ASA Handling Traffic

Source: Internet
Author: User

Topics:

Handling fragmented traffic: reassemble all the fragments of a packet so that the contents can be inspected

Prioritizing traffic

Controlling traffic bandwidth: traffic policing and traffic shaping

Packets coming into an ASA may be fragmented or whole. The security policies that inspect whole packets aren't as effective when they are applied to individual fragments. An ASA can be configured to intercept packet fragments and virtually reassemble them so that they can be inspected normally.

An ASA can also be configured to identify certain traffic types so that they can be handled more efficiently than normal. This allows time-critical or mission-critical packets to be forwarded ahead of other packets after inspection.

You can also configure an ASA to control the amount of bandwidth used by certain types of traffic. Traffic policing and traffic shaping are methods of holding traffic bandwidth within predefined limits.

Part 1: Handling Fragmented Traffic

You can verify the interface MTU settings with the show running-config mtu command. If you find that the default MTU value of 1500 bytes needs to be adjusted, you can use the following command to set the interface MTU; the upper limit is 65,535 bytes. Be aware that 9216 bytes is a common practical limit, the usual maximum size of a jumbo frame.

ciscoasa(config)# mtu interface bytes

Cisco ASAs can participate in path MTU discovery along an end-to-end IP routing path. This process follows RFC 1191, in which the source and destination are expected to use an MTU value equal to the smallest allowed MTU along the complete path.

What happens if an ASA receives packets that have already been fragmented?

Rather than simply passing the fragments along toward their destination, an ASA inspects the fragments to make sure that they aren't part of some malicious activity.

To do this, the ASA must store each fragment in a cache and virtually reassemble the fragments so that it can inspect the complete original packet and verify the order and integrity of each fragment. If the reassembled packet passes inspection, the ASA discards its reassembled copy and forwards all of the original fragments toward the destination, as if nothing had happened to them.

Naturally, an ASA has to limit the resources it uses for the virtual packet reassembly process. Otherwise, someone could send an endless stream of fragmented packets and exhaust the ASA's memory. Virtual packet reassembly is limited in the following ways by default:

    • A maximum of 200 unique packets awaiting reassembly, per interface
    • A maximum of 24 fragments for a single packet
    • A maximum time of 5 seconds for all fragments of a packet to arrive

Commands used to configure virtual packet reassembly limits

Function                                             Command syntax
Limit the number of packets awaiting reassembly      ciscoasa(config)# fragment size packets [interface]
Limit the number of fragments per packet             ciscoasa(config)# fragment chain fragments [interface]
Limit the time for all parts of a packet to arrive   ciscoasa(config)# fragment timeout seconds [interface]

You can monitor an ASA's fragmentation activity with the show fragment EXEC command.
In the example below, the outside interface has the default fragment settings (database size 200 packets, chain limit 24 fragments, and timeout limit 5 seconds).

ciscoasa# show fragment outside
Interface: outside
   Size: 200, Chain: 24, Timeout: 5, Queue: 2, Assembled: 2562, Fail: 972, Overflow: 712

The output shows that the ASA has reassembled 2562 packets and that 2 packets are currently awaiting reassembly. The output also shows that the reassembly process has failed 972 times; a failure is counted when the timeout limit expires while the process is still waiting for all fragments to arrive. The process has also had 712 overflow conditions, indicating that for 712 different packets more than 24 fragments arrived and overflowed the packet buffer.
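The following is an added example, not Cisco code or text from the original page: a small Python model of the virtual reassembly cache described above, with the three limits the ASA exposes (fragment size, fragment chain, fragment timeout) and counters named after the show fragment fields. The traffic it replays is constructed, the addresses are made up, and the single-line report format is only an approximation of the real command output. It also drops overlapping fragments and counts them under an "invalid" counter that show fragment does not have; that handling is an assumption added here, not something the page describes.

```python
# Added example (not Cisco code): a simulation of the ASA's virtual fragment
# reassembly with its three default limits, to show why each limit exists.
from dataclasses import dataclass


@dataclass
class Fragment:
    """The IP header fields that matter for reassembly (constructed record)."""
    src: str
    dst: str
    proto: int
    ident: int        # IP Identification field, shared by all fragments of one packet
    offset: int       # Fragment Offset in 8-byte units, as in the IP header
    more: bool        # More Fragments flag; False marks the last fragment
    payload: bytes
    arrival: float    # simulated clock, in seconds


@dataclass
class Counters:
    """Named after the show fragment fields; 'invalid' is an addition here."""
    queue: int = 0       # packets currently awaiting reassembly
    assembled: int = 0
    fail: int = 0        # timeout expired before all fragments arrived
    overflow: int = 0    # chain limit or database size exceeded
    invalid: int = 0     # overlapping fragments (teardrop-style), dropped


class FragmentDatabase:
    """Per-interface fragment cache with fragment size / chain / timeout limits."""

    def __init__(self, size=200, chain=24, timeout=5.0):
        self.size, self.chain, self.timeout = size, chain, timeout
        self.pending = {}            # key -> {"frags": {offset: Fragment}, "first": t, "total": n}
        self.counters = Counters()

    def _drop(self, key):
        del self.pending[key]
        self.counters.queue = len(self.pending)

    def expire(self, now):
        """Discard every packet whose fragments did not all arrive within the timeout."""
        for key, entry in list(self.pending.items()):
            if now - entry["first"] > self.timeout:
                self._drop(key)
                self.counters.fail += 1

    def add(self, frag):
        """Cache one fragment; return the reassembled payload once the packet is complete."""
        self.expire(frag.arrival)
        key = (frag.src, frag.dst, frag.proto, frag.ident)
        entry = self.pending.get(key)
        if entry is None:
            if len(self.pending) >= self.size:   # database full: refuse to cache more
                self.counters.overflow += 1
                return None
            entry = {"frags": {}, "first": frag.arrival, "total": None}
            self.pending[key] = entry
            self.counters.queue = len(self.pending)
        if len(entry["frags"]) >= self.chain:    # too many fragments: give up on the packet
            self._drop(key)
            self.counters.overflow += 1
            return None
        entry["frags"][frag.offset] = frag
        if not frag.more:                        # the last fragment fixes the total length
            entry["total"] = frag.offset * 8 + len(frag.payload)
        return self._assemble(key, entry)

    def _assemble(self, key, entry):
        if entry["total"] is None:
            return None
        data = bytearray()
        for off in sorted(entry["frags"]):
            start = off * 8
            if start < len(data):                # overlap: malformed, drop the whole packet
                self._drop(key)
                self.counters.invalid += 1
                return None
            if start > len(data):                # gap: still waiting for a fragment
                return None
            data += entry["frags"][off].payload
        if len(data) != entry["total"]:
            return None
        self._drop(key)
        self.counters.assembled += 1
        return bytes(data)


def report(db, interface):
    """One-line summary in the spirit of show fragment (format is approximate)."""
    c = db.counters
    return (f"Interface: {interface}  Size: {db.size}, Chain: {db.chain}, "
            f"Timeout: {db.timeout:g}, Queue: {c.queue}, Assembled: {c.assembled}, "
            f"Fail: {c.fail}, Overflow: {c.overflow}, Invalid: {c.invalid}")


def simulate():
    """Replay constructed traffic against the default limits; return (db, payloads)."""
    db, got = FragmentDatabase(), []

    def send(ident, offset, more, size, t):
        out = db.add(Fragment("10.1.1.10", "10.2.2.20", 17, ident, offset, more, b"A" * size, t))
        if out is not None:
            got.append(out)

    for i in range(3):                 # 1. normal packet in three 16-byte pieces: assembled
        send(1, i * 2, i < 2, 16, i * 0.1)
    send(2, 0, True, 16, 1.0)          # 2. first fragment whose siblings never arrive
    for i in range(25):                # 3. 25 "more fragments" pieces: chain limit overflow
        send(3, i * 2, True, 16, 2.0 + i * 0.01)
    send(4, 0, True, 8, 10.0)          # 4. arrives 9 s later: packet 2 times out (fail),
    send(4, 1, False, 8, 10.1)         #    then this two-piece packet assembles
    send(5, 0, True, 16, 11.0)         # 5. second piece overlaps the first: invalid
    send(5, 1, False, 8, 11.1)
    return db, got


if __name__ == "__main__":
    print(report(simulate()[0], "outside"))
```

Running it prints a line with Queue 0, Assembled 2, Fail 1, Overflow 1 and Invalid 1, which maps each scenario back to the counter the page explains: the lone first fragment of packet 2 is only counted as a failure when a later arrival triggers the timeout sweep, and the 25-piece flood is discarded on its 25th fragment without the cache ever holding more than the chain limit for it.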

Part 2: Prioritizing Traffic
