Cisco CCNA (640-553) Security Training
Using the “class type inspect” command
By Charles Ross CCNA - CCNP #CSCO10444244
In today’s article, I’m going to quickly inform you about the Cisco IOS policy-map configuration mode command named “class type inspect”.
CCNAs (like you) use the “class type inspect” command to specify the traffic (class) on which an action is to be performed.
In other words, network administrators (like you) use the command to indicate the traffic class and the protocol (if needed) on which an action (like drop, inspect, pass, reset, or urlfilter) is to be performed. The command can also be used with the “service-policy” policy-map configuration mode command to attach a Layer 7 (application-specific) policy-map to a “top-level” (Layer 3 or Layer 4) policy-map.
Below is the command’s syntax if you don’t have to specify a protocol:
class type inspect class-map-name
As you can see, if you’re not required to specify the protocol, the only argument used with the command is class-map-name, which names the traffic class on which an action is to be performed. This name must match the name given to the class map by the “class-map type inspect” command.
And, below is the command’s syntax if you need to specify a protocol:
class type inspect protocol-name class-map-name
Notice that both the protocol-name and class-map-name arguments are used with the command; protocol-name is the name of the protocol that the traffic class supports. A traffic class can support the following protocols:
• aol—America Online Instant Messenger (IM)
• edonkey—eDonkey peer-to-peer (P2P)
• fasttrack—FastTrack traffic P2P
• gnutella—Gnutella Version 2 traffic P2P
• h323—H.323 protocol, Version 4
• http—HTTP
• icq—I Seek You (ICQ) IM protocol
• imap—Internet Message Access Protocol (IMAP)
• kazaa2—Kazaa Version 2 P2P protocol
• msnmsgr—MSN Messenger IM protocol
• pop3—Post Office Protocol, Version 3 (POP3)
• sip—Session Initiation Protocol (SIP)
• smtp—Simple Mail Transfer Protocol (SMTP)
• sunrpc—SUN Remote Procedure Call (SUNRPC)
• winmsgr—Windows Messenger IM protocol
• ymsgr—Yahoo IM
Below is an example of the command being used:
Router>enable
Router#configure terminal
Router(config)#class-map type inspect aol match-any the-aol-cmap
Router(config-cmap)#match service text-chat
Router(config-cmap)#exit
Router(config)#class-map type inspect ymsgr match-any the-ysmgr-cmap
Router(config-cmap)#match service any
Router(config-cmap)#exit
Router(config)#policy-map type inspect im im-pmap
Router(config-pmap)#class type inspect aol the-aol-cmap
Router(config-pmap-c)#allow log
Router(config-pmap-c)#exit
Router(config-pmap)#class type inspect ymsgr the-ysmgr-cmap
Router(config-pmap-c)#reset log
Router(config-pmap-c)#end
Router#copy run start
In the example above, the “im-pmap” policy map is configured with the AOL and Yahoo Messenger traffic classes, and only text-chat messages are allowed to pass through. Any traffic other than “text-chat” causes the connection to be reset.
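The rule that a class type inspect name (and its protocol, when one is given) must match an existing class-map type inspect definition is easy to break when a policy map is typed by hand. As an added example, not from the article, here is a small Python checker that reads an IOS session or running-config excerpt and reports any class type inspect reference whose name or protocol does not match a class-map definition; the sample it checks is constructed to mirror the session shown above.

```python
import re

# Layer 7 protocols a "class-map type inspect <protocol>" may name (the article's list).
INSPECT_PROTOCOLS = {
    "aol", "edonkey", "fasttrack", "gnutella", "h323", "http", "icq", "imap",
    "kazaa2", "msnmsgr", "pop3", "sip", "smtp", "sunrpc", "winmsgr", "ymsgr",
}
# Strip an IOS prompt such as "Router(config-pmap-c)#" so a pasted session parses like a running-config.
PROMPT_RE = re.compile(r"^[^\s#>()]*(?:\([^)]*\))?[#>]")
# class-map type inspect [protocol] [match-any|match-all] name
CMAP_RE = re.compile(r"^class-map type inspect(?: (?!match-)(\S+))?(?: match-(?:any|all))? (\S+)$")
# [no] class type inspect [protocol] name   (policy-map configuration mode)
CLASS_RE = re.compile(r"^(?:no )?class type inspect(?: (\S+))? (\S+)$")


def check_inspect_classes(config_text):
    """Return a list of problems; an empty list means every class reference is consistent."""
    defined = {}  # class-map name -> protocol (None for a Layer 3/4 class map)
    problems = []
    for raw in config_text.splitlines():
        line = PROMPT_RE.sub("", raw).strip()
        m = CMAP_RE.match(line)
        if m:
            proto, name = m.groups()
            if proto and proto not in INSPECT_PROTOCOLS:
                problems.append(f"class-map {name}: unsupported protocol {proto}")
            defined[name] = proto
            continue
        m = CLASS_RE.match(line)
        if not m or m.group(2) == "class-default":  # class-default is implicit, never defined
            continue
        proto, name = m.groups()
        if name not in defined:
            problems.append(f"class type inspect {name}: no class-map type inspect with that name")
        elif defined[name] != proto:
            problems.append(f"class type inspect {name}: protocol {proto or '(none)'} "
                            f"does not match class-map protocol {defined[name] or '(none)'}")
    return problems


# Constructed sample mirroring the article's session (not copied from a real device).
ARTICLE = """\
Router(config)#class-map type inspect aol match-any the-aol-cmap
Router(config)#class-map type inspect ymsgr match-any the-ysmgr-cmap
Router(config)#policy-map type inspect im im-pmap
Router(config-pmap)#class type inspect aol the-aol-cmap
Router(config-pmap-c)#allow log
Router(config-pmap)#class type inspect ymsgr the-ysmgr-cmap
Router(config-pmap-c)#reset log
"""
```

Running check_inspect_classes(ARTICLE) returns an empty list; feeding it a policy map that references a class map by the wrong name or without the protocol its class map was defined with returns one message per mistake.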
And, as with almost all Cisco IOS commands, you can put the word “no” in front of the command to remove (disable) the configured command, as shown below:
Router(config-pmap)#no class type inspect aol the-aol-cmap
By the way, if you decide to use the command, make sure your router(s) are running Cisco IOS 12.4(20)T or later so that all of the protocols listed above are supported.
I hope this article was very informative and helped you quickly understand the usage of the “class type inspect” command. If you need to learn more, I suggest you visit my website (www.ccnaittechtips.com), where you’ll find the latest information regarding Cisco CCNA (640-553) Security exam techniques.
To your success,
Charles Ross
CCNA- CCNP #CSCO10444244