01-20-2009 04:11 AM - edited 02-21-2020 03:13 AM
I have a DMVPN network and no QoS.
I want to implement QoS in the WAN network.
I use a Cisco 28xx router with IOS c2800nm-advipservicesk9-mz.124-22.T.bin; on the Tunnel interface there is no "service-policy output" command, only on GigabitEthernet.
This is my configuration:
class-map match-any MANAGEMENT
 match ip dscp cs6
 match protocol ssh
 match access-group 120
class-map match-all VOICE
 match ip dscp ef
class-map match-any CALL-SETUP
 match ip dscp af31
 match ip dscp cs3
!
!
policy-map DMVPN_policy
 description VoIPandDATA
 class VOICE
  priority percent 35
 class CALL-SETUP
  bandwidth percent 2
 class MANAGEMENT
  bandwidth percent 20
 class class-default
  fair-queue
  random-detect
policy-map SHAPER
 class class-default
  shape average 2048000
  service-policy DMVPN_policy
!
interface GigabitEthernet0/0
 service-policy output DMVPN_policy
 ip nbar protocol-discovery
!
interface Tunnel 11
 bandwidth 2048
 ip address x.x.x.x 255.255.0.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1400
 ip nbar protocol-discovery
 ip tcp adjust-mss 1360
 delay 1000
 qos pre-classify
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 11
 tunnel protection ipsec profile PROFILE shared
!
access-list 120 permit icmp any any
access-list 120 permit udp any any eq isakmp
access-list 120 permit tcp any any eq 22
access-list 120 permit tcp any eq 22 any
access-list 120 deny ip any any
Shaper SHAPER works correctly.
The question is related to "class-map match-any MANAGEMENT".
When I use ping (icmp), class-map MANAGEMENT and ACL 120 match it and this is fine, but when I use ssh, neither "match protocol ssh" nor ACL 120 matches ssh. I tested with telnet and it doesn't work either.
When I use:
#show policy-map interface gigabitEthernet 0/0
......
    Class-map: MANAGEMENT (match-any)
      8658 packets, 1072204 bytes
      30 second offered rate 0 bps, drop rate 0 bps
      Match: ip dscp cs6 (48)
        8643 packets, 1069564 bytes
        30 second rate 0 bps
      Match: protocol ssh
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: access-group 120
        15 packets, 2640 bytes
        30 second rate 0 bps
      Queueing
      queue limit 64 packets
      (queue depth/total drops/no-buffer drops) 0/0/0
      (pkts output/bytes output) 8650/1356496
      bandwidth 20% (20000 kbps)
........
class-map MANAGEMENT matches cs6 (EIGRP) and matches the ACL, but only icmp matches:
#show access-lists
....
Extended IP access list 120
    10 permit icmp any any (15 matches)
    30 permit udp any any eq isakmp
    40 permit tcp any any eq 22
    50 permit tcp any eq 22 any
    60 deny ip any any (14 matches)
....
No SSH or Telnet.
Can anyone help me?
Thanks in advance.
01-21-2009 06:11 AM
Hi,
I stumbled on the same thing a few months ago. Made some tests; it seems like you can match on the IP header only (not the TCP). Bizarre that you can have a match on an encrypted packet...
The best way to go in this case is to classify your packets when they enter the router using DSCP. When leaving your router, only use DSCP to match packets.
01-21-2009 09:34 AM
I've never used QoS pre-classify, but from its documentation, I suspect Dominic is correct, i.e., only the IP header is copied.
You could mark packets upon router ingress or perhaps on tunnel egress, and then, as Dominic also suggests, use DSCP ToS on physical egress.
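The approach both replies describe, written out as an added example (this is not the poster's configuration and not tested on that IOS release). It assumes GigabitEthernet0/1 is the LAN-facing interface and that DSCP cs2 is free to use for management traffic, so it is not mixed with the cs6 used by EIGRP.

```cisco
! Added example, not the poster's configuration.
! Assumptions: GigabitEthernet0/1 is the LAN side; DSCP cs2 is otherwise unused.
!
! 1. Classify on LAN ingress, where the cleartext TCP header and NBAR
!    protocol are still visible, and mark the packet with a DSCP value.
class-map match-any MGMT-INGRESS
 match protocol ssh
 match protocol telnet
 match access-group 120
!
policy-map MARK-LAN-IN
 class MGMT-INGRESS
  set ip dscp cs2
!
interface GigabitEthernet0/1
 description LAN side (assumed)
 service-policy input MARK-LAN-IN
!
! 2. On the WAN side match only DSCP: the ToS byte of the inner IP header is
!    what qos pre-classify still exposes after encryption; TCP ports are not.
!    The ACL match is kept only for traffic that never enters the tunnel
!    (ISAKMP to the peer, ICMP whose protocol number sits in the IP header).
class-map match-any MANAGEMENT
 match ip dscp cs6
 match ip dscp cs2
 match access-group 120
!
policy-map DMVPN_policy
 class MANAGEMENT
  bandwidth percent 20
!
interface GigabitEthernet0/0
 service-policy output SHAPER
```

Verify with "show policy-map interface GigabitEthernet0/1 input" that MGMT-INGRESS now counts SSH packets, and with "show policy-map interface GigabitEthernet0/0" that they appear under the "ip dscp cs2" match on egress. Sessions the router itself originates never cross the LAN ingress policy, so they are only caught by the DSCP or ACL matches on egress.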