Configuring Afp - Alcatel-Lucent OmniSwitch 9900 Series Network Configuration Manual

OmniSwitch AOS Release 8

Configuring Application Fingerprinting

Configuring AFP

This section provides the following information about how to configure and activate the OmniSwitch implementation of Application Fingerprinting:

"Configuration Guidelines"
"Enabling/Disabling AFP"
"Enabling/Disabling Trap Generation"
"Changing the REGEX Signature Filename"
"Defining Application REGEX Signatures and Groups"
"Configuring AFP Port Modes"

Configuration Guidelines

Review the guidelines in this section before attempting to configure and activate OmniSwitch Application Fingerprinting (AFP).

The AFP pattern matching function compares IP packets to REGEX signatures. These signatures are defined in a user-configurable ASCII text file located on the switch. This file also defines groups of application signatures and associates each group with a specific name. A group name is required when configuring AFP functionality (operational modes) on a switch port or link aggregate. Make sure the appropriate application groups are defined in the text file.

Configuring different operational modes (monitoring, QoS, or UNP) on the same AFP port is allowed, but use different application groups for each mode to avoid conflicts or inconsistencies in how traffic is processed. For example, if monitoring mode is set to use application group named "appgroup1", then configure QoS mode on that same port to use a policy list that specifies application group name "appgroup2".

QoS, UNP, and AFP QoS use shared switch resources. So configuring an AFP port to run in the QoS mode, UNP mode, or both modes, will require additional QoS resources that may be limited depending on what else is running on the switch.

Make sure a QoS policy list assigned directly to an AFP port running in the QoS mode is configured as an Application Fingerprinting policy list type (appfp). In addition, the policy list rules must contain the appfp-group policy condition that specifies the name of an application signature group that AFP uses for packet pattern matching. For example:

-> policy condition c1 appfp-group myp2p
-> policy action a1 disposition drop
-> policy rule drop-p2p condition c1 action a1 no default-list
-> policy list afp-p2p type appfp
-> policy list afp-p2p rules drop-p2p
-> app-fingerprint port 1/1/5 policy-list-name afp-p2p

A QoS policy list assigned to a UNP that is associated with an AFP port running in the UNP mode
must also contain policy list rules that use the appfp-group policy condition to specify the application
group used for packet pattern matching. However, configuring the policy list as an AFP list type is not
required when the list is associated with a UNP.
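
A check for the QoS-mode guideline above, written as an added example (not part of the Alcatel-Lucent manual): it parses saved CLI lines and reports any AFP port whose policy list is not type appfp or whose rules lack an appfp-group condition. The helper name lint_afp_qos and the BAD sample are constructed for illustration; only the command forms shown on this page are parsed.

```python
import re

# GOOD is the QoS-mode example from this page; BAD is a constructed variant.
GOOD = """\
-> policy condition c1 appfp-group myp2p
-> policy action a1 disposition drop
-> policy rule drop-p2p condition c1 action a1 no default-list
-> policy list afp-p2p type appfp
-> policy list afp-p2p rules drop-p2p
-> app-fingerprint port 1/1/5 policy-list-name afp-p2p
"""
BAD = """\
-> policy condition c2 source ip 192.0.2.10
-> policy action a1 disposition drop
-> policy rule drop-host condition c2 action a1 no default-list
-> policy list afp-bad rules drop-host
-> app-fingerprint port 1/1/6 policy-list-name afp-bad
"""

def lint_afp_qos(config):  # hypothetical helper name, not an AOS tool
    """Return findings for AFP ports whose policy list breaks the guideline."""
    cond_group, rule_cond, list_type, list_rules, port_list = {}, {}, {}, {}, {}
    for raw in config.splitlines():
        line = raw.strip().removeprefix("->").strip()
        if m := re.match(r"policy condition (\S+) .*\bappfp-group (\S+)", line):
            cond_group[m[1]] = m[2]          # condition -> signature group
        elif m := re.match(r"policy rule (\S+) .*\bcondition (\S+)", line):
            rule_cond[m[1]] = m[2]           # rule -> condition it uses
        elif m := re.match(r"policy list (\S+) type (\S+)", line):
            list_type[m[1]] = m[2]           # list -> declared list type
        elif m := re.match(r"policy list (\S+) rules (.+)", line):
            list_rules.setdefault(m[1], []).extend(m[2].split())
        elif m := re.match(r"app-fingerprint port (\S+) policy-list-name (\S+)", line):
            port_list[m[1]] = m[2]           # AFP port -> assigned list
    findings = []
    for port, plist in sorted(port_list.items()):
        if list_type.get(plist) != "appfp":
            findings.append(f"port {port}: policy list {plist} is not type appfp")
        rules = list_rules.get(plist, [])
        if not rules:
            findings.append(f"port {port}: policy list {plist} has no rules")
        for rule in rules:
            if rule_cond.get(rule) not in cond_group:
                findings.append(f"port {port}: rule {rule} has no appfp-group condition")
    return findings

if __name__ == "__main__":
    for name, cfg in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, lint_afp_qos(cfg) or "ok")
```
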
OmniSwitch AOS Release 8 Network Configuration Guide
December 2017