Router-on-a-Stick with QoS Rate Limiting
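A few days ago the company ordered a new line for customer use. Equipment was scarce (our core router, a 7505, happened to have exactly 2 interfaces left), and the upstream line came with 128 addresses. After several engineers discussed it, we decided to use router-on-a-stick, QoS and VLSM to provide customer access. The access-side configuration is as follows: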
! Interface to the ISP
interface FastEthernet1/0/1
 ! Interconnect address provided by the ISP
 ip address 192.168.249.22 255.255.255.252
 ip route-cache policy
 no ip mroute-cache
 duplex auto
 speed auto
 no cdp enable
!
! Interface to the 2950
interface FastEthernet1/0/0
 description connect to cache
 no ip address
 speed auto
 full-duplex
!
! Port assigned to a customer
interface FastEthernet1/0/0.2
 description 4M_acl_20 b-1603_fibr_16ip
 encapsulation dot1Q 2
 ip address 172.16.10.1 255.255.255.252
 rate-limit input access-group 20 4000000 8000 8000 conform-action transmit exceed-action drop
 rate-limit output access-group 20 4000000 8000 8000 conform-action transmit exceed-action drop
 ! Policy routing
 ip policy route-map fibr
!
! Port assigned to a customer
interface FastEthernet1/0/0.3
 description 10M acl_21 c-11f_fibr_32IP
 encapsulation dot1Q 3
 ip address 172.16.10.5 255.255.255.252
 rate-limit input 10000000 128000 128000 conform-action transmit exceed-action drop
 rate-limit output 10000000 1288000 1288000 conform-action transmit exceed-action drop
 ! Policy routing
 ip policy route-map fibr
!
! The carrier's 128 addresses
access-list 15 permit z.z.z.z 0.0.0.127
access-list 15 deny any
! Customer IP addresses, used for the QoS limit
access-list 20 permit x.x.x.x 0.0.0.15
access-list 20 deny any
! Customer IP addresses, used for the QoS limit
access-list 21 permit y.y.y.y 0.0.0.31
access-list 21 deny any
! Policy routing
route-map fibr permit 10
 match ip address 15
 ! Carrier-side address
 set ip next-hop 192.168.249.21
!
! Return routes to the customer side
ip route x.x.x.x 255.255.255.240 172.16.10.2
ip route y.y.y.y 255.255.255.224 172.16.10.6

This article is from the 51CTO.COM technical blog.

Below is the show output for the subinterfaces:

netcen-cisco7505#sho int f1/0/0.2 rate-limit
FastEthernet1/0/0.2 4M_acl_20 b-1603_fibr_16ip
  Input
    matches: access-group 20
      params: 4000000 bps, 8000 limit, 8000 extended limit
      conformed 9370685 packets, 4905M bytes; action: transmit
      exceeded 645168 packets, 817147468 bytes; action: drop
      last packet: 4468ms ago, current burst: 0 bytes
      last cleared 2d06h ago, conformed 201000 bps, exceeded 33000 bps
  Output
    matches: access-group 20
      params: 4000000 bps, 8000 limit, 8000 extended limit
      conformed 0 packets, 0 bytes; action: transmit
      exceeded 0 packets, 0 bytes; action: drop
      last packet: 1059586108ms ago, current burst: 0 bytes
      last cleared 2d06h ago, conformed 0 bps, exceeded 0 bps

netcen-cisco7505#sho int f1/0/0.3 rate-limit
FastEthernet1/0/0.3 10M acl_21 c-11f_fibr_32IP
  Input
    matches: all traffic
      params: 10000000 bps, 128000 limit, 128000 extended limit
      conformed 2917848 packets, 579572960 bytes; action: transmit
      exceeded 0 packets, 0 bytes; action: drop
      last packet: 8ms ago, current burst: 208 bytes
      last cleared 00:23:52 ago, conformed 3236000 bps, exceeded 0 bps
  Output
    matches: all traffic
      params: 10000000 bps, 1288000 limit, 1288000 extended limit
      conformed 0 packets, 0 bytes; action: transmit
      exceeded 0 packets, 0 bytes; action: drop
      last packet: 0ms ago, current burst: 0 bytes
      last cleared 00:25:53 ago, conformed 0 bps, exceeded 0 bps

I found that the QoS settings were not taking effect in the OUTPUT direction on either port. I asked the upstream carrier (which provides our own access in the same way) and learned that the carrier applies QoS directly on the subinterface, without using an ACL to restrict it. At that point I understood why OUTPUT showed no traffic: the data leaving the interface is ANY, not the X.X.X.X or Y.Y.Y.Y that I had specified.

So, following the method the carrier described, I changed the port as follows (only F1/0/0.3 was changed):

interface FastEthernet1/0/0.3
 description 10M acl_21 c-11f_fibr_32IP
 encapsulation dot1Q 3
 ip address 172.16.10.5 255.255.255.252
 ! ACL 21 removed
 rate-limit input 10000000 128000 128000 conform-action transmit exceed-action drop
 ! ACL 21 removed
 rate-limit output 10000000 1288000 1288000 conform-action transmit exceed-action drop
 ip policy route-map fibr

The show output for the port is now:
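netcen-cisco7505#sho int f1/0/0.3 rate-limit
FastEthernet1/0/0.3 10M acl_21 c-11f_fibr_32IP
  Input
    matches: all traffic
      params: 10000000 bps, 128000 limit, 128000 extended limit
      conformed 13685 packets, 2443801 bytes; action: transmit
      exceeded 0 packets, 0 bytes; action: drop
      last packet: 8ms ago, current burst: 784 bytes
      last cleared 00:00:07 ago, conformed 2725000 bps, exceeded 0 bps
  Output
    matches: all traffic
      params: 10000000 bps, 1288000 limit, 1288000 extended limit
      conformed 303002 packets, 161513209 bytes; action: transmit
      exceeded 75191 packets, 45039533 bytes; action: drop
      last packet: 0ms ago, current burst: 1248321 bytes
      last cleared 00:02:08 ago, conformed 10077000 bps, exceeded 2810000 bps

Both input and output now show QoS counters, but a new problem has appeared: as soon as the customer side carries even a little traffic, pings to the customer-side interconnect address 172.16.10.6 start losing a large number of packets. Removing QoS, or applying QoS on INPUT with an access list, causes no problem at all. This issue has been bothering me for a while, and I have tried several approaches without solving it: I tried changing the duplex mode, removing the policy routing, and increasing the burst value, and the problem is still there. (I asked the upstream carrier: they provide our access in the same way, and when our bandwidth usage reaches 100%, large-packet pings to the carrier's upstream interconnect address are still normal, with no packet loss.)

I hope an expert can offer some pointers here. I am also still investigating the cause myself, and I will come back to finish this unfinished post.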
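
An added example, not part of the original post: a small Python parser for the `show interfaces rate-limit` output quoted above. For each direction it computes the share of packets the policer dropped and compares the configured burst with Cisco's documented CAR guideline (normal burst = rate / 8 * 1.5 s). The function names and the re-wrapped sample text are assumptions made for this example.

```python
import re

# Constructed sample: the post's second "show" output for Fa1/0/0.3, one field per line.
SAMPLE = """\
FastEthernet1/0/0.3 10M acl_21 c-11f_fibr_32IP
 Input
  matches: all traffic
   params: 10000000 bps, 128000 limit, 128000 extended limit
   conformed 13685 packets, 2443801 bytes; action: transmit
   exceeded 0 packets, 0 bytes; action: drop
   last packet: 8ms ago, current burst: 784 bytes
   last cleared 00:00:07 ago, conformed 2725000 bps, exceeded 0 bps
 Output
  matches: all traffic
   params: 10000000 bps, 1288000 limit, 1288000 extended limit
   conformed 303002 packets, 161513209 bytes; action: transmit
   exceeded 75191 packets, 45039533 bytes; action: drop
   last packet: 0ms ago, current burst: 1248321 bytes
   last cleared 00:02:08 ago, conformed 10077000 bps, exceeded 2810000 bps
"""

def parse_rate_limit(text):
    """Return {"input": {...}, "output": {...}} with the counters of each policer."""
    policers, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        if line in ("Input", "Output"):
            cur = policers.setdefault(line.lower(), {})
        elif cur is None:
            continue  # interface header line before the first direction
        elif m := re.match(r"params:\s*(\d+) bps, (\d+) limit, (\d+) extended limit", line):
            cur["rate_bps"], cur["limit"], cur["ext_limit"] = map(int, m.groups())
        elif m := re.match(r"(conformed|exceeded) (\d+) packets", line):
            cur[m.group(1)] = int(m.group(2))
        elif m := re.search(r"current burst: (\d+) bytes", line):
            cur["current_burst"] = int(m.group(1))
    return policers

def assess(p):
    """Summarise one policer: share of packets dropped and burst sizing."""
    total = p["conformed"] + p["exceeded"]
    return {
        "drop_pct": round(100 * p["exceeded"] / total, 2) if total else 0.0,
        "burst_used_pct": round(100 * p["current_burst"] / p["limit"], 1),
        # Cisco's documented CAR guideline: normal burst = rate/8 * 1.5 s, extended = 2x.
        "guideline_normal_burst": p["rate_bps"] // 8 * 3 // 2,
    }

if __name__ == "__main__":
    for direction, p in parse_rate_limit(SAMPLE).items():
        print(direction, assess(p))
```

On the sample it reports 19.88% of output packets dropped, with the current burst at 96.9% of the configured limit, against a guideline normal burst of 1875000 bytes for a 10 Mbps rate.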



mcsechen
