IOS version: 822-k8 (the version that shipped before was 703; the 2003-era IOS is very crippled and does not support defining input policing, so upgrading to 723 or later is recommended)

PIX/ASA IP-based rate limiting: detailed lab configuration
ASA, PIX
Lab objective: PIX/ASA rate limiting based on IP address

Note: this lab has been verified and confirmed to work.

Diagram:
Test PC----(inside)pix515 (outside)
                                 |
192.168.104.253 ---switch--- 192.168.104.254


Addresses: PC addr: 172.16.3.2
PIX inside addr: 172.16.3.1
PIX outside addr: 192.168.104.1
Test hosts: 192.168.104.254 and 253

PIX mode: NAT

A very important point: the upload and download directions, i.e. input and output, depend on the interface the policy is applied to.

For example, on the inside interface:
download is output traffic, flowing from the firewall to the PC;
upload is input traffic, entering the PIX from the PC.
On the outside interface the directions are reversed:
download is input traffic entering the firewall from the external network; upload is output traffic from the firewall to the external network.

Requirement 1: limit the traffic all internal hosts download from 192.168.104.253.
access-list all_host extended permit ip host 192.168.104.253 any
class-map all_host
match access-list all_host
policy-map all_host
class all_host
police output 56000 10500 conform-action transmit exceed-action drop   (conform-action transmit exceed-action drop are the defaults and can be omitted)
service-policy all_host interface inside

Requirement 2: limit the traffic all internal hosts upload to 192.168.104.253.
access-list all_host extended permit ip any host 192.168.104.253
class-map all_host
match access-list all_host
policy-map all_host
class all_host
police input 56000 10500 conform-action transmit exceed-action drop   (conform-action transmit exceed-action drop are the defaults and can be omitted)
service-policy all_host interface inside

Requirement 3: limit one host's upload and download traffic to and from 192.168.104.253.
access-list host extended permit ip host 192.168.104.253 host 172.16.3.2
access-list host extended permit ip host 172.16.3.2 host 192.168.104.253
class-map host
match access-list host
policy-map host
class host
police input 56000 10500 conform-action transmit exceed-action drop   (conform-action transmit exceed-action drop are the defaults and can be omitted)
police output 56000 10500 conform-action transmit exceed-action drop
service-policy host interface inside

Requirement 4: apply different upload and download limits to three internal hosts talking to 192.168.104.253, and leave all other hosts' traffic unrestricted.
access-list host-2 extended permit ip host 192.168.104.253 host 172.16.3.2
access-list host-2 extended permit ip host 172.16.3.2 host 192.168.104.253
access-list host-3 extended permit ip host 192.168.104.253 host 172.16.3.3
access-list host-3 extended permit ip host 172.16.3.3 host 192.168.104.253
access-list host-4 extended permit ip host 192.168.104.253 host 172.16.3.4
access-list host-4 extended permit ip host 172.16.3.4 host 192.168.104.253
class-map host-2
match access-list host-2
class-map host-3
match access-list host-3
class-map host-4
match access-list host-4
policy-map qos
class host-2
police input 56000 10500 conform-action transmit exceed-action drop   (conform-action transmit exceed-action drop are the defaults and can be omitted)
police output 56000 10500 conform-action transmit exceed-action drop
class host-3
police input 102400 37500 conform-action transmit exceed-action drop   (conform-action transmit exceed-action drop are the defaults and can be omitted)
police output 102400 37500 conform-action transmit exceed-action drop
class host-4
police input 1024000000 5000000 conform-action transmit exceed-action drop   (conform-action transmit exceed-action drop are the defaults and can be omitted)
police output 1024000000 5000000 conform-action transmit exceed-action drop
service-policy qos interface inside

After the configuration is complete, check the traffic counters.
1. service-policy traffic counters
pixfirewall# sh service-policy

Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: dns preset_dns_map, packet 45, drop 0, reset-drop 0
      Inspect: ftp, packet 348, drop 0, reset-drop 0
      Inspect: h323 h225 _default_h323_map, packet 0, drop 0, reset-drop 0
      Inspect: h323 ras _default_h323_map, packet 0, drop 0, reset-drop 0
      Inspect: netbios, packet 0, drop 0, reset-drop 0
      Inspect: rsh, packet 0, drop 0, reset-drop 0
      Inspect: rtsp, packet 0, drop 0, reset-drop 0
      Inspect: skinny, packet 0, drop 0, reset-drop 0
      Inspect: esmtp _default_esmtp_map, packet 0, drop 0, reset-drop 0
      Inspect: sqlnet, packet 0, drop 0, reset-drop 0
      Inspect: sunrpc, packet 0, drop 0, reset-drop 0
      Inspect: tftp, packet 0, drop 0, reset-drop 0
      Inspect: sip, packet 0, drop 0, reset-drop 0
      Inspect: xdmcp, packet 0, drop 0, reset-drop 0

Interface inside:
  Service-policy: qos
    Class-map: ip_traffic_2
      Input police Interface inside:
        cir 56000 bps, bc 10500 bytes
        conformed 181 packets, 80384 bytes; actions:
          transmit
        exceeded 26 packets, 33536 bytes; actions:
          drop
        conformed 24 bps, exceed 0 bps
      Output police Interface inside:
        cir 56000 bps, bc 10500 bytes
        conformed 101 packets, 122203 bytes; actions:
          transmit
        exceeded 48 packets, 63072 bytes; actions:
          drop
        conformed 728 bps, exceed 376 bps
    Class-map: ip_traffic_3
      Input police Interface inside:
        cir 1024000 bps, bc 37500 bytes
        conformed 2357 packets, 1981143 bytes; actions:
          transmit
        exceeded 300 packets, 371864 bytes; actions:
          drop
        conformed 216 bps, exceed 0 bps
      Output police Interface inside:
        cir 1024000 bps, bc 37500 bytes
        conformed 1166 packets, 1470955 bytes; actions:
          transmit
        exceeded 154 packets, 199524 bytes; actions:
          drop
        conformed 8792 bps, exceed 1192 bps
    Class-map: ip_traffic_4
      Input police Interface inside:
        cir 1000000000 bps, bc 500000 bytes
        conformed 4389 packets, 2077796 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          drop
        conformed 824 bps, exceed 0 bps
      Output police Interface inside:
        cir 1000000000 bps, bc 500000 bytes
        conformed 5091 packets, 5470778 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          drop
        conformed 32720 bps, exceed 0 bps

2. Access-list counters
pixfirewall# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list ip_traffic_2; 2 elements
access-list ip_traffic_2 line 1 extended permit ip host 172.16.3.2 host 192.168.104.253 (hitcnt=6) 0x8f698132
access-list ip_traffic_2 line 2 extended permit ip host 192.168.104.253 host 172.16.3.2 (hitcnt=2) 0x2810a423
access-list ip_traffic_3; 2 elements
access-list ip_traffic_3 line 1 extended permit ip host 172.16.3.3 host 192.168.104.253 (hitcnt=5) 0xd680b987
access-list ip_traffic_3 line 2 extended permit ip host 192.168.104.253 host 172.16.3.3 (hitcnt=2) 0x4ead4e72
access-list ip_traffic_4; 2 elements
access-list ip_traffic_4 line 1 extended permit ip host 172.16.3.4 host 192.168.104.253 (hitcnt=9) 0x5c55f7c
access-list ip_traffic_4 line 2 extended permit ip host 192.168.104.253 host 172.16.3.4 (hitcnt=2) 0xb321e07d

Summary
1. Main steps (very simple)
Step 1: write the ACL (see the ACLs in the requirements above). Whatever rate limit you want, just nest the access list inside a class-map with match access-list.
Step 2: class-map rate-limit
        match access-list xxx
Step 3: policy-map rate-limit
        class rate-limit
        police input 56000 10500 conform-action transmit exceed-action drop
        police output 56000 10500 conform-action transmit exceed-action drop
Step 4: service-policy rate-limit interface inside

2. This way of limiting traffic cannot be used on the outside interface, because PAT is done on the outside interface: after NAT translation the matching destination and source addresses cannot be found. I did try it, and any-to-any does limit traffic, but any rate limit that specifies a particular source or destination address will not take effect.

3. On rates
The unit used when applying police is bps; remember that this is bits, a rate unit, so to convert it to a storage unit you need to divide by 8.
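To turn the counter check in section 1 and the bits-versus-bytes point above into something repeatable, here is an added example (not from the original post) that parses a `show service-policy` excerpt in the shape shown on this page, converts cir from bps to bytes per second, and flags policers dropping more than a chosen share of their bytes. The sample text is constructed, with the counters of the ip_traffic_2 class copied from the output above; the regexes assume the line layout the firewall prints there.

```python
import re
# Constructed sample in the shape of the page's `show service-policy` output
# (counters copied from the ip_traffic_2 class above); used as offline input.
SAMPLE = """\
    Class-map: ip_traffic_2
      Input police Interface inside:
        cir 56000 bps, bc 10500 bytes
        conformed 181 packets, 80384 bytes; actions:
        exceeded 26 packets, 33536 bytes; actions:
      Output police Interface inside:
        cir 56000 bps, bc 10500 bytes
        conformed 101 packets, 122203 bytes; actions:
          transmit
        exceeded 48 packets, 63072 bytes; actions:
          drop
        conformed 728 bps, exceed 376 bps
"""
CLASS_RE = re.compile(r"^\s*Class-map:\s+(\S+)")
DIR_RE = re.compile(r"^\s*(Input|Output) police\b")
CIR_RE = re.compile(r"cir (\d+) bps, bc (\d+) bytes")
# Matches only the packet/byte counter lines, not the trailing "conformed N bps" rate line.
CNT_RE = re.compile(r"^\s*(conformed|exceeded) (\d+) packets, (\d+) bytes")

def parse_service_policy(text):
    """Map class-map name -> 'input'/'output' -> policer settings and counters."""
    result, cls, direction = {}, None, None
    for line in text.splitlines():
        if m := CLASS_RE.match(line):
            cls, direction = m.group(1), None
            result[cls] = {}
        elif m := DIR_RE.match(line):
            direction = m.group(1).lower()
            result[cls][direction] = {}
        elif (m := CIR_RE.search(line)) and direction:
            cir = int(m.group(1))  # bits per second; // 8 gives bytes per second
            result[cls][direction].update(cir=cir, cir_Bps=cir // 8, bc=int(m.group(2)))
        elif (m := CNT_RE.match(line)) and direction:
            result[cls][direction][m.group(1) + "_pkts"] = int(m.group(2))
            result[cls][direction][m.group(1) + "_bytes"] = int(m.group(3))
    return result

def drop_ratio(stats):
    """Share of bytes the policer dropped: exceeded / (conformed + exceeded)."""
    total = stats.get("conformed_bytes", 0) + stats.get("exceeded_bytes", 0)
    return stats.get("exceeded_bytes", 0) / total if total else 0.0

def policers_over_threshold(text, threshold=0.25):
    return [(cls, d, round(drop_ratio(s), 4))
            for cls, dirs in parse_service_policy(text).items()
            for d, s in dirs.items() if drop_ratio(s) > threshold]
```

policers_over_threshold returns (class, direction, ratio) tuples; a policer that drops a large share of bytes means the configured cir is well below what that host actually pushes, which is what the sample's 56 kbps class shows.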