11-02-2009 03:11 PM - edited 03-04-2019 06:35 AM
I'm having trouble getting QoS to work on my router. I'm trying to get traffic from one specific address to be put in the priority queue. I will eventually fine-tune this to specific ports but can't understand why this does not work. It does not match against the access list when I specify the address (192.168.1.15), but when I match against any it matches, meaning that it checks the access list but is not working the way I expect it to.
boot system flash:c2600-ik9o3s3-mz.123-26.bin
!
no aaa new-model
ip subnet-zero
no ip source-route
ip flow-cache timeout active 1
ip cef
!
!
ip dhcp excluded-address 192.168.1.0 192.168.1.149
ip dhcp excluded-address 192.168.1.200 192.168.1.255
ip dhcp ping timeout 1000
!
ip dhcp pool Home
 network 192.168.1.0 255.255.255.0
 dns-server 4.2.2.2 4.2.2.3
 default-router 192.168.1.251
 lease 14
!
no ip bootp server
ip audit po max-events 100
vpdn enable
!
vpdn-group 1
 request-dialin
  protocol pppoe
!
!
class-map match-all TEST
 match access-group name TEST
!
!
policy-map TEST
 class TEST
  priority 512
 class class-default
  fair-queue
!
interface Ethernet0/0
 description Uplink to WAN
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no ip mroute-cache
 full-duplex
 pppoe enable
 pppoe-client dial-pool-number 1
 no cdp enable
!
interface Ethernet0/1
 description Uplink to LAN
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no ip mroute-cache
 full-duplex
!
interface Ethernet0/1.1
 description Default VLAN
 encapsulation dot1Q 1 native
!
interface Ethernet0/1.100
 description Home VLAN
 encapsulation dot1Q 100
 ip address 192.168.1.251 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip nbar protocol-discovery
 no ip mroute-cache
!
interface Dialer1
 description ADSL WAN Dialer
 mtu 1492
 bandwidth 768000
 ip address negotiated
 no ip unreachables
 ip nat outside
 ip flow ingress
 ip nbar protocol-discovery
 encapsulation ppp
 ip tcp adjust-mss 1452
 no ip mroute-cache
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname username@isp.net
 ppp chap password 7 *
 ppp pap sent-username username@isp.net password 7 *
 ppp ipcp dns request
 ppp ipcp address accept
 service-policy output TEST
!
ip nat inside source list 10 interface Dialer1 overload
no ip http server
no ip http secure-server
ip classless
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip access-list standard TEST
 permit host 192.168.1.15
dialer-list 1 protocol ip permit
11-02-2009 04:27 PM
Try using an extended ACL instead:
ip access-list extended TEST
 permit ip host 192.168.1.15 any
11-02-2009 04:32 PM
Thanks for the reply. I have tried an extended ACL, and also with numbers instead of names and no change. I've also tried between match-any and match-all. I have also tried applying the service-policy to the Ethernet0/0 interface and see the same results. Is there a way to debug class-maps or access-lists to see what address it is trying to match against?
11-04-2009 02:18 AM
Hi
You are trying to match 192.168.1.15. This IP is on the inside. Maybe the router does NAT before the service-policy; then the match must be on the NATted address.
You can try to set the policy on the inside and set a DSCP value. Then match the DSCP value on the outside.
Example:
! mark the host's traffic on the inside, before NAT rewrites the source
policy-map inside
 class TEST
  set dscp ef
!
! match the mark instead of the address on the outside
class-map match-all OUT
 match dscp ef
!
policy-map outside
 class OUT
  priority 512
!
interface ethernet0/1.100
 service-policy input inside
!
interface dialer1
 service-policy output outside
/Mikael
11-04-2009 03:17 AM
Mikael is right. NAT is done before doing queueing policies. What he has provided is a good solution.
HTH,
Toshi
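An added example, not part of any post in this thread: a simplified Python model of the order of operations described above (NAT rewrites the source before the output service-policy on Dialer1 classifies), showing why the ACL on 192.168.1.15 never matches there while a DSCP mark set on the inside interface still does. The WAN address, the destination address and the scope of NAT access-list 10 (192.168.1.0/24) are assumptions made for illustration.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

EF = 46                                     # DSCP Expedited Forwarding
INSIDE_NET = ip_network("192.168.1.0/24")   # assumed scope of NAT access-list 10
WAN_ADDR = "203.0.113.10"                   # constructed address for Dialer1

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dscp: int = 0

def acl_test(pkt):
    """ip access-list standard TEST: permit host 192.168.1.15"""
    return pkt.src == "192.168.1.15"

def mark_on_inside(pkt):
    """Input policy on Ethernet0/1.100: class TEST -> set dscp ef."""
    return replace(pkt, dscp=EF) if acl_test(pkt) else pkt

def nat_overload(pkt):
    """ip nat inside source list 10 interface Dialer1 overload."""
    if ip_address(pkt.src) in INSIDE_NET:
        return replace(pkt, src=WAN_ADDR)
    return pkt

def output_queue(pkt, match):
    """Output policy on Dialer1: matched traffic goes to the priority queue."""
    return "priority" if match(pkt) else "class-default"

def acl_on_dialer(pkt):
    # Original design: the ACL is evaluated on Dialer1, after NAT.
    return output_queue(nat_overload(pkt), acl_test)

def dscp_on_dialer(pkt):
    # Suggested design: mark before NAT, match the mark after NAT.
    return output_queue(nat_overload(mark_on_inside(pkt)),
                        lambda p: p.dscp == EF)

if __name__ == "__main__":
    for src in ("192.168.1.15", "192.168.1.20"):
        pkt = Packet(src, "198.51.100.7")   # constructed sample packets
        print(src, acl_on_dialer(pkt), dscp_on_dialer(pkt))
```
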