Cisco ASA Series Firewall CLI Configuration Guide
 
Chapter 16      Configuring the Cisco Phone Proxy
  Prerequisites for the Phone Proxy
Prerequisites for Rate Limiting TFTP Requests
In a remote access scenario, we recommend that you configure rate limiting of TFTP requests because
any IP phone connecting through the Internet is allowed to send TFTP requests to the TFTP server.
To configure rate limiting of TFTP requests, configure the police command in the Modular Policy
Framework. See the command reference for information about using the police command.
Policing is a way of ensuring that no traffic exceeds the maximum rate (in bits/second) that you
configure, so that no single traffic flow can take over the entire resource. When traffic exceeds
the maximum rate, the ASA drops the excess traffic. Policing also sets the largest single burst of traffic
allowed.
Rate Limiting Configuration Example
The following example describes how you configure rate limiting for TFTP requests by using the police 
command and the Modular Policy Framework.
Begin by determining the conformance rate that is required for the phone proxy. To determine the
conformance rate (in bits/second), use the following formula:
    X * Y * 8
Where
    X = requests per second
    Y = size of each packet in bytes, which includes the L2, L3, and L4 headers plus the payload
Therefore, if a rate of 300 TFTP requests/second is required and each request packet is 80 bytes, the
conformance rate is calculated as follows:
    300 requests/second * 80 bytes * 8 = 192000 bits/second
The example configuration below shows how the calculated conformance rate is used with the police 
command:
access-list tftp extended permit udp any host 192.168.0.1 eq tftp
class-map tftpclass
 match access-list tftp
policy-map tftpmap
 class tftpclass
  police output 192000
service-policy tftpmap interface inside
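The following script is an added example, not part of the Cisco guide: it applies the guide's X * Y * 8 formula, builds the packet size Y from per-layer header sizes, and renders the same class-map/policy-map/service-policy commands for a given TFTP server and interface. The Ethernet, IPv4 and UDP header sizes are assumptions (untagged Ethernet II, no IP options); the server address 192.168.0.1 and interface name are the guide's own values.

```python
# Added example (not from the Cisco guide): derive the police conform-rate for
# TFTP requests exactly as the guide's formula does (X * Y * 8) and render the
# Modular Policy Framework snippet around the computed value.

ETHERNET_HDR = 14   # assumed L2 header size in bytes (untagged Ethernet II)
IPV4_HDR = 20       # assumed L3 header size in bytes (no IP options)
UDP_HDR = 8         # assumed L4 header size in bytes


def packet_size(payload_bytes: int) -> int:
    """Y in the guide's formula: L2 + L3 + L4 headers plus the TFTP payload."""
    return ETHERNET_HDR + IPV4_HDR + UDP_HDR + payload_bytes


def conform_rate_bps(requests_per_second: int, packet_bytes: int) -> int:
    """X * Y * 8: requests/s times packet size in bytes, converted to bits/s."""
    return requests_per_second * packet_bytes * 8


def tftp_rate_limit_config(tftp_server: str, conform_rate: int,
                           interface: str = "inside") -> str:
    """Render the guide's class-map/policy-map/service-policy commands,
    parameterised on the TFTP server address, the conform rate and the
    interface the service policy is applied to."""
    lines = [
        f"access-list tftp extended permit udp any host {tftp_server} eq tftp",
        "class-map tftpclass",
        " match access-list tftp",
        "policy-map tftpmap",
        " class tftpclass",
        f"  police output {conform_rate}",
        f"service-policy tftpmap interface {interface}",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    # The guide's worked numbers: 300 requests/s at 80 bytes per packet,
    # i.e. a 38-byte TFTP payload behind the assumed 42 bytes of headers.
    y = packet_size(38)                       # 80 bytes
    rate = conform_rate_bps(300, y)           # 192000 bits/s
    print(tftp_rate_limit_config("192.168.0.1", rate))
```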
About ICMP Traffic Destined for the Media Termination Address
To control which hosts can ping the media termination address, use the icmp command and apply the
access rule to the outside interface on the ASA.
Any rules for ICMP access applied to the outside interface apply to traffic destined for the media
termination address.
For example, use the following command to deny ICMP pings from any host destined for the media
termination address:
    icmp deny any outside