This section provides an example of configuring a maximum bandwidth per IP address, both to restrict the total bandwidth that enterprise employees can use to access the Internet and to cap the total bandwidth available to intranet servers that provide services externally.
As shown in Figure 1, employees access the Internet through Source NAT. The enterprise has applied for four public IP addresses (1.1.1.2 to 1.1.1.5) to use as the post-NAT addresses. The enterprise also deploys multiple Web servers that provide Web access to Internet users through NAT Server; the public IP address of these servers is 1.1.1.6. In peak hours, when Internet users access the Web servers, web pages and pictures fail to display completely. Conversely, when the Web servers experience bursts of access, the Internet access experience of enterprise employees is also degraded.
The enterprise requires the bandwidth management function to be enabled on the FW to limit the total bandwidth for employees accessing the Internet and the total bandwidth for the Web servers providing services externally. That is, the FW limits bandwidth only on the public IP addresses, which are the addresses after Source NAT translation and before NAT Server translation. Assign 60 Mbit/s downstream bandwidth (untrust to trust) for intranet users to access the Internet and 40 Mbit/s downstream bandwidth (dmz to untrust) for Internet users to access the Web servers.
[FW] traffic-policy
[FW-policy-traffic] profile profile_surf
[FW-policy-traffic-profile-profile_surf] bandwidth maximum-bandwidth whole downstream 60000
[FW-policy-traffic-profile-profile_surf] quit
[FW-policy-traffic] public-ip source match enable
[FW-policy-traffic] rule name policy_surf
[FW-policy-traffic-rule-policy_surf] source-zone trust
[FW-policy-traffic-rule-policy_surf] destination-zone untrust
[FW-policy-traffic-rule-policy_surf] source-address range 1.1.1.2 1.1.1.5
[FW-policy-traffic-rule-policy_surf] action qos profile profile_surf
[FW-policy-traffic-rule-policy_surf] quit
[FW-policy-traffic] profile profile_websvr
[FW-policy-traffic-profile-profile_websvr] bandwidth maximum-bandwidth whole downstream 40000
[FW-policy-traffic-profile-profile_websvr] quit
[FW-policy-traffic] public-ip destination match enable
[FW-policy-traffic] rule name policy_websvr
[FW-policy-traffic-rule-policy_websvr] source-zone untrust
[FW-policy-traffic-rule-policy_websvr] destination-zone dmz
[FW-policy-traffic-rule-policy_websvr] destination-address 1.1.1.6 32
[FW-policy-traffic-rule-policy_websvr] action qos profile profile_websvr
[FW-policy-traffic-rule-policy_websvr] quit
This section provides only the part of the configuration script that relates to the example.
#
 sysname FW
#
time-range rush_time period-range 15:00:00 to 18:00:00 working-day
#
interface GigabitEthernet0/0/1
 undo shutdown
 ip address 1.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/2
 undo shutdown
 ip address 10.2.0.1 255.255.255.0
#
interface GigabitEthernet0/0/3
 undo shutdown
 ip address 10.3.0.1 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/3
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet0/0/1
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet0/0/2
#
traffic-policy
 public-ip destination match enable
 public-ip source match enable
 profile profile_surf
  bandwidth maximum-bandwidth whole downstream 60000
 profile profile_websvr
  bandwidth maximum-bandwidth whole downstream 40000
 rule name policy_surf
  source-zone trust
  destination-zone untrust
  source-address range 1.1.1.2 1.1.1.5
  action qos profile profile_surf
 rule name policy_websvr
  source-zone untrust
  destination-zone dmz
  destination-address 1.1.1.6 32
  action qos profile profile_websvr
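The following check, added here as an example and not part of the vendor's documentation or tooling, parses the traffic-policy commands from the procedure and script above and verifies the two points this example hinges on: that each profile's downstream value in kbit/s matches the required Mbit/s figure, and that a rule keyed on a public (post-Source-NAT or pre-NAT-Server) address is paired with the corresponding public-ip match switch. The public subnet 1.1.1.0/24 is assumed from the address on GigabitEthernet0/0/1.

```python
import ipaddress
SAMPLE = """ public-ip destination match enable
 public-ip source match enable
 profile profile_surf
  bandwidth maximum-bandwidth whole downstream 60000
 profile profile_websvr
  bandwidth maximum-bandwidth whole downstream 40000
 rule name policy_surf
  source-zone trust
  destination-zone untrust
  source-address range 1.1.1.2 1.1.1.5
  action qos profile profile_surf
 rule name policy_websvr
  source-zone untrust
  destination-zone dmz
  destination-address 1.1.1.6 32
  action qos profile profile_websvr
"""  # constructed sample: the commands under traffic-policy in the script above, one per line
PUBLIC_NET = ipaddress.ip_network("1.1.1.0/24")  # assumed: the public subnet on GE0/0/1

def parse(text):
    flags, profiles, rules, cur = set(), {}, {}, None
    for p in (line.split() for line in text.splitlines() if line.strip()):
        if p[0] == "public-ip":                    # records e.g. "source match"
            flags.add(f"{p[1]} {p[2]}")
        elif p[0] == "profile":
            cur = profiles.setdefault(p[1], {"kind": "profile"})
        elif p[0] == "rule":
            cur = rules.setdefault(p[2], {"kind": "rule", "addr": []})
        elif cur and cur["kind"] == "profile" and p[0] == "bandwidth":
            cur[p[3]] = int(p[4])                  # "... whole <direction> <kbit/s>"
        elif cur and cur["kind"] == "rule" and p[0] == "action":
            cur["profile"] = p[-1]
        elif cur and cur["kind"] == "rule" and p[0].endswith("-address"):
            cur["addr"].append((p[0].split("-")[0], p[2] if p[1] == "range" else p[1]))
    return flags, profiles, rules

def lint(text, expected_mbit):
    """Return findings; an empty list means the block enforces the stated limits."""
    flags, profiles, rules = parse(text)
    findings = []
    for name, mbit in expected_mbit.items():       # the CLI takes kbit/s, the text gives Mbit/s
        got = profiles.get(name, {}).get("downstream")
        if got != mbit * 1000:
            findings.append(f"{name}: downstream {got} kbit/s, expected {mbit * 1000}")
    for name, rule in rules.items():
        for side, ip in rule["addr"]:              # a rule keyed on a public NAT address needs its switch
            if ipaddress.ip_address(ip) in PUBLIC_NET and f"{side} match" not in flags:
                findings.append(f"{name}: public {side} address but 'public-ip {side} match enable' is missing")
    return findings
```

Run `lint(SAMPLE, {"profile_surf": 60, "profile_websvr": 40})` against the script to confirm it returns no findings; removing the `public-ip source match enable` line reports that policy_surf would no longer match the post-NAT employee addresses.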