Difference between policy map match types

cisco_realm (Level 1)

Hi,

What is the difference between the multi-match and first-match match types within policy-map commands? The command reference guide isn't quite clear. A reply with examples would be great.

Rgds.

2 Accepted Solutions


There are multiple types of policies used by ACE, e.g. Layer 3/4 policy, FTP inspection policy, HTTP inspection policy, HTTP load-balancing policy and management policy.

The match type under the policy definition controls what action(s) are taken if traffic is classified by multiple class-maps in a policy.

There are 3 match types:

all-match: the actions assigned to all matching class-maps are performed on the packet. Mostly used with the HTTP inspect policy.

first-match: the actions assigned to the first matching class-map are performed on the packet. Used with the FTP inspect policy, the HTTP load-balance policy and the management policy.

multi-match: in ACE you can define multiple types of class-maps, e.g. class-maps for traffic inspection, class-maps for NAT and class-maps for load balancing. If you define multiple class-maps (of several types, for inspection, NAT and LB) under a policy, then the multi-match type ensures that the action is performed on a first-match basis for each type of class-map.

For example, if a policy map has 3 NAT classes and 4 LB classes and multi-match is the configured match type, then only the actions associated with the first matching NAT class and the first matching LB class will be taken (hence it is called multi-match).

This match type is only used with the L3/L4 policy, which is one of the two policy types (the management policy is the other) that can be applied to a VLAN interface.

HTH

Syed Iftekhar Ahmed


It's the action associated under the class that defines which feature the class is associated with.

In the following example the action "loadbalance" tells us that it's an LB class; similarly "nat dynamic" and "inspect http" define these classes as HTTP inspect and NAT classes.

policy-map multi-match Syed-policy
  class class-4-LB
    loadbalance policy App1
    loadbalance vip inservice
  class class-4-NAT
    nat dynamic 10 vlan 100
  class class-4-Inspection
    inspect http

Hope this helps

Syed Iftekhar Ahmed


4 Replies

multi-match is the policy that you install on the client facing interface itself, and by definition it can match multiple classes. As each class has its own VIP, this is obviously necessary. first-match is used for the loadbalance policy, which is referenced in a specific VIP class for the overall policy, and usually only contains a class-default anyway.


I am going through a certified Cisco configuration and I can see that a policy-map with multi-match has multiple classes originally defined with first-match that have 'match virtual address' statements.

So, within a multi-match definition, how does it identify whether the class-map is for LB and/or NAT? Is it due to the match virtual address statement under the class-map?

And if the multi-match policy only refers to LB classes, then I believe first-match should be used, because any single flow cannot hit various VIPs in one go.

Rgds.
