IP Address-Based Bandwidth Management on Huawei Firewalls

Author: Internet

![image.png](http://www.icode9.com/i/li/?n=2&i=images/20210621/1624289258515548.png?,size_14,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=)

1. Basic topology configuration

![image.png](http://www.icode9.com/i/li/?n=2&i=images/20210621/1624289269606774.png?,size_14,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=)

![image.png](http://www.icode9.com/i/li/?n=2&i=images/20210621/1624289290289515.png?,size_14,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=)

![image.png](http://www.icode9.com/i/li/?n=2&i=images/20210621/1624289298823337.png?,size_14,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=)

```
[FW-GigabitEthernet1/0/1]ip add 10.1.1.1 24
[FW-GigabitEthernet1/0/1]service-manage ping permit
[FW-GigabitEthernet1/0/2]ip add 10.1.2.1 24
[FW-GigabitEthernet1/0/2]service-manage ping permit
[FW-GigabitEthernet1/0/0]ip add 20.1.1.1 24
[FW-GigabitEthernet1/0/0]service-manage ping permit
[FW]firewall zone trust
[FW-zone-trust]add interface g1/0/1
[FW]firewall zone untrust
[FW-zone-untrust]add interface g1/0/0
[FW]firewall zone dmz
[FW-zone-dmz]add interface g1/0/2
```

2. Configure the NAT policy

```
[FW] nat server global 20.1.1.50 inside 10.1.2.10 // configure the NAT server mapping for the server
[FW]nat address-group nat1 // configure the NAT address pool
[FW-address-group-nat1]section 20.1.1.100 20.1.1.200
[FW]nat-policy
[FW-policy-nat]rule name source_nat
[FW-policy-nat-rule-source_nat]source-zone trust
[FW-policy-nat-rule-source_nat]destination-zone untrust
[FW-policy-nat-rule-source_nat]action source-nat address-group nat1
```

3. Configure the bandwidth profiles

```
[FW]firewall detect ftp
[FW]traffic-policy
[FW-policy-traffic]profile todmz
[FW-policy-traffic-profile-todmz]bandwidth maximum-bandwidth whole upstream 50000
[FW-policy-traffic-profile-todmz]bandwidth maximum-bandwidth whole downstream 100000
[FW-policy-traffic-profile-todmz]bandwidth connection-limit whole both 20
[FW-policy-traffic]profile trusttountrust
[FW-policy-traffic-profile-trusttountrust]bandwidth maximum-bandwidth per-ip upstream 10000
[FW-policy-traffic-profile-trusttountrust]bandwidth maximum-bandwidth per-ip downstream 30000
```

4. Configure the bandwidth policy

```
[FW-policy-traffic]rule name policy_dmz
[FW-policy-traffic-rule-policy_dmz]source-zone untrust dmz
[FW-policy-traffic-rule-policy_dmz]destination-zone trust
[FW-policy-traffic-rule-policy_dmz]destination-address 10.1.1.0 24
[FW-policy-traffic-rule-policy_dmz]service ftp
[FW-policy-traffic-rule-policy_dmz]action qos profile todmz
[FW-policy-traffic]rule name policy_trusttountrust
[FW-policy-traffic-rule-policy_trusttountrust]source-zone trust
[FW-policy-traffic-rule-policy_trusttountrust]destination-zone untrust
[FW-policy-traffic-rule-policy_trusttountrust]source-address 10.1.1.0 24
[FW-policy-traffic-rule-policy_trusttountrust]action qos profile trusttountrust
```

5. Configure the firewall security policy

```
[FW]security-policy
[FW-policy-security]rule name trust_untrust
[FW-policy-security-rule-trust_untrust]source-zone trust dmz
[FW-policy-security-rule-trust_untrust]destination-zone untrust
[FW-policy-security-rule-trust_untrust]action permit
[FW-policy-security]rule name ftp
[FW-policy-security-rule-ftp]source-zone dmz
[FW-policy-security-rule-ftp]destination-zone trust
[FW-policy-security-rule-ftp]destination-address 10.1.1.0 24
[FW-policy-security-rule-ftp]action permit
```
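A consistency check between steps 4 and 5, as an added example that is not part of the original post: it lists zone pairs that a bandwidth rule names but that no security rule permits, so the limit can never apply to forwarded traffic there. It assumes the security policy's default action is deny and compares zones only, ignoring addresses and services; the function names are hypothetical.

```python
import re
from itertools import product

# Constructed input: zone and action lines of the rules in steps 4 and 5 above.
SESSION = """\
[FW-policy-traffic-rule-policy_dmz]source-zone untrust dmz
[FW-policy-traffic-rule-policy_dmz]destination-zone trust
[FW-policy-traffic-rule-policy_trusttountrust]source-zone trust
[FW-policy-traffic-rule-policy_trusttountrust]destination-zone untrust
[FW-policy-security-rule-trust_untrust]source-zone trust dmz
[FW-policy-security-rule-trust_untrust]destination-zone untrust
[FW-policy-security-rule-trust_untrust]action permit
[FW-policy-security-rule-ftp]source-zone dmz
[FW-policy-security-rule-ftp]destination-zone trust
[FW-policy-security-rule-ftp]action permit
"""

# The rule-view prompt carries the policy kind and the rule name.
PROMPT = re.compile(r"^\[FW-policy-(traffic|security)-rule-([^\]]+)\]\s*(\S+)\s*(.*)$")

def parse_rules(session):
    """Return {kind: {rule_name: {keyword: [args]}}} from prompt-prefixed lines."""
    rules = {"traffic": {}, "security": {}}
    for line in session.splitlines():
        m = PROMPT.match(line.strip())
        if m:
            kind, name, keyword, args = m.groups()
            rules[kind].setdefault(name, {})[keyword] = args.split()
    return rules

def zone_pairs(rule):
    # Simplification: only rules that name both zones are handled;
    # a rule with a zone left unset yields no pairs here.
    return set(product(rule.get("source-zone", []), rule.get("destination-zone", [])))

def unreachable_bandwidth_pairs(session):
    """Zone pairs named by a bandwidth rule that no permit rule allows."""
    rules = parse_rules(session)
    permitted = set()
    for rule in rules["security"].values():
        if rule.get("action") == ["permit"]:  # assumed default action: deny
            permitted |= zone_pairs(rule)
    return sorted((name, src, dst)
                  for name, rule in rules["traffic"].items()
                  for src, dst in zone_pairs(rule) - permitted)

if __name__ == "__main__":
    for name, src, dst in unreachable_bandwidth_pairs(SESSION):
        print(f"{name}: {src} -> {dst} has no permitting security rule")
```

On the configuration above this reports the untrust to trust pair of policy_dmz, which matches only the dmz-sourced security rule ftp.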

Source: https://blog.51cto.com/u_13699905/2935170