Showing results for 
Search instead for 
Did you mean: 

ACL bandwidth for FTP communications

Hi all,

first all, sorry about my english. I hope you could understand me

I have been reading all the day different documents and discussions on this forum...but something is still wrong .

I have two 4500 working on HSRP. I have a FTP server on vlan 6 ( and i have a remote client ( and a local client (

I have created an ACL to filter remote client, assigned that ACL to a class-map, to a policy map and to the vlan interface.

When i do this, i can limit FTP transfer to 1 Mb, but for both clients and i only want to limit remote client (

My config is (i have tried different configs...)

ip access-list extended FTP-ACL

permit tcp any host eq ftp

class-map match-all FTP-ACL

  match access-group name FTP-ACL

policy-map FTP-ACL

class FTP-ACL

    police 1000000    conform-action transmit     exceed-action drop

class class-default

    police 10000000    conform-action transmit     exceed-action drop

vlan configuration 6

  service-policy input FTP-ACL

Do you have any idea about where is my mistake? The goal is that only remote client would be filterred and limited BW to the server, the other clients should run without limits.

thanks in advance!



Hall of Fame Guru


The local client is on the same vlan/IP subnet as the FTP server so any policy you apply to the L3 vlan interface won't be applied for the particular client.

For that remote client that you want to limit what are you trying to do ie. your policy is applied inbound on vlan 6 so that will limit traffic from the FTP server to the remote client. So currently your acl is actually the wrong way round as far as i can see because the source IP will be the FTP server.

Are you trying to limit the amount of bandwidth in a download ie. from the server to the client or are you trying to limit the amount of bandwidth in an upload ie. from the client to the server ?



Hi Jon,

thanks for your reply.

I am login with my personal (not business account now cause i am having problems accesing from network).

1.- Of course, local client and server are on the same subnet (also on the same 4500 slot). That is why i do not know why when i apply the service-policy the traffic is limited for this client too   ..... i must say that i tried to configure the service-police over the "int vlan 6" but the router said me that i should configure that over "vlan config 6"

2.- The idea is that the remote clients would download traffic from the server (server-> client limited ftp bw, at this moment the client->ftp bw traffic is not needed).

thanks for your help and time



Hi Jose

1) the policy will not affect the client on the same subnet because that traffic never goes to the SVI

2) bearing in mind the policy is applied inbound then you need to change the acl to reflect that so -

ip access-list extended FTP-ACL

permit tcp host eq ftp host


Content for Community-Ad