Home » Cisco Manuals » Servers » Cisco ACE-4710-K9 » Manual Viewer

Cisco ACE-4710-K9 Administration Guide - Page 118

Class Map and Policy Map, Application Protocol Inspection Configuration Flow Diagram

Add to My Manuals
Save this manual to your list of manuals

Page 118 highlights

Class Map and Policy Map Overview Chapter 4 Configuring Class Maps and Policy Maps Figure 4-1 Class Map and Policy Map-Application Protocol Inspection Configuration Flow Diagram 1 Layer 7 HTTP Inspection Class Map (config)# class-map type http inspect match-all | match-any HTTP_INSPECT_L7CLASS Defines multiple Layer 7 HTTP deep packet inspection match criteria, such as: Content expressions and length Header, header length, header MIME-type Port misuse URL expressions and length Layer 7 HTTP inspection class map associated with Layer 7 HTTP inspection policy map 2 Layer 7 HTTP Inspection Policy Map (config)# policy-map type inspect http all-match HTTP_INSPECT_L7POLICY Associates the Layer 7 HTTP inspection class map and specifies one or more of the following actions: Permit Reset 3 Layer 7 FTP Inspection Class Map (config)# class-map type ftp inspect match-any FTP_INSPECT_L7CLASS Defines multiple Layer 7 FTP request command inspection match criteria, including: appe, cdup, dele, get, help, mkd, put, rmd, rnfr, rnto, site, stou, and syst Layer 7 FTP inspection class map associated with Layer 7 FTP inspection policy map 4 Layer 7 FTP Inspection Policy Map (config)# policy-map type inspect ftp first-match FTP_INSPECT_L7POLICY Associates the Layer 7 FTP inspection class map and specifies one or more of the following actions: Deny Mask-reply 5 Layer 3 and Layer 4 Traffic Class Map (config)# class-map match-all | match-any APP_INSPECT_L4CLASS Defines Layer 3 and Layer 4 traffic match criteria for application protocol inspection: Access list Port 6 Layer 3 and Layer 4 Policy Map (config)# policy-map multi-match HTTP_INSPECT_L4POLICY Creates a Layer 3 and Layer 4 policy map to perform one or more of the following actions: Associate Layer 3 and Layer 4 traffic Layer 3 and Layer 4 traffic class map, Layer 7 HTTP inspection policy map, and Layer 7 FTP policy map associated with a Layer 3 and Layer 4 policy map class map Associate Layer 7 HTTP deep packet inspection policy map Associate Layer 7 FTP command inspection policy map Perform HTTP inspection Perform DNS inspection Perform FTP inspection Perform ICMP inspection Perform RTSP inspection Policy map applied globally to all VLAN interfaces or to a specific VLAN interface 7 Global Service Policy/VLAN (config)# service-policy input HTTP_INSPECT_L4POLICY Service policy applies policy map to all VLAN interfaces in the context Specific Service Policy/VLAN (config)# interface vlan 50 (config-if)# service-policy input HTTP_INSPECT_L4POLICY Service policy applies policy map to a specific VLAN interface 153381 Cisco 4700 Series Application Control Engine Appliance Administration Guide 4-4 OL-11157-01

Section	Page
Cisco 4700 Series Application Control Engine Appliance Administration Guide	1
Contents	3
Preface	15
Setting Up the ACE	27
Establishing a Console Connection on the ACE	28
Using the Setup Script to Enable Connectivity to the Device Manager	29
Connecting and Logging into the ACE	33
Changing the Administrative Password	35
Resetting the Administrator CLI Account Password	36
Assigning a Name to the ACE	38
Configuring an ACE Inactivity Timeout	38
Configuring a Message-of-the-Day Banner	39
Configuring the Time, Date, and Time Zone	41
Setting the System Time and Date	41
Setting the Time Zone	42
Adjusting for Daylight Saving Time	45
Viewing the System Clock Settings	47
Synchronizing the ACE with an NTP Server	47
Configuring NTP Server and Peer Associations	48
Viewing NTP Statistics and Information	49
.Clearing NTP Statistics	54
Configuring Terminal Settings	56
Configuring Terminal Display Attributes	56
Configuring Terminal Line Settings	58
Configuring Console Line Settings	58
Configuring Virtual Terminal Line Settings	60
Modifying the Boot Configuration	61
Setting the Boot Method from the Configuration Register	61
Setting the BOOT Environment Variable	63
Configuring the ACE to Bypass the Startup Configuration File During the Boot Process	64
Displaying the ACE Boot Configuration	67
Restarting the ACE	67
Shutting Down the ACE	68
Enabling Remote Access to the ACE	69
Remote Access Configuration Quick Start	70
Configuring Remote Network Management Traffic Services	72
Creating and Configuring a Remote Management Class Map	73
Defining a Class Map Description	74
Defining Remote Network Management Protocol Match Criteria	75
Creating a Layer 3 and Layer 4 Remote Access Policy Map	77
Creating a Layer 3 and Layer 4 Policy Map for Network Management Traffic Received by the ACE	77
Defining a Layer 3 and Layer 4 Policy Map Description	78
Specifying a Layer 3 and Layer 4 Traffic Class With the Traffic Policy	78
Defining Layer 3 and Layer 4 Management Traffic Policy Actions	80
Applying a Service Policy	81
Configuring Telnet Management Sessions	83
Configuring SSH Management Sessions	84
Configuring Maximum Number of SSH Sessions	84
Generating SSH Host Key Pairs	85
Terminating an Active User Session	87
Enabling ICMP Messages to the ACE	87
Directly Accessing a User Context Through SSH	89
Example of a Remote Access Configuration	91
Viewing Session Information	92
Showing Telnet Session Information	92
Showing SSH Session Information	94
Showing SSH Session Information	94
Showing SSH Key Details	95
Managing ACE Software Licenses	97
Available ACE Licenses	98
Ordering an Upgrade License and Generating a Key	101
Copying a License File to the ACE	102
Installing a New or Upgrade License File	103
Replacing a Demo License with a Permanent License	104
Removing a License	105
Removing an Appliance Performance Throughput License	106
Removing an SSL TPS License	106
Removing a Virtualization Context License	106
Removing an HTTP Compression Performance License	109
Removing the Application Acceleration Software Feature Pack License	110
Backing Up a License File	111
Displaying License Configurations and Statistics	112
Configuring Class Maps and Policy Maps	115
Class Map and Policy Map Overview	116
Class Maps	119
Policy Maps	120
Service Policies	123
Class Map and Policy Map Configuration Quick Start	124
Configuring Layer 3 and Layer 4 Class Maps	138
Defining Layer 3 and Layer 4 Classifications for Network Traffic Passing Through the ACE	138
Creating a Layer 3 and Layer 4 Network Traffic Class Map	139
Defining a Class Map Description	141
Defining Access-List Match Criteria	142
Defining Match Any Criteria	142
Defining Destination IP Address and Subnet Mask Match Criteria	143
Defining TCP/UDP Port Number or Port Range Match Criteria	144
Defining the Source IP Address and Subnet Mask Match Criteria	145
Defining the VIP Address Match Criteria	146
Defining Layer 3 and Layer 4 Classifications for Network Management Traffic Received by the ACE	149
Creating a Layer 3 and Layer 4 Network Management Traffic Class Map	149
Defining Network Management Access Match Criteria	151
Configuring Layer 7 Class Maps	152
Defining Layer 7 Classifications for HTTP Server Load Balancing	153
Defining Layer 7 Classifications for HTTP Deep Packet Inspection	155
Defining Layer 7 Classifications for FTP Command Inspection	156
Configuring a Layer 3 and Layer 4 Policy Map	157
Creating a Layer 3 and Layer 4 Policy Map for Network Management Traffic Received by the ACE	158
Creating a Layer 3 and Layer 4 Policy Map for Network Traffic Passing Through the ACE	159
Defining a Layer 3 and Layer 4 Policy Map Description	159
Specifying a Layer 3 and Layer 4 Traffic Class With the Traffic Policy	160
Specifying Layer 3 and Layer 4 Policy Actions	161
Using Parameter Maps in a Layer 3 and Layer 4 Policy Map	163
Configuring a Layer 7 Policy Map	164
Creating a Layer 7 Policy Map	165
Adding a Layer 7 Policy Map Description	167
Including Inline Match Statements in a Layer 7 Policy Map	167
Specifying a Layer 7 Traffic Class with the Traffic Policy	168
Specifying Layer 7 Policy Actions	169
Associating the Layer 7 Policy Map with a Layer 3 and Layer 4 Policy Map	171
Applying a Service Policy	172
Class Maps and Policy Map Examples	174
Firewall Example	174
Layer 7 Load-Balancing Example	177
Layer 3 and Layer 4 Load-Balancing Example	179
VIP With Connection Parameters Example	180
Example of a Traffic Policy Configuration	182
Viewing Class Maps, Policy Maps, and Service Policies	185
Displaying Class Map Configuration Information	185
Displaying Policy Map Configuration Information	185
Displaying Service Policy Configuration Information	186
Managing the ACE Software	191
Saving Configuration Files	191
Saving the Configuration File in Flash Memory	193
Saving Configuration Files to a Remote Server	194
Copying the Configuration File to the disk0: File System	195
Merging the Startup-Configuration File with the Running-Configuration File	196
Viewing Configuration Files	197
Viewing User Context Running-Config Files from the Admin Context	200
Clearing the Startup-Configuration File	200
Loading Configuration Files from a Remote Server	201
Using the File System on the ACE	202
Listing the Files in a Directory	203
Copying Files	205
Copying Files to Another Directory on the ACE	205
Copying Licenses	206
Copying a Packet Capture Buffer	206
Copying Files to a Remote Server	207
Copying Files from a Remote Server	209
Copying an ACE Software System Image to a Remote Server	210
Uncompressing Files in the disk0: File System	211
Untarring Files in the disk0: File System	212
Creating a New Directory	212
Deleting an Existing Directory	213
Moving Files	213
Deleting Files	214
Displaying File Contents	215
Saving show Command Output to a File	216
Viewing and Copying Core Dumps	217
Copying Core Dumps	218
Clearing the Core Directory	219
Deleting a Core Dump File	219
Capturing and Copying Packet Information	220
Capturing Packet Information	220
Copying Capture Buffer Information	222
Viewing Packet Capture Information	223
Using the Configuration Checkpoint and Rollback Service	227
Overview	227
Creating a Configuration Checkpoint	228
Deleting a Configuration Checkpoint	228
Rolling Back a Running Configuration	229
Displaying Checkpoint Information	229
Reformatting Flash Memory	230
Viewing ACE Hardware and Software Configuration Information	233
Displaying Software Version Information	234
Displaying Software Copyright Information	235
Displaying Hardware Information	235
Displaying the Hardware Inventory	236
Displaying ACE Environment Information	237
Displaying System Processes	238
Displaying Process Status Information and Memory Resource Limits	243
Displaying System Information	246
Displaying ICMP Statistics	248
Displaying Technical Support Information	249
Configuring Redundant ACE Appliances	253
Overview of Redundancy	253
Redundancy Protocol	254
Stateful Failover	257
FT VLAN	258
Configuration Synchronization	259
Configuration Requirements and Restrictions	260
Redundancy Configuration Quick Start	260
Configuring Redundancy	264
Configuring an FT VLAN	264
Creating an FT VLAN	265
Configuring an FT VLAN IP Address	265
Configuring the Peer IP Address	266
Enabling the FT VLAN	267
Configuring an Alias IP Address	267
Configuring an FT Peer	268
Associating the FT VLAN with the Local Peer	268
Configuring the Heartbeat Interval and Count	269
Configuring a Query Interface	270
Configuring an FT Group	271
Associating a Context with an FT Group	271
Associating a Peer with an FT Group	272
Assigning a Priority to the Active FT Group Member	272
Assigning a Priority to the Standby FT Group Member	273
Configuring Preemption	274
Placing an FT Group in Service	275
Modifying an FT Group	275
Forcing a Failover	276
Synchronizing Redundant Configurations	277
Configuring Tracking and Failure Detection	280
Overview of Tracking and Failure Detection	280
Configuring Tracking and Failure Detection for a Host or Gateway	281
Creating a Tracking and Failure Detection Process for a Host or Gateway	282
Configuring the Gateway or Host IP Address Tracked by the Active Member	282
Configuring a Probe on the Active Member for Host Tracking	283
Configuring a Priority on the Active Member for Multiple Probes	284
Configuring the Gateway or Host IP Address Tracked by the Standby Member	284
Configuring a Probe on the Standby Member for Host Tracking	285
Configuring a Priority on the Standby Member for Multiple Probes	285
Example of a Tracking Configuration for a Gateway	286
Configuring Tracking and Failure Detection for an Interface	287
Creating a Tracking and Failure Detection Process for an Interface	287
Configuring the Interface Tracked by the Active Member	288
Configuring a Priority for a Tracked Interface on the Active Member	288
Configuring the Interface Tracked by the Standby Member	289
Configuring a Priority for a Tracked Interface on the Standby Member	289
Example of a Tracking Configuration for an Interface	290
Example of a Redundancy Configuration	290
Displaying Redundancy Information	293
Displaying Redundancy Configurations	293
Displaying FT Group Information	293
Displaying the IDMAP Table	298
Displaying the Redundancy Internal Software History	299
Displaying Memory Statistics	299
Displaying Peer Information	299
Displaying FT Statistics	303
Displaying FT Tracking Information	306
Clearing Redundancy Statistics	310
Clearing FT Statistics	310
Clearing the Redundancy History	310
Configuring SNMP	311
SNMP Overview	312
Managers and Agents	313
SNMP Manager and Agent Communication	314
SNMP Traps and Informs	315
SNMPv3 CLI User Management and AAA Integration	316
CLI and SNMP User Synchronization	316
Supported MIBs and Notifications	317
SNMP Limitations	334
SNMP Configuration Quick Start	335
Configuring SNMP Users	337
Defining SNMP Communities	339
Configuring an SNMP Contact	341
Configuring an SNMP Location	341
Configuring SNMP Notifications	342
Configuring SNMP Notification Hosts	342
Enabling SNMP Notifications	344
Enabling the IETF Standard for SNMP linkUp and linkDown Traps	346
Assigning a Trap-Source Interface for SNMP Traps	347
Configuring SNMP Management Traffic Services	348
Creating and Configuring a Layer 3 and Layer 4 Class Map	349
Defining a Class Map Description	350
Defining SNMP Protocol Match Criteria	351
Creating a Layer 3 and Layer 4 Policy Map	352
Creating a Layer 3 and Layer 4 Policy Map for SNMP Network Management Traffic Received by the ACE	352
Specifying a Layer 3 and Layer 4 Traffic Class with the Traffic Policy	353
Specifying Layer 3 and Layer 4 Policy Actions	354
Applying a Service Policy	355
Example of an SNMP Configuration	357
Displaying SNMP Statistics	360
Configuring the XML Interface	365
XML Overview	366
XML Usage with the ACE	366
HTTP and HTTPS Support with the ACE	368
HTTP Return Codes	369
Document Type Definition	371
Sample XML Configuration	373
XML Configuration Quick Start	375
Configuring HTTP and HTTPS Management Traffic Services	377
Creating and Configuring a Class Map	378
Defining a Class Map Description	379
Defining HTTP and HTTPS Protocol Match Criteria	380
Creating a Layer 3 and Layer 4 Policy Map	381
Creating a Layer 3 and Layer 4 Policy Map for Network Management Traffic Received by the ACE	381
Specifying a Layer 3 and Layer 4 Traffic Class with the Traffic Policy	382
Specifying Layer 3 and Layer 4 Policy Actions	384
Applying a Service Policy	384
Enabling the Display of Raw XML Request show Command Output in XML Format	388
Accessing the ACE DTD File	391
Upgrading Your ACE Software	393
Overview of Upgrading ACE Software	394
Before You Begin	394
Changing the Admin Password	394
Changing the www User Password	395
Checking Your Configuration for FT Priority and Preempt	395
Creating a Checkpoint	395
Software Upgrade Quick Start	396
Copying the Software Upgrade Image to the ACE	399
Configuring the ACE to Autoboot the Software Image	400
Setting the Boot Variable	400
Configuring the Configuration Register to Autoboot the Boot Variable	401
Verifying the Boot Variable and Configuration Register	402
Reloading the ACE	402
Displaying Software Image Information	403

Match case Limit results 1 per page

Chapter 4

Configuring Class Maps and Policy Maps

Class Map and Policy Map Overview

4-4

Cisco 4700 Series Application Control Engine Appliance Administration Guide

OL-11157-01

Figure 4-1

Class Map and Policy Map

—

Application Protocol Inspection Configuration Flow Diagram

153381

ayer 7 HTTP Inspection Policy Map

(config)# policy-map type inspect http all-match

HTTP_INSPECT_L7POLICY

Associates the Layer 7 HTTP inspection class

map and specifies one or more of the following

actions:

Permit

Reset

Layer 7 HTTP Inspection Class Map

(config)# class-map type http inspect match-all |

match-any HTTP_INSPECT_L7CLASS

Defines multiple Layer 7 HTTP deep packet

inspection match criteria, such as:

Content expressions and length

Header, header length, header MIME-type

Port misuse

URL expressions and length

Layer 7 HTTP inspection class map

associated with Layer 7 HTTP inspection

policy map

Layer 7 FTP Inspection Class Map

(config)# class-map type ftp inspect match-any

FTP_INSPECT_L7CLASS

Defines multiple Layer 7 FTP request command

inspection match criteria, including: appe, cdup,

dele, get, help, mkd, put, rmd, rnfr, rnto,

site, stou, and syst

Layer 7 FTP inspection class map associated

with Layer 7 FTP inspection policy map

Policy map applied globally

to all VLAN interfaces or

to a specific VLAN interface

Global Service Policy/VLAN

(config)# service-policy input

HTTP_INSPECT_L4POLICY

Service policy applies policy

map to all VLAN interfaces in

the context

Specific Service Policy/VLAN

(config)# interface vlan 50

(config-if)# service-policy input

HTTP_INSPECT_L4POLICY

Service policy applies policy

map to a specific VLAN

interface

Layer 3 and Layer 4

traffic class map,

Layer 7 HTTP

inspection policy

map, and Layer 7 FTP

policy map associated

with a Layer 3 and

Layer 4 policy map

Layer 7 FTP Inspection Policy Map

(config)# policy-map type inspect ftp first-match

FTP_INSPECT_L7POLICY

Associates the Layer 7 FTP inspection class map

and specifies one or more of the following actions:

Deny

Mask-reply

Layer 3 and Layer 4 Policy Map

(config)# policy-map multi-match

HTTP_INSPECT_L4POLICY

Creates a Layer 3 and Layer 4 policy

map to perform one or more of the

following actions:

Associate Layer 3 and Layer 4 traffic

class map

Associate Layer 7 HTTP deep packet

inspection policy map

Associate Layer 7 FTP command

inspection policy map

Perform HTTP inspection

Perform DNS inspection

Perform FTP inspection

Perform ICMP inspection

Perform RTSP inspection

Layer 3 and Layer 4 Traffic Class Map

(config)# class-map match-all | match-any

APP_INSPECT_L4CLASS

Defines Layer 3 and Layer 4 traffic match

criteria for application protocol inspection:

Access list

Port