Cisco 4700 Series Application Control Engine Appliance Administration Guide
OL-11157-01
Chapter 4 Configuring Class Maps and Policy Maps
Class Maps and Policy Map Examples
To create a series of class maps and policy maps to classify and permit the
identified traffic, perform the following steps:
Step 1 Permit ICMP packets from IP address 172.16.10.0 255.255.255.254 and allow
global SSH access to the ACE by entering the following commands:
host1/Admin(config)# class-map type management ICMP-ALLOW_CLASS
host1/Admin(config-cmap-mgmt)# match protocol icmp source-address 172.16.10.0 255.255.255.254
host1/Admin(config-cmap-mgmt)# exit
host1/Admin(config)#
host1/Admin(config)# class-map type management SSH-ALLOW_CLASS
host1/Admin(config-cmap-mgmt)# match protocol ssh any
host1/Admin(config-cmap-mgmt)# exit
host1/Admin(config)#
host1/Admin(config)# policy-map type management first-match L4_MGMT_POLICY
host1/Admin(config-pmap-mgmt)# class ICMP-ALLOW_CLASS
host1/Admin(config-pmap-mgmt-c)# permit
host1/Admin(config-pmap-mgmt-c)# exit
host1/Admin(config-pmap-mgmt)# class SSH-ALLOW_CLASS
host1/Admin(config-pmap-mgmt-c)# permit
host1/Admin(config-pmap-mgmt-c)# exit
host1/Admin(config-pmap-mgmt)# exit
host1/Admin(config)#
Step 2 Create a class map to filter HTTP traffic to include an ACL that allows the ACE
to receive any HTTP traffic through the VLAN by entering the following
commands:
host1/Admin(config)# access-list 200 extended permit tcp any any eq http
host1/Admin(config)# class-map match-all L4_FILTERHTTP_CLASS
host1/Admin(config-cmap)# match access-list 200
Step 3 Define the following Layer 7 class maps and policy maps to filter on content and
allow HTTP headers that contain the “html” expression:
a. Identify HTTP headers that contain the “html” expression with a header
length of 255 or less by entering the following commands:
host1/Admin(config)# class-map type http inspect match-all L7_FLTRHTML1_CLASS
host1/Admin(config-cmap-http-insp)# match header accept header-value html
host1/Admin(config-cmap-http-insp)# match header length request eq 255