Class-map for CSC ignores

Unanswered Question
Jul 18th, 2008
User Badges:

I have an application that is getting blocked by the Trend Micro CSC under the http class map. I need it to ignore http traffic from a 172.16.1.0/24, and allow all else. I haven't worked with class maps much, but my thinking is an ACL with the IP subnet, and a match statement under the class map, but where I have the question is, will the ACL be


permit ip 172.16.1.0 255.255.255.0 any

deny ip any any


or the other way around?


deny ip 172.16.1.0 255.255.255.0 any

permit ip any any

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Marwan ALshawi Fri, 07/18/2008 - 07:51
User Badges:
  • Purple, 4500 points or more
  • Community Spotlight Award,

    Best Publication, December 2015

with class-maps

permit ACL mean match

deny mean ignore

in ur case

deny traffic from the 172.16.1.0/24 to any

then permit any


good luck

and rate if helpful

tahequivoice Fri, 07/18/2008 - 08:17
User Badges:

OK I think I got it, havent applied it yet.


access-list CSC-Ignore extended deny tcp 172.16.1.0 255.255.255.0 192.168.0.0 255.255.248.0 eq www

access-list CSC-Ignore extended permit tcp any any eq www

!

class-map http

match access-list CSC-Ignore

Marwan ALshawi Fri, 07/18/2008 - 19:51
User Badges:
  • Purple, 4500 points or more
  • Community Spotlight Award,

    Best Publication, December 2015

thats right

but upong the ACL u have writen above u will ignore web traffic from 172.16.1.0/24 to 192.168.0.0

and will match any other web traffic

but nothing else

i mean no smtp,pop3 or ftp

if u want to match any thing else after the deny or ignore statement

u have to make permit ip any any


after u match it with class-map


apply it to a policy map


like polic-map global_policy (which is the default global policy)


class-map (ur calss-map name)

csc fail-open


then

service-policy global_policy global


in this case it will be applied to all interfaces


good luck


Rate if helpful

Actions

This Discussion