Hint: On Win7, edit the hosts file (C:\Windows\System32\drivers\etc) so that 202.100.1.1 maps to www.cisco.com.
Hint: You should see output like the following:
ASA(config)# sh service-policy inspect http
Interface Inside:
Service-policy: http.regex.policy
Class-map: http.class
Inspect: http http.policy, packet 104, lock fail 0, drop 1, reset-drop 0, 5-min-pkt-rate 0 pkts/sec, v6-fail-close 0 sctp-drop-override 0
protocol violations
packet 0
match request header host regex http.regex
drop-connection log, packet 1
Device configuration:
regex www www.cisco.com
regex shrun sh/run
class-map type inspect http match-all match-http-class
match request header host regex www
match not request uri regex shrun
policy-map type inspect http control-http
parameters
protocol-violation action reset log
class match-http-class
reset log
policy-map Inside-policy
class inspection_default
inspect http control-http
service-policy Inside-policy interface Inside
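How the match-all class above decides which requests get "reset log", as an added example that is not part of the original lab. It assumes Python's re.search behaves like the ASA's unanchored regex matching for these literal patterns; the escaped pattern and the sample requests are constructed here for comparison.

```python
import re

# Patterns copied from the "regex" lines of the configuration above.
REGEX_WWW = r"www.cisco.com"
REGEX_SHRUN = r"sh/run"
# Assumption added for comparison only: the same host pattern with literal dots.
REGEX_WWW_ESCAPED = r"www\.cisco\.com"


def class_matches(host, uri, host_regex=REGEX_WWW):
    """Model a match-all class-map: every match line must hold."""
    host_hit = re.search(host_regex, host) is not None  # match request header host regex www
    uri_hit = re.search(REGEX_SHRUN, uri) is not None   # regex shrun
    return host_hit and not uri_hit                      # match not request uri regex shrun


def action(host, uri, host_regex=REGEX_WWW):
    """Return the policy action for one request."""
    return "reset log" if class_matches(host, uri, host_regex) else "permit"


# Constructed sample requests (Host header, URI); not captured traffic.
SAMPLES = [
    ("www.cisco.com", "/index.html"),          # host matches, URI lacks sh/run
    ("www.cisco.com", "/sh/run"),              # excluded by "match not"
    ("www.cisco.com", "/docs/sh/running"),     # sh/run as a substring also excludes
    ("wwwXciscoYcom.example", "/index.html"),  # "." matches any character
    ("www.example.com", "/index.html"),        # host does not match
]


def evaluate(host_regex=REGEX_WWW):
    """Run every sample through the class and return the actions in order."""
    return [action(h, u, host_regex) for h, u in SAMPLES]


if __name__ == "__main__":
    rows = zip(SAMPLES, evaluate(), evaluate(REGEX_WWW_ESCAPED))
    for (host, uri), configured, escaped in rows:
        print(f"{host:24} {uri:18} configured={configured:9} escaped={escaped}")
```

The fourth sample is reset only under the pattern as configured, because the unescaped dots match any character; escaping them limits the class to the intended host name.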
Test result:


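Maximum connections: 500
Maximum half-open (embryonic) connections: 100
Maximum connections per user: 10
Maximum half-open (embryonic) connections per user: 5
Device configuration: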
access-list global_mpc line 1 extended permit tcp any any eq http
class-map control-connection
match access-list global_mpc
policy-map global_policy
class control-connection
set connection conn-max 500 embryonic-conn-max 100 per-client-max 10 per-client-embryonic-max 5 random-sequence-number enable
Device configuration:
class-map http-traffic
match port tcp eq http
policy-map Inside-policy
class http-traffic
police input 1000000 1500 conform-action transmit exceed-action drop
service-policy Inside-policy interface Inside
Device configuration:
priority-queue Outside
tx-ring-limit 511
queue-limit 2048
class-map VoIP
match dscp 46
policy-map Outside-policy
class VoIP
priority
service-policy Outside-policy interface Outside