Good afternoon!
Could someone tell me, pls, how to enable this fashionable and useful feature?
Back in 2010 the docs mentioned:
Rate Policing For Zone-Based Policy Firewall
Cisco IOS Software Release 12.4(9)T augments ZFW with rate-limiting by adding the capability to police traffic
matching the definitions of a specific class-map as it traverses the firewall from one security zone to another.
This provides the convenience of offering one configuration point to describe specific traffic, apply firewall policy,
and police that traffic’s bandwidth consumption.
Configuring ZFW Policing
ZFW policing limits traffic in a policy-map’s class-map to a user-defined rate value between 8,000 and 2,000,000,000
bits per second, with a configurable burst value in the range of 1,000 to 512,000,000 bytes.
ZFW policing can only specify bandwidth use in bytes/second; packet/second and bandwidth percentage policing
are not offered. ZFW policing can be applied with or without interface-based policing. Therefore, if additional policing
capabilities are required, these features can be applied by interface-based policing.
ZFW policing is configured by an additional line of configuration in the policy-map, which is applied after the policy action:
Code:
policy-map type inspect private-allowed-policy
class type inspect http-class
inspect
police rate [bps rate value <8000-2000000000>] burst [value in bytes <1000-512000000>]
https://www.cisco.com/c/en/us/support/d ... l#rate-zbf
But somehow I don't see this feature in IOS-XE 16.9.
Has this fashionable augmentation been moved somewhere, or has it been ripped out entirely?
Are there any security specialists here who can shed some light on this?
In a regular policy-map it is there, but in a policy-map type inspect it is not.
Code:
policy-map TEST-1
class TEST-1
police rate 50000000 burst 25000 conform-action transmit exceed-action drop
policy-map type inspect TEST
class type inspect TEST
inspect
class class-default
drop
Code:
c1111-VPN(config)#policy-map type inspect TEST
c1111-VPN(config-pmap)# class type inspect TEST
c1111-VPN(config-pmap-c)#inspect
c1111-VPN(config-pmap-c)#?
Policy-map class configuration commands:
cxsc CXSC Inspection
drop Drop the packet
exit Exit from class action configuration mode
inspect ZBFW inspection
no Negate or set default values of a command
pass Pass the packet
service-policy Deep Packet Inspection Engine
(service-policy here is not about this.)
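The quoted Cisco text says ZFW policing "can be applied with or without interface-based policing" and that additional policing capabilities "can be applied by interface-based policing". The configuration below is an added example, not part of the original post or Cisco's documentation: it combines the poster's ZBFW inspect policy with a regular QoS policy-map that polices the same traffic on the zone-member interface, using the `police rate ... burst ... conform-action transmit exceed-action drop` form the poster already found accepted in a plain policy-map. Zone names, the ACL, the class-map names and the interface are assumptions for illustration.

```text
! --- Example (added, not from the post): interface-based policing beside ZBFW ---
! Assumed security zones and the zone-pair that carries the inspect policy
zone security inside
zone security outside
!
! Assumed ACL describing the traffic we want both inspected and rate-limited
ip access-list extended HTTP-ACL
 permit tcp 10.0.0.0 0.0.0.255 any eq www
!
! ZBFW side: class-map / policy-map "type inspect" (no "police" under the inspect class,
! which is exactly what the poster observes on IOS-XE 16.9)
class-map type inspect match-all TEST
 match access-group name HTTP-ACL
!
policy-map type inspect TEST
 class type inspect TEST
  inspect
 class class-default
  drop
!
zone-pair security IN-OUT source inside destination outside
 service-policy type inspect TEST
!
! QoS side: ordinary (non-inspect) class-map / policy-map carrying the policer.
! Rate is in bits per second, burst in bytes, as the poster's working example shows.
class-map match-all HTTP-CLASS
 match access-group name HTTP-ACL
!
policy-map HTTP-POLICE
 class HTTP-CLASS
  police rate 50000000 burst 25000 conform-action transmit exceed-action drop
!
! The interface is a member of the "inside" zone (so the zone-pair policy applies)
! and at the same time carries the QoS policer in the ingress direction.
interface GigabitEthernet0/0/1
 description assumed LAN-facing interface
 zone-member security inside
 service-policy input HTTP-POLICE
```

Two things to check after applying this: `show policy-map interface GigabitEthernet0/0/1` should show conform/exceed counters moving for HTTP-CLASS, and `show policy-map type inspect zone-pair IN-OUT` should still show sessions being inspected; if the QoS class never matches, verify that the QoS class-map and the inspect class-map reference the same ACL, since the two policies are evaluated independently.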