https://community.cisco.com/t5/network-security/need-class-map-and-policy-map-explanations/m-p/1664963#M535228 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P>class-map type inspect match-all ccp-insp-traffic</P><P>match class-map ccp-cls-insp-traffic</P><P></P><P>is not really useful. You could have used ccp-insp-traffic directly in your policy map.</P><P></P><P>For the second question, you shouldn't think ACL as filtering method, but more as classification method. In the same way, when you use an ACL for nat, it's to select the traffic to be natted. In a classmap, the ACL is only used to select a particular traffic and associate it to the class-map, but the permit/deny action won't allow/drop the traffic, it only defines which traffic belongs to the class (permit), and which doesn't (deny).</P><P></P><P>So your ACL 100 will associate broadcast and loopback address to the invalid src class-map, which will be dropped per the action of the policy map.</P><P></P><P>Hope this is clear now <SPAN __jive_emoticon_name="wink" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/emoticons/wink.gif"></SPAN></P></BODY></HTML> Sun, 24 Jul 2011 08:04:28 GMT Bastien Migette 2011-07-24T08:04:28Z https://community.cisco.com/t5/network-security/need-class-map-and-policy-map-explanations/m-p/1664962#M535226 <P>I really could use some help understanding some of the logic behind the default ZBFW settings on my Cisco 881W courtesy of Cisco Configuration Professional.&nbsp; Here are my two questions:</P><P></P><P>1.)&nbsp; What is the purpose and logic behind consolidating the first class-map (<STRONG>ccp-cls-insp-traffic</STRONG>) in to the second Class-Map (<STRONG>ccp-insp-traffic</STRONG>) as follows?</P><P></P><P>--------------------------------</P><P>class-map type inspect match-any ccp-cls-insp-traffic</P><P>match protocol dns</P><P>match protocol ftp</P><P>match protocol h323</P><P>match protocol https</P><P>match protocol icmp</P><P>match protocol imap</P><P>match protocol pop3</P><P>match protocol netshow</P><P>match protocol shell</P><P>match protocol realmedia</P><P>match protocol rtsp</P><P>match protocol smtp</P><P>match protocol sql-net</P><P>match protocol streamworks</P><P>match protocol tftp</P><P>match protocol vdolive</P><P>match protocol tcp</P><P>match protocol udp</P><P>class-map type inspect match-all ccp-insp-traffic</P><P>match class-map ccp-cls-insp-traffic</P><P>--------------------------------</P><P><SPAN> </SPAN></P><P><SPAN>Class-Map <STRONG>ccp-cls-insp-traffic</STRONG> isnt directly applied to any Policy Map.&nbsp; Only Class-Map <STRONG>ccp-insp-traffic</STRONG> is being used by a Policy-Map (below) that is applied to an inside-to-outside zone pair.&nbsp; Note that ccp-cls-insp-traffic is "match-any" and ccp-insp-traffic is "match-all" which makes it even more confusing to me.</SPAN></P><P><SPAN> </SPAN></P><P><SPAN>---------------------------------------------------------------------</SPAN></P><P><SPAN> </SPAN></P><P><SPAN>2.) What is the purpose and logic of Policy-Map <STRONG>ccp-inspect</STRONG> is trying to drop traffic from <STRONG>ccp-invalid-src</STRONG>, which is filtering based on <STRONG>ACL 100</STRONG>:</SPAN></P><P><SPAN> </SPAN></P><P><SPAN>policy-map type inspect ccp-inspect<BR />class type inspect ccp-invalid-src<BR />&nbsp; drop log<BR />class type inspect ccp-insp-traffic<BR />&nbsp; inspect<BR />class type inspect ccp-protocol-http<BR />class class-default<BR />&nbsp; drop</SPAN></P><P><SPAN> </SPAN></P><P>class-map type inspect match-all ccp-invalid-src</P><P>match access-group 100</P><P></P><P>access-list 100 remark CCP_ACL Category=128</P><P>access-list 100 permit ip host 255.255.255.255 any</P><P>access-list 100 permit ip 127.0.0.0 0.255.255.255 any</P><P></P><P>Note that Policy-Map <STRONG>ccp-inspect</STRONG> is also applied to an inside-to-outside zone pair.&nbsp; My inside vLan 1 has a subnet of 192.168.1.0 / 24.</P><P></P><P></P><P>Thank you so much for the help!</P><P></P><P>James E</P> Mon, 11 Mar 2019 21:02:46 GMT https://community.cisco.com/t5/network-security/need-class-map-and-policy-map-explanations/m-p/1664962#M535226 jaesposito 2019-03-11T21:02:46Z https://community.cisco.com/t5/network-security/need-class-map-and-policy-map-explanations/m-p/1664963#M535228 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P>class-map type inspect match-all ccp-insp-traffic</P><P>match class-map ccp-cls-insp-traffic</P><P></P><P>is not really useful. You could have used ccp-insp-traffic directly in your policy map.</P><P></P><P>For the second question, you shouldn't think ACL as filtering method, but more as classification method. In the same way, when you use an ACL for nat, it's to select the traffic to be natted. In a classmap, the ACL is only used to select a particular traffic and associate it to the class-map, but the permit/deny action won't allow/drop the traffic, it only defines which traffic belongs to the class (permit), and which doesn't (deny).</P><P></P><P>So your ACL 100 will associate broadcast and loopback address to the invalid src class-map, which will be dropped per the action of the policy map.</P><P></P><P>Hope this is clear now <SPAN __jive_emoticon_name="wink" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/emoticons/wink.gif"></SPAN></P></BODY></HTML> Sun, 24 Jul 2011 08:04:28 GMT https://community.cisco.com/t5/network-security/need-class-map-and-policy-map-explanations/m-p/1664963#M535228 Bastien Migette 2011-07-24T08:04:28Z