QoS and ACL on Catalyst 4500 switches

getamessay
Level 1

Hello,

I am trying to classify incoming packets from IP phones using an ACL. My detailed config is shown below. However, when I use Wireshark and check packets arriving from the IP phone, it shows DSCP=0. It seems the ACL isn't applied on the access port.

FYI, I used the QoS practice document for the configuration.

!!!!!!!!!  MQC !!!!!!!!!!!!!!!!!!

class-map match-all DVLAN-PC-VIDEO
match access-group name DVLAN-PC-VIDEO
class-map match-all VVLAN-CALL-SIGNALING
match access-group name VVLAN-CALL-SIGNALING
class-map match-all VVLAN-VOICE
match access-group name VVLAN-VOICE
class-map match-all VVLAN-ANY
match access-group name VVLAN-ANY
!

policy-map DBL
class class-default
  dbl
policy-map IPPHONE+PC
class VVLAN-VOICE
  set ip dscp ef
class VVLAN-CALL-SIGNALING
  set ip dscp cs3
class DVLAN-PC-VIDEO
  set ip dscp af41
class VVLAN-ANY
  set ip dscp default
class class-default
  set ip dscp default


!!!!!!!!! Access Port config !!!!!!!!!!!

interface GigabitEthernet2/1
switchport access vlan dynamic
switchport mode access
switchport voice vlan 77
ip arp inspection limit rate 100
speed auto 10 100
qos trust device cisco-phone
tx-queue 3
   priority high
   shape percent 30
spanning-tree portfast
spanning-tree bpduguard enable
spanning-tree guard root
service-policy input IPPHONE+PC
service-policy output DBL
ip verify source vlan dhcp-snooping port-security

!!!!!!!!!!   ACL !!!!!!!!!!!!!!!!!

ip access-list extended DVLAN-PC-VIDEO
permit udp any any range 16384 32767
permit udp any any range 5445 5446
ip access-list extended VVLAN-ANY
permit ip 172.10.122.0 0.0.1.255 any
ip access-list extended VVLAN-CALL-SIGNALING
permit tcp 172.10.122.0 0.0.1.255 any range 2000 2002
ip access-list extended VVLAN-VOICE
permit udp 172.10.122.0 0.0.1.255 any range 16384 32767

Thanks.

5 Replies

Hitesh Vinzoda
Level 4

Hi,

I think you have to enable

"mls qos trust dscp" under the interface.

HTH

Hitesh Vinzoda

Pls rate useful posts

Hi,

Yes, I have already tried it.

If I have the two commands below under the interface along with service-policy input IPPHONE+PC, it doesn't mark any traffic at all. However, if I have the two commands below and don't use service-policy input IPPHONE+PC, yes, I can see the marking.


qos trust dscp
qos trust device cisco-phone

Thanks

Alright,

What's the goal? Trust the marking from the phone

OR

Using Policy map or ACL to mark the packets using DSCP.

Coz in your ACL you are not matching DSCP bits; you are matching traffic based on Layer 4 info.

HTH

Hitesh Vinzoda

Pls rate useful posts

The goal is to conditionally trust the Cisco phone and extend DSCP trust to the phone. In addition, using the ACL to classify voice and other traffic in the voice VLAN.

I used the SRND for QoS.

Thanks
