Routing all FTP traffic to another router

How do I take ANY FTP traffic connecting to Router 1, which has two interfaces: Fa0/0 10.130.1.1 and S0/0 1.1.1.1 (FR)?

Router 2 has two interfaces Fa0/0 10.130.1.254 and S0/0 VPN connection

I want to take ALL / ANY FTP traffic and reroute it to Router 2

I tried this (port-based ACL plus policy routing):

    access-list 101 permit tcp any any eq ftp
    access-list 101 permit tcp any any eq ftp-data
    !
    route-map Internet permit 10
     match ip address 101
     set ip next-hop 10.130.1.254

This works for the initial connection (port 21), but when a PUT or a GET happens the ports are randomized (>1024) and that traffic goes out Router 1's S0/0 interface.

I cannot target the destination IP addresses.

Any help?

Thank you.

LD


Comments

  • But how do I do the route-map with NBAR?

  • For active mode ftp, the data port will be sourced from the server.


  • But how do I do the route-map with NBAR?

    You mark ftp traffic, then use policy routing on router that needs to make routing decision.

  • Thank you for all your help!  I think I must still be missing something:

    Here is what I tried, but it seems not to reroute the PUT or GET of the FTP.   Also, what debug should I use to verify it is working?

    class-map match-any Internet-test
     match protocol ftp
     match protocol http
     match protocol secure-http
    !
    policy-map PM-Internet
     class Internet-test
    !
    interface FastEthernet0/0
     description 10.130.0.0 LAN
     ip address 10.130.1.1
     ip policy route-map Internet
    !
    route-map Internet permit 10
     match policy-list PM-Internet
     set ip next-hop 10.130.1.254

  • No, that won't work: match policy-list matches an ip policy-list in BGP. What you need is to somehow tag traffic before it gets to the router that needs to reroute it, which may or may not be possible with your network setup. There's always more than one solution to the problem.

  • From what I can tell, a router will process a service-policy before it processes a route-map.

    So you should be able to match traffic with an inbound service-policy and mark it.  Also, on the same interface, have an "ip policy route-map" that matches on that marking with an access list and sets a next hop.

    It worked for me in a lab.
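The following is an added example of the approach the last two comments describe (NBAR marks FTP on ingress, PBR matches the marking and sets the next hop); it is not a configuration posted in this thread. Everything other than the Fa0/0 interface and the 10.130.1.254 next hop is an assumption: the class-map and policy-map names, ACL number 102, and the choice of DSCP af11 as the marking.

```cisco
! Added example, not from the thread. Names, ACL 102 and DSCP af11 are assumptions.
! NBAR needs CEF switching enabled.
ip cef
!
! NBAR's ftp classifier follows the control channel, so the dynamically
! negotiated data ports (active and passive) are classified as FTP too,
! which the port-based ACL in the original post could not do.
class-map match-any CM-FTP
 match protocol ftp
!
policy-map PM-MARK-FTP
 class CM-FTP
  set ip dscp af11
 class class-default
  ! Clear whatever DSCP the LAN hosts set themselves, so a host cannot
  ! pre-mark its own packets af11 and get steered toward Router 2.
  ! Drop this class if you rely on host-set DSCP for other QoS policies.
  set ip dscp default
!
! PBR matches only on the marking applied above; every other packet falls
! through the single route-map entry and is routed normally.
access-list 102 permit ip any any dscp af11
!
route-map PBR-FTP permit 10
 match ip address 102
 set ip next-hop 10.130.1.254
!
interface FastEthernet0/0
 description 10.130.0.0 LAN
 service-policy input PM-MARK-FTP
 ip policy route-map PBR-FTP
```

Both the service-policy and the ip policy are attached to Fa0/0 only, so FTP sessions that enter Router 1 on S0/0 are not affected; apply the same pair on any other interface whose traffic should be steered. To verify, `show policy-map interface FastEthernet0/0` shows how many packets CM-FTP matched and marked, `show route-map PBR-FTP` shows the policy-routing match counter, and `debug ip policy` reports each policy-routed packet (limit it with an access list, and avoid it on a busy production router).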
