11-11-2013 07:50 PM - edited 03-04-2019 09:33 PM
I know this has been asked to death, but I cannot get this to work.
The setup: Cisco 3750. Multiple LAN ports and one WAN port.
The request: mark all RDP traffic from the LAN as AF31.
The commands I used:
! Match RDP (TCP/3389) from any source to any destination
access-list 180 permit tcp any any eq 3389
!
class-map match-all RDP-TRAFFIC
 match access-group 180
!
! Re-mark matched RDP traffic to AF31
policy-map SETDSCP-EF
 class RDP-TRAFFIC
  set dscp af31
!
! WAN-facing port: keep the DSCP already in the packet
int *Wan
 mls qos trust dscp
!
! LAN-facing port(s): classify and mark on ingress
int *lan
 service-policy input SETDSCP-EF
I thought it was working, using the command "show mls qos int * statistic" I could see traffic in the queues incrementing, then I wanted to check further and am now convinced it's not working. (When I remove all my rewrite config I still get a bit of traffic in the queues so that is no longer a valid test.)
I was not able to sniff the packets with an analyzer because it's a remote site, so what I did instead was put an access-list on the interface as follows (in both directions, in and out):
access-list 123 permit ip any any dscp ef log
access-list 123 permit ip any any dscp af31 log
access-list 123 permit tcp any any eq 3389 log
access-list 123 permit ip any any
That clearly told me it wasn't working, I cleared the access-list counters, left it for a while and got this:
Extended IP access list 123
10 permit ip any any dscp ef log
20 permit ip any any dscp af31 log (374 matches)
25 permit tcp any any eq 3389 log (73487 matches)
30 permit ip any any (43612 matches)
Now the access list is sequential, so I should see zero hits against my 3389 rule and a ton against the af31 rule, because anything that is 3389 should also be marked as af31 and match the first statement. But I am seeing a lot of traffic that is 3389 that does not have af31 set.
I tried removing the service policy off the physical interface and onto the vlan instead but I see the same results!
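The ordered-ACL test above (a "dscp af31" line placed before the "eq 3389" line, so correctly marked RDP hits the first line and only unmarked RDP falls through to the second) is easy to turn into a repeatable check. The following is an added example, not part of the original post: it parses the counter output of "show access-lists" as quoted above and reports how much RDP traffic is arriving unmarked. The sample output is constructed from the thread's own numbers; the ACE patterns are passed in by the caller.

```python
"""Check a DSCP marking policy from 'show access-lists' counters.

Logic: if an ACE matching the already-marked traffic ('dscp af31')
precedes an ACE matching the traffic type being marked ('eq 3389'),
then every hit on the second ACE is a packet of that type that was
NOT marked. A working policy yields zero hits there.
"""
import re

# Constructed sample, copied from the counters quoted in the thread.
SAMPLE = """Extended IP access list 123
    10 permit ip any any dscp ef log
    20 permit ip any any dscp af31 log (374 matches)
    25 permit tcp any any eq 3389 log (73487 matches)
    30 permit ip any any (43612 matches)
"""

# seq, action, ACE body, optional "(N matches)" suffix
LINE_RE = re.compile(
    r"^\s*(\d+)\s+(permit|deny)\s+(.*?)(?:\s+\((\d+) matches\))?\s*$"
)


def parse_acl_counters(text):
    """Return a list of (seq, action, body, matches) tuples, one per ACE.

    Header lines (e.g. 'Extended IP access list 123') are skipped; an ACE
    with no '(N matches)' suffix has zero hits.
    """
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        seq, action, body, hits = m.groups()
        entries.append((int(seq), action, body, int(hits) if hits else 0))
    return entries


def marking_verdict(entries, marked_pattern, unmarked_pattern):
    """Compare hits on the 'already marked' ACE with hits on the ACE that
    catches the same traffic type when it is unmarked.

    marked_pattern / unmarked_pattern are substrings of the ACE body, e.g.
    'dscp af31' and 'eq 3389'. Raises ValueError if the ACEs are not in
    the order the test relies on (marked line must come first).
    """
    marked = [e for e in entries if marked_pattern in e[2]]
    unmarked = [e for e in entries if unmarked_pattern in e[2]]
    if not marked or not unmarked:
        raise ValueError("ACL does not contain both test lines")
    if min(e[0] for e in marked) > min(e[0] for e in unmarked):
        raise ValueError("marked ACE must precede the unmarked ACE")

    marked_hits = sum(e[3] for e in marked)
    unmarked_hits = sum(e[3] for e in unmarked)
    total = marked_hits + unmarked_hits
    return {
        "marked": marked_hits,
        "unmarked": unmarked_hits,
        "marked_fraction": (marked_hits / total) if total else None,
        # Working means traffic was seen and none of it arrived unmarked.
        "working": total > 0 and unmarked_hits == 0,
    }


if __name__ == "__main__":
    verdict = marking_verdict(parse_acl_counters(SAMPLE), "dscp af31", "eq 3389")
    print(verdict)
```

Clear the counters first ("clear access-list counters") so the figures reflect only the observation window, and run the same ACL on the ingress side of the LAN port as well as the egress side of the WAN port: if the ingress copy already shows af31 hits, something upstream is marking before the switch does.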
11-11-2013 10:46 PM
Where is the ACL applied? It could be seeing the traffic before the marking takes place. If show mls qos interface statistics says that the counters are increasing then I would trust that.
If you control the WAN side you could apply a policy map that does nothing but only counts the packets. Something like:
class-map AF31_COUNT
 match ip dscp af31
!
policy-map PM_COUNT
 class AF31_COUNT
 class class-default
!
int x
 service-policy input PM_COUNT
Daniel Dib
CCIE #37149
11-12-2013 01:03 PM
QoS is enabled:
sh mls qos
QoS is enabled
QoS ip packet dscp rewrite is enabled
The set dscp policy is applied incoming on the LAN interface, and the ACL is applied outgoing on the WAN interface, so I expect that the packets should be rewritten in the middle of that.
The mls counters increase even with all my config removed though, so that's why I can't trust them. Some application must also be marking packets on the LAN. The WAN interface goes directly to a service provider NID so I can't do anything on that side unfortunately.
The real problem is, after marking the traffic the user still gets poor RDP performance across the WAN (the WAN provider is QoS enabled and honors our markings).
11-12-2013 02:24 AM
Is QoS enabled on the switch?