The policy-map command is used to configure various policies. A policy consists of a class command and its associated actions. The PIX Security Appliance supports one policy per interface and one global policy. Each policy map may support multiple classes and policy actions. In the example in the figure, there are two policy maps, the outside policy map and the global policy map. The outside policy map supports four class maps: the Internet, SE, EXEC, and S2S class maps. IDS, inspect, police, and priority actions are associated with these classes. The global policy map supports default inspection criteria for all traffic.
The following steps are used to define a policy map:
Step 1 Name the policy.
Step 2 Identify a class of traffic covered by this policy.
Step 3 Associate an action or actions with each traffic flow.
The first step is to define the policy maps. In the example in the figure, there are two policy maps, outside and global.
The next step is to identify which traffic flows, or classes, are specified in a policy map. Each traffic flow is identified by a class map name. In the example in the figure, the outside policy map is identified. Internet class traffic flow is assigned to the outside policy map.
The syntax of the policy-map commands is as follows:
policy-map policymap_name
description text
class classmap_name
The last step is to associate actions with specific traffic flows within a policy map. In the example in the figure, the policy map name, outside, is defined. The Internet class of traffic is defined. The administrator must next associate actions with this traffic flow. The policy action options are to forward traffic to IDS, perform specified protocol inspections, police the bandwidth used by the specified flow, direct the flow to the low latency queue, or set connection parameters on these flows.
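
The three steps above, carried through for the outside policy map as an added configuration example (it is not taken from the original course material or its figure). The access list, the match criteria, the rate values, and the pairing of actions with the Internet and EXEC classes are assumptions made for illustration.

```cisco
! Constructed example. The ACL name, match criteria and rates are assumptions.
!
! Traffic selectors that the class maps refer to.
access-list internet_acl extended permit tcp any any eq www
!
! Class maps identify the traffic flows named in the policy map.
class-map internet
 match access-list internet_acl
class-map exec
 match dscp ef
!
! A priority queue must exist on the interface before the
! priority action can place traffic in the low latency queue.
priority-queue outside
!
! Step 1: name the policy.
policy-map outside
 description Policy for traffic on the outside interface
 ! Step 2: identify a class of traffic covered by this policy.
 class internet
  ! Step 3: associate actions with the flow.
  ! Inspect HTTP and police the flow to 56 kbps with a 10500-byte burst.
  ! Later software releases expect a direction keyword: police output 56000 10500
  inspect http
  police 56000 10500
 class exec
  ! Direct this flow to the low latency queue.
  priority
!
! Activate the policy. Only one policy map can be applied per interface.
service-policy outside interface outside
!
! Verify what was configured.
show running-config policy-map
```

The police and priority actions sit in separate classes because the two actions cannot be applied to the same class.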
To display all of the policy map configurations or the default policy map configuration, use the show running-config policy-map command.
More information about the syntax of the policy-map command is available in the Command Reference.