Chapter 3
Configuring Application Protocol Inspection
Configuring a Layer 3 and Layer 4 Application Protocol Inspection Traffic Policy
For example, to specify a description that the class map is to perform DNS
application protocol inspection, enter:
host1/Admin(config)# class-map DNS_INSPECT_L4CLASS
host1/Admin(config-cmap)# description DNS application protocol inspection of incoming traffic
To remove the description from the class map, enter:
host1/Admin(config-cmap)# no description
Defining Access-List Match Criteria
You can use the match access-list command to configure the class map to filter
Layer 3 and Layer 4 network traffic on a per-flow basis by using a predefined
access control list (ACL). When a packet matches an entry in the access list and
that entry is a permit entry, the ACE counts the packet as a match for the class
map. If the entry is a deny entry, the ACE does not count the packet as a match,
so the packet is not classified into this class. See Chapter 1, Configuring
Security Access Control Lists, for details about creating access control lists
in the ACE.
For application protocol inspection, the access list must explicitly specify the
IP addresses and ports in its entries. If an entry does not, the ACE displays an
error message. Because inspection is applied only to flows that the ACL
explicitly permits, check that the ACL covers every address and port whose
traffic should be inspected; a flow left out of the ACL is not inspected.
You must be in class map configuration mode to enter the match access-list
command.
The syntax of this command is as follows:
[line_number] match access-list identifier
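The following is an added, constructed example that ties the two steps above together; it is not a configuration from the original guide. It creates an ACL whose entries name explicit addresses and the DNS port, then builds the DNS_INSPECT_L4CLASS class map with a description and a match access-list line. The ACL name DNS_INSPECT_ACL, the addresses, and the line numbers are assumed for illustration. The deny entry at line 10 shows how a single host is kept out of the class: a flow that hits the deny entry is not counted as a class-map match, so it is not inspected by any policy that references this class.

```text
! Added example (not from the original guide). ACL entries name explicit
! addresses and the DNS port, as the inspection class map requires.
! Line 10 excludes one server from the class; line 20 matches the rest
! of the client network sending DNS queries to the resolver subnet.
host1/Admin(config)# access-list DNS_INSPECT_ACL line 10 extended deny udp host 10.1.1.50 192.168.20.0 255.255.255.0 eq 53
host1/Admin(config)# access-list DNS_INSPECT_ACL line 20 extended permit udp 10.1.1.0 255.255.255.0 192.168.20.0 255.255.255.0 eq 53

! Class map that classifies by the ACL above. The optional line_number
! before match access-list is omitted here.
host1/Admin(config)# class-map DNS_INSPECT_L4CLASS
host1/Admin(config-cmap)# description DNS application protocol inspection of incoming traffic
host1/Admin(config-cmap)# match access-list DNS_INSPECT_ACL
host1/Admin(config-cmap)# exit

! Check: confirm the ACL entries and the class map were accepted as entered.
host1/Admin# show running-config access-list
host1/Admin# show running-config class-map
```

If the ACE rejects an ACL entry with an error when the class map references it, the entry is not explicit enough for inspection; tighten the source or port specification rather than widening it to any. The class map is then referenced from the Layer 4 inspection policy map configured later in this chapter; only flows permitted by DNS_INSPECT_ACL reach that policy.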
Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide
3-95
OL-16202-01