Configuring and managing security ACLs 507
Nortel WLAN—Security Switch 2300 Series Configuration Guide

Filtering based on DSCP values

You can configure an ACE to filter based on a packet’s Differentiated Services Code Point (DSCP) value, and
change the packet’s CoS based on the DSCP value. A CoS setting marked by an ACE overrides the CoS
setting applied from the switch’s QoS map.
Table 28 lists the CoS values to use when reassigning traffic to a different priority. The CoS determines the AP
forwarding queue to use for the traffic when sending it to a wireless client.

Using the dscp option

The easiest way to filter based on DSCP is to use the dscp codepoint option. The following commands remap
IP packets from IP address 10.10.50.2 that have DSCP value 46 to have CoS value 7 when they are forwarded
to any 10.10.90.x address on Distributed AP 4:
WSS# set security acl ip acl2 permit cos 7 ip 10.10.50.2 0.0.0.0 10.10.90.0 0.0.0.255 dscp 46
success: change accepted.
WSS# set security acl ip acl2 permit any
success: change accepted.
WSS# commit security acl acl2
success: change accepted.
WSS# set security acl map acl2 ap 4 out
success: change accepted.

Using the precedence and ToS options

You also can indirectly filter on DSCP by filtering on both the IP precedence and IP ToS values of a packet.
However, this method requires two ACEs. To use this method, specify the combination of precedence and ToS
values that is equivalent to the DSCP value. For example, to filter based on DSCP value 46, configure an ACL
that filters based on precedence 5 and ToS 12. (To display a table of the precedence and ToS combinations for
each DSCP value, use the show qos dscp-table command.)
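
Why the precedence/ToS method needs two ACEs, worked through at the bit level as an added example (not from the Nortel guide). It assumes the precedence and ToS options match the RFC 791/1349 precedence and ToS fields, which agrees with the guide's precedence 5 / ToS 12 pairing for DSCP 46; the second ToS value it derives (13) follows from that assumption, so confirm it against the output of show qos dscp-table.

```python
# Added example, not from the Nortel guide. Assumption: the ACL "precedence"
# and "tos" options refer to the RFC 791/1349 fields of the IP ToS byte:
#   bits 7-5 = precedence, bits 4-1 = ToS, bit 0 = unused.
# DSCP (RFC 2474) is bits 7-2 of the same byte; bits 1-0 carry ECN.

def dscp_to_prec_tos(dscp):
    """Return (precedence, [tos values]) that together cover one DSCP value."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP must be 0-63")
    precedence = dscp >> 3            # top three DSCP bits
    tos_base = (dscp & 0x7) << 1      # low three DSCP bits, placed in the ToS field
    # The lowest ToS bit overlaps the upper ECN bit, which a DSCP match ignores,
    # so both settings of that bit have to be matched: one ACE for each.
    return precedence, [tos_base, tos_base | 1]

def matches_dscp(tos_byte, dscp):
    return tos_byte >> 2 == dscp

def matches_prec_tos(tos_byte, precedence, tos):
    return tos_byte >> 5 == precedence and (tos_byte >> 1) & 0xF == tos

def uncovered_bytes(dscp, tos_values=None):
    """ToS bytes on which a dscp match and the precedence/ToS ACEs disagree."""
    precedence, all_tos = dscp_to_prec_tos(dscp)
    tos_values = all_tos if tos_values is None else tos_values
    want = {b for b in range(256) if matches_dscp(b, dscp)}
    got = {b for b in range(256)
           if any(matches_prec_tos(b, precedence, t) for t in tos_values)}
    return sorted(want ^ got)

if __name__ == "__main__":
    prec, tos_values = dscp_to_prec_tos(46)
    print("DSCP 46 -> precedence", prec, "ToS", tos_values)
    # A single ACE on ToS 12 misses DSCP 46 packets whose upper ECN bit is set.
    print("missed with ToS 12 only:", [f"{b:#04x}" for b in uncovered_bytes(46, [12])])
    print("missed with both ACEs:  ", uncovered_bytes(46))
```
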

Table 30: Class-of-Service (CoS) Packet Handling

WMM Priority Desired    CLI CoS Value to Enter
Background              1 or 2
Best effort             0 or 3
Video                   4 or 5
Voice                   6 or 7