JuniperSRX1400

產(chǎn)品配置維護(hù)培訓(xùn)

目錄一、SRX1400產(chǎn)品介紹二、JUNOS基本命令介紹三、SRX1400配置介紹及演示四、SRX1400日常維護(hù)

目錄一、SRX1400產(chǎn)品介紹二、JUNOS基本命令介紹三、SRX1400配置介紹及演示四、SRX1400日常維護(hù)SRX1400機(jī)箱式設(shè)計(jì)(3U)4個(gè)插槽最大1塊IOC;1塊NSPC;1塊RE;1塊SYSIOC(GEorXGE)固定接口(SYSIOC)GE型號(hào)6-10/100/1000,6SFPXGE型號(hào)6-10/100/1000,3SFP,3SFP+模塊化接口16-10/100/1000;16-SFP;2-XFP多核架構(gòu)2電源冗余(1+1)性能防火墻吞吐率(大包)–

10Gbps并發(fā)連接數(shù)–1.5Million*最少需配1NSPC或1SPC+1NPCSRX1400CardsNetworkProcessingCard(NPC)SingleNetworkProcessor(NP)subsystem-10GigthroughputServicesProcessingCard(SPC)SingleHD-CPUsubsystem/10GigthroughputNetworkServicesProcessingCard(NSPC)1GHz,4GBmemory/CPU/10GigthroughputRoutingEngine(RE)1.2Ghzprocessor/w1GBmemoryCompleteseparationofcontrol/dataplanesIncludesCPP(centralPFEcontroller)andCB(controlboard)I/OCards(IOC)3versionsatFRS:2-port10GE-XFP(SR,LR,ER)16-portGE-SFP(SX,LX,LH,T)16-port10/100/1000Copper10Gigfull-duplexthroughput(oversubscribed)

目錄一、SRX1400產(chǎn)品介紹二、JUNOS基本命令介紹(演示)三、SRX1400配置介紹及演示四、SRX1400組網(wǎng)討論內(nèi)容JUNOS基礎(chǔ)知識(shí)基本命令介紹基本配置操作模式shell模式$用戶模式>配置模式#cli/exitstartshellconfigure/editexit配置模式配置模式提示符號(hào)是

“#“

在>模式下鍵入config進(jìn)入配置模式#提示符還由用戶名和主機(jī)名共同組成如:user@host#配置模式你編輯的配置文件叫candidate配置文件配置修改不是馬上生效，必須通過(guò)commit命令提交之后才生效commit提交之后,candidate配置變成active配置文件，然后新的candidate會(huì)被再次創(chuàng)建基本命令-show使用show

命令來(lái)查看candidate配置文件在哪一層就顯示哪一層的配置在最外層就顯示所有配置可以在最外層直接指定需要顯示的層次#showsystem#showinterfaces#showinterfacesfxp1#showrouting-options#showprotocolsset命令使用set

增加或者改變配置set

參數(shù)有些是增加，有些是覆蓋#setsystemhost-nameDenver覆蓋#setinterfacefxp0unit0familyinetaddress/24增加#setrouting-optionsrouter-id覆蓋set用法有兩種：(1)一種是用edit進(jìn)入?yún)?shù)層進(jìn)行修改(2)一種是在最外層直接寫(xiě)完所有層次參數(shù)如下面的例子：set命令方法一：ab@SRX#editsystem[editsystem]lab@SRX#editlogin[editsystemlogin]lab@SRX#edituserlab[editsystemloginuserlab]lab@SRX#setuid2002[editsystemloginuserlab]lab@SRX#方法一配置繁瑣，但是簡(jiǎn)單明了不容易出錯(cuò)，適合入門(mén)者使用方法二：setsystemloginuserlabuid2002方法二操作簡(jiǎn)單，命令輸入量少，并且可以直接粘貼，適合熟練者使用基本命令-commit使用commit

命令來(lái)使修改后的內(nèi)容生效commit-檢查配置語(yǔ)法并且激活修改后的內(nèi)容commitcheck-僅僅進(jìn)行語(yǔ)法檢查，不真正激活配置commitand-quit–

如果提交成功就退出commitconfirmed–nextpage…

基本命令-rollback使用rollback

命令來(lái)恢復(fù)commit以前的配置rollback只是將配置恢復(fù)到Candidat配置erollback

或者rollback0

恢復(fù)上次commit之前的配置rollback1

上兩次commit之前的配置總共可以恢復(fù)49份配置，rollback后面可以0-49rollback?可以顯示每次commit的時(shí)間，確定恢復(fù)那份配置runfileshow/config/juniper.conf.n.gzn為1-3，可以查看需要恢復(fù)配置的內(nèi)容，對(duì)應(yīng)于rollback1-3runfileshow/config/juniper.conf.gz對(duì)應(yīng)rollback0runfileshow/var/db/config/juniper.conf.n.gzn為4-49，可以查看需要恢復(fù)配置的內(nèi)容，對(duì)應(yīng)于rollback4-49配置文件比較ShowdifferencesbetweencandidateconfigurationfileandActiveconfiguration“Rollback”configurationAnysavedconfigurationfile#show|comparerollbacknumber#show|comparefilenameConfigurationmodeonlyLikeUnixdiff加載配置文件ConfigurationinformationcancomefromanASCIIfilepreparedofflineSyntaxload(replace|merge|override)filename只改變candidate配置需要commit

來(lái)生效UsetheloadcommandtoOverride

覆蓋已經(jīng)存在的配置要覆蓋整個(gè)配置，使用override選項(xiàng)merge

新的配置語(yǔ)句合并到已經(jīng)存在的配置文件中replace

用新的配置替代已經(jīng)存在的配置JUNOSSoftwareVersion?CLIcommandstodisplayinstalledpackagesshowversion

目錄一、SRX1400產(chǎn)品介紹二、JUNOS基本命令介紹三、SRX1400配置介紹及演示

Zone

SecurityPolicies

NetworkAddressTranslationHighAvailabilityClustering

四、SRX1400日常維護(hù)ZonesJuniperNetworksDeviceRoutingInstance1RoutingInstance2RoutingInstanceF.T.F.T.ForwardingTableZoneAZoneBZoneCZoneDZonesInterfacesInterfaces、zones、routinginstances之間的關(guān)系示意圖ZoneTypesZoneTypesUser-Defined

(canbeconfigured)System-Defined

(cannotbeconfigured)SecurityFunctionaljunos-globalNullZoneConfigurationProcedureSteps:DefineasecurityorafunctionalzoneAddlogicalinterfacestothezoneOptionally,addservicesandprotocolsthatmustbepermittedintotheservicesgatewaythroughtheinterfacebelongingtothezoneIfthisstepisomitted,notrafficdestinedfortheservicesgatewayispermittedSecurityPoliciesSecurityPolicyDefinedWhatisasecuritypolicy?定義策略組合用于SRX，使其能根據(jù)策略來(lái)決定zone之間的數(shù)據(jù)傳輸WhatshouldIdoifapacketcomesinmatching

CriterionA?TransitTrafficExaminationSRX設(shè)備會(huì)根據(jù)securitypolicies來(lái)判斷數(shù)據(jù)傳輸?shù)霓D(zhuǎn)發(fā)

Doesasecuritypolicymatchthetraffic?ApplydefaultpolicynoPacketinApplypolicyactions

yesDefaultSecurityPoliciesSystem-defaultsecuritypolicy:denyalltrafficthroughtheSRX-seriesservicesgatewayYoucanchangethedefaultpolicytopermitalltrafficFactory-defaultconfigurationhasthreesecuritypolicies:Trusttotrust:permitallTrusttountrust:permitallUntrusttotrust:denyallX123System-defaultsecurity

policiesbehaviorDenyALLtransit

traffic

Factory-defaultsecurity

policiesbehaviortrustzone

untrust

zonePolicyComponentsSummaryfrom-zoneandto-zonecontextMatchingcriteriaMatchingcriteriaActionAction[editsecuritypolicies]from-zonezone-nameto-zonezone-name

{policyname1

{match{source-addressaddress-name1;destination-addressaddress-name1;applicationapplication-name1;}then{<action>;}}policyname2

{match{source-addressaddress-name2;destination-addressaddress-name2;applicationapplication-name2;}then{<action>;}}…}HighAvailabilityClusteringHighAvailabilityCharacteristicsOverviewHAprovides:Active-passivecontrolanddataplaneredundancyStatefulsessionfailover:NATALGIPsecAuthenticationSynchronization:ConfigurationSessionstateChassisclusterChassisClusterComponentsOverviewChassisclustercomponents:Clusteredservicesgatewaysaregroupedbya

cluster-ididNodeswithinaclusterareidentifiedbyanode

idRedundancygroupsChassisclusterinterfaces:fxp1fxp0fabrethcluster-idDetailsSetusingcluster-idid

cluster-idvaluesrangefrom1–15AroutercanbelongtoonlyoneclusteratanygiventimeIfcluster-id=0,HAconfigurationisignoredServicesgatewaywithinaclusterissetbyanodeidChangeincluster-ididandnode

idrequiresservicesgatewayreboot:user@host#setchassisclustercluster-id1node0

warning:Arebootisrequiredforchassisclustertobeenablednode

id

Detailsnode

iduniquelyidentifiestheservicesgatewaywithinaclusterRangesfrom0–1DeterminesoffsetoftheFPCslotvalueintheinterfacenameofaservicesgatewayuser@host>setchassisclustercluster-ididnodeidreboot

Successfullyenabledchassiscluster.Goingtorebootnow...ChassisClusterInterfaces—rethRedundantinterfacecharacteristics:Anewethernetpseudo-interface,calledrethBundlestwophysicalinterfaces(children),onefromeachmemberoftheclusterMemberinterfacesinheritpropertiesofreth,asconfiguredbytheuserMemberinterfacescanbeineitheractiveorpassivemode,butnotinbothThefailoverpropertiesofthememberinterfacesareinheritedfromtheRG-1configurationrethinterfacehasavirtualMACaddress BasedonclusterandinterfaceIDChassisClusterInterfaces—fxp0fxp0interfaceUsedforout-of-bandmanagementAllowsaccesstoeachnodeofaclusterItisgoodpracticeforeachnodetohaveauniqueIPaddressforfxp0interfacerequiresgroupsconfigurationChassisClusterInterfaces—fxp1fxp1interfaceConfiguredSPCportsusedforchassisclustercontrolplanege-0/0/10andge-0/0/11onSYSIOCJUNOSsoftwareassignsaninternalIPaddresstofxp1TrivialNetworkProtocolrunsontheinterfaceJUNOSsoftwaretransmitsheartbeatsignalstodeterminethehealthofthecontrollink—ifthenumberofmissedheartbeatsreachestheconfiguredthreshold,thesystemfailsoverIffxp1fails,JUNOSsoftwaredisablesthesecondarynodeNodeconfigurationfilesareautomaticallysynchronizedoverfxp1ChassisClusterInterfaces—fabfabn=2GigabitEthernetor10GigabitEthernet,usedforHAdataplaneFabricinterfaceisformedn

reflectsthenodeIDandstartsfrom0TwonodesofaclustermusthavefabnonthesameLANfabinterfacespecifics:interfacedoesnotsupportfilters,policies,logicalinterfaces,orservicesMemberinterfacesmustbeofthesametypeJumboframesaresupportedFragmentationisnotsupportedChassisClusterInterfaceSummaryfabnNode0Node1Clusterfxp1fxp0fxp0rethmrethmControlplaneDataplaneManagementManagementRedundantinterfacesa.b.c/24MonitoringClusterStatisticsuser@node0-host>showchassisclusterstatistics

Initialhold:10

RethInformation:rethstatusredundancy-groupreth0downnotconfiguredreth1up1ServicesSynchronized:Service-nameRtos-sentRtos-receivedTranslationContext00IncomingNAT00ResourceManager50Session-create00Session-close00Session-change00Gate-create00Session-Ageout-refresh-request00Session-Ageout-refresh-reply00VPN00FirewallUserAuthentication00MGCPAlg00...InterfaceMonitoring:InterfaceWeightStatusRedundancy-groupge-12/0/0100up1ge-0/0/0100up1chassis-clusterinterfaces:Controllink:up6606heartbeatssent13729heartbeatsreceived1200msinterval5thresholdchassis-clusterinterfaces:Fabriclink:up15505heartbeatpacketssentonfabric-linkinterface13728heartbeatpacketsreceivedonfabric-linkinterfaceManualFailoveruser@node0-host>showchassisclusterstatusredundancy-group1

Cluster:1,Redundancy-Group:1DevicenamePriorityStatusPreemptManualfailovernode0200PrimaryNoNonode1100SecondaryNoNo

user@node0-host>requestchassisclusterfailoverredundancy-group1node1node1:Initiatedmanualfailoverforredundancygroup1user@node0-host>showchassisclusterstatusredundancy-group1

Cluster:1,Redundancy-Group:1DevicenamePriorityStatusPreemptManualfailovernode0200SecondaryNoYesnode1255PrimaryNoYesVerifystatus:Initiatefailover:

目錄一、SRX1400產(chǎn)品介紹二、JUNOS基本命令介紹三、SRX1400配置介紹及演示四、SRX1400日常維護(hù)使用故障檢查資源冷卻系統(tǒng)故障檢查日常性能檢查應(yīng)急預(yù)案

CLI命令行

使用故障檢查資源

對(duì)于SRX的硬件、軟件、路由協(xié)議、網(wǎng)絡(luò)連接性的控制和故障檢查、，JUNOS的CLI命令行是主要的使用工具。CLI命令行可以顯示路由表信息，路由協(xié)議的信息，使用ping和traceroute工具體現(xiàn)的網(wǎng)絡(luò)連接信息。可以通過(guò)連接路由引擎上的CONSOLE、ETHERNET、AUX口進(jìn)入CLI命令行接口。關(guān)于使用CLI顯示端口和機(jī)箱產(chǎn)生的告警信息，請(qǐng)參閱“硬件和端口告警信息”。

LED下面描述的LED位于各個(gè)組件上，用于顯示各個(gè)組件的狀態(tài)。CraftInterfaceLED：SRX1400前面板由一個(gè)Craft面板指示系統(tǒng)狀態(tài)，Craft面板上包括路由引擎狀態(tài)指示燈，電源狀態(tài)指示燈，風(fēng)扇狀態(tài)指示燈和告警指示燈等等ComponentLED：SRX1400的各個(gè)系統(tǒng)組件還有自己?jiǎn)为?dú)的狀態(tài)指示燈，比如IOC上的每個(gè)端口都有一個(gè)LED指示端口狀態(tài)

使用故障檢查資源

硬件和端口告警信息當(dāng)路由引擎檢測(cè)到一個(gè)告警的時(shí)候，會(huì)將前面板上相應(yīng)的紅色或者黃色的告警LED點(diǎn)亮。可以在命令行中使用showchassisalarms顯示詳細(xì)的告警描述。uer@host>showchassisalarms這里將描述兩類告警消息：機(jī)箱告警（Chassisalarms）——指示機(jī)箱組件的告警信息，例如冷卻系統(tǒng)或者電源系統(tǒng)，詳情請(qǐng)查閱下面的表格。端口告警（Interfacealarms）——指示某個(gè)端口的問(wèn)題，詳情請(qǐng)查閱下面的表格。下面的兩個(gè)表格中的信息為使用命令showchassisalarms輸出的結(jié)果。表格3?6：機(jī)箱告警消息

使用故障檢查資源冷卻系統(tǒng)故障檢查冷卻系統(tǒng)故障檢查冷卻系統(tǒng)包含安裝在機(jī)箱側(cè)面的風(fēng)扇盤(pán)來(lái)保證SRX工作在一個(gè)可以接受的溫度環(huán)境下。要檢查風(fēng)扇盤(pán)，執(zhí)行下面的步驟：通過(guò)CLI命令行檢查電源模塊狀態(tài)。通過(guò)下面的命令，觀察輸出的Status域的狀態(tài)：root@FW02>showchassisenvironmentClassItemStatusMeasurementFansLeftFan1OKSpinningatnormalspeedLeftFan2OKSpinningatnormalspeedLeftFan3OKSpinningatnormalspeedLeftFan4OKSpinningatnormalspeed...如果有風(fēng)扇盤(pán)發(fā)生故障，可以通過(guò)觀察判斷出哪一個(gè)風(fēng)扇除了問(wèn)題。然后再處理。日常性能檢查

監(jiān)控RECPU利用率SRX1400的路由引擎主要工作是維護(hù)路由協(xié)議和路由表root@FW02>showchassisrouting-engineroot@FW02>showchassisrouting-enginenode0:RoutingEnginestatus:Slot0:CurrentstateMasterElectionpriorityMaster(default)DRAM1023MBMemoryutilization29percentCPUutilization:User2percentBackground0percentKernel8percentInterrupt2percentIdle88percentModelRE-SRX1400Starttime2010-01-1922:15:50CSTUptime7days,16hours,45minutes,20secondsLastrebootreason0x1:powercycle/failureLoadaverages:1minute5minute15minute0.010.050.07

日常性能檢查

監(jiān)控SPU利用率由于SRX1400的會(huì)話查找，維護(hù)都是SPC負(fù)責(zé)的，因此需要監(jiān)控SPC板卡的利用率。正常工作狀態(tài)下，SPC的CPU利用率應(yīng)該在60%以下，如出現(xiàn)CPU利用率過(guò)高情況需給予足夠重視，應(yīng)檢查Session使用情況和各類告警信息，并檢查網(wǎng)絡(luò)中是否存在攻擊流量。SRX防火墻對(duì)內(nèi)存采用“預(yù)分配”機(jī)制，空載時(shí)內(nèi)存使用率為約50-70%，隨著流量不斷增長(zhǎng)，內(nèi)存的使用率應(yīng)基本保持穩(wěn)定。如果出現(xiàn)內(nèi)存使用率高達(dá)90％時(shí)，則需檢查網(wǎng)絡(luò)中是否存在攻擊流量。root@FW02>showsecuritymonitoringfpc6#”6”是SPC所在的槽位編號(hào)node0:FPC6PIC0CPUutilization:13%（SPC的CPU利用率）

Memoryutilization:64%（SPC的內(nèi)存利用率）

Currentflowsession:73155Maxflowsession:524288CurrentCPsession:461767MaxCPsession:2359296node1:日常性能檢查

監(jiān)控并發(fā)會(huì)話數(shù)root@FW02>showsecuritymonitoringfpc6#”6”是SPC所在的槽位編號(hào)root@FW02>showsecuritymonitoringfpc6node0:FPC6PIC0CPUutilization:13%Memoryutilization:64%Currentflowsession:73155Maxflowsession:524288CurrentCPsession:461767

（當(dāng)前并發(fā)為461767）

MaxCPsession:2359296日常性能檢查

監(jiān)控雙機(jī)狀態(tài)正常情況（優(yōu)先級(jí)為1-255，數(shù)值高則優(yōu)先級(jí)高）root@FW02>showchassisclusterstatusClusterID:1NodePriorityStatusPreemptManualfailoverRedundancygroup:0,Failovercount:3node0254primarynoyesnode1100secondarynoyesRedundancygroup:1,Failovercount:3node0254primarynononode1100secondarynono日常性能檢查

切換雙機(jī)狀態(tài)方法一：CLI方式root@FW02>requestchassisclusterfailovernode1redundancy-group1(將nod1