class-map? match access-list?
LearnAsIGo
Member Posts: 20 ■□□□□□□□□□
in CCNP
Studying about application inspection:
!
!
access-list MY_EXAMPLE permit tcp any host X.X.X.X eq 25
class-map MY_EXAMPLE
match access-list MY_EXAMPLE
!
!
My understanding:
1) Access list permits SMTP traffic from anybody to this specific host X.X.X.X
After reading on cisco.com:
2) class-map classifies traffic that will be inspected.
3) match access-list identifies traffic to be scanned.
To me, 2 & 3 sound very similar. I see the difference, but I don't SEE the difference. Any help to push me off the fence?
Bottom Line ===> What's the deciding factor I need to differentiate the two?
As always, much thanks in advance.
!
!
access-list MY_EXAMPLE permit tcp any host X.X.X.X eq 25
class-map MY_EXAMPLE
match access-list MY_EXAMPLE
!
!
My understanding:
1) Access list permits SMTP traffic from anybody to this specific host X.X.X.X
After reading on cisco.com:
2) class-map classifies traffic that will be inspected.
3) match access-list identifies traffic to be scanned.
To me, 2 & 3 sound very similar. I see the difference, but I don't SEE the difference. Any help to push me off the fence?
Bottom Line ===> What's the deciding factor I need to differentiate the two?
As always, much thanks in advance.
Comments
this is all about subject and object kind of thing.
the process order will determined your PBR execution.
the object is the access-list which has to be created first in order the map-class scanning function to work.
the subject is the map-class which scan your access-list.
so - sometimes is good to just knowing the basic idea.
cheers.
So an access-list has a basic matching function whereas the class-map can have the basic matching functionality of an access-list and a whole lot more.
Both of you cleared up the techno-speak I've not yet grown accustomed to reading.
I've played around with these on the rack sessions, and I do seem to understand them more and more.
My understanding now is:
1) class-maps have an entire sphere of VERSATILITY, which encompasses access-lists.
2) access-lists are not as ROBUST as class-maps, being kinda like a hammer - obviously used only specifically to pound a nail in.
Whereas a class-map is a tool-box, which of course can include a hammer as well as other toolkits/boxes (as Ed said, "stack class-maps within each other").