Notable Replies

  1. Very clear and concise explanation, thank you

  2. Thanks a lot for your excellent explanation…

  3. Hello Rene,

    I was very happy to find you had a lab on this subject. I went through this myself and everything worked as described, except in one area. When I moved the service policy off the FA0/0 interface and put it on the Tunnel 0 interface (and removed the qos pre-classify from the tunnel), the encapsulated IP header had the CS5 markings, but the outer header did not (as seen below):

    Outer:

    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))

    Inner:

    Differentiated Services Field: 0xa0 (DSCP 0x28: Class Selector 5; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))

    If I check the output from show policy-map interface tunnel 0, it shows my “interesting” traffic being identified and marked.

    With no service policy applied, if I do the extended ping commands (as you did), then both IP headers are marked with CS5 as expected.

    The only deviation I had from your lab was to use a policy-map set command of “set dscp cs5” instead of a police command:

    R1#sh policy-map
    Policy Map PM_ICMP
    Class CM_ICMP
    set dscp cs5

    Odd, huh?

  4. Hi None N
    I tested this scenario again (GNS3, IOS 15.1), and confirmed my prior results. It sure looks like your configuration is the same as mine. When you did your extended ping, you chose TOS of 96, right?

    Since all the config happens on R1, here’s the full config. If you paste this in and still get different results, try again using an IOS 15 version for R1 (mine is c7200-adventerprisek9-mz.152-4.M6).

    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname R1
    !
    boot-start-marker
    boot-end-marker
    !
    no aaa new-model
    no ip icmp rate-limit unreachable
    !
    no ip domain lookup
    ip cef
    no ipv6 cef
    !
    multilink bundle-name authenticated
    !
    redundancy
    !
    ip tcp synwait-time 5
    ip ssh version 1
    !
    class-map match-all CM_ICMP
     match access-group name ACL_ICMP
    !
    policy-map PM_ICMP
     class CM_ICMP
      set dscp cs5
    !
    interface Loopback0
     ip address 1.1.1.1 255.255.255.255
    !
    interface Tunnel0
     ip address 172.16.13.1 255.255.255.0
     tunnel source FastEthernet0/0
     tunnel destination 192.168.23.3
     service-policy output PM_ICMP
    !
    interface FastEthernet0/0
     ip address 192.168.12.1 255.255.255.0
     duplex auto
     speed auto
    !
    interface FastEthernet0/1
     no ip address
     shutdown
     duplex auto
     speed auto
    !
    ip forward-protocol nd
    no ip http server
    no ip http secure-server
    !
    ip route 3.3.3.3 255.255.255.255 172.16.13.3
    ip route 192.168.23.0 255.255.255.0 192.168.12.2
    !
    ip access-list extended ACL_ICMP
     permit icmp any any
    !
    no cdp log mismatch duplex
    !
    control-plane
    !
    mgcp profile default
    !
    gatekeeper
     shutdown
    !
    line con 0
     exec-timeout 0 0
     privilege level 15
     logging synchronous
     stopbits 1
    line aux 0
     exec-timeout 0 0
     privilege level 15
     logging synchronous
     stopbits 1
    line vty 0 4
     login
     transport input all
    !
    end

  5. Hello

    I used the example above and everything works until I apply encryption; now I notice that classification no longer works. Here are the configs from R1.
    The only things I changed were the routing protocol over the tunnel and adding a VTY password, and now I'm using VTI.
    When I classify based on the ESP header it works, as I see matches in my policy-map, but that's not very useful when you want to match specific traffic within the inner packet, as in this case Telnet, and police that traffic.

    R1#sh running-config
    Building configuration...

    Current configuration : 2198 bytes
    !
    ! Last configuration change at 06:50:33 UTC Thu Aug 11 2016
    !
    version 15.2
    service timestamps debug datetime msec
    service timestamps log datetime msec
    !
    hostname R1
    !
    boot-start-marker
    boot-end-marker
    !
    no aaa new-model
    no ip icmp rate-limit unreachable
    !
    no ip domain lookup
    ip cef
    no ipv6 cef
    !
    multilink bundle-name authenticated
    !
    ip tcp synwait-time 5
    !
    class-map match-all TELNET
     match access-group name TELNET
    class-map match-all GRE
     match access-group name GRE
    class-map match-all esp
     match access-group name esp
    !
    policy-map POLICE
     class TELNET
      police 128000
    !
    crypto isakmp policy 10
     authentication pre-share
    crypto isakmp key cisco address 0.0.0.0
    !
    crypto ipsec transform-set vpn esp-3des
     mode tunnel
    !
    crypto ipsec profile VTI
     set transform-set vpn
    !
    interface Loopback0
     ip address 1.1.1.1 255.255.255.0
    !
    interface Tunnel0
     ip address 172.16.13.1 255.255.255.0
     ip ospf 100 area 0
     qos pre-classify
     tunnel source FastEthernet0/0
     tunnel destination 192.168.23.3
     tunnel protection ipsec profile VTI
    !
    interface FastEthernet0/0
     ip address 192.168.12.1 255.255.255.0
     duplex full
     service-policy output POLICE
    !
    router eigrp 100
     network 192.168.12.0
     network 192.168.23.0
    !
    router ospf 100
     network 172.30.13.1 0.0.0.0 area 0
    !
    router bgp 100
     bgp log-neighbor-changes
     network 1.1.1.0 mask 255.255.255.0
     neighbor 172.16.13.3 remote-as 200
     neighbor 172.16.13.3 prefix-list TEST out
    !
    ip forward-protocol nd
    !
    no ip http server
    no ip http secure-server
    !
    ip access-list extended GRE
     permit gre any any
    ip access-list extended REMOTE
     permit tcp any any eq 5055
     deny   tcp any any eq telnet
    ip access-list extended TELNET
     permit tcp any any eq telnet
     permit tcp any any eq 5055
    ip access-list extended esp
     permit esp any any
    !
    ip prefix-list TEST seq 5 deny 1.1.1.0/24 le 32
    ip prefix-list TEST seq 10 permit 0.0.0.0/0 le 32
    !
    control-plane
    !
    line con 0
     exec-timeout 0 0
     privilege level 15
     logging synchronous
     stopbits 1
    line aux 0
     exec-timeout 0 0
     privilege level 15
     logging synchronous
     stopbits 1
    line vty 0 4
     access-class REMOTE in
     password cisco
     login
     rotary 55
    !
    end

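Added example (not from the original thread or the lab it discusses) for checking the symptoms in replies 3 and 5 offline: it parses a GRE-over-IPv4 packet, compares the outer DSCP with the inner one (the "ToS copied to the outer header" question from reply 3), and shows that for an ESP packet only the outer DSCP and the SPI are visible, which is why a policy applied after encryption can no longer match inner fields such as Telnet (reply 5). The sample packets are constructed here using the addresses from the configs above; the GRE parsing assumes plain GRE with the optional checksum/key/sequence fields.

```python
import struct

# DSCP values seen on this page (RFC 2474 class selectors) plus EF.
DSCP_NAMES = {0: "default", 8: "cs1", 16: "cs2", 24: "cs3", 32: "cs4",
              40: "cs5", 46: "ef", 48: "cs6", 56: "cs7"}

def dscp_name(dscp):
    return DSCP_NAMES.get(dscp, "dscp%d" % dscp)

def build_ipv4(tos, proto, src, dst, payload):
    """Constructed IPv4 header (no options, zero checksum) for sample packets."""
    addrs = [bytes(map(int, a.split("."))) for a in (src, dst)]
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(payload), 0, 0,
                       64, proto, 0, *addrs) + payload

def parse_ipv4(buf):
    """Return (DSCP, protocol, payload) for the IPv4 header at the start of buf."""
    ihl, tos, proto = (buf[0] & 0x0F) * 4, buf[1], buf[9]
    return tos >> 2, proto, buf[ihl:struct.unpack("!H", buf[2:4])[0]]

def analyse_tunnel_packet(buf):
    """GRE (proto 47): report outer vs inner DSCP and whether the ToS was copied.
    ESP (proto 50): the inner header is encrypted, so only the outer DSCP and the
    SPI are visible; any match on inner fields must happen before encryption."""
    outer_dscp, proto, payload = parse_ipv4(buf)
    result = {"outer_dscp": dscp_name(outer_dscp), "inner_dscp": None, "tos_copied": None}
    if proto == 47:
        flags = struct.unpack("!H", payload[:2])[0]          # C, R, K, S bits
        gre_len = 4 + 4 * bool(flags & 0x8000) + 4 * bool(flags & 0x2000) + 4 * bool(flags & 0x1000)
        inner_dscp, _, _ = parse_ipv4(payload[gre_len:])
        result["inner_dscp"] = dscp_name(inner_dscp)
        result["tos_copied"] = inner_dscp == outer_dscp
    elif proto == 50:
        result["esp_spi"] = struct.unpack("!I", payload[:4])[0]
    return result

# Constructed samples using the page's addresses: ICMP echo marked CS5 (ToS 0xA0)
# inside plain GRE, once with an unmarked outer header and once with the ToS copied.
ICMP_ECHO = bytes([8, 0, 0, 0, 0, 1, 0, 1]) + b"x" * 8
INNER = build_ipv4(0xA0, 1, "172.16.13.1", "3.3.3.3", ICMP_ECHO)
GRE = b"\x00\x00\x08\x00" + INNER                     # no C/K/S, protocol type 0x0800
PKT_OUTER_UNMARKED = build_ipv4(0x00, 47, "192.168.12.1", "192.168.23.3", GRE)
PKT_OUTER_COPIED = build_ipv4(0xA0, 47, "192.168.12.1", "192.168.23.3", GRE)
PKT_ESP = build_ipv4(0x00, 50, "192.168.12.1", "192.168.23.3",
                     struct.pack("!II", 0x1234, 1) + b"\x00" * 16)  # SPI, seq, ciphertext

if __name__ == "__main__":
    for name in ("PKT_OUTER_UNMARKED", "PKT_OUTER_COPIED", "PKT_ESP"):
        print(name, analyse_tunnel_packet(globals()[name]))
```

Run it against your own capture by feeding the raw IPv4 bytes of a tunnelled packet to analyse_tunnel_packet; an unmarked outer header with a CS5 inner header reproduces the result quoted in reply 3.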