Table Of Contents
Class Map Commands on the Virtual Firewall
class-map
class-map type ftp inspect
class-map type http inspect
class-map type management
description
match access-list
match any
match content
match content length
match destination-address
match header
match header length
match header mime-type
match port
match port-misuse
match protocol
match request-method
match request-method (ftp)
match source-address
match transfer-encoding
match url
match url length
Class Map Commands on the Virtual Firewall
This chapter describes the class map commands used to configure application protocol inspection on the Virtual Firewall (VFW) application.
Note: The commands described in this module are SanOS (Linux) commands used on the VFW application. Before you can access any of these commands, you must attach from the route processor to the VFW application using the service firewall attach location command. For more information, see the "Attaching to the VFW Application" section in Cisco IOS XR Virtual Firewall Configuration Guide.
class-map
To create a Layer 3 and Layer 4 class map and access class map configuration mode, use the class-map command in configuration mode. The prompt changes to (config-cmap). To remove a Layer 3 and Layer 4 class map from the VFW application, use the no form of the command.
class-map [match-all | match-any] class_name
no class-map [match-all | match-any] class_name
Syntax Description
match-all | match-any
    (Optional) Determines how the VFW application evaluates Layer 3 and Layer 4 network traffic when multiple match criteria exist in a class map. The class map is considered a match if the match commands meet one of the following conditions:
    • match-all—(Default) All the match criteria listed in the class map must be satisfied to match the network traffic class in the class map, typically match commands of different types.
    • match-any—Only one of the match criteria listed in the class map needs to be satisfied to match the network traffic class in the class map, typically match commands of the same type.
class_name
    Name assigned to the Layer 3 and Layer 4 class map. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
Defaults
No default behavior or values
Command Modes
Configuration
Command History
Release 3.5.0
    This command was introduced on the multiservice blade (MSB) for the Cisco XR 12000 Series Router.
Release 3.6.0
    No modification.
Release 3.7.0
    No modification.
Usage Guidelines
This command requires the inspect, NAT, or connection feature in your user role, depending on the type of class map you want to configure. For details about role-based access control (RBAC) and user roles, see the "Configuring Virtualization on the Virtual Firewall" chapter in Cisco IOS XR Virtual Firewall Configuration Guide.
Use the class-map command to configure a Layer 3 and Layer 4 class map. You enter class map configuration mode, where you can configure the match criteria for the class map. The CLI prompt changes correspondingly to the selected class map configuration mode: (config-cmap).
A Layer 3 and Layer 4 class map contains match criteria that classifies network traffic that can pass through the VFW application based on source or destination IP address, source or destination port, IP protocol, and port.
The VFW application supports a system-wide maximum of 8192 class maps.
When multiple match criteria exist in the traffic class, you can identify evaluation instructions using the match-any or match-all keywords. If you specify match-any as the evaluation instruction, the traffic being evaluated must match one of the specified criteria, typically match commands of the same type. If you specify match-all as the evaluation instruction, the traffic being evaluated must match all the specified criteria, typically match commands of different types.
Examples
The following example shows how to create a Layer 3 and Layer 4 class map named L4VIP_CLASS to identify the network traffic that can pass through the VFW application:
firewall/Admin(config)# class-map match-all L4VIP_CLASS
firewall/Admin(config-cmap)#
Related Commands
policy-map multi-match
    Creates a Layer 3 and Layer 4 policy map and enters policy map configuration mode.
class-map type ftp inspect
To create and configure a Layer 7 class map to be used for the inspection of FTP request commands and access class map FTP inspection configuration mode, use the class-map type ftp inspect command in configuration mode. To remove the class map from the VFW application, use the no form of the command.
class-map type ftp inspect match-any class_name
no class-map type ftp inspect match-any class_name
Syntax Description
match-any
    Determines how the VFW application inspects FTP request commands when multiple match criteria exist in a class map. Only one of the match criteria listed in the class map needs to be satisfied to match the FTP command inspection class in the class map.
class_name
    Name assigned to the Layer 7 FTP command request class map. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
Defaults
No default behavior or values
Command Modes
Configuration
Command History
Release 3.5.0
    This command was introduced on the multiservice blade (MSB) for the Cisco XR 12000 Series Router.
Release 3.6.0
    No modification.
Release 3.7.0
    No modification.
Usage Guidelines
This command requires the inspect, NAT, or connection feature in your user role, depending on the type of class map you want to configure. For details about role-based access control (RBAC) and user roles, see the "Configuring Virtualization on the Virtual Firewall" chapter in Cisco IOS XR Virtual Firewall Configuration Guide.
Use the class-map type ftp inspect command to configure a Layer 7 class map to be used for the inspection of FTP request commands. You enter class map FTP inspection configuration mode where you can configure request methods that you want to match in the FTP inspection. The CLI prompt changes correspondingly to the selected class map configuration mode: (config-cmap-ftp-insp).
A Layer 7 FTP class map contains match criteria that perform FTP request command filtering.
The VFW application supports a system-wide maximum of 8192 class maps.
Due to the match-any keyword, the traffic being evaluated must match one of the request match commands.
Examples
The following example shows how to create a Layer 7 class map named FTP_INSPECT_L7CLASS that performs FTP command inspection:
firewall/Admin(config)# class-map type ftp inspect match-any FTP_INSPECT_L7CLASS
firewall/Admin(config-cmap-ftp-insp)#
Related Commands
match request-method
    Configures the class map to define application inspection compliance decisions based on the request methods defined in RFC 2616 and by HTTP extension methods.
policy-map type inspect ftp
    Creates an FTP command request inspection policy map and enters policy map FTP inspection configuration mode.
class-map type http inspect
To create a Layer 7 HTTP deep packet inspection class map and access class map HTTP inspection configuration mode, use the class-map type http inspect command in configuration mode. The prompt changes to (config-cmap-http-insp). To remove an HTTP deep packet inspection class map from the VFW application, use the no form of the command.
class-map type http inspect [match-all | match-any] class_name
no class-map type http inspect [match-all | match-any] class_name
Syntax Description
match-all | match-any
    (Optional) Determines how the VFW application performs the deep packet inspection of HTTP traffic when multiple match criteria exist in a class map. The class map is considered a match if the match commands meet one of the following conditions:
    • match-all—(Default) Network traffic needs to satisfy all the match criteria (implicit AND) to match the Layer 7 HTTP deep packet inspection class map. The match-all keyword is applicable only for match statements of different HTTP deep packet inspection types. For example, specifying a match-all condition for URL, HTTP header, and URL content statements in the same class map is valid. However, specifying a match-all condition for multiple HTTP headers with the same names or multiple URLs in the same class map is invalid.
    • match-any—Network traffic needs to satisfy only one of the match criteria (implicit OR) to match the Layer 7 HTTP deep packet inspection class map. The match-any keyword is applicable only for match statements of the same Layer 7 HTTP deep packet inspection type. For example, the VFW application does not allow you to specify a match-any condition for URL, HTTP header, and URL content statements in the same class map but does allow you to specify a match-any condition for multiple URLs, multiple HTTP headers, or multiple URL content statements with different names in the same class map.
class_name
    Name assigned to the Layer 7 HTTP deep packet inspection class map. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
Defaults
No default behavior or values
Command Modes
Configuration
Command History
Release 3.5.0
    This command was introduced on the multiservice blade (MSB) for the Cisco XR 12000 Series Router.
Release 3.6.0
    No modification.
Release 3.7.0
    No modification.
Usage Guidelines
This command requires the inspect, NAT, or connection feature in your user role, depending on the type of class map you want to configure. For details about role-based access control (RBAC) and user roles, see the "Configuring Virtualization on the Virtual Firewall" chapter in Cisco IOS XR Virtual Firewall Configuration Guide.
Use the class-map type http inspect command to create a Layer 7 HTTP deep packet inspection class map. You enter class map HTTP inspection configuration mode, where you can configure the match criteria for the class map. The CLI prompt changes correspondingly to the selected class map configuration mode: (config-cmap-http-insp).
A Layer 7 HTTP class map contains match criteria that perform deep packet inspection of the HTTP protocol.
The VFW application supports a system-wide maximum of 8192 class maps.
When multiple match criteria exist in the traffic class, you can identify evaluation instructions using the match-any or match-all keywords. If you specify match-any as the evaluation instruction, the traffic being evaluated must match one of the specified criteria, typically match commands of the same type. If you specify match-all as the evaluation instruction, the traffic being evaluated must match all the specified criteria, typically match commands of different types.
Examples
The following example shows how to create a Layer 7 class map named HTTP_INSPECT_L7CLASS that performs HTTP deep packet inspection:
firewall/Admin(config)# class-map type http inspect match-any HTTP_INSPECT_L7CLASS
firewall/Admin(config-cmap-http-insp)#
Related Commands
policy-map type inspect http
    Creates an HTTP deep packet inspection policy map and enters policy map inspection HTTP configuration mode.
class-map type management
To create a Layer 3 and Layer 4 class map to classify the IP network management traffic received by the VFW application and access class map management configuration mode, use the class-map type management configuration command in configuration mode. The prompt changes to (config-cmap-mgmt). To remove a network management class map, use the no form of this command.
class-map type management [match-all | match-any] class_name
no class-map type management [match-all | match-any] class_name
Syntax Description
match-all | match-any
    (Optional) Determines how the VFW application evaluates Layer 3 and Layer 4 network management traffic when multiple match criteria exist in a class map. The class map is considered a match if the match commands meet one of the following conditions:
    • match-all—(Default) All the match criteria listed in the class map must be satisfied to match the network traffic class in the class map, typically match commands of different types.
    • match-any—Only one of the match criteria listed in the class map needs to be satisfied to match the network traffic class in the class map, typically match commands of the same type.
class_name
    Name assigned to the Layer 3 and Layer 4 network management protocol class map. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
Defaults
No default behavior or values
Command Modes
Configuration
Command History
Release 3.5.0
    This command was introduced on the multiservice blade (MSB) for the Cisco XR 12000 Series Router.
Release 3.6.0
    No modification.
Release 3.7.0
    No modification.
Usage Guidelines
This command requires the inspect, NAT, or connection feature in your user role, depending on the type of class map you want to configure. For details about role-based access control (RBAC) and user roles, see the "Configuring Virtualization on the Virtual Firewall" chapter in Cisco IOS XR Virtual Firewall Configuration Guide.
Use the class-map type management configuration command to create a Layer 3 and Layer 4 class map to classify the IP network management traffic received by the VFW application. You enter class map management configuration mode, where you can configure the match criteria for the class map. The CLI prompt changes according to the selected class map configuration mode: config-cmap-mgmt.
A Layer 3 and Layer 4 management class map contains match criteria that classifies network management traffic that can be received by the VFW application based on management protocol: HTTP, HTTPS, ICMP, SNMP, SSH, or Telnet.
The VFW application supports a system-wide maximum of 8192 class maps.
When multiple match criteria exist in the traffic class, you can identify evaluation instructions using the match-any or match-all keywords. If you specify match-any as the evaluation instruction, the traffic being evaluated must match one of the specified criteria, typically match commands of the same type. If you specify match-all as the evaluation instruction, the traffic being evaluated must match all the specified criteria, typically match commands of different types.
Examples
The following example shows how to create a Layer 3 and Layer 4 class map named MGMT-ACCESS_CLASS that classifies the network management protocols that can be received by the VFW application:
firewall/Admin(config)# class-map type management match-any MGMT-ACCESS_CLASS
firewall/Admin(config-cmap-mgmt)#
Related Commands
policy-map type management
    Creates a Layer 3 and Layer 4 network management policy map and enters the policy map management configuration mode.
description
To provide a brief summary about a class map, use the description command in the appropriate class map configuration mode. To remove the Layer 3 and Layer 4 class map description from the class map, use the no form of the command.
description text
no description
Syntax Description
text
    Description of a class map. Enter a description as an unquoted text string with a maximum of 240 alphanumeric characters.
Defaults
No default behavior or values
Command Modes
Class map configuration
Class map FTP inspection configuration
Class map HTTP inspection configuration
Class map management configuration
Command History
Release 3.5.0
    This command was introduced on the multiservice blade (MSB) for the Cisco XR 12000 Series Router.
Release 3.6.0
    No modification.
Release 3.7.0
    No modification.
Usage Guidelines
This command has no user role restrictions. For details about role-based access control (RBAC) and user roles, see the "Configuring Virtualization on the Virtual Firewall" chapter in Cisco IOS XR Virtual Firewall Configuration Guide.
Examples
The following example shows how to add a description to the class map:
firewall/Admin(config)# class-map L4_SOURCE_IP_CLASS
firewall/Admin(config-cmap)# description match on source IP address of incoming traffic
Related Commands
class-map
    Creates a Layer 3 and Layer 4 class map and enters class map configuration mode.
class-map type ftp inspect
    Creates and configures a Layer 7 class map to be used for the inspection of FTP request commands and enters class map FTP inspection configuration mode.
class-map type http inspect
    Creates a Layer 7 HTTP deep packet inspection class map and enters class map HTTP inspection configuration mode.
class-map type management
    Creates a Layer 3 and Layer 4 class map to classify the IP network management traffic received by the VFW application and enters class map management configuration mode.
match access-list
To configure the Layer 3 and Layer 4 class map to filter network traffic using a pre-defined access control list, use the match access-list command in class map configuration mode. When a packet matches an entry in an access list, and if it is a permit entry, the VFW application allows the matching result. If it is a deny entry, the VFW application blocks the matching result. To clear the access control list match criteria from the class map, use the no form of the command.
[line_number] match access-list name
no [line_number] match access-list name
Syntax Description
line_number
    (Optional) Line number to assist you in editing or deleting individual match commands. Enter an integer from 2 to 255 as the line number. You can enter no line_number to delete long match commands instead of entering the entire line. The line numbers do not dictate a priority or sequence for the match statements.
name
    Previously created access list identifier. Enter an unquoted text string with a maximum of 64 characters.
Defaults
No default behavior or values
Command Modes
Class map configuration
Command History
Release 3.5.0
    This command was introduced on the multiservice blade (MSB) for the Cisco XR 12000 Series Router.
Release 3.6.0
    No modification.
Release 3.7.0
    No modification.
Usage Guidelines
This command has no user role restrictions. For details about role-based access control (RBAC) and user roles, see the "Configuring Virtualization on the Virtual Firewall" chapter in Cisco IOS XR Virtual Firewall Configuration Guide.
There can be multiple match access-list commands within a single class map. You may combine multiple match access-list, match source-address, match destination-address, and match port commands in a class map.
See the "Configuring Security Access Control Lists on the Virtual Firewall" chapter in Cisco IOS XR Virtual Firewall Configuration Guide for details about creating access control lists in the VFW application.
Examples
The following example shows how to specify that the class map is to match on access control list INBOUND:
firewall/Admin(config)# class-map match-any L4_FILTERTRAFFIC_CLASS
firewall/Admin(config-cmap)# match access-list INBOUND
Related Commands
class-map
    Creates a Layer 3 and Layer 4 class map and enters class map configuration mode.
match any
To instruct the VFW application to perform a match on any network traffic passing through the device, use the match any command in class map configuration mode. To remove the match any criteria from the class map, use the no form of the command.
[line_number] match any
no [line_number] match any
Syntax Description
line_number
    (Optional) Line number to assist you in editing or deleting individual match commands. Enter an integer from 2 to 255 as the line number. You can enter no line_number to delete long match commands instead of entering the entire line. The line numbers do not dictate a priority or sequence for the match statements.
Defaults
No default behavior or values
Command Modes
Class map configuration
Command History
Release 3.5.0
    This command was introduced on the multiservice blade (MSB) for the Cisco XR 12000 Series Router.
Release 3.6.0
    No modification.
Release 3.7.0
    No modification.
Usage Guidelines
This command has no user role feature restrictions. For details about role-based access control (RBAC) and user roles, see the "Configuring Virtualization on the Virtual Firewall" chapter in Cisco IOS XR Virtual Firewall Configuration Guide.
You can include only one match any command within a class map, and you cannot combine the match any command with other types of match commands in a class map, because the other match criteria would be ignored.
Examples
The following example shows how to specify that the class map is to match on any network traffic:
firewall/Admin(config)# class-map match-any L4_MATCHANYTRAFFIC_CLASS
firewall/Admin(config-cmap)# match any
Related Commands
class-map
    Creates a Layer 3 and Layer 4 class map and enters class map configuration mode.
match content
To define HTTP application inspection decisions based on content expressions contained within the HTTP entity-body, use the match content command in class map HTTP inspection configuration mode. To clear content expression checking match criteria from the class map, use the no form of the command.
[line_number] match content expression [offset number]
no [line_number] match content expression [offset number]
Syntax Description
line_number
    (Optional) Line number to assist you in editing or deleting individual match commands. Enter an integer from 2 to 1024 as the line number. You can enter no line_number to delete long match commands instead of entering the entire line. The line numbers do not dictate a priority or sequence for the match statements.
expression
    Content expression contained within the HTTP entity-body. The range is from 1 to 255 alphanumeric characters. For a list of the supported characters that you can use in regular expressions, see Table 1.
offset number
    (Optional) Provides an absolute offset where the content expression search string starts. The offset starts at the first byte of the message body, after the empty line (CR,LF,CR,LF) between the headers and the body of the message. The offset value is from 1 to 4000 bytes.
Defaults
No default behavior or values
Command Modes
Class map HTTP inspection configuration
Command History
Release 3.5.0
    This command was introduced on the multiservice blade (MSB) for the Cisco XR 12000 Series Router.
Release 3.6.0
    No modification.
Release 3.7.0
    No modification.
Usage Guidelines
This command requires the inspect feature in your user role. For details about role-based access control (RBAC) and user roles, see the "Configuring Virtualization on the Virtual Firewall" chapter in Cisco IOS XR Virtual Firewall Configuration Guide.
The match content command is available only in HTTP inspection class maps.
Table 1 provides a list of the supported characters that you can use in regular expressions.
Table 1 Special Characters for Matching String Expressions
.
    One of any character.
.*
    Zero or more of any character.
\.
    Period (escaped).
[charset]
    Match any single character from the range.
[^charset]
    Do not match any character in the range. All other characters represent themselves.
()
    Expression grouping.
(expr1 | expr2)
    OR of expressions.
(expr)*
    0 or more of expression.
(expr)+
    1 or more of expression.
expr{m,n}
    Repeat the expression between m and n times, where m and n have a range of 1 to 255.
expr{m}
    Match the expression exactly m times. The range for m is from 1 to 255.
expr{m,}
    Match the expression m or more times. The range for m is from 1 to 255.
\a
    Alert (ASCII 7).
\b
    Backspace (ASCII 8).
\f
    Form-feed (ASCII 12).
\n
    New line (ASCII 10).
\r
    Carriage return (ASCII 13).
\t
    Tab (ASCII 9).
\v
    Vertical tab (ASCII 11).
\0
    Null (ASCII 0).
\\
    Backslash.
\x##
    Any ASCII character as specified in two-digit hexadecimal notation.
Examples
The following example shows how to specify a content expression contained within the entity-body sent with an HTTP request:
firewall/Admin(config)# class-map type http inspect match-any HTTP_INSPECT_L7CLASS
firewall/Admin(config-cmap-http-insp)# match content .*newp2psig
Related Commands
class-map type http inspect
    Creates a Layer 7 HTTP deep packet inspection class map and enters class map HTTP inspection configuration mode.
match content length
To configure the class map to define application inspection decisions on HTTP traffic up to the configured maximum content parse length, use the match content length command in class map HTTP inspection configuration mode. Messages that meet the specified criteria are either allowed or denied, based on the Layer 7 HTTP deep packet inspection policy map action. To clear the HTTP content length match criteria from the class map, use the no form of the command.
[line_number] match content length operator bytes [bytes2]
no [line_number] match content length operator bytes [bytes2]
Syntax Description
line_number
    (Optional) Line number to assist you in editing or deleting individual match commands. Enter an integer from 2 to 1024 as the line number. You can enter no line_number to delete long match commands instead of entering the entire line. The line numbers do not dictate a priority or sequence for the match statements.
operator
    Comparison that is to be made against the HTTP content parse length. Allowable operators are as follows:
    • lt—Less than
    • gt—Greater than
    • eq—Equal to
    • neq—Not equal to
    • range—An inclusive range of size values
bytes [bytes2]
    Numeric value to compare to the HTTP content parse length. Valid entries are from 1 to 65535 bytes. The bytes2 argument is used for the range operator.
Defaults
No default behavior or values
Command Modes
Class map HTTP inspection configuration
Command History
Release 3.5.0
    This command was introduced on the multiservice blade (MSB) for the Cisco XR 12000 Series Router.
Release 3.6.0
    No modification.
Release 3.7.0
    No modification.
Usage Guidelines
This command requires the inspect feature in your user role. For details about role-based access control (RBAC) and user roles, see the "Configuring Virtualization on the Virtual Firewall" chapter in Cisco IOS XR Virtual Firewall Configuration Guide.
Examples
The following example shows how to identify content parse length in an HTTP message that can be received by the VFW application:
firewall/Admin(config)# class-map type http inspect match-any HTTP_INSPECT_L7CLASS
firewall/Admin(config-cmap-http-insp)# match content length eq 3495
Related Commands
class-map type http inspect
    Creates a Layer 7 HTTP deep packet inspection class map and enters class map HTTP inspection configuration mode.
match destination-address
To specify the destination IP address and subnet mask as the network traffic matching criteria, use the match destination-address command in class map configuration mode. To clear the destination IP address and subnet mask match criteria from the class map, use the no form of the command.
[line_number] match destination-address ip_address [mask]
no [line_number] match destination-address ip_address [mask]
Syntax Description
line_number
    (Optional) Line number to assist you in editing or deleting individual match commands. Enter an integer from 2 to 255 as the line number. You can enter no line_number to delete long match commands instead of entering the entire line. The line numbers do not dictate a priority or sequence for the match statements.
ip_address
    Destination IP address. Enter the IP address in dotted-decimal notation.
mask
    (Optional) Subnet mask entry in dotted-decimal notation.
Defaults
No default behavior or values
Command Modes
Class map configuration
Command History
Release 3.5.0
    This command was introduced on the multiservice blade (MSB) for the Cisco XR 12000 Series Router.
Release 3.6.0
    No modification.
Release 3.7.0
    No modification.
Usage Guidelines
This command has no user role feature restrictions. For details about role-based access control (RBAC) and user roles, see the "Configuring Virtualization on the Virtual Firewall" chapter in Cisco IOS XR Virtual Firewall Configuration Guide.
There can be multiple match destination-address commands within a single class map. You may combine multiple match destination-address, match access-list, match source-address, and match port commands in a class map.
An entry of 0.0.0.0 0.0.0.0 indicates a wildcard match for any destination IP address and subnet mask.
Examples
The following example shows how to specify that the class map is to match on destination IP address 172.16.20.1 255.255.0.0:
firewall/Admin(config)# class-map L4_DEST_IP_CLASS
firewall/Admin(config-cmap)# match destination-address 172.16.20.1 255.255.0.0
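The match-all / match-any evaluation and the address-plus-mask matching described for this command, modeled in Python as an added example (not Cisco's code). It assumes that match source-address mirrors match destination-address, that a class map with no match entries classifies nothing, and that a missing mask means an exact host match; the packets are constructed, not captured.

```python
# Added example (not Cisco's code): a Python model of how a Layer 3 and Layer 4
# class map evaluates match destination-address / match source-address entries
# under match-all and match-any, including the dotted-decimal mask, the
# 0.0.0.0 0.0.0.0 wildcard, and the line numbers used to delete a single entry.
# Assumption: match source-address mirrors match destination-address.
import ipaddress
from typing import Dict, Optional, Tuple


def address_matches(ip: str, address: str, mask: Optional[str]) -> bool:
    """True if ip lies within address/mask; no mask is assumed to mean a host match."""
    net = ipaddress.IPv4Network((address, mask or "255.255.255.255"), strict=False)
    return ipaddress.IPv4Address(ip) in net


class L4ClassMap:
    """Holds match entries keyed by line number (2 to 255); order is not priority."""

    def __init__(self, name: str, mode: str = "match-all") -> None:
        if mode not in ("match-all", "match-any"):
            raise ValueError(mode)
        self.name, self.mode = name, mode
        self.entries: Dict[int, Tuple[str, str, Optional[str]]] = {}

    def match_address(self, line: int, direction: str, address: str,
                      mask: Optional[str] = None) -> None:
        """[line_number] match {destination-address|source-address} ip_address [mask]"""
        if not 2 <= line <= 255:
            raise ValueError("line number must be 2 to 255")
        if direction not in ("destination-address", "source-address"):
            raise ValueError(direction)
        self.entries[line] = (direction, address, mask)

    def no(self, line: int) -> None:
        """no line_number: delete one match command without retyping it."""
        self.entries.pop(line)

    def matches(self, packet: Dict[str, str]) -> bool:
        """match-all: AND across all entries; match-any: OR across all entries."""
        results = []
        for direction, address, mask in self.entries.values():
            ip = packet["dst"] if direction == "destination-address" else packet["src"]
            results.append(address_matches(ip, address, mask))
        if not results:
            return False  # assumption: an empty class map classifies nothing
        return all(results) if self.mode == "match-all" else any(results)


def demo() -> Dict[str, bool]:
    """Constructed packets (not captured traffic) evaluated against three class maps."""
    # match-all: destination in 172.16.0.0/16 AND source in 10.0.0.0/8
    both = L4ClassMap("L4_DEST_IP_CLASS", "match-all")
    both.match_address(2, "destination-address", "172.16.20.1", "255.255.0.0")
    both.match_address(3, "source-address", "10.0.0.0", "255.0.0.0")
    # match-any: either of two destination networks
    either = L4ClassMap("L4_ANY_DEST_CLASS", "match-any")
    either.match_address(2, "destination-address", "172.16.0.0", "255.255.0.0")
    either.match_address(3, "destination-address", "192.168.1.0", "255.255.255.0")
    # the wildcard entry from the usage guidelines
    wild = L4ClassMap("L4_WILDCARD_CLASS")
    wild.match_address(2, "destination-address", "0.0.0.0", "0.0.0.0")

    inside = {"src": "10.1.2.3", "dst": "172.16.99.7"}
    wrong_dst = {"src": "10.1.2.3", "dst": "172.17.0.1"}
    wrong_src = {"src": "192.168.5.5", "dst": "172.16.99.7"}
    out = {
        "all_inside": both.matches(inside),
        "all_wrong_dst": both.matches(wrong_dst),
        "all_wrong_src": both.matches(wrong_src),
        "any_second_net": either.matches({"src": "1.2.3.4", "dst": "192.168.1.5"}),
        "any_neither": either.matches({"src": "1.2.3.4", "dst": "8.8.8.8"}),
        "wildcard": wild.matches({"src": "1.2.3.4", "dst": "8.8.8.8"}),
    }
    both.no(3)  # drop the source entry; only the destination entry remains
    out["after_no_3"] = both.matches(wrong_src)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```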
Related Commands
class-map
    Creates a Layer 3 and Layer 4 class map and enters class map configuration mode.
match header
To configure the class map to define application inspection decisions based on the name and value in an HTTP header, use the match header command in class map HTTP inspection configuration mode. To clear an HTTP header match criteria from the class map, use the no form of the command.
[line_number] match header {header_name | header_field} header-value expression
no [line_number] match header {header_name | header_field} header-value expression
Syntax Description
line_number
    (Optional) Line number to assist you in editing or deleting individual match commands. Enter an integer from 2 to 1024 as the line number. You can enter no line_number to delete long match commands instead of entering the entire line. The line numbers do not dictate a priority or sequence for the match statements.
header_name
    Name of the HTTP header to match (for example, www.example1.com). The range is from 1 to 64 alphanumeric characters.
    Note: The header_name argument cannot include the colon in the name of the HTTP header; the VFW application rejects the colon as an invalid token.
header_field
    Standard HTTP/1.1 header field. Valid selections include request-header fields, general-header fields, and entity-header fields. Table 2 lists the supported HTTP/1.1 header fields. The length and mime-type header types are supported in the match header length and match header mime-type commands.
header-value expression
    Specifies the header value expression string to compare against the value in the specified field in the HTTP header. The range is from 1 to 255 alphanumeric characters. Table 1 provides a list of the supported characters that you can use in regular expressions.
Defaults
No default behavior or values
Command Modes
Class map HTTP inspection configuration
Command History
Release 3.5.0
    This command was introduced on the multiservice blade (MSB) for the Cisco XR 12000 Series Router.
Release 3.6.0
    No modification.
Release 3.7.0
    No modification.
Usage Guidelines
This command requires the inspect feature in your user role. For details about role-based access control (RBAC) and user roles, see the "Configuring Virtualization on the Virtual Firewall" chapter in Cisco IOS XR Virtual Firewall Configuration Guide.
When you use the match header command, the VFW application performs regular expression matching against the received packet data from a particular connection based on the HTTP header expression.
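An added Python model (not Cisco's code) of how the match content (with offset), match content length and match header criteria from this and the two preceding sections are evaluated against one HTTP request under match-all / match-any, including the two Table 1 escapes whose meaning differs in Python's re syntax. Assumed, because the page does not say: expressions are anchored where the search starts (which is why the page's match content example needs a leading .*), offset is 1-based from the first body byte after CRLFCRLF, the content parse length is taken as the entity-body length, and the request is constructed rather than captured.

```python
# Added example (not Cisco's code): a Python model of Layer 7 HTTP inspection
# criteria. Assumptions: expressions are anchored at the search start, offset is
# 1-based from the first body byte, and "content parse length" is the body length.
import re
from typing import Callable, Dict, List, Optional, Tuple


def vfw_regex_to_python(expression: str) -> str:
    """Translate the Table 1 conventions into a Python re pattern.

    Every Table 1 convention is already valid Python re syntax except two escapes:
    \\b is a word boundary in Python but backspace (ASCII 8) on the VFW, and \\0 is
    rewritten as \\x00 so it cannot be read as an octal escape or back-reference.
    Escaped backslashes (\\\\) and \\x## pass through unchanged.
    """
    out, i = [], 0
    while i < len(expression):
        ch = expression[i]
        if ch == "\\" and i + 1 < len(expression):
            nxt = expression[i + 1]
            if nxt == "b":
                out.append(r"\x08")
            elif nxt == "0":
                out.append(r"\x00")
            else:
                out.append(ch + nxt)  # \., \\, \x##, \n, ... are the same in re
            i += 2
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def parse_http(raw: bytes) -> Tuple[Dict[str, str], bytes]:
    """Split a raw request at CRLFCRLF into a lower-cased header dict and the body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers: Dict[str, str] = {}
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def match_content(expression: str, body: bytes, offset: int = 1) -> bool:
    """match content expression [offset number]: anchored search from the offset."""
    if not 1 <= offset <= 4000:
        raise ValueError("offset must be 1 to 4000")
    pattern = re.compile(vfw_regex_to_python(expression), re.DOTALL)
    return pattern.match(body.decode("latin-1"), offset - 1) is not None


def match_content_length(operator: str, body: bytes, bytes1: int,
                         bytes2: Optional[int] = None) -> bool:
    """match content length {lt|gt|eq|neq|range} bytes [bytes2] (range is inclusive)."""
    if operator == "range" and bytes2 is None:
        raise ValueError("range needs bytes2")
    n = len(body)
    ops: Dict[str, Callable[[], bool]] = {
        "lt": lambda: n < bytes1,
        "gt": lambda: n > bytes1,
        "eq": lambda: n == bytes1,
        "neq": lambda: n != bytes1,
        "range": lambda: bytes1 <= n <= bytes2,
    }
    return ops[operator]()


def match_header(name: str, expression: str, headers: Dict[str, str]) -> bool:
    """match header name header-value expression: anchored match on the value."""
    value = headers.get(name.lower())
    if value is None:
        return False  # header absent: the criterion cannot match
    pattern = re.compile(vfw_regex_to_python(expression), re.DOTALL)
    return pattern.match(value) is not None


def evaluate_class_map(mode: str, criteria: List[Callable[[], bool]]) -> bool:
    """match-all: every criterion holds (implicit AND); match-any: one suffices (OR)."""
    results = [c() for c in criteria]
    if not results:
        return False
    return all(results) if mode == "match-all" else any(results)


# Constructed sample request (not captured traffic); the body is exactly 20 bytes.
SAMPLE_REQUEST = (
    b"POST /upload HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"Content-Length: 20\r\n"
    b"\r\n"
    b"GET-INFO newp2psig-1"
)


def inspect_sample() -> Dict[str, bool]:
    """Run the page's match content example plus length, header and class map checks."""
    headers, body = parse_http(SAMPLE_REQUEST)
    return {
        "content_example": match_content(".*newp2psig", body),  # page's example
        "content_offset10": match_content("newp2psig", body, offset=10),
        "content_offset1": match_content("newp2psig", body, offset=1),
        "length_eq_20": match_content_length("eq", body, 20),
        "length_range": match_content_length("range", body, 1, 19),
        "host_header": match_header("Host", r".*example\.com", headers),
        "match_all": evaluate_class_map("match-all", [
            lambda: match_content(".*newp2psig", body),
            lambda: match_header("Host", r"www\.example\.com", headers)]),
        "match_any": evaluate_class_map("match-any", [
            lambda: match_header("Host", r"www\.other\.com", headers),
            lambda: match_header("Host", r"www\.example\.com", headers)]),
    }
```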
Table 2 lists the supported HTTP/1.1 header fields.
Table 2 HTTP/1.1 Header Fields
Field Name
|
Description
|
Accept
|
A semicolon-separated list of representation schemes (content type metainformation values) that will be accepted in the response to the request.
|
Accept-Charset
|
The character sets that are acceptable for the response. This field allows clients that understand more comprehensive or special-purpose character sets to signal that capability to a server that can represent documents in those character sets.
|
Accept-Encoding
|
Restricts the content encoding that a user accepts from the server.
|
Accept-Language
|
The languages that the client prefers for the response. A language tag is an ISO 639 language code with an optional ISO 3166 country code that specifies a national variant (for example, en-US).
|
Authorization
|
Specifies that the user agent wants to authenticate itself with a server, usually after receiving a 401 response.
|
Cache-Control
|
Directives that must be obeyed by all caching mechanisms along the request/response chain. The directives specify behavior intended to prevent caches from adversely interfering with the request or response.
|
Connection
|
Allows the sender to specify connection options.
|
Content-MD5
|
An MD5 digest of the entity-body that provides an end-to-end integrity check. Only a client or an origin server can generate this header field.
|
Expect
|
Used by a client to inform the server about what behaviors the client requires.
|
From
|
Contains the e-mail address of the person who controls the requesting user agent.
|
Host
|
The Internet host and port number of the resource being requested, as obtained from the original uniform resource identifier (URI) given by the user or referring resource. The Host field value MUST represent the naming authority of the origin server or gateway given by the original URL.
|
If-Match
|
Used with a method to make it conditional. A client that has one or more entities previously obtained from the resource can verify that one of those entities is current by including a list of their associated entity tags in the If-Match header field. The purpose of this feature is to allow efficient updates of cached information with a minimum amount of transaction overhead. It is also used, on updating requests, to prevent inadvertent modification of the wrong version of a resource. As a special case, the value "*" matches any current entity of the resource.
|
Pragma
|
Pragma directives understood by the servers to which the directives are relevant. The syntax is the same as for other multiple-value fields in HTTP (for example, the Accept field): a comma-separated list of entries, with optional parameters separated by semicolons.
|
Referer
|
The address (URI) of the resource from which the URI in the request was obtained.
|
Transfer-Encoding
|
Indicates what (if any) type of transformation has been applied to the message body to safely transfer it between the sender and the recipient.
|
User-Agent
|
Information about the user agent, for example the software program originating the request. This information is used for statistical purposes, for tracing protocol violations, and for automated recognition of user agents so that responses can be tailored to avoid particular user-agent limitations.
|
Via
|
Used by gateways and proxies to indicate the intermediate protocols and recipients between the user agent and the server on requests, and between the origin server and the client on responses.
|
The VFW application supports the use of regular expressions for matching. Expressions are stored in a header map in the form header-name: expression. Header expressions allow spaces, provided that the spaces are escaped or quoted. Table 1 provides a list of the supported characters that you can use in regular expressions.
Examples
The following example shows how to match HTTP requests whose Accept header contains the expression html; whether the matching traffic is permitted or denied depends on the action in the policy map:
firewall/Admin(config)# class-map type http inspect match-all L7_CLASSFLTRHTML1
firewall/Admin(config-cmap-http-insp)# match header accept header-value html
Related Commands
Command
|
Description
|
class-map type http inspect
|
Creates a Layer 7 HTTP deep packet inspection class map and enters class map HTTP inspection configuration mode.
|
match header length
|
Limits the HTTP traffic allowed through the VFW application based on the length of the entity body in the HTTP message.
|
match header mime-type
|
Specifies a subset of the Multipurpose Internet Mail Extension (MIME)-type messages that the VFW application permits or denies based on the actions in the policy map.
|
match header length
To limit the HTTP traffic allowed through the VFW application based on the length of the entity body in the HTTP message, use the match header length command in class map HTTP inspection configuration mode. To clear an HTTP header length match criterion from the class map, use the no form of the command.
[line_number] match header length {request | response} operator bytes1 [bytes2]
no [line_number] match header length {request | response} operator bytes1 [bytes2]
Syntax Description
line_number
|
(Optional) Line number to assist you in editing or deleting individual match commands. Enter an integer from 2 to 1024 as the line number. You can enter no line_number to delete long match commands instead of entering the entire line. The line numbers do not dictate a priority or sequence for the match statements.
|
request
|
Matches on the length of the entity body in HTTP request messages received by the VFW application.
|
response
|
Matches on the length of the entity body in HTTP response messages that pass through the VFW application.
|
operator
|
Comparison that is to be made against the length of the entity body in the HTTP message. Allowable operators are as follows:
• lt—Less than
• gt—Greater than
• eq—Equal to
• neq—Not equal to
• range—An inclusive range of size values
|
bytes1 [bytes2]
|
Numeric value to compare to the length of the entity body in the HTTP message. Valid entries are from 1 to 65535 bytes. The bytes2 argument is used only with the range operator and specifies the upper bound of the inclusive range.
|
Defaults
No default behavior or values
Command Modes
Class map HTTP inspection configuration
Command History
Release
|
Modification
|
Release 3.5.0
|
This command was introduced on the multiservice blade (MSB) for the Cisco XR 12000 Series Router.
|
Release 3.6.0
|
No modification.
|
Release 3.7.0
|
No modification.
|
Usage Guidelines
This command requires the inspect feature in your user role. For details about role-based access control (RBAC) and user roles, see the "Configuring Virtualization on the Virtual Firewall" chapter in Cisco IOS XR Virtual Firewall Configuration Guide.
By default, the maximum header length for HTTP deep packet inspection is 2048 bytes. To limit the HTTP traffic allowed through the VFW application, based on the length of the entity body in the HTTP message, use the match header length command. Messages either are allowed or denied, based on the Layer 7 HTTP deep packet inspection policy map action.
Examples
The following example shows how to specify that the class map match on HTTP request messages whose entity body is exactly 3600 bytes long (the eq operator; use lt or gt for an upper or lower bound):
firewall/Admin(config)# class-map type http inspect HTTP_INSPECT_L7CLASS
firewall/Admin(config-cmap-http-insp)# match header length request eq 3600
Related Commands
Command
|
Description
|
class-map type http inspect
|
Creates a Layer 7 HTTP deep packet inspection class map and enters class map HTTP inspection configuration mode.
|
match header mime-type
To specify a subset of the Multipurpose Internet Mail Extension (MIME)-type messages that the VFW application permits or denies based on the actions in the policy map, use the match header mime-type command in class map HTTP inspection configuration mode. To deselect the specified MIME message match criteria from the class map, use the no form of the command.
[line_number] match header mime-type mime_type
no [line_number] match header mime-type mime_type
Syntax Description
[line_number]
|
(Optional) Line number to assist you in editing or deleting individual match commands. Enter an integer from 2 to 1024 as the line number. You can enter no line_number to delete long match commands instead of entering the entire line. The line numbers do not dictate a priority or sequence for the match statements.
|
mime_type
|
The MIME type of the message. The VFW application includes a predefined list of MIME types, such as image\jpeg, text\html, application\msword, and audio\mpeg. Table 3 lists the supported MIME types. Whether the matched types are permitted or denied, or whether all MIME types remain acceptable, is determined by the action in the policy map.
|
Defaults
The default behavior is to allow all mime-types.
Command Modes
Class map HTTP inspection configuration
Command History
Release
|
Modification
|
Release 3.5.0
|
This command was introduced on the multiservice blade (MSB) for the Cisco XR 12000 Series Router.
|
Release 3.6.0
|
No modification.
|
Release 3.7.0
|
No modification.
|
Usage Guidelines
This command requires the inspect feature in your user role. For details about role-based access control (RBAC) and user roles, see the "Configuring Virtualization on the Virtual Firewall" chapter in Cisco IOS XR Virtual Firewall Configuration Guide.
To specify a subset of the Multipurpose Internet Mail Extension (MIME)-type messages that the VFW application permits or denies based on the actions in the policy map, use the match header mime-type command. MIME extends the format of Internet mail to allow non-US-ASCII textual messages, non-textual messages, multipart message bodies, and non-US-ASCII information in message headers; in HTTP the MIME type is carried in the Content-Type header, which is the value this command inspects. Table 3 lists the supported MIME types.
Table 3 Supported MIME Types
application\msexcel, application\mspowerpoint, application\msword, application\octet-stream, application\pdf, application\postscript, application\x-gzip, application\x-java-archive, application\x-java-vm, application\x-messenger, application\zip
audio\*, audio\basic, audio\midi, audio\mpeg, audio\x-adpcm, audio\x-aiff, audio\x-ogg, audio\x-wav
image\*, image\gif, image\jpeg, image\png, image\tiff, image\x-3ds, image\x-bitmap, image\x-niff, image\x-portable-bitmap, image\x-portable-greymap, image\x-xpm
text\*, text\css, text\html, text\plain, text\richtext, text\sgml, text\xmcd, text\xml
video\*, video\flc, video\mpeg, video\quicktime, video\sgi, video\x-fli
To define MIME-type matches in addition to the types supported by the match header mime-type command, use the match header command on the Content-Type header. For example, to define a match for a new MIME type audio\myaudio, you could enter the following match statement:
firewall/Admin(config-cmap-http-insp)# match header Content-type header-value audio\myaudio
Examples
The following example shows how to permit the MIME-type audio\midi and audio\mpeg messages through the VFW application:
firewall/Admin(config)# class-map type http inspect match-any HTTP_INSPECT_L7CLASS
firewall/Admin(config-cmap-http-insp)# match header mime-type audio\midi
firewall/Admin(config-cmap-http-insp)# match header mime-type audio\mpeg
Related Commands
Command
|
Description
|
class-map type http inspect
|
Creates a Layer 7 HTTP deep packet inspection class map and enters class map HTTP inspection configuration mode.
|
match header
|
Configures the class map to define application inspection decisions based on the name and value in an HTTP header.
|
match port
To specify a TCP or User Datagram Protocol (UDP) port number or port range as the network traffic matching criteria, use the match port command in class map configuration mode. To clear the TCP or UDP port number match criteria from the class map, use the no form of the command.
[line_number] match port {tcp | udp} {any | eq port_number | range port1 port2}
no [line_number] match port {tcp | udp} {any | eq port_number | range port1 port2}
Syntax Description
line_number
|
(Optional) Line number to assist you in editing or deleting individual match commands. Enter an integer from 2 to 255 as the line number. You can enter no line_number to delete long match commands instead of entering the entire line. The line numbers do not dictate a priority or sequence for the match statements.
|
tcp | udp
|
Specifies the protocol, TCP or UDP.
|
any
|
Specifies that any TCP or UDP port number matches.
|
eq port_number
|
Specifies that the TCP or UDP port number must match the specified value. Enter an integer from 0 to 65535. A value of 0 instructs the VFW application to include all ports. Alternatively, you can enter the name of a well-known TCP or UDP port. Table 4 lists the well-known TCP port numbers and keywords. Table 5 lists the well-known UDP port numbers and keywords.
|
range port1 port2
|
Specifies a port range to use for the TCP or UDP port. Valid port ranges are 0 to 65535. A value of 0 for both port1 and port2 instructs the VFW application to match all ports.
|
Defaults
No default behavior or values
Command Modes
Class map configuration
Command History
Release
|
Modification
|
Release 3.5.0
|
This command was introduced on the multiservice blade (MSB) for the Cisco XR 12000 Series Router.
|
Release 3.6.0
|
No modification.
|
Release 3.7.0
|
No modification.
|
Usage Guidelines
This command has no user role feature restrictions. For details about role-based access control (RBAC) and user roles, see the "Configuring Virtualization on the Virtual Firewall" chapter in Cisco IOS XR Virtual Firewall Configuration Guide.
There can be multiple match port commands within a single class map. You may combine multiple match port, match access-list, match source-address, and match destination-address commands in a class map.
Table 4 lists the well-known TCP port numbers and keywords.
Table 4 Well-Known TCP Ports and Keywords
Port
|
Port Number
|
Description
|
domain
|
53
|
Specifies Domain Name System
|
ftp
|
21
|
Specifies File Transfer Protocol
|
ftp-data
|
20
|
Specifies File Transfer Protocol Data
|
http
|
80
|
Specifies Hyper Text Transfer Protocol
|
https
|
443
|
Specifies HTTP over SSL protocol
|
irc
|
194
|
Specifies Internet Relay Chat protocol
|
matip-a
|
350
|
Specifies Matip Type A protocol
|
nntp
|
119
|
Specifies Network News Transport Protocol
|
pop2
|
109
|
Specifies Post Office Protocol v2
|
pop3
|
110
|
Specifies Post Office Protocol v3
|
rtsp
|
554
|
Specifies Real Time Streaming Protocol
|
smtp
|
25
|
Specifies Simple Mail Transfer Protocol
|
telnet
|
23
|
Specifies Telnet protocol
|
www
|
80
|
Specifies World Wide Web
|
Table 5 lists the well-known UDP port numbers and keywords.
Table 5 Well-Known UDP Port Numbers and Keywords
Key Word
|
Port Number
|
Description
|
domain
|
53
|
Domain Name System
|
wsp
|
9200
|
Connectionless Wireless Session Protocol (WSP)
|
wsp-wtls
|
9202
|
Secure Connectionless WSP
|
wsp-wtp
|
9201
|
Connection-based WSP
|
wsp-wtp-wtls
|
9203
|
Secure Connection-based WSP
|
Examples
The following example shows how to specify that the class map is to match on TCP port number 23 (Telnet):
firewall/Admin(config)# class-map L4_TCPPORT_CLASS
firewall/Admin(config-cmap)# match port tcp eq 23
Related Commands
Command
|
Description
|
class-map
|
Creates a Layer 3 and Layer 4 class map and enters class map configuration mode.
|
match port-misuse
To configure the class map to define application inspection compliance decisions that restrict certain HTTP traffic from passing through the VFW application, use the match port-misuse command in class map HTTP inspection configuration mode. To clear the HTTP restricted application category match criteria from the class map, use the no form of the command.
[line_number] match port-misuse {im | p2p | tunneling}
no [line_number] match port-misuse {im | p2p | tunneling}
Syntax Description
line_number
|
(Optional) Line number to assist you in editing or deleting individual match commands. Enter an integer from 2 to 1024 as the line number. You can enter no line_number to delete long match commands instead of entering the entire line. The line numbers do not dictate a priority or sequence for the match statements.
|
im
|
Defines the instant messaging application category. The VFW application checks for the Yahoo Messenger instant messaging application.
|
p2p
|
Defines the peer-to-peer application category. The applications checked include Kazaa and Gnutella.
|
tunneling
|
Defines the tunneling application category. The applications checked include: HTTPort/HTTHost, GNU Httptunnel, GotoMyPC, Firethru, and Http-tunnel.com Client.
|
Defaults
No default behavior or values
Command Modes
Class map HTTP inspection configuration
Command History
Release
|
Modification
|
Release 3.5.0
|
This command was introduced on the multiservice blade (MSB) for the Cisco XR 12000 Series Router.
|
Release 3.6.0
|
No modification.
|
Release 3.7.0
|
No modification.
|
Usage Guidelines
This command requires the inspect feature in your user role. For details about role-based access control (RBAC) and user roles, see the "Configuring Virtualization on the Virtual Firewall" chapter in Cisco IOS XR Virtual Firewall Configuration Guide.
Class maps with the match port-misuse command detect the misuse of port 80 (or any other port carrying HTTP) by applications that tunnel over HTTP: peer-to-peer (p2p) applications, HTTP tunneling applications, and instant messaging.
You can specify multiple match port-misuse commands within a class map. Each match port-misuse command configures a single application type.
The port misuse application inspection process requires a search of the entity body of the HTTP message, which may degrade performance of the VFW application.
The VFW application disables the match port-misuse command by default. If you do not configure a restricted HTTP application category, the default action by the VFW application is to allow the applications without generating a log.
Examples
The following example shows how to identify that peer-to-peer applications are restricted HTTP traffic:
firewall/Admin(config)# class-map type http inspect HTTP_INSPECT_L7CLASS
firewall/Admin(config-cmap-http-insp)# match port-misuse p2p
Related Commands
Command
|
Description
|
class-map type http inspect
|
Creates a Layer 7 HTTP deep packet inspection class map and enters class map HTTP inspection configuration mode.
|
match protocol
To configure the class map to identify the network management protocols that can be received by the VFW application, use the match protocol command in class map management configuration mode. To deselect the specified network management protocol match criteria from the class map, use the no form of the command.
[line_number] match protocol {http | https | icmp | snmp | ssh | telnet} {any | source-address ip_address mask}
no [line_number] match protocol {http | https | icmp | snmp | ssh | telnet} {any | source-address ip_address mask}
Syntax Description
line_number
|
(Optional) Line number to assist you in editing or deleting individual match commands. Enter an integer from 2 to 255 as the line number. You can enter no line_number to delete long match commands instead of entering the entire line. The line numbers do not dictate a priority or sequence for the match statements.
|
http
|
Specifies the Hypertext Transfer Protocol (HTTP).
|
https
|
Specifies the secure (SSL) Hypertext Transfer Protocol (HTTP).
|
icmp
|
Specifies the Internet Control Message Protocol (ping).
|
snmp
|
Specifies the Simple Network Management Protocol (SNMP).
|
ssh
|
Specifies a Secure Shell (SSH) connection to the VFW application.
|
telnet
|
Specifies a Telnet connection to the VFW application.
|
any
|
Specifies any client source address for the management traffic classification.
|
source-address
|
Specifies a client source host IP address and subnet mask as the network traffic matching criteria. As part of the classification, the VFW application implicitly obtains the destination IP address from the interface on which you apply the policy map.
|
ip_address
|
Source IP address of the client. Enter the IP address in dotted-decimal notation.
|
mask
|
Subnet mask of the client entry in dotted-decimal notation.
|
Defaults
No default behavior or values
Command Modes
Class map management configuration
Command History
Release
|
Modification
|
Release 3.5.0
|
This command was introduced on the multiservice blade (MSB) for the Cisco XR 12000 Series Router.
|
Release 3.6.0
|
No modification.
|
Release 3.7.0
|
No modification.
|
Usage Guidelines
Use the match protocol command to configure a class map to identify the network management protocols that can be received by the VFW application. You configure the associated policy map to permit access to the VFW application for the specified management protocols. As part of the network management access traffic classification, you also specify either a client source host IP address and subnet mask as the matching criteria or instruct the VFW application to allow any client source address for the management traffic classification.
Examples
The following example shows how to specify that the class map matches SSH access to the VFW application from source address 192.168.10.1 with mask 255.255.255.0 (that is, from any client in 192.168.10.0/24):
firewall/Admin(config)# class-map type management SSH-ALLOW_CLASS
firewall/Admin(config-cmap-mgmt)# match protocol ssh source-address 192.168.10.1 255.255.255.0
Related Commands
Command
|
Description
|
class-map type management
|
Create a Layer 3 and Layer 4 class map to classify the IP network management traffic received by the VFW application and enters class map management configuration mode.
|
match request-method
To configure the class map to define application inspection compliance decisions based on the request methods defined in RFC 2616 and by HTTP extension methods, use the match request-method command in class map HTTP inspection configuration mode. To clear the HTTP request method match criteria from the class map, use the no form of the command.
[line_number] match request-method {ext method | rfc method}
no [line_number] match request-method {ext method | rfc method}
Syntax Description
line_number
|
(Optional) Line number to assist you in editing or deleting individual match commands. Enter an integer from 2 to 1024 as the line number. You can enter no line_number to delete long match commands instead of entering the entire line. The line numbers do not dictate a priority or sequence for the match statements.
|
ext method
|
Specifies an HTTP extension method. If an HTTP request message does not contain one of the RFC 2616 request methods, the VFW application checks whether it contains an extension method. The VFW application supports the inspection of the following HTTP request extension methods: copy, edit, getattr, getattrname, getprops, index, lock, mkdir, move, revadd, revlabel, revlog, revnum, save, setattr, startrev, stoprev, unedit, and unlock.
|
rfc method
|
Specifies an RFC 2616 HTTP request method on which you want to perform an RFC compliance check. The VFW application supports the inspection of the following RFC 2616 HTTP request methods: connect, delete, get, head, options, post, put, and trace.
|
Defaults
No default behavior or values
Command Modes
Class map HTTP inspection configuration
Command History
Release
|
Modification
|
Release 3.5.0
|
This command was introduced on the multiservice blade (MSB) for the Cisco XR 12000 Series Router.
|
Release 3.6.0
|
No modification.
|
Release 3.7.0
|
No modification.
|
Usage Guidelines
This command requires the inspect feature in your user role. For details about role-based access control (RBAC) and user roles, see the "Configuring Virtualization on the Virtual Firewall" chapter in Cisco IOS XR Virtual Firewall Configuration Guide.
By default, the VFW application allows all request and extension methods. To configure the class map to define application inspection compliance decisions based on the request methods defined in RFC 2616 and by HTTP extension methods, use the match request-method command. If the HTTP request method or extension method compliance check fails, the VFW application denies or resets the specified HTTP traffic based on the policy map action. You can specify multiple match request-method commands within a class map. Each match request-method command configures a single request method.
For unsupported HTTP request methods, include the inspect http strict command as an action in the Layer 3 and Layer 4 policy map.
The VFW application disables the match request-method command by default. If you do not configure a request method, the default action by the VFW application is to allow the RFC 2616 HTTP request method without generating a log.
Examples
The following example shows how to identify the connect, get, and head RFC 2616 request methods and the index extension method for application inspection:
firewall/Admin(config)# class-map type http inspect match-any HTTP_INSPECT_L7CLASS
firewall/Admin(config-cmap-http-insp)# match request-method rfc connect
firewall/Admin(config-cmap-http-insp)# match request-method rfc get
firewall/Admin(config-cmap-http-insp)# match request-method rfc head
firewall/Admin(config-cmap-http-insp)# match request-method ext index
Related Commands
Command
|
Description
|
class-map type http inspect
|
Creates a Layer 7 HTTP deep packet inspection class map and enters class map HTTP inspection configuration mode.
|
match request-method (ftp)
To define FTP command inspection decisions by the VFW application, use the match request-method command in class map FTP inspection configuration mode. To clear the FTP inspection request method from the class map, use the no form of the command.
[line_number] match request-method ftp_command
no [line_number] match request-method ftp_command
Syntax Description
line_number
|
(Optional) Line number to assist you in editing or deleting individual match commands. Enter an integer from 2 to 1024 as the line number. You can enter no line_number to delete long match commands instead of entering the entire line. The line numbers do not dictate a priority or sequence for the match statements.
|
ftp_command
|
FTP command in the class map to be subjected to FTP inspection by the VFW application. The possible FTP commands are:
• appe—Append to a file
• cdup—Change to the parent of the current directory
• dele—Delete a file at the server side
• get—Retrieve a file
• help—Help information from the server
• mkd—Create a directory
• put—Store a file
• rmd—Remove a directory
• rnfr—Rename from
• rnto—Rename to
• site—Specify server-specific command
• stou—Store a file with a unique name
• syst—Get system information
|
Defaults
No default behavior or values
Command Modes
Class map FTP inspection configuration
Command History
Release
|
Modification
|
Release 3.5.0
|
This command was introduced on the multiservice blade (MSB) for the Cisco XR 12000 Series Router.
|
Release 3.6.0
|
No modification.
|
Release 3.7.0
|
No modification.
|
Usage Guidelines
This command requires the inspect feature in your user role. For details about role-based access control (RBAC) and user roles, see the "Configuring Virtualization on the Virtual Firewall" chapter in Cisco IOS XR Virtual Firewall Configuration Guide.
To define FTP command inspection decisions by the VFW application, use the match request-method command. This command identifies the FTP commands that you want filtered by the VFW application. You can specify multiple match request-method commands within a class map.
Examples
The following example shows how to specify that at least one FTP inspection command in the class map must be satisfied for the VFW application to indicate a match:
firewall/Admin(config)# class-map type ftp inspect match-any FTP_INSPECT_L7CLASS
firewall/Admin(config-cmap-ftp-insp)# match request-method cdup
firewall/Admin(config-cmap-ftp-insp)# match request-method get
firewall/Admin(config-cmap-ftp-insp)# match request-method stou
firewall/Admin(config-cmap-ftp-insp)# match request-method put
Related Commands
Command
|
Description
|
class-map type ftp inspect
|
Creates and configures a Layer 7 class map to be used for the inspection of FTP request commands and enters class map FTP inspection configuration mode.
|
match source-address
To specify a client source host IP address and subnet mask from which the VFW application accepts traffic as the network traffic matching criteria, use the match source-address command in class map configuration mode. To clear the source IP address and subnet mask match criteria from the class map, use the no form of the command.
[line_number] match source-address ip_address mask
no [line_number] match source-address ip_address mask
Syntax Description
line_number
|
(Optional) Line number to assist you in editing or deleting individual match commands. Enter an integer from 2 to 255 as the line number. You can enter no line_number to delete long match commands instead of entering the entire line. The line numbers do not dictate a priority or sequence for the match statements.
|
ip_address
|
Source IP address of the client. Enter the IP address in dotted-decimal notation.
|
mask
|
Subnet mask of the client entry in dotted-decimal notation.
|
Defaults
No default behavior or values
Command Modes
Class map configuration
Command History
Release
|
Modification
|
Release 3.5.0
|
This command was introduced on the multiservice blade (MSB) for the Cisco XR 12000 Series Router.
|
Release 3.6.0
|
No modification.
|
Release 3.7.0
|
No modification.
|
Usage Guidelines
This command has no user role feature restrictions. For details about role-based access control (RBAC) and user roles, see the "Configuring Virtualization on the Virtual Firewall" chapter in Cisco IOS XR Virtual Firewall Configuration Guide.
To specify a client source host IP address and subnet mask from which the VFW application accepts traffic as the network traffic matching criteria, use the match source-address command. You configure the associated policy map to permit or restrict traffic from the specified source network or host. There can be multiple match source-address commands within a single class map. You may combine multiple match source-address, match access-list, match destination-address, and match port commands in a class map.
An entry of 0.0.0.0 0.0.0.0 indicates a wildcard match for any source IP address and subnet mask.
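The address-and-mask comparison behind match source-address and the port forms of match port, as an added Python model written for this page; it is not VFW code and does not run on the VFW application. A flow is reduced to its protocol, source address and destination port, the port keywords come from Table 4 and Table 5, and the criteria are combined with the match-all and match-any semantics of the class-map command. The flow dictionary, the rule tuples and the sample flows are assumptions of this example, as is the choice to compare the destination port: the page does not state which end of the connection match port inspects. The same mask arithmetic applies to the source-address form of match protocol, which the page defines with the same ip_address and mask arguments.

```python
"""Layer 3/Layer 4 class-map matching modelled in Python. Added illustration for
this page, not VFW code; flow layout, rule tuples and sample flows are assumptions."""
import ipaddress

# Well-known keywords from Table 4 (TCP) and Table 5 (UDP) on this page.
TCP_KEYWORDS = {"domain": 53, "ftp": 21, "ftp-data": 20, "http": 80, "https": 443,
                "irc": 194, "matip-a": 350, "nntp": 119, "pop2": 109, "pop3": 110,
                "rtsp": 554, "smtp": 25, "telnet": 23, "www": 80}
UDP_KEYWORDS = {"domain": 53, "wsp": 9200, "wsp-wtp": 9201,
                "wsp-wtls": 9202, "wsp-wtp-wtls": 9203}

def resolve_port(proto, value):
    """Accept a port number or one of the well-known keywords for the protocol."""
    if isinstance(value, int):
        return value
    return (TCP_KEYWORDS if proto == "tcp" else UDP_KEYWORDS)[value]

def match_source_address(flow, ip_address, mask):
    """match source-address ip_address mask, with a dotted-decimal mask.
    Only the bits set in the mask are compared, so 192.168.11.2 255.255.255.0
    covers every host in 192.168.11.0/24 and 0.0.0.0 0.0.0.0 matches any source."""
    m = int(ipaddress.IPv4Address(mask))
    src = int(ipaddress.IPv4Address(flow["src"]))
    return (src & m) == (int(ipaddress.IPv4Address(ip_address)) & m)

def match_port(flow, proto, form, port1=None, port2=None):
    """match port {tcp | udp} {any | eq port | range port1 port2}.
    The page states that a port value of 0 means all ports. Which end of the
    connection is inspected is not stated; this example uses the destination
    port (assumption)."""
    if flow["proto"] != proto:
        return False
    if form == "any":
        return True
    if form == "eq":
        return port1 == 0 or flow["dport"] == port1
    if form == "range":
        return (port1 == 0 and port2 == 0) or port1 <= flow["dport"] <= port2
    raise ValueError(f"unknown match port form: {form}")

def classify(flow, mode, rules):
    """Combine (function, args) rules as the class-map command does:
    match-all requires every criterion, match-any requires at least one."""
    results = [fn(flow, *args) for fn, args in rules]
    return all(results) if mode == "match-all" else any(results)

# Constructed sample flows, not captured traffic.
FLOWS = {
    "telnet_from_lan": {"proto": "tcp", "src": "192.168.11.77", "dport": 23},
    "ssh_from_lan":    {"proto": "tcp", "src": "192.168.11.77", "dport": 22},
    "telnet_from_wan": {"proto": "tcp", "src": "203.0.113.9",   "dport": 23},
    "dns_from_lan":    {"proto": "udp", "src": "192.168.11.5",  "dport": 53},
}

def demo():
    """Evaluate the page's two L3/L4 examples, combined both ways, over FLOWS."""
    lan = (match_source_address, ("192.168.11.2", "255.255.255.0"))
    telnet = (match_port, ("tcp", "eq", resolve_port("tcp", "telnet")))
    tcp_any_port = (match_port, ("tcp", "eq", 0))
    any_source = (match_source_address, ("0.0.0.0", "0.0.0.0"))
    return {
        name: {
            "lan_and_telnet": classify(flow, "match-all", [lan, telnet]),
            "lan_or_telnet": classify(flow, "match-any", [lan, telnet]),
            "tcp_port0": classify(flow, "match-all", [tcp_any_port]),
            "any_source": classify(flow, "match-all", [any_source]),
        }
        for name, flow in FLOWS.items()
    }

if __name__ == "__main__":
    for name, verdicts in demo().items():
        print(name, verdicts)
```

Running the block prints one verdict line per sample flow. The point to take from it is the mask: a rule written with a host address such as 192.168.11.2 but a mask of 255.255.255.0 matches every host in that /24, so a class map that is meant to admit one host needs the mask 255.255.255.255.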
Examples
The following example shows how to specify that the class map match on source IP address 192.168.11.2 with mask 255.255.255.0 (that is, any host in 192.168.11.0/24):
firewall/Admin(config)# class-map match-any L4_SRCADDR_CLASS
firewall/Admin(config-cmap)# match source-address 192.168.11.2 255.255.255.0
Related Commands
Command
|
Description
|
class-map
|
Creates a Layer 3 and Layer 4 class map and enters class map configuration mode.
|
match transfer-encoding
To configure the class map to define application inspection decisions that limit the HTTP transfer-encoding types that can pass through the VFW application, use the match transfer-encoding command in class map HTTP inspection configuration mode. To clear the HTTP transfer-encoding match criteria from the class map, use the no form of the command.
[line_number] match transfer-encoding {chunked | compressed | deflate | gzip | identity}
no [line_number] match transfer-encoding {chunked | compressed | deflate | gzip | identity}
Syntax Description
line_number | (Optional) Line number to assist you in editing or deleting individual match commands. Enter an integer from 2 to 1024 as the line number. You can enter no line_number to delete long match commands instead of entering the entire line. The line numbers do not dictate a priority or sequence for the match statements.
chunked | Transfers the message body as a series of chunks.
compressed | Defines the encoding format produced by the common UNIX file compression program "compress". This format is an adaptive Lempel-Ziv-Welch (LZW) coding.
deflate | Defines the zlib format defined in RFC 1950 in combination with the deflate compression mechanism described in RFC 1951.
gzip | Defines the encoding format produced by the file compression program gzip (GNU zip), as described in RFC 1952. This format is a Lempel-Ziv (LZ77) coding with a 32-bit CRC.
identity | Defines the default (identity) encoding, which does not require the use of any transformation.
Defaults
No default behavior or values
Command Modes
Class map HTTP inspection configuration
Command History
Release | Modification
Release 3.5.0 | This command was introduced on the multiservice blade (MSB) for the Cisco XR 12000 Series Router.
Release 3.6.0 | No modification.
Release 3.7.0 | No modification.
Usage Guidelines
This command requires the inspect feature in your user role. For details about role-based access control (RBAC) and user roles, see the "Configuring Virtualization on the Virtual Firewall" chapter in Cisco IOS XR Virtual Firewall Configuration Guide.
Use the match transfer-encoding command to configure the class map to define application inspection decisions that limit the HTTP transfer-encoding types that can pass through the VFW application. The Transfer-Encoding general-header field indicates the type of transformation, if any, that has been applied to the HTTP message body so that it can be transferred safely between the sender and the recipient. When an HTTP request message contains the configured transfer-encoding type, the VFW application performs the action configured in the policy map. You can specify multiple match transfer-encoding commands within a class map. Each match transfer-encoding command configures a single transfer-encoding type.
The VFW application disables the match transfer-encoding command by default. If you do not configure a transfer-encoding type, the default action by the VFW application is to allow the HTTP transfer-encoding types without generating a log.
Examples
The following example shows how to specify a chunked HTTP transfer encoding type to limit the HTTP traffic that flows through the VFW application:
firewall/Admin(config)# class-map type http inspect HTTP_INSPECT_L7CLASS
firewall/Admin(config-cmap-http-insp)# match transfer-encoding chunked
Related Commands
Command | Description
class-map type http inspect | Creates a Layer 7 HTTP deep packet inspection class map and enters class map HTTP inspection configuration mode.
match url
To configure the class map to define application inspection decisions based on URL name and, optionally, HTTP method, use the match url command in class map HTTP inspection configuration mode. To clear a URL match criterion from the class map, use the no form of the command.
[line_number] match url expression
no [line_number] match url expression
Syntax Description
line_number | (Optional) Line number to assist you in editing or deleting individual match commands. Enter an integer from 2 to 1024 as the line number. You can enter no line_number to delete long match commands instead of entering the entire line. The line numbers do not dictate a priority or sequence for the match statements.
expression | URL or portion of a URL to match. The URL string range is from 1 to 255 characters. Include only the portion of the URL following www.hostname.domain in the match statement. For a list of the supported characters that you can use in regular expressions, see Table 1.
Defaults
No default behavior or values
Command Modes
Class map HTTP inspection configuration
Command History
Release | Modification
Release 3.5.0 | This command was introduced on the multiservice blade (MSB) for the Cisco XR 12000 Series Router.
Release 3.6.0 | No modification.
Release 3.7.0 | No modification.
Usage Guidelines
This command requires the inspect feature in your user role. For details about role-based access control (RBAC) and user roles, see the "Configuring Virtualization on the Virtual Firewall" chapter in Cisco IOS XR Virtual Firewall Configuration Guide.
Use the match url command to configure the class map to define application inspection decisions based on URL name and, optionally, HTTP method. The VFW application performs regular expression matching of the URL expression against the packet data received on a particular connection.
Include only the portion of the URL following www.hostname.domain in the match statement. For example, in the URL www.anydomain.com/latest/whatsnew.html, include only /latest/whatsnew.html. To match the www.anydomain.com portion, the URL string can take the form of a URL regular expression. The VFW application supports the use of regular expressions for matching.
When matching URLs, keep in mind that the period "." character does not have a literal meaning in regular expressions; it matches any single character. Use either a bracket expression "[.]" or a backslash escape "\." to match the period itself, for example, specify "www[.]xyz[.]com" instead of "www.xyz.com".
Examples
The following example shows how to specify that the Layer 7 class map is to match and perform application inspection on a specific URL:
firewall/Admin(config)# class-map type http inspect HTTP_INSPECT_L7CLASS
firewall/Admin(config-cmap-http-insp)# match url whatsnew/latest.*
The following example shows how to use regular expressions to emulate a wildcard search to match on any .gif or .html file:
firewall/Admin(config)# class-map type http inspect match-any HTTP_INSPECT_L7CLASS
firewall/Admin(config-cmap-http-insp)# match url .*.gif
firewall/Admin(config-cmap-http-insp)# match url .*.html
Related Commands
Command | Description
class-map type http inspect | Creates a Layer 7 HTTP deep packet inspection class map and enters class map HTTP inspection configuration mode.
match url length
To limit the HTTP traffic allowed through the VFW application by specifying the maximum length of a URL in a request message that can be received by the VFW application, use the match url length command in class map HTTP inspection configuration mode. To clear a URL length match criterion from the class map, use the no form of the command.
[line_number] match url length operator bytes [bytes2]
no [line_number] match url length operator bytes [bytes2]
Syntax Description
line_number | (Optional) Line number to assist you in editing or deleting individual match commands. Enter an integer from 2 to 1024 as the line number. You can enter no line_number to delete long match commands instead of entering the entire line. The line numbers do not dictate a priority or sequence for the match statements.
operator | Specifies the comparison that is to be made against the maximum length of a URL in a request message. Allowable operators are as follows:
• lt—Less than
• gt—Greater than
• eq—Equal to
• neq—Not equal to
• range—An inclusive range of size values
bytes [bytes2] | Numeric value to compare to the maximum length of a URL in a request message. Valid entries are from 1 to 65535 bytes. The bytes2 argument is used only with the range operator.
Defaults
No default behavior or values
Command Modes
Class map HTTP inspection configuration
Command History
Release | Modification
Release 3.5.0 | This command was introduced on the multiservice blade (MSB) for the Cisco XR 12000 Series Router.
Release 3.6.0 | No modification.
Release 3.7.0 | No modification.
Usage Guidelines
This command requires the inspect feature in your user role. For details about role-based access control (RBAC) and user roles, see the "Configuring Virtualization on the Virtual Firewall" chapter in Cisco IOS XR Virtual Firewall Configuration Guide.
Use the match url length command to limit the HTTP traffic allowed through the VFW application by specifying the maximum length of a URL in a request message that can be received by the VFW application. Messages are either allowed or denied based on the Layer 7 HTTP deep packet inspection policy map action.
Examples
The following example shows how to specify that the class map is to match on a URL with a length equal to 10000 bytes in the request message:
firewall/Admin(config)# class-map type http inspect HTTP_INSPECT_L7CLASS
firewall/Admin(config-cmap-http-insp)# match url length eq 10000
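The three HTTP inspection criteria described in this chapter (match transfer-encoding, match url, and match url length) can be illustrated together. The following is an added example written for this page; it is not code from the VFW application or from Cisco. It parses a constructed HTTP request head and applies the same kinds of match statements under match-all or match-any class-map semantics. The sample requests, the class-map name HTTP_INSPECT_L7CLASS, and all function names are assumptions; Python's re module stands in for the VFW regular-expression engine, URL length is counted in bytes, and an absent Transfer-Encoding header is treated as identity, which the page does not state for the VFW.

```python
import re
from dataclasses import dataclass, field

# Constructed sample requests (assumptions, not taken from the documentation).
CHUNKED_REQUEST = (
    "GET /latest/whatsnew.html HTTP/1.1\r\n"
    "Host: www.anydomain.com\r\n"
    "Transfer-Encoding: gzip, chunked\r\n"
    "\r\n"
)
PLAIN_REQUEST = (
    "GET /images/logo.gif HTTP/1.1\r\n"
    "Host: www.anydomain.com\r\n"
    "\r\n"
)


def parse_request(raw):
    """Split an HTTP/1.1 request head into (method, url, headers).

    Header names are lower-cased because HTTP header names are case-insensitive.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, url, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, url, headers


def match_transfer_encoding(raw, encoding):
    """match transfer-encoding {chunked|compressed|deflate|gzip|identity}.

    The header may list several codings ("gzip, chunked"); the criterion is met
    if the configured coding appears anywhere in that list. An absent header is
    treated as identity here (an assumption of this example).
    """
    _, _, headers = parse_request(raw)
    codings = [c.strip().lower() for c in headers.get("transfer-encoding", "").split(",")]
    codings = [c for c in codings if c] or ["identity"]
    return encoding.lower() in codings


def match_url(raw, expression):
    """match url expression: regular-expression search over the URL after the host."""
    _, url, _ = parse_request(raw)
    return re.search(expression, url) is not None


# Operators from the match url length syntax; the third argument is used only by range.
_OPERATORS = {
    "lt": lambda n, a, b: n < a,
    "gt": lambda n, a, b: n > a,
    "eq": lambda n, a, b: n == a,
    "neq": lambda n, a, b: n != a,
    "range": lambda n, a, b: a <= n <= b,  # inclusive, as the page states
}


def match_url_length(raw, operator, nbytes, nbytes2=None):
    """match url length operator bytes [bytes2], comparing the URL length in bytes."""
    if operator == "range" and nbytes2 is None:
        raise ValueError("range requires a second value")
    for value in (nbytes, nbytes2):
        if value is not None and not 1 <= value <= 65535:
            raise ValueError("length values must be from 1 to 65535")
    _, url, _ = parse_request(raw)
    return _OPERATORS[operator](len(url.encode()), nbytes, nbytes2)


@dataclass
class ClassMap:
    """A class-map type http inspect with match-all (default) or match-any evaluation."""
    name: str
    match_any: bool = False
    criteria: list = field(default_factory=list)

    def _evaluate(self, criterion, raw):
        kind, *args = criterion
        if kind == "transfer-encoding":
            return match_transfer_encoding(raw, *args)
        if kind == "url":
            return match_url(raw, *args)
        if kind == "url length":
            return match_url_length(raw, *args)
        raise ValueError(f"unsupported match type: {kind}")

    def matches(self, raw):
        results = [self._evaluate(c, raw) for c in self.criteria]
        return any(results) if self.match_any else all(results)


def build_example_class_map(match_any):
    """Equivalent of (hypothetical configuration):
        class-map type http inspect [match-any] HTTP_INSPECT_L7CLASS
          match transfer-encoding chunked
          match url .*[.]gif
          match url length gt 1024
    """
    return ClassMap("HTTP_INSPECT_L7CLASS", match_any, [
        ("transfer-encoding", "chunked"),
        ("url", r".*[.]gif"),
        ("url length", "gt", 1024),
    ])


def dot_caveat():
    """Why the period must be escaped: an unescaped '.' also matches any other character."""
    sample = "/redirect?to=wwwXxyzXcom"  # constructed URL that is not www.xyz.com
    loose = re.search("www.xyz.com", sample) is not None        # True: '.' matches 'X'
    strict = re.search(r"www[.]xyz[.]com", sample) is not None  # False: literal '.' only
    return loose, strict
```

build_example_class_map(True).matches(CHUNKED_REQUEST) is true because the chunked criterion alone satisfies match-any, while the match-all form of the same class map is false because the URL is neither a .gif nor longer than 1024 bytes. dot_caveat() returns (True, False), which is the reason the usage guidelines above ask for "www[.]xyz[.]com" rather than "www.xyz.com".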
Related Commands
Command | Description
class-map type http inspect | Creates a Layer 7 HTTP deep packet inspection class map and enters class map HTTP inspection configuration mode.