Huawei firewall: bandwidth management based on IP address
Author: Internet
1. Basic topology configuration
```
[FW]interface GigabitEthernet 1/0/1
[FW-GigabitEthernet1/0/1]ip address 10.1.1.1 24
[FW-GigabitEthernet1/0/1]service-manage ping permit
[FW]interface GigabitEthernet 1/0/2
[FW-GigabitEthernet1/0/2]ip address 10.1.2.1 24
[FW-GigabitEthernet1/0/2]service-manage ping permit
[FW]interface GigabitEthernet 1/0/0
[FW-GigabitEthernet1/0/0]ip address 20.1.1.1 24
[FW-GigabitEthernet1/0/0]service-manage ping permit
[FW]firewall zone trust
[FW-zone-trust]add interface GigabitEthernet 1/0/1
[FW]firewall zone untrust
[FW-zone-untrust]add interface GigabitEthernet 1/0/0
[FW]firewall zone dmz
[FW-zone-dmz]add interface GigabitEthernet 1/0/2
```
2. Configure the NAT policy
```
[FW]nat server global 20.1.1.50 inside 10.1.2.10 //NAT server mapping for the DMZ server
[FW]nat address-group nat1 //NAT address pool
[FW-address-group-nat1]section 20.1.1.100 20.1.1.200
[FW]nat-policy
[FW-policy-nat]rule name source_nat
[FW-policy-nat-rule-source_nat]source-zone trust
[FW-policy-nat-rule-source_nat]destination-zone untrust
[FW-policy-nat-rule-source_nat]action source-nat address-group nat1
```
3. Configure bandwidth channels (profiles)
```
[FW]firewall detect ftp
[FW]traffic-policy
[FW-policy-traffic]profile todmz
[FW-policy-traffic-profile-todmz]bandwidth maximum-bandwidth whole upstream 50000
[FW-policy-traffic-profile-todmz]bandwidth maximum-bandwidth whole downstream 100000
[FW-policy-traffic-profile-todmz]bandwidth connection-limit whole both 20
[FW-policy-traffic]profile trusttountrust
[FW-policy-traffic-profile-trusttountrust]bandwidth maximum-bandwidth per-ip upstream 10000
[FW-policy-traffic-profile-trusttountrust]bandwidth maximum-bandwidth per-ip downstream 30000
```
4. Configure bandwidth policies
```
[FW-policy-traffic]rule name policy_dmz
[FW-policy-traffic-rule-policy_dmz]source-zone untrust dmz
[FW-policy-traffic-rule-policy_dmz]destination-zone trust
[FW-policy-traffic-rule-policy_dmz]destination-address 10.1.1.0 24
[FW-policy-traffic-rule-policy_dmz]service ftp
[FW-policy-traffic-rule-policy_dmz]action qos profile todmz
[FW-policy-traffic]rule name policy_trusttountrust
[FW-policy-traffic-rule-policy_trusttountrust]source-zone trust
[FW-policy-traffic-rule-policy_trusttountrust]destination-zone untrust
[FW-policy-traffic-rule-policy_trusttountrust]source-address 10.1.1.0 24
[FW-policy-traffic-rule-policy_trusttountrust]action qos profile trusttountrust
```
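As an added example (not code from the original post), the following Python encodes the two bandwidth profiles and rules above as data and resolves, for a given flow, which rule is hit and whether a whole or per-ip limit applies; the top-down first-match order and the flow dictionary layout are assumptions, and the flows in the comments are constructed.

```python
import ipaddress

# Bandwidth profiles from section 3 (kbit/s; None = not limited). "whole"
# caps the aggregate of all matching traffic, "per-ip" caps each host.
PROFILES = {
    "todmz": {"scope": "whole", "upstream": 50000, "downstream": 100000,
              "connection_limit": 20},
    "trusttountrust": {"scope": "per-ip", "upstream": 10000,
                       "downstream": 30000, "connection_limit": None},
}

# Rules from section 4 in configured order. Assumption: matched top-down,
# first hit wins, as with the firewall's other policy tables.
RULES = [
    {"name": "policy_dmz", "source_zone": {"untrust", "dmz"},
     "destination_zone": {"trust"}, "source_address": None,
     "destination_address": ipaddress.ip_network("10.1.1.0/24"),
     "service": {"ftp"}, "profile": "todmz"},
    {"name": "policy_trusttountrust", "source_zone": {"trust"},
     "destination_zone": {"untrust"},
     "source_address": ipaddress.ip_network("10.1.1.0/24"),
     "destination_address": None, "service": None,
     "profile": "trusttountrust"},
]


def rule_matches(rule, flow):
    """Every condition a rule sets must hold; an unset one (None) matches any."""
    if flow["src_zone"] not in rule["source_zone"]:
        return False
    if flow["dst_zone"] not in rule["destination_zone"]:
        return False
    for key, ip in (("source_address", flow["src_ip"]),
                    ("destination_address", flow["dst_ip"])):
        net = rule[key]
        if net is not None and ipaddress.ip_address(ip) not in net:
            return False
    if rule["service"] is not None and flow["service"] not in rule["service"]:
        return False
    return True


def resolve(flow):
    """Return (rule name, profile) for the first matching rule, else None.
    flow keys (constructed): src_zone, dst_zone, src_ip, dst_ip, service."""
    for rule in RULES:
        if rule_matches(rule, flow):
            return rule["name"], PROFILES[rule["profile"]]
    return None
```

A flow that matches no rule gets no bandwidth limit at all, which is why the rule order and the unset conditions are worth checking before deploying such a policy.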
5. Configure security policies
```
[FW]security-policy
[FW-policy-security]rule name trust_untrust
[FW-policy-security-rule-trust_untrust]source-zone trust dmz
[FW-policy-security-rule-trust_untrust]destination-zone untrust
[FW-policy-security-rule-trust_untrust]action permit
[FW-policy-security]rule name ftp
[FW-policy-security-rule-ftp]source-zone dmz
[FW-policy-security-rule-ftp]destination-zone trust
[FW-policy-security-rule-ftp]destination-address 10.1.1.0 24
[FW-policy-security-rule-ftp]action permit
```
Source: https://blog.51cto.com/u_13699905/2935170