一般最常用的是第五种方式。用户可以使用standard ip access list来确定哪些进行访问(被访问)的IP的流量需要进行rate-limit,也可以用extended ip access list来确定哪些访问(被访问)的IP的协议类型流量(如HTTP,FTP)需要进行rate-limit。例如我们想限制用户到内部网站上浏览网页的速度,则可以采用如下的access list来定义流量:
access-list 101 permit tcp any eq www any
这里值得注意的一点是在配置时要配成any eq www any而不是any any eq www。因为主要的流量不是用户向http server发送的请求(这类请求流量的源端口号为随机,目的端口号为80),而是http server收到用户的请求后发给用户方的网页内容的流量(这部分流量的源端口号为80,目的端口号为发起方的端口号),如果在这个小细节上不加注意则不能对下载的流量进行有效的限制。
last packet: 4809528ms ago, current burst: 0 bytes
last cleared 00:59:42 ago, conformed 0 bps, exceeded 0 bps
这里解释一下show interface rate-limit看到的结果。
Matches是表示该interface配置的traffic matching规则,有多个matches表示该interface配置了多条rate-limit命令,采用了多条matching规则。下面的params表示该规则定义的各项参数,xxx bps表示设定速率值,limit和extended limit表示token bucket的容量。Conformed x packets,y bytes表示对速率限制内的包数量和字节数,action表示对符合规则的包采用的处理方式;exceeded x packets这行也类似地是表示对超过速率限制的包的数量和字节数,action是其处理方式。下面的last packet是表示最新的到来数据包的是多久前到达的,current burst是当前token bucket内的数据大小,last cleared是最近一次清记数器到现在的时间,conform x bps表示速率限制内的包的实际流量速率,exceed y bps 表示超过部分的速率。
注:在CAR里面会用到access-list rate-limit xx mask 0-FF (00表示不匹配任意precedence,FF表示匹配任意precedence),它的作用是通过使用掩码来匹配被设置了优先权(0~7)的包,其使用方法有这么几个步骤:
一:Decide which precedence's you want to assign to this rate-limit access list(决定你要分配给rate-limit ACL的precedence)
二:Convert the precedence's into an 8-bit numbers with each bit corresponding to one
precedence. For example, an IP precedence of 0 corresponds to 00000001, 1 corresponds
to 00000010, 6 corresponds to 01000000, and 7 corresponds to 10000000.(把precedence转换成一个8位数,每一位都对应一个precedence值,如:precedence0 对应00000001,precedence1对应00000010,precedence6对应01000000,precedence7对应10000000,仔细看不难发现其规律)
三: Add the 8-bit numbers for the selected precedence's together. For example, the
mask for precedence's 1 and 6 is 01000010.(把相应的precedence值0~7加到一起组成8位数如:1:00000010+6:01000000=01000010)
四:Convert the binary mark into the corresponding hexadecimal number.(把得到的二进制数转换成相应的十六进制数,如:01000010=0x42)不知道大家明白没有这里我把原文贴出来共享:
Use the mask keyword to assign multiple IP precedence's to the same rate-limit list. To
determine the mask value, perform the following steps:
Step 1 Decide which precedence's you want to assign to this rate-limit access list.
Step 2 Convert the precedence's into an 8-bit numbers with each bit corresponding to one
precedence. For example, an IP precedence of 0 corresponds to 00000001, 1 corresponds
to 00000010, 6 corresponds to 01000000, and 7 corresponds to 10000000.
Step 3 Add the 8-bit numbers for the selected precedence's together. For example, the
mask for precedence's 1 and 6 is 01000010.
Step 4 Convert the binary mark into the corresponding hexadecimal number. For
example, 01000010 becomes 0x42. This value is used in the access-list rate-limit
command. Any packets that have an IP precedence of 1 or 6 will match this access list. A
mask of FF matches any precedence, and 00 does not match any precedence.
In this example, a mask of 07 translates to 00000111, so IP precedence 0, 1, and 2 will be
policed.