More QoS questions (QoS and PAT)

Unanswered Question
Mar 25th, 2009

All,


I was playing around with QoS shaping and policing. The router that I have is using PAT. I know that translation happens before QoS and special "things" need to be done to get it to work correctly.


I was shaping/policing after marking the packet inbound on the inside interface, and then I would match that packet outbound and shape it based on the dscp marking. I sent a file to an FTP server, and it did exactly what I expected by shaping or dropping the traffic. Problem is that I could download with no problems.


Okay, so my question is that in order for me to shape downloads, my policy map would need to reference my public address list like "permit any <public address>" for me to be able to police that traffic back in.


Is there a way to also base it off of port that way I could limit ftp traffic, but allow all http downloads?


Thanks!

John

Edison Ortiz Wed, 03/25/2009 - 07:44

Download is considered inbound traffic and you are unable to shape inbound, you are only able to police inbound.


If you want to police inbound, your matching criteria must be the source of the packet. The value can be a source IP address|port or a QoS marking if the remote device is marking their packets at egress.


__


Edison.

John Blakley Wed, 03/25/2009 - 08:06

So I could police inbound like:


ip access-list ext WEB
 deny tcp any eq 80
 permit tcp any eq 8080
 permit tcp any eq 21

class-map WEBTRAFFIC
 match access-group WEB

policy-map POLICE
 class WEBTRAFFIC
  police 1024000

int fa4 (public interface)
 ip nat outside
 service-policy input POLICE

int bvi1
 ip nat inside


I just put the nat statements to clarify what I was trying to do. Would this work in theory? I'll have to try it tonight.


Thanks!

John



Edison Ortiz Wed, 03/25/2009 - 08:51

ip access-list ext WEB
 deny tcp any eq 80
 permit tcp any eq 8080
 permit tcp any eq 21


You don't need to deny port 80, the deny is implicit for all ports.


I would modify the config a bit:



ip access-list ext WEB
 permit tcp any eq 8080
 permit tcp any eq ftp
 permit tcp any eq ftp-data

Other than that, in theory - it should work. Good luck tonight :)



__


Edison.

Edison Ortiz Wed, 03/25/2009 - 10:08

Addendum:


You need to take into account the flow of the traffic. In the ACL above, the destination will have the tcp port evaluated, not the source.


If the source isn't the server, then the ACL will work as expected. I'm assuming the source is the server in this case, so you must have the port on the source ip, not the destination ip.


HTH,


__


Edison.

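The following is an added example, not part of this thread and not Cisco code, that models Edison's addendum in Python: the same three ports are written once as destination-port entries (the way John's ACL reads) and once as source-port entries, and both lists are evaluated against constructed packets that would arrive inbound on the NAT-outside interface while an FTP download is in progress. The addresses, ephemeral ports and packet list are all made up; since every entry uses `any` for both addresses, the PAT address question does not affect the result and only the port position matters. The example also goes one step beyond the thread by including a passive-mode data connection, where the server's source port is ephemeral, so neither ACL form catches it.

```python
"""Constructed example (not from the thread): first-match ACL evaluation showing
why a port must sit on the source side to police server-to-client download
traffic inbound on the NAT-outside interface."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Ace:
    """One extended-ACL entry with 'any' as source and destination address.

    src_port models 'permit tcp any eq <port> any' (operator on the source),
    dst_port models 'permit tcp any any eq <port>' (operator on the destination).
    """
    action: str                      # "permit" or "deny"
    proto: str = "tcp"
    src_port: Optional[int] = None
    dst_port: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if self.proto != pkt.proto:
            return False
        if self.src_port is not None and pkt.src_port != self.src_port:
            return False
        if self.dst_port is not None and pkt.dst_port != self.dst_port:
            return False
        return True


def acl_lookup(acl: List[Ace], pkt: Packet) -> str:
    """First matching entry wins; the implicit deny at the end catches the rest."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action
    return "deny"


def class_map_matches(acl: List[Ace], pkt: Packet) -> bool:
    """'match access-group' is true only when the ACL permits the packet."""
    return acl_lookup(acl, pkt) == "permit"


def policed_count(acl: List[Ace], pkts: List[Packet]) -> int:
    """How many of the packets the policer class would see."""
    return sum(class_map_matches(acl, p) for p in pkts)


FTP, FTP_DATA, ALT_HTTP = 21, 20, 8080

# Constructed addresses (documentation ranges), not the poster's network.
PUBLIC_IP = "203.0.113.10"    # router's PAT address on fa4
SERVER_IP = "198.51.100.5"    # remote FTP server
CLIENT_IP = "192.168.1.20"    # inside host behind PAT

# John's ACL as Edison read it: the port operator is on the destination.
DEST_PORT_ACL = [
    Ace("permit", dst_port=ALT_HTTP),
    Ace("permit", dst_port=FTP),
    Ace("permit", dst_port=FTP_DATA),
]

# Edison's addendum: the server is the source, so put the port on the source.
SRC_PORT_ACL = [
    Ace("permit", src_port=ALT_HTTP),
    Ace("permit", src_port=FTP),
    Ace("permit", src_port=FTP_DATA),
]

# Constructed packets arriving inbound on fa4 during a download.
INBOUND_DOWNLOAD = [
    Packet(SERVER_IP, FTP, PUBLIC_IP, 51522),       # control-channel replies
    Packet(SERVER_IP, FTP_DATA, PUBLIC_IP, 51523),  # active-mode data, server -> client
    Packet(SERVER_IP, 49877, PUBLIC_IP, 51524),     # passive-mode data, ephemeral server port
]

# Constructed outbound control packet for comparison (client -> server, dst 21).
OUTBOUND_CONTROL = Packet(CLIENT_IP, 51522, SERVER_IP, FTP)


if __name__ == "__main__":
    for name, acl in (("destination-port ACL", DEST_PORT_ACL), ("source-port ACL", SRC_PORT_ACL)):
        print(f"{name}: {policed_count(acl, INBOUND_DOWNLOAD)} of "
              f"{len(INBOUND_DOWNLOAD)} inbound download packets policed")
```

Run as written, the destination-port list polices none of the inbound download packets, the source-port list polices the two whose source port is 21 or 20, and only the outbound control packet (destination port 21) matches the destination-port list. The passive-mode data packet escapes both, which is why port-only classification of FTP downloads stays incomplete regardless of which side the operator is on.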
John Blakley Wed, 03/25/2009 - 11:07

Thanks Edison. I'll be sure and let you know tomorrow.


I figured that I would need to do it based on port since a webserver address won't be known most of the time. This is strictly for testing.



Thanks,

John
