I am trying to do traffic shaping on my 5505. I can do the usual policing, but as always with policing, it goes up and down and doesn't give the best results.
I get the message
ERROR: 'shape' can only be configured for class "class-default"
when trying to create my own class map, although I can't figure out a way to make the default class map match by port.
Here is what I get when testing my own class and policy:
ASA(config)# class-map test
ASA(config-cmap)# match port tcp eq 80
ASA(config-cmap)# exit
ASA(config)# policy-map test
ASA(config-pmap)# ?
MPF policy-map configuration commands
class Policy criteria
description Specify policy-map description
exit Exit from MPF policy-map configuration mode
help Help for MPF policy-map configuration commands
no Negate or set default values of a command
rename Rename this policy-map
<cr>
ASA(config-pmap)# class test
ASA(config-pmap-c)# ?
MPF policy-map class configuration commands:
exit Exit from MPF class action configuration mode
help Help for MPF policy-map class/match submode commands
no Negate or set default values of a command
police Rate limit traffic for this class
priority Strict scheduling priority for this class
quit Exit from MPF class action configuration mode
service-policy Configure QoS Service Policy
set Set connection values
shape Traffic Shaping
user-statistics configure user statistics for identity firewall
<cr>
csc Content Security and Control service module
flow-export Configure filters for NetFlow events
inspect Protocol inspection services
ips Intrusion prevention services
ASA(config-pmap-c)# shape ?
mpf-policy-map-class mode commands/options:
average configure token bucket: CIR (bps) [Bc (bits)], send out Bc only per
interval
ASA(config-pmap-c)# shape av
ASA(config-pmap-c)# shape average ?
mpf-policy-map-class mode commands/options:
<64000-154400000> Target Bit Rate (bits per second), the value needs to be
multiple of 8000
ASA(config-pmap-c)# shape average 64000
ERROR: 'shape' can only be configured for class "class-default"
ASA(config-pmap-c)#
Now, going with class class-default, here is what I can do:
ASA(config)# policy-map tester
ASA(config-pmap)# ?
MPF policy-map configuration commands
class Policy criteria
description Specify policy-map description
exit Exit from MPF policy-map configuration mode
help Help for MPF policy-map configuration commands
no Negate or set default values of a command
rename Rename this policy-map
<cr>
ASA(config-pmap)# class class-default
ASA(config-pmap-c)# ?
MPF policy-map class configuration commands:
exit Exit from MPF class action configuration mode
help Help for MPF policy-map class/match submode commands
no Negate or set default values of a command
police Rate limit traffic for this class
priority Strict scheduling priority for this class
quit Exit from MPF class action configuration mode
service-policy Configure QoS Service Policy
set Set connection values
shape Traffic Shaping
user-statistics configure user statistics for identity firewall
<cr>
csc Content Security and Control service module
flow-export Configure filters for NetFlow events
inspect Protocol inspection services
ips Intrusion prevention services
As you can see, I have no options to limit by port, etc.
Any ideas how I can achieve this?
For completeness, see below:
ASA(config-pmap-c)# sh ver
Cisco Adaptive Security Appliance Software Version 8.4(2)
Device Manager Version 6.4(5)206
Compiled on Wed 15-Jun-11 18:17 by builders
System image file is "disk0:/asa842-k8.bin"
Config file at boot was "startup-config"
ASA up 2 hours 7 mins
Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash M50FW016 @ 0xfff00000, 2048KB
Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode : CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.06
Number of accelerators: 1
0: Int: Internal-Data0/0 : address is e05f.b9ab.be21, irq 11
1: Ext: Ethernet0/0 : address is e05f.b9ab.be19, irq 255
2: Ext: Ethernet0/1 : address is e05f.b9ab.be1a, irq 255
3: Ext: Ethernet0/2 : address is e05f.b9ab.be1b, irq 255
4: Ext: Ethernet0/3 : address is e05f.b9ab.be1c, irq 255
<--- More --->
Thanks