classification: exclude ftp from a certain class
03-20-2009 03:42 AM - edited 03-04-2019 04:01 AM
I'd like to exclude FTP from being classified into a certain class, af31. Would this work:
class-map match-all af31
match not protocol ftp
match access-group name af31
(The named access-list af31 contains further statements to include certain source and destinations)
Labels: Other Routing
03-20-2009 05:46 AM
Hello Alain,
Define ACL af31 so that it denies FTP traffic; put the deny statements at the beginning and then go on with the permit statements.
Hope to help
Giuseppe
03-20-2009 07:53 AM
This won't work with FTP in passive mode, because the ports are dynamically assigned. Hence the need for NBAR. Note that the question is also whether "match not protocol ftp" is syntactically correct.
03-20-2009 08:00 AM
Hi,
Yes, it would work.
The "match not protocol" criterion is inspected by NBAR, so in this class any FTP traffic is excluded.
HTH
Mohamed
03-20-2009 10:03 AM
Hello Mohamed,
Good note, I rated it as deserved.
http://www.cisco.com/en/US/docs/ios/qos/command/reference/qos_m1.html#wp1013500
There is an example very close to this case:
In the following traffic class, all protocols except IP are considered successful match criteria:
Router(config)# class-map noip
Router(config-cmap)# match not protocol ip
Router(config-cmap)# exit
Hope to help
Giuseppe
03-23-2009 01:50 AM
Thanks, good hint... I'd nevertheless like confirmation, if possible, that this has indeed been configured and tried, if not with FTP then with a similar protocol, the kind with dynamic port assignment (passive mode) that is difficult to put in an access-list; otherwise I'd put it in a simple access-list as was suggested before. You don't have a router at hand ;-) ?
03-23-2009 03:55 AM
Hello Alain,
When using "match not protocol" I think NBAR is invoked exactly as in "match protocol", so NBAR is capable of classifying traffic with dynamic ports.
Hope to help
Giuseppe
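The disagreement in this thread, an ACL that denies tcp/20 and tcp/21 versus NBAR's "match not protocol ftp", comes down to the dynamic data port of passive-mode FTP. The block below is an added example, not part of the original thread and not Cisco code: a small Python model in which a static port-based ACL and a classifier that reads the PASV reply on the control channel each decide whether a flow is FTP, and a match-all style class then keeps only flows that are in the address ACL and are not FTP. The addresses, ports and FTP exchange are constructed for illustration; the stateful classifier is a simplification of what any control-channel-aware inspector does and is not a description of NBAR internals.

```python
"""
Constructed demonstration: a static port ACL cannot exclude passive-mode FTP
from a QoS class, while a classifier that inspects the FTP control channel can.
Toy model only; it does not run on a router and is not NBAR.
"""
import re
from dataclasses import dataclass

# RFC 959 PASV reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    payload: str = ""  # control-channel text, empty for data flows


def pasv_data_endpoint(line):
    """Return (ip, port) announced in a PASV reply, or None if not a PASV reply."""
    m = PASV_RE.match(line)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def acl_is_ftp(flow):
    """Static ACL view of FTP: tcp/21 control or tcp/20 active-mode data only."""
    return flow.dport in (20, 21) or flow.sport in (20, 21)


class ControlChannelClassifier:
    """Stateful view of FTP: learns passive data endpoints from PASV replies on tcp/21."""

    def __init__(self):
        self.expected = set()  # (server_ip, data_port) pairs announced so far

    def is_ftp(self, flow):
        if flow.sport == 21 or flow.dport == 21:
            ep = pasv_data_endpoint(flow.payload)
            if ep:
                self.expected.add(ep)
            return True
        return ((flow.dst, flow.dport) in self.expected
                or (flow.src, flow.sport) in self.expected)


def in_acl_af31(flow):
    """Hypothetical address ACL af31: the thread's 'certain source and destinations'."""
    return flow.src.startswith("10.1.1.") and flow.dst.startswith("192.0.2.")


def class_af31_dports(flows, is_ftp):
    """match-all semantics: in address ACL AND not FTP. Returns dports of flows kept."""
    kept = []
    for f in flows:
        # Evaluate the FTP test on every flow so a stateful classifier sees the
        # whole conversation, including the server's PASV reply.
        ftp = is_ftp(f)
        if in_acl_af31(f) and not ftp:
            kept.append(f.dport)
    return kept


# Constructed passive FTP session plus one unrelated HTTP flow (hypothetical addresses).
SESSION = [
    Flow("10.1.1.10", 40001, "192.0.2.5", 21, "PASV"),
    Flow("192.0.2.5", 21, "10.1.1.10", 40001, "227 Entering Passive Mode (192,0,2,5,195,80)"),
    Flow("10.1.1.10", 40002, "192.0.2.5", 50000),  # passive data connection, 195*256+80
    Flow("10.1.1.10", 40003, "192.0.2.5", 80),     # HTTP, should remain in the class
]

if __name__ == "__main__":
    print("ACL approach keeps dports:     ", class_af31_dports(SESSION, acl_is_ftp))
    print("Stateful approach keeps dports:", class_af31_dports(SESSION, ControlChannelClassifier().is_ftp))
```

Run as-is: the ACL approach leaves the passive data connection on port 50000 inside class af31, because nothing in a port-based ACL can know that port was negotiated on the control channel, while the stateful approach excludes it and keeps only the HTTP flow.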
