I've seen first-hand what NAT does to QoS. How can one ever shape an inside host when using PAT? Is it even possible?
What about policing traffic? NBAR can see traffic like bittorrent, but let's say that I want to give one person full access to it, but I want to limit bandwidth that another person uses. Using PAT, I would have to source my traffic from my public IP on the public interface, but that would limit everyone.
Another question would be:
If I have several sites that don't use NAT, but their internet goes through the corporate office which does, I've still lost control of that traffic and I wouldn't be able to shape or police it, right?
Mark the traffic closest to the source, that's the rule.
If you want to 'shape an inside host' (never seen shaping an individual, but let's go with this example :)), then you mark that host at ingress on the switch. NAT does its thing but the marking is preserved and when shaping outbound you are matching against the marking not the source IP.
It works the same for bandwidth guarantee, priority, policing or shaping.
Same idea applies to your second question. If you have end-to-end QoS in your network, you can assign the packets to the appropriate class of service when they hit your internet routers regardless of the location they are coming from.
Would this type of shaping work for anything that includes return traffic? Say I wanted to give 128k to a host for FTP traffic, but that was the max download I wanted them to have.
Theoretically, I could do:
access-list 101 permit ip host 192.168.1.50 any
class-map match-all RESTRICTED
 match access-group 101
class-map match-all DSCP
 match dscp 1
!
! The original post had no policy-maps; "set" belongs in a policy-map, not a class-map
policy-map INSIDE
 class RESTRICTED
  set dscp 1
policy-map OUTSIDE
 class DSCP
  police 128000 conform-action transmit exceed-action drop
!
interface FastEthernet0/0
 description outside
 ip address 184.108.40.206 255.255.255.0
 ip nat outside
 service-policy output OUTSIDE
interface FastEthernet0/1
 description inside
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 service-policy input INSIDE
!
! Standard ACL 5 takes only a source network, with no "ip" keyword
access-list 5 permit 192.168.1.0 0.0.0.255
ip nat inside source list 5 interface FastEthernet0/0 overload
*This is all from memory*
I wanted to show where nat was, but the class-map and policy maps are the most important. I would mark everything coming into the inside interface, and then police on the outside? Would this work for stuff like FTP, bittorrent, p2p, etc?
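A small model of the mark-at-ingress, translate, match-at-egress pipeline described in the reply above, added here as an illustration and not code from the original thread. It follows the documented IOS order of operations (inside-to-outside: input policy, then NAT, then output policy; outside-to-inside: the outside input policy runs before NAT and the inside output policy after it); the server address 203.0.113.9 and the port numbers are constructed.

```python
from dataclasses import dataclass, replace

# Addresses from the poster's config; the DSCP value is the one they chose.
RESTRICTED_HOST = "192.168.1.50"
PUBLIC_IP = "184.108.40.206"
RESTRICTED_DSCP = 1

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    dscp: int = 0

def inside_input_policy(pkt):
    """policy-map INSIDE on fa0/1: ACL 101 still sees the private address, so it can mark."""
    return replace(pkt, dscp=RESTRICTED_DSCP) if pkt.src == RESTRICTED_HOST else pkt

class Pat:
    """Overload NAT: every inside host leaves as PUBLIC_IP, distinguished only by port."""
    def __init__(self):
        self.table = {}        # (inside src, inside sport) -> global port
        self.next_port = 1024  # constructed starting port

    def inside_to_outside(self, pkt):
        key = (pkt.src, pkt.sport)
        if key not in self.table:
            self.table[key] = self.next_port
            self.next_port += 1
        return replace(pkt, src=PUBLIC_IP, sport=self.table[key])

    def outside_to_inside(self, pkt):
        for (src, sport), gport in self.table.items():
            if pkt.dst == PUBLIC_IP and gport == pkt.dport:
                return replace(pkt, dst=src, dport=sport)
        return pkt  # no translation entry; a real router would drop this

def outbound(pat, pkt):
    """Inside-to-outside: input policy, then NAT, then the output policy on fa0/0."""
    translated = pat.inside_to_outside(inside_input_policy(pkt))
    return {"by_ip": translated.src == RESTRICTED_HOST,     # False: PAT hid the host
            "by_dscp": translated.dscp == RESTRICTED_DSCP}  # True: the mark survived

def inbound(pat, pkt):
    """Outside-to-inside: fa0/0 input policy sees the global address, NAT runs,
    then the fa0/1 output policy sees the original inside host again."""
    translated = pat.outside_to_inside(pkt)
    return {"outside_input_by_ip": pkt.dst == RESTRICTED_HOST,
            "inside_output_by_ip": translated.dst == RESTRICTED_HOST}
```

Return traffic from the FTP server carries no mark from the inside ingress policy, so in this model (as on IOS) the one place the download direction can still be matched on the host's address is the inside interface's output policy, after NAT has restored the private address.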