ZBF class-maps and different ways of doing them

Unanswered Question
Apr 2nd, 2012

Hi people, just thought I would ask a question on how to set up a ZBF (the question is at the end of the example configs).

I have been playing with this for a while now and would like to get advice on what the recommended way of doing multiple matches is.


OK, we all know the basics:

class-map type inspect match-any ZBF_CM_ICMP
 match protocol icmp

policy-map type inspect ZBF_PM_EXTERNAL->DMZ
 class type inspect ZBF_CM_ICMP
  inspect

and then the ZP doesn't need to be shown; this is a simple map using NBAR, fair enough.


Then we could do multiple matches:

class-map type inspect match-any ZBF_CM_STD_DMZ_PORTS
 match protocol icmp
 match protocol http
 match protocol dns
 match protocol https

policy-map type inspect ZBF_PM_DMZ->EXTERNAL
 class type inspect ZBF_CM_STD_DMZ_PORTS
  inspect

OK, still easy to understand, but now comes the bit that is a little more complex: non-NBAR matches.


ip access-list extended AL_RDP_PORT
 permit tcp any any eq 3389

class-map type inspect match-all ZBF_CM_RDP
 match access-group name AL_RDP_PORT

policy-map type inspect ZBF_PM_EXTERNAL->DMZ
 class type inspect ZBF_CM_RDP
  inspect

This config is now using an access list because NBAR doesn't have the protocol in it, then maps the AL to the CM, then the CM to the PM. The next example is what I set up to get more non-NBAR ports, and only for 1 host:


ip access-list extended AL_HOST_IP_IN
 permit ip any host 11.11.11.11

ip access-list extended AL_ISATAP
 permit 41 any any

ip access-list extended AL_TEREDO
 permit udp any any eq 3544

class-map type inspect match-any ZBF_CM_DirectAccess_Protocols
 description Nested Class Map
 match access-group name AL_ISATAP
 match access-group name AL_TEREDO
 match protocol https

class-map type inspect match-all ZBF_CM_APP_IN
 match access-group name AL_HOST_IP_IN
 ! a nested class-map is referenced with "match class-map", not "match access-group name"
 match class-map ZBF_CM_DirectAccess_Protocols

policy-map type inspect ZBF_PM_EXTERNAL->DMZ
 class type inspect ZBF_CM_APP_IN
  inspect
  ! (or pass, with a rule for the other direction)

This is what I set up and it works (not for this example, but the rule flow). I then was having issues with DMVPN and ZBF (turned out to be an IOS bug annoying me), but I used Cisco CP to set up the ZBF automatically for the DMVPN, and its ZBF rules were the same procedure as below.


ip access-list extended AL_HOST_IP_IN
 permit ip any host 11.11.11.11

ip access-list extended AL_ISATAP
 permit 41 any any

ip access-list extended AL_TEREDO
 permit udp any any eq 3544

class-map type inspect match-any CM_ISATAP
 match access-group name AL_ISATAP

class-map type inspect match-any CM_TEREDO
 match access-group name AL_TEREDO

class-map type inspect match-any ZBF_CM_DirectAccess_Protocols
 description Nested Class Map
 match class-map CM_ISATAP
 match class-map CM_TEREDO
 match protocol https

class-map type inspect match-all ZBF_CM_APP_IN
 match access-group name AL_HOST_IP_IN
 ! a nested class-map is referenced with "match class-map", not "match access-group name"
 match class-map ZBF_CM_DirectAccess_Protocols

policy-map type inspect ZBF_PM_EXTERNAL->DMZ
 class type inspect ZBF_CM_APP_IN
  inspect

So what Cisco CP did was make yet another level of nesting: rather than the match-any class map having the match access-group command, it made a CM with the access list, and then the main class map had only other match class-map commands in it.


QUESTION:

Why did Cisco CP do the extra nesting?

Both ways worked, but I would like to know why Cisco CP did the same thing with the other layer of CM. Did it do this for best practice, or does this make changes later easier? I can't understand what the advantage is to doing it this way... but if there is a valid reason then great, I'm just trying to understand.



thanks


regards


A very sore-headed


Dave
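As an added example, not from the original post: a small Python model of the two class-map shapes discussed above (the hand-written match-all over a match-any of ACLs, and the extra layer Cisco CP generated with one class-map per ACL), evaluated against constructed packets. The names DA_DIRECT, APP_IN_DIRECT, DA_NESTED and APP_IN_NESTED and the sample packets are constructed here; ACL and NBAR matches are reduced to simple header checks.

```python
from collections import namedtuple

# Model of how IOS ZBF class-maps compose: match-any is OR over its match lines, match-all
# is AND, and "match class-map" recurses into the named class-map. ACL/NBAR matches are
# reduced to header predicates; names, ports and host 11.11.11.11 follow the post.
Packet = namedtuple("Packet", "proto dst dport", defaults=(None,))  # proto: "tcp", "udp" or protocol number as text

ACLS = {  # stand-ins for the post's extended ACLs
    "AL_HOST_IP_IN": lambda p: p.dst == "11.11.11.11",
    "AL_ISATAP": lambda p: p.proto == "41",
    "AL_TEREDO": lambda p: p.proto == "udp" and p.dport == 3544,
}
PROTOCOLS = {"https": lambda p: p.proto == "tcp" and p.dport == 443}  # NBAR match, as a port check
CLASS_MAPS = {}  # name -> (mode, match lines)

def class_map(name, mode, *lines):
    CLASS_MAPS[name] = (mode, lines)

def matches(cm_name, pkt):
    mode, lines = CLASS_MAPS[cm_name]
    def one(kind, ref):  # a single match line; nested class-maps are evaluated recursively
        if kind == "class-map":
            return matches(ref, pkt)
        return bool((ACLS if kind == "access-group" else PROTOCOLS)[ref](pkt))
    results = [one(kind, ref) for kind, ref in lines]
    return any(results) if mode == "match-any" else all(results)

# Shape 1 (hand-written in the post): the match-any lists the ACLs directly.
class_map("DA_DIRECT", "match-any", ("access-group", "AL_ISATAP"),
          ("access-group", "AL_TEREDO"), ("protocol", "https"))
class_map("APP_IN_DIRECT", "match-all", ("access-group", "AL_HOST_IP_IN"), ("class-map", "DA_DIRECT"))

# Shape 2 (Cisco CP's output in the post): each ACL is first wrapped in its own class-map.
class_map("CM_ISATAP", "match-any", ("access-group", "AL_ISATAP"))
class_map("CM_TEREDO", "match-any", ("access-group", "AL_TEREDO"))
class_map("DA_NESTED", "match-any", ("class-map", "CM_ISATAP"),
          ("class-map", "CM_TEREDO"), ("protocol", "https"))
class_map("APP_IN_NESTED", "match-all", ("access-group", "AL_HOST_IP_IN"), ("class-map", "DA_NESTED"))

SAMPLE = [  # constructed packets
    Packet("41", "11.11.11.11"),         # ISATAP to the DirectAccess host
    Packet("udp", "11.11.11.11", 3544),  # Teredo to the host
    Packet("tcp", "11.11.11.11", 443),   # HTTPS to the host
    Packet("tcp", "11.11.11.11", 3389),  # RDP to the host: not in the protocol set
    Packet("41", "10.0.0.5"),            # ISATAP to another host: fails the host ACL
]

def compare():
    """Return (packet, direct verdict, nested verdict) for each constructed packet."""
    return [(p, matches("APP_IN_DIRECT", p), matches("APP_IN_NESTED", p)) for p in SAMPLE]
```

Running compare() shows both shapes give the same verdict for every sample packet: only the three DirectAccess protocols to 11.11.11.11 match, RDP to the host and ISATAP to any other host do not.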
