1 Reply Latest reply: Nov 27, 2011 11:06 PM by Aaron

    Zone Based Firewall  "class class-default"

    Jimmy P



      A quote from the above document.



      "Configuring Zone-Based Policy Firewall Policy-Maps

      The policy-map applies firewall policy actions to one or more class-maps to define the service-policy that will be applied to a security zone-pair. When an inspect-type policy-map is created, a default class named class class-default is applied at the end of the class. The class class-default’s default policy action is drop, but can be changed to pass.

      The log option can be added with the drop action. Inspect cannot be applied on class class-default."





      Router(config)#policy-map type inspect InsideToOutside
      Router(config-pmap)#class class-default ?
      Router(config-pmap)#class class-default
      Policy-map class configuration commands:
        drop            Drop the packet
        exit            Exit from class action configuration mode
        inspect         Context-based Access Control Engine
        no              Negate or set default values of a command
        pass            Pass the packet
        police          Police
        service-policy  Deep Packet Inspection Engine
        urlfilter       URL Filtering Engine

      %No specific protocol configured in class class-default for inspection. All protocols will be inspected
      Router(config-pmap-c)#do show run | s i policy-map
      policy-map type inspect InsideToOutside
      class class-default





      Maybe someone can explain.

        • 1. Re: Zone Based Firewall  "class class-default"



          The class-default class map is system defined. It represents all packets that do not match any of the user-defined ones. We can define explicit actions for this class. And if we DON'T configure any actions, the default one is drop.


          Actions that can be done within the class-default have been changing since the first release of the Zone-Based Policy Firewall feature, so maybe you are looking at some obsolete or older-version document.

          If you need to implement some feature and it does not work as expected, look for the documentation for the same version as the IOS you're actually running.
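Putting the quoted documentation and the reply above together, here is an added example (not from the original post, nor from Cisco's documentation) of the pattern that guidance implies: inspection is applied to a user-defined class-map, and class-default keeps its drop action, with logging so rejected flows are visible. Zone, interface and class names are assumptions, and the `match protocol` keywords available depend on the IOS release.

```cisco
! Assumed names throughout; adjust to the local design.
! Only the protocols that are meant to cross inside -> outside are
! listed here, so inspection is explicit rather than "all protocols".
class-map type inspect match-any INSIDE-TO-OUTSIDE-ALLOWED
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 ! inspect goes on the user-defined class, not on class-default
 class type inspect INSIDE-TO-OUTSIDE-ALLOWED
  inspect
 ! class-default is system defined and already drops when no action
 ! is set; making it explicit and adding log records what was denied
 class class-default
  drop log
!
zone security INSIDE
zone security OUTSIDE
!
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
!
interface GigabitEthernet0/0
 zone-member security INSIDE
!
interface GigabitEthernet0/1
 zone-member security OUTSIDE
```

Once applied, `show policy-map type inspect zone-pair IN-OUT` shows per-class hit counters, so traffic landing in class-default (and being dropped) can be confirmed rather than assumed.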