From: James (james@towardex.com)
Date: Thu Jul 15 2004 - 00:33:49 GMT-3
> > match access-group 110
> > access-list 110 permit tcp any any eq ftp
> > access-list 110 permit tcp any eq ftp any
> > access-list 110 permit tcp any any eq ftp-data
> > access-list 110 permit tcp any eq ftp-data any
> > access-list 110 permit tcp any gt 1023 any (I am not sure about this line???)
> > access-list 110 permit tcp any any gt 1023 (????)
The above lines are actually most likely a mistake. Once FTP initiates,
one end of the session will have a high-end ephemeral TCP port, whereas
the other end of the session will have either TCP port 20 or 21.
But the ACEs before that specify both ports 20 and 21 in either direction,
so the gt-1023-related lines are not needed, and will match traffic that is totally
irrelevant such as IRC. Most likely an incorrectly done ACL to match FTP.
-J
--
James Jun
TowardEX Technologies, Inc.
Technical Lead
Network Design, Consulting, IT Outsourcing
james@towardex.com
Boston-based Colocation & Bandwidth Services
cell: 1(978)-394-2867
web: http://www.towardex.com , noc: www.twdx.net