Juniper设备标准配置

1.1.主机名配置

 

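groups {
    re0 {
        system {
            host-name ××××;                    // hostname of the primary Routing Engine (placeholder)
        }
    }
    re1 {
        system {
            host-name ×××××;                   // hostname of the backup Routing Engine (placeholder)
        }
    }
}                                              // closes "groups" (the closing brace was missing in the original)
apply-groups [ re0 re1 ];                      // apply both groups; Junos applies the group named re0/re1 only on the matching RE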

1.2.双引擎可靠性配置

     chassis {
            redundancy {
                failover on-loss-of-keepalives;   // switch to the backup RE when keepalives from the master stop (the page states a 2 s window)
                failover on-disk-failure;         // switch to the backup RE on disk failure
                graceful-switchover;           // enable graceful Routing Engine switchover (GRES)
                                               // NOTE(review): GRES covers the RE switchover itself; routing-protocol continuity
                                               // (e.g. nonstop-active-routing) is a separate knob — confirm whether it is required here
            }
    }

 

1.3.管理员配置

system {
    root-authentication {                             // root password; stored as a hash, set it from the CLI rather than pasting a literal
        encrypted-password "!@#¥%……&×()"; ## SECRET-DATA      // placeholder, not a real hash
    }
    login {
        user lab {                               // local administrator account; note the account name here is "lab" (the original note said "admin")
            class super-user;                    // full privileges — keep the number of super-user accounts minimal
            authentication {
                encrypted-password "!@#¥%……&×()"; ## SECRET-DATA   // placeholder, not a real hash
            }
        }
    }
}

 

1.4.Radius用户认证

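system {
    authentication-order [ radius password ];   // RADIUS first, then the local password.
                                                // Note: listing "password" here means the local password is also tried when
                                                // RADIUS is reachable but rejects the user, not only when RADIUS is unreachable.
                                                // If fallback is wanted only on unreachable servers, omit "password" (Junos then
                                                // falls back to local auth when no server responds) — confirm on the target release.
    radius-server {                             // RADIUS server 10.0.0.3 and its shared secret
        10.0.0.3 secret "!@#¥%……&×()"; ## SECRET-DATA   // placeholder; use a long random secret and a fixed source-address
    }
}                                               // closes "system" (the closing brace was missing in the original)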

 

1.5.SSH配置

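system {
    services {
        ssh {                                   // enable SSH for management access
            protocol-version v2;                // SSHv2 only
            root-login deny;                    // root must not log in remotely; use the named admin account
                                                // NOTE(review): consider connection-limit / rate-limit to throttle password guessing
        }
    }
}                                               // closes "system" (only one closing brace was present in the original)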

1.6.Syslog配置

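system {
    syslog {                                    // "syslog" lives under "system"; the original omitted the enclosing level and the closing braces
        archive size 1m files 5;                // rotate local log files at 1 MB, keep 5
        user * {
            any emergency;                      // emergency messages are sent to every logged-in user
        }
        file messages {                         // local log file "messages" (the two "file messages" stanzas of the original are merged)
            any notice;                         // every facility at notice and above
            authorization info;                 // login / authorization events
        }
        file interactive-commands {             // record every interactive CLI command (the original note misspelled "interactive")
            interactive-commands any;
        }
        host 10.1.1.1 {                         // remote syslog server
            any notice;
            authorization info;                 // also ship login events off-box so they survive local rotation or tampering
            interactive-commands any;           // and the command audit trail
        }
        source-address sourc_addr;              // source address of exported logs — placeholder; a loopback address is recommended
    }
}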

1.7.设置NTP服务器

system {
time-zone Asia/Shanghai;                    // local time zone (log timestamps use it)
    ntp {                
        server 10.128.1.251 prefer;               // preferred NTP server
        server 10.128.1.250;                      // secondary NTP server
                                                  // NOTE(review): NTP here is unauthenticated; consider authentication-key / trusted-key
                                                  // and a fixed source-address — confirm the servers support it
    }
}

 

1.8.SNMP配置

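snmp {
    community "<RO-COMMUNITY>" {                // read-only community; the original used " 1234567  " (with stray spaces) — use a long random string
        authorization read-only;
        clients {
            addr/msk;                           // only the management network may poll; all other sources are refused
        }
    }
    community "<RW-COMMUNITY>" {                // read-write community; must differ from the read-only one (the original reused 1234567 for both)
        authorization read-write;               // write access can reconfigure the device — omit this stanza unless it is really needed
        clients {
            addr/msk;
        }
    }
    // NOTE(review): community strings travel in clear text; SNMPv3 with authentication and privacy is preferable where supported
}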

 

 

1.9.安全加固配置

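firewall {
    filter manage {                             // filter named "manage", applied to the loopback to protect the Routing Engine
        term 1 {
            from {
                source-address {
                    addr/msk;                   // management network allowed to reach the device
                }
            }
            then accept;                        // "then" is a sibling of "from" (the original placed it inside "from")
        }
        term deny-rest {                        // Junos filters end with an implicit discard; make it explicit and log it
            then {
                log;
                discard;
            }
        }
        // NOTE(review): with only these terms, every other packet to the RE is dropped — including routing
        // protocols, NTP, and RADIUS / syslog traffic. Add accept terms for the protocols this device
        // actually needs before "deny-rest", and test on a lab device before applying to lo0.0.
    }
}
interfaces {                                    // lo0 belongs under "interfaces" (missing in the original, as were the closing braces)
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input manage;               // apply the filter to lo0.0, i.e. to traffic destined to the RE
                }
            }
        }
    }
}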

 

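system {
    ports {
        console log-out-on-disconnect;          // log the user out when the console cable is unplugged
    }
    login {
        retry-options {
            tries-before-disconnect 3;          // three failed passwords, then the session is dropped and must reconnect
        }
        // NOTE(review): consider an idle-timeout on the login classes and a login message (banner) — confirm site policy
    }
}                                               // closes "system" (the closing brace was missing in the original)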

 

 

 

 
