Log in through the console port and list the interfaces. The highlighted rows, eth0/2 through eth0/6, belong to the Trust interface (bgroup0) by default
ssg5-serial-> get interface
A - Active, I - Inactive, U - Up, D - Down, R - Ready
Interfaces in vsys Root:
Name IP Address Zone MAC VLAN State VSD
serial0/0 0.0.0.0/0 Null N/A - D -
eth0/0 0.0.0.0/0 Untrust b0a8.6e68.2bc0 - D -
eth0/1 0.0.0.0/0 DMZ b0a8.6e68.2bc5 - D -
bgroup0 192.168.1.1/24 Trust b0a8.6e68.2bcb - U -
eth0/2 N/A N/A N/A - D -
eth0/3 N/A N/A N/A - U -
eth0/4 N/A N/A N/A - D -
eth0/5 N/A N/A N/A - D -
eth0/6 N/A N/A N/A - D -
bgroup1 0.0.0.0/0 Null b0a8.6e68.2bcc - D -
bgroup2 0.0.0.0/0 Null b0a8.6e68.2bcd - D -
bgroup3 0.0.0.0/0 Null b0a8.6e68.2bce - D -
vlan1 0.0.0.0/0 VLAN b0a8.6e68.2bcf 1 D -
null 0.0.0.0/0 Null N/A - U 0
About the SSG5 interfaces (a bgroupx is an interface group; you can also think of it as a VLAN, whichever you prefer; a zone is a security segment)
1. One or more interfaces can be added to a bgroupx, the bgroupx is then added to a zone, and finally the bgroupx is given an IP address (all interfaces under the bgroupx share the bgroupx's IP address, so the group behaves like a switching domain)
2. Once an interface has been added to a bgroupx it can no longer be configured with an IP address or most other settings; think of these interfaces as having become Layer 2 ports. As soon as the interface leaves the bgroupx, the IP address and the other settings can be configured again, i.e. it is a Layer 3 port again.
3. If a physical interface already sits in a zone, it cannot be added directly to a bgroupx unless it first leaves its current zone.
Add interfaces eth0/2 and eth0/3 to bgroup1 (the SSG5 does not support adding several ports in one command)
ssg5-serial->set interface bgroup1 port eth0/2
ssg5-serial->set interface bgroup1 port eth0/3
To remove a port, use unset (unset interface bgroup1 port eth0/3)
Add bgroup1 to the trust zone
ssg5-serial->set interface bgroup1 zone trust
To remove it from the zone, use unset (unset interface bgroup1 zone trust)
Add a zone
ssg5-serial->set zone name web
Assign an IP address to bgroup1
Before bgroup1 can be given an IP address it must be placed in a zone; otherwise the option to set an IP address is not offered
ssg5-serial-> set interface bgroup1 zone web
Set the IP address of bgroup1
ssg5-serial-> set interface bgroup1 ip 2.2.2.1/24
Check the configuration just made
ssg5-serial->get interface
Interfaces in vsys Root:
Name IP Address Zone MAC VLAN State VSD
serial0/0 0.0.0.0/0 Null N/A - D -
eth0/0 0.0.0.0/0 Untrust b0a8.6e68.2bc0 - D -
eth0/1 0.0.0.0/0 DMZ b0a8.6e68.2bc5 - D -
eth0/6 0.0.0.0/0 Null b0a8.6e68.2bca - D -
bgroup0 192.168.1.1/24 Trust b0a8.6e68.2bcb - D -
eth0/4 N/A N/A N/A - D -
eth0/5 N/A N/A N/A - D -
bgroup1 2.2.2.1/24 web b0a8.6e68.2bcc - U -
eth0/2 N/A N/A N/A - D -
eth0/3 N/A N/A N/A - U -
bgroup2 0.0.0.0/0 Null b0a8.6e68.2bcd - D -
bgroup3 0.0.0.0/0 Null b0a8.6e68.2bce - D -
vlan1 0.0.0.0/0 VLAN b0a8.6e68.2bcf 1 D -
null 0.0.0.0/0 Null N/A - U 0
List the zones
ssg5-serial->get zon
------------------------------------------------------------------------
ID Name Type Attr VR Default-IF VSYS
0 Null Null Shared untrust-vr serial0/0 Root
1 Untrust Sec(L3) Shared trust-vr ethernet0/0 Root
2 Trust Sec(L3) trust-vr bgroup0 Root
3 DMZ Sec(L3) trust-vr ethernet0/1 Root
4 Self Func trust-vr self Root
5 MGT Func trust-vr null Root
6 HA Func trust-vr null Root
10 Global Sec(L3) trust-vr null Root
11 V1-Untrust Sec(L2) Shared trust-vr v1-untrust Root
12 V1-Trust Sec(L2) Shared trust-vr v1-trust Root
13 V1-DMZ Sec(L2) Shared trust-vr v1-dmz Root
14 VLAN Func Shared trust-vr vlan1 Root
15 V1-Null Sec(L2) Shared trust-vr l2v Root
16 Untrust-Tun Tun trust-vr hidden.1 Root
100 web Sec(L3) trust-vr bgroup1 Root
Dismantle the bgroup0 switching domain on the SSG5 and turn all of its interfaces into Layer 3 ports
SSG5 default interface layout
ssg5-serial->get interface
Interfaces in vsys Root:
Name IP Address Zone MAC VLAN State VSD
serial0/0 0.0.0.0/0 Null N/A - D -
eth0/0 0.0.0.0/0 Untrust b0a8.6e68.2bc0 - D -
eth0/1 0.0.0.0/0 DMZ b0a8.6e68.2bc5 - D -
bgroup0 192.168.1.1/24 Trust b0a8.6e68.2bcb - U -
eth0/2 N/A N/A N/A - D -
eth0/3 N/A N/A N/A - U -
eth0/4 N/A N/A N/A - D -
eth0/5 N/A N/A N/A - D -
eth0/6 N/A N/A N/A - D -
bgroup1 0.0.0.0/0 Null b0a8.6e68.2bcc - D -
bgroup2 0.0.0.0/0 Null b0a8.6e68.2bcd - D -
bgroup3 0.0.0.0/0 Null b0a8.6e68.2bce - D -
vlan1 0.0.0.0/0 VLAN b0a8.6e68.2bcf 1 D -
null 0.0.0.0/0 Null N/A - U 0
Remove the default bgroup0 configuration on the SSG
ssg5-serial->unset inter bgroup0 port ethernet0/2
ssg5-serial->unset inter bgroup0 port ethernet0/3
ssg5-serial->unset inter bgroup0 port ethernet0/4
ssg5-serial->unset inter bgroup0 port ethernet0/5
ssg5-serial->unset inter bgroup0 port ethernet0/6
ssg5-serial->unset inter bgroup0 ip
ssg5-serial->unset inter bgroup0 zone
ssg5-serial->get interface
A - Active, I - Inactive, U - Up, D - Down, R - Ready
Interfaces in vsys Root:
Name IP Address Zone MAC VLAN State VSD
serial0/0 0.0.0.0/0 Null N/A - D -
eth0/0 0.0.0.0/0 Untrust b0a8.6e68.2bc0 - D -
eth0/1 0.0.0.0/0 DMZ b0a8.6e68.2bc5 - D -
eth0/2 0.0.0.0/0 Null b0a8.6e68.2bc6 - D -
eth0/3 0.0.0.0/0 Null b0a8.6e68.2bc7 - U -
eth0/4 0.0.0.0/0 Null b0a8.6e68.2bc8 - D -
eth0/5 0.0.0.0/0 Null b0a8.6e68.2bc9 - D -
eth0/6 0.0.0.0/0 Null b0a8.6e68.2bca - D -
bgroup0 0.0.0.0/0 Null b0a8.6e68.2bcb - D -
bgroup1 0.0.0.0/0 Null b0a8.6e68.2bcc - D -
bgroup2 0.0.0.0/0 Null b0a8.6e68.2bcd - D -
bgroup3 0.0.0.0/0 Null b0a8.6e68.2bce - D -
vlan1 0.0.0.0/0 VLAN b0a8.6e68.2bcf 1 D -
null 0.0.0.0/0 Null N/A - U 0
ssg5-serial->
-----------------------------------------------------------------------------------------------------------------------------------------------
Creating zones, assigning IP addresses and enabling management on an interface
Bind interfaces to zones
ssg5-serial->set interface eth0/0 zone dmz
ssg5-serial->set interface eth0/1 zone untrust
ssg5-serial->set interface eth0/2 zone trust
Assign an IP address
ssg5-serial->set interface eth0/2 ip 192.168.1.1/24
Enable management on the interface
ssg5-serial->set interface eth0/2 manage web
Note: in some cases the SSG enables all management services by default; I need to run unset interface eth0/2 manage first to disable all management, and then permit only the required services individually, such as web.
The SSG5 after the changes
ssg5-serial->get interface
Interfaces in vsys Root:
Name IP Address Zone MAC VLAN State VSD
serial0/0 0.0.0.0/0 Null N/A - D -
eth0/0 0.0.0.0/0 DMZ b0a8.6e68.2bc0 - D -
eth0/1 0.0.0.0/0 Untrust b0a8.6e68.2bc5 - D -
eth0/2 192.168.1.1/24 Trust b0a8.6e68.2bc6 - U -
eth0/3 0.0.0.0/0 Null b0a8.6e68.2bc7 - D -
eth0/4 0.0.0.0/0 Null b0a8.6e68.2bc8 - D -
eth0/5 0.0.0.0/0 Null b0a8.6e68.2bc9 - D -
eth0/6 0.0.0.0/0 Null b0a8.6e68.2bca - D -
bgroup0 0.0.0.0/0 Null b0a8.6e68.2bcb - D -
bgroup1 0.0.0.0/0 Null b0a8.6e68.2bcc - D -
bgroup2 0.0.0.0/0 Null b0a8.6e68.2bcd - D -
bgroup3 0.0.0.0/0 Null b0a8.6e68.2bce - D -
vlan1 0.0.0.0/0 VLAN b0a8.6e68.2bcf 1 D -
null 0.0.0.0/0 Null N/A - U 0
Change the interface mode (there are only two: route/nat)
ssg5-serial->set interface eth0/2 route
ssg5-serial->set interface eth0/2 nat