Layer 7 Policy/Application Signature

Policy rules are used to assign incoming traffic to a specific policy profile. Layer 7 policy/application signature provides an additional traffic classification capability. This layer 7 classification is accomplished by the snooping of DNS packets for pre-defined traffic application signatures.

Layer 7 policy is based on the use of the ENTERASYS-APPLICATION-SIGNATURE-MIB.

Supported Platforms

Summit X450-G2, X460-G2, X670-G2, and ExtremeSwitching X440-G2, X465, X590, X620, X690, X870 series switches.

Limitations

V6 is not supported.
Rule creation and deletion are controlled by a time-to-live (TTL) 5 second timer.
When VCAP (first-stage ACL) space runs out, any IP rule not already installed in hardware is not created. New attempts to install previously uninstalled rules occur after the 5 second TTL timer interval and are dependent upon the space made available by other rules that have timed out.

New CLI Commands

configure policy app-signature group group name name [add | delete] pattern_list

unconfigure policy app-signature group group [name name | custom]

show policy app-signature group {group {name name}} {built-in | custom {detail} | detail}

configure policy slices {shared shared} {tci-overwrite slices}

show policy slices

Changed CLI Commands

Changes are underlined.

configure policy rule profile_index [{app-signature group group name name} | ether ether | icmp6type icmp6type | icmptype icmptype | ip6dest ip6dest |ipdestsocket ipdestsocket | ipfrag | ipproto ipproto | ipsourcesocket ipsourcesocket | iptos iptos | ipttl ipttl | macdest macdest | macsource macsource | port port | tcpdestportIP tcpdestportIP | tcpsourceportIP tcpsourceportIP | udpdestportIP udpdestportIP | udpsourceportIP udpsourceportIP ] {mask mask } {port-string [ port_string | all]} {storage-type [non-volatile | volatile]} {drop | forward} {syslog syslog} {trap trap} {cos cos } {mirror-destination control_index} {clear-mirror}

unconfigure policy rule [ profile_index] [all-pid-entries ] | [[ether | icmp6type | icmptype |ip6dest | ipdestsocket | ipfrag |ipproto | ipsourcesocket | iptos | ipttl | macdest | macsource | port | tcpsourceportIP | udpsourceportIP | tcpdestportIP | udpdestportIP ] {app-signature} [all-traffic-entries | data] {mask mask} {port-string port_string|all}}]

show policy rule {all | app-signature | {profile-index profile_index | admin-profile} ether {ether} | icmp6type {icmp6type} | icmptype {icmptype} | ip6dest {ip6dest} | ipdest {ipdest} | ipfrag | ipproto {ipproto} | ipsource { ipsource } | iptos { iptos } | ipttl { ipttl } | macdest { macdest } | macsource { macsource } | port { port } | tcpdestportIP { tcpdestportIP } | tcpsourceportIP { tcpsourceportIP } | udpdestportIP { udpdestportIP } | udpsourceportIP { udpsourceportIP }} {mask mask } {port-string [ port_string | all]} {storage-type [non-volatile | volatile]} {drop | forward} {cos cos | admin-pid admin_pid }} {detail | wide}