QoS policy marking and classification not working for IP dscp

sam-lee (Level 1)

Hi, I am setting the DSCP for MPLS network QoS.

However, the packets are not marked although a class-map and policy-map have been defined. When I start an FTP transfer, basically to generate FTP traffic, all packets go to class-default. Attached is the config at both ends, please help!

8 Replies

mheusinger (Level 10)

Hello,

your class-map will not match all FTP packets. The reason is that in many cases passive FTP is used and thus the file transfer takes place with other ports than 20 and 21. This has been introduced, because otherwise FTP clients behind a simple NAT router would not be able to download (if the server starts to send at port 20 there is no NAT entry present, hence the packets are dropped). With passive FTP the server suggests a random port to which the client connects to download. An access-list is not able to match this type of traffic. NBAR however will do the trick.

To be sure to get all FTP traffic please use in both routers:

class-map match-all ftp
 match protocol ftp
!
!
policy-map police
 class ftp
  set ip dscp af43

The router will then observe the port negotiation between client and server and match all FTP packets.

Hope this helps! Please rate all posts.

Regards, Martin
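To make Martin's point concrete, here is an added example (not code from the thread or from Cisco) that models why a port-based access-list misses passive FTP while a classifier that watches the control channel does not. The addresses, ports and packets are constructed sample data, and the stateful classifier is a simplified model of what NBAR's "match protocol ftp" does, not NBAR itself.

```python
"""Port-based ACL vs. stateful FTP classification (added example, constructed data)."""
import re
from dataclasses import dataclass

CLIENT = "192.0.2.10"      # constructed client address
SERVER = "198.51.100.20"   # constructed server address


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: str = ""


# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" announces the server data endpoint
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
# "PORT h1,h2,h3,h4,p1,p2" announces the client data endpoint (active mode)
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


def _endpoint(groups):
    """Decode the h1..h4,p1,p2 tuple used by PASV replies and PORT commands."""
    h1, h2, h3, h4, p1, p2 = map(int, groups)
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def acl_classify(pkt):
    """Stateless match, equivalent to an access-list permitting TCP ports 20 and 21."""
    if pkt.dport in (20, 21) or pkt.sport in (20, 21):
        return "ftp"
    return "class-default"


class StatefulFtpClassifier:
    """Watches the control channel (TCP 21) for PASV/PORT negotiation and records
    the negotiated data endpoints, so data packets on arbitrary ports still
    classify as ftp. This is a toy model of NBAR's protocol tracking."""

    def __init__(self):
        self.data_endpoints = set()   # (ip, port) pairs learned from the control channel

    def classify(self, pkt):
        if 21 in (pkt.sport, pkt.dport):
            self._learn(pkt.payload)
            return "ftp"
        if (pkt.dst, pkt.dport) in self.data_endpoints or (pkt.src, pkt.sport) in self.data_endpoints:
            return "ftp"
        return "class-default"

    def _learn(self, payload):
        for line in payload.splitlines():
            m = PASV_RE.match(line) or PORT_RE.match(line)
            if m:
                self.data_endpoints.add(_endpoint(m.groups()))


def passive_session():
    """Constructed passive-mode transfer: PASV, 227 reply, then data on port 50000 (195*256+80)."""
    return [
        Packet(CLIENT, 41000, SERVER, 21, "PASV\r\n"),
        Packet(SERVER, 21, CLIENT, 41000, "227 Entering Passive Mode (198,51,100,20,195,80)\r\n"),
        Packet(CLIENT, 41001, SERVER, 50000, "<file bytes>"),
        Packet(SERVER, 50000, CLIENT, 41001, "<file bytes>"),
    ]


def classify_session(packets, classifier):
    return [classifier(p) for p in packets]


def compare():
    """Classify the same passive session with both approaches."""
    pkts = passive_session()
    return {
        "acl": classify_session(pkts, acl_classify),
        "stateful": classify_session(pkts, StatefulFtpClassifier().classify),
    }


if __name__ == "__main__":
    for name, labels in compare().items():
        print(f"{name:9s} {labels}")
```

Running it shows the two data packets landing in class-default under the ACL model and in ftp under the stateful model, which is exactly the symptom in the original question: only the control connection on port 21 is ever marked when the class-map is built from a port-based ACL.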

To ensure that the match protocol statement Martin mentioned works, be sure to include:

interface Serial0.1 point-to-point
 ip nbar protocol-discovery

in your config.

Regards,

Michael

Hello Michael,

According to my experience, "ip nbar protocol-discovery" is not needed for NBAR to work correctly. I am also not aware of any Cisco documentation stating this prerequisite. Can you highlight why you recommend this, or even refer to documentation for further reading?

Regards, Martin

Hi Martin,

I'm trying to recall - I thought I'd remembered applying a service-policy with a match protocol clause to an interface, only to have the CLI kick it back telling me to enable NBAR on the interface. Unfortunately, I don't remember the particulars; I've just kept that notion in the back of my mind.

However, now that you've asked, I've tried to prove/disprove the notion. And I can't re-create the experience. So, either I'm remembering incorrectly, or IOS has changed.

Either way, I'm glad you called me out on this - everyday I learn something new ( or in this case something old...) 5pts to you, my friend.

Thanks,

Michael

Michael,

I read this post a few weeks ago, and then just now came across this passage from the CCIE Routing and Switching Official Exam Certification Guide, 2nd edition:

"Before the 12.2T/12.3 IOS releases, the ip nbar protocol-discovery command was required on an interface before using a service-policy command that used NBAR matching. With 12.2T/12.3 train releases, this command is no longer required."

Just in case you were still trying to remember, thought I would provide you some relief :-)

Best Regards

Robert

Thanks Robert!

5 to you as well. That was driving me nuts...

Michael

I have upgraded my IOS to 12.2 and hence I can use the match protocol ftp command.

Otherwise, the older version of IOS doesn't support this command, in which case you have to use an access-list for control and the ip nbar protocol-discovery.

Thanks for all the info, guys!

Hi guys. This was one of the better threads. Would it be possible to post the FINAL configs? :)

Anthony
