How does a policy-map process multiple class-maps associated with it?

Difan Zhao
Level 5

Hi experts!

I got a request from my boss to block different websites for different source IPs. I was able to block the same websites for all the IPs. Then I thought that I just needed to "deny the special IPs" in the original class-map and create a new class-map that "permits only these special IPs". Anyway, here is my config. I want to block "monster" websites for IP 10.26.105.107 (which is my laptop, for testing purposes).

regex BLOCKURLLIST01 "\.facebook\.com"
regex BLOCKURLLIST11 "\.monster\."
regex BLOCKURLLIST02 "evony\.com"
regex BLOCKURLLIST03 "twitter\.com"
regex BLOCKURLLIST04 "youtube\.com"
regex BLOCKURLLIST05 "boutell\.com"

class-map type regex match-any CMAP_BLOCKURLLIST
match regex BLOCKURLLIST01
match regex BLOCKURLLIST02
match regex BLOCKURLLIST05
match regex BLOCKURLLIST03
match regex BLOCKURLLIST04

class-map type regex match-any CMAP_BLOCKURLLIST.1
match regex BLOCKURLLIST11

class-map type inspect http match-all CMAP_INSPECTURLLIST
match request header host regex class CMAP_BLOCKURLLIST

class-map type inspect http match-all CMAP_INSPECTURLLIST.1
match request header host regex class CMAP_BLOCKURLLIST.1

policy-map type inspect http PMAP_URLLIST
 parameters
  protocol-violation action log
 class CMAP_INSPECTURLLIST
  drop-connection log

policy-map type inspect http PMAP_URLLIST.1
 parameters
  protocol-violation action log
 class CMAP_INSPECTURLLIST.1
  drop-connection log

access-list INSPECTURL extended deny tcp host 10.26.105.107 any eq www
access-list INSPECTURL extended permit tcp any any eq www

access-list INSPECTURL.1 extended permit tcp host 10.26.105.107 any eq www

class-map CMAP_HTTP
match access-list INSPECTURL

class-map CMAP_HTTP.1
match access-list INSPECTURL.1

policy-map PMAP_INSPECTURL
 class CMAP_HTTP
  inspect http PMAP_URLLIST
 class CMAP_HTTP.1
  inspect http PMAP_URLLIST.1

service-policy PMAP_INSPECTURL interface inside

The config in blue is the old config, and it still works for the rest of the IPs. However, my laptop can now go to any website, including "monster". My regex should be fine, because once I added the #11 regex to the original class-map, nobody (except my laptop) could go to "monster" any more.

I also found that the new ACL doesn't match any www traffic from me. However the counter of the "deny" clause in the old ACL does match my traffic.

fw-dc-01(config)# sh access-list INSPECTURL
access-list INSPECTURL; 2 elements
access-list INSPECTURL line 1 extended deny tcp host 10.26.105.107 any eq www (hitcnt=369) 0xcce40994
access-list INSPECTURL line 2 extended permit tcp any any eq www (hitcnt=320948) 0x375d6ac6


fw-dc-01(config)# sh access-list INSPECTURL.1
access-list INSPECTURL.1; 1 elements
access-list INSPECTURL.1 line 1 extended permit tcp host 10.26.105.107 any eq www (hitcnt=0) 0x06b294db

That's why I'm wondering how a policy-map processes multiple class-maps. I thought that it should process them in the order of their sequence in the config. If the traffic doesn't match the first class-map, then it will be matched against the 2nd, until there is a match or no class-maps are left...

So I figured that one policy-map may only process one class-map of the same type (inspect HTTP). In order to prove my point, I changed the sequence of the class-maps in the policy-map. Now it looks like:

policy-map PMAP_INSPECTURL
 class CMAP_HTTP.1
  inspect http PMAP_URLLIST.1
 class CMAP_HTTP
  inspect http PMAP_URLLIST

As expected, I can't browse monster anymore. However, to my surprise, the rest of the IPs are still blocked from the other websites!! If the policy-map only processes the first class-map, then obviously in this test it did process the other one!! But why didn't it work in the original sequence???

Guys I'm so lost... Help!!

Thanks,

Difan

Accepted Solution

Panos Kampanakis
Cisco Employee

If the class maps match the same protocols and ip addresses then as you are saying you will be matching only the first one.

Though, in your case you are matching a class-map. You are matching the first class-map, but you are matching the deny in the ACL (it is still a match). So, you will not be subject to the first policy (deny in the ACL), but the second policy will not be evaluated either, because you matched the deny. It seems kind of strange, but I am explaining how the feature works. There has been an enhancement request for this, but I don't think that it has been fixed.

I hope it clarifies it.

PK


3 Replies

Hi PK,

Thanks for the quick response! I think I got your point: if there is a match (no matter whether it's a permit or a deny) in the previous class-map, the next class-map won't run. However, just curious, every ACL has an implied "deny any any" at the end of the list. So I guess this last "deny" clause won't "match" anything in the class-map then??

Thanks!

That is exactly it. The implicit deny in the ACL doesn't play in the class-maps.

Take care,

PK
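The following is an added model of the class-map selection behaviour PK describes above; it is not code from the thread or from Cisco, and the ASA itself does not work this way internally. It encodes the two rules from the answers: a flow is assigned to the first class-map whose ACL has an explicit ACE hit, permit or deny (a deny ACE claims the flow without applying the class action, and later class-maps are not evaluated), while the ACL's implicit "deny any any" does not count as a class match. Addresses, port and names come from the thread's config; the destination address and the second host are constructed sample values.

```python
"""Model of how an ASA Layer 3/4 policy-map selects a class-map for a flow.

Added example illustrating the thread's explanation, not Cisco code.
Rules modelled:
  * class-maps are walked in policy-map order, first explicit ACE hit wins;
  * a permit ACE -> class matched, its action is applied;
  * a deny ACE   -> class matched (flow claimed), no action, evaluation stops;
  * falling off the end of the ACL (implicit deny) -> not a match, try next.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Ace:
    action: str            # "permit" or "deny"
    src: str               # CIDR or "any"
    dst: str               # CIDR or "any"
    dport: Optional[int]   # None matches any destination port

    def matches(self, src: str, dst: str, dport: int) -> bool:
        def in_net(addr: str, net: str) -> bool:
            return net == "any" or ip_address(addr) in ip_network(net, strict=False)
        return (in_net(src, self.src) and in_net(dst, self.dst)
                and (self.dport is None or self.dport == dport))


@dataclass
class ClassMap:
    name: str
    acl: List[Ace]   # ACEs evaluated top-down, as in the ASA ACL
    action: str      # action the policy-map attaches to this class


def classify(policy: List[ClassMap], src: str, dst: str, dport: int) -> Tuple[Optional[str], Optional[str]]:
    """Return (class_name, action_applied) for a flow, or (None, None) for class-default."""
    for cmap in policy:
        for ace in cmap.acl:
            if ace.matches(src, dst, dport):
                if ace.action == "permit":
                    return cmap.name, cmap.action
                # Explicit deny: the flow is claimed by this class, so later
                # class-maps are never consulted, but the action is not applied.
                return cmap.name, None
        # No explicit ACE hit: the implicit deny does not claim the flow.
    return None, None


LAPTOP = "10.26.105.107"   # from the thread's config
WWW = 80                   # "eq www"

# The two class-maps from the thread, with their ACLs and inspect actions.
CMAP_HTTP = ClassMap(
    "CMAP_HTTP",
    [Ace("deny", LAPTOP + "/32", "any", WWW), Ace("permit", "any", "any", WWW)],
    "inspect http PMAP_URLLIST",
)
CMAP_HTTP_1 = ClassMap(
    "CMAP_HTTP.1",
    [Ace("permit", LAPTOP + "/32", "any", WWW)],
    "inspect http PMAP_URLLIST.1",
)

ORIGINAL_ORDER = [CMAP_HTTP, CMAP_HTTP_1]   # the configuration that failed
REORDERED = [CMAP_HTTP_1, CMAP_HTTP]        # the configuration that worked

if __name__ == "__main__":
    web_server = "203.0.113.10"   # constructed sample destination
    for label, policy in (("original", ORIGINAL_ORDER), ("reordered", REORDERED)):
        for host in (LAPTOP, "10.26.105.50"):   # second host is a constructed sample
            print(label, host, classify(policy, host, web_server, WWW))
```

In the original order the laptop's flow hits the deny ACE of INSPECTURL, which is why that counter increments, CMAP_HTTP is treated as matched with no inspection, and INSPECTURL.1 never sees the traffic. Reversing the order lets the laptop match CMAP_HTTP.1 first while every other host falls through its ACL (implicit deny, no match) and is still inspected under CMAP_HTTP.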
