
Cisco FirePOWER ASA 5500 series User Manual

Cisco Security Appliance Command Line Configuration Guide (OL-10088-01), page 21-5
Chapter 21: Using Modular Policy Framework

Creating a Layer 3/4 Class Map for Management Traffic
For management traffic to the security appliance, you might want to perform actions specific to this kind
of traffic. You can specify a management class map that can match TCP or UDP ports. The types of
actions available for a management class map in the policy map are specialized for management traffic.
Namely, this type of class map lets you inspect RADIUS accounting traffic.
To create a class map for management traffic to the security appliance, perform the following steps:
Step 1 Create a class map by entering the following command:
hostname(config)# class-map type management class_map_name
hostname(config-cmap)#
Where class_map_name is a string up to 40 characters in length. The name “class-default” is reserved.
All types of class maps use the same name space, so you cannot reuse a name already used by another
type of class map. The CLI enters class-map configuration mode.
Step 2 (Optional) Add a description to the class map by entering the following command:
hostname(config-cmap)# description string
Step 3 Define the traffic to include in the class by matching the TCP or UDP port. You can include only one
match command in the class map.
hostname(config-cmap)# match port {tcp | udp} {eq port_num | range port_num port_num}
For a list of ports you can specify, see the “TCP and UDP Ports” section on page D-11.
For example, enter the following command to match TCP packets on port 10000:
hostname(config-cmap)# match port tcp eq 10000
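
The three steps above combined into one configuration, as an added example that is not part of the original Cisco guide. The names mgmt_radius_acct and radius_acct_map, the description text and UDP port 1813 (the registered RADIUS accounting port) are assumptions; the policy-map and service-policy lines go beyond this section to show where a management class map is used for RADIUS accounting inspection.

```cisco
! Added example. Map names, description and port value are assumptions.
! Inspection policy map that holds the RADIUS accounting parameters
policy-map type inspect radius-accounting radius_acct_map
 parameters
  send response
!
! Steps 1-3: management class map with its single match command
class-map type management mgmt_radius_acct
 description RADIUS accounting traffic to the appliance
 match port udp eq 1813
!
! Attach the inspection to the class in a Layer 3/4 policy map
policy-map global_policy
 class mgmt_radius_acct
  inspect radius-accounting radius_acct_map
!
service-policy global_policy global
```
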
Configuring Special Actions for Application Inspections
Modular Policy Framework lets you configure special actions for many application inspections. When
you enable an inspection engine in the Layer 3/4 policy map, you can also optionally enable actions as
defined in an inspection policy map.
See the “Configuring Application Inspection” section on page 25-5 for a list of applications that support
inspection policy maps.
An inspection policy map consists of one or more of the following elements. The exact options available
for an inspection policy map depend on the application.
• Traffic matching command—You can define a traffic matching command directly in the inspection
  policy map to match application traffic to criteria specific to the application, such as a URL string,
  for which you then enable actions.
• Inspection class map—An inspection class map includes traffic matching commands that match
  application traffic with criteria specific to the application, such as a URL string. You then identify
  the class map in the policy map and enable actions. The difference between creating a class map and
  defining the traffic match directly in the inspection policy map is that you can create more complex
  match criteria and you can reuse class maps. Some applications do not support an inspection class
  map.
• Parameters—Parameters affect the behavior of the inspection engine.
