Cisco Support Community
New Member

class-map type inspect statement with out match statement

In a ZBF (IOS 12.4(20)T1), what happens if the following class-map is used in a policy which is tied to a zone pair and an interface, but the class-map does not have a "match" statement under it? Is the default to drop all since there is no match? Or since there is a "match-any" statement, does it pass all traffic? This was set up automatically by SDM 2.5 and I'm trying to figure out what will happen here.

class-map type inspect match-any no-match
class-map type inspect match-all willwork
 match class-map no-match
 match access-group 110
policy-map type inspect whathappens
 class type inspect willwork
  inspect
 class class-default
  drop
zone security in
zone security out
zone-pair security out-self source out destination self
 service-policy type inspect whathappens
interface GigabitEthernet 0/0
 description Untrusted
 zone-member security out

Thanks,

Scott

4 REPLIES

Re: class-map type inspect statement with out match statement

As long as the class does not have a match, no action will be taken until the match occurs, so nothing will happen.

To make sure, do show policy-map whathappens interface GigabitEthernet 0/0 and see the matched traffic; it shows 0.

good luck

if helpful Rate

New Member

Re: class-map type inspect statement with out match statement

When you say "nothing will happen", are you saying it will "pass" all traffic or "drop" all traffic?

Re: class-map type inspect statement with out match statement

Actually, it will not pass or drop.

The logic is: the class map does the matching; then, if any match happened, the policy map that is associated with this class will look at what action is configured to be taken.

In your case nothing will be matched, so the next stage, which is the action stage, will not be considered.

hope this helps

New Member

Re: class-map type inspect statement with out match statement

So in this case, since class-map no-match is nested within class-map willwork, which has a match-all statement match class-map no-match "anded" with access list 110, does the policy whathappens inspect packets for only access-group 110? Would the result be the same if class-map no-match did not exist at all? You state that it does not pass or drop packets, so what does it do with them?
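One way to find this pattern in a saved configuration, as an added example that is not part of the thread: it only reports inspect class-maps that have no match lines and class-maps that nest one, and makes no claim about how IOS treats them. The sample text is the configuration from the question; the function names are hypothetical, and protocol-specific forms such as class-map type inspect http are not parsed.

```python
import re

# Constructed sample: the class-map and policy-map stanzas from the question.
SAMPLE_CONFIG = """\
class-map type inspect match-any no-match
class-map type inspect match-all willwork
 match class-map no-match
 match access-group 110
policy-map type inspect whathappens
 class type inspect willwork
  inspect
 class class-default
  drop
"""

HEADER = re.compile(r"^class-map type inspect (?:(match-any|match-all) )?(\S+)$")

def parse_class_maps(config):
    """Return {name: {"mode": ..., "matches": [...]}} for inspect class-maps."""
    class_maps, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()           # works on indented or flattened pastes
        if not line or line == "!":
            continue
        header = HEADER.match(line)
        if header:
            # IOS uses match-all when the keyword is omitted
            mode = header.group(1) or "match-all"
            current = class_maps.setdefault(header.group(2), {"mode": mode, "matches": []})
        elif line.startswith("match ") and current is not None:
            current["matches"].append(line[len("match "):])
        else:
            current = None           # any other command ends the class-map stanza
    return class_maps

def audit(config):
    """Flag inspect class-maps with no match lines, and class-maps that nest one."""
    cms = parse_class_maps(config)
    empty = sorted(name for name, cm in cms.items() if not cm["matches"])
    findings = [(name, cms[name]["mode"], "no match statements") for name in empty]
    for name, cm in cms.items():
        for match in cm["matches"]:
            ref = match[len("class-map "):] if match.startswith("class-map ") else None
            if ref in empty:
                findings.append((name, cm["mode"], "nests empty class-map " + ref))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```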
