华为防火墙基于IP地址的带宽管理

1.拓扑的基础配置

[FW-GigabitEthernet1/0/1]ip add 10.1.1.1 24

[FW-GigabitEthernet1/0/1]service-manage ping permit

[FW-GigabitEthernet1/0/2]ip add 10.1.2.1 24

[FW-GigabitEthernet1/0/2]service-manage ping permit

[FW-GigabitEthernet1/0/0]ip add 20.1.1.1 24

[FW-GigabitEthernet1/0/0]service-manage ping permit

[FW]firewall zone trust

[FW-zone-trust]add interface g1/0/1

[FW]firewall zone untrust

[FW-zone-untrust]add interface g1/0/0

[FW]firewall zone dmz

[FW-zone-dmz]add interface g1/0/2

2.配置nat策略

[FW] nat server global 20.1.1.50 inside 10.1.2.10 //配置服务器的nat server

[FW]nat address-group nat1 //配置nat地址池

[FW-address-group-nat1]section 20.1.1.100 20.1.1.200

[FW]nat-policy

[FW-policy-nat]rule name source_nat

[FW-policy-nat-rule-source_nat]source-zone trust

[FW-policy-nat-rule-source_nat]destination-zone untrust

[FW-policy-nat-rule-source_nat]action source-nat address-group nat1

3.配置带宽通道

[FW]firewall detect ftp

[FW]traffic-policy

[FW-policy-traffic]profile todmz

[FW-policy-traffic-profile-todmz]bandwidth maximum-bandwidth whole upstream 50000

[FW-policy-traffic-profile-todmz]bandwidth maximum-bandwidth whole downstream 100000

[FW-policy-traffic-profile-todmz]bandwidth connection-limit whole both 20

[FW-policy-traffic]profile trusttountrust

[FW-policy-traffic-profile-trusttountrust]bandwidth maximum-bandwidth per-ip upstream 10000

[FW-policy-traffic-profile-trusttountrust]bandwidth maximum-bandwidth per-ip downstream 30000

4.配置带宽策略

[FW-policy-traffic]rule name policy_dmz

[FW-policy-traffic-rule-policy_dmz]source-zone untrust dmz

[FW-policy-traffic-rule-policy_dmz]destination-zone trust

[FW-policy-traffic-rule-policy_dmz]destination-address 10.1.1.0 24

[FW-policy-traffic-rule-policy_dmz]service ftp

[FW-policy-traffic-rule-policy_dmz]action qos profile todmz

[FW-policy-traffic]rule name policy_trusttountrust

[FW-policy-traffic-rule-policy_trusttountrust]source-zone trust

[FW-policy-traffic-rule-policy_trusttountrust]destination-zone untrust

[FW-policy-traffic-rule-policy_trusttountrust]source-address 10.1.1.0 24

[FW-policy-traffic-rule-policy_trusttountrust]action qos profile trusttountrust

5.配置防火墙策略

[FW]security-policy

[FW-policy-security]rule name trust_untrust

[FW-policy-security-rule-trust_untrust]source-zone trust dmz

[FW-policy-security-rule-trust_untrust]destination-zone untrust

[FW-policy-security-rule-trust_untrust]action permit

[FW-policy-security]rule name ftp

[FW-policy-security-rule-ftp]source-zone dmz

[FW-policy-security-rule-ftp]destination-zone trust

[FW-policy-security-rule-ftp]destination-address 10.1.1.0 24

[FW-policy-security-rule-ftp]action permit