Layer 7 Policy/Application Signature
Policy rules assign incoming traffic to a specific policy profile. Layer 7 policy (application signature) adds a further traffic classification capability: the switch snoops DNS reply packets and matches the resolved host names against pre-defined traffic application signature patterns. Snooping is activated automatically when policy is enabled and an application signature (AS) rule is created, and it is deactivated when all AS rules are removed or policy is disabled. Layer 7 policy uses shared look-up stage TCAM resources that must be configured first (see VCAP Partitioning); the number of signature rules that can be installed depends on the space available in that shared region.
For each host name that matches a signature pattern, dynamic policy rules are created in hardware for the destination IP addresses discovered in the DNS replies, so that traffic to those addresses is mapped to the application traffic signature. Each IP address and its associated dynamic rule is timed out according to the TTL of the snooped DNS record. Application traffic signatures are organized into groups of one or more signature names, and each signature name consists of one or more signature patterns.
Layer 7 policy is based on the use of the enterasys-application-signature-mib (see ENTERASYS-APPLICATION-SIGNATURE-MIB).
Supported on ExtremeSwitching X450-G2, X460-G2, X440-G2, X465, X590, X620, and X695 series switches.
- IPv6 is not supported.
- Rule creation and deletion are driven by a 5 second timer: on each timer pass, new rules are installed and expired rules are removed.
- The rule TTL is configurable as 1, 5, or 10 minutes.
- When VCAP space runs out, an IP rule that is not already installed in hardware is not created. Installation of such rules is retried on subsequent 5 second timer passes and succeeds only when other rules have timed out and freed space.
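The snooping and dynamic-rule lifecycle described above, as an added model in Python. This is example code written for this page; it is not ExtremeXOS code and does not reflect the switch's internal data structures. The signature table, the pattern syntax (a pattern matches the host and any of its subdomains), the VCAP budget expressed as a slot count, and the choice between the snooped DNS TTL and a configured rule TTL are all assumptions, and the DNS packets are constructed in `build_response` purely as sample input. The model does show the behaviour the text describes: DNS replies are snooped, matching addresses become per-IP rules on the next timer pass, rules expire by TTL, and a rule that finds no VCAP space waits and is retried once space is freed.

```python
import struct

# Constructed signature table (group -> name -> host-name patterns), an assumption
# standing in for the switch's built-in signature set.
SIGNATURES = {
    "Social Networking": {"Facebook": ["facebook.com", "fbcdn.net"],
                          "Twitter": ["twitter.com", "twimg.com"]},
    "Search Engines": {"Google": ["google.com", "gstatic.com"]},
}

def classify(hostname):
    """Return (group, name) for a host name matched by a signature pattern, else None."""
    h = hostname.lower().rstrip(".")
    for group, names in SIGNATURES.items():
        for name, patterns in names.items():
            if any(h == p or h.endswith("." + p) for p in patterns):
                return group, name
    return None

def _read_name(buf, off):
    """Decode a DNS name at off, following compression pointers; return (name, next_off)."""
    labels, jumped, end = [], False, off
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:                 # compression pointer to an earlier name
            if not jumped:
                end = off + 2
            off, jumped = ((length & 0x3F) << 8) | buf[off + 1], True
            continue
        off += 1
        if length == 0:
            break
        labels.append(buf[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), end if jumped else off

def parse_dns_response(pkt):
    """Return (question name, [(ipv4, ttl), ...]) for the A records in a DNS response."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    if not flags & 0x8000 or qd != 1:             # queries and odd packets are not snooped
        return None, []
    qname, off = _read_name(pkt, 12)
    off += 4                                      # skip QTYPE and QCLASS
    answers = []
    for _ in range(an):
        _owner, off = _read_name(pkt, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:             # A records only; AAAA is ignored (no IPv6 support)
            answers.append((".".join(str(b) for b in pkt[off:off + 4]), ttl))
        off += rdlen
    return qname, answers

def build_response(qname, ips, ttl, flags=0x8180):
    """Build a constructed DNS packet with one question and A-record answers (sample input only)."""
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    pkt = struct.pack("!HHHHHH", 0x1234, flags, 1, len(ips), 0, 0) + name + struct.pack("!HH", 1, 1)
    for ip in ips:                                # owner name is a pointer (0xC00C) to the question
        pkt += b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4) + bytes(int(o) for o in ip.split("."))
    return pkt

class DynamicRuleTable:
    """Dynamic per-IP rules with TTL expiry, bounded by a VCAP slot budget (hypothetical model)."""
    def __init__(self, vcap_slots, rule_ttl=None):
        self.vcap_slots = vcap_slots
        self.rule_ttl = rule_ttl      # None: use the snooped DNS TTL; else a configured value in seconds
        self.installed = {}           # ip -> (group, name, expires_at): rule is in hardware
        self.pending = {}             # ip -> (group, name, expires_at): waiting for VCAP space

    def snoop(self, pkt, now):
        """Record the addresses of a matching reply; installation waits for the next timer pass."""
        qname, answers = parse_dns_response(pkt)
        sig = classify(qname) if qname else None
        if sig is None:
            return
        for ip, dns_ttl in answers:
            target = self.installed if ip in self.installed else self.pending
            target[ip] = (sig[0], sig[1], now + (self.rule_ttl or dns_ttl))

    def tick(self, now):
        """Timer pass: expire timed-out rules, then install pending rules into the freed space."""
        for table in (self.installed, self.pending):
            for ip in [ip for ip, (_, _, exp) in table.items() if exp <= now]:
                del table[ip]
        for ip in list(self.pending):
            if len(self.installed) >= self.vcap_slots:
                break                 # VCAP exhausted: rule stays pending and is retried next pass
            self.installed[ip] = self.pending.pop(ip)

    def lookup(self, ip):
        rule = self.installed.get(ip)
        return rule[:2] if rule else None

def simulate():
    """Two VCAP slots, a three-address reply, then a second reply that waits for space to free up."""
    table, log = DynamicRuleTable(vcap_slots=2), {}
    table.snoop(build_response("www.facebook.com", ["192.0.2.35", "192.0.2.36", "192.0.2.37"], 60), now=0)
    table.tick(now=5)              # two rules fit, the third stays pending
    log["after_first_pass"] = (sorted(table.installed), sorted(table.pending))
    table.snoop(build_response("www.google.com", ["198.51.100.10"], 60), now=30)
    table.tick(now=65)             # first reply's TTL elapsed: its rules (and the unplaced one) expire
    log["after_expiry"] = (sorted(table.installed), sorted(table.pending))
    log["lookup"] = table.lookup("198.51.100.10")
    return log
```

Running `simulate()` walks the scenario in the bullets above: with only two VCAP slots, the third address of the first reply is never installed, and the second reply's rule is only installed on the timer pass after the first reply's TTL has expired. Passing `rule_ttl=600` to the constructor models the configured 10 minute TTL instead of the per-record DNS TTL.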
Starting with ExtremeXOS 30.4, policy rules support an additional traffic classification by application signature group and name. A fixed set of signature groups is defined. Each group contains a set of pre-defined (built-in) signature names, which can be supplemented with additional names created by CLI command or through the MIB. Each application signature name is in turn defined by one or more signature patterns.
The signatures are arranged into two hierarchical levels, group and name.
Group examples: Advertising, Storage, Education
Name examples: Etrade, Skype, AOL, Facebook, Twitter, Google
Example Signature Groups
- Social Networking
- Search Engines
- News and Information