Juniper SRX series PPP configuration (command line)
(plus DHCP configuration and internet access across subnets)
I recently started as a Juniper engineer. Before that I had only attended Cisco network training, so I knew nothing about Juniper, and the company does not provide training; they just gave me a device to practice on at home.
After getting the device I looked for material online. There is plenty of it, but little of it is useful: most configurations are copied straight from existing boxes with no explanation, so you cannot tell what the lines mean, which ones are required and which can be left out. I wasted a lot of time as a result.
So I am writing down the most minimal Juniper PPPoE dial-up configuration I can, as study notes for myself and for anyone who comes after me. Other configuration can be added step by step as needed.
Contents:
1. Network topology
2. PPPoE dial-up configuration
set interfaces ge-0/0/0 unit 0 encapsulation ppp-over-ether
Encapsulate PPPoE on the physical interface
set interfaces pp0 unit 0 ppp-options chap default-chap-secret "ADSL密码"
set interfaces pp0 unit 0 ppp-options chap local-name "adsl帐户"
set interfaces pp0 unit 0 ppp-options chap passive
Set up CHAP authentication. pp0 is a virtual interface, the equivalent of the broadband connection you create on a PC.
set interfaces pp0 unit 0 ppp-options pap default-password "ADSL密码"
set interfaces pp0 unit 0 ppp-options pap local-name "adsl帐户"
set interfaces pp0 unit 0 ppp-options pap local-password "ADSL密码"
set interfaces pp0 unit 0 ppp-options pap passive
Set up PAP authentication. ISPs in China use CHAP, but it is recommended to configure both. (The original had a stray leading space inside the quoted values; it is removed here because it would be sent as part of the credential.)
set interfaces pp0 unit 0 pppoe-options underlying-interface ge-0/0/0.0
Specify which port dials out
set interfaces pp0 unit 0 pppoe-options client
Configure PPPoE client mode, since the ISP side is the server
set interfaces pp0 unit 0 pppoe-options idle-timeout 0
Never disconnect when idle
set interfaces pp0 unit 0 family inet mtu 1492
Of little consequence; it works either way
set interfaces pp0 unit 0 pppoe-options auto-reconnect 2
Reconnect automatically after 2 seconds
set interfaces pp0 unit 0 family inet negotiate-address
Configure pp0's
set routing-options static route 0.0.0.0/0 next-hop pp0.0
This one is important: it is the route that gets traffic out to the internet
set security zones security-zone untrust interfaces pp0.0
Put the dial-up connection into the untrust zone
3. Check on the router whether the dial-up succeeded
Commit after configuring. Juniper devices are a bit odd; sometimes the configuration does not take effect, so a reboot is recommended:
root@PPPClient# run show interfaces pp0 terse
Interface Admin Link Proto Local Remote
pp0 up up
pp0.0 up up inet 113.116.101.108 --> 113.116.100.1
If a public IP shows up there, the configuration succeeded.
4. Remove and configure some default settings
Once you have a public address, check whether the router itself can reach the internet by pinging 202.96.134.134 from it:
root> ping 202.96.134.134
PING 202.96.134.134 (202.96.134.134): 56 data bytes
64 bytes from 202.96.134.134: icmp_seq=0 ttl=251 time=31.862 ms
64 bytes from 202.96.134.134: icmp_seq=1 ttl=251 time=30.383 ms
64 bytes from 202.96.134.134: icmp_seq=2 ttl=251 time=30.554 ms
64 bytes from 202.96.134.134: icmp_seq=3 ttl=251 time=35.351 ms
64 bytes from 202.96.134.134: icmp_seq=4 ttl=251 time=30.601 ms
^C
--- 202.96.134.134 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 30.383/31.750/35.351/1.876 ms
That should obviously ping through. Next, ping www.baidu.com.
If that fails, the router has no DNS server configured, or the wrong one, and it needs to be set:
root# set system name-server 8.8.8.8
Ping again and it works.
root> ping www.baidu.com
PING www.a.shifen.com (220.181.111.147): 56 data bytes
64 bytes from 220.181.111.147: icmp_seq=0 ttl=55 time=65.375 ms
64 bytes from 220.181.111.147: icmp_seq=1 ttl=55 time=72.280 ms
64 bytes from 220.181.111.147: icmp_seq=2 ttl=55 time=65.512 ms
64 bytes from 220.181.111.147: icmp_seq=3 ttl=55 time=71.223 ms
64 bytes from 220.18^C
--- www.a.shifen.com ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 65.375/68.141/72.280/2.984 ms
5. Configure the private-side port
set interfaces fe-0/0/7 unit 0 family inet address 192.168.1.89/24
Set a gateway address on a physical port. Don't use the VLAN interface; change the VLAN's IP address away instead.
set security zones security-zone trust interfaces fe-0/0/7.0
Then add the port to the trust zone.
Then configure the IP settings on your PC:
IP address: 192.168.12
Subnet mask: 255.255.255.0
Default gateway: 192.168.1.89
DNS server: 8.8.8.8
Once this is done you can get online, because the default NAT rule and firewall policy already permit everything, e.g.:
[Default NAT policy]
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface
[Default forwarding policy]
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
6. DHCP configuration
If you don't want to configure clients by hand, set up the DHCP service, e.g.:
delete system services dhcp
set system services dhcp name-server 8.8.8.8
set system services dhcp router 192.168.1.89
Settings directly under dhcp are global; settings under pool apply to one pool instance.
set system services dhcp pool 192.168.1.0/24 address-range low 192.168.1.1
set system services dhcp pool 192.168.1.0/24 address-range high 192.168.1.254
# These two lines define the address range the pool hands out
set system services dhcp pool 192.168.1.0/24 exclude-address 192.168.1.89
# Reserved IP: the gateway's own address, kept out of the pool
set system services dhcp pool 192.168.1.0/24 propagate-settings fe-0/0/7.0
This DHCP pool is served out of fe-0/0/7.
Finally, allow the DHCP service inbound on fe-0/0/7:
set security zones security-zone trust interfaces fe-0/0/7.0 host-inbound-traffic system-services dhcp
Done:
Ethernet adapter 本地连接 4:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
Physical Address. . . . . . . . . : E0-CB-4E-ED-0F-61
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.1.1
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.89
DHCP Server . . . . . . . . . . . : 192.168.1.89
DNS Servers . . . . . . . . . . . : 8.8.8.8
Lease Obtained. . . . . . . . . . : 2013年1月17日 12:30:43
Lease Expires . . . . . . . . . . : 2013年1月18日 12:30:43
7. Multiple network configuration
What if you want another port, fe-0/0/6, on a different subnet, to get online at the same time?
Simple: configure a gateway address on fe-0/0/6:
set interfaces fe-0/0/6 unit 0 family inet address 192.168.2.89/24
DHCP is configured the same way as above, with the forwarding interface changed to fe-0/0/6.
set security zones security-zone trust interfaces fe-0/0/6.0
Then add the port to the trust zone.
Now the 192.168.2.0 subnet can get online too, but 192.168.1.0 and 192.168.2.0 cannot reach each other. To allow that, add a policy permitting trust to trust:
set security policies from-zone trust to-zone trust policy trust-to-trust match source-address any
set security policies from-zone trust to-zone trust policy trust-to-trust match destination-address any
set security policies from-zone trust to-zone trust policy trust-to-trust match application any
set security policies from-zone trust to-zone trust policy trust-to-trust then permit
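Since the NAT rule, the forwarding policies and the DHCP pool above are all written as "set" lines, they can be checked mechanically before committing. The script below is an added example, not part of the original post or of Junos: it parses a constructed sample of the post's own set commands, confirms the default route leaves through an interface in the untrust zone, flags every any/any/any permit policy (the post's trust-to-untrust and trust-to-trust policies are exactly that), and reports a DHCP gateway that lies inside a pool's range without an exclude-address, which is the mistake the exclude-address line in section 6 prevents.

```python
import ipaddress

# Constructed sample input: the post's own set commands, minus the exclude-address
# line, so that the DHCP check below has something to report.
SAMPLE_CONFIG = """\
set routing-options static route 0.0.0.0/0 next-hop pp0.0
set security zones security-zone untrust interfaces pp0.0
set security zones security-zone trust interfaces fe-0/0/7.0
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
set system services dhcp router 192.168.1.89
set system services dhcp pool 192.168.1.0/24 address-range low 192.168.1.1
set system services dhcp pool 192.168.1.0/24 address-range high 192.168.1.254
"""

def audit(text):
    """Parse Junos 'set' lines and return a list of finding strings."""
    cmds = [line.split()[1:] for line in text.splitlines() if line.startswith("set ")]
    zone_of, pools, policies, routers, default_hop = {}, {}, {}, [], None
    for c in cmds:
        if c[:3] == ["security", "zones", "security-zone"] and c[4:5] == ["interfaces"]:
            zone_of[c[5]] = c[3]                                  # interface unit -> zone
        elif c[:3] == ["routing-options", "static", "route"] and c[3:5] == ["0.0.0.0/0", "next-hop"]:
            default_hop = c[5]
        elif c[:3] == ["security", "policies", "from-zone"] and len(c) >= 10:
            key = (c[3], c[5], c[7])                              # (from-zone, to-zone, policy name)
            policies.setdefault(key, {})[c[9]] = c[10] if c[8] == "match" else True
        elif c[:4] == ["system", "services", "dhcp", "router"]:
            routers.append(ipaddress.ip_address(c[4]))
        elif c[:4] == ["system", "services", "dhcp", "pool"]:
            pool = pools.setdefault(c[4], {"exclude": set()})
            if c[5] == "address-range":
                pool[c[6]] = ipaddress.ip_address(c[7])           # key is "low" or "high"
            elif c[5] == "exclude-address":
                pool["exclude"].add(ipaddress.ip_address(c[6]))
    findings = []
    if default_hop and zone_of.get(default_hop) != "untrust":
        findings.append(f"default route exits via {default_hop}, which is not in zone untrust")
    for (src, dst, name), p in policies.items():
        if p.get("permit") and all(p.get(k) == "any" for k in ("source-address", "destination-address", "application")):
            findings.append(f"policy {name} ({src}->{dst}) permits any/any/any")
    for prefix, pool in pools.items():
        for gw in routers:
            if "low" in pool and "high" in pool and pool["low"] <= gw <= pool["high"] and gw not in pool["exclude"]:
                findings.append(f"gateway {gw} lies inside pool {prefix} but is not excluded")
    return findings
```

Call audit() on the text of "show configuration | display set" to run the same checks on a real box.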
End