Nested Class Map Support for Zone-Based Policy Firewall

Similar documents
Sun RPC ALG Support for Firewalls and NAT

Sun RPC ALG Support for Firewalls and NAT

QoS Group Match and Set for Classification and Marking

Loose Checking Option for TCP Window Scaling in Zone-Based Policy Firewall

Enabling ALGs and AICs in Zone-Based Policy Firewalls

Enabling ALGs and AICs in Zone-Based Policy Firewalls

Configurable Number of Simultaneous Packets per Flow

Quality of Service for VPNs

Object Groups for ACLs

Configuring Firewall TCP SYN Cookie

Fine-Grain NBAR for Selective Applications

Sun RPC ALG Support for Firewall and NAT

Firewall Stateful Inspection of ICMP

NAT Routemaps Outside-to-Inside Support

MSRPC ALG Support for Firewall and NAT

EVC Quality of Service

Port-Level Shaping and Minimum Bandwidth Guarantee

Fine-Grain NBAR for Selective Applications

Configuring Network-Based Application Recognition

Marking Network Traffic

Match-in-VRF Support for NAT

GPRS Tunneling Protocol V2 Support

QoS Tunnel Marking for GRE Tunnels

Applying QoS Features Using the MQC

Regulating Packet Flow on a Per-Interface Basis Using Generic Traffic Shaping

Configurable Queue Depth

EVC Quality of Service

Configuring GPRS Tunneling Protocol Support

EVC Quality of Service

Marking Network Traffic

Using Flexible NetFlow Flow Sampling

ACL Syslog Correlation

Port-Shaper and LLQ in the Presence of EFPs

Using Flexible NetFlow Flow Sampling

QoS: Child Service Policy for Priority Class

Classifying and Marking MPLS EXP

Configuring Class-Based RTP and TCP Header Compression

BGP Route-Map Continue

Flexible Packet Matching XML Configuration

GGSN Pooling Support for Firewalls

NBAR2 HTTP-Based Visibility Dashboard

Bulk Logging and Port Block Allocation

FPG Endpoint Agnostic Port Allocation

Object Groups for ACLs

Multi-Level Priority Queues

DMVPN Event Tracing. Finding Feature Information

Ethernet Overhead Accounting

Flexible NetFlow - MPLS Support

WRED Explicit Congestion Notification

OSPF Limit on Number of Redistributed Routes

Object Groups for ACLs

Per-Flow Admission. Finding Feature Information. Prerequisites for Per-Flow Admission

Flow-Based per Port-Channel Load Balancing

Protection Against Distributed Denial of Service Attacks

RADIUS Route Download

QoS Packet-Matching Statistics Configuration

How to Create an IP Access List to Filter IP Options TCP Flags Noncontiguous Ports or TTL Values,

Prerequisites for Creating an IP Access List to Filter IP Options TCP Flags Noncontiguous Ports

SSL Custom Application

Control Plane Policing

OSPF Incremental SPF

Modular QoS CLI Three-Level Hierarchical Policer

AAA Dead-Server Detection

802.1P CoS Bit Set for PPP and PPPoE Control Frames

EIGRP Support for Route Map Filtering

Configuring Application Visibility and Control for Cisco Flexible Netflow

OSPFv2 Local RIB. Finding Feature Information

Configuring Class-Based RTP and TCP Header Compression

Classifying Network Traffic

IGMP Proxy. Finding Feature Information. Prerequisites for IGMP Proxy

Configuring DHCP Option 60 and Option 82 with VPN-ID Support for Transparent Automatic Logon

Restrictions for Disabling Flow Cache Entries in NAT and NAT64

Per-Flow Admission. Finding Feature Information. Prerequisites for Per-Flow Admission

QoS Policy Propagation via BGP

Classifying Network Traffic

EIGRP Route Tag Enhancements

IPv6 Routing: Route Redistribution

Flexible Packet Matching XML Configuration

MPLS over GRE. Finding Feature Information. Prerequisites for MPLS VPN L3VPN over GRE

Creating an IP Access List to Filter IP Options TCP Flags Noncontiguous Ports or TTL Values

IGMP Static Group Range Support

Zone-Based Policy Firewall High Availability

Using the Multicast Routing Monitor

The ISG RADIUS Proxy Support for Mobile Users Hotspot Roaming and Accounting Start Filtering feature

Memory Threshold Notifications

Area Command in Interface Mode for OSPFv2

QoS: Regulating Packet Flow Configuration Guide, Cisco IOS Release 15S

Configuring IP Summary Address for RIPv2

Configuring IP SLAs TCP Connect Operations

Object Groups for ACLs

Configuring an Error Response Code upon an Out-of-Dialog OPTIONS Ping Failure

Named ACL Support for Noncontiguous Ports on an Access Control Entry

IEEE 802.1X Open Authentication

Configuring Data Export for Flexible NetFlow with Flow Exporters

Flexible NetFlow IPv6 Unicast Flows

IS-IS Inbound Filtering

Flexible NetFlow IPFIX Export Format

Dynamic Bandwidth Sharing

Creating an IP Access List to Filter IP Options, TCP Flags, Noncontiguous Ports

Flexible NetFlow IPv4 Unicast Flows

Transcription:

Nested Class Map Support for Zone-Based Policy Firewall The Nested Class Map Support for Zone-Based Policy Firewall feature provides the Cisco IOS XE firewall the functionality to configure multiple traffic classes (which are also called nested class maps or hierarchical class maps) as a single traffic class. When packets meet more than one match criterion, you can configure multiple class maps that can be associated with a single traffic policy. The Cisco IOS XE firewall supports up to three levels of class map hierarchy. Finding Feature Information, page 1 Prerequisites for Nested Class Map Support for Zone-Based Policy Firewall, page 2 Information About Nested Class Map Support for Zone-Based Policy Firewall, page 2 How to Configure Nested Class Map Support for Zone-Based Policy Firewall, page 3 Configuration Examples for Nested Class Map Support for Zone-Based Policy Firewall, page 8 Additional References for Nested Class Map Support for Zone-Based Policy Firewall, page 8 Feature Information for Nested Class Map Support for Zone-Based Policy Firewall, page 9 Finding Feature Information Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table. Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required. 1

Prerequisites for Nested Class Map Support for Zone-Based Policy Firewall Nested Class Map Support for Zone-Based Policy Firewall Prerequisites for Nested Class Map Support for Zone-Based Policy Firewall Before configuring nested class maps, you should be familiar with the modular Quality of Service (QoS) CLI (MQC). Information About Nested Class Map Support for Zone-Based Policy Firewall Nested Class Maps In Cisco IOS XE Release 3.5S and later releases, you can configure multiple traffic classes (which are also called nested class maps or hierarchical class maps) as a single traffic class. When packets meet more than one match criterion, you can configure multiple class maps that can be associated with a single traffic policy. The nesting of class maps can be achieved by configuring the match class-map command. The only method of combining the match-any and match-all characteristics within a single traffic class is by using the class-map command. match-all and match-any Keywords of the class-map Command To create a traffic class, you must configure the class-map command with the match-all and match-any keywords. You need to specify the match-all and match-any keywords only if more than one match criterion is configured in the traffic class. The following rules apply to the match-all and match-any keywords: Use the match-all keyword when all match criteria in the traffic class must be met to place a packet in the specified traffic class. Use the match-any keyword when only one of the match criterion in the traffic class must be met to place a packet in the specified traffic class. If you do not specify the match-all keyword or the match-any keyword, the traffic class behaves in a manner that is consistent with the match-all keyword. Your zone-based policy firewall configuration supports nested class maps if the following criteria are met: Individual class maps in a hierarchy include multiple match class-map command references. Individual class maps in a hierarchy include match rules other than the match class-map command. 2

Nested Class Map Support for Zone-Based Policy Firewall How to Configure Nested Class Map Support for Zone-Based Policy Firewall How to Configure Nested Class Map Support for Zone-Based Policy Firewall Configuring a Two-Layer Nested Class Map SUMMARY STEPS 1. enable 2. configure terminal 3. class-map match-any class-map-name 4. match protocol protocol-name 5. exit 6. class-map match-any class-map-name 7. match protocol protocol-name 8. exit 9. class-map match-any class-map-name 10. match class-map class-map-name 11. match class-map class-map-name 12. end DETAILED STEPS Step 1 Step 2 Command or Action enable Router> enable configure terminal Purpose Enables privileged EXEC mode. Enter your password if prompted. Enters global configuration mode. Step 3 Step 4 class-map match-any class-map-name Router(config)# class-map match-any child1 match protocol protocol-name Router(config-cmap)# match protocol tcp Creates a Layer 3 or Layer 4 class map and enters class map configuration mode. Configures the match criteria for a class map on the basis of a specified protocol. 3

Configuring a Two-Layer Nested Class Map Nested Class Map Support for Zone-Based Policy Firewall Step 5 Step 6 Step 7 Step 8 Step 9 Command or Action exit Router(config-cmap)# exit class-map match-any class-map-name Router(config)# class-map match-any child2 match protocol protocol-name Router(config-cmap)# match protocol udp exit Router(config-cmap)# exit class-map match-any class-map-name Router(config)# class-map match-any parent Purpose Exits class map configuration mode and enters global configuration mode. Creates a Layer 3 or Layer 4 class map and enters class map configuration mode. Configures the match criteria for a class map on the basis of a specified protocol. Exits class map configuration mode and enters global configuration mode. Creates a Layer 3 or Layer 4 class map and enters class map configuration mode. Step 10 match class-map class-map-name Configures a traffic class as a classification policy. Step 11 Router(config-cmap)# match class-map child1 match class-map class-map-name Configures a traffic class as a classification policy. Step 12 Router(config-cmap)# match class-map child2 end Router(config-cmap)# end Exits class map configuration mode and enters privileged EXEC mode. 4

Nested Class Map Support for Zone-Based Policy Firewall Configuring a Policy Map for a Nested Class Map Configuring a Policy Map for a Nested Class Map SUMMARY STEPS 1. enable 2. configure terminal 3. policy-map type inspect policy-map-name 4. class-type inspect class-map-name 5. inspect 6. end DETAILED STEPS Step 1 Step 2 Command or Action enable Router> enable configure terminal Purpose Enables privileged EXEC mode. Enter your password if prompted. Enters global configuration mode. Step 3 policy-map type inspect policy-map-name Router(config)# policy-map type inspect pmap Creates a Layer 3 or Layer 4 inspect type policy map and enters policy map configuration mode. Step 4 Step 5 class-type inspect class-map-name Router(config-pmap)# class-type inspect parent inspect Specifies the traffic (class) on which an action is to be performed and enters policy-map class configuration mode. Enables Cisco IOS XE stateful packet inspection. Step 6 Router(config-pmap-c)# inspect end Router(config-pmap-c)# end Exits policy-map class configuration mode and enters privileged EXEC mode. 5

Attaching a Policy Map to a Zone Pair Nested Class Map Support for Zone-Based Policy Firewall Attaching a Policy Map to a Zone Pair SUMMARY STEPS 1. enable 2. configure terminal 3. zone security zone-name 4. exit 5. zone security zone-name 6. exit 7. zone-pair security zone-pair-name [source zone-name destination [zone-name]] 8. service-policy type inspect policy-map-name 9. exit 10. interface type number 11. zone-member security zone-name 12. end DETAILED STEPS Step 1 Step 2 Command or Action enable Router> enable configure terminal Purpose Enables privileged EXEC mode. Enter your password if prompted. Enters global configuration mode. Step 3 zone security zone-name Router(config)# zone security source-zone Creates a security zone to which interfaces can be assigned and enters security zone configuration mode. Step 4 Step 5 exit Router(config-sec-zone)# exit zone security zone-name Router(config)# zone security destination-zone Exits security zone configuration mode and enters global configuration mode. Creates a security zone to which interfaces can be assigned and enters security zone configuration mode. 6

Nested Class Map Support for Zone-Based Policy Firewall Attaching a Policy Map to a Zone Pair Step 6 Command or Action exit Router(config-sec-zone)# exit Purpose Exits security zone configuration mode and enters global configuration mode. Step 7 zone-pair security zone-pair-name [source zone-name destination [zone-name]] Router(config)# zone-pair security secure-zone source source-zone destination destination-zone Creates a zone pair and enters security zone pair configuration mode. To apply a policy, you must configure a zone pair. Step 8 Step 9 Step 10 service-policy type inspect policy-map-name Router(config-sec-zone-pair)# service-policy type inspect pmap exit Router(config-sec-zone-pair)# exit interface type number Attaches a firewall policy map to the destination zone pair. Note If a policy is not configured between a pair of zones, traffic is dropped by default. Exits security zone pair configuration mode and enters global configuration mode. Configures an interface and enters interface configuration mode. Step 11 Step 12 Router(config)# interface gigabitethernet 0/0/1 zone-member security zone-name Router(config-if)# zone-member security source-zone end Router(config-if)# end Assigns an interface to a specified security zone. When you make an interface a member of a security zone, all traffic into and out of that interface (except traffic bound for the router or initiated by the router) is dropped by default. To let traffic through the interface, you must make the zone part of a zone pair to which you apply a policy. If the policy permits traffic, traffic can flow through that interface. Exits interface configuration mode and enters privileged EXEC mode. 7

Configuration Examples for Nested Class Map Support for Zone-Based Policy Firewall Nested Class Map Support for Zone-Based Policy Firewall Configuration Examples for Nested Class Map Support for Zone-Based Policy Firewall Configuring a Two-Layer Nested Class Map Router(config)# class-map match-any child1 Router(config-cmap)# match protocol tcp Router(config-cmap)# exit Router(config)# class-map match-any child2 Router(config-cmap)# match protocol udp Router(config-cmap)# exit Router(config)# class-map match-any parent Router(config-cmap)# match class-map child1 Router(config-cmap)# match class-map child2 Router(config-cmap)# end Configuring a Policy Map for a Nested Class Map Router(config)# policy-map type inspect pmap Router(config-pmap)# class-type inspect parent Router(config-pmap-c)# inspect Router(config-pmap-c)# end Attaching a Policy Map to a Zone Pair Router(config)# zone security source-zone Router(config-sec-zone)# exit Router(config)# zone security destination-zone Router(config-sec-zone)# exit Router(config)# zone-pair security secure-zone source source-zone destination destination-zone Router(config-sec-zone-pair)# service-policy type inspect pmap Router(config-sec-zone-pair)# exit Router(config)# interface gigabitethernet 0/0/1 Router(config-if)# zone-member security source-zone Router(config-if)# end Additional References for Nested Class Map Support for Zone-Based Policy Firewall Related Documents Related Topic Cisco IOS commands Document Title Cisco IOS Master Command List, All Releases 8

Nested Class Map Support for Zone-Based Policy Firewall Feature Information for Nested Class Map Support for Zone-Based Policy Firewall Related Topic Security commands Document Title Cisco IOS Security Command Reference: Commands A to C Cisco IOS Security Command Reference: Commands D to L Cisco IOS Security Command Reference: Commands M to R Cisco IOS Security Command Reference: Commands S to Z Zone-based policy firewall Zone-Based Policy Firewall Technical Assistance Description The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password. Link http://www.cisco.com/cisco/web/support/index.html Feature Information for Nested Class Map Support for Zone-Based Policy Firewall The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature. Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required. 9

Feature Information for Nested Class Map Support for Zone-Based Policy Firewall Nested Class Map Support for Zone-Based Policy Firewall Table 1: Feature Information for Nested Class Map Support for Zone-Based Policy Firewall Feature Name Nested Class Map Support for Zone-Based Policy Firewall Releases Cisco IOS XE Release 3.5S Feature Information The Nested Class Map Support for Zone-Based Policy Firewall feature provides the Cisco IOS XE firewall the functionality to configure multiple traffic classes (which are also called nested class maps or hierarchical class maps) as a single traffic class. When packets meet more than one match criterion, you can configure multiple class maps that can be associated with a single traffic policy. 10

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback