Chapter 20
Using Modular Policy Framework
Defining Actions (Layer 3/4 Policy Map)
The policy_map_name argument is the name of the policy map, up to 40 characters in length. All types
of policy maps use the same name space, so you cannot reuse a name already used by another type of
policy map. The CLI enters policy-map configuration mode.
Step 2
(Optional) Specify a description for the policy map:
hostname(config-pmap)# description text
Step 3
Specify a previously configured Layer 3/4 class map using the following command:
hostname(config-pmap)# class class_map_name
where the class_map_name is the name of the class map you created earlier. See the "Identifying Traffic
(Layer 3/4 Class Map)" section on page 20-4 to add a class map.
Step 4
Specify one or more actions for this class map.
• TCP and UDP connection limits and timeouts, and TCP sequence number randomization. See the
"Configuring Connection Limits and Timeouts" section on page 21-1.
• TCP state bypass. See the "Configuring TCP State Bypass" section on page 21-4.
• Application inspection. See Chapter 22, "Applying Application Layer Protocol Inspection."
• Permitting or Denying Application Types with PISA Integration—See the "Permitting or Denying
Application Types with PISA Integration" section on page 21-10.
Note If there is no match default-inspection-traffic command in a class map, then at most one
inspect command is allowed to be configured under the class.
Step 5
Repeat Step 3 and Step 4 for each class map you want to include in this policy map.
The following is an example of a policy-map command for connection policy. It limits the number of
connections allowed to the web server 10.1.1.1:
hostname(config)# access-list http-server permit tcp any host 10.1.1.1
hostname(config)# class-map http-server
hostname(config-cmap)# match access-list http-server
hostname(config)# policy-map global-policy
hostname(config-pmap)# description This policy map defines a policy concerning connection to http server.
hostname(config-pmap)# class http-server
hostname(config-pmap-c)# set connection conn-max 256
The following example shows how multi-match works in a policy map:
hostname(config)# class-map inspection_default
hostname(config-cmap)# match default-inspection-traffic
hostname(config)# class-map http_traffic
hostname(config-cmap)# match port tcp eq 80
hostname(config)# policy-map outside_policy
hostname(config-pmap)# class inspection_default
hostname(config-pmap-c)# inspect http http_map
hostname(config-pmap-c)# inspect sip
hostname(config-pmap)# class http_traffic
hostname(config-pmap-c)# set connection timeout tcp 0:10:0
The following example shows how traffic matches the first available class map, and will not match any
subsequent class maps that specify actions in the same feature domain:
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM
OL-20748-01
20-19