Cisco-Asa

Cisco ASA Shaping

  • December 28, 2011

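I am trying to get traffic shaping working on my 5505. I can do the usual policing, but as is typical with policing, the rate goes up and down and does not give the best results.

When trying to create my own class-map, I get the message ERROR: 'shape' can only be configured for class "class-default", but I cannot find a way to bind the class-default map by port.

This is what I get when trying my own class and policy: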

ASA(config)# class-map test
ASA(config-cmap)# match port tcp eq 80
ASA(config-cmap)# exit
ASA(config)# policy-map test
ASA(config-pmap)# ?

MPF policy-map configuration commands
 class        Policy criteria
 description  Specify policy-map description
 exit         Exit from MPF policy-map configuration mode
 help         Help for MPF policy-map configuration commands
 no           Negate or set default values of a command
 rename       Rename this policy-map
 <cr>
ASA(config-pmap)# class test
ASA(config-pmap-c)# ?

MPF policy-map class configuration commands:
 exit             Exit from MPF class action configuration mode
 help             Help for MPF policy-map class/match submode commands
 no               Negate or set default values of a command
 police           Rate limit traffic for this class
 priority         Strict scheduling priority for this class
 quit             Exit from MPF class action configuration mode
 service-policy   Configure QoS Service Policy
 set              Set connection values
 shape            Traffic Shaping
 user-statistics  configure user statistics for identity firewall
 <cr>
 csc              Content Security and Control service module
 flow-export      Configure filters for NetFlow events
 inspect          Protocol inspection services
 ips              Intrusion prevention services
ASA(config-pmap-c)# shape ?

mpf-policy-map-class mode commands/options:
 average  configure token bucket: CIR (bps) [Bc (bits)], send out Bc only per
          interval
ASA(config-pmap-c)# shape av
ASA(config-pmap-c)# shape average ?

mpf-policy-map-class mode commands/options:
 <64000-154400000>  Target Bit Rate (bits per second), the value needs to be
                    multiple of 8000
ASA(config-pmap-c)# shape average 64000
ERROR: 'shape' can only be configured for class "class-default"
ASA(config-pmap-c)#

Now, going with the class-default class, this is what I can do:

ASA(config)# policy-map tester
ASA(config-pmap)# ?

MPF policy-map configuration commands
 class        Policy criteria
 description  Specify policy-map description
 exit         Exit from MPF policy-map configuration mode
 help         Help for MPF policy-map configuration commands
 no           Negate or set default values of a command
 rename       Rename this policy-map
 <cr>
ASA(config-pmap)# class class-default
ASA(config-pmap-c)# ?

MPF policy-map class configuration commands:
 exit             Exit from MPF class action configuration mode
 help             Help for MPF policy-map class/match submode commands
 no               Negate or set default values of a command
 police           Rate limit traffic for this class
 priority         Strict scheduling priority for this class
 quit             Exit from MPF class action configuration mode
 service-policy   Configure QoS Service Policy
 set              Set connection values
 shape            Traffic Shaping
 user-statistics  configure user statistics for identity firewall
 <cr>
 csc              Content Security and Control service module
 flow-export      Configure filters for NetFlow events
 inspect          Protocol inspection services
 ips              Intrusion prevention services

As you can see, I have no option to restrict by port, etc.

Any ideas on how to achieve this?

For completeness, here is the sh version:

ASA(config-pmap-c)# sh ver

Cisco Adaptive Security Appliance Software Version 8.4(2)
Device Manager Version 6.4(5)206

Compiled on Wed 15-Jun-11 18:17 by builders
System image file is "disk0:/asa842-k8.bin"
Config file at boot was "startup-config"

ASA up 2 hours 7 mins

Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash M50FW016 @ 0xfff00000, 2048KB

Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
                            Boot microcode        : CN1000-MC-BOOT-2.00
                            SSL/IKE microcode     : CNLite-MC-SSLm-PLUS-2.03
                            IPSec microcode       : CNlite-MC-IPSECm-MAIN-2.06
                            Number of accelerators: 1

0: Int: Internal-Data0/0    : address is e05f.b9ab.be21, irq 11
1: Ext: Ethernet0/0         : address is e05f.b9ab.be19, irq 255
2: Ext: Ethernet0/1         : address is e05f.b9ab.be1a, irq 255
3: Ext: Ethernet0/2         : address is e05f.b9ab.be1b, irq 255
4: Ext: Ethernet0/3         : address is e05f.b9ab.be1c, irq 255
<--- More --->

Thanks

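The short answer is that, as of the current version (ASA 8.4.2), there is no way to shape specific traffic the way traditional QoS does. The ASA can only shape all traffic on a given interface to a specified rate.

Use the relevant section of the ASA QoS configuration guide below as a complete reference. You may also find this interesting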
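
The behaviour described in the answer, as an added example in ASA configuration syntax (not part of the original posts): `shape` sits in `class-default` and limits everything leaving the interface, and a nested policy can give the port-80 class from the question priority inside the shaped rate, but not a shaped rate of its own. The names `web`, `prio-web` and `shape-outside`, the interface name `outside` and the 2 Mbps rate are assumptions.

```cisco
! Constructed example. Policy and class names, the interface name "outside"
! and the rate are assumptions, not values from the post.

! Class that selects the traffic of interest (same match as in the question).
class-map web
 match port tcp eq 80

! Child policy: marks the selected class for priority queuing.
! It does not give the class its own shaped rate.
policy-map prio-web
 class web
  priority

! Parent policy: 'shape' is accepted only in class-default, so it applies to
! all traffic leaving the interface. The rate must be a multiple of 8000.
policy-map shape-outside
 class class-default
  shape average 2000000
  service-policy prio-web

! Attach the parent policy to the egress interface.
service-policy shape-outside interface outside
```

`show service-policy interface outside` displays the shaping and priority counters once the policy is attached.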

Quoted from: https://serverfault.com/questions/344106