The Modular Policy Framework (MPF) is supported with these features:
TCP and general connection settings
Protocol inspection services
Intrusion prevention services
QoS services
Policing (rate limit)
Configuring MPF
To configure security features using the MPF, perform the following steps, which show an example of configuring
the MPF to identify HTTP traffic and control the half-open (embryonic) TCP connection limit.
Step 1: Identifying Traffic Flow
A traffic class is a set of traffic that is identifiable by its packet content. For example, TCP traffic on port 80 is
classified as an HTTP traffic class. Traffic flow is identified using a class-map command from the global
configuration mode. Various match criteria using the match command can be included to define the traffic in
the class-map. When the packet matches the specified criteria, it is subject to an action, such as application
inspection or policing. Packets that do not match any of the criteria are assigned to the default traffic class. For
example, create an access list to identify HTTP traffic on TCP port 80, and define it in the traffic class-map, as
shown in Example 6-25.
Example 6-25. Configuring Class Map to Identify Traffic (Using ACL)
hostname(config)# access-list 101 permit tcp any any eq 80
hostname(config)# class-map identify_http_packets
hostname(config-cmap)# match access-list 101
Alternatively, the same could be achieved using the port command to assign the default HTTP port (as shown in
Example 6-26) instead of using the ACL.
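The steps that follow Step 1 on this page bind the HTTP class to a policy that caps half-open TCP connections, as an added example and not the book's own listing: the policy-map name limit_http_policy, the limit of 100 embryonic connections and the interface name outside are assumptions.

```cisco
! Step 1 (from the page): identify HTTP traffic with an ACL-backed class map
hostname(config)# access-list 101 permit tcp any any eq 80
hostname(config)# class-map identify_http_packets
hostname(config-cmap)# match access-list 101
!
! Step 2 (assumed names and value): attach an action to the class in a policy map.
! embryonic-conn-max caps half-open TCP connections through the ASA; once the
! limit is reached the ASA proxies the three-way handshake (TCP intercept), so a
! SYN flood no longer exhausts the protected web server's connection table.
! 100 is an assumed value; size it to the server's real backlog capacity.
hostname(config)# policy-map limit_http_policy
hostname(config-pmap)# class identify_http_packets
hostname(config-pmap-c)# set connection embryonic-conn-max 100
!
! Step 3 (assumed interface name): apply the policy to the interface facing
! untrusted clients. Only one service policy may be applied per interface
! (plus one global policy), so add the class to an existing policy map if the
! interface already has one attached.
hostname(config)# service-policy limit_http_policy interface outside
!
! Check: confirm the policy is attached and the class is matching packets
hostname# show service-policy interface outside
```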