06-16-2014 01:25 PM - edited 03-07-2019 07:44 PM
I can't seem to get my 3750X to mark DSCP values.
I am testing with HTTP from a server on another VLAN.
Using WireShark, the HTTP packets are all marked 0.
Cisco IOS Software, C3750E Software (C3750E-UNIVERSALK9-M), Version 15.2(1)E3, RELEASE SOFTWARE (fc1)
QoS is enabled
QoS ip packet dscp rewrite is enabled
Extended IP access list QoS-ACL-Ceton-InfiniTV-Data
10 permit udp any any range 5001 5016
Extended IP access list QoS-ACL-Ceton-InfiniTV-Signaling
10 permit tcp any any eq 554
20 permit udp any any range 5757 5772
30 permit tcp any any eq www
Class Map match-all QoS-Ceton-InfiniTV-Signaling-Class (id 9)
Match access-group name QoS-ACL-Ceton-InfiniTV-Signaling
Class Map match-all QoS-Ceton-InfiniTV-Data-Class (id 10)
Match access-group name QoS-ACL-Ceton-InfiniTV-Data
Policy Map QoS-Ceton-InfiniTV-Policy
Class QoS-Ceton-InfiniTV-Data-Class
set dscp af41
Class QoS-Ceton-InfiniTV-Signaling-Class
set dscp af21
interface GigabitEthernet1/0/36
description VLAN 100 - Ceton InfiniTV 6 ETH
switchport access vlan 100
switchport mode access
ipv6 nd raguard
spanning-tree portfast
service-policy input QoS-Ceton-InfiniTV-Policy
end
Any suggestions?
Thanks.
06-16-2014 04:56 PM
Hi,
I think the issue you are seeing is being caused by your access list:
Extended IP access list QoS-ACL-Ceton-InfiniTV-Signaling
10 permit tcp any any eq 554
20 permit udp any any range 5757 5772
30 permit tcp any any eq www ?????
The service policy is inbound from your HTTP (www) server.
So you need to match the packets from the server as WWW.
Try this:
!
no ip access-list extended QoS-ACL-Ceton-InfiniTV-Signaling
!
ip access-list extended QoS-ACL-Ceton-InfiniTV-Signaling
10 permit tcp any any eq 554
20 permit udp any any range 5757 5772
30 permit tcp any eq www any
40 permit tcp any eq 443 any
!
Hope this helps
Regards
Alex
06-16-2014 06:11 PM
06-17-2014 04:28 AM
Hi,
Just to clear up the ACL format:
permit/deny | protocol | source address | source port | dest address | dest port
So in your case the server will be responding with a source PORT of 80 (www-http) or 443 (HTTPS).
To match this we can use
permit tcp any eq www any
permit tcp any eq 443 any
If it was an end user's PC etc. we were matching, then we move the 80/443 to the destination PORT:
permit tcp any any eq www
permit tcp any any eq 443
Hope this helps
Regards
Alex
06-18-2014 10:41 AM
Thanks Alex.
ACLs and direction always confuse me.
To me, it always seems like it should be the other way.
I always write them backwards.
Anyway,
I tested the HTTP daemon on the Ceton from another machine and verified with Wireshark.
Packets are marked correctly.
I worked out (through trial and error) the rest of the ACL.
Here is my current (working) QoS-ACL:
ip access-list extended QoS-ACL-Ceton-InfiniTV-Data
permit udp any any range 5001 5016
permit udp any any range 8000 8015
ip access-list extended QoS-ACL-Ceton-InfiniTV-Signaling
permit tcp any eq www any
permit tcp any eq 554 any
permit udp any range 5757 5772 any
permit tcp any eq 8554 any
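
The source-port versus destination-port point from this thread, as an added example that is not part of the original posts: a simplified first-match model of the ACL entries above, showing why the first Signaling ACL left the server's HTTP replies at DSCP 0 on the inbound policy while the working one marks them af21. Assumptions: the function names, the "any"-addresses-only parser, and the constructed client port 51514 are illustrative and not from the switch.

```python
# Added example: first-match evaluation of the extended-ACL entries in this
# thread. Simplified model: "any" addresses only, eq/range port operators.
NAMED_PORTS = {"www": 80}          # IOS port keyword used on the page
AF41, AF21 = 34, 18                # decimal DSCP values of af41 / af21

def _port(tok):
    return NAMED_PORTS[tok] if tok in NAMED_PORTS else int(tok)

def parse_ace(line):
    """'[seq] permit|deny proto any [eq P|range A B] any [eq P|range A B]'"""
    tok = line.split()
    if tok[0].isdigit():           # optional sequence number
        tok = tok[1:]
    action, proto, rest = tok[0], tok[1], tok[2:]
    ports = []
    for _side in ("source", "destination"):
        if not rest or rest.pop(0) != "any":
            raise ValueError("only 'any' addresses are modelled: " + line)
        lo, hi = 0, 65535          # no operator means any port
        if rest[:1] == ["eq"]:
            lo = hi = _port(rest[1])
            rest = rest[2:]
        elif rest[:1] == ["range"]:
            lo, hi = _port(rest[1]), _port(rest[2])
            rest = rest[3:]
        ports.append((lo, hi))
    return action, proto, ports[0], ports[1]

def acl_permits(acl, proto, sport, dport):
    for action, a_proto, (slo, shi), (dlo, dhi) in map(parse_ace, acl):
        if a_proto == proto and slo <= sport <= shi and dlo <= dport <= dhi:
            return action == "permit"
    return False                   # implicit deny: packet is not in this class

def mark(policy, proto, sport, dport):
    """Return the DSCP set by the first class whose ACL permits the packet."""
    for acl, dscp in policy:
        if acl_permits(acl, proto, sport, dport):
            return dscp
    return 0                       # no class matched; the model returns DSCP 0

DATA = ["permit udp any any range 5001 5016"]   # Data ACL as first posted
SIG_ORIGINAL = ["10 permit tcp any any eq 554",
                "20 permit udp any any range 5757 5772",
                "30 permit tcp any any eq www"]
SIG_WORKING = ["permit tcp any eq www any", "permit tcp any eq 554 any",
               "permit udp any range 5757 5772 any", "permit tcp any eq 8554 any"]
ORIGINAL = [(DATA, AF41), (SIG_ORIGINAL, AF21)]
WORKING = [(DATA, AF41), (SIG_WORKING, AF21)]
```

Calling `mark(ORIGINAL, "tcp", 80, 51514)` models an HTTP reply entering the port with the service policy (source port 80, constructed client port 51514); swapping in `WORKING` shows the effect of moving `eq www` to the source side.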