A practical QoS policy configuration example

!
!
!
!
interface FastEthernet0/0
 ip address 192.168.0.1 255.255.255.0
 ip address 192.168.1.1 255.255.255.0 secondary
 ip access-group 130 in
 ip verify unicast reverse-path
 ip nat inside
 ip route-cache same-interface
 ip route-cache policy
 ip policy route-map qos
 duplex auto
 speed auto
 no cdp enable
!
interface Serial0/0
 bandwidth 2048
 ip address x.x.x.x 255.255.255.252
 ip verify unicast reverse-path
 no ip proxy-arp
 ip nat outside
 rate-limit input 2000000 20000 20000 conform-action transmit exceed-action drop
 ip route-cache policy
 service-policy output qos_policy_map
 no cdp enable
!
ip nat inside source list 10 interface Serial0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 x.x.x.x
ip route 192.168.0.0 255.255.255.0 192.168.1.1
ip route 192.168.1.0 255.255.255.0 192.168.0.1
no ip http server
no ip pim bidir-enable
!
!
access-list 10 remark NAT
access-list 10 permit 192.168.0.0 0.0.0.255
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 110 remark normal
access-list 110 permit ip 192.168.0.0 0.0.0.255 any
access-list 120 remark premium
access-list 120 permit ip 192.168.1.0 0.0.0.255 any
access-list 130 remark anti BT and anti-virus
access-list 130 deny tcp any any range 6881 6890 time-range work
access-list 130 deny tcp any range 6881 6890 any time-range work
access-list 130 deny tcp any any range 6969 6979 time-range work
access-list 130 deny tcp any range 6969 6979 any time-range work
access-list 130 deny tcp any any range 7000 7100 time-range work
access-list 130 deny tcp any range 7000 7100 any time-range work
access-list 130 deny tcp any any range 9995 9996
access-list 130 deny tcp any range 9995 9996 any
access-list 130 deny tcp any any eq 5554
access-list 130 deny tcp any eq 5554 any
access-list 130 permit ip any any
no cdp run
route-map qos permit 10
 match ip address 110
 set ip precedence priority
!
route-map qos permit 20
 match ip address 120
 set ip precedence critical
!
banner motd ^CUnauthorized access will be Prosecuted!!!^C
!
line con 0
 exec-timeout 0 0
line aux 0
line vty 0 4
 password 7 121A0C0411045D5D7C
 login
!
time-range work
 periodic weekdays 8:30 to 18:00
!
!
end

The company has two internal subnets: 192.168.0.0/24 and 192.168.1.0/24.

192.168.0.0/24 is the low-priority subnet and 192.168.1.0/24 is the high-priority subnet.

In the class-map, the premium_class class covers the high-priority subnet 192.168.1.0/24 and uses NBAR to match latency-sensitive applications such as napster, netshow, pcanywhere, realaudio, streamwork, vdolive, cuseeme and telnet.

The normal_class class covers the low-priority subnet 192.168.0.0/24 and uses NBAR to match applications that are not latency-sensitive, such as ftp, pop3 and smtp.

In the policy-map, each class receives a different treatment, e.g. CBWFQ and WRED. Because the company's Internet bandwidth is 2 Mbit/s, WRED is configured with an exponential weighting constant of 4, a minimum threshold of 5, a maximum threshold of 17 and a mark probability denominator of 1.

The route-map (PBR) matches ACL 110 and ACL 120 and sets a different IP precedence value for each.

On the FastEthernet 0/0 LAN interface, ACL 130 is applied as an inbound policy: it blocks BitTorrent downloads during working hours, 8:30 to 18:00, and blocks the ports used by the Sasser worm.
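As an added example (not part of the original post), the following Python evaluates ACL 130 and time-range work from the configuration above against constructed flows, showing that the BitTorrent port entries are only active on weekdays 8:30 to 18:00 while the Sasser ports are blocked at all times and everything else falls through to the final permit. The parser handles only the address forms this ACL uses (any and host); the flow values are made up.

```python
"""ACL 130 (anti-BT / anti-Sasser filter, inbound on F0/0) and time-range
"work" from the page, evaluated on constructed flows.  Added example."""
from datetime import datetime
ACL_130 = """\
access-list 130 deny tcp any any range 6881 6890 time-range work
access-list 130 deny tcp any range 6881 6890 any time-range work
access-list 130 deny tcp any any range 6969 6979 time-range work
access-list 130 deny tcp any range 6969 6979 any time-range work
access-list 130 deny tcp any any range 7000 7100 time-range work
access-list 130 deny tcp any range 7000 7100 any time-range work
access-list 130 deny tcp any any range 9995 9996
access-list 130 deny tcp any range 9995 9996 any
access-list 130 deny tcp any any eq 5554
access-list 130 deny tcp any eq 5554 any
access-list 130 permit ip any any""".splitlines()   # copied from the config

def work_active(when):  # time-range work: periodic weekdays 8:30 to 18:00
    return when.weekday() < 5 and (8, 30) <= (when.hour, when.minute) <= (18, 0)

def _addr_port(tok):
    """Consume 'any' or 'host A.B.C.D', then an optional 'eq N' / 'range LO HI'."""
    addr, tok = (None, tok[1:]) if tok[0] == "any" else (tok[1], tok[2:])
    if tok and tok[0] == "eq":
        return addr, (int(tok[1]), int(tok[1])), tok[2:]
    if tok and tok[0] == "range":
        return addr, (int(tok[1]), int(tok[2])), tok[3:]
    return addr, None, tok

def parse_acl(lines):
    """Each ACE -> (action, proto, src, sports, dst, dports, time_range)."""
    rules = []
    for line in lines:
        tok = line.split()
        action, proto, tok = tok[2], tok[3], tok[4:]
        src, sports, tok = _addr_port(tok)
        dst, dports, tok = _addr_port(tok)
        rules.append((action, proto, src, sports, dst, dports,
                      tok[1] if tok[:1] == ["time-range"] else None))
    return rules

def decide(proto, src, sport, dst, dport, when_iso, rules=parse_acl(ACL_130)):
    """First matching ACE wins; an ACE whose time-range is inactive is skipped; no match = implicit deny."""
    when = datetime.fromisoformat(when_iso)
    in_rng = lambda rng, port: rng is None or rng[0] <= port <= rng[1]
    for action, rproto, rsrc, sp, rdst, dp, trange in rules:
        if (rproto in ("ip", proto) and rsrc in (None, src) and rdst in (None, dst)
                and in_rng(sp, sport) and in_rng(dp, dport)
                and not (trange == "work" and not work_active(when))):
            return action
    return "deny"
```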

On the Serial 0/0 WAN interface, an input CAR policy is applied to control the rate of traffic entering Serial 0/0.
