Cisco 5510 Getting Started Guide - Page 179
class, global, interface, nameif, Step 3
![]() |
UPC - 882658094767
View all Cisco 5510 manuals
Add to My Manuals
Save this manual to your list of manuals |
Page 179 highlights
Chapter 13 Configuring the AIP SSM Configuring the AIP SSM Step 5 where the class_map_name2 argument is the name of a separate class map on which you want to perform IPS inspection. See Step 3 for information about the command options. Traffic cannot match more than one class map for the same action type; so if you want network A to go to sensorA, but want all other traffic to go to sensorB, then you need to enter the class command for network A before you enter the class command for all traffic; otherwise all traffic (including network A) will match the first class command, and will be sent to sensorB. To activate the policy map on one or more interfaces, enter the following command: hostname(config-pmap-c)# service-policy policy_map_name [global | interface interface_ID] hostname where policy_map_name is the policy map you configured in Step 2. To apply the policy map to traffic on all the interfaces, use the global keyword. To apply the policy map to traffic on a specific interface, use the interface interface_ID option, where interface_ID is the name assigned to the interface with the nameif command. Only one global policy is allowed. You can override the global policy on an interface by applying a service policy to that interface. You can only apply one policy map to each interface. 78-19186-01 The following example diverts all IP traffic to the AIP SSM in promiscuous mode, and blocks all IP traffic if the AIP SSM card fails for any reason: hostname(config)# access-list IPS permit ip any any hostname(config)# class-map my-ips-class hostname(config-cmap)# match access-list IPS hostname(config-cmap)# policy-map my-ips-policy hostname(config-pmap)# class my-ips-class hostname(config-pmap-c)# ips promiscuous fail-close hostname(config-pmap-c)# service-policy my-ips-policy global The following example diverts all IP traffic destined for the 10.1.1.0 network and the 10.2.1.0 network to the AIP SSM in inline mode, and allows all traffic through if the AIP SSM card fails for any reason. For the my-ips-class traffic, sensor1 is used; for the my-ips-class2 traffic, sensor2 is used. hostname(config)# access-list my-ips-acl permit ip any 10.1.1.0 255.255.255.0 Cisco ASA 5500 Series Getting Started Guide 13-13
![](/manual_guide/products/cisco-5510-getting-started-guide-a35054b/179.png)