Cisco PIX 500 Series Configuration Manual page 392

Identifying Traffic Using a Layer 3/4 Class Map
You can specify a match access-list command along with the match default-inspection-traffic command to narrow the matched traffic. Because the match default-inspection-traffic command specifies the ports to match, any ports in the access list are ignored.
DSCP value in an IP header—The class map matches up to eight DSCP values.
hostname(config-cmap)# match dscp value1 [ value2 ] [...] [ value8 ]
For example, enter the following:
hostname(config-cmap)# match dscp af43 cs1 ef
Precedence—The class map matches up to four precedence values, represented by the TOS byte in the IP header.
hostname(config-cmap)# match precedence value1 [ value2 ] [ value3 ] [ value4 ]
where value1 through value4 can be 0 to 7, corresponding to the possible precedences.
RTP traffic—The class map matches RTP traffic.
hostname(config-cmap)# match rtp starting_port range
The starting_port specifies an even-numbered UDP destination port between 2000 and 65534. The range specifies the number of additional UDP ports to match above the starting_port, between 0 and 16383.
Tunnel group traffic—The class map matches traffic for a tunnel group to which you want to apply QoS.
hostname(config-cmap)# match tunnel-group name
You can also specify one other match command to refine the traffic match. You can specify any of the preceding commands, except for the match any, match access-list, or match default-inspection-traffic commands. Or you can enter the following command to police each flow:
hostname(config-cmap)# match flow ip destination-address
All traffic going to a unique IP destination address is considered a flow.
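The limits stated above (up to eight DSCP values, precedence 0 to 7, even RTP starting port 2000 to 65534 with a range of 0 to 16383, and at most one refining match per class map) are easy to check mechanically during a configuration review. The following is an added example, not code from the Cisco guide; the DSCP name set and the check_match and check_class_map functions are this example's own assumptions, and the input lines are constructed.

```python
"""Validate class-map match statements against the limits quoted above.
Added example for config review, not Cisco code; inputs are constructed."""
# DSCP names the appliance accepts, plus numeric 0-63 (PHB names assumed).
_DSCP_NAMES = {"ef", "default"} | {f"cs{i}" for i in range(8)} | {
    f"af{c}{d}" for c in range(1, 5) for d in range(1, 4)}
_EXCLUSIVE = {"access-list", "default-inspection-traffic"}

def _dscp_ok(tok):
    return tok in _DSCP_NAMES or (tok.isdigit() and int(tok) <= 63)

def check_match(line):
    """Return None if one match statement is valid, else an error string."""
    words = line.split()
    if len(words) < 2 or words[0] != "match":
        return "not a match statement"
    kind, args = words[1], words[2:]
    if kind == "dscp":
        if not 1 <= len(args) <= 8:
            return "match dscp takes 1 to 8 values"
        bad = [a for a in args if not _dscp_ok(a)]
        return f"unknown DSCP value(s): {bad}" if bad else None
    if kind == "precedence":
        if not 1 <= len(args) <= 4:
            return "match precedence takes 1 to 4 values"
        if any(not a.isdigit() or int(a) > 7 for a in args):
            return "precedence values must be 0 to 7"
    if kind == "rtp":
        if len(args) != 2 or not all(a.isdigit() for a in args):
            return "match rtp needs <starting_port> <range>"
        start, rng = int(args[0]), int(args[1])
        if start % 2 or not 2000 <= start <= 65534:
            return "starting_port must be even and between 2000 and 65534"
        if rng > 16383:
            return "range must be between 0 and 16383"
    return None  # other match types are not range-checked here

def check_class_map(lines):
    """Errors for one class-map body: each match, then the pairing rule (a second
    match only refines the first; access-list and default-inspection-traffic pair
    only with each other; match any is never combined)."""
    matches = [l.strip() for l in lines if l.strip().startswith("match ")]
    errors = [e for e in map(check_match, matches) if e]
    kinds = [m.split()[1] for m in matches if len(m.split()) > 1]
    if len(kinds) > 2:
        errors.append("at most two match commands per class map")
    elif len(kinds) == 2:
        if "any" in kinds:
            errors.append("match any cannot be combined with another match")
        elif set(kinds) & _EXCLUSIVE and set(kinds) != _EXCLUSIVE:
            errors.append("access-list/default-inspection-traffic only pair with each other")
    return errors
```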
The following is an example for the class-map command:
hostname(config)# access-list udp permit udp any any
hostname(config)# access-list tcp permit tcp any any
hostname(config)# access-list host_foo permit ip any 10.1.1.1 255.255.255.255
hostname(config)# class-map all_udp
hostname(config-cmap)# description "This class-map matches all UDP traffic"
hostname(config-cmap)# match access-list udp
hostname(config-cmap)# class-map all_tcp
hostname(config-cmap)# description "This class-map matches all TCP traffic"
hostname(config-cmap)# match access-list tcp
hostname(config-cmap)# class-map all_http
hostname(config-cmap)# description "This class-map matches all HTTP traffic"
hostname(config-cmap)# match port tcp eq http
hostname(config-cmap)# class-map to_server
hostname(config-cmap)# description "This class-map matches all traffic to server 10.1.1.1"
hostname(config-cmap)# match access-list host_foo
Cisco Security Appliance Command Line Configuration Guide, Chapter 21, Using Modular Policy Framework, page 21-4 (OL-12172-03)
This manual is also suitable for: ASA 5500 series