11-13-2012 02:22 PM - edited 03-11-2019 05:23 PM
Hello,
While reading the page linked below, I was surprised to see that an ACL is created and never referenced in the class-map that comes afterward.
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_zbf/configuration/xe-3s/fw-stateful-icmp.html
Is the ACL mentioning the matched protocol used by default?
I thought I had to configure something like:
ip access-list extended ICMP-ACL
deny icmp any any fragments
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any packet-too-big
permit icmp any any time-exceeded
permit icmp any any ttl-exceeded
permit icmp any any unreachable
deny icmp any any
then
class-map type inspect match-all ICMP-CMAP
match access-group name ICMP-ACL
match protocol icmp
policy-map type inspect CAMPUS2DPT-PMAP
class type inspect ICMP-CMAP
inspect INSPECT-PARAM
If anyone could point out where my mistake is, I would be very pleased.
TIA
11-13-2012 03:34 PM
There is no mistake.
You could use the ACL to be restrictive and just match certain ICMP traffic across your network.
But the configuration is fine; it says to match all ICMP protocol traffic that is involved with the ACL (so an ACL hit has to happen).
Regards
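To make the answer's point concrete (a match-all class-map requires both the ACL hit and the protocol match, so the ACL acts as a filter on top of "match protocol icmp"), here is an added Python model of that evaluation order. It is example code written for this thread, not Cisco code and not part of the original posts; the packet records are constructed sample data, and the ACL evaluator is a simplified model (first-match, implicit deny, the "fragments" keyword treated as "non-initial fragment only", ICMP types compared as plain strings).

```python
"""Model of a Cisco ZBF 'class-map type inspect match-all' that combines
'match access-group name ICMP-ACL' with 'match protocol icmp'.

Added example for illustration only: not Cisco code, not from the thread.
ACL semantics are simplified (first match wins, implicit deny at the end).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    protocol: str            # "icmp", "tcp", "udp", ...
    icmp_type: str = ""      # e.g. "echo", "unreachable" (constructed labels)
    fragment: bool = False   # True models a non-initial IP fragment


@dataclass(frozen=True)
class AclEntry:
    action: str              # "permit" or "deny"
    protocol: str            # "icmp" or "ip" (ip matches every protocol)
    icmp_type: str = ""      # "" means any ICMP type
    fragments: bool = False  # entry applies only to non-initial fragments

    def matches(self, pkt: Packet) -> bool:
        if self.protocol != "ip" and self.protocol != pkt.protocol:
            return False
        if self.fragments and not pkt.fragment:
            return False
        if self.icmp_type and self.icmp_type != pkt.icmp_type:
            return False
        return True


# Transcription of the poster's ICMP-ACL. The implicit 'deny ip any any'
# that ends every IOS ACL is handled in acl_permits().
ICMP_ACL = [
    AclEntry("deny", "icmp", fragments=True),
    AclEntry("permit", "icmp", "echo"),
    AclEntry("permit", "icmp", "echo-reply"),
    AclEntry("permit", "icmp", "packet-too-big"),
    AclEntry("permit", "icmp", "time-exceeded"),
    AclEntry("permit", "icmp", "ttl-exceeded"),
    AclEntry("permit", "icmp", "unreachable"),
    AclEntry("deny", "icmp"),
]


def acl_permits(acl, pkt: Packet) -> bool:
    """First-match evaluation: the first entry that matches decides the result."""
    for entry in acl:
        if entry.matches(pkt):
            return entry.action == "permit"
    return False  # implicit deny


def class_map_hits(pkt: Packet, acl, protocol: str, mode: str = "match-all") -> bool:
    """Does the class-map select this packet for the inspect action?

    Two match lines are modelled: 'match access-group name <acl>' and
    'match protocol <protocol>'. With match-all both must hit; with
    match-any (hypothetical alternative, not the poster's config) one suffices.
    """
    acl_hit = acl_permits(acl, pkt)
    proto_hit = pkt.protocol == protocol
    if mode == "match-all":
        return acl_hit and proto_hit
    if mode == "match-any":
        return acl_hit or proto_hit
    raise ValueError(f"unknown class-map mode: {mode}")


if __name__ == "__main__":
    # Constructed sample traffic: allowed echo, a type the ACL denies,
    # an ICMP fragment, and a non-ICMP packet.
    samples = [
        Packet("icmp", "echo"),
        Packet("icmp", "redirect"),
        Packet("icmp", "echo", fragment=True),
        Packet("tcp"),
    ]
    for pkt in samples:
        print(pkt, "match-all:", class_map_hits(pkt, ICMP_ACL, "icmp"),
              "match-any:", class_map_hits(pkt, ICMP_ACL, "icmp", "match-any"))
```

The match-any column shows why the answer says the ACL makes the class "restrictive" only because the class-map is match-all: with match-any, any ICMP packet would be classed by the protocol line alone and the ACL's deny entries would not narrow anything.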