Published: Thursday. Article: Huawei Firewall Configuration and Usage Manual (self-written), update complete
[USG5300] dhcp enable (enables the DHCP service; it is enabled by default)
[USG5300] interface Vlan-interface2
[USG5300-Vlanif2] ip address 219.225.149.1 255.255.255.0
[USG5300-Vlanif2] dhcp select interface (enables the DHCP function on the interface)
[USG5300-Vlanif2] dhcp server static-bind ip-address 219.225.149.8 mac-address 00e0-4c58-0d26 (binds an IP address to a MAC address. Some clients, such as a WWW server, need a fixed, statically assigned IP address; in that case the IP address can be bound to the client's MAC address on the DHCP server side.)
[USG5300-Vlanif2] dhcp server dns-list 219.225.128.6 219.225.159.6 (specifies the DNS addresses)
[USG5300-Vlanif2] dhcp server ip-range 10.1.1.1 10.1.1.100 (sets the IP address range of the interface address pool; by default the range is the network segment that contains the interface's IP address)
[USG5300] dhcp server forbidden-ip 10.110.1.1 10.110.1.63 (sets the IP addresses in the DHCP address pool that are excluded from automatic assignment)
2.3.2 Global DHCP function
[USG5300] dhcp enable
[USG5300] dhcp server ip-pool 136 (defines a global address pool; the name is your own choice)
[USG5300-dhcp-136] network 219.225.136.0 mask 255.255.255.0 (the IP range this address pool can assign)
[USG5300-dhcp-136] gateway-list 219.225.136.1 (the gateway must be specified; otherwise automatically assigned IP addresses have no gateway)
[USG5300-dhcp-136] dns-list 219.225.128.6 (DNS configuration)
[USG5300-dhcp-136] static-bind ip-address 10.1.1.1 mask 255.255.255.0
[USG5300-dhcp-136] static-bind mac-address 0000-e03f-0305
#
[USG5300] dhcp server ip-pool 149 (defines a global address pool; the name is your own choice)
[USG5300-dhcp-149] network 219.225.149.0 mask 255.255.255.0 (the IP range this address pool can assign)
[USG5300-dhcp-149] gateway-list 219.225.149.1 (the gateway given to hosts that obtain their IP address automatically)
[USG5300-dhcp-149] dns-list 219.225.128.6 (DNS configuration)
[USG5300] interface Vlan-interface2 (defines the VLAN interface; the number is your own choice)
[USG5300-Vlanif2] dhcp select global (enables the dhcp select global function on the interface)
[USG5300-Vlanif2] ip address 219.225.136.1 255.255.255.0 (the VLAN interface must be given an IP address, the same IP as the gateway; the system uses the interface IP and mask to decide which IP pool to assign addresses from)
[USG5300] interface Vlan-interface3 (defines the VLAN interface; the number is your own choice)
[USG5300-Vlanif3] dhcp select global (enables the dhcp select global function on the interface)
[USG5300-Vlanif3] ip address 219.225.149.1 255.255.255.0 (the VLAN interface must be given an IP address, the same IP as the gateway; the system uses the interface IP and mask to decide which IP pool to assign addresses from)
2.4 Configuring transparent mode
At present Huawei firewalls have no command for transparent mode; the only way is to use a VLAN and add the ports to the VLAN.
[USG5300] vlan 2
[USG5300] int g0/0/0
[USG5300-GigabitEthernet0/0/0] portswitch
[USG5300-GigabitEthernet0/0/0] port link-type access
[USG5300-GigabitEthernet0/0/0] port access vlan 2
[USG5300] int g0/0/1
[USG5300-GigabitEthernet0/0/1]portswitch
[USG5300-GigabitEthernet0/0/1] port link-type access
[USG5300-GigabitEthernet0/0/1] port access vlan 2
Then add the corresponding ports to the corresponding zones and that is all! Generally only the physical interfaces need to be added. If the firewall is used only between the servers and the intranet, the interface connected to the servers is generally set to trust and the intranet to untrust.
Sub-interface configuration: a sub-interface cannot be configured with the portswitch command, but a sub-interface can be assigned to a VLAN.
[USG5300-GigabitEthernet0/0/3] int g0/0/3.1
[USG5300-GigabitEthernet0/0/3.1] vlan-type dot1q 60
This associates GigabitEthernet 0/0/3.1 with VLAN ID 60; the encapsulation format of Ethernet sub-interface GigabitEthernet 0/0/3.1 is dot1q.
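2.5 Configuring the clock
In user mode
2.6 System update
2.6.1 Upgrading with commands
1. First upload the upgrade file to the firewall.
2.
The version file used at startup.
the configuration file used at that time; this is an optional setting
3. display startup ### verify the configuration
4. Restart the firewall with reboot. After the reboot command is executed, the device displays two prompts asking whether to continue; restart without saving the configuration.
5. User-mode command. If you have a license, it can be loaded with a command. System-view command:
[USG5300] license file license.dat
Then restart the system with the reboot command; be sure not to save the configuration when restarting.
6. Loading a patch:
1. In any view, run display patch-information to view the patch information. Sample output:
2. If there is no patch information, the patch can be loaded directly; if there is patch information, the existing patch must be deleted before loading. Example: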
[USG5300] patch delete V300R001C10SPH101.pat
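3. Load the patch: [USG5300] patch load V300R001C10SPH102.pat
4. Activate the patch: [USG5300] patch active V300R001C10SPH102.pat
5. Run the patch: [USG5300] patch run V300R001C10SPH102.pat
2.6.2 Upgrading through the graphical interface
Click Maintenance > System Update.
Select the system file to update and click Import.
When upgrading through the graphical interface, there is no need to save the configuration after the upgrade completes; just restart.
To load a license through the graphical interface: select the license file, then click Activate.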
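2.7 Configuring firewall policies
Policy requirements:
The policies for policy interzone trust dmz outbound have the following requirements:
1. Source address 10.28.197.143 can access all destination addresses, with all services open.
2. Any source address; destination addresses 192.168.1.5, 192.168.1.6 and 192.168.1.7, with ports 80, 8080, 443 and 3389 open.
3. Any source address accessing destination addresses 192.168.1.10 and 192.168.1.11, with all services open.
All three require the ICMP protocol to be open.
Here the source is the higher-priority trust zone, 10.28.197.X, and the destination is the lower-priority dmz zone, 192.168.1.X.
If a policy does not state the source and destination, they mean any.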
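The three requirements above can be written as an ordered rule list and checked against sample flows before they are typed into the firewall. This Python code is an added example, not part of the original manual; it also reports which TCP ports a range such as 8080 to 8090 in the custom service would open beyond requirement 2. Assumptions: first-match evaluation, default deny for unmatched flows, the labels req1/req2/req3 and the sample flows.

```python
# Added example (not from the manual): requirements 1-3 as an ordered rule list.
from ipaddress import ip_address, ip_network

ANY = [ip_network("0.0.0.0/0")]
ALL = None  # "all services open"

def hosts(*addrs):
    return [ip_network(a + "/32") for a in addrs]

def services(*tcp_ports):
    # TCP ports plus ICMP, which all three requirements ask for
    return {("tcp", p) for p in tcp_ports} | {("icmp", None)}

REQUIRED = services(80, 8080, 443, 3389)                # requirement 2 as written
AS_RANGE = services(80, 443, 3389, *range(8080, 8091))  # with "8080 to 8090"

def build_rules(req2_services):
    # (name, sources, destinations, services); names are labels for this example
    return [
        ("req1", hosts("10.28.197.143"), ANY, ALL),
        ("req2", ANY, hosts("192.168.1.5", "192.168.1.6", "192.168.1.7"), req2_services),
        ("req3", ANY, hosts("192.168.1.10", "192.168.1.11"), ALL),
    ]

def evaluate(rules, src, dst, proto, port=None):
    """Return the first matching rule name; unmatched flows are denied (assumed default)."""
    s, d = ip_address(src), ip_address(dst)
    key = (proto, None if proto == "icmp" else port)
    for name, srcs, dsts, allowed in rules:
        if not (any(s in n for n in srcs) and any(d in n for n in dsts)):
            continue
        if allowed is ALL or key in allowed:
            return name
    return "deny"

def excess_tcp_ports(configured, required):
    """TCP ports a service set opens beyond what the requirement lists."""
    return sorted(p for proto, p in configured - required if proto == "tcp")

if __name__ == "__main__":
    rules = build_rules(REQUIRED)
    flows = [  # constructed sample flows, trust -> dmz
        ("10.28.197.143", "192.168.1.200", "tcp", 22),
        ("10.28.197.10", "192.168.1.5", "tcp", 443),
        ("10.28.197.10", "192.168.1.5", "tcp", 22),
        ("10.28.197.10", "192.168.1.6", "icmp", None),
        ("10.28.197.10", "192.168.1.11", "udp", 53),
    ]
    for flow in flows:
        print(flow, "->", evaluate(rules, *flow))
    print("extra ports with range form:", excess_tcp_ports(AS_RANGE, REQUIRED))
```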
Configuration method:
ip service-set test1 type object //create a custom service
service 0 protocol tcp destination-port 8080
service 1 protocol tcp destination-port 3389
A range can also be specified, for example:
service 1 protocol tcp destination-port 8080 to 8090
ip service-set test type group //create a service group; custom services you created or predefined services can be added to the service group.
service 0 service-set http
service 1 service-set https
service 2 service-set icmp
service 3 service-set test1 //add the custom service created above to the service group
policy interzone trust dmz outbound //configure the interzone packet-filtering policy; 3 requirements, 3 policies
policy 0
action permit
policy source 10.28.197.143 mask 255.255.255.255
policy 1