
Juniper switch configuration command summary

Set the switch host name
set system host-name BaoGaoTing

Port mirroring
set ethernet-switching-options analyzer debug input ingress interface ge-0/0/0.0
set ethernet-switching-options analyzer debug input egress interface ge-0/0/0.0
set ethernet-switching-options analyzer debug output interface ge-0/0/4.0



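Main purpose of dual-partition: keep the device bootable after an abnormal power loss
request system snapshot media internal slice alternate
request system snapshot slice alternate // back up between the primary and alternate partitions

request system reboot slice alternate media internal // boot from the other partition; after that, the device boots Junos OS from the last-booted partition by default (it remembers the choice)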

QinQ configuration
Basic

set ethernet-switching-options dot1q-tunneling ether-type 0x8100 ## encapsulation protocol (ether-type)
set vlans qinqvlan vlan-id 2821
set vlans qinqvlan dot1q-tunneling

set interfaces ge-0/0/28 unit 0 family ethernet-switching vlan members 2821 ## uplink port

set ethernet-switching-options dot1q-tunneling ether-type 0x8100
set vlans cust1 vlan-id 100
set vlans cust1 interface ge-0/0/1.0
set vlans cust1 interface ge-0/0/2.0

Flexible

set ethernet-switching-options dot1q-tunneling ether-type 0x8100

set interfaces ge-0/0/27 unit 0 family ethernet-switching port-mode access ## downlink port
set interfaces ge-0/0/27 unit 0 family ethernet-switching vlan members qinq ## the customer VLAN is qinq; the management VLAN, vlan600, is passed through transparently
set interfaces ge-0/0/27 unit 0 family ethernet-switching vlan members vlan600
** Note: normally an access port cannot be a member of two VLANs at once; that would make it a trunk port,
** unless one of the VLANs is a dot1q-tunnel VLAN. The tunnel VLAN must have customer-vlans configured; without customer-vlans the commit fails.
set vlans qinq vlan-id 4000 ## flexible QinQ: frames with inner tags 2-150 get the outer tag 4000
set vlans qinq interface ge-0/0/27.0
set vlans qinq dot1q-tunneling customer-vlans 2-150

Access switch configuration
set interfaces ge-0/1/1 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/1/1 unit 0 family ethernet-switching vlan members 2
set interfaces ge-0/1/1 unit 0 family ethernet-switching native-vlan-id 600 ** the port on the upstream aggregation switch is an access port, so the VLAN to be passed through has to be the native VLAN


## root user password
set system root-authentication encrypted-password "$1$z2Z28Ixe$AScMP7uMvMHY3fy8dgtm11"

## user ID
set system login user juniper uid 2100

## put user juniper in the super-user class
set system login user juniper class super-user

## remote login user name and password
set system login user juniper authentication encrypted-password "$1$qUdu0s0Z$vGS88V0jrjhsPnQOTF9oy/"

## enable telnet
set system services telnet connection-limit 10
set system services telnet rate-limit 10


## port mode access
set interfaces ge-0/0/0 unit 0 family ethernet-switching port-mode access

## add the port to VLAN 600
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members 600

## port mode trunk
set interfaces ge-0/1/0 unit 0 family ethernet-switching port-mode trunk

## allow VLAN 600 on the trunk
set interfaces ge-0/1/0 unit 0 family ethernet-switching vlan members 600

## set the IP address of VLAN 600
set interfaces vlan unit 600 family inet address 172.30.0.16/24

## set the default gateway
set routing-options static route 0.0.0.0/0 next-hop 172.30.0.1

## enable the layer-3 interface of the default VLAN
set vlans default l3-interface vlan.0

## create a VLAN named mgt with ID 600
set vlans mgt vlan-id 600

## enable the layer-3 interface of VLAN mgt
set vlans mgt l3-interface vlan.600

## PoE on all interfaces
set poe interface all X


Configure the VLAN's L3 interface address

set vlans name l3-interface vlan.xx
set interfaces vlan unit xx family inet address x.x.x.x/24

Add a switch port to the VLAN that was created
set interfaces ge-0/0/x unit 0 family ethernet-switching port-mode access vlan members name

Configure a trunk port
set interfaces ge-0/0/23 unit 0 family ethernet-switching port-mode trunk native-vlan-id 1 vlan members xx

Pre-commit check
commit check

Clear the LED alarm

clear alarm traffic

clear alarm event


EX2200 ALARM LED is lit red:

show chassis alarm
show system alarm

request system configuration rescue save/delete

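set chassis alarm management-ethernet link-down ignore ## turn off the alarm LED for management port link state
set chassis alarm ethernet link-down ignore ## turn off the alarm LED for switch port link state


Enable IGMP snooping
set protocols igmp-snooping vlan all
deactivate protocols igmp-snooping

Enable spanning tree

set protocols stp

Restore factory defaults
load factory-default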

DHCP configuration

set system services dhcp pool 100.1.1.0/24 address-range low 100.1.1.10
set system services dhcp pool 100.1.1.0/24 address-range high 100.1.1.200
set system services dhcp pool 100.1.1.0/24 default-lease-time 7200
set system services dhcp pool 100.1.1.0/24 router 100.1.1.254


Set a port to layer-3 mode.
Configuration steps:
lab@EX4200-1# top
[edit]
lab@EX4200-1#
lab@EX4200-1# edit interfaces ge-0/0/1
[edit interfaces ge-0/0/1]
lab@EX4200-1# delete unit 0 family inet #"remove the port's layer-3 settings"
lab@EX4200-1# set unit 0 family ethernet-switching #"make it a layer-2 port"
lab@EX4200-1# delete unit 0 family ethernet-switching #"remove the layer-2 settings"
lab@EX4200-1# set unit 0 family inet #"make it a layer-3 port"
lab@EX4200-1# set unit 0 family inet address 192.168.1.1/30 #"set the layer-3 IP address"
lab@EX4200-1# delete unit 0 #"remove both the layer-2 and layer-3 settings of the port"


#"Set the PoE guard band, range 1-19 watts, whole numbers only"
lab@EX4200-1# set poe guard-band 15


Set an optical interface to 1G and disable auto-negotiation
set interfaces ge-0/1/2 ether-options no-auto-negotiation link-mode full-duplex speed 1g

Trace a multicast path
mtrace

Trace the route to a host
traceroute


1. Connect the VCPs
Configure SWA-0 with the virtual management Ethernet (VME) interface for
out-of-band management of the Virtual Chassis configuration, if desired.
[edit]
user@SWA-0# set interfaces vme unit 0 family inet address /ip-address/mask/


user@SWA-0> show virtual-chassis status
Virtual Chassis ID: 0019.e250.47a0
                                             Mastership            Neighbor List
Member ID   Status  Serial No     Model       priority   Role      ID  Interface
0 (FPC 0)   Prsnt   AK020*******  ex4200-48p  128        Master*   1   vcp-0
                                                                   1   vcp-1
1 (FPC 1)   Prsnt   AK020*******  ex4200-24t  128        Backup    0   vcp-0
                                                                   0   vcp-1
Member ID for next new member: 2 (FPC 2)

user@SWA-0> show virtual-chassis vc-port all-members
fpc0:
--------------------------------------------------------------------------
Interface       Type          Status
or
PIC / Port
vcp-0           Dedicated     Up
vcp-1           Dedicated     Up
fpc1:
--------------------------------------------------------------------------
Interface       Type          Status
or
PIC / Port
vcp-0           Dedicated     Up
vcp-1           Dedicated     Up

Modify the mastership priority values (changes a Virtual Chassis member's priority; the default is 128)
[edit virtual-chassis]
user@SWA-1# set member 1 mastership-priority 255

By default, all ports on an EX switch are configured as L2; to change one into an L3 interface, first delete the interface's layer-2 family
delete interfaces ge-0/0/0 unit 0 family ethernet-switching
set interfaces ge-0/0/0 unit 0 family inet address 192.168.100.2/24

Create a VLAN
set vlans name vlan-id xx

Configure the VLAN's L3 interface address
set vlans name l3-interface vlan.xx
set interfaces vlan unit xx family inet address x.x.x.x/24

Add a switch port to the VLAN that was created
set interfaces ge-0/0/x unit 0 family ethernet-switching port-mode access vlan members name

Configure a trunk port
set interfaces ge-0/0/23 unit 0 family ethernet-switching port-mode trunk native-vlan-id 1 vlan members xx

Configure redundant RE groups
set groups re0 system host-name GZ_LAB_M10i_1_RE0
set groups re0 interfaces fxp0 unit 0 family inet address 172.27.69.34/24
set groups re0 routing-options static route 0.0.0.0/0 next-hop 172.27.69.1
set groups re1 system host-name GZ_LAB_M10i_1_RE1
set groups re1 interfaces fxp0 unit 0 family inet address 172.27.69.35/24
set groups re1 routing-options static route 0.0.0.0/0 next-hop 172.27.69.1

Configure VRFs and bind the layer-3 VLAN interfaces
set routing-instances vrf-1 instance-type vrf
set routing-instances vrf-1 interface vlan.10
set routing-instances vrf-1 route-distinguisher 65000:100
set routing-instances vrf-1 vrf-target target:65000:100
set routing-instances vrf-2 instance-type vrf
set routing-instances vrf-2 interface vlan.20
set routing-instances vrf-2 route-distinguisher 65000:200
set routing-instances vrf-2 vrf-target target:65000:200

show route terse ## shows the routes by category

Configure routing from each VRF to the PE, using OSPF and a static route as examples:=================================================
set routing-instances vrf-1 instance-type vrf
set routing-instances vrf-1 interface vlan.10
set routing-instances vrf-1 route-distinguisher 65000:100
set routing-instances vrf-1 vrf-target target:65000:100
set routing-instances vrf-1 protocols ospf area 0.0.0.0 interface vlan.10
show ospf neighbor instance vrf-1

set routing-instances vrf-2 instance-type vrf
set routing-instances vrf-2 interface vlan.20
set routing-instances vrf-2 route-distinguisher 65000:200
set routing-instances vrf-2 vrf-target target:65000:200
set routing-instances vrf-2 routing-options static route 0.0.0.0/0 next-hop 192.168.20.2

Configure redundancy for the EX switch's uplink trunk ports:===========================
Assume the EX has two GE uplinks to two aggregation-layer or core-layer switches. When both ports are configured as trunks and placed in a redundant trunk group, STP no longer has to be considered on them.
[edit]

set ethernet-switching-options redundant-trunk-group group-name group1
set ethernet-switching-options redundant-trunk-group group-name group1 interface ge-0/0/9.0 primary
set ethernet-switching-options redundant-trunk-group group-name group1 interface ge-0/0/10.0
Verify after configuration:
user@switch> show redundant-trunk-group group1


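EX 3200 series switches also provide a complete set of port security features, including DHCP snooping, DAI (Dynamic ARP Inspection) and MAC limiting, to defend against internal and external snooping, man-in-the-middle attacks and denial-of-service (DoS) attacks.
Security
● MAC address limiting
● Number of allowed MAC addresses: configurable per port
● Dynamic ARP Inspection (DAI)
● Local proxy ARP
● Static ARP support
● DHCP snooping
Access control lists (ACLs) (JUNOS™ firewall filters)
● Port-based ACL (PACL): ingress
● VLAN-based ACL (VACL): ingress and egress
● Router-based ACL (RACL): ingress and egress
● ACL entries (ACEs) supported in hardware per system: 7,000
● ACL counter for denied packets
● ACL counter for permitted packets
● Ability to add/delete/change ACL entries in the middle of a list (ACL editing)
● L2-L4 ACL
● 802.1X port-based
● 802.1X multiple supplicants
● 802.1X with VLAN assignment
● 802.1X with authentication bypass access (based on host MAC address)
● 802.1X with VoIP VLAN support
● 802.1X dynamic ACL based on RADIUS attributes
● 802.1X supported EAP types: MD5, TLS, TTLS, PEAP
● MAC authentication (local)
● Control plane DoS protection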

Configure port security and DHCP snooping on the EX switch, with per-port MAC limits and MAC address binding:==================================
DAI protects EX series switches against ARP spoofing: ARP packets on the LAN are validated against the DHCP snooping database, which protects ARP caches from being poisoned.
[edit ethernet-switching-options secure-access-port]
Limit the number of MAC addresses on a port
set interface ge-0/0/1 mac-limit 4 action drop
Bind MAC addresses to a port
set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:80
set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:81
set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:83
set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:85
set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:88
set interface ge-0/0/2 mac-limit 4 action drop
Trust the port that connects to the DHCP server
set interface ge-0/0/8 dhcp-trusted

On each VLAN that needs port security, add the DHCP anti-spoofing settings and the limit on MAC moves within that VLAN:
set vlan employee-vlan arp-inspection ## DAI configuration
set vlan employee-vlan examine-dhcp
set vlan employee-vlan mac-move-limit 5 action drop
Verify after configuration:
user@switch> show dhcp snooping binding
user@switch> show arp inspection statistics ## check how DAI is working on the switch
user@switch> show ethernet-switching table
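
Added example, not part of the original notes: a Python check over set-format configuration that flags the telnet service, $1$ (MD5-crypt) password hashes, and VLANs that lack examine-dhcp or arp-inspection. The function name audit, the sample configuration and the full secure-access-port paths (expanded from the [edit ethernet-switching-options secure-access-port] context above) are assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed sample in Junos "set" format, modelled on the commands in these notes.
SAMPLE = '''\
set system root-authentication encrypted-password "$1$CONSTRUCTED$not.a.real.hash"
set system services telnet connection-limit 10
set system services telnet rate-limit 10
set vlans employee-vlan vlan-id 20
set vlans guest-vlan vlan-id 30
set ethernet-switching-options secure-access-port interface ge-0/0/8 dhcp-trusted
set ethernet-switching-options secure-access-port vlan employee-vlan arp-inspection
set ethernet-switching-options secure-access-port vlan employee-vlan examine-dhcp
set ethernet-switching-options secure-access-port vlan guest-vlan examine-dhcp
'''

SAP_VLAN = re.compile(r"^set ethernet-switching-options secure-access-port "
                      r"vlan (\S+) (examine-dhcp|arp-inspection)\b")
VLAN_DEF = re.compile(r"^set vlans (\S+) vlan-id \d+")
MD5_HASH = re.compile(r'^set (system \S.*?) encrypted-password "\$1\$')

def audit(config):
    """Return sorted findings for a set-format config (hypothetical helper)."""
    findings, vlans, opts = set(), [], defaultdict(set)
    for raw in config.splitlines():
        line = raw.split("##")[0].strip()      # drop the notes' trailing ## remarks
        if line.startswith("set system services telnet"):
            findings.add("telnet enabled: management logins cross the network in cleartext")
        if m := MD5_HASH.match(line):
            findings.add(f"MD5-crypt ($1$) hash under '{m.group(1)}'")
        if m := VLAN_DEF.match(line):
            vlans.append(m.group(1))
        if m := SAP_VLAN.match(line):
            opts[m.group(1)].add(m.group(2))
    for vlan in vlans:
        have = opts[vlan] | opts["all"]        # "vlan all" applies to every VLAN
        for knob, name in (("examine-dhcp", "DHCP snooping"), ("arp-inspection", "DAI")):
            if knob not in have:
                findings.add(f"vlan {vlan}: {name} ({knob}) not enabled")
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Feed it the output of show configuration | display set; hierarchy-relative lines such as those typed under an [edit ...] prompt have to be expanded to full paths first.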


Configure RSTP on the EX switch:===========================================
Step-by-Step Procedure
To configure interfaces and RSTP on Switch 1:

Configure the VLANs voice-vlan, employee-vlan, guest-vlan, and camera-vlan:
[edit vlans]
user@switch1# set voice-vlan description "Voice VLAN"
user@switch1# set voice-vlan vlan-id 10
user@switch1# set employee-vlan description "Employee VLAN"
user@switch1# set employee-vlan vlan-id 20
user@switch1# set guest-vlan description "Guest VLAN"
user@switch1# set guest-vlan vlan-id 30
user@switch1# set camera-vlan description "Camera VLAN"
user@switch1# set camera-vlan vlan-id 40

Configure the VLANs on the interfaces, including support for the Ethernet Switching protocol:
[edit interfaces]
user@switch1# set ge-0/0/13 unit 0 family ethernet-switching vlan members [10 20 30 40]
user@switch1# set ge-0/0/9 unit 0 family ethernet-switching vlan members [10 20 30 40]
user@switch1# set ge-0/0/11 unit 0 family ethernet-switching vlan members [10 20 30 40]

Configure the port mode for the interfaces:
[edit interfaces]
user@switch1# set ge-0/0/13 unit 0 family ethernet-switching port-mode trunk
user@switch1# set ge-0/0/9 unit 0 family ethernet-switching port-mode trunk
user@switch1# set ge-0/0/11 unit 0 family ethernet-switching port-mode trunk

Configure RSTP on the switch:
[edit protocols]
user@switch1# set rstp bridge-priority 16k
user@switch1# set rstp interface ge-0/0/13.0 cost 1000 (configure the same cost and RSTP mode on the interfaces so that only the priority is compared)
user@switch1# set rstp interface ge-0/0/13.0 mode point-to-point
user@switch1# set rstp interface ge-0/0/9.0 cost 1000
user@switch1# set rstp interface ge-0/0/9.0 mode point-to-point
user@switch1# set rstp interface ge-0/0/11.0 cost 1000
user@switch1# set rstp interface ge-0/0/11.0 mode point-to-point
Verify after configuration:
user@switch1> show spanning-tree interface

Configure MSTP on the EX switch:==============================================
Step-by-Step Procedure
To configure interfaces and MSTP on Switch 1:

Configure the VLANs voice-vlan, employee-vlan, guest-vlan, and camera-vlan:
[edit vlans]
user@switch1# set voice-vlan description "Voice VLAN"
user@switch1# set voice-vlan vlan-id 10
user@switch1# set employee-vlan description "Employee VLAN"
user@switch1# set employee-vlan vlan-id 20
user@switch1# set guest-vlan description "Guest VLAN"
user@switch1# set guest-vlan vlan-id 30
user@switch1# set camera-vlan description "Camera VLAN"
user@switch1# set camera-vlan vlan-id 40

Configure the VLANs on the interfaces, including support for the Ethernet Switching protocol:
[edit interfaces]
user@switch1# set ge-0/0/13 unit 0 family ethernet-switching vlan members [10 20 30 40]
user@switch1# set ge-0/0/9 unit 0 family ethernet-switching vlan members [10 20 30 40]
user@switch1# set ge-0/0/11 unit 0 family ethernet-switching vlan members [10 20 30 40]

Configure the port mode for the interfaces:
[edit interfaces]
user@switch1# set ge-0/0/13 unit 0 family ethernet-switching port-mode trunk
user@switch1# set ge-0/0/9 unit 0 family ethernet-switching port-mode trunk
user@switch1# set ge-0/0/11 unit 0 family ethernet-switching port-mode trunk

Configure MSTP on the switch, including the two MSTIs:
[edit protocols]
user@switch1# set mstp configuration-name region1
user@switch1# set mstp bridge-priority 16k
user@switch1# set mstp interface ge-0/0/13.0 cost 1000
user@switch1# set mstp interface ge-0/0/13.0 mode point-to-point
user@switch1# set mstp interface ge-0/0/9.0 cost 1000
user@switch1# set mstp interface ge-0/0/9.0 mode point-to-point
user@switch1# set mstp interface ge-0/0/11.0 cost 4000
user@switch1# set mstp interface ge-0/0/11.0 mode point-to-point
user@switch1# set mstp msti 1 bridge-priority 16k
user@switch1# set mstp msti 1 vlan [10 20]
user@switch1# set mstp msti 1 interface ge-0/0/11.0 cost 4000
user@switch1# set mstp msti 2 bridge-priority 8k
user@switch1# set mstp msti 2 vlan [30 40]

Verify after configuration:
user@switch1> show spanning-tree interface
user@switch1> show spanning-tree bridge









Differential configuration update
root@router# show | compare
[edit interfaces]
[edit]
root@router# show | compare | save /var/tmp/patch.cfg
Wrote 9 lines of output to '/var/tmp/patch.cfg'
[edit]
root@router# load patch /var/tmp/patch.cfg
load complete



show chassis hardware ## view the switch serial number
