12-5
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
Chapter 12 Configuring Traffic Policies
Class Map and Policy Map Overview
• Parameter Maps and Their Use in Layer 3 and Layer 4 Policy Maps, page 12-5
• Application Protocol Inspection Overview, page 12-5
• Configuring Traffic Policies, page 12-1
• Configuring Virtual Context Policy Maps, page 12-34
Parameter Maps and Their Use in Layer 3 and Layer 4 Policy Maps
Parameter maps allow you to combine related actions in a Layer 3 and Layer 4 policy map. For example,
an HTTP parameter map lets the ACE appliance act on received traffic based on criteria such as HTTP
header and cookie settings, server connection reuse, and the action to take when an HTTP header,
cookie, or URL exceeds a configured maximum length.
The ACE appliance uses policy maps to combine class maps and parameter maps into traffic policies and
to perform certain configured actions on the traffic that matches the specified criteria in the policies.
See Table 8-1 for a list of available ACE appliance parameter maps.
Related Topics
• Configuring Parameter Maps, page 8-1
• Class Map and Policy Map Overview, page 12-2
• Class Maps, page 12-3
• Policy Maps, page 12-4
• Parameter Maps and Their Use in Layer 3 and Layer 4 Policy Maps, page 12-5
• Application Protocol Inspection Overview, page 12-5
Application Protocol Inspection Overview
Certain applications require special handling of the data portion of a packet as the packets pass through
the ACE. Application protocol inspection helps to verify the protocol behavior and identify unwanted
or malicious traffic passing through the ACE. Based on the specifications of the traffic policy, the ACE
accepts or rejects the packets to ensure the secure use of applications and services.
You can configure the ACE to perform application protocol inspection, sometimes referred to as an
application protocol “fixup,” for applications that do the following:
• Embed IP addressing information in the data packet including the data payload.
• Open secondary channels on dynamically assigned ports.
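The following added example (not taken from this guide and not the ACE's own implementation) shows both behaviors for FTP: the PORT command and the 227 passive-mode reply embed an IP address and a dynamically assigned port in the payload, which an inspecting device must parse before it can permit the secondary data channel. The function name, the sample lines, and the two reject policies (embedded address must match the sender, port must not be below 1024) are assumptions made for illustration.

```python
import ipaddress
import re

# h1,h2,h3,h4,p1,p2 as carried by the FTP PORT command and the 227 (PASV) reply (RFC 959)
HOSTPORT = re.compile(r"(?<!\d)" + ",".join([r"(\d{1,3})"] * 6) + r"(?!\d)")


def inspect_control_line(line, sender_ip, min_port=1024):
    """Classify one FTP control-channel line sent by sender_ip.

    Returns ("pass", None) when the line embeds no address,
    ("allow", (ip, port)) when the data-channel endpoint is acceptable, or
    ("reject", reason). The two reject policies are assumptions of this example.
    """
    text = line.strip()
    if not text.upper().startswith(("PORT ", "227 ")):
        return "pass", None
    m = HOSTPORT.search(text)
    if m is None:
        return "reject", "malformed address"
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):
        return "reject", "malformed address"
    ip = ipaddress.IPv4Address(".".join(map(str, nums[:4])))
    port = nums[4] * 256 + nums[5]  # dynamically assigned data port
    if ip != ipaddress.IPv4Address(sender_ip):
        return "reject", "embedded address differs from sender"
    if port < min_port:
        return "reject", "port below minimum"
    return "allow", (str(ip), port)


# Constructed sample traffic: (sender address, control-channel line)
SAMPLE = [
    ("192.0.2.10", "USER anonymous"),
    ("192.0.2.10", "PORT 192,0,2,10,195,80"),
    ("198.51.100.5", "227 Entering Passive Mode (198,51,100,5,19,137)"),
    ("192.0.2.10", "PORT 203,0,113,9,195,80"),
    ("192.0.2.10", "PORT 192,0,2,10,0,22"),
]

if __name__ == "__main__":
    for sender, line in SAMPLE:
        print(sender, repr(line), inspect_control_line(line, sender))
```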
You may require the ACE to perform application inspection of Domain Name System (DNS), File
Transfer Protocol (FTP), H.323, HTTP, Internet Control Message Protocol (ICMP), Internet Locator Service
(ILS), Real-Time Streaming Protocol (RTSP), Skinny Client Control Protocol (SCCP), and Session
Initiation Protocol (SIP) as a first step before passing the packets to the destination server. For HTTP,
the ACE performs deep packet inspection to statefully monitor the HTTP protocol and permit or deny