01-27-2011 09:37 AM - edited 03-04-2019 11:13 AM
I want to limit the outbound FTP access from my internet LAN. Is there any way to limit the outbound FTP traffic? Also, I already have an extended ACL applied on my WAN interface. Please let me know how to limit the traffic.
Thanks
01-27-2011 11:15 AM
Hi,
What do you mean by limit? deny some ftp or limit bandwidth used for ftp?
Regards.
Alain.
01-27-2011 02:01 PM
I want to limit the bandwidth for the FTP connections only. Also, I have an inbound and outbound ACL already applied to the WAN interface, so do I make another one or can I readjust the FTP volume limit in the existing ACL?
Thanks
01-27-2011 10:28 PM
You need to use QoS.
For example, to limit FTP to 4Mb/s:
class-map FTP
 match protocol ftp
policy-map FTP
 class FTP
  shape average 4 mbps
  bandwidth per 20
 class class-default
  bandwidth per 80
interface x/x
 service-policy output FTP
Alternatively, if you have a main interface faster than your service speed, you'd need to use a hierarchical policy-map:
policy-map PARENT
 class class-default
  shape average 10 mbps
  service-policy FTP
interface x/x
 service-policy output PARENT
01-28-2011 06:37 AM
Thanks Pavlo
It's a 2821 router and the interface is 100 Mbps and the bandwidth on it is 10 Mb, so do you think
class-map FTP
 match protocol ftp
policy-map FTP
 class FTP
  shape average 4 mbps
  bandwidth per 20
 class class-default
  bandwidth per 80
interface x/x
 service-policy output FTP
will work.
01-29-2011 11:10 PM
I have applied the specified configs but it isn't working
class-map match-all FTP
 match protocol ftp
!
!
policy-map FTP
 class FTP
  shape average 4000000
  bandwidth percent 30
 class class-default
  bandwidth percent 70
Interface fastethernet 0/0
 service-policy output FTP
Can you let me know if that's correct if I have to limit FTP traffic to 4 Mb? Also, is the bandwidth percent here of the overall interface bandwidth, of the service I am subscribed for, or of the bandwidth available on the interface?
01-30-2011 09:56 AM
That is not correct.
Since you have a Fast Ethernet interface and 10 Mbps service, you must either use a hierarchical policy map, or reduce the speed of the interface to 10 Mb/s, using "speed 10" and "duplex full" on both sides (CPE and CE). Also, make sure the matching is occurring. Match protocol is an NBAR feature; you might need to use an ACL in your class-map to match FTP ports.
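The two suggestions in the reply above (hierarchical policy map, ACL-based matching) combined into one configuration, as an added example that is not part of the thread or any poster's config. The ACL name FTP-PORTS and the interface name are assumptions; the rates and percentages are the ones quoted in the thread.

```cisco
! Added example (constructed). ACL name FTP-PORTS is hypothetical.
!
! Match FTP by well-known ports instead of NBAR "match protocol ftp".
! Caveat: passive-mode FTP data connections use negotiated high ports,
! so a port-based ACL only catches the control channel (21) and
! active-mode data (20).
ip access-list extended FTP-PORTS
 permit tcp any any eq ftp
 permit tcp any any eq ftp-data
 permit tcp any eq ftp-data any
!
class-map match-all FTP
 match access-group name FTP-PORTS
!
! Child policy: FTP shaped to 4 Mb/s; percentages are taken from the
! parent shaper rate, not from the 100 Mb/s physical interface.
policy-map FTP
 class FTP
  shape average 4000000
  bandwidth percent 20
 class class-default
  bandwidth percent 80
!
! Parent policy: shape everything to the 10 Mb/s service rate so the
! child policy sees congestion at the subscribed speed.
policy-map PARENT
 class class-default
  shape average 10000000
  service-policy FTP
!
! Only the parent is attached to the interface.
interface FastEthernet0/0
 service-policy output PARENT
```

After applying it, `show policy-map interface FastEthernet0/0` shows per-class packet counters, which is the check for whether the FTP class is matching at all. This QoS class-map is separate from the extended ACLs already applied to the interface for filtering, so those do not need to change.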
01-31-2011 06:32 AM
I don't want to limit the WAN interface to 10 Mb speed, however can I use these commands?
policy-map PARENT
 class class-default
  shape average 10 mbps
  service-policy FTP
interface fastethernet 0/0
 service-policy output PARENT
Are these the only commands I have to apply?
Also can you give me any example, or sample configs