命令配置手册
目 录
1 交换机基础知识 6
1.1 认识Juniper交换机 6
1.2 Junos操作系统基础 8
1.2.1 交换机配置模式 8
1.2.2 交换机配置结构 9
1.2.3 TAB和空格键的使用 12
1.2.4 用户模式和配置模式show的区别 13
1.2.5 如何将配置转换成set命令 16
1.2.6 commit和rollback 16
1.3 EX交换机命令菜单结构 18
2 操作指导 30
2.1 通过console线连接交换机 30
2.2 system系统参数配置 31
2.2.1 设置root密码 32
2.2.2 设置主机名 32
2.2.3 设置DNS服务器 32
2.2.4 设置日期时间 32
2.2.5 设置NTP服务器 33
2.2.6 开启远程Telnet登陆服务 33
2.2.7 开启远程Ftp服务 33
2.2.8 开启远程ssh登陆 34
2.2.9 开启远程http登陆服务 34
2.2.10 添加/删除用户 34
2.2.10.1 添加用户 34
2.2.10.2 修改用户类别 35
2.2.10.3 修改用户密码 35
2.2.10.4 删除用户 35
2.2.11 用户权限设置 35
2.3 VLAN配置 36
2.3.1 VLAN配置步骤 37
2.3.2 VLAN配置规范要求 37
2.3.3 添加VLAN 37
2.3.4 修改端口VLAN 39
2.3.5 删除VLAN 39
2.3.6 配置VLAN网关IP 40
2.4 Trunk配置 40
2.4.1 Trunk配置步骤 40
2.4.2 如何设置Trunk 40
2.4.3 允许/禁止VLAN通过Trunk 40
2.5 端口配置 41
2.5.1 端口配置规范要求 41
2.5.2 修改端口速率 41
2.5.3 修改端口工作模式 41
2.5.4 修改端口为L3模式 42
2.5.5 修改端口为L2模式 42
2.6 生成树配置 42
2.6.1 STP配置实例 43
2.6.2 RSTP配置实例 44
2.6.3 MSTP配置 实例 47
2.7 端口捆绑 50
2.7.1 端口捆绑步骤 50
2.7.2 L2端口捆绑 51
2.7.3 L3端口捆绑 51
2.8 ECMP负载均衡配置 52
2.9 路由协议配置 53
2.9.1 静态路由配置 53
2.9.1.1 添加静态路由 53
2.9.1.2 删除静态路由 53
2.9.1.3 调整静态路由优先值 53
2.9.1.4 设置备份静态路由 53
2.9.1.5 指定静态路由下一跳端口 54
2.9.2 OSPF配置 54
2.9.2.1 OSPF配置步骤 54
2.9.2.2 OSPF配置实例 57
2.9.2.3 OSPF路由过滤 59
2.10 端口镜像 59
2.10.1 端口输入输出流量镜像 60
2.10.2 带过滤条件的端口镜像 60
2.11 端口MAC地址限制 61
2.12 端口广播风暴控制 61
2.13 VRRP配置 61
2.13.1 如何配置VRRP 61
2.13.2 如何检查VRRP状态 62
2.13.3 如何切换VRRP 63
2.14 BFD配置 63
2.14.1 OSPF中配置BFD 63
2.14.2 静态路由中配置BFD 63
2.15 交换机Firewall限制功能 64
2.15.1 限制IP地 64
2.15.2 限制MAC地址 64
2.16 Virtual-Chassis设置 65
2.17 VC知识 65
2.17.1 如何建立VC组 66
2.17.2 如何扩充VC组交换机 67
2.17.3 如何利用uplink链路组成VC 68
2.17.4 如何对VC组进行切换 70
2.18 SNMP配置 70
2.19 Syslog配置 72
2.20 multi-vrf配置 72
2.21 multi-vrf OSPF配置 73
3 交换机维护操作 74
3.1 交换机启动和关闭 74
3.1.1 重新启动 74
3.1.2 关闭 74
3.2 配置备份和恢复 75
3.2.1 配置备份 75
3.2.2 配置恢复 76
3.3 如何升级交换机OS 76
3.4 如何恢复出厂设置 77
3.5 密码恢复 77
3.6 日常维护命令 78
3.6.1 查看序列号show chassis hardware 79
3.6.2 查看硬件show chassis hardware 79
3.6.3 查看软件版本show version 79
3.6.4 查看CPU show chassis routing-engine 79
3.6.5 ping命令 79
3.6.6 查看设备告警信息 show chassis alarms 79
3.6.7 查看详细的硬件温度及状态信息 show chassis environment 79
3.6.8 查看接口VRRP状态信息show vrrp 79
3.6.9 收集CASE需要的信息request support information 79
4 如何获取技术支持 79
4.1 技术资料获取 79
4.2 EX交换机故障技术支持流程 80
4.2.1 故障申报流程 80
4.2.1.1 传真/电话申报 80
4.2.1.2 邮件申报 80
4.2.1.3 网上申报 80
4.2.2 CASE客户网上处理指南 80
4.2.2.1 网上登录 80
4.2.2.2 更改密码 81
4.2.2.3 新建CASE 81
4.2.2.4 更新CASE信息/上传附件 83
4.2.2.5 更改CASE故障信息 85
4.2.2.6 重开CASE 86
4.2.2.7 CASE统计 87
1 交换机基础知识
1.1 Junos操作系统基础
Juniper交换机支持两种配置方式:采用命令行的CLI(command-line interface)配置方式,以及采用web浏览器界面JWeb配置方式。本指导书主要是采用命令行的配置方式。
交换机配置可以采用console终端配置方式,也可以采用远程telnet方式进行配置,第一次配置的时候必须采用console方式,然后在交换机上打开telnet服务并且配置网络IP地址以及设置用户名和密码,然后才可以进行远程telnet配置。系统初始化用户名是root,密码是空。
1.1.1 交换机配置模式
CLI有两种模式:用户模式和配置模式,用户模式的提示符是>,配置模式的提示符是#,在数用户模式下输入configure或者edit可以进入配置模式:
用户模式:
lab@EX4200> #用户模式
在用户模式下可以显示交换机的配置、端口状态、路由信息等。登录到交换机上即进入交换机的用户模式:
Example:
login: EX42
Password:
lab@EX4200>
配置模式:
lab@EX4200# #配置模式
通过在用户模式使用edit命令或者configure命令进入配置模式:
Example:
lab@EX4200> edit
Entering configuration mode
{master}[edit]
lab@EX4200#
Example:
lab@EX4200> configure
Entering configuration mode
{master}[edit]
lab@EX4200#
1.1.2 交换机配置结构
Juniper交换机的配置是一种层次化的配置模式,如下图所示:第一层次protocols协议层里面,可以包含bgp、isis和ospf等第二层次参数配置,而ospf层次里面,又可以定义第三层参数,比如area和traceoptions等,area下面又可以定义interface、area-range等第四层参数,而dead-interval、hello-interval等第五层参数则属于第四层interface下面的参数。
由于是层次化结构,因此配置一个参数有两种方式,一是在最外层使用一条set命令将所有层的参数一次写完,另外一种方式是利用edit逐层进入需要配置参数的层次,然后用set命令直接设置参数。例如要在ospf协议area 0中将interface ge-0/0/1.0的hello-interval时间设置为10秒,那么可以有两种设置方式:
方法一:
lab@EX4200# set protocols ospf area 0 interface ge-0/0/1.0 hello-interval 10
方法二:
lab@EX4200# edit protocols
[edit protocols]
lab@EX4200# edit ospf
[edit protocols ospf]
lab@EX4200# edit area 0
[edit protocols ospf area 0.0.0.0]
lab@EX4200# edit interface ge-0/0/1.0
[edit protocols ospf area 0.0.0.0 interface ge-0/0/1.0]
lab@EX4200# set hello-interval 10
[edit protocols ospf area 0.0.0.0 interface ge-0/0/1.0]
lab@EX4200#
在edit这种方式中,exit可以退回上一次用edit进入以前的层,直接输入top则退回最上层:
lab@EX4200# edit protocols
[edit protocols]
lab@EX4200# edit ospf
[edit protocols ospf]
lab@EX4200# exit
[edit protocols]
lab@EX4200#
分两次输入edit进入ospf,最后输入exit退回protols那层。
lab@EX4200# edit protocols ospf
[edit protocols ospf]
lab@EX4200# exit
[edit]
lab@EX4200#
分一次edit进入ospf,最后输入exit退回最外层.
lab@EX4200# edit protocols
[edit protocols]
lab@EX4200# edit ospf
[edit protocols ospf]
lab@EX4200# top
[edit]
lab@EX4200#
输入top直接退出到最外层。
另外,juniper的配置参数有些可以一次写几个,比如要一次配置ospf的hello-time和dead-time可以按照下面写法:
lab@EX4200# set protocols ospf area 0 interface ge-0/0/1.0 hello-interval 10 dead-interval 10
输入以上命令之后,交换机的配置如下:
protocols {
ospf {
area 0.0.0.0 {
interface ge-0/0/1.0 {
hello-interval 10;
}
}
}
}
注意:如果不知道一条命令里面后面是否还可以跟其它配置参数,那么最好使用 ? 帮助一下:
lab@EX4200# set protocols ospf area 0 interface ge-0/0/1.0 hello-interval 10 ?
Possible completions:
<[Enter]> Execute this command
+ apply-groups Groups from which to inherit configuration data
+ apply-groups-except Don't inherit configuration data from these groups
> authentication
> bfd-liveness-detection Bidirectional Forwarding Detection options
dead-interval Dead interval (seconds) (1..65535)
demand-circuit Interface functions as a demand circuit
disable Disable OSPF on this interface
interface-type Type of interface
ipsec-sa IPSec security association name
> ldp-synchronization Advertise maximum metric until LDP is operational
metric Interface metric (1..65535)
> neighbor NBMA neighbor
no-neighbor-down-notification Don't inform other protocols about neighbor down events
> passive Do not run OSPF, but advertise it
poll-interval Poll interval for NBMA interfaces (1..65535)
priority Designated router priority (0..255)
retransmit-interval Retransmission interval (seconds) (1..65535)
te-metric Traffic engineering metric (1..65535)
transit-delay Transit delay (seconds) (1..65535)
| Pipe through a command
[edit]
1.1.3 TAB和空格键的使用
交换机JUNOS命令配置中,可以使用TAB键和空格键来进行参数的补全,在补全系统参数中两个键的作用是一样的,例如:
lab@EX4200# set pro <-输入TAB键或者空格键,则会补全protocols
lab@EX4200# set protocols
而对于用户自己定义的参数,则只能用TAB来补全,比如我们定义了一个Test_Policy_1的策略,要在ospf中配置时可以使用 ?来显示:
lab@EX4200# set protocols ospf export ?
Possible completions:
<value> Export policy
( Open an expression
Test_Policy_1
[ Open a set of values
[edit]
也可以直接输入T之后按TAB键来补全,而此时按空格键则无法补全:
lab@EX4200# set protocols ospf export T <-输入TAB键,则会补全Test_Policy_1
lab@EX4200# set protocols ospf export Test_Policy_1
1.1.4 用户模式和配置模式show的区别
在用户模式下,是无法进行配置操作的,而只能查看系统的一些参数。所以用户模式下的show命令是查看系统参数。要看系统配置则使用show configure命令。例如用户模式下show interface是查看端口信息:
lab@EX4200> show interfaces
Physical interface: ge-0/0/1, Enabled, Physical link is Up
Interface index: 142, SNMP ifIndex: 31
Link-level type: Ethernet, MTU: 1518, Speed: 100mbps, Loopback: Disabled, Source filtering: Disabled,
Flow control: Enabled
Device flags : Present Running
Interface flags: SNMP-Traps Internal: 0x4000
CoS queues : 4 supported, 4 maximum usable queues
Current address: 00:05:85:dc:cc:db, Hardware address: 00:05:85:dc:cc:db
Last flapped : 2007-06-29 20:37:17 HKT (1w2d 00:31 ago)
Input rate : 280 bps (0 pps)
Output rate : 1280 bps (1 pps)
Active alarms : None
Active defects : None
Logical interface ge-0/0/1.0 (Index 83) (SNMP ifIndex 71)
Flags: SNMP-Traps 0x4000 VLAN-Tag [ 0x8100.33 ] Encapsulation: ENET2
Input packets : 0
Output packets: 0
Protocol inet, MTU: 1500
Flags: None
lab@EX4200>
而在配置下show命令是显示相关的配置,比如show interface则是显示interface部分的配置:
lab@EX4200# show interfaces
ge-0/0/1 {
unit 0 {
family ethernet-switching vlan members 10 ;
family inet;
}
}
[edit]
lab@EX4200#
因此说用户模式和配置模式下的show命令是不同的,如果要在配置模式下运行用户模式命令,则需要在命令前面加一个run
lab@EX4200# run show interfaces
Physical interface: ge-0/0/1, Enabled, Physical link is Up
Interface index: 142, SNMP ifIndex: 31
Link-level type: Ethernet, MTU: 1518, Speed: 100mbps, Loopback: Disabled, Source filtering: Disabled,
Flow control: Enabled
Device flags : Present Running
Interface flags: SNMP-Traps Internal: 0x4000
CoS queues : 4 supported, 4 maximum usable queues
Current address: 00:05:85:dc:cc:db, Hardware address: 00:05:85:dc:cc:db
Last flapped : 2007-06-29 20:37:17 HKT (1w2d 00:36 ago)
Input rate : 792 bps (0 pps)
Output rate : 672 bps (0 pps)
Active alarms : None
Active defects : None
Logical interface ge-0/0/1.0 (Index 83) (SNMP ifIndex 71)
Flags: SNMP-Traps 0x4000 VLAN-Tag [ 0x8100.33 ] Encapsulation: ENET2
Input packets : 0
Output packets: 0
Protocol inet, MTU: 1500
Flags: None
[edit]
lab@EX4200#
lab@EX4200# run ping 172.27.69.8
PING 172.27.69.8 (172.27.69.8): 56 data bytes
64 bytes from 172.27.69.8: icmp_seq=0 ttl=64 time=5.118 ms
64 bytes from 172.27.69.8: icmp_seq=1 ttl=64 time=7.949 ms
64 bytes from 172.27.69.8: icmp_seq=2 ttl=64 time=7.018 ms
^C
--- 172.27.69.8 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 5.118/6.695/7.949/1.178 ms
[edit]
lab@EX4200#
lab@EX4200# run ping 172.27.69.8命令等同于lab@EX4200> ping 172.27.69.8
1.1.5 如何将配置转换成set命令
在配置模式下使用show或者在用户模式下使用show configure命令,输出结果是“程序化”的配置,这样的配置并不能直接粘贴到另外一台交换机上,不过可以在show后面使用管道符号加上display set将其转换成set格式命令,然后可以直接粘贴到其它交换机上:
lab@EX4200# show protocols ospf
export Test_Policy_1;
area 0.0.0.0 {
interface ge-0/0/1.0 {
hello-interval 10;
}
}
[edit]
lab@EX4200# show protocols ospf | display set
set protocols ospf export Test_Policy_1
set protocols ospf area 0.0.0.0 interface ge-0/0/1.0 hello-interval 10
[edit]
lab@EX4200#
1.1.6 commit和rollback
在cisco中只要输入命令,回车之后命令马上生效,因为我们修改的就是系统正在使用的running-config配置文件。而在JUNOS中完全不同,我们操作(增加、删除、修改)的那份配置文件只是一个候选文件(candidate configure),并不是正在运行的配置文件,只有将候选文件通过commit提交之后,配置才会真正的应用到当前系统使用的active配置文件中,从而使得修改的配置生效。
为了检查配置是否有错,可以在commit之前使用commit check来对配置进行语法检查。
为了避免提交时出错,建议不要同时两个人修改配置。
如果提交之后,可以使用rollback进行回滚,rollback 1回滚上一次提前之前的配置,rollback 2则是回滚上2次提交之前的配置:
lab@EX4200# show system host-name
host-name EX4200;
[edit]
lab@EX4200# set system host-name R1
[edit]
lab@EX4200# commit
commit complete
[edit]
lab@EX4200# show system host-name
host-name EX4200;
[edit]
lab@EX4200# rollback 1
load complete
[edit]
lab@EX4200# show system host-name
host-name EX4200;
[edit]
lab@EX4200# commit
commit complete
[edit]
lab@EX4200#
1.2 EX交换机命令菜单结构
vlans {
vlan-name { //vlan名字,自定义,下面所有 参数都是针对该vlan
mac-limit action; //设置vlan允许的最大mac
description text-description; //vlan描述
filter input filter-name; //设置VLAN输入流量过滤条件
filter output filter-name; //设置VLAN输出流量过滤条件
l3-interface vlan.logical-interface-number; //将vlan绑定到L3的vlan子端口
mac-table-aging-time seconds; //设置vlan 的mac表生存时间
vlan-id number; //设置vlan id
vlan-range vlan-id-low-vlan-id-high; //同时创建多个vlan
}
}
chassis {
aggregated-devices {
ethernet {
device-count number; //设置聚合端口数量,范围是0-64
}
}
}
interfaces {
ae-x {
aggregated-ether-options { //设置聚合端口参数
lacp mode { //设置lacp模式
periodic fast/slow; //设置lacp包发送间隔时间,选择fast则隔1秒发送,选择
//slow每隔30秒发送
}
}
}
ge-chassis/pic/port { //设置ge端口参数
description text; //设置描述
ether-options { //ether-options参数
802.3ad aex; //指定加入的聚合端口
auto-negotiation; //自动协商
flow-control; //流控制
link-mode mode; //设置端口工作模式
speed (speed | auto-negotiation | no-autonegotiation); //设置端口速率
}
mtu bytes; //设置端口MTU值,默认是1514
unit logical-unit-number { //设置逻辑单元参数
family ethernet-switching { //设置L2参数
filter input filter-name; //设置二层输入包过滤条件
filter output filter-name; //设置二层输出包过滤条件
l3-interface interface-name-logical-unit-number; //在Trunk端口模式下设置允许通过的
//L3端口流量
native-vlan-id vlan-id //指定navite vlan id
port-mode mode; //设置端口L2工作模式,为Trunk或者access模式
vlan {
members [ (names | vlan-ids) ]; //设置端口属于哪个VLAN或者允许哪些VLAN通过
}
}
vlan-id vlan-id-number; //仅对GE或者ae端口有效,范围是1 t到 4094
}
vlan-tagging; //设置端口为vlan-tagging
}
}
protocols {
dot1x {
authenticator {
authentication-profile-name access-profile-name;
static {
mac-address {
vlan-assignment (vlan-id |vlan-name);
interface interface-names;
}
}
interface (all | interface-name) {
disable;
guest-vlan (vlan-name | vlan-id);
maximum-requests seconds;
no-reauthentication;
quiet-period seconds;
reauthentication {
interval seconds;
}
retries number;
server-timeout seconds;
supplicant (single | single-secure | multiple);
supplicant-timeout seconds;
transmit-period seconds;
}
}
gvrp {
<enable | disable>;
interface (all | [interface-name]) {
disable;
}
join-timer millseconds;
leave-timer milliseconds;
leaveall-timer milliseconds;
}
igmp-snooping {
traceoptions {
file filename <files number> <size size> <world-readable | no-world-readable> <match regex>;
flag flag (detail | disable | receive | send);
}
vlan (vlan-id | vlan-number {
disable {
Interface interface-name
}
immediate-leave;
interface interface-name {
multicast-router-interface;
static {
group ip-address;
}
}
query-interval seconds;
query-last-member-interval seconds;
query-response-interval seconds;
robust-count number;
}
}
lldp { //设置链路层自动检测协议(Link Layer Detection Protocol)
disable;
advertisement-interval seconds;
hold-multiplier number;
interface (all | interface-name) {
disable;
}
traceoptions {
file filename <files number> <size size> <world-readable | no-world-readable> <match regex>;
flag flag (detail | disable | receive | send);
}
transmit-delay seconds;
}
lldp-med {
disable;
fast-start number;
interface (all | interface-name) {
disable;
location {
elin number;
civic-based {
what number;
country-code code;
ca-type {
number {
ca-value value;
}
}
}
}
}
}
mstp {
disable;
bpdu-block-on-edge;
bridge-priority priority;
configuration-name name;
forward-delay seconds;
hello-time seconds;
interface (all | interface-name) {
disable;
bpdu-timeout-action {
block;
alarm;
}
cost cost;
edge;
mode mode;
no-root-port;
priority priority;
}
max-age seconds;
max-hops hops;
msti msti-id {
vlan (vlan-id | vlan-name);
interface interface-name {
disable;
cost cost;
edge;
mode mode;
priority priority;
}
}
revision-level revision-level;
traceoptions {
file filename <files number > <size size> <no-stamp | world-readable | no-world-readable>;
flag flag;
}
}
rstp {
disable;
bpdu-block-on-edge;
bridge-priority priority;
forward-delay seconds;
hello-time seconds;
interface (all | interface-name) {
disable;
bpdu-timeout-action {
block;
alarm;
}
cost cost;
edge;
mode mode;
no-root-port;
priority priority;
}
max-age seconds;
}
traceoptions {
file filename <files number > <size size> <no-stamp | world-readable | no-world-readable>;
flag flag;
}
stp {
disable;
bridge-priority priority;
forward-delay seconds;
hello-time seconds;
interface (all | interface-name) {
disable;
bpdu-timeout-action {
block;
alarm;
}
cost cost;
edge;
mode mode;
no-root-port;
priority priority;
}
max-age seconds;
}
traceoptions {
file filename <files number > <size size> <no-stamp | world-readable | no-world-readable>;
flag flag;
}
}
ethernet-switching-options {
analyzer {
name {
loss-priority priority;
ratio number;
input {
ingress {
interface (all | interface-name);
vlan (vlan-id | vlan-name);
}
egress {
interface (all | interface-name);
}
output {
interface interface-name;
vlan (vlan-id | vlan-name);
}
}
}
bpdu-block {
interface (all | [interface-name]);
disable-timeout timeout;
}
redundant-trunk-group {
group-name name {
interface interface-name <primary>;
}
}
secure-access-port {
interface (all | interface-name) {
allowed-mac {
mac-address-list;
}
(dhcp-trusted | no-dhcp-trusted );
mac-limit limit action action;
static-ip ip-address {
vlan vlan-name;
mac mac-address;
}
}
vlan (all | vlan-name) {
(arp-inspection | no-arp-inspection );
(examine-dhcp | no-examine-dhcp );
(ip-source-guard | no-ip-source-guard);
mac-move-limit limit action action;
}
}
storm-control {
interface (all | interface-name) {
level level;
no-broadcast;
no-unknown-unicast;
}
}
traceoptions {
file filename <files number> <no-stamp> <replace> <size size> <world-readable | no-world-readable>;
flag flag <disable>;
}
voip {
interface (all | [interface-name | access-ports]) {
vlan vlan-name ;
forwarding-class <assured-forwarding | best-effort | expedited-forwarding | network-control>;
}
}
}
firewall {
family family-name {
filter filter-name {
term term-name {
from {
match-conditions;
}
then {
action;
action-modifiers;
}
}
}
}
policer policer-name {
if-exceeding {
bandwidth-limit bps;
burst-size-limit bytes;
}
then {
policer-action;
}
}
}
snmp {
rmon {
history index {
bucket-size number;
interface interface-name;
interval seconds;
owner owner-name;
}
}
}
virtual-chassis {
mac-persistence-timer seconds;
preprovisioned;
member member-id {
mastership-priority number;
no-management-vlan;
serial-number;
role;
}
traceoptions {
file filename <files number> <size size> <world-readable | no-world-readable> <match regex>;
flag flag ;
}
}
2 操作指导
2.1 通过console线连接交换机
使用下面的步骤连接路由器的Console接口:
1.准备好EX交换机设备自带的Console线缆(如果没有的话,采用Cisco或者安耐特等厂家的Console线也可可以)
2.将Console线缆的DB9插头一头插到PC或者笔记本电脑的COM口上,另外一端插到路由器的CONSOLE口上。
3.打开计算机中的终端软件工具。例如:CRT或者Windows自带的超级终端。设置如下:
端口:选择第二步中Console线缆插入到PC上的端口,通常为COM 1或者COM 2
波特率:9600
数据位:8位
奇偶校验:无
停止位:1位
数据流控制:无
4.打开配置到的CRT或者超级终端,按“Enter”键,屏幕出现登陆的提示符,即连接成功。如果没有显示,请检查线缆或者终端的配置是否正确。
2.2 system系统参数配置
system是属于EX交换机基本配置部分,在进行其它配置之前需要先完成该部分内容配置 ,主要配置工作如下:
(1)设置root密码
(2)设置主机名
(3)设置日期时间
(4)添加用户
(5)开启ssh/telnet/http服务
(6)设置DNS(可选配置)
(7)分配新的用户权限(可选配置)
(8)设置NTP服务器(可选配置)
2.2.1 设置root密码
交换机初始化用户名是root是没有密码的,在进行commit之前必须修改root密码。修改root密码命令:
set system root-authentication plain-text-password
New password:
Retype new password:
2.2.2 设置主机名
设置命令:
set system host-name EX4200-1 //EX4200-1为主机名
2.2.3 设置DNS服务器
设置命令:
set system name-server 192.168.1.1
删除命令:
delete system name-server 192.168.1.1
2.2.4 设置日期时间
设置命令:
set system time-zone Asia/Shanghai //设置时区
set date 200810301407.00 //设置时间,在用户模式下配置,YYYYMMDDhhmm.ss格式
2.2.5 设置NTP服务器
设置命令:
set system ntp server 192.168.1.1 //设置NTP服务器地址
set system ntp authentication-key 1 type md5 value "password" //设置NTP认证key
set system ntp source-address 192.168.1.254 //设置NTP数据发送源IP地址
删除命令:
delete system ntp
2.2.6 开启远程Telnet登陆服务
说明:在默认缺省配置下,EX交换机只是开放了http远程登陆方式,因此如果想通过telnet登陆到交换机上,必须在系统中打开telnet服务。
设置命令:
set system services telnet
删除命令:
delete system services telnet
2.2.7 开启远程Ftp服务
说明:在默认缺省配置下,EX交换机只是开放了http远程登陆方式,因此如果想通过ftp上传文件,例如OS或者配置到交换机上,必须在系统中打开ftp服务。
设置命令:
set system services ftp
删除命令:
delete system services ftp
2.2.8 开启远程ssh登陆
说明:如果想通过更加安全的ssh登陆到交换机,需要在交换机上打开ssh服务。
设置命令:
set system services ftp
删除命令:
delete system services ftp
2.2.9 开启远程http登陆服务
说明:在默认缺省配置下,EX交换机已经开放了http远程登陆方式。
设置命令:
set system services web-management http
删除命令:
delete system services web-management http
2.2.10 添加/删除用户
2.2.10.1 添加用户
set system login user EX42 class super-user //添加EX42用户为超级用户类别
set system login user EX42 authentication plain-text-password //设置EX42密码
New password:
Retype new password:
2.2.10.2 修改用户类别
set system login user EX42 class read-only //修改EX42用户为只读用户
用户类别分为:
operator permissions [ clear network reset trace view ]
read-only permissions [ view ]
super-user permissions [ all ]
unauthorized permissions [ none ]
2.2.10.3 修改用户密码
set system login user EX42 class read-only //修改EX42用户为只读用户
2.2.10.4 删除用户
delete system login user EX42 //删除EX42用户
2.2.11 用户权限设置
先创建一个新的用户类别,指定该用户类别具有的权限
set system login class EX42_class permissions view //添加EX42_class具有view权限
//下面命令添加EX42_class具有configure权限
set system login class EX42_class permissions configure
set system login class EX42_class idle-timeout 10 //设置登陆idle-time为10分钟
权限列表可以选择:
access Can view access configuration
access-control Can modify access configuration
admin Can view user accounts
admin-control Can modify user accounts
all All permission bits turned on
clear Can clear learned network info
configure Can enter configuration mode
control Can modify any config
field Can use field debug commands
firewall Can view firewall configuration
firewall-control Can modify firewall configuration
floppy Can read and write the floppy
flow-tap Can view flow-tap configuration
flow-tap-control Can modify flow-tap configuration
flow-tap-operation Can tap flows
interface Can view interface configuration
interface-control Can modify interface configuration
maintenance Can become the super-user
network Can access the network
reset Can reset/restart interfaces and daemons
rollback Can rollback to previous configurations
routing Can view routing configuration
routing-control Can modify routing configuration
secret Can view secret statements
secret-control Can modify secret statements
security Can view security configuration
security-control Can modify security configuration
shell Can start a local shell
snmp Can view SNMP configuration
snmp-control Can modify SNMP configuration
system Can view system configuration
system-control Can modify system configuration
trace Can view trace file settings
trace-control Can modify trace file settings
view Can view current values and statistics
view-configuration Can view all configuration (not including secrets)
新建/修改用户并指定该用户类别为刚才创建的类别:
set system login user EX42 class EX42_class //设置用户为新建用户类别
2.3 VLAN配置
VLAN是交换机最重要的一个功能。EX交换机关于VLAN配置的菜单有三层,首先是vlans菜单层次,在vlans(通过edit vlans可以进入vlans菜单里面)里面可以创建vlan,而创建vlan的时候可以指定名字和vlan id。
在EX端口下面,可以指定该端口属于哪个VLAN。
EX交换机支持三层功能,如果要在交换机上配置三层VLAN 网关,需要先创建一个vlan interface子端口,然后将这个只端口和VLAN号关联起来. interfaces vlan是EX的三层端口,而不同VLAN通过不同的unit xx子端口来产生(xx为子端口号),子端口号最好能跟VLAN号统一起来。(例如 interface vlan.100表示interface vlan unit 100,类似于cisco的interface vlan100)
2.3.1 VLAN配置步骤
如果创建一个名字为EX42_vlan的VLAN 10,并且网关设置为192.168.1.1/24,ge-0/0/1属于该VLAN。
步骤:
(1)创建一个VLAN,指定VLAN名称和ID号
set vlans “EX42_vlan” vlan id 10
(2)将交换机端口修改为access模式加入到新创建的VLAN中
set interfaces ge-0/0/1 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members 10
(3)创建3层VLAN子端口,并且将子端口和VLAN关联:
set interfaces vlan unit 10 family inet address 192.168.1.1/24
set vlans vlan l3-interface vlan.10 //vlan子端口和VLAN对应起来
2.3.2 VLAN配置规范要求
(1)指定VLAN名称
(2)设置端口VLAN的时候指定端口为access模式
(3)设置interface vlan子端口的时候,unit子端口号要跟vlan id一致。
2.3.3 添加VLAN
创建vlan
set vlans “EX42_vlan” vlan id 10 //创建vlan id 为10,名字为 EX42_vlan
set vlans juniper_vlan vlan-id 20
将端口加入到指定vlan
//下面命令修改ge-0/0/1端口模式为access模式
set interfaces ge-0/0/1 unit 0 family ethernet-switching port-mode access
//下面命令将vlan加入到端口
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members 10
set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members 20
或者
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members “EX42_vlan”
Vlan检查命令
show vlans
show ethernet-switching interfaces
输出例子:
lab@EX4200-1# run show vlans
Name Tag Interfaces
default
ge-0/0/7.0*, ge-0/0/14.0*, ge-0/0/17.0, ge-0/0/18.0, ge-0/0/19.0, ge-0/0/20.0, ge-0/0/21.0, ge-0/0/22.0, ge-0/0/23.0
juniper_vlan 20
ge-0/0/2.0
EX42_vlan 10
ge-0/0/1.0
mgmt
bme0.32769
[edit]
lab@EX4200-1#
lab@EX4200-1> show ethernet-switching interfaces
Interface State VLAN members Blocking
bme0.32769 down mgmt unblocked
ge-0/0/7.0 up default unblocked
ge-0/0/14.0 up default unblocked
ge-0/0/17.0 down default unblocked
ge-0/0/18.0 down default unblocked
ge-0/0/19.0 down default unblocked
ge-0/0/20.0 down default unblocked
ge-0/0/21.0 down default unblocked
ge-0/0/22.0 down default unblocked
ge-0/0/23.0 down default unblocked
ge-1/0/1.0 down EX42_vlan unblocked
ge-1/0/2.0 down juniper_vlan unblocked
[edit]
lab@EX4200-1#
2.3.4 修改端口VLAN
将端口加入到指定vlan
//下面命令修改ge-0/0/1端口模式为access模式
set interfaces ge-0/0/1 unit 0 family ethernet-switching port-mode access
//下面命令将ge-0/0/1修改为vlan 10 或者EX42_vlan
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members 10
或者
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members “new_vlan”
2.3.5 删除VLAN
1.删除端口vlan
delete interfaces ge-0/0/1 unit 0 family ethernet-switching port-mode access
//下面命令将ge-0/0/1加入到vlan 10 或者EX42_vlan
delete interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members 10
或者
delete interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members “EX42_vlan”
2.删除vlan对应的L3子端口
delete vlans vlan l3-interface vlan.10
3.接着删除vlan配置
delete vlans “EX42_vlan”
2.3.6 配置VLAN网关IP
set vlans EX42 vlan-id 100 //创建vlan 100
//下面命令设置vlan子端口IP地址
set interfaces vlan unit 100 family inet address 192.0.2.129/25
set vlans vlan l3-interface vlan.100 //vlan子端口和VLAN对应起来
2.4 Trunk配置
2.4.1 Trunk配置步骤
(1)指定需要成为Trunk的端口模式为Trunk
(2)设置Trunk端口允许通过的VLAN id。
2.4.2 如何设置Trunk
端口修改成trunk
set interfaces ge-0/0/1 unit 0 family ethernet-switching port-mode trunk
删除端口trunk模式
delete interfaces ge-0/0/1 unit 0 family ethernet-switching port-mode trunk
2.4.3 允许/禁止VLAN通过Trunk
允许通过:允许vlan 10和vlan 20通过
//下面命令允许vlan id为10和20的VLAN通过Trunk
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members [10 20]
禁止VLAN通过:不允许vlan 10通过
delete interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members 10
2.5 端口配置
2.5.1 端口配置规范要求
(1)在连接路由器或者交换机的时候要求指定速率和工作模式。
(2)对于普通网线要求不能将端口设置为1000M速率。
(3)和其它厂家互联,一定要在两边设置指定工作模式和端口速率,不能采用自动协商(避免协商出现问题)
2.5.2 修改端口速率
set interfaces ge-0/0/1 ether-options speed 1g //设置端口为1g速率
set interfaces ge-0/0/1 ether-options speed auto-negotiation //设置速率为自动协商
set interfaces ge-0/0/1 ether-options speed后面可以跟的参数是:
auto-negotiation Enable auto-negotiation
10m 10Mbps
100m 100Mbps
1g 1Gbps
2.5.3 修改端口工作模式
set interfaces ge-0/0/1 ether-options link-mode full-duplex //设置端口全双工模式
set interfaces ge-0/0/1 ether-options link-mode automatic //设置工作模式为自动协商
set interfaces ge-0/0/1 ether-options link-mode后面可以跟的参数是:
automatic Automatic negotiate duplex
full-duplex Full-duplex operation
half-duplex Half-duplex operation
2.5.4 修改端口为L3模式
delete interfaces ge-0/0/1 unit 0 family ethernet-switching //删除端口L2参数
set interfaces ge-0/0/1 unit 0 family inet //设置端口为L3模式
set interfaces ge-0/0/1 unit 0 family inet address 192.168.1.1/30 //设置端口IP地址
2.5.5 修改端口为L2模式
delete interfaces ge-0/0/1 unit 0 family inet //删除端口为L3模式参数
set interfaces ge-0/0/15 unit 0 family ethernet-switching //将端口设置为L2模式
2.6 生成树配置
生成树协议(Spanning Tree)是一种链路管理协议,它为网络提供二层路径冗余同时防止产生环路。IEEE制定的生成树协议包括:STP、RSTP、MSTP,EX系列交换机全面支持这些协议,同时还能兼容PVST+。
2.6.1 STP配置实例
S1交换机:
set protocols stp enable //打开stp功能
set protocols stp bridge-priority 8k //设置stp的优优先值,值从0-65535,值大优先
set protocols stp interface ge-0/0/1.0 priority 8 //设置stp端口优先值,值从0-255,较小优先
set protocols stp interface ge-0/0/2.0 priority 8
S2交换机:
set protocols stp enable
set protocols stp bridge-priority 16k
set protocols stp interface ge-0/0/1.0 priority 16
set protocols stp interface ge-0/0/2.0 priority 16
S3交换机:
set protocols stp enable
set protocols stp bridge-priority 32k
set protocols stp interface ge-0/0/1.0 priority 32
set protocols stp interface ge-0/0/2.0 priority 32
检查命令:
Show span-tree bridge
2.6.2 RSTP配置实例
1.S1交换机上创建VLAN并且配置交换机端口VLAN和Trunk和RSTP协议
set vlans voice-vlan description “Voice VLAN"
set vlans voice-vlan vlan-id 10
set vlans employee-vlan description “Employee VLAN"
set vlans employee-vlan vlan-id 20
set vlans guest-vlan description “Guest VLAN"
set vlans guest-vlan vlan-id 30
set vlans camera-vlan description “Camera VLAN"
set vlans camera-vlan vlan-id 40
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members [10 20 30 40]
set interfaces ge–0/0/2 unit 0 family ethernet-switching vlan members [10 20 30 40]
set interfaces ge–0/0/3 unit 0 family ethernet-switching vlan members [10 20 30 40]
set interfaces ge–0/0/1 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/2 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/3 unit 0 family ethernet-switching port-mode trunk
set protocols rstp bridge-priority 16k //设置rstp的优优先值
set protocols rstp interface ge-0/0/1.0 cost 1000 //设置rstp端口权值
set protocols rstp interface ge-0/0/1.0 mode point-to-point //设置rstp端口模式
set protocols rstp interface ge-0/0/2.0 cost 1000
set protocols rstp interface ge-0/0/2.0 mode point-to-point
set protocols rstp interface ge-0/0/3.0 cost 1000
set protocols rstp interface ge-0/0/3.0 mode point-to-point
2.S2交换机上创建VLAN并且配置交换机端口VLAN和Trunk和RSTP协议:
set vlans voice-vlan description “Voice VLAN"
set vlans voice-vlan vlan-id 10
set vlans employee-vlan description “Employee VLAN"
set vlans employee-vlan vlan-id 20
set vlans guest-vlan description “Guest VLAN"
set vlans guest-vlan vlan-id 30
set vlans camera-vlan description “Camera VLAN"
set vlans camera-vlan vlan-id 40
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members [10 20 30 40]
set interfaces ge–0/0/2unit 0 family ethernet-switching vlan members [10 20 30 40]
set interfaces ge–0/0/1 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/2 unit 0 family ethernet-switching port-mode trunk
set protocols rstp bridge-priority 32k
set protocols rstp interface ge-0/0/1.0 cost 1000
set protocols rstp interface ge-0/0/1.0 mode point-to-point
set protocols rstp interface ge-0/0/2.0 cost 1000
set protocols rstp interface ge-0/0/2.0 mode point-to-point
3.S3交换机上创建VLAN并且配置交换机端口VLAN和Trunk和RSTP协议
set vlans voice-vlan description “Voice VLAN"
set vlans voice-vlan vlan-id 10
set vlans employee-vlan description “Employee VLAN"
set vlans employee-vlan vlan-id 20
set vlans guest-vlan description “Guest VLAN"
set vlans guest-vlan vlan-id 30
set vlans camera-vlan description “Camera VLAN"
set vlans camera-vlan vlan-id 40
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members [10 20 30 40]
set interfaces ge–0/0/2unit 0 family ethernet-switching vlan members [10 20 30 40]
set interfaces ge–0/0/3 unit 0 family ethernet-switching vlan members [10 20 30 40]
set interfaces ge–0/0/1 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/2 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/3 unit 0 family ethernet-switching port-mode trunk
set protocols rstp bridge-priority 8k
set protocols rstp interface ge-0/0/1.0 cost 1000
set protocols rstp interface ge-0/0/1.0 mode point-to-point
set protocols rstp interface ge-0/0/2.0 cost 1000
set protocols rstp interface ge-0/0/2.0 mode point-to-point
set protocols rstp interface ge-0/0/3.0 cost 1000
set protocols rstp interface ge-0/0/3.0 mode point-to-point
4.S4交换机上创建VLAN并且配置交换机端口VLAN和Trunk和RSTP协议
set vlans voice-vlan description “Voice VLAN"
set vlans voice-vlan vlan-id 10
set vlans employee-vlan description “Employee VLAN"
set vlans employee-vlan vlan-id 20
set vlans guest-vlan description “Guest VLAN"
set vlans guest-vlan vlan-id 30
set vlans camera-vlan description “Camera VLAN"
set vlans camera-vlan vlan-id 40
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members [10 20 30 40]
set interfaces ge–0/0/2unit 0 family ethernet-switching vlan members [10 20 30 40]
set interfaces ge–0/0/1 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/2 unit 0 family ethernet-switching port-mode trunk
set protocols rstp bridge-priority 16k
set protocols rstp interface ge-0/0/1.0 cost 1000
set protocols rstp interface ge-0/0/1.0 mode point-to-point
set protocols rstp interface ge-0/0/2.0 cost 1000
set protocols rstp interface ge-0/0/2.0 mode point-to-point
5.利用show spanning-tree interface命令查看4台交换机STP状态。
2.6.3 MSTP配置 实例
1.S1交换机上创建VLAN并且配置交换机端口VLAN和Trunk和MSTP协议
set vlans voice-vlan description “Voice VLAN"
set vlans voice-vlan vlan—id 10
set vlans employee-vlan description “Employee VLAN"
set vlans employee-vlan vlan-id 20
set vlans guest-vlan description “Guest VLAN"
set vlans guest-vlan vlan-id 30
set vlans camera-vlan description “Camera VLAN"
set vlans camera-vlan vlan-id 40
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members [10 20 30 40]
set interfaces ge–0/0/2 unit 0 family ethernet-switching vlan members [10 20 30 40]
set interfaces ge–0/0/3 unit 0 family ethernet-switching vlan members [10 20 30 40]
set interfaces ge–0/0/1 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/2 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/3 unit 0 family ethernet-switching port-mode trunk
set protocols mstp configuration-name region1 //设置MSTP MSI
set protocols mstp bridge-priority 16k //设置Mstp的优优先值
set protocols mstp interface ge-0/0/1.0 cost 1000 //设置Mstp端口权值
set protocols mstp interface ge-0/0/1.0 mode point-to-point
set protocols mstp interface ge-0/0/2.0 cost 1000
set protocols mstp interface ge-0/0/2.0 mode point-to-point
set protocols mstp interface ge-0/0/3.0 cost 1000
set protocols mstp interface ge-0/0/3.0 mode point-to-point
set protocols mstp msti 1 bridge-priority 16k
set protocols mstp msti 1 vlan [10 20]
set protocols mstp msti 1 interface ge-0/0/3.0 cost 4000
set protocols mstp msti 2 bridge-priority 8k
set protocols mstp msti 2 vlan [30 40]
2.在S2交换机上创建VLAN并且配置交换机端口VLAN和Trunk和MSTP协议
set vlans voice-vlan description “Voice VLAN"
set vlans voice-vlan vlan—id 10
set vlans employee-vlan description “Employee VLAN"
set vlans employee-vlan vlan-id 20
set vlans guest-vlan description “Guest VLAN"
set vlans guest-vlan vlan-id 30
set vlans camera-vlan description “Camera VLAN"
set vlans camera-vlan vlan-id 40
set interfaces ge–0/0/1 unit 0 family ethernet-switching vlan members [10 20 30 40]
set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members [10 20 30 40]
set interfaces ge-0/0/1 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/2 unit 0 family ethernet-switching port-mode trunk
set protocols mstp configuration-name region1
set protocols mstp bridge-priority 32k
set protocols mstp interface ge-0/0/1.0 cost 1000
set protocols mstp interface ge-0/0/1.0 mode point-to-point
set protocols mstp interface ge-0/0/2.0 cost 1000
set protocols mstp interface ge-0/0/2.0 mode point-to-point
set protocols mstp msti 1 bridge-priority 32k
set protocols mstp msti 1 vlan [10 20]
set protocols mstp msti 2 bridge-priority 4k
set protocols mstp msti 2 vlan [30 40]
3.在S3交换机上创建VLAN并且配置交换机端口VLAN和Trunk和MSTP协议
set vlans voice-vlan description “Voice VLAN"
set vlans voice-vlan vlan-id 10
set vlans employee-vlan description “Employee VLAN"
set vlans employee-vlan vlan-id 20
set vlans guest-vlan description “Guest VLAN"
set vlans guest-vlan vlan-id 30
set vlans camera-vlan description “Camera VLAN"
set vlans camera-vlan vlan—id 40
set interfaces ge–0/0/1 unit 0 family ethernet-switching vlan members [10 20 30 40]
set interfaces ge–0/0/2 unit 0 family ethernet-switching vlan members [10 20 30 40]
set interfaces 0/0/3 unit 0 family ethernet-switching vlan members [10 20 30 40]
set interfaces ge-0/0/1 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/2 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/24 unit 0 family ethernet-switching port-mode trunk
set protocols mstp configuration-name region1
set protocols mstp bridge-priority 8k
set protocols mstp interface ge-0/0/1.0 cost 1000
set protocols mstp interface ge-0/0/1.0 mode point-to-point
set protocols mstp interface ge-0/0/2.0 cost 1000
set protocols mstp interface ge-0/0/2.0 mode point-to-point
set protocols mstp interface ge-0/0/24.0 cost 1000
set protocols mstp interface ge-0/0/24.0 mode point-to-point
set protocols mstp msti 1 bridge-priority 4k
set protocols mstp msti 1 vlan [10 20]
set protocols mstp msti 2 bridge-priority 16k
set protocols mstp msti 2 vlan [30 40]
4.在S4交换机上创建VLAN并且配置交换机端口VLAN和Trunk和MSTP协议
set vlans voice–vlan description “Voice VLAN"
set vlans voice-vlan vlan–id 10
set vlans employee—vlan description “Employee VLAN"
set vlans employee—vlan vlan—id 20
set vlans guest—vlan description “Guest VLAN"
set vlans guest—vlan vlan—id 30
set vlans camera—vlan description “Camera VLAN"
set vlans camera—vlan vlan—id 40
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members [10 20 30 40]
set interfaces ge-00/0/2 unit 0 family ethernet-switching vlan members [10 20 30 40]
set interfaces ge—0/0/1 unit 0 family ethernet-switching port-mode trunk
set interfaces ge—00/0/2 unit 0 family ethernet-switching port-mode trunk
set protocols mstp configuration-name region1
set protocols mstp bridge-priority 16k
set protocols mstp interface ge—0/0/1.0 cost 1000
set protocols mstp interface ge—0/0/1.0 mode point-to-point
set protocols mstp interface ge—00/0/2.0 cost 1000
set protocols mstp interface ge—00/0/2.0 mode point-to-point
set protocols mstp msti 1 bridge-priority 16k
set protocols mstp msti 1 vlan [10 20]
set protocols mstp msti 2 bridge-priority 32k
set protocols mstp msti 2 vlan [30 40]
2.7 端口捆绑
EX交换机最多可以进行8条链路的捆绑,捆绑之后端口可以成为二层的,也可以成为三层端口。捆绑之后多条链路进行流量负载分担,EX支持三层和四层的负载分担算法,源IP地址、目的IP地址、源端口和目的端口都会作为计算元素参与分担的Hash算法。
注意:在需要捆绑的端口不能设置link-mode工作模式,如果已经设置了,需要使用delete命令删除,否则commit提交会失败。
2.7.1 端口捆绑步骤
(1)设置聚合端口数量,让系统产生聚合端口。当使用下面命令之后,系统会产生2个名字为ae0和ae1的聚合端口。device-count最多可以支持64个,如果先长生一个ae0,以后再修改device-count多产生几个ae端口,这对已经存在的ae0没有影响。
set chassis aggregated-devices ethernet device-count 2 (2表示支持2个聚合口)
(2)删除需要捆绑的端口参数,然后设置需要捆绑的速率。
delete interfaces ge-0/0/1 unit 0这个命令就可以把ge-0/0/1的unit 0后面的参数删除了,例如后面的family ethernet-switching和family inet都删除了。
备注:在做捆绑的时候先执行上面的命令把端口下的配置都删掉,否则会报错,举例;
root@Backup-3-6-5-1-J3300-10.195.3.200.SHHP# commit
[edit interfaces xe-0/1/1]
'unit 0'
logical unit is not allowed on aggregated links
error: configuration check-out failed
{master:0}[edit]
(3)将需要捆绑的端口加入到指定的ae聚合端,例如下面将ge-0/0/1和ge-0/0/2捆绑到一起,绑定到ae0聚合端口
set interfaces ge-0/0/1 ether-options 802.3ad ae0
set interfaces ge-0/0/2 ether-options 802.3ad ae0
(4)将端口绑定之后,ae聚合端口就相当于是普通端口一样,可以设置为VLAN端口或者3层端口了
2.7.2 L2端口捆绑
set chassis aggregated-devices ethernet device-count 2 //设置系统生成聚合端口数量,最大为128
delete interfaces ge-0/0/1 unit 0 //删除端口L2和L3参数
delete interfaces ge-0/0/2 unit 0
set interfaces ge-0/0/1 speed 1g //设置端口速率
set interfaces ge-0/0/2 speed 1g
set interfaces ge-0/0/1 ether-options 802.3ad ae0
set interfaces ge-0/0/2 ether-options 802.3ad ae0
set interfaces ae0 unit 0 family ethernet-switching //设置聚合端口L2模式
set interfaces ae0 unit 0 family ethernet-switching port-mode access //设置为vlan模式
set interfaces ae0 unit 0 family ethernet-switching vlan members 10 //设置为vlan 10
2.7.3 L3端口捆绑
set chassis aggregated-devices ethernet device-count 2 //设置系统生成聚合端口数量,最大为128
delete interfaces ge-0/0/1 unit 0 //删除端口L2和L3参数
delete interfaces ge-0/0/2 unit 0
set interfaces ge-0/0/1 speed 1g //设置端口速率
set interfaces ge-0/0/2 speed 1g
set interfaces ge-0/0/1 ether-options 802.3ad ae0
set interfaces ge-0/0/2 ether-options 802.3ad ae0
set interfaces ae0 unit 0 family inet address 1.1.1.1/24 //设置聚合端口L3地址
2.8 ECMP负载均衡配置
EX交换机支持ECMP(Equal-Cost MultiPath),最多支持8条等价路由负载均衡。通常在EX上配置ECMP,是将多个端口修改成三层模式,然后配置端口IP地址,设置静态路由指向多个等价下一跳。ECMP是根据源IP地址、目的IP地址,源端口,目的端口,以及协议来计算Hash值,根据hash值来选择路由的下一条实现负载均衡。设置步骤如下:
(1)设置多条等价路由
(2)创建load-banlance policy
(3)将load-banlance policy应用到转表中
例子:
SW1和SW2设置了4条链路,现在要在SW1上设置4条到192.168.1.0/24网段的等价路由,然后实现ECMP负载均衡。
SW1设置方法:
(1)设置多条等价路由
set routing-options static route 192.168.1.0/24 next-hop 1.1.1.2
set routing-options static route 192.168.1.0/24 next-hop 2.2.2.2
set routing-options static route 192.168.1.0/24 next-hop 3.3.3.2
set routing-options static route 192.168.1.0/24 next-hop 4.4.4.2
(2)设置load-bance policy
set policy-options policy-statement ECMP term 1 then load-balance per-packet
(3)将policy应用到forwarding table转发表
set routing-options forwarding-table export ECMP
查看命令:
show route
show route forwarding-table
2.9 路由协议配置
2.9.1 静态路由配置
在设置静态路由的时候,可以通过next-hop和qualified-next-hop来指定下一跳地址,它们之间的区别是next-hop后面仅仅可以跟IP地址,而qualified-next-hop除了可以跟下一条IP地址之外,还可以指定下一跳的端口。
2.9.1.1 添加静态路由
//设置172.16.1.0/24网段指向下一跳地址192.168.1.253
set routing-options static route 172.16.1.0/24 next-hop 192.168.1.253
2.9.1.2 删除静态路由
delete routing-options static route 172.16.1.0/24
2.9.1.3 调整静态路由优先值
set routing-options static route 172.16.1.0/24 next-hop 10.1.1.1 preference 100
2.9.1.4 设置备份静态路由
//设置主用路由优先值为100
set routing-options static route 172.16.1.0/24 next-hop 10.1.1.1 preference 100
//设置备份路由优先值为200,注意只能用qualified-next-hop指定下一跳地址
set routing-options static route 0.0.0.0/0 qualified-next-hop 20.1.1.1 preference 200
2.9.1.5 指定静态路由下一跳端口
set routing-options static route 0.0.0.0/0 qualified-next-hop 20.1.1.1 interface ge-0/0/1.0
2.9.2 OSPF配置
Juniper EX交换机中,如果启用了OSPF协议,那么EX交换机不会自动将本机上的静态路由/直连路由等通告给邻居,因此需要编写policy进行路由重分布
2.9.2.1 OSPF配置步骤
(1)配置router id
(2)配置启动ospf协议
(3)配置OSPF端口参数
(4)配置OSPF export策略(路由重定向)
OSPF命令层次结构:
/* 配置router-id */
routing-options {
router-id [router-id];
graceful-restart; //启动Graceful Restart技术
}
/* 启动OSPF */
protocols {
ospf {
/* 调整OSPF管理距离 */
preference [preference];
external-preference [ext-preference];
/* 启动graceful-restart */
graceful-restart {
notify-duration [notify-seconds];
restart-duration [restart-seconds];
}
/* 设置骨干或一般区域 */
area [area-id] {
/* 定义认证方式 */
authentication-type [auth-type];
/* 设置OSPF逻辑端口 */
interface [interface-name] {
[disable];
[passive];
/* 设置认证 */
authentication {
[auth-type] [key-id] key “[key-value]”;
}
hello-interval [hello-interval];
dead-interval [dead-interval];
retransmit-interval [retransmit-interval];
priority [priority-number];
}
}
area [area-id] {
authentication-type [auth-type];
/* 将区域设置为NSSA */
nssa {
area-range [network/mask-length];
default-lsa {
default-metric [metric]; //设定缺省路由的Metric值
metric-type [metric_type]; //设定外部路由的类型,1或者2
type-7; //如果配置了no-summaries,则产生Type 7的缺省LSA
}
/* 控制Summary LSA进入NSSA区域 */
[no-summaries | summaries];
}
interface [interface-name] {
[disable];
[passive];
authentication {
[auth-type] [key-id] key "[key-value]";
}
hello-interval [hello-interval];
dead-interval [dead-interval];
retransmit-interval [retransmit-interval];
priority [priority-number];
/* 启动BFD加快OSPF收敛 */
bfd-liveness-detection {
minimum-interval [int-msec];
minimum-receive-interval [rx-msec];
minimum-transmit-interval [tx-msec];
multiplier [multiply-number];
}
}
}
}
}
重要参数说明:
参数名称 参数说明 参数规范
router-id router-id地址
preference 内部OSPF管理距离 0 – 255,缺省值:10
ext-preference 外部OSPF管理距离 0 – 255,缺省值:150
notify-seconds 送出purged LSA的秒数 缺省值:30秒
restart-seconds 重新建立full邻居的秒数 缺省值:180秒
area-id 区域ID 0.0.0.0:表示为骨干区域
auth-type 认证编码方式 md5或者simple
interface-name 需要运行OSPF的逻辑端口名
disable 关闭逻辑端口OSPF的运行 缺省值:无
(表示启动OSPF)
passive 将逻辑端口设置为被动端口
key-id 认证id 范围0 – 255,相连两端口key-id值必须相同
key-value 认证密码 长度1 – 16 字元(使用MD5时)
hello-interval Hello Packet的间隔秒数 建议值:5秒
dead-interval 持续为收到Hello,认定邻居为down的秒数 建议值:20秒
必须为hello-interval的4倍
retransmit-interval 当没有收到LS ACK时,重新送出LSA的秒数 缺省值:5秒
priority-number DR的priority 缺省值为128
int-msec BFD传送及接收的最小间隔毫秒数
rx-msec BFD接收的最小间隔毫秒数
tx-msec BFD传送的最小间隔毫秒数
multiply-number BFD侦测为失效的间隔时间倍数
network/mask-length 网络地址及掩码长度
no-summaries | summaries 允许或防止Summary LSA进入NSSA区域
2.9.2.2 OSPF配置实例
1.设置端口互联,将交换机互联端口设置为三层互联:
delete interfaces ge-0/0/1 unit 0 family ethernet-switching
set interfaces ge-0/0/1 unit 0 family inet address 1.1.1.1/30
delete interfaces ge-0/0/1 unit 0 family ethernet-switching
set interfaces ge-0/0/1 unit 0 family inet address 1.1.1.2/30
2.创建VLAN,设置网关
set vlans vlan10 vlan-id 10
set interfaces ge-0/0/10 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/10 unit 0 family ethernet-switching vlan members vlan10
3.设置OSPF:
//设置rooter id,通常设置为loopback地址
set routing-options router-id 192.168.1.1
set protocols ospf preference 200 //调整OSPF的管理距离,缺省为10
//设置送出purged LSA的秒数,缺省是30秒
set protocols ospf graceful-restart notify-duration 100
//设置重新建立full邻居的秒数,缺省是180秒
set protocols ospf graceful-restart restart-duration 200
//设置邻居端口类型为P2P,可以选择的类型是nbma,p2mp,p2p:
set protocols ospf area 0.0.0.0 interface ge-0/0/1.0 interface-type p2p
//设置OSPF端口优先值为100,缺省是128
set protocols ospf area 0.0.0.0 interface ge-0/0/1.0 priority 100
//设置OSPF当没有收到LS ACK时,重新送出LSA的秒数,缺省是5秒
set protocols ospf area 0.0.0.0 interface ge-0/0/1.0 retransmit-interval 10
//设置Hello Packet的间隔秒数
set protocols ospf area 0.0.0.0 interface ge-0/0/1.0 hello-interval 5
//设置持续为收到Hello,认定邻居为down的秒数
set protocols ospf area 0.0.0.0 interface ge-0/0/1.0 dead-interval 10
//设置认证方式和密码,认证方式分为MDF和simple-password
set protocols ospf area 0.0.0.0 interface ge-0/0/1.0 authentication simple-password "EX42"
//将逻辑端口设置为被动端
set protocols ospf area 0.0.0.0 interface ge-0/0/2.0 passive
//将策略中的指定路由发布给OSPF邻居
set protocols ospf export direct2ospf
//定义需要发布的路由策略
set policy-options policy-statement direct2ospf from protocol direct
set policy-options policy-statement direct2ospf then accept
4.分别在三台交换机上检查OSPF路由协议是否正常,检查命令:
show route
show ospf neighbor
2.9.2.3 OSPF路由过滤
//定义需要发布的路由策略
set policy-options policy-statement ospf_export term 1 from route-filter 192.168.1.0/24 exact
set policy-options policy-statement ospf_export term 1 from route-filter 192.168.2.0/24 exact
set policy-options policy-statement ospf_export term 1 then accept
set policy-options policy-statement ospf_export term 2 then reject
//定义需要接收的路由策略
set policy-options policy-statement ospf_import term 1 from route-filter 10.10.1.0/24 exact
set policy-options policy-statement ospf_import term 1 from route-filter 10.10.2.0/24 exact
set policy-options policy-statement ospf_import term 1 then accept
set policy-options policy-statement ospf_import term 2 then reject
//在OSPF中export需要发布的策略
set protocols ospf export ospf_export
//在OSPF中import需要发布的策略
set protocols ospf import ospf_import
2.10 端口镜像
EX交换机的端口镜像实现对端口入流量,或者出流量单独进行镜像,而且通过ethernet-switching的firewall filter,可以指定符合条件的流量进行镜像,例如指定IP地址或者MAC地址的流量,或者指定协议(例如Http)的流量镜像。
2.10.1 端口输入输出流量镜像
操作步骤:
(1)建立一个端口镜像名称,并且指定需要作镜像的端口,同一个镜像名称可以指定多个要镜像的端口的。
(2)创建镜像名称之后,指定需要镜像的输出端口,然后在输出端口接个sniffer就可以抓取镜像的流量了。
//设置要镜像的端口流量,egress是镜像端口出流量,ingress是镜像端口1入流量,//port_monitor是镜像名称
set ethernet-switching-options analyzer port_monitor input egress interface ge-0/0/11.0
set ethernet-switching-options analyzer port_monitor input ingress interface ge-0/0/10.0
//设置要输出镜像到哪个端口,下面命令是镜像流量输出到ge-0/0/1端口
set ethernet-switching-options analyzer port_monitor output interface ge-0/0/1.0
备注:2个接口要先配置为二层口,同时不能有vlan配置,input和out方向都配置完成后再统一commit
2.10.2 带过滤条件的端口镜像
//设置镜像输出端口
set ethernet-switching-options analyzer port_monitor output interface ge-0/0/10.0
//设置过滤条件,具体条件设置请参考JUNOS的filter设置说明
//指定目的IP地址
set firewall family ethernet-switching filter mirror_filter term 1 from destination-address 192.0.2.16/28
//指定源IP地址
set firewall family ethernet-switching filter mirror_filter term 1 from source-address 192.0.2.16/28
//指定目的端口
set firewall family ethernet-switching filter mirror_filter term 1 from destination-port 80
//定义符合条件进行镜像动作,port_monitor就是上面定义的镜像名称
set firewall family ethernet-switching filter mirror_filter term 1 then analyzer port_monitor
//其它流量不镜像
set firewall family ethernet-switching filter mirror_filter term 2 then accept
//设置需要镜像端口的filter参数
set interfaces set ge-0/0/0 unit 0 family ethernet-switching filter input mirror_filter
检查命令输出例子:
user@switch> show analyzer
Analyzer name : employee-monitor
Analyzer mirror ratio : 1
Analyzer loss priority : Low
Analyzer ingress monitored interfaces: ge-0/0/0.0
ge-0/0/1.0
Analyzer egress monitored interfaces : None
Analyzer port_monitor interface : ge-0/0/10.0
Analyzer port_monitor VLAN : None
2.11 端口MAC地址限制
//设置EX3200的ge-0/0/10端口下最大只允许100个MAC地址通过。
set ethernet-switching-options secure-access-port interface ge-0/0/10.0 mac-limit 100
set ethernet-switching-options secure-access-port interface ge-0/0/10.0 mac-limit action drop
2.12 端口广播风暴控制
//设置端口的广播包最大占带宽的百分比,目前交换机只支持百分比的控制,而不支持限制多少//pps的控制。
set ethernet-switching-options storm-control interface ge-0/0/10.0 level 15
2.13 VRRP配置
2.13.1 如何配置VRRP
//创建VLAN和VLAN三层子端口
set vlans EX42 vlan-id 100
set interfaces vlan unit 100 family inet
set vlans EX42 l3-interface vlan.100
//设置VRRP参数
主用交换机设置:
edit interfaces vlan unit 100 family inet address 192.168.1.1/24 //进入端口IP配置
set vrrp-group 0 virtual-address 192.168.1.254 //设置VRRP虚拟IP地址
set vrrp-group 0 priority 200 //设置优先值,优先值越大越优先成为主用
set vrrp-group 0 fast-interval 2000 //设置hello包间隔时间为2秒(默认是1秒)
set vrrp-group 0 preempt hold-time 30 //设置抢占模式,并且等待30秒才切换
set vrrp-group 0 accept-data //设置虚拟IP可以ping通(默认虚拟IP不允许ping)
备用交换机设置:
edit interfaces vlan unit 100 family inet address 192.168.1.2/24 //进入端口IP配置
set vrrp-group 0 virtual-address 192.168.1.254 //设置VRRP虚拟IP地址
set vrrp-group 0 priority 100 //设置优先值,优先值越大越优先成为主用
set vrrp-group 0 fast-interval 2000 //设置hello包间隔时间为2秒(默认是1秒)
set vrrp-group 0 preempt hold-time 30 //设置抢占模式,并且等待30秒才切换
set vrrp-group 0 accept-data //设置虚拟IP可以ping通(默认虚拟IP不允许ping)
2.13.2 如何检查VRRP状态
lab@EX4200> show vrrp
Interface Unit Group Type Address Int state VR state Timer
ge-0/1/0 0 1 lcl 10.157.232.3 up backup D 0.329
vip 10.157.232.1
mas 10.157.232.2
lab@EX4200> exit
2.13.3 如何切换VRRP
1.通过拔网线或者shutdown端口进行切换。
2.通过降低主用优先值进行切换。
3.重新启动交换机进行切换。
2.14 BFD配置
2.14.1 OSPF中配置BFD
//设置bfd的版本
set protocols ospf area 0.0.0.0 interface ge-0/0/1.0 bfd-liveness-detection version 1
//设置bfd传送及接收的最小间隔毫秒数
set protocols ospf area 0.0.0.0 interface ge-0/0/1.0 bfd-liveness-detection minimum-interval 200
//设置bfd接收的最小间隔毫秒数
set protocols ospf area 0.0.0.0 interface ge-0/0/1.0 bfd-liveness-detection minimum-receive-interval 200
//设置bfd侦测为失效的间隔时间倍数
set protocols ospf area 0.0.0.0 interface ge-0/0/1.0 bfd-liveness-detection multiplier 3
2.14.2 静态路由中配置BFD
//设置bfd的版本
set routing-options static route 172.16.1.0/24 bfd-liveness-detection version 1
//设置bfd传送及接收的最小间隔毫秒数
set routing-options static route 172.16.1.0/24 bfd-liveness-detection minimum-interval 200
//设置bfd接收的最小间隔毫秒数
set routing-options static route 172.16.1.0/24 bfd-liveness-detection minimum-receive-interval 200
//设置bfd侦测为失效的间隔时间倍数
set routing-options static route 172.16.1.0/24 bfd-liveness-detection multiplier 3
2.15 交换机Firewall限制功能
2.15.1 限制IP地
//建立过滤策略
//指定过滤条件:源IP
set firewall family Ethernet-switching filter ipfilter term 1 from source-address 192.168.1.1
//指定过滤符合条件:目的IP
set firewall family Ethernet-switching filter ipfilter term 1 from destination-address 192.168.1.254
//指定符合条件的流量所做的动作:accept或者discard
set firewall family Ethernet-switching filter ipfilter term 1 then accept
//指定其它不符合条件的动作
set firewall family Ethernet-switching filter ipfilter term 2 discard
//将过滤条件应用到端口上
set interface ge-0/0/10 unit 0 family Ethernet-switching filter input ipfilter
2.15.2 限制MAC地址
//建立过滤策略
//指定过滤条件:源MAC
set firewall family Ethernet-switching filter macfilter term 1 from source-mac-address aa:aa:aa:aa:aa:aa
//指定过滤符合条件:目的MAC
set firewall family Ethernet-switching filter macfilter term 1 from destination-mac-address bb:bb:bb:bb:bb:bb
//指定符合条件的流量所做的动作:accept或者discard
set firewall family Ethernet-switching filter macfilter term 1 then accept
//指定其它不符合条件的动作
set firewall family Ethernet-switching filter macfilter term 2 discard
//将过滤条件应用到端口上
set interface ge-0/0/10 unit 0 family Ethernet-switching filter input macfilter
2.16 Virtual-Chassis设置
2.17 VC知识
EX4200交换机支持灵活的Virtual Chassis(虚拟机框)。你可以将多台独立的EX4200交换机互相连接起来形成一个单元(unit)并且当成一个单独机框来管理,叫虚拟机框。Juniper最多支持10台EX4200组成一个VC提供480个端口。每台EX4200通过背后面板有两个告诉的VCP虚拟交换机端口(Virtual Chassiss port),每个端口可以提供32Gbps的全双工带宽,当交换机组成一个环,则每台交换机可以提供64Gbps的全双工带宽,因为两个端口是同时独立工作。
当多台EX4200组成VC之后,在VC中就会选择产生master和backup交换机,master交换机就相当于master RE(Routing Engine引擎),backup就相当于backup RE。RE提供如下功能:
运行各种协议。
提供转发表给VC中所有交换机的FPE(Packet Forwarding Engine)包转发引擎。
运行其它管理和控制进程,用来对VC进行配置。
你可以在VC中配置GRES( graceful Routing Engine switchover平滑路由引擎切换 ),允许VC从主用路由引擎切换到备用路由引擎的时候对网络中断影响最小,当你配置了GRES之后,备用路由引擎就会自动同步主用路由引擎的核心信息以及转发状态,主用路由引擎的所有更新都会copy一份给备用路由引擎,当主用路由引擎出现故障,备用路由引擎就会接替它工作。VC中的其它交换机在重新连接到新的路由引擎的时候,并不会重新初始化自己的转发信息状态,因此即使路由引擎切换了,对网络的影响也非常小。
2.17.1 如何建立VC组
VC建立内容:
(1)将交换机恢复出厂设置。
(2)连接VCP线。
(3)开启主用交换机,并且设置主用交换机优先值。
(4)设置VC的管理端口vme0地址
(5)配置GRES
(6)开启备用交换机,并且设置备用交换机优先值(要比主用优先值小)。
1.将两台交换机恢复出厂设置。
2.按照下图连接交换机:
3.启动第一台交换机配置,设置优先值为200,配置vme0地址:
set virtual-chassis member 0 mastership-priority 200
set interfaces vme0 unit 0 family inet address 192.168.1.100/24
4.配置冗余切换参数GRES
set chassis redundancy graceful-switchover
5.启动第二台换机,设置优先值为100:
set virtual-chassis member 0 mastership-priority 100
6.两台交换机自动组建成VC,一台是master状态,另外一台是backup状态。
7.利用show virtual-chassis status显示VC状态,显示结构应该类似下面:
lab@EX4200-1> show virtual-chassis status
Virtual Chassis ID: 001f.1238.0200
Mastership Neighbor List
Member ID Status Serial No Model priority Role ID Interface
0 (FPC 0) Prsnt BR0208248684 ex4200-24f 128 Master* 1 vcp-0
vcp-1
1 (FPC 1) Prsnt BQ0208211466 ex4200-48p 128 Backup 0 vcp-0
vcp-1
Member ID for next new member: 2 (FPC 2)
lab@EX4200-1>
2.17.2 如何扩充VC组交换机
1.假设原来VC已经组建好。
2.将需要加入的第三台交换机恢复出厂设置。
3.设置原来两台交换机的优先值为255,以保持原来交换机的状态不变:
set virtual-chassis member 0 mastership-priority 255
set virtual-chassis member 1 mastership-priority 255
4.连接第三台交换机的VC线,然后启动第三台交换机。
5.检查三台交换机的状态是否正常,正常状态应该类似于:
user@SWA-0> show virtual-chassis status
Virtual Chassis ID: 0000.e255.00e0
Mastership Neighbor List
Member ID Status Serial No Model Priority Role ID Interface
0 (FPC 0) Prsnt abc123 ex4200-48p 255 Master* 1 vcp-0
2 vcp-1
1 (FPC 1) Prsnt def456 ex4200-24t 255 Backup 2 vcp-0
0 vcp-1
2 (FPC 2) Prsnt abd231 ex4200-24p 128 Linecard 0 vcp-0
1 vcp-1
2.17.3 如何利用uplink链路组成VC
假设已经有两组VC(每组VC有两台交换机)通过VCP端口进行连接,两个VC独立工作。现在通过Uplink线将两组VC建成新的VC,需要重新调整配置。下面是调整前的VC组:
经过调整之后,四台交换机组成一个新的VC,结构图如下:
交换机的关系如下:
交换机 member id 角色 priority优先值 up Link端口 所属VC
SWA-0 0 master 255 xe-0/1/0 VC A
SWA-1 1 linecard 128 xe-1/1/0 VC A
SWA-2 2 backup 255 xe-0/1/0 VC B
SWA-3 3 linecard 128 xe-3/1/0 VC B
配置步骤:
(1)设置VCA中的swa-0的优先值为255:
user@SWA-0#set virtual-chassis member 0 mastership-priority 255
(2)在VCA中设置SWA-1为member 1,SWA-1加入到VCA之后,交换机就成为了FPC 1
user@SWA-0> request virtual-chassis vc-port set pic-slot 1 port 0
user@SWA-0> request virtual-chassis vc-port set pic-slot 1 port 0 member 1
(3)修改SWA-2交换机的优先值,以便加入VCA之后不产生切换:
user@SWA-2# set member 0 mastership-priority 255
(4)设置SWA-3交换机的VC端口
user@SWA-2>request virtual-chassis vc-port set pic-slot 1 port 0
(5)关闭SWA-2交换机,然后通过uplink连接到SWA-0交换机上,在重新启动SWA-2交换机,SWA-2自动加入到VC中成为backup。
(6)设置SWA-1和SWA-3之间的uplink作为冗余链路
user@SWA-0> request virtual-chassis vc-port set pic-slot 1 port 0 member 3
显示配置:
user@SWA-0# show
virtual-chassis {
member 0 {
mastership-priority 255;
}
member 1 {
mastership-priority 128;
}
member 2 {
mastership-priority 255;
}
member 3 {
mastership-priority 128;
}
}
2.17.4 如何对VC组进行切换
利用下面命令进行切换:
request chassis routing-engine master switch
2.18 SNMP配置
//设置只读community串为ex-public
set snmp community ex-public authorization read-only
//设置只读community串的客户端IP,只有这些IP能通过snmp的只读串访问交换机
set snmp community ex-public clients 192.168.1.1
//设置读写community串为ex-private
set snmp community ex-private authorization read-write
//设置读写community串的客户端IP,只有这些IP能通过snmp的读写串访问交换机
set snmp community ex-private clients 192.168.1.1
//设置SNMP trap
set snmp trap-group snmptrap categories authentication //authentication失败发送trap
set snmp trap-group snmptrap categories chassis //chassiss机框故障发送trap
set snmp trap-group snmptrap categories link //链路故障发送trap
set snmp trap-group snmptrap categories startup // 交换机重启发送trap
set snmp trap-group snmptrap categories vrrp-events //设置VRRP切换发送trap
set snmp trap-group snmptrap targets 192.168.1.1 //设置发送trap的源IP地址
检查命令:
lab@EX4200# run show snmp statistics
SNMP statistics:
Input:
Packets: 0, Bad versions: 0, Bad community names: 0,
Bad community uses: 0, ASN parse errors: 0,
Too bigs: 0, No such names: 0, Bad values: 0,
Read onlys: 0, General errors: 0,
Total request varbinds: 0, Total set varbinds: 0,
Get requests: 0, Get nexts: 0, Set requests: 0,
Get responses: 0, Traps: 0,
Silent drops: 0, Proxy drops: 0, Commit pending drops: 0,
Throttle drops: 0, Duplicate request drops: 0
V3 Input:
Unknown security models: 0, Invalid messages: 0
Unknown pdu handlers: 0, Unavailable contexts: 0
Unknown contexts: 0, Unsupported security levels: 0
Not in time windows: 0, Unknown user names: 0
Unknown engine ids: 0, Wrong digests: 0, Decryption errors: 0
Output:
Packets: 0, Too bigs: 0, No such names: 0,
Bad values: 0, General errors: 0,
Get requests: 0, Get nexts: 0, Set requests: 0,
Get responses: 0, Traps: 0
[edit]
lab@EX4200#
2.19 Syslog配置
set system syslog host 192.168.1.254 any error //设置syslog服务器
//接收交互式命令warning级别错误日志
set system syslog host 192.168.1.254 interactive-commands warning
2.20 multi-vrf配置
set interfaces ge-0/0/7 vlan-tagging //设置端口ge-0/0/7为vlan 封装
set interfaces ge-0/0/7 unit 1 vlan-id 1//设置子端口ge-0/0/7.1的VLAN-ID为1
set interfaces ge-0/0/7 unit 1 family inet address 10.10.10.1/24//设置子端口ge-0/0/7.1的IP地址是10.10.10.1/24
set interfaces ge-0/0/7 unit 2 vlan-id 2//设置子端口ge-0/0/7.2的VLAN-ID为2
set interfaces ge-0/0/7 unit 2 family inet address 10.10.10.1/24//设置子端口ge-0/0/7.2的IP地址是10.10.10.1/24
//请注意,ge-0/0/7.1和ge-0/0/7.2的地址是相同的,这只有在将这两个端口放入不同的VRF情况下才能正常提交(commit)
set routing-instances vrfa instance-type virtual-router//设置vrfa类型为vritual-router
set routing-instances vrfa interface ge-0/0/7.1//将端口ge-0/0/7.1植入vrfa
set routing-instances vrfb instance-type virtual-router//设置vrfb类型为vritual-router
set routing-instances vrfb interface ge-0/0/7.2//将端口ge-0/0/7.2植入vrfb
验证结果:
lab@EX4200-1# run show route table vrfa
vrfa.inet.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
10.10.10.0/24 *[Direct/0] 00:02:43
> via ge-0/0/7.1
10.10.10.1/32 *[Local/0] 00:02:43
Local via ge-0/0/7.1
{master}[edit]
lab@EX4200-1# run show route table vrfb
vrfb.inet.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
10.10.10.0/24 *[Direct/0] 00:02:49
> via ge-0/0/7.2
10.10.10.1/32 *[Local/0] 00:02:49
Local via ge-0/0/7.2
2.21 multi-vrf OSPF配置
set interfaces ge-0/0/7 vlan-tagging //设置端口ge-0/0/7为vlan 封装
set interfaces ge-0/0/7 unit 1 vlan-id 1//设置子端口ge-0/0/7.1的VLAN-ID为1
set interfaces ge-0/0/7 unit 1 family inet address 10.10.10.1/24//设置子端口ge-0/0/7.1的IP地址是10.10.10.1/24
set interfaces ge-0/0/7 unit 2 vlan-id 2//设置子端口ge-0/0/7.2的VLAN-ID为2
set interfaces ge-0/0/7 unit 2 family inet address 10.10.10.1/24//设置子端口ge-0/0/7.2的IP地址是10.10.10.1/24
//请注意,ge-0/0/7.1和ge-0/0/7.2的地址是相同的,这只有在将这两个端口放入不同的VRF情况下才能正常提交(commit)
set routing-instances vrfa instance-type virtual-router
set routing-instances vrfa interface ge-0/0/7.1
set routing-instances vrfa protocols ospf area 0.0.0.0 interface ge-0/0/7.1//在vrfa中设定OSPF端口为ge-0/0/7.1
set routing-instances vrfb instance-type virtual-router
set routing-instances vrfb interface ge-0/0/7.2
set routing-instances vrfb protocols ospf area 0.0.0.0 interface ge-0/0/7.2//在vrfa中设定OSPF端口为ge-0/0/7.2
验证结果:
lab@EX4200-1# run show ospf interface instance vrfa
Interface State Area DR ID BDR ID Nbrs
ge-0/0/7.1 DR 0.0.0.0 10.10.10.1 0.0.0.0 0
{master}[edit]
lab@EX4200-1# run show ospf interface instance vrfb
Interface State Area DR ID BDR ID Nbrs
ge-0/0/7.2 DR 0.0.0.0 10.10.10.1 0.0.0.0 0
3 交换机维护操作
3.1 交换机启动和关闭
3.1.1 重新启动
1.使用具有足够权限的用户名和密码登陆CLI命令行界面。
2.在提示符下输入下面的命令:
user@ex4200> request system reboot
3.等待console设备的输出,确认交换机软件已经重新启动。
3.1.2 关闭
1. 使用具有足够权限的用户名和密码登陆CLI命令行界面。
2.在提示符下输入下面的命令:
user@ex4200> request system halt
The operating system has halted.
Please press any key to reboot
3.等待console设备的出现上面的输出,确认交换机软件已经停止运行。
4.关闭机箱背后电源模块电源。
警告:在关闭交换机电源之前必须先利用命令关闭交换机
3.2 配置备份和恢复
3.2.1 配置备份
在完成安装调试之后,可以将配置文件进行备份。备份有两种方式,一种是通过ftp备份到PC机上;另外一种是保存在交换机上(交换机默认保存50份配置文件)。
FTP备份方式
下面是通过FTP备份的操作步骤:
lab@EX4200> show configuration | save EX4200CONFIG.txt
Wrote 169 lines of output to 'EX4200CONFIG.txt'
lab@EX4200>
lab@EX4200> ftp 10.0.0.132
Connected to 10.0.0.132.
220 EX4200 FTP server (Version 6.00LS) ready.
Name (10.0.0.132:EX42): EX42
331 Password required for EX42.
Password:
230 User EX42 logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> asc
200 Type set to A.
ftp> put EX4200CONFIG.txt
local: EX4200CONFIG.txt remote: EX4200CONFIG.txt
200 PORT command successful.
150 Opening ASCII mode data connection for ' EX4200CONFIG.txt. '
100% |********************** ***********************************| 3751
226 Transfer complete.
3751 bytes sent in 0.00 seconds (2.33 MB/s)
ftp> put EX4200CONFIG.txt
local: EX4200CONFIG.txt remote: EX4200CONFIG.txt
200 PORT command successful.
150 Opening ASCII mode data connection for 'EX4200CONFIG.txt'.
100% |*****************************************| 4228
226 Transfer complete.
4228 bytes sent in 0.00 seconds (2.62 MB/s)
ftp> bye
221 Goodbye.
lab@EX4200>
由于juniper的配置文件有两种格式,因此在进行备份的时候同时备份另外一种set格式的命令(可以直接粘贴到交换机)
3.2.2 配置恢复
对于通过FTP备份的配置,需要将配置文件上传到交换机上,然后通过load命令加载配置
lab@EX4200# load override ?
Possible completions:
<filename> Filename (URL, local, remote, or floppy)
EX4200CONFIG.txt Size: 681, Last changed: Nov 27 11:53:17
terminal Use login terminal
[edit]
lab@EX4200# load override EX4200CONFIG.txt
load complete
[edit]
lab@EX4200# commit
commit complete
[edit]
lab@EX4200#
3.3 如何升级交换机OS
要将交换机OS升级到jinstall-ex-9.2R2.15-domestic-signed.tgz.gz版本,操作步骤如下:
1.添加一个super-user用户lab(或者其它用户)
2.打开系统FTP服务:
set system services ftp
3.通过FTP将jinstall-ex-9.2R2.15-domestic-signed.tgz.gz版本上传到EX交换机上,利用刚才添加的用户lab上传,选择ftp的bin上传模式。
4.利用刚才添加的lab用户登陆交换机,然后在用户模式下使用下面命令升级:
request system software add validate jinstall-ex-9.2R2.15-domestic-signed.tgz.gz
5.在安装完OS之后,重新启动交换机:
EX4200>request system reboot
Reboot the system ? [yes,no] (no) yes
3.4 如何恢复出厂设置
在交换机液晶面板上按菜单,当出现reset factiory之后按确定进入。
3.5 密码恢复
如果交换机的Root密码丢失,而且没有其他的超级用户权限,那么就需要执行密码恢复,该操作需要中断交换机的正常功能。
要进行密码恢复,请按照下面操作进行:
1.重新启动交换机。
2.在启动过程中,console上出现下面的提示的时候,按任意键中断正常启动方式,然后再进入单用户状态:
Hit [Enter] to boot immediately, or any other key for command prompt.
Booting [kernel] in 9 seconds...
< Press any key other than return >
ok boot –s
3.执行密码恢复:在以下提示文字后输入recovery
Enter full pathname of shell or 'recovery' for root password recovery or RETURN for /bin/sh: recovery
NOTE: Once in the CLI, you will need to enter configuration mode using
NOTE: the 'configure' command to make any required changes. For example,
NOTE: to reset the root password, type:
NOTE: configure
NOTE: set system root-authentication plain-text-password
NOTE: (enter the new password when asked)
NOTE: commit
NOTE: exit
NOTE: exit
NOTE: When you exit the CLI, you will be asked if you want to reboot
NOTE: the system
Starting CLI ...
root>
4.进入配置模式,删除root密码:
root> configure
Entering configuration mode
[edit]
root# delete system root-authentication
root# commit
commit complete
[edit]
root# exit
Exiting configuration mode
root> exit
Reboot the system? [y/n] y
Terminated
5.重新启动后,配置新的root密码,交换机恢复正常。
3.6 日常维护命令
3.6.1 查看序列号show chassis hardware
3.6.2 查看硬件show chassis hardware
3.6.3 查看软件版本show version
3.6.4 查看CPU show chassis routing-engine
3.6.5 ping命令
ping 192.168.1.254 rapid //快速ping地址
3.6.6 查看设备告警信息 show chassis alarms
3.6.7 查看详细的硬件温度及状态信息 show chassis environment
3.6.8 查看接口VRRP状态信息show vrrp
Interface State Group VR state Timer Type Address
fe-1/3/1.21 up 21 master A 0.922 lcl 10.0.4.6
vip 10.0.4.5
正常情况下,主交换机VR state栏应显示为master,备用交换机应显示为backup.当主交换机线路出现故障时,备用交换机VR state栏将显示为master,并进行主备链路的切换。
3.6.9 收集CASE需要的信息request support information
如果出现故障,需要手机交换机信息的时候,就可用此命令进行收集。类似于Cisco的show tech命令。
