Cisco 7604 Configuration Guide - Page 396
Applying Actions to an Interface (Service Policy
View all Cisco 7604 manuals
Add to My Manuals
Save this manual to your list of manuals |
Page 396 highlights
Applying Actions to an Interface (Service Policy) Chapter 20 Using Modular Policy Framework hostname(config)# class-map telnet_traffic hostname(config-cmap)# match port tcp eq 23 hostname(config)# class-map ftp_traffic hostname(config-cmap)# match port tcp eq 21 hostname(config)# class-map tcp_traffic hostname(config-cmap)# match port tcp range 1 65535 hostname(config)# class-map udp_traffic hostname(config-cmap)# match port udp range 0 65535 hostname(config)# policy-map global_policy hostname(config-pmap)# class telnet_traffic hostname(config-pmap-c)# set connection timeout tcp 0:0:0 hostname(config-pmap-c)# set connection conn-max 100 hostname(config-pmap)# class ftp_traffic hostname(config-pmap-c)# set connection timeout tcp 0:5:0 hostname(config-pmap-c)# set connection conn-max 50 hostname(config-pmap)# class tcp_traffic hostname(config-pmap-c)# set connection timeout tcp 2:0:0 hostname(config-pmap-c)# set connection conn-max 2000 When a Telnet connection is initiated, it matches class telnet_traffic. Similarly, if an FTP connection is initiated, it matches class ftp_traffic. For any TCP connection other than Telnet and FTP, it will match class tcp_traffic. Even though a Telnet or FTP connection can match class tcp_traffic, the FWSM does not make this match because they previously matched other classes. Applying Actions to an Interface (Service Policy) To activate the Layer 3/4 policy map, create a service policy that applies it to one or more interfaces or that applies it globally to all interfaces. Interface service policies take precedence over the global service policy for a given feature. For example, if you have a global policy with FTP inspection, and an interface policy with TCP connection settings, then both FTP inspection and TCP connection settings are applied to the interface. However, if you have a global policy with FTP inspection, and an interface policy with FTP inspection, then only the interface policy FTP inspection is applied to that interface. • To create a service policy by associating a policy map with an interface, enter the following command: hostname(config)# service-policy policy_map_name interface interface_name • To create a service policy that applies to all interfaces that do not have a specific policy, enter the following command: hostname(config)# service-policy policy_map_name global By default, the configuration includes a global policy that matches all default application inspection traffic and applies inspection to the traffic globally. You can only apply one global policy, so if you want to alter the global policy, you need to either edit the default policy or disable it and apply a new one. The default service policy includes the following command: service-policy global_policy global For example, the following command enables the inbound_policy policy map on the outside interface: hostname(config)# service-policy inbound_policy interface outside The following commands disable the default global policy, and enables a new one called new_global_policy on all other FWSM interfaces: hostname(config)# no service-policy global_policy global 20-20 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM OL-20748-01