This post builds on the earlier command walkthrough: I'll run a series of experiments of all kinds. The impatient can skip them, but working through them gives a deeper understanding of how Junos behaves.
I started with a remote-management configuration that works: the box is reachable over the web UI and over SSH. (A note for anyone copying it: `root-login allow` lets root log in over SSH directly, and the `$1$` password hashes are MD5-crypt. That's fine for a lab box, not for production.)
Here is the complete configuration:
root# show |no-more
## Last changed: 2017-07-06 22:26:39 UTC
version 12.1X44-D35.5;
system {
root-authentication {
encrypted-password "$1$DbW07ruZ$8p.9xGJudjOPQ.N53GMFo/"; ## SECRET-DATA
}
login {
user XXX {
uid 2001;
class read-only;
authentication {
encrypted-password "$1$/pVNU7P9$TJn3tc9uZ3a7PeapAv8vi/"; ## SECRET-DATA
}
}
}
services {
ssh {
root-login allow;
protocol-version v2;
connection-limit 3;
rate-limit 3;
}
web-management {
https {
port 443;
system-generated-certificate;
}
session {
idle-timeout 30;
session-limit 3;
}
}
}
}
interfaces {
fe-0/0/0 {
unit 0 {
family inet {
address 1.1.1.1/24;
}
}
}
fe-0/0/1 {
unit 0 {
family inet {
address 2.2.2.1/24;
}
}
}
lo0 {
unit 0 {
family inet {
inactive: filter {
input web-manage;
}
}
}
}
}
security {
zones {
security-zone Inside {
host-inbound-traffic {
system-services {
https;
ping;
ssh;
}
}
interfaces {
fe-0/0/0.0;
fe-0/0/1.0;
}
}
}
}
For the tests I use a PC with IP 1.1.1.10 plugged into the Juniper's fe-0/0/0 port.
-----------------------------------------------------------------------------------------------------------
Let's play with the web service first.
root# show system services web-management
https {
port 443;
system-generated-certificate;
}
session {
idle-timeout 30;
session-limit 3;
}
If you read the previous post you know that when configuring https you can bind it to specific interfaces. Here I haven't specified any, and the web UI is still reachable. Does that mean "no interface list" equals "permit any"? Short answer: yes. And if I do list interfaces, is there an implicit "deny any" at the end for everything else? Let's try it.
First, the interface configuration:
(I'll show it with `| display set` here)
set interfaces fe-0/0/0 unit 0 family inet address 1.1.1.1/24
set interfaces fe-0/0/1 unit 0 family inet address 2.2.2.1/24
And the zone those interfaces belong to:
set security zones security-zone Inside host-inbound-traffic system-services https
set security zones security-zone Inside host-inbound-traffic system-services ping
set security zones security-zone Inside host-inbound-traffic system-services ssh
set security zones security-zone Inside interfaces fe-0/0/0.0
set security zones security-zone Inside interfaces fe-0/0/1.0
Both interfaces are in the same zone, and that zone allows inbound https, ping and ssh to the device itself.
Now I make the change:
[edit system services web-management https]
root# set interface fe-0/0/1
That is the only line I add under https (the PC is on fe-0/0/0).
Then look at the result (remember to commit):
The browser shows:
Access Error: 401 -- Unauthorized
Interface is not authorized for HTTP access
In other words: the interface the request arrived on is not on the https interface list, so the web server refuses it. Note that the request did reach the web service: the zone still let https in, and it was the web-management layer that rejected it.
So let me try the other interface: I move the PC to fe-0/0/1, give it 2.2.2.10, and test again.
It works immediately. I won't bother with a screenshot.
Let's play with the web service a bit more. Earlier we saw https allowed in the zone. Now that the web service is bound to fe-0/0/1, is that zone entry still needed? Let's delete it and see. Here we go!
[edit security zones security-zone Inside]
root# delete host-inbound-traffic system-services https
The browser just reports that the page failed to load. That means the traffic was dropped before it ever reached the web service, so there is no error page like before. To summarize what this shows about web access:
1. Interface-level traffic control (the zone's host-inbound-traffic) is evaluated before the system service itself (web-management is a system service).
2. Junos layering is very explicit: even if you get through the first layer, a restriction at the second layer still stops you.
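To make the two layers from this experiment concrete, here is a small Python model. It is an added example for this edited version, not code from the original post and not a Juniper tool. It parses a `show | display set` style configuration (the lab config from this page, reconstructed inline, plus the `interface fe-0/0/1` change) and reports, per ingress interface, whether an HTTPS request is dropped by the zone's host-inbound-traffic (the "page failed to load" case), rejected with 401 by the web-management interface list, or allowed. Assumptions: each logical interface belongs to one zone, `system-services all` counts as allowing https, and a physical interface name on the web-management list (as typed in the post) matches that interface's logical units.

```python
"""Model of the two checks an HTTPS request to an SRX's own web UI must pass.

Added example; it is not part of the original post and is not Juniper code.
Layer 1: the security zone's host-inbound-traffic must allow https (or all).
Layer 2: if web-management https lists interfaces, the ingress interface
         must be on that list; an empty list means any interface.
"""
import re

# Constructed sample: the page's lab config in `| display set` form, with
# the `set system services web-management https interface fe-0/0/1` change.
LAB_CONFIG = """\
set system services web-management https port 443
set system services web-management https system-generated-certificate
set system services web-management https interface fe-0/0/1
set interfaces fe-0/0/0 unit 0 family inet address 1.1.1.1/24
set interfaces fe-0/0/1 unit 0 family inet address 2.2.2.1/24
set security zones security-zone Inside host-inbound-traffic system-services https
set security zones security-zone Inside host-inbound-traffic system-services ping
set security zones security-zone Inside host-inbound-traffic system-services ssh
set security zones security-zone Inside interfaces fe-0/0/0.0
set security zones security-zone Inside interfaces fe-0/0/1.0
"""

# Zone membership, optionally with an interface-level system-services grant.
ZONE_IF = re.compile(
    r"^set security zones security-zone (\S+) interfaces (\S+)"
    r"(?: host-inbound-traffic system-services (\S+))?$")
# Zone-level system-services grant.
ZONE_SVC = re.compile(
    r"^set security zones security-zone (\S+) host-inbound-traffic system-services (\S+)$")
# Interface list under web-management https (one line per interface).
WEB_IF = re.compile(r"^set system services web-management https interface (\S+)$")


def parse(config):
    """Collect the pieces of config the two checks depend on."""
    cfg = {"zone_of": {}, "zone_services": {}, "if_services": {}, "web_ifaces": set()}
    for raw in config.splitlines():
        line = raw.strip()
        m = ZONE_IF.match(line)
        if m:
            zone, iface, svc = m.groups()
            cfg["zone_of"][iface] = zone
            if svc:
                cfg["if_services"].setdefault(iface, set()).add(svc)
            continue
        m = ZONE_SVC.match(line)
        if m:
            zone, svc = m.groups()
            cfg["zone_services"].setdefault(zone, set()).add(svc)
            continue
        m = WEB_IF.match(line)
        if m:
            cfg["web_ifaces"].add(m.group(1))
    return cfg


def https_access(config, iface):
    """Outcome for an HTTPS request that arrives on logical interface `iface`.

    'drop'     zone does not allow https to the box: no session at all
    'http-401' zone lets it in, but web-management's interface list excludes it
    'allow'    both layers pass
    """
    cfg = parse(config)
    zone = cfg["zone_of"].get(iface)          # interface in no zone -> nothing granted
    granted = set(cfg["zone_services"].get(zone, set())) if zone else set()
    granted |= cfg["if_services"].get(iface, set())
    if not granted & {"https", "all"}:
        return "drop"
    web = cfg["web_ifaces"]
    # Assumption: a physical name on the list (e.g. fe-0/0/1) covers fe-0/0/1.0.
    if web and iface not in web and iface.split(".")[0] not in web:
        return "http-401"
    return "allow"


def delete(config, statement):
    """Return the config with one exact `set ...` statement removed."""
    return "\n".join(l for l in config.splitlines() if l.strip() != statement) + "\n"


if __name__ == "__main__":
    for iface in sorted(parse(LAB_CONFIG)["zone_of"]):
        print(f"{iface:12} -> {https_access(LAB_CONFIG, iface)}")
```

Run as a script it prints one line per zone interface; `fe-0/0/0.0` gets `http-401` and `fe-0/0/1.0` gets `allow`, matching the two browser results above. Removing the zone's https grant with `delete()` turns both into `drop`, which is the "page failed to load" case.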
Key point: don't fiddle with the loopback interface for no reason. A firewall filter applied to lo0 sits in front of the Routing Engine, so it also affects OSPF, RIP and other routing-protocol traffic. Unless you've tested it very carefully, leave it alone.