Software version: 822-k8, i.e. 8.2(2). (The box originally shipped with 703, 7.0(3); that 2003-era image is very limited and does not support defining the input direction of a policer. Upgrading to 723, 7.2(3), or later is recommended.)
PIX/ASA IP-based rate limiting: detailed lab configuration
Tags: ASA, PIX

Lab objective: rate limiting by IP address on PIX/ASA. Note: this lab has been verified and confirmed to work.
Topology:

  Test PC ---- (inside) pix515 (outside) ---- 192.168.104.253 ---- switch ---- 192.168.104.254

Addresses:
  PC:             172.16.3.2
  PIX inside:     172.16.3.1
  PIX outside:    192.168.104.1
  Test machines:  192.168.104.254 and 192.168.104.253
  PIX mode:       NAT
A very important point: upload and download, that is, the input and output directions of a policer, are relative to the interface the service policy is applied on.

For example, on the inside interface:
  download = output traffic, flowing from the firewall to the PC
  upload   = input traffic, flowing from the PC into the PIX
On the outside interface the directions are reversed:
  download = input traffic, flowing from the external network into the firewall
  upload   = output traffic, flowing from the firewall to the external network

Requirement 1: limit the traffic that all inside hosts download from 192.168.104.253.
  access-list all_host extended permit ip host 192.168.104.253 any
  class-map all_host
   match access-list all_host
  policy-map all_host
   class all_host
    police output 56000 10500 conform-action transmit exceed-action drop
  service-policy all_host interface inside

(`conform-action transmit exceed-action drop` are the defaults and can be omitted.)

Requirement 2: limit the traffic that all inside hosts upload to 192.168.104.253.

  access-list all_host extended permit ip any host 192.168.104.253
  class-map all_host
   match access-list all_host
  policy-map all_host
   class all_host
    police input 56000 10500 conform-action transmit exceed-action drop
  service-policy all_host interface inside

(Again, `conform-action transmit exceed-action drop` can be omitted.)

Requirement 3: limit both the upload and the download traffic of one specific host to and from 192.168.104.253.

  access-list host extended permit ip host 192.168.104.253 host 172.16.3.2
  access-list host extended permit ip host 172.16.3.2 host 192.168.104.253
  class-map host
   match access-list host
  policy-map host
   class host
    police input 56000 10500 conform-action transmit exceed-action drop
    police output 56000 10500 conform-action transmit exceed-action drop
  service-policy host interface inside

(The ACL matches both directions; the input policer only ever sees PC-to-server packets and the output policer only server-to-PC packets. The action keywords can be omitted.)

Requirement 4: give three inside hosts different upload and download limits to 192.168.104.253 and leave all other hosts unrestricted.

  access-list host-2 extended permit ip host 192.168.104.253 host 172.16.3.2
  access-list host-2 extended permit ip host 172.16.3.2 host 192.168.104.253
  access-list host-3 extended permit ip host 192.168.104.253 host 172.16.3.3
  access-list host-3 extended permit ip host 172.16.3.3 host 192.168.104.253
  access-list host-4 extended permit ip host 192.168.104.253 host 172.16.3.4
  access-list host-4 extended permit ip host 172.16.3.4 host 192.168.104.253
  class-map host-2
   match access-list host-2
  class-map host-3
   match access-list host-3
  class-map host-4
   match access-list host-4
  policy-map qos
   class host-2
    police input 56000 10500 conform-action transmit exceed-action drop
    police output 56000 10500 conform-action transmit exceed-action drop
   class host-3
    police input 102400 37500 conform-action transmit exceed-action drop
    police output 102400 37500 conform-action transmit exceed-action drop
   class host-4
    police input 1024000000 5000000 conform-action transmit exceed-action drop
    police output 1024000000 5000000 conform-action transmit exceed-action drop
  service-policy qos interface inside

Hosts that match none of the class-maps fall through with no policer applied. Once the configuration is in place, check the traffic counters.
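All four requirements above are the same pattern repeated: one ACL per client matching both flow directions against the server, one class-map per ACL, a `police input`/`police output` pair per class, and one service-policy on the inside interface. The script below, added here as an illustration and not part of the original article, generates that pattern for any number of hosts, applies the interface-relative direction mapping described earlier (download is output on inside, input on outside), and rejects rates or bursts outside the ranges the `police` command accepts (assumed here from the ASA command reference: 8000 to 2000000000 bps and 1000 to 512000000 bytes). Host names, addresses and rates in the `__main__` block are the lab's values from requirement 4.

```python
"""Generate PIX/ASA MPF per-host rate-limit configuration (added example)."""
from dataclasses import dataclass
from typing import List

# Accepted ranges of the ASA 'police' command (assumption taken from the
# ASA command reference): conform-rate in bits/s, conform-burst in bytes.
MIN_RATE_BPS, MAX_RATE_BPS = 8_000, 2_000_000_000
MIN_BURST, MAX_BURST = 1_000, 512_000_000


@dataclass
class HostLimit:
    name: str           # used as ACL and class-map name, e.g. "host-2"
    ip: str             # inside client address
    download_bps: int   # server -> client, bits per second
    download_burst: int # bytes
    upload_bps: int     # client -> server, bits per second
    upload_burst: int   # bytes


def bytes_per_sec_to_bps(rate_bytes: int) -> int:
    """police takes bits per second, so a byte rate is multiplied by 8."""
    return rate_bytes * 8


def police_direction(interface: str, flow: str) -> str:
    """Map download/upload onto police input/output for one interface.

    On 'inside', download (firewall -> PC) is output and upload is input;
    on 'outside' the mapping is reversed.
    """
    if flow not in ("download", "upload"):
        raise ValueError(f"unknown flow {flow!r}")
    if interface == "inside":
        return "output" if flow == "download" else "input"
    if interface == "outside":
        return "input" if flow == "download" else "output"
    raise ValueError(f"unknown interface {interface!r}")


def police_is_valid(rate_bps: int, burst_bytes: int) -> bool:
    return (MIN_RATE_BPS <= rate_bps <= MAX_RATE_BPS
            and MIN_BURST <= burst_bytes <= MAX_BURST)


def build_config(server_ip: str, interface: str, hosts: List[HostLimit],
                 policy_name: str = "qos") -> List[str]:
    """Return ASA CLI lines; the default conform/exceed actions are omitted."""
    acl, classes, policy = [], [], [f"policy-map {policy_name}"]
    for h in hosts:
        for rate, burst in ((h.download_bps, h.download_burst),
                            (h.upload_bps, h.upload_burst)):
            if not police_is_valid(rate, burst):
                raise ValueError(f"{h.name}: police {rate} {burst} out of range")
        # One ACL covers both directions: the input policer only ever sees
        # client->server packets, the output policer only server->client.
        acl += [
            f"access-list {h.name} extended permit ip host {server_ip} host {h.ip}",
            f"access-list {h.name} extended permit ip host {h.ip} host {server_ip}",
        ]
        classes += [f"class-map {h.name}", f" match access-list {h.name}"]
        up = police_direction(interface, "upload")
        down = police_direction(interface, "download")
        policy += [
            f" class {h.name}",
            f"  police {up} {h.upload_bps} {h.upload_burst}",
            f"  police {down} {h.download_bps} {h.download_burst}",
        ]
    return acl + classes + policy + [f"service-policy {policy_name} interface {interface}"]


if __name__ == "__main__":
    # Requirement 4 from the article: three hosts, three different rates.
    lab_hosts = [
        HostLimit("host-2", "172.16.3.2", 56_000, 10_500, 56_000, 10_500),
        HostLimit("host-3", "172.16.3.3", 102_400, 37_500, 102_400, 37_500),
        HostLimit("host-4", "172.16.3.4", 1_024_000_000, 5_000_000,
                  1_024_000_000, 5_000_000),
    ]
    print("\n".join(build_config("192.168.104.253", "inside", lab_hosts)))
```

Running it prints the requirement 4 configuration without the default action keywords; passing `"outside"` as the interface swaps every `police input` and `police output`, which is exactly the mistake the direction note above warns against.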
1. service-policy traffic counters

  pixfirewall# sh service-policy

  Global policy:
    Service-policy: global_policy
      Class-map: inspection_default
        Inspect: dns preset_dns_map, packet 45, drop 0, reset-drop 0
        Inspect: ftp, packet 348, drop 0, reset-drop 0
        Inspect: h323 h225 _default_h323_map, packet 0, drop 0, reset-drop 0
        Inspect: h323 ras _default_h323_map, packet 0, drop 0, reset-drop 0
        Inspect: netbios, packet 0, drop 0, reset-drop 0
        Inspect: rsh, packet 0, drop 0, reset-drop 0
        Inspect: rtsp, packet 0, drop 0, reset-drop 0
        Inspect: skinny, packet 0, drop 0, reset-drop 0
        Inspect: esmtp _default_esmtp_map, packet 0, drop 0, reset-drop 0
        Inspect: sqlnet, packet 0, drop 0, reset-drop 0
        Inspect: sunrpc, packet 0, drop 0, reset-drop 0
        Inspect: tftp, packet 0, drop 0, reset-drop 0
        Inspect: sip, packet 0, drop 0, reset-drop 0
        Inspect: xdmcp, packet 0, drop 0, reset-drop 0

  Interface inside:
    Service-policy: qos
      Class-map: ip_traffic_2
        Input police Interface inside:
          cir 56000 bps, bc 10500 bytes
          conformed 181 packets, 80384 bytes; actions: transmit
          exceeded 26 packets, 33536 bytes; actions: drop
          conformed 24 bps, exceed 0 bps
        Output police Interface inside:
          cir 56000 bps, bc 10500 bytes
          conformed 101 packets, 122203 bytes; actions: transmit
          exceeded 48 packets, 63072 bytes; actions: drop
          conformed 728 bps, exceed 376 bps
      Class-map: ip_traffic_3
        Input police Interface inside:
          cir 1024000 bps, bc 37500 bytes
          conformed 2357 packets, 1981143 bytes; actions: transmit
          exceeded 300 packets, 371864 bytes; actions: drop
          conformed 216 bps, exceed 0 bps
        Output police Interface inside:
          cir 1024000 bps, bc 37500 bytes
          conformed 1166 packets, 1470955 bytes; actions: transmit
          exceeded 154 packets, 199524 bytes; actions: drop
          conformed 8792 bps, exceed 1192 bps
      Class-map: ip_traffic_4
        Input police Interface inside:
          cir 1000000000 bps, bc 500000 bytes
          conformed 4389 packets, 2077796 bytes; actions: transmit
          exceeded 0 packets, 0 bytes; actions: drop
          conformed 824 bps, exceed 0 bps
        Output police Interface inside:
          cir 1000000000 bps, bc 500000 bytes
          conformed 5091 packets, 5470778 bytes; actions: transmit
          exceeded 0 packets, 0 bytes; actions: drop
          conformed 32720 bps, exceed 0 bps

The `exceeded ... actions: drop` counters are the evidence that the policer is actually biting: ip_traffic_2 and ip_traffic_3 have dropped packets in both directions, while ip_traffic_4 has never exceeded its much higher limit. Note that in this capture the class-maps are named ip_traffic_2/3/4 rather than host-2/3/4, and the third and fourth hosts are policed at 1024000 and 1000000000 bps, which differs from the requirement 4 configuration listed above.

2. Access-list counters
  pixfirewall# sh access-list
  access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
              alert-interval 300
  access-list ip_traffic_2; 2 elements
  access-list ip_traffic_2 line 1 extended permit ip host 172.16.3.2 host 192.168.104.253 (hitcnt=6) 0x8f698132
  access-list ip_traffic_2 line 2 extended permit ip host 192.168.104.253 host 172.16.3.2 (hitcnt=2) 0x2810a423
  access-list ip_traffic_3; 2 elements
  access-list ip_traffic_3 line 1 extended permit ip host 172.16.3.3 host 192.168.104.253 (hitcnt=5) 0xd680b987
  access-list ip_traffic_3 line 2 extended permit ip host 192.168.104.253 host 172.16.3.3 (hitcnt=2) 0x4ead4e72
  access-list ip_traffic_4; 2 elements
  access-list ip_traffic_4 line 1 extended permit ip host 172.16.3.4 host 192.168.104.253 (hitcnt=9) 0x5c55f7c
  access-list ip_traffic_4 line 2 extended permit ip host 192.168.104.253 host 172.16.3.4 (hitcnt=2) 0xb321e07d

The non-zero hitcnt on both lines of each ACL confirms that traffic in both directions is being classified into the intended class-map.

Summary
1. Main steps (very simple)

  Step 1: write the ACL (see the ACLs in the requirements above). Whatever rate limit you need, the only thing to do is nest the access list inside a class-map with `match access-list`.
  Step 2:
    class-map rate-limit
     match access-list xxx
  Step 3:
    policy-map rate-limit
     class rate-limit
      police input 56000 10500 conform-action transmit exceed-action drop
      police output 56000 10500 conform-action transmit exceed-action drop
  Step 4:
    service-policy rate-limit interface inside

2. This way of limiting traffic cannot be used on the outside interface, because PAT is performed on the outside interface: after the addresses have been translated by NAT, the matching source and destination addresses are not found. I have tried it, though, and using any to any does limit traffic. Any rate limit that specifies a source or destination address will not take effect there.
3. About the rate

When applying `police`, the unit is bps. Remember that this is bits: it is a rate unit, so to convert it to the storage unit (bytes per second) you have to divide by 8. The 56000 bps used above is therefore 7000 bytes/s, roughly 6.8 KB/s.
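The counter output in the verification section and the bits-versus-bytes caveat just above both call for the same check: pull the per-class `cir`, `conformed` and `exceeded` figures out of `show service-policy`, compute how much of the traffic the policer is actually dropping, express the configured rate in bytes/s, and flag any class whose cir does not match what was intended. The script below does that. It is an added example, not part of the original article; the `SAMPLE` text is the article's own capture trimmed to two of the policing classes, and the expected rates handed to `audit()` are the requirement 4 values, so the mismatch it reports for ip_traffic_4 is exactly the discrepancy visible in the capture above.

```python
"""Parse ASA 'show service-policy' policer counters and audit them
(added example; SAMPLE is the article's capture, trimmed)."""
import re
from dataclasses import dataclass
from typing import Dict, List

SAMPLE = """Interface inside:
  Service-policy: qos
    Class-map: ip_traffic_2
      Input police Interface inside:
        cir 56000 bps, bc 10500 bytes
        conformed 181 packets, 80384 bytes; actions: transmit
        exceeded 26 packets, 33536 bytes; actions: drop
        conformed 24 bps, exceed 0 bps
      Output police Interface inside:
        cir 56000 bps, bc 10500 bytes
        conformed 101 packets, 122203 bytes; actions: transmit
        exceeded 48 packets, 63072 bytes; actions: drop
        conformed 728 bps, exceed 376 bps
    Class-map: ip_traffic_4
      Input police Interface inside:
        cir 1000000000 bps, bc 500000 bytes
        conformed 4389 packets, 2077796 bytes; actions: transmit
        exceeded 0 packets, 0 bytes; actions: drop
        conformed 824 bps, exceed 0 bps
      Output police Interface inside:
        cir 1000000000 bps, bc 500000 bytes
        conformed 5091 packets, 5470778 bytes; actions: transmit
        exceeded 0 packets, 0 bytes; actions: drop
        conformed 32720 bps, exceed 0 bps
"""

# One policer block: direction, interface, cir/bc, two counter lines, rates.
POLICE_RE = re.compile(
    r"(Input|Output) police Interface (\S+):\s*"
    r"cir (\d+) bps, bc (\d+) bytes\s*"
    r"conformed (\d+) packets, (\d+) bytes; actions: \w+\s*"
    r"exceeded (\d+) packets, (\d+) bytes; actions: (\w+)\s*"
    r"conformed (\d+) bps, exceed (\d+) bps")


@dataclass
class Policer:
    interface: str
    cir_bps: int
    bc_bytes: int
    conformed_pkts: int
    conformed_bytes: int
    exceeded_pkts: int
    exceeded_bytes: int
    exceed_action: str
    conformed_rate_bps: int
    exceed_rate_bps: int

    def drop_ratio(self) -> float:
        """Share of packets that hit the exceed action (drop here)."""
        total = self.conformed_pkts + self.exceeded_pkts
        return self.exceeded_pkts / total if total else 0.0

    def cir_bytes_per_sec(self) -> float:
        """police rates are bits per second; divide by 8 for bytes."""
        return self.cir_bps / 8


def parse_service_policy(text: str) -> Dict[str, Dict[str, Policer]]:
    """Return {class_map: {'input'|'output': Policer}} for policing classes."""
    classes: Dict[str, Dict[str, Policer]] = {}
    for chunk in re.split(r"Class-map:\s+", text)[1:]:
        name = chunk.split(None, 1)[0]
        policers = {}
        for m in POLICE_RE.finditer(chunk):
            g = m.groups()
            policers[g[0].lower()] = Policer(
                g[1], int(g[2]), int(g[3]), int(g[4]), int(g[5]),
                int(g[6]), int(g[7]), g[8], int(g[9]), int(g[10]))
        if policers:  # inspection-only classes carry no policer
            classes[name] = policers
    return classes


def audit(classes: Dict[str, Dict[str, Policer]],
          expected_cir: Dict[str, int]) -> List[str]:
    """Flag a cir that differs from the intended rate, and policers that
    have never exceeded (limit too loose, or traffic not hitting the class)."""
    findings = []
    for name, policers in classes.items():
        for direction, p in policers.items():
            if name in expected_cir and p.cir_bps != expected_cir[name]:
                findings.append(
                    f"{name} {direction}: cir {p.cir_bps} bps, expected {expected_cir[name]}")
            if p.exceeded_pkts == 0:
                findings.append(f"{name} {direction}: never exceeded")
    return findings


if __name__ == "__main__":
    parsed = parse_service_policy(SAMPLE)
    for cls, pols in parsed.items():
        for d, p in pols.items():
            print(f"{cls} {d}: cir {p.cir_bytes_per_sec():.0f} B/s, "
                  f"drop ratio {p.drop_ratio():.1%}")
    for line in audit(parsed, {"ip_traffic_2": 56000, "ip_traffic_4": 1024000000}):
        print("FINDING:", line)
```

Feed it the full `show service-policy` output from a live box instead of `SAMPLE`; the `inspection_default` class is skipped automatically because it has no policer block.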