Re: Zone based firewall

From: Sadiq Yakasai <sadiqtanko_at_gmail.com>
Date: Wed, 23 Jun 2010 21:55:38 +0100

I agree with Tyson's point. Although this stupid exam is not about
"recommended best practices"! :-)

So keep an open mind.

Sadiq

On Wed, Jun 23, 2010 at 8:48 PM, Tyson Scott <tscott_at_ipexpert.com> wrote:

> The design recommendation is to match the protocol in the class map. The
> reason for doing this is to prevent unnecessary packet inspection for
> traffic that doesn't apply. The second option is the better choice.
>
> Regards,
>
> Tyson Scott - CCIE #13513 R&S, Security, and SP
> Managing Partner / Sr. Instructor - IPexpert, Inc.
> Mailto: tscott_at_ipexpert.com
>
>
>
> -----Original Message-----
> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
> Maarten Vervoorn
> Sent: Wednesday, June 23, 2010 8:12 AM
> To: Cisco certification
> Subject: Zone based firewall
>
> Hi,
>
> A question regarding zone based firewall.
> When you are questioned to inspect FTP traffic to a specific
> destination will both answers below give you the points?
>
> 1:
> ip access-list extended FTP
> permit tcp any host 172.16.1.1 eq ftp
> permit tcp any host 172.16.1.1 eq ftp-data
> !
> class-map type inspect FTP
> match access-group name FTP
> !
> policy-map type inspect INT-EXT
> class FTP
> inspect
> --------------------------------------------------
> 2:
> ip access-list extended R1
> permit ip any host 172.16.1.1
> !
> class-map type inspect match-all FTP
> match protocol ftp
> match access-group name R1
> !
> policy-map type inspect INT-EXT
> class FTP
> inspect
> --------------------------------------------------
>
> Kind regards,
>
> Maarten
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>

-- 
CCIE #19963
Received on Wed Jun 23 2010 - 21:55:38 ART

This archive was generated by hypermail 2.2.0 : Sun Aug 01 2010 - 09:11:38 ART
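An added example, not from the thread, that models how the two class-maps in Maarten's question decide whether a flow is handed to `inspect`. It assumes a simplified model: the `app` label stands in for the router's protocol classification, ACEs are limited to the `any`/`host` forms on the page, and only destination ports are handled.

```python
from collections import namedtuple

PORT_NAMES = {"ftp": 21, "ftp-data": 20}   # IOS port keywords used on the page
# proto/src/dst/dport describe the packet; app is the label the router's
# protocol classification would assign (an assumed input in this model)
Flow = namedtuple("Flow", "proto src dst dport app")

def parse_ace(line):
    """Parse an ACE of the shape used in the question:
    '<permit|deny> <proto> <any|host A> <any|host B> [eq <port>]'."""
    tok, i = line.split(), 2
    def addr():
        nonlocal i
        if tok[i] == "any":
            i += 1
            return None                      # None acts as a wildcard
        if tok[i] != "host":
            raise ValueError("unsupported address form: " + tok[i])
        i += 2
        return tok[i - 1]
    src, dst = addr(), addr()
    dport = None
    if i < len(tok) and tok[i] == "eq":      # 'eq' after the destination = dst port
        dport = PORT_NAMES[tok[i + 1]] if tok[i + 1] in PORT_NAMES else int(tok[i + 1])
    return {"action": tok[0], "proto": tok[1], "src": src, "dst": dst, "dport": dport}

def acl_permits(acl, flow):
    """First matching ACE decides; falling off the end is the implicit deny."""
    for ace in acl:
        if ace["proto"] not in ("ip", flow.proto):
            continue
        if ace["src"] not in (None, flow.src) or ace["dst"] not in (None, flow.dst):
            continue
        if ace["dport"] not in (None, flow.dport):
            continue
        return ace["action"] == "permit"
    return False

def class_matches(cmap, flow, acls):
    """match-all requires every 'match' line to hit; match-any needs one."""
    hits = [flow.app == arg if kind == "protocol" else acl_permits(acls[arg], flow)
            for kind, arg in cmap["match"]]
    return all(hits) if cmap["mode"] == "match-all" else any(hits)

# The two class-maps from the question, expressed as data.
ACLS = {"FTP": [parse_ace("permit tcp any host 172.16.1.1 eq ftp"),
                parse_ace("permit tcp any host 172.16.1.1 eq ftp-data")],
        "R1": [parse_ace("permit ip any host 172.16.1.1")]}
OPTION1 = {"mode": "match-all", "match": [("access-group", "FTP")]}
OPTION2 = {"mode": "match-all", "match": [("protocol", "ftp"), ("access-group", "R1")]}
```

With match-all, option 2 only inspects traffic that is both classified as FTP and destined for the host, so HTTP to 172.16.1.1 is excluded even though ACL R1 permits it.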