
Quality of service - access-list problem?

Basically, I am having issues with my access-list on a QoS policy. Doing a telnet/ssh session through this interface to the router, I expect to see marking AF21. It doesn't though, it marks it AF41. It is almost as if the policy-map doesn't like matching the protocol; if I remove "permit ip tcp any any eq www" it marks it AF31 - which should only be smtp traffic... it just seems to match the "permit tcp any any" portion and ignore the destination port...

The router is an ME3800X and the port is a trunk port, and traffic enters/leaves by the same interface - though it makes no difference if I telnet to the router or to hosts through the router:

interface GigabitEthernet0/4
 switchport trunk allowed vlan 2-101,104-4094
 switchport mode trunk
 mtu 2000
 speed nonegotiate
 no cdp enable
 no vtp
 spanning-tree bpdufilter enable
 service-policy input EFM-IN
 service-policy output UPLINKS

policy-map EFM-IN
 class CS7
  set ip dscp CS7
  set mpls exp top 6
 class EF
  set ip dscp EF
  set mpls exp top 5
 class AF41
  set ip dscp AF41
  set mpls exp top 4
 class AF31
  set ip dscp AF31
  set mpls exp top 3
 class AF21
  set ip dscp AF21
  set mpls exp top 2
 class AF11
  set ip dscp AF11
  set mpls exp top 1
 class class-default
  set mpls exp top 0
  set ip dscp default

class-map match-any CS7
 match access-group name CS7
class-map match-any EF
 match access-group name EF
class-map match-any AF11
 match access-group name AF11
class-map match-any AF21
 match access-group name AF21
class-map match-any AF31
 match access-group name AF31
class-map match-any AF41
 match access-group name AF41

[greyed out a couple of values]

ip access-list extended CS7
 permit ip host xxx.xxx xxx.xxx
ip access-list extended EF
 permit ip any xxx.xxx.0.0 0.0.15.2
 permit ip any xxx.xxx.6.0 0.0.0.25
 permit ip any xxx.xxx.64.0 0.0.63.255
 permit ip any xxx.xxx.0.0 0.0.255.255
ip access-list extended AF41
 permit tcp any any eq www
ip access-list extended AF31
 permit tcp any any eq smtp
ip access-list extended AF21
 permit tcp any any eq 22
 permit tcp any any eq 23
ip access-list extended AF11
 permit tcp any any eq ftp
 permit tcp any any eq ftp-data

Any ideas greatly appreciated!

Nicholas

Accepted Solutions

Hello Nicholas,

According to the configuration guide for the ME3600-ME3800, you need a global command to be able to match on layer 4 ports.

In addition to this, there is a limitation of a maximum of 8 port matching operations per interface on received traffic.

>>

To enable layer 4 port matching on the switch use the

platform qos enable layer4-port-match

command.

See

http://www.cisco.com/en/US/docs/switches/metro/me3600x_3800x/software/release/15.2_2_S/configuration/guide/swqos.html#wp1000748

You may need to review your QoS policy, taking into account the per-interface L4 port matching limitation.

Hope to help

Giuseppe
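
A way to check a saved configuration against the two points in the answer above, added here as an example (it is not part of the original posts and is not a Cisco tool). It assumes an indented `show running-config` style file and that each tcp/udp permit entry with a port operator counts as one port matching operation; `audit`, `stanzas` and `refs` are hypothetical helper names.

```python
import re

L4_LIMIT = 8  # per-interface ingress limit quoted in the answer
ENABLE_CMD = "platform qos enable layer4-port-match"
# Assumption: each tcp/udp permit entry with a port operator counts once.
PORT_OP = re.compile(r"^permit\s+(tcp|udp)\b.*\s(eq|neq|gt|lt|range)\s")

# Constructed sample, trimmed from the configuration in the question.
SAMPLE = """\
interface GigabitEthernet0/4
 service-policy input EFM-IN
policy-map EFM-IN
 class AF21
 class class-default
class-map match-any AF21
 match access-group name AF21
ip access-list extended AF21
 permit tcp any any eq 22
 permit tcp any any eq 23
"""

def stanzas(config):
    """Map each unindented line to the indented sub-commands under it."""
    out, parent = {}, None
    for line in filter(str.strip, config.splitlines()):
        if not line[0].isspace():
            parent = line.strip()
            out.setdefault(parent, [])
        elif parent:
            out[parent].append(line.strip())
    return out

def refs(body, prefix):  # last word of each sub-command starting with prefix
    return [b.split()[-1] for b in body if b.startswith(prefix)]

def audit(config):
    """Return {interface: (l4_match_count, globally_enabled, within_limit)}."""
    s = stanzas(config)
    cmaps = {h.split()[-1]: b for h, b in s.items() if h.startswith("class-map ")}
    report = {}
    for head, body in s.items():
        if head.startswith("interface "):
            acls = [a for p in refs(body, "service-policy input ")
                    for c in refs(s.get("policy-map " + p, []), "class ")
                    for a in refs(cmaps.get(c, []), "match access-group name ")]
            n = sum(bool(PORT_OP.match(e)) for a in acls
                    for e in s.get("ip access-list extended " + a, []))
            report[head.split()[1]] = (n, ENABLE_CMD in s, n <= L4_LIMIT)
    return report
```

An interface that reports port matches with the second field `False` corresponds to the situation in the question: layer 4 matches are configured but the global command is absent.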


Thanks for this, I should've read the guide closer. Still, only 8 layer 4 matches per interface... they need to work on the IOS for this kit I think.

Thanks

Nicholas