"policy-map type inspect XX" vs "policy-map XX", etc

DazOG
Level 1

Hi

I've got a working ZBFW config, but I must admit I'm struggling to understand the differences between these commands:

policy-map type inspect NAME
policy-map NAME
class-map type inspect NAME
class-map NAME

Cisco's documentation says:

When an inspect-type policy-map is created, a default class named class class-default is applied at the end of the class. The class class-default default policy action is drop but can be changed to pass. The log option can be added with the drop action. Inspect cannot be applied on class class-default.

...which seems to indicate that policy-map type inspect should be used wherever you've created class-map(s) that have "type inspect" on (or not?)

What isn't clear to me is what combo of policy-map/class-map with or without "type inspect" I should use if I want to just "pass" traffic through?

  • What happens if I create a policy-map NAME that uses a class-map type inspect NAME?
  • What happens if I create a policy-map type inspect NAME that uses a class-map NAME?
  • What happens if the class-map action is "inspect" when using class-map NAME ?
  • What happens if the class-map action is "inspect" when using policy-map NAME ?
  • What happens if the class-map action is "pass" when policy-map and/or class-map is type inspect? Is "type inspect" redundant here?

Thanks in advance!


Key points:

Class is used to match traffic only: match ACL or protocol.

Policy is used to set the action for specific traffic that matches the class used under it.

Class and policy can be used for QoS and for security; that is why we need "type inspect" in both, to specify that this class map is used for security and not for something else.

DazOG
Level 1

Thanks. It's still not very clear to me when I should use "type inspect" on either a policy-map or class-map, or both, and what happens if I don't.

For example, if I have an ACL that allows inbound connections to specific internal hosts on specified TCP/UDP ports, logically that should be "pass" because those target hosts/applications are talking to a specific explicitly defined port? In that instance, if I'm not inspecting the incoming traffic, should the class-map and/or policy-map be "type inspect"? What happens if "type inspect" is specified and the action is "pass"?

Hope that makes sense!

"Type inspect" DOESN'T have any rule with the action; it is only added, as I mentioned above, to differentiate between a class/policy used for security and one used for QoS/CoPP.

For the action there are three:

Pass

Inspect

Drop

DazOG
Level 1

Sorry, I still don't understand. I appreciate you trying to help, but it's not clear what you're saying...

What is the difference between:

class-map TESTMAP
 match protocol https
policy-map type inspect TESTPOLICY
 class type inspect TESTMAP
  inspect

(This gives a warning of "%No specific protocol configured in class TESTMAP for inspection. All protocols will be inspected")

...and...

class-map type inspect match-all TESTMAP
 match protocol https
policy-map type inspect TESTPOLICY
 class type inspect TESTMAP
  inspect

(This gives no warning)

Thanks.

The first example is wrong: you don't specify that the class map is used for security.

The first one needs "type inspect" for the class map, and that is why the error message appears.

I assume that is the same if it uses a match access-group (ACL) instead of “match protocol https”?

Same if you match an ACL under the class map.

MHM

Cisco doc:

Firewalls

Quality of service (QoS) class maps have numerous match criteria; firewalls have fewer match criteria. Firewall class maps are of type inspect and this information controls what shows up under firewall class maps.

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_zbf/configuration/xe-3s/sec-data-zbf-xe-book/sec-zone-pol-fw.html

MHM
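Added here as a worked illustration of the answers above (not configuration from the original thread or from Cisco's documentation): a complete ZBFW policy that uses "type inspect" on every class-map and policy-map, with a "pass" class for ACL-permitted inbound ports, an "inspect" class for outbound web traffic, and "drop log" on class-default. All names, interfaces and host addresses are made up for the example.

```cisco
! Constructed example: hosts, zones and policy names are placeholders
ip access-list extended INBOUND-ALLOWED
 permit tcp any host 10.1.1.10 eq 443
 permit udp any host 10.1.1.20 eq 53
!
! Firewall class-maps must be "type inspect"; matching an ACL is fine here
class-map type inspect match-all CM-INBOUND-ALLOWED
 match access-group name INBOUND-ALLOWED
!
class-map type inspect match-any CM-OUTBOUND-WEB
 match protocol http
 match protocol https
!
! Outside-to-inside: "pass" the explicitly permitted ports, drop and log the rest
policy-map type inspect PM-OUT-TO-IN
 class type inspect CM-INBOUND-ALLOWED
  pass
 class class-default
  drop log
!
! Inside-to-outside: stateful "inspect" so return traffic is allowed back in
policy-map type inspect PM-IN-TO-OUT
 class type inspect CM-OUTBOUND-WEB
  inspect
 class class-default
  drop log
!
zone security INSIDE
zone security OUTSIDE
!
zone-pair security OUT-IN source OUTSIDE destination INSIDE
 service-policy type inspect PM-OUT-TO-IN
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect PM-IN-TO-OUT
!
interface GigabitEthernet0/0
 zone-member security INSIDE
interface GigabitEthernet0/1
 zone-member security OUTSIDE
```

Note that "pass" is stateless and one-directional, so replies to the passed inbound connections need their own "pass" class on the INSIDE-to-OUTSIDE zone-pair, whereas "inspect" creates a session entry that lets the return traffic through automatically; for TCP/UDP services, "inspect" is therefore usually the safer choice.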
