Step 1: enable
  Example: Device> enable
  Enables privileged EXEC mode.

Step 2: configure terminal
  Example: Device# configure terminal
  Enters global configuration mode.

Step 3: class-map type inspect match-any class-map-name
  Example: Device(config)# class-map type inspect match-any ddos-class
  Creates an application-specific inspect type class map and enters QoS class-map configuration mode.

Step 4: match protocol {icmp | tcp | udp}
  Example: Device(config-cmap)# match protocol tcp
  Configures the match criterion for the class map based on the specified protocol.

Step 5: exit
  Example: Device(config-cmap)# exit
  Exits QoS class-map configuration mode and enters global configuration mode.

Step 6: parameter-map type inspect global
  Example: Device(config)# parameter-map type inspect global
  Defines a global inspect parameter map and enters parameter-map type inspect configuration mode.

Step 7: redundancy
  Example: Device(config-profile)# redundancy
  Enables firewall high availability.

Step 8: exit
  Example: Device(config-profile)# exit
  Exits parameter-map type inspect configuration mode and enters global configuration mode.

Step 9: policy-map type inspect policy-map-name
  Example: Device(config)# policy-map type inspect ddos-fw
  Creates a protocol-specific inspect type policy map and enters QoS policy-map configuration mode.

Step 10: class type inspect class-map-name
  Example: Device(config-pmap)# class type inspect ddos-class
  Specifies the traffic class on which an action is to be performed and enters QoS policy-map class configuration mode.

Step 11: inspect
  Example: Device(config-pmap-c)# inspect
  Enables stateful packet inspection.

Step 12: exit
  Example: Device(config-pmap-c)# exit
  Exits QoS policy-map class configuration mode and enters QoS policy-map configuration mode.

Step 13: class class-default
  Example: Device(config-pmap)# class class-default
  Configures the default class on which an action is to be performed and enters QoS policy-map class configuration mode.

Step 14: drop
  Example: Device(config-pmap-c)# drop
  Allows traffic to pass between two interfaces in the same zone.

Step 15: exit
  Example: Device(config-pmap-c)# exit
  Exits QoS policy-map class configuration mode and enters QoS policy-map configuration mode.

Step 16: exit
  Example: Device(config-pmap)# exit
  Exits QoS policy-map configuration mode and enters global configuration mode.

Step 17: zone security security-zone-name
  Example: Device(config)# zone security private
  Creates a security zone and enters security zone configuration mode.

Step 18: exit
  Example: Device(config-sec-zone)# exit
  Exits security zone configuration mode and enters global configuration mode.

Step 19: zone security security-zone-name
  Example: Device(config)# zone security public
  Creates a security zone and enters security zone configuration mode.

Step 20: exit
  Example: Device(config-sec-zone)# exit
  Exits security zone configuration mode and enters global configuration mode.

Step 21: zone-pair security zone-pair-name source source-zone destination destination-zone
  Example: Device(config)# zone-pair security private2public source private destination public
  Creates a zone pair and enters security zone-pair configuration mode.

Step 22: service-policy type inspect policy-map-name
  Example: Device(config-sec-zone-pair)# service-policy type inspect ddos-fw
  Attaches a policy map to a top-level policy map.

Step 23: exit
  Example: Device(config-sec-zone-pair)# exit
  Exits security zone-pair configuration mode and enters global configuration mode.

Step 24: interface type number
  Example: Device(config)# interface gigabitethernet 0/1/0.1
  Configures an interface and enters subinterface configuration mode.

Step 25: ip address ip-address mask
  Example: Device(config-subif)# ip address 10.1.1.1 255.255.255.0
  Configures an IP address for the subinterface.

Step 26: encapsulation dot1q vlan-id
  Example: Device(config-subif)# encapsulation dot1q 2
  Sets the encapsulation method used by the interface.

Step 27: zone-member security security-zone-name
  Example: Device(config-subif)# zone-member security private
  Configures the interface as a zone member.
  - For the security-zone-name argument, you must specify one of the zones that you configured with the zone security command.
  - When an interface is in a security zone, all traffic to and from that interface (except traffic going to the device or initiated by the device) is dropped by default. To permit traffic through an interface that is a zone member, you must make that zone part of a zone pair to which you apply a policy. If the policy permits traffic (via inspect or pass actions), traffic can flow through the interface.

Step 28: end
  Example: Device(config-subif)# end
  Exits subinterface configuration mode and enters privileged EXEC mode.

Step 29: To attach a zone to another interface, repeat Steps 21 to 25.
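As an added example (not part of this procedure and not Cisco's code), the following Python script assembles Steps 3 to 27 into one constructed running-config fragment, adds the second subinterface for the public zone that Step 29 asks you to configure, and checks for the pitfall described in the Step 27 note: a zone-member interface whose zone was never created, or whose zone is not covered by a zone pair with a service policy, carries no through-traffic. The running-config style interface names (GigabitEthernet0/1/0.x), the extra VLANs and addresses, and the never-created zone "dmz" are constructed for the sample; `lint_zbf` and `_blocks` are hypothetical helper names, and the built-in "self" zone is exempted from the definition check.

```python
"""Lint a zone-based firewall (ZBF) configuration for zones whose traffic is dropped by default."""
import re
from typing import Dict, Iterator, List, Optional, Set, Tuple

# Constructed sample: Steps 3-27 of the procedure as a running-config fragment, plus a
# second subinterface in the "public" zone (Step 29) and a third subinterface that is a
# member of a zone ("dmz") that no "zone security" command ever created.
SAMPLE_CONFIG = """\
class-map type inspect match-any ddos-class
 match protocol tcp
parameter-map type inspect global
 redundancy
policy-map type inspect ddos-fw
 class type inspect ddos-class
  inspect
 class class-default
  drop
zone security private
zone security public
zone-pair security private2public source private destination public
 service-policy type inspect ddos-fw
interface GigabitEthernet0/1/0.1
 encapsulation dot1q 2
 ip address 10.1.1.1 255.255.255.0
 zone-member security private
interface GigabitEthernet0/1/0.2
 encapsulation dot1q 3
 ip address 10.1.2.1 255.255.255.0
 zone-member security public
interface GigabitEthernet0/1/0.3
 encapsulation dot1q 4
 ip address 10.1.3.1 255.255.255.0
 zone-member security dmz
"""

PAIR_RE = re.compile(r"^zone-pair security (\S+) source (\S+) destination (\S+)$")


def _blocks(config: str) -> Iterator[Tuple[str, List[str]]]:
    """Yield (header, indented child lines) for each top-level IOS config block."""
    header: Optional[str] = None
    children: List[str] = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue  # blank line or comment
        if raw[0].isspace():
            children.append(raw.strip())  # indented line belongs to the current block
        else:
            if header is not None:
                yield header, children
            header, children = raw.strip(), []
    if header is not None:
        yield header, children


def lint_zbf(config: str) -> List[str]:
    """Return human-readable findings; an empty list means every zone member is policed."""
    zones: Set[str] = {"self"}  # the self zone exists without being configured
    policies: Set[str] = set()
    pairs: Dict[str, Dict[str, Optional[str]]] = {}
    members: Dict[str, str] = {}  # interface name -> zone

    for header, children in _blocks(config):
        if header.startswith("zone security "):
            zones.add(header.split()[2])
        elif header.startswith("policy-map type inspect "):
            policies.add(header.split()[3])
        elif (m := PAIR_RE.match(header)):
            policy = None
            for child in children:
                if child.startswith("service-policy type inspect "):
                    policy = child.split()[3]
            pairs[m.group(1)] = {"source": m.group(2), "destination": m.group(3), "policy": policy}
        elif header.startswith("interface "):
            name = header.split(None, 1)[1]
            for child in children:
                if child.startswith("zone-member security "):
                    members[name] = child.split()[2]

    findings: List[str] = []
    policed: Set[str] = set()  # zones that appear in a zone pair with a valid policy
    for name, pair in sorted(pairs.items()):
        for role in ("source", "destination"):
            if pair[role] not in zones:
                findings.append(f"zone-pair {name}: {role} zone '{pair[role]}' is not defined")
        if pair["policy"] is None:
            findings.append(f"zone-pair {name}: no service-policy attached; matching traffic is dropped")
        elif pair["policy"] not in policies:
            findings.append(f"zone-pair {name}: policy-map '{pair['policy']}' is not defined")
        else:
            policed.update({pair["source"], pair["destination"]})
    for iface, zone in sorted(members.items()):
        if zone not in zones:
            findings.append(f"{iface}: zone-member references undefined zone '{zone}'")
        elif zone not in policed:
            findings.append(f"{iface}: zone '{zone}' is in no zone pair with a policy; through-traffic is dropped")
    return findings


if __name__ == "__main__":
    for line in lint_zbf(SAMPLE_CONFIG) or ["no findings"]:
        print(line)
```

On the sample, the only finding is the "dmz" subinterface; removing the `service-policy` line from the zone pair additionally flags the pair itself and both remaining zone members, which is the silent-drop condition the Step 27 note warns about.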