QOS police issue and question

Unanswered Question
Aug 16th, 2009
User Badges:

I have a star network with multiple l2l tunnels. I am trying to give priority to RDP (3389) traffic. The following is my config that I am trying to use:

hostname(config)#class-map RDP_Pri

hostname(config-cmap)#description "This class-map matches all RDP traffic for 1XX.XXX.XXX.XXX 1"

hostname(config-cmap)#match port tcp eq 3389

hostname(config-cmap)#match tunnel-group 1XX.XXX.XXX.XXX

hostname(config-cmap)#class-map RDP_BestEffort

hostname(config-cmap)#description "This class-map matches all best-effort traffic for 1XX.XXX.XXX.XXX"

hostname(config-cmap)#match tunnel-group 1XX.XXX.XXX.XXX

hostname(config-cmap)#match flow ip destination-address

hostname(config-cmap)#policy-map QOS

hostname(config-pmap)#class RDP_Pri


hostname(config-pmap-c)#class RDP_BestEffort

hostname(config-pmap-c)#police output 200000 37500

hostname(config-pmap-c)#class class-default

hostname(config-pmap-c)#police output 1000000 37500

hostname(config-pmap-c)#service-policy QOS interface outside

hostname(config)#priority-queue outside

hostname(config-priority-queue)#queue-limit 2048

hostname(config-priority-queue)#tx-ring-limit 256

When I get to the command:

police output 200000 37500

I get the following error message:

ERROR: Must deconfigure priority in this class before issuing this command

ERROR: tunnel-group can only be policed on a flow basis


1. Why do I need to deconfigure priority? How would I do this?

2. Other than the errors, does this config look good? Can it be made better?


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Laurent Aubert Tue, 08/18/2009 - 20:13
User Badges:
  • Cisco Employee,


I'm not an PIX/ASA expert but priority queue can't be policed so you have to choose. If you remove the policer, the second error message should also disappear.

If you want to keep the policer, you need the match flow ip destination-address command in the class-map.




This Discussion