防火墙带宽管理
拓扑
配置
[fw]interface GigabitEthernet 0/0/0
[fw-GigabitEthernet0/0/0]service-manage all permit
[fw]interface GigabitEthernet 1/0/0
[fw-GigabitEthernet1/0/0]ip address 12.0.0.1 24
[fw]interface GigabitEthernet 1/0/1
[fw-GigabitEthernet1/0/1]ip address 13.0.0.1 24
[fw]interface GigabitEthernet 1/0/3
[fw-GigabitEthernet1/0/3]ip address 10.1.1.254 24
[fw]interface GigabitEthernet 1/0/2.1
[fw-GigabitEthernet1/0/2.1]ip address 10.1.1.254 2
[fw-GigabitEthernet1/0/2.1]vlan-type dot1q 10
[fw-GigabitEthernet1/0/2.1]interface GigabitEthernet 1/0/2.2
[fw-GigabitEthernet1/0/2.2]ip address 192.168.2.254 24
[fw-GigabitEthernet1/0/2.2]vlan-type dot1q 20
[fw-GigabitEthernet1/0/2.2]interface GigabitEthernet 1/0/2.3
[fw-GigabitEthernet1/0/2.3]ip address 192.168.3.254 24
[fw-GigabitEthernet1/0/2.3]vlan-type dot1q 30
[fw-GigabitEthernet1/0/2.3]interface GigabitEthernet 1/0/2.4
[fw-GigabitEthernet1/0/2.4]ip address 192.168.4.254 24
[fw-GigabitEthernet1/0/2.4]vlan-type dot1q 40
[fw]firewall zone trust
[fw-zone-trust]add interface GigabitEthernet 1/0/2.1
[fw-zone-trust]add interface GigabitEthernet 1/0/2.2
[fw-zone-trust]add interface GigabitEthernet 1/0/2.3
[fw-zone-trust]add interface GigabitEthernet 1/0/2.4
[fw]firewall zone dmz
[fw-zone-dmz]add interface GigabitEthernet 1/0/3
[fw]firewall zone untrust
[fw-zone-untrust]add interface GigabitEthernet 1/0/1
[fw-zone-untrust]add interface GigabitEthernet 1/0/0
[Huawei]interface GigabitEthernet 0/0/0
[Huawei-GigabitEthernet0/0/0]ip address 12.0.0.2 24
[liantong]interface GigabitEthernet 0/0/0
[liantong-GigabitEthernet0/0/0]ip address 13.0.0.3 24
[sw1]vlan batch 10 20 30 40
[sw1-GigabitEthernet0/0/1]port link-type trunk
[sw1-GigabitEthernet0/0/1]port trunk allow-pass vlan 10 20 30 40
[sw1-GigabitEthernet0/0/1]interface GigabitEthernet 0/0/2
[sw1-GigabitEthernet0/0/2]port link-type access
[sw1-GigabitEthernet0/0/2]port default vlan 10
[sw1-GigabitEthernet0/0/2]interface GigabitEthernet 0/0/3
[sw1-GigabitEthernet0/0/3]port link-type access
[sw1-GigabitEthernet0/0/3]port default vlan 20
[sw1-GigabitEthernet0/0/3]interface GigabitEthernet 0/0/4
[sw1-GigabitEthernet0/0/4]port link-type access
[sw1-GigabitEthernet0/0/4]port default vlan 30
[sw1-GigabitEthernet0/0/4]interface GigabitEthernet 0/0/5
[sw1-GigabitEthernet0/0/5]port link-type access
[sw1-GigabitEthernet0/0/5]port default vlan 40需求一
企业组织架构中存在部门A,部门A中存在销售组1和研发组2
销售部门--->业务Email、ERP服务
可以对部门A中的销售组进行带宽资源细分,保证销售员工的业务服务流量正常转发:
1、部门A的下行最大带宽不超过60M
2、部门A中的销售组下行最大带宽不超过30M
3、部门A中的销售组的Email、ERP业务下行最小带宽不低于20M
[fw]traffic-policy
[fw-policy-traffic-profile-01]bandwidth maximum-bandwidth whole downstream 60000
[fw-policy-traffic-profile-01]q
[fw-policy-traffic]rule name 01
[fw-policy-traffic-rule-01]source-zone trust
[fw-policy-traffic-rule-01]destination-zone untrust
[fw-policy-traffic-rule-01]source-address 192.168.1.0 24
[fw-policy-traffic-rule-01]source-address 192.168.2.0 24
[fw-policy-traffic-rule-01]action qos profile 01
测试
需求二
给部门A和部门B划分可使用的带宽资源。要避免P2P业务占据较多的带宽,还需要限制部门A和部门B使用 P2P业务的带宽总和。
1、部门A下行最大带宽60M
2、部门B下行最大带宽40M
3、部门A和部门B的P2P业务下行最大带宽不超过80M
4、P2P流量需要计算到各自部门的总流量中
