I don't think your suggestion would work King. I think when you go under policy-map to attach a class-map you must have configured at least 1 INSPECT. A class-map with no inspect statement, when attached under policy-map, generates this:

%No specific protocol configured in class test for inspection. All protocols will be inspected

I don't know the answer for the question but would shoot that is not possible as King said.

On Tue, Mar 1, 2011 at 9:43 AM, Kingsley Charles <[email protected]> wrote:

> BGP and RIP, which use TCP and UDP, can be inspected. But not sure if OSPF
> and EIGRP, which are directly encapsulated in IP, can be inspected using their
> protocol numbers.
>
> You can configure an access-list for ospf/eigrp and associate it to the class map
> for testing it.
>
> With regards
> Kings
>
> On Tue, Mar 1, 2011 at 10:42 AM, Richard Chan <[email protected]> wrote:
>
>> Hi,
>>
>> What is the best practice for allowing IGP traffic
>> when self zones are configured in both directions?
>>
>> 1. Say you have self-Outside zone and Outside-self zone configured.
>>
>> 2. For IGPs like OSPF/RIP/EIGRP would you add a PASS action class
>> to both zone-pairs? Or do you "inspect" one of them? I don't think of
>> IGP peerings as "sessions" in the UDP/TCP sense.
>>
>> !---
>> policy-map type inspect XXX-out-self
>>  class IGP
>>   pass
>> !--- apply to Outside-self zone-pair
>> !---
>> policy-map type inspect XXX-self-out
>>  class IGP
>>   pass
>> !--- apply to self-Outside zone-pair
>>
>> _______________________________________________
>> For more information regarding industry leading CCIE Lab training, please
>> visit www.ipexpert.com

--
Bruno Fagioli (by Jaunty Jackalope)
Cisco Security Professional
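The configuration Richard sketches, written out end to end as an added example (it is not from any poster in the thread): an ACL-matched IGP class with a pass action on both self zone-pairs, which is the approach Kingsley suggests. The ACL name, zone-pair names and interface are assumed, and the syntax has not been verified against a specific IOS release.

```cisco
! Assumed names: IGP-ACL, OUT-SELF, SELF-OUT, GigabitEthernet0/0
! Match the IGPs by IP protocol (OSPF=89, EIGRP=88) and RIP by UDP/520
ip access-list extended IGP-ACL
 permit ospf any any
 permit eigrp any any
 permit udp any any eq rip
!
class-map type inspect match-any IGP
 match access-group name IGP-ACL
!
! "pass" forwards matching packets without creating a session; that fits
! IGP traffic, which is not a client/server flow the inspect engine tracks.
policy-map type inspect XXX-out-self
 class type inspect IGP
  pass
 class class-default
  drop log
!
policy-map type inspect XXX-self-out
 class type inspect IGP
  pass
 class class-default
  drop log
!
zone security Outside
interface GigabitEthernet0/0
 zone-member security Outside
!
! Both directions need a policy: hello/update packets originate on the
! router (self -> Outside) and arrive from neighbours (Outside -> self).
zone-pair security OUT-SELF source Outside destination self
 service-policy type inspect XXX-out-self
zone-pair security SELF-OUT source self destination Outside
 service-policy type inspect XXX-self-out
```

Once a policy is attached to a self zone-pair, anything class-default catches is dropped, so management traffic to the router (SSH, SNMP, NTP, syslog) needs its own class before this is applied, and `drop log` on class-default shows what else is hitting the control plane.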
