From: Geert Nijs (geert.nijs@simac.be)
Date: Thu Jul 15 2004 - 04:44:19 GMT-3
I think NBAR will only match port 21:
R9#sh ip nbar port-map | i ftp
port-map ftp tcp 21
port-map secure-ftp tcp 990
port-map tftp udp 69
Correct me if I am wrong,
Geert
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Neil Moore
Sent: Thursday 15 July 2004 4:55
To: ccie-cs@comcast.net; comserv@groupstudy.com; ccielab@groupstudy.com
Subject: Re: match protocol ftp
I would ask the proctor in a format such as "which do you prefer for the
answer .. An access-list based method or a protocol discovery method."
My 2 cents.
-Neil
----- Original Message -----
From: <ccie-cs@comcast.net>
To: <comserv@groupstudy.com>; <ccielab@groupstudy.com>
Sent: Wednesday, July 14, 2004 2:58 PM
Subject: match protocol ftp
> Hi, Team,
> If I am asked to configure a class map to match ftp traffic, AND the
> router has the NBAR feature enabled, i.e. you can match layer 4 protocols
> instead of using an ACL, which configuration below should I use? The "match
> protocol ftp" is simpler, but I have no idea which ports it matches.
> Could anyone help?
> 1) Use match protocol
> class ftp
> match protocol ftp
> 2) Use ACL
> class ftp
> match access-group 110
> access-list 110 permit tcp any any eq ftp
> access-list 110 permit tcp any eq ftp any
> access-list 110 permit tcp any any eq ftp-data
> access-list 110 permit tcp any eq ftp-data any
> access-list 110 permit tcp any gt 1023 any (I am not sure about this line???)
> access-list 110 permit tcp any any gt 1023 (????)
> Thanks,
> Mike