QoS Pre-Classify on Cisco IOS

Very clear and concise explanation, thank you

Thanks a lot for your excellent explanation…

Hello Rene,

I was very happy to find you had a lab on this subject. I went through this myself and everything worked as described, except one area. When I moved the service policy off the FA0/0 interface and put it on the Tunnel 0 interface (and removed the qos pre-classify from the tunnel), the encapsulated IP header had the CS5 markings, but the outer header did not (as seen below).

Outer:

Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))

Inner:

Differentiated Services Field: 0xa0 (DSCP 0x28: Class Selector 5; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))

If I check the output from show policy-map interface tunnel 0, it shows my “interesting” traffic being identified and marked.

With no service policy applied, if I do the extended ping commands (as you did), then both IP headers are marked with CS5 as expected.

The only deviation I had from your lab was to use a policy-map set command of “set dscp cs5” instead of a police command.

R1#sh policy-map
  Policy Map PM_ICMP
    Class CM_ICMP
      set dscp cs5

Odd, huh?

Hi Andrew,

That’s interesting, it seems that when you use a policy-map to set the DSCP that this happens after the automatic copying of the TOS byte.

What happens if you keep your policy-map and then try an extended ping where you set the TOS to CS3 or something? I’m guessing that it will copy CS3 from the inner to outer header and then afterwards it changes your inner header to CS5.

Rene

As usual, you are exactly right.

Doing what you described, set CS3 for the outer packet:

Differentiated Services Field: 0x60 (DSCP 0x18: Class Selector 3; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))

And kept CS5 for the inner packet:

Differentiated Services Field: 0xa0 (DSCP 0x28: Class Selector 5; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))

--Andrew

Hi Andrew and Rene,

I’ve tried to repeat this odd behavior mentioned by Andrew.
In my attempt I used IOS 12.4(23) under GNS3, an extended ping with DSCP cs3, and the PM applied to tun0 (inner classification); in my test both the inner and outer packets were marked with the DSCP cs5 value from the PM in Wireshark.

So it seems that the first packet (inner) is first remarked by the PM, then its ToS byte is copied to the outer packet.

R1#sh policy-map PM_ICMP
  Policy Map PM_ICMP
    Class CM_ICMP
      set dscp cs5
R1#sh class-map CM_ICMP
 Class Map match-all CM_ICMP (id 3)
   Match access-group name ACL_ICMP

R1#sh ip access-lists ACL_ICMP
Extended IP access list ACL_ICMP
    10 permit icmp any any (30 matches)
R1#sh policy-map int tun0
 Tunnel0

  Service-policy output: PM_ICMP

    Class-map: CM_ICMP (match-all)
      10 packets, 1000 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: access-group name ACL_ICMP
      QoS Set
        dscp cs5
          Packets marked 10

    Class-map: class-default (match-any)
      10 packets, 1000 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
R1#

Hi None N
I tested this scenario again (GNS3, IOS 15.1), and confirmed my prior results. It sure looks like your configuration is the same as mine. When you did your extended ping, you chose TOS of 96, right?

Since all the config happens on R1, here’s the full config. If you paste this in and still get different results, try again using an IOS 15 version for R1 (mine is c7200-adventerprisek9-mz.152-4.M6).

service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
no ip icmp rate-limit unreachable
!
!
!
!
!
!
no ip domain lookup
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
redundancy
!
!
ip tcp synwait-time 5
ip ssh version 1
!
class-map match-all CM_ICMP
 match access-group name ACL_ICMP
!
policy-map PM_ICMP
 class CM_ICMP
  set dscp cs5
!
!
!
!
!
!
!
!
!
!
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface Tunnel0
 ip address 172.16.13.1 255.255.255.0
 tunnel source FastEthernet0/0
 tunnel destination 192.168.23.3
 service-policy output PM_ICMP
!
interface FastEthernet0/0
 ip address 192.168.12.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip route 3.3.3.3 255.255.255.255 172.16.13.3
ip route 192.168.23.0 255.255.255.0 192.168.12.2
!
ip access-list extended ACL_ICMP
 permit icmp any any
!
no cdp log mismatch duplex
!
!
!
control-plane
!
!
!
mgcp profile default
!
!
!
gatekeeper
 shutdown
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line vty 0 4
 login
 transport input all
!
!
end

Quick question: in your lesson you note “This tells the router to create a copy of the original IP header and to use that for the policy”.
Does it clone the IP header or the entire packet? If it clones just the IP header then there won’t be a way for QoS to work in your lesson, as it will not see the TCP header. What do you think?

I believe it is just the IP Header. From Cisco:

The qos pre-classify mechanism allows Cisco routers to make a copy of the inner IP header and to run a QoS classification before encryption based on fields in the inner IP header. Without this feature, the classification engine sees only a single encrypted and tunneled flow since all packets that traverse across the same tunnel have the same tunnel header and receive the same treatment in the event of congestion.

Hi Andrew P,

I’ve tested again as you suggested with IOS 15.1 and I confirmed it works as in your example. It seems that there is a different order of actions in IOS 12.x and the newer 15.x. In the older one the router first does the remarking action, then makes a copy of the ToS byte; that’s why I saw the same DSCP value in the inner and outer IP headers.
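To make the three Wireshark lines in this thread and the two observed orders of operations concrete, here is a small added example (not from the original lesson or any poster). It decodes the Differentiated Services byte into DSCP and ECN, converts a DSCP to the decimal TOS value typed at the extended-ping prompt, and models the GRE ToS copy happening either before the “set dscp” remark (the IOS 15.x behaviour Andrew saw) or after it (the IOS 12.4 behaviour None N saw). The function names and the modelled ordering are assumptions for illustration, not IOS internals.

```python
# Added example, not code from the thread or from Cisco.
# DSCP name tables: class selectors CS0..CS7 are multiples of 8,
# assured forwarding AFxy = 8*x + 2*y, EF is 46.
CLASS_SELECTOR = {8 * i: f"CS{i}" for i in range(8)}
ASSURED = {8 * c + 2 * d: f"AF{c}{d}" for c in range(1, 5) for d in range(1, 4)}
ECN_NAMES = {0: "Not-ECT", 1: "ECT(1)", 2: "ECT(0)", 3: "CE"}


def decode_ds_field(ds_byte: int) -> dict:
    """Split the IPv4 ToS byte (Wireshark's 'Differentiated Services Field')
    into its six-bit DSCP and two-bit ECN, naming the DSCP like Wireshark."""
    dscp = (ds_byte >> 2) & 0x3F
    ecn = ds_byte & 0x03
    if dscp == 0:
        name = "Default"
    elif dscp == 46:
        name = "EF"
    else:
        name = CLASS_SELECTOR.get(dscp) or ASSURED.get(dscp) or f"DSCP {dscp}"
    return {"dscp": dscp, "name": name, "ecn": ECN_NAMES[ecn]}


def dscp_to_tos(dscp: int) -> int:
    """Decimal value for the extended-ping TOS prompt: the whole byte,
    i.e. the DSCP shifted left past the two ECN bits (CS3 -> 96)."""
    return dscp << 2


def gre_tunnel_markings(inner_ds: int, set_dscp: int, copy_before_remark: bool):
    """Return (outer_ds, inner_ds) after GRE encapsulation with a 'set dscp'
    service-policy on the tunnel interface (assumed model of the thread).

    copy_before_remark=True : outer header inherits the original inner ToS,
                              then the policy rewrites the inner header only
                              (what Andrew observed on IOS 15.x).
    copy_before_remark=False: policy rewrites the inner header first, then
                              that ToS is copied outward, so both match
                              (what None N observed on IOS 12.4)."""
    remarked = (set_dscp << 2) | (inner_ds & 0x03)  # ECN bits are kept
    outer = inner_ds if copy_before_remark else remarked
    return outer, remarked


if __name__ == "__main__":
    for ds in (0x00, 0x60, 0xA0):
        print(hex(ds), decode_ds_field(ds))
    print("IOS 15.x order:", gre_tunnel_markings(0x60, 40, True))
    print("IOS 12.4 order:", gre_tunnel_markings(0x60, 40, False))
```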

Hello

I used the example above and everything works until I apply encryption; now I notice that classification no longer works. Here are the configs from R1.
The only things I changed were the routing protocol over the tunnel and adding a VTY password, and now I’m using VTI.
When I classify based on the ESP header it works, as I see matches in my policy-map, but that’s not very useful when you want to match specific traffic within the inner packet, as in this case Telnet, and police that traffic.

R1#sh running-config
Building configuration...

Current configuration : 2198 bytes
!
! Last configuration change at 06:50:33 UTC Thu Aug 11 2016
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
no ip icmp rate-limit unreachable
!
!
!
!
!
!
no ip domain lookup
ip cef
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
ip tcp synwait-time 5
!
class-map match-all TELNET
 match access-group name TELNET
class-map match-all GRE
 match access-group name GRE
class-map match-all esp
 match access-group name esp
!
policy-map POLICE
 class TELNET
  police 128000
!
!
!
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco address 0.0.0.0
!
!
crypto ipsec transform-set vpn esp-3des
 mode tunnel
!
crypto ipsec profile VTI
 set transform-set vpn
!
!
!
!
!
!
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
!
interface Tunnel0
 ip address 172.16.13.1 255.255.255.0
 ip ospf 100 area 0
 qos pre-classify
 tunnel source FastEthernet0/0
 tunnel destination 192.168.23.3
 tunnel protection ipsec profile VTI
!
interface FastEthernet0/0
 ip address 192.168.12.1 255.255.255.0
 duplex full
 service-policy output POLICE
!
!
router eigrp 100
 network 192.168.12.0
 network 192.168.23.0
!
router ospf 100
 network 172.30.13.1 0.0.0.0 area 0
!
router bgp 100
 bgp log-neighbor-changes
 network 1.1.1.0 mask 255.255.255.0
 neighbor 172.16.13.3 remote-as 200
 neighbor 172.16.13.3 prefix-list TEST out
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
ip access-list extended GRE
 permit gre any any
ip access-list extended REMOTE
 permit tcp any any eq 5055
 deny   tcp any any eq telnet
ip access-list extended TELNET
 permit tcp any any eq telnet
 permit tcp any any eq 5055
ip access-list extended esp
 permit esp any any
!
!
ip prefix-list TEST seq 5 deny 1.1.1.0/24 le 32
ip prefix-list TEST seq 10 permit 0.0.0.0/0 le 32
!
!
!
control-plane
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line vty 0 4
 access-class REMOTE in
 password cisco
 login
 rotary 55
!
!
end