Chapter 4 Configuring Class Maps and Policy Maps
Class Map and Policy Map Overview
Cisco 4700 Series Application Control Engine Appliance Administration Guide
OL-11157-01
Figure 4-1  Class Map and Policy Map: Application Protocol Inspection Configuration Flow Diagram

1  Layer 7 HTTP Inspection Class Map
   (config)# class-map type http inspect match-all | match-any HTTP_INSPECT_L7CLASS
   Defines multiple Layer 7 HTTP deep packet inspection match criteria, such as:
   - Content expressions and length
   - Header, header length, header MIME-type
   - Port misuse
   - URL expressions and length

   Layer 7 HTTP inspection class map associated with Layer 7 HTTP inspection policy map

2  Layer 7 HTTP Inspection Policy Map
   (config)# policy-map type inspect http all-match HTTP_INSPECT_L7POLICY
   Associates the Layer 7 HTTP inspection class map and specifies one or more of the following actions:
   - Permit
   - Reset

3  Layer 7 FTP Inspection Class Map
   (config)# class-map type ftp inspect match-any FTP_INSPECT_L7CLASS
   Defines multiple Layer 7 FTP request command inspection match criteria, including: appe, cdup, dele, get, help, mkd, put, rmd, rnfr, rnto, site, stou, and syst

   Layer 7 FTP inspection class map associated with Layer 7 FTP inspection policy map

4  Layer 7 FTP Inspection Policy Map
   (config)# policy-map type inspect ftp first-match FTP_INSPECT_L7POLICY
   Associates the Layer 7 FTP inspection class map and specifies one or more of the following actions:
   - Deny
   - Mask-reply

5  Layer 3 and Layer 4 Traffic Class Map
   (config)# class-map match-all | match-any APP_INSPECT_L4CLASS
   Defines Layer 3 and Layer 4 traffic match criteria for application protocol inspection:
   - Access list
   - Port

   Layer 3 and Layer 4 traffic class map, Layer 7 HTTP inspection policy map, and Layer 7 FTP policy map associated with a Layer 3 and Layer 4 policy map

6  Layer 3 and Layer 4 Policy Map
   (config)# policy-map multi-match HTTP_INSPECT_L4POLICY
   Creates a Layer 3 and Layer 4 policy map to perform one or more of the following actions:
   - Associate Layer 3 and Layer 4 traffic class map
   - Associate Layer 7 HTTP deep packet inspection policy map
   - Associate Layer 7 FTP command inspection policy map
   - Perform HTTP inspection
   - Perform DNS inspection
   - Perform FTP inspection
   - Perform ICMP inspection
   - Perform RTSP inspection

   Policy map applied globally to all VLAN interfaces or to a specific VLAN interface

7  Global Service Policy/VLAN
   (config)# service-policy input HTTP_INSPECT_L4POLICY
   Service policy applies policy map to all VLAN interfaces in the context

   Specific Service Policy/VLAN
   (config)# interface vlan 50
   (config-if)# service-policy input HTTP_INSPECT_L4POLICY
   Service policy applies policy map to a specific VLAN interface
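
The inspection in Figure 4-1 only reaches traffic when every association in the chain exists: a Layer 7 policy map that no Layer 3 and Layer 4 policy map references, or a Layer 3 and Layer 4 policy map that no service policy applies, inspects nothing. The following Python check is an added example, not part of the Cisco guide; it parses configuration text written with the figure's commands and reports broken links. The indented `class` and `inspect ... policy` lines in the constructed sample are assumed sub-command syntax that the figure does not show.

```python
import re
# Constructed sample. Top-level commands follow the figure; the indented
# "class" and "inspect ... policy" lines are assumed sub-command syntax.
SAMPLE = """\
(config)# class-map type http inspect match-any HTTP_INSPECT_L7CLASS
(config)# policy-map type inspect http all-match HTTP_INSPECT_L7POLICY
  class HTTP_INSPECT_L7CLASS
(config)# class-map type ftp inspect match-any FTP_INSPECT_L7CLASS
(config)# policy-map type inspect ftp first-match FTP_INSPECT_L7POLICY
  class FTP_INSPECT_L7CLASS
(config)# class-map match-all APP_INSPECT_L4CLASS
(config)# policy-map multi-match HTTP_INSPECT_L4POLICY
  class APP_INSPECT_L4CLASS
    inspect http policy HTTP_INSPECT_L7POLICY
(config)# interface vlan 50
(config-if)# service-policy input HTTP_INSPECT_L4POLICY
"""

def check_chain(config):
    """Return sorted descriptions of broken links in the step 1-7 chain."""
    classes, l7, l4 = set(), set(), set()        # defined class/policy maps
    class_refs, l7_refs, applied = [], set(), set()
    current = None                               # policy map being defined
    for raw in config.splitlines():
        # Drop a leading "(config)#" or "(config-if)#" prompt, then tokenize.
        w = re.sub(r"^\s*\(config[^)]*\)#\s*", "", raw).split()
        if not w:
            continue
        if w[0] == "class-map":
            classes.add(w[-1])
            current = None
        elif w[0] == "policy-map":
            current = w[-1]
            (l7 if "inspect" in w else l4).add(current)
        elif w[0] == "class" and current and w[-1] != "class-default":
            class_refs.append((current, w[-1]))
        elif w[0] == "inspect" and "policy" in w and current:
            l7_refs.add(w[-1])
        elif w[0] == "service-policy":
            applied.add(w[-1])
        elif w[0] == "interface":
            current = None
    out = [f"{p}: class map {c} is not defined" for p, c in class_refs if c not in classes]
    out += [f"{p}: Layer 7 policy map is not defined" for p in l7_refs - l7]
    out += [f"{p}: not associated with a Layer 3 and Layer 4 policy map" for p in l7 - l7_refs]
    out += [f"{p}: not applied by any service-policy" for p in l4 - applied]
    out += [f"{p}: service-policy references an undefined policy map" for p in applied - l4]
    return sorted(out)

if __name__ == "__main__":
    print("\n".join(check_chain(SAMPLE)) or "chain complete")
```

On the constructed sample the check flags FTP_INSPECT_L7POLICY, which is defined in step 4 but never associated in step 6.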