ACE - need help implementing basic parameter map

Unanswered Question
May 21st, 2008

Hi,


I'm trying to implement a connection parameter-map on an ACE module that simply sets the TCP inactivity timeout to 0.

I can get this to work fine if I permit all TCP traffic in the class-map, but it doesn't work if I use an ACL:


>> Match all TCP:

parameter-map type connection TCP-Timeout
  set timeout inactivity 0

class-map match-all TCP-Timeout-Out-Class
  2 match port tcp any
class-map match-all TCP-Timeout-in-Class
  2 match port tcp any

policy-map multi-match TCP-Timeout-Out-Policy
  class TCP-Timeout-Out-Class
    connection advanced-options TCP-Timeout
policy-map multi-match TCP-Timeout-in-Policy
  class TCP-Timeout-in-Class
    connection advanced-options TCP-Timeout

interface vlan 920
  ....
  service-policy input TCP-Timeout-in-Policy
interface vlan 923
  ....
  service-policy input TCP-Timeout-Out-Policy

>> Match ACL:

access-list TCP-Timeout-Group-Out line 10 extended permit ip 10.221.178.0 0.0.0.255 any
access-list TCP-Timeout-Group-in line 10 extended permit ip any 10.221.178.0 0.0.0.255

parameter-map type connection TCP-Timeout
  set timeout inactivity 0

class-map match-all TCP-Timeout-Out-Class
  match access-list TCP-Timeout-Group-Out
class-map match-all TCP-Timeout-in-Class
  match access-list TCP-Timeout-Group-in

policy-map multi-match TCP-Timeout-Out-Policy
  class TCP-Timeout-Out-Class
    connection advanced-options TCP-Timeout
policy-map multi-match TCP-Timeout-in-Policy
  class TCP-Timeout-in-Class
    connection advanced-options TCP-Timeout

interface vlan 320
  ....
  service-policy input TCP-Timeout-in-Policy
interface vlan 323
  ....
  service-policy input TCP-Timeout-Out-Policy


Any ideas?

Many Thanks

Roble Mumin Wed, 05/21/2008 - 07:49

Try changing the class-map from "type match-all" to "type match-any". Match-all implies both statements need to be true. The match-any is probably what you want: either of the ACL statements can be true.


Also try to apply the policy globally instead of the interfaces, simplifying the config might help as well.



e.g.:

access-list TCP-Timeout-Group line 10 extended permit ip 10.221.178.0 0.0.0.255 any
access-list TCP-Timeout-Group line 20 extended permit ip any 10.221.178.0 0.0.0.255

class-map match-any TCP-Timeout-Class
  match access-list TCP-Timeout-Group

parameter-map type connection TCP-Parameter-Map
  set timeout inactivity 0

policy-map multi-match TCP-Timeout-Out-Policy
  class TCP-Timeout-Class
    connection advanced-options TCP-Parameter-Map

service-policy input TCP-Timeout-Out-Policy   <- apply it globally



Hope it helps.



Roble
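
A reference check for ACE configuration in the style of the snippets in this thread, as an added example that is neither from the thread nor from Cisco: it parses the access-list, parameter-map, class-map and policy-map lines and reports a policy-map class or parameter-map that is never defined, an ACL a class-map references but which does not exist, and a match-all class-map that needs several ACLs to match the same flow. The embedded config is constructed from the thread's snippets, and the dangling class reference in it is deliberate.

```python
import re
from typing import Dict, List, Set

# Constructed sample in the ACE CLI style used in this thread. The policy-map
# deliberately references a class that is never defined, to exercise the check.
SAMPLE_CONFIG = """
access-list TCP-Timeout-Group line 10 extended permit ip 10.221.178.0 0.0.0.255 any
access-list TCP-Timeout-Group line 20 extended permit ip any 10.221.178.0 0.0.0.255
parameter-map type connection TCP-Parameter-Map
  set timeout inactivity 0
class-map match-any TCP-Timeout-Class
  2 match access-list TCP-Timeout-Group
policy-map multi-match TCP-Timeout-Out-Policy
  class TCP-Timeout-Out-Class
    connection advanced-options TCP-Parameter-Map
"""

def check_ace_config(text: str) -> List[str]:
    # Returns human-readable findings for dangling or contradictory references.
    acls: Set[str] = set()
    pmaps: Set[str] = set()
    classes: Dict[str, List[str]] = {}   # class-map name -> referenced ACL names
    types: Dict[str, str] = {}           # class-map name -> match-all | match-any
    findings: List[str] = []
    cls = policy = None                  # current class-map / policy-map context
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"access-list (\S+)", line):
            acls.add(m.group(1)); cls = policy = None
        elif m := re.match(r"parameter-map type connection (\S+)", line):
            pmaps.add(m.group(1)); cls = policy = None
        elif m := re.match(r"class-map (match-all|match-any) (\S+)", line):
            cls, policy = m.group(2), None
            classes[cls], types[cls] = [], m.group(1)
        elif m := re.match(r"policy-map multi-match (\S+)", line):
            policy, cls = m.group(1), None
        elif cls and (m := re.match(r"(?:\d+ )?match access-list (\S+)", line)):
            classes[cls].append(m.group(1))          # optional sequence number
        elif policy and (m := re.match(r"class (\S+)", line)):
            if m.group(1) not in classes:
                findings.append(f"policy-map {policy}: class {m.group(1)} is not defined")
        elif policy and (m := re.match(r"connection advanced-options (\S+)", line)):
            if m.group(1) not in pmaps:
                findings.append(f"policy-map {policy}: parameter-map {m.group(1)} is not defined")
    for name, refs in classes.items():
        for acl in refs:
            if acl not in acls:
                findings.append(f"class-map {name}: access-list {acl} is not defined")
        if types[name] == "match-all" and len(refs) > 1:
            findings.append(f"class-map {name}: match-all requires every listed ACL to match the same flow")
    return findings
```

Running it on the sample reports the undefined class; renaming the policy-map's class line to the defined class-map clears the finding.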


tj.mitchell Wed, 05/21/2008 - 10:19

Agreed, you should use the match-any, as the match-all will need to match both ACLs. Apply it globally and, if it works, then apply it to the interfaces.


Also, I would change the 2nd ACL to a different name since the traffic is in reverse of the first ACL.


Hope it works..


HTH

d-fillmore Thu, 05/22/2008 - 00:17

Thanks for your comments guys, but the ACLs are both named differently, so the match all should only be matching one ACL at a time.


I agree with the point that the service policy could be applied globally, though.
