Configure a Security Appliance Modular Policy
Configure a class map

The class-map command is used to classify a set of traffic with which security actions may be associated. Configuring a class map is a two-step process: name a class of traffic, then define the attributes of that traffic. A name is assigned to each individual class of traffic. For example, in Figure , four traffic classes are named. The class-map se command identifies the system engineer remote VPN traffic from the system engineers. The class-map s2s command identifies the remote VPN traffic from the system engineers.

The syntax of the class-map commands is as follows:

class-map class_map_name

After a class of traffic is named, the characteristics of the traffic flow are identified. To be considered part of a named class, a traffic flow must match a defined set of attributes. There are various types of match criteria in a class map. One example of a match criterion is an access list that defines all traffic from the Internet to the DMZ. Another is the VPN tunnel-group, which here includes all members of the SE and EXEC tunnel-groups. Another is a TCP or UDP port number, which could be used to define all HTTP or FTP traffic.

The class matching criteria are as follows:

  • match access-list – This keyword specifies to match an entry in an access-list.
  • match any – This keyword specifies that all traffic is to be matched. Match any is used in the class-default class-map.
  • match dscp – This keyword specifies to match the IETF-defined Differentiated Services Code Point (DSCP) value in the IP header. This allows the administrator to define classes based on the DSCP values carried in the TOS byte of the IP header.
  • match flow – This keyword specifies to match each IP flow within a tunnel-group. This match command must be used in conjunction with the match tunnel-group command.
  • match port – This keyword specifies to match traffic using a TCP or UDP destination port.
  • match precedence – This keyword specifies to match the precedence value represented by the TOS byte in the IP header. This allows the administrator to define classes based on the precedence defined within the TOS byte in the IP header.
  • match rtp – This keyword specifies to match a Real-Time Transport Protocol (RTP) destination port. This allows the administrator to match on a UDP port number within the specified range. The allowed range is targeted at capturing applications likely to be using RTP.
  • match tunnel-group – This keyword specifies to match tunnel traffic.

A traffic class is a set of traffic that is identifiable by its packet content. For example, TCP traffic with port values of 21 and 80 may be classified as an Internet traffic class.
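The following is an added example, not code from the original page: a small checker that parses class-map blocks out of a constructed ASA-style configuration and applies the rule stated above, that match flow is only valid alongside match tunnel-group. The class names se and s2s follow the text; inet_dmz, web_ftp and broken, and the access-list contents, are assumptions made up for the sample.

```python
import re
from collections import OrderedDict

# Constructed ASA-style class-map configuration (not the page's figure); the names
# se and s2s follow the text, inet_dmz, web_ftp and broken are hypothetical.
SAMPLE_CONFIG = """\
access-list inet_dmz extended permit ip any 192.0.2.0 255.255.255.0
class-map se
 match tunnel-group se
 match flow ip destination-address
class-map s2s
 match tunnel-group s2s
class-map inet_dmz
 match access-list inet_dmz
class-map web_ftp
 match port tcp range 21 80
class-map broken
 match flow ip destination-address
"""

def parse_class_maps(config):
    """Return {class_name: [match lines]} in configuration order."""
    maps = OrderedDict()
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if not line.startswith(" "):
            # Top-level command: start a new block for 'class-map <name>',
            # otherwise leave class-map mode so unrelated lines are skipped.
            m = re.match(r"class-map\s+(\S+)$", line)
            current = m.group(1) if m else None
            if current is not None:
                maps[current] = []
            continue
        if current is not None and line.strip().startswith("match "):
            maps[current].append(line.strip())
    return maps

def check_class_maps(maps):
    """Apply the rule from the text: match flow requires match tunnel-group."""
    problems = []
    for name, matches in maps.items():
        kinds = {m.split()[1] for m in matches}   # access-list, port, flow, ...
        if "flow" in kinds and "tunnel-group" not in kinds:
            problems.append(f"{name}: match flow without match tunnel-group")
    return problems
```

Running check_class_maps(parse_class_maps(SAMPLE_CONFIG)) flags only the broken class, since se pairs its match flow with a match tunnel-group.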

More information about the syntax of the class-map commands is available in the Command Reference.