Configuring Application Fingerprinting Configuring AFP
OmniSwitch AOS Release 8 Network Configuration Guide December 2017 page 30-16
Configuring AFP Port Modes
Configuring a port or link aggregate as an AFP port also applies an operational mode to the port. The
operational mode (monitoring, QoS, or Universal Network Profile) applied determines the following:
• The application signature group to use for monitoring ingress IP traffic on the port (monitoring mode).
• The QoS policy list that specifies the application signature group to monitor and any QoS actions to
apply to the matching IP traffic (QoS mode).
• Whether or not to check for a Universal Network Profile (UNP) associated with ingress port traffic. If
port traffic is associated with a UNP, the QoS policy list associated with the UNP is used to determine
the application signature group to monitor (UNP mode).
It is possible to configure more than one operational mode per AFP port. However, using a different
application signature group for each mode is highly recommended to avoid conflicts that might cause
undesired dropping of traffic, especially when the QoS and UNP modes are both used on the same port.
Configuring the AFP Monitoring Mode
To configure a port or link aggregate as an AFP port operating in the monitoring mode, use the
app-fingerprint port command with the monitor-app-group parameter. For example:
-> app-fingerprint port 1/2/1 monitor-app-group my-p2p
-> app-fingerprint linkagg 10 monitor-app-group my-p2p
In this example, port 1/2/1 and aggregate 10 are configured as AFP ports that will pattern match and
monitor ingress IP packets using the REGEX signatures defined in the “my-p2p” application group. When
a match is found, no further action is taken on the matching packets other than logging and monitoring the
application traffic.
Configuring the AFP QoS Mode
To configure a port or link aggregate as an AFP port operating in the QoS mode, use the app-fingerprint
port command with the policy-list-name parameter. For example:
-> app-fingerprint port 1/2/5 policy-list-name drop-p2p
-> app-fingerprint linkagg 2 policy-list-name drop-p2p
In this example, port 1/2/5 and aggregate 2 are configured as AFP ports that will pattern match ingress IP
packets using REGEX signatures defined in an application group that is specified by an AFP policy
condition in the “drop-p2p” policy list. When a match is found, QoS actions associated with the AFP
condition rule are applied to the matching traffic.
Configuring the AFP UNP Mode
To configure a port or link aggregate as an AFP port operating in the UNP mode, configure the port as a
UNP port, then use the app-fingerprint port command with the unp-profile parameter. For example:
-> unp port 1/1/8 port-type bridge
-> app-fingerprint port 1/1/8 unp-profile
-> unp linkagg 5 port-type bridge
-> app-fingerprint linkagg 5 unp-profile
In this example, port 1/1/8 and aggregate 5 are configured as UNP and AFP ports. AFP will determine if
traffic received on this port and aggregate is associated with a UNP. If so, the QoS policy list associated
with the UNP is applied to the ingress IP traffic. If the policy list does not specify an application group
condition, then the AFP port traffic is ignored.
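The following is an added example, not part of the guide or of AOS: a small Python audit that reads AFP command lines in the three forms shown above and flags interfaces with more than one operational mode, as well as interfaces set to UNP mode without a matching unp port or unp linkagg line. The function name audit_afp and the sample configuration are constructed for illustration, and the script assumes the configuration text uses the same command lines as typed at the CLI.

```python
import re
from collections import defaultdict

# Constructed sample configuration (not from the guide), using the three
# command forms shown above. Port 1/2/5 is deliberately given two modes and
# linkagg 7 is given UNP mode without a matching "unp linkagg" line.
SAMPLE_CONFIG = """\
unp port 1/2/5 port-type bridge
app-fingerprint port 1/2/1 monitor-app-group my-p2p
app-fingerprint port 1/2/5 policy-list-name drop-p2p
app-fingerprint port 1/2/5 unp-profile
app-fingerprint linkagg 7 unp-profile
"""

# An optional leading "->" prompt is tolerated so pasted CLI lines also parse.
AFP_RE = re.compile(
    r"^(?:->\s*)?app-fingerprint\s+(port|linkagg)\s+(\S+)\s+"
    r"(monitor-app-group|policy-list-name|unp-profile)(?:\s+(\S+))?\s*$")
UNP_RE = re.compile(r"^(?:->\s*)?unp\s+(port|linkagg)\s+(\S+)\s+port-type\s+\S+")
MODE = {"monitor-app-group": "monitoring", "policy-list-name": "qos",
        "unp-profile": "unp"}

def audit_afp(config_text):
    """Return (modes per interface, list of findings) for AFP port config."""
    modes = defaultdict(dict)   # (kind, id) -> {mode: group or policy list name}
    unp_ports = set()           # interfaces configured as UNP ports
    for line in config_text.splitlines():
        line = line.strip()
        if m := UNP_RE.match(line):
            unp_ports.add((m[1], m[2]))
        elif m := AFP_RE.match(line):
            modes[(m[1], m[2])][MODE[m[3]]] = m[4]
    findings = []
    for intf, cfg in sorted(modes.items()):
        name = f"{intf[0]} {intf[1]}"
        if "unp" in cfg and intf not in unp_ports:
            findings.append(f"{name}: UNP mode set but interface is not a UNP port")
        if {"qos", "unp"} <= cfg.keys():
            findings.append(f"{name}: QoS and UNP modes both set; verify each "
                            "uses a different application signature group")
        elif len(cfg) > 1:
            findings.append(f"{name}: multiple modes {sorted(cfg)}; verify each "
                            "uses a different application signature group")
    return dict(modes), findings

if __name__ == "__main__":
    for finding in audit_afp(SAMPLE_CONFIG)[1]:
        print(finding)
```

The audit cannot tell which application signature group a policy list refers to, so a multiple-mode finding is a prompt to check the policy conditions by hand.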