Cisco SCA BB Protocol Reference Guide
General Information

Table of Contents

General Information

Introduction

HTTP Download - URL-based Signatures

Flash-based Signatures

31SMS

Skype Signatures and Support Matrix

Viber Unidirectional Flow Classification

Alicall Signatures and Support Matrix

Blocking Alicall

Gmail Video And VoIP Signatures Support

Gmail Video Signature Details

Blocking Gmail Video

Effective Blocking of Yahoo Messenger VoIP Services

MSN VoIP Traffic Blocking

Thunder Service: Blocking Thunder Download

Thunder Service: Blocking WebThunder Download

Generic P2PSuspected (Not supported in release PP #27 and later)

HeadCall

P2P Throttling

Popcorn-Time

Behavioral Upload Download Signature Updates

Service Tree and HTTP Browsing

Teredo

BBC iPlayer

STUN

YouTube Blocking

Flash youtube

FourSquare

Skype

SpiderOak Hive

Tor obfuscation (obfsproxy)

Dailymotion

Appstore

Ubisoft Uplay

Google Services

DroidVPN

Methods of Blocking Applicable only to Protocol Pack #36

Methods of Blocking Applicable only to Protocol Pack #37

Methods of Blocking (Protocol Pack #38)

Setting the Content Filtering Category Preference (Protocol Pack #39)

Methods of Blocking (Protocol Pack #42)

General Information

Introduction


Note: This section is aligned with Protocol Pack #14 and later. In previous Protocol Packs, the classification methods might be different.


HTTP Download - URL-based Signatures

For URL-based HTTP protocol signatures (Video / Audio / Binary over HTTP), the following file extension conditions are looked up in the HTTP request URL header:

  • VIDEO_OVER_HTTP file extensions:

asfv1, asf, wmv, wvx, avi, mov, asx, mp4, mpg, mpeg, qt, rm, rv, ogm, mkv, m4v, mvb, div, divx, 3gp, 3g2.

  • AUDIO_OVER_HTTP file extensions:

aac, aa3, aif, aiff, ape, mpa, m4a, m4b, m4p, midi, mid, mp3, ogg, oma, omg, ra, spx, wav, wma, ram, wax.

  • BINARY_OVER_HTTP file extensions:

zip, iso, rar, gz, pkg, pps, ppt, doc, exe.

Flash-based Signatures

The following information describes the classification conditions for HTTP Flash-based signatures.

Flash:

  • HTTP URL field: ".swf", ".flv" extension or "/get_video", "/videoplayblack", or "/generate" prefix

Upon Flash signature detection, the following additional signatures are checked in order to get a more granular classification.

Flash YouTube:

  • Host field: "youtube" or "youtube.com" or "ytimg.com" suffix
  • Referrer field: "youtube.com" suffix
  • Request Line URI field: "youtube.com" suffix

Flash MySpace:

  • Host field: "myspace.com" suffix

Flash Yahoo:

  • Host field: "yahoo.com" suffix
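
The URL-based download lookup and the Flash conditions above, written out as a small classifier. This is an added example, not Cisco code: the function names and sample requests are constructed, and it assumes the extension is taken from the URL path (query string ignored, case-insensitive), that any one of the listed YouTube conditions is sufficient, and that "suffix" means a plain string suffix of the host name.

```python
import posixpath
from urllib.parse import urlsplit

# Extension lists and Flash conditions copied from the page.
VIDEO_EXT = set("asfv1 asf wmv wvx avi mov asx mp4 mpg mpeg qt rm rv ogm mkv "
                "m4v mvb div divx 3gp 3g2".split())
AUDIO_EXT = set("aac aa3 aif aiff ape mpa m4a m4b m4p midi mid mp3 ogg oma omg "
                "ra spx wav wma ram wax".split())
BINARY_EXT = set("zip iso rar gz pkg pps ppt doc exe".split())
FLASH_EXT = {"swf", "flv"}
FLASH_PREFIXES = ("/get_video", "/videoplayblack", "/generate")  # spelled as on the page


def _path_and_ext(url):
    """Path of the request URL and its lower-cased extension (query ignored)."""
    path = urlsplit(url).path
    return path, posixpath.splitext(path)[1].lstrip(".").lower()


def _host_of(value):
    """Host of a Host header or of an absolute URL: lower case, port removed."""
    value = value.strip()
    if not value or value.startswith("/"):   # empty, or origin-form URI without a host
        return ""
    if not value.lower().startswith(("http://", "https://")):
        value = "//" + value                 # bare Host header, possibly with :port
    return (urlsplit(value).hostname or "").rstrip(".")


def classify_download(url):
    """VIDEO_/AUDIO_/BINARY_OVER_HTTP by file extension, or None."""
    _, ext = _path_and_ext(url)
    if ext in VIDEO_EXT:
        return "VIDEO_OVER_HTTP"
    if ext in AUDIO_EXT:
        return "AUDIO_OVER_HTTP"
    if ext in BINARY_EXT:
        return "BINARY_OVER_HTTP"
    return None


def classify_flash(url, host="", referer=""):
    """Flash first, then the more granular YouTube / MySpace / Yahoo checks."""
    path, ext = _path_and_ext(url)
    if ext not in FLASH_EXT and not path.startswith(FLASH_PREFIXES):
        return None
    h, ref, uri = _host_of(host), _host_of(referer), _host_of(url)
    # A plain suffix test is broader than a domain-boundary test:
    # any host name that merely ends in the string also matches.
    if (h.endswith(("youtube", "youtube.com", "ytimg.com"))
            or ref.endswith("youtube.com") or uri.endswith("youtube.com")):
        return "Flash YouTube"
    if h.endswith("myspace.com"):
        return "Flash MySpace"
    if h.endswith("yahoo.com"):
        return "Flash Yahoo"
    return "Flash"


# Constructed sample requests: (URL, Host header, Referer header).
SAMPLES = [
    ("/media/Clip.MP4?start=10", "cdn.example.net", ""),
    ("/files/backup.tar.gz", "files.example.net", ""),
    ("/get_video?video_id=abc", "www.youtube.com:80", ""),
    ("/player/intro.swf", "static.example.net", "http://www.youtube.com/watch?v=abc"),
    ("/movie.flv", "video.yahoo.com", ""),
]

if __name__ == "__main__":
    for url, host, ref in SAMPLES:
        # The page states no precedence between the two lookups, so show both.
        print(url, host, classify_download(url), classify_flash(url, host, ref))
```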

31SMS

In Protocol Pack #26, classification of network-side SMS retrieval traffic is not supported. But when you apply a block policy, the functionality of the 31SMS application is blocked.

Skype Signatures and Support Matrix

Protocol packs prior to PP #22 did not provide effective and reliable classification of Skype TCP. A tunable (GT_PL_BLOCK_SKYPE_ALL_FEATURES) was introduced in PP #22 that allows you to control Skype protocol classification. This mechanism is based on the following two concepts:

  • Blocking Skype UDP: The tunable mechanism applies only to Skype TCP. Skype communication changes to TCP when Skype UDP is fully blocked by a device such as the SCE platform.
  • Limiting Skype bandwidth: The system does not discriminate between different Skype flavors, such as IM, VoIP and FT. However, by limiting the total Skype bandwidth, VoIP and FT are effectively blocked, whereas IM gets through since it requires very little bandwidth.

The following section is applicable to Releases Protocol Pack #22 to Protocol Pack #27.


Note: Skype IN and Skype OUT signatures, which point to the Skype PC to MOBILE calls IN and OUT respectively, have not been updated in recent protocol packs. Therefore, this may not work for newer versions of Skype.

Note: When GT_PL_BLOCK_SKYPE_ALL_FEATURES is set to TRUE, there is no subservice classification (such as VoIP or FT) available under Skype services. All TCP Skype traffic is classified to the specific signature called “skype_chat_ft_voip” under the service called “Other Skype”.


To set the tunable, use the following CLI command sequence:

enable 15
config
interface LineCard 0
tunable GT_PL_BLOCK_SKYPE_ALL_FEATURES value TRUE
end
 

To keep the tunable set to TRUE across reboots, use the following command:

copy running-config startup-config
 

The following table summarizes the results of setting this tunable when PP #22 is installed.

 

Classification

  • Tunable set to TRUE: Accurate granular classification of each of the Skype services is lost, since all Skype services will be classified as Skype.
  • Tunable set to FALSE (default): Accurate granular classification of each of the Skype protocol suite (VoIP, FT). Skype Video will be classified as VoIP.

Block Action

  • Tunable set to TRUE: A blocking policy can be set to force Skype to move to TCP communication, which can be effectively blocked for the whole protocol suite (VoIP, FT and IM) without dedicated classification.
  • Tunable set to FALSE (default): Blocking is not effective.

Rate limiting

  • Tunable set to TRUE: Skype can be rate limited for the whole protocol suite (recommended limit is 5 Kbps). Since IM requires only a small bandwidth, it will get through, while Voice and FT will suffer from extreme jitter and disconnections.
  • Tunable set to FALSE (default): Effective only for Skype over UDP. Set rates as follows: 5 Kbps for Skype FT and 3 Kbps for Skype VoIP. Rate limiting of Skype VoIP and FT for Skype over TCP is not effective.

The following section is applicable to Releases PP #28 and later.

 

Table 5-1 Skype Support Matrix for Service/TCP (PP #28 Onwards)

| Service/TCP | Classification | Rate limiting as a means for block |
|---|---|---|
| IM | Supported | Not Supported |
| FT(PC-PC) | Supported | Supported |
| Voice(PC-PC) | Supported | Supported |
| Voice(PC-Mobile) | Supported | Supported |
| Voice(PC-Non-Skype Mobile) | Supported | Supported |
| Voice(PC-Non-Skype Landline) | Supported | Supported |
| Video(PC-Mobile) | Supported | Supported |
| Video(PC-PC) | Supported | Supported |


Note: Skype Support Matrix for Service/UDP (PP #28 Onwards) is detailed in the below table.


 

Table 5-2 Skype Support Matrix for Service/UDP (PP #28 Onwards)

| Service/TCP | Classification | Rate limiting as a means for block |
|---|---|---|
| IM | Not available (seeing only TCP traffic for IM) | |
| IM(Mobile-Mobile) | Supported | Not Supported |
| FT(PC-PC) | Supported | Supported |
| FT(Mobile-Mobile) | Supported | Supported |
| Voice(PC-PC) | Supported | Supported |
| Voice(PC-Mobile) | Supported | Supported |
| Voice(PC-Non-Skype Mobile) | Supported | Supported |
| Voice(PC-Non-Skype Landline) | Supported | Supported |
| Voice(Mobile-Mobile) | Supported | Supported |
| Video(PC-Mobile) | Supported | Supported |
| Video(PC-PC) | Supported | Supported |
| Video(Mobile-Mobile) | Supported | Supported |

  • Skype Sub service Classification accuracy is at 80%
  • SSL and HTTP Skype flows are not supported.
  • Blocking of Skype: Configuration guideline.

To make the FT, Voice and Video Skype services unusable, do the following:

Set the tunable GT_PL_BLOCK_SKYPE_ALL_FEATURES to TRUE.

Set the tunable RST_OTHER_SKYPE_FLOWS_FROM_SUBSCRIBER to TRUE.

When GT_PL_BLOCK_SKYPE_ALL_FEATURES is set to TRUE, there is no subservice classification. From PP #28 onwards, all TCP/UDP Skype traffic is classified to the Skype-IM protocol under the service Other Skype.

Applying a rate limit of approximately 5 kbps makes all the Skype services unusable. Depending on the network conditions, the rate limit value may be tuned to a value between 3 and 6 kbps.

Starting from PP#34, to allow the Skype IM and make all the other Skype services unusable with 3 kbps rate-limiting, set the value of GT_PL_ALLOWIM_BLOCK_OTHERS and GT_PL_BLOCK_SKYPE_ALL_FEATURES tunables as TRUE.

Viber Unidirectional Flow Classification


Note: This feature is applicable only on Cisco SCE 8000.


Starting from Protocol Pack #42, you can enable classification of Viber VoIP unidirectional flows.

To enable the classification, set the value of the GT_PL_VIBERCALL_UNIDIRECTIONAL_FEATURE tunable to 40 or above.

Alicall Signatures and Support Matrix

Alicall voice traffic can be over TCP or UDP, based on the server selected during initial setup.

 

| Signature Name | Signature ID | Comments |
|---|---|---|
| Alicall over UDP | 101711872 | Alicall voice UDP traffic, from PC to Mobile. |
| Alicall over TCP | 101712128 | Alicall voice TCP traffic, from PC to Mobile |
| Alicall Callback | 101712640 | Signature support for callback feature of Alicall, where Alicall initiates calls for Mobile to Mobile communication. |
| Alicall Control (TCP/UDP call) | 101712896 | Signature support for Call Control flow during call initiation |

Blocking Alicall

To block Alicall irrespective of L4 protocol, apply a block policy on the Protocol ID: "Alicall Control (TCP/UDP call)".

Gmail Video And VoIP Signatures Support

In the PP #24 release, only Gmail Video chat was supported.

However, because Google is providing voice and video services through the Gtalk, Gmail VoIP, and Gmail Video applications, the following information clarifies the support matrix and expected signatures.

Gmail Video Signature Details

Gmail Video chatting generates both video and voice traffic.

Gmail Video - Video traffic

Gmail video traffic is by default UDP based. If UDP is blocked, it is moved to TCP based. If TCP based is also blocked, it is moved to SSL based. Signatures are provided for all three different types of traffic.

Gmail Video - Voice traffic

Gmail video traffic is by default UDP based. If UDP is blocked, it is moved to TCP based. If TCP based is also blocked, it is moved to SSL based. Signatures are provided for all three different types of traffic.

  • TCP-based traffic of Gmail Video-Voice and Gmail VoIP are classified to the signatures Gmail VoIP (such as 85526272 and 85526528).
  • UDP-based traffic of Gmail Video-Voice and Gmail VoIP are classified to existing Gtalk VoIP signature.

 

| Signature Name | Signature ID | Comments |
|---|---|---|
| Gmail Video TCP | 85525504 | This signature is to support TCP-based video traffic of Gmail Video chat. |
| Gmail Video UDP | 85525760 | This signature is to support UDP-based video traffic of Gmail Video chat. |
| Gmail Video SSL | 85526016 | This signature is to support SSL-based video traffic of Gmail Video chat. |
| Gmail VoIP TCP | 85526272 | This signature is to support TCP-based voice traffic of Gmail Video chat and Gmail VoIP. |
| Gmail VoIP SSL | 85526528 | This signature is to support SSL-based voice traffic of Gmail Video chat and Gmail VoIP. |
| Temp Gmail Video TCP | 85524992 | Temporary signature for early detection of video traffic. |
| Temp Gmail Video SSL | 85525248 | Temporary signature for early detection of video traffic. |

Blocking Gmail Video

To block Gmail Video UDP traffic, apply a rate limit of 5 Kbps.

Other traffic flows can be blocked based on their respective signatures.

The following set of tunables that were already in PP #23 for Gtalk classification was not supported in PP #24.

  • GT_PL_STUN_TOTAL_PACKETS_SKIPPED
  • GT_PL_STUN_NUM_PACKETS_AFTER_EACH_SKIP

To enable you to control the classification of both Gmail and Gtalk traffic, the following tunables were introduced in PP #24 instead of the tunables that were supported in PP #23:

  • GT_PL_STUN_TOTAL_PACKETS_SKIPPED_FOR_GMAIL_GTALK_TCP

Default value set to 1020

  • GT_PL_STUN_TOTAL_PACKETS_SKIPPED_FOR_GMAIL_GTALK_UDP

Default value set to 1000

  • GT_PL_STUN_NUM_PACKETS_AFTER_EACH_SKIP_FOR_GMAIL_GTALK

Default value set to 10


Tip: The tunable GT_PL_STUN_NUM_PACKETS_AFTER_EACH_SKIP_FOR_GMAIL_GTALK should always be greater than 0 to support both Gmail video and VoIP as well as Gtalk applications. When this is set to 0, TCP traffic of Gmail video and VoIP is not classified.

Tip: The tunable GT_PL_STUN_TOTAL_PACKETS_SKIPPED_FOR_GMAIL_GTALK_TCP should always be a multiple of 60 to have a granular classification.


To set the tunable, use the following CLI command sequence:

SCE>enable 15
SCE#>config
SCE(config)#>interface LineCard 0
SCE(config if)#>tunable GT_PL_STUN_TOTAL_PACKETS_SKIPPED_FOR_GMAIL_GTALK_TCP value 1080
SCE(config if)#>end
 

To keep the tunable value the same across reboots, use the following command:

SCE#>copy running-config startup-config
 

Effective Blocking of Yahoo Messenger VoIP Services

Blocking call setup traffic of Yahoo Messenger triggers more flows and bypasses the blocking. To address this issue, call setup traffic has been separated by the protocol ID "Yahoo Messenger Call Setup" in PP #24. It is recommended not to apply a block policy on this protocol. For effective blocking, apply a block policy on the protocol Yahoo Messenger VoIP and JaJah YahooPhoneOut, while permitting "Yahoo Messenger Call Setup" traffic.

MSN VoIP Traffic Blocking

Starting with PP #22, MSN VoIP classification is supported for the latest MSN Messenger version (version 14.0 as of PP #22). MSN VoIP changes to TCP when it is fully blocked by a device such as the SCE platform.


Tip To effectively block MSN VoIP traffic, apply rate-limiting at 3 Kbps, upstream and downstream.


Thunder Service: Blocking Thunder Download

You can block Thunder download traffic by creating a new service and moving the Thunder service elements from the Other P2P service to the new service. You can then block the Thunder service without affecting other P2P protocols.

Add the WebThunder signature to the independent Thunder service.

To block Thunder download traffic, complete the following steps:


Step 1 Create a new service. Give the service a name indicating that this service will be used to block Thunder download. (The name used in the example is ‘Thunder Only’.)

Figure 5-1 Creating a Service

 

Step 2 Remove the following elements from the ‘Other P2P’ service:

  • Zones: ThunderZone1, ThunderZone2, ThunderZone3, and ThunderZone4
  • Flavor: Thunder New Service
  • Protocol: Thunder

Figure 5-2 Removing the Thunder Service Elements from Other P2P Service

 

Step 3 Add the following service elements (which you removed from the ‘Other P2P’ service) to the new service you created:

a. Four service elements assigning ThunderZone1, ThunderZone2, ThunderZone3, and ThunderZone4 as the zones.

b. A service element assigning 'Thunder New Service' as the Flavor.

c. A service element assigning 'Thunder' as the protocol.

Figure 5-3 Adding a Service Element to the New Service

 

Figure 5-4 Thunder Only Service Configuration

 

Step 4 Apply a block policy against the newly created service to block Thunder download traffic.


 

Thunder Service: Blocking WebThunder Download

You can block WebThunder download traffic by creating a new service and deleting the WebThunder service element from the Other P2P service.

To block WebThunder download traffic, follow these steps:


Step 1 Create a new service and enter an appropriate name indicating that this service is used to block WebThunder download.

Figure 5-5 Creating a WebThunder Service

Step 2 Click the Other P2P service and from the right pane, remove the protocol named WebThunder:

Figure 5-6 Removing the WebThunder Service Elements from Other P2P Service

Step 3 Add WebThunder service element to the new service you created:

Figure 5-7 Adding a Service Element to WebThunder Service


 

Generic P2PSuspected (Not supported in release PP #27 and later)

  • The Generic P2PSuspected signature is based on the P2P traffic behavior reported by a customer. When an unknown application causes high levels of “Other UDP” traffic in the customer site, we assume that the traffic belongs to a P2P application.
  • By default, the Generic P2PSuspected signature is under the “Other UDP” service. However, if this traffic is suspected to be P2P traffic, you must bring it under a “P2P” service.
  • By default, the Generic P2PSuspected signature is turned off. The tunable that can be used to turn it on is GT_PL_GENERIC_P2PSUSPECTED_DO_CLASSIFY.

Note: GT_PL_GENERIC_P2PSUSPECTED_DO_CLASSIFY code is removed from PP #27 and later and the tunable is removed from 3.8.5 and later.


HeadCall

Classification of Headcall traffic requires you to set the tunable GT_PL_HEADCALL_DO_CLASSIFY to true. By default, this tunable is set to false.

To set the tunable, use the following CLI command sequence:

enable 15
config
interface LineCard 0
tunable GT_PL_HEADCALL_DO_CLASSIFY value TRUE
end
 

To keep the tunable set to TRUE across reboots, use the following command:

copy running-config startup-config

P2P Throttling

If an issue is seen with P2P throttling at desirable bandwidth, configure the following Cisco SCABB advanced configuration settings:


Step 1 From the Service Configuration Editor, choose Configuration > Policies > System Settings... .

Step 2 Click Advanced Options tab.

Step 3 Click the Advanced Service Configuration Options... button.

Step 4 In the Bandwidth Management area, change the value of the property Level of BWC enforcement on networking flows of P2P and IM applications to SCE to use relevant P2P or IM Service BWCs.


 

Popcorn-Time

Popcorn-Time is an application for watching movies streamed over BitTorrent. The flows of this application are classified as BitTorrent.

Behavioral Upload Download Signature Updates

In some geographical locations, unknown gaming traffic is identified as Behavioral Upload/Download and in turn as BitTorrent because of the behavior of the user.

Behavioral upload/download signatures are updated in such a way that unknown gaming traffic will cease to be identified as BitTorrent.

By default, these signature changes are disabled. To enable these signature changes, configure the following on the line card of the box:

SCE2000#> configure
SCE2000(config)#> interface LineCard 0
SCE2000(config if)#> tunable GT_PL_BITTORRENT_SKIP_BEHAVIORAL_BT_DO_CLASSIFY value TRUE
SCE2000(config if)#> exit
SCE2000(config)#> exit
SCE2000#> copy running-config-application startup-config-application

 

To revert to the default disabled signature changes, configure the following on the line card of the box:

SCE2000#> configure
SCE2000(config)#> interface LineCard 0
SCE2000(config if)#> tunable GT_PL_BITTORRENT_SKIP_BEHAVIORAL_BT_DO_CLASSIFY value FALSE
SCE2000(config if)#> exit
SCE2000(config)#> exit
SCE2000#> copy running-config-application startup-config-application
 

Note: The tunable change will persist through reboots/policy apply/PP upgrades. It does not persist after PQI installation which is used in version upgrade.


Service Tree and HTTP Browsing

As part of the SCOS Release 3.6.5 requirements, the following two services were introduced in SCA BB Release 3.6.5:

  • ClickStream-New Page
  • ClickStream-New Site

This affects any configuration that refers to the “HTTP Browsing” Protocol ID. As of Release 3.6.5, wherever HTTP Browsing is referred to, you might need to include these two new ClickStream services.

For example:

  • Pre 3.6.5—"HTTP Browsing" is the only Protocol ID for Content filtering configuration.
  • Post 3.6.5—In addition to "HTTP Browsing" Protocol Service, you must include the two ClickStream services for Content filtering configuration.

For more information, see Release Notes for Cisco Service Control Application for Broadband (SCA BB), Release 3.6.x .

Teredo

The global tunable "GT_PL_TUNNELED_IPV6_ENABLED" has to be enabled. By default, this tunable is FALSE on the SCE 2000 and TRUE on the SCE 8000.

BBC iPlayer

To classify the RTMPT traffic of BBC iPlayer using the BBC iPlayer over RTMP signature, you must set the tunable GT_PL_BBC_RTMPT_DO_CLASSIFY to TRUE. By default, this tunable is set to FALSE.

To set the tunable, use the following CLI command sequence:

SCE2000#> configure
SCE2000(config)#> interface LineCard 0
SCE2000(config if)# tunable GT_PL_BBC_RTMPT_DO_CLASSIFY value TRUE
SCE2000(config if)# end
 

To maintain the tunable value to TRUE across reboots, copy the running configuration to the startup configuration using the copy running-config startup-config command after you set the tunable value to TRUE.

There are RTMPT flows that lack deterministic patterns. As a fall-back option, zone support is included for RTMPT flows. A service element based on a zone is added under the “BBC Iplayer Streaming” service. A zone called “BBCIplayerZone” with five IP addresses is available. If you observe more zones, add them under BBCIplayerZone to improve the classification accuracy for RTMPT flows.

Figure 5-8 Zone Configuration for BBC iPlayer

 

STUN

STUN flows may not be usable if you configure a rate limit of 5 kbps with the default tunable value.

YouTube Blocking

From Release PP31, a separate tunable is available to classify and block YouTube Flash video without impacting the non-YouTube HTTP traffic. You need to configure the tunable GT_PL_MAXIMAL_INSPECTED_HTTP_TRANSACTIONS_PER_FLOW_FOR_YOUTUBE to block YouTube Flash video. The recommended value is 3.

To set the value of the tunable to 3, use the following CLI command sequence:

SCE2000#>configure
SCE2000(config)#>interface LineCard 0
SCE2000(config if)#> tunable GT_PL_MAXIMAL_INSPECTED_HTTP_TRANSACTIONS_PER_FLOW_FOR_YOUTUBE value 3
SCE2000(config if)#> end
 

Flash youtube

The tunable GT_PL_MAXIMAL_INSPECTED_HTTP_TRANSACTIONS_PER_FLOW_FOR_YOUTUBE is added to define the HTTP GET request parameter specifically for YouTube. By default, the tunable value is set to 1; set it to 3 when Flash YouTube blocking or classification is required.

FourSquare

The GT_PL_FOURSQUARE_MAPS_DO_CLASSIFY tunable is added to classify the maps in foursquare application. By default, the value of the tunable is set to FALSE, but to classify the maps in foursquare it should be set to TRUE.

Skype

The GT_PL_ALLOWIM_BLOCK_OTHERS tunable is enabled to allow Skype-IM and make all the other Skype services unusable.

SpiderOak Hive

The default aging time for PL_AGING_SPIDEROAKHIVE_PC is 1200.

To support the flows with aging time longer than 1200, increase the aging time of tunable PL_AGING_SPIDEROAKHIVE_PC to 11000.

Tor obfuscation (obfsproxy)

Classification of Tor obfuscation (obfsproxy) traffic requires you to set the tunable GT_PL_TOR_OBFSPROXY_DO_CLASSIFY to true. By default, this tunable is set to false.

To set the tunable:

SCE#> configure
SCE(config)#> interface LineCard 0
SCE(config if)#> tunable GT_PL_TOR_OBFSPROXY_DO_CLASSIFY value TRUE
SCE(config if)#> exit
SCE(config)#> exit

To keep the tunable set to TRUE across SCE reboots, use the following command:

SCE#> copy running-config-application startup-config-application

Dailymotion

Classification of Dailymotion traffic requires you to set the tunable GT_PL_MAXIMAL_INSPECTED_HTTP_TRANSACTIONS_PER_FLOW_FOR_DAILYMOTION to 2 or 3. By default, this tunable is set to 1.

To set the tunable:

SCE#> configure
SCE(config)#> interface LineCard 0
SCE(config if)#> tunable GT_PL_MAXIMAL_INSPECTED_HTTP_TRANSACTIONS_PER_FLOW_FOR_DAILYMOTION value 2
SCE(config if)#> exit
SCE(config)#> exit

To keep the tunable set to a specific value across SCE reboots, use the following command:

SCE#> copy running-config-application startup-config-application

Appstore

To classify Appstore in iOS, set the value of the tunable GT_PL_APPSTORE_DO_CLASSIFY to TRUE. By default, the value is FALSE.

Ubisoft Uplay

To classify Uplay, set the value of the tunable GT_PL_UPLAY_DO_CLASSIFY to TRUE and the value of the global tunable GT_PL_MAXIMAL_INSPECTED_HTTP_TRANSACTIONS_PER_FLOW_FOR_UPLAY to 2.

By default, the value of the tunable GT_PL_UPLAY_DO_CLASSIFY is FALSE and the value of the tunable GT_PL_MAXIMAL_INSPECTED_HTTP_TRANSACTIONS_PER_FLOW_FOR_UPLAY is 1.
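
The value constraints stated in the Skype, Gmail/Gtalk STUN and Ubisoft Uplay sections above can be checked in one pass over a saved configuration or a pasted CLI session. This is an added example, not Cisco code: the function names and sample inputs are constructed, and it assumes tunables appear as "tunable <name> value <value>" lines, as in the command sequences on this page.

```python
import re

TUNABLE_RE = re.compile(r"\btunable\s+(\S+)\s+value\s+(\S+)", re.IGNORECASE)

# Defaults stated on the page; a tunable missing from the input keeps its default.
DEFAULTS = {
    "GT_PL_BLOCK_SKYPE_ALL_FEATURES": "FALSE",
    "GT_PL_STUN_TOTAL_PACKETS_SKIPPED_FOR_GMAIL_GTALK_TCP": "1020",
    "GT_PL_STUN_NUM_PACKETS_AFTER_EACH_SKIP_FOR_GMAIL_GTALK": "10",
    "GT_PL_UPLAY_DO_CLASSIFY": "FALSE",
    "GT_PL_MAXIMAL_INSPECTED_HTTP_TRANSACTIONS_PER_FLOW_FOR_UPLAY": "1",
}
# PP #23 tunables that the page says are not supported in PP #24.
REPLACED = {"GT_PL_STUN_TOTAL_PACKETS_SKIPPED", "GT_PL_STUN_NUM_PACKETS_AFTER_EACH_SKIP"}


def parse_tunables(text):
    """Map tunable name -> value (upper case); the last assignment wins."""
    found = {}
    for line in text.splitlines():
        m = TUNABLE_RE.search(line)
        if m:
            found[m.group(1).upper()] = m.group(2).upper()
    return found


def _num(value):
    """Integer value of a tunable, or None when it is not numeric."""
    try:
        return int(value)
    except ValueError:
        return None


def audit(text):
    """Return (tunable, finding) pairs for values that contradict the page."""
    explicit = parse_tunables(text)
    cfg = {**DEFAULTS, **explicit}
    findings = []

    # PP #34 and later: allowing Skype IM needs both tunables set to TRUE.
    if (cfg.get("GT_PL_ALLOWIM_BLOCK_OTHERS") == "TRUE"
            and cfg["GT_PL_BLOCK_SKYPE_ALL_FEATURES"] != "TRUE"):
        findings.append(("GT_PL_ALLOWIM_BLOCK_OTHERS",
                         "GT_PL_BLOCK_SKYPE_ALL_FEATURES must also be TRUE"))

    name = "GT_PL_STUN_NUM_PACKETS_AFTER_EACH_SKIP_FOR_GMAIL_GTALK"
    n = _num(cfg[name])
    if n is None or n <= 0:
        findings.append((name, "must be greater than 0, otherwise TCP traffic "
                               "of Gmail video and VoIP is not classified"))

    name = "GT_PL_STUN_TOTAL_PACKETS_SKIPPED_FOR_GMAIL_GTALK_TCP"
    n = _num(cfg[name])
    if n is None or n % 60 != 0:
        findings.append((name, "should be a multiple of 60"))

    name = "GT_PL_MAXIMAL_INSPECTED_HTTP_TRANSACTIONS_PER_FLOW_FOR_UPLAY"
    if cfg["GT_PL_UPLAY_DO_CLASSIFY"] == "TRUE" and cfg[name] != "2":
        findings.append((name, "must be 2 when GT_PL_UPLAY_DO_CLASSIFY is TRUE"))

    for name in sorted(REPLACED & explicit.keys()):
        findings.append((name, "PP #23 tunable, not supported in PP #24"))
    return findings


# Constructed sample inputs: a saved configuration and a pasted CLI session.
BAD_CONFIG = """interface LineCard 0
 tunable GT_PL_ALLOWIM_BLOCK_OTHERS value TRUE
 tunable GT_PL_STUN_TOTAL_PACKETS_SKIPPED_FOR_GMAIL_GTALK_TCP value 1000
 tunable GT_PL_STUN_NUM_PACKETS_AFTER_EACH_SKIP_FOR_GMAIL_GTALK value 0
 tunable GT_PL_UPLAY_DO_CLASSIFY value TRUE
 tunable GT_PL_STUN_TOTAL_PACKETS_SKIPPED value 500
"""
GOOD_SESSION = """SCE(config)#>interface LineCard 0
SCE(config if)#>tunable GT_PL_STUN_TOTAL_PACKETS_SKIPPED_FOR_GMAIL_GTALK_TCP value 1080
SCE(config if)#>tunable GT_PL_BLOCK_SKYPE_ALL_FEATURES value TRUE
SCE(config if)#>tunable GT_PL_ALLOWIM_BLOCK_OTHERS value TRUE
"""

if __name__ == "__main__":
    for tunable, finding in audit(BAD_CONFIG):
        print(f"{tunable}: {finding}")
```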

Google Services

  • For default block and allow Google Services, configure the following Google Zones through Cisco SCA BB:

64.18.0.0/20

64.233.160.0/19

66.102.0.0/20

66.249.0.0/20

72.14.192.0/15

74.125.0.0/16

173.194.0.0/16

207.126.144.0/20

209.83.126.0/17

216.219.32.0/19

  • To classify Google service such as Google maps and Google play, create zones using the URLs listed in the previous bullet point.
  • When the URLs listed in the previous bullet point are used in Cisco SCA BB, some of the Google Services are classified to Google Zone.

DroidVPN

To classify the DroidVPN TCP traffic, set the tunable GT_PL_DROIDVPN_DO_CLASSIFY to TRUE. By default, the value of this tunable is set to false.

To set the tunable, use the following CLI command sequence:

SCE#> configure
SCE(config)#> interface LineCard 0
SCE(config if)#> tunable GT_PL_DROIDVPN_DO_CLASSIFY value TRUE
SCE(config if)#> exit
SCE(config)#> exit
 

To keep the tunable set to TRUE across SCE reboot, use the following command:

SCE#> copy running-config-application startup-config-application

Methods of Blocking Applicable only to Protocol Pack #36

iFone Platinum

To block iFone Platinum traffic, both data and control signature should be used together.

Nymgo

To block Nymgo traffic, use rate-limiting at 3kbps.

Methods of Blocking Applicable only to Protocol Pack #37

Globo Video

Only free videos are supported.

GoogleMaps

To block Nymgo traffic, use rate-limiting at 2kbps.

WDR-Mediatheken

To block WDR-Mediatheken traffic, use rate-limiting at 2kbps.

Methods of Blocking (Protocol Pack #38)

OpenDrive

To block OpenDrive traffic, use rate-limiting at 3kbps.

Gmail Video

Block Google Talk Voice signature along with Gmail Video service.

Setting the Content Filtering Category Preference (Protocol Pack #39)

Configure the GT_HTTP_PREFER_CONTENT_FILTERING_CATEGORY tunable to set the preference to Content Filtering Category.

With the Content Filtering Enabled, when the incoming HTTP traffic matches both Content Filtering Category and HTTP Flavors configured in Cisco SCA BB, the GT_HTTP_PREFER_CONTENT_FILTERING_CATEGORY tunable is used to set the preference to Content Filtering Category.

The tunable is used when the value of the GT_CLS_ENABLE_CONTENT_FILTERING_PERFORMANCE_ENHANCEMENT tunable is FALSE or when none of the HTTP Flavors matches the incoming HTTP traffic.

Possible values are TRUE and FALSE.

When the value is set to TRUE, the Category is preferred. But, if no matching Category ID is found, then HTTP Flavor is considered for filtering.

If the value is set to FALSE, the HTTP Flavor configured in Cisco SCA BB is preferred. By default, the value is set to FALSE.

Methods of Blocking (Protocol Pack #42)

Ultrasurf

To block Ultrasurf traffic, use rate-limiting at 3kbps.