mls qos map cos-dscp 0 8 16 24 32 46 48 56
mls qos
...
policy-map POLICY-VOIP-LAN17
 class class-default
  trust cos
...
interface GigabitEthernet1/0/1
 description *** Uplink ***
 no switchport
 ip address 172.18.254.250 255.255.255.252
 mls qos trust dscp
...
interface GigabitEthernet1/0/24
 description *** Downlink ***
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 4094
 switchport trunk allowed vlan 31,33,41,101,102,117,1101,4094
 switchport mode trunk
 switchport nonegotiate
 mls qos vlan-based
!
interface Vlan117
 description *** LAN ***
 ip address 10.254.32.3 255.255.254.0
 service-policy input POLICY-VOIP-LAN17
Show mls qos interface statistic:
DSW1-2#sh mls qos interface g1/0/24 statistics
GigabitEthernet1/0/24 (All statistics are in packets)
dscp: incoming
-------------------------------
0 - 4 : 9579 0 0 0 0
5 - 9 : 0 0 0 0 0
10 - 14 : 0 0 0 0 0
15 - 19 : 0 0 0 0 0
20 - 24 : 0 0 0 0 6
25 - 29 : 0 0 0 0 0
30 - 34 : 0 0 0 0 0
35 - 39 : 0 0 0 0 0
40 - 44 : 364 0 0 0 0
45 - 49 : 0 0 0 30 0
50 - 54 : 0 0 0 0 0
55 - 59 : 0 0 0 0 0
60 - 64 : 0 0 0 0
dscp: outgoing
-------------------------------
0 - 4 : 7781 0 0 0 0
5 - 9 : 0 0 0 100 0
10 - 14 : 0 0 0 0 0
15 - 19 : 0 1 0 30 0
20 - 24 : 0 0 0 0 0
25 - 29 : 9 0 0 0 0
30 - 34 : 0 0 0 0 0
35 - 39 : 0 0 0 0 0
40 - 44 : 0 0 0 0 0
45 - 49 : 0 0 0 48 0
50 - 54 : 0 0 0 0 0
55 - 59 : 0 0 0 0 0
60 - 64 : 0 0 0 0
cos: incoming
-------------------------------
0 - 4 : 9609 1 0 6 1
5 - 7 : 364 30 22
cos: outgoing
-------------------------------
0 - 4 : 7911 100 31 9 0
5 - 7 : 0 48 0
output queues enqueued:
queue: threshold1 threshold2 threshold3
-----------------------------------------------
queue 0: 0 0 0
queue 1: 7914 160 93
queue 2: 40 0 0
queue 3: 6 0 14
output queues dropped:
queue: threshold1 threshold2 threshold3
-----------------------------------------------
queue 0: 0 0 0
queue 1: 0 0 0
queue 2: 0 0 0
queue 3: 0 0 0
Policer: Inprofile: 0 OutofProfile: 0
DSW1-2#sh mls qos interface g1/0/1 statistics
GigabitEthernet1/0/1 (All statistics are in packets)
dscp: incoming
-------------------------------
0 - 4 : 3370 0 0 0 0
5 - 9 : 0 0 0 338 0
10 - 14 : 11 0 0 0 0
15 - 19 : 0 4 0 139 0
20 - 24 : 0 0 0 0 94
25 - 29 : 1233 5 0 0 0
30 - 34 : 0 0 0 0 0
35 - 39 : 0 0 0 0 0
40 - 44 : 0 0 0 0 0
45 - 49 : 0 0 0 2 0
50 - 54 : 0 0 0 0 0
55 - 59 : 0 0 0 0 0
60 - 64 : 0 0 0 0
dscp: outgoing
-------------------------------
0 - 4 : 3271 0 0 0 0
5 - 9 : 0 0 0 0 0
10 - 14 : 0 0 0 0 0
15 - 19 : 0 0 0 0 0
20 - 24 : 0 0 0 0 0
25 - 29 : 0 0 0 0 0
30 - 34 : 0 0 0 0 0
35 - 39 : 0 0 0 0 0
40 - 44 : 0 0 0 0 0
45 - 49 : 0 0 0 2 0
50 - 54 : 0 0 0 0 0
55 - 59 : 0 0 0 0 0
60 - 64 : 0 0 0 0
cos: incoming
-------------------------------
0 - 4 : 5198 0 0 0 0
5 - 7 : 0 0 0
cos: outgoing
-------------------------------
0 - 4 : 3271 0 0 0 0
5 - 7 : 0 2 0
output queues enqueued:
queue: threshold1 threshold2 threshold3
-----------------------------------------------
queue 0: 0 0 0
queue 1: 3273 163 80
queue 2: 0 0 0
queue 3: 2 0 0
output queues dropped:
queue: threshold1 threshold2 threshold3
-----------------------------------------------
queue 0: 0 0 0
queue 1: 0 0 0
queue 2: 0 0 0
queue 3: 0 0 0
Policer: Inprofile: 0 OutofProfile: 0
Why do packets leave interface g1/0/1 not marked with DSCP 46 and 24?
You set your cos-dscp mapping so CoS 3 and 5 map to DSCP 24 and 46 respectively. But be advised, you use the CoS-to-DSCP map to map CoS values in incoming packets to a DSCP value that QoS uses internally to represent the priority of the traffic.
So, it does NOT mean that at the egress point your switch changes the incoming CoS to the mapped DSCP value. Actually, when you trust CoS on a dot1q ingress port, the switch uses that value or its equivalent DSCP mapping for QoS and queueing. It removes the dot1q tag and the CoS value, and at the egress rewrites it in order to retain the same value (trust). Since here your egress point is a Layer 3 interface, there is no dot1q tag, so no CoS!
I think it is a best practice to trust DSCP instead of CoS since you're changing to a Layer 3 network (egress), or explicitly configure to set the DSCP value of the packets you want for that interface.
Cisco 3560V2
Thursday, March 6, 2014
Thursday, February 27, 2014
B-ACD with Non CME 2900 series H323 Gateway
I got a request to block non-notice (calls with blank calling numbers) calls with voice prompt. The calls are coming from BRI configured in a 2921 H323 gateway.
For this I am thinking of putting BACD application with a welcome prompt for the caller and drop through after that to a random number to end the call. This is the only requirement and I am not planning to use the ACD feature of the script.
Can I do this with an H323 gateway 2921 that is not CME (only CME-SRST)? Is there any other better way to do this? In normal mode calls are going to CUCM 6.1 using voip dialpeers. Callmanager related configurations are not shown here.
Configuration:
------ Identifying blank calls
voice translation-rule 1
 rule 1 / / /100/
voice translation-profile PSTN_Calls
 translate calling 1
dial-peer voice 1 pots
 translation-profile incoming PSTN_Calls
 incoming called-number .
 direct-inward-dial
 port 0/1/1
------ Call application Configuration
dial-peer voice 2 voip
 service aa
 session target ipv4:<srst-cme ip>
 incoming called-number 100$
 dtmf-relay h245-alphanumeric
 codec g711ulaw
application
 service queue flash:app-b-acd-2.1.0.0.tcl
  param aa-hunt 200
 service aa flash:app-b-acd-a-2.1.0.0.tcl
  paramspace english index 1
  paramspace english language en
  paramspace english location flash:
  param service-name queue
  param handoff-string aa
  param aa-pilot 100
  param welcome-prompt custome_welcome.au
  param drop-through-prompt custome_welcome.au
------ To block call to 200 after the prompt
voice translation-rule 2
 rule 1 reject /200/
voice translation-profile UNKNOWN_BLOCK
 translate called 2
dial-peer voice 2 voip
 translation-profile outgoing UNKNOWN_BLOCK
 session target ipv4:<srst-cme ip>
 incoming called-number 200$
------ Telephony service for SRST and Transcoding in CME mode
telephony-service
 srst mode auto-provision all
 ip source address <loopback>
 max-dn 2
 max-ephone 2
Though you could do it with BACD & a drop through, I wouldn't do it like that. A cleaner solution is to throw the call to your AA (Unity, CUE, IPCC).
voice translation-rule 1
 rule 1 /.*/ /8675309/
voice translation-profile block
 translate called 1
dial-peer voice 1 pots
 answer-address ^$
 translation-profile incoming block
 direct-inward-dial
 port 0/0/0:23
dial-peer voice 2 voip
 destination-pattern 8675309
 ! Add other h323 peer stuff here....
What this does is match peer 1 inbound for any inbound POTS call that doesn't contain an ANI. It then takes that call and translates the DNIS to a special pattern, and sends it to CUCM. Then configure CUCM/Unity/whatever to route 8675309 to an AA that says 'Hey your call is being blocked because you aren't presenting CLID' and hang up.
Tuesday, February 25, 2014
DHCP Issue on 3560 Switch
I'm aiming to achieve something so simple I cannot believe it isn't working already!
Essentially I have a 24 port 3560 switch in our company DMZ. All ports on the switch are in VLAN98 (DMZ VLAN). A few servers with static IPs in the relevant range (192.168.98.0/24) are currently connected to the switch and work just fine.
I now want to create a DHCP pool on this switch as it is going to provide IP addresses for hosts connecting to public WiFi in the building.
The pool is as follows:
Start Address: 192.168.98.192
End Address: 192.168.98.254
x2 excluded addresses: 192.168.98.198 & 192.168.98.199
Default gateway: 192.168.98.1
Granted the address block is a little odd but I needed to grab the end of the subnet range in a way that would be easy to summarise the IP addresses for the firewall ACL (wanted to use 192.168.98.200-254 but 192.168.98.192 was the closest summary for that)
My switch config looks as attached - I have used Cisco documentation to do it but my connected client is not getting an IP address and the "debug dhcp" command has resulted in no output so far.
It's gotta be something silly but I can't see what. Any help greatly appreciated.
(The client is plugged into fa0/2 - all other unused ports are in the shutdown state)
That won't work. Your pool must be a /24 if it's a /24.
ip dhcp excluded-address 192.168.98.1 192.168.98.192
ip dhcp excluded-address 192.168.98.198 192.168.98.199
!
ip dhcp pool DMZ_Pool
 network 192.168.98.0 255.255.255.0
 default-router 192.168.98.1
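The configuration in the answer above, checked offline (an added example, not part of the original thread): this Python script parses the `excluded-address` and `network` lines and lists which addresses the switch can actually lease, then confirms they all fall inside the block the firewall ACL covers. The `/26` summary and the function names are assumptions; the question only names 192.168.98.192 as the summary address.

```python
import ipaddress

# The answer's configuration, embedded so the check runs offline.
CONFIG = """\
ip dhcp excluded-address 192.168.98.1 192.168.98.192
ip dhcp excluded-address 192.168.98.198 192.168.98.199
!
ip dhcp pool DMZ_Pool
 network 192.168.98.0 255.255.255.0
 default-router 192.168.98.1
"""

# Assumption: the firewall ACL summarises the WiFi clients as this block.
FIREWALL_SUMMARY = "192.168.98.192/26"


def leasable(config):
    """Return the host addresses the pool can hand out, in order."""
    excluded, network = [], None
    for line in config.splitlines():
        words = line.split()
        if words[:3] == ["ip", "dhcp", "excluded-address"]:
            low = ipaddress.IPv4Address(words[3])
            # A single-address exclusion has no upper bound on the line.
            high = ipaddress.IPv4Address(words[4]) if len(words) > 4 else low
            excluded.append((low, high))
        elif words[:1] == ["network"] and len(words) == 3:
            # Accepts "network A.B.C.D MASK" and "network A.B.C.D /LEN".
            network = ipaddress.IPv4Network(f"{words[1]}/{words[2].lstrip('/')}")
    if network is None:
        raise ValueError("no 'network <address> <mask>' line found")
    return [h for h in network.hosts()
            if not any(lo <= h <= hi for lo, hi in excluded)]


def outside_summary(addresses, summary=FIREWALL_SUMMARY):
    """Return leasable addresses the firewall summary would NOT match."""
    block = ipaddress.IPv4Network(summary)
    return [a for a in addresses if a not in block]


if __name__ == "__main__":
    pool = leasable(CONFIG)
    print(f"{len(pool)} leasable addresses: {pool[0]} to {pool[-1]}")
    print("outside firewall summary:", outside_summary(pool) or "none")
```

With the exclusions as posted, leases run from 192.168.98.193 to .197 and from .200 to .254, all inside the assumed /26.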
Monday, February 24, 2014
How to configure policy based routing on 3750
In our datacenter we have a WS-C3750X-12S-S stack with IP base image. I have enabled PBR and reloaded the switch. Show sdm prefer says I am using the default template. The reason I want to use PBR is that we have 2 firewalls on the same work and want to be able to have granular control over which gateway out of the network they use but still be able to access all internal resources across the WAN and locally.
Created access list to identify traffic:
access-list 10 permit 10.2.3.59 (test workstation on vlan 3)
Created policy:
route-map TestASA permit 10
 match ip address 10
 set ip next-hop 10.2.0.3
Assigned policy to the user vlan3:
ip policy route-map TestASA
Results:
It changed the default gateway to the above gateway but I could not access any resources on any other vlan, and could not access resources across the WAN.
Jason, the deny statement will prevent that traffic from being selected by PBR. Then that traffic will be forwarded by the normal routing table.
But I made a mistake. The ACL must be:
access-list 102 deny ip host 10.2.4.240 YOUR_VLAN_1
access-list 102 deny ip host 10.2.4.240 YOUR_VLAN_4
access-list 102 deny ip host 10.2.4.240 YOUR_VLAN_254
access-list 102 permit ip host 10.2.4.240 any
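Why the deny entries restore access to internal resources, as an added example that is not part of the original thread: this Python model evaluates a source-only ACL and the corrected ACL 102 with first-match semantics and reports whether a packet is policy-routed to 10.2.0.3 or left to the routing table. The three subnets standing in for `YOUR_VLAN_*` are assumptions, as are the function names.

```python
import ipaddress

# Assumed subnets standing in for the answer's YOUR_VLAN_* placeholders.
INTERNAL = ["10.2.1.0/24", "10.2.4.0/24", "10.2.254.0/24"]
HOST = "10.2.4.240"      # source host from the answer's ACL
NEXT_HOP = "10.2.0.3"    # "set ip next-hop" from the route-map

# Each entry is (action, source, destination); first match wins.
# A standard ACL matches on source only, so its destination is "any".
SOURCE_ONLY_ACL = [("permit", HOST + "/32", "any")]
CORRECTED_ACL = (
    [("deny", HOST + "/32", dst) for dst in INTERNAL]
    + [("permit", HOST + "/32", "any")]
)


def _net(text):
    return ipaddress.ip_network("0.0.0.0/0" if text == "any" else text)


def acl_action(acl, src, dst):
    """Return the action of the first matching entry."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, acl_src, acl_dst in acl:
        if s in _net(acl_src) and d in _net(acl_dst):
            return action
    return "deny"  # implicit deny at the end of every ACL


def forward(acl, src, dst):
    """Policy next hop if the route-map clause matches, else None.

    None means PBR did not select the packet and the normal routing
    table forwards it.
    """
    return NEXT_HOP if acl_action(acl, src, dst) == "permit" else None


if __name__ == "__main__":
    for dst in ("10.2.1.20", "10.2.254.7", "203.0.113.9"):
        print(dst,
              "source-only:", forward(SOURCE_ONLY_ACL, HOST, dst),
              "corrected:", forward(CORRECTED_ACL, HOST, dst))
```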
Tuesday, February 18, 2014
3900 ios gateway Software MTP
I currently have 3 call manager clusters.
Cluster 1
Cluster 2
SME Cluster
I have two 3900 gateways currently connected to cluster 2 that are configured as 500 software MTPs. That is all these gateways do now, nothing else.
I would like to share these software MTPs with the other 2 call manager clusters. I do not see a way to do this.
Is it possible to share the software MTPs between multiple CUCM 9.x clusters?
You cannot share the same dspfarm. You can however create separate dspfarms (subdividing the total capacity in the process) and separate call manager groups which point to separate clusters.
Thursday, February 13, 2014
SPAN configuration on 3750
I'm trying to configure a mirror port on a WS-C3750X-48T-L. This configuration needs to replicate data from local ports, but I need it to also act as a regular access port.
With the initial configuration, SPAN port, there is no problem; all the data of the configured ports is replicated on the configured port. On the port configured as mirror there is a PC connected for audio recording. When the port is not operating as SPAN there is communication without problem over the LAN. But when I configure the port as SPAN, communication is interrupted.
Here is the actual configuration:
SWITCH1-PISO7#sh monitor session 1
Session 1
Type : Local Session
Source Ports :
Both : Fa1/0/1-7,Fa1/0/9-12,Fa1/0/32-33,Fa1/0/35,Fa1/0/38
Destination Ports : Fa1/0/47
Encapsulation : Native
Ingress : Enabled, default VLAN = 215
Ingress encap : Untagged
SWITCH1-PISO7#sh run int fa1/0/47
Building configuration...
Current configuration : 112 bytes
interface FastEthernet1/0/47
 switchport access vlan 215
 switchport mode access
 spanning-tree portfast
end
SWITCH1-PISO7#sh ver
Cisco IOS Software, C3750 Software (C3750-IPSERVICES-M), Version 12.2(50)SE1, RELEASE SOFTWARE (fc2)
****output omitted****
Switch Ports Model SW Version SW Image
* 1 52 WS-C3750V2-48PS 12.2(50)SE1 C3750-IPSERVICES-M
****output omitted****
Beforehand, thanks for your help.
For the 3750 family, the span destination ingress forwarding capability's only purpose is to enable ingress traffic forwarding of frames received on the span destination port from an Intrusion Detection System (IDS) or comparable device. Like a span destination port without ingress forwarding, MAC address learning is disabled on a span destination port with ingress forwarding, and a span destination port with ingress forwarding does not transmit any traffic except that required for the SPAN session.
Wednesday, December 11, 2013
Cisco 3560 switchport light stays orange when VLAN is applied.
I have configured the WS-C3560X-24P-L switch port to the VLAN I require, and I am able to plug in a laptop and talk on the network correctly (pull DHCP and get on the internet on the correct network). But when I try plugging up my DSLAM the port stays orange. If I leave the VLAN set to the default (vlan1) it will turn green but as soon as I change the VLAN it turns orange again. The settings are the same on both DSLAMs as far as port and VLAN configuration goes. The port is linking up correctly at 100 Full on both sides.
I will add more information as I continue to troubleshoot this. But for now hopefully this should give a brief explanation of my problem in case I am just overlooking something very simple.
no cdp enable
spanning-tree bpdufilter enable