To apply different policies to different traffic, we can use a Virtual Tunnel Interface (VTI) on an IOS router.
VTI site-to-site (static)
! R1
conf t
! Old tunnel for DMVPN
int tun 0
shutdown
exit
crypto ipsec transform-set P2P-SET esp-aes 256 esp-sha-hmac
mode tunnel
exit
crypto ipsec profile P2P-PROFILE
set transform-set P2P-SET
exit
do show run | section crypto
interface tunnel 1
! ip unnumbered borrows the IP address of loopback 0 for the tunnel
ip unnumbered loopback 0
tunnel source serial 1/0
tunnel destination 35.0.0.3
tunnel mode ipsec ipv4
tunnel protection ipsec profile P2P-PROFILE
exit
router eigrp 777
network 1.1.1.1 0.0.0.0
end
! R3
conf t
! Old tunnel for DMVPN
int tun 0
shutdown
exit
crypto ipsec transform-set P2P-SET esp-aes 256 esp-sha-hmac
mode tunnel
exit
crypto ipsec profile P2P-PROFILE
set transform-set P2P-SET
exit
do show run | section crypto
interface tunnel 1
ip unnumbered loopback 0
tunnel source serial 1/0
tunnel destination 15.0.0.1
tunnel mode ipsec ipv4
tunnel protection ipsec profile P2P-PROFILE
exit
router eigrp 777
network 3.3.3.3 0.0.0.0
end
show crypto isakmp sa
show crypto engine connection active
show ip eigrp neighbors
show ip route eigrp
ping 10.1.1.1 source 10.3.3.3
show ip int brief | exclude unassigned
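As an added example, not part of the original post: a small Python pre-check that parses the two routers' VTI configuration excerpts and flags the mismatches that most often keep the SA from coming up (transform-set algorithms, profile references, tunnel mode, cross-referenced tunnel destinations, EIGRP AS). The config text is constructed from the R1/R3 snippets above; the serial addresses 15.0.0.1 and 35.0.0.3 are taken from the tunnel destinations and the ping.

```python
import re

# Constructed from the page's R1 and R3 snippets (same names/addresses; R3 mirrors R1).
R1_CFG = """crypto ipsec transform-set P2P-SET esp-aes 256 esp-sha-hmac
 mode tunnel
crypto ipsec profile P2P-PROFILE
 set transform-set P2P-SET
interface tunnel 1
 tunnel destination 35.0.0.3
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile P2P-PROFILE
router eigrp 777"""
R3_CFG = R1_CFG.replace("35.0.0.3", "15.0.0.1")

def parse(cfg):
    """Extract the VTI-relevant fields from an IOS config excerpt (first match wins)."""
    def grab(pat, group=1):
        m = re.search(pat, cfg, re.M)
        return m.group(group).strip() if m else None
    return {
        "ts_name": grab(r"^crypto ipsec transform-set (\S+) (.+)$"),
        "ts_algos": grab(r"^crypto ipsec transform-set (\S+) (.+)$", 2),
        "ts_mode": grab(r"^\s*mode (\S+)"),
        "profile": grab(r"^crypto ipsec profile (\S+)"),
        "profile_ts": grab(r"^\s*set transform-set (\S+)"),
        "tun_dest": grab(r"^\s*tunnel destination (\S+)"),
        "tun_mode": grab(r"^\s*tunnel mode (.+)$"),
        "tun_prot": grab(r"^\s*tunnel protection ipsec profile (\S+)"),
        "eigrp_as": grab(r"^router eigrp (\d+)"),
    }

def check_pair(cfg_a, wan_a, cfg_b, wan_b):
    """Return mismatches between two VTI peers (empty list = consistent); wan_* are the tunnel-source addresses."""
    a, b = parse(cfg_a), parse(cfg_b)
    out = []
    for side, f in (("A", a), ("B", b)):  # per-router internal consistency
        if f["profile_ts"] != f["ts_name"]:
            out.append(f"{side}: profile uses transform-set {f['profile_ts']}, defined {f['ts_name']}")
        if f["tun_prot"] != f["profile"]:
            out.append(f"{side}: tunnel protection uses {f['tun_prot']}, defined {f['profile']}")
        if f["tun_mode"] != "ipsec ipv4":
            out.append(f"{side}: tunnel mode {f['tun_mode']!r}, a VTI needs 'ipsec ipv4'")
    if (a["ts_algos"], a["ts_mode"]) != (b["ts_algos"], b["ts_mode"]):  # algorithms must match, names need not
        out.append(f"transform-set mismatch: {a['ts_algos']}/{a['ts_mode']} vs {b['ts_algos']}/{b['ts_mode']}")
    if a["tun_dest"] != wan_b or b["tun_dest"] != wan_a:
        out.append(f"tunnel destinations do not cross-reference: A->{a['tun_dest']}, B->{b['tun_dest']}")
    if a["eigrp_as"] != b["eigrp_as"]:
        out.append(f"EIGRP AS mismatch: {a['eigrp_as']} vs {b['eigrp_as']}")
    return out
```

Run `check_pair(R1_CFG, "15.0.0.1", R3_CFG, "35.0.0.3")` on the page's pair and it returns an empty list; changing one side's cipher or destination address produces a named mismatch.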
Let's apply different policies to traffic going through the tunnel interface and to traffic flowing in clear text, i.e. through the physical interface.
! R3 Policies
conf t
class-map match-all VTI-CLASS
match any
exit
class-map match-all Serial-CLASS
match any
exit
do show class-map
policy-map VTI-MAP
class VTI-CLASS
set precedence 2
exit
exit
policy-map Serial-MAP
class Serial-CLASS
set precedence 4
exit
exit
do show policy-map
int tunnel 1
service-policy output VTI-MAP
exit
int serial 1/0
service-policy output Serial-MAP
end
show policy-map interface tunnel 1
show policy-map interface serial 1/0
ping 15.0.0.1 repeat 3
show policy-map interface serial 1/0