Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
699
Views
4
Helpful
4
Replies

class-map type inspect statement with out match statement

sdniel
Level 1
Level 1

‎10-28-2008 05:23 PM - edited ‎03-11-2019 07:04 AM

In a ZBF (IOS 12.4(20)T1, what happens if the following class-map is used in a policy which is tied to a zone pair and an interface, but the class-map does not have a "match" statement under it? Is the default to drop all since there is no match? Or since there is a "match-any" statement, does it pass all traffic? This was set up automatically by SDM 2.5 and I'm trying to figure out what will happen here?

class-map type inspect match-any no-match

class-map type inspect match-all willwork

match class-map no-match

match access-group 110

policy-map type inspect whathappens

class type inspect willwork

inspect

class class-default

drop

zone security in

zone security out

zone-pair security out-self source out destination self

service-policy type inspect whathappens

interface GigabitEthernet 0/0

description Untrusted

zone-member security out

Thanks,

Scott

Labels:
0 Helpful
4 Replies 4

Marwan ALshawi
VIP Alumni
VIP Alumni

‎10-28-2008 07:45 PM

as long as the class dose not have match

no action will be taken until the match occuer

so nothing will happen

to make sure

do show policy-map whathappens interface GigabitEthernet 0/0

and see the matched traffic

it show 0

good luck

if helpful Rate

0 Helpful

sdniel
Level 1
Level 1
In response to Marwan ALshawi

‎10-29-2008 07:36 AM

When you say "nothing will happen", are you saying it will "pass" all traffic or "drop" all traffic?

0 Helpful

Marwan ALshawi
VIP Alumni
VIP Alumni
In response to sdniel

‎10-29-2008 02:46 PM

actually it will not pass or drop

the logic is

the calss map do matching then if there any match happend then the policy map that associated with this class will look what action configured to be taken

in ur case nothing will be match so the next stage which is the action stage will not be considered

hope this helps

sdniel
Level 1
Level 1
In response to Marwan ALshawi

‎10-30-2008 07:07 AM

So in this case, since class-map no-match is nested within class-map willwork, which has a match-all statement match class-map no-match "anded" with access list 110, does the policy whathappens inspect packets for only access-group 110? Wou8ld the result be the same if class-map no-match did not exist at all? You state that is does not pass or drop packets, so what does it do with them?

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card