Option 1 would match on TCP port 80. Option 2 could match on either TCP or UDP port 80.
Matt Manire
CCSP, CCNP, CCDP, MCSE 2003 & MCSE 2000
Information Systems Security Manager
[email protected]
t: 817.525.1863 f: 817.525.1903 m: 817.271.9165
First Rate | 1903 Ascension Boulevard | Arlington, TX 76006 | www.FirstRate.com <http://www.firstrate.com/>

From: [email protected] [mailto:[email protected]] On Behalf Of GuardGrid
Sent: Monday, July 09, 2012 9:28 PM
To: Ben Shaw
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] Match port or match access-list

None. The advantage of an ACL is more granularity in defining the match, if required by the task.

On Mon, Jul 9, 2012 at 9:27 PM, Ben Shaw <[email protected]> wrote:

Hi All

I am just doing some practice on protocol inspection using MPF on ASA. I am generally using ACLs to match my traffic in my L3/L4 class maps, though at times the answers I see match just on the port number.

Apart from being able to define source and destination IP addresses in ACLs, as compared to matching just on a port number in a class map, are there any deeper benefits to matching on one or the other when using MPF, especially in regards to then implementing L7 application inspection?

Below is what I mean:

Option 1
access-list http-out extended permit tcp any any eq http log
class-map http-outside
 match access-list http-out

Option 2
class-map http-outside
 match port eq 80

Thanks
Ben

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
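As an added example, not part of the original thread or anyone's posted config, the following complete MPF configuration puts the two match styles from Ben's question side by side and attaches L7 HTTP inspection to one of them. The interface name (outside), the inside subnet (10.1.1.0/24), the class-map and policy-map names, and the HTTP inspection policy (allow only GET and POST) are assumptions for illustration.

```cisco
! Added example, not from the original thread. Interface name, addresses,
! object names and the inspection policy are assumed for illustration.

! Option 1: the ACL carries source/destination context, so the class only
! selects HTTP originating from the assumed inside subnet 10.1.1.0/24.
access-list http-out extended permit tcp 10.1.1.0 255.255.255.0 any eq http
class-map http-outside-acl
 match access-list http-out

! Option 2: on the ASA, match port needs a protocol keyword (tcp or udp);
! this class selects TCP/80 from any source to any destination.
class-map http-outside-port
 match port tcp eq 80

! L7 policy: a match-all class that is true only when the request method is
! neither GET nor POST, and an inspect http policy-map that drops those
! connections and also drops protocol violations (assumed policy).
class-map type inspect http match-all http-bad-methods
 match not request method get
 match not request method post
policy-map type inspect http http-restrict
 parameters
  protocol-violation action drop-connection log
 class http-bad-methods
  drop-connection log

! L3/L4 policy: apply the L7 inspection to the ACL-selected class only.
! Swap in http-outside-port to inspect every TCP/80 flow regardless of source.
policy-map outside-policy
 class http-outside-acl
  inspect http http-restrict

service-policy outside-policy interface outside
```

After generating some test HTTP traffic, show service-policy interface outside reports per-class packet counts and drop counters, which is the quickest way to confirm that the ACL-based class is seeing the traffic you intended and that the L7 policy is actually firing.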
