From: Dalu-Chandu, Jay (JD163604@NCR.COM)
Date: Thu Jul 15 2004 - 05:49:34 GMT-3
There are two basic types of ftp, active and passive; the details for both
are illustrated on the site listed below. The illustrations will allow you
to build an accurate ACL. I am not sure about NBAR, but the documentation
would suggest that NBAR could be utilised to match ftp traffic.
http://slacksite.com/other/ftp.html
Jay
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Geert Nijs
Sent: 15 July 2004 08:44
To: Neil Moore; ccie-cs@comcast.net; comserv@groupstudy.com;
ccielab@groupstudy.com
Subject: RE: match protocol ftp
I think NBAR will only match port 21:
R9#sh ip nbar port-map | i ftp
port-map ftp tcp 21
port-map secure-ftp tcp 990
port-map tftp udp 69
Correct me if I am wrong,
Geert
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Neil
Moore
Sent: Thursday 15 July 2004 4:55
To: ccie-cs@comcast.net; comserv@groupstudy.com; ccielab@groupstudy.com
Subject: Re: match protocol ftp
I would ask the proctor in a format such as "which do you prefer for the
answer .. An access-list based method or a protocol discovery method."
My 2cents.
-Neil
----- Original Message -----
From: <ccie-cs@comcast.net>
To: <comserv@groupstudy.com>; <ccielab@groupstudy.com>
Sent: Wednesday, July 14, 2004 2:58 PM
Subject: match protocol ftp
> Hi, Team,
> If I am asked to configure a class map to match ftp traffic, AND the
> router has the NBAR feature enabled, i.e. you can match layer 4 protocols
> instead of using an ACL, which configuration below should I use? The "match
> protocol ftp" is simpler, but I have no idea which ports it matches.
> Could anyone help?
> 1) Use match protocol
> class ftp
> match protocol ftp
> 2) Use ACL
> class ftp
> match access-group 110
> access-list 110 permit tcp any any eq ftp
> access-list 110 permit tcp any eq ftp any
> access-list 110 permit tcp any any eq ftp-data
> access-list 110 permit tcp any eq ftp-data any
> access-list 110 permit tcp any gt 1023 any (I am not sure about this line???)
> access-list 110 permit tcp any any gt 1023 (????)
> Thanks,
> Mike
This archive was generated by hypermail 2.1.4 : Sun Aug 01 2004 - 10:11:56 GMT-3
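
The active/passive distinction raised in the thread, as an added example that is not part of the original messages: it derives the negotiated data port from FTP control-channel lines (RFC 959 host-port encoding) and reports which entry of a constructed model of the question's access-list 110 the resulting data connection hits first. Function names, sample lines and addresses are assumptions made for illustration, and active mode is assumed to use the server's default data port 20.

```python
import re

# RFC 959 host-port form: h1,h2,h3,h4,p1,p2 with port = p1*256 + p2.
HOSTPORT = re.compile(r"(?<!\d)" + ",".join([r"(\d{1,3})"] * 6) + r"(?!\d)")
# Constructed model of the thread's access-list 110: (src_port_test, dst_port_test, text).
ACL_110 = [
    (None, lambda p: p == 21, "permit tcp any any eq ftp"),
    (lambda p: p == 21, None, "permit tcp any eq ftp any"),
    (None, lambda p: p == 20, "permit tcp any any eq ftp-data"),
    (lambda p: p == 20, None, "permit tcp any eq ftp-data any"),
    (lambda p: p > 1023, None, "permit tcp any gt 1023 any"),
    (None, lambda p: p > 1023, "permit tcp any any gt 1023"),
]

def parse_hostport(text):
    """Return (ip, port) from a PORT argument or 227 reply, or None if malformed."""
    m = HOSTPORT.search(text)
    nums = [int(n) for n in m.groups()] if m else []
    if not nums or any(n > 255 for n in nums):
        return None
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def data_channels(control_lines):
    """Map (sender, line) control-channel records to (mode, listener_ip, listener_port)."""
    found = []
    for sender, line in control_lines:
        line = line.strip()
        if sender == "client" and line.upper().startswith("PORT "):
            mode, endpoint = "active", parse_hostport(line[5:])
        elif sender == "server" and line.startswith("227 "):
            mode, endpoint = "passive", parse_hostport(line[4:])
        else:
            continue
        if endpoint:
            found.append((mode, *endpoint))
    return found

def first_match(src_port, dst_port):
    """Return the first ACL_110 entry a TCP segment with these ports hits, else None."""
    for src_ok, dst_ok, text in ACL_110:
        if (src_ok is None or src_ok(src_port)) and (dst_ok is None or dst_ok(dst_port)):
            return text
    return None

# Constructed sample control-channel lines (documentation addresses from RFC 5737).
SAMPLE = [
    ("client", "PORT 192,0,2,10,195,80"),                           # active: 195*256+80
    ("server", "227 Entering Passive Mode (198,51,100,5,200,13)"),  # passive: 200*256+13
]
```

A passive data connection only hits the `gt 1023` entries, and `first_match(40000, 443)` shows that the same entry also matches traffic that has nothing to do with FTP.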