Hi,We are using SVI as an

pruthviraj · ‎01-16-2015

Hi,

I do not see packets matching in policy.

output below:

Switch#sh policy-map interface vlan 2232

Vlan2232

Service-policy input: HARDPHONE-VVLAN

Class-map: VOICETRAFFIC (match-all)

0 packets, 0 bytes

5 minute offered rate 0000 bps, drop rate 0000 bps

Match: access-group name VOICETRAFFIC

Class-map: VOICESIGNALING (match-all)

0 packets, 0 bytes

5 minute offered rate 0000 bps, drop rate 0000 bps

Match: access-group name VOICESIGNALING

Class-map: class-default (match-any)

0 packets, 0 bytes

5 minute offered rate 0000 bps, drop rate 0000 bps

Match: any

0 packets, 0 bytes

5 minute rate 0 bps

I also not find packets matching ACL:

switch#sh access-lists

Extended IP access list VIDEOTRAFFIC

10 permit udp any any range 16384 32767

Extended IP access list VOICESIGNALING

10 permit tcp any 10.128.0.0 0.3.255.255 range 2000 2002

20 permit tcp any 10.128.0.0 0.3.255.255 eq 5060

30 permit udp any 10.128.0.0 0.3.255.255 eq 5060

40 permit tcp any 172.20.10.0 0.0.1.255 range 2000 2002

50 permit tcp any 172.20.10.0 0.0.1.255 eq 5060

60 permit udp any 172.20.10.0 0.0.1.255 eq 5060

Extended IP access list VOICETRAFFIC

10 permit udp 10.128.0.0 0.63.255.255 10.128.0.0 0.63.255.255 range 16384 32767

I checked policies, they looks applied correctly.

On SUP-720-10GE, I modified ACL to 'permit udp any any' but not found any matching packets. There are plenty of IP phones connected directly to this switch belongs to voice VLAN. I applied VLAN based QoS under voice VLAN and other VLANs too.

I observed different thing on SUP 2T. I saw packets matching ACL statement 'permit udp any any' but when I took off this line, ACL was not showing packets matching.

OUTPUT of IP phones connected to switch:

switch#sh cdp neighbors | in SEP

SEP0008308A5D7B Gig 13/38 143 H P M IP Phone Port 1

SEP0008308A5DE0 Gig 10/1 121 H P M IP Phone Port 1

SEP0023049C6348 Gig 3/42 152 H P M IP Phone Port 1

SEP0021A02D64D4 Gig 9/28 120 H P M IP Phone Port 1

SEP1C6A7AE0588E Gig 3/9 127 H P M IP Phone Port 1

SEP00229059969E Gig 12/48 166 H P M IP Phone Port 1

SEP0008308AF26F Gig 2/7 161 H P M IP Phone Port 1

SEP00235EB7BE0E Gig 4/2 154 H P M IP Phone Port 1

SEP00229059BE5A Gig 6/37 158 H P M IP Phone Port 1

SEP1CAA07115CF3 Gig 12/29 148 H P M IP Phone Port 1

SEP00235EB7884F Gig 9/3 156 H P M IP Phone Port 1

SEP0008308B03FB Gig 2/30 178 H P M IP Phone Port 1

SEP006440B42CD3 Gig 3/45 132 H P M IP Phone Port 1

SEP0022905991C9 Gig 11/4 145 H P M IP Phone Port 1

SEP0008308A5E6C Gig 6/36 124 H P M IP Phone Port 1

SEP006440B427CA Gig 13/31 170 H P M IP Phone Port 1

SEP006440B425FF Gig 3/19 168 H P M IP Phone Port 1

SEP0008308A7AD7 Gig 2/3 159 H P M IP Phone Port 1

SEP0008308A3EB2 Gig 10/4 132 H P M IP Phone Port 1

SEP002414B45A0E Gig 10/28 170 H P M IP Phone Port 1

SEP04C5A4B19C8B Gig 2/15 162 H P M IP Phone Port 1

SEP006440B43DE6 Gig 9/48 162 H P M IP Phone Port 1

SEP006440B42B0D Gig 9/23 179 H P M IP Phone Port 1

Could anyone please help, how to make sure that packets are hitting correct ACL and policy on 6500 with SUP720-10GE and SUP2T.

Thanks,

Pruthvi

shh5455 · ‎01-19-2015

Can you post your configuration?

pruthviraj · ‎01-22-2015

Please note that 6500 is used as L2 switch only and SVI are used for applying policies only.

------------------------

Configuration below:

-------------------

class-map match-all VOICESIGNALING
match access-group name VOICESIGNALING
class-map match-all VOICETRAFFIC
match access-group name VOICETRAFFIC
class-map match-all VIDEOTRAFFIC
match access-group name VIDEOTRAFFIC

policy-map HARDPHONE-VVLAN
class VOICETRAFFIC
police flow mask src-only 128000 8000 conform-action set-dscp-transmit ef exceed-action drop
class VOICESIGNALING
police flow mask src-only 32000 8000 conform-action set-dscp-transmit cs3 exceed-action policed-dscp-transmit
class class-default
police flow mask src-only 32000 8000 conform-action set-dscp-transmit default exceed-action policed-dscp-transmit
policy-map STUDENT-DVLAN
class class-default
police flow mask src-only 25000000 1562500 conform-action set-dscp-transmit default exceed-action policed-dscp-transmit
policy-map STAFF-DVLAN
class VOICESIGNALING
police flow mask src-only 32000 8000 conform-action set-dscp-transmit cs3 exceed-action policed-dscp-transmit
class VOICETRAFFIC
police flow mask src-only 128000 8000 conform-action set-dscp-transmit ef exceed-action drop
class VIDEOTRAFFIC
police flow mask src-only 2000000 150000 conform-action set-dscp-transmit ef exceed-action drop
class class-default
police flow mask src-only 50000000 1000000 conform-action set-dscp-transmit ef exceed-action drop

ip access-list extended VOICESIGNALING
remark Skinny and SIP protocols From Phones to Voice Core Infrastructure
permit tcp any 10.128.0.0 0.3.255.255 range 2000 2002
permit tcp any 10.128.0.0 0.3.255.255 eq 5060
permit udp any 10.128.0.0 0.3.255.255 eq 5060
permit tcp any 172.20.10.0 0.0.1.255 range 2000 2002
permit tcp any 172.20.10.0 0.0.1.255 eq 5060
permit udp any 172.20.10.0 0.0.1.255 eq 5060
ip access-list extended VOICETRAFFIC
permit udp any any dscp ef
permit udp 10.128.0.0 0.63.255.255 10.128.0.0 0.63.255.255
permit udp any any range 16384 32767 dscp ef
ip access-list extended VOICESIGNALING
remark Skinny and SIP protocols From Phones to Voice Core Infrastructure
permit tcp any 10.128.0.0 0.3.255.255 range 2000 2002
permit tcp any 10.128.0.0 0.3.255.255 eq 5060
permit udp any 10.128.0.0 0.3.255.255 eq 5060
permit tcp any 172.20.10.0 0.0.1.255 range 2000 2002
permit tcp any 172.20.10.0 0.0.1.255 eq 5060
permit udp any 172.20.10.0 0.0.1.255 eq 5060
ip access-list extended VIDEOTRAFFIC
permit udp any any range 16384 32767 dscp ef

interface Vlan104
description PolicyOnlyInt
no ip address
service-policy input STAFF-DVLAN
!
interface Vlan105
description PolicyOnlyInt
no ip address
service-policy input STAFF-DVLAN
!
interface Vlan573
description PolicyOnlyInt
no ip address
service-policy input PUBLIC-DVLAN
!
interface Vlan604
description PolicyOnlyInt
no ip address
service-policy input PUBLIC-DVLAN
!
interface Vlan654
description PolicyOnlyInt
no ip address
service-policy input STUDENT-DVLAN
!
interface Vlan674
description PolicyOnlyInt
no ip address
service-policy input PUBLIC-DVLAN
!
interface Vlan807
ip address 172.18.128.5 255.255.255.0
!
interface Vlan860
description PolicyOnlyInt
no ip address
service-policy input PUBLIC-DVLAN
!
interface Vlan2016
description PolicyOnlyInt
no ip address
service-policy input HARDPHONE-VVLAN
!
interface Vlan3124
description PolicyOnlyInt
no ip address
shutdown
service-policy input HARDPHONE-VVLAN

----------------------------------------

switch#sh access-lists
Extended IP access list VOICESIGNALING
10 permit tcp any 10.128.0.0 0.3.255.255 range 2000 2002
20 permit tcp any 10.128.0.0 0.3.255.255 eq 5060
30 permit udp any 10.128.0.0 0.3.255.255 eq 5060
40 permit tcp any 172.20.10.0 0.0.1.255 range 2000 2002
50 permit tcp any 172.20.10.0 0.0.1.255 eq 5060
60 permit udp any 172.20.10.0 0.0.1.255 eq 5060
Extended IP access list VOICETRAFFIC
10 permit udp any any dscp ef <----- not showing any match
11 permit udp 10.128.0.0 0.63.255.255 10.128.0.0 0.63.255.255 <----not shwoing any match
12 permit udp any any range 16384 32767 dscp ef<----not shwoing any match

-----------------------------

If I user "permit udp any any ", acl is showing match.

switch#sh access-lists
Extended IP access list VOICETRAFFIC
10 permit udp any any dscp ef
11 permit udp 10.128.0.0 0.63.255.255 10.128.0.0 0.63.255.255
12 permit udp any any range 16384 32767 dscp ef
13 permit udp any any (527055 matches)
______________________________________

shh5455 · ‎01-23-2015

You say you are only using it as an L2 switch, but you have multiple SVIs. Do you route between them? If so, you are doing L3 switching. These policies only come into play when you cross the SVI (L3 switching). Otherwise just the L2 QOS on the port will be used.

Also, I don't see VLAN 2232. Can you post the port configuration for the port you're testing?

pruthviraj · ‎01-26-2015

Hi,

We are using SVI as an interface to apply QoS policy only. Not using it for L-3 or routing. You may see there is no IP address on SVIs and the QoS policy is applied on SVI.

interface Vlan2016
description PolicyOnlyInt
no ip address
service-policy input HARDPHONE-VVLAN

interface Vlan2232
description PolicyOnlyInt
no ip address
service-policy input HARDPHONE-VVLAN

Port config:

interface GigabitEthernet1/4
switchport
switchport access vlan 159
switchport mode access
switchport nonegotiate
switchport voice vlan 2232
switchport port-security
switchport port-security maximum 10
switchport port-security aging time 5
switchport port-security violation restrict
wrr-queue bandwidth percent 5 25 70
priority-queue queue-limit 25
wrr-queue queue-limit 5 25 40
wrr-queue threshold 1 100 100 100 100 100 100 100 100
wrr-queue threshold 2 100 100 100 100 100 100 100 100
wrr-queue random-detect min-threshold 1 80 100 100 100 100 100 100 100
wrr-queue random-detect min-threshold 2 100 100 100 100 100 100 100 100
wrr-queue random-detect min-threshold 3 60 70 80 90 100 100 100 100
wrr-queue random-detect max-threshold 1 100 100 100 100 100 100 100 100
wrr-queue random-detect max-threshold 2 100 100 100 100 100 100 100 100
wrr-queue random-detect max-threshold 3 70 80 90 100 100 100 100 100
wrr-queue cos-map 1 1 1
wrr-queue cos-map 2 1 0
wrr-queue cos-map 3 2 2
wrr-queue cos-map 3 3 3
wrr-queue cos-map 3 4 6
wrr-queue cos-map 3 5 7
priority-queue cos-map 1 4 5
mls qos vlan-based
end

shh5455 · ‎01-27-2015

Ok, if you are not talking between subnets then you are not using the SVIs. There is no reason for the switch to send the traffic to an SVI as it will know (based on subnet mask) that the destination is on its subnet. The MAC address for the destination will be known in the CAM table on the switch. Therefore only the L2 QOS on the ports will be used.

In that case you will not see anything in "show policy-map..."

pruthviraj · ‎01-28-2015

Hi,

Thanks for your answer.

We are using VLAN based QoS. As per my knowledge, to apply VLAN based QoS, policy must be applied on SVI.

What about the traffic going out of SVI ? i.e the signalling traffic to call manager. We also have phone call between VLANs and also between two different L-3 zones. Will all such traffic be seen on show policy-map ?

Thanks,

Pruthvi

shh5455 · ‎01-29-2015

Any traffic that uses the SVI to L3 route will use your L3 QOS. What you are saying about routing vs. a non-routing network is inconsistent, so I'm not sure how to answer. If the traffic uses the SVI then you should be able to see the statistics change on the policy map.

QoS Packets not matching on 6500 with SUP720-10GE and SU2T