Defining Policy Maps

To take action on classified traffic, a policy map is used together with a service-policy statement. A policy map can contain multiple class maps, and each class map in the policy map can have its own actions, so one policy map can define multiple actions for a traffic flow. A packet can match only one class map per feature type, and the FWSM performs the action defined under that class map.

A packet can match one class map for the TCP connection feature type and another class map for the application inspection feature type; the actions of both class maps are then applied. Two separate class maps for different application inspections cannot be applied to the same policy map. Only a single policy map is applied per interface, but the same policy map can be reused on multiple interfaces.

Configuring Global Policy

A policy map applied globally is used on all interfaces. When a policy map is applied to an individual interface, it takes precedence over the global policy map on that interface and applies only to that interface.

To configure a policy map, follow these steps:

Step 1 Configure the policy name.

For example:

FWSM(config)# policy-map TEST1

Step 2 Attach the classified traffic that needs action.

For example:

FWSM(config)# policy-map TEST1                        <- Define the policy map
FWSM(config-pmap)# class TEST2                        <- Reference class map TEST2
FWSM(config-pmap-c)# set connection conn-max 256      <- Define the action for class TEST2

FWSM(config)# class-map inspection_default            <- Define the second ('default') class map; it must exist before the policy map references it
FWSM(config-cmap)# match default-inspection-traffic   <- Match the traffic of the default inspection engines
FWSM(config)# policy-map TEST1
FWSM(config-pmap)# class inspection_default           <- Reference the 'default' class map under the policy map

A policy map can have multiple class maps enabled. In this example, the TCP maximum-connection limit is the user-defined action on class map TEST2. The second class map, inspection_default, matches the traffic of the default inspection engines defined in the FWSM. Keep in mind that a class map has to be defined before it is associated with a policy map.
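The following is an added example, not configuration from the original page, that pulls the steps above together into one complete FWSM configuration, including the class-map definitions, the service-policy statements the page mentions but does not show, and an interface policy overriding the global one. The access list ACL_WEB, the server address, the policy map INSIDE_POLICY and the interface name inside are assumed for illustration.

```cisco
! Added example, not the page's own configuration. ACL_WEB, 10.1.1.10,
! INSIDE_POLICY and the interface name "inside" are assumed values.
!
! 1. Class maps first: a policy map can only reference a class map that
!    already exists.
access-list ACL_WEB extended permit tcp any host 10.1.1.10 eq 80
class-map TEST2
 description Traffic to the web server
 match access-list ACL_WEB
!
class-map inspection_default
 match default-inspection-traffic
!
! 2. Policy map TEST1 from the page: one action block per class map.
!    TEST2 gets the connection limit; the default class gets inspections.
policy-map TEST1
 class TEST2
  set connection conn-max 256
 class inspection_default
  inspect http
  inspect ftp
!
! 3. Apply it globally: it then covers every interface that has no
!    policy of its own.
service-policy TEST1 global
!
! 4. A policy map applied to an interface takes precedence over the
!    global policy on that interface only. Only one policy map can be
!    applied per interface, so INSIDE_POLICY replaces TEST1 on "inside".
policy-map INSIDE_POLICY
 class TEST2
  set connection conn-max 512
service-policy INSIDE_POLICY interface inside
!
! 5. Verify which policy is in effect and the per-class hit counts.
show service-policy
show service-policy interface inside
```

The `show service-policy` output lists each policy map with its class maps and actions, which is the quickest way to confirm that the interface policy, not the global one, is being enforced on that interface.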
