edu.51cto.com. Instructor: 大侠唐在飞 (小侠唐在飞), 唐志强. edu.51cto.com juniper...
TRANSCRIPT
edu.51cto.com
Command modes
Amnesiac (ttyd0)
login: root
--- JUNOS 10.3R1.9 built 2010-08-13 12:15:32 UTC
root@%
root@% cli
root> edit
Entering configuration mode
[edit]
root# exit
Exiting configuration mode
root> configure
Entering configuration mode
[edit]
root#
root> start shell
root@%
What is the difference between edit and configure?
start shell opens local UNIX shell access.

Command modes
Operational mode
– Monitor and troubleshoot the software, network connectivity, and router hardware
– Monitor and handle software, network connectivity, routing, and hardware problems
Configuration mode
– Configure the router, including interfaces, general routing information, routing protocols, user access, and system hardware properties
– Configure the router (interfaces, routing, users, system hardware parameters)
Doug@lab2>
[edit]
Doug@lab2#
Configuration mode
root> configure ?
Possible completions:
  <[Enter]>            Execute this command
  dynamic              Work in dynamic database
  exclusive            Obtain exclusive lock (other users cannot make changes)
  private              Work in private database (other's changes do not show)
  |                    Pipe through a command
If several people operate the device at the same time, the configuration may conflict, become inconsistent, or be tampered with. Use configure exclusive to take an exclusive lock on the device.
Operational mode commands
Command hierarchy
  clear
  configure
  monitor
  set
  show
    bgp
    chassis
    interfaces
    isis
    ospf
    route
      brief
      exact
      protocol
      table
      terse
    version

Operational mode commands
Copyright © 2002, Juniper Networks, Inc.
Executed (mainly) from the default CLI level (user@host>)
– show
– request
– restart
– ping
– traceroute
– clear
– monitor
– file
– test
– telnet
– set
– ssh
– start
– quit
Pipe symbol |
show interfaces | ?
Possible completions:
  compare              Compare configuration changes with prior version
  count                Count occurrences
  display              Show additional kinds of information
  except               Show only text that does not match a pattern
  find                 Search for first occurrence of pattern
  hold                 Hold text without exiting the --More-- prompt
  last                 Display end of output only
  match                Show only text that matches a pattern
  no-more              Don't paginate output
  save                 Save output text to file
  trim                 Trim specified number of columns from start of line
Editing the command line
lab@omaha> show interfaces    Ctrl-b
lab@omaha> show interfaces    Ctrl-a
lab@omaha> show interfaces    Ctrl-f
lab@omaha> show interfaces    Ctrl-e
Space and Tab complete commands
Back one character: Ctrl-b
Back to the first character: Ctrl-a
Forward one character: Ctrl-f
Jump to the end of the line: Ctrl-e
Command help ?
Type <?> anywhere on the command line
lab@omaha> ?
Possible completions:
  clear                Clear information in the system
  configure            Manipulate software configuration information
  file                 Perform file operations
  help                 Provide help information
  …
lab@omaha> show ?
Possible completions:
  aps                  Show APS information
  arp                  Show system ARP table entries
  as-path              Show table of known AS paths
  …
Common configuration-mode commands
  activate     Remove the inactive tag from a statement (re-activate an inactive statement)
  deactivate   Add the inactive tag to a statement (make a statement inactive)
  commit       Commit the current set of changes
  copy         Copy a statement
  delete       Delete a data element
  insert       Insert a new ordered data element
  set          Set a parameter
  show         Show a parameter
  quit         Quit from this level
  rename       Rename a statement
  replace      Replace a character string in the configuration
  rollback     Roll back to a previous committed configuration
  run          Run an operational-mode command
Hierarchy
top (less specific)
  chassis
    alarm
      atm
      e3
      ethernet
      sonet
      t3
    clock
    fpc
  firewall
  interfaces
  protocols
  system
  more…
(more specific the deeper you go)
Moving between levels of the statement hierarchy
– edit functions like a change directory (cd) command
[edit]
user@host# edit chassis alarm ethernet
[edit chassis alarm ethernet]
Think of it as a sub-view mode.
Jumping between levels
user@host# up
[edit chassis alarm]
user@host# top
[edit]
Enhanced commands: relative configuration commands
– New arguments to the top command
– Commands can be run from the top of the hierarchy or from higher up in the hierarchy
[edit interfaces so-5/1/0 unit 0 family inet]
root@router# top show system login
class superuser-local {
    permissions all;
}
[edit interfaces so-5/1/0 unit 0 family inet]
root@router# top edit protocols ospf
[edit protocols ospf]
root@router#
Viewing the running configuration
The show configuration command now takes a configuration path
root@router> show configuration system login
class superuser-local {
    permissions all;
}
root@router> show configuration protocols bgp
export [ next-hop-self unicast-multicast ];
peer-as 10458;
group internal {
    type internal;
    neighbor 207.17.136.192;
}
group fred {
    allow 0.0.0.0/0;
}
root@router>
Viewing the candidate configuration
[edit]
user@host# show chassis alarm
sonet {
    lol red;
    pll yellow;
}
[edit]
user@host# edit chassis alarm
[edit chassis alarm]
user@host# show
sonet {
    lol red;
    pll yellow;
}
[edit chassis alarm]
Deleting part of the hierarchy
[edit]
user@host# edit chassis alarm sonet
[edit chassis alarm sonet]
user@host# delete lol
[edit chassis alarm sonet]
user@host# delete los
[edit chassis alarm sonet]
user@host#
Committing
root# set system host-name juniper-R1
[edit]
root# commit
[edit]
  'system'
    Missing mandatory statement: 'root-authentication'
error: commit failed: (missing statements)
[edit]
root#
Configuration commands do not take effect immediately; they must be submitted with commit.
After logging in as root on a new device you must set the root password first; otherwise no other configuration can be made and the configuration cannot be committed.
Configuring the root password
Enter a plain-text password: the password you type is the one you will enter at the next login.
root# set system root-authentication plain-text-password
New password:
Retype new password:
[edit]
Enter an already-hashed password directly on the command line; at login you must enter the original (pre-hash) password.
root# set system root-authentication encrypted-password "$1$V.ggl9JX$t/Q22Z4sWeaDMngy0DuPq1"
This method suits cases where the device password must stay confidential while it is being set: nobody watching can tell what password you entered.
User management
Add a user and assign a login class (permission level):
root@juniper-R1# set system login user tzq class super-user
root@juniper-R1# set system login user tzq authentication plain-text-password
New password:
Retype new password:
View the user login configuration:
root@juniper-R1# show system login | display set
set system login user tzq uid 2001
set system login user tzq class super-user
set system login user tzq authentication encrypted-password "$1$ojLhdlPR$jklxe
Login classes (permission levels):
root@juniper-R1# set system login user tzq class ?
Possible completions:
  <class>              Login class
  operator             permissions [ clear network reset trace view ]
  read-only            permissions [ view ]
  super-user           permissions [ all ]
  unauthorized         permissions [ none ]
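The hierarchy navigation (top show <path>), the "| display set" output and the commit-time "Missing mandatory statement" error from the slides above can be modelled in a few lines of Python. The block below is an added example, not code from the course or from Juniper: parse_set_lines, show and commit_check are names chosen here, the sample set lines are constructed from the configuration shown on the slides, and the password hash is a placeholder rather than a real credential.

```python
"""Model of the JunOS configuration hierarchy used in the slides above.

Parses 'set'-format lines (the form 'show ... | display set' prints),
answers 'top show <path>' questions, and runs the commit-time check that
produced the "Missing mandatory statement: 'root-authentication'" error.
Example code written for this page; it is not Juniper's own code.  The
sample lines are constructed and the hash is a placeholder.
"""
import shlex

SAMPLE_SET_LINES = [
    "set system host-name juniper-R1",
    "set system login user tzq uid 2001",
    "set system login user tzq class super-user",
    'set system login user tzq authentication encrypted-password "$1$PLACEHOLDER$notarealhash"',
    "set system services ssh",
    "set interfaces so-1/0/3 unit 0 family inet address 10.0.20.1/24",
]

# Statements JunOS refuses to commit without; the slides show the
# root-authentication case.  Each path is the hierarchy where the check fails.
MANDATORY_STATEMENTS = [("system", "root-authentication")]

# Characters JunOS prints unquoted; any other token is wrapped in double quotes.
PLAIN_CHARS = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-._/:@+")


def parse_set_lines(lines):
    """Build a nested dict from 'set a b c ...' lines.

    Every token becomes a level, so 'set system login user tzq uid 2001'
    yields tree["system"]["login"]["user"]["tzq"]["uid"]["2001"] == {}.
    shlex keeps the quoted password hash together as one token.
    """
    tree = {}
    for line in lines:
        tokens = shlex.split(line)
        if tokens[:1] != ["set"]:
            raise ValueError(f"not a set command: {line!r}")
        node = tree
        for token in tokens[1:]:
            node = node.setdefault(token, {})
    return tree


def lookup(tree, path):
    """Return the subtree at path (a tuple of tokens), or None if absent."""
    node = tree
    for token in path:
        if token not in node:
            return None
        node = node[token]
    return node


def quote(token):
    """Re-quote a token the way JunOS prints it in set format."""
    return token if all(c in PLAIN_CHARS for c in token) else f'"{token}"'


def to_set_lines(node, prefix):
    """Flatten a subtree back into set lines, like '| display set'."""
    if not node:
        return [" ".join(prefix)]
    lines = []
    for token, child in node.items():
        lines.extend(to_set_lines(child, prefix + (quote(token),)))
    return lines


def show(tree, *path):
    """Emulate 'top show <path> | display set': the statements under path,
    printed as full set commands from the top of the hierarchy."""
    node = lookup(tree, path)
    return [] if node is None else to_set_lines(node, ("set",) + path)


def commit_check(tree):
    """Errors a commit would raise, in the wording the slides show.
    An empty list means the candidate passes the mandatory-statement check."""
    errors = []
    for path in MANDATORY_STATEMENTS:
        if lookup(tree, path) is None:
            errors.append(f"'{path[0]}' Missing mandatory statement: '{path[-1]}'")
    return errors


if __name__ == "__main__":
    candidate = parse_set_lines(SAMPLE_SET_LINES)
    print("\n".join(show(candidate, "system", "login")))
    print(commit_check(candidate))   # root password not yet set: commit would fail
    candidate = parse_set_lines(SAMPLE_SET_LINES + [
        'set system root-authentication encrypted-password "$1$PLACEHOLDER$notarealhash"'])
    print(commit_check(candidate))   # [] : commit would proceed
```

Run the file directly to see the login subtree printed back in set format and the commit check first failing, then passing once a root-authentication statement is present. The tree keeps every token as a level rather than guessing which keywords take identifiers, which is why it round-trips exactly to set format instead of to the curly-brace display.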
Loading configuration
Configuration information can come from an ASCII file prepared elsewhere
The load command
– Overrides an existing configuration: load override filename
– Merges new statements into the existing configuration: load merge filename
– Replaces existing statements in the current configuration: load replace filename
– Changes the candidate configuration only; you must commit to activate
– Can take input from the terminal: load (replace | merge | override) terminal
show system uptime displays the date/time of the last active configuration change and who committed it
Bulk entry
root# load set terminal
[Type ^D at a new line to end input]
et system login user fhj115 uid 2000
set system login user fhj115 class super-user
set system login user fhj115 authentication encrypted-password "$1$JB4EaYIY$Tj/87fx/GkR0G2J4edPkI/"
set system services ssh
set system services telnet
set system services web-management http interface vlan.0
set system services web-management https system-generated-certificate
set system services web-management https interface vlan.0
terminal:1:(0) unknown command: et
When a large batch of configuration has to be entered, pasting it straight at the prompt can go wrong (in the capture above the first pasted line lost its leading "s", giving "unknown command: et"). Use load set terminal instead: paste the set commands, then press Ctrl+D to end input.
Exiting levels
– Use exit from the top level
– Use exit configuration-mode from any level
Operational Mode
  edit / configure  ->  [edit]
    edit chassis    ->  [edit chassis]
      edit alarm    ->  [edit chassis alarm]
up or exit moves one level up; top returns to [edit]; exit configuration-mode (or exit at the top level) returns to operational mode
Saving configuration
The current candidate configuration, from the current hierarchy level and below, can be saved to an ASCII file by using the save command
[edit]
cli# save filename
[edit]
cli#
The file is saved to the user's home directory unless a full pathname is specified
Filename can be:
– URL
– Target on the redundant Routing Engine
– SSH user@host:filename notation
Interfaces
Where the interfaces are:
– Interface is contained on a PIC (Physical Interface Card)
– PIC plugs into an FPC
– FPC has room for four PICs
– FPC plugs into the chassis
(Figure: an FPC holding PICs)
Names are consistent for all transit interfaces and are based on:
– Interface media type
– FPC slot number
– PIC slot number within the FPC
– PIC port number
Interface types
Media types:
– at: ATM over SONET/SDH ports
– e1: E1 ports
– e3: E3 ports
– fe: Fast Ethernet ports
– so: SONET/SDH ports
– t1: T1 ports
– t3: DS-3 ports
– ge: Gigabit Ethernet ports
– ae: Aggregated Ethernet ports
Interface names
Logical interfaces are used to set up Frame Relay DLCIs or ATM virtual circuits
The interface (unit) number is separate in meaning from the actual DLCI or ATM VC and can be any arbitrary value
The suggested convention is to keep them the same whenever possible
Example: so-5/2/3.43 (media so, FPC slot 5, PIC slot 2, port 3, unit 43)
Permanent interfaces
The router has two permanent interfaces
– The out-of-band management interface is called fxp0
– The internal Routing Engine to Packet Forwarding Engine connection is called fxp1
  • fxp1 requires no configuration and should not be configured by the operator
Interface properties
Physical properties
– Clocking
– Scrambling
– Frame check sequence (FCS)
– Maximum transmission unit (MTU)
– Data Link Layer protocol, keepalives
– Diagnostic characteristics: local, remote, and facility loopback; BERT
Logical properties
– Protocol family (Internet, ISO, MPLS)
– Addresses (IP address, ISO NET address)
– Virtual circuits (VCI/VPI, DLCI)
– Other characteristics
Interface configuration
Standard configuration statement hierarchy
interfaces {
    interface-name {
        physical-properties;
        […]
        unit unit-number {
            logical-properties;
            […]
        }
    }
}
Configuring physical interface properties
Configure physical properties of the interface using the set command:
set interface so-1/0/3 no-keepalives
Or park yourself in the interfaces section of the hierarchy and set many options:
lab@omaha> configure
[edit]
lab@omaha# edit interfaces so-1/0/3
[edit interfaces so-1/0/3]
lab@omaha# set no-keepalives
lab@omaha# commit
Configuring logical interface properties
Logical settings
– Protocol family (Internet, ISO, MPLS): protocol MTU, protocol addressing, other protocol options
– Virtual circuit identifiers (VPI/VCI, DLCI)
– Other properties according to circuit characteristics
Logical interface bandwidth
Annotating interface speed
– The new bandwidth statement in the logical unit configuration allows configuration of the available bandwidth on the logical interface
– Informational only: it does not affect the actual bandwidth of the interface
– Externalized via the ifSpeed MIB object
interface so-1/1/1 {
    unit 0 {
        bandwidth 30m;
    }
}
Units
Each logical interface has a unit number
– The number can be arbitrary
  • Typically, the unit number is the same as the VC or DLCI number
Some physical interfaces have only one possible logical interface, and one unit number only, which must be configured as unit zero
Multiple protocol addresses are supported on a single logical unit
– Typing in additional addresses does not override the previous address
  • Watch for multiple addresses when correcting addressing mistakes
Configuring a logical interface
Use the set command to configure a logical interface, using the unit number
– For example, set interface so-1/0/3 unit 40 dlci 40
Or park yourself at the unit level:
lab@omaha> configure
[edit]
lab@omaha# edit interfaces so-1/0/3 unit 40
[edit interfaces so-1/0/3 unit 40]
lab@omaha# set dlci 40
lab@omaha# commit
Configuring a protocol family
Minimal sample configuration:
lab@omaha> configure
[edit]
lab@omaha# edit interfaces so-1/0/3
[edit interfaces so-1/0/3]
lab@omaha# set unit 0 family inet address 10.0.20.1/24
lab@omaha# commit
Displayed as:
interfaces {
    so-1/0/3 {
        unit 0 {
            family inet {
                address 10.0.20.1/24;
            }
        }
    }
}
Disabling or deactivating
Add the inactive: tag to a statement, effectively commenting out the statement or identifier from the configuration:
[edit interfaces]
user@host# deactivate at-5/2/0
[edit interfaces]
user@host# show
inactive: at-5/2/0
Disable an interface or a logical unit, effectively administratively disabling it:
[edit interfaces]
user@host# set so-1/1/0 disable
[edit interfaces]
user@host# show so-1/1/0
so-1/1/0 {
    disable; # Interface is marked as disabled
    mtu 8000;
    clocking internal;
    …
Viewing interfaces
root@juniper-R1> show interfaces terse
Interface               Admin Link Proto    Local                 Remote
cbp0                    up    up
demux0                  up    up
dsc                     up    up
em0                     up    up
em0.0                   up    up   inet     192.168.1.1/24
em1                     up    up
em1.0                   up    up   inet     192.168.2.1/24
em2                     up    up
em3                     up    up
em4                     up    up
em5                     up    up
em6                     up    up
gre                     up    up
ipip                    up    up
irb                     up    up
lo0                     up    up
lo0.0                   up    up   inet     1.1.1.1/24
lo0.16384               up    up   inet     127.0.0.1           --> 0/0
lo0.16385               up    up   inet     128.0.0.4           --> 0/0
Shows the link state and IP addresses of the ports actually present.
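The interface naming rule (media-FPC/PIC/port.unit, as in so-5/2/3.43) and the show interfaces terse table above are both regular enough to parse, which is how an inventory or monitoring script would consume them. The block below is an added example, not code from the course or from Juniper: parse_ifname, parse_terse, link_down and addresses are names chosen here, and the terse capture is constructed from the one on the slide with one made-up link-down port (ge-0/0/1) added to exercise the down-link check.

```python
"""Parse JunOS interface names and 'show interfaces terse' output.

Transit interface names follow media-FPC/PIC/port[.unit] (so-5/2/3.43);
permanent and software interfaces such as fxp0, em0.0 and lo0.16384 carry
no slot numbers.  Example code written for this page, not Juniper's; the
terse text is constructed (modelled on the slide's capture, plus one
constructed link-down port).
"""
import re
from dataclasses import dataclass
from typing import Optional

TRANSIT_RE = re.compile(
    r"^(?P<media>[a-z]{2})-(?P<fpc>\d+)/(?P<pic>\d+)/(?P<port>\d+)(?:\.(?P<unit>\d+))?$")
SIMPLE_RE = re.compile(r"^(?P<name>[a-z]+\d*)(?:\.(?P<unit>\d+))?$")

# Media-type prefixes listed on the page.
MEDIA_TYPES = {"at": "ATM over SONET/SDH", "e1": "E1", "e3": "E3", "fe": "Fast Ethernet",
               "so": "SONET/SDH", "t1": "T1", "t3": "DS-3", "ge": "Gigabit Ethernet"}


@dataclass
class IfName:
    physical: str               # name without the .unit suffix
    unit: Optional[int]         # None for a physical interface
    media: Optional[str] = None  # two-letter prefix; None for fxp0/em0/lo0-style names
    fpc: Optional[int] = None
    pic: Optional[int] = None
    port: Optional[int] = None

    @property
    def media_name(self):
        return MEDIA_TYPES.get(self.media, self.media)


def parse_ifname(name):
    """Split an interface name into its components (raises on unknown shapes)."""
    m = TRANSIT_RE.match(name)
    if m:
        return IfName(physical=f"{m['media']}-{m['fpc']}/{m['pic']}/{m['port']}",
                      unit=int(m["unit"]) if m["unit"] else None,
                      media=m["media"], fpc=int(m["fpc"]), pic=int(m["pic"]), port=int(m["port"]))
    m = SIMPLE_RE.match(name)
    if m:
        return IfName(physical=m["name"], unit=int(m["unit"]) if m["unit"] else None)
    raise ValueError(f"unrecognised interface name: {name!r}")


# Constructed capture: slide rows plus a constructed down port ge-0/0/1.
TERSE_SAMPLE = """\
Interface               Admin Link Proto    Local                 Remote
em0                     up    up
em0.0                   up    up   inet     192.168.1.1/24
ge-0/0/1                up    down
ge-0/0/1.0              up    down inet     10.0.20.1/24
lo0.0                   up    up   inet     1.1.1.1/24
lo0.16384               up    up   inet     127.0.0.1           --> 0/0
"""


def parse_terse(text):
    """One dict per row: name, admin, link, proto, local, remote (None when absent).
    Columns are whitespace-separated; the remote address follows a '-->' marker."""
    rows = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] == "Interface":   # skip blanks and the header
            continue
        row = {"name": tokens[0], "admin": tokens[1], "link": tokens[2],
               "proto": None, "local": None, "remote": None}
        if len(tokens) > 3:
            row["proto"] = tokens[3]
        if len(tokens) > 4:
            row["local"] = tokens[4]
        if "-->" in tokens:
            row["remote"] = tokens[tokens.index("-->") + 1]
        rows.append(row)
    return rows


def link_down(rows):
    """Physical interfaces that are administratively up but have no link."""
    return [r["name"] for r in rows
            if r["admin"] == "up" and r["link"] == "down" and parse_ifname(r["name"]).unit is None]


def addresses(rows):
    """{logical interface: local address} for every unit carrying an address."""
    return {r["name"]: r["local"] for r in rows if r["local"]}


if __name__ == "__main__":
    rows = parse_terse(TERSE_SAMPLE)
    print("link down:", link_down(rows))
    for name, addr in addresses(rows).items():
        print(f"{name:<12} {addr:<18} {parse_ifname(name)}")
```

link_down reports only physical interfaces (unit is None) so that a down port is listed once rather than once per logical unit; the full component breakdown from parse_ifname is what a script would use to map a port back to its FPC and PIC slot when raising a ticket.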
Viewing logs
root@juniper-R1> show log ?
  interactive-commands   command history
  messages               log messages
  messages.0.gz
  messages.1.gz
  User                   login log
There are other logs as well; refer to the actual product.
Current running configuration
  Candidate configuration --(commit)--> Active configuration (rollback 0)
  Previous committed configurations 1, 2, ... --(rollback n)--> Candidate configuration
Rollback files are stored in /config/juniper.conf.n (n = 1-3) and /var/db/config/juniper.conf.n (n = 4-9)
Commit confirmed
Remote configuration changes require caution
– Might disrupt connectivity to the router
– Might disrupt the remote connection
Avoid these disadvantages by using commit confirmed
– Activates the configuration for a few minutes (default is 10 minutes)
– If the configuration is not confirmed, the router returns to the previous configuration automatically
– Confirm the configuration by issuing a second commit
Restoring configuration
Use the rollback command to restore one of the last nine previously committed configurations
Use rollback (or rollback 0) to reset the candidate configuration to the configuration currently running (which is the last version committed)
– rollback 1 loads the configuration before that
– rollback n loads the configuration n versions before that
The rollback command rolls the configuration back: 0 is the currently running configuration, 1 is the previous one, 2 is the one before that.
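The candidate/active/rollback model and the commit confirmed timer from the last three slides can be simulated end to end, including the case the slide warns about: a remote change that cuts the operator off and is never confirmed. The block below is an added example, not JunOS code or course material: ConfigStore and demo_remote_change are hypothetical names, configurations are plain dicts, and time is passed in as minutes so the 10-minute automatic rollback can be exercised without waiting.

```python
"""Model of candidate/active configuration, rollback history and
'commit confirmed' as described on the slides above.

Hypothetical model written for this page (not JunOS code): a configuration
is a plain dict, rollback 1..9 are kept in a list, and the caller supplies
the clock in minutes.
"""


class ConfigStore:
    MAX_ROLLBACK = 9   # rollback 1..9 are retained; 0 is the active config

    def __init__(self, active):
        self.active = dict(active)
        self.candidate = dict(active)
        self.history = []                # history[0] is rollback 1
        self.confirm_deadline = None     # set while a commit confirmed is pending
        self.unconfirmed_previous = None

    def set(self, statement, value):
        """Edit the candidate only; nothing changes until commit."""
        self.candidate[statement] = value

    def commit(self):
        """Activate the candidate.  Any commit (including the plain second
        commit after commit confirmed) counts as confirmation.  Returns
        True if a new configuration was activated."""
        self.confirm_deadline = None
        self.unconfirmed_previous = None
        if self.candidate == self.active:
            return False
        self.history.insert(0, dict(self.active))
        del self.history[self.MAX_ROLLBACK:]
        self.active = dict(self.candidate)
        return True

    def commit_confirmed(self, now, minutes=10):
        """Activate the candidate but remember the previous configuration
        and a deadline; tick() reverts if no commit arrives in time."""
        previous = dict(self.active)
        self.commit()
        self.unconfirmed_previous = previous
        self.confirm_deadline = now + minutes

    def tick(self, now):
        """Advance the clock.  Returns True if the pending commit expired and
        the previous configuration was loaded and committed automatically."""
        if self.confirm_deadline is None or now < self.confirm_deadline:
            return False
        self.candidate = dict(self.unconfirmed_previous)
        self.commit()
        return True

    def rollback(self, n=0):
        """rollback 0 resets the candidate to the active configuration;
        rollback n loads the n-th previous committed configuration into the
        candidate.  A commit is still required to activate it."""
        if n == 0:
            self.candidate = dict(self.active)
        elif 1 <= n <= len(self.history):
            self.candidate = dict(self.history[n - 1])
        else:
            raise ValueError(f"rollback {n}: only {len(self.history)} previous configurations")


def demo_remote_change():
    """The slide's scenario: a remote change that would cut the operator off
    is activated with commit confirmed, never confirmed, and reverted
    automatically.  Returns the final active configuration."""
    store = ConfigStore({"system host-name": "r1", "system services ssh": True})
    store.set("system services ssh", False)   # mistake: would lock the operator out
    store.commit_confirmed(now=0)             # active for 10 minutes
    store.tick(now=5)                         # still pending, nothing happens
    store.tick(now=10)                        # deadline reached: previous config restored
    return store.active


if __name__ == "__main__":
    print(demo_remote_change())   # ssh is back on after the automatic rollback
```

Note that the automatic revert is itself a commit, so the mistaken configuration lands in the rollback history (rollback 1) where it can be inspected afterwards; that matches the slide's point that commit confirmed protects connectivity without losing the change.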
Configuring remote management services
Set the services that allow remote management:
root# set system services ?
Possible completions:
  <[Enter]>            Execute this command
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
> database-replication Database replication configuration
> dhcp-local-server    Dynamic Host Configuration Protocol server configuration
> finger               Allow finger requests from remote systems
> ftp                  Allow FTP file transfers
> netconf              Allow NETCONF connections
> outbound-ssh         Initiate outbound SSH connection
> service-deployment   Configuration for Service Deployment (SDXD) management application
> ssh                  Allow ssh access
> telnet               Allow telnet login
> xnm-clear-text       Allow clear text-based JUNOScript connections
> xnm-ssl              Allow SSL-based JUNOScript connections
  |                    Pipe through a command
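Several of the services in that completions list (telnet, ftp, finger, xnm-clear-text, web-management http) carry credentials or configuration in clear text, and the bulk-entry capture earlier on this page enables telnet and http alongside ssh and https. A configuration review can catch that from the set-format lines alone. The block below is an added example, not code from the course or from Juniper: enabled_services and audit_services are names chosen here, the service lines come from the load set terminal capture above plus one constructed ftp line, and the mapping from each clear-text service to its encrypted counterpart is this example's own assessment.

```python
"""Audit the 'system services' statements of a JunOS set-format config for
clear-text or legacy management services and emit the delete commands
that would remove them.

Example code written for this page, not Juniper's.  SERVICE_LINES is taken
from the 'load set terminal' capture on the page with one constructed ftp
line added; the alternative for each service is the example's own mapping.
"""

# Service -> encrypted alternative to prefer (None: no replacement needed).
CLEAR_TEXT_SERVICES = {
    "telnet": "ssh",
    "ftp": "ssh",                        # scp/sftp over ssh
    "finger": None,
    "xnm-clear-text": "xnm-ssl",
    "web-management http": "web-management https",
}

SERVICE_LINES = [
    "set system services ssh",
    "set system services telnet",
    "set system services ftp",                                    # constructed
    "set system services web-management http interface vlan.0",
    "set system services web-management https system-generated-certificate",
    "set system services web-management https interface vlan.0",
]


def enabled_services(set_lines):
    """Names of services configured under 'system services'.  web-management
    is keyed by protocol ('web-management http' / 'web-management https')
    because only the http variant is clear text."""
    enabled = set()
    for line in set_lines:
        tokens = line.split()
        if tokens[:3] != ["set", "system", "services"] or len(tokens) < 4:
            continue
        if tokens[3] == "web-management" and len(tokens) > 4:
            enabled.add(f"web-management {tokens[4]}")
        else:
            enabled.add(tokens[3])
    return enabled


def audit_services(set_lines):
    """Return (findings, fixes): one finding per clear-text service found and
    the JunOS delete command that removes it from the candidate."""
    enabled = enabled_services(set_lines)
    findings, fixes = [], []
    for service, alternative in CLEAR_TEXT_SERVICES.items():
        if service not in enabled:
            continue
        note = f"{service}: clear-text management service enabled"
        if alternative:
            note += f"; use {alternative}"
            note += " (already enabled)" if alternative in enabled else " (not yet enabled)"
        findings.append(note)
        fixes.append(f"delete system services {service}")
    return findings, fixes


if __name__ == "__main__":
    findings, fixes = audit_services(SERVICE_LINES)
    print("\n".join(findings))
    print("\n".join(fixes))   # paste these into configuration mode, then commit
```

The fixes are plain delete statements, so they can be loaded with the same load set terminal procedure described above and activated with commit; the "(already enabled)" marker tells the reviewer whether removing the clear-text service would leave an encrypted path in place.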