The design recommendation is to match the protocol in the class map. The
reason for doing this is to prevent unnecessary packet inspection for
traffic that doesn't apply. The second option is the better choice.
Regards,
Tyson Scott - CCIE #13513 R&S, Security, and SP
Managing Partner / Sr. Instructor - IPexpert, Inc.
Mailto: tscott_at_ipexpert.com
-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
Maarten Vervoorn
Sent: Wednesday, June 23, 2010 8:12 AM
To: Cisco certification
Subject: Zone based firewall
Hi,
A question regarding zone based firewall.
When you are asked to inspect FTP traffic to a specific
destination, will both answers below give you the points?
1:
ip access-list extended FTP
 permit tcp any host 172.16.1.1 eq ftp
 permit tcp any host 172.16.1.1 eq ftp-data
!
class-map type inspect FTP
 match access-group name FTP
!
policy-map type inspect INT-EXT
 class type inspect FTP
  inspect
--------------------------------------------------
2:
ip access-list extended R1
 permit ip any host 172.16.1.1
!
class-map type inspect match-all FTP
 match protocol ftp
 match access-group name R1
!
policy-map type inspect INT-EXT
 class type inspect FTP
  inspect
--------------------------------------------------
Kind regards,
Maarten
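A complete zone-based firewall configuration built around the second option, added here as a worked example; it is not part of either message above. The zone names (INSIDE, OUTSIDE), the interface names (GigabitEthernet0/0, GigabitEthernet0/1) and the class-default action are assumptions for illustration; the ACL, class-map and policy-map are the ones from option 2, and the zone, zone-pair and service-policy lines are what the posted snippets leave out.

```cisco
! Zones and interface membership (zone and interface names are assumed)
zone security INSIDE
zone security OUTSIDE
!
interface GigabitEthernet0/0
 description Inside LAN (assumed)
 zone-member security INSIDE
!
interface GigabitEthernet0/1
 description Outside (assumed)
 zone-member security OUTSIDE
!
! Restrict the class to one destination host; the protocol match below
! narrows it further to FTP among the flows this ACL permits
ip access-list extended R1
 permit ip any host 172.16.1.1
!
! match-all: both conditions must hold, so only FTP to 172.16.1.1
! enters the inspect action, not every flow to that host
class-map type inspect match-all FTP
 match protocol ftp
 match access-group name R1
!
policy-map type inspect INT-EXT
 class type inspect FTP
  inspect
 class class-default
  drop log
!
! Bind the policy to traffic initiated from INSIDE towards OUTSIDE
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect INT-EXT
!
! Verification from exec mode: confirm the class is hit and sessions are built
! show policy-map type inspect zone-pair IN-TO-OUT sessions
! show class-map type inspect FTP
```

Dropping in class-default is the implicit behaviour for an inspect policy-map anyway; spelling it out with `log` makes any traffic that misses the FTP class visible in `show logging` while testing in the lab.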
Received on Wed Jun 23 2010 - 15:48:07 ART