Cisco ASA shaping

1

I'm trying to shape traffic on my 5505. I can do the usual policing, but as always happens with policing, it goes up and down and doesn't give the best results.

I get the message ERROR: 'shape' can only be configured for class "class-default" when trying to create my own class map, and I can't figure out a way to bind the class-default map per port.

Here's what I get when testing my own class and policy:

ASA(config)# class-map test
ASA(config-cmap)# match port tcp eq 80
ASA(config-cmap)# exit
ASA(config)# policy-map test
ASA(config-pmap)# ?

MPF policy-map configuration commands
  class        Policy criteria
  description  Specify policy-map description
  exit         Exit from MPF policy-map configuration mode
  help         Help for MPF policy-map configuration commands
  no           Negate or set default values of a command
  rename       Rename this policy-map
  <cr>
ASA(config-pmap)# class test
ASA(config-pmap-c)# ?

MPF policy-map class configuration commands:
  exit             Exit from MPF class action configuration mode
  help             Help for MPF policy-map class/match submode commands
  no               Negate or set default values of a command
  police           Rate limit traffic for this class
  priority         Strict scheduling priority for this class
  quit             Exit from MPF class action configuration mode
  service-policy   Configure QoS Service Policy
  set              Set connection values
  shape            Traffic Shaping
  user-statistics  configure user statistics for identity firewall
  <cr>
  csc              Content Security and Control service module
  flow-export      Configure filters for NetFlow events
  inspect          Protocol inspection services
  ips              Intrusion prevention services
ASA(config-pmap-c)# shape ?

mpf-policy-map-class mode commands/options:
  average  configure token bucket: CIR (bps) [Bc (bits)], send out Bc only per
           interval
ASA(config-pmap-c)# shape av
ASA(config-pmap-c)# shape average ?

mpf-policy-map-class mode commands/options:
  <64000-154400000>  Target Bit Rate (bits per second), the value needs to be
                     multiple of 8000
ASA(config-pmap-c)# shape average 64000
ERROR: 'shape' can only be configured for class "class-default"
ASA(config-pmap-c)#

Now, going with the class-default class instead, here is what I can do:

ASA(config)# policy-map tester
ASA(config-pmap)# ?

MPF policy-map configuration commands
  class        Policy criteria
  description  Specify policy-map description
  exit         Exit from MPF policy-map configuration mode
  help         Help for MPF policy-map configuration commands
  no           Negate or set default values of a command
  rename       Rename this policy-map
  <cr>
ASA(config-pmap)# class class-default
ASA(config-pmap-c)# ?

MPF policy-map class configuration commands:
  exit             Exit from MPF class action configuration mode
  help             Help for MPF policy-map class/match submode commands
  no               Negate or set default values of a command
  police           Rate limit traffic for this class
  priority         Strict scheduling priority for this class
  quit             Exit from MPF class action configuration mode
  service-policy   Configure QoS Service Policy
  set              Set connection values
  shape            Traffic Shaping
  user-statistics  configure user statistics for identity firewall
  <cr>
  csc              Content Security and Control service module
  flow-export      Configure filters for NetFlow events
  inspect          Protocol inspection services
  ips              Intrusion prevention services

As you can see, I have no options to limit by port, etc.

Any ideas on how I can achieve this?

For completeness, see the following:

ASA(config-pmap-c)# sh ver

Cisco Adaptive Security Appliance Software Version 8.4(2)
Device Manager Version 6.4(5)206

Compiled on Wed 15-Jun-11 18:17 by builders
System image file is "disk0:/asa842-k8.bin"
Config file at boot was "startup-config"

ASA up 2 hours 7 mins

Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash M50FW016 @ 0xfff00000, 2048KB

Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
                             Boot microcode        : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode     : CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode       : CNlite-MC-IPSECm-MAIN-2.06
                             Number of accelerators: 1

 0: Int: Internal-Data0/0    : address is e05f.b9ab.be21, irq 11
 1: Ext: Ethernet0/0         : address is e05f.b9ab.be19, irq 255
 2: Ext: Ethernet0/1         : address is e05f.b9ab.be1a, irq 255
 3: Ext: Ethernet0/2         : address is e05f.b9ab.be1b, irq 255
 4: Ext: Ethernet0/3         : address is e05f.b9ab.be1c, irq 255
<--- More --->

Thanks

    
by fdf33 26.12.2011 / 01:34

1 answer

1

The short answer is that, as of the current release (ASA 8.4.2), it is not possible to do traditional QoS shaping on specific traffic. The ASA can only shape all traffic on a given interface to a specified rate.

Use the relevant section of the ASA QoS Configuration Guide as a complete reference. You may also find this .

    
by 28.12.2011 / 03:30
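As an added example, not part of the question or the answer above: the configuration the answer describes, shaping all traffic on one interface, plus the hierarchical form that the `service-policy` entry in the class submenu (shown in the question's `?` output) exists for. Shaping itself is only accepted under `class-default`, so per-port shaping is still not possible; what a nested policy can do is give one class strict priority inside the shaped queue. The interface name `outside`, the class and policy names, and the 1 Mbit/s rate are assumptions for illustration.

```text
! Added example (not from the original post): interface-wide shaping on an
! ASA 5505 running 8.4(2), with one class prioritised inside the shaper.
! "outside", the class/policy names and the rate are assumed values.

! 1. Class that selects the traffic to be preferred inside the shaper
!    (same match the question used for its own class-map).
class-map web-priority
 match port tcp eq 80

! 2. Child policy. In a hierarchical QoS policy the only action the
!    child class may carry is "priority"; police/shape are rejected here.
policy-map web-priority-policy
 class web-priority
  priority

! 3. Parent policy. "shape" is accepted only under class-default, which
!    is why "class test" + "shape average 64000" failed in the question.
!    Rate is bits per second and must be a multiple of 8000.
policy-map shape-outside
 class class-default
  shape average 1000000
  service-policy web-priority-policy

! 4. Shaping is applied per interface, not globally.
service-policy shape-outside interface outside

! Verification: shows the configured CIR and the shaped/queued counters.
show service-policy shape
```

The effect is that the whole `outside` interface is held to 1 Mbit/s, and when the shaped queue fills, TCP/80 traffic is dequeued first. If the requirement is really a per-class rate rather than a per-class preference, `police` under a user-defined class remains the only option on this release, with the burstiness the question describes.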
