Let's take a question on the NBAR match statement under a class-map. Why are these two match statements generally configured together under one class-map?
class-map type inspect match-all CMAP_TELNET
 match access-group name ACL_TELNET
 match protocol tcp
!
ip access-list extended ACL_TELNET
 permit tcp any any eq 23
When two match statements are configured under a match-all class map, as above, they are combined with a logical AND: the class matches only when both statements are true (a match-any class map would combine them with a logical OR). In this example the ACL narrows the class to TCP traffic destined for port 23 from any source, and match protocol tcp hands exactly that traffic to the TCP inspection engine. Either statement alone would be wrong: the ACL by itself selects the traffic but does not say how to inspect it, and match protocol tcp by itself would inspect every TCP flow. Also keep in mind that match protocol is the statement that activates NBAR, and NBAR does not only check port numbers but also the signatures associated with a protocol where required. One caveat for this particular class map: in a class-map type inspect the protocol keywords are resolved through the firewall's port-to-application map and its application inspection engines, whereas match protocol in an ordinary (QoS) class-map invokes the NBAR engine directly; the classification logic is the same in both cases.
If there is no need for deep packet inspection, you can avoid using NBAR. In practice, however, it is very commonly used.
Let me ask you something: how would you classify telnet traffic if the telnet server is hosted on a port other than 23, say 2323? If the port is known to you, you can easily classify it by destination port number; if it is not, you have no option but to use NBAR, which identifies the protocol by its signature rather than by port alone. FTP also requires NBAR (or equivalent protocol-aware inspection) for classification, because it uses different ports for control and data transfer and the data port is negotiated inside the control channel, so a fixed port-based ACL cannot follow the data connection (learn more about active and passive FTP modes).