Default class map is dropping all Packets

Hello I have a Cisco 871 router that used to have Access list based security. now I am trying the ZBFW for the first time.  I thought I had a pretty good program until I found all my traffic was getting dropped. This is my first stab at ZBFWs and I am a bit confused esp with the default class part. Any help is greatly appreciated!!!!
The router is for my house and thus also has to have priority for gaming. I will add the gaming and voice QOS once I get it working,
Guest VLAN has access to 2 IP's in Data for printing.
Cisco871#sh run
Building configuration...
Current configuration : 8005 bytes
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service sequence-numbers
hostname Cisco871
boot-start-marker
boot-end-marker
logging buffered 4096
no logging console
aaa new-model
aaa authentication login default local
aaa authorization exec default local
aaa session-id common
clock summer-time PST recurring
crypto pki trustpoint TP-self-signed-4004039535
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4004039535
revocation-check none
rsakeypair TP-self-signed-4004039535
crypto pki certificate chain TP-self-signed-4004039535
certificate self-signed 01
  3082024C 308201B5 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 34303034 30333935 3335301E 170D3038 30323037 30373532
  32375A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D34 30303430
  33393533 3530819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100CEC2 7B89C73F AB4860EE 729C3B64 82139630 239A2301 8EA8B4C4 05505E25
  B0F24E7F 26ECEC53 3E266E80 F3104F61 BDDC5592 40E12537 2262D272 08D38F8E
  147F5059 7F632F5E 635B9CDF 652FFE82 C2F45C60 5F619AF0 72E640E0 E69EA9EF
  41C6B06C DD8ACF4B 0A1A33CF AF3C6BFB 73AD6BE0 BD84DD7F 435BD943 0A22E0E5
  F4130203 010001A3 74307230 0F060355 1D130101 FF040530 030101FF 301F0603
  551D1104 18301682 144C7570 696E2E44 61627567 61626F6F 732E6F72 67301F06
  03551D23 04183016 801473C6 E0784818 29A89377 23A22F5E BDD430CE E282301D
  0603551D 0E041604 1473C6E0 78481829 A8937723 A22F5EBD D430CEE2 82300D06
  092A8648 86F70D01 01040500 03818100 299AD241 442F976F 4F030B33 C477B069
  D356C518 8132E61B 1220F999 A30A4E0C D337DCE5 C408E3BC 0439BB66 543CF585
  8B26AA77 91FA510B 14796239 F272A306 C942490C A44336E0 A9430B81 9FC62524
  E55017FA 5C5463D7 B3492753 42315BEC 32B78F24 D10B0CA7 D1844CD5 C3E466B9
  3543BD68 A4B2692D 05CBF6DC C93C8142
            quit
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.0.0.1 10.0.0.5
ip dhcp excluded-address 172.16.15.1 172.16.15.5
ip dhcp excluded-address 172.16.15.14
ip dhcp excluded-address 172.16.17.1 172.16.17.5
ip dhcp excluded-address 192.168.19.1 192.168.19.5
ip dhcp pool MyNetNative
   import all
   network 10.0.0.0 255.255.255.248
   default-router 10.0.0.1
   domain-name MyNetNet.org
   dns-server 4.2.2.1 4.2.2.6 8.8.8.8 208.67.220.220
   lease 0 2
ip dhcp pool MyNetData
   import all
   network 172.16.15.0 255.255.255.240
   dns-server 172.16.15.14 4.2.2.1 4.2.2.6 8.8.8.8 208.67.220.220
   default-router 172.16.15.1
   domain-name MyDomain.org
ip dhcp pool MyNetVoice
   import all
   network 172.16.17.0 255.255.255.240
   dns-server 172.16.15.14
   default-router 172.16.17.1
   domain-name MyDomain.org
ip dhcp pool MyNetGuest
   import all
   network 192.168.19.0 255.255.255.240
   default-router 192.168.19.1
   domain-name MyNetGuest.org
   dns-server 4.2.2.1 4.2.2.6 8.8.8.8 208.67.220.220
ip domain name MyDomain.org
ip name-server 172.16.15.14
ip name-server 4.2.2.4
ip inspect log drop-pkt
multilink bundle-name authenticated
parameter-map type inspect TCP_PARAM
parameter-map type inspect global
username MyAdmin privilege 15 secret 5 MyPassword
archive
log config
  hidekeys
class-map type inspect match-all MyNetGuest-access-list
match access-group 110
class-map type inspect match-any Base-protocols
match protocol http
match protocol https
match protocol ftp
match protocol ssh
match protocol dns
match protocol ntp
match protocol ica
match protocol pptp
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-all MyNetGuest-Class
match class-map MyNetGuest-access-list
match class-map Base-protocols
class-map type inspect match-all MyNetNet-access-list
match access-group 100
class-map type inspect match-any Voice-protocols
match protocol h323
match protocol skinny
match protocol sip
class-map type inspect match-any Extended-protocols
match protocol pop3
match protocol pop3s
match protocol imap
match protocol imaps
match protocol smtp
class-map type inspect match-all MyNetNet-Class
match class-map MyNetNet-access-list
match class-map Voice-protocols
match class-map Extended-protocols
match class-map Base-protocols
policy-map type inspect MyNetNet-zone_to_MyNetWAN-zone_policy
class type inspect MyNetNet-Class
  inspect
class class-default
policy-map type inspect MyNetNet-zone_to_MyNetGuest-zone_policy
class type inspect MyNetNet-Class
  inspect
class class-default
policy-map type inspect MyNetGuest-zone_to_MyNetNet-zone_policy
class type inspect MyNetGuest-access-list
  inspect
class class-default
policy-map type inspect MyNetGuest-zone_to_MyNetWAN-zone_policy
class type inspect MyNetGuest-Class
  inspect
class class-default
policy-map type inspect MyNetNet-zone
class class-default
  pass
zone security MyNetNet-zone
zone security MyNetGuest-zone
zone security MyNetWAN-zone
zone-pair security MyNetNet->MyNetGuest source MyNetNet-zone destination MyNetGuest-zone
service-policy type inspect MyNetNet-zone_to_MyNetGuest-zone_policy
zone-pair security MyNetNet->MyNetWAN source MyNetNet-zone destination MyNetWAN-zone
service-policy type inspect MyNetNet-zone_to_MyNetWAN-zone_policy
zone-pair security MyNetGuest->MyNetWAN source MyNetGuest-zone destination MyNetWAN-zone
service-policy type inspect MyNetGuest-zone_to_MyNetWAN-zone_policy
zone-pair security MyNetGuest->MyNetNet source MyNetGuest-zone destination MyNetNet-zone
service-policy type inspect MyNetGuest-zone_to_MyNetNet-zone_policy
interface FastEthernet0
description Cisco-2849-Switch
switchport mode trunk
speed 100
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3
description SBS-Server
switchport access vlan 10
spanning-tree portfast
interface FastEthernet4
description WAN
no ip address
ip mtu 1492
ip nat outside
ip virtual-reassembly
zone-member security MyNetWAN-zone
ip tcp adjust-mss 1452
duplex auto
speed auto
no cdp enable
interface Vlan1
description MyNetNative
ip address 10.0.0.1 255.255.255.248
ip nat inside
ip virtual-reassembly
zone-member security MyNetNet-zone
ip tcp adjust-mss 1452
interface Vlan10
description MyNetData
ip address 172.16.15.1 255.255.255.240
ip nat inside
ip virtual-reassembly
zone-member security MyNetNet-zone
interface Vlan20
description MyNetVoice
ip address 172.16.17.1 255.255.255.240
ip nat inside
ip virtual-reassembly
zone-member security MyNetNet-zone
interface Vlan69
description MyNetGuest
ip address 192.168.19.1 255.255.255.240
ip nat inside
ip virtual-reassembly
zone-member security MyNetGuest-zone
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
access-list 100 remark MyNetnet
access-list 100 permit ip 10.0.0.0 0.0.0.7 any
access-list 100 permit ip 172.16.15.0 0.0.0.31 any
access-list 100 permit ip 172.16.17.0 0.0.0.15 any
access-list 110 remark MyNetGuest
access-list 110 permit ip 192.168.19.0 0.0.0.15 host 172.16.15.2
access-list 110 permit ip 192.168.19.0 0.0.0.15 host 172.16.15.3
access-list 110 deny   ip 192.168.19.0 0.0.0.15 10.0.0.0 0.0.0.7
access-list 110 deny   ip 192.168.19.0 0.0.0.15 172.16.15.0 0.0.0.31
access-list 110 deny   ip 192.168.19.0 0.0.0.15 172.16.17.0 0.0.0.15
access-list 110 permit ip 192.168.19.0 0.0.0.15 any
control-plane
banner login ^CC
You know if you should be here or not.
         if not please leave
NOW
^C
line con 0
no modem enable
line aux 0
line vty 0 4
privilege level 15
transport input telnet ssh
scheduler max-task-time 5000
ntp server 172.16.15.14
webvpn cef
end
Cisco871#sh zone security
zone self
  Description: System defined zone
zone MyNetNet-zone
  Member Interfaces:
    Vlan1
    Vlan10
    Vlan20
zone MyNetGuest-zone
  Member Interfaces:
    Vlan69
zone MyNetWAN-zone
  Member Interfaces:
    FastEthernet4
Cisco871#sh zone-pair security
Zone-pair name MyNetNet->MyNetGuest
    Source-Zone MyNetNet-zone  Destination-Zone MyNetGuest-zone
    service-policy MyNetNet-zone_to_MyNetGuest-zone_policy
Zone-pair name MyNetNet->MyNetWAN
    Source-Zone MyNetNet-zone  Destination-Zone MyNetWAN-zone
    service-policy MyNetNet-zone_to_MyNetWAN-zone_policy
Zone-pair name MyNetGuest->MyNetWAN
    Source-Zone MyNetGuest-zone  Destination-Zone MyNetWAN-zone
    service-policy MyNetGuest-zone_to_MyNetWAN-zone_policy
Zone-pair name MyNetGuest->MyNetNet
    Source-Zone MyNetGuest-zone  Destination-Zone MyNetNet-zone
    service-policy MyNetGuest-zone_to_MyNetNet-zone_policy
Cisco871#sh int faste4
FastEthernet4 is up, line protocol is up
  Hardware is PQUICC_FEC, address is 0016.9d29.a667 (bia 0016.9d29.a667)
  Description: WAN
  Internet address is 10.38.177.98/25
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 100Mb/s, 100BaseTX/FX
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:00, output 00:34:50, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 2000 bits/sec, 3 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     593096 packets input, 73090812 bytes
     Received 592752 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog
     0 input packets with dribble condition detected
     9940 packets output, 1016025 bytes, 0 underruns
     0 output errors, 0 collisions, 3 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out
Zone-pair: MyNetNet->MyNetWAN
  Service-policy inspect : MyNetNet-zone_to_MyNetWAN-zone_policy
    Class-map: MyNetNet-Class (match-all)
      Match: class-map match-all MyNetNet-access-list
        Match: access-group 100
      Match: class-map match-any Voice-protocols
        Match: protocol h323
          0 packets, 0 bytes
          30 second rate 0 bps
        Match: protocol skinny
          0 packets, 0 bytes
          30 second rate 0 bps
        Match: protocol sip
          0 packets, 0 bytes
          30 second rate 0 bps
      Match: class-map match-any Extended-protocols
        Match: protocol pop3
          0 packets, 0 bytes
          30 second rate 0 bps
        Match: protocol pop3s
          0 packets, 0 bytes
          30 second rate 0 bps
        Match: protocol imap
          0 packets, 0 bytes
          30 second rate 0 bps
        Match: protocol imaps
          0 packets, 0 bytes
          30 second rate 0 bps
        Match: protocol smtp
          0 packets, 0 bytes
          30 second rate 0 bps
      Match: class-map match-any Base-protocols
        Match: protocol http
          0 packets, 0 bytes
          30 second rate 0 bps
        Match: protocol https
          0 packets, 0 bytes
          30 second rate 0 bps
        Match: protocol ftp
          0 packets, 0 bytes
          30 second rate 0 bps
        Match: protocol ssh
          0 packets, 0 bytes
          30 second rate 0 bps
        Match: protocol dns
          0 packets, 0 bytes
          30 second rate 0 bps
        Match: protocol ntp
          0 packets, 0 bytes
          30 second rate 0 bps
        Match: protocol ica
          0 packets, 0 bytes
          30 second rate 0 bps
        Match: protocol pptp
          0 packets, 0 bytes
          30 second rate 0 bps
        Match: protocol icmp
          0 packets, 0 bytes
          30 second rate 0 bps
        Match: protocol tcp
          0 packets, 0 bytes
          30 second rate 0 bps
        Match: protocol udp
          0 packets, 0 bytes
          30 second rate 0 bps
      Inspect
        Session creations since subsystem startup or last reset 0
        Current session counts (estab/half-open/terminating) [0:0:0]
        Maxever session counts (estab/half-open/terminating) [0:0:0]
        Last session created never
        Last statistic reset never
        Last session creation rate 0
        Maxever session creation rate 0
        Last half-open session total 0
    Class-map: class-default (match-any)
      Match: any
      Drop (default action)
        5196 packets, 256211 bytes
Cisco871#sh log
Syslog logging: enabled (1 messages dropped, 0 messages rate-limited,
                0 flushes, 0 overruns, xml disabled, filtering disabled)
No Active Message Discriminator.
No Inactive Message Discriminator.
    Console logging: disabled
    Monitor logging: level debugging, 0 messages logged, xml disabled,
                     filtering disabled
    Buffer logging:  level debugging, 1745 messages logged, xml disabled,
                     filtering disabled
    Logging Exception size (4096 bytes)
    Count and timestamp logging messages: disabled
    Persistent logging: disabled
No active filter modules.
ESM: 0 messages dropped
    Trap logging: level informational, 1785 message lines logged
Log Buffer (4096 bytes):
001779: *Feb 15 11:00:55.979: %FW-6-DROP_UDP_PKT: Dropping Other pkt 172.16.15.6:61806 => 168.94.0.1:53 with ip ident 511 due to  policy match failure
001780: *Feb 15 11:00:59.739: %FW-6-DROP_TCP_PKT: Dropping Other pkt 172.16.15.6:4399 => 168.94.69.30:443 due to  policy match failure -- ip ident 515 tcpflags 0x7002 seq.no 974122240 ack 0
001781: *Feb 15 11:01:26.507: %FW-6-DROP_UDP_PKT: Dropping Other pkt 172.16.15.6:51991 => 168.94.0.1:53 with ip ident 625 due to  policy match failure
001783: *Feb 15 11:01:57.891: %FW-6-DROP_UDP_PKT: Dropping Other pkt 172.16.15.6:64470 => 168.94.0.1:53 with ip ident 677 due to  policy match failure

Hello Charlie,
I would recomend you to investigate a little bit more about how the ZBFW features works
Now I am going to help you on this one at least, then I will give you a few links you could use to study
We are going to study traffic from MyNetNet-zone to the MyNetWan-zone
First the zone-pair
zone-pair security MyNetNet->MyNetWAN source MyNetNet-zone destination MyNetWAN-zone
service-policy type inspect MyNetNet-zone_to_MyNetWAN-zone_policy
so lets go policy-map
policy-map type inspect MyNetNet-zone_to_MyNetWAN-zone_policy
class type inspect MyNetNet-Class
  inspect
class class-default
Finally to the class map
class-map type inspect match-all MyNetNet-Class
match class-map MyNetNet-access-list
match class-map Voice-protocols
match class-map Extended-protocols
match class-map Base-protocols
That keyword MATCH-ALL is the one causing the issues!!
Why?
Because you are telling the ZBFW to inspect traffic only if matches all of those class-maps so a packet will need to math the base protocols and the extended protocol and as you know that is not possible ( Just one protocol )
So here are the links
http://blogg.kvistofta.nu/cisco-ios-zone-based-policy-firewall/
https://supportforums.cisco.com/thread/2138873
http://pktmaniac.info/2011/08/zone-based-firewalls-something-to-keep-in-mind/
http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc994.shtml
You have some work to do
Please remember to rate all the helpful posts
Julio
CCSP

Similar Messages

  • The class-default class map

    According to Cisco dumentation (http://www.cisco.com/en/US/docs/security/asa/asa81/config/guide/mpc.html)
    , the ASA is equipped with two default class-maps
    class-map inspection_default
    match default-inspection-traffic
    and
    class-map class-default
    match any
    The first makes perfect sense, but what is the class-default used for? Cisco says
    "This class map appears at the end of all Layer 3/4 policy maps and essentially tells the adaptive security appliance to not perform any actions on all other traffic. You can use the class-default class map if desired, rather than making your own
    match any class map. In fact, some features are only available for class-default."
    But I see stuff like this:
    policy-map MyPolicy
    class class-default
      inspect tfp MyFTPpolicy
    Obviously it is being used here to act on traffic! So I am confused.
    I also noticed that when you upgrade from 8.2 to 8.4, all default class-maps are removed from the configuration: you have to re-create everything (strange)

    Hello Collin,
    This is Mike. I dont think it is well documented. Basically it is just a class map (that does not appear on the configuration unless an action is specified) that will match all traffic passing through the ASA firewall. Some features like NSEL (Netflow) and Traffic shaping are only allowed to use this kind of class maps because they dont support any other match command.
    The one that you currently have (and God I hope its not applied)  will look for tftp traffic on every IP packet passing across the ASA.
    This specific type of policy you have there can only be applied on the interface (as it is not a layer 7 inspection policy) you can check if it is applied or not by running the show "run service-policy command"
    Mike

  • Class-map not works, Packets not tagging

    Hey Guys,
    I have define policy maping and dont know why its not tagging the IPs;
    class-map match-all KHAN
     match access-group name ABC
     match input-interface GigabitEthernet0/1
    ip access-list extended ABC
     permit ip host 10.11.201.20 10.11.207.128 0.0.0.127
     permit ip host 10.11.201.19 10.11.207.128 0.0.0.127
    policy-map TAIM
     class voice
        priority percent 50
      set dscp ef
     class KHAN
        priority percent 49
      set dscp af41
    interface Multilink1
    service-policy output TAIM
    When I check the IPs on netflow it is showing half packets are tagged with af41 anf half are default. 
    Any idea will be appreciated. 
    Thanks
    show policy map interface result
        Class-map: TAIM (match-all)
          0 packets, 0 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: access-group name ABC
          Match: input-interface GigabitEthernet0/1
          Priority: 49% (3763 kbps), burst bytes 94050, b/w exceed drops: 0
          QoS Set
            dscp af41
              Packets marked 0

    The problem is the way you are matching the packets:
    Here it shows that there are 0 packets marked and 0 packets matched:
     Class-map: TAIM (match-all)
          0 packets, 0 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: access-group name ABC
          Match: input-interface GigabitEthernet0/1
          Priority: 49% (3763 kbps), burst bytes 94050, b/w exceed drops: 0
          QoS Set
            dscp af41
              Packets marked 0
    When you define this:
    class-map match-all KHAN
     match access-group name ABC
     match input-interface GigabitEthernet0/1
    You are telling the router to match both conditions of ACL ABC and Interface input Gi0/1... most likely what happens here is that the class map does not match both condtions here.
    Depending on what you need to accomplish, you can change it to be ANY:
    class-map match-any KHAN
     match access-group name ABC
     match input-interface GigabitEthernet0/1
    This way it will work if it matches either the first condition ACL ABC or second condition input Gi0/1.
    Or you can just remove the input statement for Gi0/1 and match by the IPs only:
    class-map match-all KHAN
     match access-group name ABC

  • Total drops for class-map class-default

    Hi,
    I have a gigabit ethernet interface on a 2951 configured with 4x sub interfaces providing connectivity to our four WAN sites. Each sub interface services a 100mb connection to another site.
    I have configured a QoS policy and attached to each sub interface with the primary function of limiting each sub interface to 100mbs. I am now seeing drops (total drops) on the class default and not sure why. I would not expect to see any drops on this interface as it never even reaches 15mb (15%) capacity.
    Any ideas?
            Class-map: class-default (match-any)
              175934881 packets, 95319007968 bytes
              5 minute offered rate 23000 bps, drop rate 0000 bps
              Match: any
              queue limit 64 packets
              (queue depth/total drops/no-buffer drops) 0/340/0
              (pkts output/bytes output) 314212026/180287074028
    policy-map PM-Branch-QoS
    class CM-OAM
      set dscp af11
    class CM-Network
      set dscp cs6
    class CM-VC
      bandwidth percent 5
    class CM-Citrix
      set dscp af21
    class CM-CAPWAP
      set dscp af22
    policy-map PM-WAN
    class class-default
      shape peak 100000000
       service-policy PM-Branch-QoS

    Disclaimer
    The  Author of this posting offers the information contained within this  posting without consideration and with the reader's understanding that  there's no implied or expressed suitability or fitness for any purpose.  Information provided is for informational purposes only and should not  be construed as rendering professional advice of any kind. Usage of this  posting's information is solely at reader's own risk.
    Liability Disclaimer
    In  no event shall Author be liable for any damages whatsoever (including,  without limitation, damages for loss of use, data or profit) arising out  of the use or inability to use the posting's information even if Author  has been advised of the possibility of such damage.
    Posting
    I would not expect to see any drops on this interface as it never even reaches 15mb (15%) capacity.
    Your expectations might be incorrect.  Often percentage of bandwidth capacity measurements are misunderstood.
    Let's assume your ingress is 100 Mbps.  Let's also assume your measuring over a five minute period.  Lastly, assume the ingress transmits at 100% for 1 minute and then stops for 4 minutes.  Bandwidth utilization across the 1 minute would be 100% and 0% for the other 4 minutes, but it would be 20% for the 5 minutes.
    But if the 100 Mbps was sent at 100% for each 12 seconds, and not sent for each 48 seconds, 5 minute utilization would still be 20% but unlike the prior 1 minute stats of 100% and 0%, each minute would now also be 20%.
    So these first two examples show how bandwidth utilization don't reveal what's happening within the measured time period.
    Since ingress was same bandwidth as egress, in the above, there would be no queuing.
    If ingress is gig, though, suppose gig ingress arrives for 6 seconds and stops for a remaining 4 minutes and 54 seconds.  This too would measure as 20% usage across 5 minutes, but since it will take 60 seconds to transmit the same traffic at 100 Mbps, packets will need to be queued.  If queuing buffers are insufficient to hold all the packets, some will be dropped.
    The above is a long way of saying, if your ingress rate exceeds your egress rate, there can be a need to queue packets, and if queuing is insufficient, packets will be dropped, this even if utilization is "low".  Most likely, you have occasional "bursts" if ingress bandwidth exceeds the egress bandwidth.
    From your actual stats, the drop rate percentage is so low, you might not need to concern yourself with the few drops you're seeing.  If it is a concern, you might be able to reduce the drop rate by increasing egress buffering, but doing so, also increases egress queuing delay.

  • ACE SSL Sticky class-map generic vs class default differences.

    There was a thread recently titled "ACE 3.0(0) SW / LB with SSL Session-ID" where Giles Dufour outlined a configuration for an ACE performing sticky based on SSL Session ID.
    Can anyone explain the benefits and differences of using a specific class-map generic such as this:
    class-map type generic match-any SSL-v3-32
      2 match layer4-payload regex "\x16\x03\x00..\x01.*"
      3 match layer4-payload regex "\x16\x03\x01..\x01.*"
    Versus just matching class default?
    So if I have a configuration such as this:
    policy-map type loadbalance generic first-match SSL-v3-Sticky
    class SSL-v3-32
       sticky-serverfarm ssl-v3
    vs
    policy-map type loadbalance generic first-match SSL-v3-Sticky
    class class-default
       sticky-serverfarm ssl-v3
    What's the benefit or drawback?

    The SSL session id is only available in version 3.0.1 and 3.1.1
    So you can match this particular version and then attempt to do stickyness.
    You are guaranteed to find what you're looking for.
    If you match a class-default it means you apply stickyness to any version of ssl packet.
    So there is a risk to misinterpret the content of the packet and stick on something else than the session id.
    Gilles.

  • 3850 QoS class-map match-all?

    I would like to create a QoS marking policy that re-marks packet to CS5 if the inbound traffic is SIP *and* if it is marked CS3 when it comes in.  I would have expected the configuration listed below will work.  I only found out when I tried to apply the config that, unlike other IOS devices, "class-map match-all" does not exist in 3850 3.3.x code.  It can only do "class-map match-any" Can anyone suggest a work-around config for 3850 to achieve the same end result?
    ip   access-list extended ACL-QOS-SIP
    permit tcp any range 5060 5061 any
    permit tcp any any range 5060 5061
    ip   access-list extended ACL-QOS-CS3
    permit ip any any dscp cs3
    class-map   match-all CM-QOS-CS5
      match access-group name ACL-QOS-CS3
      match access-group name ACL-QOS-SIP
    policy-map   PM-QOS-MARKING
    class CM-QOS-CS5
         set ip dscp cs5
    Any suggestions would be appreciated.

    jlkeys,  below is configuration I ended up using to resolve the issue:
    ip access-list extended ACL-QOS-SIP
     permit tcp any range 5060 5061 any dscp cs3
    class-map match-any CM-QOS-CS5
      match access-group name ACL-QOS-SIP
    policy-map   PM-QOS-MARKING
     class CM-QOS-CS5
       set ip dscp cs5

  • Changing class-map from all to any

    I need to add a second port to a class-map, so I need to change it from match-all to match-any.  Do I just remove the old virtual server and re-add it?  
    no class-map match-all vs_test
    class-map match-any vs_test                                                                                                                      
      2 match virtual-address 10.1.1.10 tcp eq 80
      3 match virtual-address 10.1.1.10 tcp eq 443

    Hi Bill,
    Yes, you will have to remove the old configuration and define the class-map again. It's not possible to change the type of a class after it has been configured.

  • Match-any or Match All For Class-map On Nexus?

      I have an access-list MANAGEMENT
            permit udp any eq snmp any
            permit udp any any eq snmp
            permit tcp any any eq telnet
            permit tcp any eq telnet any
           permit tcp any any eq 22
           permit tcp any eq 22 any
    My question does it matter if I use a match-any or match-all. I want to match anything in the access-list to classify the traffic correctly
     class-map type qos match-any MANAGEMENT
                match access-group name MANAGEMENT
    Or
    class-map type qos match-all MANAGEMENT
                match access-group name MANAGEMENT
    I understand a match-any is an or and a match-all is an and function. Does this apply to an access-list for  a class-map?
    Thanks

    It applies to match statements within the class map. In your case, you're only using one match statement, so there will be no difference between match-all and match-any, no matter how many entries are in the ACL. If your class map had two different ACLs in two different match statements , then the and/or logic of match-all and match-any would come into play.

  • Why all packets dropped with %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs error msg for arp inspected vlans for DMZ and Backup

    Hi,
    We have got cisco 3759 switch where the followign line was configrued only
    ip arp inspection vlan 6,100
    And on those vlans no arp inspection trust was configrued. DMZ and backup servers were connected on that switch. Switch got restarted wihtin 5 minutes for the power outage and when the swithc came online it was denying all the packets coming through the vlan 100 adn 6 althought it was allowing packets before the power outage.
    It took me 30 minutes to find out that arp inspection was enables which might cause the issue, but I am still unsue why it would block all packets for vlan 100 & 6.After taking out the command ' ip arp inspection vlan 6,100' all started working fine.
    What is the reason the switch had this issue? Is there any resolution for this? thanks
    FYI: The error messages-
    0:48:32: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi1/0/1, vlan 6.([001e.0b5f.3a8c/220.233.31.177/0000.0000.0000/220.233.31.182/14:48:32 AEST Sun Feb 28 1993])
    00:48:33: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi1/0/3, vlan 6.([000c.2915.1abe/220.233.31.184/0000.0000.0000/220.233.31.177/14:48:32 AEST Sun Feb 28 1993])
    00:48:33: %SW_DAI-4-DHCP_SNOOPING_DENY: 2 Invalid ARPs (Req) on Gi1/0/1, vlan 6.([001e.0b5f.3a8c/220.233.31.177/0000.0000.0000/220.233.31.178/14:48:33 AEST Sun Feb 28 1993])
    00:48:33: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi1/0/1, vlan 6.([001e.0b5f.3a8c/220.233.31.177/0000.0000.0000/220.233.31.184/14:48:33 AEST Sun Feb 28 1993])
    Regards,
    Arman

    Code version:
    System image file is "flash:c3750-ipservicesk9-mz.122-50.SE3/c3750-ipservicesk9-mz.122-50.SE3.bin"
    I don’t have any etherchannel running from the switch. It is connected to vmware machines which are on DMZ.
    rgds,
    arman

  • Acl in class-map

    Hi
    i'm a little unsure of how using ACL's works within a class map.
    I want to allow access to a web server 1.1.1.1 and deny all othetraffic coming from the outside zone to the inside zone, so i have created an acl with a
    permit http to 1.1.1.1 and a deny ip any any statement and applied it to the class map.
    when i apply this to the policy map i can either inspect, drop or pass the traffic.
    what i don't understand is how this works with the ACL permit or deny statements or the implicit deny functionality of the ACL.
    for example if I apply the pass action to this class-map/ACL how does it handle the deny ip any any statement in the ACL?
    If i am passing the traffic in the policy, does it still deny any deny statements in the ACL?
    ​​also what about multiple class maps in a policy map, wouldn't a deny statement in the first acl stop further processing in the policy map
    hope this makes sense..
    thanks for any help

    When using ACLs in a class map, a permit entry causes the ACL condition to match and a deny entry does not. So, for your ACL "permit tcp any host 1.1.1.1 eq www", any HTTP traffic to 1.1.1.1 on 80/tcp will be matched by the class map and the implicit "deny ip any any" will not be matched. There is no action implied by the ACL when used this way, only a match or no match.
    ip access-list extended ACL_HTTP
    permit tcp any host 1.1.1.1 eq www
    class-map type inspect match-any CM_HTTP
    match access-group name ACL_HTTP
    In order to actually deny the traffic, you have to specify a drop in the policy map.
    policy-map PM_HTTP
    class CM_HTTP
    inspect
    class class-default
    drop
    To illustrate the point a bit further, let's say you were going to allow HTTP and HTTPS with two ACLs and did it like this:
    ip access-list extended ACL_HTTP
    permit tcp any host 1.1.1.1 eq www
    ip access-list extended ACL_HTTPS
    permit tcp any host 1.1.1.1 eq 443
    class-map type inspect match-any CM_HTTP
    match access-group name ACL_HTTP
    match access-group name ACL_HTTPS
    policy-map PM_HTTP
    class CM_HTTP
    inspect
    class class-default
    drop
    In the above case, HTTP traffic to 1.1.1.1 is a hit on ACL_HTTP's permit statement, is matched by the class map and is inspected by the policy map. HTTPS traffic to 1.1.1.1 is a hit on ACL_HTTPS's permit statement, is likewise matched by the class map and is inspected by the policy map. The implicit deny statements (and any other deny statements you may add) only ensure that the packet doesn't match that element of the class map and doesn't prevent it from being matched against another.

  • Issue with ACE HTTP class map

    This is what I want to achieve USING the ACE as a reverse proxy.
    User uses the url https://abc/password - gets to the destination server & the web page
    If user tries to use any thing additional then the connection is dropped at the ACE such as
    https://abc/password/test or any such variation.
    Following is the config I have to achieve this
    class-map type http loadbalance match-any L7-CLASS-TEST
      match http url /password
      match http url /password/
    class-map type http loadbalance match-any L7-CLASS-TEST-deny
      2 match http url .*.*
    policy-map type loadbalance first-match LBP-TEST
      class L7-CLASS-TEST
        serverfarm FARM-TEST
        ssl-proxy client TEST
      class L7-CLASS-TEST-deny
        drop
      class class-default
        serverfarm FARM-TEST
        ssl-proxy client TEST
    The problem with this is when the page opens I get broken links on all the images. If I use the following line
    match http url /password.*
    I get the images to work but the user can use the https://abc/password/test which is not what I want.
    Has any one faced this issue ?
    Any help will be appreciated.
    Thanks in advance
    Prasanna

    Prasanna,
    What about if you try it in HTTP and apply the following change?
    class-map type http loadbalance match-any L7-CLASS-TEST-deny
      2 match http url /.*
    This should work in HTTP but not with HTTPS
    Anyway, it should not work since everything seems to be encrypted, you may require either SSL-termination or END-TO-END SSL for this then the ACE can decrypt the request see what it needs to do and take the load balance decision.
    Jorge

  • IPv6 class-map or IOS problem

    Hello, sorry because of my bad English at first,
    I have a problem with my IPv6 ACL, IPv6 Class-map or IOS I'm not sure so I'm asking you.
    I have one 1721 router with one Ethernet and one FastEthernet interface, on Fa interface is 3 subinterfaces, and Eth interface is connected to 10 Mbps link to another 1721 router. I'm working on QoS for VoIPv6. My softphone emulator address is FEC2::1/64.
    This is my configuration:
    class-map match-any v6
       match access-group name v6
      policy-map v6
       class v6
        set ip dscp ef
    ipv6 access-list v6 permit FEC2::/64 any
    Question is, why is output of command show policy-map interface Fa0/0 showing that not a single one packet of IPv6 is not beeing marked:
    R1#sho policy-map interface fa0
      FastEthernet0
       Service-policy input: v6
         Class-map: v6 (match-any)
           0 packets, 0 bytes
           5 minute offered rate 0 bps, drop rate 0 bps
           Match: access-group name v6
             0 packets, 0 bytes
             5 minute rate 0 bps
           QoS Set
            ip dscp ef
               Packets marked 0
         Class-map: class-default (match-any)
           92 packets, 9134 bytes
           5 minute offered rate 0 bps, drop rate 0 bps
           Match: any
    This exact configuration, with IPv4 is working fine. My IOS version is c1700-y-mz.122-11.T11.bin
    If IOS version is too old, can you tell my what version will work so I can purchase it?
    Thanks

    If you are thinking of IPv6 prefix I tried everything. From /128 for single host to /64, nothing works.

  • ACE ignoring class map depending on source???

    I have a problem with a the load balancing "not working" properly depending on the source.
    The load balancing decision is done with a secondary cookie (?ld=fe1 or ?ld=fe2). If it appears and the value is fe1 the request should go to serverfarm FE1-app. If the value is fe2 then serverfarm FE2-app should be choosen. If it is not present in the http request then serverfarm FE-app in the class-default is taking over.
    This approach works if "surfing" to the VIP from a certain part of the internal network. It does not work from another part of the network. It seems that cookie is ignored and only the class default triggers.
    The strange thing is that the same approach works for another setup that looks identical (with different rservers and different VIP of course). There the class map for the cookie triggers always.
    My question is now: Why does the ACE seem to ignore the class map for the cookie when coming from a certain part of the network? How can I debug/follow a certain connection or load balancing decision?
    Here is the config:
    rserver host FE1-app
      description frontend app
      ip address 192.168.137.69
      inservice
    rserver host FE2-app
      description frontend app
      ip address 192.168.137.74
      inservice
    serverfarm host FE1-app
      rserver FE1-app 80
        inservice
    serverfarm host FE2-app
      rserver FE2-app 80
        inservice
    serverfarm host FE-app
      rserver FE1-app 80
        inservice
      rserver FE2-app 80
        inservice
    class-map type http loadbalance match-all COOKIE-FE1
      2 match http cookie secondary ld cookie-value "fe1"
    class-map type http loadbalance match-all COOKIE-FE2
      2 match http cookie secondary ld cookie-value "fe2"
    class-map match-all VIP-app
      2 match virtual-address 192.168.138.39 tcp eq www
    policy-map type loadbalance first-match VIP-app-loadbalance
      class COOKIE-FE1
        serverfarm FE1-app
      class COOKIE-FE2
        serverfarm FE2-app
      class class-default
        serverfarm FE-app
    policy-map multi-match INT470
      class VIP-app
        loadbalance vip inservice
        loadbalance policy VIP-app-loadbalance
        loadbalance vip icmp-reply
    interface vlan 470
      description lb_rpfedrift
      ip address 192.168.138.36 255.255.255.240
      alias 192.168.138.35 255.255.255.240
      peer ip address 192.168.138.37 255.255.255.240
      service-policy input remote_mgmt_allow_policy
      service-policy input INT470
      no shutdown

    Hi Federico,
    The source of the request has no relation with the way ACE handles the connections, so, there are probably other differences in the traffic.
    The best way to troubleshoot these kind of connections is taking a traffic capture on the TenGigabit interface connecting the ACE with the switch backplane. Once you have it, you can try to look for differences between the working and failing connections.
    From what you describe, I wouldn't be surprised if the issue comes from the fact that there are several HTTP requests inside the same TCP flow (in which case, by default, the ACE will look only at the first one), so I would suggest you to enable "persistence rebalance" for this VIP. For more details, check the link below:
    http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA2_3_0/configuration/slb/guide/classlb.html#wp1062907
    I hope this helps
    Daniel

  • ACE - HTTPS CLASS MAP CONFIGURATION

    Hi,
    We have a secured web site (HTTPS) currently fronted by Cisco ACE 4170, running version A5(1.2). We are trying to use the http class map to manipulate the traffic flow in the following manner:
    https://abc.com/ABC/* -> serverfarm#1
    https://abc.com/* -> serverfarm#2           (Default)
    Tecnically this should not be difficult and below is a sample of our configuration. We have similar configuration working on our non-secured web site (HTTP) However for the secure web site, the https request https://abc.com/ABC/xxx is continued being routed to serverfarm#2 instead of serverfarm#1 which is very frustrating.
    We can easily get this working on my F5 LTM within 5 minutes but this Cisco ACE continue to frustrate me...Appreciate if any expert on Cisco ACE can help to advise on our configuration.. Thanks.
    =========================================================
    serverfarm host serverfarm#1
    predictor leastconns
    probe https_probe
    rserver rs_server#1
      inservice
    rserver rs_server#2
      inservice
    serverfarm host serverfarm#2
    predictor leastconns
    probe https_probe
    rserver rs_server#3
      inservice
    rserver rs_server#4
      inservice
    sticky http-cookie STICKY_HTTPS_serverfarm#1
    cookie insert browser-expire
    timeout 15
    replicate sticky
    serverfarm serverfarm#1
    sticky http-cookie STICKY_HTTPS_serverfarm#2
    cookie insert browser-expire
    timeout 15
    replicate sticky
    serverfarm serverfarm#2
    class-map type http loadbalance match-any class-map-serverfarm#1
    2 match http url /ABC/.*
    policy-map type loadbalance first-match vs_serverfarm_https
    class class-map-serverfarm#1
      sticky-serverfarm STICKY_HTTPS_serverfarm#1
      insert-http x-forward header-value "%is"
      ssl-proxy client ssl_serverfarm
    class class-default
      sticky-serverfarm STICKY_HTTPS_serverfarm#2
      insert-http x-forward header-value "%is"
      ssl-proxy client ssl_serverfarm
    =========================================================

    Kanwaljeet,
    Yes, we are using ACE for SSL termination i.e. front end is https and back-end is also https.
    We are doing end-to-end encryption as our IT security and audit wanted end-to-end encryption between the client and servers. ACE should be able to look at the HTTP header at the front end since the client SSL session is terminate on the ACE.
    Below is an extract of the configuration, I've leave out the remaining configuration which is not required.
    =========================================================
    serverfarm host serverfarm#1
    predictor leastconns
    probe https_probe
    rserver rs_server#1
      inservice
    rserver rs_server#2
      inservice
    serverfarm host serverfarm#2
    predictor leastconns
    probe https_probe
    rserver rs_server#3
      inservice
    rserver rs_server#4
      inservice
    sticky http-cookie STICKY_HTTPS_serverfarm#1
    cookie insert browser-expire
    timeout 15
    replicate sticky
    serverfarm serverfarm#1
    sticky http-cookie STICKY_HTTPS_serverfarm#2
    cookie insert browser-expire
    timeout 15
    replicate sticky
    serverfarm serverfarm#2
    class-map match-all vs_serverfarm
      2 match virtual-address 10.178.50.140 tcp eq https
    class-map type http loadbalance match-any class-map-serverfarm#1
    2 match http url /ABC/.*
    policy-map type loadbalance first-match vs_serverfarm_https
    class class-map-serverfarm#1
      sticky-serverfarm STICKY_HTTPS_serverfarm#1
      insert-http x-forward header-value "%is"
      ssl-proxy client ssl_serverfarm
    class class-default
      sticky-serverfarm STICKY_HTTPS_serverfarm#2
      insert-http x-forward header-value "%is"
      ssl-proxy client ssl_serverfarm
    policy-map multi-match PRODWEB_POLICY
      class vs_serverfarm
        loadbalance vip inservice
        loadbalance policy vs_serverfarm_https
        loadbalance vip icmp-reply active
        nat dynamic 100 vlan 100
        ssl-proxy server ssl_serverfarm
    =========================================================

  • ACE: a class-map with multiple ports... what about the probe/serverfarm?

    Hello Gilles,
    One question about something I was not able to find in the documentation.
    Lets say I have one class-map which includes 2 ports (in this case https and 5061).
    Can I associate this class-map to just 1 generic serverfarm and probe for both ports or I have to specify 2 serverfarms/rservers/probes?
    So, by not specifying the ports on the rserver, if a request is received on port 443 (or 5061), it is sent to the same respective port on the rserver?
    The same way is valid for the generic probe.  ACE module is able to probe both ports based on the class-map?
    Thanks and have a great day!!
    Giulio.
    probe tcp PROBE_GENERIC_TCP
      description This probe works for all TCP services by inheriting the VIP port.
      interval 15
      faildetect 2
      passdetect interval 15
      passdetect count 2
      open 2
    rserver host SERVER1_ACCESS
      ip address <1AC>
      inservice
    rserver host SERVER2_ACCESS
      ip address <2AC>
      inservice
    serverfarm host ACCESS-SFARM
      probe PROBE_GENERIC_TCP
      rserver SERVER1_ACCESS
        inservice
      rserver SERVER2_ACCESS
        inservice
    class-map match-any OCS_L4ACCESS
      2 match virtual-address x.x.x.176 tcp eq https
      2 match virtual-address x.x.x.176 tcp eq 5061
    policy-map type loadbalance first-match OCS_L4ACCESS
      class class-default
        sticky-serverfarm ACCESS_STICKY
    policy-map multi-match POLICY
    class OCS_L4ACCESS
    loadbalance vip inservice
    loadbalance policy OCS_L4ACCESS
    loadbalance vip icmp-reply active
    connection advanced-options OCS_VIPTIMEOUT
    nat dynamic XXX vlan 503

    Even if you use the 4710 appliance or expect the inheritance in the module software, it's worth considering if this is really what you want. If you keep multiple ports in the L3/L4 class-map you can't handle the services independently. You will have a common serverfarm for both https and 5061. If https service stops on one rserver, the ACE will place that rserver (and not that service) in out-of-operation state and it won't receive any 5061 traffic either. (You have the fail-on-all probe option but I wouldn't say it's a better choice. In that case, https traffic would be sent to the rserver even if https port is closed as long as there is at least one working service on it.) That's why I prefer a separate class-map and separate serverfarm for each service. (They can contain the same rservers, no need to duplicate.) BUT if the software supports probe port inheritance, you can benefit from it even in this scenario: serverfarm-443 and serverfarm-5061 can both use your PROBE_GENERIC_TCP.

Maybe you are looking for

  • Problem with photo download to iPad mini

    I am using the Apple adapter to download photos to my iPad mini using the SD card adaptor and for some reason not all for checked photos available to be downloaded. There seems to no pattern as to which photos it choses not to download

  • Problems with OWA after installing Exchange 2010 SP3

    Hi, I just installed Exchange 2010 SP3 on a SBS 2011 machine. The installation completed successfully, but after the installation OWA isn't working anymore. When I browse to OWA I get the following message: I did a reset for the OWA vritual directory

  • Strings in a switch?

    I would like to give my switch-statement a string, but that does not seem to work, is it possible in any way? public void test(String str) { switch(str){    case "Green":{               System.out.println("The color is green");}    case "Blue":{     

  • HR Master Data Filter

    Hi, we are using change pointers and the report RBDMIDOC to create Idoc HRMD_A from those change pointers, in order to send that data to an external payroll. However, we have a requirement to publish only some subtypes from one Infotype. Do you guys

  • REST call response encoding

    Hi All, I have a json message received from http call. If I set <par id="htta.returnpltypeforce" value="json"> in call payload then my response is fine, for example: <bfa:io>     <bfa:object>         <bfa:object name="response">             <bfa:stri