Chapter 4
Configuring Class Maps and Policy Maps
Defining Layer 7 Classifications for HTTP Deep Packet Inspection
OL-11157-01
The ACE uses a Layer 7 class map for HTTP deep packet application protocol
inspection. The ACE performs a stateful deep packet inspection of the HTTP
protocol and permits or blocks traffic based on the actions in your configured
policies.
HTTP deep packet inspection supports the following security features:
• RFC compliance monitoring and RFC method filtering
• Content, URL, and HTTP header length checks
• Transfer-encoding methods
• Content type verification and filtering
• Port 80 misuse
• URL logging
To create a Layer 7 class map to be used for the deep packet inspection of HTTP
traffic through the ACE, use the class-map type http inspect command in
configuration mode.
The syntax of this command is:
class-map type http inspect [match-all | match-any] map_name
The arguments and options are:
• match-all | match-any—(Optional) Determines how the ACE performs the deep packet inspection of HTTP traffic when multiple match criteria exist in a class map. The class map is considered a match if the match commands meet one of the following conditions:
  – match-all—(Default) Network traffic needs to satisfy all of the match criteria (implicit AND) to match the Layer 7 HTTP deep packet inspection class map. The match-all keyword is applicable only for match statements of different HTTP deep packet inspection types. For example, specifying a match-all condition for URL, HTTP header, and URL content statements in the same class map is valid. However, specifying a match-all condition for multiple HTTP headers with the same names or multiple URLs in the same class map is invalid.
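The following configuration fragment is an added example and is not taken from this guide. It shows the match-all versus match-any distinction described above in practice: one match-all class map that ANDs three criteria of different inspection types, and one match-any class map that holds several URL patterns, since several match statements of the same type cannot be combined under match-all. The class-map and policy-map names are hypothetical, the lines beginning with ! are annotations for the reader rather than CLI input, and the match subcommands and the policy-map wiring use ACE syntax that this page does not itself list, so verify them against the command reference before use.

```text
! Added example, not the guide's own configuration. Names are hypothetical.

! Valid match-all: every match statement is a DIFFERENT inspection type
! (URL, HTTP header, content length), so they are ANDed. A request matches
! only if the URL ends in .cgi AND the User-Agent header contains "scanner"
! AND the body is larger than 10000 bytes.
class-map type http inspect match-all HTTP_INSPECT_SUSPICIOUS
  match url .*\.cgi
  match header User-Agent header-value .*scanner.*
  match content length gt 10000

! Several URL patterns in one class map must be match-any (OR). Placing these
! two "match url" lines under match-all is invalid, because both statements are
! the same inspection type.
class-map type http inspect match-any HTTP_INSPECT_BLOCKED_URLS
  match url .*\.exe
  match url .*/cgi-bin/.*

! Bind the class maps to actions. reset tears down the connection; permit
! forwards it.
policy-map type inspect http all-match HTTP_INSPECT_POLICY
  class HTTP_INSPECT_SUSPICIOUS
    reset
  class HTTP_INSPECT_BLOCKED_URLS
    reset

! Activate the inspection policy on the Layer 3/4 traffic class (assumed wiring).
policy-map multi-match L4_WEB_POLICY
  class L4_WEB_CLASS
    inspect http policy HTTP_INSPECT_POLICY
```

The practical consequence of the match-all rule is that a "block any of these URLs" check belongs in its own match-any class map, which a match-all class map can then be combined with only at the policy-map level, not by nesting criteria of the same type inside one class map.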
Cisco 4700 Series Application Control Engine Appliance Administration Guide
Configuring Layer 7 Class Maps
4-41