From: Koen Peetermans (K.Peetermans@chello.be)
Date: Thu Jul 15 2004 - 04:54:08 GMT-3
Geert, Cisco states that ftp is a "stateful" NBAR protocol, so I think it should not be necessary to add port 20 since it would be matched statefully...
http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a0080087cd0.html
Table 5 TCP and UDP Stateful Protocols: FTP | TCP | File Transfer Protocol | ftp | 12.0(5)XE2, 12.1(1)E, 12.1(5)T
Greetings from Belgium ;-)
Kind regards,
Koen.
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Geert Nijs
Sent: donderdag 15 juli 2004 9:44
To: Neil Moore; ccie-cs@comcast.net; comserv@groupstudy.com; ccielab@groupstudy.com
Subject: RE: match protocol ftp
I think NBAR will only match port 21:
R9#sh ip nbar port-map | i ftp
port-map ftp tcp 21
port-map secure-ftp tcp 990
port-map tftp udp 69
Correct me if I am wrong,
Geert
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Neil Moore
Sent: donderdag 15 juli 2004 4:55
To: ccie-cs@comcast.net; comserv@groupstudy.com; ccielab@groupstudy.com
Subject: Re: match protocol ftp
I would ask the proctor in a format such as "which do you prefer for the
answer .. An access-list based method or a protocol discovery method."
My 2cents.
-Neil
----- Original Message -----
From: <ccie-cs@comcast.net>
To: <comserv@groupstudy.com>; <ccielab@groupstudy.com>
Sent: Wednesday, July 14, 2004 2:58 PM
Subject: match protocol ftp
> Hi, Team,
> If I am asked to configure a class map to match ftp traffic, AND the
> router has the NBAR feature enabled, i.e. you can match layer 4 protocols
> instead of using an ACL, which configuration below should I use? The "match
> protocol ftp" is simpler, but I have no idea which ports it matches.
> Could anyone help?
> 1) Use match protocol
> class ftp
> match protocol ftp
> 2) Use ACL
> class ftp
> match access-group 110
> access-list 110 permit tcp any any eq ftp
> access-list 110 permit tcp any eq ftp any
> access-list 110 permit tcp any any eq ftp-data
> access-list 110 permit tcp any eq ftp-data any
> access-list 110 permit tcp any gt 1023 any (I am not sure about this line???)
> access-list 110 permit tcp any any gt 1023 (????)
> Thanks,
> Mike
> _____________________________________________________________________
> Subscription information: http://www.groupstudy.com/list/comserv.html
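Added example, written for this archive page and not posted by anyone in the thread nor taken from Cisco's NBAR code: a small Python model of the two approaches discussed above, a port-based ACL mirroring Mike's access-list 110 versus a simplified stateful matcher that learns the data channel from the PORT/PASV exchange on the control connection. The flows, addresses and control-channel lines are constructed sample input.

```python
import re
# Constructed sample flows (src_ip, src_port, dst_ip, dst_port): one FTP session
# (control channel plus a PASV data channel) and one unrelated high-port flow.
CONTROL = ("10.0.0.5", 40001, "192.0.2.10", 21)
PASV_REPLY = "227 Entering Passive Mode (192,0,2,10,195,80)\r\n"  # 195*256+80 = 50000
DATA = ("10.0.0.5", 40002, "192.0.2.10", 50000)
OTHER = ("10.0.0.5", 40003, "198.51.100.7", 8443)  # not FTP at all

def acl_110_matches(flow, with_gt1023=True):
    """Mirror of access-list 110 from the thread: ftp (21) and ftp-data (20)
    in either direction, optionally plus the two 'gt 1023' lines."""
    src, sport, dst, dport = flow
    if dport in (20, 21) or sport in (20, 21):
        return True
    return with_gt1023 and (sport > 1023 or dport > 1023)

# Endpoint announcements on the control channel: "PORT h1,h2,h3,h4,p1,p2" from the
# client (active mode) and "227 ... (h1,h2,h3,h4,p1,p2)" from the server (passive).
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")

class StatefulFtpMatcher:
    """Simplified model (an assumption, not Cisco's implementation) of a stateful
    classifier: it learns the data endpoint from the control channel and then
    matches only the data connection that was actually negotiated."""
    def __init__(self):
        self.expected = set()  # (ip, port) endpoints announced on port 21

    def observe_control(self, flow, line):
        """Feed one control-channel line; flow is the client->server tuple."""
        if flow[3] != 21:
            return
        for rx in (PASV_RE, PORT_RE):
            m = rx.match(line)
            if m:
                h1, h2, h3, h4, p1, p2 = map(int, m.groups())
                self.expected.add((f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2))

    def matches(self, flow):
        src, sport, dst, dport = flow
        if 21 in (sport, dport):
            return True
        return (dst, dport) in self.expected or (src, sport) in self.expected

def classify(flows, control_lines):
    # Returns {flow: (acl_match, stateful_match)} for each sample flow.
    m = StatefulFtpMatcher()
    for flow, line in control_lines:
        m.observe_control(flow, line)
    return {f: (acl_110_matches(f), m.matches(f)) for f in flows}
```

Run against the sample flows, the ACL either misses the passive data channel (without the gt 1023 lines) or matches every high-port flow including the non-FTP one (with them), while the stateful matcher catches only the negotiated data connection.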
This archive was generated by hypermail 2.1.4 : Sun Aug 01 2004 - 10:11:56 GMT-3