Marc,
If I understand what you are trying to do, try this:
! Known subnet is denied here, so it does not match class VOIP
ip access-list extended EF
 deny ip 10.1.1.0 0.0.0.255 any dscp ef
 permit ip any any dscp ef
ip access-list extended KNOWN-ACL
 permit ip 10.1.1.0 0.0.0.255 any dscp ef
class-map match-all VOIP
 match access-group name EF
class-map match-all KNOWN-APP
 match access-group name KNOWN-ACL
policy-map POLICE
 ! Unknown EF sources: trusted but policed
 class VOIP
  police 128000 8000 exceed-action drop
  trust dscp
 ! Known EF sources: trusted, no policer
 class KNOWN-APP
  trust dscp
interface FastEthernet0/1
 service-policy input POLICE
I think what you are missing is that you can set the trust setting on each
class-map. I hope that's what you were looking for. I haven't tested the
config, just for syntax. Let me know if that works for you. I used a 3560
Catalyst for this.
Thanks
Tom
On Wed, Feb 13, 2013 at 1:10 PM, marc edwards <renorider_at_gmail.com> wrote:
> ip access list extended EF deny ip 10.1.1.0 0.0.0.255 any dscp EF
> <---known so bypass policer
> ip access list EF permit ip any any dscp EF <--- unknown so police
>
> class-map VOICE
> match access-group EF
>
> policy-map POLICE
> class VOICE <Corrected
> police 128 k 8000
>
> On Wed, Feb 13, 2013 at 11:09 AM, marc edwards <renorider_at_gmail.com> wrote:
> > BTW disappointed to find out 2960 doesn't have ingress queuing :( keep
> > that in mind
> >
> > On Wed, Feb 13, 2013 at 11:08 AM, marc edwards <renorider_at_gmail.com> wrote:
> >> Thanks Tom. I am looking for a way to trust known apps w/out policer
> >> but trust unknown apps w/policer AKA
> >>
> >> ip access list extended EF deny ip 10.1.1.0 0.0.0.255 any dscp EF <---
> >> known so bypass policer
> >> ip access list EF permit ip any any dscp EF
> >>
> >> class-map VOICE
> >> match access-group EF
> >>
> >> policy-map POLICE
> >> class EF
> >> police 128 k 8000
> >>
> >> Then trust all markings but have a policer to ward off any apps we
> >> don't want hogging pipe. Does that make sense?
> >>
> >> Marc
> >>
> >> On Wed, Feb 13, 2013 at 10:37 AM, Tom Kacprzynski <tom.kac_at_gmail.com> wrote:
> >>> I believe you'll be able to do that as long as your policy-map does not have
> >>> any classification included. I think if it does, once you apply the
> >>> policy-map it will remove the port trust.
> >>> Can you send the policy-map?
> >>>
> >>> Thanks
> >>>
> >>>
> >>> Tom Kacprzynski
> >>>
> >>>
> >>> On Sat, Feb 9, 2013 at 8:40 PM, marc edwards <renorider_at_gmail.com> wrote:
> >>>>
> >>>> Can I trust and have service-policy policer work together?
> >>>>
> >>>> Is the following config kosher?
> >>>>
> >>>> !
> >>>> interface GigabitEthernet1/0/1
> >>>> switchport access vlan 7
> >>>> srr-queue bandwidth share 10 10 60 20
> >>>> priority-queue out
> >>>> mls qos trust dscp
> >>>> service-policy input INTOPORT
> >>>> !
> >>>>
> >>>>
> >>>> Blogs and organic groups at http://www.ccie.net
> >>>>
> >>>>
> _______________________________________________________________________
> >>>> Subscription information may be found at:
> >>>> http://www.groupstudy.com/list/CCIELab.html
Received on Wed Feb 13 2013 - 14:20:15 ART
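
Added example, not part of the original thread and not tested on a switch: a small Python model of which class in policy-map POLICE a packet lands in under the config in Tom's reply. It assumes that a deny entry in a class-map's ACL means the packet is not matched by that class and is tested against the next one; the function names and the "class-default" fallback label are hypothetical.

```python
import ipaddress

# ACLs and policy-map order copied from the reply above (class name KNOWN-APP).
ACLS = {
    "EF": ["deny ip 10.1.1.0 0.0.0.255 any dscp ef",
           "permit ip any any dscp ef"],
    "KNOWN-ACL": ["permit ip 10.1.1.0 0.0.0.255 any dscp ef"],
}
POLICY = [("VOIP", "EF", ["police 128000 8000 exceed-action drop", "trust dscp"]),
          ("KNOWN-APP", "KNOWN-ACL", ["trust dscp"])]
DSCP = {"ef": 46}

def _addr(tokens):
    """Consume 'any' or 'net wildcard' and return (net_int, wildcard_int)."""
    if tokens[0] == "any":
        tokens.pop(0)
        return 0, 0xFFFFFFFF
    net, wild = tokens.pop(0), tokens.pop(0)
    return int(ipaddress.IPv4Address(net)), int(ipaddress.IPv4Address(wild))

def parse_ace(line):
    """Parse '<action> ip <src> <dst> [dscp <name>]' into a tuple."""
    t = line.split()
    action, _proto = t.pop(0), t.pop(0)
    src, dst = _addr(t), _addr(t)
    dscp = DSCP[t[1]] if t[:1] == ["dscp"] else None
    return action, src, dst, dscp

def _ip_match(ip, spec):
    net, wild = spec
    # Wildcard bits set to 1 are "don't care" bits.
    return (int(ipaddress.IPv4Address(ip)) | wild) == (net | wild)

def acl_result(name, src, dst, dscp):
    """First matching entry wins; falling off the end is the implicit deny."""
    for action, s, d, want in map(parse_ace, ACLS[name]):
        if _ip_match(src, s) and _ip_match(dst, d) and want in (None, dscp):
            return action
    return "deny"

def classify(src, dst, dscp):
    """Return (class, actions) for the first class whose ACL permits the packet."""
    for cls, acl, actions in POLICY:
        if acl_result(acl, src, dst, dscp) == "permit":
            return cls, actions
    return "class-default", []
```

EF traffic from 10.1.1.0/24 is denied by ACL EF, skips class VOIP and is trusted without a policer in KNOWN-APP, while EF from any other source hits the policer in VOIP.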