PIX/ASA基于IP的限速详解实验配置

实验目的：pix/asa 基于IP的限速

 

注：试验已经经过验证，确认可行。

 

图：  

 测试PC----（inside）pix515

                  （outside）  

                       |
               192.168.104.253 -—交换机—192.168.104.254

 

地址说明：

 

Pc addr:172.16.3.2
PIX inside addr:172.16.3.1
PIX outside addr:192.168.104.1
测试机192.168.104.254 和 253

Pix模式：NAT

 

非常重要的一点，上传和下载也就是input和output的方向是依赖于端口的比如：

inside端口 下载output流量从防火墙传到Pc，上传就是input流量从pc进入pix
Outside端口方向相反 下载 input 流量从外网进入防火网 上传就是output流量从防火墙到外网

 

需求1：限制所有内网主机从192.168.104.253下载的流量。
Access-list all_host extended permit ip host 192.168.104.253 any
Class-map all_host
Match access-list all_host
Policy-map all_host
Class all_host
Police output 56000 10500 conform-action transmit exceed-action drop 可以省略
Service-policy all_host interface inside

 

需求2：限制所有内网主机从192.168.104.253上传的流量。
Access-list all_host extended permit ip any host 192.168.104.253
Class-map all_host

Match access-list all_host
Policy-map all_host
Class all_host
Police intput 56000 10500 conform-action transmit exceed-action drop 可以省略
Service-policy all_host interface inside

 

需求3：限制某个主机从192.168.104.253的上传和下载流量。
Access-list host extended permit ip host 192.168.104.253 host 172.16.3.2
Access-list host extended permit ip host 172.16.3.2 host 192.168.104.253
Class-map host
Match access-list host
Policy-map host
Class host
Police intput 56000 10500 conform-action transmit exceed-action drop 可以省略
Police outtput 56000 10500 conform-action transmit exceed-action drop
Service-policy host interface inside

 

需求4：限制内网其中三台主机到192.168.104.253的不同的上传和下载的流量，其他主机流量全部开放。
Access-list host-2 extended permit ip host 192.168.104.253 host 172.16.3.2
Access-list host-2 extended permit ip host 172.16.3.2 host 192.168.104.253
Access-list host-3 extended permit ip host 192.168.104.253 host 172.16.3.3
Access-list host-3 extended permit ip host 172.16.3.3 host 192.168.104.253
Access-list host-4 extended permit ip host 192.168.104.253 host 172.16.3.4
Access-list host-4 extended permit ip host 172.16.3.4 host 192.168.104.253
Class-map host-2
Match access-list host-2
Class-map host-3
Match access-list host-3
Class-map host-4
Match access-list host-4
Policy-map qos
Class host-2
Police intput 56000 10500 conform-action transmit exceed-action drop 可以省略
Police outtput 56000 10500 conform-action transmit exceed-action drop
Class host-3
Police intput 102400 37500 conform-action transmit exceed-action drop 可以省略
Police outtput 102400 37500 conform-action transmit exceed-action drop
Class host-4
Police intput 1024000000 5000000 conform-action transmit exceed-action drop 可以省略
Police outtput 1024000000 5000000 conform-action transmit exceed-action drop
Service-policy qos interface inside

 

配置完成后，查看流量计数器

1、service-policy 流量计数器
pixfirewall# sh service-policy

Global policy:
Service-policy: global_policy
Class-map: inspection_default
Inspect: dns preset_dns_map, packet 45, drop 0, reset-drop 0
Inspect: ftp, packet 348, drop 0, reset-drop 0
Inspect: h323 h225 _default_h323_map, packet 0, drop 0, reset-drop 0
Inspect: h323 ras _default_h323_map, packet 0, drop 0, reset-drop 0
Inspect: netbios, packet 0, drop 0, reset-drop 0
Inspect: rsh, packet 0, drop 0, reset-drop 0

Inspect: rtsp, packet 0, drop 0, reset-drop 0
Inspect: skinny, packet 0, drop 0, reset-drop 0
Inspect: esmtp _default_esmtp_map, packet 0, drop 0, reset-drop 0
Inspect: sqlnet, packet 0, drop 0, reset-drop 0
Inspect: sunrpc, packet 0, drop 0, reset-drop 0
Inspect: tftp, packet 0, drop 0, reset-drop 0
Inspect: sip, packet 0, drop 0, reset-drop 0
Inspect: xdmcp, packet 0, drop 0, reset-drop 0

Interface inside:
Service-policy: qos
Class-map: ip_traffic_2
Input police Interface inside:
cir 56000 bps, bc 10500 bytes
conformed 181 packets, 80384 bytes; actions:transmit
exceeded 26 packets, 33536 bytes; actions:drop
conformed 24 bps, exceed 0 bps
Output police Interface inside:
cir 56000 bps, bc 10500 bytes
conformed 101 packets, 122203 bytes; actions:transmit
exceeded 48 packets, 63072 bytes; actions:drop
conformed 728 bps, exceed 376 bps
Class-map: ip_traffic_3
Input police Interface inside:
cir 1024000 bps, bc 37500 bytes
conformed 2357 packets, 1981143 bytes; actions:transmit
exceeded 300 packets, 371864 bytes; actions:drop
conformed 216 bps, exceed 0 bps

Output police Interface inside:
cir 1024000 bps, bc 37500 bytes
conformed 1166 packets, 1470955 bytes; actions:transmit
exceeded 154 packets, 199524 bytes; actions:drop
conformed 8792 bps, exceed 1192 bps
Class-map: ip_traffic_4
Input police Interface inside:
cir 1000000000 bps, bc 500000 bytes
conformed 4389 packets, 2077796 bytes; actions:transmit
exceeded 0 packets, 0 bytes; actions:drop
conformed 824 bps, exceed 0 bps
Output police Interface inside:
cir 1000000000 bps, bc 500000 bytes
conformed 5091 packets, 5470778 bytes; actions:transmit
exceeded 0 packets, 0 bytes; actions:drop
conformed 32720 bps, exceed 0 bps

 

2、访问控制列表计数器

pixfirewall# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list ip_traffic_2; 2 elements
access-list ip_traffic_2 line 1 extended permit ip host 172.16.3.2 host 192.168.104.253 (hitcnt=6) 0x8f698132
access-list ip_traffic_2 line 2 extended permit ip host 192.168.104.253 host 172.16.3.2 (hitcnt=2) 0x2810a423
access-list ip_traffic_3; 2 elements
access-list ip_traffic_3 line 1 extended permit ip host 172.16.3.3 host 192.168.104.253 (hitcnt=5) 0xd680b987
access-list ip_traffic_3 line 2 extended permit ip host 192.168.104.253 host 172.16.3.3 (hitcnt=2) 0x4ead4e72
access-list ip_traffic_4; 2 elements
access-list ip_traffic_4 line 1 extended permit ip host 172.16.3.4 host 192.168.104.253 (hitcnt=9) 0x5c55f7c
access-list ip_traffic_4 line 2 extended permit ip host 192.168.104.253 host 172.16.3.4 (hitcnt=2) 0xb321e07d

 

总结

1、主要步骤（很简单）

步骤1：编写ACL（参考需求中ACL）

需要实现什么样限速只需要将访问控制列嵌套在class-map里面，然后match access-list

步骤2：class-map rate-limit
Match access-list xxx

步骤3：policy-map rate-limit
Class rate-limit
police input 56000 10500 conform-action transmit exceed-action drop
police output 56000 10500 conform-action transmit exceed-action drop

步骤4：service-policy rate-limit interface inside

 

2、这种限制流量的做法不能使用在outside上，因为在outside端口上做PAT，地址经过NAT转换以后，找不到匹配的目的和原地址，但是我试过如果使用any 到 any是可以限制流量的。任何源和目的指定地址限速都不会生效。

 

3、关于速率的问题
在应用police的时候单位是bps 记住是bit 它是速率单位，所以如果要把它换算为存储单位的为需要除以8。

以上写的不一定全对，请牛人指正。