Cisco Support Community
Community Member

QoS and ACL on Catalyst 4500 switches

Hello,

I am trying to classify incoming packets from IP phones using an ACL. My detailed config is shown below. However, when I use Wireshark and check packets arriving from the IP phone, it shows DSCP=0. It seems the ACL isn't applied on the access port.

FYI, I used the QoS practice document to configure it.

!!!!!!!!!  MQC !!!!!!!!!!!!!!!!!!

class-map match-all DVLAN-PC-VIDEO
 match access-group name DVLAN-PC-VIDEO
class-map match-all VVLAN-CALL-SIGNALING
 match access-group name VVLAN-CALL-SIGNALING
class-map match-all VVLAN-VOICE
 match access-group name VVLAN-VOICE
class-map match-all VVLAN-ANY
 match access-group name VVLAN-ANY
!
policy-map DBL
 class class-default
  dbl
policy-map IPPHONE+PC
 class VVLAN-VOICE
  set ip dscp ef
 class VVLAN-CALL-SIGNALING
  set ip dscp cs3
 class DVLAN-PC-VIDEO
  set ip dscp af41
 class VVLAN-ANY
  set ip dscp default
 class class-default
  set ip dscp default


!!!!!!!!! Access Port config !!!!!!!!!!!

interface GigabitEthernet2/1
 switchport access vlan dynamic
 switchport mode access
 switchport voice vlan 77
 ip arp inspection limit rate 100
 speed auto 10 100
 qos trust device cisco-phone
 tx-queue 3
  priority high
  shape percent 30
 spanning-tree portfast
 spanning-tree bpduguard enable
 spanning-tree guard root
 service-policy input IPPHONE+PC
 service-policy output DBL
 ip verify source vlan dhcp-snooping port-security

!!!!!!!!!!   ACL !!!!!!!!!!!!!!!!!

ip access-list extended DVLAN-PC-VIDEO
 permit udp any any range 16384 32767
 permit udp any any range 5445 5446
ip access-list extended VVLAN-ANY
 permit ip 172.10.122.0 0.0.1.255 any
ip access-list extended VVLAN-CALL-SIGNALING
 permit tcp 172.10.122.0 0.0.1.255 any range 2000 2002
ip access-list extended VVLAN-VOICE
 permit udp 172.10.122.0 0.0.1.255 any range 16384 32767

Thanks.
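
For checking a Wireshark capture against what the posted IPPHONE+PC policy is expected to mark, here is an added example (not part of the original post and not Cisco code) that models the four ACLs and the class order in Python. It assumes first-match class evaluation in policy-map order and IOS wildcard-mask semantics; the sample packets and the 10.1.1.20 address are constructed.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """IOS wildcard match: bits set in the wildcard are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w & 0xFFFFFFFF) == (b & ~w & 0xFFFFFFFF)

VOICE_NET = ("172.10.122.0", "0.0.1.255")  # source match used by the VVLAN-* ACLs

# (class name, DSCP set by the policy-map, ACL entries), in policy-map order.
# ACL entry: (protocol, source or None for "any", (low, high) dest ports or None)
POLICY = [
    ("VVLAN-VOICE", "ef", [("udp", VOICE_NET, (16384, 32767))]),
    ("VVLAN-CALL-SIGNALING", "cs3", [("tcp", VOICE_NET, (2000, 2002))]),
    ("DVLAN-PC-VIDEO", "af41", [("udp", None, (16384, 32767)),
                                ("udp", None, (5445, 5446))]),
    ("VVLAN-ANY", "default", [("ip", VOICE_NET, None)]),
]

def entry_matches(entry, proto, src, dport):
    e_proto, e_src, e_ports = entry
    if e_proto != "ip" and e_proto != proto:
        return False
    if e_src is not None and not wildcard_match(src, *e_src):
        return False
    return e_ports is None or e_ports[0] <= dport <= e_ports[1]

def classify(proto, src, dport):
    """Return (class, dscp) for the first class whose ACL permits the packet."""
    for name, dscp, entries in POLICY:
        if any(entry_matches(e, proto, src, dport) for e in entries):
            return name, dscp
    return "class-default", "default"

# Constructed sample packets: (protocol, source IP, destination port)
SAMPLES = [
    ("udp", "172.10.123.40", 16500),  # phone media, upper half of the wildcard range
    ("tcp", "172.10.122.15", 2000),   # phone call signaling
    ("udp", "10.1.1.20", 5445),       # PC video from outside the voice subnet
    ("tcp", "172.10.122.15", 443),    # other voice-VLAN traffic
    ("udp", "172.10.124.1", 53),      # matches no ACL, falls to class-default
]

if __name__ == "__main__":
    for pkt in SAMPLES:
        print(pkt, "->", classify(*pkt))
```

The wildcard 0.0.1.255 makes the VVLAN-* ACLs cover sources 172.10.122.0 through 172.10.123.255, so a phone outside that range sending UDP to ports 16384-32767 would be classified as DVLAN-PC-VIDEO rather than VVLAN-VOICE.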

5 REPLIES

Re: QoS and ACL on Catalyst 4500 switches

Hi,

I think you have to enable "mls qos trust dscp" under the interface.

HTH

Hitesh Vinzoda

Pls rate useful posts

Community Member

Re: QoS and ACL on Catalyst 4500 switches

Hi,

Yes, I have already tried it.

If I have the two commands below under the interface along with service-policy input IPPHONE+PC, it doesn't mark any traffic at all. However, if I have the two commands below and don't use service-policy input IPPHONE+PC, yes, I can see the marking.

qos trust dscp
qos trust device cisco-phone

Thanks

Re: QoS and ACL on Catalyst 4500 switches

Alright,

What's the goal? Trust the marking from the phone

OR

use a policy map or ACL to mark the packets using DSCP?

Because in your ACL you are not matching DSCP bits; you are matching traffic based on layer 4 info.

HTH

Hitesh Vinzoda

Pls rate useful posts

Community Member

Re: QoS and ACL on Catalyst 4500 switches

The goal is to conditionally trust the Cisco phone and extend DSCP trust to the phone. In addition, I am using the ACL to classify voice and other traffic in the voice VLAN.

I used the SRND for QoS.

Thanks

Community Member

Re: QoS and ACL on Catalyst 4500 switches
