Feature Matching Guidelines For Multiple Policy Maps; Default Layer 3/4 Policy Map; Adding A Layer 3/4 Policy Map - Cisco 7604 Configuration Manual

Catalyst 6500 series switch and cisco 7600 series router firewall services module configuration guide using the cli
Defining Actions (Layer 3/4 Policy Map)

Feature Matching Guidelines for Multiple Policy Maps

For TCP and UDP traffic (and ICMP when you enable stateful ICMP inspection), service policies
operate on traffic flows, and not just individual packets. If traffic is part of an existing connection that
matches a feature in a policy on one interface, that traffic flow cannot also match the same feature in a
policy on another interface; only the first policy is used.
For example, if HTTP traffic matches a policy on the inside interface to inspect HTTP traffic, and you
have a separate policy on the outside interface for HTTP inspection, then that traffic is not also inspected
on the egress of the outside interface. Similarly, the return traffic for that connection will not be
inspected by the ingress policy of the outside interface, nor by the egress policy of the inside interface.
For traffic that is not treated as a flow, for example ICMP when you do not enable stateful ICMP
inspection, returning traffic can match a different policy map on the returning interface. For example, if
you configure connection limits on the inside and outside interfaces, but the inside policy sets the
maximum connections to 2000 while the outside policy sets the maximum connections to 3000, then a
non-stateful Ping might be denied at a lower level if it is outbound than if it is inbound.
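The following is an added example, not code from the Cisco guide: a small Python model of the feature-matching rule just described. It assumes a simplified representation in which each interface's service policy is a dictionary of feature name to value; the interface names and the 2000/3000 connection limits are the constructed values from the text above.

```python
# Added illustration of the FWSM MPF feature-matching rule; not Cisco code.
STATEFUL = {"tcp", "udp"}  # ICMP is treated as a flow only with stateful ICMP inspection


def is_flow(proto, stateful_icmp=False):
    """True when traffic is handled as a connection (flow) rather than per packet."""
    return proto in STATEFUL or (proto == "icmp" and stateful_icmp)


def match_packet(feature, ingress, egress, policies):
    """A packet can match a given feature at most once: the ingress interface's
    policy is checked first, then the egress interface's policy."""
    for iface in (ingress, egress):
        policy = policies.get(iface, {})
        if feature in policy:
            return iface, policy[feature]
    return None  # no policy on either interface applies this feature


def effective_feature(feature, proto, ingress, egress, policies, stateful_icmp=False):
    """Return {direction: (interface, value)} showing which policy applies the feature.

    For flow traffic the first policy that matched is used for the whole
    connection, so the return direction reuses it.  For non-flow traffic each
    direction is matched independently on its own ingress/egress interfaces."""
    forward = match_packet(feature, ingress, egress, policies)
    if is_flow(proto, stateful_icmp):
        return {"forward": forward, "return": forward}
    return {"forward": forward,
            "return": match_packet(feature, egress, ingress, policies)}


# Constructed sample service policies (assumed feature names, not a real config):
POLICIES = {
    "inside": {"inspect http": True, "conn-max": 2000},
    "outside": {"inspect http": True, "conn-max": 3000},
}

if __name__ == "__main__":
    # HTTP connection from inside: only the inside policy inspects it, both ways.
    print(effective_feature("inspect http", "tcp", "inside", "outside", POLICIES))
    # Non-stateful ping: outbound limited by 2000, the reply by 3000.
    print(effective_feature("conn-max", "icmp", "inside", "outside", POLICIES))
    # With stateful ICMP inspection the ping behaves like a flow.
    print(effective_feature("conn-max", "icmp", "inside", "outside", POLICIES, True))
```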

Default Layer 3/4 Policy Map

The configuration includes a default Layer 3/4 policy map that the FWSM uses in the default global
policy. It is called global_policy and performs inspection on the default inspection traffic. You can only
apply one global policy, so if you want to alter the global policy, you need to either reconfigure the
default policy or disable it and apply a new one.
The default policy map configuration includes the following commands:
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
Note: See the "Incompatibility of Certain Feature Actions" section on page 20-17 for more information
about the special match default-inspection-traffic command used in the default class map.

Adding a Layer 3/4 Policy Map

The maximum number of policy maps is 64. To create a Layer 3/4 policy map, perform the following
steps:
Step 1 Add the policy map by entering the following command:
hostname(config)# policy-map policy_map_name

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM, OL-20748-01, Chapter 20 Using Modular Policy Framework, page 20-18
