07-07-2010 04:47 AM - edited 03-06-2019 11:55 AM
Hello,
I am trying to classify incoming packets from IP phones using an ACL. My detailed config is shown below. However, when I use Wireshark and check packets arriving from the IP phone, it shows DSCP=0. It seems the ACL isn't applied on the access port.
FYI, I used the QoS practice document for the configuration.
!!!!!!!!! MQC !!!!!!!!!!!!!!!!!!
class-map match-all DVLAN-PC-VIDEO
 match access-group name DVLAN-PC-VIDEO
class-map match-all VVLAN-CALL-SIGNALING
 match access-group name VVLAN-CALL-SIGNALING
class-map match-all VVLAN-VOICE
 match access-group name VVLAN-VOICE
class-map match-all VVLAN-ANY
 match access-group name VVLAN-ANY
!
policy-map DBL
 class class-default
  dbl
policy-map IPPHONE+PC
 class VVLAN-VOICE
  set ip dscp ef
 class VVLAN-CALL-SIGNALING
  set ip dscp cs3
 class DVLAN-PC-VIDEO
  set ip dscp af41
 class VVLAN-ANY
  set ip dscp default
 class class-default
  set ip dscp default
!!!!!!!!! Access Port config !!!!!!!!!!!
interface GigabitEthernet2/1
 switchport access vlan dynamic
 switchport mode access
 switchport voice vlan 77
 ip arp inspection limit rate 100
 speed auto 10 100
 qos trust device cisco-phone
 tx-queue 3
  priority high
  shape percent 30
 spanning-tree portfast
 spanning-tree bpduguard enable
 spanning-tree guard root
 service-policy input IPPHONE+PC
 service-policy output DBL
 ip verify source vlan dhcp-snooping port-security
!!!!!!!!!! ACL !!!!!!!!!!!!!!!!!
ip access-list extended DVLAN-PC-VIDEO
 permit udp any any range 16384 32767
 permit udp any any range 5445 5446
ip access-list extended VVLAN-ANY
 permit ip 172.10.122.0 0.0.1.255 any
ip access-list extended VVLAN-CALL-SIGNALING
 permit tcp 172.10.122.0 0.0.1.255 any range 2000 2002
ip access-list extended VVLAN-VOICE
 permit udp 172.10.122.0 0.0.1.255 any range 16384 32767
Thanks.
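Added example, not part of the original post and not Cisco code: a small Python model of the IPPHONE+PC policy and its ACLs as posted above, giving the DSCP value a capture should show for a given packet if the input policy were taking effect. It assumes classes are evaluated in configured order with the first match winning; the function names and the sample addresses in the comments are constructed for illustration.

```python
import ipaddress

def ip(addr):
    return int(ipaddress.IPv4Address(addr))

# (base address, wildcard mask) pairs as written in the posted ACLs
VVLAN = ("172.10.122.0", "0.0.1.255")
ANY = ("0.0.0.0", "255.255.255.255")

# ACEs copied from the post: (protocol, source, destination port range or None)
ACLS = {
    "VVLAN-VOICE": [("udp", VVLAN, (16384, 32767))],
    "VVLAN-CALL-SIGNALING": [("tcp", VVLAN, (2000, 2002))],
    "DVLAN-PC-VIDEO": [("udp", ANY, (16384, 32767)), ("udp", ANY, (5445, 5446))],
    "VVLAN-ANY": [("ip", VVLAN, None)],
}

# Class order and "set ip dscp" actions of policy-map IPPHONE+PC
POLICY = [("VVLAN-VOICE", "ef"), ("VVLAN-CALL-SIGNALING", "cs3"),
          ("DVLAN-PC-VIDEO", "af41"), ("VVLAN-ANY", "default")]
DSCP = {"ef": 46, "cs3": 24, "af41": 34, "default": 0}

def wildcard_match(addr, base, wildcard):
    # Wildcard bits set to 1 are "don't care"; all other bits must equal the base
    care = ~ip(wildcard) & 0xFFFFFFFF
    return (ip(addr) ^ ip(base)) & care == 0

def ace_matches(ace, proto, src, dport):
    ace_proto, (base, wildcard), ports = ace
    if ace_proto != "ip" and ace_proto != proto:
        return False
    if not wildcard_match(src, base, wildcard):
        return False
    if ports is not None:
        return dport is not None and ports[0] <= dport <= ports[1]
    return True

def expected_marking(proto, src, dport=None):
    """Return (class name, DSCP decimal) the policy would assign to the packet."""
    for cls, action in POLICY:
        if any(ace_matches(ace, proto, src, dport) for ace in ACLS[cls]):
            return cls, DSCP[action]
    return "class-default", DSCP["default"]

# Constructed sample packets: a phone in the voice subnet and a PC outside it
# expected_marking("udp", "172.10.122.50", 20000) -> ("VVLAN-VOICE", 46)
# expected_marking("udp", "10.1.1.5", 20000)      -> ("DVLAN-PC-VIDEO", 34)
```

Under this model, RTP from a phone in 172.10.122.0 to 172.10.123.255 should appear with DSCP 46, so DSCP 0 on that traffic in a capture means the input policy is not marking it, not that the ACL failed to match.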
07-07-2010 05:11 AM
Hi,
I think you have to enable
"mls qos trust dscp" under the interface.
HTH
Hitesh Vinzoda
Pls rate useful posts
07-07-2010 05:17 AM
Hi,
Yes, I have already tried it.
If I have the two commands below under the interface along with service-policy input IPPHONE+PC, it doesn't mark any traffic at all. However, if I have the two commands below and don't use service-policy input IPPHONE+PC, yes, I can see the marking.
qos trust dscp
qos trust device cisco-phone
Thanks
07-07-2010 05:53 AM
Alright,
What's the goal: trust the marking from the phone
OR
use a policy map or ACL to mark the packets with DSCP?
Because in your ACL you are not matching DSCP bits; you are matching traffic based on Layer 4 info.
HTH
Hitesh Vinzoda
Pls rate useful posts
07-07-2010 06:00 AM
The goal is to conditionally trust the Cisco phone and extend DSCP trust to the phone, and in addition to use the ACL to classify voice and other traffic in the voice VLAN.
I used the SRND for QoS.
Thanks
07-07-2010 06:03 AM
Hi,
Please also see this document.
under Cisco Catalyst 4500/4900 and 4500-E/4900M QoS Design.
I have tried this also, with no success.
Thanks.