Acl in class-map

Hi
I'm a little unsure of how using ACLs works within a class map.
I want to allow access to a web server 1.1.1.1 and deny all other traffic coming from the outside zone to the inside zone, so I have created an ACL with a
permit http to 1.1.1.1 and a deny ip any any statement and applied it to the class map.
When I apply this to the policy map I can either inspect, drop or pass the traffic.
What I don't understand is how this works with the ACL permit or deny statements or the implicit deny functionality of the ACL.
For example, if I apply the pass action to this class-map/ACL, how does it handle the deny ip any any statement in the ACL?
If I am passing the traffic in the policy, does it still deny any deny statements in the ACL?
Also, what about multiple class maps in a policy map? Wouldn't a deny statement in the first ACL stop further processing in the policy map?
Hope this makes sense..
Thanks for any help

When using ACLs in a class map, a permit entry causes the ACL condition to match and a deny entry does not. So, for your ACL "permit tcp any host 1.1.1.1 eq www", any HTTP traffic to 1.1.1.1 on 80/tcp will be matched by the class map and the implicit "deny ip any any" will not be matched. There is no action implied by the ACL when used this way, only a match or no match.
ip access-list extended ACL_HTTP
 permit tcp any host 1.1.1.1 eq www
class-map type inspect match-any CM_HTTP
 match access-group name ACL_HTTP
In order to actually deny the traffic, you have to specify a drop in the policy map.
policy-map PM_HTTP
 class CM_HTTP
  inspect
 class class-default
  drop
To illustrate the point a bit further, let's say you were going to allow HTTP and HTTPS with two ACLs and did it like this:
ip access-list extended ACL_HTTP
 permit tcp any host 1.1.1.1 eq www
ip access-list extended ACL_HTTPS
 permit tcp any host 1.1.1.1 eq 443
class-map type inspect match-any CM_HTTP
 match access-group name ACL_HTTP
 match access-group name ACL_HTTPS
policy-map PM_HTTP
 class CM_HTTP
  inspect
 class class-default
  drop
In the above case, HTTP traffic to 1.1.1.1 is a hit on ACL_HTTP's permit statement, is matched by the class map and is inspected by the policy map. HTTPS traffic to 1.1.1.1 is a hit on ACL_HTTPS's permit statement, is likewise matched by the class map and is inspected by the policy map. The implicit deny statements (and any other deny statements you may add) only ensure that the packet doesn't match that element of the class map and doesn't prevent it from being matched against another.

Similar Messages

  • IPv6 class-map or IOS problem

    Hello, sorry for my bad English first of all,
    I have a problem with my IPv6 ACL, IPv6 class-map or IOS, I'm not sure which, so I'm asking you.
    I have one 1721 router with one Ethernet and one FastEthernet interface; on the Fa interface there are 3 subinterfaces, and the Eth interface is connected by a 10 Mbps link to another 1721 router. I'm working on QoS for VoIPv6. My softphone emulator address is FEC2::1/64.
    This is my configuration:
    class-map match-any v6
     match access-group name v6
    policy-map v6
     class v6
      set ip dscp ef
    ipv6 access-list v6 permit FEC2::/64 any
    The question is, why is the output of the command show policy-map interface Fa0/0 showing that not a single IPv6 packet is being marked:
    R1#sho policy-map interface fa0
      FastEthernet0
       Service-policy input: v6
         Class-map: v6 (match-any)
           0 packets, 0 bytes
           5 minute offered rate 0 bps, drop rate 0 bps
           Match: access-group name v6
             0 packets, 0 bytes
             5 minute rate 0 bps
           QoS Set
            ip dscp ef
               Packets marked 0
         Class-map: class-default (match-any)
           92 packets, 9134 bytes
           5 minute offered rate 0 bps, drop rate 0 bps
           Match: any
    This exact configuration, with IPv4, is working fine. My IOS version is c1700-y-mz.122-11.T11.bin
    If the IOS version is too old, can you tell me what version will work so I can purchase it?
    Thanks

    If you are thinking of IPv6 prefix I tried everything. From /128 for single host to /64, nothing works.

  • A problem with ACL in the class-map on the ACE module

    Hi all,
    I configured the following on the ACE module:
    object-group network test
      host 192.168.1.21
      host 192.168.1.22
      host 192.168.1.23
    object-group service port
      tcp eq www
      tcp eq 8080
    access-list T line 8 extended permit object-group port object-group test any
    I tried to configure a class-map for matching this ACL:
    ACE-4710-2/Lab-OPT-11(config)# class-map match-any TEST_C
    ACE-4710-2/Lab-OPT-11(config-cmap)# match access-list T
    Error: Cannot associate acl having object-group ACEs in class-map.
    So can't I configure the class-map using an ACL with object-groups involved? Is it a bug or the normal behaviour? Because the customer uses object-groups in ACLs and he has to configure ACLs without object-groups for the traffic classification. It is horrible.
    Thank you
    Roman

    Hi Roman,
    I'm afraid it's the expected behavior. You cannot use an ACL with object-groups inside a class-map.
    Regards
    Daniel

  • Class-map with ACL rule

    In the following class-map:
    "class-map match-any voice
    match access-group 190"
    If the ACL 190 has more than one line with "permit" statements.
    In order for the policy-map using the above class-map to find a match and use the rules applied for the above class-map, does the traffic need to meet all the criteria in the ACL or does it work like a regular ACL, where it "walks" down and it stops execution at the first permit/deny "hit"?
    Regards,
    Christos

    The explicit "match-any" will do just that. So, a nested ACL can be configured for multiple criteria.
    The alternative is a "match-all" where all nested options in your ACL MUST be met. Hope this helps.
    T

  • IOS Firewall: what is this class map doing?

    Hi, a few weeks ago I set up a class map but now, as I am finding time to review my config, I am wondering what effect this has. It is applied to a policy map for ssh access from the Internet to the router for management:
    class-map type inspect match-any SSH
     match protocol ssh
     match access-group name SSH
    The access list with the name "SSH" just allows certain public IP network blocks.
    But I think I should be setting this to match-all and not match-any if I want it to allow the ssh protocol from only my IP, correct?
    Also, just to ensure I am not confused about proper creation of the ACL. The ACL with the name SSH I've given is as follows:
    ip access-list extended SSH
     permit tcp xx.xx.0.0 0.255.255.255 any eq 22
     permit tcp xx.xx.0.0 0.7.255.255 any eq 22
     permit tcp xx.xx.0.0 0.255.255.255 any eq 22
    First, am I being redundant in the class map by telling it to match protocol ssh and also specifying port 22 in the ACL? And, is this ACL written properly if I want only certain IP blocks to be able to come in from the Internet, to the router, using ssh?

    Hello Colin,
    "But I think I should be setting this to match-all and not match-any if I want it to allow the ssh protocol from only my IP, correct?"
    Exactly, you are getting it now. It needs to be a match-all....
    Regarding the ACL, it should be like this:
    access-list SSH
     permit tcp host outside_user_ip host router_outside_interface eq 22
    Regards,

  • Source ip filtering with class map on cisco ace30

    Hello ,
    I would like to know if it is possible to filter source IPs connecting to a virtual IP within a class map configuration (or something else)?
    access-list S_IP_FILTERING line 8 extended permit ip host 1.1.1.1 any
    class-map match-all S_IP_FILTERING_XVIP
     2 match access-list S_IP_FILTERING
     3 match virtual-address 2.2.2.2 any
    Error: Only one match access-list is allowed in a match-all class-map and it cannot mix with any other match type
    thanks for your support
    Case,

    Hi,
    Yes, it is possible to do this. Use the ACL filter for the source IP address under the policy-map type loadbalance. Then you would call that load balance policy in your multi-match policy under the appropriate class.
    for example:
    class-map type http loadbalance match-any LOADBALANCE-FILTER
      2 match source-address X.X.X.X 255.255.255.255
    class-map match-any TEST-CLASSMAP
      2 match virtual-address Y.Y.Y.Y tcp eq www
    policy-map type loadbalance first-match LOADBALANCE
      class LOADBALANCE-FILTER
        serverfarm TEST-SERVERFARM
    policy-map multi-match UTC-PM
      class TEST-CLASSMAP
        loadbalance policy LOADBALANCE
        loadbalance vip inservice
    -Alex

  • Help with Class-map configuration - ZBFW

    Hello,
    I need some clarification regarding the class-map configuration in a ZBFW. I need to allow https, http, ftp & rdp traffic from the Internet to a few of the servers inside our LAN. So I put the below configuration in place to accomplish the task (the example shows the class-map for only the https protocol):
    a.)
    class-map type inspect match-all HTTPS-ACCESS
     match protocol https
     match access-group name HTTPS-SERVER-ACCESS
    ip access-list extended HTTPS-SERVER-ACCESS
     permit tcp any host 172.17.0.55 eq 443
     permit tcp any host 172.17.0.56 eq 443
     permit tcp any host 172.17.0.36 eq 443
     permit tcp any host 172.17.0.45 eq 443
     permit tcp any host 172.17.0.60 eq 443
    Where 55, 56, 36, 45, 60 are the servers inside the LAN (12 more servers are there) that need to be accessed via https, http, ftp & rdp from the Internet.
    Is it a correct approach? Or do I need to change my configuration so that I match the ACL with my class-map like below:
    b.)
    ip access-list extended OUTSIDE-TO-INSIDE-ACL
     permit tcp any host 172.17.0.55 eq 443
     permit tcp any host 172.17.0.55 eq www
     permit tcp any host 172.17.0.55 eq 21
     permit tcp any host 172.17.0.55 eq 3389
     permit tcp any host 172.17.0.56 eq 443
     permit tcp any host 172.17.0.56 eq www
     permit tcp any host 172.17.0.56 eq 21
     permit tcp any host 172.17.0.56 eq 3389
     permit tcp any host 172.17.0.36 eq 443
     permit tcp any host 172.17.0.36 eq www
     permit tcp any host 172.17.0.36 eq 21
     permit tcp any host 172.17.0.36 eq 3389
     permit tcp any host 172.17.0.45 eq 443
     permit tcp any host 172.17.0.45 eq www
     permit tcp any host 172.17.0.45 eq 21
     permit tcp any host 172.17.0.45 eq 3389
    class-map type inspect match-all OUT-IN-CLASS
     match access-group name OUTSIDE-TO-INSIDE-ACL
    Which one is the correct approach when we consider the performance of the firewall? Please help me.
    Regards,
    Yadhu

    Hey
    I do not agree with Varun, I think the first approach is the best one.
    Why? Because when you issue the "match protocol ..." you are using NBAR, which is application inspection software, which means that https or whatever protocol is inspected at layer 7, not at layers 3 and 4 as the second approach does (IP and port number).
    Let's say you use the second approach and an attacker uses some malicious protocol that runs over port 443 or whatever (a port that you opened). That attack would be successful because all you say is, you are going to IP address 172.17.0.56 over port 443, so go ahead.
    But if you are using NBAR, this would not work because NBAR will look at layer 7, inside the protocol itself, and check if this really is HTTPS (or whatever protocol).
    That's my two cents. Hope it helped!

  • Class-map type inspect match access-group name question

    I'm creating a zone-based firewall solution and all appears to be fine until I create a class-map type inspect match-all or match-any
    and match access-group name acl to match an extended ACL. Once I match it the command runs, but when I go back to view the configuration of the class-map it is not there.
    I have tried other named ACLs and it works if the ACL contents are simple, like permit ip any any, but for complex ACLs with ranges, tcp, udp, icmp etc. it does not take it. It does not report an issue either, and when I view the config it's not there for the complex extended ACL, but for the simple extended ACL it does show.
    Any restrictions or possible bugs I'm running into?
    Thanks for all looking

    This could be a bug. Could you post the exact configuration you are trying to implement? I just set up a small test and I have been unable to reproduce what you are seeing. I would like to see if I get the same result using your config.
    Please remember to select a correct answer and rate helpful posts

  • Class-map does not support match protocol ssl

    I have several 1941/K9s that do not have the class-map command to support ssl. System image is c1900-universalk9-mz.SPA.152-1.T.bin.
    class-map match-any af31
     match protocol ssl  <-- missing.
    I did some Google searches but came up with nothing.
    Is the fix to upgrade IOS? I have found it on other routers running c1900-universalk9-mz.SPA.152-4.M4.bin. I would just upgrade and check but have an extensive change review board with questions before doing so.
    Thanks for advice,
    Haydn

    Disclaimer
    The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
    Liability Disclaimer
    In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
    Posting
    I'm not current on NBAR (or NBAR 2), but NBAR used to support loadable modules (PDMs?). Sometimes Cisco would provide those so you could add match protocols without upgrading your IOS.
    Otherwise the "fix" would be to upgrade your IOS.
    Lastly, depending on what matching SSL really means to you, using port-based ACLs might suffice (in fact, some NBAR match protocols are only really that, but some NBAR matches regardless of the port usage).
    PS:
    Also on the subject of SSL, don't forget much can use it. I once matched on it for the purposes of giving secure shell higher queuing priority; it worked great for SSH, not so great when secure copy (SCP) also matched against it.

  • QoS Class-maps

    Trying to understand the class-default for marking.
    I have the concept of: identify traffic with ACLs,
    classify traffic for marking with class-maps,
    mark traffic with policy-maps.
    The policy-map will always have a default class for unaccounted traffic in the policy-maps.
    What I don't quite understand is that there is not a class-map class-default.
    When servicing the "policy" the class-maps are referenced with "class A", "class B", "class class-default";
    when looking for the matches on class class-default there is no referenced class-map to go to....
    I figured I have to accept this logic means that if traffic was not specifically matched by the collection of class-maps in the config, the IOS can assume the traffic would have been/is class-default.
    I had put a config together to classify certain traffic as CS0, like SNMP... I wanted to force traffic there as well as having all unaccounted traffic being classified CS0.
    But from what I read, if I don't have SNMP matched in any class-map in the config then this traffic would find itself in
    policy-map XXX
     class class-default
      set ip precedence 0
    even though class-default does not exist as class-map class-default.

    Hi,
    You want to mark some traffic as CS0 and then count that traffic? But you won't know which traffic had CS0 imposed or was natively IPP 0, like all data traffic not specifically marked.
    The class class-default exists; just do a show class-map and you'll see it, it is the IOS which creates it.
    Doing a show policy-map interface will show you which class-map was matched.

  • Match-any or Match All For Class-map On Nexus?

    I have an access-list MANAGEMENT
     permit udp any eq snmp any
     permit udp any any eq snmp
     permit tcp any any eq telnet
     permit tcp any eq telnet any
     permit tcp any any eq 22
     permit tcp any eq 22 any
    My question is, does it matter if I use match-any or match-all? I want to match anything in the access-list to classify the traffic correctly.
    class-map type qos match-any MANAGEMENT
     match access-group name MANAGEMENT
    Or
    class-map type qos match-all MANAGEMENT
     match access-group name MANAGEMENT
    I understand a match-any is an OR and a match-all is an AND function. Does this apply to an access-list for a class-map?
    Thanks

    It applies to match statements within the class map. In your case, you're only using one match statement, so there will be no difference between match-all and match-any, no matter how many entries are in the ACL. If your class map had two different ACLs in two different match statements, then the and/or logic of match-all and match-any would come into play.

  • 3850 QoS class-map match-all?

    I would like to create a QoS marking policy that re-marks packet to CS5 if the inbound traffic is SIP *and* if it is marked CS3 when it comes in.  I would have expected the configuration listed below will work.  I only found out when I tried to apply the config that, unlike other IOS devices, "class-map match-all" does not exist in 3850 3.3.x code.  It can only do "class-map match-any" Can anyone suggest a work-around config for 3850 to achieve the same end result?
    ip access-list extended ACL-QOS-SIP
     permit tcp any range 5060 5061 any
     permit tcp any any range 5060 5061
    ip access-list extended ACL-QOS-CS3
     permit ip any any dscp cs3
    class-map match-all CM-QOS-CS5
     match access-group name ACL-QOS-CS3
     match access-group name ACL-QOS-SIP
    policy-map PM-QOS-MARKING
     class CM-QOS-CS5
      set ip dscp cs5
    Any suggestions would be appreciated.

    jlkeys, below is the configuration I ended up using to resolve the issue:
    ip access-list extended ACL-QOS-SIP
     permit tcp any range 5060 5061 any dscp cs3
    class-map match-any CM-QOS-CS5
     match access-group name ACL-QOS-SIP
    policy-map PM-QOS-MARKING
     class CM-QOS-CS5
      set ip dscp cs5

  • Class-map for CSC ignores

    I have an application that is getting blocked by the Trend Micro CSC under the http class map. I need it to ignore http traffic from 172.16.1.0/24, and allow all else. I haven't worked with class maps much, but my thinking is an ACL with the IP subnet, and a match statement under the class map. Where I have the question is, will the ACL be
    permit ip 172.16.1.0 255.255.255.0 any
    deny ip any any
    or the other way around?
    deny ip 172.16.1.0 255.255.255.0 any
    permit ip any any

    That's right,
    but with the ACL you have written above you will ignore web traffic from 172.16.1.0/24 to 192.168.0.0
    and will match any other web traffic,
    but nothing else,
    I mean no smtp, pop3 or ftp.
    If you want to match anything else after the deny or ignore statement
    you have to add permit ip any any.
    After you match it with the class-map,
    apply it to a policy map,
    like policy-map global_policy (which is the default global policy)
    class-map (your class-map name)
    csc fail-open
    then
    service-policy global_policy global
    in this case it will be applied to all interfaces.
    Good luck
    Rate if helpful

  • Class-map not works, Packets not tagging

    Hey Guys,
    I have defined a policy map and don't know why it's not tagging the IPs:
    class-map match-all KHAN
     match access-group name ABC
     match input-interface GigabitEthernet0/1
    ip access-list extended ABC
     permit ip host 10.11.201.20 10.11.207.128 0.0.0.127
     permit ip host 10.11.201.19 10.11.207.128 0.0.0.127
    policy-map TAIM
     class voice
      priority percent 50
      set dscp ef
     class KHAN
      priority percent 49
      set dscp af41
    interface Multilink1
     service-policy output TAIM
    When I check the IPs on NetFlow it is showing half the packets are tagged with af41 and half are default.
    Any idea will be appreciated.
    Thanks
    show policy-map interface result:
        Class-map: TAIM (match-all)
          0 packets, 0 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: access-group name ABC
          Match: input-interface GigabitEthernet0/1
          Priority: 49% (3763 kbps), burst bytes 94050, b/w exceed drops: 0
          QoS Set
            dscp af41
              Packets marked 0

    The problem is the way you are matching the packets.
    Here it shows that there are 0 packets marked and 0 packets matched:
     Class-map: TAIM (match-all)
          0 packets, 0 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: access-group name ABC
          Match: input-interface GigabitEthernet0/1
          Priority: 49% (3763 kbps), burst bytes 94050, b/w exceed drops: 0
          QoS Set
            dscp af41
              Packets marked 0
    When you define this:
    class-map match-all KHAN
     match access-group name ABC
     match input-interface GigabitEthernet0/1
    you are telling the router to match both conditions, ACL ABC and input interface Gi0/1... most likely what happens here is that the class map does not match both conditions.
    Depending on what you need to accomplish, you can change it to be ANY:
    class-map match-any KHAN
     match access-group name ABC
     match input-interface GigabitEthernet0/1
    This way it will work if it matches either the first condition, ACL ABC, or the second condition, input Gi0/1.
    Or you can just remove the input statement for Gi0/1 and match by the IPs only:
    class-map match-all KHAN
     match access-group name ABC

  • Matching ICMP in class maps

    What's the difference between these two approaches and which one is recommended in what scenarios?
    ip access-list extended ICMP
     permit icmp any any
    class-map ICMP
     match access-group name ICMP
    vs
    class-map ICMP
     match protocol ICMP

    In the CCIE lab you can use any technology you wish unless there are restrictions. If they wanted you to use ACLs the task could be worded like "Use a feature that uses the least amount of CPU to perform the task". If they wanted NBAR it could be something like "Use a feature that inspects at layer 7 to perform the classification".
    Daniel Dib
    CCIE #37149
    Please rate helpful posts.
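The opening answer (a permit entry in the ACL makes the class-map match, a deny entry or the implicit deny only means "no match", and the actual drop comes from the policy-map's class-default) and the later match-all versus match-any threads (the single-ACL Nexus class-map, and the KHAN class-map that combines an ACL with an input-interface criterion) all describe the same evaluation model. The Python script below is an example added to this page, not code from any poster or from Cisco: it models that evaluation as an ACL first-match walk with implicit deny, a class-map that ORs (match-any) or ANDs (match-all) its match lines, and a policy-map that picks the first matching class and falls through to class-default. The `Packet` and `Ace` types, the tuple encoding of class-maps and policy-maps, and the sample packets are my own constructed simplifications of the IOS syntax quoted above.

```python
"""Toy model of how IOS evaluates ACLs inside class-maps and policy-maps.
Added example, not Cisco code: names and data layout are constructed here."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str              # source IP address
    dst: str              # destination IP address
    dport: int = 0        # destination port (0 when not TCP/UDP)
    in_iface: str = ""    # ingress interface, for "match input-interface"


@dataclass(frozen=True)
class Ace:
    """One access-control entry; proto "ip" matches any protocol."""
    action: str                   # "permit" or "deny"
    proto: str
    src: str                      # CIDR, "0.0.0.0/0" stands for "any"
    dst: str
    dport: Optional[int] = None   # None means any destination port

    def hits(self, pkt: Packet) -> bool:
        return (self.proto in ("ip", pkt.proto)
                and ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == pkt.dport))


def acl_matches(acl, pkt: Packet) -> bool:
    """First-match ACL walk. Inside a class-map the only outcomes are
    match (a permit hit) or no match (a deny hit, or the implicit deny
    at the end). Nothing is dropped at this stage."""
    for ace in acl:
        if ace.hits(pkt):
            return ace.action == "permit"
    return False


def criterion_matches(crit, pkt: Packet) -> bool:
    """One class-map match line: ("access-group", acl) or ("input-interface", name)."""
    kind, arg = crit
    if kind == "access-group":
        return acl_matches(arg, pkt)
    if kind == "input-interface":
        return pkt.in_iface == arg
    raise ValueError(f"unsupported match type {kind}")


def class_matches(cmap, pkt: Packet) -> bool:
    """cmap = (mode, [criteria]); match-any ORs the lines, match-all ANDs them.
    With a single match line the two modes give the same result, however
    many entries the ACL behind that line has."""
    mode, criteria = cmap
    results = [criterion_matches(c, pkt) for c in criteria]
    return any(results) if mode == "match-any" else all(results)


def policy_action(policy, pkt: Packet):
    """policy = [(class_name, cmap_or_None, action)], evaluated top down;
    the first matching class wins and class-default (cmap None) takes
    whatever fell through. Returns (class_name, action)."""
    for name, cmap, action in policy:
        if cmap is None or class_matches(cmap, pkt):
            return name, action
    raise RuntimeError("policy-map without class-default")


ANY = "0.0.0.0/0"

# The opening question's configuration, including its explicit deny entry.
ACL_HTTP = [Ace("permit", "tcp", ANY, "1.1.1.1/32", 80),
            Ace("deny", "ip", ANY, ANY)]
CM_HTTP = ("match-any", [("access-group", ACL_HTTP)])
PM_HTTP = [("CM_HTTP", CM_HTTP, "inspect"),
           ("class-default", None, "drop")]

# The KHAN class-map from the "Packets not tagging" thread, in both modes.
ACL_ABC = [Ace("permit", "ip", "10.11.201.20/32", "10.11.207.128/25"),
           Ace("permit", "ip", "10.11.201.19/32", "10.11.207.128/25")]
CM_KHAN_ALL = ("match-all", [("access-group", ACL_ABC),
                             ("input-interface", "GigabitEthernet0/1")])
CM_KHAN_ANY = ("match-any", CM_KHAN_ALL[1])

# Constructed sample packets (addresses and interfaces are made up).
HTTP_TO_WEB = Packet("tcp", "203.0.113.5", "1.1.1.1", 80, "Gi0/0")
SSH_TO_WEB = Packet("tcp", "203.0.113.5", "1.1.1.1", 22, "Gi0/0")
VOICE_RIGHT_IFACE = Packet("udp", "10.11.201.19", "10.11.207.200", 5060, "GigabitEthernet0/1")
VOICE_WRONG_IFACE = Packet("udp", "10.11.201.20", "10.11.207.130", 5060, "GigabitEthernet0/2")

if __name__ == "__main__":
    print(policy_action(PM_HTTP, HTTP_TO_WEB))  # ('CM_HTTP', 'inspect')
    print(policy_action(PM_HTTP, SSH_TO_WEB))   # ('class-default', 'drop')
    print(class_matches(CM_KHAN_ALL, VOICE_WRONG_IFACE),
          class_matches(CM_KHAN_ANY, VOICE_WRONG_IFACE))  # False True
```

Two things the run makes visible that the configs alone do not: the SSH packet is dropped by class-default, not by the "deny ip any any" line, which merely keeps it out of CM_HTTP (so a pass action on CM_HTTP would still never see it); and a packet that satisfies ACL ABC but arrives on a different interface is excluded by the match-all KHAN class and admitted by the match-any one, which is exactly the "0 packets" symptom in that thread.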
