Kingsley,
The nice thing is it is modular so you have a lot of flexibility. I would typically apply policing on the interface I want to affect. set connection would depend on what specific traffic I want to affect. All HTTP or just a subset. It all depends. There is no given answer that fits for every circumstance.

Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP
Technical Instructor - IPexpert, Inc.
Mailto: [email protected]
Telephone: +1.810.326.1444, ext. 208
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130

IPexpert is a premier provider of Self-Study Workbooks, Video on Demand, Audio Tools, Online Hardware Rental and Classroom Training for the Cisco CCIE (R&S, Voice, Security & Service Provider) certification(s) with training locations throughout the United States, Europe, South Asia and Australia. Be sure to visit our online communities at www.ipexpert.com/communities and our public website at www.ipexpert.com

From: Kingsley Charles [mailto:[email protected]]
Sent: Wednesday, March 31, 2010 10:42 AM
To: Tyson Scott
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] MPF with ASA

Hi Tyson

That is correct. But for some cases, I am a bit confused.

Vol 2 - Lab 2 - Section 1.5. Task is to allow size more than mss. Where should we apply the class-map? I think it can be placed anywhere.

Other cases would be like:
police all inside traffic to 512 kbps
"set connection" actions to http traffic

For these cases, how should we proceed?

With regards
Kings

On Wed, Mar 31, 2010 at 7:58 PM, Tyson Scott <[email protected]> wrote:

Kingsley,

Very simply it is any time you want to affect traffic that is called out by the class-default. I.E. You are wanting to do HTTP specific actions and you are inspecting HTTP traffic in the default inspection class.
So if you are applying a class with the following protocols

  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp

These are the defaults. Then you need to remove... apply your new class. Then re-apply the default. If you didn't have http inspection in the default class then you wouldn't have to remove it and re-add it.

Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP
Technical Instructor - IPexpert, Inc.

From: [email protected] [mailto:[email protected]] On Behalf Of Kingsley Charles
Sent: Wednesday, March 31, 2010 10:25 AM
To: [email protected]
Subject: [OSL | CCIE_Security] MPF with ASA

Hi all

When we have situations where we need to apply policies globally to the ASA, then sometimes there is a necessity where we need to remove the "class inspection_default", place our class-map with action and after that we add "class inspection_default". This seems to be very important. If not placed properly, then your MPF won't work properly.
policy-map global_policy
 class httptraffic
  inspect http http_inspection_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect http
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp

My understanding is that when you need to have a specific traffic flow handled by MPF, then that should be at the top. Can someone please point out any other situations where we would place our class-maps above "class inspection_default"?

In the Cisco docs > ASA > Configuration Examples and Notes, I see that they just apply the class map under "policy-map global_policy" without removing class inspection_default and hence that will come below:
http://www.cisco.com/en/US/tech/tk365/technologies_configuration_example09186a008009487d.shtml - Handling BGP

With regards
Kings
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
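The following is an added ASA configuration example, not posted by anyone in this thread, that walks through the reordering procedure Tyson describes (remove the default class, add the custom class, re-add the default class) and then the interface-level policing and set connection cases Kingsley asks about. All names (http_inspection_policy, httptraffic, inside_all, inside_http, inside_policy, the interface name inside) and the burst and connection-limit values are assumptions; only the 512 kbps figure and the inspection list come from the thread. The reason the order matters is that MPF applies the first matching class for each feature type, so if inspection_default carries a plain "inspect http" and sits above httptraffic, port 80 traffic is consumed there and never reaches the custom HTTP policy.

```cisco
! Added example (hypothetical names/values), ASA 8.x-style CLI.
!
! 1. A custom HTTP inspection policy and a class that selects HTTP traffic.
policy-map type inspect http http_inspection_policy
 parameters
  protocol-violation action drop-connection log
!
class-map httptraffic
 match port tcp eq www
!
! 2. Reorder the global policy. Removing inspection_default also removes the
!    inspect statements beneath it, so they are re-entered when the class is
!    re-added. The custom class is now evaluated first for the HTTP inspection
!    feature, and inspection_default keeps the remaining protocols.
policy-map global_policy
 no class inspection_default
 class httptraffic
  inspect http http_inspection_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
!
! 3. Policing and connection limits on the interface being affected rather than
!    in the global policy: rate-limit everything entering "inside" to 512 kbps
!    (burst value assumed) and cap HTTP connections (limits assumed).
class-map inside_all
 match any
!
class-map inside_http
 match port tcp eq www
!
policy-map inside_policy
 class inside_all
  police input 512000 4000
 class inside_http
  set connection conn-max 1000 embryonic-conn-max 100
!
service-policy inside_policy interface inside
```

After applying this, "show service-policy" lists the classes in the order they are evaluated, which is the quickest way to confirm that httptraffic appears above inspection_default in global_policy and that the interface policy is attached to the intended interface.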
