本文共 1636 字,大约阅读时间需要 5 分钟。
1、分类&标记解析
分类方法:ACL或NBAR
ACL仅能简单的根据源目标IP、端口、MAC地址进行分类,而NBAR基于网络的应用层识别,可以根据数量里的内容来分类流量。
全局配置模式:ip nbar pdlm flash://bt.pdlm 加载
接口配置模式:ip nbar protocol-discovery 开启
标记方法:PBR或CBMarking
PBR只能用于入方向,CBMarking则可以同时应用在入和出两个方向。
2、实验拓扑
3、基础配置
enable password cisco
username cisco password cisco
interface FastEthernet0/0
ip address 192.168.5.254 255.255.255.0
no shutdown
ip http server
ip http authentication enable
line vty 0 4
login local
4、分类及标记配置
分类Telnet、Web流量,标记Telnet流量优先级为2、标记Web流量优先级为3
ACL结合PBR
ip access-list extended Telnet
permit tcp any any eq telnet
ip access-list extended Web
permit tcp any any eq www
route-map PBR permit 10
match ip address Telnet
set ip precedence 2
route-map PBR permit 20
match ip address Web
set ip precedence 3
interface FastEthernet0/0
ip policy route-map PBR
ACL结合CBMaking
ip access-list extended Telnet
permit tcp any any eq telnet
ip access-list extended Web
permit tcp any any eq www
class-map match-all Telnet
match access-group name Telnet
class-map match-all Web
match access-group name Web
policy-map CBMARK
class Telnet
set ip precedence 2
class Web
set ip precedence 3
interface FastEthernet0/0
service-policy input CBMARK
查看匹配情况
show ip access-lists
show policy-map interface f0/0
NBAR结合CBMarking
ip nbar port-map http tcp 80 8080
class-map match-all Telnet
match protocol telnet
class-map match-all Web
match protocol http
policy-map NBAR
class Telnet
set ip precedence 2
class Web
set ip precedence 3
interface FastEthernet0/0
service-policy input NBAR
查看匹配情况
show ip access-lists
show policy-map interface f0/0