service-policy input command for LAN QOS on switch crashed site

Dean Romanelli
Level 4

Hi All,

So I began rolling out QOS to a test site today, and when I configured the switch with the service-policy and applied it, I lost connectivity to the switch and subsequently all site services went down.  Had to call site and have switch power cycled to restore.  I am boggled as to why. I've configured the below in my SG300-28P:

ip access-list extended qos_priority_in_from_hosts
permit ip 192.168.154.0 0.0.0.255 192.xx.xx.0 0.0.0.255
permit ip 192.168.154.0 0.0.0.255 192.xx.xx.0 0.0.0.255
permit ip 192.168.154.0 0.0.0.255 63.xxx.xx.0 0.0.0.255
permit ip 192.168.154.0 0.0.0.255 8.x.xxx.0 0.0.0.255
permit ip 192.168.154.0 0.0.0.255 8.xx.x.0 0.0.3.255

class-map QOS-VOICE-IN-FROM-HOSTS
match access-group qos_priority_in_from_hosts

class-map QOS-SIGNALING-IN-FROM-HOSTS
match access-group qos_priority_in_from_hosts

policy-map QOS-POLICY-IN-FROM-HOSTS
class QOS-VOICE-IN-FROM-HOSTS
set dscp 46

class QOS-SIGNALING-IN-FROM-HOSTS
set dscp 24

Ports with VOIP Phones / PC combo:
int gi9
service-policy input QOS-POLICY-IN-FROM-HOSTS
int gi21
service-policy input QOS-POLICY-IN-FROM-HOSTS
int gi8
service-policy input QOS-POLICY-IN-FROM-HOSTS
int gi7
service-policy input QOS-POLICY-IN-FROM-HOSTS
int gi19
service-policy input QOS-POLICY-IN-FROM-HOSTS


ip access-list extended qos_priority_return_from_provider
permit ip 192.xx.xx.0 0.0.0.255 192.168.154.0 0.0.0.255
permit ip 192.xx.xx.0 0.0.0.255 192.168.154.0 0.0.0.255
permit ip 63.xxx.xx.0 0.0.0.255 192.168.154.0 0.0.0.255
permit ip 8.x.xxx.0 0.0.0.255 192.168.154.0 0.0.0.255
permit ip 8.xx.x.0 0.0.3.255 192.168.154.0 0.0.0.255

class-map QOS-VOICE-RETURN-FROM-PROVIDER
match access-group qos_priority_return_from_provider

class-map QOS-SIGNALING-RETURN-FROM-PROVIDER
match access-group qos_priority_return_from_provider

policy-map QOS-POLICY-RETURN-FROM-PROVIDER
class QOS-VOICE-RETURN-FROM-PROVIDER
set dscp 46

class QOS-SIGNALING-RETURN-FROM-PROVIDER
set dscp 24

Switch uplink to ASA:
int gi25
service-policy input QOS-POLICY-RETURN-FROM-PROVIDER

When I applied the 2nd service policy to the uplink to the ASA on my switch, I lost connectivity to the switch, and the site lost all services except for voice.  I use the 2nd policy to re-mark the return traffic from the VOIP provider with their appropriate DSCP values for re-entry into the LAN because the internet and the ASA drop the marks, so return traffic re-enters LAN unmarked unless I mark it again.

The most obvious answer for why this happened that I can determine is that applying the service policy to the ports makes the ports follow the ACLs being called in the service policy in a "permit/deny" fashion, but that doesn't make sense to me, because I am not setting "ip access-group QOS-POLICY-RETURN-FROM-PROVIDER in," I am setting "service-policy input QOS-POLICY-RETURN-FROM-PROVIDER."  It was my understanding that if an ACL is called in a class-map which is called in a policy-map, the ACL is used to define the interesting traffic so that the action specified under the "class" command in the policy-map can be executed (in this case, DSCP marking), not to permit/deny flows like a traditional ACL.

Any help is much appreciated, as I am quite confused.  Thanks.

EDIT: I just thought of a 2nd theory. Could it be because I am calling the same ACL for two different class maps, and setting two different actions under the service policy based on the same ACL? So the switch doesn't know whether to tag with 46 or 24 and that is causing the switch to lock up, subsequently taking the branch down?
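
A pre-deployment check for the pattern raised in the EDIT above, as an added example that is not part of the original post: it parses the class-map and policy-map stanzas and reports any policy-map whose classes match the same ACL while setting different actions. The sample config is constructed from the names in the post, and the function names `parse` and `find_shared_acl_classes` are this example's own; the check only flags the overlap and says nothing about how a given switch resolves it.

```python
from collections import defaultdict

# Constructed sample, reusing the first policy's names from the post above.
SAMPLE_CONFIG = """\
class-map QOS-VOICE-IN-FROM-HOSTS
match access-group qos_priority_in_from_hosts
class-map QOS-SIGNALING-IN-FROM-HOSTS
match access-group qos_priority_in_from_hosts
policy-map QOS-POLICY-IN-FROM-HOSTS
class QOS-VOICE-IN-FROM-HOSTS
set dscp 46
class QOS-SIGNALING-IN-FROM-HOSTS
set dscp 24
"""

def parse(config):
    """Return (class-map -> ACL names, policy-map -> [[class, [actions]], ...])."""
    class_acls, policies, ctx = defaultdict(list), defaultdict(list), None
    for line in config.splitlines():
        w = line.split()
        if len(w) < 2:
            continue
        if w[0] in ("class-map", "policy-map"):
            ctx = (w[0], w[-1])          # stanza name is the last token
        elif w[0] in ("interface", "int", "ip"):
            ctx = None                   # left the QoS stanzas
        elif ctx and ctx[0] == "class-map" and len(w) > 2 and w[:2] == ["match", "access-group"]:
            class_acls[ctx[1]].append(w[2])
        elif ctx and ctx[0] == "policy-map" and w[0] == "class":
            policies[ctx[1]].append([w[1], []])
        elif ctx and ctx[0] == "policy-map" and w[0] == "set" and policies[ctx[1]]:
            policies[ctx[1]][-1][1].append(" ".join(w))
    return class_acls, policies

def find_shared_acl_classes(config):
    """List (policy, acl, first_class, later_class) for classes sharing an ACL with different actions."""
    class_acls, policies = parse(config)
    findings = []
    for policy, classes in policies.items():
        seen = {}                        # ACL -> (class, actions) where first seen
        for cls, actions in classes:
            for acl in class_acls.get(cls, []):
                if acl in seen and seen[acl][1] != actions:
                    findings.append((policy, acl, seen[acl][0], cls))
                seen.setdefault(acl, (cls, actions))
    return findings
```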
