QoS Pre-Classify on Cisco IOS

Hello

I used the example above and everything works until I apply encryption, and now I have noticed that classification no longer works. Here are the configs from R1.
The only things I changed were the routing protocol over the tunnel and an added VTY password, and now I'm using VTI.
When I classify based on the ESP header it works, as I see matches in my policy-map, but that's not very useful when you want to match specific traffic within the inner packet (in this case, Telnet) and police that traffic.


R1#sh running-config
Building configuration...

Current configuration : 2198 bytes
!
! Last configuration change at 06:50:33 UTC Thu Aug 11 2016
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
no ip icmp rate-limit unreachable
!
!
!
!
!
!
no ip domain lookup
ip cef
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
ip tcp synwait-time 5
!
class-map match-all TELNET
 match access-group name TELNET
class-map match-all GRE
 match access-group name GRE
class-map match-all esp
 match access-group name esp
!
policy-map POLICE
 class TELNET
  police 128000
!
!
!
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco address 0.0.0.0
!
!
crypto ipsec transform-set vpn esp-3des
 mode tunnel
!
crypto ipsec profile VTI
 set transform-set vpn
!
!
!
!
!
!
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
!
interface Tunnel0
 ip address 172.16.13.1 255.255.255.0
 ip ospf 100 area 0
 qos pre-classify
 tunnel source FastEthernet0/0
 tunnel destination 192.168.23.3
 tunnel protection ipsec profile VTI
!
interface FastEthernet0/0
 ip address 192.168.12.1 255.255.255.0
 duplex full
 service-policy output POLICE
!
!
router eigrp 100
 network 192.168.12.0
 network 192.168.23.0
!
router ospf 100
 network 172.30.13.1 0.0.0.0 area 0
!
router bgp 100
 bgp log-neighbor-changes
 network 1.1.1.0 mask 255.255.255.0
 neighbor 172.16.13.3 remote-as 200
 neighbor 172.16.13.3 prefix-list TEST out
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
ip access-list extended GRE
 permit gre any any
ip access-list extended REMOTE
 permit tcp any any eq 5055
 deny   tcp any any eq telnet
ip access-list extended TELNET
 permit tcp any any eq telnet
 permit tcp any any eq 5055
ip access-list extended esp
 permit esp any any
!
!
ip prefix-list TEST seq 5 deny 1.1.1.0/24 le 32
ip prefix-list TEST seq 10 permit 0.0.0.0/0 le 32
!
!
!
control-plane
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line vty 0 4
 access-class REMOTE in
 password cisco
 login
 rotary 55
!
!
end