Policy-Map for shaping not working

support-SPR
Level 1

Hi,

I configured a policy-map in order to shape the traffic toward the IPsec tunnel.

The VPN is done by a cryptomap on the outgoing interface (FE4). Tunnel is up, no problem.

Here are my ACL, class-map and policy-map configurations:

Extended IP access list Vers_VPN_Siege_Data
10 permit ip 192.168.30.0 0.0.0.255 192.168.12.0 0.0.0.255
20 permit ip 192.168.30.0 0.0.0.255 192.168.200.0 0.0.0.255
30 permit ip 192.168.30.0 0.0.0.255 10.25.25.0 0.0.0.255

 

class-map match-any VPN-DATA-OUT
match access-group name Vers_VPN_Siege_Data

 

policy-map WAN_OUT_VPN
class VPN-DATA-OUT
shape average percent 20
bandwidth percent 20


policy-map INTERNET-VPN
class class-default
shape average percent 100
service-policy WAN_OUT_VPN

 

Here is the outgoing interface configuration, with the service policy output applied:

 

interface FastEthernet4
description INTERCO-WAN-LAB_Orange
ip address 192.168.8.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
no cdp enable
crypto map VPN_LAB
service-policy output INTERNET-VPN

 

The source interface is VLAN 30:

 

interface Vlan30
ip address 192.168.30.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
end

Then, I copy a file from 192.168.30.3 to 192.168.12.8 (first line of the ACL):

Extended IP access list Vers_VPN_Siege_Data
10 permit ip 192.168.30.0 0.0.0.255 192.168.12.0 0.0.0.255

 

But the shaping does not work, and when I look at the policy-map stats on the interface, all the packets are considered default traffic:

 

Service-policy output: INTERNET-VPN

Class-map: class-default (match-any)
97711 packets, 131759781 bytes
5 minute offered rate 1758000 bps, drop rate 0000 bps
Match: any
Queueing
queue limit 64 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 97711/131759781
shape (average) cir 100000000, bc 1000000, be 1000000
target shape rate 100000000

Service-policy : WAN_OUT_VPN

Class-map: VPN-DATA-OUT (match-any)
0 packets, 0 bytes
5 minute offered rate 0000 bps, drop rate 0000 bps
Match: access-group name Vers_VPN_Siege_Data
0 packets, 0 bytes
5 minute rate 0 bps
Queueing
queue limit 64 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 0/0
shape (average) cir 20000000, bc 200000, be 200000
target shape rate 20000000
bandwidth 20% (20000 kbps)

Class-map: class-default (match-any)
97711 packets, 131759781 bytes
5 minute offered rate 1758000 bps, drop rate 0000 bps
Match: any

queue limit 64 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 97711/131759781

 

Any idea what I am doing wrong?

 

Router: Cisco C881

Firmware version: c800-universalk9-mz.SPA.158-3.M7.bin

 

Fabrice

8 Replies

Joseph W. Doherty
Hall of Fame

Two possible causes.

  • First, by default, policies on tunnels "see" the tunneled packet's headers, not the internal packet's headers. (BTW, you're doing your tunneling without a tunnel interface. Not 100% positive whether what I note next is 100% accurate for those. Yours is an old technique; the newer technique would be to use a VTI and place the policy on it.)

There are two ways to deal with encapsulation. First, if the original packets have ToS tags, they are copied to the tunneled packet's ToS, allowing matching on that. Second, there's a config statement (which I don't recall at the moment) to make a "shadow" copy of the original packet's header, allowing a policy to work on the original packet's header information.

  • Second possible cause (may not be exclusive, either): NAT changes packet IPs, which, depending on when it is done relative to packet encapsulation, can hide the original IPs from policy maps too. (BTW, ToS, again, is copied through NAT.)
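As an added illustration of the first cause above (example code, not from the thread), the Python below evaluates the Vers_VPN_Siege_Data ACL with Cisco wildcard semantics against the file-copy flow 192.168.30.3 to 192.168.12.8 twice: once on the inner (cleartext) header, and once on the outer ESP header (FastEthernet4's 192.168.8.1 towards the peer) that an output policy on FastEthernet4 sees after encapsulation. Only the inner header matches, which is why every packet lands in class-default. The example goes one step beyond the post by also classifying the inbound direction against the Depuis_VPN_Siege_Data ACL from the running configuration, where an input policy on the physical interface runs before decryption and likewise sees only the outer header. The ACL entries and the FE4 address come from the thread; the peer address is a constructed placeholder for the x.x.x.x shown in the config.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    action: str       # "permit" or "deny"
    src: str          # source network address
    src_wild: str     # Cisco wildcard (inverse) mask for the source
    dst: str          # destination network address
    dst_wild: str     # Cisco wildcard mask for the destination


def wildcard_match(addr: str, net: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'do not care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    w = int(ipaddress.IPv4Address(wildcard))
    return ((a ^ n) & ~w) == 0


def _take_addr(tokens, i):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D W.X.Y.Z'."""
    if tokens[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], "0.0.0.0", i + 2
    return tokens[i], tokens[i + 1], i + 2


def parse_acl(text: str) -> list:
    """Parse extended 'permit|deny ip SRC DST' lines; leading sequence numbers are optional."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if t and t[0].isdigit():          # '10 permit ip ...' as printed by 'show ip access-lists'
            t = t[1:]
        if len(t) < 4 or t[0] not in ("permit", "deny") or t[1] != "ip":
            raise ValueError(f"unsupported ACL line: {line!r}")
        src, src_wild, i = _take_addr(t, 2)
        dst, dst_wild, i = _take_addr(t, i)
        if i != len(t):
            raise ValueError(f"trailing tokens in ACL line: {line!r}")
        entries.append(AclEntry(t[0], src, src_wild, dst, dst_wild))
    return entries


def acl_lookup(acl, src: str, dst: str) -> str:
    """First-match lookup; the implicit deny at the end means 'no class match'."""
    for e in acl:
        if wildcard_match(src, e.src, e.src_wild) and wildcard_match(dst, e.dst, e.dst_wild):
            return e.action
    return "implicit-deny"


def classify(acl, src: str, dst: str, class_name: str) -> str:
    """A match-any class with a single 'match access-group': permit -> class, else class-default."""
    return class_name if acl_lookup(acl, src, dst) == "permit" else "class-default"


# ACLs as posted in the thread (the Depuis list is the inbound mirror image of the Vers list).
VERS_VPN_SIEGE_DATA = parse_acl("""
10 permit ip 192.168.30.0 0.0.0.255 192.168.12.0 0.0.0.255
20 permit ip 192.168.30.0 0.0.0.255 192.168.200.0 0.0.0.255
30 permit ip 192.168.30.0 0.0.0.255 10.25.25.0 0.0.0.255
""")
DEPUIS_VPN_SIEGE_DATA = parse_acl("""
permit ip 192.168.12.0 0.0.0.255 192.168.30.0 0.0.0.255
permit ip 192.168.200.0 0.0.0.255 192.168.30.0 0.0.0.255
permit ip 10.25.25.0 0.0.0.255 192.168.30.0 0.0.0.255
""")

FE4_ADDRESS = "192.168.8.1"    # FastEthernet4 address from the thread
PEER_ADDRESS = "203.0.113.1"   # constructed placeholder for the x.x.x.x IPsec peer


def classify_outbound(inner_src: str, inner_dst: str, pre_classify: bool) -> str:
    """Output policy on FastEthernet4: without pre-classification the classifier only
    sees the outer ESP header (FE4 -> peer), so an inner-header ACL can never match."""
    if pre_classify:
        return classify(VERS_VPN_SIEGE_DATA, inner_src, inner_dst, "VPN-DATA-OUT")
    return classify(VERS_VPN_SIEGE_DATA, FE4_ADDRESS, PEER_ADDRESS, "VPN-DATA-OUT")


def classify_inbound(inner_src: str, inner_dst: str) -> str:
    """Input policy on FastEthernet4 runs before decryption, so it always sees the outer
    header (peer -> FE4); qos pre-classify only helps the outbound (encrypting) direction."""
    del inner_src, inner_dst   # not visible to the classifier at this point
    return classify(DEPUIS_VPN_SIEGE_DATA, PEER_ADDRESS, FE4_ADDRESS, "VPN-DATA-IN")


if __name__ == "__main__":
    flow = ("192.168.30.3", "192.168.12.8")           # the file copy from the thread
    print("outbound, no pre-classify :", classify_outbound(*flow, pre_classify=False))
    print("outbound, qos pre-classify:", classify_outbound(*flow, pre_classify=True))
    print("inbound on physical intf  :", classify_inbound(*reversed(flow)))
```

The same lookup applied to the NAT-DENY-LAB-NID list explains the NAT observation later in the thread: a `deny` entry in a NAT ACL exempts the flow from translation while still being an ordinary wildcard match, so the inner addresses are intact when the shaper looks at them, provided it looks before encapsulation.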

Hello,

What if you pre-classify?

interface FastEthernet4
description INTERCO-WAN-LAB_Orange
ip address 192.168.8.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
no cdp enable
crypto map VPN_LAB
--> qos pre-classify
service-policy output INTERNET-VPN

From my OP: ". . . there's a config statement (which I don't recall at the moment) to make a "shadow" copy of the original packet's header allowing a policy to work on original packet's header information."

@Georg Pauwen has provided that command, i.e. "qos pre-classify".

However, I don't recall ever using it with a crypto map, but you do normally place it on the physical interface handling the encapsulated packets, i.e. I would expect where Georg placed it to be the correct interface. Again, though, if that doesn't fix the issue, it might also be related to your NAT usage.

Hi guys,

Thanks for your replies!

First, unfortunately, I can't use VTI technology in this case because on the other end there is an old SonicWall which is unable to deal with VTI, too bad...

So, I have to go on with the crypto map.

I tried, before posting, to enable "qos pre-classify", but there is no way to do it on the interface. However, thanks to your post, I tried it directly on the crypto map object, which is accepted, thanks!

 

crypto map VPN_LAB 10 ipsec-isakmp
set peer x.x.x.x
set transform-set ESP-AES-SHA
match address ACL-NID-LAB
qos pre-classify

 

However, even with this change, the policy does not work...

@joseph: about the possible NAT issue, what I don't understand is that the NAT policy output is working in order to "not NAT with the public IP" all the tunneled traffic. So, if it works for this purpose, why doesn't it work for the policy rule?

It's like the ACL is seen by the policy map but not considered.

 

If I apply the policy to all the traffic, i.e. like this:

 

policy-map INTERNET-VPN
class class-default
shape average percent 20
service-policy WAN_OUT_VPN

 

instead of this:

 

policy-map INTERNET-VPN
class class-default
shape average percent 100
service-policy WAN_OUT_VPN

 

it works! (tunneled and Internet traffic)

 

But I would like to avoid that, because what I want is to shape only the tunnel traffic, not the Internet traffic.

 

Maybe that's what you said, Joseph, if I understood well: the packet is first encapsulated, so the policy is unable to apply to it... But if the policy is applied to all the traffic, why does it also work on the tunneled traffic?

 

I hope I have been clear.

 

If you have any other suggestions, you're welcome!

 

Fabrice

Hello,

Maybe it would be helpful to see the entire running configuration (sh run). Can you post that?

Sure, here it is:

Current configuration : 8254 bytes
!
! Last configuration change at 12:01:21 Reunion Thu Dec 2 2021 by cisco
! NVRAM config last updated at 11:47:55 Reunion Thu Dec 2 2021 by cisco
!
version 15.8
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname RTR-LAB
!
boot-start-marker
boot system flash:c800-universalk9-mz.SPA.158-3.M7.bin
boot-end-marker
!
!
no logging console
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
no aaa new-model
clock timezone Reunion 4 0
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!


!
ip dhcp excluded-address 192.168.1.1
ip dhcp excluded-address 192.168.1.200
ip dhcp excluded-address 192.168.1.254
ip dhcp excluded-address 192.168.30.254
ip dhcp excluded-address 192.168.30.1
ip dhcp excluded-address 192.168.1.2
ip dhcp excluded-address 192.168.1.92
!
ip dhcp pool LAB-PC
network 192.168.30.0 255.255.255.0
default-router 192.168.30.254
dns-server 192.168.12.10 192.168.12.26
lease 8
!
ip dhcp pool LAB-HOME
network 192.168.1.0 255.255.255.0
default-router 192.168.1.254
dns-server 8.8.8.8 8.8.4.4
lease 8
!
!
!
no ip domain lookup
ip domain name lab.local
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip cef
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
license udi pid C881-K9 sn FCZ2325C1A2
!
!
username cisco password 7 xxxxxxxxxxxx
!
redundancy
!
!
!
!
no cdp run
!
!
class-map match-any VPN-DATA-OUT
match access-group name Vers_VPN_Siege_Data
!
policy-map WAN_OUT_VPN
class VPN-DATA-OUT
shape average percent 20
bandwidth percent 20
policy-map INTERNET-VPN
class class-default
shape average percent 100
service-policy WAN_OUT_VPN
!
!
crypto keyring LQR
pre-shared-key address x.x.x.x key xxxxxxxxxx
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
lifetime 28800
crypto isakmp key xxxxxxxx address x.x.x.x
!
crypto ipsec security-association lifetime seconds 28800
!
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
mode tunnel
!
!
!
crypto map VPN_LAB 10 ipsec-isakmp
set peer x.x.x.x
set transform-set ESP-AES-SHA
match address ACL-NID-LAB
qos pre-classify
!
!
!
!
!
!
interface FastEthernet0
switchport trunk allowed vlan 1,2,25,1002-1005
switchport mode trunk
no ip address
no cdp enable
spanning-tree portfast
!
interface FastEthernet1
switchport trunk allowed vlan 1,2,25,1002-1005
switchport mode trunk
no ip address
no cdp enable
spanning-tree portfast
!
interface FastEthernet2
switchport access vlan 30
switchport mode access
no ip address
no cdp enable
spanning-tree portfast
!
interface FastEthernet3
switchport access vlan 30
switchport mode access
no ip address
no cdp enable
spanning-tree portfast
!
interface FastEthernet4
description INTERCO-WAN-LAB_Orange
ip address 192.168.8.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
no cdp enable
crypto map VPN_LAB
service-policy output INTERNET-VPN
!
interface Vlan1
description LAN HOME
ip address 192.168.1.1 255.255.255.0 secondary
ip address 192.168.1.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Vlan25
description LAN LAB TOIP
ip address 10.25.30.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Vlan30
ip address 192.168.30.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list NAT-DENY-LAB-NID interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 192.168.8.254
ip ssh version 2
!
ip access-list extended ACL-NID-LAB
permit ip 192.168.30.0 0.0.0.255 192.168.12.0 0.0.0.255
permit ip 192.168.30.0 0.0.0.255 192.168.254.0 0.0.0.255
permit ip 192.168.30.0 0.0.0.255 192.168.200.0 0.0.0.255
permit ip 192.168.30.0 0.0.0.255 10.25.25.0 0.0.0.255
permit ip 192.168.30.0 0.0.0.255 10.3.1.0 0.0.0.255
permit ip 192.168.30.0 0.0.0.255 192.168.22.0 0.0.0.255
permit ip 192.168.30.0 0.0.0.255 192.168.44.0 0.0.0.255
permit ip 192.168.30.0 0.0.0.255 192.168.46.0 0.0.0.255
permit ip 192.168.30.0 0.0.0.255 192.168.79.0 0.0.0.255
permit ip 10.25.30.0 0.0.0.255 192.168.12.0 0.0.0.255
permit ip 10.25.30.0 0.0.0.255 192.168.44.0 0.0.0.255
permit ip 10.25.30.0 0.0.0.255 192.168.46.0 0.0.0.255
permit ip 10.25.30.0 0.0.0.255 192.168.254.0 0.0.0.255
permit ip 10.25.30.0 0.0.0.255 10.25.25.0 0.0.0.255
permit ip 10.25.30.0 0.0.0.255 10.3.1.0 0.0.0.255
ip access-list extended Depuis_AWS_Masterprint
permit ip host 35.181.163.31 192.168.30.0 0.0.0.255
ip access-list extended Depuis_VPN_Siege_Data
permit ip 192.168.12.0 0.0.0.255 192.168.30.0 0.0.0.255
permit ip 192.168.200.0 0.0.0.255 192.168.30.0 0.0.0.255
permit ip 10.25.25.0 0.0.0.255 192.168.30.0 0.0.0.255
permit ip 10.3.1.0 0.0.0.255 192.168.30.0 0.0.0.255
permit ip 192.168.22.0 0.0.0.255 192.168.30.0 0.0.0.255
permit ip 192.168.44.0 0.0.0.255 192.168.30.0 0.0.0.255
permit ip 192.168.46.0 0.0.0.255 192.168.30.0 0.0.0.255
permit ip 192.168.12.0 0.0.0.255 10.25.30.0 0.0.0.255
permit ip 192.168.254.0 0.0.0.255 10.25.30.0 0.0.0.255
permit ip 10.25.25.0 0.0.0.255 10.25.30.0 0.0.0.255
permit ip 10.3.1.0 0.0.0.255 10.25.30.0 0.0.0.255
ip access-list extended Depuis_VPN_Siege_TOIP
permit ip 10.25.25.0 0.0.0.255 10.25.30.0 0.0.0.255
ip access-list extended NAT-DENY-LAB-NID
deny ip 192.168.30.0 0.0.0.255 192.168.12.0 0.0.0.255
deny ip 192.168.30.0 0.0.0.255 192.168.254.0 0.0.0.255
deny ip 192.168.30.0 0.0.0.255 192.168.200.0 0.0.0.255
deny ip 192.168.30.0 0.0.0.255 10.25.25.0 0.0.0.255
deny ip 192.168.30.0 0.0.0.255 192.168.22.0 0.0.0.255
deny ip 192.168.30.0 0.0.0.255 192.168.44.0 0.0.0.255
deny ip 192.168.30.0 0.0.0.255 192.168.46.0 0.0.0.255
deny ip 192.168.30.0 0.0.0.255 10.3.1.0 0.0.0.255
deny ip 192.168.30.0 0.0.0.255 192.168.79.0 0.0.0.255
deny ip 10.25.30.0 0.0.0.255 192.168.12.0 0.0.0.255
deny ip 10.25.30.0 0.0.0.255 10.25.25.0 0.0.0.255
deny ip 10.25.30.0 0.0.0.255 192.168.22.0 0.0.0.255
deny ip 10.25.30.0 0.0.0.255 192.168.44.0 0.0.0.255
deny ip 10.25.30.0 0.0.0.255 192.168.46.0 0.0.0.255
deny ip 10.25.30.0 0.0.0.255 10.3.1.0 0.0.0.255
permit ip 192.168.30.0 0.0.0.255 any
permit ip 10.25.30.0 0.0.0.255 any
permit ip 192.168.1.0 0.0.0.255 any
ip access-list extended Vers_AWS_Masterprint
permit ip 192.168.30.0 0.0.0.255 host 35.181.163.31
ip access-list extended Vers_VPN_Siege_Data
permit ip 192.168.30.0 0.0.0.255 192.168.12.0 0.0.0.255
permit ip 192.168.30.0 0.0.0.255 192.168.200.0 0.0.0.255
permit ip 192.168.30.0 0.0.0.255 10.25.25.0 0.0.0.255
permit ip 192.168.30.0 0.0.0.255 10.3.1.0 0.0.0.255
permit ip 192.168.30.0 0.0.0.255 192.168.22.0 0.0.0.255
permit ip 192.168.30.0 0.0.0.255 192.168.44.0 0.0.0.255
permit ip 192.168.30.0 0.0.0.255 192.168.46.0 0.0.0.255
permit ip 10.25.30.0 0.0.0.255 192.168.12.0 0.0.0.255
permit ip 10.25.30.0 0.0.0.255 192.168.254.0 0.0.0.255
permit ip 10.25.30.0 0.0.0.255 10.25.25.0 0.0.0.255
permit ip 10.25.30.0 0.0.0.255 10.3.1.0 0.0.0.255
ip access-list extended Vers_VPN_Siege_TOIP
permit ip 10.25.30.0 0.0.0.255 10.25.25.0 0.0.0.255
!
ipv6 ioam timestamp
!
snmp-server community xxxxxxxxx RO
snmp-server location NID
snmp-server contact Support Informatique
access-list 23 permit 10.3.1.0 0.0.0.255
access-list 23 permit 192.168.12.0 0.0.0.255
access-list 23 permit 10.1.1.0 0.0.0.255
access-list 23 permit 10.2.1.0 0.0.0.255
access-list 23 permit 192.168.44.0 0.0.0.255
access-list 23 permit 192.168.46.0 0.0.0.255
access-list 23 permit 165.169.5.4 0.0.0.3
access-list 23 permit 192.168.30.0 0.0.0.255
access-list 23 permit 192.168.1.0 0.0.0.255
access-list 23 permit 192.168.8.0 0.0.0.255
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
access-class 23 in
privilege level 15
login local
transport input all
!
scheduler allocate 60000 1000
ntp update-calendar
ntp server x.x.x.x prefer source FastEthernet4
!
!
!
!
!
!
!
end

Hi again,

I found it and it seems to be working!

I was looking again and again on the web and finally I found this page (https://flylib.com/books/en/2.650.1/designing_qos_for_ipsec_vpns.html) which explains more or less the same thing you told me:

1/ qos pre-classify is mandatory, so I left it on the crypto map as you suggested before

2/ my current policy-map enabled on the outgoing interface contains the default class-map and then the other PM with the shaping. Even if it usually seems to be a best practice, I noticed that in the example given, the PM simply contains all the class-maps listed.

So I changed my PM from this:

 

policy-map WAN_OUT_VPN
class VPN-DATA-OUT
shape average percent 20
bandwidth percent 20
policy-map INTERNET-VPN
class class-default
shape average percent 100
service-policy WAN_OUT_VPN

 

to this:

 

policy-map WAN_OUT_VPN
class VPN-DATA-OUT
shape average percent 20
bandwidth percent 20
class class-default
shape average percent 100

 

And now, tunneled traffic correctly matches the right class-map, and normal traffic matches the default CM:

 

RTR-LAB#sh policy-map interface fastEthernet 4
FastEthernet4

Service-policy output: WAN_OUT_VPN

Class-map: VPN-DATA-OUT (match-any)
956263 packets, 1384761065 bytes
5 minute offered rate 16403000 bps, drop rate 17000 bps
Match: access-group name Vers_VPN_Siege_Data
956263 packets, 1384761065 bytes
5 minute rate 16403000 bps
Queueing
queue limit 64 packets
(queue depth/total drops/no-buffer drops) 34/1609/0
(pkts output/bytes output) 954654/1437841860
shape (average) cir 20000000, bc 200000, be 200000
target shape rate 20000000
bandwidth 20% (20000 kbps)

Class-map: class-default (match-any)
109477 packets, 86382577 bytes
5 minute offered rate 996000 bps, drop rate 0000 bps
Match: any
Queueing
queue limit 64 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 109477/86382577
shape (average) cir 100000000, bc 1000000, be 1000000
target shape rate 100000000

 

So now, I can create other CMs in the same PM in order to have different queues according to the type of traffic.

 

If you have other or better suggestions or solutions, I'll take them, but now I can go forward.

 

Thank you!

 

Fabrice

In the meantime, now that QoS for output traffic works, I come back with a similar problem, but with the inbound tunneled traffic...

Indeed, I would like to restrict the bandwidth too for the traffic coming from the IPsec tunnel.

Shaping and bandwidth commands do not work inbound.

So I decided to police the traffic, which is accepted inbound.

I applied the CM and PM the same way as the outbound objects.

However, when applied to police traffic exceeding 20 Mb/s, it does not work.

QoS pre-classify is already enabled (on the crypto map; it works for outbound, as in my previous post).

Here are the CM and PM objects, and how they are applied on the interface:

 

 

class-map match-any VPN-DATA-IN
match access-group name Depuis_VPN_Siege_Data

 

policy-map WAN_IN_VPN
class VPN-DATA-IN
police 20000000
class class-default

 

interface FastEthernet4
service-policy input WAN_IN_VPN

 

Stats (everything is captured by the default queue, no policing applied):

 

 

RTR-LAB#sh policy-map interface fastEthernet 4
FastEthernet4

Service-policy input: WAN_IN_VPN

Class-map: VPN-DATA-IN (match-any)
0 packets, 0 bytes
5 minute offered rate 0000 bps, drop rate 0000 bps
Match: access-group name Depuis_VPN_Siege_Data
0 packets, 0 bytes
5 minute rate 0 bps
police:
cir 20000000 bps, bc 625000 bytes
conformed 0 packets, 0 bytes; actions:
transmit
exceeded 0 packets, 0 bytes; actions:
drop
conformed 0000 bps, exceeded 0000 bps

Class-map: class-default (match-any)
169 packets, 72066 bytes
5 minute offered rate 1000 bps, drop rate 0000 bps
Match: any

Service-policy output: WAN_OUT_VPN

Class-map: VPN-DATA-OUT (match-any)
2339388 packets, 2455150848 bytes
5 minute offered rate 116000 bps, drop rate 0000 bps
Match: access-group name Vers_VPN_Siege_Data
2339388 packets, 2455150848 bytes
5 minute rate 116000 bps
Queueing
queue limit 64 packets
(queue depth/total drops/no-buffer drops) 0/3164/0
(pkts output/bytes output) 2336224/2590156640
shape (average) cir 20000000, bc 200000, be 200000
target shape rate 20000000
bandwidth 20% (20000 kbps)

Class-map: class-default (match-any)
4519914 packets, 5894504160 bytes
5 minute offered rate 26000 bps, drop rate 0000 bps
Match: any
Queueing
queue limit 64 packets
(queue depth/total drops/no-buffer drops) 0/584/0
(pkts output/bytes output) 4519330/5893714208
shape (average) cir 100000000, bc 1000000, be 1000000
target shape rate 100000000

 

 

Any idea there too?

 

Fabrice
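The two "everything lands in class-default" counters in this thread, the first output stats in the original post and the inbound stats just above, are the pattern a monitoring check should catch rather than leave to eyeballing. The Python below is an added example, not part of the thread or of any Cisco tooling: it parses `show policy-map interface` output into per-class packet counts (child policies inherit the parent's direction, as in the nested INTERNET-VPN / WAN_OUT_VPN output of the first post) and flags every policy in which only class-default carries traffic. The sample output is constructed from the figures posted above, not a live capture.

```python
import re
from collections import OrderedDict

# Sample 'show policy-map interface' output, constructed from the figures posted in the
# thread (input WAN_IN_VPN and output WAN_OUT_VPN on FastEthernet4); not a live capture.
SAMPLE = """\
FastEthernet4

  Service-policy input: WAN_IN_VPN

    Class-map: VPN-DATA-IN (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0000 bps, drop rate 0000 bps
      Match: access-group name Depuis_VPN_Siege_Data
        0 packets, 0 bytes
        5 minute rate 0 bps
      police:
          cir 20000000 bps, bc 625000 bytes
        conformed 0 packets, 0 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          drop
        conformed 0000 bps, exceeded 0000 bps

    Class-map: class-default (match-any)
      169 packets, 72066 bytes
      5 minute offered rate 1000 bps, drop rate 0000 bps
      Match: any

  Service-policy output: WAN_OUT_VPN

    Class-map: VPN-DATA-OUT (match-any)
      2339388 packets, 2455150848 bytes
      5 minute offered rate 116000 bps, drop rate 0000 bps
      Match: access-group name Vers_VPN_Siege_Data
        2339388 packets, 2455150848 bytes
        5 minute rate 116000 bps

    Class-map: class-default (match-any)
      4519914 packets, 5894504160 bytes
      5 minute offered rate 26000 bps, drop rate 0000 bps
      Match: any
"""

POLICY_RE = re.compile(r"^Service-policy\s*(input|output)?\s*:\s*(\S+)")
CLASS_RE = re.compile(r"^Class-map:\s*(\S+)\s*\((match-any|match-all)\)")
COUNT_RE = re.compile(r"^(\d+) packets, (\d+) bytes")


def parse_policy_map_stats(text: str) -> OrderedDict:
    """Map (direction, policy) -> {class-map: matched packets}.
    Only the first 'N packets, M bytes' line after each Class-map header is taken;
    the per-match and policer counters that follow are skipped."""
    stats = OrderedDict()
    policy = None
    direction = None
    pending_class = None
    for raw in text.splitlines():
        line = raw.strip()
        m = POLICY_RE.match(line)
        if m:
            direction = m.group(1) or direction    # nested child policies omit the direction
            policy = (direction, m.group(2))
            stats.setdefault(policy, OrderedDict())
            pending_class = None
            continue
        m = CLASS_RE.match(line)
        if m and policy is not None:
            pending_class = m.group(1)
            continue
        m = COUNT_RE.match(line)
        if m and pending_class is not None:
            stats[policy][pending_class] = int(m.group(1))
            pending_class = None
    return stats


def classification_problems(stats) -> list:
    """One finding per policy in which only class-default carries traffic,
    i.e. the classifier never matched anything the policy was written for."""
    findings = []
    for (direction, policy), classes in stats.items():
        default = classes.get("class-default", 0)
        others = {c: n for c, n in classes.items() if c != "class-default"}
        if others and default > 0 and all(n == 0 for n in others.values()):
            findings.append(
                f"{direction} {policy}: {default} packets in class-default, "
                f"0 in {', '.join(others)}"
            )
    return findings


if __name__ == "__main__":
    parsed = parse_policy_map_stats(SAMPLE)
    for key, classes in parsed.items():
        print(key, dict(classes))
    for finding in classification_problems(parsed):
        print("PROBLEM:", finding)
```

Run against the real command output (for example piped from an SSH session), the check reports `input WAN_IN_VPN` here and stays quiet on the output policy, which is the result the last post shows: the output direction is classified correctly once pre-classification is in place, the input direction is not.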

 

 

 

 
