QOS pre-classify

When packets pass through a VPN, the original IP header is encapsulated. For eg, in case of GRE tunnel, GRE is the encapsulation protocol and IP becomes the passenger protocol, ofcourse using IP again as the transport protocol.

Original Packet

IP

TCP

Data

After entering the VPN tunnel

New IP Header

Encrypted Original Packet

However Cisco IOS has a feature, in which it copies the TOS byte of the original IP header to new IP Header. This is good, because intermediate nodes can examine the TOS byte for classification purpose, but are unable to use a multifield classifer, which examines more than just the TOS byte for classifcation purposes.


Qos Preclassify, allows the router which starts the encapsulation and encryption to examine more than the TOS byte. With the Qos Preclassify, it stores headers of the original packet before encapsulation and encrytion in memory. This helps in classifying based on multi field classifiers.

Copied directly from http://www.cisco.com/en/US/tech/tk543/tk545/technologies_tech_note09186a008017405e.shtml
----------------------------------------------------

Where Do I Apply the Service Policy?

You can apply a service policy to either the tunnel interface or to the underlying physical interface. The decision of where to apply the policy depends on the QoS objectives. It also depends on which header you need to use for classification.

• Apply the policy to the tunnel interface without qos-preclassify when you want to classify packets based on the pre-tunnel header.

• Apply the policy to the physical interface without qos-preclassify when you want to classify packets based on the post-tunnel header. In addition, apply the policy to the physical interface when you want to shape or police all traffic belonging to a tunnel, and the physical interface supports several tunnels.

• Apply the policy to a physical interface and enable qos-preclassify on a tunnel interface when you want to classify packets based on the pre-tunnel header.

----------------------------------------------------

Lets verify the usage of qos-preclassify in as mentioned above with out example topology below

3640a class-map match-all TELNET match access-group 102 ! ! policy-map telnetmap class TELNET interface Tunnel0 ip address 11.0.0.2 255.255.255.0 load-interval 30 tunnel source Ethernet0/0 tunnel destination 192.168.1.18 interface Ethernet0/0 ip address 192.168.1.17 255.255.255.0 half-duplex ip route 12.0.0.1 255.255.255.255 11.0.0.1 access-list 102 permit tcp any host 12.0.0.1 eq telnet

2610xm interface Loopback0 ip address 12.0.0.1 255.255.255.255 ! interface Tunnel0 ip address 11.0.0.1 255.255.255.0 tunnel source FastEthernet0/0 tunnel destination 192.168.1.17 ! interface FastEthernet0/0 ip address 192.168.1.18 255.255.255.0 duplex auto speed auto line vty 0 4 password telnet login

Case 1) Apply the policy to the tunnel interface without qos-preclassify when you want to classify packets based on the pre-tunnel header.

Our match statement above is multi field classifier in class-map TELNET , it has to examine more than the TOS byte to classify packets based on the access-group 102.

3640a(config)#int tunnel 0 3640a(config-if)#service-policy output telnetmap 3640a(config-if)#^Z --Generate telnet traffic 3640a#telnet 12.0.0.1 Trying 12.0.0.1 ... Open User Access Verification Password: 2610XM>exit [Connection to 12.0.0.1 closed by foreign host] 3640a#show policy-map int tunnel 0 Tunnel0 Service-policy output: telnetmap Class-map: TELNET (match-all) 30 packets, 1255 bytes 30 second offered rate 0 bps Match: access-group 102 Class-map: class-default (match-any) 0 packets, 0 bytes 30 second offered rate 0 bps, drop rate 0 bps Match: any 3640a#

By applying the policy-map to the tunnel interface and generating the telnet traffic to 2610xm, we can see that it classifies packets based on our class-map TELNET rather than class-default, which means the tunnel interface is able to read the pre-tunnel header to perform a multi field classification.


Case 2)Apply the policy to the physical interface without qos-preclassify when you want to classify packets based on the post-tunnel header.

Now we need to apply the service-policy command to the physical interface (remove from the tunnel interface) and it should only be able to the see the post-tunnel header, unable to classify packets based on class-map TELNET. Make sure you issue a clear counters to get a clean slate when using show policy-map int command

3640a(config)#int e0/0 3640a(config-if)#service-policy output telnetmap 3640a(config-if)# --Generate telnet traffic 3640a#telnet 12.0.0.1 Trying 12.0.0.1 ... Open User Access Verification Password: 2610XM>exit [Connection to 12.0.0.1 closed by foreign host] 3640a# 3640a#show policy-map int e0/0 Ethernet0/0 Service-policy output: telnetmap Class-map: TELNET (match-all) 0 packets, 0 bytes 5 minute offered rate 0 bps Match: access-group 102 Class-map: class-default (match-any) 26 packets, 2040 bytes 5 minute offered rate 1000 bps, drop rate 0 bps Match: any 3640a#

As seen, it could not classify packets because the original IP header has been encapsulated, hence all traffic (telnet) matched the class-default.


3) Apply the policy to a physical interface and enable qos-preclassify on a tunnel interface when you want to classify packets based on the pre-tunnel header.
Below will be the output of the show policy-map interface, after adding qos-preclassify to the tunnel interface.

3640a#sh policy-map int e0/0 Ethernet0/0 Service-policy output: telnetmap Class-map: TELNET (match-all) 24 packets, 1920 bytes 5 minute offered rate 0 bps Match: access-group 102 Class-map: class-default (match-any) 3 packets, 180 bytes 5 minute offered rate 0 bps, drop rate 0 bps Match: any 3640a#

As said, it could successfully classify based on class-map TELNET.

IP NAT OUTSIDE

Requirements
1) R1 only accepts connections from 172.30.1.0/24 network
2) R2 sees R1 only as 192.168.1.0/24 node (i.e 192.168.1.200)


First starting with basic interface configs

R2#sh run int f0/23 Building configuration... Current configuration : 89 bytes ! interface FastEthernet0/23 no switchport ip address 192.168.1.104 255.255.255.0 end R1#sh run int e0 Building configuration... Current configuration : 88 bytes ! interface Ethernet0 ip address 172.30.1.2 255.255.255.0 ip access-group 101 in end access-list 101 permit ip 172.30.1.0 0.0.0.255 any

NAT_ROUTER#sh run int e0/0 Building configuration... interface Ethernet0/0 description connection to R1 ip address 172.30.1.1 255.255.255.0 ip nat inside ip virtual-reassembly half-duplex end interface Ethernet0/1 description connection to R2 ip address 192.168.1.100 255.255.255.0 ip nat outside ip virtual-reassembly half-duplex end ip nat inside source static 172.30.1.2 192.168.1.200

As you would already noticed R2, is a Cat 3550 switch. We have finished designating the nat inside and outside interfaces. Also notice the access-list 101 on R1 E0 interface permitting only connections from 172.30.1.0/24 subnet. Also notice the static translation 172.30.1.2 ----> 192.168.1.200

Lets verify connection from R2 to R1

R2#ping 192.168.1.200 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 192.168.1.200, timeout is 2 seconds: ..... Success rate is 0 percent (0/5) R2#

*Mar 1 03:14:34.587: ICMP: dst (172.30.1.2) administratively prohibited unreachable sent to 192.168.1.104 R1# *Mar 1 03:14:36.587: ICMP: dst (172.30.1.2) administratively prohibited unreachable sent to 192.168.1.104 R1# *Mar 1 03:14:38.587: ICMP: dst (172.30.1.2) administratively prohibited unreachable sent to 192.168.1.104 R1# *Mar 1 03:14:40.587: ICMP: dst (172.30.1.2) administratively prohibited unreachable sent to 192.168.1.104 R1#

Thats right R3 only accepts connections from 172.30.1.0/24 subnet. So lets add the ip nat outside statement on the nat router.

NAT_ROUTER(config)#access-list 102 permit ip 192.168.1.0 0.0.0.255 any NAT_ROUTER(config)#ip nat pool poolout 172.30.1.3 172.30.1.254 netmask 255.255.255.0 NAT_ROUTER(config)#ip nat outside source list 102 pool poolout

Please note that when a source list, which specifies an access-list is used, the outside global address must be matched to an outside local pool, specified by pool keyword. Lets try the test again

R2#ping 192.168.1.200 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 192.168.1.200, timeout is 2 seconds: ..... Success rate is 0 percent (0/5) R2#

Well it's still not working! Let take a closer look at R1 and NAT_ROUTER

*Mar 1 03:21:06.143: ICMP: echo reply sent, src 172.30.1.2, dst 172.30.1.6 R1# *Mar 1 03:21:08.143: ICMP: echo reply sent, src 172.30.1.2, dst 172.30.1.6 R1# *Mar 1 03:21:10.143: ICMP: echo reply sent, src 172.30.1.2, dst 172.30.1.6 R1# *Mar 1 03:21:12.143: ICMP: echo reply sent, src 172.30.1.2, dst 172.30.1.6 R1# *Mar 1 03:21:14.143: ICMP: echo reply sent, src 172.30.1.2, dst 172.30.1.6 R1#

It seems like the NAT_ROUTER translated the outside global address (192.168.1.104) orginating from R2's f0/23 interface is mapped to an outside local address 172.30.1.6 and sent to R1. R1 did reply as indicated the debug ip icmp messages on R1. Obviously the echo reply has not reached R2. Let's examine the NAT_ROUTER

NAT_ROUTER# *Mar 14 21:04:47.547: IP: tableid=0, s=172.30.1.2 (Ethernet0/0), d=172.30.1.6 (Ethernet0/0), routed via RIB *Mar 14 21:04:47.551: IP: s=172.30.1.2 (Ethernet0/0), d=172.30.1.6 (Ethernet0/0), len 100, rcvd 3 *Mar 14 21:04:47.551: ICMP: echo reply rcvd, src 172.30.1.2, dst 172.30.1.6 NAT_ROUTER# *Mar 14 21:04:49.547: IP: tableid=0, s=172.30.1.2 (Ethernet0/0), d=172.30.1.6 (Ethernet0/0), routed via RIB *Mar 14 21:04:49.551: IP: s=172.30.1.2 (Ethernet0/0), d=172.30.1.6 (Ethernet0/0), len 100, rcvd 3 *Mar 14 21:04:49.551: ICMP: echo reply rcvd, src 172.30.1.2, dst 172.30.1.6

The NAT_ROUTER also shows it correctly forwarded the icmp echo reply from 172.30.1.2 (R1) to 172.30.1.6.

NAT_ROUTER#sh ip nat translations Pro Inside global Inside local Outside local Outside global --- --- --- 172.30.1.3 192.168.1.100 --- --- --- 172.30.1.6 192.168.1.104 --- 192.168.1.200 172.30.1.2 --- --- NAT_ROUTER#

As seen from above command, there is a mapping from 172.30.1.6 --> 192.168.1.104 (R2's F0/23 int). However, the traffic was not routed to R2. This because the add-route keyword in the ip nat outside was not configured.

Let's make the change on NAT_ROUTER

NAT_ROUTER(config)#no ip nat outside source list 102 pool poolout NAT_ROUTER(config)#ip nat outside source list 102 pool poolout add-route

Lets test connectivty from R2 again

R2#ping 192.168.1.200 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 192.168.1.200, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 8/11/12 ms

So what did the add-route keyword on the NAT_ROUTER do. Well to answer the question, we need to examine the routing table on NAT_ROUTER

NAT_ROUTER#sh ip route Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2 i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2 ia - IS-IS inter area, * - candidate default, U - per-user static route o - ODR, P - periodic downloaded static route Gateway of last resort is 192.168.1.254 to network 0.0.0.0 172.30.0.0/16 is variably subnetted, 3 subnets, 2 masks S 172.30.1.3/32 [1/0] via 192.168.1.104 C 172.30.1.0/24 is directly connected, Ethernet0/0 S 172.30.1.7/32 [1/0] via 192.168.1.100 C 192.168.1.0/24 is directly connected, Ethernet0/1 S* 0.0.0.0/0 [1/0] via 192.168.1.254 NAT_ROUTER#sh ip nat translations Pro Inside global Inside local Outside local Outside global --- --- --- 172.30.1.3 192.168.1.104 --- --- --- 172.30.1.7 192.168.1.100 --- 192.168.1.200 172.30.1.2 --- --- NAT_ROUTER#

*The outside local --> Outside global mapping changed because we issued no ip nat pool statement in the previous, which cleared the translations. It has automatically added a host route pointing the outside local address to the outside global address, which was not present before.

Study Update

Well, at present I am reading Cisco QOS Exam certification guide. Previously, I had not bought Internet Routing Architectures, the definitive guide to BGP. I couldnt do without it, also I realised by reading that I am somewhere there to the SP track. Well, I guess I am getting ahead of myself here (havent even finished R&S and there he goes talking about SP). My love for MPLS and other service provider technologies is a hint to where I am heading. Hopefully the new year will bring something I always yearned for!