CCNA: Sec class-map question

mikearama

Hey techies... from the CCNA Security Offical Exam Cert Guide:

class-map type inspect match-any my-test-cmap
match protocol http
match protocol tcp

"In this case, HTTP traffic must encounter the match protocol http statement first so that the traffic will be handled by the service-specific capabilities of HTTP inspection. What would happen if we reversed the "match" lines so that traffic encounters the match protocol tcp statement before it is compared to the match protocol http statement? If this were the case, the traffic would be classified as TCP traffic and would be inspected according to the capabilities of the TCP inspection component of the firewall. This would create a problem for certain services such as FTP and TFTP, as well as various multimedia and voice signaling services such as H.323, SIP, Skinny, RTSP, and others. It is important that additional inspection capabilities be used to recognize the more complex activites of these services."

This I don't get. Where's the issue? So what if http traffic was first inspected by the TCP inspector, before getting deeper/better analysis by the http filter?

Does the comment above suggest that since http is being inspected ALONG WITH ftp, tftp, skinny, etc, that they will interfere with each other? Looks like it, right?

So if I truly wanted to inspect all tcp traffic, is match protocol tcp not sufficient? or would I have to go with something like:

match protocol FTP
match protocol TFTP
match protocol HTTP
match protocol RTSP
match protocol SMTP
match protocol DNS

before getting to put:

match protocol TCP ??? (Dayum, I don't care for class-maps!)

scheistermeister

No, it means that if you have the match protocol tcp first every thing that is tcp will be classified the way you wanted only http to be classified. In other words they mean to treat it like an access-list. List the most specific first.

dtlokee

Well the inspection engine will handle a TCP packet differently than a HTTP packet. Although HTTP rides on top of TCP, there are additional parameters that you can apply with HTTP inspection (like URL filtering) that you can't do with simple TCP inspection.

mikearama

scheistermeister wrote:

No, it means that if you have the match protocol tcp first every thing that is tcp will be classified the way you wanted only http to be classified. In other words they mean to treat it like an access-list. List the most specific first.

Ah, I think I see. So you're suggesting that the match statements work like ACL's, where once there's a match, the processing stops. Gotcha.

I read it differently... I thought that all the match statements were read from the top down, so even though HTTP traffic would get inspected by the TCP inspector, it would be move down and be inspected by the HTTP inspector.

Okay, I feel better about it now. Thanks guys.

AutoBahn81

It depends on whether you use the "any" keyword or the "all" keyword in the class-map statement. If you use "any" then there only needs to be one match anywhere in the map whereas with an "and" argument the packet must match all the criteria. The "any" is treated as an <or> operator and the "all" is treated as an <and> operator.

Class maps simply identify traffic, whereas Policy maps state what should actually be done with it once identified.