Thanks, Marta and Jason. I wanted to ask the same question and you explained it very well.
From: [email protected] [mailto:[email protected]] On Behalf Of Marta Sokolowska
Sent: 18 September 2012 03:10 PM
To: Jason Madsen
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] ZBFW Protocol Inspection Class Maps

You probably won't see the difference when it comes to passing only ICMP/UDP/TCP traffic (on a L3/L4 level). When matching only an ACL in the class-map, like:

    ip access-list extended ICMP
     permit icmp any any
    class-map type inspect match-all c-ICMP
     match access-group name ICMP

the result will be similar to matching the icmp, udp or tcp protocol:

    class-map type inspect match-all c-ICMP
     match protocol icmp

In that case ZBF does only basic inspection: passing returning traffic based on src/dst address (and ports for TCP/UDP traffic).

The difference is visible for higher level protocols, like http or ftp. When you configure a class-map matching L7 traffic, like:

    ip access-list extended HTTP
     permit tcp any any eq 80
    class-map type inspect match-all c-HTTP
     match access-group name HTTP
     match protocol http

the router knows that this is not only TCP traffic, but HTTP, and does deep-level packet inspection. In that case you can for example log and/or drop any protocol violation, like blocking a request containing a URI longer than the allowed value (allowed by RFC).

An even better example would be with passing FTP traffic (passive mode) - I suspect that without "inspect ftp" you won't have the traffic for dynamically negotiated data ports allowed.

Also, when you match protocols (not only ACL), you can configure application-level inspection for applications that use unusual ports, like for example http traffic on TCP/8080:

    ip port-map http port 8080
    class-map type inspect match-all c-HTTP
     match protocol http

Without PAM and http protocol matching (with only ACLs configured for the TCP/8080 port), it would be classified only as TCP traffic.

During the exam I personally advise you to always use match protocol in class-maps.

Marta Sokolowska.
2012/9/18 Jason Madsen <[email protected]>

[...] I've used both approaches in the past (not necessarily for echo and echo-reply... referring to using "match protocol" in addition to an ACL, which specifies the protocol) and didn't notice any functional differences whether I specified a "match protocol" statement or not. The policy seemed to drill down and inspect only what was specified in the ACL despite the "no protocol specified... will match all protocols" warning when not using "match protocol". However, I don't want to rely on functional differences I noticed or didn't notice during the lab :-). I want to be sure I clearly understand any differences there may be.

Thanks,
Jason
