Security Configuration Guide: Zone-Based Policy Firewall, Cisco IOS XE Release 3S
Nested Class Map Support for Zone-Based Policy Firewall
Downloads: This chapterpdf (PDF - 1.32MB) The complete bookPDF (PDF - 6.32MB) | The complete bookePub (ePub - 1.19MB) | Feedback

Nested Class Map Support for Zone-Based Policy Firewall

Contents

Nested Class Map Support for Zone-Based Policy Firewall

The Nested Class Map Support for Zone-Based Policy Firewall feature provides the Cisco IOS XE firewall the functionality to configure multiple traffic classes (which are also called nested class maps or hierarchical class maps) as a single traffic class. When packets meet more than one match criterion, you can configure multiple class maps that can be associated with a single traffic policy. The Cisco IOS XE firewall supports up to three levels of class map hierarchy.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/​go/​cfn. An account on Cisco.com is not required.

Prerequisites for Nested Class Map Support for Zone-Based Policy Firewall

Before configuring nested class maps, you should be familiar with the modular Quality of Service (QoS) CLI (MQC).

Information About Nested Class Map Support for Zone-Based Policy Firewall

Nested Class Maps

In Cisco IOS XE Release 3.5S and later releases, you can configure multiple traffic classes (which are also called nested class maps or hierarchical class maps) as a single traffic class. When packets meet more than one match criterion, you can configure multiple class maps that can be associated with a single traffic policy. The nesting of class maps can be achieved by configuring the match class-map command. The only method of combining the match-any and match-all characteristics within a single traffic class is by using the class-map command.

match-all and match-any Keywords of the class-map Command

To create a traffic class, you must configure the class-map command with the match-all and match-any keywords. You need to specify the match-all and match-any keywords only if more than one match criterion is configured in the traffic class. The following rules apply to the match-all and match-any keywords:
  • Use the match-all keyword when all match criteria in the traffic class must be met to place a packet in the specified traffic class.
  • Use the match-any keyword when only one of the match criterion in the traffic class must be met to place a packet in the specified traffic class.
  • If you do not specify the match-all keyword or the match-any keyword, the traffic class behaves in a manner that is consistent with the match-all keyword.
Your zone-based policy firewall configuration supports nested class maps if the following criteria are met:
  • Individual class maps in a hierarchy include multiple match class-map command references.
  • Individual class maps in a hierarchy include match rules other than the match class-map command.

How to Configure Nested Class Map Support for Zone-Based Policy Firewall

Configuring a Two-Layer Nested Class Map

SUMMARY STEPS

    1.    enable

    2.    configure terminal

    3.    class-map match-any class-map-name

    4.    match protocol protocol-name

    5.    exit

    6.    class-map match-any class-map-name

    7.    match protocol protocol-name

    8.    exit

    9.    class-map match-any class-map-name

    10.    match class-map class-map-name

    11.    match class-map class-map-name

    12.    end


DETAILED STEPS
     Command or ActionPurpose
    Step 1 enable


    Example:
    Router> enable
     
    Enables privileged EXEC mode.
    • Enter your password if prompted.
     
    Step 2 configure terminal


    Example:
    Router# configure terminal
     

    Enters global configuration mode.

     
    Step 3 class-map match-any class-map-name


    Example:
    Router(config)# class-map match-any child1
     

    Creates a Layer 3 or Layer 4 class map and enters class map configuration mode.

     
    Step 4 match protocol protocol-name


    Example:
    Router(config-cmap)# match protocol tcp 
     

    Configures the match criteria for a class map on the basis of a specified protocol.

     
    Step 5 exit


    Example:
    Router(config-cmap)# exit
     

    Exits class map configuration mode and enters global configuration mode.

     
    Step 6 class-map match-any class-map-name


    Example:
    Router(config)# class-map match-any child2
     

    Creates a Layer 3 or Layer 4 class map and enters class map configuration mode.

     
    Step 7 match protocol protocol-name


    Example:
    Router(config-cmap)# match protocol udp
     

    Configures the match criteria for a class map on the basis of a specified protocol.

     
    Step 8 exit


    Example:
    Router(config-cmap)# exit 
     

    Exits class map configuration mode and enters global configuration mode.

     
    Step 9 class-map match-any class-map-name


    Example:
    Router(config)# class-map match-any parent
     

    Creates a Layer 3 or Layer 4 class map and enters class map configuration mode.

     
    Step 10 match class-map class-map-name


    Example:
    Router(config-cmap)# match class-map child1
     

    Configures a traffic class as a classification policy.

     
    Step 11 match class-map class-map-name


    Example:
    Router(config-cmap)# match class-map child2
     

    Configures a traffic class as a classification policy.

     
    Step 12 end


    Example:
    Router(config-cmap)# end
     

    Exits class map configuration mode and enters privileged EXEC mode.

     

    Configuring a Policy Map for a Nested Class Map

    SUMMARY STEPS

      1.    enable

      2.    configure terminal

      3.    policy-map type inspect policy-map-name

      4.    class-type inspect class-map-name

      5.    inspect

      6.    end


    DETAILED STEPS
       Command or ActionPurpose
      Step 1 enable


      Example:
      Router> enable
       
      Enables privileged EXEC mode.
      • Enter your password if prompted.
       
      Step 2 configure terminal


      Example:
      Router# configure terminal
       

      Enters global configuration mode.

       
      Step 3 policy-map type inspect policy-map-name


      Example:
      Router(config)# policy-map type inspect pmap
       

      Creates a Layer 3 or Layer 4 inspect type policy map and enters policy map configuration mode.

       
      Step 4 class-type inspect class-map-name


      Example:
      Router(config-pmap)# class-type inspect parent 
       

      Specifies the traffic (class) on which an action is to be performed and enters policy-map class configuration mode.

       
      Step 5 inspect


      Example:
      Router(config-pmap-c)# inspect
       

      Enables Cisco IOS XE stateful packet inspection.

       
      Step 6 end


      Example:
      Router(config-pmap-c)# end
       

      Exits policy-map class configuration mode and enters privileged EXEC mode.

       

      Attaching a Policy Map to a Zone Pair

      SUMMARY STEPS

        1.    enable

        2.    configure terminal

        3.    zone security zone-name

        4.    exit

        5.    zone security zone-name

        6.    exit

        7.    zone-pair security zone-pair-name [source zone-name destination [zone-name]]

        8.    service-policy type inspect policy-map-name

        9.    exit

        10.    interface type number

        11.    zone-member security zone-name

        12.    end


      DETAILED STEPS
         Command or ActionPurpose
        Step 1 enable


        Example:
        Router> enable
         
        Enables privileged EXEC mode.
        • Enter your password if prompted.
         
        Step 2 configure terminal


        Example:
        Router# configure terminal
         

        Enters global configuration mode.

         
        Step 3 zone security zone-name


        Example:
        Router(config)# zone security source-zone
         

        Creates a security zone to which interfaces can be assigned and enters security zone configuration mode.

         
        Step 4 exit


        Example:
        Router(config-sec-zone)# exit
         

        Exits security zone configuration mode and enters global configuration mode.

         
        Step 5 zone security zone-name


        Example:
        Router(config)# zone security destination-zone
         

        Creates a security zone to which interfaces can be assigned and enters security zone configuration mode.

         
        Step 6 exit


        Example:
        Router(config-sec-zone)# exit
         

        Exits security zone configuration mode and enters global configuration mode.

         
        Step 7 zone-pair security zone-pair-name [source zone-name destination [zone-name]]


        Example:
        Router(config)# zone-pair security secure-zone source source-zone destination destination-zone
         

        Creates a zone pair and enters security zone pair configuration mode.

        • To apply a policy, you must configure a zone pair.
         
        Step 8 service-policy type inspect policy-map-name


        Example:
        Router(config-sec-zone-pair)# service-policy type inspect pmap
         
        Attaches a firewall policy map to the destination zone pair.
        Note   

        If a policy is not configured between a pair of zones, traffic is dropped by default.

         
        Step 9 exit


        Example:
        Router(config-sec-zone-pair)# exit
         

        Exits security zone pair configuration mode and enters global configuration mode.

         
        Step 10 interface type number


        Example:
        Router(config)# interface gigabitethernet 0/0/1
         

        Configures an interface and enters interface configuration mode.

         
        Step 11 zone-member security zone-name


        Example:
        Router(config-if)# zone-member security source-zone
         
        Assigns an interface to a specified security zone.
        • When you make an interface a member of a security zone, all traffic into and out of that interface (except traffic bound for the router or initiated by the router) is dropped by default. To let traffic through the interface, you must make the zone part of a zone pair to which you apply a policy. If the policy permits traffic, traffic can flow through that interface.
         
        Step 12 end


        Example:
        Router(config-if)# end
         

        Exits interface configuration mode and enters privileged EXEC mode.

         

        Configuration Examples for Nested Class Map Support for Zone-Based Policy Firewall

        Example: Configuring a Two-Layer Nested Class Map

        Router# configure terminal
        Router(config)# class-map match-any child1
        Router(config-cmap)# match protocol tcp 
        Router(config-cmap)# exit
        Router(config)# class-map match-any child2
        Router(config-cmap)# match protocol udp
        Router(config-cmap)# exit 
        Router(config)# class-map match-any parent
        Router(config-cmap)# match class-map child1
        Router(config-cmap)# match class-map child2
        Router(config-cmap)# end
              

        Example: Configuring a Policy Map for a Nested Class Map

        Router# configure terminal
        Router(config)# policy-map type inspect pmap
        Router(config-pmap)# class-type inspect parent 
        Router(config-pmap-c)# inspect
        Router(config-pmap-c)# end
              

        Example: Attaching a Policy Map to a Zone Pair

        Router# configure terminal
        Router(config)# zone security source-zone
        Router(config-sec-zone)# exit
        Router(config)# zone security destination-zone
        Router(config-sec-zone)# exit
        Router(config)# zone-pair security secure-zone source source-zone destination destination-zone
        Router(config-sec-zone-pair)# service-policy type inspect pmap
        Router(config-sec-zone-pair)# exit
        Router(config)# interface gigabitethernet 0/0/1
        Router(config-if)# zone-member security source-zone
        Router(config-if)# end

        Additional References for Nested Class Map Support for Zone-Based Policy Firewall

        Technical Assistance

        Description

        Link

        The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.

        http:/​/​www.cisco.com/​cisco/​web/​support/​index.html

        Feature Information for Nested Class Map Support for Zone-Based Policy Firewall

        The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

        Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/​go/​cfn. An account on Cisco.com is not required.

        Table 1 Feature Information for Nested Class Map Support for Zone-Based Policy Firewall

        Feature Name

        Releases

        Feature Information

        Nested Class Map Support for Zone-Based Policy Firewall

        Cisco IOS XE Release 3.5S

        The Nested Class Map Support for Zone-Based Policy Firewall feature provides the Cisco IOS XE firewall the functionality to configure multiple traffic classes (which are also called nested class maps or hierarchical class maps) as a single traffic class. When packets meet more than one match criterion, you can configure multiple class maps that can be associated with a single traffic policy.