Juniper路由器配置操作手册

Juniper路由器配置操作手册

ziJuniperOS4.2R1.3路由器配置操作手册

1系统配置(2)

1.1系统信息基本配置(2)

1.2系统用户信息(2)

1.3系统服务配置(3)

2端口配置(4)

2.1juniper■端口介绍(4)

2.2端口配置(4)

3SNMP配置(6)

4Routing-options酉己置(7)

4.1静态路由配置(7)

4.2route-id&as(7)

4.3bgp聚合配置⑺

5Routeprotocal配置(8)

5.10spf配置⑻

5.2Bgp配置(9)

6Policy配置(9)

7Firewall配置(12)

8Juniper与Cisco互连端口参数调整(12)

9Juniper备份结构与Cisco不同(14)

9.Iconsoleroot登录(14)

9.2telnet登录(14)

Juniper所有配置，均在配置状态下进行。分为由console进入和

远程telnet进入。

由console进入JUNOS系统命令操作(由FreeBSD的简化系统)

%cli进入下面的用户操作

hostname>edit进入下面的用户配置

hostname#配置操作

由远程telnet直接进入用户操作

hostname>edit进入下面的用户配置

hostname#配置操作

1系统配置

1.1系统信息基本配置

#editsystem进入system配置菜单

#sethost-nameaxi580-a-hzl

#setdomain-name

#settime-zoneAsia/Shanghai

#setsystemroot-authenticationplain-text-password

（console登录，root口令缺省为空，虚设新口令）

Newpassword:******

Retypenewpassword:******

#show查看配置

#commit配置生效OR

#commitconfirmed配置生效测试，5分钟后系统自动会滚，恢

复原来配置。

1.2系统用户息

1.2.1用户组的配置

#setloginclasshighidle-timeout30permissionsall

“high"是组名;〃all”用户将拥有该router的全部权限。

#setloginclassmediumidle-timeout30permissionsclear

#setloginclassmediumidle-timeout30permissions

configure

#setloginclassmediumidle-timeout30permissions

interface-control

#setloginclassmediumidle-timeout30permissions

network

#setloginclassmediumidle-timeout30permissions

maintenance

"medium”具有多个权限：clearconfigureinterface-control

network

viewmaintenance0

#setloginclasslowidle-timeout30permissionsview

酉己置了high、medium,low三个权限组，将在用户配置时用到。

权限设置如下：

adminCanviewuseraccounts

admin-controlCanmodifyuseraccounts

allAllpermissionbitsturnedon

clearCanclearlearnednetworkinformation

configureCanenterconfigurationmode

controlCanmodifyanyconfigurationvalues

editCaneditfullfiles

fieldSpecialforfield(debug)support

firewallCanviewfirewallconfig

firewall-controlCanmodifyfirewallconfig

floppyCanreadandwritethefloppydrive

interfaceCanviewinterfaceconfig

interface-controlCanmodifyinterfaceconfig

maintenanceCanperformsystemmaintenance(aswheel)

networkCanaccessthenetwork

resetCanresetandrestartinterfacesandprocesses

rollbackCanrollbackfordepthgreaterthanzero

routingCanviewroutingconfig

routing-controlCanmodifyroutingconfig

secretCanviewsecretconfig

secret-controlCanmodifysecretconfig

shellCanstartalocalshell

snmpCanviewSNMPconfig

snmp-controlCanmodifySNMPconfig

systemCanviewsystemconfig

system-controlCanmodifysystemconfig

traceCanviewtracefilesettings

trace-controlCanmodifytracefilesettings

viewCanviewcurrentvaluesandstatistics

1.2.2用户配置

#setloginuseradminfull-namenewwork-adminuid2001

classhighplain-text-passwordNewpassword:******

Retypenewpassword:******

Username为admin;userid为2001;组为high

#setloginusermanagerfull-namenewwork-manageruid

2002classmidium

plain-text-password

Newpassword:******

Retypenewpassword:******

#setloginuserviewerfull-namenewwork-viweruid2003

classlowplain-text-passwordNewpassword:******

Retypenewpassword:******

#commit配置生效OR

#commitconfirmed配置生效测试，5分钟后系统自动会滚，恢

复原来配置。1.3系统服务配置

1.3.1telnet服务配置

#setsystemservicestelnet配置启用telnet服务OR

#setsystemservicestelnetconnection-limit5限制telnet的

最大连接数

#commit配置生效OR

#commitconfirmed配置生效测试，5分钟后系统自动会滚，恢

复原来配置。1.3.2syslog服务配置

#setsystemsysloguser*anyemergency

#setsystemsysloghost3anyany所有syslog信

息都写到远程主机

#setsystemsyslogfilemessagesanynotice所有notice,

authorization信息写在本地#setsystemsyslogfilemessages

authorizationinfo

1.3.3ntp服务配置

ntpclient配置

#setsystemntpserver7

ntpserver酉己置

#setsystemntpboot-server7此处只能写ip不能

为主机名

#commit配置生效OR

#commitconfirmed配置生效测试，5分钟后系统自动会滚，恢

复原来配置。

检查ntp状态

#runshowntpstatus

#runshowntpassociations

2端口配置

2.1juniper端口介绍

在juniper的配置中,所有端口皆为逻辑端口，在初始配置中没有

任何端口信息，如不能准确知道所要配置的端口名称，可用命令来确

认。

>showchassisfpcpic-statusOR

#runshowchassisfpcpic-status(example)

Slot1Online

PIC0lxOC-48SONET,SMSR为so-1/0/0

PIC1lxOC-48SONETZSMSR

PIC2lxOC-48SONET,SMSR为so-1/2/0

Slot6Online

PIC02xOC-3ATM,SMIR为at-6/0/0;at-6/0/1

PIC1lxG/E,1000BASE-SX为ge-6/1/0

PIC2lxG/E,1000BASE-SX

2.2端口配置

#editinterfaces

sonet端口配置

#setso-1/0/0unit0description"HZtoNB2.5GbSDH"

familyinetaddress/30#show检查配置

so-1/0/0{

descriptionHZtoNB2.5GbSDH;

unit0{

familyinet{

address/30;

)

)

)

atm端口配置

#setat-6/0/0clockingexternal

#setat-6/0/0atm-optionsvpi1maximum-vcs100

#setat-6/0/0atm-optionsvpi10maximum-vcs200

#setat-6/0/0unit0descriptionHuZhou-HangZhou-ATMvci

10.40familyinetaddress0/30

#setat-6/0/0unit1descriptionHuZhou-NingBo-ATMvci

1.51familyinetaddress50/30

vci号为pvc号

#show

at-6/0/0{

clockingexternal;

atm-options{

vpi1maximum-vcs100;

vpi10maximum-vcs200;

)

unit0{

descriptionHuZhou-HangZhou-ATM;

vci10.40;

familyinet{

address0/30;

)

)

unit1{

descriptionHuZhou-NingBo-ATM;

vci1.51;

familyinet{

address50/30;

)

)

)

ge端口配置

#setge-6/1/0unit0description"ToCatalysta6509gl/0,z

familyinetaddress

93/30

#show

ge-6/1/0{

unit0{

descriptionToCatalysta6509gl/0;

familyinet{

address93/30;

)

)

)

fe端口配置

#setfe-6/2/0unit0description"To2948gl/0/zfamilyinet

address

/24

#show

fe-6/2/0{

unit0{

descriptionTo29481/0;

familyinet{

address/24;

)

)

)

loopback配置

#setloOunit0familyinetaddressaddress81/32

#show

Io0{

unit0{

familyinet{

filter{

inputpopme;

}将firewall在该端口上生效,要使其他端口生效，必须在短配置。

address81/32;

)

)

)

#commit配置生效OR

#commitconfirmed配置生效测试，5分钟后系统自动会滚,恢

复原来配置。

3SNMP配置

#top返回顶级菜单

#setsnmpcommunitykeepaliveauthorizationread-only

keepalive为communitystrings

#show

snmp{

communitykeepalive{

authorizationread-only;

)

)

4Routing-options酉己置

这里只介绍浙江工程中用到的静态、聚合、route-id三点，其他

以后在补充。

4.1静态路由配置

#top

#editrouting-options

#setstaticroute/24next-hop2

#setstaticroute/24next-hop3

#show

static{

route/24next-hop2;

route/24next-hop3;

route/26next-hop1;

route4/26next-hop9;

route/21next-hop94;

)

4.2route-id&as

#setroute-id2建议设为本机的loopback

#setautonomous-system64740根据实际分配设定

4.3bgp聚合配置

#setaggregateroute/18

#setaggregateroute/18

#setaggregateroute/18

#setaggregateroute/18

#setaggregateroute/17

#setaggregateroute/17discard

在juniper上BGP对外广播所有聚合,条件是在本地路由表里有

此路由或比聚合更组的路由，当未启用的ip段或不能产生本地路由的

网段需要对外广播时，可采用discard属性。

#show

aggregate{

route/18;

route/18;

route/18;

route/18;

route/17;

route/17discard;

)

5Routeprotocal配置

这里只介绍ospf、bgp的配置

#top

#editprotocols进入路由协议配置菜单

5.1Ospf配置

#setospfexportAbgp_dAfault_to_ospf★各由pbgpU攵至U的缺省

路由广播到ospf路由表中到etospfareainterfaceso-

1/1/0.0

#setospfareainterfaceso-1/0/0.0metric20根据实际

情况调整metric

#setospfareainterfaceat-6/1/0.0metric20

#setospfareainterfaceat-6/1/0.3metric20

#show

ospf(

exportebgp_default_to_ospf;需要在路由政策里定义

area{

interfaceso-1/1/0.0;

interfaceso-l/0/0.0{

metric20;

)

interfaceat-6/1/0.0{

metric20;

)

)

area{

interfaceat-6/1/0.3{

metric20;

)

)

)

5.2Bgp配置

#setbgpexportaggregate_to_bgp在policy里定义，将本地

聚合向ibgp、ebgp广播#editbgpgroupibgp定义ibgp组名

#settypeinternal

#setexportpbgp-aggrpgatA-ibgp在policy里定义,向ibgp

广播从ebgp收到的路由#setpeer-as64740根据实际情况配置

#setneighbor50

#setneighbor06

#exit

##editbgpgroupebgp定义ebgp组名

#settypeexternal

#setimportchange-preference在policy里定义，改变收到的

bgplocal-preference#setexportoutbound-control-hzl在policy

里定义，调整对ebgp广播的路由特性

#setexportfrom-zj-asl在policy里定义，将所有本地聚合对外

广播,禁止从4134收到的路由广播出去。

#setpeer-as4134

#setneighbor

bgp{

exportaggregate_to_bgp;

groupibgp{

typeinternal;

exportebgp-aggregate-ibgp;

peer-as64740;

neighbor50;

neighbor06;

)

groupebgp{

typeexternal;

importchange-preference;

export[outbound-control-hzlfrom-zj-asl];

peer-as4134;

neighbor;

)

)

6Policy配置

具体配置命令请参照前面格式操作。

policy-options{

prefix-listtelnet-list{定义firewall里的telnet列表

/25;

/27;

2/27;

4/27;

/24;

2/27;

)

policy-statementoutbound-control-hzl{

termterml{

from{

protocolaggregate;

route-filter28/25exact;

route-filter/18exact;

route-filter/18exact;

route-filter/18exact;

route-filter/18exact;

route-filter/22exact;

route-filter/22exact;

)

then{

communityadd169comm;将聚合里的169网段,bgp广播时

添加附加串

nextterm;

)

)

termtArm6{

fromprotocolospf;通过ospf收到路由不对外广播

thenreject;

)

termterm3{

fromprotocollocal;本地路由不对外广播

thenreject;

)

termterm5{

fromprotocolstatic;静态路由不对外广播

thenreject;

)

termterm4{

fromprotocoldirect;直连路由不对外广播

thenreject;

)

)

policy-statementfrom-zj-asl{

termterml{

from{

protocolbgp;

as-pathzj-asl;从4134过来的路由不对外广播

)

thenreject;

)

termterm2{

thenaccept;

)

)

policy-statementchange-preference{

from{

protocolbgp;

neighbor;

)

then{

local-preference200;将由收至U的路由作调整。

as-path-prepend"41344134";

)

)

policy-statementaggregate_to_bgp{

fromprotocolaggregate;定义对外广播本地聚合

thenaccept;

)

policy-statementebgp_default_to_ospf{

from{向ospf广播bgp的default

protocolbgp;

neighbor;

route-filter/0exact;

)

then{

external{

type1;

)

accept;

)

)

policy-statementebgp-aggregate-ibgp{

termterml{

from{

protocolbgp;

neighbor;

)

thennextterm;

)

termterm2{

fromprotocolaggregate;

thenaccept;

)

)

community169commmembers4134:10;

as-pathzj-asl"4134

)

7Firewall配置

具体配置命令请参照前面格式操作。

firewall{

filterpopme{定义filter

termterml{

from{

prefix-list{

telnet-list;在policy-options定义

)

protocoltcp;

porttelnet;

)

thenaccept;

)

termterm2{

from{

protocoltcp;

porttelnet;

)

then{

reject;拒绝非list地址telnet

)

)

termterm3{

thenaccept;

)

)

8Juniper与Cisco互连端口参数调整

Ciscoconf

interfaceATM1/0.11Cisco-Cisco

point-to-pointospf

descriptionTOjiaxingAtm4/0.1

hnndwidth90000

ipaddress2C-5

52

noipdirecled-bruadcasl

Ipospfnetworkbroadcast

atmpvc1())043aal5%nap

noatmcnablc-ilmi>tnip

j

interfaceATM1/0.13pc«int-to-pointCisccHroute>-Juniper

description(oNingBoospf

bandwidth60000

ipaddress

52

noipdirected-broadcast

atmpvc111052aal5snap

noatmcnablc-ilmi-trap

interfaceVlaii6Cisco(switch)-Cisco(route)

descriptionweb-1ospf

ipaddress7

24

noipdirected-broadcast

interfaceVlan6Cisco(switch)-Juniper

descriptionweb-1ospf

ipaddress2C7

24

ipdircctcd-broadcasKrJc者没/j

此配置)

interfacePOS10/0(与cisco互连)Sdhso-2/1/0{

ipaddress2Cbgpkeepalives:

52encapsulationppp:

noipdircctcd-broadcastsonct-options{

erc32fes16;

clocksourceintenial

pos