03-20-2009 03:42 AM - edited 03-04-2019 04:01 AM
I'd like to exclude FTP from being classified in a certain class, af31. Would this work:
class-map match-all af31
match not protocol ftp
match access-group name af31
(The named access-list af31 contains further statements to include certain source and destinations)
03-20-2009 05:46 AM
Hello Alain,
Define ACL af31 so that it denies FTP traffic.
Put the deny statements at the beginning and then go on with the permit statements.
Hope to help
Giuseppe
03-20-2009 07:53 AM
This won't work with FTP in passive mode, because the ports are dynamically assigned. Hence the need for NBAR. Note that the question is also whether match not protocol ftp is syntactically correct.
03-20-2009 08:00 AM
Hi,
Yes, it would work.
The (match not) protocol is inspected by NBAR, so in this class any FTP traffic is excluded.
HTH
Mohamed
03-20-2009 10:03 AM
Hello Mohamed,
Good note, I rated it as deserved.
http://www.cisco.com/en/US/docs/ios/qos/command/reference/qos_m1.html#wp1013500
There is an example very close to this case:
In the following traffic class, all protocols except IP are considered successful match criteria:
Router(config)# class-map noip
Router(config-cmap)# match not protocol ip
Router(config-cmap)# exit
Hope to help
Giuseppe
03-23-2009 01:50 AM
Thanks - good hint... I'd nevertheless like to have confirmation, if possible, that it has indeed been configured and tried, if not with FTP, then with a similar protocol, the kind of protocol with dynamic port assignment (passive mode) that is difficult to put in an access-list. Otherwise I'd put it in a simple access-list as was suggested before. You don't have a router at hand ;-) ?
03-23-2009 03:55 AM
Hello Alain,
When using match not protocol, I think NBAR is invoked exactly like in match protocol, so NBAR is capable of classifying traffic with dynamic ports.
Hope to help
Giuseppe
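An added configuration sketch, not part of any post in this thread, showing one way to check the behaviour on a lab router: the class-map from the question is attached to a marking policy and the per-class counters are read while an FTP transfer runs. The ACL entry, the policy-map name MARK-AF31, the set dscp action and the interface are assumptions made for the example.

```cisco
! Constructed example. Addresses, policy name and interface are placeholders.
ip access-list extended af31
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
! Class-map exactly as posted in the question: with match-all, a packet
! must satisfy both the "not FTP" test and the ACL to land in this class.
class-map match-all af31
 match not protocol ftp
 match access-group name af31
!
! Assumed marking policy so the class has counters to inspect.
policy-map MARK-AF31
 class af31
  set dscp af31
!
interface FastEthernet0/0
 ! Optional: per-protocol NBAR statistics on the same interface.
 ip nbar protocol-discovery
 service-policy input MARK-AF31
!
! Verification while running a passive-mode FTP transfer plus some
! other traffic between hosts covered by the ACL:
!
!   show class-map af31
!   show policy-map interface FastEthernet0/0 input
!   show ip nbar protocol-discovery interface FastEthernet0/0 protocol ftp
!
! What to compare: the packet counter of class af31 should grow with the
! non-FTP traffic, the FTP packets should show up under class-default,
! and the NBAR discovery counters for ftp should account for the transfer.
```

If the af31 counter also increases during an FTP-only transfer, the FTP data connection is not being recognised as ftp on that software release and the exclusion is not effective for it.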