组网及说明
MSR======ipsec=======MSR
问题描述
MSR设备 做ipsec vpn时,基于ipsec的流量做qos 流通时的acl调用情况实验室测试如下:
版本:Release 0707P16 其余版本测试接口基本一致
MSR1:内网地址10.1.1.1 ,wan口地址100.1.1.1
MSR2: 内网地址10.1.2.1 ,wan口地址100.1.1.2
配置:
|
MSR1 |
MSR2 |
|
# traffic classifier 1 operator and if-match acl 3001 # traffic behavior 1 filter permit # qos policy 1 classifier 1 behavior 1 # interface LoopBack0 ip address 10.1.1.1 255.255.255.0 # interface GigabitEthernet0/0 port link-mode route description Single_Line1 ip address 100.1.1.1 255.255.255.0 qos apply policy 1 inbound qos apply policy 1 outbound ipsec apply policy map1 # ip route-static 0.0.0.0 0 100.1.1.2 # acl advanced 3000 rule 0 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255 # acl advanced 3001 rule 0 permit ip source 10.1.1.1 0 destination 10.1.2.1 0 rule 10 permit ip source 10.1.2.1 0 destination 10.1.1.1 0 # ipsec transform-set tran1 esp encryption-algorithm aes-cbc-128 esp authentication-algorithm sha1 # ipsec policy map1 10 isakmp transform-set tran1 security acl 3000 local-address 100.1.1.1 remote-address 100.1.1.2 ike-profile profile1 # ike profile profile1 keychain keychain1 match remote identity address 100.1.1.2 255.255.255.0 # ike keychain keychain1 pre-shared-key address 100.1.1.2 255.255.255.0 key cipher $c$3$hGd/G70U2sNc62XvPnFTJ+FaK+vre8zqsA== |
# interface LoopBack0 ip address 10.1.2.1 255.255.255.0 # interface GigabitEthernet0/0 port link-mode route ip address 100.1.1.2 255.255.255.0 ipsec apply policy use1 # ip route-static 0.0.0.0 0 100.1.1.1 # acl advanced 3000 rule 0 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255 # ipsec transform-set tran1 esp encryption-algorithm aes-cbc-128 esp authentication-algorithm sha1 # ipsec policy use1 10 isakmp transform-set tran1 security acl 3000 local-address 100.1.1.2 remote-address 100.1.1.1 ike-profile profile1 # ike profile profile1 keychain keychain1 match remote identity address 100.1.1.1 255.255.255.0 # ike keychain keychain1 pre-shared-key address 100.1.1.1 255.255.255.0 key cipher $c$3$UwmBOA4QAvEHrnXloqrbHyRYL0j1Zmez4g== |
测试1:基于内网地址做qos
<830>dis ike sa
Connection-ID Remote Flag DOI
------------------------------------------------------------------
9 100.1.1.2 RD IPsec
<830>dis ipsec sa brief
-----------------------------------------------------------------------------
Interface/Global Dst Address SPI Protocol Status
-----------------------------------------------------------------------------
GE0/0 100.1.1.2 3613014362 ESP Active
GE0/0 100.1.1.1 4167624094 ESP Active
GE0/0 100.1.1.2 1670495072 ESP Active
GE0/0 100.1.1.1 1609372173 ESP Active
<830>ping -a 10.1.1.1 10.1.2.1 //内网地址ping测试
Ping 10.1.2.1 (10.1.2.1) from 10.1.1.1: 56 data bytes, press CTRL_C to break
56 bytes from 10.1.2.1: icmp_seq=0 ttl=255 time=1.085 ms
56 bytes from 10.1.2.1: icmp_seq=1 ttl=255 time=0.617 ms
56 bytes from 10.1.2.1: icmp_seq=2 ttl=255 time=0.582 ms
56 bytes from 10.1.2.1: icmp_seq=3 ttl=255 time=0.568 ms
56 bytes from 10.1.2.1: icmp_seq=4 ttl=255 time=0.517 ms
<830>dis qos policy int g0/0 //入方向不配置pre-classify也能统计到,出方向无法统计到
Interface: GigabitEthernet0/0
Direction: Inbound
Policy: 1
Classifier: default-class
Matched : 5 (Packets) 830 (Bytes)
5-minute statistics:
Forwarded: 0/22 (pps/bps)
Dropped : 0/0 (pps/bps)
Operator: AND
Rule(s) :
If-match any
Behavior: be
-none-
Classifier: 1
Matched : 5 (Packets) 490 (Bytes)
5-minute statistics:
Forwarded: 0/13 (pps/bps)
Dropped : 0/0 (pps/bps)
Operator: AND
Rule(s) :
If-match acl 3001
Behavior: 1
Filter enable: Permit
Interface: GigabitEthernet0/0
Direction: Outbound
Policy: 1
Classifier: default-class
Matched : 5 (Packets) 830 (Bytes)
5-minute statistics:
Forwarded: 0/22 (pps/bps)
Dropped : 0/0 (pps/bps)
Operator: AND
Rule(s) :
If-match any
Behavior: be
-none-
Classifier: 1
Matched : 0 (Packets) 0 (Bytes)
5-minute statistics:
Forwarded: 0/0 (pps/bps)
Dropped : 0/0 (pps/bps)
Operator: AND
Rule(s) :
If-match acl 3001
Behavior: 1
Filter enable: Permit
测试2:添加qos pre-classify
添加配置:
#
ipsec policy map1 10 isakmp
transform-set tran1
security acl 3000
local-address 100.1.1.1
remote-address 100.1.1.2
qos pre-classify
ike-profile profile1
<830>reset counters interface //清空qos统计
<830>ping -a 10.1.1.1 10.1.2.1
Ping 10.1.2.1 (10.1.2.1) from 10.1.1.1: 56 data bytes, press CTRL_C to break
56 bytes from 10.1.2.1: icmp_seq=0 ttl=255 time=1.096 ms
56 bytes from 10.1.2.1: icmp_seq=1 ttl=255 time=0.593 ms
56 bytes from 10.1.2.1: icmp_seq=2 ttl=255 time=0.601 ms
56 bytes from 10.1.2.1: icmp_seq=3 ttl=255 time=0.601 ms
56 bytes from 10.1.2.1: icmp_seq=4 ttl=255 time=0.598 ms
<830>dis qos policy int g0/0
Interface: GigabitEthernet0/0
Direction: Inbound
Policy: 1
Classifier: default-class
Matched : 5 (Packets) 830 (Bytes)
5-minute statistics:
Forwarded: 0/0 (pps/bps)
Dropped : 0/0 (pps/bps)
Operator: AND
Rule(s) :
If-match any
Behavior: be
-none-
Classifier: 1
Matched : 5 (Packets) 490 (Bytes)
5-minute statistics:
Forwarded: 0/0 (pps/bps)
Dropped : 0/0 (pps/bps)
Operator: AND
Rule(s) :
If-match acl 3001
Behavior: 1
Filter enable: Permit
Interface: GigabitEthernet0/0
Direction: Outbound
Policy: 1
Classifier: default-class
Matched : 0 (Packets) 0 (Bytes)
5-minute statistics:
Forwarded: 0/0 (pps/bps)
Dropped : 0/0 (pps/bps)
Operator: AND
Rule(s) :
If-match any
Behavior: be
-none-
Classifier: 1
Matched : 5 (Packets) 830 (Bytes)
5-minute statistics:
Forwarded: 0/0 (pps/bps)
Dropped : 0/0 (pps/bps)
Operator: AND
Rule(s) :
If-match acl 3001
Behavior: 1
Filter enable: Permit
测试3:基于内外网地址的acl做qos。
#
acl advanced 3001
rule 0 permit ip source 10.1.1.1 0 destination 10.1.2.1 0
rule 10 permit ip source 10.1.2.1 0 destination 10.1.1.1 0
rule 20 permit ip source 100.1.1.1 0 destination 100.1.1.2 0 .//添加wan口的rule
rule 30 permit ip source 100.1.1.2 0 destination 100.1.1.1 0
#
Undo qos pre-classify (删除qos pre-classify)
#
<830>reset counters interface //清空qos统计
<830>ping -a 10.1.1.1 10.1.2.1
Ping 10.1.2.1 (10.1.2.1) from 10.1.1.1: 56 data bytes, press CTRL_C to break
56 bytes from 10.1.2.1: icmp_seq=0 ttl=255 time=2.048 ms
56 bytes from 10.1.2.1: icmp_seq=1 ttl=255 time=0.840 ms
56 bytes from 10.1.2.1: icmp_seq=2 ttl=255 time=0.783 ms
56 bytes from 10.1.2.1: icmp_seq=3 ttl=255 time=0.674 ms
56 bytes from 10.1.2.1: icmp_seq=4 ttl=255 time=0.777 ms
<830>dis qos policy int g0/0
Interface: GigabitEthernet0/0
Direction: Inbound
Policy: 1
Classifier: default-class
Matched : 0 (Packets) 0 (Bytes)
5-minute statistics:
Forwarded: 0/0 (pps/bps)
Dropped : 0/0 (pps/bps)
Operator: AND
Rule(s) :
If-match any
Behavior: be
-none-
Classifier: 1
Matched : 10 (Packets) 1320 (Bytes) //能统计到两次,内网外网rule都能匹配到
5-minute statistics:
Forwarded: 0/0 (pps/bps)
Dropped : 0/0 (pps/bps)
Operator: AND
Rule(s) :
If-match acl 3001
Behavior: 1
Filter enable: Permit
Interface: GigabitEthernet0/0
Direction: Outbound
Policy: 1
Classifier: default-class
Matched : 0 (Packets) 0 (Bytes)
5-minute statistics:
Forwarded: 0/0 (pps/bps)
Dropped : 0/0 (pps/bps)
Operator: AND
Rule(s) :
If-match any
Behavior: be
-none-
Classifier: 1
Matched : 5 (Packets) 830 (Bytes) //统计到外网的rule
5-minute statistics:
Forwarded: 0/0 (pps/bps)
Dropped : 0/0 (pps/bps)
Operator: AND
Rule(s) :
If-match acl 3001
Behavior: 1
Filter enable: Permit
过程分析
针对ipsec流量的qos,MSR设备入方向可直接统计到基于内网地址的流量,出方向需要配置pre-classify后才能统计到内网地址流量
解决方法
最佳的配置方式,基于内网地址acl做qos,同时配置pre-classify,出入方向都能匹配上。
该案例暂时没有网友评论
编辑评论
✖
案例意见反馈
亲~登录后才可以操作哦!
确定你的邮箱还未认证,请认证邮箱或绑定手机后进行当前操作