FTP load balance on ACE

jteixido
Level 1

Has anyone load balanced FTP on the ACE? If so can you please leave a configuration example?

Thank you,

John...

8 Replies

class-map match-any FTP
  2 match virtual-address 10.10.10.100 tcp eq ftp

policy-map type loadbalance first-match FTP-POLICY
  class class-default
    serverfarm FTP-SFarm

policy-map multi-match VIPS
  class FTP
    loadbalance vip inservice
    loadbalance policy FTP-POLICY
    loadbalance vip icmp-reply
    inspect ftp

Syed

Hi,

If you want FTP passive mode to work, then in addition to the above configuration also add:

class-map match-any FTP
  match virtual-address 10.10.10.100 tcp range 1023 65535

Regards

Thank you Guys.

James

Wouldn't the ACE FTP inspect also open the ports on the VIP for the traffic to be load balanced? What you described raises security concerns. You could possibly have a firewall in front of the ACE doing the filtering (and FTP inspect).

Kindly find these two examples of the FTP load balancing method in Cisco ACE:

1. FTP serverfarm on Cisco ACE

http://snippets101.blogspot.com/2007/06/ftp-serverfarm-on-cisco-ace.html

2. FTP Load Balancing on ACE in Routed Mode Configuration Example

http://docwiki.cisco.com/wiki/FTP_Load_Balancing_on_ACE_in_Routed_Mode_Configuration_Example

3. FTP Load Balancing on ACE in One-Arm Mode Configuration Example

http://docwiki.cisco.com/wiki/FTP_Load_Balancing_on_ACE_in_One-Arm_Mode_Configuration_Example

Sachin

I think these commands were only needed as a workaround for an old defect.

With the latest versions, I don't think this is required anymore.

FTP inspection should take care of everything.

Gilles

Well Gilles,

I went ahead and tried it in the labs. If you don't open the range of ports, FTP PASV does not work. Inspect ftp doesn't seem to resolve the issue.

You don't need to modify the FTP class.

However, if you do client-nat, you need to create a new class and a new policy to perform client nat on the data connection.

Unfortunately, inspect FTP can't do that alone.

So you should have:

class ftp
  match virt x.x.x.x tcp eq 21

class ftp-data-nat
  match virt x.x.x.x tcp range ...

policy multi FTP
  class ftp
    load ...
    nat dynamic ...
    inspect ftp
  class ftp-data-nat
    nat dynamic ...

Without client nat, the class ftp-data-nat is not required for passive ftp to work.

Gilles.
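An added example, not code from any post in this thread or from Cisco, to show why the passive-mode replies above argue about the port range: it decodes the server's 227 PASV reply to find the data port, then checks that port against the class-map match lines quoted in the thread (the VIP 10.10.10.100, the "eq ftp" line and the "range 1023 65535" line). Whether a given ACE release needs the extra line is the question the posters disagree on; the parser only shows which connections each class-map would classify.

```python
import re

# Constructed sample config using the class-map entries posted in this thread.
CLASS_MAP_CONTROL_ONLY = """
class-map match-any FTP
  2 match virtual-address 10.10.10.100 tcp eq ftp
"""
CLASS_MAP_WITH_PASSIVE = CLASS_MAP_CONTROL_ONLY + \
    "  3 match virtual-address 10.10.10.100 tcp range 1023 65535\n"

MATCH_RE = re.compile(
    r"^\s*(?:\d+\s+)?match virtual-address (\S+) tcp (eq|range) (\S+)(?:\s+(\S+))?")
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
NAMED_PORTS = {"ftp": 21, "ftp-data": 20}  # names accepted after "eq"

def parse_class_map(text):
    """Return (vip, low_port, high_port) for every match line in the class-map."""
    rules = []
    for line in text.splitlines():
        m = MATCH_RE.match(line)
        if not m:
            continue
        vip, kind, first, second = m.groups()
        low = NAMED_PORTS.get(first) or int(first)
        high = low if kind == "eq" else int(second)
        rules.append((vip, low, high))
    return rules

def class_matches(rules, dst_ip, dst_port):
    """True if a connection to dst_ip:dst_port is classified into the VIP."""
    return any(vip == dst_ip and low <= dst_port <= high for vip, low, high in rules)

def parse_pasv(reply):
    """Decode a 227 PASV reply into (ip, port); the port is p1*256 + p2."""
    m = PASV_RE.match(reply)
    if not m:
        raise ValueError("not a 227 Entering Passive Mode reply")
    h1, h2, h3, h4, p1, p2 = m.groups()
    return f"{h1}.{h2}.{h3}.{h4}", int(p1) * 256 + int(p2)

def data_connection_hits_vip(class_map_text, pasv_reply):
    """Would the client's passive data connection be classified by this class-map?"""
    ip, port = parse_pasv(pasv_reply)
    return class_matches(parse_class_map(class_map_text), ip, port)

if __name__ == "__main__":
    # Constructed reply as the client sees it once the server address has been
    # rewritten to the VIP: data port = 195*256 + 80 = 50000.
    reply = "227 Entering Passive Mode (10,10,10,100,195,80)"
    for name, cfg in (("control only", CLASS_MAP_CONTROL_ONLY), ("with range", CLASS_MAP_WITH_PASSIVE)):
        print(name, data_connection_hits_vip(cfg, reply))
```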
