I know this has been asked to death, but I cannot get this to work.
The setup: Cisco 3750. Multiple LAN ports and one WAN port.
The request: mark all RDP traffic from the LAN as AF31.
The commands I used:
access-list 180 permit tcp any any eq 3389
!
class-map match-all RDP-TRAFFIC
 match access-group 180
!
! policy-map wrapper reconstructed from the names the post uses: "set dscp af31"
! has to sit under a class inside the policy-map that the service-policy line
! references (SETDSCP-EF); the post lists only the set command itself
policy-map SETDSCP-EF
 class RDP-TRAFFIC
  set dscp af31
!
! interface context assumed (the post does not name the interface)
interface <LAN-interface>
 mls qos trust dscp
 service-policy input SETDSCP-EF
I thought it was working: using the command "show mls qos int * statistic" I could see traffic in the queues incrementing. Then I wanted to check further and am now convinced it's not working. (When I remove all my rewrite config I still get a bit of traffic in the queues, so that is no longer a valid test.)
I was not able to sniff the packets with an analyzer because it's a remote site, so what I did instead was put an access-list on the interface as follows (in both directions, in and out):
access-list 123 permit ip any any dscp ef log
access-list 123 permit ip any any dscp af31 log
access-list 123 permit tcp any any eq 3389 log
access-list 123 permit ip any any
That clearly told me it wasn't working, I cleared the access-list counters, left it for a while and got this:
Extended IP access list 123
10 permit ip any any dscp ef log
20 permit ip any any dscp af31 log (374 matches)
25 permit tcp any any eq 3389 log (73487 matches)
30 permit ip any any (43612 matches)
Now the access list is sequential, so I should see zero hits against my 3389 rule and a ton against the af31 rule, because anything that is 3389 should also be marked as af31 and match the first statement. But I am seeing a lot of traffic that is 3389 that does not have af31 set.
I tried removing the service policy from the physical interface and putting it on the VLAN instead, but I see the same results!
The set dscp policy is applied incoming on the LAN interface, and the ACL is applied outgoing on the WAN interface, so I expect that the packets should be re-written in the middle of that.
The mls counters increase even with all my config removed though, so that's why I can't trust them. Some application must also be marking packets on the LAN. The WAN interface goes directly to a service provider NID, so I can't do anything on that side unfortunately.
The real problem is, after marking the traffic the user still gets poor RDP performance across the WAN (the WAN provider is QoS enabled and honors our markings).
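The counter-based test in the post (a DSCP-match ACE sequenced before a port-match ACE, so any hit on the port ACE is a packet that arrived without the expected marking) can be automated. The script below is an added example, not part of the post or of Cisco's tooling: it parses `show access-lists` output in the format quoted above, applies that reasoning to the af31 and 3389 entries, and also decodes the DSCP field from a raw IPv4 header for the case where a capture does become available. The sample output is constructed from the counters in the post; the function and field names are the example's own.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: the "show access-lists" output quoted in the post,
# with the same counter values.
SAMPLE_ACL_OUTPUT = """\
Extended IP access list 123
    10 permit ip any any dscp ef log
    20 permit ip any any dscp af31 log (374 matches)
    25 permit tcp any any eq 3389 log (73487 matches)
    30 permit ip any any (43612 matches)
"""

# DSCP code points from RFC 2474 (CS), RFC 2597 (AF) and RFC 3246 (EF).
DSCP_NAMES = {
    0: "default", 8: "cs1", 16: "cs2", 24: "cs3", 32: "cs4", 40: "cs5",
    48: "cs6", 56: "cs7", 10: "af11", 12: "af12", 14: "af13", 18: "af21",
    20: "af22", 22: "af23", 26: "af31", 28: "af32", 30: "af33", 34: "af41",
    36: "af42", 38: "af43", 46: "ef",
}

# One ACE line: sequence, action, match text, optional "(N matches)" suffix.
_ACE_RE = re.compile(
    r"^\s*(\d+)\s+(permit|deny)\s+(.*?)(?:\s+\((\d+) matches\))?\s*$"
)


@dataclass
class Ace:
    seq: int
    action: str
    text: str
    matches: int


def parse_acl_counters(output: str) -> list[Ace]:
    """Parse IOS 'show access-lists' output into ACEs with hit counters."""
    aces: list[Ace] = []
    for line in output.splitlines():
        m = _ACE_RE.match(line)
        if not m:
            continue  # the "Extended IP access list" header or unrelated lines
        seq, action, text, matches = m.groups()
        aces.append(Ace(int(seq), action, text.strip(), int(matches or 0)))
    return aces


def marking_check(aces: list[Ace], marked_text: str = "dscp af31",
                  unmarked_text: str = "eq 3389") -> dict:
    """Apply the post's reasoning to the counters.

    The DSCP ACE must be sequenced before the port ACE; then every hit on the
    port ACE is a packet that reached this interface without the marking.
    The DSCP counter is an upper bound on marked 3389 traffic, because it also
    counts any other af31 traffic present on the link.
    """
    marked = next(a for a in aces if marked_text in a.text)
    unmarked = next(a for a in aces if unmarked_text in a.text)
    if marked.seq >= unmarked.seq:
        raise ValueError("DSCP ACE must precede the port ACE for this test")
    total = marked.matches + unmarked.matches
    return {
        "marked": marked.matches,
        "unmarked": unmarked.matches,
        "marked_fraction": marked.matches / total if total else 0.0,
        "marking_works": unmarked.matches == 0,
    }


def dscp_from_ipv4_header(header: bytes) -> tuple[int, str]:
    """Return (dscp, name) from an IPv4 header.

    The second header byte is the old ToS byte: its top six bits are the DSCP
    and the low two bits are ECN, so af31 (26) appears on the wire as 0x68.
    """
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    dscp = header[1] >> 2
    return dscp, DSCP_NAMES.get(dscp, f"cp{dscp}")


if __name__ == "__main__":
    result = marking_check(parse_acl_counters(SAMPLE_ACL_OUTPUT))
    print(result)
    # Constructed 20-byte header with ToS byte 0x68 (af31, ECN 00).
    print(dscp_from_ipv4_header(bytes([0x45, 0x68]) + bytes(18)))
```

Run against the post's counters the check reports `marking_works: False` with roughly half a percent of the RDP-or-af31 total carrying af31, which is the same conclusion the post draws by eye. Clear the counters before sampling, as the post does, so the numbers reflect only the current policy.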