
1 Rookie

 • 

24 Posts

20

May 22nd, 2024 14:17

Dell OS10 can't use input access-list and input service-policy together?

I am experiencing a weird issue when trying to apply an input ACL and an input service-policy to an interface on a Dell OS10 S5232F-ON switch. When I add the access-list or the service-policy individually, they work; however, when I add both of them at the same time, the service-policy stops working. I had no issues like that with Dell OS9, as I had both the access-list and rate policy applied to the same interface. Has anyone experienced something similar?

class-map type qos example-cmap-all-traffic
!
policy-map type qos example-interface-policer
 !
 class example-cmap-all-traffic
  police cir 2000000 pir 3000000
!
ip access-list testserver-acl1
 seq 10 permit ip 192.168.50.50 255.255.255.255 any
!
interface ethernet1/1/7:1
 no shutdown
 switchport mode trunk
 switchport trunk allowed vlan 66
 flowcontrol receive off
 service-policy input type qos example-interface-policer
 ip access-group testserver-acl1 in

Moderator

 • 

3.4K Posts

May 22nd, 2024 18:43

Hello,

 

Even though we have not found clear documentation about this, please try the configuration after small modifications (without type-qos)

 

class-map type qos example-cmap-all-traffic
!
policy-map type qos example-interface-policer
 !
 class example-cmap-all-traffic
  police cir 2000000 pir 3000000
!
ip access-list testserver-acl1
 seq 10 permit ip 192.168.50.50 255.255.255.255 any
!
interface ethernet1/1/7:1
 no shutdown
 switchport mode trunk
 switchport trunk allowed vlan 66
 flowcontrol receive off
 service-policy input type qos example-interface-policer
 ip access-group testserver-acl1 in

 

1 Rookie

 • 

24 Posts

23-05-2024 05:40 AM

@DELL-Charles R "type qos" is added by default even if you omit them from initial input. Also, the qos config that I posted was directly copied from the Dell OS10 manual.

Moderator

 • 

3.2K Posts

23-05-2024 09:54 AM

Hi,

 

If you could, try the commands without the -type qos-, and give feedback to Charles if it is not working.

 

Do you have the link to the documentation that you mentioned you copied from? 

 

I have a hunch that "service-policy input type qos example-interface-policer", might not be right. I tried looking for the command guide but could find it. I found something similar on QOS policy guide: https://dell.to/3UW6Vf4 page 14

DELL-Joey C

Social Media and Communities Professional

Dell Technologies | Enterprise Support Services

#IWork4Dell


1 Rookie

 • 

24 Posts

23-05-2024 11:54 AM

@DELL-Joey C I found the manual instantly by typing "os10 manual" into Google (I will provide the link). Also, as I said, I did try omitting "type qos", and when I run "show running-config" it shows the same config line with "type qos" added to the config. Even if you don't specify "type qos", it is added by default to this command. It is just extremely bizarre that there would be an issue for both ACL and service-input to work together, as they both seem pretty important.

My OS version is 10.5.6.1
Page: 1627
https://dl.dell.com/content/manual35024495-dell-smartfabric-os10-user-guide-release-10-5-4.pdf?language=en-us

Moderator

 • 

3.4K Posts

23-05-2024 15:23 PM

Hello,

 

You can call the ACL from inside the class-map using “match ip access-group” instead of applying it to the interface. This way only the service policy will be applied to the interface.

 

ip access-list testserver-acl1
 seq 10 permit ip 192.168.50.50 255.255.255.255 any

class-map example-cmap-all-traffic
 match ip access-group name testserver-acl1

policy-map example-interface-policer
 !
 class example-cmap-all-traffic
  police cir 2000000 pir 3000000
 !
!
interface ethernet1/1/7:1
 no shutdown
 switchport mode trunk
 switchport trunk allowed vlan 66
 flowcontrol receive off
 service-policy input type qos example-interface-policer

 

DELL-Charles R

Social Media and Communities Professional
Dell Technologies | Enterprise Support Services
#IWork4Dell


1 Rookie

 • 

24 Posts

May 24th, 2024 06:31

@DELL-Charles R But the point here is to use the ACL as an access-group which either permits or denies IPs. When I set the "match" case, the ACL is used as an identifier, not as a way to permit or block traffic. I tried it and it doesn't block or permit traffic when applied as a "match" case in the class map. It does work when I apply the ACL as an access group on the interface, but then again we are at the same problem where I can't use service-policy and access-group together. I will try to update the OS10 firmware to inspect if there are any changes between versions.

1 Rookie

 • 

24 Posts

June 17th, 2024 08:05

I contacted Dell official support regarding this and I got an answer of "It's not supposed to work together". I either have to use INPUT access-group or INPUT service policy, I can't do both. This basically makes the switch useless for our production use (it's not a cheap switch, either). The saddest part is that this is most likely software related, as "sonic OS" on the same hardware is able to do this. There are more fun things Dell doesn't support on OS10, like mixing ipv4 and ipv6 qos match cases in the same class-map. I suppose Dell never thought that someone might want to police ipv4 and ipv6 at the same time.

Official message from Dell tech:

"Dell OS10 indeed restricts the simultaneous use of both ‘access-group in’ and ‘input traffic commit limit’ on the same interface. Unfortunately, there isn’t a direct way to achieve both functionalities concurrently. You’ll need to choose between applying the access group or enforcing the input traffic commit limit based on your priorities."
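A config audit for the restriction described in the support answer above, added here as an example and not taken from the thread or from Dell: it scans `show running-config` style text and lists interfaces that carry both an inbound `ip access-group` and an input QoS `service-policy`, the combination on which the original poster saw the policer stop working. The sample config is constructed, and the parser assumes sub-commands are indented under their `interface` line.

```python
import re

# Constructed sample in "show running-config" layout, modelled on the thread's config.
SAMPLE_CONFIG = """\
interface ethernet1/1/7:1
 no shutdown
 switchport mode trunk
 service-policy input type qos example-interface-policer
 ip access-group testserver-acl1 in
!
interface ethernet1/1/8:1
 no shutdown
 service-policy input type qos example-interface-policer
!
interface ethernet1/1/9:1
 ip access-group testserver-acl1 in
 service-policy output type queuing example-egress-policy
"""

IFACE = re.compile(r"^interface\s+(\S.*)$")
ACL_IN = re.compile(r"^ip access-group (\S+) in$")
# "type qos" is optional on input; the thread notes the switch adds it by default.
POLICY_IN = re.compile(r"^service-policy input (?:type qos )?(\S+)$")

def find_conflicts(config_text):
    """Return [(interface, [acl names], [policy names])] for ports that have both."""
    ports, current = {}, None
    for raw in config_text.splitlines():
        header = IFACE.match(raw)
        if header:
            current = ports.setdefault(header.group(1).strip(), {"acl": [], "policy": []})
            continue
        if not raw.startswith((" ", "\t")):
            current = None  # "!" or any other top-level line closes the interface block
            continue
        if current is None:
            continue
        line = raw.strip()
        acl, policy = ACL_IN.match(line), POLICY_IN.match(line)
        if acl:
            current["acl"].append(acl.group(1))
        elif policy:
            current["policy"].append(policy.group(1))
    return [(n, p["acl"], p["policy"]) for n, p in ports.items() if p["acl"] and p["policy"]]

if __name__ == "__main__":
    for name, acls, policies in find_conflicts(SAMPLE_CONFIG):
        print(f"{name}: input ACL {acls} and input QoS policy {policies} on the same port")
```

Run against saved running-configs, this shows which ports need a decision between filtering and policing before a change window, instead of finding out from traffic that one of the two is not being enforced.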
