Cisco has announced the end-of-sale for the Cisco LocalDirector. For more information, refer to the LocalDirector 400 Series End-of-Life and End-of-Sale Notices and Product Bulletins.
This document explains how to load balance File Transfer Protocol (FTP) servers through a LocalDirector without the use of the proxy FTP service.
There are no specific requirements for this document.
This document is not restricted to specific software and hardware versions.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
For more information on document conventions, see the Cisco Technical Tips Conventions.
The main difficulties of managing FTP through devices like the LocalDirector are mostly due to the DATA channel. The following are two possible scenarios:
PORT FTP: also known as active FTP. The data connection is opened by the server's port 20 to the client's port that is passed via the PORT command over the control channel.
PASS FTP: the data connection is initiated by the client. The server sends the IP address and the port the client has to open the connection with over the control channel.
The problem in scenario number 1, PORT FTP, is that the LocalDirector has to be instructed to create a flow entry for the internal server's initiated traffic.
Typically, the solution in this scenario is to issue the static command. For FTP traffic, however, the LocalDirector applies it automatically.
There are two problems with scenario number 2, PASS FTP. The first problem is that the load balancer has to be instructed to expect a connection from the client to destination TCP port that is different from the ones configured on the virtuals.
The solution in this problem is to create a non port-bound configuration such as 172.17.241.254:0:0:tcp. By using the no port-bound solution, the LocalDirector accepts and creates flows for every Layer 4 (L4) protocol that hit the virtual IP address. With FTP on the LocalDirector, however, this is not necessary, even with a port-bound configuration such as 172.17.241.254:21:0:tcp.
The LocalDirector continues looking into the FTP control sessions in order to intercept commands that will trigger passive DATA transfer.
The second problem is that the LocalDirector has to take care of the translation of the IP address sent by the server to the client in PASS FTP mode.
This is done automatically, even without the FTP proxy service. The IP address and the port to which the client will have to connect are shown during the FTP session whenever a command that triggers a DATA connection is issued, as shown below.
> 227 Entering Passive Mode (172,17,241,254,95,57)
You can see that the address returned is the external VIP and not the internal real address. This means that the LocalDirector continues watching the payload of the control connection's packets. See the diagram below for more information.
Sample command output is provided below.
[OK] localdirector# sho conf : Saved : LocalDirector 420 Version 4.2.2 : Uptime is 0 weeks, 0 days, 3 hours, 0 minutes, 35 seconds syslog output 20.3 no syslog console enable password 000000000000000000000000000000 encrypted hostname localdirector no shutdown ethernet 0 no shutdown ethernet 1 shutdown ethernet 2 shutdown ethernet 3 interface ethernet 0 10baset interface ethernet 1 10baset interface ethernet 2 100basetx interface ethernet 3 100basetx mtu 0 1500 mtu 1 1500 mtu 2 1500 mtu 3 1500 multiring all no secure? 0 no secure? 1 no secure? 2 no secure? 3 no ping-allow 0 no ping-allow 1 no ping-allow 2 no ping-allow 3 ip address 172.17.241.11 255.255.255.0 arp timeout 30 no rip passive rip version 1 failover ip address 172.17.241.27 no failover failover hellotime 30 password dfeaf10390e560aea745ccba53e044ed encrypted snmp-server enable traps snmp-server community public no snmp-server contact no snmp-server location virtual 172.17.241.254:21:0:tcp is real 172.17.241.126:21:0:tcp is bind 172.17.241.254:21:0:tcp 172.17.241.126:21:0:tcp
Below is the log of the FTP session.
smarsill@bru-cse-126% ftp 172.17.241.254 Connected to 172.17.241.254. 220 CISCO FTP server (Version wu-2.6.1(1) Wed Aug 9 05:54:50 EDT 2000) ready. Name (172.17.241.254:smarsill): cisco 331 Password required for cisco. Password: 230 User cisco logged in. Remote system type is UNIX. Using binary mode to transfer files. ftp> ls 227 Entering Passive Mode (172,17,241,254,95,57) 150 Opening ASCII mode data connection for /bin/ls. total 24 -rw-------??? 1 cisco??? cisco??????? 4088 Sep? 3 11:55 .bash_history -rw-r--r--??? 1 cisco??? cisco????????? 24 Feb 16? 2001 .bash_logout -rw-r--r--??? 1 cisco??? cisco???????? 230 Feb 16? 2001 .bash_profile -rw-r--r--??? 1 cisco??? cisco???????? 124 Feb 16? 2001 .bashrc -rw-r--r--??? 1 cisco??? cisco???????? 688 Feb 16? 2001 .emacs -rw-r--r--??? 1 cisco??? cisco??????? 3651 Feb 16? 2001 .screenrc 226 Transfer complete. ftp> pass Passive mode off. ftp> ls 200 PORT command successful. 150 Opening ASCII mode data connection for /bin/ls. total 24 -rw-------??? 1 cisco??? cisco??????? 4088 Sep? 3 11:55 .bash_history -rw-r--r--??? 1 cisco??? cisco????????? 24 Feb 16? 2001 .bash_logout -rw-r--r--??? 1 cisco??? cisco???????? 230 Feb 16? 2001 .bash_profile -rw-r--r--??? 1 cisco??? cisco???????? 124 Feb 16? 2001 .bashrc -rw-r--r--??? 1 cisco??? cisco???????? 688 Feb 16? 2001 .emacs -rw-r--r--??? 1 cisco??? cisco??????? 3651 Feb 16? 2001 .screenrc 226 Transfer complete. ftp>
Below is the output of the netstat -n command after the last command has been issued.
cisco@localhost cisco]$ netstat -n Active Internet connections (w/o servers) Proto Recv-Q Send-Q Local Address?????????? Foreign Address???????? State tcp??????? 0????? 0 172.17.241.126:20?????? 126.96.36.199:40411???? TIME_WAIT?? !--- Data Active expired. tcp??????? 0????? 0 172.17.241.126:24377??? 188.8.131.52:40410???? TIME_WAIT?? !--- Data Passive expired. tcp??????? 0????? 0 172.17.241.126:21?????? 184.108.40.206:40408???? ESTABLISHED !--- Control. tcp??????? 0??? 126 172.17.241.126:23?????? 220.127.116.11:40220???? ESTABLISHED !--- Telnet session.
The Cisco Support Community is a forum for you to ask and answer questions, share suggestions, and collaborate with your peers.
Refer to Cisco Technical Tips Conventions for information on conventions used in this document.