第二部分-01usg v500r001c60操作指引验收手册基础版

操作指 T01系统功能验 T01-01操作终端登录验 T01- T01-02显示系统信息功能验 T01-0201显示操作日志功能验 T01-0202显示告警信息功能验 T01-03以太网口双工模式功能验 T01-0301以太网口100M半双工模式功能验 T01-0302以太网口100M全双工模式功能验 T01-0303以太网口1000M全双工模式功能验 T01-04以太网接口配置功能验 T02DUT安全功能验 T02-01GRE功能验 T02-0101GRE功能验 T02-02BFD功能验 T02-0201静态BFD会话功能验 T02-03虚拟系统功能验 T02-0301虚拟系统功能验 T02-04IPSEC功能验 T02-05L2TP功能验 T02-0501L2TPLNS功能验 T02-06统计功能验 T02-0601系统统计功能验 T02-0702内部服务器功能验 T02-0801DetectFtp功能验 T02-09长连接功能验 T02-0901长连接功能验 T02-10Netstream功能验 T02-1001入接口采样功能验 操作指T01系统功能T01-01T01-0101net登录功能验验证产品的net功能正常无正确连接DUTGEPCDUTGE接口的IP配置PC机的IP地址，使PC能够正常通DUT上各个相应接口的在DUT上正确配置net参数PC1上启动net客户端程序，从DUT主控板上的GE0/0/0接口登PC2上启动net客户端程序，从DUT接口板上的GE接口登录DUT，步骤1、2的net均执行成功，可以配置DUT无T01-T01-0102SSH登录功能验DUTSSH无通过交换机正确连接DUTGEPCGE接口的IP配置各PC的IP地址，使各PC能够正常通DUT上各个相应接口IPDUT上正确配置SSH[DUT]EnterPassword:@123ConfirmPassword:[DUT-aaa-manager-user-test]service-typessh[DUT-aaa-manager-user-test]level3[DUT-aaa-manager-user-test][DUT-aaa]bindmanager-usertestrolesystem-admin[DUT-aaa]quit[DUT]user-interfacevty0[DUT-ui-vty0-4]authentication-modeaaa[DUT-ui-vty0-4]protocolinboundssh[DUT-ui-vty0-4]quit[DUT]sshuser[DUT]sshusertestauthentication-typepassword[DUT]sshusertestservice-typesnet[DUT]rsalocal-key-paircreate[DUT]snetserverenablePCSSHDUTGE接口登录DUT无T01-T01-02T01-0201显示操作日志功能验无正确连接DUTConsolePCcdcfcard2:<DUT>cd输入dir命令，显示硬 <DUT>logfile<DUT>cdlogfile<DUT><DUT>more无T01-T01-0202显示告警信息功能验DUT无正确连接DUTConsolePCdisplayalarmall<DUT>displayalarm无T01-T01-03T01-0301以太网口100M半双工模式功能验 1、DUTDUT3PC终端与DUT100M[DUT]interfaceGigabitEthernet1/0/0[DUT-GigabitEthernet1/0/0]undonegotiationauto[DUT-GigabitEthernet1/0/0]speed100[DUT-GigabitEthernet1/0/0]duplexhalf[DUT-GigabitEthernet1/0/0]undoshutdown[DUT-GigabitEthernet1/0/0]quit无T01-T01-0302以太网口100M全双工模式功能验1、DUT3PC终端与DUT100M[DUT]interfaceGigabitEthernet1/0/0[DUT-GigabitEthernet1/0/0]undonegotiationauto[DUT-GigabitEthernet1/0/0]speed100[DUT-GigabitEthernet1/0/0]duplexfull[DUT-GigabitEthernet1/0/0]undoshutdown[DUT-GigabitEthernet1/0/0]quit无T01-T01-0303以太网口1000M全双工模式功能验2PC终端与DUT1000M[DUT]interfaceGigabitEthernet1/0/0[DUT-GigabitEthernet1/0/0]undonegotiationauto[DUT-GigabitEthernet1/0/0]speed1000无T03-T01-04T01-0401MTU配置功能MTU 1、DUTPC2shutdown、undoshutdownMTU无T01-T02DUT安全功能验T02-01GRET02-0101GRE功能验GREPCIPPC1PC2PC2PC1配置DUT接口IP，将接口加入域，域间滤策略打开DUT_A[DUT_A]interfaceTunnel819[DUT_A-Tunnel819]quit[DUT_A]iproute-static24Tunnel819[DUT_A]firewallzonetrust[DUT_A-zone-trust]addinterfaceTunnel819DUT_B[DUT_B-Tunnel819]ipaddress[DUT_B-Tunnel819]source[DUT_B]iproute-static24Tunnel819[DUT_B]firewallzonetrust[DUT_B-zone-trust]addinterfaceTunnel[DUT_B-zone-DUT_A能够通：99PC2能够通：无T02-T02-02BFDT02-0201静态BFD会话功能验BFDDUT_A的接口板的接口IP/24DUT_A与DUT_B可以互相通DUT_ABFD,BFD[DUT_A]bfd[DUT_A]bfdtestbindpeer-ip[DUT_A-bfd-session-test]discriminatorlocal10[DUT_A-bfd-session-test]discriminatorremote20DUT_BBFD,BFD[DUT_B]bfd[DUT_B]bfdtestbindpeer-ip[DUT_B-bfd-session-test]discriminatorlocal20[DUT_B-bfd-session-test]discriminatorremote10[DUT_B-bfd-session- DUT_ADUT_BBFD1 DUT_ADUT_BBFD无T02-T02-03T02-0301虚拟系统功能DUT创建虚拟系 [DUT]vsys [DUT]resource-class[DUT-resource-class-r1]resource-item-limitpolicy-number10[DUT-resource-class-r1]resource-item-limitsession-number100um[DUT]vsysname1[DUT-vsys-1]assigninterfaceGigabitEthernet1/0/0[DUT-vsys-1]assigninterfaceGigabitEthernet1/0/1[DUT-vsys-1]assignresource-classr1[DUT-vsys-DUT接口，并将其加入对应虚拟系统安全域，配置虚拟系统域间安全策略[DUT]switchvsys<DUT-1>system- 1-GigabitEthernet1/0/0]ipaddress24 1-GigabitEthernet1/0/1]ipaddress8 1]firewallzone 1-zone-trust]addinterfaceGigabitEthernet1/0/0 1]firewallzone 1-zone-untrust]addinterfaceGigabitEthernet1/0/1 1]security- 1-policy-security]rulename 1-policy-security-rule-0]servicetcp 1-policy-security-rule-0]actionpermit 1-policy-[DUT-1]firewallinterzonetrustuntrust[DUT-1-interzone-trust-untrust]detectftp[DUT-1-interzone-trust-untrust]quit[DUT-<DUT- PC1通过FTPPC2，可看到结果1 PC1通过FTPPC2成功，可以进行正常数据传输无T02-T02-04IPSECT02-0401ISAKMP自协商PCIPPC1PC2PC2PC1配置DUT接口IP，将接口加入域，打开滤[DUT_A]iproute-static24[DUT_B]iproute-static24DUT_A[DUT_A]acl[DUT_A-acl-adv-3302]rulepermitipsource55[DUT_A]ikeproposal16[DUT_A-ike-proposal-16]authentication-methodpre-share[DUT_A-ike-proposal-16]dhgroup5[DUT_A-ike-proposal-16]quit[DUT_A]ikepeer[DUT_A-ike-peer-mpeer]exchange-modemain[DUT_A-ike-peer-mpeer]ike-proposal16[DUT_A-ike-peer-mpeer]local-id-typeip[DUT_A-ike-peer-mpeer]pre-shared-keymaintest[DUT_A-ike-peer-mpeer]quit[DUT_A]ipsecproposal[DUT_A-ipsec-proposal-mppl]transformesp[DUT_A-ipsec-proposal-mppl]espauthentication-algorithmsha2-256[DUT_A-ipsec-proposal-mppl]espencryption-algorithmaes-256[DUT_A-ipsec-proposal-mppl]quit[DUT_A]ipsecpolicympolicy1[DUT_A-ipsec-policy-isakmp-mpolicy-1]undopfs[DUT_A-ipsec-policy-isakmp-mpolicy-1]proposalmppl[DUT_A-ipsec-policy-isakmp-mpolicy-1]securityacl3302[DUT_A-ipsec-policy-isakmp-mpolicy-1]quit[DUT_A-GigabitEthernet1/0/20]ipsecpolicyDUT_B[DUT_B]acl[DUT_B-acl-adv-3302]rulepermitipsource55[DUT_B]ikeproposal16[DUT_B-ike-proposal-16]authentication-methodpre-share[DUT_B-ike-proposal-16]dhgroup5[DUT_B-ike-proposal-16]quit[DUT_B]ikepeer[DUT_B-ike-peer-mpeer]exchange-modemain[DUT_B-ike-peer-mpeer]ike-proposal16[DUT_B-ike-peer-mpeer]local-id-typeip[DUT_B-ike-peer-mpeer]undoversion2[DUT_B-ike-peer-mpeer]quit[DUT_B]ipsecproposal[DUT_B-ipsec-proposal-mppl]transformesp[DUT_B-ipsec-proposal-mppl]espauthentication-algorithmsha2-256[DUT_B-ipsec-proposal-mppl]espencryption-algorithmaes-256[DUT_B-ipsec-proposal-mppl]quit[DUT_B]ipsecpolicympolicy1[DUT_B-ipsec-policy-isakmp-mpolicy-1]undopfs[DUT_B-ipsec-policy-isakmp-mpolicy-1]proposalmppl[DUT_B-ipsec-policy-isakmp-mpolicy-1]securityacl3302[DUT_B-ipsec-policy-isakmp-mpolicy-1]quit[DUT_B-GigabitEthernet4/0/0]ipsecpolicyPC1去PC2，可以得到结果1PC1可以通PC2DUT_A、DUT_BIPSecsa无T02-T02-0402Manual手工方式协商功能验PCIPPC1PC2PC2PC1配置DUT接口IP，将接口加入域，打开滤[DUT_A]iproute-static24[DUT_B]iproute-static24DUT_A[DUT_A]acl[DUT_A-acl-adv-3001]rulepermitipsource55[DUT_A-acl-adv-3001]quit[DUT_A]ipsecproposaltest[DUT_A-ipsec-proposal-test]transformesp[DUT_A-ipsec-proposal-test]espauthentication-algorithmsha2-256[DUT_A-ipsec-proposal-test]espencryption-algorithmaes-256[DUT_A-ipsec-proposal-test]quit[DUT_A]ipsecpolicytest11[DUT_A-ipsec-policy-manual-test1-1]securityacl3001[DUT_A-ipsec-policy-manual-test1-1]proposaltest[DUT_A-ipsec-policy-manual-test1-1]tunnelremote[DUT_A-ipsec-policy-manual-test1-1]tunnellocal[DUT_A-ipsec-policy-manual-test1-1]saspiinboundesp12345[DUT_A-ipsec-policy-manual-test1-1]saspioutboundesp54321[DUT_A-ipsec-policy-manual-test1-1]sastring-keyinboundespabcdefg[DUT_A-ipsec-policy-manual-test1-1]sastring-keyoutboundespgfedcba[DUT_A-ipsec-policy-manual-test1-1]quit[DUT_A-GigabitEthernet1/0/20]ipsecpolicy DUT_B[DUT_B]acl[DUT_B-acl-adv-3001]rulepermitipsource55[DUT_B-acl-adv-3001]quit[DUT_B]ipsecproposaltest[DUT_B-ipsec-proposal-test]transformesp[DUT_B-ipsec-proposal-test]espauthentication-algorithmsha2-256[DUT_B-ipsec-proposal-test]espencryption-algorithmaes-256[DUT_B-ipsec-proposal-test]quit[DUT_B]ipsecpolicytest11[DUT_B-ipsec-policy-manual-test1-1]securityacl3001[DUT_B-ipsec-policy-manual-test1-1]proposaltest[DUT_B-ipsec-policy-manual-test1-1]tunnelremote[DUT_B-ipsec-policy-manual-test1-1]tunnellocal[DUT_B-ipsec-policy-manual-test1-1]saspiinboundesp54321[DUT_B-ipsec-policy-manual-test1-1]saspioutboundesp12345[DUT_B-ipsec-policy-manual-test1-1]sastring-keyinboundespgfedcba[DUT_B-ipsec-policy-manual-test1-1]sastring-keyoutboundespabcdefg[DUT_B-ipsec-policy-manual-test1-1]quit[DUT_B-GigabitEthernet4/0/0]ipsecpolicyPC1可以通PC2DUT_A、DUT_BdisplayipsecsaIPSecSA的信无T02-T02-0403Templat模板功能验TemplatePCIPPC1PC2PC2PC1PC1上已配置安全提议和安全策略，DUTPC1配置DUT接口IP，将接口加入域，打开滤DUT[DUT]acl[DUT-acl-adv-3302]rulepermitip[DUT-acl-adv-3302]quit[DUT]ikeproposal[DUT-ike-proposal-16]authentication-methodpre-share[DUT-ike-proposal-16]dhgroup5[DUT-ike-proposal-16]quit[DUT]ikepeer[DUT-ike-peer-mpeer]exchange-modemain[DUT-ike-peer-mpeer]ike-proposal16[DUT-ike-peer-mpeer]local-id-typeip[DUT-ike-peer-mpeer]pre-shared-keymaintest[DUT-ike-peer-mpeer]undoversion2[DUT]ipsecproposal[DUT-ipsec-proposal-mppl]transformesp[DUT-ipsec-proposal-mppl]espauthentication-algorithmsha2-256[DUT-ipsec-proposal-mppl]espencryption-algorithmaes-256[DUT-ipsec-proposal-mppl]quit[DUT]ipsecpolicy-templatemtemp[DUT-ipsec-policy-templet-mtemp-1]ike-peermpeer[DUT-ipsec-policy-templet-mtemp-1]proposalmppl[DUT-ipsec-policy-templet-mtemp-1]securityacl3302[DUT-ipsec-policy-templet-mtemp-1]quit[DUT]ipsecpolicympolicy1isakmptemplatemtemp[DUT]interfaceGigabitEthernet1/0/1[DUT-GigabitEthernet1/0/1]ipsecpolicyPC1能够通PC2DUTdisplayipsecsa能够得到IPSecsa无T02-T02-05L2TPT02-0501L2TPLNS功能验DUT做为L2TPLNSPCIP地址以及主机名称、Sever的IPFTP，网关IPPCIPclient，网关IP PC的拨号地址为DUT上配置的地址。[DUT]l2tpenable[DUT]ippool[DUT-ip-pool-l2tp]section000[DUT-ip-pool-l2tp]quit[DUT-aaa]manager-user ]passwordcipherAdmin@123 [DUT-aaa]service-scheme[DUT-[DUT-Virtual-Template10]ipaddress[DUT-Virtual-Template10]remoteservice-schemel2tp[DUT-Virtual-Template10]pppauthentication-modeThecommandisusedtoconfigurethePPPauthenticationmodeonthelocalend.ConfirmthatthepeerendadoptsthecorrespondingPPPauthentication.Info:PAPisnotasecureprotocol,andCHAPis [DUT-Virtual-Template10]quit[DUT]l2tp-group[DUT-l2tp10]undotunnelWarning:Deletetunnelauthentication,mayleadingtosecuirtyContinue?[DUT-l2tp10]allowl2tpvirtual-template10remoteclient[DUT]user-manageuserl2tpuser[DUT]firewallzonedmz[DUT-zone-dmz]addinterfaceGigabitEthernet1/0/12[DUT-zone-dmz]quit[DUT]firewallzone[DUT-zone-trust]addinterfaceVirtual-Template10[DUT-zone-trust]quit[DUT]firewallzone[DUT-zone-untrust]addinterfaceGigabitEthernet1/0/20[DUT-zone-untrust]quit[DUT]security-[DUT-policy-security]defaultactionWarning:SettingthedefaultpacketfilteringtopermitposessecurityYouareadvisedtoconfigurethesecuritypolicyontheactualdataflows.AreyousureyouwanttoPC上能够使用用户名为test、为Admin@123的用户正常拨号成PC能够通过虚拟网卡FTP服务上提供的服务无T02-T02-06统计功能验T02-0601系统统计功能测试DUT统计功PCIP两台PC上均安装并启动 <DUT>system-[DUT-GigabitEthernet1/0/0]ipaddress24[DUT-GigabitEthernet1/0/0]quit[DUT-GigabitEthernet1/0/1]ipaddress8[DUT-GigabitEthernet1/0/1]quit[DUT]firewallzone[DUT-zone-trust]addinterfaceGigabitEthernet1/0/0[DUT-zone-trust]quit[DUT]firewallzone[DUT-zone-untrust]addinterfaceGigabitEthernet1/0/1[DUT-zone-untrust]quit[DUT]security-[DUT-policy-security]defaultactionWarning:Settingthedefaultpacketfilteringtopermitposessecurityrisks.Youareadvisedtoconfigurethesecuritypolicybasedontheactualdataflows.Areyousureyouwanttocontinue?[Y/N]y[DUT-policy-[DUT]displayfirewallstatisticsystem无T02-T02-07NATT02-0701域间出方向NAT功能DUT的域间出方向NAT PCIPPC1PC2PC2FTP[DUT-GigabitEthernet1/0/0]ipaddress24[DUT-GigabitEthernet1/0/0]quit[DUT-GigabitEthernet1/0/1]ipaddress8[DUT-GigabitEthernet1/0/1]quit[DUT]firewallzone[DUT-zone-trust]addinterfaceGigabitEthernet1/0/0[DUT-zone-trust]quit[DUT]firewallzone[DUT-zone-untrust]addinterfaceGigabitEthernet1/0/1[DUT-zone-untrust]quit配置域间滤策略、ASPF及出方向NAT策略[DUT]security-[DUT-policy-security]rulename[DUT-policy-security-rule-test]source-zone[DUT-policy-security-rule-test]actionpermit[DUT-policy-security-rule-[DUT-policy-[DUT]nat-[DUT-policy-nat]rulename[DUT-policy-nat-rule-test]source-zone[DUT-policy-nat-rule-test]destination-zone[DUT-policy-nat-rule-test]actionnataddress-grouptest[DUT-diagnose]displaypolicyacceleratestatusCPU1inslot2:Policyaccelerated,thestatusisuptodate.CPU3inslot2:Policyaccelerated,thestatusisuptodate[DUT]firewallinterzonetrustuntrust[DUT-interzone-trust-untrust]detect PC1通过FTPPC2，同时查看DUT会话表，可看到预期结果PC1通过FTPPC2成功，查看DUT会话表Session已做地址转换无T02-T02-0702内部服务器功能验DUT的内部服务器NatServer PCIPPC1PC2PC1FTP[DUT-GigabitEthernet1/0/0]ipaddress24[DUT-GigabitEthernet1/0/0]quit[DUT-GigabitEthernet1/0/1]ipaddress8[DUT-GigabitEthernet1/0/1]quit[DUT]firewallzone[DUT-zone-trust]addinterfaceGigabitEthernet1/0/0[DUT-zone-trust]quit[DUT]firewallzone[DUT-zone-untrust]addinterfaceGigabitEthernet1/0/1[DUT-zone-untrust]quit[DUT]natservertestglobal9inside配置域间滤策略、ASPF及出方向NAT策略[DUT]security-[DUT-policy-security]rulename[DUT-policy-security-rule-test]source-zone[DUT-policy-security-rule-test]actionpermit[DUT]nat-[DUT-policy-nat]rulename[DUT-policy-nat-rule-test]source-zone[DUT-policy-nat-rule-test]destination-zone[DUT-policy-nat-rule-test]actionnataddress-grouptest[DUT-diagnose]displaypolicyacceleratestatusCPU1inslot2:Policyaccelerated,thestatusisuptodate.CPU3inslot2:Policyaccelerated,thestatusisuptodate[DUT]firewallinterzonetrustuntrust[DUT-interzone-trust-untrust]detectPC2通过FTP9，同时查看DUT会话表，可看到预期结果PC2通过FTP9成功，可以进行正常数据传输，查看DUT会话Session无T02-T02-0703PCP功能DUTPCP [DUT-GigabitEthernet1/0/0]ipaddress24[DUT-GigabitEthernet1/0/0]quit[DUT-GigabitEthernet1/0/1]ipaddress8[DUT-GigabitEthernet1/0/1]quit[DUT]firewallzone[DUT-zone-trust]addinterfaceGigabitEthernet1/0/0[DUT-zone-trust]quit[DUT]firewallzone[DUT-zone-untrust]addinterfaceGigabitEthernet1/0/1[DUT-zone-untrust]quitPCP[DUT]nataddress-grouptest[DUT-address-group-test]section0配置域间滤策略和PCP策略[DUT]security-[DUT-policy-security]rulename[DUT-policy-security-rule-test]source-zone[DUT-policy-security-rule-test]actionpermit[DUT-policy-security]rulenametest2[DUT-policy-security-rule-test2]source-zone[DUT-policy-security-rule-test2]destination-zone[DUT-policy-security-rule-test2]actionpermit[DUT-policy-pcp]rulename[DUT-policy-pcp-rule-test]source-zone[DUT-policy-pcp-rule-test]actionnataddress-grouptest[DUT-policy-TesterPort_1PCPMAPIPDUT会Servermap1。5351，servermap广播，类PCP，servermap转换关系正确。无T02-T02-08ASPFT02-0801DetectFtp功能验DUTFTPPCIPPCFTP[DUT-GigabitEthernet1/0/0]ipaddress24[DUT-GigabitEthernet1/0/0]quit[DUT]firewallzonetrust[DUT-zone-trust]addinterfaceGigabitEthernet1/0/0[DUT-zone-trust]quit[DUT]firewallzone[DUT-zone-untrust]addinterfaceGigabitEthernet1/0/1[DUT-zone-untrust]quit配置域间滤策略[DUT]security-[DUT-policy-security]rulename[DUT-policy-security-rule-1]source-zone[DUT-policy-security-rule-1]serviceftpPC1通过FTPPC2，看到预期结果1。DUTFTP[DUT]firewallinterzonetrustuntrust[DUT-interzone-trust-untrust]detectftp[DUT-interzone-trust-untrust]quitPC1通过FTPPC2，看到预期结果2PC1通过FTPPC2，数据传输不成功PC1通过FTPPC2成功，能够正常传输数据无T02-T02-0802DetectUser-Defined功能验PCIPPC2上安装并启动Tftp[DUT-GigabitEthernet1/0/0]ipaddress24[DUT-GigabitEthernet1/0/0]quit[DUT-GigabitEthernet1/0/1]ipaddress8[DUT-GigabitEthernet1/0/1]quit[DUT]firewallzone[DUT-zone-trust]addinterfaceGigabitEthernet1/0/0[DUT-zone-trust]quit[DUT]firewallzone[DUT-zone-untrust]addinterfaceGigabitEth