Juniper SRX1400 Product Configuration and Maintenance Manual (2022-8-8)

Contents
1. SRX 1400 product introduction
2. Introduction to basic JUNOS commands
3. SRX 1400 configuration introduction and demonstration
4. SRX 1400 routine maintenance

Part 1: SRX 1400 product introduction

SRX 1400 overview
- Chassis design: 3U, 4 slots; at most 1 IOC, 1 NSPC, 1 RE and 1 SYSIOC (GE or XGE)
- Fixed interfaces (SYSIOC): GE model: 6 x 10/100/1000 and 6 x SFP; XGE model: 6 x 10/100/1000, 3 x SFP and 3 x SFP+
- Modular interfaces: 16 x 10/100/1000; 16 x SFP; 2 x XFP
- Multi-core architecture: 2
- Power redundancy: 1+1
- Performance: firewall throughput (large packets) 10 Gbps; concurrent connections 1.5 million
- * At least 1 NSPC, or 1 SPC + 1 NPC, must be installed

SRX 1400 cards
- Network Processing Card (NPC):
  single Network Processor (NP) subsystem; 10 Gig throughput
- Services Processing Card (SPC): single HD-CPU subsystem; 10 Gig throughput
- Network Services Processing Card (NSPC): 1 GHz, 4 GB memory per CPU; 10 Gig throughput
- Routing Engine (RE): 1.2 GHz processor with 1 GB memory; complete separation of the control and data planes; includes the CPP (central PFE controller) and the CB (control board)
- I/O Cards (IOC), three versions at FRS: 2-port 10GE-XFP (SR, LR, ER); 16-port GE-SFP (SX, LX, LH, T); 16-port 10/100/1000 copper; 10 Gig full-duplex throughput (oversubscribed)

Part 2: Introduction to basic JUNOS commands (demonstration)

Contents: JUNOS basics; basic commands; basic configuration.

Operating modes
- Shell mode, prompt "$": enter the CLI with cli; exit returns to the shell
- Operational mode, prompt ">": start shell enters the shell; configure (or edit) enters configuration mode
- Configuration mode, prompt "#": exit returns to operational mode

Configuration mode
The configuration-mode prompt is "#". In operational mode, type configure to enter configuration mode. The prompt also carries the user name and host name, for example user@host#.
The configuration you edit is the candidate configuration. Changes do not take effect immediately: they must be submitted with the commit command. After the commit, the candidate configuration becomes the active configuration and a new candidate is created.

Basic command: show
Use show to view the candidate configuration. It shows the configuration of the hierarchy level you are in; at the top level it shows the whole configuration. At the top level you can also name the level to display:
    # show system
    # show interfaces
    # show interfaces fxp1
    # show routing-options
    # show protocols

Basic command: set
Use set to add or change configuration. Some set parameters add to the configuration, others overwrite it:
    # set system host-name Denver                                  (overwrites)
    # set interfaces fxp0 unit 0 family inet address 1.1.1.1/24    (adds)
    # set routing-options router-id 2.2.2.2                        (overwrites)
There are two ways to use set: (1) use edit to move into the hierarchy level and change it there, or (2) write the full hierarchy path in one command at the top level, as in the following examples.

set, method 1:
    lab@SRX# edit system
    [edit system]
    lab@SRX# edit login
    [edit system login]
    lab@SRX# edit user lab
    [edit system login user lab]
    lab@SRX# set uid 2002
    [edit system login user lab]
    lab@SRX#
Method 1 is long-winded, but it is clear and hard to get wrong, which suits beginners.

set, method 2:
    set system login user lab uid 2002
Method 2 is simple, needs few keystrokes and can be pasted directly, which suits experienced users.

Basic command: commit
Use commit to bring the changes into effect:
- commit: checks the configuration syntax and activates the changes
- commit check: only checks the syntax, without activating the configuration
- commit and-quit: exits configuration mode if the commit succeeds
- commit confirmed: see the next page

Basic command: rollback
Use rollback to return to a configuration from before a commit. rollback only restores the configuration into the candidate configuration.
- rollback, or rollback 0: the configuration from before the last commit
- rollback 1: the configuration from before the last two commits
- 49 configurations are kept in total; the number after rollback ranges from 0 to 49
- rollback ? lists the time of each commit, so you can decide which one to restore
- run file show /config/juniper.conf.n.gz, with n = 1-3, displays the configuration that would be restored by rollback 1-3
- run file show /config/juniper.conf.gz corresponds to rollback 0
- run file show /var/db/config/juniper.conf.n.gz, with n = 4-49, displays the configuration that would be restored by rollback 4-49

Comparing configuration files
show | compare shows the differences between the candidate configuration and the active configuration, a "rollback" configuration or any saved configuration file. It works in configuration mode only and behaves like Unix diff:
    # show | compare rollback number
    # show | compare filename

Loading configuration files
Configuration information can come from an ASCII file prepared offline. Syntax: load (replace | merge | override) filename. load only changes the candidate configuration; a commit is needed for it to take effect. The load options:
- override: overwrites the existing configuration; use this to replace the whole configuration
- merge: merges the new configuration statements into the existing configuration
- replace: replaces the existing configuration with the new one

JUNOS software version
CLI command to display the installed packages: show version

Part 3: SRX 1400 configuration introduction and demonstration
- Zones
- Security Policies
- Network Address Translation
- High Availability Clustering

Zones
[Figure: relationship among interfaces, zones and routing instances on a Juniper Networks device. Interfaces belong to zones A-D; the zones belong to routing instances 1 and 2, each with its own forwarding table.]

Zone types
- User-defined (can be configured): Security zones, Functional zones
- System-defined (cannot be configured): junos-global, Null

Zone configuration procedure
1. Define a security zone or a functional zone.
2. Add logical interfaces to the zone.
3. Optionally, add the services and protocols that must be permitted into the services gateway through the interfaces belonging to the zone. If this step is omitted, no traffic destined for the services gateway itself is permitted.

Security policies
What is a security policy? A set of policies defined on the SRX so that it can decide, according to policy, which traffic is passed between zones.

Transit traffic examination
The SRX decides whether to forward transit traffic according to the security policies:
    Packet in -> Does a security policy match the traffic?
        yes -> apply the policy actions
        no  -> apply the default policy

Default security policies
The system-default security policy denies all traffic through the SRX-series services gateway. You can change the default policy to permit all traffic. The factory-default configuration has three security policies:
1. trust to trust: permit all
2. trust to untrust: permit all
3. untrust to trust: deny all
[Figure: system-default security policy behaviour: deny all transit traffic]
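An added illustration, not from the manual, of the lookup just described: policies are kept per from-zone/to-zone context, the first matching policy decides, and anything unmatched falls to the default policy (deny, unless changed). The address book, application set, policy names and packets are constructed for the example.

```python
from ipaddress import ip_address, ip_network

# Constructed address book and application set (names are made up;
# 'any' matches everything, as on the SRX).
ADDRESS_BOOK = {"any": None, "web-srv": "2.2.2.2/32"}
APPLICATIONS = {"any": None, "junos-http": ("tcp", 80), "junos-ssh": ("tcp", 22)}

def policy(name, src, dst, app, then):
    """One policy: the three match criteria plus the action."""
    return {"name": name, "source-address": src, "destination-address": dst,
            "application": app, "then": then}

def matches(pol, pkt):
    """True when the packet satisfies all three match criteria of the policy."""
    for field, book_name in (("src", pol["source-address"]),
                             ("dst", pol["destination-address"])):
        prefix = ADDRESS_BOOK[book_name]
        if prefix is not None and ip_address(pkt[field]) not in ip_network(prefix):
            return False
    app = APPLICATIONS[pol["application"]]
    return app is None or app == (pkt["proto"], pkt["dport"])

def evaluate(policies, pkt, default="deny"):
    """Look up the from-zone/to-zone context, apply the first matching policy,
    otherwise apply the default policy (system default: deny)."""
    for pol in policies.get((pkt["from"], pkt["to"]), []):
        if matches(pol, pkt):
            return pol["name"], pol["then"]
    return "default-policy", default

def pkt(from_zone, to_zone, src, dst, proto="tcp", dport=80):
    """A transit packet, reduced to the fields the policy lookup needs."""
    return {"from": from_zone, "to": to_zone, "src": src, "dst": dst,
            "proto": proto, "dport": dport}

# Factory-default style policy set from the manual, with one narrower policy
# placed in front of the untrust->trust deny to show that order matters.
POLICIES = {
    ("trust", "trust"): [policy("default-permit", "any", "any", "any", "permit")],
    ("trust", "untrust"): [policy("default-permit", "any", "any", "any", "permit")],
    ("untrust", "trust"): [policy("allow-web", "any", "web-srv", "junos-http", "permit"),
                           policy("default-deny", "any", "any", "any", "deny")],
}

if __name__ == "__main__":
    for p in (pkt("trust", "untrust", "10.1.10.5", "198.51.100.7"),
              pkt("untrust", "trust", "203.0.113.9", "2.2.2.2"),
              pkt("untrust", "trust", "203.0.113.9", "2.2.2.2", dport=22),
              pkt("untrust", "dmz", "203.0.113.9", "10.1.10.5")):   # no such context
        print(p["from"], "->", p["to"], p["dst"], p["dport"], evaluate(POLICIES, p))
```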
[Figure: factory-default security policy behaviour between the trust zone and the untrust zone]

Policy components summary
A policy has a from-zone and to-zone context, matching criteria and an action:
    edit security policies
    from-zone zone-name to-zone zone-name {
        policy name1 {
            match {
                source-address address-name1;
                destination-address address-name1;
                application application-name1;
            }
            then ;
        }
        policy name2 {
            match {
                source-address address-name2;
                destination-address address-name2;
                application application-name2;
            }
            then ;
        }
    }

High Availability Clustering

High availability characteristics overview
HA (a chassis cluster) provides:
- Active-passive control-plane and data-plane redundancy
- Stateful session failover for NAT, ALG, IPsec and authentication
- Synchronization of the configuration and of the session state

Chassis cluster components overview
- Clustered services gateways are grouped by a cluster-id
- Nodes within a cluster are identified by a node id
- Redundancy groups
- Chassis cluster interfaces: fxp1, fxp0, fab, reth

cluster-id details
- Set with cluster-id id; values range from 1 to 15
- A device can belong to only one cluster at any given time
- If cluster-id is 0, the HA configuration is ignored
- The services gateway within a cluster is identified by its node id
- Changing the cluster-id or the node id requires a reboot of the services gateway:
    user@host# set chassis cluster cluster-id 1 node 0
    warning: A reboot is required for chassis cluster to be enabled

node id details
- The node id uniquely identifies the services gateway within a cluster; it ranges from 0 to 1
- It determines the offset of the FPC slot value in the interface names of that services gateway
    user@host> set chassis cluster cluster-id id node id reboot
    Successfully enabled chassis cluster. Going to reboot now.

Chassis cluster interfaces: reth
Redundant interface characteristics:
- A new Ethernet pseudo-interface, called reth
- Bundles two physical interfaces (children), one from each member of the cluster
- Member interfaces inherit the properties of the reth, as configured by the user
- Member interfaces can be in either active or passive mode, but not in both
- The failover properties of the member interfaces are inherited from the RG-1 configuration
- The reth interface has a virtual MAC address based on the cluster and interface IDs

Chassis cluster interfaces: fxp0
- Used for out-of-band management
- Allows access to each node of a cluster
- It is good practice for each node to have a unique IP address on fxp0, which requires a groups configuration

Chassis cluster interfaces: fxp1
- Configured SPC ports used for the chassis cluster control plane; on the SRX 1400 these are ge-0/0/10 and ge-0/0/11 on the SYSIOC
- JUNOS software assigns an internal IP address to fxp1
- The Trivial Network Protocol runs on the interface
- JUNOS software transmits heartbeat signals over it to determine the health of the control link; if the number of missed heartbeats reaches the configured threshold, the system fails over
- If fxp1 fails, JUNOS software disables the secondary node
- Node configuration files are automatically synchronized over fxp1

Chassis cluster interfaces: fab
- fabn: a Gigabit Ethernet or 10 Gigabit Ethernet link used for the HA data plane; the fabric interface is formed over it; n reflects the node ID and starts from 0
- The two nodes of a cluster must have fabn on the same LAN
- fab interface specifics: the interface does not support filters, policies, logical interfaces or services; member interfaces must be of the same type; jumbo frames are supported; fragmentation is not supported

Chassis cluster interface summary
[Figure: Node 0 and Node 1 forming a cluster. fxp1 carries the control plane, fabn the data plane, fxp0 on each node is the management interface, and rethm are the redundant interfaces, addressed a.b.c/24.]

Monitoring cluster statistics
    user@node0-host> show chassis cluster statistics
    Initial hold: 10
    Reth Information:
        reth    status    redundancy-group
        reth0   down      not configured
        reth1   up        1
    Services Synchronized:
        Service-name                        Rtos-sent    Rtos-received
        Translation Context                 0            0
        Incoming NAT                        0            0
        Resource Manager                    5            0
        Session-create                      0            0
        Session-close                       0            0
        Session-change                      0            0
        Gate-create                         0            0
        Session-Ageout-refresh-request      0            0
        Session-Ageout-refresh-reply        0            0
        VPN                                 0            0
        Firewall User Authentication        0            0
        MGCP Alg                            0            0
        ...
    Interface Monitoring:
        Interface    Weight    Status    Redundancy-group
        ge-12/0/0    100       up        1
        ge-0/0/0     100       up        1
    chassis-cluster interfaces:
        Control link: up
        6606 heart beats sent
        13729 heart beats received
        1200 ms interval
        5 threshold
    chassis-cluster interfaces:
        Fabric link: up
        15505 heartbeat packets sent on fabric-link interface
        13728 heartbeat packets received on fabric-link interface

Manual failover
Verify the status:
    user@node0-host> show chassis cluster status redundancy-group 1
    Cluster: 1, Redundancy-Group: 1
        Device name   Priority   Status      Preempt   Manual failover
        node0         200        Primary     No        No
        node1         100        Secondary   No        No
Initiate the failover:
    user@node0-host> request chassis cluster failover redundancy-group 1 node 1
    node1:
    --------------------------------------------------------------------------
    Initiated manual failover for redundancy group 1

    user@node0-host> show chassis cluster status redundancy-group 1
    Cluster: 1, Redundancy-Group: 1
        Device name   Priority   Status      Preempt   Manual failover
        node0         200        Secondary   No        Yes
        node1         255        Primary     No        Yes

Part 4: SRX 1400 routine maintenance
- Troubleshooting resources
- Cooling system checks
- Routine performance checks
- Contingency plans

Troubleshooting resources: the CLI
For controlling and troubleshooting the SRX hardware, software, routing protocols and network connectivity, the JUNOS CLI is the main tool. The CLI can display routing-table information, routing-protocol information, and the network connectivity information obtained with the ping and traceroute tools. You reach the CLI by connecting to the CONSOLE, ETHERNET or AUX port on the Routing Engine. For displaying the alarm information generated by the interfaces and the chassis with the CLI, see "Hardware and interface alarm information".

Troubleshooting resources: LEDs
The LEDs described below sit on the individual components and show each component's status.
- Craft interface LEDs: the SRX 1400 front panel carries a craft panel that indicates the system status, including the Routing Engine status LED, the power-supply status LEDs, the fan status LEDs and the alarm LEDs.
- Component LEDs: each SRX 1400 system component also has its own status LEDs; for example, every port on an IOC has an LED indicating the port status.

Hardware and interface alarm information
When the Routing Engine detects an alarm, it lights the corresponding red or yellow alarm LED on the front panel. Use show chassis alarms in the CLI to display a detailed description of the alarm:
    user@host> show chassis alarms
Two kinds of alarm messages are described here:
- Chassis alarms indicate alarms on chassis components, for example the cooling system or the power system; see the table below.
- Interface alarms indicate a problem on an interface; see the table below.
The information in the two tables below is taken from the output of show chassis alarms.
Table 3-6: chassis alarm messages

Cooling system checks
The cooling system consists of the fan trays mounted on the side of the chassis, which keep the SRX working within an acceptable temperature range. To check the fan trays, follow these steps: check the power-module status through the CLI by running the command below and looking at the Status field of the output:
    root@FW02> show chassis environment
    Class Item                           Status     Measurement
    Fans  Left Fan 1                     OK         Spinning at normal speed
          Left Fan 2                     OK         Spinning at normal speed
          Left Fan 3                     OK         Spinning at normal speed
          Left Fan 4                     OK         Spinning at normal speed
    ...
If a fan tray has failed, this output shows which fan has the problem, so that it can then be dealt with.

Routine performance checks: monitoring RE CPU utilization
The main job of the SRX 1400 Routing Engine is to maintain the routing protocols and the routing table.
    root@FW02> show chassis routing-engine
    node0:
    --------------------------------------------------------------------------
    Routing Engine status:
      Slot 0:
        Current state                  Master
        Election priority              Master (default)
        DRAM                      1023 MB
        Memory utilization          29 percent
        CPU utilization:
          User                       2 percent
          Background                 0 percent
          Kernel                     8 percent
          Interrupt                  2 percent
          Idle                      88 percent
        Model                          RE-SRX 1400
        Start time                     2010-01-19 22:15:50 CST
        Uptime                         7 days, 16 hours, 45 minutes, 20 seconds
        Last reboot reason             0x1:power cycle/failure
        Load averages:                 1 minute   5 minute  15 minute
                                           0.01       0.05       0.07

Routine performance checks: monitoring SPU utilization
On the SRX 1400, session lookup and session maintenance are done by the SPC, so the utilization of the SPC card must be monitored. In normal operation the SPC CPU utilization should stay below 60%. If the CPU utilization is too high, take it seriously: check the session usage and all alarm information, and check whether there is attack traffic in the network. The SRX firewall pre-allocates its memory, so memory utilization is about 50-70% with no load and should stay roughly stable as traffic grows. If memory utilization reaches 90%, check whether there is attack traffic in the network.
    root@FW02> show security monitoring fpc 6        # "6" is the slot number of the SPC
    node0:
    --------------------------------------------------------------------------
    FPC 6 PIC 0
      CPU utilization      :   13 %     (SPC CPU utilization)
      Memory utilization   :   64 %     (SPC memory utilization)
      Current flow session :  73155
      Max flow session     : 524288
      Current CP session   : 461767
      Max CP session       : 2359296
    node1:
    --------------------------------------------------------------------------

Routine performance checks: monitoring the number of concurrent sessions
    root@FW02> show security monitoring fpc 6        # "6" is the slot number of the SPC
    node0:
    --------------------------------------------------------------------------
    FPC 6 PIC 0
      CPU utilization      :   13 %
      Memory utilization   :   64 %
      Current flow session :  73155
      Max flow session     : 524288
      Current CP session   : 461767     (current concurrent sessions: 461767)
      Max CP session       : 2359296

Routine performance checks: monitoring the cluster status
Normal state (priorities range from 1 to 255; a higher value means a higher priority):
    root@FW02> show chassis cluster status
    Cluster ID: 1
    Node                  Priority   Status    Preempt  Manual failover
    Redundancy group: 0 , Failover count: 3
        node0                  254   primary      no       yes
        node1                  100   secondary    no       yes
    Redundancy group: 1 , Failover count: 3
        node0                  254   primary      no       no
        node1                  100   secondary    no       no

Routine performance checks: switching the cluster state
Method 1, through the CLI:
    root@FW02> request chassis cluster failover node 1 redundancy-group 1      (makes node1 the primary of group 1)
    root@FW02> request chassis cluster failover reset redundancy-group 1       (restores node1's priority to 254)
Method 2, physically: pull the cable directly.

Routine performance checks: firewall debug
Used to see how the firewall processes packets internally:
    root@SRX1400# set security flow traceoptions file flow-trace                (define the capture file name, here flow-trace)
    root@SRX1400# set security flow traceoptions flag basic-datapath            (capture only the flow-processing information)
    root@SRX1400# set security flow traceoptions packet-filter debug source-prefix 10.1.10.5/32 destination-prefix 2.2.2.2/32    (define the filter for the packets to capture)
    root@SRX1400# commit                                                        (note that all configuration must be committed)
    root@SRX1400# run monitor start flow-trace                                  (start the debug)
    (send the test packets)
    root@SRX1400# run monitor stop flow-trace                                   (stop the debug)
    root@SRX1400# run show log flow-trace                                       (view the captured packet information)
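An added example, not from the manual, that turns the routine checks above into code: it parses the counters of show security monitoring fpc against the manual's SPC thresholds (CPU under 60%, memory under 90%) and reads the redundancy-group rows of show chassis cluster status. The sample outputs are reconstructed from the ones printed above; the 80% session-table limit is this example's own assumption.

```python
import re
# Sample outputs constructed from the manual's 'show security monitoring fpc 6'
# (node0) and 'show chassis cluster status' taken right after a manual failover.
SPC_SAMPLE = """CPU utilization      :   13 %
Memory utilization   :   64 %
Current flow session :  73155
Max flow session     : 524288
Current CP session   : 461767
Max CP session       : 2359296
"""
CLUSTER_SAMPLE = """Redundancy group: 1 , Failover count: 3
    node0        200     secondary    no        yes
    node1        255     primary      no        yes
"""

def parse_counters(text):
    """Map each 'name : number' line of the FPC output to an int."""
    return {k.strip(): int(v)
            for k, v in re.findall(r"^([A-Za-z ]+?)\s*:\s*(\d+)", text, re.M)}

def spc_alerts(text, cpu_max=60, mem_max=90, session_max=0.8):
    """Manual's limits: SPC CPU < 60 %, memory < 90 %; the session-table limit is ours."""
    c, alerts = parse_counters(text), []
    for key, limit in (("CPU utilization", cpu_max), ("Memory utilization", mem_max)):
        if c[key] >= limit:
            alerts.append("SPC %s %d%%: check sessions, alarms and attack traffic" % (key, c[key]))
    for kind in ("flow", "CP"):
        cur, top = c["Current %s session" % kind], c["Max %s session" % kind]
        if cur >= session_max * top:
            alerts.append("%s session table %.0f%% full" % (kind, 100.0 * cur / top))
    return alerts

def cluster_alerts(text):
    """Flag priority 255 (manual failover in effect) and a primary below its RG's top priority."""
    groups, rg, alerts = {}, None, []
    for line in text.splitlines():
        head = re.match(r"Redundancy group:\s*(\d+)", line)
        row = re.match(r"\s*(node\d)\s+(\d+)\s+(\w+)", line)
        if head:
            rg = head.group(1)
        elif row and rg is not None:
            groups.setdefault(rg, []).append((row.group(1), int(row.group(2)), row.group(3)))
    for rg, nodes in groups.items():
        top = max(prio for _, prio, _ in nodes)
        for node, prio, status in nodes:
            if prio == 255:
                alerts.append("RG%s %s at priority 255: manual failover in effect" % (rg, node))
            if status == "primary" and prio < top:
                alerts.append("RG%s primary %s has priority %d below %d" % (rg, node, prio, top))
    return alerts
```

Feed it the live output of the two commands, one node block at a time, and act on any alert it returns the way the manual describes (check sessions and alarms, look for attack traffic, reset a lingering manual failover).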