Hi Jim,

Since inspection_default catches all FTP traffic (TCP 21), there would be a match in this class in the first place. No other classes would be checked for FTP, meaning that the L7 advanced inspection you configured would not kick in.

Yes, you could remove the "inspect ftp" and then it should work. Note, however, that then any other FTP traffic not matched by your class would not be FTP-like inspected (but only as TCP).

There are more rules that govern how the inspection engine actually works and which class would be matched. The show service-policy flow and packet-tracer are NOT 100% verification tools. They work correctly in the vast majority of cases but not always. The best verification method for MPF is to generate some traffic and look into the counters in the show service-policy.

Regards,
--
Piotr Kaluzny
CCIE #25665 (Security), CCSP, CCNP
Sr. Support Engineer - IPexpert, Inc.
URL: http://www.IPexpert.com

On Tue, Aug 23, 2011 at 3:41 PM, Jim Terry <[email protected]> wrote:

> Hi all,
>
> In section 1.6 we are to configure a L7 ftp policy map. However my
> question is on how to apply it. The solution shows to put it on the
> global_policy and to make sure it shows before the class inspection_default.
>
> Why should it go before the inspection_default? Can't you just go into the
> inspection_default and remove 'inspect ftp' and then put the new ftp class
> map at the end of the global_policy?
>
> I am sure I am missing something so please let me know.
>
> Thanks,
>
> JT
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
> Are you a CCNP or CCIE and looking for a job? Check out
> www.PlatinumPlacement.com
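A small model of the class-matching rule described in the reply above, added here as an illustration; it is not part of the original thread or of the workbook solution. It assumes a hypothetical class FTP_L7 matching FTP to a constructed server address, and reduces MPF to the single rule the reply states: the first class that matches a flow and carries an FTP inspection action handles it. As the reply notes, the real engine has further rules.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class PolicyClass:
    name: str
    hosts: Optional[set]        # destination hosts the class-map matches; None = any
    ftp_action: Optional[str]   # FTP inspection action configured under the class


def ftp_handler(policy, dst_host):
    """Return (class, action) for a TCP/21 flow to dst_host.

    Classes are walked in policy-map order. The first class that both matches
    the flow and carries an FTP inspection action wins; later ones are skipped.
    """
    for cls in policy:
        if cls.hosts is not None and dst_host not in cls.hosts:
            continue
        if cls.ftp_action:
            return cls.name, cls.ftp_action
    return None, "plain TCP"


# Hypothetical class names and constructed addresses (not from the workbook).
SERVER, OTHER = "192.0.2.10", "198.51.100.7"
DEFAULT = PolicyClass("inspection_default", None, "inspect ftp")
DEFAULT_NO_FTP = PolicyClass("inspection_default", None, None)
CUSTOM = PolicyClass("FTP_L7", {SERVER}, "inspect ftp strict FTP_L7_MAP")

# The three global_policy layouts discussed in the thread.
LAYOUTS = {
    "custom_after_default": [DEFAULT, CUSTOM],
    "custom_before_default": [CUSTOM, DEFAULT],
    "ftp_removed_custom_last": [DEFAULT_NO_FTP, CUSTOM],
}


def evaluate():
    """Map each layout to the handler chosen for each destination host."""
    return {name: {host: ftp_handler(policy, host) for host in (SERVER, OTHER)}
            for name, policy in LAYOUTS.items()}


if __name__ == "__main__":
    for name, result in evaluate().items():
        for host, (cls, action) in result.items():
            print(f"{name:24} {host:14} -> {cls}: {action}")
```

On a real ASA the equivalent check is the one the reply recommends: generate FTP traffic and compare the per-class counters in show service-policy.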
