Thank you all, I'm glad that I could help :-) Marta Sokolowska.
2012/9/19 Adil Pasha <[email protected]>
> Excellent example.
> Did not get a straight answer for the last year.
>
> Best Regards.
> ______________________
> Adil
>
> On Sep 18, 2012, at 9:45 PM, Johan Bornman - ISC wrote:
>
> Thanks, Marta and Jason. I wanted to ask the same question and you
> explained it very well.
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Marta Sokolowska
> Sent: 18 September 2012 03:10 PM
> To: Jason Madsen
> Cc: [email protected]
> Subject: Re: [OSL | CCIE_Security] ZBFW Protocol Inspection Class Maps
>
> You probably won't see the difference when it comes to passing only
> ICMP/UDP/TCP traffic (on a L3/L4 level). When matching only an ACL in
> the class-map, like:
>
> ip access-list extended ICMP
>  permit icmp any any
>
> class-map type inspect match-all c-ICMP
>  match access-group name ICMP
>
> the result will be similar to matching the icmp, udp or tcp protocol:
>
> class-map type inspect match-all c-ICMP
>  match protocol icmp
>
> In that case ZBF does only basic inspection: passing returning traffic
> based on src/dst address (and ports for TCP/UDP traffic).
>
> The difference is visible for higher level protocols, like http or ftp.
> When you configure a class-map matching L7 traffic, like:
>
> ip access-list extended HTTP
>  permit tcp any any eq 80
>
> class-map type inspect match-all c-HTTP
>  match access-group name HTTP
>  match protocol http
>
> the router knows that this is not only TCP traffic, but HTTP, and does
> deep-level packet inspection. In that case you can for example log and/or
> drop any protocol violation, like blocking a request containing a URI
> longer than the allowed value (allowed by RFC). An even better example
> would be passing FTP traffic (passive mode) - I suspect that without
> "inspect ftp" you won't have the traffic for dynamically negotiated data
> ports allowed.
>
> Also, when you match protocols (not only ACL), you can configure
> application-level inspection for applications that use unusual ports, like
> for example http traffic on TCP/8080:
>
> ip port-map http port 8080
>
> class-map type inspect match-all c-HTTP
>  match protocol http
>
> Without PAM and http protocol matching (with only ACLs configured for
> the TCP/8080 port), it would be classified only as TCP traffic.
>
> During the exam I personally advise you to *always* use match protocol in
> class-maps.
>
> Marta Sokolowska.
>
>
> 2012/9/18 Jason Madsen <[email protected]>
> [...]
>
> I've used both approaches in the past (not necessarily for echo and
> echo-reply... referring to using "match protocol" in addition to an ACL, which
> specifies the protocol) and didn't notice any functional differences whether I
> specified a "match protocol" statement or not. The policy seemed to drill
> down and inspect only what was specified in the ACL despite the "no
> protocol specified... will match all protocols" warning when not using
> "match protocol".
>
> However, I don't want to rely on functional differences I noticed or
> didn't notice during the lab :-). I want to be sure I clearly understand
> any differences there may be.
>
> Thanks,
> Jason
>
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
