ASR QoS Class based policy not working as expected

manugarg19
Level 1

Hi All,

I configured an ASR with the following QoS:

ip access-list ext AF4
 permit ip 10.0.0.0 255.255.255.0 any

ip access-list extended 197
 permit ip any host 20.0.0.2

class-map match-all AF4_include
 match not access-group 197

class-map match-any AF4_output
 match class-map AF4_include
 match access-group name AF4

policy-map child
 class AF4_output
  set dscp af41
 class class-default

policy-map parent
 class class-default
  service-policy child

As per my understanding, QoS should only match the AF4 ACL entry and mark them with AF41.

However, all the packets, including those not in the ACL AF4, are classified and marked as AF41.

Any help to understand what has been done wrong?

Thanks in advance for help!!

Rgds

MG

1 Accepted Solution

Hello @manugarg19,

>> all packets not matching ACL 197 are a match for class-map -- will there be further lookup for ACL AF4?

I was referring to the child class-map called AF4_include, which is then invoked in class-map AF4_output, which uses match-any, that is, a logical OR between (not matching ACL 197) OR (matching ACL named AF4).

The further lookup for ACL AF4 is meaningful only for packets matching ACL 197; in that case the AF4 ACL can decide the packet is a match if it is sourced from subnet 10.0.0.0/24.

Only one match is enough.

The final part does not change.

Hope to help

Giuseppe

With match any all criteria must match at the same time.

Coming to your last post:

class-map match-all AF4_include
 match not access-group 197
 match not access-group 198

becomes

class-map match-all AF4_include
 match not access-group 197 198

because an OR operator is used for similar matches, so packets not matching ACL 197 or not matching ACL 198 are a match for this class-map.

4 Replies

Giuseppe Larosa
Hall of Fame

Hello @manugarg19,

All packets not matching ACL 197 are a match for the class-map:

ip access-list extended 197
 permit ip any host 20.0.0.2

class-map match-all AF4_include
 match not access-group 197

class-map match-any AF4_output
 match class-map AF4_include
 match access-group name AF4

So class-map AF4_output will mark with DSCP AF41 all packets not matching ACL 197 or packets matching named ACL AF4.

Hope to help

Giuseppe
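
The match logic described in the reply above, modelled in Python as an added example that is not part of the original thread and is not IOS code. The sample packets are constructed, ACL AF4 is read as "source in 10.0.0.0/24", and `af4_strict` is a hypothetical variant that assumes the intent was to mark only AF4 traffic not matching ACL 197.

```python
from ipaddress import ip_address, ip_network


def acl_197(p):
    # permit ip any host 20.0.0.2
    return p["dst"] == ip_address("20.0.0.2")


def acl_af4(p):
    # ACL AF4, read as "source in 10.0.0.0/24" (assumption, see lead-in)
    return p["src"] in ip_network("10.0.0.0/24")


def af4_include(p):
    # class-map match-all AF4_include / match not access-group 197
    return all([not acl_197(p)])


def af4_output(p):
    # class-map match-any AF4_output: AF4_include OR ACL AF4
    return any([af4_include(p), acl_af4(p)])


def af4_strict(p):
    # Hypothetical variant, not from the thread: AF4 AND (not ACL 197)
    return all([acl_af4(p), not acl_197(p)])


def pkt(src, dst):
    return {"src": ip_address(src), "dst": ip_address(dst)}


# Constructed sample packets (documentation address ranges for non-LAN hosts)
SAMPLES = {
    "lan_to_other": pkt("10.0.0.5", "192.0.2.10"),
    "ext_to_other": pkt("198.51.100.9", "192.0.2.10"),
    "lan_to_20.0.0.2": pkt("10.0.0.5", "20.0.0.2"),
    "ext_to_20.0.0.2": pkt("198.51.100.9", "20.0.0.2"),
}


def marked(classifier):
    """Names of the sample packets the child policy would mark AF41."""
    return sorted(name for name, p in SAMPLES.items() if classifier(p))


if __name__ == "__main__":
    print("posted config marks     :", marked(af4_output))
    print("match-all variant marks :", marked(af4_strict))
```

With the posted class-maps, the only sample left unmarked is the one that matches ACL 197 and is not sourced from 10.0.0.0/24, which is why nearly all outgoing traffic shows AF41.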

 

 

@Giuseppe Larosa

Thanks for your reply.

all packets not matching ACL 197 are a match for class-map -- will there be further lookup for ACL AF4? I am confused here, as to me it seems like all packets are already matching the class-map and thus dropping further lookup, and that is the reason I am seeing every outgoing packet marked with DSCP AF4.

Can you help me understand how class-map match-all will work with this configuration?

ip access-list ext 198
 permit tcp host 10.16.15.2 eq bgp any
 permit tcp host 10.16.15.2 any eq bgp <<<<<<<<<<<< this is configured WAN IP.

ip access ext 197
 permit ip host 20.0.0.2 any <<<<<<<<<<<<<<<<<<<< it's a device loopback IP.

ip access extended AF4
 10.0.0.0 255.255.255.0 any

class-map match-all AF4_include
 match not access-group 197
 match not access-group 198

class-map match-any AF4_output
 match class-map AF4_include
 match access-group name AF4

Rgds

Manu Garg

@Giuseppe Larosa Thanks for describing it.
