Could anybody help me understand the following example taken from cisco.com (DMVPN SRND) and mentioned there as a "best practice":
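class-map match-any voice
class-map match-any mission-critical
! Other classes
policy-map my-policy
 class voice
  priority percent 20
 class mission-critical
  priority percent 40
policy-map my-shaper
 class class-default
  shape average 256000
  service-policy my-policy
interface fa0/0
 service-policy output my-shaper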
Shaping is used here because not all bandwidth of fa0/0 is available (ISP polices our traffic). Inside the shaper, the voice and mission-critical classes should have priority treatment.
Unfortunately it simply doesn't work (IOS 12.4(5)). ALL traffic classes are shaped equally. ALL packets (voice, data, etc.) go to the shaper buffers in FIFO order (!), are delayed there (!) and are then processed by the inner policy-map (my-policy). Policy-map my-shaper has no idea about the priorities of the classes in the inner policy-map (my-policy). This is not good for voice, to say the least.
I've verified this with IPSec (DMVPN) and without IPSec configured, so this is not an IPSec problem, it is a QoS problem.
Can anybody tell me whether this is a bug or a feature? Are there workarounds?
Also, does anybody know why "match protocol" is not working with the IPSec qos-preclassify feature ("match access-group" works well)? As far as I know, "match protocol icmp" doesn't mean that NBAR (which is not supported with IPSec) must be used by the router to classify traffic. In this simple case the router can classify traffic by the Protocol field in the IP header, right? Am I mistaken?
I assume the second post with nearly the same content answered most of your questions.
Just to note: "match protocol" with any protocol mentioned IS using NBAR. You are right one could detect ICMP by other means than NBAR on a router, but the command "match protocol icmp" is instructing the router to use NBAR for protocol classification.
As you already know, it is currently not supported with IPSec and therefore cannot be used in your environment.
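
The classification point discussed in this thread, as an added configuration example that is not part of either post or of the Cisco design guide: the NBAR-based match beside an ACL-based match on the IP Protocol field, which is the "match access-group" form the question reports as working with qos pre-classify. The names icmp-nbar, icmp-acl, ICMP-ACL and Tunnel0, and the 5 percent bandwidth value, are assumptions chosen for illustration.

```cisco
! NBAR-based match: "match protocol" invokes NBAR, which the thread
! notes is not supported together with IPSec.
class-map match-any icmp-nbar
 match protocol icmp
!
! ACL-based match: the extended ACL selects on the Protocol field of
! the IP header, so no NBAR inspection is involved.
ip access-list extended ICMP-ACL
 permit icmp any any
!
class-map match-any icmp-acl
 match access-group name ICMP-ACL
!
! Reference the ACL-based class from the inner policy (my-policy is
! the policy-map name used in the question).
policy-map my-policy
 class icmp-acl
  bandwidth percent 5
!
! qos pre-classify keeps a copy of the original (pre-encryption) header
! so the output policy can still match on it after IPSec encapsulation.
interface Tunnel0
 qos pre-classify
```

`show policy-map interface` on the physical interface shows per-class packet counters, which confirms whether traffic is landing in icmp-acl rather than class-default.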