QoS and ACL on Catalyst 4500 switches

Unanswered Question
Jul 7th, 2010


I am trying to classify incoming packets from IP phones using an ACL. My detailed config is shown below. However, when I use Wireshark to check packets arriving from the IP phone, it shows DSCP=0. It seems the ACL isn't applied on the access port.

FYI, I used the QoS practice document for the configuration.

!!!!!!!!!  MQC !!!!!!!!!!!!!!!!!!

class-map match-all DVLAN-PC-VIDEO
match access-group name DVLAN-PC-VIDEO
class-map match-all VVLAN-CALL-SIGNALING
match access-group name VVLAN-CALL-SIGNALING
class-map match-all VVLAN-VOICE
match access-group name VVLAN-VOICE
class-map match-all VVLAN-ANY
match access-group name VVLAN-ANY

policy-map DBL
 class class-default

! The class statements are missing from the policy-map as the listing was posted
! (IOS does not accept a set action outside a class). They are restored here from
! the class-map names above, in the order of the set actions.
policy-map IPPHONE+PC
 class VVLAN-VOICE
  set ip dscp ef
 class VVLAN-CALL-SIGNALING
  set ip dscp cs3
 class DVLAN-PC-VIDEO
  set ip dscp af41
 class VVLAN-ANY
  set ip dscp default
 class class-default
  set ip dscp default

!!!!!!!!! Access Port config !!!!!!!!!!!

interface GigabitEthernet2/1
switchport access vlan dynamic
switchport mode access
switchport voice vlan 77
ip arp inspection limit rate 100
speed auto 10 100
qos trust device cisco-phone
tx-queue 3
   priority high
   shape percent 30
spanning-tree portfast
spanning-tree bpduguard enable
spanning-tree guard root
service-policy input IPPHONE+PC
service-policy output DBL
ip verify source vlan dhcp-snooping port-security

!!!!!!!!!!   ACL !!!!!!!!!!!!!!!!!

! The listing as posted drops the destination "any" from three entries
! (e.g. "permit ip any"), which IOS would reject; it is restored here.
ip access-list extended DVLAN-PC-VIDEO
 permit udp any any range 16384 32767
 permit udp any any range 5445 5446
ip access-list extended VVLAN-ANY
 permit ip any any
ip access-list extended VVLAN-CALL-SIGNALING
 permit tcp any any range 2000 2002
ip access-list extended VVLAN-VOICE
 permit udp any any range 16384 32767


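To reason about what the ACL-based policy above should do to a given packet, the following Python model is added here as an example (it is not the poster's code and not Cisco's). It parses a constructed copy of the thread's class-maps, policy-map and ACLs, applies IOS first-match semantics (ACL entries top-down with an implicit deny, policy-map classes top-down with class-default last) and returns the class and DSCP an ingress packet would leave with. The policy-map "class" lines and all addresses and ports in the sample packets are assumptions; the function names are the example's own.

```python
# Offline model of the thread's classification chain (ACL -> class-map -> policy-map -> DSCP)
# with IOS first-match semantics. Added example, not the poster's or Cisco's code.
import ipaddress
from collections import namedtuple

DSCP_VALUES = {"ef": 46, "cs3": 24, "af41": 34, "default": 0}
Ace = namedtuple("Ace", "action proto src sport dst dport")  # ports: (lo, hi) or None
Packet = namedtuple("Packet", "proto src dst sport dport", defaults=(0, 0))

# Constructed copy of the thread's config; the 'class' lines are an assumption.
CONFIG = """
class-map match-all DVLAN-PC-VIDEO
 match access-group name DVLAN-PC-VIDEO
class-map match-all VVLAN-CALL-SIGNALING
 match access-group name VVLAN-CALL-SIGNALING
class-map match-all VVLAN-VOICE
 match access-group name VVLAN-VOICE
class-map match-all VVLAN-ANY
 match access-group name VVLAN-ANY
policy-map IPPHONE+PC
 class VVLAN-VOICE
  set ip dscp ef
 class VVLAN-CALL-SIGNALING
  set ip dscp cs3
 class DVLAN-PC-VIDEO
  set ip dscp af41
 class VVLAN-ANY
  set ip dscp default
 class class-default
  set ip dscp default
ip access-list extended DVLAN-PC-VIDEO
 permit udp any any range 16384 32767
 permit udp any any range 5445 5446
ip access-list extended VVLAN-ANY
 permit ip any any
ip access-list extended VVLAN-CALL-SIGNALING
 permit tcp any any range 2000 2002
ip access-list extended VVLAN-VOICE
 permit udp any any range 16384 32767
"""

def _take_addr(tokens, line):
    # Accepts 'any' or 'A.B.C.D wildcard' (ipaddress understands wildcard masks).
    if not tokens:
        raise ValueError("incomplete ACE: " + line)  # e.g. the thread's 'permit ip any'
    if tokens[0] == "any":
        return "0.0.0.0/0", tokens[1:]
    return tokens[0] + "/" + tokens[1], tokens[2:]

def _take_port(tokens):
    if tokens and tokens[0] == "range":
        return (int(tokens[1]), int(tokens[2])), tokens[3:]
    return None, tokens

def parse_ace(line):
    w = line.split()
    src, rest = _take_addr(w[2:], line)
    sport, rest = _take_port(rest)
    dst, rest = _take_addr(rest, line)
    dport, _ = _take_port(rest)  # trailing keywords such as 'log' are ignored
    return Ace(w[0], w[1], src, sport, dst, dport)

def parse_config(text):
    # Returns ({class-map: [acl names]}, {policy-map: [[class, dscp]]}, {acl: [Ace]}).
    classmaps, policies, acls, cur, name = {}, {}, {}, None, None
    for line in (l.strip() for l in text.splitlines()):
        w = line.split()
        if w[:1] in (["class-map"], ["policy-map"]) or w[:2] == ["ip", "access-list"]:
            cur = {"class-map": classmaps, "policy-map": policies, "ip": acls}[w[0]]
            name, cur[w[-1]] = w[-1], []
        elif cur is classmaps and w[:3] == ["match", "access-group", "name"]:
            classmaps[name].append(w[3])
        elif cur is policies and w[:1] == ["class"]:
            policies[name].append([w[1], None])
        elif cur is policies and w[:3] == ["set", "ip", "dscp"]:
            if not policies[name]:
                raise ValueError("set outside any class: " + line)  # as in the posted listing
            policies[name][-1][1] = w[3]
        elif cur is acls and w[:1] in (["permit"], ["deny"]):
            acls[name].append(parse_ace(line))
    return classmaps, policies, acls

def ace_matches(ace, pkt):
    in_net = lambda spec, ip: ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    in_range = lambda spec, port: spec is None or spec[0] <= port <= spec[1]
    return (ace.proto in ("ip", pkt.proto) and in_net(ace.src, pkt.src)
            and in_range(ace.sport, pkt.sport) and in_net(ace.dst, pkt.dst)
            and in_range(ace.dport, pkt.dport))

def acl_permits(aces, pkt):
    hit = next((a for a in aces if ace_matches(a, pkt)), None)  # first match decides
    return hit is not None and hit.action == "permit"  # implicit deny at the end

def classify(cfg, policy, pkt):
    # Classes are tried top-down; match-all needs every access-group in the class-map
    # to permit. Returns (class, dscp keyword, value); value None = no set action.
    classmaps, policies, acls = cfg
    for cls, dscp in policies[policy]:
        if cls == "class-default" or all(acl_permits(acls[a], pkt) for a in classmaps[cls]):
            return cls, dscp, DSCP_VALUES.get(dscp)
    return "class-default", None, None
```

Running `classify(parse_config(CONFIG), "IPPHONE+PC", Packet("udp", "10.77.0.10", "10.77.0.20", 20000, 20000))` returns `("VVLAN-VOICE", "ef", 46)`, and a TCP packet to port 2000 lands in VVLAN-CALL-SIGNALING with CS3. Two things the model makes visible: the ACLs match `any any`, so the class names notwithstanding, RTP from a PC on the data VLAN also hits VVLAN-VOICE first and is marked EF; and feeding `parse_ace` the entry exactly as the thread shows it (`permit ip any`) raises a ValueError, the same incompleteness IOS would reject.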
Hitesh Vinzoda Wed, 07/07/2010 - 05:11


I think you have to enable

"mls qos trust dscp" under the interface.


Hitesh Vinzoda

Pls rate useful posts

getamessay Wed, 07/07/2010 - 05:17


Yes, I have already tried it.

If I have the two commands below under the interface along with service-policy input IPPHONE+PC, it doesn't mark any traffic at all. However, if I have the two commands below and don't use service-policy input IPPHONE+PC, then I can see the marking.

qos trust dscp
qos trust device cisco-phone


Hitesh Vinzoda Wed, 07/07/2010 - 05:53


What's the goal: to trust the marking from the phone, or to use a policy map or ACL to mark the packets with DSCP?

Because in your ACL you are not matching DSCP bits; you are matching traffic based on Layer 4 info.


Hitesh Vinzoda

Pls rate useful posts

getamessay Wed, 07/07/2010 - 06:00

The goal is to conditionally trust the Cisco phone and extend DSCP trust to the phone. In addition, I am using the ACL to classify voice and other traffic in the voice VLAN.

I used the SRND for QoS.
