Default action in firewall policy maps

Marko asked a very interesting question: What is the default class policy in a firewall policy-map (policy-map type inspect)? Or, using his original wording, "is it mandatory to use class class-default/drop" at the end of every policy map?

As it turns out, the default action for any class (unless you specify otherwise) is drop. Packets not matched by any traffic class are therefore dropped by default (unless you specify a different action in class-default), similar to the well-known ip access-list behavior. I've tested this feature using a reverse setup: web traffic mapped into a class with no action and all other traffic being inspected in class-default:

class-map type inspect match-all web
match protocol http
!
policy-map type inspect InToOut
class type inspect web
class class-default
inspect
!
zone security Inside
zone security Outside
zone-pair security InToOut source Inside destination Outside
service-policy type inspect InToOut

As expected, HTTP traffic (port 80) was the only traffic blocked by the firewall.
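To make the first-match semantics of the test above easy to check before touching a router, here is a small evaluator for the policy-map syntax shown in the post (an added example, not code from the original post). It assumes a class with no configured action defaults to drop, that the `web` class matches TCP port 80, and that a policy without class-default drops whatever remains.

```python
# Constructed sample policies: the post's "reverse" test (web class has no action,
# class-default inspects) and the conventional form with an explicit drop.
REVERSE_POLICY = """\
policy-map type inspect InToOut
 class type inspect web
 class class-default
  inspect
"""

CONVENTIONAL_POLICY = """\
policy-map type inspect InToOut
 class type inspect web
  inspect
 class class-default
  drop
"""

# Assumed class-map membership: 'web' = match protocol http, i.e. TCP port 80.
CLASS_MAPS = {"web": {80}}

def parse_policy(text):
    """Return an ordered list of (class_name, action) pairs.

    A class that carries no action keeps the IOS default action, drop.
    """
    classes = []
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "class":
            # 'class type inspect web' -> web, 'class class-default' -> class-default
            classes.append([tok[-1], "drop"])
        elif tok[0] in ("inspect", "pass", "drop") and classes:
            classes[-1][1] = tok[0]
    return [tuple(c) for c in classes]

def evaluate(policy, dst_port):
    """Apply the first matching class; class-default catches everything else."""
    for name, action in policy:
        if name == "class-default" or dst_port in CLASS_MAPS.get(name, set()):
            return action
    return "drop"  # no class-default configured: unmatched traffic is dropped

if __name__ == "__main__":
    for label, text in (("reverse", REVERSE_POLICY), ("conventional", CONVENTIONAL_POLICY)):
        policy = parse_policy(text)
        print(label, {port: evaluate(policy, port) for port in (80, 443, 22)})
```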

2 comments:

  1. It's interesting that official documentation states the opposite:

    ====
    drop (zone-based policy)

    To drop packets that are sent to the router, use the drop command in policy-map-class configuration mode.
    [...]

    Command Default

    Packets are not dropped.
    ====

  2. Well, the original post was written more than a year ago, IOS might have changed in the meantime :)



Ivan Pepelnjak, CCIE#1354, is the chief technology advisor for NIL Data Communications. He has been designing and implementing large-scale data communications networks as well as teaching and writing books about advanced technologies since 1990.