11-13
Cisco ASA Series Firewall CLI Configuration Guide
 
Chapter 11      Service Policy Using the Modular Policy Framework
  Configure Service Policies
Identify Traffic (Layer 3/4 Class Maps)
A Layer 3/4 class map identifies Layer 3 and 4 traffic to which you want to apply actions. You can create 
multiple Layer 3/4 class maps for each Layer 3/4 policy map.
• Create a Layer 3/4 Class Map for Through Traffic, page 11-13
• Create a Layer 3/4 Class Map for Management Traffic, page 11-15
Create a Layer 3/4 Class Map for Through Traffic
A Layer 3/4 class map matches traffic based on protocols, ports, IP addresses and other Layer 3 or 4 
attributes.
Tip We suggest that you only inspect traffic on ports on which you expect application traffic; if you inspect 
all traffic, for example using match any, ASA performance can suffer because every flow is handed to the inspection engines.
Procedure
Step 1 Create a Layer 3/4 class map, where class_map_name is a string up to 40 characters in length. 
class-map class_map_name
The name “class-default” is reserved. All types of class maps use the same name space, so you cannot 
reuse a name already used by another type of class map. The CLI enters class-map configuration mode.
Example: 
hostname(config)# class-map all_udp
Step 2 (Optional) Add a description to the class map.
description string
Example: 
hostname(config-cmap)# description All UDP traffic
Step 3 Match traffic using one of the following commands. Unless otherwise specified, you can include only 
one match command in the class map.
• match any—Matches all traffic.
hostname(config-cmap)# match any
• match access-list access_list_name—Matches traffic specified by an extended ACL. If the ASA is 
operating in transparent firewall mode, you can use an EtherType ACL. 
hostname(config-cmap)# match access-list udp
• match port {tcp | udp} {eq port_num | range port_num port_num}—Matches TCP or UDP 
destination ports, either a single port or a contiguous range of ports. For applications that use 
multiple, non-contiguous ports, use the match access-list command and define an ACE to match 
each port.
hostname(config-cmap)# match port tcp eq 80
• match default-inspection-traffic—Matches default traffic for inspection: the default TCP and 
UDP ports used by all applications that the ASA can inspect.
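The following is an added worked example of Steps 1 through 3 above; it is not configuration from the original guide. It identifies a custom application that listens on two non-contiguous TCP ports, which forces the match access-list form, and a second application on a contiguous port block, which can use match port directly. The ACL name app_ports, the class map names app_traffic and dev_ports, the ports 8080, 8443 and 8000-8010, and the server subnet 10.1.1.0/24 are all assumptions chosen for illustration. The lines beginning with ! are annotations, not commands.

```cisco
! Added example (not from the original guide). Names, ports and the
! 10.1.1.0/24 server subnet are assumptions for illustration.
!
! Step 3 (match access-list): the application uses TCP 8080 and 8443.
! These ports are not contiguous, so "match port" cannot express them;
! define one ACE per port in an extended ACL instead.
hostname(config)# access-list app_ports extended permit tcp any 10.1.1.0 255.255.255.0 eq 8080
hostname(config)# access-list app_ports extended permit tcp any 10.1.1.0 255.255.255.0 eq 8443
!
! Step 1: create the class map (name up to 40 characters; "class-default"
! is reserved and the name must be unique across all class map types).
hostname(config)# class-map app_traffic
! Step 2 (optional): describe it so the intent survives in the running config.
hostname(config-cmap)# description Custom app on TCP 8080 and 8443 (ACL app_ports)
! Step 3: exactly one match command per class map.
hostname(config-cmap)# match access-list app_ports
hostname(config-cmap)# exit
!
! A second class map for a contiguous destination port block, where
! "match port" with a range is enough and no ACL is needed.
hostname(config)# class-map dev_ports
hostname(config-cmap)# description Developer test services on TCP 8000-8010
hostname(config-cmap)# match port tcp range 8000 8010
hostname(config-cmap)# exit
!
! Check: confirm both class maps and their single match statements.
hostname(config)# show running-config class-map
```

A Layer 3/4 class map on its own takes no action: traffic matched by app_traffic or dev_ports is only inspected, policed, or otherwise acted on once the class map is referenced from a Layer 3/4 policy map and that policy map is applied with a service policy, which are the later steps of this chapter. Also note the Tip above: both class maps here name specific ports rather than using match any, so only the expected application traffic is handed to the actions you attach later.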