System配置
# Basic system identity, DNS resolvers and time-zone.
set system host-name access-switch01
set system time-zone Asia/Shanghai
set system name-server 223.5.5.5
set system name-server 223.6.6.6
# Root and admin credentials. The values below look like placeholders rather
# than real Junos password hashes; replace them with the hash the device
# generates for the chosen password.
# NOTE(review): the quotes on these two lines are typographic (U+201C/U+201D),
# not ASCII " — the CLI will not treat them as a quoted string when loading;
# use straight quotes.
set system root-authentication encrypted-password “$.security/”
set system login user admin uid 2000
set system login user admin class super-user
set system login user admin authentication encrypted-password “security/”
# Management services. Telnet and web management are not recommended in
# production.
# NOTE(review): the comment above contradicts the lines that follow — telnet
# is enabled, and HTTPS management is bound to every interface ("interface
# all"), including the user-facing vlan.2. Remove the telnet line and, if the
# GUI is really needed, bind it to the management interface only.
set system services ssh
set system services telnet
set system services web-management https system-generated-certificate
set system services web-management https interface all
set system auto-snapshot
# Logging: emergencies to every logged-in user, notices and authorization
# events to the local "messages" file, every interactive CLI command to its
# own file. No remote syslog host is configured in this snippet, so the logs
# exist only on the switch.
set system syslog user * any emergency
set system syslog file messages any notice
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands any
# NTP: the same server is used for the initial boot sync and ongoing sync.
# No NTP authentication key is configured here, so time is accepted from
# whatever answers on that address.
set system ntp boot-server 203.107.6.88
set system ntp server 203.107.6.88
# Access switches usually have no separate management network, so link-down
# alarms on the out-of-band management port are ignored. The second line also
# silences link-down alarms for ethernet ports in general.
set chassis alarm management-ethernet link-down ignore
set chassis alarm ethernet link-down ignore
接口部分
# Example is a Juniper "EX2220-48" as written in the original text
# (presumably the 48-port EX2200 — confirm the model): ge-0/0/0-47 are the
# copper access ports, ge-0/1/0-3 are the fibre uplink ports.
# Access ports: one interface-range so that port mode, VLAN membership and the
# ingress ACL are applied uniformly to all 48 ports.
set interfaces interface-range Access member-range ge-0/0/0 to ge-0/0/47
set interfaces interface-range Access unit 0 family ethernet-switching port-mode access
set interfaces interface-range Access unit 0 family ethernet-switching vlan members vlan2
set interfaces interface-range Access unit 0 family ethernet-switching filter input Access_ACL
# Uplink fibre port: a trunk that currently carries only vlan2; any additional
# VLAN defined later must be added to this members list as well.
set interfaces ge-0/1/0 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/1/0 unit 0 family ethernet-switching vlan members vlan2
# Layer-3 address of the switch itself on vlan2. The default route in the
# routing-options section points at .254 on this same subnet, so this address
# is also what the management subnet reaches for SSH.
set interfaces vlan unit 2 family inet address 172.16.2.253/24
set vlans vlan2 vlan-id 2
set vlans vlan2 l3-interface vlan.2
ACL过滤规则
# Ingress ACL on the access ports. It discards the well-known Windows/legacy
# service ports that are commonly abused for lateral movement between hosts
# on the same VLAN and lets everything else through. Junos evaluates terms in
# configuration order, so term 1, term 2, then Default.
# Term 1 — UDP only: 1433/1434 (MS-SQL), netbios-ns/netbios-dgm (137/138),
# 139 and netbios-ssn (NetBIOS session), 5355 (LLMNR).
# NOTE(review): "139" and "netbios-ssn" resolve to the same port, so one of
# the two entries is redundant. TCP 1433 is not matched by either term; if
# MS-SQL over TCP should be blocked as well, add it to term 2.
set firewall family ethernet-switching Access_ACL term 1 from protocol udp
set firewall family ethernet-switching Access_ACL term 1 from destination-port 1434
set firewall family ethernet-switching Access_ACL term 1 from destination-port 1433
set firewall family ethernet-switching Access_ACL term 1 from destination-port netbios-ns
set firewall family ethernet-switching Access_ACL term 1 from destination-port netbios-dgm
set firewall family ethernet-switching Access_ACL term 1 from destination-port 139
set firewall family ethernet-switching Access_ACL term 1 from destination-port netbios-ssn
set firewall family ethernet-switching Access_ACL term 1 from destination-port 5355
set firewall family ethernet-switching Access_ACL term 1 then discard
# Term 2 — TCP only: 135 (RPC endpoint mapper), 139 (NetBIOS session),
# 445 (SMB).
set firewall family ethernet-switching Access_ACL term 2 from protocol tcp
set firewall family ethernet-switching Access_ACL term 2 from destination-port 135
set firewall family ethernet-switching Access_ACL term 2 from destination-port 139
set firewall family ethernet-switching Access_ACL term 2 from destination-port 445
set firewall family ethernet-switching Access_ACL term 2 then discard
# Everything else entering from an access port is allowed.
set firewall family ethernet-switching Access_ACL term Default then accept
# Management ACL: only 172.16.254.0/24 may SSH to the switch.
# Term 1 counts and accepts SSH from the management subnet, term 2 counts and
# discards SSH from any other source, Default accepts all remaining traffic.
# NOTE(review): because Default accepts, this filter restricts SSH only —
# telnet, HTTPS and SNMP towards the switch (all enabled elsewhere in this
# config) stay reachable from any source. Either add matching terms for those
# services or make the management subnet the sole accepted source for all
# management protocols.
set firewall family inet filter RE_FILTER term 1 from source-address 172.16.254.0/24
set firewall family inet filter RE_FILTER term 1 from protocol tcp
set firewall family inet filter RE_FILTER term 1 from destination-port ssh
set firewall family inet filter RE_FILTER term 1 then count allow.ssh
set firewall family inet filter RE_FILTER term 1 then accept
set firewall family inet filter RE_FILTER term 2 from protocol tcp
set firewall family inet filter RE_FILTER term 2 from destination-port ssh
set firewall family inet filter RE_FILTER term 2 then count discard.ssh
set firewall family inet filter RE_FILTER term 2 then discard
set firewall family inet filter RE_FILTER term Default then accept
# Applied as an input filter on lo0 so that it matches traffic destined to the
# switch's own addresses (the routing engine), not transit traffic.
set interfaces lo0 unit 0 family inet filter input RE_FILTER
DHCP-Snooping 广播风暴控制
# DHCP snooping, dynamic ARP inspection and IP source guard on vlan2, plus
# storm and BPDU protection on the access ports.
# The uplink ge-0/1/0.0 is the only DHCP-trusted port, so DHCP server replies
# arriving on any access port are dropped (rogue DHCP server protection).
set ethernet-switching-options secure-access-port interface ge-0/1/0.0 dhcp-trusted
# ARP inspection and IP source guard both validate frames against the DHCP
# snooping binding table that examine-dhcp builds for vlan2.
# NOTE(review): hosts on vlan2 that use static addresses presumably have no
# binding and will be blocked unless a static entry is added for them —
# confirm before rollout.
set ethernet-switching-options secure-access-port vlan vlan2 arp-inspection
set ethernet-switching-options secure-access-port vlan vlan2 examine-dhcp
set ethernet-switching-options secure-access-port vlan vlan2 ip-source-guard
# Ports put into error-disabled state (for example by bpdu-block below) are
# re-enabled automatically after 600 seconds.
set ethernet-switching-options port-error-disable disable-timeout 600
# Storm control on every port; no level is set here, so the platform default
# threshold applies.
set ethernet-switching-options storm-control interface all
# Disable an access port that receives a BPDU — end hosts should never
# participate in spanning tree.
# NOTE(review): "Access" is the interface-range name from the interfaces
# section; confirm the range name is accepted in this stanza on the target
# release, otherwise list the member ports explicitly.
set ethernet-switching-options bpdu-block interface Access
其他项目
snmp,igmp 生成树 静态路由
# SNMP: one read-only community.
# NOTE(review): "public" is the universal default community string and the
# first value any scanner tries; even read-only it exposes the full device
# inventory, interfaces and ARP tables. Use a non-default string and restrict
# the allowed source addresses for this community to the management subnet.
set snmp community public authorization read-only
# Default route via the gateway on vlan2 (172.16.2.254, the address next to
# the switch's own 172.16.2.253/24).
set routing-options static route 0.0.0.0/0 next-hop 172.16.2.254
# IGMP snooping on every VLAN so multicast is forwarded only to ports that
# joined the group instead of being flooded.
set protocols igmp-snooping vlan all
# RSTP with the highest numeric bridge priority (60k, least preferred) so this
# access switch never becomes the root bridge.
set protocols rstp bridge-priority 60k
# NOTE(review): "allport" is not a keyword I recognise under
# "protocols rstp interface"; the usual form marks the access range as edge
# ports. Confirm this line actually commits on the target release.
set protocols rstp interface allport Access
# LLDP and LLDP-MED on all ports for neighbour discovery and IP-phone
# provisioning.
set protocols lldp interface all
set protocols lldp-med interface all