RE: mls qos use policy-map for marking

From: Bao Bao Chou <apache7220_at_hotmail.com>
Date: Wed, 21 Apr 2010 07:43:38 +0000

Hi Joe

Yes, I did the same configuration as you did, and the ping results in the same ACL hit, and show policy-map interface fa0/1 shows nothing, as you said.

Now if I use

R1------cat1--------cat2-------r2,

mark all incoming traffic from R1 as EF on cat1, with the ports between cat1 and cat2 being trunk ports that trust DSCP, can R2 still see the EF marking?

Thank you so much.

> From: jastorino_at_ipexpert.com
> Date: Wed, 21 Apr 2010 03:00:51 -0400
> Subject: Re: mls qos use policy-map for marking
> To: kagahian_at_ccbootcamp.com
> CC: apache7220_at_hotmail.com; ccielab_at_groupstudy.com
>
> Oh, BTW "show policy-map interface" is not "supported" on the 3550 : )
> Yes, it will run but the numbers basically mean nothing : ) To test
> your markings try something like what I have shown above.
>
> On Wed, Apr 21, 2010 at 2:54 AM, Joe Astorino <jastorino_at_ipexpert.com> wrote:
> > What does your configuration look like? I have tested this myself and
> > it seems to work for me. However, I would agree with Kambiz that you
> > should check out the documentation:
> >
> > R1---Cat1---R2
> >
> > Here I have R1 and R2 connected to the same 3550 switch: They operate
> > on VLAN 12 on the 12.12.12.0/24 subnet. I have the following ACL
> > configured on R2 inbound:
> > access-list 101 permit ip any any dscp ef
> > access-list 101 permit ip any any dscp default
> >
> >
> > Cat1
> > --------
> >
> > mls qos
> > !
> > vlan 12
> > !
> > access-list 101 permit ip any any
> > !
> > class-map match-all MARK-EF
> >  match access-group 101
> > !
> > !
> > policy-map foo
> >  class MARK-EF
> >   set dscp ef
> > !
> > interface FastEthernet0/1
> >  description R1
> >  switchport access vlan 12
> >  switchport mode access
> >  spanning-tree portfast
> >  service-policy input foo
> > !
> > interface GigabitEthernet0/2
> >  description R2
> >  switchport access vlan 12
> >  switchport mode access
> >  spanning-tree portfast
> >
> >
> > Here are the results when R2 pings R1. Note that the 3550 marks the
> > return packet as DSCP EF:
> >
> > R2#show access-list 101
> > Extended IP access list 101
> >     10 permit ip any any dscp ef
> >     20 permit ip any any dscp default
> >
> > R2#sh run int gi0/0 | i access
> >  ip access-group 101 in
> >
> > R2#ping 12.12.12.1
> >
> > Type escape sequence to abort.
> > Sending 5, 100-byte ICMP Echos to 12.12.12.1, timeout is 2 seconds:
> > !!!!!
> > Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
> > R2#show access-list 101
> > Extended IP access list 101
> >     10 permit ip any any dscp ef (5 matches)
> >     20 permit ip any any dscp default
> >
> >
> > With regards to your "mls qos trust dscp" on a trunk port -- Yes, it
> > is a layer 2 port but it is still a layer 3 switch : ) The 3550 still
> > has the ability to look into the IP header and take action based on
> > that information. If you configure that command it will allow the
> > trunk to trust the layer 3 DSCP markings on incoming IP traffic
> >
> >
> >
> >
> >
> > On Wed, Apr 21, 2010 at 2:27 AM, Kambiz Agahian <kagahian_at_ccbootcamp.com> wrote:
> >> Hi Bao,
> >>
> >> Instead of a YES/NO answer I want you to spend a couple of hours on the
> >> following link:
> >>
> >> http://www.cisco.com/en/US/products/hw/switches/ps646/products_tech_note09186a00800feff5.shtml
> >>
> >> Believe me; rarely does Cisco develop such a nice article.
> >>
> >> --------------------------
> >> Kambiz Agahian
> >> CCIE (R&S)
> >> CCSI, WAASSE, RSSSE
> >> Technical Instructor
> >> CCBOOTCAMP - Cisco Learning Solutions Partner (CLSP)
> >> Email: kagahian_at_ccbootcamp.com
> >> Toll Free: 877-654-2243
> >> International: +1-702-968-5100
> >> Skype: skype:ccbootcamp?call
> >> FAX: +1-702-446-8012
> >> YES! We take Cisco Learning Credits!
> >> Training And Remote Racks: http://www.ccbootcamp.com
> >> OEQ Voice Waiver: http://www.ccbootcamp.com/noeqvoice.html
> >> OEQ R&S Waiver: http://www.ccbootcamp.com/noeqrs.html
> >> OEQ Commercial: http://www.ccbootcamp.com/noeq.mp
> >>
> >>
> >>
> >>
> >>
> >> -----Original Message-----
> >> From: nobody_at_groupstudy.com on behalf of Bao Bao Chou
> >> Sent: Tue 4/20/2010 10:50 PM
> >> To: ccielab_at_groupstudy.com
> >> Subject: mls qos use policy-map for marking
> >>
> >> Hi Group Study experts
> >>
> >> Recently I tested using a policy-map for marking on my 3550 switch, and found some
> >> problems.
> >>
> >> First, I configured a class map to match all the traffic, and used a policy-map
> >> to match that class and set DSCP EF. Then I applied that policy map to the
> >> incoming direction of an access port (layer 2), which is connected to a router.
> >> After that I tried generating some traffic from the router, and then on the
> >> switch, I found there was nothing matched when I tried "show policy-map
> >> interface".
> >>
> >> But after I changed the switch port to a layer 3 port, the marking was
> >> successfully done.
> >>
> >> So I am wondering whether policy-map marking only works on a layer 3 port. Please
> >> help me to confirm it. Thanks a lot.
> >>
> >>
> >> And by the way, what is the meaning if I put "mls qos trust dscp" on a trunk
> >> port? Since a trunk port is a layer 2 port, it won't check the layer 3 portion, will
> >> it?
> >>
> >> Blogs and organic groups at http://www.ccie.net
> >>
> >> _______________________________________________________________________
> >> Subscription information may be found at:
> >> http://www.groupstudy.com/list/CCIELab.html
> >>
> >
> >
> >
> > --
> > Regards,
> >
> >
> >
> > Joe Astorino - CCIE #24347
> > Sr. Technical Instructor - IPexpert
> > Mailto: jastorino_at_ipexpert.com
> > Telephone: +1.810.326.1444
> > Live Assistance, Please visit: www.ipexpert.com/chat
> > eFax: +1.810.454.0130
> >
> > IPexpert is a premier provider of Self-Study Workbooks, Video on
> > Demand, Audio Tools, Online Hardware Rental and Classroom Training for
> > the Cisco CCIE (R&S, Voice, Security & Service Provider)
> > certification(s) with training locations throughout the United States,
> > Europe, South Asia and Australia. Be sure to visit our online
> > communities at www.ipexpert.com/communities and our public website at
> > www.ipexpert.com
> >
>
>
>
                                               
Received on Wed Apr 21 2010 - 07:43:38 ART
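
The R1---cat1---cat2---R2 case raised at the top of this message, written out as an added example (not configuration posted by anyone in the thread): it reuses the quoted Cat1 policy and the R2 ACL-counter test, and adds a second 3550 whose trunk trusts DSCP. The inter-switch port (Gi0/1) and the Cat2 port facing R2 (Fa0/2) are assumed numbers.

```cisco
! Added example; Gi0/1 (trunk) and Cat2 Fa0/2 (R2) are assumed port numbers.
!
! ---- Cat1: mark on ingress from R1, as in the quoted configuration ----
mls qos
vlan 12
!
access-list 101 permit ip any any
!
class-map match-all MARK-EF
 match access-group 101
!
policy-map foo
 class MARK-EF
  set dscp ef
!
interface FastEthernet0/1
 description R1
 switchport access vlan 12
 switchport mode access
 service-policy input foo
!
interface GigabitEthernet0/1
 description Trunk to Cat2 (assumed port)
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
! ---- Cat2: the trunk is the ingress port for packets already marked EF ----
mls qos
vlan 12
!
interface GigabitEthernet0/1
 description Trunk to Cat1 (assumed port)
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ! With "mls qos" enabled a port is untrusted by default and the DSCP
 ! of incoming IP packets is rewritten to 0; trusting DSCP keeps EF.
 mls qos trust dscp
!
interface FastEthernet0/2
 description R2 (assumed port)
 switchport access vlan 12
 switchport mode access
!
! ---- R2: count arriving markings with the same ACL used in the thread ----
access-list 101 permit ip any any dscp ef
access-list 101 permit ip any any dscp default
!
interface GigabitEthernet0/0
 ip access-group 101 in
```

Ping R1 from R2 and compare `show access-list 101` on R2 before and after: hits on the `dscp ef` entry mean the marking crossed the trunk intact. Removing `mls qos trust dscp` from the Cat2 trunk and repeating the ping moves the hits to the `dscp default` entry.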
