Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

class-map does not support match protocol ssl

I have several 1941/k9's that do not have the class-map command: to suppot ssl.  System image is c1900-universalk9-mz.SPA.152-1.T.bin.

class-map match-any af31

match protocol ssl  <-- missing.

 

I did some google searches but come up with nothing. 

Is the fix to upgrade IOS?  I have found it on other routers running c1900-universalk9-mz.SPA.152-4.M4.bin.  I would just upgrade and check but have an extensive change review board with questions before doing so.

 

Thanks for advice,

Haydn

1 ACCEPTED SOLUTION

Accepted Solutions
Super Bronze

DisclaimerThe Author of this

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

I'm not current on NBAR (or NBAR 2), but NBAR used to support loadable modules (PDMs?).  Sometimes Cisco would provide those so you could add match protocols without upgrading your IOS.

Otherwise the "fix" would be to upgrade your IOS.

Lastly, depending on what it matching SSL really means to you, using port based ACLs might suffice (in fact, some NBAR match protocol is only really that, but some NBAR matches regardless of the port usage).

PS:

Also on the subject of SSL, don't forget much can use it.  I once matched on it for the purposes of providing secure shell higher queuing priority, worked great for SSH, not so great when secure copy (SCP) also matched against it.

3 REPLIES

It should be: match protocol

It should be:

 

match protocol secure-http

 

HTH,

John
 

HTH, John *** Please rate all useful posts ***

you can do your own custom

you can do your own custom class

for example

access-list acl_ssl extended perm tcp any any eq 443

access-list acl_ssl extended perm tcp any  eq 443 any

class-map match-any ssl_class

match access-list acl_ssl

 

Super Bronze

DisclaimerThe Author of this

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

I'm not current on NBAR (or NBAR 2), but NBAR used to support loadable modules (PDMs?).  Sometimes Cisco would provide those so you could add match protocols without upgrading your IOS.

Otherwise the "fix" would be to upgrade your IOS.

Lastly, depending on what it matching SSL really means to you, using port based ACLs might suffice (in fact, some NBAR match protocol is only really that, but some NBAR matches regardless of the port usage).

PS:

Also on the subject of SSL, don't forget much can use it.  I once matched on it for the purposes of providing secure shell higher queuing priority, worked great for SSH, not so great when secure copy (SCP) also matched against it.

143
Views
5
Helpful
3
Replies
CreatePlease login to create content