I'm trying to match LWAPP/CAPWAP traffic, so that it's classified as critical traffic for our outbound QoS policy that's applied on the CE WAN router.
There are hits on the ACL, but when I look at "show policy-map interface", the stats are zero.
So my question is if matching ACL along w/ DSCP is a valid configuration within MQC?
ip access-list extended LWAPP
 permit udp any any eq 12223
 permit udp any any eq 5246
 permit udp any eq 12223 any
 permit udp any eq 5246 any

class-map match-any missioncritical
 match ip dscp cs3 af31 af32 af33 cs6 cs7
 match access-group name LWAPP

policy-map CHILD-POLICY
 class realtime
  priority 2048
  police 2048000 conform-action transmit exceed-action drop
 class priority
  bandwidth remaining percent 30
  random-detect dscp-based
 class missioncritical
  bandwidth remaining percent 20
  random-detect dscp-based
 class transactional
  bandwidth remaining percent 20
  random-detect dscp-based
 class general
  bandwidth remaining percent 10
  random-detect dscp-based
 class class-default
  bandwidth remaining percent 20
  random-detect dscp-based

policy-map PARENT-POLICY
 class class-default
  shape average 8500000
  service-policy CHILD-POLICY
service-policy output PARENT-POLICY
Router#sh access-list LWAPP
Extended IP access list LWAPP
 10 permit udp any any eq 12223 (3837 matches)
 20 permit udp any any eq 5246
 30 permit udp any eq 12223 any (466137 matches)
 40 permit udp any eq 5246 any (14184 matches)

Router#show policy-map int fa0/0/0.2
 FastEthernet0/0/0.2

 Class-map: missioncritical (match-any)
  2610146 packets, 811329309 bytes
  30 second offered rate 11000 bps, drop rate 0 bps
  Match: ip dscp cs3 (24) af31 (26) af32 (28) af33 (30) cs6 (48) cs7 (56)
   2124221 packets, 330567230 bytes
   30 second rate 0 bps
  Match: access-group name LWAPP
   0 packets, 0 bytes
   30 second rate 0 bps
>> So my question is if matching ACL along w/ DSCP is a valid configuration within MQC?
Your configuration is correct because you have used match-any in defining the class-map.
The question can be: are you using any form of tunneling and/or encryption on the WAN interface that could hide the traffic flows?
DSCP settings are propagated to external headers both for GRE and IPSec, so it is possible to match on them even if you are using tunnels and/or IPSec.
Another possible hint is: if the LWAPP packets are marked with a DSCP value matched by the first match statement under the match-any directive, there is no need to have them processed by the second match statement to be classified in this traffic class.
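A cross-check on the counters quoted in the question, as an added example that is not part of the original thread: the script parses the two outputs and reports how many packets the class counted that neither match statement is credited with, next to the ACL's total hits. The function names are illustrative, and the comparison assumes both sets of counters were cleared at the same time.

```python
import re

# Output quoted in the question, one entry per line
# (the "30 second rate" lines under each Match are omitted).
SHOW_ACL = """\
Extended IP access list LWAPP
 10 permit udp any any eq 12223 (3837 matches)
 20 permit udp any any eq 5246
 30 permit udp any eq 12223 any (466137 matches)
 40 permit udp any eq 5246 any (14184 matches)
"""
SHOW_POLICY = """\
Class-map: missioncritical (match-any)
 2610146 packets, 811329309 bytes
 30 second offered rate 11000 bps, drop rate 0 bps
 Match: ip dscp cs3 (24) af31 (26) af32 (28) af33 (30) cs6 (48) cs7 (56)
  2124221 packets, 330567230 bytes
 Match: access-group name LWAPP
  0 packets, 0 bytes
"""

def acl_hits(text):
    """Return {sequence number: hit count}; an ACE with no counter is 0."""
    hits = {}
    for line in text.splitlines():
        ace = re.match(r"\s*(\d+)\s+(?:permit|deny)\b", line)
        if ace:
            count = re.search(r"\((\d+) match(?:es)?\)", line)
            hits[int(ace.group(1))] = int(count.group(1)) if count else 0
    return hits

def class_counters(text):
    """Return (class total, {match statement: packets}) for one class-map."""
    total, per_match, current = None, {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("Match:"):
            current = line[len("Match:"):].strip()
        m = re.match(r"(\d+) packets, \d+ bytes", line)
        if m and current is None:
            total = int(m.group(1))        # class-level counter
        elif m:
            per_match[current] = int(m.group(1))
    return total, per_match

def reconcile(acl_text, policy_text):
    total, per_match = class_counters(policy_text)
    attributed = sum(per_match.values())
    return {"class_total": total, "attributed": attributed,
            "unattributed": total - attributed,
            "acl_hits": sum(acl_hits(acl_text).values())}
```

On the quoted output, `reconcile(SHOW_ACL, SHOW_POLICY)` reports 485925 packets in the class that neither match statement is credited with, against 484158 total ACL hits.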