HP MSR Series Configuration Manual page 456


Figure 136 FTP inspection
As shown in Figure 136, FTP connections are established and removed as follows:
1. The FTP client initiates an FTP control connection from port 1333 to port 21 of the FTP server.
2. As a result of negotiation, the server initiates a data connection from port 20 to port 1600 of the client.
3. When data transmission times out or ends, the data connection is removed.
ASPF implements FTP inspection during the FTP connection lifetime as follows:
1. ASPF checks the IP packets the FTP client sends to the FTP server to identify TCP-based FTP packets. Based on the port number, ASPF identifies the control connection between the FTP client and server and creates a control connection session entry.
2. ASPF checks each FTP control connection packet and examines its TCP status based on the control connection session entry. ASPF analyzes the FTP instructions in the control connection packet. If the packet contains a data channel setup instruction, ASPF creates an associated entry for the data connection.
3. For return FTP control connection packets, ASPF examines their TCP status based on the control connection session entry to make packet forwarding decisions.
4. When the FTP data passes through the device, ASPF is triggered to create a session entry for the data connection and remove the associated entry.
5. For returned FTP data packets, ASPF examines their TCP status based on the data connection session entry to make packet forwarding decisions.
6. When the data transmission ends, ASPF removes the data connection session entry. When the FTP connection is removed, ASPF removes the control connection session entry.
Transport layer protocol inspection
Transport layer protocol inspection refers to generic TCP/UDP inspection. It creates session entries that record the transport layer information of packets and uses them to dynamically filter TCP and UDP packets. The transport layer information includes the source and destination addresses and port numbers.
Generic TCP/UDP inspection requires that return packets match the corresponding packets previously sent out of the external interface. A return packet must carry the same source/destination addresses and source/destination port numbers as the outgoing packet, with source and destination reversed. Return packets that do not match are blocked. For multichannel application layer protocols such as FTP, deploying TCP inspection without application layer inspection prevents the data connection from being established, because the server-initiated data connection does not match any outgoing packet.
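The following is an added example written for this page; it is not HPE code and does not model the router's actual ASPF implementation. It replays the Figure 136 exchange (control connection 1333 to 21, PORT negotiation, server-initiated data connection 20 to 1600) through a toy stateful inspector that implements both the generic TCP inspection rule (return packets must match an outgoing packet with addresses and ports reversed) and the FTP inspection steps above (a control session entry, an associated entry created from the PORT command, promotion of the associated entry to a data session entry, and removal on close). The IP addresses, the `Packet` and `Aspf` names and the simplified "outbound/return" model without a TCP state machine are assumptions of this example.

```python
"""Toy ASPF-style inspector: generic TCP session tracking plus FTP PORT-command
inspection for active-mode data connections.  Constructed example, not HPE code."""
import re
from dataclasses import dataclass

CLIENT_IP = "10.1.1.2"     # constructed: internal FTP client
SERVER_IP = "192.0.2.10"   # constructed: external FTP server

# RFC 959 PORT command: h1,h2,h3,h4 address octets, p1,p2 port bytes (port = p1*256 + p2)
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r?\n?$")


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    outbound: bool      # True: sent out of the external interface; False: return traffic
    payload: str = ""   # application-layer text, only examined on the control connection


class Aspf:
    def __init__(self, ftp_inspection: bool):
        self.ftp_inspection = ftp_inspection
        self.sessions = set()    # (src_ip, src_port, dst_ip, dst_port) of outbound flows
        self.associated = set()  # expected data connections: (server_ip, client_ip, client_port)

    def process(self, pkt: Packet) -> str:
        fwd = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        rev = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if pkt.outbound:
            # Step 1: an outbound packet creates (or refreshes) a session entry.
            self.sessions.add(fwd)
            # Step 2: on the FTP control connection, look for a data-channel setup instruction.
            if self.ftp_inspection and pkt.dst_port == 21:
                self._inspect_ftp_control(pkt)
            return "permit"
        # Steps 3 and 5: return traffic must match a session with addresses and ports reversed.
        if rev in self.sessions:
            return "permit"
        # Step 4: a server-initiated data connection is allowed only if it matches an
        # associated entry, which is then consumed and replaced by a data session entry.
        assoc = (pkt.src_ip, pkt.dst_ip, pkt.dst_port)
        if assoc in self.associated:
            self.associated.discard(assoc)
            self.sessions.add(rev)  # stored client->server so later data packets match both ways
            return "permit"
        return "deny"   # generic TCP inspection: unmatched return packets are blocked

    def _inspect_ftp_control(self, pkt: Packet) -> None:
        m = PORT_RE.match(pkt.payload)
        if not m:
            return
        h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
        client_ip = f"{h1}.{h2}.{h3}.{h4}"
        # Honour only a PORT command that names the client's own address (basic sanity check).
        if client_ip == pkt.src_ip:
            self.associated.add((pkt.dst_ip, client_ip, p1 * 256 + p2))

    def close(self, pkt: Packet) -> None:
        """Step 6: remove the session entry when the connection ends or times out."""
        self.sessions.discard((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
        self.sessions.discard((pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port))


def active_ftp_scenario(ftp_inspection: bool) -> dict:
    """Replays the Figure 136 exchange and returns the verdict for each packet."""
    aspf = Aspf(ftp_inspection)
    ctrl_syn = Packet(CLIENT_IP, 1333, SERVER_IP, 21, outbound=True)
    ctrl_reply = Packet(SERVER_IP, 21, CLIENT_IP, 1333, outbound=False)
    # Client announces data port 1600 = 6*256 + 64 on its own address 10.1.1.2
    port_cmd = Packet(CLIENT_IP, 1333, SERVER_IP, 21, outbound=True, payload="PORT 10,1,1,2,6,64\r\n")
    data_syn = Packet(SERVER_IP, 20, CLIENT_IP, 1600, outbound=False)   # server opens data channel
    data_ack = Packet(CLIENT_IP, 1600, SERVER_IP, 20, outbound=True)
    data_reply = Packet(SERVER_IP, 20, CLIENT_IP, 1600, outbound=False)
    stray = Packet(SERVER_IP, 20, CLIENT_IP, 1601, outbound=False)      # port never negotiated

    result = {
        "ctrl_syn": aspf.process(ctrl_syn),
        "ctrl_reply": aspf.process(ctrl_reply),
        "port_cmd": aspf.process(port_cmd),
        "data_syn": aspf.process(data_syn),
    }
    if result["data_syn"] == "permit":   # the client only answers a SYN that got through
        result["data_ack"] = aspf.process(data_ack)
        result["data_reply"] = aspf.process(data_reply)
    result["stray"] = aspf.process(stray)
    aspf.close(data_syn)
    aspf.close(ctrl_syn)
    result["sessions_after_close"] = len(aspf.sessions)
    return result


if __name__ == "__main__":
    print("FTP inspection on: ", active_ftp_scenario(True))
    print("FTP inspection off:", active_ftp_scenario(False))
```

With FTP inspection enabled the server's connection from port 20 to port 1600 is permitted because it matches the associated entry, and the entry is consumed so a second connection to a different port (1601) is still denied. With only generic TCP inspection the same data SYN is denied, which is the failure mode the text describes for multichannel protocols.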
