I also believe we have on our blog an article written by Vik Malhi
that touches on this subject:
This is part #1 of a 3-part series:
--
Marko Milivojevic - CCIE #18427 (SP R&S)
Senior CCIE Instructor / Managing Partner - IPexpert

On Wed, Feb 13, 2013 at 1:32 PM, marc edwards <renorider_at_gmail.com> wrote:
> Tom,
>
> That is right on spot. I will test and let you know.
>
> Regards,
>
> Marc
>
> On Wed, Feb 13, 2013 at 12:20 PM, Tom Kacprzynski <tom.kac_at_gmail.com> wrote:
>> Marc,
>> If I understand what you are trying to do, try this:
>>
>> ip access-list extended EF
>>  deny ip 10.1.1.0 0.0.0.255 any dscp ef
>>  permit ip any any dscp ef
>>
>> ip access-list extended KNOWN-ACL
>>  permit ip 10.1.1.0 0.0.0.255 any dscp ef
>>
>> class-map match-all VOIP
>>  match access-group name EF
>>
>> class-map match-all KNOWN-APP
>>  match access-group name KNOWN-ACL
>>
>> policy-map POLICE
>>  class VOIP
>>   police 128000 8000 exceed-action drop
>>   trust dscp
>>  class KNOWN-APP
>>   trust dscp
>>
>> interface FastEthernet0/1
>>  service-policy input POLICE
>>
>> ..I think what you are missing is that you can set trust setting on each
>> class-map. I hope that's what you were looking for. I haven't tested the
>> config, just for syntax. Let me know if that works for you. I used 3560
>> Catalyst for this.
>>
>> Thanks
>>
>> Tom
>>
>> On Wed, Feb 13, 2013 at 1:10 PM, marc edwards <renorider_at_gmail.com> wrote:
>>>
>>> ip access list extended EF deny ip 10.1.1.0 0.0.0.255 any dscp EF
>>> <---known so bypass policer
>>> ip access list EF permit ip any any dscp EF <--- unknown so police
>>>
>>> class-map VOICE
>>> match access-group EF
>>>
>>> policy-map POLICE
>>> class VOICE <Corrected
>>> police 128 k 8000
>>>
>>> On Wed, Feb 13, 2013 at 11:09 AM, marc edwards <renorider_at_gmail.com>
>>> wrote:
>>> > BTW disappointed to find out 2960 doesn't have ingress queuing :( keep
>>> > that in mind
>>> >
>>> > On Wed, Feb 13, 2013 at 11:08 AM, marc edwards <renorider_at_gmail.com>
>>> > wrote:
>>> >> Thanks Tom. I am looking for a way to trust known apps w/out policer
>>> >> but trust unknown apps w/policer AKA
>>> >>
>>> >> ip access list extended EF deny ip 10.1.1.0 0.0.0.255 any dscp EF <---
>>> >> known so bypass policer
>>> >> ip access list EF permit ip any any dscp EF
>>> >>
>>> >> class-map VOICE
>>> >> match access-group EF
>>> >>
>>> >> policy-map POLICE
>>> >> class EF
>>> >> police 128 k 8000
>>> >>
>>> >> Then trust all markings but have a policer to ward off any apps we
>>> >> don't want hogging pipe. Does that make sense?
>>> >>
>>> >> Marc
>>> >>
>>> >> On Wed, Feb 13, 2013 at 10:37 AM, Tom Kacprzynski <tom.kac_at_gmail.com>
>>> >> wrote:
>>> >>> I believe you'll be able to do that as long as your policy-map does
>>> >>> not have any classification included. I think if it does, once you
>>> >>> apply the policy-map it will remove the port trust.
>>> >>> Can you send the policy-map?
>>> >>>
>>> >>> Thanks
>>> >>>
>>> >>> Tom Kacprzynski
>>> >>>
>>> >>> On Sat, Feb 9, 2013 at 8:40 PM, marc edwards <renorider_at_gmail.com>
>>> >>> wrote:
>>> >>>>
>>> >>>> Can I trust and have service-policy policer work together?
>>> >>>>
>>> >>>> Is the following config kosher?
>>> >>>>
>>> >>>> !
>>> >>>> interface GigabitEthernet1/0/1
>>> >>>>  switchport access vlan 7
>>> >>>>  srr-queue bandwidth share 10 10 60 20
>>> >>>>  priority-queue out
>>> >>>>  mls qos trust dscp
>>> >>>>  service-policy input INTOPORT
>>> >>>> !
>>> >>>>
>>> >>>> Blogs and organic groups at http://www.ccie.net
>>> >>>>
>>> >>>> _______________________________________________________________________
>>> >>>> Subscription information may be found at:
>>> >>>> http://www.groupstudy.com/list/CCIELab.html

Received on Wed Feb 13 2013 - 15:45:14 ART
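
Added example, not part of the original thread or anyone's posted config: a small Python model of how the EF / KNOWN-ACL class-maps and the 128000 bps / 8000 byte policer quoted above sort and police packets. It assumes a deny ACE makes a packet skip that class so the next class is tried, and it uses a simplified single token bucket; the 192.0.2.9 source, packet sizes and timestamps are constructed.

```python
import ipaddress

EF = 46                                       # DSCP Expedited Forwarding
KNOWN = ipaddress.ip_network("10.1.1.0/24")   # 10.1.1.0 0.0.0.255 in the thread
# Ordered ACEs: (action, source network or None for "any", DSCP to match).
ACLS = {
    "EF": [("deny", KNOWN, EF), ("permit", None, EF)],
    "KNOWN-ACL": [("permit", KNOWN, EF)],
}
POLICY = [("VOIP", "EF"), ("KNOWN-APP", "KNOWN-ACL")]  # class order in POLICE

def acl_permits(acl, src, dscp):
    """First matching ACE decides; no match is the implicit deny."""
    for action, net, want in ACLS[acl]:
        if dscp == want and (net is None or ipaddress.ip_address(src) in net):
            return action == "permit"
    return False

def classify(src, dscp):
    """Assumption: a deny ACE skips that class and the next class is tried."""
    for cls, acl in POLICY:
        if acl_permits(acl, src, dscp):
            return cls
    return "class-default"

class Policer:
    """Simplified single token bucket for 'police 128000 8000 exceed-action drop'."""
    def __init__(self, rate_bps=128000, burst_bytes=8000):
        self.rate, self.burst = rate_bps / 8, burst_bytes  # rate in bytes/second
        self.tokens, self.last = float(burst_bytes), 0.0
    def conforms(self, now, size):
        # Refill for the elapsed time, capped at the burst size.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if size > self.tokens:
            return False                      # exceed-action drop
        self.tokens -= size
        return True

def run(packets):
    # packets: (time_s, src, dscp, size_bytes) -> [(class, verdict), ...]
    policer, out = Policer(), []
    for t, src, dscp, size in packets:
        cls = classify(src, dscp)
        ok = cls != "VOIP" or policer.conforms(t, size)  # only VOIP is policed
        out.append((cls, "forward" if ok else "drop"))
    return out

# Constructed sample: one known-subnet EF packet, a burst of unknown EF, one non-EF.
SAMPLE = [(0.0, "10.1.1.5", EF, 1000)] + [(0.0, "192.0.2.9", EF, 1000)] * 9 + \
         [(0.5, "192.0.2.9", EF, 1000), (0.5, "192.0.2.9", 0, 1000)]
```

Calling `run(SAMPLE)` shows the known-subnet EF packet bypassing the policer, the ninth back-to-back unknown EF packet exceeding the 8000-byte burst, and policed traffic passing again once the bucket has refilled.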