Cisco Class Maps, Policy Maps, and Service Policies #CCNP 350-401

Captions
At the end of the last video I mentioned that we were going to go through one of those configs that we saved, one that we copied actually, and take a look at the class maps, policy maps and all of that. While we're going to take a quick look at one of the configs that we saved, we are not going to go through this example. I've got a new one ready for you, another one ready for you on another board, that's frankly a lot smaller, because especially if you haven't seen class maps and policy maps and service policies before, and how they tie into each other, I want you to see it on a screen that isn't 47 screens long, which seems to be about how long this one is. It also has nested class maps in it, which you haven't been introduced to, and, what you see now, parameter maps, and none of that's on the CCNA Security. It's not something that we could do in just a few minutes; I'm adding enough material for you as it is. So we're going to kind of call it right there and go to a smaller example.

I will show you a couple of little introductory things here though, beyond these parameter maps and things, that you can get used to. Notice in these class maps, you know, it's kind of a long-winded command, because you've got the type of class map you've got to configure, then something called a match any, and then this long-winded name, which does kind of give you a little idea of what's going on, you know, P2P. And notice you can have more than one match statement, because in some of the logic that we've seen before, you know, it's one line and it either matches or it doesn't, but here's a class map with five different match statements in it. So, you know, what does that mean? Do we need to match any, none, some? We'll talk about that, because I've also got the live router that we've been configuring, I've got the command line for that up on the screen, and we'll do some IOS help there for you to get used to the options as well. But with this many class maps and this many values, and then a lot of match requests which you're not going to be introduced to yet, I think it's a much better idea to use a smaller example. But we will come back to this at the end, because we've got some zone pairs here I want to show you, that kind of thing. But again, the names they tend to give these aren't the most intuitive at times.

So let's go ahead and go over to our board, because what I want to do is go through the class maps again and what they do. I know we talked about it earlier, but now you've seen some of it in action, and now I want you to see it on the board and on the live equipment, and that'll really help you grasp what's going on in this entire situation. What we've got to do first is identify the traffic. Then we're going to say, here's the traffic, here's what I want to have happen to that kind of traffic. And then we've got to tie it into our zone pairs with a service-policy command. So I've already written one and I've copied and pasted that to the board, and like I said, we'll step back to the live router as well. I've got a couple of show commands for you that are on the board as well, and we can see some of the options with IOS help as well.

Now the first thing we do is write a class map, because that identifies the traffic. Let's go and bring IOS help up here, let's bring the router back up, I'm sure that's in the middle, there we go. The first thing we're going to do is run with the class map, so I'm going to show you the options here. We do need to say the type here, as you can see, because it's been mentioned about 500 times in that other config we looked at, and what we're doing here is the type inspect. I always laugh every time I say it, "e c e donkey", I don't know why, I just do. Anyway, what we're really concerned with here is right in the middle, with match-all and match-any, and we can use either one of these. And it says, you know, "logical AND all matching statements under this class map", "logical OR all matching statements under this class map". That's kind of just a, no, I wouldn't say, kind of an unclear way of saying it. Let's put it this way: it is what it sounds like. If you put match-any in a class map name, and I'll move that up a bit, if you put, excuse me, if you put match-any and you put five match statements under it, how many would you expect to have to match? One, that's it. If you say match-all, then all five would have to match for the class map to have action taken by the policy map. So you gotta watch that. That's a good troubleshooting question for an exam as well, because like I said, and we saw that in the other config, you can have 20 match statements in one class map, and if you happen to accidentally put match-all instead of match-any, that means you've got to match all 20 for the action to be taken. So that's not what we would want there, so you could just put match-any here, and then you simply name the class map.

A couple of things here: I give it an intuitive name, and you don't want to get too clever with all underscores and dashes and such. What I like to do, and what I found really helps in a lab environment, is to put anything like that, anything I'm naming, in uppercase. You know, and here the class map and the policy map and the zone pair I put in uppercase. It's not required, it's not case specific on the router, but to me, when you're trying to spot and troubleshoot your class maps, that kind of thing, when you have that in all caps, it just stands out better. So what I did there, let's go ahead and drop back to, we'll just call this one HTTP2.

And then the couple of options you have here are description, never hurts; you've got exit, match, no, and rename. Rename is a nice thing, because if you do give it a title that you didn't mean to give, and you just want to go back and say, oh, just call it WEB, you know, I could do rename and then follow with WEB and it would rename the class map, which is pretty cool. Now let's go ahead and use match, and I'll show you what you can match on here. And here we've got access-group, class-map and protocol. And you may look at that and say, wait a minute, I can match on a class map name inside a class map? Yes, you can. That's a nested class map, and it does come in handy sometimes; thankfully the scenarios that comes in handy in will be in future studies for you, you'll run into that in your CCNP Security studies I'm sure. Nesting the class maps is not something we're going to do here, so we're going to stick with match protocol. And by the way, if you use IOS help here, more IOS help, sorry about the scrolling on your screen here, this is a lot of protocols. This is probably the longest list I've ever seen on a router, but believe me, it shows you everything you could possibly want to put here. So what I would put here, since I was doing web traffic, is I would put http, and then I would just use my up arrow to repeat that command, and you've got match https there. So that's just what I have here, and it's a very simple class map. Again, the big thing to watch is match-any versus match-all.

Now policy maps do two things, and don't let this first term throw you or intimidate you, you know, "call the class map". It sounds really complicated, but it's not, but you are going to name the class map inside your policy map, as you're going to see. Actually you can see it right here on the whiteboard right now; this is what it's going to look like. When you write your policy map you have the same choices here with type and inspect, we needed to put that, and then you're just going to name your policy map. You can name it the same thing if you want to, you can call this HTTP traffic if you want to. I like to call them different things, but this is why you've got to watch your spelling and your spacing and that kind of thing, especially with your dashes, because here the very first thing I'm saying is, okay, the class that I'm calling is the class map HTTP traffic. So what I'm saying is, I am using the criteria that I defined in the class map that I called HTTP traffic to have actions taken on traffic by the policy map. Okay, that's just what we mean by calling. And then we just name the action to be taken, and here I just said inspect it, and you've got several options in there.

Actually, let's go ahead and call that back up, because I want you to see that. So let's go ahead and write that, and we'll exit out of there, and we'll call that policy map, because we've got to write it before we can see it: type inspect, and I will keep the same name, which was HTTP_POLICY. Then it drops you down into policy map config mode. On your exam, something you might want to watch, I doubt they get that detailed, but in multiple choice questions always watch your prompts, you know, there's cmap versus pmap. So let's see, we've got that, and we're going to put class type inspect http, and let me make sure I do exactly what I said I was going to do, HTTP traffic, and then it's going to drop you down into the pmap-c prompt. And this is where you can define the actions, and the actions we see here are drop, which is just drop the packet; inspect, which is what we're doing; now you can do a no there; you can pass the packet with the word pass there; police, service-policy and urlfilter. I wouldn't worry about policing or URL filter right now, but those are just the actions you can take. The main ones we're concerned with right now are drop, inspect and pass. So we did inspect there, and we would be done with our policy map at this point.

Now you get to create your security zones and your zone pairs. Remember those? We're actually coming back to those. And keep your names again simple. One of these is a pretty long-winded command, the zone-pair command, but all you're doing here is creating your two zones, and your choices, you're going to put zone security and then you're just going to name it, you know, that's it. So let's go ahead and drop out of that, and let's see, zone is a command, security is the only option there, and then naming it is your only option, you know. So I put inside and outside, and that's simply what I would put there, if I can go and do that. Now we're not going to configure a zone policy there, or security zones, let's see, we've got zone security inside and outside.

Now you've got your command, and this looks complicated, you know, zone-pair security inside outside source inside and blah blah. It's not complicated at all. What you're doing first is typing zone-pair security. I think I should have stayed in that, yep, should have stayed in there, so now I'm in the zone, so to speak, in zone config mode, and now I want to use the zone-pair command. Oh, I was right, it's that dash, I knew it, yep, there we go. That was my error, because notice right here I was trying to do zone pair and I got an unrecognized command, so I thought, wait a minute, maybe I need to be in another config mode, but I don't; you've got to have that dash. So we've got zone-pair, our next option is security, and now you're just going to name your zone pair. Again, I would keep it like inside to outside, in to out, out at the end, because remember these are unidirectional, so what we're going to do with our name is indicate the direction that it's taking. And I believe on the board I put inside outside, yeah, that's the one I like to use, inside outside. Now you're just naming your source zone, which is going to be inside, right, and notice the choice of self zone here. Remember that? If you don't remember, the self zone, remember that has to do with the router itself: traffic going to an IP address configured on the router and traffic being generated by the router. We're not going to configure for the self zone, but it's good to note that it's an option here. So we will just say inside, which is what we named it, and destination, and self zone again is an option, but we had outside, and note we're getting the dollar sign here because the command is so long.

And finally, now we've got to put the service-policy command. We're almost done. And let's see, so we've got the service policy, which in turn calls the policy map, so this is what you would put here, because we named our policy map HTTP_POLICY. If this is making your head swim the first time around, don't feel bad, it makes everybody's head swim the first time. But let's go ahead with the service-policy command there, okay, and then type, and then inspect, and it even tells you policy-map name, which in this case was HTTP_POLICY. A lot of typing, right? Beats that 270 commands though that we would have had to type for that last lab in the advanced wizard.

So we are actually just about done. Now we've got to apply them to the interface. A remark is always a lovely idea, and what you're actually doing here is indicating what zone they're in, and that's it. And notice on FastEthernet 0/1 I did put a description and I screamed OUTSIDE ZONE; you don't have to do that, but I just put it. zone-member is the command on the interface, zone-member, and you've got security right there. Let me go ahead and show you that: go to interface Fast0/1, and it is zone-member and then security, of course, and then you just type in the word of whatever zone that would be a member of. 0/1 has been our untrusted interface, so that would be outside, and then you just go inside, and finally, that is it, believe it or not.

A couple of good show commands here that I wanted to share with you. show zone-pair security is a really good one, because that's going to show you the zone pair name, as you can see, and the source zone and the destination zone and the service policy that is assigned to that zone pair. So that's a really good verification command. And another one I just wanted to show you quickly was show zone security, and what that's going to do, and note again it shows the self zone, description "system defined zone", so you know what that is, you'll nail that on the exam, and then it's just going to show you the name of each zone that we've created and the member interfaces. So some good stuff there as far as verifying, just making sure you've got your zones right and your zone pair exactly the way you want it.

Let's go from top to bottom with that one more time, and like I said, especially if this is the first time you've seen this and you're trying to keep up with the class map and the policy map and everything else, first time around it's going to make your head swim. I have found that actually writing this out and just drawing arrows, you know, here's my class map and here's my policy map, my policy map calls my class map, and then my service policy calls the policy map, it works wonders. So just from top to bottom, from the beginning of that entire process: your class maps identify the traffic, and you've got that match-any versus match-all to watch out for, and you can name as many protocols there as you want to. Now your policy maps do two things: first off, they're going to call your class map, so watch that name, and then it's going to name the action to be taken, and we saw those actions as available actions in IOS help. Then we're going to create our security zones, and it sounds complicated, but as we saw it wasn't: zone security and then just name it, and we created two, inside and outside. Then we actually created the zone pair, which is zone-pair security and then the name of it and then the source and destination zones. Then you create the service policy in that config mode, and that in turn is going to call your policy map. And then finally, you're just about done: assign each interface its zone membership, and a couple of good show commands for you, show zone-pair security and show zone security, give you some great information.

So that is going to be it for class maps and policy maps and service policies for now in your studies, and I know you're glad to see them go, but we've got one more type of firewall we want to look at. We're going to look at that in the next couple of videos, and we will also look at NAT and PAT in CCP. We're going to review those quickly. I know you learned about those in your CCNA studies, but I don't want to assume that that was yesterday, so we're going to review the fundamentals of NAT and PAT very quickly, why we're doing it, why it's in a security class to begin with, and then we'll look at configuring it with CCP. So I'll see you there.
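The class-map, policy-map, zone-pair and zone-member chain the video walks through, as an added example that is not from the video or from Cisco: a small Python checker that reads a saved running-config and verifies that every link in the chain resolves, which covers the troubleshooting points the speaker calls out (match-all where match-any was intended, a class name misspelled inside the policy map, a service-policy naming a policy map that does not exist, an interface placed in a zone that was never created). The two config texts are constructed for the example, the names HTTP_TRAFFIC, HTTP_POLICY, INSIDE and OUTSIDE are the example's own, and names are compared exactly as written, which is the conservative assumption.

```python
"""Cross-reference checker for a Cisco IOS zone-based firewall config.

Added example: follows the chain class-map -> policy-map (class type inspect)
-> zone-pair (service-policy type inspect) -> zone security -> interface
zone-member security, and reports every link that does not resolve.
"""
import re
from dataclasses import dataclass, field


@dataclass
class ZbfConfig:
    class_maps: dict = field(default_factory=dict)   # name -> {"mode", "matches"}
    policy_maps: dict = field(default_factory=dict)  # name -> {class name -> action}
    zones: set = field(default_factory=set)          # names given to "zone security"
    zone_pairs: dict = field(default_factory=dict)   # name -> {"source", "destination", "policy"}
    interfaces: dict = field(default_factory=dict)   # interface -> zone it is a member of


def parse_zbf(text):
    """Extract the ZBF objects from running-config text (one-space IOS indentation)."""
    cfg = ZbfConfig()
    block = None      # (kind, name) of the top-level command whose sub-commands follow
    cur_class = None  # class currently open inside a policy-map
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip() == "!":
            block, cur_class = None, None
            continue
        if not line.startswith(" "):                 # top-level command
            block, cur_class = None, None
            if m := re.match(r"class-map type inspect (match-any|match-all) (\S+)$", line):
                cfg.class_maps[m[2]] = {"mode": m[1], "matches": []}
                block = ("class-map", m[2])
            elif m := re.match(r"policy-map type inspect (\S+)$", line):
                cfg.policy_maps[m[1]] = {}
                block = ("policy-map", m[1])
            elif m := re.match(r"zone security (\S+)$", line):
                cfg.zones.add(m[1])
            elif m := re.match(r"zone-pair security (\S+) source (\S+) destination (\S+)$", line):
                cfg.zone_pairs[m[1]] = {"source": m[2], "destination": m[3], "policy": None}
                block = ("zone-pair", m[1])
            elif m := re.match(r"interface (\S+)$", line):
                block = ("interface", m[1])
            continue
        if block is None:
            continue
        kind, name = block
        sub = line.strip()
        if kind == "class-map" and sub.startswith("match "):
            cfg.class_maps[name]["matches"].append(sub[len("match "):])
        elif kind == "policy-map":
            if m := re.match(r"class (?:type inspect )?(\S+)$", sub):
                cur_class = m[1]                     # the class map the policy map "calls"
                cfg.policy_maps[name][cur_class] = None
            elif cur_class is not None:
                cfg.policy_maps[name][cur_class] = sub.split()[0]  # drop / inspect / pass ...
        elif kind == "zone-pair":
            if m := re.match(r"service-policy type inspect (\S+)$", sub):
                cfg.zone_pairs[name]["policy"] = m[1]
        elif kind == "interface":
            if m := re.match(r"zone-member security (\S+)$", sub):
                cfg.interfaces[name] = m[1]
    return cfg


def check_zbf(cfg):
    """Return a list of findings; an empty list means every link in the chain resolves."""
    out = []
    for name, cm in cfg.class_maps.items():
        protos = [x for x in cm["matches"] if x.startswith("protocol ")]
        if not cm["matches"]:
            out.append(f"class-map {name}: no match statements, it can never select traffic")
        elif cm["mode"] == "match-all" and len(protos) > 1:
            out.append(f"class-map {name}: match-all with {len(protos)} 'match protocol' lines; "
                       "every line must match the same flow (match-any was probably intended)")
    for pname, classes in cfg.policy_maps.items():
        for cname, action in classes.items():
            if cname != "class-default" and cname not in cfg.class_maps:
                out.append(f"policy-map {pname}: class {cname} is not a defined class-map "
                           "(check spelling, case, underscores and dashes)")
            if action is None:
                out.append(f"policy-map {pname}: class {cname} has no action (drop/inspect/pass)")
    for zpname, zp in cfg.zone_pairs.items():
        for role in ("source", "destination"):
            if zp[role] != "self" and zp[role] not in cfg.zones:
                out.append(f"zone-pair {zpname}: {role} zone {zp[role]} is not defined")
        if zp["policy"] is None:
            out.append(f"zone-pair {zpname}: no service-policy type inspect, no policy-map applies")
        elif zp["policy"] not in cfg.policy_maps:
            out.append(f"zone-pair {zpname}: service-policy {zp['policy']} is not a defined policy-map")
    for ifname, zone in cfg.interfaces.items():
        if zone not in cfg.zones:
            out.append(f"interface {ifname}: zone-member {zone} is not a defined zone")
    for zone in sorted(cfg.zones):
        if zone not in cfg.interfaces.values():
            out.append(f"zone {zone}: no interface is a member, traffic can never enter or leave it")
    return out


# Constructed sample: the chain as the video builds it, all names resolving.
GOOD_CONFIG = """\
class-map type inspect match-any HTTP_TRAFFIC
 match protocol http
 match protocol https
!
policy-map type inspect HTTP_POLICY
 class type inspect HTTP_TRAFFIC
  inspect
 class class-default
  drop
!
zone security INSIDE
zone security OUTSIDE
zone-pair security INSIDE-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect HTTP_POLICY
!
interface FastEthernet0/0
 zone-member security INSIDE
!
interface FastEthernet0/1
 description OUTSIDE ZONE
 zone-member security OUTSIDE
"""

# Constructed sample with the mistakes the video warns about: match-all,
# a dash instead of an underscore in the called class, a misspelled
# policy-map name in the service-policy, and a typo in the zone-member.
BROKEN_CONFIG = """\
class-map type inspect match-all HTTP_TRAFFIC
 match protocol http
 match protocol https
!
policy-map type inspect HTTP_POLICY
 class type inspect HTTP-TRAFFIC
  inspect
!
zone security INSIDE
zone security OUTSIDE
zone-pair security INSIDE-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect HTTP_POLCY
!
interface FastEthernet0/0
 zone-member security INSIDE
!
interface FastEthernet0/1
 zone-member security OUTSDE
"""

if __name__ == "__main__":
    for label, text in (("good", GOOD_CONFIG), ("broken", BROKEN_CONFIG)):
        problems = check_zbf(parse_zbf(text))
        print(f"{label}: {len(problems)} finding(s)")
        for p in problems:
            print("  -", p)
```

Paste the output of `show running-config` in place of the constructed text to check a lab router; the checker reads only the objects named above and ignores everything else, and because it reports a class map that was renamed but is still called by its old name, it is a quick way to confirm the arrows drawn on the board actually line up before looking at `show zone-pair security`.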
Info
Channel: IP Core Networks
Views: 1,238
Keywords: CCNA, CCNAsecuirty, firewall, CCNA 200-301, CCNP Enterprise, CCNA security, Examining Class Maps, policy map cisco, service policy cisco, policy map configuration mode command, cisco class-map policy-map example, ASDM, cisco ASA, configuration policy map, Route-map, policy-map & Class-map, understanding class and policy map, Cisco Security Appliance Command
Id: ZuJ-DslsTz0
Length: 18min 8sec (1088 seconds)
Published: Sat Mar 27 2021