Hi Tyson

That is correct. But for some cases, I am a bit confused.

Vol 2 - Lab 2 - Section 1.5. Task is to allow size more than mss. Where should we apply the class-map? I think it can be placed anywhere.

Other cases would be like:

police all inside traffic to 512 kbps
"set connection" actions to http traffic

For these cases, how should we proceed?

With regards
Kings

On Wed, Mar 31, 2010 at 7:58 PM, Tyson Scott <[email protected]> wrote:

> Kingsley,
>
> Very simply it is any time you want to affect traffic that is called out by
> the class-default.
>
> I.E. You are wanting to do HTTP specific actions and you are inspecting
> HTTP traffic in the default inspection class.
>
> So if you are applying a class with the following protocols
>
>   inspect dns preset_dns_map
>   inspect ftp
>   inspect h323 h225
>   inspect h323 ras
>   inspect netbios
>   inspect rsh
>   inspect rtsp
>   inspect skinny
>   inspect esmtp
>   inspect sqlnet
>   inspect sunrpc
>   inspect tftp
>   inspect sip
>   inspect xdmcp
>
> These are the defaults. Then you need to remove... apply your new class.
> Then re-apply the default.
>
> If you didn't have http inspection in the default class then you wouldn't
> have to remove it and re-add it.
>
> Regards,
>
> Tyson Scott - CCIE #13513 R&S, Security, and SP
> Technical Instructor - IPexpert, Inc.
> Mailto: [email protected]
> Telephone: +1.810.326.1444, ext. 208
> Live Assistance, Please visit: www.ipexpert.com/chat
> eFax: +1.810.454.0130
>
> IPexpert is a premier provider of Self-Study Workbooks, Video on Demand,
> Audio Tools, Online Hardware Rental and Classroom Training for the Cisco
> CCIE (R&S, Voice, Security & Service Provider) certification(s) with
> training locations throughout the United States, Europe, South Asia and
> Australia. Be sure to visit our online communities at
> www.ipexpert.com/communities and our public website at www.ipexpert.com
>
> From: [email protected] [mailto: [email protected]] On Behalf Of Kingsley Charles
> Sent: Wednesday, March 31, 2010 10:25 AM
> To: [email protected]
> Subject: [OSL | CCIE_Security] MPF with ASA
>
> Hi all
>
> When we have situations where we need to apply policies globally to the ASA,
> then sometimes there is a necessity where we need to remove the "class
> inspection_default", place our class-map with action and after that we add
> "class inspection_default".
>
> This seems to be very important. If not placed properly, then your MPF won't
> work properly.
>
> policy-map global_policy
>  class httptraffic
>   inspect http http_inspection_policy
>  class inspection_default
>   inspect dns preset_dns_map
>   inspect ftp
>   inspect h323 h225
>   inspect h323 ras
>   inspect netbios
>   inspect rsh
>   inspect http
>   inspect rtsp
>   inspect skinny
>   inspect esmtp
>   inspect sqlnet
>   inspect sunrpc
>   inspect tftp
>   inspect sip
>   inspect xdmcp
>
> My understanding is that when you need to have a specific traffic flow
> handled by MPF, then that should be at the top.
>
> Can someone please share any other situations where we would place our
> class-maps above "class inspection_default"?
>
> In the Cisco docs > ASA > Configuration Examples and Notes, I see that they
> just apply the class map under "policy-map global_policy"
> without removing class inspection_default and hence that will come below
>
> http://www.cisco.com/en/US/tech/tk365/technologies_configuration_example09186a008009487d.shtml
> - Handling BGP
>
> With regards
> Kings
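An added example, not part of the original thread and not Cisco tooling: a small Python check for the ordering discussed above. It flags any class that sits below `class inspection_default` while inspecting a protocol the default class already inspects. The function names and both sample policy-maps are constructed for illustration, and the policy-map text is assumed to be available as a string.

```python
def parse_policy_map(text):
    """Return [(class_name, [inspected protocols])] in configured order."""
    classes = []
    for raw in text.splitlines():
        words = raw.split()
        if len(words) < 2:
            continue
        if words[0] == "class":
            classes.append((words[1], []))
        elif words[0] == "inspect" and classes:
            # "inspect h323 h225" and "inspect http <map>" both key on word 2
            classes[-1][1].append(words[1])
    return classes


def misordered_classes(text, default_class="inspection_default"):
    """List (class, protocol) pairs configured after the default class
    that inspect a protocol the default class already inspects."""
    classes = parse_policy_map(text)
    names = [name for name, _ in classes]
    if default_class not in names:
        return []
    idx = names.index(default_class)
    default_protocols = set(classes[idx][1])
    return [(name, proto)
            for name, protos in classes[idx + 1:]
            for proto in protos if proto in default_protocols]


# Constructed sample: the order shown in the thread (custom class on top).
POSTED_ORDER = """
policy-map global_policy
 class httptraffic
  inspect http http_inspection_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect http
"""

# Constructed sample: the custom class simply added under the default class.
APPENDED_ORDER = """
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect http
 class httptraffic
  inspect http http_inspection_policy
"""

if __name__ == "__main__":
    print("posted order  :", misordered_classes(POSTED_ORDER))
    print("appended order:", misordered_classes(APPENDED_ORDER))
```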
