From: Lab Rat #109385382 (techlist01@gmail.com)
Date: Tue Nov 28 2006 - 01:41:14 ART
In answer to my own question...
I guess the "correct" answer is to use the "match protocol" command, because
otherwise, it's not really NBAR...right?
I mean the primary function of NBAR is to match protocols. Wouldn't
matching an access-list be considered general classification?
-----Original Message-----
From: Marvin Greenlee [mailto:marvingreenlee@yahoo.com]
Sent: Monday, November 27, 2006 8:24 PM
To: Lab Rat #109385382; cisco@groupstudy.com; Cisco certification;
security@groupstudy.com
Subject: Re: NBAR Question
Generally, NBAR will match in both directions, so the protocol could be
either source or dest, which would be the same as:
access-list 100 permit tcp any any eq www
access-list 100 permit tcp any eq www any
If you know where the web server is, and know that you only need to match
traffic with a destination port of 80, your original access list would work.
If you don't know where the web server is, and are just told to police the
web traffic, make sure to catch in both directions.
Thanks,
Marvin Greenlee
--- Lab Rat #109385382 <techlist01@gmail.com> wrote:
> If I was asked to match HTTP traffic (to later be police'd), is there
> any difference between doing the following:
>
> class-map HTTP
> match protocol http
>
> with doing the following:
>
> access-list 100 permit tcp any any eq www
> class-map HTTP
> match access-group 100
>
> I've seen it done both ways, and I just want to know if there are any
> distinct functional differences between the two methods.
>
> Thanks,
>
> Ed
>
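The two classification methods discussed in this thread, written out as a complete policing configuration. This is an added example, not configuration posted by either participant; the interface name, the policing rate and the class/policy names are assumptions for illustration. It shows the point Marvin raises: the NBAR class needs one line to cover both directions of the HTTP flow, while the access-group class needs an ACL entry per direction to match the same traffic.

```cisco
! Added example (not from the thread): policing HTTP two ways on one router.
! Interface, rate, ACL number and names are assumptions for illustration.
!
! NBAR classification requires CEF switching.
ip cef
!
! --- Method 1: NBAR ---
! "match protocol http" classifies both directions of the flow, so one
! class catches requests to the web server and responses from it.
class-map match-all HTTP-NBAR
 match protocol http
!
! --- Method 2: access-group ---
! A port-based ACL entry is direction-specific. The first line alone only
! matches traffic sent TO port 80; the second line is needed for the
! server's replies (source port 80) when the server location is unknown.
access-list 100 permit tcp any any eq www
access-list 100 permit tcp any eq www any
!
class-map match-all HTTP-ACL
 match access-group 100
!
! Either class can feed the same policer; in practice only one is used.
! Rate (128 kbps) is an assumed value.
policy-map POLICE-HTTP
 class HTTP-NBAR
  police 128000 conform-action transmit exceed-action drop
!
! Apply in both directions so policing covers traffic entering and leaving.
interface FastEthernet0/0
 service-policy input POLICE-HTTP
 service-policy output POLICE-HTTP
```

To confirm which packets land in the class, `show policy-map interface FastEthernet0/0` reports per-class match counters and the policer's conformed/exceeded counts; swapping `class HTTP-NBAR` for `class HTTP-ACL` in the policy-map and comparing those counters makes any difference between the two methods visible on the router itself.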
This archive was generated by hypermail 2.1.4 : Fri Dec 01 2006 - 08:05:48 ART