Huawei USG2000 firewall lab documentation
USG2000 / USG5000 series web interface configuration

Logging in to the device via the Web: configure the device so that a terminal can log in over the Web and configure and manage it.

Procedure
1. Start the Web management function:
a. Run system-view to enter the system view.
b. Run web-manager { security enable port port-number | enable [ port port-number ] } to start the Web management function.
The subsequent configuration only takes effect after the Web management function has been started.
The packets exchanged between the Web browser and the Web server are HTTP packets; the default port number is 80. If port port-number is specified, the listening port of the Web server is changed to port-number.
2. Configure a Web user:
a. Run system-view to enter the system view.
b. Run aaa to enter the AAA view.
c. Run local-user user-name password { simple | cipher } password to create an AAA local user (simple stores the password in plain text in the configuration; cipher stores it in encrypted form).
d. Run local-user user-name service-type web to set the user's service type to web.
e. Run local-user user-name level level to set the user's privilege level.

Task example
- Configure the IP address of the USG.
<USG> system-view
[USG] interface GigabitEthernet 0/0/0
[USG-GigabitEthernet0/0/0] ip address 10.1.1.1 24
[USG-GigabitEthernet0/0/0] quit
- Configure the IP address of the PC (omitted).
- Start the Web management function.
[USG] web-manager enable
- Configure a Web user.
[USG] aaa
[USG-aaa] local-user webuser password simple Admin@123
[USG-aaa] local-user webuser service-type web
[USG-aaa] local-user webuser level 3
- Check the configuration result.
Huawei USG2000 & USG5000 unified security gateway configuration, quotation and operation guide

USG5500 series board support list

Option cards (the columns of the original table; fixed interfaces and expansion slots are listed per model below):
- USB cards: USB-WCDMA 3G, USB-CDMA2000 3G, USB-TD-SCDMA 3G
- MIC interface cards: DMIC-2*10G(SFP+)
- FIC interface cards: FIC-8*GE electrical, FIC-8*GE optical, FIC-2*10G(SFP+), FIC-2*10G(SFP+)+8GE electrical, FIC-4GE electrical BYPASS (2 paths), FIC-GE optical BYPASS (2 paths)
- DFIC interface cards: DFIC-18FE+2SFP, DFIC-16GE+4SFP

Product name: standard interfaces
USG2110-x: 2FE+8FE
USG2130: 1FE+8FE
USG2160: 1FE+8FE
USG2210: 2GE combo
USG2220: 2GE combo
USG2230: 2GE combo
USG2250: 2GE combo
USG5120: 2GE+2GE combo
USG5150: 4GE combo
USG5160: 4GE combo
USG5530S: 4GE+4GE combo
USG5530: 4GE+4GE combo
USG5550: 4GE+4GE combo
USG5560: 4GE+8GE optical+4GE combo

(The per-model card support marks (●) of the original table are not recoverable.)
Copyright © 2012 Huawei Technologies Co., Ltd. All Rights Reserved.
USG2000 load balancing application method

USG2000/5000 series firewall load balancing configuration: version V300R001SPC900 supports at most 8 equal-cost routes. With multiple egresses it can load-balance across several equal-cost routes, or share load in proportion to bandwidth. For example, with two egresses, one GE interface and one FE interface, the load can be shared in proportion to bandwidth with a ratio of 10:1.
Load balancing on the USG firewall is very simple: only two commands are needed. Configure the load balancing mode in the system view and the share weight in the interface view (the default weight is 1).
Topology: PC1 is connected to gi0/0/0 of the USG2220 (192.168.0.1; the figure also shows 192.168.3.3 on the PC side). The USG2220 has two uplinks to the Internet: vlanif1 (192.168.1.1, containing eth2/0/1) to Router1 (192.168.1.2), and gi0/0/1 (192.168.2.1) to Router2 (192.168.2.2).

Weight calculation: assume n egress interfaces (n <= 8) with weights w1, w2, ..., wn, and n routes. The traffic share of interface i (1 <= i <= n) is wi / (w1 + w2 + w3 + ... + wn).

(1) Per-packet equal-cost load balancing configuration
disp cur
interface GigabitEthernet0/0/0
 ip address 192.168.0.1 255.255.255.0
#
interface GigabitEthernet0/0/1
 ip address 192.168.2.1 255.255.255.0   //default weight is 1
#
int vlanif 1   (contains ethernet2/0/1)
 ip address 192.168.1.1 255.255.255.0   //default weight is 1
#
load-balance packet   //per-packet load balancing
#
ip route-static 0.0.0.0 0.0.0.0 192.168.2.2
ip route-static 0.0.0.0 0.0.0.0 192.168.1.2
#
return
[USG2220]

Send traffic with varying source IP addresses continuously from the PC; the verification result is as follows:

[USG2220]display interface GigabitEthernet 0/0/0
17:58:53 2012/06/23
GigabitEthernet0/0/0 current state : UP
Line protocol current state : UP
GigabitEthernet0/0/0 current firewall zone : trust
Description : Huawei, USG2200 Series, GigabitEthernet0/0/0 Interface, Route Port
The Maximum Transmit Unit is 1500 bytes, Hold timer is 10(sec)
Internet Address is 192.168.0.1/24
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 0022-a100-f3c8
Media type is twisted pair, loopback not set, promiscuous mode not set
100Mb/s-speed mode, Full-duplex mode, link type is auto negotiation
flow control is disable
QoS max-bandwidth : 100000 Kbps
Output queue : (Urgent queue : Size/Length/Discards) 0/50/0
Output queue : (Frag queue : Size/Length/Discards) 0/1000/0
Output queue : (Protocol queue : Size/Length/Discards) 0/1000/0
Output queue : (FIFO queue : Size/Length/Discards) 0/256/0
Last 300 seconds input rate 31936376 bits/s, 2776 packets/s   //ingress 2776 packets per second
Last 300 seconds output rate 24 bits/s, 0 packets/s
Input: 1745827 packets, 2501973859 bytes
2199 broadcasts, 1934 multicasts
0 errors, 0 runts, 0 giants, 0 FCS
0 length error, 0 code error, 0 align errors
Output:4187 packets, 4943435 bytes
18 broadcasts, 0 multicasts
0 errors, 0 collisions, 0 late collisions
0 ex. collisions, 0 FCS error
0 deferred, 0 runts, 0 giants

[USG2220] disp int gi 0/0/1   //load-balancing egress interface 1
17:57:15 2012/06/23
GigabitEthernet0/0/1 current state : UP
Line protocol current state : UP
GigabitEthernet0/0/1 current firewall zone : untrust
Description : Huawei, USG2200 Series, GigabitEthernet0/0/1 Interface, Route Port
The Maximum Transmit Unit is 1500 bytes, Hold timer is 10(sec)
Internet Address is 192.168.2.1/24
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 0022-a100-f3c9
Media type is twisted pair, loopback not set, promiscuous mode not set
1000Mb/s-speed mode, Full-duplex mode, link type is auto negotiation
flow control is disable
QoS max-bandwidth : 1000000 Kbps
Output queue : (Urgent queue : Size/Length/Discards) 0/50/0
Output queue : (Frag queue : Size/Length/Discards) 0/1000/0
Output queue : (Protocol queue : Size/Length/Discards) 0/1000/0
Output queue : (FIFO queue : Size/Length/Discards) 0/256/0
Last 300 seconds input rate 0 bits/s, 0 packets/s
Last 300 seconds output rate 15967824 bits/s, 1388 packets/s   //egress 1388 packets, about half of 2766
Input: 20 packets, 1774 bytes
6 broadcasts, 0 multicasts
0 errors, 0 runts, 0 giants, 0 FCS
0 length error, 0 code error, 0 align errors
Output:699743 packets, 1006107662 bytes
3 broadcasts, 0 multicasts
0 errors, 0 collisions, 0 late collisions
0 ex. collisions, 0 FCS error
0 deferred, 0 runts, 0 giants

[USG2220]disp int vlan 1   //load-balancing egress interface 2
17:57:26 2012/06/23
Vlanif1 current state : UP
Line protocol current state : UP
Vlanif1 current firewall zone : dmz
Description : Huawei, USG2200 Series, Vlanif1 Interface, Route Port
The Maximum Transmit Unit is 1500 bytes
Internet Address is 192.168.1.1/24
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 0022-a100-f3c8
Physical is VLANIF
Last 300 seconds input rate 0 bits/s, 0 packets/s
Last 300 seconds output rate 15962304 bits/s, 1387 packets/s   //egress 1387 packets, about half of 2766
16 packets input, 1270 bytes, 0 drops
720194 packets output, 1035542843 bytes, 24 drops

[USG2220]disp int ethe 2/0/1   //physical interface contained in VLAN 1
17:57:37 2012/06/23
Ethernet2/0/1 current state : UP
Line protocol current state : UP
Description : Huawei, USG2200 Series, Ethernet2/0/1 Interface, Lan Switch Port
The Maximum Transmit Unit is 1500 bytes, Hold timer is 10(sec)
PVID:1
Port link-type:access
VLAN ID:1
Media type is twisted pair, loopback is not set, promiscuous mode not set
100Mb/s-speed mode, Full-duplex mode, link type is auto negotiation
flow control is disable
Last 300 seconds input rate 0 bits/s, 0 packets/s
Last 300 seconds output rate 15983704 bits/s, 1389 packets/s
Input: 41 packets, 6716 bytes
5 broadcasts, 0 multicasts
0 errors, 0 runts, 0 giants, 0 FCS
0 length error, 0 code error, 0 align errors
Output:739349 packets, 1063096373 bytes
3 broadcasts, 0 multicasts
0 errors, 0 collisions, 0 late collisions
0 ex. collisions, 0 FCS error
0 deferred, 0 runts, 0 giants
[USG2220]

(2) Per-packet proportional load balancing configuration
disp cur
interface GigabitEthernet0/0/0
 ip address 192.168.0.1 255.255.255.0
#
interface GigabitEthernet0/0/1
 ip address 192.168.2.1 255.255.255.0
 route weight 10   //change the weight of the GE interface to 10
#
int vlanif 1   (contains ethernet2/0/1)
 ip address 192.168.1.1 255.255.255.0   //default weight is 1
#
load-balance packet   //per-packet load balancing
#
ip route-static 0.0.0.0 0.0.0.0 192.168.2.2
ip route-static 0.0.0.0 0.0.0.0 192.168.1.2
#
return

[USG2220]disp int gi 0/0/0
18:04:19 2012/06/23
GigabitEthernet0/0/0 current state : UP
Line protocol current state : UP
GigabitEthernet0/0/0 current firewall zone : trust
Description : Huawei, USG2200 Series, GigabitEthernet0/0/0 Interface, Route Port
The Maximum Transmit Unit is 1500 bytes, Hold timer is 10(sec)
Internet Address is 192.168.0.1/24
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 0022-a100-f3c8
Media type is twisted pair, loopback not set, promiscuous mode not set
100Mb/s-speed mode, Full-duplex mode, link type is auto negotiation
flow control is disable
QoS max-bandwidth : 100000 Kbps
Output queue : (Urgent queue : Size/Length/Discards) 0/50/0
Output queue : (Frag queue : Size/Length/Discards) 0/1000/0
Output queue : (Protocol queue : Size/Length/Discards) 0/1000/0
Output queue : (FIFO queue : Size/Length/Discards) 0/256/0
Last 300 seconds input rate 39717672 bits/s, 3452 packets/s   //ingress 3452 packets per second
Last 300 seconds output rate 0 bits/s, 0 packets/s
Input: 2863396 packets, 4108824781 bytes
2297 broadcasts, 1996 multicasts
0 errors, 0 runts, 0 giants, 0 FCS
0 length error, 0 code error, 0 align errors
Output:4187 packets, 4943435 bytes
18 broadcasts, 0 multicasts
0 errors, 0 collisions, 0 late collisions
0 ex. collisions, 0 FCS error
0 deferred, 0 runts, 0 giants

[USG2220]display interface GigabitEthernet 0/0/1   //load-balancing egress interface 1
18:04:48 2012/06/23
GigabitEthernet0/0/1 current state : UP
Line protocol current state : UP
GigabitEthernet0/0/1 current firewall zone : untrust
Description : Huawei, USG2200 Series, GigabitEthernet0/0/1 Interface, Route Port
The Maximum Transmit Unit is 1500 bytes, Hold timer is 10(sec)
Internet Address is 192.168.2.1/24
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 0022-a100-f3c9
Media type is twisted pair, loopback not set, promiscuous mode not set
1000Mb/s-speed mode, Full-duplex mode, link type is auto negotiation
flow control is disable
QoS max-bandwidth : 1000000 Kbps
Output queue : (Urgent queue : Size/Length/Discards) 0/50/0
Output queue : (Frag queue : Size/Length/Discards) 0/1000/0
Output queue : (Protocol queue : Size/Length/Discards) 0/1000/0
Output queue : (FIFO queue : Size/Length/Discards) 0/256/0
Last 300 seconds input rate 0 bits/s, 0 packets/s
Last 300 seconds output rate 35789288 bits/s, 3111 packets/s   //GE interface weight 10, traffic is 10/11 of the total
Input: 21 packets, 1838 bytes
7 broadcasts, 0 multicasts
0 errors, 0 runts, 0 giants, 0 FCS
0 length error, 0 code error, 0 align errors
Output:1945061 packets, 2796873572 bytes
3 broadcasts, 0 multicasts
0 errors, 0 collisions, 0 late collisions
0 ex. collisions, 0 FCS error
0 deferred, 0 runts, 0 giants

[USG2220]display interface Vlanif 1   //load-balancing egress interface 2
18:04:39 2012/06/23
Vlanif1 current state : UP
Line protocol current state : UP
Vlanif1 current firewall zone : dmz
Description : Huawei, USG2200 Series, Vlanif1 Interface, Route Port
The Maximum Transmit Unit is 1500 bytes
Internet Address is 192.168.1.1/24
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 0022-a100-f3c8
Physical is VLANIF
Last 300 seconds input rate 0 bits/s, 0 packets/s
Last 300 seconds output rate 3578312 bits/s, 311 packets/s   //FE interface weight 1, traffic is only 1/11 of the total
17 packets input, 1316 bytes, 0 drops
1008589 packets output, 1450253475 bytes, 24 drops

(3) Per-flow equal-cost load balancing configuration
disp cur
interface GigabitEthernet0/0/0
 ip address 192.168.0.1 255.255.255.0
#
interface GigabitEthernet0/0/1
 ip address 192.168.2.1 255.255.255.0   //default weight is 1
#
int vlanif 1   (contains ethernet2/0/1)
 ip address 192.168.1.1 255.255.255.0   //default weight is 1
#
load-balance flow hash source-ip   //per-flow sharing using the source-IP hash algorithm
#
ip route-static 0.0.0.0 0.0.0.0 192.168.2.2
ip route-static 0.0.0.0 0.0.0.0 192.168.1.2
#
return

Verification result:

<USG2220>disp int gi 0/0/0
09:28:08 2012/06/24
GigabitEthernet0/0/0 current state : UP
Line protocol current state : UP
GigabitEthernet0/0/0 current firewall zone : trust
Description : Huawei, USG2200 Series, GigabitEthernet0/0/0 Interface, Route Port
The Maximum Transmit Unit is 1500 bytes, Hold timer is 10(sec)
Internet Address is 192.168.0.1/24
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 0022-a100-f3c8
Media type is twisted pair, loopback not set, promiscuous mode not set
100Mb/s-speed mode, Full-duplex mode, link type is auto negotiation
flow control is disable
QoS max-bandwidth : 100000 Kbps
Output queue : (Urgent queue : Size/Length/Discards) 0/50/0
Output queue : (Frag queue : Size/Length/Discards) 0/1000/0
Output queue : (Protocol queue : Size/Length/Discards) 0/1000/0
Output queue : (FIFO queue : Size/Length/Discards) 0/256/0
Last 300 seconds input rate 40081584 bits/s, 3484 packets/s   //total ingress 3484 packets per second
Last 300 seconds output rate 8 bits/s, 0 packets/s
Input: 5709388 packets, 8208644956 bytes
451 broadcasts, 246 multicasts
0 errors, 0 runts, 0 giants, 0 FCS
0 length error, 0 code error, 0 align errors
Output:32 packets, 2338 bytes
0 broadcasts, 0 multicasts
0 errors, 0 collisions, 0 late collisions
0 ex. collisions, 0 FCS error
0 deferred, 0 runts, 0 giants

<USG2220>display interface GigabitEthernet 0/0/1   //load-balancing egress interface 1
09:28:16 2012/06/24
GigabitEthernet0/0/1 current state : UP
Line protocol current state : UP
GigabitEthernet0/0/1 current firewall zone : untrust
Description : Huawei, USG2200 Series, GigabitEthernet0/0/1 Interface, Route Port
The Maximum Transmit Unit is 1500 bytes, Hold timer is 10(sec)
Internet Address is 192.168.2.1/24
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 0022-a100-f3c9
Media type is twisted pair, loopback not set, promiscuous mode not set
1000Mb/s-speed mode, Full-duplex mode, link type is auto negotiation
flow control is disable
QoS max-bandwidth : 1000000 Kbps
Output queue : (Urgent queue : Size/Length/Discards) 0/50/0
Output queue : (Frag queue : Size/Length/Discards) 0/1000/0
Output queue : (Protocol queue : Size/Length/Discards) 0/1000/0
Output queue : (FIFO queue : Size/Length/Discards) 0/256/0
Last 300 seconds input rate 0 bits/s, 0 packets/s
Last 300 seconds output rate 20119032 bits/s, 1748 packets/s   //egress 1748 packets per second, about half of 3484
Input: 1 packets, 64 bytes
0 broadcasts, 0 multicasts
0 errors, 0 runts, 0 giants, 0 FCS
0 length error, 0 code error, 0 align errors
Output:2506159 packets, 3603855268 bytes
1 broadcasts, 0 multicasts
0 errors, 0 collisions, 0 late collisions
0 ex. collisions, 0 FCS error
0 deferred, 0 runts, 0 giants

<USG2220>display interface vlan 1   //load-balancing egress interface 2
09:28:37 2012/06/24
Vlanif1 current state : UP
Line protocol current state : UP
Vlanif1 current firewall zone : dmz
Description : Huawei, USG2200 Series, Vlanif1 Interface, Route Port
The Maximum Transmit Unit is 1500 bytes
Internet Address is 192.168.1.1/24
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 0022-a100-f3c8
Physical is VLANIF
Last 300 seconds input rate 0 bits/s, 0 packets/s
Last 300 seconds output rate 19962864 bits/s, 1735 packets/s   //egress 1735 packets per second, about half of 3484
2 packets input, 92 bytes, 0 drops
2536472 packets output, 3646936530 bytes, 0 drops

<USG2220> disp int ethe 2/0/1   //physical interface contained in VLAN 1
09:28:47 2012/06/24
Ethernet2/0/1 current state : UP
Line protocol current state : UP
Description : Huawei, USG2200 Series, Ethernet2/0/1 Interface, Lan Switch Port
The Maximum Transmit Unit is 1500 bytes, Hold timer is 10(sec)
PVID:1
Port link-type:access
VLAN ID:1
Media type is twisted pair, loopback is not set, promiscuous mode not set
100Mb/s-speed mode, Full-duplex mode, link type is auto negotiation
flow control is disable
Last 300 seconds input rate 0 bits/s, 0 packets/s
Last 300 seconds output rate 19961176 bits/s, 1735 packets/s
Input: 2 packets, 128 bytes
2 broadcasts, 0 multicasts
0 errors, 0 runts, 0 giants, 0 FCS
0 length error, 0 code error, 0 align errors
Output:2563893 packets, 3686357681 bytes
0 broadcasts, 0 multicasts
0 errors, 0 collisions, 0 late collisions
0 ex. collisions, 0 FCS error
0 deferred, 0 runts, 0 giants

(4) Per-flow proportional load balancing configuration
disp cur
interface GigabitEthernet0/0/0
 ip address 192.168.0.1 255.255.255.0
#
interface GigabitEthernet0/0/1
 ip address 192.168.2.1 255.255.255.0
 route weight 10   //weight 10
#
int vlanif 1   (contains ethernet2/0/1)
 ip address 192.168.1.1 255.255.255.0   //default weight is 1
#
load-balance flow hash source-ip   //per-flow sharing using the source-IP hash algorithm
#
ip route-static 0.0.0.0 0.0.0.0 192.168.2.2
ip route-static 0.0.0.0 0.0.0.0 192.168.1.2
#
[USG2220]

[USG2220]disp int gi 0/0/0
09:55:35 2012/06/24
GigabitEthernet0/0/0 current state : UP
Line protocol current state : UP
GigabitEthernet0/0/0 current firewall zone : trust
Description : Huawei, USG2200 Series, GigabitEthernet0/0/0 Interface, Route Port
The Maximum Transmit Unit is 1500 bytes, Hold timer is 10(sec)
Internet Address is 192.168.0.1/24
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 0022-a100-f3c8
Media type is twisted pair, loopback not set, promiscuous mode not set
100Mb/s-speed mode, Full-duplex mode, link type is auto negotiation
flow control is disable
QoS max-bandwidth : 100000 Kbps
Output queue : (Urgent queue : Size/Length/Discards) 0/50/0
Output queue : (Frag queue : Size/Length/Discards) 0/1000/0
Output queue : (Protocol queue : Size/Length/Discards) 0/1000/0
Output queue : (FIFO queue : Size/Length/Discards) 0/256/0
Last 300 seconds input rate 38260832 bits/s, 3326 packets/s   //ingress 3326 packets per second
Last 300 seconds output rate 8 bits/s, 0 packets/s
Input: 11302814 packets, 16250808455 bytes
804 broadcasts, 422 multicasts
0 errors, 0 runts, 0 giants, 0 FCS
0 length error, 0 code error, 0 align errors
Output:67 packets, 5158 bytes
0 broadcasts, 0 multicasts
0 errors, 0 collisions, 0 late collisions
0 ex. collisions, 0 FCS error
0 deferred, 0 runts, 0 giants

[USG2220]display interface GigabitEthernet 0/0/1   //load-balancing egress interface 1
09:55:42 2012/06/24
GigabitEthernet0/0/1 current state : UP
Line protocol current state : UP
GigabitEthernet0/0/1 current firewall zone : untrust
Description : Huawei, USG2200 Series, GigabitEthernet0/0/1 Interface, Route Port
The Maximum Transmit Unit is 1500 bytes, Hold timer is 10(sec)
Internet Address is 192.168.2.1/24
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 0022-a100-f3c9
Media type is twisted pair, loopback not set, promiscuous mode not set
1000Mb/s-speed mode, Full-duplex mode, link type is auto negotiation
flow control is disable
QoS max-bandwidth : 1000000 Kbps
Output queue : (Urgent queue : Size/Length/Discards) 0/50/0
Output queue : (Frag queue : Size/Length/Discards) 0/1000/0
Output queue : (Protocol queue : Size/Length/Discards) 0/1000/0
Output queue : (FIFO queue : Size/Length/Discards) 0/256/0
Last 300 seconds input rate 0 bits/s, 0 packets/s
Last 300 seconds output rate 34809656 bits/s, 3026 packets/s   //GE egress 3026 packets, about 10/11 of 3326 packets
Input: 3 packets, 192 bytes
0 broadcasts, 0 multicasts
0 errors, 0 runts, 0 giants, 0 FCS
0 length error, 0 code error, 0 align errors
Output:6535204 packets, 9397375195 bytes
3 broadcasts, 0 multicasts
0 errors, 0 collisions, 0 late collisions
0 ex. collisions, 0 FCS error
0 deferred, 0 runts, 0 giants

[USG2220]disp int vlan 1   //load-balancing egress interface 2
09:56:05 2012/06/24
Vlanif1 current state : UP
Line protocol current state : UP
Vlanif1 current firewall zone : dmz
Description : Huawei, USG2200 Series, Vlanif1 Interface, Route Port
The Maximum Transmit Unit is 1500 bytes
Internet Address is 192.168.1.1/24
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 0022-a100-f3c8
Physical is VLANIF
Last 300 seconds input rate 0 bits/s, 0 packets/s
Last 300 seconds output rate 3451664 bits/s, 300 packets/s
3 packets input, 138 bytes, 0 drops
4068110 packets output, 5849251402 bytes, 0 drops

[USG2220]display interface ethe 2/0/1   //physical interface contained in VLAN 1
09:55:54 2012/06/24
Ethernet2/0/1 current state : UP
Line protocol current state : UP
Description : Huawei, USG2200 Series, Ethernet2/0/1 Interface, Lan Switch Port
The Maximum Transmit Unit is 1500 bytes, Hold timer is 10(sec)
PVID:1
Port link-type:access
VLAN ID:1
Media type is twisted pair, loopback is not set, promiscuous mode not set
100Mb/s-speed mode, Full-duplex mode, link type is auto negotiation
flow control is disable
Last 300 seconds input rate 0 bits/s, 0 packets/s
Last 300 seconds output rate 3450824 bits/s, 300 packets/s   //FE egress 300 packets, about 1/11 of 3326 packets
Input: 3 packets, 192 bytes
3 broadcasts, 0 multicasts
0 errors, 0 runts, 0 giants, 0 FCS
0 length error, 0 code error, 0 align errors
Output:4073735 packets, 5857327222 bytes
0 broadcasts, 0 multicasts
0 errors, 0 collisions, 0 late collisions
0 ex. collisions, 0 FCS error
0 deferred, 0 runts, 0 giants

Note the following points:
1) An uneven share ratio occurs mostly with per-flow load balancing; in that case the hash algorithm can be adjusted. Because the traffic statistics need 5 minutes to become accurate, observe for no less than 5 minutes.
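The share formula and the per-flow caveat above, worked through in Python as an added example (not code from the Huawei document): it checks the packets/s figures quoted from the 'display interface' output against wi / (w1 + ... + wn), and models source-IP hashing to show why a per-flow split can be uneven with few sources. The hash function used is an assumption made here; the USG's own hash is not given on the page.

```python
"""Weighted equal-cost load-balancing arithmetic for the USG2220 case above.

Added example, not part of the Huawei document. The share formula is the
document's; the source-IP hash used to model 'load-balance flow hash
source-ip' is an assumption (the device's real hash is not on the page).
"""
import hashlib
import ipaddress
from typing import Dict, List

MAX_EQUAL_COST_ROUTES = 8  # V300R001SPC900 limit quoted in the document


def expected_shares(weights: Dict[str, int]) -> Dict[str, float]:
    """Formula (1): the share of egress interface i is w_i / sum(w)."""
    if not 1 <= len(weights) <= MAX_EQUAL_COST_ROUTES:
        raise ValueError("between 1 and 8 egress interfaces are supported")
    if any(w <= 0 for w in weights.values()):
        raise ValueError("route weights must be positive (default is 1)")
    total = sum(weights.values())
    return {name: w / total for name, w in weights.items()}


def observed_shares(egress_pps: Dict[str, int]) -> Dict[str, float]:
    """Fraction of egress packets/s seen on each interface in 'display interface'."""
    total = sum(egress_pps.values())
    return {name: pps / total for name, pps in egress_pps.items()}


def matches_weights(weights: Dict[str, int], egress_pps: Dict[str, int],
                    tolerance: float = 0.02) -> bool:
    """True when every observed share is within `tolerance` of its expected share."""
    expected = expected_shares(weights)
    observed = observed_shares(egress_pps)
    return all(abs(expected[k] - observed[k]) <= tolerance for k in weights)


def pick_by_source_hash(src_ip: str, weights: Dict[str, int]) -> str:
    """Per-flow selection modelled as: hash the source IP into weighted buckets.

    Assumed stand-in for the device's source-IP hash; it has the property the
    document relies on in cases (3)/(4): one source always takes one egress.
    """
    names = sorted(weights)                     # fixed bucket order
    total = sum(weights[n] for n in names)
    digest = hashlib.sha256(ipaddress.ip_address(src_ip).packed).digest()
    slot = int.from_bytes(digest[:4], "big") % total
    for name in names:
        if slot < weights[name]:
            return name
        slot -= weights[name]
    raise RuntimeError("unreachable: slot exceeds total weight")


def simulate_flows(weights: Dict[str, int], src_ips: List[str]) -> Dict[str, int]:
    """Count how many sources land on each egress under per-flow hashing."""
    counts = {name: 0 for name in weights}
    for ip in src_ips:
        counts[pick_by_source_hash(ip, weights)] += 1
    return counts


def max_share(counts: Dict[str, int]) -> float:
    """Largest fraction of flows on one egress; 1.0 means no balancing at all."""
    total = sum(counts.values())
    return max(counts.values()) / total if total else 0.0


def sample_sources(cidr: str = "10.0.0.0/20") -> List[str]:
    """Constructed set of distinct source addresses (the lab's varying-source traffic)."""
    return [str(ip) for ip in ipaddress.ip_network(cidr).hosts()]


if __name__ == "__main__":
    # Packet rates read from the document's 'display interface' output.
    equal = {"GigabitEthernet0/0/1": 1, "Vlanif1": 1}
    weighted = {"GigabitEthernet0/0/1": 10, "Vlanif1": 1}
    print(matches_weights(equal, {"GigabitEthernet0/0/1": 1388, "Vlanif1": 1387}))
    print(matches_weights(weighted, {"GigabitEthernet0/0/1": 3111, "Vlanif1": 311}))
    print(max_share(simulate_flows(equal, sample_sources())))   # close to 0.5
    print(max_share(simulate_flows(equal, ["10.0.0.1"])))       # 1.0: one source, one egress
```

With a single source address the per-flow split collapses onto one interface, which is the "uneven share ratio" the note above warns about; only the many-source run approaches the weighted ratio.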
usg2000: script for blocking attack ports

#
acl number 3200
description qos_policy_1_to_PPPoE
rule 10 permit tcp destination-port eq www
rule 20 permit tcp destination-port eq 433
rule 240 deny tcp destination-port eq 1025
rule 250 deny tcp destination-port eq 1068
rule 260 deny tcp destination-port eq 707
rule 270 deny tcp destination-port eq 5554
rule 110 deny tcp destination-port eq rpc
rule 120 deny udp destination-port eq rpc
rule 130 deny udp destination-port eq netbios-ns
rule 140 deny udp destination-port eq netbios-dgm
rule 230 deny tcp destination-port eq 4444
rule 240 deny tcp destination-port eq 1025
rule 250 deny tcp destination-port eq 1068
rule 260 deny tcp destination-port eq 707
rule 120 deny udp destination-port eq rpc
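A lint and evaluation pass over the ACL listed above, added here as an example (not part of the original script): it parses a constructed copy of acl number 3200 (repeated rule numbers included), reports rule numbers defined more than once, and evaluates sample packets in ascending rule-number order. Assumptions: first match in rule-number order wins, a re-entered rule number redefines that rule, and the port-name table is a small subset of the names the device accepts.

```python
"""Lint and evaluate the VRP-style advanced ACL listed above.

Added example, not from the Huawei document. Assumptions: rules are matched
in ascending rule-number order, first match wins; re-entering a rule number
redefines that rule; PORT_NAMES is a small subset of the device's port names.
"""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed copy of the ACL from the page (same rules, same order).
ACL_TEXT = """\
acl number 3200
description qos_policy_1_to_PPPoE
rule 10 permit tcp destination-port eq www
rule 20 permit tcp destination-port eq 433
rule 240 deny tcp destination-port eq 1025
rule 250 deny tcp destination-port eq 1068
rule 260 deny tcp destination-port eq 707
rule 270 deny tcp destination-port eq 5554
rule 110 deny tcp destination-port eq rpc
rule 120 deny udp destination-port eq rpc
rule 130 deny udp destination-port eq netbios-ns
rule 140 deny udp destination-port eq netbios-dgm
rule 230 deny tcp destination-port eq 4444
rule 240 deny tcp destination-port eq 1025
rule 250 deny tcp destination-port eq 1068
rule 260 deny tcp destination-port eq 707
rule 120 deny udp destination-port eq rpc
"""

# Assumed subset of VRP well-known port names (IANA numbers).
PORT_NAMES = {"www": 80, "rpc": 135, "netbios-ns": 137, "netbios-dgm": 138}

RULE_RE = re.compile(
    r"^rule\s+(\d+)\s+(permit|deny)\s+(tcp|udp)\s+destination-port\s+eq\s+(\S+)$"
)

Rule = Tuple[int, str, str, int]  # (number, action, protocol, destination port)


def parse_acl(text: str) -> List[Rule]:
    """Return every 'rule' line as (number, action, proto, port), in file order."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        match = RULE_RE.match(raw.strip())
        if not match:
            continue  # 'acl number', 'description' and blank lines carry no rule
        number, action, proto, port = match.groups()
        port_no = PORT_NAMES[port] if port in PORT_NAMES else int(port)
        rules.append((int(number), action, proto, port_no))
    return rules


def duplicate_rule_numbers(rules: List[Rule]) -> List[int]:
    """Rule numbers that are defined more than once (harmless only if identical)."""
    counts = Counter(number for number, *_ in rules)
    return sorted(n for n, c in counts.items() if c > 1)


def conflicting_duplicates(rules: List[Rule]) -> List[int]:
    """Duplicate rule numbers whose later definition differs from the earlier one."""
    seen: Dict[int, Rule] = {}
    conflicts = set()
    for rule in rules:
        earlier = seen.get(rule[0])
        if earlier is not None and earlier != rule:
            conflicts.add(rule[0])
        seen[rule[0]] = rule
    return sorted(conflicts)


def evaluate(rules: List[Rule], proto: str, dport: int) -> Optional[str]:
    """Action for a packet, or None when no rule matches (device default applies)."""
    effective: Dict[int, Rule] = {}
    for rule in rules:
        effective[rule[0]] = rule  # assumption: a re-entered number redefines the rule
    for number in sorted(effective):
        _, action, rule_proto, rule_port = effective[number]
        if rule_proto == proto and rule_port == dport:
            return action
    return None


if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    print("duplicate rule numbers:", duplicate_rule_numbers(acl))
    print("conflicting duplicates:", conflicting_duplicates(acl))
    for proto, port in (("tcp", 80), ("tcp", 443), ("tcp", 4444), ("udp", 137)):
        print(proto, port, "->", evaluate(acl, proto, port))
```

Rule 20 permits port 433 exactly as listed, so HTTPS on 443 matches no rule in this ACL; the evaluation makes that visible before the policy is applied.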
Gateway usg2000 basic MAC configuration
(06-05-2010)

USG2000 basic configuration
<USG2130BSR>lan c
改变当前语言环境,确认切换? [Y/N]y
改变到中文模式。
<USG2130BSR>sys

1. Configure user login:
[USG2130BSR]user-int vty 0 4
[USG2130BSR-ui-vty0-4]user privilege level 3
[USG2130BSR-ui-vty0-4]authentication-mode password
[USG2130BSR-ui-vty0-4]set authentication password simple lds123
[USG2130BSR-ui-vty0-4]q

2. Configure rate limiting (the rate limit on vlan3 is 7B bandwidth)
2.1 Configure vlan3
[USG2130BSR] vlan 3
[USG2130BSR-vlan3]q
[USG2130BSR]int e1/0/1
[USG2130BSR-Ethernet1/0/1]port link-type access
[USG2130BSR-Ethernet1/0/1]port access vlan 3
[USG2130BSR-Ethernet1/0/1]q
[USG2130BSR]int e1/0/2
[USG2130BSR-Ethernet1/0/2]port link-type access
[USG2130BSR-Ethernet1/0/2]port access vlan 3
[USG2130BSR-Ethernet1/0/2]q
[USG2130BSR]int vlan 3
[USG2130BSR-Vlanif3]ip add 192.168.0.1 255.255.255.0
[USG2130BSR-Vlanif3]arp-proxy enable
[USG2130BSR-Vlanif3]q
[USG2130BSR]firewall zone trust
[USG2130BSR-zone-trust]add int vlanif 3
[USG2130BSR-zone-trust]q
[USG2130BSR]ip route-static 192.168.0.0 255.255.255.0 vlanif 3
2.2 Configure the rate limit
[USG2130BSR]acl 3002
[USG2130BSR-acl-adv-3002]rule permit tcp
[USG2130BSR-acl-adv-3002]q
[USG2130BSR]traffic classifier class2
[USG2130BSR-classifier-class2]if-match acl 3002
[USG2130BSR-classifier-class2]q
[USG2130BSR]traffic behavior behavior2
[USG2130BSR-behavior-behavior2]car cir 14000000 cbs 28000000 ebs 0
[USG2130BSR-behavior-behavior2]q
[USG2130BSR]qos policy my1policy
[USG2130BSR-qospolicy-my1policy]classifier class2 behavior behavior2
[USG2130BSR-qospolicy-my1policy]q
[USG2130BSR]int vlanif 3
[USG2130BSR-Vlanif3]qos apply policy my1policy outbound
[USG2130BSR-Vlanif3]q

3. MAC address binding
[USG2130BSR]firewall mac-binding enable
[USG2130BSR]firewall mac-binding 192.168.1.21 0021-97EB-8B77
(The MAC address is written as three groups of four hex digits joined with "-".)
%2010/6/5 11:51:33 USG2130BSR SEC/4/BIND: (vpn: public ) Mac地址<0021-97eb-8b77> 和IP地址<192.168.1.21>绑定

4. Save the configuration
<USG2130BSR>save
将把当前的配置保存到存储设备中.你确信吗?[Y/N]y
将运行时的配置写入存储设备中........

5. Internet access configuration
Configure the IP address of interface Ethernet 0/0/0 and add it to the Untrust zone.
USG 2000 Internet access via DHCP configuration manual

Accessing the Internet through DHCP: the device acts as a DHCP client and requests an IP address from the DHCP server (the carrier's equipment) in order to access the Internet.
Networking requirements: as shown in Figure 1, the USG acts as the egress gateway and provides the Internet egress for the PCs on the LAN.
The company's network plan is as follows:
- All PCs on the LAN are deployed in the 10.1.1.0/24 network and obtain their IP addresses dynamically via DHCP.
- Downlink: LAN Ethernet interfaces connect all PCs in the company through a switch.
- Uplink: a WAN Ethernet interface connects to the Internet.
The company also applies for Internet access service from a carrier.
The Internet access service provided by the carrier uses DHCP.
Accordingly, the USG must act as a DHCP client, obtain an IP address and DNS server address from the DHCP server (carrier equipment), and then provide Internet access.
Figure 1: DHCP client Internet access network diagram (figure not reproduced).

Configuration roadmap
1. Configure the downlink.
Enable the DHCP server on Vlanif 1 to assign IP addresses to the PCs dynamically; the gateway and DNS server addresses handed to the PCs are both the Vlanif 1 interface address.
PCs usually need to resolve domain names, so a DNS server address must be specified for them.
In this example the USG acts as the DNS relay.
2. Configure the uplink.
Enable the DHCP client on GigabitEthernet 0/0/2.
3. Add the interfaces to security zones and configure NAT and packet filtering between the zones.
Add the interface connecting the company LAN to the high-security zone (Trust) and the uplink interface connecting to the Internet to the low-security zone (Untrust).
LANs usually use private addresses, so NAT must be configured for Internet access.
In this example, because the uplink interface obtains its IP address by dialing and the address may differ on each dial-up, Easy IP is used.
4. Configure DNS proxy.
Specify the DNS server address as the one obtained from the carrier on interface GigabitEthernet 0/0/2.
Note: after the device obtains an IP address from the DHCP server, the DHCP server usually also sends the DHCP client a default route.
Low-end security: Secoway USG2000 key presentation

September 2009, HUAWEI TECHNOLOGIES CO., LTD., internal
Secoway USG2000 series unified security gateway key presentation

Contents
Security problems faced by small and medium-sized enterprises

Network security threats faced by SMEs
(Diagram: end users, worms/trojans, the SME intranet with switch, data server, servers and user terminals.)
- The network border lacks security protection and cannot stop intrusions and attacks
- How can remote users communicate securely with the organization?
- There are no security zones inside the organization, so the spread of threats cannot be stopped
- How can data be transferred securely between organizations?
- Business systems are unprotected, leading to data theft, DDoS attacks and web page tampering

More and more threats come from inside the network
- Most e-mail is spam
- P2P downloads consume bandwidth and congest the network egress
- Employee PCs become "zombies" that launch DDoS attacks outward
- Malicious attacks destroy data
- Servers suffer SQL injection attacks and home pages are tampered with
- Company trade secrets leak through e-mail
- Visits to reactionary, pornographic and other unhealthy websites
- Chatting on QQ/MSN during working hours, low work efficiency
- Playing online games during working hours
- Watching films, reading news, trading stocks online...

The USG 2000 series comprehensively protects SME security
- Supports a complete VPN solution: L2TP/GRE/IPSec/SSL/MPLS
- Supports signature-based detection with 1000+ signatures
- Supports protocol inspection for 5 major protocols
- Online automatic signature database updates
- Attack defence: SYN Flood, UDP Flood, ICMP Flood, DNS Flood, SMURF, CC, Land, Fraggle, WinNuke, ICMP redirect
- Supports RBL real-time blacklists
- QQ/MSN control
- BT/Thunder/eDonkey/pplive blocking and rate limiting
- Game and stock-trading software control
- Supports routed/transparent/hybrid modes
- Supports ASPF/NAT/QoS/ACL
- Supports 3G wireless uplink
- Supports WiFi wireless downlink

The Secoway family of security gateways
- High-end 10G series (USG9310/20): 10G-80G performance, massive VPN access, distributed architecture, NP plus multi-core processors
- Mid-range gigabit series (USG5320/30/50/60): 2G-8G performance, high-density interfaces, multi-core processors, best DDoS protection
- USG3030/40: 1G-2G performance, high-density interfaces, P2P traffic control, E1/T1 interface support
- USG2210/2220/2230: E1/CE1/SA/ADSL2+, IPSEC/L2TP/SSL VPN, UTM (IPS, anti-spam, P2P blocking and rate limiting, IM control)
- The USG2000 integrates firewall and UTM in one device and comprehensively protects SME network security

Strong attack defence capability
(Diagram: business systems, normal access traffic, the SME USG2000, normal network users, and botnet attack traffic: UDP Flood, SYN Flood, ICMP Flood, CC attack, SMURF...)
- Defends against many DoS and DDoS attacks, identifying SYN Flood, UDP Flood, ICMP Flood and other attack types, and withstands DDoS attacks of up to 100,000 packets/second
- Dynamic blacklist proactive defence: supports intelligent dynamic-blacklist proactive defence which, by detecting the behavioural characteristics of packets, can: (remainder missing in the source)

USG2000 and Secospace working together improve network security
(Diagram: headquarters and branch offices with Agents, VPN access, the SACG, pre-authentication and post-authentication domains, domain management server, SRS, SPS, antivirus server, patch server, security administrator and security auditor.)
Legend: Agent: client agent; SACG: security access control gateway (firewall); SPS: security policy server; SRS: security repair server.

A complete VPN solution protects data in transit
(Diagram: headquarters intranet with Radius & CA and VPN Manager, USG5000 at the headquarters, branch USG2000 devices reached over the Internet by L2TP/SSL VPN and GRE/IPSEC/MPLS VPN.)
- Outstanding performance: leading VPN encryption capability and number of VPN tunnels
- Rich functions: full VPN feature set supporting SSL, IPSEC, MPLS and GRE; supports L2TP/IPSEC VPN multi-instance
- Flexible solutions: a rich product series, the best price/performance choice; online expansion of the tunnel count to grow network capacity easily
- Secure and reliable: professional hardware architecture with hot-standby high availability and carrier-grade reliability; CA security features and mobile user access
- Easy maintenance: VPN Manager centralised service management; the product series supports CLI, WebUI and SNMP

The USG2000 series protects the security of the SME intranet

IPS: defending against network-layer and application-layer attacks
- Uses signatures plus protocol anomaly detection to resist attacks from the network and application layers
- Global online automatic signature database updates
- Recognises common protocols such as HTTP, SMTP, POP3, IMAP4 and FTP
- Supports user-defined rules
(Diagram: worms, trojans, DDoS, viruses and spyware arriving from the Internet.)

Anti-Spam: filtering junk mail
- Supports third-party maintained spam-sender black/white lists (RBL)

Internet behaviour management improves work efficiency
- Effectively blocks IM software (QQ/MSN) and controls the spread of IM viruses
- Blocks and rate-limits P2P software such as eDonkey, Thunder and BT
- Web rule database updates

Powerful P2P blocking and rate limiting
Application: QQ, MSN, eDonkey, BT, Bitcomet, Thunder
Block: no, no, yes, yes, yes, yes
Rate limit: yes, yes, yes, yes, yes, yes
"Employees work honestly, the boss drinks tea in peace."
The supported protocols are very rich; the P2P protocols supported by the USG2000 series are: BT, PPLIVE, Thunder, eDeM, FEIDIAN, QQlive, CCIPTV, GNUTELLA, Kazaa, PPSTREAM, COOLSTREAMING, DC, KUGOO, ORINNOAVBT, PPGou, POCO, BaiBao, Maze, TVAnts, UUSee, Vagaa, BBSEE, QQDownload, MYSEE, Filetopia, Soulseek, Sopcast, TVU, BearShare, KOOWO, FENGXING, PPFILM, DOPOOL, Flashget, PP365, BAIDUXIABA, QINGYL, FS2YOU, TVKOO.
Information Security Technology: Firewall Lab Report

Contents
I. Experiment overview
1. Purpose of the experiment
2. Background
3. Requirements
II. Building the experiment environment
1. Hardware environment
1.1 Device configuration and connection
1.2 Device selection and reasons
2. Software environment
2.1 System software installation and configuration
2.2 Firewall software installation and configuration
III. Firewall configuration and implementation
1. Firewall policy formulation
1.1 Access control policy
1.2 Data encryption policy
1.3 Security audit policy
2. Detailed firewall configuration steps
2.1 Preparation before configuration
2.2 Detailed configuration process
2.3 Verification of the configuration results
IV. Experiment results and analysis
1. Presentation of the results
1.1 Analysis of firewall run logs
1.2 Analysis of the network security status
2. Analysis of the results
2.1 Analysis of firewall effectiveness
2.2 Network security risk assessment and discussion of countermeasures
V. Summary and outlook

I. Experiment overview
With the rapid development of information technology, network security issues have become increasingly important.
As one of the important means of ensuring network security, firewall technology is widely used in all kinds of network environments to protect the internal network from attacks and threats from external networks.
This experiment aims, by building an experimental environment, to understand and master in depth the basic principles of firewalls, their configuration methods and their important role in practical applications.
In this experiment we will simulate an enterprise internal network environment and set up the corresponding firewall devices.
By building this environment we can simulate realistic network security scenarios and thereby better understand the role and value of firewalls in securing a network.
Through hands-on operation we will gain a deeper grasp of basic firewall configuration methods and steps, laying a solid foundation for future network security work.
Through this experiment we will also learn how to configure and use firewalls appropriately against different network threats and attack types, so as to protect the security and stability of network systems.
This is of great significance for improving our network security awareness and skills.
1. Purpose of the experiment: this experiment aims, through practical operation, to understand in depth the working principles and configuration methods of firewalls and their key role in network security protection.
Lab configuration excerpts (USG with two uplinks: zone dianxin on G0/0/0 and zone yidong on G0/0/1; the internal network is VLANIF 1):

[huawei-GigabitEthernet0/0/0]quit
[huawei]interface GigabitEthernet 0/0/1
[huawei-GigabitEthernet0/0/1]description ###conn to yidong link###
[huawei-GigabitEthernet0/0/1]ip address 202.200.1.1 255.255.255.0
[huawei-GigabitEthernet0/0/1]undo shutdown
[huawei-GigabitEthernet0/0/1]quit
[huawei]interface Vlanif 1
[huawei-Vlanif1]description ###conn to local###
[huawei-Vlanif1]ip address 192.168.1.1 255.255.255.0
[huawei-Vlanif1]undo shutdown
[huawei-Vlanif1]quit
[huawei]firewall zone trust
[huawei-zone-trust]undo add interface GigabitEthernet 0/0/0
[huawei-zone-trust]undo add interface GigabitEthernet 0/0/1

[huawei] firewall packet-filter default permit interzone local yidong direction inbound
[huawei] firewall packet-filter default permit interzone local yidong direction outbound
[huawei] firewall packet-filter default permit interzone trust yidong direction inbound

[huawei]display current-configuration
11:54:30 2010/11/06
#
 acl number 2000
  rule 10 permit source 192.168.1.0 0.0.0.255
#
 sysname huawei
#
 super password level 3 cipher ^]S*H+DFHFSQ=^Q`MAF4<1!!
#
 web-manager enable
#
 info-center timestamp debugging date
#
 firewall packet-filter default permit interzone local trust direction inbound
 firewall packet-filter default permit interzone local trust direction outbound
 firewall packet-filter default permit interzone local untrust direction inbound
 firewall packet-filter default permit interzone local untrust direction outbound
 firewall packet-filter default permit interzone local dmz direction inbound
 firewall packet-filter default permit interzone local dmz direction outbound
 firewall packet-filter default permit interzone local vzone direction inbound
 firewall packet-filter default permit interzone local vzone direction outbound
 firewall packet-filter default permit interzone local dianxin direction inbound
 firewall packet-filter default permit interzone local dianxin direction outbound
 firewall packet-filter default permit interzone local yidong direction inbound
 firewall packet-filter default permit interzone local yidong direction outbound
 firewall packet-filter default permit interzone trust untrust direction inbound
 firewall packet-filter default permit interzone trust untrust direction outbound
 firewall packet-filter default permit interzone trust dmz direction inbound
 firewall packet-filter default permit interzone trust dmz direction outbound
 firewall packet-filter default permit interzone trust vzone direction inbound
 firewall packet-filter default permit interzone trust vzone direction outbound
 firewall packet-filter default permit interzone trust dianxin direction inbound
 firewall packet-filter default permit interzone trust dianxin direction outbound
 firewall packet-filter default permit interzone trust yidong direction inbound
 firewall packet-filter default permit interzone trust yidong direction outbound
 firewall packet-filter default permit interzone dmz untrust direction inbound
 firewall packet-filter default permit interzone dmz untrust direction outbound
 firewall packet-filter default permit interzone untrust vzone direction inbound
 firewall packet-filter default permit interzone untrust vzone direction outbound
 firewall packet-filter default permit interzone dmz vzone direction inbound
 firewall packet-filter default permit interzone dmz vzone direction outbound
#
 dhcp enable

<huawei>display firewall session table
11:38:23 2010/11/06
Current total sessions: 3
icmp VPN: public -> public 192.168.1.2:3[202.100.1.1:23088] -->202.100.1.2:3

Annotations from the original document (comment markers canhong1 to canhong23):
[canhong1]: Default user name and password
[canhong2]: Enter configuration mode
[canhong3]: Set the device name
[canhong4]: Enter the interface
[canhong5]: Describe the interface
[canhong6]: Configure the IP address
[canhong7]: Enable the interface
[canhong8]: Exit interface mode
[canhong9]: Enter the trust zone; the default security priority of the trust zone is 85
[canhong10]: By default G0/0/0 and G0/0/1 belong to the trust zone. In this lab these two interfaces connect to the external network, so they should be removed from the trust zone and added to the untrust zone.
[canhong11]: Add VLANIF 1 to the trust zone
[canhong12]: Create a new zone named dianxin with security priority 4 and add G0/0/0 to it
[canhong13]: Create a new zone named yidong with security priority 3 and add G0/0/1 to it
[canhong14]: Configure ACL 2000 with a rule permitting the internal 192.168.1.0 network
[canhong15]: Enter the trust-dianxin interzone
[canhong16]: Apply ACL 2000 to the packet filter in the outbound direction
[canhong17]: PAT between ACL 2000 and interface G0/0/0
[canhong18]: Same as above
[canhong19]: Enter the VTY user interface and set the authentication mode to password
[canhong20]: Configure the default route towards China Telecom (dianxin)
[canhong23]: View the NAT translation list