Tom,
That is right on spot. I will test and let you know.
Regards,
Marc
On Wed, Feb 13, 2013 at 12:20 PM, Tom Kacprzynski <tom.kac_at_gmail.com> wrote:
> Marc,
> If I understand what you are trying to do try this:
>
>
> ip access-list extended EF
>  deny ip 10.1.1.0 0.0.0.255 any dscp ef
>  permit ip any any dscp ef
>
> ip access-list extended KNOWN-ACL
>  permit ip 10.1.1.0 0.0.0.255 any dscp ef
>
> class-map match-all VOIP
>  match access-group name EF
>
> class-map match-all KNOWN-APP
>  match access-group name KNOWN-ACL
>
> policy-map POLICE
>  class VOIP
>   police 128000 8000 exceed-action drop
>   trust dscp
>  class KNOWN-APP
>   trust dscp
>
> interface FastEthernet0/1
>  service-policy input POLICE
>
> I think what you are missing is that you can set the trust setting on each
> class-map. I hope that's what you were looking for. I haven't tested the
> config, just for syntax. Let me know if that works for you. I used 3560
> Catalyst for this.
>
>
> Thanks
>
> Tom
>
> On Wed, Feb 13, 2013 at 1:10 PM, marc edwards <renorider_at_gmail.com> wrote:
>>
>> ip access list extended EF deny ip 10.1.1.0 0.0.0.255 any dscp EF
>> <---known so bypass policer
>> ip access list EF permit ip any any dscp EF <--- unknown so police
>>
>> class-map VOICE
>> match access-group EF
>>
>> policy-map POLICE
>> class VOICE <Corrected
>> police 128 k 8000
>>
>> On Wed, Feb 13, 2013 at 11:09 AM, marc edwards <renorider_at_gmail.com>
>> wrote:
>> > BTW disappointed to find out 2960 doesn't have ingress queuing :( keep
>> > that in mind
>> >
>> > On Wed, Feb 13, 2013 at 11:08 AM, marc edwards <renorider_at_gmail.com>
>> > wrote:
>> >> Thanks Tom. I am looking for a way to trust known apps w/out policer
>> >> but trust unknown apps w/policer AKA
>> >>
>> >> ip access list extended EF deny ip 10.1.1.0 0.0.0.255 any dscp EF <---
>> >> known so bypass policer
>> >> ip access list EF permit ip any any dscp EF
>> >>
>> >> class-map VOICE
>> >> match access-group EF
>> >>
>> >> policy-map POLICE
>> >> class EF
>> >> police 128 k 8000
>> >>
>> >> Then trust all markings but have a policer to ward off any apps we
>> >> don't want hogging pipe. Does that make sense?
>> >>
>> >> Marc
>> >>
>> >> On Wed, Feb 13, 2013 at 10:37 AM, Tom Kacprzynski <tom.kac_at_gmail.com>
>> >> wrote:
>> >>> I believe you'll be able to do that as long as your policy-map does
>> >>> not have
>> >>> any classification included. I think if it does, once you apply the
>> >>> policy-map it will remove the port trust.
>> >>> Can you send the policy-map?
>> >>>
>> >>> Thanks
>> >>>
>> >>>
>> >>> Tom Kacprzynski
>> >>>
>> >>>
>> >>> On Sat, Feb 9, 2013 at 8:40 PM, marc edwards <renorider_at_gmail.com>
>> >>> wrote:
>> >>>>
>> >>>> Can I trust and have service-policy policer work together?
>> >>>>
>> >>>> Is the following config kosher?
>> >>>>
>> >>>> !
>> >>>> interface GigabitEthernet1/0/1
>> >>>> switchport access vlan 7
>> >>>> srr-queue bandwidth share 10 10 60 20
>> >>>> priority-queue out
>> >>>> mls qos trust dscp
>> >>>> service-policy input INTOPORT
>> >>>> !
>> >>>>
>> >>>>
>> >>>> Blogs and organic groups at http://www.ccie.net
>> >>>>
>> >>>>
>> >>>> _______________________________________________________________________
>> >>>> Subscription information may be found at:
>> >>>> http://www.groupstudy.com/list/CCIELab.html
Received on Wed Feb 13 2013 - 13:32:20 ART