首页 科技问答 罗梦恺,MSR 基于ipsec隧道流量做流通qos时acl的调用方式

罗梦恺,MSR 基于ipsec隧道流量做流通qos时acl的调用方式

科技问答 251
1676538189,

组网及说明

MSR======ipsec=======MSR

问题描述

MSR设备 做IPSec VPN时,基于ipsec的流量做QoS 流通时的acl调用情况实验室测试如下:

版本:Release 0707P16 其余版本测试接口基本一致

MSR1:内网地址10.1.1.1 wan口地址100.1.1.1

MSR2:  内网地址10.1.2.1 wan口地址100.1.1.2

 配置:

MSR1

MSR2

#

traffic classifier 1 operator and

if-match acl 3001

#

traffic behavior 1

filter permit

#

qos policy 1

classifier 1 behavior 1

#

interface LoopBack0

ip address 10.1.1.1 255.255.255.0

#

interface GigabitEthernet0/0

port link-mode route

description Single_Line1

ip address 100.1.1.1 255.255.255.0

qos apply policy 1 inbound

 qos apply policy 1 outbound

 ipsec apply policy map1

#

ip route-static 0.0.0.0 0 100.1.1.2

#

acl advanced 3000

rule 0 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255

#

acl advanced 3001

rule 0 permit ip source 10.1.1.1 0 destination 10.1.2.1 0

rule 10 permit ip source 10.1.2.1 0 destination 10.1.1.1 0

#

ipsec transform-set tran1

esp encryption-algorithm aes-cbc-128

 esp authentication-algorithm sha1

#

ipsec policy map1 10 isakmp

transform-set tran1

 security acl 3000

 local-address 100.1.1.1

remote-address 100.1.1.2

ike-profile profile1

#

ike profile profile1

keychain keychain1

match remote identity address 100.1.1.2 255.255.255.0

#

ike keychain keychain1

pre-shared-key address 100.1.1.2 255.255.255.0 key cipher $c$3$hGd/G70U2sNc62XvPnFTJ+FaK+vre8zqsA==

#

interface LoopBack0

ip address 10.1.2.1 255.255.255.0

#

interface GigabitEthernet0/0

port link-mode route

ip address 100.1.1.2 255.255.255.0

ipsec apply policy use1

#

ip route-static 0.0.0.0 0 100.1.1.1

#

acl advanced 3000

rule 0 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255

#

ipsec transform-set tran1

esp encryption-algorithm aes-cbc-128

 esp authentication-algorithm sha1

#

ipsec policy use1 10 isakmp

transform-set tran1

 security acl 3000

 local-address 100.1.1.2

remote-address 100.1.1.1

ike-profile profile1

#

ike profile profile1

keychain keychain1

match remote identity address 100.1.1.1 255.255.255.0

#

ike keychain keychain1

pre-shared-key address 100.1.1.1 255.255.255.0 key cipher $c$3$UwmBOA4QAvEHrnXloqrbHyRYL0j1Zmez4g==

测试1:基于内网地址做qos

<830>dis ike sa

    Connection-ID   Remote                Flag         DOI   

------------------------------------------------------------------

9               100.1.1.2             RD           IPsec 

<830>dis ipsec sa brief

-----------------------------------------------------------------------------

Interface/Global          Dst Address       SPI         Protocol    Status     

-----------------------------------------------------------------------------

GE0/0                     100.1.1.2         3613014362  ESP         Active     

GE0/0                     100.1.1.1         4167624094  ESP         Active     

GE0/0                     100.1.1.2         1670495072  ESP         Active     

GE0/0                     100.1.1.1         1609372173  ESP         Active 

<830>ping -a 10.1.1.1 10.1.2.1    //内网地址ping测试

Ping 10.1.2.1 (10.1.2.1) from 10.1.1.1: 56 data bytes, press CTRL_C to break

56 bytes from 10.1.2.1: icmp_seq=0 ttl=255 time=1.085 ms

56 bytes from 10.1.2.1: icmp_seq=1 ttl=255 time=0.617 ms

56 bytes from 10.1.2.1: icmp_seq=2 ttl=255 time=0.582 ms

56 bytes from 10.1.2.1: icmp_seq=3 ttl=255 time=0.568 ms

56 bytes from 10.1.2.1: icmp_seq=4 ttl=255 time=0.517 ms

 

<830>dis qos policy int g0/0    //入方向不配置pre-classify也能统计到,出方向无法统计到

Interface: GigabitEthernet0/0

Direction: Inbound

  Policy: 1

   Classifier: default-class

     Matched : 5 (Packets) 830 (Bytes)

     5-minute statistics:

      Forwarded: 0/22 (pps/bps)

      Dropped  : 0/0 (pps/bps)

     Operator: AND

     Rule(s) :

      If-match any

     Behavior: be

      -none-

   Classifier: 1

     Matched : 5 (Packets) 490 (Bytes)

     5-minute statistics:

      Forwarded: 0/13 (pps/bps)

      Dropped  : 0/0 (pps/bps)

     Operator: AND

     Rule(s) :

      If-match acl 3001

     Behavior: 1

      Filter enable: Permit

              

Interface: GigabitEthernet0/0

  Direction: Outbound

  Policy: 1

   Classifier: default-class

     Matched : 5 (Packets) 830 (Bytes)

     5-minute statistics:

      Forwarded: 0/22 (pps/bps)

      Dropped  : 0/0 (pps/bps)

     Operator: AND

     Rule(s) :

      If-match any

     Behavior: be

      -none-

   Classifier: 1

     Matched : 0 (Packets) 0 (Bytes)

     5-minute statistics:

      Forwarded: 0/0 (pps/bps)

      Dropped  : 0/0 (pps/bps)

     Operator: AND

     Rule(s) :

      If-match acl 3001

     Behavior: 1

      Filter enable: Permit

 

测试2:添加qos pre-classify

添加配置:

#

ipsec policy map1 10 isakmp

transform-set tran1

 security acl 3000

 local-address 100.1.1.1

remote-address 100.1.1.2

qos pre-classify

ike-profile profile1

 

<830>reset counters interface //清空qos统计

 

 

<830>ping -a 10.1.1.1 10.1.2.1

Ping 10.1.2.1 (10.1.2.1) from 10.1.1.1: 56 data bytes, press CTRL_C to break

56 bytes from 10.1.2.1: icmp_seq=0 ttl=255 time=1.096 ms

56 bytes from 10.1.2.1: icmp_seq=1 ttl=255 time=0.593 ms

56 bytes from 10.1.2.1: icmp_seq=2 ttl=255 time=0.601 ms

56 bytes from 10.1.2.1: icmp_seq=3 ttl=255 time=0.601 ms

56 bytes from 10.1.2.1: icmp_seq=4 ttl=255 time=0.598 ms

 

 

 

 

<830>dis qos policy int g0/0

Interface: GigabitEthernet0/0

Direction: Inbound

  Policy: 1

   Classifier: default-class

     Matched : 5 (Packets) 830 (Bytes)

     5-minute statistics:

      Forwarded: 0/0 (pps/bps)

      Dropped  : 0/0 (pps/bps)

     Operator: AND

     Rule(s) :

      If-match any

     Behavior: be

      -none-

   Classifier: 1

     Matched : 5 (Packets) 490 (Bytes)

     5-minute statistics:

      Forwarded: 0/0 (pps/bps)

      Dropped  : 0/0 (pps/bps)

     Operator: AND

     Rule(s) :

      If-match acl 3001

     Behavior: 1

      Filter enable: Permit

              

Interface: GigabitEthernet0/0

Direction: Outbound

  Policy: 1

   Classifier: default-class

     Matched : 0 (Packets) 0 (Bytes)

     5-minute statistics:

      Forwarded: 0/0 (pps/bps)

      Dropped  : 0/0 (pps/bps)

     Operator: AND

     Rule(s) :

      If-match any

     Behavior: be

      -none-

   Classifier: 1

     Matched : 5 (Packets) 830 (Bytes)

     5-minute statistics:

      Forwarded: 0/0 (pps/bps)

      Dropped  : 0/0 (pps/bps)

     Operator: AND

     Rule(s) :

      If-match acl 3001

     Behavior: 1

      Filter enable: Permit

 

测试3:基于内外网地址的acl做qos。

#

acl advanced 3001

rule 0 permit ip source 10.1.1.1 0 destination 10.1.2.1 0

rule 10 permit ip source 10.1.2.1 0 destination 10.1.1.1 0

rule 20 permit ip source 100.1.1.1 0 destination 100.1.1.2 0  .//添加wan口的rule

rule 30 permit ip source 100.1.1.2 0 destination 100.1.1.1 0

#

Undo qos pre-classify   (删除qos pre-classify

#

<830>reset counters interface //清空qos统计

 

 

<830>ping -a 10.1.1.1 10.1.2.1

Ping 10.1.2.1 (10.1.2.1) from 10.1.1.1: 56 data bytes, press CTRL_C to break

56 bytes from 10.1.2.1: icmp_seq=0 ttl=255 time=2.048 ms

56 bytes from 10.1.2.1: icmp_seq=1 ttl=255 time=0.840 ms

56 bytes from 10.1.2.1: icmp_seq=2 ttl=255 time=0.783 ms

56 bytes from 10.1.2.1: icmp_seq=3 ttl=255 time=0.674 ms

56 bytes from 10.1.2.1: icmp_seq=4 ttl=255 time=0.777 ms

 

<830>dis qos policy int g0/0

Interface: GigabitEthernet0/0

  Direction: Inbound

  Policy: 1

   Classifier: default-class

     Matched : 0 (Packets) 0 (Bytes)

     5-minute statistics:

      Forwarded: 0/0 (pps/bps)

      Dropped  : 0/0 (pps/bps)

     Operator: AND

     Rule(s) :

      If-match any

     Behavior: be

      -none-

   Classifier: 1

     Matched : 10 (Packets) 1320 (Bytes)   //能统计到两次,内网外网rule都能匹配到

     5-minute statistics:

      Forwarded: 0/0 (pps/bps)

      Dropped  : 0/0 (pps/bps)

     Operator: AND

     Rule(s) :

      If-match acl 3001

     Behavior: 1

      Filter enable: Permit

              

Interface: GigabitEthernet0/0

  Direction: Outbound

  Policy: 1

   Classifier: default-class

     Matched : 0 (Packets) 0 (Bytes)

     5-minute statistics:

      Forwarded: 0/0 (pps/bps)

      Dropped  : 0/0 (pps/bps)

     Operator: AND

     Rule(s) :

      If-match any

     Behavior: be

      -none-

   Classifier: 1

     Matched : 5 (Packets) 830 (Bytes)   //统计到外网的rule

     5-minute statistics:

      Forwarded: 0/0 (pps/bps)

      Dropped  : 0/0 (pps/bps)

     Operator: AND

     Rule(s) :

      If-match acl 3001

     Behavior: 1

      Filter enable: Permit

过程分析

针对ipsec流量的qos,MSR设备入方向可直接统计到基于内网地址的流量,出方向需要配置pre-classify后才能统计到内网地址流量

解决方法

最佳的配置方式,基于内网地址acl做qos,同时配置pre-classify,出入方向都能匹配上。

CRM论坛(CRMbbs.com)——一个让用户更懂CRM的垂直性行业内容平台,CRM论坛致力于互联网、客户管理、销售管理、SCRM私域流量内容输出5年。 如果您有好的内容,欢迎向我们投稿,共建CRM多元化生态体系,创建CRM客户管理一体化生态解决方案。本文来源:知了社区基于知识共享署名-相同方式共享3.0中国大陆许可协议,MSR 基于ipsec隧道流量做流通qos时acl的调用方式