Friday, June 8, 2007

FTP serverfarm on Cisco ACE

This is a mix of advice from the Cisco forums and hundreds of trials, since the Cisco ACE Server Load Balancing configuration guide is not so clear on this point...

Scenario:

Active FTP:
This is the simpler case, and it is only a matter of ACE configuration:

probe tcp 21-TCP
  port 21
  interval 10
  passdetect interval 5
  passdetect count 1

rserver host SERVER-10.1
  ip address 10.0.10.1
  inservice

rserver host SERVER-10.2
  ip address 10.0.10.2
  inservice

serverfarm host FTPFARM_20.1:21
  failaction purge
  probe 21-TCP
  rserver SERVER-10.1 21
    inservice
  rserver SERVER-10.2 21
    inservice

sticky ip-netmask 255.255.255.255 address source STICKY-FTPFARM_20.1:21
  timeout 20
  timeout activeconns
  replicate sticky
  serverfarm FTPFARM_20.1:21

class-map match-all L4-MAP-FTPFARM_20.1:21
  2 match virtual-address 10.0.20.1 any

policy-map type loadbalance first-match L7-FTPFARM_20.1:21
  class class-default
    sticky-serverfarm STICKY-FTPFARM_20.1:21

policy-map multi-match L4-POLICYMAPMULTI-FTP
  class L4-MAP-FTPFARM_20.1:21
    loadbalance vip inservice
    loadbalance policy L7-FTPFARM_20.1:21
    inspect ftp

interface vlan 101
  description SERVERSIDE
  ip address 10.0.10.199 255.255.255.0
  no normalization
  no shutdown

interface vlan 151
  description FIREWALLSIDE
  ip address 10.0.0.2 255.255.255.240
  no normalization
  service-policy input L4-POLICYMAPMULTI-FTP
  no shutdown
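The configuration above chains several objects by name (probe, rservers, serverfarm, sticky group, L7 policy, class-map, L4 policy, interface), and a typo in any one name silently breaks the VIP. The script below is an added example, not part of the original post or of any Cisco tool: it parses an indented copy of the post's configuration (constructed here as a string, indented the way show running-config prints it), checks that every referenced name is defined, and flags the combination that the comments below discuss, namely inspect ftp applied to a class whose match virtual-address line ends in any, which later ACE releases reject in favour of a specific tcp port.

```python
import re

# Constructed copy of the post's ACE configuration, indented as show running-config prints it.
ACE_CONFIG = """\
probe tcp 21-TCP
  port 21
rserver host SERVER-10.1
  ip address 10.0.10.1
  inservice
rserver host SERVER-10.2
  ip address 10.0.10.2
  inservice
serverfarm host FTPFARM_20.1:21
  failaction purge
  probe 21-TCP
  rserver SERVER-10.1 21
    inservice
  rserver SERVER-10.2 21
    inservice
sticky ip-netmask 255.255.255.255 address source STICKY-FTPFARM_20.1:21
  timeout 20
  replicate sticky
  serverfarm FTPFARM_20.1:21
class-map match-all L4-MAP-FTPFARM_20.1:21
  2 match virtual-address 10.0.20.1 any
policy-map type loadbalance first-match L7-FTPFARM_20.1:21
  class class-default
    sticky-serverfarm STICKY-FTPFARM_20.1:21
policy-map multi-match L4-POLICYMAPMULTI-FTP
  class L4-MAP-FTPFARM_20.1:21
    loadbalance vip inservice
    loadbalance policy L7-FTPFARM_20.1:21
    inspect ftp
interface vlan 151
  service-policy input L4-POLICYMAPMULTI-FTP
"""

# Sub-commands that refer to another top-level object by name.
REF_RE = re.compile(
    r"^(probe|rserver|serverfarm|class|sticky-serverfarm|loadbalance policy|service-policy input) (\S+)"
)


def parse_blocks(text):
    """Split the config into (header, [child lines]); children are the indented lines."""
    blocks = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw.startswith(" "):
            blocks.append((raw.strip(), []))
        elif blocks:
            blocks[-1][1].append(raw.strip())
    return blocks


def lint_ace_config(text):
    """Return a list of (kind, message) findings for dangling names and inspect-on-any classes."""
    blocks = parse_blocks(text)
    # Every top-level object in this config ends with its own name (or VLAN number).
    defined = {header.split()[-1] for header, _ in blocks}
    class_maps = {h.split()[-1]: kids for h, kids in blocks if h.startswith("class-map ")}
    findings = []
    for header, kids in blocks:
        current_class = None
        for line in kids:
            m = REF_RE.match(line)
            if m and m.group(2) != "class-default" and m.group(2) not in defined:
                findings.append(("undefined-reference",
                                 f"{header}: '{line}' refers to undefined object {m.group(2)}"))
            if line.startswith("class "):
                current_class = line.split()[1]
            if line == "inspect ftp" and current_class in class_maps:
                for cm_line in class_maps[current_class]:
                    if "match virtual-address" in cm_line and cm_line.split()[-1] == "any":
                        findings.append(("inspect-any-port",
                                         f"{header}: inspect ftp under class {current_class}, whose "
                                         "virtual-address match ends in 'any'; ACE A2.x wants tcp and "
                                         "a specific port here (e.g. 'tcp eq 21')"))
    return findings


if __name__ == "__main__":
    for kind, msg in lint_ace_config(ACE_CONFIG):
        print(f"[{kind}] {msg}")
```

Run it against the post's configuration and the only finding is the inspect-on-any class; replace the any with tcp eq 21 and it comes back clean, while misspelling any referenced name produces an undefined-reference finding for the block that uses it.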


Passive FTP:
In order to make passive FTP connections work with a firewall that checks the consistency of source and destination addresses, you'll need to change the FTP server configuration.
On the frox server there is a configuration parameter "PASV Reply Address" that should be set to the VIP (10.0.20.1), so that the address the FTP server hands the client for the data connection (passive mode) is the same address the firewall sees for the client-server control connection.
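The address the server advertises travels inside the 227 reply as six decimal fields (h1,h2,h3,h4,p1,p2), so the easiest way to confirm the "PASV Reply Address" change took effect is to read that reply off the control channel and compare it with the VIP. The script below is an added example, not code from the post or from frox: it parses 227 replies, classifies each one as advertising the VIP, leaking a real server address, or being unusable, and runs over a constructed transcript that uses the post's addresses (10.0.20.1 as the VIP, 10.0.10.1 and 10.0.10.2 as the real servers).

```python
import re
from ipaddress import IPv4Address

# Constructed values taken from the post's scenario: the VIP that clients and the
# firewall see, and the real server addresses behind it.
VIP = IPv4Address("10.0.20.1")
REAL_SERVERS = {IPv4Address("10.0.10.1"), IPv4Address("10.0.10.2")}

# RFC 959 PASV reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(
    r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv_reply(line):
    """Return the (address, port) advertised by a 227 reply, or None if it is malformed."""
    m = PASV_RE.match(line.strip())
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        return None
    port = (p1 << 8) | p2  # p1 is the high byte, p2 the low byte
    if port == 0:
        return None
    return IPv4Address(f"{h1}.{h2}.{h3}.{h4}"), port


def classify_pasv_reply(line, vip=VIP, real_servers=REAL_SERVERS):
    """Say whether a reply advertises the VIP, leaks a real server, or cannot be used."""
    if not line.startswith("227"):
        return "not-a-pasv-reply"
    parsed = parse_pasv_reply(line)
    if parsed is None:
        return "malformed"
    addr, _port = parsed
    if addr == vip:
        return "ok"
    if addr in real_servers:
        return "leaks-real-server"
    return "unexpected-address"


def audit_control_session(reply_lines, vip=VIP, real_servers=REAL_SERVERS):
    """Return (line, verdict) for every PASV reply in a captured control-channel transcript."""
    return [(line, classify_pasv_reply(line, vip, real_servers))
            for line in reply_lines if line.startswith("227")]


# Constructed transcript of server replies as seen by a client talking to the VIP.
# The first 227 is what a server unaware of the VIP sends (its own address); the
# second is what it sends once "PASV Reply Address" points at the VIP.
SAMPLE_REPLIES = [
    "220 FTP server ready",
    "230 Login successful",
    "227 Entering Passive Mode (10,0,10,1,195,80)",
    "227 Entering Passive Mode (10,0,20,1,195,80)",
    "226 Transfer complete",
]

if __name__ == "__main__":
    for line, verdict in audit_control_session(SAMPLE_REPLIES):
        print(f"{verdict:20} {line}")
```

A reply that leaks the real server address is exactly the case the firewall rejects: the client would open its data connection to 10.0.10.1 while the control connection it already has goes to 10.0.20.1. Extended passive replies (229, EPSV) carry no address at all and are reported separately rather than parsed.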

2 comments:

Oleg said...

Interesting how you could run this config, as if you would try to apply "inspect ftp" on that serverfarm you would be supposed to get an error message:

Error: This class doesn't have tcp protocol and a specific port

due to the fact that your VIP is with "any"

Al said...

I could run this config on an A1.x ACE.

The A2.x ACEs introduced the check on the any port on protocol inspection.

The release note is much clearer:
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/release/note/racea2_x.html#wp365052