Description: configuring NBAR, CQ, PQ... and so on. Orz, I forget which Q it was...
RO_B#sh run
Building configuration...
Current configuration : 3366 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname RO_B
!
boot-start-marker
boot-end-marker
!
enable password cisco
!
no aaa new-model
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef
!
!
ip nbar port-map http tcp 80 8081 8082   ! map TCP 80, 8081 and 8082 to the http protocol ports
ip nbar custom MSN_TEXT tcp 1863   ! define a custom NBAR port
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
!
!
!
! CLASS-MAP section
class-map match-all BIG_PING   ! ICMP packets larger than 512
match protocol icmp
match packet length min 512
class-map match-all ADMIN_ICMP   ! ICMP packets that also match ACL 102
match access-group 102
match protocol icmp
class-map match-any KEYMAN_PRO   ! matching any one of http, ftp, telnet is enough
match protocol http
match protocol ftp
match protocol telnet
class-map match-all MSN_FILITER   ! matches the MSN_TEXT port
match protocol MSN_TEXT
class-map match-all HTTP_TEST   ! URL host contains "edu"
match protocol http host "*edu*"
class-map match-all KEYMAN_PROTOCOL   ! matches class-map KEYMAN_PRO and ACL 102
match access-group 102
match class-map KEYMAN_PRO
class-map match-all IPPC_3   ! matches IP precedence 3
match ip precedence 3
class-map match-all IPPC_2   ! matches IP precedence 2
match ip precedence 2
!
!
! POLICY-MAP section
policy-map FAS0/1_IN   ! policy-map to be bound to F0/1 inbound
class ADMIN_ICMP   ! traffic matching class ADMIN_ICMP is set to precedence 2
set precedence 2
class KEYMAN_PROTOCOL   ! traffic matching class KEYMAN_PROTOCOL is set to precedence 3
set precedence 3
class BIG_PING   ! traffic matching class BIG_PING is dropped
drop
class MSN_FILITER   ! traffic matching class MSN_FILITER is dropped
drop
class HTTP_TEST   ! traffic matching class HTTP_TEST is dropped
drop
class class-default   ! everything else gets no further action
policy-map S0/0_OUT
class IPPC_2
bandwidth percent 15
class IPPC_3
bandwidth percent 30
class class-default
!
!
!
! Interface configuration section
interface Loopback1
ip address 2.2.2.2 255.255.255.255
!
interface Tunnel10
ip address 100.12.12.2 255.255.255.0
tunnel source Serial0/0
tunnel destination 10.140.1.2
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
!
interface Serial0/0
ip address 10.140.2.2 255.255.255.0
ip nbar protocol-discovery   ! analyze the types of traffic passing through the Serial interface
ip nat outside
ip virtual-reassembly
service-policy output S0/0_OUT   ! policy-map S0/0_OUT applied to this interface's outbound direction
!
interface FastEthernet0/1
ip address 192.168.102.254 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
service-policy input FAS0/1_IN   ! policy-map FAS0/1_IN applied to this interface's inbound direction
!
interface Serial0/1
ip address 200.12.12.2 255.255.255.0
ip tcp header-compression   ! compress TCP headers
priority-group 1
!
!
! Routing configuration section
router ospf 1
log-adjacency-changes
network 2.2.2.2 0.0.0.0 area 0
network 100.12.12.0 0.0.0.255 area 0
network 192.168.102.0 0.0.0.255 area 0
network 200.12.12.0 0.0.0.255 area 0
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.140.2.1
!
!
no ip http server
no ip http secure-server
ip nat inside source list 101 interface Serial0/0 overload   ! configure PAT
!
!
! ACL section
access-list 1 permit 192.168.102.100
access-list 100 permit icmp any any
access-list 101 permit ip 192.168.102.0 0.0.0.255 any
access-list 102 permit ip 192.168.102.100 0.0.0.2 any
! PQ section
priority-list 1 protocol ip high list 1   ! traffic matching ACL 1 goes into the High queue
priority-list 1 protocol ip medium tcp telnet   ! Telnet goes into the Medium queue
priority-list 1 protocol ip medium list 100   ! traffic matching ACL 100 goes into the Medium queue
priority-list 1 protocol ip low tcp ftp   ! FTP goes into the Low queue
priority-list 1 queue-limit 1024 2048 4096 8192   ! set the lengths of the four queues
!
!
!
control-plane
!
!
! Voice configuration section
telephony-service
max-ephones 10
max-dn 20
ip source-address 2.2.2.2 port 2000
max-conferences 4 gain -6
!
!
ephone-dn 1
number 2001
!
!
ephone-dn 2
number 2002
!
!
ephone-dn 3
number 2003
!
!
ephone-dn 4
number 2004
!
!
ephone-dn 5
number 2005
!
!
ephone-dn 6
number 2006
!
!
ephone-dn 7
number 2007
!
!
ephone-dn 8
number 2008
!
!
ephone-dn 9 dual-line
number 2009
!
!
line con 0
logging synchronous
line aux 0
line vty 0 4
password cisco
no login
!
!
end
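Note: some of these settings are hard to explain, so I can only explain them roughly. If something is explained poorly, or you have a better explanation, please let me know!
Thanks again to my instructor 舜超! Attaching a photo of him... a panda clapping!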
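
Added example (not part of the original post or of any Cisco tool): a Python model of how policy-map FAS0/1_IN above classifies inbound packets. It assumes first-match evaluation of the classes in listed order and reduces NBAR to a destination-port lookup; the packet fields and sample packets are constructed. It shows that sources matching ACL 102, whose wildcard 0.0.0.2 covers both .100 and .102, hit the earlier marking classes and never reach the later drop classes.

```python
import ipaddress

# NBAR reduced to a destination-port lookup (assumption); ports from the
# "ip nbar port-map http" and "ip nbar custom MSN_TEXT" lines, plus 21/23.
NBAR_PORTS = {"http": {80, 8081, 8082}, "ftp": {21}, "telnet": {23},
              "MSN_TEXT": {1863}}

def nbar(pkt):
    if pkt["proto"] == "icmp":
        return "icmp"
    for name, ports in NBAR_PORTS.items():
        if pkt["proto"] == "tcp" and pkt.get("dport") in ports:
            return name
    return "unknown"

def acl102(src):
    # access-list 102 permit ip 192.168.102.100 0.0.0.2 any
    # Wildcard bits set to 1 are ignored when comparing addresses.
    base = int(ipaddress.ip_address("192.168.102.100"))
    wild = int(ipaddress.ip_address("0.0.0.2"))
    return (int(ipaddress.ip_address(src)) | wild) == (base | wild)

def keyman_pro(pkt):  # class-map match-any KEYMAN_PRO
    return nbar(pkt) in ("http", "ftp", "telnet")

# Classes in the order policy-map FAS0/1_IN lists them; first match wins.
POLICY = [
    ("ADMIN_ICMP", lambda p: acl102(p["src"]) and nbar(p) == "icmp", "set precedence 2"),
    ("KEYMAN_PROTOCOL", lambda p: acl102(p["src"]) and keyman_pro(p), "set precedence 3"),
    ("BIG_PING", lambda p: nbar(p) == "icmp" and p["length"] >= 512, "drop"),
    ("MSN_FILITER", lambda p: nbar(p) == "MSN_TEXT", "drop"),
    ("HTTP_TEST", lambda p: nbar(p) == "http" and "edu" in p.get("host", ""), "drop"),
]

def classify(pkt):
    for name, matches, action in POLICY:
        if matches(pkt):
            return name, action
    return "class-default", "forward"

if __name__ == "__main__":
    # Constructed sample packets arriving on FastEthernet0/1.
    samples = [
        {"src": "192.168.102.50", "proto": "icmp", "length": 1000},
        {"src": "192.168.102.102", "proto": "icmp", "length": 1000},
        {"src": "192.168.102.100", "proto": "tcp", "dport": 80, "length": 400, "host": "www.example.edu"},
    ]
    for s in samples:
        print(s["src"], s["proto"], s.get("dport", "-"), "->", classify(s))
```

If the drops are meant to apply to every host, the drop classes have to come before the marking classes in the policy-map.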