تخصيص ترافيك در روتر

[majestic]

سلام 1 سوال
حالا اگه بخوايم به 1 رنج اي پي متلا 8 تا اپي مجموعا مثلا 128 كيلو اختصاسبديم چي كنيم . دقيقا مثل پناي بندي كه مخابرات به اي اس پي ها ميده.
ايا فقط كافيهست كه اكسس ليست رو اصلاح كنيم.
بازم تاكيد ميكونمكهبه 8 ايپي مجموعا128 كيلو. درواقع پهني باند 128 شير براي 8اي پي.
با تشكر.

[majestic]

مثل اينكه از اساتيد محترم خبري نيست.

[netgiant]

salam be hame------agar daraye multilayer switch bashi be komake qos mitooni in karo kheyli rahat anjam bedi
ya be komake firewall va pix haye cisco ke man khodam bamodele 515e ashnayi daram va midoonam ke rahat mishe oono anjam dad

[sshokri]

دوستان عزیز کسی راهی برای ایجاد محدودیت در سویچهای سیسکو بلد هست بر روی سویچهای سیسکو دستور trafic-shaip ,rate-limit کار نمی کند دستور دیگری سراغ دارید؟
با تشکر فراوان

[sshokri]

دوستان عزیز
کسی راهی برای ایجاد محدودیت سرعت در سویچهای سیسکو بلد هست در سویچهای سیسکو دستور trafic-shaip ,rate-limit کار نمی کند دستور دیگری سراغ دارید؟
با تشکر فراوان

[matrixco.sec]

سلام 1 سوال
حالا اگه بخوايم به 1 رنج اي پي متلا 8 تا اپي مجموعا مثلا 128 كيلو اختصاسبديم چي كنيم . دقيقا مثل پناي بندي كه مخابرات به اي اس پي ها ميده.
ايا فقط كافيهست كه اكسس ليست رو اصلاح كنيم.
بازم تاكيد ميكونمكهبه 8 ايپي مجموعا128 كيلو. درواقع پهني باند 128 شير براي 8اي پي.
با تشكر.

دوست عزيز شما براي اين كار بايد از پروتكل هاي مثل : RIP استفاده كنيد .

[hyund]

دوستان عزيز با سلام .

من شبكه اي دارم كه خط Leased مخابرات به يك روتر سيسكو 2651 وارد شده و روتر به يك سوييچ Core سيسكو مدل 4506 ارتباط دارد و روي سوييچ 4506 تعداد 15 عدد Vlan تعريف كردم . مي خام ببينم ميشه روي هركدوم از اين Vlan ها براي ارتباط با اينترنت محدوديت بزارم. بطوريكه شبكه داخلي دچار محدوديت پهناي باند نشه و فقط Packet هايي كه به روتر مي ره شامل محدوديت روي Vlan بشه . ممنون مي شم جوابمو بدين .

[taysay]

سلام 1 سوال
حالا اگه بخوايم به 1 رنج اي پي متلا 8 تا اپي مجموعا مثلا 128 كيلو اختصاسبديم چي كنيم . دقيقا مثل پناي بندي كه مخابرات به اي اس پي ها ميده.
ايا فقط كافيهست كه اكسس ليست رو اصلاح كنيم.
بازم تاكيد ميكونمكهبه 8 ايپي مجموعا128 كيلو. درواقع پهني باند 128 شير براي 8اي پي.
با تشكر.

ببینید دوست عزیز
چیزی که شما می خواهید با کاری که مخابرات می کنه فرق داره.
مخابرات در واقع عرض باند رو برای IP های شما محدود نمی کنه بلکه در سمت خودش (حالا روی روتر یا سوئیچی که پورت مربوط به شما روی اون قرار داره)، ترافیک رو برای اون پورت خاص محدود می کنه . بعد هم که به اون پورت یک رنج IP مشخص تخصیص می ده.
ولی اگه شما بخواهید در حالت کلی برای یه رنج IP ترافیک محدود کنید باید روی اینترفیس مربوطه با اکسس لیست اینکارو بکنید.

[hyund]

دوستان عزيز با سلام .

من شبكه اي دارم كه خط Leased مخابرات به يك روتر سيسكو 2651 وارد شده و روتر به يك سوييچ Core سيسكو مدل 4506 ارتباط دارد و روي سوييچ 4506 تعداد 15 عدد Vlan تعريف كردم . مي خام ببينم ميشه روي هركدوم از اين Vlan ها براي ارتباط با اينترنت محدوديت بزارم. بطوريكه شبكه داخلي دچار محدوديت پهناي باند نشه و فقط Packet هايي كه به روتر مي ره شامل محدوديت روي Vlan بشه . ممنون مي شم جوابمو بدين .

دوستان خبري نشد ؟

[masoud727]

Sample Cisco router configuration file for a simple Internet
! connection, with one Serial port to an ISP and one Ethernet.
! This example shows a Frame Relay serial connection. You may
! have a standard leased line which will differ slightly.
!
! This example includes extensive sample use of access lists
! to control network, host, TCP, and UDP access.
!
! Cisco's web site contains full details on configurations,
! including samples and command summaries, at:
! http://www.cisco.com
!
! Prevent router from answering service requests.
!
no service udp-small-servers
no service tcp-small-servers
!
! Required to allocate more buffers to this config file, needed because
! of its size of access lists.
!
boot buffersize 50000
!
! This specifies the name of the router, a hostname.
!
hostname router-gw
!
! enable password is the equivalent of the "root" password on a Unix system.
! The virtual terminal password (at the end of the config) is the
! unprivileged one.
! Replace the sample password with a well chosen password
!
enable password PickAGoodPassword
!
ip subnet-zero
!
! Turn off source routing. This prevents people from masquerading as
! other than their real IP addresses onto your network.
!
no ip source-route
!
interface Ethernet0
description To your network -- example network 192.168.1.0 shown
! Router IP address shown as 192.168.1.1 as an EXAMPLE -- use your real address
ip address 192.168.1.1 255.255.255.0
ip access-group 101 out
!
interface Serial0.1 point-to-point
ip unnumbered Ethernet0
bandwidth 56
frame-relay interface-dlci 145 IETF
!
interface Serial1
no ip address
shutdown
!
! insert your real domain name in place of example.com
!
ip domain-name example.com
!
! we run our own primary nameserver on host 192.168.1.10,
! use your real IP addresses.
!
ip name-server 192.168.1.10
!
! specify a secondary nameserver as supplied by your ISP
!
! ip name-server XXX.XXX.XXX.XXX
!
! We use classless routing
!
ip classless
!
! Only a default route upstream to our ISP
!
ip route 0.0.0.0 0.0.0.0 Serial0.1
!
! ------------------------ Access Lists ---------------------
! Access list to control virtual terminal access to our router.
! We don't allow access from anywhere except inside our own network.
!
! Note that ALL access lists are CLEARED first, then reapplied.
! In the configuration file, "no access-list" is used to clear
! the old list from router memory, so as it reads in
! subsequent "access-list" statements, they are stored in
! router memory in order.
!
no access-list 10
access-list 10 permit 192.168.1.0 0.0.0.255
!
! Access list to control traffic FROM the Internet TO our network.
! It is applied as an OUTBOUND access list on the ETHERNET.
! This may seem counter-intuitive, but the access list is applied
! in the direction of data flow. Traffic in this example is
! INBOUND on the Serial port, and OUTBOUND on the Ethernet port.
!
! Clear the old list from router memory first.
!
no access-list 101
!
! The established keyword allows any traffic originating from
! inside your network to be allowed back in. This allows you
! to use services such as WWW, telnet, etc., without allowing
! others to access those ports inside your network.
!
access-list 101 permit tcp any 192.168.1.0 0.0.0.255 established
! ----------------------- Begin blocked sites ------------------
! Sites/Nets we outright block.
! --------------------------------------------------------------
! marathon4com.net, auntmimi.net
access-list 101 deny tcp 209.16.106.0 0.0.0.255 192.168.1.0 0.0.0.255
! joinusnow.com
access-list 101 deny tcp 209.1.197.0 0.0.0.255 192.168.1.0 0.0.0.255
! --------------------------------------------------------------
! PSI's unsecured mail relays
! relay1.smtp.psi.net
access-list 101 deny tcp 38.8.14.2 0.0.0.0 192.168.1.0 0.0.0.255
! relay2.smtp.psi.net
access-list 101 deny tcp 38.8.188.2 0.0.0.0 192.168.1.0 0.0.0.255
! relay3.smtp.psi.net
access-list 101 deny tcp 38.8.210.2 0.0.0.0 192.168.1.0 0.0.0.255
! relay4.smtp.psi.net
access-list 101 deny tcp 38.9.52.2 0.0.0.0 192.168.1.0 0.0.0.255
! ----------------------- End blocked sites ------------------
! Begin port filtering. TCP first, then UDP.
!
! TCP ports to allow. To be secure, you should allow services
! to as FEW hosts as possible, and those hosts should have
! a VERY thorough security policy.
!
! Everything not explicity permitted below 1024 is denied
! 20 - ftp-data
access-list 101 permit tcp any host 192.168.1.10 eq ftp-data
! 21 - ftp
access-list 101 permit tcp any host 192.168.1.10 eq ftp
! 23 - telnet
! We don't allow telnet into our network.
! 25 - smtp
access-list 101 permit tcp any host 192.168.1.10 eq smtp
! 53 - DNS (TCP and UDP)
access-list 101 permit tcp any host 192.168.1.10 eq domain
! 79 - finger
access-list 101 permit tcp any host 192.168.1.10 eq finger
! 80 - www
access-list 101 permit tcp any host 192.168.1.10 eq www
! 110 - pop3
access-list 101 permit tcp any host 192.168.1.10 eq pop3
! 123 - ntp (TCP and UDP)
access-list 101 permit tcp any host 192.168.1.10 eq 123
! 517 - talk
access-list 101 permit tcp any host 192.168.1.10 eq talk
! ----------------------------------------------------------------
!
! TCP ports above 1023 are considered OPEN, so we need to
! explicity CLOSE those which we do not want the Internet
! to access.
!
! This is due to FTP having seperate control and data channels,
! and makes configuration complex. If you will NOT need
! to FTP from the Internet, you can greatly simplify
! this by just blocking everything above 1023.
!
! Block ports above 1023 which we don't want people to get to
! 1524 - ingreslock
access-list 101 deny tcp any 192.168.1.0 0.0.0.255 eq 1524
! 2000-2010 - X server (OpenWindows)
access-list 101 deny tcp any 192.168.1.0 0.0.0.255 range 2000 2010
! 2049 - nfsd (TCP and UDP)
access-list 101 deny tcp any 192.168.1.0 0.0.0.255 eq 2049
! 2766 - listen
access-list 101 deny tcp any 192.168.1.0 0.0.0.255 eq 2766
! 4045 - lockd (TCP and UDP)
access-list 101 deny tcp any 192.168.1.0 0.0.0.255 eq 4045
! 6000-6010 - X server
access-list 101 deny tcp any 192.168.1.0 0.0.0.255 range 6000 6010
! 6112 - dtspc CDE subprocess
access-list 101 deny tcp any 192.168.1.0 0.0.0.255 eq 6112
! 7100 - fs - font server
access-list 101 deny tcp any 192.168.1.0 0.0.0.255 eq 7100
! Permit any TCP ports above 1023 (required for FTP to build connections)
access-list 101 permit tcp any host 192.168.1.10 gt 1023
! ----------------------------------------------------------------
! UDP
! Exceptions
! allow our router to tftp from its boot host (udp 69)
access-list 101 permit udp host 192.168.1.1 host 192.168.1.10 eq 69
! allow our router to get to loghost (udp 514)
access-list 101 permit udp host 192.168.1.1 host 192.168.1.10 eq 514
! Denied UDP ports
! 7 echo - TCP and UDP
access-list 101 deny udp any 192.168.1.0 0.0.0.255 eq 7
! 9 discard - TCP and UDP
access-list 101 deny udp any 192.168.1.0 0.0.0.255 eq 9
! 13 daytime - TCP and UDP
access-list 101 deny udp any 192.168.1.0 0.0.0.255 eq 13
! 19 chargen - TCP and UDP
access-list 101 deny udp any 192.168.1.0 0.0.0.255 eq 19
! 37 time
access-list 101 deny udp any 192.168.1.0 0.0.0.255 eq 37
! 42 name
access-list 101 deny udp any 192.168.1.0 0.0.0.255 eq 42
! 69 tftp
access-list 101 deny udp any 192.168.1.0 0.0.0.255 eq 69
! 111 sunrpc - TCP and UDP
access-list 101 deny udp any 192.168.1.0 0.0.0.255 eq 111
! 512 biff
access-list 101 deny udp any 192.168.1.0 0.0.0.255 eq 512
! 513 who
access-list 101 deny udp any 192.168.1.0 0.0.0.255 eq 513
! 514 syslog
access-list 101 deny udp any 192.168.1.0 0.0.0.255 eq 514
! 520 route
access-list 101 deny udp any 192.168.1.0 0.0.0.255 eq 520
! 550 new-rwho
access-list 101 deny udp any 192.168.1.0 0.0.0.255 eq 550
! 560 rmonitor
access-list 101 deny udp any 192.168.1.0 0.0.0.255 eq 560
! 561 monitor
access-list 101 deny udp any 192.168.1.0 0.0.0.255 eq 561
! 750 kerberos
access-list 101 deny udp any 192.168.1.0 0.0.0.255 eq 750
! 1008 ufsd
access-list 101 deny udp any 192.168.1.0 0.0.0.255 eq 1008
! 2049 - nfsd (TCP and UDP)
access-list 101 deny udp any 192.168.1.0 0.0.0.255 eq 2049
! 4045 - lockd (TCP and UDP)
access-list 101 deny udp any 192.168.1.0 0.0.0.255 eq 4045
! We allow the following well known UDP ports:
! 53 domain (DNS)
! 123 ntp
! 517 talk
!
! Allow any other UDP connections to the WHOLE NETWORK.
! This is to make life simple for RealAudio, etc.
! You may want a STRICTER POLICY than this.
!
access-list 101 permit udp any any
! ----------------------------------------------------------------
! All ICMP allowed. Many sites do not allow ICMP
! at all, and DENY all ICMP. It will cause services
! such as "traceroute" to be unusable, however.
!
access-list 101 permit icmp any any
! ------------------------ End Access Lists ---------------------
!
! If your ISP uses SNMP, you should receive instructions
! from them on how to fill in this parameters. You will need
! to also decomment (remove the leading !s) from these lines.
!
! snmp-server community Community-String RO
! snmp-server trap-authentication
! snmp-server host ISPs-Host-Addr-for-SNMP
! snmp-server contact Your contact info, such as phone number
!
! Logging to your loghost. A open port above in the filters allows
! this traffic in to your loghost ONLY from your router.
!
logging 192.168.1.10
!
! Do not log to the cisco console (unless you really have a hardwired
! terminal physically connected to the console port).
!
no logging console
!
! Specify a Message Of The Day banner which will be displayed when
! someone connects either via telnet or the console port.
!
! Clear the old banner.
!
no banner exec
no banner motd
!
! Specify a new one, customize to your site policy.
! AVOID using "Welcome to ...". The courts have decided
! that using the phrase "Welcome" implies access is allowed
! even to unauthorized parties. Use a more generic phrase, as shown.
!
banner motd /
Unauthorized use of this facility is prohibited.
/
!
! Console port definitions
!
line con 0
exec-timeout 0 0
! Replace the sample password with a well chosen password
password PickAGoodPassword
login
transport preferred none
!
! Auxiliary port (used for modem) definitions.
!
line aux 0
exec-timeout 0 0
! Replace the sample password with a well chosen password
password PickAGoodPassword
login
transport preferred none
!
! Virtual terminal ports (used to telnet to the router).
! Note use of access-class to restrict who can access
! the router. IN GENERAL, only hosts INSIDE your
! network should be allowed access. Your ISP may have
! differing policies and require access to your router,
! you should verify this with them.
!
line vty 0 4
access-class 10 in
exec-timeout 0 0
! Replace the sample password with a well chosen password
password PickAGoodPassword
login
transport preferred none
!
end
حتما" با دقت و حوصله بخون

[afshinsm]

salam .baryae estefadeh az in dastorha rate-limite faghat dar router ha kar mikonad.va dastore policy-map dar switch ha kar mikoad.
baraye rate-limite kardan dar router intori emal mikonim masalan mikhahi recive groupe ma 512kbs bashad va send anha 128kbps

rate-limit output access-group 101 <<limit>> <<max-limit>>

mesal:
rate-limit input access-group 101 128000 8000
rate-limit output access-group 101 512000 8000
===============================
ok movafagh bashid.

[aghnader]

در switch روی خود interface با دستور srr-queue bandwidth میتوان عمل limit و shape و share را انجام داد

interface GigabitEthernet0/1
srr-queue bandwidth shape 10 0 0 0
or!
srr-queue bandwidth share 10 10 60 20

البته راه حل اصلی توی QOS چون تمام کنترل ها روی traffic بر اساس Queue که از packet هاتشکیل شده انجام میشه در همه Ethernetها bydefault به صورت fifo عمل QOS میشود که برای انجام هر نوع تغیر باید QOS Policy عوض شود

[samansarai]

rate-limit input 288000 54000 108000 conform-action transmit exceed-action drop
rate-limit output 1088000 204000 408000 conform-action transmit exceed-action drop