Hi Group, quick question...
is there any functional difference between the 2 policies:

*Option A:*

class-map type inspect match-all ICMP
 match access-group name ICMP_ACL
!
ip access-list extended ICMP_ACL
 permit icmp any any echo
ip access-list extended ICMP_ACL
 permit icmp any any echo-reply

*Option B:*

class-map type inspect match-all ICMP
 match protocol icmp
 match access-group name ICMP_ACL
!
ip access-list extended ICMP_ACL
 permit icmp any any echo
ip access-list extended ICMP_ACL
 permit icmp any any echo-reply

I've used both approaches in the past (not necessarily for echo and echo-reply...referring to using "match protocol" in addition to ACL, which specifies protocol) and didn't notice any functional differences whether I specified a "match protocol" statement or not. The policy seemed to drill down and inspect only what was specified in the ACL despite the "no protocol specified...will match all protocols" warning when not using "match protocol".

However, I don't want to rely on functional differences I noticed or didn't notice during the lab :-). I want to be sure I clearly understand any differences there may be.

Thanks,
Jason
