I would like to implement QoS on a Catalyst 3550 switch.
We already deployed a policy, but it does not seem to be working: we see no matches in the access lists. Here is what we have configured.
class-map match-all gold
match access-group 125
set ip precedence 5
police 2000000 8000 exceed-action policed-dscp-transmit
access-list 125 permit tcp any any range ftp-data ftp
access-list 125 permit tcp any range ftp-data ftp any
access-list 125 permit udp any any eq 12004
access-list 125 permit udp any eq 12004 any
access-list 125 permit tcp any any eq smtp
access-list 125 permit tcp any eq smtp any
access-list 125 permit tcp any any eq pop3
access-list 125 permit tcp any eq pop3 any
access-list 125 permit udp any any eq 110
access-list 125 permit udp any eq 110 any
access-list 125 permit tcp any any range 11000 11001
access-list 125 permit tcp any range 11000 11001 any
access-list 125 permit udp any any range 11000 11001
access-list 125 permit udp any range 11000 11001 any
switchport access vlan 159
switchport mode access
no ip address
mls qos monitor dscp 8 16 24 32
service-policy input mark-in-pkts
But this is not working. We don't see any matches for access-list 125.
Did we do something wrong?
Or is it possible that the switch by default does not look at the IP header and forwards the packets through the MAC forwarding table?
And if so, can we avoid this?
So we would like the switch to set the IP precedence bit for particular packets. On routers, the configuration described above is working.
Can you help?

I believe your problem is the 'match-all' parameter; see below.
Creating a Traffic Class
The class-map global configuration command is used to create a traffic class. The syntax of the class-map command is as follows:
class-map [match-any | match-all] class-name
no class-map [match-any | match-all] class-name
The match-all and match-any options need to be specified only if more than one match criterion is configured in the traffic class. The class-map match-all command is used when all of the match criteria in the traffic class must be met in order for a packet to match the specified traffic class. The class-map match-any command is used when only one of the match criteria in the traffic class must be met in order for a packet to match the specified traffic class. If neither the match-all nor the match-any keyword is specified, the traffic class will behave in a manner consistent with the class-map match-all command.

I have tried to change the policy configuration, but by default the router inserts "match-all" into the running configuration. So this couldn't be the problem. So I think that maybe the switch is not checking the incoming packet through the IP header.
It checks the MAC address and forwards the packet.
Do you have another idea?

I've found an almost identical example config on CCO at the end of http://www.cisco.com/warp/public/473/153.pdf
The only differences are:
in your config (might be crucial if really omitted)
mls qos map policed-dscp 48 to 16
(modifies QoS map, should not be crucial but should be in config for correct functionality, I think).
Is your switch 3550 or 2950?
If 2950, this can't work at all.
If 3550, which IOS are you running?
Have you tried to use some simple ACL 125 (permit ip any any, e.g.) to be sure some data should pass it?

The 2 "missing" commands are in the configuration. I forgot to insert them into the chat.
It's a 3550 switch and we use IOS 12.1(11).
We also tried to use a simple ACL 125 (with permit icmp any any). But we still see no matches for this ACL.
Do you have another idea?

In fact, I encountered exactly the same problem as yours. I tried the same configuration on a Cat 6509 (with PFC card), and it works fine.
I've checked the IOS documentation and compared the 3550 and 6500 configuration guides; it seems that for the 3550, it mentions a requirement to turn off flowcontrol. Yet, I haven't had a chance to retest it. Maybe you can try, and I would like to know your findings.

I have successfully configured QOS on a 3550. The documentation states that the hits won't show up on the ACLs. You can verify the classifications using the "sh mls qos int stats" commands. If you need to see which flows have been classified and you are using diffserv, then you can use the "mls qos monitor dscp" command on each interface to view the packets matching and marking.
Hope that helps,

But what about using the "show policy-map interface ...." command? I find that on a router or Cat 6509, this command shows the number of packet matches, but on the Cat 3550, the counter doesn't increase (remains 0).

Eventually, I got some time to retest the QoS on the 3550 again. I find that though "show policy-map interface ...." doesn't show the correct number of packets being processed, the QoS actually works. When I monitored the outgoing packets with a router, the IP precedence field was correctly set by the 3550.