04-28-2020 11:56 PM - edited 04-29-2020 12:01 AM
I understand the difference between match-any and match-all but still have a few questions:
in match-any - if an ACL is specified like so to a class-map:
ip access-list extended LOCAL_TO_REMOTE
permit ip object-group LOCAL_LAN object-group REMOTE_LAN
class-map type inspect match-any LOCAL_TO_REMOTE
match access-group name REMOTE_TO_LAN
match http
1. Would everything just flow because the first line is met, e.g. ssh, dns, http, https, and anything else not matching the ACL would be allowed if it was http?
What would the effect be if match http was moved above the ACL like so:
class-map type inspect match-any LOCAL_TO_REMOTE
match http
match access-group name REMOTE_TO_LAN
2. Would any IP matching http get through? And then anything from the ACL get through?
I know a match-all would force the ACL and http like so:
class-map type inspect match-all LOCAL_TO_REMOTE
match access-group name REMOTE_TO_LAN
match http
3. But what if I wanted to additionally specify https? Is that another class-map because you wouldn't expect a client to use http & https at the same time?
4. If the above case is true, is it not easier to specify the ACL like so:
ip access-list extended LOCAL_TO_REMOTE
permit tcp object-group LOCAL_LAN object-group REMOTE_LAN eq 80
permit tcp object-group LOCAL_LAN object-group REMOTE_LAN eq 443
I know this doesn't allow the more exotic aspects of using http & https inspect, but it would save on another class-map match-all.
5. Is it better to specify the class-maps with match-all for each specific port, e.g. tcp 443, so that QoS can be applied more easily if required?
Basically I'm trying to get a configuration convention set up rather than a mish-mash of ACLs & match http, match https etc.
04-29-2020 02:37 AM
Hello @louis0001 ,
a match-any requires a match on one of the listed criteria.
However, your understanding is correct: order does matter, and what matches the ACL is counted as a hit on it.
To be noted: your ACL is at the IP level between two subnets and allows all traffic between them, including http.
The second criterion, match http, uses NBAR and matches on the protocol regardless of source IP and destination IP, which may be too generic.
2) If you are using match-all instead of match-any, you are permitting only HTTP traffic between the two subnets specified in the ACL.
3)
if you want to add additional protocols you need a line like
match http https
The items listed in the same match command are always in OR between them, regardless of match-any / match-all settings.
4)
The true equivalent of the two match commands is an ACL like the following:
ip access-list extended LOCAL_TO_REMOTE
permit tcp object-group LOCAL_LAN object-group REMOTE_LAN eq 80
permit tcp object-group LOCAL_LAN object-group REMOTE_LAN eq 443
permit tcp object-group LOCAL_LAN eq 80 object-group REMOTE_LAN
permit tcp object-group LOCAL_LAN eq 443 object-group REMOTE_LAN
because the server side can be either in the local LAN or the remote LAN
Be aware that class-maps of type inspect are used for zone based firewall and not for QoS purposes. For QoS purposes you need to use the standard class-map (without the type inspect keywords).
Hope to help
Giuseppe
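As an added illustration (my own code, not Cisco output and not part of the original thread), the following Python model evaluates the three class-maps discussed above against a handful of constructed flows. It assumes two made-up subnets standing in for the LOCAL_LAN and REMOTE_LAN object-groups, models "match http" (the full IOS keyword is "match protocol http") as an NBAR classification that ignores addresses, and models Giuseppe's four-line TCP 80/443 ACL. It shows that match-any is the OR of the match lines (so NBAR http from any source matches), match-all is the AND, and that reordering the lines of a match-any class-map changes which line records the hit but not whether the flow matches.

```python
"""Toy model of ZBF class-map match-any / match-all evaluation.

Added example: it models only the semantics described in the thread and is
not a Cisco implementation.  Subnets and flows are constructed (RFC 5737).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed stand-ins for object-group LOCAL_LAN / REMOTE_LAN
LOCAL_LAN = ip_network("192.0.2.0/24")
REMOTE_LAN = ip_network("198.51.100.0/24")


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp", "udp", ...
    sport: int
    dport: int
    app: str     # what NBAR would classify the flow as: "http", "https", "ssh", ...


def in_group(addr, group):
    return ip_address(addr) in group


# --- ACL models ---------------------------------------------------------

def acl_permit_ip(flow):
    """'permit ip object-group LOCAL_LAN object-group REMOTE_LAN': any protocol/port."""
    return in_group(flow.src, LOCAL_LAN) and in_group(flow.dst, REMOTE_LAN)


def acl_permit_tcp_web(flow):
    """Giuseppe's four-line ACL: TCP with port 80/443 on the destination side
    (remote server) or on the source side (local server)."""
    if flow.proto != "tcp" or not acl_permit_ip(flow):
        return False
    return flow.dport in (80, 443) or flow.sport in (80, 443)


# --- match lines and class-maps -----------------------------------------

def match_protocol(*apps):
    """'match protocol http [https]': NBAR result only, addresses are ignored."""
    return lambda flow: flow.app in apps


def match_access_group(acl):
    return lambda flow: acl(flow)


def class_map(mode, *criteria):
    """match-any = OR across match lines, match-all = AND across match lines."""
    combine = {"match-any": any, "match-all": all}[mode]
    return lambda flow: combine(criterion(flow) for criterion in criteria)


def first_hit(criteria, flow):
    """Index of the first match line that fires (the line whose counter would
    increment in a match-any class-map); None if nothing matches."""
    for index, criterion in enumerate(criteria):
        if criterion(flow):
            return index
    return None


ACL_LINE = match_access_group(acl_permit_ip)
HTTP_LINE = match_protocol("http")
WEB_LINE = match_protocol("http", "https")

ANY_ACL_OR_HTTP = class_map("match-any", ACL_LINE, HTTP_LINE)
ALL_ACL_AND_HTTP = class_map("match-all", ACL_LINE, HTTP_LINE)
ALL_ACL_AND_WEB = class_map("match-all", ACL_LINE, WEB_LINE)


def evaluate(flow):
    """Result of each class-map / ACL from the thread for one flow."""
    return {
        "match-any ACL,http": ANY_ACL_OR_HTTP(flow),
        "match-all ACL,http": ALL_ACL_AND_HTTP(flow),
        "match-all ACL,http https": ALL_ACL_AND_WEB(flow),
        "ACL tcp 80/443 either side": acl_permit_tcp_web(flow),
    }


# Constructed sample flows (client -> server unless noted)
SAMPLE_FLOWS = {
    "ssh local->remote": Flow("192.0.2.10", "198.51.100.20", "tcp", 51000, 22, "ssh"),
    "http local->remote": Flow("192.0.2.10", "198.51.100.20", "tcp", 51001, 80, "http"),
    "https local->remote": Flow("192.0.2.10", "198.51.100.20", "tcp", 51002, 443, "https"),
    "http outside->remote": Flow("203.0.113.5", "198.51.100.20", "tcp", 51003, 80, "http"),
    "local web server->remote": Flow("192.0.2.80", "198.51.100.20", "tcp", 80, 52000, "http"),
}

if __name__ == "__main__":
    for name, flow in SAMPLE_FLOWS.items():
        print(name, evaluate(flow))
        print("   first hit, lines [ACL, http]:", first_hit([ACL_LINE, HTTP_LINE], flow),
              " lines [http, ACL]:", first_hit([HTTP_LINE, ACL_LINE], flow))
```

Running it shows the point of answers 1 and 2: with match-any, the ssh flow and the http flow from outside both match (one via the ACL line, the other via NBAR), while match-all keeps only http between the two subnets, and "match protocol http https" in one line widens that to https without a second class-map.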
04-29-2020 03:57 AM
Brill...
1. match http https - I didn't know you could do that!
2. Be aware that class-maps of type inspect are used for zone based firewall and not for QoS purposes. For QoS purposes you need to use the standard class-map (without the type inspect keywords).
Can the class-map be called the same, e.g. class-map type inspect MYCLASS & class-map MYCLASS, or am I better doing something like class-map type inspect MYCLASS_INSPECT & class-map MYCLASS_QOS?
04-29-2020 05:01 AM - edited 04-29-2020 05:01 AM
Hello @louis0001 ,
the naming convention is your choice: you cannot invoke a class-map type inspect inside a QoS policy-map and vice versa. However, I agree that it can be helpful to be able to distinguish the two types of class-map for clarity in the configuration.
Hope to help
Giuseppe