Table Of Contents
Configuring SSL Termination
Overview of SSL Termination
ACE SSL Termination Configuration Prerequisites
SSL Termination Configuration Quick Start
Creating and Defining an SSL Parameter Map
Adding a Cipher Suite
Defining the Close-Protocol Behavior
Defining the SSL and TLS Version
Creating and Defining an SSL Proxy Service
Associating an SSL Parameter Map with the SSL Proxy Server Service
Specifying the Key Pair
Specifying the Certificate
Specifying the Certificate Chain Group
Creating a Layer 3 and Layer 4 Class Map for SSL Termination
Creating a Layer 3 and Layer 4 Policy Map for SSL Termination
Creating a Layer 3 and Layer 4 Policy Map
Associating the Layer 3 and Layer 4 Class Map with the Policy Map
Associating an SSL Proxy Server Service with the Policy Map
Applying the Policy Map to the VLANs
Applying the Policy Map Globally
Applying the Policy Map to a Specific VLAN
Example of an SSL Termination Configuration
Configuring SSL Termination
This chapter describes the steps required to configure a context on the Cisco Application Control Engine (ACE) module as a virtual SSL server for SSL termination. It contains the following major sections:
• Overview of SSL Termination
• ACE SSL Termination Configuration Prerequisites
• SSL Termination Configuration Quick Start
• Creating and Defining an SSL Parameter Map
• Creating and Defining an SSL Proxy Service
• Creating a Layer 3 and Layer 4 Class Map for SSL Termination
• Creating a Layer 3 and Layer 4 Policy Map for SSL Termination
• Applying the Policy Map to the VLANs
• Example of an SSL Termination Configuration
Overview of SSL Termination
SSL termination occurs when the ACE, acting as an SSL proxy server, terminates an SSL connection from a client and then establishes a TCP connection to an HTTP server. When the ACE terminates the SSL connection, it decrypts the ciphertext from the client and transmits the data as clear text to an HTTP server.
Figure 3-1 illustrates the following network connections in which the ACE terminates the SSL connection with the client:
• Client to ACE—SSL connection between a client and the ACE acting as an SSL proxy server
• ACE to Server—TCP connection between the ACE and the HTTP server
Figure 3-1 SSL Termination with a Client
The ACE uses a combination of parameter maps, SSL proxy services, and class maps to build the policy maps that determine the flow of information among the client, the ACE, and the server. Because SSL termination is based on the destination IP addresses of the inbound traffic flow from the client, it is considered a Layer 3 and Layer 4 application. For this type of application, you create a Layer 3 and Layer 4 policy map that the ACE applies to the inbound traffic.
When configuring a policy map for SSL termination, you associate a parameter map and SSL proxy server service with the policy map to define the SSL session parameters and client/server authentication tools, such as the certificate and RSA key pair. You also associate a class map with the policy map to define the virtual SSL server IP addresses that the destination IP address of the inbound traffic must match. When a match occurs, the ACE negotiates with the client to establish an SSL connection. You can define a maximum of 250 virtual SSL servers for a single class map.
The flow chart shown in Figure 3-2 provides a basic overview of the process required to build and apply the Layer 3 and Layer 4 policy map the ACE uses for SSL termination. The flow chart also illustrates how you associate the various components of the policy map configuration with each other.
Figure 3-2 Basic SSL Termination Configuration Flow Diagram
ACE SSL Termination Configuration Prerequisites
Before configuring your ACE for SSL operation, you must first configure it for server load balancing (SLB). During the real server and server farm configuration process, when you associate a real server with a server farm, ensure that you assign an appropriate port number for the real server. The default behavior by the ACE is to automatically assign the same destination port that was used by the inbound connection to the outbound server connection if you do not specify a port.
For example, if the incoming connection to the ACE is a secure client HTTPS connection, the connection is typically made on port 443. If you do not assign a port number to the real server, the ACE will automatically use port 443 to connect to the server, which results in the ACE making a clear-text HTTP connection over port 443. In this case, you would typically define an outbound destination port of 80, 81, or 8080 for the backend server connection.
During the SLB traffic policy configuration process, create the following configuration objects:
• Layer 7 class map
• Layer 3 and Layer 4 class map
• Layer 7 policy map
• Layer 3 and Layer 4 policy map
After configuring SLB, modify the existing SLB class maps and policy maps with the SSL configuration requirements described in this guide for SSL termination.
To configure your ACE for SLB, refer to the Cisco Application Control Engine Module Server Load-Balancing Configuration Guide.
SSL Termination Configuration Quick Start
Table 3-1 provides a quick overview of the steps required to configure the ACE for SSL termination. Each step includes the CLI command or a reference to the procedure required to complete the task. For a complete description of each feature and all the options associated with the CLI commands, see the sections following Table 3-1.
Note
The following quick start does not include creating a parameter map as shown in Figure 3-2. By not creating a parameter map, the ACE uses the default parameter map settings as described in Table 3-2.
Table 3-1 SSL Termination Configuration Quick Start
Task and Command Example
1. If you are operating in multiple contexts, observe the CLI prompt to verify that you are operating in the desired context. If necessary, log directly in to, or change to, the correct context.
The rest of the examples in this table use the Admin context for illustration purposes. For details on creating contexts, refer to the Cisco Application Control Engine Module Virtualization Configuration Guide.
2. Enter configuration mode.
3. Create an SSL proxy server service to define the handshake parameters that the ACE, acting as an SSL server, applies to a policy map.
host1/Admin(config)# ssl-proxy service SSL_PSERVICE_SERVER
host1/Admin(config-ssl-proxy)#
4. Configure the SSL proxy server service by defining the certificate and corresponding RSA key pair.
host1/Admin(config-ssl-proxy)# key MYRSAKEY_SERVER
host1/Admin(config-ssl-proxy)# cert MYCERT_SERVER
host1/Admin(config-ssl-proxy)# exit
5. Create a Layer 3 and Layer 4 class map and configure it with the input traffic match criteria as required.
host1/Admin(config)# class-map L4VIPCLASS
host1/Admin(config-cmap)# match virtual-address 192.168.10.24 tcp any
host1/Admin(config-cmap)# exit
6. Create a policy map and associate the class map created in Step 5 with it.
host1/Admin(config)# policy-map multi-match L4POLICY
host1/Admin(config-pmap)# class L4VIPCLASS
host1/Admin(config-pmap-c)#
7. Associate the SSL proxy server service created in Step 3 with the policy map.
host1/Admin(config-pmap-c)# ssl-proxy server SSL_PSERVICE_SERVER
host1/Admin(config-pmap-c)# exit
host1/Admin(config-pmap)# exit
8. Apply the policy map to the input of the desired interface.
Globally, to all context VLANs:
host1/Admin(config)# service-policy input L4POLICY
To a specific VLAN:
host1/Admin(config)# interface vlan 50
host1/Admin(config-if)# service-policy input L4POLICY
9. (Recommended) Display the running configuration to verify that the information you just added is configured properly.
host1/Admin(config-if)# do show running-config
10. (Optional) To save the configuration changes to flash memory, copy the running configuration to the startup configuration.
host1/Admin(config-if)# do copy running-config startup-config
Creating and Defining an SSL Parameter Map
An SSL parameter map defines the SSL session parameters that the ACE applies to an SSL proxy service. Creating an SSL parameter map allows you to apply the same SSL session parameters to different proxy services. Table 3-2 describes each of the SSL session parameters along with their default values.
Table 3-2 Default SSL Parameter Map Settings
SSL Session Parameter | Description | Default Value
Cipher suites | Defines the cipher suites that the ACE supports during the SSL handshake (see Table 3-3 for a list of available cipher suites that the ACE supports) | The ACE supports all of the available cipher suites
Close-protocol | Defines how the ACE executes close-notify messages | strict—The ACE sends a close-notify alert message to its peer when closing a session and expects to receive one back
Version | Defines the SSL and TLS versions the ACE supports during the SSL handshake | all—The ACE supports versions SSL3 and TLS1
Note
If you want an SSL proxy service to use the default SSL parameter map values, then you do not need to create an SSL parameter map or associate one with the proxy service. When you do not associate a parameter map with the SSL proxy service, the ACE automatically applies the default SSL parameter map values listed in Table 3-2 to the proxy service.
To create an SSL parameter map, use the parameter-map type ssl command in configuration mode.
The syntax of this command is:
parameter-map type ssl parammap_name
The parammap_name argument is the name of the SSL parameter map. Enter an unquoted alphanumeric string with a maximum of 64 characters.
For example, to create the SSL parameter map PARAMMAP_SSL, enter:
host1/Admin(config)# parameter-map type ssl PARAMMAP_SSL
Once you create an SSL parameter map, the CLI enters SSL parameter map configuration mode.
host1/Admin(config-parammap-ssl)#
If you exit out of SSL parameter map configuration mode without defining any of the SSL parameter map attributes, the ACE configures the parameter map with the default values listed in Table 3-2.
To delete an existing SSL parameter map, enter:
host1/Admin(config)# no parameter-map type ssl PARAMMAP_SSL
This section contains the following procedures for defining the SSL parameter map attributes:
• Adding a Cipher Suite
• Defining the Close-Protocol Behavior
• Defining the SSL and TLS Version
Adding a Cipher Suite
The SSL protocol supports a variety of different cryptographic algorithms, or ciphers, for use in operations such as:
• authenticating the server and client to each other
• transmitting certificates
• establishing session keys
Clients and servers may support different cipher suites, or sets of ciphers, depending on various factors, such as the version of SSL they support, company policies regarding acceptable encryption strength, and government restrictions on export of SSL-enabled software. Among its other functions, the SSL handshake protocol determines how the server and client negotiate which cipher suite they will use to authenticate each other, transmit certificates, and to establish session keys.
As shown in Figure 3-3, a cipher suite consists of the following three algorithms:
• Key exchange algorithm
• Data encryption algorithm
• Message authentication (hash) algorithm
Figure 3-3 Cipher Suite Algorithms
Note
Exportable cipher suites are those cipher suites that are not as strong as some of the other cipher suites (for example, 3DES or RC4 with 128-bit encryption) as defined by U.S. export restrictions on software products. Exportable cipher suites may be exported to most countries from the United States and provide the strongest encryption available for exportable products.
To define each of the cipher suites you want the ACE to support during a secure session, use the cipher command in SSL parameter map configuration mode. The cipher suite that you choose depends on your environment and security requirements and must correlate to the certificates and keys that you have loaded on the ACE.
Note
By default, the ACE supports all of the cipher suites listed in Table 3-3. The default setting works only when you do not configure the SSL parameter map with any specific ciphers. To return to using the all cipher suites setting, you must delete each of the specifically-defined ciphers from the parameter map using the no form of the command.
The syntax of this command is:
cipher cipher_name [priority cipher_priority]
The keywords and arguments are:
• cipher_name—Name of the cipher suite you want the ACE to support. Table 3-3 lists the cipher suites the ACE supports. Enter one of the supported cipher suites from the table.
• priority—(Optional) Assigns a priority level to the cipher suite. The priority level represents the preference ranking of the cipher suite, with 10 being the most preferred and 1 being the least preferred. By default, all configured cipher suites have a priority level of 1. When negotiating which cipher suite to use, the ACE selects from the client list based on the cipher suite configured with the highest priority level. A higher priority level will bias towards the specified cipher suite. For SSL termination applications, the ACE uses the priority level to match cipher suites in the client's ClientHello handshake message. For SSL initiation applications, the priority level represents the order in which the ACE places the cipher suites in its ClientHello handshake message to the server.
• cipher_priority—Priority level of the cipher suite. Enter an integer from 1 to 10. The default is 1.
For example, to add the cipher suite rsa_with_aes_128_cbc_sha with a priority level of 2, enter:
host1/Admin(config)# parameter-map type ssl PARAMMAP_SSL
host1/Admin(config-parammap-ssl)# cipher rsa_with_aes_128_cbc_sha priority 2
Repeat the cipher command for each cipher suite you want to include in the SSL parameter map.
To delete a cipher suite from the SSL parameter map, enter:
host1/Admin(config-parammap-ssl)# no cipher rsa_with_aes_128_cbc_sha
Table 3-3 lists the available cipher suites that the ACE supports and indicates which of the supported cipher suites are exportable from the ACE. The table also lists the authentication certificate and encryption key required by each cipher suite.
If you use the default setting in which the ACE implicitly supports all of the cipher suites listed in Table 3-3 or you explicitly define each cipher suite with equal priority and the client connection uses multiple ciphers, the ACE sends the cipher suites to its peer in the same order as they appear in the table, starting with RSA_WITH_RC4_128_MD5.
Caution
Cipher suites with "export" in the title indicate that they are intended for use outside of the domestic United States and have encryption algorithms with limited key sizes.
Table 3-3 SSL Cipher Suites Supported by the ACE
Cipher Suite | Exportable | Authentication Certificate Used | Key Exchange Algorithm Used
RSA_WITH_RC4_128_MD5 | No | RSA certificate | RSA key exchange
RSA_WITH_RC4_128_SHA | No | RSA certificate | RSA key exchange
RSA_WITH_DES_CBC_SHA | No | RSA certificate | RSA key exchange
RSA_WITH_3DES_EDE_CBC_SHA | No | RSA certificate | RSA key exchange
RSA_WITH_AES_128_CBC_SHA | No | RSA certificate | RSA key exchange
RSA_WITH_AES_256_CBC_SHA | No | RSA certificate | RSA key exchange
RSA_EXPORT_WITH_RC4_40_MD5 | Yes | RSA certificate | RSA key exchange
RSA_EXPORT1024_WITH_RC4_56_MD5 | Yes | RSA certificate | RSA key exchange
RSA_EXPORT_WITH_DES40_CBC_SHA | Yes | RSA certificate | RSA key exchange
RSA_EXPORT1024_WITH_DES_CBC_SHA | Yes | RSA certificate | RSA key exchange
RSA_EXPORT1024_WITH_RC4_56_SHA | Yes | RSA certificate | RSA key exchange
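The priority rules above (highest configured priority wins, equal priorities fall back to the Table 3-3 order, and an empty cipher list means every suite in the table at priority 1) are easy to get wrong when reviewing a parameter map. The following Python model is an added example, not Cisco code and not an ACE API: it mirrors the cipher, no cipher and priority commands and predicts which suite the ACE would negotiate for a given ClientHello. The assumption that ties between equal priorities are broken strictly in table order is taken from the paragraph above Table 3-3; the class and function names are this example's own.

```python
"""Model of how the ACE picks a cipher suite for SSL termination (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Cipher suites in the order of Table 3-3. With the default setting, or when every
# configured suite has the same priority, the ACE prefers them in this order.
ACE_CIPHER_TABLE: List[str] = [
    "RSA_WITH_RC4_128_MD5",
    "RSA_WITH_RC4_128_SHA",
    "RSA_WITH_DES_CBC_SHA",
    "RSA_WITH_3DES_EDE_CBC_SHA",
    "RSA_WITH_AES_128_CBC_SHA",
    "RSA_WITH_AES_256_CBC_SHA",
    "RSA_EXPORT_WITH_RC4_40_MD5",
    "RSA_EXPORT1024_WITH_RC4_56_MD5",
    "RSA_EXPORT_WITH_DES40_CBC_SHA",
    "RSA_EXPORT1024_WITH_DES_CBC_SHA",
    "RSA_EXPORT1024_WITH_RC4_56_SHA",
]


@dataclass
class SslParameterMap:
    """Cipher-related state of one 'parameter-map type ssl' block (hypothetical model)."""
    name: str
    # cipher suite name -> priority (1..10). Empty means no 'cipher' command was
    # entered, which is the default "all cipher suites" setting.
    ciphers: Dict[str, int] = field(default_factory=dict)

    def add_cipher(self, cipher_name: str, priority: int = 1) -> None:
        """Equivalent of 'cipher <name> [priority <n>]'; names are matched case-insensitively."""
        name = cipher_name.upper()
        if name not in ACE_CIPHER_TABLE:
            raise ValueError(f"unsupported cipher suite: {cipher_name}")
        if not 1 <= priority <= 10:
            raise ValueError("priority must be an integer from 1 to 10")
        self.ciphers[name] = priority

    def remove_cipher(self, cipher_name: str) -> None:
        """Equivalent of 'no cipher <name>'; removing the last one restores the default."""
        self.ciphers.pop(cipher_name.upper(), None)

    def effective_ciphers(self) -> Dict[str, int]:
        """Configured suites, or every suite at priority 1 when none is configured."""
        return dict(self.ciphers) if self.ciphers else {c: 1 for c in ACE_CIPHER_TABLE}

    def preference_order(self) -> List[str]:
        """Highest priority first; equal priorities fall back to Table 3-3 order.

        For SSL initiation this is also the order in which the suites would be
        listed in the ACE's own ClientHello (assumption: table order breaks ties).
        """
        eff = self.effective_ciphers()
        return sorted(eff, key=lambda c: (-eff[c], ACE_CIPHER_TABLE.index(c)))


def select_cipher_for_termination(pmap: SslParameterMap,
                                  client_hello_ciphers: List[str]) -> Optional[str]:
    """Return the suite the ACE would negotiate, or None when nothing overlaps.

    Termination: the client's ClientHello list is matched against the parameter
    map and the configured suite with the highest priority wins. A None result
    means the handshake cannot complete (no suite in common).
    """
    offered = {c.upper() for c in client_hello_ciphers}
    for cipher in pmap.preference_order():
        if cipher in offered:
            return cipher
    return None


if __name__ == "__main__":
    pm = SslParameterMap("PARAMMAP_SSL")
    pm.add_cipher("rsa_with_aes_128_cbc_sha", priority=2)
    pm.add_cipher("RSA_WITH_3DES_EDE_CBC_SHA")
    # Constructed ClientHello that lists 3DES first: priority 2 on AES-128 wins anyway.
    print(select_cipher_for_termination(pm, ["RSA_WITH_3DES_EDE_CBC_SHA",
                                             "RSA_WITH_AES_128_CBC_SHA"]))
```

Two behaviours worth noticing when you run it: a parameter map with no cipher command at all negotiates RSA_WITH_RC4_128_MD5 with any client that offers it, because that suite heads Table 3-3, and deleting the last explicitly configured cipher silently returns the map to that default rather than leaving it empty.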
Defining the Close-Protocol Behavior
To configure how the ACE handles the sending of close-notify messages, use the close-protocol command in SSL parameter map configuration mode.
The syntax for this command is:
close-protocol {disabled | none | strict}
The keywords are:
• disabled—The ACE does not send a close-notify alert message to its peer when closing a session. In this case, the SSL proxy sends only a TCP FIN to terminate the SSL connection.
• none—The ACE sends a close-notify alert message to its peer when closing a session, but has no expectation of receiving one back from the peer.
• strict—The ACE sends a close-notify alert message to its peer when closing a session and expects to receive one back from the client/server. This is the default setting.
For example, to set close-protocol to none, enter:
host1/Admin(config)# parameter-map type ssl PARAMMAP_SSL
host1/Admin(config-parammap-ssl)# close-protocol none
To configure the close-protocol command with the default setting of strict, use the no form of the command:
host1/Admin(config-parammap-ssl)# no close-protocol none
Defining the SSL and TLS Version
To specify which version of security protocol the ACE supports during the SSL handshake with its peer, use the version command in SSL parameter map configuration mode.
The syntax of this command is:
version {all | ssl3 | tls1}
The keywords are:
• all—(Default) The ACE supports both SSL version 3.0 and TLS version 1.0
• ssl3—The ACE supports only SSL version 3.0
• tls1—The ACE supports only TLS version 1.0
For example, to specify SSL version 3.0 for the parameter map, enter:
host1/Admin(config)# parameter-map type ssl PARAMMAP_SSL
host1/Admin(config-parammap-ssl)# version ssl3
To remove a security protocol version from the SSL proxy parameter map, enter:
host1/Admin(config-parammap-ssl)# no version tls1
Creating and Defining an SSL Proxy Service
The SSL proxy service defines the SSL parameter map, key pair, certificate, and chaingroup the ACE uses during the SSL handshake. For SSL termination, you configure the ACE with an SSL proxy server service as the ACE acts as an SSL server.
To create an SSL proxy server service, use the ssl-proxy service command in configuration mode.
The syntax of this command is:
ssl-proxy service pservice_name
The pservice_name argument is the name of the SSL proxy server service. Enter an unquoted alphanumeric string with a maximum of 64 characters.
For example, to create the SSL proxy server service PSERVICE_SERVER, enter:
host1/Admin(config)# ssl-proxy service PSERVICE_SERVER
Once you create an SSL proxy server service, the CLI enters SSL proxy configuration mode.
host1/Admin(config-ssl-proxy)#
To delete an existing SSL proxy server service, enter:
host1/Admin(config)# no ssl-proxy service PSERVICE_SERVER
This section contains the following procedures for configuring the SSL proxy server service:
• Associating an SSL Parameter Map with the SSL Proxy Server Service
• Specifying the Key Pair
• Specifying the Certificate
• Specifying the Certificate Chain Group
Associating an SSL Parameter Map with the SSL Proxy Server Service
To associate an SSL parameter map with the SSL proxy server service, use the ssl advanced-options command in SSL proxy configuration mode.
The syntax of this command is:
ssl advanced-options parammap_name
The parammap_name argument represents the name of an existing SSL parameter map (see the "Creating and Defining an SSL Parameter Map" section). Enter an unquoted alphanumeric string with a maximum of 64 characters.
For example, to associate the parameter map PARAMMAP_SSL with the SSL proxy service, enter:
host1/Admin(config)# ssl-proxy service PSERVICE_SERVER
host1/Admin(config-ssl-proxy)# ssl advanced-options PARAMMAP_SSL
To remove the association of an SSL parameter map with the SSL proxy service, enter:
host1/Admin(config-ssl-proxy)# no ssl advanced-options PARAMMAP_SSL
Specifying the Key Pair
To specify the key pair the ACE uses during the SSL handshake for data encryption, use the key command in SSL proxy configuration mode.
Note
The public key in the key pair file you select must match the public key embedded in the certificate you select (see the "Specifying the Certificate" section). For information on verifying a public key match, see the "Verifying a Certificate Against a Key Pair" section in "Managing Certificates and Keys."
The syntax of this command is:
key key_filename
The key_filename argument represents the name of an existing key pair file loaded on the ACE. Enter an unquoted alphanumeric string with a maximum of 40 characters.
For example, to specify the private key in the key pair file MYKEY.PEM, enter:
host1/Admin(config)# ssl-proxy service PSERVICE_SERVER
host1/Admin(config-ssl-proxy)# key MYKEY.PEM
To delete a private key from the SSL proxy service, enter:
host1/Admin(config-ssl-proxy)# no key MYKEY.PEM
Specifying the Certificate
To specify the certificate the ACE uses during the SSL handshake process to prove its identity, use the cert command in SSL proxy configuration mode.
Note
The public key embedded in the certificate you select must match the public key in the key pair file you select (see the "Specifying the Key Pair" section). For information on verifying a public key match, see the "Verifying a Certificate Against a Key Pair" section in Chapter 2, Managing Certificates and Keys.
The syntax of this command is:
cert cert_filename
The cert_filename argument represents the name of an existing certificate file loaded on the ACE. Enter an unquoted alphanumeric string with a maximum of 40 characters.
For example, to specify the certificate in the certificate file MYCERT.PEM, enter:
host1/Admin(config)# ssl-proxy service PSERVICE_SERVER
host1/Admin(config-ssl-proxy)# cert MYCERT.PEM
To delete a certificate file from the SSL proxy service, enter:
host1/Admin(config-ssl-proxy)# no cert MYCERT.PEM
Specifying the Certificate Chain Group
To specify the certificate chain that the ACE sends to its peer during the SSL handshake, use the chaingroup command in SSL proxy configuration mode. The ACE includes the certificate chain along with the certificate you specified for the SSL proxy service (see the "Specifying the Certificate" section).
The syntax of this command is:
chaingroup group_name
The group_name argument represents the name of an existing certificate chain group (see the "Creating a Chain Group" section in Chapter 2, Managing Certificates and Keys). Enter an unquoted alphanumeric string with a maximum of 64 characters.
Note
When a change occurs in a chain-group certificate, the change takes effect only after you remove the associated chain group with the no chaingroup command and then re-add it with the chaingroup command.
For example, to specify the certificate chain group MYCHAINGROUP, enter:
host1/Admin(config)# ssl-proxy service PSERVICE_SERVER
host1/Admin(config-ssl-proxy)# chaingroup MYCHAINGROUP
To delete a certificate chain group from the SSL proxy service, enter:
host1/Admin(config-ssl-proxy)# no chaingroup MYCHAINGROUP
Creating a Layer 3 and Layer 4 Class Map for SSL Termination
The class map you associate with a policy map acts as a filter for traffic that matches the criteria you specify. For SSL termination, you can define the match criteria based on one or more of the following traffic characteristics:
• Access list
• Virtual IP address
• Source IP address and subnet mask
• Destination IP address and subnet mask
• TCP/UDP port number or port range
To create a Layer 3 and Layer 4 class map, use the class-map command in configuration mode. For details on creating and configuring a Layer 3 and Layer 4 class map, refer to the Cisco Application Control Engine Module Server Load-Balancing Configuration Guide.
Creating a Layer 3 and Layer 4 Policy Map for SSL Termination
For SSL termination, you configure the ACE so that it is recognized as an SSL server by a client. To accomplish this, you configure a Layer 3 and Layer 4 policy map that the ACE applies to the inbound traffic. The policy map uses the Layer 3 and Layer 4 class map you associate with it to determine if the inbound traffic matches the criteria you specify. When a match is found, the ACE engages the client in the SSL handshake and establishes an SSL session using the parameters you specify in the associated SSL proxy server service.
This section contains the following procedures for creating and configuring a Layer 3 and Layer 4 policy map for SSL termination:
• Creating a Layer 3 and Layer 4 Policy Map
• Associating the Layer 3 and Layer 4 Class Map with the Policy Map
• Associating an SSL Proxy Server Service with the Policy Map
Creating a Layer 3 and Layer 4 Policy Map
To create an SSL termination policy map, use the policy-map command in configuration mode.
The syntax of this command is:
policy-map multi-match policy_name
The policy_name argument represents the name you assign the policy map. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
For example, to create the policy map L4POLICY, enter:
host1/Admin(config)# policy-map multi-match L4POLICY
Once you create a policy map, the CLI enters policy map configuration mode.
host1/Admin(config-pmap)#
To delete an existing policy map, enter:
host1/Admin(config)# no policy-map L4POLICY
For information on associating an SSL class map with the policy map, proceed to the "Associating the Layer 3 and Layer 4 Class Map with the Policy Map" section.
Associating the Layer 3 and Layer 4 Class Map with the Policy Map
To associate the Layer 3 and Layer 4 class map with the policy map, use the class command in policy map configuration mode.
The syntax of this command is:
class class-map
The class-map argument represents the name of an existing class map. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
For example, to associate the class map L4VIPCLASS with the policy map, enter:
host1/Admin(config)# policy-map multi-match L4POLICY
host1/Admin(config-pmap)# class L4VIPCLASS
Once you associate a class map with the policy map, the CLI enters into policy-map class-map configuration mode.
host1/Admin(config-pmap-c)#
To remove the association of a class map to the policy map, enter:
host1/Admin(config-pmap)# no class L4VIPCLASS
For information on associating an SSL proxy server service with the policy map, proceed to the "Associating an SSL Proxy Server Service with the Policy Map" section.
Associating an SSL Proxy Server Service with the Policy Map
To associate an SSL proxy server service with the policy map, use the ssl-proxy server command in policy map class configuration mode.
The syntax of this command is:
ssl-proxy server pservice
The pservice argument represents the name of an existing SSL proxy server service. Enter an unquoted alphanumeric string with a maximum of 64 characters.
For example, to associate the SSL proxy server service PSERVICE_SERVER with the policy map, enter:
host1/Admin(config)# policy-map multi-match L4POLICY
host1/Admin(config-pmap)# class L4VIPCLASS
host1/Admin(config-pmap-c)# ssl-proxy server PSERVICE_SERVER
To remove the SSL proxy server service association from the policy map, enter:
host1/Admin(config-pmap-c)# no ssl-proxy server PSERVICE_SERVER
Applying the Policy Map to the VLANs
This section describes how to apply the Layer 3 and Layer 4 policy map to the VLAN traffic. The ACE allows you to apply the policy globally to all VLANs within the current context or to a specific VLAN in the context.
This section contains the following procedures for applying the policy map to a VLAN:
• Applying the Policy Map Globally
• Applying the Policy Map to a Specific VLAN
Applying the Policy Map Globally
To globally apply the policy map to all VLANs in the context, use the service-policy command in configuration mode.
The syntax of this command is:
service-policy input policy_name
The policy_name argument represents the name of an existing policy map. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
For example, to globally apply the policy map L4POLICY to all VLANs in the context, enter:
host1/Admin(config)# service-policy input L4POLICY
To globally remove the policy from all VLANs, enter:
host1/Admin(config)# no service-policy input L4POLICY
Applying the Policy Map to a Specific VLAN
To apply a policy map to a specific VLAN interface, you must enter interface configuration mode using the interface command in configuration mode.
The syntax of this command is:
interface vlan vlan
The vlan argument represents the context VLAN number. Enter an integer from 2 to 4094.
For example, to enter interface configuration mode for VLAN 10, enter:
host1/Admin(config)# interface vlan 10
To apply the policy map to the interface, use the service-policy command in interface configuration mode.
The syntax of this command is:
service-policy input policy-name
The policy-name argument represents the name of an existing policy map. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
For example, to apply the policy map L4POLICY to VLAN 10, enter:
host1/Admin(config)# interface vlan 10
host1/Admin(config-if)# service-policy input L4POLICY
To remove the policy from the interface, enter:
host1/Admin(config-if)# no service-policy input L4POLICY
Example of an SSL Termination Configuration
access-list ANYONE line 10 extended permit tcp any any
parameter-map type ssl SSL_TERM
cipher RSA_WITH_3DES_EDE_CBC_SHA
ssl-proxy service SSL_PROXY1
ssl advanced-options SSL_TERM
class-map match-all VIP-70
2 match virtual-address 172.16.22.70 any
class-map type management match-any REMOTE-ACCESS
description remote-access-traffic-match
2 match protocol telnet any
4 match protocol icmp any
policy-map type management first-match REMOTE-MGMT
policy-map type loadbalance first-match SLB5-LOGIC
policy-map multi-match CLIENT-VIPS
loadbalance vip inservice
ssl-proxy server SSL_PROXY1
ip address 172.16.22.15 255.255.255.0
access-group input ANYONE
service-policy input REMOTE-MGMT
service-policy input CLIENT-VIPS
ip address 192.168.1.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 172.16.22.1
username cisco password 5 $1$DLODpUTE$pzudNN.PTCWK.E45AsyCz/ role Admin domain default-domain
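Reviewing a running configuration like the one above by eye is where the weak defaults of this chapter slip through: a proxy service with no ssl advanced-options line silently gets the Table 3-2 defaults (every cipher suite in Table 3-3, including the export suites, and version all), and an export cipher or close-protocol disabled is one line among many. The following Python script is an added example, not part of the Cisco guide and not an ACE feature: it parses the parameter-map type ssl and ssl-proxy service blocks from saved show running-config text and reports the settings a reviewer would question. It assumes sub-commands are indented under their block, as show running-config prints them (the excerpt above has lost that indentation in extraction); the sample configuration is constructed for this example, and the map and service names in it are hypothetical.

```python
"""Audit the SSL settings in an ACE running-config excerpt (added example)."""
import re
from typing import Dict, List, Tuple

# Cipher suites that Table 3-3 marks as exportable (limited key sizes).
EXPORT_CIPHERS = {
    "RSA_EXPORT_WITH_RC4_40_MD5",
    "RSA_EXPORT1024_WITH_RC4_56_MD5",
    "RSA_EXPORT_WITH_DES40_CBC_SHA",
    "RSA_EXPORT1024_WITH_DES_CBC_SHA",
    "RSA_EXPORT1024_WITH_RC4_56_SHA",
}

# Constructed sample (not the page's example); sub-commands are indented under
# their parameter-map / ssl-proxy block as 'show running-config' prints them.
SAMPLE_CONFIG = """\
parameter-map type ssl WEAK_MAP
  cipher RSA_EXPORT_WITH_RC4_40_MD5 priority 3
  version all
  close-protocol disabled
parameter-map type ssl STRONG_MAP
  cipher RSA_WITH_AES_256_CBC_SHA priority 2
  cipher rsa_with_aes_128_cbc_sha
  version tls1
ssl-proxy service SSL_PROXY1
  key MYKEY.PEM
  cert MYCERT.PEM
  chaingroup MYCHAINGROUP
  ssl advanced-options STRONG_MAP
ssl-proxy service DEFAULTS_ONLY
  key MYKEY.PEM
  cert MYCERT.PEM
ssl-proxy service ORPHAN
  cert MYCERT.PEM
  ssl advanced-options GONE
policy-map multi-match CLIENT-VIPS
  class VIP-70
    loadbalance vip inservice
    ssl-proxy server SSL_PROXY1
"""


def parse_ssl_config(text: str) -> Dict[str, Dict[str, dict]]:
    """Collect 'parameter-map type ssl' and 'ssl-proxy service' blocks."""
    param_maps: Dict[str, dict] = {}
    proxies: Dict[str, dict] = {}
    block: Tuple[str, dict] = ("", {})  # (kind, settings) of the block being read
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.fullmatch(r"parameter-map type ssl (\S+)", line)
        if m:  # Table 3-2 defaults apply until a sub-command overrides them
            block = ("pmap", param_maps.setdefault(
                m.group(1), {"ciphers": {}, "version": "all", "close_protocol": "strict"}))
            continue
        m = re.fullmatch(r"ssl-proxy service (\S+)", line)
        if m:
            block = ("proxy", proxies.setdefault(
                m.group(1), {"key": None, "cert": None, "chaingroup": None, "parammap": None}))
            continue
        if raw == line:  # any other unindented command ends the current block
            block = ("", {})
            continue
        kind, cfg = block
        words = line.split()
        if kind == "pmap":
            if words[0] == "cipher":
                prio = int(words[3]) if len(words) >= 4 and words[2] == "priority" else 1
                cfg["ciphers"][words[1].upper()] = prio
            elif words[0] in ("version", "close-protocol"):
                cfg[words[0].replace("-", "_")] = words[1]
        elif kind == "proxy":
            if words[0] in ("key", "cert", "chaingroup"):
                cfg[words[0]] = words[1]
            elif words[:2] == ["ssl", "advanced-options"]:
                cfg["parammap"] = words[2]
    return {"parameter_maps": param_maps, "proxy_services": proxies}


def audit_ssl_config(config: Dict[str, Dict[str, dict]]) -> List[str]:
    """Return one finding per setting a reviewer would question."""
    findings: List[str] = []
    pmaps = config["parameter_maps"]
    for name, pm in pmaps.items():
        if not pm["ciphers"]:
            findings.append(f"{name}: no cipher configured, default allows every Table 3-3 suite")
        for cipher in sorted(pm["ciphers"]):
            if cipher in EXPORT_CIPHERS:
                findings.append(f"{name}: export cipher suite {cipher} enabled")
        if pm["version"] in ("all", "ssl3"):
            findings.append(f"{name}: version {pm['version']} accepts SSL 3.0")
        if pm["close_protocol"] == "disabled":
            findings.append(f"{name}: close-protocol disabled, sessions end with a bare TCP FIN")
    for name, svc in config["proxy_services"].items():
        for item in ("key", "cert"):
            if svc[item] is None:
                findings.append(f"{name}: no {item} configured")
        if svc["parammap"] is None:
            findings.append(f"{name}: no parameter map, Table 3-2 defaults apply")
        elif svc["parammap"] not in pmaps:
            findings.append(f"{name}: references missing parameter map {svc['parammap']}")
    return findings


if __name__ == "__main__":
    for finding in audit_ssl_config(parse_ssl_config(SAMPLE_CONFIG)):
        print(finding)
```

Run against the sample, the checker flags WEAK_MAP three times (export suite, version all, close-protocol disabled), DEFAULTS_ONLY for relying on the defaults, and ORPHAN for the missing key and the dangling ssl advanced-options reference, while STRONG_MAP and SSL_PROXY1 pass. A missing chaingroup is deliberately not a finding, since the guide makes the chain group optional.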