Catalyst QoS: VLAN Access-map for IP traffic filtering
September 12, 2008 at 3:31 pm | In QoS, Switching
Task: Configure a VLAN access-map that allows only Telnet, ping, and routing (OSPF) traffic within VLAN145.
If the default action of the VLAN access-map is to drop, we must explicitly permit ARP frames as well; otherwise two PC hosts within VLAN145 won't be able to ARP for each other's MAC address, and connectivity between them will fail.
Configuration
access-list 100 permit tcp any any eq telnet
access-list 100 permit tcp any eq telnet any
access-list 100 permit icmp any any echo
access-list 100 permit icmp any any echo-reply
access-list 100 permit ospf any any
!
mac access-list extended ARP
 permit any any 0x806 0x0
!
vlan access-map VLAN145_FILTER 10
 action forward
 match ip address 100
vlan access-map VLAN145_FILTER 15
 action forward
 match mac address ARP
vlan access-map VLAN145_FILTER 20
 action drop
!
vlan filter VLAN145_FILTER vlan-list 145
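The first-match evaluation of this access-map can be modelled in a few lines. The sketch below is an added example, not part of the original post or of Cisco software; it simplifies ACL matching to protocol and port, uses constructed sample frames, and shows why ARP reaches the catch-all drop in sequence 20 when sequence 15 is left out.

```python
# Added illustration (not from the original post): a simplified model of how
# the VLAN145_FILTER access-map is evaluated. Sample frames are constructed.
ETH_IP, ETH_ARP = 0x0800, 0x0806

def acl_100(f):
    """IP access-list 100: Telnet in either direction, ping, OSPF."""
    if f["ethertype"] != ETH_IP:
        return False                      # an IP ACL cannot match a non-IP frame
    proto = f.get("proto")
    if proto == "tcp":                    # 'any any eq telnet' / 'any eq telnet any'
        return 23 in (f.get("sport"), f.get("dport"))
    if proto == "icmp":
        return f.get("icmp_type") in ("echo", "echo-reply")
    return proto == "ospf"

def mac_arp(f):
    """MAC access-list ARP: permit any any 0x806 0x0."""
    return f["ethertype"] == ETH_ARP

def build_map(with_arp_entry=True):
    """Sequences of VLAN145_FILTER; sequence 15 can be left out for comparison."""
    entries = [(10, acl_100, "forward")]
    if with_arp_entry:
        entries.append((15, mac_arp, "forward"))
    entries.append((20, lambda f: True, "drop"))   # no match clause: catches all
    return entries

def evaluate(vmap, frame):
    """Return (sequence, action) of the first entry that matches the frame."""
    for seq, match, action in sorted(vmap, key=lambda e: e[0]):
        if match(frame):
            return seq, action
    raise LookupError("no entry matched")  # not reached: sequence 20 matches all

SAMPLE_FRAMES = {  # constructed traffic between two hosts in VLAN 145
    "arp":        {"ethertype": ETH_ARP},
    "telnet":     {"ethertype": ETH_IP, "proto": "tcp", "sport": 40000, "dport": 23},
    "telnet-rep": {"ethertype": ETH_IP, "proto": "tcp", "sport": 23, "dport": 40000},
    "ping":       {"ethertype": ETH_IP, "proto": "icmp", "icmp_type": "echo"},
    "ospf":       {"ethertype": ETH_IP, "proto": "ospf"},
    "http":       {"ethertype": ETH_IP, "proto": "tcp", "sport": 40001, "dport": 80},
}

def verdicts(vmap):
    return {name: evaluate(vmap, f) for name, f in SAMPLE_FRAMES.items()}

if __name__ == "__main__":
    for label, vmap in (("with seq 15", build_map()), ("without seq 15", build_map(False))):
        print(label, verdicts(vmap))
```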
Catalyst QoS – Using Hierarchical Policy-Maps for Policing Markdown on 3560
September 12, 2008 at 11:44 am | In QoS, Switching
Configuration
SW2#
class-map match-all IP_TRAFFIC
 match access-group 100
class-map match-all INPUT_INTERFACES
 match input-interface FastEthernet0/13 - FastEthernet0/15
!
!
policy-map POLICE_32K
 class INPUT_INTERFACES
  police 32000 8000 exceed-action policed-dscp-transmit
policy-map POLICE_64K
 class INPUT_INTERFACES
  police 64000 8000 exceed-action policed-dscp-transmit
policy-map POLICE_VLAN200
 class IP_TRAFFIC
  set ip precedence 5
  service-policy POLICE_64K
policy-map POLICE_VLAN100
 class IP_TRAFFIC
  set ip precedence 4
  service-policy POLICE_32K
mls qos map policed-dscp 32 to 24
mls qos map policed-dscp 40 to 32
mls qos
interface range fa0/13-15
 mls qos vlan-based
interface Vlan100
 service-policy input POLICE_VLAN100
!
interface Vlan200
 service-policy input POLICE_VLAN200
Verification
SW1#ping 200.0.0.4 rep 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 200.0.0.4, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 1/2/9 ms
SW2#sh mls qos interface fa0/4 statistics
FastEthernet0/4 (All statistics are in packets)
dscp: incoming
-------------------------------
0 - 4 : 0 0 0 0 0
5 - 9 : 0 0 0 0 0
10 - 14 : 0 0 0 0 0
15 - 19 : 0 0 0 0 0
20 - 24 : 0 0 0 0 0
25 - 29 : 0 0 0 0 0
30 - 34 : 0 0 18 0 0
35 - 39 : 0 0 0 0 0
40 - 44 : 82 0 0 0 0
45 - 49 : 0 0 0 0 0
50 - 54 : 0 0 0 0 0
55 - 59 : 0 0 0 0 0
60 - 64 : 0 0 0 0
dscp: outgoing
-------------------------------
0 - 4 : 0 0 0 0 0
5 - 9 : 0 0 0 0 0
10 - 14 : 0 0 0 0 0
15 - 19 : 0 0 0 0 0
20 - 24 : 0 0 0 0 0
25 - 29 : 0 0 0 0 0
30 - 34 : 0 0 18 0 0
35 - 39 : 0 0 0 0 0
40 - 44 : 82 0 0 0 0
45 - 49 : 0 0 0 0 0
50 - 54 : 0 0 0 0 0
55 - 59 : 0 0 0 0 0
60 - 64 : 0 0 0 0
cos: incoming
-------------------------------
0 - 4 : 102 0 0 0 0
5 - 7 : 0 0 0
cos: outgoing
-------------------------------
0 - 4 : 0 0 0 0 18
5 - 7 : 82 0 0
Policer: Inprofile: 0 OutofProfile: 0
SW2#clear mls qos int statistic
SW1#ping 100.0.0.4 rep 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 100.0.0.4, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 1/3/9 ms
SW2#sh mls qos interface fa0/4 statistics
FastEthernet0/4 (All statistics are in packets)
dscp: incoming
-------------------------------
0 - 4 : 0 0 0 0 0
5 - 9 : 0 0 0 0 0
10 - 14 : 0 0 0 0 0
15 - 19 : 0 0 0 0 0
20 - 24 : 0 0 0 0 26
25 - 29 : 0 0 0 0 0
30 - 34 : 0 0 74 0 0
35 - 39 : 0 0 0 0 0
40 - 44 : 0 0 0 0 0
45 - 49 : 0 0 0 0 0
50 - 54 : 0 0 0 0 0
55 - 59 : 0 0 0 0 0
60 - 64 : 0 0 0 0
dscp: outgoing
-------------------------------
0 - 4 : 0 0 0 0 0
5 - 9 : 0 0 0 0 0
10 - 14 : 0 0 0 0 0
15 - 19 : 0 0 0 0 0
20 - 24 : 0 0 0 0 26
25 - 29 : 0 0 0 0 0
30 - 34 : 0 0 74 0 0
35 - 39 : 0 0 0 0 0
40 - 44 : 0 0 0 0 0
45 - 49 : 0 0 0 0 0
50 - 54 : 0 0 0 0 0
55 - 59 : 0 0 0 0 0
60 - 64 : 0 0 0 0
cos: incoming
-------------------------------
0 - 4 : 109 0 0 0 0
5 - 7 : 0 0 0
cos: outgoing
-------------------------------
0 - 4 : 0 0 0 26 74
5 - 7 : 0 0 0
Policer: Inprofile: 0 OutofProfile: 0
SW2#show mls qos maps policed-dscp
Policed-dscp map:
d1 : d2 0 1 2 3 4 5 6 7 8 9
---------------------------------------
0 : 00 01 02 03 04 05 06 07 08 09
1 : 10 11 12 13 14 15 16 17 18 19
2 : 20 21 22 23 24 25 26 27 28 29
3 : 30 31 24 33 34 35 36 37 38 39
4 : 32 41 42 43 44 45 46 47 48 49
5 : 50 51 52 53 54 55 56 57 58 59
6 : 60 61 62 63
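To tie the counters above to the configuration, the following added example (not from the original post) parses the non-zero `dscp: outgoing` rows copied from the two outputs and splits the packets into in-profile and marked-down, using the two policed-dscp mappings from the configuration. The function names are hypothetical, and it assumes the counters were cleared before each ping, as the post does between tests.

```python
# Added illustration (not from the original post): reads 'dscp: outgoing' rows
# of 'show mls qos interface ... statistics' and splits the packets into
# in-profile and marked-down using the policed-dscp mappings from the post.
import re

POLICED_DSCP = {32: 24, 40: 32}   # mls qos map policed-dscp 32 to 24 / 40 to 32

# Non-zero rows copied from the two outputs in the post (all other rows are 0).
VLAN200_ROWS = """\
30 - 34 : 0 0 18 0 0
40 - 44 : 82 0 0 0 0
"""
VLAN100_ROWS = """\
20 - 24 : 0 0 0 0 26
30 - 34 : 0 0 74 0 0
"""

ROW = re.compile(r"^\s*(\d+)\s*-\s*(\d+)\s*:\s*([\d\s]+)$")

def parse_dscp_rows(text):
    """Return {dscp: packets} for every non-zero counter in the table rows."""
    counts = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue                      # headers, separators, blank lines
        first = int(m.group(1))           # DSCP value of the row's first column
        for offset, value in enumerate(m.group(3).split()):
            if int(value):
                counts[first + offset] = int(value)
    return counts

def split_by_policer(counts, marked_dscp):
    """marked_dscp is the DSCP set by the parent policy (IP precedence * 8)."""
    down = POLICED_DSCP[marked_dscp]      # value written by policed-dscp-transmit
    other = {d: n for d, n in counts.items() if d not in (marked_dscp, down)}
    return {"in_profile": counts.get(marked_dscp, 0),
            "marked_down": counts.get(down, 0),
            "unexpected": other}

if __name__ == "__main__":
    print("VLAN200:", split_by_policer(parse_dscp_rows(VLAN200_ROWS), 5 * 8))
    print("VLAN100:", split_by_policer(parse_dscp_rows(VLAN100_ROWS), 4 * 8))
```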
Doc CD Navigation
- Catalyst 3560 Switch Software Configuration Guide, Rel. 12.2(46)S
- Configuring QoS
- Configuring Standard QoS
- Configuring a QoS Policy
- Classifying, Policing, and Marking Traffic on SVIs by Using Hierarchical Policy Maps
- Configuring DSCP Maps
- Configuring the Policed-DSCP Map
- Configuring a QoS Policy