1、Juniper_SRX1400_產(chǎn)品配置維護手冊2022/7/23JuniperSRX1400產(chǎn)品配置維護手冊 目 錄一、SRX 1400產(chǎn)品介紹二、JUNOS 基本命令介紹三、SRX 1400配置介紹及演示四、SRX 1400日常維護JuniperSRX1400產(chǎn)品配置維護手冊 目 錄一、SRX 1400產(chǎn)品介紹二、JUNOS 基本命令介紹三、SRX 1400配置介紹及演示四、SRX 1400日常維護JuniperSRX1400產(chǎn)品配置維護手冊SRX 1400 機箱式設計(3U)4個插槽最大 1塊IOC ; 1塊NSPC ; 1塊RE ; 1塊SYSIOC(GE or XGE)固定接口(SY

2、SIOC)GE型號 6-10/100/1000,6SFPXGE型號 6-10/100/1000,3SFP,3SFP+模塊化接口16-10/100/1000;16-SFP;2-XFP多核架構(gòu)2電源冗余(1+1)性能 防火墻吞吐率 (大包) 10 Gbps并發(fā)連接數(shù) 1.5Million*最少需配1NSPC或1SPC+1NPCJuniperSRX1400產(chǎn)品配置維護手冊SRX 1400 CardsNetwork Processing Card (NPC)Single Network Processor (NP) subsystem - 10Gig throughputServices Proces

3、sing Card (SPC)Single HD-CPU subsystem / 10Gig throughputNetwork Services Processing Card (NSPC)1 GHz, 4 GB memory/CPU / 10Gig throughputRouting Engine (RE)1.2Ghz processor /w 1GB memory Complete separation of control / data planesIncludes CPP (central PFE controller) and CB (control board)I/O Cards

4、 (IOC)3 versions at FRS:2-port 10GE-XFP (SR, LR, ER)16-port GE-SFP (SX, LX, LH, T)16-port 10/100/1000 Copper10Gig full-duplex throughput (oversubscribed)JuniperSRX1400產(chǎn)品配置維護手冊 目 錄一、SRX 1400產(chǎn)品介紹二、JUNOS 基本命令介紹(演示)三、SRX 1400配置介紹及演示四、SRX 1400組網(wǎng)討論JuniperSRX1400產(chǎn)品配置維護手冊內(nèi)容JUNOS基礎知識基本命令介紹基本配置JuniperSRX1400產(chǎn)

5、品配置維護手冊操作模式shell模式$用戶模式配置模式#cli/exitstart shellconfigure/editexitJuniperSRX1400產(chǎn)品配置維護手冊配置模式配置模式提示符號是 “#“ 在 模式下鍵入config 進入配置模式#提示符還由用戶名和主機名共同組成如: userhost#JuniperSRX1400產(chǎn)品配置維護手冊配置模式你編輯的配置文件叫 candidate配置文件配置修改不是馬上生效，必須通過commit命令提交之后才生效commit提交之后, candidate配置變成active配置文件，然后新的candidate會被再次創(chuàng)建JuniperSRX14

6、00產(chǎn)品配置維護手冊基本命令-show使用 show 命令來查看candidate配置文件在哪一層就顯示哪一層的配置在最外層就顯示所有配置可以在最外層直接指定需要顯示的層次#show system#show interfaces#show interfaces fxp1#show routing-options#show protocolsJuniperSRX1400產(chǎn)品配置維護手冊set 命令 使用 set 增加或者改變配置set 參數(shù)有些是增加，有些是覆蓋#set system host-name Denver 覆蓋#set interface fxp0 unit 0 family ine

7、t address /24 增加#set routing-options router-id 覆蓋set用法有兩種：(1)一種是用edit進入?yún)?shù)層進行修改(2)一種是在最外層直接寫完所有層次參數(shù)如下面的例子：JuniperSRX1400產(chǎn)品配置維護手冊set 命令方法一： abSRX# edit system edit systemlabSRX# edit login edit system loginlabSRX# edit user lab edit system login user lablabSRX# set uid 2002 edit system

8、login user lablabSRX# 方法一配置繁瑣，但是簡單明了不容易出錯，適合入門者使用方法二：set system login user lab uid 2002方法二操作簡單，命令輸入量少，并且可以直接粘貼 ，適合熟練者使用JuniperSRX1400產(chǎn)品配置維護手冊基本命令-commit使用 commit 命令來使修改后的內(nèi)容生效commit - 檢查配置語法并且激活修改后的內(nèi)容commit check - 僅僅進行語法檢查，不真正激活配置commit and-quit 如果提交成功就退出commit confirmed next pageJuniperSRX1400產(chǎn)品配置維

9、護手冊基本命令-rollback使用 rollback 命令來恢復commit以前的配置rollback只是將配置恢復到Candidat配置erollback 或者 rollback 0 恢復上次commit之前的配置rollback 1 上兩次commit之前的配置總共可以恢復49份配置，rollback后面可以0-49rollback ? 可以顯示每次commit的時間，確定恢復那份配置run file show /config/juniper.conf.n.gzn為1-3，可以查看需要恢復配置的內(nèi)容，對應于rollback 1-3run file show /config/juniper

10、.conf.gz對應rollback 0run file show /var/db/config/juniper.conf.n.gzn為4-49，可以查看需要恢復配置的內(nèi)容，對應于rollback 4-49JuniperSRX1400產(chǎn)品配置維護手冊配置文件比較Show differences between candidate configuration file andActive configuration“Rollback” configurationAny saved configuration file# show | compare rollback number# show |

11、 compare filenameConfiguration mode onlyLike Unix diffJuniperSRX1400產(chǎn)品配置維護手冊加載配置文件Configuration information can come from an ASCII file prepared offlineSyntaxload (replace | merge | override) filename只改變candidate 配置需要 commit 來生效Use the load command toOverride 覆蓋已經(jīng)存在的配置要覆蓋整個配置，使用override 選項merge 新的配置

12、語句合并到已經(jīng)存在的配置文件中replace 用新的配置替代已經(jīng)存在的配置JuniperSRX1400產(chǎn)品配置維護手冊JUNOS Software Version?CLI commands to display installed packagesshow versionJuniperSRX1400產(chǎn)品配置維護手冊 目 錄一、SRX 1400產(chǎn)品介紹二、JUNOS 基本命令介紹三、SRX 1400配置介紹及演示 Zone Security Policies Network Address Translation High Availability Clustering 四、SRX 1400日常

13、維護JuniperSRX1400產(chǎn)品配置維護手冊ZonesJuniperSRX1400產(chǎn)品配置維護手冊Juniper Networks DeviceRouting Instance 1Routing Instance 2Routing InstanceF.T.F.T.Forwarding TableZone AZone BZone CZone DZonesInterfacesInterfaces、zones、routing instances之間的關系示意圖JuniperSRX1400產(chǎn)品配置維護手冊Zone TypesZone TypesUser-Defined (can be config

14、ured)System-Defined (cannot be configured)SecurityFunctionaljunos-globalNullJuniperSRX1400產(chǎn)品配置維護手冊Zone Configuration ProcedureSteps:Define a security or a functional zoneAdd logical interfaces to the zoneOptionally, add services and protocols that must be permitted into the services gateway through

15、the interface belonging to the zoneIf this step is omitted, no traffic destined for the services gateway is permittedJuniperSRX1400產(chǎn)品配置維護手冊Security PoliciesJuniperSRX1400產(chǎn)品配置維護手冊Security Policy DefinedWhat is a security policy?定義策略組合用于SRX，使其能根據(jù)策略來決定zone之間的數(shù)據(jù)傳輸What should I do if a packet comes in ma

16、tching Criterion A?JuniperSRX1400產(chǎn)品配置維護手冊Transit Traffic ExaminationSRX設備會根據(jù)security policies 來判斷數(shù)據(jù)傳輸?shù)霓D(zhuǎn)發(fā) Does a security policy match the traffic?Apply default policynoPacket inApply policy actions yesJuniperSRX1400產(chǎn)品配置維護手冊Default Security PoliciesSystem-default security policy: deny all traffic thr

17、ough the SRX-series services gatewayYou can change the default policy to permit all trafficFactory-default configuration has three security policies:Trust to trust: permit allTrust to untrust: permit allUntrust to trust: deny allX123System-default security policies behaviorDeny ALL transit traffic F

18、actory-default security policies behaviortrust zone untrust zoneJuniperSRX1400產(chǎn)品配置維護手冊Policy Components Summaryfrom-zone and to-zone contextMatching criteriaMatching criteriaActionActionedit security policiesfrom-zone zone-name to-zone zone-name policy name1 match source-address address-name1; desti

19、nation-address address-name1; application application-name1; then ; policy name2 match source-address address-name2; destination-address address-name2; application application-name2; then ; JuniperSRX1400產(chǎn)品配置維護手冊High Availability ClusteringJuniperSRX1400產(chǎn)品配置維護手冊High Availability Characteristics Over

20、viewHA provides:Active-passive control and data plane redundancyStateful session failover:NATALGIPsecAuthenticationSynchronization:ConfigurationSession stateChassis clusterJuniperSRX1400產(chǎn)品配置維護手冊Chassis Cluster Components OverviewChassis cluster components:Clustered services gateways are grouped by a

21、 cluster-id idNodes within a cluster are identified by a node idRedundancy groupsChassis cluster interfaces:fxp1fxp0fab rethJuniperSRX1400產(chǎn)品配置維護手冊cluster-id DetailsSet using cluster-id id cluster-id values range from 115A router can belong to only one cluster at any given timeIf cluster-id = 0, HA c

22、onfiguration is ignoredServices gateway within a cluster is set by a node idChange in cluster-id id and node id requires services gateway reboot:userhost# set chassis cluster cluster-id 1 node 0 warning: A reboot is required for chassis cluster to be enabledJuniperSRX1400產(chǎn)品配置維護手冊node id Detailsnode

23、id uniquely identifies the services gateway within a clusterRanges from 01 Determines offset of the FPC slot value in the interface name of a services gatewayuserhost set chassis cluster cluster-id id node id reboot Successfully enabled chassis cluster. Going to reboot now.JuniperSRX1400產(chǎn)品配置維護手冊Chas

24、sis Cluster InterfacesrethRedundant interface characteristics:A new ethernet pseudo-interface, called rethBundles two physical interfaces (children), one from each member of the clusterMember interfaces inherit properties of reth, as configured by the userMember interfaces can be in either active or

25、 passive mode, but not in bothThe failover properties of the member interfaces are inherited from the RG-1 configurationreth interface has a virtual MAC addressBased on cluster and interface IDJuniperSRX1400產(chǎn)品配置維護手冊Chassis Cluster Interfacesfxp0fxp0 interfaceUsed for out-of-band managementAllows acc

26、ess to each node of a clusterIt is good practice for each node to have a unique IP address for fxp0 interfacerequires groups configurationJuniperSRX1400產(chǎn)品配置維護手冊Chassis Cluster Interfacesfxp1fxp1 interfaceConfigured SPC ports used for chassis cluster control planege-0/0/10 and ge-0/0/11 on SYSIOCJUNO

27、S software assigns an internal IP address to fxp1Trivial Network Protocol runs on the interfaceJUNOS software transmits heartbeat signals to determine the health of the control linkif the number of missed heartbeats reaches the configured threshold, the system fails overIf fxp1 fails, JUNOS software

28、 disables the secondary nodeNode configuration files are automatically synchronized over fxp1JuniperSRX1400產(chǎn)品配置維護手冊Chassis Cluster Interfacesfabfabn = 2 Gigabit Ethernet or 10 GigabitEthernet, used for HA data plane Fabric interface is formed n reflects the node ID and starts from 0Two nodes of a cl

29、uster must have fabn on the same LANfab interface specifics:interface does not support filters, policies, logical interfaces, or servicesMember interfaces must be of the same typeJumbo frames are supportedFragmentation is not supportedJuniperSRX1400產(chǎn)品配置維護手冊Chassis Cluster Interface SummaryfabnNode 0

30、Node 1Clusterfxp1fxp0fxp0rethmrethmControl planeData planeManagementManagementRedundant interfacesa.b.c /24JuniperSRX1400產(chǎn)品配置維護手冊Monitoring Cluster Statisticsusernode0-host show chassis cluster statistics Initial hold: 10 Reth Information: reth status redundancy-group reth0 down not configured reth1

31、 up 1 Services Synchronized: Service-name Rtos-sent Rtos-received Translation Context 0 0 Incoming NAT 0 0 Resource Manager 5 0 Session-create 0 0 Session-close 0 0 Session-change 0 0 Gate-create 0 0 Session-Ageout-refresh-request 0 0 Session-Ageout-refresh-reply 0 0 VPN 0 0 Firewall User Authentica

32、tion 0 0 MGCP Alg 0 0 .Interface Monitoring: Interface Weight Status Redundancy-group ge-12/0/0 100 up 1 ge-0/0/0 100 up 1 chassis-cluster interfaces: Control link: up 6606 heart beats sent 13729 heart beats received 1200 ms interval 5 thresholdchassis-cluster interfaces: Fabric link: up 15505 heart

33、beat packets sent on fabric-link interface 13728 heartbeat packets received on fabric-link interfaceJuniperSRX1400產(chǎn)品配置維護手冊Manual Failoverusernode0-host show chassis cluster status redundancy-group 1 Cluster: 1, Redundancy-Group: 1 Device name Priority Status Preempt Manual failover node0 200 Primary

34、 No No node1 100 Secondary No No usernode0-host request chassis cluster failover redundancy-group 1 node 1node1:Initiated manual failover for redundancy group 1usernode0-host show chassis cluster status redundancy-group 1 Cluster: 1, Redundancy-Group: 1 Device name Priority Status Preempt Manual fai

35、lover node0 200 Secondary No Yes node1 255 Primary No YesVerify status:Initiate failover:JuniperSRX1400產(chǎn)品配置維護手冊 目 錄一、SRX 1400產(chǎn)品介紹二、JUNOS 基本命令介紹三、SRX 1400配置介紹及演示四、SRX 1400日常維護JuniperSRX1400產(chǎn)品配置維護手冊使用故障檢查資源冷卻系統(tǒng)故障檢查日常性能檢查應急預案JuniperSRX1400產(chǎn)品配置維護手冊CLI命令行使用故障檢查資源對于SRX的硬件、軟件、路由協(xié)議、網(wǎng)絡連接性的控制和故障檢查、，JUNOS的CLI命

36、令行是主要的使用工具。CLI命令行可以顯示路由表信息，路由協(xié)議的信息，使用ping和traceroute工具體現(xiàn)的網(wǎng)絡連接信息。可以通過連接路由引擎上的CONSOLE、ETHERNET、AUX口進入CLI命令行接口。關于使用CLI顯示端口和機箱產(chǎn)生的告警信息，請參閱“硬件和端口告警信息”。JuniperSRX1400產(chǎn)品配置維護手冊LED 下面描述的LED位于各個組件上，用于顯示各個組件的狀態(tài)。 Craft Interface LED：SRX 1400前面板由一個Craft 面板指示系統(tǒng)狀態(tài)，Craft面板上包括路由引擎狀態(tài)指示燈，電源狀態(tài)指示燈，風扇狀態(tài)指示燈和告警指示燈等等 Compone

37、nt LED：SRX 1400的各個系統(tǒng)組件還有自己單獨的狀態(tài)指示燈，比如IOC上的每個端口都有一個LED指示端口狀態(tài)使用故障檢查資源JuniperSRX1400產(chǎn)品配置維護手冊硬件和端口告警信息當路由引擎檢測到一個告警的時候，會將前面板上相應的紅色或者黃色的告警LED點亮?？梢栽诿钚兄惺褂胹how chassis alarms顯示詳細的告警描述。uerhost show chassis alarms這里將描述兩類告警消息：機箱告警（Chassis alarms）指示機箱組件的告警信息，例如冷卻系統(tǒng)或者電源系統(tǒng)，詳情請查閱下面的表格。端口告警（Interface alarms）指示某個端口的

38、問題，詳情請查閱下面的表格。下面的兩個表格中的信息為使用命令show chassis alarms輸出的結(jié)果。表格 36：機箱告警消息 使用故障檢查資源JuniperSRX1400產(chǎn)品配置維護手冊冷卻系統(tǒng)故障檢查冷卻系統(tǒng)故障檢查冷卻系統(tǒng)包含安裝在機箱側(cè)面的風扇盤來保證SRX工作在一個可以接受的溫度環(huán)境下。要檢查風扇盤，執(zhí)行下面的步驟：通過CLI命令行檢查電源模塊狀態(tài)。通過下面的命令，觀察輸出的Status域的狀態(tài)：rootFW02 show chassis environment Class Item Status MeasurementFans Left Fan 1 OK Spinning

39、at normal speed Left Fan 2 OK Spinning at normal speed Left Fan 3 OK Spinning at normal speed Left Fan 4 OK Spinning at normal speed.如果有風扇盤發(fā)生故障，可以通過觀察判斷出哪一個風扇除了問題。然后再處理。JuniperSRX1400產(chǎn)品配置維護手冊日常性能檢查監(jiān)控RE CPU利用率SRX 1400的路由引擎主要工作是維護路由協(xié)議和路由表rootFW02 show chassis routing-enginerootFW02 show chassis routin

40、g-engine node0:Routing Engine status: Slot 0: Current state Master Election priority Master (default) DRAM 1023 MB Memory utilization 29 percent CPU utilization: User 2 percent Background 0 percent Kernel 8 percent Interrupt 2 percent Idle 88 percent Model RE-SRX 1400 Start time 2010-01-19 22:15:50

41、CST Uptime 7 days, 16 hours, 45 minutes, 20 seconds Last reboot reason 0 x1:power cycle/failure Load averages: 1 minute 5 minute 15 minute 0.01 0.05 0.07JuniperSRX1400產(chǎn)品配置維護手冊日常性能檢查監(jiān)控SPU利用率由于SRX 1400的會話查找，維護都是SPC負責的，因此需要監(jiān)控SPC 板卡的利用率。正常工作狀態(tài)下，SPC的CPU利用率應該在60%以下，如出現(xiàn)CPU利用率過高情況需給予足夠重視，應檢查Session使用情況和各類告警

42、信息，并檢查網(wǎng)絡中是否存在攻擊流量。SRX防火墻對內(nèi)存采用“預分配”機制，空載時內(nèi)存使用率為約50-70%，隨著流量不斷增長，內(nèi)存的使用率應基本保持穩(wěn)定。如果出現(xiàn)內(nèi)存使用率高達90時，則需檢查網(wǎng)絡中是否存在攻擊流量。rootFW02 show security monitoring fpc 6 #”6” 是SPC所在的槽位編號node0:FPC 6 PIC 0 CPU utilization : 13 % （ SPC 的CPU 利用率） Memory utilization : 64 % （ SPC 的內(nèi)存利用率） Current flow session : 73155 Max flow s

43、ession : 524288 Current CP session : 461767 Max CP session : 2359296node1:JuniperSRX1400產(chǎn)品配置維護手冊日常性能檢查監(jiān)控并發(fā)會話數(shù)rootFW02 show security monitoring fpc 6 #”6” 是SPC所在的槽位編號rootFW02 show security monitoring fpc 6 node0:FPC 6 PIC 0CPU utilization : 13 % Memory utilization : 64 % Current flow session : 73155

44、Max flow session : 524288 Current CP session : 461767 （當前并發(fā)為461767） Max CP session : 2359296JuniperSRX1400產(chǎn)品配置維護手冊日常性能檢查監(jiān)控雙機狀態(tài)正常情況（優(yōu)先級為1-255，數(shù)值高則優(yōu)先級高）rootFW02 show chassis cluster statusCluster ID: 1Node Priority Status Preempt Manual failoverRedundancy group: 0 , Failover count: 3 node0 254 primary

45、 no yes node1 100 secondary no yesRedundancy group: 1 , Failover count: 3 node0 254 primary no no node1 100 secondary no noJuniperSRX1400產(chǎn)品配置維護手冊日常性能檢查切換雙機狀態(tài)方法一： CLI 方式rootFW02request chassis cluster failover node 1 redundancy-group 1 (將nod1變?yōu)間roup 1 的主機)rootFW02request chassis cluster failover reset redundancy-group 1 （ 將nod1 的優(yōu)先級恢復為254）