Hello
I used the example above and everything works until I apply encryption and now I noticed that classification no longer works. Here are the configs from R1.
The only thing I changed was the routing protocol over the tunnel and added some VTY password, and now I'm using VTI.
When I classify based on the ESP header it works, as I see matches in my policy-map, but that's not very useful when you want to match specific traffic within the inner packet, as in this case Telnet, and police that traffic.
R1#sh running-config
Building configuration...
Current configuration : 2198 bytes
!
! Last configuration change at 06:50:33 UTC Thu Aug 11 2016
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
no ip icmp rate-limit unreachable
!
!
!
!
!
!
no ip domain lookup
ip cef
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
ip tcp synwait-time 5
!
class-map match-all TELNET
match access-group name TELNET
class-map match-all GRE
match access-group name GRE
class-map match-all esp
match access-group name esp
!
policy-map POLICE
class TELNET
police 128000
!
!
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key cisco address 0.0.0.0
!
!
crypto ipsec transform-set vpn esp-3des
mode tunnel
!
crypto ipsec profile VTI
set transform-set vpn
!
!
!
!
!
!
!
interface Loopback0
ip address 1.1.1.1 255.255.255.0
!
interface Tunnel0
ip address 172.16.13.1 255.255.255.0
ip ospf 100 area 0
qos pre-classify
tunnel source FastEthernet0/0
tunnel destination 192.168.23.3
tunnel protection ipsec profile VTI
!
interface FastEthernet0/0
ip address 192.168.12.1 255.255.255.0
duplex full
service-policy output POLICE
!
!
router eigrp 100
network 192.168.12.0
network 192.168.23.0
!
router ospf 100
network 172.30.13.1 0.0.0.0 area 0
!
router bgp 100
bgp log-neighbor-changes
network 1.1.1.0 mask 255.255.255.0
neighbor 172.16.13.3 remote-as 200
neighbor 172.16.13.3 prefix-list TEST out
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
ip access-list extended GRE
permit gre any any
ip access-list extended REMOTE
permit tcp any any eq 5055
deny tcp any any eq telnet
ip access-list extended TELNET
permit tcp any any eq telnet
permit tcp any any eq 5055
ip access-list extended esp
permit esp any any
!
!
ip prefix-list TEST seq 5 deny 1.1.1.0/24 le 32
ip prefix-list TEST seq 10 permit 0.0.0.0/0 le 32
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
access-class REMOTE in
password cisco
login
rotary 55
!
!
end
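To make the symptom in the post concrete, here is an added example (not from the poster or from Cisco) that models the two ACL lookups the physical interface's policy-map can perform: one against the original Telnet packet and one against the same packet after ESP tunnel-mode encapsulation. The packet builder, the XOR "cipher" standing in for ESP-3DES, the SPI value and the 172.16.13.3 destination are all constructed for the example; the ACLs and class-map order are taken from the R1 config above.

```python
import socket
import struct

# IP protocol numbers used by the ACL keywords in the R1 config
PROTO_NUM = {"tcp": 6, "gre": 47, "esp": 50}
TCP, ESP = PROTO_NUM["tcp"], PROTO_NUM["esp"]

def build_tcp(sport, dport):
    # Minimal 20-byte TCP header: ports, seq, ack, data offset 5, SYN, window, csum, urg
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)

def build_ipv4(proto, src, dst, payload):
    # 20-byte IPv4 header without options; checksum left at 0 (not needed for classification)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def parse_ipv4(pkt):
    ver_ihl, _, total, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"proto": proto, "src": socket.inet_ntoa(src),
            "dst": socket.inet_ntoa(dst), "payload": pkt[ihl:total]}

def esp_encapsulate(inner, spi, seq, outer_src, outer_dst, key):
    # Toy tunnel-mode ESP: SPI + sequence number, then the whole inner packet XORed with
    # a key. This is a stand-in for ESP-3DES, not real cryptography; what matters is that
    # the inner IP and TCP headers are no longer readable from the outer packet.
    ciphertext = bytes(b ^ key[i % len(key)] for i, b in enumerate(inner))
    return build_ipv4(ESP, outer_src, outer_dst, struct.pack("!II", spi, seq) + ciphertext)

def ace_matches(ace, fields):
    # ace = (action, protocol keyword, destination port or None), e.g. "permit tcp any any eq telnet"
    action, proto, dport = ace
    if PROTO_NUM[proto] != fields["proto"]:
        return False
    if dport is not None and fields.get("dport") != dport:
        return False
    return True

def acl_permits(acl, pkt):
    fields = parse_ipv4(pkt)
    if fields["proto"] == TCP:
        fields["dport"] = struct.unpack("!HH", fields["payload"][:4])[1]
    for ace in acl:
        if ace_matches(ace, fields):
            return ace[0] == "permit"
    return False  # implicit deny at the end of every IOS ACL

def classify(pkt, class_maps):
    # First class-map whose ACL permits the packet wins, like a policy-map walk
    for name, acl in class_maps:
        if acl_permits(acl, pkt):
            return name
    return "class-default"

# ACLs and class-maps as they appear on R1 (telnet = 23)
ACL_TELNET = [("permit", "tcp", 23), ("permit", "tcp", 5055)]
ACL_GRE = [("permit", "gre", None)]
ACL_ESP = [("permit", "esp", None)]
CLASS_MAPS = [("TELNET", ACL_TELNET), ("GRE", ACL_GRE), ("esp", ACL_ESP)]

def demo():
    # Constructed Telnet SYN from Loopback0 towards the far side of the tunnel
    inner = build_ipv4(TCP, "1.1.1.1", "172.16.13.3", build_tcp(40000, 23))
    # Same packet after the VTI has encrypted it; outer addresses from the tunnel source/destination
    outer = esp_encapsulate(inner, spi=0x1000, seq=1, outer_src="192.168.12.1",
                            outer_dst="192.168.23.3", key=b"constructed-key")
    return classify(inner, CLASS_MAPS), classify(outer, CLASS_MAPS)

if __name__ == "__main__":
    before, after = demo()
    print("before encryption:", before)  # TELNET
    print("after encryption: ", after)   # esp
```

`demo()` returns `("TELNET", "esp")`: the same Telnet packet lands in class TELNET when the ACL is evaluated against the cleartext headers and in class esp once only the outer IP/ESP headers are visible, which is the behaviour the post describes for the service-policy on FastEthernet0/0. The model deliberately leaves out what `qos pre-classify` on the tunnel is meant to do, namely carry the pre-encryption classification along to the physical interface's policy, so that the effect of losing the inner headers is visible on its own.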