Juniper Firewall Basic Commands (ScreenOS)
Common view commands
get interface    View interface configuration (ScreenOS accepts abbreviations such as `get int`)
get interface ethernetx/x    View the configuration of the specified interface
get mip    View mapped IP (MIP) relationships
get route    View the routing table
get policy id x    View the specified policy
get nsrp    View NSRP (HA) information; further parameters show a specific VSD group, port monitoring settings, etc.
get performance cpu detail    View CPU utilization
get performance session detail    View new sessions per second
get session    View the current session table; it can be filtered by source address, source port, destination address, destination port, protocol and other fields (e.g. `get session src-ip 10.1.1.5 dst-port 80`)
get session info    View the current session count (allocated/maximum)
get system    View the OS version, interface information, device uptime, etc.
get chassis    View device and board serial numbers and the operating temperature
get counter statistics    View counters for all interfaces
get counter statistics interface ethernetx/x    View counters for the specified interface
get counter flow zone trust|untrust    View flow counters for the specified zone
get counter screen zone untrust|trust    View SCREEN (attack protection) statistics for the specified zone
get tech-support    Dump the device status command set; normally collected for JTAC when a fault is reported
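Reading `get session` output by eye stops scaling once the table holds thousands of entries. The Python script below is an added example (not from the original page and not a Juniper tool): it parses the text ScreenOS prints for `get session`, counts sessions per source host, measures how many distinct destinations each source talks to (a quick scan or worm indicator during triage), and filters the way `get session dst-ip ... dst-port ...` does on the box. The embedded sample output is constructed to mimic the ScreenOS layout; the field positions encoded in the regexes are assumptions to check against your own release before relying on the numbers.

```python
"""Summarize ScreenOS `get session` output for triage (added example)."""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed sample modelled on the ScreenOS `get session` layout; not captured from a real device.
SAMPLE = """\
alloc 5/max 8064, alloc failed 0, mcast alloc 0, di alloc 0
id 2078/s**,vsys 0,flag 08000040/0000/0001,policy 3,time 180, dip 0 module 0
 if 2(nspflag 801801):10.1.1.5/41022->203.0.113.10/80,6,0010db4a8c10,sess token 4,vlan 0,tun 0,vsd 0,route 3
 if 4(nspflag 800800):10.1.1.5/41022<-203.0.113.10/80,6,000000000000,sess token 6,vlan 0,tun 0,vsd 0,route 2
id 2079/s**,vsys 0,flag 08000040/0000/0001,policy 3,time 1800, dip 0 module 0
 if 2(nspflag 801801):10.1.1.5/41023->203.0.113.11/443,6,0010db4a8c10,sess token 4,vlan 0,tun 0,vsd 0,route 3
 if 4(nspflag 800800):10.1.1.5/41023<-203.0.113.11/443,6,000000000000,sess token 6,vlan 0,tun 0,vsd 0,route 2
id 2080/s**,vsys 0,flag 08000040/0000/0001,policy 3,time 10, dip 0 module 0
 if 2(nspflag 801801):10.1.1.5/41024->203.0.113.12/445,6,0010db4a8c10,sess token 4,vlan 0,tun 0,vsd 0,route 3
 if 4(nspflag 800800):10.1.1.5/41024<-203.0.113.12/445,6,000000000000,sess token 6,vlan 0,tun 0,vsd 0,route 2
id 2081/s**,vsys 0,flag 08000040/0000/0001,policy 1,time 60, dip 0 module 0
 if 2(nspflag 801801):10.1.1.9/53000->198.51.100.53/53,17,0010db4a8c11,sess token 4,vlan 0,tun 0,vsd 0,route 3
 if 4(nspflag 800800):10.1.1.9/53000<-198.51.100.53/53,17,000000000000,sess token 6,vlan 0,tun 0,vsd 0,route 2
id 2082/s**,vsys 0,flag 08000040/0000/0001,policy 3,time 120, dip 0 module 0
 if 2(nspflag 801801):10.1.1.9/53001->203.0.113.10/80,6,0010db4a8c11,sess token 4,vlan 0,tun 0,vsd 0,route 3
 if 4(nspflag 800800):10.1.1.9/53001<-203.0.113.10/80,6,000000000000,sess token 6,vlan 0,tun 0,vsd 0,route 2
Total 5 sessions shown
"""

# Header line of each session record: id, vsys, policy id, remaining timeout.
ID_RE = re.compile(r"^id (\d+)/\S+,vsys (\d+),.*?policy (\d+),time (\d+)")
# Outbound wing only ("->"); the return wing ("<-") repeats the same tuple mirrored.
WING_RE = re.compile(
    r"^\s*if \d+\(nspflag [0-9a-f]+\):"
    r"(\d+\.\d+\.\d+\.\d+)/(\d+)->(\d+\.\d+\.\d+\.\d+)/(\d+),(\d+)"
)


@dataclass(frozen=True)
class Session:
    sid: int
    policy: int
    timeout: int
    src: str
    sport: int
    dst: str
    dport: int
    proto: int


def parse_sessions(text):
    """One Session per `id ...` record that is followed by an outbound wing."""
    sessions, header = [], None
    for line in text.splitlines():
        m = ID_RE.match(line)
        if m:
            header = (int(m.group(1)), int(m.group(3)), int(m.group(4)))
            continue
        w = WING_RE.match(line)
        if w and header is not None:
            sid, policy, timeout = header
            sessions.append(Session(sid, policy, timeout, w.group(1), int(w.group(2)),
                                    w.group(3), int(w.group(4)), int(w.group(5))))
            header = None  # the record is complete once its '->' wing is seen
    return sessions


def top_sources(sessions, n=3):
    """Source hosts ordered by the number of sessions they hold."""
    return Counter(s.src for s in sessions).most_common(n)


def fanout(sessions):
    """Number of distinct destination addresses each source host is talking to."""
    seen = defaultdict(set)
    for s in sessions:
        seen[s.src].add(s.dst)
    return {src: len(dsts) for src, dsts in seen.items()}


def suspicious_fanout(sessions, threshold=3):
    """Sources touching at least `threshold` distinct destinations: candidate scanners."""
    return sorted(src for src, n in fanout(sessions).items() if n >= threshold)


def sessions_to(sessions, dst, dport=None):
    """Equivalent of `get session dst-ip <dst> [dst-port <port>]` on the firewall."""
    return [s for s in sessions if s.dst == dst and (dport is None or s.dport == dport)]


if __name__ == "__main__":
    sess = parse_sessions(SAMPLE)
    print(f"{len(sess)} sessions parsed")
    for src, n in top_sources(sess):
        print(f"{src:15} {n} sessions, {fanout(sess)[src]} distinct destinations")
    for src in suspicious_fanout(sess):
        print(f"review {src}: high destination fan-out")
```

In practice you would paste the saved console output into a file and feed it to `parse_sessions`; the threshold in `suspicious_fanout` is a triage knob, not a detection rule, and should be tuned to the normal fan-out of the hosts behind the trust interface.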
Common set commands
set interface ethernetx/x zone trust|untrust|dmz|ha    Assign the interface to the specified zone
set interface ethernetx/x ip x.x.x.x/xx    Set the interface IP address
set interface ethernetx/x manage    Enable all management services on the interface (enable only what is needed; see the per-service form below)
set interface ethernetx/x manage web|telnet|ssl|ssh    Enable a single management service; prefer ssl/ssh, because web (HTTP) and telnet carry credentials in cleartext
set interface ethernetx/x phy full 100mb    Set the interface speed and duplex mode
set interface ethernetx/x phy link-down    Administratively shut down the interface
set nsrp vsd-group id 0 monitor interface ethernetx/x    Configure the HA monitored port; if this link goes down, master and backup switch over
exec nsrp vsd-group 0 mode backup    Manual master/backup switchover, executed on the current master
set route 0.0.0.0/0 interface ethernet1/3 gateway 222.92.116.33    Default route with the next-hop interface and gateway address
Any set command is reversed with the corresponding unset command, the equivalent of `no` in Cisco IOS.
Commands can be completed with the Tab key; `?` lists the keywords accepted next.
Extreme Switch Basic Configuration (ExtremeWare/ExtremeXOS)
Note: the numbered sections below are Extreme Networks switch commands, not ScreenOS; the NetScreen material resumes under "NS Series Firewall Installation and Management".
1. Account configuration
create account [admin | user] <username>    Create an account; the switch then prompts:
Enter password:
Re-enter password:
configure account admin    Change the password of the admin account; prompted twice as above
2. Port configuration
configure ports <portlist> auto off {speed [10 | 100 | 1000]} duplex [half | full]    Turn auto-negotiation off and set the port speed and duplex mode (full or half)
3. VLAN configuration
For both the core and the access layer, create three VLANs and remove all ports from the default VLAN:
configure vlan default delete ports all    Remove every port from the default VLAN
create vlan Server
create vlan User    Create the VLANs Server, User and Manger
create vlan Manger
Define the 802.1Q tags:
configure vlan Server tag 10
configure vlan User tag 20
configure vlan Manger tag 30
Set the VLAN gateway (routed interface) addresses:
configure vlan Server ipaddress 192.168.41.1/24
configure vlan User ipaddress 192.168.40.1/24
configure vlan Manger ipaddress 192.168.*.*/24
enable ipforwarding    Enable IP forwarding, i.e. inter-VLAN routing
Trunk configuration (ports 1-3 carry all three VLANs tagged):
configure vlan Server add ports 1-3 tagged
configure vlan User add ports 1-3 tagged
configure vlan Manger add ports 1-3 tagged
4. VRRP configuration
enable vrrp    Enable the Virtual Router Redundancy Protocol
configure vrrp add vlan Uservlan    Enable VRRP on the VLAN
configure vrrp vlan Uservlan add master vrid 10 192.168.6.254    Create virtual router 10 with this virtual IP, this switch acting as master
configure vrrp vlan Uservlan vrid 10 authentication simple-password extreme    Simple-password authentication; the password travels in cleartext in every advertisement, so it only guards against misconfiguration, not against an attacker on the segment
configure vrrp vlan Uservlan vrid 10 priority 200
configure vrrp vlan Uservlan vrid 10 advertisement-interval 15
configure vrrp vlan Uservlan vrid 10 preempt
5. Port mirroring configuration
First remove the monitor port from its VLANs, so it carries nothing but mirrored traffic.
enable mirroring to port 3    # port 3 is the monitor (mirror output) port
configure mirroring add port 1    # copy all traffic on port 1 to port 3
configure mirroring add port 1 vlan Default    # copy only the port 1 traffic belonging to VLAN Default to port 3
6. Port channel (link aggregation) configuration
enable sharing <port> grouping <portlist> {port-based | address-based | round-robin}    Aggregate <portlist> behind master port <port> with the chosen load-sharing algorithm
show ports sharing    View the configuration
7. STP configuration
create stpd <stpd-name>    Create a spanning tree domain
enable stpd <stpd-name>    Start the spanning tree domain
configure stpd <stpd-name> add vlan <vlanname> {ports <portlist> [dot1d | emistp | pvst-plus]}    Add a VLAN (optionally specific ports and an encapsulation) to the domain
configure stpd STPD1 priority 16384    Set the bridge priority (a lower value wins the root election)
configure vlan Marketing add ports 2-3 stpd STPD1 emistp    Add ports 2-3 of VLAN Marketing to STPD1 with EMISTP encapsulation
8. DHCP relay configuration
enable bootprelay    Enable BOOTP/DHCP relay
configure bootprelay add <dhcp server ip>    Add the DHCP server to relay requests to
9. NAT configuration
enable nat    # Enable NAT
Static NAT rule example (one private address to one public address):
configure nat add out_vlan_1 map source 192.168.1.12/32 to 216.52.8.32/32
Dynamic NAT rule example (a /24 mapped onto a pool of 31 public addresses, one address per active host):
configure nat add out_vlan_1 map source 192.168.1.0/24 to 216.52.8.1 - 216.52.8.31
Portmap NAT rule example (128 private addresses share 16 public addresses, translating both TCP and UDP ports):
configure nat add out_vlan_2 map source 192.168.2.0/25 to 216.52.8.32/28 both portmap
Portmap min-max example (TCP only, translated ports restricted to 1024-8192):
configure nat add out_vlan_2 map source 192.168.2.128/25 to 216.52.8.64/28 tcp portmap 1024 - 8192
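The four rule shapes above differ in how many inside hosts can hold a translation at the same time, which is the usual reason a "working" NAT rule starts dropping connections as a subnet fills up. The script below is an added example, not Extreme Networks tooling: it parses `configure nat add ... map source ... to ...` lines in the shapes shown, counts the source addresses and the public addresses each rule has, and flags a dynamic rule without portmap whose pool is smaller than its source block (late hosts get no translation). The rules are constructed from the page's examples; the interpretation of pool exhaustion is standard dynamic-NAT behaviour, and the script deliberately reports no capacity for a portmap rule whose port range is not explicit, because the platform default range is not stated on the page.

```python
"""Sanity-check ExtremeWare NAT rules before deploying them (added example)."""
import ipaddress
import re

# Constructed from the rule examples above.
RULES = """\
configure nat add out_vlan_1 map source 192.168.1.12/32 to 216.52.8.32/32
configure nat add out_vlan_1 map source 192.168.1.0/24 to 216.52.8.1 - 216.52.8.31
configure nat add out_vlan_2 map source 192.168.2.0/25 to 216.52.8.32/28 both portmap
configure nat add out_vlan_2 map source 192.168.2.128/25 to 216.52.8.64/28 tcp portmap 1024 - 8192
"""

# Destination is either a CIDR block or "first - last"; portmap is optional with an optional range.
RULE_RE = re.compile(
    r"configure nat add (?P<vlan>\S+) map source (?P<src>\S+) to (?P<dst>\S+?)"
    r"(?:\s*-\s*(?P<dst_end>\d+\.\d+\.\d+\.\d+))?"
    r"(?: (?P<proto>tcp|udp|both) portmap(?:\s*(?P<pmin>\d+)\s*-\s*(?P<pmax>\d+))?)?\s*$"
)


def public_pool(dst, dst_end):
    """Number of public addresses: a CIDR block, or an explicit first-last range."""
    if dst_end:
        first, last = ipaddress.ip_address(dst), ipaddress.ip_address(dst_end)
        if last < first:
            raise ValueError(f"inverted range {dst}-{dst_end}")
        return int(last) - int(first) + 1
    return ipaddress.ip_network(dst, strict=False).num_addresses


def analyse_rule(line):
    """Classify one NAT rule and report its translation capacity."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised NAT rule: {line!r}")
    g = m.groupdict()
    src_addrs = ipaddress.ip_network(g["src"], strict=False).num_addresses
    pool = public_pool(g["dst"], g["dst_end"])
    result = {"vlan": g["vlan"], "source_addresses": src_addrs,
              "public_addresses": pool, "portmap": g["proto"] is not None}
    if g["proto"]:
        ports = capacity = None
        if g["pmin"]:
            pmin, pmax = int(g["pmin"]), int(g["pmax"])
            if not 0 < pmin <= pmax <= 65535:
                raise ValueError(f"bad portmap range {pmin}-{pmax}")
            ports = (pmin, pmax)
            # Each public address can be reused once per translated port.
            capacity = pool * (pmax - pmin + 1)
        result.update(protocol=g["proto"], ports=ports, concurrent_capacity=capacity,
                      kind="many-to-few with port translation")
    elif src_addrs == 1 and pool == 1:
        result["kind"] = "static one-to-one"
    elif pool >= src_addrs:
        result["kind"] = "dynamic one-to-one (pool covers the source block)"
    else:
        # Without portmap each active host consumes one pool address for the life of its
        # translation; once the pool is exhausted further hosts cannot be translated.
        result["kind"] = f"dynamic oversubscribed: {pool} pool addresses for {src_addrs} sources"
    return result


def analyse_rules(text):
    return [analyse_rule(line) for line in text.splitlines() if line.strip()]


if __name__ == "__main__":
    for r in analyse_rules(RULES):
        print(f"{r['vlan']}: {r['source_addresses']} sources -> {r['public_addresses']} "
              f"public addresses, {r['kind']}"
              + (f", {r['concurrent_capacity']} concurrent TCP translations"
                 if r.get("concurrent_capacity") else ""))
```

The oversubscribed dynamic rule is the one to watch: it passes syntax checks and works in a lab with a handful of hosts, then fails silently for the 32nd host in production. Either widen the pool or add `portmap`, as the third and fourth examples do.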
10. OSPF configuration
enable ospf    Enable the OSPF process
create ospf area <area identifier>    Create an OSPF area
configure ospf routerid [automatic | <routerid>]    Set the router ID
configure ospf add vlan [<vlanname> | all] area <area identifier> {passive}    Add a VLAN to an area; the equivalent of Cisco's `network` statement (passive: advertise the subnet without forming adjacencies on it)
configure ospf area <area identifier> add range <ipaddress> <mask> [advertise | noadvertise] {type-3 | type-7}    Summarize an address range of the area into a single type-3 (or NSSA type-7) LSA, or suppress it; the equivalent of Cisco's `area range`
configure ospf vlan <vlan name> neighbor add <ipaddress>    Statically configure a neighbor
OSPF redistribution:
enable ospf export direct [cost <metric> [ase-type-1 | ase-type-2] {tag <number>} | <route map>]    Redistribute directly connected routes
enable ospf export static [cost <metric> [ase-type-1 | ase-type-2] {tag <number>} | <route map>]    Redistribute static routes
enable ospf originate-default {always} cost <metric> [ase-type-1 | ase-type-2] {tag <number>}    Originate a default route (always: even when the routing table has no default route)
enable ospf originate-router-id    Advertise the router ID as a host route
11. SNMP configuration
enable snmp access    Enable SNMP access
enable snmp traps    Enable SNMP traps
create access-profile <access profile> type [ipaddress | vlan]    Create an access profile (a list of permitted source addresses or VLANs)
configure snmp access-profile readonly [<access_profile> | none]    Restrict read-only SNMP access to the profile; none removes the restriction
configure snmp access-profile readwrite [<access_profile> | none]    The same for read-write access
configure snmp add trapreceiver <ipaddress> {port <udp_port>} community <community string> {from <source IP address>}    Configure the trap receiver host and its community string
SNMPv1/v2c community strings travel in cleartext and are the only credential, so bind access to an access profile and replace the default community strings before the switch is reachable from a management network.
12. Security configuration
disable ip-option loose-source-route    Disable processing of the loose source route IP option
disable ip-option strict-source-route    Disable processing of the strict source route IP option
disable ip-option record-route    Disable processing of the record route option
disable ip-option record-timestamp    Disable processing of the timestamp option
disable ipforwarding broadcast    Do not forward directed broadcasts
disable udp-echo-server    Disable the UDP echo service
disable irdp vlan <vlan name>    Disable ICMP Router Discovery (IRDP) advertisements on the VLAN
disable icmp redirects    Disable sending ICMP redirects
disable web    Disable the switch's web management interface
enable cpu-dos-protect    Enable CPU DoS protection
13. Access lists (ACLs)
create access-list <name> icmp destination <address> source <address>    ICMP rule
create access-list <name> ip destination <address> source <address> ports <portlist>    Any-IP rule
create access-list <name> tcp destination <address> source <address> ports <portlist>    TCP rule
create access-list <name> udp destination <address> source <address> ports <portlist>    UDP rule
14. Default route configuration
configure iproute add default <gateway>
15. Restore factory defaults (does not reset user accounts or the date and time)
unconfigure switch {all}
16. Check the configuration
show version
show config
show session
show management    View management settings, including SNMP information
show banner
show ports configuration
show ports utilization
show memory
show cpu-monitoring
show ospf
show access-list {<name> | port <portlist>}
show access-list-monitor
show ospf area <area identifier>
show ospf area detail
show ospf ase-summary
show ospf interfaces {vlan <vlanname> | area <area identifier>}
unconfigure ospf {vlan <vlan name> | area <area identifier>}    Reset OSPF settings for a VLAN or area (not a show command)
Switch status:
show switch
show diag
show iparp
show iproute
show ipstat
show log
show tech all
show version detail
17. Back up and upgrade software
download image [
upload image [
use image [primary | secondary]    Select the image to boot from
18. Password recovery
If the password of an Extreme switch is lost or forgotten, reboot the switch and repeatedly press the SPACEBAR during boot to enter BootROM mode. Type "h" for the menu, choose "d: force factory default configuration" to clear the configuration file, then choose "f: boot onboard flash". After the reboot the password is gone. Note: the previous configuration is wiped along with it.
On an Extreme X450e-48p, after entering BootROM and pressing "h", type "boot 1" and press Enter.
Because anyone with console access can do this, physical access to the console port must be controlled as tightly as the admin password itself.
19. Adding a switch license
enable license xxxx-xxxx-xxxx-xxxx-xxxx    The switch reports that the license was added; `show licenses` then shows the enabled level, e.g. Advanced Edge:
hn-huaihua-anquan-ls1.33 # show licenses
Enabled License Level:
  Advanced Edge
Enabled Feature Packs:
  None
Steps:
a. hn-huaihua-anquan-ls1.34 # show version
   Switch : 800190-00-04 0804G-80211 Rev 4.0 BootROM: 1.0.2.2 IMG: 11.6.1.9
   XGM2-1 :
   Image : ExtremeXOS version 11.6.1.9 v1161b9 by release-manager
           on Wed Nov 22:40:47 PST 2006
   BootROM : 1.0.2.2
   Here 0804G-80211 is the serial number of the switch.
b. Find the voucher serial number in the envelope shipped with the license.
c. With these two serial numbers, retrieve the license key from the designated vendor site.
d. Enter the key with `enable license`.
NS Series Firewall Installation and Management
NetScreen firewalls support several management methods: the WebUI and the CLI (console, Telnet, SSH). For day-to-day debugging these two are the ones used most.
(ScreenOS 4.0) Step one: configure via the console port
1. Plug one end of the console cable into the console port of the firewall and the other end into the serial port of the PC.
2. Open Windows Accessories > Communications > HyperTerminal and select the serial port the console cable is connected to (port settings: 9600-8-None-1, hardware flow control).
3. At the prompt, enter the account and password to reach the command line (default account: netscreen; password: netscreen). Change these defaults immediately with `set admin name` and `set admin password` (see "Administrative rights" below); a firewall still reachable with the vendor's default credentials should be treated as compromised.
4. You are now at the NetScreen command-line management interface.
Web management connection setup
1. Set an interface IP.
If no interface has an IP yet (factory-initial NetScreen settings), set one so that the WebUI can be reached. Here the trust interface is used; in command-line mode enter:
ns5xt-> set interface trust ip A.B.C.D/E
where A.B.C.D is the IP address, usually an internal address, and E is the mask length, usually 24.
Interface status (similar to Cisco `show interface`) can now be checked with `get interface`.
2. Enable web management on the interface:
ns5xt-> set interface trust manage web
3. Connect the PC to the firewall and finish the setup from the browser.
For NS-5, NS-10 and NS-100 firewalls, the PC connects to the trust and DMZ ports with a straight-through cable and to the untrust port with a crossover cable. For NS-25, NS-200 and higher models the PC connects to every port with a straight-through cable.
Note: set the IP address of the PC's network card in the same subnet as the management IP of the firewall port it is connected to.
Open Internet Explorer, type the firewall's management IP and the login screen appears.
Firewall basic settings
1. Set the access (idle) timeout:
Web: Configuration > Admin > Management, tick "Enable Web Management Idle Timeout" and enter the number of minutes.
CLI:
ns5xt-> set admin auth timeout <minutes>
2. NetScreen administrative rights: the super administrator (root)
Web: Configuration > Admin > Administrators lists and manages all administrators.
CLI: ns5xt-> set admin name <name>
     ns5xt-> set admin password <password>
Add a local administrator
Web: click the New link to open the configuration page. Enter the administrator's login name and password and choose the privilege: all (may change the configuration) or read-only (may only view it).
CLI: ns5xt-> set admin user <name> password <password> privilege [all | read-only]
3. Set up DNS
Web: Network > DNS: host name, domain name, primary DNS server, secondary DNS server, and the time of day at which the DNS table is refreshed. Press Apply when done.
CLI:
ns5xt-> set hostname HMRR6
ns5xt-> set domain <domain name>
ns5xt-> set dns host dns1 <primary server ip>
ns5xt-> set dns host dns2 <secondary server ip>
4. Set zones (security zones)
Web: Network > Zones lists the zones that exist on the device. Not every zone is editable: many predefined zones have no Edit link in the Configure column. Press New to add a zone.
CLI: ns5xt-> set zone <zone name> vrouter <vrouter name>
5. Set interfaces
Web: Network > Interfaces, then choose the interface to configure. Four appear: trust, untrust, DMZ and tunnel; trust, untrust and DMZ are physical interfaces, tunnel is a logical interface for VPN. NS-5 series firewalls have no DMZ port.
Click Edit in the interface's Configure column to open the interface configuration window. (The fields differ by interface mode; NAT mode is used here, transparent mode shows fewer items.)
Zone Name: the security zone the interface belongs to.
IP Address/Netmask: the interface IP and mask.
Manage IP: the management IP of the interface, which must be in the same subnet as the interface IP; if left at 0.0.0.0 it defaults to the interface IP.
Interface Mode: only the trust interface has this item; choose NAT or route. In NAT mode every packet entering the interface is address-translated. In route mode the firewall behaves like a router by default; use this mode when policy-based NAT is wanted.
Management Services: tick or clear Web, Telnet, SNMP, etc. to enable or disable each management service on this interface. Clearing Web and clicking Save turns web management off for the interface: the WebUI can no longer be reached through its management IP and any existing web management sessions on it are dropped. Enable only the services actually needed, and do not expose Web or Telnet on the untrust interface.
Click Apply to save the settings.
CLI:
Set the interface IP:    ns5xt-> set interface <trust|untrust|dmz> ip <ip/mask>
Set the interface gateway:    ns5xt-> set interface <trust|untrust|dmz> gateway <gateway ip>
Enable a management service:    ns5xt-> set interface <trust|untrust|dmz> manage <web|telnet|snmp|ssl|ssh>
Disable a management service:    ns5xt-> unset interface <trust|untrust|dmz> manage <web|telnet|snmp|ssl|ssh>
Set the trust interface mode:    ns5xt-> set interface trust [nat | route]
With the CLI and the WebUI, basic NetScreen setup is complete.
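The settings above (admin name and password, idle timeout, per-interface management services) are exactly the ones that tend to drift after the initial setup, and `get config` prints them as plain `set` lines, so they are easy to audit offline. The script below is an added example, not Juniper tooling: it tokenizes a ScreenOS configuration dump and flags the default admin name, an idle timeout of 0, cleartext management services (web, telnet, SNMP community access), management services enabled on an Untrust-zone interface, and well-known SNMP community strings, suggesting the `unset`/`set` commands from this page to fix each. The configuration is constructed for the example; the reading of timeout 0 as "never expire" is an assumption to confirm against your ScreenOS release.

```python
"""Audit a ScreenOS `get config` dump for weak management settings (added example)."""
import shlex

# Constructed configuration in ScreenOS `set ...` form; not taken from a real device.
CONSTRUCTED_CONFIG = """\
set admin name "netscreen"
set admin password "nKVUM2rwMUzPcrkG5sWIHdCtqkAibn"
set admin auth timeout 0
set interface "ethernet1" zone "Trust"
set interface "ethernet3" zone "Untrust"
set interface ethernet1 ip 192.168.1.1/24
set interface ethernet1 nat
set interface ethernet3 ip 203.0.113.2/24
set interface ethernet3 route
set interface ethernet1 manage web
set interface ethernet1 manage telnet
set interface ethernet1 manage ssh
set interface ethernet3 manage web
set interface ethernet3 manage telnet
set interface ethernet3 manage ping
set snmp community "public" Read-Only Trap-on traffic version v1
"""

CLEARTEXT = {"web", "telnet", "snmp"}   # HTTP, Telnet and SNMPv1/v2c put credentials on the wire
DEFAULT_ADMIN = "netscreen"
DEFAULT_COMMUNITIES = {"public", "private"}


def parse_config(text):
    """Tokenize each `set` line with shlex so quoted names ("Untrust") come out clean."""
    return [shlex.split(line) for line in text.splitlines() if line.startswith("set ")]


def audit(text):
    """Return (severity, finding, suggested fix) tuples for the weaknesses found."""
    findings = []
    zone_of, manage = {}, {}
    admin_name = timeout = None
    for tok in parse_config(text):
        if tok[:3] == ["set", "admin", "name"] and len(tok) > 3:
            admin_name = tok[3]
        elif tok[:4] == ["set", "admin", "auth", "timeout"] and len(tok) > 4:
            timeout = int(tok[4])
        elif tok[:2] == ["set", "interface"] and len(tok) >= 5:
            ifname = tok[2]
            if tok[3] == "zone":
                zone_of[ifname] = tok[4]
            elif tok[3] == "manage":
                manage.setdefault(ifname, set()).add(tok[4])
        elif (tok[:3] == ["set", "snmp", "community"] and len(tok) > 3
              and tok[3].lower() in DEFAULT_COMMUNITIES):
            findings.append(("high", f"SNMP community '{tok[3]}' is a well-known default",
                             f"unset snmp community {tok[3]}"))
    if admin_name == DEFAULT_ADMIN:
        findings.append(("high", "root admin still uses the default name 'netscreen'",
                         "set admin name <new-name>"))
    if timeout == 0:  # assumption: 0 means idle admin sessions never expire
        findings.append(("medium", "admin auth timeout is 0 (idle admin sessions never expire)",
                         "set admin auth timeout 10"))
    for ifname in sorted(manage):
        zone = zone_of.get(ifname, "unknown")
        services = manage[ifname] - {"ping"}        # ping is reachability, not a login path
        cleartext = services & CLEARTEXT
        if zone.lower() == "untrust" and services:
            findings.append(("high",
                             f"{ifname} ({zone}) allows management from the untrusted side: "
                             f"{', '.join(sorted(services))}",
                             "; ".join(f"unset interface {ifname} manage {s}" for s in sorted(services))))
        elif cleartext:
            findings.append(("medium",
                             f"{ifname} ({zone}) enables cleartext management: "
                             f"{', '.join(sorted(cleartext))}; use ssl/ssh instead",
                             "; ".join(f"unset interface {ifname} manage {s}" for s in sorted(cleartext))))
    return findings


if __name__ == "__main__":
    for severity, finding, fix in audit(CONSTRUCTED_CONFIG):
        print(f"[{severity}] {finding}\n    fix: {fix}")
```

Run it against the output of `get config` saved from the console; a clean configuration returns an empty list. The zone lookup matters: the same `manage telnet` line is a medium finding on a Trust interface and a high one on an Untrust interface, which is why the audit keys on the `set interface ... zone` lines rather than on the interface name.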
Continued in: Juniper Common Commands (II)