https://community.cisco.com/t5/network-security/limiting-outbound-ftp-traffic/m-p/1643558#M593267 <HTML><HEAD></HEAD><BODY><P>I have applied the specified con</P><P>figs but it isnt working</P><P></P><P>class-map match-all FTP<BR /> match protocol ftp<BR />!<BR />!<BR />policy-map FTP<BR />&nbsp; class FTP<BR />&nbsp; shape average 4000000<BR />&nbsp; bandwidth percent 30<BR />&nbsp; class class-default<BR />&nbsp; bandwidth percent 70</P><P></P><P>Interface fastethernet 0/0</P><P class="MsoNormal" style="margin: 0in 0in 0pt;"><SPAN lang="EN" style="font-family: Arial; color: #333333; font-size: 9pt; mso-ansi-language: EN;">service-policy output FTP</SPAN></P><P class="MsoNormal" style="margin: 0in 0in 0pt;"><SPAN lang="EN" style="font-family: Arial; color: #333333; font-size: 9pt; mso-ansi-language: EN;"></SPAN></P><P class="MsoNormal" style="margin: 0in 0in 0pt;"><SPAN lang="EN" style="font-family: Arial; color: #333333; font-size: 9pt; mso-ansi-language: EN;">Can you let me know if thats correct if i have to limit FTP traffic to 4mb , also the bandwidth percent here is over all interface bandwidth or the service i am subscribed for or is that the bandwidth available on teh interface.</SPAN></P></BODY></HTML> Sun, 30 Jan 2011 07:10:23 GMT imranraheel 2011-01-30T07:10:23Z https://community.cisco.com/t5/network-security/limiting-outbound-ftp-traffic/m-p/1643553#M593262 <P>I want to limit the Outbound FTP access from my internet LAN. Is there any way to limit the outbound FTP traffic, also i already have an extended ACL applied on my WAN interface. Please let me know how to limit the traffic .</P><P></P><P>Thanks</P> Mon, 11 Mar 2019 19:40:53 GMT https://community.cisco.com/t5/network-security/limiting-outbound-ftp-traffic/m-p/1643553#M593262 imranraheel 2019-03-11T19:40:53Z https://community.cisco.com/t5/network-security/limiting-outbound-ftp-traffic/m-p/1643554#M593263 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>You can rate-limit FTP traffic by configuring Police.</P><P>Check out this document:</P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/conns_qos.html#wp1065257">http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/conns_qos.html#wp1065257</A></P><P></P><P>Hope it helps.</P><P><BR />Federico.</P></BODY></HTML> Thu, 27 Jan 2011 17:44:36 GMT https://community.cisco.com/t5/network-security/limiting-outbound-ftp-traffic/m-p/1643554#M593263 Federico Coto Fajardo 2011-01-27T17:44:36Z https://community.cisco.com/t5/network-security/limiting-outbound-ftp-traffic/m-p/1643555#M593264 <HTML><HEAD></HEAD><BODY><P>Thanks for the quick response.</P><P></P><P></P><P>ACn you give me an example also I have an existing ACL would the policy map effect that ACL</P><P></P><P>ip access-list ext ftp-acl</P><P>match protocol ftp</P><P></P><P>class-map ftp-class</P><P>match ip ftp-acl</P><P> <BR />policy-map outbound</P><P>class ftp-class</P><P>bandwitdh 4096</P><P>class class-default</P><P>bandwith 10240</P><P></P><P>Keeping in mind the specified details.</P><P></P><P>I have a 10MB circuit and on the WAN interface i already have and inbound and outbound ACL applied</P></BODY></HTML> Thu, 27 Jan 2011 19:20:43 GMT https://community.cisco.com/t5/network-security/limiting-outbound-ftp-traffic/m-p/1643555#M593264 imranraheel 2011-01-27T19:20:43Z https://community.cisco.com/t5/network-security/limiting-outbound-ftp-traffic/m-p/1643556#M593265 <HTML><HEAD></HEAD><BODY><P>This is on an ASA or IOS device?</P><P>Your WAN interface is a physical interface?</P><P></P><P>Federico.</P></BODY></HTML> Thu, 27 Jan 2011 20:14:07 GMT https://community.cisco.com/t5/network-security/limiting-outbound-ftp-traffic/m-p/1643556#M593265 Federico Coto Fajardo 2011-01-27T20:14:07Z https://community.cisco.com/t5/network-security/limiting-outbound-ftp-traffic/m-p/1643557#M593266 <HTML><HEAD></HEAD><BODY><P>From the output it seems it's an IOS router since the ASA does not supports NBAR.</P><P>So, on IOS (rate-limit FTP to 1Mb):</P><P></P><P><STRONG>class-map FTP</STRONG></P><P><STRONG>&nbsp; match protocol ftp</STRONG></P><P style="min-height: 8pt; height: 8pt; padding: 0px;"><STRONG> </STRONG></P><P><STRONG>policy-map CBWFQ</STRONG></P><P><STRONG>&nbsp; class FTP</STRONG></P><P><STRONG>&nbsp;&nbsp;&nbsp; police 1mb </STRONG></P><P style="min-height: 8pt; height: 8pt; padding: 0px;"><STRONG> </STRONG></P><P><STRONG>int s0</STRONG></P><P><STRONG>&nbsp; service-policy out CBWFQ</STRONG></P><P></P><P></P><P>You&nbsp; could also do the above with a shape command instead of police.&nbsp; The&nbsp; policier will drop all FTP traffic above 1 Mb, a shaper will queue it&nbsp; and to keep FTP from exceeding 1 Mb.</P><P></P><P>You could also not limit FTP bandwidth, but just prioritize to only use excess bandwidth.</P><P></P><P>e.g.</P><P></P><P><STRONG>policy-map CBWFQ</STRONG></P><P><STRONG>&nbsp; class FTP</STRONG></P><P><STRONG>&nbsp;&nbsp;&nbsp; bandwidth percent 1</STRONG></P><P></P><P>Federico.</P></BODY></HTML> Fri, 28 Jan 2011 04:36:39 GMT https://community.cisco.com/t5/network-security/limiting-outbound-ftp-traffic/m-p/1643557#M593266 Federico Coto Fajardo 2011-01-28T04:36:39Z https://community.cisco.com/t5/network-security/limiting-outbound-ftp-traffic/m-p/1643558#M593267 <HTML><HEAD></HEAD><BODY><P>I have applied the specified con</P><P>figs but it isnt working</P><P></P><P>class-map match-all FTP<BR /> match protocol ftp<BR />!<BR />!<BR />policy-map FTP<BR />&nbsp; class FTP<BR />&nbsp; shape average 4000000<BR />&nbsp; bandwidth percent 30<BR />&nbsp; class class-default<BR />&nbsp; bandwidth percent 70</P><P></P><P>Interface fastethernet 0/0</P><P class="MsoNormal" style="margin: 0in 0in 0pt;"><SPAN lang="EN" style="font-family: Arial; color: #333333; font-size: 9pt; mso-ansi-language: EN;">service-policy output FTP</SPAN></P><P class="MsoNormal" style="margin: 0in 0in 0pt;"><SPAN lang="EN" style="font-family: Arial; color: #333333; font-size: 9pt; mso-ansi-language: EN;"></SPAN></P><P class="MsoNormal" style="margin: 0in 0in 0pt;"><SPAN lang="EN" style="font-family: Arial; color: #333333; font-size: 9pt; mso-ansi-language: EN;">Can you let me know if thats correct if i have to limit FTP traffic to 4mb , also the bandwidth percent here is over all interface bandwidth or the service i am subscribed for or is that the bandwidth available on teh interface.</SPAN></P></BODY></HTML> Sun, 30 Jan 2011 07:10:23 GMT https://community.cisco.com/t5/network-security/limiting-outbound-ftp-traffic/m-p/1643558#M593267 imranraheel 2011-01-30T07:10:23Z