Class-map with ACL rule

In the following class-map:
"class-map match-any voice
match access-group 190"
If the ACL 190 has more than one line with "permit" statements, then in order for the policy-map using the above class-map to find a match and apply that class-map's rules, does the traffic need to meet all the criteria in the ACL, or does it work like a regular ACL, where it "walks" down and stops execution at the first permit/deny "hit"?
Regards,
Christos

The explicit "match-any" will do just that. So, a nested ACL can be configured for multiple criteria.
The alternative is a "match-all", where all nested options in your ACL MUST be met. Hope this helps.
T

Similar Messages

  • Using CSS class together with CSS Rule

    Hi,
    I design my web site in Dreamweaver and then use Web
    Developer 2005 Express for the dynamic stuff. I amalgamate all the
    work I have done in Dreamweaver into 2005 Express. However with the
    new server side controls I do not know how to add a CSS class
    together with a CSS rule.
    In the normal client side control in Dreamweaver I have -
    <input name="txtPassword" type="password" class="Input"
    id="SpacerBottom" />
    In the server side controls the ID keyword is used now -
    <asp:TextBox ID="txtPassword" runat="server"
    Style="z-index: 107" CssClass="Input" ></asp:TextBox>
    I have tried to use the name="txtPassword", but it ignores
    this.
    I would really like to know how I can use a class and an id
    selector with the new server side controls and would really
    appreciate some help on this.
    Many thanks,
    Polly Anna

  • Layer 7 class-map with different match types

    Hello,
    I am fighting with a problem on an ACE-4710 version A3(2.4) configuration. I just want to configure a layer 7 class-map that matches if one of two conditions is true. The problem is that these conditions are not of the same type and the ACE refuses the second match statement. However, the configuration guide clearly states that it should be possible:
    Here is what the configuration guide says:
    host1/Admin(config)# class-map type http loadbalance match-any CLASS3
    host1/Admin(config-cmap-http-lb)# 100 match http url .*.gif
    host1/Admin(config-cmap-http-lb)# 200 match http header Host header-value XYZ
    host1/Admin(config-cmap-http-lb)# exit
    If I test exactly the same configuration in a context of my ACE, I receive an error message:
    CH01AC03/P-104-A(config)# class-map type http loadbalance match-any CLASS3
    CH01AC03/P-104-A(config-cmap-http-lb)# 100 match http url .*.gif
    CH01AC03/P-104-A(config-cmap-http-lb)# 200 match http header Host header-value XYZ
    Error: Match-any classmap can not have different type of match
    If I use nested class-maps, I receive the same error message!
    Is it a known problem, or is there a solution for it?
    Thank you for any help
    Yves

    Hello Yves,
    The command error is correct.  I'll take a look at the docs and see about getting them corrected, if necessary.
    Basically, for a match-all, you would have to use different types.  For example, there will only be one Host header, so you would only specify it once using regex or a fixed string.  As you found out, the match-any requires that they all be of the same type.  See my example below:
    class-map type http loadbalance match-all HEADER-AND-URL
      100 match http url /login.*
      200 match http header Host header-value "XYZ"
    class-map type http loadbalance match-any URLS
      100 match http url .*\.gif
      200 match http url .*\.jpg
    class-map type http loadbalance match-any HEADER
      200 match http header Host header-value "CISCO"
    policy-map type loadbalance first-match SLB_LOGIC
      class HEADER-AND-URL
        serverfarm LOGIN-FARM
      class URLS
        serverfarm IMAGES-FARM
      class HEADER
        serverfarm CISCO-FARM
      class class-default
        serverfarm WWW-FARM
    So let's say you want to match requests for URLs ending in .jpg or for requests with Host header XYZ, and if it matches either one, then send to the same serverfarm.
    class-map type http loadbalance match-any URL-JPG
      2 match http url .*\.jpg
    class-map type http loadbalance match-any HOST-XYZ
      2 match http header Host header-value "XYZ"
    policy-map type loadbalance first-match SLB_LOGIC
      class URL-JPG
        serverfarm SERVER-FARM
      class HOST-XYZ
        serverfarm SERVER-FARM
    If you wanted to send these requests to the farm only if they matched BOTH matches, then you could do it as follows:
    class-map type http loadbalance match-all HEADER-AND-URL
      100 match http url /login.*
      200 match http header Host header-value "XYZ"
    policy-map type loadbalance first-match SLB_LOGIC
      class HEADER-AND-URL
        serverfarm LOGIN-FARM
    Hope this helps,
    Sean

  • ACE: a class-map with multiple ports... what about the probe/serverfarm?

    Hello Gilles,
    One question about something I was not able to find in the documentation.
    Let's say I have one class-map which includes 2 ports (in this case https and 5061).
    Can I associate this class-map to just 1 generic serverfarm and probe for both ports, or do I have to specify 2 serverfarms/rservers/probes?
    So, by not specifying the ports on the rserver, if a request is received on port 443 (or 5061), is it sent to the same respective port on the rserver?
    Is the same valid for the generic probe? Is the ACE module able to probe both ports based on the class-map?
    Thanks and have a great day!!
    Giulio.
    probe tcp PROBE_GENERIC_TCP
      description This probe works for all TCP services by inheriting the VIP port.
      interval 15
      faildetect 2
      passdetect interval 15
      passdetect count 2
      open 2
    rserver host SERVER1_ACCESS
      ip address <1AC>
      inservice
    rserver host SERVER2_ACCESS
      ip address <2AC>
      inservice
    serverfarm host ACCESS-SFARM
      probe PROBE_GENERIC_TCP
      rserver SERVER1_ACCESS
        inservice
      rserver SERVER2_ACCESS
        inservice
    class-map match-any OCS_L4ACCESS
      2 match virtual-address x.x.x.176 tcp eq https
      2 match virtual-address x.x.x.176 tcp eq 5061
    policy-map type loadbalance first-match OCS_L4ACCESS
      class class-default
        sticky-serverfarm ACCESS_STICKY
    policy-map multi-match POLICY
    class OCS_L4ACCESS
    loadbalance vip inservice
    loadbalance policy OCS_L4ACCESS
    loadbalance vip icmp-reply active
    connection advanced-options OCS_VIPTIMEOUT
    nat dynamic XXX vlan 503

    Even if you use the 4710 appliance or expect the inheritance in the module software, it's worth considering if this is really what you want. If you keep multiple ports in the L3/L4 class-map you can't handle the services independently. You will have a common serverfarm for both https and 5061. If https service stops on one rserver, the ACE will place that rserver (and not that service) in out-of-operation state and it won't receive any 5061 traffic either. (You have the fail-on-all probe option but I wouldn't say it's a better choice. In that case, https traffic would be sent to the rserver even if https port is closed as long as there is at least one working service on it.) That's why I prefer a separate class-map and separate serverfarm for each service. (They can contain the same rservers, no need to duplicate.) BUT if the software supports probe port inheritance, you can benefit from it even in this scenario: serverfarm-443 and serverfarm-5061 can both use your PROBE_GENERIC_TCP.

  • Can someone help me and explain how to affect hotspot/image map with css rules or any other way?

    I have a problem with hotspots because their position can't be fixed to follow the proportions of the fixed background in different resolutions.

    You can't affect hotspots at all with css. Here are a couple different options you have available though...
    You could try using multiple images that scale, linking each individual image, instead of hotspots.
    You could also look into "responsive image maps" to get quite a few examples of jquery/javascript run image maps that can be scaled.
    Depending on your image, (for example, if you are linking states on a map) you would be able to use SVG paths and link the paths with javascript.

  • A problem with ACL in the class-map on the ACE module

    Hi all,
    I configured the following on the ACE module:
    object-group network test
      host 192.168.1.21
      host 192.168.1.22
      host 192.168.1.23
    object-group service port
      tcp eq www
      tcp eq 8080
    access-list T line 8 extended permit object-group port object-group test any
    I tried to configure a class-map for matching this ACL:
    ACE-4710-2/Lab-OPT-11(config)# class-map match-any TEST_C
    ACE-4710-2/Lab-OPT-11(config-cmap)# match access-list T
    Error: Cannot associate acl having object-group ACEs in class-map.
    So can't I configure the class-map using an ACL with object-groups involved? Is it a bug or the normal behaviour? Because the customer uses object-groups in ACLs, and he would have to configure ACLs without object-groups for the traffic classification. It is horrible.
    Thank you
    Roman

    Hi Roman,
    I'm afraid it's the expected behavior. You cannot use an ACL with object-groups inside a class-map.
    Regards
    Daniel

  • Source ip filtering with class map on cisco ace30

    Hello ,
    I would like to know if it is possible to filter source IPs connecting to a virtual IP within a class-map configuration (or something else)?
    access-list S_IP_FILTERING line 8 extended permit ip host 1.1.1.1 any
    class-map match-all S_IP_FILTERING_XVIP
    2 match access-list S_IP_FILTERING
    3 match virtual-address 2.2.2.2 any
    Error: Only one match access-list is allowed in a match-all class-map and it cannot mix with any other match type
    Thanks for your support,
    Case

    Hi,
    Yes, it is possible to do this. Use the ACL filter for the source IP address under the policy-map type loadbalance. Then you would call that load balance policy in your multi-match policy under the appropriate class.
    for example:
    class-map type http loadbalance match-any LOADBALANCE-FILTER
      2 match source-address X.X.X.X 255.255.255.255
    class-map match-any TEST-CLASSMAP
      2 match virtual-address Y.Y.Y.Y tcp eq www
    policy-map type loadbalance first-match LOADBALANCE
      class LOADBALANCE-FILTER
        serverfarm TEST-SERVERFARM
    policy-map multi-match UTC-PM
      class TEST-CLASSMAP
        loadbalance policy LOADBALANCE
        loadbalance vip inservice
    -Alex

  • Help with Class-map configuration - ZBFW

    Hello,
    I need some clarification regarding the class-map configuration in a ZBFW. I need to allow https, http, ftp & rdp traffic from the Internet to a few of the servers inside our LAN. So I put the below configuration in place to accomplish the task (the example shows the class-map for only the https protocol):
    a.)
    class-map type inspect match-all HTTPS-ACCESS
    match protocol https
    match access-group name HTTPS-SERVER-ACCESS
    ip access-list extended HTTPS-SERVER-ACCESS
    permit tcp any host 172.17.0.55 eq 443
    permit tcp any host 172.17.0.56 eq 443
    permit tcp any host 172.17.0.36 eq 443
    permit tcp any host 172.17.0.45 eq 443
    permit tcp any host 172.17.0.60 eq 443
    Where 55,56,36,45,60 are the servers inside the LAN (12 more servers are there) that need to be accessed via https,http,ftp & rdp from Internet.
    Is it a correct approach, or do I need to change my configuration so that I match the ACL with my class-map like below:
    b.)
    ip access-list extended OUTSIDE-TO-INSIDE-ACL
    permit tcp any host 172.17.0.55 eq 443
    permit tcp any host 172.17.0.55 eq www
    permit tcp any host 172.17.0.55 eq 21
    permit tcp any host 172.17.0.55 eq 3389
    permit tcp any host 172.17.0.56 eq 443
    permit tcp any host 172.17.0.56 eq www
    permit tcp any host 172.17.0.56 eq 21
    permit tcp any host 172.17.0.56 eq 3389
    permit tcp any host 172.17.0.36 eq 443
    permit tcp any host 172.17.0.36 eq www
    permit tcp any host 172.17.0.36 eq 21
    permit tcp any host 172.17.0.36 eq 3389
    permit tcp any host 172.17.0.45 eq 443
    permit tcp any host 172.17.0.45 eq www
    permit tcp any host 172.17.0.45 eq 21
    permit tcp any host 172.17.0.45 eq 3389
    class-map type inspect match-all OUT-IN-CLASS
    match access-group name OUTSIDE-TO-INSIDE-ACL
    Which one is the correct approach when we consider the performance of the firewall? Please help me.
    Regards,
    Yadhu

    Hey
    I do not agree with Varun, I think the first approach is the best one.
    Why? Because when you issue "match protocol ...", you are using NBAR, which is application inspection software, which means that https or whatever protocol is inspected at layer 7, not at layers 3 and 4 as the second approach does (IP address and port number).
    Let's say you use the second approach and an attacker uses some malicious protocol that runs over port 443 or whatever (a port that you opened). That attack would be successful because all you say is: you are going to IP address 172.17.0.56 over port 443, so go ahead.
    But if you are using NBAR, this would not work, because NBAR will look at layer 7, inside the protocol itself, and check whether this really is HTTPS (or whatever protocol).
    That's my two cents. Hope it helped!

  • Acl in class-map

    Hi
    I'm a little unsure of how using ACLs works within a class-map.
    I want to allow access to a web server 1.1.1.1 and deny all other traffic coming from the outside zone to the inside zone, so I have created an ACL with a
    permit http to 1.1.1.1 and a deny ip any any statement and applied it to the class-map.
    When I apply this to the policy-map I can either inspect, drop or pass the traffic.
    What I don't understand is how this works with the ACL permit or deny statements or the implicit deny functionality of the ACL.
    For example, if I apply the pass action to this class-map/ACL, how does it handle the deny ip any any statement in the ACL?
    If I am passing the traffic in the policy, does it still apply the deny statements in the ACL?
    Also, what about multiple class-maps in a policy-map: wouldn't a deny statement in the first ACL stop further processing in the policy-map?
    Hope this makes sense..
    Thanks for any help

    When using ACLs in a class map, a permit entry causes the ACL condition to match and a deny entry does not. So, for your ACL "permit tcp any host 1.1.1.1 eq www", any HTTP traffic to 1.1.1.1 on 80/tcp will be matched by the class map and the implicit "deny ip any any" will not be matched. There is no action implied by the ACL when used this way, only a match or no match.
    ip access-list extended ACL_HTTP
    permit tcp any host 1.1.1.1 eq www
    class-map type inspect match-any CM_HTTP
    match access-group name ACL_HTTP
    In order to actually deny the traffic, you have to specify a drop in the policy map.
    policy-map PM_HTTP
    class CM_HTTP
    inspect
    class class-default
    drop
    To illustrate the point a bit further, let's say you were going to allow HTTP and HTTPS with two ACLs and did it like this:
    ip access-list extended ACL_HTTP
    permit tcp any host 1.1.1.1 eq www
    ip access-list extended ACL_HTTPS
    permit tcp any host 1.1.1.1 eq 443
    class-map type inspect match-any CM_HTTP
    match access-group name ACL_HTTP
    match access-group name ACL_HTTPS
    policy-map PM_HTTP
    class CM_HTTP
    inspect
    class class-default
    drop
    In the above case, HTTP traffic to 1.1.1.1 is a hit on ACL_HTTP's permit statement, is matched by the class map and is inspected by the policy map. HTTPS traffic to 1.1.1.1 is a hit on ACL_HTTPS's permit statement, is likewise matched by the class map and is inspected by the policy map. The implicit deny statements (and any other deny statements you may add) only ensure that the packet doesn't match that element of the class map and doesn't prevent it from being matched against another.
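    The semantics described in this answer (and asked about in the opening question on ACL 190) as an added Python simulation; this is not Cisco code or anything from the thread. The ACL is walked top-down and stops at the first hit, a permit hit makes the "match access-group" condition true, a deny hit or the implicit deny makes it false, and only the policy-map action ever drops anything. The Ace/Packet/ClassMap names and the sample addresses are constructed for the example.

```python
"""Simulation (added example, not Cisco code) of how an IOS class-map
consumes a referenced ACL: first-hit walk, permit = match, deny = no match,
and only the policy-map action decides what happens to the packet."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Ace:                      # one access-list entry (constructed model)
    action: str                 # "permit" or "deny"
    proto: str                  # "ip", "tcp" or "udp"
    src: str                    # CIDR; "any" is written as 0.0.0.0/0
    dst: str
    dport: Optional[int] = None  # None = no port qualifier on the entry


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


def acl_condition(acl: List[Ace], pkt: Packet) -> bool:
    """True iff the first ACE that matches pkt is a permit (first hit wins)."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue
        if ip_address(pkt.src) not in ip_network(ace.src):
            continue
        if ip_address(pkt.dst) not in ip_network(ace.dst):
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        return ace.action == "permit"   # stop walking at the first hit
    return False                        # implicit "deny ip any any": no match


@dataclass
class ClassMap:
    name: str
    mode: str                   # "match-any" or "match-all"
    acls: List[List[Ace]]       # one entry per "match access-group" line


def class_matches(cm: ClassMap, pkt: Packet) -> bool:
    results = [acl_condition(acl, pkt) for acl in cm.acls]
    return any(results) if cm.mode == "match-any" else all(results)


def policy_action(policy: List[Tuple[ClassMap, str]], pkt: Packet,
                  default: str = "drop") -> Tuple[str, str]:
    """A policy-map applies the action of the first class whose class-map
    matches; everything else falls into class-default."""
    for cm, action in policy:
        if class_matches(cm, pkt):
            return cm.name, action
    return "class-default", default


ANY = "0.0.0.0/0"
# ACLs from the answer, with the explicit deny the question asked about.
ACL_HTTP = [Ace("permit", "tcp", ANY, "1.1.1.1/32", 80),
            Ace("deny", "ip", ANY, ANY)]
ACL_HTTPS = [Ace("permit", "tcp", ANY, "1.1.1.1/32", 443)]
CM_HTTP_ANY = ClassMap("CM_HTTP", "match-any", [ACL_HTTP, ACL_HTTPS])
CM_HTTP_ALL = ClassMap("CM_HTTP", "match-all", [ACL_HTTP, ACL_HTTPS])
PM_ANY = [(CM_HTTP_ANY, "inspect")]     # class-default drop is the default
PM_ALL = [(CM_HTTP_ALL, "inspect")]

# Constructed sample packets; 203.0.113.0/24 is a documentation range.
HTTP = Packet("tcp", "203.0.113.9", "1.1.1.1", 80)
HTTPS = Packet("tcp", "203.0.113.9", "1.1.1.1", 443)
SSH = Packet("tcp", "203.0.113.9", "1.1.1.1", 22)
OTHER_HOST = Packet("tcp", "203.0.113.9", "2.2.2.2", 80)

if __name__ == "__main__":
    for label, pkt in [("http", HTTP), ("https", HTTPS), ("ssh", SSH)]:
        print(label, policy_action(PM_ANY, pkt), policy_action(PM_ALL, pkt))
```

    With match-all, a single packet would have to hit a permit in both ACL_HTTP and ACL_HTTPS, which no packet can (port 80 and 443 at once), so that variant sends everything to class-default.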

  • Specifying table with jdbc-class-map-name

    Greetings
    How do I specify the name of the table to map to when using the jdbc-class-map-name hint?
    In my jdo file, I have specified:
    <class name="Customer" objectid-class="CustomerId">
    <extension vendor-name="kodo" key="jdbc-class-map-name" value="base">
    <extension vendor-name="kodo" key="table" value="PERSONS"/>
    </extension>
    but when mappingtool generates the mapping file, the "table" hint
    is ignored, and I end up with the following in the .mapping file:
    <class name="Customer">
    <jdbc-class-map type="base" table="FRED.CUSTOMER"/>
    What I really want to see in the above jdbc-class-map is:
    table="FRED.PERSONS"
    I am using the property setting: kodo.jdbc.Schemas: FRED
    Note that mapping fields to columns using jdbc-field-map-name
    seems to work fine...
    Any clues? Thanks.
    droo.

    You can't specify table or column names via mapping tool hints. The
    typical way to change the default names is either to override the
    getValidTableName/getValidColumnName methods in a custom DBDictionary
    for systematic changes, or to follow the process outlined in example 7.6
    on this page:
    http://www.solarmetric.com/Software/Documentation/latest/docs/ref_guide_mapping.html#ref_guide_mapping_mappingtool_examples

  • Issue with ACE HTTP class map

    This is what I want to achieve USING the ACE as a reverse proxy.
    The user uses the URL https://abc/password, gets to the destination server & the web page.
    If the user tries to use anything additional, then the connection is dropped at the ACE, such as
    https://abc/password/test or any such variation.
    Following is the config I have to achieve this
    class-map type http loadbalance match-any L7-CLASS-TEST
      match http url /password
      match http url /password/
    class-map type http loadbalance match-any L7-CLASS-TEST-deny
      2 match http url .*.*
    policy-map type loadbalance first-match LBP-TEST
      class L7-CLASS-TEST
        serverfarm FARM-TEST
        ssl-proxy client TEST
      class L7-CLASS-TEST-deny
        drop
      class class-default
        serverfarm FARM-TEST
        ssl-proxy client TEST
    The problem with this is when the page opens I get broken links on all the images. If I use the following line
    match http url /password.*
    I get the images to work but the user can use the https://abc/password/test which is not what I want.
    Has anyone faced this issue?
    Any help will be appreciated.
    Thanks in advance
    Prasanna

    Prasanna,
    What about if you try it in HTTP and apply the following change?
    class-map type http loadbalance match-any L7-CLASS-TEST-deny
      2 match http url /.*
    This should work in HTTP but not with HTTPS
    Anyway, it should not work since everything seems to be encrypted, you may require either SSL-termination or END-TO-END SSL for this then the ACE can decrypt the request see what it needs to do and take the load balance decision.
    Jorge

  • Map data from class CL_PT_REQ_WF_ATTRIBS with workflow

    Hi All,
    I am using the standard class CL_PT_REQ_WF_ATTRIBS with the DUMMY method for the approval workitem, which uses WebDynpro ABAP. The WebDynpro person is passing one variable RESULT after the approval, and RESULT with its value is shown in the log, but there is no workflow container element named RESULT in the workflow. So, I created one with that name. But when I use this variable in the task after mapping, it is not showing any value. Am I missing something or doing anything wrong?

    Hi
    After creating the container element in the Approve Leave Request task, did you try to refresh the buffer and refresh the org assignment?
    Also make sure that the WebDynpro developer is writing back the decision to the Approve Leave Request task,
    and also make sure you do a proper binding between the task container and the workflow container. Check in the workflow log whether at least the task container value is populated. Also, please let us know how the WebDynpro developer is assigning the result value; if he is using the SAP_WAPI_WRITE_CONTAINER function module, then bear in mind that the container element name is case sensitive, so ask him to define it exactly as you declared it in the task/workflow container.
    Regards
    Pavan
    Edited by: Pavan Bhamidipati on May 17, 2011 2:18 PM

  • Policer with IPv6 class-map on Catalyst 3750

    Hi,
    I've the following problem.
    It's my goal to ratelimit incoming IPv6 traffic dependent on the destination IP address range.
    On a Catalyst 3750 (Image: c3750-ipservicesk9-mz.122-55.SE1.bin) I've set up the configuration as follows:
    mls qos
    ipv6 access-list DESTINATION-RANGE-A
     permit ipv6 any 2007::/16
    ipv6 access-list DESTINATION-RANGE-B
     permit ipv6 any 2B03::/16
    class-map match-all A
     match access-group name DESTINATION-RANGE-A
    class-map match-all B
     match access-group name DESTINATION-RANGE-B
    policy-map RL-POLICY
     class A
      police 2000000 8000 exceed-action drop
     class B
      police 6000000 8000 exceed-action drop
    interface GigabitEthernet1/0/7
     switchport access vlan 90
     load-interval 30
     service-policy input RL-POLICY
    The last CLI command which should bind the policy to the specific interface, leads to the following error message
    QoS: class(A) IPv6 class not supported on interface GigabitEthernet1/0/7
    Are hardware/software limitations the reason for this behavior or is there any misconfiguration?
    Thanks in advance for your help!
    Regards,
    Jens

    If you are thinking of the IPv6 prefix, I tried everything. From /128 for a single host to /64, nothing works.

  • IOS Firewall: what is this class map doing?

    Hi, a few weeks ago I set up a class map but now as I am finding time to review my config, I am wondering what effect this has.  It is applied to a policy map for ssh access from the Internet to the router for management:
    class-map type inspect match-any SSH
    match protocol ssh
    match access-group name SSH
    The access list with the name "SSH" just allows certain public IP network blocks.
    But I think I should be setting this to match-all and not match-any if I want it to allow the ssh protocol from only my IP, correct?
    Also just to ensure I am not confused about proper creation of the ACL.  The ACL with the name SSH I've given is as follows:
    ip access-list extended SSH
    permit tcp xx.xx.0.0 0.255.255.255 any eq 22
    permit tcp xx.xx.0.0 0.7.255.255 any eq 22
    permit tcp xx.xx.0.0 0.255.255.255 any eq 22
    First, am I being redundant in the class-map by telling it to match protocol ssh and also specifying port 22 in the ACL? And, is this ACL written properly if I want only certain IP blocks to be able to come in from the Internet, to the router, using ssh?

    Hello Colin,
    But I think I should be setting this to match-all and not match-any if I want it to allow the ssh protocol from only my IP, correct?
    Exactly, you are getting it now. It needs to be a match-all.
    Regarding the ACL, it should be like this:
    access-list SSH
    permit tcp host outside_user_ip host router_outside_interface eq 22
    Regards,
