07-23-2011 02:05 PM - edited 03-11-2019 02:02 PM
I really could use some help understanding some of the logic behind the default ZBFW settings on my Cisco 881W courtesy of Cisco Configuration Professional. Here are my two questions:
1.) What is the purpose and logic behind consolidating the first class-map (ccp-cls-insp-traffic) in to the second Class-Map (ccp-insp-traffic) as follows?
--------------------------------
class-map type inspect match-any ccp-cls-insp-traffic
match protocol dns
match protocol ftp
match protocol h323
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
--------------------------------
Class-Map ccp-cls-insp-traffic isnt directly applied to any Policy Map. Only Class-Map ccp-insp-traffic is being used by a Policy-Map (below) that is applied to an inside-to-outside zone pair. Note that ccp-cls-insp-traffic is "match-any" and ccp-insp-traffic is "match-all" which makes it even more confusing to me.
---------------------------------------------------------------------
2.) What is the purpose and logic of Policy-Map ccp-inspect is trying to drop traffic from ccp-invalid-src, which is filtering based on ACL 100:
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-insp-traffic
inspect
class type inspect ccp-protocol-http
class class-default
drop
class-map type inspect match-all ccp-invalid-src
match access-group 100
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
Note that Policy-Map ccp-inspect is also applied to an inside-to-outside zone pair. My inside vLan 1 has a subnet of 192.168.1.0 / 24.
Thank you so much for the help!
James E
07-24-2011 01:04 AM
Hi,
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
is not really useful. You could have used ccp-insp-traffic directly in your policy map.
For the second question, you shouldn't think ACL as filtering method, but more as classification method. In the same way, when you use an ACL for nat, it's to select the traffic to be natted. In a classmap, the ACL is only used to select a particular traffic and associate it to the class-map, but the permit/deny action won't allow/drop the traffic, it only defines which traffic belongs to the class (permit), and which doesn't (deny).
So your ACL 100 will associate broadcast and loopback address to the invalid src class-map, which will be dropped per the action of the policy map.
Hope this is clear now
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide