Configuring Application Fingerprinting AFP Overview
OmniSwitch AOS Release 8 Network Configuration Guide December 2017 page 30-7
Using the UNP Mode
The Universal Network Profile (UNP) mode also triggers IP packet sampling on the port, but the switch
first checks whether the ingress traffic is classified into a UNP.
• If the traffic is assigned to a UNP, the switch then checks if the UNP is associated with an AFP QoS
policy list that contains the AFP policy condition.
• If the UNP is associated with an AFP QoS policy list, the application group specified in the AFP policy
condition of a rule within that list is used to monitor ingress traffic on the AFP port. Policy actions
associated with the same AFP policy condition rule are applied to matching IP traffic.
• If there is no matching UNP or the UNP does not use an AFP policy list or condition, then AFP ignores
the traffic; no packet sampling or monitoring is performed.
The UNP QoS policy list for AFP is created in the same way as the list used by the QoS mode. The main
difference between the UNP and QoS modes is the check for UNP classification before packet sampling
and monitoring start. In addition, the policy list type is set to UNP instead of Application
Fingerprinting, and UNP is enabled on the AFP port. For example, the following QoS policy rule and
policy list configuration is associated with a UNP, which is then applied to AFP port traffic
classified into that UNP:
-> policy condition c1 appfp-group p2p
-> policy action a1 disposition drop
-> policy rule r1 condition c1 action a1 no default-list
-> policy list list1 type unp
-> policy list list1 rules r1
-> qos apply
-> unp profile V10_1 qos-policy-list list1
-> unp profile V10_1 map vlan 10
-> unp classification mac-address 00:00:00:00:03:01 vlan-tag 10 profile1 V10_1
-> unp port 1/2/1 port-type bridge
-> app-fingerprint port 1/2/1 unp-profile
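The UNP-mode decision sequence described above, modeled in Python as an added example (this is not AOS code and not part of the original guide). The MAC address, VLAN, profile, list and rule names mirror the configuration shown; the signature names and regular expressions are constructed stand-ins, since the contents of app-regex.txt are not shown here.

```python
import re

# Constructed stand-ins for application signatures and groups (assumption, not the real file).
SIGNATURES = {
    "bt-demo": re.compile(rb"^\x13BitTorrent protocol"),
    "gnutella-demo": re.compile(rb"^GNUTELLA CONNECT/"),
}
GROUPS = {"p2p": ["bt-demo", "gnutella-demo"]}

# Values mirrored from the configuration example above.
CLASSIFICATION = {("00:00:00:00:03:01", 10): "V10_1"}   # unp classification mac-address ... vlan-tag 10
PROFILE_LIST = {"V10_1": "list1"}                        # policy list attached to the UNP profile
POLICY_LISTS = {"list1": {"type": "unp", "rules": ["r1"]}}
RULES = {"r1": {"appfp_group": "p2p", "disposition": "drop"}}


def afp_unp_decision(src_mac, vlan, payload):
    """Return (outcome, detail) for one ingress packet on an AFP port in UNP mode."""
    profile = CLASSIFICATION.get((src_mac.lower(), vlan))
    if profile is None:
        return ("ignored", "no matching UNP")            # no sampling, no monitoring
    plist = POLICY_LISTS.get(PROFILE_LIST.get(profile))
    if plist is None or plist["type"] != "unp":
        return ("ignored", "UNP has no AFP policy list")
    monitored = []
    for rule_name in plist["rules"]:
        rule = RULES[rule_name]
        group = rule.get("appfp_group")
        if group is None:
            continue                                     # rule carries no AFP condition
        monitored.append(group)
        for app in GROUPS.get(group, []):
            if SIGNATURES[app].search(payload):
                return (rule["disposition"], f"{rule_name}: {app} in group {group}")
    if not monitored:
        return ("ignored", "policy list has no AFP condition")
    return ("sampled", "no signature matched in " + ",".join(monitored))


if __name__ == "__main__":
    for mac, vlan, data in [("00:00:00:00:03:01", 10, b"\x13BitTorrent protocol"),
                            ("00:00:00:00:03:01", 10, b"GET / HTTP/1.1\r\n"),
                            ("00:00:00:00:03:02", 10, b"\x13BitTorrent protocol")]:
        print(mac, vlan, afp_unp_decision(mac, vlan, data))
```

The third sample packet shows the point that distinguishes UNP mode: traffic that would match a signature is never sampled if its source is not classified into a UNP with an AFP policy list.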
Using the Application REGEX Signature File
The REGEX signatures that AFP uses to detect and monitor remote applications are stored in an ASCII
text file named “app-regex.txt”. This file is located in the “/flash/app-signature/” directory on the local
switch, and the contents of the file are user-configurable.
The application REGEX signature file contains two sections: one section to define application signatures
and the other section to define application groups.
• The application signatures section defines a name, optional description, and a REGEX signature for
each application.
• The application group section is used to group application signatures together. Each group is identified
by a name and consists of the names of each application signature that is a member of the group.
An application group name is required when configuring an AFP port to run in monitoring mode and
when creating QoS policy lists that are used when the port is running in the QoS or UNP mode (see
“Application Fingerprinting Modes” on page 30-6). Combining multiple application signatures into one
group eases configuration; specifying a single group name when configuring the AFP operation requires
fewer steps than configuring AFP for each individual application.