Re: [OSL | CCIE_RS] Rendom Early Detection on IPSEC

[abdel el anazi]

The packet are correctly  classified in to Prec 5 but I don't see RED doing 
anything to avoid tail Drop. 


Service-policy output: CBWFQ

    Class-map: class-default (match-any)
      467193 packets, 171110953 bytes
      1 minute offered rate 374000 bps, drop rate 0 bps
      Match: any
      Traffic Shaping
           Target/Average   Byte   Sustain   Excess    Interval  Increment
             Rate           Limit  bits/int  bits/int  (ms)      (bytes)
          6000000/6000000   37500  150000    150000    25        18750

        Adapt  Queue     Packets   Bytes     Packets   Bytes     Shaping
        Active Depth                         Delayed   Delayed   Active
        -      0         467193    171110953 164       67061     no
      Queueing
        Output Queue: Conversation 265
        Bandwidth 6000 (kbps)
        (pkts matched/bytes matched) 248/122177
        (depth/total drops/no-buffer drops) 0/0/0
         exponential weight: 9
         mean queue depth: 0

  class    Transmitted      Random drop      Tail drop    Minimum Maximum  Mark
           pkts/bytes       pkts/bytes       pkts/bytes    thresh  thresh  prob
      0    6025/813174          0/0              0/0           20      40  1/10
      1       0/0                    0/0              0/0           22      40  
1/10
      2       0/0                    0/0              0/0           24      40  
1/10
      3       0/0                    0/0              0/0           26      40  
1/10
      4       0/0                    0/0              0/0           28      40  
1/10
      5  461154/170295503    0/0              0/0           30      40  1/10
      6      14/2276              0/0               0/0           32      40  
1/10
      7       0/0                    0/0              0/0           34      40  
1/10
   rsvp       0/0                   0/0              0/0           36      40  
1/10

strange is that the interface is showing output drops:

Total output drops: 1132

so why is that?



> Subject: RE: [OSL | CCIE_RS] Rendom Early Detection on IPSEC
> Date: Wed, 18 Nov 2009 22:51:54 +0000
> From: erik.fairbanks....@fe.navy.mil
> To: rgam...@gmail.com; a.elan...@hotmail.com
> CC: ccie_rs@onlinestudylist.com
> 
> Roglio is correct.  Check out the following link for additional info.
> 
> http://www.cisco.com/en/US/docs/ios/12_2t/12_2t2/feature/guide/ftqosvpn.
> html
> 
> Also, the end-to-end QoS design book states that the TOS markings are
> automatically copied to the tunnel header without any configuration, but
> when QoS-Preclassify is enabled, some additional information is added (I
> don't have the book in front of me to provide specifics - sorry).  In
> testing a while back, I found that nothing is copied to the ToS field of
> the tunnel packet header unless the qos-preclassify is explicitly
> configured.  It is possible that the automatic population of ToS
> information from the clear-side to encrypted-side was "turned off" in
> later IOS releases because it presents a potential covert channel.  For
> instance, somebody could write a small program and run it on their
> computer that uses the ToS bits as a mechanism to transmit data from the
> trusted network to the untrusted network.  Somebody on the untrusted
> network could then intercept the packets and reassemble the data passed
> via the ToS bit.  Obviously, if your routers are configured to not trust
> incoming packets and rewrite the bit, this isn't possible...
> 
> 
> 
> -----Original Message-----
> From: ccie_rs-boun...@onlinestudylist.com
> [mailto:ccie_rs-boun...@onlinestudylist.com] On Behalf Of Rogelio Gamino
> Sent: Thursday, November 19, 2009 7:27 AM
> To: abdel el anazi
> Cc: ccie_rs@onlinestudylist.com
> Subject: Re: [OSL | CCIE_RS] Rendom Early Detection on IPSEC
> 
> I think you need "qos pre-classify" in your "crypto map" configuration.
> 
> 
> 
> 
> On Wed, Nov 18, 2009 at 4:08 PM, abdel el anazi <a.elan...@hotmail.com>
> wrote:
> 
> 
>       Hi all,
>        
>       I stumbled into a real life scenario where I had to avoid
> congestion on a leased line. So I try to use Random Early Detection on
> an output direction the same interface is having a crypto map applied to
> run ipsec in tunnel mode. Now I notice that when I use sh policy-map int
> fa0/2/0 RED is not dropping any traffic and not controlling the burst. I
> used allot of test with Jperf TCP, but dont see any diffrent on the
> performance when I enable RED or disable it.
>        
>       Is it posible that RED is not detecting the TCP flow becuse of
> the ipsec?
>        
>       is there any why to work around this issue.
>        
>        
>       Best Regards
>        
>        
> 
> 
> 
> ________________________________
> 
>       Express yourself instantly with MSN Messenger! MSN Messenger
> <http://clk.atdmt.com/AVE/go/onm00200471ave/direct/01/> 
> 
>       _______________________________________________
>       For more information regarding industry leading CCIE Lab
> training, please visit www.ipexpert.com
>       
>       
> 
> 
                                          
_________________________________________________________________
New Windows 7: Find the right PC for you. Learn more.
http://windows.microsoft.com/shop
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit 
www.ipexpert.com