Service policy to mark PC traffic to DSCP=0

Unanswered Question
Jul 17th, 2007

I'm trying to ensure that no PC traffic ever leaves the access layer with anything other than dscp/cos 0, so that some smart WinXP user can't mark his traffic like voice.

The access layer is a 6506 running IOS. I figure all I need to do is set up an ACL for all traffic on our data network space, run that through a policy map to mark the permitted traffic to 0, then apply the policy map to the vlan interface that the access layer PCs are plugged into.

Each port on the 6506 blades will have an Avaya IP phone and a PC plugged into the IP phone. The PC data network is 164.72.0.0 vlan 17 and the voice network is 172.26.0.0 vlan 910.

I have a utility I'm using that I can mark the PC (WinXP) packets to dscp=46 to simulate voice traffic.

Here is the pertinent config, and the problem is after spanning the port the PC is plugged into I still see its packets marked with dscp=46.

Have I set up the correct way to mark all traffic from 164.72.0.0 to dscp=0, or is there another way to do this?

class-map match-all Mark_PC_traffic_to_0
 match access-group 161
!
!
policy-map Mark_PC_traffic_to_0
 class Mark_PC_traffic_to_0
  set dscp default

GHQ-6509A-AU-W271B#sh run int g1/19
Building configuration...

Current configuration : 206 bytes
!
interface GigabitEthernet1/19
 description GHQ003
 switchport
 switchport access vlan 17
 switchport mode access
 switchport voice vlan 910
 no ip address
 mls qos trust dscp
 spanning-tree portfast
end

interface Vlan17
 ip address 164.72.17.1 255.255.255.128
 ip helper-address 164.72.54.30
 ip helper-address 164.72.241.238
 ip pim sparse-mode
 load-interval 30
 service-policy output Mark_PC_traffic_to_0
end

access-list 161 remark Mark all 164.72.0.0 PC traffic to DSCP=0
access-list 161 permit ip 164.72.0.0 0.0.255.255 any

GHQ-6509A-AU-W271B#sh policy-map int
 Vlan17

  Service-policy output: Mark_PC_traffic_to_0

    class-map: Mark_PC_traffic_to_0 (match-all)
      Match: access-group 161
      set dscp 0:
      Earl in slot 5 :
        348865 bytes
        30 second offered rate 64 bps
        aggregate-forwarded 348865 bytes

    Class-map: class-default (match-any)
      0 packets, 0 bytes
      30 second offered rate 0 bps, drop rate 0 bps
      Match: any

GHQ-6509A-AU-W271B#sh int status

Port    Name          Status      Vlan  Duplex  Speed   Type
Gi1/1                 connected   17    full    100     10/100/1000BaseT
Gi1/2
!
!
Gi1/16                notconnect  17    full    auto    10/100/1000BaseT
Gi1/17  Jim's laptop  connected   17    a-full  a-1000  10/100/1000BaseT
Gi1/18                notconnect  17    full    auto    10/100/1000BaseT
Gi1/19  GHQ003        connected   17    a-full  a-1000  10/100/1000BaseT
Gi1/20                notconnect  17    full    auto    10/100/1000BaseT

gogasca Tue, 07/17/2007 - 12:08

Add the following command to the switchport where the IP phone is connected:

switchport priority extend cos

jkeeffe Tue, 07/17/2007 - 12:37

That command doesn't work on our 6506 IOS=12.2(18)SXF8.

Any other thoughts?
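
An added example, not part of the original thread: a small Python audit for the kind of configuration quoted in the question. It lists access ports on which the switch is told to trust the QoS marking set by the attached device, and the direction of every attached service-policy, so the trust boundary can be reviewed across a whole running-config. The sample config is constructed from the lines in the post, and the function names are this example's own.

```python
import re

# Constructed sample, modelled on the configuration quoted in the question.
SAMPLE = """\
interface GigabitEthernet1/19
 switchport access vlan 17
 switchport mode access
 switchport voice vlan 910
 mls qos trust dscp
!
interface GigabitEthernet1/20
 switchport access vlan 17
 switchport mode access
!
interface Vlan17
 ip address 164.72.17.1 255.255.255.128
 service-policy output Mark_PC_traffic_to_0
!
"""

def parse_interfaces(config):
    """Return {interface name: [stripped sub-command lines]}."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = stanzas.setdefault(line.split(None, 1)[1], [])
        elif line in ("!", "end"):
            current = None          # stanza terminator
        elif line and current is not None:
            current.append(line)    # blank lines are ignored
    return stanzas

def audit(config):
    """Report access ports trusting endpoint markings, and policy directions."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        trust = [l.split()[-1] for l in lines
                 if re.fullmatch(r"mls qos trust (dscp|cos|ip-precedence)", l)]
        if "switchport mode access" in lines and trust:
            findings.append((name, "trusts-endpoint-" + trust[0]))
        for l in lines:
            m = re.fullmatch(r"service-policy (input|output) (\S+)", l)
            if m:
                findings.append((name, f"policy-{m.group(1)}:{m.group(2)}"))
    return findings

if __name__ == "__main__":
    for name, finding in audit(SAMPLE):
        print(f"{name}: {finding}")
```
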
