Fixed interfaces of the USG2000&5000


The USG2000/5000 is delivered with a variety of interfaces; fixed interfaces are one type of standard interface. The standard configurations of the various models are as follows:
- USG2110-F: two WAN interfaces, eight LAN interfaces, one console port, and one USB interface in standard configuration.
- USG2110-F-W: two WAN interfaces, eight LAN interfaces, one console port, and one USB interface in standard configuration.
- USG2110-A-W: one WAN interface, eight LAN interfaces, one ADSL interface, one console port, and one USB interface in standard configuration.
- USG2110-A-GW (WCDMA 3G): one WAN interface, eight LAN interfaces, one ADSL interface, one console port, and one USB interface in standard configuration.
- USG2110-A-GW (CDMA2000 3G): one WAN interface, eight LAN interfaces, one ADSL interface, one console port, and one USB interface in standard configuration.
- USG2100: one WAN interface, eight LAN interfaces, one console port, one USB interface, and one flash memory interface in standard configuration.
- USG2210/2220/2230/2250/2260: two GE combo interfaces (WAN interfaces), one console port, two USB interfaces, and one Micro-SD card slot in standard configuration.
- USG5120: two Gigabit electrical interfaces (WAN interfaces), two GE combo interfaces (WAN interfaces), one console port, two USB interfaces, and one Micro-SD card slot in standard configuration.
- USG5150/5160: four GE combo interfaces (WAN interfaces), one console port, two USB interfaces, and one Micro-SD card slot in standard configuration.
- USG5520S/5530S/5530/5550: one console port, one 10/100/1000M management interface, two USB interfaces, four 10/100/1000M Ethernet electrical interfaces, and four GE combo interfaces in standard configuration.
- USG5560: one console port, one 10/100/1000M management interface, two USB interfaces, four 10/100/1000M Ethernet electrical interfaces, four GE combo interfaces, and eight 100/1000M Ethernet optical interfaces in standard configuration.

Other related questions:
Restricting the administrator to access the USG2000&5000&6000 through a fixed source address
Configure the USG2000&5000&6000 to restrict the administrator to access through a fixed source address as follows. Set the VTY authentication mode to AAA on the USG to allow login of only a certain IP address:

    system-view
    [USG6600] acl 3000
    [USG6600-acl-adv-3000] rule permit ip source 192.168.1.2 0 //192.168.1.2 allowed only.
    [USG6600-acl-adv-3000] quit
    [USG6600] user-interface vty 0 4
    [USG6600-ui-vty0-4] authentication-mode aaa
    [USG6600-ui-vty0-4] acl 3000 inbound //The ACL here is deny by default.
    [USG6600-ui-vty0-4] quit

After the preceding configurations, only addresses for which the action is permit in ACL 3000 or specific source addresses can telnet to the firewall.

ACLs for the USG2000&5000
An access control list (ACL) is a general tool for traffic matching. It can filter and match traffic in terms of MAC addresses, IP addresses, protocols, and time ranges.

ACL Rule and Matching Order

In common cases, any security function can reference multiple ACLs, so the traffic defined by these ACLs may overlap and conflict. Additionally, an ACL contains multiple ACL rules, each of which specifies certain traffic and defines the permit or deny action for it. As a result, the traffic defined by these rules may overlap, and the actions for overlapped traffic may conflict with each other. Therefore, it is necessary to specify the matching order of ACLs and of the rules within an ACL. The matching orders on the USG are as follows:

- ACLs applied to the same function in the same direction are matched according to the configuration time. The earlier the ACL is created, the earlier it is matched. Once the matching succeeds, no subsequent matching is performed.
- ACL rules in the same ACL are matched according to the specified matching type. Two matching types are available:
  - Automatic order: indicates automatic matching. It is also called minimal matching or in-depth matching. Actions are performed according to the rule with the minimal matching range. For example, rule 1 allows packets at 192.168.1.0/24 through; rule 2 denies packets at 192.168.1.100. In this case, the final action for packets at 192.168.1.100 is deny, because the IP address range specified by rule 2 is smaller and more accurate.
  - Configuration order: indicates that ACL rules are matched based on the rule ID. It is the default matching mode. The smaller the rule ID is, the earlier the matching occurs. Once the matching succeeds, no subsequent matching is performed.

Step and Dynamic Insertion of an ACL Rule

After an ACL rule is created, its ID cannot be changed. Therefore, it is difficult to manually adjust the matching order of rules in an ACL in configuration order mode; you can only delete existing rules and create new ones. To address this issue, the step function is added. During the creation of an ACL rule, if no rule ID is specified, the system automatically assigns a rule ID. Rule IDs increase based on the step. For example, the step is 5. If you create a rule but do not assign a rule ID, the system automatically assigns the minimal ID (which is larger than that of the previous rule and its number takes 5 as the base and increases by 5) to the rule.

Suppose that you do not specify the rule ID for rule 1; the system assigns 5 to the rule. When creating rule 2, you assign 12 to it. Then you do not specify the rule ID for rule 3. In this case, the system assigns 15 (larger than 12) to it. Therefore, the IDs of the three rules in the ACL are 5, 12, and 15 respectively.

With the step mechanism, rule IDs are reserved between the rules in an ACL for later use. In this example, to ensure that rule 4 takes effect between rule 2 and rule 3, you can specify 13 as the ID for the rule during the creation. Through the dynamic insertion of new rules between two rules, you can control the order in which the rules in the ACL take effect.
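The step and matching-order behaviour described above, modelled as an added Python example (not Huawei code and not part of the original page). The `Acl` class, its method names and the 10.0.x.0/24 sample networks are constructed for illustration; "auto" is simplified here to compare source ranges only, with the rule ID as an assumed tie-breaker.

```python
import ipaddress

class Acl:
    """Toy model of one ACL: rule-ID stepping plus config/auto match order."""

    def __init__(self, step=5, match_order="config"):
        self.step = step
        self.match_order = match_order
        self.rules = {}  # rule_id -> (action, source network)

    def add_rule(self, action, source, rule_id=None):
        if rule_id is None:
            # Smallest multiple of the step that is larger than every existing ID.
            highest = max(self.rules, default=0)
            rule_id = (highest // self.step + 1) * self.step
        if rule_id in self.rules:
            raise ValueError(f"rule {rule_id} exists; rule IDs cannot be changed")
        self.rules[rule_id] = (action, ipaddress.ip_network(source))
        return rule_id

    def evaluate(self, src):
        """Return (rule_id, action) of the deciding rule, or None if no rule matches."""
        addr = ipaddress.ip_address(src)
        hits = [(rid, act, net) for rid, (act, net) in self.rules.items() if addr in net]
        if not hits:
            return None
        if self.match_order == "auto":
            # Narrowest source range wins; rule ID breaks ties (assumption).
            rid, act, _ = min(hits, key=lambda h: (-h[2].prefixlen, h[0]))
        else:
            # Configuration order: lowest rule ID wins and matching stops there.
            rid, act, _ = min(hits, key=lambda h: h[0])
        return rid, act

def step_demo():
    """Replays the page's 5, 12, 15 example, then inserts rule 13 between 12 and 15."""
    acl = Acl(step=5)
    ids = [acl.add_rule("permit", "10.0.1.0/24"),
           acl.add_rule("permit", "10.0.2.0/24", rule_id=12),
           acl.add_rule("permit", "10.0.3.0/24")]
    ids.append(acl.add_rule("deny", "10.0.4.0/24", rule_id=13))
    return ids, sorted(acl.rules)

def shadow_demo(order):
    """The page's permit-/24 then deny-host pair, evaluated for 192.168.1.100."""
    acl = Acl(match_order=order)
    acl.add_rule("permit", "192.168.1.0/24")    # auto-assigned ID 5
    acl.add_rule("deny", "192.168.1.100/32")    # auto-assigned ID 10
    return acl.evaluate("192.168.1.100")
```

In the default configuration order the broad permit at rule 5 decides the packet before the host deny at rule 10 is reached, so a narrow deny has to be given a lower rule ID than the permit it is meant to carve out of.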

Configuring ACLs for the USG2000&5000
The USG2000&5000 series supports configuring ACLs using the CLI.

    acl [ number ] acl-number [ vpn-instance vpn-instance-name ] [ match-order { config | auto } ]
    undo acl { all | [ number ] acl-number }

The default matching order is config. An access control list contains a series of rules with permit or deny statements. You need to first create an access control list and then configure its rules.

Example
# Create an ACL numbered 2000.

    system-view
    [sysname] acl number 2000
    [sysname-acl-basic-2000]

Configuring SSH on the USG2000&5000
Configure SSH on the USG2000&5000 as follows:

Configuration roadmap: USG_A serves as the client, and USG_B as the SSH server.
1. Create an SSH user on USG_B.
2. Generate a local key pair on USG_B.
3. Enable the STelnet/SFTP service on USG_B.
4. Log in to USG_B through USG_A on the client.

Changing the administrator level on the USG2000&5000
Change the administrator level on the USG2000&5000 as follows:

    system-view
    Enter system view, return user view with Ctrl+Z.
    [USG5100] aaa
    [USG5100-aaa] local-user admin level ?
      INTEGER<0-15>  Value
      audit          Audit level
    //The level available ranges from 0 to 15. In normal cases, the administrator permission of level 3 is proper. The audit level indicates the permission of auditing the administrator.//
    [USG5100-aaa] local-user admin level 3 //Indicates setting the permission of the admin account to the level-3 management level.//
