Handling Fragmented Traffic: reassemble all the fragments of a packet to inspect the contents
Prioritizing Traffic:
Controlling Traffic Bandwidth: traffic policing and traffic shaping
Packets coming into an ASA may be fragmented or whole. The same security policies that inspect whole packets aren’t as effective when inspecting fragments. An ASA can be configured to intercept packet fragments and virtually reassemble them so that they can be inspected normally.
An ASA can also be configured to identify certain traffic types so that they can be handled in a more efficient manner than is normally done. This allows time- or mission-critical packets to be forwarded ahead of other packets after inspection.
You can also configure an ASA to control the amount of bandwidth used by certain types of traffic. Traffic policing and shaping are two methods to hold traffic bandwidth within predefined limits.
You can verify the interface MTU settings with the show running-config mtu command. If you find that the default MTU value of 1500 needs to be adjusted, you can use the following command to set the interface MTU from 64 to 65,535 bytes. Be aware that 9216 bytes is a common practical limit known as a “giant” packet.
ciscoasa(config)# mtu interface bytes
Cisco ASAs can participate in MTU discovery along an end-to-end IP routing path. This process follows RFC 1191, where the source and destination are expected to use an MTU value equal to the smallest allowed MTU along the complete path.
What happens when an ASA receives packets that have already been fragmented?
Rather than passing the fragments along toward their destination, an ASA will inspect the fragments to make sure that they aren’t part of some malicious activity.
To do this, the ASA must store each fragment in a cache and virtually reassemble the fragments so that it can inspect the complete original packet and verify the order and integrity of each fragment. If the reassembled packet passes inspection, the ASA discards the reassembled copy and forwards all of the original fragments toward the destination—as if nothing had happened to them.
Naturally, an ASA has to limit the resources it uses for the virtual packet reassembly process. Otherwise, someone could send an endless stream of fragmented packets and exhaust the ASA’s memory. Virtual packet reassembly is limited in the following ways by default:
| Function | Command Syntax |
| --- | --- |
| Limit the number of packets awaiting reassembly | ciscoasa(config)# fragment size packets [interface] |
| Limit the number of fragments per packet | ciscoasa(config)# fragment chain fragments [interface] |
| Limit the time for all parts of a packet to arrive | ciscoasa(config)# fragment timeout seconds [interface] |
You can monitor an ASA’s fragmentation activity with the show fragment EXEC command.
In the following example output, the outside interface has the default fragment settings (database size 200 packets, chain limit 24 fragments, and timeout limit 5 seconds).
ciscoasa# show fragment outside
Interface: outside
    Size: 200, Chain: 24, Timeout: 5, Reassembly: virtual
    Queue: 2, Assemble: 2562, Fail: 972, Overflow: 713
The output shows that the ASA has reassembled 2562 packets, and two packets are awaiting reassembly. The output also shows that the reassembly process has failed 972 times. This is because the timeout limit expired while the process was waiting for all fragments to arrive. The process has also had overflow conditions, indicating that for 712 different packets, more than 24 fragments arrived and overflowed the packet buffer.
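As an added illustration, not from the original page and not Cisco's implementation, the following Python model implements the virtual reassembly cache described above with the three limits from the table (database size, chain length, timeout), and reports counters under the same names as the show fragment output so the Assemble, Fail and Overflow interpretation can be traced on constructed traffic. The flow tuples, payloads, the simplified fragment fields and the extra db_full counter are assumptions of this model; the page does not describe the ASA's actual header parsing or which counter it increments when the reassembly database is full.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Fragment:
    """One IP fragment, reduced to the fields reassembly needs (no real header)."""
    flow: tuple      # (src, dst, proto, ip_id) identifies the original packet (assumed key)
    offset: int      # byte offset of this fragment's payload within the packet
    payload: bytes
    more: bool       # IPv4 "more fragments" flag: True unless this is the last fragment


@dataclass
class _Pending:
    first_seen: float                          # arrival time of the first fragment
    frags: dict = field(default_factory=dict)  # offset -> (payload, more)


class FragmentCache:
    """Toy model of virtual reassembly limited by database size, chain length and timeout.
    Counters use the names shown by `show fragment`; `db_full` is this model's own assumed
    counter, since the text does not say what the ASA counts when the database is full.
    """

    def __init__(self, size=200, chain=24, timeout=5):
        self.size, self.chain, self.timeout = size, chain, timeout  # the three limits
        self.pending = {}                       # flow -> _Pending (packets awaiting reassembly)
        self.assemble = self.fail = self.overflow = self.db_full = 0

    def expire(self, now):
        """Fail every packet whose fragments have not all arrived within `timeout` seconds."""
        stale = [f for f, p in self.pending.items() if now - p.first_seen > self.timeout]
        for flow in stale:
            del self.pending[flow]
            self.fail += 1

    def add(self, frag, now):
        """Cache a fragment; return the reassembled payload once the packet is complete.
        In virtual mode the ASA inspects only this reassembled copy and then forwards
        the original fragments unchanged.
        """
        self.expire(now)
        entry = self.pending.get(frag.flow)
        if entry is None:
            if len(self.pending) >= self.size:
                self.db_full += 1               # no room for another packet: drop it
                return None
            entry = self.pending[frag.flow] = _Pending(first_seen=now)
        entry.frags[frag.offset] = (frag.payload, frag.more)
        if len(entry.frags) > self.chain:
            del self.pending[frag.flow]         # chain limit exceeded: whole packet dropped
            self.overflow += 1
            return None
        data = self._try_assemble(entry)
        if data is not None:
            del self.pending[frag.flow]
            self.assemble += 1
        return data

    @staticmethod
    def _try_assemble(entry):
        """Return the payload only if fragments are contiguous from offset 0 and the last has MF clear."""
        pos, out, last_more = 0, bytearray(), True
        for off in sorted(entry.frags):
            payload, more = entry.frags[off]
            if off != pos:                      # gap (or overlap): cannot assemble yet
                return None
            out += payload
            pos += len(payload)
            last_more = more
        return None if last_more else bytes(out)

    def status(self):
        """The fields of the `show fragment` output discussed in the text."""
        return {"Size": self.size, "Chain": self.chain, "Timeout": self.timeout,
                "Queue": len(self.pending), "Assemble": self.assemble,
                "Fail": self.fail, "Overflow": self.overflow}


def fragment(flow, payload, chunk):
    """Split a payload into `chunk`-byte fragments (constructed test traffic, not captured)."""
    return [Fragment(flow, off, payload[off:off + chunk], more=off + chunk < len(payload))
            for off in range(0, len(payload), chunk)]


def demo():
    """Three constructed packets: one reassembles, one overflows the chain, one times out."""
    cache = FragmentCache(size=200, chain=24, timeout=5)          # the defaults from the text
    flow_a, flow_b, flow_c = [("10.0.0.1", "10.0.0.2", 17, i) for i in (1, 2, 3)]
    # 1) three fragments arriving in reverse order still reassemble -> Assemble
    results = [cache.add(f, now=0.0) for f in reversed(fragment(flow_a, b"A" * 2500, 1000))]
    # 2) 25 fragments of 100 bytes exceed chain=24 -> Overflow
    for f in fragment(flow_b, b"B" * 2500, 100):
        cache.add(f, now=1.0)
    # 3) only the first of two fragments arrives; 6 s later the 5 s timeout has passed -> Fail
    cache.add(fragment(flow_c, b"C" * 2000, 1000)[0], now=2.0)
    cache.expire(now=8.0)
    return results[-1], cache.status()


if __name__ == "__main__":
    data, status = demo()
    print(len(data), status)
```

Running demo() yields a 2500-byte reassembled payload and a status of Queue 0, Assemble 1, Fail 1, Overflow 1, which is the same reading applied to the real output above: Fail counts packets whose fragments never all arrived before the timeout, and Overflow counts packets that arrived in more fragments than the chain limit. Overlapping fragments are deliberately never assembled by this model, so they age out as Fail rather than being inspected.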
Original URL: http://www.cnblogs.com/elewei/p/4895943.html