Dell OS10 can't use input access-list and input service-policy together?
I am experiencing a weird issue when trying to apply an input ACL and an input service-policy to an interface on a Dell OS10 S5232F-ON switch. When I add the access-list or the service-policy individually they work; however, when I add both of them at the same time, the service-policy stops working. I had no issues like that with Dell OS9, as I had both the access-list and rate policy applied to the same interface. Has anyone experienced something similar?
class-map type qos example-cmap-all-traffic
!
policy-map type qos example-interface-policer
 !
 class example-cmap-all-traffic
  police cir 2000000 pir 3000000
!
ip access-list testserver-acl1
 seq 10 permit ip 192.168.50.50 255.255.255.255 any
!
interface ethernet1/1/7:1
 no shutdown
 switchport mode trunk
 switchport trunk allowed vlan 66
 flowcontrol receive off
 service-policy input type qos example-interface-policer
 ip access-group testserver-acl1 in
DELL-Charles R
Moderator
May 22nd, 2024 18:43
Hello,
Even though we have not found clear documentation about this, please try the configuration after small modifications (without type-qos):
class-map type qos example-cmap-all-traffic
!
policy-map type qos example-interface-policer
 !
 class example-cmap-all-traffic
  police cir 2000000 pir 3000000
!
ip access-list testserver-acl1
 seq 10 permit ip 192.168.50.50 255.255.255.255 any
!
interface ethernet1/1/7:1
 no shutdown
 switchport mode trunk
 switchport trunk allowed vlan 66
 flowcontrol receive off
 service-policy input type qos example-interface-policer
 ip access-group testserver-acl1 in
AndriusLi
May 24th, 2024 06:31
@DELL-Charles R But the point here is to use the ACL as an access-group which either permits or denies IPs. When I set a "match" case, the ACL is used as an identifier, not as a way to permit or block traffic. I tried it and it doesn't block or permit traffic when applied as a "match" case in a class map. It does work when I apply the ACL as an access group on the interface, but then again we are at the same problem where I can't use service-policy and access-group together. I will try to update the OS10 firmware to inspect if there are any changes between versions.
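A check for the combination the posts above report as not working together, added here as an example that is not part of any post and not Dell's code: it scans OS10 running-config text for interfaces that carry both an input QoS service-policy and an input `ip access-group`. The sample configuration is constructed in the style of the one posted in this thread, and treating `!` as the end of an interface section is an assumption.

```python
import re

# Constructed sample in the style of the configuration posted above.
SAMPLE_CONFIG = """\
policy-map type qos example-interface-policer
 !
 class example-cmap-all-traffic
  police cir 2000000 pir 3000000
!
interface ethernet1/1/7:1
 no shutdown
 service-policy input type qos example-interface-policer
 ip access-group testserver-acl1 in
!
interface ethernet1/1/8:1
 service-policy input type qos example-interface-policer
!
interface ethernet1/1/9:1
 ip access-group testserver-acl1 in
 service-policy output type queuing example-egress-policy
"""

IFACE = re.compile(r"^interface\s+(.+)$")
QOS_IN = re.compile(r"^service-policy\s+input\s+type\s+qos\s+(\S+)$")
ACL_IN = re.compile(r"^ip\s+access-group\s+(\S+)\s+in$")


def find_conflicts(config_text):
    """Return {interface: (qos_policy, acl)} where both ingress features are set."""
    found = {}      # interface -> {"qos": name, "acl": name}
    current = None  # interface section being read, if any
    for raw in config_text.splitlines():
        line = raw.strip()  # works with or without indentation
        if line == "!":     # assumption: "!" closes the current section
            current = None
            continue
        m = IFACE.match(line)
        if m:
            current = m.group(1)
            found[current] = {}
            continue
        if current is None:
            continue        # not inside an interface section
        for key, pattern in (("qos", QOS_IN), ("acl", ACL_IN)):
            m = pattern.match(line)
            if m:
                found[current][key] = m.group(1)
    return {i: (f["qos"], f["acl"]) for i, f in found.items() if len(f) == 2}


if __name__ == "__main__":
    for iface, (qos, acl) in find_conflicts(SAMPLE_CONFIG).items():
        print(f"{iface}: input policy '{qos}' and input ACL '{acl}' both applied")
```

Run it against saved running-config output; an interface it reports has the ingress policer and the ingress ACL applied together, the case in which the original poster saw the service-policy stop working.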
AndriusLi
June 17th, 2024 08:05
I contacted Dell official support regarding this and I got an answer of "It's not supposed to work together". I either have to use INPUT access-group or INPUT service policy; I can't do both. This basically makes the switch useless for our production use (it's not a cheap switch, either). The saddest part is that this is most likely software related, as "sonic OS" on the same hardware is able to do this. There are more fun things Dell doesn't support on OS10, like mixing IPv4 and IPv6 QoS match cases in the same class-map. I suppose Dell never thought that someone might want to police IPv4 and IPv6 at the same time.
Official message from Dell tech: