Shaping and NAT

John Blakley
VIP Alumni

All,

I've seen first hand what NAT does to QoS. How can one ever shape an inside host when using PAT? Is it even possible?

What about policing traffic? NBAR can see traffic like bittorrent, but let's say that I want to give one person full access to it, but I want to limit bandwidth that another person uses. Using PAT, I would have to source my traffic from my public IP on the public interface, but that would limit everyone.

Another question would be:

If I have several sites that don't use NAT, but their internet goes through the corporate office which does, I've still lost control of that traffic and I wouldn't be able to shape or police it, right?

Thanks,

John

HTH, John *** Please rate all useful posts ***

6 Replies

Edison Ortiz
Hall of Fame

Mark the traffic closest to the source, that's the rule.

If you want to 'shape an inside host' (never seen shaping an individual, but let's go with this example :)), then you mark that host at ingress on the switch. NAT does its thing but the marking is preserved and when shaping outbound you are matching against the marking not the source IP.

It works the same for bandwidth guarantee, priority, policing or shaping.

Same idea applies to your 2nd question. If you have end-to-end QoS in your network, you can assign the packets to the appropriate class of service when they hit your internet routers regardless of the location they are coming from.

HTH,

__

Edison.

Edison,

Would this type of shaping work for anything that includes return traffic? Say I wanted to give 128k to a host for FTP traffic, but that was the max download I wanted them to have.

Theoretically, I could do:

access-list 101 permit ip host 192.168.1.50 any
!
class-map match-all RESTRICTED
 match access-group 101
class-map match-all DSCP
 match dscp 1
!
policy-map INSIDE
 class RESTRICTED
  set dscp 1
policy-map OUTSIDE
 class DSCP
  police 128000
!
! outside
interface fa0/0
 ip address 5.15.23.33 255.255.255.0
 ip nat outside
 service-policy output OUTSIDE
!
! inside
interface fa0/1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 service-policy input INSIDE
!
ip nat inside source list 5 interface fa0/0 overload
access-list 5 permit 192.168.1.0 0.0.0.255

*This is all from memory*

I wanted to show where nat was, but the class-map and policy maps are the most important. I would mark everything coming into the inside interface, and then police on the outside? Would this work for stuff like FTP, bittorrent, p2p, etc?

Thanks!

John

HTH, John *** Please rate all useful posts ***

The idea is there. You need to modify the ACL to reflect the FTP, P2P, Bittorrent stuff - but I know the intent of the post and great job while doing from memory :)

__

Edison.

Edison,

When you say that I needed to modify the acl to reflect ftp, p2p, etc, are you talking about tying it down to ports?

Should the acl look more like:

access-list 101 permit ip host 192.168.1.50 any eq 21

Thanks,

John

HTH, John *** Please rate all useful posts ***

Yes, identifying the ports; 'ip' defines all ports.

No, the ACL would look like:

access-list 101 permit tcp host 192.168.1.50 any eq ftp

access-list 101 permit tcp host 192.168.1.50 any eq ftp-data

LOL! Yeah, that's what I meant. :)

HTH, John *** Please rate all useful posts ***
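Putting the thread together as a small runnable model (an added example, not code from any of the posts): ingress marking on the inside interface using Edison's corrected access-list 101, PAT rewriting every inside source to the fa0/0 address while leaving the DSCP byte alone, and an egress policer on the outside interface that matches DSCP 1 rather than the inside host's address. It also shows why John's first idea fails: a source-IP match on the outside interface sees no 192.168.1.50 packets at all after PAT. Assumptions not in the thread: the policer is modelled as a single-rate two-colour token bucket with a burst allowance (bc) of 4000 bytes, the sample traffic is constructed (100 FTP-control packets of 1000 bytes, 10 ms apart, from each of two inside hosts to the test address 203.0.113.10), and the flow-generation helper `run` is mine. One caveat on John's return-traffic question: the posted OUTSIDE policy is an output policy on the outside interface, so this model, like that policy, only governs traffic leaving towards the internet; downloads arrive in the other direction and are not covered by it.

```python
# Added example: model of mark-at-ingress / police-at-egress across PAT.
# Addresses, ports, DSCP value and rate come from the posted config;
# BC_BYTES, the sample traffic and the destination address are assumptions.
from dataclasses import dataclass

CIR_BPS = 128_000           # police 128000 in policy-map OUTSIDE
BC_BYTES = 4_000            # assumed burst allowance (bc); not given on the page
PUBLIC_IP = "5.15.23.33"    # ip address on fa0/0 (outside)
RESTRICTED_HOST = "192.168.1.50"
FTP_PORTS = (20, 21)        # ftp-data and ftp in the corrected access-list 101
RESTRICTED_DSCP = 1         # set dscp 1 / match dscp 1


@dataclass
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    size: int       # bytes on the wire
    dscp: int = 0
    t_ms: int = 0   # arrival time in milliseconds


def ingress_mark(pkt: Packet) -> Packet:
    """policy-map INSIDE ('service-policy input' on fa0/1): class RESTRICTED
    matches tcp from .50 to ftp/ftp-data and sets DSCP 1; everything else
    (class-default) is left exactly as the host sent it."""
    if pkt.proto == "tcp" and pkt.src_ip == RESTRICTED_HOST and pkt.dst_port in FTP_PORTS:
        pkt.dscp = RESTRICTED_DSCP
    return pkt


class PAT:
    """ip nat inside source list 5 interface fa0/0 overload: every inside
    source becomes the outside address plus an allocated port. DSCP is untouched."""

    def __init__(self, public_ip: str, first_port: int = 1024):
        self.public_ip = public_ip
        self.next_port = first_port
        self.table = {}  # (inside_ip, inside_port) -> outside_port

    def translate(self, pkt: Packet) -> Packet:
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.table:
            self.table[key] = self.next_port
            self.next_port += 1
        pkt.src_ip, pkt.src_port = self.public_ip, self.table[key]
        return pkt


class Policer:
    """Single-rate two-colour token bucket; integer maths so results are exact."""

    def __init__(self, cir_bps: int, bc_bytes: int):
        self.rate = cir_bps // 8      # bytes per second
        self.bc = bc_bytes
        self.tokens = bc_bytes        # bucket starts full
        self.last_ms = 0

    def conform(self, pkt: Packet) -> bool:
        elapsed = pkt.t_ms - self.last_ms
        self.last_ms = pkt.t_ms
        self.tokens = min(self.bc, self.tokens + self.rate * elapsed // 1000)
        if self.tokens >= pkt.size:
            self.tokens -= pkt.size
            return True
        return False


def egress_police(pkt: Packet, policer: Policer) -> str:
    """policy-map OUTSIDE ('service-policy output' on fa0/0): class DSCP
    (match dscp 1) is policed, conform transmit / exceed drop; class-default passes."""
    if pkt.dscp == RESTRICTED_DSCP:
        return "transmit" if policer.conform(pkt) else "drop"
    return "transmit"


def matches_source_on_outside(pkt: Packet) -> bool:
    """John's first idea: match the inside host's address on the outside
    interface. After PAT no packet carries 192.168.1.50 any more."""
    return pkt.src_ip == RESTRICTED_HOST


def run(host: str, n: int = 100, size: int = 1000, gap_ms: int = 10):
    """Constructed traffic: n FTP-control packets of `size` bytes from `host`,
    one every gap_ms. Returns (packets transmitted, outside source-ACL hits,
    set of DSCP values seen at egress)."""
    nat, policer = PAT(PUBLIC_IP), Policer(CIR_BPS, BC_BYTES)
    sent = acl_hits = 0
    dscps = set()
    for i in range(n):
        pkt = Packet(host, 40000, "203.0.113.10", 21, "tcp", size, t_ms=i * gap_ms)
        pkt = nat.translate(ingress_mark(pkt))   # inside in -> NAT -> outside out
        dscps.add(pkt.dscp)
        acl_hits += matches_source_on_outside(pkt)
        sent += egress_police(pkt, policer) == "transmit"
    return sent, acl_hits, dscps


if __name__ == "__main__":
    for h in (RESTRICTED_HOST, "192.168.1.60"):
        sent, hits, dscps = run(h)
        print(f"{h}: {sent}/100 transmitted, outside source-ACL hits={hits}, dscp={dscps}")
```

With these inputs the restricted host gets 19 of its 100 packets through (the initial 4000-byte burst plus roughly 16 kB/s of refill during the one-second run) while the unrestricted host gets all 100, and the source-IP match on the outside interface hits nothing for either host. Because the whole scheme hinges on the DSCP value, the ingress policy is the trust boundary: this model, like the posted INSIDE policy, leaves class-default unmarked, so whatever DSCP an inside host sets itself is carried through NAT untouched; on untrusted ports it is usual to also re-mark class-default to 0 at ingress so a host cannot choose its own class.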