This post goes with the earlier command walkthrough. I will run a series of experiments of various kinds; the impatient can skip them, but the experiments give a deeper understanding of Junos.
I first set up a remote-management configuration that works without problems: both web access and SSH are available.
Here is the complete configuration:
root# show |no-more
## Last changed: 2017-07-06 22:26:39 UTC
version 12.1X44-D35.5;
system {
    root-authentication {
        encrypted-password "$1$DbW07ruZ$8p.9xGJudjOPQ.N53GMFo/"; ## SECRET-DATA
    }
    login {
        user XXX {
            uid 2001;
            class read-only;
            authentication {
                encrypted-password "$1$/pVNU7P9$TJn3tc9uZ3a7PeapAv8vi/"; ## SECRET-DATA
            }
        }
    }
    services {
        ssh {
            root-login allow;
            protocol-version v2;
            connection-limit 3;
            rate-limit 3;
        }
        web-management {
            https {
                port 443;
                system-generated-certificate;
            }
            session {
                idle-timeout 30;
                session-limit 3;
            }
        }
    }
}
interfaces {
    fe-0/0/0 {
        unit 0 {
            family inet {
                address 1.1.1.1/24;
            }
        }
    }
    fe-0/0/1 {
        unit 0 {
            family inet {
                address 2.2.2.1/24;
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                inactive: filter {
                    input web-manage;
                }
            }
        }
    }
}
security {
    zones {
        security-zone Inside {
            host-inbound-traffic {
                system-services {
                    https;
                    ping;
                    ssh;
                }
            }
            interfaces {
                fe-0/0/0.0;
                fe-0/0/1.0;
            }
        }
    }
}
I ran the tests from a PC with IP 1.1.1.10 connected to the Juniper's fe-0/0/0 port.
-----------------------------------------------------------------------------------------------------------
Let's play with the web first.
root# show system services web-management
https {
    port 443;
    system-generated-certificate;
}
session {
    idle-timeout 30;
    session-limit 3;
}
If you read the previous post you know that an interface can be specified when configuring https. Here I did not specify one and the web UI is still reachable, so does leaving it out mean Permit Any? I'll answer right away: yes! Then if an interface is specified, does Junos effectively append a Deny Any at the end? Let's try it.
First, look at the interface state:
(I'll use display set to show it here)
set interfaces fe-0/0/0 unit 0 family inet address 1.1.1.1/24
set interfaces fe-0/0/1 unit 0 family inet address 2.2.2.1/24
Now look at the zone the interfaces belong to:
set security zones security-zone Inside host-inbound-traffic system-services https
set security zones security-zone Inside host-inbound-traffic system-services ping
set security zones security-zone Inside host-inbound-traffic system-services ssh
set security zones security-zone Inside interfaces fe-0/0/0.0
set security zones security-zone Inside interfaces fe-0/0/1.0
Both interfaces are in the same zone, and inbound traffic is allowed there.
Now I start changing things:
[edit system services web-management https]
root# set interface fe-0/0/1
That is the only line I add under https (the PC is connected to fe-0/0/0).
Then let's look at the result (remember to commit):
The browser shows:
Access Error: 401 -- Unauthorized
Interface is not authorized for HTTP access
In plain words: this interface is not authorized for HTTP access.
So what if I switch interfaces? I connect the PC to fe-0/0/1 with IP 2.2.2.10 and test again.
Instant success!! I won't paste a screenshot, too lazy......
Let's play with the web a bit more. Earlier we saw that https is allowed in the zone; now that fe-0/0/1 has been added under web-management, is that zone entry still needed? Let's delete it and see. Here we go!
[edit security zones security-zone Inside]
root# delete host-inbound-traffic system-services https
The browser just tells me the page failed to load, which shows the traffic is dropped before it ever reaches the web service; there is no feedback like before. Let me sum up the web part:
1. Interface-level traffic control (the zone's host-inbound-traffic) takes priority over system services (the web UI lives under system services).
2. Junos's layering is very clear: even if you get through the first layer, a restriction at the second layer still drops you.
Key point: don't mess with the loopback interface for no reason. The RE handles OSPF, RIP and other routing-protocol traffic, so unless you have done rigorous testing, do not touch it casually.
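To make the two layers in this summary checkable, here is an added Python audit script (my own example, not code from the post or from Junos). It reads a constructed `display set` excerpt modelled on the lab above and reports, for every zone-attached interface, whether an HTTPS request would be dropped by the zone's host-inbound-traffic, answered with the "Interface is not authorized" 401, or accepted; the extra zone DMZ and the check order are assumptions based on what the experiments observed.

```python
import re
from collections import defaultdict

# Constructed "display set" excerpt modelled on the post's lab (not its own output);
# zone DMZ is an added interface with no https in its host-inbound-traffic.
SET_CONFIG = """
set security zones security-zone Inside host-inbound-traffic system-services https
set security zones security-zone Inside host-inbound-traffic system-services ssh
set security zones security-zone Inside interfaces fe-0/0/0.0
set security zones security-zone Inside interfaces fe-0/0/1.0
set security zones security-zone DMZ host-inbound-traffic system-services ping
set security zones security-zone DMZ interfaces fe-0/0/2.0
set system services web-management https port 443
set system services web-management https interface fe-0/0/1
"""
ZONE_SVC = re.compile(r"^set security zones security-zone (\S+) host-inbound-traffic system-services (\S+)$")
ZONE_IFL = re.compile(r"^set security zones security-zone (\S+) interfaces (\S+)$")
HTTPS_IF = re.compile(r"^set system services web-management https interface (\S+)$")
HTTPS_ON = re.compile(r"^set system services web-management https\b")

def parse_set_config(text):
    # Collect only the state the post's two experiments exercise.
    cfg = {"zone_of": {}, "zone_services": defaultdict(set),
           "https_enabled": False, "https_ifaces": set()}
    for line in text.strip().splitlines():
        if m := ZONE_SVC.match(line):
            cfg["zone_services"][m[1]].add(m[2])
        elif m := ZONE_IFL.match(line):
            cfg["zone_of"][m[2]] = m[1]
        elif m := HTTPS_IF.match(line):
            cfg["https_enabled"] = True
            cfg["https_ifaces"].add(m[1].split(".")[0])  # keep the physical name
        elif HTTPS_ON.match(line):
            cfg["https_enabled"] = True
    return cfg

def https_access(cfg, ifl):
    """Zone check first, then the https interface list, as the post observed."""
    if not cfg["https_enabled"]:
        return "no-web-management"
    zone = cfg["zone_of"].get(ifl)
    allowed = cfg["zone_services"][zone] if zone else set()
    if not allowed & {"https", "all"}:
        return "dropped-by-zone"               # browser: page failed to load
    if cfg["https_ifaces"] and ifl.split(".")[0] not in cfg["https_ifaces"]:
        return "401-interface-not-authorized"  # web server answers, then refuses
    return "accessible"

def audit(text):
    cfg = parse_set_config(text)
    return {ifl: https_access(cfg, ifl) for ifl in sorted(cfg["zone_of"])}
```

Running `audit(SET_CONFIG)` reproduces the three outcomes seen above: fe-0/0/0.0 gets the 401, fe-0/0/1.0 is accessible, and fe-0/0/2.0 is dropped by its zone before the web service sees it.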