Configuring Layer 7 Class Maps
Defining Layer 7 Classifications for FTP Command Inspection
Cisco 4700 Series Application Control Engine Appliance Administration Guide
– match-any—Network traffic needs to satisfy only one of the match
  criteria (implicit OR) to match the Layer 7 HTTP deep packet inspection
  class map. The match-any keyword is applicable only for match
  statements of the same Layer 7 HTTP deep packet inspection type. For
  example, the ACE does not allow you to specify a match-any condition
  for URL, HTTP header, and URL content statements in the same class
  map but does allow you to specify a match-any condition for multiple
  URLs, multiple HTTP headers, or multiple URL content statements with
  different names in the same class map.
• map_name—Name assigned to the class map. Enter an unquoted text string
  with no spaces and a maximum of 64 alphanumeric characters.
When you use the class-map type http inspect command, you will access class
map HTTP inspection configuration mode. For details on specifying the match
criteria for the HTTP application protocol inspection class map, see the Cisco
4700 Series Application Control Engine Appliance Security Configuration Guide.
The ACE uses a Layer 7 FTP command class map to perform FTP request
inspection for FTP sessions, allowing you to have the ACE restrict
specific commands. You can use this function to prevent web browsers from
sending embedded commands to the ACE in FTP requests. The ACE must
acknowledge each specified FTP command before it allows a new command.
To create a Layer 7 class map to be used for the inspection of FTP request
commands, use the class-map type ftp inspect command in configuration mode.
The syntax of this command is:
class-map type ftp inspect match-any map_name
The keywords and arguments are:
• match-any—Specifies that only one of the match criteria listed in the
  class map needs to be satisfied to match the FTP command inspection
  class in the class map.
• map_name—Name assigned to the class map. Enter an unquoted text string
  with no spaces and a maximum of 64 alphanumeric characters.
When you use the class-map type ftp inspect command, you will access class
map FTP inspection configuration mode. For details on specifying the match
criteria for the FTP command inspection class map, see the Cisco 4700 Series
Application Control Engine Appliance Security Configuration Guide.
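
A small configuration linter, added here as an example (not code from the Cisco guide), that checks a constructed configuration excerpt against the two constraints stated above: the class map name limits and the rule that a match-any HTTP inspection class map cannot mix match statement types. The match keywords in the sample, and treating the first word after match as the statement type, are assumptions.

```python
import re

# Constructed sample configuration (not from the guide). The match keywords
# (url, header, request-method) are assumptions for illustration.
SAMPLE_CONFIG = """\
class-map type http inspect match-any L7_URLS
  match url .*\\.cgi
  match url .*\\.exe
class-map type http inspect match-any L7_MIXED
  match url .*\\.cgi
  match header Host header-value .*example\\.com
class-map type ftp inspect match-any FTP_CMDS
  match request-method cdup
  match request-method put
class-map type ftp inspect match-any {long_name}
  match request-method dele
""".format(long_name="F" * 65)

HEADER = re.compile(r"^class-map type (http|ftp) inspect (match-any|match-all) (.+)$")
MATCH = re.compile(r"^\s+(?:\d+\s+)?match\s+(\S+)")

def lint(config):
    """Return (map_name, problem) tuples for the two rules described above."""
    maps, current = [], None
    for line in config.splitlines():
        header = HEADER.match(line)
        stmt = MATCH.match(line)
        if header:
            current = {"proto": header.group(1), "mode": header.group(2),
                       "name": header.group(3).strip(), "kinds": set()}
            maps.append(current)
        elif stmt and current is not None:
            current["kinds"].add(stmt.group(1))
        elif line.strip() and not line[0].isspace():
            current = None  # another top-level command ends the class map
    findings = []
    for cm in maps:
        # Name rule from the guide: no spaces, at most 64 characters.
        if len(cm["name"]) > 64 or re.search(r"\s", cm["name"]):
            findings.append((cm["name"], "name must have no spaces and at most 64 characters"))
        # match-any rule: only statements of the same HTTP inspection type.
        if cm["proto"] == "http" and cm["mode"] == "match-any" and len(cm["kinds"]) > 1:
            findings.append((cm["name"], "match-any mixes match types: "
                             + ", ".join(sorted(cm["kinds"]))))
    return findings

if __name__ == "__main__":
    for name, problem in lint(SAMPLE_CONFIG):
        print(f"{name[:20]}: {problem}")
```
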
Chapter 4
Configuring Class Maps and Policy Maps
OL-11157-01