
Zone Based Firewall  "class class-default"

Nov 27, 2011 10:40 PM

Jimmy P 169 posts since
Jun 14, 2009

http://www.cisco.com/image/gif/paws/98628/zone-design-guide.pdf

A quote from the above document:
"Configuring Zone-Based Policy Firewall Policy-Maps

The policy-map applies firewall policy actions to one or more class-maps to define the service-policy that will be applied to a security zone-pair. When an inspect-type policy-map is created, a default class named class class-default is applied at the end of the class. The class class-default’s default policy action is drop, but can be changed to pass.

The log option can be added with the drop action. Inspect cannot be applied on class class-default."

Router(config)#policy-map type inspect InsideToOutside
Router(config-pmap)#class class-default ?
  <cr>

Router(config-pmap)#class class-default
Router(config-pmap-c)#?
Policy-map class configuration commands:
  drop            Drop the packet
  exit            Exit from class action configuration mode
  inspect         Context-based Access Control Engine
  no              Negate or set default values of a command
  pass            Pass the packet
  police          Police
  service-policy  Deep Packet Inspection Engine
  urlfilter       URL Filtering Engine
  <cr>

Router(config-pmap-c)#inspect
%No specific protocol configured in class class-default for inspection. All protocols will be inspected
Router(config-pmap-c)#do show run | s i policy-map
policy-map type inspect InsideToOutside
class class-default
  inspect
Router(config-pmap-c)#

Maybe someone can explain.

  • Aaron 129 posts since
    Aug 23, 2009
    1. Nov 27, 2011 11:06 PM (in response to Jimmy P)
    Re: Zone Based Firewall "class class-default"

    Hi,

    The class-default class map is system defined. It represents all packets that do not match any of the user-defined classes. We can define explicit actions for this class. And if we DON'T configure any actions, the default one is drop.

    Actions that can be done within the class-default have been changing since the first release of the Zone-Based Policy Firewall feature, so maybe you are looking at some obsolete or older version of the document.

    If you need to implement some feature and it does not work as expected, look for the documentation on the same version as the IOS you're actually running.

    Cheers,
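The thread above boils down to one practical question for anyone reviewing a Zone-Based Policy Firewall configuration: what actually happens to traffic that no user-defined class matches? The reply says class-default is system defined and drops when no action is configured, and the original post shows that current IOS nevertheless accepts inspect on class-default, with the router warning that "All protocols will be inspected". The following Python script is an added example, not code from the thread or from Cisco. It parses "show run | section policy-map" style text, works out the effective class-default action for every inspect policy-map, and flags the permissive cases. The class and policy-map names other than InsideToOutside, and the configuration text itself, are constructed for the example.

```python
import re

# Constructed sample in the shape of "show run | section policy-map":
# the first policy-map reproduces the question (class-default set to inspect);
# the other two use hypothetical names to show the remaining cases.
SAMPLE_CONFIG = """\
policy-map type inspect InsideToOutside
 class class-default
  inspect
!
policy-map type inspect OutsideToInside
 class type inspect WEB-TRAFFIC
  inspect
 class class-default
  drop log
!
policy-map type inspect DmzToInside
 class type inspect DNS-ONLY
  inspect
"""


def parse_inspect_policy_maps(config_text):
    """Return {policy_map: {class_name: [action lines]}} for every
    'policy-map type inspect' block. Class lines are recognised by keyword
    rather than indentation, because pasted CLI output often loses leading
    spaces (as in the question's own show run excerpt)."""
    policies = {}
    current_pm = None
    current_class = None
    for raw in config_text.splitlines():
        text = raw.strip()
        if not text or text.startswith("!"):
            continue
        m = re.match(r"policy-map type inspect (\S+)$", text)
        if m:
            current_pm = m.group(1)
            current_class = None
            policies[current_pm] = {}
            continue
        if current_pm is None:
            continue
        if text.startswith("class "):
            # "class class-default" or "class type inspect NAME"
            current_class = text.split()[-1]
            policies[current_pm][current_class] = []
            continue
        if raw[:1] != " ":
            # Any other unindented line (class-map, interface, ...) ends the block.
            current_pm = None
            current_class = None
            continue
        if current_class is not None:
            policies[current_pm][current_class].append(text)
    return policies


def effective_class_default(classes):
    """Effective class-default action for one policy-map. As the reply states,
    class-default is system defined and drops when no action is configured,
    so a missing or empty class-default means 'drop'."""
    actions = classes.get("class-default", [])
    if not actions:
        return "drop"
    return actions[0].split()[0]


def audit(config_text):
    """Map each inspect policy-map to (effective class-default action, note).
    A note is raised when unmatched traffic is inspected or passed rather than
    dropped, since every protocol that no user-defined class matched is then
    allowed through the zone-pair."""
    findings = {}
    for pm, classes in parse_inspect_policy_maps(config_text).items():
        action = effective_class_default(classes)
        note = None
        if action == "inspect":
            note = (f"{pm}: class-default inspects all unmatched traffic "
                    "(all protocols); more permissive than the drop default")
        elif action == "pass":
            note = f"{pm}: class-default passes unmatched traffic with no inspection"
        findings[pm] = (action, note)
    return findings


if __name__ == "__main__":
    for pm, (action, note) in audit(SAMPLE_CONFIG).items():
        print(f"{pm}: class-default -> {action}" + (f"  [{note}]" if note else ""))
```

Run against a real "show run | section policy-map" capture, the script lists one line per inspect policy-map; the InsideToOutside case from the question is reported as inspect with a note, the policy-map with an explicit "drop log" and the one with no class-default at all both come out as drop, which is the behaviour the reply describes.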
