21-3
Cisco Security Appliance Command Line Configuration Guide
OL-10088-01
Chapter 21 Using Modular Policy Framework
Identifying Traffic Using a Layer 3/4 Class Map
Creating a Layer 3/4 Class Map for Through Traffic
A Layer 3/4 class map matches traffic based on protocols, ports, IP addresses and other Layer 3 or 4 attributes.
To define a Layer 3/4 class map, perform the following steps:
Step 1 Create a Layer 3/4 class map by entering the following command:
hostname(config)# class-map class_map_name
hostname(config-cmap)#
Where class_map_name is a string up to 40 characters in length. The name “class-default” is reserved.
All types of class maps use the same name space, so you cannot reuse a name already used by another
type of class map. The CLI enters class-map configuration mode.
Step 2 (Optional) Add a description to the class map by entering the following command:
hostname(config-cmap)# description string
Step 3 Define the traffic to include in the class by matching one of the following characteristics. Unless otherwise specified, you can include only one match command in the class map.
• Any traffic—The class map matches all traffic.
hostname(config-cmap)# match any
• Access list—The class map matches traffic specified by an extended access list. If the security appliance is operating in transparent firewall mode, you can use an EtherType access list.
hostname(config-cmap)# match access-list access_list_name
For more information about creating access lists, see the “Adding an Extended Access List” section on page 16-5 or the “Adding an EtherType Access List” section on page 16-8.
For information about creating access lists with NAT, see the “IP Addresses Used for Access Lists When You Use NAT” section on page 16-3.
• TCP or UDP destination ports—The class map matches a single port or a contiguous range of ports.
hostname(config-cmap)# match port {tcp | udp} {eq port_num | range port_num port_num}
Tip: For applications that use multiple, non-contiguous ports, use the match access-list command and define an ACE to match each port.
For a list of ports you can specify, see the “TCP and UDP Ports” section on page D-11.
For example, enter the following command to match TCP packets on destination port 80 (HTTP):
hostname(config-cmap)# match port tcp eq 80
• Default traffic for inspection—The class map matches the default TCP and UDP ports used by all applications that the security appliance can inspect.
hostname(config-cmap)# match default-inspection-traffic
See the “Default Inspection Policy” section on page 25-3 for a list of default ports. The security appliance includes a default global policy that matches the default inspection traffic, and applies common inspections to the traffic on all interfaces. Not all applications whose ports are included in the match default-inspection-traffic command are enabled by default in the policy map.
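The constraints in Steps 1 and 3 (name up to 40 characters, “class-default” reserved, only one match command per class map, match access-list must name an existing access list) are easy to violate when class maps are edited by hand or generated by scripts. The following configuration linter is an added example, not Cisco code; the class-map and access-list names in SAMPLE_CONFIG are constructed for this example, and only plain Layer 3/4 class maps (no class-map type variants) are parsed.

```python
import re
from typing import Dict, List

# Constructed sample configuration for this example (not from the guide).
SAMPLE_CONFIG = """\
access-list WEB_PORTS extended permit tcp any any eq 80
access-list WEB_PORTS extended permit tcp any any eq 443
class-map WEB_TRAFFIC
 description Match web traffic on non-contiguous ports
 match access-list WEB_PORTS
class-map BAD_TWO_MATCHES
 match port tcp eq 80
 match any
class-map class-default
 match any
class-map DANGLING
 match access-list MISSING_ACL
"""

MAX_NAME_LEN = 40          # class-map name limit stated in Step 1
RESERVED = {"class-default"}  # reserved name stated in Step 1


def lint_class_maps(config: str) -> List[str]:
    """Return the rule violations found in Layer 3/4 class maps of an ASA-style config."""
    acls = set()                      # names of access lists defined in the config
    cmaps: Dict[str, List[str]] = {}  # class-map name -> its match commands
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("access-list "):
            acls.add(line.split()[1])
            current = None
        elif line.startswith("class-map "):
            current = line.split(None, 1)[1]
            cmaps.setdefault(current, [])
        elif current is not None and line.startswith("match "):
            cmaps[current].append(line[len("match "):])
    problems = []
    for name, matches in cmaps.items():
        if name in RESERVED:
            problems.append(f"{name}: reserved name")
        if len(name) > MAX_NAME_LEN:
            problems.append(f"{name}: name longer than {MAX_NAME_LEN} characters")
        if len(matches) > 1:  # Step 3: only one match command per class map
            problems.append(f"{name}: {len(matches)} match commands (only one allowed)")
        for m in matches:
            parts = m.split()
            if parts[0] == "access-list":
                acl = parts[1] if len(parts) > 1 else "<missing>"
                if acl not in acls:
                    problems.append(f"{name}: references undefined access-list {acl}")
    return problems
```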