In WB1, and in the solution of ZBPF routed mode, we were asked to allow icmp except src/dst within the OUTSIDE zone.
In the solution, here is the below:

ip access-list extended OUTSIDE_TO_OUTSIDE
 deny icmp
 permit icmp any any

class-map type inspect match-all OUTSIDE_TO_OUTSIDE_ICMP
 match protocol icmp
 match access-group name OUTSIDE_TO_OUTSIDE

My question is:
If ACL OUTSIDE_TO_OUTSIDE matches ICMP, why do we need the "match protocol icmp" command within the class-map?


Hi,

In older IOS versions, you had to use a "match protocol" statement in addition to "match access-group". In this case, even though it should work with just the ACL, in general it is recommended to always have a "match protocol" statement and use the ACL just to filter which traffic the inspection applies to.
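As an added, constructed example (not from the original post or the workbook solution), here is the class-map from the question wired into a complete intra-zone ZBPF policy, so the division of labour is visible: "match protocol icmp" selects the inspection engine, the ACL only narrows which ICMP flows that engine sees. The 192.0.2.0/24 prefix standing in for the OUTSIDE segment, the interface name, and the policy-map and zone-pair names are assumptions.

```cisco
! Added example: full ZBPF policy around the class-map from the question.
! 192.0.2.0/24 is a constructed stand-in for the OUTSIDE segment; all names are assumed.
zone security OUTSIDE
!
interface GigabitEthernet0/1
 zone-member security OUTSIDE
!
! The ACL only decides WHICH ICMP traffic the class acts on:
! ICMP between hosts inside the OUTSIDE segment itself is excluded (deny),
! every other ICMP flow is a hit. On its own, an ACL hit does not tell the
! inspect engine which protocol state machine to run for the flow.
ip access-list extended OUTSIDE_TO_OUTSIDE
 deny   icmp 192.0.2.0 0.0.0.255 192.0.2.0 0.0.0.255
 permit icmp any any
!
! match-all: a packet must satisfy BOTH lines to land in this class.
! "match protocol icmp" picks the ICMP inspection engine; the ACL filter
! restricts it to the flows permitted above.
class-map type inspect match-all OUTSIDE_TO_OUTSIDE_ICMP
 match protocol icmp
 match access-group name OUTSIDE_TO_OUTSIDE
!
policy-map type inspect OUTSIDE_TO_OUTSIDE_POLICY
 class type inspect OUTSIDE_TO_OUTSIDE_ICMP
  inspect
 class class-default
  drop log
!
! Intra-zone pair: source and destination zone are the same.
zone-pair security OUT_OUT source OUTSIDE destination OUTSIDE
 service-policy type inspect OUTSIDE_TO_OUTSIDE_POLICY
!
! Verification (exec mode): per-class counters show which line traffic hit.
! show policy-map type inspect zone-pair OUT_OUT
! show class-map type inspect OUTSIDE_TO_OUTSIDE_ICMP
```

Whether an intra-zone zone-pair is accepted at all depends on the IOS release: older releases pass traffic between interfaces of the same zone without inspection and reject a zone-pair whose source and destination zone are identical, so check the class counters in "show policy-map type inspect zone-pair" rather than assuming the policy is being applied.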