08-24-2008 10:04 AM
hi,
What is the difference between the multi-match and first-match match types within policy-map commands? The command reference guide isn't quite clear. A reply with examples would be great.
Rgds.
08-24-2008 11:00 AM
multi-match is the policy that you install on the client facing interface itself, and by definition it can match multiple classes. As each class has its own VIP, this is obviously necessary. first-match is used for the loadbalance policy, which is referenced in a specific VIP class for the overall policy, and usually only contains a class-default anyway.
08-24-2008 11:21 PM
There are multiple types of policies used by ACE, e.g. Layer 3/4 policy, FTP inspection policy, HTTP inspection policy, HTTP load-balancing policy and management policy.
The match-type under the policy definition controls what action(s) are taken "if traffic is classified by multiple class-maps" in a policy.
There are 3 match types:
all-match: actions assigned to all matching class-maps are performed on the packet. Mostly used with HTTP Inspect policy.
first-match: actions assigned to the first matching class-map are performed on the packet. Used with "FTP Inspect", "HTTP Loadbalance policy" & "Management policy".
Multi-match policy: In ACE you can define multiple types of class-maps, e.g. "class-maps for traffic inspection", "class-maps for NAT" & "class-maps for load balancing". If you define multiple class-maps (where there are multiple types of class-maps for inspection, NAT & LB) under a policy, then the multi-match type ensures that the action is performed on a first-match basis for each type of class-map.
E.g. if a policy map has 3 NAT classes and 4 LB classes and multi-match is the match type configured for the policy, then only the action associated with the first matching NAT class and the first matching LB class will be taken. (Hence it's called multi-match.)
This match-type is only used with the L3/L4 policy, which is one of the two policy types (management policy is the other policy type) that can be applied to the VLAN interface.
HTH
Syed Iftekhar Ahmed
08-25-2008 02:24 AM
I am going through a certified Cisco configuration and I can see that a policy-map with multi-match has multiple classes originally defined with first-match that have 'match virtual address' statements.
So, within the multi-match definition, how does it identify whether the class-map is for LB and/or NAT'ing? Is it due to the match virtual address statement under the class-map?
And if the multi-match policy only refers to LB classes, then I believe first-match should be used. Coz any single flow cannot hit various VIPs in one go.
Rgds.
08-25-2008 10:36 AM
It's the action associated under the class that defines which feature the class is associated with.
In the following example, the action "loadbalance" tells us that it's an LB class; similarly "nat dynamic" & "inspect HTTP" define these classes as HTTP Inspect & NAT classes.

policy-map multi-match Syed-policy
  class class-4-LB
    loadbalance policy App1
    loadbalance vip inservice
  class class-4-NAT
    nat dynamic 10 vlan 100
  class class-4-Inspection
    inspect http

Hope this helps
Syed Iftekhar Ahmed
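
Added example, not part of the original thread and not Cisco's code: a small Python model of the three match types as the answers above describe them, where the action keyword under each class decides its feature and multi-match applies first-match per feature. The class class-4-NAT-2, the FEATURES table and the function names are assumptions made for the illustration.

```python
# Simplified model of ACE policy-map match types (illustration only).
# CONFIG is constructed sample input in the style of the thread's example;
# class-4-NAT-2 is added so that two classes of one feature can match.
CONFIG = """\
policy-map multi-match Syed-policy
  class class-4-LB
    loadbalance policy App1
    loadbalance vip inservice
  class class-4-NAT
    nat dynamic 10 vlan 100
  class class-4-NAT-2
    nat dynamic 20 vlan 100
  class class-4-Inspection
    inspect http
"""

# Assumption: the first keyword of an action names the feature of its class.
FEATURES = {"loadbalance": "LB", "nat": "NAT", "inspect": "Inspect"}

def parse_policy(text):
    """Return (match_type, [(class_name, feature, actions)]) in config order."""
    match_type, classes = None, []
    for line in text.splitlines():
        words = line.split()
        if not words:
            continue
        if words[0] == "policy-map":
            match_type = words[-2]          # keyword just before the policy name
        elif words[0] == "class":
            classes.append([words[1], None, []])
        elif classes:                       # action line under the latest class
            classes[-1][1] = FEATURES.get(words[0], words[0])
            classes[-1][2].append(" ".join(words))
    return match_type, [tuple(c) for c in classes]

def resolve(match_type, classes, matching):
    """Actions applied to traffic that is classified by the classes in `matching`."""
    applied, seen = [], set()
    for name, feature, actions in classes:
        if name not in matching:
            continue
        if match_type == "multi-match" and feature in seen:
            continue                        # this feature already had its first match
        applied.extend(actions)
        seen.add(feature)
        if match_type == "first-match":
            break                           # only the first matching class counts
    return applied                          # all-match falls through: every class applies
```

Reordering the class lines in CONFIG changes which NAT action wins under multi-match, which is the practical reason class order matters in an L3/L4 policy.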