VACLs and QoS ACL Classification Order of Operation
Please see the attached jpeg diagram for the topology.
Question is: If you specify a VACL on a switch, let's say at ingress to your network for voice/data/video classification for QoS purposes, does your traffic get classified once at ingress, i.e., when coming into your switchport to the switch, and then again when it reaches the far end access switch (let's just say RTP payload)? So, a voice call would get classified twice when sending an RTP packet from Phone 1 to Phone 2?
This is just important to understand from a transit network design point of view?
There seems to be a bit of confusion, i.e., when I look at the following documentation,
it shows that VACLs in a bridge environment only hit the VACL on ingress, but other documentation says that the VACLs (or VLAN maps) are directionless?
I am a little confused by that?
Also, I am assuming, when you come into another switch (i.e., frame A arrives at the far end access switch in my diagram), your packet will be coming in with an 802.1q header, that gets stripped, and then you will be in a particular VLAN, and the VACL applies to that?
The VACL gets applied before the 802.1q header is stripped? So, if you came in with a VLAN tag on a dot1q trunk and you had a tag of 100, your frame would get processed by a VACL mapped to VLAN 100 (if any) and then the 802.1q tag removed, and if it was VLAN 600, your frame would be subject to any VLAN 600 VACL and then 802.1q header removed?
Re: VACLs and QoS ACL Classification Order of Operation
The following quote from the docs should help:
"After packets have been processed by ingress PFC QoS and any policing or marking changes have been made, the packets are processed again on the ingress interface by any configured Layer 2 features (for example, VACLs) before being processed by egress PFC QoS."
And the following doc has some very useful guidelines on optimising ACLs for the 6500 hardware:
But I am still a tad confused how this works if a frame comes in from a trunk? Does it look at the 802.1q tag, and then says, you have a VACL, hits the VACL and then strips off the 802.1q tag, or does it strip the 802.1q tag first and then hit the VACL?