Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
Chapter 12 Configuring Traffic Policies
Class Map and Policy Map Overview
Application Protocol Inspection Overview, page 12-5
Configuring Traffic Policies, page 12-1
Configuring Virtual Context Class Maps, page 12-8
Policy Maps
A policy map creates the traffic policy. The purpose of a traffic policy is to implement specific ACE appliance functions associated with a traffic class. A traffic policy contains the following components:
Policy map name
Previously created traffic class map or, optionally, the default class map
One or more of the individual Layer 3 and Layer 4 or Layer 7 policies that specify the actions to be performed by the ACE appliance
The ACE appliance supports a system-wide maximum of 4096 policy maps.
A Layer 7 policy map is always associated with a Layer 3 and Layer 4 policy map, which provides the entry point for traffic classification. Layer 7 policy maps are child policies and can only be nested under a Layer 3 and Layer 4 policy map. Only a Layer 3 and Layer 4 policy map can be activated on a VLAN interface; a Layer 7 policy map cannot be applied directly to an interface. For example, to associate a Layer 7 load-balancing policy map, you nest the load-balancing policy map under the Layer 3 and Layer 4 policy map by selecting the corresponding action type in the Layer 3 and Layer 4 policy map.
If none of the classifications specified in the policy map match, the ACE appliance executes the default actions specified for the class map configured with the Use Class Default option (if one is specified). All traffic that fails to meet the matching criteria of the named class maps belongs to this default traffic class. The Use Class Default option has an implicit match-any statement and therefore matches any traffic classification; it is reached only when no named class map in the policy map matches.
The ACE appliance supports flexible class map ordering within a policy map. Because the ACE appliance executes only the actions of the first matching traffic classification, the order of class maps within a policy map is very important. The lookup order between policies of different types, however, is fixed: it is based on the security features of the ACE appliance and is implicit, irrespective of the order in which you apply the policies to the interface.
The policy lookup order of the ACE appliance is as follows:
1. Access control (permit or deny a packet)
2. Permit or deny management traffic
3. TCP/UDP connection parameters
4. Load balancing based on a virtual IP (VIP)
5. Application protocol inspection
6. Source NAT
7. Destination NAT
In practice this means that an access control deny is final: a packet dropped at step 1 never reaches the load-balancing, inspection, or NAT policies, regardless of how those policies are configured. The sequence in which the ACE appliance applies the actions for a specific policy is independent of the order in which the actions are configured for a class map inside that policy.
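The following running configuration is an added example, written for this page; it is not taken from the guide and is not the output of Device Manager for any particular screen. It shows, in the equivalent CLI, the nesting described above (a Layer 7 load-balancing policy map nested under a Layer 3 and Layer 4 policy map, with a class-default catch-all) and the relationship between the interface configuration and the fixed lookup order (access control, then management traffic, then the VIP). All names, addresses, and server farms (ACL-IN, MGMT-POLICY, L4-WEB, LB-WEB, SF-WEB, SF-IMAGES, 10.1.1.100, and so on) are constructed for illustration.

```text
! Constructed example configuration, not from the guide.

! Lookup step 1: access control on the interface. Traffic not permitted
! here is dropped before any policy map is consulted.
access-list ACL-IN line 10 extended permit tcp any host 10.1.1.100 eq 80
access-list ACL-IN line 20 extended permit tcp 10.0.0.0 255.0.0.0 host 10.1.1.1 eq 22

! Lookup step 2: management traffic to the ACE itself (SSH from the
! admin network only; anything else to the appliance is denied).
class-map type management match-any REMOTE-MGMT
  2 match protocol ssh source-address 10.0.0.0 255.0.0.0

policy-map type management first-match MGMT-POLICY
  class REMOTE-MGMT
    permit

! Real servers and server farms behind the VIP.
rserver host WEB1
  ip address 192.168.1.11
  inservice
rserver host IMG1
  ip address 192.168.1.21
  inservice

serverfarm host SF-WEB
  rserver WEB1 80
    inservice
serverfarm host SF-IMAGES
  rserver IMG1 80
    inservice

! Layer 7 class map: HTTP requests whose URL begins with /images/.
class-map type http loadbalance match-all IMG-REQUESTS
  2 match http url /images/.*

! Layer 7 (child) policy map. first-match: only the first matching class
! acts. class-default is the implicit match-any catch-all.
policy-map type loadbalance first-match LB-WEB
  class IMG-REQUESTS
    serverfarm SF-IMAGES
  class class-default
    serverfarm SF-WEB

! Layer 3/4 class map identifying the VIP (lookup step 4).
class-map match-all VIP-WEB
  2 match virtual-address 10.1.1.100 tcp eq 80

! Layer 3/4 (parent) policy map. The Layer 7 policy map is nested under
! the VIP class with the loadbalance action; it cannot be applied on its own.
policy-map multi-match L4-WEB
  class VIP-WEB
    loadbalance vip inservice
    loadbalance policy LB-WEB

! Only the Layer 3/4 and management policy maps are applied to the VLAN.
! The order of the service-policy lines does not change the lookup order:
! the ACL is evaluated first, then MGMT-POLICY, then L4-WEB.
interface vlan 100
  ip address 10.1.1.1 255.255.255.0
  access-group input ACL-IN
  service-policy input L4-WEB
  service-policy input MGMT-POLICY
  no shutdown
```

Two points to check in a configuration like this. First, the VIP must be permitted by the input access list: if line 10 of ACL-IN were missing, client connections to 10.1.1.100 would be dropped at lookup step 1 and the load-balancing policy would never be reached, which is easy to mistake for a server farm problem. Second, because LB-WEB is first-match, a request for /images/logo.png goes to SF-IMAGES and nothing else; every other HTTP request falls through to class-default and SF-WEB.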
Related Topics
Class Map and Policy Map Overview, page 12-2
Policy Maps, page 12-4