
Cisco ASA downstream bandwidth limiting (.docx)

Uploaded by: ysd1539  Document ID: 6814234  Upload date: 2019-04-23  Format: DOCX  Pages: 6  Size: 21.56 KB

ciscoasa# show run
: Saved
:
ASA Version 7.2(4)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address pppoe setroute
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 202.96.209.5
 name-server 202.96.209.133
access-list 100 extended permit icmp any any
access-list 101 extended permit ip host 192.168.1.3 any
access-list 102 extended permit ip any host 192.168.1.2
access-list 102 extended permit ip any host 192.168.1.4
access-list 10 standard permit host 192.168.1.2
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group adsl request dialout pppoe
vpdn group adsl localname ad44307623
vpdn group adsl ppp authentication pap
vpdn username ad44307623 password *
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.129 inside
dhcpd enable inside
!
class-map ca
 match access-list 102
!
policy-map sa
 class ca
  police output 300000 1000 conform-action drop
  police input 300000 1000 conform-action drop
!
service-policy sa interface inside
prompt hostname context
Cryptochecksum:50b9469aa380be259190f5776ab24376
: end
ciscoasa#

Rate limiting on an ASA5520
2009-08-14 15:22

Customer requirement: on a 10M line, one specified network segment is to get 2M and another segment 4M, so that BitTorrent use by internal staff does not affect the speed of the other segments.

The simulated environment is as follows:
192.168.1.34 (FTP server) - ASA - 192.168.2.2
outside: 192.168.1.55
inside: 192.168.2.2
Download tools used for testing: FeiQ (飞秋), Xunlei (迅雷)

interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.168.1.55 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
access-list 200k extended permit ip any host 192.168.2.2
access-list 500k extended permit ip any host 192.168.2.3
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
class-map 200k
 match access-list 200k
! Both directions must be used, otherwise it does not work.
! It must be applied to the inside interface; the outside interface does not work.
policy-map xiansu
 class 200k
  police input 2096000 1048
  police output 2096000 1048
service-policy xiansu interface inside

After testing, the rate limit worked!
To summarize: because of NAT, QoS on the ASA can only be done on the inside interface!
In addition, add both police input 2096000 1048 and police output 2096000 1048, for inbound and outbound.
The burst size can be calculated with the formula: maximum rate / 8 * 1.5.

Best answer

Define an access control list. x.x.x.x is the single IP whose downstream speed is to be limited. If many IPs need to be limited, write them one after another, or define them with the object-group network command.

access-list 101 extended permit ip any host x.x.x.x
access-list 101 extended permit ip any host y.y.y.y

Define a class, as follows:

class-map xiansu
 match access-list 101

Define the policy. The first * is the permitted rate and the second * is the burst size; you can experiment with the values yourself.

policy-map xiansu
 class xiansu
  police input * *
  police output * *

Apply it to the interface:

service-policy xiansu interface outside

A question about rate limiting on an ASA 5510

access-list host112 extended permit ip host 192.168.100.112 any
access-list host112 extended permit ip any host 192.168.100.112
class-map map112
 match access-list host112
class-map inspection_default
 match default-inspection-traffic
policy-map map112
 class map112
  police output 819000 1228800
  police input 819000 1228800
service-policy map112 interface inside

Using show service-policy interface inside:

Interface inside:
 Service-policy: map112
  Class-map: map112
   Output police Interface inside:
    cir 819000 bps, bc 1228800 bytes
    conformed 86658 packets, 85958899 bytes; actions: transmit
    exceeded 21015 packets, 12632393 bytes; actions: drop
    conformed 0 bps, exceed 0 bps
   Input police Interface inside:
    cir 819000 bps, bc 1228800 bytes
    conformed 72053 packets, 13242533 bytes; actions: transmit
    exceeded 0 packets, 0 bytes; actions: drop
    conformed 0 bps, exceed 0 bps

This shows it is already working, but now I want to leave one network segment unrestricted, for example 10.0.0.0 255.0.0.0. How should the access-list be configured?
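
The burst rule of thumb quoted earlier on this page (maximum rate / 8 * 1.5) can be checked against the police statements the page itself contains. The following is an added example, not part of the original document or of any Cisco tool; the function names are hypothetical and the sample input is constructed from the police lines shown above.

```python
import re

# Constructed sample: the police statements that appear in this page's configs.
SAMPLE = """\
police output 300000 1000 conform-action drop
police input 300000 1000 conform-action drop
police input 2096000 1048
police output 2096000 1048
police output 819000 1228800
police input 819000 1228800
"""

# police {input|output} <rate bps> [<burst bytes>] [conform-action {drop|transmit}]
POLICE_RE = re.compile(
    r"^\s*police\s+(input|output)\s+(\d+)(?:\s+(\d+))?"
    r"(?:\s+conform-action\s+(drop|transmit))?",
    re.M,
)

def rule_of_thumb_burst(rate_bps):
    """Burst in bytes from the page's formula: maximum rate / 8 * 1.5."""
    return int(rate_bps / 8 * 1.5)

def audit(config):
    """Return one finding per police statement found in the config text."""
    findings = []
    for m in POLICE_RE.finditer(config):
        rate = int(m.group(2))
        burst = int(m.group(3)) if m.group(3) else None
        conform = m.group(4) or "transmit"  # transmit is the default conform action
        suggested = rule_of_thumb_burst(rate)
        notes = []
        if conform == "drop":
            notes.append("conform-action drop discards in-profile traffic")
        if burst is not None and burst != suggested:
            notes.append(f"burst {burst} differs from rule of thumb {suggested}")
        findings.append({
            "direction": m.group(1),
            "rate_bps": rate,
            "burst_bytes": burst,
            "suggested_burst": suggested,
            "notes": notes,
        })
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Run against the sample, none of the configured burst values equals what the formula yields, and the two statements from the first configuration drop traffic that conforms to the rate.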
