12-11-2008 12:30 AM - edited 03-11-2019 07:24 AM
Hi All,
I have the following scenario:
Hacker or virus ---> ASA/PIX MPF ---> Router or Device endpoint
I use syslog traffic in this example but I have done it with ICMP, telnet, etc. The idea is to drop the traffic based upon the class-map.
class-map hack
match port udp eq 514
policy-map inside
class hack
set connection conn-max 1
police input 8000 conform-action drop exceed-action drop
service-policy inside interface inside
I'm getting matches against the service-policy but the traffic doesn't drop:
Interface inside:
Service-policy: inside
Class-map: syslog
Set connection policy: conn-max 1
current conns 1, drop 0
Input police Interface inside:
cir 8000 bps, bc 1500 bytes
conformed 3 packets, 375 bytes; actions: drop
exceeded 0 packets, 0 bytes; actions: drop
conformed 80 bps, exceed 0 bps
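As an added illustration (not from the thread and not the ASA's own implementation), a simplified single-rate token-bucket model of the police command, showing why three small datagrams all land in the "conformed" counter with cir 8000 bps and bc 1500 bytes, and how a burst would split between conformed and exceeded. Packet times and sizes are constructed (125 bytes each, from 375 bytes / 3 packets in the output above); the real policer's timing and accounting may differ.

```python
# Added example: simplified single-rate token-bucket model of the ASA "police"
# command. Constructed for illustration; not the firewall's actual algorithm.
from dataclasses import dataclass


@dataclass
class PoliceStats:
    conformed_packets: int = 0
    conformed_bytes: int = 0
    exceeded_packets: int = 0
    exceeded_bytes: int = 0
    dropped_packets: int = 0
    forwarded_packets: int = 0


def police(packets, cir_bps, bc_bytes, conform_action="transmit", exceed_action="drop"):
    """packets: iterable of (time_seconds, size_bytes) in arrival order.

    Tokens are bytes. The bucket starts full (bc_bytes) and refills at the
    committed rate (cir_bps / 8 bytes per second), capped at bc_bytes.
    A packet conforms if enough tokens remain; otherwise it exceeds.
    """
    tokens = float(bc_bytes)
    last_t = None
    stats = PoliceStats()
    for t, size in packets:
        if last_t is not None:
            tokens = min(bc_bytes, tokens + (t - last_t) * cir_bps / 8)
        last_t = t
        if size <= tokens:
            tokens -= size
            stats.conformed_packets += 1
            stats.conformed_bytes += size
            action = conform_action
        else:
            stats.exceeded_packets += 1
            stats.exceeded_bytes += size
            action = exceed_action
        if action == "drop":
            stats.dropped_packets += 1
        else:
            stats.forwarded_packets += 1
    return stats


# Constructed sample: three 125-byte syslog datagrams one second apart.
# All fit inside the 1500-byte burst, so: conformed 3 packets, 375 bytes; exceeded 0.
SYSLOG_SAMPLE = [(0.0, 125), (1.0, 125), (2.0, 125)]

if __name__ == "__main__":
    print(police(SYSLOG_SAMPLE, 8000, 1500, "drop", "drop"))
```

With conform-action drop the model counts all three conforming packets as dropped; a burst of twenty 125-byte packets at the same instant splits into 12 conformed and 8 exceeded, since 12 x 125 = 1500 bytes exhausts the burst.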
12-11-2008 10:06 AM
Your current connection count is only 1, so you will not see any drops.
12-14-2008 08:11 AM
Hi,
It looks like my issue was that the CIR police mechanism is there for rate limiting as opposed to dropping the connection.
I misunderstood the functionality of this feature.
Many thanks for your input.
Jon Humphries