The class-default class map

Colin Higgins
Level 2

According to Cisco documentation (http://www.cisco.com/en/US/docs/security/asa/asa81/config/guide/mpc.html), the ASA is equipped with two default class-maps:

class-map inspection_default
 match default-inspection-traffic

and

class-map class-default
 match any

The first makes perfect sense, but what is the class-default used for? Cisco says

"This class map appears at the end of all Layer 3/4 policy maps and essentially tells the adaptive security appliance to not perform any actions on all other traffic. You can use the class-default class map if desired, rather than making your own match any class map. In fact, some features are only available for class-default."

But I see stuff like this:

policy-map MyPolicy
 class class-default
  inspect tfp MyFTPpolicy

Obviously it is being used here to act on traffic! So I am confused.

I also noticed that when you upgrade from 8.2 to 8.4, all default class-maps are removed from the configuration: you have to re-create everything (strange).

3 Replies

Maykol Rojas
Cisco Employee

Hello Colin,

This is Mike. I don't think it is well documented. Basically it is just a class map (that does not appear on the configuration unless an action is specified) that will match all traffic passing through the ASA firewall. Some features like NSEL (Netflow) and Traffic shaping are only allowed to use this kind of class map because they don't support any other match command.

The one that you currently have (and God I hope it's not applied) will look for tftp traffic on every IP packet passing across the ASA.

This specific type of policy you have there can only be applied on the interface (as it is not a layer 7 inspection policy). You can check if it is applied or not by running the "show run service-policy" command.

Mike


So it sounds like using the class-default is not recommended unless you are doing it with QoS, Netflow, etc. yes?

If you want to inspect FTP traffic, you should do that with a layer 7 map?

Hi Colin,

For the FTP traffic to work properly, the regular inspection of FTP would do it; however, if you want to block specific information inside the FTP packets, such as different types of method (PUT, GET), usernames, specific files, etc., you will need to use Layer 7.

Cheers,

Mike
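An added configuration example, not from the original thread or from Cisco documentation, that puts Mike's two replies together: FTP inspection (including a Layer 7 FTP policy that resets PUT requests) stays under inspection_default, while class-default is reserved for the features that require it (NSEL export and shaping). The interface names, collector address and port, policy names and shaping rate are assumed values.

```cisco
! Layer 7 FTP inspection policy (assumed name MyFTPpolicy):
! reset and log any FTP session that issues a PUT command
policy-map type inspect ftp MyFTPpolicy
 match request-command put
  reset log

! NSEL (NetFlow) collector; assumed interface, address and port
flow-export destination inside 192.0.2.10 2055

! Layer 3/4 policy: FTP inspection is tied to inspection_default,
! which only matches the default inspection ports, not every packet
policy-map global_policy
 class inspection_default
  inspect ftp strict MyFTPpolicy
 class class-default
  ! NSEL is only permitted under class-default (it matches all traffic)
  flow-export event-type all destination 192.0.2.10
service-policy global_policy global

! Shaping is another class-default-only feature; applied per interface
! (assumed rate of 2 Mbps on the assumed "outside" interface)
policy-map outside_policy
 class class-default
  shape average 2000000
service-policy outside_policy interface outside

! Verify where each policy is attached:
!   show run service-policy
```

Note that nothing in either class-default block inspects traffic; if an inspect command is attached to class-default instead of inspection_default, the inspection engine is run against every packet the ASA forwards.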
