into one or more private IP addresses; the relationship between the original and the translated destination address can be one-to-one, many-to-one or many-to-many. Figure 20 (from the ScreenOS documentation, not reproduced here) illustrates the one-to-one and many-to-one NAT-dst relationships.

Destination address translation to a single host. In this example the destination IP and the interface IP are on different subnets.

Example:
ScreenOS configuration
  1. Interfaces
     set interface ethernet3 zone untrust
     set interface ethernet3 ip 1.1.1.1/24
     set interface ethernet2 zone dmz
     set interface ethernet2 ip 10.2.1.1/24
  2. Address
     set address dmz oda2 1.2.1.8/32
  3. Service group
     set group service http-ftp
     set group service http-ftp add http
     set group service http-ftp add ftp
  4. Route
     set vrouter trust-vr route 1.2.1.8/32 interface ethernet2
  5. Policy
     set policy from untrust to dmz any oda2 http-ftp nat dst ip 10.2.1.8 permit
     save
Junos OS configuration commands
  set security nat proxy-arp interface ge-0/0/0.0 address 2.1.1.100
  set security nat destination pool dnat-pool-1 address 10.1.1.100
  set security nat destination rule-set dst-nat from zone untrust
  set security nat destination rule-set dst-nat rule r1 match destination-address 2.1.1.100
  set security nat destination rule-set dst-nat rule r1 then destination-nat pool dnat-pool-1
  set security zones security-zone trust address-book address webserver 10.1.1.100
  set security policies from-zone untrust to-zone trust policy dst-nat match source-address any destination-address webserver application junos-http
  set security policies from-zone untrust to-zone trust policy dst-nat then permit

5. Security
Zone
  set security zones security-zone trust interfaces vlan.0
  set security zones security-zone untrust interfaces ge-0/0/0.0
  root> show security zones

Address book
Address book entries are added inside a zone.
Note: Specify addresses as network prefixes in prefix/length format. For example, 1.2.3.0/24 is an acceptable address book address because it translates to a network prefix. However, 1.2.3.4/24 is not acceptable, because it exceeds the subnet length of 24 bits: everything beyond the subnet length must be entered as 0 (zero). In special scenarios you can enter a single host, because it uses the full 32-bit address length.

The address-set option has the following features:
- You can create address sets in any zone.
- You can create address sets from existing addresses, or create empty address sets and fill them with addresses later.
- You can reference an address-set entry in a policy just like an individual address book entry.
- When you delete an individual address book entry, you must first remove that address from every address set that refers to it.

Note: JUNOS Software applies policies automatically to each address-set member, so you do not have to create them one by one for each address. Furthermore, JUNOS Software writes these policies to ASIC, which makes lookups run very fast.

Create addresses
  set security zones security-zone trust address-book address trust-net 10.1.1.0/24
  set security zones security-zone trust address-book address Bob-PC 10.1.1.1/32
Create an address set (group)
  set security zones security-zone trust address-book address-set All10 address trust-net
  set security zones security-zone trust address-book address-set All10 address Bob-PC
Address ranges cannot be written in the address book; cover a range with prefixes instead.
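The prefix/length rule in the note above (host bits must be zero) and the lack of address ranges are the two things that trip people up when generating address books from a spreadsheet. The following Python helper, added here and not part of the guide or of Junos, validates entries the way the SRX does, expands an IP range into the minimal set of prefixes, and emits the corresponding set lines. The zone, set name and sample entries are constructed for the example.

```python
# Added example, not from the guide: build Junos address-book set lines that satisfy the
# prefix/length rule, expanding ranges into prefixes. Zone/set/entry names are constructed.
import ipaddress
from typing import Dict, List, Tuple, Union

Entry = Union[str, Tuple[str, str]]   # "10.1.1.0/24", "10.1.1.1", or ("first", "last") for a range


def address_book_prefix(text: str) -> str:
    """Normalise one entry: a bare host becomes /32; host bits beyond the mask
    (e.g. 1.2.3.4/24) raise ValueError, which is what the SRX rejects as well."""
    return str(ipaddress.ip_network(text, strict=True))


def range_to_prefixes(first: str, last: str) -> List[str]:
    """Cover an inclusive IPv4 range with the minimal set of CIDR prefixes."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    if lo > hi:
        raise ValueError(f"range {first}-{last} is reversed")
    return [str(n) for n in ipaddress.summarize_address_range(lo, hi)]


def address_set_commands(zone: str, set_name: str, entries: Dict[str, Entry]) -> List[str]:
    """Emit `set security zones security-zone <zone> address-book ...` lines for every
    entry and add each resulting address object to the address set; a range becomes
    one address object per prefix, named <name>-1, <name>-2, ..."""
    base = f"set security zones security-zone {zone} address-book"
    cmds: List[str] = []
    for name, value in entries.items():
        prefixes = range_to_prefixes(*value) if isinstance(value, tuple) else [address_book_prefix(value)]
        for i, prefix in enumerate(prefixes, start=1):
            obj = name if len(prefixes) == 1 else f"{name}-{i}"
            cmds.append(f"{base} address {obj} {prefix}")
            cmds.append(f"{base} address-set {set_name} address {obj}")
    return cmds


if __name__ == "__main__":
    # Constructed input: the page's two entries plus a range the address book cannot hold directly.
    for line in address_set_commands("trust", "All10", {
            "trust-net": "10.1.1.0/24",
            "Bob-PC": "10.1.1.1",
            "lab-range": ("10.1.1.10", "10.1.1.20")}):
        print(line)
```

The range 10.1.1.10-10.1.1.20 comes out as four prefixes (/31, /30, /30, /32), which is exactly what you would otherwise have to work out by hand.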

Application (service) book
Below is a simple example of creating a custom security-policy application (service) for SSH.
List the default application (service) objects:
  show configuration groups junos-defaults applications

Example: create a custom application (service object)
  set applications application my-ssh protocol tcp
  set applications application my-ssh destination-port 22
  set applications application my-ssh inactivity-timeout 3600

Example: custom service objects with multiple ports require "terms"
  set applications application my-ssh term ssh protocol tcp
  set applications application my-ssh term ssh destination-port 22
  set applications application my-ssh term ssh inactivity-timeout 3600
  set applications application my-ssh term ssh1 protocol tcp
  set applications application my-ssh term ssh1 destination-port ssh

Verification
To see information about the address books and zones:
  show configuration security zones
To list the default application objects:
  show configuration groups junos-defaults applications
To list the custom application objects:
  show configuration applications

Schedulers
  set schedulers scheduler test daily start-time 09:00:00 stop-time 12:00:00
  set schedulers scheduler test daily start-time 13:00:00 stop-time 17:30:00
  set schedulers scheduler test monday all-day

Policies

To change the order of policies, use insert (with before or after) in configuration mode; top and up only move you between configuration levels. To disable or re-enable a policy, use deactivate or activate in configuration mode. Policies are evaluated top-down and the first match wins, so a specific deny placed after a broad permit never takes effect.

Example:
  insert security policies from-zone trust to-zone untrust policy Dorp before policy test2

Example:
  set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
  set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
  set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
  set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
  set security policies from-zone trust to-zone untrust policy Dorp match source-address 192.168.1.2/32
  set security policies from-zone trust to-zone untrust policy Dorp match destination-address any
  set security policies from-zone trust to-zone untrust policy Dorp match application any
  set security policies from-zone trust to-zone untrust policy Dorp then deny
  set security policies from-zone trust to-zone untrust policy Dorp then log session-init
  set security policies from-zone trust to-zone untrust policy Dorp then count

Example:
  deactivate security policies from-zone trust to-zone untrust policy <name>
  run show configuration security policies | display set
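The NAT note earlier (policies match the private, post-NAT address; "any" in a NAT rule is 0.0.0.0/0) and the ordering commands here (insert before, deactivate) both follow from the order in which the SRX flow evaluates things: destination NAT, then the ordered policy lookup, then source NAT. The following Python model, added here and not part of the guide or of Junos, walks this page's own addresses through that order. ZonePair, Policy and the rule classes are this example's simplification of the corresponding set statements, and the packets are constructed.

```python
# Added example, not from the guide or Junos: a model of the SRX flow order
# dst-NAT -> policy (first match) -> src-NAT; the classes and packets are this example's own.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


def in_prefix(ip: str, prefix: str) -> bool:
    # "any" is the address-book wildcard for policies; NAT rules must spell it 0.0.0.0/0
    return prefix == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(prefix, strict=False)


@dataclass
class DstNatRule:
    match_dst: str              # public address, e.g. "2.1.1.100/32"
    match_port: Optional[int]   # None = any port
    pool: str                   # private address the destination is rewritten to


@dataclass
class SrcNatRule:
    match_src: str
    match_dst: str
    action: Optional[str]       # "interface", or None for `then source-nat off`


@dataclass
class Policy:
    name: str
    src: str
    dst: str                    # the PRIVATE (post dst-NAT) address, unlike a ScreenOS MIP policy
    app: str
    action: str                 # "permit" / "deny"
    active: bool = True         # `deactivate ... policy <name>` clears this


@dataclass
class ZonePair:
    """One from-zone/to-zone context: ordered policies plus the NAT rule-sets that apply to it."""
    dst_nat: List[DstNatRule]
    policies: List[Policy]
    src_nat: List[SrcNatRule]
    egress_ip: str

    def process(self, src: str, dst: str, dport: int, app: str) -> dict:
        trace: List[str] = []
        for r in self.dst_nat:                      # 1. destination NAT runs before the policy lookup
            if in_prefix(dst, r.match_dst) and r.match_port in (None, dport):
                trace.append(f"dst-nat {dst} -> {r.pool}")
                dst = r.pool
                break
        verdict = "deny (default-policy)"          # 2. ordered policy lookup on the translated dst
        for p in self.policies:
            if p.active and in_prefix(src, p.src) and in_prefix(dst, p.dst) and p.app in ("any", app):
                verdict = p.action
                trace.append(f"policy {p.name}: {p.action}")
                break
        if verdict == "permit":                     # 3. source NAT after the policy; first rule wins
            for r in self.src_nat:
                if in_prefix(src, r.match_src) and in_prefix(dst, r.match_dst):
                    trace.append(f"src-nat {r.action or 'off'}")
                    src = self.egress_ip if r.action == "interface" else src
                    break
        return {"verdict": verdict, "src": src, "dst": dst, "trace": trace}


def insert_before(policies: List[Policy], name: str, before: str) -> List[Policy]:
    """`insert security policies ... policy <name> before policy <before>`"""
    moving = next(p for p in policies if p.name == name)
    rest = [p for p in policies if p.name != name]
    idx = next(i for i, p in enumerate(rest) if p.name == before)
    return rest[:idx] + [moving] + rest[idx:]


def deactivate(policies: List[Policy], name: str) -> None:
    for p in policies:
        if p.name == name:
            p.active = False


def run_scenarios() -> dict:
    results = {}
    inbound = ZonePair(dst_nat=[DstNatRule("2.1.1.100/32", None, "10.1.1.100")],
                       policies=[Policy("dst-nat", "any", "10.1.1.100/32", "junos-http", "permit")],
                       src_nat=[], egress_ip="2.1.1.1")
    results["inbound_private_dst"] = inbound.process("8.8.8.8", "2.1.1.100", 80, "junos-http")
    inbound.policies = [Policy("dst-nat", "any", "2.1.1.100/32", "junos-http", "permit")]   # ScreenOS habit
    results["inbound_public_dst"] = inbound.process("8.8.8.8", "2.1.1.100", 80, "junos-http")
    out = ZonePair(dst_nat=[],
                   policies=[Policy("trust-to-untrust", "any", "any", "any", "permit"),
                             Policy("Dorp", "192.168.1.2/32", "any", "any", "deny")],
                   src_nat=[SrcNatRule("192.168.1.0/24", "192.168.202.0/24", None),   # to-ssg: no NAT over the VPN
                            SrcNatRule("0.0.0.0/0", "0.0.0.0/0", "interface")],      # source-nat-rule
                   egress_ip="223.20.81.126")
    results["dorp_shadowed"] = out.process("192.168.1.2", "8.8.8.8", 443, "junos-https")
    out.policies = insert_before(out.policies, "Dorp", "trust-to-untrust")
    results["dorp_first"] = out.process("192.168.1.2", "8.8.8.8", 443, "junos-https")
    results["internet_natted"] = out.process("192.168.1.5", "8.8.8.8", 443, "junos-https")
    results["vpn_not_natted"] = out.process("192.168.1.5", "192.168.202.9", 22, "junos-ssh")
    deactivate(out.policies, "Dorp")
    results["dorp_deactivated"] = out.process("192.168.1.2", "8.8.8.8", 443, "junos-https")
    return results


if __name__ == "__main__":
    print(*run_scenarios().items(), sep="\n")
```

Two things to read off the traces: a policy that names the public address (the ScreenOS MIP habit) never matches on the SRX because the destination has already been rewritten, and the "source-nat off" exemption for VPN traffic only works because it sits above the catch-all interface-NAT rule, just as the Dorp deny only bites once it is inserted above the broad permit.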

6. VPN
IPsec VPN
SRX to SSG / Hillstone / others. If you want a static-to-static tunnel, just make both ends static; the other encryption settings stay the same. Follow the ScreenOS way of thinking and it works. In this example the SRX is the PPPoE (dynamic address) end and the SSG is the static end. On the SSG, make sure the tunnel interface is placed in the untrust zone. On the SRX, traffic from the local subnet to the remote subnet must be exempted from NAT (source-nat off).

Aggressive mode is needed here because the SRX has a dynamic address and authenticates with a pre-shared key; note that aggressive mode sends the identity in the clear and lets an eavesdropper collect material for offline guessing of the PSK, so use a long random key. MD5 and 3DES are legacy algorithms; prefer SHA-2 and AES where the peer supports them.

  ltm@ltm# run show configuration | display set
  set version 11.1R1.10
  set interfaces ge-0/0/0 unit 0 encapsulation ppp-over-ether
  set interfaces pp0 unit 0 ppp-options pap local-name 100110762
  set interfaces pp0 unit 0 ppp-options pap local-password "$9$l79KLxdbsoZUsYz3/Cu0dbwsJGmfTz69Pf"
  set interfaces pp0 unit 0 ppp-options pap passive
  set interfaces pp0 unit 0 pppoe-options underlying-interface ge-0/0/0.0
  set interfaces pp0 unit 0 pppoe-options access-concentrator ispl.com
  set interfaces pp0 unit 0 pppoe-options service-name "juniper@ispl.com"
  set interfaces pp0 unit 0 pppoe-options auto-reconnect 10
  set interfaces pp0 unit 0 pppoe-options client
  set interfaces pp0 unit 0 family inet negotiate-address
  set interfaces vlan unit 0 family inet address 192.168.1.1/24
  set routing-options static route 0.0.0.0/0 next-hop pp0.0
  set routing-options static route 192.168.202.0/24 next-hop st0.0
  set security ike respond-bad-spi 5
  set security ike proposal p1 authentication-method pre-shared-keys
  set security ike proposal p1 dh-group group2
  set security ike proposal p1 authentication-algorithm md5
  set security ike proposal p1 encryption-algorithm 3des-cbc
  set security ike proposal p1 lifetime-seconds 86400
  set security ike policy ike_pol_ike mode aggressive
  set security ike policy ike_pol_ike proposals p1
  set security ike policy ike_pol_ike pre-shared-key ascii-text "$9$8vOXdsZUHf5FUD9A0ORE"
  set security ike gateway gw_ike ike-policy ike_pol_ike
  set security ike gateway gw_ike address 222.128.70.213
  set security ike gateway gw_ike dead-peer-detection always-send
  set security ike gateway gw_ike local-identity user-at-hostname "ltm@juniper.com"
  set security ike gateway gw_ike external-interface pp0
  set security ipsec traceoptions flag next-hop-tunnel-binding
  set security ipsec vpn-monitor-options
  set security ipsec proposal p2 protocol esp
  set security ipsec proposal p2 authentication-algorithm hmac-md5-96
  set security ipsec proposal p2 encryption-algorithm 3des-cbc
  set security ipsec proposal p2 lifetime-seconds 86400
  set security ipsec policy ipsec_pol_ike perfect-forward-secrecy keys group2
  set security ipsec policy ipsec_pol_ike proposals p2
  set security ipsec vpn ike bind-interface st0.0
  set security ipsec vpn ike vpn-monitor
  set security ipsec vpn ike ike gateway gw_ike
  set security ipsec vpn ike ike ipsec-policy ipsec_pol_ike
  set security ipsec vpn ike establish-tunnels immediately
  set security nat source rule-set trust-to-untrust from zone trust
  set security nat source rule-set trust-to-untrust to zone untrust
  set security nat source rule-set trust-to-untrust rule to-ssg match source-address 192.168.1.0/24
  set security nat source rule-set trust-to-untrust rule to-ssg match destination-address 192.168.202.0/24
  set security nat source rule-set trust-to-untrust rule to-ssg then source-nat off
  set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0
  set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface
  (source NAT rules are matched in order, so the to-ssg exemption must stay above the catch-all rule)
  set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
  set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
  set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
  set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
  set security policies from-zone trust to-zone untrust policy trust-to-untrust then log session-init
  set security policies from-zone trust to-zone untrust policy trust-to-untrust then log session-close
  set security policies from-zone trust to-zone untrust policy trust-to-untrust then count
  set security policies from-zone untrust to-zone trust policy u-t match source-address any
  set security policies from-zone untrust to-zone trust policy u-t match destination-address any
  set security policies from-zone untrust to-zone trust policy u-t match application any
  set security policies from-zone untrust to-zone trust policy u-t then permit
  set security policies from-zone untrust to-zone trust policy u-t then log session-init
  set security policies from-zone untrust to-zone trust policy u-t then log session-close
  set security policies from-zone untrust to-zone trust policy u-t then count
  set security policies from-zone trust to-zone trust policy t-t match source-address any
  set security policies from-zone trust to-zone trust policy t-t match destination-address any
  set security policies from-zone trust to-zone trust policy t-t match application any
  set security policies from-zone trust to-zone trust policy t-t then permit
  set security policies default-policy permit-all
  (alternatively the default policy can be set to permit everything; this lab configuration permits any traffic in both directions, which is fine for testing the tunnel but not for production, where the untrust-to-trust policy should be limited to the VPN subnets)
  set security zones security-zone trust address-book address local-net 192.168.1.0/24
  set security zones security-zone trust host-inbound-traffic system-services all
  set security zones security-zone trust host-inbound-traffic protocols all
  set security zones security-zone trust interfaces vlan.0
  set security zones security-zone trust interfaces st0.1
  set security zones security-zone untrust address-book address remote-net 192.168.201.0/24
  set security zones security-zone untrust host-inbound-traffic system-services all
  set security zones security-zone untrust host-inbound-traffic protocols all
  set security zones security-zone untrust interfaces pp0.0 host-inbound-traffic system-services all
  set security zones security-zone untrust interfaces pp0.0 host-inbound-traffic protocols all
  set security zones security-zone untrust interfaces st0.0

Troubleshooting:
  request support information
  show log kmd

Verification commands:
  show security ike security-associations
  show security ike security-associations detail
  show security ipsec security-associations
  show security ipsec security-associations detail
  show security ipsec statistics
  show security flow session tunnel

  admin@CORPORATE> show security ike security-associations
  Index   Remote Address  State  Initiator cookie  Responder cookie  Mode
  1       2.2.2.2         UP     744a594d957dd513  1e1307db82f58387  Main
  2       3.3.3.3         UP     744a594d957dd513  1e1307db82f58387  Main

  admin@CORPORATE> show security ipsec security-associations
    total configured sa: 2
    ID      Gateway   Port  Algorithm       SPI       Life:sec/kb   Mon  vsys
    <32785  2.2.2.2   1398  ESP:3des/sha1   29e26eba  28735/unlim   U    0
    >32785  2.2.2.2   1398  ESP:3des/sha1   6d4e790b  28735/unlim   U    0
    total configured sa: 2
    ID      Gateway   Port  Algorithm       SPI       Life:sec/kb   Mon  vsys
    <32786  3.3.3.3   500   ESP:3des/sha1   5c13215d  28782/unlim   -    0
    >32786  3.3.3.3   500   ESP:3des/sha1   18f67b48  28782/unlim   -    0

root@CORPORATE> show security ike security-associations
Index  Remote Address  State  Initiator cookie  Responder cookie  Mode
4      2.2.2.2         UP     5e1db3f9d50b0de6  e50865d9ebf134f8  Main

root@CORPORATE> show security ike security-associations index 4 detail
IKE peer 2.2.2.2, Index 4,
  Role: Responder, State: UP
  Initiator cookie: 5e1db3f9d50b0de6, Responder cookie: e50865d9ebf134f8
  Exchange type: Main, Authentication method: Pre-shared-keys
  Local: 1.1.1.2:500, Remote: 2.2.2.2:500
  Lifetime: Expires in 28770 seconds
  Algorithms:
   Authentication        : sha1
   Encryption            : 3des-cbc
   Pseudo random function: hmac-sha1
  Traffic statistics:
   Input  bytes  : 852
   Output bytes  : 856
   Input  packets: 5
   Output packets: 4
  Flags: Caller notification sent
  IPSec security associations: 1 created, 0 deleted
  Phase 2 negotiations in progress: 0

Confirm IPsec (Phase 2) Status
Once IKE phase 1 is confirmed, you can run the commands below to view the IPsec (phase 2) security associations.

root@CORPORATE> show security ipsec security-associations
  total configured sa: 2
  ID  Gateway  Port  Algorithm      SPI       Life:sec/kb  Mon  vsys
  <2  2.2.2.2  500   ESP:3des/sha1  a63eb26f  3565/ unlim  -    0
  >2  2.2.2.2  500   ESP:3des/sha1  a1024ed9  3565/ unlim  -    0

root@CORPORATE> show security ipsec security-associations index 2 detail
  Virtual-system: Root
  Local Gateway: 1.1.1.2, Remote Gateway: 2.2.2.2
  Local Identity: ipv4_subnet(any:0,[0..7]=10.10.10.0/24)
  Remote Identity: ipv4_subnet(any:0,[0..7]=192.168.168.0/24)
  DF-bit: clear
  Policy-name: vpnpolicy-unt-tr
    Direction: inbound, SPI: 2789126767, AUX-SPI: 0
    Hard lifetime: Expires in 3558 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 2986 seconds
    Mode: tunnel, Type: dynamic, State: installed, VPN Monitoring:
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
    Anti-replay service: enabled, Replay window size: 32
    Direction: outbound, SPI: 2701283033, AUX-SPI: 0
    Hard lifetime: Expires in 3558 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 2986 seconds
    Mode: tunnel, Type: dynamic, State: installed, VPN Monitoring:
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
    Anti-replay service: enabled, Replay window size: 32

Reading notes: the detail view prints SPIs in decimal (2789126767 is 0xa63eb26f from the summary table). The Policy-name line shows that this sample output comes from a policy-based VPN; the configuration earlier in this section is route-based (st0 interfaces), so the identities and policy name will differ on your box. Note also the algorithms: 3des-cbc with hmac-sha1 was the usual default when this guide was written, but 3DES is deprecated today; for a new tunnel choose AES (preferably aes-gcm) with a SHA-2 integrity algorithm and a DH group of 14 or higher, and keep anti-replay enabled as shown here.

root@CORPORATE> show security ipsec statistics index 2
ESP Statistics:
  Encrypted bytes:     920
  Decrypted bytes:    6208
  Encrypted packets:     5
  Decrypted packets:    87
AH Statistics:
  Input bytes:           0
  Output bytes:          0
  Input packets:         0
  Output packets:        0
Errors:
  AH authentication failures: 0, Replay errors: 0
  ESP authentication failures: 0, ESP decryption failures: 0
  Bad headers: 0, Bad trailers: 0

root@CORPORATE> ping 192.168.168.10 interface ge-0/0/0 count 5
PING 192.168.168.10 (192.168.168.10): 56 data bytes
64 bytes from 192.168.168.10: icmp_seq=0 ttl=127 time=8.287 ms
64 bytes from 192.168.168.10: icmp_seq=1 ttl=127 time=4.119 ms
64 bytes from 192.168.168.10: icmp_seq=2 ttl=127 time=5.399 ms
64 bytes from 192.168.168.10: icmp_seq=3 ttl=127 time=4.361 ms
64 bytes from 192.168.168.10: icmp_seq=4 ttl=127 time=5.137 ms
--- 192.168.168.10 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 4.119/5.461/8.287/1.490 ms

root@CORPORATE> show system storage
Filesystem    Size  Used  Avail  Capacity  Mounted on
/dev/ad0s1a   213M  136M   75M       65%   /
devfs         1.0K  1.0K    0B      100%   /dev
devfs         1.0K  1.0K    0B      100%   /dev/
/dev/md0      144M  144M    0B      100%   /junos
/cf           213M  136M   75M       65%   /junos/cf
devfs         1.0K  1.0K    0B      100%   /junos/dev/
procfs        4.0K  4.0K    0B      100%   /proc
/dev/bo0s1e    24M   13K   24M        0%   /config
/dev/md1      168M  7.3M  147M        5%   /mfs
/dev/md2       58M   38K   53M        0%   /jail/tmp
/dev/md3      7.7M  108K  7.0M        1%   /jail/var
devfs         1.0K  1.0K    0B      100%   /jail/dev
/dev/md4      1.9M  6.0K  1.7M        0%   /jail/html/oem
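Added example, not part of the original guide: a Python parser for the "show security ipsec security-associations" summary table shown above, followed by a review pass that applies the reading notes (inbound/outbound pairing, NAT-T port, VPN-monitoring column) and flags deprecated algorithms. The sample text is transcribed from the page's own output; the "weak algorithm" lists encode this example's own assumption about current policy, not a Juniper default.

```python
"""Parse 'show security ipsec security-associations' output and flag points worth a second look."""
import re

# Constructed sample, transcribed from the command output shown above (not a live capture).
SAMPLE_OUTPUT = """\
total configured sa: 2
ID      Gateway  Port  Algorithm      SPI       Life:sec/kb  Mon  vsys
<32785  2.2.2.2  1398  ESP:3des/sha1  29e26eba  28735/unlim  U    0
>32785  2.2.2.2  1398  ESP:3des/sha1  6d4e790b  28735/unlim  U    0
total configured sa: 2
ID      Gateway  Port  Algorithm      SPI       Life:sec/kb  Mon  vsys
<32786  3.3.3.3  500   ESP:3des/sha1  5c13215d  28782/unlim  -    0
>32786  3.3.3.3  500   ESP:3des/sha1  18f67b48  28782/unlim  -    0
"""

# One SA row: direction arrow, ID, gateway, UDP port, proto:enc/auth, SPI, life sec/kb, Mon, vsys.
SA_RE = re.compile(
    r"^([<>])(\d+)\s+(\S+)\s+(\d+)\s+(ESP|AH):(\S+?)/(\S+)\s+([0-9a-fA-F]+)\s+"
    r"(\d+|unlim)/\s*(\d+|unlim)\s+(\S+)\s+(\d+)$"
)

# Algorithms a reviewer would not accept for a new tunnel (assumption: local policy, not a Junos setting).
WEAK_ENC = {"des", "3des"}
WEAK_AUTH = {"md5"}


def parse_sas(text):
    """Return one dict per SA row; '<' rows are inbound, '>' rows outbound."""
    rows = []
    for line in text.splitlines():
        m = SA_RE.match(line.strip())
        if not m:
            continue  # header lines and 'total configured sa' lines
        arrow, sa_id, gw, port, proto, enc, auth, spi, life_s, life_kb, mon, vsys = m.groups()
        rows.append({
            "direction": "inbound" if arrow == "<" else "outbound",
            "id": int(sa_id), "gateway": gw, "port": int(port), "protocol": proto,
            "encryption": enc, "authentication": auth,
            "spi": int(spi, 16),  # the detail view prints this value in decimal
            "life_sec": None if life_s == "unlim" else int(life_s),
            "life_kb": None if life_kb == "unlim" else int(life_kb),
            "monitor": mon, "vsys": int(vsys),
        })
    return rows


def review_sas(rows):
    """Return de-duplicated (sa_id, message) findings, one per tunnel and issue."""
    findings = []
    directions = {}
    for r in rows:
        directions.setdefault(r["id"], set()).add(r["direction"])
        if r["encryption"] in WEAK_ENC or r["authentication"] in WEAK_AUTH:
            findings.append((r["id"], f"{r['encryption']}/{r['authentication']} to {r['gateway']}: "
                                      "deprecated algorithm, prefer AES-GCM or AES-CBC with SHA-2"))
        if r["port"] not in (500, 4500):
            findings.append((r["id"], f"UDP port {r['port']}: peer {r['gateway']} is behind NAT (NAT-T, port translated)"))
        if r["monitor"] == "-":
            findings.append((r["id"], f"VPN monitoring not enabled for tunnel to {r['gateway']}"))
    for sa_id, dirs in directions.items():
        if dirs != {"inbound", "outbound"}:
            findings.append((sa_id, "only one direction installed; Phase 2 may have failed half-way"))
    return list(dict.fromkeys(findings))  # inbound and outbound rows raise the same tunnel-level finding once


if __name__ == "__main__":
    for sa_id, message in review_sas(parse_sas(SAMPLE_OUTPUT)):
        print(f"SA {sa_id}: {message}")
```

Feed it the saved output of the command (or the output of "show security ipsec security-associations | no-more" over SSH) to get a quick tunnel inventory; on the page's data it reports the deprecated 3DES on both tunnels, the NAT-T port on the tunnel to 2.2.2.2 and the missing VPN monitoring on the tunnel to 3.3.3.3.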

Dynamic VPN

七、Wireless LAN

八、Switching

九、Routing
Creating Static Routes
The following example configures a static route to 10.2.2.0/24 with a next-hop address of 10.1.1.254:
set routing-options static route 10.2.2.0/24 next-hop 10.1.1.254

Creating Default Routes
The following example configures an IPv4 default route with a next-hop address of 10.1.1.254:
set routing-options static route 0.0.0.0/0 next-hop 10.1.1.254

Verify with:
show route terse

ECMP
ECMP on Junos is flow-based, i.e. session-based: every packet of one session follows the same next hop. The hashing algorithm cannot be changed (not specifically confirmed). As a consequence, once ECMP is configured you cannot tell with tracert which gateway a host's traffic is taking, because all probes of one trace belong to one flow; to see both gateways in use, open several different "what is my IP" pages (for example ip138.com, ip139.com, 140, 150) so that separate sessions hash to separate next hops.

Note that the policy action is literally "load-balance per-packet", but on the SRX it still produces per-flow distribution. The name used in the forwarding-table export must be the name of the policy-statement (load-balance here), otherwise the commit fails.

set policy-options policy-statement load-balance then load-balance per-packet
set routing-options static route 0.0.0.0/0 next-hop 192.168.201.251
set routing-options static route 0.0.0.0/0 next-hop 192.168.202.251
set routing-options forwarding-table export load-balance
run monitor interface traffic
clear interfaces statistics fe-0/0/1

ltm@ltm# show routing-options
static {
    route 0.0.0.0/0 next-hop [ 192.168.201.251 192.168.202.251 ];
}

ltm@ltm# run show route terse
inet.0: 7 destinations, 7 routes (7 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

A Destination         P Prf  Metric 1  Metric 2  Next hop          AS path
* 0.0.0.0/0           S   5                      >192.168.201.251
                                                  192.168.202.251
* 192.168.1.0/24      D   0                      >vlan.0
* 192.168.1.1/32      L   0                       Local
* 192.168.201.0/24    D   0                      >ge-0/0/0.0
* 192.168.201.207/32  L   0                       Local
* 192.168.202.0/24    D   0                      >ge-0/0/1.0
* 192.168.202.60/32   L   0                       Local

[edit]
ltm@ltm#

Test procedure:
1. Configure a PC on each side of the firewall: pc-1 with IP address 10.10.10.2, pc-2 with IP address 192.168.0.100.
2. Set up FTP and HTTP servers on pc-2, download test files from pc-2 with pc-1 over both at the same time, and use monitor interface traffic to watch which interfaces the traffic takes.
3. Disconnect interface ge-0/0/0 to force an HA failover and check whether the behaviour matches the expected result.

Test results:
1. While downloading the test file over HTTP, the flow entered via reth1 and left via reth0.
2. After adding an FTP download of the test file and a continuous ping from pc-1 to pc-2, the flows entered via reth1 and left via reth2 and reth4.
3. After the HA failover, traffic continued normally.

Summary: with four equal-cost routes the load-balancing test passed; forwarding is per flow.
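Added example, not part of the original guide, covering both the ECMP description and the test above: a Python model of flow-hashed ECMP that shows why a single tracert only ever reveals one gateway while many separate sessions spread over all next hops. The 5-tuple hash (crc32), the host addresses and the four-gateway variant are this example's own assumptions; the SRX packet forwarding engine's real hash function is not documented here.

```python
"""Model of flow-hashed (per-session) ECMP on a default route with several next hops."""
import zlib
from collections import Counter

# The two default-route next hops from the configuration above.
NEXT_HOPS = ["192.168.201.251", "192.168.202.251"]


def select_next_hop(src_ip, dst_ip, proto, src_port, dst_port, next_hops=NEXT_HOPS):
    """Pick a next hop by hashing the 5-tuple: the same flow always maps to the same hop.
    crc32 is used only because it is deterministic across runs (Python's hash() is not);
    it is an assumption, not the SRX PFE's actual hash."""
    key = f"{src_ip}|{dst_ip}|{proto}|{src_port}|{dst_port}".encode()
    return next_hops[zlib.crc32(key) % len(next_hops)]


def traceroute_view(src_ip, dst_ip, probes=30, next_hops=NEXT_HOPS):
    """All probes of an ICMP tracert share source, destination and protocol, so they form one
    flow; the set of gateways the trace can observe therefore has exactly one member."""
    return {select_next_hop(src_ip, dst_ip, "icmp", 0, 0, next_hops) for _ in range(probes)}


def spread(src_ip, dst_ips, proto="tcp", dst_port=80, src_port_base=40000, next_hops=NEXT_HOPS):
    """Open one session per destination (distinct ephemeral source ports) and count how many
    land on each next hop: the 'open several what-is-my-IP pages' test from the text."""
    counts = Counter()
    for i, dst in enumerate(dst_ips):
        counts[select_next_hop(src_ip, dst, proto, src_port_base + i, dst_port, next_hops)] += 1
    return counts


def failover(counts_before, failed_hop, next_hops=NEXT_HOPS):
    """Model the HA/link-failure step: flows that hashed to the failed hop are re-hashed over
    the remaining hops, while flows on surviving hops keep their gateway (the hash is unchanged)."""
    remaining = [h for h in next_hops if h != failed_hop]
    after = Counter({h: n for h, n in counts_before.items() if h != failed_hop})
    for i in range(counts_before.get(failed_hop, 0)):
        after[remaining[i % len(remaining)]] += 1
    return after


if __name__ == "__main__":
    client = "192.168.1.100"
    print("tracert sees:", traceroute_view(client, "203.0.113.10"))
    sessions = spread(client, [f"198.51.100.{i}" for i in range(1, 201)])
    print("200 sessions over 2 gateways:", dict(sessions))
    four = NEXT_HOPS + ["192.168.203.251", "192.168.204.251"]  # assumed hops for the 4-route test
    sessions4 = spread(client, [f"198.51.100.{i}" for i in range(1, 201)], next_hops=four)
    print("200 sessions over 4 gateways:", dict(sessions4))
    print("after losing the first gateway:", dict(failover(sessions4, four[0], four)))
```

The model reproduces the observation in the text: one download or one ping is a single flow and sticks to one reth/gateway, several concurrent downloads are independent flows and land on different gateways, and flows on surviving gateways are unaffected by the loss of another.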

十、Class of Service

十一、System Properties

十二、Chassis Cluster

十三、Service

Enabling DHCP
root@ltm# run show configuration system services dhcp | display set
set system services dhcp name-server 202.106.0.20
set system services dhcp router 192.168.1.1
set system services dhcp pool 192.168.1.0/24 address-range low 192.168.1.2
set system services dhcp pool 192.168.1.0/24 address-range high 192.168.1.254
set system services dhcp propagate-settings vlan.0

十四、Wizards

十五、CLI Tools

十六、Monitor

十七、Syslog

十八、Show commands
Applies to: JUNOS 9.4 and above (with default configuration); JUNOS with Enhanced Services 8.5 through 9.3 (with default configuration).

By default the configuration can only be shown from operational mode (the > prompt). To show it from configuration mode (the # prompt and any level below it), prefix the command with run; show then works at every level. Alternatively, move to a given hierarchy level in configuration mode and type show to see only the configuration under that level.
root# run show configuration                 outputs the hierarchical (curly-brace) format
root# run show configuration | display set   outputs the configuration as the set commands you typed
Check the software version: root@ltm> show version brief

ScreenOS-to-JUNOS command reference (# = configuration mode prompt, > = operational mode prompt)

Session & Interface counters
  get session                       ->  > show security flow session
  get interface                     ->  > show interface terse
  get counter stat                  ->  > show interface extensive
  get counter stat <interface>      ->  > show interface <interface> extensive
  clear counter stat                ->  > clear interface statistics <interface>

Debug & Snoop
  debug flow basic                  ->  # edit security flow
                                        # set traceoptions flag basic-datapath
                                        # commit
      Notes: creates debugs in the default file /var/log/security-trace. See KB16108 for traceoptions info. Packet-drop is a feature that will be added.
  set ff                            ->  # edit security flow
                                        # set traceoptions packet-filter
  get ff                            ->  > show configuration | match packet-filter | display set
  get debug                         ->  > show configuration | match traceoptions | display set
  get db stream                     ->  View stored log (recommended option):
                                        > show log <file name>   (enter h to see help options)
                                        > show log security-trace   (to view 'security flow' debugs)
                                        > show log kmd   (to view 'security ike' debugs)
                                        View real-time (use this option with caution):
                                        > monitor start <debugfilename>
                                        ESC-Q pauses the real-time output to the screen; 'monitor stop' stops the real-time view, but debugs are still collected in the log files.
  clear db                          ->  > clear log <filename>   (clears contents of file)
  undebug <debug>                   ->  # edit security flow
  (stops collecting debugs)             # deactivate traceoptions   OR   # delete traceoptions   (at the particular hierarchy)
                                        # commit
      Notes: use 'file delete <filename>' to actually delete the file. Deactivate makes it easier to enable/disable; use 'activate traceoptions' to turn it back on.
  undebug all                       ->  Not available. You need to deactivate or delete traceoptions separately.
  debug ike detail                  ->  # edit security ike
                                        # set traceoptions flag ike
                                        # commit
      Notes: creates debugs in the default file kmd.
  snoop (packets THRU the JUNOS device)
                                    ->  Use the Packet Capture feature: http://www.juniper.net/techpubs/software/junos-security/junos-security95/junos-security-admin-guide/config-pcap-chapter.html#config-pcap-chapter
      Notes: not supported on SRX 3x00/5x00 yet.
  snoop (packets TO the JUNOS device)
                                    ->  > monitor traffic interface <int> layer2-headers
                                        write-file option (hidden), read-file (hidden)
      Notes: only captures traffic destined for the RE of the router itself. Excludes PING.

Event Logs
  get event                         ->  > show log messages
                                        > show log messages | last 20   (helpful because the newest log entries are at the end of the file)
  get event | include <string>      ->  > show log messages | match <string>
                                        > show log messages | match "<string> | <string>"
                                        Examples:
                                        > show log messages | match "error | kernel | panic"
                                        > show log messages | last 20 | find error
      Notes: match displays only the lines that contain the string; find displays output starting from the first occurrence of the string. There is no equivalent command for 'get event include <string>'.
  clear event                       ->  > clear log messages
  (list the log files)              ->  > show log

Config & Software upgrade
  get config                        ->  > show config   (hierarchical, program-structured format)
                                        > show config | display set   (set command format)
  get license                       ->  > show system license keys
  get chassis (serial numbers)      ->  > show chassis hardware detail
                                        > show chassis environment
                                        > show chassis routing-engine
  exec license                      ->  > request system license [add | delete | save]
  unset all / reset                 ->  # load factory-default
                                        # set system root-authentication plain-text-password
                                        # commit and-quit
                                        > request system reboot
      Notes: see KB15725.
  load config from tftp <tftp_server> <configfile>
                                    ->  > start shell, then FTP the config to the router, e.g. /var/tmp/test.cfg. Then:
                                        # load override /var/tmp/test.cfg   (or the full path of the config file)
      Notes: TFTP is not supported. Use only FTP, HTTP, or SCP.
  load software from tftp <tftp_server> <screenosimage> to flash
                                    ->  > request system software add
                                        Example: request system software add ftp:10.10.10.129/jsr/junos-srxsme-9.5R1.8-domestic.tgz reboot
      Notes: TFTP is not supported. Use only FTP, HTTP, or SCP. Use 'request system software rollback' to roll back to the previous software package. See KB16652.
  save                              ->  # commit   OR   # commit and-quit
  reset                             ->  > request system reboot

Policy
  get policy                        ->  > show security policies
  get policy from <zone> to <zone>  ->  > show security policies from <zone> to <zone>

VPN
  get ike cookie                    ->  > show security ike security-associations
  get sa                            ->  > show security ipsec security-associations
  clear ike cookie                  ->  > clear security ike security-associations
  clear sa                          ->  > clear security ipsec security-associations
                                        > show security ipsec statistics

NSRP
  get nsrp                          ->  > show chassis cluster status
                                        > show chassis cluster interfaces
                                        > show chassis cluster status redundancy-group <group>
  exec nsrp vsd <vsd> mode backup (on master), see KB5885
                                    ->  > request chassis cluster failover redundancy-group <group> node <node>
                                        > request chassis cluster failover reset redundancy-group <group>

DHCP
  get dhcp client                   ->  > show system services dhcp client
  exec dhcp client <int> renew      ->  > request system services dhcp renew   (or release)
      Notes: see KB15753.

Routing
  get route                         ->  > show route
  get route ip <ipaddress>          ->  > show route <ipaddress>
  get vr untrust-vr route           ->  > show route instance untrust-vr
  get ospf nei                      ->  > show ospf neighbor
  set route 0.0.0.0/0 interface <int> gateway <ip>
                                    ->  # set routing-options static route 0.0.0.0/0 next-hop <ip>

NAT
  get vip                           ->  > show security nat destination-nat summary
  get mip                           ->  > show security nat static-nat summary
  get dip                           ->  > show security nat source-nat summary
                                        > show security nat source-nat pool <pool>

Other
  get perf cpu                      ->  > show chassis routing-engine
  get net-pak s                     ->  > show system buffers
  get file                          ->  > show system storage
  get alg                           ->  > show configuration groups junos-defaults applications
      Notes: all pre-defined applications are located within the hidden group junos-defaults. If any ALGs are applied to the pre-defined applications, they will also be displayed with this command. See KB16572.
  get service                       ->  > show configuration groups junos-defaults applications
  get tech                          ->  > request support information
  set console page 0                ->  > set cli screen-length 0
  (directory listing)               ->  > file list <path>   Example: file list /var/tmp/
      Notes: shows a directory listing. Note that / is needed at the end of the path.

Author:Ltm Email:network-security@hotmail.comwww.juniper.net QQ 群 15900381

十九、Command-line structure
Set or Show
system
    root-authentication
    name-server 208.67.222.222 208.67.220.220 202.106.0.20
    login
        user ltm
            authentication
                encrypted-password     Encrypted password string
                plain-text-password    Prompt for plain text password (auto-encrypted)
            class
                operator       permissions [ clear network reset trace view ]
                read-only      permissions [ view ]
                super-user     permissions [ all ]
                unauthorized   permissions [ none ]
    services
        web-management
            > control          Control of the web management process
            > http             Unencrypted HTTP connection settings
            > https            Encrypted HTTPS connections
            management-url     URL path for web management access
            > session          Session parameters
        dhcp
            name-server 202.106.0.20
            router 192.168.1.1
            pool 192.168.1.0/24
    syslog
        archive
        user
        file
interfaces
    ge-0/0/0
        unit 0
            family inet
                address 192.168.201.209/24
routing-options
    static
        route 0.0.0.0/0
security
    nat
        source
            rule-set
        destination
            pool
            rule-set
        proxy-arp
    screen
        ids-option untrust-screen
    zones
        security-zone trust
            address-book
            host-inbound-traffic
            interfaces
        security-zone untrust
            host-inbound-traffic
            interfaces
    policies
        policy

