From: Sam Munzani (sam@munzani.com)
Date: Thu Sep 02 2004 - 10:43:17 GMT-3
Sam Munzani wrote:
> gladston@br.ibm.com wrote:
>
>> I realize that I configured the service output; then I configured
>> input expecting now packets would be marked with DSCP 50 and be
>> logged, but not changed. NBAR still works but no log of packets with
>> DSCP 50.
>
> You can't mark & match on same interface. Apply service policy in
> input mode to your lan interface and let it mark the packet with DSCP
> 50, then apply outbound interface on your WAN interface that checks
> for any DSCP 50 packets and drops them with log.
>
Before flames start, typo correction.
Apply outbound ACL (I am sure you can't apply an interface to an
interface ;-))
> In short, make following changes to your config and it will work.
>
> policy-map Not-Authorized-Traffic
>  class Not-Authorized-Traffic
>   set dscp 50
> !
> interface Vlanxx
>  service-policy input Not-Authorized-Traffic
> !
> interface ATM y/y/y.500
>  ip access-group LOG out
> !
> ip access-list extended LOG
>  permit ip any any dscp 50 log
>  permit ip any any
>
> Sam Munzani
> CCIE # 6479 (R&S, Security)
>