Mitigating DoS attacks on a Cisco ASA
Vendor: Cisco
Platform: ASA
Version: 8.x
Friday, 06 January 2012 13:15

In this example we configure the Modular Policy Framework (MPF) to enforce a set of connection limits on an interface. Capping the total, half-open (embryonic) and per-client connection counts gives a basic level of protection against connection-exhaustion and SYN-flood style DoS attacks; it does nothing against a bandwidth flood that saturates the link, which has to be dealt with upstream.

Define Traffic

First we define which traffic the limits apply to. In the access-list below the host 8.8.8.8 is excluded while all other IP traffic is matched: traffic that hits a deny entry in a class-map ACL is simply not matched by the class, so it is not subject to the policy. Note that this deny entry only covers packets with 8.8.8.8 as the source; to exclude the host in both directions add a matching deny ip any host 8.8.8.8 entry before the final permit.

cisco-asa(config)# access-list mpf-policy-acl extended deny ip host 8.8.8.8 any
cisco-asa(config)# access-list mpf-policy-acl extended permit ip any any

Create Class-map

Next we reference the access-list from a class-map, so that traffic permitted by the ACL is matched by the class.

cisco-asa(config)# class-map mpf-policy
cisco-asa(config-cmap)# match access-list mpf-policy-acl
cisco-asa(config-cmap)# exit

Create Policy-map

Then a policy-map is created, the class-map is referenced, and the connection limits are set. conn-max and embryonic-conn-max cap the class as a whole (all traffic matched by the ACL), while the per-client values cap each individual source address and are what stops a single host from exhausting the connection table. Setting a non-zero embryonic limit also enables TCP Intercept: once the limit is reached the ASA answers new SYNs itself (using SYN cookies) and only forwards the connection to the protected host after the client has completed the handshake. The values below are illustrative and must be sized to the environment, ideally from observed peak counts (show conn count). Note that the per-client embryonic limit (100) is above the per-client total (75); half-open connections count against that total, so in practice the 75 cap is the one a single source reaches.

cisco-asa(config)# policy-map mpf-policy-map
cisco-asa(config-pmap)# class mpf-policy
cisco-asa(config-pmap-c)# set connection conn-max 9500
cisco-asa(config-pmap-c)# set connection embryonic-conn-max 5000
cisco-asa(config-pmap-c)# set connection per-client-embryonic-max 100
cisco-asa(config-pmap-c)# set connection per-client-max 75
cisco-asa(config-pmap-c)# exit
cisco-asa(config-pmap)# exit

Assign to Interface

Finally the policy-map is applied to the outside interface with a service-policy command. An interface can carry only one service policy, and for features that overlap, an interface policy takes precedence over the default global policy. Check the result with show service-policy interface outside, which shows the per-class packet and drop counters.

cisco-asa(config)# service-policy mpf-policy-map interface outside
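The complete procedure above, as one block with the verification commands a practitioner would run afterwards, is given below as an added example; it is not from the original page. It assumes the interface is named outside and that the exclusion for 8.8.8.8 should apply to traffic in both directions (so a second deny entry is added); the idle timeouts and the 192.0.2.10 address used in the show and clear commands are constructed for illustration.

```cisco
! Added example, not part of the original page: the full MPF connection-limit
! policy from the steps above, entered from configure terminal.
! Assumptions: interface nameif "outside", example host 8.8.8.8 excluded in both
! directions, illustrative timeouts, and 192.0.2.10 as a constructed client address.
access-list mpf-policy-acl extended deny ip host 8.8.8.8 any
access-list mpf-policy-acl extended deny ip any host 8.8.8.8
access-list mpf-policy-acl extended permit ip any any
!
class-map mpf-policy
 match access-list mpf-policy-acl
!
policy-map mpf-policy-map
 class mpf-policy
  ! limits for the whole class (all traffic matched by the ACL);
  ! several keywords may be given on one set connection line
  set connection conn-max 9500 embryonic-conn-max 5000
  ! limits per source address; a non-zero embryonic limit enables TCP Intercept
  set connection per-client-max 75 per-client-embryonic-max 100
  ! idle timeouts so abandoned sessions release their slots (illustrative values)
  set connection timeout embryonic 0:00:30 half-closed 0:05:00 tcp 0:30:00
!
service-policy mpf-policy-map interface outside
!
! Verification (privileged EXEC)
! the policy as stored
show running-config policy-map mpf-policy-map
! per-class packet and drop counters for the interface policy
show service-policy interface outside
! total connections in use, to compare against conn-max
show conn count
! per-client flow and embryonic counts for one source address
show local-host 192.0.2.10
! drop all of one client's connections, e.g. a host that keeps hitting its limit
clear local-host 192.0.2.10
```

The per-class counters from show service-policy are the quickest way to see whether the limits are being hit at all; if drops appear under normal load the values are too low for the environment, and if they never appear during an attack the class ACL is not matching the traffic you expect.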