10-17-2007 11:47 AM - edited 03-05-2019 07:09 PM
Grrr... I'm wanting to create a QoS class-map that matches when a packet has the DSCP value "ef"
Unfortunately, it seems my version of IOS (12.4(11)T Adv. Security on an 871 router) doesn't support dscp matching. Is there a way around this using access-lists or something else?
I think "match ip precedence 5" will do the same thing and this cmap match statement IS accepted by my router.
Any comments? suggestions?
10-17-2007 12:10 PM
...and before you suggest "match ip dscp", that doesn't work either.
My only sub-options shown when I do a
"match ip ?"
are "precedence" and "rtp"
10-17-2007 12:44 PM
I just tested this on a 877 running 12.4(15)T1 Advanced IP Services and it works on this.....
class-map EF
match dscp ef
You could try the 'old' way:
ip access-list extended Any-EF
permit ip any any dscp ef
!
class-map EF
match access-group name Any-EF
!
HTH
Andy
10-17-2007 12:54 PM
Nope, maybe the "IP Security" version of IOS just doesn't like "dscp"...here's what happens when I tried your suggestion:
R#config t
Enter configuration commands, one per line. End with CNTL/Z.
R(config)#ip access-list extended Any-EF
R(config-ext-nacl)#permit ip any any dscp ef
^
% Invalid input detected at '^' marker.
R(config-ext-nacl)#
(note the '^' marker is supposed to be pointing at "dscp", but when I cut-and-paste into this Cisco forum, it gets rid of all the leading whitespace)
In any case, here are my options available on a "permit ip any any" access-list:
R(config-ext-nacl)#permit ip any any ?
fragments Check non-initial fragments
log Log matches against this entry
log-input Log matches against this entry, including input interface
option Match packets with given IP Options value
precedence Match packets with given precedence value
reflect Create reflexive access list entry
time-range Specify a time-range
tos Match packets with given TOS value
ttl Match packets with given TTL value
10-17-2007 01:40 PM
I have had a quick look at feature navigator but (as usual...) can't find any references - I'm not 100% sure what the feature would be called?
There are some QoS differences between the Advanced IP Services & Advanced Security but nothing that seems to reference DSCP.
I suggest you upgrade to 12.4(15)T1 Advanced Security and see whether the commands are accepted with that.
The upgrade should be free since you are not changing feature set or moving to a different major release.
There are also a couple of advisories against 12.4(11)T so you should try and upgrade anyway.
Andy
10-18-2007 07:53 AM
Yeah, I upgraded the 871 to:
c870-advsecurityk9-mz.124-15.T1.bin
and it still didn't work, so I said "what the heck" and upgraded to:
c870-advipservicesk9-mz.124-15.T1.bin
Finally "match dscp ef" works now.
So it was a IOS version problem, just not a version NUMBER problem.
Oh well...it's only money...luckily the $$$ difference between Adv. Security and Adv. IP services isn't that much on the 800 series.
Thanks for your help.
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: