03-16-2009 12:18 PM - edited 03-04-2019 03:57 AM
All,
I've seen first hand what NAT does to QoS. How can one ever shape an inside host when using PAT? Is it even possible?
What about policing traffic? NBAR can see traffic like bittorrent, but let's say that I want to give one person full access to it, but I want to limit bandwidth that another person uses. Using PAT, I would have to source my traffic from my public IP on the public interface, but that would limit everyone.
Another question would be:
If I have several sites that don't use NAT, but their internet goes through the corporate office which does, I've still lost control of that traffic and I wouldn't be able to shape or police it, right?
Thanks,
John
03-16-2009 12:44 PM
Mark the traffic closest to the source, that's the rule.
If you want to 'shape an inside host' (never seen shaping an individual, but let's go with this example :)), then you mark that host at ingress on the switch. NAT does its thing but the marking is preserved and when shaping outbound you are matching against the marking not the source IP.
It works the same for bandwidth guarantee, priority, policing or shaping.
Same idea applies to your 2nd question. If you have an end-to-end QoS in your network, you can assign the packets to the appropriate class of service when they hit your internet routers regardless of the location they are coming from.
HTH,
__
Edison.
03-16-2009 02:03 PM
Edison,
Would this type of shaping work for anything that includes return traffic? Say I wanted to give 128k to a host for FTP traffic, but that was the max download I wanted them to have.
Theoretically, I could do:
access-list 101 permit ip host 192.168.1.50 any
!
class-map match-all RESTRICTED
 match access-group 101
class-map match-all DSCP
 match dscp 1
!
policy-map INSIDE
 class RESTRICTED
  set dscp 1
policy-map OUTSIDE
 class DSCP
  police 128000
!
! outside interface
interface fa0/0
 ip address 5.15.23.33 255.255.255.0
 ip nat outside
 service-policy output OUTSIDE
!
! inside interface
interface fa0/1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 service-policy input INSIDE
!
ip nat inside source list 5 interface fa0/0 overload
access-list 5 permit 192.168.1.0 0.0.0.255
*This is all from memory*
I wanted to show where nat was, but the class-map and policy maps are the most important. I would mark everything coming into the inside interface, and then police on the outside? Would this work for stuff like FTP, bittorrent, p2p, etc?
Thanks!
John
03-16-2009 03:32 PM
The idea is there. You need to modify the ACL to reflect the FTP, P2P, Bittorrent stuff - but I know the intent of the post and great job while doing from memory :)
__
Edison.
03-17-2009 06:50 AM
Edison,
When you say that I needed to modify the acl to reflect ftp, p2p, etc, are you talking about tying it down to ports?
Should the acl look more like:
access-list 101 permit ip host 192.168.1.50 any eq 21
Thanks,
John
03-17-2009 06:55 AM
Yes, identifying the ports as 'ip' defines all ports.
No, the ACL would look like:
access-list 101 permit tcp host 192.168.1.50 any eq ftp
access-list 101 permit tcp host 192.168.1.50 any eq ftp-data
03-17-2009 06:57 AM
LOL! Yeah, that's what I meant. :)
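The design discussed in this thread, written out as an added example (not a config posted by John or Edison), using the same addressing. It assumes a single router with fa0/0 outside and fa0/1 inside: the host is marked on ingress of the inside interface before NAT, its FTP upload is policed by DSCP on egress of the outside interface, and its FTP download (the return-traffic case John asked about) is policed on egress of the inside interface, where the packet has already been translated back to the private address.

```cisco
! Upload direction: classify the inside host before NAT, using Edison's port-based ACL
access-list 101 permit tcp host 192.168.1.50 any eq ftp
access-list 101 permit tcp host 192.168.1.50 any eq ftp-data
!
! Download direction: return traffic to the same host, matched on the inside
! interface output, after NAT has restored 192.168.1.50 as the destination.
! (An input policy on the outside interface would only see 5.15.23.33.)
access-list 102 permit tcp any eq ftp host 192.168.1.50
access-list 102 permit tcp any eq ftp-data host 192.168.1.50
!
class-map match-all RESTRICTED
 match access-group 101
class-map match-all RESTRICTED-RETURN
 match access-group 102
class-map match-all DSCP1
 match dscp 1
!
policy-map INSIDE
 class RESTRICTED
  set dscp 1
policy-map OUTSIDE
 class DSCP1
  police 128000 conform-action transmit exceed-action drop
policy-map INSIDE-OUT
 class RESTRICTED-RETURN
  police 128000 conform-action transmit exceed-action drop
!
interface FastEthernet0/0
 ip address 5.15.23.33 255.255.255.0
 ip nat outside
 service-policy output OUTSIDE
!
interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 service-policy input INSIDE
 service-policy output INSIDE-OUT
!
ip nat inside source list 5 interface FastEthernet0/0 overload
access-list 5 permit 192.168.1.0 0.0.0.255
```

The ftp-data entries only catch active-mode transfers; passive-mode data connections use negotiated ports, so for those the NBAR match John mentioned (match protocol ftp) is the practical alternative to a port ACL.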