Chinaunix首页 | 论坛 | 博客

Linux 防火墙network527.blog.chinaunix.net

首页 |  博文目录 |  关于我

network527

  • 博客访问: 1413615
  • 博文数量: 269
  • 博客积分: 3602
  • 博客等级: 中校
  • 技术积分: 4536
  • 用 户 组: 普通用户
  • 注册时间: 2012-04-17 21:13
文章分类

全部博文(269)

文章存档

2014年(8)

2013年(139)

2012年(122)

我的朋友
最近访客
推荐博文
cisco 3560 交换机 的限速策略

分类:

2012-07-17 14:55:58

有位网友做的一个小项目,配置觉得比较典型:

以下经过测试

客户要求对每个子网限制速度和dhcp

具体需要:

划分4个子网 分别为客房 办公室 等

每个vlan对应一个子网

分别对每个子网进行限速(其实不用每个子网都限速,我觉得只要把需要控制的子网进行限制就可以了,客户要求)

每个vlan对应的子网 对应一个dhcp pool

还有控制vlan间的访问


Building configuration...

Current configuration : 5340 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname aaa
!
!
no aaa new-model
subnet-zero
ip routing
ip dhcp excluded-address 192.168.2.144

!
ip dhcp pool officedhcp---------定义dhcp pool
network 192.168.6.0 255.255.255.0
dns-server 202.99.96.68
default-router 192.168.6.1
!
ip dhcp pool golfdhcp
network 192.168.2.0 255.255.255.0
dns-server 202.99.96.68
default-router 192.168.2.1
!
ip dhcp pool kefangdhcp
network 192.168.4.0 255.255.255.0
dns-server 202.99.96.68
default-router 192.168.4.1
!
ip dhcp pool hanzhoudhcp
network 192.168.3.0 255.255.255.0
dns-server 202.99.96.68
default-router 192.168.3.1
!
!
mls qos
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
class-map match-all hanzhoulimit---定义类
match access-group 103
class-map match-all officelimit
match access-group 106
class-map match-all kefanglimit
match access-group 102
class-map match-all golflimit
match access-group 105
!
!
policy-map down----速度限制
class officelimit
police 3072000 160000 exceed-action drop
trust dscp
class golflimit
police 2048000 160000 exceed-action drop
class kefanglimit
police 2048000 16000 exceed-action drop
class hanzhoulimit
police 3072000 16000 exceed-action drop
!
!
!
interface FastEthernet0/1
service-policy input down
!
interface FastEthernet0/2
!
interface FastEthernet0/3
switchport access vlan 2
switchport mode access
!
interface FastEthernet0/4
switchport access vlan 2
switchport mode access
!
interface FastEthernet0/5
switchport access vlan 2
switchport mode access
!
interface FastEthernet0/6
switchport access vlan 3
switchport mode access
!
interface FastEthernet0/7
switchport access vlan 3
switchport mode access
!
interface FastEthernet0/8
switchport access vlan 3
switchport mode access
!
interface FastEthernet0/9
switchport access vlan 3
switchport mode access
!
interface FastEthernet0/10
switchport access vlan 4
switchport mode access
!
interface FastEthernet0/11
switchport access vlan 4
switchport mode access
!
interface FastEthernet0/12
switchport access vlan 4
switchport mode access
!
interface FastEthernet0/13
switchport access vlan 4
switchport mode access
!
interface FastEthernet0/14
switchport access vlan 4
switchport mode access
!
interface FastEthernet0/15
switchport access vlan 4
switchport mode access
!
interface FastEthernet0/16
switchport access vlan 5
switchport mode access
!
interface FastEthernet0/17
switchport access vlan 5
switchport mode access
!
interface FastEthernet0/18
switchport access vlan 5
switchport mode access
!
interface FastEthernet0/19
switchport access vlan 5
switchport mode access
!
interface FastEthernet0/20
switchport access vlan 5
switchport mode access
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2

interface Vlan1
ip address 192.168.0.2 255.255.255.0
!
interface Vlan2

ip address 192.168.3.1 255.255.255.0
ip access-group 123 in
!
interface Vlan3

ip address 192.168.4.1 255.255.255.0
ip access-group 124 in
!
interface Vlan4

ip address 192.168.2.1 255.255.255.0
ip access-group 122 in
!
interface Vlan5

ip address 192.168.6.1 255.255.255.0
ip access-group 126 in

ip classless
ip route 0.0.0.0 0.0.0.0 192.168.0.1
ip http server
!
!
access-list 102 permit ip any 192.168.2.0 0.0.0.255
access-list 103 permit ip any 192.168.3.0 0.0.0.255
access-list 105 permit ip any 192.168.5.0 0.0.0.255
access-list 106 permit ip any 192.168.6.0 0.0.0.255
access-list 122 permit ip host 192.168.2.133 192.168.3.0 0.0.0.255
access-list 122 permit ip host 192.168.2.133 192.168.4.0 0.0.0.255
access-list 122 permit ip host 192.168.2.133 192.168.6.0 0.0.0.255
access-list 122 deny ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 122 deny ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 122 deny ip 192.168.2.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 122 permit ip any any
access-list 123 permit ip 192.168.3.0 0.0.0.255 host 192.168.2.144
access-list 123 deny ip 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 123 deny ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 123 deny ip 192.168.3.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 123 permit ip any any
access-list 124 permit ip 192.168.4.0 0.0.0.255 host 192.168.2.144
access-list 124 deny ip 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 124 deny ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 124 deny ip 192.168.4.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 124 permit ip any any
access-list 126 permit ip 192.168.6.0 0.0.0.255 host 192.168.2.144
access-list 126 deny ip 192.168.6.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 126 deny ip 192.168.6.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 126 deny ip 192.168.6.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 126 permit ip any any
!
control-plane
!
!
line con 0
line vty 5 15
!
!
end

阅读(974) | 评论(0) | 转发(0) |
0

上一篇:Cisco IOS防火墙 CBAC IP inspect

下一篇:思科交换机主流交换机的镜像配置方法

给主人留下些什么吧!~~
关于我们 | 关于IT168 | 联系方式 | 广告合作 | 法律声明 | 免费注册

Copyright 2001-2010 ChinaUnix.net All Rights Reserved 北京皓辰网域网络信息技术有限公司. 版权所有

感谢所有关心和支持过ChinaUnix的朋友们

16024965号-6