关闭自动更新:delete chassis auto-image-upgrade
EVE-NG里的Juniper直接修改密码不生效。我这里是先添加admin的密码,commit报错(Junos要求必须配置root-authentication),再添加root密码之后,才能够正确修改。另外注意 encrypted-password 后面应填已哈希的密码串,想直接输入明文应改用 plain-text-password(交互提示输入)。操作如下:
set system login idle-timeout 5
set system login user admin uid 2004
set system login user admin class super-user
set system login user admin authentication encrypted-password admin.123
set system root-authentication encrypted-password
注意的地方:
进入配置模式尽量用 configure private 命令进去:这个模式下配置的命令只有你自己 commit 才会生效;而用 configure(或 edit)进入的共享配置模式下,任何人 commit 都会把所有人的修改一起提交。如果多人同时登录设备,你正在配置时别人 commit,就有把你未完成的配置提交上去的风险。
允许通过URL远程执行Python op脚本
set groups phcd_user_script system scripts op allow-url-for-python
set groups phcd_user_script system scripts language python
set apply-groups phcd_user_script
设置系统提交同步:set system commit synchronize
添加用户
set system login idle-timeout 5
set system login user admin uid 2004
set system login user admin class super-user
set system login user admin authentication encrypted-password admin.123
允许root通过SSH登录:set system services ssh root-login allow
启用Telnet服务:set system services telnet
设置主机名:set system host-name juniper-6666
设置时区:set system time-zone Asia/地点
设置syslog:所有已登录用户接收任意设施的emergency级别消息:set system syslog user * any emergency
设置syslog:messages文件记录任意设施的notice级别消息:set system syslog file messages any notice
设置syslog:messages文件记录authorization设施的info级别消息:set system syslog file messages authorization info
设置syslog:interactive-commands文件记录交互命令日志(interactive-commands设施,any级别):set system syslog file interactive-commands interactive-commands any
启用DHCP服务进程并设置跟踪日志:set system processes dhcp-service enable
set system processes dhcp-service traceoptions file dhcp_logfile
set system processes dhcp-service traceoptions file size 10m
set system processes dhcp-service traceoptions level all
set system processes dhcp-service traceoptions flag all
配置二层接口、带宽限速(通过过滤器调用policer)
set interfaces ge-0/0/1 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members 1100
set interfaces ge-0/0/1 unit 0 family ethernet-switching filter input ge-0/0/1_input
set interfaces ge-0/0/1 unit 0 family ethernet-switching filter output ge-0/0/1_output
set interfaces ge-0/0/1 unit 0 family ethernet-switching storm-control default
set interfaces ge-0/0/1 speed 1g
set firewall family ethernet-switching filter ge-0/0/1_input interface-specific
set firewall family ethernet-switching filter ge-0/0/1_input term ge-0/0/1_input then policer ge-0/0/1_input
set firewall family ethernet-switching filter ge-0/0/1_output interface-specific
set firewall family ethernet-switching filter ge-0/0/1_output term ge-0/0/1_output then policer ge-0/0/1_output
set firewall policer ge-0/0/1_input if-exceeding bandwidth-limit 30m
set firewall policer ge-0/0/1_input if-exceeding burst-size-limit 128k
set firewall policer ge-0/0/1_input then discard
set firewall policer ge-0/0/1_output if-exceeding bandwidth-limit 100m
set firewall policer ge-0/0/1_output if-exceeding burst-size-limit 128k
set firewall policer ge-0/0/1_output then discard
配置互联接口:set interfaces ge-0/2/3 unit 0 family inet address 172.16.1.1/30
配置网关地址(irb三层接口)
set interfaces irb unit 1100 family inet address 100.110.32.30/27
set interfaces irb unit 1100 family inet address 100.110.32.30/27
set interfaces irb unit 1100 family inet address 100.110.32.30/27
配置lo0口及本机保护过滤器local_Filter(放行DHCP、SNMP、SSH、Telnet相关流量)
set interfaces lo0 unit 0 family inet filter input local_Filter
set interfaces lo0 unit 0 family inet address 172.16.1.1/32
set interfaces vme unit 0 family inet dhcp
set firewall family inet filter local_Filter term dhcp-client-accept from source-address 0.0.0.0/0
set firewall family inet filter local_Filter term dhcp-client-accept from destination-address 255.255.255.255/32
set firewall family inet filter local_Filter term dhcp-client-accept from protocol udp
set firewall family inet filter local_Filter term dhcp-client-accept from source-port 68
set firewall family inet filter local_Filter term dhcp-client-accept from destination-port 67
set firewall family inet filter local_Filter term dhcp-client-accept then count dhcp-client-accept
set firewall family inet filter local_Filter term dhcp-client-accept then accept
set firewall family inet filter local_Filter term dhcp-server-accept from protocol udp
set firewall family inet filter local_Filter term dhcp-server-accept from source-port 67
set firewall family inet filter local_Filter term dhcp-server-accept from source-port 68
set firewall family inet filter local_Filter term dhcp-server-accept from destination-port 67
set firewall family inet filter local_Filter term dhcp-server-accept from destination-port 68
set firewall family inet filter local_Filter term dhcp-server-accept then count dhcp-server-accept
set firewall family inet filter local_Filter term dhcp-server-accept then accept
set firewall family inet filter local_Filter term snmp_permit from source-address 10.10.10.10/32
set firewall family inet filter local_Filter term snmp_permit from protocol udp
set firewall family inet filter local_Filter term snmp_permit from port snmp
set firewall family inet filter local_Filter term snmp_permit then count snmp_permit
set firewall family inet filter local_Filter term snmp_permit then accept
set firewall family inet filter local_Filter term snmp_block from protocol udp
set firewall family inet filter local_Filter term snmp_block from port snmp
set firewall family inet filter local_Filter term snmp_block then count snmp_permit
set firewall family inet filter local_Filter term snmp_block then discard
set firewall family inet filter local_Filter term allow-telnet from source-address 10.10.0.0/16
set firewall family inet filter local_Filter term allow-telnet from source-address 15.15.15.0/24
set firewall family inet filter local_Filter term allow-telnet from protocol tcp
set firewall family inet filter local_Filter term allow-telnet from port telnet
set firewall family inet filter local_Filter term allow-telnet from port ssh
set firewall family inet filter local_Filter term allow-telnet then log
set firewall family inet filter local_Filter term allow-telnet then accept
set firewall family inet filter local_Filter term block-telnet from protocol tcp
set firewall family inet filter local_Filter term block-telnet from port telnet
set firewall family inet filter local_Filter term block-telnet from port ssh
set firewall family inet filter local_Filter term block-telnet then log
set firewall family inet filter local_Filter term block-telnet then discard
set firewall family inet filter local_Filter term default_accept then accept
SNMP配置(v3 USM用户 + v2c community)
set snmp v3 usm local-engine user snmpuser authentication-md5 authentication-key "xxxxxxxx"
set snmp v3 usm local-engine user snmpuser privacy-none
set snmp v3 vacm security-to-group security-model v2c security-name snmpuser group snmpuser
set snmp v3 vacm security-to-group security-model usm security-name snmpuser group snmpuser
set snmp v3 vacm access group snmpuser default-context-prefix security-model any security-level authentication read-view all
set snmp v3 snmp-community snmpuser community-name "xxx"
set snmp v3 snmp-community snmpuser security-name snmpuser
set snmp community public_32 authorization read-only
设置转发选项:默认风暴控制配置文件作用于所有流量类型
set forwarding-options storm-control-profiles default all
DHCP中继配置
set forwarding-options dhcp-relay overrides bootp-support
set forwarding-options dhcp-relay forward-only
set forwarding-options dhcp-relay server-group idc 101.1.1.1
set forwarding-options dhcp-relay server-group idc 101.1.1.2
set forwarding-options dhcp-relay server-group idc 101.1.1.3
set forwarding-options dhcp-relay active-server-group idc
set forwarding-options dhcp-relay group idc overrides
set forwarding-options dhcp-relay group idc forward-only
set forwarding-options dhcp-relay group idc interface irb.1100
set forwarding-options dhcp-relay group idc interface irb.1101
set forwarding-options dhcp-relay group idc interface irb.1102
静态路由(默认路由)
set routing-options static route 0.0.0.0/0 next-hop 172.10.1.1
LLDP配置
set protocols lldp interface all
set protocols lldp-med interface all
IGMP snooping和RSTP配置
set protocols igmp-snooping vlan default
set protocols rstp interface all
创建二层vlan、三层vlan
set vlans L2_1100 vlan-id 1100
set vlans L2_1100 l3-interface irb.1100
set vlans L2_1101 vlan-id 1101
set vlans L2_1101 l3-interface irb.1101
set vlans L2_1102 vlan-id 1102
set vlans L2_1102 l3-interface irb.1102
配置默认vlan和管理vlan(mgt)
set vlans default vlan-id 1
set vlans default l3-interface irb.0
set vlans mgt vlan-id 3000
set vlans mgt l3-interface irb.3000