Problem caused by configuring P2P and IP-CAR together

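Published: 2012-07-17
Problem description

After the customer configured both P2P rate limiting and IP-CAR rate limiting, a problem appeared: the 3 admin IPs could download at no more than 300K, and the IPs in the VIP group could also download at no more than 300K. The customer's intent was for the 3 admin IPs to have a maximum P2P download rate of 50M, the VIP IPs a maximum P2P download rate of 16M, and all other IPs a P2P download rate of 0Kbps.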

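Alarm information
Handling process
Have the customer deny the admin and VIP addresses (acl 3005 and acl 3010) under acl 3040, that is, do not let IP-CAR limit the addresses in admin and VIP. This solved the problem.
Root cause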

acl number 3005
 description admin
 rule 0 permit ip source 19.133.233.98 0
 rule 5 permit ip source 19.133.233.9 0
 rule 10 permit ip source 19.133.233.66 0
acl number 3010
 description vip
 rule 10 permit ip source 19.133.233.88 0
 rule 15 permit ip source 19.133.233.198 0
 rule 20 permit ip source 19.133.233.12 0
 rule 25 permit ip source 19.133.233.15 0
 rule 30 permit ip source 19.133.233.158 0
 rule 35 permit ip source 19.133.233.229 0
 rule 40 permit ip source 19.133.233.148 0
 rule 45 permit ip source 19.133.233.213 0
 rule 50 permit ip source 19.133.231.37 0
 rule 55 permit ip source 19.133.233.202 0
 rule 60 permit ip source 19.133.233.189 0

acl number 3015
 description p2p-car other ip
 rule 0 permit ip

firewall interzone trust untrust
 p2p-car 3005 class 5 inbound
 p2p-car 3010 class 10 inbound
 p2p-car 3015 class 15 inbound
 p2p-car 3005 class 5 outbound
 p2p-car 3010 class 10 outbound          
 p2p-car 3015 class 15 outbound
 p2p-detect enable
 p2p-detect mode default
 p2p-detect mode behavior

p2p-class 5
 cir default 50000
#
p2p-class 10
 cir default 16000
#
p2p-class 15
 cir default 0 

The configuration above is for P2P; the configuration below is for IP-CAR.

acl number 3020
 description xiaoluyou
 rule 0 permit ip source 19.133.233.208 0
 rule 5 permit ip source 19.133.65.14 0
 rule 10 permit ip source 19.133.232.121 0
 rule 15 permit ip source 19.133.234.168 0
acl number 3030
 description jianjin
 rule 0 permit ip source 19.133.232.92 0
acl number 3040
 description ip-car any ip
 rule 0 permit ip

 firewall car-class 1 5000000
 firewall car-class 2 3000000
 firewall car-class 3 2400000

firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/1
 statistic enable ip inzone
 statistic enable ip outzone
 statistic car ip inbound 2 acl-number 3020
 statistic car ip outbound 2 acl-number 3020
 statistic car ip inbound 1 acl-number 3030
 statistic car ip outbound 1 acl-number 3030
 statistic car ip inbound 3 acl-number 3040
 statistic car ip outbound 3 acl-number 3040
 

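The customer configured P2P first and then IP-CAR.

After the IPs in acl 3005 and acl 3010 have been matched by P2P, they are matched again by acl 3040 of IP-CAR, which is why downloads for the IPs in 3005 and 3010 could not exceed 300k. The IPs in acl 3015 are limited to 0 and do not go on to the IP-CAR flow.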

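Recommendations and summary

P2P first, then IP-CAR

   If a packet that enters the P2P flow is dropped, it does not enter IP-CAR; otherwise it goes on to the IP-CAR flow.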
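
The two-stage behavior described above, as an added Python model (not part of the original case and not device code) that evaluates the page's ACLs before and after the acl 3040 fix. Assumptions: the first matching entry wins in each stage, p2p-class cir is in kbit/s, car-class values are in bit/s (2400000 bit/s = 300 KB/s, consistent with the observed 300K), and 19.133.233.1 is a constructed "other" address.

```python
# Added model, not device code. Assumptions: first matching entry wins in each
# stage, p2p-class cir is in kbit/s, firewall car-class values are in bit/s.
ANY = None
ADMIN = {"19.133.233.98", "19.133.233.9", "19.133.233.66"}            # acl 3005
VIP = {"19.133.233.88", "19.133.233.198", "19.133.233.12", "19.133.233.15",
       "19.133.233.158", "19.133.233.229", "19.133.233.148", "19.133.233.213",
       "19.133.231.37", "19.133.233.202", "19.133.233.189"}           # acl 3010
ACL_3020 = [("permit", {"19.133.233.208", "19.133.65.14",
                        "19.133.232.121", "19.133.234.168"})]
ACL_3030 = [("permit", {"19.133.232.92"})]
ACL_3040 = [("permit", ANY)]                                   # as on the page
ACL_3040_FIXED = [("deny", ADMIN | VIP), ("permit", ANY)]      # the described fix

P2P_STAGE = [([("permit", ADMIN)], 50000),   # p2p-class 5
             ([("permit", VIP)], 16000),     # p2p-class 10
             ([("permit", ANY)], 0)]         # p2p-class 15
IPCAR_BEFORE = [(ACL_3020, 3000000), (ACL_3030, 5000000), (ACL_3040, 2400000)]
IPCAR_AFTER = [(ACL_3020, 3000000), (ACL_3030, 5000000), (ACL_3040_FIXED, 2400000)]


def acl_permits(rules, ip):
    """First matching rule decides; an IP matching no rule is not selected."""
    for action, sources in rules:
        if sources is ANY or ip in sources:
            return action == "permit"
    return False


def stage_rate(stage, ip):
    """Rate of the first entry whose ACL permits ip, or None if unrestricted."""
    for rules, rate in stage:
        if acl_permits(rules, ip):
            return rate
    return None


def effective_p2p_kbps(ip, ipcar_stage):
    """P2P ceiling for ip in kbit/s after both stages (None = no limit)."""
    p2p = stage_rate(P2P_STAGE, ip)
    if p2p == 0:
        return 0                      # dropped by P2P, never reaches IP-CAR
    car = stage_rate(ipcar_stage, ip)
    limits = [r for r in (p2p, None if car is None else car // 1000) if r is not None]
    return min(limits) if limits else None


if __name__ == "__main__":
    for ip in ("19.133.233.98", "19.133.233.88", "19.133.233.1"):  # last one is constructed
        print(ip, effective_p2p_kbps(ip, IPCAR_BEFORE), effective_p2p_kbps(ip, IPCAR_AFTER))
```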
