Configuring the Firewall Management Interface

The firewall management interface can be configured under each firewall context to provide a virtualized management interface (see Figure 7). The management interface carries management traffic such as Telnet and Secure Shell (SSH) client sessions and traffic to authentication, authorization, and accounting (AAA) servers. The firewall management interface must be configured both in Cisco IOS XR software and on the corresponding management interface of the VFW application.

This chapter includes the following sections:

Configuring the Management Interface on Cisco IOS XR
Configuring the Management Interface on the VFW Application
Configuring Remote Network Management Traffic Services

Figure 7 Firewall Management Interface
(Figure labels: a Cisco XR 12000 Router running the VFW application; GigabitEthernet0/2/0.3 and GigabitEthernet0/2/0.4 are the Inside1 and Inside2 interfaces of firewall context ctx1; Outside; Mgmnt; All Other Cisco XR 12000 Interfaces; the control point (CP) interface firewallmanagement1, with the VFW management address 10.1.1.2.)

VFC-35

Configuring the Management Interface on Cisco IOS XR

This task provides a virtualized management interface for managing firewall contexts using Cisco IOS XR software. The firewall management interface must also be configured within the VFW application (see Configuring the Management Interface on the VFW Application) using a different IP address on the same subnet.

SUMMARY STEPS

1. configure
2. interface FirewallManagement number
3. ipv4 address ip-address
4. firewall firewall-context-name follow-active
5. end or commit
6. show interfaces FirewallManagement number

DETAILED STEPS

Step 1  configure
        RP/0/0/CPU0:router# configure
        Enters global configuration mode.

Step 2  interface FirewallManagement number
        RP/0/0/CPU0:router(config)# interface firewallmanagement1
        Specifies the interface.

Step 3  ipv4 address ip-address
        RP/0/0/CPU0:router(config-if)# ipv4 address 10.1.1.1/30
        Specifies the IPv4 address of the interface. It must be a different IP address, but from the same subnet as the IP address configured for the management interface on the VFW application (in this chapter the VFW side uses 10.1.1.2 255.255.255.252, so the two addresses share the /30).

Step 4  firewall firewall-context-name follow-active
        RP/0/0/CPU0:router(config-if)# firewall ctx1 follow-active
        Entered in interface configuration mode under the FirewallManagement interface. Attaches the management interface to a particular firewall context (ctx1) and to the active instance of the firewall (follow-active).

Step 5  end or commit
        RP/0/0/CPU0:router(config-if)# end
        or
        RP/0/0/CPU0:router(config-if)# commit
        Saves configuration changes. When you issue the end command, the system prompts you to commit changes:

        Uncommitted changes found, commit them before exiting (yes/no/cancel)? [cancel]:

        Entering yes saves the configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode. Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes. Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes. Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.

Step 6  show interfaces FirewallManagement number
        RP/0/0/CPU0:router# show interfaces firewallmanagement1
        Displays the status of the management interface. If the output does not show the interface as up, the management interface is not operating properly; see Troubleshooting Tips.

Troubleshooting Tips

To verify that the management interface is up, use the show interfaces firewallmanagement command and check that both the interface and its line protocol are reported as up:

    RP/0/0/CPU0:router# show interfaces firewallmanagement
    FirewallManagement1 is up, line protocol is up
      Interface state transitions: 4
      Hardware is Firewall Management Interface(s)
      Internet address is 88.88.88.88/24
      MTU 9216 bytes, BW 1000000 Kbit
         reliability 255/255, txload 0/255, rxload 0/255
      Encapsulation fmi, loopback not set,
      Last clearing of "show interface" counters never
      5 minute input rate 0 bits/sec, 0 packets/sec
      5 minute output rate 0 bits/sec, 0 packets/sec
         0 packets input, 0 bytes, 0 total input drops
         0 drops for unrecognized upper-level protocol
         Received 0 broadcast packets, 0 multicast packets
         0 packets output, 0 bytes, 0 total output drops
         Output 0 broadcast packets, 0 multicast packets

Configuring the Management Interface on Cisco IOS XR: Example

The following example shows how to configure a virtualized management interface for managing firewall contexts using Cisco IOS XR software (see Configuring the Management Interface on Cisco IOS XR for the summary and detailed steps):

    interface firewallmanagement1
     ipv4 address 10.1.1.1/30
     firewall ctx1 follow-active
     commit

The firewall management interface must also be configured within the VFW application.

Configuring the Management Interface on the VFW Application

This task provides a virtualized management interface for managing firewall contexts at the firewall control point on the VFW application. The firewall management interface must also be configured in Cisco IOS XR software (see Configuring the Management Interface on Cisco IOS XR) using a different IP address on the same subnet.

SUMMARY STEPS

1. service service-id attach location node-id
2. admin
3. configure
4. interface management name
5. ip address ip_address mask
6. no shut
7. end or commit

DETAILED STEPS

Step 1  service service-id attach location node-id
        RP/0/0/CPU0:router# service firewall attach location 0/3/CPU0
        Attaches to the VFW application at the given location. You are then prompted to log in to the VFW application:

        RP/0/0/CPU0:ios# service firewall attach location 0/3/CPU0
        firewall login: admin
        Password:
        Cisco Application Control Software (ACSW)
        TAC support: http://www.cisco.com/tac
        Copyright (c) 2002-2006, Cisco Systems, Inc. All rights reserved.
        The copyrights to certain works contained herein are owned by other third parties and are used and distributed under license. Some parts of this software are covered under the GNU Public License. A copy of the license is available at http://www.gnu.org/licenses/gpl.html.
        firewall/admin#

Step 2  admin
        Logs in to the VFW application using admin as both the user ID and the password. This is the default login shown throughout this guide; change the admin password before the management interface is reachable from the network, and limit who can reach it with the management traffic policy described in Configuring Remote Network Management Traffic Services.

Step 3  configure
        firewall/admin# configure
        Enters global configuration mode. You are now within configuration mode of the VFW application.

Step 4  interface management name
        firewall/admin(config)# interface management mgmnt
        Configures a management interface named mgmnt.

Step 5  ip address ip_address mask
        firewall/admin(config-if-mgmt)# ip address 10.1.1.2 255.255.255.252
        Specifies the IP address and mask of the interface. It must be a different IP address, but from the same subnet as the IP address configured for the management interface in Cisco IOS XR software.

Step 6  no shut
        firewall/admin(config-if-mgmt)# no shut
        Brings the management interface up (removes the administrative shutdown).

Step 7  end or commit
        RP/0/0/CPU0:router(config-if)# end
        or
        RP/0/0/CPU0:router(config-if)# commit
        Saves configuration changes. When you issue the end command, the system prompts you to commit changes:

        Uncommitted changes found, commit them before exiting (yes/no/cancel)? [cancel]:

        Entering yes saves the configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode. Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes. Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes. Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.

Configuring the Firewall Management Interface on the VFW Application: Example

To access the VFW application, see Attaching to the VFW Application. The following example shows how to configure a virtualized management interface for managing firewall contexts in the VFW application (see Configuring the Management Interface on the VFW Application for the summary and detailed steps):

    interface management mgmnt
     ip address 10.1.1.2 255.255.255.252
     no shutdown

The firewall management interface must also be configured in Cisco IOS XR software.

Configuring Remote Network Management Traffic Services

You configure rules for remote access to the VFW application through the use of class maps, policy maps, and service policies. The role of each in configuring remote network management access to the VFW application is as follows:

Class map  Provides the remote network traffic match criteria used to permit traffic based on:
  - the remote access network management protocol (SSH, Telnet, ICMP)
  - the client source IP address

Policy map  Permits or denies remote network management access for a traffic classification that matches the criteria listed in the class map.

Service policy  Activates the policy map and attaches the traffic policy to an interface, or globally to all interfaces in the context.

This section provides an overview of creating a class map, policy map, and service policy for remote network access. Telnet and SSH remote access sessions are established to the VFW application on a per-context basis. For details on creating users and contexts, refer to Configuring Virtualization.

The management policy is what stands between the network and the VFW command line, so keep its class maps narrow: match only the protocols you need (SSH in preference to Telnet, which carries credentials in cleartext) and only the management stations' source addresses, rather than any.

This section includes the following topics:

Creating and Configuring a Remote Management Class Map
Creating a Layer 3 and Layer 4 Remote Access Policy Map
Defining Management Traffic Policy Actions
Applying a Service Policy

Creating and Configuring a Remote Management Class Map

To create a Layer 3 and Layer 4 class map to classify the remote network management traffic received by the VFW application, use the class-map type management configuration command. This command identifies the incoming IP management protocols that the VFW application can receive, together with the client source IP address and subnet mask, as the matching criteria. A class map of type management thus defines the allowed management traffic for protocols such as SSH, Telnet, and ICMP.

There can be multiple match commands in a class map. You can configure class maps to define multiple management protocol and source IP address match commands in a group that you then associate with a traffic policy. The match-all and match-any keywords determine how the VFW application evaluates the match statements when multiple match criteria exist in a class map.

    class-map type management [match-all | match-any] map_name

The keywords, arguments, and options are:

match-all | match-any  (Optional) Determines how the VFW application evaluates Layer 3 and Layer 4 network management traffic when multiple match criteria exist in a class map. The class map is considered a match if the match commands meet one of the following conditions:
  match-all  All of the match criteria listed in the class map must be satisfied to match the network traffic class in the class map; typically used with match commands of the same type.
  match-any  Any one of the match criteria listed in the class map is sufficient to match the network traffic class in the class map; typically used with match commands of different types.
  The default is to meet all of the match criteria (match-all).

map_name  Specifies the name assigned to the class map. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.

The CLI enters class map management configuration mode. To classify the remote network management traffic received by the VFW application, include one or more of the associated commands to configure the match criteria for the class map:

description     See Defining a Class Map Description
match protocol  See Defining Remote Network Management Protocol Match Criteria

You may include multiple match protocol commands in a class map.
For example, to allow SSH and Telnet access to the VFW application from the two hosts in 172.16.10.0/31 (mask 255.255.255.254, that is, 172.16.10.0 and 172.16.10.1), enter:

    host1/admin(config)# class-map type management match-all SSH-TELNET_ALLOW_CLASS
    host1/admin(config-cmap-mgmt)# match protocol ssh source-address 172.16.10.0 255.255.255.254
    host1/admin(config-cmap-mgmt)# match protocol telnet source-address 172.16.10.0 255.255.255.254
    host1/admin(config-cmap-mgmt)# exit
    host1/admin(config)#

To remove a Layer 3 and Layer 4 network management class map from the VFW application, enter:

    host1/admin(config)# no class-map type management match-all SSH-TELNET_ALLOW_CLASS

Defining a Class Map Description

Use the description command to provide a brief summary of the Layer 3 and Layer 4 remote management class map. Access class map configuration mode to enter the description command.

    description text

Use the text argument to enter an unquoted text string with a maximum of 240 alphanumeric characters. For example, to specify a description stating that the class map allows remote Telnet access, enter:

    host1/admin(config)# class-map type management TELNET-ALLOW_CLASS
    host1/admin(config-cmap-mgmt)# description Allow Telnet access to the VFW

To remove the description from the class map, enter:

    host1/admin(config-cmap-mgmt)# no description

Defining Remote Network Management Protocol Match Criteria

Use the match protocol command to configure the class map to identify the remote network management protocols that can be received by the VFW application. You configure the associated policy map to permit access to the VFW application for the specified management protocols. As part of the network management access traffic classification, you also specify either a client source host IP address and subnet mask as the matching criteria, or instruct the VFW application to allow any client source address for the management traffic classification. Access class map configuration mode to enter the match protocol command.

    [line_number] match protocol {http | https | icmp | snmp | ssh | telnet} {any | source-address ip_address mask}

line_number  (Optional) Assists you in editing or deleting individual match commands. Enter an integer from 2 to 255 as the line number. You can enter no line_number to delete long match commands instead of entering the entire line. The line numbers do not dictate a priority or sequence for the match statements.

http  Specifies the Hypertext Transfer Protocol (HTTP). The configuration of the HTTP management protocol is covered in Configuring HTTP and HTTPS Management Traffic Services.

https  Specifies the secure (SSL) Hypertext Transfer Protocol (HTTPS). The configuration of the HTTPS management protocol is covered in Configuring HTTP and HTTPS Management Traffic Services.

icmp  Specifies Internet Control Message Protocol (ICMP) messages to the VFW application. The configuration of the ICMP management protocol is covered in this section.

snmp  Specifies the Simple Network Management Protocol (SNMP). The configuration of the SNMP management protocol is covered in Configuring SNMP.

ssh  Specifies a Secure Shell (SSH) remote connection to the VFW application. The VFW application supports the SSH remote shell functionality provided in SSH Version 1 and supports the DES and 3DES ciphers. The configuration of the SSH management protocol is covered in this section.

Note  SSH v1.x and v2 are entirely different protocols and are not compatible. Make sure that you use an SSH v1.x client when accessing the VFW application. Both SSH Version 1 and single DES are considered insecure today (the SSH 1 protocol has known integrity weaknesses and 56-bit DES keys can be brute-forced), so treat SSH to the VFW as only marginally stronger than Telnet and compensate by restricting the source-address in the class map to the management stations.

telnet  Specifies a Telnet remote connection to the VFW application. The configuration of the Telnet management protocol is covered in this section.

any  Specifies any client source address for the management traffic classification.

source-address  Specifies a client source host IP address and subnet mask as the network traffic matching criteria. As part of the classification, the VFW application implicitly obtains the destination IP address from the interface on which you apply the policy map.

ip_address  Source IP address of the client. Enter the IP address in dotted-decimal notation (for example, 192.168.11.1).

mask  The subnet mask of the client in dotted-decimal notation (for example, 255.255.255.0).

For example, to specify that the class map allows SSH access to the VFW application, enter:

    host1/admin(config)# class-map type management SSH-ALLOW_CLASS
    host1/admin(config-cmap-mgmt)# match protocol ssh source-address 172.16.10.0 255.255.255.254

To remove the specified network management protocol match criteria from the class map, enter:

    host1/admin(config-cmap-mgmt)# no match protocol ssh source-address 172.16.10.0 255.255.255.254

Creating a Layer 3 and Layer 4 Remote Access Policy Map

The following procedure outlines the general steps to configure a Layer 3 and Layer 4 policy map that defines the actions executed on remote network management traffic that matches the specified classifications.

1. Use the policy-map type management configuration command to configure a Layer 3 and Layer 4 policy map that permits the VFW application to receive the specified remote management protocols. The VFW application executes the action for the first matching classification, so the order of the class commands in the policy map matters. The syntax of this command is:

    policy-map type management first-match map_name

The map_name argument specifies the name assigned to the Layer 3 and Layer 4 network management policy map. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters. The CLI enters policy map management configuration mode. For example, to create a Layer 3 and Layer 4 network traffic management policy map, enter:

    host1/admin(config)# policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
    host1/admin(config-pmap-mgmt)#

To remove a policy map from the VFW application, enter:

    host1/admin(config)# no policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY

2. If desired, use the description command to provide a brief summary of the Layer 3 and Layer 4 remote management policy map.

    description text

Use the text argument to enter an unquoted text string with a maximum of 240 alphanumeric characters. For example, to specify a description stating that the policy map allows remote Telnet access, enter:

    host1/admin(config-pmap-mgmt)# description Allow Telnet access to the VFW

To remove a description from the policy map, enter:

    host1/admin(config-pmap-mgmt)# no description

3. To specify a traffic class created with the class-map command and associate its network traffic with the traffic policy, use the class command.

    class map_name

The map_name argument specifies the name of a previously defined traffic class, configured with the class-map command. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters. The CLI enters policy map management class configuration mode. For example, to specify an existing class map within the Layer 3 and Layer 4 remote access policy map, enter:

    host1/admin(config-pmap-mgmt)# class L4_REMOTE_ACCESS_CLASS
    host1/admin(config-pmap-mgmt-c)#

To remove a class map from a Layer 3 and Layer 4 policy map, enter:

    host1/admin(config-pmap-mgmt)# no class L4_REMOTE_ACCESS_CLASS

4. To manually insert a class map ahead of a previously specified class map, use the insert-before command. The VFW application does not save the sequence reordering performed by the insert-before command as part of the configuration.

    class map_name1 insert-before map_name2

The arguments are:

class map_name1  Specifies the name of a previously defined traffic class configured with the class-map command. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.

insert-before map_name2  Places the current class map ahead of an existing class map as specified by the map_name2 argument. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.

For example, to use the insert-before command to define the sequential order of two class maps in the policy map, enter:

    host1/admin(config-pmap-mgmt)# class L4_SSH_CLASS insert-before L4_REMOTE_ACCESS_CLASS

5. To specify the class-default class map for the Layer 3 and Layer 4 traffic policy, use the class class-default command. All network traffic that fails to meet the matching criteria of the named class maps belongs to the default traffic class. If none of the specified classifications match, the VFW application applies the action specified under the class class-default command. The class-default class map has an implicit match any statement, so it matches all traffic. For example, to use the class class-default command, enter:

    host1/admin(config-pmap-mgmt)# class class-default
    host1/admin(config-pmap-mgmt-c)#

The CLI enters policy map class configuration mode.

6. Specify the actions you want to apply to the Layer 3 and Layer 4 user-defined class map and, if appropriate, to the default class map. See Defining Management Traffic Policy Actions to define the different Layer 3 and Layer 4 network traffic policies and associated actions. For example, to specify a traffic management action for the Layer 3 and Layer 4 policy map, enter:

    host1/admin(config)# policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
    host1/admin(config-pmap-mgmt)# class SSH-ALLOW_CLASS
    host1/admin(config-pmap-mgmt-c)# permit
    host1/admin(config-pmap-mgmt-c)# exit
    host1/admin(config-pmap-mgmt)# class TELNET-ALLOW_CLASS
    host1/admin(config-pmap-mgmt-c)# permit

Defining Management Traffic Policy Actions

Use the permit command in policy map class configuration mode to permit the remote network management protocols listed in the class map to be received by the VFW application.

    permit

Use the deny command in policy map class configuration mode to deny the remote network management protocols listed in the class map from being received by the VFW application.

    deny

For example, to create a Layer 3 and Layer 4 remote network traffic management policy map that permits SSH, Telnet, and ICMP connections to be received by the VFW application, enter:

    host1/admin(config)# policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
    host1/admin(config-pmap-mgmt)# class SSH-ALLOW_CLASS
    host1/admin(config-pmap-mgmt-c)# permit
    host1/admin(config-pmap-mgmt-c)# exit
    host1/admin(config-pmap-mgmt)# class TELNET-ALLOW_CLASS
    host1/admin(config-pmap-mgmt-c)# permit
    host1/admin(config-pmap-mgmt-c)# exit
    host1/admin(config-pmap-mgmt)# class ICMP-ALLOW_CLASS
    host1/admin(config-pmap-mgmt-c)# permit
    host1/admin(config-pmap-mgmt-c)# exit

For example, to create a policy map that denies ICMP to the VFW application (the policy-map type management command takes only the first-match keyword), enter:

    host1/admin(config)# policy-map type management first-match ICMP_RESTRICT_POLICY
    host1/admin(config-pmap-mgmt)# class ICMP-ALLOW_CLASS
    host1/admin(config-pmap-mgmt-c)# deny

Because the policy map is first-match, a deny takes effect only when its class appears before any permit class that also matches the same traffic; check the order of the class commands in the policy map when a deny does not behave as expected.

Applying a Service Policy

Use the service-policy command to:

- Apply a previously created policy map.
- Attach the traffic policy to a specific interface or globally to all interfaces in the same context.
- Specify that the traffic policy is attached to the input direction of an interface.

The service-policy command is available both in interface configuration mode and in global configuration mode. Specifying a policy map in interface configuration mode applies the policy map to a specific interface. Specifying a policy map in global configuration mode applies the policy to all of the interfaces associated with a context.

    service-policy input policy_name

The keywords, arguments, and options are:

input  Specifies that the traffic policy is attached to the input direction of an interface. The traffic policy evaluates all traffic received by that interface.

policy_name  Specifies the name of a previously defined policy map, configured with the policy-map command. The name can be a maximum of 40 alphanumeric characters.

For example, to specify an interface and apply the remote access policy map to it, enter:

    host1/admin(config)# interface interface_name
    host1/admin(config-if)# ip address 172.16.1.100 255.255.0.0
    host1/admin(config-if)# service-policy input REMOTE_MGMT_ALLOW_POLICY

For example, to globally apply the remote access policy map to all of the interfaces associated with a context, enter:

    host1/admin(config)# service-policy input REMOTE_MGMT_ALLOW_POLICY

To detach the remote access traffic policy from an interface, enter:

    host1/admin(config-if)# no service-policy input REMOTE_MGMT_ALLOW_POLICY

To globally detach the remote access traffic policy from all interfaces associated with a context, enter:

    host1/admin(config)# no service-policy input REMOTE_MGMT_ALLOW_POLICY

When you detach a traffic policy either individually from the last interface on which you applied the service policy, or globally from all interfaces in the same context, the VFW application automatically resets the associated service policy statistics. The VFW application performs this action to provide a new starting point for the service policy statistics the next time you attach a traffic policy to a specific interface or globally to all interfaces in the same context.

Note the following when creating a service policy:

- Policy maps applied globally in a context are internally applied on all interfaces existing in the context.
- A policy activated on an interface overrides any global policy for overlapping classifications and actions. A permissive interface policy can therefore undo a restrictive global one on that interface; after applying policies at both scopes, confirm with show service-policy which policy is in service where.
- The VFW application allows only one policy of a specific feature type to be activated on a given interface.

To display service policy statistics for a Layer 3 and Layer 4 remote network traffic management policy map, use the show service-policy command in Exec mode.

    show service-policy policy_name [detail]

The keywords, options, and arguments are as follows:

policy_name  The identifier of an existing policy map that is currently in service (applied to an interface), as an unquoted text string with a maximum of 64 alphanumeric characters.

detail  (Optional) Displays a more detailed listing of policy map statistics and status information.

Note  The VFW application updates the counters that the show service-policy command displays after the applicable connections are closed.

For example, to display service policy statistics for the REMOTE_MGMT_ALLOW_POLICY policy map, enter:

    host1/admin# show service-policy REMOTE_MGMT_ALLOW_POLICY
    Status     : ACTIVE
    Description: Allow mgmt protocols
    -----------------------------------------
    Context Global Policy:
      service-policy: REMOTE_MGMT_ALLOW_POLICY

To clear the service policy statistics, use the clear service-policy command. The syntax of this command is:

    clear service-policy policy_name

For the policy_name argument, enter the identifier of an existing policy map that is currently in service (applied to an interface). For example, to clear the statistics for the policy map REMOTE_MGMT_ALLOW_POLICY that is currently in service, enter:

    host1/admin# clear service-policy REMOTE_MGMT_ALLOW_POLICY
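The class map, policy map, and service policy pieces described in this section combine into one decision per management packet: find the policy in service on the receiving interface (or the global one), walk its classes in first-match order, and apply the permit or deny. The Python script below is an added example written for this page; it is not VFW code and its output is not VFW output. It parses a constructed configuration written in the syntax above, answers whether a given protocol from a given source is accepted on a given interface, and audits the in-service policies for the weak settings discussed in this section (Telnet, permits from any source, wide source ranges). The following are assumptions of the example, not statements from the page: the configuration text, the interface name vlan 100, and all class and policy names are made up; management traffic that matches no class is treated as dropped; the interface policy is consulted first and the global policy only when the interface policy has no matching class; and the /24 threshold in the audit is an arbitrary choice.

```python
"""Evaluate and audit a VFW remote-management policy. Added example, not VFW
code; the configuration below is constructed, not taken from a real device."""
import ipaddress
import re

# Constructed config: a weak class (Telnet and ICMP from anywhere) permitted
# by the global policy, and a tighter SSH-only policy on one interface.
SAMPLE_CONFIG = """
class-map type management match-any WEAK_MGMT_CLASS
  match protocol telnet any
  match protocol icmp any
class-map type management match-all SSH_NOC_CLASS
  match protocol ssh source-address 172.16.10.0 255.255.255.254
policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
  class SSH_NOC_CLASS
    permit
  class WEAK_MGMT_CLASS
    permit
policy-map type management first-match SSH_ONLY_POLICY
  class SSH_NOC_CLASS
    permit
  class WEAK_MGMT_CLASS
    deny
service-policy input REMOTE_MGMT_ALLOW_POLICY
interface vlan 100
  service-policy input SSH_ONLY_POLICY
"""

CLASS_RE = re.compile(r"^class-map type management (match-all|match-any) (\S+)$")
POLICY_RE = re.compile(r"^policy-map type management first-match (\S+)$")
MATCH_RE = re.compile(r"^(?:\d+ )?match protocol (\S+) (?:(any)|source-address (\S+) (\S+))$")

def parse_config(text):
    """Collect class maps, policy maps (classes kept in first-match order) and
    where each service policy is applied ("*" stands for the global scope)."""
    cfg = {"classes": {}, "policies": {}, "applied": {}}
    cur = pclass = None  # cur = (block kind, block name) of the open block
    for raw in text.splitlines():
        line = raw.strip()
        if not raw[:1].isspace():
            cur = None  # an unindented line closes the current block
        if m := CLASS_RE.match(line):
            cfg["classes"][m.group(2)] = {"mode": m.group(1), "matches": []}
            cur = ("class", m.group(2))
        elif m := POLICY_RE.match(line):
            cfg["policies"][m.group(1)] = []
            cur = ("policy", m.group(1))
        elif line.startswith("interface "):
            cur = ("iface", line.split(None, 1)[1])
        elif (m := MATCH_RE.match(line)) and cur and cur[0] == "class":
            proto, any_src, ip, mask = m.groups()
            net = None if any_src else ipaddress.ip_network(f"{ip}/{mask}", strict=False)
            cfg["classes"][cur[1]]["matches"].append((proto, net))
        elif line.startswith("class ") and cur and cur[0] == "policy":
            pclass = line.split()[1]
        elif line in ("permit", "deny") and cur and cur[0] == "policy":
            cfg["policies"][cur[1]].append((pclass, line))
        elif line.startswith("service-policy input "):
            scope = cur[1] if cur and cur[0] == "iface" else "*"
            cfg["applied"][scope] = line.split()[-1]
    return cfg

def class_matches(cls, proto, src):
    """match-all: every match line must hold; match-any: one is enough."""
    hits = [p == proto and (net is None or src in net) for p, net in cls["matches"]]
    return bool(hits) and (all(hits) if cls["mode"] == "match-all" else any(hits))

def decide(cfg, policy, proto, src):
    """First-match walk of one policy map; None when no class matched."""
    for cname, action in cfg["policies"].get(policy, []):
        if cname == "class-default" or class_matches(cfg["classes"][cname], proto, src):
            return action
    return None

def is_permitted(cfg, iface, proto, src_ip):
    """Interface policy first, then global; unmatched traffic counts as dropped
    (assumption: the management class map defines what is allowed)."""
    src = ipaddress.ip_address(src_ip)
    for policy in (cfg["applied"].get(iface), cfg["applied"].get("*")):
        verdict = decide(cfg, policy, proto, src) if policy else None
        if verdict is not None:
            return verdict == "permit"
    return False

def audit(cfg):
    """Flag permits for Telnet, for any source, or for ranges wider than /24
    (the /24 threshold is an arbitrary choice for this example)."""
    findings = []
    for policy in sorted(set(cfg["applied"].values())):
        for cname, action in cfg["policies"].get(policy, []):
            if action != "permit" or cname == "class-default":
                continue
            for proto, net in cfg["classes"][cname]["matches"]:
                where = f"{policy}/{cname}: {proto}"
                if proto == "telnet":
                    findings.append(f"{where} permitted (cleartext credentials)")
                if net is None:
                    findings.append(f"{where} permitted from any source")
                elif net.prefixlen < 24:
                    findings.append(f"{where} permitted from wide range {net}")
    return findings
```

With SAMPLE_CONFIG, is_permitted(cfg, "vlan 100", "telnet", "10.0.0.5") is False because SSH_ONLY_POLICY on that interface denies the WEAK_MGMT_CLASS match, while the same Telnet attempt on an interface with no interface policy, such as "vlan 200", is permitted by the global REMOTE_MGMT_ALLOW_POLICY; that is the override rule from the notes above, and audit(cfg) reports the three permits in WEAK_MGMT_CLASS that make the global policy weak. The script implements match-all literally, as this section describes it: every match line in the class map must hold for one packet.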