problem with marking thu VPN

MACattackMACattack Member Posts: 121
Hi, I need a little help. I am trying to mark an icmp packet that was been mark from its orign and should be mark when received from the tunnel interface from its destination.

for example:
from router A I send ICMP message to Router B
From Router A it is mark with dscp af13 as I used a acl to match
From Router B it has been detected that it is mark with dscp af13 and I have a policy that when it I received af13 again I want to mark the traffic.

here's my config

On R1:
R1#sh run
Building configuration...

Current configuration : 1955 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
enable password cisco
!
no aaa new-model
ip subnet-zero
!
!
ip cef
ip host R2 192.168.1.2
!
ip audit po max-events 100
!
!!
class-map match-all icmp_test_mark
match access-group 102
!
!
policy-map icmp_test
class icmp_test_mark
set dscp af13
!
!
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 5
crypto isakmp key cisco address 192.168.1.2
!
!
crypto ipsec transform-set aes-sha esp-aes esp-sha-hmac
!
crypto map vpn 10 ipsec-isakmp
description R1 to R2
set peer 192.168.1.2
set transform-set aes-sha
match address 101
qos pre-classify
!

!
interface Loopback0
ip address 172.16.1.1 255.255.255.255
!
interface Tunnel0
ip address 1.1.1.1 255.255.255.252
qos pre-classify
keepalive 10 3
tunnel source Serial1/0
tunnel destination 192.168.1.2
!
interface FastEthernet0/0
no ip address
shutdown
duplex half
!
interface Serial1/0
ip address 192.168.1.1 255.255.255.252
serial restart-delay 0
crypto map vpn
service-policy output icmp_test
!
interface Serial1/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/3
no ip address
shutdown
serial restart-delay 0
!
router eigrp 10
passive-interface Serial1/0
network 1.1.1.0 0.0.0.3
network 172.16.1.0 0.0.0.255
network 192.168.1.0 0.0.0.3
no auto-summary
!
ip classless
no ip http server
no ip http secure-server
!
!
access-list 101 permit gre host 192.168.1.1 host 192.168.1.2
access-list 102 permit icmp host 172.16.1.1 host 172.16.2.1
!

!
gatekeeper
shutdown
!
!
line con 0
exec-timeout 0 0
password cisco
logging synchronous
login
stopbits 1
line aux 0
stopbits 1
line vty 0 4
password cisco
login
line vty 5 15
password cisco
login
!
!
end



R2's config

R2#sh running-config
Building configuration...

Current configuration : 1864 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
enable password cisco
!
no aaa new-model
ip subnet-zero
!
!
ip cef
ip host R1 192.168.1.1
!
ip audit po max-events 100
!
!
!
!
!
!
!
!
!
!
!
!
!
!
class-map match-any icmp_rec_mark
match ip dscp af13
!
!
policy-map icmp_mark
class icmp_rec_mark
set dscp af21
!
!
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 5
crypto isakmp key cisco address 192.168.1.1
!
!
crypto ipsec transform-set aes-sha esp-aes esp-sha-hmac
!
crypto map vpn 10 ipsec-isakmp
description R2 to R1
set peer 192.168.1.1
set transform-set aes-sha
match address 102
qos pre-classify
!
!
!
!
interface Loopback0
ip address 172.16.2.1 255.255.255.0
!
interface Tunnel0
ip address 1.1.1.2 255.255.255.252
qos pre-classify
keepalive 10 3
tunnel source Serial1/0
tunnel destination 192.168.1.1
!
interface FastEthernet0/0
no ip address
shutdown
duplex half
!
interface Serial1/0
ip address 192.168.1.2 255.255.255.252
serial restart-delay 0
crypto map vpn
service-policy input icmp_mark
!
interface Serial1/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/3
no ip address
shutdown
serial restart-delay 0
!
router eigrp 10
passive-interface Serial1/0
network 1.1.1.0 0.0.0.3
network 172.16.2.0 0.0.0.255
network 192.168.1.0 0.0.0.3
no auto-summary
!
ip classless
no ip http server
no ip http secure-server
!
!
access-list 102 permit gre host 192.168.1.2 host 192.168.1.1
!
!
!
!
!
!
gatekeeper
shutdown
!
!
line con 0
exec-timeout 0 0
logging synchronous
stopbits 1
line aux 0
stopbits 1
line vty 0 4
password cisco
login
line vty 5 15
password cisco
login
!
!
end


The Show policy int s1/0 from R1:
R1#ping 172.16.2.1 source 172.16.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.2.1, timeout is 2 seconds:
Packet sent with a source address of 172.16.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/25/52 ms
R1#show policy-map interface serial 1/0
Serial1/0

Service-policy output: icmp_test

Class-map: icmp_test_mark (match-all)
5 packets, 940 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: access-group 102
QoS Set
dscp af13
Packets marked 5

Class-map: class-default (match-any)
6 packets, 829 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any

From Show policy from R2
R2#show policy-map interface serial 1/0
Serial1/0

Service-policy input: icmp_mark

Class-map: icmp_rec_mark (match-any)
5 packets, 940 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: ip dscp af13 (14)
5 packets, 940 bytes
5 minute rate 0 bps
QoS Set
dscp af21
Packets marked 0

Class-map: class-default (match-any)
13 packets, 1388 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any

"AS THE ABOVE OUTPUT IT HAS BEEN DETECTED BUT IT IS NOT MARKED"

I hope somebody will help me. Thanks

Comments

  • MACattackMACattack Member Posts: 121
    even changing the set ip dscp af21
    it is not marking but it has been classified:

    R2#show policy-map interface serial 1/0
    Serial1/0

    Service-policy input: icmp_mark

    Class-map: icmp_rec_mark (match-any)
    0 packets, 0 bytes
    5 minute offered rate 0 bps, drop rate 0 bps
    Match: ip dscp af13 (14)
    0 packets, 0 bytes
    5 minute rate 0 bps
    QoS Set
    dscp af21
    Packets marked 0

    Class-map: class-default (match-any)
    6 packets, 528 bytes
    5 minute offered rate 0 bps, drop rate 0 bps
    Match: any
    R2#show policy-map interface serial 1/0
    Serial1/0

    Service-policy input: icmp_mark

    Class-map: icmp_rec_mark (match-any)
    5 packets, 940 bytes
    5 minute offered rate 0 bps, drop rate 0 bps
    Match: ip dscp af13 (14)
    5 packets, 940 bytes
    5 minute rate 0 bps
    QoS Set
    dscp af21
    Packets marked 0

    Class-map: class-default (match-any)
    37 packets, 3692 bytes
    5 minute offered rate 1000 bps, drop rate 0 bps
    Match: any
    R2#
Sign In or Register to comment.