Juniper-路由器配置操作手册

Juniper OS 4.2R1.3 路由器配置操作手册 1 系统配置.2 1.1 系统信息基本配置.2 1.2 系统用户信息.2 1.3 系统服务配置.3 2 端口配置.4 2.1 juniper 端口介绍.4 2.2 端口配置.4 3 SNMP 配置.6 4 Routing- options 配置.7 4.1 静态路由配置.7 4.2 route- id at- 6/0/1 PIC 1 1x G/E, 1000 BASE- SX 为 ge- 6/1/0 PIC 2 1x G/E, 1000 BASE- SX 2.2 端口配置 # edit interfaces ?sonet 端口配置 # set so- 1/0/0 unit 0 description HZ to NB 2.5Gb SDH family inet address 202.96.117.1/30 #show 检查配置 so- 1/0/0 description HZ to NB 2.5Gb SDH; unit 0 family inet address 202.96.117.1/30; ?atm 端口配置 #set at- 6/0/0 clocking external #set at- 6/0/0 atm- options vpi 1 maximum- vcs 100 #set at- 6/0/0 atm- options vpi 10 maximum- vcs 200 #set at- 6/0/0 unit 0 description HuZhou- HangZhou- ATM vci 10.40 family inet address 202.96.117.50/30 #set at- 6/0/0 unit 1 description HuZhou- NingBo- ATM vci 1.51 family inet address 202.96.117.150/30 vci 号为 pvc号 #show at- 6/0/0 clocking external; atm- options vpi 1 maximum- vcs 100; vpi 10 maximum- vcs 200; unit 0 description HuZhou- HangZhou- ATM; vci 10.40; family inet address 202.96.117.50/30; unit 1 description HuZhou- NingBo- A TM; vci 1.51; family inet address 202.96.117.150/30; ?ge 端口配置 #set ge- 6/1/0 unit 0 description “ To Catalysta6509 g1/0” family inet address 202.96.111.193/30 #show ge- 6/1/0 unit 0 description To Catalysta6509 g1/0; family inet address 202.96.111.193/30; ?fe 端口配置 #set fe- 6/2/0 unit 0 description “ To 2948 g1/0” family inet address 202.96.118.1/24 #show fe- 6/2/0 unit 0 description To 2948 1/0; family inet address 202.96.118.1/24; ?loopback 配置 #set lo0 unit 0 family inet address address 202.96.101.181/32 #show lo0 unit 0 family inet filter input popme; 将 firewall 在该端口上生效，要使其他端口生效，必须在短配置。 address 202.96.101.181/32; #commit 配置生效 OR #commit confirmed 配置生效测试，5 分钟后系统自动会滚，恢复原来配置。 3 SNMP 配置 #top 返回顶级菜单 #set snmp community keepalive authorization read- only keepalive 为 community strings #show snmp community keepalive authorization read- only; 4 Routing- options 配置 这里只介绍浙江工程中用到的静态、聚合、route- id 三点，其他以后在补充。 4.1 静态路由配置 #top #edit routing- options #set static route 61.130.49.0/24 next- hop 202.96.113.52 #set static route 61.130.50.0/24 next- hop 202.96.113.53 #show static route 61.130.49.0/24 next- hop 202.96.113.52; route 61.130.50.0/24 next- hop 202.96.113.53; route 61.130.51.0/26 next- hop 202.96.113.51; route 61.130.51.64/26 next- hop 202.96.113.49; route 61.175.144.0/21 next- hop 202.107.247.194; 4.2 route- id route 61.130.64.0/18; route 61.130.128.0/18; route 61.130.192.0/18; route 61.174.0.0/17; route 61.174.128.0/17 discard; 5 Route protocal配置 这里只介绍 ospf、bgp 的配置 #top #edit protocols 进入路由协议配置菜单 5.1 Ospf 配置 #set ospf export ebgp_default_to_ospf 将由 ebgp 收到的缺省路由广播到 ospf 路由表中 #set ospf area 0.0.0.0 interface so- 1/1/0.0 #set ospf area 0.0.0.0 interface so- 1/0/0.0 metric 20 根据实际情况调整 metric #set ospf area 0.0.0.0 interface at- 6/1/0.0 metric 20 #set ospf area 0.0.0.1 interface at- 6/1/0.3 metric 20 #show ospf export ebgp_default_to_ospf; 需要在路由政策里定义 area 0.0.0.0 interface so- 1/1/0.0; interface so- 1/0/0.0 metric 20; interface at- 6/1/0.0 metric 20; area 0.0.0.1 interface at- 6/1/0.3 metric 20; 5.2 Bgp 配置 #set bgp export aggregate_to_bgp 在 policy 里定义，将本地聚合向 ibgp、ebgp 广播 #edit bgp group ibgp 定义 ibgp 组名 #set type internal #set export ebgp- aggregate- ibgp 在 policy 里定义，向 ibgp 广播从 ebgp 收到的路由 #set peer- as 64740 根据实际情况配置 #set neighbor 202.96.117.250 #set neighbor 202.96.117.206 #exit #edit bgp group ebgp 定义 ebgp 组名 #set type external #set import change- preference 在 policy 里定义，改变收到的 bgp local- preference #set export outbound- control- hz1 在 policy 里定义,调整对 ebgp 广播的路由特性 #set export from- zj- as1 在 policy 里定义，将所有本地聚合对外广播，禁止 从 4134 收到的路由广播出去。 #set peer- as 4134 #set neighbor 202.107.253.1 bgp export aggregate_to_bgp; group ibgp type internal; export ebgp- aggregate- ibgp; peer- as 64740; neighbor 202.96.117.250; neighbor 202.96.117.206; group ebgp type external; import change- preference; export outbound- control- hz1 from- zj- as1 ; peer- as 4134; neighbor 202.107.253.1; 6 Policy 配置 具体配置命令请参照前面格式操作。 policy- options prefix- list telnet- list 定义 firewall 里的 telnet 列表 202.96.96.0/25; 202.96.102.0/27; 202.96.103.32/27; 202.96.103.64/27; 202.96.117.0/24; 202.101.166.32/27; policy- statement outbound- control- hz1 term term1 from protocol aggregate; route- filter 202.101.169.128/25 exact; route- filter 61.130.64.0/18 exact; route- filter 61.130.192.0/18 exact; route- filter 61.153.192.0/18 exact; route- filter 61.164.128.0/18 exact; route- filter 202.101.180.0/22 exact; route- filter 202.101.184.0/22 exact; then community add 169comm; 将聚合里的 169 网段， bgp 广播时添加附加串 next term; term term6 from protocol ospf; 通过 ospf 收到路由不对外广播 then reject; term term3 from protocol local; 本地路由不对外广播 then reject; term term5 from protocol static; 静态路由不对外广播 then reject; term term4 from protocol direct; 直连路由不对外广播 then reject; policy- statement from- zj- as1 term term1 from protocol bgp; as- path zj- as1; 从 4134 过来的路由不对外广播 then reject; term term2 then accept; policy- statement change- preference from protocol bgp; neighbor 202.107.253.1; then local- preference 200; 将由 202.107.253.1 收到的路由作调整。 as- path- prepend 4134 4134; policy- statement aggregate_to_bgp from protocol aggregate; 定义对外广播本地聚合 then accept; policy- statement ebgp_default_to_ospf from 向 ospf 广播 bgp 的 default protocol bgp; neighbor 202.107.253.1; route- filter 0.0.0.0/0 exact; then external type 1; accept; policy- statement ebgp- aggregate- ibgp term term1 from protocol bgp; neighbor 202.107.253.1; then next term; term term2 from protocol aggregate; then accept; community 169comm members 4134:10; as- path zj- as1 4134 .*; 7 Firewall 配置 具体配置命令请参照前面格式操作。 firewall filter popme 定义 filter term term1 from prefix- list telnet- list; 在 policy- options 定义 protocol tcp; port telnet; then accept; term term2 from protocol tcp; port telnet; then reject; 拒绝非 list 地址 telnet term term3 then accept; 8 Juniper 与 Cisco 互连端口参数调整 Cisco conf interface ATM1/0.11 point- to- point description TO jiaxing Atm 4/0.1 bandwidth 20000 ip address 202.96.117.25 255.255.255.252 no ip directed- broadcast ip ospf network broadcast atm pvc 10 10 43 aal5snap no atm enable- ilmi- trap ! Cisco- Cisco ospf interface ATM1/0.13 point- to- point description to NingBo bandwidth 60000 ip address 202.96.117.1 255.255.255.252 no ip directed- broadcast atm pvc 11 10 52 aal5snap no atm enable- ilmi- trap Cisco(route)- Juniper ospf interface Vlan6 description web- 1 ip address 202.96.105.97 255.255.255.224 no ip directed- broadcast Cisco(switch)- Cisco(route) ospf interface Vlan6 description web- 1 ip address 202.96.105.97 255.255.255.224 ip directed- broadcast(或者没有 此配置) Cisco(switch)- Juniper ospf interface POS10/0(与 cisc