Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Community Member

QoS Marking Question

I know this has been asked to death, but I cannot get this to work.

The setup: Cisco 3750. Multiple LAN ports and one WAN port.

The request: mark all RDP traffic from the LAN as AF31.

the commands I used:

access-list 180 permit tcp any any eq 3389

class-map match-all RDP-TRAFFIC

  match access-group 180

policy-map SETDSCP-EF


  set dscp af31

int *Wan

mls qos trust dscp

int *lan

service-policy input SETDSCP-EF

I thought it was working, using the command "show mls qos int * statistic" I could see traffic in the queues incrementing, then I wanted to check further and am now convinced its not working. (When I remove all my rewrite config I still get a bit of traffic in the queues so that is no longer a valid test)

I was not able to sniff the packets with an analyzer because its a remote site, so what I did instead was, put an access-list on the interface as follows (in both directions in and out):

access-list 123 permit ip any any dscp ef log

access-list 123 permit ip any any dscp af31 log

access-list 123 permit tcp any any eq 3389 log

access-list 123 permit ip any any

That clearly told me it wasn't working, I cleared the access-list counters, left it for a while and got this:

Extended IP access list 123

    10 permit ip any any dscp ef log

    20 permit ip any any dscp af31 log (374 matches)

    25 permit tcp any any eq 3389 log (73487 matches)

    30 permit ip any any (43612 matches)

Now the access list is sequential, so I should see zero hits against my 3389 rule and a ton against the af31 rule. Because anyting that is 3389, should also be marked as af31 and match the first statement. But I am seeing a lot of traffic that is 3381 that does not have af31 set.

I tried removing the  service policy off the physical interface and onto the vlan instead but I see the same results!


QoS Marking Question

Where is the ACL applied? It could be seeing the traffic before the marking takes place. If show mls qos interface statistics says that the counters are increasing then I would trust that.

If you control the WAN side you could apply a policy map that does nothing but only counts the packets. Something like:

class-map AF31_COUNT

match ip dscp af31

policy-map PM_COUNT

class AF31_COUNT

class class-default

int x

service-policy input PM_COUNT

Daniel Dib
CCIE #37149

Daniel Dib CCIE #37149 Please rate helpful posts.
Community Member

QoS Marking Question

QoS is enabled:

sh mls qos

QoS is enabled

QoS ip packet dscp rewrite is enabled

The set descp policy is applied  incoming on the LAn interface, and the ACL is applied outgoing on the WAN interface so I expect that the packets should be re-written in the middle of that.

The mls counters increase even with all my config removed though so thats why i cant trust them. Some application must also be marking packets on the LAN. The WAN interface goes directly to a service provider NID so I cant do anything on that side unfortunately.

The real problem is, after marking the traffic the user still gets poor rdp performance across the WAN (the WAN provider is QoS enabled and honors our markings)

Super Bronze

QoS Marking Question

Is QoS enabled on the switch?

CreatePlease to create content