Re: Zone based firewall

From: Maarten Vervoorn <mr.vervoorn_at_gmail.com>
Date: Thu, 24 Jun 2010 07:41:51 +0200

Thanks for your responses.
So it's best to match on protocols. All the time?
Most of the time, no matter which protocol (http, smtp, etc.), you can choose an
ACL or protocol. My question basically is: do both answers, ACL or protocol,
give you the points? Or should I ask the proctor about it?

Thanks,

Maarten
2010/6/24 dara tomar <wish2ie_at_gmail.com>

> Hi,
>
> As well, the second option should take care of the passive FTP sessions,
> while the first will only nab the active FTP sessions.
>
> Thanks,
> Dara
>
>
> On Thu, Jun 24, 2010 at 2:25 AM, Sadiq Yakasai <sadiqtanko_at_gmail.com> wrote:
>
>> I agree with Tyson's point. Although this stupid exam is not about
>> "recommended best practices"! :-)
>>
>> So keep an open mind.
>>
>> Sadiq
>>
>> On Wed, Jun 23, 2010 at 8:48 PM, Tyson Scott <tscott_at_ipexpert.com> wrote:
>>
>> > The design recommendation is to match the protocol in the class map. The
>> > reason for doing this is to prevent unnecessary packet inspection for
>> > traffic that doesn't apply. The second option is the better choice.
>> >
>> > Regards,
>> >
>> > Tyson Scott - CCIE #13513 R&S, Security, and SP
>> > Managing Partner / Sr. Instructor - IPexpert, Inc.
>> > Mailto: tscott_at_ipexpert.com
>> >
>> >
>> >
>> > -----Original Message-----
>> > From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
>> > Maarten Vervoorn
>> > Sent: Wednesday, June 23, 2010 8:12 AM
>> > To: Cisco certification
>> > Subject: Zone based firewall
>> >
>> > Hi,
>> >
>> > A question regarding zone based firewall.
>> > When you are questioned to inspect FTP traffic to a specific
>> > destination, will both answers below give you the points?
>> >
>> > 1:
>> > ! ACL-based match: FTP control (port 21) and ftp-data (port 20) to the server
>> > ip access-list extended FTP
>> >  permit tcp any host 172.16.1.1 eq ftp
>> >  permit tcp any host 172.16.1.1 eq ftp-data
>> > !
>> > class-map type inspect FTP
>> >  match access-group name FTP
>> > !
>> > policy-map type inspect INT-EXT
>> >  class type inspect FTP
>> >   inspect
>> > --------------------------------------------------
>> > 2:
>> > ip access-list extended R1
>> >  permit ip any host 172.16.1.1
>> > !
>> > ! Protocol-based match, restricted by the ACL to one destination (match-all)
>> > class-map type inspect match-all FTP
>> >  match protocol ftp
>> >  match access-group name R1
>> > !
>> > policy-map type inspect INT-EXT
>> >  class type inspect FTP
>> >   inspect
>> > --------------------------------------------------
>> >
>> > Kind regards,
>> >
>> > Maarten
>> >
>> >
>> > Blogs and organic groups at http://www.ccie.net
>> >
>> > _______________________________________________________________________
>> > Subscription information may be found at:
>> > http://www.groupstudy.com/list/CCIELab.html
>> >
>> >
>>
>>
>> --
>> CCIE #19963
>>
>>

Received on Thu Jun 24 2010 - 07:41:51 ART

This archive was generated by hypermail 2.2.0 : Sun Aug 01 2010 - 09:11:38 ART
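As an added example (not part of the original thread or any poster's configuration), here is the complete zone-based firewall setup that option 2 would sit in, so the class map and policy map above can be seen together with the zones and zone-pair that actually apply them. The interface names, zone names and the zone-pair name are assumed for illustration; only the ACL, class-map and policy-map names and the 172.16.1.1 address come from the thread.

```cisco
! Added example: full zone-based firewall around option 2 from the thread.
! Assumed: Gi0/0 faces the inside network, Gi0/1 faces the outside network
! where the FTP server 172.16.1.1 lives; zone and zone-pair names are assumed.
zone security INSIDE
zone security OUTSIDE
!
interface GigabitEthernet0/0
 zone-member security INSIDE
!
interface GigabitEthernet0/1
 zone-member security OUTSIDE
!
! Restrict inspection to traffic destined for the one FTP server.
ip access-list extended R1
 permit ip any host 172.16.1.1
!
! match-all: a flow must be classified as FTP by the inspect engine AND hit
! the ACL. Matching the protocol (rather than ports 21/20) lets the firewall
! parse the control channel and open pinholes for the data connections,
! including the ephemeral ports used by passive mode.
class-map type inspect match-all FTP
 match protocol ftp
 match access-group name R1
!
policy-map type inspect INT-EXT
 class type inspect FTP
  inspect
 class class-default
  drop
!
! Apply the policy inside -> outside; traffic with no zone-pair policy is
! dropped by default between zones.
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect INT-EXT
!
! Verification while an FTP transfer is running (session table should show
! the control session and the dynamically opened data session):
! show policy-map type inspect zone-pair IN-TO-OUT sessions
! show class-map type inspect FTP
```

The `class class-default` with `drop` is explicit here so that anything not classified as FTP to 172.16.1.1 is visibly dropped rather than relying on the implicit default; the two `show` commands at the end are how you confirm that the passive-mode data connection was pinholed, which is the behaviour the thread says an ACL-only match on port 20 cannot provide.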