Nested Class Map Support for Zone-Based Policy Firewall
The Nested Class Map Support for Zone-Based Policy Firewall feature lets the Cisco IOS XE firewall treat multiple traffic classes (also called nested class maps or hierarchical class maps) as a single traffic class. When packets must be classified against more than one match criterion, you can configure several class maps and reference them from a single traffic policy. The Cisco IOS XE firewall supports up to three levels of class map hierarchy.
- Finding Feature Information
- Prerequisites for Nested Class Map Support for Zone-Based Policy Firewall
- Information About Nested Class Map Support for Zone-Based Policy Firewall
- How to Configure Nested Class Map Support for Zone-Based Policy Firewall
- Configuration Examples for Nested Class Map Support for Zone-Based Policy Firewall
- Additional References for Nested Class Map Support for Zone-Based Policy Firewall
- Feature Information for Nested Class Map Support for Zone-Based Policy Firewall
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Prerequisites for Nested Class Map Support for Zone-Based Policy Firewall
Before configuring nested class maps, you should be familiar with the modular Quality of Service (QoS) CLI (MQC).
Information About Nested Class Map Support for Zone-Based Policy Firewall
Nested Class Maps
In Cisco IOS XE Release 3.5S and later releases, you can configure multiple traffic classes (also called nested class maps or hierarchical class maps) as a single traffic class. When packets must be classified against more than one match criterion, you can configure several class maps and reference them from a single traffic policy. Class maps are nested with the match class-map command. Nesting is also the only way to combine match-any and match-all semantics within a single traffic class: for example, a match-all class map that references a match-any class map and an access group classifies a packet only if the packet matches one of the nested protocols and also matches the access group.
match-all and match-any Keywords of the class-map Command
Use the match-all keyword when all match criteria in the traffic class must be met to place a packet in the specified traffic class.
Use the match-any keyword when only one of the match criteria in the traffic class must be met to place a packet in the specified traffic class.
If you do not specify the match-all keyword or the match-any keyword, the traffic class behaves in a manner that is consistent with the match-all keyword.
How to Configure Nested Class Map Support for Zone-Based Policy Firewall
Configuring a Two-Layer Nested Class Map
1. enable
2. configure terminal
3. class-map type inspect match-any class-map-name
4. match protocol protocol-name
5. exit
6. class-map type inspect match-any class-map-name
7. match protocol protocol-name
8. exit
9. class-map type inspect match-any class-map-name
10. match class-map class-map-name
11. match class-map class-map-name
12. end

Steps 3 through 8 create the two child class maps; steps 9 through 11 create the parent class map that references both children. Class maps referenced from a policy map of type inspect must themselves be created with the type inspect keyword.
Configuring a Policy Map for a Nested Class Map
1. enable
2. configure terminal
3. policy-map type inspect policy-map-name
4. class type inspect class-map-name
5. inspect
6. end

In step 4, class-map-name is the parent (top-level) nested class map; the inspect action in step 5 then applies to every packet classified by any level of the hierarchy.
Attaching a Policy Map to a Zone Pair
1. enable
2. configure terminal
3. zone security zone-name
4. exit
5. zone security zone-name
6. exit
7. zone-pair security zone-pair-name source source-zone-name destination destination-zone-name
8. service-policy type inspect policy-map-name
9. exit
10. interface type number
11. zone-member security zone-name
12. end

Repeat steps 10 and 11 for at least one interface in each zone. The zone pair is directional: the policy attached in step 8 governs traffic initiated from the source zone toward the destination zone.
Configuration Examples for Nested Class Map Support for Zone-Based Policy Firewall
Example: Configuring a Two-Layer Nested Class Map
Router# configure terminal
Router(config)# class-map type inspect match-any child1
Router(config-cmap)# match protocol tcp
Router(config-cmap)# exit
Router(config)# class-map type inspect match-any child2
Router(config-cmap)# match protocol udp
Router(config-cmap)# exit
Router(config)# class-map type inspect match-any parent
Router(config-cmap)# match class-map child1
Router(config-cmap)# match class-map child2
Router(config-cmap)# end
Example: Configuring a Policy Map for a Nested Class Map
Router# configure terminal
Router(config)# policy-map type inspect pmap
Router(config-pmap)# class type inspect parent
Router(config-pmap-c)# inspect
Router(config-pmap-c)# end
Example: Attaching a Policy Map to a Zone Pair
Router# configure terminal
Router(config)# zone security source-zone
Router(config-sec-zone)# exit
Router(config)# zone security destination-zone
Router(config-sec-zone)# exit
Router(config)# zone-pair security secure-zone source source-zone destination destination-zone
Router(config-sec-zone-pair)# service-policy type inspect pmap
Router(config-sec-zone-pair)# exit
Router(config)# interface gigabitethernet 0/0/1
Router(config-if)# zone-member security source-zone
Router(config-if)# end
This example places only one interface in source-zone; assign at least one interface to destination-zone in the same way (not shown). Traffic between two zones is dropped unless a zone pair with a policy exists for that direction; because pmap inspects, return traffic for sessions initiated from source-zone is permitted without a second zone pair.
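The examples above stop at two levels of match-any nesting. The following configuration is an added example, not part of the original module, that carries the same procedure through the supported third level and uses a match-all class map to combine an access group with a match-any protocol class, which is the match-any/match-all combination the Information section says is reachable only through match class-map. The class-map, policy-map, zone, zone-pair and ACL names, the 10.1.1.0/24 administrator subnet and the interface numbers are assumptions chosen for illustration.

```cisco
! Added example (not from the original module); all names, addresses and
! interface numbers below are assumptions.
!
! Level 1: leaf class maps, each an OR of protocols.
class-map type inspect match-any WEB-PROTOCOLS
 match protocol http
 match protocol https
class-map type inspect match-any MGMT-PROTOCOLS
 match protocol ssh
 match protocol ntp
!
! Assumed ACL: hosts allowed to originate management sessions.
ip access-list extended ADMIN-HOSTS
 permit ip 10.1.1.0 0.0.0.255 any
!
! Level 2: AND a match-any class with an ACL. A packet lands here only
! if it is ssh OR ntp, AND its source address is in ADMIN-HOSTS.
class-map type inspect match-all ADMIN-MGMT
 match class-map MGMT-PROTOCOLS
 match access-group name ADMIN-HOSTS
!
! Level 3: OR the two branches. PERMITTED-OUTBOUND -> ADMIN-MGMT ->
! MGMT-PROTOCOLS is the three-level maximum the module documents.
class-map type inspect match-any PERMITTED-OUTBOUND
 match class-map WEB-PROTOCOLS
 match class-map ADMIN-MGMT
!
! Inspect what the hierarchy classifies; drop and log everything else.
policy-map type inspect INSIDE-TO-OUTSIDE
 class type inspect PERMITTED-OUTBOUND
  inspect
 class class-default
  drop log
!
! Zones, the directional inside-to-outside zone pair, and membership
! for one interface in each zone.
zone security INSIDE
zone security OUTSIDE
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE
interface GigabitEthernet0/0/0
 zone-member security INSIDE
interface GigabitEthernet0/0/1
 zone-member security OUTSIDE
!
! Verification from privileged EXEC mode:
!   show class-map type inspect PERMITTED-OUTBOUND
!   show policy-map type inspect zone-pair IN-OUT sessions
```

Because ADMIN-MGMT is match-all, an SSH attempt from an inside host outside 10.1.1.0/24 matches MGMT-PROTOCOLS but not ADMIN-HOSTS, so it falls through to class-default and is dropped and logged, while HTTP and HTTPS from any inside host are inspected. The show class-map output displays the nested references, and the sessions keyword on show policy-map type inspect zone-pair lists the flows the inspect action has admitted.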
Additional References for Nested Class Map Support for Zone-Based Policy Firewall
Related Documents

Related Topic | Document Title
---|---
Cisco IOS commands | 
Security commands | 
Zone-based policy firewall | Zone-Based Policy Firewall

Technical Assistance

Description | Link
---|---
The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password. | 
Feature Information for Nested Class Map Support for Zone-Based Policy Firewall
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Feature Name | Releases | Feature Information
---|---|---
Nested Class Map Support for Zone-Based Policy Firewall | Cisco IOS XE Release 3.5S | The Nested Class Map Support for Zone-Based Policy Firewall feature lets the Cisco IOS XE firewall treat multiple traffic classes (also called nested class maps or hierarchical class maps) as a single traffic class. When packets must be classified against more than one match criterion, you can configure several class maps and reference them from a single traffic policy.