I was playing around with QoS shaping and policing. The router that I have is using PAT. I know that translation happens before QoS and special "things" need to be done to get it to work correctly.
I was shaping/policing after marking the packet inbound on the inside interface, and then I would match that packet outbound and shape it based on the DSCP marking. I sent a file to an FTP server, and it did exactly what I expected by shaping or dropping the traffic. The problem is that I could download with no problems.
Okay, so my question is that in order for me to shape downloads, my policy map would need to reference my public address list like "permit any <public address>" for me to be able to police that traffic back in.
Is there a way to also base it off of port, so that I could limit FTP traffic but allow all HTTP downloads?