03-25-2009 07:40 AM - edited 03-04-2019 04:05 AM
All,
I was playing around with QoS shaping and policing. The router that I have is using PAT. I know that translation happens before QoS and special "things" need to be done to get it to work correctly.
I was shaping/policing after marking the packet inbound on the inside interface, and then I would match that packet outbound and shape it based on the dscp marking. I sent a file to an FTP server, and it did exactly what I expected by shaping or dropping the traffic. Problem is that I could download with no problems.
Okay, so my question is that in order for me to shape downloads, my policy map would need to reference my public address list like "permit any <public address>" for me to be able to police that traffic back in.
Is there a way to also base it off of port that way I could limit ftp traffic, but allow all http downloads?
Thanks!
John
03-25-2009 07:44 AM
Download is considered inbound traffic, and you are unable to shape inbound; you are only able to police inbound.
If you want to police inbound, your matching criteria must be the source of the packet. The value can be a source IP address|port or a QoS marking if the remote device is marking their packets at egress.
__
Edison.
03-25-2009 08:06 AM
So I could police inbound like:
ip access-list ext WEB
deny tcp any
permit tcp any
permit tcp any
class-map WEBTRAFFIC
match access-group name WEB
policy-map POLICE
class WEBTRAFFIC
police 1024000
int fa4 (public interface)
ip nat outside
service-policy input POLICE
int bvi1
ip nat inside
I just put the nat statements to clarify what I was trying to do. Would this work in theory? I'll have to try it tonight.
Thanks!
John
03-25-2009 08:51 AM
ip access-list ext WEB
deny tcp any
permit tcp any
permit tcp any
You don't need to deny port 80; the deny is implicit for all ports.
I would modify the config a bit:
ip access-list ext WEB
permit tcp any
permit tcp any
permit tcp any
Other than that, in theory - it should work. Good luck tonight :)
__
Edison.
03-25-2009 10:08 AM
Addendum:
You need to take into account the flow of the traffic. In the ACL above, the destination will have the tcp port evaluated, not the source.
If the source isn't the server, then the ACL will work as expected. I'm assuming the source is the server in this case, so you must have the port on the source IP, not the destination IP.
HTH,
__
Edison.
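Putting Edison's two replies together, here is an added example configuration (not posted by anyone in this thread) that polices inbound FTP downloads while leaving HTTP downloads untouched. The ACL name, class/policy names, the 1 Mbps rate and burst, and the use of ports 20/21 are my assumptions; the interfaces follow the ones John listed.

```cisco
! Added example, not from the thread. Download packets arrive on the NAT
! outside interface with the server as SOURCE, so the TCP port is matched
! on the source side of each ACL entry, as Edison's addendum explains.
ip access-list extended FTP-DOWNLOAD
 remark FTP control channel replies (server source port 21, assumed)
 permit tcp any eq 21 any
 remark Active-mode data channel (server source port 20, assumed)
 permit tcp any eq 20 any
 remark Passive-mode data uses an ephemeral server port and is NOT matched here.
 remark HTTP (source port 80) is not listed, so it falls through untouched.
!
class-map match-all FTP-DOWNLOAD
 match access-group name FTP-DOWNLOAD
!
policy-map POLICE-IN
 class FTP-DOWNLOAD
  ! Assumed rate: 1 Mbps CIR with a 32 kB burst; excess is dropped.
  police cir 1024000 bc 32000 conform-action transmit exceed-action drop
!
! Apply as an INPUT policy on the public (NAT outside) interface.
interface FastEthernet4
 ip nat outside
 service-policy input POLICE-IN
!
interface BVI1
 ip nat inside
```

Verify with `show policy-map interface FastEthernet4` while a download runs: the conformed and exceeded counters for class FTP-DOWNLOAD should climb for FTP, and stay at zero for an HTTP download.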
03-25-2009 11:07 AM
Thanks Edison. I'll be sure to let you know tomorrow.
I figured that I would need to do it based on port since a webserver address won't be known most of the time. This is strictly for testing.
Thanks,
John