Paul,
You are correct that http should be first.

Regards,

Tyson Scott - CCIE #13513 R&S and Security
Technical Instructor - IPexpert, Inc.
Telephone: +1.810.326.1444
Cell: +1.248.504.7309
Fax: +1.810.454.0130
Mailto: [email protected]
Join our free online support and peer group communities: http://www.IPexpert.com/communities
IPexpert - The Global Leader in Self-Study, Classroom-Based, Video On Demand and Audio Certification Training Tools for the Cisco CCIE R&S Lab, CCIE Security Lab, CCIE Service Provider Lab, CCIE Voice Lab and CCIE Storage Lab Certifications.

From: [email protected] [mailto:[email protected]] On Behalf Of Paul Stewart
Sent: Saturday, October 03, 2009 11:48 AM
To: [email protected]
Subject: [OSL | CCIE_Security] LAB 12 section 2.2

The second task is to "Allow all outbound HTTP, ICMP, TCP and UDP traffic". The solutions guide shows the following class-map:

class-map type inspect match-any INSPECT->OUT
 match protocol tcp
 match protocol udp
 match protocol icmp
 match protocol http

This technically allows the outbound protocols specified. However, it may not work as many would think. In ZFW, the match protocol instructs the inspection engine as to which protocol to use for inspection purposes. Since http is tcp, the http traffic would match the first line in the class. Inspection on http traffic would happen as tcp, not http. So the last line really does nothing.

A really, REALLY good read on how ZFW determines protocol inspection can be found at the URL below. Also worth noting is that if you need to match a user-defined port, the port needs to be defined in PAM for the protocol being matched. The match protocol is more than just a match in the way that I normally think of it. It really says: see if the traffic matches the PAM-defined port for the protocol defined (x); if so, inspect it for (x). It is a match and identify as protocol (x), not just match. This URL is a PDF that is a must read for ZFW.

http://www.cisco.com/en/US/prod/vpndevc/ps5708/ps5710/ps1018/prod_configuration_example0900aecd804f1776.pdf
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
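The following is an added configuration example, not part of the thread above and not the solutions guide's answer. It shows the class-map with the http line moved ahead of the generic tcp line, so that HTTP sessions are identified and inspected as HTTP instead of falling into the tcp match first, and it adds a PAM entry so that a non-standard port is also identified as HTTP. The zone names, interface names, policy-map name and port 8080 are assumptions chosen for illustration.

```cisco
! Added example, not from the original post. Zone/interface/policy names and
! TCP port 8080 are assumptions.
!
! PAM: register TCP/8080 as HTTP so that "match protocol http" identifies
! traffic on that port as HTTP rather than as generic TCP.
ip port-map http port tcp 8080
!
! match-any evaluates the lines in order, so http must come before tcp;
! icmp and udp do not overlap with tcp, so their position does not matter.
class-map type inspect match-any INSPECT->OUT
 match protocol http
 match protocol icmp
 match protocol udp
 match protocol tcp
!
policy-map type inspect OUT-POLICY
 class type inspect INSPECT->OUT
  inspect
 class class-default
  drop
!
zone security INSIDE
zone security OUTSIDE
!
interface GigabitEthernet0/0
 zone-member security INSIDE
!
interface GigabitEthernet0/1
 zone-member security OUTSIDE
!
zone-pair security IN->OUT source INSIDE destination OUTSIDE
 service-policy type inspect OUT-POLICY
```

To check the result, confirm the PAM entry with show ip port-map http, generate an outbound web session, and look at show policy-map type inspect zone-pair IN->OUT sessions: with http listed first the session should be classified as http; with the original ordering the same session is caught by the tcp line, which is the behaviour the post describes.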
