02-23-2018 08:57 PM - edited 03-08-2019 02:00 PM
Hi all,
I need to implement QoS on a Cisco router. My main aim is to restrict FTP traffic from external to internal. Please suggest how I can implement it. I have two ISPs configured on interfaces and need to restrict on both interfaces. How can I do it?
02-24-2018 04:34 AM - edited 02-24-2018 04:38 AM
Hi
There are ways to block a port like 20/21 used for FTP
Example 1
access-list 100 deny tcp any any range 20 21
access-list 100 permit ip any any
interface g0/0
ip access-group 100 in
Example 2
access-list 100 permit tcp any any range 20 21
class-map FTP
match access-group 100
or
match protocol ftp
policy-map QOS
class FTP
drop
interface g0/0
service-policy input QOS
Hope it is useful
:-)
02-24-2018 04:59 AM
Hi,
Thanks for the reply.
But I still have some queries, such as:
If I go for Example 2:
1. Do I need to create access-list 100 permit tcp any any range 20 21 if I use
class-map FTP
match protocol ftp
_________________________________
2. policy-map QOS
class FTP
drop
My main aim is to restrict BW for FTP traffic only. As per my understanding, the above config will drop FTP traffic. Correct me if I am wrong.
3. On the interface, which command will work, i.e. service-policy input or service-policy output?
Because I need to restrict BW of FTP traffic from external to internal.
4. In my scenario, where should I apply the service-policy command, i.e. on the WAN interface or the LAN interface?
5. What is the difference between service-policy input and service-policy output?
02-24-2018 05:09 AM
Hi
1. Do I need to create access-list 100 permit tcp any any range 20 21 if I use
No, you can use the ACL or the protocol command. If you want to be more specific, to avoid the traffic from a specific source, I suggest the ACL.
class-map FTP
match protocol ftp
_________________________________
2. policy-map QOS
class FTP
drop
My main aim is to restrict BW for FTP traffic only. As per my understanding, the above config will drop FTP traffic. Correct me if I am wrong.
Yes, it will restrict the FTP traffic only, inbound or outbound depending on how you are applying it. There is an implicit default-class; you can see it through show policy-map interface <interface>
3. On the interface, which command will work, i.e. service-policy input or service-policy output?
Because I need to restrict BW of FTP traffic from external to internal.
It should be applied as input under the WAN interfaces.
4. In my scenario, where should I apply the service-policy command, i.e. on the WAN interface or the LAN interface?
WAN interfaces.
5. What is the difference between service-policy input and service-policy output?
The direction: input is for incoming traffic from external to the router, while output is for outgoing traffic from the router to external.
:-)
02-24-2018 05:14 AM
Hi,
Thanks for such a quick response. It cleared almost all doubts except one.
1. Do I need to create access-list 100 permit tcp any any range 20 21 if I use
No, you can use the ACL or the protocol command. If you want to be more specific, to avoid the traffic from a specific source, I suggest the ACL.
class-map FTP
match protocol ftp
I just want to know whether it will work if I configure the class-map with match protocol instead of match access-group.
Again, thanks for clearing up the concept.
02-24-2018 05:21 AM
Hi
You are welcome, yes, match protocol will work perfectly.
:-)
02-24-2018 05:25 AM
Hi,
Okay, I will try the config and see whether it is working or not.
Thanks for the solution.
02-24-2018 05:28 AM
Hi,
You are welcome, please keep me posted on the results.
Have a great weekend.
:-)
03-14-2018 05:57 AM
Hi Julio,
I tried the same config but am getting an error while applying the command service-policy input. The error is "Weighted Fair Queueing feature not supported in input policy. Bandwidth command not allowed at parent level in input direction". Please suggest.
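An added example, not part of the thread and not any poster's configuration: the error quoted above says the bandwidth command is not allowed in an input policy, whereas the police command is accepted inbound, so this sketch rate-limits FTP with a policer on both WAN interfaces. The interface names, the ACL and policy names, and the 1 Mbps rate are assumptions.

```cisco
! Constructed example: names, interfaces and the rate are assumptions.
! The ACL matches the FTP control channel and active-mode data only;
! passive-mode data connections use negotiated ports and are not
! matched by ports 20/21.
ip access-list extended FTP-IN
 remark FTP towards an internal server (destination port 20-21)
 permit tcp any any range 20 21
 remark FTP replies/data from an external server (source port 20-21)
 permit tcp any range 20 21 any
!
class-map match-all FTP
 match access-group name FTP-IN
!
policy-map LIMIT-FTP-IN
 class FTP
  ! Policer instead of "bandwidth": allow up to 1,000,000 bps of FTP,
  ! drop the excess. Unmatched traffic falls into class-default untouched.
  police 1000000 conform-action transmit exceed-action drop
!
! ISP 1 uplink (assumed interface name)
interface GigabitEthernet0/0
 service-policy input LIMIT-FTP-IN
!
! ISP 2 uplink (assumed interface name)
interface GigabitEthernet0/1
 service-policy input LIMIT-FTP-IN
!
! Verify per-class conformed/exceeded counters on each uplink:
! show policy-map interface GigabitEthernet0/0
! show policy-map interface GigabitEthernet0/1
```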