Chapter 4 Configuring Class Maps and Policy Maps
Configuring Layer 7 Class Maps
Cisco 4700 Series Application Control Engine Appliance Administration Guide
OL-11157-01
– match-any—Network traffic needs to satisfy only one of the match criteria (implicit OR) to match the Layer 7 HTTP deep packet inspection class map. The match-any keyword is applicable only for match statements of the same Layer 7 HTTP deep packet inspection type. For example, the ACE does not allow you to specify a match-any condition for URL, HTTP header, and URL content statements in the same class map but does allow you to specify a match-any condition for multiple URLs, multiple HTTP headers, or multiple URL content statements with different names in the same class map.
• map_name—Name assigned to the class map. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
When you use the class-map type http inspect command, you will access class map HTTP inspection configuration mode. For details on specifying the match criteria for the HTTP application protocol inspection class map, see the Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide.
Defining Layer 7 Classifications for FTP Command Inspection
The ACE uses a Layer 7 FTP command class map to perform FTP request inspection for FTP sessions, which allows you to have the ACE restrict specific commands. You can use this function to prevent web browsers from sending embedded commands to the ACE in FTP requests. The ACE must acknowledge each specified FTP command before it allows a new command.
To create a Layer 7 class map to be used for the inspection of FTP request commands, use the class-map type ftp inspect command in configuration mode. The syntax of this command is:
class-map type ftp inspect match-any map_name
The keywords and arguments are:
• match-any—Specifies that only one of the match criteria listed in the class map needs to be satisfied to match the FTP command inspection class in the class map.
• map_name—Name assigned to the class map. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
When you use the class-map type ftp inspect command, you will access class map FTP inspection configuration mode. For details on specifying the match criteria for the FTP command inspection class map, see the Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide.