01-07-2009 10:24 AM - edited 03-04-2019 03:22 AM
Hi,
First Happy new year for 2009.
I have a Catalyst 3560-48PS-S in 12.2(46)SE IPBASEK9 IOS and I can't apply a "service policy-map input" on my L2 IP Phone FastEthernet ?
This syslog is displayed :
%QOSMGR-4-CLASS_NOT_SUPPORTED: Classification is not supported in classmap Voice
Please have a look on the attached file to my config and how the error is occuring.
Many thanks in advance for your help
01-07-2009 05:02 PM
Hi Oliver,
You need to configure second level policy maps. The only match supported on the those class maps are match input interface.
policy-map Limit_G711Voice_BW
class Voice
service-policy Voice_child
class CallSignaling
set dscp cs3
police 32000 8000 exceed-action policed-dscp-transmit
class voice_Any
set dscp default
policy-map Voice_child
class CVoice_child
police 128000 8000 exceed-action policed-dscp-transmit
class-map match-all CVoice_child
match input-interface FastEthernet0/45
Hopefully this should work
Lejoe
01-07-2009 05:48 PM
Hi Oliver,
My solution is applicable to SVIs, however in your case you're applying the policymap to physical interface itself.
Lejoe
01-07-2009 10:43 PM
Thanks Lejoe,
It's very strange cause it's not mentionned in the Cisco 3560 doc ?
I saw that :
CAT2970(config)#class-map match-all VVLAN-VOICE
CAT2970(config-cmap)# match access-group name VVLAN-VOICE
CAT2970(config-cmap)#
CAT2970(config-cmap)#class-map match-all VVLAN-CALL-SIGNALING
CAT2970(config-cmap)# match access-group name VVLAN-CALL-SIGNALING
CAT2970(config-cmap)#
CAT2970(config-cmap)#class-map match-all VVLAN-ANY
CAT2970(config-cmap)# match access-group name VVLAN-ANY
CAT2970(config-cmap)#
CAT2970(config-cmap)#
CAT2970(config-cmap)#policy-map IPPHONE+PC-BASIC
CAT2970(config-pmap)#class VVLAN-VOICE
CAT2970(config-pmap-c)# set ip dscp 46 ! DSCP EF (Voice)
CAT2970(config-pmap-c)# police 128000 8000 exceed-action drop
! Only one voice call is permitted per switchport VVLAN
CAT2970(config-pmap-c)#class VVLAN-CALL-SIGNALING
CAT2970(config-pmap-c)# set ip dscp 24 ! DSCP CS3 (Call-Signaling)
CAT2970(config-pmap-c)# police 32000 8000 exceed-action policed-dscp-transmit
! Out-of-profile Call-Signaling is marked down to Scavenger (CS1)
CAT2970(config-pmap-c)#class VVLAN-ANY
CAT2970(config-pmap-c)# set ip dscp 0
CAT2970(config-pmap-c)# police 32000 8000 exceed-action policed-dscp-transmit
! Unauthorized VVLAN traffic is marked down to Scavenger (CS1)
CAT2970(config-pmap-c)#class class-default
CAT2970(config-pmap-c)# set ip dscp 0
CAT2970(config-pmap-c)# police 5000000 8000 exceed-action policed-dscp-transmit
! Out-of-profile data traffic is marked down to Scavenger (CS1)
CAT2970(config-pmap-c)# exit
CAT2970(config-pmap)#exit
CAT2970(config)#
CAT2970(config)#
CAT2970(config)#interface GigabitEthernet0/1
CAT2970(config-if)# switchport access vlan 10 ! DVLAN
CAT2970(config-if)# switchport voice vlan 110 ! VVLAN
CAT2970(config-if)# mls qos trust device cisco-phone ! Conditional Trust
CAT2970(config-if)# service-policy input IPPHONE+PC-BASIC ! Attaches policy
CAT2970(config-if)#exit
CAT2970(config)#
01-07-2009 10:56 PM
Hi,
It's working, I have just added the set ip dscp 46 in the Voice class
BUT, the show policy-map int fa 0/45 is displaying nothing of nothing ;))
Any ideas ?
Is it displaying something on your config and when ?
My VVLAN-Voice ACL for example is :
ip access-list extended VVLAN-VOICE
permit udp 10.xxx.xxx.0 0.0.15.255 any range 16384 32767 dscp ef
My new Voice class is :
class Voice
set ip dscp ef
police 128000 8000 exceed-action drop
Many thanks in advance for your helps
Olivier
01-07-2009 11:43 PM
Hi Oliver,
I agree it's a strange issue. Did you check if you are getting any matches on your VVLAN-Voice ACL and then show policy-map int.
Lejoe
01-08-2009 12:09 AM
Hi Lejoe,
Yes I did and there is no match in the ACL ???
I'm in 12.2(46)SE since yesterday evening and the problem is still the same.
It look like that the packets identification is not possible on a switch 3560 ?
Did someone have successful identify Voice flow and if yes is it possible to send me the full config and the IOS version ?
thanks
Olivier
01-08-2009 12:39 AM
Fa0/45 is a switchport, not a layer 3 port, so I don't believe it supports matching on IP packets. You could try setting up the port as a layer 3 port and use a subinterface for each vlan. If necessary you could use unnumbered subinterfaces and apply an appropriate policymap on the subinterface.
I've had a similar issue, and the acl never matched because the port was layer 2. as soon as the ports was made layer 3 it matched on the acl.
01-08-2009 03:09 AM
Hi Oliver,
What I would suggest is to try simplifying the ACL, and see if a match occurs.
ip access-list extended VVLAN-VOICE
permit udp any any range 16384 32767
If the above works, apply the same ACL as before without trying to match dscp ef in the ACL
HTH
Lejoe
01-08-2009 03:43 AM
Same thing :(
01-08-2009 05:35 AM
Hi Oliver,
I did some tests on my 3550
I applied an ACL to deny traffic (deny ip any any) on a L2 port in one vlan. The result was quite surprising.
The ACL did the job of denying access to host in another VLAN, however ACL did not display any matches. When making the same port an L3 port (no switchport), ACL displays matches. So, the correct ACL does the job but not matches are displayed when it is part of the L2 port.
Now I dont have a 3560, but on the 3550 show policymap interface command does not work. Instead we can use the mls qos monitor dscp interface configuration command, and then the show mls qos interface interface-id statistics command.
I didnt read of any example of show policy-map int command in 3560 documentation.
So apply the ACL as before and also add the mls qos trust cos interface configuration command and use the above show commands (3550). I guess things should be fine.
HTH
Lejoe
01-08-2009 05:48 AM
Thanks Lejoe for your investigation ;)
So in fact it's not possible to implement service-policy input on a L2 interface, contrary of the Cisco doc explanation.
Thanks
Olivier
01-08-2009 02:26 PM
Hi Oliver,
It does work if you apply service-policy input on the L2 interface, it just doesnt show it in ACL matches or show policy-map interface.
Solution would be to
Configure your policy maps and apply it to the interface.
Make the port an L3 port and verify results using show policy-map interface
Once this is complete convert that port back to a L2 port. Again you can verify this using show commands mentioned for the 3550 (mls qos monitor dscp etc)
HTH
Lejoe
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide