Configuring A Layer 3 And Layer 4 Application Protocol Inspection Traffic Policy; Configuration Guidelines For Inspection Traffic Policies - Cisco 4700M Configuration Manual


Chapter 3
Configuring Application Protocol Inspection
OL-16202-01

Configuring a Layer 3 and Layer 4 Application Protocol Inspection Traffic Policy

This section describes how to create a Layer 3 and Layer 4 class map and policy
map to classify network traffic that passes through the ACE and to perform the
applicable application protocol inspection actions on that traffic. The Layer 3
and Layer 4 traffic policy defines the HTTP deep packet inspection, FTP command
inspection, or application protocol inspection policy actions. Application
inspection examines protocols such as DNS, FTP, HTTP, ICMP, ILS, RTSP, SCCP,
and SIP to verify that the protocol behaves as expected and to identify
unwanted or malicious traffic that passes through the ACE.

This section contains the following topics:
Configuration Guidelines for Inspection Traffic Policies
Configuring a Layer 3 and Layer 4 Class Map
Configuring a Layer 3 and Layer 4 Policy Map

Configuration Guidelines for Inspection Traffic Policies
Because the A3(1.0) ACE software performs strict error checks on application
protocol inspection configurations, be sure that your inspection configurations
meet the guidelines in this section. The error checking rejects misconfigured
inspection classifications (class maps) and displays an appropriate error
message. If such a misconfiguration exists in your startup or running
configuration before you load the software, the standby ACE in a redundant
configuration may boot up in the STANDBY_COLD state. For information about
redundancy states, see the Cisco 4700 Series Application Control Engine
Appliance Administration Guide.
If the class map for the inspection traffic is generic (match ... any or
class-default is configured) so that noninspection traffic is also matched, the
ACE displays an error message and does not accept the inspection configuration.
For example:

    switch/Admin(config)# class-map match-all TCP_ANY
    switch/Admin(config-cmap)# match port tcp any
    switch/Admin(config)# policy-map multi-match FTP_POLICY
    switch/Admin(config-pmap)# class TCP_ANY
    switch/Admin(config-pmap-c)# inspect ftp
    Error: This class doesn't have tcp protocol and a specific port
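As an added example (not Cisco code and not part of this guide), the following Python script applies the guideline above to configuration text before it is pasted into the ACE: it parses the small class-map/policy-map grammar shown on this page and reports every inspect action whose class is generic (match any, match port tcp any, or class-default), then checks that the class's Layer 4 protocol fits the inspection type. The required-protocol table and both sample configurations are constructed for this illustration; the corrected configuration replaces the generic TCP match with a specific port match.

```python
"""Lint an ACE-style inspection traffic policy against the guideline above.

Added example, not Cisco code: it understands only the class-map / policy-map
subset shown on this page and flags an ``inspect`` action whose class would
also match non-inspection traffic, or whose protocol does not fit the type.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Assumption for this example: these inspection types need this transport
# (FTP and HTTP are TCP; ACE DNS inspection is UDP). Other types are only
# checked for "a specific protocol and a specific port".
REQUIRED_PROTO = {"ftp": "tcp", "http": "tcp", "dns": "udp"}

# "match port tcp eq 21" / "match port udp range 53 53" are specific;
# "match port tcp any" and "match any" are generic and never match here.
SPECIFIC_PORT = re.compile(r"^match port (tcp|udp) (?:eq \S+|range \S+ \S+)$")


@dataclass
class ClassMap:
    name: str
    mode: str                                   # "match-all" or "match-any"
    matches: list[str] = field(default_factory=list)

    def is_specific(self) -> bool:
        """True only if every packet the class accepts is TCP/UDP on a fixed port."""
        hits = [bool(SPECIFIC_PORT.match(m)) for m in self.matches]
        if not hits:
            return False
        # match-all ANDs its lines, so one specific line narrows the class;
        # match-any ORs them, so every line must be specific.
        return any(hits) if self.mode == "match-all" else all(hits)

    def protocols(self) -> set[str]:
        found = (SPECIFIC_PORT.match(m) for m in self.matches)
        return {m.group(1) for m in found if m}


def parse(config: str):
    """Return (class maps by name, [(policy, class, inspect type), ...])."""
    classes: dict[str, ClassMap] = {}
    inspections: list[tuple[str, str, str]] = []
    cmap = pmap = pclass = None
    for raw in config.splitlines():
        line = raw.strip()
        tokens = line.split()
        if not tokens:
            continue
        if line.startswith("class-map "):
            mode = "match-any" if "match-any" in tokens else "match-all"
            cmap = ClassMap(tokens[-1], mode)
            classes[cmap.name] = cmap
            pmap = pclass = None
        elif line.startswith("policy-map "):
            pmap, cmap, pclass = tokens[-1], None, None
        elif tokens[0] == "match" and cmap is not None:
            cmap.matches.append(line)
        elif tokens[0] == "class" and pmap is not None:
            pclass = tokens[-1]
        elif tokens[0] == "inspect" and pmap is not None and pclass is not None:
            inspections.append((pmap, pclass, tokens[1]))
    return classes, inspections


def check_inspection_classes(config: str) -> list[str]:
    """Return one error string per offending inspect action; [] means it passes."""
    classes, inspections = parse(config)
    errors: list[str] = []
    for pmap, cname, kind in inspections:
        where = f"policy-map {pmap} class {cname} inspect {kind}"
        if cname == "class-default":
            errors.append(f"{where}: class-default also matches non-inspection traffic")
            continue
        cmap = classes.get(cname)
        if cmap is None:
            errors.append(f"{where}: class map {cname} is not defined")
            continue
        if not cmap.is_specific():
            errors.append(f"{where}: class doesn't have a specific protocol and port")
            continue
        need = REQUIRED_PROTO.get(kind)
        if need and cmap.protocols() != {need}:
            errors.append(f"{where}: class must match {need}, not {sorted(cmap.protocols())}")
    return errors


# Constructed sample configs: the rejected one from the page and a corrected one.
BAD_CONFIG = """
class-map match-all TCP_ANY
  match port tcp any
policy-map multi-match FTP_POLICY
  class TCP_ANY
    inspect ftp
"""

GOOD_CONFIG = """
class-map match-all FTP_CLASS
  match port tcp eq 21
policy-map multi-match FTP_POLICY
  class FTP_CLASS
    inspect ftp
"""

if __name__ == "__main__":
    for label, cfg in (("bad", BAD_CONFIG), ("good", GOOD_CONFIG)):
        print(label, check_inspection_classes(cfg) or "OK")
```

The match-all/match-any distinction matters: in a match-all class a single `match port tcp eq 21` line is enough to narrow the class, while in a match-any class one generic line such as `match any` widens it back to everything, which is exactly the case the ACE rejects.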
Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide
3-91
