RE: NBAR or ACL's?

From: Huan Pham (Huan.Pham@peopletelecom.com.au)
Date: Fri Oct 03 2008 - 02:16:25 ART


Hi Dennis,

My opinion is that you can do it either way, NBAR or ACL. By default (i.e.
if you do not modify the default NBAR port-map), they will produce the same
outcome.

However, when you use an ACL, you need to be careful with the traffic
direction. Your ACLs below only match traffic going from Clients to
Servers.

access-list 100 permit tcp any any eq www
access-list 101 permit tcp any any eq smtp

Depending on your scenario, you may only need one direction (could be
only Servers to Clients, or Clients to Servers), or both directions. By
default, if nothing is mentioned about where the Client/Server are located,
you should have additional entries to cover the direction from Server
to Client.

Matching traffic using NBAR covers both traffic directions.

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Dennis Worth
Sent: Friday, 3 October 2008 2:16 PM
To: Cisco certification
Subject: NBAR or ACL's?

Hey group,

If asked to match SMTP and HTTP and Guarantee BW SMTP = 1Mb and HTTP =
2Mb.

Would you use NBAR

class-map match-all SMTP
match protocol smtp

class-map match-all HTTP
match protocol http

or

class-map match-all HTTP
match access-group 100

class-map match-all SMTP
match access-group 101

access-list 100 permit tcp any any eq www
access-list 101 permit tcp any any eq smtp

or

Is it at my discretion?

Any thoughts that I may need to think about?

Thanks,

--
Dennis Worth

Blogs and organic groups at http://www.ccie.net
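A complete configuration tying the two posts together, added here as an illustration rather than taken from either message. It keeps the ACL numbers and class names from the question, adds a second entry to each ACL (source port instead of destination port) so the class matches whichever side the servers sit on, and assumes a CBWFQ policy applied outbound on a hypothetical Serial0/0; bandwidth values are in kbps.

```ios
! ACL-based classification covering both traffic directions.
! First entry per ACL: client -> server (destination port).
! Second entry per ACL: server -> client (source port).
access-list 100 permit tcp any any eq www
access-list 100 permit tcp any eq www any
access-list 101 permit tcp any any eq smtp
access-list 101 permit tcp any eq smtp any
!
class-map match-all HTTP
 match access-group 100
class-map match-all SMTP
 match access-group 101
!
! CBWFQ guarantees: SMTP = 1 Mb/s, HTTP = 2 Mb/s (bandwidth is in kbps).
policy-map WAN-QOS
 class SMTP
  bandwidth 1000
 class HTTP
  bandwidth 2000
 class class-default
  fair-queue
!
! Hypothetical WAN interface; the guarantee only applies to traffic
! leaving this interface, so apply the policy where the queuing happens.
interface Serial0/0
 service-policy output WAN-QOS
```

With the NBAR variant (`match protocol http` / `match protocol smtp` in the class-maps) the ACLs are not needed, since NBAR classifies both directions of the flow; in either case `show policy-map interface Serial0/0` shows per-class match counters to confirm that each class is actually seeing traffic.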



This archive was generated by hypermail 2.1.4 : Sat Nov 01 2008 - 15:35:19 ARST