classification: exclude ftp from a certain class

Mar 20th, 2009
I'd like to exclude FTP from being classified in a certain class af31. Would this work:

class-map match-all af31
 match not protocol ftp
 match access-group name af31

(The named access-list af31 contains further statements to include certain sources and destinations.)


Giuseppe Larosa Fri, 03/20/2009 - 05:46
Hello Alain,

Define ACL af31 so that it denies FTP traffic.

Put the deny statements at the beginning and then go on with the permit statements.

Hope to help

Giuseppe


awoog Fri, 03/20/2009 - 07:53

This won't work with FTP in passive mode, because the ports are dynamically assigned. Hence the need for NBAR. Note that the question is also whether "match not protocol ftp" is syntactically correct.

Mohamed Sobair Fri, 03/20/2009 - 08:00


Hi,

Yes, it would work.

The "match not protocol" statement is inspected by NBAR, so in this class any FTP traffic is excluded.



HTH

Mohamed

Giuseppe Larosa Fri, 03/20/2009 - 10:03

Hello Mohamed,

Good note, I rated it as deserved.

http://www.cisco.com/en/US/docs/ios/qos/command/reference/qos_m1.html#wp1013500

There is an example very close to this case:

In the following traffic class, all protocols except IP are considered successful match criteria:

Router(config)# class-map noip
Router(config-cmap)# match not protocol ip
Router(config-cmap)# exit


Hope to help

Giuseppe


awoog Mon, 03/23/2009 - 01:50

Thanks, good hint... I'd like nevertheless to have the confirmation, if possible, that it has indeed been configured and tried, if not with FTP, then with a similar protocol, the kind of protocol with dynamic port assignment (passive mode), which is difficult to put in an access-list; otherwise I'd put it in a simple access-list as was suggested before. You don't have a router at hand ;-) ?

Giuseppe Larosa Mon, 03/23/2009 - 03:55

Hello Alain,

When using "match not protocol", I think NBAR is invoked exactly as in "match protocol", so NBAR is capable of classifying traffic with dynamic ports.



Hope to help

Giuseppe
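The two approaches discussed in this thread side by side, as an added example that is not part of any post above. The interface name, the 10.1.0.0/16 and 10.2.0.0/16 subnets and the DSCP marking policy are assumptions chosen for illustration.

```cisco
! Added example, not from the thread. Interface, subnets and the
! marking action are assumptions chosen for illustration.
!
! --- Approach 1: ACL only (Giuseppe's first suggestion) ---
! Inside a class-map, an ACL "deny" means "do not classify", not
! "drop". This catches only the well-known FTP ports (21 control,
! 20 active-mode data); passive-mode data connections negotiated on
! dynamic ports are NOT excluded by these lines (awoog's objection).
ip access-list extended af31-acl-only
 deny   tcp 10.1.0.0 0.0.255.255 any eq ftp
 deny   tcp 10.1.0.0 0.0.255.255 any eq ftp-data
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
! --- Approach 2: NBAR plus ACL (the original poster's idea) ---
! The ACL only selects sources and destinations. FTP is excluded by
! NBAR, which inspects the FTP control channel and therefore also
! recognises the data connections on dynamically assigned ports.
ip access-list extended af31
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
! match-all: a packet must satisfy BOTH lines to land in this class,
! i.e. "is not FTP according to NBAR" AND "is permitted by ACL af31".
class-map match-all af31
 match not protocol ftp
 match access-group name af31
!
! Mark what the class matched; everything else, FTP included, falls
! through to class-default (assumed marking values).
policy-map mark-af31
 class af31
  set ip dscp af31
 class class-default
  set ip dscp default
!
interface GigabitEthernet0/0
 service-policy input mark-af31
```

After applying the policy, "show policy-map interface GigabitEthernet0/0" shows per-class packet counters, which is the quickest way to confirm on a real router whether passive-mode FTP sessions really stay out of class af31.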

