
hefei122 2008-1-30 09:32

Cisco 封堵QQ解决方案

CNC-FTTB#sh run
CNC-FTTB#sh running-config
Building configuration...

Current configuration : 9248 bytes
!
! Last configuration change at 01:00:58 Beijing Sat Mar 6 1993 by lguo
! NVRAM config last updated at 01:00:59 Beijing Sat Mar 6 1993 by lguo
!
! NOTE(review): this listing was posted with its credential lines intact.
! "service password-encryption" stores passwords as type 7, which is a
! reversible obfuscation and not a hash, so every "password 7" value shown
! in this config should be treated as disclosed and rotated.
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname CNC-FTTB
!
! 4096-byte local log buffer at debugging level; it wraps quickly, so the
! syslog export configured further down ("logging 172.16.0.211") is the
! durable record.
logging buffered 4096 debugging
! AAA is enabled, but no "aaa authentication" method list appears in this
! listing, so logins fall back to the IOS defaults -- confirm on the device.
aaa new-model
! "enable password" is kept in type 7 form; "enable secret" stores a one-way
! hash instead and takes precedence when both are configured.
enable password 7 022717520A151632021C5A3B
!
! Local accounts are also type 7. Where the image supports it,
! "username <name> secret" is the hashed alternative.
username swang password 7 035D095B5F5D711D1B3614140414
username zhjli password 7 070E321D1B5149544E425C5D5572
username lguo password 7 1505040D0D2922372B3C
username sandy password 7 011F09125E11130030454F07
memory-size iomem 15
! The zone is labelled Beijing but the offset is 0 hours, so log timestamps
! are UTC under a Beijing label -- relevant when correlating with other logs.
clock timezone Beijing 0
ip subnet-zero
!
! Load the NBAR protocol description modules that the "bt" and "ed"
! class-maps later match on ("match protocol bittorrent" / "edonkey").
ip nbar pdlm bittorrent.pdlm
ip nbar pdlm eDonkey.pdlm
!
no ip domain-lookup
! DHCP address-conflict logging is turned off.
no ip dhcp conflict logging
! Exclusions leave .21-.128 of each /24 for dynamic leases (minus the
! individually excluded hosts .111, .88 and .66).
ip dhcp excluded-address 192.168.100.111
ip dhcp excluded-address 172.16.0.1 172.16.0.20
ip dhcp excluded-address 172.16.0.129 172.16.0.254
ip dhcp excluded-address 192.168.100.129 192.168.100.254
ip dhcp excluded-address 192.168.100.1 192.168.100.20
ip dhcp excluded-address 172.16.0.88
ip dhcp excluded-address 172.16.0.66
!
! Dynamic pool for VLAN 2. NOTE(review): the pool is a /24, while
! FastEthernet0/1.2 is addressed 172.16.0.1 255.255.0.0 (/16) -- the masks
! disagree; confirm which one is intended.
ip dhcp pool 172
   network 172.16.0.0 255.255.255.0
   netbios-node-type h-node
   netbios-name-server 172.16.0.211 192.168.100.210
   default-router 172.16.0.1
   dns-server 202.96.199.133 210.22.70.3 202.96.209.5
   lease 8
!
! Dynamic pool for the native VLAN (192.168.100.0/24), same options.
ip dhcp pool 192
   network 192.168.100.0 255.255.255.0
   netbios-node-type h-node
   netbios-name-server 172.16.0.211 192.168.100.210
   default-router 192.168.100.1
   dns-server 202.96.199.133 210.22.70.3 202.96.209.5
   lease 8
!
! Manual binding: fixed address 172.16.0.88 for one client identifier.
ip dhcp pool rock
   host 172.16.0.88 255.255.255.0
   client-identifier 0100.16d3.3c71.1b
   default-router 172.16.0.1
   dns-server 202.96.199.133 210.22.70.3 202.96.209.5
   client-name rock
   netbios-name-server 172.16.0.211 192.168.100.210
!
! Manual binding: fixed address 172.16.0.66 for a second client identifier,
! with the same client-name as the binding above.
ip dhcp pool rock-wlan
   host 172.16.0.66 255.255.255.0
   client-identifier 0100.19d2.c078.a4
   dns-server 202.96.199.133 210.22.70.3 202.96.209.5
   default-router 172.16.0.1
   netbios-name-server 172.16.0.211 192.168.100.210
   client-name rock
!
ip cef
! Global IOS IDS ("ip audit") settings only. No "ip audit name" rule and no
! per-interface "ip audit" statement appear in this listing, so no traffic
! is presumably being inspected by it -- confirm on the device.
ip audit notify log
ip audit po max-events 100
!
call rsvp-sync
!
!
!
!         
!
!
!
! NBAR-based classes for the two P2P protocols loaded via "ip nbar pdlm".
class-map match-any ed
  match protocol edonkey
class-map match-any bt
  match protocol bittorrent
! NOTE(review): these three classes reference named ACLs (yiqier, qijiu,
! yibai) that are not defined anywhere in this listing, and none of the
! three is used by policy-map do-bt.
class-map match-any yiqier
  match access-group name yiqier
class-map match-all qijiu
  match access-group name qijiu
class-map match-any yibai
  match access-group name yibai
!
!
! Rate-limits BitTorrent to 8000 bit/s with 1500-byte normal and maximum
! bursts; traffic over the rate is dropped.
policy-map do-bt
  class bt
     police 8000 1500 1500 conform-action transmit exceed-action drop
! NOTE(review): class "ed" has no action under it, so eDonkey traffic is
! classified but neither policed nor dropped.
  class ed
!
!
!
! WAN side. The P2P policy is attached in both directions.
! NOTE(review): no "ip access-group" is applied on this interface, so
! nothing in this listing filters traffic arriving from the ISP; the hosts
! published by the static NAT entries are reachable on every port.
interface FastEthernet0/0
description Connest to ISP-CNC
ip address 220.248.27.92 255.255.255.248
ip nat outside
service-policy input do-bt
service-policy output do-bt
duplex auto
speed auto
no cdp enable
!
! LAN trunk parent; addressing lives on the dot1Q subinterfaces below.
interface FastEthernet0/1
description Connect to Asiasys-LAN
no ip address
ip accounting output-packets
ip nat inside
no ip route-cache
no ip mroute-cache
duplex auto
speed auto
no cdp enable
!
! Native VLAN 1, 192.168.100.0/24. The QQ blocklist is applied inbound,
! i.e. to traffic entering the router from LAN clients.
interface FastEthernet0/1.1
encapsulation dot1Q 1 native
ip address 192.168.100.1 255.255.255.0
ip access-group qqgame1 in
ip accounting output-packets
ip nat inside
no ip route-cache
no ip mroute-cache
no cdp enable
!
! VLAN 2. NOTE(review): the interface mask is /16, but ACL qqgame1, the DHCP
! pool and NAT access-list 1 all describe this network as 172.16.0.x only.
! A host addressed elsewhere in 172.16.0.0/16 would match none of the deny
! entries and fall through to "permit ip any any".
interface FastEthernet0/1.2
encapsulation dot1Q 2
ip address 172.16.0.1 255.255.0.0
ip access-group qqgame1 in
ip accounting output-packets
ip nat inside
no ip route-cache
no ip mroute-cache
no cdp enable
!
! VLAN 10, 10.0.0.0/24: no ACL and no "ip nat inside" on this subinterface,
! and access-list 1 does not cover 10.0.0.0/24, so it is neither filtered
! by qqgame1 nor translated.
interface FastEthernet0/1.3
encapsulation dot1Q 10
ip address 10.0.0.1 255.255.255.0
no ip route-cache
no ip mroute-cache
no cdp enable
!
! Leftover subinterface: no encapsulation and no address are configured.
interface FastEthernet0/1.32
no ip route-cache
no cdp enable
!
! PAT: sources permitted by access-list 1 are overloaded onto the single
! address 220.248.27.92, which is also the address of FastEthernet0/0.
ip nat pool asiasys-pool 220.248.27.92 220.248.27.92 netmask 255.255.255.248
ip nat inside source list 1 pool asiasys-pool overload
! One-to-one static translations publish three internal hosts on public
! addresses. NOTE(review): these are whole-address mappings (no protocol or
! port restriction) and FastEthernet0/0 carries no inbound ACL, so every
! service on these hosts is exposed; restrict with an inbound ACL or
! port-specific static entries.
ip nat inside source static 192.168.100.210 220.248.27.90
ip nat inside source static 172.16.0.211 220.248.27.91
ip nat inside source static 172.16.0.206 220.248.27.94
ip classless
ip route 0.0.0.0 0.0.0.0 220.248.27.89
! The HTTP management server is disabled.
no ip http server
!
!
! Static destination blocklist applied inbound on FastEthernet0/1.1 and
! FastEthernet0/1.2: 45 host addresses, listed once per source subnet.
! Limits of this approach:
!   - It matches destination IP only, so it stops working as soon as the
!     service adds or moves servers, and clients that reach the service
!     through a proxy at any unlisted address are not matched.
!   - Each entry denies all IP to the host, not just the game ports, so any
!     unrelated service sharing one of these addresses is blocked too.
!   - The source wildcard 0.0.0.255 covers 172.16.0.0/24 only, although
!     FastEthernet0/1.2 is configured with a /16 mask.
!   - No entry uses the "log" keyword, so hits are visible only as ACL
!     counters.
ip access-list extended qqgame1
deny   ip 172.16.0.0 0.0.0.255 host 58.61.166.136
deny   ip 172.16.0.0 0.0.0.255 host 59.74.42.217
deny   ip 172.16.0.0 0.0.0.255 host 60.28.232.12
deny   ip 172.16.0.0 0.0.0.255 host 202.205.3.202
deny   ip 172.16.0.0 0.0.0.255 host 61.172.204.159
deny   ip 172.16.0.0 0.0.0.255 host 219.133.41.227
deny   ip 172.16.0.0 0.0.0.255 host 219.133.41.216
deny   ip 172.16.0.0 0.0.0.255 host 61.172.204.198
deny   ip 172.16.0.0 0.0.0.255 host 202.104.241.19
deny   ip 172.16.0.0 0.0.0.255 host 61.172.204.161
deny   ip 172.16.0.0 0.0.0.255 host 202.104.241.6
deny   ip 172.16.0.0 0.0.0.255 host 218.60.11.4
deny   ip 172.16.0.0 0.0.0.255 host 58.61.164.174
deny   ip 172.16.0.0 0.0.0.255 host 58.61.165.164
deny   ip 172.16.0.0 0.0.0.255 host 58.60.11.34
deny   ip 172.16.0.0 0.0.0.255 host 58.61.165.163
deny   ip 172.16.0.0 0.0.0.255 host 202.104.241.5
deny   ip 172.16.0.0 0.0.0.255 host 218.60.11.41
deny   ip 172.16.0.0 0.0.0.255 host 221.236.11.199
deny   ip 172.16.0.0 0.0.0.255 host 221.236.11.61
deny   ip 172.16.0.0 0.0.0.255 host 222.213.0.144
deny   ip 172.16.0.0 0.0.0.255 host 60.28.232.14
deny   ip 172.16.0.0 0.0.0.255 host 218.60.11.42
deny   ip 172.16.0.0 0.0.0.255 host 60.28.1.136
deny   ip 172.16.0.0 0.0.0.255 host 219.133.41.226
deny   ip 172.16.0.0 0.0.0.255 host 219.133.41.87
deny   ip 172.16.0.0 0.0.0.255 host 61.172.204.246
deny   ip 172.16.0.0 0.0.0.255 host 219.133.41.17
deny   ip 172.16.0.0 0.0.0.255 host 219.133.38.249
deny   ip 172.16.0.0 0.0.0.255 host 61.172.204.160
deny   ip 172.16.0.0 0.0.0.255 host 219.133.41.152
deny   ip 172.16.0.0 0.0.0.255 host 219.133.38.247
deny   ip 172.16.0.0 0.0.0.255 host 219.133.41.16
deny   ip 172.16.0.0 0.0.0.255 host 61.172.204.147
deny   ip 172.16.0.0 0.0.0.255 host 210.22.23.197
deny   ip 172.16.0.0 0.0.0.255 host 61.172.204.108
deny   ip 172.16.0.0 0.0.0.255 host 61.172.204.155
deny   ip 172.16.0.0 0.0.0.255 host 219.133.38.250
deny   ip 172.16.0.0 0.0.0.255 host 219.133.38.248
deny   ip 172.16.0.0 0.0.0.255 host 210.22.23.14
deny   ip 172.16.0.0 0.0.0.255 host 61.172.204.148
deny   ip 172.16.0.0 0.0.0.255 host 219.133.38.246
deny   ip 172.16.0.0 0.0.0.255 host 219.133.41.168
deny   ip 172.16.0.0 0.0.0.255 host 58.60.11.32
deny   ip 172.16.0.0 0.0.0.255 host 61.172.204.188
! Same 45 destinations again, this time for sources in 192.168.100.0/24.
deny   ip 192.168.100.0 0.0.0.255 host 58.61.166.136
deny   ip 192.168.100.0 0.0.0.255 host 59.74.42.217
deny   ip 192.168.100.0 0.0.0.255 host 60.28.232.12
deny   ip 192.168.100.0 0.0.0.255 host 202.205.3.202
deny   ip 192.168.100.0 0.0.0.255 host 61.172.204.159
deny   ip 192.168.100.0 0.0.0.255 host 219.133.41.227
deny   ip 192.168.100.0 0.0.0.255 host 219.133.41.216
deny   ip 192.168.100.0 0.0.0.255 host 61.172.204.198
deny   ip 192.168.100.0 0.0.0.255 host 202.104.241.19
deny   ip 192.168.100.0 0.0.0.255 host 61.172.204.161
deny   ip 192.168.100.0 0.0.0.255 host 202.104.241.6
deny   ip 192.168.100.0 0.0.0.255 host 218.60.11.4
deny   ip 192.168.100.0 0.0.0.255 host 58.61.164.174
deny   ip 192.168.100.0 0.0.0.255 host 58.61.165.164
deny   ip 192.168.100.0 0.0.0.255 host 58.60.11.34
deny   ip 192.168.100.0 0.0.0.255 host 58.61.165.163
deny   ip 192.168.100.0 0.0.0.255 host 202.104.241.5
deny   ip 192.168.100.0 0.0.0.255 host 218.60.11.41
deny   ip 192.168.100.0 0.0.0.255 host 221.236.11.199
deny   ip 192.168.100.0 0.0.0.255 host 221.236.11.61
deny   ip 192.168.100.0 0.0.0.255 host 222.213.0.144
deny   ip 192.168.100.0 0.0.0.255 host 60.28.232.14
deny   ip 192.168.100.0 0.0.0.255 host 218.60.11.42
deny   ip 192.168.100.0 0.0.0.255 host 60.28.1.136
deny   ip 192.168.100.0 0.0.0.255 host 219.133.41.226
deny   ip 192.168.100.0 0.0.0.255 host 219.133.41.87
deny   ip 192.168.100.0 0.0.0.255 host 61.172.204.246
deny   ip 192.168.100.0 0.0.0.255 host 219.133.41.17
deny   ip 192.168.100.0 0.0.0.255 host 219.133.38.249
deny   ip 192.168.100.0 0.0.0.255 host 61.172.204.160
deny   ip 192.168.100.0 0.0.0.255 host 219.133.41.152
deny   ip 192.168.100.0 0.0.0.255 host 219.133.38.247
deny   ip 192.168.100.0 0.0.0.255 host 219.133.41.16
deny   ip 192.168.100.0 0.0.0.255 host 61.172.204.147
deny   ip 192.168.100.0 0.0.0.255 host 210.22.23.197
deny   ip 192.168.100.0 0.0.0.255 host 61.172.204.108
deny   ip 192.168.100.0 0.0.0.255 host 61.172.204.155
deny   ip 192.168.100.0 0.0.0.255 host 219.133.38.250
deny   ip 192.168.100.0 0.0.0.255 host 219.133.38.248
deny   ip 192.168.100.0 0.0.0.255 host 210.22.23.14
deny   ip 192.168.100.0 0.0.0.255 host 61.172.204.148
deny   ip 192.168.100.0 0.0.0.255 host 219.133.38.246
deny   ip 192.168.100.0 0.0.0.255 host 219.133.41.168
deny   ip 192.168.100.0 0.0.0.255 host 58.60.11.32
deny   ip 192.168.100.0 0.0.0.255 host 61.172.204.188
! Required final permit: without it the implicit "deny ip any any" at the
! end of every ACL would drop all other LAN traffic.
permit ip any any
! Empty named ACL; it has no entries and is not referenced in this listing.
ip access-list extended test
! Syslog export to an internal host. The same host is published to the
! Internet by a static NAT entry (172.16.0.211 -> 220.248.27.91).
logging 172.16.0.211
! NAT source list. Wildcard 0.0.0.127 covers .0-.127 only, while the DHCP
! exclusions leave .128 leasable, so a client leased x.x.x.128 would not be
! translated -- NOTE(review): confirm whether that is intended.
access-list 1 permit 192.168.100.0 0.0.0.127
access-list 1 permit 172.16.0.0 0.0.0.127
no cdp advertise-v2
no cdp run
!
! NOTE(review): both community strings are posted in clear text and differ
! only in letter case; neither is bound to an access list, so SNMP is not
! limited by source address here. The RW community permits configuration
! changes over SNMP. Treat both as disclosed: replace them, add an ACL to
! each "snmp-server community" line, and remove RW if it is not needed.
snmp-server community asiasys RO
snmp-server community Asiasys RW
snmp-server enable traps tty
!
dial-peer cor custom
!
!
!
!
!
! Console line password, stored as reversible type 7.
line con 0
password 7 00071A150754
line aux 0
! NOTE(review): the vty lines show no "access-class" and no
! "transport input" statement, so in this listing remote logins are not
! restricted by source address or protocol. With no inbound ACL on
! FastEthernet0/0 the management plane is presumably reachable from the
! ISP side -- confirm, then restrict with "access-class <acl> in" and
! "transport input ssh" where the image supports SSH.
line vty 0 4
password 7 02050D480809
!
! "ntp clock-period" is written by IOS itself and is not an operator setting.
ntp clock-period 17208802
! The router sources NTP from the WAN interface and also declares itself a
! stratum-4 master. No "ntp access-group" or NTP authentication is visible,
! so it presumably answers time queries from any source -- confirm.
ntp source FastEthernet0/0
ntp master 4
ntp server 137.189.6.18
end

CNC-FTTB#  


这个方案无法封堵通过代理登录QQ游戏的情况;如果需要,可以把源地址的内网网段改成any。

winlinux 2008-2-19 16:23

但只要是QQ增加了服务器的地址就不好用了

cnmsce 2008-2-20 16:13

貌似不好用啊!

独孤星夜 2008-3-24 17:24

这个办法不完美,很容易失灵
之前使用isa
也同样这样设置
效果是有的,但是不咋样

puding 2008-4-2 23:33

可以考虑FPM技术。

nlhx 2008-4-3 09:10

不就是QQ吗????

你去看他们的机器,有QQ的就回家不就行了。:lol:

jesszkh 2008-4-11 11:35

不行的,他要是通过代理的模式上呢

jesszkh 2008-4-11 11:37

只能是通过内容检测,CISCO好像是要下载软件吧,我们后来是用的深信服的5100-AC,那的确很厉害的,就是会影响网速!

preety 2008-4-15 10:51

是啊,要是换个服务器就没作用了,这个方法不太好

成功之路 2008-4-16 07:47

还有没有比此更好的方法呢。那个FPM是什么意思呢,指教一下

iseei 2008-4-29 11:41

你也开个QQ和他聊啊  他上线就可以kill了啊

winlinux 2008-4-29 20:32

还是在防火墙上做比较好一点

Fly2008 2008-5-25 23:17

如果真的有这个必要,用packeteer吧.感觉还不错.呵呵...
[url]http://www.packeteer.com/[/url]

zdh0809 2008-5-26 16:35

恐怕只是封IP地址不行吧~看着累!

arileo 2008-5-27 12:02

貌似有点机械繁琐。。。:P

白胡子 2008-5-30 07:06

超级傻的办法,呵呵呵
在高端一点的路由器上,比如cisco 7200往上,可以使用上面某位兄弟说的FPM

JACK1314 2008-6-14 11:14

好像不怎么好用哦。最后在后面注明一下语句的作用。