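CAR -- Committed Access Rate

CAR Overview

CAR can apply policy and classification through rate limiting, for example by classifying packets according to IP precedence. Before configuring CAR, enable CEF on the interface.

CAR is normally used on the interfaces of network edge routers to limit the rate of traffic entering or leaving the network. Several CAR policies can be configured on one interface. When a packet arrives on an interface with several policies, the router checks each policy in turn until the packet matches one. If no policy matches, the default action is to forward the packet.

Restrictions

1. CAR can rate-limit IP traffic only.
2. CAR does not support Fast EtherChannel.
3. CAR does not support tunnel interfaces.
4. CAR does not support ISDN PRI interfaces.

Configuring CAR:

    Router(config-if)#rate-limit {input | output} {CIR Bc Be} conform-action {action} exceed-action {action}

Some of the action options:

    Command                          Meaning
    continue                         Evaluate the next CAR statement
    drop                             Drop the packet
    set-prec-continue {precedence}   Set the IP precedence and evaluate the next CAR statement
    set-prec-transmit {precedence}   Set the IP precedence and forward the packet
    set-dscp-continue {dscp}         Set the IP DSCP value and evaluate the next CAR statement
    set-dscp-transmit {dscp}         Set the IP DSCP value and forward the packet
    set-qos-continue {groupID}       Set the QoS group ID and evaluate the next CAR statement
    set-qos-transmit {groupID}       Set the QoS group ID and send the packet
    transmit                         Forward the packet

The steps for setting up a CAR policy are:

1. Define a rate-limit ACL (optional):

    Router(config)#access-list rate-limit {ACL} {precedence | mac-address}

2. Set a CAR rate-limit policy for each class of traffic. The policy can reference an ACL or a rate-limit ACL, or it can rate-limit on the IP DSCP value:

    Router(config-if)#rate-limit {input | output} [dscp dscp] access-group [rate-limit] {ACL} {CIR Bc Be} conform-action {action} exceed-action {action}

Example 1: rate-limit outbound traffic whose IP precedence is 3:

    interface Serial1
     ip address 10.0.0.1 255.255.255.252
     rate-limit output access-group rate-limit 1 20000000 24000 32000 conform-action transmit exceed-action drop
    access-list rate-limit 1 3

Example 2: rate-limit outbound traffic whose IP DSCP value is 1:

    !
    interface Serial1
     ip address 10.0.0.1 255.255.255.252
     rate-limit output dscp 1 20000000 24000 32000 conform-action transmit exceed-action drop

Rate-limit outbound traffic that matches 192.168.0.0/24:

    !
    interface Serial1
     ip address 10.0.0.1 255.255.255.252
     rate-limit output access-group 1 20000000 24000 32000 conform-action transmit exceed-action drop
    access-list 1 permit 192.168.0.0 0.0.0.255

Some helper commands for inspecting CAR:

1. Show the rate-limit ACLs:

    Router#show access-lists rate-limit [ACL]

2. Show the rate-limit information for an interface:

    Router#show interfaces [interface] rate-limit

Example 3: set the IP precedence of outbound telnet traffic from 192.168.10.0/24 to 5, and set the IP precedence of all other outbound traffic to

    access-list 133 permit tcp 192.168.10.0 0.0.0.255 any eq telnet
    class-map match-all telnet
     match access-group 133
    policy-map MyPolicy
     class telnet
      set ip precedence 3
     class class-default
      set ip precedence 1
    !
    interface Serial1
     ip address 10.0.0.1 255.255.255.252
     service-policy output MyPolicy

Example 4: use NBAR to identify BitTorrent traffic:

1. Load bittorrent.pdlm from the router's flash:

    Router(config)#ip nbar pdlm flash://bittorrent.pdlm

2. Define a class map that identifies BitTorrent traffic, and apply a drop policy to inbound BitTorrent traffic:

    !
    ip cef
    class-map bittorrent
     match protocol bittorrent
    policy-map drop-bittorrent
     class bittorrent
      drop
    interface Serial0
     ip address 192.168.0.1 255.255.255.0
     service-policy input drop-bittorrent

Example 5: use NBAR to rate-limit inbound HTTP downloads to 100 kbps, where the downloaded image formats include jpg, jpeg and gif:

    ip cef
    ! match-any: a URL cannot match both patterns at once, so match-all would never classify anything
    class-map match-any HTTP
     match protocol http url *.jpeg|*.jpg
     match protocol http url *.gif
    policy-map MyPolicy
     class HTTP
      police 100000 conform-action transmit exceed-action drop
    !
    interface Serial0
     ip address 10.0.0.1 255.255.255.252
     service-policy input MyPolicy

Example 6: use NBAR to block the Code Red and Nimda worms:

    ip cef
    ! match-any: a request that matches any one of the URL patterns is classified and dropped
    class-map match-any DENY-ATTACK
     match protocol http url *.ida*
     match protocol http url *cmd.exe*
     match protocol http url *root.exe*
     match protocol http url *readme.eml*
    policy-map MyPolicy
     class DENY-ATTACK
      drop
    !
    interface Serial0
     ip address 10.0.0.1 255.255.255.252
     service-policy input MyPolicy

Example 7: limit the bandwidth of traffic sourced from 192.168.10.0/24 to 1000 kbps:

    class-map match-all MyClass
     match access-group 1
    policy-map MyPolicy
     class MyClass
      bandwidth 1000
      queue-limit 30
     class class-default
    !
    interface Serial1
     ip address 172.16.10.1 255.255.255.252
     service-policy output MyPolicy
    !
    access-list 1 permit 192.168.10.0 0.0.0.255

Example 8: limit inbound packets from 192.168.0.0/24 to an average rate of 8000 bps, with a burst size (Bc) of 2000 bytes and an excess burst size (Be) of 4000 bytes. Traffic within the burst is transmitted, traffic within the excess burst has its QoS group ID set to 25 and is transmitted, and traffic that violates both the burst and the excess burst is dropped:

    class-map match-all MyClass
     match access-group 1
    policy-map MyPolicy
     class MyClass
      police 8000 2000 4000 conform-action transmit exceed-action set-qos-transmit 25 violate-action drop
    !
    interface Serial1
     ip address 172.16.0.1 255.255.255.252
     service-policy input MyPolicy
    access-list 1 permit 192.168.0.0 0.0.0.255

Queues on Catalyst 6500/6000 switches

QoS configuration on Catalyst 6500/6000 switches:

1. Enable QoS
2. Map each possible class of service (CoS) value to a queue and a threshold (optional)
3. Configure the WRR weight (optional)
4. Configure the buffers that are assigned to each queue (optional)
5. Configure the threshold level for each queue (optional)

    cosmos(config)#mls qos

Example: 1p2q2t

    cosmos#configure terminal
    cosmos(config)#interface gigabitethernet 1/1
    cosmos(config-if)#priority-queue cos-map 1 5
    !--- Assign a CoS of 5 to priority queue.
    cos-map configured on: Gi1/1 Gi1/2
    cosmos(config-if)#wrr-queue cos-map 1 1 0 1
    !--- Assign CoS 0 and 1 to the first threshold of low-priority WRR queue.
    cos-map configured on: Gi1/1 Gi1/2
    cosmos(config-if)#wrr-queue cos-map 1 2 2 3
    !--- Assign CoS 2 and 3 to the second threshold of low-priority WRR queue.
    cos-map configured on: Gi1/1 Gi1/2
    cosmos(config-if)#wrr-queue cos-map 2 1 4 6
    !--- Assign CoS 4 and 6 to the first threshold of high-priority WRR queue.
    cos-map configured on: Gi1/1 Gi1/2
    cosmos(config-if)#wrr-queue cos-map 2 2 7
    !--- Assign CoS 7 to the second threshold of high-priority WRR queue.
    cos-map configured on: Gi1/1 Gi1/2

2q2t: queue 1 is served 20% of the time and queue 2 is served 80% of the time.

    cosmos#configure terminal
    Enter configuration commands, one per line. End with CNTL/Z.
    cosmos(config)#interface gigabitethernet 1/1
    cosmos(config-if)#wrr-queue bandwidth ?
      1-255  enter bandwidth weight between 1 and 255
    cosmos(config-if)#wrr-queue bandwidth 20 80
    !--- Queue 1 is served 20% of the time, and queue 2 is served
    !--- 80% of the time.
    cosmos(config-if)#

Check the configuration:

    cosmos#show queueing interface gigabitethernet 1/1
    Interface Gi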
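
The three-outcome policer of Example 8 (police 8000 2000 4000 with conform, exceed and violate actions), modelled in Python as an added example that is not part of the original page. The class name, the refill model (tokens that do not fit in the Bc bucket overflow into the Be bucket) and the packet arrivals are assumptions made for illustration.

```python
"""Simplified model of a single-rate, two-bucket policer (added example)."""

# Actions as configured in Example 8.
ACTIONS = {"conform": "transmit", "exceed": "set-qos-transmit 25", "violate": "drop"}


class TwoBucketPolicer:  # hypothetical name, not an IOS construct
    def __init__(self, cir_bps, bc_bytes, be_bytes):
        self.rate = cir_bps / 8.0            # token fill rate in bytes per second
        self.bc, self.be = bc_bytes, be_bytes
        self.tc, self.te = float(bc_bytes), float(be_bytes)  # both buckets start full
        self.last = 0.0                      # time of the previous packet, in seconds

    def _refill(self, now):
        tokens = (now - self.last) * self.rate
        self.last = now
        to_tc = min(tokens, self.bc - self.tc)             # fill the conform bucket first
        self.tc += to_tc
        self.te = min(self.be, self.te + tokens - to_tc)   # overflow feeds the exceed bucket

    def police(self, now, size):
        """Return 'conform', 'exceed' or 'violate' for a packet of `size` bytes."""
        self._refill(now)
        if self.tc >= size:
            self.tc -= size
            return "conform"
        if self.te >= size:
            self.te -= size
            return "exceed"
        return "violate"


def run(arrivals, cir_bps=8000, bc_bytes=2000, be_bytes=4000):
    """Police a list of (time_seconds, size_bytes) arrivals, in time order."""
    policer = TwoBucketPolicer(cir_bps, bc_bytes, be_bytes)
    return [policer.police(t, size) for t, size in arrivals]


# Constructed input: eight back-to-back 1000-byte packets, then two more one second later.
SAMPLE = [(0.0, 1000)] * 8 + [(1.0, 1000), (1.0, 1000)]

if __name__ == "__main__":
    for (t, size), verdict in zip(SAMPLE, run(SAMPLE)):
        print(f"t={t:.1f}s {size}B {verdict:8s} -> {ACTIONS[verdict]}")
```
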
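
Example 6 puts four URL patterns in one class-map, so the choice between match-any and match-all decides whether any request is ever classified. The sketch below is an added example, not code from the original page: it approximates the NBAR URL patterns with Python glob matching (an assumption) and runs them over constructed request paths.

```python
from fnmatch import fnmatchcase

# URL patterns listed in Example 6.
PATTERNS = ["*.ida*", "*cmd.exe*", "*root.exe*", "*readme.eml*"]

# Constructed request paths: four that resemble worm probes, two ordinary requests.
SAMPLE_URLS = [
    "/default.ida?XXXX",
    "/scripts/root.exe",
    "/scripts/cmd.exe",
    "/readme.eml",
    "/index.html",
    "/images/logo.gif",
]


def hits(url, patterns=PATTERNS):
    """Return the patterns that this URL matches (glob approximation)."""
    return [p for p in patterns if fnmatchcase(url, p)]


def classified(url, mode, patterns=PATTERNS):
    """Apply class-map semantics: match-any needs one hit, match-all needs every pattern."""
    matched = hits(url, patterns)
    if mode == "match-any":
        return len(matched) >= 1
    if mode == "match-all":
        return len(matched) == len(patterns)
    raise ValueError(f"unknown class-map mode: {mode}")


def dropped(urls, mode):
    """URLs that a policy with 'class DENY-ATTACK / drop' would discard."""
    return [u for u in urls if classified(u, mode)]


if __name__ == "__main__":
    for mode in ("match-any", "match-all"):
        print(mode, "drops", dropped(SAMPLE_URLS, mode))
```

Under match-all a single request would have to contain all four strings, so the class stays empty and the drop action never fires.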