ciscoasa# show run
: Saved
:
ASA Version 7.2(4)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address pppoe setroute
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 202.96.209.5
 name-server 202.96.209.133
access-list 100 extended permit icmp any any
access-list 101 extended permit ip host 192.168.1.3 any
access-list 102 extended permit ip any host 192.168.1.2
access-list 102 extended permit ip any host 192.168.1.4
access-list 10 standard permit host 192.168.1.2
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group adsl request dialout pppoe
vpdn group adsl localname ad44307623
vpdn group adsl ppp authentication pap
vpdn username ad44307623 password *
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.129 inside
dhcpd enable inside
!
class-map ca
 match access-list 102
!
policy-map sa
 class ca
  police output 300000 1000 conform-action drop
  police input 300000 1000 conform-action drop
!
service-policy sa interface inside
prompt hostname context
Cryptochecksum:50b9469aa380be259190f5776ab24376
: end
ciscoasa#


Rate limiting on an ASA5520    2009-08-14 15:22

Customer requirement: a 10M line; one subnet is to be capped at 2M and another at 4M, so that BitTorrent use by internal staff does not affect the speed of the other subnets.

The simulated environment is as follows: 192.168.1.34 (FTP server) - ASA - 192.168.2.2; outside: 192.168.1.55; inside: 192.168.2.2. Download tools used for testing: FeiQ (飞秋) and Xunlei (迅雷).

interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.168.1.55 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
access-list 200k extended permit ip any host 192.168.2.2
access-list 500k extended permit ip any host 192.168.2.3
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
class-map 200k
 match access-list 200k
policy-map xiansu
 class 200k
  police input 2096000 1048
  police output 2096000 1048
service-policy xiansu interface inside

Note on the policy-map: both directions must be policed, otherwise it has no effect. The policy must be applied to the inside interface; on the outside interface it has no effect.

Tested: the rate limit works! To summarize: because of NAT, QoS on the ASA can only be done on the inside interface!
In addition, configure both police input 2096000 1048 and police output 2096000 1048, i.e. police inbound and outbound. The burst value in these commands can be calculated with the formula: maximum rate / 8 * 1.5.


Best answer

Define an access control list. x.x.x.x is the single IP whose download speed is to be limited; if there are many IPs to limit, list them one after another, or define them with the object-group network command:

access-list 101 extended permit ip any host x.x.x.x
access-list 101 extended permit ip any host y.y.y.y

Define a class as follows:

class-map xiansu
 match access-list 101

Define the policy; the first * is the permitted rate and the * after it is the burst. Try the values yourself:

policy-map xiansu
 class xiansu
  police input * *
  police output * *

Apply it to the interface:

service-policy xiansu interface outside


ASA 5510 rate-limiting question

access-list host112 extended permit ip host 192.168.100.112 any
access-list host112 extended permit ip any host 192.168.100.112
class-map map112
 match access-list host112
class-map inspection_default
 match default-inspection-traffic
policy-map map112
 class map112
  police output 819000 1228800
  police input 819000 1228800
service-policy map112 interface inside

Checking with show service-policy interface inside:

Interface inside:
  Service-policy: map112
    Class-map: map112
      Output police Interface inside:
        cir 819000 bps, bc 1228800 bytes
        conformed 86658 packets, 85958899 bytes; actions: transmit
        exceeded 21015 packets, 12632393 bytes; actions: drop
        conformed 0 bps, exceed 0 bps
      Input police Interface inside:
        cir 819000 bps, bc 1228800 bytes
        conformed 72053 packets, 13242533 bytes; actions: transmit
        exceeded 0 packets, 0 bytes; actions: drop
        conformed 0 bps, exceed 0 bps

You can see that it has worked, but now I want to exempt a certain subnet from the rate limit, for example 10.0.0.0 255.0.0.0. How should the access-list be configured for that?
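The policing sections above (police input/output with a rate and a burst, the "maximum rate / 8 * 1.5" burst rule, and the conformed/exceeded counters of show service-policy) as an added worked example; this is not code from the original page or from Cisco. It models the single-rate policer as a token bucket (bucket starts full, a packet larger than the remaining credit is dropped), which is an assumption about how such a policer behaves, and the packet trace is constructed.

```python
# Added example, not code from the page or from Cisco: a token-bucket model of the
# single-rate policer behind "police {input|output} <cir-bps> <bc-bytes>", run over
# a constructed packet trace so the conformed/exceeded counters reported by
# "show service-policy" can be predicted offline. Bucket details are assumptions.
from dataclasses import dataclass, field

def burst_bytes(rate_bps: int) -> int:
    # bc per the page's rule of thumb: max rate / 8 * 1.5 (1.5 s of traffic, in bytes)
    return int(rate_bps / 8 * 1.5)

@dataclass
class Policer:
    cir_bps: int                     # committed rate, bits per second
    bc_bytes: int                    # committed burst (bucket depth), bytes
    tokens: int = field(init=False)  # available credit, in bits
    last_ms: int = 0
    conformed_pkts: int = 0
    conformed_bytes: int = 0
    exceeded_pkts: int = 0
    exceeded_bytes: int = 0

    def __post_init__(self):
        self.tokens = self.bc_bytes * 8  # bucket starts full

    def offer(self, t_ms: int, size: int) -> str:
        """Offer one packet of `size` bytes at time t_ms; return the action taken."""
        # refill for the elapsed time, capped at bc (exact when cir is a multiple of 1000 bps)
        self.tokens = min(self.bc_bytes * 8,
                          self.tokens + (t_ms - self.last_ms) * self.cir_bps // 1000)
        self.last_ms = t_ms
        if size * 8 <= self.tokens:
            self.tokens -= size * 8
            self.conformed_pkts += 1
            self.conformed_bytes += size
            return "transmit"  # conform-action default
        self.exceeded_pkts += 1
        self.exceeded_bytes += size
        return "drop"          # exceed-action default

def police_trace(cir_bps: int, bc_bytes: int, packets) -> Policer:
    p = Policer(cir_bps, bc_bytes)   # run a (t_ms, size_bytes) trace, return the counters
    for t_ms, size in packets:
        p.offer(t_ms, size)
    return p

# Constructed trace: 1500-byte packets every 1 ms (12 Mbit/s) for 3 s, offered to the
# page's 2 Mbit/s class with bc sized by the page's formula (393000 bytes).
TRACE = [(t, 1500) for t in range(3000)]
if __name__ == "__main__":
    p = police_trace(2_096_000, burst_bytes(2_096_000), TRACE)
    print(f"cir {p.cir_bps} bps, bc {p.bc_bytes} bytes; conformed {p.conformed_pkts} packets, "
          f"{p.conformed_bytes} bytes; exceeded {p.exceeded_pkts} packets, {p.exceeded_bytes} bytes")
```

The initial 393000-byte burst passes untouched, after which only about 262000 bytes per second conform; a one-second idle gap refills the bucket completely.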