We are looking to build up a very tight trusted boundary for different non-Cisco voice hard/soft phones on the edge of the LAN.
We are trying to use the vendor's MAC address and the voice/UDP/RTP ports used to classify the "trusted" traffic for EF.
The config could look like:
mac access-list extended vendmac
 permit 0080.9f00.0000 0000.00ff.ffff any
!
access-list 2250 permit udp any range 32514 32515 any range 32560 32570
access-list 2226 permit tcp any any eq 1720
access-list 2226 permit tcp any any range 16340 16800
!
class-map match-all voice
 match access-group name vendmac
 match access-group 2250
class-map match-all voice-control
 match access-group 2226
class-map match-any best_effort
 match access-group 2201
!
! policy-map and class lines assumed from the class-maps above and the policy name applied below
policy-map VoIP
 class voice
  set dscp ef
 class voice-control
  set dscp af21
 class best_effort
  set dscp default
!
interface range fa0/1 - 48
 service-policy input VoIP
Unfortunately, the service-policy VoIP is not being accepted on the switch ports (fa0/1 - 48), since the "class-map match-all voice" contains 2 match statements. (If either of the two match statements is kept as a single entry in the class-map, everything is OK, but then we are losing the relation vendor MAC <-> used RTP stream to qualify as real voice traffic!)
-> Is this a bug? Does it work as designed?
-> Any workaround?
Thank you for any input on this.
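
The classification the post is aiming for (vendor OUI AND the RTP port ranges for EF), modelled offline as an added example that is not part of the original post and does not reproduce what the switch hardware accepts. The ACL values come from the post; the sample frames, the function names, and the treatment of everything else as best effort (ACL 2201 is not shown) are assumptions.

```python
# Added example: offline model of the intended "voice" classification.
# ACL values are taken from the post; the sample frames are constructed.

def mac_to_int(mac):
    """Parse a MAC such as 0080.9f00.0000 or 00:80:9f:00:00:00 to an int."""
    digits = mac.replace(".", "").replace(":", "").replace("-", "")
    if len(digits) != 12:
        raise ValueError("not a 48-bit MAC: %r" % mac)
    return int(digits, 16)

def mac_matches(mac, base, wildcard):
    """Cisco wildcard semantics: 1-bits in the wildcard are 'don't care'."""
    care = ~mac_to_int(wildcard) & 0xFFFFFFFFFFFF
    return (mac_to_int(mac) & care) == (mac_to_int(base) & care)

VENDOR_BASE, VENDOR_WILDCARD = "0080.9f00.0000", "0000.00ff.ffff"  # vendmac
RTP_SRC, RTP_DST = range(32514, 32516), range(32560, 32571)        # ACL 2250
CTRL_DST = [range(1720, 1721), range(16340, 16801)]                 # ACL 2226

def classify(frame):
    """Return the DSCP marking the post intends for one frame."""
    vendor = mac_matches(frame["src_mac"], VENDOR_BASE, VENDOR_WILDCARD)
    rtp = (frame["proto"] == "udp"
           and frame["sport"] in RTP_SRC and frame["dport"] in RTP_DST)
    if vendor and rtp:  # match-all: both conditions must hold
        return "ef"
    if frame["proto"] == "tcp" and any(frame["dport"] in r for r in CTRL_DST):
        return "af21"
    return "default"  # assumption: ACL 2201 (not shown) catches the rest

# Constructed sample frames (not captured traffic).
SAMPLES = [
    {"src_mac": "0080.9f12.3456", "proto": "udp", "sport": 32514, "dport": 32560},
    {"src_mac": "0011.2233.4455", "proto": "udp", "sport": 32514, "dport": 32560},
    {"src_mac": "0080.9f12.3456", "proto": "udp", "sport": 5000, "dport": 5000},
    {"src_mac": "0011.2233.4455", "proto": "tcp", "sport": 40000, "dport": 1720},
]

if __name__ == "__main__":
    for f in SAMPLES:
        print(f["src_mac"], f["proto"], f["sport"], f["dport"], "->", classify(f))
```

Only the first sample is marked EF: the second has the right ports but a different OUI, and the third has the vendor OUI but other ports, which is the relation the single-match class-maps lose.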