Feedback
Contents
mab through mime-type
- mab
- mac access-group
- mac-address (RITE)
- managed-config-flag
- map type
- mask (policy-map)
- mask-urls
- master (IKEv2 cluster)
- match (gtp)
- match access-group
- match address (GDOI local server)
- match address (IPSec)
- match authentication trustpoint
- match body regex
- match certificate
- match certificate (ca-trustpoint)
- match certificate (ca-trustpool)
- match certificate (ISAKMP)
- match certificate override cdp
- match certificate override ocsp
- match certificate override sia
- match class-map
- match class session
- match cmd
- match data-length
- match encrypted
- match field
- match file-transfer
- match group-object security
- match header count
- match header length gt
- match header regex
- match identity
- match (IKEv2 policy)
- match (IKEv2 profile)
- match invalid-command
- match ipv6 access-list
- match login clear-text
- match message
- match mime content-type regex
- match mime encoding
- match not
- match program-number
- match protocol (zone)
- match protocol h323-annexe
- match protocol h323-nxg
- match protocol-violation
- match ra prefix-list
- match recipient address regex
- match recipient count gt
- match recipient invalid count gt
- match reply ehlo
- match req-resp
- match req-resp body length
- match req-resp header content-type
- match req-resp header transfer-encoding
- match req-resp protocol-violation
- match request
- match request length
- match request method
- match request not regex
- match request port-misuse
- match request regex
- match response
- match response body java-applet
- match response status-line regex
- match search-file-name
- match security-group
- match sender address regex
- match server-domain urlf-glob
- match server-response any
- match service
- match start
- match text-chat
- match url
- match url category
- match url-keyword urlf-glob
- match url reputation
- match user-group
- max-destination
- max-header-length
- max-incomplete
- max-incomplete (parameter-map type)
- max-incomplete aggressive-aging
- max-logins
- max-request
- max-resp-pak
- max-retry-attempts
- max-uri-length
- max-users
- max-users (WebVPN)
- message retry count
- message retry interval
- mime-type
mab
To enable MAC-based authentication on a port, use the mab command in interface configuration mode. To disable MAC-based authentication, use the no form of this command.
Usage Guidelines
Use the mab command to enable MAC-based authentication on a port. To enable EAP on the port, use the mab eap command.
NoteIf you are unsure whether MAB or MAB EAP is enabled or disabled on the switched port, use the default mabor default mab eap commands in interface configuration mode to configure MAB or MAB EAP to its default.
mac access-group
To use a MAC access control list (ACL) to control the reception of incoming traffic on a Gigabit Ethernet interface, an 802.1Q VLAN subinterface, an 802.1Q-in-Q stacked VLAN subinterface, use the macaccess-groupcommand in interface or subinterface configuration mode. To remove a MAC ACL, use the no form of this command.
Usage Guidelines
MAC ACLs are applied on incoming traffic on Gigabit Ethernet interfaces and VLAN subinterfaces. After a networking device receives a packet, the Cisco IOS software checks the source MAC address of the Gigabit Ethernet, 802.1Q VLAN, or 802.1Q-in-Q packet against the access list. If the MAC access list permits the address, the software continues to process the packet. If the access list denies the address, the software discards the packet and returns an Internet Control Message Protocol (ICMP) host unreachable message.
If the specified MAC ACL does not exist on the interface or subinterface, all packets are passed.
On Catalyst 6500 series switches, this command is supported on Layer 2 ports only.
NoteThe macaccess-groupcommand is supported on a VLAN subinterface only if a VLAN is already configured on the subinterface.
Examples
The following example applies MAC ACL 101 on incoming traffic received on Gigabit Ethernet interface 0:
Router> enable Router# configure terminal Router(config)# interface gigabitethernet 0 Router(config-if)# mac access-group 101 inRelated Commands
Command
Description
access-list (MAC)
Defines a MAC ACL.
clear mac access-list counters
Clears the counters of a MAC ACL.
ip access-group
Configures an IP access list to be used for packets transmitted from the asynchronous host.
show access-group mode interface
Displays the ACL configuration on a Layer 2 interface.
show mac access-list
Displays the contents of one or all MAC ACLs.
mac-address (RITE)
To specify the Ethernet address of the destination host, use the mac-address command in router IP traffic export (RITE) configuration mode. To change the MAC address of the destination host, use the no form of this command.
Usage Guidelines
The mac-address command, which is used to specify the destination host that is receiving the exported traffic, is part of suite of RITE configuration mode commands that are used to control various attributes for both incoming and outgoing IP traffic export.
The ip traffic-export profile command allows you to begin a profile that can be configured to export IP packets as they arrive or leave a selected router ingress interface. A designated egress interface exports the captured IP packets out of the router. Thus, the router can export unaltered IP packets to a directly connected device.
Examples
The following example shows how to configure the profile “corp1,” which will send captured IP traffic to host “00a.8aab.90a0” at the interface “FastEthernet 0/1.” This profile is also configured to export one in every 50 packets and to allow incoming traffic only from the access control lists (ACL) “ham_ACL.”
Router(config)# ip traffic-export profile corp1 Router(config-rite)# interface FastEthernet 0/1 Router(config-rite)# bidirectional Router(config-rite)# mac-address 00a.8aab.90a0 Router(config-rite)# outgoing sample one-in-every 50 Router(config-rite)# incoming access-list ham_acl Router(config-rite)# exit Router(config)# interface FastEthernet 0/0 Router(config-if)# ip traffic-export apply corp1managed-config-flag
To verify the advertised managed address configuration parameter, use the managed-config-flag command in RA guard policy configuration mode.
Usage Guidelines
The managed-config-flag command enables verification of the advertised managed address configuration parameter (or "M" flag). This flag could be set by an attacker to force hosts to obtain addresses through a DHCPv6 server that may not be trustworthy.
Examples
The following example shows how the command defines a router advertisement (RA) guard policy name as raguard1, places the router in RA guard policy configuration mode, and enables M flag verification:
Router(config)# ipv6 nd raguard policy raguard1 Router(config-ra-guard)# managed-config-flag onmap type
To define the mapping of an attribute in the Lightweight Directory Access Protocol (LDAP) server, use the map typecommand in attribute-map configuration mode. To remove the attribute maps, use the no form of this command.
map type ldap-attr-type aaa-attr-type [ format dn-to-string ]
no map type ldap-attr-type aaa-attr-type [ format dn-to-string ]
Usage Guidelines
To use the attribute mapping features, you need to understand the Cisco AAA attribute names and values as well as the LDAP servers user-defined attribute names and values.
Examples
The following example shows how to map the user-defined attribute named department to the AAA attribute named element-req-qos in an LDAP server.
Router(config)# ldap attribute-map att_map_1 Router(config-attribute-map)# map type department element-req-qos format dn-to-string Router(config-attribute-map)# exitRelated Commands
Command
Description
attribute-map
Attaches an attribute map to a particular LDAP server.
ldap attribute-map
Configures a dynamic LDAP attribute map.
map-type
Defines the mapping of a attribute in the LDAP server.
show ldap attribute
Displays information about default LDAP attribute mapping.
mask (policy-map)
To explicitly mask specified SMTP commands or the parameters returned by the server in response to an EHLO command, use the mask command in global configuration mode. To remove this filter from the configuration, use the no form of this command:
Usage Guidelines
Using the mask command applies to certain ‘match’ command filters like the match cmd command and the verb keyword. Validations are performed to make this check and the configuration is not be accepted in case of invalid combinations.
mask-urls
To obfuscate, or mask, sensitive portions of an enterprise URL, such as IP addresses, hostnames, or port numbers, use the mask-urls command in webvpn group policy configuration mode. To remove the masking, use the no form of this command.
master (IKEv2 cluster)
To define the settings for the master gateway in a Hot Standby Router Protocol (HSRP) cluster, use the master command in IKEv2 cluster configuration mode. To restore the default settings, use the no form of this command.
master { overload-limit percent | weight { crypto-load weight-number | system-load weight-number } }
no master { overload-limit | weight { crypto-load | system-load } }
Syntax Description
overload-limit percent
Specifies the threshold limit of a cluster. The range is from 50 to 99. The default is 99.
weight
Specifies the weight of a load attribute.
crypto-load weight-number
Specifies the Internet Key Exchange (IKE) and IPsec weight limit. The range is from 0 to 100. The default is 100.
system-load weight-number
Specifies the CPU and memory weight limit. The range is from 0 to 100. The default is 100.
Usage Guidelines
You must enable the crypto ikev2 cluster command before enabling the master command.
The load limit helps to decide if a device is busy and ignore it for redirection by specifying the weight of an attribute.
match (gtp)
To configure the classification criteria for inspect-type class map for General Packet Radio Service (GPRS) Tunneling Protocol (GTP), use the match command in class-map configuration mode. To disable the classification criteria, use the no form of this command.
match { apn regex parameter-map-name | mcc country-code mnc network-code | message-id id | message-length min min-length max max-length | version number }
no match { apn | mcc country-code mnc network-code | message-id id | message-length | version number }
Syntax Description
apn
Configures filtering for the GTP Access Point Name (APN).
regex
Specifies the APN address for the GNU regular expression (regex) matching library.
parameter-map-name
Name of the APN regex parameter map.
mcc
Configures filtering for a valid Mobile Country Code (MCC).
country-code
Mobile country code. The range is from 0 to 999.
mnc
Configures filtering for Mobile Network Code (MNC).
network-code
Mobile network code. The range is from 0 to 999.
message-id id
Configures filtering for the GTP message ID. The range is from 1 to 255.
message-length
Configures filtering for the GTP message length.
min
Specifies the minimum length of the GTP message.
min-length
Minimum length, in bytes, of the GTP message. The range is from 1 to 65536.
max
Specifies the maximum length of the GTP message.
max-length
Maximum length, in bytes, of the GTP message. The range is from 1 to 65536.
version number
Configures filtering for the GTP version. Accepted values are 0 and 1.
Usage Guidelines
The mcc country-code and mnc network-code keyword-argument combinations are used for International Mobile Subscriber Identity (IMSI) prefix filtering, where the country code contains three digits and the network code contains two- or three-digit values. The message-length keyword allows you to filter packets that do not meet the configured maximum and minimum length values. This length is the sum of the GTP header and the rest of the message. For example, the payload of the UDP packet. The apn keyword allows you to activate action on GTP messages with the specified APN. The message-id keyword allows you to activate action on specific GTP messages. The version keyword allows you to activate action on GTP messages with the specified version.
Examples
The following example shows how to configure match criteria for a message with a minimum length of 300 bytes and a maximum length of 500 bytes for inspect-type class map for GTPv0.
Router(config)# class-map type inspect gtpv0 LAYER7_CLASS_MAP Router(config-cmap)# match message-length min 300 max 500match access-group
To configure the match criteria for a class map on the basis of the specified access control list (ACL), use the match access-group command in QoS class-map configuration or policy inline configuration mode. To remove the ACL match criteria from a class map, use the no form of this command.
match access-group { access-group | name access-group-name }
no match { access-group | name access-group-name }
Syntax Description
access-group
A numbered ACL whose contents are used as the match criteria against which packets are checked to determine if they belong to the same class. The range is from 1 to 2699.
name access-group-name
Specifies a named ACL whose contents are used as the match criteria against which packets are checked to determine if they belong to the same class. The name can be up to 40 alphanumeric characters.
Command Modes
QoS class-map configuration (config-cmap)
Policy inline configuration (config-if-spolicy-inline)
Command History
Release
Modification
12.0(5)T
This command was introduced.
12.0(5)XE
This command was integrated into Cisco IOS Release 12.0(5)XE.
12.0(7)S
This command was integrated into Cisco IOS Release 12.0(7)S.
12.0(17)SL
This command was modified. This command was enhanced to include matching of access lists on the Cisco 10000 series routers.
12.1(1)E
This command was integrated into Cisco IOS Release 12.1(1)E.
12.4(6)T
This command was modified. This command was enhanced to support the zone-based policy firewall.
12.2(33)SRA
This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2(31)SB
This command was integrated into Cisco IOS Release 12.2(31)SB.
12.2SX
This command was integrated into the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
15.1(3)T
This command was integrated into Cisco IOS Release 15.1(3)T for Cisco Performance Monitor. Support was added for policy inline configuration mode.
12.2(58)SE
This command was integrated into Cisco IOS Release 12.2(58)SE for Cisco Performance Monitor.
Usage Guidelines
The match access-group command specifies a numbered or named ACL whose contents are used as the match criteria against which packets are checked to determine if they belong to the class specified by the class map.
A traffic rate is generated for packets that match an access group. In zone-based policy firewalls, only the first packet that creates a session matches the configured policy. Subsequent packets in the flow do not match the filters in the configured policy, but instead match the session directly. The statistics related to subsequent packets are shown as part of the inspect action.
Zone-based policy firewalls support only the match access-group, match class-map, and match protocol commands. If you specify more than one match command in a class map, only the last command that you specified will be applied to the class map. The last match command overrides the previously entered match commands.
The match access-group command specifies the numbered access list against whose contents packets are checked to determine if they match the criteria specified in the class map. Access lists configured with the log keyword of the access-list command are not supported when you configure the match criteria. For more information about the access-list command, refer to the Cisco IOS IP Application Services Command Reference.
When this command is configured in Cisco IOS Release 15.0(1)M and later releases, the firewall inspects only Layer 4 policy maps. In releases prior to Cisco IOS Release 15.0(1)M, the firewall inspects both Layer 4 and Layer 7 policy maps.
For class-based weighted fair queueing (CBWFQ), you can define traffic classes based on the match criteria that include ACLs, experimental (EXP) field values, input interfaces, protocols, and quality of service (QoS) labels. Packets that satisfy the match criteria for a class constitute the traffic for that class.
NoteIn zone-based policy firewalls, this command is not applicable for CBWFQ.
This command can be used with both Flexible NetFlow and Performance Monitor. These products use different commands to enter the configuration modes in which you can issue this command.
Cisco Performance Monitor in Cisco IOS Release 15.1(3)T and 12.2(58)SE
To use the match access-group command, you must configure the service-policy type performance-monitor inline command.
Supported Platforms Other than Cisco 10000 Series Routers
To use the match access-group command, you must configure the class-map command to specify the name of the class whose match criteria you want to establish. After you identify the class, you can use one of the following commands to configure its match criteria:
Cisco 10000 Series Routers
To use the match access-group command, you must first enter the class-map command to specify the name of the class whose match criteria you want to establish.
NoteThe match access-group command specifies the numbered access list against whose contents packets are checked to determine if they match the criteria specified in the class map. Access lists configured with the log keyword of the access-list command are not supported when you configure the match criteria.
Cisco ASR 1000 Series Aggregation Services Routers
Cisco ASR 1000 Series Routers do not support more than 16 match statements per class map. An interface with more than 16 match statements rejects the service policy.
Examples
The following example shows how to specify a class map named acl144 and to configure the ACL numbered 144 to be used as the match criterion for that class:
Device(config)# class-map acl144 Device(config-cmap)# match access-group 144The following example shows how to define a class map named c1 and configure the ACL numbered 144 to be used as the match criterion for that class:Device(config)# class-map type inspect match-all c1 Device(config-cmap)# match access-group 144Cisco Performance Monitor in Cisco IOS Release 15.1(3)T and 12.2(58)SE
The following example shows how to configure a service policy for the Performance Monitor in policy inline configuration mode. The policy specifies that packets traversing Ethernet interface 0/0 must match ACL144.
Device(config)# interface ethernet 0/0 Device(config-if)# service-policy type performance-monitor inline input Device(config-if-spolicy-inline)# match access-group name ACL144 Device(config-if-spolicy-inline)# exitRelated Commands
Command
Description
access-list (IP extended)
Defines an extended IP access list.
access-list (IP standard)
Defines a standard IP access list.
class-map
Creates a class map to be used for matching packets to a specified class.
match access-group
Configures the match criteria for a class map on the basis of the specified ACL.
match class-map
Uses a traffic class as a classification policy.
match input-interface
Configures a class map to use the specified input interface as a match criterion.
match mpls experimental
Configures a class map to use the specified EXP field value as a match criterion.
match protocol
Configures the match criteria for a class map on the basis of the specified protocol.
service-policy type performance-monitor
Associates a Performance Monitor policy with an interface.
match address (GDOI local server)
To specify an IP extended access list for a Group Domain of Interpretation (GDOI) registration, use the match address command in GDOI SA IPsec configuration mode. To disable the access list, use the no form of this command.
match address { ipv4 | ipv6 } { access-list-number | access-list-name }
no match address { ipv4 | ipv6 } { access-list-number | access-list-name }
Syntax Description
ipv4
Specifies that IPv4 packets should be matched.
ipv6
Specifies that IPv6 packets should be matched.
access-list-number | access-list-name
Access list number or name. This value should match the access list number or name of the extended access list that is being matched. IPv6 configurations must use named access lists.
The range is 100 through 199 or 2000 through 2699 for an expanded range.
Usage Guidelines
If you attempt to assign an IPv6 group with IPv4 policies, an error message appears indicating that the access list name is invalid or that the list already exists but is the wrong type.
Examples
The following example shows how to specify an IP extended access list named 102 for IPv4 traffic. This example uses an identity number (rather than an identity address) and a profile named gdoi-p:
Router# enable Router# configure terminal Router(config)# crypto gdoi group gdoigroupname Router(config-gdoi-group)# identity number 3333 Router(config-gdoi-group)# server local Router(gdoi-local-server)# sa ipsec 1 Router(gdoi-sa-ipsec)# profile gdoi-p Router(gdoi-sa-ipsec)# match address ipv4 102The following example shows how to specify an IP extended access list named group1_v6 for IPv6 traffic. This example uses a profile named gdoi-p2:
Router# enable Router# configure terminal Router(config)# crypto gdoi group ipv6 gdoigroupname2 Router(config-gdoi-group)# identity number 3333 Router(config-gdoi-group)# server local Router(gdoi-local-server)# sa ipsec 1 Router(gdoi-sa-ipsec)# profile gdoi-p2 Router(gdoi-sa-ipsec)# match address ipv6 group1_v6match address (IPSec)
To specify an extended access list for a crypto map entry, use the match address command in crypto map configuration mode. To remove the extended access list from a crypto map entry, use the no form of this command.
Syntax Description
access-list-id
(Optional) Identifies the extended access list by its name or number. This value should match the access-list-number or name argument of the extended access list being matched.
name
(Optional) Identifies the named encryption access list. This name should match the name argument of the named encryption access list being matched.
Command History
Release
Modification
11.2
This command was introduced.
12.2(33)SRA
This command was integrated into Cisco IOS release 12.(33)SRA.
12.2SX
This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
Usage Guidelines
This command is required for all static crypto map entries. If you are defining a dynamic crypto map entry (with the crypto dynamic-map command), this command is not required but is strongly recommended.
Use this command to assign an extended access list to a crypto map entry. You also need to define this access list using the access-listor ip access-list extended commands.
The extended access list specified with this command will be used by IPSec to determine which traffic should be protected by crypto and which traffic does not need crypto protection. (Traffic that is permitted by the access list will be protected. Traffic that is denied by the access list will not be protected in the context of the corresponding crypto map entry.)
Note that the crypto access list is not used to determine whether to permit or deny traffic through the interface. An access list applied directly to the interface makes that determination.
The crypto access list specified by this command is used when evaluating both inbound and outbound traffic. Outbound traffic is evaluated against the crypto access lists specified by the interface’s crypto map entries to determine if it should be protected by crypto and if so (if traffic matches a permit entry) which crypto policy applies. (If necessary, in the case of static IPSec crypto maps, new security associations are established using the data flow identity as specified in the permit entry; in the case of dynamic crypto map entries, if no SA exists, the packet is dropped.) After passing the regular access lists at the interface, inbound traffic is evaluated against the crypto access lists specified by the entries of the interface’s crypto map set to determine if it should be protected by crypto and, if so, which crypto policy applies. (In the case of IPSec, unprotected traffic is discarded because it should have been protected by IPSec.)
In the case of IPSec, the access list is also used to identify the flow for which the IPSec security associations are established. In the outbound case, the permit entry is used as the data flow identity (in general), while in the inbound case the data flow identity specified by the peer must be “permitted” by the crypto access list.
Examples
The following example shows the minimum required crypto map configuration when IKE will be used to establish the security associations. (This example is for a static crypto map.)
crypto map mymap 10 ipsec-isakmp match address 101 set transform-set my_t_set1 set peer 10.0.0.1Related Commands
Command
Description
crypto dynamic-map
Creates a dynamic crypto map entry and enters the crypto map configuration command mode.
crypto map (global IPSec)
Creates or modifies a crypto map entry and enters the crypto map configuration mode.
crypto map (interface IPSec)
Applies a previously defined crypto map set to an interface.
crypto map local-address
Specifies and names an identifying interface to be used by the crypto map for IPSec traffic.
set peer (IPSec)
Specifies an IPSec peer in a crypto map entry.
set pfs
Specifies that IPSec should ask for perfect forward secrecy (PFS) when requesting new security associations for this crypto map entry, or that IPSec requires PFS when receiving requests for new security associations.
set security-association level per-host
Specifies that separate IPSec security associations should be requested for each source/destination host pair.
set security-association lifetime
Overrides (for a particular crypto map entry) the global lifetime value, which is used when negotiating IPSec security associations.
set session-key
Specifies the IPSec session keys within a crypto map entry.
set transform-set
Specifies which transform sets can be used with the crypto map entry.
show crypto map (IPSec)
Displays the crypto map configuration.
match authentication trustpoint
To specify the trustpoint name that should be used to authenticate the SDP peer’s certificate, use the match authentication trustpointcommand in tti-registrar configuration mode. To remove this configuration, use the no form of this command.
Usage Guidelines
The match authentication trustpointcommand can be used optionally in the SDP registrar configuration, which is used to deploy Apple iPhones on a corporate network.
If the trustpoint name is not specified, then the trustpoint configured using the authentication trustpointin tti-registrar configuration mode is used to authenticate the SDP peer’s certificate.
Examples
The following example configures the SDP registrar to run HTTPS in order to deploy Apple iPhones on a corporate network from global configuration mode:
Router(config)# crypto provisioning registrar Router(tti-registrar)# url-profile start START Router(tti-registrar)# url-profile intro INTRO Router(tti-registrar)# match url /sdp/intro Router(tti-registrar)# match authentication trustpoint apple-tp Router(tti-registrar)# match certificate cat 10 Router(tti-registrar)# mime-type application/x-apple-aspen-config Router(tti-registrar)# template location flash:intro.mobileconfig Router(tti-registrar)# template variable p iphone-vpnRelated Commands
Command
Description
crypto provisioning registrar
Configures a device to become a registrar for the SDP exchange and enters tti-registrar configuration mode.
url-profile
Specifies a URL profile that configures the SDP registrar to run HTTPS in order to deploy Apple iPhones on a corporate network.
match url
Specifies the URL to be associated with the URL profile.
authentication trustpoint
Specifies the trustpoint used to authenticate the SDP petitioner device’s existing certificate.
match certificate
Enters the name of the certificate map used to authorize the peer’s certificate.
mime-type
Specifies the MIME type that the SDP registrar should use to respond to a request received through the URL profile.
template location
Specifies the location of the template that the SDP Registrar should use while responding to a request received through the URL profile.
template variable p
Specifies the value that goes into the OU field of the subject name in the certificate to be issued.
match body regex
To specify an arbitrary text expression to restrict specified content-types and content encoding types for text and HTML in the “body” of the e-mail, use the match body regex command in class-map configuration mode. To remove this match criterion, use the no form of this command.
Usage Guidelines
If a match is found, possible actions that can be specified within the policy are as follows: allow, reset, or log. (The log action triggers a syslog message when a match is found.)
The text or HTML pattern is scanned only if the encoding is 7-bit or 8-bit and the encoding is checked before attempting to match the pattern. If the pattern is of another encoding type (For example, base64, zip files etc.), then the pattern cannot be scanned
NoteUsing this command can impact performance because the complete SMTP connection has to be scanned.
Examples
The following example shows how to configure an SMTP policy to block an e-mail that contains the pattern “*UD-421590*” in the body of an e-mail.
parameter-map type regex doc-data pattern “*UD-421590*” class-map type inspect smtp c1 match body regex doc-data policy-map type inspect smtp p1 class type inspect smtp c1 logmatch certificate
To specify the name of the certificate map used to authorize the peer’s certificate, use the match certificatecommand in tti-registrar configuration mode. To remove this configuration, use the no form of this command.
Usage Guidelines
The match certificatecommand can be used optionally in the SDP registrar configuration, which is used to deploy Apple iPhones on a corporate network.
Examples
The following example configures the SDP registrar to run HTTPS in order to deploy Apple iPhones on a corporate network from global configuration mode:
Router(config)# crypto provisioning registrar Router(tti-registrar)# url-profile start START Router(tti-registrar)# url-profile intro INTRO Router(tti-registrar)# match url /sdp/intro Router(tti-registrar)# match authentication trustpoint apple-tp Router(tti-registrar)# match certificate cat 10 Router(tti-registrar)# mime-type application/x-apple-aspen-config Router(tti-registrar)# template location flash:intro.mobileconfig Router(tti-registrar)# template variable p iphone-vpnRelated Commands
Command
Description
crypto provisioning registrar
Configures a device to become a registrar for the SDP exchange and enters tti-registrar configuration mode.
url-profile
Specifies a URL profile that configures the SDP registrar to run HTTPS in order to deploy Apple iPhones on a corporate network.
match url
Specifies the URL to be associated with the URL profile.
match authentication trustpoint
Specifies the trustpoint name that should be used to authenticate the SDP peer’s certificate in order to deploy Apple iPhones on a corporate network.
mime-type
Specifies the MIME type that the SDP registrar should use to respond to a request received through the URL profile.
template location
Specifies the location of the template that the SDP Registrar should use while responding to a request received through the URL profile.
template variable p
Specifies the value that goes into the OU field of the subject name in the certificate to be issued.
match certificate (ca-trustpoint)
To associate a certificate-based access control list (ACL) that is defined with the crypto ca certificate map command, use the match certificate command in ca-trustpoint configuration mode. To remove the association, use the no form of this command.
match certificate certificate-map-label [ allow expired-certificate | skip revocation-check | skip authorization-check ]
no match certificate certificate-map-label [ allow expired-certificate | skip revocation-check | skip authorization-check ]
Syntax Description
Command Default
If this command is not configured, no default match certificate is configured. Each of the allow expired-certificate, skip revocation-check, and skip authorization-check keywords have a default (see the “Syntax Description” section).
Command History
Release
Modification
12.2(15)T
This command was introduced.
12.2(18)SXD
This command was integrated into Cisco IOS Release 12.2(18)SXD.
12.3(4)T
The allow expired-certificate, skip revocation-check, and skip authorization-check keywords were added.
12.2(33)SRA
This command was integrated into Cisco IOS release 12.(33)SRA.
Usage Guidelines
The match certificatecommand associates the certificate-based ACL defined with the crypto ca certificate map command to the trustpoint. The certificate-map-label argument in the match certificate command must match the label argument specified in a previously defined crypto ca certificate map command.
The certificate map with the label certificate-map-label must be defined before it can be used with the match certificate subcommand.
A certificate referenced in a match certificate command may not be deleted until all references to the certificate map are removed from configured trustpoints (that is, no match certificate commands can reference the certificate map being deleted).
When the certificate of a peer has been verified, the certificate-based ACL as specified by the certificate map is checked. If the certificate of the peer matches the certificate ACL, or a certificate map is not associated with the trustpoint used to verify the certificate of the peer, the certificate of the peer is considered valid.
If the certificate map does not have any attributes defined, the certificate is rejected.
Using the allow expired-certificate Keyword
The allow expired-certificate keyword has two purposes:
- If the certificate of a peer has expired, this keyword may be used to “allow” the expired certificate until the peer is able to obtain a new certificate.
- If your router clock has not yet been set to the correct time, the certificate of a peer will appear to be not yet valid until the clock is set. This keyword may be used to allow the certificate of the peer even though your router clock is not set.
NoteIf Network Time Protocol (NTP) is available only via the IPSec connection (usually via the hub in a hub-and-spoke configuration), the router clock can never be set. The tunnel to the hub cannot be “brought up” because the certificate of the hub is not yet valid.
- “Expired” is a generic term for a certificate that is expired or that is not yet valid. The certificate has a start and end time. An expired certificate, for purposes of the ACL, is one for which the current time of the router is outside the start and end time specified in the certificate.
Using the skip revocation-check Keyword
The type of enforcement provided using the skip revocation-check keyword is most useful in a hub-and-spoke configuration in which you also want to allow direct spoke-to-spoke connections. In pure hub-and-spoke configurations, all spokes connect only to the hub, so CRL checking is necessary only on the hub. If one spoke communicates directly with another spoke, the CRLs must be checked. However, if the trustpoint is configured to require CRLs, the connection to the hub to retrieve the CRL usually cannot be made because the CRL is available only via the connection hub.
Using the skip authorization-check Keyword
If the communication with an AAA server is protected with a certificate, and you want to skip the AAA check of the certificate, use the skip authorization-check keyword. For example, if a Virtual Private Network (VPN) tunnel is configured so that all AAA traffic goes over that tunnel, and the tunnel is protected with a certificate, you can use the skip authorization-check keyword to skip the certificate check so that the tunnel can be established.
The skip authorization-check keyword should be configured after PKI integration with an AAA server is configured.
Examples
The following example shows a certificate-based ACL with the label “Group” defined in a crypto ca certificate map command and included in the match certificate command:
crypto ca certificate map Group 10 subject-name co ou=WAN subject-name co o=Cisco ! crypto ca trustpoint pki match certificate GroupThe following example shows a configuration for a central site using the allow expired-certificate keyword. The router at a branch site has an expired certificate named “branch1” and has to establish a tunnel to the central site to renew its certificate.
crypto pki trustpoint VPN-GW enrollment url http://ca.home-office.com:80/certsrv/mscep/mscep.dll serial-number none fqdn none ip-address none subject-name o=Home Office Inc,cn=Central VPN Gateway revocation-check crl match certificate branch1 allow expired-certificateThe following example shows a branch office configuration using the skip revocation-check keyword. The trustpoint is being allowed to enforce CRLs except for “central-site” certificates.
crypto pki trustpoint home-office enrollment url http://ca.home-office.com:80/certsrv/mscep/mscep.dll serial-number none fqdn none ip-address none subject-name o=Home Office Inc,cn=Branch 1 revocation-check crl match certificate central-site skip revocation-checkThe following example shows a branch office configuration using the skip authorization-check keyword. The trustpoint is being allowed to skip AAA checking for the central site.
crypto pki trustpoint home-office auth list allow_list auth user subj commonname match certificate central-site skip authorization-checkmatch certificate (ca-trustpool)
To enable the use of certificate maps for the public key infrastructure (PKI) trustpool, use the match certificate command in ca-trustpool configuration mode. To remove the association, use the no form of this command.
match certificate certificate-map-name [ allow expired-certificate | override { cdp directory ldap-location | ocsp { number url | trustpool name number url url } | sia number url } | skip [ revocation-check | authorization-check ] ]
no match certificate certificate-map-name [ allow expired-certificate | override { cdp directory ldap-location | ocsp { number url | trustpool name number url url } | sia number url } | skip [ revocation-check | authorization-check ] ]
Syntax Description
certificate-map-name
The certificate map name that is matched.
allow expired-certificate
(Optional) Ignores expired certificates.
Note If this keyword combination is not configured, the router does not ignore expired certificates.
override
Overrides the online certificate status protocol (OCSP), or SubjectInfoAccess (SIA) attribute fields in a certificate that is in the PKI trustpool.
cdp
Overrides the certificate distribution point (CDP) in a certificate.
directory ldap-location
Specifies the CDP in either the http: or ldap: URL, or the Lightweight Directory Access Protocol (LDAP) directory to override in the certificate.
ocsp number url
Specifies the OCSP sequence number from 0 to 10000 and URL to override in the certificate.
trustpool name number url url
Overrides the PKI trustpool for verifying the OCSP certificate by specifying the PKI trustpool name, sequence number, and URL.
sia number url
Overrides the SIA URL in a certificate by specifying the SIA sequence number and URL.
skip revocation-check
(Optional) Allows the PKI trustpool to enforce certificate revocation lists (CRLs) except for specific certificates.
Note If this keyword combination is not configured, the PKI trustpool enforces CRLs for all certificates.
skip authorization-check
(Optional) Skips the authentication, authorization, and accounting (AAA) check of a certificate when PKI integration with an AAA server is configured.
Note If this keyword combination is not configured and PKI integration with an AAA server is configured, the AAA checking of a certificate is done.
Command Default
If this command is not configured, no default match certificate is configured for the PKI trustpool. Each of the allow expired-certificate, skip revocation-check, and skip authorization-check keywords has a default behavior (see the “Syntax Description” section).
Usage Guidelines
Before you can configure this command, you must enable the crypto pki trustpool policy command, which enters ca-trustpool configuration mode.
A certificate referenced in a match certificate command may not be deleted until all references to the certificate map are removed from configured trustpool (that is, no match certificate commands can reference the certificate map being deleted).
If the certificate map has no attributes defined, then the certificate is rejected.
Using the allow expired-certificate Keyword Combination
The allow expired-certificate keyword combination has three purposes:
- If the certificate of a peer has expired, this keyword may be used to allow the expired certificate until the peer is able to obtain a new certificate.
- If your router clock has not yet been set to the correct time, the certificate of a peer will appear to be not yet valid until the clock is set. This keyword may be used to allow the certificate of the peer even though your router clock is not set.
NoteIf Network Time Protocol (NTP) is available only through the IPSec connection (usually through the hub in a hub-and-spoke configuration), the router clock can never be set. The tunnel to the hub cannot be “brought up” because the certificate of the hub is not yet valid.
- “Expired” is a generic term for a certificate that is expired or that is not yet valid. The certificate has a start and end time. An expired certificate, for purposes of the ACL, is one for which the current time of the router is outside the start and end time specified in the certificate.
Using the skip revocation-check Keyword Combination
The type of enforcement provided using the skip revocation-check keyword combination is most useful in a hub-and-spoke configuration in which you also want to allow direct spoke-to-spoke connections. In pure hub-and-spoke configurations, all spokes connect only to the hub, so CRL checking is necessary only on the hub. If one spoke communicates directly with another spoke, the CRLs must be checked. However, if the trustpoint is configured to require CRLs, the connection to the hub to retrieve the CRL usually cannot be made because the CRL is available only via the connection hub.
Using the skip authorization-check Keyword Combination
If the communication with an AAA server is protected with a certificate, and you want to skip the AAA check of the certificate, use the skip authorization-check keyword combination. For example, if a VPN tunnel is configured so that all AAA traffic goes over that tunnel, and the tunnel is protected with a certificate, you can use the skip authorization-check keyword to skip the certificate check so that the tunnel can be established.
The skip authorization-check keyword combination should be configured after PKI integration with an AAA server is configured.
Examples
The following example shows how to configure revocation policy for an OSCP URL for an individual certificate authority (CA) certificate in the PKI trustpool by matching the issuer name:
Router(config)# crypto pki trustpool policy Router(ca-trustpool)# match certificate mycert override ocsp 1 url http://ocspts.identrust.comRelated Commands
Command
Description
cabundle url
Configures the URL from which the PKI trustpool CA bundle is downloaded.
chain-validation
Enables chain validation from the peer's certificate to the root CA certificate in the PKI trustpool.
crl
Specifes the CRL query and cache options for the PKI trustpool.
crypto pki trustpool import
Manually imports (downloads) the CA certificate bundle into the PKI trustpool to update or replace the existing CA bundle.
crypto pki trustpool policy
Configures PKI trustpool policy parameters.
default
Resets the value of a ca-trustpool configuration command to its default.
ocsp
Specifies OCSP settings for the PKI trustpool.
revocation-check
Disables revocation checking when the PKI trustpool policy is being used.
show
Displays the PKI trustpool policy of the router in ca-trustpool configuration mode.
show crypto pki trustpool
Displays the PKI trustpool certificates of the router and optionally shows the PKI trustpool policy.
source interface
Specifies the source interface to be used for CRL retrieval, OCSP status, or the downloading of a CA certificate bundle for the PKI trustpool.
storage
Specifies a file system location where PKI trustpool certificates are stored on the router.
vrf
Specifies the VRF instance to be used for CRL retrieval.
match certificate (ISAKMP)
To assign an Internet Security Association Key Management Protocol (ISAKMP) profile to a peer on the basis of the contents of arbitrary fields in the certificate, use the match certificate command in crypto ISAKMP profile configuration mode. To remove the profile, use the no form of this command.
Command History
Release
Modification
12.3(8)T
This command was introduced.
12.2(33)SRA
This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2(33)SX
This command is supported in the Cisco 12.2SX family of releases. Support in a 12.2SX release is dependent on your feature set, platform, and platform hardware.
Usage Guidelines
The match certificate command is used after the certificate map has been configured and the ISAKMP profiles have been assigned to them.
Examples
The following configuration example shows that whenever a certificate contains “ou = green,” the ISAKMP profile “cert_pro” will be assigned to the peer.
crypto pki certificate map cert_map 10 subject-name co ou = green ! ! crypto isakmp identity dn crypto isakmp profile cert_pro ca trust-point 2315 ca trust-point LaBcA initiate mode aggressive match certificate cert_mapmatch certificate override cdp
To manually override the existing certificate distribution point (CDP) entries for a certificate with a URL or directory specification, use the match certificate override cdpcommand in ca-trustpoint configuration mode. To remove the override, use the no form of this command.
match certificate certificate-map-label override cdp { url | directory } string
no match certificate certificate-map-label override cdp { url | directory } string
Syntax Description
certificate-map-label
A user-specified label that must match the label argument specified in a previously defined crypto ca certificate map command.
url
Specifies that the certificates CDPs will be overridden with an http or ldap URL.
directory
Specifies that the certificate’s CDPs will be overridden with an ldap directory specification.
string
The URL or directory specification.
Usage Guidelines
Use the match certificate override cdpcommand to replace all of the existing CDPs in a certificate with a manually configured CDP URL or directory specification.
The certificate-map-label argument in the match certificate override cdpcommand must match the label argument specified in a previously defined crypto ca certificate map command.
NoteSome applications may time out before all CDPs have been tried and will report an error message. This will not affect the router, and the Cisco IOS software will continue attempting to retrieve a CRL until all CDPs have been tried.
Examples
The following example uses the match certificate override cdpcommand to override the CDPs for the certificate map named Group1 defined in a crypto ca certificate map command:
crypto ca certificate map Group1 10 subject-name co ou=WAN subject-name co o=Cisco ! crypto ca trustpoint pki match certificate Group1 override cdp url http://server.cisco.commatch certificate override ocsp
To override an Online Certificate Status Protocol (OCSP) server setting specified in either the Authority Info Access (AIA) field of the client certificate or in the trustpoint configuration , use the match certificate override ocsp command in ca-trustpoint configuration mode. To remove the OCSP server override setting, use the no form of this command.
match certificate certificate-map-label override ocsp [ trustpoint trustpoint-label ] sequence-number url ocsp-url
no match certificate certificate-map-label override ocsp [ trustpoint trustpoint-label ] sequence-number url ocsp-url
Syntax Description
certificate-map-label
Specifies the exact name of an existing certificate map label.
trustpoint trustpoint-label
(Optional) Specifies the existing trustpoint to be used when validating the OCSP server responder certificate.
sequence-number
Indicates the order of the override statements to be applied when a certificate is being verified.
Note Certificate matches are performed from the lowest sequence number to the highest sequence number. If more than one command is issued with the same sequence number, the previous OCSP server override setting is replaced.
url ocsp-url
Specifies the OCSP server URL.
Usage Guidelines
OCSP server validation is usually based on the root certification authority (CA) certificate or a valid subordinate CA certificate, but may also be configured for validation of the OCSP server identity with the match certificate override ocspcommand and trustpoint keyword.
One or more OCSP servers may be specified, either per client certificate or per group of client certificates. When the certificate matches a configured certificate map, the AIA field of the client certificate and any previously issued ocsp url command settings are overwritten with the specified OCSP server. If the ocsp url configuration exists and no map-based match occurs, the ocsp url configuration settings will continue to apply to the client certificates.
Examples
The following example shows an excerpt of the running configuration output when adding an override OCSP server to the beginning of an existing sequence:
match certificate map3 override ocsp 5 url http://192.168.2.3/ show running-config . . . match certificate map3 override ocsp 5 url http://192.168.2.3/ match certificate map1 override ocsp 10 url http://192.168.2.1/ match certificate map2 override ocsp 15 url http://192.168.2.2/ The following example shows an excerpt of the running configuration output when an existing override OSCP server is replaced and a trustpoint is specified to use an alternative public key infrastructure (PKI) hierarchy: match certificate map4 override ocsp trustpoint tp4 10 url http://192.168.2.4/newvalue\ show running-config . . . match certificate map3 override ocsp trustpoint tp3 5 url http://192.168.2.3/ match certificate map1 override ocsp trustpoint tp1 10 url http://192.168.2.1/ match certificate map4 override ocsp trustpoint tp4 10 url http://192.168.2.4/newvalue match certificate map2 override ocsp trustpoint tp2 15 url http://192.168.2.2/ The following example shows an excerpt of the running configuration output when an existing override OCSP server is removed from an existing sequence: no match certificate map1 override ocsp trustpoint tp1 10 url http://192.168.2.1/ show running-config . . . match certificate map3 override ocsp trustpoint tp3 5 url http://192.168.2.3/ match certificate map4 override ocsp trustpoint tp4 10 url http://192.168.2.4/newvalue match certificate map2 override ocsp trustpoint tp2 15 url http://192.168.2.2/match certificate override sia
To manually override the existing SubjectInfoAccess (SIA) attribute, use the match certificate override sia command in CA-trustpoint configuration mode. To remove the override, use the no form of this command.
match certificate certificate-map-label override sia sequence-number certificate-url
no match certificate certificate-map-label override sia
Syntax Description
certificate-map-label
A user-specified label that should match the label argument specified in a previously defined crypto ca certificate map command.
sequence-number
The order of the override statements to be applied when a certificate is being verified.
Note Certificate matches are performed from the lowest sequence number to the highest sequence number. If more than one command is issued with the same sequence number, the previous SIA override setting is replaced.
certificate-url
The remote location of the certificate in URL format.
Usage Guidelines
The certificate's storage location is contained in the certificate itself by the issuing authority. This data is contained in the SIA and the AuthorityInfoAccess (AIA) extension in certificates. Use the match certificate override sia command to manually configure the remote location of the identity certificate regardless of the SIA attribute in the certificate.
Examples
The following example shows how to use the match certificate override sia command to override the SIAs for the certificate map named Group1 defined in a crypto ca certificate map command:
Router(config)# crypto ca certificate map Group1 10 Router(ca-certificate-map)# subject-name co ou=WAN Router(ca-certificate-map)# subject-name co o=Cisco ! Router(config)# crypto ca trustpoint pki Router (ca-trustpoint)# match certificate Group1 override sia 100 http://certs.example.com/certificate.cermatch class-map
To use a traffic class as a classification policy, use the match class-map command in class-map or policy inline configuration mode. To remove a specific traffic class as a match criterion, use the no form of this command.
Command History
Release
Modification
12.0(5)XE
This command was introduced.
12.1(1)E
This command was integrated into Cisco IOS Release 12.1(1)E.
12.1(5)T
This command was integrated into Cisco IOS Release 12.1(5)T.
12.4(6)T
This command was enhanced to support Zone-Based Policy Firewall.
12.2(33)SRA
This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2(31)SB
This command was implemented on the Cisco 10000 series.
12.2SX
This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
Cisco IOS XE Release 3.2S
This command was integrated into Cisco IOS XE Release 3.2S.
Usage Guidelines
The only method of including both match-any and match-all characteristics in a single traffic class is to use the match class-map command. To combine match-any and match-all characteristics into a single class, do one of the following:
- Create a traffic class with the match-anyinstruction and use a class configured with the match-all instruction as a match criterion (using the match class-map command).
- Create a traffic class with the match-allinstruction and use a class configured with the match-any instruction as a match criterion (using the match class-map command).
You can also use the match class-map command to nest traffic classes within one another, saving users the overhead of re-creating a new traffic class when most of the information exists in a previously configured traffic class.
When packets are matched to a class map, a traffic rate is generated for these packets. In a zone-based firewall policy, only the first packet that creates a session matches the policy. Subsequent packets in this flow do not match the filters in the configured policy, but instead match the session directly. The statistics related to subsequent packets are shown as part of the 'inspect' action.
Examples
In the following example, the traffic class called class1 has the same characteristics as traffic class called class2, with the exception that traffic class class1 has added a destination address as a match criterion. Rather than configuring traffic class class1 line by line, you can enter the match class-map class2 command. This command allows all of the characteristics in the traffic class called class2 to be included in the traffic class called class1, and you can simply add the new destination address match criterion without reconfiguring the entire traffic class.
Router(config)# class-map match-any class2 Router(config-cmap)# match protocol ip Router(config-cmap)# match qos-group 3 Router(config-cmap)# match access-group 2 Router(config-cmap)# exit Router(config)# class-map match-all class1 Router(config-cmap)# match class-map class2 Router(config-cmap)# match destination-address mac 1.1.1 Router(config-cmap)# exitThe following example shows how to combine the characteristics of two traffic classes, one with match-any and one with match-all characteristics, into one traffic class with the match class-map command. The result of traffic class called class4 requires a packet to match one of the following three match criteria to be considered a member of traffic class called class 4: IP protocol and QoS group 4, destination MAC address 1.1.1, or access group 2. Match criteria IP protocol and QoS group 4 are required in the definition of the traffic class named class3 and included as a possible match in the definition of the traffic class named class4 with the match class-map class3 command.
In this example, only the traffic class called class4 is used with the service policy called policy1.
Router(config)# class-map match-all class3 Router(config-cmap)# match protocol ip Router(config-cmap)# match qos-group 4 Router(config-cmap)# exit Router(config)# class-map match-any class4 Router(config-cmap)# match class-map class3 Router(config-cmap)# match destination-address mac 1.1.1 Router(config-cmap)# match access-group 2 Router(config-cmap)# exit Router(config)# policy-map policy1 Router(config-pmap)# class class4 Router(config-pmap-c)# police 8100 1500 2504 conform-action transmit exceed-action set-qos-transmit 4 Router(config-pmap-c)# exitmatch class session
NoteEffective with Cisco IOS Release 15.2(4)M, the match class session command is not available in Cisco IOS software.
To configure match criteria for a class map used to identify a session (flow) containing packets of interest, which is then applied to all packets transmitted during the session, use the match class session command in class map configuration mode. To remove this configuration, use the no form of this command.
match class class-name [ packet-range low high | byte-range low high ] session
no match class class-name [ packet-range low high | byte-range low high ] session
Syntax Description
class-name
Specifies the class map used to identify a session containing packets of interest. The classification results are preserved for the subsequent packets of the same packet session.
packet-range low high
(Optional) Specifies the range of packets from 1 to 2147483647, in which the regular expressions (regex) within every packet is are checked. The classification results are preserved for the specified packets or bytes of the same packet session.
byte-range low high
(Optional) Specifies the range of bytes from 1 to 2147483647, in which the regular expressions (regex) within every packet are checked. The classification results are preserved for the specified packets or bytes of the same packet session.
Usage Guidelines
With the introduction of Cisco IOS Release15.1(3)T, Flexible Packet Matching (FPM) can now match every packet against the filters specified in the class map and pass the match result to consecutive packets of the same network session. If a filter matches with malicious content in the packet’s protocol header or payload, then the required action is taken to resolve the problem.
The match class session command configures match criteria that identify a session containing packets of interest, which is then applied to all packets transmitted during the session. The packet-range and byte-range keywords are used to create a filter mechanism that increases the performance and matching accuracy of regex-based FPM class maps by classifying traffic that resides in the narrow packet number or byte ranges of each packet flow. If packets go beyond the classification window, then the packet flow can be identified as unknown and packet classification is terminated early to increase performance. For example, a specific application can be blocked efficiently by filtering all packets that belong to this application on a session. These packets are dropped without matching every individual packet with the filters, which improves the performance of a session.
These filters also reduce the number of false positives introduced by general regex-based approaches. For example, Internet company messenger traffic can be classified with a string like intco, intcomsg, and ic. These strings are searched for in a packet’s payload. These small strings can appear in the packet payload of any other applications, such as e-mail, and can introduce false positives. False positives can be avoided by specifying which regex is searched within which packet of a particular packet flow.
Once the match criteria are applied to packets belonging to the specific traffic class, these packets can be discarded by configuring the drop all command in a policy map. Packets match only on the packet flow entry of an FPM, and skip user-configured classification filters.
A match class does not have to be applied exclusively for a regex-based filter. Any FPM filter can be used in the nested match class filter. For example, if the match class c1 has the filter match field TCP source-port eq 80, then the match class c1 session command takes the same action for the packets that follow the first matching packet.
Examples
The following example shows how to configure a class map and policy map to specify the protocol stack class, the match criteria and action to take, and a combination of classes using session-based (flow-based) and nonsession-based actions. The drop all command is associated with the action to be taken on the policy.
Router(config)# class-map type access-control match-all my-HTTP Router(config-cm)# match field tcp destport eq 8080 Router(config-cm)# match start tcp payload-start offset 20 size 10 regex “GET” Router(config)# class-map type access-control match-all my-FTP Router(config-cmap)# match field tcp destport eq 21 Router(config)# class-map type access-control match all class1 Router(config-cmap)# match class my-HTTP session Router(config-cmap)# match start tcp payload-start offset 40 size 20 regex “abc.*def” Router(config)# policy-map type access-control my_http_policy Router(config-pmap)# class class1 Router(config-pmap-c)# drop all Router(config)# interface gigabitEthernet 0/1 Router(config-if)# service-policy type access-control input my_http_policyThe following example shows how to configure a class map and policy map to specify the protocol stack class, the match criteria and action to take, and a combination of classes using session-based (flow-based) and nonsession-based actions. However, this example uses the match class command with the packet-range keyword, which acts as a filter mechanism to increases the performance and matching accuracy of the regex-based FPM class map.
Router(config)# load disk2:ip.phdf Router(config)# load protocol disk2:tcp.phdf Router(config)# class-map type stack match-all ip_tcp Router(config-cmap)# description “match TCP over IP packets” Router(config-cmap)# match field ip protocol eq 6 next tcp Router(config)# class-map type access-control match-all WM Router(config-cmap) # match start tcp payload-start offset 20 size 20 regex “.*(WEBCO|WMSG|WPNS).......[LWT].*\xc0\x80” Router(config)# class-map type access-control match-all wtube Router(config-cmap) # match start tcp payload-start offset 20 size 20 regex “.*GET\x20.*HTTP\x2f(0\.9|1\.0|1\.1)\x0d\x0aHost:\x20webtube.com\x0d\x0a” Router(config)# class-map type access-control match-all doom Router(config-cmap) # match start tcp payload-start offset 20 size 20 string virus Router(config)# class-map type access-control match-all class_webco Router(config-cmap)# match class WM session Router(config-cmap)# match field ip length eq 0x194 Router(config-cmap)# match start network-start offset 224 size 4 eq 0x4011010 Router(config)# class-map type access-control match-all class_webtube Router(config-cmap)# match class wtube packet-range 1 5 session Router(config-cmap)# match class doom session Router(config-cmap)# match field ip length eq 0x194 Router(config-cmap)# match start network-start offset 224 size 4 eq 0x4011010 Router(config)# policy-map type access-control my_policy Router(config-pmap)# class class_webco Router(config-pmap-c)# log Router(config)# policy-map type access-control my_policy Router(config-pmap)# class class_webtube Router(config-pmap-c)# drop all Router(config)# policy-map type access-control P1 Router(config-pmap)# class ip_tcp Router(config-pmap-c)# service-policy my_policy Router(config)# interface gigabitEthernet 0/1 Router(config-if)# service-policy type access-control input P1match cmd
To specify a value that limits the length of the ESMTP command line or specifies the ESMTP command line verb used to thwart denial of service (DoS) attacks, use the match cmdcommand in class-map configuration mode. To disable this inspection parameter, use the no form of this command.
match cmd { line length gt length | verb { AUTH | DATA | EHLO | ETRN | EXPN | HELO | HELP | MAIL NOOP | QUIT | RCPT | RSET | SAML | SEND | SOML | STARTTLS | VERB | VRFY | WORD } }
no match cmd { line length gt length | verb { AUTH | DATA | EHLO | ETRN | EXPN | HELO | HELP | MAIL NOOP | QUIT | RCPT | RSET | SAML | SEND | SOML | STARTTLS | VERB | VRFY | WORD } }
Syntax Description
line length gt length
Specifies the ESMTP command line greater than the length of a number of characters from 1 to 65535.
verb
Specifies the ESMTP command verb used to thwart DoS attacks.
AUTH
SMTP service extension whereby an SMTP client may indicate an authentication mechanism to the server, perform an authentication protocol exchange, and optionally negotiate a security layer for subsequent protocol interactions.
DATA
Sent by a client to initiate the transfer of message content.
EHLO
Enables the server to identify its support for Extended Simple Mail Transfer Protocol (ESMTP) commands.
ETRN
Requests the local SMTP server to initiate delivery of mail to the external SMTP server on a separate SMTP connection.
EXPN
Expand a mailing list address into individual recipients. Often disabled to prevent use by spammers.
HELO
Sent by a client to identify itself, usually with a domain name.
HELP
Returns a list of commands that are supported by the SMTP service.
MAIL NOOP
Start of MAIL FROM: Identifies sender of mail message. May be forged. May not correspond to the From: line in a mail message. Should be added in Return Path header. Address to send any undeliverable notifications (bounces). The NO OPeration (NOOP) does nothing, except keep the connection active and help synchronize commands and responses.
QUIT
Terminates the session.
RCPT
Identifies the message recipients; used in the form RCPT TO:
RSET
Nullifies the entire message transaction and resets the buffer.
SAML
Start of SAML FROM: Like MAIL except supposed to also display the message on the recipients computer (early form of instant messaging).
SOML
Start of SAML FROM: Like MAIL except supposed to either mail the message OR display the message on the recipients computer (early form of instant messaging)
STARTTLS
Triggers start of TLS negotiation for secure SMTP conversation. If successful, resets state to before EHLO command sent.
VERB
Enables verbose (detailed) responses.
VRFY
Verifies that a mailbox is available for message delivery; for example, the VRFY MARK command verifies that a mailbox for MARK resides on the local server. This command is off by default in Exchange implementations.
WORD
Specifies a word in the body of the e-mail message.
Usage Guidelines
In a class-map type inspect smtp match-all command statement with the match cmd verb command statement, only the following match cmd line length gt command statement can coexist. For example:
class-map type inspect smtp match-all c2 match cmd line length gt 256 match cmd verb MAIL
NoteThere are no match restrictions in case of a class-map type inspect smtp match-any command statement for a class map because the class-map applies to all SMTP commands.
The class-map c2 matches if the length of only the e-mail command is greater than 256 bytes (which is not applicable to other commands), which translates to: If the length of the MAIL command exceeds the configured value.
NoteIf no match cmd verb command statement is specified in a class-map type inspect smtp match-all command statement for a class-map, which contains the match cmd line length gt command statement, then the class-map applies to all SMTP commands.
match data-length
To determine if the amount of data transferred in a Simple Mail Transfer Protocol (SMTP) connection is greater than the configured limit, use the match data-lengthcommand in class-map type inspect smtp configuration mode. To remove this match criteria, use the no form of this command.
Usage Guidelines
The match data-length match criteria can be specified only under an SMTP class map. For more information, see the class-map type inspect smtp command.
match encrypted
NoteEffective with Cisco IOS Release 15.2(4)M, the match encrypted command is not available in Cisco IOS software.
To configure the match criteria for a class map on the basis of encrypted Flexible Packet Matching (FPM) filters and enter FPM match encryption filter configuration mode, use the match encrypted command in class-map configuration mode. To remove the specified match criteria, use the no form of this command.
Usage Guidelines
If you have access to an encrypted traffic classification definition file (eTCDF) or if you know valid values to configure encrypted Flexible Packet Matching (FPM) filters, you can configure the same eTCDF through the command-line interface instead of using the preferred method of loading the eTCDF on the router. You must create a class map of type access-control using the class-map type command, and use the match encrypted command to configure the match criteria for the class map on the basis of encrypted FPM filters and enter FPM match encryption filter configuration mode. You can then use the appropriate commands to specify the algorithm, cipher key, cipher value, filter hash, filter ID, and filter version. You can copy the values from the eTCDF by opening the eTCDF in any text editor.
Examples
The following example shows how to enter FPM match encryption filter configuration mode:
Router(config)# class-map type access-control match-all class2 Routre(config-cmap)# match encrypted Router(c-map-match-enc-config)#Related Commands
Command
Description
algorithm
Specifies the algorithm to be used for decrypting the filters.
cipherkey
Specifies the symmetric keyname that is used to decrypt the filter.
ciphervalue
Specifies the encrypted filter contents.
class-map type
Creates a class map to be used for matching packets to a specified class.
filter-hash
Specifies the hash for verification and validation of decrypted contents.
filter-id
Specifies a filter level ID for encrypted filters.
filter-version
Specifies the filter level version value for encrypted filters.
match field
NoteEffective with Cisco IOS Release 15.2(4)M, the match field command is not available in Cisco IOS software.
To configure the match criteria for a class map on the basis of the fields defined in the protocol header description files (PHDFs), use the match field command in class-map configuration mode. To remove the specified match criteria, use the no form of this command.
match field protocol protocol-field { eq [mask] | neq [mask] | gt | lt | range range | regex string } value [ next next-protocol ]
no match field protocol protocol-field { eq [mask] | neq [mask] | gt | lt | range range | regex string } value [ next next-protocol ]
Syntax Description
protocol
Name of protocol whose PHDF has been loaded onto a router.
protocol field
Match criteria is based upon the specified f ield within the loaded protocol.
eq
Match criteria is met if the packet is equal to the specified value or mask.
neq
Match criteria is met if the packet is not equal to the specified value or mask.
mask mask
(Optional) Can be used when the eq or the neq keywords are issued.
gt
Match criteria is met if the packet does not exceed the specified value.
lt
Match criteria is met if the packet is less than the specified value.
range range
Match criteria is based upon a lower and upper boundary protocol field range.
regex string
Match criteria is based upon a string that is to be matched.
value
Value for which the packet must be in accordance with.
next next-protocol
Specify the next protocol within the stack of protocols that is to be used as the match criteria.
Command History
Release
Modification
12.4(4)T
This command was introduced.
12.2(18)ZY
This command was integrated into Cisco IOS Release 12.2(18)ZY on the Catalyst 6500 series of switches equipped with the Programmable Intelligent Services Accelerator (PISA).
Cisco IOS XE 2.2
This command was integrated into Cisco IOS XE Release 2.2.
15.2(4)M
This command was removed from the Cisco IOS software.
Usage Guidelines
Before issuing the match-field command, you must load a PHDF onto the router via the load protocol command. Thereafter, you must first enter the class-map command to specify the name of the class whose match criteria you want to establish.
Match criteria are defined via a start point, offset, size, value to match, and mask. A match can be defined on a pattern with any protocol field.
Examples
The following example shows how to configure FPM for blaster packets. The class map contains the following match criteria: TCP port 135, 4444 or UDP port 69; and pattern 0x0030 at 3 bytes from start of IP header.
load protocol disk2:ip.phdf load protocol disk2:tcp.phdf load protocol disk2:udp.phdf class-map type stack match-all ip-tcp match field ip protocol eq 0x6 next tcp class-map type stack match-all ip-udp match field ip protocol eq 0x11 next udp class-map type access-control match-all blaster1 match field tcp dest-port eq 135 match start 13-start offset 3 size 2 eq 0x0030 class-map type access-control match-all blaster2 match field tcp dest-port eq 4444 match start 13-start offset 3 size 2 eq 0x0030 class-map type access-control match-all blaster3 match field udp dest-port eq 69 match start 13-start offset 3 size 2 eq 0x0030 policy-map type access-control fpm-tcp-policy class blaster1 drop class blaster2 drop policy-map type access-control fpm-udp-policy class blaster3 drop policy-map type access-control fpm-policy class ip-tcp service-policy fpm-tcp-policy class ip-udp service-policy fpm-udp-policy interface gigabitEthernet 0/1 service-policy type access-control input fpm-policymatch file-transfer
To use file transfers as the match criterion, use the match file-transfercommand in class-map configuration mode. To remove the file transfer match criterion from the configuration file, use the no form of this command.
Syntax Description
regular-expression
(Optional) The regular expression used to identify file transfers for a specified P2P application. For example, entering “.exe” as the regular expression would classify the Gnutella file transfer connections containing the string “.exe” as matches for the traffic policy.
To specify that all file transfer connections be identified by the traffic class, use an asterisk (*) as the regular expression.
Usage Guidelines
After the class-map type inspectcommand is issued and a P2P application is specified, you can use the match file-transfercommand to configure the Cisco IOS Firewall to match file transfer connections within any supported P2P protocol.
NoteThis command can be used only with the following supported P2P protocols: eDonkey, Gnutella, Kazaa Version 2, and FastTrack.
Examples
The following example shows how to configure the Cisco IOS Firewall to block and reset all Gnutella file transfers that are classified into the “my-gnutella-restrictions” class map:
class-map type inspect gnutella match-any my-gnutella-restrictions match file-transfer * ! policy-map type inspect p2p my-p2p-policy reset logmatch group-object security
To match traffic from a user in the source and destination security group, use the match group-object security command in class-map configuration mode. To remove the match criteria for the source or destination security group, use the no form of this command.
match group-object security { source name | destination name }
no match group-object security { source name | destination name }
Examples
The following example shows how the match group-object security command is used in the class map configuration of the SGA ZBPF.
Router(config)# object-group security myobject1 Router(config-object-group)# security-group tag-id 1 Router(config-object-group)# end Router(config)# class-map type inspect match-any myclass1 Router(config-cmap)# match group-object security source myobject1 Router(config-cmap)# endRelated Commands
Command
Description
debug object-group event
Enables debug messages for object-group events.
group-object
Specifies a nested reference to a type of user group.
object-group security
Creates an object group to identify traffic coming from a specific user or endpoint.
security-group
Specifies the membership of the security group for an object group.
show object-group
Displays the content of all user groups.
match header count
To configure an HTTP firewall policy to permit or deny HTTP traffic on the basis of request, response, or both request and response messages whose headers do not exceed a maximum number of fields, use the match header count command in class-map configuration mode. To change the configuration, use the no form of this command.
match { request | response | req-resp } header [header-name] count gt number
no match { request | response | req-resp } header [header-name] count gt number
Syntax Description
request
Headers in request messages are checked for the match criterion.
response
Headers in response messages are checked for the match criterion.
req-resp
Headers in both request and response messages are checked for the match criterion.
header-name
(Optional) Specific line in the header field. This argument enables the firewall to scan for repeated header fields.
Note If this option is defined, the gt number option must be set to 1.
gt number
Message cannot be greater than the specified number of header lines (fields).
Usage Guidelines
Use the match header countcommand to configure an HTTP firewall policy match criterion on the basis of a maximum allowed header fields count.
If a match is found, possible actions that can be specified within the policy are as follows: allow, reset, or log. (The log action triggers a syslog message when a match is found.)
Header Field Repetition Inspection
To enable the firewall policy to checks whether a request or response message has repeated header fields, use the header-nameargument. This functionality can be used to prevent session smuggling.
Examples
The following example shows how to configure an HTTP application firewall policy to block all requests that exceed 16 header fields:
class-map type inspect http hdr_cnt_cm match req-resp header count gt 16 policy-map type inspect http hdr_cnt_pm class type inspect http hdr_cnt_cm resetThe following example shows how to configure an HTTP application firewall policy to block a request or response that has multiple content-length header lines:
class-map type inspect http multi_occrns_cm match req-resp header content-length count gt 1 policy-map type inspect http multi_occrns_pm class type inspect http multi_occrns_cm resetmatch header length gt
To thwart DoS attacks, use the match header length gtcommand in class-map configuration mode. To disable this inspection parameter, use the no form of this command.
Command History
Release
Modification
12.4(6)T
This command was introduced.
12.4(9)T
The header-name argument and the req-resp keyword were added.
12.4(20)T
The request, response, and req-resp keywords were removed and the header-name argument was removed. This command now applies to SMTP only.
Cisco IOS XE Release 3.2S
This command was integrated into Cisco IOS XE Release 3.2S.
Usage Guidelines
The match header length commandmatches on the maximum length of an SMTP header. If that number is exceeded, the match succeeds.
If a match is found, possible actions that can be specified within the policy are as follows: allow, reset, or log. (The log action triggers a syslog message when a match is found.)
match header regex
To specify an arbitrary text expression (regular expression) in message or content type headers to monitor text patterns, use the match header regexcommand in class map configuration mode. To remove this filter from the configuration, use the no form of this command.
NoteThe request, response, and req-resp keywords and header-name argument are not used in the configuration of an SMTP class map.
match { request | response | req-resp } header [header-name] regex parameter-map-name
no match { request | response | req-resp } header [header-name] regex parameter-map-name
Syntax Description
request
Headers in request messages are checked for the match criterion.
response
Headers in response messages are checked for the match criterion.
req-resp
Headers in both request and response messages are checked for the match criterion.
header-name
Specific line or content type in the header field. This argument enables the firewall to scan for repeated header fields.
parameter-map-name
Name of a specific traffic pattern specified through the parameter-map type regexcommand.
Usage Guidelines
Configuring a Class Map for SMTP
Use the match header regexcommand to configure an SMTP policy match criterion on the basis of headers that match the regular expression defined in a parameter map. An arbitrary text expression in the SMTP e-mail message header (subject field) or e-mail body such as ‘subject’, ‘Received’, ‘To’ or other private header fields helps the router to monitor text patterns.
Configuring a Class Map for HTTP
An HTTP firewall policy match criteria can be configured on the basis of headers that match the regular expression defined in a parameter map.
HTTP has two regular expression (regex) options. One combines the header keyword, content type header name, and regex keyword and parameter-map-name argument. The other combines the header keyword and regex keyword and parameter-map-name argument.
- If the header and regex keywords are used with the parameter-map-name argument, it does not require a period and asterisk infront of the parameter-map-name argument. For example, either "html" or ".*html" parameter-map-name argument can be configured.
- If the header keyword is used with the content-type header name and regex keyword, then the parameter map name requires a period and asterisk (.*) in front of the parameter-map-name argument. For example, the parameter-map-name argument “html” is expressed as: .*html
NoteIf the period and asterisk is added in front of html (.*html), the parameter-map-name argument works for both HTTP regex options.
- The mismatch keyword is only valid for the match response header content-type regex command syntax for messages that need to be matched that have a content-typeheader name mismatch.
Tip
It is a good practice to add ".*" to the regexparameter-map-name arguments that are not present at the beginning of a text string.
Examples
SMTP Class Map Example
The following example shows how to configure an SMTP policy using the match header regex command:
parameter-map type regex lottery-spam pattern “Subject:*lottery*” class-map type inspect smtp c1 match header regex lottery-spam policy-map type inspect smtp p1 class type inspect smtp c1 reset HTTP Class Map ExampleThe following example shows how to configure an HTTP policy using the match header regex command:
parameter-map type inspect .*html class-map type inspect http http-class match req-resp header regex .*html policy-map type inspect http myhttp-policy class-type inspect http http-class resetRelated Commands
Command
Description
max-header-regex
Specifies an arbitrary text expression in the SMTP e-mail message header (subject field) or e-mail body such as ‘subject’, ‘Received’, ‘To’ or other private header fields to monitor text patterns.
parameter-map type
Creates or modifies a parameter map.
policy-map type inspect
Creates a Layer 3 and Layer 4 or a Layer 7 (protocol-specific) inspect type policy map.
match identity
To match an identity from a peer in an Internet Security Association and Key Management Protocol (ISAKMP) profile, use the match identitycommand in ISAKMP profile configuration mode. To remove the identity, use the no form of this command.
match identity { group group-name | address { address [mask] [fvrf] | ipv6 ipv6-address } | host host-name | host domain domain-name | user user-fqdn | user domain domain-name }
no match identity { group group-name | address { address [mask] [fvrf] | ipv6 ipv6-address } | host host-name | host domain domain-name | user user-fqdn | user domain domain-name }
Syntax Description
group group-name
A Unity group that matches identification (ID) type ID_KEY_ID. If Unity and main mode Rivest, Shamir, and Adelman (RSA) signatures are used, the group-name argument matches the Organizational Unit (OU) field of the Distinguished Name (DN).
address address [mask] [fvrf]
Identity that matches the identity of type ID_IPV4_ADDR.
- mask-- Use to match the range of the address.
- fvrf --Use to match the address in the front door Virtual Route Forwarding (FVRF) Virtual Private Network (VPN) space.
ipv6 ipv6-address
Identity that matches the identity of type ID_IPV6_ADDR.
host host-name
Identity that matches an identity of the type ID_FQDN.
host domain domain-name
Identity that matches an identity of the type ID_FQDN, whose fully qualified domain name (FQDN) ends with the domain name.
user user-fqdn
Identity that matches the FQDN.
user domain domain-name
Identity that matches the identities of the type ID_USER_FQDN. When the user domain keyword is present, all users having identities of the type ID_USER_FQDN and ending with “domain-name” will be matched.
Command History
Release
Modification
12.2(15)T
This command was introduced.
12.2(18)SXD
This command was integrated into Cisco IOS Release 12.2(18)SXD.
12.4(4)T
The ipv6 keyword and ipv6-address argument were added.
12.2(33)SRA
This command was integrated into Cisco IOS release 12.(33)SRA.
Cisco IOS XE Release 2.1
This command was introduced on Cisco ASR 1000 Series Routers.
Usage Guidelines
There must be at least one match identitycommand in an ISAKMP profile configuration. The peers are mapped to an ISAKMP profile when their identities are matched (as given in the ID payload of the Internet Key Exchange [IKE] exchange) against the identities that are defined in the ISAKMP profile. To uniquely map to an ISAKMP profile, no two ISAKMP profiles should match the same identity. If the peer identity is matched in two ISAKMP profiles, the configuration is invalid.
match (IKEv2 policy)
To match a policy based on Front-door VPN Routing and Forwarding (FVRF) or local parameters, such as an IP address, use the match command in IKEv2 policy configuration mode. To delete a match, use the no form of this command.
match address local { ipv4-address | ipv6-address | fvrf fvrf-name | any }
no match address local { ipv4-address | ipv6-address | fvrf fvrf-name | any }
Usage Guidelines
Use this command to match a policy based on the FVRF or the local IP address (IPv4 or IPv6). The FVRF specifies the VRF in which the IKEv2 security association (SA) packets are negotiated. The default FVRF is the global FVRF. Use the match fvrf any command to match a policy based on any FVRF.
A policy with no match address local statement will match all local addresses. A policy with no match FVRF statement will match the global FVRF. If there are no match statements, an IKEv2 policy matches all local addresses in the global VRF.
Examples
The following example shows how to match an IKEv2 policy based on the FVRF and the local IPv4 address:
Router(config)# crypto ikev2 policy policy1 Router(config-ikev2-policy)# proposal proposal1 Router(config-ikev2-policy)# match fvrf fvrf1 Router(config-ikev2-policy)# match address local 10.0.0.1The following example shows how to match an IKEv2 policy based on the FVRF and the local IPv6 address:
Router(config)# crypto ikev2 policy policy1 Router(config-ikev2-policy)# proposal proposal1 Router(config-ikev2-policy)# match fvrf fvrf1 Router(config-ikev2-policy)# match address local 2001:DB8:0:ABCD::1match (IKEv2 profile)
To match a profile on front-door VPN routing and forwarding (FVRF) or local parameters such as the IP address, the peer identity, or the peer certificate, use the match command in IKEv2 profile configuration mode. To delete a match, use the no form of this command.
match { address local { ipv4-address | ipv6-address | interface name } | certificate certificate-map | fvrf { fvrf-name | any } | identity remote address { ipv4-address [mask] | ipv6-address-prefix } | email [domain] string | fqdn [domain] string | key-id opaque-string | any }no match { address local { ipv4-address | ipv6-address | interface name } | certificate certificate-map | fvrf { fvrf-name | any } | identity remote address { ipv4-address [mask] | ipv6-address-prefix } | email [domain] string | fqdn [domain] string | key-id opaque-string | any }
Syntax Description
address local {ipv4-address | ipv6-address} Matches the profile based on the local IPv4 or IPv6 address.
interface name Matches the profile based on the local interface.
certificate certificate-map Matches the profile based on fields in the certificate received from the peer.
fvrf fvrf-name Matches the profile based on the user-defined FVRF. The default FVRF is global.
any Matches the profile based on any FVRF.
Note The match vrf any command must be explicitly configured to match all VRFs. identity remote Match a profile based on the remote IKEv2 identity field in the AUTH exchange.
address {ipv4-address [mask] | ipv6-address prefix} Matches a profile based on the identity of the type remote IPv4 address and its subnet mask or IPv6 address and its prefix length.
key-id opaque-string Matches a profile based on the identity of the type remote key ID.
Matches a profile based on the identity of the type remote email ID.
fqdn fqdn-name Matches a profile based on the identity of the type remote Fully Qualified Domain Name (FQDN).
domain string Matches a profile based on the domain part of remote identities of the type FQDN or email.
any Matches the profile based on any remote address.
Command History
Release
Modification
15.1(1)T
This command was introduced.
15.1(4)M
This command was modified. Support was added for IPv6 addresses.
Cisco IOS XE Release 3.3S
This command was integrated into Cisco IOS XE Release 3.3S.
15.2(4)S
This command was integrated into Cisco IOS Release 15.2(4)S.
15.3(3)M
This command was modified. The any keyword was added for remote address.
Usage Guidelines
In an IKEv2 profile, multiple match statements of the same type are logically ORed and match statements of different types are logically ANDed.
Note
The match identity remote and match certificate statements are considered the same type of statements and are ORed.The result of configuring multiple match certificate statements is the same as configuring one match certificate statement. Hence, using a single match certificate statement as a certificate map caters to multiple certificates and is independent of trustpoints.
Note
There can only be one match FVRF statement.For example, the following command translates to the subsequent “and”, “or” statement:
crypto ikev2 profile profile-1 match vrf green match local address 10.0.0.1 match local address 10.0.0.2 match certificate remote CertMap(vrf = green AND (local addr = 10.0.0.1 OR local addr = 10.0.0.1) AND remote certificate match CertMap).
There is no precedence between match statements of different types, and selection is based on the first match. Configuration of overlapping profiles is considered as a misconfiguration.
Examples
The following examples show how an IKEv2 profile is matched on the remote identity. The following profile caters to peers that identify using fqdn example.com and authenticate with rsa-signature using trustpoint-remote. The local node authenticates with pre-share using keyring-1.
Router(config)# crypto ikev2 profile profile2 Router(config-ikev2-profile)# match identity remote fqdn example.com Router(config-ikev2-profile)# identity local email router2@example.com Router(config-ikev2-profile)# authentication local pre-share Router(config-ikev2-profile)# authentication remote rsa-sig Router(config-ikev2-profile)# keyring keyring-1 Router(config-ikev2-profile)# pki trustpoint trustpoint-remote verify Router(config-ikev2-profile)# lifetime 300 Router(config-ikev2-profile)# dpd 5 10 on-demand Router(config-ikev2-profile)# virtual-template 1Related Commands
Command
Description
crypto ikev2 profile Defines an IKEv2 profile.
identity (IKEv2 profile) Specifies how the local or remote router identifies itself to the peer and communicates with the peer in the RSA authentication exchange.
authentication (IKEv2 profile) Specifies the local and remote authentication methods in an IKEv2 profile.
keyring (IKEv2 profile) Specifies a locally defined or AAA-based keyring.
pki trustpoint Specifies the router to use the PKI trustpoints in the RSA signature authentication.
match invalid-command
To locate invalid commands on a Post Office Protocol, Version 3 (POP 3) server or an Internet Message Access Protocol (IMAP) connection, use the match invalid-command in class-map configuration mode. To stop locating invalid commands, use the no form of this command.
Usage Guidelines
You can use this command only after entering the class-map type inspect imap or class-map type inspect pop3 command.
match ipv6 access-list
To verify the sender’s IPv6 address in inspected messages from the authorized prefix list, use the match ipv6 access-list command in RA guard policy configuration mode.
Usage Guidelines
The match ipv6 access-list command enables verification of the sender’s IPv6 address in inspected messages from the configured authorized router source access list. If the match ipv6 access-list command is not configured, this authorization is bypassed.
An access list is configured using the ipv6 access-list command. For instance, to authorize the router with link-local address FE80::A8BB:CCFF:FE01:F700 only, define the following IPv6 access list:
Router(config)# ipv6 access-list list1 Router(config-ipv6-acl)# permit host FE80::A8BB:CCFF:FE01:F700 any
NoteThe access list is used here as a convenient way to define several explicit router sources, but it should not be considered to be a port-based access list (PACL). The match ipv6 access-list command verifies the IPv6 source address of the router messages, so specifying a destination in the access list is meaningless and the destination of the access control list (ACL) entry should always be "any." If a destination is specified in the access list, then matching will fail.
Examples
The following example shows how the command defines a router advertisement (RA) guard policy name as raguard1, places the router in RA guard policy configuration mode, and matches the IPv6 addresses in the access list named list1:
Router(config)# ipv6 nd raguard policy raguard1 Router(config-ra-guard)# match ipv6 access-list list1match login clear-text
To find a nonsecure login when using an Internet Message Access Protocol (IMAP) or Post Office Protocol, Version 3 (POP3) server, use the match login clear-text command in class-map configuration mode. To disable this match criteria, use the no form of this command.
Usage Guidelines
You can use this command either when you are configuring a POP3 firewall class map after you enter the class-map type inspect pop3 command or when you are configuring an IMAP firewall class map after you enter the class-map type inspect imap command.
match message
To configure the match criterion for a class map on the basis of H.323 protocol messages, use the match message command in class-map configuration mode. To remove the H.323-based match criterion from a class map, use the no form of this command.
Syntax Description
message-name
Name of the message used as a message criterion. The supported message criteria are as follows:
- alerting --H.225 ALERTING message
- call-proceeding --H.225 CALL PROCEEDING message
- connect --H.225 CONNECT message
- facility --H.225 FACILITY message
- release-complete --H.225 RELEASE COMPLETE message
- setup --H.225 SETUP message
- status --H.225 STATUS message
- status-enquiry --H.225 STATUS ENQUIRY message
Usage Guidelines
Use the match message command to inspect H.323 traffic based on the message criterion.
The match message command is available under the class-map type inspect h323 command.
match mime content-type regex
To specify Multipurpose Internet Mail Extension (MIME) content file types, which are restricted in attachments in the body of the e-mail being sent over SMTP, use the match mime content-type regex commandin class-map configuration mode. To disable this inspection parameter, use the no form of this command.
match mime content-type regex content-type-regex
no match mime content-type regex content-type-regex
Usage Guidelines
The format of data being transmitted through SMTP is specified by using the MIME standard, which uses headers to specify the content-type, encoding and the filenames of data being sent (text, html, images, applications, documents etc.). The following is an example of an e-mail using the MIME format:
From: "foo" <foo@cisco.com> To: bar <bar@abc.com> Subject: testmail Date: Sat, 7 Jan 2006 20:18:47 -0400 Message-ID: <000dadf7453e$bee1bb00$8a22f340@oemcomputer> MIME-Version: 1.0 Content-Type: image/jpeg; name='picture.jpg' Content-Transfer-Encoding: base64<base64 encoded data for the picture.jpg image>
In the above example, the “name=’picture.jpg’” is optional. Even without the definition, the image is sent to the recipient. The e-mail client of the recipient may display it as “part-1”, “attach-1” or it may render the image in-line. Also, attachments are not ‘stripped’ from the e-mail. If a content-type for which ‘reset’ action was configured is detected, an 5XX error code is sent and the connection is closed, in order to prevent the whole e-mail from being delivered. However, the remainder of the e-mail message is sent.
Examples
The following example shows how to configure an SMTP application firewall policy to specify that any form of JPEG image content be restricted in attachments in the body of the e-mail being sent over SMTP:
parameter-map type regex jpeg pattern “*image//*” class-map type inspect smtp c1 match mime content-type regex jpeg policy-map type inspect smtp p1 class type inspect smtp c1 logRelated Commands
Command
Description
class-map type inspect smtp
Creates a class map for the SMTP protocol so that the match criteria is set to match criteria for this class map.
class type inspect smtp
Configures an SMTP class-map firewall for SMTP inspection parameters.
parameter-map type regex
Enters the parameter-map name of a specific traffic pattern.
pattern
Cisco IOS regular expression (regex) pattern that matches the traffic pattern for the e-mail sender or user accounts from suspected domains that are causing the spam e-mail.
policy-map type inspect smtp
Create a Layer 7 SMTP policy map.
match mime encoding
To restrict unknown Multipurpose Internet Mail Extension (MIME) content-encoding types or values from being transmitted over SMTP, use the match mime encodingcommandin class-map configuration mode. To disable this inspection parameter, use the no form of this command.
match mime encoding { unknown | WORD | encoding-type }
nomatch mime encoding { unknown | WORD | encoding-type }
Syntax Description
unknown
Specify this keyword if the content-transfer-encoding value in the e-mail does not match any of the ones in the list to restrict unknown and potentially dangerous encodings.
WORD
Specifies a user-defined content-transfer encoding type, which must begin with ‘X’ (example, “Xmyencodingscheme”).
Non-alphanumeric characters, such as hyphens, are not supported.
encoding-type
Specifies one of the pre-configured content-transfer-encoding type:
- 7-bit -ASCII characters
- 8-bit -Facilitates the exchange of e-mail messages containing octets outside the 7-bit ASCII range.
- base64 -Any similar encoding scheme that encodes binary data by treating it numerically and translating it into a base 64 representation.
- quoted-printable -Encoding using printable characters (i.e. alphanumeric and the equals sign "=") to transmit 8-bit data over a 7-bit data path. It is defined as a MIME content transfer encoding for use in Internet e-mail.
- binary -Representation for numbers using only two digits (usually, 0 and 1).
- x-uuencode -Nonstandard encoding.
- The quoted-printable and base64 encoding types tell the email client that a binary-to-text encoding scheme was used and that appropriate initial decoding is necessary before the message can be read with its original encoding.
Usage Guidelines
The pre-configured content-transfer-encoding types act as a filter on the ‘content-transfer-encoding’ field in the MIME header within the SMTP body. The ‘uuencode’ encoding type is not recognized as a standard type by the MIME RFCs because many subtle differences exist in its various implementations. However, since it is used by some mail systems, the x-uuencode type is included in the pre-configured list.
Examples
The following example shows how to configure an SMTP application firewall policy to specify that any quoted-printable encoding field in the MIME header within the SMTP body be restricted in e-mail being sent over SMTP:
class-map type inspect smtp c1 match mime encoding quoted-printable policy-map type inspect smtp p1 class type inspect smtp c1 logRelated Commands
Command
Description
class-map type inspect smtp
Creates a class map for the SMTP protocol so that the match criteria is set to match criteria for this class map.
class type inspect smtp
Configures an SMTP class-map firewall for SMTP inspection parameters.
log
Generates a log of messages.
policy-map type inspect smtp
Create a Layer 7 SMTP policy map.
match not
To negate the classification criteria for an inspect-type class map that is configured for the General Packet Radio Service (GPRS) Tunneling Protocol (GTP), use the match not command in QoS class-map configuration mode. To enable the classification criteria, use the no form of this command.
match not { apn regex regex-parameter-map | mcc country-code mnc network-code | message-id id | message-length min min-length max max-length | version number }
message-length min no match not { apn | mcc country-code mnc network-code | message-id id | message-length | version number }
Syntax Description
apn
Prevents the filtering of the GTP Access Point Name (APN).
regex
Prevents the filtering of the APN address for the GNU regular expression (regex) matching library.
regex-parameter-map
Name of the APN regex parameter map.
mcc
Prevents the filtering of a valid mobile country code (MCC).
country-code
Mobile country code. The range is from 0 to 999.
mnc
Prevents the filtering of a mobile network code (MNC).
network-code
Mobile network code. The range is from 0 to 999.
message-id id
Prevents the filtering of the GTP message ID. The range is from 1 to 255.
message-length
Prevents the filtering of the GTP message length.
min min-length
Prevents the filtering of the minimum length, in bytes, of the GTP message. The range is from 1 to 65536.
max max-length
Prevents the filtering of the maximum length, in bytes, of the GTP message. The range is from 1 to 65536.
version number
Prevents the filtering of the GTP version. Valid values are 0 and 1.
Usage Guidelines
When you configure the match not command, the specified criteria is not matched.
The mcc country-code and mnc network-code keyword-argument combinations are used for International Mobile Subscriber Identity (IMSI) prefix filtering, where the country code contains three digits and the network code contains two or three digits.
The message-length keyword allows you to filter packets that do not meet the configured maximum and minimum length values. The message length is the sum of the GTP header and the rest of the message such as the payload of a UDP packet.
Examples
The following example shows how to negate the match criteria for a message with a minimum length of 300 bytes and a maximum length of 500 bytes for GTPv0 inspect-type class map.
Device(config)# class-map type inspect gtpv0 layer7-cmap Device(config-cmap)# match not message-length min 300 max 500match program-number
To specify the allowed Remote Procedure Call (RPC) protocol program number as a match criterion, use the match program-number command in class-map configuration mode. To disable this match criterion, use the no form of this command.
Usage Guidelines
This match criterion is allowed only for SUN Remote Procedure Call (SUNRPC) class maps. You can use the match program-number command only after specifying the class-map type inspect sunrpccommand.
match protocol (zone)
To configure a match criterion for a class map on the basis of the specified protocol, use the match protocol command in class-map configuration mode. To remove the protocol-based match criterion from a class map, use the no form of this command.
match protocol protocol-name [parameter-map] [signature]
no match protocol protocol-name [parameter-map] [signature]
Syntax Description
protocol-name
Name of the protocol used as a matching criterion.
For a list of supported protocols, use the CLI help option (?) on your platform.
parameter-map
(Optional) Protocol-specific parameter map.
signature
(Optional) Enables signature-based classification for peer-to-peer (P2P) packets.
Note This option is available only for P2P traffic.
Command History
Release
Modification
12.4(6)T
This command was introduced for the zone-based policy firewall.
12.4(9)T
This command was modified. Support for the following protocols was added:
- P2P protocols: bittorrent, directconnect, edonkey, fasttrack, gnutella, kazaa2, and gtpv0, gtpv1, winmx
- Instant Messenger (IM) protocols: aol, msnmsgr, and ymsgr
Also, the signature keyword was added to be used only with P2P protocols.
12.4(11)T
This command was modified. Support for the H.225 Remote Access Services (RAS) protocol and the h225ras keyword was added.
12.4(20)T
This command was modified. Support for the I Seek You (ICQ) and Windows Messenger IM protocols and the following keywords was added: icq, winmsgr.
Support for the H.323 protocol and the h323 keyword was added.
Support for the Session Initiation Protocol (SIP) and the sip keyword was added.
Cisco IOS XE Release 2.4
This command was integrated into Cisco IOS XE Release 2.4.
15.0(1)M
This command was modified. The extended keyword was removed from the protocol name.
15.1(1)T
This command was modified. Support for the CU-SeeMe protocol and cuseeme keyword was removed.
15.0(1)S
This command was integrated into Cisco IOS Release 15.0(1)S. The following keywords were added: netbios-dgm, netbios-ns, and netbios-ssn.
Cisco IOS XE Release 3.4S
This command was modified. Support for the GPRS Tunneling Protocol (GTP) and gtpv0 and gtpv1 keywords was added.
Usage Guidelines
Use the match protocol command to specify the traffic based on a particular protocol. You can use this command in conjunction with the match access-group and match class-map commands to build sophisticated traffic classes.
The match protocol command is available under the class-map type inspect command.
If you enter the match protocol command under the class-map type inspect command, the Port to Application Mappings (PAM) are honored when the protocol field in the packet is matched against the command. All port mappings configured in the PAM table appear under the class map.
When packets are matched to a protocol, a traffic rate is generated for these packets. In a zone-based firewall policy, only the first packet that creates a session matches the policy. Subsequent packets in this flow do not match the filters in the configured policy, but instead match the session directly. The statistics related to subsequent packets are shown as part of the inspect action.
In Cisco IOS Release 12.4(15)T, if Simple Mail Transfer Protocol (SMTP) is currently configured for inspection in a class map and the inspection of Extended SMTP (ESMTP) needs to be configured, then the no match protocol smtp command must be entered before adding the match protocol smtp extended command. To revert to regular SMTP inspection, use the no match protocol smtp extended command, and then enter the match protocol smtp command. If these commands are not configured in the proper order, the following error is displayed:
%Cannot add this filter. Remove match protocol smtp filter and then add this filter.
In Cisco IOS Release 15.0(1)M and later releases, the extended keyword was removed from the match protocol smtp command.
Examples
The following example shows how to specify a class map called c1 and configure the HTTP protocol as a match criterion:
class-map type inspect c1 match protocol httpThe following example shows how to specify different class maps for ICQ and Windows Messenger IM applications:
! Define the servers for ICQ. parameter-map type protocol-info icq-servers server name *.icq.com snoop server name oam-d09a.blue.aol.com ! Define the servers for Windows Messenger. parameter-map type protocol-info winmsgr-servers server name messenger.msn.com snoop ! Define servers for yahoo. parameter-map type protocol-info yahoo-servers server name scs*.msg.yahoo.com snoop server name c*.msg.yahoo.com snoop ! Define class-map to match ICQ traffic. class-map type inspect icq-traffic match protocol icq icq-servers ! Define class-map to match windows Messenger traffic. class-map type inspect winmsgr-traffic match protocol winmsgr winmsgr-servers ! ! Define class-map to match text-chat for windows messenger. class-map type inspect winmsgr winmsgr-textchat match service text-chat ! Define class-map to match default service class-map type inspect winmsgr winmsgr-defaultservice match service any !The following example shows how to specify a class map called c1 and configure the netbios-dgm protocol as a match criterion:
class-map type inspect c1 match protocol netbios-dgmRelated Commands
Command
Description
class-map type inspect
Creates a Layer 3 or Layer 4 inspect type class map.
match access-group
Configures the match criteria for a class map based on a specified ACL.
match protocol (zone)
Configures match criterion for a class map on the basis of a specified protocol.
parameter-map type protocol-info
Creates or modify a protocol-specific parameter map.
server
Associates a Diameter server with a Diameter authentication, authorization, and accounting (AAA) server group.
match protocol h323-annexe
To enable the inspection of H.323 protocol Annex E traffic which works on the User Datagram Protocol (UDP) diagnostic port or TCP port 2517, use the match protocol h323-annexe command in class-map configuration mode. To disable the inspection, use the no form of this command.
Usage Guidelines
Use the match protocol h323-annexe command to inspect traffic based on Annex E of the H.323 protocol that uses the UDP diagnostic port or TCP port 2517. You can use this command in conjunction with the match access-group command to build sophisticated traffic classes.
The match protocol h323-annexe command is available under the class-map type inspect command.
Examples
The following example shows how to configure a voice policy to inspect the H.323 protocol Annex E packets for the "my-voice-class" class map.
class-map type inspect match-all my-voice-class match protocol h323-annexeRelated Commands
Command
Description
class-map type inspect
Creates a Layer 3 and Layer 4 or a Layer 7 (application-specific) inspect type class map.
match access-group
Configures the match criteria for a class map based on the specified ACL.
match protocol h323-nxg
Enables the inspection of H.323 protocol Annex G traffic exchanged between border elements (BE) using the User Datagram Protocol (UDP) diagnostic port or TCP port 2099.
match protocol h323-nxg
To enable the inspection of H.323 protocol Annex G traffic exchanged between border elements (BE) using User Datagram Protocol (UDP) diagnostic port or TCP port 2099, use the match protocol h323-nxg command in class-map configuration mode. To disable the inspection, use the no form of this command.
Usage Guidelines
Use the match protocol h323-nxg command to inspect traffic based on Annex G of the H.323 protocol that uses the UDP diagnostic port or TCP port 2099 to exchange traffic between border elements. You can use this command in conjunction with the match access-group command to build sophisticated traffic classes.
The match protocol h323-nxg command is available under the class-map type inspect command.
Examples
The following example shows how to configure a voice policy to inspect the H.323 protocol Annex G packets for the "my-voice-class" class map.
class-map type inspect match-all my-voice-class match protocol h323-nxgRelated Commands
Command
Description
class-map type inspect
Creates a Layer 3 and Layer 4 or a Layer 7 (application-specific) inspect type class map.
match access-group
Configures the match criteria for a class map based on the specified ACL.
match protocol h323-annexe
Enables the inspection of H.323 protocol Annex E traffic which works on the UDP diagnostic port or TCP Port 2517.
match protocol-violation
To configure a Session Initiation Protocol (SIP) class map to use the protocol-violation method as a match criterion for permitting or denying SIP traffic, use the match protocol-violationcommand in class-map configuration mode. To remove the protocol-violation based match criterion from a class map, use the no form of this command.
Usage Guidelines
Use this command when configuring an SIP firewall class map, after entering the class-map type inspectcommand.
match ra prefix-list
To verify the advertised prefixes in inspected messages from the authorized prefix list, use the match ra prefix-list command in RA guard policy configuration mode.
Usage Guidelines
The match ra prefix-list command enables verification of the advertised prefixes in inspected messages from the configured authorized prefix list. Use the ipv6 prefix-list command to configure an IPv6 prefix list. For instance, to authorize the 2001:101::/64 prefixes and deny the 2001:100::/64 prefixes, define the following IPv6 prefix list:
Router(config)# ipv6 prefix-list listname1 deny 2001:0DB8:101:/64 Router(config)# ipv6 prefix-list listname1 permit 2001:0DB8:100::/64Examples
The following example shows how the command defines an router advertisement (RA) guard policy name as raguard1, places the router in RA guard policy configuration mode, and verifies the advertised prefixes in listname1:
Router(config)# ipv6 nd raguard policy raguard1 Router(config-ra-guard)# match ra prefix-list listname1match recipient address regex
To specify a non-existent e-mail recipient pattern in order to learn a spam sender and their domain information by luring them to use this contrived e-mail recipient, use the match recipient address regexcommand in class-map configuration mode. To disable this inspection parameter, use the no form of this command.
Usage Guidelines
A non-existent e-mail recipient pattern can be specified to learn about a spam sender and their domain information by luring them to use this non-existent e-mail recipient pattern. This pattern is a regular-expression (regex) that can be specified to identify an e-mail addressed to a particular recipient or domain when a server is functioning as a relay. The specified pattern is checked in the SMTP RCPT command (SMTP envelope) parameter to identify if the recipient is either used as an argument or a source-list to forward mail in the route specified in the list.
NoteThe match recipient address regex command does not operate on the ‘To’ or ‘Cc’ fields in the e-mail header.
Examples
The following example shows how to configure a regular expression non-existent e-mail recipient pattern:
parameter-map type regex known-unknown-users pattern “john@mydomain.com” class-map type inspect smtp c1 match recipient address regex known-unknown-users policy-map type inspect smtp p1 class type inspect smtp c1 resetRelated Commands
Command
Description
class-map type inspect smtp
Creates a class map for the SMTP protocol so that the match criteria is set to match criteria for this class map.
class type inspect smtp
Configures an SMTP class-map firewall for SMTP inspection parameters.
parameter-map type regex
Enters the parameter-map name of a specific traffic pattern.
pattern
Cisco IOS regular expression (regex) pattern that matches the traffic pattern for the e-mail sender or user accounts from suspected domains that are causing the spam e-mail.
policy-map type inspect smtp
Create a Layer 7 SMTP policy map.
reset
(Optional) Drops an SMTP connection with an SMTP sender (client) if it violates the specified policy. This action sends an error code to the sender and closes the connection gracefully.
match recipient count gt
To specify an action that occurs when a number of invalid recipients appear on an SMTP connection, use the match recipient count gtcommand in class-map configuration mode. To disable this inspection parameter, use the no form of this command.
Usage Guidelines
Spammers who search for a large number of user accounts in a domain typically send the same e-mail to all the user accounts they find in this domain. Spammers can be identified and restricted from searching for user accounts in a domain by using the match recipient count gt command.
NoteThe match recipient count gt command does not count the number of recipients specified in the ‘To:’ or ‘Cc:’ fields in the e-mail header.
Examples
The following example shows how to configure an SMTP application firewall policy to determine the number of RCPT lines and invalid recipients, for which the server has replied “500 No such address,” in the SMTP transaction:
class-map type inspect smtp c1 match recipient count gt 25 policy-map type inspect smtp p1 class type inspect smtp c1 resetRelated Commands
Command
Description
class-map type inspect smtp
Creates a class map for the SMTP protocol so that the match criteria is set to match criteria for this class map.
class type inspect smtp
Configures an SMTP class-map firewall for SMTP inspection parameters.
policy-map type inspect smtp
Create a Layer 7 SMTP policy map.
reset
(Optional) Drops an SMTP connection with an SMTP sender (client) if it violates the specified policy. This action sends an error code to the sender and closes the connection gracefully.
match recipient invalid count gt
To identify and restrict the number of invalid SMTP recipients that can appear in an e-mail from senders who try common names on a domain in the hope that they discover a valid user name to whom they can send spam, use the match recipient invalid count gt command in class-map configuration mode. To disable this inspection parameter, use the no form of this command.
Usage Guidelines
If a sender specifies in an invalid e-mail recipient and SMTP encounters this invalid recipient on the SMTP connection, then SMTP sends an error code reply to the e-mail sender (client) to specify another recipient. In this case, the event did not violate the SMTP protocol or indicate that this particular SMTP connection is bad. However, if a pattern of invalid recipients appears, then a reasonable threshold can be set to restrict these nuisance SMTP connections.
Examples
The following example shows how to configure an SMTP application firewall policy that restricts the number of invalid e-mail recipients on this SMTP connection to 5:
class-map type inspect smtp c1 match recipient invalid count gt 5 policy-map type inspect smtp p1 class type inspect smtp c1 resetRelated Commands
Command
Description
class-map type inspect smtp
Creates a class map for the SMTP protocol so that the match criteria is set to match criteria for this class map.
class type inspect smtp
Configures an SMTP class-map firewall for SMTP inspection parameters.
policy-map type inspect smtp
Create a Layer 7 SMTP policy map.
reset
(Optional) Drops an SMTP connection with an SMTP sender (client) if it violates the specified policy. This action sends an error code to the sender and closes the connection gracefully.
match reply ehlo
To identify and mask a service extension parameter in the EHLO server reply (e.g. 8BITMIME, ETRN) to prevent a sender (client) from using that particular service extension, use the match reply ehlocommand in class-map configuration mode. To disable this inspection parameter, use the no form of this command.
Examples
The following example shows how to configure an SMTP application firewall policy that identifies and masks a well-known service extension parameter in the EHLO server reply:
class-map type inspect smtp c1 match reply ehlo ETRN policy-map type inspect smtp p1 class type inspect smtp c1 log maskRelated Commands
Command
Description
class-map type inspect smtp
Creates a class map for the SMTP protocol so that the match criteria is set to match criteria for this class map.
class type inspect smtp
Configures an SMTP class-map firewall for SMTP inspection parameters.
log
Logs an action related to this class-type in the SMTP policy map.
mask (policy-map)
Explicitly masks specified SMTP commands or the parameters returned by the server in response to an EHLO command.
policy-map type inspect smtp
Create a Layer 7 SMTP policy map.
match req-resp
To configure a Session Initiation Protocol (SIP) class map to use the req-resp methods as a match criterion for permitting or denying SIP traffic, use the match req-resp command in class-map configuration mode. To remove the req-resp based match criterion from a class map, use the no form of this command.
match req-resp header field regex regex-parameter-map
no match req-resp header field regex regex-parameter-map
Syntax Description
header
Identifies the SIP header field.
field
Name of the request header field. The following are valid request header fields: accept, accept-encoding, accept-language, alert-info, allow, contact, content-disposition, content-encoding, content-language, content-length, content-type, from, record-route, supported, to, user-agent, via.
regex
Indicates that a regular expression will follow.
regex-parameter-map
Configures a parameter map of type regex.
Usage Guidelines
Use this command when configuring an SIP firewall class map, after entering the class-map type inspectcommand.
match req-resp body length
To configure an HTTP class map to use the minimum or maximum message size, in bytes, as a match criterion for permitting or denying HTTP traffic through the firewall, use the match req-resp body length command in class-map configuration mode. To remove message-size limitations from your configuration, use the no form of this command.
match req-resp body length { lt bytes | gt bytes }
no match req-resp body length { lt bytes | gt bytes }
Usage Guidelines
You can use this command when you are configuring an HTTP firewall policy map,only after entering the class-map type inspect http command.
If the message body length is less than or greater than the specified values, a match occurs.
match req-resp header content-type
To match traffic based on the content type of the HTTP body, use the match req-resp header content-type command in class-map configuration mode. To disable this inspection parameter, use the no form of this command.
match req-resp header content-type { violation | mismatch | unknown }
no match req-resp header content-type { violation | mismatch | unknown }
Usage Guidelines
You can use the match req-resp header content-typecommand when you are configuring an HTTP firewall policy map, only after entering the class-map type inspect http command.
The match req-resp header content-typecommand configures a policy based on the content type of HTTP traffic. The command verifies that the header is one of the following supported content types:
- audio/*
- audio/basic
- audio/midi
- audio/mpeg
- audio/x-adpcm
- audio/x-aiff
- audio/x-ogg
- audio/x-wav
- application/msword
- application/octet-stream
- application/pdf
- application/postscript
- application/vnd.ms-excel
- application/vnd.ms-powerpoint
- application/x-gzip
- application/x-java-arching
- application/x-java-xm
- application/zip
- image/*
- image/cgf
- image/gif
- image/jpeg
- image/png
- image/tiff
- image/x-3ds
- image/x-bitmap
- image/x-niff
- image/x-portable-bitmap
- image/x-portable-greymap
- image/x-xpm
- text/*
- text/css
- text/html
- text/plain
- text/richtext
- text/sgml
- text/xmcd
- text/xml
- video/*
- video/-flc
- video/mpeg
- video/quicktime
- video/sgi
- video/x-avi
- video/x-fli
- video/x-mng
- video/x-msvideo
Examples
The following example configures an HTTP class map based on the content type of HTTP traffic:
class-map type inspect http http-class match req-resp header content-type unknownRelated Commands
Command
Description
class-map type inspect http
Creates a class map for HTTP.
content-type-verification
Permits or denies HTTP traffic through the firewall on the basis of content message type.
content-type-verification-match-req-rsp
Verifies the content type of the HTTP response against the accept field of the HTTP request.
match req-resp header transfer-encoding
To permit or deny HTTP traffic according to the specified transfer encoding of the message, use the match req-resp header transfer-encodingcommand in class-map configuration mode. To remove this match criterion, use the no form of this command.
match req-resp header transfer-encoding { chunked | compress | deflate | gzip | identity | all }
no match req-resp header transfer-encoding { chunked | compress | deflate | gzip | identity | all }
Syntax Description
chunked
Encoding format (specified in RFC 2616, Hypertext Transfer Protocol--HTTP/1) in which the body of the message is transferred in a series of chunks; each chunk contains its own size indicator.
compress
Encoding format produced by the UNIX compress utility.
deflate
ZLIB format defined in RFC 1950, ZLIB Compressed Data Format Specification Version 3.3, combined with the deflate compression mechanism described in RFC 1951, DEFLATE Compressed Data Format Specification Version 1.3.
gzip
Encoding format produced by the gzip (GNU zip) program.
identity
Default encoding, which indicates that no encoding has been performed.
all
All of the transfer encoding types.
Usage Guidelines
You can use this command when you are configuring an HTTP firewall policy map, after entering the class-map type inspect http command.
match req-resp protocol-violation
To allow HTTP messages to pass through the firewall or to reset the TCP connection when HTTP noncompliant traffic is detected, use the match req-resp protocol-violationcommand in class-map configuration mode. To disable configured settings, use the no form of this command.
Usage Guidelines
You can use this command when you are configuring an HTTP firewall policy map, after entering the class-map type inspect http command.
The match req-resp protocol-violationcommand allows HTTP messages to pass through the firewall, If desired, in the policy map you can reset the TCP connection when HTTP noncompliant traffic is detected.
match request
To configure a Session Initiation Protocol (SIP) class map to use the request methods as a match criterion for permitting or denying SIP traffic, use the match request command in class-map configuration mode. To remove request based match criterion from a class map, use the no form of this command.
match request { method method-name | header field regex regex-parameter-map }
no match request { method method-name | header field regex regex-parameter-map }
Syntax Description
method
Identifies the SIP request method.
method-name
Name of the method (for example, ack) used as a matching criterion. See the "Usage Guidelines" for a list of methods supported by most routers.
header
Identifies the SIP header field.
field
Name of the request header field. The following are valid request header fields: accept, accept-encoding, accept-language, alert-info, allow, authorization, contact, content-disposition, content-encoding, content-language, content-length, content-type, from, in-reply-to, max-forwards, priority, proxy-authorization, proxy-require, record-route, route, subject, supported, to, user-agent, via, warning.
regex
Indicates that a regular expression will follow.
regex-parameter-map
Configures a parameter map of type regex.
Usage Guidelines
Use this command when configuring an SIP firewall class map, after entering the class-map type inspectcommand.
Supported Methods
The table below lists the request methods supported by most routers. For a complete list of supported methods, see the online help for the match request command on the router that you are using.
Table 1 Supported Methods Method Name
Description
ack
Acknowledges that the previous message is valid and accepted.
bye
Signifies intent to terminate a call.
cancel
Terminates any pending request.
info
Communicates midsession signaling information along the signaling path for a call.
invite
Sets up a call.
message
Sends an instant message.
notify
Informs subscribers of state changes.
options
Allows a user-agent (UA) to query another UA or a proxy server about its capabilities.
prack
Provides reliable transfer of provisional response messages.
refer
Indicates that the recipient should contact a third party using the contact information provided in the request.
register
Includes a contact address to which SIP requests for the address-of-record should be forwarded.
subscribe
Requests state subscription. It is a dialog creating method.
update
Allows a client to update the parameters of a session (for example, the set of media streams and their codecs), but has no impact on the state of a dialog.
match request length
To configure an HTTP firewall policy to use the uniform resource identifier (URI) or argument length in the request message as a match criterion for permitting or denying HTTP traffic, use the match request length command in class-map configuration mode. To remove this match criterion, use the no form of this command.
Usage Guidelines
Use the match request length command to verify the length of the URI or argument that is being sent in a request message and apply the configured action when the length exceeds the configured threshold.
If a match is found, possible actions that can be specified within the policy are as follows: allow, reset, or log. (The log action triggers a syslog message when a match is found.)
Examples
The following example shows how to configure an HTTP application firewall policy to raise an alarm whenever the URI length of a request message exceeds 3076 bytes:
class-map type inspect http uri_len_cm match request uri length gt 3076 policy-map type inspect http uri_len_pm class type inspect http uri_len_cmlog
The following example shows how to configure an HTTP application firewall policy to raise an alarm whenever the argument length of a request message exceeds 512 bytes.
class-map type inspect http arg_len_cm match request arg length gt 512 policy-map type inspect http arg_len_pm class type inspect http arg_len_cm logmatch request method
To configure an HTTP class map to use the request methods or the extension methods as a match criterion for permitting or denying HTTP traffic, use the match request method command in class-map configuration mode. To remove this match criterion, use the no form of this command.
match request method { connect | copy | delete | edit | get | getattribute | getattributenames | getproperties | head | index | lock | mkdir | move | options | post | put | revadd | revlabel | revlog | revnum | save | setattribute | startrev | stoprev | trace | unedit | unlock }
no match request method { connect | copy | delete | edit | get | getattribute | getattributenames | getproperties | head | index | lock | mkdir | move | options | post | put | revadd | revlabel | revlog | revnum | save | setattribute | startrev | stoprev | trace | unedit | unlock }
Syntax Description
connect
Connect method.
copy
Copy extension method.
delete
Delete method.
edit
Edit extension method.
get
Get method.
getattribute
Getattribute extension method.
getattributenames
Getattributenames extension method.
getproperties
Getproperties method.
head
Head method.
index
Index extension method.
lock
Lock extension method.
mkdir
Mkdir extension method.
move
Move extension method.
options
Options method.
post
Post method.
put
Put method.
revadd
Revadd extension method.
revlabel
Revlabel extension method.
revlog
Revlog extension method.
revnum
Revnum extension method.
save
Save extension method.
setattribute
Setattribute extension method.
startrev
Startrev extension method.
stoprev
Stoprev extension method.
trace
Trace method.
unedit
Unedit extension method.
unlock
Unlock extension method.
Usage Guidelines
You can use this command when you are configuring an HTTP firewall class map, after entering the class-map type inspect http command.
match request not regex
To negate a match result in a HTTP firewall policy, use the match request not regexcommand in class-map configuration mode. To reset the match criterion, use the no form of this command.
Examples
The following example shows how to negate a match result and the output of the configuration in the running configuration.
Router(config-cmap)#match not request uri regex pmap Router(config-cmap)#match request method post Router(config)#policy-map type inspect http httppmap Route(config-pmap)# class type inspect http cmap Router(config-pmap-c)reset Router(config-pmap-c)logIn the following configuration, if the HTTP POST request does not match the URL regular expression, It will be classified under class 'httpcmap' and firewall will RESET the connection as it has RESET configured for this class.
parameter-map type regex pmap pattern .*Publications/OrderHardcopies/tabid/123/Default.aspx class-map type inspect http match-all httpcmap match not request uri regex pmap match request method post policy-map type inspect http pmap class type inspect http httpcmap reset log class class-defaultmatch request port-misuse
To identify applications misusing HTTP port, use the match request port-misuse command in class-map configuration mode. To remove this inspection parameter, use the no form of this command.
match request port-misuse { im | p2p | tunneling | any }
no match request port-misuse { im | p2p | tunneling | any }
Usage Guidelines
You can use this command only after entering the class-map type inspect http command.
match request regex
To configure an HTTP firewall policy to permit or deny HTTP traffic on the basis of request messages whose uniform resource identifier (URI) or arguments (parameters) match a defined regular expression, use the match request regex command in class-map configuration mode. To remove this match criterion, use the no form of this command.
match request { uri | arg } regex parameter-map-name
no match request { uri | arg } regex parameter-map-name
Usage Guidelines
Use the match request uri regexcommand to block custom URLs and queries; use the match request arg regex command to block all messages whose parameters match the configured regular inspection.
If a match is found, possible actions that can be specified within the policy are as follows: allow, reset, or log. (The log action triggers a syslog message when a match is found.)
Examples
The following example shows how to configure an HTTP application firewall policy to block any request whose URI matches any of the following regular expressions: “.*cmd.exe,” “.*money,” “.*gambling”.
parameter-map type regex uri_regex_cm pattern “.*cmd.exe” pattern “.*money” pattern “.*gambling” class-map type inspect http uri_check_cm match request uri regex uri_regex_cm policy-map type inspect http uri_check_pm class type inspect http uri_check_cm resetThe following example shows how to configure an HTTP application firewall policy to block any request whose arguments match the “.*codered” or the “.*attack” regular expressions:
parameter-map type regex arg_regex_cm pattern “.*codered” pattern “.*attack” class-map type inspect http arg_check_cm match request arg regex arg_regex_cm policy-map type inspect http arg_check_pm class type inspect http arg_check_cm resetmatch response
To configure a Session Initiation Protocol (SIP) class map to use a response method as the match criterion for permitting or denying SIP traffic, use the match response command in class-map configuration mode. To remove the response based match criterion from a class map, use the no form of this command.
match response { header field | status } regex regex-parameter-map
no match response { header field | status } regex regex-parameter-map
Syntax Description
header
(Optional) Identifies the SIP header field.
field
Name of the request header field. The following are valid request header fields: accept, accept-encoding, accept-language, alert-info, allow, authentication-info, contact, content-disposition, content-encoding, content-language, content-length, content-type, error-info, from, proxy-authenticate, record-route, retry-after, server, supported, to, user-agent, via, www-authenticate.
status
(Optional) Identifies status line in response.
regex
Indicates that a regular expression will follow.
regex-parameter-map
Name of parameter-map.
Usage Guidelines
Use this command when configuring an SIP firewall class map, after entering the class-map type inspectcommand.
match response body java-applet
To identify Java applets in an HTTP connection., use the match response body java-appletcommand in class-map configuration mode. To remove this inspection rule, use the no form of this command.
Usage Guidelines
You can use this command when you are configuring an HTTP firewall policy map, after entering the class-map type inspect http command.
match response status-line regex
To specify a list of regular expressions that are to be matched against the status line of a response message, use the match response status-line regex command in class-map configuration mode. To remove this match criterion, use the no form of this command.
match response status-line regex parameter-map-name
no match response status-line regex parameter-map-name
Command Default
The status line of response messages is not considered when permitting or denying HTTP traffic.
Usage Guidelines
If a match is found, possible actions that can be specified within the policy are as follows: allow, reset, or log. (The log action triggers a syslog message when a match is found.)
Examples
The following example shows how to configure an HTTP firewall policy to log an alarm whenever an attempt is made to access a forbidden page. (A forbidden page usually contains a 403 status-code and the status line looks like “HTTP/1.0 403 page forbidden\r\n”.)
parameter-map type regex status_line_regex pattern “[Hh][Tt][Tt][Pp][/][0-9][.][0-9][ \t]+403” class-map type inspect http status_line_cm match response status-line regex status_line_regex policy-map type inspect http status_line_pm class type inspect http status_line_cm logmatch search-file-name
To use filenames within a search request as the match criterion, use the match search-file-namecommand in class-map configuration mode. To remove this match criterion from the configuration file, use the no form of this command.
Syntax Description
regular-expression
(Optional) The regular expression used to identify specific filenames within a search request. For example, entering “.exe” as the regular expression would classify the filenames containing the string “.exe” as matches for the traffic policy.
If this argument is not issued, all filenames are classified, as appropriate.
Usage Guidelines
Use the match search-file-namecommand to configure the Cisco IOS Firewall to block filenames within a search request for clients using the eDonkey peer-to-peer (P2P) protocol.
NoteThis command is available only for the eDonkey P2P protocol.
Examples
The following example shows how to configure a Cisco IOS Firewall to block filename searches for “.exe” and permit file transfers within the eDonkey protocol:
! Select eDonkey protocol requiring L7 policies class-map type inspect match-any my-restricted-p2p match protocol edonkey signature ! ! Configure Edonkey to look for "*.exe" in searches class-map type inspect edonkey my-edonkey-exe match search-file-name "*.exe" ! ! Configure Edonkey to look for file-transfers class-map type inspect edonkey my-edonkey-file-tx match file-transfer * ! ! Configure P2P Layer 7 policy map policy-map type inspect p2p my-p2p-policy ! class type inspect edonkey my-edonkey-exe reset class type inspect edonkey my-edonkey-file-tx allow log ! !match security-group
To configure the match criteria for a class map on the basis of a source or destination Security Group Tag (SGT) number, use the match security-group command in class-map configuration mode. To remove source or destination SGT match criteria from a class map, use the no form of this command.
match security-group { source sgt-number | destination sgt-number }
no match security-group { source sgt-number | destination sgt-number }
Syntax Description
source
Specifies the source SGT used as the match criteria against which packets are checked to determine if they belong to this class.
destination
Specifies the destination SGT used as the match criteria against which packets are checked to determine if they belong to this class.
sgt-number
Number used to define the source or destination SGT.
Usage Guidelines
When packets are matched to a source or destination SGT, a traffic rate is generated for these packets. In a zone-based firewall policy, only the first packet that creates a session matches the policy. Subsequent packets in this flow do not match the filters in the configured policy, but instead match the session directly. The statistics related to subsequent packets are shown as part of the inspect action.
To use the match security-group command, you must first enter the class-map type inspect command to specify the name of the class whose match criteria you want to establish.
Examples
The following example specifies a class map named cmap-3 and configures the source and destination SGT numbers to be used as the match criterion for that class in order to configure a class map for classifying a Security Group Access (SGA) zone-based policy firewall network traffic.
Router(config)# class-map type inspect match-all cmap-3 Router(config-cmap)# match security-group source tag 100 Router(config-cmap)# match security-group destination tag 200 Router(config-cmap)# exit Router# show policy-map type inspect zone-pair sessionRelated Commands
Command
Description
class-map inspect type
Creates a class map to be used for matching packets to a specified class.
class type inspect
Creates a Layer 3 or Layer 4 inspect type policy map.
inspect
Enables packet inspection.
policy-map type inspect
Creates a Layer 3 or Layer 4 inspect type policy map.
service-policy type inspect
Attaches a firewall policy map to the destination zone pair.
show policy-map type inspect zone-pair session
Displays the Cisco IOS stateful packet inspection sessions created because of the policy-map application on the specified zone pair.
zone-pair security
Creates a zone pair.
match sender address regex
To specify spam e-mail from suspected domains and user accounts to be restricted, use the match sender address regexcommand in class-map configuration mode. To disable this inspection parameter, use the no form of this command.
match sender address regex parameter-map-name
no match sender address regex parameter-map-name
Usage Guidelines
The match sender address regex command helps to match the parameter-map name of a specific traffic pattern that specifies a sender domain or e-mail address in the SMTP traffic. The specified pattern is scanned in the parameter for the SMTP MAIL FROM: command.
Examples
The following example shows how to configure an SMTP application firewall policy to restrict an e-mail sender from a suspected domain:
parameter-map type regex bad-guys pattern “*deals\.com” pattern *crazyperson*@hotmail\.com class-map type inspect smtp match-any c1 match sender address regex bad-guys policy-map type inspect smtp p1 class type inspect smtp c1 log resetRelated Commands
Command
Description
class-map type inspect smtp
Creates a class map for the SMTP protocol so that the match criteria is set to match criteria for this class map.
parameter-map type regex
Enters the parameter-map name of a specific traffic pattern.
pattern
Cisco IOS regular expression (regex) pattern that matches the traffic pattern for the e-mail sender or user accounts from suspected domains that are causing the spam e-mail.
match server-domain urlf-glob
To configure the match criteria for a local URL filtering class map on the basis of server domain name, use the match server-domain urlf-glob command in class-map configuration mode. To remove the domain name match criteria from a URL filtering class map, use the no form of this command.
Usage Guidelines
The match server-domain urlf-globcommand specifies the server domain matches for local URL filtering. Typically, you use this command in two class maps: one to specify trusted domains and one to specify untrusted domains. You must configure the urlf-glob keyword with the parameter-map type urlf-glob commandand create the local filtering class with the class-map type urlfilter command before using this command, otherwise you will receive an error message.
Examples
The following example shows the configuration for trusted domains and untrusted domains:
parameter-map type urlf-glob trusted-domain-param pattern www.example.com pattern *.example1.com class-map type urlfilter match-any trusted-domain-class match server-domain urlf-glob trusted-domain-param parameter-map type urlf-glob untrusted-domain-param pattern www.example3.com pattern www.example4.com class-map type urlfilter match-any untrusted-domain-class match server-domain urlf-glob untrusted-domain-paramRelated Commands
Command
Description
class-map type urlfilter
Creates a class map to be used for matching packets to which a URL filtering policy applies.
match url-keyword urlf-glob
Specifies the match criteria for a local URL keyword filter.
parameter-map type urlf-glob
Specifies the per-policy parameters for local URL filtering of trusted domains, untrusted domains, and URL keywords.
match server-response any
To configure the match criterion for a SmartFilter (N2H2) or Websense URL filtering class map, use the match server-response any command in class-map configuration mode. To remove the match criterion, use the no form of this command.
Usage Guidelines
Use the match server-response anycommand to specify that any response from the SmartFilter or Websense server results in a match. Use this command after you have created a class map with the class-map type urlfilter n2h2 or the class-map type urlfilter websense command:
Examples
The following example shows the configuration for a SmartFilter class:
class-map type urlfilter n2h2 match-any smartfilter-class match server-response anyThe following example shows the configuration for a Websense class:
class-map type urlfilter websense match-any websense-class match server-response anymatch service
To specify a match criterion for any supported Instant Messenger (IM) protocol, use the match service command in class-map configuration mode. To remove the match criterion from the configuration file, use the no form of this command.
Usage Guidelines
Use the match service command to configure the Cisco IOS Firewall to create a match criterion on the basis of text chat messages or for any available service within a given IM protocol.
Before you can use the match service command, you must issue the class-map type inspect command and specify one of the following IM protocols: AOL, ICQ, MSN Messenger, Yahoo Messenger, and Windows Messenger.
Examples
The following example shows how to configure an AOL IM policy that permits text chat and blocks any MSN IM service:
class-map type inspect aol match-any l7cmap-service-text-chat match service text-chat ! class-map type inspect msnmsgr match-any l7cmap-service-any match service any ! Allow text-chat, reset if any other service, alarm for both policy-map type inspect im l7pmap class type inspect aol l7cmap-service-text-chat allow log ! class type inspect msnmsgr l7cmap-service-any reset logmatch start
NoteEffective with Cisco IOS Release 15.2(4)M, the match start command is not available in Cisco IOS software.
To configure the match criteria for a class map on the basis of the datagram header (Layer 2 ) or the network header (Layer 3), use the match start command in class-map configuration mode. To remove the specified match criteria, use the no form of this command.
match start { l2-start | l3-start } offset number size number { eq | neq | gt | lt | range range | regex string } { value [value2] | [string] }
no match start { l2-start | l3-start } offset number size number { eq | neq | gt | lt | range range | regex string } { value [value2] | [string] }
Syntax Description
l2-start
Match criterion starts from the datagram header.
l3-start
Match criterion starts from the network header.
offset number
Match criterion can be made according to any aribitrary offset.
size number
Number of bytes in which to match.
eq
Match criteria is met if the packet is equal to the specified value or mask.
neq
Match criteria is met if the packet is not equal to the specified value or mask.
mask
(Optional) Can be used when the eq or the neq keywords are issued.
gt
Match criteria is met if the packet is greater than the specified value.
lt
Match criteria is met if the packet is less than the specified value.
range range
Match critera is based upon a lower and upper boundary protocol field range.
regex string
Match critera is based upon a string that is to be matched.
value
Value for which the packet must be in accordance with.
Command History
Release
Modification
12.4(4)T
This command was introduced.
12.2(18)ZY
This command was integrated into Cisco IOS Release 12.2(18)ZY on the Catalyst 6500 series of switches equipped with the Programmable Intelligent Services Accelerator (PISA).
Cisco IOS XE 2.2
This command was integrated into Cisco IOS XE Release 2.2.
Usage Guidelines
To the match criteria that is to be used for flexible packet matching, you must first enter theclass-map command to specify the name of the class whose match criteria you want to establish. Thereafter, you can enter one of the following commands:
Examples
The following example shows how to configure FPM for blaster packets. The class map contains the following match criteria: TCP port 135, 4444 or UDP port 69; and pattern 0x0030 at 3 bytes from start of IP header.
load protocol disk2:ip.phdf load protocol disk2:tcp.phdf load protocol disk2:udp.phdf class-map type stack match-all ip-tcp match field ip protocol eq 0x6 next tcp class-map type stack match-all ip-udp match field ip protocol eq 0x11 next udp class-map type access-control match-all blaster1 match field tcp dest-port eq 135 match start 13-start offset 3 size 2 eq 0x0030 class-map type access-control match-all blaster2 match field tcp dest-port eq 4444 match start 13-start offset 3 size 2 eq 0x0030 class-map type access-control match-all blaster3 match field udp dest-port eq 69 match start 13-start offset 3 size 2 eq 0x0030 policy-map type access-control fpm-tcp-policy class blaster1 drop class blaster2 drop policy-map type access-control fpm-udp-policy class blaster3 drop policy-map type access-control fpm-policy class ip-tcp service-policy fpm-tcp-policy class ip-udp service-policy fpm-udp-policy interface gigabitEthernet 0/1 service-policy type access-control input fpm-policymatch text-chat
To use text chat messages as the match criterion, use the match text-chat command in class-map configuration mode. To remove the match criterion from the configuration file, use the no form of this command.
Syntax Description
regular-expression
(Optional) The regular expression used to identify specific eDonkey text chat messages. For example, entering “.exe” as the regular expression would classify the eDonkey text chat messages containing the string “.exe” as matches for the traffic policy.
To specify that all eDonkey text chat messages be identified by the traffic class, use an asterisk (*) as the regular expression.
Usage Guidelines
Use the match text-chatcommand to configure the Cisco IOS firewall to block text chat messages between clients using the eDonkey peer-to-peer (P2P) application.
NoteThis command is available only for the eDonkey P2P protocol.
match url
To specify the URL to be associated with the URL profile that configures the SDP registrar to run HTTPS, use the match urlcommand in tti-registrar configuration mode. To remove this configuration, use the no form of this command.
Usage Guidelines
The match urlcommand is required in the SDP registrar configuration, which is used to deploy Apple iPhones on a corporate network.
Examples
The following example configures the SDP registrar to run HTTPS in order to deploy Apple iPhones on a corporate network from global configuration mode:
Router(config)# crypto provisioning registrar Router(tti-registrar)# url-profile start START Router(tti-registrar)# url-profile intro INTRO Router(tti-registrar)# match url /sdp/intro Router(tti-registrar)# match authentication trustpoint apple-tp Router(tti-registrar)# match certificate cat 10 Router(tti-registrar)# mime-type application/x-apple-aspen-config Router(tti-registrar)# template location flash:intro.mobileconfig Router(tti-registrar)# template variable p iphone-vpnRelated Commands
Command
Description
crypto provisioning registrar
Configures a device to become a registrar for the SDP exchange and enters tti-registrar configuration mode.
url-profile
Specifies a URL profile that configures the SDP registrar to run HTTPS in order to deploy Apple iPhones on a corporate network.
match authentication trustpoint
Enters the trustpoint name that should be used to authenticate the peer’s certificate.
match certificate
Enters the name of the certificate map used to authorize the peer’s certificate.
mime-type
Specifies the MIME type that the SDP registrar should use to respond to a request received through the URL profile.
template location
Specifies the location of the template that the SDP Registrar should use while responding to a request received through the URL profile.
template variable p
Specifies the value that goes into the OU field of the subject name in the certificate to be issued.
match url category
To configure the match criteria for a Trend-Micro URL filtering class map on the basis of the specified URL category, use the match url categorycommand in class-map configuration mode. To remove the URL category match criteria from a URL filtering class map, use the no form of this command.
Usage Guidelines
The match url categorycommand specifies the name of the URL category to be used as the match criteria against which packets are checked to determine whether they belong to the class specified by the class map. Before you can use the match url categorycommand, you must first use the class-map type urlfiltercommand to specify the name of the class whose match criteria you want to establish.
To display a list of supported URL categories, use the match url category ? command in class map configuration mode.
Examples
The following example specifies a class map for Trend Micro filtering called drop-category and configures the URL categories Gambling and Personals-Dating as match criteria:
class-map type urlfilter trend match-any drop-category match url category Gambling match url category Personals-Datingmatch url-keyword urlf-glob
To configure the match criteria for a local URL filtering class map on the basis of the URL keyword, use the match url-keyword urlf-glob command in class-map configuration mode. To remove the keyword match criteria from a URL filtering class map, use the no form of this command.
Usage Guidelines
The match url-keyword urlf-glob command specifies URL keyword matches for local URL filtering. Typically, you use this command to specify the URL keywords for which you want to block access. You must configure the urlf-glob keyword with the parameter-map type urlf-glob commandand create the local filtering class with the class-map type urlfilter command before using this command, otherwise you will receive an error message.
Examples
The following example shows the use of:
- The parameter-map type urlf-glob command to configure the the keyword matching patterns.
- The class-map type urlfilter command to create the local URL filtering class keyword class.
- The match url-keyword urlf-glob command to specify the matching criteria for the class.
parameter-map type urlf-glob keyword-param pattern example pattern www.example1 pattern example3 class-map type urlfilter match-any keyword-class match url-keyword urlf-glob keyword-paramRelated Commands
Command
Description
class-map type urlfilter
Creates a class map to be used for matching packets to which a URL filtering policy applies.
match server-domain urlf-glob
Specifies the match criteria for a local domain name filter.
parameter-map type urlf-glob
Specifies the per-policy parameters for local URL filtering of trusted domains, untrusted domains, and URL keywords.
match url reputation
To configure the match criteria for a Trend-Micro URL filtering class map on the basis of the specified URL reputation, use the match url reputationcommand in class-map configuration mode. To remove the URL reputation match criteria from a URL filtering class map, use the no form of this command.
Usage Guidelines
The match url reputationcommand specifies the name of the URL reputation to be used as a match criterion against which packets are checked to determine whether they belong to the class specified by the class map. Before you can use the match url reputationcommand, you must first use the class-map type urlfiltercommand to specify the name of the class whose match criteria you want to establish.
To display a list of supported URL reputations, use the match url reputation ? command in class map configuration mode.
match user-group
To configure the match criterion for a class map on the basis of the specified user group, use the match user-group command in class-map configuration mode. To remove user-group based match criterion from a class map, use the no form of this command.
Usage Guidelines
To use the match user-group command, you must first enter the class-map command to specify the name of the class whose match criteria you want to establish.
Examples
The following example specifies a class map called ftp and configures the user-group as a match criterion:
Router(config)# class-map type inspect match-all auth_proxy_ins_cm Router(config-cmap)# description ! Inspect Type Class-map for auth_proxy_ug ! Router(config-cmap)# match protocol telnet Router(config-cmap)# match user-group auth_proxy_ug Router(config-cmap)# exit Router(config)# class-map type inspect match-all eng_group_ins_cm Router(config-cmap)# description ! Inspect Type Class-map for eng_group_ug ! Router(config-cmap)# match protocol telnet Router(config-cmap)# match user-group eng_group_ug Router(config-cmap)# exit Router(config)# class-map type inspect match-all manager_group_ins_cm Router(config-cmap)# description ! Inspect Type Class-map for manager_group_ug ! Router(config-cmap)# match protocol ftp Router(config-cmap)# match user-group manager_group_ug Router(config-cmap)# endmax-destination
To configure the maximum number of destinations that a firewall can track, use the max-destination command in profile configuration mode. To disable the configuration, use the no form of this command.
Usage Guidelines
You must configure the parameter-map type inspect-zone command before you can configure the max-destination command.
The firewall creates an entry for each destination to track the rate of TCP synchronization (SYN) flood packets arriving from a zone to a destination address. The number of entries that a firewall creates should be limited, so that these entries do not consume a lot of memory during a denial-of-service (DoS) attack. The max-destination command configures the maximum number of destinations that a firewall can track. When the maximum limit is reached, the SYN packets to a destination are dropped.
max-header-length
To permit or deny HTTP traffic on the basis of the message header length, use the max-header-lengthcommand in appfw-policy-http configuration mode. To disable this inspection parameter, use the no form of this command.
max-header-length request bytes response bytes action { reset | allow } [alarm]
no max-header-length request bytes response bytes action { reset | allow } [alarm]
Syntax Description
request bytes
Maximum header length, in bytes, allowed in the request message. Number of bytes range: 0 to 65535.
response bytes
Maximum header length, in bytes, allowed in the response message. Number of bytes range: 0 to 65535.
action
Messages that exceed the maximum size are subject to the specified action (reset or allow).
reset
Sends a TCP reset notification to the client or server if the HTTP message fails the mode inspection.
allow
Forwards the packet through the firewall.
alarm
(Optional) Generates system logging (syslog) messages for the given action.
Usage Guidelines
All message header lengths exceeding the configured maximum size will be subjected to the specified action (reset or allow).
Examples
The following example shows how to define the HTTP application firewall policy “mypolicy.” This policy includes all supported HTTP policy rules. After the policy is defined, it is applied to the inspection rule “firewall,” which will inspect all HTTP traffic entering the FastEthernet0/0 interface.
! Define the HTTP policy. appfw policy-name mypolicy application http strict-http action allow alarm content-length maximum 1 action allow alarm content-type-verification match-req-rsp action allow alarm max-header-length request 1 response 1 action allow alarm max-uri-length 1 action allow alarm port-misuse default action allow alarm request-method rfc default action allow alarm request-method extension default action allow alarm transfer-encoding type default action allow alarm ! ! ! Apply the policy to an inspection rule. ip inspect name firewall appfw mypolicy ip inspect name firewall http ! ! ! Apply the inspection rule to all HTTP traffic entering the FastEthernet0/0 interface. interface FastEthernet0/0 ip inspect firewall in ! !max-incomplete
To define the number of existing half-open sessions that will cause the Cisco IOS firewall to start and stop deleting half-open sessions, use the max-incomplete command in parameter-map type inspect configuration mode. To disable this function, use the no form of this command.
max-incomplete { low number-of-connections | high number-of-connections }
no max-incomplete { low number-of-connections | high number-of-connections }
Syntax Description
low number-of-connections
Minimum number of half-open sessions that will cause the Cisco IOS firewall to stop deleting half-open sessions. The default is unlimited.
high number-of-connections
Maximum number of half-sessions after which the Cisco IOS firewall will start deleting half-open sessions. The default is unlimited.
Usage Guidelines
When you are configuring an inspect type parameter map, you can enter the max-incompletesubcommand after you enter the parameter-map type inspect command.
Enter the max-incompletecommand twice. The first command specifies a high number at which the system will start deleting half-open sessions. The second command specifies a low number at which the system will stop deleting half-open sessions.
For more detailed information about creating a parameter map, see the parameter-map type inspect command.
Examples
The following example shows how to specify that the Cisco IOS firewall will stop deleting half-open sessions when there is a minimum of 800 half-open sessions and a maximum of 10000 half-open sessions:
parameter-map type inspect internet-policy max-incomplete high 10000 max-incomplete low unlimited 800Related Commands
Command
Description
ip inspect max-incomplete high
Defines the number of existing half-open sessions that will cause the software to start deleting half-open sessions.
ip inspect max-incomplete low
Defines the number of existing half-open sessions that will cause the software to stop deleting half-open sessions.
parameter-map type inspect
Configures an inspect parameter map for connecting thresholds, timeouts, and other parameters pertaining to the inspect action.
max-incomplete (parameter-map type)
To configure the half-opened session limit for VPN routing and forwarding (VRF), use the max-incomplete command in parameter-map type inspect configuration mode. To disable the half-opened session limit configuration, use the no form of this command.
Syntax Description
icmp
(Optional) Specifies the maximum half-opened Internet Control Message Protocol (ICMP) connections per VRF.
tcp
(Optional) Specifies the maximum half-opened TCP connections per VRF.
udp
(Optional) Specifies the maximum half-opened UDP connections per VRF.
number
Number of half-opened sessions per VRF. Valid values are from 1 to 4294967295.
Usage Guidelines
You must configure the parameter-map type inspect global or parameter-map type inspect-vrf command before you configure the max-incomplete command.
A half-opened session is a session that has not reached the established state.
When you configure the max-incomplete command after configuring the parameter-map type inspect global, command, the half-opened session limit is configured for the global VRF table.
When the configured half-opened session limit is reached, new connections are dropped.
Examples
The following example shows how to configure the half-opened session limit to 3400 for the global VRF table:
Router(config)# parameter-map type inspect global Router(config-profile)# max-incomplete 3400 Router(config-profile)# endThe following example shows how to configure the half-opened limit to 2380 for per-VRF firewall sessions:
Router(config)# parameter-map type inspect-vrf vrf-pmap Router(config-profile)# max-incomplete 2380 Router(config-profile)# endmax-incomplete aggressive-aging
To configure the maximum number of half-opened firewall sessions and the aggressive aging of half-opened firewall sessions for VPN routing and forwarding (VRF), use the max-incomplete aggressive-aging command in parameter-map type inspect configuration mode. To disable the configuration, use the no form of this command.
max-incomplete number aggressive-aging high { value low value | percent percent low percent percent }
no max-incomplete number aggressive-aging high { value low value | percent percent low percent percent }
Syntax Description
number
Number of half-opened sessions. Valid values are from 1 to 4294967295.
high
Specifies the high watermark for aggressive aging.
value
High watermark in absolute values. Valid values are from 1 to 4294967295.
low
Specifies the low watermark for aggressive aging.
value
Low watermark in absolute values. Valid values are from 1 to 4294967295.
percent percent
Specifies the high watermark percentage for aggressive aging. Valid values are from 1 to 100.
low percent percent
Specifies the low watermark percentage for aggressive aging. Valid values are from 1 to 100.
Usage Guidelines
The Aggressive Aging feature allows the firewall to aggressively age out sessions to make space for new sessions, thereby protecting the firewall session table from filling.
A half-opened session is a session that has not reached the established state.
You must configure the parameter-map type inspect global or the parameter-map type inspect-vrf command before configuring the max-incomplete aggressive-aging command.
Examples
The following example shows how to configure the aggressive aging of half-opened sessions for a VRF:
Router(config)# parameter-map type inspect-vrf vrf-pmap Router(config-profile)# max-incomplete 2345 aggressive-aging high percent 70 low percent 30 Router(config-profile)# endRelated Commands
Command
Description
max-incomplete (inspect-vrf)
Configures the half opened session limit for a VRF.
parameter-map type inspect global
Configures a global parameter map and enters parameter-map type inspect configuration mode.
parameter-map type inspect-vrf
Configures an inspect VRF-type parameter map and enters parameter-map type inspect configuration mode.
max-logins
To limit the number of simultaneous logins for users in a specific server group, use the max-logins command in global configuration mode. To remove the number of connections that were set, use the no form of this command.
Command History
Release
Modification
12.3(4)T
This command was introduced.
12.2(33)SRA
This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2SX
This command is supported in the Cisco IOS 12.2SX family of releases. Support in a specific 12.2SX release is dependent on your feature set, platform, and platform hardware.
Usage Guidelines
The crypto isakmp client configuration group command must be configured before this command can be configured.
This command makes it possible to mimic the functionality provided by some RADIUS servers for limiting the number of simultaneous logins for users in that group.
The max-users and max-logins keywords can be enabled together or individually to control the usage of resources by any groups or individuals.
Examples
The following example shows that the maximum number of logins for users in server group “cisco” has been set to 8:
Router (config)# crypto isakmp client configuration group cisco Router (config)# max-logins 8The following shows the RADIUS attribute-value (AV) pairs for the maximum users and maximum logins parameters:
ipsec:max-users=1000 ipsec:max-logins=1max-request
To specify the maximum number of outstanding requests that can exist at any given time, use the max-request command in URL parameter-map configuration mode. To disable this feature, use the no form of this command.
Usage Guidelines
When you are creating or modifying a URL parameter map, you can enter the max-requestsubcommand after you enter the parameter-map type urlfilter command. For more detailed information about creating a parameter map, see the parameter-map type urlfilter command.
max-resp-pak
To specify the maximum number of HTTP responses that the Cisco IOS firewall can keep in its packet buffer, use the max-resp-pakcommand in URL parameter-map configuration mode. To disable this feature, use the no form of this command.
Usage Guidelines
When you are creating or modifying a URL parameter map, you can enter the max-resp-paksubcommand after you enter the parameter-map type urlfilter command. For more detailed information about creating a parameter map, see the parameter-map type urlfilter command.
max-retry-attempts
To set the maximum number of retries before Single SignOn (SSO) authentication fails, use the max-retry-attempts command in webvpn sso server configuration mode. To remove the number of retries that were set, use the no form of this command.
Command Default
A maximum number of retries is not set. If this command is not configured, the default is 3 retries.
Usage Guidelines
This command is useful for networks that are congested and tend to have losses. Corporate networks are generally not affected by congestion or losses.
max-uri-length
To permit or deny HTTP traffic on the basis of the uniform resource identifier (URI) length in the request message, use the max-uri-lengthcommand in appfw-policy-http configuration mode. To disable this inspection parameter, use the no form of this command.
max-uri-length bytes action { reset | allow } [alarm]
no max-uri-length bytes action { reset | allow } [alarm]
Syntax Description
bytes
Number of bytes ranging from 0 to 65535.
action
Messages that exceed the maximum URI length are subject to the specified action (reset or allow).
reset
Sends a TCP reset notification to the client or server if the HTTP message fails the mode inspection.
allow
Forwards the packet through the firewall.
alarm
(Optional) Generates system logging (syslog) messages for the given action.
Usage Guidelines
All URI lengths exceeding the configured value will be subjected to the specified action (reset or allow).
Examples
The following example shows how to define the HTTP application firewall policy “mypolicy.” This policy includes all supported HTTP policy rules. After the policy is defined, it is applied to the inspection rule “firewall,” which will inspect all HTTP traffic entering the FastEthernet0/0 interface.
! Define the HTTP policy. appfw policy-name mypolicy application http strict-http action allow alarm content-length maximum 1 action allow alarm content-type-verification match-req-rsp action allow alarm max-header-length request 1 response 1 action allow alarm max-uri-length 1 action allow alarm port-misuse default action allow alarm request-method rfc default action allow alarm request-method extension default action allow alarm transfer-encoding type default action allow alarm ! ! ! Apply the policy to an inspection rule. ip inspect name firewall appfw mypolicy ip inspect name firewall http ! ! ! Apply the inspection rule to all HTTP traffic entering the FastEthernet0/0 interface. interface FastEthernet0/0 ip inspect firewall in ! !max-users
To limit the number of connections to a specific server group, use the max-users command in global configuration mode. To remove the number of connections that were set, use the no form of this command.
Command History
Release
Modification
12.2(4)T
This command was introduced.
12.2(33)SRA
This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2SX
This command is supported in the Cisco IOS 12.2SX family of releases. Support in a specific 12.2SX release is dependent on your feature set, platform, and platform hardware.
Usage Guidelines
The crypto isakmp client configuration group command must be configured before this command can be configured.
This command makes it possible to mimic the functionality provided by some RADIUS servers for limiting the number of connections to a specific server group.
The max-users and max-logins keywords can be enabled together or individually to control the usage of resources by any groups or individuals.
Examples
The following example shows that the maximum number of connections to server group “cisco” has been set to 1200:
Router (config)# crypto isakmp client configuration group cisco Router (config)# max-users 1200The following shows the RADIUS attribute-value (AV) pairs for the maximum users and maximum logins parameters:
ipsec:max-users=1000 ipsec:max-logins=1max-users (WebVPN)
To limit the number of connections to an SSL VPN that will be permitted, use the max-users command in webvpn context configuration mode. To remove the connection limit from the SSL VPN context configuration, use the no form of this command.
Command Default
The following is the default if this command is not configured or if the no form is entered:
number : 1000
message retry count
To configure the number of times that a Trusted Information Distribution Protocol (TIDP) message is transmitted, use the message retry count command in parameter-map configuration mode. To configure TMS to use the default message timer value, use the no form of this command.
NoteEffective with Cisco IOS Release 12.4(20)T, the message retry count command is not available in Cisco IOS software.
Command Default
The following default value is used if this command is not configured or if the no form is entered:
3
Usage Guidelines
The message timer regulates the number of times that the controller sends a Control Information Message (CIM) to a nonresponsive consumer.
Examples
The following example configures a controller to send messages to consumers up to 5 times at 15-second intervals:
Router(config)# parameter-map type tms TMS_PAR_1 Router(config-profile)# logging tms events Router(config-profile)# heartbeat retry interval 60 Router(config-profile)# heartbeat retry count 3 Router(config-profile)# message retry interval 15 Router(config-profile)# message retry count 5 Router(config-profile)# exitmessage retry interval
To configure the time interval between the transmission of Transitory Messaging Services (TMS) messages, use the message retry interval command in parameter-map configuration mode. To configure TMS to use the default message timer value, use the no form of this command.
NoteEffective with Cisco IOS Release 12.4(20)T, the message retry interval command is not available in Cisco IOS software.
Command Default
The following default value is used if this command is not configured or if the no form is entered:
10
Usage Guidelines
The message timer regulates the number of times that the controller sends a Threat Information Message (TIM) to a nonresponsive consumer.
Examples
The following example configures a controller to send messages to consumers up to five times at 15-second intervals:
Router(config)# parameter-map type tms TMS_PAR_1 Router(config-profile)# logging tms events Router(config-profile)# heartbeat retry interval 60 Router(config-profile)# heartbeat retry count 3 Router(config-profile)# message retry interval 15 Router(config-profile)# message retry count 5 Router(config-profile)# exitmime-type
To specify the Multipurpose Internet Mail Extensions (MIME) type that the SDP registrar should use to respond to a request received through the URL profile, use the mime-type command in tti-registrar configuration mode. To remove this configuration, use the no form of this command.
Usage Guidelines
The mime-typecommand is required in the SDP registrar configuration, which is used to deploy Apple iPhones on a corporate network.
Examples
The following example configures the SDP registrar to run HTTPS in order to deploy Apple iPhones on a corporate network from global configuration mode:
Router(config)# crypto provisioning registrar Router(tti-registrar)# url-profile start START Router(tti-registrar)# url-profile intro INTRO Router(tti-registrar)# match url /sdp/intro Router(tti-registrar)# match authentication trustpoint apple-tp Router(tti-registrar)# match certificate cat 10 Router(tti-registrar)# mime-type application/x-apple-aspen-config Router(tti-registrar)# template location flash:intro.mobileconfig Router(tti-registrar)# template variable p iphone-vpnRelated Commands
Command
Description
crypto provisioning registrar
Configures a device to become a registrar for the SDP exchange and enters tti-registrar configuration mode.
url-profile
Specifies a URL profile that configures the SDP registrar to run HTTPS in order to deploy Apple iPhones on a corporate network.
match authentication trustpoint
Enters the trustpoint name that should be used to authenticate the peer’s certificate.
match certificate
Enters the name of the certificate map used to authorize the peer’s certificate.
match url
Specifies the URL to be associated with the URL profile.
template location
Specifies the location of the template that the SDP Registrar should use while responding to a request received through the URL profile.
template variable p
Specifies the value that goes into the OU field of the subject name in the certificate to be issued.
