cisco2621 rate-limit
在日常的工作中,经常有通过一台路由器实现Internet接入的工程,在这些工程中经常涉及到一些限速问题,但是在实现的过程中只有正常的考虑一些注意事项,才能够实现正确的限速功能,主要有以下几点:
1、在实现Internet连接的时候,需要正确的考虑主要数据的传输方向,在正常的Internet接入中,数据流大多是从Internet返回的数据流,而从内部出去的数据流则非常有限,所以建议限速方向为从外部返回的数据流,正确的确定数据流方向才能正确的写出对应的ACL;
2、作用端口的方向,也即Input方向或者Output方向;
3、实现方法,在2600系列路由器上可以有两种实现方法:rate-limit或者service-policy;
4、测试是否能够实现所需功能。
实例如下:
Internet——ADSL——fa0/1(2621)——fa0/0(2621)——Switch
具体做法,主要测试针对局域网内的一台机器(192.168.0.156):
1、建立ACL,2、注意ACL的方向,3、两种方向:
1)access-list 100 permit ip host 192.168.0.156 any
2)access-list 100 permit ip any host 192.168.0.156
针对第一种写法,无论作用在2621的哪一个端口,也无论是Input方向还是Output方向,均无法实现所需功能,所以只能采用第二中方法;
4、作用于端口,5、注意在ACL的第二中写法中,6、源地址为外网地址Any,而7、目标8、地址为内网地址192.168.0.156,9、针对这种情况,10、有两种作用方法:
1)fa0/1的Input方向;
2)fa0/0的Output方向。
理论上两种都可以,但是实际上只有第二种方法可以实现;
11、实现方法:rate-limit和service-policy都可以。
Internet——ADSL——fa0/1(2621)——fa0/0(2621)——Switch
具体做法,主要测试针对局域网内的一台机器(192.168.0.156):
1、建立ACL,2、注意ACL的方向,3、两种方向:
1)access-list 100 permit ip host 192.168.0.156 any
2)access-list 100 permit ip any host 192.168.0.156
针对第一种写法,无论作用在2621的哪一个端口,也无论是Input方向还是Output方向,均无法实现所需功能,所以只能采用第二中方法;
4、作用于端口,5、注意在ACL的第二中写法中,6、源地址为外网地址Any,而7、目标8、地址为内网地址192.168.0.156,9、针对这种情况,10、有两种作用方法:
1)fa0/1的Input方向;
2)fa0/0的Output方向。
理论上两种都可以,但是实际上只有第二种方法可以实现;
11、实现方法:rate-limit和service-policy都可以。
总结以上,具体配置如下(只列出关键配置):
1、 Router#sh run
Building configuration...
1、 Router#sh run
Building configuration...
Current configuration : 2120 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Router
!
enable secret 5 $1$6dr8$ZGFkAc5mm/l7sXBFZIAGD/
!
ip subnet-zero
!
vpdn enable
!
vpdn-group pppoe
request-dialin
protocol pppoe
!
!
class-map match-all cisco
match access-group 100
!
!
policy-map cisco
class cisco
police cir 100000 bc 20000
conform-action transmit
exceed-action drop
class class-default!
!
voice call carrier capacity active
!!
mta receive maximum-recipients 0
!
interface FastEthernet0/0
ip address 192.168.0.101 255.255.255.0
ip access-group 110 in
service-police output cisco
ip nat inside
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
pppoe enable
pppoe-client dial-pool-number 1
!
interface Dialer1
ip address negotiated
ip mtu 1492
ip nat outside
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication pap callin
ppp chap hostname *center
ppp chap password 0 apache
ppp pap sent-username *center password 0 apache
!
ip nat inside source list 1 interface Dialer1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
!
!
access-list 1 permit any
access-list 100 permit ip any host 192.168.0.156
access-list 110 permit ip host 192.168.0.37 any
access-list 110 permit ip host 192.168.0.56 any
access-list 110 permit ip host 192.168.0.96 any
access-list 110 permit ip host 192.168.0.88 any
access-list 110 permit ip host 192.168.0.156 any
access-list 110 permit ip host 192.168.0.168 any
access-list 110 permit ip host 192.168.0.188 any
access-list 110 permit ip host 192.168.0.166 any
access-list 110 permit ip host 192.168.0.74 any
access-list 110 permit tcp 192.168.0.0 0.0.0.255 any eq www
access-list 110 permit tcp 192.168.0.0 0.0.0.255 any eq smtp
access-list 110 permit tcp 192.168.0.0 0.0.0.255 any eq pop3
access-list 110 permit udp 192.168.0.0 0.0.0.255 any eq domain
dialer-list 1 protocol ip permit
!
call rsvp-sync
!
!
mgcp profile default
!
dial-peer cor custom
!
line con 0
line aux 0
line vty 0 4
password windows
login
!
end
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Router
!
enable secret 5 $1$6dr8$ZGFkAc5mm/l7sXBFZIAGD/
!
ip subnet-zero
!
vpdn enable
!
vpdn-group pppoe
request-dialin
protocol pppoe
!
!
class-map match-all cisco
match access-group 100
!
!
policy-map cisco
class cisco
police cir 100000 bc 20000
conform-action transmit
exceed-action drop
class class-default!
!
voice call carrier capacity active
!!
mta receive maximum-recipients 0
!
interface FastEthernet0/0
ip address 192.168.0.101 255.255.255.0
ip access-group 110 in
service-police output cisco
ip nat inside
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
pppoe enable
pppoe-client dial-pool-number 1
!
interface Dialer1
ip address negotiated
ip mtu 1492
ip nat outside
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication pap callin
ppp chap hostname *center
ppp chap password 0 apache
ppp pap sent-username *center password 0 apache
!
ip nat inside source list 1 interface Dialer1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
!
!
access-list 1 permit any
access-list 100 permit ip any host 192.168.0.156
access-list 110 permit ip host 192.168.0.37 any
access-list 110 permit ip host 192.168.0.56 any
access-list 110 permit ip host 192.168.0.96 any
access-list 110 permit ip host 192.168.0.88 any
access-list 110 permit ip host 192.168.0.156 any
access-list 110 permit ip host 192.168.0.168 any
access-list 110 permit ip host 192.168.0.188 any
access-list 110 permit ip host 192.168.0.166 any
access-list 110 permit ip host 192.168.0.74 any
access-list 110 permit tcp 192.168.0.0 0.0.0.255 any eq www
access-list 110 permit tcp 192.168.0.0 0.0.0.255 any eq smtp
access-list 110 permit tcp 192.168.0.0 0.0.0.255 any eq pop3
access-list 110 permit udp 192.168.0.0 0.0.0.255 any eq domain
dialer-list 1 protocol ip permit
!
call rsvp-sync
!
!
mgcp profile default
!
dial-peer cor custom
!
line con 0
line aux 0
line vty 0 4
password windows
login
!
end
2、Router#sh run
Building configuration...
Current configuration : 2120 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Router
!
enable secret 5 $1$6dr8$ZGFkAc5mm/l7sXBFZIAGD/
!
ip subnet-zero
!
!
!
vpdn enable
!
vpdn-group pppoe
request-dialin
protocol pppoe
!
voice call carrier capacity active
!
mta receive maximum-recipients 0
!
interface FastEthernet0/0
ip address 192.168.0.101 255.255.255.0
ip access-group 110 in
rate-limit output access-group 100 100000 20000 100000 conform-action transmit exceed-action drop
ip nat inside
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
pppoe enable
pppoe-client dial-pool-number 1
!
interface Dialer1
ip address negotiated
ip mtu 1492
ip nat outside
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication pap callin
ppp chap hostname *center
ppp chap password 0 apache
ppp pap sent-username *center password 0 apache
!
ip nat inside source list 1 interface Dialer1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
!
!
access-list 1 permit any
access-list 100 permit ip any host 192.168.0.156
access-list 110 permit ip host 192.168.0.37 any
access-list 110 permit ip host 192.168.0.56 any
access-list 110 permit ip host 192.168.0.96 any
access-list 110 permit ip host 192.168.0.88 any
access-list 110 permit ip host 192.168.0.156 any
access-list 110 permit ip host 192.168.0.168 any
access-list 110 permit ip host 192.168.0.188 any
access-list 110 permit ip host 192.168.0.166 any
access-list 110 permit ip host 192.168.0.74 any
access-list 110 permit tcp 192.168.0.0 0.0.0.255 any eq www
access-list 110 permit tcp 192.168.0.0 0.0.0.255 any eq smtp
access-list 110 permit tcp 192.168.0.0 0.0.0.255 any eq pop3
access-list 110 permit udp 192.168.0.0 0.0.0.255 any eq domain
dialer-list 1 protocol ip permit
!
call rsvp-sync
!
!
mgcp profile default
!
dial-peer cor custom
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
password windows
login
!
!
end
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Router
!
enable secret 5 $1$6dr8$ZGFkAc5mm/l7sXBFZIAGD/
!
ip subnet-zero
!
!
!
vpdn enable
!
vpdn-group pppoe
request-dialin
protocol pppoe
!
voice call carrier capacity active
!
mta receive maximum-recipients 0
!
interface FastEthernet0/0
ip address 192.168.0.101 255.255.255.0
ip access-group 110 in
rate-limit output access-group 100 100000 20000 100000 conform-action transmit exceed-action drop
ip nat inside
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
pppoe enable
pppoe-client dial-pool-number 1
!
interface Dialer1
ip address negotiated
ip mtu 1492
ip nat outside
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication pap callin
ppp chap hostname *center
ppp chap password 0 apache
ppp pap sent-username *center password 0 apache
!
ip nat inside source list 1 interface Dialer1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
!
!
access-list 1 permit any
access-list 100 permit ip any host 192.168.0.156
access-list 110 permit ip host 192.168.0.37 any
access-list 110 permit ip host 192.168.0.56 any
access-list 110 permit ip host 192.168.0.96 any
access-list 110 permit ip host 192.168.0.88 any
access-list 110 permit ip host 192.168.0.156 any
access-list 110 permit ip host 192.168.0.168 any
access-list 110 permit ip host 192.168.0.188 any
access-list 110 permit ip host 192.168.0.166 any
access-list 110 permit ip host 192.168.0.74 any
access-list 110 permit tcp 192.168.0.0 0.0.0.255 any eq www
access-list 110 permit tcp 192.168.0.0 0.0.0.255 any eq smtp
access-list 110 permit tcp 192.168.0.0 0.0.0.255 any eq pop3
access-list 110 permit udp 192.168.0.0 0.0.0.255 any eq domain
dialer-list 1 protocol ip permit
!
call rsvp-sync
!
!
mgcp profile default
!
dial-peer cor custom
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
password windows
login
!
!
end