
Per-Port Per-Vlan alternative
November 13, 2008

I had an interesting issue yesterday. I needed to classify a client's Internet traffic with specific DSCP values so that it would bypass our Net-Caches. The first problem I ran into: the client was basically directly connected to our core infrastructure, sitting behind a Fortigate firewall, so there was no place to do the DSCP classification. The Fortigate's outside interface connects to a 3750 shared-hosting switch, which in turn connects into our core. An unusual setup.
At first I thought it would be easy enough to classify the client's traffic on a per-port, per-VLAN basis, only to find out that the 3750 runs the standard image, which doesn't support “match vlan”. Keep in mind that about 80-odd clients are connected through this switch on different VLANs, so an image upgrade was not an option.
A very basic diagram of the setup:
To get around this, I configured a nested (hierarchical) policy map and attached it to the SVI of the client's VLAN, so classification is done for this client only and for no one else.
! The client's /29: wildcard 0.0.0.7 is the inverse of mask 255.255.255.248
ip access-list extended CLIENT-ACL
 permit ip 19x.xx.xx.40 0.0.0.7 any
!
! Classify by source prefix (parent) and by ingress port (child)
class-map match-all CLIENT-ACL
 match access-group name CLIENT-ACL
class-map match-all CLIENT-INT
 match input-interface GigabitEthernet1/0/1
!
! Child (per-port) policy, keyed on the ingress interface
policy-map CLIENT-PMAP-INT
 class CLIENT-INT
  police 1000000000 1000000 exceed-action policed-dscp-transmit
! Parent policy: mark the client's prefix AF11 and hand off to the child policy
policy-map CLIENT-MAP
 class CLIENT-ACL
  set dscp af11
  service-policy CLIENT-PMAP-INT
!
! Attached only to the client's SVI, so no other VLAN is touched
interface Vlan657
 description CLIENT-outside
 ip address 19x.xx.xx.41 255.255.255.248
 service-policy input CLIENT-MAP
end