QoS: my IOS doesn't allow "match dscp ef"

Unanswered Question
Oct 17th, 2007

Grrr... I'm wanting to create a QoS class-map that matches when a packet has the DSCP value "ef"

Unfortunately, it seems my version of IOS (12.4(11)T Adv. Security on an 871 router) doesn't support dscp matching. Is there a way around this using access-lists or something else?

I think "match ip precedence 5" will do the same thing and this cmap match statement IS accepted by my router.

Any comments? suggestions?

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4 (1 ratings)
thomasdzubin Wed, 10/17/2007 - 12:10

...and before you suggest "match ip dscp", that doesn't work either.

My only sub-options shown when I do a

"match ip ?"

are "precedence" and "rtp"

andrew.butterworth Wed, 10/17/2007 - 12:44

I just tested this on a 877 running 12.4(15)T1 Advanced IP Services and it works on this.....

class-map EF

match dscp ef

You could try the 'old' way:

ip access-list extended Any-EF

permit ip any any dscp ef


class-map EF

match access-group name Any-EF




thomasdzubin Wed, 10/17/2007 - 12:54

Nope, maybe the "IP Security" version of IOS just doesn't like "dscp"...here's what happens when I tried your suggestion:

R#config t

Enter configuration commands, one per line. End with CNTL/Z.

R(config)#ip access-list extended Any-EF

R(config-ext-nacl)#permit ip any any dscp ef


% Invalid input detected at '^' marker.


(note the '^' marker is supposed to be pointing at "dscp", but when I cut-and-paste into this Cisco forum, it gets rid of all the leading whitespace)

In any case, here are my options available on a "permit ip any any" access-list:

R(config-ext-nacl)#permit ip any any ?

fragments Check non-initial fragments

log Log matches against this entry

log-input Log matches against this entry, including input interface

option Match packets with given IP Options value

precedence Match packets with given precedence value

reflect Create reflexive access list entry

time-range Specify a time-range

tos Match packets with given TOS value

ttl Match packets with given TTL value

andrew.butterworth Wed, 10/17/2007 - 13:40

I have had a quick look at feature navigator but (as usual...) can't find any references - I'm not 100% sure what the feature would be called?

There are some QoS differences between the Advanced IP Services & Advanced Security but nothing that seems to reference DSCP.

I suggest you upgrade to 12.4(15)T1 Advanced Security and see whether the commands are accepted with that.

The upgrade should be free since you are not changing feature set or moving to a different major release.

There are also a couple of advisories against 12.4(11)T so you should try and upgrade anyway.


thomasdzubin Thu, 10/18/2007 - 07:53

Yeah, I upgraded the 871 to:


and it still didn't work, so I said "what the heck" and upgraded to:


Finally "match dscp ef" works now.

So it was a IOS version problem, just not a version NUMBER problem.

Oh well...it's only money...luckily the $$$ difference between Adv. Security and Adv. IP services isn't that much on the 800 series.

Thanks for your help.


This Discussion