
Network World

Brandon Carroll

More MPF and a Quick Survey

By brandon on Fri, 04/11/08 - 12:45am.

So in my last post I talked about the Modular Policy Framework, and we took a very short look at how a class-map, policy-map, and service-policy all fit together. I also said that today I would discuss how to add application-layer functionality. I will, as promised, but before I do that I want to take a quick survey. Please use the survey below to answer the following questions:

When it comes to studying for the CCSP, what do you do for lab access?

Does it make sense to build your own lab, or does it make more sense to just run through the books?

If you are buying your own gear are you also planning on attempting the CCIE Security?

Let's say your boss gives you a $3000 budget to work on certification or furthering your skills.

What do you do with it? Take a class? Take a Boot Camp?

Are Boot Camps worth it?

What would make training really stand out? (OK, this one is personal: I've been the student in many classes, and recently I had the pleasure of taking a class that provided EVERYTHING in PDF format. That really stood out to me.)

Wow, that's a lot to think about! In the meantime, let's take a look at adding application-layer functionality to your MPF.

Let's start with the structure. In this first figure you can see the basics of the MPF that we talked about last week. It shows that the class-map matches a whole slew of things and the policy-map applies an action to it.

[Figure 1: the basic MPF structure: class-map, policy-map, service-policy]

In this next figure we see a new type of class-map, called a "class-map type inspect." It matches different options than the first class-map: this one matches the protocols DNS, FTP, H323, HTTP, IM, and SIP.

[Figure 2: class-map type inspect matching DNS, FTP, H323, HTTP, IM, and SIP]

By using this type of class-map we get a new level of granularity. It lets us match specific things that these protocols do; for example, with HTTP we can match a request, req-response, or a response. This will let us catch a POST as it flies by in a packet.

Now once you match the POST, what are you going to do with it? That's where the policy-map type inspect comes in. Here you reference the class-map and then choose the action: drop-connection, reset, and/or log.

So far here is how it should look:

class-map type inspect http match-all MY_CLASS_INSPECT
 match request method post
!
policy-map type inspect http MYHTTP_POLICYMAP
 parameters
 class MY_CLASS_INSPECT
  reset log

So far this looks good. Now what? Well, here is where it sometimes gets confusing. Here is where we combine it with the standard "class-map > policy-map > service-policy" chain that we discussed last week. The reason we are going to include this is because 1) we can't apply a policy-map type inspect to a service-policy, and 2) we want to match a specific conversation when we drop the POST.

Let's use the following diagram for this example:

[Figure 3: topology for this example]

First let's start with an access-list that matches the traffic we want to look for:

access-list MATCH_HTTP extended permit tcp host 172.30.1.1 host 10.1.1.1 eq www

Next build a class-map to match the access-list you just created:

class-map MATCH_HTTP
 match access-list MATCH_HTTP

Next up is the policy-map. First off we want to tell the policy-map to match the MATCH_HTTP class-map. This will allow it to find traffic from 172.30.1.1 to 10.1.1.1 that is HTTP.

policy-map MY_HTTP
 class MATCH_HTTP

Then we tell it to inspect http and apply the policy-map type inspect:

  inspect http MYHTTP_POLICYMAP

Now you have a working policy-map that matches HTTP traffic from 172.30.1.1 to 10.1.1.1, and when it does it will look for a POST. If it finds a POST it will log it and reset the TCP connection. Still, it isn't applied to anything, so to shore it all up we need to do that:

service-policy MY_HTTP interface outside

Here is a look at the final config:

class-map type inspect http match-all MY_CLASS_INSPECT
 match request method post
!
policy-map type inspect http MYHTTP_POLICYMAP
 parameters
 class MY_CLASS_INSPECT
  reset log
!
access-list MY_HTTP extended permit tcp host 172.30.1.1 host 10.1.1.1 eq www
!
class-map MY_HTTP
 match access-list MY_HTTP
!
policy-map MY_HTTP
 class MY_HTTP
  inspect http MYHTTP_POLICYMAP
!
service-policy MY_HTTP interface outside
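The slips that bite people here are exactly the ones this post works through: a policy-map naming a class-map that was never defined, or an inspect policy-map applied straight to an interface. The following checker is an added example, not part of this post or of any Cisco tooling; it parses these ASA MPF lines (Python 3.8+) and verifies the reference chain: each class must name a class-map of the same type, inspect http must name a policy-map type inspect http, and service-policy must name a Layer 3/4 policy-map. The sample configs are constructed from the final configuration above.

```python
import re

# Constructed sample mirroring the post's corrected final configuration.
GOOD_CFG = """\
class-map type inspect http match-all MY_CLASS_INSPECT
 match request method post
policy-map type inspect http MYHTTP_POLICYMAP
 parameters
 class MY_CLASS_INSPECT
  reset log
access-list MY_HTTP extended permit tcp host 172.30.1.1 host 10.1.1.1 eq www
class-map MY_HTTP
 match access-list MY_HTTP
policy-map MY_HTTP
 class MY_HTTP
  inspect http MYHTTP_POLICYMAP
service-policy MY_HTTP interface outside
"""
# Constructed variant with two slips: a class-map name typo, and the inspect policy-map
# applied directly to the interface (the post notes this is not allowed).
BROKEN_CFG = (GOOD_CFG.replace("class MY_CLASS_INSPECT", "class MYINSPECT")
              .replace("service-policy MY_HTTP", "service-policy MYHTTP_POLICYMAP"))

def check_mpf(config):
    """Return dangling or mistyped references in the class-map > policy-map > service-policy chain."""
    acls, classes, policies, refs = set(), {}, {}, []
    kind = None  # type of the policy-map whose sub-commands are being read
    for line in (l.strip() for l in config.splitlines()):
        if m := re.match(r"access-list (\S+) ", line):
            acls.add(m.group(1))
        elif m := re.match(r"class-map (type inspect \S+ )?(?:match-\w+ )?(\S+)$", line):
            classes[m.group(2)] = (m.group(1) or "layer3/4").strip()
        elif m := re.match(r"policy-map (type inspect \S+ )?(\S+)$", line):
            kind = (m.group(1) or "layer3/4").strip()
            policies[m.group(2)] = kind
        elif m := re.match(r"match access-list (\S+)$", line):
            refs.append(("access-list", m.group(1), None))
        elif m := re.match(r"class (\S+)$", line):
            refs.append(("class", m.group(1), kind))  # must be the same type as its policy-map
        elif m := re.match(r"inspect (\S+) (\S+)$", line):
            refs.append(("inspect", m.group(2), f"type inspect {m.group(1)}"))
        elif m := re.match(r"service-policy (\S+) (?:interface \S+|global)$", line):
            refs.append(("service-policy", m.group(1), "layer3/4"))
    errors = []  # references are resolved after the full pass, so definition order does not matter
    for what, name, want in refs:
        if what == "access-list" and name not in acls:
            errors.append(f"match access-list {name}: access-list not defined")
        elif what == "class" and name != "class-default" and classes.get(name) != want:
            errors.append(f"class {name}: no {want} class-map with that name")
        elif what in ("inspect", "service-policy") and policies.get(name) != want:
            errors.append(f"{what} {name}: expected a {want} policy-map")
    return errors
```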

Well, that wraps it up for this post. Again, I look forward to hearing your input on the questions that I posed way back at the beginning of the post. I'm not sure what next week brings since my wife is due to deliver our second child, so give me some ideas and bear with me if it takes a while to get back to you!

About Cisco Unwired

Brandon Carroll, CCIE # 23837, is a certified Cisco Systems Instructor working for Ascolta Training, based out of the Irvine, Ca. Training Center. He is published by Cisco Press/Pearson Education in the area of network security and wireless.

Brandon maintains a personal blog at GlobalConfig.net as well as a company blog at Ascolta

His most recent book is the CCNA Wireless Official Exam Certification Guide; however, a new AAA Identity Management book is soon to be published, available now as a http://www.ciscopress.com/bookstore/product.asp?isbn=1587141558.

This blog is part of the Cisco Subnet blogging community.
