Topics:
Handling fragmented traffic: reassemble all the fragments of a packet so that its contents can be inspected
Prioritizing traffic: forward time- or mission-critical packets ahead of other traffic
Controlling traffic bandwidth: traffic policing and traffic shaping
Packets arriving at an ASA may be whole or fragmented. The security policies that inspect whole packets are far less effective against individual fragments, because only the first fragment carries the transport header and no single fragment carries the whole payload. An ASA can be configured to intercept packet fragments and virtually reassemble them so that the original packet can be inspected normally.
An ASA can also be configured to identify certain traffic types so that they are handled more efficiently than usual. This allows time- or mission-critical packets to be forwarded ahead of other packets once they have passed inspection.
You can also configure an ASA to control the amount of bandwidth used by certain types of traffic. Traffic policing and traffic shaping are two methods of holding traffic bandwidth within predefined limits.
Part 1: Handling Fragmented Traffic
You can verify the interface MTU settings with the show running-config mtu command. If the default MTU value needs to be adjusted, you can use the following command to set the interface MTU, up to 65,535 bytes. Be aware that 9216 bytes is a common practical upper limit (the usual jumbo-frame size on Cisco platforms):
ciscoasa(config)# mtu interface bytes
Cisco ASAs can participate in path MTU discovery along an end-to-end IP routing path. This process follows RFC 1191: the source and destination are expected to use an MTU equal to the smallest MTU allowed anywhere along the complete path.
What happens if an ASA receives packets that have already been fragmented?
Rather than simply passing the fragments along toward their destination, the ASA inspects them to make sure that they are not part of some malicious activity.
To do this, the ASA must store each fragment in a cache and virtually reassemble the fragments so that it can inspect the complete original packet and verify the order and integrity of each fragment. If the reassembled packet passes inspection, the ASA discards the reassembled copy and forwards all of the original fragments toward the destination, as if nothing had happened to them.
Naturally, an ASA has to limit the resources it uses for the virtual packet reassembly process. Otherwise, someone could send an endless stream of fragmented packets and exhaust the ASA's memory. By default, virtual packet reassembly is limited in the following ways:
- A maximum number of unique packets that can be awaiting reassembly, per interface
- A maximum number of fragments for a single packet
- A maximum time of 5 seconds for all fragments of a packet to arrive
Commands used to configure virtual packet reassembly limits (if interface is omitted, the setting applies to all interfaces):
Function | Command syntax
Limit the number of packets awaiting reassembly | ciscoasa(config)# fragment size packets [interface]
Limit the number of fragments per packet | ciscoasa(config)# fragment chain fragments [interface]
Limit the time for all parts of a packet to arrive | ciscoasa(config)# fragment timeout seconds [interface]
You can monitor an ASA's fragmentation activity with the show fragment EXEC command.
In the following example, the outside interface has the default fragment settings (the default database size and chain limit, and a 5-second timeout):
ciscoasa# show fragment outside
Interface: outside
    Size: ..., Chain: ..., Timeout: 5
    Queue: 2, Assembled: 2562, Fail: 972, Overflow: 712
The output shows that the ASA has reassembled 2562 packets and that 2 packets are currently awaiting reassembly. The reassembly process has failed 972 times because the timeout expired while the ASA was still waiting for all fragments of a packet to arrive. It has also hit overflow conditions 712 times, meaning that for 712 different packets more fragments arrived than the chain limit allows, overflowing the packet buffer.
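The mechanics described above (fragmentation against an MTU, virtual reassembly, and the size, chain and timeout limits behind the show fragment counters), as an added worked example. This is my own Python model, not Cisco code and not how the ASA implements reassembly internally: fragment() splits a datagram for a given MTU following the RFC 791 rules (8-byte offset units, MF flag), and VirtualReassembler caches fragments and applies the three limits that fragment size, fragment chain and fragment timeout set, counting outcomes under the names show fragment prints. The class and function names, the constructed traffic in demo(), the db_full counter, and the choice to count overlapping fragments as a failed reassembly are all my assumptions.

```python
"""Toy model of IP fragmentation and ASA-style virtual reassembly limits.
Added example, not Cisco code; names and policies are the author's own."""
from dataclasses import dataclass

IP_HEADER_LEN = 20  # assumption: no IP options


@dataclass(frozen=True)
class Fragment:
    ident: int      # IP Identification field, shared by all pieces of a datagram
    offset: int     # Fragment Offset as carried on the wire: units of 8 bytes
    more: bool      # MF (More Fragments) flag
    payload: bytes


def fragment(ident: int, payload: bytes, mtu: int) -> list:
    """Split a transport PDU into IP fragments that fit `mtu` (RFC 791 rules:
    non-final fragments carry a multiple of 8 bytes, offsets count 8-byte units)."""
    max_data = (mtu - IP_HEADER_LEN) // 8 * 8
    if max_data <= 0:
        raise ValueError("MTU leaves no room for data")
    return [Fragment(ident, start // 8, start + max_data < len(payload),
                     payload[start:start + max_data])
            for start in range(0, len(payload), max_data)]


def reassemble(frags: list):
    """Datagram bytes if `frags` is complete and gap-free, None while pieces
    are missing; ValueError on overlapping pieces (teardrop-style input)."""
    data, expected = bytearray(), 0
    for f in sorted(frags, key=lambda f: f.offset):
        if f.offset * 8 < expected:
            raise ValueError("overlapping fragments")
        if f.offset * 8 > expected:
            return None                      # gap: keep waiting
        data += f.payload
        expected += len(f.payload)
        if not f.more:
            return bytes(data)
    return None                              # final piece not seen yet


class VirtualReassembler:
    """Per-interface fragment cache enforcing the size / chain / timeout
    limits; counter names follow the fields printed by `show fragment`."""

    def __init__(self, size: int, chain: int, timeout: float):
        self.size, self.chain, self.timeout = size, chain, timeout
        self.pending = {}    # ident -> {"t": first_seen, "frags": [Fragment, ...]}
        self.assembled = self.fail = self.overflow = self.db_full = 0

    def expire(self, now: float) -> None:
        """Timeout: give up on datagrams whose pieces did not all arrive in time."""
        for ident in [i for i, e in self.pending.items() if now - e["t"] > self.timeout]:
            del self.pending[ident]
            self.fail += 1

    def receive(self, frag: Fragment, now: float):
        """Feed one fragment; return the whole datagram once it is complete."""
        self.expire(now)
        entry = self.pending.get(frag.ident)
        if entry is None:
            if len(self.pending) >= self.size:    # database full: do not cache
                self.db_full += 1
                return None
            entry = self.pending[frag.ident] = {"t": now, "frags": []}
        entry["frags"].append(frag)
        if len(entry["frags"]) > self.chain:      # too many pieces: overflow
            del self.pending[frag.ident]
            self.overflow += 1
            return None
        try:
            data = reassemble(entry["frags"])
        except ValueError:                        # overlap: inspection fails
            del self.pending[frag.ident]
            self.fail += 1
            return None
        if data is not None:
            del self.pending[frag.ident]
            self.assembled += 1
        return data


def demo() -> dict:
    """Constructed traffic (not a capture): a good datagram delivered in reverse
    order, one that times out, one with too many pieces, one with overlap."""
    r = VirtualReassembler(size=100, chain=3, timeout=5.0)
    good = bytes(range(256)) * 16                        # 4096-byte payload
    pieces = fragment(1, good, 1500)                     # 1480 + 1480 + 1136 bytes
    result = [r.receive(f, now=0.0) for f in reversed(pieces)][-1]
    r.receive(fragment(2, good, 1500)[0], now=1.0)       # first piece of ident 2 only...
    r.receive(fragment(3, good, 1500)[0], now=7.0)       # ...6 s later ident 2 has expired
    for f in fragment(4, good, 1000)[:4]:                # 4th piece exceeds chain=3
        r.receive(f, now=8.0)
    r.receive(Fragment(5, 0, True, b"A" * 16), now=9.0)
    r.receive(Fragment(5, 1, False, b"B" * 8), now=9.0)  # offset 8 overlaps bytes 8..15
    return {"ok": result == good,
            "pieces": [(f.offset, f.more, len(f.payload)) for f in pieces],
            "queue": len(r.pending), "assembled": r.assembled,
            "fail": r.fail, "overflow": r.overflow}
```

Running demo() ends with one datagram reassembled out of order, one still queued, two failures (a timeout and an overlap) and one overflow, the same categories the counters in the show fragment output distinguish. Note where the size limit bites: it is checked when the first fragment of a new packet arrives, so once the per-interface database is full, further packets are not cached at all, which is what keeps a flood of never-completed fragments from exhausting memory.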
Part 2: Prioritizing Traffic
ASA Handling Traffic