12-11-2013 05:11 AM - edited 03-11-2019 08:16 PM
I have an FWSM in active/passive configuration, running software version 4.0.8 without any context configuration. This equipment can support 256k connections.
I want to limit this box to at most 150k connections.
I've read
http://www.cisco.com/en/US/docs/security/fwsm/fwsm22/configuration/guide/context.html#wp1055963
...
To add or change a class in the system configuration, follow these steps. After you add the class, you can add more limits as required by following this procedure again for the same class name and specifying additional limits. You do not need to reenter existing resource commands; the commands you already set remain in place unless you remove them with the no form of the command. You can change the value of a particular resource limit by reentering the command with a new value.
To configure a resource class, follow these steps:
Step 1 To specify the class name and enter the class configuration mode, enter the following command in the system execution space:
FWSM(config)# class name
The name is a string up to 20 characters long. To set the limits for the default class, enter default for the name.
Step 2 To set the resource limits, see the following options:
• To set all resource limits (shown in Table 5-1), enter the following command:
FWSM(config-resmgmt)# limit-resource all {number% | 0}
The number is an integer greater than or equal to 1. 0 (without a percent sign (%)) sets the resources to unlimited. You can assign more than 100% if you want to oversubscribe the device.
• To set a particular resource limit, enter the following command:
FWSM(config-resmgmt)# limit-resource [rate] resource_name number[%]
For this particular resource, the limit overrides the limit set for all. Enter the rate argument to set the rate per second for certain resources. See Table 5-1 for resources for which you can set the rate per second.
Table 5-1 lists the resource types and the limits. See also the show resource types command.
...
But the class command doesn't exist. Only class-map exists.
fw01-rprlbm-pae/act/9(config)# class-map inspection_default
fw01-rprlbm-pae/act/9(config-cmap)# ?
MPF class-map configuration commands:
description Specify class-map description
exit Exit from MPF class-map configuration mode
help Help for MPF class-map configuration commands
match Configure classification criteria
no Negate or set default values of a command
rename Rename this class-map
fw01-rprlbm-pae/act/9(config-cmap)# limi?
ERROR: % Unrecognized command
fw01-rprlbm-pae/act/9(config-cmap)#
OK, I've tried class-map too, but the limit-resource command doesn't exist.
Inside the policy-map (shown below) I can set a number of connections. But I need to set 150k connections, and this command is limited to 64k. OK, I could create some ACLs and apply 64k to each ACL, but I don't want that. I want to set 150k for the entire box. Does anyone have any idea to help me?
fw01-rprlbm-pae/act/9(config)# policy-map global_policy
fw01-rprlbm-pae/act/9(config-pmap)# class inspection_default
fw01-rprlbm-pae/act/9(config-pmap-c)# ?
MPF policy-map class configuration commands:
deny Pisa Protocol Control Services
exit Exit from MPF class action configuration mode
help Help for MPF policy-map class/match submode commands
inspect Protocol inspection services
no Negate or set default values of a command
permit Pisa Protocol Control Services
quit Exit from MPF class action configuration mode
set Set connection values
fw01-rprlbm-pae/act/9(config-pmap-c)# set
fw01-rprlbm-pae/act/9(config-pmap-c)# set ?
mpf-policy-map-class mode commands/options:
connection Configure connection parameters
fw01-rprlbm-pae/act/9(config-pmap-c)# set conn
fw01-rprlbm-pae/act/9(config-pmap-c)# set connection ?
mpf-policy-map-class mode commands/options:
advanced-options        Configure advanced connection parameters
conn-max                Keyword to set the maximum number of all simultaneous
                        connections that are allowed. Default is 0 which
                        means unlimited connections.
conn-rate-limit         Keyword to set the connection rate that is
                        allowed. Default is 0 which means no rate limiting. In
                        seconds.
random-sequence-number  Enable/disable TCP sequence number randomization.
                        Default is to enable TCP sequence number
                        randomization
timeout                 Configure connection timeout parameters
fw01-rprlbm-pae/act/9(config-pmap-c)# set connection conn
fw01-rprlbm-pae/act/9(config-pmap-c)# set connection conn-ma
fw01-rprlbm-pae/act/9(config-pmap-c)# set connection conn-max ?
mpf-policy-map-class mode commands/options:
<0-65535> Enter the maximum number of simultaneous connections
fw01-rprlbm-pae/act/9(config-pmap-c)# set connection conn-max
01-09-2014 01:26 PM
Hello,
The limit-resource commands appear in the system context only. This means that the firewall should be configured in multiple context mode in order to enable those commands.
This cannot be done under the context itself or under an active/standby FWSM.
I hope it helps.
regards,
Itzcoatl
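As an added example (not posted by anyone in this thread), here is what the reply above describes, using the class and limit-resource commands from the FWSM configuration guide quoted in the question: they are entered in the system execution space of a unit that has already been converted to multiple context mode. The class name data-150k, the context name fw01, the VLAN numbers and the config-url path are assumptions chosen for illustration; conns is the connection resource name from Table 5-1 of that guide. Converting a single-mode unit with mode multiple is disruptive (the unit reloads and the existing configuration is converted into the admin context), and both members of a failover pair must run in the same mode, so plan it as a maintenance window.

```cisco
! System execution space of an FWSM already in multiple context mode
! (from a context: changeto system). The class/limit-resource commands
! from the FWSM configuration guide are only accepted here.
!
! Names below (data-150k, fw01, vlan10/vlan20, disk:/fw01.cfg) are assumed
! for illustration and must be adapted to the real deployment.
!
! A resource class capping the number of connections each member context may
! own. The limit is an absolute count (no %), so it does not depend on the
! 256k platform capacity; resources not listed keep the default-class values.
class data-150k
  limit-resource conns 150000
!
! The data context that carries the traffic. With a single data context
! (plus admin) this per-context cap is effectively the cap for the whole box.
! Any context that is not made a member of a class stays in the default
! class, so add member to every context that should be capped.
context fw01
  allocate-interface vlan10
  allocate-interface vlan20
  config-url disk:/fw01.cfg
  member data-150k
!
! Verification: which class each context belongs to, and live usage of the
! conns resource against the configured limit.
show resource allocation
show resource usage context fw01 resource conns
```

Because each member context gets its own 150000 cap, putting several data contexts into the same class oversubscribes the 256k capacity; check show resource allocation after adding contexts if the intent is a hard ceiling for the whole module.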