Excellent example.
Did not get a straight answer for the last year.

Best Regards.
______________________
Adil

On Sep 18, 2012, at 9:45 PM, Johan Bornman - ISC wrote:

> Thanks, Marta and Jason. I wanted to ask the same question and you explained 
> it very well.
>  
> From: [email protected] 
> [mailto:[email protected]] On Behalf Of Marta 
> Sokolowska
> Sent: 18 September 2012 03:10 PM
> To: Jason Madsen
> Cc: [email protected]
> Subject: Re: [OSL | CCIE_Security] ZBFW Protocol Inspection Class Maps
>  
> You probably won't see the difference when it comes to passing only 
> ICMP/UDP/TCP traffic (on a L3/L4 level). When matching only ACL in class-map, 
> like:
> 
> ip access-list extended ICMP
>  permit icmp any any
> 
> class-map type inspect match-all c-ICMP
>  match access-group name ICMP
> 
> the result will be similar to matching icmp, udp or tcp protocol:
> 
> class-map type inspect match-all c-ICMP
>  match protocol icmp
> 
> In that case ZBF does only basic inspection: passing returning traffic based 
> on src/dst address (and ports for TCP/UDP traffic).
> 
> The difference is visible for higher level protocols, like http or ftp. When 
> you configure class-map with matching L7 traffic, like:
> 
> ip access-list extended HTTP
>  permit tcp any any eq 80
> 
> class-map type inspect match-all c-HTTP
>  match access-group name HTTP
>  match protocol http
> 
> router knows that this is not only TCP traffic, but HTTP and does deep-level 
> packet inspection. In that case you can for example log and/or drop any 
> protocol violation, like blocking a request containing a URI longer than the 
> allowed value (allowed by RFC). An even better example would be with passing 
> FTP traffic (passive mode) - I suspect that without "inspect ftp" you won't 
> have the traffic for dynamically negotiated data ports allowed.
> 
> Also, when you match protocols (not only ACL), you can configure 
> application-level inspection for applications that use unusual ports, like 
> for example http traffic for TCP/8080:
> 
> ip port-map http port 8080
> 
> class-map type inspect match-all c-HTTP
>  match protocol http
> 
> Without PAM and http protocol matching (with only ACLs configured for 
> TCP/8080 port), it would be classified only as the TCP traffic.
> 
> During the exam I personally advise you to always use match protocol in 
> class-maps.
> 
> Marta Sokolowska.
> 
> 
> 2012/9/18 Jason Madsen <[email protected]>
> 
> [...]
> 
> I've used both approaches in the past (not necessarily for echo and 
> echo-reply...referring to using "match protocol" in addition to ACL, which 
> specifies protocol) and didn't notice any functional differences whether I 
> specified a "match protocol" statement or not.  The policy seemed to drill 
> down and inspect only what was specified in the ACL despite the "no protocol 
> specified...will match all protocols" warning when not using "match protocol".
> 
> However, I don't want to rely on functional differences I noticed or didn't 
> notice during the lab :-).  I want to be sure I clearly understand any 
> differences there may be.
> 
> Thanks,
> Jason
>  
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please 
> visit www.ipexpert.com
> 
> Are you a CCNP or CCIE and looking for a job? Check out 
> www.PlatinumPlacement.com
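The following is an added editor's example, not configuration from any message in this thread. It ties Marta's three points together in one ZBFW policy: an ACL-only class that gets nothing more than L4 session tracking, an HTTP class that combines the ACL with "match protocol http" so the Layer 7 engine can enforce a URI-length limit, a PAM entry so HTTP on TCP/8080 is classified as HTTP rather than plain TCP, and an FTP class whose "inspect" action is what opens the pinholes for passive-mode data connections. Zone and interface names, the ACL names, the 512-byte URI limit and the "reset"/"log" actions are assumptions chosen for illustration; the syntax is the IOS 15.x ZBFW syntax and should be checked against the platform used in the lab.

```cisco
! Assumed zones and interfaces (illustrative names)
zone security INSIDE
zone security OUTSIDE
interface GigabitEthernet0/0
 zone-member security INSIDE
interface GigabitEthernet0/1
 zone-member security OUTSIDE

! Layer 3/4 filter for the web and FTP control ports (assumed ACL name)
ip access-list extended ACL-WEB-FTP
 permit tcp any any eq 80
 permit tcp any any eq 8080
 permit tcp any any eq 21

! Port-to-application map: without this line, TCP/8080 is "just TCP"
! and never reaches the HTTP inspection engine
ip port-map http port tcp 8080

! Layer 7 HTTP class/policy: this is only usable because the parent
! class below matches "protocol http", not just an ACL
class-map type inspect http match-any HTTP-VIOLATIONS
 match request uri length gt 512
 match req-resp protocol-violation
policy-map type inspect http HTTP-POLICY
 class type inspect http HTTP-VIOLATIONS
  log
  reset

! Layer 3/4 classes. match-all = ACL AND protocol must both match.
class-map type inspect match-all C-HTTP
 match access-group name ACL-WEB-FTP
 match protocol http
class-map type inspect match-all C-FTP
 match access-group name ACL-WEB-FTP
 match protocol ftp
! ACL-only class: stateful return traffic by address/port, nothing deeper
class-map type inspect match-all C-ICMP
 match access-group name ACL-ICMP
ip access-list extended ACL-ICMP
 permit icmp any any

policy-map type inspect PM-IN-OUT
 class type inspect C-HTTP
  inspect
  service-policy http HTTP-POLICY
 class type inspect C-FTP
  inspect
 class type inspect C-ICMP
  inspect
 class class-default
  drop log

zone-pair security ZP-IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect PM-IN-OUT
```

To confirm which engine a flow actually hit, open a passive FTP transfer and an HTTP request on 8080 from INSIDE and run "show policy-map type inspect zone-pair ZP-IN-OUT sessions": the FTP control session should show the dynamically created data-channel session under it, and the 8080 flow should be listed under C-HTTP rather than class-default. If the "ip port-map" line is removed, the same 8080 request falls to class-default and is dropped, which is the behaviour Marta describes for an ACL-only classification.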
