12-6
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
Chapter 12 Configuring Traffic Policies
Class Map and Policy Map Overview
traffic based on user-defined traffic policies. HTTP deep packet inspection focuses mainly on HTTP attributes such as the HTTP header, the URL, and the payload. For FTP, the ACE performs FTP command inspection for FTP sessions, allowing you to restrict specific FTP commands on the ACE.

Application inspection identifies the location of IP addressing information embedded in the TCP or UDP flow. This inspection allows the ACE to translate embedded IP addresses and to update any checksum or other fields that are affected by the translation. Translating IP addresses embedded in the payload of protocols is especially important for NAT (explicitly configured by the user) and server load balancing (an implicit NAT).

Application inspection also monitors TCP or UDP sessions to determine the port numbers for secondary channels. Some protocols open secondary TCP or UDP ports to improve performance. The initial session on a well-known port is used to negotiate dynamically assigned port numbers. The application protocol inspection function monitors these sessions, identifies the dynamic port assignments, and permits data exchange on these ports for the duration of the session.

Table 12-2 describes the application inspection protocols supported by the ACE, the default TCP or UDP protocol and port, and whether the protocol is compatible with Network Address Translation (NAT) and Port Address Translation (PAT).
Table 12-2 Application Inspection Support

Application Protocol | Transport Protocol | Port | NAT/PAT Support | Enabled by Default | Standards (1) | Comments/Limitations
DNS | UDP | Src—Any, Dest—53 | NAT | No | RFC 1123 | Inspects DNS packets destined to port 53. You can specify the maximum length of the DNS packet to be inspected.
FTP | TCP | Src—Any, Dest—21 | Both | No | RFC 959 | Inspects FTP packets, translates the address and port embedded in the payload, and opens up a secondary channel for data.
FTP strict | TCP | Src—Any, Dest—21 | Both | No | RFC 959 | The FTP Strict field allows the ACE appliance to track each FTP command and response sequence, and also prevents an FTP client from determining valid usernames that are supported on an FTP server.
HTTP | TCP | Src—Any, Dest—80 | Both | No | RFC 2616 | Inspects HTTP packets.
ICMP | ICMP | Src—N/A, Dest—N/A | Both | No | - | Allows ICMP traffic to have a "session" so that it can be inspected similarly to TCP and UDP traffic.