[c-nsp] QoS configuration conflict for flowmask on SVI interface behind FWSM

Joseph Jackson recourse at gmail.com
Wed Nov 16 00:08:10 EST 2011


Hey List,

I'm wanting to apply a policy-map to rate limit a port that is a
member of a vlan that is configured as a firewalled vlan.  When I
apply the service-policy input to the port directly connected to the
server I get this message in the logs:


 %FM_EARL7-2-SWITCH_PORT_QOS_FLOWMASK_CONFLICT: QoS configuration on
switch port FastEthernet1/5 conflicts for flowmask with feature
configuration on SVI interface Vlan912


Vlan912 is the OUTSIDE interface for the FWSM.  I figured OK, maybe
that makes sense since the flows will be seen as ingress and egress
from that SVI.  Thinking that, I removed the service-policy from the
fastE1/5 and applied it to the vlan912 interface.  I checked the log
for any warning messages and see this new entry:



%FM-2-FLOWMASK_CONFLICT: Features configured on interface Vlan912 have
conflicting flowmask requirements, traffic may be switched in software



Now having traffic be switched by the sup720 isn't ideal. cisco.com
says "The configured features for this interface have a flow mask
conflict. The traffic on this interface and the interfaces sharing the
TCAM label with this interface may not comply with the features under
this condition. The traffic on these interfaces will be sent to the
software."

I'm reading this message as ONLY traffic sharing that TCAM label will
be affected, so only traffic that egresses/ingresses the FWSM outside
port will be software switched.  That might be OK since the traffic
levels are very light on that port, but I'd rather not have anything be
software switched.

So what's the best way to apply rate limiting to a port that is
configured as a member of a firewalled vlan?

Thanks!

