Default class-maps can't use a parameter-map, so solution A is totally
irrelevant. You would be matching a URI with the NBAR field in it.

nbar protocol-discovery is not important on the second option.

Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP
Managing Partner / Sr. Instructor - IPexpert, Inc.
Mailto: [email protected]
Telephone: +1.810.326.1444, ext. 208
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130

IPexpert is a premier provider of Self-Study Workbooks, Video on Demand,
Audio Tools, Online Hardware Rental and Classroom Training for the Cisco
CCIE (R&S, Voice, Security & Service Provider) certification(s) with
training locations throughout the United States, Europe, South Asia and
Australia. Be sure to visit our online communities at
www.ipexpert.com/communities and our public website at www.ipexpert.com

From: [email protected]
[mailto:[email protected]] On Behalf Of kamran shakil
Sent: Friday, January 28, 2011 11:31 PM
To: [email protected]
Subject: [OSL | CCIE_Security] [call for H3lp] NBAR - > which solution is right !!! "plz help me understand"

Solution to be provided using NBAR IOS Technology:
========================================

Are both solutions correct with respect to LAB requirements if we need to
block the NIMDA attack on the webserver? Which one is the best solution? What is
the difference between the following 2 configurations? In the question, it
has been said that the NIMDA traffic already has a DSCP marking of 1.


SOLUTION A:
===========
parameter-map type regex NBAR
pattern default\.ida
pattern cmd\.exe
pattern root\.exe

class-map match-all NBAR
match protocol http url NBAR
match dscp 1

policy-map SOLUTION
class NBAR
drop

int fa0/1
service-policy input SOLUTION
ip nbar protocol-discovery <----------- is this command important or not ???
ip add <a.b.c.d> <mask>
no sh




SOLUTION B:
==========

class-map match-any CMAP_ATTACK
match protocol http url "*default.ida*"
match protocol http url "*cmd.exe*"
match protocol http url "*root.exe*"

class-map match-all NIMDA
match dscp 1
match class-map CMAP_ATTACK

policy-map SOLUTION
class NIMDA
drop


int fa0/1
service-policy input SOLUTION
ip nbar protocol-discovery <----------- is this command important or not ???
ip add <a.b.c.d> <mask>
no sh



regards,
Kamran.
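
Added example (not from either poster, and not IOS code): a small Python model of how the match-any URL class and the match-all DSCP class in solution B combine into the drop decision, and how the "*default.ida*" wildcard form compares with the escaped "default\.ida" regex form of solution A. The request URLs and DSCP values are constructed test inputs. It assumes NBAR's URL wildcard treats "*" as match-anything and every other character literally, while a parameter-map regex is an ordinary regular expression; the class and function names are the thread's names, not an NBAR API.

```python
"""Model of the solution B classification logic (added example, not IOS code).

Assumption: NBAR's 'match protocol http url' wildcard treats '*' as
'match anything' and every other character literally, while a
'parameter-map type regex' pattern is an ordinary regular expression.
"""
import re
from typing import NamedTuple


class HttpRequest(NamedTuple):
    """Minimal view of what the classifier sees: packet DSCP and request URL."""
    dscp: int
    url: str


# Patterns as written in the thread.
GLOB_PATTERNS = ["*default.ida*", "*cmd.exe*", "*root.exe*"]   # solution B, wildcard form
REGEX_PATTERNS = [r"default\.ida", r"cmd\.exe", r"root\.exe"]   # solution A, parameter-map form


def glob_to_regex(glob: str) -> "re.Pattern[str]":
    """Translate a '*'-only wildcard into an anchored regex; every other char is literal."""
    return re.compile("^" + ".*".join(re.escape(p) for p in glob.split("*")) + "$")


def url_matches_glob(url: str, patterns=GLOB_PATTERNS) -> bool:
    return any(glob_to_regex(p).match(url) for p in patterns)


def url_matches_regex(url: str, patterns=REGEX_PATTERNS) -> bool:
    return any(re.search(p, url) for p in patterns)


def class_cmap_attack(req: HttpRequest) -> bool:
    """class-map match-any CMAP_ATTACK: any one URL pattern is enough."""
    return url_matches_glob(req.url)


def class_nimda(req: HttpRequest) -> bool:
    """class-map match-all NIMDA: DSCP 1 AND the nested CMAP_ATTACK class."""
    return req.dscp == 1 and class_cmap_attack(req)


def policy_action(req: HttpRequest) -> str:
    """policy-map SOLUTION: class NIMDA -> drop; everything else falls to class-default."""
    return "drop" if class_nimda(req) else "forward"


def compare_pattern_forms(urls):
    """Per URL: (wildcard hit, escaped-regex hit, unescaped-dot regex hit).

    The third column shows why the '\\.' in the thread's regex patterns matters:
    an unescaped '.' would also match URLs such as /defaultXida.
    """
    unescaped = [p.replace("\\.", ".") for p in REGEX_PATTERNS]
    return {
        u: (url_matches_glob(u), url_matches_regex(u), url_matches_regex(u, unescaped))
        for u in urls
    }


if __name__ == "__main__":
    # Constructed sample traffic.
    samples = [
        HttpRequest(1, "/default.ida?NNNN"),
        HttpRequest(0, "/default.ida?NNNN"),   # same URL without DSCP 1: match-all fails
        HttpRequest(1, "/scripts/root.exe"),
        HttpRequest(1, "/index.html"),
        HttpRequest(1, "/defaultXida"),        # literal-dot check
    ]
    for s in samples:
        print(f"dscp={s.dscp} url={s.url:20} -> {policy_action(s)}")
    for url, flags in compare_pattern_forms([s.url for s in samples]).items():
        print(f"{url:20} glob={flags[0]} regex={flags[1]} regex_unescaped_dot={flags[2]}")
```

The nesting is the point of solution B: CMAP_ATTACK is match-any over the three URLs, and NIMDA is match-all over DSCP 1 and that class, so a DSCP-1 packet with a benign URL, or a matching URL without DSCP 1, both fall through to class-default instead of being dropped.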

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit 
www.ipexpert.com
