Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
Community Member

class-map vs class-map type inspect

I'm having a hard time understanding the difference between the following commands.

class-map match-any Name

class-map type inspect match-any Name

policy-map Name

policy-map type inspect Name

Also a policy-map of type inspect can apparently have a regular class-map or a class-map type inspect under it. Can someone please help explain the uses for the different types of class/policy maps and what each one is specifically used for?

Thank you very much.


Re: class-map vs class-map type inspect

Easiest way is to explain that the inspection type class map and policy map is used for treating, specific traffic such as TCP, FTP, SMTP and so on, if you define an inspection type class map/policy map say for example an FTP class map you will have features available for FTP traffic such as strict ftp inspection, specific allowance of commands like DELETE, LIST and so. And the normal class map is used for general traffic selection criteria.

Community Member

Re: class-map vs class-map type inspect

Here's an example I made real quick. In both the class-map and class-map type inspect I'm inspecting edonkey traffic. Can either of these be used for ZBF?

Is class-map typically used just for QoS while class-map type inspect is used for ZBF? Also when would a regular class-map be used under a policy-map type inspect?

class-map match-any NoType

match protocol edonkey

class-map type inspect match-all TypeInspect

match protocol edonkey



policy-map NoType

class NoType

police 1000000

policy-map type inspect TypeInspect

class type inspect TypeInspect


CreatePlease to create content