Experts or moderators, please take a look at my configuration

Posted on 2008-4-11 09:35:57
We run video conferencing through a PIX. The inside is an office network with fairly heavy everyday traffic, and I now want to use QoS to give more of the bandwidth to the video conferencing.
10.104.4.84 and 10.104.4.94 are the two video conferencing hosts. Our bandwidth is 10M; what I have done is reserve 5M for those two video conferencing IPs.
Please check whether what I did is correct.

Also, would it be more reasonable to do this as service classes, i.e. raise the class of the video conferencing flows? Please give your opinions.
Original poster | Posted on 2008-4-11 09:39:06
PIX Version 7.2(1)
!
hostname F-FQNP-HX-525
domain-name pixcisco.com
enable password bBYTIZfjRJDpDRGJ encrypted
names
!
interface Ethernet0
nameif outside
security-level 0
ip address 218.66.15.178 255.255.255.0
!
interface Ethernet1
nameif inside
security-level 100
ip address 10.104.253.1 255.255.255.0
!
passwd bBYTIZfjRJDpDRGJ encrypted
!
time-range 24
periodic daily 0:00 to 23:59
!
time-range abc
periodic daily 0:00 to 23:00
periodic daily 23:00 to 23:59
!
time-range hdgs
periodic weekdays 8:00 to 11:30
periodic weekdays 14:00 to 17:30
!
ftp mode passive
clock timezone GMT 8
dns server-group DefaultDNS
domain-name pixcisco.com
object-group service gcgs tcp
port-object eq smtp
port-object eq pop3
port-object eq www
port-object eq https
port-object eq 1863
object-group service 24gs tcp
port-object eq www
port-object eq smtp
port-object eq pop3
port-object eq https
port-object eq 800
port-object eq 211
port-object eq 4899
port-object eq 50822
port-object range 18880 18904
access-list out extended permit udp 10.104.0.0 255.255.0.0 any eq domain
access-list out extended permit ip 10.104.19.0 255.255.255.0 any
access-list out extended permit ip 10.104.21.0 255.255.255.0 any
access-list out extended permit ip 10.104.26.0 255.255.255.0 any
access-list out extended permit ip 10.104.27.0 255.255.255.0 any
access-list out extended permit ip 10.104.2.0 255.255.255.0 any
access-list out extended permit ip 10.104.0.0 255.255.0.0 host 221.238.194.235
access-list out extended permit ip 10.104.0.0 255.255.0.0 10.1.20.0 255.255.255.0
access-list out extended permit ip 10.104.0.0 255.255.0.0 10.136.0.0 255.255.0.0
access-list out extended permit ip 10.104.151.0 255.255.255.0 any
access-list out extended permit ip 10.104.81.0 255.255.255.0 any
access-list out extended permit ip host 10.104.82.2 any
access-list out extended permit ip host 10.104.83.2 any
access-list out extended permit ip host 10.104.84.2 any
access-list out extended permit ip host 10.104.85.2 any
access-list out extended permit tcp 10.104.82.0 255.255.255.0 any object-group gcgs
access-list out extended permit tcp 10.104.83.0 255.255.255.0 any object-group gcgs
access-list out extended permit tcp 10.104.84.0 255.255.255.0 any object-group gcgs
access-list out extended permit tcp 10.104.85.0 255.255.255.0 any object-group gcgs
access-list out extended permit ip host 10.104.152.3 any
access-list out extended permit ip host 10.104.152.2 any
access-list out extended permit ip host 10.104.153.2 any
access-list out extended permit ip host 10.104.153.4 any
access-list out extended permit ip host 10.104.153.3 any
access-list out extended permit ip host 10.104.154.2 any
access-list out extended permit ip host 10.104.155.2 any
access-list out extended deny ip 10.104.22.0 255.255.255.0 any time-range hdgs
access-list out extended deny ip 10.104.23.0 255.255.255.0 any time-range hdgs
access-list out extended deny ip 10.104.24.0 255.255.255.0 any time-range hdgs
access-list out extended deny ip 10.104.25.0 255.255.255.0 any time-range hdgs
access-list out extended permit ip 10.104.22.0 255.255.255.0 any
access-list out extended permit ip 10.104.23.0 255.255.255.0 any
access-list out extended permit ip 10.104.24.0 255.255.255.0 any
access-list out extended permit ip 10.104.25.0 255.255.255.0 any
access-list out extended deny ip 10.104.152.0 255.255.255.0 any time-range 24
access-list out extended deny ip 10.104.153.0 255.255.255.0 any time-range 24
access-list out extended deny ip 10.104.154.0 255.255.255.0 any time-range 24
access-list out extended deny ip 10.104.155.0 255.255.255.0 any time-range 24
access-list out extended permit ip 10.104.152.0 255.255.255.0 any
access-list out extended permit ip 10.104.153.0 255.255.255.0 any
access-list out extended permit ip 10.104.154.0 255.255.255.0 any
access-list out extended permit ip 10.104.155.0 255.255.255.0 any
access-list out extended deny ip host 10.104.81.107 any
access-list out extended deny udp host 10.104.81.107 any
access-list out extended deny tcp host 10.104.81.107 any
access-list out extended permit ip host 10.104.4.94 any
access-list out extended permit ip host 10.104.4.84 any
access-list outside_cryptomap_4 extended permit ip any 10.104.62.0 255.255.255.0
access-list vpn200_splittunnelacl standard permit 10.104.0.0 255.255.0.0
access-list nonat extended permit ip 10.104.0.0 255.255.0.0 10.104.62.0 255.255.255.0
access-list outside_acl extended permit icmp any any echo
access-list outside_acl extended permit icmp any any echo-reply
access-list outside_acl extended permit icmp any any traceroute
access-list outside_acl extended permit ip any host 218.66.15.155
access-list outside_acl extended permit ip any host 218.66.15.164
access-list outside_acl extended permit ip any host 218.66.15.191
access-list outside_cryptomap extended permit ip any 10.104.62.0 255.255.255.0
access-list outside_mpc extended permit ip host 10.104.4.94 any
access-list outside_mpc extended permit ip host 10.104.4.84 any
access-list outside_mpc extended permit ip any host 10.104.4.84
access-list outside_mpc extended permit ip any host 10.104.4.94
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool vpn200 10.104.62.1-10.104.62.254 mask 255.255.255.0
no failover
asdm image flash:/asdm-521.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp 218.66.15.164 ftp-data 10.104.2.7 ftp-data netmask 255.255.255.255
static (inside,outside) tcp 218.66.15.164 ftp 10.104.2.7 ftp netmask 255.255.255.255
static (inside,outside) tcp 218.66.15.164 www 10.104.2.6 www netmask 255.255.255.255
static (inside,outside) tcp 218.66.15.164 pop3 10.104.2.6 pop3 netmask 255.255.255.255
static (inside,outside) tcp 218.66.15.164 26 10.104.2.6 26 netmask 255.255.255.255
static (inside,outside) tcp 218.66.15.164 smtp 10.104.2.10 smtp netmask 255.255.255.255
static (inside,outside) tcp 218.66.15.164 3839 10.104.2.14 3389 netmask 255.255.255.255
static (inside,outside) tcp 218.66.15.164 3838 10.104.2.8 3389 netmask 255.255.255.255
static (inside,outside) 218.66.15.155 10.104.4.94 netmask 255.255.255.255
static (inside,outside) 218.66.15.191 10.104.4.84 netmask 255.255.255.255
access-group outside_acl in interface outside
access-group out in interface inside
route outside 0.0.0.0 0.0.0.0 218.66.15.254 1
!
router ospf 104
network 10.104.253.0 255.255.255.0 area 104
network 10.104.255.0 255.255.255.252 area 0
area 104 nssa default-information-originate
log-adj-changes
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy vpn200 internal
group-policy vpn200 attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpn200_splittunnelacl
user-authentication enable
username tangjg password WBjzccJ.rwg9ycr. encrypted
username tangjg attributes
vpn-group-policy vpn200
username liuxy password GjvWBtOU6dxR7ZGu encrypted
username liuxy attributes
vpn-group-policy vpn200
username lisl password zo.jc.j63130HTZJ encrypted
username lisl attributes
vpn-group-policy vpn200
username chent password U6H72glTrVodV9b/ encrypted
username chent attributes
vpn-group-policy vpn200
http server enable
http 10.104.0.0 255.255.0.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
crypto ipsec transform-set my-vpn-set esp-3des esp-sha-hmac
crypto dynamic-map yhc-Outside 10 set transform-set my-vpn-set
crypto dynamic-map yhc-Outside 10 set security-association lifetime seconds 288000
crypto map Outside_map 10 ipsec-isakmp dynamic yhc-Outside
crypto map Outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal  20
crypto isakmp ipsec-over-tcp port 100
tunnel-group my-vpn type ipsec-ra
tunnel-group my-vpn general-attributes
address-pool vpn200
authorization-server-group LOCAL
default-group-policy vpn200
tunnel-group my-vpn ipsec-attributes
pre-shared-key *
telnet 0.0.0.0 0.0.0.0 outside
telnet 10.104.0.0 255.255.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 10.104.0.0 255.255.0.0 inside
ssh timeout 60
console timeout 0
!
class-map outside-class1
match any
class-map inspection_default
match default-inspection-traffic
class-map outside-class
match access-list outside_mpc
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
policy-map outside-policy
class outside-class
  police output 20000000 20000000 exceed-action transmit
class outside-class1
  police output 5000000 5000000
!
service-policy global_policy global
service-policy outside-policy interface outside
prompt hostname context
Cryptochecksum:dfdea722d6aa4daa5cae852549505b2e
: end
Posted on 2008-4-11 16:17:52
Summary of the QoS features in ASA/PIX 7.x


Overview of basic QoS functions:

1. QoS configuration on the firewall uses the same Modular Policy Framework technology as on routers.
2. QoS on the firewall supports only LLQ and rate limiting (policing). (In 7.0 both QoS techniques are unidirectional; in 7.2, police supports both directions.)
3. The security appliance can police individual user traffic within a LAN-to-LAN tunnel (a QoS policy can be applied to individual users inside the tunnel, and the whole encrypted tunnel's traffic can be rate-limited).
For example, you can rate-limit the encrypted VPN traffic inside a LAN-to-LAN tunnel.

Notes on class-map configuration
A class-map may contain only one match, except that tunnel-group and default-inspection-traffic may additionally be combined with one match of any parameter in the table other than tunnel-group.
Points to note when matching: of the match items in the table above, apart from tunnel-group and default-inspection-traffic, only one may be matched per class-map. You may also choose to add a tunnel-group match to match two; adding tunnel-group means you want to match the cleartext traffic inside a specific VPN tunnel. Alternatively, match default-inspection-traffic and then match the parameters inside it.
Note!!! The class-maps in a policy-map are matched from top to bottom: traffic already matched by an earlier class-map will not be matched by a later class-map. Only one global policy-map can be applied, and when an interface has both an interface policy-map and the global one applied, the interface policy-map overrides the global configuration.


police
  1. Restrictions on using rate limiting: police and LLQ cannot both be enabled for the same class.
  2. When you apply a new policy to an interface it does not take effect immediately for VPN or non-VPN flows that are already established; the existing connections must be cleared, and newly established connections will then pick up the policy.


LLQ: works only in the outbound direction
queue-limit: priority queue length
tx-ring-limit: physical interface queue length


Configuration example:
hostname(config)# priority-queue outside
hostname(config-priority-queue)# queue-limit 2048 ---- default 2048; with an average packet length of 256 bytes, draining the whole queue takes 500 ms, which is the upper bound for real-time traffic
hostname(config-priority-queue)# tx-ring-limit 128 --- calculated with 1550-byte packets; to guarantee a 10 ms interval this is generally set to 128

pixfirewall(config)# sh priority-queue config

Priority-Queue Config interface inside
                current         default         range
queue-limit     0               2048            0 - 2048
tx-ring-limit   -1              80              3 - 128

Priority-Queue Config interface outside
                current         default         range
queue-limit     2048             2048            0 - 2048
tx-ring-limit   128              80              3 - 128


Full QoS configuration example:

Lab requirements:
1. Apply policing (56K) to traffic from source address 1.1.1.1 to destination address 2.2.2.2
2. Apply LLQ to traffic with DSCP value EF
3. Rate-limit all other traffic to 2M

Commands:
     (config)#access-list IP-flow permit ip host 1.1.1.1 host 2.2.2.2
     (config)#class-map IP-flow
     (config-cmap)#match access-list IP-flow
     (config)#class-map voice
     (config-cmap)#match dscp ef

     (config)#policy-map Collins
     (config-pmap)#class voice
     (config-pmap-c)#priority
     (config-pmap)#class IP-flow
     (config-pmap-c)#police 56000 10500
     (config-pmap)#class class-default
     (config-pmap-c)#police 2000000 375000
     
     (config)#priority-queue outside
     (config-priority-queue)#queue-limit 2048
     (config-priority-queue)#tx-ring-limit 128

     (config)#service-policy Collins interface inside
Note!!! The final class-default always exists and cannot be deleted.
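As an added example (not part of this thread), a small Python lint for the three MPF rules the reply states (one match per class-map, no priority and police on the same class, top-down class evaluation), run over a constructed sample built from the poster's class-maps and policy-map. The function names parse_mpf and lint_mpf are mine; parse_mpf assumes sub-commands are indented as `show running-config` prints them and takes the class-map name as the word after `class-map`, so `class-map type ...` forms are not handled.

```python
# Constructed sample: the poster's class-maps and policy-map, but with the match-any
# class first, a second match line and a `priority` added so every check fires.
SAMPLE_CONFIG = """\
class-map outside-class1
 match any
class-map outside-class
 match access-list outside_mpc
 match dscp ef
policy-map outside-policy
 class outside-class1
  police output 5000000 5000000
 class outside-class
  priority
  police output 20000000 20000000 exceed-action transmit
"""

def parse_mpf(text):
    # -> ({class-map: [match lines]}, {policy-map: [(class, [actions])]})
    cmaps, pmaps, section, cur = {}, {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):  # unindented command opens or ends a block
            section = None
            if line.startswith("class-map "):
                section, cur = "cmap", cmaps.setdefault(line.split()[1], [])
            elif line.startswith("policy-map "):
                section, cur = "pmap", pmaps.setdefault(line.split()[-1], [])
        elif section == "cmap" and line.startswith("match "):
            cur.append(line)
        elif section == "pmap" and line.startswith("class "):
            cur.append((line.split()[1], []))
        elif section == "pmap" and cur:
            cur[-1][1].append(line)  # priority / police / inspect ...
    return cmaps, pmaps

def lint_mpf(text):
    cmaps, pmaps = parse_mpf(text)
    findings = []
    for name, matches in cmaps.items():
        real = [m for m in matches if not m.startswith(("match tunnel-group", "match default-inspection-traffic"))]
        if len(real) > 1:
            findings.append(f"class-map {name}: {len(real)} match lines, only one allowed")
    for pname, classes in pmaps.items():
        catch_all = None  # earlier class in this policy whose class-map is `match any`
        for cname, actions in classes:
            if {"priority", "police"} <= {a.split(" ")[0] for a in actions}:
                findings.append(f"{pname}/{cname}: priority and police on the same class")
            if catch_all:
                findings.append(f"{pname}/{cname}: unreachable, {catch_all} (match any) is above it")
            if cmaps.get(cname) == ["match any"]:
                catch_all = cname
    return findings
```

Running lint_mpf(SAMPLE_CONFIG) reports three findings; a policy whose narrow classes come before the match-any class reports none.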