I have the following scenario:
Hacker or virus ---> ASA/PIX MPF ---> Router or Device endpoint
I use syslog traffic in this example, but I have done it with ICMP, telnet, etc. The idea is to drop the traffic based upon the class-map.
: class-map name not shown in the post; CM-SYSLOG is a placeholder
class-map CM-SYSLOG
  match port udp eq 514
policy-map inside
  class CM-SYSLOG
    set connection conn-max 1
    police input 8000 conform-action drop exceed-action drop
service-policy inside interface inside
I'm getting matches against the service-policy, but the traffic doesn't drop:
Set connection policy: conn-max 1
current conns 1, drop 0
Input police Interface inside:
cir 8000 bps, bc 1500 bytes
conformed 3 packets, 375 bytes; actions: drop
exceeded 0 packets, 0 bytes; actions: drop
conformed 80 bps, exceed 0 bps
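As an added check (not part of the original post): a small Python parser for the `show service-policy` counters shown above, so the policer's drop accounting can be tracked over time and compared against what the endpoint actually receives. The sample text is the post's own output, embedded here as a constructed string.

```python
import re

# Constructed sample: the "show service-policy" excerpt quoted in the post.
SAMPLE = """\
Set connection policy: conn-max 1
current conns 1, drop 0
Input police Interface inside:
cir 8000 bps, bc 1500 bytes
conformed 3 packets, 375 bytes; actions: drop
exceeded 0 packets, 0 bytes; actions: drop
conformed 80 bps, exceed 0 bps
"""

# One line per policer bucket: "<conformed|exceeded> N packets, M bytes; actions: <drop|transmit>"
POLICE_RE = re.compile(
    r"^\s*(conformed|exceeded)\s+(\d+)\s+packets,\s+(\d+)\s+bytes;\s+actions:\s+(drop|transmit)",
    re.MULTILINE,
)
# Connection-limit counters: "current conns N, drop M"
CONN_RE = re.compile(r"^\s*current conns\s+(\d+),\s+drop\s+(\d+)", re.MULTILINE)


def parse_policy_counters(text):
    """Return the policer buckets and connection-limit counters from
    'show service-policy' output as a dict."""
    buckets = {
        m.group(1): {"packets": int(m.group(2)), "bytes": int(m.group(3)), "action": m.group(4)}
        for m in POLICE_RE.finditer(text)
    }
    conns = CONN_RE.search(text)
    return {
        "police": buckets,
        "current_conns": int(conns.group(1)) if conns else None,
        "conn_drops": int(conns.group(2)) if conns else None,
    }


def expected_police_drops(counters):
    """Packets the policer has accounted to a bucket whose action is drop.
    If this number keeps growing while the endpoint still receives the
    traffic, the policer is counting the packets but not discarding them."""
    return sum(b["packets"] for b in counters["police"].values() if b["action"] == "drop")
```

Take two snapshots a few seconds apart and diff `expected_police_drops()` against packets seen on the endpoint; a matching increase on both sides means the counters are being hit without enforcement.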