Service Policy on VLAN Interface

CompCJtoo, Level 1

Hi All. I'd like to change the DSCP on some network management traffic (i.e. SSH, NTP). SSH and NTP are already in the ACL I have applied "in" on the VLAN interface. I'd like to leave SSH and NTP in the existing ACL, but create another ACL with only those protocols, specifically for QoS purposes. Then I want to apply the service policy to the VLAN interface. Will the service policy take precedence on SSH and NTP traffic over the existing ACL?

 

I was thinking of applying something similar to the below:

 

conf t
ip access-list extended EXISTING_ACL
permit udp any eq ntp any
permit udp any gt 0 any eq syslog
permit udp any eq snmptrap any
permit tcp any eq 22 any gt 0
deny ip any any
!
ip access-list extended QOS_ACL
permit tcp any eq 22 any gt 0
permit udp any eq ntp any
deny ip any any
!
class-map match-any CLASSMAP_QOS
match access-group name QOS_ACL
end
conf t
policy-map POLICYMAP_QOS
class CLASSMAP_QOS
set dscp 48
end
conf t
int vlan 933
description Management_VLAN
ip access-group EXISTING_ACL in
service-policy input POLICYMAP_QOS

 


7 Replies

Francesco Molino, VIP Alumni

Hi

 

Your question is about the order of operations between QoS and the applied access-list?

Here is the official doc to answer your question:

https://www.cisco.com/c/en/us/support/docs/quality-of-service-qos/qos-packet-marking/22141-qos-orderofop-3.html

 

 


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Francesco, thanks for the article. At this point I'm not even seeing hits/statistics that my service policy is working. I'm doing some testing on a VLAN that only has one workstation, which I'm continually pinging. So, I have the below configured:

 

mls qos
!
ip access-list extended QOS_MGMT_TRAFFIC
 permit icmp host 10.10.10.243 host 172.16.12.146
 permit ip any any
!
class-map match-any CLASSMAP_QOS_MGMT_TRAFFIC
 match access-group name QOS_MGMT_TRAFFIC
!
policy-map POLICYMAP_MGMT_TRAFFIC
 class CLASSMAP_QOS_MGMT_TRAFFIC
  set dscp cs6
 class class-default
!
!
interface Vlan976
 ip address 10.10.10.241 255.255.255.248
 no ip redirects
 no ip unreachables
 service-policy input POLICYMAP_MGMT_TRAFFIC
!
!
interface GigabitEthernet1/1/1
 switchport trunk allowed vlan 811,930,970-972,976,979
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 915
 switchport mode trunk
 mls qos vlan-based
 channel-group 3 mode on
!
interface GigabitEthernet2/1/1
 switchport trunk allowed vlan 811,930,970-972,976,979
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 915
 switchport mode trunk
 mls qos vlan-based
 channel-group 3 mode on
end


Some show output:
SW_1#show policy-map POLICYMAP_MGMT_TRAFFIC
  Policy Map POLICYMAP_MGMT_TRAFFIC
    Class CLASSMAP_QOS_MGMT_TRAFFIC
      set dscp cs6

SW_1#show mls qos int gi1/1/1
GigabitEthernet1/1/1
trust state: not trusted
trust mode: not trusted
trust enabled flag: ena
COS override: dis
default COS: 0
DSCP Mutation Map: Default DSCP Mutation Map
Trust device: none
qos mode: vlan-based

SW_1#show mls qos int gi2/1/1
GigabitEthernet2/1/1
trust state: not trusted
trust mode: not trusted
trust enabled flag: ena
COS override: dis
default COS: 0
DSCP Mutation Map: Default DSCP Mutation Map
Trust device: none
qos mode: vlan-based

You're applying a policy-map which means you won't see it using sh mls command.
Can you run the command show policy-map POLICYMAP_MGMT_TRAFFIC int g1/1/1 and share the output please?

Also to make sure your traffic is tagged, you can span these 2 ports and get the traffic copied on a Wireshark machine. You should see all your icmp from your machine tagged with the right dscp.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
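The capture check Francesco suggests above can be automated. The following is an added example, not code from the thread: a stdlib-only parser that pulls the DSCP field out of Ethernet/IPv4 frames (802.1Q-tagged or not, since the SPAN source here is a dot1q trunk) and lists any ICMP packets between two hosts that do not carry the expected code point. The frames it runs on are constructed inline; on a real SPAN capture you would feed it the raw packet bytes from a pcap reader instead. The MAC addresses and payload are dummies.

```python
"""Added example (not from the thread): a stdlib-only parser that pulls the
DSCP field out of captured Ethernet/IPv4 frames, so a SPAN capture can be
checked for the CS6 marking the service policy should apply. The frames are
constructed inline here; on a real capture, feed it the raw packet bytes
from a pcap reader instead."""
import socket
import struct

ETH_IPV4 = 0x0800
ETH_8021Q = 0x8100
PROTO_ICMP = 1

# Common DSCP code points (RFC 2474 class selectors, RFC 2597 AF, RFC 3246 EF)
DSCP_NAMES = {0: "CS0", 8: "CS1", 16: "CS2", 24: "CS3", 32: "CS4", 40: "CS5",
              48: "CS6", 56: "CS7", 46: "EF",
              10: "AF11", 12: "AF12", 14: "AF13", 18: "AF21", 20: "AF22", 22: "AF23",
              26: "AF31", 28: "AF32", 30: "AF33", 34: "AF41", 36: "AF42", 38: "AF43"}

def dscp_name(dscp):
    return DSCP_NAMES.get(dscp, "DSCP%d" % dscp)

def _checksum(data):
    """RFC 1071 one's-complement sum over 16-bit words (odd length padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_icmp_echo_frame(src_ip, dst_ip, dscp, vlan=None):
    """Construct an Ethernet[/802.1Q]/IPv4/ICMP echo request carrying the given DSCP (test data)."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1) + b"ping-payload"
    icmp = icmp[:2] + struct.pack("!H", _checksum(icmp)) + icmp[4:]
    tos = (dscp << 2) & 0xFC                       # DSCP is the top 6 bits of TOS; ECN bits left 00
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(icmp), 0, 0, 64, PROTO_ICMP, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", _checksum(ip)) + ip[12:]
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")   # dummy dst MAC, src MAC
    if vlan is not None:                           # trunk capture: dot1q tag precedes the ethertype
        eth += struct.pack("!HH", ETH_8021Q, vlan & 0x0FFF)
    return eth + struct.pack("!H", ETH_IPV4) + ip + icmp

def parse_frame(frame):
    """Return dict(src, dst, proto, dscp, ecn, vlan) for an IPv4 frame, else None."""
    if len(frame) < 14:
        return None
    ethertype, off, vlan = struct.unpack("!H", frame[12:14])[0], 14, None
    if ethertype == ETH_8021Q:
        if len(frame) < 18:
            return None
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, off = tci & 0x0FFF, 18
    if ethertype != ETH_IPV4 or len(frame) < off + 20 or frame[off] >> 4 != 4:
        return None
    tos = frame[off + 1]
    return {"src": socket.inet_ntoa(frame[off + 12:off + 16]),
            "dst": socket.inet_ntoa(frame[off + 16:off + 20]),
            "proto": frame[off + 9], "dscp": tos >> 2, "ecn": tos & 0x3, "vlan": vlan}

def unmarked_icmp(frames, src_ip, dst_ip, expected_dscp):
    """Indices and DSCP of ICMP packets src->dst that do NOT carry expected_dscp.
    An empty list means every such packet in the capture was marked as expected."""
    bad = []
    for i, f in enumerate(frames):
        p = parse_frame(f)
        if p and p["proto"] == PROTO_ICMP and p["src"] == src_ip and p["dst"] == dst_ip \
                and p["dscp"] != expected_dscp:
            bad.append((i, p["dscp"]))
    return bad

if __name__ == "__main__":
    # Two constructed pings from the thread's workstation: one marked CS6, one left at CS0
    marked = build_icmp_echo_frame("10.10.10.243", "172.16.12.146", 48, vlan=976)
    plain = build_icmp_echo_frame("10.10.10.243", "172.16.12.146", 0, vlan=976)
    for f in (marked, plain):
        p = parse_frame(f)
        print("vlan %s %s -> %s proto %d dscp %d (%s)" %
              (p["vlan"], p["src"], p["dst"], p["proto"], p["dscp"], dscp_name(p["dscp"])))
    print("unmarked:", unmarked_icmp([marked, plain], "10.10.10.243", "172.16.12.146", 48))
```

In Wireshark the same field is `ip.dsfield.dscp`; a display filter of `icmp && ip.dsfield.dscp != 48` gives the same "which pings were not marked" view interactively. Note that the capture point matters: a SPAN of the ingress port shows the DSCP as received from the workstation, so the marking set by an input service-policy on the SVI is only visible on traffic captured after it has been forwarded.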

Francesco,

Hello.  I don't have the option to "show policy-map POLICYMAP_MGMT_TRAFFIC int gi1/1/1" available.  Below is output I could get though.

 

SW_1#show policy-map POLICYMAP_MGMT_TRAFFIC ?
  class  Show Policy actions for a individual class
  |      Output modifiers
  <cr>

SW_1#show policy-map POLICYMAP_MGMT_TRAFFIC
  Policy Map POLICYMAP_MGMT_TRAFFIC
    Class CLASSMAP_QOS_MGMT_TRAFFIC
      set dscp cs6
    Class class-default
SW_1#show policy-map POLICYMAP_MGMT_TRAFFIC class CLASSMAP_QOS_MGMT_TRAFFIC
        Class CLASSMAP_QOS_MGMT_TRAFFIC
      set dscp cs6
SW_1#

Sorry, I did a quick copy/paste from your post :-)

Please do "sh policy int g1/1/1" (replace g1/1/1 with the right interface) and paste the output.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Francesco,

Thanks for recommending doing a capture as I was able to see the dscp value had been changed per the service policy.  I would like to see how I can verify statistics via the IOS.  Nonetheless, I found that I can have my existing ACL applied inbound on the int vlan 976 as well as have the service-policy input on the int vlan 976.  Below is the show policy output as well as my relevant config.

 

SW_1#
SW_1#show policy ?
% Ambiguous command:  "show policy "
SW_1#show policy-map int gi1/1/1
SW_1#
SW_1#


mls qos
!
**** taken from show access-list ****
Extended IP access list MGMT_TRAFFIC
    40 permit tcp any eq 22 any gt 0 log
    55 permit icmp host 10.10.10.243 host 172.16.12.146 log (574 matches)
    58 permit icmp host 10.10.10.243 host 172.16.12.1 log (256027 matches)
    60 permit tcp any eq 443 any gt 0 log
Extended IP access list QOS_MGMT_TRAFFIC
    10 permit icmp host 10.10.10.243 host 172.16.12.146
    12 permit icmp host 10.10.10.243 host 172.16.12.1
****************************************

!
class-map match-any CLASSMAP_QOS_MGMT_TRAFFIC
 match access-group name QOS_MGMT_TRAFFIC
!
policy-map POLICYMAP_MGMT_TRAFFIC
 class CLASSMAP_QOS_MGMT_TRAFFIC
  set dscp cs6
 class class-default
  trust dscp
!
!
interface Vlan976
 ip address 10.10.10.241 255.255.255.248
 ip access-group MGMT_TRAFFIC in
 no ip redirects
 no ip unreachables
 service-policy input POLICYMAP_MGMT_TRAFFIC
!
!
interface GigabitEthernet1/1/1
 switchport trunk allowed vlan 811,930,970-972,976,979
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 915
 switchport mode trunk
 mls qos vlan-based
 channel-group 3 mode on
!
interface GigabitEthernet2/1/1
 switchport trunk allowed vlan 811,930,970-972,976,979
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 915
 switchport mode trunk
 mls qos vlan-based
 channel-group 3 mode on
end
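The outcome reported in this post, an inbound ACL and an ACL-classified service-policy coexisting on the same SVI, can be reasoned about with a small model of first-match ACL evaluation. The following is an added example, not code from the thread: it parses the thread's own ACL text (either the config form or the `show access-list` form with sequence numbers, `log` and match counters), then evaluates one constructed packet against both ACLs. The model assumes that the inbound `ip access-group` alone decides forward/drop, that a `deny` ACE in a class-map's ACL only excludes the packet from the class (it never drops), and that the unclassified packet keeps its received DSCP, matching the `class-default` / `trust dscp` in the policy above. It does not model the hardware order of operations of the switch itself. The packet tuples are constructed for the demo.

```python
"""Added example (not from the thread): a model of IOS extended-ACL first-match
evaluation, used to show how an inbound 'ip access-group' and a class-map
'match access-group' on the same SVI act on one packet. The ACL text is the
thread's own; the packets are constructed. Assumptions: the interface ACL alone
decides drop/forward; a 'deny' in the classification ACL only means 'not in this
class'; unclassified traffic keeps its DSCP (class-default with 'trust dscp')."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# IOS port keywords used in the thread's ACLs (plus ssh)
PORT_NAMES = {"ntp": 123, "syslog": 514, "snmptrap": 162, "ssh": 22, "www": 80, "domain": 53}
ANY = (0, 0xFFFFFFFF)                              # (address, wildcard) that matches everything

def _port_num(tok):
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]

def _parse_addr(toks, i):
    if toks[i] == "any":
        return ANY, i + 1
    if toks[i] == "host":
        return (int(ipaddress.IPv4Address(toks[i + 1])), 0), i + 2
    return (int(ipaddress.IPv4Address(toks[i])), int(ipaddress.IPv4Address(toks[i + 1]))), i + 2

def _parse_port(toks, i):
    if i < len(toks) and toks[i] in ("eq", "gt", "lt"):
        return (toks[i], _port_num(toks[i + 1])), i + 2
    return None, i

def _addr_match(spec, ip):
    net, wild = spec                               # IOS wildcard: 1 bits are "don't care"
    return (int(ipaddress.IPv4Address(ip)) | wild) == (net | wild)

def _port_match(spec, port):
    if spec is None:
        return True
    if port is None:
        return False
    op, p = spec
    return {"eq": port == p, "gt": port > p, "lt": port < p}[op]

@dataclass
class ACE:
    action: str                                    # "permit" | "deny"
    proto: str                                     # "ip" | "tcp" | "udp" | "icmp"
    src: tuple
    sport: Optional[tuple]
    dst: tuple
    dport: Optional[tuple]

    def matches(self, pkt):
        if self.proto != "ip" and self.proto != pkt["proto"]:
            return False
        if not (_addr_match(self.src, pkt["src"]) and _addr_match(self.dst, pkt["dst"])):
            return False
        return _port_match(self.sport, pkt.get("sport")) and _port_match(self.dport, pkt.get("dport"))

def parse_acl(text):
    """Parse ACEs from config lines or 'show access-list' output; headers,
    sequence numbers, 'log' and '(N matches)' are ignored."""
    acl = []
    for line in text.splitlines():
        toks = [t for t in re.sub(r"\(.*?\)", "", line).split() if t != "log"]
        if toks and toks[0].isdigit():
            toks = toks[1:]
        if len(toks) < 2 or toks[0] not in ("permit", "deny"):
            continue
        action, proto, i = toks[0], toks[1], 2
        src, i = _parse_addr(toks, i)
        sport, i = _parse_port(toks, i)
        dst, i = _parse_addr(toks, i)
        dport, i = _parse_port(toks, i)
        acl.append(ACE(action, proto, src, sport, dst, dport))
    return acl

def first_match(acl, pkt):
    """Action of the first matching ACE, or None for the implicit deny at the end."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action
    return None

def svi_ingress(interface_acl, qos_acl, mark_dscp, pkt):
    """(forwarded?, resulting DSCP) for one packet entering the SVI."""
    if first_match(interface_acl, pkt) != "permit":
        return False, None                         # dropped by the inbound ACL; nothing left to mark
    if first_match(qos_acl, pkt) == "permit":
        return True, mark_dscp                     # in the class: 'set dscp' rewrites the field
    return True, pkt["dscp"]                       # class-default with 'trust dscp': DSCP kept

def pkt(proto, src, dst, sport=None, dport=None, dscp=0):
    """Constructed packet 5-tuple plus the DSCP it arrived with."""
    return {"proto": proto, "src": src, "dst": dst, "sport": sport, "dport": dport, "dscp": dscp}

# The ACLs from the original question, verbatim
EXISTING_ACL = parse_acl("""ip access-list extended EXISTING_ACL
permit udp any eq ntp any
permit udp any gt 0 any eq syslog
permit udp any eq snmptrap any
permit tcp any eq 22 any gt 0
deny ip any any""")
QOS_ACL = parse_acl("""permit tcp any eq 22 any gt 0
permit udp any eq ntp any
deny ip any any""")

if __name__ == "__main__":
    for name, p in (("ssh reply", pkt("tcp", "10.10.10.243", "172.16.12.146", 22, 51000)),
                    ("syslog", pkt("udp", "10.10.10.243", "172.16.12.1", 40000, 514, dscp=8)),
                    ("https", pkt("tcp", "10.10.10.243", "172.16.12.1", 443, 51001))):
        print(name, svi_ingress(EXISTING_ACL, QOS_ACL, 48, p))
```

Two things the model makes visible that are easy to miss when reading the configs: the `deny ip any any` at the end of QOS_ACL is harmless (syslog is still forwarded, it just keeps its DSCP), whereas the earlier test ACL ending in `permit ip any any` puts every packet in the class, so everything crossing the SVI would have been rewritten to CS6. Note also that the ACEs match on the source port (`eq 22`, `eq ntp`), so they classify replies from the SSH/NTP servers, not requests towards them.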

Great to know that I answered your question. For statistics, I believe you're asking for mls statistics which will be shown with command:
show mls qos int gi1/1/1 statistics

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question