Cisco VTI IPsec

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_ike2vpn/configuration/15-mt/sec-flex-vpn-15-mt-book/sec-cfg-ikev2-flex.pdf

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_vpnips/configuration/xe-3s/sec-sec-for-vpns-w-ipsec-xe-3s-book/sec-ipsec-virt-tunnl.pdf

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_ike2vpn/configuration/xe-3s/sec-flex-vpn-xe-3s-book/sec-cfg-flex-serv.html#GUID-DB69AED1-1068-4700-B837-5F2967CCD9D2

https://www.cisco.com/en/US/technologies/tk583/tk372/technologies_white_paper0900aecd8029d629.html

https://learningnetwork.cisco.com/thread/127085

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_vpnips/configuration/xe-3s/sec-sec-for-vpns-w-ipsec-xe-3s-book/sec-ipsec-virt-tunnl.html#GUID-334CA827-6CC6-4743-9DC8-D4F8F31F79B5

IOS security

no service call-home
no service config
no service dhcp
no service finger
no service old-slip-prompts
no service pad
service password-encryption
no service pt-vty-logging
service sequence-numbers
no service slave-log
no service tcp-keepalives-in
no service tcp-keepalives-out
no service tcp-small-servers
no service telnet-zeroidle
service timestamps
no service udp-small-servers

Cisco Radius VSA

FreeRadius : https://freeradius.org/rfc/rfc2865.html

RADIUS Attributes : https://www.cisco.com/c/en/us/td/docs/routers/asr9000/software/asr9k_r4-2/bng/configuration/guide/b_bng_cg42asr9k/b_bng_cg42asr9k_appendix_01000.pdf

ASR9k VSA : https://supportforums.cisco.com/t5/service-providers-documents/asr9000-xr-bng-vsa-s-vendor-specific-attributes-and-services/ta-p/3141601

Matching EXP bits in ME3600

For anyone else in the future who may be experiencing a similar issue:

Problem turned out to be QoS ACL matching conditions. Docs here state:

http://www.cisco.com/c/en/us/td/docs/switches/metro/me3600x_3800x/software/release/15-5_1_S/configuration/guide/3800x3600xscg/swqos.html

“Not all IP ACL options are supported in QoS ACLs. Only these protocols are supported for permit actions in an IP ACL: TCP, and UDP

Although you can configure many options in ACLs, only some are supported for QoS ACLs.

For permit protocol, the supported keywords are: tcp, and udp.
For source and destination address, the supported entries are ip-address, any, or host.
For match criteria, the supported keywords are dscp or tos. You can also specify a time-range.”

I ended up having to modify the ACLs to only match on IP and remove the ICMP ACE and it works.

Working on ME3600X-24FS on 15.4(3)S6a and I am testing out a very simple QoS policy and it’s not working. Here’s my config:

class-map match-all ING-EF-CLASS
 match access-group name EF-CLASS-ACL
class-map match-all ING-EF-CLASS-EXP
 match mpls experimental topmost 5
!
ip access-list extended EF-CLASS-ACL
 permit udp any any dscp ef
 permit udp any any dscp cs5
 permit udp any any precedence critical
 permit icmp any any dscp ef
 deny ip any any
!
policy-map ING-UPLINK
 class ING-EF-CLASS
  set ip dscp ef
 class ING-EF-CLASS-EXP
  set mpls experimental topmost 5
!
interface GigabitEthernet0/24
 no switchport
 mtu 9800
 ip address 10.0.10.2 255.255.255.252
 ip mtu 9100
 ip router isis
 mpls ip
 mpls mtu 9100
 service-policy input ING-UPLINK

It seems that every packet on the wire is matching the class ‘ING-EF-CLASS-EXP’:

ME3600X#sh policy-map interface
 GigabitEthernet0/24

  Service-policy input: ING-UPLINK

    Class-map: ING-EF-CLASS (match-all)
      0 packets, 0 bytes
      30 second offered rate 0000 bps, drop rate 0000 bps
      Match: access-group name EF-CLASS-ACL
      set dscp 46

    Class-map: ING-EF-CLASS-EXP (match-all)
      1710 packets, 175484 bytes
      30 second offered rate 1000 bps, drop rate 0000 bps
      Match: mpls experimental topmost 5
      set mpls exp topmost 5

    Class-map: class-default (match-any)
      0 packets, 0 bytes
      30 second offered rate 0000 bps, drop rate 0000 bps
      Match: any
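As an added example that is not part of the thread and not a Cisco tool, the following Python checker applies the three QoS ACL restrictions quoted from the ME3600X/3800X guide above to the posted EF-CLASS-ACL, so an unsupported ACE can be caught before a class-map silently fails to match. It assumes standard extended ACE syntax (action, protocol, source, destination, then keyword/value option pairs) and treats any option keyword other than dscp, tos or time-range as not listed as supported.

```python
# Constructed sample: EF-CLASS-ACL exactly as posted above, before the ICMP ACE was removed.
SAMPLE_ACL = """\
ip access-list extended EF-CLASS-ACL
 permit udp any any dscp ef
 permit udp any any dscp cs5
 permit udp any any precedence critical
 permit icmp any any dscp ef
 deny ip any any
"""

# The restrictions quoted from the ME3600X/3800X QoS configuration guide on this page.
QOS_PERMIT_PROTOCOLS = {"tcp", "udp"}
QOS_MATCH_KEYWORDS = {"dscp", "tos", "time-range"}


def _take_endpoint(tokens):
    """Consume one source/destination entry: 'any' (1 token), 'host A.B.C.D' or
    'A.B.C.D WILDCARD' (2 tokens). Returns (entry, remaining tokens)."""
    if not tokens:
        return "", tokens
    if tokens[0] == "any":
        return tokens[0], tokens[1:]
    return " ".join(tokens[:2]), tokens[2:]


def check_qos_acl(acl_text):
    """Return a list of (ace, reason) for every ACE that violates a rule the guide
    lists for QoS ACLs. An empty list means the ACL only uses supported options."""
    findings = []
    for raw in acl_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("ip access-list", "remark", "!")):
            continue
        action, proto, *rest = line.split()
        # Rule 1: only tcp and udp are supported for permit actions.
        if action == "permit" and proto not in QOS_PERMIT_PROTOCOLS:
            findings.append((line, f"permit protocol '{proto}' not supported in QoS ACLs"))
        # Rule 2: source and destination must be any / host / address (consumed here).
        _, rest = _take_endpoint(rest)
        _, rest = _take_endpoint(rest)
        # Rule 3: remaining options are keyword/value pairs; only dscp, tos, time-range are listed.
        for keyword in rest[::2]:
            if keyword not in QOS_MATCH_KEYWORDS:
                findings.append((line, f"match keyword '{keyword}' not listed as supported"))
    return findings


if __name__ == "__main__":
    for ace, reason in check_qos_acl(SAMPLE_ACL):
        print(f"{ace!r}: {reason}")
```

Besides the ICMP ACE the poster removed, the checker also reports the precedence ACE, because the quoted list names only dscp and tos; whether the hardware actually tolerated that ACE is not something the thread states.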
