classification: exclude ftp from a certain class

Unanswered Question
Mar 20th, 2009

I'd like to exclude ftp to be classified in a certain class af31. Would this work:

class-map match-all af31

match not protocol ftp

match access-group name af31

(The named access-list af31 contains further statements to include certain source and destinations)

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Giuseppe Larosa Fri, 03/20/2009 - 05:46

Hello Alain,

define ACL af31 so that it denies FTP traffic

put the deny statements at the beginning and then go on with the permit statements

Hope to help


awoog Fri, 03/20/2009 - 07:53

This won't work with ftp in passive mode - because the ports are dynamically assigned. Hence the need of nbar. Note that the question is also if match not protocol ftp is syntactically correct.

Mohamed Sobair Fri, 03/20/2009 - 08:00


Yes it would work,

The (match not) protocol is inspected by NBAR, so in this class any FTP traffic is excluded.



Giuseppe Larosa Fri, 03/20/2009 - 10:03

Hello Mohamed,

good note I rated it as deserved

there is an example very close to this case

In the following traffic class, all protocols except IP are considered successful match criteria:

Router(config)# class-map noip

Router(config-cmap)# match not protocol ip

Router(config-cmap)# exit

Hope to help


awoog Mon, 03/23/2009 - 01:50

thanks - good hint... I'd like nevertheless to have the confirmation if possible that it has been indeed configured and tried, if not with with ftp, with a similar protocol, the kind of protocol with dynamic port assignment (passive mode)- difficult to put in an acces-list- otherwise I'd put it in the a simple access-list as was suggested before. You don't have a router at hand ;-) ?

Giuseppe Larosa Mon, 03/23/2009 - 03:55

Hello Alain,

when using match not protocol I think NBAR is invoked exactly like in match protocol so NBAR is capable of classify traffic with dynamic ports.

Hope to help



This Discussion