
Per-Port Per-Vlan alternative

November 13, 2008

I had an interesting issue yesterday. I needed to classify a client's Internet traffic with specific DSCP values so it would bypass our Net-Caches. The first problem I ran into: the client was basically directly connected to our core infrastructure, sitting behind a Fortigate firewall, so there was no place to do the DSCP classification. The Fortigate's outside interface connects to a 3750 shared-hosting switch, and that connects into our core. An unusual setup.

At first I thought it would be easy enough to classify the client's traffic on a per-port, per-VLAN basis, only to find out the 3750 runs a standard image, one that doesn't support “match vlan”. Keep in mind that about 80-odd clients are connected through this switch via different VLANs, so an image upgrade was not an option.

A very basic diagram of the setup:

(diagram image not reproduced here)

To get around this, I configured a nested policy and tied it to the SVI for the client's VLAN, so classification is done only for this client and no one else.

! Classification ACL: the client's /29 (address obfuscated in the post)
ip access-list extended CLIENT-ACL
 permit ip 19x.xx.xx.40 0.0.0.7 any
!
! Parent-level class: traffic sourced from the client block
class-map match-all CLIENT-ACL
 match access-group name CLIENT-ACL
! Child-level class: the physical port the Fortigate connects to
class-map match-all CLIENT-INT
 match input-interface GigabitEthernet1/0/1
!
! Child (interface-level) policy: police at 1 Gbps, re-mark on exceed via the policed-DSCP map
policy-map CLIENT-PMAP-INT
 class CLIENT-INT
  police 1000000000 1000000 exceed-action policed-dscp-transmit
! Parent (VLAN-level) policy: mark the client's traffic AF11 and nest the port-level policer
policy-map CLIENT-MAP
 class CLIENT-ACL
  set dscp af11
  service-policy CLIENT-PMAP-INT
!
interface Vlan657
 description CLIENT-outside
 ip address 19x.xx.xx.41 255.255.255.248
 service-policy input CLIENT-MAP
end
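As an added example (not code from the original post), here is a small Python check for the classification half of the config above: it converts the ACL's wildcard mask into the prefix it covers, confirms that prefix is exactly the intended client block, and reports the DSCP value a given source address would receive from CLIENT-MAP. The addresses are constructed stand-ins for the post's obfuscated 19x.xx.xx.40/29.

```python
import ipaddress

# Constructed stand-ins for the post's obfuscated client block and SVI address.
CLIENT_ACL = [("permit", "192.0.2.40", "0.0.0.7")]   # same shape as CLIENT-ACL
SVI_ADDRESS = "192.0.2.41"
DSCP_VALUES = {"af11": 10, "af21": 18, "be": 0}     # AF11 = 10 per RFC 2597, BE = 0


def wildcard_to_network(address, wildcard):
    """Convert an IOS 'address wildcard' pair into the network it covers.

    A plain-prefix wildcard is a contiguous run of ones from the low end
    (0.0.0.7 -> /29); anything else cannot be expressed as a single prefix.
    """
    wc = int(ipaddress.IPv4Address(wildcard))
    if wc & (wc + 1):
        raise ValueError(f"non-contiguous wildcard {wildcard}: not a plain prefix")
    prefix_len = 32 - wc.bit_length()
    return ipaddress.ip_network(f"{address}/{prefix_len}", strict=False)


def classify(src_ip, acl, mark="af11"):
    """Walk the ACL top-down as the class-map does; first match wins.

    Returns the DSCP value the policy-map would set, or None when the
    source falls through to the implicit deny (i.e. class-default).
    """
    ip = ipaddress.IPv4Address(src_ip)
    for action, addr, wc in acl:
        if ip in wildcard_to_network(addr, wc):
            return DSCP_VALUES[mark] if action == "permit" else None
    return None


def acl_matches_prefix(acl, prefix):
    """True when the ACL's permit entries cover exactly the intended prefix.

    Catches the usual slip of a wildcard one bit too wide (0.0.0.15 would
    also mark the neighbouring /29) or too narrow (0.0.0.3 misses half).
    """
    covered = [wildcard_to_network(a, w) for act, a, w in acl if act == "permit"]
    return covered == [ipaddress.ip_network(prefix)]
```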



One comment

  1. I have a Fortigate 80CM in a colo that I can't get Internet working on WAN 2, an internet injection for a private IP VPN. The unit has just been replaced as I could not console into the old one (which had the same issue of no internet).

    The backup txt I created only had minimal config. I don't know the password for the .conf backup so am rebuilding the config myself, though I'm not a routing person and don't know Cisco or Fortigate.
    I have been connected to a laptop via RDP that is consoled via serial port and I am running Xshell into the CLI.

    I have enabled RIP on the two WAN interfaces.
    There is a virtual LAN set up so both WANs can communicate with each other.
    I have PATs to put in but no idea how.
    Any ideas?
    Please.
    I can set up remote access for anyone who could be willing to help.
