前段时间一直有客户问我路由器可不可以做到限制内部某些机子的下行速率,我很自然的答了句:可以做限速的。其实限速肯定是可以的,但是需要考虑一个具体的问题
一般接入路由器都作了地址转换,但是了解到路由器的操作步骤会发现如下的执行步骤:
check input rate limits ------->nat outside to inside------->check output rate limits
所以针对内部部分主机做限速策略,由于必须在ACL里面指定inside local 地址,所以应该在内网接口上应用service-policy output xxx,而不是在外网接口上的service-policy input xxx!
下面是一个具体的例子:
Router#sh run
Building configuration...
Current configuration : 1026 bytes
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
!
ip subnet-zero
!
!
no ip domain lookup
!
!
class-map match-all test-class
match access-group 100
!
!
policy-map speed
class test-class
police cir 80000 bc 32000
conform-action transmit
exceed-action drop
!
!
!
!
!
interface FastEthernet0/0
ip address 192.168.1.111 255.255.255.0
ip nat outside
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 172.16.1.1 255.255.255.0
ip nat inside
duplex auto
speed auto
service-policy output speed
!
ip nat inside source list 1 interface FastEthernet0/0 overload
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.1
no ip http server
!
!
access-list 1 permit any
access-list 100 deny ip any host 172.16.1.100
access-list 100 permit ip any any
!
line con 0
line aux 0
line vty 0 4
!
!
end |
【责任编辑 徐洋】
|