附录:完整 SRX 配置
在前几个部分中,我们有意省略了配置中的默认部分,以便专注于需要更改的内容。
在本附录中,我们提供了编写本文档时所使用的 SRX380 的完整配置。请记住,此配置的一小部分来自您的 Day One+ 初始入网活动,即主机名称和 root 密码。配置中出现的 root 密码只是占位符;同样地,sduser 的密码哈希以及 outbound-ssh secret 与 IKE pre-shared-key 等 `$9$` 机密(该格式可被还原为明文)都属于示例设备,请在您的设备上替换为自己的值。
设置 (set) 格式的完整 SRX 配置
[edit] root@branch-srx# show | display set set version 21.4R1.12 set system host-name branch-srx set system root-authentication encrypted-password "$ABCD_dont-load this as a plain text, set your own root password!" set system login user sduser uid 2001 set system login user sduser class super-user set system login user sduser authentication encrypted-password "$6$ma2havhhEP3TAJxx$ubRCVg/nXbEKHpRjD16M1dTy22MKvFdhIwLlmLDC6HlcU30JIiwf1v3DPB7TE1nSdmj0ESjVrQ55nmt1qAa0e." set system services ssh set system services netconf ssh set system services netconf rfc-compliant set system services dhcp-local-server group jdhcp-group interface fxp0.0 set system services dhcp-local-server group jdhcp-group interface irb.0 set system services dhcp-local-server group CONTRACTORS-POOL interface irb.30 set system services dhcp-local-server group GUEST-POOL interface irb.20 set system services web-management https system-generated-certificate set system services outbound-ssh client EMS-srx.sdscale.juniperclouds.net device-id 946d0091-e32b-4564-82d4-0ebccb332ee1.JUNOS set system services outbound-ssh client EMS-srx.sdscale.juniperclouds.net secret "$9$0NBEOhSrlMNVw8LqmPfzF69AuORLX7-wY1RVwgoGUz3n6p0hclW87lebsg4DjHqm5T39CuRhS0ORSleXxmf5F9A0BIyevz3hSyeW8xNdVwg" set system services outbound-ssh client EMS-srx.sdscale.juniperclouds.net keep-alive set system services outbound-ssh client EMS-srx.sdscale.juniperclouds.net services netconf set system services outbound-ssh client EMS-srx.sdscale.juniperclouds.net srx.sdscale.juniperclouds.net port 7804 set system name-server 8.8.8.8 set system name-server 8.8.4.4 set system syslog archive size 100k set system syslog archive files 3 set system syslog user * any emergency set system syslog file interactive-commands interactive-commands any set system syslog file messages any notice set system syslog file messages authorization info set system syslog file sdcloud-messages any any set system syslog file sdcloud-messages match 
"(UI_COMMIT_COMPLETED)|ifAdminStatus|ifOperStatus|(FRU power)|(FRU removal)|(FRU insertion)|(link UP)|(vc add)|(vc delete)|transitioned|Transferred|transfer-file|(license add)|(license delete)|JSRPD_HA_HEALTH_WEIGHT|PKID_PV_CERT_LOAD|PKID_PV_CERT_DEL" set system syslog file sdcloud-messages structured-data set system max-configurations-on-flash 5 set system max-configuration-rollbacks 5 set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval set security ike proposal standard authentication-method pre-shared-keys set security ike policy ike-pol mode aggressive set security ike policy ike-pol proposals standard set security ike policy ike-pol pre-shared-key ascii-text "$9$Yj4oGjHmf5FJGi.m56/dVwgZjk.5T39" set security ike gateway ike-gw ike-policy ike-pol set security ike gateway ike-gw address 172.16.1.1 set security ike gateway ike-gw local-identity hostname branch set security ike gateway ike-gw remote-identity hostname hq set security ike gateway ike-gw external-interface ge-0/0/0 set security ipsec proposal standard set security ipsec policy ipsec-pol proposals standard set security ipsec vpn to_hq bind-interface st0.0 set security ipsec vpn to_hq ike gateway ike-gw set security ipsec vpn to_hq ike ipsec-policy ipsec-pol set security ipsec vpn to_hq establish-tunnels immediately set security flow traceoptions file flow-debug set security flow traceoptions flag basic-datapath set security screen ids-option untrust-screen icmp ping-death set security screen ids-option untrust-screen ip source-route-option set security screen ids-option untrust-screen ip tear-drop set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024 set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200 set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024 set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048 set security screen ids-option untrust-screen tcp 
syn-flood timeout 20 set security screen ids-option untrust-screen tcp land set security nat source rule-set trust-to-untrust from zone trust set security nat source rule-set trust-to-untrust to zone untrust set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0 set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface set security nat source rule-set guests-to-untrust from zone guests set security nat source rule-set guests-to-untrust to zone untrust set security nat source rule-set guests-to-untrust rule guest-nat-rule match source-address 0.0.0.0/0 set security nat source rule-set guests-to-untrust rule guest-nat-rule then source-nat interface set security policies from-zone trust to-zone trust policy trust-to-trust match source-address any set security policies from-zone trust to-zone trust policy trust-to-trust match destination-address any set security policies from-zone trust to-zone trust policy trust-to-trust match application any set security policies from-zone trust to-zone trust policy trust-to-trust then permit set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit set security policies from-zone guests to-zone untrust policy guests-to-untrust match source-address any set security policies from-zone guests to-zone untrust policy guests-to-untrust match destination-address any set security policies from-zone guests to-zone untrust policy guests-to-untrust match application junos-http set security policies from-zone guests to-zone untrust policy guests-to-untrust match application junos-https set security policies from-zone guests 
to-zone untrust policy guests-to-untrust match application junos-ping set security policies from-zone guests to-zone untrust policy guests-to-untrust match application junos-dns-udp set security policies from-zone guests to-zone untrust policy guests-to-untrust then permit set security policies from-zone trust to-zone vpn policy trust-to-vpn match source-address any set security policies from-zone trust to-zone vpn policy trust-to-vpn match destination-address any set security policies from-zone trust to-zone vpn policy trust-to-vpn match application any set security policies from-zone trust to-zone vpn policy trust-to-vpn then permit set security policies from-zone trust to-zone contractors policy trust-to-contractors match source-address any set security policies from-zone trust to-zone contractors policy trust-to-contractors match destination-address any set security policies from-zone trust to-zone contractors policy trust-to-contractors match application junos-http set security policies from-zone trust to-zone contractors policy trust-to-contractors match application junos-ping set security policies from-zone trust to-zone contractors policy trust-to-contractors then permit set security policies pre-id-default-policy then log session-close set security zones security-zone trust host-inbound-traffic system-services all set security zones security-zone trust host-inbound-traffic protocols all set security zones security-zone trust interfaces irb.0 set security zones security-zone untrust screen untrust-screen set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcp set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services tftp set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services https set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ike set security zones security-zone untrust 
interfaces ge-0/0/0.0 host-inbound-traffic system-services ping set security zones security-zone untrust interfaces xe-0/0/19.0 host-inbound-traffic system-services dhcp set security zones security-zone untrust interfaces xe-0/0/19.0 host-inbound-traffic system-services tftp set security zones security-zone untrust interfaces dl0.0 host-inbound-traffic system-services tftp set security zones security-zone contractors host-inbound-traffic system-services dhcp set security zones security-zone contractors host-inbound-traffic system-services ping set security zones security-zone contractors interfaces irb.30 set security zones security-zone guests host-inbound-traffic system-services dhcp set security zones security-zone guests host-inbound-traffic system-services ping set security zones security-zone guests interfaces irb.20 set security zones security-zone vpn host-inbound-traffic system-services ping set security zones security-zone vpn interfaces st0.0 set interfaces ge-0/0/0 unit 0 family inet dhcp vendor-id Juniper-srx380 set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members guests set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members vlan-trust set interfaces ge-0/0/3 unit 0 family ethernet-switching vlan members contractors set interfaces ge-0/0/4 unit 0 family ethernet-switching vlan members vlan-trust set interfaces ge-0/0/5 unit 0 family ethernet-switching vlan members vlan-trust set interfaces ge-0/0/6 unit 0 family ethernet-switching vlan members vlan-trust set interfaces ge-0/0/7 unit 0 family ethernet-switching vlan members vlan-trust set interfaces ge-0/0/8 unit 0 family ethernet-switching vlan members vlan-trust set interfaces ge-0/0/9 unit 0 family ethernet-switching vlan members vlan-trust set interfaces ge-0/0/10 unit 0 family ethernet-switching vlan members vlan-trust set interfaces ge-0/0/11 unit 0 family ethernet-switching vlan members vlan-trust set interfaces ge-0/0/12 unit 0 family ethernet-switching vlan 
members vlan-trust set interfaces ge-0/0/13 unit 0 family ethernet-switching vlan members vlan-trust set interfaces ge-0/0/14 unit 0 family ethernet-switching vlan members vlan-trust set interfaces ge-0/0/15 unit 0 family ethernet-switching vlan members vlan-trust set interfaces xe-0/0/16 unit 0 family ethernet-switching vlan members vlan-trust set interfaces xe-0/0/17 unit 0 family ethernet-switching vlan members vlan-trust set interfaces xe-0/0/18 unit 0 family ethernet-switching vlan members vlan-trust set interfaces xe-0/0/19 unit 0 family inet dhcp vendor-id Juniper-srx380 set interfaces cl-1/0/0 dialer-options pool 1 priority 100 set interfaces dl0 unit 0 family inet negotiate-address set interfaces dl0 unit 0 family inet6 negotiate-address set interfaces dl0 unit 0 dialer-options pool 1 set interfaces dl0 unit 0 dialer-options dial-string 1234 set interfaces dl0 unit 0 dialer-options always-on set interfaces fxp0 unit 0 family inet address 192.168.1.1/24 set interfaces irb unit 0 family inet address 192.168.2.1/24 set interfaces irb unit 20 family inet address 192.168.20.1/24 set interfaces irb unit 30 family inet address 192.168.30.1/24 set interfaces st0 unit 0 family inet address 10.0.0.1/24 set access address-assignment pool junosDHCPPool1 family inet network 192.168.1.0/24 set access address-assignment pool junosDHCPPool1 family inet range junosRange low 192.168.1.2 set access address-assignment pool junosDHCPPool1 family inet range junosRange high 192.168.1.254 set access address-assignment pool junosDHCPPool1 family inet dhcp-attributes router 192.168.1.1 set access address-assignment pool junosDHCPPool1 family inet dhcp-attributes propagate-settings ge-0/0/0.0 set access address-assignment pool junosDHCPPool2 family inet network 192.168.2.0/24 set access address-assignment pool junosDHCPPool2 family inet range junosRange low 192.168.2.2 set access address-assignment pool junosDHCPPool2 family inet range junosRange high 192.168.2.254 set access 
address-assignment pool junosDHCPPool2 family inet dhcp-attributes router 192.168.2.1 set access address-assignment pool junosDHCPPool2 family inet dhcp-attributes propagate-settings ge-0/0/0.0 set access address-assignment pool CONTRACTORS-POOL family inet network 192.168.30.0/24 set access address-assignment pool CONTRACTORS-POOL family inet range CONTRACTORS-POOL-IP-RANGE low 192.168.30.10 set access address-assignment pool CONTRACTORS-POOL family inet range CONTRACTORS-POOL-IP-RANGE high 192.168.30.100 set access address-assignment pool CONTRACTORS-POOL family inet dhcp-attributes domain-name srx-branch.com set access address-assignment pool CONTRACTORS-POOL family inet dhcp-attributes name-server 8.8.8.8 set access address-assignment pool CONTRACTORS-POOL family inet dhcp-attributes router 192.168.30.1 set access address-assignment pool GUEST-POOL family inet network 192.168.20.0/24 set access address-assignment pool GUEST-POOL family inet range GUEST-POOL---IP-RANGE low 192.168.20.10 set access address-assignment pool GUEST-POOL family inet range GUEST-POOL---IP-RANGE high 192.168.20.100 set access address-assignment pool GUEST-POOL family inet dhcp-attributes domain-name srx-branch.com set access address-assignment pool GUEST-POOL family inet dhcp-attributes name-server 8.8.8.8 set access address-assignment pool GUEST-POOL family inet dhcp-attributes router 192.168.20.1 set vlans contractors vlan-id 30 set vlans contractors l3-interface irb.30 set vlans guests vlan-id 20 set vlans guests l3-interface irb.20 set vlans vlan-trust vlan-id 3 set vlans vlan-trust l3-interface irb.0 set protocols l2-learning global-mode switching set protocols rstp interface all set routing-options static route 172.16.200.0/24 next-hop st0.0
花括号格式的 SRX 配置
有些读者更喜欢花括号格式,在此一并提供:
[edit] root@branch-srx# show | no-more root@branch-srx# show | no-more ## Last changed: 2022-04-20 03:39:09 UTC version 21.4R1.12; system { host-name branch-srx; root-authentication { encrypted-password "$ABCD_dont-load this as a plain text, set your own root password!"; ## SECRET-DATA } login { user sduser { uid 2001; class super-user; authentication { encrypted-password "$6$ma2havhhEP3TAJxx$ubRCVg/nXbEKHpRjD16M1dTy22MKvFdhIwLlmLDC6HlcU30JIiwf1v3DPB7TE1nSdmj0ESjVrQ55nmt1qAa0e."; ## SECRET-DATA } } } services { ssh; netconf { ssh; rfc-compliant; } dhcp-local-server { group jdhcp-group { interface fxp0.0; interface irb.0; } group CONTRACTORS-POOL { interface irb.30; } group GUEST-POOL { interface irb.20; } } web-management { https { system-generated-certificate; } } outbound-ssh { client EMS-srx.sdscale.juniperclouds.net { device-id 946d0091-e32b-4564-82d4-0ebccb332ee1.JUNOS; secret "$9$0NBEOhSrlMNVw8LqmPfzF69AuORLX7-wY1RVwgoGUz3n6p0hclW87lebsg4DjHqm5T39CuRhS0ORSleXxmf5F9A0BIyevz3hSyeW8xNdVwg"; ## SECRET-DATA keep-alive; services netconf; srx.sdscale.juniperclouds.net port 7804; } } } name-server { 8.8.8.8; 8.8.4.4; } syslog { archive size 100k files 3; user * { any emergency; } file interactive-commands { interactive-commands any; } file messages { any notice; authorization info; } file sdcloud-messages { any any; match "(UI_COMMIT_COMPLETED)|ifAdminStatus|ifOperStatus|(FRU power)|(FRU removal)|(FRU insertion)|(link UP)|(vc add)|(vc delete)|transitioned|Transferred|transfer-file|(license add)|(license delete)|JSRPD_HA_HEALTH_WEIGHT|PKID_PV_CERT_LOAD|PKID_PV_CERT_DEL"; structured-data; } } max-configurations-on-flash 5; max-configuration-rollbacks 5; license { autoupdate { url https://ae1.juniper.net/junos/key_retrieval; } } } security { ike { proposal standard { authentication-method pre-shared-keys; } policy ike-pol { mode aggressive; proposals standard; pre-shared-key ascii-text "$9$Yj4oGjHmf5FJGi.m56/dVwgZjk.5T39"; ## SECRET-DATA } gateway ike-gw { ike-policy 
ike-pol; address 172.16.1.1; local-identity hostname branch; remote-identity hostname hq; external-interface ge-0/0/0; } } ipsec { proposal standard; policy ipsec-pol { proposals standard; } vpn to_hq { bind-interface st0.0; ike { gateway ike-gw; ipsec-policy ipsec-pol; } establish-tunnels immediately; } } flow { traceoptions { file flow-debug; flag basic-datapath; } } screen { ids-option untrust-screen { icmp { ping-death; } ip { source-route-option; tear-drop; } tcp { syn-flood { alarm-threshold 1024; attack-threshold 200; source-threshold 1024; destination-threshold 2048; timeout 20; } land; } } } nat { source { rule-set trust-to-untrust { from zone trust; to zone untrust; rule source-nat-rule { match { source-address 0.0.0.0/0; } then { source-nat { interface; } } } } rule-set guests-to-untrust { from zone guests; to zone untrust; rule guest-nat-rule { match { source-address 0.0.0.0/0; } then { source-nat { interface; } } } } } } policies { from-zone trust to-zone trust { policy trust-to-trust { match { source-address any; destination-address any; application any; } then { permit; } } } from-zone trust to-zone untrust { policy trust-to-untrust { match { source-address any; destination-address any; application any; } then { permit; } } } from-zone guests to-zone untrust { policy guests-to-untrust { match { source-address any; destination-address any; application [ junos-http junos-https junos-ping junos-dns-udp ]; } then { permit; } } } from-zone trust to-zone vpn { policy trust-to-vpn { match { source-address any; destination-address any; application any; } then { permit; } } } from-zone trust to-zone contractors { policy trust-to-contractors { match { source-address any; destination-address any; application [ junos-http junos-ping ]; } then { permit; } } } pre-id-default-policy { then { log { session-close; } } } } zones { security-zone trust { host-inbound-traffic { system-services { all; } protocols { all; } } interfaces { irb.0; } } security-zone untrust { 
screen untrust-screen; interfaces { ge-0/0/0.0 { host-inbound-traffic { system-services { dhcp; tftp; https; ike; ping; } } } xe-0/0/19.0 { host-inbound-traffic { system-services { dhcp; tftp; } } } dl0.0 { host-inbound-traffic { system-services { tftp; } } } } } security-zone contractors { host-inbound-traffic { system-services { dhcp; ping; } } interfaces { irb.30; } } security-zone guests { host-inbound-traffic { system-services { dhcp; ping; } } interfaces { irb.20; } } security-zone vpn { host-inbound-traffic { system-services { ping; } } interfaces { st0.0; } } } } interfaces { ge-0/0/0 { unit 0 { family inet { dhcp { vendor-id Juniper-srx380; } } } } ge-0/0/1 { unit 0 { family ethernet-switching { vlan { members guests; } } } } ge-0/0/2 { unit 0 { family ethernet-switching { vlan { members vlan-trust; } } } } ge-0/0/3 { unit 0 { family ethernet-switching { vlan { members contractors; } } } } ge-0/0/4 { unit 0 { family ethernet-switching { vlan { members vlan-trust; } } } } ge-0/0/5 { unit 0 { family ethernet-switching { vlan { members vlan-trust; } } } } ge-0/0/6 { unit 0 { family ethernet-switching { vlan { members vlan-trust; } } } } ge-0/0/7 { unit 0 { family ethernet-switching { vlan { members vlan-trust; } } } } ge-0/0/8 { unit 0 { family ethernet-switching { vlan { members vlan-trust; } } } } ge-0/0/9 { unit 0 { family ethernet-switching { vlan { members vlan-trust; } } } } ge-0/0/10 { unit 0 { family ethernet-switching { vlan { members vlan-trust; } } } } ge-0/0/11 { unit 0 { family ethernet-switching { vlan { members vlan-trust; } } } } ge-0/0/12 { unit 0 { family ethernet-switching { vlan { members vlan-trust; } } } } ge-0/0/13 { unit 0 { family ethernet-switching { vlan { members vlan-trust; } } } } ge-0/0/14 { unit 0 { family ethernet-switching { vlan { members vlan-trust; } } } } ge-0/0/15 { unit 0 { family ethernet-switching { vlan { members vlan-trust; } } } } xe-0/0/16 { unit 0 { family ethernet-switching { vlan { members vlan-trust; } } } } 
xe-0/0/17 { unit 0 { family ethernet-switching { vlan { members vlan-trust; } } } } xe-0/0/18 { unit 0 { family ethernet-switching { vlan { members vlan-trust; } } } } xe-0/0/19 { unit 0 { family inet { dhcp { vendor-id Juniper-srx380; } } } } cl-1/0/0 { dialer-options { pool 1 priority 100; } } dl0 { unit 0 { family inet { negotiate-address; } family inet6 { negotiate-address; } dialer-options { pool 1; dial-string 1234; always-on; } } } fxp0 { unit 0 { family inet { address 192.168.1.1/24; } } } irb { unit 0 { family inet { address 192.168.2.1/24; } } unit 20 { family inet { address 192.168.20.1/24; } } unit 30 { family inet { address 192.168.30.1/24; } } } st0 { unit 0 { family inet { address 10.0.0.1/24; } } } } access { address-assignment { pool junosDHCPPool1 { family inet { network 192.168.1.0/24; range junosRange { low 192.168.1.2; high 192.168.1.254; } dhcp-attributes { router { 192.168.1.1; } propagate-settings ge-0/0/0.0; } } } pool junosDHCPPool2 { family inet { network 192.168.2.0/24; range junosRange { low 192.168.2.2; high 192.168.2.254; } dhcp-attributes { router { 192.168.2.1; } propagate-settings ge-0/0/0.0; } } } pool CONTRACTORS-POOL { family inet { network 192.168.30.0/24; range CONTRACTORS-POOL-IP-RANGE { low 192.168.30.10; high 192.168.30.100; } dhcp-attributes { domain-name srx-branch.com; name-server { 8.8.8.8; } router { 192.168.30.1; } } } } pool GUEST-POOL { family inet { network 192.168.20.0/24; range GUEST-POOL---IP-RANGE { low 192.168.20.10; high 192.168.20.100; } dhcp-attributes { domain-name srx-branch.com; name-server { 8.8.8.8; } router { 192.168.20.1; } } } } } } vlans { contractors { vlan-id 30; l3-interface irb.30; } guests { vlan-id 20; l3-interface irb.20; } vlan-trust { vlan-id 3; l3-interface irb.0; } } protocols { l2-learning { global-mode switching; } rstp { interface all; } } routing-options { static { route 172.16.200.0/24 next-hop st0.0; } }