Cisco Support Community

ACE: [Case Study] FTP data volume cannot be checked with show service-policy

    The case introduced here concerns the ACE appliance: you want to check the ftp-data packet/byte counts, but show service-policy counts only the control connection.

    In fact, after creating a 10M file on the server and downloading it, the output of the show service-policy command looks like the following.

    How can we satisfy the requirement to also check the ftp-data volume with the show service-policy command?

    # Setup

    ftp_case_01.png

    # ACE4710 output after the file download


    ACE4710/Admin# clear service-policy lb

    ACE4710/Admin# sh service-policy

    Policy-map :    lb

    Status     : ACTIVE

    -----------------------------------------

    Interface:    vlan 1 721

      service-policy: lb

        class: vip-ftp

          loadbalance:

            L7 loadbalance policy: ftp

            VIP ICMP Reply       : ENABLED

            VIP State: INSERVICE

            Persistence Rebalance: DISABLED

            curr conns       : 0         , hit    count        : 1

            dropped conns    : 0

            client pkt count : 23        , client byte count: 1065

            server pkt count : 16        , server byte count: 1069

            conn-rate-limit      : 0         , drop-count : 0

            bandwidth-rate-limit : 0         , drop-count : 0

          compression:

            bytes_in  : 0                          bytes_out : 0

            Compression ratio : 0.00%

                    Gzip: 0               Deflate: 0

          compression errors:

            User-Agent  : 0               Accept-Encoding    : 0

            Content size: 0               Content type       : 0

            Not HTTP 1.1: 0               HTTP response error: 0

            Others      : 0

          inspect ftp:

            L7 inspect policy : -

            strict ftp: DISABLED

            curr conns       : 0         , hit    count        : 1

            dropped conns    : 0

            client pkt count : 23        , client byte count: 1065

            server pkt count : 16        , server byte count: 1069

            conn-rate-limit      : 0         , drop-count : 0

            bandwidth-rate-limit : 0         , drop-count : 0

    ACE4710/Admin#

    # Generate a 10M file on the server


    sv1:/# dd if=/dev/zero of=/home/ftp/tempfile bs=1M count=10
    10+0 records in
    10+0 records out
    10485760 bytes (10 MB) copied, 0.0554519 seconds, 189 MB/s
    sv1:/#

    # Get the file from the client


    # ftp 192.168.221.100
    Connected to 192.168.221.100.
    220 (vsFTPd 2.0.7)
    Name (192.168.221.100:root): anonymous
    331 Please specify the password.
    Password:
    230 Login successful.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp> get tempfile
    local: tempfile remote: tempfile
    200 PORT command successful. Consider using PASV.
    150 Opening BINARY mode data connection for tempfile (10485760 bytes).
    226 File send OK.
    10485760 bytes received in 0.11 secs (94814.8 kB/s)
    ftp> passive
    Passive mode on.
    ftp> get tempfile
    local: tempfile remote: tempfile
    227 Entering Passive Mode (192,168,221,100,4,80)
    150 Opening BINARY mode data connection for tempfile (10485760 bytes).
    226 File send OK.
    10485760 bytes received in 0.11 secs (91428.6 kB/s)
    ftp> quit
    221 Goodbye.

    # ACE4710 configuration


    ACE4710/Admin# sh run
    Generating configuration....
    boot system image:c4710ace-mz.A3_2_5.bin
    hostname ACE4710
    interface gigabitEthernet 1/1
      switchport trunk allowed vlan 721-722
      no shutdown
    interface gigabitEthernet 1/2
      shutdown
    interface gigabitEthernet 1/3
      shutdown
    interface gigabitEthernet 1/4
      shutdown
    access-list all line 8 extended permit ip any any
    rserver host sv1
      ip address 192.168.222.10
      inservice
    rserver host sv2
      ip address 192.168.222.20
      inservice
    serverfarm host sf
      rserver sv1
        inservice
      rserver sv2
        inservice
    class-map match-all vip-ftp
      2 match virtual-address 192.168.221.100 tcp eq ftp
    policy-map type loadbalance first-match ftp
      class class-default
        serverfarm sf
    policy-map multi-match lb
      class vip-ftp
        loadbalance vip inservice
        loadbalance policy ftp
        loadbalance vip icmp-reply
        inspect ftp
    access-group input all
    interface vlan 721
      ip address 192.168.221.250 255.255.255.0
      service-policy input lb
      no shutdown
    interface vlan 722
      ip address 192.168.222.250 255.255.255.0
      no shutdown

    ### Answer

    vip-ftp is a class for the VIP's FTP control connection; the data connection is not covered by it.

    Therefore, a class that also covers the data connection must be configured so that show service-policy counts it. For this requirement, configuring SNAT makes it possible to create a class that also covers the data connection. For SNAT, see also ACE Source NAT.

    ACE4710/Admin# sh run
    Generating configuration....
    boot system image:c4710ace-mz.A3_2_5.bin
    hostname ACE4710b-yushimaz
    interface gigabitEthernet 1/1
      switchport trunk allowed vlan 721-722
      no shutdown
    interface gigabitEthernet 1/2
      shutdown
    interface gigabitEthernet 1/3
      shutdown
    interface gigabitEthernet 1/4
      shutdown
    access-list all line 8 extended permit ip any any
    rserver host sv1
      ip address 192.168.222.10
      inservice
    rserver host sv2
      ip address 192.168.222.20
      inservice
    serverfarm host sf
      rserver sv1
        inservice
      rserver sv2
        inservice
    class-map match-all ftp-nat
      2 match destination-address 192.168.221.100 255.255.255.255
    class-map match-all vip-ftp
      2 match virtual-address 192.168.221.100 tcp eq ftp
    policy-map type loadbalance first-match ftp
      class class-default
        serverfarm sf
    policy-map multi-match lb
      class vip-ftp
        loadbalance vip inservice
        loadbalance policy ftp
        loadbalance vip icmp-reply
        inspect ftp
      class ftp-nat
        nat dynamic 1 vlan 722
    access-group input all
    interface vlan 721
      ip address 192.168.221.250 255.255.255.0
      service-policy input lb
      no shutdown
    interface vlan 722
      ip address 192.168.222.250 255.255.255.0
      nat-pool 1 192.168.221.100 192.168.221.100 netmask 255.255.255.255 pat
      no shutdown

    # Output during the file download


    ACE4710/Admin# clear service-policy lb

    !___ active mode file download

    ACE4710/Admin# sh service-policy

    Policy-map :    lb

    Status     : ACTIVE

    -----------------------------------------

    Interface:    vlan 1 721

      service-policy: lb

        class: vip-ftp

          loadbalance:

            L7 loadbalance policy: ftp

            VIP ICMP Reply       : ENABLED

            VIP State: INSERVICE

            Persistence Rebalance: DISABLED

            curr conns       : 1         , hit count        : 1

            dropped conns    : 0

            client pkt count : 0         , client byte count: 0

            server pkt count : 0         , server byte count: 0

            conn-rate-limit      : 0         , drop-count : 0

            bandwidth-rate-limit : 0         , drop-count : 0

          compression:

            bytes_in  : 0                          bytes_out : 0

            Compression ratio : 0.00%

                    Gzip: 0               Deflate: 0

          compression errors:

            User-Agent  : 0               Accept-Encoding    : 0

            Content size: 0               Content type       : 0

            Not HTTP 1.1: 0               HTTP response error: 0

            Others      : 0

          inspect ftp:

            L7 inspect policy : -

            strict ftp: DISABLED

            curr conns       : 1         , hit count        : 1

            dropped conns    : 0

            client pkt count : 0         , client byte count: 0

            server pkt count : 0         , server byte count: 0

            conn-rate-limit      : 0         , drop-count : 0

            bandwidth-rate-limit : 0         , drop-count : 0

        class: ftp-nat

          nat:

            nat dynamic 1 vlan 722

            curr conns       : 0         , hit    count        : 2

    !___ control conn + data conn(active) = 2 conn

            dropped conns    : 0

            client pkt count : 7186      , client byte count: 10773220

            server pkt count : 2258      , server byte count: 90324

            conn-rate-limit      : 0         , drop-count : 0

            bandwidth-rate-limit : 0         , drop-count : 0

    !___ passive mode file download

    ACE4710/Admin# sh service-policy

    Policy-map :    lb

    Status     : ACTIVE

    -----------------------------------------

    Interface:    vlan 1 721

      service-policy: lb

        class: vip-ftp

          loadbalance:

            L7 loadbalance policy: ftp

            VIP ICMP Reply       : ENABLED

            VIP State: INSERVICE

            Persistence Rebalance: DISABLED

            curr conns       : 1         , hit count        : 1

            dropped conns    : 0

            client pkt count : 0         , client byte count: 0

            server pkt count : 0         , server byte count: 0

            conn-rate-limit      : 0         , drop-count : 0

            bandwidth-rate-limit : 0         , drop-count : 0

          compression:

            bytes_in  : 0                          bytes_out : 0

            Compression ratio : 0.00%

                    Gzip: 0               Deflate: 0

          compression errors:

            User-Agent  : 0               Accept-Encoding    : 0

            Content size: 0               Content type       : 0

            Not HTTP 1.1: 0               HTTP response error: 0

            Others      : 0

          inspect ftp:

            L7 inspect policy : -

            strict ftp: DISABLED

            curr conns       : 1         , hit count        : 1

            dropped conns    : 0

            client pkt count : 0         , client byte count: 0

            server pkt count : 0         , server byte count: 0

            conn-rate-limit      : 0         , drop-count : 0

            bandwidth-rate-limit : 0         , drop-count : 0

        class: ftp-nat

          nat:

            nat dynamic 1 vlan 722

            curr conns       : 0         , hit    count        : 3

    !___ control conn + data conn(active) + data conn(passive) = 3 conn

            dropped conns    : 0

            client pkt count : 10425     , client byte count: 10902800

            server pkt count : 9443      , server byte count: 10863488

            conn-rate-limit      : 0         , drop-count : 0

            bandwidth-rate-limit : 0         , drop-count : 0

    ACE4710/Admin#
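The check made by eye on the outputs above can be scripted. The following is an added example, not part of the original post or Cisco tooling: it parses the byte counters per class from `show service-policy` text and reports which class accounts for the 10485760-byte transfer. The function names are assumptions, and the sample text is a constructed excerpt of the outputs shown on this page.

```python
import re

FILE_SIZE = 10485760  # bytes in tempfile, as created with dd on this page

# Constructed excerpts: class/feature headers and byte counters copied from
# the page's outputs; all other lines are omitted.
BEFORE_SNAT = """
class: vip-ftp
  inspect ftp:
    client pkt count : 23        , client byte count: 1065
    server pkt count : 16        , server byte count: 1069
"""
AFTER_ACTIVE = """
class: vip-ftp
  inspect ftp:
    client pkt count : 0         , client byte count: 0
    server pkt count : 0         , server byte count: 0
class: ftp-nat
  nat:
    client pkt count : 7186      , client byte count: 10773220
    server pkt count : 2258      , server byte count: 90324
"""
AFTER_PASSIVE = """
class: ftp-nat
  nat:
    client pkt count : 10425     , client byte count: 10902800
    server pkt count : 9443      , server byte count: 10863488
"""

def parse_bytes(text):
    """Return {(class, feature): {'client': n, 'server': n}} byte counters."""
    out, cls, feat = {}, None, None
    for line in text.splitlines():
        if m := re.match(r"\s*class:\s*(\S+)", line):
            cls, feat = m.group(1), None
        elif m := re.match(r"\s*([a-z][a-z ]*):\s*$", line):
            feat = m.group(1)
        elif cls and feat:
            for side, n in re.findall(r"(client|server) byte count\s*:\s*(\d+)", line):
                out.setdefault((cls, feat), {})[side] = int(n)
    return out

def delta(old, new):
    """Per-counter growth between two snapshots (missing entries count as 0)."""
    return {k: {s: v - old.get(k, {}).get(s, 0) for s, v in c.items()}
            for k, c in new.items()}

def classes_covering(counters, size=FILE_SIZE):
    """Classes whose client or server byte counter accounts for a transfer of `size`."""
    return sorted({k[0] for k, c in counters.items() if max(c.values()) >= size})
```

Taking the delta between the active-mode and passive-mode snapshots isolates the second download, since the counters were cleared only once before both transfers.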

Last updated: 07-27-2010 06:30 PM