
juniper_srx650 Configuration Manual


Preparation before configuring:

SRX factory default settings:

Username: root, password empty.

Console port:

srx% cli   # the root login lands in the shell; typing cli enters the Junos CLI

srx>

Enter configuration mode: srx> configure   # "config" is accepted as an abbreviation

srx#

Restore factory defaults: srx# load factory-default

Set the root password:

set system root-authentication plain-text-password

# the root password must be at least 6 characters and contain both letters and digits

Commit the configuration: commit

# no change takes effect until commit has been run

commit check   # validates the candidate configuration without activating it

Clear the entire configuration: srx# delete

Set irb.99 as the management IP for the China Telecom link:

set system services web-management http interface irb.99

set system services web-management https system-generated-certificate

set system services web-management https interface irb.99

Set irb.199 as the management IP for the China Telecom link:

set system services web-management http interface irb.199

set system services web-management https system-generated-certificate

set system services web-management https interface irb.199

Set the management address of irb.99:

set interfaces irb unit 99 family inet address 192.168.2.99/32

set routing-options static route 0.0.0.0/0 next-hop 192.168.2.1

Set the management address of irb.199:

set interfaces irb unit 199 family inet address 192.168.10.199/32

# the source read "unit 99" on the line above; unit 199 is what the heading and the bridge-domain below refer to

set routing-options static route 0.0.0.0/0 next-hop 192.168.10.1

# the source read "192.168.10.199.1", which is not a valid address; 192.168.10.1 is the assumed gateway, following the pattern of the irb.99 route

Put ge-0/0/0 and ge-0/0/2 in the same vlan-id 10, as the channel for the China Unicom line:

set interfaces ge-0/0/0 unit 0 family bridge interface-mode access

# transparent mode

set interfaces ge-0/0/0 unit 0 family bridge vlan-id 10

set interfaces ge-0/0/2 unit 0 family bridge interface-mode access

set interfaces ge-0/0/2 unit 0 family bridge vlan-id 10

Put ge-0/0/1 and ge-0/0/3 in the same vlan-id 11, as the channel for the China Telecom line:

set interfaces ge-0/0/1 unit 0 family bridge interface-mode access

set interfaces ge-0/0/1 unit 0 family bridge vlan-id 11

set interfaces ge-0/0/3 unit 0 family bridge interface-mode access

set interfaces ge-0/0/3 unit 0 family bridge vlan-id 11

Assign the ports to their zones and enable the related services:

set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services all

set security zones security-zone luntrust interfaces ge-0/0/1.0 host-inbound-traffic system-services all

set security zones security-zone trust interfaces ge-0/0/2.0 host-inbound-traffic system-services all

set security zones security-zone ltrust interfaces ge-0/0/3.0 host-inbound-traffic system-services all

set bridge-domains jcn vlan-id 10

set bridge-domains jcn routing-interface irb.199

set bridge-domains ltj vlan-id 11

set bridge-domains ltj routing-interface irb.99

# the source read "jcn" on the line above; a bridge-domain keeps only one routing-interface, so that would have replaced irb.199 on jcn and left ltj without one

set bridge-domains jcn domain-type bridge

set bridge-domains ltj domain-type bridge

commit

# Note: creating more irb sub-interfaces does not help; within one vlan-id only one irb sub-interface is active, namely the most recently created one.
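The note above describes a class of mistake that commit check does not catch: a bridge-domain pointed at the wrong irb, an irb unit that was never given an address, or a vlan that has no bridge-domain or zone at all. The Python script below lints a list of set statements for exactly those conditions. It is an added example, not part of this manual or of Junos itself: it understands only the statement forms used on this page, and the sample configuration embedded in it is constructed from the manual's own lines with the slips left in (plus one extra port, ge-0/0/4, added purely to exercise a check).

```python
import re
from collections import defaultdict

# Constructed sample: the bridge-domain, irb and zone statements from this manual
# (interface-mode lines omitted; the linter ignores them), with the two slips the
# note above warns about left in: a second routing-interface on jcn, and the second
# address put on irb unit 99 where unit 199 was meant. ge-0/0/4 is an extra port
# added here only to exercise the "vlan without a bridge-domain" check.
SAMPLE_CONFIG = """
set interfaces irb unit 99 family inet address 192.168.2.99/32
set interfaces irb unit 99 family inet address 192.168.10.199/32
set interfaces ge-0/0/0 unit 0 family bridge vlan-id 10
set interfaces ge-0/0/2 unit 0 family bridge vlan-id 10
set interfaces ge-0/0/1 unit 0 family bridge vlan-id 11
set interfaces ge-0/0/3 unit 0 family bridge vlan-id 11
set interfaces ge-0/0/4 unit 0 family bridge vlan-id 12
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone luntrust interfaces ge-0/0/1.0
set security zones security-zone trust interfaces ge-0/0/2.0
set security zones security-zone ltrust interfaces ge-0/0/3.0
set bridge-domains jcn vlan-id 10
set bridge-domains jcn routing-interface irb.199
set bridge-domains ltj vlan-id 11
set bridge-domains jcn routing-interface irb.99
"""

# The same layout with the slips corrected and the stray port removed.
FIXED_CONFIG = (
    SAMPLE_CONFIG
    .replace("irb unit 99 family inet address 192.168.10.199", "irb unit 199 family inet address 192.168.10.199")
    .replace("set bridge-domains jcn routing-interface irb.99", "set bridge-domains ltj routing-interface irb.99")
    .replace("set interfaces ge-0/0/4 unit 0 family bridge vlan-id 12\n", "")
)

BD_VLAN = re.compile(r"^set bridge-domains (\S+) vlan-id (\d+)$")
BD_RI = re.compile(r"^set bridge-domains (\S+) routing-interface irb\.(\d+)$")
IF_VLAN = re.compile(r"^set interfaces (\S+) unit (\d+) family bridge vlan-id (\d+)$")
IRB_ADDR = re.compile(r"^set interfaces irb unit (\d+) family inet address \S+$")
ZONE_IF = re.compile(r"^set security zones security-zone (\S+) interfaces (\S+)")


def lint(config_text):
    """Return a list of findings; an empty list means the layout is consistent."""
    bd_vlan = {}                 # bridge-domain -> vlan-id
    bd_ri = defaultdict(list)    # bridge-domain -> every irb unit set on it, in order
    if_vlan = {}                 # "ge-0/0/0.0" -> vlan-id
    irb_units, zoned = set(), set()
    for line in config_text.strip().splitlines():
        line = line.strip()
        if m := BD_VLAN.match(line):
            bd_vlan[m[1]] = int(m[2])
        elif m := BD_RI.match(line):
            bd_ri[m[1]].append(int(m[2]))
        elif m := IF_VLAN.match(line):
            if_vlan[f"{m[1]}.{m[2]}"] = int(m[3])
        elif m := IRB_ADDR.match(line):
            irb_units.add(int(m[1]))
        elif m := ZONE_IF.match(line):
            zoned.add(m[2])

    findings = []
    for bd, units in bd_ri.items():
        # routing-interface is a single-valued leaf: the last "set" wins, which is
        # the "only the newest irb counts" behaviour the manual's note describes
        if len(units) > 1:
            findings.append(f"bridge-domain {bd}: routing-interface set {len(units)} times, only irb.{units[-1]} is kept")
        for u in units:
            if u not in irb_units:
                findings.append(f"bridge-domain {bd}: routing-interface irb.{u} has no 'irb unit {u}' address")
    for bd in bd_vlan:
        if bd not in bd_ri:
            findings.append(f"bridge-domain {bd}: no routing-interface, so no management address on vlan {bd_vlan[bd]}")
    vlan_bd = {v: k for k, v in bd_vlan.items()}
    for ifname, vlan in if_vlan.items():
        if vlan not in vlan_bd:
            findings.append(f"{ifname}: vlan-id {vlan} is not in any bridge-domain")
        if ifname not in zoned:
            findings.append(f"{ifname}: not assigned to a security zone, so no policy can permit its traffic")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print("WARN", finding)
    print("fixed config findings:", lint(FIXED_CONFIG))
```

Run it on the `show configuration | display set` output of a device before committing a change of this kind; the sample as embedded produces five findings, and the corrected copy produces none.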

Configure security policies (traffic between the secure and non-secure zones):

set security policies from-zone trust to-zone untrust policy 1 match source-address any destination-address any application any

set security policies from-zone trust to-zone untrust policy 1 then permit

set security policies from-zone ltrust to-zone luntrust policy 2 match source-address any destination-address any application any

set security policies from-zone ltrust to-zone luntrust policy 2 then permit

set security policies from-zone untrust to-zone trust policy 3 match source-address any destination-address any application any

set security policies from-zone untrust to-zone trust policy 3 then permit

# the source read "policy 1" on the line above; the match terms for this zone pair were configured under policy 3

set security policies from-zone luntrust to-zone ltrust policy 4 match source-address any destination-address any application any

set security policies from-zone luntrust to-zone ltrust policy 4 then permit

commit

Shut down the firewall:

te

# (the command is truncated in the source)

Reboot the firewall: request system reboot

Password recovery:

Roll back to the previous configuration:

rollback 1 brings back the configuration as it was before the current commit, i.e. the contents of the previous commit; it takes effect once you commit.

Allow only IP1, IP2 and IP3 to manage the firewall:

set interfaces irb unit 99 family inet filter input login-control

set interfaces irb unit 199 family inet filter input login-control

set firewall family inet filter login-control term 20 from source-address IP1/32

set firewall family inet filter login-control term 20 from source-address IP2/24

set firewall family inet filter login-control term 20 from source-address IP3/25

set firewall family inet filter login-control term 20 from destination-address 192.168.2.99/32

set firewall family inet filter login-control term 20 from destination-address 192.168.10.199/32

set firewall family inet filter login-control term 20 then accept

set firewall family inet filter login-control term 30 from source-address 0/0

set firewall family inet filter login-control term 30 from destination-address 192.168.2.99/32

set firewall family inet filter login-control term 30 from destination-address 192.168.10.199/32

set firewall family inet filter login-control term 30 then discard

set firewall family inet filter login-control term 100 then accept

# IP1, IP2 and IP3 stand for the permitted management addresses; the terms are evaluated in order: term 20 accepts those sources to the two management addresses, term 30 discards every other source to those addresses, and term 100 lets all remaining traffic through

Enable the SNMP service:

set snmp community public authorization read-only

set snmp community public clients 192.168.2.99/32

set snmp community public clients 192.168.2.0/24

set snmp community public clients 192.168.10.25/32

set snmp community public clients 192.168.10.0/24

set snmp community public clients 0.0.0.0/0 restrict
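The login-control filter and the SNMP client list above rely on two different matching rules, and confusing them is a common way to lock yourself out or to leave a hole. A firewall filter is evaluated term by term in order: the first term whose conditions all hold decides, prefixes of the same kind inside one term are ORed, different kinds (source, destination) are ANDed, a term with no from clause matches everything, and a packet matching no term is discarded. The SNMP client list is instead decided by the most specific prefix, which is why one 0.0.0.0/0 restrict entry can sit beside specific allows. The Python model below, added here and not part of the manual or of Junos, replays both rules against constructed sample addresses; the three permitted sources standing in for IP1, IP2 and IP3 are assumed values.

```python
import ipaddress

# Constructed model of the login-control filter above. The three source prefixes
# are assumed stand-ins for IP1/32, IP2/24 and IP3/25; "0/0" from the manual is
# written out as 0.0.0.0/0.
MGMT = ["192.168.2.99/32", "192.168.10.199/32"]
LOGIN_CONTROL = [
    {"name": "20", "source-address": ["10.0.0.5/32", "10.0.1.0/24", "10.0.2.0/25"],
     "destination-address": MGMT, "then": "accept"},
    {"name": "30", "source-address": ["0.0.0.0/0"],
     "destination-address": MGMT, "then": "discard"},
    {"name": "100", "then": "accept"},   # no "from": matches all remaining traffic
]


def _in_any(ip, prefixes):
    """True if ip falls inside any of the prefixes (OR within one match kind)."""
    return any(ip in ipaddress.ip_network(p) for p in prefixes)


def evaluate_filter(terms, src, dst):
    """Return (action, term_name) for a packet from src to dst.

    Terms are tried in order and the first full match wins. Inside a term the
    source and destination conditions are ANDed; a term with no conditions at
    all matches everything (all([]) is True). A packet that matches no term
    falls off the end and is discarded, as it would be on the device.
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for term in terms:
        conds = []
        if "source-address" in term:
            conds.append(_in_any(src, term["source-address"]))
        if "destination-address" in term:
            conds.append(_in_any(dst, term["destination-address"]))
        if all(conds):
            return term["then"], term["name"]
    return "discard", "implicit"


# Constructed model of the SNMP community client list above.
SNMP_CLIENTS = {
    "192.168.2.99/32": "allow",
    "192.168.2.0/24": "allow",
    "192.168.10.25/32": "allow",
    "192.168.10.0/24": "allow",
    "0.0.0.0/0": "restrict",
}


def snmp_client_allowed(client, clients=SNMP_CLIENTS):
    """The most specific (longest) matching client prefix decides, so the
    0.0.0.0/0 restrict entry only applies to addresses no allow entry covers."""
    ip = ipaddress.ip_address(client)
    best = max(
        (ipaddress.ip_network(p) for p in clients if ip in ipaddress.ip_network(p)),
        key=lambda n: n.prefixlen,
        default=None,
    )
    return best is not None and clients[str(best)] == "allow"


if __name__ == "__main__":
    for s, d in [("10.0.0.5", "192.168.2.99"), ("10.0.2.200", "192.168.2.99"),
                 ("10.0.0.5", "192.168.2.50")]:
        print(s, "->", d, evaluate_filter(LOGIN_CONTROL, s, d))
    # without term 100 the transit flow above is dropped by the implicit discard
    print("no term 100:", evaluate_filter(LOGIN_CONTROL[:2], "10.0.0.5", "192.168.2.50"))
    for c in ["192.168.2.50", "172.16.0.1"]:
        print("snmp", c, snmp_client_allowed(c))
```

The case worth keeping in mind is the last filter call: with term 100 removed, traffic that is not aimed at the management addresses no longer matches any term and is silently discarded, which on an irb that carries user traffic means an outage rather than a tighter lock-down.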

Log servers:

set system syslog host 192.168.10.248 any any

set system syslog host 192.168.10.7 any any

set system syslog host 192.168.10.248 source-address 192.168.10.199

set system syslog host 192.168.2.7 source-address 192.168.2.99

There are eight log event levels:

- local0 == debug level, so events from debug upward (i.e. ALL) are logged

- local1 == info level (info/notice/warning/error/critical/alert/emergency events are logged)

- local2 == notice level (notice/warning/error/critical/alert/emergency events are logged)

- local3 == warning level (warning/error/critical/alert/emergency events are logged)

- local4 == error level (error/critical/alert/emergency events are logged)

- local5 == critical level (critical/alert/emergency events are logged)

- local6 == alert level (alert and emergency events are logged)

- local7 == emergency level (only emergency events are logged)

Logs:

root@srx650> show log messages

root@srx650> file list /cf/var/log

root@srx650> file delete /cf/var/log/srx650_logs.7.gz

root@srx650> show log chassis
