03-12-2008 09:54 AM - edited 03-05-2019 09:42 PM
I want to know whether the QoS ACL supports deny statement.
Here is the scenario: I have 6500 running in native mode. The QoS configured on it marks all outbound ssl and web traffic to CS3. I have a new requirement to mark ssl and web traffic for a few particular subnets to Default CS0.
I am thinking of applying a DENY statement for those subnets at the top of the named QoS ACL. Will it put the traffic for these subnets in the default class? The DENY statement will be followed by the other permit statements which I currently have.
Is this the correct implementation approach? Any recommendations or thoughts!
03-12-2008 10:41 AM
Hi
It would be helpful to see your config, but if you don't match them in any ACL then they will be grouped into the class class-default, so you don't need to explicitly deny them as such.
Jon
03-12-2008 11:16 AM
Here is the config:
class-map match-any SILVER-CLASS
 match access-group name SILVER-TRAFFIC
!
policy-map cust2provider-QOS
 class REAL-TIME-CLASS
  set dscp cs5
 class GOLD-CLASS
  set dscp cs4
 class SILVER-CLASS
  set dscp cs2
 class class-default
  set dscp default
!
ip access-list extended SILVER-TRAFFIC
 deny   tcp any 10.252.40.0 0.0.0.255 eq www
 deny   tcp any 10.252.40.0 0.0.0.255 eq 443
 permit tcp any 10.0.0.0 0.255.255.255 eq www
 permit tcp any 10.0.0.0 0.255.255.255 eq 443
This is the proposed config. I want to mark HTTP and HTTPS traffic for the 10.252.40.0 subnet with default DSCP 0.
The current config (last 2 ACL lines) marks all HTTP and HTTPS with CS2.
03-12-2008 11:29 AM
Okay that makes more sense.
Yes it will work as you want. The 10.252.40.0 will not be matched in the SILVER-TRAFFIC class and will fall through to the class-default.
HTH
Jon
03-12-2008 06:22 PM
hi Jon,
I just found a reference to it in the QoS config guide for the Cat 2970 and now I am a little doubtful after reading this. According to this guide, after matching the deny statement it will continue to check the ACL, and in my case it will find a permit and, as I understand it, the traffic will still be marked with CS2.
**Classification Based on QoS ACLs**
You can use IP standard, IP extended, or Layer 2 MAC ACLs to define a group of packets with the same characteristics (class). In the QoS context, the permit and deny actions in the access control entries (ACEs) have different meanings than with security ACLs:
• If a match with a permit action is encountered (first-match principle), the specified QoS-related action is taken.
• If a match with a deny action is encountered, the ACL being processed is skipped, and the next ACL is processed.
• If no match with a permit action is encountered and all the ACEs have been examined, no QoS processing occurs on the packet, and the switch offers best-effort service to the packet.
tx
fawad
03-13-2008 12:47 AM
Hi Fawad
Okay, I tested this in our lab and it works as I suggested. This was tested on a 2600 router; I can retest on a 3560 switch if needed.
From what you posted:
"If a match with a deny action is encountered, the ACL being processed is skipped, and the next ACL is processed"
Note that it does not say the next ACE (Access Control Entry) but the next ACL. So it is saying stop processing that ACL and move on to the next ACL, which may well be contained under another class-map entry.
So when it hits the deny it stops running through that ACL, does not mark the packet and moves on in the policy-map. If you had a BRONZE class configured which did match the packet, it would be marked accordingly. But after SILVER you only have class-default, so your packet gets processed in there.
HTH
Jon
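The classification rules quoted from the configuration guide and Jon's reading of them, as an added example that is not part of the thread: a small Python model of Catalyst QoS-ACL evaluation (a permit hit places the packet in the class, a deny hit ends evaluation of that ACL and the packet falls through to the next ACL and then the next class, no permit hit anywhere means class-default), applied to the posted SILVER-TRAFFIC ACL. The sample packets, helper names and the continue_after_deny switch (which reproduces the misreading where the scan continues past the deny to the later, broader permit) are constructed for this example; REAL-TIME-CLASS and GOLD-CLASS are left out because their class-maps are not shown in the thread.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added example (not from the thread): model of Catalyst QoS-ACL
# classification as quoted from the configuration guide.
PORT_NAMES = {"www": 80, "https": 443}
DSCP_VALUES = {"cs5": 40, "cs4": 32, "cs3": 24, "cs2": 16, "default": 0}


def ip2int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


@dataclass(frozen=True)
class Ace:
    action: str           # "permit" | "deny"
    proto: str            # "ip" matches any protocol
    src: int
    src_wc: int           # IOS wildcard mask: 1 bits are "don't care"
    dst: int
    dst_wc: int
    dport: Optional[int]  # None = any destination port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


def parse_ace(line: str) -> Ace:
    """Parse one extended-ACL line, e.g. 'deny tcp any 10.252.40.0 0.0.0.255 eq www'."""
    toks = line.split()
    action, proto, pos = toks[0], toks[1], 2

    def take_addr() -> Tuple[int, int]:
        nonlocal pos
        if toks[pos] == "any":
            pos += 1
            return 0, 0xFFFFFFFF
        if toks[pos] == "host":
            pos += 2
            return ip2int(toks[pos - 1]), 0
        pos += 2
        return ip2int(toks[pos - 2]), ip2int(toks[pos - 1])

    src, src_wc = take_addr()
    dst, dst_wc = take_addr()
    dport = None
    if pos < len(toks) and toks[pos] == "eq":
        dport = PORT_NAMES.get(toks[pos + 1]) or int(toks[pos + 1])
    return Ace(action, proto, src, src_wc, dst, dst_wc, dport)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if (ip2int(pkt.src) ^ ace.src) & ~ace.src_wc & 0xFFFFFFFF:
        return False
    if (ip2int(pkt.dst) ^ ace.dst) & ~ace.dst_wc & 0xFFFFFFFF:
        return False
    return ace.dport is None or ace.dport == pkt.dport


def acl_permits(acl: List[Ace], pkt: Packet, continue_after_deny: bool = False) -> bool:
    """True if a permit ACE is hit. With continue_after_deny=False (the documented
    QoS behaviour) a deny hit ends evaluation of this ACL; True reproduces the
    misreading in which the scan carries on to a later permit."""
    for ace in acl:
        if not ace_matches(ace, pkt):
            continue
        if ace.action == "permit":
            return True
        if not continue_after_deny:
            return False
    return False


# The posted SILVER-TRAFFIC ACL, its class-map and the tail of the policy-map.
ACLS = {"SILVER-TRAFFIC": [parse_ace(l) for l in (
    "deny tcp any 10.252.40.0 0.0.0.255 eq www",
    "deny tcp any 10.252.40.0 0.0.0.255 eq 443",
    "permit tcp any 10.0.0.0 0.255.255.255 eq www",
    "permit tcp any 10.0.0.0 0.255.255.255 eq 443",
)]}
CLASS_MAPS = {"SILVER-CLASS": ["SILVER-TRAFFIC"]}  # match-any over listed ACLs
POLICY = [("SILVER-CLASS", "cs2"), ("class-default", "default")]


def classify(pkt: Packet, continue_after_deny: bool = False) -> Tuple[str, str, int]:
    """Walk the policy-map in order; return (class, dscp name, dscp value)."""
    for cls, dscp in POLICY:
        if cls == "class-default":
            return cls, dscp, DSCP_VALUES[dscp]
        for acl_name in CLASS_MAPS[cls]:  # deny hit -> try the next ACL / class
            if acl_permits(ACLS[acl_name], pkt, continue_after_deny):
                return cls, dscp, DSCP_VALUES[dscp]
    raise ValueError("policy-map has no class-default")


if __name__ == "__main__":
    # Constructed sample flows (not from the thread).
    for p in (Packet("tcp", "192.0.2.10", "10.252.40.5", 80),
              Packet("tcp", "192.0.2.10", "10.7.8.9", 443),
              Packet("udp", "192.0.2.10", "10.7.8.9", 53)):
        print(p.dst, p.dport, classify(p), "| misread:", classify(p, True))
```

Under the documented rule, HTTP to 10.252.40.0/24 hits the deny, leaves SILVER-TRAFFIC unmarked and lands in class-default (DSCP 0); only the "continue past the deny" misreading would send it to SILVER-CLASS with CS2. The model encodes the text of the Catalyst guide, and the lab test in the thread was on a 2600 router, so the marking should still be confirmed on the 6500 itself before relying on it.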
03-13-2008 03:30 AM
hi Jon,
This makes perfect sense. Thanks much for your help!!!