Failover Support; Configuring The Fwsm To Deny Pisa Traffic - Cisco 7604 Configuration Manual

Catalyst 6500 series switch and cisco 7600 series router firewall services module configuration guide using the cli
Permitting or Denying Application Types with PISA Integration
After the FWSM receives the packet and acts on the information, it strips the GRE encapsulation from the packet.
When you configure the FWSM to deny traffic based on the PISA encapsulation, the PISA encapsulates all traffic on the VLAN where that traffic resides, including traffic that you did not specify for denial.
The GRE encapsulation increases the packet size slightly, so you should increase the MTU between the PISA and the FWSM according to the "Changing the MTU on the Switch to Support Longer Packet Length" section on page 21-8.
The GRE encapsulation causes a slight performance impact for PISA traffic sent to the FWSM.

Failover Support

Failover of the PISA is independent of failover of the FWSM. If you have Stateful Failover on the FWSM, then the session information is maintained across the failover.

Configuring the FWSM to Deny PISA Traffic

To identify traffic that you want to deny using PISA tagging, perform the following steps:

Step 1
To identify the traffic that you want to deny based on the application type, add a class map using the class-map command. See the "Identifying Traffic (Layer 3/4 Class Map)" section on page 20-4 for more information.
For example, you can match an access list:

hostname(config)# access-list BAD_APPS extended permit ip any 10.1.1.1 255.255.255.255
hostname(config)# class-map denied_apps
hostname(config-cmap)# match access-list BAD_APPS

Step 2
To add or edit a policy map that sets the actions to take with the class map traffic, enter the following commands:

hostname(config)# policy-map name
hostname(config-pmap)# class class_map_name
hostname(config-pmap-c)#

where class_map_name is the class map from Step 1.
For example:

hostname(config)# policy-map denied_apps_policy
hostname(config-pmap)# class denied_apps
hostname(config-pmap-c)#

Step 3
Determine which applications are permitted or denied by entering the following commands:

hostname(config-pmap-c)# deny {all | protocol}
hostname(config-pmap-c)# permit protocol

where the protocol argument is the protocol name or number. To see the supported protocol names, use the permit ? or deny ? command.
You can combine permit and deny statements to narrow the traffic that you want denied. You must enter at least one deny statement. Unlike access lists, which have an implicit deny at the end, PISA actions have an implicit permit at the end.
For example, to permit all traffic except for Skype, eDonkey, and Yahoo, enter the following commands:

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM
Chapter 21 Configuring Advanced Connection Features
21-6
OL-20748-01
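The permit/deny rules from Step 3, modelled as an added Python example (not Cisco's code or the manual's): it parses the action lines of a policy-map class section, rejects a block with no deny statement, and evaluates the decision for an application so the implicit permit at the end can be checked before the policy goes live. The sample block, the protocol names, and the precedence of a protocol-specific statement over deny all are assumptions.

```python
import re
# Constructed sample (not from the manual): the class section of the policy
# map from Steps 2 and 3 with three applications denied by name. Protocol
# names are placeholders; the FWSM lists the real ones under 'deny ?'.
SAMPLE_BLOCK = """\
policy-map denied_apps_policy
 class denied_apps
  deny skype
  deny edonkey
  deny yahoo
"""

# Matches only the 'deny {all | protocol}' and 'permit protocol' action lines.
ACTION = re.compile(r"^\s*(permit|deny)\s+(\S+)\s*$")

def parse_pisa_actions(block):
    """Return (deny_all, {protocol: 'permit'|'deny'}) for one class block.
    Raises ValueError if there is no deny statement (the manual requires at
    least one) or, an added check, if a protocol is both permitted and denied."""
    deny_all, actions = False, {}
    for line in block.splitlines():
        m = ACTION.match(line)
        if not m:
            continue  # policy-map / class header lines carry no action
        verb, proto = m.group(1), m.group(2).lower()
        if verb == "deny" and proto == "all":
            deny_all = True
        elif actions.get(proto, verb) != verb:
            raise ValueError(f"conflicting permit and deny for {proto}")
        else:
            actions[proto] = verb
    if not deny_all and "deny" not in actions.values():
        raise ValueError("a PISA class needs at least one deny statement")
    return deny_all, actions

def is_valid_pisa_block(block):
    """True when the block passes the checks in parse_pisa_actions."""
    try:
        parse_pisa_actions(block)
        return True
    except ValueError:
        return False

def pisa_decision(block, protocol):
    """Action for one application. Assumed precedence: a statement naming the
    protocol wins over 'deny all'; anything unmatched falls through to the
    implicit permit the manual describes (an ACL would implicitly deny it)."""
    deny_all, actions = parse_pisa_actions(block)
    return actions.get(protocol.lower(), "deny" if deny_all else "permit")
```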
