
'not' criterion in zone-based policy firewall class-maps


I'm trying to configure a zone-based firewall on an SR520 and am confused about the 'not' criterion. The 'zone-design-guide' says (my stress):

Class-maps define the traffic that the firewall selects for policy application. Layer 4 class-maps sort the traffic based on these criteria listed here. These criteria are specified using the match command in a class-map:

Access-group—A standard, extended, or named ACL can filter traffic based on source and destination IP address and source and destination port.

Protocol—The Layer 4 protocols (TCP, UDP, and ICMP) and application services such as HTTP, SMTP, DNS, etc. Any well-known or user-defined service known to Port-Application Mapping can be specified.

Class-map—A subordinate class-map that provides additional match criteria can be nested inside another class-map.

Not—The not criterion specifies that any traffic that does not match a specified service (protocol), access-group or subordinate class-map will be selected for the class-map.

but it doesn't give any examples of use of the 'not' criterion and I can't get our SR520 to accept anything I try. I can't find any other help on this either.

What I'm trying to do is allow only a restricted set of hosts on the LAN outbound access through the firewall, e.g.

class-map type inspect match-all allowed-LAN-hosts
 match not access-group 108        ???? - router won't allow! - what is the correct syntax?

policy-map type inspect pm-in-out
 class type inspect allowed-LAN-hosts

access-list 108 permit ip any

where my intention is to let only LAN hosts with IPs in the range to out through the firewall.

There may be an easier way of doing this which I'd be pleased to hear about. But, even if there is, I'd also be interested to know what I'm doing wrong in the above.

Thanks, Ian.

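The same restriction expressed as a positive match, added here as an example and not taken from Ian's post or from a Cisco reply: the class-map selects traffic the ACL permits, and everything else falls into class-default, which the policy drops. The zone names, interface names and the 192.0.2.0/24 host range are assumptions.

```cisco
! Allowed LAN hosts; 192.0.2.0/24 is a constructed placeholder for the real range
access-list 108 permit ip 192.0.2.0 0.0.0.255 any
!
! match-all: every criterion in the class-map must hold (here only the ACL)
class-map type inspect match-all allowed-LAN-hosts
 match access-group 108
!
! Inspect traffic from the allowed hosts; class-default catches all other
! LAN sources and drops them, logging each drop for review
policy-map type inspect pm-in-out
 class type inspect allowed-LAN-hosts
  inspect
 class class-default
  drop log
!
! Zones and the LAN-to-WAN zone-pair (zone and interface names assumed)
zone security in-zone
zone security out-zone
interface Vlan1
 zone-member security in-zone
interface FastEthernet4
 zone-member security out-zone
zone-pair security in-to-out source in-zone destination out-zone
 service-policy type inspect pm-in-out
```

Because the "not" is expressed by what class-default catches rather than by a negated match, the drop for disallowed hosts is visible in the policy and in the drop log counters.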