A vocational education center uses an S5800 as its access switch, with Portal authentication enabled on the S5800 to control access users. The customer wants to rate-limit every online user. Most low- and mid-range switches do not support IMC pushing bandwidth limits directly, but rate limiting can be achieved by using a user-profile together with IMC.
With the current configuration the rate limit works: user download speed is around 400 KB/s, so the limit takes effect.
The customer has internal FTP servers and wants those FTP server addresses exempted from the limit. A CB (classifier-behavior) pair was added to permit some addresses, configured as follows:
acl number 3000
description TO-FWQ
rule 1 permit ip destination 10.1.129.0 0.0.0.255
rule 5 permit ip source 10.1.140.0 0.0.0.255
rule 6 permit ip destination 10.1.140.0 0.0.0.255
rule 10 permit ip source 10.1.130.0 0.0.0.255
rule 20 permit ip destination 10.1.130.0 0.0.0.255
qos policy xiansu
classifier 3000 behavior 3000
classifier 3001 behavior 3001
qos policy xiansu-xia
classifier 3000 behavior 3000 (added configuration)
classifier 3002 behavior 3002
#
user-profile xiansu
qos apply policy xiansu inbound
qos apply policy xiansu-xia outbound
After this configuration was added, the rate limit stopped working: user download speed reached more than 1 MB/s.
1. Check the current configuration
acl number 3000
description TO-FWQ
rule 1 permit ip destination 10.1.129.0 0.0.0.255
rule 5 permit ip source 10.1.140.0 0.0.0.255
rule 6 permit ip destination 10.1.140.0 0.0.0.255
rule 10 permit ip source 10.1.130.0 0.0.0.255
rule 20 permit ip destination 10.1.130.0 0.0.0.255
acl number 3001
description shangwang
rule 10 permit ip source 10.1.0.0 0.0.255.255
acl number 3002
rule 10 permit ip destination 10.1.0.0 0.0.255.255
acl number 3003
rule 10 permit ip source 10.1.130.0 0.0.0.255
rule 20 permit ip destination 10.1.130.0 0.0.0.255
traffic behavior 3001
car cir 2000 cbs 125000 ebs 512 green pass red discard yellow pass
traffic behavior 3002
car cir 4000 cbs 25000 ebs 512 green pass red discard yellow pass
traffic behavior 3000
filter permit
qos policy xiansu
classifier 3000 behavior 3000
classifier 3001 behavior 3001
qos policy xiansu-xia
classifier 3000 behavior 3000
classifier 3002 behavior 3002
user-profile xiansu
qos apply policy xiansu inbound
qos apply policy xiansu-xia outbound
The configuration itself has no problem, so check how the ACLs are delivered to the underlying hardware.
2. Check the ACLs delivered to the hardware
Acl-Type MQC UserProfile , Stage IFP, GroupPri 13, EntryID 157, Active
Health 1, PoolFree 0, PoolID 0, Prio_Mjr 518, Prio_Sub 15,Slice 2,SliceIdx 0
Rule Match --------
Ports: 0x4000000000000, 0x7c3fc3ffffffff
Lookup: STP forwarding, 0x18, 0x18
Outer Vlan: 0x83, 0xfff
Source IP: 10.1.133.20, 255.255.255.255
Dest IP: 10.1.129.0, 255.255.255.0
IP Type: Any IPv4 packet
Actions --------
Redirect do NOT
Permit
Acl-Type MQC UserProfile , Stage IFP, GroupPri 13, EntryID 158, Active
Health 1, PoolFree 0, PoolID 0, Prio_Mjr 518, Prio_Sub 15,Slice 2,SliceIdx 1
Rule Match --------
Ports: 0x4000000000000, 0x7c3fc3ffffffff
Lookup: STP forwarding, 0x18, 0x18
Outer Vlan: 0x83, 0xfff
Source IP: 10.1.133.20, 255.255.255.255
IP Type: Any IPv4 packet
Actions --------
Redirect do NOT
Permit
Acl-Type MQC UserProfile , Stage IFP, GroupPri 13, EntryID 159, Active
Health 1, PoolFree 0, PoolID 0, Prio_Mjr 518, Prio_Sub 15,Slice 2,SliceIdx 2
Rule Match --------
Ports: 0x4000000000000, 0x7c3fc3ffffffff
Lookup: STP forwarding, 0x18, 0x18
Outer Vlan: 0x83, 0xfff
Source IP: 10.1.133.20, 255.255.255.255
Dest IP: 10.1.140.0, 255.255.255.0
IP Type: Any IPv4 packet
Actions --------
Redirect do NOT
Permit
Acl-Type MQC UserProfile , Stage IFP, GroupPri 13, EntryID 160, Active
Health 1, PoolFree 0, PoolID 0, Prio_Mjr 518, Prio_Sub 15,Slice 2,SliceIdx 3
Rule Match --------
Ports: 0x4000000000000, 0x7c3fc3ffffffff
Lookup: STP forwarding, 0x18, 0x18
Outer Vlan: 0x83, 0xfff
Source IP: 10.1.133.20, 255.255.255.255
IP Type: Any IPv4 packet
Actions --------
Redirect do NOT
Permit
Acl-Type MQC UserProfile , Stage EFP, GroupPri 515, EntryID 423, Active
Health 1, PoolFree 0, PoolID 0, Prio_Mjr 262, Prio_Sub 15,Slice 0,SliceIdx 0
Rule Match --------
Out Port: 50
Outer Vlan: 0x83, 0xfff
Dest IP: 10.1.133.20, 255.255.255.255
IP Type: Any IPv4 packet
Actions --------
Permit
Acl-Type MQC UserProfile , Stage EFP, GroupPri 515, EntryID 428, Active
Health 1, PoolFree 0, PoolID 0, Prio_Mjr 262, Prio_Sub 15,Slice 0,SliceIdx 5
Rule Match --------
Out Port: 50
Outer Vlan: 0x83, 0xfff
Dest IP: 10.1.133.20, 255.255.255.255
IP Type: Any IPv4 packet
Actions --------
CAR cir 0xfa0, cbs 0xc8, pir 0xfa0, pbs 0x4, mode srTCM color blind
Account mode packets, green and red
Grn Permit
Red Deny
Yel Permit
The above is an excerpt of the underlying ACL delivery information. Take one inbound ACL entry as an example:
This is the ACL delivered to the hardware:
Acl-Type MQC UserProfile , Stage IFP, GroupPri 13, EntryID 157, Active
Health 1, PoolFree 0, PoolID 0, Prio_Mjr 518, Prio_Sub 15,Slice 2,SliceIdx 0
Rule Match --------
Ports: 0x4000000000000, 0x7c3fc3ffffffff
Lookup: STP forwarding, 0x18, 0x18
Outer Vlan: 0x83, 0xfff
Source IP: 10.1.133.20, 255.255.255.255
Dest IP: 10.1.129.0, 255.255.255.0
IP Type: Any IPv4 packet
Actions --------
Redirect do NOT
Permit
This is the ACL actually configured:
acl number 3000
rule 1 permit ip destination 10.1.129.0 0.0.0.255
qos policy xiansu
classifier 3000 behavior 3000
classifier 3001 behavior 3001
user-profile xiansu
qos apply policy xiansu inbound
Comparing the actual configuration with what was delivered: in the inbound policy, the SIP (source IP) field is replaced by the user's IP.
Now look at the outbound direction.
This is the ACL delivered to the hardware:
Acl-Type MQC UserProfile , Stage EFP, GroupPri 515, EntryID 426, Active
Health 1, PoolFree 0, PoolID 0, Prio_Mjr 262, Prio_Sub 15,Slice 0,SliceIdx 3
Rule Match --------
Out Port: 50
Outer Vlan: 0x83, 0xfff
Source IP: 10.1.130.0, 255.255.255.0
Dest IP: 10.1.133.20, 255.255.255.255
IP Type: Any IPv4 packet
Actions --------
Permit
This is the ACL actually configured:
acl number 3000
rule 10 permit ip source 10.1.130.0 0.0.0.255
qos policy xiansu-xia
classifier 3000 behavior 3000
classifier 3002 behavior 3002
user-profile xiansu
qos apply policy xiansu-xia outbound
Comparing the actual configuration with what was delivered: in the outbound policy, the DIP (destination IP) field is replaced by the user's IP.
The reason adding CB pair 3000 in the outbound direction breaks the rate limit is that its rule 1, permit ip destination 10.1.129.0 0.0.0.255, has its destination replaced in the outbound direction by the client's own IP address, 10.1.133.20.
qos policy xiansu-xia
classifier 3000 behavior 3000 (added configuration)
acl number 3000
description TO-FWQ
rule 1 permit ip destination 10.1.129.0 0.0.0.255
rule 5 permit ip source 10.1.140.0 0.0.0.255
rule 6 permit ip destination 10.1.140.0 0.0.0.255
rule 10 permit ip source 10.1.130.0 0.0.0.255
rule 20 permit ip destination 10.1.130.0 0.0.0.255
Acl-Type MQC UserProfile , Stage EFP, GroupPri 515, EntryID 423, Active
Health 1, PoolFree 0, PoolID 0, Prio_Mjr 262, Prio_Sub 15,Slice 0,SliceIdx 0
Rule Match --------
Out Port: 50
Outer Vlan: 0x83, 0xfff
Dest IP: 10.1.133.20, 255.255.255.255
IP Type: Any IPv4 packet
Actions --------
Permit
As a result, the client's downstream packets pass straight through and never hit the rate-limiting rule.
For an MQC policy based on a user-profile, if it is applied in the outbound direction, the rules in the policy must not be configured with a DIP, because that field is replaced by the online user's IP.
Likewise, a policy applied in the inbound direction must not include a SIP; that field is also replaced by the user's IP.
So the on-site configuration has problems and needs adjusting: delete the rules carrying a SIP field from the inbound direction and the rules carrying a DIP field from the outbound direction. In the inbound direction the SIP is the client IP, so only the DIP needs restricting; in the outbound direction the DIP is the client IP, so only the SIP needs restricting. Changing the configuration this way does not affect the intended result.
Because the ACL configuration is not checked when the user-profile is applied, everyone needs to be aware of this behavior in advance and avoid it.
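To make the substitution rule concrete, here is an added Python model (not code from this case or from H3C) of how each rule is programmed per online user and which behavior a packet then hits. The ACL contents and the user IP 10.1.133.20 come from the case; the Internet server 203.0.113.5, the FTP server 10.1.129.10 and the source-only outbound permit list (the corrected form described above) are constructed assumptions.

```python
"""Model of how a user-profile MQC policy is programmed on the S5800 per user.
Added illustration, not code from the page or the vendor: inbound rules get
their source field overwritten with the online user's IP, outbound rules get
their destination field overwritten; the first matching classifier wins."""
from ipaddress import ip_address, ip_network

# Constructed rule sets mirroring the case's ACLs ("src"/"dst" = CIDR match).
ACL_3000 = [{"dst": "10.1.129.0/24"}, {"src": "10.1.140.0/24"},
            {"dst": "10.1.140.0/24"}, {"src": "10.1.130.0/24"},
            {"dst": "10.1.130.0/24"}]
ACL_3001 = [{"src": "10.1.0.0/16"}]   # uplink classifier, behavior car 2000
ACL_3002 = [{"dst": "10.1.0.0/16"}]   # downlink classifier, behavior car 4000
# Assumed corrected outbound permit list: source-only rules for the servers.
ACL_3000_FIXED_OUT = [{"src": "10.1.129.0/24"}, {"src": "10.1.140.0/24"},
                      {"src": "10.1.130.0/24"}]
USER, INTERNET, FTP = "10.1.133.20", "203.0.113.5", "10.1.129.10"

def apply_user_profile(policy, user_ip, direction):
    """Return (rule, behavior) pairs as the chip programs them for one user."""
    field = "src" if direction == "inbound" else "dst"
    programmed = []
    for acl, behavior in policy:
        for rule in acl:
            r = dict(rule)
            r[field] = f"{user_ip}/32"   # this field is replaced by the user IP
            programmed.append((r, behavior))
    return programmed

def matches(rule, src, dst):
    return all(ip_address(ip) in ip_network(rule[k])
               for k, ip in (("src", src), ("dst", dst)) if k in rule)

def lookup(programmed, src, dst):
    """First-match semantics; None means no classifier hit."""
    for rule, behavior in programmed:
        if matches(rule, src, dst):
            return behavior
    return None

# Outbound policy xiansu-xia: as first deployed, after adding CB pair 3000,
# and with the assumed source-only fix; inbound policy xiansu as deployed.
OUT_ORIG = apply_user_profile([(ACL_3002, "car 4000")], USER, "outbound")
OUT_BROKEN = apply_user_profile([(ACL_3000, "permit"), (ACL_3002, "car 4000")],
                                USER, "outbound")
OUT_FIXED = apply_user_profile([(ACL_3000_FIXED_OUT, "permit"),
                                (ACL_3002, "car 4000")], USER, "outbound")
IN_ORIG = apply_user_profile([(ACL_3000, "permit"), (ACL_3001, "car 2000")],
                             USER, "inbound")
```

lookup(OUT_BROKEN, INTERNET, USER) returns "permit" where OUT_ORIG and OUT_FIXED return "car 4000", reproducing the bypass, and lookup(IN_ORIG, USER, INTERNET) returns "permit" because the inbound SIP rules collapse to "any traffic from this user" in the same way.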