first-match and multi-match

NAVIN PARWAL (Level 2)

Folks,

Can someone help me understand these commands?

First match means that as soon as the first match is made, the ACE code will take an action? Isn't that the default behavior in a policy map anyway?

What does multi-match mean? Does it mean multiple matches?

I am very confused about the command "loadbalance vip inservice". Does it bring the VIP in service or start load balancing if the VIP is in service? Why use this command?

Accepted Solution

Sean Merrow (Level 4)

Hello,

Layer 7 policy-maps use the first-match parameter. This is just what you thought. It means that the first match that the incoming traffic matches under the policy-map will make that a match to this policy-map. No other match statements will be compared to the traffic at that point.

Layer 3/4 policy-maps use the multi-match parameter. This is because client traffic may match more than one layer 3/4 class-map under the policy-map. The ACE will check to see if the client traffic matches each one of the classes under the policy-map, but only once for each feature. Features include loadbalancing, NAT, inspection, etc.

Example:

policy-map multi-match L34-POLICY-MAP
  class SITE_1
    loadbalance policy L7-POLICY-MAP-1
    loadbalance vip inservice
  class NAT_1
    nat dynamic 10 vlan 100
  class INSPECTION_1
    inspect http
  class SITE_2
    loadbalance policy L7-POLICY-MAP-2
    loadbalance vip inservice
  class NAT_2
    nat dynamic 20 vlan 200

In the above config example, if a client matches the class-map SITE_1, then it will also be checked against the NAT_1 class-map to see if NAT should be performed, and it will be checked to see if it matches the INSPECTION_1 class-map to see if inspection should be performed. All three features may be used if the traffic matches all the class-maps. The ACE will only check for a feature once, though. So if the client traffic does not match the NAT_1 class-map, then it will be checked to see if it matches class-map NAT_2, but if it does match NAT_1, then it will not be checked for a match to any other NAT class-maps.

The 'loadbalance vip inservice' command line simply places the VIP in service. To take the VIP out of service so that it will stop accepting connections, you would use the command 'no loadbalance vip inservice'.

Regards,

Sean
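The evaluation rules in the answer above, modelled as a small Python simulator. This is an added illustration, not code from the post or from the ACE itself: class-maps are predicates over a flow, each class carries the feature its actions belong to, and the evaluator applies first-match (stop at the first matching class) or multi-match (check every class, but let the first matching class that offers a feature decide that feature). The VIP addresses, source subnets, the L7 URL classes and the serverfarm names are constructed for the example; the L3/4 policy mirrors the L34-POLICY-MAP in the answer.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List

Flow = Dict[str, object]
Matcher = Callable[[Flow], bool]


@dataclass
class ClassEntry:
    """One 'class' line of a policy-map: a class-map predicate plus its actions."""
    name: str
    match: Matcher
    actions: Dict[str, str]  # feature -> action, e.g. {"nat": "dynamic 10 vlan 100"}


@dataclass
class PolicyMap:
    name: str
    mode: str  # "first-match" (layer 7) or "multi-match" (layer 3/4)
    classes: List[ClassEntry] = field(default_factory=list)

    def evaluate(self, flow: Flow) -> Dict[str, str]:
        """Return the actions applied to this flow, keyed by feature name."""
        applied: Dict[str, str] = {}
        for entry in self.classes:
            if not entry.match(flow):
                continue
            if self.mode == "first-match":
                # Layer 7: the first matching class wins outright; no further classes are tried.
                return dict(entry.actions)
            # Layer 3/4 multi-match: every class is checked, but each feature is
            # decided once, by the first matching class that offered it.
            for feature, action in entry.actions.items():
                applied.setdefault(feature, action)
        return applied


# Constructed class-map predicates (assumed shapes, not ACE match syntax).
def dst_is(vip: str, port: int) -> Matcher:
    return lambda f: f["dst"] == vip and f["dport"] == port


def src_in(cidr: str) -> Matcher:
    net = ip_network(cidr)
    return lambda f: ip_address(str(f["src"])) in net


def dport_is(port: int) -> Matcher:
    return lambda f: f["dport"] == port


def url_startswith(prefix: str) -> Matcher:
    return lambda f: str(f.get("url", "")).startswith(prefix)


def build_l34_policy() -> PolicyMap:
    """Mirror of L34-POLICY-MAP from the answer; VIPs and subnets are constructed."""
    return PolicyMap("L34-POLICY-MAP", "multi-match", [
        ClassEntry("SITE_1", dst_is("192.0.2.10", 80),
                   {"loadbalance": "policy L7-POLICY-MAP-1"}),
        ClassEntry("NAT_1", src_in("10.1.0.0/16"), {"nat": "dynamic 10 vlan 100"}),
        ClassEntry("INSPECTION_1", dport_is(80), {"inspect": "http"}),
        ClassEntry("SITE_2", dst_is("192.0.2.20", 80),
                   {"loadbalance": "policy L7-POLICY-MAP-2"}),
        ClassEntry("NAT_2", src_in("10.0.0.0/8"), {"nat": "dynamic 20 vlan 200"}),
    ])


def build_l7_policy() -> PolicyMap:
    """Constructed layer 7 first-match policy with overlapping URL classes."""
    return PolicyMap("L7-POLICY-MAP-1", "first-match", [
        ClassEntry("IMAGES", url_startswith("/images/"), {"serverfarm": "SF-STATIC"}),
        ClassEntry("ANY_URL", url_startswith("/"), {"serverfarm": "SF-APP"}),
    ])


if __name__ == "__main__":
    l34, l7 = build_l34_policy(), build_l7_policy()
    # Source is inside both NAT_1 and NAT_2, but only NAT_1's action is applied.
    print(l34.evaluate({"src": "10.1.5.5", "dst": "192.0.2.10", "dport": 80}))
    # Source misses NAT_1, so NAT_2 is consulted and its action is applied.
    print(l34.evaluate({"src": "10.2.5.5", "dst": "192.0.2.20", "dport": 80}))
    # URL matches both L7 classes; first-match stops at IMAGES.
    print(l7.evaluate({"url": "/images/logo.png"}))
```

The second flow is the case the answer spells out: because NAT_1 did not match, NAT_2 still gets a chance, while in the first flow NAT_2 also matches but is ignored because the NAT feature was already decided. Swapping the L3/4 policy's mode to "first-match" would show why that is wrong for layer 3/4: a flow hitting SITE_1 would never reach the NAT or inspection classes.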
