
Cisco ASR 1001 nbar

Good day, colleagues.

I have the following situation:

There is an ASR1k with the latest IOS

asr1001-universalk9.03.13.01.S.154-3.S1-ext

 

I need to attach a service-policy output to a Tunnel interface.

The policy itself is simple

 

class-map match-all SNMP
match access-group name SNMP
class-map match-all TELNET
match access-group name TELNET
class-map match-all WSUS
match access-group name WSUS
class-map match-all WINBOX
match access-group name WINBOX
class-map match-all EMULFR
match access-group name EMULFR
class-map match-all OSPF
match protocol ospf
class-map match-all OPEN
match access-group name OPEN
class-map match-all ICMP
match protocol icmp
class-map match-all HTTP
match access-group name HTTP
class-map match-all Web_Base
match access-group name Web_Base
class-map match-all ADM_SRV
match access-group name ADM_SRV
class-map match-all FTP
match access-group name FTP
class-map match-all RDP
match access-group name RDP-QOS
class-map match-all NTP
match access-group name NTP
class-map match-all SIP
match access-group name SIP
class-map match-all HTTPS
match access-group name HTTPS
class-map match-all MCAFE
match access-group name MCAFE
class-map match-all RTP
match protocol rtp
class-map match-all DNS
match access-group name DNS
class-map match-all 1C
match access-group name CITRIX
class-map match-any TunnelCls
match any 
!
policy-map Tunnel-child
class OSPF
 bandwidth percent 2 
class ICMP
 bandwidth percent 1 
class NTP
 bandwidth percent 1 
class TELNET
 bandwidth percent 1 
class RDP
 bandwidth percent 5 
class 1C
 bandwidth percent 10 
class Web_Base
 bandwidth percent 20 
class WINBOX
 bandwidth percent 2 
class SNMP
 bandwidth percent 2 
class SIP
 bandwidth percent 5 
class DNS
 bandwidth percent 2 
class HTTP
 bandwidth percent 10 
class HTTPS
 bandwidth percent 10 
class FTP
 bandwidth percent 2 
class EMULFR
 bandwidth percent 2 
class WSUS
 police cir percent 2
class MCAFE
 police cir percent 2
class ADM_SRV
 bandwidth percent 15 
class RTP
 bandwidth percent 2 
class OPEN
 police cir 500000
  violate-action drop 
class class-default
 fair-queue
 random-detect
policy-map Tunnel_2M
class class-default
 shape average 2048000
 police rate 2048000 
  violate-action drop 
  service-policy Tunnel-child
policy-map Tunnel_1M
class class-default
 shape average 1000000
 police rate 1000000 
  violate-action drop 
  service-policy Tunnel-child
policy-map Tunnel_1M_IN
class TunnelCls
 police rate 1000000 
  violate-action drop 
policy-map Tunnel_2M_IN
class TunnelCls
 police rate 2000000 
  violate-action drop 
policy-map Tunnel_5M_IN
class TunnelCls
 police rate 5000000 
  violate-action drop 
policy-map Tunnel_5M
class class-default
 shape average 5000000
 police rate 5000000 
  violate-action drop 
  service-policy Tunnel-child

 

When I try to attach it to the interface, I see this in the logs

(nbar): (err): NBAR is not supported on  TunnelХХХ

 

The tunnel is simple:

 

interface TunnelХХХ
ip address 172.20.2.5 255.255.255.252
ip mtu 1450
ip access-group DMZ_IN in
ip access-group DMZ_OUT out
ip policy route-map Forward_GlobalIP
ip ospf network point-to-point
ip ospf mtu-ignore
ip ospf cost 40
tunnel source 1.1.1.1
tunnel mode ipip
tunnel destination 2.2.2.2
tunnel protection ipsec profile IPSec-AES
service-policy input Tunnel_5M_IN

 

It is clear enough that this is a limitation of the IOS XE platform (though why is not clear).

Is there a way to disable NBAR so that the Tunnel_5M policy can be attached to logical interfaces? On regular IOS exactly the same service-policy works fine.

Digging through the documentation brought no clarity.

Edited by myst


Correct me if I'm wrong, but the policy should be attached to the physical interface, and on the tunnel you write

qos pre-classify

That would be so, BUT the tunnels have different BW, and my policy uses bandwidth percent; I doubt it would work.

Besides, this is the output direction, that is, traffic into the tunnel. If I attach the output policy to the physical interface, the direction will be inverted.
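An added example, not part of the thread and not Cisco's code: a Python script that walks a policy-map and its nested child policies and lists the classes that use `match protocol`, the MQC statement that is classified through NBAR. It assumes those statements are what triggers the "NBAR is not supported" message; the function names and the trimmed sample configuration are constructed for illustration.

```python
# Constructed sample: an excerpt of the configuration posted in the thread.
SAMPLE_CONFIG = """\
class-map match-all SNMP
 match access-group name SNMP
class-map match-all OSPF
 match protocol ospf
class-map match-any TunnelCls
 match any
policy-map Tunnel-child
 class OSPF
  bandwidth percent 2
 class SNMP
  bandwidth percent 2
policy-map Tunnel_5M_IN
 class TunnelCls
  police rate 5000000
policy-map Tunnel_5M
 class class-default
  shape average 5000000
  service-policy Tunnel-child
"""

def parse(config):
    """Return ({class-map: [match lines]}, {policy-map: [(keyword, name)]})."""
    cmaps, pmaps, cur, kind = {}, {}, None, None
    for line in config.splitlines():
        w = line.split() or [""]          # tolerate blank lines
        if w[0] in ("class-map", "policy-map"):
            kind = w[0]                   # remember which block we are inside
            cur = (cmaps if kind == "class-map" else pmaps).setdefault(w[-1], [])
        elif kind == "class-map" and w[0] == "match":
            cur.append(" ".join(w))
        elif kind == "policy-map" and w[0] in ("class", "service-policy"):
            cur.append((w[0], w[-1]))
    return cmaps, pmaps

def nbar_classes(config, policy):
    """Classes reachable from `policy`, child policies included, that need NBAR."""
    cmaps, pmaps = parse(config)
    found, todo = {}, [policy]
    while todo:
        name = todo.pop()
        # pop() consumes each policy-map once, so a nesting loop cannot recurse forever
        for keyword, ref in pmaps.pop(name, []):
            hits = [m for m in cmaps.get(ref, []) if m.startswith("match protocol ")]
            if keyword == "service-policy":
                todo.append(ref)          # descend into the child policy
            elif hits:
                found[ref] = hits
    return found
```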
