From: Scott Morris (smorris@ipexpert.com)
Date: Mon Oct 15 2007 - 10:43:32 ART
Being that you have an IP access list, you are only looking at IP traffic to
begin with. So if an IPX packet comes in, there is nothing in that class
which will tell it to be evaluated.
You can use match-not anyplace you want, you just have to step through the
logic you build with the policy-map to see whether it makes most sense in
class-default or not.
And for your ports, that's fine, but why would you need 1720? It's TCP
anyway, and it's very low bandwidth. From a functional standpoint, we
typically only bother to set guarantees on the actual data stream itself.
(but the same logic of "it's low bandwidth" allows you to say "why not do
both then?") ;)
HTH,
Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713, JNCIE-M
#153, CISSP, et al.
CCSI/JNCI-M/JNCI-ER
VP - Technical Training - IPexpert, Inc.
IPexpert Sr. Technical Instructor
A Cisco Learning Partner - We Accept Learning Credits!
smorris@ipexpert.com
Telephone: +1.810.326.1444
Fax: +1.810.454.0130
http://www.ipexpert.com
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Simon Grace
Sent: Monday, October 15, 2007 3:08 AM
To: Brian McGahan
Cc: Jeff Koh; ccielab@groupstudy.com
Subject: RE: Question on QoS
Just so I get this straight (sorry if I'm repeating what's already been
said).
Even if the acl said permit ip any any and then we have a match NOT in the
class-map, it's not going to match everything BUT IP traffic.
Which would make me think that the only time for match not would be with the
default-class.
Getting back to the OP, I suppose if you want to match voice traffic then
have an ACL that permits tcp 1720 and udp range 16384 32767 and denies
everything else.
Cheers,
Simon
-----Original Message-----
From: Brian McGahan [mailto:bmcgahan@internetworkexpert.com]
Sent: Sunday, October 14, 2007 7:21 PM
To: Simon Grace
Cc: Jeff Koh; ccielab@groupstudy.com
Subject: Re: Question on QoS
Don't confuse "match not" with "don't match". The acl in the class
will not match non-IP traffic, instead it will not match IP traffic.
The deny in an acl says don't match, not match the opposite. In this
particular case then the acl does effectively nothing. Only dscp 43 and 46
will be matched.
HTH,
Brian McGahan, CCIE #8593 (R&S/SP/Security) bmcgahan@internetworkexpert.com
Internetwork Expert, Inc.
http://www.internetworkexpert.com
On Oct 14, 2007, at 10:49 AM, "Simon Grace" <SimonG@pcsystems.gr> wrote:
> Hi Jef
>
> I'm just about to finish up for the day but a quick one from me.
>
> The access list will not match anything as you don't have any permit
> statements and there is an explicit deny everything at the end. You need
> the ACL to match something if you are stating it with the match
> statement in the class-map.
>
> Off the top of my head, have you thought about permitting IP with the
> ACL and then doing a "match not" in the class-map.
>
> All of the above is a bit rushed but I thought I'd jot a couple of
> things down in case they gave you some other things to think about
>
> Cheers,
> Simon.
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf
> Of Jeff Koh
> Sent: Sunday, October 14, 2007 5:33 PM
> To: ccielab@groupstudy.com
> Subject: Re: Question on QoS
>
> Hi there,
>
> class-map match-any DSCP-IN-Voice
>  match access-group name DSCP-IN-Voice
>  match ip dscp ef
>  match ip dscp 43
>
> policy-map COS-IN
>  class DSCP-IN-Voice
>   set ip dscp ef
>
> ip access-list extended DSCP-IN-Voice
>  deny ip any any
>
> interface Vlan200
>  service-policy input COS-IN
>
> In the class-map, the first match statement is in fact deny any ip. My
> question is, does this condition match and it will move out of this
> class and set ip dscp ef?
>
> Or it should never be matched since the access-list will only be
> matched for a permit statement else it won't? Since I have the
> match-any on the class-map it will go to the next statement? thanks!!
>
> thanks!
>
> jef
>
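The matching behaviour discussed in this thread, as an added Python sketch that is not from any of the posters: it models only IP packets, and the Packet fields, helper names and sample packets are constructed assumptions. It evaluates the posted match-any class, the "match not" with "permit ip any any" idea, and the voice-port ACL against the same four packets.

```python
# Added illustration: simplified model of class-map matching, IP packets only.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:                  # constructed sample fields
    proto: str                 # "tcp" or "udp"
    dport: int
    dscp: int

def acl_permits(acl, pkt):
    """First matching entry wins; no entry matching is the implicit deny."""
    for action, proto, lo, hi in acl:
        if proto in ("ip", pkt.proto) and lo <= pkt.dport <= hi:
            return action == "permit"
    return False

def match_acl(acl, negate=False):
    # An ACL deny means "this statement does not match", never "match the opposite".
    return lambda pkt: acl_permits(acl, pkt) != negate

def match_dscp(value):
    return lambda pkt: pkt.dscp == value

def classify(statements, pkt, mode="any"):
    """mode 'any' models match-any, 'all' models match-all."""
    hits = [stmt(pkt) for stmt in statements]
    return any(hits) if mode == "any" else all(hits)

DENY_ALL = [("deny", "ip", 0, 65535)]        # ACL DSCP-IN-Voice as posted
PERMIT_ALL = [("permit", "ip", 0, 65535)]    # "permit ip any any"
VOICE = [("permit", "tcp", 1720, 1720),      # ports suggested in the thread
         ("permit", "udp", 16384, 32767)]    # everything else: implicit deny

# class-map match-any DSCP-IN-Voice: access-group, dscp ef (46), dscp 43
POSTED_CLASS = [match_acl(DENY_ALL), match_dscp(46), match_dscp(43)]

SAMPLES = {                                  # constructed packets
    "rtp_ef": Packet("udp", 20000, 46),
    "dscp43": Packet("tcp", 80, 43),
    "web_be": Packet("tcp", 80, 0),
    "h225_be": Packet("tcp", 1720, 0),
}

def run(statements, mode="any"):
    return {name: classify(statements, p, mode) for name, p in SAMPLES.items()}

if __name__ == "__main__":
    print("posted class:", run(POSTED_CLASS))
    print("match not + permit ip any any:", run([match_acl(PERMIT_ALL, negate=True)]))
    print("voice ACL:", run([match_acl(VOICE)]))
```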
This archive was generated by hypermail 2.1.4 : Fri Nov 16 2007 - 13:11:15 ART