Layer 3 And Layer 4 Application Protocol Inspection For Dns Inspection - Cisco 4700M Configuration Manual

Application control engine appliance security
Examples of Application Protocol Inspection Configurations
Layer 3 and Layer 4 Application Protocol Inspection for DNS Inspection
Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide, page 3-128
policy-map multi-match L4_VIP_POLICY
  class L4_FTP-VIP_CLASS
    loadbalance vip inservice
    loadbalance policy L7_FTP-LB-SF-FTP_POLICY
    inspect ftp strict policy L7_FTP-INSPSF-FTP_POLICY

interface vlan 29
  ip address 172.16.0.1 255.255.255.0
  fragment chain 20
  fragment min-mtu 68
  nat-pool 1 192.168.120.71 192.168.120.71 netmask 255.255.255.0 pat
  no shutdown

interface vlan 120
  description Upstream VLAN_120 - Clients and VIPs
  ip address 192.168.120.1 255.255.255.0
  fragment chain 20
  fragment min-mtu 68
  access-group input ACL1
  nat-pool 1 192.168.120.70 192.168.120.70 netmask 255.255.255.0 pat
  service-policy input L4_VIP_POLICY
  no shutdown

ip route 10.1.0.0 255.255.255.0 192.168.120.254
ip route 172.16.0.0 255.252.0.0 172.16.0.253
In the following application protocol inspection configuration, the ACE performs DNS query inspection using a Layer 3 and Layer 4 policy map. DNS requires application inspection so that DNS queries are not subject to the generic UDP handling based on activity timeouts; instead, the ACE tears down the UDP connection associated with a query as soon as the reply arrives. The ACE also reassembles fragmented DNS packets and verifies that the reassembled reply is no longer than the value configured with the maximum-length keyword of the inspect dns command; a reply that exceeds it is dropped. If you omit maximum-length, the ACE uses the default of 512 bytes. Replies from EDNS0-capable servers (DNSSEC-signed answers in particular) routinely exceed 512 bytes, so set the limit for the replies you expect rather than relying on the default, and check the drop counters after enabling inspection.
access-list ACL1 line 10 extended permit ip any any

class-map match-any L4_DNS-INSPECT_CLASS
  description DNS application protocol inspection of incoming traffic
  match port udp eq domain

policy-map multi-match L4_DNS-INSPECT_POLICY
  class L4_DNS-INSPECT_CLASS
    inspect dns maximum-length 1000
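The length check that inspect dns maximum-length performs, modeled in Python as an added example to show why the configuration above raises the limit to 1000. This is not Cisco code and does not reflect how the ACE implements inspection internally. It assumes the rule the text states: a reply longer than the configured maximum (default 512 bytes) is dropped, the check applies to replies (QR=1) only, and the input is the already reassembled DNS payload. The DNS messages are constructed inline, and build_dns_message, parse_header and inspect_dns are names chosen here.

```python
"""Model of the ACE 'inspect dns maximum-length' check (added example, not Cisco code)."""
import struct

# ACE default when 'inspect dns' is configured without maximum-length
# (assumption taken from the ACE documentation, not from this page).
DEFAULT_MAX_LENGTH = 512


def encode_name(name):
    """Encode a dotted hostname as DNS wire-format labels (no compression)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def build_dns_message(txid, qname, answer_ips=(), edns_udp_size=None, reply=True):
    """Constructed DNS message: one A question, optional A answers, optional EDNS0 OPT RR.

    reply=True sets QR=1 (plus RD/RA) so the message looks like a server response;
    reply=False produces a plain recursive query.
    """
    flags = 0x8180 if reply else 0x0100
    arcount = 1 if edns_udp_size else 0
    msg = struct.pack("!HHHHHH", txid, flags, 1, len(answer_ips), 0, arcount)
    msg += encode_name(qname) + struct.pack("!HH", 1, 1)          # QTYPE=A, QCLASS=IN
    for ip in answer_ips:
        rdata = bytes(int(octet) for octet in ip.split("."))
        # owner name is a compression pointer to the question name at offset 12
        msg += struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + rdata
    if edns_udp_size:
        # OPT pseudo-RR: root name, TYPE=41, CLASS carries the advertised UDP payload size
        msg += b"\x00" + struct.pack("!HHIH", 41, edns_udp_size, 0, 0)
    return msg


def parse_header(msg):
    """Parse the fixed 12-byte DNS header; raise ValueError if the message is too short."""
    if len(msg) < 12:
        raise ValueError("message shorter than the 12-byte DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),      # 1 = reply
        "tc": bool(flags & 0x0200),      # truncated
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def inspect_dns(msg, maximum_length=DEFAULT_MAX_LENGTH):
    """Return ('pass' | 'drop', reason) for one reassembled DNS payload.

    Assumed rule, as the text describes it: a reply longer than maximum_length
    is dropped (a reply of exactly maximum_length bytes is treated as within the
    limit); queries are not length-checked here.
    """
    try:
        hdr = parse_header(msg)
    except ValueError as exc:
        return "drop", str(exc)
    if not hdr["qr"]:
        return "pass", "query: length check applies to replies only"
    if len(msg) > maximum_length:
        return "drop", f"reply is {len(msg)} bytes, exceeds maximum-length {maximum_length}"
    return "pass", f"reply is {len(msg)} bytes, within maximum-length {maximum_length}"


if __name__ == "__main__":
    small = build_dns_message(0x1234, "example.com", ["192.0.2.1"])
    # 32 A records plus an OPT record: the kind of reply an EDNS0-capable server sends
    big = build_dns_message(0x1234, "example.com",
                            ["192.0.2.%d" % i for i in range(1, 33)], edns_udp_size=4096)
    for label, m in (("small", small), ("big", big)):
        for limit in (DEFAULT_MAX_LENGTH, 1000):
            print(f"{label:5} {len(m):4d} bytes, maximum-length {limit:4d}: {inspect_dns(m, limit)}")
```

Running it shows the effect of the maximum-length value: the 45-byte reply passes either way, while the 552-byte reply carrying 32 A records and an EDNS0 OPT record is dropped at the default of 512 and passes at 1000. A message shorter than the DNS header is dropped before any length comparison, since it cannot be classified as a query or a reply.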
Chapter 3: Configuring Application Protocol Inspection (OL-16202-01)