QoS, NBAR, and NAT

Unanswered Question
Mar 13th, 2009
User Badges:
  • Purple, 4500 points or more

All,


When using NAT, I understand that the translation is done BEFORE QoS is applied for inbound-to-outbound traffic. If this is correct, how would an ACL look if I wanted to restrict one host on the inside from going out a certain port?


Public IP: 5.5.5.5

Private IP: 192.168.1.50


If a service policy is applied as output on the public interface, then QoS would match on the 5.5.5.5 address, but if I wanted to restrict cnn.com, I would restrict everyone behind that address. Is there a way to restrict just the one host?


I've been using NBAR and I can't get anything to match, for whatever reason, so I'm wondering if it has something to do with NAT. Does anyone have a good example of a config that is using NAT, NBAR, and blocking either whole websites or, better yet, mime types?


Thanks,

John

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (2 ratings)
Loading.
Istvan_Rabai Fri, 03/13/2009 - 11:03
User Badges:
  • Gold, 750 points or more

Hi John,


I don't know if I understand you well, but trying to tell you some words:


You can restrict an inside host from going out to the internet by applying an acl on the inside interface inbound, similar to this:


access-list 1 deny 192.168.1.50

access-list 1 permit any


int f0/0

ip access-group 1 in


If you want to restrict this host from going out on one outside interface but enable it to go out on another outside interface, then you may apply policy routing, similarly to this:


access-list 2 permit 192.168.1.50


route-map TEST permit 10

match ip address 2

set ip next-hop x.x.x.x

route-map TEST permit 20


int f0/0

ip policy route-map TEST


Cheers:

Istvan

John Blakley Fri, 03/13/2009 - 11:39
User Badges:
  • Purple, 4500 points or more

Istvan,


This is strictly with QoS, not just ACLs. I've been struggling to figure out why my QoS map is matching the ACL applied to a class-map only on the public IP, but not on the private.


Thanks,

John

Istvan_Rabai Fri, 03/13/2009 - 12:21
User Badges:
  • Gold, 750 points or more

Hi John,


This is because the sequence of events on outgoing packets is the following when NAT is applied:


1. NAT translation


2. Outgoing acl processing


3. QoS processing


After the NAT translation the packet's source address is the public ip address.

So after the NAT translation you have to use the public ip address in any outbound acls or outgoing QoS acls.


Once the packet has been NAT translated, if you use the inside local ip address in outbound acls and outgoing QoS acls then there will be no match on the packets.


If static NAT translation is taking place then you can apply your restrictions within the outbound acl or outgoing QoS acl, because with static NAT translations there is a static 1-to-1 mapping between the inside local and the inside global ip address. But anyway you have to use the public ip address inside those outbound acls.


Cheers:

Istvan


John Blakley Fri, 03/13/2009 - 12:31
User Badges:
  • Purple, 4500 points or more

Istvan,


Let's say that I have two hosts on the inside of the network.


For ease of understanding, I want one to have access to port 80 but not the other. (I know an ACL would be the best way, but I'm trying to see how my acl would look in the QoS aspect)


Public address: 5.5.5.5


Host A: 10.5.5.50 <-want http

Host B: 10.5.5.100


Theoretically, my acl that my class map references would look like:


access-list 101 permit ip host 5.5.5.5 any


class-map match-any HTTP

match access-group 101


policy-map NOHTTP

class HTTP

drop


With the above map, I'm thinking that anyone trying to get on the web will get dropped because everything is going out as the public ip, and then it's being dropped.


How would my acl look if I wanted to allow one person through, but then keep the other one from going through? There's a point to this. =) I may want to allow 5 people to get to youtube.com, but 3 others I don't.


Also, would it be *easier* for me to set up an inbound policy to set dscp markings on traffic, and then drop those dscp markings in the policy that's applied outbound on the egress interface?


Thanks,

John


Istvan_Rabai Fri, 03/13/2009 - 13:20
User Badges:
  • Gold, 750 points or more

Hi John,


When you do PAT, you have no option to differentiate between outgoing packets because the source ip address is the same for all inside hosts (it is 5.5.5.5), the source port of packets is ephemeral (temporary) and therefore not deterministic.


I think your solution of deterministically differentiating packets with dscp marking would work quite correctly.


But it makes the router do more than necessary processing, because it allows many packets through the router just to be dropped at the end:


1. process the inbound policy

2. process NAT translation

3. process the outbound policy

4. drop unnecessary packets


The least processing could be achieved by simply denying the unnecessary traffic on the incoming interface, and to allow further processing of those packets only that should be allowed to youtube.com


So point 4. would become point 0.


Cheers:

Istvan


John Blakley Fri, 03/13/2009 - 13:27
User Badges:
  • Purple, 4500 points or more

Well, the problem that I have is I've been trying to block shockwave games and youtube type videos (.flv). I've been using NBAR, but it won't block it for anything, and this is the last thing that I could come up with being that NAT could be causing my problem. I can get nbar to work on the egress (public) interface, but I can't get it to match packets when my acl references my internal network. I don't want to block just game site domains because they always change. I know that nbar has the "match protocol http mime" command, but it's not matching against the "application/x-shockwave-flash" or "video/flv".


I guess my next question would be:


What good does QoS do for a small office if it doesn't see to be easy enough to perform QoS for "a single point?" It seems like I can't shape by host because of natting, I can't restrict certain filetypes unless I use my public address, which in turn affects everyone else.


Thanks,

John

Istvan_Rabai Fri, 03/13/2009 - 13:52
User Badges:
  • Gold, 750 points or more

Hi John,


If you are definitely forced to use your public ip address then the dscp marking solution would be OK.

You could restrict and shape by the dscp marking.


If possible, please post your config here so I can see how exactly you wish to implement this.

Then I would be able to make comments if you wish.


Thank you:

Istvan

John Blakley Fri, 03/13/2009 - 13:59
User Badges:
  • Purple, 4500 points or more

I've got this posted on another forum also because to me it makes no sense (getting closer though).


Here's the config:


Here's the config for the class-map, policy-map, and all of the interfaces:


class-map match-all NO_FLASH

match access-group 151

match protocol http mime "application/x-shockwave-flash"


policy-map OUTBOUND

class ROKU-OUTBOUND

priority percent 25

class NO_FLASH

drop

class class-default

fair-queue 256



interface FastEthernet0

description Router Trunk

switchport mode trunk

!

interface FastEthernet1

!

interface FastEthernet2

switchport access vlan 2

duplex full

speed 100

!

interface FastEthernet3

duplex full

speed 100

!

interface FastEthernet4

bandwidth 6144

ip address dhcp client-id FastEthernet4

ip access-group EXTERNAL in

no ip redirects

no ip unreachables

no ip proxy-arp

ip nbar protocol-discovery

ip nat outside

ip inspect NEMESIS-FW out

ip virtual-reassembly

ip route-cache flow

speed 100

full-duplex

no cdp enable

service-policy output OUTBOUND

!


interface Dot11Radio0

no ip address

no ip redirects

no ip unreachables

no ip proxy-arp

ip route-cache flow

!

encryption vlan 1 mode ciphers tkip

!

ssid ISIS

!

speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0

station-role root

infrastructure-client

ip nbar protocol-discovery

!

interface Dot11Radio0.1

description Normal WIFI

encapsulation dot1Q 1 native

bridge-group 1

bridge-group 1 subscriber-loop-control

bridge-group 1 spanning-disabled

bridge-group 1 block-unknown-source

no bridge-group 1 source-learning

no bridge-group 1 unicast-flooding

!


interface Vlan1

no ip address

ip virtual-reassembly

bridge-group 1

bridge-group 1 spanning-disabled

!

interface Vlan2

description DMZ$FW_INSIDE$

ip address 192.168.2.1 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

ip nat inside

ip virtual-reassembly

ip route-cache flow

service-policy input ROKU


interface BVI1

description Internal Interface$ES_LAN$$FW_INSIDE$

ip address 10.20.1.1 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

ip nbar protocol-discovery

ip nat inside

ip virtual-reassembly

ip route-cache flow

!

hold-queue 100 out

!

access-list 151 permit ip 10.20.1.0 0.0.0.255 any



I was trying both youtube.com and addictinggames.com. I need to be able to block any online game or video anywhere, not just these two sites.


John



Istvan_Rabai Fri, 03/13/2009 - 18:28
User Badges:
  • Gold, 750 points or more

Well, if you need to block any online game or video anywhere, then I would do the following based on your config above:


1. remove "match access-group 151" from class-map match-all NO_FLASH.


Though I don't see the "ip nat" commands, I suppose users in the 10.20.1.0/24 subnet are NATted on interface FastEthernet4. If this is so, then "match access-group 151" will block all traffic because on Fa4 we are after NAT, so our source addresses for packets sourced from the 10.20.1.0/24 subnet are different at this stage (see my 2nd post on processing order of packets).

Therefore no traffic will match "class NO_FLASH".

[EDIT]

Traffic will be processed through class class-default which permits all traffic that were not matched by the previous class-maps.


2. Modify "class-map match-all NO_FLASH" to "class-map match-any NO_FLASH"


3. List all the protocols you want to match under "class-map match-any NO_FLASH" with the "match protocol" command, or define extended ACLs if you cannot match them otherwise.


The result of this will be that any protocol that you list under "class-map match-any NO_FLASH" will be dropped by the "policy-map OUTBOUND" that is applied to Fa4.


Note:

Again, I don't see the contents of "class ROKU-OUTBOUND", but make sure it does not match any traffic in its body that you wanted to deny:


"class ROKU-OUTBOUND" is listed in "policy-map OUTBOUND" before any other class. As policy-maps are processed top-down, any traffic that is permitted by this class-map will be put into the priority-queue and transmitted (or policed and dropped if this traffic class exceeds 25 percent of interface bandwidth) before traffic that matches "class NO_FLASH".


Cheers:

Istvan

Actions

This Discussion