Topic: Marking GETVPN
dogfartbig
Guru
Member # 30698
posted October 28, 2011 01:10 AM
How do I match GET VPN with a class map if there is no option for marking traffic with an ACL? What should I match? UDP 848? And IPsec? Or just UDP 848?
Is this possible: do port mapping with NBAR for UDP 848 and match that custom protocol?
ANY COMMENT?
THANKS AND REGARDS!
Posts: 234 | From: Bosnia and Herzegovina | Registered: Mar 2011
vek
Jr Member
Member # 31469
posted October 28, 2011 12:31 PM
UDP 848 between the key server and group members; ESP between group members.
Posts: 11 | From: SF Bay Area | Registered: Oct 2011
CCIEG
Member
Member # 31052
posted October 28, 2011 09:44 PM
UDP 848 and UDP 500 (IKE) between the key server and group members; ESP between group members.
NOTE: UDP 848 and IKE (UDP 500) are only used during registration to the KS and also during re-registration. In "show crypto isakmp" you will see GDOI idle. In GET VPN, the phase-one policy parameters are only used during registration and re-registration.
Posts: 17 | From: United States | Registered: Jul 2011
dogfartbig
Guru
Member # 30698
posted October 29, 2011 11:02 AM
THANKS for the replies!
I understand the ports and the traffic between the KS and GMs, and the way they communicate... but how do I mark it without using an ACL? And when we are asked to mark GETVPN, does that mean just UDP 848 or the whole set of protocols involved in the process?
As you said, if we have, for example, a KS, I assume we need to mark IKE and UDP 848...
If we have a GM, we need to mark IKE, ESP and UDP 848?
Correct?
Since there is no protocol definition for UDP 848, is it possible to use NBAR to define a custom protocol for UDP 848 and then use it in a class map?
REGARDS
THANKS
Posts: 234 | From: Bosnia and Herzegovina | Registered: Mar 2011
CCIEG
Member
Member # 31052
posted October 29, 2011 12:47 PM
I would suggest you create an ACL that matches all of the ports: UDP 848, UDP 500 and ESP.
Posts: 17 | From: United States | Registered: Jul 2011
dogfartbig
Guru
Member # 30698
posted October 30, 2011 12:55 AM
What if we don't have the option to use an ACL?
THANKS! REGARDS
Posts: 234 | From: Bosnia and Herzegovina | Registered: Mar 2011
CCIEG
Member
Member # 31052
posted October 30, 2011 08:16 PM
If you do not want to create an ACL, you can create a class map that matches only those ports.
Posts: 17 | From: United States | Registered: Jul 2011
dogfartbig
Guru
Member # 30698
posted October 31, 2011 02:53 AM
Yes, you can do that with class-map type port-filter, but with policy-map type port-filter you can only drop that traffic... no option for any QoS...
REGARDS
Posts: 234 | From: Bosnia and Herzegovina | Registered: Mar 2011
Smeans
unregistered
posted November 02, 2011 02:54 PM
This post has been going on for days, have you labbed it yet? lol!
dogfartbig
Guru
Member # 30698
posted November 02, 2011 11:38 PM
I labbed it up, but I don't know how to verify the QoS policy regarding bandwidth reservation, so... )))))
REGARDS
Posts: 234 | From: Bosnia and Herzegovina | Registered: Mar 2011
Smeans
unregistered
posted November 03, 2011 08:28 AM
"show policy-map interface" should show you counters increasing if the 848 traffic is actually matched after you do your port map.
dogfartbig
Guru
Member # 30698
posted November 03, 2011 09:02 AM
That is OK! The policy is matched, but I don't know how to check the QoS policy action that should reserve, for example, 25% of the bandwidth....
THANKS MAN!!
REGARDS!
Posts: 234 | From: Bosnia and Herzegovina | Registered: Mar 2011
Smeans
unregistered
posted November 03, 2011 09:08 AM
If the traffic is matched then you're fine as far as the lab is concerned.
In the real world, bandwidth reservation only kicks in during congestion, so you'd have to artificially load the interface (traffic generation app/appliance) and see if the GDOI traffic got through.
Of course you'd never care to reserve 25% of bandwidth just for GDOI, as it's only used during registration and rekey; you'd want to identify and reserve for the actual ESP traffic.
dogfartbig
Guru
Member # 30698
posted November 03, 2011 09:10 AM
That is what I mean... how to produce that much ESP traffic in the lab and how to measure it... ))))
THANKS MAN!!!
REGARDS!!!
Posts: 234 | From: Bosnia and Herzegovina | Registered: Mar 2011
Smeans
unregistered
posted November 03, 2011 11:43 AM
You don't HAVE to produce a bunch of ESP traffic to test, though. If the question is:
"Identify GET traffic and give it 25% of interface s0/0/0 bandwidth. You may not use an ACL to accomplish this."
If the GDOI and ESP traffic are identified (counters increase when GDOI and ESP traffic happen) and the action in the policy-map is "bandwidth percent 25", then you're good. You don't have to actually test under congestion to know that it's working; the simple fact that the counters for the class increase lets you know it's good for lab purposes.
Kingsley Charles (CCSP, CCNP, CCIP)
Brainiac
Member # 29872
posted November 05, 2011 08:53 AM
Use UDP ports 848 and 4500 (NAT-T). 500 is not used with GDOI.
With regards, Kings
Posts: 887 | From: India | Registered: Jun 2010
dogfartbig
Guru
Member # 30698
posted November 09, 2011 12:35 AM
You are right as always! ISAKMP phase 1 is in UDP 848 and, behind NAT, NAT-T on UDP 4500.
THANKS!!!!
REGARDS
Posts: 234 | From: Bosnia and Herzegovina | Registered: Mar 2011
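An added IOS configuration example that pulls the thread's answers together; it is not from any poster above. It classifies the GETVPN control plane (GDOI registration/rekey on UDP 848, plus IKE on UDP 500 and NAT-T on UDP 4500, so it covers both port lists given in the thread) and the data plane (ESP between group members) without an ACL, by extending an NBAR port map and matching protocols in class maps, and then reserves 25% of Serial0/0/0 for the ESP traffic with "bandwidth percent". The class, policy and interface names are made up, the 5% control-plane share is an arbitrary choice, and the whole thing assumes an IOS image whose NBAR protocol list includes "isakmp" and "ipsec" and accepts "ip nbar port-map" on "isakmp"; check "show ip nbar port-map" on your own platform before relying on it.

```cisco
! Added example, not from any post in this thread. GETVPN-CONTROL,
! GETVPN-DATA, WAN-OUT and Serial0/0/0 are made-up names.
!
! 1. Extend NBAR's static port map so GDOI (UDP 848) is classified as
!    isakmp alongside IKE (500) and NAT-T (4500).
!    Assumption: this IOS build lists isakmp/ipsec in NBAR and allows
!    port-map on isakmp.
ip nbar port-map isakmp udp 500 848 4500
!
! 2. Classify without an ACL.
!    Control plane: KS <-> GM registration, re-registration and rekey.
!    Data plane:    GM <-> GM ESP (IP protocol 50).
class-map match-any GETVPN-CONTROL
 match protocol isakmp
class-map match-any GETVPN-DATA
 match protocol ipsec
!
! 3. Reserve bandwidth. Control traffic only flows during registration
!    and rekey, so it gets a small share (5% is an arbitrary choice);
!    the ESP data plane gets the 25% discussed in the thread.
policy-map WAN-OUT
 class GETVPN-CONTROL
  bandwidth percent 5
 class GETVPN-DATA
  bandwidth percent 25
 class class-default
  fair-queue
!
interface Serial0/0/0
 service-policy output WAN-OUT
!
! Verification (run after a GM has registered and ESP is flowing):
!   show ip nbar port-map isakmp          - confirms udp 500 848 4500
!   show policy-map interface Serial0/0/0 - per-class packet counters
!                                           should increase
!   show crypto gdoi                      - GM registration state
```

Two points worth keeping in mind when reading the counters. First, an output service policy on a GM sees packets after encryption, so the data plane shows up in GETVPN-DATA as ESP, not as the original application flows; GETVPN preserves the original IP header, so the inner DSCP is still visible on the ESP packet if you later want to mark or match on it. Second, as the thread says, "bandwidth percent" only takes effect under congestion: rising counters prove the classification is right, while the reservation itself can only be observed by loading the interface.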