Please help me look at my configuration file: why are clients so slow to obtain an IP address?
rockaka | Posted 2008-1-23 11:24:10
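Our office uses an AR18-21 router serving about 80 machines. Before the ACL was added, clients obtained IP addresses at an acceptable speed; now that the ACL has been added, clients obtain IP addresses extremely slowly and it often fails! Please take a look at my configuration file to see whether anything is wrong and whether it can be optimized further. Thanks, everyone!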
clock timezone gmt+08:004 add 08:00:00
#
undo radius client
#
undo local-server
#
cpu-usage cycle 1min
#
firewall enable
#
connection-limit disable
connection-limit default action deny
connection-limit default amount upper-limit 50 lower-limit 20
#
nat aging-time tcp 300
nat aging-time pptp 300
nat aging-time dns 10
nat aging-time ftp-ctrl 300
nat aging-time tcp-fin 10
nat aging-time tcp-syn 10
#
undo icmp redirect send
undo icmp unreach send
#
qos carl 1 source-ip-address range 192.168.1.2 to 192.168.1.200 per-address
qos carl 2 destination-ip-address range 192.168.1.2 to 192.168.1.200 per-address
#
DNS resolve
DNS server 202.102.224.68
DNS-proxy enable
#
web set-package force flash:/http.zip
#
radius scheme system
#
domain system
#
local-user admin
password cipher ***************
service-type telnet terminal
level 3
service-type ftp
#
acl number 3001
rule 0 permit ip source 192.168.1.0 0.0.0.255
acl number 3101
rule 10 permit icmp icmp-type echo
rule 20 permit icmp icmp-type echo-reply
rule 30 permit icmp icmp-type ttl-exceeded
rule 40 deny icmp
rule 110 deny tcp destination-port eq 135
rule 120 deny udp destination-port eq 135
rule 130 deny udp destination-port eq netbios-ns
rule 140 deny udp destination-port eq netbios-dgm
rule 150 deny tcp destination-port eq 139
rule 160 deny udp destination-port eq netbios-ssn
rule 170 deny tcp destination-port eq 445
rule 180 deny udp destination-port eq 445
rule 190 deny udp destination-port eq 593
rule 200 deny tcp destination-port eq 593
rule 210 deny tcp destination-port eq 1433
rule 220 deny tcp destination-port eq 1434
rule 230 deny tcp destination-port eq 4444
rule 240 deny tcp destination-port eq 1025
rule 250 deny tcp destination-port eq 1068
rule 260 deny tcp destination-port eq 707
rule 270 deny tcp destination-port eq 5554
rule 280 deny tcp destination-port eq 9996
rule 600 deny tcp destination-port eq 2710
rule 610 deny tcp destination-port eq 6969
rule 620 deny tcp destination-port range 8881 8999
rule 630 deny tcp destination-port eq 10137
rule 640 deny tcp destination-port eq 16881
rule 650 deny tcp destination-port range 4661 4662
rule 660 deny udp destination-port eq 4665
rule 670 deny udp destination-port eq 4672
rule 2000 permit ip
rule 3000 deny ip
acl number 3102
rule 10 permit icmp icmp-type echo
rule 20 permit icmp icmp-type echo-reply
rule 30 permit icmp icmp-type ttl-exceeded
rule 40 deny icmp
rule 110 deny tcp destination-port eq 135
rule 120 deny udp destination-port eq 135
rule 130 deny udp destination-port eq netbios-ns
rule 140 deny udp destination-port eq netbios-dgm
rule 150 deny tcp destination-port eq 139
rule 160 deny udp destination-port eq netbios-ssn
rule 170 deny tcp destination-port eq 445
rule 180 deny udp destination-port eq 445
rule 190 deny udp destination-port eq 593
rule 200 deny tcp destination-port eq 593
rule 210 deny tcp destination-port eq 1433
rule 220 deny tcp destination-port eq 1434
rule 230 deny tcp destination-port eq 4444
rule 240 deny tcp destination-port eq 1025
rule 250 deny tcp destination-port eq 1068
rule 260 deny tcp destination-port eq 707
rule 270 deny tcp destination-port eq 5554
rule 280 deny tcp destination-port eq 9996
rule 600 deny tcp destination-port eq 2710
rule 610 deny tcp destination-port eq 6969
rule 620 deny tcp destination-port range 8881 8999
rule 630 deny tcp destination-port eq 10137
rule 640 deny tcp destination-port eq 16881
rule 650 deny tcp destination-port range 4661 4662
rule 660 deny udp destination-port eq 4665
rule 670 deny udp destination-port eq 4672
rule 2000 permit ip destination 192.168.1.0 0.0.0.255
rule 2010 permit tcp destination-port eq telnet
rule 2020 permit ip source 202.112.10.60 0
rule 2030 permit ip source 207.46.130.100 0
rule 3000 deny ip
#
interface Aux0
async mode flow
#
interface Ethernet1/0
ip address 192.168.1.1 255.255.255.0
dhcp select interface
dhcp server dns-list 192.168.1.1
arp send-gratuitous-arp 1
firewall packet-filter 3101 inbound
qos car inbound carl 1 cir 200000 cbs 200000 ebs 200000 green pass red discard
qos car outbound carl 2 cir 300000 cbs 300000 ebs 300000 green pass red discard
#
interface Ethernet1/1
#
interface Ethernet1/2
#
interface Ethernet1/3
#
interface Ethernet1/4
#
interface Ethernet2/0
ip address *.*.*.* 255.255.255.224
firewall packet-filter 3102 inbound
nat outbound 3001
#
interface NULL0
#
dhcp server forbidden-ip 192.168.1.200 192.168.1.255
#
ip route-static 0.0.0.0 0.0.0.0 *.*.*.* preference 60
ip route-static 10.0.0.0 255.0.0.0 NULL 0 preference 60
ip route-static 169.254.0.0 255.255.0.0 NULL 0 preference 60
ip route-static 172.16.0.0 255.240.0.0 NULL 0 preference 60
ip route-static 192.168.0.0 255.255.0.0 NULL 0 preference 60
#
ntp-service unicast-server 202.112.10.60
ntp-service unicast-server 207.46.130.100
#
user-interface con 0
user-interface aux 0
user-interface vty 0 4
authentication-mode scheme
protocol inbound telnet
#
return
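Added example, not part of the original post: a small first-match evaluator over a subset of the ACL 3101 rules quoted above, showing which rule a DHCP request (UDP to port 67) arriving on Ethernet1/0 hits and which rules can never match. It assumes rules are checked in ascending rule ID with the first match winning, ignores source/destination address fields (this subset has none), and uses a constructed sample packet.

```python
# Added example: first-match evaluation of a subset of ACL 3101 from the post.
# Assumption: rules are checked in ascending rule ID and the first match wins.
PORT_NAMES = {"netbios-ns": 137, "netbios-dgm": 138, "netbios-ssn": 139}
ACL_3101 = """\
rule 10 permit icmp icmp-type echo
rule 20 permit icmp icmp-type echo-reply
rule 30 permit icmp icmp-type ttl-exceeded
rule 40 deny icmp
rule 120 deny udp destination-port eq 135
rule 130 deny udp destination-port eq netbios-ns
rule 170 deny tcp destination-port eq 445
rule 620 deny tcp destination-port range 8881 8999
rule 2000 permit ip
rule 3000 deny ip"""

def port(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)

def parse(text):
    rules = []
    for t in (line.split() for line in text.splitlines()):
        r = {"id": int(t[1]), "action": t[2], "proto": t[3], "icmp": None, "ports": None}
        if "icmp-type" in t:
            r["icmp"] = t[t.index("icmp-type") + 1]
        if "destination-port" in t:
            i = t.index("destination-port")
            lo = port(t[i + 2])
            r["ports"] = (lo, port(t[i + 3]) if t[i + 1] == "range" else lo)
        rules.append(r)
    return sorted(rules, key=lambda r: r["id"])

def first_match(rules, pkt):
    """Return (rule_id, action) of the first rule matching pkt."""
    for r in rules:
        if r["proto"] not in ("ip", pkt["proto"]):
            continue
        if r["icmp"] and r["icmp"] != pkt.get("icmp"):
            continue
        if r["ports"] and not r["ports"][0] <= pkt.get("dport", -1) <= r["ports"][1]:
            continue
        return r["id"], r["action"]
    return None, "no-match"

def unreachable(rules):
    """Rule IDs that sit behind an unconditional 'ip' rule and can never match."""
    for i, r in enumerate(rules):
        if r["proto"] == "ip" and not r["icmp"] and not r["ports"]:
            return [x["id"] for x in rules[i + 1:]]
    return []

RULES = parse(ACL_3101)
DHCP_DISCOVER = {"proto": "udp", "dport": 67}  # constructed sample packet
print(first_match(RULES, DHCP_DISCOVER), unreachable(RULES))
```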

qzyuanmu | Posted 2008-1-23 12:33:36
Why do you need to define so many?

rockaka (original poster) | Posted 2008-1-23 14:35:26
Heh, it's not that much really, it just defines NAT translation, DHCP, ACLs, traffic control and so on.

qzyuanmu | Posted 2008-1-23 15:37:48
I meant the ACL, that it needs so many. I'm not very familiar with Huawei gear; I suppose they correspond to ports?