Cisco LocalDirector 400 Series

Load Balancing FTP Servers Through LocalDirector Without the Use of the Proxy FTP Service

Document ID: 4068

Updated: Jan 31, 2006

Introduction

This document explains how to load balance File Transfer Protocol (FTP) servers through a LocalDirector without the use of the proxy FTP service.

Prerequisites

Requirements

There are no specific requirements for this document.

Components Used

This document is not restricted to specific software and hardware versions.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Conventions

For more information on document conventions, see the Cisco Technical Tips Conventions.

Problems and Solutions

The main difficulties in handling FTP through devices like the LocalDirector come from the DATA channel. There are two possible scenarios:

  1. PORT FTP, also known as active FTP: the server opens the data connection from its port 20 to the client port that the client passed in the PORT command over the control channel.

  2. PASS FTP, also known as passive FTP: the client initiates the data connection. Over the control channel, the server sends the IP address and port that the client has to connect to.

Scenario 1

The problem in scenario 1, PORT FTP, is that the LocalDirector has to be instructed to create a flow entry for the traffic initiated by the internal server.

Typically, the solution in this scenario is to issue the static command. For FTP traffic, however, the LocalDirector applies it automatically.

Scenario 2

There are two problems with scenario 2, PASS FTP. The first problem is that the load balancer has to be instructed to expect a connection from the client to a destination TCP port that differs from the ones configured on the virtuals.

The usual solution to this problem is a non-port-bound configuration such as 172.17.241.254:0:0:tcp. With a non-port-bound virtual, the LocalDirector accepts and creates flows for every Layer 4 (L4) protocol that hits the virtual IP address. For FTP on the LocalDirector, however, this is not necessary: FTP works with a port-bound configuration such as 172.17.241.254:21:0:tcp.

The LocalDirector continues to inspect the FTP control session in order to intercept the commands that trigger a passive DATA transfer.

The second problem is that the LocalDirector has to translate the IP address that the server sends to the client in PASS FTP mode.

This is also done automatically, even without the FTP proxy service. The IP address and port to which the client has to connect are shown during the FTP session whenever a command that triggers a DATA connection is issued, as shown below.

> 227 Entering Passive Mode (172,17,241,254,95,57) 

The address returned is the external VIP, not the internal real address. This means that the LocalDirector continues to watch the payload of the control connection's packets and rewrites the address in the 227 reply. See the diagram below for more information.
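To make the translation concrete, here is an added Python example (not from the Cisco document) that decodes the h1,h2,h3,h4,p1,p2 endpoint carried by a PORT command or a 227 reply and rewrites the real server address in a 227 reply to the VIP, which is the rewrite the LocalDirector performs on the control channel. The 95,57 in the reply above encodes TCP port 24377, the local port the real server shows for the passive data connection in the netstat output further down. The addresses are the lab addresses from this document; the flow dictionaries are my own representation, not a LocalDirector data structure.

```python
import re

# Lab addresses taken from this document: the VIP on the LocalDirector and the
# real FTP server bound behind it.
VIP = "172.17.241.254"
REAL = "172.17.241.126"

# Both PORT (client -> server) and 227 (server -> client) carry an endpoint as
# six comma-separated decimal bytes: h1,h2,h3,h4,p1,p2 with port = p1*256 + p2.
_ENDPOINT_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def decode_endpoint(text):
    """Extract (ip, port) from a PORT command or a 227 reply."""
    m = _ENDPOINT_RE.search(text)
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 endpoint found: %r" % text)
    fields = [int(x) for x in m.groups()]
    if any(x > 255 for x in fields):
        raise ValueError("byte out of range in %r" % text)
    ip = ".".join(str(x) for x in fields[:4])
    return ip, fields[4] * 256 + fields[5]


def encode_endpoint(ip, port):
    """Inverse of decode_endpoint: 'h1,h2,h3,h4,p1,p2' for the given ip:port."""
    return "%s,%d,%d" % (ip.replace(".", ","), port // 256, port % 256)


def translate_pasv_reply(reply, real_ip=REAL, vip=VIP):
    """Rewrite the real server address in a 227 reply to the VIP so the client
    connects to the VIP instead of the real server.  The port is left as is, so
    the balancer only has to map VIP:port -> real:port for the data flow."""
    ip, port = decode_endpoint(reply)
    if not reply.startswith("227") or ip != real_ip:
        return reply  # not a passive reply from this real server: pass through
    return _ENDPOINT_RE.sub(encode_endpoint(vip, port), reply, count=1)


def passive_data_flow(reply, client_ip, real_ip=REAL, vip=VIP):
    """Flow the balancer must admit on a port-bound virtual (VIP:21) once a
    227 reply has passed: client -> VIP:port, forwarded to real:port."""
    _, port = decode_endpoint(reply)
    return {"client": client_ip, "virtual": (vip, port), "real": (real_ip, port)}


def active_data_flow(port_cmd, real_ip=REAL):
    """Server-initiated flow (real:20 -> client endpoint from PORT) that the
    balancer must track in scenario 1."""
    client_ip, port = decode_endpoint(port_cmd)
    return {"source": (real_ip, 20), "destination": (client_ip, port)}
```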

[Figure: lb_ftp_servers.gif]

Sample command output is provided below.

localdirector# sho conf 
: Saved 
: LocalDirector 420 Version 4.2.2 
: Uptime is 0 weeks, 0 days, 3 hours, 0 minutes, 35 seconds 
syslog output 20.3 
no syslog console 
enable password 000000000000000000000000000000 encrypted 
hostname localdirector 
no shutdown ethernet 0 
no shutdown ethernet 1 
shutdown ethernet 2 
shutdown ethernet 3 
interface ethernet 0 10baset 
interface ethernet 1 10baset 
interface ethernet 2 100basetx 
interface ethernet 3 100basetx 
mtu 0 1500 
mtu 1 1500 
mtu 2 1500 
mtu 3 1500 
multiring all 
no secure 0
no secure 1
no secure 2
no secure 3
no ping-allow 0 
no ping-allow 1 
no ping-allow 2 
no ping-allow 3 
ip address 172.17.241.11 255.255.255.0 
arp timeout 30 
no rip passive 
rip version 1 
failover ip address 172.17.241.27 
no failover 
failover hellotime 30 
password dfeaf10390e560aea745ccba53e044ed encrypted 
snmp-server enable traps 
snmp-server community public 
no snmp-server contact 
no snmp-server location 
virtual 172.17.241.254:21:0:tcp is 
real 172.17.241.126:21:0:tcp is 
bind 172.17.241.254:21:0:tcp 172.17.241.126:21:0:tcp 

Below is the log of the FTP session.

smarsill@bru-cse-126% ftp 172.17.241.254 
Connected to 172.17.241.254. 
220 CISCO FTP server (Version wu-2.6.1(1) Wed Aug 9 05:54:50 EDT 2000) ready. 
Name (172.17.241.254:smarsill): cisco 
331 Password required for cisco. 
Password: 
230 User cisco logged in. 
Remote system type is UNIX. 
Using binary mode to transfer files. 
ftp> ls 
227 Entering Passive Mode (172,17,241,254,95,57) 
150 Opening ASCII mode data connection for /bin/ls. 
total 24 
-rw-------   1 cisco    cisco        4088 Sep  3 11:55 .bash_history
-rw-r--r--   1 cisco    cisco          24 Feb 16  2001 .bash_logout
-rw-r--r--   1 cisco    cisco         230 Feb 16  2001 .bash_profile
-rw-r--r--   1 cisco    cisco         124 Feb 16  2001 .bashrc
-rw-r--r--   1 cisco    cisco         688 Feb 16  2001 .emacs
-rw-r--r--   1 cisco    cisco        3651 Feb 16  2001 .screenrc
226 Transfer complete. 
ftp> pass 
Passive mode off. 
ftp> ls 
200 PORT command successful. 
150 Opening ASCII mode data connection for /bin/ls. 
total 24 
-rw-------   1 cisco    cisco        4088 Sep  3 11:55 .bash_history
-rw-r--r--   1 cisco    cisco          24 Feb 16  2001 .bash_logout
-rw-r--r--   1 cisco    cisco         230 Feb 16  2001 .bash_profile
-rw-r--r--   1 cisco    cisco         124 Feb 16  2001 .bashrc
-rw-r--r--   1 cisco    cisco         688 Feb 16  2001 .emacs
-rw-r--r--   1 cisco    cisco        3651 Feb 16  2001 .screenrc
226 Transfer complete. 
ftp> 

Below is the output of the netstat -n command on the real server after the last command has been issued.

[cisco@localhost cisco]$ netstat -n
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 172.17.241.126:20       144.254.3.201:40411     TIME_WAIT

!--- Data Active expired.
 
tcp        0      0 172.17.241.126:24377    144.254.3.201:40410     TIME_WAIT

!--- Data Passive expired.

tcp        0      0 172.17.241.126:21       144.254.3.201:40408     ESTABLISHED

!--- Control.

tcp        0    126 172.17.241.126:23       144.254.3.201:40220     ESTABLISHED

!--- Telnet session. 
