Specifications
White Paper
© 2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 58 of 89
The NO TRUST form of the keyword is used when a frame arrives from an untrusted port. This allows the frame to
have a DSCP value assigned during the process of policing.
Let's look at an example of how a new priority (DSCP) can be assigned to different flows coming into the PFC using
the following policy definition.
Cat6500(config-pmap)# class test access-group 102
Cat6500(config-pmap-c)# no trust
Cat6500(config-pmap-c)# set ip dscp 24
Cat6500(config-pmap-c)# exit
Cat6500(config-pmap)# exit
The above example shows the following:
1. An access list being created to identify HTTP flows coming into the port.
2. A policy map called new-dscp-for-flow.
3. A class map (named test) that uses access list 102 to identify the traffic that this class map will act on.
4. The class map test will set the trust state for the incoming frame to untrusted and assign a DSCP of 24 to that
flow.
5. This class map will also limit the aggregate of all HTTP flows to a maximum of 1Mb.
8.12 MAC ACL Filtering
Starting with the PFC3B and PFC3BXL and a minimum of 12.2(18)SXD software, MAC ACLs can be applied on
specific interfaces to inspect all ingress traffic types, including IPv4, IPv6, MPLS and other MAC layer traffic. This
feature is referred to as protocol-independent MAC filtering and can be applied to any of the following interfaces:
1. VLAN interfaces with no IP address assigned
2. (Physical) Switch ports configured to support Ethernet over MPLS (EoMPLS)
3. (Logical) Sub-Interfaces on switch ports configured for EoMPLS.
This feature is enabled on a per-interface basis and can be applied as follows:
Cat6500(config-if)# mac packet-classify
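An added example, not part of the white paper: a Python audit that reads an IOS-style configuration and checks each interface against the three interface types listed above. It reports where "mac packet-classify" is set on an interface outside that list and where an eligible interface does not have it. The sample configuration is constructed, and treating an "xconnect" line as the sign of an EoMPLS port or sub-interface is an assumption of this example.

```python
import re
# Constructed sample running-config; names and addresses are illustrative.
SAMPLE_CONFIG = """\
interface Vlan100
 no ip address
 mac packet-classify
!
interface Vlan200
 ip address 10.1.200.1 255.255.255.0
 mac packet-classify
!
interface GigabitEthernet1/1
 xconnect 192.0.2.1 100 encapsulation mpls
 mac packet-classify
!
interface GigabitEthernet1/2.10
 xconnect 192.0.2.1 110 encapsulation mpls
!
interface GigabitEthernet1/3
 mac packet-classify
"""

def parse_interfaces(config):
    """Return {interface name: [sub-commands]} from IOS-style config text."""
    interfaces, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface\s+(\S+)", line)
        if m:
            current = interfaces.setdefault(m.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # "!" or any other top-level line ends the stanza
    return interfaces

def eligible(name, cmds):
    """True if the interface is one of the three types listed in section 8.12."""
    if name.lower().startswith("vlan"):
        return not any(re.match(r"ip address \S", c) for c in cmds)
    # Assumption: an "xconnect" line marks a port or sub-interface as EoMPLS.
    return any(c.startswith("xconnect ") for c in cmds)

def audit(config):
    """Return (misapplied, unfiltered): wrongly enabled vs. eligible but not enabled."""
    misapplied, unfiltered = [], []
    for name, cmds in parse_interfaces(config).items():
        enabled, ok = "mac packet-classify" in cmds, eligible(name, cmds)
        if enabled != ok:
            (misapplied if enabled else unfiltered).append(name)
    return misapplied, unfiltered
```

On the sample, audit(SAMPLE_CONFIG) flags Vlan200 (it has an IP address) and GigabitEthernet1/3 (no EoMPLS) as misapplied, and lists GigabitEthernet1/2.10 as eligible but without the command.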