Cisco ASA成形

Question

我正试图在我的5505上塑造交通。我可以做通常的警务，但与往常一样，它是上上下下的，并没有得到最好的结果。

当我试图创建自己的类映射时，我得到了关于ERROR: 'shape' can only be configured for class "class-default"的信息，尽管我无法找到通过端口将类默认映射绑定起来的方法。

以下是我在尝试自己的课程和政策时得到的结果：

ASA(config)# class-map test
ASA(config-cmap)# match port tcp eq 80
ASA(config-cmap)# exit
ASA(config)# policy-map test
ASA(config-pmap)# ?

MPF policy-map configuration commands
  class        Policy criteria
  description  Specify policy-map description
  exit         Exit from MPF policy-map configuration mode
  help         Help for MPF policy-map configuration commands
  no           Negate or set default values of a command
  rename       Rename this policy-map
  <cr>
ASA(config-pmap)# class test
ASA(config-pmap-c)# ?

MPF policy-map class configuration commands:
  exit             Exit from MPF class action configuration mode
  help             Help for MPF policy-map class/match submode commands
  no               Negate or set default values of a command
  police           Rate limit traffic for this class
  priority         Strict scheduling priority for this class
  quit             Exit from MPF class action configuration mode
  service-policy   Configure QoS Service Policy
  set              Set connection values
  shape            Traffic Shaping
  user-statistics  configure user statistics for identity firewall
  <cr>
  csc              Content Security and Control service module
  flow-export      Configure filters for NetFlow events
  inspect          Protocol inspection services
  ips              Intrusion prevention services
ASA(config-pmap-c)# shape ?

mpf-policy-map-class mode commands/options:
  average  configure token bucket: CIR (bps) [Bc (bits)], send out Bc only per
           interval
ASA(config-pmap-c)# shape av
ASA(config-pmap-c)# shape average ?

mpf-policy-map-class mode commands/options:
  <64000-154400000>  Target Bit Rate (bits per second), the value needs to be
                     multiple of 8000
ASA(config-pmap-c)# shape average 64000
ERROR: 'shape' can only be configured for class "class-default"
ASA(config-pmap-c)#

现在，离开类默认类，下面是我可以做的事情：

ASA(config)# policy-map tester
ASA(config-pmap)# ?

MPF policy-map configuration commands
  class        Policy criteria
  description  Specify policy-map description
  exit         Exit from MPF policy-map configuration mode
  help         Help for MPF policy-map configuration commands
  no           Negate or set default values of a command
  rename       Rename this policy-map
  <cr>
ASA(config-pmap)# class class-default
ASA(config-pmap-c)# ?

MPF policy-map class configuration commands:
  exit             Exit from MPF class action configuration mode
  help             Help for MPF policy-map class/match submode commands
  no               Negate or set default values of a command
  police           Rate limit traffic for this class
  priority         Strict scheduling priority for this class
  quit             Exit from MPF class action configuration mode
  service-policy   Configure QoS Service Policy
  set              Set connection values
  shape            Traffic Shaping
  user-statistics  configure user statistics for identity firewall
  <cr>
  csc              Content Security and Control service module
  flow-export      Configure filters for NetFlow events
  inspect          Protocol inspection services
  ips              Intrusion prevention services

正如你所看到的，我没有选择通过端口等限制。

我有什么办法做到这一点吗？

为了完整起见，下面是sh：

ASA(config-pmap-c)# sh ver

Cisco Adaptive Security Appliance Software Version 8.4(2)
Device Manager Version 6.4(5)206

Compiled on Wed 15-Jun-11 18:17 by builders
System image file is "disk0:/asa842-k8.bin"
Config file at boot was "startup-config"

ASA up 2 hours 7 mins

Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash M50FW016 @ 0xfff00000, 2048KB

Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
                             Boot microcode        : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode     : CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode       : CNlite-MC-IPSECm-MAIN-2.06
                             Number of accelerators: 1

 0: Int: Internal-Data0/0    : address is e05f.b9ab.be21, irq 11
 1: Ext: Ethernet0/0         : address is e05f.b9ab.be19, irq 255
 2: Ext: Ethernet0/1         : address is e05f.b9ab.be1a, irq 255
 3: Ext: Ethernet0/2         : address is e05f.b9ab.be1b, irq 255
 4: Ext: Ethernet0/3         : address is e05f.b9ab.be1c, irq 255
<--- More --->

谢谢

Answer 1

简单的回答是，在当前版本(ASA 8.4.2)中，不可能在特定流量上执行传统的QoS shape。ASA只能将给定接口上的所有通信量shape到指定的速率。

使用下面的配置指南中的相关部分作为完整的参考。你可以找到这也很有趣。