Policy map rules

Unanswered Question
Mar 16th, 2007

I read that "Only one policy map can be applied to a specific interface". What if you are already using the default policy map and want to create one for your AIP-SSM and one for the current ACL?

vitripat Fri, 03/16/2007 - 10:12

The default policy map is the "global" policy-map. If you want to send the traffic on all interfaces through the SSM module, you don't need to create a new policy-map; you only need to create the class matching the traffic you need to send via the SSM module. Then you can include this class in the policy-map applied globally as well.

With the above said, assuming you have the default policy-map config, I would implement the following commands to divert all traffic via the SSM module:

access-list ips-acl permit ip any any
class-map ips-class
 match access-list ips-acl
policy-map global_policy
 class ips-class
  ips inline fail-open

Thus the final policy-map configuration would look like:

policy-map global_policy
 class inspection_default
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
 class ips-class
  ips inline fail-open
service-policy global_policy global

Alternatively, I can apply the ips class to an altogether new policy-map, but I can't apply this policy-map globally. I can apply the new policy-map to a particular interface though.

Hope that helps.
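A small offline check for the two conditions this thread turns on, as an added example that is not part of the original post or any Cisco tooling: it reads ASA-style configuration text, maps each service-policy binding to its scope (global or one interface), flags a scope with more than one policy map bound, and flags classes that send traffic to the SSM with fail-open (traffic keeps flowing uninspected if the module is unavailable). The per-interface policy "dmz-policy" and the interface name "dmz" are hypothetical.

```python
import re

# Constructed sample: answer's policy (inspect list shortened) + hypothetical dmz-policy/dmz.
SAMPLE_CONFIG = """\
policy-map global_policy
 class inspection_default
  inspect esmtp
 class ips-class
  ips inline fail-open
policy-map dmz-policy
 class ips-class
  ips inline fail-close
service-policy global_policy global
service-policy dmz-policy interface dmz
"""

def parse_policy_maps(config):
    """Return {policy-map: {class: [actions]}} for Layer 3/4 policy maps."""
    maps, pmap, cls = {}, None, None
    for raw in config.splitlines():
        words = raw.split()
        if raw.startswith("policy-map ") and len(words) == 2:
            pmap, cls = words[1], None
        elif pmap and raw.startswith(" ") and words[:1] == ["class"]:
            cls = words[1]
            maps.setdefault(pmap, {})[cls] = []
        elif pmap and cls and raw.startswith(" "):
            maps[pmap][cls].append(" ".join(words))
        else:  # any other top-level line ends the current policy-map
            pmap = cls = None
    return maps

def parse_bindings(config):
    """Return {scope: [policy-map names]}; scope is 'global' or an interface."""
    bindings = {}
    for m in re.finditer(r"^service-policy (\S+) (?:global|interface (\S+))", config, re.M):
        bindings.setdefault(m.group(2) or "global", []).append(m.group(1))
    return bindings

def audit(config):
    """List (scope, issue, detail) tuples for the two conditions discussed."""
    maps, findings = parse_policy_maps(config), []
    for scope, names in parse_bindings(config).items():
        if len(names) > 1:  # only one policy map may be bound per scope
            findings.append((scope, "multiple-policy-maps", ",".join(names)))
        for name in names:
            for cls, actions in maps.get(name, {}).items():
                if any(a.startswith("ips ") and "fail-open" in a.split() for a in actions):
                    findings.append((scope, "ips-fail-open", f"{name}/{cls}"))
    return findings
```
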



