Updating Your Application Protocol Inspection Configurations - Cisco 4700M Administration Manual

Appendix A
Upgrading or Downgrading Your ACE Software
Prerequisites for Upgrading Your ACE
Cisco 4700 Series Application Control Engine Appliance Administration Guide, OL-20823-01, page A-3

Updating Your Application Protocol Inspection Configurations

Because the ACE version A3(1.x) software has stricter error checks for application protocol inspection configurations than A1(x) software versions, be sure that your inspection configurations meet the guidelines that follow. The error checking process in A3(1.x) software denies misconfigurations in inspection classifications (class maps) and displays error messages. If such misconfigurations exist in your startup- or running-configuration file before you load the A3(1.x) software, the standby ACE in a redundant configuration may boot up to the STANDBY_COLD state. For information about redundancy states, see Chapter 6, Configuring Redundant ACEs.

If the class map for the inspection traffic is generic (match ... any or class-default is configured) so that noninspection traffic is also matched, the ACE displays an error message and does not accept the inspection configuration. For example:

host1/Admin(config)# class-map match-all TCP_ANY
host1/Admin(config-cmap)# match port tcp any
host1/Admin(config)# policy-map multi-match FTP_POLICY
host1/Admin(config-pmap)# class TCP_ANY
host1/Admin(config-pmap-c)# inspect ftp
Error: This class doesn't have tcp protocol and a specific port

The following examples show some of the generic class-map match statements and an ACL that are not allowed in A3(1.x) inspection configurations:

match port tcp any
match port udp any
match port tcp range 0 65535
match port udp range 0 65535
match virtual-address 192.168.12.15 255.255.255.0 any
match virtual-address 192.168.12.15 255.255.255.0 tcp any
access-list acl1 line 10 extended permit ip any any

For application protocol inspection, the class map must have a specific protocol (related to the inspection type) configured and a specific port or range of port numbers.

For HTTP, FTP, RTSP, Skinny, and ILS protocol inspection, the class map must have TCP as the configured protocol and a specific port or range of ports. For example, enter the following commands:

host1/Admin(config)# class-map match-all L4_CLASS
host1/Admin(config-cmap)# match port tcp eq www

For SIP protocol inspection, the class map must have TCP or UDP as the configured protocol and a specific port or range of ports. For example, enter the following commands:

host1/Admin(config)# class-map match-all L4_CLASS
host1/Admin(config-cmap)# match port tcp eq 124

or

host1/Admin(config-cmap)# match port udp eq 135

For DNS inspection, the class map must have UDP as the configured protocol and a specific port or range of ports. For example, enter the following commands:

host1/Admin(config)# class-map match-all L4_CLASS
host1/Admin(config-cmap)# match port udp eq domain
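A pre-upgrade check for the guidelines above, added here as an example and not part of the Cisco guide: the script parses class-map and policy-map multi-match blocks from a running-config excerpt and reports, for each inspect statement, whether its class map is generic (any port, the full 0-65535 range, protocol any, or class-default) or uses the wrong transport for the inspection type. The parser, the INSPECT_PROTO table, the SAMPLE excerpt and the restriction to match port and match virtual-address criteria are this example's own assumptions.

```python
import re

# Transport each inspection type must see in its class map (from the guidelines above).
INSPECT_PROTO = {"http": {"tcp"}, "ftp": {"tcp"}, "rtsp": {"tcp"}, "skinny": {"tcp"},
                 "ils": {"tcp"}, "sip": {"tcp", "udp"}, "dns": {"udp"}}
# 'match port ...' or 'match virtual-address IP MASK ...', optional leading sequence number
PORT_RE = re.compile(r"^(?:\d+ )?match (?:port|virtual-address \S+ \S+) (tcp|udp|any)"
                     r"(?: (?:eq (\S+)|range (\d+) (\d+)|(any)))?$")

def parse_config(config):
    """Return ({class: [match lines]}, [(class, inspect type)]) from an ACE config excerpt."""
    maps, pairs, ctx, name = {}, [], None, None
    for raw in filter(str.split, config.splitlines()):        # skip blank lines
        words = raw.split()
        if words[0] == "class-map":                            # 'class-map match-all NAME'
            ctx, name = "cmap", words[-1]
        elif words[0] == "policy-map":
            ctx, name = "pmap", None
        elif not raw[0].isspace():
            ctx = None                                         # other top-level command ends the block
        elif ctx == "cmap" and "match" in words:
            maps.setdefault(name, []).append(" ".join(words))
        elif ctx == "pmap" and words[0] == "class":
            name = words[1]
        elif ctx == "pmap" and words[0] == "inspect" and name:
            pairs.append((name, words[1]))
    return maps, pairs

def check_inspect_class(match_lines, inspect_type):
    """None if the class may carry 'inspect <type>' under A3(1.x), else the rejection reason."""
    wanted, specific = INSPECT_PROTO[inspect_type], False
    for m in filter(None, map(PORT_RE.match, match_lines)):   # only protocol/port criteria count
        proto, port, lo, hi, anyport = m.groups()
        if (proto == "any" or anyport or not (port or lo)
                or (lo and int(lo) == 0 and int(hi) == 65535)):
            return f"generic match: '{m.group(0)}'"
        if proto not in wanted:
            return f"{inspect_type} needs {'/'.join(sorted(wanted))}, class uses {proto}"
        specific = True
    return None if specific else "no specific protocol and port"

def audit(config):
    """Map each (class, inspect type) pair to None (accepted) or the reason A3(1.x) rejects it."""
    maps, pairs = parse_config(config)
    return {(cls, typ): check_inspect_class(maps.get(cls, []), typ) for cls, typ in pairs}

# Constructed excerpt mirroring the rejected FTP example above.
SAMPLE = ("class-map match-all TCP_ANY\n  2 match port tcp any\n"
          "policy-map multi-match FTP_POLICY\n  class TCP_ANY\n    inspect ftp\n")
```

Run audit() over a `show running-config` capture before loading A3(1.x); any pair that is not None is a class map the new software will refuse.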