Cisco Bug: CSCuq41737 - Shared nested class-map applied to zone-pair will affect other zonepairs

Last Modified

Mar 08, 2018

Products (9)

  • Cisco IOS
  • Cisco 7206 Router
  • Cisco 7301 Router
  • Cisco 7206VXR Router
  • Cisco 7204 Router
  • Cisco 7202 Router
  • Cisco 7200 Series NPE-G2 Network Processing Engine
  • Cisco 7201 Router
  • Cisco 7204VXR Router

Known Affected Releases

15.2(4)M

Description (partial)

Symptom:
When a class-map is changed for one zone-pair, other zone-pairs are also affected by the change. For example, class-map PROTOCOLS is nested in 3 different class-maps, which are applied to different policy-maps.

class-map type inspect match-all IN-TO-OUT
   match access-group name IN-TO-OUT-ACL
   match class-map PROTOCOLS
class-map type inspect match-all OUT-TO-IN
   match access-group name OUT-TO-IN-ACL
   match class-map PROTOCOLS 
class-map type inspect match-all DMZ-TO-IN
   match class-map PROTOCOLS
   match access-group name DMZ-TO-IN-ACL

For example, if class-map PROTOCOLS is removed from or modified in one of the zone class-maps, the change also affects traffic in the other zones that use the nested class-map PROTOCOLS.

Conditions:
ZBF firewall with a shared nested class-map applied to different zone-pairs.
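
To check whether a device matches this condition, the following added example (not Cisco's code and not part of the bug record) scans a saved running-config and reports every nested inspect class-map that is reachable from more than one zone-pair. The class-maps in the sample are those shown above; the policy-map, zone-pair and zone names are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample: class-maps as in the bug text; policy-map, zone-pair and zone names are assumed.
SAMPLE_CONFIG = """\
class-map type inspect match-all IN-TO-OUT
 match access-group name IN-TO-OUT-ACL
 match class-map PROTOCOLS
class-map type inspect match-all OUT-TO-IN
 match access-group name OUT-TO-IN-ACL
 match class-map PROTOCOLS
class-map type inspect match-all DMZ-TO-IN
 match class-map PROTOCOLS
 match access-group name DMZ-TO-IN-ACL
policy-map type inspect PM-IN-OUT
 class type inspect IN-TO-OUT
  inspect
policy-map type inspect PM-OUT-IN
 class type inspect OUT-TO-IN
  inspect
policy-map type inspect PM-DMZ-IN
 class type inspect DMZ-TO-IN
  inspect
zone-pair security ZP-IN-OUT source inside destination outside
 service-policy type inspect PM-IN-OUT
zone-pair security ZP-OUT-IN source outside destination inside
 service-policy type inspect PM-OUT-IN
zone-pair security ZP-DMZ-IN source dmz destination inside
 service-policy type inspect PM-DMZ-IN
"""
HEAD = re.compile(r"(?:(class-map|policy-map) type inspect (?:match-\w+ )?|(zone-pair) security )(\S+)")
BODY = {"class-map": r"\s+match class-map (\S+)",          # parent class-map -> nested class-map
        "policy-map": r"\s+class type inspect (\S+)",      # policy-map -> class-map
        "zone-pair": r"\s+service-policy type inspect (\S+)"}  # zone-pair -> policy-map

def shared_nested_class_maps(config):
    """Map each nested inspect class-map to the zone-pairs it reaches, if more than one."""
    links = defaultdict(set)   # (block kind, referenced name) -> names of blocks referencing it
    kind = name = None
    for line in config.splitlines():
        head = HEAD.match(line)
        if head:                              # start of a block we track
            kind, name = head.group(1) or head.group(2), head.group(3)
        elif not line[:1].isspace():          # any other top-level line ends the block
            kind = None
        elif kind and (ref := re.match(BODY[kind], line)):
            links[kind, ref.group(1)].add(name)
    reach = {n: {z for c in cms for p in links.get(("policy-map", c), ()) for z in links.get(("zone-pair", p), ())}
             for (k, n), cms in links.items() if k == "class-map"}
    return {n: sorted(z) for n, z in reach.items() if len(z) > 1}
```

Any class-map this returns is one where an edit made for a single zone-pair should be reviewed against every zone-pair listed.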