Problem with marking through VPN
Hi, I need a little help. I am trying to mark an ICMP packet that has already been marked at its origin and should be marked again when it is received from the tunnel interface at its destination.
For example:
From router A I send an ICMP message to router B.
From router A it is marked with DSCP af13, as I used an ACL to match it.
On router B it has been detected that it is marked with DSCP af13, and I have a policy so that when I receive af13 I want to mark the traffic again.
Here's my config.
On R1:
R1#sh run
Building configuration...
Current configuration : 1955 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
enable password cisco
!
no aaa new-model
ip subnet-zero
!
!
ip cef
ip host R2 192.168.1.2
!
ip audit po max-events 100
!
!!
class-map match-all icmp_test_mark
match access-group 102
!
!
policy-map icmp_test
class icmp_test_mark
set dscp af13
!
!
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 5
crypto isakmp key cisco address 192.168.1.2
!
!
crypto ipsec transform-set aes-sha esp-aes esp-sha-hmac
!
crypto map vpn 10 ipsec-isakmp
description R1 to R2
set peer 192.168.1.2
set transform-set aes-sha
match address 101
qos pre-classify
!
!
interface Loopback0
ip address 172.16.1.1 255.255.255.255
!
interface Tunnel0
ip address 1.1.1.1 255.255.255.252
qos pre-classify
keepalive 10 3
tunnel source Serial1/0
tunnel destination 192.168.1.2
!
interface FastEthernet0/0
no ip address
shutdown
duplex half
!
interface Serial1/0
ip address 192.168.1.1 255.255.255.252
serial restart-delay 0
crypto map vpn
service-policy output icmp_test
!
interface Serial1/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/3
no ip address
shutdown
serial restart-delay 0
!
router eigrp 10
passive-interface Serial1/0
network 1.1.1.0 0.0.0.3
network 172.16.1.0 0.0.0.255
network 192.168.1.0 0.0.0.3
no auto-summary
!
ip classless
no ip http server
no ip http secure-server
!
!
access-list 101 permit gre host 192.168.1.1 host 192.168.1.2
access-list 102 permit icmp host 172.16.1.1 host 172.16.2.1
!
!
gatekeeper
shutdown
!
!
line con 0
exec-timeout 0 0
password cisco
logging synchronous
login
stopbits 1
line aux 0
stopbits 1
line vty 0 4
password cisco
login
line vty 5 15
password cisco
login
!
!
end
R2's config
R2#sh running-config
Building configuration...
Current configuration : 1864 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
enable password cisco
!
no aaa new-model
ip subnet-zero
!
!
ip cef
ip host R1 192.168.1.1
!
ip audit po max-events 100
!
!
!
!
!
!
!
!
!
!
!
!
!
!
class-map match-any icmp_rec_mark
match ip dscp af13
!
!
policy-map icmp_mark
class icmp_rec_mark
set dscp af21
!
!
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 5
crypto isakmp key cisco address 192.168.1.1
!
!
crypto ipsec transform-set aes-sha esp-aes esp-sha-hmac
!
crypto map vpn 10 ipsec-isakmp
description R2 to R1
set peer 192.168.1.1
set transform-set aes-sha
match address 102
qos pre-classify
!
!
!
!
interface Loopback0
ip address 172.16.2.1 255.255.255.0
!
interface Tunnel0
ip address 1.1.1.2 255.255.255.252
qos pre-classify
keepalive 10 3
tunnel source Serial1/0
tunnel destination 192.168.1.1
!
interface FastEthernet0/0
no ip address
shutdown
duplex half
!
interface Serial1/0
ip address 192.168.1.2 255.255.255.252
serial restart-delay 0
crypto map vpn
service-policy input icmp_mark
!
interface Serial1/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/3
no ip address
shutdown
serial restart-delay 0
!
router eigrp 10
passive-interface Serial1/0
network 1.1.1.0 0.0.0.3
network 172.16.2.0 0.0.0.255
network 192.168.1.0 0.0.0.3
no auto-summary
!
ip classless
no ip http server
no ip http secure-server
!
!
access-list 102 permit gre host 192.168.1.2 host 192.168.1.1
!
!
!
!
!
!
gatekeeper
shutdown
!
!
line con 0
exec-timeout 0 0
logging synchronous
stopbits 1
line aux 0
stopbits 1
line vty 0 4
password cisco
login
line vty 5 15
password cisco
login
!
!
end
The show policy-map interface s1/0 from R1:
R1#ping 172.16.2.1 source 172.16.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.2.1, timeout is 2 seconds:
Packet sent with a source address of 172.16.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/25/52 ms
R1#show policy-map interface serial 1/0
Serial1/0
Service-policy output: icmp_test
Class-map: icmp_test_mark (match-all)
5 packets, 940 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: access-group 102
QoS Set
dscp af13
Packets marked 5
Class-map: class-default (match-any)
6 packets, 829 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any
The show policy-map interface from R2:
R2#show policy-map interface serial 1/0
Serial1/0
Service-policy input: icmp_mark
Class-map: icmp_rec_mark (match-any)
5 packets, 940 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: ip dscp af13 (14)
5 packets, 940 bytes
5 minute rate 0 bps
QoS Set
dscp af21
Packets marked 0
Class-map: class-default (match-any)
13 packets, 1388 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any
"AS THE ABOVE OUTPUT IT HAS BEEN DETECTED BUT IT IS NOT MARKED"
I hope somebody will help me. Thanks
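The two show outputs above are what one compares by hand: R1 reports 5 packets marked, while R2 reports 5 packets matched on ip dscp af13 but "Packets marked 0". As an added example (not code from the post or from the router), this Python script parses that flattened show policy-map interface output and lists every class that classified traffic but marked none of it; the input is R2's output reproduced from the post:

```python
import re

# R2's "show policy-map interface serial 1/0" output, reproduced from the post above.
# Lines are stripped before matching, so the indentation lost in the forum paste does not matter.
R2_OUTPUT = """\
Serial1/0
Service-policy input: icmp_mark
Class-map: icmp_rec_mark (match-any)
5 packets, 940 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: ip dscp af13 (14)
5 packets, 940 bytes
5 minute rate 0 bps
QoS Set
dscp af21
Packets marked 0
Class-map: class-default (match-any)
13 packets, 1388 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any
"""

CLASS_RE = re.compile(r"Class-map:\s+(\S+)")
PKTS_RE = re.compile(r"^(\d+) packets, \d+ bytes")
MARKED_RE = re.compile(r"Packets marked (\d+)")

def parse_classes(text):
    """Return one dict per class-map: name, class packet counter, set action, marked counter."""
    classes, cls, in_set = [], None, False
    for line in (l.strip() for l in text.splitlines()):
        if m := CLASS_RE.match(line):
            cls = {"name": m.group(1), "packets": None, "set": None, "marked": None}
            classes.append(cls)
            in_set = False
        elif cls is None:
            continue                               # header lines before the first class
        elif (m := PKTS_RE.match(line)) and cls["packets"] is None:
            cls["packets"] = int(m.group(1))       # first counter is the class total, not the Match counter
        elif line == "QoS Set":
            in_set = True
        elif in_set and cls["set"] is None:
            cls["set"] = line                      # e.g. "dscp af21"
        elif m := MARKED_RE.match(line):
            cls["marked"] = int(m.group(1))
    return classes

def classified_but_unmarked(text):
    """Names of classes with a set action that matched packets but report zero marks."""
    return [c["name"] for c in parse_classes(text)
            if c["set"] and c["packets"] and c["marked"] == 0]
```

Running classified_but_unmarked(R2_OUTPUT) returns ['icmp_rec_mark'], i.e. exactly the class the post complains about; class-default has no set action and is ignored.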
Comments
-
MACattack:
Even after changing it to set ip dscp af21, it is not marking, but it has been classified:
R2#show policy-map interface serial 1/0
Serial1/0
Service-policy input: icmp_mark
Class-map: icmp_rec_mark (match-any)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: ip dscp af13 (14)
0 packets, 0 bytes
5 minute rate 0 bps
QoS Set
dscp af21
Packets marked 0
Class-map: class-default (match-any)
6 packets, 528 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any
R2#show policy-map interface serial 1/0
Serial1/0
Service-policy input: icmp_mark
Class-map: icmp_rec_mark (match-any)
5 packets, 940 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: ip dscp af13 (14)
5 packets, 940 bytes
5 minute rate 0 bps
QoS Set
dscp af21
Packets marked 0
Class-map: class-default (match-any)
37 packets, 3692 bytes
5 minute offered rate 1000 bps, drop rate 0 bps
Match: any
R2#