Limiting bandwidth on a Cisco router with a policy-map does not work

I am having some problems using a class-map and policy-map to limit the bandwidth of an Ubuntu PC in GNS3. This is my topology in GNS3:

 -----------cisco-3725-router-----------> Internet
                 |
                 |
               Switch
              /      \
             /        \
      UBUNTU-PC      XP-PC

R1 is a Cisco 3725 router running the c3725-adventerprisek9-mz.124-25d.bin image, and this is my configuration:

 !
 version 12.4
 service timestamps debug datetime msec
 service timestamps log datetime msec
 no service password-encryption
 !
 hostname R1
 !
 boot-start-marker
 boot-end-marker
 !
 no aaa new-model
 !
 resource policy
 !
 memory-size iomem 5
 no ip icmp rate-limit unreachable
 ip cef
 ip tcp synwait-time 5
 !
 no ip domain lookup
 !
 class-map match-all UBUNTU_DW
  match access-group name UBUNTU_DW
 class-map match-all UBUNTU_UP
  match access-group name UBUNTU_UP
 !
 policy-map UP
  class UBUNTU_UP
   police cir 32000 bc 4000 be 4000
    conform-action transmit
    exceed-action drop
    violate-action drop
 policy-map DW
  class UBUNTU_DW
   police cir 32000 bc 4000 be 4000
    conform-action transmit
    exceed-action drop
    violate-action drop
 !
 interface FastEthernet0/0
  ip address 10.0.0.254 255.255.255.0
  ip nat inside
  ip virtual-reassembly
  duplex auto
  speed auto
 !
 interface Serial0/0
  no ip address
  shutdown
  clock rate 2000000
 !
 interface FastEthernet0/1
  ip address 216.65.200.143 255.255.255.0
  ip nat outside
  ip virtual-reassembly
  duplex auto
  speed auto
  service-policy input DW
  service-policy output UP
 !
 interface FastEthernet1/0
  no ip address
  shutdown
  duplex auto
  speed auto
 !
 interface Serial2/0
  no ip address
  shutdown
  serial restart-delay 0
  no dce-terminal-timing-enable
 !
 interface Serial2/1
  no ip address
  shutdown
  serial restart-delay 0
  no dce-terminal-timing-enable
 !
 interface Serial2/2
  no ip address
  shutdown
  serial restart-delay 0
  no dce-terminal-timing-enable
 !
 interface Serial2/3
  no ip address
  shutdown
  serial restart-delay 0
  no dce-terminal-timing-enable
 !
 ip route 0.0.0.0 0.0.0.0 216.65.200.3
 !
 ip flow-top-talkers
  top 10
  sort-by bytes
 !
 no ip http server
 no ip http secure-server
 ip nat inside source list 1 interface FastEthernet0/1 overload
 !
 ip access-list extended UBUNTU_DW
  permit ip any host 10.0.0.51
 ip access-list extended UBUNTU_UP
  permit ip host 10.0.0.51 any
 !
 access-list 1 permit 10.0.0.0 0.0.0.255
 no cdp log mismatch duplex
 !
 control-plane
 !
 line con 0
  exec-timeout 0 0
  privilege level 15
  logging synchronous
 line aux 0
  exec-timeout 0 0
  privilege level 15
  logging synchronous
 line vty 0 4
  login
 !
 end

The problem is that the 32 kbps limit for Ubuntu does not take effect.

 R1#sh policy-map interface fastEthernet 0/1
 FastEthernet0/1

  Service-policy input: DW

    Class-map: UBUNTU_DW (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: access-group name UBUNTU_DW
      police:
          cir 32000 bps, bc 4000 bytes, be 4000 bytes
        conformed 0 packets, 0 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          drop
        violated 0 packets, 0 bytes; actions:
          drop
        conformed 0 bps, exceed 0 bps, violate 0 bps

    Class-map: class-default (match-any)
      905 packets, 812409 bytes
      5 minute offered rate 27000 bps, drop rate 0 bps
      Match: any

  Service-policy output: UP

    Class-map: UBUNTU_UP (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: access-group name UBUNTU_UP
      police:
          cir 32000 bps, bc 4000 bytes, be 4000 bytes
        conformed 0 packets, 0 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          drop
        violated 0 packets, 0 bytes; actions:
          drop
        conformed 0 bps, exceed 0 bps, violate 0 bps

    Class-map: class-default (match-any)
      979 packets, 154180 bytes
      5 minute offered rate 7000 bps, drop rate 0 bps
      Match: any

Is there something wrong with the configuration? How can I get this policy to apply?
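The counters above already contain the diagnosis: in both directions the user-defined class has matched nothing, while class-default has absorbed every packet. The following is an added example, not part of the question or either answer, that parses `show policy-map interface` output and flags exactly that pattern, so the check can be scripted against a fleet of routers. The sample text is constructed from the counters posted in the question; the regular expressions assume the IOS 12.4 output layout shown there.

```python
import re

# Constructed sample: the counters from the question's
# "show policy-map interface fastEthernet 0/1", reflowed into IOS layout.
SAMPLE_OUTPUT = """\
FastEthernet0/1

  Service-policy input: DW

    Class-map: UBUNTU_DW (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: access-group name UBUNTU_DW
      police:
          cir 32000 bps, bc 4000 bytes, be 4000 bytes
        conformed 0 packets, 0 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          drop
        violated 0 packets, 0 bytes; actions:
          drop
        conformed 0 bps, exceed 0 bps, violate 0 bps

    Class-map: class-default (match-any)
      905 packets, 812409 bytes
      5 minute offered rate 27000 bps, drop rate 0 bps
      Match: any

  Service-policy output: UP

    Class-map: UBUNTU_UP (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: access-group name UBUNTU_UP
      police:
          cir 32000 bps, bc 4000 bytes, be 4000 bytes
        conformed 0 packets, 0 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          drop
        violated 0 packets, 0 bytes; actions:
          drop
        conformed 0 bps, exceed 0 bps, violate 0 bps

    Class-map: class-default (match-any)
      979 packets, 154180 bytes
      5 minute offered rate 7000 bps, drop rate 0 bps
      Match: any
"""

POLICY_RE = re.compile(r"^\s*Service-policy (input|output): (\S+)")
CLASS_RE = re.compile(r"^\s*Class-map: (\S+) \(match-(?:all|any)\)")
# Only the class counter line starts with a bare number; the police
# sub-counters start with "conformed"/"exceeded"/"violated" and are skipped.
COUNT_RE = re.compile(r"^\s*(\d+) packets, (\d+) bytes")


def parse_policy_counters(text):
    """Return {(direction, policy): {class_name: packets}}."""
    counters = {}
    current_policy = None
    current_class = None
    for line in text.splitlines():
        m = POLICY_RE.match(line)
        if m:
            current_policy = (m.group(1), m.group(2))
            counters[current_policy] = {}
            current_class = None
            continue
        m = CLASS_RE.match(line)
        if m and current_policy is not None:
            current_class = m.group(1)
            continue
        m = COUNT_RE.match(line)
        if m and current_policy is not None and current_class is not None:
            # Keep the first counter after each Class-map header only.
            counters[current_policy].setdefault(current_class, int(m.group(1)))
    return counters


def classes_never_matched(counters):
    """Flag user classes with zero hits while class-default in the same
    policy carried traffic: the classifier is evaluating different headers
    than the ACL author expected (here, post-NAT addresses), so the policer
    silently fails open."""
    findings = []
    for (direction, policy), classes in counters.items():
        default_hits = classes.get("class-default", 0)
        for name, packets in classes.items():
            if name != "class-default" and packets == 0 and default_hits > 0:
                findings.append((direction, policy, name, default_hits))
    return findings


if __name__ == "__main__":
    for direction, policy, cls, default_hits in classes_never_matched(
            parse_policy_counters(SAMPLE_OUTPUT)):
        print(f"{direction} policy {policy}: class {cls} matched 0 packets, "
              f"class-default took {default_hits}; check classification vs. NAT")
```

Run it against the output of each interface carrying a service-policy; any finding means the policer is a no-op for the traffic it was written to limit.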

Sadly, NAT happens before policing, I believe. So all traffic shows up as the NAT address rather than the inside address you specified in the ACL / class-map.

One idea is to mark the traffic matching the Ubuntu server with a DSCP value on Fa0/0, then police based on that DSCP value. That would solve your outbound problem.

For downstream, I am not quite sure why this policy is being missed. Even though the order of operations seems to indicate it should be a non-factor, I still suspect a NAT issue. http://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/6209-5.html

If downstream is also a NAT issue, you could use an outbound policer on Fa0/0 and get the same effect of blocking the flow.

As Jason said, NAT seems to be in play. My suggestion is to try the service-policy on f0/0 instead, with the directions reversed.

That should take effect before/after NAT happens, which should rule out NAT as the problem.

 interface FastEthernet0/0
  .
  .
  service-policy output DW
  service-policy input UP

Hope this helps!
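Both answers come down to where in the forwarding path the classifier runs relative to NAT. In the Cisco NAT order of operations linked above, input features (including rate limiting and an input service-policy) are evaluated before the NAT rewrite in both directions, and output features after it. The model below is an added example, not code from the question or either answer: it replays the questioner's four candidate policer placements against that ordering using the addresses from the posted config. The Internet host address 198.51.100.10 is constructed, and the outside-to-inside rewrite assumes the return session belongs to the Ubuntu PC rather than doing a real port-based session lookup.

```python
from dataclasses import dataclass, replace
import ipaddress

# Addresses and interfaces taken from the router config in the question.
INSIDE_HOST = ipaddress.ip_address("10.0.0.51")       # the Ubuntu PC
NAT_GLOBAL = ipaddress.ip_address("216.65.200.143")   # Fa0/1, used by "overload"
INSIDE_NET = ipaddress.ip_network("10.0.0.0/24")      # access-list 1
INSIDE_IF, OUTSIDE_IF = "FastEthernet0/0", "FastEthernet0/1"
REMOTE = ipaddress.ip_address("198.51.100.10")        # constructed Internet host


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    ingress: str  # interface the packet arrived on


# The two extended ACLs from the question, as predicates over a Packet.
ACLS = {
    "UBUNTU_UP": lambda p: p.src == INSIDE_HOST,  # permit ip host 10.0.0.51 any
    "UBUNTU_DW": lambda p: p.dst == INSIDE_HOST,  # permit ip any host 10.0.0.51
}


def translate(p):
    """NAT rewrite the packet undergoes between ingress and egress.
    Inside->outside: private source becomes the overload address.
    Outside->inside: reverse it for return traffic (assumption: the
    session belongs to the Ubuntu PC; no port lookup is modelled)."""
    if p.ingress == INSIDE_IF and p.src in INSIDE_NET:
        return replace(p, src=NAT_GLOBAL)
    if p.ingress == OUTSIDE_IF and p.dst == NAT_GLOBAL:
        return replace(p, dst=INSIDE_HOST)
    return p


def headers_at_policer(p, interface, direction):
    """Headers a service-policy at (interface, direction) classifies:
    input features see pre-NAT headers, output features see post-NAT
    headers. None if the packet never crosses that policer."""
    egress = OUTSIDE_IF if p.ingress == INSIDE_IF else INSIDE_IF
    if direction == "input" and interface == p.ingress:
        return p
    if direction == "output" and interface == egress:
        return translate(p)
    return None


def policer_matches(p, interface, direction, acl):
    seen = headers_at_policer(p, interface, direction)
    return seen is not None and ACLS[acl](seen)


UPLOAD = Packet(INSIDE_HOST, REMOTE, INSIDE_IF)     # Ubuntu -> Internet
DOWNLOAD = Packet(REMOTE, NAT_GLOBAL, OUTSIDE_IF)   # Internet -> Ubuntu, as on the wire

# (interface, direction, class ACL, packet that the class is meant to police)
PLACEMENTS = {
    "question: Fa0/1 output UP": (OUTSIDE_IF, "output", "UBUNTU_UP", UPLOAD),
    "question: Fa0/1 input DW": (OUTSIDE_IF, "input", "UBUNTU_DW", DOWNLOAD),
    "answer: Fa0/0 input UP": (INSIDE_IF, "input", "UBUNTU_UP", UPLOAD),
    "answer: Fa0/0 output DW": (INSIDE_IF, "output", "UBUNTU_DW", DOWNLOAD),
}


def evaluate_placements():
    """Return {placement name: True if the class would match and police}."""
    return {name: policer_matches(pkt, intf, d, acl)
            for name, (intf, d, acl, pkt) in PLACEMENTS.items()}


if __name__ == "__main__":
    for name, hit in evaluate_placements().items():
        state = "policed" if hit else "NOT matched, falls to class-default"
        print(f"{name:28s} -> {state}")
```

On the outside interface both classes see the global address 216.65.200.143 in the field the ACL keys on, so neither matches and nothing is limited; on the inside interface the same ACLs see 10.0.0.51 and both classes police as intended. The general lesson applies to any ACL-driven control placed on a NAT interface: confirm which side of the rewrite the classifier sits on, and check the class counters rather than trusting the configuration.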