I had an interesting issue yesterday. I needed to classify a client's Internet traffic with specific DSCP values to bypass our Net-Caches. The first problem I ran into: the client was basically directly connected to our core infrastructure, sitting behind a Fortigate firewall, so there was no place for DSCP classification. The Fortigate's outside interface connects to a 3750 shared-hosting switch, and that connects into our core. An unusual setup.
At first I thought it should be easy enough to classify the client's traffic on a per-port, per-VLAN basis, only to find out the 3750 runs a standard image, one that doesn't support "match vlan". Keep in mind that about 80-odd clients are connected through this switch via different VLANs, so an image upgrade was not an option.
A very basic diagram of the setup:
To get around the above issue, I configured a nested (hierarchical) policy map and tied it to the SVI for their VLAN, so classification and marking happen only for this client's VLAN and for no one else.
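The shape of such a hierarchical policy on a Catalyst 3750, as a constructed example rather than the author's actual configuration: the VLAN number, client subnet, physical port, DSCP value and policer rate are all assumptions, and the child policy is there only because the 3750 requires an SVI policy map to nest a per-port (input-interface) child that polices.

```ios
! Constructed example for a Catalyst 3750 (IP Base image): mark one
! client's traffic on its VLAN SVI without needing "match vlan".
! Assumed values: VLAN 100, client subnet 192.0.2.0/24,
! uplink port Gi1/0/1 towards the Fortigate, DSCP cs1.
mls qos
!
! Identify the client's traffic by source address rather than by VLAN
ip access-list extended CLIENT-A-INTERNET
 permit ip 192.0.2.0 0.0.0.255 any
!
class-map match-all CLIENT-A
 match access-group name CLIENT-A-INTERNET
!
! Child (per-port) class: the 3750 only allows match input-interface
! here, and the child policy may only police, not mark
class-map match-all CLIENT-A-PORT
 match input-interface GigabitEthernet1/0/1
!
policy-map CLIENT-A-PORT-POLICE
 class CLIENT-A-PORT
  police 100000000 8000 exceed-action drop
!
! Parent (VLAN-level) policy: marks the DSCP and nests the child
policy-map CLIENT-A-VLAN
 class CLIENT-A
  set dscp cs1
  service-policy CLIENT-A-PORT-POLICE
!
! Tie the parent policy to this client's SVI only
interface Vlan100
 service-policy input CLIENT-A-VLAN
!
! Ports carrying this VLAN must be switched to VLAN-based QoS,
! otherwise the SVI policy is never consulted
interface GigabitEthernet1/0/1
 mls qos vlan-based
```

Confirm the marking is taking effect with `show policy-map interface vlan 100` and `show mls qos`; if the SVI policy shows no hits, check that every ingress port for that VLAN has `mls qos vlan-based` set.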