downlimit limit - QoS

Network Pro
Level 1

Hi,

I am looking after a network that has a 10 Mb connection. Whenever a user downloads or a laptop does automatic updates, the network becomes unusable. Most of the traffic is downloads like Microsoft updates or Office 365, etc.

Will QoS work? But looking at the firewall, the main traffic is the traffic hitting the firewall on the outbound interface. Any thoughts?

Thanks

Joseph W. Doherty
Hall of Fame

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

If you manage the 10 Mbps interface, depending on the device, QoS can be somewhat effective to very effective.

How can I get QoS to control the inbound traffic from the Internet?

Posting

Often not very effectively.  You can police ingress traffic and you can shape outbound ACKs.  On "special" traffic management devices, they might also spoof TCP RWINs.

Can you give some examples of it? I need to block the downloaded traffic from the Internet.

Posting

Block or slow it down?

If block, you match the inbound traffic you want to eliminate and drop it.

If slow it down, again you match the inbound traffic you want to slow and drop any of that traffic over the specific rate.

How to do this depends much on your equipment.

Assuming you have a Cisco router that supports NBAR, you might have a policy like:

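! Classify the unwanted traffic with NBAR
class-map match-any BadTraffic
 match protocol ftp
!
! Drop every packet in the class
policy-map ControlBadTraffic
 class BadTraffic
  drop

*or*

! Police the class instead; the rate is in bits per second
policy-map ControlBadTraffic
 class BadTraffic
  police 1000000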

(NB: I haven't checked the syntax of the above.)

You apply the policy-map on your Internet facing interface, for input.

interface FastEthernet 0
 service-policy input ControlBadTraffic

So you mean apply this on the inbound interface of the outside port (Internet facing)?

I want some sort of ACL (which I can create) and limit the traffic on the firewall.

Posting

Correct.

If you want to do something similar on a firewall, it should work there too.  Much depends on what features the firewall provides, such as a rate limiter if you want to slow but not totally block some kind of traffic.

Hi Joseph,

Is it correct if I say the result may greatly depend on the type of traffic? I had the same problem in the past but after some reading I understood that:

a) dropping could be effective with TCP traffic but not UDP, because UDP has no congestion control mechanism while TCP has a sliding window

b) the result is not predictable: I found a lot of studies that try to model and evaluate the effect of dropping TCP packets on the bandwidth used by the TCP session; the overall impression is that it's really hard to predict the effect of dropping packets

c) WRED should be used to avoid a synchronization of TCP sessions

Thanks in advance for your reply,

enrico

Posting

a: We're talking about "slowing" traffic?  Then, yes, TCP should "slow" if packets are dropped.  UDP, alone, doesn't slow, but the application using it might have some form of feedback that will slow if packets are dropped.

b: TCP should slow, but predicting precisely how it will slow depends on multiple variables.  For instance, TCP might go into congestion avoidance or slow start when packets are lost.  How TCP responds to lost packets also depends on the "flavor" of TCP being used and whether the implementation is following the "rules".

c: WRED is for egress, and we've been looking at managing ingress.  One of the features of WRED is to avoid global synchronization of multiple TCP sessions' packet drop recovery.  (Personally, I prefer FQ or DBL to avoid that issue.)
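
An added illustration of points a and b in the reply above, not part of the original posts: a token-bucket policer at the 1,000,000 bps rate from the posted policy-map, fed by a constant-rate (UDP-style) source and by a simplified AIMD (TCP-style) source. Packet size, round-trip time, burst depth, the 3 Mbps source rate and the AIMD model are assumptions chosen for the example.

```python
# Added illustration: token-bucket policer vs. two kinds of sender.
# Assumed values (not from the thread): 1250-byte packets, 100 ms RTT,
# 31250-byte burst, a 3 Mbps UDP-style source, a simplified AIMD TCP model.
CIR_BPS = 1_000_000          # "police 1000000" from the posted policy-map
PKT = 1250                   # bytes per packet (assumed)
TICKS_PER_SEC = 10           # one tick = one 100 ms round trip (assumed)
REFILL = CIR_BPS // 8 // TICKS_PER_SEC   # token bytes added per tick
BURST = 31250                # bucket depth in bytes (assumed)


class ConstantRate:
    """UDP-style source with no feedback: offers the same load regardless of loss."""
    def __init__(self, bps):
        self.pkts = bps // 8 // PKT // TICKS_PER_SEC
    def next_burst(self):
        return self.pkts
    def feedback(self, lost):
        pass


class Aimd:
    """Simplified TCP: +1 packet per RTT, halve the window after any loss."""
    def __init__(self):
        self.window = 1
    def next_burst(self):
        return self.window
    def feedback(self, lost):
        self.window = max(1, self.window // 2) if lost else self.window + 1


def simulate(sender, ticks=100):
    """Return (offered_bps, delivered_bps) for a sender behind the policer."""
    tokens, offered, delivered = BURST, 0, 0
    for _ in range(ticks):
        tokens = min(BURST, tokens + REFILL)      # refill, capped at burst
        want = sender.next_burst()
        passed = min(want, tokens // PKT)         # conforming packets
        tokens -= passed * PKT                    # the rest exceed and are dropped
        sender.feedback(want - passed)
        offered += want
        delivered += passed
    to_bps = PKT * 8 * TICKS_PER_SEC
    return offered * to_bps // ticks, delivered * to_bps // ticks


if __name__ == "__main__":
    print("udp-style:", simulate(ConstantRate(3_000_000)))
    print("tcp-style:", simulate(Aimd()))
```

With these assumed values the constant-rate source keeps offering 3 Mbps and loses about two thirds of it, while the AIMD source settles to offering roughly the policed rate.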

Thx

Enrico
