Cisco 7604 Configuration Guide - Page 385
Chapter 20 Using Modular Policy Framework
Configuring Special Actions for Application Inspections (Inspection Policy Map)

If an action drops a packet, then no further actions are performed in the inspection policy map. For example, if the first action is to reset the connection, then the packet will never match any further match or class commands. If the first action is to log the packet, then a second action, such as resetting the connection, can still occur. (You can configure both a terminating action, such as reset or drop-connection, and the log action for the same match or class command, in which case the packet is logged before it is reset for that match.)

If a packet matches multiple match or class commands of the same type, then they are matched in the order they appear in the policy map. For example, a packet with a header length of 1001 matches the first command below and is logged, and then matches the second command and is reset. If you reverse the order of the two match commands, the packet is dropped and the connection reset before it can match the second match command; it is never logged.

    match request header length gt 100 log
    match request header length gt 1000 reset

A class map is determined to be the same type as another class map or match command based on the lowest priority match command in the class map (the priority is based on the internal rules). If a class map has the same type of lowest priority match command as another class map, then the class maps are matched according to the order they are added to the policy map. If the lowest priority command for each class map is different, then the class map with the higher priority match command is matched first.

For example, the following three class maps contain two types of match commands: match content length (higher priority) and match content type (lower priority). The sip3 class map includes both commands, but it is ranked according to the lowest priority command, match content type. The sip1 class map includes the highest priority command, so it is matched first, regardless of the order in the policy map. The sip3 class map is ranked as being of the same priority as the sip2 class map, which also contains the match content type command. They are matched according to the order in the policy map: sip3 and then sip2.

    class-map type inspect sip match-all sip1
      match content length gt 1000
    class-map type inspect sip match-all sip2
      match content type sdp
    class-map type inspect sip match-all sip3
      match content length gt 1000
      match content type sdp

    policy-map type inspect sip sip
      class sip3
        log
      class sip2
        log
      class sip1
        log

Step 4 To configure parameters that affect the inspection engine, enter the following command:

    hostname(config-pmap)# parameters
    hostname(config-pmap-p)#

The CLI enters parameters configuration mode. For the parameters available for each application, see Chapter 22, "Applying Application Layer Protocol Inspection."

The following is an example of an HTTP inspection policy map and the related class maps. This policy map is activated by the Layer 3/4 policy map, which is enabled by the service policy.

OL-20748-01 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM 20-9
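To make the ordering rules above concrete, the following is an added example written for this page, not Cisco code: a small Python model of the semantics the text describes (a terminating action such as reset or drop-connection stops processing, log does not; within one match or class command the packet is logged before it is reset; class maps are ranked by their lowest-priority match command, with ties broken by policy-map order). The numeric priority values, the Entry and packet representations, and the helper names are assumptions; only the "content length outranks content type" relation and the two examples (the HTTP header-length pair and the sip1/sip2/sip3 class maps) come from the text. Running it shows why a reset placed before a log line silently removes the log.

```python
"""Model of how an FWSM inspection policy map orders match/class entries and
applies their actions. Added example for this page; it is not Cisco code and
only encodes the rules stated in the text."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Actions after which no further actions are performed on the packet.
TERMINAL_ACTIONS = {"reset", "drop", "drop-connection"}

# Assumed relative priority of match types (higher number = higher priority).
# The real ranking is internal to the FWSM; only "content length outranks
# content type" comes from the page. Same-type entries keep policy-map order.
MATCH_PRIORITY: Dict[str, int] = {
    "content length": 2,
    "content type": 1,
    "request header length": 1,
}


@dataclass
class Entry:
    """One match command or class map referenced from the inspection policy map."""
    name: str
    match_types: Tuple[str, ...]          # match commands it contains (match-all)
    predicate: Callable[[dict], bool]     # True when the packet satisfies all of them
    actions: Tuple[str, ...]              # e.g. ("log",) or ("log", "reset")


def evaluation_order(entries: List[Entry]) -> List[Entry]:
    """Rank entries by the LOWEST priority match command each contains (higher
    ranked first); ties keep the order in which they appear in the policy map."""
    indexed = list(enumerate(entries))
    indexed.sort(key=lambda pair: (-min(MATCH_PRIORITY[m] for m in pair[1].match_types), pair[0]))
    return [entry for _, entry in indexed]


def inspect(packet: dict, entries: List[Entry]) -> List[str]:
    """Return the actions taken on one packet, in order, as 'entry:action'.
    A terminal action stops processing; log does not. Within one entry the
    log is applied before the terminal action, as the text describes."""
    applied: List[str] = []
    for entry in evaluation_order(entries):
        if not entry.predicate(packet):
            continue
        for action in sorted(entry.actions, key=lambda a: a in TERMINAL_ACTIONS):
            applied.append(f"{entry.name}:{action}")
            if action in TERMINAL_ACTIONS:
                return applied
    return applied


def http_example(reverse: bool = False, combined: bool = False) -> List[str]:
    """The page's HTTP example: header length 1001 against 'gt 100 log' and
    'gt 1000 reset'. reverse=True swaps the two match commands; combined=True
    puts log and reset on the same match command, which logs before resetting."""
    long_hdr = lambda p: p["header_length"] > 1000
    if combined:
        entries = [Entry("hdr>1000", ("request header length",), long_hdr, ("reset", "log"))]
    else:
        entries = [
            Entry("hdr>100", ("request header length",), lambda p: p["header_length"] > 100, ("log",)),
            Entry("hdr>1000", ("request header length",), long_hdr, ("reset",)),
        ]
        if reverse:
            entries.reverse()
    return inspect({"header_length": 1001}, entries)


# The page's three SIP class maps, in the order the policy map references them.
SIP_CLASSES = [
    Entry("sip3", ("content length", "content type"),
          lambda p: p["content_length"] > 1000 and p["content_type"] == "sdp", ("log",)),
    Entry("sip2", ("content type",), lambda p: p["content_type"] == "sdp", ("log",)),
    Entry("sip1", ("content length",), lambda p: p["content_length"] > 1000, ("log",)),
]


def sip_order() -> List[str]:
    """Order in which the SIP class maps are evaluated, independent of policy-map order."""
    return [entry.name for entry in evaluation_order(SIP_CLASSES)]


if __name__ == "__main__":
    print("in order   :", http_example())                # ['hdr>100:log', 'hdr>1000:reset']
    print("reversed   :", http_example(reverse=True))    # ['hdr>1000:reset'] (never logged)
    print("combined   :", http_example(combined=True))   # ['hdr>1000:log', 'hdr>1000:reset']
    print("SIP ranking:", sip_order())                   # ['sip1', 'sip3', 'sip2']
    print("SIP packet :", inspect({"content_length": 2000, "content_type": "sdp"}, SIP_CLASSES))
```

The practical takeaway the model makes visible: when you want a packet both logged and reset, put log and the terminating action on the same match or class command (the combined case) rather than relying on two separate lines whose relative order, for class maps, is decided by internal match-type priority and not by where you placed them in the policy map.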