I really could use some help understanding some of the logic behind the default ZBFW settings on my Cisco 881W courtesy of Cisco Configuration Professional. Here are my two questions:
1.) What is the purpose and logic behind consolidating the first class-map (ccp-cls-insp-traffic) in to the second Class-Map (ccp-insp-traffic) as follows?
class-map type inspect match-any ccp-cls-insp-traffic
match protocol dns
match protocol ftp
match protocol h323
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
Class-Map ccp-cls-insp-traffic isnt directly applied to any Policy Map. Only Class-Map ccp-insp-traffic is being used by a Policy-Map (below) that is applied to an inside-to-outside zone pair. Note that ccp-cls-insp-traffic is "match-any" and ccp-insp-traffic is "match-all" which makes it even more confusing to me.
is not really useful. You could have used ccp-insp-traffic directly in your policy map.
For the second question, you shouldn't think ACL as filtering method, but more as classification method. In the same way, when you use an ACL for nat, it's to select the traffic to be natted. In a classmap, the ACL is only used to select a particular traffic and associate it to the class-map, but the permit/deny action won't allow/drop the traffic, it only defines which traffic belongs to the class (permit), and which doesn't (deny).
So your ACL 100 will associate broadcast and loopback address to the invalid src class-map, which will be dropped per the action of the policy map.
Radius server configuration for 802.1X
Server radius test1
Address ipv4 10.1.1.1
Server radius test2
Address ipv4 10.1.1.2
aaa group server radius TEST-gr
server name test1
server name test2
Umbrella’s cloud-delivered firewall (CDFW) is a cool features that provides Firewall Services in the Cisco Umbrella Cloud without the need to deploy on-premises firewall devices and visibility and control for internet traffic across all branch offices. To...
SymptomsDownloadable ACL (dACL) does not take effect on the IOS-XE Network Access DevicesDiagnosisCreating redirection ACL on the IOS-XE device failed to redirect the specified traffic for captive portal redirectionSolutionEnable device tracking, Below is...
Multiple Cisco Security Technologies in a single book : ASA Firepower, WSA, Umbrella, ISE and VPN with 100 percent 100 practical scenarios with 70 Labs to cover important topics of the Cisco SCOR Exam. The best part is ISE with interesting scenarios wi...