Acl in class-map
Hi
i'm a little unsure of how using ACL's works within a class map.
I want to allow access to a web server 1.1.1.1 and deny all othetraffic coming from the outside zone to the inside zone, so i have created an acl with a
permit http to 1.1.1.1 and a deny ip any any statement and applied it to the class map.
when i apply this to the policy map i can either inspect, drop or pass the traffic.
what i don't understand is how this works with the ACL permit or deny statements or the implicit deny functionality of the ACL.
for example if I apply the pass action to this class-map/ACL how does it handle the deny ip any any statement in the ACL?
If i am passing the traffic in the policy, does it still deny any deny statements in the ACL?
also what about multiple class maps in a policy map, wouldn't a deny statement in the first acl stop further processing in the policy map
hope this makes sense..
thanks for any help
When using ACLs in a class map, a permit entry causes the ACL condition to match and a deny entry does not. So, for your ACL "permit tcp any host 1.1.1.1 eq www", any HTTP traffic to 1.1.1.1 on 80/tcp will be matched by the class map and the implicit "deny ip any any" will not be matched. There is no action implied by the ACL when used this way, only a match or no match.
ip access-list extended ACL_HTTP
permit tcp any host 1.1.1.1 eq www
class-map type inspect match-any CM_HTTP
match access-group name ACL_HTTP
In order to actually deny the traffic, you have to specify a drop in the policy map.
policy-map PM_HTTP
class CM_HTTP
inspect
class class-default
drop
To illustrate the point a bit further, let's say you were going to allow HTTP and HTTPS with two ACLs and did it like this:
ip access-list extended ACL_HTTP
permit tcp any host 1.1.1.1 eq www
ip access-list extended ACL_HTTPS
permit tcp any host 1.1.1.1 eq 443
class-map type inspect match-any CM_HTTP
match access-group name ACL_HTTP
match access-group name ACL_HTTPS
policy-map PM_HTTP
class CM_HTTP
inspect
class class-default
drop
In the above case, HTTP traffic to 1.1.1.1 is a hit on ACL_HTTP's permit statement, is matched by the class map and is inspected by the policy map. HTTPS traffic to 1.1.1.1 is a hit on ACL_HTTPS's permit statement, is likewise matched by the class map and is inspected by the policy map. The implicit deny statements (and any other deny statements you may add) only ensure that the packet doesn't match that element of the class map and doesn't prevent it from being matched against another.
Similar Messages
-
Hello, sorry because of my bad English at first,
I have a problem with my IPv6 ACL, IPv6 Class-map or IOS I'm not sure so I'm asking you.
I have one 1721 router with one Ethernet and one FastEthernet interface, on Fa interface is 3 subinterfaces, and Eth interface is connected to 10 Mbps link to another 1721 router. I'm working on QoS for VoIPv6. My softphone emulator address is FEC2::1/64.
This is my configuration:
class-map match-any v6
match access-group name v6
policy-map v6
class v6
set ip dscp ef
ipv6 access-list v6 permit FEC2::/64 any
Question is, why is output of command show policy-map interface Fa0/0 showing that not a single one packet of IPv6 is not beeing marked:
R1#sho policy-map interface fa0
FastEthernet0
Service-policy input: v6
Class-map: v6 (match-any)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: access-group name v6
0 packets, 0 bytes
5 minute rate 0 bps
QoS Set
ip dscp ef
Packets marked 0
Class-map: class-default (match-any)
92 packets, 9134 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any
This exact configuration, with IPv4 is working fine. My IOS version is c1700-y-mz.122-11.T11.bin
If IOS version is too old, can you tell my what version will work so I can purchase it?
ThanksIf you are thinking of IPv6 prefix I tried everything. From /128 for single host to /64, nothing works.
-
A problem with ACL in the class-map on the ACE module
Hi all,
I configured the following on the ACE module:
object-group network test
host 192.168.1.21
host 192.168.1.22
host 192.168.1.23
object-group service port
tcp eq www
tcp eq 8080
access-list T line 8 extended permit object-group port object-group test any
I tried to configure a class-map for matching this ACL:
ACE-4710-2/Lab-OPT-11(config)# class-map match-any TEST_C
ACE-4710-2/Lab-OPT-11(config-cmap)# match access-list T
Error: Cannot associate acl having object-group ACEs in class-map.
So couldn't I configure the class-map by using ACL with object-groups involved? Is it the bug or the normal behaviour? Because the customer uses object-groups in ACLs and he has to configure ACL without object-groups for the traffic classification. It is horrible.
Thank you
RomanHi Roman,
I'm afraid it's the expected behavior. You cannot use an ACL with object-groups inside a class-map.
Regards
Daniel -
In the following class-map:
"class-map match-any voice
match access-group 190"
If the ACL 190 has more than one line with "permit" statements.
In order for the policy-map using the above class-map to find a match and use the rules applied for the above class-map, does the traffic need to meet all the criteria in the ACL or does it work like a regular ACL, where it "walks" down and it stops execution at the first permit/deny "hit"?
Regards,
Christosthe explicit " match-any" will do just that.So, a nested ACL can be configured for multiple criteria.
The alternate is a "match-all" where all nested options in your acl MUST be met. Hope this helps.
T -
IOS Firewall: what is this class map doing?
Hi, a few weeks ago I set up a class map but now as I am finding time to review my config, I am wondering what effect this has. It is applied to a policy map for ssh access from the Internet to the router for management:
class-map type inspect match-any SSH
match protocol ssh
match access-group name SSH
The access list with the name "SSH" just allows certain public IP network blocks.
But I think I should be setting this to match-all and not match-any if I want it to allow the ssh protocol from only my IP, correct?
Also just to ensure I am not confused about proper creation of the ACL. The ACL with the name SSH I've given is as follows:
ip access-list extended SSH
permit tcp xx.xx.0.0 0.255.255.255 any eq 22
permit tcp xx.xx.0.0 0.7.255.255 any eq 22
permit tcp xx.xx.0.0 0.255.255.255 any eq 22
First, am I being redundant in the class map by telling it to match protocol ssh and also specifiying port 22 in the ACL? And, is this ACL readout done properly if I want only certain IP blocks to be able to come in from the Internet, to the router, using ssh?Hello Colin,
But I think I should be setting this to match-all and not match-any if I want it to allow the ssh protocol from only my IP, correct?
Exactly you are getting it now It needs to be a match all....
Regarding the ACL should be like this:
access-list SSH
permit tcp host outside_user_ip host router_outside_interface eq 22
Regards, -
Source ip filtering with class map on cisco ace30
Hello ,
I would like to know if it is possible to filter source ips connecting to a virtual ip within a class map configuration ( or something else ) ?
access-list S_IP_FILTERING line 8 extended permit ip host 1.1.1.1 any
class-map match-all S_IP_FILTERING_XVIP
2 match access-list S_IP_FILTERING
3 match virtual-address 2.2.2.2 any
Error: Only one match access-list is allowed in a match-all class-map and it cannot mix with any other match type
thanks for your support
Case,Hi,
Yes, it is possible to do this. Use the ACL filter for the source IP address under the policy-map type loadbalance. Then you would call that load balance policy in your multi-match policy under the appropriate class.
for example:
class-map type http loadbalance match-any LOADBALANCE-FILTER
2 match source-address X.X.X.X 255.255.255.255
class-map match-any TEST-CLASSMAP
2 match virtual-address Y.Y.Y.Y tcp eq www
policy-map type loadbalance first-match LOADBALANCE
class LOADBALANCE-FILTER
serverfarm TEST-SERVERFARM
policy-map multi-match UTC-PM
class TEST-CLASSMAP
loadbalance policy LOADBALANCE
loadbalance vip inservice
-Alex -
Help with Class-map configuration - ZBFW
Hello,
I need some clarification regarding the class-map configuration in a ZBFW. I need to allow https,http,ftp & rdp traffic from Internet to few of the servers inside our LAN. So I put the below configuration to accomplish the task (example shows class-map for only https protocol) :
a.)
class-map type inspect match-all HTTPS-ACCESS
match protocol https
match access-group name HTTPS-SERVER-ACCESS
ip access-list extended HTTPS-SERVER-ACCESS
permit tcp any host 172.17.0.55 eq 443
permit tcp any host 172.17.0.56 eq 443
permit tcp any host 172.17.0.36 eq 443
permit tcp any host 172.17.0.45 eq 443
permit tcp any host 172.17.0.60 eq 443
Where 55,56,36,45,60 are the servers inside the LAN (12 more servers are there) that need to be accessed via https,http,ftp & rdp from Internet.
Is it a correct approach? or do I need to change my configuation so that I have to match ACL with my class-map like below:
b.)
ip access-list extended OUTSIDE-TO-INSIDE-ACL
permit tcp any host 172.17.0.55 eq 443
permit tcp any host 172.17.0.55 eq www
permit tcp any host 172.17.0.55 eq 21
permit tcp any host 172.17.0.55 eq 3389
permit tcp any host 172.17.0.56 eq 443
permit tcp any host 172.17.0.56 eq www
permit tcp any host 172.17.0.56 eq 21
permit tcp any host 172.17.0.56 eq 3389
permit tcp any host 172.17.0.36 eq 443
permit tcp any host 172.17.0.36 eq www
permit tcp any host 172.17.0.36 eq 21
permit tcp any host 172.17.0.36 eq 3389
permit tcp any host 172.17.0.45 eq 443
permit tcp any host 172.17.0.45 eq www
permit tcp any host 172.17.0.45 eq 21
permit tcp any host 172.17.0.45 eq 3389
class-map type inspect match-all OUT-IN-CLASS
match access-group name OUTSIDE-TO-INSIDE-ACL
Which one is the correct approach when we consider the performance of the firewall ? Please help me.
Regards,
YadhuHey
I do not agree with Varun, I think the first approach is the best one.
Why? Because when you issue the "match protocol ..." you are usig NBAR wich is an application inspection software, which means that https or whatever protocol is inspected at layer 7, not layer 3 and 4 which the seconds approach does (IP and port-number).
Lets say you use the second approach and an attacker uses some malicious protocol that runs over port 443 or whatever (a port that you opened). That attack would be successfull because all you say, you are going to IP-address 172.17.0.56 over port 443 so go ahead.
But if you are using NBAR, this would not work because NBAR will look at layer 7, inside the protocol itself and look if this really is HTTPS (or whatever protocol).
That's my two cents. Hope it helped! -
Class-map type inspect match access-group name question
I'm creating a zone base firewall solution and all appears to be fine until I create a class-map type inspect match-all or any
and match access-group name acl to match an extended ACL and once I match it the commands runs but when I go back to view the configuration of the class-map it is not there.
I have tried other named ACLs and it works if the ACL contents are simple like permit ip any any but for complex ACLs with ranges, tcp, udp, icmp etc etc it does not take it but it does not report an issue either and when I view the config its not there for the complex extended acl but for the simple extended acl it does show.
Any restrictions or possible bugs I'm running into?
Thanks for all lookingThis could be a bug. Could you post the exact configuration you are trying to implement? I just set up a small test and I have been unable to reproduce what you are seeing. I would like to see if I get the same result using your config.
Please remember to select a correct answer and rate helpful posts -
Class-map does not support match protocol ssl
I have several 1941/k9's that do not have the class-map command: to suppot ssl. System image is c1900-universalk9-mz.SPA.152-1.T.bin.
class-map match-any af31
match protocol ssl <-- missing.
I did some google searches but come up with nothing.
Is the fix to upgrade IOS? I have found it on other routers running c1900-universalk9-mz.SPA.152-4.M4.bin. I would just upgrade and check but have an extensive change review board with questions before doing so.
Thanks for advice,
HaydnDisclaimer
The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
Liability Disclaimer
In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
Posting
I'm not current on NBAR (or NBAR 2), but NBAR used to support loadable modules (PDMs?). Sometimes Cisco would provide those so you could add match protocols without upgrading your IOS.
Otherwise the "fix" would be to upgrade your IOS.
Lastly, depending on what it matching SSL really means to you, using port based ACLs might suffice (in fact, some NBAR match protocol is only really that, but some NBAR matches regardless of the port usage).
PS:
Also on the subject of SSL, don't forget much can use it. I once matched on it for the purposes of providing secure shell higher queuing priority, worked great for SSH, not so great when secure copy (SCP) also matched against it. -
Trying to understand the class-default for marking
I have the concept of Identify traffic with ACLs
Classify traffic for marking with class-maps
Mark traffic with policy-maps
the policy-map will always have a default-class for unaccounted traffic in the policy-maps
what I don't quite understand is that the there is not a class-map class-default
when servicing the "policy" the class-maps are referenced with "class A" "class B" "class class-default"
when looking for the matches on class class-default there is no reference class-map to go to....
I figured I have to accept this logic means if traffic was not specifically matched by the collection of class-maps in the config the IOS can assume the traffic would have been/is class-default.
i had put a config together to classify certain traffic as CS0, like SNMP... i wanted to force traffic there as well as having all unaccounted traffic being classified CS0.
but from what i read if i don't have snmp matched in any class-map in the config then this traffic would find itself in
policy-map XXX
class class-default
set ip precedence 0
even though class-default does not exist as class-map class-defaultHi,
You want to mark some traffic as CS0? and then count that traffic? but you won't know which traffic had CS0 imposed or was natively IPP 0 like all data traffic not specifically marked.
the class class-default exists just do a show class-map and you'll see it, it is the IOS which creates it.
Doing a show policy-map interface will show you which class-map was matched. -
Match-any or Match All For Class-map On Nexus?
I have an access-list MANAGEMENT
permit udp any eq snmp any
permit udp any any eq snmp
permit tcp any any eq telnet
permit tcp any eq telnet any
permit tcp any any eq 22
permit tcp any eq 22 any
My question does it matter if I use a match-any or match-all. I want to match anything in the access-list to classify the traffic correctly
class-map type qos match-any MANAGEMENT
match access-group name MANAGEMENT
Or
class-map type qos match-all MANAGEMENT
match access-group name MANAGEMENT
I understand a match-any is an or and a match-all is an and function. Does this apply to an access-list for a class-map?
ThanksIt applies to match statements within the class map. In your case, you're only using one match statement, so there will be no difference between match-all and match-any, no matter how many entries are in the ACL. If your class map had two different ACLs in two different match statements , then the and/or logic of match-all and match-any would come into play.
-
3850 QoS class-map match-all?
I would like to create a QoS marking policy that re-marks packet to CS5 if the inbound traffic is SIP *and* if it is marked CS3 when it comes in. I would have expected the configuration listed below will work. I only found out when I tried to apply the config that, unlike other IOS devices, "class-map match-all" does not exist in 3850 3.3.x code. It can only do "class-map match-any" Can anyone suggest a work-around config for 3850 to achieve the same end result?
ip access-list extended ACL-QOS-SIP
permit tcp any range 5060 5061 any
permit tcp any any range 5060 5061
ip access-list extended ACL-QOS-CS3
permit ip any any dscp cs3
class-map match-all CM-QOS-CS5
match access-group name ACL-QOS-CS3
match access-group name ACL-QOS-SIP
policy-map PM-QOS-MARKING
class CM-QOS-CS5
set ip dscp cs5
Any suggestions would be appreciated.jlkeys, below is configuration I ended up using to resolve the issue:
ip access-list extended ACL-QOS-SIP
permit tcp any range 5060 5061 any dscp cs3
class-map match-any CM-QOS-CS5
match access-group name ACL-QOS-SIP
policy-map PM-QOS-MARKING
class CM-QOS-CS5
set ip dscp cs5 -
I have an application that is getting blocked by the Trend Micro CSC under the http class map. I need it to ignore http traffic from a 172.16.1.0/24, and allow all else. I haven't worked with class maps much, but my thinking is an ACL with the IP subnet, and a match statement under the class map, but where I have the question is, will the ACL be
permit ip 172.16.1.0 255.255.255.0 any
deny ip any any
or the other way around?
deny ip 172.16.1.0 255.255.255.0 any
permit ip any anythats right
but upong the ACL u have writen above u will ignore web traffic from 172.16.1.0/24 to 192.168.0.0
and will match any other web traffic
but nothing else
i mean no smtp,pop3 or ftp
if u want to match any thing else after the deny or ignore statement
u have to make permit ip any any
after u match it with class-map
apply it to a policy map
like polic-map global_policy (which is the default global policy)
class-map (ur calss-map name)
csc fail-open
then
service-policy global_policy global
in this case it will be applied to all interfaces
good luck
Rate if helpful -
Class-map not works, Packets not tagging
Hey Guys,
I have define policy maping and dont know why its not tagging the IPs;
class-map match-all KHAN
match access-group name ABC
match input-interface GigabitEthernet0/1
ip access-list extended ABC
permit ip host 10.11.201.20 10.11.207.128 0.0.0.127
permit ip host 10.11.201.19 10.11.207.128 0.0.0.127
policy-map TAIM
class voice
priority percent 50
set dscp ef
class KHAN
priority percent 49
set dscp af41
interface Multilink1
service-policy output TAIM
When I check the IPs on netflow it is showing half packets are tagged with af41 anf half are default.
Any idea will be appreciated.
Thanks
show policy map interface result
Class-map: TAIM (match-all)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: access-group name ABC
Match: input-interface GigabitEthernet0/1
Priority: 49% (3763 kbps), burst bytes 94050, b/w exceed drops: 0
QoS Set
dscp af41
Packets marked 0The problem is the way you are matching the packets:
Here it shows that there are 0 packets marked and 0 packets matched:
Class-map: TAIM (match-all)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: access-group name ABC
Match: input-interface GigabitEthernet0/1
Priority: 49% (3763 kbps), burst bytes 94050, b/w exceed drops: 0
QoS Set
dscp af41
Packets marked 0
When you define this:
class-map match-all KHAN
match access-group name ABC
match input-interface GigabitEthernet0/1
You are telling the router to match both conditions of ACL ABC and Interface input Gi0/1... most likely what happens here is that the class map does not match both condtions here.
Depending on what you need to accomplish, you can change it to be ANY:
class-map match-any KHAN
match access-group name ABC
match input-interface GigabitEthernet0/1
This way it will work if it matches either the first condition ACL ABC or second condition input Gi0/1.
Or you can just remove the input statement for Gi0/1 and match by the IPs only:
class-map match-all KHAN
match access-group name ABC -
What's the difference between these two approaches and which one is recommended in what scenarios?
ip access-list extended ICMP
permit icmp any any
class-map ICMP
match access-group name ICMP
vs
class-map ICMP
match protocol ICMPIn the CCIE lab you can use any technology you wish unless there are restrictions. If they wanted you to use ACLs the task could be worded like "Use a feature that uses the least amount of CPU to perform the task". If they wanted NBAR it could be something like "Use a feature that inspects at layer 7 to perform the classification".
Daniel Dib
CCIE #37149
Please rate helpful posts.
Maybe you are looking for
-
Good afternoon. I recently downloaded a bunch of movie trailers using the "View Source" method (viewing the source of the display page and finding the URL). When I went to open them in Quicktime 7.0.2, they would not display. I received an error sayi
-
On my album view I have several pictures of the same album, each has one or more songs that are not duplicated in the others. How do I combine these into one album?
-
I have ios6 on my iphone 4s. I want to install the ibooks but it is saying ios7 is required. Can I still get ibooks for ios6?
-
Site Manager Update Issue Continues
Duncan; It appears that the iTunes U Desktop Application update issue has not been resolved. I added new content to a collection (see attached link) on Friday. As of this morning, the tracks have not appeared in the iTunes U Desktop application (ver.
-
Use preview files unchecked, but uses preview files?
Premiere Pro CS4 running on Windows XP MCE SP3 on a core two duo processor (Yes, I know it is underpowered, but it works well enough for my current projects) and a three internal HDD setup. When exporting to mpeg2 - DVD I make sure to check "maximum