GigaSMART Application Session Filtering (ASF) and Buffer ASF

Required Licenses: Adaptive Packet Filtering (APF) and Application Session Filtering (ASF)

Note: The ASF license requires the APF license to be installed as a prerequisite.

Application Session Filtering (ASF) provides additional filtering on top of Adaptive Packet Filtering (APF). With APF, you can filter on any data patterns within a packet. With ASF, you apply the pattern matching and then send all the packet flows associated with the matched packet to monitoring or security tools.

ASF allows you to filter all traffic corresponding to a session. Use ASF to create a flow session and send the packets associated with the flow session to one or more tools. A flow session consists of one or more fields that you select to define the session. Without buffering, only the matching packet and the packets that follow it in the session are captured; with buffer ASF, packets are held until the match is made, so the whole session can be captured.

ASF and Buffer ASF Examples

Refer to the following ASF examples (non-buffered):

■   Example 1: ASF, Forward TCP Traffic
■   Example 2: ASF, Forward VNC Traffic
■   Example 3: ASF, Forward Traffic Matching a Pattern
■   Example 4: ASF, Forward GTP Traffic

Refer to the following buffer ASF examples:

■   Example 1: Buffer ASF, Drop Netflix Traffic
■   Example 2: Buffer ASF, Drop YouTube Traffic
■   Example 3: Buffer ASF, Drop Windows Update Traffic
■   Example 4: Buffer ASF, Forward VNC Traffic
■   Example 5: Buffer ASF, Forward HTTPS Traffic on Non-Standard Port

In addition to the examples in this document, the Application Session Filtering Cookbook provides a number of step-by-step recipes that show how to extract relevant flows with ASF, such as filtering YouTube traffic or emails with attachments. The cookbook also describes a methodology for identifying string patterns and regular expressions.

Example 1: ASF, Forward TCP Traffic

In Example 1, ASF is used with GigaSMART Load Balancing and Adaptive Packet Filtering to load balance TCP traffic among multiple tool ports. TCP SYN indicates the start of a connection. Once the TCP SYN packet is detected, subsequent packets belonging to the same TCP connection will be forwarded to a configured tool port. Packets belonging to the same connection will be sent to the same tool port, regardless of the number of connections.

In Example 1, the whole connection is captured because the first packet of the connection is captured by APF.

Note:  This example uses APF to filter TCP packets to capture the SYN packet. Alternatively, use buffer ASF to capture a whole session by buffering packets.

Step 1. Create a flow session.

(config) # apps asf alias asf4

(config apps asf alias asf4) # sess-field add ipv4-5tuple outer

(config apps asf alias asf4) # exit

(config) #

Step 2. Create a port group and specify the tool ports for load balancing.

(config) # port-group alias portgrp1 port-list 1/1/x6,1/1/x7,1/2/x3,1/2/x4

Step 3. Enable load balancing on the port group.

(config) # port-group alias portgrp1 smart-lb enable

Step 4. Configure a GigaSMART group and associate it with GigaSMART engine ports.

(config) # gsgroup alias gsgrp1 port-list 1/3/e1,1/3/e2

Step 5. Configure the combined GigaSMART operation: APF, the asf4 flow session, and load balancing across the port group with the round-robin metric.

(config) # gsop alias gsop1 apf set asf asf4 lb app asf metric round-robin port-list gsgrp1

Step 6. Create a virtual port and associate it with the GigaSMART group.

(config) # vport alias vp1 gsgroup gsgrp1

Step 7. Create a first level map.

(config) # map alias map11

(config map alias map11) # type firstLevel byRule

(config map alias map11) # from 1/1/x1

(config map alias map11) # to vp1

(config map alias map11) # rule add pass ipver 4

(config map alias map11) # exit

(config) #

Step 8. Create a second level map. The gsrule matches the TCP SYN (control byte equal to 2, compared with no mask), which is the first packet of a connection and so opens the session.

(config) # map alias map22

(config map alias map22) # type secondLevel byRule

(config map alias map22) # from vp1

(config map alias map22) # use gsop gsop1

(config map alias map22) # to portgrp1

(config map alias map22) # gsrule add pass tcp ctl pos 1 value 2 mask none

(config map alias map22) # exit

(config) #

Step 9. Display the configuration for this example.

(config) # show port-group

(config) # show gsgroup

(config) # show gsop

(config) # show gsop stats all

Note: In Gen3, the packets that match the ruleSets are shown in gsop stats all.

Note: In Gen2, the packets that reach the v-port are shown in gsop stats all.

(config) # show load-balance port-group stats

Example 2: ASF, Forward VNC Traffic

In Example 2, traffic from a Virtual Network Computing (VNC) application is forwarded from network port 1/1/x1 to tool port 1/1/x6. Packets will be matched with a VNC signature. Once a packet is matched, subsequent packets with the same IPv4 5-tuple will be forwarded to the same destination as the matching packet. By default, both the forward and the reverse traffic of the same session will be captured and forwarded.

Step 1. Create a flow session.

(config) # apps asf alias asf1

(config apps asf alias asf1) # sess-field add ipv4-5tuple outer

(config apps asf alias asf1) # exit

(config) #

Step 2. Configure a GigaSMART group and associate it with GigaSMART engine ports.

(config) # gsgroup alias gsgrp1 port-list 1/3/e1,1/3/e2

Step 3. Configure the combined GigaSMART operation.

(config) # gsop alias gsop1 apf set asf asf1 port-list gsgrp1

Step 4. Create a virtual port and associate it with the GigaSMART group.

(config) # vport alias vp1 gsgroup gsgrp1

Step 5. Create a first level map.

(config) # map alias map11

(config map alias map11) # type firstLevel byRule

(config map alias map11) # from 1/1/x1

(config map alias map11) # to vp1

(config map alias map11) # rule add pass ipver 4

(config map alias map11) # exit

(config) #

Step 6. Create a second level egress map. The gsrule contains the VNC signature: the RFB ProtocolVersion banner that a VNC server sends at the start of a connection (RFC 6143 gives it as, for example, "RFB 003.008\n"). The banner is uppercase on the wire, so confirm how the engine's RegEx match handles case before relying on the lowercase pattern.

(config) # map alias map22

(config map alias map22) # type secondLevel byRule

(config map alias map22) # from vp1

(config map alias map22) # use gsop gsop1

(config map alias map22) # to 1/1/x6

(config map alias map22) # gsrule add pass pmatch RegEx "^rfb 00[1-9]\.00[0-9]\x0a$" 16..1000

(config map alias map22) # exit

(config) #

Step 7. Display the configuration for this example.

(config) # show gsgroup

(config) # show gsop

(config) # show map

Example 3: ASF, Forward Traffic Matching a Pattern

In Example 3, the traffic that matches a particular pattern (ymsg|ypns|yhoo) is forwarded from network port 1/1/x1 to tool port 1/1/x6 after adding a VLAN tag. Packets will be matched with the special signature. Once a packet is matched, subsequent packets with the same source IP, source port, and VLAN ID will be forwarded to the same destination as the matching packet (after the VLAN header is inserted). By default, both the forward and the reverse traffic of the same session will be captured and forwarded.

Step 1. Create a flow session and other parameters.

(config) # apps asf alias asf2

(config apps asf alias asf2) # sess-field add ipv4-src outer

(config apps asf alias asf2) # sess-field add l4port-src outer

(config apps asf alias asf2) # sess-field add vlan-id pos 1

(config apps asf alias asf2) # packet-count 50

(config apps asf alias asf2) # exit

(config) #

Step 2. Configure a GigaSMART group and associate it with GigaSMART engine ports.

(config) # gsgroup alias gsgrp1 port-list 1/3/e1,1/3/e2

Step 3. Configure the GigaSMART operation.

(config) # gsop alias gsop1 apf set add-header vlan 1000 asf asf2 port-list gsgrp1

Step 4. Create a virtual port and associate it with the GigaSMART group.

(config) # vport alias vp1 gsgroup gsgrp1

Step 5. Create a first level map.

(config) # map alias map11

(config map alias map11) # type firstLevel byRule

(config map alias map11) # from 1/1/x1

(config map alias map11) # to vp1

(config map alias map11) # rule add pass ipver 4

(config map alias map11) # exit

(config) #

Step 6. Create a second level map. The gsrule contains the special signature.

(config) # map alias map22

(config map alias map22) # type secondLevel byRule

(config map alias map22) # from vp1

(config map alias map22) # use gsop gsop1

(config map alias map22) # to 1/1/x6

(config map alias map22) # gsrule add pass pmatch RegEx "(ymsg|ypns|yhoo)" 16..1000

(config map alias map22) # exit

(config) #

Step 7. Display the configuration for this example.

(config) # show gsgroup

(config) # show gsop

(config) # show map

Example 4: ASF, Forward GTP Traffic

In Example 4, GTP traffic from network port 1/1/x1 is load balanced based on inner IP and tunnel ID to four tool ports: 1/1/x6, 1/1/x7, 1/2/x3, and 1/2/x4. APF filters GTP-u packets. Once a packet is matched, subsequent packets in the same direction with the same gtpu-teid and inner IP will be forwarded to the same destination as the matching packet. In Example 4, both the outer and inner IP are IPv4.

Step 1. Create a flow session and other parameters.

(config) # apps asf alias asf3

(config apps asf alias asf3) # sess-field add gtpu-teid

(config apps asf alias asf3) # sess-field add ipv4 inner

(config apps asf alias asf3) # bi-directional disable

(config apps asf alias asf3) # timeout 90

(config apps asf alias asf3) # exit

(config) #

Step 2. Create a port group and specify the tool ports for load balancing.

(config) # port-group alias portgrp1 port-list 1/1/x6,1/1/x7,1/2/x3,1/2/x4

Step 3. Enable load balancing on the port group.

(config) # port-group alias portgrp1 smart-lb enable

Step 4. Configure a GigaSMART group and associate it with GigaSMART engine ports.

(config) # gsgroup alias gsgrp1 port-list 1/3/e1,1/3/e2

Step 5. Configure the combined GigaSMART operation: APF, the asf3 flow session, and load balancing with the least-connections (lt-conn) metric.

(config) # gsop alias gsop1 apf set asf asf3 lb app asf metric lt-conn port-list gsgrp1

Step 6. Create a virtual port and associate it with the GigaSMART group.

(config) # vport alias vp1 gsgroup gsgrp1

Step 7. Create a first level map.

(config) # map alias map11

(config map alias map11) # type firstLevel byRule

(config map alias map11) # from 1/1/x1

(config map alias map11) # to vp1

(config map alias map11) # rule add pass protocol udp portdst 2152

(config map alias map11) # exit

(config) #

Step 8. Create a second level map. The gsrule passes GTP-U packets (UDP to destination port 2152).

(config) # map alias map22

(config map alias map22) # type secondLevel byRule

(config map alias map22) # from vp1

(config map alias map22) # use gsop gsop1

(config map alias map22) # to portgrp1

(config map alias map22) # gsrule add pass ipv4 protocol pos 1 value udp l4port dst pos 1 value 2152

(config map alias map22) # exit

(config) #

Step 9. Display the configuration for this example.

(config) # show gsgroup

(config) # show gsop

(config) # show port-group

(config) # show map

(config) # show apps asf
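The session behaviour that ASF Examples 1, 3 and 4 rely on (a session keyed on the outer IPv4 5-tuple, bi-directional by default, opened only by a packet that matches the gsrule, sticky to one tool port under load balancing, aged out by `timeout`, capped by `packet-count`) can be checked offline with the following Python simulation. It is an added illustration written for this page, not Gigamon code or output. Assumptions: the addresses, tool-port names and packet list are constructed; the session key is always the outer 5-tuple (Example 4's gtpu-teid plus inner IP key is not modelled); `packet-count` is taken to mean the number of packets forwarded per session; and an idle session is aged out when the next packet for it arrives after the idle limit.

```python
from dataclasses import dataclass

TCP_SYN = 0x02  # TCP control byte value matched by "tcp ctl pos 1 value 2 mask none"
TOOL_PORTS = ["1/1/x6", "1/1/x7", "1/2/x3", "1/2/x4"]  # portgrp1 in Examples 1 and 4


@dataclass(frozen=True)
class Packet:
    """Constructed packet summary; only the fields the session logic needs."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"
    tcp_flags: int = 0   # raw control bits: 0x02 SYN, 0x12 SYN-ACK, 0x18 PSH-ACK
    ts: float = 0.0      # arrival time in seconds


def session_key(pkt, bidirectional=True):
    """Outer IPv4 5-tuple, as `sess-field add ipv4-5tuple outer` defines the session.
    With bi-directional enabled (the default) both directions of a connection map to
    the same key, so reply packets join the session created by the forward match."""
    a, b = (pkt.src_ip, pkt.src_port), (pkt.dst_ip, pkt.dst_port)
    if bidirectional and b < a:
        a, b = b, a
    return (pkt.proto, a, b)


class AsfSimulator:
    """Non-buffered ASF: a session exists only from the packet that matched the gsrule
    onward; earlier packets of the same flow are never forwarded. That is why Example 1
    triggers on the SYN, the first packet of a TCP connection."""

    def __init__(self, trigger, tool_ports, bidirectional=True, timeout=None,
                 packet_count=None):
        self.trigger = trigger              # callable(Packet) -> bool, i.e. the gsrule
        self.tool_ports = list(tool_ports)
        self.bidirectional = bidirectional  # `bi-directional disable` sets this False
        self.timeout = timeout              # idle seconds before age-out (`timeout 90`)
        self.packet_count = packet_count    # assumed meaning of `packet-count 50`:
                                            # forward at most this many packets per session
        self.sessions = {}                  # key -> {"port", "last", "n"}
        self._rr = 0                        # round-robin cursor (`lb app asf metric round-robin`)

    def process(self, pkt):
        """Return the tool port the packet goes to, or None when it is not forwarded."""
        key = session_key(pkt, self.bidirectional)
        sess = self.sessions.get(key)
        if sess is not None and self.timeout is not None and pkt.ts - sess["last"] > self.timeout:
            del self.sessions[key]          # idle too long: the flow must match the gsrule again
            sess = None
        if sess is None:
            if not self.trigger(pkt):
                return None
            port = self.tool_ports[self._rr % len(self.tool_ports)]
            self._rr += 1
            sess = self.sessions[key] = {"port": port, "last": pkt.ts, "n": 0}
        sess["last"] = pkt.ts
        sess["n"] += 1
        if self.packet_count is not None and sess["n"] > self.packet_count:
            return None                     # per-session cap reached
        return sess["port"]                 # sticky: every packet of the session, either direction


def example1_demo():
    """Two interleaved TCP connections to the same server, plus a third seen mid-stream
    (no SYN observed). Returns the tool port per packet, in arrival order."""
    asf = AsfSimulator(lambda p: p.tcp_flags == TCP_SYN, TOOL_PORTS)  # "mask none": SYN only
    srv = ("192.0.2.10", 443)
    pkts = [
        Packet("198.51.100.1", 40001, *srv, tcp_flags=0x02, ts=0.0),  # A: SYN -> new session
        Packet(*srv, "198.51.100.1", 40001, tcp_flags=0x12, ts=0.1),  # A: SYN-ACK, reverse
        Packet("198.51.100.2", 40002, *srv, tcp_flags=0x02, ts=0.2),  # B: SYN -> next port
        Packet("198.51.100.1", 40001, *srv, tcp_flags=0x18, ts=0.3),  # A: data
        Packet(*srv, "198.51.100.2", 40002, tcp_flags=0x18, ts=0.4),  # B: data, reverse
        Packet("198.51.100.3", 40003, *srv, tcp_flags=0x18, ts=0.5),  # C: no SYN seen -> dropped
    ]
    return [asf.process(p) for p in pkts]


def unidirectional_timeout_demo():
    """`bi-directional disable` and `timeout 90` as in Example 4 (key simplified to the
    outer 5-tuple): the reverse direction is a separate session that must match on its
    own, and an idle session ages out and must re-trigger."""
    asf = AsfSimulator(lambda p: p.tcp_flags == TCP_SYN, TOOL_PORTS,
                       bidirectional=False, timeout=90)
    srv = ("192.0.2.10", 443)
    pkts = [
        Packet("198.51.100.1", 40001, *srv, tcp_flags=0x02, ts=0.0),   # SYN: session created
        Packet(*srv, "198.51.100.1", 40001, tcp_flags=0x12, ts=0.1),   # reverse: own key, no SYN
        Packet("198.51.100.1", 40001, *srv, tcp_flags=0x18, ts=1.0),   # forward data: forwarded
        Packet("198.51.100.1", 40001, *srv, tcp_flags=0x18, ts=95.0),  # idle > 90 s: aged out
    ]
    return [asf.process(p) for p in pkts]
```

In the first demo connection A's SYN-ACK and data follow its SYN to the same tool port while connection B lands on the next port in the group; connection C, whose SYN the engine never saw, is not forwarded at all, which is the gap buffer ASF closes. The second demo shows why `bi-directional disable` is only appropriate when each direction can match the gsrule on its own, and that an aged-out session silently stops forwarding until the flow matches again.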

Example 1: Buffer ASF, Drop Netflix Traffic

In Example 1, the goal is to drop all Netflix traffic. The flow session is defined by the 5-tuple field and the first occurrence of VLAN ID. The Netflix traffic is expected to be identified in the first 6 packets of a session. (Configure the maximum number of packets buffered before the match to 5.) A maximum of 3 million sessions is specified.

Step 1. Configure a GigaSMART group and associate it with GigaSMART engine ports.

(config) # gsgroup alias gsgrp1 port-list 1/3/e1,1/3/e2

Step 2. Define the maximum number of sessions, in millions.

(config) # gsparams gsgroup gsgrp1 resource buffer-asf 3

Step 3. If needed, reload the GigaSMART line card or module to allocate the resources for buffer ASF.

(config) # card slot 3 down

Then to bring the GigaSMART line card or module back up:

(config) # no card slot 3 down

Step 4. Create a flow session, specify the buffer count before the match, and enable buffering.

Note: The default protocol is TCP, so it does not need to be specified.

(config) # apps asf alias asf2

(config apps asf alias asf2) # sess-field add ipv4-5tuple outer

(config apps asf alias asf2) # sess-field add vlan-id pos 1

(config apps asf alias asf2) # buffer-count-before-match 5

(config apps asf alias asf2) # buffer enable

(config apps asf alias asf2) # exit

(config) #

Step 5. Configure the combined GigaSMART operation.

(config) # gsop alias gsop1 apf set asf asf2 port-list gsgrp1

Step 6. Create a virtual port and associate it with the GigaSMART group.

(config) # vport alias vp1 gsgroup gsgrp1

Step 7. Create a first level map.

(config) # map alias map11

(config map alias map11) # type firstLevel byRule

(config map alias map11) # from 1/1/x1

(config map alias map11) # to vp1

(config map alias map11) # rule add pass ipver 4

(config map alias map11) # exit

(config) #

Step 8. Create a second level map. The gsrule specifies the traffic to drop, using keywords. Buffered packets and all subsequent packets will be dropped.

(config) # map alias map22

(config map alias map22) # type secondLevel byRule

(config map alias map22) # from vp1

(config map alias map22) # use gsop gsop1

(config map alias map22) # to 1/1/x6

(config map alias map22) # gsrule add drop pmatch protocol tcp pos 1 RegEx "netflix|nflxvideo|nflximg|Netflix|nflxext" 0..1460

(config map alias map22) # exit

(config) #

Step 9. Display the configuration for this example.

(config) # show gsgroup

(config) # show gsparams

(config) # show apps asf

(config) # show gsop

(config) # show vport

(config) # show map

Example 2: Buffer ASF, Drop YouTube Traffic

In Example 2, the goal is to drop all YouTube traffic. The YouTube traffic is expected to be identified in the first 7 packets of a session. (Configure the maximum number of packets buffered before the match to 6.) A maximum of 4 million sessions is specified.

Step 1. Configure a GigaSMART group and associate it with GigaSMART engine ports.

(config) # gsgroup alias gsgrp1 port-list 1/3/e1,1/3/e2

Step 2. Define the maximum number of sessions, in millions.

(config) # gsparams gsgroup gsgrp1 resource buffer-asf 4

Step 3. If needed, reload the GigaSMART line card or module to allocate the resources for buffer ASF.

(config) # card slot 3 down

Then to bring the GigaSMART line card or module back up:

(config) # no card slot 3 down

Step 4. Create a flow session, specify the buffer count before the match, and enable buffering.

Note: The default protocol is TCP, so it does not need to be specified.

(config) # apps asf alias asf2

(config apps asf alias asf2) # sess-field add ipv4-5tuple outer

(config apps asf alias asf2) # buffer-count-before-match 6

(config apps asf alias asf2) # buffer enable

(config apps asf alias asf2) # exit

(config) #

Step 5. Configure the combined GigaSMART operation.

(config) # gsop alias gsop1 apf set asf asf2 port-list gsgrp1

Step 6. Create a virtual port and associate it with the GigaSMART group.

(config) # vport alias vp1 gsgroup gsgrp1

Step 7. Create a first level map.

(config) # map alias map11

(config map alias map11) # type firstLevel byRule

(config map alias map11) # from 1/1/x1

(config map alias map11) # to vp1

(config map alias map11) # rule add pass ipver 4

(config map alias map11) # exit

(config) #

Step 8. Create a second level map. The gsrule specifies the traffic to drop, using keywords. Buffered packets and all subsequent packets will be dropped.

(config) # map alias map22

(config map alias map22) # type secondLevel byRule

(config map alias map22) # from vp1

(config map alias map22) # use gsop gsop1

(config map alias map22) # to 1/1/x6

(config map alias map22) # gsrule add drop pmatch protocol tcp pos 1 RegEx "youtube|ytimg|yt3.ggpht|tubeMogul|tmogul" 0..1460

(config map alias map22) # exit

(config) #

Step 9. Display the configuration for this example.

(config) # show gsgroup

(config) # show gsparams

(config) # show apps asf

(config) # show gsop

(config) # show vport

(config) # show map

Example 3: Buffer ASF, Drop Windows Update Traffic

In Example 3, the goal is to drop all Windows update traffic. The Windows update traffic is expected to be identified on the HTTP request packet of a session. A maximum of 2 million sessions is specified.

Step 1. Configure a GigaSMART group and associate it with GigaSMART engine ports.

(config) # gsgroup alias gsgrp1 port-list 1/3/e1,1/3/e2

Step 2. Define the maximum number of sessions, in millions.

(config) # gsparams gsgroup gsgrp1 resource buffer-asf 2

Step 3. If needed, reload the GigaSMART line card or module to allocate the resources for buffer ASF.

(config) # card slot 3 down

Then to bring the GigaSMART line card or module back up:

(config) # no card slot 3 down

Step 4. Create a flow session, specify the buffer count before the match, and enable buffering.

Note: The default protocol is TCP, so it does not need to be specified.

(config) # apps asf alias asf2

(config apps asf alias asf2) # sess-field add ipv4-5tuple outer

(config apps asf alias asf2) # buffer-count-before-match 3

(config apps asf alias asf2) # buffer enable

(config apps asf alias asf2) # exit

(config) #

Step 5. Configure the combined GigaSMART operation.

(config) # gsop alias gsop1 apf set asf asf2 port-list gsgrp1

Step 6. Create a virtual port and associate it with the GigaSMART group.

(config) # vport alias vp1 gsgroup gsgrp1

Step 7. Create a first level map.

(config) # map alias map11

(config map alias map11) # type firstLevel byRule

(config map alias map11) # from 1/1/x1

(config map alias map11) # to vp1

(config map alias map11) # rule add pass ipver 4

(config map alias map11) # exit

(config) #

Step 8. Create a second level map. The gsrule specifies the traffic to drop. Buffered packets and all subsequent packets will be dropped.

(config) # map alias map22

(config map alias map22) # type secondLevel byRule

(config map alias map22) # from vp1

(config map alias map22) # use gsop gsop1

(config map alias map22) # to 1/1/x6

(config map alias map22) # gsrule add drop pmatch protocol tcp pos 1 RegEx "msdownload/update/software" 0..1460

(config map alias map22) # exit

(config) #

Step 9. Display the configuration for this example.

(config) # show gsparams

(config) # show apps asf

(config) # show map

Example 4: Buffer ASF, Forward VNC Traffic

In Example 4, the goal is to forward VNC traffic from network port 1/1/x1 to tool port 1/1/x6. All packets belonging to the TCP connection need to be sent to the tool port. The first data packet after the TCP handshake is expected to contain the VNC pattern match. A maximum of 2 million sessions is specified.

Step 1. Configure a GigaSMART group and associate it with GigaSMART engine ports.

(config) # gsgroup alias gsgrp1 port-list 1/3/e1,1/3/e2

Step 2. Define the maximum number of sessions, in millions.

(config) # gsparams gsgroup gsgrp1 resource buffer-asf 2

Step 3. If needed, reload the GigaSMART line card or module to allocate the resources for buffer ASF.

(config) # card slot 3 down

Then to bring the GigaSMART line card or module back up:

(config) # no card slot 3 down

Step 4. Create a flow session, specify the buffer count before the match, and enable buffering.

Note: The default protocol is TCP, so it does not need to be specified.

(config) # apps asf alias asf1

(config apps asf alias asf1) # sess-field add ipv4-5tuple outer

(config apps asf alias asf1) # buffer-count-before-match 3

(config apps asf alias asf1) # buffer enable

(config apps asf alias asf1) # exit

(config) #

Step 5. Configure the combined GigaSMART operation.

(config) # gsop alias gsop1 apf set asf asf1 port-list gsgrp1

Step 6. Create a virtual port and associate it with the GigaSMART group.

(config) # vport alias vp1 gsgroup gsgrp1

Step 7. Create a first level map.

(config) # map alias map11

(config map alias map11) # type firstLevel byRule

(config map alias map11) # from 1/1/x1

(config map alias map11) # to vp1

(config map alias map11) # rule add pass ipver 4

(config map alias map11) # exit

(config) #

Step 8. Create a second level map. The gsrule specifies the traffic to pass. Buffered packets and all subsequent packets will be passed.

(config) # map alias map22

(config map alias map22) # type secondLevel byRule

(config map alias map22) # from vp1

(config map alias map22) # use gsop gsop1

(config map alias map22) # to 1/1/x6

(config map alias map22) # gsrule add pass pmatch protocol tcp pos 1 RegEx "^rfb 00[1-9]\.00[0-9]\x0a$" 0

(config map alias map22) # exit

(config) #

Step 9. Display the configuration for this example.

(config) # show gsparams

(config) # show gsgroup

(config) # show gsop

(config) # show map

Example 5: Buffer ASF, Forward HTTPS Traffic on Non-Standard Port

In Example 5, the goal is to forward HTTPS traffic that uses a non-standard Layer 4 port. All packets belonging to the TCP connection need to be sent to the tool port. A maximum of 5 million sessions is specified.

Step 1. Configure a GigaSMART group and associate it with GigaSMART engine ports.

(config) # gsgroup alias gsgrp1 port-list 1/3/e1,1/3/e2

Step 2. Define the maximum number of sessions, in millions.

(config) # gsparams gsgroup gsgrp1 resource buffer-asf 5

Step 3. If needed, reload the GigaSMART line card or module to allocate the resources for buffer ASF.

(config) # card slot 3 down

Then to bring the GigaSMART line card or module back up:

(config) # no card slot 3 down

Step 4. Create a flow session, specify the buffer count before the match, and enable buffering.

Note: The default protocol is TCP, so it does not need to be specified.

(config) # apps asf alias asf2

(config apps asf alias asf2) # sess-field add ipv4-5tuple outer

(config apps asf alias asf2) # buffer-count-before-match 3

(config apps asf alias asf2) # buffer enable

(config apps asf alias asf2) # exit

(config) #

Step 5. Configure the combined GigaSMART operation.

(config) # gsop alias gsop1 apf set asf asf2 port-list gsgrp1

Step 6. Create a virtual port and associate it with the GigaSMART group.

(config) # vport alias vp1 gsgroup gsgrp1

Step 7. Create a first level map.

(config) # map alias map11

(config map alias map11) # type firstLevel byRule

(config map alias map11) # from 1/1/x1

(config map alias map11) # to vp1

(config map alias map11) # rule add pass ipver 4

(config map alias map11) # exit

(config) #

Step 8. Create a second level map. The gsrule specifies the traffic to pass. The RegEx matches a TLS handshake record (content type 0x16, major version 0x03, with the minor version and two length bytes skipped by .{3}) whose first handshake message is a ClientHello (type 0x01), so the session is identified by its content rather than by its Layer 4 port. Buffered packets and all subsequent packets will be passed.

(config) # map alias map22

(config map alias map22) # type secondLevel byRule

(config map alias map22) # from vp1

(config map alias map22) # use gsop gsop1

(config map alias map22) # to 1/1/x6

(config map alias map22) # gsrule add pass pmatch protocol tcp pos 1 RegEx "\x16\x03.{3}\x01" 0

(config map alias map22) # exit

(config) #

Step 9. Display the configuration for this example.

(config) # show gsgroup

(config) # show gsop

(config) # show map
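The buffer ASF verdict logic described in Buffer ASF Example 1 (drop Netflix) and Example 5 (pass TLS on a non-standard port) can be exercised offline with the following Python simulation. It is an added illustration written for this page, not Gigamon code or output. It reuses the two RegEx patterns from those examples on constructed payloads and session keys. Assumptions, none of which the page states: pmatch offsets count from the first byte of the TCP payload; a session whose buffer-count-before-match window fills without a match is treated as not matching, so a drop rule lets it through and a pass rule discards it; and the session table is unbounded (the `resource buffer-asf` limit is not modelled).

```python
import re
from collections import deque

# gsrule RegEx patterns from Buffer ASF Examples 1 and 5, applied to the TCP payload.
# re.DOTALL: in Python "." would otherwise refuse to match a 0x0a length byte; check
# whether your engine treats "." the same way before trusting ".{3}" on binary data.
NETFLIX_RE = re.compile(rb"netflix|nflxvideo|nflximg|Netflix|nflxext")
CLIENT_HELLO_RE = re.compile(rb"\x16\x03.{3}\x01", re.DOTALL)


def tls_client_hello(body=b"\x03\x03" + bytes(32)):
    """Constructed TLS record carrying a ClientHello: record type 0x16 (handshake),
    record version 0x0301, 2-byte length, then handshake type 0x01 (ClientHello)."""
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


class BufferAsf:
    """Buffer ASF with one pmatch gsrule.

    Modelled from the examples: packets of a session that has not matched yet are held,
    up to buffer_count of them; a match applies the rule action to the held packets and
    to every later packet of the session. Assumption (the page does not say): a session
    whose window fills without a match counts as NOT matching, so a drop rule lets it
    through to the tool and a pass rule discards it."""

    def __init__(self, pattern, window, action, buffer_count):
        self.pattern = pattern            # compiled RegEx of the gsrule
        self.window = window              # (lo, hi) for "lo..hi"; (lo, None) for a single "pos"
        self.action = action              # "pass" or "drop": what happens to MATCHED sessions
        self.buffer_count = buffer_count  # buffer-count-before-match
        self.pending = {}                 # session key -> deque of held packet ids
        self.verdict = {}                 # session key -> True (deliver) / False (discard)
        self.delivered = []               # (packet id, arrival index at which it left the engine)
        self.clock = 0

    def _matches(self, payload):
        # Assumption: pmatch offsets count from the first byte of the L4 payload.
        lo, hi = self.window
        if hi is None:
            return self.pattern.match(payload, lo) is not None
        return self.pattern.search(payload, lo, hi + 1) is not None

    def process(self, key, pkt_id, payload=b""):
        self.clock += 1
        if key in self.verdict:               # session already settled: apply its verdict
            if self.verdict[key]:
                self.delivered.append((pkt_id, self.clock))
            return
        held = self.pending.setdefault(key, deque())
        held.append(pkt_id)
        if self._matches(payload):
            self._settle(key, matched=True)
        elif len(held) > self.buffer_count:   # packet buffer_count+1 arrived without a match
            self._settle(key, matched=False)

    def _settle(self, key, matched):
        deliver = (self.action == "pass") == matched
        self.verdict[key] = deliver
        held = self.pending.pop(key)
        if deliver:                           # release held packets, in original order
            self.delivered.extend((pid, self.clock) for pid in held)

    def delivered_ids(self):
        return [pid for pid, _ in self.delivered]


def drop_netflix_demo():
    """Buffer ASF Example 1: drop rule, buffer-count-before-match 5. Session N carries a
    constructed Netflix Host header in its third packet; session O never matches."""
    asf = BufferAsf(NETFLIX_RE, (0, 1460), "drop", buffer_count=5)
    N = ("198.51.100.1", 40001, "203.0.113.5", 80)
    O = ("198.51.100.2", 40002, "203.0.113.6", 80)
    nflx = b"GET /range/0-1000 HTTP/1.1\r\nHost: example.nflxvideo.net\r\n\r\n"
    other = b"GET / HTTP/1.1\r\nHost: example.org\r\n\r\n"
    stream = [(O, "O1", b""), (N, "N1", b""), (O, "O2", b""), (N, "N2", b""), (O, "O3", b""),
              (N, "N3", nflx), (N, "N4", b""), (O, "O4", b""), (O, "O5", b""),
              (O, "O6", other), (O, "O7", b""), (O, "O8", b"")]
    for key, pid, payload in stream:
        asf.process(key, pid, payload)
    return asf


def pass_tls_demo():
    """Buffer ASF Example 5: pass rule anchored at payload offset 0, buffer-count-before-match 3.
    Session T is TLS on port 8443 (ClientHello is its third packet, after SYN and ACK);
    session P is plaintext on the same port and never matches."""
    asf = BufferAsf(CLIENT_HELLO_RE, (0, None), "pass", buffer_count=3)
    T = ("198.51.100.1", 40001, "203.0.113.5", 8443)
    P = ("198.51.100.2", 40002, "203.0.113.5", 8443)
    stream = [(T, "T1", b""), (T, "T2", b""), (P, "P1", b""), (P, "P2", b""),
              (T, "T3", tls_client_hello()), (P, "P3", b"GET / HTTP/1.1\r\n"),
              (T, "T4", b"\x17\x03\x03\x00\x20" + bytes(32)), (P, "P4", b"more plaintext")]
    for key, pid, payload in stream:
        asf.process(key, pid, payload)
    return asf
```

Two points the simulation makes visible. First, the arrival index recorded with each delivered packet shows that a non-matching session's first packets only leave the engine when its window fills (at its sixth packet for buffer-count-before-match 5), so buffering adds latency and changes inter-session ordering at the tool even though order within a session is preserved; size the window to the earliest packet that can carry the signature, as the examples do. Second, the fate of sessions that never match is the mirror image of the rule action, so a pass rule such as Example 5 drops every non-TLS connection on the port, not just the buffered packets.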