Viewing the Class Map Configuration
A security administrator can view the class map configuration using the show run class-map
command. The output from this command will display each class map and its match criteria,
as illustrated in Example 8-2.
Assigning Actions to a Traffic Class
To manage, control, and manipulate traffic classes, actions should be assigned to them.
For example, a security administrator might want to rate-limit only the HTTP traffic that
crosses the network and use deep inspection on all TCP traffic entering the network. This
is done by assigning one or more traffic classes, through class maps, to policy maps. A
policy map assigns one or more actions to each of the class maps assigned to it. Each
action is called a domain, and the sets are known as feature domains. As with a class map,
three steps are required to create a policy map:
Step 1 Create a policy map.
Step 2 Assign traffic classes to the policy map.
Step 3 Assign policies for each class.
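The three steps above, applied to the class maps http1 and internet from Example 8-1, as an added example that is not from the original text. The policy map name outside-policy, the interface name outside, and the rate and connection limits are assumptions, and the police output form assumes a software release that accepts a direction keyword.

```cisco
! Added example. Assumed names: policy map "outside-policy", interface "outside".
! Rate and connection-limit values are illustrative only.
!
! Step 1: create the policy map.
ASAfirewall(config)# policy-map outside-policy
! Step 2: assign a traffic class (class map http1, TCP port 80).
ASAfirewall(config-pmap)# class http1
! Step 3: assign the policy for that class: police to 56000 bps, 10500-byte burst.
ASAfirewall(config-pmap-c)# police output 56000 10500
! Steps 2 and 3 again for the class that matches access list cleaninet:
! cap concurrent connections and half-open (embryonic) connections.
ASAfirewall(config-pmap-c)# class internet
ASAfirewall(config-pmap-c)# set connection conn-max 2000 embryonic-conn-max 500
ASAfirewall(config-pmap-c)# exit
ASAfirewall(config-pmap)# exit
! No action takes effect until the policy map is applied with a service policy.
ASAfirewall(config)# service-policy outside-policy interface outside
! Confirm what was configured, then check the per-class counters.
ASAfirewall(config)# show run policy-map
ASAfirewall(config)# show service-policy interface outside
```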
Example 8-1 Class Map Configuration Examples
ASAfirewall(config)# class-map http1
ASAfirewall(config-cmap)# match port tcp eq 80
ASAfirewall(config)# class-map internet
ASAfirewall(config-cmap)# match access-list cleaninet
ASAfirewall(config)# class-map vpn1
ASAfirewall(config-cmap)# match tunnel-group vpn-group1
ASAfirewall(config-cmap)# match flow ip destination-address
Example 8-2 show run class-map Command Output
ASAfirewall(config)# show run class-map
class-map http1
 match port tcp eq 80
class-map internet
 match access-list cleaninet
class-map vpn1
 match flow ip destination-address
 match tunnel-group vpn-group1
ASAfirewall(config)#