Step 1: enable
  Purpose: Enables privileged EXEC mode.

Step 2: configure terminal
  Example: Device# configure terminal
  Purpose: Enters global configuration mode.

Step 3: policy-map type inspect policy-map-name
  Example: Device(config)# policy-map type inspect z1z2-policy
  Purpose: Creates a Layer 3 or Layer 4 inspect type policy map.

Step 4: class type inspect class-name
  Example: Device(config-pmap)# class type inspect cmap-1
  Purpose: Specifies the traffic (class) on which an action is to be performed and enters policy-map class configuration mode.

Step 5: inspect
  Example: Device(config-pmap-c)# inspect
  Purpose: Enables packet inspection.

Step 6: exit
  Example: Device(config-pmap-c)# exit
  Purpose: Exits policy-map class configuration mode and enters global configuration mode.

Step 7: zone-pair security zone-pair-name source source-zone destination destination-zone
  Example: Device(config)# zone-pair security z1z2 source z1 destination z2
  Purpose: Creates a zone pair and enters security zone configuration mode.
  Note: To apply a policy, you must configure a zone pair.

Step 8: service-policy type inspect policy-map-name
  Example: Device(config-sec-zone)# service-policy type inspect z1z2-policy2
  Purpose: Attaches a firewall policy map to the destination zone pair.
  Note: If a policy is not configured between a pair of zones, traffic is dropped by default.

Step 9: end
  Example: Device(config-sec-zone)# end
  Purpose: Exits security zone configuration mode and enters global configuration mode.

Step 10: interface type number
  Example: Device(config)# interface GigabitEthernet 0/1/1
  Purpose: Configures an interface and enters interface configuration mode.

Step 11: zone-member security zone-name
  Example: Device(config-if)# zone-member security Inside
  Purpose: Assigns an interface to a specified security zone.
  Note: When you make an interface a member of a security zone, all traffic in and out of that interface (except traffic bound for the router or initiated by the router) is dropped by default. To let traffic through the interface, you must make the zone part of a zone pair to which you apply a policy. If the policy permits traffic, traffic can flow through that interface.

Step 12: cts manual
  Example: Device(config-if)# cts manual
  Purpose: Enables the interface for Cisco TrustSec Security (CTS) SGT authorization and forwarding, and enters CTS manual interface configuration mode.

Step 13: no propagate sgt
  Example: Device(config-if-cts-manual)# no propagate sgt
  Purpose: Disables SGT propagation at Layer 2 on CTS interfaces.

Step 14: policy static sgt tag [trusted]
  Example: Device(config-if-cts-manual)# policy static sgt 100 trusted
  Purpose: Configures a static authorization policy for a CTS security group with a tagged packet that defines the trustworthiness of the SGT.

Step 15: exit
  Purpose: Exits security zone configuration mode and enters privileged EXEC mode.

Step 16: show policy-map type inspect zone-pair session
  Example: Device# show policy-map type inspect zone-pair session
  Purpose: (Optional) Displays the Cisco IOS stateful packet inspection sessions created because of the policy-map application on the specified zone pair.
  Note: The information displayed under the class-map field is the traffic rate (bits per second) of the connection-initiating traffic only. Unless the connection setup rate is significantly high and is sustained for multiple intervals over which the rate is computed, no significant data is shown for the connection.
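The notes in Steps 8 and 11 state the two drop-by-default rules that matter after this procedure: a zone pair with no service-policy drops traffic, and an interface whose zone is not part of a policy-bearing zone pair drops traffic. The following added script (not part of the original guide, and not a Cisco tool) audits a saved running-config for both conditions and lists interfaces with SGT propagation disabled; the config text it reads is constructed from the commands above and assumes the indentation IOS uses in show running-config.

```python
import re

# Constructed sample running-config assembled from the commands in the steps above
# (not a dump from a real device): z1z2 carries the inspect policy, z2z1 has none,
# and zone Inside belongs to no zone pair at all.
SAMPLE_CONFIG = """\
policy-map type inspect z1z2-policy
 class type inspect cmap-1
  inspect
zone-pair security z1z2 source z1 destination z2
 service-policy type inspect z1z2-policy
zone-pair security z2z1 source z2 destination z1
interface GigabitEthernet 0/1/1
 zone-member security z1
 cts manual
  no propagate sgt
  policy static sgt 100 trusted
interface GigabitEthernet 0/1/2
 zone-member security z2
interface GigabitEthernet 0/1/3
 zone-member security Inside
"""

def audit_zbfw(config):
    """Flag zone pairs with no service-policy and zone-member interfaces whose zone is in
    no policy-bearing zone pair: traffic through both is dropped by default (Steps 8, 11)."""
    pairs, policies, members, sgt_off = {}, {}, {}, []
    pair = intf = None  # which top-level block (zone-pair or interface) we are inside
    for line in config.splitlines():
        if m := re.match(r"zone-pair security (\S+) source (\S+) destination (\S+)", line):
            pair, intf = m.group(1), None
            pairs[pair] = (m.group(2), m.group(3))
        elif m := re.match(r"interface (.+)", line):
            intf, pair = m.group(1).strip(), None
        elif (m := re.match(r"\s+service-policy type inspect (\S+)", line)) and pair:
            policies[pair] = m.group(1)
        elif (m := re.match(r"\s+zone-member security (\S+)", line)) and intf:
            members[intf] = m.group(1)
        elif re.match(r"\s+no propagate sgt", line) and intf:
            sgt_off.append(intf)
    # A zone is covered only if it is the source or destination of a pair that has a policy.
    covered = {z for p, ends in pairs.items() if p in policies for z in ends}
    return {
        "pairs_without_policy": sorted(p for p in pairs if p not in policies),
        "interfaces_in_uncovered_zone": {i: z for i, z in members.items() if z not in covered},
        "sgt_propagation_disabled": sgt_off,
    }

if __name__ == "__main__":
    for finding, value in audit_zbfw(SAMPLE_CONFIG).items():
        print(f"{finding}: {value}")
```

Run it against the output of show running-config to find interfaces that will silently black-hole traffic before cutover; an empty result for the first two findings means every zone member sits in a policed zone pair.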