From: Josh Heesen (inforsecla@yahoo.com)
Date: Thu Dec 01 2005 - 22:28:02 GMT-3
Mine works, I've had problems with this in the past. I think using the class-default will mess things up because it's not strictly IP-based traffic. If asked to change all traffic on a particular interface, I would probably use mls qos override though.

access-list 180 permit ip any any
class-map match-all IP
 match access-group 180
!
!
policy-map IP
 class IP
  set ip precedence 5
interface FastEthernet0/5
 switchport access vlan 66
 switchport mode access
 switchport nonegotiate
 no ip address
 mls qos monitor dscp 40
 service-policy input IP

FastEthernet0/5
Ingress
  dscp:   incoming   no_change   classified   policed   dropped (in bytes)
    40:   0          0           3581         0         0
Others:   12818      6233        3004         0         0

"HIERS, DAVID (AIT)" <dh4578@sbc.com> wrote:
I know of nothing that forces matching on vlan to make service policy work on an access port.
David Hiers
CCIE 10734, CISSP
-###-
-----Original Message-----
From: Venkataramanaiah.R [mailto:vramanaiah@gmail.com]
Sent: Thursday, December 01, 2005 12:55 AM
To: Chris Lewis
Cc: HIERS, DAVID (AIT); Cisco certification
Subject: Re: Per Port Per Vlan..
Guys, I made a silly mistake. I did not have the mls qos command
enabled on the switch. After I enabled it, it works with either
policy-map. This confirms that we need not match vlan for an access
port.
However, I keep hearing from people that we must always match vlan (even
for an access port). I do not understand why. Any thoughts? I am
more concerned about what to configure in the exam, if I face a
similar question.
Regards
-Venkat
On 12/1/05, Venkataramanaiah.R wrote:
> Hi,
>
> Just to make sure I understood it correctly, I labbed it up.
>
> I have the following setup:
>
> R2-Fa0/0---Fa0/17-S1--int Vlan12(on S1)
>
> I am trying to match all traffic coming from R2 into the
> switchport fa0/17 and mark it with Prec 5.
>
> I have ACL 101 in Vlan12 to verify that marking is working.
>
> Unfortunately, I see that irrespective of whether I match the vlan or
> not, I could not see the marking happening.
>
> Am I doing something wrong here?
>
> Regards
> -Venkat
>
> R2#sr int fa0/0
> interface FastEthernet0/0
>  ip address 134.9.22.2 255.255.255.0
>
>
> S1(config-if)#do sr int fa0/17
> Building configuration...
>
> Current configuration : 112 bytes
> !
> interface FastEthernet0/17
>  switchport access vlan 12
>  switchport mode access
>  service-policy input test (Same result even if I use withvlan policy here)
> end
>
> interface Vlan12
>  ip address 134.9.22.7 255.255.255.0
>  ip access-group 101 in
> end
>
>
> S1(config-if)#do sac
> Standard IP access list 1
>     10 permit any
> Extended IP access list 101
>     10 permit ip any any precedence critical   <-----Nothing Matches here
>     20 permit ip any any (113 matches)
>
> S1#sh policy-map
>  Policy Map test
>   Class all
>    set ip precedence 5
>
>  Policy Map withvlan
>   Class withvlan
>    set ip precedence 5
>
>
> S1#sh class-map
>  Class Map match-all withvlan (id 2)
>    Match vlan 12
>    Match class-map all
>
>  Class Map match-any class-default (id 0)
>    Match any
>
>  Class Map match-all all (id 1)
>    Match access-group 1
>
> S1#
>
> On 11/30/05, Chris Lewis wrote:
> > Good point, with a voice vlan on an access port it would also make sense.
> >
> > I agree, to get per port per vlan working you need hierarchy of some kind, the following is an example.
> >
> > class-map match-any dscp_class
> >  match ip dscp 9
> >  exit
> > class-map match-all vlan_class
> >  match vlan 10 20-30 40
> >  match class-map dscp_class
> >  exit
> >
> >
> > "HIERS, DAVID (AIT)" wrote:
> > Per-port/per-vlan is required on the trunk-like-access-ish port that is connected to the typical ip-phone/pc combo.
> >
> > According to one book, a nested class structure is required to make Per-port/per-vlan work on a 3550.
> >
> >
> > David Hiers
> >
> > CCIE 10734, CISSP
> >
> > -###-
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
> > Chris Lewis
> > Sent: Tuesday, November 29, 2005 1:05 PM
> > To: Venkataramanaiah.R; Cisco certification
> > Subject: Re: Per Port Per Vlan..
> >
> >
> > It is perfectly reasonable to configure parent/child class maps for an access port, something like shaping the output to an overall rate, then providing differentiated guarantees for different traffic types within that shaped rate.
> >
> > Per port per vlan configurations are applied on trunk ports, not access ports.
> >
> > "Venkataramanaiah.R" wrote:
> > Hi,
> >
> > I would like to know whether it makes any sense to configure the
> > parent/child class maps for an access port, if we want to just
> > classify some traffic on the given access port.
> >
> > My understanding is that per port/per vlan applies only to the trunk
> > ports. Correct me if I am wrong.
> >
> > Regards
> > -Venkat
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
This archive was generated by hypermail 2.1.4 : Mon Jan 09 2006 - 07:07:50 GMT-3
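
An added example, not part of the original thread: a Python check for the failure mode Venkat reports above, a service-policy attached to a switchport while the global mls qos command is absent, so marking silently never happens. The function name audit_qos and the sample running-config are constructed for illustration; the interface-level mls qos monitor line is included to show it is not mistaken for the global command.

```python
def audit_qos(config: str) -> list[str]:
    """Return findings for an indented, Catalyst-style running-config."""
    qos_enabled = False
    class_maps, policy_maps, attached = set(), {}, []
    section = None                       # ("policy-map" | "interface", name)
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.lstrip().startswith("!"):
            continue
        words = line.split()
        if not raw[0].isspace():         # top-level (global) command
            section = None
            if line == "mls qos":        # exact match: global enable only
                qos_enabled = True
            elif words[0] == "class-map":
                class_maps.add(words[-1])
            elif words[0] == "policy-map":
                section = ("policy-map", words[1])
                policy_maps[words[1]] = []
            elif words[0] == "interface":
                section = ("interface", words[1])
        elif section and section[0] == "policy-map" and words[0] == "class":
            policy_maps[section[1]].append(words[1])
        elif (section and section[0] == "interface"
              and words[:2] == ["service-policy", "input"]):
            attached.append((section[1], words[2]))
    findings = []
    for intf, pol in attached:
        if not qos_enabled:
            findings.append(f"{intf}: service-policy input {pol} attached "
                            "but global 'mls qos' is missing")
        if pol not in policy_maps:
            findings.append(f"{intf}: policy-map {pol} is not defined")
            continue
        for cls in policy_maps[pol]:
            if cls != "class-default" and cls not in class_maps:
                findings.append(f"{intf}: policy-map {pol} uses "
                                f"undefined class-map {cls}")
    return findings

# Constructed sample modelled on the configs in the thread (no global mls qos).
SAMPLE = """\
class-map match-all all
 match access-group 1
policy-map test
 class all
  set ip precedence 5
interface FastEthernet0/17
 mls qos monitor dscp 40
 service-policy input test
"""
```

Calling audit_qos(SAMPLE) reports the missing global command; prepending a top-level "mls qos" line to the same text returns an empty list.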