Showing results for 
Search instead for 
Did you mean: 


Need Class-Map and Policy Map Explanations

I really could use some help understanding some of the logic behind the default ZBFW settings on my Cisco 881W courtesy of Cisco Configuration Professional.  Here are my two questions:

1.)  What is the purpose and logic behind consolidating the first class-map (ccp-cls-insp-traffic) in to the second Class-Map (ccp-insp-traffic) as follows?


class-map type inspect match-any ccp-cls-insp-traffic

match protocol dns

match protocol ftp

match protocol h323

match protocol https

match protocol icmp

match protocol imap

match protocol pop3

match protocol netshow

match protocol shell

match protocol realmedia

match protocol rtsp

match protocol smtp

match protocol sql-net

match protocol streamworks

match protocol tftp

match protocol vdolive

match protocol tcp

match protocol udp

class-map type inspect match-all ccp-insp-traffic

match class-map ccp-cls-insp-traffic


Class-Map ccp-cls-insp-traffic isnt directly applied to any Policy Map.  Only Class-Map ccp-insp-traffic is being used by a Policy-Map (below) that is applied to an inside-to-outside zone pair.  Note that ccp-cls-insp-traffic is "match-any" and ccp-insp-traffic is "match-all" which makes it even more confusing to me.


2.) What is the purpose and logic of Policy-Map ccp-inspect is trying to drop traffic from ccp-invalid-src, which is filtering based on ACL 100:

policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
  drop log
class type inspect ccp-insp-traffic
class type inspect ccp-protocol-http
class class-default

class-map type inspect match-all ccp-invalid-src

match access-group 100

access-list 100 remark CCP_ACL Category=128

access-list 100 permit ip host any

access-list 100 permit ip any

Note that Policy-Map ccp-inspect is also applied to an inside-to-outside zone pair.  My inside vLan 1 has a subnet of / 24.

Thank you so much for the help!

James E

Bastien Migette
Cisco Employee


class-map type inspect match-all ccp-insp-traffic

match class-map ccp-cls-insp-traffic

is not really useful. You could have used ccp-insp-traffic directly in your policy map.

For the second question, you shouldn't think ACL as filtering method, but more as classification method. In the same way, when you use an ACL for nat, it's to select the traffic to be natted. In a classmap, the ACL is only used to select a particular traffic and associate it to the class-map, but the permit/deny action won't allow/drop the traffic, it only defines which traffic belongs to the class (permit), and which doesn't (deny).

So your ACL 100 will associate broadcast and loopback address to the invalid src class-map, which will be dropped per the action of the policy map.

Hope this is clear now

Recognize Your Peers
Content for Community-Ad