




Lab 1: Basic QoS experiments and building the topology

Experiment: A simple introduction to MQC

Topology: as shown above.

Requirement: a company wants you to classify HTTP, FTP, ICMP and DHCP traffic and apply policies to it.

1. Define the class maps:

    r2#sh class-map
     Class Map match-all TELNET (id 6)
       Match protocol telnet
     Class Map match-all OSPF (id 5)
       Match protocol ospf
     Class Map match-all ICMP (id 2)
       Match protocol icmp
     Class Map match-all HTTP (id 1)
       Match protocol http
     Class Map match-all DHCP (id 4)
       Match protocol dhcp
     Class Map match-any class-default (id 0)
       Match any
     Class Map match-all FTP (id 3)
       Match protocol ftp

2. Build the policy and reference every class in it. The boss says: get rid of ICMP.

    r2#sh policy-map
      Policy Map feng
        Class HTTP
        Class FTP
        Class DHCP
        Class OSPF
        Class TELNET
        Class ICMP

3. Apply the policy to the interface:

    r2(config)#int s1/0
    r2(config-if)#service-policy input feng

4. Check the traffic:

    r2#sh policy-map interface s1/0
     Serial1/0
      Service-policy input: feng
        Class-map: HTTP (match-all)
          5 packets, 411 bytes
          5 minute offered rate 0 bps
          Match: protocol http
        Class-map: FTP (match-all)
          4 packets, 184 bytes
          5 minute offered rate 0 bps
          Match: protocol ftp
        Class-map: DHCP (match-all)
          0 packets, 0 bytes
          5 minute offered rate 0 bps
          Match: protocol dhcp
        Class-map: OSPF (match-all)
          6 packets, 504 bytes
          5 minute offered rate 0 bps
          Match: protocol ospf
        Class-map: TELNET (match-all)
          10 packets, 452 bytes
          5 minute offered rate 0 bps
          Match: protocol telnet
        Class-map: ICMP (match-all)
          14 packets, 1000 bytes
          5 minute offered rate 0 bps
          Match: protocol icmp
        Class-map: class-default (match-any)
          6145 packets, 1249329 bytes
          5 minute offered rate 39000 bps, drop rate 0 bps
          Match: any

Add the drop action to class ICMP and check that class again:

    r2(config)#policy-map feng
    r2(config-pmap)#class ICMP
    r2(config-pmap-c)#drop

    r2#sh policy-map int s1/0 in class ICMP
     Serial1/0
      Service-policy input: feng
        Class-map: ICMP (match-all)
          71 packets, 5120 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: protocol icmp
          Drop

Experiment: Basic NBAR, discovery and policy

Requirement: run NBAR protocol discovery and allocate 25k of bandwidth to HTTP.

Enable NBAR protocol discovery on the interface:

    r2(config)#ip cef
    r2(config)#int s1/0
    r2(config-if)#ip nbar protocol-discovery

View the protocols seen in the flows on the interface:

    r2# sh ip nbar protocol-discovery int s1/0
     Serial1/0
                                Input                    Output
                                -----                    ------
       Protocol                 Packet Count             Packet Count
                                Byte Count               Byte Count
                                5min Bit Rate (bps)      5min Bit Rate (bps)
                                5min Max Bit Rate (bps)  5min Max Bit Rate (bps)
       ------------------------ ------------------------ ------------------------
       icmp                     16                       16
                                1120                     1120
                                0                        0
                                0                        0
       ospf                     7                        6
                                588                      504
                                0                        0
                                0                        0
       telnet                   7                        7
                                316                      316
                                0                        0
                                0                        0
       http                     3                        4
                                150                      471
                                0                        0
                                0                        0
       ftp                      4                        4
                                184                      184

View all the ports NBAR can recognize:

    r2#sh ip nbar port-map
    port-map bgp udp 179
    port-map bgp tcp 179
    port-map citrix udp 1604
    port-map citrix tcp 1494
    port-map cuseeme udp 7648 7649 24032
    port-map cuseeme tcp 7648 7649
    port-map dhcp udp 67 68
    port-map dns udp 53
    port-map dns tcp 53
    port-map edonkey tcp 4662
    port-map exchange tcp 135
    port-map fasttrack tcp 1214
    port-map finger tcp 79
    port-map ftp tcp 21
    port-map gnutella tcp 6346 6347 6348 6349 6355 5634
    port-map gopher udp 70
    port-map gopher tcp 70
    port-map h323 udp 1300 1718 1719 1720 11720
    port-map h323 tcp 1300 1718 1719 1720 11000 - 11999
    port-map http tcp 80
    port-map imap udp 143 220
    port-map imap tcp 143 220
    port-map irc udp 194
    port-map irc tcp 194
    port-map kerberos udp 88 749
    port-map kerberos tcp 88 749
    port-map l2tp udp 1701
    port-map ldap udp 389
    port-map ldap tcp 389
    port-map mgcp udp 2427 2727
    port-map mgcp tcp 2427 2428 2727
    port-map netbios udp 137 138
    port-map netbios tcp 137 139
    port-map netshow tcp 1755
    port-map nfs udp 2049
    port-map nfs tcp 2049
    port-map nntp udp 119
    port-map nntp tcp 119
    port-map notes udp 1352
    port-map notes tcp 1352
    port-map novadigm udp 3460 3461 3462 3463 3464 3465
    port-map novadigm tcp 3460 3461 3462 3463 3464 3465
    port-map ntp udp 123
    port-map ntp tcp 123
    port-map pcanywhere udp 22 5632
    port-map pcanywhere tcp 65301 5631
    port-map pop3 udp 110
    port-map pop3 tcp 110
    port-map pptp tcp 1723
    port-map printer udp 515
    port-map printer tcp 515
    port-map rcmd tcp 512 513 514
    port-map rip udp 520
    port-map rsvp udp 1698 1699
    port-map rtsp tcp 554
    port-map secure-ftp tcp 990
    port-map secure-http tcp 443
    port-map secure-imap udp 585 993
    port-map secure-imap tcp 585 993
    port-map secure-irc udp 994
    port-map secure-irc tcp 994
    port-map secure-ldap udp 636
    port-map secure-ldap tcp 636
    port-map secure-nntp udp 563
    port-map secure-nntp tcp 563
    port-map secure-pop3 udp 995
    port-map secure-pop3 tcp 995
    port-map secure-telnet tcp 992
    port-map sip udp 5060
    port-map sip tcp 5060
    port-map skinny tcp 2000 2001 2002
    port-map smtp tcp 25
    port-map snmp udp 161 162
    port-map snmp tcp 161 162
    port-map socks tcp 1080
    port-map sqlnet tcp 1521
    port-map sqlserver tcp 1433
    port-map ssh tcp 22
    port-map streamwork udp 1558
    port-map sunrpc udp 111
    port-map sunrpc tcp 111
    port-map syslog udp 514
    port-map telnet tcp 23
    port-map tftp udp 69
    port-map vdolive tcp 7000
    port-map winmx tcp 6699
    port-map xwindows tcp 6000 6001 6002 6003

Add port 8080 to NBAR's list of HTTP ports:

    r2(config)#ip nbar port-map http tcp 80 8080
    r2#sh ip nbar port-map http
    port-map http tcp 80 8080

Classify HTTP flows into class HTTP, give the class 25 kbps in the policy, and apply the policy outbound:

    r2(config)#class-map HTTP
    r2(config-cmap)#match protocol http
    r2(config)#policy-map feng
    r2(config-pmap)#class HTTP
    r2(config-pmap-c)#ban ?
        Kilo Bits per second
      percent    % of total Bandwidth
      remaining  % of the remaining bandwidth
    r2(config-pmap-c)#ban 25
    r2(config)#int s1/2
    r2(config-if)#service-policy output feng

Check whether the NBAR class is being hit:

    r2#sh policy-map interface s1/2
     Serial1/2
      Service-policy output: feng
        Class-map: HTTP (match-all)
          5 packets, 411 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: protocol http
          Queueing
            Output Queue: Conversation 25
            Bandwidth 25 (kbps) Max Threshold 64 (packets)
            (pkts matched/bytes matched) 5/411
            (depth/total drops/no-buffer drops) 0/0/0
        Class-map: class-default (match-any)
          5392 packets, 1127630 bytes
          5 minute offered rate 37000 bps, drop rate 5000 bps
          Match: any

Experiment: Filtering the traffic that passes through R2 (a comprehensive lab)

Company requirement: for traffic from R1 to R2, HTTP gets precedence 5, FTP gets precedence 4, telnet gets precedence 3, DHCP gets precedence 2, ICMP gets precedence 1, and all remaining traffic gets precedence 0. When this traffic leaves R2 towards R3, bandwidth is allocated according to the following table:

    Precedence   Bandwidth
    5            14K
    4            13K
    3            12K
    2            11K
    1            10K
    0            8K

Steps:

1. Classify the different kinds of traffic arriving from R1 at R2:

    r2#sh class-map
     Class Map match-all TELNET (id 3)
       Match protocol telnet
     Class Map match-all ICMP (id 5)
       Match protocol icmp
     Class Map match-all HTTP (id 1)
       Match protocol http
     Class Map match-all DHCP (id 4)
       Match protocol dhcp
     Class Map match-any class-default (id 0)
       Match any
     Class Map match-all FTP (id 2)
       Match protocol ftp

2. Set a different precedence for each kind of traffic:

    r2#sh policy-map fengxuhui-in
      Policy Map fengxuhui-in
        Class HTTP
          set ip precedence 5
        Class FTP
          set ip precedence 4
        Class TELNET
          set ip precedence 3
        Class DHCP
          set ip precedence 2
        Class ICMP
          set ip precedence 1
        Class class-default
          set ip precedence 0

3. Apply the policy to the interface in the inbound direction:

    r2(config)#int s1/0
    r2(config-if)#service-policy in fengxuhui-in

4. Classify by precedence for the outbound interface direction:

     Class Map match-all P-5 (id 6)
       Match ip precedence 5
     Class Map match-all P-4 (id 7)
       Match ip precedence 4
     Class Map match-all P-1 (id 10)
       Match ip precedence 1
     Class Map match-all P-0 (id 11)
       Match ip precedence 0
     Class Map match-all P-3 (id 8)
       Match ip precedence 3
     Class Map match-all P-2 (id 9)
       Match ip precedence 2

5. For each precedence you classified, build the policy from the boss's precedence-to-bandwidth table:

    r2#sh policy-map fengxuhui-out
      Policy Map fengxuhui-out
        Class P-5
          Bandwidth 14 (kbps) Max Threshold 64 (packets)
        Class P-4
          Bandwidth 13 (kbps) Max Threshold 64 (packets)
        Class P-3
          Bandwidth 12 (kbps) Max Threshold 64 (packets)
        Class P-2
          Bandwidth 11 (kbps) Max Threshold 64 (packets)
        Class P-1
          Bandwidth 10 (kbps) Max Threshold 64 (packets)
        Class P-0
          Bandwidth 8 (kbps) Max Threshold 64 (packets)

6. Apply the policy in the outbound direction:

    r2(config-if)#service-policy out fengxuhui-out

Experiment: Creating a PDLM with NBAR

    ip nbar custom feng01 tcp 1524 27665
    ip nbar custom feng02 udp 31335 27444

The two custom protocols defined above describe the port signature of a DDoS attack. The class that uses them has to be match-any, because a packet can match feng01 (TCP) or feng02 (UDP) but never both; with the default match-all the class would match nothing.

    r2(config)#class-map match-any DDOS
    r2(config-cmap)#match protocol feng01
    r2(config-cmap)#match protocol feng02
    r2(config)#policy-map DDOS-DENY
    r2(config-pmap)#class DDOS
    r2(config-pmap-c)#drop
    r2(config-pmap)#int s1/0
    r2(config-if)#service-policy in DDOS-DENY

Experiment: Filtering with a downloaded PDLM

    R1(config)#ip nbar pdlm t00/bittorrent.pdlm

(00 is the address of the TFTP server.)

Requirement: block BitTorrent downloads. Download a BitTorrent PDLM from the Cisco website and copy it to your router's flash.

* You can download other PDLMs afterwards.

Lab 2: Classification with PBR

1. Requirement: the customer wants VoIP traffic at precedence 5, HTTP traffic at precedence 4, telnet traffic at precedence 3, FTP traffic at precedence 2, and all other traffic at precedence 1.

2. Build the scenario above and configure traffic generation.

3. Use access control lists to match the traffic:

    r2#sh access-list
    Extended IP access list 101
        10 permit ip host host               (matches the VoIP traffic)
    Extended IP access list 102
        10 permit tcp any any eq www         (matches the www traffic)
    Extended IP access list 103
        10 permit tcp any any eq telnet      (matches the telnet traffic)
    Extended IP access list 104
        10 permit tcp any any eq ftp-data    (matches the FTP traffic)
        20 permit tcp any any eq ftp

4. Configure the precedences with PBR. The route map is named fxh:

    r2#sh route-map fxh
    route-map fxh, permit, sequence 10                 (first entry, sequence number 10)
      Match clauses:
        ip address (access-lists): 101                 (the ACL matched is 101)
      Set clauses:
        ip precedence critical                         (sets precedence 5)
      Policy routing matches: 0 packets, 0 bytes       (0 means the policy has not taken effect)
    route-map fxh, permit, sequence 20
      Match clauses:
        ip address (access-lists): 102
      Set clauses:
        ip precedence flash-override
      Policy routing matches: 0 packets, 0 bytes
    route-map fxh, permit, sequence 30
      Match clauses:
        ip address (access-lists): 103
      Set clauses:
        ip precedence flash
      Policy routing matches: 0 packets, 0 bytes
    route-map fxh, permit, sequence 40
      Match clauses:
        ip address (access-lists): 104
      Set clauses:
        ip precedence immediate
      Policy routing matches: 0 packets, 0 bytes
    route-map fxh, permit, sequence 50
      Match clauses:
      Set clauses:
        ip precedence priority
      Policy routing matches: 0 packets, 0 bytes

5. Apply the route map to the interface:

    r2(config)#int s1/0
    r2(config-if)#ip policy route-map fxh

6. Test the result of the configuration:

    r2#sh route-map
    route-map fxh, permit, sequence 10
      Match clauses:
        ip address (access-lists): 101
      Set clauses:
        ip precedence critical
      Policy routing matches: 0 packets, 0 bytes
    route-map fxh, permit, sequence 20
      Match clauses:
        ip address (access-lists): 102
      Set clauses:
        ip precedence flash-override
      Policy routing matches: 10 packets, 505 bytes
    route-map fxh, permit, sequence 30
      Match clauses:
        ip address (access-lists): 103
      Set clauses:
        ip precedence flash
      Policy routing matches: 4 packets, 180 bytes
    route-map fxh, permit, sequence 40
      Match clauses:
        ip address (access-lists): 104
      Set clauses:
        ip precedence immediate
      Policy routing matches: 2 packets, 96 bytes
    route-map fxh, permit, sequence 50
      Match clauses:
      Set clauses:
        ip precedence priority
      Policy routing matches: 8231 packets, 2033573 bytes

7. Commands for checking CEF fast forwarding.

Show the CEF adjacency information; the detail parameter is required:

    r1#sh adjacency detail
    Protocol Interface                 Address
    IP       Serial1/0                 point2point(15)
                                       0 packets, 0 bytes
                                       0F000800
                                       CEF   expires: 00:02:01
                                             refresh: 00:00:01
                                       Epoch: 0

Show the fast-forwarding table; pay attention to the parameters that follow the command:

    r1#sh ip cef

Lab 3: A QPPB experiment

Steps:

1. Configure the link layer.

    r1#sh run
    Building configuration.
    Current configuration : 1419 bytes
    !
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname r1
    !
    boot-start-marker
    boot-end-marker
    !
    enable password cisco
    !
    no aaa new-model
    memory-size iomem 5
    ip cef
    !
    no ip domain lookup
    !
    !
    !
    interface Loopback0
     ip address
    !
    interface FastEthernet0/0
     no ip address
     shutdown
     duplex auto
     speed auto
    !
    interface FastEthernet0/1
     no ip address
     shutdown
     duplex auto
     speed auto
    !
    interface Serial1/0
     ip address
     serial restart-delay 0
    !
    interface Serial1/1
     no ip address
     shutdown
     serial restart-delay 0
    !
    interface Serial1/2
     no ip address
     shutdown
     serial restart-delay 0
    !
    interface Serial1/3
     no ip address
     shutdown
     serial restart-delay 0
    !
    router ospf 100
     router-id
     log-adjacency-changes
     network 55 area 0
    !
    router bgp 24
     no synchronization
     bgp router-id
     bgp log-neighbor-changes
     neighbor remote-as 12
     no auto-summary
    !
    ip http server
    no ip http secure-server
    !
    control-plane
    !
    alias exec a sh ip int brief
    alias exec b sh ip route
    alias exec c sh ip route rip
    alias exec d sh run
    !
    line con 0
     exec-timeout 0 0
     logging synchronous
    line aux 0
     exec-timeout 0 0
     logging synchronous
    line vty 0 4
     exec-timeout 0 0
     password cisco
     login
    !
    end

    r2#sh run
    Building configuration.
    Current configuration : 1465 bytes
    !
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname r2
    !
    boot-start-marker
    boot-end-marker
    !
    enable password cisco
    !
    no aaa new-model
    memory-size iomem 5
    ip cef
    !
    no ip domain lookup
    !
    !
    !
    interface Loopback0
     ip address
    !
    interface FastEthernet0/0
     no ip address
     shutdown
     duplex auto
     speed auto
    !
    interface FastEthernet0/1
     no ip address
     shutdown
     duplex auto
     speed auto
    !
    interface Serial1/0
     ip address
     serial restart-delay 0
    !
    interface Serial1/1
     no ip address
     shutdown
     serial restart-delay 0
    !
    interface Serial1/2
     ip address
     serial restart-delay 0
    !
    interface Serial1/3
     no ip address
     shutdown
     serial restart-delay 0
    !
    router ospf 100
     router-id
     log-adjacency-changes
     network 55 area 0
    !
    router bgp 12
     no synchronization
     bgp router-id
     bgp log-neighbor-changes
     neighbor remote-as 24
     neighbor remote-as 12
     no auto-summary
    !
    ip http server
    no ip http secure-server
    !
    control-plane
    !
    alias exec a s
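
The per-class counters printed by "sh policy-map interface" in the MQC lab are what tell you whether a drop policy is actually catching traffic, and they can be checked by script. The following is an added example, not part of the original lab notes: it parses output in that layout and lists drop classes that have never matched a packet. The sample text is constructed from the counters shown in the lab, and the function names are assumptions.

```python
import re

# Constructed sample in the layout of the "sh policy-map interface" output
# shown in the MQC lab (class ICMP carries the drop action).
SAMPLE = """\
 Serial1/0
  Service-policy input: feng
    Class-map: HTTP (match-all)
      5 packets, 411 bytes
      5 minute offered rate 0 bps
      Match: protocol http
    Class-map: ICMP (match-all)
      71 packets, 5120 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: protocol icmp
      Drop
    Class-map: class-default (match-any)
      6145 packets, 1249329 bytes
      5 minute offered rate 39000 bps, drop rate 0 bps
      Match: any
"""

CLASS_RE = re.compile(r"\s*Class-map: (\S+) \((match-all|match-any)\)")
COUNT_RE = re.compile(r"\s*(\d+) packets, (\d+) bytes")


def parse_policy_map(text):
    """Return {class name: {"mode", "packets", "bytes", "matches", "drop"}}."""
    classes, current = {}, None
    for line in text.splitlines():
        if m := CLASS_RE.match(line):
            current = {"mode": m[2], "packets": 0, "bytes": 0,
                       "matches": [], "drop": False}
            classes[m[1]] = current
        elif current is None:
            continue  # interface and service-policy header lines
        elif m := COUNT_RE.match(line):
            current["packets"], current["bytes"] = int(m[1]), int(m[2])
        elif line.strip().startswith("Match:"):
            current["matches"].append(line.split("Match:", 1)[1].strip())
        elif line.strip().lower() == "drop":
            current["drop"] = True  # the class discards what it matches
    return classes


def idle_drop_classes(classes):
    """Drop classes with zero hits: the filter exists but matches nothing."""
    return [n for n, c in classes.items() if c["drop"] and not c["packets"]]
```

A drop class that stays at 0 packets while class-default keeps counting usually means the policy is attached in the wrong direction or the class can never match.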