ES 3526XA v2 Policy Map: difference between revisions
Material from noname.com.ua
Current revision as of 15:50, 28 September 2012
=Working with Policy Map=

==Simple shaping (example 1)==

===ACL===
<PRE>
access-list IP extended shaper-1
 deny 10.199.0.0 255.255.0.0 any
!
</PRE>
Attention! As far as I have tested, the correct form is exactly this one, and not
<PRE>
access-list IP extended shaper-1
 permit 10.199.0.0 255.255.0.0 any
!
</PRE>
as one would logically expect.

===Class-Map===
<PRE>
class-map shaper-1 match-any
 match access-list shaper-1
 exit
</PRE>

===Policy-Map===
<PRE>
!
policy-map shaper-1
 class shaper-1
  set cos 0
  police 64 1522 exceed-action drop
  exit
 exit
!
</PRE>

===Interface Config===
<PRE>
!
interface ethernet 1/1
 ip source-guard sip-mac
 ...
 service-policy input shaper-1
!
</PRE>

=="Shaping by direction"==

===ACL===
ACLs for unauthorized users. The first ACL describes what must be allowed (but rate-limited to 1 Mbit):
<PRE>
access-list IP extended noauth-permit
 deny 1 10.199.0.0 255.255.0.0 any
 deny 10.199.0.0 255.255.0.0 192.168.95.0 255.255.255.0
</PRE>
This ACL describes what must be blocked (i.e. the rate is set to 1):
<PRE>
access-list IP extended unauth
 deny 10.199.0.0 255.255.0.0 any
</PRE>

===Class-Map===
<PRE>
class-map noauth-permit match-any
 match access-list noauth-permit
 exit
</PRE>

==!!!==
<PRE>
!
access-list IP extended m3
 permit any host 10.199.0.100
 deny 10.199.0.0 255.255.0.0 any
!
class-map m3 match-any
 match access-list m3
 exit
!
policy-map m3
 class m3
  set cos 0
  police 1 64 exceed-action drop
  exit
 exit
!
</PRE>

==!!!!==
<PRE>
access-list IP extended m4
 permit 10.199.0.0 255.255.0.0 host 10.199.0.100
 permit 10.200.0.0 255.255.0.0 host 192.168.95.22
 deny 10.199.0.0 255.255.0.0 any
 exit
class-map m4 match-any
 match access-list m4
 exit
policy-map m4
 class m4
  set cos 0
  police 1 64 exceed-action drop
  exit
 exit
</PRE>
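As an added example (not from the original page), a Python checker for the chain the page builds in every section, ACL to class-map to policy-map to service-policy: it parses config text in the page's shape and reports dangling references, policy-maps never applied to an interface, and ACLs with no deny entry, since the page reports that only the deny form made the class match in its tests. The sample config, HEADERS/BODY patterns and function names are constructed for this example and assume the command forms shown on the page.

```python
import re
# Constructed sample in the page's shape: ACL, class-map, policy-map, interface binding.
SAMPLE_CONFIG = """\
access-list IP extended shaper-1
 deny 10.199.0.0 255.255.0.0 any
class-map shaper-1 match-any
 match access-list shaper-1
policy-map shaper-1
 class shaper-1
  police 64 1522 exceed-action drop
interface ethernet 1/1
 service-policy input shaper-1
"""
# Section-opening commands and the one body line per section that the chain check needs.
HEADERS = {"acls": r"access-list IP extended (\S+)", "class_maps": r"class-map (\S+)",
           "policy_maps": r"policy-map (\S+)", "bindings": r"interface (.+)"}
BODY = {"acls": r"((?:permit|deny) .*)", "class_maps": r"match access-list (\S+)",
        "policy_maps": r"class (\S+)", "bindings": r"service-policy (?:input|output) (\S+)"}

def parse_config(text):
    cfg = {key: {} for key in HEADERS}  # {"acls": {name: [entries]}, "class_maps": {name: [acl]}, ...}
    section = name = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        for key, pat in HEADERS.items():
            if m := re.match(pat, line):
                section, name = key, m.group(1)
                cfg[key][name] = []
                break
        else:  # not a section opener: record the body line if it is one we track
            if section and (m := re.match(BODY[section], line)):
                cfg[section][name].append(m.group(1))
    return cfg

def check_policy_chain(cfg):
    # Findings: dangling references, unapplied policy-maps, ACLs without a deny entry (see page note).
    findings = []
    for cm, acls in cfg["class_maps"].items():
        for acl in acls:
            if acl not in cfg["acls"]:
                findings.append(f"class-map {cm}: ACL {acl} is not defined")
            elif not any(e.startswith("deny") for e in cfg["acls"][acl]):
                findings.append(f"ACL {acl}: no deny entry, class-map {cm} may not match")
    for pm, classes in cfg["policy_maps"].items():
        findings += [f"policy-map {pm}: class-map {c} is not defined"
                     for c in classes if c not in cfg["class_maps"]]
        if not any(pm in bound for bound in cfg["bindings"].values()):
            findings.append(f"policy-map {pm}: not applied with service-policy on any interface")
    return findings
```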
=Protocol numbers=
Number  Keyword  Protocol
======= ======= ==============
0 HOPOPT IPv6 Hop-by-Hop Option
1 ICMP Internet Control Message
2 IGMP Internet Group Management
3 GGP Gateway-to-Gateway
4 IP IP in IP (encapsulation)
5 ST Stream
6 TCP Transmission Control
7 CBT CBT
8 EGP Exterior Gateway Protocol
9 IGP any private interior gateway (used by Cisco for IGRP)
10 BBN-RCC-MON BBN RCC Monitoring
11 NVP-II Network Voice Protocol
12 PUP PUP
13 ARGUS ARGUS
14 EMCON EMCON
15 XNET Cross Net Debugger
16 CHAOS Chaos
17 UDP User Datagram
18 MUX Multiplexing
19 DCN-MEAS DCN Measurement Subsystems
20 HMP Host Monitoring
21 PRM Packet Radio Measurement
22 XNS-IDP XEROX NS IDP
23 TRUNK-1 Trunk-1
24 TRUNK-2 Trunk-2
25 LEAF-1 Leaf-1
26 LEAF-2 Leaf-2
27 RDP Reliable Data Protocol
28 IRTP Internet Reliable Transaction
29 ISO-TP4 ISO Transport Protocol Class 4
30 NETBLT Bulk Data Transfer Protocol
31 MFE-NSP MFE Network Services Protocol
32 MERIT-INP MERIT Internodal Protocol
33 SEP Sequential Exchange Protocol
34 3PC Third Party Connect Protocol
35 IDPR Inter-Domain Policy Routing Protocol
36 XTP XTP
37 DDP Datagram Delivery Protocol
38 IDPR-CMTP IDPR Control Message Transport Proto
39 TP++ TP++ Transport Protocol
40 IL IL Transport Protocol
41 IPv6 Ipv6
42 SDRP Source Demand Routing Protocol
43 IPv6-Route Routing Header for IPv6
44 IPv6-Frag Fragment Header for IPv6
45 IDRP Inter-Domain Routing Protocol
46 RSVP Reservation Protocol
47 GRE General Routing Encapsulation
48 MHRP Mobile Host Routing Protocol
49 BNA BNA
50 ESP Encap Security Payload for IPv6
51 AH Authentication Header for IPv6
52 I-NLSP Integrated Net Layer Security TUBA
53 SWIPE IP with Encryption
54 NARP NBMA Address Resolution Protocol
55 MOBILE IP Mobility
56 TLSP Transport Layer Security Protocol using Kryptonet key management
57 SKIP SKIP
58 IPv6-ICMP ICMP for IPv6
59 IPv6-NoNxt No Next Header for IPv6
60 IPv6-Opts Destination Options for IPv6
61 any host internal protocol
62 CFTP CFTP
63 any local network
64 SAT-EXPAK SATNET and Backroom EXPAK
65 KRYPTOLAN Kryptolan
66 RVD MIT Remote Virtual Disk Protocol
67 IPPC Internet Pluribus Packet Core
68 any distributed file system
69 SAT-MON SATNET Monitoring
70 VISA VISA Protocol
71 IPCV Internet Packet Core Utility
72 CPNX Computer Protocol Network Executive
73 CPHB Computer Protocol Heart Beat
74 WSN Wang Span Network
75 PVP Packet Video Protocol
76 BR-SAT-MON Backroom SATNET Monitoring
77 SUN-ND SUN ND PROTOCOL-Temporary
78 WB-MON WIDEBAND Monitoring
79 WB-EXPAK WIDEBAND EXPAK
80 ISO-IP ISO Internet Protocol
81 VMTP VMTP
82 SECURE-VMTP SECURE-VMTP
83 VINES VINES
84 TTP TTP
85 NSFNET-IGP NSFNET-IGP
86 DGP Dissimilar Gateway Protocol
87 TCF TCF
88 EIGRP EIGRP
89 OSPFIGP OSPFIGP
90 Sprite-RPC Sprite RPC Protocol
91 LARP Locus Address Resolution Protocol
92 MTP Multicast Transport Protocol
93 AX.25 AX.25 Frames
94 IPIP IP-within-IP Encapsulation Protocol
95 MICP Mobile Internetworking Control Pro.
96 SCC-SP Semaphore Communications Sec. Pro.
97 ETHERIP Ethernet-within-IP Encapsulation
98 ENCAP Encapsulation Header
99 any private encryption scheme
100 GMTP GMTP
101 IFMP Ipsilon Flow Management Protocol
102 PNNI PNNI over IP
103 PIM Protocol Independent Multicast
104 ARIS ARIS
105 SCPS SCPS
106 QNX QNX
107 A/N Active Networks
108 IPComp IP Payload Compression Protocol
109 SNP Sitara Networks Protocol
110 Compaq-Peer Compaq Peer Protocol
111 IPX-in-IP IPX in IP
112 VRRP Virtual Router Redundancy Protocol
113 PGM PGM Reliable Transport Protocol
114 any 0-hop protocol
115 L2TP Layer Two Tunneling Protocol
116 DDX D-II Data Exchange (DDX)
117 IATP Interactive Agent Transfer Protocol
118 STP Schedule Transfer Protocol
119 SRP SpectraLink Radio Protocol
120 UTI UTI
121 SMP Simple Message Protocol
122 SM SM
123 PTP Performance Transparency Protocol
124 ISIS over IPv4
125 FIRE
126 CRTP Combat Radio Transport Protocol
127 CRUDP Combat Radio User Datagram
128 SSCOPMCE
129 IPLT
130 SPS Secure Packet Shield
131 PIPE Private IP Encapsulation within IP
132 SCTP Stream Control Transmission Protocol
133 FC Fibre Channel
134-254 unassigned
255 reserved