10-22-2014 02:21 PM - edited 03-05-2019 12:01 AM
I have several 1941/k9's that do not have the class-map command: to suppot ssl. System image is c1900-universalk9-mz.SPA.152-1.T.bin.
class-map match-any af31
match protocol ssl <-- missing.
I did some google searches but come up with nothing.
Is the fix to upgrade IOS? I have found it on other routers running c1900-universalk9-mz.SPA.152-4.M4.bin. I would just upgrade and check but have an extensive change review board with questions before doing so.
Thanks for advice,
Haydn
Solved! Go to Solution.
10-23-2014 07:51 AM
Disclaimer
The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
Liability Disclaimer
In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
Posting
I'm not current on NBAR (or NBAR 2), but NBAR used to support loadable modules (PDMs?). Sometimes Cisco would provide those so you could add match protocols without upgrading your IOS.
Otherwise the "fix" would be to upgrade your IOS.
Lastly, depending on what it matching SSL really means to you, using port based ACLs might suffice (in fact, some NBAR match protocol is only really that, but some NBAR matches regardless of the port usage).
PS:
Also on the subject of SSL, don't forget much can use it. I once matched on it for the purposes of providing secure shell higher queuing priority, worked great for SSH, not so great when secure copy (SCP) also matched against it.
10-22-2014 02:43 PM
It should be:
match protocol secure-http
HTH,
John
10-22-2014 10:18 PM
you can do your own custom class
for example
access-list acl_ssl extended perm tcp any any eq 443
access-list acl_ssl extended perm tcp any eq 443 any
class-map match-any ssl_class
match access-list acl_ssl
10-23-2014 07:51 AM
Disclaimer
The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
Liability Disclaimer
In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
Posting
I'm not current on NBAR (or NBAR 2), but NBAR used to support loadable modules (PDMs?). Sometimes Cisco would provide those so you could add match protocols without upgrading your IOS.
Otherwise the "fix" would be to upgrade your IOS.
Lastly, depending on what it matching SSL really means to you, using port based ACLs might suffice (in fact, some NBAR match protocol is only really that, but some NBAR matches regardless of the port usage).
PS:
Also on the subject of SSL, don't forget much can use it. I once matched on it for the purposes of providing secure shell higher queuing priority, worked great for SSH, not so great when secure copy (SCP) also matched against it.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide