Table Of Contents
Configuring Class Maps and Policy Maps
Class Map and Policy Map Overview
Class Map and Policy Map Configuration Quick Start
Configuring Layer 3 and Layer 4 Class Maps
Defining Layer 3 and Layer 4 Classifications for Network Traffic Passing Through the ACE
Creating a Layer 3 and Layer 4 Network Traffic Class Map
Defining a Class Map Description
Defining Access-List Match Criteria
Defining Destination IP Address and Subnet Mask Match Criteria
Defining TCP/UDP Port Number or Port Range Match Criteria
Defining Source IP Address and Subnet Mask Match Criteria
Defining VIP Address Match Criteria
Defining Layer 3 and Layer 4 Classifications for Network Management Traffic Received by the ACE
Creating a Layer 3 and Layer 4 Network Management Traffic Class Map
Defining Network Management Access Match Criteria
Configuring Layer 7 Class Maps
Defining Layer 7 Classifications for HTTP Server Load-Balancing
Defining Layer 7 Classifications for HTTP Deep Packet Inspection
Defining Layer 7 Classifications for FTP Command Inspection
Configuring a Layer 3 and Layer 4 Policy Map
Creating a Layer 3 and Layer 4 Policy Map for Network Management Traffic Received by the ACE
Creating a Layer 3 and Layer 4 Policy Map for Network Traffic Passing Through the ACE
Defining a Layer 3 and Layer 4 Policy Map Description
Specifying a Layer 3 and Layer 4 Traffic Class With the Traffic Policy
Specifying Layer 3 and Layer 4 Policy Actions
Using Parameter Maps in a Layer 3 and Layer 4 Policy Map
Configuring a Layer 7 Policy Map
Adding a Layer 7 Policy Map Description
Including Inline Match Statements in a Layer 7 Policy Map
Specifying a Layer 7 Traffic Class with the Traffic Policy
Specifying Layer 7 Policy Actions
Associating the Layer 7 Policy Map with a Layer 3 and Layer 4 Policy Map
Class Maps and Policy Map Examples
Layer 7 Load Balancing Example
Layer 3 and Layer 4 Load Balancing Example
VIP With Connection Parameters Example
Viewing Class Maps, Policy Maps, and Service Policies
Displaying Class Map Configuration Information
Displaying Policy Map Configuration Information
Displaying Service Policy Configuration Information
Configuring Class Maps and Policy Maps
This chapter describes how to configure class maps and policy maps to provide a global level of classification for filtering traffic received by or passing through the Cisco Application Control Engine (ACE) module. You create traffic policies and attach these policies to one or more VLAN interfaces associated with the ACE to apply feature-specific actions to the matching traffic.
The ACE uses the individual traffic policies to implement functions such as:
•
Remote access using Secure Shell (SSH) or Telnet
•
•
•
•
•
This chapter contains the following major sections:
•
•
•
•
•
•
•
•
Class Map and Policy Map Overview
You classify inbound network traffic destined to, or passing through, the ACE based on a series of flow match criteria specified by a class map. Each class map defines a traffic classification: network traffic that is of interest to you. A policy map defines a series of actions (functions) that you want applied to a set of classified inbound traffic.
Class maps enable you to classify network traffic based on:
•
•
The three steps in the traffic classification process consist of:
1.
2.
3.
Traffic policies support the following feature-specific actions performed by the ACE:
•
•
•
•
•
•
•
•
•
•
This section contains the following overview topics:
The flow chart shown in Figure 4-1 provides a basic overview of the process required to configure class maps and policy maps, shown for application protocol inspection. The flow chart also illustrates how the ACE associates the various components of the class map and policy map configuration with each other.
Figure 4-1 Class Map and Policy Map - Application Protocol Inspection Configuration Flow Diagram
Class Maps
The class-map command defines each Layer 3 and Layer 4 traffic class and each Layer 7 protocol class. You create class maps to classify the traffic received and transmitted by the ACE.
•
•
A traffic class contains the following components:
•
•
•
The ACE supports a system-wide maximum of 8192 class maps.
The individual match commands specify the criteria for classifying Layer 3 and Layer 4 network traffic as well as the Layer 7 HTTP server load balancing and application protocol-specific fields. The ACE evaluates the packets to determine whether they match the specified criteria. If a statement matches, the ACE considers that packet to be a member of the class and forwards the packet according to the specifications set in the traffic policy. Packets that fail to meet any of the matching criteria are classified as members of the default traffic class if one is specified.
When multiple match criteria exist in the traffic class, you can identify evaluation instructions using the match-any or match-all keywords. If you specify match-any as the evaluation instruction, the traffic being evaluated must match one of the specified criteria, typically match commands of the same type. If you specify match-all as the evaluation instruction, the traffic being evaluated must match all of the specified criteria, typically match commands of different types.
The specification of complex match criteria using the match-all or match-any keywords for Layer 7 HTTP load-balancing applications is useful as a means to provide the nesting of one class map within a second class map. For example, to specify a match criteria for load balancing where the URL is either /foo or /bar and the header "host" equals "thishost".
host1/Admin(config)# class-map type http loadbalance match-any URLCHK_SLB_L7_CLASShost1/Admin(config-cmap-http-lb)# match http url /foohost1/Admin(config-cmap-http-lb)# match http url /barhost1/Admin(config-cmap-http-lb)# exithost1/Admin(config)# class-map type http loadbalance match-all URLHDR_SLB_L7_CLASShost1/Admin(config-cmap-http-lb)# match http header host header-value thishosthost1/Admin(config-cmap-http-lb)# match class-map URLCHK_SLB_L7_CLASShost1/Admin(config-cmap-http-lb)# exitThe ACE allows you to configure two Layer 7 HTTP load-balancing class maps in a nested traffic class configuration to create a single traffic class. You can perform Layer 7 class map nesting to achieve complex logical expressions. The ACE restricts the nesting of class maps to two levels to prevent you from including one nested class map under a different class map.
Policy Maps
The policy-map command creates the traffic policy. The purpose of a traffic policy is to implement specific ACE functions associated with a traffic class. A traffic policy contains the following components:
•
•
•
The ACE supports a system-wide maximum of 4096 policy maps.
A Layer 7 policy map is always associated within a Layer 3 and Layer 4 policy map to provide an entry point for traffic classification. Layer 7 policy maps are considered to be child policies and can only be nested under a Layer 3 and Layer 4 policy map. Only a Layer 3 and Layer 4 policy map can be activated on a VLAN interface; a Layer 7 policy map cannot be directly applied on an interface. For example, to associate a Layer 7 load-balancing policy map, you nest the load-balancing policy map using the Layer 3 and Layer 4 loadbalance policy command.
Depending on the policy-map command, the ACE executes the action specified in the policy map on the network traffic as follows:
•
•
•
When there are multiple instances of actions of the same type configured in a policy map, the ACE performs the first action encountered of the same type that has a match.
If none of the classifications specified in policy maps match, then the ACE executes the default actions specified against the class-default class map (if one is specified). All traffic that fails to meet the other matching criteria in the named class map belongs to the default traffic class. The class-default class map has an implicit match any statement in it and is used to match any traffic classification.
For example, with the following classifications for a specific request, the ACE attempts to match the incoming content request with the classification defined in class maps C1, C2, and C3.
host1/Admin(config)# policy-map type loadbalance first-match SLB_L7_POLICYhost1/Admin(config-pmap-lb)# class C1host1/Admin(config-pmap-lb-c)# serverfarm SF1host1/Admin(config-pmap-lb-c)# exithost1/Admin(config-pmap-lb)# class C2host1/Admin(config-pmap-lb-c)# serverfarm SF2host1/Admin(config-pmap-lb-c)# exithost1/Admin(config-pmap-lb)# class C3host1/Admin(config-pmap-lb-c)# serverfarm SF3host1/Admin(config-pmap-lb-c)# exithost1/Admin(config-pmap-lb-c)# class class-defaulthost1/Admin(config-pmap-lb-c)# serverfarm SFBACKUPIf the match criteria satisfies, the ACE load-balances a content request to serverfarm SF1; if not, the ACE evaluates the match criteria in class map C2 and class map C3. If the request does not match any of the classification in class maps C1, C2, or C3, then the class class-default is guaranteed to match since it contains a match-any match statement in it. This action results in the ACE load-balancing the request to serverfarm SFBACKUP.
The ACE supports flexible class map ordering within a policy map. The ACE executes only the actions for the first matching traffic classification, so the order of class maps within a policy map is very important. Policy lookup order is based on the security features of the ACE. The policy lookup order is implicit, irrespective of the order in which you configure policies on the interface.
The policy lookup order of the ACE is as follows:
1.
2.
3.
4.
5.
6.
7.
The sequence in which the ACE applies the actions for a specific policy are independent of the actions configured for a class inside a policy.
Service Policies
You activate policies on a single VLAN interface or globally to all VLAN interfaces associated with a context by using the service-policy command. The service-policy command attaches the traffic policy to each specified VLAN interface. The ACE evaluates all network traffic on the specified interface according to the actions specified in the named traffic policy. Policies and associated actions specify the behavior that you want applied to a traffic class.
Policy maps that are applied globally in a context are also internally applied to all interfaces that exist in the context. A policy that has been activated on the interface overwrites global policies for overlapping classification and actions.
The ACE allows only one policy of a specific feature type to be activated on a VLAN interface. Given that there can be many policies of different features applied on a specific interface, policy lookup ordering in the ACE is important (see the "Policy Maps" section).
For example, to specify an interface VLAN and apply multiple service policies to the VLAN, enter:
host1/Admin(config)# interface vlan 50host1/Admin(config-if)# ip address 172.16.1.100 255.255.255.0host1/Admin(config-if)# service-policy input L4_HTTP_SLB_POLICYhost1/Admin(config-if)# service-policy input L4_MGMT_POLICYClass Map and Policy Map Configuration Quick Start
Table 4-1 and Table 4-2 provides a quick overview of the steps required to create a class map containing match criteria that defines Layer 3 and Layer 4 network traffic classifications.
•
•
Each step includes the CLI command required to complete the task.
Table 4-3 provides a quick overview of the steps required to create a class map containing match criteria that defines specific Layer 7 protocol classifications. Each step includes the CLI command required to complete the task.
Table 4-4 provides a quick overview of the steps required to create and configure a Layer 3 and Layer 4 traffic policy map and to apply the policy to one or all of the VLAN interfaces associated with the context. Each step includes the CLI command required to complete the task.
Table 4-5 provides a quick overview of the steps required to create and configure a Layer 3 and Layer 4 network management policy map and to apply the policy to one or all of the VLAN interfaces associated with the context. Each step includes the CLI command required to complete the task.
Table 4-6 provides a quick overview of the steps required to create and configure a Layer 7 policy map. Each step includes the CLI command required to complete the task.
Configuring Layer 3 and Layer 4 Class Maps
A Layer 3 and Layer 4 class map contains match criteria that classifies network traffic that can pass through the ACE or network management traffic that can be received by the ACE. For background details on the role of class maps in the ACE, see the "Class Map and Policy Map Overview" section.
This section includes the following procedures:
•
•
Defining Layer 3 and Layer 4 Classifications for Network Traffic Passing Through the ACE
Layer 3 and Layer 4 traffic classes contain match criteria that identify the IP network traffic that can pass through the ACE. You can classify network traffic based on source or destination IP address, source or destination port, virtual IP address, or IP protocol and port.
This section includes the following procedures:
•
•
•
•
•
•
Creating a Layer 3 and Layer 4 Network Traffic Class Map
To create a Layer 3 and Layer 4 class map to classify network traffic passing through the ACE, use the class-map command in configuration mode.
There can be multiple match commands in a single class map to specify the matching criteria. For example, you can configure class maps to define multiple access group, source IP address, destination IP address, or port commands in a group that you then associate with a traffic policy. The match-all and match-any keywords determine how the ACE evaluates multiple match statements operations when multiple match criteria exist in a class map.
The syntax of this command is:
class-map [match-all | match-any] map_name
The arguments and options are:
•
–
–
•
You enter the class map configuration mode. To classify network traffic passing through the ACE, include one or more of the following commands to configure the match criteria for the class map:
•
•
•
•
•
•
•
Note the following when creating a class map to define a Layer 3 and Layer 4 match classification:
•
•
•
For example, to define the Layer 3 and Layer 4 HTTP_APP_PROTOCOL_
INSPECTION_CLASS class map and specify that all commands in the class map must be satisfied for the ACE to indicate a match, enter:host1/Admin(config)# class-map match-all HTTP_APP_PROTOCOL_INSPECTION_CLASShost1/Admin(config-cmap)# description HTTP protocol deep inspection of incoming traffichost1/Admin(config-cmap)# match port udp eq 53To remove a Layer 3 and Layer 4 network traffic class map from the ACE, enter:
(config)# no class-map match-all HTTP_APP_PROTOCOL_INSPECTION_CLASSDefining a Class Map Description
Use the description command to provide a brief summary about the Layer 3 and Layer 4 class map.
Access the class map configuration mode to specify the description command.
The syntax of this command is:
description text
Use the text argument to enter an unquoted text string with a maximum of 240 alphanumeric characters.
For example, to specify a description that the class map is to filter network traffic to the server, enter:
host1/Admin(config)# class-map HTTP_APP_PROTOCOL_INSPECTION_CLASShost1/Admin(config-cmap)# description HTTP inspection of incoming trafficTo remove the description from the class map, enter:
host1/Admin(config-cmap)# no descriptionDefining Access-List Match Criteria
Use the match access-list command to configure the class map to filter Layer 3 and Layer 4 network traffic using a pre-defined access control list (ACL). When a packet matches an entry in an ACL, and if it is a permit entry, the ACE allows the matching result. If it is a deny entry, the ACE blocks the matching result. Refer to the Cisco Application Control Engine Module Security Configuration Guide for details about creating ACLs in the ACE.
Access the class map configuration mode to specify the match access-list command.
The syntax of this command is:
[line_number] match access-list name
The arguments are:
•
•
There can be multiple match access-list commands within a single class map. You may combine multiple match access-list, match source-address, match destination-address, and match port commands in a class map.
For example, to specify that the class map is to match on access control list INBOUND, enter:
host1/Admin(config)# class-map match-any L4_FILTERTRAFFIC_CLASShost1/Admin(config-cmap)# match access-list INBOUNDTo clear the access control list match criteria from the class map, enter:
host1/Admin(config-cmap)# no match access-list INBOUNDDefining Match Any Criteria
Use the match any command to instruct the ACE to perform a match on any network traffic passing through the module. You can include only one match any command within a class map and you cannot combine the match any command with other types of match commands in a class map since the match criteria will be ignored.
Access the class map configuration mode to specify the match any command.
The syntax of this command is:
[line_number] match any
The optional line_number argument assists you in editing or deleting individual match commands. Enter an integer from 2 to 255 as the line number. You can enter no line_number to delete long match commands instead of entering the entire line. The line numbers do not dictate a priority or sequence for the match statements.
For example, to specify that the class map is to match on any network traffic, enter:
host1/Admin(config)# class-map match-any L4_MATCHANYTRAFFIC_CLASShost1/Admin(config-cmap)# match anyTo remove the match any criteria from the class map, enter:
host1/Admin(config-cmap)# no match anyDefining Destination IP Address and Subnet Mask Match Criteria
Use the match destination-address command to specify the destination IP address and subnet mask as the Layer 3 and Layer 4 network traffic matching criteria.
Access the class map configuration mode to specify the match destination-address command.
The syntax of this command is:
[line_number] match destination-address ip_address mask
The arguments are:
•
•
•
There can be multiple match destination-address commands within a single class map. You may combine multiple match destination-address, match access-list, match source-address, and match port commands in a class map.
For example, to specify that the ACE is to match on destination IP address 172.16.20.1 255.255.0.0, enter:
host1/Admin(config)# class-map L4_DEST_IP_CLASShost1/Admin(config-cmap)# match destination-address 172.16.20.1 255.255.0.0To clear the destination IP address and subnet mask match criteria from the class map, enter:
host1/Admin(config-cmap)# no match destination-address 172.16.20.1 255.255.0.0Defining TCP/UDP Port Number or Port Range Match Criteria
Use the match port command to specify a TCP or UDP port number or port range as the Layer 3 and Layer 4 network traffic matching criteria.
Access the class map configuration mode to specify the match port command.
The syntax of this command is:
[line_number] match port {tcp | udp} {any | eq {port_number} | range port1 port2}
The keywords, arguments, and options are:
•
•
–
–
–
There can be multiple match port commands within a single class map. You may combine multiple match port, match access-list, match source-address, and match destination-address commands in a class map.
For example, to specify that the class map is to match on TCP port number 23 (Telnet client), enter:
host1/Admin(config)# class-map L4_TCPPORT_CLASShost1/Admin(config-cmap)# match port tcp eq 23To clear the TCP or UDP port number match criteria from the class map, enter:
host1/Admin(config-cmap)# no match port tcp eq 23Defining Source IP Address and Subnet Mask Match Criteria
Use the match source-address command to specify the client source IP address and subnet mask as the Layer 3 and Layer 4 network traffic matching criteria.
Access the class map configuration mode to specify the match source-address command.
The syntax of this command is:
[line_number] match source-address ip_address mask
The arguments are:
•
•
•
There can be multiple match source-address commands within a single class map. You may combine multiple match source-address, match access-list, match destination-address, and match port commands in a class map.
For example, to specify that the class map is to match on source IP address 172.16.20.1 255.255.0.0, enter:
host1/Admin(config)# class-map L4_SOURCE_IP_CLASShost1/Admin(config-cmap)# match source-address 192.168.10.1 255.255.255.0To clear the source IP address and subnet mask match criteria from the class map, enter:
host1/Admin(config-cmap)# no match source-address 192.168.10.1 255.255.255.0Defining VIP Address Match Criteria
To define a 3-tuple flow of virtual IP (VIP) address, protocol, and port as matching criteria for server load balancing, use the match virtual-address command in class map configuration mode.You can configure multiple match criteria statements to define the VIPs for server load balancing. Refer to Chapter 2, Configuring Policies for Server Load Balancing in the Cisco Application Control Engine Module Server Load Balancing Configuration Guide, for details about configuring the ACE to perform server load balancing.
Access the class map configuration mode to specify the match virtual-address command.
The syntax of this command is:
[line_number] match virtual-address vip_address {[netmask] protocol_number | any | {tcp | udp} {any | eq port_number | range port1 port2}}}
The keywords, arguments, and options are:
•
•
•
•
•
•
–
–
–
Note the following:
•
•
For example, to specify that class map L4_SLB_VIPCLASS matches traffic destined to VIP address 192.168.1.10 and TCP port number 80, enter:
host1/Admin(config)# class-map L4_SLB_VIP_CLASShost1/Admin(config-cmap)# match virtual-address 192.168.1.10 tcp port eq 80To remove the VIP match statement from the class map, enter:
host1/Admin(config-cmap)# no match virtual-address 192.168.1.10 tcp port eq 80Defining Layer 3 and Layer 4 Classifications for Network Management Traffic Received by the ACE
Layer 3 and Layer 4 traffic classes contain match criteria that identify the network management traffic that can be received by the ACE. Class maps enable you to classify network traffic based on management protocol: HTTP, HTTPS, ICMP, SNMP, SSH, or Telnet.
This section includes the following procedures:
•
•
Creating a Layer 3 and Layer 4 Network Management Traffic Class Map
To create a Layer 3 and Layer 4 class map to classify the IP network management traffic received by the ACE, use the class-map type management configuration command. This command permits network management traffic by identifying the incoming IP management protocols that the ACE can receive as well as the client source host IP address and subnet mask as the matching criteria. A class map of type management provides access for one or more of the following management protocols: HTTP, HTTPS, ICMP, SNMP, SSH, or Telnet.
There can be multiple match commands in a class map. You can configure class maps to define multiple management protocol and source IP address commands in a group that you then associate with a traffic policy. The match-all and match-any keywords determine how the ACE evaluates multiple match statements operations when multiple match criteria exist in a class map.
The syntax of this command is:
class-map type management [match-all | match-any] map_name
The arguments and options are:
•
–
–
•
You enter the class map management configuration mode.
To classify the network management traffic received by the ACE, include one or more of the following commands to configure the match criteria for the class map:
•
•
You may include multiple match protocol commands in a class map
For example, to permit ICMP packets from IP address 172.16.10.0 255.255.255.0 and allow global SSH access to the ACE, enter:
host1/Admin(config)# class-map type management match-any MGMT-ACCESS_CLASShost1/Admin(config-cmap-mgmt)# match protocol icmp source-address 172.16.10.0 255.255.255.0host1/Admin(config-cmap-mgmt)# match protocol ssh anyTo remove a Layer 3 and Layer 4 network management class map from the ACE, enter:
host1/Admin(config)# no class-map type management match-any MGMT-ACCESS_CLASSDefining Network Management Access Match Criteria
Use the match protocol command to configure the class map to identify the network management protocols that can be received by the ACE. You configure the associated policy map to permit access to the ACE for the specified management protocols. As part of the network management access traffic classification, you also specify either a client source host IP address and subnet mask as the matching criteria or instruct the ACE to allow any client source address for the management traffic classification.
Access the class map management configuration mode to specify the match protocol command.
The syntax of this command is:
[line_number] match protocol {http | https | icmp | snmp | ssh | telnet} {any | source-address ip_address mask}
The keywords and arguments are:
•
•
•
•
•
•
•
•
•
•
•
For example, to specify that the class map allows SSH access to the ACE from source IP address 192.168.10.1 255.255.255.0, enter:
host1/Admin(config)# class-map type management SSH-ALLOW_CLASShost1/Admin(config-cmap-mgmt)# match protocol ssh source-address 192.168.10.1 255.255.255.0To deselect the specified network management protocol match criteria from the class map, enter:
host1/Admin(config-cmap-mgmt)# no match protocol ssh source-address 192.168.10.1 255.255.255.0Configuring Layer 7 Class Maps
A Layer 7 class map contains match criteria that classifies specific Layer 7 protocol information. The match criteria enables the ACE to:
•
•
•
For background details on the role of class maps in the ACE, see the "Class Map and Policy Map Overview" section.
This section contains the following procedures:
•
•
•
Defining Layer 7 Classifications for HTTP Server Load-Balancing
A Layer 7 HTTP server load balancing class map contains match criteria that classifies specific Layer 7 network traffic. You create a Layer 7 server load balancing class map based on HTTP cookies, HTTP headers, HTTP URLs, protocol header fields, or source IP addresses.
The Layer 7 HTTP server load balancing features include:
•
•
•
•
•
To create a Layer 7 class map for HTTP server load balancing, use the class-map type http loadbalance command in configuration mode.
There can be multiple match commands in a single class map to specify the matching criteria. For example, you can configure a Layer 7 HTTP server load balancing class map to define multiple URLs, cookies, and HTTP headers in a group that you then associate with a traffic policy. The match-all and match-any keywords determine how the ACE evaluates multiple match statements operations when multiple match criteria exist in a Layer 7 HTTP load balancing class map.
The syntax of this command is:
class-map type http loadbalance [match-all | match-any] map_name
The arguments and options are:
•
–
–
•
You enter the class map HTTP server load balancing configuration mode. For details on specifying the match criteria for a HTTP server load balancing class map, refer to the Cisco Application Control Engine Module Server Load Balancing Configuration Guide.
Defining Layer 7 Classifications for HTTP Deep Packet Inspection
The ACE uses a Layer 7 class map for HTTP deep packet application protocol inspection. The ACE performs a stateful deep packet inspection of the HTTP protocol and permits or blocks traffic based on the actions in your configured policies.
The security features covered by HTTP deep packet inspection include:
•
•
•
•
•
•
To create a Layer 7 class map to be used for the deep packet inspection of HTTP traffic through the ACE, use the class-map type http inspect command in configuration mode.
The syntax of this command is:
class-map type http inspect [match-all | match-any] map_name
The arguments and options are:
•
–
–
•
You enter the class map HTTP inspection configuration mode. For details on specifying the match criteria for the HTTP application protocol inspection class map, refer to the Cisco Application Control Engine Module Security Configuration Guide.
Defining Layer 7 Classifications for FTP Command Inspection
The ACE uses a Layer 7 FTP command class map to perform FTP request inspection for FTP sessions, allowing you to restrict specific commands by the ACE. This function provides a security feature to prevent web browsers from sending embedded commands to the ACE in FTP requests. Each specified FTP command must be acknowledged before the ACE allows a new command.
To create a Layer 7 class map to be used for the inspection of FTP request commands, use the class-map type ftp inspect command in configuration mode.
The syntax of this command is:
class-map type ftp inspect match-any map_name
The keywords and arguments are:
•
•
You enter the class map FTP inspection configuration mode. For details on specifying the match criteria for the FTP command inspection class map, refer to the Cisco Application Control Engine Module Security Configuration Guide.
Configuring a Layer 3 and Layer 4 Policy Map
For a Layer 3 and Layer 4 traffic classification, you create a Layer 3 and Layer 4 policy map with actions that configure:
•
•
•
•
•
•
•
•
For background details on the role of policy maps in the ACE, see the "Class Map and Policy Map Overview" section.
This section outlines the general steps to configure a Layer 3 and Layer 4 network traffic policy. It includes the following topics:
•
•
•
•
•
•
Creating a Layer 3 and Layer 4 Policy Map for Network Management Traffic Received by the ACE
To configure a Layer 3 and Layer 4 policy map that defines the different actions applied to the IP management traffic received by the ACE, use the policy-map type management configuration command. The ACE executes the specified action only for traffic that meets the first matching classification with a policy map. The ACE does not execute any additional actions.
The syntax of this command is:
policy-map type management first-match map_name
The map_name argument specifies the name assigned to the Layer 3 and Layer 4 network management policy map. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
You enter the policy map management configuration mode.
For example, to create a Layer 3 and Layer 4 network traffic management policy map, enter:
host1/Admin(config)# policy-map type management first-match L4_MGMT_POLICYhost1/Admin(config-pmap-mgmt)#To remove a network traffic management policy map from the ACE, enter:
host1/Admin(config)# no policy-map type management first-match L4_MGMT_POLICYCreating a Layer 3 and Layer 4 Policy Map for Network Traffic Passing Through the ACE
To configure a Layer 3 and Layer 4 policy map that defines the different actions applied to traffic passing through the ACE, use the policy-map multi-match configuration command. The ACE attempts to match multiple classes within the Layer 3 and Layer 4 policy map to allow for multi-feature policies. The ACE executes the action for only one matching class within each of the class sets. The definition of which classes are in the same class set depends on the actions applied to the classes; the ACE associates each policy map action with a specific set of classes.
The syntax of this command is:
policy-map multi-match map_name
The map_name argument specifies the name assigned to the policy map. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
You enter the policy map configuration mode.
For example, to create a Layer 3 and Layer 4 application protocol inspection policy map, enter:
host1/Admin(config)# policy-map multi-match L4_HTTP_APP_INSPECTION_POLICYhost1/Admin(config-pmap)#To remove a policy map from the ACE, enter:
host1/Admin(config)# no policy-map multi-match L4_HTTP_APP_INSPECTION_POLICYDefining a Layer 3 and Layer 4 Policy Map Description
Use the description command to provide a brief summary about the Layer 3 and Layer 4 policy map.
Access the policy map configuration mode to specify the description command.
The syntax of this command is:
description text
Use the text argument to enter an unquoted text string with a maximum of 240 alphanumeric characters.
For example, to specify a description that the policy map is to filter network traffic to a VIP, enter:
host1/Admin(config-pmap)# description filter traffic matching a VIPTo remove the description from the class map, enter:
host1/Admin(config-pmap)# no descriptionSpecifying a Layer 3 and Layer 4 Traffic Class With the Traffic Policy
To specify a Layer 3 and Layer 4 traffic class created with the class-map command to associate network traffic with the traffic policy, use the class command in policy map configuration mode.
The syntax of this command is:
class map_name
The map_name argument specifies the name of a previously defined Layer 3 and Layer 4 traffic class, configured with the class-map command, to associate traffic to the traffic policy. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
You enter the policy map class configuration mode.
For example, to specify an existing class map within the Layer 3 and Layer 4 policy map, enter:
host1/Admin(config-pmap)# class L4_SLB_VIP_CLASShost1/Admin(config-pmap-c)#To remove a class map from a Layer 3 and Layer 4 policy map, enter:
host1/Admin(config-pmap)# no class L4_SLB_VIP_CLASSTo manually insert the class map ahead of a previously specified class map, use the insert-before command. The ACE does not save sequence reordering through the insert-before command as part of the configuration.
The syntax of this command is:
class map_name1 insert-before map_name2
The arguments are:
•
•
For example, to use the insert-before command to define the sequential order of two class maps in the policy map, enter:
host1/Admin(config-pmap-c)# class L4_HTTP_APP_INSPECTION_CLASS insert-before L4_SLB_VIP_CLASSTo specify the class-default class map for the Layer 3 and Layer 4 traffic policy, use the class class-default command. All network traffic that fails to meet the other matching criteria in the named class map belongs to the default traffic class. If none of the specified classifications match, the ACE then matches the action specified under the class class-default command. The class-default class map has an implicit match any statement in it and is used to match any traffic classification.
For example, to use the class class-default command, enter:
host1/Admin(config-pmap)# class class-defaulthost1/Admin(config-pmap-c)# loadbalance vip replicate-connectionsYou enter the policy map class configuration mode.
Specifying Layer 3 and Layer 4 Policy Actions
To allow the network management traffic listed in the Layer 3 and Layer 4 class map to be received or rejected by the ACE, specify either the permit or deny command in policy map class configuration mode.
•
•
For example, to create a Layer 3 and Layer 4 traffic management policy map that permits ICMP and SSH connections to be received by the ACE, enter:
host1/Admin(config)# policy-map type management first-match L4_MGMT_POLICYhost1/Admin(config-pmap-mgmt)# class ICMP_CLASShost1/Admin(config-pmap-mgmt-c)# permithost1/Admin(config-pmap-mgmt-c)# exithost1/Admin(config-pmap-mgmt)# class SSH_CLASShost1/Admin(config-pmap-mgmt-c)# permithost1/Admin(config-pmap-mgmt-c)# exitTo specify the different policy map actions that you want applied to the Layer 3 and Layer 4 network traffic passing through the ACE, refer to the appropriate ACE document and chapter as outlined in Table 4-9. Table 4-9 defines the associated actions for the different Layer 3 and Layer 4 network traffic polices based on the function of the Layer 3 and Layer 4 policy map.
For example, to specify server load-balancing actions for the Layer 3 and Layer 4 policy map, enter:
host1/Admin(config-pmap)# class L4_SLB_CLASShost1/Admin(config-pmap-c)# loadbalance vip advertise activehost1/Admin(config-pmap-c)# loadbalance vip inservicehost1/Admin(config-pmap-c)# loadbalance policy L7SLBPOLICYhost1/Admin(config-pmap-c)# exit
Using Parameter Maps in a Layer 3 and Layer 4 Policy Map
To combine related actions for TCP, IP, HTTP, or UDP connections in a Layer 3 and Layer 4 policy map, create one or more parameter maps for use with the ACE. The ACE supports the following Layer 3 and Layer 4 parameter map types:
•
•
•
•
To specify the SSL session parameters the ACE uses in an SSL proxy service, create an SSL parameter map for use with the ACE. The ACE supports the parameter-map type ssl command to specify SSL termination parameters. Refer to the Cisco Application Control Engine Module SSL Configuration Guide for details.
For example, to specify the parameter-map type connection command to combine TCP connection-related parameters in a parameter map, enter:
host1/Admin(config)# parameter-map type connection TCP_MAPhost1/Admin(config-parammap-conn)# reserved-bit allowhost1/Admin(config-parammap-conn)# exceed-mss allowhost1/Admin(config-parammap-conn)# naglehost1/Admin(config-parammap-conn)# set conn-max 64host1/Admin(config-parammap-conn)# set tcp queue-limit 10host1/Admin(config-parammap-conn)# set tcp syn-retry 3host1/Admin(config-parammap-conn)# set tcp timeout embryonic 60host1/Admin(config-parammap-conn)# exithost1/Admin(config)#host1/Admin(config)# policy-map multi-match L4_SLB_POLICYhost1/Admin(config-pmap)# class VIP_CLASShost1/Admin(config-pmap-c)# loadbalance policy L7_SLB_POLICYhost1/Admin(config-pmap-c)# loadbalance vip inservicehost1/Admin(config-pmap-c)# loadbalance vip advertise activehost1/Admin(config-pmap-c)# connection advanced-options TCP-MAPhost1/Admin(config-pmap-c)# exithost1/Admin(config-pmap)# exithost1/Admin(config)#Configuring a Layer 7 Policy Map
To use a Layer 7 policy map, first create the Layer 7 policy map. For a Layer 7 traffic classification, you create a policy map with actions that configure:
•
•
•
You associate the Layer 7 policy map within the appropriate Layer 3 and Layer 4 policy map to provide an entry point for the traffic classification. Layer 7 policy maps are considered to be child policies and can only be associated within an Layer 3 and Layer 4 policy map. Only a Layer 3 and Layer 4 policy map can be activated on a VLAN interface; a Layer 7 policy map cannot be directly applied on an interface.
For background details on the role of policy maps in the ACE, see the "Class Map and Policy Map Overview" section.
This section outlines the general steps to configure a Layer 7 traffic policy. It includes the following topics:
•
•
•
•
•
Creating a Layer 7 Policy Map
Use the policy-map type command in configuration mode to specify the type of Layer 7 traffic policy map. The syntax of this command is:
policy-map type {loadbalance first-match | inspect http all-match | inspect ftp first-match} map_name
The keywords and arguments are:
•
•
•
•
Note
For example, to create a Layer 7 load balancing policy map, enter:
host1/Admin(config)# policy-map type loadbalance first-match L4_SLB_POLICYhost1/Admin(config-pmap-lb)#To remove a policy map from the ACE, enter:
host1/Admin(config)# no policy-map type loadbalance first-match L4_SLB_POLICYAdding a Layer 7 Policy Map Description
Use the description command to provide a brief summary about the Layer 7 policy map.
Access the policy map configuration mode to specify the description command.
The syntax of this command is:
description text
Use the text argument to enter an unquoted text string with a maximum of 240 alphanumeric characters.
For example, to add a description that the policy map is to perform HTTP deep packet inspection, enter:
host1/Admin(config-pmap-ins-http)# description HTTP protocol deep inspection of incoming trafficTo remove the description from the policy map, enter:
host1/Admin(config-pmap-ins-http)# no descriptionIncluding Inline Match Statements in a Layer 7 Policy Map
To include a single inline match criteria in the policy map without specifying a traffic class, enter an applicable Layer 7 match command. The inline Layer 7 policy map match commands function the same as with the Layer 7 class map match commands. However, when you use an inline match command, you can specify an action for only a single match statement in the Layer 7 policy map.
Note
The syntax for an inline match command is:
match name match_statement [insert-before map_name]
The arguments are:
•
•
•
For example:
host1/Admin(config-pmap-lb)# match L7loadbalance http url /financehost1/Admin(config-pmap-lb-m)# serverfarm FARM1host1/Admin(config-pmap-lb-m)# class TEST_CLASShost1/Admin(config-pmap-lb-m)# serverfarm FARM2Specifying a Layer 7 Traffic Class with the Traffic Policy
To specify a traffic class created with the class-map command to associate network traffic with the traffic policy, use the class command. The syntax of this command is:
class map_name
The map_name argument specifies the name of a previously defined traffic class, configured with the class-map command, to associate traffic to the traffic policy. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
You enter the policy map class configuration mode.
For example, to specify an existing class map in the Layer 7 policy map, enter:
host1/Admin(config-pmap-lb)# class L7_SLB_SERVER_CLASShost1/Admin(config-pmap-lb-c)#To remove a class map from a Layer 7 policy map, enter:
host1/Admin(config-pmap-lb)# no class L7_SLB_SERVER_CLASSTo manually insert a class map ahead of a previously specified class map, use the insert-before command. The ACE does not save sequence reordering through the insert-before command as part of the configuration.
The syntax of this command is:
class map_name1 insert-before map_name2
The keywords and arguments are:
•
•
For example, to use the insert-before command to define the sequential order of two class maps in the policy map, enter:
host1/Admin(config-pmap-lb-c)# class L7_HTTP_SLB_CLASS insert-before L7_SLB_SERVER_CLASSTo specify the class-default class map for the traffic policy, use the class class-default command. All traffic that fails to meet the other matching criteria in the named class map belongs to the default traffic class. If none of the specified classifications match, the ACE then matches the action specified under the class class-default command. The class-default class map has an implicit match any statement in it and is used to match any traffic classification.
For example, to use the class class-default command, enter:
host1/Admin(config-pmap)# class class-defaulthost1/Admin(config-pmap-lb-c)# insert-http HostYou enter the policy map class configuration mode.
Specifying Layer 7 Policy Actions
To specify the policy map actions that you want applied to the Layer 7 policy map, refer to the appropriate ACE document and chapter as outlined in Table 4-10. Table 4-10 defines the associated actions for the different Layer 7 application polices based on the function of the Layer 7 policy map.
For example, to specify a serverfarm action in the Layer 7 load-balancing policy map, enter:
host1/Admin(config)# policy-map type loadbalance first-match L7_SLB_POLICYhost1/Admin(config-pmap-lb)# class SPORTS-MAP_CLASShost1/Admin(config-pmap-lb-c)# serverfarm SPORTS-SERVERhost1/Admin(config-pmap-lb-c)# exithost1/Admin(config-pmap-lb)# class SPORTS-MAP_CLASShost1/Admin(config-pmap-lb-c)# serverfarm NEWS-SERVERhost1/Admin(config-pmap-lb-c)# exithost1/Admin(config-pmap-lb)# class-defaulthost1/Admin(config-pmap-lb-c)# serverfarm SERVER-HANDLE-ALLhost1/Admin(config-pmap-lb-c)# exitTo disable an action from the Layer 7 load-balancing policy map, enter:
host1/Admin(config-pmap-lb-c)# no serverfarm SERVER-HANDLE-ALL
Associating the Layer 7 Policy Map with a Layer 3 and Layer 4 Policy Map
Use the policy-map multi-match command in configuration mode to associate the Layer 7 policy map with a Layer 3 and Layer 4 policy map as specified below.
•
•
•
See the "Configuring a Layer 3 and Layer 4 Policy Map" section and the documents listed in Table 4-9 for the specific procedure to create a Layer 3 and Layer 4 policy map that associates a Layer 7 HTTP server load balancing, HTTP deep packet inspection, or FTP command inspection policy map.
For example, to nest the Layer 7 L7_SLB_POLICY policy map within the Layer 3 and Layer 4 L4_SLB_POLICY policy map, enter:
host1/Admin(config)# policy-map type loadbalance first-match L7_SLB_POLICYhost1/Admin(config-pmap-lb)# class L7_SLB_CLASShost1/Admin(config-pmap-lb-c)# serverfarm FARM2 backup FARM3 stickyhost1/Admin(config-pmap-lb-c)# exithost1/Admin(config-pmap-lb)# exithost1/Admin(config)# policy-map multi-match L4_SLB_POLICYhost1/Admin(config-pmap)# class L4_SLB_CLASShost1/Admin(config-pmap-c)# loadbalance policy L7_SLB_POLICYApplying a Service Policy
Use the service-policy command to:
•
•
•
The service-policy command is available at both the interface configuration mode and at the configuration mode. Specifying a Layer 3 and Layer 4 policy map at the interface configuration mode applies the policy map to the specified VLAN interface. Specifying a policy map in the configuration mode applies the policy to all of the VLAN interfaces associated with a context.
The syntax of this command is:
service-policy input policy_name
The keywords, arguments, and options are:
•
•
For example, to specify an interface VLAN and apply multiple service policies to the VLAN, enter:
host1/Admin(config)# interface vlan 50host1/Admin(config-if)# ip address 172.16.1.100 255.255.255.0host1/Admin(config-if)# service-policy input L4_SLB_POLICYhost1/Admin(config-if)# service-policy input REMOTE_MGMT_ALLOW_POLICYFor example, to globally apply multiple service policies to all VLANs associated with the context, enter:
host1/Admin(config)# service-policy input L4_SLB_POLICYhost1/Admin(config)# service-policy input REMOTE_MGMT_ALLOW_POLICYTo detach a traffic policy from an interface VLAN, enter:
host1/Admin(config-if)# no service-policy input L4_SLB_POLICYTo globally detach a traffic policy from all VLANs associated with a context, enter:
host1/Admin(config)# no service-policy input L4_SLB_POLICYWhen you detach a traffic policy either:
•
•
the ACE automatically resets the associated service policy statistics. The ACE performs this action to provide a new starting point for the service policy statistics the next time you attach a traffic policy to a specific VLAN interface or globally to all VLAN interfaces in the same context.
Note the following when creating a service policy:
•
•
•
Class Maps and Policy Map Examples
This section includes a series of examples to help illustrate how to use class maps and policy maps to perform various operations on the ACE. This section includes the following examples:
•
•
•
Firewall Example
For inside interface VLAN50, this example creates a firewall traffic policy that enables the following processes to occur on the ACE:
•
•
•
•
•
–
–
To accomplish these tasks, create a series of class maps and policy maps to classify and permit the identified traffic:
1.
host1/Admin(config)# class-map type management ICMP-ALLOW_CLASShost1/Admin(config-cmap-mgmt)# match protocol icmp source-address 172.16.10.0 255.255.255.254host1/Admin(config-cmap-mgmt)# exithost1/Admin(config)#host1/Admin(config)# class-map type management SSH-ALLOW_CLASShost1/Admin(config-cmap-mgmt)# match protocol ssh anyhost1/Admin(config-cmap-mgmt)# exithost1/Admin(config)#host1/Admin(config)# policy-map type management first-match L4_MGMT_POLICYhost1/Admin(config-pmap-mgmt)# class ICMP-ALLOW_CLASShost1/Admin(config-pmap-mgmt-c)# permithost1/Admin(config-pmap-mgmt-c)# exithost1/Admin(config-pmap-mgmt)# class SSH-ALLOW_CLASShost1/Admin(config-pmap-mgmt-c)# permithost1/Admin(config-pmap-mgmt-c)# exithost1/Admin(config-pmap-mgmt)# exithost1/Admin(config)#2.
host1/Admin(config)# access-list 200 extended permit tcp any any eq httphost1/Admin(config)# class-map match-all L4_FILTERHTTP_CLASShost1/Admin(config-cmap)# match access-list 2003.
a.
host1/Admin(config)# class-map type http inspect match-all L7_FLTRHTML1_CLASShost1/Admin(config-cmap-http-insp)# match header accept header-value htmlhost1/Admin(config-cmap-http-insp)# match header length request eq 256host1/Admin(config-cmap-http-insp)# exithost1/Admin(config)#b.
host1/Admin(config)# class-map type http inspect L7_FLTRHTML2_CLASShost1/Admin(config-cmap-http-insp)# match url BADhost1/Admin(config-cmap-http-insp)# exithost1/Admin(config)#c.
host1/Admin(config)# policy-map type inspect http all-match L7_FILTERHTML_POLICYhost1/Admin(config-pmap-ins-http)# class L7_FLTRHTML1_CLASShost1/Admin(config-pmap-ins-http-c)# permit loghost1/Admin(config-pmap-ins-http-c)# exithost1/Admin(config-pmap-ins-http)# class L7_FLTRHTML2_CLASShost1/Admin(config-pmap-ins-http-c)# resethost1/Admin(config-pmap-ins-http-c)# exit4.
host1/Admin(config)# policy-map multi-match L4_FILTER_POLICYhost1/Admin(config-pmap)# class L4_FILTERHTTP_CLASShost1/Admin(config-pmap-c)# inspect http policy L7_FILTERHTML_POLICYhost1/Admin(config-pmap-c)# exithost1/Admin(config-pmap)# exithost1/Admin(config)#5.
host1/Admin(config)# interface vlan 50host1/Admin(config-if)# ip address 172.16.1.100 255.255.255.0host1/Admin(config-if)# service-policy input L4_MGMT_POLICYhost1/Admin(config-if)# service-policy input L4_FILTER_POLICYLayer 7 Load Balancing Example
This example creates a Layer 7 load balancing traffic policy that enables the following processes to occur on the ACE:
•
–
–
•
•
1.
host1/Admin(config)# class-map type http loadbalance match-all SPORTS-MAP_CLASShost1/Admin(config-cmap-http-lb)# match http header host header-value .*test.comhost1/Admin(config-cmap-http-lb)# match http url /sports/host1/Admin(config-cmap-http-lb)# exit2.
host1/Admin(config)# class-map type http loadbalance NEWS-MAP_CLASShost1/Admin(config-cmap-http-lb)# match http url /news/host1/Admin(config-cmap-http-lb)# exit3.
host1/Admin(config)# policy-map type loadbalance first-match L7_SLB_POLICYhost1/Admin(config-pmap-lb)# class SPORTS-MAP_CLASShost1/Admin(config-pmap-lb-c)# serverfarm SPORTS-SERVERhost1/Admin(config-pmap-lb-c)# exithost1/Admin(config-pmap-lb)# class NEWS-MAP_CLASShost1/Admin(config-pmap-lb-c)# serverfarm NEWS-SERVERhost1/Admin(config-pmap-lb-c)# exithost1/Admin(config-pmap-lb)# class class-defaulthost1/Admin(config-pmap-lb-c)# serverfarm SERVER-HANDLE-ALLhost1/Admin(config-pmap-lb-c)# exithost1/Admin(config-pmap-lb)# exithost1/Admin(config)#4.
host1/Admin(config)# class-map L4_SLBVIP_CLASShost1/Admin(config-cmap)# match virtual-address 192.168.5.10 tcp port eq 80host1/Admin(config-cmap)# exithost1/Admin(config)#5.
host1/Admin(config)# parameter-map type http HTTP_PARAMETER_MAPhost1/Admin(config-parammap-http)# persistent-rebalancehost1/Admin(config-parammap-http)# exithost1/Admin(config)#6.
host1/Admin(config)# policy-map multi-match L4_SLB_POLICYhost1/Admin(config-pmap)# class L4_SLBVIP_CLASShost1/Admin(config-pmap-c)# loadbalance policy L7_SLB_POLICYhost1/Admin(config-pmap-c)# loadbalance vip inservicehost1/Admin(config-pmap-c)# appl-parameter http advanced-options HTTP_PARAMETER_MAPhost1/Admin(config-pmap-c)# exithost1/Admin(config-pmap)# exithost1/Admin(config)#7.
host1/Admin(config)# interface VLAN 10host1/Admin(config-if)# service-policy input L4_SLB_POLICYLayer 3 and Layer 4 Load Balancing Example
This example creates a Layer 3 and 4 load balancing traffic policy that enables the following processes to occur on the ACE:
•
•
1.
host1/Admin(config)# policy-map type loadbalance first-match L7_SLB_POLICYhost1/Admin(config-pmap-lb)# class class-defaulthost1/Admin(config-pmap-lb-c)# serverfarm SERVER-HANDLE-ALLhost1/Admin(config-pmap-lb-c)# exithost1/Admin(config-pmap-lb)# exithost1/Admin(config)#2.
host1/Admin(config)# class-map L4_SLBVIP_CLASShost1/Admin(config-cmap)# match virtual-address 192.168.5.10 tcp port anyhost1/Admin(config-cmap)# exithost1/Admin(config)#3.
host1/Admin(config)# policy-map multi-match L4_SLB_POLICYhost1/Admin(config-pmap)# class L4_SLBVIP_CLASShost1/Admin(config-pmap-c)# loadbalance policy L7_SLB_POLICYhost1/Admin(config-pmap-c)# loadbalance vip inservicehost1/Admin(config-pmap-c)# exithost1/Admin(config-pmap)# exithost1/Admin(config)#4.
host1/Admin(config)# interface VLAN 10host1/Admin(config-if)# service-policy input L4_SLB_POLICYVIP With Connection Parameters Example
This example creates a Layer 3 and 4 traffic policy that enables the following processes to occur on the ACE:
•
•
•
1.
host1/Admin(config)# policy-map type loadbalance first-match L7_SLB_POLICYhost1/Admin(config-pmap-lb)# class class-defaulthost1/Admin(config-pmap-lb-c)# serverfarm SERVER-HANDLE-ALLhost1/Admin(config-pmap-lb-c)# exithost1/Admin(config-pmap-lb)# exithost1/Admin(config)#2.
host1/Admin(config)# class-map L4_SLBVIP_CLASShost1/Admin(config-cmap)# match virtual-address 192.168.5.10 tcp port anyhost1/Admin(config-cmap)# exithost1/Admin(config)#3.
host1/Admin(config)# parameter-map type connection TCP_MAPhost1/Admin(config-parammap-conn)# reserved-bits allowhost1/Admin(config-parammap-conn)# exceed-mss allowhost1/Admin(config-parammap-conn)# naglehost1/Admin(config-parammap-conn)# set tcp queue-limit 10host1/Admin(config-parammap-conn)# set tcp syn-retry 3host1/Admin(config-parammap-conn)# set tcp timeout embryonic 60host1/Admin(config-parammap-conn)# exithost1/Admin(config)#4.
host1/Admin(config)# policy-map multi-match L4_SLB_POLICYhost1/Admin(config-pmap)# class L4_SLBVIP_CLASShost1/Admin(config-pmap-c)# loadbalance policy L7_SLB_POLICYhost1/Admin(config-pmap-c)# loadbalance vip inservicehost1/Admin(config-pmap-c)# connection advanced-options TCP_MAPhost1/Admin(config-pmap-c)# exithost1/Admin(config-pmap)# exithost1/Admin(config)#5.
host1/Admin(config)# interface VLAN 10host1/Admin(config-if)# service-policy input L4_SLB_POLICYViewing Class Maps, Policy Maps, and Service Policies
The ACE CLI provides a comprehensive set of show commands that display the class map, policy map, and service policy configuration. This section includes the following topics:
•
•
•
Displaying Class Map Configuration Information
To display the class map configurations in the ACE, use the show running-config class-map command in Exec mode.
For example, enter:
host1/Admin# show running-config class-mapGenerating configuration....class-map type management match-any Mgmt_allow_class10 match protocol telnet source-address 172.16.1.2 255.255.255.25420 match protocol ssh source-address 172.16.1.2 255.255.255.254class-map type http loadbalance match-any L4_SLB_classDisplaying Policy Map Configuration Information
To display the policy map configurations in the ACE, use the show running-config policy-map command in Exec mode.
For example, enter:
host1/Admin# show running-config policy-mapGenerating configuration....policy-map type management first-match REMOTE_MGMT_ALLOWclass SSH-ALLOWpermitclass TELNET-ALLOWpermitpolicy-map type loadbalance first-match L4_SLB_policyclass L4_SLB_classDisplaying Service Policy Configuration Information
To display service policy statistics use the show service-policy command in Exec mode. The statistics that appear in the output are dependent on the configuration of the associated Layer 3 and Layer 4 policy map. The show service-policy command displays following information:
•
•
•
The syntax of this command is:
show service-policy policy_name [detail]
The keywords, options, and arguments are as follows:
•
•
Note
For example, to display service policy statistics for the HTTP_INSPECT_L4POLICY policy map, enter:
host1/Admin# show service-policy HTTP_INSPECT_L4POLICYTo clear the service policy statistics, use the clear service-policy command. The syntax of this command is:
clear service-policy policy_name
For the policy_name argument, enter the identifier of an existing policy map that is currently in service (applied to an interface).
For example, to clear the statistics for the policy map REMOTE_MGMT_POLICY that is currently in service, enter:
host1/Admin# clear service-policy REMOTE_MGMT_POLICYTable 4-11 describes the various fields that can appear in the show service-policy detail command output.
