From: ccie2be (ccie2be@nyc.rr.com)
Date: Mon Nov 15 2004 - 13:32:00 GMT-3
Brian,
What's the difference, if any, between the config below from the SG where
an acl is used to match smtp traffic and using the match prot smtp
statement? Specifically, would using the match prot smtp statement AVOID
the issue of where the "eq smtp" should be that exists with the access-list?
R3#
class-map SMTP-FROM-SERVER
match access-group name SMTP-FROM-SERVER
ip access-list extended SMTP-FROM-SERVER
permit tcp host 132.1.3.100 eq smtp any
R5#
class-map SMTP-TO-SERVER
match access-group name SMTP-TO-SERVER
ip access-list extended SMTP-TO-SERVER
permit tcp any host 132.1.3.100 eq smtp
Is below the same as above config?
R3
class-map SMTP
match prot smtp
R5
class-map SMTP
match prot smtp
Thanks, Tim
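Tim's question, and marc's explanation further down the thread, both turn on where "eq smtp" sits in an extended ACL: before the destination it tests the source port, after it the destination port. The Python evaluator below is an added example, not code from the thread: it parses the ACEs quoted here and reports which direction of an SMTP session each one matches. It models ACL matching only (not "match protocol smtp"), uses the server address 132.1.3.100 from the thread, and assumes a constructed client address and ephemeral port.

```python
# Added example, not part of the thread: a minimal evaluator for Cisco extended
# ACL entries, modelling only "any", "host A.B.C.D", "A.B.C.D WILDCARD" and "eq <port>".
import ipaddress
PORT_NAMES = {"smtp": 25, "pop3": 110, "imap": 143}
# Constructed session: server address from the thread; client address/port assumed.
CLIENT, SERVER = "132.1.5.50", "132.1.3.100"
FLOWS = {"client->server": ("tcp", CLIENT, 40000, SERVER, 25),
         "server->client": ("tcp", SERVER, 25, CLIENT, 40000)}

def _take_addr(toks):
    """Consume one address spec; return (remaining tokens, ip-matcher)."""
    if toks[0] == "any":
        return toks[1:], lambda ip: True
    if toks[0] == "host":
        want = ipaddress.ip_address(toks[1])
        return toks[2:], lambda ip: ipaddress.ip_address(ip) == want
    net = int(ipaddress.ip_address(toks[0]))
    mask = 0xFFFFFFFF ^ int(ipaddress.ip_address(toks[1]))  # wildcard bits -> don't care
    return toks[2:], lambda ip: (int(ipaddress.ip_address(ip)) & mask) == (net & mask)

def _take_port(toks):
    """Consume an optional 'eq <port>'; no operator means any port."""
    if toks and toks[0] == "eq":
        want = PORT_NAMES.get(toks[1]) or int(toks[1])
        return toks[2:], lambda p: p == want
    return toks, lambda p: True

def parse_ace(line):
    """Parse 'permit|deny <proto> <src> [eq p] <dst> [eq p]' left to right."""
    toks = line.split()
    action, proto = toks[0], toks[1]
    toks, src = _take_addr(toks[2:])
    toks, sport = _take_port(toks)   # an 'eq' right after the source binds to the source port
    toks, dst = _take_addr(toks)
    toks, dport = _take_port(toks)   # an 'eq' after the destination binds to the destination port
    return {"action": action, "proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport}

def ace_matches(ace, proto, src_ip, src_port, dst_ip, dst_port):
    return (ace["proto"] in ("ip", proto) and ace["src"](src_ip) and ace["sport"](src_port)
            and ace["dst"](dst_ip) and ace["dport"](dst_port))

def directions_matched(ace_text):
    """Which directions of the SMTP session in FLOWS does this ACE match?"""
    ace = parse_ace(ace_text)
    return [name for name, pkt in FLOWS.items() if ace_matches(ace, *pkt)]

if __name__ == "__main__":
    for ace in ("permit tcp host 132.1.3.100 eq smtp any", "deny tcp any any eq smtp"):
        print(f"{ace:42} matches {directions_matched(ace)}")
```

Running it shows the R3 entry (source port 25) catches only server-to-client packets and the R5 entry (destination port 25) only client-to-server packets, which is exactly the distinction behind John's two candidate deny lines.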
----- Original Message -----
From: "Brian McGahan" <bmcgahan@internetworkexpert.com>
To: "John Matus" <jmatus@pacbell.net>
Cc: "lab" <ccielab@groupstudy.com>
Sent: Monday, November 15, 2004 9:36 AM
Subject: RE: smtp flow
> John,
>
> Yes there was a previous typo in this solution that was fixed.
> The correct ACLs read as follows:
>
> R3#
> ip access-list extended SMTP_FROM_SERVER
> permit tcp host 132.1.3.100 eq smtp any
>
> R5#
> ip access-list extended SMTP_TO_SERVER
> permit tcp any host 132.1.3.100 eq smtp
>
> See this post for reference:
>
> http://forum.internetworkexpert.com/ubbthreads/showflat.php?Cat=&Board=IEWB_RS_LAB2&Number=4830&Forum=All_Forums&Words=smtp&Searchpage=0&Limit=25&Main=1570&Search=true&where=bodysub&Name=&daterange=1&newerval=1&newertype=y&olderval=&oldertype=&bodyprev=#Post4830
>
> And no this isn't a CCNP level question ;)
>
> Thanks,
>
> Brian McGahan, CCIE #8593
> bmcgahan@internetworkexpert.com
>
> Internetwork Expert, Inc.
> http://www.InternetworkExpert.com
> Toll Free: 877-224-8987 x 705
> Outside US: 775-826-4344 x 705
> 24/7 Support: http://forum.internetworkexpert.com
> Live Chat: http://www.internetworkexpert.com/chat/
>
>
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > John Matus
> > Sent: Monday, November 15, 2004 12:29 AM
> > To: marc van hoof; ccie2be
> > Cc: lab
> > Subject: Re: smtp flow
> >
> > yes, that was my initial thinking, however internetwork experts had it
> > ass-backwards in their solution guide and i just wanted to make sure i was
> > correct <and they had a typo>
> >
> >
> > Regards,
> >
> > John D. Matus
> > MCSE, CCNP
> > Office: 818-782-2061
> > Cell: 818-430-8372
> > jmatus@pacbell.net
> > ----- Original Message -----
> > From: "marc van hoof" <mvh@marcvanhoof.com>
> > To: "ccie2be" <ccie2be@nyc.rr.com>
> > Cc: "John Matus" <jmatus@pacbell.net>; "lab" <ccielab@groupstudy.com>
> > Sent: Sunday, November 14, 2004 8:50 PM
> > Subject: Re: smtp flow
> >
> >
> > > oh, and to answer the question, i would probably go with:
> > >
> > > deny tcp any eq smtp any
> > >
> > > given that you have to look at the terms "server" and "client" from the
> > > perspective of the transaction, rather than the functions of the
> > > hardware...
> > >
> > > in a traditional transaction, a client will be the originator of a
> > > session, and the server will be the recipient...
> > >
> > > so PC 1 creates a tcp connection from some random source port to another
> > > computer on port 25... in this transaction, i'd interpret that as the
> > > "server"
> > >
> > > to block the return traffic, you need to stop it flowing from the "server"
> > > on port 25 to the client's variable port, hence it must be unspecified in
> > > the acl.
> > >
> > > the definition of "server" and "client" are something you could probably
> > > ask the proctor though - just to clarify your understanding of the
> > > question. "proctor - should we assume that the client is the originator of
> > > the connection - i'm a bit confused because smtp is often used between
> > > mail servers"...
> > >
> > > -marc (#13832)
> > >
> > > On Sun, 14 Nov 2004, ccie2be wrote:
> > >
> > >> John,
> > >>
> > >> I don't know the answer for sure. But, in the lab, if something like that
> > >> comes and the wording of the task didn't forbid it, what I would do is use
> > >> both. You don't lose points for extra config commands which aren't needed
> > >> as long as the extra commands don't break or violate anything else.
> > >>
> > >> If one of those entries is the right entry but you don't know which one
> > >> and just guess, you've got a 50% chance of being right. If you put in both
> > >> entries and the wrong entry does no harm, you've increased your odds to
> > >> 100%.
> > >>
> > >> FYI, smtp is usually not used between a server and a client. Usually,
> > >> it's something like pop, (or imap?).
> > >>
> > >> HTH, Tim
> > >> ----- Original Message -----
> > >> From: "John Matus" <jmatus@pacbell.net>
> > >> To: "lab" <ccielab@groupstudy.com>
> > >> Sent: Sunday, November 14, 2004 10:09 PM
> > >> Subject: smtp flow
> > >>
> > >>
> > >>> if you are writing an acl that is denying a smtp flow from a server to a
> > >>> client would it be:
> > >>>
> > >>> deny tcp any eq smtp any?..........(or deny tcp any any eq smtp)?
> > >>>
> > >>>
> > >>> Regards,
> > >>>
> > >>> John D. Matus
> > >>> MCSE, CCNP
> > >>> Office: 818-782-2061
> > >>> Cell: 818-430-8372
> > >>> jmatus@pacbell.net
> > >>>
> > >>>
> > >>> _______________________________________________________________________
> > >>> Subscription information may be found at:
> > >>> http://www.groupstudy.com/list/CCIELab.html
This archive was generated by hypermail 2.1.4 : Thu Dec 02 2004 - 06:57:45 GMT-3