05-24-2012 02:48 AM - edited 03-04-2019 04:27 PM
Basically, I am having issues with my access-list on a QoS policy. Doing a telnet/ssh session through this interface to the router, I expect to see marking AF21. It doesn't, though; it marks it AF41. It is almost as if the policy-map doesn't like matching the protocol: if I remove "permit ip tcp any any eq www" it marks it AF31, which should only be SMTP traffic. It just seems to match the "permit tcp any any" portion and ignore the destination port.
The router is an ME3800X and the port is a trunk port; traffic enters/leaves by the same interface, though it makes no difference if I telnet to the router or to hosts through the router:
interface GigabitEthernet0/4
switchport trunk allowed vlan 2-101,104-4094
switchport mode trunk
mtu 2000
speed nonegotiate
no cdp enable
no vtp
spanning-tree bpdufilter enable
service-policy input EFM-IN
service-policy output UPLINKS
policy-map EFM-IN
class CS7
set ip dscp CS7
set mpls exp top 6
class EF
set ip dscp EF
set mpls exp top 5
class AF41
set ip dscp AF41
set mpls exp top 4
class AF31
set ip dscp AF31
set mpls exp top 3
class AF21
set ip dscp AF21
set mpls exp top 2
class AF11
set ip dscp AF11
set mpls exp top 1
class class-default
set mpls exp top 0
set ip dscp default
class-map match-any CS7
match access-group name CS7
class-map match-any EF
match access-group name EF
class-map match-any AF11
match access-group name AF11
class-map match-any AF21
match access-group name AF21
class-map match-any AF31
match access-group name AF31
class-map match-any AF41
match access-group name AF41
[greyed out a couple of values]
ip access-list extended CS7
permit ip host xxx.xxx xxx.xxx
ip access-list extended EF
permit ip any xxx.xxx.0.0 0.0.15.2
permit ip any xxx.xxx.6.0 0.0.0.25
permit ip any xxx.xxx.64.0 0.0.63.255
permit ip any xxx.xxx.0.0 0.0.255.255
ip access-list extended AF41
permit tcp any any eq www
ip access-list extended AF31
permit tcp any any eq smtp
ip access-list extended AF21
permit tcp any any eq 22
permit tcp any any eq 23
ip access-list extended AF11
permit tcp any any eq ftp
permit tcp any any eq ftp-data
Any ideas greatly appreciated!
Nicholas
05-24-2012 07:25 AM
Hello Nicholas,
according to the configuration guide for the ME3600/ME3800, you need a global command to be able to match on layer 4 ports.
In addition to this, there is a limitation of a maximum of 8 port matching operations per interface on received traffic:
>> To enable layer 4 port matching on the switch, use the platform qos enable layer4-port-match command.
You may need to review your QoS policy taking into account the per-interface L4 port matching limitation.
Hope to help
Giuseppe
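Giuseppe's answer makes two checkable claims: the global command must be present before L4 port matches in the ACLs do anything, and an ingress policy may use at most 8 port-match operations per interface. The script below is an added example, not from the thread and not Cisco tooling: it parses a pasted running-config, follows interface -> service-policy input -> class-map -> access-group -> ACEs, counts the port operators and reports both problems. The sample config is reconstructed from the post with the redacted addresses replaced by documentation-range ones, and the counting rule (every eq/neq/lt/gt/range operator in an ACE is one port-match operation) is an assumption about how the platform counts, not something the thread states.

```python
import re

# Constructed sample input: the parts of the posted running-config that the audit
# needs, with the poster's redacted addresses replaced by 192.0.2.x. It deliberately
# omits the global "platform qos enable layer4-port-match" line, as the post did.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/4
 switchport mode trunk
 service-policy input EFM-IN
 service-policy output UPLINKS
!
policy-map EFM-IN
 class CS7
 class AF41
 class AF31
 class AF21
 class AF11
 class class-default
!
class-map match-any CS7
 match access-group name CS7
class-map match-any AF41
 match access-group name AF41
class-map match-any AF31
 match access-group name AF31
class-map match-any AF21
 match access-group name AF21
class-map match-any AF11
 match access-group name AF11
!
ip access-list extended CS7
 permit ip host 192.0.2.1 host 192.0.2.2
ip access-list extended AF41
 permit tcp any any eq www
ip access-list extended AF31
 permit tcp any any eq smtp
ip access-list extended AF21
 permit tcp any any eq 22
 permit tcp any any eq 23
ip access-list extended AF11
 permit tcp any any eq ftp
 permit tcp any any eq ftp-data
"""

L4_GLOBAL_CMD = "platform qos enable layer4-port-match"
MAX_INGRESS_PORT_OPS = 8  # per-interface ingress limit cited in the answer above
# Assumption: each eq/neq/lt/gt/range operator in an ACE is one port-match operation.
PORT_OP_RE = re.compile(r"\b(?:eq|neq|lt|gt|range)\b")


def parse_sections(config):
    """Split IOS config text into (header, [indented child lines]) blocks."""
    sections = []
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip() == "!":
            continue
        if line[0].isspace():
            if sections:
                sections[-1][1].append(line.strip())
        else:
            sections.append((line.strip(), []))
    return sections


def count_port_ops(acl_lines):
    """Number of L4 port-match operations in an ACL body."""
    return sum(len(PORT_OP_RE.findall(l)) for l in acl_lines)


def audit_ingress_l4(config):
    """Return (l4_global_enabled, {interface: {policy, port_ops, findings}})."""
    sections = parse_sections(config)
    l4_enabled = any(h == L4_GLOBAL_CMD for h, _ in sections)
    acls = {h.split()[-1]: body for h, body in sections if h.startswith("ip access-list ")}
    class_acls = {h.split()[-1]: [l.split()[-1] for l in body if l.startswith("match access-group name ")]
                  for h, body in sections if h.startswith("class-map ")}
    policies = {h.split()[-1]: [l.split()[-1] for l in body if l.startswith("class ")]
                for h, body in sections if h.startswith("policy-map ")}
    report = {}
    for h, body in sections:
        if not h.startswith("interface "):
            continue
        for l in body:
            m = re.match(r"service-policy input (\S+)$", l)
            if not m:
                continue
            pol = m.group(1)
            ops = sum(count_port_ops(acls.get(acl, []))
                      for cls in policies.get(pol, [])
                      for acl in class_acls.get(cls, []))
            findings = []
            if ops and not l4_enabled:
                findings.append(f"'{L4_GLOBAL_CMD}' not configured; L4 port matches will not take effect")
            if ops > MAX_INGRESS_PORT_OPS:
                findings.append(f"{ops} ingress port-match ops exceed the limit of {MAX_INGRESS_PORT_OPS}")
            report[h.split(" ", 1)[1]] = {"policy": pol, "port_ops": ops, "findings": findings}
    return l4_enabled, report


if __name__ == "__main__":
    enabled, report = audit_ingress_l4(SAMPLE_CONFIG)
    print(f"{L4_GLOBAL_CMD}: {'present' if enabled else 'MISSING'}")
    for ifname, r in report.items():
        print(f"{ifname}: policy {r['policy']}, {r['port_ops']} L4 port-match ops")
        for f in r["findings"]:
            print("  -", f)
```

Run against the posted config it reports the missing global command and 6 port-match operations on GigabitEthernet0/4 (one each for www and smtp, two for 22/23, two for ftp/ftp-data), so the policy fits under the 8-operation limit once the global command is added. The counter is per ACE operator rather than per ACE on purpose: an entry such as "permit tcp any eq 1024 any range 80 81" consumes two operations, which is where the limit bites first when source and destination ports are both matched.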
05-24-2012 12:19 PM
Thanks for this, I should've read the guide more closely. Still, only 8 layer 4 matches per interface... they need to work on the IOS for this kit, I think.
Thanks
Nicholas