Wednesday, April 16, 2008

class-maps and policy-maps

The basic idea is this:

• create an L7 class-map with an action and a name
- define some match criteria

• create a policy-map with an action and a name
- refer back to a class-map
- action (like deny)

• create an L4 class-map with an action and a name
- match on a port number

• create another policy-map with an action and a name
- call out the L4 class-map
- call out the first policy map (the one that had the L7 class map in it)

• Apply the last policy-map - the one that summarized all of the class-maps and policy-maps together - to an interface

________________

• Create a class-map called "FTP_INSPECT_L7CLASS" that states we are inspecting traffic and it can match on any of the items defined:
class-map type ftp inspect match-any FTP_INSPECT_L7CLASS
!

• This is the match criterion (and the only one listed); it says look for someone making a directory:
match request-method mkdir
!

________________

• Now the policy-map - this one inspects FTP traffic and uses first-match (the first class that matches wins)
policy-map type inspect ftp first-match FTP_INSPECT_L7POLICY
!

• This statement in the policy-map refers to the class-map we already created called FTP_INSPECT_L7CLASS, which was looking for anyone making a directory
class FTP_INSPECT_L7CLASS
!

• Now the action - deny it
deny
!

________________

• OK, another class-map, this time L4
class-map match-all FTP_INSPECT_L4CLASS
!

• Hey look, a description!
description FTP command inspection of incoming traffic
!

• Let's match on TCP port 21 (the FTP control port, where commands are issued)
match port tcp eq 21

________________

• Now the policy-map, set up as multi-match (more than one class in it can match and act on the same traffic)
policy-map multi-match FTP_INSPECT_L4POLICY
!

• The class; in this case it's referring to the class-map we made called FTP_INSPECT_L4CLASS
class FTP_INSPECT_L4CLASS
!

• OK, now the confusing part: this action under the class FTP_INSPECT_L4CLASS says to inspect FTP traffic, strictly adhering to the policy-map FTP_INSPECT_L7POLICY, which itself has a class-map called FTP_INSPECT_L7CLASS that looks for anyone making a directory and then an action to deny it.

inspect ftp strict policy FTP_INSPECT_L7POLICY
!

________________

• Here is where the rubber meets the road and the service-policy is applied to the interface

interface vlan 50
!
ip address 172.16.1.100 255.255.255.0
!
service-policy input FTP_INSPECT_L4POLICY
!
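As an added example (written for this note, not part of the original post and not Cisco's code), here is a small Python script that parses the configuration lines above into class-maps, policy-maps and interfaces and then walks the chain from the interface down to the final action. The parser only understands the statement keywords used in this post; the sample configuration embedded in it is the post's own lines re-indented the way ACE displays them, and `NESTED_POLICY`, `parse_config` and `resolve` are names chosen here. Its practical use is as a sanity check that every policy-map and class-map referenced in the chain actually exists.

```python
"""Resolve the class-map / policy-map chain of an ACE-style configuration.

Added example, not from the original post. The parser knows only the
keywords that appear in the post (class-map, policy-map, interface, match,
description, class, deny, inspect, ip address, service-policy).
"""
import re

# Constructed sample input: the post's configuration, re-assembled in the
# order it was written and indented the way ACE shows it.
SAMPLE_CONFIG = """
class-map type ftp inspect match-any FTP_INSPECT_L7CLASS
  match request-method mkdir
!
policy-map type inspect ftp first-match FTP_INSPECT_L7POLICY
  class FTP_INSPECT_L7CLASS
    deny
!
class-map match-all FTP_INSPECT_L4CLASS
  description FTP command inspection of incoming traffic
  match port tcp eq 21
!
policy-map multi-match FTP_INSPECT_L4POLICY
  class FTP_INSPECT_L4CLASS
    inspect ftp strict policy FTP_INSPECT_L7POLICY
!
interface vlan 50
  ip address 172.16.1.100 255.255.255.0
  service-policy input FTP_INSPECT_L4POLICY
!
"""

# "inspect <protocol> [strict] policy <name>" hands the flow to a nested (L7) policy-map
NESTED_POLICY = re.compile(r"^inspect (\S+) (?:strict )?policy (\S+)$")


def parse_config(text):
    """Return dicts of class-maps, policy-maps and interfaces keyed by name."""
    class_maps, policy_maps, interfaces = {}, {}, {}
    block = None      # the class-map / policy-map / interface being filled in
    actions = None    # action list of the current "class X" line inside a policy-map
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        words = line.split()
        if words[0] == "class-map":
            logic = next(w for w in words if w in ("match-any", "match-all"))
            block, actions = {"logic": logic, "matches": [], "description": None}, None
            class_maps[words[-1]] = block
        elif words[0] == "policy-map":
            mode = next(w for w in words if w in ("first-match", "multi-match"))
            block, actions = {"mode": mode, "classes": []}, None
            policy_maps[words[-1]] = block
        elif words[0] == "interface":
            block, actions = {"ip": None, "service_policy": []}, None
            interfaces[" ".join(words[1:])] = block
        elif words[0] == "class":            # class reference inside a policy-map
            actions = []
            block["classes"].append((words[1], actions))
        elif words[0] == "match":
            block["matches"].append(" ".join(words[1:]))
        elif words[0] == "description":
            block["description"] = " ".join(words[1:])
        elif words[:2] == ["ip", "address"]:
            block["ip"] = " ".join(words[2:])
        elif words[0] == "service-policy":
            block["service_policy"].append(words[-1])
        elif actions is not None:            # deny / inspect ... under a class
            actions.append(line)
        else:
            raise ValueError(f"unrecognised statement: {line}")
    return {"class_maps": class_maps, "policy_maps": policy_maps, "interfaces": interfaces}


def resolve(cfg, interface):
    """Follow each service-policy on an interface down to its final action.

    Returns (path, action) pairs; path lists every hop in evaluation order.
    A reference to an undefined class-map or policy-map raises KeyError.
    """
    leaves = []

    def walk(policy_name, path):
        policy = cfg["policy_maps"].get(policy_name)
        if policy is None:
            raise KeyError(f"policy-map {policy_name} referenced but never defined")
        hop = f"policy-map {policy_name} ({policy['mode']})"
        for class_name, actions in policy["classes"]:
            cm = cfg["class_maps"].get(class_name)
            if cm is None:
                raise KeyError(f"class-map {class_name} referenced but never defined")
            class_hop = f"class-map {class_name} ({cm['logic']}: {'; '.join(cm['matches'])})"
            for action in actions:
                nested = NESTED_POLICY.match(action)
                if nested:   # the L4 action hands the flow to the L7 policy-map
                    walk(nested.group(2), path + [hop, class_hop, f"action: {action}"])
                else:
                    leaves.append((path + [hop, class_hop], action))

    for policy_name in cfg["interfaces"][interface]["service_policy"]:
        walk(policy_name, [f"interface {interface}"])
    return leaves


if __name__ == "__main__":
    for path, action in resolve(parse_config(SAMPLE_CONFIG), "vlan 50"):
        print(" -> ".join(path) + f" => {action}")
```

Running it prints one line for the single leaf: the interface, the multi-match L4 policy, the port-21 class, the inspect action that hands the flow to the first-match L7 policy, the mkdir class and finally deny. Renaming the `class FTP_INSPECT_L7CLASS` reference to something undefined makes `resolve` raise a KeyError, which is exactly the kind of dangling reference that is easy to create when these nested maps are edited by hand.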