




Using a single USG5310 to achieve special policy control.

Publication Date:  2012-10-18 Views:  143 Downloads:  0

Issue Description

1.1 Topology

1.2 Synopsis
As shown in the topology figure, the USG5320 connects to a Layer 2 access switch, and this switch connects to the internal network server and the user PCs. The customer wants a special policy that controls how students and teachers use the same PC: when a student uses the PC, it can only access internal network resources; when a teacher uses the PC, it can access both internal network resources and the external network.
1.3 Failure symptom description
(1) The customer's request cannot be met with a packet filter based on the source IP address. The IP address of the PC is fixed and does not change no matter whether a student or a teacher is using it. As long as the USG5320 allows the IP address of this PC to undergo NAT translation, whoever uses the PC can access the external network, so the students' Internet access behaviour cannot be controlled.

Alarm Information


Handling Process

How can this special customer request be met with a single USG5320? Packet filter control and NAT policy control by matching the source IP address do not work, and Internet access behaviour cannot be controlled by differentiating IP addresses either. Can students and teachers be differentiated by identity authentication instead? The USG5320 cannot implement the linkage function of TSM, so how can an identity authentication similar to TSM be configured on a single USG5320?

After some bold thinking and careful analysis, the customer's request can be met by dial-up: the teacher dials in to the USG5320 over L2TP with an account and password. After the dial-up succeeds, the USG5320 assigns a virtual IP address from its address pool to the PC. In the NAT configuration of the USG5320, only the addresses assigned by L2TP are allowed to undergo NAT translation, so only an address obtained from the address pool after a successful L2TP dial-up can reach the external network.

Only the teacher knows the dial-up user name and password; the students do not. When a student uses the PC, it can therefore only access the internal network. When a teacher uses the PC and wants to access the external network, they use the user name and password to dial in over L2TP, and after passing the dial-up authentication they can access the external network. (PPPoE dial-up is also feasible for this request.)
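As an added example (not from the article and not Huawei's own configuration), this Python script models the policy logic described above, the NAT rule that matches only the L2TP address pool rather than the PC's fixed LAN address, and runs the design checks a practitioner would want before relying on it. All address ranges are constructed assumptions.

```python
import ipaddress

# Constructed sample addressing (an assumption, not taken from the article):
# the classroom PC keeps a fixed LAN address, while the L2TP server assigns a
# virtual address from a separate pool only after a successful login.
LAN_SUBNET = "192.168.1.0/24"
PC_FIXED_IP = "192.168.1.50"
L2TP_POOL = "10.10.10.0/24"

# The NAT policy as the article describes it: a source address is translated
# toward the external network only if it belongs to the L2TP address pool.
NAT_ALLOWED_SOURCES = [L2TP_POOL]


def check_policy_design(lan, pool, nat_sources):
    """Design checks worth running before relying on this scheme.
    Returns a list of problems; an empty list means the design holds."""
    lan = ipaddress.ip_network(lan)
    pool = ipaddress.ip_network(pool)
    nat_sources = [ipaddress.ip_network(n) for n in nat_sources]
    problems = []
    if lan.overlaps(pool):
        problems.append("L2TP pool overlaps the LAN subnet")
    if any(src.overlaps(lan) for src in nat_sources):
        problems.append("NAT source rule covers fixed LAN addresses, so students would be translated")
    if not any(pool.subnet_of(src) for src in nat_sources):
        problems.append("NAT source rule does not cover the L2TP pool, so teachers get no Internet access")
    return problems


def nat_decision(src_ip, nat_sources):
    """'nat' if the source is translated to the external network, else 'internal-only'."""
    ip = ipaddress.ip_address(src_ip)
    return "nat" if any(ip in ipaddress.ip_network(n) for n in nat_sources) else "internal-only"


def simulate_session(dialed_in, assigned_ip=None):
    """Same physical PC: traffic carries the fixed LAN address unless an
    L2TP session is up, in which case it carries the assigned pool address."""
    src = assigned_ip if dialed_in else PC_FIXED_IP
    return nat_decision(src, NAT_ALLOWED_SOURCES)


if __name__ == "__main__":
    print("design problems:", check_policy_design(LAN_SUBNET, L2TP_POOL, NAT_ALLOWED_SOURCES))
    print("student (no dial-up):", simulate_session(False))
    print("teacher (L2TP up, pool address 10.10.10.5):", simulate_session(True, "10.10.10.5"))
    # A careless NAT rule that matches any source defeats the whole design.
    print("any-source NAT rule:", check_policy_design(LAN_SUBNET, L2TP_POOL, ["0.0.0.0/0"]))
```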

Root Cause



We must approach the varied requests raised by customers with a bold vision and verify them carefully. When we encounter an unusual question, we must not simply reply to the customer that it cannot be achieved; we must reach a conclusion only after careful thinking and analysis, even if that means setting up a test environment.