安全hcnp課件security cisn實驗手冊

（學員 ISSUE 手冊說 適用范 適用產品描 USG2000產品描 USG5100產品描 USG5500產品描 USG9500產品描 圖 2高級設備管 文件管理實 實驗目 組網(wǎng)設 實驗拓撲 實驗步驟(命令行 驗證結 AAA方式設備管 實驗目 組網(wǎng)設 實驗拓撲 驗步驟(命令行 實驗步驟 驗證結 BootRoom恢 實驗目 組網(wǎng)設 實驗拓撲 實驗步驟(命令行 實驗步驟 驗證結 3高級安全特 基于IP地址連接數(shù)限制和帶寬限 實驗目 組網(wǎng)設 實驗拓撲 實驗步驟 實驗步驟 驗證結 負載均衡實 實驗目 組網(wǎng)設 實驗拓撲 實驗步驟(CLI 實驗步驟 驗證結 4可靠性技 BFD實 實驗目 組網(wǎng)設 實驗拓撲 實驗步驟(命令行 驗證結 實驗目 組網(wǎng)設 實驗拓撲 實驗步驟(命令行 驗證結 IP-Link實 實驗目 組網(wǎng)設 實驗拓撲 實驗步驟(命令行 實驗步驟 驗證結 雙機熱備實驗（主備備份 實驗目 組網(wǎng)設 實驗拓撲 實驗步驟(CLI 實驗步驟 驗證結 Link-group實 實驗目 組網(wǎng)設 實驗拓撲 實驗步驟(命令行 實驗步驟 驗證結 虛擬技 虛擬實 實驗目 組網(wǎng)設 實驗拓撲 實驗步驟(CLI 實驗步驟 驗證結 6高 技 點到多點 實 實驗目 組網(wǎng)設 實驗拓撲 實驗步驟(命令行 實驗步驟 驗證結 實驗目 組網(wǎng)設 實驗拓撲 實驗步驟(命令行 實驗步驟 驗證結 隧道化鏈路備份 實 實驗目 組網(wǎng)設 實驗拓撲 實驗步驟(命令行 驗證結 主備鏈路備份IPSec實 實驗目 組網(wǎng)設 實驗拓撲 實驗步驟(命令行 驗證結 設備冗余IPSec實 實驗目 組網(wǎng)設 實驗拓撲 實驗步驟(命令行 驗證結 L2TPOverIPSec實 實驗目 組網(wǎng)設 實驗拓撲 實驗步驟(命令行 實驗步驟 驗證結 雙機熱備 實 實驗目 組網(wǎng)設 實驗拓撲 實驗步驟 驗證結 7防范實 搭建測試環(huán) 實驗目 組網(wǎng)設 實驗拓撲 配置步 DHCPSnoo技 實驗目 組網(wǎng)設 實驗拓撲 配置步 結果檢 基于IP地址的SYNFlood防范功 實驗目 組網(wǎng)設 實驗拓撲 配置步驟 結果檢 TCP反向源探測方式的SYNFlood防 實驗目 組網(wǎng)設 實驗拓撲 配置步驟 結果檢 基于接口的ARPFlood防 實驗目 組網(wǎng)設 實驗拓撲 配置步驟 結果檢 配址掃描防范功 實驗目 組網(wǎng)設 實驗拓撲 配置步驟 結果檢 8特性故障排除實 基礎特性故障排 實驗目 組網(wǎng)設 實驗拓撲 特性故障排 實驗目 組網(wǎng)設 實驗拓撲 手冊說適用產品描USG2000USG2100由機箱、擴展接口卡組成。其機箱尺寸如下圖所示，USG21003G數(shù)據(jù)卡接口（USG2130支持、USB接口、FlashUSG21203G數(shù)據(jù)卡接口，其他部分和USG21301.3G數(shù)據(jù)卡接2.USB接3.Flash卡接4.5.如下圖所示，USG2100后面板包括交流電源模塊、MIC(MiniInterfaceCard)插槽、ConsoleWANIP地址，并直接劃到具體的區(qū)域VLANinterfaceVLAN劃到具體的區(qū)域里。1.接地端2.安全鎖3.4.WAN接5.LAN接6.Console7.MIC插8.交流電源開9.交流電源接USG2200由機箱、擴展接口卡組成。其機箱尺寸USG2200的電源和風扇采用內置式，因此從外觀上看不到電源和風扇。USG2200包括USG2210、USG2220、USG2230、USG2250四種型號。這四種型號都支持交流機型，前面接口包括：1Console接口、2GECombo接口、2USB2.0接口、1個閃存接口。1.USB2.0接2.GECombo接3.閃存接4.Console接5.一鍵恢6.交流電源插7.交流電源開8.1.USB2.0接2.GECombo接3.閃存接4.Console接5.一鍵恢6.直流電源插7.直流電源開8.4MIC2FIC插槽。如果選用的插卡為交換插卡，該交換插卡上的接USG2100LAN口配置方法一致。如果選用插卡的接口為路由口，則配置方式與USG3000/USG5000USG2100WAN口配置方式一致。1.MIC1插2.MIC2插3.MIC3插4.MIC4插5.FIC5插6.FIC6插7.槽位標下面介紹USG2200插槽的排列順序及接口編號方法。USG220006個擴展插槽的槽位編號（1～6）采用先從左到右，再從下到MICFIC槽位的編號原則。interface-typeX/0/Y，interface-type為接口類型（如，X0。Y表示接口序號。USG2200的slot1和slot5分別安裝了5FE-SW電接口卡和5FE-SW電接口卡從左到右的Ethernet接口編號：Ethernet1/0/0、Ethernet1/0/1Ethernet1/0/2、Ethernet1/0/3Ethernet1/0/4。2CE1接口卡從左到右接口編號為：controllere15/0/0、e15/0/1GECombo接口從左到右接口編號為：GigabitEthernet0/0/0、USG5100USG5150由機箱、擴展接口卡組成。其機箱尺寸1.指示2.3.Console接5.USB2.0接6.10/100/1000M以網(wǎng)接口7.10/100/1000M以網(wǎng)接口8.GECombo9.GECombo接口孔1.MIC1插2.MIC2插3.MIC3插4.MIC4插5.FIC5/DFIC5插6.FIC6/DFIC6插7.FIC7/DFIC7插8.FIC8插9.槽位標10.接地端USG5150由機箱、擴展接口卡組成。其機箱尺寸.Console接5.閃存接6.USB2.0接7.GECombo接口8.GECombo接口9.GECombo接口10.GECombo接口11.12.ESD13.防塵擋14.交流/直流電源模塊15.交流/直流電源模塊1.MIC1插2.MIC2插3.MIC3插4.MIC4插5.FIC5/DFIC5插6.FIC6/DFIC6插7.FIC7/DFIC7插8.FIC8/DFIC8插9.FIC9插10.FIC10插11.接地端USG5500USG5530S由機箱、擴展接口卡組成。設備的機箱尺寸如下圖所示，USG5530S2FIC1.防靜電手腕帶插2.3.4.Micro-SD5.FIC2插6.7.光電互斥接8.10/100/1000M9.10.Console接11.USB2.0接

1.接地端2.4.交流電源線扎線5.電源接6.USG5530/5550/5560由機箱、擴展接口卡組成。USG5530/5550/5560的機箱尺442mm×414.1mm×130.5mm（寬×深×高19英寸標準機柜中。如下圖所示，USG5530/5550/55606FIC2MIC接口卡擴展插槽。其中，6FIC4個DFIC接口卡擴展插槽，2MIC接口卡1個DMIC接口卡擴展插槽。USG5530/5550/5560MIC和DFIC1.防靜電手腕帶插2.3.USB2.0接4.5.Console接6.Micro-SD7.8.10/100/1000M9.光電互斥接10.100/1000M以太網(wǎng)接11.MIC2/DMIC2插12.MIC3插13.FIC9插14.FIC7/DFIC7插15.16.FIC5/DFIC5插17.FIC8插18.FIC6/DFIC6插19.20.FIC4/DFIC4插21.接地端1.2.電源開3.交流電源線扎線4.電源接5.6.7.防靜電手腕帶插8.USG9500USG9000系列產品都采用機箱可安裝在N68E-22機柜或深度不小于800mm的（InternationalElectrotechnicalCommission）19英寸標準機柜中。USG9000產品外觀如下圖USG9520Figure1-15USG95201.掛2.ESD3.LPU槽4.MPU槽5.6.7.風8.直流電源模9.保護接地端10.11.把USG9520Figure1-16USG95201.掛2.3.交流電源模4.ESD5.LPU槽6.MPU槽7.8.9.風10.保護接地端11.12.把Figure1-17USG95601.2.掛3.4.ESD插5.6.把7.風8.電源濾波模9.保護接地端10.交流電源管理接11.PEM模12.集中模1.2.3.ESD插4.5.掛6.把7.風扇模8.電源濾波模9.PEM模10.交流電源管理接11.集中模12.保護接地端高級設備管文件管理實驗目組網(wǎng)設PC機一臺，USG一臺實驗拓管管理以太網(wǎng)COM串口線網(wǎng)實驗步驟(Setp Setp 開啟設備的FTP功能并配置FTP用戶名、及FTP路徑<USG><USG>system-view[USG]ftpserverenableInfo:StartFTPserver[USG]aaa[USG-aaa]local-userftpuserpasswordcipher[USG-aaa]local-userftpuserservice-type[USG-aaa]local-userftpuserlevel[USG-aaa]local-userftpuserftp-directorySetp3 ftp命令登錄到設備上。使用get命令從設備文件到PCsandSettings\Administrator>ftpConnectedto.220FTPserviceready.User(:(none)):ftpuser331PasswordsandSettings\Administrator>ftpConnectedto.220FTPserviceready.User(:(none)):ftpuser331Passwordrequiredforftpuser.230Userloggedin.ftp>get200Portcommand150OpeningASCIImodedataconnectionforvrpcfg.cfg.226Transfercomplete.ftp:52030.01Seconds346.87Kbytes/sec.ftp>lcdLocaldirectorynow sandftp>ftp>put200Portcommand150OpeningASCIImodedataconnectionforvrpcfg.cfg.226Transfercomplete.ftp:發(fā)送5203字節(jié)，用時 //USG設備中配置命令行<USG>startupsaved-configuration 驗證結AAA方式設備管實驗目組網(wǎng)設PC機一臺，USG系列一臺，裝有Radius服務的PC機一臺實驗拓RadiusRadiusServer驗步驟(命令行Setp [USG2200][USG2200]intGigabitEthernet[USG2200-GigabitEthernet0/0/0]ipaddress[USG2200]firewallzonetrust[USG2200]intGigabitEthernet0/0/1[USG2200]firewallzoneuntrust[USG2200]intGigabitEthernet0/0/2[USG2200-GigabitEthernet0/0/2]ipaddress[USG2200]firewallzonedmzSetp [USG2200][USG2200]firewallpacket-filterdefaultpermitinterzonetrust[USG2200]firewallpacket-filterdefaultpermitinterzonetrust[USG2200]firewallpacket-filterdefaultpermitinterzonedmzSetp [USG2200]iproute-static Setp [USG2200][USG2200]nat-policyinterzoneuntrusttrust[USG2200-nat-policy-interzone-trust-untrust-outbound-0]easy-ipGigabitEthernetSetp 配置DNS服務器，保證內網(wǎng)用戶可以上互聯(lián)網(wǎng)[USG2200]dnsserver Setp RadiusInfo:SucceededinCreatinganewserver#測試USG與RADIUS服務器的連通性。此處的測試用戶名和需要[USG2200-radius-1]radius-servertestusertest Setp7 （radiusserver上以后的用戶名#Jason[USG2200]user-manageuser #創(chuàng)建名為adminJason Setp [USG2200-authpolicy-radius_policy]authentication-modepasswordradiustemplate1實驗步驟Setp Setp 配置域間轉發(fā)策略，保證網(wǎng)絡連通性。選擇>安全策略>轉發(fā)策略，在到untrust區(qū)域的策略單擊，修改策略為“permit”。配置完成后單擊“應用”Setp3 Setp4 IP地址，接口為連接互聯(lián)網(wǎng)的出接口（GE0/0/1。配置完成后單擊“應用”。Setp5 務器列表中輸入DNS服務器地址，單擊“添加”。Setp6 Radius用戶>認證服務器>RADIUS服務器新建，創(chuàng)建一個radius服務器。設置共享為123456。配置完成后單擊“應用”。#測試USG與RADIUS服務器的連通性。點擊配置下的圖標。測試成功后將Setp7 （radiusserver上以后的用戶名#admin的用戶組。選擇用戶>上網(wǎng)用戶>組/用戶，單擊新建，選擇新建#Setp8Radius_Policy。選擇用戶>上網(wǎng)用戶>認證策略，單擊新RADIUS1。單擊應用。驗證結BootRoom恢實驗目提供了清空Console口的功能，可以在用戶使用Console口登錄的時候跳過用戶名檢查。這樣系統(tǒng)啟動后除了不需要輸入console外，與正常啟動相同，也會完成所有配組網(wǎng)設PC機一臺，USG系列一臺實驗拓管管理以太網(wǎng)COM串口線網(wǎng)實驗步驟(Setp 連接到設備consoleSetp2 重啟設備，出現(xiàn)“PressCtrl+BtoEnterBoot 入“O&m15213”后進入BootROM主菜單。Setp （Ctrl+z進入中選擇“RecoverConsole部分設備顯示為“SkipConsole0Password”，該選項功能作用與“RecoverConsoleSetp4 如果主菜單和隱藏菜單均沒有類似選項則說明設備不支持跳過Console口登Setp Setp 進入系統(tǒng)后，以配置Console口用戶名admin、為Admin@123為例<USG><USG>system-[USG]user-interfaceconsole[USG-ui-console0]authentication-modelocaluseradminpasswordcipher[USG-ui-console0]Setp <<USG>Thecurrentconfigurationwillbewrittentothedevice.Areyousuretocontinue?[Y/N]yNowsavingthecurrentconfigurationtotheInfo:Thecurrentconfigurationwassavedtothedevice實驗步驟驗證結高級安全特基于IP地址連接數(shù)限制和帶寬實驗目組網(wǎng)設PC機3臺、USG5000系列1實驗拓FTPServer為防止FTP服務器受限制從Trust區(qū)域和Untrust區(qū)域到FTP端口的連接數(shù)上限為20，并且限制其上傳/帶寬為：5Mbps/10Mbps。400kbps/600kbps實驗步驟Setp USG#USGIP<USG>system- [USG][USG]interfaceGigabitEthernet[USG-GigabitEthernet0/0/0]ipaddress[USG]interfaceGigabitEthernet[USG-GigabitEthernet0/0/1]ipaddress[USG]interfaceGigabitEthernet[USG-GigabitEthernet0/0/2]ipaddress#USG[USG][USG]firewallzone[USG-zone-trust]addinterfaceGigabitEthernet[USG]firewallzone[USG-zone-dmz]addinterfaceGigabitEthernet[USG-zone-dmz][USG]firewallzone[USG-zone-untrust]addinterfaceGigabitEthernet[USG-zone-untrust]Setp Trust域和Untrust域的用戶可以DMZ域的FTP服務器Trust域用戶可以Untrust域[USG][USG]policyinterzonetrustuntrust[USG-policy-interzone-trust-untrust-outbound-1]policysourcemask[USG-policy-interzone-trust-untrust-outbound-1]quit[USG-policy-interzone-trust-untrust-outbound]quit[USG]policyinterzonetrustdmzoutbound[USG-policy-interzone-trust-dmz-outbound-1]policysourcemask[USG-policy-interzone-trust-dmz-outbound-1]policydestination0[USG-policy-interzone-trust-dmz-outbound-1]policyserviceservice-setftp[USG-policy-interzone-trust-dmz-outbound-1]actionpermit[USG][USG]policyinterzoneuntrustdmz[USG-policy-interzone-dmz-untrust-inbound-2]policydestination0[USG-policy-interzone-dmz-untrust-inbound-2]policyserviceservice-setftp[USG-policy-interzone-dmz-untrust-inbound-2]actionpermitSetp NAT[USG][USG]nataddress-group100[USG]nat-policyinterzonetrustuntrustoutbound[USG-nat-policy-interzone-trust-untrust-outbound]policy1[USG-nat-policy-interzone-trust-untrust-outbound-1]policysourcemask[USG-nat-policy-interzone-trust-untrust-outbound-1]actionsource-nat[USG-nat-policy-interzone-trust-untrust-outbound-1]address-group1[USG-nat-policy-interzone-trust-untrust-outbound-1]quitSetp [USG][USG]natserverprotocoltcpglobal00ftpinside[USG]firewallinterzonetrustdmz[USG-interzone-trust-dmz]detectftp[USG-interzone-trust-dmz]quit[USG]firewallinterzonedmzSetp Setp6 DPI應用控制功能，使DPI應用協(xié)議能配限流策略應用，實現(xiàn)對應用協(xié)議的[USG][USG]dpiInfo:InitializeDPI,pleasewait........................................................Setp #trustuntrust區(qū)域到DMZFTP20[USG][USG]car-classclass1type[USG]traffic-policyinterzonedmzuntrustinbound[USG-traffic-policy-interzone-dmz-untrust-inbound-shared-1]policyserviceservice-setftp[USG-traffic-policy-interzone-dmz-untrust-inbound-shared-1]actioncar[USG-traffic-policy-interzone-dmz-untrust-inbound-shared-1]quit[USG-traffic-policy-interzone-dmz-untrust-inbound-shared]quit[USG]traffic-policyinterzonedmztrustoutbound[USG-traffic-policy-interzone-trust-dmz-outbound-shared-1]policyserviceservice-setftp#trustuntrustDMZFTP[USG][USG]car-classclass2typeshared[USG-shared-car-class-class2]car5000[USG-shared-car-class-class2]quit[USG]traffic-policyinterzonedmztrustoutbound[USG-traffic-policy-interzone-trust-dmz-outbound-shared-2]policyserviceservice-setftp[USG-traffic-policy-interzone-trust-dmz-outbound-shared-2]quit[USG-traffic-policy-interzone-trust-dmz-outbound-shared]quit[USG]traffic-policyinterzonedmzuntrustinboundshared[USG-traffic-policy-interzone-dmz-untrust-inbound-shared]policy2[USG-traffic-policy-interzone-dmz-untrust-inbound-shared-2]policyserviceservice-setftp#配置從trust區(qū)域和untrust區(qū)域到DMZ區(qū)域FTP服務器的帶寬限制[USG][USG]car-classclass3typeshared[USG-shared-car-class-class3]car10000[USG-shared-car-class-class3]quit[USG]traffic-policyinterzonedmzuntrustoutbound[USG-traffic-policy-interzone-dmz-untrust-outbound-shared-3]policycar-class[USG-traffic-policy-interzone-dmz-untrust-outbound-shared-3]policyserviceservice-setftp[USG-traffic-policy-interzone-dmz-untrust-outbound-shared-3]quit[USG-traffic-policy-interzone-dmz-untrust-outbound-shared]quit[USG]traffic-policyinterzonedmztrustinboundshared[USG-traffic-policy-interzone-trust-dmz-inbound-shared-3]policysourcepolicyserviceservice-setSetp PC#在Trust到Untrust的Outbound方向上配置每IP限流策略1car-classclass4，400kbps。[USG][USG]car-classclass4typeper-[USG]traffic-policyinterzonetrustuntrustoutboundper-[USG-traffic-policy-interzone-trust-untrust-outbound-per-ip-4][USG-traffic-policy-interzone-trust-untrust-outbound-per-ip-4]policycar-type[USG-traffic-policy-interzone-trust-untrust-outbound-per-ip-4]policysource[USG-traffic-policy-interzone-trust-untrust-outbound-per-ip-4]policycar-class[USG-traffic-policy-interzone-trust-untrust-outbound-per-ip-4]policyserviceservice-setftp#在Trust到Untrust的inbound方向上配置每IP限流策略2car-classclass5，限制P2P最大帶寬為600kbps。[USG][USG]car-classclass5typeper-[USG]traffic-policyinterzonetrustuntrustinboundper-[USG-traffic-policy-interzone-trust-untrust-inbound-per-ip-5]policycar-type[USG-traffic-policy-interzone-trust-untrust-inbound-per-ip-5]policyserviceservice-setftp實驗步驟Setp Setp Setp #創(chuàng)建NAT地址池1選擇“>NAT>源NAT”選擇“NAT地址池”頁簽。在“NAT地址池列表”中單擊 SetpSetp NAT>虛擬服務器”，在“虛擬服務器列表” Setp5 啟用限流策略選擇“>限流策略>基本配置”，選中“限流策略”對應的“啟Setp #創(chuàng)建整體限流class。選擇“>限流策略>整體限流”，選擇“整體限Class”頁簽，單擊，新建整體限流。Class1FTP服務器最大連接數(shù)限制Class2trustuntrustDMZFTP服務器的上傳帶寬限制；class3trustuntrustDMZ區(qū)域FTP服務器的帶寬限制。#配置從trust和untrust區(qū)域到DMZ區(qū)域的FTP連接數(shù)限制，選擇“整體限流”頁 ，新建整體限流策略1，class1。#trustuntrustDMZFTP服務器的上傳帶寬限制#配置從trust區(qū)域和untrust區(qū)域到DMZ區(qū)域FTP服務器的帶寬限制Setp7配置每IP限流,配置PC帶寬限制選擇“>限流策略>每IP限流在“每#IPclass。Class4TrustUntrustOutbound方向上上傳帶寬限制，class5為Trust到Untrust的inbound方向上帶寬限制。#在Trust到Untrust的Outbound方向上配置每IP限流策略1car-classclass4，400kbps。#在Trust到Untrust的inbound方向上配置每IP限流策略2car-classclass5，限制P2P最大帶寬為600kbps。驗證結#FTPIP[USG]displaytraffic-policystatisticper-ipCurrenttotalnode: PassedPackets/Passed DropedPackets/Droped [USG]displaytraffic-policystatisticsharedCurrentTotalNode:0 PolicyID PassedPackets/Passed DropedPackets/DropedBytes [USG]displaytraffic-policystatisticsharedCurrentTotalNode:Policy1121負載均衡實驗目的流量負載均衡。某內部網(wǎng)絡中存在三臺真實服務器對外提供FTP服務，IP地址分別為/24、/24/24IP/24USG的負載均衡功能，保證經(jīng)過USG的流量負載均衡。組網(wǎng)設PC機一臺，USG系列一臺，交換機一臺，三臺可作為服務器的PC機實驗拓實驗步驟(CLISetp USG#GigabitEthernet0/0/1IPUntrust[USG][USG]interfaceGigabitEthernet[USG-GigabitEthernet0/0/1]ipaddress[USG][USG]firewallzone[USG-zone-untrust]addinterfaceGigabitEthernet[USG-zone-untrust]#GigabitEthernet0/0/2IPDMZ[USG][USG]interfaceGigabitEthernet[USG-GigabitEthernet0/0/2]ipaddress[USG]firewallzone[USG-zone-dmz]addinterfaceGigabitEthernet[USG-zone-dmz]#配置域間濾，以保證網(wǎng)絡基本通信正常[USG][USG]firewallpacket-filterdefaultpermitinterzoneuntrust[USG]firewallpacket-filterdefaultpermitinterzonelocalUSG缺省對真實服務器進行健康檢查，此時需要配置允許健康檢查報文USGLocalDMZ域間出方向流動。若需配置嚴格的域間濾，則需配置域間濾的源或者目的IP地址為真IP。Setp #[USG][USG]slb[USG][USG-slb]rserver1ripweight[USG-slb]rserver2ripweight[USG-slb]rserver3ripweight#[USG-slb][USG-slb]group[USG-slb-group-test]metric[USG-slb-group-test]addrserver[USG-slb-group-test]addrserver[USG-slb-group-test]addrserver#配置虛服務器IP地址和端[USG-slb][USG-slb]vservertestvipgrouptest[USG-slb]實驗步驟Setp USG#GigabitEthernet0/0/1IPUntrust#GigabitEthernet0/0/0IPDMZ#配置域間濾，以保證網(wǎng)絡基本通信正常USG缺省對真實服務器進行健康檢查，此時需要配置允許健康檢查報文USGLocalDMZ域間出方向流動。若需配置嚴格的域間濾，則需配置域間濾的源或者目的IP地址為真IP。Setp #啟用負載均衡功能。選擇“>NAT>負載均衡”，選中“負載均衡功能”后#配置真實服務器加入負載均衡組選擇“>NAT>負載均衡”，在“負載均驗證結<USG>displayfirewallsessionCurrenttotalsessions: :public-->public:3327-- :public-->public<USG>displayfirewallsessionCurrenttotalsessions: :public-->public:3327-- :public-->public:3327-- :public-->public:3327--可靠性技BFD實實驗目組網(wǎng)設USG2臺，交換機一臺實驗拓實驗步驟(Setp IP地址（略Setp [USG_A][USG_A]firewallzone[USG_A-zone-trust]addinterfaceSetp LocalTrust[USG_A][USG_A]policyinterzonelocaltrust[USG_A-policy-interzone-local-trust-outbound-0]policysourceany[USG_A-policy-interzone-local-trust-outbound-0]actionpermit[USG_A-policy-interzone-local-trust-outbound-0]quit[USG_A]policyinterzonelocaltrustSetp USG_AUSG_BBFDSession[USG_A][USG_A][USG_A-bfd][USG_A]bfdaabindpeer-ip[USG_A-bfd-session-aa]discriminatorlocal10[USG_A-bfd-session-aa]discriminatorremote20[USG_A-bfd-session-aa]commitSetp [USG_B][USG_B]firewallzone[USG_B-zone-trust]addinterface[USG_B-zone-trust]addinterfaceSetp LocalTrust[USG_B][USG_B]policyinterzonelocaltrust[USG_B-policy-interzone-local-trust-outbound-0]policysourceany[USG_B-policy-interzone-local-trust-outbound-0]actionpermit[USG_B-policy-interzone-local-trust-outbound-0]quit[USG_B]policyinterzonelocaltrustSetp USG_BUSG_ABFDSession[USG_B][USG_B][USG_B-bfd][USG_B]bfdbbbindpeer-ip[USG_B-bfd-session-bb]discriminatorlocal20[USG_B-bfd-session-bb]discriminatorremote10[USG_B-bfd-session-bb]commitSetp #在USG_A上配置到外部網(wǎng)絡的靜態(tài)缺省路由，并綁定BFD會話aa。[USG_A]iproute-static0trackbfd-sessionaa 驗證結#配置完成后，在USG_AUSG_Bdisplaybfdsessionall命令，可以看到BFDUpdisplaycurrent-configuration|includebfdBFD會話。USG_A上的顯示為例。[USG_A]displaybfdsession-TotalUP/DOWNSessionNumber:1/0[USG_A]displaycurrent-configuration|includebfdbfdaabindpeer-ipiproute-statictrackbfd-session#USG_AIP[USG_A]displayiprouting-RouteFlags:R-relay,D-downloadtoRoutingTables:Destinations:3 Routes:3 Flags Static Direct Direct #USG_BGE1/0/0shutdown[USG_B][USG_B]interfaceGigabitEthernet[USG_A][USG_A]displayiprouting-RouteFlags:R-relay,D-downloadtoRoutingTables:Destinations:Routes: Flags Direct0Eth-Trunk實實驗目Eth-TrunkEth-Trunk的建立，成員組網(wǎng)設USG系列2臺實驗拓實驗步驟(Setp [USG_A][USG_A]interfaceeth-trunk[USG_A-Eth-Trunk1]ipaddressSetp GE1/0/0、GE2/0/0Eth-Trunk1[USG_A][USG_A]interfacegigabitethernet1/0/0[USG_A-GigabitEthernet1/0/0]undoshutdown[USG_A-GigabitEthernet1/0/0]eth-trunk1[USG_A-GigabitEthernet1/0/0]quit[USG_A]interfacegigabitethernet2/0/0[USG_A-GigabitEthernet2/0/0]undoshutdown[USG_A-GigabitEthernet2/0/0]eth-trunk1Setp Eth-Trunk1Trust[USG_A][USG_A]firewallzone[USG_A-zone-trust]addinterfaceeth-trunkSetp [USG_A][USG_A]policyinterzonelocaltrust[USG_A-policy-interzone-local-trust-outbound-0]policysourceany[USG_A-policy-interzone-local-trust-outbound-0]actionpermit[USG_A-policy-interzone-local-trust-outbound-0]quit[USG_A-policy-interzone-local-trust-outbound]quit[USG_A]policyinterzonelocaltrustinbound[USG_A-policy-interzone-local-trust-inbound]policy0[USG_A-policy-interzone-local-trust-inbound-0]policysourceany[USG_A-policy-interzone-local-trust-inbound-0]actionpermit[USG_A-policy-interzone-local-trust-inbound-0]quitSetp [USG_B][USG_B]interfaceeth-trunk[USG_B-Eth-Trunk1]ipaddressSetp GE1/0/0、GE2/0/0Eth-Trunk1[USG_B][USG_B]interfacegigabitethernet1/0/0[USG_B-GigabitEthernet1/0/0]undoshutdown[USG_B-GigabitEthernet1/0/0]eth-trunk1[USG_B-GigabitEthernet1/0/0]quit[USG_B]interfacegigabitethernet2/0/0[USG_B-GigabitEthernet2/0/0]undoshutdown[USG_B-GigabitEthernet2/0/0]eth-trunk1Setp Eth-Trunk1Trust[USG_B][USG_B]firewallzone[USG_B-zone-trust]addinterfaceeth-trunkSetp [USG_B][USG_B]policyinterzonelocaltrust[USG_B-policy-interzone-local-trust-outbound-0]policysourceany[USG_B-policy-interzone-local-trust-outbound-0]actionpermit[USG_B-policy-interzone-local-trust-outbound-0]quit[USG_B-policy-interzone-local-trust-outbound]quit[USG_B]policyinterzonelocaltrustinbound[USG_B-policy-interzone-local-trust-inbound]policy0驗證結在USG_A或USG_B上執(zhí)行displayinterfaceeth-trunkUP。USG_A的顯示為例。[USG_A]displayinterfaceeth-trunkEth-Trunk1currentstate:UPLineprotocolcurrentstate:UPLastlineprotocoluptime:2011-08-1003:57:08UTC+08:00Description:Eth-Trunk1InterfaceRoutePort,Hasharithmetic:Accordingtoflow,alBW:2G,CurrentBW:2G,heumTransmitUnitis1500InternetAddressis/24IPSendingFrames'FormatisPKTFMT_ETHNT_2,HardwareaddressisPhysicalisLast300secondsinputrate0bits/sec,0Last300secondsoutputrate0bits/sec,0Realtime0secondsinputrate0bits/sec,0Realtime0secondsoutputrate0bits/sec,0packets/secInput:0packets,0bytes,0unicast,0broadcast,0multicast0errors,0drops,Output:1packets,640unicast,1broadcast,0multicast0errors,0dropsInputbandwidthutilization :0.00%Outputbandwidthutilization:11TheNumberofPortsinTrunk:TheNumberofUPPortsinTrunk:#USG_A和USG_B的Eth-Trunk接口能夠互 通 -a::56databytes,pressCTRL_CtoReplyfrom:bytes=56Sequence=1ttl=255time=31msReplyfrom:bytes=56Sequence=2ttl=255time=31msReplyfrom:bytes=56Sequence=3ttl=255time=62msReplyfrom:bytes=56Sequence=4ttl=255time=62msReplyfrom:bytes=56Sequence=5ttl=255time=62ms---statistics---5packet(s)transmitted5packet(s)0.00%packetround-tripmin/avg/max=31/49/62IP-Link實實驗目配置靜態(tài)路由與IP-Link聯(lián)動。某公司通過交換機連接兩個路由器，以雙鏈路接入Internet，為了保證在鏈路故障時可以動態(tài)調整靜態(tài)路由，在USG和兩臺路由器之間配置靜2的路由，從而不影響內網(wǎng)用戶正常Internet。組網(wǎng)設PC機兩臺、USG系列一臺、交換機兩臺，路由器兩臺實驗拓IP-

Router

PCPC

GE0/0/1

Switch

Router實驗步驟(<USG>system-[USG]interfaceGigabitEthernet[USG-GigabitEthernet0/0/0]ip<USG>system-[USG]interfaceGigabitEthernet[USG-GigabitEthernet0/0/0]ipaddress[USG]interfaceGigabitEthernet[USG-GigabitEthernet0/0/1]ipaddress[USG]firewallzone[USG]firewallpacket-filterdefaultpermitinterzoneuntrustSetp 配置NAT策略。使內網(wǎng)PC可以與PC通信[USG][USG]nat-policyinterzonetrustuntrustSetp IP-LinkUSGRouter1Router2[USG][USG]ip-linkcheck[USG]ip-link1destinationmode[USG]ip-link2destinationmodeSetp4 [USG][USG]iproute-statictrackip-link[USG]iproute-staticpreference70trackip-linkSetp Switch1vlanif[SW2][SW2]interfaceVlanif[SW2-Vlanif1]ipaddress05#switch2OSPF/24[SW2][SW2]ospf[SW2-ospf-100]area[SW2-ospf-100-area-]networkSetp #IP[Router1]ospf[Router1-ospf-100]area[Router1-ospf-100-area-]network#在Router1[Router1]ospf[Router1-ospf-100]area[Router1-ospf-100-area-]network實驗步驟Setp Setp Setp 配置NAT策略。使內網(wǎng)PC可以與PC通信Setp IP-LinkUSGRouter1Router2#選擇“系統(tǒng)>高可靠性>IPLink”，選中“IPLink功能”對應的“啟用”IP-Link#在“IPLink列表”中，單擊“新建”IP-linkSetp5配置到Internet“路由>>靜態(tài)路由”“靜態(tài)路由列表”中，單擊“新建”依次輸入或選擇各項參數(shù)，在“IPLink號”一欄中分別綁定各自鏈路的IP-LinkRouter1的路由設置較高的優(yōu)先級。Setp Switch1vlanif[SW2][SW2]interfaceVlanif[SW2-Vlanif1]ipaddress05#switch2OSPF/24[SW2][SW2]ospfSetp #IP[Router1]ospf[Router1-ospf-100]area[Router1-ospf-100-area-]network#在Router1[Router1]ospf[Router1-ospf-100]area[Router1-ospf-100-area-]network驗證結PC1tracertPC2sandSettings\Administrator>tracertTracingrouteto00overumof30123*2<1*2<1 Requesttimedout.2ms <1 Trace在PC1上運行00–t命令。然后在Router1上將接口shutdownrouter1接口down掉時，IP-linkrouter2的鏈路PC2通信。sand 00-ing00with32bytesofReplyfrom00:bytes=32time<1msTTL=125Replyfrom00:bytes=32time<1msTTL=125Replyfrom00:bytes=32time<1msTTL=125Replyfrom00:bytes=32time<1msTTL=125Requesttimedout.Replyfrom00:bytes=32time<1msTTL=125Replyfrom00:bytes=32time<1msReplyfrom00:bytes=32time<1msstatisticsforPackets:Sent=18,Received=17,Lost=1(5%loss),Approximateroundtriptimesinmilli-seconds:Minimum= um=1ms,Average=sandSettings\Administrator>tracertTracingrouteto00oversandSettings\Administrator>tracertTracingrouteto00overumof30123*2<1*2<1 Requesttimedout.2ms <1 Trace 雙機熱備實驗（主備備份實驗目完成雙機熱備和OSPF的結合使用的配置并理解其實現(xiàn)原理，兩臺USG和路由OSPFVRRP協(xié)議。USG的雙機熱備份功能基于VRRPUSG的業(yè)務接口上VRRP備份組VGMPMasterSlave管理組，組成主備備份的組網(wǎng)。組網(wǎng)設兩臺PC機，兩臺，兩臺交換機，兩臺路由器實驗拓

1010030

VRRPGroup1Virtualip

實驗步驟(CLISetp <USG><USG>system-[USG]interfaceGigabitEthernet[USG-GigabitEthernet2/0/0]ipaddress[USG]firewallzone[USG-zone-trust]addinterfaceGigabitEthernet[USG]interfaceGigabitEthernet[USG-GigabitEthernet2/0/1][USG-GigabitEthernet2/0/1]ipaddress[USG]firewallzone[USG-zone-untrust]addinterfaceGigabitEthernet[USG-zone-untrust][USG]interfaceGigabitEthernet[USG-GigabitEthernet2/0/2]ipaddress[USG]firewallzone[USG-zone-dmz]addinterfaceGigabitEthernet[USG-zone-dmz]Setp 在接口GigabitEthernet2/0/0上配置VRRP1IP[USG][USG]interfaceGigabitEthernet[USG-GigabitEthernet2/0/0]vrrpvrid1virtual-ipSetp USGA上配置運行OSPF[USG][USG]ospf[USG-ospf-101]area[USG-ospf-101-area-]networkOSPFUntrustLocal域的域間濾，避免阻塞正常的路由協(xié)議報文。USGAOSPF協(xié)議對外發(fā)布路由時，Setp4USGA[USG][USG]acl[USG-acl-basic-2009]rulepermitsource[USG]route-policyr1permitnode1[USG-route-policy]if-matchacl2009[USG-route-policy]quit[USG]ospf[USG-ospf-101]import-routedirectroute-policy[USG-ospf-101]HRP備份通道接口所在網(wǎng)段的路由。因此必須Setp 配置根據(jù)HRP狀態(tài)調整OSPFCOST[USG]hrpospf-costadjust- USGOSPFSetp6 VGMP管理組的搶占功能為開啟狀態(tài)，且搶占延遲大于故障恢復后OSPF協(xié)[USG]hrppreemptdelay60 OSPF延遲大于OSPF的收斂時間。Setp [USG][USG]interfaceGigabitEthernet[USG-GigabitEthernet2/0/1]hrptrackSetp [USG]hrpmirrorsess