Some customers have asked me whether I can limit the downstream speed of some internal machines. I naturally replied that I can. Rate limiting is certainly possible, but there is one specific problem to consider. Generally, the access router also performs address translation, and for traffic arriving from the Internet the router's order of operations is: check input rate limits -> NAT outside to inside -> check output rate limits. To apply a speed limit policy to particular internal hosts, the ACL must specify the inside local address, and that address only appears on the packet after NAT. Therefore, service-policy output xxx should be applied on the intranet (inside) interface, instead of service-policy input xxx on the Internet (outside) interface. The following is a specific example:
Router#sh run
Building configuration...
Current configuration : 1026 bytes
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
!
ip subnet-zero
!
!
no ip domain lookup
!
!
class-map match-all test-class
 match access-group 100
!
!
policy-map speed
 class test-class
  police cir 80000 bc 32000
   conform-action transmit
   exceed-action drop
!
!
!
!
!
interface FastEthernet0/0
 ip address 192.168.1.111 255.255.255.0
 ip nat outside
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 172.16.1.1 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
 service-policy output speed
!
ip nat inside source list 1 interface FastEthernet0/0 overload
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.1
no ip http server
!
!
access-list 1 permit any
access-list 100 deny ip any host 172.16.1.100
access-list 100 permit ip any any
!
line con 0
line aux 0
line vty 0 4
!
!
end
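
To see why the policy has to sit on the inside interface, the following added example (not part of the original post) walks one returning packet through the three stages described above, using ACL 100 from the configuration. The PAT port table, the host 172.16.1.50 and the function names are assumptions made for illustration.

```python
import ipaddress

# ACL 100 from the configuration above: (action, destination); source is "any".
ACL_100 = [("deny", "172.16.1.100/32"), ("permit", "0.0.0.0/0")]

# Constructed PAT table (assumption): outside port on the router -> inside local host.
NAT_TABLE = {40001: "172.16.1.100", 40002: "172.16.1.50"}
OUTSIDE_IP = "192.168.1.111"  # FastEthernet0/0, the overload address


def acl_permits(acl, dst):
    """First-match ACL evaluation with the implicit deny at the end."""
    addr = ipaddress.ip_address(dst)
    for action, net in acl:
        if addr in ipaddress.ip_network(net):
            return action == "permit"
    return False


def classify_download(dst_port):
    """Follow one returning packet through the stages named in the text.

    Returns (matched_by_input_policy_on_outside,
             matched_by_output_policy_on_inside,
             inside_local_address).
    """
    # Stage 1: input rate-limit check on the outside interface. The packet is
    # still addressed to the router's outside address, so every internal host
    # looks the same to the ACL.
    matched_on_input = acl_permits(ACL_100, OUTSIDE_IP)
    # Stage 2: NAT outside to inside rewrites the destination.
    inside_local = NAT_TABLE[dst_port]
    # Stage 3: output rate-limit check on the inside interface. The ACL now
    # sees the inside local address and can tell hosts apart.
    matched_on_output = acl_permits(ACL_100, inside_local)
    return matched_on_input, matched_on_output, inside_local


if __name__ == "__main__":
    for port in sorted(NAT_TABLE):
        on_in, on_out, host = classify_download(port)
        print(f"{host}: outside-input match={on_in}, inside-output match={on_out}")
```

With the policy on the outside interface as input, traffic for 172.16.1.100 would be policed along with everything else, because the deny entry never sees that address; on the inside interface as output, the deny entry takes effect.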