QOS ans mac access-list

mohamed louhab · ‎02-07-2013

Hi ,

in switch 2960s ( c2960s-universalk9-mz.122-55.SE5 ) , i want to marking the trafic between two hosts ( Data replication ), i choose to use " mac access-list" to classify my trafic before apply the policy marking . but did'nt work . can you help me plz

! my mac ACL

mac access-list extended test

permit host 000a.1a41.aa52 host 000a.1a41.1bc2

!

class-map match-all test

match access-group name test

!

! marking the trafic between tow hosts

policy-map test

class test

set dscp af32

! i apply the policy in intetface LAN

interface GigabitEthernet1/0/1

switchport mode trunk

service-policy input test

! 0 match in policy

sh policy-map interface gigabitEthernet 1/0/1

GigabitEthernet1/0/1

Service-policy input: test

Class-map: test (match-all)

0 packets, 0 bytes

5 minute offered rate 0 bps, drop rate 0 bps

Match: access-group name test

Class-map: class-default (match-any)

0 packets, 0 bytes

5 minute offered rate 0 bps, drop rate 0 bps

Match: any

0 packets, 0 bytes

5 minute rate 0 bps

! 0 match in mac acl

sh access-lists

Extended MAC access list test

permit host 000a.1a41.aa52 host 000a.1a41.1bc2

thank you ,

Peter Paluch · ‎02-07-2013

Hello Mohamed,

On 2960-S switches, MAC ACLs apply only to non-IP traffic. An IP packet can only be matched by an IP ACL. Therefore, if the data replication traffic is IP-based, you can not use MAC ACLs, rather, you must modify your configuration to use IP ACLs.

Best regards,

Peter

mohamed louhab · ‎02-07-2013

Hello Peter ,

thank you for your reply .

yes , the data replication is IP-based , but the reason why I made mac ACL is that the IP ACL did not work, , i dont' any match in ACL and in Policy-map when i do IP ACL ( really i do the IP-ACL thousand times but in switch I do not understand why it does not work anymore ) .

1 ) is there something to activate in the switch so that it support IP ACL ??

2 ) is what I apply the QOS policy in interface layer 2 or i must applying in layer 3 interface to supporting IP ACL ??

thanak you for your time and help

glenn.newman · ‎02-07-2013

Are these hosts on the same VLAN? It will not work if they aren't as the destination MAC will be the next hop interface and not the destination host.

I recommend doing a port mirror on this port to capture the traffic and verify the MACs and then a port mirror of the port that the traffic is exting out of to see if the DSCP value is set.

Do a "show mls qos" to see the QoS status and trust state.

mohamed louhab · ‎02-08-2013

Hi Glenn ,

yes all the hosts in the some VLAN.

the QOS is enabled in Switch :

SW2960_A#sh mls qos

QoS is enabled

QoS ip packet dscp rewrite is enabled

.

i change the MAC-acl with IP-ACL but i still have the issue !!

thanks ,