前几天公司新申请一条线路给用户使用,由于设备紧缺(在我门的核心路由器7505上面正好剩余2个接口),上端线路提供了128个地址,在
几个工程师商量后,决定用单臂路由、QOS和VLSM给用户提供接入,接入部分配置如下:
interface FastEthernet1/0/1 //与ISP接口
ip address 192.168.249.22 255.255.255.252 //IPS提供的互联地址
ip route-cache policy
no ip mroute-cache
duplex auto
speed auto
no cdp enable
interface FastEthernet1/0/0 //与2950接口
description connect to cache
no ip address
speed auto
full-duplex
!
interface FastEthernet1/0/0.2 //分配给用户的端口
description 4M_acl_20 b-1603_fibr_16ip
encapsulation dot1Q 2
ip address 172.16.10.1 255.255.255.252
rate-limit input access-group 20 4000000 8000 8000 conform-action transmit exce
ed-action drop
rate-limit output access-group 20 4000000 8000 8000 conform-action transmit exc
eed-action drop
ip policy route-map fibr //策略路由
!
interface FastEthernet1/0/0.3 //分配给用户的端口
description 10M acl_21 c-11f_fibr_32IP
encapsulation dot1Q 3
ip address 172.16.10.5 255.255.255.252
rate-limit input 10000000 128000 128000 conform-action transmit exceed-action d
rop
rate-limit output 10000000 1288000 1288000 conform-action transmit exceed-actio
n drop
ip policy route-map fibr //策略路由
interface FastEthernet1/0/1 //与ISP接口
ip address 192.168.249.22 255.255.255.252 //IPS提供的互联地址
ip route-cache policy
no ip mroute-cache
duplex auto
speed auto
no cdp enable
interface FastEthernet1/0/0 //与2950接口
description connect to cache
no ip address
speed auto
full-duplex
!
interface FastEthernet1/0/0.2 //分配给用户的端口
description 4M_acl_20 b-1603_fibr_16ip
encapsulation dot1Q 2
ip address 172.16.10.1 255.255.255.252
rate-limit input access-group 20 4000000 8000 8000 conform-action transmit exce
ed-action drop
rate-limit output access-group 20 4000000 8000 8000 conform-action transmit exc
eed-action drop
ip policy route-map fibr //策略路由
!
interface FastEthernet1/0/0.3 //分配给用户的端口
description 10M acl_21 c-11f_fibr_32IP
encapsulation dot1Q 3
ip address 172.16.10.5 255.255.255.252
rate-limit input 10000000 128000 128000 conform-action transmit exceed-action d
rop
rate-limit output 10000000 1288000 1288000 conform-action transmit exceed-actio
n drop
ip policy route-map fibr //策略路由
access-list 15 permit z.z.z.z 0.0.0.127 //运营商的128个地址
access-list 15 deny any
access-list 20 permit x.x.x.x 0.0.0.15 //用户IP地址,做QOS限制
access-list 20 deny any
access-list 21 permit y.y.y.y 0.0.0.31 //用户IP地址,做QOS限制
access-list 21 deny any
access-list 15 deny any
access-list 20 permit x.x.x.x 0.0.0.15 //用户IP地址,做QOS限制
access-list 20 deny any
access-list 21 permit y.y.y.y 0.0.0.31 //用户IP地址,做QOS限制
access-list 21 deny any
route-map fibr permit 10 //策略路由
match ip address 15
set ip next-hop 192.168.249.21 //运营商端地址
match ip address 15
set ip next-hop 192.168.249.21 //运营商端地址
ip route x.x.x.x 255.255.255.240 172.16.10.2 //给用户端的返回路由
ip route y.y.y.y 255.255.255.224 172.16.10.6 //给用户端的返回路由
ip route y.y.y.y 255.255.255.224 172.16.10.6 //给用户端的返回路由
下面是show子接口信息:
netcen-cisco7505#sho int f1/0/0.2 rate-limit
FastEthernet1/0/0.2 4M_acl_20 b-1603_fibr_16ip
Input
matches: access-group 20
params: 4000000 bps, 8000 limit, 8000 extended limit
conformed 9370685 packets, 4905M bytes; action: transmit
exceeded 645168 packets, 817147468 bytes; action: drop
last packet: 4468ms ago, current burst: 0 bytes
last cleared 2d06h ago, conformed 201000 bps, exceeded 33000 bps
Output
matches: access-group 20
params: 4000000 bps, 8000 limit, 8000 extended limit
conformed 0 packets, 0 bytes; action: transmit
exceeded 0 packets, 0 bytes; action: drop
last packet: 1059586108ms ago, current burst: 0 bytes
last cleared 2d06h ago, conformed 0 bps, exceeded 0 bps
netcen-cisco7505#sho int f1/0/0.3 rate-limit
FastEthernet1/0/0.3 10M acl_21 c-11f_fibr_32IP
Input
matches: all traffic
params: 10000000 bps, 128000 limit, 128000 extended limit
conformed 2917848 packets, 579572960 bytes; action: transmit
exceeded 0 packets, 0 bytes; action: drop
last packet: 8ms ago, current burst: 208 bytes
last cleared 00:23:52 ago, conformed 3236000 bps, exceeded 0 bps
Output
matches: all traffic
params: 10000000 bps, 1288000 limit, 1288000 extended limit
conformed 0 packets, 0 bytes; action: transmit
exceeded 0 packets, 0 bytes; action: drop
last packet: 0ms ago, current burst: 0 bytes
last cleared 00:25:53 ago, conformed 0 bps, exceeded 0 bps
发现2个端口的OUTPUT都没有生效QOS设置,咨询过上级运营商(上级运营商用同样的方法为我门提供接入),得知上级运营商的QOS在子接口直接做,没有启用ACL做限制,这时候我明白了OUTPUT为什么没有流量,因为从接口出去的数据是ANY并不是我做的。X.X.X.X或Y.Y.Y.Y
于是根据运营商提供的方法对端口做了如下改动(只对F1/0/0.3做了改动)
interface FastEthernet1/0/0.3
description 10M acl_21 c-11f_fibr_32IP
encapsulation dot1Q 3
ip address 172.16.10.5 255.255.255.252
rate-limit input 10000000 128000 128000 conform-action transmit exceed-action drop //取消了ACL 21
rate-limit output 10000000 1288000 1288000 conform-action transmit exceed-action drop //取消了ACL 21
ip policy route-map fibr
察看端口SHOW信息如下:
netcen-cisco7505#sho int f1/0/0.3 rate-limit
FastEthernet1/0/0.3 10M acl_21 c-11f_fibr_32IP
Input
matches: all traffic
params: 10000000 bps, 128000 limit, 128000 extended limit
conformed 13685 packets, 2443801 bytes; action: transmit
exceeded 0 packets, 0 bytes; action: drop
last packet: 8ms ago, current burst: 784 bytes
last cleared 00:00:07 ago, conformed 2725000 bps, exceeded 0 bps
Output
matches: all traffic
params: 10000000 bps, 1288000 limit, 1288000 extended limit
conformed 303002 packets, 161513209 bytes; action: transmit
exceeded 75191 packets, 45039533 bytes; action: drop
last packet: 0ms ago, current burst: 1248321 bytes
last cleared 00:02:08 ago, conformed 10077000 bps, exceeded 2810000 bps
input output都有了QOS数据,但是新的问题出现,只要用户端有一点流量ping 用户端互联地址172.16.10.6开始产生大量的丢包。取消QOS或用访问控制在INPUT上做QOS没任何问题,这个问题一直在困扰我,我试过多个方法也不能解决,我试过更改双工模式,取消策略路由,加大突发值问题依旧存在,(咨询上端运营商,运营商采用同样的方法给我门提供接入,在我们带宽使用达到100%时候,大包ping运营商上端互联地址依旧是正常没有丢包情况)
在此希望高手能给于指点,我自己也在研究问题所在,我会继续完成我没完成的博客。
netcen-cisco7505#sho int f1/0/0.2 rate-limit
FastEthernet1/0/0.2 4M_acl_20 b-1603_fibr_16ip
Input
matches: access-group 20
params: 4000000 bps, 8000 limit, 8000 extended limit
conformed 9370685 packets, 4905M bytes; action: transmit
exceeded 645168 packets, 817147468 bytes; action: drop
last packet: 4468ms ago, current burst: 0 bytes
last cleared 2d06h ago, conformed 201000 bps, exceeded 33000 bps
Output
matches: access-group 20
params: 4000000 bps, 8000 limit, 8000 extended limit
conformed 0 packets, 0 bytes; action: transmit
exceeded 0 packets, 0 bytes; action: drop
last packet: 1059586108ms ago, current burst: 0 bytes
last cleared 2d06h ago, conformed 0 bps, exceeded 0 bps
netcen-cisco7505#sho int f1/0/0.3 rate-limit
FastEthernet1/0/0.3 10M acl_21 c-11f_fibr_32IP
Input
matches: all traffic
params: 10000000 bps, 128000 limit, 128000 extended limit
conformed 2917848 packets, 579572960 bytes; action: transmit
exceeded 0 packets, 0 bytes; action: drop
last packet: 8ms ago, current burst: 208 bytes
last cleared 00:23:52 ago, conformed 3236000 bps, exceeded 0 bps
Output
matches: all traffic
params: 10000000 bps, 1288000 limit, 1288000 extended limit
conformed 0 packets, 0 bytes; action: transmit
exceeded 0 packets, 0 bytes; action: drop
last packet: 0ms ago, current burst: 0 bytes
last cleared 00:25:53 ago, conformed 0 bps, exceeded 0 bps
发现2个端口的OUTPUT都没有生效QOS设置,咨询过上级运营商(上级运营商用同样的方法为我门提供接入),得知上级运营商的QOS在子接口直接做,没有启用ACL做限制,这时候我明白了OUTPUT为什么没有流量,因为从接口出去的数据是ANY并不是我做的。X.X.X.X或Y.Y.Y.Y
于是根据运营商提供的方法对端口做了如下改动(只对F1/0/0.3做了改动)
interface FastEthernet1/0/0.3
description 10M acl_21 c-11f_fibr_32IP
encapsulation dot1Q 3
ip address 172.16.10.5 255.255.255.252
rate-limit input 10000000 128000 128000 conform-action transmit exceed-action drop //取消了ACL 21
rate-limit output 10000000 1288000 1288000 conform-action transmit exceed-action drop //取消了ACL 21
ip policy route-map fibr
察看端口SHOW信息如下:
netcen-cisco7505#sho int f1/0/0.3 rate-limit
FastEthernet1/0/0.3 10M acl_21 c-11f_fibr_32IP
Input
matches: all traffic
params: 10000000 bps, 128000 limit, 128000 extended limit
conformed 13685 packets, 2443801 bytes; action: transmit
exceeded 0 packets, 0 bytes; action: drop
last packet: 8ms ago, current burst: 784 bytes
last cleared 00:00:07 ago, conformed 2725000 bps, exceeded 0 bps
Output
matches: all traffic
params: 10000000 bps, 1288000 limit, 1288000 extended limit
conformed 303002 packets, 161513209 bytes; action: transmit
exceeded 75191 packets, 45039533 bytes; action: drop
last packet: 0ms ago, current burst: 1248321 bytes
last cleared 00:02:08 ago, conformed 10077000 bps, exceeded 2810000 bps
input output都有了QOS数据,但是新的问题出现,只要用户端有一点流量ping 用户端互联地址172.16.10.6开始产生大量的丢包。取消QOS或用访问控制在INPUT上做QOS没任何问题,这个问题一直在困扰我,我试过多个方法也不能解决,我试过更改双工模式,取消策略路由,加大突发值问题依旧存在,(咨询上端运营商,运营商采用同样的方法给我门提供接入,在我们带宽使用达到100%时候,大包ping运营商上端互联地址依旧是正常没有丢包情况)
在此希望高手能给于指点,我自己也在研究问题所在,我会继续完成我没完成的博客。
