
NetScreen Commands: An In-Depth Guide

2018-04-09 | 移动技术网, Network Operations

 

Beginner's Guide

1. Upgrading ScreenOS can be done in two ways: through the web interface, or through the command-line interface.

Web interface: Configuration > Update > ScreenOS/Keys, select Firmware Update (ScreenOS), click Browse to choose the ScreenOS image, then click Apply.

Command line:
    > save software from tftp 192.168.3.1 ns5gt.5.0.0r8.1 to flash
Press Enter to start the upgrade.

Note: upgrading from the command line does not require attention to version ordering, whereas a web upgrade must be done in stages, one version step at a time.

2. Restoring factory defaults: via command, or by entering the serial number.

Via command:
    > unset all
Answer y at the prompt, then:
    > reset
Answer n, then y, at the prompts.

Via serial number: when the command line asks for a username and password, enter the device serial number as both the username and the password, then follow the prompts.

3. Viewing the NetScreen license

Web interface: shown under Configuration > Update > ScreenOS/Keys.

Command line:
    > get license-key

4. Importing a configuration file

Replace the existing configuration: a. Configuration > Update > Config File, select Replace Current Configuration, click Browse to choose the file, confirm, and reboot the firewall; b. from the command line:
    > save config from tftp 192.168.3.1 5gt.cfg to flash

Merge the new configuration into the existing one: a. Configuration > Update > Config File, select Merge to Current Configuration, click Browse to choose the file, confirm, and reboot the firewall; b. from the command line:
    > save config from tftp 192.168.3.1 5gt.cfg merge from trust

5. Exporting a configuration file

Web interface: Configuration > Update > Config File, click Save to File.

Command line:
    > save config from flash to tftp 192.168.3.1 ns5gt.cfg

6. Changing the management port: Configuration > Admin > Management, change the HTTP Port.

7. Turning off a permanently lit alarm LED:

    > clear alarm traffic
    > clear alarm event
    > clear led alarm

 

 

NSRP: NetScreen operating modes

I. Active/passive NSRP configuration

1. Assign a single number as the NSRP cluster ID, which places the device in an NSRP cluster and a VSD group:
    > set nsrp cluster id number

2. Enable automatic RTO synchronization:
    > set nsrp rto sync all

3. Select the ports the device should monitor, so that the device fails over when it detects loss of network connectivity on any monitored port.

Example:

(NetScreen-A)

1). Interfaces
set interface ethernet7 zone ha
set interface ethernet8 zone ha
set interface ethernet1 zone untrust
set interface ethernet1 ip 210.1.1.1/24
set interface ethernet3 zone trust
set interface ethernet3 ip 10.1.1.1/24
set interface ethernet3 manage-ip 10.1.1.20
set interface ethernet3 nat

2). NSRP
set nsrp rto-mirror sync
set nsrp monitor interface ethernet1
set nsrp monitor interface ethernet3
set nsrp cluster id 1
save

(NetScreen-B)

3). Interfaces
set interface ethernet7 zone ha
set interface ethernet8 zone ha
set interface ethernet1 zone untrust
set interface ethernet1 ip 210.1.1.1/24
set interface ethernet3 zone trust
set interface ethernet3 ip 10.1.1.1/24
set interface ethernet3 manage-ip 10.1.1.21
set interface ethernet3 nat

4). NSRP
set nsrp rto-mirror sync
set nsrp monitor interface ethernet1
set nsrp monitor interface ethernet3
set nsrp cluster id 1
save

5). After applying this configuration, enter the get nsrp command to check the default NSRP settings that the device created automatically.

 

II. NetScreen clusters

1. A. Define the cluster name:
    > set nsrp cluster name name_str

Set the SNMP host name:
    > set snmp name name_str

Authentication and encryption:
    > set nsrp auth password pswd_str
    > set nsrp encrypt password pswd_str

B. Create the NSRP cluster

(NetScreen-A)

1). NSRP cluster and communication security
set nsrp cluster id 1
set nsrp auth password 725dCaIgDL
set nsrp encrypt password WiJoaw4177
save

(NetScreen-B)

2). NSRP cluster and communication security
set nsrp cluster id 1
set nsrp auth password 725dCaIgDL
set nsrp encrypt password WiJoaw4177
save

3). NSRP settings
set nsrp cluster name cluster1
set nsrp monitor interface ethernet1
set nsrp monitor interface ethernet2
set nsrp secondary-path ethernet2
set nsrp arp 5
save

2. Enable RTO synchronization:
    > set nsrp rto-mirror sync
    > save

3. Define the interval at which heartbeats are sent while in RTO mirror state:
    > set nsrp rto-mirror hb-interval number

4. Disable RTO session synchronization:
    > set nsrp rto-mirror session off

5. VSD (Virtual Security Device) groups

A. A Virtual Security Device (VSD) group is a pair of physical NetScreen devices that together form one VSD group. One physical device acts as the master of the VSD group; the VSD's Virtual Security Interfaces (VSIs) are bound to the master's physical interfaces. The other physical device acts as the backup.

Under the initial NSRP configuration, the VSD group member whose priority number is closest to 0 becomes the master (the default value is 100). If both devices have the same priority value, the device with the lowest MAC address becomes the master.

B. Preempt option: by placing the device that should become master in preempt mode, you determine whether the device with the better priority number (closer to zero) can initiate a failover. If this option is disabled, a master whose priority is worse than the backup's keeps its position (unless some other factor, such as an internal problem or loss of network connectivity, triggers a failover).

C. Hold-down time: using a hold-down time to delay failover prevents the churn of rapid failovers when an adjacent switch port flaps, and gives the surrounding network devices enough time to negotiate new links before the new master comes into service.

D. Enable or disable the preempt option:
    > set/unset nsrp vsd-group id id_num preempt

E. Set the hold-down time (0-600 seconds):
    > set nsrp vsd-group id id_num preempt hold-down number

6. VSD group states

1. Master; 2. Primary backup; 3. Backup; 4. Initial; 5. Ineligible; 6. Inoperable

Add a VSD group member device:
    > set nsrp vsd-group id id_num

Specify how long a VSD group member stays in the initial state (default 5; init-hold x heartbeat interval = initial-state hold time):
    > set nsrp vsd-group init-hold number

Set the ineligible state:
    > set nsrp vsd-group id id_num mode ineligible

Set the interval for sending VSD heartbeats:
    > set nsrp vsd-group hb-interval number

Set the lost-heartbeat threshold:
    > set nsrp vsd hb-threshold number

 

Trust and Untrust zone VSIs

Example:

(Device A)

1). Interfaces
set interface ethernet3 zone trust
set interface ethernet3 ip 10.1.1.1/24
set interface ethernet3 manage-ip 10.1.1.21
set interface ethernet3 nat
set interface ethernet1 zone untrust
set interface ethernet1 ip 210.1.1.1/24

(Device B)

2). Management IP address
set interface ethernet3 manage-ip 10.1.1.22

3). Virtual security interfaces
set interface ethernet1:1 ip 210.1.1.2/24
set interface ethernet3:1 ip 10.1.1.2/24

4). Routes
set vrouter trust-vr route 0.0.0.0/0 interface ethernet1 gateway 210.1.1.250
set vrouter trust-vr route 0.0.0.0/0 interface ethernet1:1 gateway 210.1.1.250
save

 

7. Synchronizing configurations

Check whether one device's configuration is in sync with the other's:
    > exec nsrp sync global-config check-sum

If they are out of sync, synchronize with one of the following:
    > exec nsrp sync global-config save   (requires a reboot)
    > exec nsrp sync global-config run    (no reboot required)

Before synchronizing, if you have not run unset all on the local device, the local device appends the remote device's configuration to its existing settings, and after synchronization every duplicated setting generates an error message. To avoid these error messages when synchronizing:

1). Download the local and remote configurations to a workstation.

2). Use an application such as WinDiff to identify the differences between the files.

3). On the local device, manually enter the settings that were added, modified, or deleted on the remote device.
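The three-step procedure above, as an added Python example (not ScreenOS code and not part of the original page): it compares two ScreenOS configuration dumps statement by statement and separates settings that legitimately differ between NSRP peers (here manage-ip, snmp name and hostname, a list I chose) from real drift that must be typed in on the local device. The two configuration dumps are constructed from the NetScreen-A/NetScreen-B examples earlier on this page.

```python
import re
from typing import Dict, List, Set

# Settings expected to differ between NSRP peers (per-device identity).
# Assumed list; extend it for other per-device statements in your config.
PER_DEVICE = (
    re.compile(r"^set interface \S+ manage-ip "),
    re.compile(r"^set snmp name "),
    re.compile(r"^set hostname "),
)

# Constructed sample dumps based on the NetScreen-A / NetScreen-B example.
LOCAL_CFG = """\
set interface ethernet3 zone trust
set interface ethernet3 ip 10.1.1.1/24
set interface ethernet3 manage-ip 10.1.1.20
set nsrp cluster id 1
set nsrp arp 5
set nsrp monitor interface ethernet1
save
"""
REMOTE_CFG = """\
set interface ethernet3 zone trust
set interface ethernet3 ip   10.1.1.1/24
set interface ethernet3 manage-ip 10.1.1.21
set nsrp cluster id 1
set nsrp monitor interface ethernet1
set nsrp monitor interface ethernet3
set nsrp rto-mirror sync
"""


def parse(cfg: str) -> Set[str]:
    """Return the normalized set of configuration statements in a dump."""
    statements = set()
    for raw in cfg.splitlines():
        line = " ".join(raw.split())          # collapse stray whitespace
        if not line or line == "save" or line.startswith("#"):
            continue                          # not a configuration statement
        statements.add(line)
    return statements


def is_per_device(line: str) -> bool:
    return any(p.match(line) for p in PER_DEVICE)


def compare(local: str, remote: str) -> Dict[str, List[str]]:
    """Classify differences between the two dumps.

    apply      - present on the remote only: enter these on the local device
    extra      - present on the local only: remove, or push to the peer
    per_device - expected per-device differences, leave them alone
    """
    l, r = parse(local), parse(remote)
    return {
        "apply": sorted(x for x in r - l if not is_per_device(x)),
        "extra": sorted(x for x in l - r if not is_per_device(x)),
        "per_device": sorted(x for x in l ^ r if is_per_device(x)),
    }


if __name__ == "__main__":
    for kind, items in compare(LOCAL_CFG, REMOTE_CFG).items():
        print(kind)
        for item in items:
            print("   ", item)
```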

 

8. Synchronizing files

To synchronize a specific file, enter the following on the device that needs the file:
    > exec nsrp sync file name name_str from peer

To synchronize all files:
    > exec nsrp sync file from peer

PKI objects (such as local and CA certificates, key pairs, and CRLs) can be synchronized with either RTO synchronization or a configuration sync:

1). If RTO synchronization is enabled:
    > exec nsrp sync global-config run
then
    > exec nsrp sync rto pki from peer

2). If RTO synchronization is disabled:
    > exec nsrp sync global-config save
then reboot the device.

 

9. Synchronizing RTOs

If RTO mirror synchronization is enabled on a device in the cluster, the RTOs resynchronize automatically when the device reboots. If RTO mirror synchronization was disabled (for example, for debugging or maintenance on the device), all RTOs must be resynchronized manually when RTO synchronization is re-enabled; use the exec nsrp sync rto all command for this.

To resynchronize only selected RTOs (such as ARP, DNS, sessions, or VPNs), use:
    > exec nsrp sync rto { arp | auth-table | dhcp | dns | l2tp | phase1-sa | pki | rm | session | vpn }

To have NSRP cluster members start RTO synchronization automatically when they detect another member of the cluster, use the set nsrp rto-mirror sync command.

When RTOs must be synchronized manually, use:
    > exec nsrp sync rto { all | arp | auth-table | dhcp | dns | l2tp | phase1-sa | pki | rm | session | vpn }

 

10. To disable NSRP time synchronization:
    > set ntp no-ha-sync

11. On NetScreen devices without a dedicated HA interface, you can designate an interface bound to a security zone to carry HA control messages:
    > set nsrp interface interface

12. Disable packet forwarding:
    > unset nsrp data-forwarding

13. Send link probes manually:
    > exec nsrp probe interface peer_mac_address count number_of_probes
For example: exec nsrp probe ethernet8 00e02000080 count 5

14. Send link probes automatically:
    > set nsrp ha-link probe interval interval threshold threshold
For example: set nsrp ha-link probe interval 3 threshold 4

 

 

Interface redundancy

I. Redundant interfaces

1. Set the hold-down time for a redundant-interface member (the interface name in the command is the physical interface; this command is required before the interface can become a member of a redundant group):
    > set interface int_port phy holddown num

Example:

(Device A)

Redundant interfaces
set interface redundant1 zone untrust
set interface redundant1 ip 210.1.1.1/24
set interface ethernet1/1 group redundant1
set interface ethernet1/2 group redundant1
set interface redundant2 zone trust
set interface redundant2 ip 10.1.1.1/24
set interface redundant2 manage-ip 10.1.1.21
set interface redundant2 nat
set interface ethernet2/1 group redundant2
set interface ethernet2/2 group redundant2
set interface redundant1 primary ethernet1/1
set interface redundant2 primary ethernet2/1

Virtual security interfaces
set interface redundant1:1 ip 210.1.1.2/24
set interface redundant2:1 ip 10.1.1.2/24
save

(Device B)
set interface redundant2 manage-ip 10.1.1.22
save

II. Aggregate interfaces (supported only by the Secure Port Module (SPM))

1. View the physical interfaces available on the system:
    > get interface

Example:
set interface aggregate1 zone trust
set interface aggregate1 ip 10.1.1.0/24
set interface aggregate1 nat
set interface ethernet2/1 aggregate aggregate1
set interface ethernet2/2 aggregate aggregate1
save

2. Force traffic over to the backup interface:
    > set failover enable
    > save
    > exec failover force

3. Switch traffic from the backup interface back to the primary interface:
    > exec failover revert

4. Redirect traffic automatically:
    > set failover type track-ip
    > set failover auto
    > set failover enable
    > set failover holddown 20
    > save

5. Interface failover

1). Port mode
exec port-mode dual-untrust

The following prompt appears:

Change port mode from <trust-untrust> to <dual-untrust> will erase system
configuration and reboot box
Are you sure y/[n] ?

After you press Y, the NetScreen device reboots.

2). Log in and interfaces

Log in again and set the interface IP addresses, then continue with the following configuration.

3). Automatic failover and IP tracking
set failover enable
set failover auto
set failover holddown 12
set failover type track-ip
set interface ethernet3 track-ip threshold 10
set interface ethernet3 track-ip ip 2.2.2.2 weight 6
set interface ethernet3 track-ip ip 2.2.2.2 interval 3
set interface ethernet3 track-ip ip 2.2.2.2 threshold 3
set interface ethernet3 track-ip ip 3.3.3.3 weight 4
set interface ethernet3 track-ip ip 3.3.3.3 interval 3
set interface ethernet3 track-ip ip 3.3.3.3 threshold 3
set interface ethernet3 track-ip ip 4.4.4.4 weight 4
set interface ethernet3 track-ip ip 4.4.4.4 interval 3
set interface ethernet3 track-ip ip 4.4.4.4 threshold 3
set interface

 

6. Failover from an active tunnel to a backup tunnel

CLI (NetScreen-5GT)

1). Port mode
exec port-mode trust-untrust

The following prompt appears:

Change port mode from <current_port-mode> to <trust-untrust> will erase system
configuration and reboot box
Are you sure y/[n] ?

After you press Y, the NetScreen device reboots.

2). Log in and interfaces

Log back in to the NetScreen device, then continue with the following configuration:

set interface trust ip 10.1.1.1/24
set interface trust nat
set interface serial zone untrust
set interface tunnel.1 zone trust
set interface tunnel.1 ip unnumbered interface trust
set interface tunnel.2 zone trust
set interface tunnel.2 ip unnumbered interface trust

3). Addresses
set address untrust peer1 10.2.2.0/24

4). PPPoE
set pppoe name isp1a
set pppoe name isp1a username ns5gt password juniper
set pppoe name isp1a idle 0
set pppoe name isp1a interface untrust
exec pppoe name isp1a connect

5). VPN tunnels
set ike gateway gw1 address 2.2.2.2 aggressive local-id ns5gt outgoing-interface untrust preshare netscreen1 sec-level compatible
set ike gateway gw2 address 2.2.2.2 aggressive local-id ns5gt outgoing-interface serial preshare netscreen1 sec-level compatible
set vpn vpn1 gateway gw1 sec-level compatible
set vpn vpn1 bind interface tunnel.1
set vpn vpn1 proxy-id local-ip 0.0.0.0/0 remote-ip 0.0.0.0/0 any
set vpn vpn2 gateway gw2 sec-level compatible
set vpn vpn2 bind interface tunnel.2
set vpn vpn2 proxy-id local-ip 0.0.0.0/0 remote-ip 0.0.0.0/0 any

6). Asymmetric VPN
set zone trust asymmetric-vpn

7). IP tracking
set interface untrust monitor track-ip ip
set interface untrust monitor track-ip ip 2.2.2.250 interval 4
set interface untrust monitor track-ip ip 2.2.2.250 threshold 3
set interface untrust monitor track-ip ip 2.2.2.250 weight 255

8). Tunnel failover
set failover enable
set failover auto
set failover holddown 16
set failover type track-ip
set interface untrust track-ip threshold 255

9). Routes
set vrouter trust-vr route 10.2.2.0/24 interface tunnel.1
set vrouter trust-vr route 10.2.2.0/24 interface tunnel.2
set vrouter trust-vr route 10.2.2.0/24 interface null metric 100

10). Policies
set policy from trust to untrust any any any permit
set policy from untrust to trust peer1 any any permit

CLI (remote peer)

1). Interfaces
set interface ethernet1 zone trust
set interface ethernet1 ip 10.2.2.1/24
set interface ethernet1 nat
set interface ethernet3 zone untrust
set interface ethernet3 ip 2.2.2.2/24
set interface tunnel.1 zone trust
set interface tunnel.1 ip unnumbered interface ethernet1

2). Addresses
set address untrust ns5gt 10.1.1.0/24

3). VPN tunnel
set ike gateway ns5gt dynamic ns5gt aggressive outgoing-interface ethernet3 preshare netscreen1 sec-level compatible
set vpn vpn1 gateway ns5gt sec-level compatible
set vpn vpn1 bind interface tunnel.1
set vpn vpn1 proxy-id local-ip 0.0.0.0/0 remote-ip 0.0.0.0/0 any

4). Routes
set vrouter trust-vr route 10.1.1.0/24 interface tunnel.1
set vrouter trust-vr route 10.1.1.0/24 interface null metric 100
set vrouter trust-vr route 0.0.0.0/0 interface ethernet3 gateway 2.2.2.250

5). Policies
set policy from untrust to trust ns5gt any any permit
set policy from trust to untrust any ns5gt any permit
save

 

7. Dual active tunnels (to support failover of VPN traffic between two active VPN tunnels)

CLI (NetScreen-5GT)

1). Port mode
exec port-mode dual-untrust

The following prompt appears:

Change port mode from <trust-untrust> to <dual-untrust> will erase system
configuration and reboot box
Are you sure y/[n] ?

After you press Y, the NetScreen device reboots.

2). Log in and interfaces

Log back in to the NetScreen device, then continue with the following configuration:

set interface ethernet1 ip 10.1.1.1/24
set interface ethernet1 nat
set interface tunnel.1 zone trust
set interface tunnel.1 ip unnumbered interface ethernet1
set interface tunnel.2 zone trust
set interface tunnel.2 ip unnumbered interface ethernet1

3). Addresses
set address untrust peer1 10.2.2.0/24

4). PPPoE
set pppoe name isp1a
set pppoe name isp1a username ns5gt1a password juniper1a
set pppoe name isp1a idle 0
set pppoe name isp1a interface ethernet3
exec pppoe name isp1a connect
set pppoe name isp1b
set pppoe name isp1b username ns5gt1b password juniper1b
set pppoe name isp1b idle 0
set pppoe name isp1b interface ethernet2
exec pppoe name isp1b connect

5). VPN tunnels
set ike gateway gw1 address 2.2.2.2 aggressive local-id 5gt-e3 outgoing-interface ethernet3 preshare netscreen1 sec-level compatible
set ike gateway gw2 address 3.3.3.3 aggressive local-id 5gt-e2 outgoing-interface ethernet2 preshare netscreen2 sec-level compatible
set vpn vpn1 gateway gw1 sec-level compatible
set vpn vpn1 bind interface tunnel.1
set vpn vpn1 proxy-id local-ip 0.0.0.0/0 remote-ip 0.0.0.0/0 any
set vpn vpn1 monitor source-interface ethernet1 destination-ip 2.2.2.2 rekey
set vpn vpn2 gateway gw2 sec-level compatible
set vpn vpn2 bind interface tunnel.2
set vpn vpn2 proxy-id local-ip 0.0.0.0/0 remote-ip 0.0.0.0/0 any
set vpn vpn2 monitor source-interface ethernet1 destination-ip 3.3.3.3 rekey

6). Dual tunnels
unset failover enable

7). Asymmetric VPN
set zone trust asymmetric-vpn

8). Routes
set vrouter trust-vr route 10.2.2.0/24 interface tunnel.1
set vrouter trust-vr route 10.2.2.0/24 interface tunnel.2
set vrouter trust-vr route 10.2.2.0/24 interface null metric 100

9). Policies
set policy from trust to untrust any any any permit
set policy from untrust to trust peer1 any any permit
save

CLI (remote peer)

1). Interfaces
set interface ethernet1 zone trust
set interface ethernet1 ip 10.2.2.1/24
set interface ethernet1 nat
set interface ethernet3 zone untrust
set interface ethernet3 ip 2.2.2.2/24
set interface ethernet4 zone untrust
set interface ethernet4 ip 3.3.3.3/24
set interface tunnel.1 zone trust
set interface tunnel.1 ip unnumbered interface ethernet1
set interface tunnel.2 zone trust
set interface tunnel.2 ip unnumbered interface ethernet1

2). Addresses
set address untrust ns5gt 10.1.1.0/24

3). VPN tunnels
set ike gateway gw1 dynamic ns5gt-e3 aggressive outgoing-interface ethernet3 preshare netscreen1 sec-level compatible
set ike gateway gw2 dynamic ns5gt-e2 aggressive outgoing-interface ethernet4 preshare netscreen2 sec-level compatible
set vpn vpn1 gateway gw1 sec-level compatible
set vpn vpn1 bind interface tunnel.1
set vpn vpn1 proxy-id local-ip 0.0.0.0/0 remote-ip 0.0.0.0/0 any
set vpn vpn2 gateway gw2 sec-level compatible
set vpn vpn2 bind interface tunnel.2
set vpn vpn2 proxy-id local-ip 0.0.0.0/0 remote-ip 0.0.0.0/0 any

4). Asymmetric VPN
set zone trust asymmetric-vpn

5). Routes
set vrouter trust-vr route 10.1.1.0/24 interface tunnel.1
set vrouter trust-vr route 10.1.1.0/24 interface tunnel.2
set vrouter trust-vr route 10.1.1.0/24 interface null metric 100

6). Policies
set policy from trust to untrust any any any permit
set policy from untrust to trust ns5gt any any permit
save

 

 

8. Applying weights to tunnel failover

CLI (branch office)

1. Port mode
exec port-mode dual-untrust

The following prompt appears:

Change port mode from <trust-untrust> to <dual-untrust> will erase system
configuration and reboot box
Are you sure y/[n] ?

After you press Y, the NetScreen device reboots.

2. Log in and interfaces

Log back in to the NetScreen device, then continue with the following configuration:

set interface ethernet1 ip 10.1.1.1/24
set interface ethernet1 nat
set interface ethernet3 dhcp client
exec dhcp client ethernet3 renew
set pppoe interface ethernet2
set pppoe username ns5gt password juniper
set interface tunnel.1 zone trust
set interface tunnel.1 ip unnumbered interface ethernet1
set interface tunnel.2 zone trust
set interface tunnel.2 ip unnumbered interface ethernet1
set interface tunnel.3 zone trust
set interface tunnel.3 ip unnumbered interface ethernet1
set interface tunnel.4 zone trust
set interface tunnel.4 ip unnumbered interface ethernet1
set interface tunnel.5 zone trust
set interface tunnel.5 ip unnumbered interface ethernet1
set interface tunnel.6 zone trust
set interface tunnel.6 ip unnumbered interface ethernet1

3. VPN tunnels
set ike gateway corp1 address 2.2.2.2 aggressive local-id 5gt-e3 outgoing-interface ethernet3 preshare netscreen1 sec-level basic
set ike gateway corp2 address 2.2.2.2 aggressive local-id 5gt-e2 outgoing-interface ethernet2 preshare netscreen2 sec-level basic
set vpn vpn1 gateway corp1 sec-level basic
set vpn vpn1 bind interface tunnel.1
set vpn vpn1 proxy-id local-ip 0.0.0.0/0 remote-ip 0.0.0.0/0 DNS
set vpn vpn1 monitor source-interface ethernet1 destination-ip 10.2.2.5 rekey
set vpn vpn2 gateway corp1 sec-level basic
set vpn vpn2 bind interface tunnel.2
set vpn vpn2 proxy-id local-ip 0.0.0.0/0 remote-ip 0.0.0.0/0 SMTP
set vpn vpn2 monitor source-interface ethernet1 destination-ip 10.2.2.10 rekey
set vpn vpn3 gateway corp1 sec-level basic
set vpn vpn3 bind interface tunnel.3
set vpn vpn3 proxy-id local-ip 0.0.0.0/0 remote-ip 0.0.0.0/0 HTTP
set vpn vpn3 monitor source-interface ethernet1 destination-ip 10.2.2.15 rekey
set vpn vpn4 gateway corp2 sec-level basic
set vpn vpn4 bind interface tunnel.4
set vpn vpn4 proxy-id local-ip 0.0.0.0/0 remote-ip 0.0.0.0/0 DNS
set vpn vpn4 monitor source-interface ethernet1 destination-ip 10.2.2.5 rekey
set vpn vpn5 gateway corp2 sec-level basic
set vpn vpn5 bind interface tunnel.5
set vpn vpn5 proxy-id local-ip 0.0.0.0/0 remote-ip 0.0.0.0/0 SMTP
set vpn vpn5 monitor source-interface ethernet1 destination-ip 10.2.2.10 rekey
set vpn vpn6 gateway corp2 sec-level basic
set vpn vpn6 bind interface tunnel.6
set vpn vpn6 proxy-id local-ip 0.0.0.0/0 remote-ip 0.0.0.0/0 HTTP
set vpn vpn6 monitor source-interface ethernet1 destination-ip 10.2.2.15 rekey

4. Tunnel failover
set failover type tunnel-if
set failover auto
set vpn vpn1 failover-weight 60
set vpn vpn2 failover-weight 40
set vpn vpn3 failover-weight 40

5. Asymmetric VPN
set zone trust asymmetric-vpn

6. Routes
set vrouter trust-vr route 10.2.2.5/32 interface tunnel.1
set vrouter trust-vr route 10.2.2.10/32 interface tunnel.2
set vrouter trust-vr route 10.2.2.15/32 interface tunnel.3
set vrouter trust-vr route 10.2.2.5/32 interface tunnel.4
set vrouter trust-vr route 10.2.2.10/32 interface tunnel.5
set vrouter trust-vr route 10.2.2.15/32 interface tunnel.6
set vrouter trust-vr route 10.2.2.0/24 interface null metric 100

7. Policies
set policy from trust to untrust any any any permit
save

CLI (corporate office)

1. Interfaces
set interface ethernet1 zone trust
set interface ethernet1 ip 10.2.2.1/24
set interface ethernet1 nat
set interface ethernet3 zone untrust
set interface ethernet3 ip 2.2.2.2/24
set interface tunnel.1 zone trust
set interface tunnel.1 ip unnumbered interface ethernet1
set interface tunnel.2 zone trust
set interface tunnel.2 ip unnumbered interface ethernet1
set interface tunnel.3 zone trust
set interface tunnel.3 ip unnumbered interface ethernet1
set interface tunnel.4 zone trust
set interface tunnel.4 ip unnumbered interface ethernet1
set interface tunnel.5 zone trust
set interface tunnel.5 ip unnumbered interface ethernet1
set interface tunnel.6 zone trust
set interface tunnel.6 ip unnumbered interface ethernet1

2. Addresses
set address untrust branch 10.1.1.0/24
set address trust DNS-1 10.2.2.5/32
set address trust SMTP-1 10.2.2.10/32
set address trust HTTP-1 10.2.2.15/32
set group address trust servers add DNS-1
set group address trust servers add SMTP-1
set group address trust servers add HTTP-1

3. Service group
set group service vpn-srv add DNS
set group service vpn-srv add SMTP
set group service vpn-srv add HTTP
set group service vpn-srv add ICMP

4. VPN tunnels
set ike gateway branch1 dynamic ns5gt-e3 aggressive outgoing-interface ethernet3 preshare netscreen1 sec-level basic
set ike gateway branch2 dynamic ns5gt-e2 aggressive outgoing-interface ethernet3 preshare netscreen2 sec-level basic
set vpn vpn1 gateway branch1 sec-level basic
set vpn vpn1 bind interface tunnel.1
set vpn vpn1 proxy-id local-ip 0.0.0.0/0 remote-ip 0.0.0.0/0 DNS
set vpn vpn2 gateway branch1 sec-level basic
set vpn vpn2 bind interface tunnel.2
set vpn vpn2 proxy-id local-ip 0.0.0.0/0 remote-ip 0.0.0.0/0 SMTP
set vpn vpn3 gateway branch1 sec-level basic
set vpn vpn3 bind interface tunnel.3
set vpn vpn3 proxy-id local-ip 0.0.0.0/0 remote-ip 0.0.0.0/0 HTTP
set vpn vpn4 gateway branch2 sec-level basic
set vpn vpn4 bind interface tunnel.4
set vpn vpn4 proxy-id local-ip 0.0.0.0/0 remote-ip 0.0.0.0/0 DNS
set vpn vpn5 gateway branch2 sec-level basic
set vpn vpn5 bind interface tunnel.5
set vpn vpn5 proxy-id local-ip 0.0.0.0/0 remote-ip 0.0.0.0/0 SMTP
set vpn vpn6 gateway branch2 sec-level basic
set vpn vpn6 bind interface tunnel.6
set vpn vpn6 proxy-id local-ip 0.0.0.0/0 remote-ip 0.0.0.0/0 HTTP

5. Asymmetric VPN
set zone trust asymmetric-vpn

6. Routes
set vrouter trust-vr route 0.0.0.0/0 interface ethernet3 gateway 2.2.2.250

7. Policies
set policy from untrust to trust branch servers vpn-srv permit
save

 

 

III. Serial interface

1. Configure the modem settings (set the modem idle time to 20 minutes; also define the modem initialization string mod1 for a new modem setting, then activate it):
    > set modem idle-time 20
    > set modem settings mod1 init-strings AT&FS7=255S32=6
    > set modem settings mod1 active
    > save

2. Configure ISP information (configure two different ISP accounts: account isp1 with priority 1 and account isp2 with priority 2; that is, when failing over to the serial interface, ScreenOS always dials the isp1 account first):
    > set modem isp isp1 account login kgreen password 98765432
    > set modem isp isp1 primary-number 4085551111 alternative-number 4085552222
    > set modem isp isp1 priority 1
    > set modem isp isp2 account login kgreen password 12345678
    > set modem isp isp2 primary-number 4085551212
    > set modem isp isp2 priority 2
    > save

3. Add a default route for the serial interface:
    > set interface serial zone untrust
    > set route 0.0.0.0/0 interface serial
    > save

4. Specify that a policy becomes inactive after failover to the serial interface:
    > set policy from trust to untrust source_add destination_add services action no-session-backup
    > save

 

 

Failover

I. Device failover

1. Ensure that one device always remains master and forwards traffic:
    > set nsrp vsd-group master-always-exist

II. VSD group failover (NSRP)

III. Configuring object monitoring for device or VSD group failover

1. Monitor an interface (physical interface):
    > set nsrp monitor interface ethernet2/1 weight 100
    > save

2. Monitor a zone object:
    > set nsrp monitor zone trust weight 100
    > save

3. Monitor a tracked-IP object:
    > set nsrp track-ip ip 10.10.10.250 weight 100
    > save

4. Failure threshold of the tracked-IP object:
    > set nsrp monitor track-ip threshold 125
    > save
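The weighted IP-tracking arithmetic behind the interface-failover example in section 5 above (ethernet3: threshold 10, tracked IPs weighted 6/4/4, each counted as failed after 3 consecutive missed probes) and behind the NSRP tracked-IP object here (weight 100 against a threshold of 125), as an added Python simulation that is not ScreenOS code and not part of the original page. The TrackedIP/TrackIPObject classes and the probe loop are my own construction; the numbers come from the page.

```python
from dataclasses import dataclass, field
from typing import List, Set, Tuple


@dataclass
class TrackedIP:
    """One tracked address: its weight counts once it is failed."""
    ip: str
    weight: int
    threshold: int            # consecutive missed probes before "failed"
    misses: int = 0

    def record(self, replied: bool) -> None:
        # A reply clears the miss counter; a miss increments it.
        self.misses = 0 if replied else self.misses + 1

    @property
    def failed(self) -> bool:
        return self.misses >= self.threshold


@dataclass
class TrackIPObject:
    """A tracking object: an interface, or the NSRP track-ip object."""
    name: str
    threshold: int            # summed failed weight that trips the object
    ips: List[TrackedIP] = field(default_factory=list)

    def failed_weight(self) -> int:
        return sum(t.weight for t in self.ips if t.failed)

    def failed(self) -> bool:
        return self.failed_weight() >= self.threshold


def ethernet3_from_page() -> TrackIPObject:
    # Values from the "automatic failover and IP tracking" config above.
    return TrackIPObject("ethernet3", 10, [
        TrackedIP("2.2.2.2", weight=6, threshold=3),
        TrackedIP("3.3.3.3", weight=4, threshold=3),
        TrackedIP("4.4.4.4", weight=4, threshold=3),
    ])


def nsrp_track_ip_from_page() -> TrackIPObject:
    # "set nsrp track-ip ip 10.10.10.250 weight 100" with threshold 125.
    # The per-IP miss threshold of 3 is an assumed value.
    return TrackIPObject("nsrp-track-ip", 125,
                         [TrackedIP("10.10.10.250", weight=100, threshold=3)])


def simulate(obj: TrackIPObject, down: Set[str],
             rounds: int = 3) -> Tuple[int, bool]:
    """Run `rounds` probe cycles; addresses in `down` never reply.

    Returns (failed weight, whether the object has tripped).
    """
    for _ in range(rounds):
        for t in obj.ips:
            t.record(t.ip not in down)
    return obj.failed_weight(), obj.failed()


if __name__ == "__main__":
    # 6 + 4 reaches the interface threshold of 10: failover.
    print(simulate(ethernet3_from_page(), {"2.2.2.2", "3.3.3.3"}))
    # 4 + 4 = 8 stays below 10: no failover.
    print(simulate(ethernet3_from_page(), {"3.3.3.3", "4.4.4.4"}))
    # A single weight-100 IP never reaches the threshold of 125.
    print(simulate(nsrp_track_ip_from_page(), {"10.10.10.250"}))
```

Note that losing only two of three probes (rounds=2) leaves every IP below its miss threshold, so the failed weight stays at 0 regardless of the weights.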

IV. Virtual system failover

NSRP-Lite (does not support RTO or session synchronization; supports only active/passive configuration, and the interfaces must be in route or NAT mode)

 
