Archive for the ‘Generic Firewalling’ Category

Class, class-map, policy-map

Posted: November 5, 2013 in Generic Firewalling
0

ip access-list extended TTL    
permit ip host 172.16.1.1 any ttl lt 2

 

class-map acl-filter-class

# match access-group name TTL

 

policy-map acl-filter
class acl-filter-class

drop

 

control-plane
service-policy input acl-filter

The following example configures a traffic class called acl-filter-class for use in a policy map called acl-filter. An access list permits IP packets from any source having a TTL of 0 or 1. Any packets matching the access list are dropped.
The policy map is attached to the control plane.

!– defines an IP access list that filters on a TTL value; it must be an extended access list.
ip access-list extended TTL    !–Every access list must have at least one permit statement.!–This access-list sets conditions to allow a packet to pass a named IP access list.
!–This example permits packets from source 172.16.1.1 to any destination with a TTL value less than 2. Any packets that pass the access list are dropped in policy. This special access list is separate from any interface access list.
#permit ip host 172.16.1.1 any ttl lt 2!– Creates a class map to be used for matching packets to a specified class.
#class-map acl-filter-class!– Configures the match criteria for a class map on the basis of the specified access control list.

     # match access-group name TTL!– Creates or modifies a policy map that can be attached to one or more interfaces to specify a service policy.

policy-map acl-filter!– Specifies the name of the class whose policy you want to create or change or to specify the default class (commonly known as the class-default class) before you configure its policy.

class acl-filter-class!– Configures a traffic class to discard packets belonging to a specific class.

drop!– Associates or modifies attributes or parameters that are associated with the control plane of the device.

control-plane

!– Attaches a policy map to a control plane for aggregate control plane services.Router(config-cp)# service-policy input acl-filter