02-12-2014 07:39 AM - edited 03-07-2019 06:09 PM
Hi all,
First of all, sorry about my English. I hope you can understand me.
I have been reading different documents and discussions on this forum all day... but something is still wrong.
I have two 4500 working on HSRP. I have an FTP server on vlan 6 (10.29.6.99) and I have a remote client (10.92.6.98) and a local client (10.29.6.98).
I have created an ACL to filter the remote client, assigned that ACL to a class-map, to a policy map and to the vlan interface.
When I do this, I can limit FTP transfer to 1 Mb, but for both clients, and I only want to limit the remote client (10.92.6.98).
My config is (I have tried different configs...):
ip access-list extended FTP-ACL
 permit tcp any host 10.29.6.99 eq ftp
class-map match-all FTP-ACL
 match access-group name FTP-ACL
policy-map FTP-ACL
 class FTP-ACL
  police 1000000 conform-action transmit exceed-action drop
 class class-default
  police 10000000 conform-action transmit exceed-action drop
vlan configuration 6
 service-policy input FTP-ACL
Do you have any idea where my mistake is? The goal is that only the remote client would be filtered and limited in BW to the server; the other clients should run without limits.
Thanks in advance!
Regards,
Jose
02-12-2014 08:28 AM
Jose
The local client 10.29.6.98 is on the same vlan/IP subnet as the FTP server so any policy you apply to the L3 vlan interface won't be applied for the particular client.
For that remote client that you want to limit, what are you trying to do? I.e. your policy is applied inbound on vlan 6, so that will limit traffic from the FTP server to the remote client. So currently your ACL is actually the wrong way round as far as I can see, because the source IP will be the FTP server.
Are you trying to limit the amount of bandwidth in a download, i.e. from the server to the client, or are you trying to limit the amount of bandwidth in an upload, i.e. from the client to the server?
Jon
02-12-2014 09:24 AM
Hi Jon,
Thanks for your reply.
I am logged in with my personal account now (not the business one) because I am having problems accessing from the network.
1.- Of course, local client and server are on the same subnet (also on the same 4500 slot). That is why I do not know why, when I apply the service-policy, the traffic is limited for this client too... I must say that I tried to configure the service-policy on "int vlan 6" but the router told me that I should configure it under "vlan config 6".
2.- The idea is that the remote clients would download traffic from the server (server -> client limited FTP BW; at this moment the client -> FTP BW traffic is not needed).
Thanks for your help and time.
Jose
02-13-2014 08:13 AM
Hi Jose
1) The policy will not affect the client on the same subnet because that traffic never goes to the SVI.
2) Bearing in mind the policy is applied inbound, you need to change the ACL to reflect that, so -
ip access-list extended FTP-ACL
 permit tcp host 10.29.6.99 eq ftp host 10.92.6.98
Jon
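The two ACL entries posted in this thread, evaluated against constructed packets for each direction of the FTP control session (an added example, not part of either post). It models only source/destination field matching for `permit tcp` entries with `any`, `host` and `eq`; the client port numbers and the helper names are made up for illustration, and it does not model which packets the switch actually hands to the policy.

```python
import ipaddress
from dataclasses import dataclass

PORTS = {"ftp": 21}  # IOS keyword "ftp" is TCP 21, the FTP control port

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

def _addr(tok):
    # "any" -> wildcard (None); "host A.B.C.D" -> exact address
    if tok[0] == "any":
        return None, tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_address(tok[1]), tok[2:]
    raise ValueError(f"unsupported address spec: {tok[0]}")

def _port(tok):
    # optional "eq <port>" after an address; absent -> any port (None)
    if tok[:1] == ["eq"]:
        return PORTS.get(tok[1]) or int(tok[1]), tok[2:]
    return None, tok

def parse_ace(line):
    tok = line.split()
    if tok[:2] != ["permit", "tcp"]:
        raise ValueError("only 'permit tcp' entries are modelled")
    src, tok = _addr(tok[2:])
    sport, tok = _port(tok)
    dst, tok = _addr(tok)
    dport, tok = _port(tok)
    return src, sport, dst, dport

def matches(ace, p):
    src, sport, dst, dport = parse_ace(ace)
    return (src in (None, ipaddress.ip_address(p.src)) and sport in (None, p.sport)
            and dst in (None, ipaddress.ip_address(p.dst)) and dport in (None, p.dport))

ORIGINAL = "permit tcp any host 10.29.6.99 eq ftp"               # from the question
CORRECTED = "permit tcp host 10.29.6.99 eq ftp host 10.92.6.98"  # from the reply
FLOWS = {  # constructed sample packets; ports 50000/50001 are arbitrary
    "remote->server": Packet("10.92.6.98", 50000, "10.29.6.99", 21),
    "local->server": Packet("10.29.6.98", 50001, "10.29.6.99", 21),
    "server->remote": Packet("10.29.6.99", 21, "10.92.6.98", 50000),
    "server->local": Packet("10.29.6.99", 21, "10.29.6.98", 50001),
}

def matched(ace):
    return [name for name, p in FLOWS.items() if matches(ace, p)]
```

The original entry selects client-to-server packets from any client and nothing sent by the server; the corrected entry selects only packets the server sends from port 21 to 10.92.6.98.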