New Member

3750X QoS Not Working

I can't seem to get my 3750X to mark DSCP values.

I am testing with HTTP from a server on another VLAN.

Using Wireshark, the HTTP packets are all marked 0.

 

Cisco IOS Software, C3750E Software (C3750E-UNIVERSALK9-M), Version 15.2(1)E3, RELEASE SOFTWARE (fc1)

QoS is enabled
QoS ip packet dscp rewrite is enabled

Extended IP access list QoS-ACL-Ceton-InfiniTV-Data
    10 permit udp any any range 5001 5016
Extended IP access list QoS-ACL-Ceton-InfiniTV-Signaling
    10 permit tcp any any eq 554
    20 permit udp any any range 5757 5772
    30 permit tcp any any eq www

Class Map match-all QoS-Ceton-InfiniTV-Signaling-Class (id 9)
   Match access-group name QoS-ACL-Ceton-InfiniTV-Signaling

 Class Map match-all QoS-Ceton-InfiniTV-Data-Class (id 10)
   Match access-group name QoS-ACL-Ceton-InfiniTV-Data

  Policy Map QoS-Ceton-InfiniTV-Policy
    Class QoS-Ceton-InfiniTV-Data-Class
      set dscp af41
    Class QoS-Ceton-InfiniTV-Signaling-Class
      set dscp af21

interface GigabitEthernet1/0/36
 description VLAN 100 - Ceton InfiniTV 6 ETH
 switchport access vlan 100
 switchport mode access
 ipv6 nd raguard
 spanning-tree portfast
 service-policy input QoS-Ceton-InfiniTV-Policy
end

 

Any suggestions?

Thanks.

 

Accepted Solutions
Green

Hi,

I think the issue you are seeing is being caused by your access list


Extended IP access list QoS-ACL-Ceton-InfiniTV-Signaling
    10 permit tcp any any eq 554
    20 permit udp any any range 5757 5772
    30 permit tcp any any eq www   ?????

The service policy is inbound from your http (www) server

So you need to match the packets from the server as WWW

Try this

!
no ip access-list extended QoS-ACL-Ceton-InfiniTV-Signaling
!
ip access-list extended QoS-ACL-Ceton-InfiniTV-Signaling
 10 permit tcp any any eq 554
 20 permit udp any any range 5757 5772
 30 permit tcp any eq www any
 40 permit tcp any eq 443 any
!

Hope this helps
Regards
Alex

Regards, Alex. Please rate useful posts.
New Member

I will try that soon. The device that I applied the policy to (Gig1/0/36) has all these services. I'm just trying to access the web daemon (http) from a machine (happens to be a server) on another VLAN to check the DSCP values. Hope that makes things a little clearer. I just copied the same formatting from the auto QoS policies that the switch generated. In those policies, the ACLs are all: permit proto any any eq port. Thanks.
Green

Hi,

Just to clear up the ACL format.

permit/deny | protocol | source address | source port | dest address | dest port

So in your case the server will be responding with a source PORT of 80 (www-http) or 443 (HTTPS)

To match this we can use

permit tcp any eq www any
permit tcp any eq 443 any


If it was an end user's PC etc. we were matching, then we move the 80/443 to the destination PORT

permit tcp any any eq www
permit tcp any any eq 443

Hope this helps
Regards
Alex

Regards, Alex. Please rate useful posts.
New Member

Thanks Alex.

ACLs and direction always confuse me.

To me, it always seems like it should be the other way.

I always write them backwards.

 

Anyway,

I tested the HTTP daemon on the Ceton from another machine and verified with Wireshark.

Packets are marked correctly.

I worked out (through trial and error) the rest of the ACL.

 

Here is my current (working) QoS-ACL:

ip access-list extended QoS-ACL-Ceton-InfiniTV-Data
 permit udp any any range 5001 5016
 permit udp any any range 8000 8015
ip access-list extended QoS-ACL-Ceton-InfiniTV-Signaling
 permit tcp any eq www any
 permit tcp any eq 554 any
 permit udp any range 5757 5772 any
 permit tcp any eq 8554 any
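
Added example, not part of the thread: a small Python model of how an extended ACL entry is matched (source port field before destination port field), run against the original and the final working ACLs quoted above. The packet values are constructed, and the model is an assumption-level sketch that only handles the `any` addresses and the `eq`/`range` operators appearing on this page.

```python
NAMED_PORTS = {"www": 80}  # the only port keyword used in this thread's ACLs
def _port(tok):
    return NAMED_PORTS[tok] if tok in NAMED_PORTS else int(tok)

def _side(toks):
    """Consume 'any [eq P | range LO HI]'; return the (lo, hi) port bounds."""
    if toks.pop(0) != "any":
        raise ValueError("this sketch only handles 'any' addresses")
    n = {"eq": 1, "range": 2}.get(toks[0], 0) if toks else 0
    if n == 0:
        return 0, 65535            # no port operator: any port
    ports = [_port(t) for t in toks[1:n + 1]]
    del toks[:n + 1]
    return ports[0], ports[-1]

def parse_ace(line):
    """'[seq] action proto src [ports] dst [ports]' -> (action, proto, src, dst)."""
    toks = line.split()
    if toks[0].isdigit():          # sequence number as shown by the switch
        toks.pop(0)
    action, proto = toks.pop(0), toks.pop(0)
    return action, proto, _side(toks), _side(toks)

def acl_permits(acl, proto, sport, dport):
    """First matching entry wins; no match is the implicit deny."""
    for line in acl:
        action, p, (slo, shi), (dlo, dhi) = parse_ace(line)
        if p == proto and slo <= sport <= shi and dlo <= dport <= dhi:
            return action == "permit"
    return False

def classify(policy, proto, sport, dport):
    """Walk the policy-map classes in order; return the DSCP set, or None."""
    for acl, dscp in policy:
        if acl_permits(acl, proto, sport, dport):
            return dscp
    return None                    # no class matched, so this policy sets nothing

SIG_ORIGINAL = ["10 permit tcp any any eq 554", "20 permit udp any any range 5757 5772",
                "30 permit tcp any any eq www"]
SIG_WORKING = ["permit tcp any eq www any", "permit tcp any eq 554 any",
               "permit udp any range 5757 5772 any", "permit tcp any eq 8554 any"]
ORIGINAL = [(["10 permit udp any any range 5001 5016"], "af41"), (SIG_ORIGINAL, "af21")]
WORKING = [(["permit udp any any range 5001 5016",
             "permit udp any any range 8000 8015"], "af41"), (SIG_WORKING, "af21")]
# Constructed packet: HTTP reply from the Ceton entering Gi1/0/36 (source port 80;
# the client's ephemeral port 51000 is made up for the example).
REPLY = ("tcp", 80, 51000)
print("original ACL:", classify(ORIGINAL, *REPLY), "| working ACL:", classify(WORKING, *REPLY))
```

With `service-policy input` on the Ceton's port, only the entries that put the service port in the source position classify the device's replies.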
