网通流量通过网通进出,其余通过电信
Current configuration (ver 3.4.37):
!
configure
!
hostname PAS
terminal length 30
terminal timeout 10
mac-ageing 300
arp locktime 100
port-monitoring disable
gmt-difference 9
resources-status disable
!
! Alias setting
!
!
! Port setting
!
port 1 enable
port 1 duplex auto
port 1 speed auto
port 1 flow-ctrl off
port 2 enable
port 2 duplex auto
port 2 speed auto
port 2 flow-ctrl off
port 3 enable
port 3 duplex auto
port 3 speed auto
port 3 flow-ctrl off
port 4 enable
port 4 duplex auto
port 4 speed auto
port 4 flow-ctrl off
port 5 enable
port 5 duplex auto
port 5 speed auto
port 5 flow-ctrl off
port 6 enable
port 6 duplex auto
port 6 speed auto
port 6 flow-ctrl off
port 7 enable
port 7 duplex auto
port 7 speed auto
port 7 flow-ctrl off
port 8 enable
port 8 duplex auto
port 8 speed auto
port 8 flow-ctrl off
!
! Mirroring setting
!
mirroring disable
!
! VLAN setting
!
vlan lan 80
vlan lan port 3,4,5,6,7,8 untagged
vlan pvid lan port 3
vlan pvid lan port 4
vlan pvid lan port 5
vlan pvid lan port 6
vlan pvid lan port 7
vlan pvid lan port 8
vlan cnc 20
vlan cnc port 2 untagged
vlan pvid cnc port 2
vlan ctc 10
vlan ctc port 1 untagged
vlan pvid ctc port 1
!
! Trunk setting
!
!
! STP setting
!
!
! IP route & IP DNS setting
!
ip address 192.168.1.254/24 interface lan
ip address 199.199.21.254/24 interface cnc
ip address 199.199.12.254/24 interface ctc
ip interface mgmt down
ip route default gateway 199.199.12.1
! IP masquerading setting
!
!
! Port-boundary configuration
!
port-boundary 8 (这里是内网端口) promisc off
include-mac none
protocol all
sip 0.0.0.0/0
dip 0.0.0.0/0
boundary server
port 3,4,5,6,7,8
enable
apply
port-boundary 12 (这里是外网端口) promisc off
include-mac none
protocol all
sip 0.0.0.0/0
dip 0.0.0.0/0
boundary client
port 1,2
enable
apply
!
! ARP setting
!
!
! Logging setting
! NOTE(review): 'logging server enable' appears below, but no remote log server address is visible in this dump; confirm the destination is configured elsewhere, otherwise buffered logs (100 entries) are the only record.
!
logging priority all notice
logging buffer 100
logging rotate 0:0
logging server enable
!
! SNMP setting
! NOTE(review): SNMP is disabled below, but the default community string 'public' is still stored; replace it before SNMP is ever enabled.
!
snmp community public
snmp load-timeout 60
snmp disable
! RMON setting
!
!
! RADIUS setting
!
radius
disable
..
!
! Watch-system setting
!
watch-system
disable
interval 1000
cpu
disable
threshold 95
apply
memory
disable
threshold 80
apply
apply
!
! Email-alarm setting
!
email-alarm
disable
ratelimit 60
no cpu
no memory
no temperature
no power
no fan
no packet-processor
no link-change
no failover
no real
apply
!
! NTP client setting
!
disable
interval 900
timeout 5
apply
!
! Healthcheck server setting
!
hc-server
ftpd
port 21
disable
apply
httpd
port 80
disable
apply
imapd
port 143
disable
apply
pop3d
port 110
disable
apply
smtpd
port 25
disable
apply
..
!
! Session-Timeout setting
!
session-timeout
generic 30
icmp 10
tcp-close 20
tcp-close-wait 20
tcp-established 3600
tcp-fin-wait 20
tcp-time-wait 20
udp 10
udp-stream 180
apply
!
! Session-log setting
!
session-log
disable
buffer 100
rotate 0:0
apply
!
! System environment setting
!
proxy-arp disable
passive-proxy-arp disable
compare-src-mac disable
multicast-bridge disable
high-prio-icmp-hc disable
lb-stat-status disable
flood-rate rate 100
flood-rate broadcast enable
flood-rate multicast disable
!
! Router configuration
!
interface default
..
interface lan
..
interface cnc
..
interface ctc
..
!
!
! SLB configuration
!
! Define SLB service 'ctc'
! NOTE(review): 'vport all:0' here (and in service 'cnc' below) together with 'rport 0' on the real appears to publish every port of 192.168.1.12 through the public VIP via dest-NAT, while only TCP/21 is health-checked. Confirm a whole-host publish is intended rather than FTP only.
slb ctc (电信的服务器发布)
priority 50
sticky 300
lb-method rr
vip 199.199.12.12 (对外发布服务的电信公网地址)
vport all:0
natmode dest-nat
no session-sync
no backup
fail-skip disable
enable
apply
! Define Reals of SLB service 'ctc'
real 1
name ftp
rip 192.168.1.12 (服务器的真实IP地址)
rport 0
weight 1
graceful-shutdown disable
max-connection 0
enable
apply
! Define Healthcheck of SLB service 'ctc'
health 1
type tcp
timeout 3
interval 5
retry 3
recover 0
port 21
enable
apply
..
! Define SLB service 'cnc'
slb cnc (网通的服务器发布)
priority 50
sticky 300
lb-method rr
vip 199.199.21.21 (对外发布服务的网通公网地址)
vport all:0
natmode dest-nat
no session-sync
no backup
fail-skip disable
enable
apply
! Define Reals of SLB service 'cnc'
real 1
name ftp
rip 192.168.1.12 (服务器的真实IP地址)
rport 0
weight 1
graceful-shutdown disable
max-connection 0
enable
apply
! Define Healthcheck of SLB service 'cnc'
health 1
type tcp
timeout 3
interval 5
retry 3
recover 0
port 21
enable
apply
..
!
!
! Layer7 configuration
!
layer7
..
!
!
! L7SLB configuration
!
!
!
! L7CSLB configuration
!
!
!
! FWLB configuration
!
!
!
! CSLB configuration
!
!
!
! GWLB configuration
!
! Define GWLB service 'gcnc'
gwlb gcnc (网通链路均衡部分)
priority 50
lb-method rr
sticky 60
enable
backup cncbackup
fail-skip disable
apply
! Define Reals of GWLB service 'gcnc'
real 1
name cnc
rip 199.199.21.2 (网关地址)
mac 00:06:c4:34:04:89(网关MAC地址)
interface cnc
weight 1
graceful-shutdown disable
max-connection 0
enable
apply
real 1
nat 1
type source-nat
priority 1
enable
protocol all
sip 0.0.0.0/0
dip 0.0.0.0/0
natip 199.199.21.222(出去后被NAT的公网地址)
apply
apply
! Define Filters of GWLB service 'gcnc'
filter 1
type exclude
protocol all
sip 199.199.21.0/24
sport 0
dip 0.0.0.0/0
dport 0
enable
apply
filter 256
type include
protocol all
sip 0.0.0.0/0
sport 0
dip 199.199.21.0/24(网通的公网地址段)
dport 0
enable
apply
filter 255
type include
protocol all
sip 0.0.0.0/0
sport 0
dip 2.2.2.2/32(网通的公网地址段)
dport 0
enable
apply
filter 254
type include
protocol all
sip 0.0.0.0/0
sport 0
dip 199.199.2.0/24(网通的公网地址段)
dport 0
enable
apply
! Define Healthcheck of GWLB service 'gcnc'
health 1
type icmp
timeout 3
interval 5
retry 3
recover 0
port 0
increase-icmp-id disable
enable
apply
..
! Define GWLB service 'gctc'
gwlb gctc
priority 100
lb-method rr
sticky 60
enable
backup ctcbackup
fail-skip disable
apply
! Define Reals of GWLB service 'gctc'
real 1
name ctc
rip 199.199.12.1
mac 00:06:c4:34:03:a7
interface ctc
weight 1
graceful-shutdown disable
max-connection 0
enable
apply
real 1
nat 1
type source-nat
priority 1
enable
protocol all
sip 0.0.0.0/0
dip 0.0.0.0/0
natip 199.199.12.111
apply
apply
! Define Filters of GWLB service 'gctc'
filter 1
type exclude
protocol all
sip 199.199.12.0/24 (源地址是本地对外开放的公网地址将不被NAT出去)
sport 0
dip 0.0.0.0/0
dport 0
enable
apply
filter 256
type include
protocol all
sip 0.0.0.0/0
sport 0
dip 0.0.0.0/0
dport 0
enable
apply
! Define Healthcheck of GWLB service 'gctc'
health 1
type icmp
timeout 3
interval 5
retry 3
recover 0
port 0
increase-icmp-id disable
enable
apply
..
! Define GWLB service 'cncbackup'
gwlb cncbackup
priority 150
lb-method rr
sticky 60
enable
no backup
fail-skip disable
apply
! Define Reals of GWLB service 'cncbackup'
real 1
name ctc
rip 199.199.12.1
mac 00:06:c4:34:03:a7
interface ctc
weight 1
graceful-shutdown disable
max-connection 0
enable
apply
real 1
nat 1
type source-nat
priority 1
enable
protocol all
sip 0.0.0.0/0
dip 0.0.0.0/0
natip 199.199.12.111
apply
apply
! Define Filters of GWLB service 'cncbackup'
filter 1
type exclude
protocol all
sip 199.199.12.0/24(源地址是本地对外开放的公网地址将不被NAT出去)
sport 0
dip 0.0.0.0/0
dport 0
enable
apply
filter 256
type include
protocol all
sip 0.0.0.0/0
sport 0
dip 0.0.0.0/0
dport 0
enable
apply
! Define Healthcheck of GWLB service 'cncbackup'
health 1
type icmp
timeout 3
interval 5
retry 3
recover 0
port 0
increase-icmp-id disable
enable
apply
..
! Define GWLB service 'ctcbackup'
gwlb ctcbackup
priority 200
lb-method rr
sticky 60
enable
fail-skip disable
apply
! Define Reals of GWLB service 'ctcbackup'
real 1
name cnc
rip 199.199.21.2
mac 00:06:c4:34:04:89
interface cnc
weight 1
graceful-shutdown disable
max-connection 0
enable
apply
real 1
nat 1
type source-nat
priority 1
enable
protocol all
sip 0.0.0.0/0
dip 0.0.0.0/0
natip 199.199.21.222
apply
apply
! Define Filters of GWLB service 'ctcbackup'
filter 1
type exclude
protocol all
sip 199.199.21.0/24(源地址是本地对外开放的公网地址将不被NAT出去)
sport 0
dip 0.0.0.0/0
dport 0
enable
apply
filter 256
type include
protocol all
sip 0.0.0.0/0
sport 0
dip 0.0.0.0/0
dport 0
enable
! Define Healthcheck of GWLB service 'ctcbackup'
health 1
type icmp
timeout 3
interval 5
retry 3
recover 0
port 0
increase-icmp-id disable
enable
apply
..
!
!
! Security configuration
!
security
asymmetric-filtering disable
log-forwarding disable
!
! Security system configuration
!
system
!
! Security system protection configuration
! NOTE(review): synflood, ipspoof and dosprotect are all disabled below; confirm this is intentional for a device with two Internet-facing uplinks.
!
protection
synflood disable
ipspoof disable
dos dead-timeout 60
dos alive-timeout 7200
dos tcp-retries 15
dosprotect disable
apply
!
! Security system access policy configuration
! NOTE(review): default-policy is 'accept' and the firewall section below defines no policies, so this device applies no traffic filtering; confirm filtering is enforced elsewhere.
!
access
default-policy accept
apply
..
!
! Security firewall configuration
!
firewall
! Security firewall content configuration
! Security firewall content group configuration
! Security firewall filter configuration
! Security firewall filter group configuration
! Security firewall policy configuration
..
!
! Advanced security configuration
!
advanced
!
! Security DoS protection configuration (advanced)
!
dos
sampling-rate middle
..
!
! Security flood control configuration (advanced)
!
!
! Security scan protection configuration (advanced)
!
scan
portscan
weight 21
delay 300
highportweight 1
lowportweight 3
disable
..
osfingerprinting disable
interface any
apply
!
! Security worm protection configuration (advanced)
!
worm
ramen disable
sadmind disable
nimda disable
codered disable
sqlslammer disable
blaster disable
welchia disable
sasser1 disable
sasser2 disable
korgo disable
interface any
apply
!
! Security spam mail protection configuration (advanced)
!
interface any
searchlimit 0
apply
!
! Security e-mail worm protection configuration (advanced)
!
email-worm
interface any
log disable
searchlimit 0
disable
apply
!
! Security intrusion-prevention configuration (advanced)
!
intrusion-prevention
interface any
log disable
disable
apply
..
..
!
!
!
! QoS configuration
!
qos
!
! IP-QoS configuration
!
ip-qos
..
!
! IEEE 802.1p CoS configuration
!
802.1p
map 0,1,2,3,4,5,6 to 2 weight 1
..
qos-method bandwidth-control
disable
..
! End of QoS configuration
!
!
! Failover configuration
!
failover
! no failover daemon
!
!
! ILB static proximity filter configuration
!
! Define ILB static proximity filter
spfilter
filter 1
name ctc
source-ip 199.199.1.0/24(请求解析的客户端的公网地址)
apply
filter 2
name cnc
source-ip 199.199.2.0/24(请求解析的客户端的公网地址)
apply
filter 11
name ctc
source-ip 1.1.1.1/32(请求解析的客户端的公网地址)
apply
filter 111
name ctc
source-ip 0.0.0.0/0(请求解析的客户端的公网地址)
apply
filter 22
name cnc
source-ip 2.2.2.2/32(请求解析的客户端的公网地址)
apply
! Define ILB static proximity filter
filter-group ctc(通过下面的FILTER命名将不同的源IP挂接到本地CTC组)
name ctc
filter 1,11,111
apply
filter-group cnc
name cnc
filter 2,22
apply
..
!
! ILB configuration
!
! Define ILB service 'dns'
ilb dns
zone https://www.doczj.com/doc/5517868644.html, (对外解析的域名是https://www.doczj.com/doc/5517868644.html,)
priority 50
mode server (解析处于SERVER模式)
enable
apply
! Define name server of ILB service
ns 1
name ctc (通过NAME命令挂接前面的FILTER-GROUP组)
ip 199.199.12.254(对外开放的解析服务的公网地址)
ttl 10
enable
apply
ns 2
name cnc
ip 199.199.21.254
ttl 10
enable
apply
! Define real server of ILB service
real 1
name ctc
rip 199.199.12.1(电信网关地址)
mac 00:06:c4:34:03:a7(电信网关MAC地址)
interface ctc
weight 1
svcip 199.199.12.12
sp-filter ctc
enable
apply
real 2
name cnc
rip 199.199.21.2
mac 00:06:c4:34:04:89
interface cnc
weight 1
svcip 199.199.21.21
sp-filter cnc
enable
apply
! Define rule of ILB service
rule 1
priority 50
svc-domain ftp(域名的前缀,加上FTP,域名就变成https://www.doczj.com/doc/5517868644.html,)
real-id 1
lb-method sp (采用SP模式,根据不同的用户源IP解析为不同的对外服务地址)
enable
apply
! Define record of ILB service
! Define healthcheck of ILB service
health 1
type icmp
timeout 3
interval 5
retry 3
recover 3
port 0
increase-icmp-id disable
enable
sip 0.0.0.0
tip 0.0.0.0
apply
..
end