你说你有版权,来找我啊。。
前些日子认真看了一下Juniper路由器的一些命令。在这里总结一下。方便以后使用
Juniper路由器的命令主要分为两个部分,一个是operational,主要是复杂查看目前网络的配置情况(只能查看,不能修改。感觉权限比较低);另一个是configuration,主要用来查看和修改配置(感觉权限高一些)。刚进入到Juniper路由器时,默认进入的是operation,输入edit命令之后,就进入到了[edit]目录下,也就是进入了configuration。
基础配置命令(如未说明则在[edit]目录下)
1、配置主机名字:set system host-name router1
2、配置域名: set system domain-name mynetwork.com
3、配置fxp0接口(以太网中通过这个接口进行路由器的配置)。Set interfaces fxp0 unit 0 family inet address 192.168.15.1/24
4、配置备份路由器:set system backup-router 192.168.15.2
5、配置DNS服务器:set system name-server 192.168.15.3
6、配置root用户的密码:set system root-authentication plain-text-password(密码中不可以全是大写、全是小写、全是数字)
7、设置ntp服务器: set system ntp server 192.168.2.2
8、提交修改:commit
9、查看提交是否合法: commit check
10、在当天特定时间进行提交 commit at 22:45
11、在特定日期的特定时间提交: commit at “2005-02-26 10:45”
12、取消commit的操作 clear system commit
13、为了避免提交带来意外的损害采用:commit confirmed,会在10分钟以后自动回滚
14、与14相同,但在一分钟以后自动回滚:commit confirmed 1
15、提交信息,并同步到备份路由器上: commit synchronize
配置服务:
1、设置ssh服务:set system services ssh
2、配置ftp服务: set system services ftp
3、删除ftp服务: delete system services ftp
权限设置:
1、设置root用户ssh登录的密码 :set system root-authentication ssh password
2、禁止root用户使用ssh登录:[edit system ] set services ssh root-login deny
3、设置密码要求:[edit system login] set password maximun-length 20 set password minimum-length 8 set password minimum-changes 2
4、设置密码加密算法:set system login password formate md5
5、查看自己的权限,以及可以设置的权限: show cli authorization
进入与退出命令:
1、Edit
2、修改root的配置:configure
3、避免多人修改导致设置丢失采用 configure exclusive
4、查看目前修改区域有谁在线:[edit]status(只能看见比你先登录的人,后面登录的信息看不见)
5、强制要求别人下线:request system logout user mike
6、进入到根目录 top
7、退出configuration 模块:quit
8、退出configuration模块:exit configuration-mode
9、提交并退出:commit and-quit
10、退出当前目录:exit
11、进入到某目录 edit 目录名字
查看命令:
1、查看当前目录地下的设置 [edit]show
2、查看你设置的命令 show | display set
3、查看你新增的命令 show | compare(+表示你增加的命令,-表示你删除的命令。这个命令要求根目录下进行,否则输入 top show | compare)
4、查看本次commit的所有信息:commit | display detail 如果失败了会显示失败的原因
5、查看每次commit的信息:show system commit
6、查看本次与回滚版本的区别:show | compare rollback 1(0表示当前版本)
7、查看指定文件的区别:show |compare qxy@archives:nightly/2015-01-01.conf
8、查看用户信息:> show system login
9、查看当前机器的时间信息:show system uptime
10、查看当前所有在线用户 : >show system users
11、显示硬件信息:>show chassis hardware detail
12、显示所有驱动的信息: > show system storage
13、显示驱动信息并进行筛选:>show system storage | except /dev/vn >show system storage | match ad
14、查看软件版本> show version >show version detail
15、显示正在跑的程序:>show system processes
16、查看RE信息:> show chassis routing-engine
17、查看配置的策略:> show configuration policy-options
18、查看指定日志文件 show log policy-trace-log
命令解释:
1、设置命令解释:例如你先set area 0.0.0.0 interface fe-0/0/0 为了要说明area表示的是什么意思,可以再 annotate area 0.0.0.0 “backone router”(class的类型看文档p114~P115)
2、为commit进行备注:Commit comment “turned on telnet”
添加与删除用户:
1、添加超级用户:set system login user qxy class superuser
Set system login user qxy authentication plain-text-password 输入新的密码
Commit
2、删除 delete system login user qxy
3、创建一般用户:[edit system login]set user name class operator set user name full-name “full name” set user name uid 1991 set user name authentication plain-text-password
回滚版本与备份:
1、回滚到前一个版本 rollback 1
2、查看所有可以回滚的版本: rollback ?
3、设置某一版本为绝对安全版本> request system configuration rescue save 或者#run request system configuration rescue save(这个版本只有一个,如果再执行这个命令,就会把原来的覆盖掉)
4、返回到rescue版本:rollback rescue
5、删除rescue回滚版本 >request system configuration rescue delete
6、备份文件系统中的文件:>request system snapshot
7、还原通过快照备份的文件系统: >request system software reboot media disk
8、当master失效时,切换备份作为master: [edit chassis redundancy]set graceful-switchover enable
9、设置备份与master : [edit chassis] set redundancy routing-engine 0 backup set redundancy routing-engine 1 master commit synchronize
10、撤销备份设置:> delete chassis redundancy
路由器策略和防火墙拦截器
1、创建一个策略。名字叫做send-statics 属于term1 匹配的条件是protocol static:
Set policy-options policy-statement send-statics term 1 from protocol static
2、为上面创建的策略设置操作:
Set policy-options policy-statement send-statics term 1 then accept
3、将ospf协议传入
Set protocols ospf export send-statics
(匹配和操作的列表在文档的p324-p325p327,如果要设置多个条件,可以进入到该statement目录下,使用set from ...命令进行设置 )
4、查看配置的策略:
show policy
5、如果你想让某个策略实施在某个部分:
set group external-group import from-my-customers
6、设置fileter(指定ip前缀):
[edit policy-options] set prefix-list PREFIX-LIST-1 10.10.0.1/24
set prefix-list PREFIX-LIST-1 10.10.0.0/16
[edit policy options policy-statement addresses-to-reject]
set term 1 from prefix-list PREFIX-LIST-1
set term 1 then reject
[edit protocols bgp]
set group external-group import addresses-to-reject
7、设置filter(最长前缀匹配):
[edit policy-options policy-statement long-prefix term 1]
set from route-filter 172.18.20.0/19 longer
[edit protocols bgp]
set then reject
8、filter 可选参数
Longer表示最长匹配;
orlonger表示最长匹配或者精确匹配 ;
0.0.0.0/0 upto /7表示匹配0.0.0.0/0,0.0.0.0/1直到0.0.0.0/7;
0.0.0.0/0 prefix-length-range /25-/30匹配0.0.0.0/25到0.0.0.0/30 ;172.10.20.0/24 exact表示精确匹配
9、快速设置方法:
set from route-filter 0.0.0.0/0 upto/7 accept
10、设置路由策略链:
(方法1)set export [block-private remove-communities send-statics]
(方法2)set then local-preference 300
Set then community set 65500:123456
Set then next policy(这样匹配的的包就会跳进下一个策略)
11、创建策略跟踪文件
[edit policy-options policy-statement outbound-policy term 1]
Set then trace
[edit routing-options]
Set traceoptions file policy-trace-log size 10m files 10
Set traceoptions flag policy
12、设置防火墙:(具体参数选择看p341)
[edit firewall filter incoming-to-me term restrict-telnet-ssh]
Set from protocol tcp
Set from destination-port ssh
Set from source-address 159.226.101.80/32
Set then accept
[edit interfaces]
Set fe-0/0/0 unit 0 family inet filter input incoming-to-me(inet表示是ipv4)
13、设置除此之外的配置
Set term testrict-ssh from source-address 10.10.10.1/32 except
Set from protocol-except tcp
14、更改term的位置(也适用于fillter,防火墙的位置是至关重要的)
Insert term restricp-bgp before term testrict-ssh
15、统计接受的数据包
[edit firewall filter incoming-to-me]
Set term final-accept then count incoming-accepted
Set term final-accept then accept
16、查看接受数据包的统计情况
>show firewall filter incoming-to-me
17、将包的情况传递给日志文件
Set term final-accept then log
查看日志文件
> show firewall log
18、限速
[edit firewall]
Set policer limit-icmp if-exceeding bandwidth-limit 1m
Set policer limit-icmp if-exceeding burst-size-limit 50k
Set policer limit0icmp then discard
[edit firewall filer incoming-to-me]
Set term icmp then policer limit-icmp
19、VPN (ipsec)
隧道接口:
set interfaces st0 unit 3 family inet address 10.10.11.46/30 --------FW的st接口配置
set interfaces st0 unit 3 description to-BeijinMajuqiaoDianxinJifang
隧道接口所属区域及绑定功能服务:
set security zones security-zone vpn-Qiao interfaces st0.3 host-inbound-traffic system-services all
阶段一:
//定义ike安全提议
set security ike proposal ike-maJuQiao-proposal authentication-method pre-shared-keys
set security ike proposal ike-maJuQiao-proposal dh-group group2
set security ike proposal ike-maJuQiao-proposal authentication-algorithm sha1
set security ike proposal ike-maJuQiao-proposal encryption-algorithm aes-128-cbc
//ike安全策略
set security ike policy ike-maJuQiao-policy mode main
set security ike policy ike-maJuQiao-policy proposals ike-maJuQiao-proposal
set security ike policy ike-maJuQiao-policy pre-shared-key ascii-text baiwu2015
补充:ike两种模式,主模式和挑战模式,挑战模式是安全网关的身份太清晰
//ike网关,这个网关会作为发起者发出安全提议列表;
set security ike gateway ike-maJuQiao-gateway ike-policy ike-maJuQiao-policy
set security ike gateway ike-maJuQiao-gateway address 36.110.XX.XX -------对端网关
set security ike gateway ike-maJuQiao-gateway external-interface vlan.2 -------出接口
补充远端网关:它负责进行解密/认证,并把数据发往目的地
阶段二:
//ipsec proposal
set security ipsec proposal vpn-Qiao-proposal protocol esp
set security ipsec proposal vpn-Qiao-proposal authentication-algorithm hmac-sha1-96
set security ipsec proposal vpn-Qiao-proposal encryption-algorithm aes-128-cbc
//ipsec(AH/ESP,ESP能认证加密)ESP认证算法是hmac-sha1-96 加密算法是aes-128-cbc
set security ipsec policy vpn-Qiao-policy perfect-forward-secrecy keys group2 ---如果使用PFS(完善的转发机密),每个阶段2协商中,会进行新的Diffie-Hellman交换,确保密钥不依赖以前的任何密钥
set security ipsec policy vpn-Qiao-policy proposals vpn-Qiao-proposal
//绑定隧道
set security ipsec vpn ipsec-Qiao bind-interface st0.3 --------FW的st接口
set security ipsec vpn ipsec-Qiao ike gateway ike-maJuQiao-gateway
set security ipsec vpn ipsec-Qiao ike ipsec-policy vpn-Qiao-policy
set security ipsec vpn ipsec-Qiao establish-tunnels immediately
阶段三
配置双向安全策略:
set security policies from-zone vpn-Qiao to-zone trust policy vpn-shunyi-trust match source-address any
set security policies from-zone vpn-Qiao to-zone trust policy vpn-shunyi-trust match destination-address any
set security policies from-zone vpn-Qiao to-zone trust policy vpn-shunyi-trust match application any
set security policies from-zone vpn-Qiao to-zone trust policy vpn-shunyi-trust then permit
set security policies from-zone trust to-zone vpn-Qiao policy vpn-trust-shunyi match source-address any
set security policies from-zone trust to-zone vpn-Qiao policy vpn-trust-shunyi match destination-address any
set security policies from-zone trust to-zone vpn-Qiao policy vpn-trust-shunyi match application any
set security policies from-zone trust to-zone vpn-Qiao policy vpn-trust-shunyi then permit
配置路由:
set routing-options static route 192.168.120.0/24 next-hop st0.3 --------FW的st接口