QoS Classification for the FTP Data Channel
When configuring QoS classification for FTP, the QoS rules differ depending on whether the FTP data channel is using active or passive FTP. Active versus passive FTP determines whether the FTP client or the FTP server selects the port connection for use with the data channel, which has implications for QoS classification.
Active FTP Classification
With active FTP, the FTP client logs in and enters the PORT command, informing the server which port it must use to connect to the client for the FTP data channel. Next, the FTP server initiates the connection towards the client. From a TCP perspective, the server and the client swap roles. The FTP server becomes the client because it sends the SYN packet, and the FTP client becomes the server because it receives the SYN packet.
Although not defined in the RFC, most FTP servers use source port 20 for the active FTP data channel.
For active FTP, configure a QoS rule on the server-side SteelHead to match source port 20. On the client-side SteelHead, configure a QoS rule to match destination port 20.
You can also use the Application Flow Engine (AFE) to classify active FTP traffic.
Passive FTP Classification
With passive FTP, the FTP client initiates both connections to the server. First, it requests passive mode by entering the PASV command after logging in. Next, it requests a port number for use with the data channel from the FTP server. The server agrees to this mode, selects a random port number, and returns it to the client. Once the client has this information, it initiates a new TCP connection for the data channel to the server-assigned port. Unlike active FTP, there is no role swapping and the FTP client initiates the SYN packet for the data channel.
The FTP client receives a random port number from the FTP server. Because the FTP server cannot return a consistent port number to use with the FTP data channel, RiOS does not support QoS Classification for passive FTP in versions earlier than RiOS v4.1.8, v5.0.6, or v5.5.1. Later RiOS releases support passive FTP and the QoS Classification configuration for passive FTP is the same as active FTP.
When configuring QoS Classification for passive FTP, port 20 on both the server-side and client-side SteelHeads means the port number is being used by the data channel for passive FTP, as opposed to the literal meaning of source or destination port 20.
The SteelHead must intercept the FTP control channel (port 21), regardless of whether the FTP data channel is using active or passive FTP.
Figure 7‑3. Active and Passive FTP
With RiOS v8.0.4 and later, the AFE monitors the FTP control connection. AFE learns the negotiated port numbers and connection initiator from the FTP control connection. You can then use AFE to classify active and passive FTP connections for IPv4.
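The following added example (not Riverbed code and not the AFE implementation) shows how a control-channel monitor can learn the data-channel port and connection initiator from the PORT command and the 227 reply to PASV, whose arguments use the RFC 959 host-port format. The function names and the sample addresses are assumptions made for illustration.

```python
import re

# RFC 959 host-port format: h1,h2,h3,h4,p1,p2 (six decimal octets)
HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def parse_hostport(text):
    """Return (ip, port) from a host-port string, or None if malformed."""
    m = HOSTPORT.search(text)
    if not m:
        return None
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]

def expected_data_channel(client_ip, server_ip, direction, line):
    """Derive the data connection announced by one control-channel line.

    direction: "c2s" for a client command, "s2c" for a server reply.
    Returns a dict naming the SYN sender and the listening endpoint, or None.
    """
    line = line.strip()
    if direction == "c2s" and line.upper().startswith("PORT "):
        mode, initiator, listener, hp = "active", server_ip, client_ip, parse_hostport(line[5:])
    elif direction == "s2c" and line.startswith("227"):
        mode, initiator, listener, hp = "passive", client_ip, server_ip, parse_hostport(line[3:])
    else:
        return None
    if hp is None:
        return None
    return {"mode": mode, "initiator": initiator, "dst_ip": hp[0], "dst_port": hp[1],
            # An address that differs from the control-channel peer deserves a closer look.
            "addr_matches_peer": hp[0] == listener}

# Constructed control-channel lines (documentation address ranges), not a real capture.
CLIENT, SERVER = "198.51.100.7", "192.0.2.10"
SAMPLE = [
    ("c2s", "USER demo"),
    ("c2s", "PORT 198,51,100,7,200,13"),
    ("s2c", "200 PORT command successful"),
    ("c2s", "PASV"),
    ("s2c", "227 Entering Passive Mode (192,0,2,10,195,80)"),
]

def learn_flows(lines=SAMPLE):
    """Return every data channel announced in the sample control session."""
    flows = (expected_data_channel(CLIENT, SERVER, d, l) for d, l in lines)
    return [f for f in flows if f]

if __name__ == "__main__":
    for flow in learn_flows():
        print(flow)
```

The active entry names the server as the SYN sender and the passive entry names the client, which is the role swap described in the classification sections above.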
The AFE is unable to classify FTP correctly in a server-side out-of-path (SSOOP) SteelHead deployment with the exception of optimized FTP in active mode.
FTP with IPv6 is currently not supported in AFE and QoS.
For more information about QoS and AFE, see the SteelHead Deployment Guide and the SteelHead Management Console User’s Guide.