RE: NBAR Question

From: Lab Rat #109385382 (techlist01@gmail.com)
Date: Tue Nov 28 2006 - 03:11:11 ART


<<2. The ACL method will not work if the server redefines another port
as the HTTP port.>>


Well, NBAR will only check port 80, as well, unless the "ip nbar port-map"
command is configured.


From: Xiangling [mailto:xianglingzj@gmail.com]
Sent: Monday, November 27, 2006 10:08 PM
To: Lab Rat #109385382
Cc: cisco@groupstudy.com; Cisco certification; security@groupstudy.com
Subject: Re: NBAR Question


IMHO there are 2 major differences.


1. Your ACL method only matches a destination port of 80, not the source
port, which means you match only the HTTP request but not the response.

2. The ACL method will not work if the server redefines another port
as the HTTP port.


Thus using NBAR will be more suitable here.


On 11/28/06, Lab Rat #109385382 <techlist01@gmail.com> wrote:

If I were asked to match HTTP traffic (to later be police'd), is there any
difference between doing the following:

class-map HTTP
match protocol http

with doing the following:

access-list 100 permit tcp any any eq www
class-map HTTP
match access-group 100

I've seen it done both ways, and I just want to know if there are any
distinct functional differences between the two methods.

Thanks,

Ed
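
An added configuration example (not from the thread) that puts the two approaches side by side: the ACL is widened so it also matches the response direction, and the NBAR port map is extended so "match protocol http" is no longer limited to port 80. The extra port 8080, the interface name and the policing rate are assumed placeholders.

```cisco
! Constructed example, not configuration posted in this thread.
!
! ACL approach. The original "eq www" line only matches the request
! (destination port 80); the second line adds the response (source port 80).
! It is still blind to HTTP served on any port other than 80.
access-list 100 permit tcp any any eq www
access-list 100 permit tcp any eq www any
class-map match-all HTTP-ACL
 match access-group 100
!
! NBAR approach. NBAR needs CEF, and by default inspects only port 80 for
! HTTP. The port-map command REPLACES the port list, so 80 must be listed
! again when adding another port (8080 is an assumed example port).
ip cef
ip nbar port-map http tcp 80 8080
class-map match-all HTTP-NBAR
 match protocol http
!
! Police the NBAR-based class (rate in bps is a placeholder value).
policy-map POLICE-HTTP
 class HTTP-NBAR
  police 1000000 conform-action transmit exceed-action drop
!
interface FastEthernet0/0
 service-policy input POLICE-HTTP
!
! Check which ports NBAR actually inspects for HTTP:
!   show ip nbar port-map http
```

Note that NBAR classifies the whole flow, so unlike the single-line ACL it already covers both directions; the port map only widens which ports are treated as HTTP.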



This archive was generated by hypermail 2.1.4 : Fri Dec 01 2006 - 08:05:48 ART