12-11-2008 12:30 AM - edited 03-11-2019 07:24 AM
Hi All,
I have the following scenario:
Hacker or virus ---> ASA/PIX MPF ---> Router or Device endpoint
I use syslog traffic in this example, but I have done it with ICMP, telnet, etc. The idea is to drop the traffic based upon the class-map.
class-map hack
 match port udp eq 514
policy-map inside
 class hack
  set connection conn-max 1
  police input 8000 conform-action drop exceed drop
service-policy inside interface inside
I'm getting matches against the service-policy, but the traffic doesn't drop...
Interface inside:
  Service-policy: inside
    Class-map: syslog
      Set connection policy: conn-max 1
        current conns 1, drop 0
      Input police Interface inside:
        cir 8000 bps, bc 1500 bytes
        conformed 3 packets, 375 bytes; actions: drop
        exceeded 0 packets, 0 bytes; actions: drop
        conformed 80 bps, exceed 0 bps
12-11-2008 10:06 AM
Your current connection count is only 1, so you will not see any drops.
12-14-2008 08:11 AM
Hi,
It looks like my issue was that the CIR police mechanism is there for rate limiting as opposed to dropping the connection.
I misunderstood the functionality of this feature.
Many thanks for your input.
Jon Humphries
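The distinction the thread arrives at (policing meters traffic against a committed rate; it is not the tool for blocking a protocol outright) is easier to see with the two configurations side by side. The following is an added example, not configuration from the original post or from Cisco documentation; it assumes the interface is named "inside" and that the goal is to stop syslog (UDP/514) coming from hosts behind that interface, as in the thread. The class-map, policy-map and ACL names are placeholders chosen for this example.

```cisco
! Added example, not from the original thread. Assumes an interface named
! "inside" and the thread's goal of stopping UDP/514 (syslog) from hosts
! behind it. Names (SYSLOG_OUT, INSIDE_POLICY, INSIDE_IN) are placeholders.
!
! --- 1. What "police" in an MPF policy-map does: rate-limiting ---
! The policer meters matched traffic against a committed rate (minimum
! 8000 bps) plus a burst size, and applies one action to packets that
! conform and another to packets that exceed. Its normal use is to let
! conforming traffic through and drop only the excess:
class-map SYSLOG_OUT
 match port udp eq 514
!
policy-map INSIDE_POLICY
 class SYSLOG_OUT
  police input 8000 1500 conform-action transmit exceed-action drop
!
service-policy INSIDE_POLICY interface inside
!
! --- 2. To drop the traffic outright: an interface ACL ---
! An access-group on the interface denies matching packets before any
! connection is built; "log" gives a syslog message per denied flow and
! the hitcnt on the deny entry confirms the matches.
access-list INSIDE_IN extended deny udp any any eq 514 log
access-list INSIDE_IN extended permit ip any any
access-group INSIDE_IN in interface inside
!
! --- Verification ---
!   show service-policy interface inside   (conformed/exceeded counters)
!   show access-list INSIDE_IN             (hitcnt on the deny line)
```

Both the policer and the interface ACL act on traffic passing through the ASA on that interface. The policer is the right tool when the intent is to cap bandwidth for a class of traffic while still letting some of it through; a hard deny belongs in the interface ACL, where it is also easier to audit.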