預設帳號 : root
預設密碼 : no
%cli //進入 cli 介面模式
>configure 或 >edit //進入特權模式
>show system processes extensive //工作管理員
>show system processes extensive //工作管理員
基本設定
#edit system //進入 system 目錄
#set host-name switch //設定主機名稱
#set root-authentication plain-text-password //設定 root 管理帳號密碼 (之後才能存檔)
#set system login user (name) class super-user //設定使用者為超級己用者
#set
system login user (username) authentication plain-text-password (password)
//設定使用者密碼
*** 設定密碼時使用 plain-text-password 會自動進行加密,之後 show 設定時會顯示亂碼***
//設定使用者密碼
*** 設定密碼時使用 plain-text-password 會自動進行加密,之後 show 設定時會顯示亂碼***
#commit //儲存設定
#commit check //儲存設定並檢查語法是否有錯誤
#rollback 0 //回到running config,還沒commit的設定全部都會消失
#rollback 1 //回到上一次commit設定
# show | compare rollback 0 //確認與上次儲存的差異
>request system halt (power-off) //關機
>request system reboot //重新開機
#load factory-authentication //回復出廠預設值
#set system root-authentication plain-text-password
//需先設定root密碼再commit才會回復出廠預設值
>request system storage cleanup //清除硬碟內的檔案及log(設定不變)
# show | compare rollback 0 //確認與上次儲存的差異
>request system halt (power-off) //關機
>request system reboot //重新開機
#load factory-authentication //回復出廠預設值
#set system root-authentication plain-text-password
//需先設定root密碼再commit才會回復出廠預設值
>request system storage cleanup //清除硬碟內的檔案及log(設定不變)
#set services telnet //啟動 Telnet 服務
#set services ssh //啟動 SSH 服務
#set services web-management http //啟動 Web 服務 (使用 Web 介面進行管理)
預設 IP : 192.168.1.1
#set time-zone Asia/Taipei //設定時區
預設 IP : 192.168.1.1
#set time-zone Asia/Taipei //設定時區
#set routing-options static route 0.0.0.0/0 next-hop 192.168.1.254 //指定 DefaultGateway
#set routing-options static route 192.168.10.0/24 next-hop 192.168.1.254 //新增一筆靜態路由
#set interfaces me0 unit 0 family inet address 192.168.1.254 //指定管理介面 IP Address
# set interface ge-0/0/0 unit 0 family inet address.192.168.1 .1/24 //設定ip
# delet interface ge-0/0/0 unit 0 family inet address.192.168.1 .1/24 //刪除ip
設定 VLAN
#set vlans (name) vlan-id (id) //新增一個VLAN (name不能只有數字)
#set interfaces vlan unit (id) family inet address 192.168.1.254/24 //設定VLAN IP
#set vlans (name) l3-interface vlan (id) //將此VLAN設為L3層
#set interface ge-0/0/0 unit 0 family ethernet-switching vlan members (id) //將port加入VLAN
#set interface interface-range (name) member-range ge-0/0/0 to ge-0/0/23
//將多個port加入VLAN
設定 LACP
#set chassis aggregated-devices ethernet device-count 1 //指定數量
#set interfaces ge-0/0/1 ether-option 802.3ad ae0 //指定 LAG port
#set interfaces ge-0/0/2 ether-option 802.3ad ae0 //指定 LAG port
#set interfaces ae0 aggregated-ether-options lacp active //設定 LACP port
#set interfaces ae0 aggregated-ether-options lacp periodic fast //設定 LACP port
#set interfaces ae0 unit 0 family ethernet-switching port-mode access //設定存取模式
#set interfaces ae0 unit 0 family ethernet-switching vlan members VLAN2 //設定 VLAN
#show interface terse | grep ae //檢視 LAG port
#show lacp interface //檢視 LACP
設定 SNMP
#set snmp (community-name) public authorization read-only //指定為 SNMP Server
#set snmp trap-group trap targets 192.168.1.1 // 加入 SNMP Server
Loader 下更新 OS
一、檔案在 USB 根目錄 ( 沒試過幾次 )
1.開機時狂按空白鍵進入 loader>
2.loader> install file:///jinstall-ex-2200-11.4R2.14-domestic-signed.tgz
二、使用 TFTP Server
1.開機時狂按空白鍵進入 loader>
2.loader> set ipaddr=192.168.100.1
3.loader> set netmask=255.255.255.0
4.loader> set serverip=192.168.100.10
5.loader> show --確認 IP 有沒有錯誤
6.loader> install tftp://192.168.100.10/jinstall-ex-2200-11.4R2.14-domestic-signed.tgz
shell
>start shell
進入shell模式,進入後系統為Linux
MAC 查 port
>ping 192.168.10.40 //先 ping IP 收集 arp 表
>show arp | match 192.168.10.40 //再從 arp 表用 IP 去找 MAC
>show ethernet-switching table | match MAC //最後從交換表去查 MAC 是從哪個 port 進來的
過程跟 Cisco 教的一樣,只是指令不同而已
硬碟相關
遇到硬碟容量問題
>show system storage //檢視資料夾容量,可以看到各資料夾容量大小及使用量
>request system storage cleanup //清空硬碟,除了設定檔之類必要的以外,其他檔案會被清空,連log都會被清掉
virtual-chassis 堆疊
>show virtual-chassis //檢視機器堆疊的狀態
>request virtual-chassis vc-port set pic-slot 1 port 0 member 0 //設定1/0/0加入member0的堆疊
>request virtual-chassis vc-port delete pic-slot 1 port 0 //刪除堆疊port
#set virtual-chassis member 0 mastership-priority 255 //設定master值(255為最大)
>request virtual-chassis recycle member-id //回收member-id
Firewall Filter (類似 Cisco ACL)
會設定這東西是因為 2014年2月開始流行起來的 NTP 的 DDOS 攻擊
remote-login ( filter name )
allow-ntp、 deny-ntp ( term name )
set firewall family inet filter remote-login term allow-ntp from source-address 59.124.196.84/32 //設定來源IP
set firewall family inet filter remote-login term allow-ntp from protocol udp //設定來源協定
set firewall family inet filter remote-login term allow-ntp from destination-port ntp //目的地port
set firewall family inet filter remote-login term allow-ntp then accep //符合條件的話允許通過
下列的 term 不同,因為一個 port 只能套用一條 filter ,因此想要設定多項過濾設定就必須用 term 來做區分。
set firewall family inet filter remote-login term deny-ntp from protocol udp //設定來源協定
set firewall family inet filter remote-login term deny-ntp from destination-port ntp //目的地port
set firewall family inet filter remote-login term deny-ntp then discard //符合條件的話就阻擋
set interfaces lo0 unit 1 family inet filter input remote-login //套用在 lookback 1的 port 上
set system ntp server 59.124.196.84 prefer //設定 NTP Server IP ,prefer 為優先使用
set system ntp server 192.168.1.254 //設定 NTP Server IP
set system ntp source-address 192.168.1.1 //限制 NTP 的封包來源
上面是 switch 的設定,下列是 route的設定,只差在開頭不同。
set firewall filter ntp term allow-ntp from source-address 59.124.196.84/32
set firewall filter ntp term allow-ntp from protocol udp
set firewall filter ntp term allow-ntp from destination-port ntp
set firewall filter ntp term allow-ntp then accept
set firewall filter ntp term deny-ntp from protocol udp
set firewall filter ntp term deny-ntp from destination-port ntp
set firewall filter ntp term deny-ntp then discard
set firewall filter ntp term not-ntp then accept
# set interface ge-0/0/0 unit 0 family inet address.
# delet interface ge-0/0/0 unit 0 family inet address.
設定 VLAN
#set vlans (name) vlan-id (id) //新增一個VLAN (name不能只有數字)
#set interfaces vlan unit (id) family inet address 192.168.1.254/24 //設定VLAN IP
#set vlans (name) l3-interface vlan (id) //將此VLAN設為L3層
#set interface ge-0/0/0 unit 0 family ethernet-switching vlan members (id) //將port加入VLAN
#set interface interface-range (name) member-range ge-0/0/0 to ge-0/0/23
//將多個port加入VLAN
設定 LACP
#set chassis aggregated-devices ethernet device-count 1 //指定數量
#set interfaces ge-0/0/1 ether-option 802.3ad ae0 //指定 LAG port
#set interfaces ge-0/0/2 ether-option 802.3ad ae0 //指定 LAG port
#set interfaces ae0 aggregated-ether-options lacp active //設定 LACP port
#set interfaces ae0 aggregated-ether-options lacp periodic fast //設定 LACP port
#set interfaces ae0 unit 0 family ethernet-switching port-mode access //設定存取模式
#set interfaces ae0 unit 0 family ethernet-switching vlan members VLAN2 //設定 VLAN
#show interface terse | grep ae //檢視 LAG port
#show lacp interface //檢視 LACP
設定 SNMP
#set snmp (community-name) public authorization read-only //指定為 SNMP Server
#set snmp trap-group trap targets 192.168.1.1 // 加入 SNMP Server
Loader 下更新 OS
一、檔案在 USB 根目錄 ( 沒試過幾次 )
1.開機時狂按空白鍵進入 loader>
2.loader> install file:///jinstall-ex-2200-11.4R2.14-domestic-signed.tgz
二、使用 TFTP Server
1.開機時狂按空白鍵進入 loader>
2.loader> set ipaddr=192.168.100.1
3.loader> set netmask=255.255.255.0
4.loader> set serverip=192.168.100.10
5.loader> show --確認 IP 有沒有錯誤
6.loader> install tftp://192.168.100.10/jinstall-ex-2200-11.4R2.14-domestic-signed.tgz
shell
>start shell
進入shell模式,進入後系統為Linux
MAC 查 port
>ping 192.168.10.40 //先 ping IP 收集 arp 表
>show arp | match 192.168.10.40 //再從 arp 表用 IP 去找 MAC
>show ethernet-switching table | match MAC //最後從交換表去查 MAC 是從哪個 port 進來的
過程跟 Cisco 教的一樣,只是指令不同而已
硬碟相關
遇到硬碟容量問題
>show system storage //檢視資料夾容量,可以看到各資料夾容量大小及使用量
>request system storage cleanup //清空硬碟,除了設定檔之類必要的以外,其他檔案會被清空,連log都會被清掉
virtual-chassis 堆疊
>show virtual-chassis //檢視機器堆疊的狀態
>request virtual-chassis vc-port set pic-slot 1 port 0 member 0 //設定1/0/0加入member0的堆疊
>request virtual-chassis vc-port delete pic-slot 1 port 0 //刪除堆疊port
#set virtual-chassis member 0 mastership-priority 255 //設定master值(255為最大)
>request virtual-chassis recycle member-id //回收member-id
Firewall Filter (類似 Cisco ACL)
會設定這東西是因為 2014年2月開始流行起來的 NTP 的 DDOS 攻擊
remote-login ( filter name )
allow-ntp、 deny-ntp ( term name )
set firewall family inet filter remote-login term allow-ntp from source-address 59.124.196.84/32 //設定來源IP
set firewall family inet filter remote-login term allow-ntp from protocol udp //設定來源協定
set firewall family inet filter remote-login term allow-ntp from destination-port ntp //目的地port
set firewall family inet filter remote-login term allow-ntp then accep //符合條件的話允許通過
下列的 term 不同,因為一個 port 只能套用一條 filter ,因此想要設定多項過濾設定就必須用 term 來做區分。
set firewall family inet filter remote-login term deny-ntp from protocol udp //設定來源協定
set firewall family inet filter remote-login term deny-ntp from destination-port ntp //目的地port
set firewall family inet filter remote-login term deny-ntp then discard //符合條件的話就阻擋
set interfaces lo0 unit 1 family inet filter input remote-login //套用在 lookback 1的 port 上
set system ntp server 59.124.196.84 prefer //設定 NTP Server IP ,prefer 為優先使用
set system ntp server 192.168.1.254 //設定 NTP Server IP
set system ntp source-address 192.168.1.1 //限制 NTP 的封包來源
上面是 switch 的設定,下列是 route的設定,只差在開頭不同。
set firewall filter ntp term allow-ntp from source-address 59.124.196.84/32
set firewall filter ntp term allow-ntp from protocol udp
set firewall filter ntp term allow-ntp from destination-port ntp
set firewall filter ntp term allow-ntp then accept
set firewall filter ntp term deny-ntp from protocol udp
set firewall filter ntp term deny-ntp from destination-port ntp
set firewall filter ntp term deny-ntp then discard
set firewall filter ntp term not-ntp then accept
沒有留言:
張貼留言