1. 創建class-map ,識別傳輸流量
config : access-list tcp_filter1 permit tcp 192.168.1.0 255.255.255.0 any eq www
class-map tcp_filter_class1
config-cmap: match access-list tcp_filter1 ##class-map 定義允許的流量
exit
//定義名爲 url1 的政策表達式,表示URL 後綴爲“.games.com”
config: regex url1 "\.games\.com"
//創建名字爲url_class1的class-map,類型爲regex
config: class-map type regex match-any url_class1
|
| 表示匹配任何一個
config-map: match regex url1
exit
//創建名爲http_url_class1的class-map , 類型爲inspect http (檢查http流量)
config:class-map type inspect http http_url_class1
config-cmap: match request header host regex class url_class1
2 創建policy-map ,關聯 class-map
config:policy-map type inspect http http_url_policy1
config-pmap: class http_url_class1 ##調用之前創建的class-map
config-pmap-c: drop-connection log ##drop數據包並關閉連接,併發送系統日誌
exit
exit
config: policy-map inside_http_url_policy
config-pmap: class tcp_filter-class1 ##調用之前創建的class-map
config-pmap-c:inspect http http_url_policy1 ##檢查http流量
exit
exit
3 應用policy-map到接口上
config: service-policy inside_http_url_policy1 interface inside
注意:一個接口只能應用一個policy-map