Configuring APR
About APR
The application recognition (APR) feature recognizes application protocols of packets for features such as QoS, ASPF, and bandwidth management.
APR uses the following methods to recognize an application protocol:
· Port-based application recognition (PBAR).
· Network-based application recognition (NBAR).
Only PBAR is supported in the current software version.
PBAR
PBAR maps a port to an application protocol and recognizes packets of the application protocol according to the port-protocol mapping.
PBAR supports the following port-protocol mappings:
· Predefined—An application protocol uses the port defined by the system.
· User-defined—An application protocol uses the port defined by the user.
Configuring PBAR
1. Enter system view.
system-view
2. Configure a port mapping.
Choose the options to configure as needed:
○ Configure a general port mapping:
port-mapping application application-name port port-number [ protocol protocol-name ]
○ Configure an ACL-based host-port mapping:
port-mapping application application-name port port-number [ protocol protocol-name ] acl [ ipv6 ] acl-number
○ Configure a subnet-based host-port mapping:
port-mapping application application-name port port-number [ protocol protocol-name ] subnet { ip ipv4-address { mask-length | mask } | ipv6 ipv6-address prefix-length }
○ Configure an IP address-based host-port mapping:
port-mapping application application-name port port-number [ protocol protocol-name ] host { ip | ipv6 } start-ip-address [ end-ip-address ]
By default, all application protocols are mapped to well-known ports.
If the specified application protocol does not exist, the system first creates the protocol.
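Because PBAR recognizes an application purely from the port-protocol mapping, user-defined mappings are worth reviewing before they reach the device. The following is an added example, not part of the original guide: a Python helper that parses port-mapping lines written in the four command forms above, records whether each mapping is general or limited to an ACL, subnet or host range, and reports ports mapped to more than one application. The sample lines, application names, ACL number and addresses are constructed, and it assumes the lines appear exactly in the syntax shown on this page.

```python
import re
from collections import defaultdict

# Constructed sample lines that follow the command syntax shown above.
SAMPLE_CONFIG = """\
port-mapping application http port 8080 protocol tcp
port-mapping application ftp port 2121 acl 2000
port-mapping application custom-app port 8080 protocol tcp subnet ip 10.1.1.0 24
port-mapping application http port 8000 host ip 192.0.2.10 192.0.2.20
port-mapping application dns port 70000
interface GigabitEthernet1/0/1
"""

# application name, port, optional protocol, optional acl/subnet/host scope
LINE_RE = re.compile(
    r"^port-mapping application (?P<app>\S+) port (?P<port>\d+)"
    r"(?: protocol (?P<proto>\S+))?"
    r"(?: (?P<scope>acl|subnet|host) (?P<args>.+))?$"
)

def parse_port_mappings(config_text):
    """Return (mappings, rejected) for the port-mapping lines in config_text."""
    mappings, rejected = [], []
    for raw in config_text.splitlines():
        line = " ".join(raw.split())          # normalise whitespace
        if not line.startswith("port-mapping "):
            continue                          # unrelated configuration line
        m = LINE_RE.match(line)
        # Reject malformed lines and ports outside the 16-bit port range.
        if not m or not 0 <= int(m["port"]) <= 65535:
            rejected.append(line)
            continue
        mappings.append({
            "app": m["app"],
            "port": int(m["port"]),
            "protocol": m["proto"],            # None when omitted
            "scope": m["scope"] or "general",  # general = no acl/subnet/host
            "scope_args": m["args"],
        })
    return mappings, rejected

def shared_ports(mappings):
    """Ports that appear in mappings for more than one application."""
    apps = defaultdict(set)
    for mp in mappings:
        apps[mp["port"]].add(mp["app"])
    return {port: sorted(a) for port, a in apps.items() if len(a) > 1}
```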
Configuring application groups
1. Enter system view.
system-view
2. Create an application group and enter its view.
app-group group-name
3. (Optional.) Configure the description of the application group.
description text
By default, the description is "User-defined application group".
4. Add application protocols to the group.
Choose the options to configure as needed:
○ Copy all application protocols from another group to the group.
copy app-group group-name
Execute this command multiple times to copy application protocols from multiple groups to the current group.
○ Add an application protocol to the group.
include application application-name
By default, an application group does not contain any application protocols.
Enabling application statistics on an interface
About this task
When the application statistics feature is enabled on an interface, the device separately counts the number of packets or bytes that the interface has received or sent for each application protocol. It also calculates the transmission rates of the interface for these protocols.
To display application statistics, use the display application statistics command.
Restrictions and guidelines
The application statistics feature consumes a large amount of system memory. When the system generates an alarm for lack of memory, disable the application statistics feature on all interfaces.
Procedure
1. Enter system view.
system-view
2. Enter Layer 3 interface view.
interface interface-type interface-number
3. Enable application statistics on the interface.
application statistics enable [ inbound | outbound ]
By default, this feature is disabled.
You can enable the application statistics feature in both the inbound and outbound directions of the interface.
Display and maintenance commands for APR
Execute display commands in any view and reset commands in user view.
Task | Command |
---|---|
Display information about application groups. | display app-group [ name group-name ] |
Display information about application protocols. | display application [ name application-name \| pre-defined \| user-defined ] |
Display statistics for application protocols. | display application statistics [ direction { inbound \| outbound } \| interface interface-type interface-number \| name application-name ] * |
Display statistics for application protocols on an interface in descending order based on the specified criteria. | display application statistics top number { bps \| bytes \| packets \| pps } interface interface-type interface-number |
Display information about predefined port mappings. | display port-mapping pre-defined |
Display information about user-defined port mappings. | display port-mapping user-defined [ application application-name \| port port-number ] |
Clear application statistics for interfaces. | reset application statistics [ interface interface-type interface-number ] |