V1talya
Posted May 16, 2008

I create the rule:

    rate-limit output access-group 104 32000 6000 6000 conform-action transmit exceed-action drop

Without having created access-group 104 yet, the rate-limit output rule is already working... How can that be?

    GigabitEthernet0/1 Connect to NOIP
      Output
        matches: access-group 104
          params:  32000 bps, 6000 limit, 6000 extended limit
          conformed 12186 packets, 1555008 bytes; action: transmit
          exceeded 5011 packets, 2493186 bytes; action: drop
          last packet: 12ms ago, current burst: 5926 bytes
          last cleared 00:06:27 ago, conformed 32000 bps, exceeded 51000 bps

(I don't have access-group 104... yet the rule works, apparently on the whole interface.)

What should I do? (I need to limit the outgoing rate from interface Gi0/1, ip src: 1.1.1.1 dst: 2.2.2.2 eq 80)

V1talya (Author)
Posted May 16, 2008

I created the access-group first, and it seems everything started working correctly :)

Andrei
Posted October 8, 2011

We are implementing a nighttime speed doubling in a similar way. Subscribers authenticate via pptp, the NAS is a cisco, the accounts are in the LB RADIUS agent. On the cisco we added:

===
time-range day
 periodic weekdays 8:00 to 23:59
!
time-range night
 periodic weekdays 0:00 to 7:59
!
access-list 135 permit ip any any time-range night
access-list 136 permit ip any any time-range day
===

From the billing system we allocate the bandwidth with RADIUS attributes:

    lcp:interface-config#1=rate-limit input access-group 136 1024000 384000 384000 conform-action transmit exceed-action drop
    lcp:interface-config#3=rate-limit input access-group 135 2048000 768000 768000 conform-action transmit exceed-action drop

and likewise for output.

But in practice the subscribers get completely unlimited bandwidth :(

    C3725#sh int vi6 rate
    Virtual-Access6
      Input
        matches: access-group 136
          params:  1024000 bps, 384000 limit, 384000 extended limit
          conformed 0 packets, 0 bytes; action: transmit
          exceeded 0 packets, 0 bytes; action: drop
          last packet: 2977639972ms ago, current burst: 0 bytes
          last cleared 00:01:20 ago, conformed 0 bps, exceeded 0 bps
        matches: access-group 135
          params:  2048000 bps, 768000 limit, 768000 extended limit
          conformed 0 packets, 0 bytes; action: transmit
          exceeded 0 packets, 0 bytes; action: drop
          last packet: 2977639976ms ago, current burst: 0 bytes
          last cleared 00:01:20 ago, conformed 0 bps, exceeded 0 bps
      Output
        matches: access-group 136
          params:  1024000 bps, 384000 limit, 384000 extended limit
          conformed 0 packets, 0 bytes; action: transmit
          exceeded 0 packets, 0 bytes; action: drop
          last packet: 2977639976ms ago, current burst: 0 bytes
          last cleared 00:01:20 ago, conformed 0 bps, exceeded 0 bps
        matches: access-group 135
          params:  2048000 bps, 768000 limit, 768000 extended limit
          conformed 0 packets, 0 bytes; action: transmit
          exceeded 0 packets, 0 bytes; action: drop
          last packet: 2977639976ms ago, current burst: 0 bytes
          last cleared 00:01:20 ago, conformed 0 bps, exceeded 0 bps

    C3725#sh int vi6 conf
    Virtual-Access6 is an VPDN link (sub)interface
    Derived configuration : 809 bytes
    !
    interface Virtual-Access6
     ip unnumbered FastEthernet0/0
     no ip redirects
     ip nat inside
     no ip virtual-reassembly
     rate-limit input access-group 136 1024000 384000 384000 conform-action transmit exceed-action drop
     rate-limit input access-group 135 2048000 768000 768000 conform-action transmit exceed-action drop
     rate-limit output access-group 136 1024000 384000 384000 conform-action transmit exceed-action drop
     rate-limit output access-group 135 2048000 768000 768000 conform-action transmit exceed-action drop
     ip policy route-map nat_to_sovintel
     no logging event link-status
     autodetect encapsulation ppp
     peer default ip address pool for_dialup
     keepalive 100
     ppp authentication pap chap callin via_lb
     ppp authorization via_lb
     ppp accounting via_lb
     ppp ipcp dns 192.168.10.1 87.226.191.1
    end

I.e. nothing in rate-limit is matched by the access-groups. And iftop shows that the subscriber is downloading at about 8.5 Mbit/s:

    TX: cumm: 199KB peak: 286Kb rates: 286Kb 266Kb 266Kb
    RX: 4.96MB 8.52Mb 4.58Mb 6.62Mb 6.62Mb

Why would that be?

Andrei
Posted October 8, 2011

    C3725#sh time-range
    time-range entry: day (inactive)
       periodic weekdays 8:00 to 23:59
       used in: IP ACL entry
    time-range entry: night (inactive)
       periodic weekdays 0:00 to 7:59
       used in: IP ACL entry

Why are both inactive?!

Andrei
Posted October 8, 2011

My own blunder - it should have been:

    time-range day
     periodic daily 8:00 to 23:59
    !
    time-range night
     periodic daily 0:00 to 7:59

then

    sh time-range
    time-range entry: day (active)
       periodic daily 8:00 to 23:59
       used in: IP ACL entry
    time-range entry: night (inactive)
       periodic daily 0:00 to 7:59
       used in: IP ACL entry

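Added example (not part of the thread and not Cisco code): a small Python model of how `periodic` time-ranges are evaluated, showing why the `weekdays` ranges posted above were both inactive on the Saturday the posts are dated and what `daily` changes. The function names, the minute-granular matching with an inclusive end minute, and the assumption that the router clock matched the post date are this example's own.

```python
from datetime import datetime

# Day sets for the IOS `periodic` keywords (datetime.weekday(): Mon=0 .. Sun=6).
DAY_SETS = {"daily": set(range(7)), "weekdays": set(range(5)), "weekend": {5, 6}}

def to_minutes(hhmm):
    hours, minutes = hhmm.split(":")
    return int(hours) * 60 + int(minutes)

def parse_periodic(line):
    """Parse 'periodic <keyword> H:MM to H:MM' into (days, start_min, end_min)."""
    tokens = line.split()
    if len(tokens) != 5 or tokens[0] != "periodic" or tokens[3] != "to":
        raise ValueError(f"unsupported periodic statement: {line!r}")
    if tokens[1] not in DAY_SETS:
        raise ValueError(f"unsupported day keyword: {tokens[1]!r}")
    return DAY_SETS[tokens[1]], to_minutes(tokens[2]), to_minutes(tokens[4])

def is_active(line, now):
    # Assumption of this model: minute granularity, end minute inclusive.
    days, start, end = parse_periodic(line)
    minute = now.hour * 60 + now.minute
    return now.weekday() in days and start <= minute <= end

def active_ranges(config, now):
    """Names of the time-ranges in {name: periodic line} that are active at `now`."""
    return sorted(name for name, line in config.items() if is_active(line, now))

# The two configurations from the thread.
AS_POSTED = {"day": "periodic weekdays 8:00 to 23:59",
             "night": "periodic weekdays 0:00 to 7:59"}
CORRECTED = {"day": "periodic daily 8:00 to 23:59",
             "night": "periodic daily 0:00 to 7:59"}

# Constructed clock values: the Saturday the posts are dated, and a Monday night.
SATURDAY_NOON = datetime(2011, 10, 8, 12, 0)
MONDAY_NIGHT = datetime(2011, 10, 10, 3, 0)

if __name__ == "__main__":
    for label, cfg in (("as posted", AS_POSTED), ("corrected", CORRECTED)):
        for when in (SATURDAY_NOON, MONDAY_NIGHT):
            print(label, when.strftime("%a %H:%M"), active_ranges(cfg, when))
```

An ACL entry bound to an inactive time-range does not match, so with the posted `weekdays` ranges neither access-list 135 nor 136 classifies any traffic on a weekend, which is consistent with the zero counters in the `sh int vi6 rate` output above.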