You probably won't see the difference when it comes to passing only ICMP/UDP/TCP traffic (on a L3/L4 level). When matching only ACL in class-map, like:
  ip access-list extended ICMP
   permit icmp any any
  class-map type inspect match-all c-ICMP
   match access-group name ICMP

the result will be similar to matching the icmp, udp or tcp protocol:

  class-map type inspect match-all c-ICMP
   match protocol icmp

In that case ZBF does only basic inspection: passing returning traffic based on src/dst address (and ports for TCP/UDP traffic).

The difference is visible for higher level protocols, like http or ftp. When you configure a class-map matching L7 traffic, like:

  ip access-list extended HTTP
   permit tcp any any eq 80
  class-map type inspect match-all c-HTTP
   match access-group name HTTP
   match protocol http

the router knows that this is not only TCP traffic, but HTTP, and does deep-level packet inspection. In that case you can for example log and/or drop any protocol violation, like blocking a request containing a URI longer than the allowed value (allowed by RFC). An even better example would be with passing FTP traffic (passive mode) - I suspect that without "inspect ftp" you won't have the traffic for dynamically negotiated data ports allowed.

Also, when you match protocols (not only ACL), you can configure application-level inspection for applications that use unusual ports, like for example http traffic for TCP/8080:

  ip port-map http port 8080
  class-map type inspect match-all c-HTTP
   match protocol http

Without PAM and http protocol matching (with only ACLs configured for TCP/8080 port), it would be classified only as TCP traffic.

During the exam I personally advise you to *always* use match protocol in class-maps.

Marta Sokolowska.

2012/9/18 Jason Madsen <[email protected]>

[...]
>
> I've used both approaches in the past (not necessarily for echo and
> echo-reply...referring to using "match protocol" in addition to ACL, which
> specifies protocol) and didn't notice any functional differences whether I
> specified a "match protocol" statement or not. The policy seemed to drill
> down and inspect only what was specified in the ACL despite the "no
> protocol specified...will match all protocols" warning when not using
> "match protocol".
>
> However, I don't want to rely on functional differences I noticed or
> didn't notice during the lab :-). I want to be sure I clearly understand
> any differences there may be.
>
> Thanks,
> Jason
>
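A fuller ZBF configuration assembled from the snippets in this thread, added here as an illustration and not part of Marta's message: it puts the ACL-only class beside the protocol-aware classes, attaches an HTTP application policy that logs and resets over-long URIs, and ties it all to a zone-pair. Zone and policy names, the interfaces and the 1024-byte URI limit are assumptions.

```cisco
! ACL-only class: ZBF sees TCP/80 sessions but has no idea they carry HTTP,
! so only L3/L4 state is tracked and no L7 checks are possible.
ip access-list extended HTTP
 permit tcp any any eq 80
class-map type inspect match-all c-HTTP-ACL-ONLY
 match access-group name HTTP
!
! Protocol-aware classes: HTTP gets deep inspection, FTP gets its
! dynamically negotiated data channel opened, and PAM makes TCP/8080
! count as HTTP as well (assumed port).
ip port-map http port 8080
class-map type inspect match-all c-HTTP
 match protocol http
class-map type inspect match-all c-FTP
 match protocol ftp
!
! HTTP application inspection: log and reset requests whose URI is
! longer than 1024 bytes (assumed limit).
class-map type inspect http match-any c-HTTP-VIOLATION
 match request uri length gt 1024
policy-map type inspect http p-HTTP-DEEP
 class type inspect http c-HTTP-VIOLATION
  log
  reset
!
! Top-level inspect policy: only protocol-matched classes are used here;
! everything else is dropped and logged.
policy-map type inspect p-IN-OUT
 class type inspect c-HTTP
  inspect
  service-policy http p-HTTP-DEEP
 class type inspect c-FTP
  inspect
 class class-default
  drop log
!
zone security INSIDE
zone security OUTSIDE
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect p-IN-OUT
!
interface GigabitEthernet0/0
 zone-member security INSIDE
interface GigabitEthernet0/1
 zone-member security OUTSIDE
```

Swapping c-HTTP for c-HTTP-ACL-ONLY in p-IN-OUT would still pass web traffic, but the "service-policy http" line could no longer be applied and TCP/8080 sessions would be handled as plain TCP.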
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
