Cisco Support Community
Bronze

Policy map rules

I read that "Only one policy map can be applied to a specific interface". What if you are already using the default policy map and want to create one for your AIP-SSM and one for the current ACL?

1 REPLY
Silver

Re: Policy map rules

The default policy map is the "global" policy-map. If you want to send the traffic on all interfaces through the SSM module, you don't need to create a new policy-map; you only need to create the class matching the traffic you need to send via the SSM module. Then you can include this class also in the policy-map applied globally.

With the above said, assuming you have the default policy-map config, if I implement the following commands to divert all traffic via the SSM module:

    access-list ips-acl permit ip any any
    class-map ips-class
     match access-list ips-acl
    policy-map global_policy
     class ips-class
      ips inline fail-open

Thus the final policy-map configuration would look like:

    policy-map global_policy
     class inspection_default
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
     class ips-class
      ips inline fail-open
    service-policy global_policy global

Alternatively, I can apply the ips class to an altogether new policy-map, but I can't apply this policy-map globally. I can apply the new policy-map to a particular interface though.

Hope that helps.

Regards,

Vibhor.
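
An added example, not part of the reply above and not Cisco tooling: a small Python check over a saved ASA configuration that enforces the rule discussed in this thread (one `service-policy` globally, one per interface) and reports where IPS redirection is configured. The sample configuration is constructed; `outside_policy` and the interface name `outside` are assumed names.

```python
import re

# Constructed sample: the reply's configuration (shortened) plus a
# hypothetical interface policy; "outside_policy"/"outside" are assumed names.
SAMPLE = """\
access-list ips-acl permit ip any any
class-map ips-class
 match access-list ips-acl
policy-map global_policy
 class inspection_default
  inspect esmtp
 class ips-class
  ips inline fail-open
policy-map outside_policy
 class ips-class
  ips inline fail-close
service-policy global_policy global
service-policy outside_policy interface outside
"""

def audit(config):
    """Return (bindings, ips_actions, problems) for ASA configuration text."""
    policy = cls = None
    ips = {}        # (policy-map, class) -> (mode, failure behaviour)
    bindings = {}   # "global" or interface name -> policy-map
    problems = []
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"policy-map (\S+)", line):
            policy, cls = m.group(1), None
        elif policy and (m := re.fullmatch(r"class (\S+)", line)):
            cls = m.group(1)
        elif policy and cls and (m := re.match(
                r"ips (inline|promiscuous) (fail-open|fail-close)\b", line)):
            ips[(policy, cls)] = m.groups()
        elif m := re.fullmatch(r"service-policy (\S+) (global|interface (\S+))", line):
            policy = cls = None
            target = m.group(3) or "global"
            if target in bindings:   # only one policy-map per target
                problems.append(f"second service-policy for {target}: {m.group(1)}")
            else:
                bindings[target] = m.group(1)
        elif not raw.startswith(" "):
            policy = cls = None      # any other top-level command ends the block
    for (pm, c), (mode, fail) in ips.items():
        if pm not in bindings.values():
            problems.append(f"{pm}/{c}: IPS class in a policy-map that is not applied")
        if fail == "fail-open":
            problems.append(f"{pm}/{c}: fail-open passes traffic uninspected if the SSM is down")
    return bindings, ips, problems
```

Running `audit(SAMPLE)` reports one finding, the `fail-open` class in `global_policy`; appending a second `service-policy ... global` line produces the duplicate-binding finding.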
