Lab 1: Basic QoS labs and building the topology

Lab: a first look at MQC

The topology is as shown above.

Requirement: a company wants you to classify its HTTP, FTP, ICMP and DHCP traffic and apply some policy to it.

1. Create a class-map for each protocol and check them:

    r2#sh class-map
    Class Map match-all TELNET (id 6)
      Match protocol telnet
    Class Map match-all OSPF (id 5)
      Match protocol ospf
    Class Map match-all ICMP (id 2)
      Match protocol icmp
    Class Map match-all HTTP (id 1)
      Match protocol http
    Class Map match-all DHCP (id 4)
      Match protocol dhcp
    Class Map match-any class-default (id 0)
      Match any
    Class Map match-all FTP (id 3)
      Match protocol ftp

2. Build the policy and pull every class into it. The boss says: drop ICMP.

    r2#sh policy-map
    Policy Map feng
      Class HTTP
      Class FTP
      Class DHCP
      Class OSPF
      Class TELNET
      Class ICMP

3. Apply the policy to the interface:

    r2(config)#int s1/0
    r2(config-if)#service-policy input feng

4. Check the traffic:

    r2#sh policy-map interface s1/0
    Serial1/0
      Service-policy input: feng
        Class-map: HTTP (match-all)
          5 packets, 411 bytes
          5 minute offered rate 0 bps
          Match: protocol http
        Class-map: FTP (match-all)
          4 packets, 184 bytes
          5 minute offered rate 0 bps
          Match: protocol ftp
        Class-map: DHCP (match-all)
          0 packets, 0 bytes
          5 minute offered rate 0 bps
          Match: protocol dhcp
        Class-map: OSPF (match-all)
          6 packets, 504 bytes
          5 minute offered rate 0 bps
          Match: protocol ospf
        Class-map: TELNET (match-all)
          10 packets, 452 bytes
          5 minute offered rate 0 bps
          Match: protocol telnet
        Class-map: ICMP (match-all)
          14 packets, 1000 bytes
          5 minute offered rate 0 bps
          Match: protocol icmp
        Class-map: class-default (match-any)
          6145 packets, 1249329 bytes
          5 minute offered rate 39000 bps, drop rate 0 bps
          Match: any

Now add the drop action to the ICMP class and verify it on the interface:

    r2(config)#policy-map feng
    r2(config-pmap)#class ICMP
    r2(config-pmap-c)#drop
    r2#sh policy-map int s1/0 in class ICMP
    Serial1/0
      Service-policy input: feng
        Class-map: ICMP (match-all)
          71 packets, 5120 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: protocol icmp
          Drop

Lab: basic NBAR, protocol discovery and policy

Requirement: run NBAR protocol discovery, then allocate 25 kbps of bandwidth to HTTP.

    r2(config)#ip cef
    r2(config)#int s1/0
    r2(config-if)#ip nbar protocol-discovery      (turn on NBAR protocol discovery)
    r2# sh ip nbar protocol-discovery int s1/0     (show the protocols seen in the flows on this interface)
    Serial1/0
                        Input                      Output
      Protocol          Packet Count               Packet Count
                        Byte Count                 Byte Count
                        5min Bit Rate (bps)        5min Bit Rate (bps)
                        5min Max Bit Rate (bps)    5min Max Bit Rate (bps)
      icmp              16                         16
                        1120                       1120
                        0                          0
                        0                          0
      ospf              7                          6
                        588                        504
                        0                          0
                        0                          0
      telnet            7                          7
                        316                        316
                        0                          0
                        0                          0
      http              3                          4
                        150                        471
                        0                          0
                        0                          0
      ftp               4                          4
                        184                        184

    r2#sh ip nbar port-map      (list every port mapping NBAR can recognise)
    port-map bgp udp 179
    port-map bgp tcp 179
    port-map citrix udp 1604
    port-map citrix tcp 1494
    port-map cuseeme udp 7648 7649 24032
    port-map cuseeme tcp 7648 7649
    port-map dhcp udp 67 68
    port-map dns udp 53
    port-map dns tcp 53
    port-map edonkey tcp 4662
    port-map exchange tcp 135
    port-map fasttrack tcp 1214
    port-map finger tcp 79
    port-map ftp tcp 21
    port-map gnutella tcp 6346 6347 6348 6349 6355 5634
    port-map gopher udp 70
    port-map gopher tcp 70
    port-map h323 udp 1300 1718 1719 1720 11720
    port-map h323 tcp 1300 1718 1719 1720 11000 - 11999
    port-map http tcp 80
    port-map imap udp 143 220
    port-map imap tcp 143 220
    port-map irc udp 194
    port-map irc tcp 194
    port-map kerberos udp 88 749
    port-map kerberos tcp 88 749
    port-map l2tp udp 1701
    port-map ldap udp 389
    port-map ldap tcp 389
    port-map mgcp udp 2427 2727
    port-map mgcp tcp 2427 2428 2727
    port-map netbios udp 137 138
    port-map netbios tcp 137 139
    port-map netshow tcp 1755
    port-map nfs udp 2049
    port-map nfs tcp 2049
    port-map nntp udp 119
    port-map nntp tcp 119
    port-map notes udp 1352
    port-map notes tcp 1352
    port-map novadigm udp 3460 3461 3462 3463 3464 3465
    port-map novadigm tcp 3460 3461 3462 3463 3464 3465
    port-map ntp udp 123
    port-map ntp tcp 123
    port-map pcanywhere udp 22 5632
    port-map pcanywhere tcp 65301 5631
    port-map pop3 udp 110
    port-map pop3 tcp 110
    port-map pptp tcp 1723
    port-map printer udp 515
    port-map printer tcp 515
    port-map rcmd tcp 512 513 514
    port-map rip udp 520
    port-map rsvp udp 1698 1699
    port-map rtsp tcp 554
    port-map secure-ftp tcp 990
    port-map secure-http tcp 443
    port-map secure-imap udp 585 993
    port-map secure-imap tcp 585 993
    port-map secure-irc udp 994
    port-map secure-irc tcp 994
    port-map secure-ldap udp 636
    port-map secure-ldap tcp 636
    port-map secure-nntp udp 563
    port-map secure-nntp tcp 563
    port-map secure-pop3 udp 995
    port-map secure-pop3 tcp 995
    port-map secure-telnet tcp 992
    port-map sip udp 5060
    port-map sip tcp 5060
    port-map skinny tcp 2000 2001 2002
    port-map smtp tcp 25
    port-map snmp udp 161 162
    port-map snmp tcp 161 162
    port-map socks tcp 1080
    port-map sqlnet tcp 1521
    port-map sqlserver tcp 1433
    port-map ssh tcp 22
    port-map streamwork udp 1558
    port-map sunrpc udp 111
    port-map sunrpc tcp 111
    port-map syslog udp 514
    port-map telnet tcp 23
    port-map tftp udp 69
    port-map vdolive tcp 7000
    port-map winmx tcp 6699
    port-map xwindows tcp 6000 6001 6002 6003

Add port 8080 to NBAR's HTTP port list, classify HTTP, reserve the bandwidth and check the result:

    r2(config)#ip nbar port-map http tcp 80 8080   (add 8080 to NBAR's http port list)
    r2#sh ip nbar port-map http
    port-map http tcp 80 8080
    r2(config)#class-map HTTP                      (put the http flows into the HTTP class)
    r2(config-cmap)#match protocol http
    r2(config)#policy-map feng
    r2(config-pmap)#class HTTP
    r2(config-pmap-c)#ban ?
                 Kilo Bits per second
      percent    % of total Bandwidth
      remaining  % of the remaining bandwidth
    r2(config-pmap-c)#ban 25
    r2(config)#int s1/2
    r2(config-if)#service-policy output feng
    r2#sh policy-map interface s1/2                (check whether the NBAR match took effect)
    Serial1/2
      Service-policy output: feng
        Class-map: HTTP (match-all)
          5 packets, 411 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: protocol http
          Queueing
            Output Queue: Conversation 25
            Bandwidth 25 (kbps) Max Threshold 64 (packets)
            (pkts matched/bytes matched) 5/411
            (depth/total drops/no-buffer drops) 0/0/0
        Class-map: class-default (match-any)
          5392 packets, 1127630 bytes
          5 minute offered rate 37000 bps, drop rate 5000 bps
          Match: any

Lab: marking and queueing traffic passing through R2 (a comprehensive lab)

The company requires that traffic from R1 to R2 be marked as follows: HTTP gets precedence 5, FTP precedence 4, telnet precedence 3, DHCP precedence 2, ICMP precedence 1, and all remaining traffic precedence 0. When this traffic leaves R2 towards R3, bandwidth is allocated according to this table:

    Precedence   Bandwidth
    5            14K
    4            13K
    3            12K
    2            11K
    1            10K
    0            8K

Steps:

1. Classify the different kinds of traffic arriving from R1 at R2:

    r2#sh class-map
    Class Map match-all TELNET (id 3)
      Match protocol telnet
    Class Map match-all ICMP (id 5)
      Match protocol icmp
    Class Map match-all HTTP (id 1)
      Match protocol http
    Class Map match-all DHCP (id 4)
      Match protocol dhcp
    Class Map match-any class-default (id 0)
      Match any
    Class Map match-all FTP (id 2)
      Match protocol ftp

2. Set a different precedence for each kind of traffic:

    r2#sh policy-map fengxuhui-in
    Policy Map fengxuhui-in
      Class HTTP
        set ip precedence 5
      Class FTP
        set ip precedence 4
      Class TELNET
        set ip precedence 3
      Class DHCP
        set ip precedence 2
      Class ICMP
        set ip precedence 1
      Class class-default
        set ip precedence 0

3. Apply it inbound on the interface:

    r2(config)#int s1/0
    r2(config-if)#service-policy in fengxuhui-in

4. Classify again, by precedence, for the outbound direction:

    Class Map match-all P-5 (id 6)
      Match ip precedence 5
    Class Map match-all P-4 (id 7)
      Match ip precedence 4
    Class Map match-all P-1 (id 10)
      Match ip precedence 1
    Class Map match-all P-0 (id 11)
      Match ip precedence 0
    Class Map match-all P-3 (id 8)
      Match ip precedence 3
    Class Map match-all P-2 (id 9)
      Match ip precedence 2

5. For each precedence class, build the policy from the bandwidth allocation table given by management:

    r2#sh policy-map fengxuhui-out
    Policy Map fengxuhui-out
      Class P-5
        Bandwidth 14 (kbps) Max Threshold 64 (packets)
      Class P-4
        Bandwidth 13 (kbps) Max Threshold 64 (packets)
      Class P-3
        Bandwidth 12 (kbps) Max Threshold 64 (packets)
      Class P-2
        Bandwidth 11 (kbps) Max Threshold 64 (packets)
      Class P-1
        Bandwidth 10 (kbps) Max Threshold 64 (packets)
      Class P-0
        Bandwidth 8 (kbps) Max Threshold 64 (packets)

6. Apply it outbound on the interface:

    r2(config-if)#service-policy out fengxuhui-out

Lab: creating a PDLM (custom protocol) with NBAR

    ip nbar custom feng01 tcp 1524 27665
    ip nbar custom feng02 udp 31335 27444

What was defined above is the signature of a DDoS tool. Match it in a class and drop it:

    r2(config)#class-map DDOS
    r2(config-cmap)#match protocol feng01
    r2(config-cmap)#match protocol feng02
    r2(config)#policy-map DDOS-DENY
    r2(config-pmap)#class DDOS
    r2(config-pmap-c)#drop
    r2(config-pmap)#int s1/0
    r2(config-if)#service-policy in DDOS-DENY

Lab: filtering with a downloaded PDLM

    R1(config)#ip nbar pdlm tftp:/      (followed by the address of the TFTP server)

Requirement: block BitTorrent downloads. Download a BitTorrent PDLM from the Cisco website and copy it to your router's flash.
* You can go and download the various PDLMs yourselves.

Lab 2: Classification with PBR

1. Requirement: the customer wants VoIP traffic to have precedence 5, HTTP precedence 4, telnet precedence 3, FTP precedence 2 and all other traffic precedence 1.

2. Build the scenario above and configure the traffic generation.

3. Use access control lists to capture the traffic:

    r2#sh access-list
    Extended IP access list 101
        10 permit ip host host                (captures the VoIP traffic)
    Extended IP access list 102
        10 permit tcp any any eq www          (captures the www traffic)
    Extended IP access list 103
        10 permit tcp any any eq telnet       (captures the telnet traffic)
    Extended IP access list 104
        10 permit tcp any any eq ftp-data     (captures the FTP traffic)
        20 permit tcp any any eq ftp

4. Use PBR to set the precedence:

    r2#sh route-map fxh                             (the route-map is named fxh)
    route-map fxh, permit, sequence 10              (first policy entry, sequence number 10)
      Match clauses:
        ip address (access-lists): 101              (the ACL matched is 101)
      Set clauses:
        ip precedence critical                      (sets precedence 5)
      Policy routing matches: 0 packets, 0 bytes    (0 means the policy has not taken effect yet)
    route-map fxh, permit, sequence 20
      Match clauses:
        ip address (access-lists): 102
      Set clauses:
        ip precedence flash-override
      Policy routing matches: 0 packets, 0 bytes
    route-map fxh, permit, sequence 30
      Match clauses:
        ip address (access-lists): 103
      Set clauses:
        ip precedence flash
      Policy routing matches: 0 packets, 0 bytes
    route-map fxh, permit, sequence 40
      Match clauses:
        ip address (access-lists): 104
      Set clauses:
        ip precedence immediate
      Policy routing matches: 0 packets, 0 bytes
    route-map fxh, permit, sequence 50
      Match clauses:
      Set clauses:
        ip precedence priority
      Policy routing matches: 0 packets, 0 bytes

5. Apply it to the interface:

    r2(config)#int s1/0
    r2(config-if)#ip policy route-map fxh

6. Test the result of the configuration:

    r2#sh route-map
    route-map fxh, permit, sequence 10
      Match clauses:
        ip address (access-lists): 101
      Set clauses:
        ip precedence critical
      Policy routing matches: 0 packets, 0 bytes
    route-map fxh, permit, sequence 20
      Match clauses:
        ip address (access-lists): 102
      Set clauses:
        ip precedence flash-override
      Policy routing matches: 10 packets, 505 bytes
    route-map fxh, permit, sequence 30
      Match clauses:
        ip address (access-lists): 103
      Set clauses:
        ip precedence flash
      Policy routing matches: 4 packets, 180 bytes
    route-map fxh, permit, sequence 40
      Match clauses:
        ip address (access-lists): 104
      Set clauses:
        ip precedence immediate
      Policy routing matches: 2 packets, 96 bytes
    route-map fxh, permit, sequence 50
      Match clauses:
      Set clauses:
        ip precedence priority
      Policy routing matches: 8231 packets, 2033573 bytes

7. Commands for checking CEF fast switching:

    r1#sh adjacency detail      (shows our CEF adjacency information; the detail keyword is required)
    Protocol Interface                 Address
    IP       Serial1/0                 point2point(15)
                                       0 packets, 0 bytes
                                       0F000800
                                       CEF expires: 00:02:01
                                            refresh: 00:00:01
                                       Epoch: 0
    r1#sh ip cef                (shows the fast-switching table; pay attention to the parameters that follow)

Lab 3: A QPPB lab

Lab steps:

1. Configure the link layer:

    r1#sh run
    Building configuration...

    Current configuration : 1419 bytes
    !
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname r1
    !
    boot-start-marker
    boot-end-marker
    !
    enable password cisco
    !
    no aaa new-model
    memory-size iomem 5
    ip cef
    !
    no ip domain lookup
    !
    !
    !
    interface Loopback0
     ip address
    !
    interface FastEthernet0/0
     no ip address
     shutdown
     duplex auto
     speed auto
    !
    interface FastEthernet0/1
     no ip address
     shutdown
     duplex auto
     speed auto
    !
    interface Serial1/0
     ip address
     serial restart-delay 0
    !
    interface Serial1/1
     no ip address
     shutdown
     serial restart-delay 0
    !
    interface Serial1/2
     no ip address
     shutdown
     serial restart-delay 0
    !
    interface Serial1/3
     no ip address
     shutdown
     serial restart-delay 0
    !
    router ospf 100
     router-id
     area 0
    !
    router bgp 24
     no synchronization
     bgp router-id
     bgp log-neighbor-changes
     neighbor remote-as 12
     no auto-summary
    !
    ip http server
    no ip http secure-server
    !
    control-plane
    !
    alias exec a sh ip int brief
    alias exec b sh ip route
    alias exec c sh ip route rip
    alias exec d sh run
    !
    line con 0
     exec-timeout 0 0
     logging synchronous
    line aux 0
     exec-timeout 0 0
     logging synchronous
    line vty 0 4
     exec-timeout 0 0
     password cisco
     login
    !
    end

    r2#sh run
    Building configuration...

    Current configuration : 1465 bytes
    !
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname r2
    !
    boot-start-marker
    boot-end-marker
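Every lab above is verified the same way, by reading the per-class counters in `show policy-map interface`. The following Python parser is an added example (not part of the lab, and not a tool from the course) that pulls those counters out of the text and reports the three things an operator checks first: classes that never matched a packet (a classifier or NBAR port-map problem), classes whose action is drop, and classes reporting a non-zero drop rate. The sample text is constructed to resemble the lab's output, not copied from a live router.

```python
import re

# Constructed sample modelled on the lab's "sh policy-map interface s1/0" output
# after "drop" was configured under class ICMP (abridged to three classes).
SAMPLE = """\
  Service-policy input: feng
    Class-map: DHCP (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps
    Class-map: ICMP (match-all)
      71 packets, 5120 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: protocol icmp
      Drop
    Class-map: class-default (match-any)
      6145 packets, 1249329 bytes
      5 minute offered rate 39000 bps, drop rate 5000 bps
"""
POLICY_RE = re.compile(r"^\s*Service-policy (input|output): (\S+)")
CLASS_RE = re.compile(r"^\s*Class-map: (\S+) \(match-(?:all|any)\)")
COUNT_RE = re.compile(r"^\s*(\d+) packets, (\d+) bytes")
RATE_RE = re.compile(r"offered rate (\d+) bps(?:, drop rate (\d+) bps)?")

def parse_policy_map(text):
    """Parse 'show policy-map interface' output into per-class counters."""
    info = {"direction": None, "policy": None, "classes": {}}
    cur = {}                       # counters seen before any Class-map line are discarded
    for line in text.splitlines():
        if m := POLICY_RE.match(line):
            info["direction"], info["policy"] = m.groups()
        elif m := CLASS_RE.match(line):
            cur = info["classes"][m.group(1)] = {
                "packets": 0, "bytes": 0, "offered_bps": 0, "drop_bps": 0, "drop": False}
        elif m := COUNT_RE.match(line):
            cur["packets"], cur["bytes"] = int(m.group(1)), int(m.group(2))
        elif m := RATE_RE.search(line):
            # the drop-rate group is absent when IOS prints only the offered rate
            cur["offered_bps"], cur["drop_bps"] = int(m.group(1)), int(m.group(2) or 0)
        elif line.strip().lower() == "drop":       # the class action line, not a counter
            cur["drop"] = True
    return info

def policy_report(text):
    """Classes that never matched, classes set to drop, and classes with a drop rate."""
    info = parse_policy_map(text)
    cls = info["classes"]
    return {"policy": info["policy"], "direction": info["direction"],
            "never_hit": [n for n, c in cls.items() if c["packets"] == 0 and n != "class-default"],
            "dropping": [n for n, c in cls.items() if c["drop"]],
            "drop_bps": {n: c["drop_bps"] for n, c in cls.items() if c["drop_bps"]}}
```

Feed it the output of `show policy-map interface` for the interface in question; a class in `never_hit` after traffic has been generated usually means the protocol is not being recognised (compare `sh ip nbar protocol-discovery` and the port-map).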

