Use the ip access-list global configuration command to create Layer 3 ACLs and enter IP access-list configuration mode. To delete an IP ACL, use the no form of this command.
Syntax
ip access-list name
no ip access-list name
name - Enter the IP ACL name.
Default Configuration
The default is deny-all.
Command Mode
Global Configuration Mode
User Guidelines
The ip access-list command enters IP access-list configuration mode, in which the ACEs of the list are defined with permit (IP) and deny (IP).
Example
The following example creates an ACL named Dell.
Console (config)# ip access-list Dell
permit (IP)
Use the permit IP access-list configuration mode command to allow traffic if the conditions defined in the permit statement are matched.
Source IP address can be one of the following:
any - Packets received from any IP address.
source source-wildcard - IP address and wildcard for the host from which the packet is sent. A wildcard bit of 1 means the corresponding address bit is ignored and a wildcard bit of 0 means it must match, so an address with wildcard 0.0.0.0 matches that single host. To match any source, specify the IP address as 0.0.0.0 and the wildcard as 255.255.255.255.
Destination IP address can be one of the following:
any - Packets sent to any IP address.
destination destination-wildcard - IP address and wildcard for the host to which the packet is sent. To match any destination, specify the IP address as 0.0.0.0 and the wildcard as 255.255.255.255.
protocol - The name or the number of an IP protocol. Use ? to see the list of available protocols (icmp, igmp, ip, tcp, egp, igp, udp, hmp, rdp, idpr, ipv6, ipv6-route, ipv6-frag, idrp, rsvp, gre, esp, ah, ipv6-icmp, eigrp, ospf, ipip, pim, l2tp, isis); use any for all protocols.
destination-port - Specifies the UDP/TCP destination port. Use any for all ports.
source-port - Specifies the UDP/TCP source port. Use any for all ports.
dscp - Matches the given DSCP number against the packet DSCP value.
precedence - Matches the given IP precedence against the packet IP precedence value.
Default Configuration
This command has no default configuration.
Command Mode
IP Access-List Configuration Mode
User Guidelines
The matching criteria in IP-ACLs are defined in ACEs. The ACE is defined using the permit (IP) or deny (IP) command. Up to 256 ACEs are combined into an IP-ACL.
If there are no matches, the packets are denied.
Example
The following example creates an ACE allowing RSVP protocol traffic from 12.1.1.1 with DSCP 56.
deny (IP)
Use the deny IP access-list configuration mode command to deny traffic if the conditions defined in the deny statement are matched.
disable-port - If the statement is deny, the port is disabled when a packet matches the ACE. Use this with care: one matching packet takes the whole port, and every other host behind it, out of service, which makes it easy for a single host to cause a denial of service on a shared port.
Source IP address can be one of the following:
any - Packets received from any IP address.
source source-wildcard - IP address and wildcard for the host from which the packet is sent. To match any source, specify the IP address as 0.0.0.0 and the wildcard as 255.255.255.255.
Destination IP address can be one of the following:
any - Packets sent to any IP address.
destination destination-wildcard - IP address and wildcard for the host to which the packet is sent. To match any destination, specify the IP address as 0.0.0.0 and the wildcard as 255.255.255.255.
protocol - The name or the number of an IP protocol. Use ? to see the list of available protocols (icmp, igmp, ip, tcp, egp, igp, udp, hmp, rdp, idpr, ipv6, ipv6-route, ipv6-frag, idrp, rsvp, gre, esp, ah, ipv6-icmp, eigrp, ospf, ipip, pim, l2tp, isis); use any for all protocols.
destination-port - Specifies the UDP/TCP destination port. Use any for all ports.
source-port - Specifies the UDP/TCP source port. Use any for all ports.
dscp - Matches the given DSCP number against the packet DSCP value.
precedence - Matches the given IP precedence against the packet IP precedence value.
Default Configuration
This command has no default configuration.
Command Mode
IP Access-List Configuration Mode
User Guidelines
The matching criteria in IP-ACLs are defined in ACEs. An ACE is defined using the permit (IP) or deny (IP) command. Up to 248 ACEs are combined into an IP-ACL.
If there are no matches, the packets are denied.
Example
The following example creates an ACE denying any IP traffic from 192.1.1.10 with wildcard 0.0.0.255 (that is, any source in 192.1.1.0/24) to 192.168.1.10 with wildcard 255.255.255.0. Both the source and the destination condition must hold for the ACE to match. Note that as a wildcard, 255.255.255.0 ignores the first three octets, so the destination term matches any address whose last octet is 10 rather than the 192.168.1.0/24 network; to match that network, use the wildcard 0.0.0.255.
Console (config-ip-al)# deny any 192.1.1.10 0.0.0.255 192.168.1.10 255.255.255.0
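To make the wildcard and first-match semantics of these ACEs concrete, here is an added Python example (not the switch's own code and not from this manual) that evaluates an IP-ACL the way the page describes it: ACEs are tried in order, the first matching ACE decides, and a packet that matches no ACE is denied. The RSVP ACE is an assumption built from the permit example's description, since the page does not print that command line; the packets are constructed for the example.

```python
import ipaddress

# Added example, not the switch's own code: an IP-ACL evaluator with the
# semantics this page describes (ordered ACEs, first match wins, implicit deny).

def _ip(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard bit 1 = 'do not care', 0 = 'must match'.
    0.0.0.0 as wildcard matches exactly one host; 255.255.255.255 matches every
    address, which is what the CLI's 'any' shorthand expands to."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(base) & care)

ANY = ("0.0.0.0", "255.255.255.255")

def ace(action, protocol="any", src=ANY, dst=ANY, dscp=None):
    """One access control entry; protocol/src/dst/dscp mirror the CLI parameters.
    dscp=None means the ACE does not test DSCP."""
    return {"action": action, "protocol": protocol, "src": src, "dst": dst, "dscp": dscp}

def ace_matches(entry, pkt) -> bool:
    if entry["protocol"] != "any" and entry["protocol"] != pkt["protocol"]:
        return False
    if not wildcard_match(pkt["src"], *entry["src"]):
        return False
    if not wildcard_match(pkt["dst"], *entry["dst"]):
        return False
    if entry["dscp"] is not None and entry["dscp"] != pkt.get("dscp", 0):
        return False
    return True

def evaluate(acl, pkt) -> str:
    """Return 'permit' or 'deny' for pkt under acl; the first matching ACE wins."""
    for entry in acl:
        if ace_matches(entry, pkt):
            return entry["action"]
    return "deny"   # no ACE matched: the page's implicit deny

# The page's deny example, followed by a permit-everything ACE so its effect is visible:
#   deny any 192.1.1.10 0.0.0.255 192.168.1.10 255.255.255.0
# The destination wildcard 255.255.255.0 ignores the first three octets, so this ACE
# matches any destination whose last octet is 10, not the 192.168.1.0/24 network.
DENY_THEN_PERMIT = [
    ace("deny", "any", ("192.1.1.10", "0.0.0.255"), ("192.168.1.10", "255.255.255.0")),
    ace("permit"),
]

# The page's RSVP example. Its command line is not on the page; this ACE is an
# assumption built from the description: RSVP from host 12.1.1.1 with DSCP 56.
RSVP_ONLY = [ace("permit", "rsvp", ("12.1.1.1", "0.0.0.0"), ANY, dscp=56)]

def packet(src, dst, protocol="tcp", dscp=0):
    """Constructed packet header for the example."""
    return {"src": src, "dst": dst, "protocol": protocol, "dscp": dscp}
```

With DENY_THEN_PERMIT, a packet from 192.1.1.77 to 10.9.8.10 is denied (last octet 10 matches the destination term) while a packet to 192.168.1.11 is permitted, which is the wildcard pitfall described above; an empty ACL denies everything.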
mac access-list
Use the mac access-list global configuration command to create Layer 2 MAC ACLs and enter the MAC-Access list configuration mode. To delete a MAC ACL, use the no form of this command.
Syntax
mac access-list name
no mac access-list name
name - Enter the MAC ACL name, a character string up to 32 characters long.
Default Configuration
The default for all ACLs is deny.
Command Mode
Global Configuration Mode
User Guidelines
Entering the mac access-list command enables the MAC-access list configuration mode.
Example
The following example creates a MAC ACL named dell.
Console (config)# mac access-list dell
permit (MAC)
Use the permit MAC access-list configuration mode command to allow traffic if the conditions defined in the permit statement are matched.
Syntax
permit {any | source source-wildcard} {any | destination destination-wildcard} [vlan vlan-id]
Source MAC address can be one of the following:
any - Packets received from any MAC address.
source source-wildcard - MAC address and wildcard for the host from which the packet is sent. Specify the MAC address and wildcard in hexadecimal format (HH:HH:HH:HH:HH:HH). A wildcard of 0:0:0:0:0:0 matches the single address given.
Destination MAC address can be one of the following:
any - Packets sent to any MAC address.
destination destination-wildcard - MAC address and wildcard for the host to which the packet is sent. Specify the MAC address and wildcard in hexadecimal format (HH:HH:HH:HH:HH:HH).
vlan vlan-id - The packet VLAN.
Default Configuration
This command has no default configuration.
Command Mode
MAC-List Configuration Mode
User Guidelines
The matching criteria in MAC-ACLs are defined in ACEs.
Example
The following example creates a MAC ACE that allows traffic from MAC address 6:6:6:6:6:6 with any destination on VLAN 4.
Console (config-mac-al)# permit 6:6:6:6:6:6 0:0:0:0:0:0 any vlan 4
deny (MAC)
Use the deny MAC access-list configuration mode command to deny traffic if the conditions defined in the deny statement are matched.
disable-port - If the statement is deny, the port is disabled when a packet matches the ACE. As with the IP form, one matching frame takes the whole port out of service, so reserve this for ports where that is the intended response.
Source MAC address can be one of the following:
any - Packets received from any MAC address.
source source-wildcard - MAC address and wildcard for the host from which the packet is sent. Specify the MAC address and wildcard in hexadecimal format (HH:HH:HH:HH:HH:HH).
Destination MAC address can be one of the following:
any - Packets sent to any MAC address.
destination destination-wildcard - MAC address and wildcard for the host to which the packet is sent. Specify the MAC address and wildcard in hexadecimal format (HH:HH:HH:HH:HH:HH).
vlan vlan-id - The packet VLAN.
Default Configuration
This command has no default configuration.
Command Mode
MAC-List Configuration Mode
User Guidelines
The matching criteria in MAC-ACLs are defined in ACEs.
Example
The following example creates a MAC ACE that denies traffic from MAC address 6:6:6:6:6:6.
service-acl
Use the service-acl interface configuration command to apply an access list to the interface input (ingress direction). To detach an access list from an interface, use the no form of this command.
Syntax
service-acl input acl-name
no service-acl input
acl-name - Name of an ACL defined with ip access-list or mac access-list.
Command Mode
Interface Configuration Mode
User Guidelines
Only one ACL per interface per direction is supported. An ACL has no effect until it is attached to an interface, so enter all of its ACEs first, then attach it, and confirm the binding with show interfaces access-lists.
Example
The following example attaches the ACL named dell to the interface input.
Console (config-if)# service-acl input dell
show access-lists
Use the show access-lists privileged EXEC command to display access control lists (ACLs) defined on the device.
Syntax
show access-lists [name]
nameThe ACL name.
Default Configuration
This command has no default configuration.
Command Mode
Privileged EXEC Mode
User Guidelines
There are no user guidelines for this command.
Example
The following example displays access control lists (ACLs) configured on the device.
Console# show access-lists
IP access list ACL1
permit 234 172.30.40.1 0.0.0.0 any
permit 234 172.30.8.8 0.0.0.0 any
show interfaces access-lists
Use the show interfaces access-lists privileged EXEC command to display the access lists applied on interfaces.
Syntax
show interfaces access-lists [ethernet interface | vlan vlan-id | port-channel port-channel-number]
interface - The full syntax is unit/port.
vlan-id - VLAN number.
port-channel-number - Port-channel index.
Default Configuration
This command has no default configuration.
Command Mode
Privileged EXEC Mode
User Guidelines
There are no user guidelines for this command.
Example
The following example displays the access lists applied on interfaces.
Console# show interfaces access-lists
Interface Input ACL
--------- ----------
1/1 ACL1
2/1 ACL3
qos
Use the qos global configuration command to enable quality of service (QoS) on the device. To disable the QoS features on the device, use the no form of this command.
Syntax
qos
no qos
Default Configuration
QoS is enabled by default.
Command Mode
Global Configuration Mode
User Guidelines
There are no user guidelines for this command.
Example
The following example enables QoS on the device.
Console (config)# qos
show qos
Use the show qos user EXEC command to display the QoS activity status.
Syntax
show qos
Default Configuration
This command has no default configuration.
Command Mode
User EXEC Mode
User Guidelines
There are no user guidelines for this command.
Examples
The following example displays a device QoS status.
Console> show qos
Qos: disable
Trust: dscp
wrr-queue cos-map
Use the wrr-queue cos-map global configuration command to map assigned CoS values to the egress queues. To return to the default values, use the no form of this command.
Syntax
wrr-queue cos-map queue-id cos1...cosn
no wrr-queue cos-map {queue-id}
queue-id - The queue number to which the following CoS values are mapped.
cos1...cosn - Up to eight CoS values, from 0 to 7, to map to the queue.
Default Configuration
Default values for three queues are as follows:
CoS value 1 select queue 1
CoS value 2 select queue 1
CoS value 0 select queue 2
CoS value 3 select queue 2
CoS value 4 select queue 2
CoS value 5 select queue 3
CoS value 6 select queue 3
CoS value 7 select queue 3
Command Mode
Global Configuration Mode
User Guidelines
This command is used to distribute traffic into different queues, where each queue is configured with different weighted round robin (WRR) and weighted random early detection (WRED) parameters.
wrr-queue bandwidth
Use the wrr-queue bandwidth global configuration command to assign weighted round robin (WRR) weights to egress queues. The ratio of the weights determines the frequency with which the packet scheduler dequeues packets from each queue. To return to the default values, use the no form of this command.
Syntax
wrr-queue bandwidth weight1 weight2 ... weight_n
no wrr-queue bandwidth
weight1...weight_n - Sets the frequency ratio in which the WRR packet scheduler dequeues packets. Separate the values with spaces (Range: 1-65535).
Default Configuration
The default weight is 1 for every queue, so with four queues each queue receives a 1/4 share.
Command Mode
Global Configuration Mode
User Guidelines
The ratio is calculated and managed as follows:
The ratio for each queue is defined by the queue weight divided by the sum of all queue weights (that is, the normalized weight). This sets the ratio of the frequency in which the WRR packet scheduler dequeues packets, and not the bandwidth. Thus, the ratio will be of the number of packets and not bytes sent from each queue.
A weight of 0 means no bandwidth is allocated to that queue, and the shared bandwidth is divided among the remaining queues.
Example
The following example sets the queue weights as follows:
Queue 1: 10/100
Queue 2: 20/100
Queue 3: 30/100
Queue 4: 40/100
Console (config)# wrr-queue bandwidth 10 20 30 40
priority-queue out num-of-queues
Use the priority-queue out num-of-queues global configuration command to set how many egress queues are strict priority (Expedite, EF) queues. To return all queues to strict priority queues, use the no form of this command.
Syntax
priority-queue out num-of-queues [number-of-queues]
no priority-queue out num-of-queues
number-of-queues - The number of queues that are strict priority (Expedite) queues. The strict priority queues are the queues with the highest indexes (Range: 0-4).
Default Configuration
All queues are strict priority (Expedite) queues.
Command Mode
Global Configuration Mode
User Guidelines
When priority-queue out num-of-queues is configured, the weighted round robin (WRR) weight ratios change because fewer queues take part in WRR: the wrr-queue bandwidth weights of the strict priority queues are ignored (not used in the ratio calculation). A strict priority queue is served whenever it holds a packet, so traffic classified into it can starve the WRR queues; keep the number of EF queues small and make sure only traffic from trusted ports is mapped into them.
Example
The following example sets queues 3 and 4 to be EF queues.
Console (config)# priority-queue out num-of-queues 2
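The weight arithmetic behind wrr-queue bandwidth and priority-queue out num-of-queues, as an added Python example (not the switch's own code): it normalises the weights over the WRR queues only, drops the weights of the EF queues as the guideline above states, treats weight 0 as "no share", and simulates one scheduler round for the page's "queues 3 and 4 are EF" configuration. Two details the page does not state are assumptions marked in the code: among several EF queues the higher index is served first, and a WRR queue sends up to "weight" packets per round.

```python
from fractions import Fraction

# Added example, not the switch's own code. Queues are numbered 1..n and
# weights[i-1] is the wrr-queue bandwidth weight of queue i.

def wrr_shares(weights, num_ef_queues=0):
    """Per-queue share of dequeue opportunities (a packet ratio, not bytes).

    The page says the EF queues are the highest-indexed ones and that their
    wrr-queue bandwidth entries are ignored, so the ratio is normalised over the
    remaining queues only. A weight of 0 gives that queue no share."""
    n = len(weights)
    if not 0 <= num_ef_queues <= n:
        raise ValueError("num_ef_queues out of range")
    wrr = weights[: n - num_ef_queues]
    total = sum(wrr)
    shares = {}
    for qid, w in enumerate(wrr, start=1):
        shares[qid] = Fraction(w, total) if total else Fraction(0)
    for qid in range(n - num_ef_queues + 1, n + 1):
        shares[qid] = "EF"
    return shares

def schedule_round(weights, num_ef_queues, backlog):
    """One scheduler round; returns the queue ids in dequeue order.

    Assumptions not stated on the page: EF queues are drained completely before any
    WRR queue is visited, the higher-indexed EF queue first; each WRR queue then
    sends up to 'weight' packets. 'backlog' maps queue id to queued packet count."""
    n = len(weights)
    backlog = dict(backlog)             # do not mutate the caller's view
    order = []
    for qid in range(n, n - num_ef_queues, -1):     # strict priority queues
        while backlog.get(qid, 0) > 0:
            order.append(qid)
            backlog[qid] -= 1
    for qid in range(1, n - num_ef_queues + 1):     # WRR queues, in order
        for _ in range(min(weights[qid - 1], backlog.get(qid, 0))):
            order.append(qid)
            backlog[qid] -= 1
    return order

def example_shares():
    """The page's 'wrr-queue bandwidth 10 20 30 40' with queues 3 and 4 as EF:
    queue 1 gets 1/3 and queue 2 gets 2/3 of the WRR opportunities."""
    return wrr_shares([10, 20, 30, 40], num_ef_queues=2)
```

The simulation makes the guideline's caveat visible: with a non-empty backlog in an EF queue, the WRR queues get nothing in that round until the EF queue is empty.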
show qos interface
Use the show qos interface user EXEC command to display interface QoS data. EF refers to Expedite (strict priority).
Syntax
show qos interface [ethernet interface-number | port-channel number] [queuing]
ethernet interface-number - Ethernet port number.
port-channel number - Port-channel number.
queuing - Displays the queue strategy (WRR or EF), the weight of each WRR queue, the CoS-to-queue map, and the EF priority.
Default Configuration
This command has no default configuration.
Command Mode
User EXEC Mode
User Guidelines
If no keyword is specified with the show qos interface command, the port QoS mode trusted, untrusted, and default CoS values are displayed. If a specific interface is not specified, the information for all interfaces is displayed.
Example
The following example displays the output of the show qos interface ethernet 1/e5 queueing command for a device with four queues.
Console> show qos interface ethernet 1/e5 queueing
Ethernet 1/e5
wrr bandwidth weights and EF priority:
qid  weights  Ef   Priority
1    125      dis  N/A
2    125      dis  N/A
3    125      dis  N/A
4    125      dis  N/A
Cos-queue map:
cos  qid
0    2
1    1
2    1
3    2
4    3
5    3
6    4
7    4
qos map dscp-queue
Use the qos map dscp-queue global configuration command to modify the DSCP-to-queue map. To return to the default map, use the no form of this command.
Syntax
qos map dscp-queue dscp-list to queue-id
no qos map dscp-queue
dscp-list - The DSCP values to map (up to 4), separated by spaces (Range: 0-63).
queue-id - The queue number to which the DSCP values are mapped.
Default Configuration
The following table describes the default map.
DSCP value    Queue-ID
0-15          1
16-39         2
40-63         3
Command Mode
Global Configuration Mode
User Guidelines
There are no user guidelines for this command.
Example
The following example maps DSCP values 33, 40, and 41 to queue 1.
Console (config)# qos map dscp-queue 33 40 41 to 1
qos trust(Global)
Use the qos trust global configuration command to configure the system trust state. To return to the untrusted state, use the no form of this command.
Syntax
qos trust {cos | dscp | tcp-udp-port}
no qos trust
cos - Classifies ingress packets by the packet CoS value. For untagged packets, the port default CoS is used.
dscp - Classifies ingress packets by the packet DSCP value.
tcp-udp-port - Classifies ingress packets by the packet TCP/UDP destination port, using the tcp-port-queue and udp-port-queue maps.
Default Configuration
The default trust mode is CoS.
Command Mode
Global Configuration Mode
User Guidelines
Packets entering a quality of service (QoS) domain are classified at the edge of the domain. Once packets have been classified at the edge, switch ports inside the domain can be set to a trusted state, because there is no need to classify the packets again at every switch within the domain.
Use this command to specify which packet field is used to classify traffic on trusted ports.
If DSCP is trusted, the DSCP field of the IP packet is not modified.
If TCP-UDP-port is trusted, the packet destination port is not modified.
If CoS is trusted, the CoS of the packet is not modified.
Trust only ports that face devices you control (other switches, routers, managed phones). A trusted mode takes the sender's marking at face value, so a host on a trusted user port can mark its own traffic into the highest-priority queue and crowd out everyone else; leave user-facing ports untrusted so that their traffic is classified by the port default CoS (qos cos) instead.
Example
The following example configures the system to trust DSCP.
Console (config)# qos trust dscp
qos trust(Interface)
Use the qos trust interface configuration command to enable the trust state on a port. To disable the trust state on the port, use the no form of this command.
Syntax
qos trust
no qos trust
Command Mode
Interface Configuration Mode
User Guidelines
The packet field used to classify traffic on a trusted port is selected globally with qos trust (Global); this command only switches the port between trusted and untrusted.
Example
The following example configures port 1/e5 to the trust state.
Console (config)# interface ethernet 1/e5
Console (config-if)# qos trust
qos cos
Use the qos cos interface configuration command to configure the default port CoS value. To return to the default setting, use the no form of this command.
Syntax
qos cos default-cos
no qos cos
default-cos - The default CoS value assigned to the port. If the port is trusted and the packet is untagged, the default CoS value becomes the packet's CoS value (Range: 0-7).
Command Mode
Interface Configuration Mode
User Guidelines
The default value assigns a CoS value to all untagged packets entering the port.
Example
The following example configures port 1/e5 default CoS value to 3.
Console (config)# interface ethernet 1/e5
Console (config-if)# qos cos 3
qos map tcp-port-queue
Use the qos map tcp-port-queue global configuration command to modify the TCP-port-to-queue table. To delete table entries, use the no form of this command. When the no form is used without listing ports, the entire table is deleted.
Syntax
qos map tcp-port-queue port1...port8 to queue-id
no qos map tcp-port-queue [port1...port8]
port1...port8 - Up to 8 TCP destination ports to map, separated by spaces (Range: 0-65535).
queue-id - The queue number to which the ports are mapped.
Default Configuration
The table is empty.
Command Mode
Global Configuration Mode
User Guidelines
This command maps the TCP destination port of an ingress packet to the specified queue.
The map is used only when the global trust mode is tcp-udp-port (qos trust tcp-udp-port) and trust is enabled on the ingress port (qos trust in interface configuration mode).
Example
The following example maps TCP destination ports 2000 and 80 to queue 2.
Console (config)# qos map tcp-port-queue 2000 80 to 2
qos map udp-port-queue
Use the qos map udp-port-queue global configuration command to modify the UDP-port-to-queue table. To delete table entries, use the no form of this command. When the no form is used without listing ports, the entire table is deleted.
Syntax
qos map udp-port-queue port1...port8 to queue-id
no qos map udp-port-queue [port1...port8]
port1...port8 - Up to 8 UDP destination ports to map, separated by spaces (Range: 0-65535).
queue-id - The queue number to which the ports are mapped.
Default Configuration
The table is empty.
Command Mode
Global Configuration Mode
User Guidelines
This command maps the UDP destination port of an ingress packet to the specified queue.
The map is used only when the global trust mode is tcp-udp-port (qos trust tcp-udp-port) and trust is enabled on the ingress port (qos trust in interface configuration mode).
Example
The following example maps UDP destination ports 2000 and 80 to queue 2.
Console (config)# qos map udp-port-queue 2000 80 to 2
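An added Python example (not the switch's code and not from this manual) that puts the trust state, the port default CoS and the three maps together to show which queue an ingress packet lands in, and in particular why the trust setting is a security control: on a trusted port the sender's marking picks the queue, on an untrusted port the administrator's default CoS does. The CoS-to-queue and DSCP-to-queue tables are the three-queue defaults printed on this page, and the tcp/udp entries are the page's "ports 2000 and 80 to queue 2". Two behaviours the page does not spell out are assumptions marked in the code: an untrusted port classifies every packet by its default CoS, and a packet that the trusted field cannot classify falls back to the default CoS as well.

```python
# Added example, not the switch's own code: queue selection for one ingress packet
# under the qos trust / qos cos / qos map settings described on this page.

# Three-queue defaults as printed on the page (wrr-queue cos-map, qos map dscp-queue).
COS_QUEUE = {1: 1, 2: 1, 0: 2, 3: 2, 4: 2, 5: 3, 6: 3, 7: 3}
DSCP_QUEUE = {d: (1 if d < 16 else 2 if d < 40 else 3) for d in range(64)}

def global_maps(trust="cos", tcp_ports=None, udp_ports=None):
    """Global settings: trust mode (qos trust {cos | dscp | tcp-udp-port}) and the
    maps. tcp_ports / udp_ports are {dest_port: queue}; the page's
    'qos map tcp-port-queue 2000 80 to 2' is {2000: 2, 80: 2}."""
    return {
        "trust": trust,
        "cos_queue": dict(COS_QUEUE),
        "dscp_queue": dict(DSCP_QUEUE),
        "tcp_port_queue": dict(tcp_ports or {}),
        "udp_port_queue": dict(udp_ports or {}),
    }

def queue_for(pkt, port, maps):
    """Return the egress queue for pkt received on port.

    pkt:  {'cos': 0..7 or None if untagged, 'dscp': 0..63 or None if not IP,
           'l4': 'tcp' | 'udp' | None, 'dport': destination port or None}
    port: {'trusted': bool (qos trust on the interface), 'default_cos': 0..7 (qos cos)}

    Assumptions not stated on the page: an untrusted port classifies every packet by
    the port default CoS, and when the trusted field cannot classify the packet
    (no DSCP under dscp trust, unmapped port under tcp-udp-port trust) the packet
    also falls back to the port default CoS."""
    default_q = maps["cos_queue"][port["default_cos"]]
    if not port["trusted"]:
        return default_q
    mode = maps["trust"]
    if mode == "cos":
        # Page: for untagged packets the port default CoS is used.
        cos = pkt.get("cos")
        return maps["cos_queue"][port["default_cos"] if cos is None else cos]
    if mode == "dscp":
        dscp = pkt.get("dscp")
        return default_q if dscp is None else maps["dscp_queue"][dscp]
    if mode == "tcp-udp-port":
        table = {"tcp": maps["tcp_port_queue"],
                 "udp": maps["udp_port_queue"]}.get(pkt.get("l4"), {})
        return table.get(pkt.get("dport"), default_q)
    raise ValueError(f"unknown trust mode {mode!r}")

def self_marked_queue(trusted):
    """Where a host that marks its own packets DSCP 46 lands when the global trust
    mode is dscp: queue 3 on a trusted port, the default-CoS queue (2) otherwise.
    Constructed packet; this is the reason user-facing ports should stay untrusted."""
    pkt = {"cos": None, "dscp": 46, "l4": "udp", "dport": 5060}
    return queue_for(pkt, {"trusted": trusted, "default_cos": 0}, global_maps("dscp"))
```

The self_marked_queue comparison is the check to run mentally for every port you trust: if the answer for trusted is a higher queue than for untrusted, the device on that port is being allowed to choose its own priority.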
show qos map
Use the show qos map user EXEC command to display all the QoS maps.
Syntax
show qos map [dscp-queue | tcp-port-queue | udp-port-queue]
dscp-queue - Displays the DSCP-to-queue map.
tcp-port-queue - Displays the TCP-port-to-queue map.
udp-port-queue - Displays the UDP-port-to-queue map.
Default Configuration
This command has no default configuration.
Command Mode
User EXEC Mode
User Guidelines
There are no user guidelines for this command.
Example
The following example displays the DSCP-to-queue map. In the table, d1 is the tens digit and d2 the units digit of the DSCP value, so DSCP 46 is row 4, column 6 and maps to queue 03.
Console> show qos map dscp-queue
Dscp-queue map:
d1 : d2  0  1  2  3  4  5  6  7  8  9
---------------------------------------
 0 :    01 01 01 01 01 01 01 01 01 01
 1 :    01 01 01 01 01 01 02 02 02 02
 2 :    02 02 02 02 02 02 02 02 02 02
 3 :    02 02 03 03 03 03 03 03 03 03
 4 :    03 03 03 03 03 03 03 03 04 04
 5 :    04 04 04 04 04 04 04 04 04 04
 6 :    04 04 04 04
The following table appears if tcp-port-queue is supported.