Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

The class-default class map

According to Cisco dumentation (

, the ASA is equipped with two default class-maps

class-map inspection_default

match default-inspection-traffic


class-map class-default

match any

The first makes perfect sense, but what is the class-default used for? Cisco says

"This class map appears at the end of all Layer 3/4 policy maps and essentially tells the adaptive security appliance to not perform any actions on all other traffic. You can use the class-default class map if desired, rather than making your own

match any class map. In fact, some features are only available for class-default."

But I see stuff like this:

policy-map MyPolicy

class class-default

  inspect tfp MyFTPpolicy

Obviously it is being used here to act on traffic! So I am confused.

I also noticed that when you upgrade from 8.2 to 8.4, all default class-maps are removed from the configuration: you have to re-create everything (strange)

Everyone's tags (5)
Cisco Employee

The class-default class map

Hello Collin,

This is Mike. I dont think it is well documented. Basically it is just a class map (that does not appear on the configuration unless an action is specified) that will match all traffic passing through the ASA firewall. Some features like NSEL (Netflow) and Traffic shaping are only allowed to use this kind of class maps because they dont support any other match command.

The one that you currently have (and God I hope its not applied)  will look for tftp traffic on every IP packet passing across the ASA.

This specific type of policy you have there can only be applied on the interface (as it is not a layer 7 inspection policy) you can check if it is applied or not by running the show "run service-policy command"


New Member

The class-default class map

So it sounds like using the class-default is not recommended unless you are doing it with QoS, Netflow, etc. yes?

If you want to inspect FTP traffic, you should do that with a layer 7 map?

Cisco Employee

The class-default class map

Hi Collin,

For the FTP traffic to work properly, with the regular inspection of FTP it would do it, however, if you want to block specific information inside the FTP packets such as different types of method (PUT,GET) usernames, specific files etc, you will be needing to use Layer 7.