在运营商/数据中心网络中，我们有时候会需要对服务器做出限速。传统的方法有对接口的限速或者对IP的限速，但是这种方法在某些情景下不太适用——比如说，如果只是想对某个方向做限速，比如欧洲方向，或者只对中国内地方向做限速，那么传统的接口或者IP限速就不太实用了。这里我们就需要用一些更弹性的方法来实现该需求。

这次的文章我们来讲解如何在 Juniper 以及 Cisco (IOS-XE) 路由器上实现该功能。

快速开始：什么是QPPB？

众所周知，QoS 策略在普通情景下是不能通过 AS-PATH 或者 BGP community 来进行操作的。而在复杂的运营商网络/数据中心网络中，针对目的 ASN /源 ASN 的 QoS 则是刚需。但是使用 ACL 来进行操作很不现实，大量的 ACL 会消耗路由器等网络设备的 TCAM，这种情况下我们就需要引入 QPPB 技术来实现该需求。

QPPB（QOS Policy Propagation Through the Border Gateway Protocol）技术是一项通过 BGP 路由策略部署 QOS 的技术，通过基于 BGP 路由的 community-list, AS paths list 和 ACL, Prefix-list 等属性进行路由分类，对不同的分类应用不同的QOS策略。

也就是说，我们可以通过该技术实现基于目标/源 ASN 的 QoS，包括限速/排队等功能，本文章着重介绍其中的限速功能。

拓扑图和需求信息如下：

AS-LITTLEWOLF 决定对去往不同方向的流量进行限速，需求分别如下：

• 去往 CNC 的流量，限速至 5Mbps
• 去往 CT 的流量，限速至 10Mbps
• 去往 Asia – Intl 的流量，限速至 50Mbps
• 去往 NA – Intl 的流量，限速至 200Mbps

前期准备：QPPB 是怎么工作的？

普通的限速的步骤大致为以下几步：

• 对感兴趣的 Dest/Src IP地址或接口进行匹配
• 使用 Class-map 调用该 ACL （或者略过 1 阶段，直接默认全部匹配）
• 使用 Policy-map 调用 Class-map，并定义限速动作 ( Shaping or CIR )
• 接口调用 Policy-map，实现限速

但是在 QPPB 下，步骤则分为了这些：

• 对感兴趣的 BGP 路由进行抓取，写入 route-map 对感兴趣的路由进行预定义
• 使用 Table-map 对感兴趣的路由压入 QoS 标记 ( qos-group, ip precedence )
• 使用 Class-map 对 QoS 标记进行调用
• 使用 Policy-map 调用 Class-map，并定义限速动作 ( Shaping or CIR )
• 对感兴趣的流方向接口启动 BGP-policy，以启动 QPPB 功能（否则 Policy-map 不会生效）
• 接口调用 Policy-map，实现限速

Cisco 平台该功能名称为 QPPB，Juniper 平台则叫 SCU/DCU，实现都是同样的功能，只是配置略微有点不同。Juniper 平台我会在稍微后面再讲。

开始实验：配置 Cisco 的 QPPB 功能

我们决定使用 community 来实现标记功能，所以需要定义从每条链路收到的 Community （该部分配置已经省略），链路定义如下：

• 从 CT 收到的路由 – 100:1
• 从 Asia 收到的路由 – 100:2
• 从 NA 收到的路由 – 100:3
• 通过 CT 收到的 CNC 路由 – 9929:0

所有 community 均为标准 community。

ip community-list standard na permit 100:3
ip community-list standard asia permit 100:2
ip community-list standard ct permit 100:1
ip community-list standard cnc permit 9929:0
// 预先定义 community list （路由内的 community 为上游发过来已携带的值）

route-map qppb permit 100 ordering-seq 100
 match community na
 set ip qos-group 1
!
route-map qppb permit 110 ordering-seq 110
 match community asia
 set ip qos-group 2
!
route-map qppb permit 115 ordering-seq 115
 match community cnc
 set ip qos-group 4
!
route-map qppb permit 120 ordering-seq 120
 match community ct
 set ip qos-group 3
!
route-map qppb permit 9999 ordering-seq 9999
!
named-ordering-route-map enable

使用 Routemap 做好分组后，进入 BGP 进程使用 Table-map 压入 QoS Group

router bgp 65000
 table-map qppb // 调用写好的 route-map，对感兴趣的路由压入 QoS Group，做好标记

做好路由的 QoS 标记后，开始写 Class-map 以及 Policy-map，定义限速动作

class-map match-all na
 match qos-group 1 // 匹配预定义好的组（ BGP 中的 Table-map 规则里面定义好的组）
class-map match-all ct
 match qos-group 3
class-map match-all asia
 match qos-group 2
class-map match-all cnc
 match qos-group 4
!
policy-map traffic-shaping
 class na
  shape average 200000000 // 调用 class-map，对指定方向进行限速
 class asia
  shape average 50000000
 class ct
  shape average 10000000
 class cnc
  shape average 5000000

到这里，规则就已经定义好了，调用的逻辑如下：

对感兴趣的路由压入 QoS Group 标记（这里使用 community 来进行匹配） –> Class-map 调用 QoS Group –> Policy-map 调用 Class-map 并规定限速动作 –> 接口激活 BGP-policy 后，调用 policy-map 进行限速

由于 traffic-shaping 是出站概念（排队概念），与 Policer CIR 概念不同，所以需要在出接口上调用。

interface GigabitEthernet2 (Upstream)
 ip address 100.64.0.5 255.255.255.254
 (...protocol config ignored)
 service-policy output traffic-shaping 
// 在这个接口上调用 shaping policy，实现限速功能

interface GigabitEthernet3 (Downstream)
 ip address 172.0.2.1 255.255.255.0
 (...protocol config ignored)
 bgp-policy destination ip-qos-map 
// 为 BGP QPPB 激活接口功能，激活 Upstream 的 shaping policy 
// 激活的是基于目的地址的匹配，匹配流量去往的目的地。如果是 Policy CIR 则是在该接口 inbound 方向调用 Policy-map

如果只是限制出网流量，则以上配置已经足够。但是如果要限制入站流量，则需要以下配置：

interface GigabitEthernet2 (Upstream)
 ip address 100.64.0.5 255.255.255.254
 (...protocol config ignored)
 bgp-policy source ip-qos-map
// 为 BGP QPPB 激活接口功能，激活 Downstream 的 shaping policy 
// 激活的是基于源地址的匹配，匹配流量的来源。如果是 Policy CIR 则是在该接口 inbound 方向调用 Policy-map

interface GigabitEthernet3 (Downstream)
 ip address 172.0.2.1 255.255.255.0
 (...protocol config ignored)
 service-policy output traffic-shaping 
// 在这个接口上调用 shaping policy，实现限速功能

配置完成，我们在下接 Cisco 路由器的服务器上来测试一下上下行：

root@localhost:~# iperf3 -c 100.64.1.2 -p 443 -t 5 // 去往 CT 的流量
Connecting to host 100.64.1.2, port 443
[  5] local 172.0.2.2 port 15888 connected to 100.64.1.2 port 443
[ ID] Interval           Transfer     Bitrate         Retr  Cwnd
[  5]   0.00-1.00   sec  1.26 MBytes  10.5 Mbits/sec   42   33.9 KBytes
[  5]   1.00-2.00   sec  1.13 MBytes  9.49 Mbits/sec    0   28.3 KBytes
[  5]   2.00-3.00   sec  1.13 MBytes  9.46 Mbits/sec    0   25.5 KBytes
[  5]   3.00-4.00   sec  1.13 MBytes  9.46 Mbits/sec    0   28.3 KBytes
[  5]   4.00-5.00   sec  1.13 MBytes  9.50 Mbits/sec    0   28.3 KBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-5.00   sec  5.78 MBytes  9.69 Mbits/sec   42             sender
[  5]   0.00-5.06   sec  5.73 MBytes  9.51 Mbits/sec                  receiver

iperf Done.
root@localhost:~# iperf3 -c 100.64.1.2 -p 443 -t 5 -R // 来自于 CT 的流量
Connecting to host 100.64.1.2, port 443
Reverse mode, remote host 100.64.1.2 is sending
[  5] local 172.0.2.2 port 15892 connected to 100.64.1.2 port 443
[ ID] Interval           Transfer     Bitrate
[  5]   0.00-1.00   sec  1.24 MBytes  10.4 Mbits/sec
[  5]   1.00-2.00   sec  1.14 MBytes  9.57 Mbits/sec
[  5]   2.00-3.00   sec  1.14 MBytes  9.57 Mbits/sec
[  5]   3.00-4.00   sec  1.14 MBytes  9.57 Mbits/sec
[  5]   4.00-5.00   sec  1.14 MBytes  9.56 Mbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-5.04   sec  5.86 MBytes  9.76 Mbits/sec  443             sender
[  5]   0.00-5.00   sec  5.80 MBytes  9.74 Mbits/sec                  receiver

root@localhost:~# iperf3 -c 100.64.2.2 -p 443 -t 5 // 去往 CNC 的流量
Connecting to host 100.64.2.2, port 443
[  5] local 172.0.2.2 port 22762 connected to 100.64.2.2 port 443
[ ID] Interval           Transfer     Bitrate         Retr  Cwnd
[  5]   0.00-1.00   sec   739 KBytes  6.05 Mbits/sec   26   67.9 KBytes
[  5]   1.00-2.00   sec   498 KBytes  4.08 Mbits/sec    0   22.6 KBytes
[  5]   2.00-3.00   sec   581 KBytes  4.76 Mbits/sec    0   22.6 KBytes
[  5]   3.00-4.00   sec   602 KBytes  4.94 Mbits/sec    0   28.3 KBytes
[  5]   4.00-5.00   sec   580 KBytes  4.75 Mbits/sec    0   22.6 KBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-5.00   sec  2.93 MBytes  4.92 Mbits/sec   26             sender
[  5]   0.00-5.08   sec  2.88 MBytes  4.76 Mbits/sec                  receiver

iperf Done.
root@localhost:~# iperf3 -c 100.64.2.2 -p 443 -t 5 -R // 来自于 CNC 的流量
Connecting to host 100.64.2.2, port 443
Reverse mode, remote host 100.64.2.2 is sending
[  5] local 172.0.2.2 port 22766 connected to 100.64.2.2 port 443
[ ID] Interval           Transfer     Bitrate
[  5]   0.00-1.00   sec   636 KBytes  5.21 Mbits/sec
[  5]   1.00-2.00   sec   584 KBytes  4.78 Mbits/sec
[  5]   2.00-3.00   sec   584 KBytes  4.79 Mbits/sec
[  5]   3.00-4.00   sec   584 KBytes  4.78 Mbits/sec
[  5]   4.00-5.00   sec   583 KBytes  4.77 Mbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-5.04   sec  2.95 MBytes  4.92 Mbits/sec    0             sender
[  5]   0.00-5.00   sec  2.90 MBytes  4.87 Mbits/sec                  receiver

root@localhost:~# iperf3 -c 100.64.3.2 -p 443 -t 5 // 去往 Asia 的流量
Connecting to host 100.64.3.2, port 443
[  5] local 172.0.2.2 port 46002 connected to 100.64.3.2 port 443
[ ID] Interval           Transfer     Bitrate         Retr  Cwnd
[  5]   0.00-1.00   sec  6.06 MBytes  50.8 Mbits/sec  2212    110 KBytes
[  5]   1.00-2.00   sec  5.65 MBytes  47.4 Mbits/sec    0   73.5 KBytes
[  5]   2.00-3.00   sec  5.64 MBytes  47.3 Mbits/sec    0   70.7 KBytes
[  5]   3.00-4.00   sec  5.66 MBytes  47.5 Mbits/sec    0   73.5 KBytes
[  5]   4.00-5.00   sec  5.67 MBytes  47.5 Mbits/sec    0   65.0 KBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-5.00   sec  28.7 MBytes  48.1 Mbits/sec  2212             sender
[  5]   0.00-5.07   sec  28.6 MBytes  47.4 Mbits/sec                  receiver

iperf Done.
root@localhost:~# iperf3 -c 100.64.3.2 -p 443 -t 5 -R // 来自于 Asia 的流量
Connecting to host 100.64.3.2, port 443
Reverse mode, remote host 100.64.3.2 is sending
[  5] local 172.0.2.2 port 46006 connected to 100.64.3.2 port 443
[ ID] Interval           Transfer     Bitrate
[  5]   0.00-1.00   sec  6.03 MBytes  50.6 Mbits/sec
[  5]   1.00-2.00   sec  5.70 MBytes  47.8 Mbits/sec
[  5]   2.00-3.00   sec  5.70 MBytes  47.8 Mbits/sec
[  5]   3.00-4.00   sec  5.70 MBytes  47.8 Mbits/sec
[  5]   4.00-5.00   sec  5.70 MBytes  47.8 Mbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-5.04   sec  28.9 MBytes  48.1 Mbits/sec  835             sender
[  5]   0.00-5.00   sec  28.8 MBytes  48.4 Mbits/sec                  receiver

root@localhost:~# iperf3 -c 100.64.4.2 -p 443 -t 5 // 去往 NA 的流量
Connecting to host 100.64.4.2, port 443
[  5] local 172.0.2.2 port 18818 connected to 100.64.4.2 port 443
[ ID] Interval           Transfer     Bitrate         Retr  Cwnd
[  5]   0.00-1.00   sec  24.3 MBytes   204 Mbits/sec  1233    407 KBytes
[  5]   1.00-2.00   sec  22.9 MBytes   192 Mbits/sec   71    450 KBytes
[  5]   2.00-3.00   sec  22.5 MBytes   189 Mbits/sec  192    229 KBytes
[  5]   3.00-4.00   sec  22.9 MBytes   192 Mbits/sec    0    283 KBytes
[  5]   4.00-5.00   sec  22.8 MBytes   191 Mbits/sec    0    272 KBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-5.00   sec   115 MBytes   193 Mbits/sec  1496             sender
[  5]   0.00-5.04   sec   115 MBytes   192 Mbits/sec                  receiver

iperf Done.
root@localhost:~# iperf3 -c 100.64.4.2 -p 443 -t 5 -R // 来自于 NA 的流量
Connecting to host 100.64.4.2, port 443
Reverse mode, remote host 100.64.4.2 is sending
[  5] local 172.0.2.2 port 18822 connected to 100.64.4.2 port 443
[ ID] Interval           Transfer     Bitrate
[  5]   0.00-1.00   sec  23.9 MBytes   201 Mbits/sec
[  5]   1.00-2.00   sec  22.8 MBytes   191 Mbits/sec
[  5]   2.00-3.00   sec  22.8 MBytes   191 Mbits/sec
[  5]   3.00-4.00   sec  22.8 MBytes   191 Mbits/sec
[  5]   4.00-5.00   sec  22.8 MBytes   191 Mbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-5.04   sec   116 MBytes   193 Mbits/sec   19             sender
[  5]   0.00-5.00   sec   115 MBytes   193 Mbits/sec                  receiver

这样 Cisco (IOS-XE) 就搞定了，符合需求。接下来我们来配置 Juniper 平台。

扩展学习：Juniper 平台使用 SCU/DCU 针对 ASN 进行限速

Juniper 的配置相对来说要易于理解，且调用逻辑比 Cisco IOS-XE 要清晰。接下来就是详细配置：

root@access> show policy-options...
community import-cnc-via-ct members [ 100:1 9929:0 ]; 
community import-from-asia members 100:2;
community import-from-ct members 100:1;
community import-from-na members 100:3;
// 预先定义 community list （ 路由内的 community 为上游发过来已携带的值 ）

root@access> show policy-options policy-statement export-dcu-scu | no-more
term cnc {
    from community import-cnc-via-ct;
    then {
        destination-class cnc-dcu; // 将该路由定义 Destination Class，用于匹配去往该区域的流量
        source-class cnc-scu; // 将该路由定义 Source Class，用于匹配来自于该区域的流量
        next policy; // 匹配上后，跳到下一个 policy （ 该处省略，lab 中为负载均衡 policy ）
    }
}
term ct {
    from community import-from-ct;
    then {
        destination-class ct-dcu;
        source-class ct-scu;
        next policy;
    }
}
term asia {
    from community import-from-asia;
    then {
        destination-class asia-dcu;
        source-class asia-scu;
        next policy;
    }
}
term na {
    from community import-from-na;
    then {
        destination-class na-dcu;
        source-class na-scu;
        next policy;
    }
}
term last {
    then next policy;
}

root@access> show configuration routing-options forwarding-table
export [ export-dcu-scu lb-export ];  
//  对转发表应用规则，压入 Source Class + Destination Class，为之后限速做准备

定义好 SC/DC 后，我们来编写限速规则。

root@access> show firewall policer...

policer cnc-via-ct {
    if-exceeding {
        bandwidth-limit 5m;
        burst-size-limit 1m;
    }
    then discard;
}
policer asia {
    if-exceeding {
        bandwidth-limit 50m;
        burst-size-limit 1m;
    }
    then discard;
}
policer na {
    if-exceeding {
        bandwidth-limit 200m;
        burst-size-limit 1m;
    }
    then discard;
}
policer ct {
    if-exceeding {
        bandwidth-limit 10m;
        burst-size-limit 1m;
    }
    then discard;
}

定义好限速 Policer 后，我们编写防火墙规则来调用 Policer （ Junos是使用防火墙规则调用的，和 Cisco 不一样 ）

root@access> show firewall family inet filter scu-dcu-shaping | no-more
term dest:na {
    from {
        destination-class na-dcu; // 匹配去往 NA 的流量
        source-address {
            172.0.0.0/24;
        }
    }
    then policer na; // 调用限速 Policer 
}
term dest:asia {
    from {
        destination-class asia-dcu;
        source-address {
            172.0.0.0/24;
        }
    }
    then policer asia;
}
term dest:ct {
    from {
        destination-class ct-dcu;
        source-address {
            172.0.0.0/24;
        }
    }
    then policer ct;
}
term dest:cnc {
    from {
        destination-class cnc-dcu;
        source-address {
            172.0.0.0/24;
        }
    }
    then policer cnc-via-ct;
}
term src:cnc {
    from {
        source-class cnc-scu; // 匹配来自于 CNC 的流量
    }
    then policer cnc-via-ct; // 调用 Policer
}
term src:ct {
    from {
        source-class ct-scu;
    }
    then policer ct;
}
term src:asia {
    from {
        source-class asia-scu;
    }
    then policer asia;
}
term src:na {
    from {
        source-class na-scu;
    }
    then policer na;
}
term last {
    then accept;
}

root@access> show configuration forwarding-options
family inet {
    filter {
        output scu-dcu-shaping;
    }
}
// 将该防火墙规则应用到全局的 forarding-option 上面。
// Juniper 也支持将策略应用于接口，但是 SCP/DCP 必须应用于 Output 方向，Input 方向会不起作用。
// Lab 模拟环境内应用于接口有 bug，所以这里决定应用于 forwarding-options，实机中两种方式均可以。

配置完毕了，我们在下接 Juniper 路由器的服务器上测试效果：

root@localhost:~# iperf3 -c 100.64.1.2 -p 443 -t 5 // 去往 CT 的流量
Connecting to host 100.64.1.2, port 443
[  5] local 172.0.0.2 port 14538 connected to 100.64.1.2 port 443
[ ID] Interval           Transfer     Bitrate         Retr  Cwnd
[  5]   0.00-1.00   sec  1.79 MBytes  15.0 Mbits/sec  708   50.9 KBytes
[  5]   1.00-2.00   sec  1.22 MBytes  10.2 Mbits/sec  202   17.0 KBytes
[  5]   2.00-3.00   sec  1.19 MBytes  9.99 Mbits/sec  157   33.9 KBytes
[  5]   3.00-4.00   sec  1.16 MBytes  9.77 Mbits/sec   47   14.1 KBytes
[  5]   4.00-5.00   sec  1.12 MBytes  9.37 Mbits/sec   86   25.5 KBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-5.00   sec  6.48 MBytes  10.9 Mbits/sec  1200             sender
[  5]   0.00-5.04   sec  6.42 MBytes  10.7 Mbits/sec                  receiver

iperf Done.
root@localhost:~# iperf3 -c 100.64.1.2 -p 443 -t 5 -R // 来自于 CT 的流量
Connecting to host 100.64.1.2, port 443
Reverse mode, remote host 100.64.1.2 is sending
[  5] local 172.0.0.2 port 14542 connected to 100.64.1.2 port 443
[ ID] Interval           Transfer     Bitrate
[  5]   0.00-1.00   sec  1.73 MBytes  14.5 Mbits/sec
[  5]   1.00-2.00   sec  1.28 MBytes  10.7 Mbits/sec
[  5]   2.00-3.00   sec  1.15 MBytes  9.65 Mbits/sec
[  5]   3.00-4.00   sec  1.16 MBytes  9.73 Mbits/sec
[  5]   4.00-5.00   sec  1.13 MBytes  9.44 Mbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-5.04   sec  6.53 MBytes  10.9 Mbits/sec  1148             sender
[  5]   0.00-5.00   sec  6.45 MBytes  10.8 Mbits/sec                  receiver

root@localhost:~# iperf3 -c 100.64.2.2 -p 443 -t 5 // 去往 CNC 的流量
Connecting to host 100.64.2.2, port 443
[  5] local 172.0.0.2 port 18480 connected to 100.64.2.2 port 443
[ ID] Interval           Transfer     Bitrate         Retr  Cwnd
[  5]   0.00-1.00   sec  1.10 MBytes  9.23 Mbits/sec  510   11.3 KBytes
[  5]   1.00-2.00   sec   421 KBytes  3.45 Mbits/sec  250   56.6 KBytes
[  5]   2.00-3.00   sec   619 KBytes  5.07 Mbits/sec   47   22.6 KBytes
[  5]   3.00-4.00   sec   577 KBytes  4.73 Mbits/sec   46   22.6 KBytes
[  5]   4.00-5.00   sec   568 KBytes  4.66 Mbits/sec   69   25.5 KBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-5.00   sec  3.24 MBytes  5.43 Mbits/sec  922             sender
[  5]   0.00-5.05   sec  3.21 MBytes  5.33 Mbits/sec                  receiver

iperf Done.
root@localhost:~# iperf3 -c 100.64.2.2 -p 443 -t 5 -R // 来自于 CNC 的流量
Connecting to host 100.64.2.2, port 443
Reverse mode, remote host 100.64.2.2 is sending
[  5] local 172.0.0.2 port 18484 connected to 100.64.2.2 port 443
[ ID] Interval           Transfer     Bitrate
[  5]   0.00-1.00   sec   834 KBytes  6.83 Mbits/sec
[  5]   1.00-2.00   sec   699 KBytes  5.72 Mbits/sec
[  5]   2.00-3.00   sec   467 KBytes  3.82 Mbits/sec
[  5]   3.00-4.00   sec   718 KBytes  5.89 Mbits/sec
[  5]   4.00-5.00   sec   595 KBytes  4.88 Mbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-5.04   sec  3.31 MBytes  5.52 Mbits/sec  966             sender
[  5]   0.00-5.00   sec  3.24 MBytes  5.43 Mbits/sec                  receiver

root@localhost:~# iperf3 -c 100.64.3.2 -p 443 -t 5 // 去往 Asia 的流量
Connecting to host 100.64.3.2, port 443
[  5] local 172.0.0.2 port 58888 connected to 100.64.3.2 port 443
[ ID] Interval           Transfer     Bitrate         Retr  Cwnd
[  5]   0.00-1.00   sec  6.48 MBytes  54.3 Mbits/sec  1969    481 KBytes
[  5]   1.00-2.00   sec  5.55 MBytes  46.6 Mbits/sec  2273    997 KBytes
[  5]   2.00-3.00   sec  5.21 MBytes  43.7 Mbits/sec  2681    417 KBytes
[  5]   3.00-4.00   sec  4.80 MBytes  40.2 Mbits/sec  2244    625 KBytes
[  5]   4.00-5.00   sec  4.58 MBytes  38.4 Mbits/sec  1464    533 KBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-5.00   sec  26.6 MBytes  44.6 Mbits/sec  10631             sender
[  5]   0.00-5.04   sec  25.9 MBytes  43.1 Mbits/sec                  receiver

iperf Done.
root@localhost:~# iperf3 -c 100.64.3.2 -p 443 -t 5 -R // 来自于 Asia 的流量
Connecting to host 100.64.3.2, port 443
Reverse mode, remote host 100.64.3.2 is sending
[  5] local 172.0.0.2 port 58892 connected to 100.64.3.2 port 443
[ ID] Interval           Transfer     Bitrate
[  5]   0.00-1.00   sec  4.99 MBytes  41.8 Mbits/sec
[  5]   1.00-2.00   sec  5.78 MBytes  48.5 Mbits/sec
[  5]   2.00-3.00   sec  5.03 MBytes  42.2 Mbits/sec
[  5]   3.00-4.00   sec  5.33 MBytes  44.7 Mbits/sec
[  5]   4.00-5.00   sec  4.43 MBytes  37.2 Mbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-5.04   sec  26.5 MBytes  44.2 Mbits/sec  10458             sender
[  5]   0.00-5.00   sec  25.6 MBytes  42.9 Mbits/sec                  receiver

root@localhost:~# iperf3 -c 100.64.4.2 -p 443 -t 5 -b 400M // 去往 NA 的流量
Connecting to host 100.64.4.2, port 443
[  5] local 172.0.0.2 port 50024 connected to 100.64.4.2 port 443
[ ID] Interval           Transfer     Bitrate         Retr  Cwnd
[  5]   0.00-1.00   sec  19.8 MBytes   166 Mbits/sec  3853    452 KBytes
[  5]   1.00-2.00   sec  18.9 MBytes   159 Mbits/sec  3799    314 KBytes
[  5]   2.00-3.00   sec  22.9 MBytes   192 Mbits/sec  1522    123 KBytes
[  5]   3.00-4.00   sec  23.2 MBytes   194 Mbits/sec  1132    478 KBytes
[  5]   4.00-5.00   sec  23.3 MBytes   195 Mbits/sec  2893    574 KBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-5.00   sec   108 MBytes   181 Mbits/sec  13199             sender
[  5]   0.00-5.03   sec   107 MBytes   179 Mbits/sec                  receiver

iperf Done.
root@localhost:~# iperf3 -c 100.64.4.2 -p 443 -t 5 -b 400M -R // 来自于 NA 的流量
Connecting to host 100.64.4.2, port 443
Reverse mode, remote host 100.64.4.2 is sending
[  5] local 172.0.0.2 port 50028 connected to 100.64.4.2 port 443
[ ID] Interval           Transfer     Bitrate
[  5]   0.00-1.00   sec  11.1 MBytes  93.1 Mbits/sec
[  5]   1.00-2.00   sec  23.0 MBytes   193 Mbits/sec
[  5]   2.00-3.00   sec  23.0 MBytes   193 Mbits/sec
[  5]   3.00-4.00   sec  23.1 MBytes   194 Mbits/sec
[  5]   4.00-5.00   sec  23.2 MBytes   195 Mbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-5.04   sec   104 MBytes   173 Mbits/sec  14906             sender
[  5]   0.00-5.00   sec   103 MBytes   174 Mbits/sec                  receiver

实验完成目标，符合需求。

由于这里使用了 Policer CIR，并不是 Shaping，TCP Flow 会在尝试突破限制的时候被丢弃，所以 Retry 比较多。

可以根据具体生产环境需求来使用 Traffic Shaping.

参考资料：

[ Cisco ] ASR9000/XR: Implementing QOS policy propagation for BGP (QPPB)

[ Juniper ] Accounting Options, Source Class, and Destination Class