The basic idea is this:
• create an L7 class-map with a match type (match-any or match-all) and a name
- define some match criteria (here, an FTP request method)
• create an L7 policy-map with a type and a name
- refer back to the L7 class-map
- set the action for that class (like deny)
• create an L4 class-map with a match type and a name
- match on a port number (tcp/21, the FTP control channel)
• create another policy-map (multi-match) with a name
- call out the L4 class-map
- under that class, call out the first policy-map (the one that holds the L7 class-map) as the inspect action
• Apply the last policy-map - the one that ties all of the class-maps and policy-maps together - to an interface
________________
• Create an FTP inspection class-map called "FTP_INSPECT_L7CLASS". The "match-any" means the class matches as soon as any one of its criteria matches:
class-map type ftp inspect match-any FTP_INSPECT_L7CLASS
!
• This is the only match criterion listed: look for a client making a directory (the FTP make-directory request, MKD on the wire):
match request-method mkdir
!
________________
• Now the L7 policy-map. It is of type "inspect ftp" and is "first-match": classes are evaluated in order and the first class whose criteria match decides the action
policy-map type inspect ftp first-match FTP_INSPECT_L7POLICY
!
! This statement in the policy-map refers to the class-map we already created, FTP_INSPECT_L7CLASS, which looks for anyone making a directory
class FTP_INSPECT_L7CLASS
!
! Now the action for that class - deny the request
deny
!
________________
• OK, another class-map, this time L4 (match-all: every criterion must match, and there is only one here)
class-map match-all FTP_INSPECT_L4CLASS
!
• Hey look, a description! Optional, but worth having when someone else reads the config later
description FTP command inspection of incoming traffic
!
• Let's match on TCP port 21, the FTP control channel (the port commands are issued on). Data connections use other ports and are opened on demand by the inspection engine, so only the control channel needs to be classified here
match port tcp eq 21
________________
• Now the L4 policy-map, set up as multi-match (more than one class can match the same traffic, each with its own action)
policy-map multi-match FTP_INSPECT_L4POLICY
!
• The class, in this case it's referring to the class-map we made called FTP_INSPECT_L4CLASS
class FTP_INSPECT_L4CLASS
!
• OK, now the confusing part. This action under class FTP_INSPECT_L4CLASS says: inspect the matched FTP traffic in strict mode and apply the L7 policy-map FTP_INSPECT_L7POLICY to it. That policy-map in turn holds the class-map FTP_INSPECT_L7CLASS, which looks for anyone making a directory, with the action deny. Keep in mind that "strict" also checks the session for RFC 959 conformance, so non-conforming clients can be affected even if they never send MKD.
inspect ftp strict policy FTP_INSPECT_L7POLICY
!
________________
• Here is where the rubber meets the road: the service-policy is applied to the interface. "input" means only traffic entering the ACE on VLAN 50 is classified and inspected
interface vlan 50
!
ip address 172.16.1.100 255.255.255.0
!
service-policy input FTP_INSPECT_L4POLICY
!
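To make the first-match behaviour concrete, here is an added example (my own code, not from the original page and not an ACE feature) that models the L7 class and policy above as plain data and runs it over a constructed FTP control-channel capture, then optionally probes a live FTP server through the ACE with ftplib. Assumptions in the model: the page's "mkdir" keyword corresponds to the RFC 959 MKD verb, verb comparison is case-insensitive, a command that matches no class is treated as permitted, and the host/user/password arguments of the probe are placeholders you supply.

```python
#!/usr/bin/env python3
"""Added example: model the FTP_INSPECT_L7CLASS / FTP_INSPECT_L7POLICY pair
and probe a live FTP server for the MKD deny. Not ACE code."""
import ftplib
import socket
import sys

# class-map type ftp inspect match-any FTP_INSPECT_L7CLASS
#   match request-method mkdir
# Assumption: "mkdir" is the RFC 959 MKD verb as seen on tcp/21.
FTP_INSPECT_L7CLASS = {"match": "any", "methods": {"MKD"}}

# policy-map type inspect ftp first-match FTP_INSPECT_L7POLICY
#   class FTP_INSPECT_L7CLASS -> deny
# Ordered list: the first class that matches decides the action.
FTP_INSPECT_L7POLICY = [("FTP_INSPECT_L7CLASS", FTP_INSPECT_L7CLASS, "deny")]


def parse_ftp_command(line):
    """Split one control-channel line into (VERB, argument); None for blank."""
    line = line.rstrip("\r\n").strip()
    if not line:
        return None
    verb, _, arg = line.partition(" ")
    # RFC 959 verbs are case-insensitive; normalise before matching.
    return verb.upper(), arg.strip()


def class_matches(verb, cls):
    """match-any: any criterion matches; match-all: every criterion must."""
    criteria = [verb in cls["methods"]]
    return any(criteria) if cls["match"] == "any" else all(criteria)


def first_match(verb, policy):
    """Return (action, class_name) of the first matching class, else permit.
    Assumption: an unmatched command is left alone ("permit")."""
    for name, cls, action in policy:
        if class_matches(verb, cls):
            return action, name
    return "permit", None


def evaluate_session(lines, policy=FTP_INSPECT_L7POLICY):
    """Return [(VERB, action), ...] for every command in a captured session."""
    result = []
    for line in lines:
        parsed = parse_ftp_command(line)
        if parsed is None:
            continue
        verb, _ = parsed
        action, _ = first_match(verb, policy)
        result.append((verb, action))
    return result


# Constructed sample of what a client sends on tcp/21; the L4 class is what
# hands this traffic to the FTP inspection in the first place.
SAMPLE_SESSION = [
    "USER anonymous\r\n",
    "PASS guest@example.com\r\n",
    "PWD\r\n",
    "MKD incoming\r\n",
    "mkd lower\r\n",   # lowercase verb must still be caught
    "CWD pub\r\n",
    "QUIT\r\n",
]


def probe_mkd(host, user, password, dirname="ace_inspect_probe", timeout=10):
    """Live check: send MKD through the ACE and report how the session fared."""
    try:
        ftp = ftplib.FTP(host, timeout=timeout)
    except OSError as exc:
        return f"connect failed: {exc!r}"
    with ftp:
        try:
            ftp.login(user, password)
        except ftplib.all_errors as exc:
            return f"login failed: {exc!r}"
        try:
            ftp.mkd(dirname)
        except ftplib.error_perm as exc:          # 5xx reply: request refused
            return f"rejected: {exc}"
        except ftplib.all_errors as exc:          # reset / EOF / timeout
            return f"session dropped: {exc!r}"
        try:
            ftp.rmd(dirname)                      # clean up: deny NOT in effect
        except ftplib.all_errors:
            pass
        return "ALLOWED: MKD succeeded, inspection policy is not denying it"


if __name__ == "__main__":
    if len(sys.argv) >= 4:
        print(probe_mkd(sys.argv[1], sys.argv[2], sys.argv[3]))
    else:
        for verb, action in evaluate_session(SAMPLE_SESSION):
            print(f"{verb:<5} -> {action}")
```

Run it with no arguments to see the offline model (MKD in either case gets "deny", everything else "permit"); run it as `probe.py <host> <user> <password>` from a client whose traffic enters the ACE on VLAN 50 to check the live policy. A "rejected" or "session dropped" result means the deny is doing its job; "ALLOWED" means the service-policy is not being hit (wrong interface, wrong direction, or the flow is not landing in FTP_INSPECT_L4CLASS).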