From: ccie2be (ccie2be@nyc.rr.com)
Date: Sun Jul 17 2005 - 10:55:32 GMT-3
Nope, that command is definitely not needed.
However, you should know and understand when you should use nbar versus an
acl as this is not 100% intuitive for many people.
For example, let's say you have to police http traffic to a server attached
to e0.
In this case, you might think that if you use match prot http, you'd be OK.
But, in fact, this is wrong.
Here's why. Match prot http would match BOTH requests to http server on E0
and responses from a server somewhere else in the network which are going to
http clients on E0.
IOW, match prot http is equivalent to this
access-list 100 permit tcp any eq www any
access-list 101 permit tcp any any eq www
class-map match-any WWW
match access-group 100
match access-group 101
Acl 100 matches traffic coming from a web server going to web clients which
you don't want to include.
So, I would advise you to study MQC thoroughly because lots of landmines
exist and Cisco will absolutely plant many of them on your lab.
HTH, Tim
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of k c
Sent: Sunday, July 17, 2005 8:00 AM
To: ccielab@groupstudy.com
Subject: NBAR Config
Hi Group,
Is it necessary to type "ip nbar protocol-discovery" on the interface
applied policy-map? I have seen many examples that they don't need this
command.
class-map match-any http-worm
 match protocol http url "*cmd.exe*"
!
policy-map mark-http-worm
 class http-worm
  set ip dscp 1
!
interface Ethernet1/1
 ip address 10.1.2.2 255.255.255.0
 service-policy input mark-http-worm
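A direction-aware version of the policing scenario Tim describes, added here as an illustration that is not from either poster. The server address 10.1.2.10, the 256 kbps rate and the interface name are assumed.

```cisco
! Added example (not from the thread): police only HTTP requests sent
! to a web server on E0. A bare "match protocol http" would also catch
! responses from other servers heading to web clients on E0.
! Assumed values: server 10.1.2.10, rate 256 kbps, burst 8000 bytes.
!
ip access-list extended HTTP-TO-SERVER
 permit tcp any host 10.1.2.10 eq www
!
! match-all, not match-any: every statement must match, so the ACL
! narrows the NBAR match to the client-to-server direction only.
class-map match-all HTTP-REQUESTS
 match protocol http
 match access-group name HTTP-TO-SERVER
!
policy-map POLICE-HTTP-REQUESTS
 class HTTP-REQUESTS
  police 256000 8000 conform-action transmit exceed-action drop
!
! Requests toward the server leave the router on E0, so the policy
! is applied outbound there.
interface Ethernet0
 service-policy output POLICE-HTTP-REQUESTS
!
! Check: "show policy-map interface Ethernet0" should show packets and
! conform/exceed counters only for traffic destined to 10.1.2.10:80.
```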
This archive was generated by hypermail 2.1.4 : Sun Sep 04 2005 - 17:00:30 GMT-3