Cisco Support Community
New Member

Class-map for CSC ignores

I have an application that is getting blocked by the Trend Micro CSC under the http class map. I need it to ignore HTTP traffic from 172.16.1.0/24, and allow all else. I haven't worked with class maps much, but my thinking is an ACL with the IP subnet and a match statement under the class map. Where I have a question is: will the ACL be

permit ip 172.16.1.0 255.255.255.0 any

deny ip any any

or the other way around?

deny ip 172.16.1.0 255.255.255.0 any

permit ip any any

3 REPLIES

Re: Class-map for CSC ignores

With class-maps,

a permit in the ACL means match

and a deny means ignore.

In your case,

deny traffic from 172.16.1.0/24 to any,

then permit any.

good luck

and rate if helpful

New Member

Re: Class-map for CSC ignores

OK, I think I got it, haven't applied it yet.

access-list CSC-Ignore extended deny tcp 172.16.1.0 255.255.255.0 192.168.0.0 255.255.248.0 eq www

access-list CSC-Ignore extended permit tcp any any eq www

!

class-map http

match access-list CSC-Ignore

Re: Class-map for CSC ignores

That's right,

but with the ACL you have written above you will ignore web traffic from 172.16.1.0/24 to 192.168.0.0

and will match any other web traffic,

but nothing else.

I mean no SMTP, POP3 or FTP.

If you want to match anything else after the deny or ignore statement,

you have to make a permit ip any any.

After you match it with the class-map,

apply it to a policy map,

like policy-map global_policy (which is the default global policy)

class (your class-map name)

csc fail-open

then

service-policy global_policy global

in this case it will be applied to all interfaces

good luck

Rate if helpful
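
The first-match behaviour discussed in the replies, modelled in Python as an added example (not code from any poster and not ASA software): a permit entry puts a flow into the class that is handed to the CSC module, while a deny entry or no matching entry leaves it out. The names sent_to_csc, classify and REVERSED and all sample addresses are constructed for illustration.

```python
import ipaddress

ANY = "0.0.0.0/0"
# Constructed model of the thread's CSC-Ignore ACL:
# (action, source, destination, tcp_port); "www" is TCP port 80.
CSC_IGNORE = [
    ("deny", "172.16.1.0/255.255.255.0", "192.168.0.0/255.255.248.0", 80),
    ("permit", ANY, ANY, 80),
]
# The other ordering from the question ("permit subnet, deny any");
# port None stands for "ip", i.e. any port.
REVERSED = [
    ("permit", "172.16.1.0/255.255.255.0", ANY, None),
    ("deny", ANY, ANY, None),
]

def _in(addr, net):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net)

def sent_to_csc(acl, src, dst, dport):
    """First-match evaluation for 'match access-list' in a class-map.
    permit: flow is in the class and goes to the CSC module.
    deny, or no entry matching (implicit deny): flow is not in the class."""
    for action, src_net, dst_net, port in acl:
        if _in(src, src_net) and _in(dst, dst_net) and port in (None, dport):
            return action == "permit"
    return False

# Constructed sample flows: (source, destination, destination TCP port).
FLOWS = [
    ("172.16.1.25", "192.168.3.10", 80),   # exempt subnet to 192.168.0.0/21
    ("172.16.1.25", "192.168.8.10", 80),   # same source, just outside the /21
    ("172.16.1.25", "203.0.113.5", 80),    # same source, other destination
    ("10.1.1.1", "192.168.3.10", 80),      # any other web client
    ("10.1.1.1", "192.168.3.10", 25),      # SMTP: no entry matches
]

def classify(acl):
    return [sent_to_csc(acl, *flow) for flow in FLOWS]

if __name__ == "__main__":
    for flow, a, b in zip(FLOWS, classify(CSC_IGNORE), classify(REVERSED)):
        print(flow, "CSC-Ignore:", "scan" if a else "bypass",
              "| reversed:", "scan" if b else "bypass")
```

With the posted ACL, the 172.16.1.0/24 hosts bypass scanning only toward 192.168.0.0 255.255.248.0; their web traffic to any other destination is still scanned.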
