ip access-list qos
Defines a QoS remarking IP access list by name and enters access-list configuration mode.
Syntax: [no] ip access-list qos name
qos
    Defines a QoS remarking IP access list.
name
    Name of this access list. Names may be up to 256 characters and may consist of any alphanumeric characters, the underscore (_), and the hyphen (-). Case is significant.
Description: Access lists are filters that enable you to restrict the routing information a router learns from or advertises to a neighbor. Standard access lists create filters based on permit/deny, prefix, and prefix don't-care-bits. Extended access lists enable you to specify the type of protocol, network mask, and mask don't-care-bits as well as the elements that you can configure with a standard access list. Extended lists enable you to define range filters with masks and are more flexible for range matching.
NOTE: Only extended access lists can be used to filter data traffic that traverses the fabric. Only standard access lists are used for inbound and outbound server-based filtering.
Access lists implicitly deny all access that is not expressly permitted. The following line is auto-appended to all access lists:
deny ip any any
If it is desirable to override this implicit deny statement, enter a permit ip any any statement as the last entry in the access list.
All IP access lists can be named.
Use the ip access-list qos command to define a named access list for QoS remarking. This command names the access list and changes the command mode to access-list configuration mode. It is used for packet-based filtering in qos mode.
Enter the IP address and network mask for each system the access list controls. Use the permit and deny commands to specify whether that system is permitted access.
Once in access-list configuration mode, use the attributes listed in Table 5-1 to build configuration commands.
Table 5-2. QoS-based Packet Attributes and Valid Values
permit
    Permits access of the packet if the conditions are matched.
deny
    Denies access of the packet if the conditions are matched.
protocol
    Name or number of an Internet protocol. Name keywords are: icmp, igmp, ip, ipinip (IP encapsulated in IP), ospf, pim, rsvp, tcp, or udp. Number entries are standard Internet protocol numbers from 0 - 255. If a protocol is not specified, the entry applies to all protocols.
source
    IP address of the network or host sending the packet. The router compares routes being tested to this value. Specify the address using one of the following formats:
    - 32-bit IP address in dotted decimal format.
    - keyword any to specify a source and source-mask of 0.0.0.0 255.255.255.255
    - keyword host followed by the host address in dotted decimal notation, which specifies a source-mask of 0.0.0.0
    The source attribute applies to all protocols.
source-mask
    Network mask applied to the source address. Specify as a 32-bit IP address in dotted decimal format. The source-mask attribute applies to all protocols.
destination
    IP address of the network or host to which the packet is being sent. Specify the address using one of the following formats:
    - 32-bit IP address in dotted decimal format.
    - keyword any to specify a destination and destination-mask of 0.0.0.0 255.255.255.255
    - keyword host followed by the host address in dotted decimal notation, which specifies a destination-mask of 0.0.0.0
    The destination attribute applies to all protocols.
destination-mask
    Network mask applied to the destination address. Specify as a 32-bit IP address in dotted decimal format. The destination-mask attribute applies to all protocols.
operator
    For udp and tcp packets only. Compares ports.
    When used after the source IP address/source-mask, specifies a source port.
    When used after the destination IP address/destination-mask, specifies a destination port.
    Valid values are:
    - eq - specifies that the port number is equal to the operand.
    - range - specifies an inclusive range of ports in the operand delineated by a space, e.g. ports 1 through 3 would be entered 1 3.
    - gt - matches packets with a port number greater than the operand.
operand
    Specifies the port to compare (source or destination, depending on where the operator appears). Valid values are either a port number or a predefined port number keyword:
    0 - 65535 - port number
    Predefined port number keywords for tcp are:
    - bgp - Border Gateway Protocol (179)
    - cmd - Remote command execution (rexec, 514)
    - domain - Domain Name Service (53)
    - echo - Echo (7)
    - exec - Exec (rsh, 512)
    - ftp - File Transfer Protocol (21)
    - ftp-data - FTP data connections (used infrequently, 20)
    - login - Login (rlogin, 513)
    - netbios-dgm - NETBIOS Datagram Service (138)
    - netbios-ns - NETBIOS Name Service (137)
    - nntp - Network News Transport Protocol (119)
    - smtp - Simple Mail Transport Protocol (25)
    - snmp - Simple Network Management Protocol (161)
    - snmptrap - Simple Network Management Protocol Traps (162)
    - sunrpc - Sun Remote Procedure Call (111)
    - syslog - Syslog (514)
    - tacacs - TACACS database service (65)
    - telnet - Telnet (23)
    - www - World Wide Web (HTTP, 80)
    Predefined port number keywords for udp are:
    - bootpc - Client port for the bootp protocol
    - bootps - Server port for the bootp protocol
    - domain - Domain Name Service (53)
    - echo - UDP echo port (7)
    - cmd - Remote command execution (rexec, 514)
    - netbios-dgm - NETBIOS Datagram Service (138)
    - netbios-ns - NETBIOS Name Service (137)
    - ntp - Network Time Protocol packets
    - nntp - Network News Transport Protocol (119)
    - rip - RIP routing protocol packets
    - smtp - Simple Mail Transport Protocol (25)
    - snmp - SNMP packets
    - snmptrap - Simple Network Management Protocol Traps (162)
    - sunrpc - Sun Remote Procedure Call (111)
    - syslog - Syslog (514)
    - tacacs - TACACS database service (65)
    - tftp - Trivial File Transfer Protocol (69)
icmpType, icmpCode
    ICMP type and code as defined in RFC 792. For ICMP messages only.
icmpMessage
    ICMP message text. For ICMP messages only.
igmpType
    IGMP message type. For IGMP messages only.
established
    For the tcp protocol only. Indicates an established connection. A match occurs if the TCP datagram has the ACK or RST bit set. The non-matching case is the initial TCP datagram sent to form a connection.
eq | gt
    <0-65535> Port number, or one of the following predefined tcp port keywords:
    - bgp - Border Gateway Protocol (179)
    - cmd - Remote command execution (rexec, 514)
    - domain - Domain Name Service (53)
    - echo - Echo (7)
    - exec - Exec (rsh, 512)
    - ftp - File Transfer Protocol (21)
    - ftp-data - FTP data connections (used infrequently, 20)
    - login - Login (rlogin, 513)
    - netbios-dgm - NETBIOS Datagram Service (138)
    - netbios-ns - NETBIOS Name Service (137)
    - nntp - Network News Transport Protocol (119)
    - smtp - Simple Mail Transport Protocol (25)
    - snmp - Simple Network Management Protocol (161)
    - snmptrap - Simple Network Management Protocol Traps (162)
    - sunrpc - Sun Remote Procedure Call (111)
    - syslog - Syslog (514)
    - tacacs - TACACS database service (65)
    - telnet - Telnet (23)
    - www - World Wide Web (HTTP, 80)
fragment
    A match occurs on packet fragments (those packets with a non-zero fragment offset in their IP header). This keyword cannot be used if a port number is specified or if the established keyword is used.
tos range
    IP TOS byte value or range between 0 - 255. For a range, specify the low and high number delineated by a space.
    The tos attribute is not used for the ICMP or IGMP protocols.
dscp range
    An alternate form of expressing the TOS byte. This form matches bits ip.tos 7:2. The parameter can be a range, a value from 0 - 63, or a predefined keyword. The following keywords and their predefined values are supported:
    - ef = 46
    - af11 = 10
    - af12 = 12
    - af13 = 14
    - af21 = 18
    - af22 = 20
    - af23 = 22
    - af31 = 26
    - af32 = 28
    - af33 = 30
    - af41 = 34
    - af42 = 36
    - af43 = 38
    For a range, specify the low and high number delineated by a space.
length range
    The IP length field. The parameter can be either a single exact-match value from 0 - 65535 or a range of values. For a range, specify the low and high number delineated by a space. The 15 most significant bits are used for the access list length key.
log
    Generate a syslog message when at least one match occurs within a 10 second interval. The log attribute can be used by all protocols.
precedence range
    An alternate form of expressing the TOS byte. This form matches bits ip.tos 7:5. The parameter can be a range, a value from 0 - 7, or a predefined keyword. The following keywords are supported:
    - critical-ecp = 0xa0
    - internet-control = 0xc0
    - network-control = 0xe0
    - flash = 0x60
    - flash-override = 0x80
    - immediate = 0x40
    - priority = 0x20
    - routine = 0x00
    For a range, specify the low and high number delineated by a space.
range
    Specifies an inclusive range of ports in the operand delineated by a space, e.g. ports 1 through 3 would be entered 1 3. Valid values: <0-65535>.
classify psc dropPref fabricPriority
    Specifies remarking values for permit-only access-list entries for PSC, drop preference, and fabric priority as follows:
    psc - Specifies the PSC to be used for internal QoS processing of any valid packets for this ACL forwarded across the fabric. Valid values: 0 - 7. Default: None, a value must be specified.
    dropPref - Specifies the drop preference to be used for internal QoS processing of any valid packets for this ACL forwarded across the fabric. Valid values: green, yellow, red. Default: None, a value must be specified.
    fabricPriority - Specifies the fabric priority to be used for internal QoS processing of any valid packets for this ACL forwarded across the fabric. Valid values: best-effort, regulated, priority. Default: None, a value must be specified.
Use the [permit|deny] source source-mask syntax to create a standard address-based IP access list entry. Add entries to the list by repeating the command for different IP addresses.
Use the [permit|deny] source source-mask destination destination-mask syntax to create an extended address-based IP access list entry. Add entries to the list by repeating the command for different IP addresses.
Use the [permit|deny] ip source source-mask destination destination-mask [tos [range tos-range | tos-value | tos-keyword]] [length [range length-range | bytes]] [log] syntax to create an IP extended packet-based access list entry to filter any IP protocol packet, including ICMP, TCP, and UDP, based on its source, destination, TOS value, and length.
Use the [permit|deny] icmp source source-mask destination destination-mask [icmp-type [icmp-code] | icmp-message] [log] syntax to create an ICMP packet-based IP access list entry to filter any ICMP protocol packet based on its source, destination, and ICMP type, code, or message.
Use the [permit|deny] igmp source source-mask destination destination-mask [igmp-type] [log] syntax to create an IGMP packet-based IP access list entry to filter any IGMP protocol packet based on its source, destination, and IGMP type.
Use the [permit|deny] tcp source source-mask [operator operand] destination destination-mask [operator operand] [established] [fragment] [log] syntax to create a TCP protocol packet-based IP access list entry to filter individual packets based on their source, destination, source and destination ports, connection state, and fragmentation.
Use the [permit|deny] udp source source-mask [operator operand] destination destination-mask [operator operand] [tos [range tos-range | tos-value | tos-keyword]] [length [range length-range | bytes]] [log] [fragment] syntax to create a UDP protocol packet-based IP access list entry to filter individual packets based on their source, destination, source and destination ports, TOS value, length, and fragmentation.
Use the ip access-group interface configuration command to apply packet-based access lists to an interface.
Use the no ip access-list qos name form of the command to delete a named access list.
Note that a deny ip any any statement is automatically appended to all access lists.
Factory Default: No IP access lists defined.
Command Mode: Configuration.
Example: In the following example:
- An extended IP access list named src_filter is configured to deny packets from network 12.160.0.0/16.
- All forwarded packets from network 191.0.0.0/8 are remarked for internal QoS purposes with a PSC of 1, a drop preference of green, and a fabric priority of best-effort.
- All other packets are permitted.
- IP access list src_filter is associated with interface pos 1/14/1 for packets forwarded across the fabric.
router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
router(config)#ip access-list qos src_filter
router(config-ext-nacl)#deny ip 12.160.0.0 0.0.255.255
router(config-ext-nacl)#permit ip 191.0.0.0 0.255.255.255 any classify psc 1 droppref green fabricpriority best-effort
router(config-ext-nacl)#permit ip any any
router(config-ext-nacl)#exit
router(config)#interface pos 1/14/1
router(config-if)#ip access-group src_filter qos-in
router(config-if)#exit
router(config)#end
router#
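As an added illustration that is not part of this reference page or the router software, the following Python model applies the matching rules from the attribute table above (wildcard don't-care masks, first-match evaluation, the implicit deny ip any any, established, dscp, and the classify remark) to constructed packets. The dict field names, the packet representation, and the two extra tcp/udp entries are assumptions of the example.

```python
"""Constructed model of the ip access-list qos match rules on this page (not the
router's own code): masks are don't-care bits (1 = ignore), first match wins, an
implicit 'deny ip any any' ends the list, and a permit may carry a classify remark."""
from ipaddress import IPv4Address

ANY = ("0.0.0.0", "255.255.255.255")   # keyword 'any'; 'host X' is (X, "0.0.0.0")

def addr_match(addr, spec):
    """True if addr equals spec's base on every bit the wildcard mask leaves 0."""
    care = ~int(IPv4Address(spec[1])) & 0xFFFFFFFF
    return int(IPv4Address(addr)) & care == int(IPv4Address(spec[0])) & care

def port_match(cond, port):   # cond: None, ('eq', n), ('gt', n), ('range', lo, hi)
    if cond is None:
        return True
    op, *args = cond                     # args[-1] == args[0] for eq/gt
    return {"eq": port == args[0], "gt": port > args[0],
            "range": args[0] <= port <= args[-1]}[op]

def entry_match(e, pkt):      # e is one permit/deny entry built from the table
    if e.get("proto", "ip") != "ip" and e["proto"] != pkt["proto"]:
        return False
    if not (addr_match(pkt["src"], e.get("src", ANY))
            and addr_match(pkt["dst"], e.get("dst", ANY))):
        return False
    if not (port_match(e.get("sport"), pkt.get("sport", 0))
            and port_match(e.get("dport"), pkt.get("dport", 0))):
        return False
    if e.get("established") and not {"ACK", "RST"} & pkt.get("flags", set()):
        return False                     # the opening SYN is the non-matching case
    if "dscp" in e and pkt.get("tos", 0) >> 2 != e["dscp"]:
        return False                     # dscp is ip.tos bits 7:2
    return True

def evaluate(acl, pkt):
    """Return (action, classify) of the first matching entry, else implicit deny."""
    for e in acl:
        if entry_match(e, pkt):
            return e["action"], e.get("classify")
    return "deny", None

# The src_filter list from the example above without its final 'permit ip any
# any', plus two constructed entries using 'established' and 'dscp' (ef = 46).
SRC_FILTER = [
    {"action": "deny", "src": ("12.160.0.0", "0.0.255.255")},
    {"action": "permit", "src": ("191.0.0.0", "0.255.255.255"), "classify":
     {"psc": 1, "dropPref": "green", "fabricPriority": "best-effort"}},
    {"action": "permit", "proto": "tcp", "dport": ("eq", 23), "established": True},
    {"action": "permit", "proto": "udp", "dscp": 46},
]
```

Leaving out the trailing permit ip any any shows why the implicit deny matters: a telnet SYN or a UDP packet without the ef code point falls through every entry and is denied.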
Related Commands: show access-lists
show ip access-lists