Juniper-SRX1400-产品配置维护手册

JuniperSRX1400

产品配置维护培训

目录一、SRX1400产品介绍二、JUNOS基本命令介绍三、SRX1400配置介绍及演示四、SRX1400日常维护

目录一、SRX1400产品介绍二、JUNOS基本命令介绍三、SRX1400配置介绍及演示四、SRX1400日常维护SRX1400机箱式设计(3U)4个插槽最大1块IOC;1块NSPC;1块RE;1块SYSIOC(GEorXGE)固定接口(SYSIOC)GE型号6-10/100/1000,6SFPXGE型号6-10/100/1000,3SFP,3SFP+模块化接口16-10/100/1000;16-SFP;2-XFP多核架构2电源冗余(1+1)性能防火墙吞吐率(大包)–

10Gbps并发连接数–1.5Million*最少需配1NSPC或1SPC+1NPCSRX1400CardsNetworkProcessingCard(NPC)SingleNetworkProcessor(NP)subsystem-10GigthroughputServicesProcessingCard(SPC)SingleHD-CPUsubsystem/10GigthroughputNetworkServicesProcessingCard(NSPC)1GHz,4GBmemory/CPU/10GigthroughputRoutingEngine(RE)1.2Ghzprocessor/w1GBmemoryCompleteseparationofcontrol/dataplanesIncludesCPP(centralPFEcontroller)andCB(controlboard)I/OCards(IOC)3versionsatFRS:2-port10GE-XFP(SR,LR,ER)16-portGE-SFP(SX,LX,LH,T)16-port10/100/1000Copper10Gigfull-duplexthroughput(oversubscribed)

目录一、SRX1400产品介绍二、JUNOS基本命令介绍(演示)三、SRX1400配置介绍及演示四、SRX1400组网讨论内容JUNOS基础知识基本命令介绍基本配置操作模式shell模式$用户模式>配置模式#cli/exitstartshellconfigure/editexit配置模式配置模式提示符号是

“#“

在>模式下键入config进入配置模式#提示符还由用户名和主机名共同组成如:user@host#配置模式你编辑的配置文件叫candidate配置文件配置修改不是马上生效，必须通过commit命令提交之后才生效commit提交之后,candidate配置变成active配置文件，然后新的candidate会被再次创建基本命令-show使用show

命令来查看candidate配置文件在哪一层就显示哪一层的配置在最外层就显示所有配置可以在最外层直接指定需要显示的层次#showsystem#showinterfaces#showinterfacesfxp1#showrouting-options#showprotocolsset命令使用set

增加或者改变配置set

参数有些是增加，有些是覆盖#setsystemhost-nameDenver覆盖#setinterfacefxp0unit0familyinetaddress/24增加#setrouting-optionsrouter-id覆盖set用法有两种：(1)一种是用edit进入参数层进行修改(2)一种是在最外层直接写完所有层次参数如下面的例子：set命令方法一：ab@SRX#editsystem[editsystem]lab@SRX#editlogin[editsystemlogin]lab@SRX#edituserlab[editsystemloginuserlab]lab@SRX#setuid2002[editsystemloginuserlab]lab@SRX#方法一配置繁琐，但是简单明了不容易出错，适合入门者使用方法二：setsystemloginuserlabuid2002方法二操作简单，命令输入量少，并且可以直接粘贴，适合熟练者使用基本命令-commit使用commit

命令来使修改后的内容生效commit-检查配置语法并且激活修改后的内容commitcheck-仅仅进行语法检查，不真正激活配置commitand-quit–

如果提交成功就退出commitconfirmed–nextpage…

基本命令-rollback使用rollback

命令来恢复commit以前的配置rollback只是将配置恢复到Candidat配置erollback

或者rollback0

恢复上次commit之前的配置rollback1

上两次commit之前的配置总共可以恢复49份配置，rollback后面可以0-49rollback?可以显示每次commit的时间，确定恢复那份配置runfileshow/config/juniper.conf.n.gzn为1-3，可以查看需要恢复配置的内容，对应于rollback1-3runfileshow/config/juniper.conf.gz对应rollback0runfileshow/var/db/config/juniper.conf.n.gzn为4-49，可以查看需要恢复配置的内容，对应于rollback4-49配置文件比较ShowdifferencesbetweencandidateconfigurationfileandActiveconfiguration“Rollback”configurationAnysavedconfigurationfile#show|comparerollbacknumber#show|comparefilenameConfigurationmodeonlyLikeUnixdiff加载配置文件ConfigurationinformationcancomefromanASCIIfilepreparedofflineSyntaxload(replace|merge|override)filename只改变candidate配置需要commit

来生效UsetheloadcommandtoOverride

覆盖已经存在的配置要覆盖整个配置，使用override选项merge

新的配置语句合并到已经存在的配置文件中replace

用新的配置替代已经存在的配置JUNOSSoftwareVersion?CLIcommandstodisplayinstalledpackagesshowversion

目录一、SRX1400产品介绍二、JUNOS基本命令介绍三、SRX1400配置介绍及演示

Zone

SecurityPolicies

NetworkAddressTranslationHighAvailabilityClustering

四、SRX1400日常维护ZonesJuniperNetworksDeviceRoutingInstance1RoutingInstance2RoutingInstanceF.T.F.T.ForwardingTableZoneAZoneBZoneCZoneDZonesInterfacesInterfaces、zones、routinginstances之间的关系示意图ZoneTypesZoneTypesUser-Defined

(canbeconfigured)System-Defined

(cannotbeconfigured)SecurityFunctionaljunos-globalNullZoneConfigurationProcedureSteps:DefineasecurityorafunctionalzoneAddlogicalinterfacestothezoneOptionally,addservicesandprotocolsthatmustbepermittedintotheservicesgatewaythroughtheinterfacebelongingtothezoneIfthisstepisomitted,notrafficdestinedfortheservicesgatewayispermittedSecurityPoliciesSecurityPolicyDefinedWhatisasecuritypolicy?定义策略组合用于SRX，使其能根据策略来决定zone之间的数据传输WhatshouldIdoifapacketcomesinmatching

CriterionA?TransitTrafficExaminationSRX设备会根据securitypolicies来判断数据传输的转发

Doesasecuritypolicymatchthetraffic?ApplydefaultpolicynoPacketinApplypolicyactions

yesDefaultSecurityPoliciesSystem-defaultsecuritypolicy:denyalltrafficthroughtheSRX-seriesservicesgatewayYoucanchangethedefaultpolicytopermitalltrafficFactory-defaultconfigurationhasthreesecuritypolicies:Trusttotrust:permitallTrusttountrust:permitallUntrusttotrust:denyallX123System-defaultsecurity

policiesbehaviorDenyALLtransit

traffic

Factory-defaultsecurity

policiesbehaviortrustzone

untrust

zonePolicyComponentsSummaryfrom-zoneandto-zonecontextMatchingcriteriaMatchingcriteriaActionAction[editsecuritypolicies]from-zonezone-nameto-zonezone-name

{policyname1

{match{source-addressaddress-name1;destination-addressaddress-name1;applicationapplication-name1;}then{<action>;}}policyname2

{match{source-addressaddress-name2;destination-addressaddress-name2;applicationapplication-name2;}then{<action>;}}…}HighAvailabilityClusteringHighAvailabilityCharacteristicsOverviewHAprovides:Active-passivecontrolanddataplaneredundancyStatefulsessionfailover:NATALGIPsecAuthenticationSynchronization:ConfigurationSessionstateChassisclusterChassisClusterComponentsOverviewChassisclustercomponents:Clusteredservicesgatewaysaregroupedbya

cluster-ididNodeswithinaclusterareidentifiedbyanode

idRedundancygroupsChassisclusterinterfaces:fxp1fxp0fabrethcluster-idDetailsSetusingcluster-idid

cluster-idvaluesrangefrom1–15AroutercanbelongtoonlyoneclusteratanygiventimeIfcluster-id=0,HAconfigurationisignoredServicesgatewaywithinaclusterissetbyanodeidChangeincluster-ididandnode

idrequiresservicesgatewayreboot:user@host#setchassisclustercluster-id1node0

warning:Arebootisrequiredforchassisclustertobeenablednode

id

Detailsnode

iduniquelyidentifiestheservicesgatewaywithinaclusterRangesfrom0–1DeterminesoffsetoftheFPCslotvalueintheinterfacenameofaservicesgatewayuser@host>setchassisclustercluster-ididnodeidreboot

Successfullyenabledchassiscluster.Goingtorebootnow...ChassisClusterInterfaces—rethRedundantinterfacecharacteristics:Anewethernetpseudo-interface,calledrethBundlestwophysicalinterfaces(children),onefromeachmemberoftheclusterMemberinterfacesinheritpropertiesofreth,asconfiguredbytheuserMemberinterfacescanbeineitheractiveorpassivemode,butnotinbothThefailoverpropertiesofthememberinterfacesareinheritedfromtheRG-1configurationrethinterfacehasavirtualMACaddress BasedonclusterandinterfaceIDChassisClusterInterfaces—fxp0fxp0interfaceUsedforout-of-bandmanagementAllowsaccesstoeachnodeofaclusterItisgoodpracticeforeachnodetohaveauniqueIPaddressforfxp0interfacerequiresgroupsconfigurationChassisClusterInterfaces—fxp1fxp1interfaceConfiguredSPCportsusedforchassisclustercontrolplanege-0/0/10andge-0/0/11onSYSIOCJUNOSsoftwareassignsaninternalIPaddresstofxp1TrivialNetworkProtocolrunsontheinterfaceJUNOSsoftwaretransmitsheartbeatsignalstodeterminethehealthofthecontrollink—ifthenumberofmissedheartbeatsreachestheconfiguredthreshold,thesystemfailsoverIffxp1fails,JUNOSsoftwaredisablesthesecondarynodeNodeconfigurationfilesareautomaticallysynchronizedoverfxp1ChassisClusterInterfaces—fabfabn=2GigabitEthernetor10GigabitEthernet,usedforHAdataplaneFabricinterfaceisformedn

reflectsthenodeIDandstartsfrom0TwonodesofaclustermusthavefabnonthesameLANfabinterfacespecifics:interfacedoesnotsupportfilters,policies,logicalinterfaces,orservicesMemberinterfacesmustbeofthesametypeJumboframesaresupportedFragmentationisnotsupportedChassisClusterInterfaceSummaryfabnNode0Node1Clusterfxp1fxp0fxp0rethmrethmControlplaneDataplaneManagementManagementRedundantinterfacesa.b.c/24MonitoringClusterStatisticsuser@node0-host>showchassisclusterstatistics

Initialhold:10

RethInformation:rethstatusredundancy-groupreth0downnotconfiguredreth1up1ServicesSynchronized:Service-nameRtos-sentRtos-receivedTranslationContext00IncomingNAT00ResourceManager50Session-create00Session-close00Session-change00Gate-create00Session-Ageout-refresh-request00Session-Ageout-refresh-reply00VPN00FirewallUserAuthentication00MGCPAlg00...InterfaceMonitoring:InterfaceWeightStatusRedundancy-groupge-12/0/0100up1ge-0/0/0100up1chassis-clusterinterfaces:Controllink:up6606heartbeatssent13729heartbeatsreceived1200msinterval5thresholdchassis-clusterinterfaces:Fabriclink:up15505heartbeatpacketssentonfabric-linkinterface13728heartbeatpacketsreceivedonfabric-linkinterfaceManualFailoveruser@node0-host>showchassisclusterstatusredundancy-group1

Cluster:1,Redundancy-Group:1DevicenamePriorityStatusPreemptManualfailovernode0200PrimaryNoNonode1100SecondaryNoNo

user@node0-host>requestchassisclusterfailoverredundancy-group1node1node1:Initiatedmanualfailoverforredundancygroup1user@node0-host>showchassisclusterstatusredundancy-group1

Cluster:1,Redundancy-Group:1DevicenamePriorityStatusPreemptManualfailovernode0200SecondaryNoYesnode1255PrimaryNoYesVerifystatus:Initiatefailover:

目录一、SRX1400产品介绍二、JUNOS基本命令介绍三、SRX1400配置介绍及演示四、SRX1400日常维护使用故障检查资源冷却系统故障检查日常性能检查应急预案

CLI命令行

使用故障检查资源

对于SRX的硬件、软件、路由协议、网络连接性的控制和故障检查、，JUNOS的CLI命令行是主要的使用工具。CLI命令行可以显示路由表信息，路由协议的信息，使用ping和traceroute工具体现的网络连接信息。可以通过连接路由引擎上的CONSOLE、ETHERNET、AUX口进入CLI命令行接口。关于使用CLI显示端口和机箱产生的告警信息，请参阅“硬件和端口告警信息”。

LED下面描述的LED位于各个组件上，用于显示各个组件的状态。CraftInterfaceLED：SRX1400前面板由一个Craft面板指示系统状态，Craft面板上包括路由引擎状态指示灯，电源状态指示灯，风扇状态指示灯和告警指示灯等等ComponentLED：SRX1400的各个系统组件还有自己单独的状态指示灯，比如IOC上的每个端口都有一个LED指示端口状态

使用故障检查资源

硬件和端口告警信息当路由引擎检测到一个告警的时候，会将前面板上相应的红色或者黄色的告警LED点亮。可以在命令行中使用showchassisalarms显示详细的告警描述。uer@host>showchassisalarms这里将描述两类告警消息：机箱告警（Chassisalarms）——指示机箱组件的告警信息，例如冷却系统或者电源系统，详情请查阅下面的表格。端口告警（Interfacealarms）——指示某个端口的问题，详情请查阅下面的表格。下面的两个表格中的信息为使用命令showchassisalarms输出的结果。表格3‑6：机箱告警消息

使用故障检查资源冷却系统故障检查冷却系统故障检查冷却系统包含安装在机箱侧面的风扇盘来保证SRX工作在一个可以接受的温度环境下。要检查风扇盘，执行下面的步骤：通过CLI命令行检查电源模块状态。通过下面的命令，观察输出的Status域的状态：root@FW02>showchassisenvironmentClassItemStatusMeasurementFansLeftFan1OKSpinningatnormalspeedLeftFan2OKSpinningatnormalspeedLeftFan3OKSpinningatnormalspeedLeftFan4OKSpinningatnormalspeed...如果有风扇盘发生故障，可以通过观察判断出哪一个风扇除了问题。然后再处理。日常性能检查

监控RECPU利用率SRX1400的路由引擎主要工作是维护路由协议和路由表root@FW02>showchassisrouting-engineroot@FW02>showchassisrouting-enginenode0:RoutingEnginestatus:Slot0:CurrentstateMasterElectionpriorityMaster(default)DRAM1023MBMemoryutilization29percentCPUutilization:User2percentBackground0percentKernel8percentInterrupt2percentIdle88percentModelRE-SRX1400Starttime2010-01-1922:15:50CSTUptime7days,16hours,45minutes,20secondsLastrebootreason0x1:powercycle/failureLoadaverages:1minute5minute15minute0.010.050.07

日常性能检查

监控SPU利用率由于SRX1400的会话查找，维护都是SPC负责的，因此需要监控SPC板卡的利用率。正常工作状态下，SPC的CPU利用率应该在60%以下，如出现CPU利用率过高情况需给予足够重视，应检查Session使用情况和各类告警信息，并检查网络中是否存在攻击流量。SRX防火墙对内存采用“预分配”机制，空载时内存使用率为约50-70%，随着流量不断增长，内存的使用率应基本保持稳定。如果出现内存使用率高达90％时，则需检查网络中是否存在攻击流量。root@FW02>showsecuritymonitoringfpc6#”6”是SPC所在的槽位编号node0:FPC6PIC0CPUutilization:13%（SPC的CPU利用率）

Memoryutilization:64%（SPC的内存利用率）

Currentflowsession:73155Maxflowsession:524288CurrentCPsession:461767MaxCPsession:2359296node1:日常性能检查

监控并发会话数root@FW02>showsecuritymonitoringfpc6#”6”是SPC所在的槽位编号root@FW02>showsecuritymonitoringfpc6node0:FPC6PIC0CPUutilization:13%Memoryutilization:64%Currentflowsession:73155Maxflowsession:524288CurrentCPsession:461767

（当前并发为461767）

MaxCPsession:2359296日常性能检查

监控双机状态正常情况（优先级为1-255，数值高则优先级高）root@FW02>showchassisclusterstatusClusterID:1NodePriorityStatusPreemptManualfailoverRedundancygroup:0,Failovercount:3node0254primarynoyesnode1100secondarynoyesRedundancygroup:1,Failovercount:3node0254primarynononode1100secondarynono日常性能检查

切换双机状态方法一：CLI方式root@FW02>requestchassisclusterfailovernode1redundancy-group1(将nod1