junos配置实例.pptx

1、JUNOS 配置实例,u,v,v,v,v,v,v,v,u,2/63,新开局路由器需要配置什么?路由器基本信息配置,v,主机名root密码以及管理用户telnet和ftp服务路由器时区、日期和时间路由器ntp服务器(可选配置)路由器dns服务器(可选配置),u,端口配置,vvv,配置工作模式配置端口描述设置vlan(可选配置)配置IP地址,u,路由配置,v,配置静态路由配置动态路由(可选配置),uuu,SNMP配置NAT配置VRRP配置GRE Tunnel配置Juniper Networks, Inc. Copyright 2000 - Proprietary & Confidential,RT

2、01,3/63,实例1 基本配置,211.17.3.0/24DNS 211.17.3.1NTP 211.17.3.2要求：1.内部局域网两个VLAN211.16.1.1/302.内部PC访问10.126.1.0通过RT023.内部PC访问211.17.3.0通过RT01,10.126.1.0/24NMS 10.126.1.1RT0210.126.10.1/30,4.GE端口采用非协商模式5.FE端口设置100M全双工6.采用静态路由7.地址映射192.168.10.2-211.17.4.1192.168.20.2-211.17.4.2,211.16.1.2/30,ge-0/0/0fe-1/0/

3、0,ge-0/0/110.126.10.2/30CE01-M10ivlan10网关：192.168.10.1/24vlan20网关：192.168.20.1/24,8.CE01-M10i和RT02静态路由运行BFD9.CE01-M10i是全新的juniper路由器二层交换机,vlan 10,vlan 20,192.168.10.2,192.168.10.3,192.168.20.2,192.168.20.3,Juniper Networks, Inc. Copyright 2000 - Proprietary & Confidential,u,u,u,4/63,system基本配置设置主机名s

4、et system host-name CE01-M10i,u,设置root口令set system root-authentication plain-text-password设置用户名set system login user zte uid 2000set system login user zte class super-userset system login user zte authentication plain-text-password设置telnet和ftp服务set system services ftpset system services telnetJunipe

5、r Networks, Inc. Copyright 2000 - Proprietary & Confidential,u,u,5/63,system基本配置设置时区set system time-zone Asia/Shanghai设置路由器时间set date 200708091720.00说明：YYYYMMDDhhmm.ss 格式在用户模式下配置,uu,设置ntp服务set date ntp 211.17.3.2set date ntp source-address 211.16.1.2说明：在用户模式下配置设置dns服务set system name-server 211.17.3.

6、1Juniper Networks, Inc. Copyright 2000 - Proprietary & Confidential,u,u,6/63,system基本配置设置时区set system time-zone Asia/Shanghai设置路由器时间set date 200708091720.00说明：YYYYMMDDhhmm.ss 格式在用户模式下配置,uu,设置ntp服务set date ntp 211.17.3.2set date ntp source-address 211.16.1.2说明：在用户模式下配置设置dns服务set system name-server 21

7、1.17.3.1Juniper Networks, Inc. Copyright 2000 - Proprietary & Confidential,7/63,system基本配置,rootCE01-M10i # show systemhost-name CE01-M10i;,time-zone Asia/Shanghai;root-authentication ,encrypted-password $1$tXnoO0Vm$XVCIVOtrqW/exGNN96nPT0; # SECRET-DATA,name-server ,211.17.3.1;,login ,user zte ,uid 2

8、000;,class super-user;authentication ,encrypted-password $1$Stwwx.mF$OuP039OdflLuz.5FAxXIG/; # SECRET-DATA,services ,ftp;,telnet;,Juniper Networks, Inc. Copyright 2000 - Proprietary & Confidential,u,u,8/63,fe-1/0/0端口配置初始化配置中配置文件是空的，不象cisco一样在running-config配置中会显示硬件配置的端口。如果要查看端口号，在用户模式下使用:v show inter

9、faces terse设置工作模式set interfaces fe-1/0/0 speed 100mset interfaces fe-1/0/0 link-mode full-duplex,u,设置vlanset interfaces fe-1/0/0 vlan-taggingset interfaces fe-1/0/0 hold-time up 30000 down 0;set interfaces fe-1/0/0 unit 10 vlan-id 10set interfaces fe-1/0/0 unit 10 description TO VLAN 10set interface

10、s fe-1/0/0 unit 10 family inet address 192.168.10.1/24set interfaces fe-1/0/0 unit 20 vlan-id 20set interfaces fe-1/0/0 unit 20 description TO VLAN 20set interfaces fe-1/0/0 unit 20 family inet address 192.168.20.1/24Juniper Networks, Inc. Copyright 2000 - Proprietary & Confidential,u,u,u,u,9/63,fe-

11、1/0/0端口配置vlan-tagging封装的是802.1Q，在交换机端需要开启802.1Q trunkunit的范围是0.16385，unit号与vlan id没有关系family inet表示配置的是IPV4地址ip地址不是覆盖形式，如输入set interfaces fe-1/0/0 unit 10 family,inet address 192.168.10.1/24和set interfaces fe-1/0/0family inet address 192.168.10.2/24则会显示两个IP地址fe-1/0/0 vlan-tagging;speed 100m;link-mod

12、e full-duplex;unit 2 vlan-id 10;family inet address 192.168.10.1/24;address 192.168.10.2/24;Juniper Networks, Inc. Copyright 2000 - Proprietary & Confidential,unit 10,fe-1/0/0端口配置fe-1/0/0 vlan-tagging;speed 100m;hold-time up 30000 down 0;link-mode full-duplex;unit 10 description TO VLAN 10;vlan-id 1

13、0;family inet address 192.168.10.1/24;unit 20 description TO VLAN 20;vlan-id 20;family inet address 192.168.20.1/24;,Juniper Networks, Inc. Copyright 2000 - Proprietary & Confidential,10/63,11/63,fe-1/0/0端口配置,abCE01-M10i# show interfaces fe-1/0/0 | display setset interfaces fe-1/0/0 vlan-taggingset

14、interfaces fe-1/0/0 speed 100m,set interfaces fe-1/0/0 hold-time up 30000set interfaces fe-1/0/0 hold-time down 0set interfaces fe-1/0/0 link-mode full-duplex,set interfaces fe-1/0/0 unit 10 description TO VLAN 10set interfaces fe-1/0/0 unit 10 vlan-id 10,set interfaces fe-1/0/0 unit 10 family inet

15、address 192.168.10.1/24set interfaces fe-1/0/0 unit 20 description TO VLAN 20set interfaces fe-1/0/0 unit 20 vlan-id 20,set interfaces fe-1/0/0 unit 20 family inet address 192.168.20.1/24,edit,labCE01-M10i#,Juniper Networks, Inc. Copyright 2000 - Proprietary & Confidential,u,u,12/63,ge端口配置设置工作模式set

16、interfaces ge-0/0/0 link-mode full-duplexset interfaces ge-0/0/0 gigether-options no-auto-negotiationset interfaces ge-0/0/1 link-mode full-duplexset interfaces ge-0/0/1 gigether-options no-auto-negotiation,u,设置IPset interfaces ge-0/0/0 unit 0 description TO RT01set interfaces ge-0/0/0 unit 0 family

17、 inet address 211.16.1.2/30set interfaces ge-0/0/1 unit 0 description TO RT02set interfaces ge-0/0/1 unit 0 family inet address 10.126.10.2/30不象cisco，juniper的端口IP即使不划分vlan，也必须要有一个unit单元，通常不划分vlan的端口使用unit 0Juniper Networks, Inc. Copyright 2000 - Proprietary & Confidential,13/63,ge端口配置,ge-0/0/0 ,link

18、-mode full-duplex;gigether-options no-auto-negotiation;,unit 0 ,description TO RT01;family inet ,address 211.16.1.2/30;,ge-0/0/1 ,link-mode full-duplex;gigether-options no-auto-negotiation;,unit 0 ,description TO RT02;family inet ,address 10.126.10.2/30;,Juniper Networks, Inc. Copyright 2000 - Propr

19、ietary & Confidential,up,up,up,up,u,u,14/63,端口检查zteCE01-M10ishow interfaces terse,Interfacefe-1/0/0fe-1/0/0.10fe-1/3/0.20ge-0/0/0ge-0/0/0.0ge-0/0/1ge-0/0/1.0,Admin Link Protoupupup inetup inetupupup inetupupup inet,Local192.168.10.1/24192.168.20.1/24211.16.1.2/3010.126.10.2/30,Remote,只有在用户模式下show in

20、terfaces terse看到所配置的IP地址才正常，如果看不到配置的IP地址，需要删除然后重新配置端口Admin和Link状态都是up才正常，否则请检查物理链路Juniper Networks, Inc. Copyright 2000 - Proprietary & Confidential,端口检查zteCE01-M10iping 10.126.10.1PING 10.126.10.1 (10.126.10.1): 56 data bytes64 bytes from 10.126.10.1: icmp_seq=0 ttl=64 time=0.103 ms64 bytes from 10

21、.126.10.1: icmp_seq=1 ttl=64 time=0.098 ms64 bytes from 10.126.10.1: icmp_seq=2 ttl=64 time=0.100 ms64 bytes from 10.126.10.1: icmp_seq=3 ttl=64 time=0.094 ms64 bytes from 10.126.10.1: icmp_seq=4 ttl=64 time=0.099 msC- 10.126.10.1 ping statistics -5 packets transmitted, 5 packets received, 0% packet

22、 lossround-trip min/avg/max/stddev = 0.094/0.099/0.103/0.003 mszteCE01-M10i ping 10.126.10.1 rapidPING 10.126.10.1 (10.126.10.1): 56 data bytes!- 10.126.10.1 ping statistics -5 packets transmitted, 5 packets received, 0% packet lossround-trip min/avg/max/stddev = 0.044/0.058/0.095/0.019 mszteCE01-M1

23、0izteCE01-M10i ping 10.126.10.1 rapid count 1000 size 1500 source 10.126.10.2PING 10.126.10.1 (10.126.10.1): 1500 data bytes!C- 10.126.10.1 ping statistics -261 packets transmitted, 260 packets received, 0% packet lossround-trip min/avg/max/stddev = 2.701/10.956/40.103/5.046 ms,zteCE01-M10i,Juniper

24、Networks, Inc. Copyright 2000 - Proprietary & Confidential,15/63,0,0,0,0,16/63,Juniper errors:,端口检查zteCE01-M10i show interfaces fe-1/0/0 extensivePhysical interface: fe-1/0/0, Enabled, Physical link is UpInterface index: 138, SNMP ifIndex: 33, Generation: 163Link-level type: Ethernet, MTU: 1514, Spe

25、ed: 100mbps, Loopback: Disabled, Source filtering: Disabled,Flow control: EnabledDevice flags : Present RunningInterface flags: SNMP-Traps Internal: 0x4000CoS queues : 8 supported, 8 maximum usable queuesHold-times : Up 30000 ms, Down 0 msCurrent address: 00:05:85:c1:a8:c1, Hardware address: 00:05:8

26、5:c1:a8:c1Last flapped : 2007-07-19 16:52:29 UTC (00:08:01 ago)Statistics last cleared: NeverTraffic statistics:,Input bytes :Output bytes :Input packets:Output packets:,17506911633124512294,0 bps0 bps0 pps0 pps,IPv6 transit statistics:Input bytes :Output bytes :Input packets:Output packets:Input er

27、rors:Errors: 0, Drops: 0, Framing errors: 0, Runts: 0, Policed discards: 0, L3 incompletes: 0, L2 channel errors:115,L2 mismatch timeouts: 0, FIFO errors: 0, Resource errors: 190Output errors:Carrier transitions: 9, Errors: 0, Drops: 0, Collisions: 0, Aged packets: 0, FIFO errors: 0, HS link CRC err

28、ors:0,MTU errors: 0, Resource Networks,0Inc. Copyright 2000 - Proprietary & Confidential,u,17/63,静态路由配置,u,设置静态路由set routing-options static route 211.17.3.0/24 next-hop 211.16.1.1set routing-options static route 10.126.1.0/24 next-hop 10.126.1.1设置缺省路由(默认路由)set routing-options static route 0/0 next-ho

29、p 211.16.1.1routing-options static route 211.17.3.0/24 next-hop 211.16.1.1;route 10.126.1.0/24 next-hop 10.126.1.1;route 0.0.0.0/0 next-hop 211.16.1.1;Juniper Networks, Inc. Copyright 2000 - Proprietary & Confidential,u,18/63,路由检查,带源地址ping 211.17.3.1 source 211.16.1.2,u 带源地址traceroute 211.17.3.1 sou

30、rce 211.16.1.2u show route,问题：, 在路由器上能ping通211.17.3.1，但是内部PC不能ping通。, 在路由器上带源地址211.16.1.2能ping通211.17.3.1，但是带原地址为192.168.10.1,则ping不通,什么问题？,Juniper Networks, Inc. Copyright 2000 - Proprietary & Confidential,u,u,u,u,19/63,静态路由bfd配置bfd=Bidirectional Forwarding Detection (双向转发检测)定期发送自己的hello包给对方，一旦收不到对

31、方发送过来的hello包次数超过设定的阀值，则认为对方不可达，马上消除静态路由作用:加快故障检测，免得产生下一跳已经不可达但是由于路由表还存在而路由器会继续发包的情况动态路由也可以配置bfd,路由器1路由表,我ok,route 0.0.0.0/0 next-hop 211.16.1.1route 10.126.1.0/24 next-hop 10.126.1.1路由器1路由表route 0.0.0.0/0 next-hop 211.16.1.1,路由器1,10.126.10.2/30我ok我ok10.126.10.2/30,10.126.10.1/3010.126.10.1/30,路由器2,路

32、由器1Juniper Networks, Inc. Copyright 2000 - Proprietary & Confidential,我ok,路由器2,20/63,静态路由bfd配置,u,设置静态路由set routing-options static route 10.126.1.0/24 next-hop 10.126.1.1 bfd-liveness-detection version 1set routing-options static route 10.126.1.0/24 next-hop 10.126.1.1 bfd-liveness-detection minimum-

33、interval 200set routing-options static route 10.126.1.0/24 next-hop 10.126.1.1 bfd-liveness-detection multiplier 2routing-options static route 10.126.1.0/24 next-hop 10.126.1.1;bfd-liveness-detection version 1;minimum-interval 200;multiplier 2;Juniper Networks, Inc. Copyright 2000 - Proprietary & Co

34、nfidential,2,2,21/63,bfd检查,u,设置静态路由set routing-options static route 10.126.1.0/24 next-hop 10.126.1.1 bfd-liveness-detection version 1set routing-options static route 10.126.1.0/24 next-hop 10.126.1.1 bfd-liveness-detection minimum-interval 200set routing-options static route 10.126.1.0/24 next-hop

35、10.126.1.1 bfd-liveness-detection multiplier 2labzte-m7i show bfd sessionTransmit,Address,State,Interface,Detect Time Interval Multiplier,220.0.21.10221.0.21.10,UpUp,fe-0/0/0.0fe-0/0/1.0,0.4000.400,0.2000.200,2 sessions, 2 clientsCumulative transmit rate 10.0 pps, cumulative receive rate 10.0 ppslab

36、zte-m7iJuniper Networks, Inc. Copyright 2000 - Proprietary & Confidential,SNMP配置,u,设置snmp,set snmpset snmpset snmpset snmpset snmpset snmpset snmp,community public authorization read-onlycommunity public clients 10.126.1.1/32community private authorization read-writecommunity private clients 10.126.

37、1.1/32trap-options source-address 10.126.1.2contact engine-id local ,snmp community public authorization read-only;clients 10.126.1.1/32;community private authorization read-write;clients 10.126.1.1/32;trap-options source-address 10.126.1.2;,Juniper Networks, Inc. Copyright 2000 - Proprietary & Conf

38、idential,22/63,u,u,23/63,Juniper Networks, Inc. Copyright 2000 Proprietary &,NAT配置定义output方向的nat规则,setsetsetsetsetsetset,servicesservicesservicesservicesservicesservicesservices,natnatnatnatnatnatnat,rulerulerulerulerulerulerule,nat-outputnat-outputnat-outputnat-outputnat-outputnat-outputnat-output,

39、match-direction outputterm a from source-address 192.168.10.1/32term a then translated source-prefix 211.17.4.1/32term a then translated translation-type source staticterm b from source-address 192.168.20.1/32term b then translated source-prefix 211.17.4.2/32term b then translated translation-type s

40、ource static,定义input方向的nat规则,setsetsetsetsetsetset,servicesservicesservicesservicesservicesservicesservices,natnatnatnatnatnatnat,rulerulerulerulerulerulerule,nat-inputnat-inputnat-inputnat-inputnat-inputnat-inputnat-input,match-direction inputterm a from destination-address 211.17.4.1/32term a then

41、 translated destination-prefix 192.168.10.1/32term a then translated translation-type destination staticterm b from destination-address 211.17.4.2/32term b then translated destination-prefix 192.168.20.1/32term b then translated translation-type destination static,set services service-set nat-servic

42、e-set nat-rules nat-outputset services service-set nat-service-set nat-rules nat-inputset services service-set nat-service-set interface-serviceConfidentialservice-interface sp-0/0/0,u,u,24/63,NAT配置,定义service集合,set services service-set nat-service-set nat-rules nat-outputset services service-set nat

43、-service-set nat-rules nat-input,set services service-set nat-service-set interface-service service-interface sp-0/0/0,将service集合应用到端口,set interfaces ge-0/0/0 unit 0 family inet service input service-set nat-service-setset interfaces ge-0/0/0 unit 0 family inet service output service-set nat-service

44、-set,Juniper Networks, Inc. Copyright 2000 - Proprietary & Confidential,25/63,NAT配置,ge-0/0/0 unit 0 family inet service input service-set nat-service-set;output service-set nat-service-set;,then translated source-prefix 211.17.4.1/32;translation-type source static;term b from source-address 192.168.20.1/32;,