https://community.cisco.com/t5/network-security/class-map-type-inspect-statement-with-out-match-statement/m-p/1062907#M894376 <HTML><HEAD></HEAD><BODY><P>actually it will not pass or drop</P><P></P><P>the logic is </P><P>the calss map do matching then if there any match happend then the policy map that associated with this class will look what action configured to be taken</P><P>in ur case nothing will be match so the next stage which is the action stage will not be considered </P><P></P><P>hope this helps</P></BODY></HTML> Wed, 29 Oct 2008 21:46:46 GMT Marwan ALshawi 2008-10-29T21:46:46Z https://community.cisco.com/t5/network-security/class-map-type-inspect-statement-with-out-match-statement/m-p/1062904#M894372 <P>In a ZBF (IOS 12.4(20)T1, what happens if the following class-map is used in a policy which is tied to a zone pair and an interface, but the class-map does not have a "match" statement under it? Is the default to drop all since there is no match? Or since there is a "match-any" statement, does it pass all traffic? This was set up automatically by SDM 2.5 and I'm trying to figure out what will happen here?</P><P></P><P>class-map type inspect match-any no-match</P><P></P><P>class-map type inspect match-all willwork</P><P> match class-map no-match</P><P> match access-group 110</P><P></P><P>policy-map type inspect whathappens</P><P> class type inspect willwork</P><P> inspect</P><P> class class-default</P><P> drop</P><P></P><P>zone security in</P><P>zone security out</P><P></P><P>zone-pair security out-self source out destination self</P><P> service-policy type inspect whathappens</P><P></P><P>interface GigabitEthernet 0/0</P><P> description Untrusted</P><P> zone-member security out</P><P></P><P></P><P>Thanks,</P><P>Scott</P> Mon, 11 Mar 2019 14:04:30 GMT https://community.cisco.com/t5/network-security/class-map-type-inspect-statement-with-out-match-statement/m-p/1062904#M894372 sdniel 2019-03-11T14:04:30Z https://community.cisco.com/t5/network-security/class-map-type-inspect-statement-with-out-match-statement/m-p/1062905#M894373 <HTML><HEAD></HEAD><BODY><P>as long as the class dose not have match </P><P>no action will be taken until the match occuer</P><P>so nothing will happen </P><P></P><P>to make sure</P><P>do show policy-map whathappens interface GigabitEthernet 0/0</P><P>and see the matched traffic</P><P>it show 0 </P><P>good luck</P><P>if helpful Rate</P></BODY></HTML> Wed, 29 Oct 2008 02:45:16 GMT https://community.cisco.com/t5/network-security/class-map-type-inspect-statement-with-out-match-statement/m-p/1062905#M894373 Marwan ALshawi 2008-10-29T02:45:16Z https://community.cisco.com/t5/network-security/class-map-type-inspect-statement-with-out-match-statement/m-p/1062906#M894374 <HTML><HEAD></HEAD><BODY><P>When you say "nothing will happen", are you saying it will "pass" all traffic or "drop" all traffic?</P></BODY></HTML> Wed, 29 Oct 2008 14:36:07 GMT https://community.cisco.com/t5/network-security/class-map-type-inspect-statement-with-out-match-statement/m-p/1062906#M894374 sdniel 2008-10-29T14:36:07Z https://community.cisco.com/t5/network-security/class-map-type-inspect-statement-with-out-match-statement/m-p/1062907#M894376 <HTML><HEAD></HEAD><BODY><P>actually it will not pass or drop</P><P></P><P>the logic is </P><P>the calss map do matching then if there any match happend then the policy map that associated with this class will look what action configured to be taken</P><P>in ur case nothing will be match so the next stage which is the action stage will not be considered </P><P></P><P>hope this helps</P></BODY></HTML> Wed, 29 Oct 2008 21:46:46 GMT https://community.cisco.com/t5/network-security/class-map-type-inspect-statement-with-out-match-statement/m-p/1062907#M894376 Marwan ALshawi 2008-10-29T21:46:46Z https://community.cisco.com/t5/network-security/class-map-type-inspect-statement-with-out-match-statement/m-p/1062908#M894378 <HTML><HEAD></HEAD><BODY><P>So in this case, since class-map no-match is nested within class-map willwork, which has a match-all statement match class-map no-match "anded" with access list 110, does the policy whathappens inspect packets for only access-group 110? Wou8ld the result be the same if class-map no-match did not exist at all? You state that is does not pass or drop packets, so what does it do with them? </P></BODY></HTML> Thu, 30 Oct 2008 14:07:23 GMT https://community.cisco.com/t5/network-security/class-map-type-inspect-statement-with-out-match-statement/m-p/1062908#M894378 sdniel 2008-10-30T14:07:23Z