Cisco Support Community
New Member

FTP load balance on ACE

Has anyone load balanced FTP on the ACE? If so can you please leave a configuration example?

Thank you,

John...


Re: FTP load balance on ACE

    class-map match-any FTP
      2 match virtual-address 10.10.10.100 tcp eq ftp

    policy-map type loadbalance first-match FTP-POLICY
      class class-default
        serverfarm FTP-SFarm

    policy-map multi-match VIPS
      class FTP
        loadbalance vip inservice
        loadbalance policy FTP-POLICY
        loadbalance vip icmp-reply
        inspect ftp

Syed

Bronze

Re: FTP load balance on ACE

Hi,

If you want FTP passive mode to work then in addition to the above configuration also add

    class-map match-any FTP
      match virtual-address 10.10.10.100 tcp range 1023 65535

Regards

New Member

Re: FTP load balance on ACE

Thank you Guys.

New Member

Re: FTP load balance on ACE

James

Wouldn't the ACE FTP inspect also open the ports on the VIP for the traffic to be load balanced? What you described raises security concerns. You could possibly have a firewall in front of the ACE doing the filtering (and FTP inspect).

Re: FTP load balance on ACE

Kindly find these two examples for FTP load balance method in Cisco ACE:

1. FTP serverfarm on Cisco ACE

http://snippets101.blogspot.com/2007/06/ftp-serverfarm-on-cisco-ace.html

2. FTP Load Balancing on ACE in Routed Mode Configuration Example

http://docwiki.cisco.com/wiki/FTP_Load_Balancing_on_ACE_in_Routed_Mode_Configuration_Example

3. FTP Load Balancing on ACE in One-Arm Mode Configuration Example

http://docwiki.cisco.com/wiki/FTP_Load_Balancing_on_ACE_in_One-Arm_Mode_Configuration_Example

Sachin

Cisco Employee

Re: FTP load balance on ACE

I think these commands were only needed as a workaround for an old defect.

With the latest versions, I don't think this is required anymore.

FTP inspection should take care of everything.

Gilles

New Member

Re: FTP load balance on ACE

Well Gilles

I went ahead and tried it in the labs. If you don't open the range of ports, FTP PASV does not work. Inspect ftp doesn't seem to resolve the issue.

Cisco Employee

Re: FTP load balance on ACE

You don't need to modify the FTP class.

However, if you do client-nat, you need to create a new class and a new policy to perform client nat on the data connection.

Unfortunately, inspect FTP can't do that alone.

So you should have

    class ftp
      match virt x.x.x.x tcp eq 21
    class ftp-data-nat
      match virt x.x.x.x tcp range ...

    policy multi FTP
      class ftp
        load ...
        nat dynamic ...
        inspect ftp
      class ftp-data-nat
        nat dynamic ...

Without client nat, the class ftp-data-nat is not required for passive ftp to work.

Gilles.
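Added illustration, not from any poster in this thread and not Cisco's implementation: a sketch of what control-channel inspection has to do for passive FTP behind a VIP. It parses the 227/229 reply, advertises the VIP instead of the real server, and permits only the announced data port, which is then compared with the static `range 1023 65535` match discussed above. The function names, the client address 198.51.100.7 and the real-server address 192.168.1.11 are constructed for the example.

```python
import re

VIP = "10.10.10.100"           # VIP used in the thread
STATIC_RANGE = (1023, 65535)   # static data-port match proposed in the thread
# RFC 959 reply: 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
PASV = re.compile(r"^227 [^(]*\(" + ",".join([r"(\d{1,3})"] * 6) + r"\)")
# RFC 2428 reply: 229 Entering Extended Passive Mode (|||port|)
EPSV = re.compile(r"^229 [^(]*\(\|\|\|(\d{1,5})\|\)")

def inspect_reply(line, client, vip=VIP):
    """Return (line_to_client, pinhole); pinhole is (client, vip, port) or None."""
    m = PASV.match(line)
    if m:
        nums = [int(g) for g in m.groups()]
        port = nums[4] * 256 + nums[5]
        if max(nums) > 255 or port == 0:
            return line, None                        # malformed: open nothing
        # Hide the real server address: advertise the VIP instead.
        fixed = "227 Entering Passive Mode (%s,%d,%d)" % (
            vip.replace(".", ","), nums[4], nums[5])
        return fixed, (client, vip, port)
    m = EPSV.match(line)
    if m and 0 < int(m.group(1)) <= 65535:
        return line, (client, vip, int(m.group(1)))  # no address to rewrite
    return line, None

def run(session, client):
    """Inspect a control-channel transcript; return (lines, pinholes)."""
    out, holes = [], []
    for line in session:
        fixed, hole = inspect_reply(line, client)
        out.append(fixed)
        if hole:
            holes.append(hole)
    return out, holes

def static_ports():
    """TCP ports on the VIP matched for every client by the static range."""
    return STATIC_RANGE[1] - STATIC_RANGE[0] + 1

# Constructed sample replies from real server 192.168.1.11.
SESSION = [
    "230 Logged in",
    "227 Entering Passive Mode (192,168,1,11,195,80)",
    "229 Entering Extended Passive Mode (|||50001|)",
    "227 Entering Passive Mode (192,168,1,11,999,1)",   # malformed octet
]
if __name__ == "__main__":
    print(run(SESSION, "198.51.100.7")[1], "vs", static_ports(), "static ports")
```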
