> James Bensley
> Sent: Saturday, June 24, 2017 8:50 AM
>
> On 21 Jun 2017 14:24, "Eric Van Tol" <[email protected]> wrote:
>
> For anyone else in the future who may be experiencing a similar issue:
>
> Problem turned out to be QoS ACL matching conditions. Docs here state:
>
> http://www.cisco.com/c/en/us/td/docs/switches/metro/me3600x_3800x/software/release/15-5_1_S/configuration/guide/3800x3600xscg/swqos.html
>
> "Not all IP ACL options are supported in QoS ACLs. Only these protocols are
> supported for permit actions in an IP ACL: TCP, and UDP
>
> Although you can configure many options in ACLs, only some are supported
> for QoS ACLs.
>
> For permit protocol, the supported keywords are: tcp, and udp.
> For source and destination address, the supported entries are ip-address,
> any, or host.
> For match criteria, the supported keywords are dscp or tos. You can also
> specify a time-range."
>
> I ended up having to modify the ACLs to only match on IP and remove the
> ICMP ACE and it works.
>
> -evt
>
>
> Hi Eric,
>
> Sorry for the late response, I wanted to say that the problem here is likely
> the ACL on the IP interface. We tested IP address matching ACLs on a layer 3
> interface on a 15.3.3 version of IOS and it basically didn't work.
>
> As per the link you have provided not many features can be "matched" in the
> ACL, we had to reduce the ACEs to be broader than we originally wanted. We
> also tried on an SVI and I don't think we matched any traffic at the time (this
> was an older buggy IOS version). In the end we just stopped using IPs in QoS
> ACLs and just match on qos-group, DSCP and EXP. These three are working
> fine for us.
>

Oh and I seem to remember there's also the limitation on which match criteria can be combined, but I can't find it in my notes, it was something like L2 fields, L3 fields and some selected mix, but for example you could not match for Dot1.p and EXP at the same time.

adam

netconsultings.com
::carrier-class solutions for the telecommunications industry::
