08-14-2018 02:52 PM - edited 03-08-2019 03:54 PM
Hi All. I'd like to change the DSCP on some network management traffic (i.e. SSH, NTP). SSH and NTP are already in the ACL I have applied "in" on the VLAN interface. I'd like to leave SSH and NTP in the existing ACL, but create another ACL with only those protocols specifically for QoS purposes. Then I want to apply the service policy to the VLAN interface. Will the service policy take precedence on SSH and NTP traffic over the existing ACL?
I was thinking of applying something similar to the below:
conf t
ip access-list extended EXISTING_ACL
 permit udp any eq ntp any
 permit udp any gt 0 any eq syslog
 permit udp any eq snmptrap any
 permit tcp any eq 22 any gt 0
 deny ip any any
!
ip access-list extended QOS_ACL
 permit tcp any eq 22 any gt 0
 permit udp any eq ntp any
 deny ip any any
!
class-map match-any CLASSMAP_QOS
 match access-group name QOS_ACL
end
conf t
policy-map POLICYMAP_QOS
 class CLASSMAP_QOS
  set dscp 48
end
conf t
int vlan 933
 description Management_VLAN
 ip access-group EXISTING_ACL in
 service-policy input POLICYMAP_QOS
08-14-2018 06:41 PM
Hi,
Your question is about the order of operations between QoS and an applied access-list?
Here is the official doc to answer your question:
08-15-2018 02:55 PM
Francesco, thanks for the article. At this point I'm not even seeing hits/statistics that my service policy is working. I'm doing some testing on a VLAN that only has one workstation, which I'm continually pinging. So, I have the below configured:
mls qos
!
ip access-list extended QOS_MGMT_TRAFFIC
 permit icmp host 10.10.10.243 host 172.16.12.146
 permit ip any any
!
class-map match-any CLASSMAP_QOS_MGMT_TRAFFIC
 match access-group name QOS_MGMT_TRAFFIC
!
policy-map POLICYMAP_MGMT_TRAFFIC
 class CLASSMAP_QOS_MGMT_TRAFFIC
  set dscp cs6
 class class-default
!
!
interface Vlan976
 ip address 10.10.10.241 255.255.255.248
 no ip redirects
 no ip unreachables
 service-policy input POLICYMAP_MGMT_TRAFFIC
!
!
interface GigabitEthernet1/1/1
 switchport trunk allowed vlan 811,930,970-972,976,979
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 915
 switchport mode trunk
 mls qos vlan-based
 channel-group 3 mode on
!
interface GigabitEthernet2/1/1
 switchport trunk allowed vlan 811,930,970-972,976,979
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 915
 switchport mode trunk
 mls qos vlan-based
 channel-group 3 mode on
end
Some show output:
SW_1#show policy-map POLICYMAP_MGMT_TRAFFIC
Policy Map POLICYMAP_MGMT_TRAFFIC
Class CLASSMAP_QOS_MGMT_TRAFFIC
set dscp cs6
SW_1#show mls qos int gi1/1/1
GigabitEthernet1/1/1
trust state: not trusted
trust mode: not trusted
trust enabled flag: ena
COS override: dis
default COS: 0
DSCP Mutation Map: Default DSCP Mutation Map
Trust device: none
qos mode: vlan-based
SW_1#show mls qos int gi2/1/1
GigabitEthernet2/1/1
trust state: not trusted
trust mode: not trusted
trust enabled flag: ena
COS override: dis
default COS: 0
DSCP Mutation Map: Default DSCP Mutation Map
Trust device: none
qos mode: vlan-based
08-15-2018 09:11 PM
08-16-2018 07:53 AM
Francesco,
Hello. I don't have the option to "show policy-map POLICYMAP_MGMT_TRAFFIC int gi1/1/1" available. Below is output I could get though.
SW_1#show policy-map POLICYMAP_MGMT_TRAFFIC ?
class Show Policy actions for a individual class
| Output modifiers
<cr>
SW_1#show policy-map POLICYMAP_MGMT_TRAFFIC
Policy Map POLICYMAP_MGMT_TRAFFIC
Class CLASSMAP_QOS_MGMT_TRAFFIC
set dscp cs6
Class class-default
SW_1#show policy-map POLICYMAP_MGMT_TRAFFIC class CLASSMAP_QOS_MGMT_TRAFFIC
Class CLASSMAP_QOS_MGMT_TRAFFIC
set dscp cs6
SW_1#
08-16-2018 04:58 PM
08-17-2018 08:32 AM
Francesco,
Thanks for recommending doing a capture, as I was able to see that the DSCP value had been changed per the service policy. I would like to see how I can verify statistics via the IOS. Nonetheless, I found that I can have my existing ACL applied inbound on the int vlan 976 as well as have the service-policy input on the int vlan 976. Below is the show policy output as well as my relevant config.
SW_1#
SW_1#show policy ?
% Ambiguous command: "show policy "
SW_1#show policy-map int gi1/1/1
SW_1#
SW_1#
mls qos
!
**** taken from show access-list ****
Extended IP access list MGMT_TRAFFIC
    40 permit tcp any eq 22 any gt 0 log
    55 permit icmp host 10.10.10.243 host 172.16.12.146 log (574 matches)
    58 permit icmp host 10.10.10.243 host 172.16.12.1 log (256027 matches)
    60 permit tcp any eq 443 any gt 0 log
Extended IP access list QOS_MGMT_TRAFFIC
    10 permit icmp host 10.10.10.243 host 172.16.12.146
    12 permit icmp host 10.10.10.243 host 172.16.12.1
****************************************
!
class-map match-any CLASSMAP_QOS_MGMT_TRAFFIC
 match access-group name QOS_MGMT_TRAFFIC
!
policy-map POLICYMAP_MGMT_TRAFFIC
 class CLASSMAP_QOS_MGMT_TRAFFIC
  set dscp cs6
 class class-default
  trust dscp
!
!
interface Vlan976
 ip address 10.10.10.241 255.255.255.248
 ip access-group MGMT_TRAFFIC in
 no ip redirects
 no ip unreachables
 service-policy input POLICYMAP_MGMT_TRAFFIC
!
!
interface GigabitEthernet1/1/1
 switchport trunk allowed vlan 811,930,970-972,976,979
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 915
 switchport mode trunk
 mls qos vlan-based
 channel-group 3 mode on
!
interface GigabitEthernet2/1/1
 switchport trunk allowed vlan 811,930,970-972,976,979
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 915
 switchport mode trunk
 mls qos vlan-based
 channel-group 3 mode on
end
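The interaction the thread works through (the interface ACL as a filter, the class-map's `match access-group` ACL as a classifier only, and the DSCP rewrite that shows up in a capture), as an added Python model that is not part of the original posts or of any Cisco software. It parses the ACE lines pasted above; the test flows it is fed, the 20-byte IPv4 headers it constructs, and the assumption that an untrusted class-default re-marks ingress traffic to DSCP 0 (Catalyst behaviour once `mls qos` is on) are the example's own, not something the thread states. It also shows why the first attempt's `permit ip any any` QoS ACL would have marked every permitted packet CS6.

```python
"""Model of the inbound path this thread configures on an SVI: the `ip access-group ... in`
ACL filters (first matching ACE wins, implicit deny drops), then the service-policy's
class-map classifies via `match access-group` (permit = in the class; deny or no match =
class-default, not a drop) and sets DSCP. Added illustration, not Cisco code; it parses
only the ACE syntax that appears in the thread."""
import ipaddress
import struct
from collections import namedtuple

Flow = namedtuple("Flow", "proto src dst sport dport", defaults=(0, 0))
Ace = namedtuple("Ace", "action proto src dst sport dport")
PROTO = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17}               # None = any IP protocol
PORT_NAMES = {"ssh": 22, "www": 80, "ntp": 123, "snmptrap": 162, "syslog": 514}
DSCP_NAMES = {**{f"cs{i}": i * 8 for i in range(8)}, "ef": 46}    # cs6 == 48, as in the thread

def _port(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)

def _addr(tok, i):
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    # "A.B.C.D wildcard": ipaddress accepts a host mask in place of a prefix length
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2

def _portspec(tok, i):
    if i < len(tok) and tok[i] in ("eq", "neq", "gt", "lt"):
        return (tok[i], _port(tok[i + 1])), i + 2
    return None, i

def parse_ace(line):
    tok = line.split()
    if tok[0].isdigit():                 # sequence number from `show access-list`
        tok = tok[1:]
    src, i = _addr(tok, 2)
    sport, i = _portspec(tok, i)
    dst, i = _addr(tok, i)
    dport, i = _portspec(tok, i)         # trailing "log" / "(N matches)" is ignored
    return Ace(tok[0], PROTO[tok[1]], src, dst, sport, dport)

def parse_acl(text):
    return [parse_ace(l) for l in text.splitlines() if l.strip()]

def _port_ok(spec, port):
    if spec is None:
        return True
    op, val = spec
    return {"eq": port == val, "neq": port != val, "gt": port > val, "lt": port < val}[op]

def ace_matches(a, f):
    return ((a.proto is None or a.proto == f.proto)
            and ipaddress.ip_address(f.src) in a.src and ipaddress.ip_address(f.dst) in a.dst
            and _port_ok(a.sport, f.sport) and _port_ok(a.dport, f.dport))

def acl_action(acl, f):
    """First matching ACE decides; no match is the implicit deny."""
    return next((a.action for a in acl if ace_matches(a, f)), "deny")

def process_inbound(filter_acl, classes, trust_default, f, dscp_in):
    """None = dropped by the interface ACL, else the DSCP the packet leaves with.
    classes = [(class_acl, dscp_to_set), ...] in policy-map order. class-default is modelled
    as `trust dscp` (keep dscp_in) or untrusted (re-mark to 0; an assumption of this model)."""
    if acl_action(filter_acl, f) != "permit":
        return None
    for class_acl, dscp in classes:
        if acl_action(class_acl, f) == "permit":   # deny here = not in this class, not a drop
            return dscp
    return dscp_in if trust_default else 0

# Raw-header view: what the packet capture shows after marking.
def _checksum(hdr):
    s = sum(struct.unpack("!10H", hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF                   # 0 when hdr already carries a valid checksum

def build_ipv4(f, dscp=0, ttl=64):
    """Constructed 20-byte IPv4 header (no options/payload) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2, 20, 0, 0, ttl, f.proto, 0,
                      ipaddress.ip_address(f.src).packed, ipaddress.ip_address(f.dst).packed)
    return hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]

def dscp_of(hdr):
    return hdr[1] >> 2                   # DSCP = top six bits of the TOS byte (0xC0 -> 48)

def remark(hdr, dscp):
    """Rewrite DSCP (keeping the two ECN bits) and recompute the header checksum."""
    new = hdr[:1] + bytes([(dscp << 2) | (hdr[1] & 3)]) + hdr[2:10] + b"\0\0" + hdr[12:]
    return new[:10] + struct.pack("!H", _checksum(new)) + new[12:]

def process_header(hdr, filter_acl, classes, trust_default, sport=0, dport=0):
    f = Flow(hdr[9], str(ipaddress.ip_address(hdr[12:16])),
             str(ipaddress.ip_address(hdr[16:20])), sport, dport)
    out = process_inbound(filter_acl, classes, trust_default, f, dscp_of(hdr))
    return None if out is None else remark(hdr, out)

# The thread's final ACLs as pasted from `show access-list`, plus the first attempt's QoS ACL
MGMT_TRAFFIC = parse_acl("""
40 permit tcp any eq 22 any gt 0 log
55 permit icmp host 10.10.10.243 host 172.16.12.146 log (574 matches)
58 permit icmp host 10.10.10.243 host 172.16.12.1 log (256027 matches)
60 permit tcp any eq 443 any gt 0 log""")
QOS_MGMT_TRAFFIC = parse_acl("""
10 permit icmp host 10.10.10.243 host 172.16.12.146
12 permit icmp host 10.10.10.243 host 172.16.12.1""")
FIRST_TRY_QOS = parse_acl("""
permit icmp host 10.10.10.243 host 172.16.12.146
permit ip any any""")
POLICY = [(QOS_MGMT_TRAFFIC, DSCP_NAMES["cs6"])]
```

Feeding `process_header(build_ipv4(Flow(1, "10.10.10.243", "172.16.12.146")), MGMT_TRAFFIC, POLICY, True)` returns a header whose TOS byte is 0xC0 (DSCP 48 / CS6) with a valid checksum, which is the change the capture confirmed; an NTP flow returns None because MGMT_TRAFFIC has no UDP entry, so whether the QoS class would have matched it never matters; and with `FIRST_TRY_QOS` in place of `QOS_MGMT_TRAFFIC`, an SSH flow that the interface ACL permits is also marked CS6, which is the effect of that ACL's `permit ip any any`.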
08-18-2018 06:41 PM