Impossible to implement "Service policy-map" on my IP Phone Fa interface

Unanswered Question
Jan 7th, 2009


First Happy new year for 2009.

I have a Catalyst 3560-48PS-S in 12.2(46)SE IPBASEK9 IOS and I can't apply a "service policy-map input" on my L2 IP Phone FastEthernet ?

This syslog is displayed :

%QOSMGR-4-CLASS_NOT_SUPPORTED: Classification is not supported in classmap Voice

Please have a look on the attached file to my config and how the error is occuring.

Many thanks in advance for your help

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
lejoe.thomas Wed, 01/07/2009 - 17:02

Hi Oliver,

You need to configure second level policy maps. The only match supported on the those class maps are match input interface.

policy-map Limit_G711Voice_BW

class Voice

service-policy Voice_child

class CallSignaling

set dscp cs3

police 32000 8000 exceed-action policed-dscp-transmit

class voice_Any

set dscp default

policy-map Voice_child

class CVoice_child

police 128000 8000 exceed-action policed-dscp-transmit

class-map match-all CVoice_child

match input-interface FastEthernet0/45

Hopefully this should work


lejoe.thomas Wed, 01/07/2009 - 17:48

Hi Oliver,

My solution is applicable to SVIs, however in your case you're applying the policymap to physical interface itself.


ogor Wed, 01/07/2009 - 22:43

Thanks Lejoe,

It's very strange cause it's not mentionned in the Cisco 3560 doc ?

I saw that :

CAT2970(config)#class-map match-all VVLAN-VOICE

CAT2970(config-cmap)# match access-group name VVLAN-VOICE


CAT2970(config-cmap)#class-map match-all VVLAN-CALL-SIGNALING

CAT2970(config-cmap)# match access-group name VVLAN-CALL-SIGNALING


CAT2970(config-cmap)#class-map match-all VVLAN-ANY

CAT2970(config-cmap)# match access-group name VVLAN-ANY



CAT2970(config-cmap)#policy-map IPPHONE+PC-BASIC

CAT2970(config-pmap)#class VVLAN-VOICE

CAT2970(config-pmap-c)# set ip dscp 46 ! DSCP EF (Voice)

CAT2970(config-pmap-c)# police 128000 8000 exceed-action drop

! Only one voice call is permitted per switchport VVLAN

CAT2970(config-pmap-c)#class VVLAN-CALL-SIGNALING

CAT2970(config-pmap-c)# set ip dscp 24 ! DSCP CS3 (Call-Signaling)

CAT2970(config-pmap-c)# police 32000 8000 exceed-action policed-dscp-transmit

! Out-of-profile Call-Signaling is marked down to Scavenger (CS1)

CAT2970(config-pmap-c)#class VVLAN-ANY

CAT2970(config-pmap-c)# set ip dscp 0

CAT2970(config-pmap-c)# police 32000 8000 exceed-action policed-dscp-transmit

! Unauthorized VVLAN traffic is marked down to Scavenger (CS1)

CAT2970(config-pmap-c)#class class-default

CAT2970(config-pmap-c)# set ip dscp 0

CAT2970(config-pmap-c)# police 5000000 8000 exceed-action policed-dscp-transmit

! Out-of-profile data traffic is marked down to Scavenger (CS1)

CAT2970(config-pmap-c)# exit




CAT2970(config)#interface GigabitEthernet0/1

CAT2970(config-if)# switchport access vlan 10 ! DVLAN

CAT2970(config-if)# switchport voice vlan 110 ! VVLAN

CAT2970(config-if)# mls qos trust device cisco-phone ! Conditional Trust

CAT2970(config-if)# service-policy input IPPHONE+PC-BASIC ! Attaches policy



ogor Wed, 01/07/2009 - 22:56


It's working, I have just added the set ip dscp 46 in the Voice class

BUT, the show policy-map int fa 0/45 is displaying nothing of nothing ;))

Any ideas ?

Is it displaying something on your config and when ?

My VVLAN-Voice ACL for example is :

ip access-list extended VVLAN-VOICE

permit udp any range 16384 32767 dscp ef

My new Voice class is :

class Voice

set ip dscp ef

police 128000 8000 exceed-action drop

Many thanks in advance for your helps


lejoe.thomas Wed, 01/07/2009 - 23:43

Hi Oliver,

I agree it's a strange issue. Did you check if you are getting any matches on your VVLAN-Voice ACL and then show policy-map int.


ogor Thu, 01/08/2009 - 00:09

Hi Lejoe,

Yes I did and there is no match in the ACL ???

I'm in 12.2(46)SE since yesterday evening and the problem is still the same.

It look like that the packets identification is not possible on a switch 3560 ?

Did someone have successful identify Voice flow and if yes is it possible to send me the full config and the IOS version ?



patrickvanham Thu, 01/08/2009 - 00:39

Fa0/45 is a switchport, not a layer 3 port, so I don't believe it supports matching on IP packets. You could try setting up the port as a layer 3 port and use a subinterface for each vlan. If necessary you could use unnumbered subinterfaces and apply an appropriate policymap on the subinterface.

I've had a similar issue, and the acl never matched because the port was layer 2. as soon as the ports was made layer 3 it matched on the acl.

lejoe.thomas Thu, 01/08/2009 - 03:09

Hi Oliver,

What I would suggest is to try simplifying the ACL, and see if a match occurs.

ip access-list extended VVLAN-VOICE

permit udp any any range 16384 32767

If the above works, apply the same ACL as before without trying to match dscp ef in the ACL



lejoe.thomas Thu, 01/08/2009 - 05:35

Hi Oliver,

I did some tests on my 3550

I applied an ACL to deny traffic (deny ip any any) on a L2 port in one vlan. The result was quite surprising.

The ACL did the job of denying access to host in another VLAN, however ACL did not display any matches. When making the same port an L3 port (no switchport), ACL displays matches. So, the correct ACL does the job but not matches are displayed when it is part of the L2 port.

Now I dont have a 3560, but on the 3550 show policymap interface command does not work. Instead we can use the mls qos monitor dscp interface configuration command, and then the show mls qos interface interface-id statistics command.

I didnt read of any example of show policy-map int command in 3560 documentation.

So apply the ACL as before and also add the mls qos trust cos interface configuration command and use the above show commands (3550). I guess things should be fine.



ogor Thu, 01/08/2009 - 05:48

Thanks Lejoe for your investigation ;)

So in fact it's not possible to implement service-policy input on a L2 interface, contrary of the Cisco doc explanation.



lejoe.thomas Thu, 01/08/2009 - 14:26

Hi Oliver,

It does work if you apply service-policy input on the L2 interface, it just doesnt show it in ACL matches or show policy-map interface.

Solution would be to

Configure your policy maps and apply it to the interface.

Make the port an L3 port and verify results using show policy-map interface

Once this is complete convert that port back to a L2 port. Again you can verify this using show commands mentioned for the 3550 (mls qos monitor dscp etc)




This Discussion