ZBPF Routed Mode task

Dears,

In WB1, and in the solution of ZBPF routed mode, we were asked to allow icmp except src/dst 150.1.0.0/16 within the OUTSIDE zone.
Here is the relevant part of the solution:


ip access-list extended OUTSIDE_TO_OUTSIDE
 deny icmp 150.1.0.0 0.0.255.255 150.1.0.0 0.0.255.255
 permit icmp any any

class-map type inspect match-all OUTSIDE_TO_OUTSIDE_ICMP
 match protocol icmp
 match access-group name OUTSIDE_TO_OUTSIDE

My question is:
If ACL OUTSIDE_TO_OUTSIDE matches ICMP, why do we need the "match protocol icmp" command within the class-map?

Comments

  • Hi,

    In older IOS versions, you had to use a "match protocol" statement in addition to "match access-group". In this case, even though it should work with just the ACL, in general it is recommended to always have a "match protocol" statement and use the ACL just to filter the traffic to which the inspection applies.

    Regards,

    Cristian.
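The class-map in the question only does something once it is attached to a zone-pair, so here is an added example (not the workbook solution and not Cristian's configuration) showing the full ZBPF context around it: the ACL and class-map from the post, plus an inspect policy-map and an intra-zone zone-pair that applies it. The policy-map name OUTSIDE_TO_OUTSIDE_POLICY and the interfaces GigabitEthernet0/0 and GigabitEthernet0/1 are assumptions.

```cisco
! Added example, not the workbook solution. Assumes Gi0/0 and Gi0/1 are
! both members of zone OUTSIDE.
ip access-list extended OUTSIDE_TO_OUTSIDE
 deny   icmp 150.1.0.0 0.0.255.255 150.1.0.0 0.0.255.255
 permit icmp any any
!
! match-all: a packet must be ICMP AND be permitted by the ACL.
! Packets denied by the ACL do not match this class and fall through
! to class-default, which drops them.
class-map type inspect match-all OUTSIDE_TO_OUTSIDE_ICMP
 match protocol icmp
 match access-group name OUTSIDE_TO_OUTSIDE
!
policy-map type inspect OUTSIDE_TO_OUTSIDE_POLICY
 class type inspect OUTSIDE_TO_OUTSIDE_ICMP
  inspect
 class class-default
  drop log
!
zone security OUTSIDE
!
interface GigabitEthernet0/0
 zone-member security OUTSIDE
!
interface GigabitEthernet0/1
 zone-member security OUTSIDE
!
! Intra-zone zone-pair (same source and destination zone). On IOS releases
! that do not support intra-zone policies, traffic between members of the
! same zone is permitted unconditionally and this policy never takes effect.
zone-pair security OUTSIDE_TO_OUTSIDE source OUTSIDE destination OUTSIDE
 service-policy type inspect OUTSIDE_TO_OUTSIDE_POLICY
```

To confirm which packets hit the class and which are dropped by class-default, use "show policy-map type inspect zone-pair OUTSIDE_TO_OUTSIDE" (add "sessions" to see the inspected ICMP sessions) and check the ACL counters with "show ip access-lists OUTSIDE_TO_OUTSIDE". Note that the deny entry as written matches only packets whose source and destination are both in 150.1.0.0/16; excluding packets with either address in that range would need two deny entries, one per direction.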
