juniper路由器开局指导书

1、彩信中心彩信中心 J6350 开局指导书开局指导书 V1.0JuniperJuniper Networks.Networks.20082008 年年 9 9 月月Juniper Networks 2目录目录1.网络结构说明网络结构说明.32.安装步骤安装步骤.52.1.硬件安装.52.2.端口连接表.52.3.IP 地址分配表 .53.配置步骤配置步骤.73.1.system 基本配置.83.2.路由器之间互联配置.113.3.与 ENI 互联配置.123.4.防火墙内部互联配置.143.4.1.VRRP 配置(第 1 台).143.4.2.VRRP 配置(第 2 台).163.4.3.VRR

2、P 检查 .173.4.4.访问路由配置.193.4.5.路由检查.203.5.其它配置.213.5.1.SNMP 配置.213.5.2.时间配置.233.5.3.设置管理地址.244.测试方案测试方案.254.1.1.联通性测试.254.1.2.防火墙 VRRP 测试 .255.配置文件配置文件.275.1.J6350-1 配置：.275.2.J6350-2 配置：.28Juniper Networks 31. 网络结构说明网络结构说明 在本次彩信中心项目中，可能部分节点会利用到两台 Juniper 的 J6350 路由器来与电信ENI 进行连接。 J6350 内部连接中兴 T40G 局域网

3、交换机的 VLAN 20 端口，采用 VRRP 的方式。与ENI 连接是在防火墙上采用 NAT 地址转换实现，将内部服务器映射成 ENI 的地址。 下图是项目例子，本文档所有配置均是基于安装规范表以及以下结构图来进行。在实际项目中需要更改的只是 IP 地址。涉及到 J6350 的工作如下：(1) 向电信申请 ENI 互联地址，掩码是 48。地址划分根据安装规范表的建议来进行。(2) 向移动公司申请 ENI 的 NAT 地址转换 IP，掩码是 48。Juniper Networks 4VLAN 30VLAN 30J6350-1J6350-2防火

4、墙-2防火墙-1ENI中兴T40G-1中兴T40G-/30/302/294(VIP)3/294(VIP)(VIP)业务地址/24 Juniper Networks 52. 安装步骤安装步骤2.1.硬件安装硬件安装 在加电之前先调整板卡，将 E1 卡安装在第 1 槽，如下图： 2.2.端口连接表端口连接表序号本端设备端口号对端设备对端端口说明1J6350-1ge-0/0/0到内部中兴 T40G12J6350-1ge-0/0/1到

5、 ENI 路由器 13J6350-1ge-0/0/2J6350-2电口 15J6350-2ge-0/0/0到内部中兴 T40G16J6350-2ge-0/0/1到 ENI 路由器 17J6350-2ge-0/0/2J6350-1电口 1 2.3.IP 地址分配表地址分配表 序号本端设备端口号IP 地址说明1J6350-1ge-0/0/02/29VIP 4，防火Juniper Networks 6墙 VIP 是 2J6350-1ge-0/0/1/30由电信分配3J6350-1ge-0/0/21.1.1.

6、1/305J6350-2ge-0/0/03/29VIP 4，防火墙 VIP 是 6J6350-2ge-0/0/1/30由电信分配7J6350-2ge-0/0//30Juniper Networks 73. 配置步骤配置步骤利用超级终端接入路由器的 console，超级终端设置如下： 路由器在第一次加电，通过 console 进入系统，输入 root 用户，在密码提示的时候直接回车进入系统(root 的初始化密码为空)：J6350-01 (ttyd0)login: rootPasswor

7、d:第一次进入路由器，是进入 shell 模式，提示符是%,输入 cli 进入 CLI 用户模式：- JUNOS 8.0R2.8 built 2006-09-29 09:22:36 UTCroot% root% cliroot输入 config 进入配置模式：root configure Entering configuration modeeditroot# Juniper Networks 8按照下面步骤利用 set 命令进行配置，每次 set 之后使用 commit 命令进行提交： 3.1.system 基本配置基本配置第第 1 1 台主用台主用 J6350J6350 配置：配置：1 设

8、置设置 root 密码密码rootJ6350-01# set system root-authentication plain-text-password New password:Retype new password:editrootJ6350-01#rootJ6350-01# commit commit completeeditrootJ6350-01#2 设置主机名设置主机名rootJ6350-01# set system host-name J6350-01 editrootJ6350-01# commit commit completeeditrootJ6350-01#3 设置用户

9、和密码设置用户和密码rootJ6350-01# set system login user zte uid 2001 editrootJ6350-01# set system login user zte class super-user editrootJ6350-01# set system login user zte authentication plain-text-password New password:Retype new password:editJuniper Networks 9rootJ6350-01# commit commit completeeditrootJ6

10、350-01#4 设置设置 telnet 和和 ftp 服务服务rootJ6350-01# set system services telnet editrootJ6350-01# set system services ftp editrootJ6350-01# commit commit completeeditrootJ6350-01#5 设置设置 syslog 服务器服务器rootJ6350-01# set system syslog host any warning edit rootJ6350-01# set system syslog file mess

11、age any notice editrootJ6350-01# set system syslog file mess authorization info editrootJ6350-01# set system syslog file interactive-commands interactive-commands any editrootJ6350-01#editrootJ6350-01# commit commit completerootJ6350-01# show system host-name J6350-01;root-authentication encrypted-p

12、assword $1$RO6Fzf8O$ZDwwBh6qLopK4BKnxR/HN/; # SECRET-DATAlogin Juniper Networks 10 user zte uid 2001; class super-user; authentication encrypted-password $1$XU.MK6GQ$NnjAJYU0If1woC.jdxfON.; # SECRET-DATA services ftp; telnet;syslog user * any emergency; host any warning; file message an

13、y notice; file mess authorization info; file interactive-commands interactive-commands any; Juniper Networks 11editrootJ6350-01#第第 2 2 台备用台备用 J6350J6350 配置：配置：与第 1 台主用 J6350 配置方法一样。3.2.路由器之间互联配置路由器之间互联配置第第 1 1 台主用台主用 J6350J6350 配置：配置： rootJ6350-01# set interfaces ge-0/0/2 description TO-J6350-02 edi

14、trootJ6350-01# set interfaces ge-0/0/2 unit 0 family inet address /30 editrootJ6350-01# commit commit completeeditrootJ6350-01#rootJ6350-01# show interfaces ge-0/0/2 description TO-J6350-02;unit 0 family inet address /30; editrootJ6350-01#Juniper Networks 12第第 2 2 台备用台备用 J6350J6350 配置：

15、配置： rootJ6350-02# set interfaces ge-0/0/2 description TO-J6350-01 editrootJ6350-02# set interfaces ge-0/0/2 unit 0 family inet address /30 editrootJ6350-02# commit commit completeeditrootJ6350-02# rootJ6350-02# show interfaces ge-0/0/3 description TO-J6350-02;unit 0 family inet address 1.1.1.

16、2/30; editrootJ6350-02#3.3.与与 ENI 互联配置互联配置第第 1 1 台主用台主用 J6350J6350 配置：配置： rootJ6350-01# set interfaces ge-0/0/1 description TO-ENI editrootJ6350-01# set interfaces ge-0/0/1 unit 0 family inet address /30 Juniper Networks 13editrootJ6350-01# commit commit completeeditrootJ6350-01#rootJ6350

17、-01# show interfaces ge-0/0/1 description TO-J6350-02;unit 0 family inet address /30; editrootJ6350-01#第第 2 2 台备用台备用 J6350J6350 配置：配置： rootJ6350-02# set interfaces ge-0/0/1 description TO-ENI-02 editrootJ6350-02# set interfaces ge-0/0/1 unit 0 family inet address /30 editrootJ6350-

18、02# commit commit completeeditrootJ6350-02# rootJ6350-02# show interfaces ge-0/0/1 description TO-J6350-02;unit 0 family inet address /30;Juniper Networks 14 editrootJ6350-02#3.4.防火墙内部互联配置防火墙内部互联配置3.4.1. VRRP 配置配置(第第 1 台台)rootJ6350-01# set interfaces ge-0/0/0 description TO-LAN-SWITCH-01

19、editrootJ6350-01# set interfaces ge-0/0/0 link-mode full-duplex editrootJ6350-01# set interfaces ge-0/0/0 speed 100m editrootJ6350-01#set interfaces ge-0/0/0 unit 0 family inet address 2/29editrootJ6350-01# set interfaces ge-0/0/0 unit 0 family inet address 2/29 vrrp-group 0e

20、dit interfaces ge-0/0/0 unit 0 family inet address 2/29 vrrp-group 0rootJ6350-01# set virtual-address edit interfaces ge-0/0/0 unit 0 family inet address 2/29 vrrp-group 0rootJ6350-01# set priority 120 edit interfaces ge-0/0/0 unit 0 family inet address 192.168.2

21、0.12/29 vrrp-group 0rootJ6350-01# set preempt hold-time 30 edit interfaces ge-0/0/0 unit 0 family inet address 2/29 vrrp-group 0rootJ6350-01# set accept-data Juniper Networks 15edit interfaces ge-0/0/0 unit 0 family inet address 2/29 vrrp-group 0rootJ6350-01# top editrootJ635

22、0-01# commit commit completeeditrootJ6350-01#rootJ6350-01# show interfaces ge-0/0/0 description TO-LAN-SWITCH-01;speed 100m;link-mode full-duplex;unit 0 family inet address 2/29 vrrp-group 0 virtual-address 4; priority 120; preempt hold-time 30; accept-data; editrootJ6350-01#

23、Juniper Networks 163.4.2. VRRP 配置配置(第第 2 台台)rootJ6350-01# set interfaces ge-0/0/0 description TO-LAN-SWITCH-02 editrootJ6350-01# set interfaces ge-0/0/0 link-mode full-duplex editrootJ6350-01# set interfaces ge-0/0/0 speed 100m editrootJ6350-02# set interfaces ge-0/0/0 unit 0 family inet address 192

24、.168.20.13/29 editrootJ6350-02# edit interfaces ge-0/0/0 unit 0 family inet address 3/29 vrrp-group 0 edit interfaces ge-0/0/0 unit 0 family inet address 3/29 vrrp-group 0rootJ6350-02# set virtual-address 4 edit interfaces ge-0/0/0 unit 0 family inet address 192.1

25、68.20.13/29 vrrp-group 0rootJ6350-02# set priority 100 edit interfaces ge-0/0/0 unit 0 family inet address 3/29 vrrp-group 0rootJ6350-02# set accept-data edit interfaces ge-0/0/0 unit 0 family inet address 3/29 vrrp-group 0rootJ6350-02# top editrootJ6350-02# commit commit com

26、pleteeditrootJ6350-02#editrootJ6350-02# show interfaces ge-0/0/0 unit 0 family inet address 3/29 Juniper Networks 17 vrrp-group 0 virtual-address 4; priority 100; accept-data; edit3.4.3. VRRP 检查检查第第 1 1 台检查：台检查：editrootJ6350-01# exit Exiting configuration moderootJ6350-01 sho

27、w vrrp Interface Unit Group Type Address Int state VR state Timerge-0/0/2 0 0 lcl 2 up master A 0.110 vip 4rootJ6350-01rootJ6350-01 ping 3 rapid 另外一台 J6350 地址PING 3 (3): 56 data bytes!- 3 ping statistics -5 packets transmitted,

28、5 packets received, 0% packet lossround-trip min/avg/max/stddev = 6.008/9.212/10.175/1.608 msrootJ6350-01rootJ6350-01 ping rapid 防火墙地址PING (): 56 data bytes!Juniper Networks 18- ping statistics -5 packets transmitted, 5 packets received, 0% packet los

29、sround-trip min/avg/max/stddev = 6.801/9.243/10.067/1.234 msrootJ6350-01第第 2 2 台检查：台检查：editzteJ6350-02# exit Exiting configuration modezteJ6350-02 show vrrp Interface Unit Group Type Address Int state VR state Timerge-0/0/2 0 0 lcl 3 up backup D 0.348 vip 4 mas 2z

30、teJ6350-02zteJ6350-02 ping 2 rapid另外一台 J6350 地址PING 2 (2): 56 data bytes!- 2 ping statistics -5 packets transmitted, 5 packets received, 0% packet lossround-trip min/avg/max/stddev = 3.332/10.538/20.111/5.395 mszteJ6350-02 ping 3 rapid 本机地址

31、PING 3 (3): 56 data bytes!- 3 ping statistics -5 packets transmitted, 5 packets received, 0% packet lossround-trip min/avg/max/stddev = 0.016/0.107/0.413/0.154 mszteJ6350-02 ping 4 rapid 浮动 VIP 地址PING 4 (4): 56 data bytes!- 192.

32、168.20.14 ping statistics -5 packets transmitted, 5 packets received, 0% packet lossround-trip min/avg/max/stddev = 9.544/15.190/29.725/7.715 mszteJ6350-02 ping rapid 防火墙地址Juniper Networks 19PING (): 56 data bytes!- ping statistics -5 packets transmit

33、ted, 5 packets received, 0% packet lossround-trip min/avg/max/stddev = 5.930/8.885/9.996/1.490 mszteJ6350-02切换测试方法：切换测试方法：(1) 拔掉第一台主用 J6350 连接局域网交换机的网线，VRRP 会切换。利用上面的检查方法会发现第 2 台变成了 Mster，第 1 台是 down 和 init 状态。(2) 把第 1 台主用 J6350 的网线接起来，那么在恢复正常 30 秒钟之后，第一台会自动变成 master，第二台会变成 backup 状态。3.4.4. 访问路由配置访问

34、路由配置第第 1 1 台设置：台设置：editrootJ6350-01# set routing-options static route 0/0 next-hop qualified-next-hop preference 10 editrootJ6350-01# commit commit completeeditrootJ6350-01# rootJ6350-01# show routing-options static route /0 next-hop ; qualified-next-hop 1.1.1

35、.2 preference 10; Juniper Networks 20edit第第 2 2 台设置：台设置：editrootJ6350-02# set routing-options static route 0/0 next-hop qualified-next-hop preference 10 editrootJ6350-02# commit commit completeeditrootJ6350-02#zteJ6350-02# show routing-options static route /0 next-hop 192

36、.168.20.9; qualified-next-hop preference 10; editzteJ6350-02#3.4.5. 路由检查路由检查第第 1 1 台检查：台检查：editrootJ6350-01# exit Exiting configuration modeJuniper Networks 21rootJ6350-01 show route inet.0: 12 destinations, 13 routes (12 active, 0 holddown, 0 hidden)+ = Active Route, - = Last Active, * = Bo

37、th/0 *Static/5 00:21:09 to via ge-0/0/2.0 Static/10 00:02:57 to via ge-0/0/3.0第第 2 2 台检查：台检查：editzteJ6350-02# exit Exiting configuration modezteJ6350-02 show route inet.0: 8 destinations, 9 routes (8 active, 0 holddown, 0 hidden)+ = Active Route, - = Last Active, * = Both0

38、.0.0.0/0 *Static/5 00:13:46 to via ge-0/0/2.0 Static/10 00:01:05 to via ge-0/0/3.03.5.其它配置其它配置3.5.1. SNMP 配置配置rootJ6350-01# set snmp community zte-public authorization read-only editrootJ6350-01# set snmp community zte-public clients editrootJ6350-01# set snmp commun

39、ity zte-private authorization read-write editrootJ6350-01# set snmp community zte-private clients Juniper Networks 22editrootJ6350-01# set snmp trap-group snmptrap categories authentication editrootJ6350-01# set snmp trap-group snmptrap categories chassis editrootJ6350-01# set snmp trap

40、-group snmptrap categories link editrootJ6350-01# set snmp trap-group snmptrap categories startup editrootJ6350-01# set snmp trap-group snmptrap targets editrootJ6350-01#rootJ6350-01# commit commit completeeditrootJ6350-01#rootJ6350-01# show snmp community zte-public authorization read-

41、only; clients /32; community zte-private authorization read-write; clients /32; trap-group snmptrap categories Juniper Networks 23 authentication; chassis; link; startup; targets ; editrootJ6350-01#3.5.2. 时间配置时间配置zteJ6350-01# set system time-zone Asia/Shanghai edi

42、tzteJ6350-01# commit commit completeeditzteJ6350-01#zteJ6350-01# exit Exiting configuration modezteJ6350-01 set date 200708081407.00 Wed Aug 8 14:07:00 CST 2007zteJ6350-01zteJ6350-01set date ntp zteJ6350-01set date ntp source-address 47Juniper Networks 243.5.3. 设

43、置管理地址设置管理地址第第 1 台主用路由器设置：台主用路由器设置：editzteJ6350-01# set interfaces fxp0 unit 0 family inet address /24 editzteJ6350-01# commit commit completeeditzteJ6350-01# editzteJ6350-01#第第 2 台主用路由器设置：台主用路由器设置：editzteJ6350-02# set interfaces fxp0 unit 0 family inet address /24 editzteJ635

44、0-02# commit commit completeeditzteJ6350-02#Juniper Networks 254.测试方案测试方案4.1.1. 联通性测试联通性测试序号检查内容检查命令正确结果实际结果1路由器之间连通性ping ping 在两台路由器上都能 ping 通2ENI 联通性ping x.x.x.xx.x.x.x 为 ENI 地址在两台路由器上都能 ping 通3防火墙联通性ping 在两台路由器上都能 ping 通4.1.2. 防火墙防火墙 VRRP 测试测试序号检查内容检查命令正确结果实际结果1VRRP 状态检查

45、show vrrp第 1 台路由器为主用，第 2 台路由器为备用2断开第 1 台路由器连接中兴T40G 的网线show vrrp第 2 台路由器为主用，第 1 台路由器状态为 down/init3网络正常性检查ping 能 ping 通防火墙内部地址4业务访问内部服务器访问BOSS 和短信中心服务器访问正常5恢复第 1 台路由器连接中兴T40G 的网线show vrrp30 秒钟之后第 1 台路由器恢复为主用，第 2 台路由器为备用6断开第 2 台路由器连接中兴show vrrp第 1 台路由器为主用，第 2 台路由器状态为 down/initJuniper Netwo

46、rks 26T40G 的网线7网络正常性检查ping 能 ping 通防火墙内部地址8业务访问内部服务器访问BOSS 和短信中心服务器访问正常 Juniper Networks 275. 配置文件配置文件.J6350-1配置：配置：zteJ6350-01 show configuration | display set |no-more set version 8.0R2.8set system host-name J6350-01set system time-zone Asia/Shanghaiset system root-authenticatio

47、n encrypted-password $1$RO6Fzf8O$ZDwwBh6qLopK4BKnxR/HN/set system login user zte uid 2001set system login user zte class super-userset system login user zte authentication encrypted-password $1$SMfNY4H7$HOF9cxb3D116lEo8TGm5p0set system services ftpset system services telnetset system syslog user * a

48、ny emergencyset system syslog host any warningset system syslog file message any noticeset system syslog file mess authorization infoset system syslog file interactive-commands interactive-commands any set interfaces ge-0/0/0 description TO-LAN-SWITCH-01set interfaces ge-0/0/0 unit 0 fa

49、mily inet address 2/29 vrrp-group 0 priority 120 set interfaces ge-0/0/0 unit 0 family inet address 2/29 vrrp-group 0 preempt hold-time 30set interfaces ge-0/0/0 unit 0 family inet address 2/29 vrrp-group 0 accept-dataset interfaces ge-0/0/1 speed 100mset interfac

50、es ge-0/0/1 link-mode full-duplexset interfaces ge-0/0/1 unit 0 family inet address /30 set interfaces ge-0/0/1 description TO-EIN-ROUTER-01Juniper Networks 28set interfaces ge-0/0/2 speed 100mset interfaces ge-0/0/2 link-mode full-duplexset interfaces ge-0/0/2 description TO-J6350-02set

51、interfaces ge-0/0/2 unit 0 family inet address /30 set snmp community zte-public authorization read-onlyset snmp community zte-public clients /32set snmp community zte-private authorization read-writeset snmp community zte-private clients /32set snmp trap-group snmptra

52、p categories authenticationset snmp trap-group snmptrap categories chassisset snmp trap-group snmptrap categories linkset snmp trap-group snmptrap categories startupset snmp trap-group snmptrap targets set routing-options static route /0 next-hop set routing-options static route /0 qualified-next-hop preference 10set routing-options static route /24 next-hop set routing-options static route /24 qualified-next-hop preference 10set routing-options static route /24 next-hop set routing-op