Juniper SRX (Junos OS) Initial Setup (CLI Mode)
This example uses a Juniper SRX100 to demonstrate the initialization procedure.
The purpose of initialization is to give the device a basic configuration so that the SRX firewall can reach the Internet and provide basic security protection.
Initialization is needed in the following situations:
1. You have just received a newly purchased Juniper SRX security device.
2. The device has been reset to factory defaults.
For how to reset an SRX firewall to factory defaults, see the links below:
When you have no backup configuration file, you can simply modify the factory-default configuration to shorten the initialization procedure:
First, log in through the CLI and enter configuration mode, then follow the steps below:
/** Remove the Setup Wizard **/
After a factory reset, logging in to J-Web forces you into the Setup Wizard because the following four lines are present in the configuration:
set system autoinstallation delete-upon-commit
set system autoinstallation traceoptions level verbose
set system autoinstallation traceoptions flag all
set system autoinstallation interfaces fe-0/0/0 bootp
Simply deleting them avoids the Setup Wizard and takes you straight to the normal J-Web configuration screen:
root@srx100# delete system autoinstallation
[edit]
root@srx100# commit
commit complete
[edit]
root@srx100#
/*** Create a local system account ***/
By default Junos does not allow the root account to log in over telnet, but root can still log in through the console, the web interface (http and https) and ssh.
Note: telnet transmits everything in cleartext, with no encryption on the wire, so an attacker can easily intercept the session and recover the account password; disallowing root over telnet is therefore a connection-security measure. In addition, root is the well-known highest-privilege account on Juniper SRX (Junos OS) devices and cannot be renamed, which makes it a convenient target for password brute-forcing. For these reasons it is common practice to avoid the root account for remote management and instead create a separate account with administrative rights; increasing password length and complexity and limiting the number of failed login attempts are also necessary.
root@srx100# set system login user admin class super-user authentication plain-text-password
New password: /** enter the new password; it must be at least six characters and contain both letters and digits **/
Retype new password: /** confirm the new password **/
[edit]
root@srx100#
/*** This creates a local system account "admin" (choose the user name to suit your needs), assigns administrator privileges and sets its password ***/
Class | Description
super-user | All permissions. The same privileges as the root account; you can perform any operation.
operator | Clear, reset, trace and view permissions. Allows clear commands and restarting processes; show commands can also be run.
read-only | View permissions. Cannot change or clear the configuration; only show commands can be run.
unauthorized | No permissions.
For more on login security for Juniper SRX firewalls, see the links below:
/** Configure the device name srx100 **/
root@srx100# set system host-name srx100
/** Configure the WAN port IP address **/
The factory configuration leaves the WAN interface fe-0/0/0.0 unconfigured, so we can do one of the following:
1. Assign a static IP address directly to the external (WAN) interface
Use this when you host servers and have applied to your ISP (for example Chunghwa Telecom) for a fixed IP address.
root@srx100# delete interfaces fe-0/0/0 unit 0 family inet /** clear any existing configuration on the interface first, to avoid an error message at commit **/
root@srx100# set interfaces fe-0/0/0 unit 0 family inet address 192.168.188.10/24
When the WAN interface uses a static IP address you must also configure a default route to the public network, otherwise there will be no Internet access. The following command sends all otherwise unmatched traffic (0.0.0.0/0) to 172.16.200.1 (an example value; in practice this is usually the gateway IP of the Chunghwa Telecom modem).
root@srx100# set routing-options static route 0.0.0.0/0 next-hop 172.16.200.1
2. Or obtain a dynamic IP address for the external interface via DHCP
Use this when you do not host servers and have applied to your ISP (for example Chunghwa Telecom) for a dynamic (floating) IP address.
root@srx100# delete interfaces fe-0/0/0 unit 0 family inet
root@srx100# set interfaces fe-0/0/0 unit 0 family inet dhcp
/** Configure DNS servers **/
Name resolution when browsing relies on DNS servers to translate host names into IP addresses so that we can reach the destination site.
The factory-default DNS servers are:
set system name-server 208.67.222.222
set system name-server 208.67.220.220
We can change them to the DNS servers of Chunghwa Telecom, the largest local ISP, which should be faster:
root@srx100# delete system name-server
root@srx100# set system name-server 168.95.1.1
root@srx100# set system name-server 168.95.192.1
root@srx100# commit
/** Configure time servers **/
Time servers are configured so that the SRX firewall can synchronize automatically with remote time servers over the network and keep an accurate clock at all times.
Configure the time zone:
root@srx100# set system time-zone GMT+8
We can use the time servers of Chunghwa Telecom, the largest local ISP:
root@srx100# set system ntp server 118.163.81.61
root@srx100# set system ntp server 118.163.81.62
root@srx100# set system ntp server 118.163.81.63
Finally, we can collect all of the commands above and paste them into the Juniper SRX100 console in one go, which saves a lot of time:
load factory-default
delete system autoinstallation
set system host-name srx100
set interfaces fe-0/0/0 unit 0 family inet dhcp
delete system name-server
set system name-server 168.95.1.1
set system name-server 168.95.192.1
set system time-zone GMT+8
set system ntp server 118.163.81.61
set system ntp server 118.163.81.62
set system ntp server 118.163.81.63
set system root-authentication plain-text-password
set system login user admin class super-user authentication plain-text-password
commit
This completes the CLI-mode initialization.
★ If your device is an SRX210, change interface fe-0/0/0 above to ge-0/0/0 and fe-0/0/1 to ge-0/0/1, because ports 0/0 and 0/1 on the SRX210 are Gigabit Ethernet (ge) ports, not Fast Ethernet (fe) ports.
If your device is a Juniper SRX210, the commands become:
load factory-default
delete system autoinstallation
set system host-name srx210
set interfaces ge-0/0/0 unit 0 family inet dhcp
delete system name-server
set system name-server 168.95.1.1
set system name-server 168.95.192.1
set system time-zone GMT+8
set system ntp server 118.163.81.61
set system ntp server 118.163.81.62
set system ntp server 118.163.81.63
set system root-authentication plain-text-password
set system login user admin class super-user authentication plain-text-password
commit
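As an added example (not from the original post), the following Python script generates the paste-ready command list above for either model, so the fe/ge substitution for the SRX210 and the static-versus-DHCP WAN choice described earlier are handled in one place instead of by hand; it also refuses a static WAN address without the default route the text says is required. The PORT_PREFIX table, the build_bootstrap function and its default DNS, NTP and time-zone values are this example's own assumptions, taken from the commands on this page.

```python
"""Generate the Junos bootstrap command list for an SRX100 or SRX210.

Added example, not from the original post. It only reproduces the command
syntax shown on the page; PORT_PREFIX encodes the page's note that SRX210
ports 0/0 and 0/1 are 'ge' rather than 'fe'.
"""
import ipaddress

# Front-panel port prefix per model (assumption based on the page's SRX210 note).
PORT_PREFIX = {"SRX100": "fe", "SRX210": "ge"}


def build_bootstrap(model, hostname, wan="dhcp", wan_address=None, next_hop=None,
                    dns=("168.95.1.1", "168.95.192.1"),
                    ntp=("118.163.81.61", "118.163.81.62", "118.163.81.63"),
                    time_zone="GMT+8", admin_user="admin"):
    """Return the ordered commands to paste into the console.

    wan="dhcp" requests a dynamic address; wan="static" requires wan_address
    (a.b.c.d/nn) and next_hop, because a static WAN address without a default
    route leaves the device without Internet access.
    """
    try:
        prefix = PORT_PREFIX[model.upper()]
    except KeyError:
        raise ValueError(f"unknown model {model!r}; expected one of {sorted(PORT_PREFIX)}") from None
    wan_if = f"{prefix}-0/0/0"
    cmds = [
        "load factory-default",
        "delete system autoinstallation",                  # skip the J-Web Setup Wizard
        f"set system host-name {hostname}",
        f"delete interfaces {wan_if} unit 0 family inet",  # clear old inet config so commit succeeds
    ]
    if wan == "dhcp":
        cmds.append(f"set interfaces {wan_if} unit 0 family inet dhcp")
    elif wan == "static":
        if wan_address is None or next_hop is None:
            raise ValueError("static WAN requires wan_address and next_hop")
        iface = ipaddress.ip_interface(wan_address)        # validates the CIDR form
        gateway = ipaddress.ip_address(next_hop)
        cmds.append(f"set interfaces {wan_if} unit 0 family inet address {iface.with_prefixlen}")
        cmds.append(f"set routing-options static route 0.0.0.0/0 next-hop {gateway}")
    else:
        raise ValueError("wan must be 'dhcp' or 'static'")
    cmds.append("delete system name-server")
    cmds += [f"set system name-server {ipaddress.ip_address(s)}" for s in dns]
    cmds.append(f"set system time-zone {time_zone}")
    cmds += [f"set system ntp server {ipaddress.ip_address(s)}" for s in ntp]
    # The console prompts interactively for a password after each of these two lines.
    cmds.append("set system root-authentication plain-text-password")
    cmds.append(f"set system login user {admin_user} class super-user "
                "authentication plain-text-password")
    cmds.append("commit")
    return cmds


if __name__ == "__main__":
    print("\n".join(build_bootstrap("SRX210", "srx210")))
```

Running the script prints the SRX210 variant; calling build_bootstrap with wan="static" adds the address and default-route lines from the static-IP section instead of the DHCP line.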
Demonstration:
The console output after pasting the commands is shown below:
[edit]
root@srx100#
[edit]
root@srx100# load factory-default
warning: activating factory configuration
delete system autoinstallation
set system host-name srx100
set interfaces fe-0/0/0 unit 0 family inet dhcp
delete system name-server
set system name-server 168.95.1.1
set system name-server 168.95.192.1
set system time-zone GMT+8
set system ntp server 118.163.81.61
set system ntp server 118.163.81.62
set system ntp server 118.163.81.63
set system root-authentication plain-text-password
set system login user admin class super-user authentication plain-text-password
commit
[edit]
root@srx100# delete system autoinstallation
[edit]
root@srx100# set system host-name srx100
[edit]
root@srx100# set interfaces fe-0/0/0 unit 0 family inet dhcp
[edit]
root@srx100# delete system name-server
[edit]
root@srx100# set system name-server 168.95.1.1
[edit]
root@srx100# set system name-server 168.95.192.1
[edit]
root@srx100# set system time-zone GMT+8
[edit]
root@srx100# set system ntp server 118.163.81.61
[edit]
root@srx100# set system ntp server 118.163.81.62
[edit]
root@srx100# set system ntp server 118.163.81.63
[edit]
root@srx100# set system root-authentication plain-text-password
New password: /** enter the password **/
Retype new password: /** confirm the password **/
[edit]
root@srx100# set system login user admin class super-user authentication plain-text-password
New password: /** enter the password **/
Retype new password: /** confirm the password **/
[edit]
root@srx100# commit
commit complete
[edit]
root@srx100#
The complete configuration file produced by the commands above:
system {
host-name srx100;
time-zone GMT+8;
root-authentication {
encrypted-password
"$1$WYqJj0DN$E3ES7ZPdQhR3HbEEQWzB9.";
}
name-server {
168.95.1.1;
168.95.192.1;
}
login {
user admin {
uid 2000;
class super-user;
authentication {
encrypted-password
"$1$vsObgzb/$AOkcK.lrt46WDIP9aCvcK1";
}
}
}
services {
ssh;
telnet;
xnm-clear-text;
web-management {
http {
interface vlan.0;
}
https {
system-generated-certificate;
interface vlan.0;
}
}
dhcp {
router {
192.168.1.1;
}
pool 192.168.1.0/24 {
address-range low 192.168.1.2 high 192.168.1.254;
}
propagate-settings fe-0/0/0.0;
}
}
syslog {
archive size 100k files 3;
user * {
any emergency;
}
file messages {
any critical;
authorization info;
}
file interactive-commands {
interactive-commands error;
}
}
max-configurations-on-flash 5;
max-configuration-rollbacks 5;
license {
autoupdate {
url https://ae1.juniper.net/junos/key_retrieval;
}
}
ntp {
server 118.163.81.61;
server 118.163.81.62;
server 118.163.81.63;
}
}
interfaces {
fe-0/0/0 {
unit 0 {
family inet {
dhcp;
}
}
}
fe-0/0/1 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
fe-0/0/2 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
fe-0/0/3 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
fe-0/0/4 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
fe-0/0/5 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
fe-0/0/6 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
fe-0/0/7 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
vlan {
unit 0 {
family inet {
address 192.168.1.1/24;
}
}
}
}
protocols {
stp;
}
security {
screen {
ids-option untrust-screen {
icmp {
ping-death;
}
ip {
source-route-option;
tear-drop;
}
tcp {
syn-flood {
alarm-threshold 1024;
attack-threshold 200;
source-threshold 1024;
destination-threshold 2048;
timeout 20;
}
land;
}
}
}
nat {
source {
rule-set trust-to-untrust {
from zone trust;
to zone untrust;
rule source-nat-rule {
match {
source-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
}
}
policies {
from-zone trust to-zone untrust {
policy trust-to-untrust {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
}
zones {
security-zone trust {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
vlan.0;
}
}
security-zone untrust {
screen untrust-screen;
interfaces {
fe-0/0/0.0 {
host-inbound-traffic {
system-services {
dhcp;
tftp;
}
}
}
}
}
}
}
vlans {
vlan-trust {
vlan-id 3;
l3-interface vlan.0;
}
}
Fully self-configured initialization
The setup above borrows the factory-default configuration for CLI-mode initialization, which is simple and fast. We can also delete the entire system configuration and rebuild the network environment we need from scratch. In CLI configuration mode, enter the following:
root@srx100# delete
This will delete the entire configuration
Delete everything under this level? [yes,no] (no) yes
[edit]
root@srx100# show ## check that the configuration has been emptied
[edit]
root@srx100# set system root-authentication plain-text-password
New password:
Retype new password:
[edit]
root@srx100# commit
commit complete
[edit]
root@srx100#
System baseline configuration
The initialization gives the system a baseline configuration (host name, interface IP addresses, security zones and so on) that lets it operate normally, lets local or remote computers log in to the device via telnet, ssh or the Web UI, and provides basic functions such as Internet access through the device.
________________________________________________________________
/*** Configure the device name "srx100" ***/
root@srx100# set system host-name srx100
/*** Configure the system time zone ***/
root@srx100# set system time-zone Asia/Taipei
/*** Set the password of the default root account; the system does not allow the "root" account name to be changed ***/
set system root-authentication plain-text-password
New password: /** enter the new password; it must be at least six characters and contain both letters and digits **/
Retype new password: /** confirm the new password **/
Note: the root account cannot be used over telnet, but it can log in to the device via the console, the web interface and ssh.
/*** Create a local system account ***/
Create a local system account "admin", assign administrator privileges and set its password.
There are two ways to do this. The first:
set system login user admin uid 200
set system login user admin class super-user
set system login user admin authentication encrypted-password "srx100"
(The encrypted-password statement takes an already hashed password string, like the $1$... values in the configuration dumps on this page, not a plaintext password.)
The second:
set system login user admin class super-user authentication plain-text-password
New password: /** enter the new password; it must be at least six characters and contain both letters and digits **/
Retype new password: /** confirm the new password **/
Class | Description
super-user | All permissions. The same privileges as the root account; you can perform any operation.
operator | Clear, reset, trace and view permissions. Allows clear commands and restarting processes; show commands can also be run.
read-only | View permissions. Cannot change or clear the configuration; only show commands can be run.
unauthorized | No permissions.
/*** Configure the Chunghwa Telecom DNS server so that host names can be resolved to their real IP addresses ***/
set system name-server 168.95.1.1
/*** Configure NTP servers so that the SRX can synchronize its clock over the network ***/
set system ntp server 118.163.81.61
set system ntp server 118.163.81.62
set system ntp server 118.163.81.63
/*** Configure the host that receives system event logs ***/
set system syslog host 192.168.1.11 any any
/*** Define how many committed configuration files may be kept in flash (0..49) ***/
set system max-configuration-rollbacks 15 /** number of rollbacks (restores) allowed **/
set system max-configurations-on-flash 49 /** number of configuration files kept in flash **/
/*** Define the internal interfaces, define the security zone and add the interfaces to it; choose the interfaces according to your needs ***/
/*** Add the interfaces to vlan.0 ***/
set interfaces fe-0/0/1 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/2 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/3 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/4 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/5 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/6 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/7 unit 0 family ethernet-switching vlan members vlan-trust
/*** Assign the internal gateway IP address to vlan.0 ***/
set interfaces vlan unit 0 family inet address 192.168.1.1/24
set vlans vlan-trust vlan-id 3
set vlans vlan-trust l3-interface vlan.0
/*** Add vlan.0 to the trust security zone and allow all services and protocols inbound on the internal interface ***/
set security zones security-zone trust interfaces vlan.0 host-inbound-traffic system-services all
set security zones security-zone trust interfaces vlan.0 host-inbound-traffic protocols all
/*** Make the vlan.0 gateway the DHCP server and define the address range for the internal network ***/
set system services dhcp router 192.168.1.1
set system services dhcp pool 192.168.1.0/24 address-range low 192.168.1.11
set system services dhcp pool 192.168.1.0/24 address-range high 192.168.1.200
set system services dhcp pool 192.168.1.0/24 propagate-settings vlan.0
/*** Assign a static IP address directly to the external interface ***/ (choose one of the two)
set interfaces fe-0/0/0 unit 0 family inet address 192.168.188.10/24
/*** Configure the default route to the public network; required when the external interface uses a static IP address ***/
set routing-options static route 0.0.0.0/0 next-hop 172.16.200.1
/*** Or obtain a dynamic IP address for the external interface via DHCP ***/ (choose one of the two)
set interfaces fe-0/0/0 unit 0 family inet dhcp
/*** Configure the management services: ssh, telnet, http, https ***/
set system services telnet
set system services ssh
set system services ssh root-login allow
set system services ftp
set system services netconf ssh
/*** Configure the http/https services; only the vlan.0 and fe-0/0/0.0 interfaces can use http/https ***/
set system services web-management http interface vlan.0
set system services web-management http interface fe-0/0/0.0
set system services web-management https system-generated-certificate
set system services web-management https interface vlan.0
set system services web-management https interface fe-0/0/0.0
The five commands above are equivalent to running:
root@srx100# edit system services web-management
[edit system services web-management]
root@srx100# set http interface vlan.0
[edit system services web-management]
root@srx100# set http interface fe-0/0/0.0
[edit system services web-management]
root@srx100# set https system-generated-certificate
[edit system services web-management]
root@srx100# set https interface vlan.0
[edit system services web-management]
root@srx100# set https interface fe-0/0/0.0
[edit system services web-management]
root@srx100# top
/*** Add the interface to the security zone and specify the services opened on the external interface ***/
/*** Let the WAN interface fe-0/0/0.0 receive DHCP messages, answer ping, and accept Web UI logins for managing the device from the external network ***/
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services dhcp
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services http
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services https
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ping
The four commands above are equivalent to running:
edit security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services
set dhcp
set http
set https
set ping
top
/*** Configure a source NAT rule that translates internal addresses to the external IP so the internal network can reach the Internet ***/
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface
The four commands above are equivalent to running:
edit security nat source rule-set trust-to-untrust
set from zone trust
set to zone untrust
set rule source-nat-rule match source-address 0.0.0.0/0
set rule source-nat-rule then source-nat interface
top
/*** Configure a basic policy that lets the internal network reach the Internet freely ***/
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
The four commands above are equivalent to running:
edit security policies from-zone trust to-zone untrust policy trust-to-untrust
set match source-address any
set match destination-address any
set match application any
set then permit
top
★ This completes the system baseline configuration: firewall port fe-0/0/0 is the WAN interface connected to the Internet, while ports fe-0/0/1 to fe-0/0/7 are the internal LAN interfaces. The internal network can reach the Internet freely and manage the device; from the external network only the http and https services are opened for managing the device.
★ If your device is an SRX210, change interface fe-0/0/0 above to ge-0/0/0 and fe-0/0/1 to ge-0/0/1, because ports 0/0 and 0/1 on the SRX210 are Gigabit Ethernet (ge) ports, not Fast Ethernet (fe) ports.
The configuration file produced by the CLI commands above:
system {
host-name srx100;
time-zone Asia/Taipei;
root-authentication {
encrypted-password "$1$sp75icQ0$R40jIhcciJZ6H6MKu.Gni.";
}
name-server {
168.95.1.1;
}
login {
user admin {
uid 200;
class super-user;
authentication {
encrypted-password srx100;
}
}
}
services {
ftp;
ssh {
root-login allow;
}
telnet;
netconf {
ssh;
}
web-management {
http {
interface [ vlan.0 fe-0/0/0.0 ];
}
https {
system-generated-certificate;
interface [ vlan.0 fe-0/0/0.0 ];
}
}
dhcp {
router {
192.168.1.1;
}
pool 192.168.1.0/24 {
address-range low 192.168.1.11 high 192.168.1.200;
propagate-settings vlan.0;
}
}
}
syslog {
host 192.168.1.1 {
any any;
}
host 192.168.1.11 {
any any;
}
}
max-configuration-rollbacks 15;
max-configurations-on-flash 49;
ntp {
server 118.163.81.61;
server 118.163.81.62;
server 118.163.81.63;
}
}
interfaces {
fe-0/0/0 {
unit 0 {
family inet {
dhcp;
}
}
}
fe-0/0/1 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
fe-0/0/2 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
fe-0/0/3 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
fe-0/0/4 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
fe-0/0/5 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
fe-0/0/6 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
fe-0/0/7 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
vlan {
unit 0 {
family inet {
address 192.168.1.1/24;
}
}
}
}
routing-options {
static {
route 0.0.0.0/0 next-hop 172.16.200.1;
}
}
security {
nat {
source {
rule-set trust-to-untrust {
from zone trust;
to zone untrust;
rule source-nat-rule {
match {
source-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
}
}
policies {
from-zone trust to-zone untrust {
policy trust-to-untrust {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
}
zones {
security-zone trust {
interfaces {
vlan.0 {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
}
}
}
security-zone untrust {
interfaces {
fe-0/0/0.0 {
host-inbound-traffic {
system-services {
dhcp;
http;
https;
ping;
}
}
}
}
}
}
}
vlans {
vlan-trust {
vlan-id 3;
l3-interface vlan.0;
}
}
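The following Python script is an added example, not code from the original post or from Juniper. It flattens a curly-brace configuration like the dump above into the equivalent set statements (the same hierarchy-to-set correspondence that the "edit ... / set ... / top" equivalents earlier in this section illustrate) and then audits the result for the management-plane settings a reviewer would question in this baseline: telnet, ftp and ssh root-login, which the earlier note on the root account argues against; J-Web reachable on the untrust interface; zones that accept all host-inbound services; and the absence of a login retry limit or password-length policy. The sample configuration is constructed as a trimmed copy of the baseline above; the parser, the audit rules, the function names and the two Junos knobs checked at the end (system login retry-options and system login password, which the page itself does not configure) are this example's own choices.

```python
"""Flatten a Junos curly-brace configuration into 'set' lines and audit it.

Added example, not code from the original post or from Juniper. The parser
covers only the syntax seen in the page's configuration dumps: nested '{ }'
blocks, 'name value;' statements and '[ a b ]' lists.
"""
import re

# Constructed sample: a trimmed copy of the page's baseline configuration.
SAMPLE_CONFIG = """
system {
    host-name srx100;
    services {
        ftp;
        ssh { root-login allow; }
        telnet;
        web-management {
            http { interface [ vlan.0 fe-0/0/0.0 ]; }
            https { system-generated-certificate; interface [ vlan.0 fe-0/0/0.0 ]; }
        }
    }
}
security {
    zones {
        security-zone trust {
            interfaces { vlan.0 { host-inbound-traffic { system-services { all; } } } }
        }
        security-zone untrust {
            interfaces {
                fe-0/0/0.0 {
                    host-inbound-traffic { system-services { dhcp; http; https; ping; } }
                }
            }
        }
    }
}
"""

_TOKENS = re.compile(r"\{|\}|;|[^{};]+")
_LIST = re.compile(r"^(.*?)\s*\[\s*(.*?)\s*\]$")
_WEB = re.compile(r"^set system services web-management (https?) interface (\S+)$")
_ZONE_IF = re.compile(r"^set security zones security-zone (\S+) interfaces (\S+)")
_ZONE_SVC = re.compile(r"^set security zones security-zone (\S+) interfaces (\S+) "
                       r"host-inbound-traffic system-services (\S+)$")
CLEARTEXT = ("telnet", "ftp", "xnm-clear-text")


def flatten(config_text):
    """Return the configuration as 'set ...' lines, one per leaf statement."""
    text = re.sub(r"/\*.*?\*/", "", config_text, flags=re.S)   # drop /* annotations */
    text = re.sub(r"(?m)^\s*#.*$", "", text)                    # drop comment-only lines
    path, lines, pending = [], [], ""
    for tok in _TOKENS.findall(text):
        if tok not in ("{", "}", ";"):
            pending += tok                    # accumulate text until a delimiter
            continue
        stmt, pending = " ".join(pending.split()), ""
        if tok == "{":                        # 'header {' opens a hierarchy level
            path.append(stmt)
        elif tok == "}":                      # close the current level
            path.pop()
        elif stmt:                            # 'statement;' is a leaf
            m = _LIST.match(stmt)             # 'interface [ a b ]' -> one line per member
            leaves = [f"{m.group(1)} {v}" for v in m.group(2).split()] if m else [stmt]
            lines.extend("set " + " ".join(path + [leaf]) for leaf in leaves)
    return lines


def audit(set_lines):
    """Return findings about risky management-plane settings, in a stable order."""
    lines = sorted(set(set_lines))
    findings = []
    # Interfaces belonging to the untrust zone are treated as Internet-facing.
    untrust = {m.group(2) for m in map(_ZONE_IF.match, lines) if m and m.group(1) == "untrust"}
    for svc in CLEARTEXT:
        if f"set system services {svc}" in lines:
            findings.append(f"cleartext management service enabled: {svc}")
    if "set system services ssh root-login allow" in lines:
        findings.append("ssh root-login allow: the non-renameable root account is reachable over SSH")
    for line in lines:
        m = _ZONE_SVC.match(line)
        if m:
            zone, iface, svc = m.groups()
            if svc == "all":
                findings.append(f"zone {zone} interface {iface} accepts all host-inbound system services")
            elif zone == "untrust" and svc in CLEARTEXT + ("http",):
                findings.append(f"untrust interface {iface} accepts cleartext service {svc}")
        m = _WEB.match(line)
        if m and m.group(2) in untrust:
            findings.append(f"J-Web ({m.group(1)}) bound to untrust interface {m.group(2)}")
    if not any(l.startswith("set system login retry-options") for l in lines):
        findings.append("no 'system login retry-options': failed logins are not limited")
    if not any(l.startswith("set system login password") for l in lines):
        findings.append("no 'system login password' policy (e.g. minimum-length)")
    return findings


if __name__ == "__main__":
    for finding in audit(flatten(SAMPLE_CONFIG)):
        print("-", finding)
```

Running the script prints nine findings for the sample; removing the telnet, ftp and root-login lines and adding a retry limit and a password policy leaves only the deliberate exposures (J-Web on the untrust interface, http inbound on fe-0/0/0.0 and "all" on the trust side), which is the list an operator should consciously accept or tighten before connecting the WAN port.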
You can also refer to the following links: