
QOS police issue and question

I have a star network with multiple L2L tunnels. I am trying to give priority to RDP (3389) traffic. The following is the config that I am trying to use:

hostname(config)#class-map RDP_Pri
hostname(config-cmap)#description "This class-map matches all RDP traffic for 1XX.XXX.XXX.XXX 1"
hostname(config-cmap)#match port tcp eq 3389
hostname(config-cmap)#match tunnel-group 1XX.XXX.XXX.XXX
hostname(config-cmap)#class-map RDP_BestEffort
hostname(config-cmap)#description "This class-map matches all best-effort traffic for 1XX.XXX.XXX.XXX"
hostname(config-cmap)#match tunnel-group 1XX.XXX.XXX.XXX
hostname(config-cmap)#match flow ip destination-address
hostname(config-cmap)#policy-map QOS
hostname(config-pmap)#class RDP_Pri
hostname(config-pmap-c)#priority
hostname(config-pmap-c)#class RDP_BestEffort
hostname(config-pmap-c)#police output 200000 37500
hostname(config-pmap-c)#class class-default
hostname(config-pmap-c)#police output 1000000 37500
hostname(config-pmap-c)#service-policy QOS interface outside
hostname(config)#priority-queue outside
hostname(config-priority-queue)#queue-limit 2048
hostname(config-priority-queue)#tx-ring-limit 256

When I get to the command:

police output 200000 37500

I get the following error message:

ERROR: Must deconfigure priority in this class before issuing this command

ERROR: tunnel-group can only be policed on a flow basis

Questions:

1. Why do I need to deconfigure priority? How would I do this?

2. Other than the errors, does this config look good? Can it be made better?

Thanks

1 REPLY
Cisco Employee

Re: QOS police issue and question

Hi,

I'm not a PIX/ASA expert, but a priority queue can't be policed, so you have to choose. If you remove the policer, the second error message should also disappear.

If you want to keep the policer, you need the match flow ip destination-address command in the class-map.

HTH

Laurent.
