Policy map rules

Tshi M
Level 5

I read that "Only one policy map can be applied to a specific interface". What if you are already using the default policy map and want to create one for your AIP-SSM and one for the current ACL?

1 Reply 1

vitripat
Level 7

The default policy map is the "global" policy-map. If you want to send the traffic on all interfaces through the SSM module, you don't need to create a new policy-map; you only need to create the class matching the traffic you need to send via the SSM module. Then you can include this class also in the policy-map applied globally.

With the above said, assuming you have the default policy-map config, if I implement the following commands to divert all traffic via the SSM module:

access-list ips-acl permit ip any any
class-map ips-class
 match access-list ips-acl
policy-map global_policy
 class ips-class
  ips inline fail-open

Thus final policy-map configuration would look like:

policy-map global_policy
 class inspection_default
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
 class ips-class
  ips inline fail-open
service-policy global_policy global

Alternatively, I can apply the ips class to an altogether new policy-map, but I can't apply this policy-map globally. I can apply the new policy-map to a particular interface though.

Hope that helps.

Regards,

Vibhor.
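
A pre-deployment check for the rule discussed in this thread, as an added example that is not part of the reply above and not Cisco tooling: it parses a candidate ASA configuration, reports which policy-map is bound globally and per interface, flags any target with more than one binding, and lists each `ips` action with its failure behaviour. The function name `audit`, the policy-map `outside_policy` and the interface name `outside` are assumptions made for the sample.

```python
import re
from collections import defaultdict

# Constructed sample: the reply's configuration plus a hypothetical per-interface policy.
SAMPLE_CONFIG = """\
access-list ips-acl permit ip any any
class-map ips-class
 match access-list ips-acl
policy-map global_policy
 class inspection_default
  inspect esmtp
 class ips-class
  ips inline fail-open
policy-map outside_policy
 class ips-class
  ips inline fail-close
service-policy global_policy global
service-policy outside_policy interface outside
"""

def audit(config):
    """Return (bindings, ips_actions, findings) for an ASA-style config text."""
    ips_actions = {}                 # (policy-map, class) -> (mode, failure behaviour)
    bindings = defaultdict(list)     # "global" or interface name -> [policy-map, ...]
    pmap = cls = None
    for raw in filter(str.strip, config.splitlines()):   # skip blank lines
        line = raw.strip()
        if not raw[0].isspace():     # a top-level command ends any policy-map context
            pmap = cls = None
        if m := re.match(r"policy-map (\S+)$", line):
            pmap = m.group(1)
        elif pmap and (m := re.match(r"class (\S+)$", line)):
            cls = m.group(1)
        elif pmap and cls and (m := re.match(r"ips (inline|promiscuous) (fail-open|fail-close)", line)):
            ips_actions[(pmap, cls)] = m.groups()
        elif m := re.match(r"service-policy (\S+) (global|interface (\S+))$", line):
            bindings[m.group(3) or "global"].append(m.group(1))
    findings = []
    for target, maps in bindings.items():
        if len(maps) > 1:            # only one policy-map per interface (and one global)
            findings.append(f"{target}: more than one policy-map bound: {maps}")
    bound = {p for maps in bindings.values() for p in maps}
    for (p, c), (mode, fail) in ips_actions.items():
        if p not in bound:
            findings.append(f"{p}/{c}: ips action defined but policy-map is not applied")
        if fail == "fail-open":
            findings.append(f"{p}/{c}: fail-open, traffic passes uninspected if the module is down")
    return dict(bindings), ips_actions, findings
```

Calling `audit(SAMPLE_CONFIG)` returns the bindings, the `ips` actions per policy-map and class, and a list of findings to review before the configuration is pushed.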