class-map? match access-list?

LearnAsIGo Member Posts: 20
Studying about application inspection:
!
!
access-list MY_EXAMPLE permit tcp any host X.X.X.X eq 25
class-map MY_EXAMPLE
match access-list MY_EXAMPLE
!
!

My understanding:
1) Access list permits SMTP traffic from anybody to this specific host X.X.X.X

After reading on cisco.com:
2) class-map classifies traffic that will be inspected.
3) match access-list identifies traffic to be scanned.

To me, 2 & 3 sound very similar. I see the difference, but I don't SEE the difference. Any help to push me off the fence?

Bottom Line ===> What's the deciding factor I need to differentiate the two?

As always, much thanks in advance.

Comments

  • rossonieri#1 Member Posts: 799
    hello,

    this is all about subject and object kind of thing.

    the process order will determine your PBR execution.

    the object is the access-list which has to be created first in order for the map-class scanning function to work.
    the subject is the map-class which scans your access-list.

    so - sometimes it is good to just know the basic idea.

    cheers.
    the More I know, that is more and More I don't know.
  • EdTheLad Member Posts: 2,111
    Class-maps are used to match a huge range of variables; one of those variables that can be matched is an access-list. The class-map can perform either an AND or OR operation on these variables depending on how you configure it. You can also stack the class-maps inside each other, so it gives you huge flexibility.
    So an access-list has a basic matching function whereas the class-map can have the basic matching functionality of an access-list and a whole lot more.
    Networking, sometimes I love it, mostly I hate it. It's all about the $$$$
  • LearnAsIGo Member Posts: 20
    Rossonieri, Ed - thanks for replying.

    Both of you cleared up the techno-speak I've not yet grown accustomed to reading.

    I've played around with these on the rack sessions, and I do seem to understand them more and more.

    My understanding now is:

    1) class-maps have an entire sphere of VERSATILITY, which encompasses access-lists.

    2) access-lists are not as ROBUST as class-maps, being kinda like a hammer - obviously used only specifically to pound a nail in.

    Whereas a class-map is a tool-box, which of course can include a hammer as well as other toolkits/boxes (as Ed said, "stack class-maps within each other").
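
The configuration from the question, carried through to the point where inspection actually happens. This is an added example, not part of any post in the thread; it assumes Cisco ASA Modular Policy Framework syntax, uses 192.0.2.25 as a constructed stand-in for X.X.X.X, and the names SMTP_BY_PORT, MY_POLICY and the interface name "outside" are assumptions.

```cisco
! 1) The ACL only describes traffic: SMTP from anyone to the mail host.
!    Used inside a class-map, "permit" means "belongs to the class",
!    not "allow through the firewall".
access-list MY_EXAMPLE extended permit tcp any host 192.0.2.25 eq 25

! 2) The class-map is a named traffic class. "match access-list" is one of
!    several criteria it can use to decide what belongs to the class.
class-map MY_EXAMPLE
 match access-list MY_EXAMPLE

! For comparison only (not used below): a class built with no ACL at all,
! matching on destination port alone.
class-map SMTP_BY_PORT
 match port tcp eq 25

! 3) The policy-map attaches an action to the class; here, ESMTP inspection.
policy-map MY_POLICY
 class MY_EXAMPLE
  inspect esmtp

! 4) Nothing is inspected until the policy is applied to an interface.
service-policy MY_POLICY interface outside
```

The ACL and the class-map both select traffic, but only the class-map can be referenced by a policy-map, which is where the inspection action is attached.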