More QoS questions (QoS and PAT)

John Blakley
VIP Alumni

All,

I was playing around with QoS shaping and policing. The router that I have is using PAT. I know that translation happens before QoS and special "things" need to be done to get it to work correctly.

I was shaping/policing after marking the packet inbound on the inside interface, and then I would match that packet outbound and shape it based on the dscp marking. I sent a file to an FTP server, and it did exactly what I expected by shaping or dropping the traffic. Problem is that I could download with no problems.

Okay, so my question is that in order for me to shape downloads, my policy map would need to reference my public address list like "permit any <public address>" for me to be able to police that traffic back in.

Is there a way to also base it off of port that way I could limit ftp traffic, but allow all http downloads?

Thanks!

John

HTH, John *** Please rate all useful posts ***

Edison Ortiz
Hall of Fame

Download is considered inbound traffic and you are unable to shape inbound, you are only able to police inbound.

If you want to police inbound, your matching criteria must be the source of the packet. The value can be a source IP address|port or a QoS marking if the remote device is marking their packets at egress.

__

Edison.

So I could police inbound like:

ip access-list extended WEB
 ! port is written after the destination address, so it is the destination port
 deny tcp any any eq 80
 permit tcp any any eq 8080
 permit tcp any any eq 21
!
class-map WEBTRAFFIC
 ! a named ACL is referenced with "name", a numbered one by its number
 match access-group name WEB
!
policy-map POLICE
 class WEBTRAFFIC
  ! rate in bps; conform-action transmit / exceed-action drop are the defaults
  police 1024000
!
interface FastEthernet4
 ! public interface
 ip nat outside
 service-policy input POLICE
!
interface BVI1
 ip nat inside

I just put the nat statements to clarify what I was trying to do. Would this work in theory? I'll have to try it tonight.

Thanks!

John

HTH, John *** Please rate all useful posts ***

    ip access-list extended WEB
     deny tcp any any eq 80
     permit tcp any any eq 8080
     permit tcp any any eq 21

You don't need to deny port 80, the deny is implicit for all ports.

I would modify the config a bit:

ip access-list extended WEB
 permit tcp any any eq 8080
 permit tcp any any eq ftp
 permit tcp any any eq ftp-data

Other than that, in theory - it should work. Good luck tonight :)

__

Edison.

Addendum:

You need to take into account the flow of the traffic. In the ACL above, the destination will have the tcp port evaluated, not the source.

If the source isn't the server, then the ACL will work as expected. I'm assuming the source is the server on this case so you must have the port on the source ip, not the destination ip.

HTH,

__

Edison.
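Putting Edison's two points together (inbound traffic can only be policed, and for a download the server is the source, so the well-known port has to be matched on the source side), the following is an added example configuration written for this thread; it is not John's or Edison's config. It keeps the same interface roles (FastEthernet4 as the NAT outside/public interface, BVI1 as inside) and the same 1024000 bps rate; the ACL, class-map and policy-map names are invented for illustration. The first ACL is the destination-port form as the thread had it, kept only to show what it would actually match on an input policy; the second is the source-port form that matches downloads. HTTP on port 80 is simply not matched by either ACL, so it falls into class-default and is not policed, which is the "limit FTP, leave HTTP alone" behaviour asked for.

```cisco
! Destination-port form. On an INPUT policy on the outside interface this
! matches remote clients connecting TO a local server on 21/8080, i.e. the
! opposite direction from the downloads we want to limit.
ip access-list extended UPLOADS-TO-LOCAL-SERVER
 permit tcp any any eq ftp
 permit tcp any any eq ftp-data
 permit tcp any any eq 8080
!
! Source-port form. Server-to-client packets carry the well-known port as the
! SOURCE port, so "eq" goes between the source and destination addresses.
! The destination is left as "any": input policing on the outside interface is
! applied before the outside-to-inside translation, so the destination seen
! here is the public PAT address, and "any" avoids hard-coding it.
ip access-list extended DOWNLOADS-FROM-REMOTE
 permit tcp any eq ftp any
 permit tcp any eq ftp-data any
 permit tcp any eq 8080 any
!
class-map match-any DOWNLOADS
 match access-group name DOWNLOADS-FROM-REMOTE
!
! Inbound traffic has no egress queue to delay into, so police rather than
! shape. The actions are spelled out; transmit/drop are also the IOS defaults.
policy-map POLICE-DOWNLOADS
 class DOWNLOADS
  police 1024000 conform-action transmit exceed-action drop
!
interface FastEthernet4
 ip nat outside
 service-policy input POLICE-DOWNLOADS
!
interface BVI1
 ip nat inside
```

To confirm the class is actually catching packets, watch the conformed/exceeded counters with `show policy-map interface FastEthernet4 input` while a download runs; if the class counter stays at zero, the port is on the wrong side of the rule. One caveat for the FTP case: `eq ftp-data` (TCP 20) only matches active-mode transfers. In passive mode the server opens the data connection on an ephemeral port, so a port-based ACL will not see most modern FTP downloads, and only the control channel on port 21 will be policed.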

Thanks Edison. I'll be sure and let you know tomorrow.

I figured that I would need to do it based on port since a webserver address won't be known most of the time. This is strictly for testing.

Thanks,

John

HTH, John *** Please rate all useful posts ***