How can I handle a QoS condition with this statement:
All the traffic with source vlan 1 and destination IP = 1.1.1.254/24
I have tried this, but this isn't the correct way:
policy condition cond1 source vlan 1 destination ip 1.1.1.254 mask 255.255.255.0
But the switch interprets that command as follows:
cond1: SRC/DEST
VLAN: 2 -> any
IP: Any -> 1.1.1.254 mask 255.255.255.0
I need to block all the traffic from vlan 1 to one specific IP address. Is that possible?
Well, thanks for your time.
Regards
Help with QoS condition !!
-
one6f
Re: Help with QoS condition !!
Hi,
You can try to associate vlan1 with an IP range and create a simple IP-based policy rule for it:
qos
policy network group vlan1 10.1.0.0 mask 255.255.0.0 172.16.0.0 mask 255.255.0.0
policy condition vlan1 source network group vlan1 destination ip 1.1.1.254
policy action deny disposition deny
policy rule vlan1 precedence 50 condition vlan1 action deny
qos apply
Re: Help with QoS condition !!
Why do they have a precedence?
-
one6f
Re: Help with QoS condition !!
Here you don't need the precedence because you have only one rule, but it is good form to have this entry for later, especially with big ACLs. The rule precedence is based on the order in which the rule entries are entered, or on the precedence defined in the rule. Take a look at the QoS/ACL design guides for the 6800 or 6850.
-
20deoctubre
Re: Help with QoS condition !!
Hey one6f, your idea about network groups works well. I tried this:
policy network group IPinterfaces 101.40.4.110 101.40.4.111 101.40.4.112
policy condition cond1 source port 1/3 destination network group IPinterfaces
policy action accion disposition deny
But I want to be sure that I have understood the concept of the network group. Does my condition say this?
"All the traffic from port 1/3 with destination IPinterfaces will be blocked"
And another thing. When I type
qos apply
then all is working fine. But if I do a qos disable and then again a qos apply, the rules are not respected. Why is that? Or, how can I apply qos again?
Ah, and another question: why, when I apply qos policies to the switch, are the working and certified still synchronized? I mean, if I add a new port to a new VLAN, then the working and certified files are no longer synchronized. Why does this not happen with my qos policies?
Regards
-
one6f
Re: Help with QoS condition !!
> Hey one6f, your idea about network groups works well. I tried this:
> policy network group IPinterfaces 101.40.4.110 101.40.4.111 101.40.4.112
> policy condition cond1 source port 1/3 destination network group IPinterfaces
> policy action accion disposition deny
> But I want to be sure that I have understood the concept of the network group. Does my condition say this?
> "All the traffic from port 1/3 with destination IPinterfaces will be blocked"
Exactly. But you must take care that the reverse communication will be blocked too. In other words, you get no reply from the device on 1/3 if you try to ping it from the IPinterfaces group, although the device on 1/3 will get the ICMP requests and send ICMP replies.
> And another thing. When I type
> qos apply
> then all is working fine. But if I do a qos disable and then again a qos apply, the rules are not respected. Why is that? Or, how can I apply qos again?
You also need the qos enable command to activate QoS rules.
> Ah, and another question: why, when I apply qos policies to the switch, are the working and certified still synchronized? I mean, if I add a new port to a new VLAN, then the working and certified files are no longer synchronized. Why does this not happen with my qos policies?
Use the show configuration status command.
Working and certified will be different after the write memory command, since the running config will be written in working/boot.cfg.
-
sonicwu
Re: Help with QoS condition !!
Hello sir,
I have a 6850X-48 as the LAN core switch...
There are 6850 and 6400...
I think the core with the ACL/QoS policy for , ...
I want to block any source IP going to the internet, and allow only the 172.27.0.0/16, 172.28.0.0/16... subnets.
The LAN subnet is 172.21.0.0/16.
The commands that I tried are the following:
policy network group LAN 172.21.0.0 mask 255.255.0.0
policy network group LAN-172 172.27.0.0 mask 255.255.0.0 172.28.0.0 mask 255.255.0.0
policy condition c1 source network group LAN destination network group LAN-172
policy condition c2 source network group LAN destination ip any
policy action accept
policy action deny disposition deny
policy rule r1 condition c1 action accept
policy rule r2 condition c2 action deny
Is it RIGHT?
And there's a problem with the ip ospf interface dynamic routing when I do qos apply...
There are 6850s where the ospf interface works well, but I want subnets e.g. 172.21.10.0/24 or 172.21.11.0/24 etc.
to not be able to go to the internet, and to allow the subnet 172.27.0.0/16...,
I get the ospf routing table missing when I do qos apply...
Thanks for your help...
Re: Help with QoS condition !!
Hi,
You should also allow traffic from network group LAN to network group LAN.
And to work correctly you need precedences. Traffic that matches the allow condition also matches the deny condition, so you have to give rule r1 a higher precedence (e.g. 100) and r2 a lower one (e.g. 50).
I didn't understand your second question about OSPF. Is it the same switch?
And which policies do you activate with qos apply (run the following command after apply: show configuration snapshot qos)?
Or do you mean "qos enable/disable" (global switch on/off of all policies and qos settings)?
Regards
Silvio

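As an added worked example (not sonicwu's or Silvio's own configuration), here is sonicwu's rule set rewritten with Silvio's two corrections: an extra allow rule for LAN-to-LAN traffic, and explicit precedences so that both allow rules (100) are evaluated before the catch-all deny (50). The precedence keyword is written exactly as in one6f's earlier example, and the closing qos apply / qos enable follow one6f's answers above; the condition and rule names c0 and r0 are assumptions of this example, and the lines starting with "!" are annotations, not commands.

```text
! Added example: corrected policy set for the thread's LAN / LAN-172 scenario.
! c0 and r0 are names assumed for this example; the rest follows sonicwu's post.
policy network group LAN 172.21.0.0 mask 255.255.0.0
policy network group LAN-172 172.27.0.0 mask 255.255.0.0 172.28.0.0 mask 255.255.0.0

! Silvio's first point: LAN-to-LAN traffic also matches c2, so it needs its own allow.
policy condition c0 source network group LAN destination network group LAN
policy condition c1 source network group LAN destination network group LAN-172
policy condition c2 source network group LAN destination ip any

policy action accept
policy action deny disposition deny

! Silvio's second point: higher precedence wins, so the allow rules (100)
! are matched before the catch-all deny (50) for packets that match both.
policy rule r0 precedence 100 condition c0 action accept
policy rule r1 precedence 100 condition c1 action accept
policy rule r2 precedence 50 condition c2 action deny

qos apply
qos enable
```

After applying, Silvio's show configuration snapshot qos should list all three rules with their precedences. Keep one6f's earlier remark in mind when reading c2: a deny on "source LAN, destination any" also drops the replies a LAN host sends to anything outside LAN or LAN-172, so sessions initiated from outside toward LAN hosts will fail too, which is the intended effect here but is worth checking against what the LAN actually needs to reach.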