Table Of Contents
Configuring Application Protocol Inspection
Application Protocol Inspection Overview
Performing Application Protocol Inspection
Application Inspection Protocol Overview
HTTP Deep Packet Inspection
DNS Inspection
FTP Inspection
ICMP Inspection
RTSP Inspection
Application Protocol Inspection Configuration Quick Start Procedures
Configuring a Layer 7 HTTP Deep Inspection Policy
Creating a Layer 7 HTTP Deep Inspection Class Map
Creating an HTTP Deep Inspection Class Map
Adding a Layer 7 HTTP Deep Packet Inspection Class Map Description
Defining HTTP Content Match Criteria
Defining the Length of HTTP Content for Inspection
Defining an HTTP Header for Inspection
Defining the HTTP Maximum Header Length for Inspection
Defining a Header MIME Type Messages for Inspection
Defining an HTTP Traffic Restricted Category
Defining HTTP Request Methods and Extension Methods
Defining an HTTP Transfer Encoding Type
Defining an HTTP URL for Inspection
Defining an HTTP Maximum URL Length for Inspection
Configuring a Layer 7 HTTP Deep Packet Inspection Policy Map
Creating a Layer 7 HTTP Deep Packet Inspection Policy Map
Adding a Layer 7 HTTP Deep Packet Inspection Policy Map Description
Including Inline Match Statements in a Layer 7 HTTP Deep Packet Inspection Policy Map
Specifying a Layer 7 HTTP Inspection Traffic Class with the Traffic Policy
Specifying the Layer 7 HTTP Deep Packet Policy Actions
Configuring a Layer 7 FTP Command Inspection Policy
Creating an FTP Inspection Class Map
Adding a Layer 7 FTP Inspection Class Map Description
Defining FTP Match Request Methods
Configuring a Layer 7 FTP Command Inspection Policy Map
Creating a Layer 7 FTP Command Inspection Policy Map
Adding a Layer 7 FTP Inspection Policy Map Description
Including Inline Match Statements in a Layer 7 Command Inspection Policy Map
Specifying a Layer 7 FTP Command Inspection Traffic Class with the Traffic Policy
Specifying the Layer 7 FTP Command Inspection Policy Actions
Configuring a Layer 3 and Layer 4 Application Protocol Inspection Traffic Policy
Configuring a Layer 3 and Layer 4 Class Map
Adding a Layer 3 and Layer 4 Class Map Description
Defining Access-List Match Criteria
Defining TCP/UDP Port Number or Port Range Match Criteria
Configuring a Layer 3 and Layer 4 Policy Map
Creating a Layer 3 and Layer 4 Policy Map
Adding a Layer 3 and Layer 4 Policy Map Description
Specifying a Layer 3 and Layer 4 Traffic Class with the Traffic Policy
Defining Layer 3 and Layer 4 Application Protocol Inspection Policy Actions
Configuring an HTTP Parameter Map for Use in a Layer 3 and Layer 4 Policy Map
Disabling Case Sensitivity Matching
Setting the Maximum Number of Bytes to Parse in HTTP Headers
Setting the Maximum Number of Bytes to Parse in HTTP Content
Associating an HTTP Parameter Map with a Layer 3 and Layer 4 Policy Map
Applying a Service Policy
Viewing Application Protocol Inspection Statistics and Service Policy Information
Displaying HTTP Protocol Inspection Statistics
Displaying Service Policy Configuration Information
Configuring Application Protocol Inspection
This chapter describes how to configure application protocol inspection for the Cisco Application Control Engine (ACE) module. Application protocol inspection provides functionality for several protocols that carry Layer 3 and Layer 4 information in the application payload, require some form of deep packet inspection of the HTTP protocol, or require FTP request command filtering.
This chapter includes the following major sections:
•
Application Protocol Inspection Overview
•
Application Protocol Inspection Configuration Quick Start Procedures
•
Configuring a Layer 7 HTTP Deep Inspection Policy
•
Configuring a Layer 7 FTP Command Inspection Policy
•
Configuring a Layer 3 and Layer 4 Application Protocol Inspection Traffic Policy
•
Configuring an HTTP Parameter Map for Use in a Layer 3 and Layer 4 Policy Map
•
Applying a Service Policy
•
Viewing Application Protocol Inspection Statistics and Service Policy Information
Application Protocol Inspection Overview
Certain applications require special handling of the data portion of a packet as the packets pass through the ACE. Application protocol inspection helps to verify the protocol behavior and identify unwanted or malicious traffic passing through the ACE. Based on the specifications of the traffic policy, the ACE accepts or rejects the packets to ensure the secure use of applications and services.
This section includes the following topics on application protocol inspection:
•
Performing Application Protocol Inspection
•
Application Inspection Protocol Overview
Performing Application Protocol Inspection
You can configure the ACE to perform application protocol inspection, sometimes referred to as application protocol "fixup," for applications that:
•
Embed IP addressing information in the data packet, including the data payload.
•
Open secondary channels on dynamically assigned ports.
You may require that the ACE perform application inspection of HTTP, FTP, DNS, ICMP, and RTSP protocols as a first step before passing the packets to the destination server. For HTTP, the ACE performs deep packet inspection to statefully monitor the HTTP protocol and permits or denies traffic based on user-defined traffic policies. HTTP deep packet inspection focuses mainly on HTTP attributes such as the HTTP header, the URL, and the payload. For FTP, the ACE performs FTP command inspection for FTP sessions, allowing you to have the ACE restrict specific commands.
Application inspection helps you identify the location of embedded IP addressing information in the TCP or UDP flow. This inspection allows the ACE to translate embedded IP addresses and to update any checksum or other fields that are affected by the translation.
The need to translate IP addresses embedded in the payload of protocols is especially important for NAT (explicitly configured by the user) and server load-balancing (an implicit NAT).
Application inspection also monitors TCP or UDP sessions to determine the port numbers for secondary channels. Some protocols open secondary TCP or UDP ports to improve performance. The initial session on a well-known port is used to negotiate dynamically assigned port numbers. The application protocol inspection function monitors these sessions, identifies the dynamic port assignments, and permits data exchange on these ports for the duration of the session.
Table 3-1 describes the application inspection protocols supported by the ACE, the default TCP or UDP protocol and port, and whether the protocol is compatible with Network Address Translation (NAT) and Port Address Translation (PAT).
Table 3-1 Application Inspection Support
Application Protocol | Protocol | Port | NAT/PAT Support | Enabled by Default | Standards | Comments/Limitations
DNS | UDP | Src—Any, Dest—53 | NAT | No | RFC 1123 | Inspects DNS packets destined to port 53. You can specify the maximum length of the DNS packet to be inspected. See the "DNS Inspection" section for background information.
FTP | TCP | Src—Any, Dest—21 | Both | No | RFC 959 | Inspects FTP packets, translates the address and port embedded in the payload, and opens up the secondary channel for data. See the "FTP Inspection" section for background information.
FTP strict | TCP | Src—Any, Dest—21 | Both | No | RFC 959 | The inspect ftp strict command allows the ACE to track each FTP command and response sequence, and also prevents an FTP client from determining valid usernames that are supported on an FTP server. See the "FTP Inspection" section for background information.
HTTP | TCP | Src—Any, Dest—80 | Both | No | RFC 2616 | Inspects HTTP packets. See the "HTTP Deep Packet Inspection" section for background information.
ICMP | ICMP | Src—N/A, Dest—N/A | Both | No | — | See the "ICMP Inspection" section for background information.
ICMP error | ICMP | Src—N/A, Dest—N/A | NAT | No | — | The error keyword supports NAT of ICMP error messages. When you enable ICMP error inspection, the ACE creates translation sessions for intermediate hops that send ICMP error messages, based on the NAT configuration. The ACE overwrites the packet with the translated IP addresses. See the "ICMP Inspection" section for background information.
RTSP | TCP | Src—Any, Dest—554 | NAT | No | RFC 2326, RFC 2327, RFC 1889 | Inspects RTSP packets and translates the payload according to NAT rules. The ACE opens up the secondary channels for audio and video. Not all the RTSP methods (packet types) specified in the RFC are supported. See the "RTSP Inspection" section for background information.
You configure rules for application protocol inspection through the use of class maps, policy maps, and service policies. The following items summarize the role of each function in configuring application protocol inspection:
•
Layer 7 Class map—Provides the Layer 7 network traffic classification to identify HTTP deep protocol inspection attributes (such as HTTP header and URL) and FTP request commands.
•
Layer 7 Policy Map—Configures the applicable HTTP deep packet inspection or FTP request command actions executed on the network traffic that match the classifications defined in the Layer 7 class map.
•
Layer 3 and Layer 4 Class map—Classifies network traffic passing through the ACE for application inspection and matches traffic associated with the specified inspect commands in a policy map.
•
Layer 3 and Layer 4 Policy map—Enables HTTP, DNS, FTP, ICMP, and RTSP protocol inspection and FTP command inspection for a traffic classification that matches the criteria listed in the class map.
•
Service policy—Activates the policy map and attaches the traffic policy to a VLAN interface or globally on all VLAN interfaces.
The flow chart shown in Figure 3-1 provides a basic overview of the process required to configure class maps and policy maps to perform application protocol inspection. The flow chart also illustrates how the ACE associates the various components of the class map and policy map configuration with each other.
Figure 3-1 Application Protocol Inspection Configuration Flow Diagram
Application Inspection Protocol Overview
This section provides an overview on the following application inspection protocols supported by the ACE:
•
HTTP Deep Packet Inspection
•
DNS Inspection
•
FTP Inspection
•
ICMP Inspection
•
RTSP Inspection
HTTP Deep Packet Inspection
The ACE performs a stateful deep packet inspection of the HTTP protocol. Deep packet inspection is a special case of application inspection where the ACE examines the application payload of a packet or a traffic stream and makes decisions based on the content of the data. During HTTP deep inspection, the main focus of the application inspection process is on HTTP attributes such as HTTP header, URL, and to a limited extent, the payload. User-defined regular expressions can also be used to detect "signatures" in the payload.
You define policies to permit or deny the traffic, or to send a TCP reset message to the client or server to close the connection.
The security features covered by HTTP application inspection include:
•
RFC compliance monitoring and RFC method filtering
•
Content, URL, and HTTP header length checks
•
Transfer-encoding methods
•
Content type verification and filtering
•
Port 80 misuse
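The list above can be read as a set of predicates over a parsed request. The following Python block is an added example, not ACE code or any Cisco implementation: it parses an HTTP/1.x request, evaluates match criteria of the kinds a class-map type http inspect carries (payload signature, request method, URL length, header name and value, header length, transfer-encoding) under match-any or match-all, and applies the action of the first matching class. The class and function names, the sample requests, the treatment of an unparsable request as an RFC-compliance failure that gets a TCP reset, and the first-match policy evaluation are assumptions of this example, not documented ACE behavior.

```python
# Added example (not ACE code): HTTP deep-inspection match criteria evaluated
# against parsed requests. Names, samples and policy semantics are assumptions.
import re

RFC_METHODS = {"OPTIONS", "GET", "HEAD", "POST", "PUT", "DELETE", "TRACE", "CONNECT"}
OPS = {"eq": lambda a, b: a == b, "gt": lambda a, b: a > b, "lt": lambda a, b: a < b}


class HttpRequest:
    """Parse one HTTP/1.x request; a request that does not parse is treated
    as an RFC-compliance failure by the policy below."""

    def __init__(self, raw):
        head, sep, self.body = raw.partition(b"\r\n\r\n")
        if not sep:
            raise ValueError("headers not terminated")
        lines = head.decode("latin-1").split("\r\n")
        parts = lines[0].split(" ")
        if len(parts) != 3 or not parts[2].startswith("HTTP/"):
            raise ValueError("malformed request line")
        self.method, self.url, self.version = parts
        self.headers = []
        for line in lines[1:]:
            name, colon, value = line.partition(":")
            if not colon or not name or name != name.strip():
                raise ValueError("malformed header line")
            self.headers.append((name.lower(), value.strip()))
        self.header_bytes = len(head) - len(lines[0])   # size of the header block (assumption)

    def header(self, name):
        return [v for n, v in self.headers if n == name.lower()]


# Each factory models one "match" line of a class-map type http inspect.
def match_request_method(rfc=(), ext=()):
    bad = [m for m in rfc if m.upper() not in RFC_METHODS]
    if bad:
        raise ValueError("not RFC 2616 methods: %s" % bad)
    allowed = {m.upper() for m in rfc} | {m.upper() for m in ext}
    return lambda r: r.method.upper() in allowed

def match_url_length(op, n):
    return lambda r: OPS[op](len(r.url), n)

def match_header(name, value_regex):
    rx = re.compile(value_regex)
    return lambda r: any(rx.search(v) for v in r.header(name))

def match_header_length(op, n):
    return lambda r: OPS[op](r.header_bytes, n)

def match_transfer_encoding(kind):
    return lambda r: any(kind.lower() in v.lower() for v in r.header("transfer-encoding"))

def match_content(regex, parse_length=4096):
    rx = re.compile(regex.encode("latin-1"))     # only parse_length bytes of body are examined
    return lambda r: rx.search(r.body[:parse_length]) is not None


class ClassMap:
    def __init__(self, mode, *criteria):
        self.combine = any if mode == "match-any" else all   # match-all is the default
        self.criteria = criteria

    def matches(self, req):
        return self.combine(c(req) for c in self.criteria)


class InspectPolicy:
    """Ordered (class map, action) pairs; the first class that matches decides.
    Simplification: the ACE's all-match/first-match modes are not modelled."""

    def __init__(self, rules, default="permit"):
        self.rules, self.default = rules, default

    def decide(self, raw):
        try:
            req = HttpRequest(raw)
        except ValueError as exc:
            return "reset: " + str(exc)   # assumption: non-compliant requests get a TCP reset
        for cmap, action in self.rules:
            if cmap.matches(req):
                return action
        return self.default


def demo():
    """Constructed requests run through a block-then-allow policy."""
    block = ClassMap("match-any",
                     match_content(r".*newp2psig"),          # payload signature from the quick start
                     match_request_method(rfc=("trace", "connect")),
                     match_url_length("gt", 2048),
                     match_transfer_encoding("chunked"))
    allow = ClassMap("match-all",
                     match_request_method(rfc=("get", "head", "post"), ext=("index",)),
                     match_header("host", r"\.mycompanyexample\.com$"),
                     match_header_length("lt", 8192))
    policy = InspectPolicy([(block, "reset"), (allow, "permit")], default="deny")
    host = b"Host: www.mycompanyexample.com\r\n"
    samples = {   # constructed requests
        "good": b"GET /index.html HTTP/1.1\r\n" + host + b"\r\n",
        "p2p": b"POST /upload HTTP/1.1\r\n" + host + b"Content-Length: 17\r\n\r\nabcdef newp2psig!",
        "trace": b"TRACE / HTTP/1.1\r\n" + host + b"\r\n",
        "chunked": b"POST /x HTTP/1.1\r\n" + host + b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\n",
        "wrong_host": b"GET / HTTP/1.1\r\nHost: evil.example\r\n\r\n",
        "long_url": b"GET /" + b"a" * 3000 + b" HTTP/1.1\r\n" + host + b"\r\n",
        "malformed": b"GET /\r\n" + host + b"\r\n",
    }
    return {name: policy.decide(raw) for name, raw in samples.items()}
```

The order of the rules matters: the blocking class is evaluated first so that a request carrying the payload signature is reset even when its method and Host header would otherwise be permitted, which is the same reason the quick start pairs a match-any class of bad attributes with a deny or reset action before the default class.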
DNS Inspection
Domain Name System (DNS) inspection performs the following tasks:
•
Monitors the message exchange to ensure that the ID of the DNS response matches the ID of the DNS query.
•
Allows one DNS response for each DNS query in a UDP connection. The ACE removes the DNS session associated with the DNS query as soon as the DNS reply is forwarded.
•
Translates the DNS A-record based on the NAT configuration. Only forward lookups are NATed; the ACE does not handle PTR records.
Note
The DNS rewrite function is not applicable for PAT because multiple PAT rules are applicable for each A-record. The use of multiple PAT rules makes it difficult for the ACE to properly choose the correct PAT rule.
•
Performs a maximum DNS packet length check to verify that the maximum length of a DNS reply is no greater than the value specified in the inspect dns command.
Note
If you enter the inspect dns command without specifying the maximum-length option, the ACE does not check the DNS packet size.
•
Performs a number of security checks, including:
–
Verification that the maximum label length is no greater than 63 bytes
–
Verification that the maximum domain name length is no greater than 255 bytes
–
Check for the existence of compression loops
A single connection is created for multiple DNS sessions, as long as the DNS sessions are between the same two hosts and have the same 5-tuple (source and destination IP address, source and destination port, and protocol). DNS identification is tracked by app_id, and the idle timer for each app_id runs independently.
Because each app_id expires independently, a legitimate DNS response can only pass through the ACE within a limited period of time and there is no resource build-up. However, if you enter the show conn command, you will see the idle timer of a DNS connection being reset by a new DNS session. This reset is due to the nature of the shared DNS connection and is intended by design.
FTP Inspection
File Transfer Protocol (FTP) inspection inspects FTP sessions for address translation in a message, dynamic opening of ports, and stateful tracking of request and response messages. Each specified FTP command must be acknowledged before the ACE allows a new command. Command filtering allows you to have the ACE restrict specific commands. When the ACE denies a command, it closes the connection.
The FTP command inspection process, as performed by the ACE:
•
Prepares a dynamic secondary data connection. The channels are allocated in response to a file upload, a file download, or a directory listing event and must be pre-negotiated. The port is negotiated through the PORT or PASV commands.
•
Tracks the FTP command-response sequence. If you specify the strict keyword with the inspect ftp command in a Layer 3 and Layer 4 policy map, the ACE tracks each FTP command and response sequence for the anomalous activity outlined below. The strict keyword is used in conjunction with a Layer 7 FTP policy map (nested within the Layer 3 and Layer 4 policy map) to deny certain FTP commands or to mask the server reply to the SYST command.
Note
The use of the strict option may affect FTP clients that do not comply with the RFC standards.
–
Truncated command—Checks the number of commas in the PORT and PASV reply command against a fixed value of five. If the value is not five, the ACE assumes that the PORT command is truncated and issues a warning message and closes the TCP connection.
–
Incorrect command—Checks the FTP command to verify if it ends with <CR><LF> characters, as required by RFC 959. If the FTP command does not end with those characters, the ACE closes the connection.
–
Size of RETR and STOR commands—Checks the size of the RETR and STOR commands against a fixed constant of 256. If the size is greater, the ACE logs an error message and closes the connection.
–
Command spoofing—Verifies that the PORT command is always sent from the client. If a PORT command is sent from the server, the ACE denies the TCP connection.
–
Reply spoofing—Verifies that the PASV reply command (227) is always sent from the server. If a PASV reply command is sent from the client, the ACE denies the TCP connection. This denial prevents a security hole when the user executes "227 xxxxx a1, a2, a3, a4, p1, p2."
–
Invalid port negotiation—Checks the negotiated dynamic port value to verify that it is greater than 1024 (port numbers in the range from 2 to 1024 are reserved for well-known connections). If the negotiated port falls in this range, the ACE closes the TCP connection.
–
Command pipelining—Checks the number of characters present after the port numbers in the PORT and PASV reply command against a constant value of 8. If the number of characters is greater than 8, the ACE closes the TCP connection.
•
Translates embedded IP addresses in conjunction with NAT. FTP command inspection translates the IP address within the application payload. Refer to RFC 959 for background details.
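The strict checks listed above, together with the command acknowledgement rule and the Layer 7 deny action, can be written out as a small state machine over the control channel. The following Python block is an added example, not ACE code: each check raises where the ACE would close the connection, and the negotiated (address, port) pairs are collected as the pinholes the ACE would open. The sample lines are constructed; the deny list uses the wire verb MKD, which is what the quick start's match request-method mkdir keyword refers to in RFC 959 terms.

```python
# Added example (not ACE code): the "inspect ftp strict" checks above plus a
# Layer 7 deny list, applied to constructed control-channel lines.
import re

MAX_RETR_STOR_LEN = 256    # fixed constant used by the ACE size check
MAX_TRAILING = 8           # fixed constant used by the pipelining check
EXPECTED_COMMAS = 5        # h1,h2,h3,h4,p1,p2 carries exactly five commas
LOWEST_DATA_PORT = 1025    # negotiated port must be greater than 1024
HOST_PORT_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_host_port(text, what):
    """Validate h1,h2,h3,h4,p1,p2 in a PORT argument or 227 reply; return (ip, port)."""
    if text.count(",") != EXPECTED_COMMAS:
        raise ValueError("truncated %s" % what)
    m = HOST_PORT_RE.search(text)
    if m is None:
        raise ValueError("malformed %s" % what)
    if len(text) - m.end() > MAX_TRAILING:
        raise ValueError("command pipelining after %s" % what)
    octets = [int(x) for x in m.groups()]
    port = octets[4] * 256 + octets[5]
    if port < LOWEST_DATA_PORT:
        raise ValueError("invalid port negotiation: %d is not above 1024" % port)
    return ".".join(str(o) for o in octets[:4]), port


class StrictFtpSession:
    """One control connection: a command must be answered before the next is
    accepted, and every check raises where the ACE would close the connection."""

    def __init__(self, denied_verbs=()):
        self.denied = {v.upper() for v in denied_verbs}  # from the Layer 7 class map
        self.outstanding = None                          # command awaiting its reply
        self.pinholes = []                               # (ip, port) data channels opened

    @staticmethod
    def _body(line):
        if not line.endswith("\r\n"):
            raise ValueError("incorrect command: not terminated by CRLF")
        return line[:-2]

    def from_client(self, line):
        body = self._body(line)
        verb, _, arg = body.partition(" ")
        verb = verb.upper()
        if verb[:3].isdigit():
            raise ValueError("reply spoofing: numeric reply sent by client")
        if self.outstanding is not None:
            raise ValueError("%s sent while %s is unacknowledged" % (verb, self.outstanding))
        if verb in self.denied:
            raise ValueError("%s denied by Layer 7 policy" % verb)
        if verb in ("RETR", "STOR") and len(body) > MAX_RETR_STOR_LEN:
            raise ValueError("%s command exceeds %d bytes" % (verb, MAX_RETR_STOR_LEN))
        if verb == "PORT":
            self.pinholes.append(parse_host_port(arg, "PORT command"))
        self.outstanding = verb
        return verb

    def from_server(self, line):
        body = self._body(line)
        if body.upper().startswith("PORT "):
            raise ValueError("command spoofing: PORT sent by server")
        code = body[:3]
        if not code.isdigit():
            raise ValueError("malformed reply")
        if code == "227":
            self.pinholes.append(parse_host_port(body, "PASV reply"))
        if code[0] != "1" and body[3:4] != "-":   # 1yz and "xyz-" lines keep the command open
            self.outstanding = None
        return code


def demo():
    """A clean session, then one fresh session per bad line; returns verdicts."""
    ok = StrictFtpSession(denied_verbs=("MKD",))        # mirrors match request-method mkdir / deny
    for side, line in [("S", "220 ftp.example.test ready\r\n"), ("C", "USER anonymous\r\n"),
                       ("S", "331 Password required\r\n"), ("C", "PASS guest@\r\n"),
                       ("S", "230 Login successful\r\n"), ("C", "PASV\r\n"),
                       ("S", "227 Entering Passive Mode (192,0,2,10,195,80)\r\n"),
                       ("C", "RETR report.pdf\r\n"), ("S", "150 Opening data connection\r\n"),
                       ("S", "226 Transfer complete\r\n")]:
        (ok.from_client if side == "C" else ok.from_server)(line)
    out = {"pinholes": ok.pinholes}
    bad = {"no_crlf": ("C", "NOOP\n"),
           "truncated_port": ("C", "PORT 192,0,2,10,195\r\n"),
           "low_port": ("C", "PORT 192,0,2,10,0,21\r\n"),
           "pipelined": ("S", "227 Entering Passive Mode (192,0,2,10,195,80) RETR file.bin\r\n"),
           "server_port": ("S", "PORT 192,0,2,10,195,80\r\n"),
           "client_227": ("C", "227 Entering Passive Mode (192,0,2,10,195,80)\r\n"),
           "long_retr": ("C", "RETR " + "a" * 300 + "\r\n"),
           "mkdir": ("C", "MKD uploads\r\n"),
           "unacked": ("C", "RETR x\r\n")}
    for label, (side, line) in bad.items():
        s = StrictFtpSession(denied_verbs=("MKD",))
        if label == "unacked":
            s.from_client("PASV\r\n")                   # leave PASV waiting for its reply
        try:
            (s.from_client if side == "C" else s.from_server)(line)
            out[label] = "permit"
        except ValueError as exc:
            out[label] = str(exc)
    return out
```

Note that the direction of each line is an input to the checks: the same bytes "PORT 192,0,2,10,195,80" are a valid command from the client and a spoofing attempt from the server, and a 227 reply is only meaningful from the server. An inspector that parses the control channel without tracking direction cannot enforce either rule.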
ICMP Inspection
Internet Control Message Protocol (ICMP) inspection allows ICMP traffic to have a "session" so it can be inspected similarly to TCP and UDP traffic. Without using ICMP inspection, we recommend that you do not allow ICMP traffic to pass through the ACE in an ACL. Without performing stateful inspection, ICMP can be used to attack your network. ICMP inspection ensures that there is only one response for each request, and that the sequence number is correct.
For stateful ICMP, state information, as maintained for TCP or UDP flows, is maintained for ICMP instead of performing only the ACL and NAT functions. The maintenance of ICMP state information is required to resolve the following problems:
•
ICMP reply messages without request messages
•
Unsolicited ICMP error message
•
Unknown ICMP types
ICMP error messages are generated by intermediate nodes situated on the network path to a destination whenever a packet sent to that destination cannot be forwarded. ICMP error messages may also be generated by endpoint nodes, as in the case of port unreachable errors. These error messages carry the original packet for which the error is generated in the data part of the message. They also contain the addresses of the intermediate node or endpoint node in the outer header and destination in the inner header. ICMP error fixup handles address translation of node address and destination address to global addresses using NAT configuration.
ICMP error fixup is user-configurable, and if not enabled, intermediate node or endpoint node addresses are translated in the same way as the destination address of the embedded packet. As a result, error messages appear as if originating from the destination and the node addresses or the route to destination is not revealed.
ICMP inspection performs the following tasks for ICMP request or reply messages:
•
Creates a bidirectional session or connection record. The lookup key in the forward direction is the source IP address, destination IP address, protocol, ICMP type, ICMP identifier, and VLAN.
•
Maintains in the connection record a sequence number window listing the outstanding requests for which replies are pending.
•
Gives the connection record a timeout, so that an inactive connection record can be reused for other flows and the inside network is protected against fraudulent ICMP reply packets.
•
Allows reply packets only if a valid connection record exists and prevents the reply packets from passing through an ACL again if the connection record (or the state information) exists.
•
Creates a connection record for the transit ICMP request or reply packets, and also for those packets addressed to or from the ACE.
ICMP error message inspection performs the following tasks:
•
Extracts the embedded IP header in the ICMP error message and checks for the presence of a connection record corresponding to the embedded packet for which the error message has been generated.
•
Applies the ACL to the ICMP error message regardless of whether a session exists for the embedded packet. The ICMP error message itself is stateless and requires access control.
•
Allocates NAT translation entries (xlate) for intermediate nodes or endpoint nodes to perform NAT of a local IP address to a global IP address in any ICMP error message.
•
Updates the checksum in the outer and inner headers.
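The two lists above describe a connection table and the lookups made against it. The following Python block is an added example, not ACE code: it keys records on (source, destination, protocol, ICMP type, identifier, VLAN) as described, keeps the window of outstanding sequence numbers and an idle timeout, admits echo replies only against an existing record, and for ICMP error messages parses the embedded IPv4 and ICMP headers to find the record of the original request while always applying the ACL. The timeout value, the ACL stub, the address and VLAN values and the packet builder are assumptions constructed for this example; NAT of the embedded addresses is not modelled.

```python
# Added example (not ACE code): stateful tracking of ICMP echo and error
# messages as described above. Keys, timeout, ACL stub and samples are
# assumptions of this example.
import struct

ICMP_PROTO = 1
DEST_UNREACH, ECHO_REQUEST, TIME_EXCEEDED = 3, 8, 11
ERROR_TYPES = {DEST_UNREACH, 4, 5, TIME_EXCEEDED, 12}   # unreachable, quench, redirect, exceeded, param


class IcmpInspector:
    """Connection records keyed as the ACE describes (src, dst, protocol,
    type, identifier, VLAN), each with a window of outstanding sequence
    numbers and an idle timeout. The clock is passed in so it is testable."""

    def __init__(self, idle_timeout=2.0, acl=lambda src, dst: True):
        self.idle_timeout = idle_timeout
        self.acl = acl                  # stands in for the interface ACL
        self.conns = {}                 # key -> {"pending": set(), "last": float}

    @staticmethod
    def _key(src, dst, ident, vlan):
        return (src, dst, ICMP_PROTO, ECHO_REQUEST, ident, vlan)

    def _lookup(self, key, now):
        rec = self.conns.get(key)
        if rec is not None and now - rec["last"] > self.idle_timeout:
            del self.conns[key]         # expired record is released for reuse
            rec = None
        return rec

    def echo_request(self, src, dst, ident, seq, vlan, now):
        if not self.acl(src, dst):
            return "deny: acl"
        key = self._key(src, dst, ident, vlan)
        rec = self._lookup(key, now) or self.conns.setdefault(key, {"pending": set(), "last": now})
        rec["pending"].add(seq)
        rec["last"] = now
        return "permit"

    def echo_reply(self, src, dst, ident, seq, vlan, now):
        # Matched against the record built in the forward direction, so the
        # reply is never evaluated against the ACL again.
        rec = self._lookup(self._key(dst, src, ident, vlan), now)
        if rec is None:
            return "deny: no connection record"
        if seq not in rec["pending"]:
            return "deny: unsolicited or duplicate sequence number"
        rec["pending"].discard(seq)
        rec["last"] = now
        return "permit"

    def icmp_error(self, src, dst, icmp_type, payload, vlan, now):
        """payload is the embedded IPv4 header plus 8 bytes of the original datagram."""
        if icmp_type not in ERROR_TYPES:
            return "deny: unknown ICMP type"
        if not self.acl(src, dst):      # error messages are stateless: always ACL-checked
            return "deny: acl"
        if len(payload) < 20:
            return "deny: truncated embedded packet"
        ihl = (payload[0] & 0x0F) * 4
        if payload[9] != ICMP_PROTO or len(payload) < ihl + 8:
            return "deny: embedded packet is not an inspected ICMP flow"
        inner_src = ".".join(str(b) for b in payload[12:16])
        inner_dst = ".".join(str(b) for b in payload[16:20])
        inner_type, _, _, ident, seq = struct.unpack("!BBHHH", payload[ihl:ihl + 8])
        rec = self._lookup(self._key(inner_src, inner_dst, ident, vlan), now)
        if inner_type != ECHO_REQUEST or rec is None or seq not in rec["pending"]:
            return "deny: no connection record for embedded packet"
        return "permit"


def build_embedded(src, dst, ident, seq):
    """Constructed IPv4 header + ICMP echo header as carried inside an ICMP error."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, ICMP_PROTO, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    return ip + struct.pack("!BBHHH", ECHO_REQUEST, 0, 0, ident, seq)


def demo():
    """Returns the verdict for each constructed message."""
    insp = IcmpInspector(idle_timeout=2.0)
    inside, outside, hop, vlan = "10.1.1.5", "203.0.113.9", "198.51.100.1", 50
    out = {}
    out["request"] = insp.echo_request(inside, outside, 0x4242, 1, vlan, now=0.0)
    out["reply"] = insp.echo_reply(outside, inside, 0x4242, 1, vlan, now=0.1)
    out["dup_reply"] = insp.echo_reply(outside, inside, 0x4242, 1, vlan, now=0.2)
    out["unsolicited"] = insp.echo_reply(outside, inside, 0x1111, 1, vlan, now=0.2)
    insp.echo_request(inside, outside, 0x4242, 2, vlan, now=0.3)
    out["error_ok"] = insp.icmp_error(hop, inside, TIME_EXCEEDED,
                                      build_embedded(inside, outside, 0x4242, 2), vlan, now=0.4)
    out["error_forged"] = insp.icmp_error(hop, inside, DEST_UNREACH,
                                          build_embedded(inside, outside, 0x4242, 99), vlan, now=0.4)
    out["error_unknown"] = insp.icmp_error(hop, inside, 42, b"", vlan, now=0.4)
    out["late_reply"] = insp.echo_reply(outside, inside, 0x4242, 2, vlan, now=5.0)  # idle timeout passed
    return out
```

The error path is the interesting one: the outer source of a time-exceeded message is an intermediate hop that has no record of its own, so the lookup is done on the embedded request. A forged error that quotes a sequence number never sent is dropped even though its outer addresses pass the ACL.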
RTSP Inspection
Real Time Streaming Protocol (RTSP) is used by RealAudio, RealNetworks, Apple QuickTime 4, RealPlayer, and Cisco IP/TV connections. RTSP applications use the well-known port 554 with TCP and UDP as the control channel. The ACE only supports TCP, in conformity with RFC 2326.
The TCP control channel negotiates the data channels used to transmit audio and video traffic, depending on the transport mode that is configured on the client. The supported data transport modes are: rtp/avp, rtp/avp/udp, x-real-rdt, x-real-rdt/udp, and x-pn-tng/udp. Data transport types rtp/avp/tcp and x-real-rdt/tcp use the control channel to stream data. RTSP inspection is not required in this case to open a pinhole for the data channel.
The ACE parses SETUP response messages with a status code of 200.
Because RFC 2326 does not require that the client and server ports be contained in the SETUP response message, the ACE must keep track of state and remember the client ports in the SETUP message. QuickTime places the client ports in the SETUP message; the server responds with only the server ports.
During RTSP inspection, the ACE does not:
•
Inspect RTSP messages passing through UDP ports.
•
Support RealNetworks multicast mode (x-real-rdt/mcast).
•
Support the ability to recognize HTTP cloaking where RTSP messages are hidden in HTTP messages.
•
Perform NAT on RTSP messages because the embedded IP addresses are contained in the Session Description Protocol (SDP) files as part of HTTP or RTSP messages.
The following additional restrictions apply to RTSP inspection as performed by the ACE:
•
With Cisco IP/TV, the number of translations the ACE performs on the SDP part of the message is proportional to the number of program listings in the Content Manager (each program listing can have at least six embedded IP addresses).
•
When using RealPlayer, you must properly configure transport mode. For the ACE, add an ACL classification from the server to the client. For RealPlayer, change the transport mode by clicking Tools>Preferences>Connection>Network Transport>RTSP Settings.
–
If you use TCP mode on the RealPlayer, check the Attempt to use TCP for all content check box. It is not necessary to configure RTSP application inspection on the ACE.
–
If you use UDP mode on the RealPlayer, check the Attempt to use UDP for all content check box. Configure RTSP application inspection on the ACE.
Application Protocol Inspection Configuration Quick Start Procedures
The following tables provide a quick overview of the steps required to configure application protocol inspection on the ACE. This section includes the following quick start tables:
•
See Table 3-2 for a quick overview on configuring Layer 7 HTTP protocol deep inspection.
•
See Table 3-3 for a quick overview on configuring Layer 7 FTP request command inspection.
•
See Table 3-4 for a quick overview on configuring Layer 3 and Layer 4 DNS, FTP, HTTP, ICMP, and RTSP application protocol inspection.
Table 3-2 Layer 7 HTTP Protocol Deep Inspection Quick Start
Task and Command Example
|
1. If you are operating in multiple contexts, observe the CLI prompt to verify that you are operating in the desired context. If necessary, log directly in to, or change to, the correct context.
The rest of the examples in this table use the Admin context for illustration purposes, unless otherwise specified. For details on creating contexts, refer to the Cisco Application Control Engine Module Virtualization Configuration Guide.
|
2. Enter configuration mode.
host1/Admin# config
Enter configuration commands, one per line. End with CNTL/Z
host1/Admin(config)#
|
3. Create a Layer 7 class map that is used for the deep packet inspection of HTTP traffic. If you do not specify match-all or match-any, traffic must match all the match criteria to be classified as part of the traffic class.
The CLI displays the class map HTTP application protocol inspection configuration mode.
host1/Admin(config)# class-map type http inspect match-any HTTP_INSPECT_L7CLASS
host1/Admin(config-cmap-http-insp)#
Include one or more of the match commands listed in steps 4 through 13 as part of the Layer 7 HTTP deep packet inspection class map.
|
4. (Optional) Use the match content command to configure the class map to define HTTP application inspection decisions based on content expressions contained within the HTTP content.
host1/Admin(config-cmap-http-insp)# match content .*newp2psig
|
5. (Optional) Use the match content length command to configure the class map to define application inspection decisions in the HTTP content up to the configured maximum content parse length.
host1/Admin(config-cmap-http-insp)# match content length eq 1000
|
6. (Optional) Use the match header command to configure the class map to define application inspection decisions based on the name and value in an HTTP header.
host1/Admin(config-cmap-http-insp)# match header Host header-value .mycompanyexample.com
|
7. (Optional) Use the match header length command to limit the HTTP traffic allowed through the ACE based on the length of the HTTP header in a request or response message.
host1/Admin(config-cmap-http-insp)# match header length request eq 256
|
8. (Optional) Use the match header mime-type command to specify a subset of the Multipurpose Internet Mail Extension (MIME)-type messages to be permitted or denied by the ACE.
host1/Admin(config-cmap-http-insp)# match header mime-type audio/midi
host1/Admin(config-cmap-http-insp)# match header mime-type audio/mpeg
|
9. (Optional) Use the match port-misuse command to configure the class map to define application inspection compliance decisions that restrict certain HTTP traffic from passing through the ACE.
host1/Admin(config-cmap-http-insp)# match port-misuse p2p
|
10. (Optional) Use the match request-method command to configure the class map to define application inspection compliance decisions based on the request methods defined in RFC 2616 and by HTTP extension methods.
host1/Admin(config-cmap-http-insp)# match request-method rfc connect
host1/Admin(config-cmap-http-insp)# match request-method rfc get
host1/Admin(config-cmap-http-insp)# match request-method rfc head
host1/Admin(config-cmap-http-insp)# match request-method ext index
|
11. (Optional) Use the match transfer-encoding command to configure the class map to define application inspection decisions that limit the HTTP transfer-encoding types that can pass through the ACE.
host1/Admin(config-cmap-http-insp)# match transfer-encoding chunked
|
12. (Optional) Use the match url command to configure the class map to define application inspection decisions based on URL name.
host1/Admin(config-cmap-http-insp)# match url .*.gif
host1/Admin(config-cmap-http-insp)# match url .*.html
|
13. (Optional) Use the match url length command to limit the HTTP traffic allowed through the ACE by specifying the maximum length of a URL in a request message that can be received by the ACE.
host1/Admin(config-cmap-http-insp)# match url length eq 10000
|
14. Create and configure a Layer 7 policy map that enables the deep packet inspection of the HTTP protocol. Specify the actions you want to apply to the Layer 7 user-defined class map and, if appropriate, to the default class map.
host1/Admin(config)# policy-map type inspect http all-match HTTP_INSPECT_L7POLICY
host1/Admin(config-pmap-ins-http)# class HTTP_INSPECT_L7CLASS
host1/Admin(config-pmap-ins-http-c)# permit
host1/Admin(config-pmap-ins-http-c)# exit
host1/Admin(config-pmap-ins-http)# exit
|
15. Create a Layer 3 and Layer 4 class map to classify network traffic passing through the ACE for HTTP deep packet inspection. If you do not specify match-all or match-any, traffic must match all the match criteria to be classified as part of the traffic class.
The CLI displays the class map configuration mode.
host1/Admin(config)# class-map match-all HTTP_INSPECT_L4CLASS
host1/Admin(config-cmap)#
Include one or more of the match commands as part of the Layer 3 and Layer 4 class map.
host1/Admin(config-cmap)# description HTTP protocol deep inspection of incoming traffic
host1/Admin(config-cmap)# match port tcp eq 80
host1/Admin(config-cmap)# exit
|
16. Create a Layer 3 and Layer 4 policy map and associate the Layer 7 HTTP deep packet inspection policy map to activate the operation. Specify the actions you want to apply to the Layer 3 and Layer 4 user-defined class map and, if appropriate, to the default class map.
host1/Admin(config)# policy-map multi-match HTTP_INSPECT_L4POLICY
host1/Admin(config-pmap)# class HTTP_INSPECT_L4CLASS
host1/Admin(config-pmap-c)# inspect http policy HTTP_INSPECT_L7POLICY
host1/Admin(config-pmap-c)# exit
host1/Admin(config-pmap)# exit
|
17. Attach the Layer 3 and Layer 4 traffic policy to a single VLAN interface or globally to all VLAN interfaces. For example, to specify a VLAN interface and apply the service policy to inbound traffic on that VLAN, enter:
host1/Admin(config)# interface vlan 50
host1/Admin(config-if)# ip address 172.16.1.100 255.255.255.0
host1/Admin(config-if)# service-policy input HTTP_INSPECT_L4POLICY
|
18. (Optional) If necessary, save your configuration changes to Flash memory.
host1/Admin(config)# exit
host1/Admin# copy running-config startup-config
|
Table 3-3 Layer 7 FTP Request Command Inspection Quick Start
Task and Command Example
|
1. If you are operating in multiple context mode, observe the CLI prompt to verify you are operating in the desired context. Change to the correct context if necessary.
For details on creating contexts, refer to the Cisco Application Control Engine Module Virtualization Configuration Guide.
|
2. Enter configuration mode.
host1/Admin# config
Enter configuration commands, one per line. End with CNTL/Z
host1/Admin(config)#
|
3. Create a Layer 7 class map that is used for the inspection of FTP request commands. If you do not specify match-all or match-any, traffic must match all the match criteria to be classified as part of the traffic class.
The CLI displays the class map FTP command inspection configuration mode.
host1/Admin(config)# class-map type ftp inspect match-any FTP_INSPECT_L7CLASS
host1/Admin(config-cmap-ftp-insp)#
|
4. Configure the Layer 7 class map to define FTP request command inspection decisions through the ACE. The match request-method command identifies the FTP commands that you want filtered by the ACE.
host1/Admin(config-cmap-ftp-insp)# match request-method mkdir
host1/Admin(config-cmap-ftp-insp)# exit
|
5. Create and configure a Layer 7 policy map that enables FTP command inspection. Specify the actions you want to apply to the Layer 7 user-defined class map and, if appropriate, to the default class map.
host1/Admin(config)# policy-map type inspect ftp first-match FTP_INSPECT_L7POLICY
host1/Admin(config-pmap-ftp-ins)# class FTP_INSPECT_L7CLASS
host1/Admin(config-pmap-ftp-ins-c)# deny
host1/Admin(config-pmap-ftp-ins-c)# exit
|
6. Create a Layer 3 and Layer 4 class map to classify network traffic passing through the ACE for FTP command inspection. If you do not specify match-all or match-any, traffic must match all the match criteria to be classified as part of the traffic class.
The CLI displays the class map configuration mode.
host1/Admin(config)# class-map match-all FTP_INSPECT_L4CLASS
host1/Admin(config-cmap)#
Include one or more of the match commands as part of the Layer 3 and Layer 4 class map.
host1/Admin(config-cmap)# description FTP command inspection of incoming traffic
host1/Admin(config-cmap)# match port tcp eq 21
host1/Admin(config-cmap)# exit
|
7. Create a Layer 3 and Layer 4 policy map and associate the Layer 7 FTP command inspection policy map to activate the operation. Specify the actions you want to apply to the Layer 3 and Layer 4 user-defined class map and, if appropriate, to the default class map.
host1/Admin(config)# policy-map multi-match FTP_INSPECT_L4POLICY
host1/Admin(config-pmap)# class FTP_INSPECT_L4CLASS
host1/Admin(config-pmap-c)# inspect ftp strict policy FTP_INSPECT_L7POLICY
host1/Admin(config-pmap-c)# exit
|
8. Attach the Layer 3 and Layer 4 traffic policy to a single VLAN interface or globally to all VLAN interfaces, and specify the direction in which the policy should be applied. For example, to specify a VLAN interface and apply the service policy to inbound traffic on that VLAN, enter:
host1/Admin(config)# interface vlan 50
host1/Admin(config-if)# ip address 172.16.1.100 255.255.255.0
host1/Admin(config-if)# service-policy input FTP_INSPECT_L4POLICY
|
9. (Optional) If necessary, save your configuration changes to Flash memory.
host1/Admin(config)# exit
host1/Admin# copy running-config startup-config
|
Table 3-4 Layer 3 and Layer 4 DNS, FTP, HTTP, ICMP, and RTSP Application Protocol Inspection Quick Start
Task and Command Example
|
1. If you are operating in multiple context mode, observe the CLI prompt to verify you are operating in the desired context. Change to the correct context if necessary.
For details on creating contexts, refer to the Cisco Application Control Engine Module Virtualization Configuration Guide.
|
2. Enter configuration mode.
host1/Admin# config
Enter configuration commands, one per line. End with CNTL/Z
|
3. Create a Layer 3 and Layer 4 class map to classify network traffic passing through the ACE for DNS, FTP, HTTP, ICMP, and RTSP application protocol inspection. If you do not specify match-all or match-any, traffic must match all the match criteria to be classified as part of the traffic class.
The CLI displays the class map configuration mode.
host1/Admin(config)# class-map match-all DNS_INSPECT_L4CLASS
host1/Admin(config-cmap)#
Include one or more of the match commands as part of the Layer 3 and Layer 4 class map.
host1/Admin(config-cmap)# description DNS application protocol
inspection of incoming traffic
host1/Admin(config-cmap)# match port udp eq domain
host1/Admin(config-cmap)# exit
|
4. Create a Layer 3 and Layer 4 policy map and include the appropriate inspect command (inspect dns, inspect ftp, inspect http, inspect icmp, or inspect rtsp). Specify the actions you want to apply to the Layer 3 and Layer 4 user-defined class map and, if appropriate, to the default class map.
For example, to specify the inspect dns command as an action for a DNS application protocol inspection policy map, enter:
host1/Admin(config)# policy-map multi-match DNS_INSPECT_L4POLICY
host1/Admin(config-pmap)# class DNS_INSPECT_L4CLASS
host1/Admin(config-pmap-c)# inspect dns maximum-length 1000
host1/Admin(config-pmap-c)# exit
host1/Admin(config-pmap)# exit
|
5. Attach the Layer 3 and Layer 4 traffic policy to a single VLAN interface or globally on all VLAN interfaces. For example, to specify a VLAN interface and apply multiple service policies to the VLAN, enter:
host1/Admin(config)# interface vlan 50
host1/Admin(config-if)# mtu 1500
host1/Admin(config-if)# ip address 192.168.1.100 255.255.0.0
host1/Admin(config-if)# service-policy input DNS_INSPECT_L4POLICY
|
6. (Optional) If necessary, save your configuration changes to Flash memory.
host1/Admin(config)# exit
host1/Admin# copy running-config startup-config
|
Configuring a Layer 7 HTTP Deep Inspection Policy
This section describes how to create a Layer 7 class map and policy map to be used for HTTP deep packet inspection by the ACE. The ACE performs a stateful deep packet inspection of the HTTP protocol and permits or restricts traffic based on the actions in your configured policy maps. The following security features are included as part of HTTP deep packet inspection as performed by the ACE:
•
Regular expression matching on the value of a named HTTP header, on the URL, or on content expressions in the HTTP entity body
•
Content, URL, and HTTP header length checks
•
MIME-type message inspection
•
Transfer-encoding methods
•
Content type verification and filtering
•
Port 80 misuse by tunneling protocols
•
RFC compliance monitoring and RFC method filtering
Note
You can associate a maximum of 1024 instances of the same type of regular expression (regex) with a Layer 4 policy map. This limit applies to all Layer 7 policy-map types, including generic, HTTP, RADIUS, RDP, RTSP, and SIP. You configure regexes in:
•
Match statements in Layer 7 class maps
•
Inline match statements in Layer 7 policy maps
•
Layer 7 hash predictors for server farms
•
Layer 7 sticky expressions in sticky groups
•
Header insertion and rewrite (including SSL URL rewrite) expressions in Layer 7 action lists
This section includes the following procedures:
•
Creating a Layer 7 HTTP Deep Inspection Class Map
•
Configuring a Layer 7 HTTP Deep Packet Inspection Policy Map
Creating a Layer 7 HTTP Deep Inspection Class Map
This section contains the following procedures:
•
Creating an HTTP Deep Inspection Class Map
•
Adding a Layer 7 HTTP Deep Packet Inspection Class Map Description
•
Defining HTTP Content Match Criteria
•
Defining the Length of HTTP Content for Inspection
•
Defining an HTTP Header for Inspection
•
Defining the HTTP Maximum Header Length for Inspection
•
Defining a Header MIME Type Messages for Inspection
•
Defining an HTTP Traffic Restricted Category
•
Defining HTTP Request Methods and Extension Methods
•
Defining an HTTP Transfer Encoding Type
•
Defining an HTTP URL for Inspection
•
Defining an HTTP Maximum URL Length for Inspection
Creating an HTTP Deep Inspection Class Map
To create a Layer 7 class map for deep packet inspection of HTTP traffic, use the class-map type http inspect command in configuration mode.
The syntax of this command is:
class-map type http inspect [match-all | match-any] map_name
The keywords, arguments, and options are:
•
match-all | match-any—(Optional) Determines how the ACE performs the deep packet inspection of HTTP traffic when multiple match criteria exist in a class map. The class map is considered a match if the match commands meet one of the following conditions:
–
match-all—(Default) Network traffic needs to satisfy all of the match criteria (implicit AND) to match the Layer 7 HTTP deep packet inspection class map. The match-all keyword is applicable only for match statements of different HTTP deep packet inspection types. For example, specifying a match-all condition for URL, HTTP header, and URL content statements in the same class map is valid. However, specifying a match-all condition for multiple HTTP headers with the same names or multiple URLs in the same class map is invalid.
–
match-any—Network traffic needs to satisfy only one of the match criteria (implicit OR) to match the Layer 7 HTTP deep packet inspection class map. The match-any keyword is applicable only for match statements of the same Layer 7 HTTP deep packet inspection type. For example, the ACE does not allow you to specify a match-any condition for URL, HTTP header, and URL content statements in the same class map but does allow you to specify a match-any condition for multiple URLs, multiple HTTP headers, or multiple URL content statements with different names in the same class map.
The default setting is to meet all of the match criteria (match-all) in a class map.
•
map_name—Specifies the name assigned to the class map. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
The CLI displays the class map HTTP application protocol inspection configuration mode. To classify the HTTP application inspection of traffic for evaluation by the ACE, include one or more of the commands to configure the match criteria for the Layer 7 class map:
•
match content—See "Defining HTTP Content Match Criteria"
•
match content length—See "Defining the Length of HTTP Content for Inspection"
•
match header—See "Defining an HTTP Header for Inspection"
•
match header length—See "Defining the HTTP Maximum Header Length for Inspection"
•
match header mime-type—See "Defining a Header MIME Type Messages for Inspection"
•
match port-misuse—See "Defining an HTTP Traffic Restricted Category"
•
match request-method—See "Defining HTTP Request Methods and Extension Methods"
•
match transfer-encoding—See "Defining an HTTP Transfer Encoding Type"
•
match url—See "Defining an HTTP URL for Inspection"
•
match url length—See "Defining an HTTP Maximum URL Length for Inspection"
Note that you may include multiple match commands in the class map.
For example, to specify HTTP_INSPECT_L7CLASS as the name of a class map and identify that at least one command in the Layer 7 HTTP application inspection class map must be satisfied for the ACE to indicate a match, enter:
host1/Admin(config)# class-map type http inspect match-any
HTTP_INSPECT_L7CLASS
host1/Admin(config-cmap-http-insp)# match header length request eq 200
host1/Admin(config-cmap-http-insp)# match header Host header-value
.*mycompanyexample.com
host1/Admin(config-cmap-http-insp)# match url length eq 10000
host1/Admin(config-cmap-http-insp)# match url .*.gif
To remove the HTTP application inspection class map from the ACE, enter:
host1/Admin(config)# no class-map type http inspect match-any
HTTP_INSPECT_L7CLASS
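The match-all and match-any rules, the per-type match commands listed above, and first-match evaluation of a Layer 7 policy map, modelled in Python as an added example. This is not ACE code and not from the guide. It assumes that the ACE matches a regular expression from the start of the string (which is why the examples in this chapter lead with .*), that match header length counts the request line plus the header lines, that match content length is the entity-body size, and that traffic matching no class falls to a permitting default class. The class map and policy names P2P_L7CLASS, GIF_CHUNKED_L7CLASS and HTTP_INSPECT_L7POLICY are illustrative, and the sample request is constructed.

```python
"""Model of ACE Layer 7 HTTP inspection class maps and policy maps.  Added example,
not ACE code.  Assumptions (also noted inline): a regex is matched from the start of
the string, hence the guide's leading ".*"; "header length" is the request line plus
header lines; "content length" is the body size; policy is first-match, default permit."""
import re
from dataclasses import dataclass

RFC_METHODS = {"connect", "delete", "get", "head", "options", "post", "put", "trace"}
EXT_METHODS = set("copy edit getattr getattrname getprops index lock mkdir move revadd "
                  "revlabel revlog revnum save setattr startrev stoprev unedit unlock".split())
_CMP = {"eq": lambda v, a, b: v == a, "gt": lambda v, a, b: v > a,
        "lt": lambda v, a, b: v < a, "range": lambda v, a, b: a <= v <= b}

@dataclass
class Request:
    method: str
    url: str
    headers: list       # [(name, value)] in wire order
    body: bytes
    header_len: int     # assumption: request line + header lines, without the blank line

    def header(self, name):
        return [v for n, v in self.headers if n.lower() == name.lower()]

def parse_request(raw: bytes) -> Request:
    """Split a raw HTTP/1.1 request into the fields the match commands inspect."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, url, _version = lines[0].split(" ", 2)
    headers = [(n.strip(), v.strip()) for n, _, v in (ln.partition(":") for ln in lines[1:])]
    return Request(method, url, headers, body, len(head))

def match_one(m: tuple, r: Request) -> bool:
    """Evaluate one match statement, given as a tuple of its CLI tokens."""
    kind = m[0]
    if kind == "header":                      # ("header", NAME, EXPR)
        return any(re.match(m[2], v) for v in r.header(m[1]))
    if kind.endswith("length"):               # ("header length", "request", OP, N[, N2])
        size = {"header length": r.header_len, "url length": len(r.url),   # ("url length", OP, N[, N2])
                "content length": len(r.body)}[kind]                       # ("content length", OP, N[, N2])
        op = m[2:] if kind == "header length" else m[1:]                   # skip the "request" token
        return _CMP[op[0]](size, op[1], op[-1])
    if kind == "header mime-type":            # ("header mime-type", TYPE); the CLI writes audio\mpeg
        norm = lambda s: s.replace("\\", "/").split(";")[0].strip().lower()
        return any(norm(v) == norm(m[1]) for v in r.header("Content-Type"))
    if kind == "url":                         # ("url", EXPR)
        return re.match(m[1], r.url) is not None
    if kind == "content":                     # ("content", EXPR[, OFFSET]); offset 1 = first body byte
        start = (m[2] if len(m) > 2 else 1) - 1
        return re.match(m[1].encode("latin-1"), r.body[start:], re.DOTALL) is not None
    if kind == "request-method":              # ("request-method", "rfc"|"ext", METHOD)
        known = RFC_METHODS if m[1] == "rfc" else EXT_METHODS
        return m[2] in known and r.method.lower() == m[2]
    if kind == "transfer-encoding":           # ("transfer-encoding", CODING)
        codings = [t.strip().lower() for v in r.header("Transfer-Encoding") for t in v.split(",")]
        return m[1] in codings
    raise ValueError("unknown match type: %r" % (kind,))

@dataclass
class ClassMap:
    name: str
    mode: str           # "match-all" (default) or "match-any"
    matches: list

    def validate(self) -> None:
        # The guide's restriction: match-all needs statements of different types (the
        # same header name may not repeat); match-any needs statements of one type.
        keys = [(m[0], m[1].lower()) if m[0] == "header" else (m[0],) for m in self.matches]
        if self.mode == "match-all" and len(set(keys)) != len(keys):
            raise ValueError("%s: match-all repeats a match type" % self.name)
        if self.mode == "match-any" and len({m[0] for m in self.matches}) > 1:
            raise ValueError("%s: match-any mixes match types" % self.name)

    def evaluate(self, r: Request) -> bool:
        results = [match_one(m, r) for m in self.matches]
        return all(results) if self.mode == "match-all" else any(results)

def policy_decide(policy: list, r: Request) -> str:
    """First-match policy map: [(ClassMap, action)] -> "permit" | "deny" | "reset"."""
    for cmap, action in policy:
        if cmap.evaluate(r):
            return action
    return "permit"     # assumption: no class hit means class-default, which permits

# Illustrative class maps in the shape of the guide's examples, joined in a first-match policy.
P2P_L7CLASS = ClassMap("P2P_L7CLASS", "match-any", [("content", ".*newp2psig", 1)])
GIF_CHUNKED_L7CLASS = ClassMap("GIF_CHUNKED_L7CLASS", "match-all", [
    ("header", "Host", r".*mycompanyexample\.com"), ("url", r".*\.gif"),
    ("transfer-encoding", "chunked")])
HTTP_INSPECT_L7POLICY = [(P2P_L7CLASS, "deny"), (GIF_CHUNKED_L7CLASS, "reset")]

# Constructed sample request, not a capture.
SAMPLE = (b"GET /images/logo.gif HTTP/1.1\r\nHost: www.mycompanyexample.com\r\n"
          b"User-Agent: probe/1.0\r\nTransfer-Encoding: chunked\r\n\r\n5\r\nhello\r\n0\r\n\r\n")

if __name__ == "__main__":
    print(policy_decide(HTTP_INSPECT_L7POLICY, parse_request(SAMPLE)))   # reset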
Adding a Layer 7 HTTP Deep Packet Inspection Class Map Description
Use the description command to provide a brief summary about the Layer 7 HTTP deep packet inspection class map.
Access the class map configuration mode to specify the description command.
The syntax of this command is:
description text
Use the text argument to enter an unquoted text string with a maximum of 240 alphanumeric characters.
To add a description that the class map is to perform HTTP deep packet inspection, enter:
host1/Admin(config-cmap-http-insp)# description HTTP protocol deep
inspection of incoming traffic
To remove the description from the class map, enter:
host1/Admin(config-cmap-http-insp)# no description
Defining HTTP Content Match Criteria
Use the match content command to configure the class map to define HTTP application inspection decisions based on content expressions contained within the HTTP entity-body.
Access the class map configuration mode to specify the match content command.
The syntax of this command is:
[line_number] match content expression [offset number]
The keywords, arguments, and options are:
•
line_number—(Optional) Assists you in editing or deleting individual match commands. Enter an integer from 2 to 1024 as the line number. You can enter no line_number to delete long match commands instead of entering the entire line. The line numbers do not dictate a priority or sequence for the match statements.
•
expression—Specifies the content expression contained within the HTTP entity-body. The range is from 1 to 255 alphanumeric characters. See Table 3-8 for a list of the supported characters that you can use in regular expressions.
•
offset number—Provides an absolute offset at which the search for the content expression starts. The offset starts at the first byte of the message body, after the empty line (CR,LF,CR,LF) between the headers and the body of the message. The offset value is from 1 to 4000 bytes.
For example, to create a class map that specifies a content expression contained within the entity-body sent with an HTTP request, enter:
host1/Admin(config)# class-map type http inspect match-any
HTTP_INSPECT_L7CLASS
host1/Admin(config-cmap-http-insp)# match content .*newp2psig
To clear content expression checking match criteria from the class map, enter:
host1/Admin(config-cmap-http-insp)# no match content .*newp2psig
Defining the Length of HTTP Content for Inspection
Use the match content length command to configure the class map to define application inspection decisions on HTTP traffic up to the configured maximum content parse length. Messages that meet the specified criteria will be either allowed or denied based on the Layer 7 HTTP deep packet inspection policy map action.
Access the class map configuration mode to specify the match content length command.
The syntax of this command is:
[line_number] match content length {eq bytes | gt bytes | lt bytes | range
bytes1 bytes2}
The keywords, arguments, and options are:
•
line_number—(Optional) Assists you in editing or deleting individual match commands. Enter an integer from 2 to 1024 as the line number. You can enter no line_number to delete long match commands instead of entering the entire line. The line numbers do not dictate a priority or sequence for the match statements.
•
eq bytes—Specifies a value for the content parse length in an HTTP message received by the ACE. Based on the policy map action, the ACE allows or denies messages with a content length equal to the specified value. Valid entries are from 1 to 65535 bytes.
•
gt bytes—Specifies a minimum value for the content parse length in an HTTP message received by the ACE. Based on the policy map action, the ACE allows or denies messages with a content length greater than the specified value. Valid entries are from 1 to 65535 bytes.
•
lt bytes—Specifies a maximum value for the content parse length in an HTTP message received by the ACE. Based on the policy map action, the ACE allows or denies messages with a content length size less than the specified value. Valid entries are from 1 to 65535 bytes.
•
range bytes1 bytes2—Specifies a size range for the content parse length in an HTTP message received by the ACE. Based on the policy map action, the ACE allows or denies messages with a content length within this range. The range is from 1 to 65535 bytes.
For example, to create a class map that identifies the content length in an HTTP message that can be received by the ACE, enter:
host1/Admin(config)# class-map type http inspect match-any
HTTP_INSPECT_L7CLASS
host1/Admin(config-cmap-http-insp)# match content length eq 3495
To clear the HTTP content length match criteria from the class map, enter:
host1/Admin(config-cmap-http-insp)# no match content length eq 3495
Defining an HTTP Header for Inspection
Use the match header command to configure the class map to define application inspection decisions based on the name and value in an HTTP header. The ACE performs regular expression matching against the received packet data from a particular connection based on the HTTP header expression.
Access the class map configuration mode to specify the match header command.
The syntax of this command is:
[line_number] match header {header_name | header_field} header-value
expression
The keywords, arguments, and options are:
•
line_number—(Optional) Assists you in editing or deleting individual match commands. Enter an integer from 2 to 1024 as the line number. You can enter no line_number to delete long match commands instead of entering the entire line. The line numbers do not dictate a priority or sequence for the match statements.
•
header_name—Specifies the name of the HTTP header to match (for example, Host). Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters. Alternatively, you can enter a text string with spaces provided that you enclose the entire string in quotation marks ("). For a list of predefined header fields, see Table 3-5.
Note
The header_name argument cannot include the colon in the name of the HTTP header; the ACE rejects the colon as an invalid token.
•
header_field—Specifies a standard HTTP/1.1 header field. Valid selections include request-header fields, general-header fields, and entity-header fields. Table 3-5 lists the supported HTTP/1.1 header fields.
Table 3-5 HTTP/1.1 Header Fields
Field Name
|
Description
|
Accept
|
A comma-separated list of media types (content type metainformation values), each with optional semicolon-separated parameters, that the client will accept in the response to the request.
|
Accept-Charset
|
Indicates which character sets are acceptable for the response. This field allows clients capable of understanding more comprehensive or special-purpose character sets to signal that capability to a server that can represent documents in those character sets.
|
Accept-Encoding
|
Restricts the content encoding that a user will accept from the server.
|
Accept-Language
|
The natural languages that the client prefers in the response. Each language tag is an ISO 639 language code with an optional ISO 3166 country code to specify a national variant (for example, en-US).
|
Authorization
|
Specifies that the user agent wants to authenticate itself with a server, usually after receiving a 401 response.
|
Cache-Control
|
Directives that must be obeyed by all caching mechanisms along the request/response chain. The directives specify behavior intended to prevent caches from adversely interfering with the request or response.
|
Connection
|
Allows the sender to specify connection options.
|
Content-MD5
|
An MD5 digest of the entity-body that provides an end-to-end integrity check. Only a client or an origin server can generate this header field.
|
Expect
|
Used by a client to inform the server about what behaviors the client requires.
|
From
|
Contains the e-mail address of the person that controls the requesting user agent.
|
Host
|
The Internet host and port number of the resource being requested, as obtained from the original URI given by the user or referring resource. The Host field value MUST represent the naming authority of the origin server or gateway given by the original URL.
|
If-Match
|
Used with a method to make it conditional. A client that has one or more entities previously obtained from the resource can verify that one of those entities is current by including a list of their associated entity tags in the If-Match header field. The purpose of this feature is to allow efficient updates of cached information with a minimum amount of transaction overhead. It is also used, on updating requests, to prevent inadvertent modification of the wrong version of a resource. As a special case, the value "*" matches any current entity of the resource.
|
Pragma
|
Pragma directives understood by servers to whom the directives are relevant. The syntax is the same as for other multiple-value fields in HTTP, for example, the accept field, a comma-separated list of entries, for which the optional parameters are separated by semicolons.
|
Referer
|
The address (URI) of the resource from which the URI in the request was obtained.
|
Transfer-Encoding
|
Indicates what (if any) type of transformation has been applied to the message body in order to safely transfer it between the sender and the recipient.
|
User-Agent
|
Information about the user agent, for example a software program originating the request. This information is for statistical purposes, the tracing of protocol violations, and automated recognition of user agents for the sake of tailoring responses to avoid particular user agent limitations.
|
Via
|
Used by gateways and proxies to indicate the intermediate protocols and recipients between the user agent and the server on requests, and between the origin server and the client on responses.
|
•
header-value expression—Specifies the header value expression string to compare against the value in the specified field in the HTTP header. The range is from 1 to 255 alphanumeric characters. There are predefined header fields, such as: Accept-Language, User-Agent, or Host. The ACE supports the use of regular expressions for matching. Expressions are stored in a header map in the form header-name: expression. Header expressions allow spaces, provided that the spaces are escaped or quoted. See Table 3-6 for a list of the supported characters that you can use in regular expressions.
Table 3-6 Special Characters for Matching String Expressions
Convention
|
Description
|
.
|
One of any character.
|
.*
|
Zero or more of any character.
|
\.
|
Period (escaped).
|
[charset]
|
Match any single character from the range.
|
[^charset]
|
Do not match any character in the range. All other characters represent themselves.
|
()
|
Expression grouping.
|
(expr1 | expr2)
|
OR of expressions.
|
(expr)*
|
0 or more of expression.
|
(expr)+
|
1 or more of expression.
|
expr{m,n}
|
Repeat the expression between m and n times, where m and n have a range of 1 to 255.
|
expr{m}
|
Match the expression exactly m times. The range for m is from 1 to 255.
|
expr{m,}
|
Match the expression m or more times. The range for m is from 1 to 255.
|
\a
|
Alert (ASCII 7).
|
\b
|
Backspace (ASCII 8).
|
\f
|
Form-feed (ASCII 12).
|
\n
|
New line (ASCII 10).
|
\r
|
Carriage return (ASCII 13).
|
\t
|
Tab (ASCII 9).
|
\v
|
Vertical tab (ASCII 11).
|
\0
|
Null (ASCII 0).
|
\\
|
Backslash.
|
\x##
|
Any ASCII character as specified in two-digit hexadecimal notation.
|
For example, to specify that the Layer 7 class map is to match and perform application inspection on HTTP headers, enter:
host1/Admin(config)# class-map type http inspect HTTP_INSPECT_L7CLASS
host1/Admin(config-cmap-http-insp)# match header Host header-value
.*mycompanyexample.com
For example, to specify regular expressions in a class map to emulate a wildcard search to match the header value expression string, enter:
host1/Admin(config)# class-map type http inspect match-any
HTTP_INSPECT_L7CLASS
host1/Admin(config-cmap-http-insp)# match header Host header-value
.*myfirstcompanyexample.com
host1/Admin(config-cmap-http-insp)# match header Host header-value
.*mysecondcompanyexample.com
To clear an HTTP header match criteria from the class map, enter:
host1/Admin(config-cmap-http-insp)# no match header Host header-value
.*mysecondcompanyexample.com
Defining the HTTP Maximum Header Length for Inspection
By default, the maximum header length for HTTP deep packet inspection is 2048 bytes. Use the match header length command to limit the HTTP traffic allowed through the ACE based on the length of the header in the HTTP request or response message. Messages will be either allowed or denied based on the Layer 7 HTTP deep packet inspection policy map action.
Access the class map configuration mode to specify the match header length command.
The syntax of this command is:
[line_number] match header length {request | response} {eq bytes | gt
bytes | lt bytes | range bytes1 bytes 2}
The keywords, arguments, and options are:
•
line_number—(Optional) Assists you in editing or deleting individual match commands. Enter an integer from 2 to 1024 as the line number. You can enter no line_number to delete long match commands instead of entering the entire line. The line numbers do not dictate a priority or sequence for the match statements.
•
request—Matches on the header length of HTTP request messages received by the ACE.
•
response—Matches on the header length of HTTP response messages passing through the ACE.
•
eq bytes—Specifies a value for the header length of an HTTP message. Based on the policy map action, the ACE allows or denies messages with a header length equal to the specified value. Valid entries are from 1 to 65535 bytes.
•
gt bytes—Specifies a minimum value for the header length of an HTTP message. Based on the policy map action, the ACE allows or denies messages with a header length greater than the specified value. Valid entries are from 1 to 65535 bytes.
•
lt bytes—Specifies a maximum value for the header length of an HTTP message. Based on the policy map action, the ACE allows or denies messages with a header length less than the specified value. Valid entries are from 1 to 65535 bytes.
•
range bytes1 bytes2—Specifies a size range for the header length of an HTTP message. Based on the policy map action, the ACE allows or denies messages with a header length within this range. The range is from 1 to 65535 bytes.
For example, to specify that the class map is to match on HTTP requests received with a header length equal to 3600 bytes, enter:
host1/Admin(config)# class-map type http inspect HTTP_INSPECT_L7CLASS
host1/Admin(config-cmap-http-insp)# match header length request eq
3600
To clear the maximum HTTP header length match criteria from the class map, enter:
host1/Admin(config-cmap-http-insp)# no match header length request eq
3600
Defining a Header MIME Type Messages for Inspection
Use the match header mime-type command to specify a subset of the Multipurpose Internet Mail Extension (MIME)-type messages that the ACE permits or denies based on the actions in the policy map. MIME extends the format of Internet mail to allow non-US-ASCII textual messages, non-textual messages, multipart message bodies, and non-US-ASCII information in message headers.
Note
To define MIME type messages in addition to what is supported under the match header mime-type command, use the match header command. For example, to define a match for a new MIME-type audio\myaudio, you could enter the following match statement: match header Content-type header-value audio\myaudio. See the "Defining an HTTP Header for Inspection" section for details.
The syntax of this command is:
[line_number] match header mime-type mime_type
The keywords, arguments, and options are:
•
line_number—(Optional) Assists you in editing or deleting individual match commands. Enter an integer from 2 to 1024 as the line number. You can enter no line_number to delete long match commands instead of entering the entire line. The line numbers do not dictate a priority or sequence for the match statements.
•
mime_type—The ACE includes a predefined list of mime-types, such as image\Jpeg, text\html, application\msword, audio\mpeg. Choose whether only the mime-types included in this list are permitted through the ACE or whether all mime-types are acceptable. The default behavior is to allow all mime-types.
The following lists the supported mime-types.
–
application\msexcel
–
application\mspowerpoint
–
application\msword
–
application\octet-stream
–
application\pdf
–
application\postscript
–
application\x-gzip
–
application\x-java-archive
–
application\x-java-vm
–
application\x-messenger
–
application\zip
–
audio\*
–
audio\basic
–
audio\midi
–
audio\mpeg
–
audio\x-adpcm
–
audio\x-aiff
–
audio\x-ogg
–
audio\x-wav
–
image\*
–
image\gif
–
image\jpeg
–
image\png
–
image\tiff
–
image\x-3ds
–
image\x-bitmap
–
image\x-niff
–
image\x-portable-bitmap
–
image\x-portable-greymap
–
image\x-xpm
–
text\*
–
text\css
–
text\html
–
text\plain
–
text\richtext
–
text\sgml
–
text\xmcd
–
text\xml
–
video\*
–
video\flc
–
video\mpeg
–
video\quicktime
–
video\sgi
–
video\x-fli
Note the following considerations:
•
You can specify multiple match header mime-type commands within a class map.
•
Each match header mime-type command configures a single MIME type.
For example, to create a class map that specifies the MIME-type audio\midi and audio\mpeg messages permitted through the ACE, enter:
host1/Admin(config)# class-map type http inspect match-any
HTTP_INSPECT_L7CLASS
host1/Admin(config-cmap-http-insp)# match header mime-type audio\midi
host1/Admin(config-cmap-http-insp)# match header mime-type audio\mpeg
To deselect the specified MIME message match criteria from the class map, enter:
host1/Admin(config-cmap-http-insp)# no match header mime-type
audio\midi
Defining an HTTP Traffic Restricted Category
Use the match port-misuse command to configure the class map to define application inspection compliance decisions that restrict certain HTTP traffic from passing through the ACE. This class map detects the misuse of port 80 (or any other port running HTTP) for tunneling protocols such as peer-to-peer (p2p) applications, tunneling applications, and instant messaging.
Access the class map configuration mode to specify the match port-misuse command.
The syntax of this command is:
[line_number] match port-misuse application_category
The keywords, arguments, and options are:
•
line_number—(Optional) Assists you in editing or deleting individual match commands. Enter an integer from 2 to 1024 as the line number. You can enter no line_number to delete long match commands instead of entering the entire line. The line numbers do not dictate a priority or sequence for the match statements.
•
application_category—Specifies the restricted HTTP application category for the class map. The possible values for application_category include:
–
im—Instant messaging application category. The ACE checks for the Yahoo Messenger instant messaging application.
–
p2p—Peer-to-peer application category. The applications checked include Kazaa and Gnutella.
–
tunneling—Tunneling application category. The applications checked include: HTTPort/HTTHost, GNU Httptunnel, and Firethru.
Note the following considerations:
•
You can specify multiple match port-misuse commands within a class map.
•
Each match port-misuse command configures a single application type.
•
The port misuse application inspection process requires a search of the entity body of the HTTP message, which may degrade performance of the ACE.
•
The ACE disables the match port-misuse command by default. If you do not configure a restricted HTTP application category, the default action by the ACE is to allow the applications without generating a log.
For example, to create a class map that identifies peer-to-peer applications as restricted HTTP traffic, enter:
host1/Admin(config)# class-map type http inspect HTTP_INSPECT_L7CLASS
host1/Admin(config-cmap-http-insp)# match port-misuse p2p
To clear the HTTP restricted application category match criteria from the class map, enter:
host1/Admin(config-cmap-http-insp)# no match port-misuse p2p
Defining HTTP Request Methods and Extension Methods
By default, the ACE allows all request and extension methods. Use the match request-method command to configure the class map to define application inspection compliance decisions based on the request methods defined in RFC 2616 and by HTTP extension methods. If the HTTP request method or extension method compliance check fails, the ACE denies or resets the specified HTTP traffic based on the policy map action.
Access the class map configuration mode to specify the match request-method command.
The syntax of this command is:
[line_number] match request-method {ext method | rfc method}
The keywords, arguments, and options are:
•
line_number—(Optional) Assists you in editing or deleting individual match commands. Enter an integer from 2 to 1024 as the line number. You can enter no line_number to delete long match commands instead of entering the entire line. The line numbers do not dictate a priority or sequence for the match statements.
•
ext method—Specifies an HTTP extension method. If the request message does not contain one of the RFC 2616 HTTP request methods, the ACE verifies whether it is an extension method. The ACE supports the inspection of the following HTTP request extension methods: copy, edit, getattr, getattrname, getprops, index, lock, mkdir, move, revadd, revlabel, revlog, revnum, save, setattr, startrev, stoprev, unedit, and unlock.
•
rfc method—Specifies an RFC 2616 HTTP request method that you want to perform an RFC compliance check on. The ACE supports the inspection of the following RFC 2616 HTTP request methods: connect, delete, get, head, options, post, put, and trace.
Note the following considerations:
•
You can specify multiple match request-method commands within a class map.
•
Each match request-method command configures a single request method.
•
For unsupported HTTP request methods, include the inspect http strict command as an action in the Layer 3 and Layer 4 policy map.
•
The ACE disables the match request-method command by default. If you do not configure a request method, the default action by the ACE is to allow the RFC 2616 HTTP request method without generating a log.
For example, to create a class map that identifies the connect, get, and head RFC 2616 request methods and the index extension method for HTTP application protocol inspection, enter:
host1/Admin(config)# class-map type http inspect match-any
HTTP_INSPECT_L7CLASS
host1/Admin(config-cmap-http-insp)# match request-method rfc connect
host1/Admin(config-cmap-http-insp)# match request-method rfc get
host1/Admin(config-cmap-http-insp)# match request-method rfc head
host1/Admin(config-cmap-http-insp)# match request-method ext index
To clear an RFC 2616 HTTP request method match criteria from the class map, enter:
host1/Admin(config-cmap-http-insp)# no match request-method rfc
connect
Defining an HTTP Transfer Encoding Type
Use the match transfer-encoding command to configure the class map to define application inspection decisions that limit the HTTP transfer-encoding types that can pass through the ACE. The transfer-encoding general-header field indicates the type of transformation, if any, that has been applied to the HTTP message body to safely transfer it between the sender and the recipient. When an HTTP request message contains the configured transfer-encoding type, the ACE performs the configured action in the policy map.
Access the class map configuration mode to specify the match transfer-encoding command.
The syntax of this command is:
[line_number] match transfer-encoding coding_types
The keywords, arguments, and options are:
• line_number—(Optional) Assists you in editing or deleting individual match commands. Enter an integer from 2 to 1024 as the line number. You can enter no line_number to delete long match commands instead of entering the entire line. The line numbers do not dictate a priority or sequence for the match statements.
• coding_types—Specifies the HTTP transfer-encoding type for the class map. The possible values for coding_types include:
– chunked—Message body is transferred as a series of chunks.
– compress—The encoding format produced by the common UNIX file compression program "compress". This format is an adaptive Lempel-Ziv-Welch coding (LZW).
– deflate—The .zlib format defined in RFC 1950 in combination with the deflate compression mechanism described in RFC 1951.
– gzip—An encoding format produced by the file compression program gzip (GNU zip) as described in RFC 1952. This format is a Lempel-Ziv coding (LZ77) with a 32 bit CRC.
– identity—The default (identity) encoding, which does not require the use of transformation.
Note the following considerations:
• You can specify multiple match transfer-encoding commands within a class map.
• Each match transfer-encoding command configures a single application type.
• The ACE disables the match transfer-encoding command by default.
For example, to create a class map that specifies a chunked HTTP transfer encoding type to limit the HTTP traffic that flows through the ACE, enter:
host1/Admin(config)# class-map type http inspect HTTP_INSPECT_L7CLASS
host1/Admin(config-cmap-http-insp)# match transfer-encoding chunked
To clear the HTTP transfer-encoding match criteria from the class map, enter:
host1/Admin(config-cmap-http-insp)# no match transfer-encoding chunked
Defining an HTTP URL for Inspection
Use the match url command to configure the class map to define application inspection decisions based on URL name. HTTP performs regular expression matching against the received packet data from a particular connection based on the URL expression.
Access the class map configuration mode to specify the match url command.
The syntax of this command is:
[line_number] match url expression
The keywords, arguments, and options are:
• line_number—(Optional) Assists you in editing or deleting individual match commands. Enter an integer from 2 to 1024 as the line number. You can enter no line_number to delete long match commands instead of entering the entire line. The line numbers do not dictate a priority or sequence for the match statements.
• expression—Specifies the URL, or portion of a URL, to match. The URL string range is from 1 to 255 characters. Include only the portion of the URL following www.hostname.domain in the match statement. For example, in the URL www.anydomain.com/latest/whatsnew.html, include only /latest/whatsnew.html. To match the www.anydomain.com portion, the URL string can take the form of a URL regular expression. The ACE supports the use of regular expressions for matching. See Table 3-6 for a list of the supported characters that you can use in regular expressions.
Note
When matching URLs, keep in mind that the period "." character does not have a literal meaning in regular expressions; it matches any single character. Use either the "[]" character class or the "\" escape to match this symbol literally, for example, specify "www[.]xyz[.]com" instead of "www.xyz.com".
For example, to specify that the Layer 7 class map is to match and perform application inspection on a specific URL, enter:
host1/Admin(config)# class-map type http inspect HTTP_INSPECT_L7CLASS
host1/Admin(config-cmap-http-insp)# match url whatsnew/latest.*
For example, to use regular expressions to emulate a wildcard search to match on any .gif or .html file, enter:
host1/Admin(config)# class-map type http inspect match-any HTTP_INSPECT_L7CLASS
host1/Admin(config-cmap-http-insp)# match url .*.gif
host1/Admin(config-cmap-http-insp)# match url .*.html
To clear a URL match criterion from the class map, enter:
host1/Admin(config-cmap-http-insp)# no match url .*.gif
Defining an HTTP Maximum URL Length for Inspection
Use the match url length command to limit the HTTP traffic allowed through the ACE by specifying the maximum length of a URL in a request message that can be received by the ACE. Messages will be either allowed or denied based on the Layer 7 HTTP deep packet inspection policy map action.
Access the class map configuration mode to specify the match url length command.
The syntax of this command is:
[line_number] match url length {eq bytes | gt bytes | lt bytes | range bytes1 bytes2}
The keywords, arguments, and options are:
• line_number—(Optional) Assists you in editing or deleting individual match commands. Enter an integer from 2 to 1024 as the line number. You can enter no line_number to delete long match commands instead of entering the entire line. The line numbers do not dictate a priority or sequence for the match statements.
• eq bytes—Specifies a value for the HTTP URL length received by the ACE. Based on the policy map action, the ACE allows or denies messages with an HTTP URL length equal to the specified value. Valid entries are from 1 to 65535 bytes.
• gt bytes—Specifies a minimum value for the HTTP URL length received by the ACE. Based on the policy map action, the ACE allows or denies messages with an HTTP URL length greater than the specified value. Valid entries are from 1 to 65535 bytes.
• lt bytes—Specifies a maximum value for the HTTP URL length received by the ACE. Based on the policy map action, the ACE allows or denies messages with an HTTP URL length less than the specified value. Valid entries are from 1 to 65535 bytes.
• range bytes1 bytes2—Specifies a size range for the HTTP URL length received by the ACE. Based on the policy map action, the ACE allows or denies messages with a URL length within this range. The range is from 1 to 65535 bytes.
For example, to specify that a class map is to match on a URL with a length equal to 10000 bytes in the request message, enter:
host1/Admin(config)# class-map type http inspect HTTP_INSPECT_L7CLASS
host1/Admin(config-cmap-http-insp)# match url length eq 10000
To clear a URL length match criteria from the class map, enter:
host1/Admin(config-cmap-http-insp)# no match url length eq 10000
Configuring a Layer 7 HTTP Deep Packet Inspection Policy Map
This section outlines how to configure a Layer 7 HTTP deep inspection policy map. The Layer 7 policy map configures the applicable HTTP deep packet inspection actions executed on the network traffic that match the classifications defined in a class map. You then associate the completed Layer 7 HTTP deep packet inspection policy with a Layer 3 and Layer 4 policy map to activate the operation on a VLAN interface (see the "Defining Layer 3 and Layer 4 Application Protocol Inspection Policy Actions" section).
This section includes the following topics:
• Creating a Layer 7 HTTP Deep Packet Inspection Policy Map
• Adding a Layer 7 HTTP Deep Packet Inspection Policy Map Description
• Including Inline Match Statements in a Layer 7 HTTP Deep Packet Inspection Policy Map
• Specifying a Layer 7 HTTP Inspection Traffic Class with the Traffic Policy
• Specifying the Layer 7 HTTP Deep Packet Policy Actions
Creating a Layer 7 HTTP Deep Packet Inspection Policy Map
Use the policy-map type inspect http command in configuration mode to name the traffic policy and initiate Layer 7 HTTP deep packet inspection.
The syntax of this command is:
policy-map type inspect http all-match map_name
The keyword and arguments are:
• http all-match—Policy map that initiates the deep packet inspection of the HTTP protocol by the ACE. The ACE attempts to match all specified conditions against the matching classification and executes the actions of all matching classes until it encounters a deny for a match request.
• map_name—Specifies the name assigned to the policy map. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
For example, to create a Layer 7 HTTP deep packet inspection policy map, enter:
host/Admin(config)# policy-map type inspect http all-match HTTP_INSPECT_L7POLICY
host/Admin(config-pmap-ins-http)#
The CLI displays the policy map configuration mode.
To remove a Layer 7 HTTP deep packet inspection policy map from the ACE, enter:
host1/Admin(config)# no policy-map type inspect http all-match HTTP_INSPECT_L7POLICY
Adding a Layer 7 HTTP Deep Packet Inspection Policy Map Description
Use the description command to provide a brief summary about the Layer 7 HTTP deep packet inspection policy map.
Access the policy map configuration mode to specify the description command.
The syntax of this command is:
description text
Use the text argument to enter an unquoted text string with a maximum of 240 alphanumeric characters.
To add a description that the policy map is to perform HTTP deep packet inspection, enter:
host1/Admin(config-pmap-ins-http)# description HTTP protocol deep inspection of incoming traffic
To remove the description from the policy map, enter:
host1/Admin(config-pmap-ins-http)# no description
Including Inline Match Statements in a Layer 7 HTTP Deep Packet Inspection Policy Map
To include a single inline match criterion in the policy map without specifying a traffic class, enter an applicable Layer 7 match command. The inline Layer 7 policy map match commands function the same as the Layer 7 class map match commands. However, when you use an inline match command, you can specify an action for only a single match statement in the Layer 7 policy map.
Note
To specify actions for multiple match statements, use a class map as described in the "Specifying a Layer 7 HTTP Inspection Traffic Class with the Traffic Policy" section.
The syntax for an inline match command is:
match name match_statement [insert-before map_name]
The arguments are:
• name—Specifies the name assigned to the inline match command. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
• match_statement—Specifies the inline match criteria to be used by the policy map. See below for details on the individual match commands associated with the Layer 7 HTTP deep inspection class map.
• insert-before map_name—(Optional) Places the inline match command ahead of an existing class map in the policy map configuration.
The syntax for the HTTP deep packet inspection policy map inline match commands includes:
match name content expression [offset number]
match name content length {eq bytes | gt bytes | lt bytes | range bytes1 bytes2}
match name content-type-verification
match name header {header_name | header_field} header-value expression
match name header length {request | response} {eq bytes | gt bytes | lt bytes | range bytes1 bytes2}
match name header mime-type mime_type
match name port-misuse application_category
match name request-method {ext method | rfc method}
match name strict-http
match name transfer-encoding coding_types
match name url expression
match name url length {eq bytes | gt bytes | lt bytes | range bytes1 bytes2}
See the "Creating a Layer 7 HTTP Deep Inspection Class Map" section for details on the individual inline match commands.
The match content-type-verification and match strict-http commands are available only as inline match commands under the Layer 7 policy-map type inspect http command. Because these two Layer 7 HTTP deep inspection match criteria cannot be combined with other match criteria, they appear as inline match commands for a policy map.
These two match commands perform the following HTTP deep inspection functions:
• match content-type-verification—Verifies the content MIME-type messages with the header MIME-type. This inline match command limits the MIME-types in HTTP messages allowed through the ACE. It verifies that the header MIME-type value is in the internal list of supported MIME-types and the header MIME-type matches the actual content in the data or entity body portion of the message. If they do not match, the ACE performs the specified Layer 7 policy map action: permit or reset.
Note
The MIME-type HTTP inspection process requires a search up to the configured maximum content parse length of the HTTP message, which may degrade performance of the ACE.
• match strict-http—Enforces that the internal compliance checks verify that a message is compliant with the HTTP RFC standard, RFC 2616. If the HTTP message is not compliant, the ACE performs the specified Layer 7 policy map action: permit or reset.
For example, to add an inline match command to a Layer 7 HTTP deep inspection policy map, enter:
host/Admin(config-pmap-ins-http)# match L7httpinspect port-misuse p2p
Specifying a Layer 7 HTTP Inspection Traffic Class with the Traffic Policy
To specify a traffic class created with the class-map command to associate network traffic with the traffic policy, use the class command. The syntax of this command is:
class map_name
The map_name argument specifies the name of a previously defined traffic class, configured with the class-map command, to associate traffic to the traffic policy. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
The CLI displays the policy map class configuration mode.
For example, to specify an existing class map in the Layer 7 policy map, enter:
host1/Admin(config-pmap-ins-http)# class HTTP_INSPECT_L7CLASS
host1/Admin(config-pmap-ins-http-c)#
To remove a class map from a Layer 7 policy map, enter:
host1/Admin(config-pmap-ins-http)# no class HTTP_INSPECT_L7CLASS
To manually insert a class map ahead of a previously specified class map, use the insert-before command. The ACE does not save sequence reordering through the insert-before command as part of the configuration.
The syntax of this command is:
class map_name1 insert-before map_name2
The keywords and arguments are:
•
class map_name1—Specifies the name of a previously defined traffic class configured with the class-map command. Enter an unquoted text string with no spaces and a maximum of 64 characters.
•
insert-before map_name2—Places the current class map ahead of an existing class map as specified by the map_name2 argument. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
For example, to use the insert-before command to define the sequential order of two class maps in the policy map, enter:
host1/Admin(config-pmap-ins-http)# class HTTP_INSPECT_L7CLASSMAP2 insert-before HTTP_INSPECT_L7CLASS
To specify the class-default class map for the traffic policy, use the class class-default command. All traffic that fails to meet the other matching criteria in the named class map belongs to the default traffic class. If none of the specified classifications match, the ACE then matches the action specified under the class class-default command. The class-default class map has an implicit match any statement in it such that it matches all traffic.
Note
By default, all matches are applied to both HTTP request and response messages, but the class class-default command is only applied to HTTP requests.
For example, to use the class class-default command, enter:
host1/Admin(config-pmap-ins-http)# class class-default
host1/Admin(config-pmap-ins-http-c)#
The CLI displays the policy map class configuration mode.
Specifying the Layer 7 HTTP Deep Packet Policy Actions
The default behavior of the ACE is to permit HTTP traffic. For example, if a policy map explicitly permits the HTTP GET method, other methods such as PUT will also be permitted. Only an explicit deny is capable of dropping traffic.
Specify the permit or reset command to define the action that the ACE performs on the HTTP traffic depending on whether it matches the specified commands. You apply the specified command against the single inline match command or the specified class map.
The Layer 7 HTTP deep packet inspection policy commands include:
{permit | reset}
The keywords, arguments, and options are:
• permit—Allows the specified HTTP traffic to be received by the ACE if it passes the HTTP deep packet inspection match criteria specified in either the class map or an inline match command.
• reset—Denies the specified HTTP traffic by sending a TCP reset message to the client or server to close the connection.
For example, to specify the actions in the Layer 7 HTTP deep packet inspection policy map, enter:
host1/Admin(config)# policy-map type inspect http all-match HTTP_DEEPINSPECT_L7POLICY
host1/Admin(config-pmap-ins-http)# class http_check
host1/Admin(config-pmap-ins-http-c)# permit
Because the default is to permit all HTTP packets, you must remove the class map to disable this function. For example, enter:
host1/Admin(config-pmap-ins-http)# no class http_check
By default, HTTP inspection allows traffic which does not match any of the configured Layer 7 HTTP deep packet inspection matches. You can modify this behavior by including the class class-default command with the reset action to deny the specified Layer 7 HTTP traffic. In this case, if none of the class matches configured in the Layer 7 HTTP deep packet inspection policy map are hit, the class-default action will be taken by the ACE. For example, you can include a class map to allow the HTTP GET method and use the class class-default command to block all of the other requests.
Note
By default, all matches are applied to both HTTP request and response messages, but the class class-default command is only applied to HTTP requests.
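The permit-by-default behaviour described in this section and the unescaped-period pitfall from the "Defining an HTTP URL for Inspection" Note, as an added Python model (not Cisco ACE code): it encodes the class-map and all-match policy-map semantics stated on this page for the match url, match url length, match request-method and match transfer-encoding criteria, and every class, function and sample message name is the model's own.

```python
"""Added example, not Cisco ACE code: a Python model of how the Layer 7 HTTP
deep packet inspection class maps and an all-match policy map, as described
above, decide between permit and reset.  All names here are the model's own."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class HttpMessage:
    """Constructed sample message carrying only the fields the model inspects."""
    is_request: bool
    method: str = ""
    url: str = ""                       # path portion, as "match url" expects
    transfer_encoding: str = "identity"


@dataclass
class ClassMap:
    """class-map type http inspect [match-all | match-any] <name>."""
    name: str
    match_any: bool
    criteria: List[Tuple[str, object]] = field(default_factory=list)

    def matches(self, msg: HttpMessage) -> bool:
        hits = [self._criterion(kind, value, msg) for kind, value in self.criteria]
        return any(hits) if self.match_any else all(hits)

    @staticmethod
    def _criterion(kind: str, value, msg: HttpMessage) -> bool:
        if kind == "request-method":          # match request-method {rfc|ext} <m>
            return msg.is_request and msg.method.lower() == value
        if kind == "url":                     # match url <expr>: a regex, "." is any char
            return re.search(value, msg.url) is not None
        if kind == "url-length":              # match url length {eq|gt|lt|range}
            op, low, high = value
            n = len(msg.url)
            if op == "eq":
                return n == low
            if op == "gt":
                return n > low
            if op == "lt":
                return n < low
            return low <= n <= high           # range
        if kind == "transfer-encoding":       # match transfer-encoding <type>
            return msg.transfer_encoding == value
        raise ValueError(f"unknown match kind {kind!r}")


# policy-map type inspect http all-match: an ordered list of (class map, action).
# A None class map stands for "class class-default"; actions are permit or reset.
Policy = List[Tuple[Optional[ClassMap], str]]


def decide(policy: Policy, msg: HttpMessage) -> str:
    """all-match: the actions of every matching class run until a reset is hit.
    class-default is used only when no other class matched and, as the Note
    above says, only for requests.  Anything else is permitted (ACE default)."""
    matched = False
    for cmap, action in policy:
        if cmap is not None and cmap.matches(msg):
            matched = True
            if action == "reset":
                return "reset"
    if not matched and msg.is_request:
        for cmap, action in policy:
            if cmap is None:
                return action
    return "permit"


# The permit-by-default trap: a class that permits GET does not block PUT.
GET_ONLY = ClassMap("GET_ONLY_L7CLASS", match_any=True,
                    criteria=[("request-method", "get")])
WEAK_POLICY: Policy = [(GET_ONLY, "permit")]                  # no class-default
STRICT_POLICY: Policy = [(GET_ONLY, "permit"), (None, "reset")]

PUT_REQ = HttpMessage(True, "PUT", "/upload/report.bin")      # constructed samples
GET_REQ = HttpMessage(True, "GET", "/latest/whatsnew.html")
RESPONSE = HttpMessage(False, url="/latest/whatsnew.html")


def trap_results() -> dict:
    return {
        "weak_put": decide(WEAK_POLICY, PUT_REQ),        # permit
        "strict_put": decide(STRICT_POLICY, PUT_REQ),    # reset
        "strict_get": decide(STRICT_POLICY, GET_REQ),    # permit
        "strict_resp": decide(STRICT_POLICY, RESPONSE),  # permit: class-default skips responses
    }


# The unescaped "." pitfall from the "match url" Note: ".*.gif" is not "ends in .gif".
def url_class_hits(expression: str, url: str) -> bool:
    cmap = ClassMap("URL_CHECK", match_any=True, criteria=[("url", expression)])
    return cmap.matches(HttpMessage(True, "GET", url))


if __name__ == "__main__":
    print(trap_results())
    print(url_class_hits(".*.gif", "/cgi-bin/giftcard"))     # True: "." matched "/"
    print(url_class_hits(".*[.]gif", "/cgi-bin/giftcard"))   # False
    print(url_class_hits(".*[.]gif", "/img/logo.gif"))       # True
```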
Configuring a Layer 7 FTP Command Inspection Policy
This section describes how to create a Layer 7 class map and policy map to be used for FTP command inspection by the ACE, a security feature that prevents web browsers from sending embedded commands to the ACE in FTP requests. Each FTP command must be acknowledged before the ACE allows a new command. FTP inspection allows traffic by default and restricts traffic that fails the security checks. Command filtering allows you to restrict specific commands through the ACE. When the ACE denies a command, it closes the connection.
Note
You can associate a maximum of 1024 instances of the same type of regular expression (regex) with a Layer 4 policy map. This limit applies to all Layer 7 policy-map types, including generic, HTTP, RADIUS, RDP, RTSP, and SIP. You configure regexes in:
• Match statements in Layer 7 class maps
• Inline match statements in Layer 7 policy maps
• Layer 7 hash predictors for server farms
• Layer 7 sticky expressions in sticky groups
• Header insertion and rewrite (including SSL URL rewrite) expressions in Layer 7 action lists
This section includes the following procedures:
• Creating an FTP Inspection Class Map
• Adding a Layer 7 FTP Inspection Class Map Description
• Defining FTP Match Request Methods
• Configuring a Layer 7 FTP Command Inspection Policy Map
Creating an FTP Inspection Class Map
To define a class map to be used for the inspection of FTP request commands, use the class-map type ftp inspect command in configuration mode.
The syntax of this command is:
class-map type ftp inspect match-any map_name
The keywords, arguments, and options are:
• match-any—Determines how the ACE inspects FTP request commands when multiple match criteria exist in a class map. Only one of the match criteria listed in the class map must be satisfied for the ACE to match the FTP command inspection class in the class map.
• map_name—Specifies the name assigned to the class map. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters. The class name is used for both the class map and to configure policy for the class in the policy map.
The CLI displays the class map FTP command inspection configuration mode. To classify the FTP request commands for inspection by the ACE, include one or more of the match request-method commands to configure the match criteria for the Layer 7 class map. See the "Defining FTP Match Request Methods" section.
For example, to specify FTP_INSPECT_L7CLASS as the name of a class map and identify that at least one FTP inspection command in the class map must be satisfied for the ACE to indicate a match, enter:
host1/Admin(config)# class-map type ftp inspect match-any FTP_INSPECT_L7CLASS
host1/Admin(config-cmap-ftp-insp)# match request-method cdup
host1/Admin(config-cmap-ftp-insp)# match request-method mkd
host1/Admin(config-cmap-ftp-insp)# match request-method get
host1/Admin(config-cmap-ftp-insp)# match request-method put
To remove the FTP request inspection class map from the ACE, enter:
host1/Admin(config)# no class-map type ftp inspect match-any FTP_INSPECT_L7CLASS
Adding a Layer 7 FTP Inspection Class Map Description
Use the description command to provide a brief summary about the Layer 7 FTP inspection class map.
Access the class map configuration mode to specify the description command.
The syntax of this command is:
description text
Use the text argument to enter an unquoted text string with a maximum of 240 alphanumeric characters.
To add a description that the class map is to perform FTP command inspection, enter:
host1/Admin(config-cmap-ftp-insp)# description FTP command inspection of incoming traffic
To remove the description from the class map, enter:
host1/Admin(config-cmap-ftp-insp)# no description FTP command inspection of incoming traffic
Defining FTP Match Request Methods
Use the match request-method command to configure the class map to define FTP command inspection decisions by the ACE. The match command identifies the FTP commands that you want filtered by the ACE.
Access the class map configuration mode to specify the match request-method command.
The syntax of this command is:
match request-method ftp_commands
The ftp_commands argument specifies the FTP command in the class map to be subjected to FTP inspection by the ACE. The possible ftp_commands include: appe, cdup, dele, get, help, mkd, put, rmd, rnfr, rnto, site, stou, and syst.
You can specify multiple match request-method commands within a class map.
For example, to specify FTP_INSPECT_L7CLASS as the name of a class map and identify that at least one FTP inspection command in the class map must be satisfied for the ACE to indicate a match, enter:
host1/Admin(config)# class-map type ftp inspect match-any FTP_INSPECT_L7CLASS
host1/Admin(config-cmap-ftp-insp)# match request-method cdup
host1/Admin(config-cmap-ftp-insp)# match request-method mkd
host1/Admin(config-cmap-ftp-insp)# match request-method get
host1/Admin(config-cmap-ftp-insp)# match request-method stou
host1/Admin(config-cmap-ftp-insp)# match request-method put
Use the no form of the command to clear the FTP inspection request method from the class map:
host1/Admin(config-cmap-ftp-insp)# no match request-method cdup
Configuring a Layer 7 FTP Command Inspection Policy Map
This section outlines how to configure a Layer 7 FTP command inspection policy map. The Layer 7 policy map configures the applicable FTP command inspection actions executed on the network traffic that match the classifications defined in a class map. You then associate the completed Layer 7 FTP command inspection policy with a Layer 3 and Layer 4 policy map to activate the operation on a VLAN interface (see the "Defining Layer 3 and Layer 4 Application Protocol Inspection Policy Actions" section).
This section includes the following topics:
• Creating a Layer 7 FTP Command Inspection Policy Map
• Adding a Layer 7 FTP Inspection Policy Map Description
• Including Inline Match Statements in a Layer 7 Command Inspection Policy Map
• Specifying a Layer 7 FTP Command Inspection Traffic Class with the Traffic Policy
• Specifying the Layer 7 FTP Command Inspection Policy Actions
Creating a Layer 7 FTP Command Inspection Policy Map
Use the policy-map type inspect ftp command in configuration mode to name the traffic policy and initiate FTP command inspection. The syntax of this command is:
policy-map type inspect ftp first-match map_name
The keyword and arguments are:
• ftp first-match—Specifies a Layer 7 policy map that defines the inspection of FTP commands by the ACE. The first-match keyword defines the execution for the Layer 7 FTP command inspection policy map. The ACE executes only the action specified against the first-matching classification.
• map_name—Specifies the name assigned to the policy map. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
For example, to create a Layer 7 FTP command inspection policy map, enter:
host/Admin(config)# policy-map type inspect ftp first-match FTP_INSPECT_L7POLICY
host/Admin(config-pmap-ftp-ins)#
The CLI displays the policy map configuration mode.
To remove a Layer 7 command inspection policy map from the ACE, enter:
host1/Admin(config)# no policy-map type inspect ftp first-match FTP_INSPECT_L7POLICY
Adding a Layer 7 FTP Inspection Policy Map Description
Use the description command to provide a brief summary about the Layer 7 FTP inspection policy map.
Access the policy map FTP inspection configuration mode to specify the description command.
The syntax of this command is:
description text
Use the text argument to enter an unquoted text string with a maximum of 240 alphanumeric characters.
To add a description that the policy map is to perform FTP command inspection, enter:
host1/Admin(config-pmap-ftp-ins)# description FTP command inspection of incoming traffic
To remove the description from the policy map, enter:
host1/Admin(config-pmap-ftp-ins)# no description FTP command inspection of incoming traffic
Including Inline Match Statements in a Layer 7 Command Inspection Policy Map
To include a single inline match criterion in the policy map without specifying a traffic class, enter an applicable Layer 7 match command. The inline Layer 7 policy map match commands function the same as the Layer 7 class map match commands. However, when you use an inline match command, you can specify an action for only a single match statement in the Layer 7 policy map.
Note
To specify actions for multiple match statements, use a class map as described in the "Specifying a Layer 7 FTP Command Inspection Traffic Class with the Traffic Policy" section.
The syntax for an inline match command is:
match name match_statement [insert-before map_name]
The arguments are:
• name—Specifies the name assigned to the inline match command. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
• match_statement—Specifies the inline match criteria to be used by the policy map. See below for details on the match commands associated with the Layer 7 FTP command inspection class map.
• insert-before map_name—(Optional) Places the inline match command ahead of an existing class map in the policy map configuration.
The syntax for the Layer 7 FTP inspection policy map inline match commands includes:
[line_number] match name request-method {appe | cdup | dele | get | help | mkd | put | rmd | rnfr | rnto | site | stou | syst}
See the "Defining FTP Match Request Methods" section for details about the inline match command.
For example, to add an inline match command to a Layer 7 FTP command policy map, enter:
host/Admin(config-pmap-ftp-ins)# match FTP_REQUEST_MATCH request-method mkd
host/Admin(config-pmap-ftp-ins-m)#
Specifying a Layer 7 FTP Command Inspection Traffic Class with the Traffic Policy
To specify a traffic class created with the class-map command to associate network traffic with the traffic policy, use the class command. The syntax of this command is:
class map_name
The map_name argument specifies the name of a previously defined traffic class, configured with the class-map command, to associate traffic to the traffic policy. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
The CLI displays the policy map class configuration mode.
For example, to specify an existing class map in the Layer 7 policy map, enter:
host1/Admin(config-pmap-ftp-ins)# class FTP_INSPECT_L7CLASS
host1/Admin(config-pmap-ftp-ins-c)#
To remove a class map from a Layer 7 policy map, enter:
host1/Admin(config-pmap-ftp-ins)# no class FTP_INSPECT_L7CLASS
Specifying the Layer 7 FTP Command Inspection Policy Actions
By default, the ACE allows all FTP commands to pass. To explicitly deny specific FTP commands, use one of the following commands as the action if the specified FTP traffic matches the classification. You apply the specified action against the single inline match command or the specified class map.
{deny | mask-reply}
The keywords, arguments, and options are:
• deny—Denies the FTP request commands matched by the single inline match command or specified in the class map by resetting the FTP session.
• mask-reply—Applicable to only the FTP SYST command and its associated reply. The SYST command is used to find out the type of operating system at the FTP server. The mask-reply keyword instructs the ACE to mask the system's reply to the FTP SYST command by filtering sensitive information from the command output.
For example, to specify the actions in the Layer 7 FTP inspection policy map, enter:
host1/Admin(config)# policy-map type inspect ftp first-match FTP_INSPECT_L7POLICY
host1/Admin(config-pmap-ftp-ins)# class FTP_INSPECT_L7CLASS
host1/Admin(config-pmap-ftp-ins-c)# mask-reply
To disable an action from the Layer 7 FTP inspection policy map, enter:
host1/Admin(config-pmap-ftp-ins-c)# no mask-reply
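The first-match evaluation, deny and mask-reply actions described in this FTP command inspection section, as an added Python model (not Cisco ACE code): the policy, the client/server exchange and all function names are the model's own, and the masked SYST reply text is an assumed placeholder because the page does not give the exact output the ACE substitutes.

```python
"""Added example, not Cisco ACE code: a Python model of the Layer 7 FTP command
inspection policy map described above (first-match with deny or mask-reply).
All names are the model's own; the masked SYST text is an assumed placeholder."""
from typing import List, Optional, Set, Tuple

# Keywords the page lists for "match request-method" in an FTP inspect class map.
FTP_MATCH_KEYWORDS = {"appe", "cdup", "dele", "get", "help", "mkd", "put",
                      "rmd", "rnfr", "rnto", "site", "stou", "syst"}

# policy-map type inspect ftp first-match: ordered (class map commands, action).
# Each class map is match-any, so it is modelled as the set of commands it names.
FtpPolicy = List[Tuple[Set[str], str]]

MASKED_SYST_TEXT = "[masked by inspection]"   # assumption: exact ACE text not given


def _verb(command: str) -> str:
    return command.split()[0].lower() if command.split() else ""


def first_match(policy: FtpPolicy, command: str) -> Optional[str]:
    """first-match: only the first matching class supplies the action.
    Returns None when no class matches; the ACE lets such commands pass."""
    verb = _verb(command)
    for commands, action in policy:
        bad = commands - FTP_MATCH_KEYWORDS
        if bad:
            raise ValueError(f"not a match request-method keyword: {sorted(bad)}")
        if verb in commands:
            return action
    return None


def inspect_command(policy: FtpPolicy, command: str) -> Tuple[str, bool]:
    """Return (action taken, whether the control connection stays open)."""
    action = first_match(policy, command)
    if action == "deny":
        return "deny", False               # session reset: no further commands
    if action == "mask-reply" and _verb(command) == "syst":
        return "mask-reply", True          # mask-reply applies only to SYST
    return "permit", True


def inspect_reply(policy: FtpPolicy, command: str, reply: str) -> str:
    """Rewrite the server's reply when mask-reply applies to a SYST command."""
    if inspect_command(policy, command)[0] == "mask-reply":
        code, _, _ = reply.partition(" ")  # keep the 3-digit reply code
        return f"{code} {MASKED_SYST_TEXT}"
    return reply


def run_session(policy: FtpPolicy, exchange) -> list:
    """Walk a constructed (command, server reply) exchange; stop at a deny."""
    log = []
    for command, reply in exchange:
        action, keep_open = inspect_command(policy, command)
        if not keep_open:
            log.append((command, action, None))
            break
        log.append((command, action, inspect_reply(policy, command, reply)))
    return log


# Constructed policy: mask the OS banner, deny delete/rename/admin commands.
FTP_INSPECT_L7POLICY: FtpPolicy = [
    ({"syst"}, "mask-reply"),
    ({"dele", "rmd", "rnfr", "rnto", "site"}, "deny"),
]

# Constructed exchange, not a captured session.
SAMPLE_EXCHANGE = [
    ("USER alice", "331 Password required for alice"),
    ("SYST", "215 UNIX Type: L8 (SunOS 5.10)"),
    ("PWD", '257 "/home/alice"'),
    ("DELE report.txt", "250 DELE command successful"),
    ("PWD", '257 "/home/alice"'),          # never reaches the server
]


def sample_log() -> list:
    return run_session(FTP_INSPECT_L7POLICY, SAMPLE_EXCHANGE)


if __name__ == "__main__":
    for entry in sample_log():
        print(entry)
```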
Configuring a Layer 3 and Layer 4 Application Protocol Inspection Traffic Policy
This section describes how to create a Layer 3 and Layer 4 class map and policy map to classify network traffic passing through the ACE to perform an applicable application protocol inspection traffic policy. The Layer 3 and Layer 4 traffic policy defines the Layer 3 and Layer 4 HTTP deep packet inspection, FTP command inspection, or application protocol inspection policy actions. Application inspection involves the examination of protocols such as DNS, FTP, HTTP, ICMP, and RTSP to verify the protocol behavior and identify unwanted or malicious traffic passing through the ACE.
• Creating a Layer 7 HTTP Deep Inspection Class Map
• Configuring a Layer 7 HTTP Deep Packet Inspection Policy Map
Configuring a Layer 3 and Layer 4 Class Map
To create a Layer 3 and Layer 4 class map to classify network traffic passing through the ACE to perform an applicable application protocol inspection policy, use the class-map command in configuration mode.
There can be multiple match commands in a single class map to specify the matching criteria. For example, you can configure class maps to define multiple access group or port commands in a group that you then associate with an application protocol inspection policy. The match-all and match-any keywords determine how the ACE evaluates multiple match statements operations when multiple match criteria exist in a class map.
The syntax of this command is:
class-map [match-all | match-any] map_name
The keywords and options are:
• match-all | match-any—(Optional) Determines how the ACE evaluates Layer 3 and Layer 4 network traffic when multiple match criteria exist in a class map. The class map is considered a match if the match commands meet one of the following conditions.
– match-all—All of the match criteria listed in the class map are satisfied to match the network traffic class in the class map, typically match commands of different types.
– match-any—Only one of the match criteria listed in the class map is satisfied to match the network traffic class in the class map, typically match commands of the same type.
The default setting is to meet all of the match criteria (match-all) in a class map.
• map_name—Specifies the name assigned to the class map. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
The CLI displays the class map configuration mode. To classify network traffic passing through the ACE for application protocol inspection, include one or more of the following commands to configure the match criteria for the class map:
• description—See the "Adding a Layer 3 and Layer 4 Class Map Description" section.
• match access-list—See the "Defining Access-List Match Criteria" section.
• match port—See the "Defining TCP/UDP Port Number or Port Range Match Criteria" section.
Note the following when creating a class map to define a Layer 3 and Layer 4 match classification:
• You may combine multiple match access-list and match port commands in a class map.
• The matched traffic depends on the individual inspect command specified in the policy map. See Table 3-1 for a summary of the application inspection protocols supported by the ACE along with the IP protocol and port.
For example, to define a Layer 3 and Layer 4 class map, enter:
host1/Admin(config)# class-map match-all DNS_INSPECT_L4CLASS
host1/Admin(config-cmap)# description DNS application protocol inspection of incoming traffic
host1/Admin(config-cmap)# match port udp eq domain
To remove a Layer 3 and Layer 4 network traffic class map from the ACE, enter:
host1/Admin(config)# no class-map match-all DNS_INSPECT_L4CLASS
Adding a Layer 3 and Layer 4 Class Map Description
Use the description command to provide a brief summary about the Layer 3 and Layer 4 class map. Access the class map configuration mode to specify the description command.
The syntax of this command is:
description text
Use the text argument to enter an unquoted text string with a maximum of 240 alphanumeric characters.
For example, to specify a description that the class map is to perform DNS application protocol inspection, enter:
host1/Admin(config)# class-map DNS_INSPECT_L4CLASS
host1/Admin(config-cmap)# description DNS application protocol inspection of incoming traffic
To remove the description from the class map, enter:
host1/Admin(config-cmap)# no description
Defining Access-List Match Criteria
Use the match access-list command to configure the class map to filter Layer 3 and Layer 4 network traffic on a per-flow basis by using a predefined access control list. When a packet matches an entry in an access list, the ACE treats the packet as matching the class if the entry is a permit entry and as not matching if the entry is a deny entry. Refer to Chapter 1, Configuring Security Access Control Lists, for details about creating access control lists in the ACE.
Access the class map configuration mode to specify the match access-list command.
The syntax of this command is:
[line_number] match access-list identifier
The keywords, arguments, and options are:
• line_number—(Optional) Assists you in editing or deleting individual match commands. Enter an integer from 2 to 255 as the line number. You can enter no line_number to delete long match commands instead of entering the entire line. The line numbers do not dictate a priority or sequence for the match statements.
• identifier—Specifies a previously created access list identifier. Enter an unquoted text string with a maximum of 64 characters.
There can be multiple match access-list commands within a single class map. You may combine multiple match access-list and match port commands in a class map.
For example, to specify that the class map is to match on access control list INBOUND_ACL1, enter:
host1/Admin(config)# class-map match-any DNS_INSPECT_L4CLASS
host1/Admin(config-cmap)# match access-list INBOUND_ACL1
To clear the access control list match criteria from the class map, enter:
host1/Admin(config-cmap)# no match access-list INBOUND_ACL1
Defining TCP/UDP Port Number or Port Range Match Criteria
Use the match port command to specify a TCP or UDP port number or port range as the Layer 3 and Layer 4 network traffic matching criteria.
Access the class map configuration mode to specify the match port command.
The syntax of this command is:
[line_number] match port {tcp | udp} {any | eq {port_number} | range port1 port2}
The keywords, arguments, and options are:
• line_number—(Optional) Assists you in editing or deleting individual match commands. Enter an integer from 2 to 255 as the line number. You can enter no line_number to delete long match commands instead of entering the entire line. The line numbers do not dictate a priority or sequence for the match statements.
• tcp | udp—Specifies the protocol, TCP or UDP.
  – any—Wildcard value for the TCP or UDP port number. With any used in place of either the eq or range values, packets from any incoming port match.
  – eq port_number—Specifies that the TCP or UDP port number must match the specified value. Enter an integer from 0 to 65535. A value of 0 instructs the ACE to include all ports. Alternatively, you can enter the name of a well-known TCP port as listed in Table 3-7 or a well-known UDP port as listed in Table 3-8.
  – range port1 port2—Specifies a port range to use for the TCP or UDP port. Valid port ranges are 0 to 65535. A value of 0 instructs the ACE to match all ports.
Table 3-7 Well-Known TCP Ports and Keywords
Port | Port Number | Description
domain | 53 | Specifies Domain Name System
ftp | 21 | Specifies File Transfer Protocol
ftp-data | 20 | Specifies File Transfer Protocol Data
http | 80 | Specifies Hyper Text Transfer Protocol
https | 443 | Specifies HTTP over SSL protocol
irc | 194 | Specifies Internet Relay Chat protocol
matip-a | 350 | Specifies Matip Type A protocol
nntp | 119 | Specifies Network News Transport Protocol
pop2 | 109 | Specifies Post Office Protocol v2
pop3 | 110 | Specifies Post Office Protocol v3
rtsp | 554 | Specifies Real Time Stream Control Protocol
smtp | 25 | Specifies Simple Mail Transfer Protocol
telnet | 23 | Specifies Telnet protocol
www | 80 | Specifies World Wide Web
Table 3-8 Well-Known UDP Port Numbers and Keywords
Keyword | Port Number | Description
domain | 53 | Domain Name System
wsp | 9200 | Connectionless Wireless Session Protocol (WSP)
wsp-wtls | 9202 | Secure Connectionless WSP
wsp-wtp | 9201 | Connection-based WSP
wsp-wtp-wtls | 9203 | Secure Connection-based WSP
There can be multiple match port commands within a single class map. You may combine multiple match access-list and match port commands in a class map.
For example, to specify that the class map is to match on TCP port number 23 (Telnet client), enter:
host1/Admin(config)# class-map DNS_INSPECT_L4CLASS
host1/Admin(config-cmap)# match port tcp eq 23
To clear the TCP or UDP port number match criteria from the class map, enter:
host1/Admin(config-cmap)# no match port tcp eq 23
Configuring a Layer 3 and Layer 4 Policy Map
This section outlines how to configure a Layer 3 and Layer 4 policy that defines an HTTP deep packet inspection, FTP command inspection, or application protocol inspection traffic policy.
This section includes the following topics:
• Creating a Layer 3 and Layer 4 Policy Map
• Adding a Layer 3 and Layer 4 Policy Map Description
• Specifying a Layer 3 and Layer 4 Traffic Class with the Traffic Policy
• Defining Layer 3 and Layer 4 Application Protocol Inspection Policy Actions
Creating a Layer 3 and Layer 4 Policy Map
Use the policy-map multi-match configuration command to configure a Layer 3 and Layer 4 policy map that defines the application inspection policies. The ACE attempts to match multiple classes within the Layer 3 and Layer 4 policy map, but can match only one class within each of the sets of traffic classes. If a classification matches more than one class map, then the ACE executes all of the corresponding actions. However, for a specific feature, the ACE executes only the first matching classification action.
The syntax of this command is:
policy-map multi-match map_name
The map_name argument specifies the name assigned to the policy map. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
For example, to create a Layer 3 and Layer 4 network traffic policy map, enter:
host1/Admin(config)# policy-map multi-match HTTP_INSPECT_L4POLICY
host1/Admin(config-pmap)#
The CLI displays the policy map configuration mode.
To remove a Layer 3 and Layer 4 policy map from the ACE, enter:
host1/Admin(config)# no policy-map multi-match HTTP_INSPECT_L4POLICY
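As an added illustration (not ACE code and not from the ACE documentation), the following Python model combines the class-map semantics from the previous section (match-all, match-any, match port, match access-list) with the multi-match rule just described: every matching class contributes its actions, but for a given feature only the first matching class wins. The ACL entries, the hypothetical WEB_ANY class, the action strings and the treatment of all inspect actions as a single feature are assumptions of the model.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Added model of ACE Layer 3/4 classification; constructed for this page, not ACE code.

@dataclass(frozen=True)
class Flow:
    src: str     # source IP address
    proto: str   # "tcp" or "udp"
    dport: int   # destination port

@dataclass(frozen=True)
class AclEntry:
    action: str  # "permit" or "deny"
    src: str     # exact source address or "any" (simplified ACL matching)
    proto: str   # "tcp", "udp" or "ip"

def acl_permits(entries: List[AclEntry], flow: Flow) -> bool:
    """'match access-list' semantics: a permit hit matches, a deny hit does not.
    The first matching entry decides; the list ends with an implicit deny."""
    for e in entries:
        if e.src in ("any", flow.src) and e.proto in ("ip", flow.proto):
            return e.action == "permit"
    return False

def match_port(proto: str, spec: Tuple, flow: Flow) -> bool:
    """'match port {tcp|udp} {any | eq n | range lo hi}'; port 0 means all ports."""
    if flow.proto != proto:
        return False
    if spec[0] == "any":
        return True
    if spec[0] == "eq":
        return spec[1] == 0 or flow.dport == spec[1]
    lo, hi = spec[1], spec[2]                      # ("range", lo, hi)
    return lo == 0 or lo <= flow.dport <= hi

@dataclass
class ClassMap:
    name: str
    match_all: bool                                 # match-all (default) or match-any
    criteria: List[Callable[[Flow], bool]]

    def matches(self, flow: Flow) -> bool:
        hits = [c(flow) for c in self.criteria]
        if not hits:
            return False
        return all(hits) if self.match_all else any(hits)

@dataclass
class PolicyMap:
    """policy-map multi-match: an ordered list of (class, feature, action)."""
    name: str
    entries: List[Tuple[ClassMap, str, str]]

    def actions_for(self, flow: Flow) -> Dict[str, str]:
        """Every matching class contributes, but per feature only the first match wins."""
        chosen: Dict[str, str] = {}
        for cmap, feature, action in self.entries:
            if cmap.matches(flow) and feature not in chosen:
                chosen[feature] = action
        return chosen

# Constructed configuration mirroring the CLI examples in this section.
INBOUND_ACL1 = [AclEntry("deny", "10.0.0.99", "ip"), AclEntry("permit", "any", "ip")]

DNS_INSPECT_L4CLASS = ClassMap("DNS_INSPECT_L4CLASS", match_all=True, criteria=[
    lambda f: match_port("udp", ("eq", 53), f),          # match port udp eq domain
    lambda f: acl_permits(INBOUND_ACL1, f),              # match access-list INBOUND_ACL1
])
HTTP_INSPECT_L4CLASS = ClassMap("HTTP_INSPECT_L4CLASS", match_all=False, criteria=[
    lambda f: match_port("tcp", ("eq", 80), f),          # match-any: same-type criteria
    lambda f: match_port("tcp", ("eq", 8080), f),
])
WEB_ANY = ClassMap("WEB_ANY", match_all=True, criteria=[  # hypothetical catch-all class
    lambda f: match_port("tcp", ("range", 1, 1023), f),
])

APP_INSPECT_L4POLICY = PolicyMap("APP_INSPECT_L4POLICY", [
    (DNS_INSPECT_L4CLASS, "inspect", "inspect dns maximum-length 1000"),
    (HTTP_INSPECT_L4CLASS, "inspect", "inspect http policy HTTP_DEEPINSPECT_L7POLICY"),
    (WEB_ANY, "inspect", "inspect http"),      # never wins for port 80: the class above is first
    (WEB_ANY, "appl-parameter", "appl-parameter http advanced-options HTTP_PARAM_MAP1"),
])

def classify(src: str, proto: str, dport: int) -> Dict[str, str]:
    """Actions the constructed policy map applies to one flow."""
    return APP_INSPECT_L4POLICY.actions_for(Flow(src, proto, dport))

if __name__ == "__main__":
    for args in [("10.0.0.5", "udp", 53), ("10.0.0.99", "udp", 53),
                 ("10.0.0.5", "tcp", 80), ("10.0.0.5", "tcp", 8080)]:
        print(args, "->", classify(*args))
```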
Adding a Layer 3 and Layer 4 Policy Map Description
Use the description command to provide a brief summary about the Layer 3 and Layer 4 policy map. Access the policy map configuration mode to specify the description command.
The syntax of this command is:
description text
Use the text argument to enter an unquoted text string with a maximum of 240 alphanumeric characters.
For example, to specify a description that the policy map is to perform DNS application protocol inspection, enter:
host1/Admin(config-pmap)# description DNS application protocol inspection of incoming traffic
To remove the description from the policy map, enter:
host1/Admin(config-pmap)# no description
Specifying a Layer 3 and Layer 4 Traffic Class with the Traffic Policy
To specify a traffic class created with the class-map command to associate network traffic with the traffic policy, use the class command. The syntax of this command is:
class map_name
The map_name argument specifies the name of a previously defined traffic class, configured with the class-map command, to associate traffic to the traffic policy. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
The CLI displays the policy map class configuration mode.
For example, to specify an existing class map within the Layer 3 and Layer 4 policy map, enter:
host1/Admin(config-pmap)# class HTTP_INSPECT_L4CLASS
host1/Admin(config-pmap-c)#
To remove a class map from a Layer 3 and Layer 4 policy map, enter:
host1/Admin(config-pmap)# no class HTTP_INSPECT_L4CLASS
To manually insert a class map ahead of a previously specified class map, use the insert-before command. The ACE does not save sequence reordering through the insert-before command as part of the configuration.
The syntax of this command is:
class map_name1 insert-before map_name2
The keywords and arguments are:
• class map_name1—Specifies the name of a previously defined traffic class configured with the class-map command. Enter an unquoted text string with no spaces and a maximum of 64 characters.
• insert-before map_name2—Places the current class map ahead of an existing class map as specified by the map_name2 argument. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
For example, to use the insert-before command to define the sequential order of two class maps in the policy map, enter:
host1/Admin(config-pmap)# class FTP_INSPECT_L4CLASS insert-before HTTP_INSPECT_L4CLASS
To specify the class-default class map for the Layer 3 and Layer 4 traffic policy, use the class class-default command. All network traffic that fails to meet the other matching criteria in the named class maps belongs to the default traffic class. If none of the specified classifications match, the ACE applies the action specified under the class class-default command. The class-default class map has an implicit match any statement in it, so it matches all traffic.
For example, to use the class class-default command, enter:
host1/Admin(config-pmap)# class class-default
host1/Admin(config-pmap-c)#
The CLI displays the policy map class configuration mode.
Defining Layer 3 and Layer 4 Application Protocol Inspection Policy Actions
Use the inspect command in policy map class configuration mode to define the Layer 3 and Layer 4 HTTP deep packet inspection, FTP command inspection, or application protocol inspection policy actions. Application inspection involves the examination of protocols such as DNS, FTP, HTTP, ICMP, and RTSP to verify the protocol behavior and identify unwanted or malicious traffic passing through the ACE.
If you intend to perform Layer 7 application inspection of network traffic, first create a Layer 7 policy as described below:
• To perform the deep packet inspection of Layer 7 HTTP application traffic by the ACE, first create a Layer 7 policy using the policy-map type inspect http command (see the "Configuring a Layer 7 HTTP Deep Packet Inspection Policy Map" section). You nest the Layer 7 HTTP inspection policy using the Layer 3 and Layer 4 inspect http command.
• To perform the request inspection of FTP commands, first create a Layer 7 policy using the policy-map type inspect ftp command (see the "Configuring a Layer 7 FTP Command Inspection Policy Map" section). You nest the Layer 7 FTP inspection policy using the Layer 3 and Layer 4 inspect ftp command.
You associate the Layer 7 policy map within the appropriate Layer 3 and Layer 4 policy map to provide an entry point for the traffic classification. Layer 7 policy maps are considered to be child policies and can only be associated within a Layer 3 and Layer 4 policy map. Only a Layer 3 and Layer 4 policy map can be applied to a VLAN interface or applied globally to all VLAN interfaces in the same context; a Layer 7 policy map cannot be directly applied on an interface.
Note
If you do not specify a Layer 7 HTTP or FTP policy map, the ACE performs a general set of Layer 3 and Layer 4 HTTP or FTP protocol fixup actions. For example, the ACE performs strict HTTP.
The syntax of the inspect command for Layer 3 and Layer 4 application protocol inspection includes:
inspect dns [maximum-length bytes]
inspect ftp [strict policy policy_map1]
inspect http [policy policy_map2 | url-logging]
inspect icmp [error]
inspect rtsp
The keywords, arguments, and options are:
• dns—Enables Domain Name System (DNS) query inspection. DNS requires application inspection so that DNS queries are not subject to the generic UDP handling based on activity timeouts. Instead, the UDP connections associated with DNS queries and responses are torn down as soon as a reply to a DNS query has been received. The ACE performs the reassembly of DNS packets to verify that the packet length is less than the configured maximum length.
  • maximum-length bytes—(Optional) Sets the maximum length of a DNS reply. Valid entries are 64 to 65536 bytes. The default is 512 bytes.
• ftp—Enables File Transfer Protocol (FTP) inspection. The ACE inspects FTP packets, translates the address and port embedded in the payload, and opens up a secondary channel for data.
  • strict—(Optional) Checks for protocol RFC compliance and prevents web browsers from sending embedded commands in FTP requests. The strict keyword prevents an FTP client from determining valid usernames that are supported on an FTP server: when an FTP server replies to the USER command, the ACE intercepts the 530 reply code from the FTP server and replaces it with the 331 reply code. Specifying an FTP inspection policy allows selective command filtering and also prevents the display of the FTP server system type to the FTP client: the ACE intercepts the FTP server 215 reply code and message to the SYST command, then replaces the text following the reply code with asterisks.
  • policy policy_map1—(Optional) Specifies the name assigned to a previously created Layer 7 FTP command inspection policy map to implement the inspection of Layer 7 FTP commands by the ACE. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters. Use the inspect ftp command in policy map class configuration mode to define the FTP command request inspection policy.
Note
If you do not specify a Layer 7 policy map, the ACE performs a general set of Layer 3 and Layer 4 FTP protocol fixup actions.
• http—Enables enhanced Hypertext Transfer Protocol (HTTP) inspection on the HTTP traffic. By default, the ACE allows all request methods.
  • policy policy_map2—(Optional) Specifies the name assigned to a previously created Layer 7 HTTP application inspection policy map to implement the deep packet inspection of Layer 7 HTTP application traffic by the ACE. The inspection checks are based on configured parameters in an existing Layer 7 policy map and internal RFC compliance checks performed by the ACE. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
Note
If you do not specify a Layer 7 policy map, the ACE performs strict HTTP and a general set of Layer 3 and Layer 4 HTTP protocol fixup actions and internal RFC compliance checks.
  • url-logging—(Optional) Enables the monitoring of Layer 3 and Layer 4 traffic. This function logs every URL request that is sent in the specified class of traffic, including the source or destination IP address and the URL that is accessed.
• icmp—Enables Internet Control Message Protocol (ICMP) payload inspection. ICMP inspection allows ICMP traffic to have a "session" so it can be inspected similarly to TCP and UDP traffic.
  • error—(Optional) Performs a NAT of ICMP error messages. The ACE creates translation sessions for intermediate or endpoint nodes that send ICMP error messages based on the NAT configuration. The ACE overwrites the packet with the translated IP addresses.
• rtsp—Enables Real Time Streaming Protocol (RTSP) packet inspection. RTSP is used by RealAudio, RealNetworks, Apple QuickTime 4, RealPlayer, and Cisco IP/TV connections. The ACE monitors Setup and Response (200 OK) messages in the control channel established using TCP port 554 (no UDP support).
For example, to specify the inspect http command as an action for an HTTP application protocol inspection policy map, enter:
host1/Admin(config)# policy-map multi-match HTTP_INSPECT_L4POLICY
host1/Admin(config-pmap)# class HTTP_INSPECT_L4CLASS
host1/Admin(config-pmap-c)# inspect http policy HTTP_DEEPINSPECT_L7POLICY
For example, to specify the inspect dns command as an action for a DNS application protocol inspection policy map, enter:
host1/Admin(config)# policy-map multi-match DNS_INSPECT_L4POLICY
host1/Admin(config-pmap)# class DNS_INSPECT_L4CLASS
host1/Admin(config-pmap-c)# inspect dns maximum-length 1000
For example, to specify the inspect ftp command as an action for an FTP command inspection policy map, enter:
host1/Admin(config)# policy-map multi-match FTP_INSPECT_L4POLICY
host1/Admin(config-pmap)# class FTP_INSPECT_L4CLASS
host1/Admin(config-pmap-c)# inspect ftp strict policy FTP_INSPECT_L7POLICY
host1/Admin(config-pmap-c)# exit
To disable an application protocol inspection action from a policy map, enter:
host1/Admin(config-pmap-c)# no inspect dns maximum-length 1000
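The reply rewriting that the strict keyword is described to perform, as an added Python model that is not the ACE implementation: a 530 reply to USER is re-coded as 331 so a client cannot tell a valid username from an unknown one, and the text of the 215 reply to SYST is replaced by asterisks so the server platform is not disclosed. The session below is constructed; because the page describes only the reply-code substitution for 530, the reply text is passed through unchanged, which the comments point out.

```python
import re
from typing import List, Tuple

# Added model of the ACE "inspect ftp strict" reply masking; constructed, not ACE code.
REPLY_RE = re.compile(r"^(\d{3})([ -])(.*)$")     # "530 text" or "530-text" (multi-line)

def mask_ftp_reply(last_client_cmd: str, server_reply: str) -> str:
    """Rewrite one FTP server reply line the way the strict keyword is described.
    last_client_cmd is the request this reply answers, e.g. "USER bob"."""
    verb = last_client_cmd.strip().split(" ", 1)[0].upper()
    body = server_reply.rstrip("\r\n")
    eol = server_reply[len(body):]                   # keep the original line ending
    m = REPLY_RE.match(body)
    if not m:
        return server_reply                          # not a well-formed reply line: pass through
    code, sep, text = m.groups()
    if verb == "USER" and code == "530":
        # Page: the 530 code is replaced by 331 so the client sees the same code for
        # known and unknown users. Only the code is changed here, as the page describes;
        # note that the untouched text can still reveal the failure, so a fuller
        # implementation would neutralise it as well.
        return f"331{sep}{text}{eol}"
    if verb == "SYST" and code == "215":
        # Page: the text after the 215 code is replaced with asterisks, hiding the system type.
        return f"215{sep}{'*' * len(text)}{eol}"
    return server_reply

def filter_session(exchange: List[Tuple[str, str]]) -> List[str]:
    """Apply the masking to (client request, server reply) pairs and return the replies
    as the client would receive them through the ACE."""
    return [mask_ftp_reply(req, rep) for req, rep in exchange]

# Constructed session: one unknown user, one valid user, then a SYST request.
SESSION = [
    ("USER nobody", "530 User nobody cannot log in.\r\n"),
    ("USER alice",  "331 Password required for alice.\r\n"),
    ("PASS secret", "230 User alice logged in.\r\n"),
    ("SYST",        "215 UNIX Type: L8\r\n"),
]

if __name__ == "__main__":
    for (req, _), seen in zip(SESSION, filter_session(SESSION)):
        print(f"{req:<12} -> {seen.rstrip()}")
```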
Configuring an HTTP Parameter Map for Use in a Layer 3 and Layer 4 Policy Map
A parameter map is a means to combine related actions for use in a Layer 3 and Layer 4 HTTP deep packet inspection policy map. You reference this parameter map in the appl-parameter command in policy map class configuration mode. See the "Associating an HTTP Parameter Map with a Layer 3 and Layer 4 Policy Map" section.
To configure advanced HTTP behavior for HTTP deep packet inspection, use the parameter-map type http command in configuration mode. The syntax of this command is:
parameter-map type http name
The name argument specifies the identifier assigned to the parameter map. Enter an unquoted text string with no spaces and a maximum of 32 alphanumeric characters.
This section includes the following procedures to define the advanced HTTP parameter map:
• Disabling Case Sensitivity Matching
• Setting the Maximum Number of Bytes to Parse in HTTP Headers
• Setting the Maximum Number of Bytes to Parse in HTTP Content
• Associating an HTTP Parameter Map with a Layer 3 and Layer 4 Policy Map
Disabling Case Sensitivity Matching
By default, the ACE CLI is case sensitive. To disable case sensitivity matching for HTTP only, use the case-insensitive command in HTTP parameter map configuration mode. With case-insensitive matching enabled, upper- and lower-case letters are considered the same. When case sensitivity is disabled, it applies to:
• HTTP header names and values
• URL strings
• HTTP content inspection
The syntax of this command is:
case-insensitive
For example, to disable case sensitivity, enter:
host1/Admin(config-parammap-http)# case-insensitive
To reenable case-sensitive matching after it has been disabled, enter:
host1/Admin(config-parammap-http)# no case-insensitive
Setting the Maximum Number of Bytes to Parse in HTTP Headers
To set the maximum number of bytes to parse in HTTP headers, use the set header-maxparse-length command in HTTP parameter-map configuration mode. The syntax of this command is:
set header-maxparse-length bytes
The bytes argument specifies the maximum number of bytes to parse for HTTP headers. Enter an integer from 1 to 65535. The default is 2048 bytes.
For example, to set the HTTP header maximum parse length to 8192, enter:
host1/Admin(config-parammap-http)# set header-maxparse-length 8192
To reset the HTTP header maximum parse length to the default of 2048 bytes, enter:
host1/Admin(config-parammap-http)# no set header-maxparse-length
Setting the Maximum Number of Bytes to Parse in HTTP Content
To set the maximum number of bytes to parse in HTTP content, use the set content-maxparse-length command in HTTP parameter map configuration mode. The syntax of this command is:
set content-maxparse-length bytes
The bytes argument specifies the maximum number of bytes to parse in HTTP content. Enter an integer from 1 to 65535. The default is 4096 bytes.
For example, to set the maximum parse length to 8192, enter:
host1/Admin(config-parammap-http)# set content-maxparse-length 8192
To reset the maximum parse length to the default of 4096 bytes, enter:
host1/Admin(config-parammap-http)# no set content-maxparse-length
Associating an HTTP Parameter Map with a Layer 3 and Layer 4 Policy Map
To associate an HTTP parameter map with a Layer 3 and Layer 4 policy map, use the appl-parameter http advanced-options command in policy map class configuration mode.
The syntax of this command is:
appl-parameter http advanced-options name
The name argument identifies the name of an existing HTTP parameter map. Parameter maps aggregate HTTP traffic-related actions together. For details, see the "Configuring an HTTP Parameter Map for Use in a Layer 3 and Layer 4 Policy Map" section.
For example, to specify the appl-parameter http advanced-options command as an action for the HTTP deep packet inspection policy map, enter:
host1/Admin(config)# policy-map multi-match HTTP_INSPECT_L4POLICY
host1/Admin(config-pmap)# class HTTP_INSPECT_L4CLASS
host1/Admin(config-pmap-c)# appl-parameter http advanced-options HTTP_PARAM_MAP1
To disassociate the HTTP parameter map as an action from the HTTP deep packet inspection policy map, enter:
host1/Admin(config-pmap-c)# no appl-parameter http advanced-options HTTP_PARAM_MAP1
Applying a Service Policy
Use the service-policy command to:
• Apply a previously created policy map.
• Attach the traffic policy to a specific VLAN interface or globally to all VLAN interfaces in the same context.
• Specify that the traffic policy is to be attached to the input direction of an interface.
The service-policy command is available at both the interface configuration mode and at the configuration mode. Specifying a policy map in the interface configuration mode applies the policy map to a specific VLAN interface. Specifying a policy map in the configuration mode applies the policy to all of the VLAN interfaces associated with a context.
The syntax of this command is:
service-policy input policy_name
The keywords, arguments, and options are:
• input—Specifies that the traffic policy is to be attached to the input direction of a VLAN interface. The traffic policy evaluates all traffic received by that interface.
• policy_name—Specifies the name of a previously defined policy map, configured with a previously created policy-map command. The name can be a maximum of 64 alphanumeric characters.
For example, to specify a VLAN interface and apply multiple service policies to a VLAN, enter:
host1/Admin(config)# interface vlan 50
host1/Admin(config-if)# ip address 172.16.1.100 255.255.255.0
host1/Admin(config-if)# service-policy input FTP_INSPECT_L4POLICY
host1/Admin(config-if)# service-policy input HTTP_INSPECT_L4POLICY
host1/Admin(config-if)# service-policy input DNS_INSPECT_L4POLICY
For example, to globally apply multiple service policies to all of the VLANs associated with a context, enter:
host1/Admin(config)# service-policy input FTP_INSPECT_L4POLICY
host1/Admin(config)# service-policy input HTTP_INSPECT_L4POLICY
host1/Admin(config)# service-policy input DNS_INSPECT_L4POLICY
To detach a traffic policy from a VLAN interface, enter:
host1/Admin(config-if)# no service-policy input DNS_INSPECT_L4POLICY
To globally detach a traffic policy from all VLANs associated with a context, enter:
host1/Admin(config)# no service-policy input DNS_INSPECT_L4POLICY
When you detach a traffic policy either:
• Individually from the last VLAN interface on which you applied the service policy
• Globally from all VLAN interfaces in the same context
the ACE automatically resets the associated service policy statistics. The ACE performs this action to provide a new starting point for the service policy statistics the next time you attach a traffic policy to a specific VLAN interface or globally to all VLAN interfaces in the same context.
Note the following when creating a service policy:
• Policy maps, applied globally in a context, are internally applied on all interfaces existing in the context.
• A policy activated on a VLAN interface overwrites any specified global policies for overlapping classification and actions.
• The ACE allows only one policy of a specific feature type to be activated on a given interface.
Viewing Application Protocol Inspection Statistics and Service Policy Information
The ACE CLI provides a comprehensive set of show commands that display application protocol inspection statistics and service policy configuration information. This section includes the following topics:
• Displaying HTTP Protocol Inspection Statistics
• Displaying Service Policy Configuration Information
Displaying HTTP Protocol Inspection Statistics
To display HTTP protocol inspection statistics, use the show stats inspect http command. The syntax for this command is:
show stats inspect http
For example, enter:
host1/Admin# show stats inspect http
+------------------------------------------+
+--------- HTTP Inspect statistics --------+
+------------------------------------------+
Total request/response : 0
Total allow decisions : 0
Total logging decisions : 0
Use the clear stats inspect http command to clear the HTTP protocol inspection statistics.
Table 3-9 describes the fields in the show stats inspect http command output.
Table 3-9 Field Descriptions for show stats inspect Command
Field | Description
Total Request/Response | Total number of HTTP packet requests or responses processed by the ACE.
Total Allow Decisions | Total number of HTTP packets inspected and allowed by the ACE.
Total Drop Decisions | Total number of HTTP packets inspected and denied by the ACE.
Total Logging Decisions | Total number of syslog messages generated to track the action taken by the ACE on the matching HTTP traffic. Logging is enabled as an action in the associated HTTP inspection policy map.
Displaying Service Policy Configuration Information
To display service policy statistics, use the show service-policy command in Exec mode. The statistics that appear in the output depend on the configuration of the associated Layer 3 and Layer 4 policy map. The show service-policy command displays the following information:
• VLAN to which the policy is applied
• Class map associated with the policy
• Status of any load balancing operations
The syntax of this command is:
show service-policy policy_name [detail]
The keywords, options, and arguments are as follows:
• policy_name—The identifier of an existing policy map that is currently in service (applied to an interface) as an unquoted text string with a maximum of 64 alphanumeric characters.
• detail—(Optional) Displays a more detailed listing of policy map statistics and status information.
Note
The ACE updates the counters that the show service-policy command displays after the applicable connections are closed.
For example, to display service policy statistics for the HTTP_INSPECT_L4POLICY policy map, enter:
host1/Admin# show service-policy HTTP_INSPECT_L4POLICY
Description: HTTP protocol deep inspection of incoming traffic
-----------------------------------------
service-policy: HTTP_INSPECT_L4POLICY
class: HTTP_INSPECT_L4CLASS
curr conns : 0 , hit count : 0
client pkt count : 0 , client byte count: 0
server pkt count : 0 , server byte count: 0
TotalReq/Resp: 0 TotalAllowed: 0
TotalDropped : 0 TotalLogged : 0
L7 policy: HTTP_INSPECT_L7POLICY, url logging: disabled
L7 policy stats: Total number of L7 rules 1
L7 class/match HTTP_INSPECT_L7CLASS: reset
TotalInspected : 0 TotalMatched: 0
TotalDroppedOnError: 0 TotalLogged : 0
For example, to display service policy statistics for the FTP_INSPECT_L4POLICY policy map, enter:
host1/Admin# show service-policy FTP_INSPECT_L4POLICY
Description: FTP command inspection of incoming traffic
-----------------------------------------
service-policy: FTP_INSPECT_L4POLICY
curr conns : 0 , hit count : 0
client pkt count : 0 , client byte count: 0
server pkt count : 0 , server byte count: 0
L7 policy: FTP_INSPECT_L7POLICY
TotalReplyMasked : 0 TotalDropped: 0
For example, to display service policy statistics for the APP_INSPECT_L4POLICY policy map, enter:
host1/Admin# show service-policy APP_INSPECT_L4POLICY
-----------------------------------------
service-policy: APP_INSPECT_L4POLICY
class: APP_INSPECT_L4CLASS
curr conns : 0 , hit count : 0
client pkt count : 0 , client byte count: 0
server pkt count : 0 , server byte count: 0
To clear the service policy statistics, use the clear service-policy command. The syntax of this command is:
clear service-policy policy_name
For the policy_name argument, enter the identifier of an existing policy map that is currently in service (applied to an interface).
For example, to clear the statistics for the policy map HTTP_INSPECT_L4POLICY that is currently in service, enter:
host1/Admin# clear service-policy HTTP_INSPECT_L4POLICY
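The show service-policy output above is what an operator polls to confirm that an inspection policy is in service and to notice drops after a policy change. The following added Python parser (constructed for this page, not an ACE tool) reads output in that shape into per-class Layer 4 and Layer 7 counters and flags any drop counter above a threshold; the sample output, the "(no class)" bucket used for output without a class line, and the threshold are assumptions.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the shape of the "show service-policy" output on this page,
# with non-zero counters so that the drop check below has something to report.
SAMPLE_OUTPUT = """\
Description: HTTP protocol deep inspection of incoming traffic
-----------------------------------------
service-policy: HTTP_INSPECT_L4POLICY
class: HTTP_INSPECT_L4CLASS
curr conns : 2 , hit count : 150
client pkt count : 1200 , client byte count: 640000
server pkt count : 1100 , server byte count: 2500000
TotalReq/Resp: 300 TotalAllowed: 296
TotalDropped : 3 TotalLogged : 4
L7 policy: HTTP_INSPECT_L7POLICY, url logging: disabled
L7 policy stats: Total number of L7 rules 1
L7 class/match HTTP_INSPECT_L7CLASS: reset
TotalInspected : 300 TotalMatched: 4
TotalDroppedOnError: 1 TotalLogged : 4
"""

# "name : 123" pairs; several may share one line, separated by spaces or commas.
COUNTER_RE = re.compile(r"([A-Za-z][A-Za-z0-9/ ]*?)\s*:\s*(\d+)\b")
RULES_RE = re.compile(r"rules\s+(\d+)")

def _new_class() -> Dict:
    return {"l7_policy": None, "url_logging": None, "l7_rules": None, "l4": {}, "l7": {}}

def parse_service_policy(text: str) -> Dict:
    """Parse one policy's output into {"policy", "description", "classes": {name: stats}}.
    Counters before the "L7 policy:" line are Layer 4 stats, those after it Layer 7."""
    result: Dict = {"policy": None, "description": None, "classes": {}}
    current = None
    layer = "l4"
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Description:"):
            result["description"] = line.split(":", 1)[1].strip()
        elif line.startswith("service-policy:"):
            result["policy"] = line.split(":", 1)[1].strip()
        elif line.startswith("class:"):
            current = line.split(":", 1)[1].strip()
            result["classes"][current] = _new_class()
            layer = "l4"
        elif line.startswith("L7 policy:"):
            if current is None:                          # FTP output has no "class:" line
                current = "(no class)"
                result["classes"][current] = _new_class()
            head, _, tail = line[len("L7 policy:"):].partition(",")
            result["classes"][current]["l7_policy"] = head.strip()
            if "url logging:" in tail:
                result["classes"][current]["url_logging"] = tail.split(":", 1)[1].strip()
            layer = "l7"
        elif line.startswith("L7 policy stats:"):
            m = RULES_RE.search(line)
            if m and current is not None:
                result["classes"][current]["l7_rules"] = int(m.group(1))
        else:
            pairs = COUNTER_RE.findall(line)             # counter lines; separators yield none
            if pairs:
                if current is None:
                    current = "(no class)"
                    result["classes"][current] = _new_class()
                for name, value in pairs:
                    result["classes"][current][layer][name.strip()] = int(value)
    return result

def drop_alerts(parsed: Dict, threshold: int = 0) -> List[Tuple[str, str, str, int]]:
    """Return (class, layer, counter, value) for every drop counter above threshold;
    a rising TotalDropped or TotalDroppedOnError is what to watch after a policy change."""
    alerts = []
    for cname, stats in parsed["classes"].items():
        for layer in ("l4", "l7"):
            for counter, value in stats[layer].items():
                if "Dropped" in counter and value > threshold:
                    alerts.append((cname, layer, counter, value))
    return alerts

if __name__ == "__main__":
    parsed = parse_service_policy(SAMPLE_OUTPUT)
    print(parsed["policy"], drop_alerts(parsed))
```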
Table 3-10 describes the fields in the show service-policy detail command output for an application protocol inspection policy map.
Table 3-10 Field Descriptions for the show service-policy detail Command Output
Field | Description
Status | The status of the policy map as applied in a service policy to a VLAN interface: Active or Inactive
Description | Optional description about the policy map
Context Global Policy | Indicates that the service policy has been applied globally in configuration mode to all VLAN interfaces for the context
Interface | VLAN identifier of the interface associated with the service policy
Service-Policy | Identifier of the policy map
Class | Identifier of the class map associated with the policy map
Inspect DNS | Displays DNS application protocol inspection statistics
Inspect HTTP | Displays HTTP application protocol inspection statistics
Inspect FTP | Displays FTP application protocol inspection statistics
Inspect ICMP | Displays ICMP application protocol inspection statistics
Inspect RTSP | Displays RTSP application protocol inspection statistics
Max Length | The maximum length of a DNS reply
Strict FTP | Status of the strict FTP function for FTP application protocol inspection: Enabled or Disabled
URL Logging | Status of the URL logging function for HTTP application protocol inspection: Enabled or Disabled
ICMP Error | Status of the ICMP error function for ICMP application protocol inspection: Enabled or Disabled
Curr Conns | Number of active connections.
Hit Count | Number of connections that the ACE
Dropped Conns | Number of connections that the ACE discarded
Client Pkt Count | Number of packets received from clients
Client Byte Count | Number of bytes received from clients
Server Pkt Count | Number of packets received from servers
Server Byte Count | Number of bytes received from servers
L4 Policy Stats | (group heading for the Layer 4 counters that follow)
TotalReq/Resp | Total number of requests and responses for the policy map
Total Allowed | Total number of packets received and allowed
Total Dropped | Total number of packets received and discarded
Total Logged | Total number of errors logged
L7 Policy | Identifier of the policy map associated with the service policy
L7 Policy Stats | Current status of the Layer 7 policy map, including the total number of Layer 7 rules
L7 Class/Match | Identifier of the Layer 7 HTTP deep packet inspection class map and the associated policy map match actions
Total Inspected | Total number of packets inspected
Total Matched | Total number of packets matched
Total Reply Masked | Total number of masked system replies to the FTP SYST command. Applicable to only the FTP SYST command and its associated reply.
Total Dropped On Error | Total number of packets dropped due to an error in the match
TotalLogged | Total number of errors logged