RIP configuration of USG firewalls


Configure RIP on the USG2000 or USG5000 as follows:
1. Run the system-view command to enter the system view.

2. Run the rip [ process-id ] command to enable a RIP process and enter the RIP view.

If RIP commands were configured in the interface view before the RIP process was enabled, they take effect only once the process is enabled.
3. Run the network network-address command to enable RIP on the interfaces in the specified network segment.
RIP runs only on interfaces whose addresses fall within the specified segment. On other interfaces RIP neither sends nor receives routes and does not advertise the interface route. Therefore, after enabling the RIP process, you must specify the network segment. The network-address is the natural (classful) network address, for example 10.0.0.0 rather than 10.1.1.0.
By default, after the RIP process is enabled, RIP is still disabled on every interface until the network command is run.
Note:
A physical interface can belong to only one RIP process; its addresses cannot be split across different RIP processes.

4. Configure the RIP version. By default, an interface receives both RIP-1 and RIP-2 packets but sends only RIP-1 packets. When the interface runs RIP-2, you can also specify whether RIP-2 packets are sent as broadcast or multicast. If no RIP version is configured on the interface, the global version applies.
Configure the global RIP version by running the version { 1 | 2 } command in the RIP view.
Configure the RIP version for an interface:
a. Run the system-view command to enter the system view.
b. Run the interface interface-type interface-number command to enter the interface view.
c. Run the rip version { 1 | 2 [ broadcast | multicast ] } command to specify the RIP version of the interface.
Use RIP-2 wherever possible: RIP-1 packets carry neither an authentication entry nor a subnet mask, so the authentication modes described under "RIP authentication mode of USG firewalls" below apply only to RIP-2. Prefer multicast over broadcast unless a RIP-1-only neighbor on the segment must also receive the updates.

Other related questions:
RIP authentication mode of USG firewalls
The RIP authentication mode on the USG2000, USG5000, and USG6000 is configured with the rip authentication-mode command.
Command function: The rip authentication-mode command configures the authentication mode and parameters for RIP-2 packets on an interface. An interface holds only one authentication word; a newly configured word overwrites the old one. The undo rip authentication-mode command cancels authentication on the interface.
Command format:
rip authentication-mode { simple password | md5 { nonstandard password key-id | usual password } }
undo rip authentication-mode
Parameter description:
- simple: plain-text authentication. The password is carried unencrypted in every RIP packet, so anyone who can capture traffic on the segment learns it.
- md5: cipher-text authentication using a keyed Message Digest 5 (MD5) hash.
- nonstandard: the MD5 authentication packets use a non-standard, vendor-private packet format.
- usual: the MD5 authentication packets use the universal packet format (IETF standard). Use this format when the neighbor is a non-Huawei router.
- password: the authentication word. A plain-text value is 1 to 16 characters long; a cipher-text value is 32 characters long. In the displayed configuration the password is always shown in cipher text.
- key-id: the MD5 authentication key identifier. Value range: 1 to 255.
Example: set MD5 authentication in the universal format with the authentication word rose.
<sysname> system-view
[sysname] interface GigabitEthernet 0/0/1
[sysname-GigabitEthernet0/0/1] rip authentication-mode md5 usual rose
Use md5 rather than simple in production: a keyed MD5 digest lets a neighbor detect forged or modified updates without the key ever appearing on the wire, whereas simple only deters neighbors that have no password at all. The authentication word rose is a placeholder; choose a long random value and configure the same value on every RIP neighbor on the segment.
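The difference between simple and md5 usual, and the reason the version step above matters (only RIP-2 carries an authentication entry), shows up in the packet bytes. The following is an added example, not code from this page or from Huawei: a minimal RIP-2 packet builder and verifier in Python that follows the RFC 1723 layout for type 2 (plain-text password) and the RFC 2082 layout for type 3 (keyed MD5 with a key-id, sequence number and trailing digest), which is the IETF-standard format the usual keyword selects. The neighbor address, the advertised route, the key-id and the strictly increasing sequence-number policy are this example's own assumptions; the firewall's exact replay handling may differ.

```python
"""RIP-2 authentication on the wire: 'simple' (RFC 1723 type 2) vs keyed MD5 (RFC 2082 type 3).

Added example; the route, neighbor and key-id below are constructed for illustration.
"""
from __future__ import annotations

import hashlib
import hmac
import socket
import struct

RIP_RESPONSE = 2
RIP_VERSION_2 = 2
AFI_AUTH = 0xFFFF
AUTH_SIMPLE = 2       # RFC 1723: 16-byte plain-text password in the first entry
AUTH_KEYED_MD5 = 3    # RFC 2082: keyed MD5, the "md5 usual" format
AUTH_TRAILER = 1      # marks the trailing entry that carries the digest
ENTRY_LEN = 20
MD5_LEN = 16


def route_entry(prefix: str, mask: str, metric: int, next_hop: str = "0.0.0.0", tag: int = 0) -> bytes:
    """One 20-byte RIP-2 route entry (AFI 2 = IP)."""
    return struct.pack("!HH4s4s4sI", 2, tag, socket.inet_aton(prefix),
                       socket.inet_aton(mask), socket.inet_aton(next_hop), metric)


def _header() -> bytes:
    return struct.pack("!BBH", RIP_RESPONSE, RIP_VERSION_2, 0)


def _pad_key(key: bytes) -> bytes:
    return key.ljust(MD5_LEN, b"\0")[:MD5_LEN]


def build_simple_auth(password: bytes, routes: list[bytes]) -> bytes:
    """'simple' mode: the password rides in clear text as the first entry."""
    auth = struct.pack("!HH16s", AFI_AUTH, AUTH_SIMPLE, password.ljust(16, b"\0"))
    return _header() + auth + b"".join(routes)


def build_keyed_md5(key_id: int, key: bytes, seq: int, routes: list[bytes]) -> bytes:
    """'md5 usual' mode (RFC 2082): auth entry up front, 16-byte digest in a trailer."""
    packet_len = 4 + ENTRY_LEN * (1 + len(routes))          # everything before the trailer
    auth = struct.pack("!HHHBBI8x", AFI_AUTH, AUTH_KEYED_MD5, packet_len, key_id, MD5_LEN, seq)
    body = _header() + auth + b"".join(routes)
    trailer = struct.pack("!HH", AFI_AUTH, AUTH_TRAILER)
    # The digest covers the packet with the zero-padded key standing in for the digest field,
    # so the key itself never leaves the router.
    digest = hashlib.md5(body + trailer + _pad_key(key)).digest()
    return body + trailer + digest


def verify_keyed_md5(pkt: bytes, keys: dict[int, bytes], last_seq: dict[str, int], neighbor: str):
    """Receiver side: returns (accepted, reason). last_seq holds per-neighbor replay state."""
    if len(pkt) < 4 + ENTRY_LEN or pkt[1] != RIP_VERSION_2:
        return False, "not a RIP-2 packet"
    afi, atype, packet_len, key_id, auth_len, seq = struct.unpack("!HHHBBI", pkt[4:16])
    if afi != AFI_AUTH or atype != AUTH_KEYED_MD5:
        return False, "no keyed-MD5 authentication entry"
    if auth_len != MD5_LEN or packet_len + 4 + MD5_LEN != len(pkt):
        return False, "bad length fields"
    body, trailer = pkt[:packet_len], pkt[packet_len:packet_len + 4]
    if trailer != struct.pack("!HH", AFI_AUTH, AUTH_TRAILER):
        return False, "missing authentication trailer"
    key = keys.get(key_id)
    if key is None:
        return False, f"unknown key-id {key_id}"
    expected = hashlib.md5(body + trailer + _pad_key(key)).digest()
    if not hmac.compare_digest(expected, pkt[packet_len + 4:]):
        return False, "digest mismatch (wrong key or packet modified)"
    if seq <= last_seq.get(neighbor, -1):                    # this example's strict replay policy
        return False, f"replayed or stale sequence number {seq}"
    last_seq[neighbor] = seq
    return True, "ok"


def demo() -> dict:
    """Constructed sample: 192.0.2.2 advertises 10.1.2.0/24 with each authentication mode."""
    routes = [route_entry("10.1.2.0", "255.255.255.0", 1)]
    keys = {1: b"rose"}                                       # key-id 1 -> the page's example word
    state: dict[str, int] = {}
    nbr = "192.0.2.2"

    simple = build_simple_auth(b"rose", routes)
    md5_pkt = build_keyed_md5(1, b"rose", seq=100, routes=routes)

    accepted = verify_keyed_md5(md5_pkt, keys, state, nbr)[0]
    replay = verify_keyed_md5(md5_pkt, keys, state, nbr)      # identical packet resent
    tampered = bytearray(md5_pkt)
    tampered[4 + ENTRY_LEN + ENTRY_LEN - 1] = 16             # flip the metric byte 1 -> 16 (unreachable)
    tamper = verify_keyed_md5(bytes(tampered), keys, state, nbr)
    wrong_key = verify_keyed_md5(build_keyed_md5(1, b"lily", 101, routes), keys, state, nbr)

    return {
        "simple_password_in_clear": b"rose" in simple,
        "md5_password_in_clear": b"rose" in md5_pkt,
        "md5_accepted": accepted,
        "replay_rejected": not replay[0],
        "tamper_rejected": not tamper[0],
        "wrong_key_rejected": not wrong_key[0],
        "packet_len": len(md5_pkt),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The keyed digest protects origin and integrity only: the advertised routes stay readable to anyone on the segment, and a captured packet cannot be modified or replayed with an old sequence number, but it also does not hide the topology. That is the guarantee md5 usual buys you over simple, whose password a single capture reveals.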

Configuring the RIP priority on the firewall
The RIP priority (route preference) on the USG2000, USG5000, and USG6000 is modified in the RIP view:
[USG] rip
[USG-rip-1] preference 80
A lower value is preferred when several protocols offer a route to the same destination. Weigh the value against the other protocols on the device (on VRP, static routes default to a preference of 60 and RIP to 100): setting RIP below the static-route preference lets any accepted RIP advertisement override a static route, so do that only on segments where RIP authentication is enabled.

USG firewall configuration saving
If the configuration is not saved, or the save fails, it is lost on reboot. Save the configuration on a USG firewall as follows:
1. CLI:
<USG> save   //Save the current configuration.
11:36:31 2015/03/04
The current configuration will be written to the device.
Are you sure you want to continue?[Y/N]y   //Enter y to confirm.
Now saving the current configuration to the device............................................
Info: The current configuration was saved to the device successfully.
2. Web UI: Click the Save button in the upper right corner of the web UI. In the displayed window, select Overwrite the configuration file used for next boot, and click OK.

Configuration of the security association on the USG firewalls
Create an IPSec SA in IKE negotiation mode.
1. Networking: the communication between network A and network B must be carried over an IPSec tunnel established between USG_A and USG_B, which encrypts the data in transit. The internal network segment of network A is 10.1.1.0/24 and the public IP address of USG_A is 202.38.163.1/24. The internal network segment of network B is 10.1.2.0/24 and the public IP address of USG_B is 202.38.169.1/24.
Network A---USG_A----INTERNET----USG_B---Network B
2. The configuration procedure is as follows (USG_A first, then the mirror configuration on USG_B):
[USG_A] acl 3000   //Configure ACL rules that match the traffic to be protected.
[USG_A-acl-adv-3000] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
[USG_A-acl-adv-3000] quit
[USG_A] ip route-static 10.1.2.0 255.255.255.0 202.38.163.2   //Configure the route towards the remote network.
[USG_A] ipsec proposal tran1   //Configure the IPSec security proposal.
[USG_A-ipsec-proposal-tran1] encapsulation-mode tunnel
[USG_A-ipsec-proposal-tran1] transform esp
[USG_A-ipsec-proposal-tran1] esp authentication-algorithm sha1
[USG_A-ipsec-proposal-tran1] esp encryption-algorithm aes
[USG_A-ipsec-proposal-tran1] quit
[USG_A] ike proposal 10   //Configure the IKE security proposal.
[USG_A-ike-proposal-10] authentication-method pre-share
[USG_A-ike-proposal-10] authentication-algorithm sha1
[USG_A-ike-proposal-10] integrity-algorithm hmac-sha1-96
[USG_A-ike-proposal-10] quit
[USG_A] ike peer b   //Configure the IKE peer.
[USG_A-ike-peer-b] ike-proposal 10
[USG_A-ike-peer-b] remote-address 202.38.169.1
[USG_A-ike-peer-b] pre-shared-key abcde
[USG_A-ike-peer-b] quit
[USG_A] ipsec policy map1 10 isakmp   //Configure the IPSec security policy.
[USG_A-ipsec-policy-isakmp-map1-10] security acl 3000
[USG_A-ipsec-policy-isakmp-map1-10] proposal tran1
[USG_A-ipsec-policy-isakmp-map1-10] ike-peer b
[USG_A-ipsec-policy-isakmp-map1-10] quit
[USG_A] interface GigabitEthernet 0/0/2
[USG_A-GigabitEthernet0/0/2] ipsec policy map1   //Apply the security policy to the public interface.
[USG_B] acl 3000   //Configure ACL rules that match the traffic to be protected.
[USG_B-acl-adv-3000] rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
[USG_B-acl-adv-3000] quit
[USG_B] ip route-static 10.1.1.0 255.255.255.0 202.38.169.2   //Configure the route towards the remote network.
[USG_B] ipsec proposal tran1   //Configure the IPSec security proposal.
[USG_B-ipsec-proposal-tran1] encapsulation-mode tunnel
[USG_B-ipsec-proposal-tran1] transform esp
[USG_B-ipsec-proposal-tran1] esp authentication-algorithm sha1
[USG_B-ipsec-proposal-tran1] esp encryption-algorithm aes
[USG_B-ipsec-proposal-tran1] quit
[USG_B] ike proposal 10   //Configure the IKE security proposal.
[USG_B-ike-proposal-10] authentication-method pre-share
[USG_B-ike-proposal-10] authentication-algorithm sha1
[USG_B-ike-proposal-10] integrity-algorithm hmac-sha1-96
[USG_B-ike-proposal-10] quit
[USG_B] ike peer a   //Configure the IKE peer.
[USG_B-ike-peer-a] ike-proposal 10
[USG_B-ike-peer-a] remote-address 202.38.163.1
[USG_B-ike-peer-a] pre-shared-key abcde
[USG_B-ike-peer-a] quit
[USG_B] ipsec policy map1 10 isakmp   //Configure the IPSec security policy.
[USG_B-ipsec-policy-isakmp-map1-10] security acl 3000
[USG_B-ipsec-policy-isakmp-map1-10] proposal tran1
[USG_B-ipsec-policy-isakmp-map1-10] ike-peer a
[USG_B-ipsec-policy-isakmp-map1-10] quit
[USG_B] interface GigabitEthernet 0/0/2
[USG_B-GigabitEthernet0/0/2] ipsec policy map1   //Apply the security policy to the public interface.
Notes on this example:
- The pre-shared key abcde is a placeholder. Use a long random key, configure the identical value on both peers, and do not reuse it across tunnels.
- The two ACLs must mirror each other exactly (USG_A protects 10.1.1.0/24 to 10.1.2.0/24, USG_B protects 10.1.2.0/24 to 10.1.1.0/24); a mismatch is a common cause of a tunnel that completes IKE negotiation but carries no traffic.
- The IKE proposal above sets no encryption algorithm or Diffie-Hellman group, so the device defaults apply; check them with display ike proposal and raise them if they are weaker than your policy. SHA-1 is kept here because it is what the page shows; prefer SHA-2 where both peers support it.
- After the configuration, verify that the SAs are established with display ike sa and display ipsec sa.

DHCP snooping configuration on USG firewalls
You can configure DHCP snooping on USG firewalls as follows. DHCP snooping is a DHCP security feature: it protects against DHCP denial-of-service attacks, DHCP server spoofing, ARP man-in-the-middle attacks, and IP/MAC spoofing by DHCP clients. Its most commonly used function is to prevent clients from obtaining IP addresses from any DHCP server other than the firewall (for example a privately connected home router). Note that the firewall does not stop users from attaching such routers; it only discards the DHCP replies they send through untrusted interfaces.
The key configuration is as follows:
1. Enable DHCP snooping globally and on the interfaces.
[USG] dhcp snooping enable
[USG] interface GigabitEthernet 0/0/1
[USG-GigabitEthernet0/0/1] dhcp snooping enable
[USG-GigabitEthernet0/0/1] quit
[USG] interface GigabitEthernet 0/0/2
[USG-GigabitEthernet0/0/2] dhcp snooping enable
[USG-GigabitEthernet0/0/2] quit
2. Configure the trusted interface to prevent DHCP server spoofing. Set the interface connected to the DHCP server to trusted and leave the interfaces connected to DHCP clients untrusted (once DHCP snooping is enabled on an interface it is untrusted by default, so DHCP server replies arriving on it are dropped).
[USG] interface GigabitEthernet 0/0/2
[USG-GigabitEthernet0/0/2] dhcp snooping trusted
[USG-GigabitEthernet0/0/2] quit
Note: DHCP snooping on the firewall takes effect only when the firewall itself is the DHCP server or the DHCP server is upstream of the firewall, so that DHCP packets traverse it. If the DHCP server is a downstream switch connected to the USG, DHCP packets never pass through the firewall and this configuration has no effect; configure DHCP snooping on that switch instead. For details, see DHCP Snooping Configuration on USG Firewalls.
