Cisco

Limiting bandwidth on a Cisco router with a policy-map does not work

  • April 3, 2015

I am having trouble limiting the bandwidth of an Ubuntu PC in GNS3 using a class-map and a policy-map. This is my topology in GNS3:

            -----------cisco-3725-router----------->Internet
           |
           |
           |
           |      
           |
        Switch
           |
         |   |
      |         |
   |               |
UBUNTU-PC         XP-PC

R1 is a Cisco 3725 router running the c3725-adventerprisek9-mz.124-25d.bin image, and this is my configuration:

!

!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
ip tcp synwait-time 5
!
!
no ip domain lookup
!
!
class-map match-all UBUNTU_DW
match access-group name UBUNTU_DW
class-map match-all UBUNTU_UP
match access-group name UBUNTU_UP
!
!
policy-map UP
class UBUNTU_UP
 police cir 32000 bc 4000 be 4000
   conform-action transmit 
   exceed-action drop 
   violate-action drop 
policy-map DW
class UBUNTU_DW
 police cir 32000 bc 4000 be 4000
   conform-action transmit 
   exceed-action drop 
   violate-action drop 
!
!
interface FastEthernet0/0
ip address 10.0.0.254 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface Serial0/0
no ip address
shutdown
clock rate 2000000
!
interface FastEthernet0/1
ip address 216.65.200.143 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
service-policy input DW
service-policy output UP
!
interface FastEthernet1/0
no ip address
shutdown
duplex auto
speed auto
!
interface Serial2/0
no ip address
shutdown
serial restart-delay 0
no dce-terminal-timing-enable
!
interface Serial2/1
no ip address
shutdown
serial restart-delay 0
no dce-terminal-timing-enable
!
interface Serial2/2
no ip address
shutdown
serial restart-delay 0
no dce-terminal-timing-enable
!
interface Serial2/3
no ip address
shutdown
serial restart-delay 0
no dce-terminal-timing-enable
!
ip route 0.0.0.0 0.0.0.0 216.65.200.3
!
ip flow-top-talkers
top 10
sort-by bytes
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface FastEthernet0/1 overload
!
ip access-list extended UBUNTU_DW
permit ip any host 10.0.0.51
ip access-list extended UBUNTU_UP
permit ip host 10.0.0.51 any
!
access-list 1 permit 10.0.0.0 0.0.0.255
no cdp log mismatch duplex
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
!
!
end

The problem is that the 32 kbps limit for the Ubuntu PC does not take effect.

R1#sh policy-map interface fastEthernet 0/1
FastEthernet0/1

 Service-policy input: DW

   Class-map: UBUNTU_DW (match-all)
     0 packets, 0 bytes
     5 minute offered rate 0 bps, drop rate 0 bps
     Match: access-group name UBUNTU_DW
     police:
         cir 32000 bps, bc 4000 bytes, be 4000 bytes
       conformed 0 packets, 0 bytes; actions:
         transmit
       exceeded 0 packets, 0 bytes; actions:
         drop
       violated 0 packets, 0 bytes; actions:
         drop
       conformed 0 bps, exceed 0 bps, violate 0 bps

   Class-map: class-default (match-any)
     905 packets, 812409 bytes
     5 minute offered rate 27000 bps, drop rate 0 bps
     Match: any

 Service-policy output: UP

   Class-map: UBUNTU_UP (match-all)
     0 packets, 0 bytes
     5 minute offered rate 0 bps, drop rate 0 bps
     Match: access-group name UBUNTU_UP
     police:
         cir 32000 bps, bc 4000 bytes, be 4000 bytes
       conformed 0 packets, 0 bytes; actions:
         transmit
       exceeded 0 packets, 0 bytes; actions:
         drop
       violated 0 packets, 0 bytes; actions:
         drop
       conformed 0 bps, exceed 0 bps, violate 0 bps

   Class-map: class-default (match-any)
     979 packets, 154180 bytes
     5 minute offered rate 7000 bps, drop rate 0 bps
     Match: any

Is there a mistake in the configuration? How do I get this policy applied?

Sadly, NAT happens before policing, I believe. That makes all the traffic show up with the NATed address rather than the inside address you specified in the ACL/class-map.

One idea is to mark the traffic matching the Ubuntu server with a DSCP value on Fa0/0, and then police based on that DSCP value. That would solve your outbound problem.

For downstream, I am not so sure why the policy is not matching. Again I suspect a NAT issue, even though the order of operations seems to indicate it should not be a factor. http://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/6209-5.html

If it turns out that downstream is also a NAT issue, you could use an outbound policer on fa0/0, which would have the same effect of throttling the flow.
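The mark-then-police approach from the answer written out as an IOS configuration, as an added example that is not part of the original question or answer: classification happens on Fa0/0 input, where the pre-NAT address 10.0.0.51 is still visible, the outbound policer on Fa0/1 matches the mark instead of the (translated) source address, and the downstream policer moves to Fa0/0 output. The DSCP value cs1 and the reworked UP and DW policy-maps are assumptions; the ACL names, addresses and rate values come from the post.

```cisco
! Added example (not from the original post): mark at the inside interface,
! where the pre-NAT address is still visible, and police on the marking.
! DSCP cs1 is an assumption; 10.0.0.51 and the 32 kbps values are from the post.
ip access-list extended UBUNTU_UP
 permit ip host 10.0.0.51 any
ip access-list extended UBUNTU_DW
 permit ip any host 10.0.0.51
!
class-map match-all UBUNTU_UP
 match access-group name UBUNTU_UP
class-map match-all UBUNTU_DW
 match access-group name UBUNTU_DW
! Matches the mark applied at Fa0/0 input, not the translated address
class-map match-all UBUNTU_MARKED
 match dscp cs1
!
! Step 1: classify by inside source address on Fa0/0 input (before NAT) and mark.
! class-default resets DSCP so no other inside host can set cs1 on its own.
policy-map MARK_UBUNTU
 class UBUNTU_UP
  set dscp cs1
 class class-default
  set dscp default
!
! Step 2: police outbound on Fa0/1 by the mark (the source is NATed by now).
policy-map UP
 class UBUNTU_MARKED
  police cir 32000 bc 4000 be 4000
   conform-action transmit
   exceed-action drop
   violate-action drop
!
! Step 3: downstream: police on Fa0/0 output, where the destination has
! already been translated back to 10.0.0.51, instead of on Fa0/1 input.
policy-map DW
 class UBUNTU_DW
  police cir 32000 bc 4000 be 4000
   conform-action transmit
   exceed-action drop
   violate-action drop
!
interface FastEthernet0/0
 service-policy input MARK_UBUNTU
 service-policy output DW
!
interface FastEthernet0/1
 no service-policy input DW
 service-policy output UP
```

After applying it, `show policy-map interface FastEthernet0/1` should show non-zero counters under UBUNTU_MARKED while the Ubuntu PC sends traffic; resetting DSCP in class-default also strips any marking other inside hosts set themselves, so drop that line if those markings must be preserved.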

Source: https://serverfault.com/questions/660386