Class-map/policy-map

@all...
Can i apply class-map in both inbound/outbound, or is it restricted to outbound only. whereas for policy-map i understand it can be applied either in or out bound...
correct me if i am wrong
ta
hanu

     According to this link http://www.pingafrica.org/node/135 i configure my CISC OIOS (tm) C1700 Software (C1700-Y-M), Version 12.3(17a), router to filter HTML trafic. It works perfectly.
     Could you tell me how to configure it to not filter traffic for specific IP addresses ex. administrators and other privileged users in my network?
Thanks a lot

Similar Messages

  • Policy map/ class map/ service policy for IOS xr

    Hi,
    I need to create a policy map and class map/service policy to limit the amount of bandwidth that can be used on one interface both in and out.
    I need the cap for the bandwidth to traverse this circuit to ne 10 Meg.
    the IOS xr version we are using is 4.3.4
    I was hoping someone could help me out by giving me a configuration example I could follow.
    Thank you.

    for instance like this:
    policy-map police-in
    class class-default
    police rate 10 mpbs <optionally set burst>
    policy-map shape-out-parent
    class class-default
    shape 10 mpbs <optional burst config>
    service-policy shape-out-child
    policy-map shape-out-child
    class class-default
    queue-limit 10 packets
    int g 0/0/0/0
    service-policy police-in in
    service-policy shape-out-parent out
    also have a look at CL 2013/2014 (orlando/sanfran) ID 2904 for more QOS details
    and the support forum article of "asr9000 quality of service architecture"
    xander

  • Class-Map and Policy-Map Configuration in CM Confusion

    Hi,
    I'm implementing a green field WAAS deployment for a customer. We currently have a Proof-of-Concept up and running.
    I've got some questions regarding custom class-map and policy-map configuration in the CM. I'd like to nail-down the custom class-map and policy-map configuration (and understanding) in the PoC before cutting over the PoC branches to the production WAAS environment.
    Assuming a typical WAAS Deployment using WCCP for off-path interception, branch to DC.
     ==> 61 in LAN (BRANCH ROUTER) <== 62 in WAN        (WAN CLOUD)        ==> 61 in WAN (DC ROUTER) <== 62 in LAN
    We are using two distinct device groups, BRANCH and DATA CENTER.
    If the customer has traffic that we need to classify in order to provide TFO only optimisation, should the single class-map include the traffic in both directions? Ie., (assume the SERVER is 10.1.1.1 TCP Port 443). Should the class-map be configured as:
    Class-Map
    Line 1: DST IP 10.1.1.1 DST Port 443
    Line 2: SRC IP 10.1.1.1 SRC Port 443
    Or in this case is only the DST line required? And in which Device Group should the custom policy be applied? Or should it be applied to both Device Groups? If it should be applied to both Device Groups, then would it make more sense to have the policy-map in the Branch DG configured to match the DST traffic, and on the Data Center DG have a different class-map match the SRC traffic?
    My confusion is how to classify the traffic (SRC or DST or Both - Separate classes for each or different lines within the same class-map), and where to apply the appropriate policy (both Device Groups, just Branch, just DC) and why...
    I tried to apply a custom policy and the impact in the PoC was that the TCP Summary report stopped reporting the individual traffic classes showed 'other traffic' only. Can anyone explain why this may have occurred?
    I hope this makes sense.

    for instance like this:
    policy-map police-in
    class class-default
    police rate 10 mpbs <optionally set burst>
    policy-map shape-out-parent
    class class-default
    shape 10 mpbs <optional burst config>
    service-policy shape-out-child
    policy-map shape-out-child
    class class-default
    queue-limit 10 packets
    int g 0/0/0/0
    service-policy police-in in
    service-policy shape-out-parent out
    also have a look at CL 2013/2014 (orlando/sanfran) ID 2904 for more QOS details
    and the support forum article of "asr9000 quality of service architecture"
    xander

  • QoS - Create class-map while inside policy-map

    The cisco training notes for CME claim you can create a non-existant class-map while in the policy-map. Here is the what the notes say
    router(config-pmap)#class class-map-name condition
    ? Optionally you can define a new class-map by entering the condition after the name of the new class map
    Does this work

    If my memory serves me, it was on a 7206VXR running a 12.3 cut. Also, I do recall that the '?' will not present this as an option but it still works...
    Paresh.

  • ACE SSL Sticky class-map generic vs class default differences.

    There was a thread recently titled "ACE 3.0(0) SW / LB with SSL Session-ID" where Giles Dufour outlined a configuration for an ACE performing sticky based on SSL Session ID.
    Can anyone explain the benefits and differences of using a specific class-map generic such as this:
    class-map type generic match-any SSL-v3-32
      2 match layer4-payload regex "\x16\x03\x00..\x01.*"
      3 match layer4-payload regex "\x16\x03\x01..\x01.*"
    Versus just matching class default?
    So if I have a configuration such as this:
    policy-map type loadbalance generic first-match SSL-v3-Sticky
    class SSL-v3-32
       sticky-serverfarm ssl-v3
    vs
    policy-map type loadbalance generic first-match SSL-v3-Sticky
    class class-default
       sticky-serverfarm ssl-v3
    What's the benefit or drawback?

    The SSL session id is only available in version 3.0.1 and 3.1.1
    So you can match this particular version and then attempt to do stickyness.
    You are guaranteed to find what you're looking for.
    If you match a class-default it means you apply stickyness to any version of ssl packet.
    So there is a risk to misinterpret the content of the packet and stick on something else than the session id.
    Gilles.

  • The class-default class map

    According to Cisco dumentation (http://www.cisco.com/en/US/docs/security/asa/asa81/config/guide/mpc.html)
    , the ASA is equipped with two default class-maps
    class-map inspection_default
    match default-inspection-traffic
    and
    class-map class-default
    match any
    The first makes perfect sense, but what is the class-default used for? Cisco says
    "This class map appears at the end of all Layer 3/4 policy maps and essentially tells the adaptive security appliance to not perform any actions on all other traffic. You can use the class-default class map if desired, rather than making your own
    match any class map. In fact, some features are only available for class-default."
    But I see stuff like this:
    policy-map MyPolicy
    class class-default
      inspect tfp MyFTPpolicy
    Obviously it is being used here to act on traffic! So I am confused.
    I also noticed that when you upgrade from 8.2 to 8.4, all default class-maps are removed from the configuration: you have to re-create everything (strange)

    Hello Collin,
    This is Mike. I dont think it is well documented. Basically it is just a class map (that does not appear on the configuration unless an action is specified) that will match all traffic passing through the ASA firewall. Some features like NSEL (Netflow) and Traffic shaping are only allowed to use this kind of class maps because they dont support any other match command.
    The one that you currently have (and God I hope its not applied)  will look for tftp traffic on every IP packet passing across the ASA.
    This specific type of policy you have there can only be applied on the interface (as it is not a layer 7 inspection policy) you can check if it is applied or not by running the show "run service-policy command"
    Mike

  • IOS Firewall: what is this class map doing?

    Hi, a few weeks ago I set up a class map but now as I am finding time to review my config, I am wondering what effect this has.  It is applied to a policy map for ssh access from the Internet to the router for management:
    class-map type inspect match-any SSH
    match protocol ssh
    match access-group name SSH
    The access list with the name "SSH" just allows certain public IP network blocks. 
    But I think I should be setting this to match-all and not match-any if I want it to allow the ssh protocol from only my IP, correct? 
    Also just to ensure I am not confused about proper creation of the ACL.  The ACL with the name SSH I've given is as follows:
    ip access-list extended SSH
    permit tcp xx.xx.0.0 0.255.255.255 any eq 22
    permit tcp xx.xx.0.0 0.7.255.255 any eq 22
    permit tcp xx.xx.0.0 0.255.255.255 any eq 22
    First, am I being redundant in the class map by telling it to match protocol ssh and also specifiying port 22 in the ACL? And, is this ACL readout done properly if I want only certain IP blocks to be able to come in from the Internet, to the router, using ssh? 

    Hello Colin,
    But I think I should be setting this to match-all and not match-any if I want it to allow the ssh protocol from only my IP, correct?
    Exactly you are getting it now It needs to be a match all....
    Regarding the ACL should be like this:
    access-list SSH
    permit tcp host outside_user_ip host router_outside_interface eq 22
    Regards,

  • Source ip filtering with class map on cisco ace30

    Hello ,
    I would like to know if it is  possible to filter source ips connecting to a virtual ip  within a class map configuration ( or something else  ) ?
    access-list S_IP_FILTERING line 8 extended permit ip host 1.1.1.1 any
    class-map match-all S_IP_FILTERING_XVIP
    2 match access-list S_IP_FILTERING
    3 match virtual-address 2.2.2.2 any
    Error: Only one match access-list is allowed in a match-all class-map and it cannot mix with any other match type
    thanks for your support
    Case,

    Hi,
    Yes, it is possible to do this. Use the ACL filter for the source IP address under the policy-map type loadbalance. Then you would call that load balance policy in your multi-match policy under the appropriate class.
    for example:
    class-map type http loadbalance match-any LOADBALANCE-FILTER
      2 match source-address X.X.X.X 255.255.255.255
    class-map match-any TEST-CLASSMAP
      2 match virtual-address Y.Y.Y.Y tcp eq www
    policy-map type loadbalance first-match LOADBALANCE
      class LOADBALANCE-FILTER
        serverfarm TEST-SERVERFARM
    policy-map multi-match UTC-PM
      class TEST-CLASSMAP
        loadbalance policy LOADBALANCE
        loadbalance vip inservice
    -Alex

  • ACE ignoring class map depending on source???

    I have a problem with a the load balancing "not working" properly depending on the source.
    The load balancing decision is done with a secondary cookie (?ld=fe1 or ?ld=fe2). If it appears and the value is fe1 the request should go to serverfarm FE1-app. If the value is fe2 then serverfarm FE2-app should be choosen. If it is not present in the http request then serverfarm FE-app in the class-default is taking over.
    This approach works if "surfing" to the VIP from a certain part of the internal network. It does not work from another part of the network. It seems that cookie is ignored and only the class default triggers.
    The strange thing is that the same approach works for another setup that looks identical (with different rservers and different VIP of course). There the class map for the cookie triggers always.
    My question is now: Why does the ACE seem to ignore the class map for the cookie when coming from a certain part of the network? How can I debug/follow a certain connection or load balancing decision?
    Here is the config:
    rserver host FE1-app
      description frontend app
      ip address 192.168.137.69
      inservice
    rserver host FE2-app
      description frontend app
      ip address 192.168.137.74
      inservice
    serverfarm host FE1-app
      rserver FE1-app 80
        inservice
    serverfarm host FE2-app
      rserver FE2-app 80
        inservice
    serverfarm host FE-app
      rserver FE1-app 80
        inservice
      rserver FE2-app 80
        inservice
    class-map type http loadbalance match-all COOKIE-FE1
      2 match http cookie secondary ld cookie-value "fe1"
    class-map type http loadbalance match-all COOKIE-FE2
      2 match http cookie secondary ld cookie-value "fe2"
    class-map match-all VIP-app
      2 match virtual-address 192.168.138.39 tcp eq www
    policy-map type loadbalance first-match VIP-app-loadbalance
      class COOKIE-FE1
        serverfarm FE1-app
      class COOKIE-FE2
        serverfarm FE2-app
      class class-default
        serverfarm FE-app
    policy-map multi-match INT470
      class VIP-app
        loadbalance vip inservice
        loadbalance policy VIP-app-loadbalance
        loadbalance vip icmp-reply
    interface vlan 470
      description lb_rpfedrift
      ip address 192.168.138.36 255.255.255.240
      alias 192.168.138.35 255.255.255.240
      peer ip address 192.168.138.37 255.255.255.240
      service-policy input remote_mgmt_allow_policy
      service-policy input INT470
      no shutdown

    Hi Federico,
    The source of the request has no relation with the way ACE handles the connections, so, there are probably other differences in the traffic.
    The best way to troubleshoot these kind of connections is taking a traffic capture on the TenGigabit interface connecting the ACE with the switch backplane. Once you have it, you can try to look for differences between the working and failing connections.
    From what you describe, I wouldn't be surprised if the issue comes from the fact that there are several HTTP requests inside the same TCP flow (in which case, by default, the ACE will look only at the first one), so I would suggest you to enable "persistence rebalance" for this VIP. For more details, check the link below:
    http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA2_3_0/configuration/slb/guide/classlb.html#wp1062907
    I hope this helps
    Daniel

  • ACE - HTTPS CLASS MAP CONFIGURATION

    Hi,
    We have a secured web site (HTTPS) currently fronted by Cisco ACE 4170, running version A5(1.2). We are trying to use the http class map to manipulate the traffic flow in the following manner:
    https://abc.com/ABC/* -> serverfarm#1
    https://abc.com/* -> serverfarm#2           (Default)
    Tecnically this should not be difficult and below is a sample of our configuration. We have similar configuration working on our non-secured web site (HTTP) However for the secure web site, the https request https://abc.com/ABC/xxx is continued being routed to serverfarm#2 instead of serverfarm#1 which is very frustrating.
    We can easily get this working on my F5 LTM within 5 minutes but this Cisco ACE continue to frustrate me...Appreciate if any expert on Cisco ACE can help to advise on our configuration.. Thanks.
    =========================================================
    serverfarm host serverfarm#1
    predictor leastconns
    probe https_probe
    rserver rs_server#1
      inservice
    rserver rs_server#2
      inservice
    serverfarm host serverfarm#2
    predictor leastconns
    probe https_probe
    rserver rs_server#3
      inservice
    rserver rs_server#4
      inservice
    sticky http-cookie STICKY_HTTPS_serverfarm#1
    cookie insert browser-expire
    timeout 15
    replicate sticky
    serverfarm serverfarm#1
    sticky http-cookie STICKY_HTTPS_serverfarm#2
    cookie insert browser-expire
    timeout 15
    replicate sticky
    serverfarm serverfarm#2
    class-map type http loadbalance match-any class-map-serverfarm#1
    2 match http url /ABC/.*
    policy-map type loadbalance first-match vs_serverfarm_https
    class class-map-serverfarm#1
      sticky-serverfarm STICKY_HTTPS_serverfarm#1
      insert-http x-forward header-value "%is"
      ssl-proxy client ssl_serverfarm
    class class-default
      sticky-serverfarm STICKY_HTTPS_serverfarm#2
      insert-http x-forward header-value "%is"
      ssl-proxy client ssl_serverfarm
    =========================================================

    Kanwaljeet,
    Yes, we are using ACE for SSL termination i.e. front end is https and back-end is also https.
    We are doing end-to-end encryption as our IT security and audit wanted end-to-end encryption between the client and servers. ACE should be able to look at the HTTP header at the front end since the client SSL session is terminate on the ACE.
    Below is an extract of the configuration, I've leave out the remaining configuration which is not required.
    =========================================================
    serverfarm host serverfarm#1
    predictor leastconns
    probe https_probe
    rserver rs_server#1
      inservice
    rserver rs_server#2
      inservice
    serverfarm host serverfarm#2
    predictor leastconns
    probe https_probe
    rserver rs_server#3
      inservice
    rserver rs_server#4
      inservice
    sticky http-cookie STICKY_HTTPS_serverfarm#1
    cookie insert browser-expire
    timeout 15
    replicate sticky
    serverfarm serverfarm#1
    sticky http-cookie STICKY_HTTPS_serverfarm#2
    cookie insert browser-expire
    timeout 15
    replicate sticky
    serverfarm serverfarm#2
    class-map match-all vs_serverfarm
      2 match virtual-address 10.178.50.140 tcp eq https
    class-map type http loadbalance match-any class-map-serverfarm#1
    2 match http url /ABC/.*
    policy-map type loadbalance first-match vs_serverfarm_https
    class class-map-serverfarm#1
      sticky-serverfarm STICKY_HTTPS_serverfarm#1
      insert-http x-forward header-value "%is"
      ssl-proxy client ssl_serverfarm
    class class-default
      sticky-serverfarm STICKY_HTTPS_serverfarm#2
      insert-http x-forward header-value "%is"
      ssl-proxy client ssl_serverfarm
    policy-map multi-match PRODWEB_POLICY
      class vs_serverfarm
        loadbalance vip inservice
        loadbalance policy vs_serverfarm_https
        loadbalance vip icmp-reply active
        nat dynamic 100 vlan 100
        ssl-proxy server ssl_serverfarm
    =========================================================

  • ACE: a class-map with multiple ports... what about the probe/serverfarm?

    Hello Gilles,
    One question about something I was not able to find in the documentation.
    Lets say I have one class-map which includes 2 ports (in this case https and 5061).
    Can I associate this class-map to just 1 generic serverfarm and probe for both ports or I have to specify 2 serverfarms/rservers/probes?
    So, by not specifying the ports on the rserver, if a request is received on port 443 (or 5061), it is sent to the same respective port on the rserver?
    The same way is valid for the generic probe.  ACE module is able to probe both ports based on the class-map?
    Thanks and have a great day!!
    Giulio.
    probe tcp PROBE_GENERIC_TCP
      description This probe works for all TCP services by inheriting the VIP port.
      interval 15
      faildetect 2
      passdetect interval 15
      passdetect count 2
      open 2
    rserver host SERVER1_ACCESS
      ip address <1AC>
      inservice
    rserver host SERVER2_ACCESS
      ip address <2AC>
      inservice
    serverfarm host ACCESS-SFARM
      probe PROBE_GENERIC_TCP
      rserver SERVER1_ACCESS
        inservice
      rserver SERVER2_ACCESS
        inservice
    class-map match-any OCS_L4ACCESS
      2 match virtual-address x.x.x.176 tcp eq https
      2 match virtual-address x.x.x.176 tcp eq 5061
    policy-map type loadbalance first-match OCS_L4ACCESS
      class class-default
        sticky-serverfarm ACCESS_STICKY
    policy-map multi-match POLICY
    class OCS_L4ACCESS
    loadbalance vip inservice
    loadbalance policy OCS_L4ACCESS
    loadbalance vip icmp-reply active
    connection advanced-options OCS_VIPTIMEOUT
    nat dynamic XXX vlan 503

    Even if you use the 4710 appliance or expect the inheritance in the module software, it's worth considering if this is really what you want. If you keep multiple ports in the L3/L4 class-map you can't handle the services independently. You will have a common serverfarm for both https and 5061. If https service stops on one rserver, the ACE will place that rserver (and not that service) in out-of-operation state and it won't receive any 5061 traffic either. (You have the fail-on-all probe option but I wouldn't say it's a better choice. In that case, https traffic would be sent to the rserver even if https port is closed as long as there is at least one working service on it.) That's why I prefer a separate class-map and separate serverfarm for each service. (They can contain the same rservers, no need to duplicate.) BUT if the software supports probe port inheritance, you can benefit from it even in this scenario: serverfarm-443 and serverfarm-5061 can both use your PROBE_GENERIC_TCP.

  • Layer 7 class-map with different match types

    Hello,
    I am fighting with a problem on an ACE-4710 version A3(2.4) configuation. I just want to configure a layer 7 class-map that matches if one of two conditions is true. The problem is that these conditions are not from the same type and the ACE refuses the second match statement. However, in the configuration guide, it is clearly defined that it should be possible :
    Here is what the configuration guides says :
    host1/Admin(config)# class-map type http loadbalance match-any CLASS3
    host1/Admin(config-cmap-http-lb)# 100 match http url .*.gif
    host1/Admin(config-cmap-http-lb)# 200 match http header Host header-value XYZ
    host1/Admin(config-cmap-http-lb)# exit
    If I test exactly the same configuration in a context of my ACE, I receive an error message :
    CH01AC03/P-104-A(config)# class-map type http loadbalance match-any CLASS3
    CH01AC03/P-104-A(config-cmap-http-lb)# 100 match http url .*.gif
    CH01AC03/P-104-A(config-cmap-http-lb)# 200 match http header Host header-value XYZ
    Error: Match-any classmap can not have different type of match
    If I use nested class-maps, I receive the same error message !
    Is it a known problem or is it a solution for it ?
    Thank you for any help
    Yves

    Hello Yves,
    The command error is correct.  I'll take a look at the docs and see about getting them corrected, if necessary.
    Basically, for a match-all, you would have to use different types.  For example, there will only be one Host header, so you would only specify it once using regex or a fixed string.  As you found out, the match-any requires that they all be of the same type.  See my example below:
    class-map type http loadbalance match-all HEADER-AND-URL
      100 match http url /login.*
      200 match http header Host header-value "XYZ"
    class-map type http loadbalance match-any URLS
      100 match http url .*\.gif
      200 match http url .*\.jpg
    class-map type http loadbalance match-any HEADER
      200 match http header Host header-value "CISCO"
    policy-map type loadbalance first-match SLB_LOGIC
      class HEADER-AND-URL
        serverfarm LOGIN-FARM
      class URLS
        serverfarm IMAGES-FARM
      class HEADER
        serverfarm CISCO-FARM
      class class-default
        serverfarm WWW-FARM
    So let's say you want to match requests for URLs ending in .jpg or for requests with Host header XYZ, and if it matches either one, then send to the same serverfarm.
    class-map type http loadbalance match-any URL-JPG
      2 match http url .*\.jpg
    class-map type http loadbalance match-any HOST-XYZ
      2 match http header Host header-value "XYZ"
    policy-map type loadbalance first-match SLB_LOGIC
      class URL-JPG
        serverfarm SERVER-FARM
      class HOST-XYZ
        serverfarm SERVER-FARM
    If you wanted to send these requests to the farm only if they matched BOTH matches, then you could do it as follows:
    class-map type http  loadbalance match-all HEADER-AND-URL
       100 match http url /login.*
       200 match http header Host header-value "XYZ"
    policy-map type  loadbalance first-match SLB_LOGIC
       class HEADER-AND-URL
         serverfarm LOGIN-FARM
    Hope this helps,
    Sean

  • Default class map is dropping all Packets

    Hello I have a Cisco 871 router that used to have Access list based security. now I am trying the ZBFW for the first time.  I thought I had a pretty good program until I found all my traffic was getting dropped. This is my first stab at ZBFWs and I am a bit confused esp with the default class part. Any help is greatly appreciated!!!!
    The router is for my house and thus also has to have priority for gaming. I will add the gaming and voice QOS once I get it working,
    Guest VLAN has access to 2 IP's in Data for printing.
    Cisco871#sh run
    Building configuration...
    Current configuration : 8005 bytes
    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    service sequence-numbers
    hostname Cisco871
    boot-start-marker
    boot-end-marker
    logging buffered 4096
    no logging console
    aaa new-model
    aaa authentication login default local
    aaa authorization exec default local
    aaa session-id common
    clock summer-time PST recurring
    crypto pki trustpoint TP-self-signed-4004039535
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-4004039535
    revocation-check none
    rsakeypair TP-self-signed-4004039535
    crypto pki certificate chain TP-self-signed-4004039535
    certificate self-signed 01
      3082024C 308201B5 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
      31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
      69666963 6174652D 34303034 30333935 3335301E 170D3038 30323037 30373532
      32375A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
      4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D34 30303430
      33393533 3530819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
      8100CEC2 7B89C73F AB4860EE 729C3B64 82139630 239A2301 8EA8B4C4 05505E25
      B0F24E7F 26ECEC53 3E266E80 F3104F61 BDDC5592 40E12537 2262D272 08D38F8E
      147F5059 7F632F5E 635B9CDF 652FFE82 C2F45C60 5F619AF0 72E640E0 E69EA9EF
      41C6B06C DD8ACF4B 0A1A33CF AF3C6BFB 73AD6BE0 BD84DD7F 435BD943 0A22E0E5
      F4130203 010001A3 74307230 0F060355 1D130101 FF040530 030101FF 301F0603
      551D1104 18301682 144C7570 696E2E44 61627567 61626F6F 732E6F72 67301F06
      03551D23 04183016 801473C6 E0784818 29A89377 23A22F5E BDD430CE E282301D
      0603551D 0E041604 1473C6E0 78481829 A8937723 A22F5EBD D430CEE2 82300D06
      092A8648 86F70D01 01040500 03818100 299AD241 442F976F 4F030B33 C477B069
      D356C518 8132E61B 1220F999 A30A4E0C D337DCE5 C408E3BC 0439BB66 543CF585
      8B26AA77 91FA510B 14796239 F272A306 C942490C A44336E0 A9430B81 9FC62524
      E55017FA 5C5463D7 B3492753 42315BEC 32B78F24 D10B0CA7 D1844CD5 C3E466B9
      3543BD68 A4B2692D 05CBF6DC C93C8142
                quit
    ip cef
    no ip dhcp use vrf connected
    ip dhcp excluded-address 10.0.0.1 10.0.0.5
    ip dhcp excluded-address 172.16.15.1 172.16.15.5
    ip dhcp excluded-address 172.16.15.14
    ip dhcp excluded-address 172.16.17.1 172.16.17.5
    ip dhcp excluded-address 192.168.19.1 192.168.19.5
    ip dhcp pool MyNetNative
       import all
       network 10.0.0.0 255.255.255.248
       default-router 10.0.0.1
       domain-name MyNetNet.org
       dns-server 4.2.2.1 4.2.2.6 8.8.8.8 208.67.220.220
       lease 0 2
    ip dhcp pool MyNetData
       import all
       network 172.16.15.0 255.255.255.240
       dns-server 172.16.15.14 4.2.2.1 4.2.2.6 8.8.8.8 208.67.220.220
       default-router 172.16.15.1
       domain-name MyDomain.org
    ip dhcp pool MyNetVoice
       import all
       network 172.16.17.0 255.255.255.240
       dns-server 172.16.15.14
       default-router 172.16.17.1
       domain-name MyDomain.org
    ip dhcp pool MyNetGuest
       import all
       network 192.168.19.0 255.255.255.240
       default-router 192.168.19.1
       domain-name MyNetGuest.org
       dns-server 4.2.2.1 4.2.2.6 8.8.8.8 208.67.220.220
    ip domain name MyDomain.org
    ip name-server 172.16.15.14
    ip name-server 4.2.2.4
    ip inspect log drop-pkt
    multilink bundle-name authenticated
    parameter-map type inspect TCP_PARAM
    parameter-map type inspect global
    username MyAdmin privilege 15 secret 5 MyPassword
    archive
    log config
      hidekeys
    class-map type inspect match-all MyNetGuest-access-list
    match access-group 110
    class-map type inspect match-any Base-protocols
    match protocol http
    match protocol https
    match protocol ftp
    match protocol ssh
    match protocol dns
    match protocol ntp
    match protocol ica
    match protocol pptp
    match protocol icmp
    match protocol tcp
    match protocol udp
    class-map type inspect match-all MyNetGuest-Class
    match class-map MyNetGuest-access-list
    match class-map Base-protocols
    class-map type inspect match-all MyNetNet-access-list
    match access-group 100
    class-map type inspect match-any Voice-protocols
    match protocol h323
    match protocol skinny
    match protocol sip
    class-map type inspect match-any Extended-protocols
    match protocol pop3
    match protocol pop3s
    match protocol imap
    match protocol imaps
    match protocol smtp
    class-map type inspect match-all MyNetNet-Class
    match class-map MyNetNet-access-list
    match class-map Voice-protocols
    match class-map Extended-protocols
    match class-map Base-protocols
    policy-map type inspect MyNetNet-zone_to_MyNetWAN-zone_policy
    class type inspect MyNetNet-Class
      inspect
    class class-default
    policy-map type inspect MyNetNet-zone_to_MyNetGuest-zone_policy
    class type inspect MyNetNet-Class
      inspect
    class class-default
    policy-map type inspect MyNetGuest-zone_to_MyNetNet-zone_policy
    class type inspect MyNetGuest-access-list
      inspect
    class class-default
    policy-map type inspect MyNetGuest-zone_to_MyNetWAN-zone_policy
    class type inspect MyNetGuest-Class
      inspect
    class class-default
    policy-map type inspect MyNetNet-zone
    class class-default
      pass
    zone security MyNetNet-zone
    zone security MyNetGuest-zone
    zone security MyNetWAN-zone
    zone-pair security MyNetNet->MyNetGuest source MyNetNet-zone destination MyNetGuest-zone
    service-policy type inspect MyNetNet-zone_to_MyNetGuest-zone_policy
    zone-pair security MyNetNet->MyNetWAN source MyNetNet-zone destination MyNetWAN-zone
    service-policy type inspect MyNetNet-zone_to_MyNetWAN-zone_policy
    zone-pair security MyNetGuest->MyNetWAN source MyNetGuest-zone destination MyNetWAN-zone
    service-policy type inspect MyNetGuest-zone_to_MyNetWAN-zone_policy
    zone-pair security MyNetGuest->MyNetNet source MyNetGuest-zone destination MyNetNet-zone
    service-policy type inspect MyNetGuest-zone_to_MyNetNet-zone_policy
    interface FastEthernet0
    description Cisco-2849-Switch
    switchport mode trunk
    speed 100
    interface FastEthernet1
    interface FastEthernet2
    interface FastEthernet3
    description SBS-Server
    switchport access vlan 10
    spanning-tree portfast
    interface FastEthernet4
    description WAN
    no ip address
    ip mtu 1492
    ip nat outside
    ip virtual-reassembly
    zone-member security MyNetWAN-zone
    ip tcp adjust-mss 1452
    duplex auto
    speed auto
    no cdp enable
    interface Vlan1
    description MyNetNative
    ip address 10.0.0.1 255.255.255.248
    ip nat inside
    ip virtual-reassembly
    zone-member security MyNetNet-zone
    ip tcp adjust-mss 1452
    interface Vlan10
    description MyNetData
    ip address 172.16.15.1 255.255.255.240
    ip nat inside
    ip virtual-reassembly
    zone-member security MyNetNet-zone
    interface Vlan20
    description MyNetVoice
    ip address 172.16.17.1 255.255.255.240
    ip nat inside
    ip virtual-reassembly
    zone-member security MyNetNet-zone
    interface Vlan69
    description MyNetGuest
    ip address 192.168.19.1 255.255.255.240
    ip nat inside
    ip virtual-reassembly
    zone-member security MyNetGuest-zone
    ip http server
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    access-list 100 remark MyNetnet
    access-list 100 permit ip 10.0.0.0 0.0.0.7 any
    access-list 100 permit ip 172.16.15.0 0.0.0.31 any
    access-list 100 permit ip 172.16.17.0 0.0.0.15 any
    access-list 110 remark MyNetGuest
    access-list 110 permit ip 192.168.19.0 0.0.0.15 host 172.16.15.2
    access-list 110 permit ip 192.168.19.0 0.0.0.15 host 172.16.15.3
    access-list 110 deny   ip 192.168.19.0 0.0.0.15 10.0.0.0 0.0.0.7
    access-list 110 deny   ip 192.168.19.0 0.0.0.15 172.16.15.0 0.0.0.31
    access-list 110 deny   ip 192.168.19.0 0.0.0.15 172.16.17.0 0.0.0.15
    access-list 110 permit ip 192.168.19.0 0.0.0.15 any
    control-plane
    banner login ^CC
    You know if you should be here or not.
             if not please leave
    NOW
    ^C
    line con 0
    no modem enable
    line aux 0
    line vty 0 4
    privilege level 15
    transport input telnet ssh
    scheduler max-task-time 5000
    ntp server 172.16.15.14
    webvpn cef
    end
    Cisco871#sh zone security
    zone self
      Description: System defined zone
    zone MyNetNet-zone
      Member Interfaces:
        Vlan1
        Vlan10
        Vlan20
    zone MyNetGuest-zone
      Member Interfaces:
        Vlan69
    zone MyNetWAN-zone
      Member Interfaces:
        FastEthernet4
    Cisco871#sh zone-pair security
    Zone-pair name MyNetNet->MyNetGuest
        Source-Zone MyNetNet-zone  Destination-Zone MyNetGuest-zone
        service-policy MyNetNet-zone_to_MyNetGuest-zone_policy
    Zone-pair name MyNetNet->MyNetWAN
        Source-Zone MyNetNet-zone  Destination-Zone MyNetWAN-zone
        service-policy MyNetNet-zone_to_MyNetWAN-zone_policy
    Zone-pair name MyNetGuest->MyNetWAN
        Source-Zone MyNetGuest-zone  Destination-Zone MyNetWAN-zone
        service-policy MyNetGuest-zone_to_MyNetWAN-zone_policy
    Zone-pair name MyNetGuest->MyNetNet
        Source-Zone MyNetGuest-zone  Destination-Zone MyNetNet-zone
        service-policy MyNetGuest-zone_to_MyNetNet-zone_policy
    Cisco871#sh int faste4
    FastEthernet4 is up, line protocol is up
      Hardware is PQUICC_FEC, address is 0016.9d29.a667 (bia 0016.9d29.a667)
      Description: WAN
      Internet address is 10.38.177.98/25
      MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
         reliability 255/255, txload 1/255, rxload 1/255
      Encapsulation ARPA, loopback not set
      Keepalive set (10 sec)
      Full-duplex, 100Mb/s, 100BaseTX/FX
      ARP type: ARPA, ARP Timeout 04:00:00
      Last input 00:00:00, output 00:34:50, output hang never
      Last clearing of "show interface" counters never
      Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
      Queueing strategy: fifo
      Output queue: 0/40 (size/max)
      5 minute input rate 2000 bits/sec, 3 packets/sec
      5 minute output rate 0 bits/sec, 0 packets/sec
         593096 packets input, 73090812 bytes
         Received 592752 broadcasts, 0 runts, 0 giants, 0 throttles
         0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
         0 watchdog
         0 input packets with dribble condition detected
         9940 packets output, 1016025 bytes, 0 underruns
         0 output errors, 0 collisions, 3 interface resets
         0 babbles, 0 late collision, 0 deferred
         0 lost carrier, 0 no carrier
         0 output buffer failures, 0 output buffers swapped out
    Zone-pair: MyNetNet->MyNetWAN
      Service-policy inspect : MyNetNet-zone_to_MyNetWAN-zone_policy
        Class-map: MyNetNet-Class (match-all)
          Match: class-map match-all MyNetNet-access-list
            Match: access-group 100
          Match: class-map match-any Voice-protocols
            Match: protocol h323
              0 packets, 0 bytes
              30 second rate 0 bps
            Match: protocol skinny
              0 packets, 0 bytes
              30 second rate 0 bps
            Match: protocol sip
              0 packets, 0 bytes
              30 second rate 0 bps
          Match: class-map match-any Extended-protocols
            Match: protocol pop3
              0 packets, 0 bytes
              30 second rate 0 bps
            Match: protocol pop3s
              0 packets, 0 bytes
              30 second rate 0 bps
            Match: protocol imap
              0 packets, 0 bytes
              30 second rate 0 bps
            Match: protocol imaps
              0 packets, 0 bytes
              30 second rate 0 bps
            Match: protocol smtp
              0 packets, 0 bytes
              30 second rate 0 bps
          Match: class-map match-any Base-protocols
            Match: protocol http
              0 packets, 0 bytes
              30 second rate 0 bps
            Match: protocol https
              0 packets, 0 bytes
              30 second rate 0 bps
            Match: protocol ftp
              0 packets, 0 bytes
              30 second rate 0 bps
            Match: protocol ssh
              0 packets, 0 bytes
              30 second rate 0 bps
            Match: protocol dns
              0 packets, 0 bytes
              30 second rate 0 bps
            Match: protocol ntp
              0 packets, 0 bytes
              30 second rate 0 bps
            Match: protocol ica
              0 packets, 0 bytes
              30 second rate 0 bps
            Match: protocol pptp
              0 packets, 0 bytes
              30 second rate 0 bps
            Match: protocol icmp
              0 packets, 0 bytes
              30 second rate 0 bps
            Match: protocol tcp
              0 packets, 0 bytes
              30 second rate 0 bps
            Match: protocol udp
              0 packets, 0 bytes
              30 second rate 0 bps
          Inspect
            Session creations since subsystem startup or last reset 0
            Current session counts (estab/half-open/terminating) [0:0:0]
            Maxever session counts (estab/half-open/terminating) [0:0:0]
            Last session created never
            Last statistic reset never
            Last session creation rate 0
            Maxever session creation rate 0
            Last half-open session total 0
        Class-map: class-default (match-any)
          Match: any
          Drop (default action)
            5196 packets, 256211 bytes
    Cisco871#sh log
    Syslog logging: enabled (1 messages dropped, 0 messages rate-limited,
                    0 flushes, 0 overruns, xml disabled, filtering disabled)
    No Active Message Discriminator.
    No Inactive Message Discriminator.
        Console logging: disabled
        Monitor logging: level debugging, 0 messages logged, xml disabled,
                         filtering disabled
        Buffer logging:  level debugging, 1745 messages logged, xml disabled,
                         filtering disabled
        Logging Exception size (4096 bytes)
        Count and timestamp logging messages: disabled
        Persistent logging: disabled
    No active filter modules.
    ESM: 0 messages dropped
        Trap logging: level informational, 1785 message lines logged
    Log Buffer (4096 bytes):
    001779: *Feb 15 11:00:55.979: %FW-6-DROP_UDP_PKT: Dropping Other pkt 172.16.15.6:61806 => 168.94.0.1:53 with ip ident 511 due to  policy match failure
    001780: *Feb 15 11:00:59.739: %FW-6-DROP_TCP_PKT: Dropping Other pkt 172.16.15.6:4399 => 168.94.69.30:443 due to  policy match failure -- ip ident 515 tcpflags 0x7002 seq.no 974122240 ack 0
    001781: *Feb 15 11:01:26.507: %FW-6-DROP_UDP_PKT: Dropping Other pkt 172.16.15.6:51991 => 168.94.0.1:53 with ip ident 625 due to  policy match failure
    001783: *Feb 15 11:01:57.891: %FW-6-DROP_UDP_PKT: Dropping Other pkt 172.16.15.6:64470 => 168.94.0.1:53 with ip ident 677 due to  policy match failure

    Hello Charlie,
    I would recomend you to investigate a little bit more about how the ZBFW features works
    Now I am going to help you on this one at least, then I will give you a few links you could use to study
    We are going to study traffic from MyNetNet-zone to the MyNetWan-zone
    First the zone-pair
    zone-pair security MyNetNet->MyNetWAN source MyNetNet-zone destination MyNetWAN-zone
    service-policy type inspect MyNetNet-zone_to_MyNetWAN-zone_policy
    so lets go policy-map
    policy-map type inspect MyNetNet-zone_to_MyNetWAN-zone_policy
    class type inspect MyNetNet-Class
      inspect
    class class-default
    Finally to the class map
    class-map type inspect match-all MyNetNet-Class
    match class-map MyNetNet-access-list
    match class-map Voice-protocols
    match class-map Extended-protocols
    match class-map Base-protocols
    That keyword MATCH-ALL is the one causing the issues!!
    Why?
    Because you are telling the ZBFW to inspect traffic only if matches all of those class-maps so a packet will need to math the base protocols and the extended protocol and as you know that is not possible ( Just one protocol )
    So here are the links
    http://blogg.kvistofta.nu/cisco-ios-zone-based-policy-firewall/
    https://supportforums.cisco.com/thread/2138873
    http://pktmaniac.info/2011/08/zone-based-firewalls-something-to-keep-in-mind/
    http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc994.shtml
    You have some work to do
    Please remember to rate all the helpful posts
    Julio
    CCSP

  • ZBF Class-map and different way of doing them

    Hi People just though i would ask a question on how to set up a ZBF. (question at the end of example config's)
    i have been playing with this for a while now and like to get advice over what way is the recomended way of doing multiple matchs
    ok we we all know the basic
    class-map type inspect match-any ZBF_CM_ICMP
    match protocol icmp
    policy-map type inspect ZBF_PM_EXTERNAL->DMZ
    class type inspect ZBF_CM_ICMP
      inspect
    and then the ZP dont need to show, this is a simple map using nbar fair enough
    then we could a mulitiple matches
    class-map type inspect match-any ZBF_CM_STD_DMZ_PORTS
    match protocol icmp
    match protocol http
    match protocol dns
    match protocol https
    policy-map type inspect ZBF_PM_DMZ->EXTERNAL
    class type inspect ZBF_CM_STD_DMZ_PORTS
      inspect
    Ok still easy to understand but now come the bit that a little more copmplex non NBAR matches
    ip access-list extended AL_RDP_PORT
    permit tcp any any eq 3389
    class-map type inspect match-all ZBF_CM_RDP
    match access-group name AL_RDP_PORT
    policy-map type inspect ZBF_PM_EXTERNAL->DMZ
    class type inspect ZBF_CM_RDP
      inspect
    This config is now using an access list because NBAR dosent have the protocol in it then map the AL to the CM then CM to PM. next is example is what i setup to get more non NBAR ports and only for 1 host
    ip access-list extended AL_HOST_IP_IN
    permit ip any host 11.11.11.11
    ip access-list extended AL_ISATAP
    permit 41 any any
    ip access-list extended AL_TEREDO
    permit udp any any eq 3544
    class-map type inspect match-ANY ZBF_CM_DirectAccess_Protocols
    description Nested Class Map
    match access-group name AL_ISATAP
    match access-group name AL_TEREDO
    match protocol https
    class-map type inspect match-ALL ZBF_CM_APP_IN
    match access-group name AL_HOST_IP_IN
    match access-group name ZBF_CM_DirectAccess_Protocols
    policy-map type inspect ZBF_PM_EXTERNAL->DMZ
    class type inspect ZBF_CM_APP_IN
      inspect                                                                                                      (or pass with rule for other direction)
    THis is what i setup and it works not for this example but the rule flow i then was having issues with DMVPN and ZBF (turned out to be an iso bug annoying me) but i used CiscoCP to setup the ZBF automaticly forthe DMVPN and it ZBF rule where  same proceduare as below.
    ip access-list extended AL_HOST_IP_IN
    permit ip any host 11.11.11.11
    ip access-list extended AL_ISATAP
    permit 41 any any
    ip access-list extended AL_TEREDO
    permit udp any any eq 3544
    class-map type inspect match-ANY CM_ISATAP
    match access-group name AL_ISATAP
    class-map type inspect match-ANY CM_TEREDO
    match access-group name AL_TEREDO
    class-map type inspect match-ANY ZBF_CM_DirectAccess_Protocols
    description Nested Class Map
    match class-map CM_ISATAP
    match class-map CM_TEREDO
    match protocol https
    class-map type inspect match-ALL ZBF_CM_APP_IN
    match access-group name AL_HOST_IP_IN
    match access-group name ZBF_CM_DirectAccess_Protocols
    policy-map type inspect ZBF_PM_EXTERNAL->DMZ
    class type inspect ZBF_CM_APP_IN
      inspect
    So what Cisco CP did was make yet another level of nesting rather then the match-all class map having the match access list command then made a cm with access list then the main class map had only other match class maps in it..
    QUESTION:
    Why did CiscoCP do the extra nesting
    both ways worked but i would like to know why the cisco CP did the same thing with the other layer of CM did it do this for best practise or dose this make changed later easier i cant understand whats the advange to doing it this way... but if there is a valid reason then ill great jjust trying to understand.
    thanks
    regards
    A very sore headed
    Dave

    When people say "use as few classes as possible", it's usually related not to optimize heap usage, but jar size.
    But it's true that some smart use of OOP can save a lot of memory during runtime (and even jar size in some cases). Using an interface in my GUI library helps make the architecture a lot simpler and more compact, to the point that even if all the GUI widgets are being used (so the "just loading the code you need at the moment" argument is moot) memory use is still smaller because I need a lot less hacks to glue everything together.
    It still is worth noting that often memory fragmentation is the true cause of running-out-of-memory-errors, and in this case loading many small classes will achieve exactly the opposite.
    shmoove

  • Issue with ACE HTTP class map

    This is what I want to achieve USING the ACE as a reverse proxy.
    User uses the url https://abc/password - gets to the destination server & the web page
    If user tries to use any thing additional then the connection is dropped at the ACE such as
    https://abc/password/test or any such variation.
    Following is the config I have to achieve this
    class-map type http loadbalance match-any L7-CLASS-TEST
      match http url /password
      match http url /password/
    class-map type http loadbalance match-any L7-CLASS-TEST-deny
      2 match http url .*.*
    policy-map type loadbalance first-match LBP-TEST
      class L7-CLASS-TEST
        serverfarm FARM-TEST
        ssl-proxy client TEST
      class L7-CLASS-TEST-deny
        drop
      class class-default
        serverfarm FARM-TEST
        ssl-proxy client TEST
    The problem with this is when the page opens I get broken links on all the images. If I use the following line
    match http url /password.*
    I get the images to work but the user can use the https://abc/password/test which is not what I want.
    Has any one faced this issue ?
    Any help will be appreciated.
    Thanks in advance
    Prasanna

    Prasanna,
    What about if you try it in HTTP and apply the following change?
    class-map type http loadbalance match-any L7-CLASS-TEST-deny
      2 match http url /.*
    This should work in HTTP but not with HTTPS
    Anyway, it should not work since everything seems to be encrypted, you may require either SSL-termination or END-TO-END SSL for this then the ACE can decrypt the request see what it needs to do and take the load balance decision.
    Jorge

Maybe you are looking for

  • Setting up bridge as photo database for a small company

    My company is using a quite large collection of stock photos. Those photos are currently saved in appropiately named folders, however it's quite hard to find a specific type of photo this way. That's why we want to start using bridge for the manageme

  • Plugged in, not charging - PLEASE HELP

    Hi, I have a T61 and from yesterday my battery is not charging. I have a 9 cell battery and when I plug in the AC adapter, it shows "plugged in, not charging" status on the battery icon in the system tray. Could someone please help asap? Thanks, Anim

  • N500 4233 NOTEBOOK no wifi after reinstalli​ng vista

    Today morning i've format my system and reinstall windows vista on my N500 notebook, after trying windows 7 (it was too slow so...) but now i can't get my WIFI work! tried everything from drivers to power managment, the switch in the front, the BIOS

  • [ADF] migration to ADF, pl/sql based DB api

    We are planning to move one of our project to ADF (we using flex for now), we have all our DB working through the proc/functions API. Its about 50+ entities, lots of rename/update/create api already exists and working well. There seems a bit tricky t

  • The 'Next' iPad...

    ... I really like the iPad as a device. I look at it's competition and say 'there is none', because I believe it occupies a niche of it's own. Like many other Apple-product fans, I listen to the harsh criticism of all of it's devices, and hear the 'e