Modular Policy Example Flow

Step 1: Create a Class Map
You must assign a name to the class map. This name must be unique and should describe the traffic the class map will match. Use the class-map command to create a class map and assign its name. To remove the class map, use the no form of this command:
class-map class-map_name
Executing this command enters class map configuration mode. In this mode you set the match criteria and, optionally, a description for the class map. Table 8-2 lists the available commands.
Table 8-2  match Command Syntax

Command                Description
description            Specifies a description for the class-map command.
match any              Specifies that all traffic is to be matched. This can be used to catch all traffic flowing through an interface, regardless of the content, type, or destination.
match access-list      Specifies the name of an access list to be used as match criteria. This can be used when a specific destination or source requires special attention, as well as a unique set of policy actions. Access to the Internet falls under this category.
match port             Specifies to match traffic using a TCP/UDP destination port. Use this to assign a traffic class to a port not already specified by the default port lists. Additionally, you can use this match type to reassign matching for a known port, such as FTP, to a new port location, such as 10234 instead of 21.
[Figure: Modular Policy Example Flow. Three class maps feed two policy maps, which are applied by two service policies:
  Class Map Internet (match using Internet ACL) -> Policy Map outside_interface: apply inspect IPS to the Internet class map
  Class Map Voice (match on dscp cs5) -> Policy Map outside_interface: apply priority to the Voice class map
  Class Map Inspect_Default (match all traffic through all interfaces) -> Policy Map Global Policy: apply inspect to the Inspect_Default class map
  Service Policy Outside Interface applies outside_interface; Service Policy Global Interface applies Global Policy]

Table 8-2  match Command Syntax (Continued)

Command                          Description
match precedence                 Specifies to match the precedence value represented by the ToS byte in the IP header. Use this match when you are creating a set of policy actions that affect priority and queuing, such as voice and video. Make sure that the ToS byte has been assigned at the source for this to function correctly.
match dscp                       Specifies to match the IETF-defined DSCP value in the IP header. Like the precedence match criteria cited previously, this should be used when assigning actions that will affect priority and queuing.
match rtp                        Specifies to match an RTP UDP port. This matching criterion will allow you to set priority and queue settings for video in a priority map.
match tunnel-group               Specifies to match security-related tunnel groups. Use this if you would like to match a VPN group of remote users and force its traffic into a priority map for inspection, IPS, and so on.
match flow                       Specifies to match every flow based on a unique IP destination address. This augments the match tunnel-group command, and must be used with the tunnel-group command.
match default-inspection-traffic Specifies to match default traffic for the inspect commands. This is used on the global interface and through the default policies. You can also use it to match the default match criteria, so that you can add additional actions via a policy map. It is easier to modify the default policy map than to create a new one.

Abbreviations used in Table 8-2:
ToS = Type of Service
IETF = Internet Engineering Task Force
DSCP = Differentiated Services Code Point
RTP = Real-Time Transport Protocol
UDP = User Datagram Protocol
VPN = virtual private network
IPS = Intrusion Protection Services
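The flow shown in the figure, written out as the class maps, policy maps and service policies that implement it. This is an added example, not configuration from the book: the ACL name INTERNET_ACL, the interface name outside, the inspect protocols chosen and the ips action (which requires an IPS module) are assumptions; the class-map, policy-map and service-policy names follow the figure and the note below.

```cisco
! Access list referenced by the Internet class map (assumed name and entries)
access-list INTERNET_ACL extended permit tcp any any eq www
access-list INTERNET_ACL extended permit tcp any any eq https
!
! Class maps: each one selects traffic with a single match criterion
class-map Internet
 description Outbound web traffic selected by the Internet ACL
 match access-list INTERNET_ACL
!
class-map Voice
 description Voice traffic; DSCP cs5 must already be set at the source
 match dscp cs5
!
class-map inspection_default
 description Default ports for the inspect engines, used by the global policy
 match default-inspection-traffic
!
! Policy maps: bind actions to the classes
policy-map outside_interface
 class Internet
  ips inline fail-close
 class Voice
  priority
!
policy-map asa_global_fw_policy
 class inspection_default
  inspect dns
  inspect ftp
  inspect http
!
! The priority action only takes effect once a priority queue exists on the interface
priority-queue outside
!
! Service policies: activate the policy maps
service-policy outside_interface interface outside
service-policy asa_global_fw_policy global
!
! Verification: confirms each class is bound and shows per-class packet counters
show service-policy interface outside
show service-policy global
```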
NOTE You cannot use the name class-default for a class map, because it is the default catch-all class map assigned to the global policy map. You can remove the default class map, although this is not recommended. To do so, use the following commands in sequence:
pix(config)# no service-policy asa_global_fw_policy global
pix(config)# no policy-map asa_global_fw_policy
pix(config)# no class-map inspection_default