[c-nsp] Matching EXP bits in ME3600
Eric Van Tol
eric at atlantech.net
Wed Jun 21 08:24:12 EDT 2017
For anyone else in the future who may be experiencing a similar issue:
Problem turned out to be QoS ACL matching conditions. Docs here state:
http://www.cisco.com/c/en/us/td/docs/switches/metro/me3600x_3800x/software/release/15-5_1_S/configuration/guide/3800x3600xscg/swqos.html
"Not all IP ACL options are supported in QoS ACLs. Only these protocols are supported for permit actions in an IP ACL: TCP, and UDP
Although you can configure many options in ACLs, only some are supported for QoS ACLs.
For permit protocol, the supported keywords are: tcp, and udp.
For source and destination address, the supported entries are ip-address, any, or host.
For match criteria, the supported keywords are dscp or tos. You can also specify a time-range."
I ended up having to modify the ACLs to only match on IP and remove the ICMP ACE and it works.
-evt
> -----Original Message-----
> From: cisco-nsp [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Eric
> Van Tol
> Sent: Friday, June 16, 2017 11:37 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Matching EXP bits in ME3600
>
> Hi all,
> Working on ME3600X-24FS on 15.4(3)S6a and I am testing out a very simple QoS
> policy and it's not working. Here's my config:
>
> class-map match-all ING-EF-CLASS
>  match access-group name EF-CLASS-ACL
> class-map match-all ING-EF-CLASS-EXP
>  match mpls experimental topmost 5
> !
> ip access-list extended EF-CLASS-ACL
>  permit udp any any dscp ef
>  permit udp any any dscp cs5
>  permit udp any any precedence critical
>  permit icmp any any dscp ef
>  deny ip any any
> !
> policy-map ING-UPLINK
>  class ING-EF-CLASS
>   set ip dscp ef
>  class ING-EF-CLASS-EXP
>   set mpls experimental topmost 5
> !
> interface GigabitEthernet0/24
>  no switchport
>  mtu 9800
>  ip address 10.0.10.2 255.255.255.252
>  ip mtu 9100
>  ip router isis
>  mpls ip
>  mpls mtu 9100
>  service-policy input ING-UPLINK
>
> It seems that every packet on the wire is matching the class
> 'ING-EF-CLASS-EXP':
>
> ME3600X#sh policy-map interface
>  GigabitEthernet0/24
>
>   Service-policy input: ING-UPLINK
>
>     Class-map: ING-EF-CLASS (match-all)
>       0 packets, 0 bytes
>       30 second offered rate 0000 bps, drop rate 0000 bps
>       Match: access-group name EF-CLASS-ACL
>       set dscp 46
>
>     Class-map: ING-EF-CLASS-EXP (match-all)
>       1710 packets, 175484 bytes
>       30 second offered rate 1000 bps, drop rate 0000 bps
>       Match: mpls experimental topmost 5
>       set mpls exp topmost 5
>
>     Class-map: class-default (match-any)
>       0 packets, 0 bytes
>       30 second offered rate 0000 bps, drop rate 0000 bps
>       Match: any
>
> I've verified through packet captures that NO traffic I am sending across
> this link should be matching the EXP class-map. All the traffic being
> matched is verified to be straight IP or ISO (IS-IS) with no MPLS
> encapsulation. What is happening here?
>
> -evt
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
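
As an added example (not part of the original post and not Cisco tooling), the Python check below applies the restrictions quoted from the documentation above to the ACL posted in the quoted message. The function and constant names are hypothetical, the allowed sets are parameters, and it assumes the tokens after the two address specs come in keyword/value pairs; it reports only what the quoted text does not list.

```python
# Restrictions as quoted from the QoS guide in the post above (permit actions only).
DOC_PROTOCOLS = {"tcp", "udp"}
DOC_MATCH_KEYWORDS = {"dscp", "tos", "time-range"}

# ACL and one class-map as posted in the quoted message.
SAMPLE = """\
class-map match-all ING-EF-CLASS
 match access-group name EF-CLASS-ACL
!
ip access-list extended EF-CLASS-ACL
 permit udp any any dscp ef
 permit udp any any dscp cs5
 permit udp any any precedence critical
 permit icmp any any dscp ef
 deny ip any any
!
"""

def take_address(tokens):
    """Consume one address spec: 'any', 'host A', or 'A wildcard'."""
    if tokens[:1] == ["any"]:
        return tokens[1:]
    return tokens[2:]  # 'host A' and 'A wildcard' are both two tokens

def lint_qos_acl(config, protocols=DOC_PROTOCOLS, keywords=DOC_MATCH_KEYWORDS):
    """Return (acl, ace, reason) for permit ACEs outside the quoted limits."""
    findings, acl = [], None
    for raw in config.splitlines():
        tokens = raw.split()
        if tokens[:3] == ["ip", "access-list", "extended"] and len(tokens) == 4:
            acl = tokens[3]
        elif acl and tokens[:1] == ["permit"] and len(tokens) > 1:
            ace = " ".join(tokens)
            if tokens[1] not in protocols:
                findings.append((acl, ace, f"protocol '{tokens[1]}' not listed"))
            rest = take_address(take_address(tokens[2:]))
            # Assumption: remaining tokens are keyword/value pairs.
            for kw in rest[0::2]:
                if kw not in keywords:
                    findings.append((acl, ace, f"match keyword '{kw}' not listed"))
        elif tokens[:1] not in (["deny"], ["remark"]):
            acl = None  # any other line leaves ACL configuration mode

    return findings

if __name__ == "__main__":
    for acl, ace, reason in lint_qos_acl(SAMPLE):
        print(f"{acl}: {ace}: {reason}")
```
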