I had a interesting issue yesterday. I needed to classify a client Internet traffic with specific DSCP values to bypass our Net-Caches. The first problem I ran into, the client was basically directly connected to our core infrastructure, sitting behind a Fortigate Firewall, so no place for DSCP classification. The fortigate’s outside interface connects to a 3750 shared-hosting switch and that connects into our core. An unsual setup.
At first I thought, it should be easy enough to classify the clients traffic on Per-Port, Per-Vlan basis. Only to find out the 3750 has a standard Image, one that doesn’t support “match vlan”. Keep in mind about 80 odd clients are connected through to switch via different vlans, so an image upgrade was not a option.
A very basic diagram of the setup:
To get around the above issue, I configured a nested policy and tied it to the SVI interface for their vlan, thus only doing classification for this client and no-one else.
ip access-list extended CLIENT-ACL
permit ip 19x.xx.xx.40 0.0.0.7 any
class-map match-all CLIENT-ACL
match access-group name CLIENT-ACL
class-map match-all CLIENT-INT
match input-interface GigabitEthernet1/0/1
police 1000000000 1000000 exceed-action policed-dscp-transmit
set dscp af11
ip address 19x.xx.xx.41 255.255.255.248
service-policy input CLIENT-MAP