05-17-2005 08:57 AM - edited 03-02-2019 10:48 PM
Hi,
I would like to allow some users full access to internal servers, but only provide them with 2 Mbps access to the Internet. As far as I understand I cannot use the deny statement when defining the access-list for the class-map and therefore I am asking for your help. (The config below works well for rate-limiting all traffic, but I would need full access for traffic matching access-list 111):
access-list 111 remark [ Traffic not to be rate limited ]
access-list 111 permit ip 10.0.0.0 0.255.255.255 192.168.0.0 0.0.255.255
access-list 112 remark [ Traffic to be rate limited ]
access-list 112 permit ip 10.0.0.0 0.255.255.255 any
class-map match-all Internet-Class
match access-group 112
policy-map Internet
description [ Rate limit Internet access ]
class Internet-Class
police 2000000 65536 exceed-action drop
interface FastEthernet0/1
service-policy input Internet
interface FastEthernet0/24
service-policy input Internet
Any help would be very appreciated!
Regards,
Harald
05-17-2005 01:33 PM
I'm not sure if you forgot it, but you need to call ACL 111:
class-map match-all local_traffic
match access-group 111
!
policy-map Internet
class local_traffic
police 98000000 65536
!
And in case you don't have it already:
Hope this helps,
-Mark Turpin
05-17-2005 11:46 PM
Thanks for your reply Mark!
However, when I try to add the local_traffic map to the policy map I get the following error:
Error:Class-map has a different mask than the Policymap
If I change the access-list to something like:
access-list 112 remark [ Traffic to be rate limited ]
access-list 112 permit ip 10.0.0.0 0.255.255.255 172.16.0.0 0.0.255.255
then I am able to put both class statements in the policy-map, but I would like to use "any" since it is traffic bound for the Internet.
Is it possible to do this in some way?
Thanks again for your help!
Regards,
Harald
05-18-2005 01:17 AM
Hi Harald,
As far as I understand class-maps, you can use deny statements in ACLs for class-maps... A deny in an ACL simply tells the class-map that this kind of traffic does not match.
regards,
Sebastian
05-18-2005 01:36 AM
Thanks for your reply Sebastian!
Unfortunately, the Catalyst 2950 QoS configuration document states that "Deny statements are not supported for QoS ACLs", which I noted when I could not define them on the switch.
Regards,
Harald
05-18-2005 04:51 AM
Harald,
Can you paste your config again? It sounds as if you're trying to call two different ACLs or "masks", as your error indicates.
Thanks,
Mark Turpin
05-18-2005 05:07 AM
Thanks again for the reply!
My "working" configuration is as follows:
access-list 111 remark [ Traffic not to be rate limited ]
access-list 111 permit ip 10.0.0.0 0.255.255.255 192.168.0.0 0.0.255.255
access-list 112 remark [ Traffic to be rate limited ]
access-list 112 permit ip 10.0.0.0 0.255.255.255 172.16.0.0 0.0.255.255
class-map match-all Local-Class
match access-group 111
class-map match-all Internet-Class
match access-group 112
policy-map Internet-Policy
description [ Rate limit Internet access ]
class Internet-Class
police 2000000 65536 exceed-action drop
class Local-Class
police 98000000 65536
interface FastEthernet0/1
description [ Local LAN facing interface ]
service-policy input Internet-Policy
interface FastEthernet0/24
description [ Internet facing interface ]
service-policy input Internet-Policy
However, I would like to change "172.16.0.0 0.0.255.255" in access-list 112 to "any" since it should apply to all Internet traffic. If I try to do that I get the mask error I previously mentioned.
Regards,
Harald
05-18-2005 05:37 AM
Just out of curiosity, tell me what "show mls masks" tells you.
I have a feeling that the 2950 is looking at the 10/8 -> 192.168/16 and 10/8 -> any statements as overlapping.
Let's assume you have 10.15.x.x as your network. What happens if you leave ACL111 as is, and rewrite ACL112 as:
access-list 112 remark [ Traffic to be rate limited]
access-list 112 permit ip 10.15.0.0 0.0.255.255 any
Let me know what you find out! :)
-Mark
05-18-2005 06:30 AM
I tried to change the access-list 112 as you suggested, but I still got the "mask error" when trying to define the policy.
The "show mls masks" gives (with only Local-Class in the policy-map):
Mask1
Type : qos
Fields : ip-sa(255.0.0.0), ip-da(255.255.0.0)
Policymap : Internet-Policy
Interfaces : Fa0/1, Fa0/24
Regards,
Harald
05-18-2005 07:40 AM
You will probably want to open a TAC case to confirm. I'm guessing that we're hitting a wall when we call the 'any' keyword, which is mixing masks. You can't mix masks inside the same policy, and I am guessing that the any mask falls into a system mask, and your other ACL is a user-defined mask.
Only one other thing I can think of to try: put the policy only on f0/1 - your ingress interface and see if it makes a difference.
If changing the interface the policy is applied to does not help, I'd try calling the TAC :)
Sorry I couldn't help more, here's a URL I've been referencing:
-Mark
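A pre-check, added here and not from the thread or from Cisco, that mirrors the one-mask-pair-per-policy constraint Mark describes: it parses ACLs, class-maps and a policy-map in the thread's format and returns the set of source/destination mask pairs the policy would need, so a mixed set (the "any" case) is caught before the switch rejects the class. The sample config is constructed from the thread's posts; that the switch needs exactly one mask pair per policy is an assumption taken from the discussion, not a verified hardware rule.

```python
from collections import defaultdict

# Constructed sample in the thread's format: ACL 112 uses "any", ACL 111 a /16 destination.
SAMPLE_CONFIG = """
access-list 111 permit ip 10.0.0.0 0.255.255.255 192.168.0.0 0.0.255.255
access-list 112 permit ip 10.0.0.0 0.255.255.255 any
class-map match-all Local-Class
 match access-group 111
class-map match-all Internet-Class
 match access-group 112
policy-map Internet-Policy
 class Internet-Class
 class Local-Class
"""

def wildcard_to_mask(wildcard):
    # Wildcard bits are the inverse of mask bits: 0.255.255.255 -> 255.0.0.0
    return ".".join(str(255 - int(o)) for o in wildcard.split("."))

def operand_mask(tokens):
    # "any" ignores every bit (mask 0.0.0.0); otherwise the operand is "A.B.C.D W.W.W.W"
    if tokens[0] == "any":
        return "0.0.0.0", 1
    return wildcard_to_mask(tokens[1]), 2

def policy_masks(config, policy_name):
    # Set of (src-mask, dst-mask) pairs the policy-map needs; assumed: one pair per policy
    acl_masks, class_acl, policy_classes = defaultdict(set), {}, defaultdict(list)
    section = None
    for line in config.splitlines():
        t = line.split()
        if not t or t[0] == "!":
            continue
        if t[0] == "access-list" and t[2] == "permit":
            src, n = operand_mask(t[4:])          # tokens after "permit ip"
            dst, _ = operand_mask(t[4 + n:])
            acl_masks[t[1]].add((src, dst))
        elif t[0] == "class-map":
            section = ("class", t[-1])
        elif t[0] == "match" and section and section[0] == "class":
            class_acl[section[1]] = t[-1]          # numbered or "name X" form
        elif t[0] == "policy-map":
            section = ("policy", t[1])
        elif t[0] == "class" and section and section[0] == "policy":
            policy_classes[section[1]].append(t[1])
    masks = set()
    for cls in policy_classes[policy_name]:
        masks |= acl_masks.get(class_acl.get(cls), set())
    return masks
```

More than one pair in the returned set means the policy mixes masks; rewriting the "any" destination as a specific network with the same wildcard as ACL 111 collapses it to one pair, which is the behaviour Harald reported.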
05-18-2005 10:29 PM
Only applying the policy to one interface unfortunately did not solve the problem either.
I will try to find another solution to the problem.
Thanks again for your help!
Regards,
Harald
07-10-2005 02:34 AM
Hi, I have a Cisco 2950EI and while the rate limiting is good in ingress, I wanted to also blend in prioritization in the priority queue. However, in the policy map I would like to make bsd10 traffic low priority, while the rest is high. I typed some stuff into the 2950 'policy-map bsd10' but I am not sure how these rules behave:
!
!
class-map match-all match-any
match access-group 1
class-map match-all bsd10only
match access-group name bsd10
class-map match-all bsd10
match access-group name bsd10
!
!
policy-map 8Mbps
class match-any
police 16000000 32768 exceed-action drop
set ip dscp 56
policy-map bsd10
class match-any
police 11000000 32768 exceed-action drop
set ip dscp 8
class bsd10
set ip dscp 8
police 17000000 32768 exceed-action drop
!