QoS Lab Manual (Final Edition)
Lab 1: Basic QoS Labs and Building the Topology

Lab: A simple introduction to MQC

The lab topology is shown above.

Requirement: a company wants you to capture http, ftp, icmp and dhcp traffic and apply policies to it.

1.

    r2#sh class-map
     Class Map match-all TELNET (id 6)
       Match protocol telnet
     Class Map match-all OSPF (id 5)
       Match protocol ospf
     Class Map match-all ICMP (id 2)
       Match protocol icmp
     Class Map match-all HTTP (id 1)
       Match protocol http
     Class Map match-all DHCP (id 4)
       Match protocol dhcp
     Class Map match-any class-default (id 0)
       Match any
     Class Map match-all FTP (id 3)
       Match protocol ftp

2. Build the policy and reference every class in it. The boss says: kill ICMP.

    r2#sh policy-map
      Policy Map feng
        Class HTTP
        Class FTP
        Class DHCP
        Class OSPF
        Class TELNET
        Class ICMP

3. Apply the policy to the interface.

    r2(config)#int s1/0
    r2(config-if)#service-policy input feng

4. Check the traffic.

    r2#sh policy-map interface s1/0
     Serial1/0
      Service-policy input: feng
        Class-map: HTTP (match-all)
          5 packets, 411 bytes
          5 minute offered rate 0 bps
          Match: protocol http
        Class-map: FTP (match-all)
          4 packets, 184 bytes
          5 minute offered rate 0 bps
          Match: protocol ftp
        Class-map: DHCP (match-all)
          0 packets, 0 bytes
          5 minute offered rate 0 bps
          Match: protocol dhcp
        Class-map: OSPF (match-all)
          6 packets, 504 bytes
          5 minute offered rate 0 bps
          Match: protocol ospf
        Class-map: TELNET (match-all)
          10 packets, 452 bytes
          5 minute offered rate 0 bps
          Match: protocol telnet
        Class-map: ICMP (match-all)
          14 packets, 1000 bytes
          5 minute offered rate 0 bps
          Match: protocol icmp
        Class-map: class-default (match-any)
          6145 packets, 1249329 bytes
          5 minute offered rate 39000 bps, drop rate 0 bps
          Match: any

    r2(config)#policy-map feng
    r2(config-pmap)#class ICMP
    r2(config-pmap-c)#drop

    r2#sh policy-map int s1/0 in class ICMP
     Serial1/0
      Service-policy input: feng
        Class-map: ICMP (match-all)
          71 packets, 5120 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: protocol icmp
          Drop

Lab: Basic NBAR lab (discovery and policy)

Requirement: run NBAR discovery and allocate 25k of bandwidth to HTTP.

    r2(config)#ip cef
    r2(config)#int s1/0
    r2(config-if)#ip nbar protocol-discovery      (enable NBAR protocol discovery)

    r2# sh ip nbar protocol-discovery int s1/0    (view the protocols seen in the flows on the interface)
     Serial1/0
                                Input                    Output
                                -----                    ------
       Protocol                 Packet Count             Packet Count
                                Byte Count               Byte Count
                                5min Bit Rate (bps)      5min Bit Rate (bps)
                                5min Max Bit Rate (bps)  5min Max Bit Rate (bps)
       ------------------------ ------------------------ ------------------------
       icmp                     16                       16
                                1120                     1120
                                0                        0
                                0                        0
       ospf                     7                        6
                                588                      504
                                0                        0
                                0                        0
       telnet                   7                        7
                                316                      316
                                0                        0
                                0                        0
       http                     3                        4
                                150                      471
                                0                        0
                                0                        0
       ftp                      4                        4
                                184                      184

    r2#sh ip nbar port-map      (view every port mapping NBAR can recognize)
    port-map bgp udp 179
    port-map bgp tcp 179
    port-map citrix udp 1604
    port-map citrix tcp 1494
    port-map cuseeme udp 7648 7649 24032
    port-map cuseeme tcp 7648 7649
    port-map dhcp udp 67 68
    port-map dns udp 53
    port-map dns tcp 53
    port-map edonkey tcp 4662
    port-map exchange tcp 135
    port-map fasttrack tcp 1214
    port-map finger tcp 79
    port-map ftp tcp 21
    port-map gnutella tcp 6346 6347 6348 6349 6355 5634
    port-map gopher udp 70
    port-map gopher tcp 70
    port-map h323 udp 1300 1718 1719 1720 11720
    port-map h323 tcp 1300 1718 1719 1720 11000 - 11999
    port-map http tcp 80
    port-map imap udp 143 220
    port-map imap tcp 143 220
    port-map irc udp 194
    port-map irc tcp 194
    port-map kerberos udp 88 749
    port-map kerberos tcp 88 749
    port-map l2tp udp 1701
    port-map ldap udp 389
    port-map ldap tcp 389
    port-map mgcp udp 2427 2727
    port-map mgcp tcp 2427 2428 2727
    port-map netbios udp 137 138
    port-map netbios tcp 137 139
    port-map netshow tcp 1755
    port-map nfs udp 2049
    port-map nfs tcp 2049
    port-map nntp udp 119
    port-map nntp tcp 119
    port-map notes udp 1352
    port-map notes tcp 1352
    port-map novadigm udp 3460 3461 3462 3463 3464 3465
    port-map novadigm tcp 3460 3461 3462 3463 3464 3465
    port-map ntp udp 123
    port-map ntp tcp 123
    port-map pcanywhere udp 22 5632
    port-map pcanywhere tcp 65301 5631
    port-map pop3 udp 110
    port-map pop3 tcp 110
    port-map pptp tcp 1723
    port-map printer udp 515
    port-map printer tcp 515
    port-map rcmd tcp 512 513 514
    port-map rip udp 520
    port-map rsvp udp 1698 1699
    port-map rtsp tcp 554
    port-map secure-ftp tcp 990
    port-map secure-http tcp 443
    port-map secure-imap udp 585 993
    port-map secure-imap tcp 585 993
    port-map secure-irc udp 994
    port-map secure-irc tcp 994
    port-map secure-ldap udp 636
    port-map secure-ldap tcp 636
    port-map secure-nntp udp 563
    port-map secure-nntp tcp 563
    port-map secure-pop3 udp 995
    port-map secure-pop3 tcp 995
    port-map secure-telnet tcp 992
    port-map sip udp 5060
    port-map sip tcp 5060
    port-map skinny tcp 2000 2001 2002
    port-map smtp tcp 25
    port-map snmp udp 161 162
    port-map snmp tcp 161 162
    port-map socks tcp 1080
    port-map sqlnet tcp 1521
    port-map sqlserver tcp 1433
    port-map ssh tcp 22
    port-map streamwork udp 1558
    port-map sunrpc udp 111
    port-map sunrpc tcp 111
    port-map syslog udp 514
    port-map telnet tcp 23
    port-map tftp udp 69
    port-map vdolive tcp 7000
    port-map winmx tcp 6699
    port-map xwindows tcp 6000 6001 6002 6003

    r2(config)#ip nbar port-map http tcp 80 8080    (add 8080 to NBAR's list of http ports)
    r2#sh ip nbar port-map http
    port-map http tcp 80 8080

    r2(config)#class-map HTTP                       (capture http flows into the HTTP class)
    r2(config-cmap)#match protocol http
    r2(config)#policy-map feng
    r2(config-pmap)#class HTTP
    r2(config-pmap-c)#ban ?
                 Kilo Bits per second
      percent    % of total Bandwidth
      remaining  % of the remaining bandwidth
    r2(config-pmap-c)#ban 25
    r2(config)#int s1/2
    r2(config-if)#service-policy output feng

    r2#sh policy-map interface s1/2                 (check whether NBAR is matching the traffic)
     Serial1/2
      Service-policy output: feng
        Class-map: HTTP (match-all)
          5 packets, 411 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: protocol http
          Queueing
            Output Queue: Conversation 25
            Bandwidth 25 (kbps) Max Threshold 64 (packets)
            (pkts matched/bytes matched) 5/411
            (depth/total drops/no-buffer drops) 0/0/0
        Class-map: class-default (match-any)
          5392 packets, 1127630 bytes
          5 minute offered rate 37000 bps, drop rate 5000 bps
          Match: any

Lab: Filtering the traffic that arrives via R2 (a comprehensive lab)

The company requires that, for traffic from R1 to R2, HTTP gets precedence 5, FTP precedence 4, telnet precedence 3, dhcp precedence 2, icmp precedence 1, and all remaining traffic precedence 0.

When this traffic goes from R2 to R3, allocate bandwidth according to the table below:

    Precedence   Bandwidth
    5            14K
    4            13K
    3            12K
    2            11K
    1            10K
    0            8K

Steps:

1. Capture the different kinds of traffic coming from R1 to R2:

    r2#sh class-map
     Class Map match-all TELNET (id 3)
       Match protocol telnet
     Class Map match-all ICMP (id 5)
       Match protocol icmp
     Class Map match-all HTTP (id 1)
       Match protocol http
     Class Map match-all DHCP (id 4)
       Match protocol dhcp
     Class Map match-any class-default (id 0)
       Match any
     Class Map match-all FTP (id 2)
       Match protocol ftp

2. Set a different precedence for each kind of traffic.

    r2#sh policy-map fengxuhui-in
      Policy Map fengxuhui-in
        Class HTTP
          set ip precedence 5
        Class FTP
          set ip precedence 4
        Class TELNET
          set ip precedence 3
        Class DHCP
          set ip precedence 2
        Class ICMP
          set ip precedence 1
        Class class-default
          set ip precedence 0

3. Apply it to the interface in the inbound direction.

    r2(config)#int s1/0
    r2(config-if)#service-policy in fengxuhui-in

4. Classify by precedence for the outbound interface direction.

     Class Map match-all P-5 (id 6)
       Match ip precedence 5
     Class Map match-all P-4 (id 7)
       Match ip precedence 4
     Class Map match-all P-1 (id 10)
       Match ip precedence 1
     Class Map match-all P-0 (id 11)
       Match ip precedence 0
     Class Map match-all P-3 (id 8)
       Match ip precedence 3
     Class Map match-all P-2 (id 9)
       Match ip precedence 2

5. For each precedence you captured, build the policy according to the boss's precedence-to-bandwidth table.

    r2#sh policy-map fengxuhui-out
      Policy Map fengxuhui-out
        Class P-5
          Bandwidth 14 (kbps) Max Threshold 64 (packets)
        Class P-4
          Bandwidth 13 (kbps) Max Threshold 64 (packets)
        Class P-3
          Bandwidth 12 (kbps) Max Threshold 64 (packets)
        Class P-2
          Bandwidth 11 (kbps) Max Threshold 64 (packets)
        Class P-1
          Bandwidth 10 (kbps) Max Threshold 64 (packets)
        Class P-0
          Bandwidth 8 (kbps) Max Threshold 64 (packets)

6. Apply it in the outbound interface direction.

    r2(config-if)#service-policy out fengxuhui-out

Lab: Creating a PDLM with NBAR

    ip nbar custom feng01 tcp 1524 27665
    ip nbar custom feng02 udp 31335 27444

What is defined above is a DDoS attack signature. The class below is created as match-any: a class-map defaults to match-all, and no packet is classified as both feng01 and feng02, so a match-all class holding both would never match.

    r2(config)#class-map match-any DDOS
    r2(config-cmap)#match protocol feng01
    r2(config-cmap)#match protocol feng02
    r2(config)#policy-map DDOS-DENY
    r2(config-pmap)#class DDOS
    r2(config-pmap-c)#drop
    r2(config-pmap)#int s1/0
    r2(config-if)#service-policy in DDOS-DENY

Lab: Filtering with a downloaded PDLM

    R1(config)#ip nbar pdlm t00/bittorrent.pdlm/      (00 is the address of the TFTP server)

Requirement: kill BT (BitTorrent) downloads. Download a BT PDLM from the Cisco website and copy it to your router's flash.

* You can download the various other PDLMs on your own afterwards.

Lab 2: Classification with PBR

1. Requirement: the customer wants VoIP traffic at precedence 5, HTTP traffic at precedence 4, telnet traffic at precedence 3, ftp traffic at precedence 2, and all other traffic at precedence 1.

2. Build the scenario above and configure traffic generation.

3. Use access control lists to capture the traffic.

    r2#sh access-list
    Extended IP access list 101
        10 permit ip host host                 (captures the VoIP traffic)
    Extended IP access list 102
        10 permit tcp any any eq www           (captures the www traffic)
    Extended IP access list 103
        10 permit tcp any any eq telnet        (captures the telnet traffic)
    Extended IP access list 104
        10 permit tcp any any eq ftp-data      (captures the ftp traffic)
        20 permit tcp any any eq ftp

4. Use PBR to set the precedence.

    r2#sh route-map fxh                        (the route-map is named fxh)
    route-map fxh, permit, sequence 10         (first clause, sequence number 10)
      Match clauses:
        ip address (access-lists): 101         (the ACL matched is 101)
      Set clauses:
        ip precedence critical                 (sets precedence 5)
      Policy routing matches: 0 packets, 0 bytes   (0 means the policy has not taken effect)
    route-map fxh, permit, sequence 20
      Match clauses:
        ip address (access-lists): 102
      Set clauses:
        ip precedence flash-override
      Policy routing matches: 0 packets, 0 bytes
    route-map fxh, permit, sequence 30
      Match clauses:
        ip address (access-lists): 103
      Set clauses:
        ip precedence flash
      Policy routing matches: 0 packets, 0 bytes
    route-map fxh, permit, sequence 40
      Match clauses:
        ip address (access-lists): 104
      Set clauses:
        ip precedence immediate
      Policy routing matches: 0 packets, 0 bytes
    route-map fxh, permit, sequence 50
      Match clauses:
      Set clauses:
        ip precedence priority
      Policy routing matches: 0 packets, 0 bytes

4. Apply it to the interface.

    r2(config)#int s1/0
    r2(config-if)#ip policy route-map fxh

5. Test the result of the configuration.

    r2#sh route-map
    route-map fxh, permit, sequence 10
      Match clauses:
        ip address (access-lists): 101
      Set clauses:
        ip precedence critical
      Policy routing matches: 0 packets, 0 bytes
    route-map fxh, permit, sequence 20
      Match clauses:
        ip address (access-lists): 102
      Set clauses:
        ip precedence flash-override
      Policy routing matches: 10 packets, 505 bytes
    route-map fxh, permit, sequence 30
      Match clauses:
        ip address (access-lists): 103
      Set clauses:
        ip precedence flash
      Policy routing matches: 4 packets, 180 bytes
    route-map fxh, permit, sequence 40
      Match clauses:
        ip address (access-lists): 104
      Set clauses:
        ip precedence immediate
      Policy routing matches: 2 packets, 96 bytes
    route-map fxh, permit, sequence 50
      Match clauses:
      Set clauses:
        ip precedence priority
      Policy routing matches: 8231 packets, 2033573 bytes

6. Commands for inspecting CEF fast forwarding:

    r1#sh adjacency detail        (shows the CEF adjacency information; the detail keyword is required)
    Protocol Interface                 Address
    IP       Serial1/0                 point2point(15)
                                       0 packets, 0 bytes
                                       0F000800
                                       CEF   expires: 00:02:01
                                             refresh: 00:00:01
                                       Epoch: 0
    r1#sh ip cef                  (shows the fast-forwarding table; note the parameters that follow it)

Lab 3: A QPPB lab

Lab steps:

1. Configure the link layer.

    r1#sh run
    Building configuration.
    Current configuration : 1419 bytes
    !
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname r1
    !
    boot-start-marker
    boot-end-marker
    !
    enable password cisco
    !
    no aaa new-model
    memory-size iomem 5
    ip cef
    !
    no ip domain lookup
    !
    !
    !
    interface Loopback0
     ip address
    !
    interface FastEthernet0/0
     no ip address
     shutdown
     duplex auto
     speed auto
    !
    interface FastEthernet0/1
     no ip address
     shutdown
     duplex auto
     speed auto
    !
    interface Serial1/0
     ip address
     serial restart-delay 0
    !
    interface Serial1/1
     no ip address
     shutdown
     serial restart-delay 0
    !
    interface Serial1/2
     no ip address
     shutdown
     serial restart-delay 0
    !
    interface Serial1/3
     no ip address
     shutdown
     serial restart-delay 0
    !
    router ospf 100
     router-id
     log-adjacency-changes
     network 55 area 0
    !
    router bgp 24
     no synchronization
     bgp router-id
     bgp log-neighbor-changes
     neighbor remote-as 12
     no auto-summary
    !
    ip http server
    no ip http secure-server
    !
    control-plane
    !
    alias exec a sh ip int brief
    alias exec b sh ip route
    alias exec c sh ip route rip
    alias exec d sh run
    !
    line con 0
     exec-timeout 0 0
     logging synchronous
    line aux 0
     exec-timeout 0 0
     logging synchronous
    line vty 0 4
     exec-timeout 0 0
     password cisco
     login
    !
    End

    r2#sh run
    Building configuration.
    Current configuration : 1465 bytes
    !
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname r2
    !
    boot-start-marker
    boot-end-marker
    !
    enable password cisco
    !
    no aaa new-model
    memory-size iomem 5
    ip cef
    !
    no ip domain lookup
    !
    !
    !
    interface Loopback0
     ip address
    !
    interface FastEthernet0/0
     no ip address
     shutdown
     duplex auto
     speed auto
    !
    interface FastEthernet0/1
     no ip address
     shutdown
     duplex auto
     speed auto
    !
    interface Serial1/0
     ip address
     serial restart-delay 0
    !
    interface Serial1/1
     no ip address
     shutdown
     serial restart-delay 0
    !
    interface Serial1/2
     ip address
     serial restart-delay 0
    !
    interface Serial1/3
     no ip address
     shutdown
     serial restart-delay 0
    !
    router ospf 100
     router-id
     log-adjacency-changes
     network 55 area 0
    !
    router bgp 12
     no synchronization
     bgp router-id
     bgp log-neighbor-changes
     neighbor remote-as 24
     neighbor remote-as 12
     no auto-summary
    !
    ip http server
    no ip http secure-server
    !
    control-plane
    !
    alias exec a s
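
A class-map created without a keyword is match-all, as the show class-map output in the labs above reports, so a class that lists several `match protocol` lines (such as a DDoS class holding both feng01 and feng02) can never match and its drop action never fires. The following is an added example, not part of the original manual: a Python lint that flags such classes in configuration text; the sample configuration and the class name DDOS-FIXED are constructed for illustration.

```python
import re

# Constructed sample config (not taken from the manual's routers): one
# class-map relies on the match-all default, one uses match-any.
SAMPLE_CONFIG = """\
class-map DDOS
 match protocol feng01
 match protocol feng02
class-map match-any DDOS-FIXED
 match protocol feng01
 match protocol feng02
class-map match-all HTTP
 match protocol http
policy-map DDOS-DENY
 class DDOS
  drop
"""

CLASS_RE = re.compile(r"^class-map(?:\s+(match-all|match-any))?\s+(\S+)\s*$")
MATCH_RE = re.compile(r"^\s+match\s+protocol\s+(\S+)")


def parse_class_maps(config):
    """Return {name: (mode, [protocols])} for every class-map in the text."""
    classes, current = {}, None
    for line in config.splitlines():
        head = CLASS_RE.match(line)
        if head:
            current = head.group(2)
            # No keyword means the IOS default, match-all.
            classes[current] = (head.group(1) or "match-all", [])
        elif current and (m := MATCH_RE.match(line)):
            classes[current][1].append(m.group(1))
        elif not line.startswith(" "):
            current = None  # a new top-level command ends the class-map block
    return classes


def unmatchable_classes(config):
    """Names of match-all classes that require two different NBAR protocols."""
    return sorted(
        name for name, (mode, protos) in parse_class_maps(config).items()
        if mode == "match-all" and len(set(protos)) > 1
    )


if __name__ == "__main__":
    for name in unmatchable_classes(SAMPLE_CONFIG):
        print(f"class-map {name}: match-all with several protocols never matches")
```

Run it against saved `show running-config` text; a flagged class should also show 0 packets in `show policy-map interface`.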
