For anyone else in the future who may be experiencing a similar issue: Problem turned out to be QoS ACL matching conditions. Docs here state:
http://www.cisco.com/c/en/us/td/docs/switches/metro/me3600x_3800x/software/release/15-5_1_S/configuration/guide/3800x3600xscg/swqos.html

"Not all IP ACL options are supported in QoS ACLs. Only these protocols are supported for permit actions in an IP ACL: TCP, and UDP

Although you can configure many options in ACLs, only some are supported for QoS ACLs. For permit protocol, the supported keywords are: tcp, and udp. For source and destination address, the supported entries are ip-address, any, or host. For match criteria, the supported keywords are dscp or tos. You can also specify a time-range."

I ended up having to modify the ACLs to only match on IP and remove the ICMP ACE and it works.

-evt

> -----Original Message-----
> From: cisco-nsp [mailto:[email protected]] On Behalf Of Eric
> Van Tol
> Sent: Friday, June 16, 2017 11:37 AM
> To: [email protected]
> Subject: [c-nsp] Matching EXP bits in ME3600
>
> Hi all,
> Working on ME3600X-24FS on 15.4(3)S6a and I am testing out a very simple QoS
> policy and it's not working. Here's my config:
>
> class-map match-all ING-EF-CLASS
>  match access-group name EF-CLASS-ACL
> class-map match-all ING-EF-CLASS-EXP
>  match mpls experimental topmost 5
> !
> ip access-list extended EF-CLASS-ACL
>  permit udp any any dscp ef
>  permit udp any any dscp cs5
>  permit udp any any precedence critical
>  permit icmp any any dscp ef
>  deny ip any any
> !
> policy-map ING-UPLINK
>  class ING-EF-CLASS
>   set ip dscp ef
>  class ING-EF-CLASS-EXP
>   set mpls experimental topmost 5
> !
> interface GigabitEthernet0/24
>  no switchport
>  mtu 9800
>  ip address 10.0.10.2 255.255.255.252
>  ip mtu 9100
>  ip router isis
>  mpls ip
>  mpls mtu 9100
>  service-policy input ING-UPLINK
>
> It seems that every packet on the wire is matching the class
> 'ING-EF-CLASS-EXP':
>
> ME3600X#sh policy-map interface
> GigabitEthernet0/24
>
>   Service-policy input: ING-UPLINK
>
>     Class-map: ING-EF-CLASS (match-all)
>       0 packets, 0 bytes
>       30 second offered rate 0000 bps, drop rate 0000 bps
>       Match: access-group name EF-CLASS-ACL
>       set dscp 46
>
>     Class-map: ING-EF-CLASS-EXP (match-all)
>       1710 packets, 175484 bytes
>       30 second offered rate 1000 bps, drop rate 0000 bps
>       Match: mpls experimental topmost 5
>       set mpls exp topmost 5
>
>     Class-map: class-default (match-any)
>       0 packets, 0 bytes
>       30 second offered rate 0000 bps, drop rate 0000 bps
>       Match: any
>
> I've verified through packet captures that NO traffic I am sending across
> this link should be matching the EXP class-map. All the traffic being
> matched is verified to be straight IP or ISO (IS-IS) with no MPLS
> encapsulation. What is happening here?
>
> -evt
> _______________________________________________
> cisco-nsp mailing list [email protected]
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
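
The restriction quoted from the Cisco guide in the reply above can be checked mechanically before an ACL is attached to a class-map. The following is an added example, not part of the original thread and not Cisco code: the function names are hypothetical, the rules come only from the quoted passage, and it assumes ACEs without port operators.

```python
# Supported QoS ACL options, taken only from the Cisco passage quoted in the reply.
PERMIT_PROTOCOLS = {"tcp", "udp"}
MATCH_KEYWORDS = {"dscp", "tos", "time-range"}

# Constructed sample input: the ACL as posted in the original message.
SAMPLE_ACL = """\
ip access-list extended EF-CLASS-ACL
 permit udp any any dscp ef
 permit udp any any dscp cs5
 permit udp any any precedence critical
 permit icmp any any dscp ef
 deny ip any any
"""

def _skip_address(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D wildcard'."""
    if not tokens:
        return tokens
    if tokens[0] == "any":
        return tokens[1:]
    return tokens[2:]  # 'host x' and 'address wildcard' both take two tokens

def lint_qos_acl(text):
    """Return (line_no, ace, reason) for permit ACEs outside the quoted limits."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        tokens = raw.split()
        if tokens and tokens[0].isdigit():
            tokens = tokens[1:]  # drop an ACE sequence number if present
        if len(tokens) < 2 or tokens[0] != "permit":
            continue  # the quoted restriction is stated for permit actions only
        proto, rest = tokens[1], tokens[2:]
        if proto not in PERMIT_PROTOCOLS:
            findings.append((no, raw.strip(), f"protocol '{proto}' not supported"))
        # Assumption: no port operators, so source and destination come first.
        rest = _skip_address(_skip_address(rest))
        # Remaining tokens are treated as keyword/value pairs (simplification).
        for kw in rest[::2]:
            if kw not in MATCH_KEYWORDS:
                findings.append((no, raw.strip(), f"match keyword '{kw}' not listed"))
    return findings

if __name__ == "__main__":
    for no, ace, reason in lint_qos_acl(SAMPLE_ACL):
        print(f"line {no}: {ace} -> {reason}")
```

Run against the posted ACL, it reports the `precedence` ACE and the `icmp` ACE; deny entries are skipped because the quoted text only constrains permit actions.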
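Review bot: The posted policy-map classifies MPLS packets with `match mpls experimental topmost 5` in class ING-EF-CLASS-EXP while every counter lands there and ING-EF-CLASS stays at 0 packets, so the `sh policy-map interface` output by itself cannot show which ACE made the ACL class unusable. When changing EF-CLASS-ACL, remove one unsupported entry at a time (`permit icmp any any dscp ef`, then `permit udp any any precedence critical`) and re-check the ING-EF-CLASS counters after each change, so the fix is attributable to a specific ACE rather than to the rewrite as a whole.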
