Need Class-Map and Policy Map Explanations

jaesposito
Level 1

I really could use some help understanding some of the logic behind the default ZBFW settings on my Cisco 881W courtesy of Cisco Configuration Professional.  Here are my two questions:

1.)  What is the purpose and logic behind consolidating the first class-map (ccp-cls-insp-traffic) into the second class-map (ccp-insp-traffic) as follows?

--------------------------------

class-map type inspect match-any ccp-cls-insp-traffic
  match protocol dns
  match protocol ftp
  match protocol h323
  match protocol https
  match protocol icmp
  match protocol imap
  match protocol pop3
  match protocol netshow
  match protocol shell
  match protocol realmedia
  match protocol rtsp
  match protocol smtp
  match protocol sql-net
  match protocol streamworks
  match protocol tftp
  match protocol vdolive
  match protocol tcp
  match protocol udp

class-map type inspect match-all ccp-insp-traffic
  match class-map ccp-cls-insp-traffic

--------------------------------

Class-map ccp-cls-insp-traffic isn't directly applied to any policy-map.  Only class-map ccp-insp-traffic is being used by a policy-map (below) that is applied to an inside-to-outside zone pair.  Note that ccp-cls-insp-traffic is "match-any" and ccp-insp-traffic is "match-all", which makes it even more confusing to me.

---------------------------------------------------------------------

2.) What is the purpose and logic behind policy-map ccp-inspect trying to drop traffic from ccp-invalid-src, which is classifying based on ACL 100?

policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
  drop log
class type inspect ccp-insp-traffic
  inspect
class type inspect ccp-protocol-http
class class-default
  drop

class-map type inspect match-all ccp-invalid-src
  match access-group 100

access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any

Note that policy-map ccp-inspect is also applied to an inside-to-outside zone pair.  My inside VLAN 1 has a subnet of 192.168.1.0/24.

Thank you so much for the help!

James E


Bastien Migette
Cisco Employee

Hi,

class-map type inspect match-all ccp-insp-traffic
  match class-map ccp-cls-insp-traffic

is not really useful. You could have used ccp-insp-traffic directly in your policy map.

For the second question, you shouldn't think of the ACL as a filtering method, but more as a classification method. In the same way, when you use an ACL for NAT, it's to select the traffic to be NATted. In a class-map, the ACL is only used to select particular traffic and associate it with the class-map, but the permit/deny action won't allow/drop the traffic; it only defines which traffic belongs to the class (permit) and which doesn't (deny).

So your ACL 100 will associate the broadcast and loopback addresses with the invalid-src class-map, which will be dropped per the action of the policy-map.

Hope this is clear now.
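To make the classification-versus-filtering point from the reply concrete, here is an added Python model of the thread's class-maps, ACL 100 and policy-map ccp-inspect (a constructed example, not Cisco code and not part of the original post). It assumes a packet is just a source address plus a protocol name, uses only a subset of the ccp-cls-insp-traffic protocol list, and leaves out ccp-protocol-http because its action is not shown in the thread.

```python
import ipaddress

# Constructed model of the thread's config (not Cisco code). ACL 100 entries are
# (action, source network); the action only decides class membership and never
# drops a packet on its own.
def ace(action, cidr):
    return (action, ipaddress.ip_network(cidr))

ACL_100 = [ace("permit", "255.255.255.255/32"), ace("permit", "127.0.0.0/8")]

# Subset of the protocols listed under ccp-cls-insp-traffic (match-any).
INSPECTED_PROTOCOLS = {"dns", "ftp", "https", "icmp", "smtp", "tcp", "udp"}

def acl_classifies(acl, src):
    """First matching ACE wins, as in IOS: permit -> in the class, deny -> not.
    No match hits the implicit deny, which also just means 'not in this class'."""
    ip = ipaddress.ip_address(src)
    for action, net in acl:
        if ip in net:
            return action == "permit"
    return False

def cls_insp_traffic(pkt):
    # match-any: one matching 'match protocol' line is enough
    return pkt["proto"] in INSPECTED_PROTOCOLS

def insp_traffic(pkt):
    # match-all with a single nested class-map: identical to the nested class
    return all(f(pkt) for f in [cls_insp_traffic])

def apply_policy(pkt, acl=ACL_100):
    """Walk policy-map ccp-inspect in order; the first matching class decides.
    ccp-protocol-http is left out because its action is not shown in the thread."""
    classes = [
        ("ccp-invalid-src", lambda p: acl_classifies(acl, p["src"]), "drop log"),
        ("ccp-insp-traffic", insp_traffic, "inspect"),
        ("class-default", lambda p: True, "drop"),
    ]
    for name, match, action in classes:
        if match(pkt):
            return name, action

if __name__ == "__main__":
    for src, proto in [("127.0.0.1", "tcp"), ("192.168.1.10", "tcp"), ("192.168.1.10", "gre")]:
        print(src, proto, "->", apply_policy({"src": src, "proto": proto}))
```

Swapping a permit ACE for a deny ACE in the model shows the reply's point directly: a loopback source then simply falls out of ccp-invalid-src and is handled by the next class, rather than being dropped by the ACL.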
