mls qos trust cos and service-policy input

aalejo
Level 5

If mls qos trust cos and service-policy input are applied on the same interface which one takes preference?

a) mls qos trust cos uses the cos-to-dscp map for getting the final DSCP value

b) service-policy input can have their own mapping depending on the policy configuration for getting the DSCP value

Also service-policy input can do some policy and mls qos trust cos does not.

I am seeing both commands being applied when using auto-qos for ip phones.

Thanks

11 Replies

gmendivi
Cisco Employee

Hello aalejo,

I understand that you are using "auto qos voip cisco-phone" and you observed a configuration similar to the following:

class-map match-all AutoQoS-VoIP-RTP-Trust
match ip dscp ef
class-map match-all AutoQoS-VoIP-Control-Trust
match ip dscp cs3  af31
!
!
policy-map AutoQoS-Police-CiscoPhone
class AutoQoS-VoIP-RTP-Trust
  set dscp ef
  police 320000 8000 exceed-action policed-dscp-transmit
class AutoQoS-VoIP-Control-Trust
  set dscp cs3
  police 32000 8000 exceed-action policed-dscp-transmit

interface FastEthernet1/0/5
...
mls qos trust device cisco-phone
mls qos trust cos
auto qos voip cisco-phone
service-policy input AutoQoS-Police-CiscoPhone

The answer to your question can be found here:

http://tools.cisco.com/squish/1E6eb

cisco-phone

Identify this port as connected to a Cisco IP Phone, and automatically configure QoS for VoIP. The QoS labels of incoming packets are trusted only when the telephone is detected.


When you enter the auto qos voip cisco-phone interface configuration command on a port at the edge of the network that is connected to a Cisco IP Phone, the switch enables the trusted boundary feature. The switch uses the Cisco Discovery Protocol (CDP) to detect the presence or absence of a Cisco IP Phone. When a Cisco IP Phone is detected, the ingress classification on the port is set to trust the QoS label received in the packet. When a Cisco IP Phone is absent, the ingress classification is set to not trust the QoS label in the packet. The switch configures ingress and egress queues on the port according to the settings in Table 2-2 and Table 2-3


I hope it helps!

German



According to my experience service-policy are applied no matter if the port is trusted or not. That's why it looks like the policy remarking feature and the trusting feature are on a "collision course". I need to know which one is applied first.

Hello aalejo,

If the port is connected to a Cisco IP Phone, the QoS labels of incoming packets are trusted only when the telephone is detected (thus, "mls qos trust cos" takes precedence over the "service-policy input").

If the Cisco IP Phone is not detected (i.e. it is absent or packets come from a non Cisco IP Phone), the "service-policy input" applies.

I hope it helps!

German

Hi German

Do you know if this is documented somewhere? On the 3550 and 3650 it is clearly stated that the policy and the trust are mutually exclusive: the last command prevails.

Thanks for your answer.

- Alex

Hello Alex,

I used the document I mentioned in my first reply:

http://tools.cisco.com/squish/1E6eb

When you enter the auto qos voip cisco-phone interface configuration command on a port at the edge of the network that is connected to a Cisco IP Phone, the switch enables the trusted boundary feature. The switch uses the Cisco Discovery Protocol (CDP) to detect the presence or absence of a Cisco IP Phone. When a Cisco IP Phone is detected, the ingress classification on the port is set to trust the QoS label received in the packet. When a Cisco IP Phone is absent, the ingress classification is set to not trust the QoS label in the packet. The switch configures ingress and egress queues on the port according to the settings in Table 2-2 and Table 2-3

I hope it helps!

German

Hi German

Yes, I read that document. The policy map is not mentioned in that document when the trust is configured. It looks to me that the policy-map is also doing some work when the trust is configured.

I will lab to get some answers ...

Thanks

- Alex

Hello Alex,

The service-policies are configured by default when enabling auto-qos and will only apply if we don't discover a Cisco IP Phone via CDP.

Check these links in case they may be helpful:

http://tools.cisco.com/squish/317Cc

7. Cisco AutoQoS VoIP automatically creates either AutoQoS-Policy-Trust or AutoQoS-Policy-UnTrust to handle VoIP traffic on an interface or PVC. The user can tune the configurations within the AutoQoS-created policy map if desired. However, users are advised not to attach this policy map by service-policy command manually to an interface or PVC, as the above created policy map and its associated class maps and access lists will not be cleaned up if the no auto qos voip command is configured (to remove AutoQoS) (when no auto qos voip is issued on the interface/PVC and if the user does not attach the corresponding policy map to any other interfaces/PVC manually, all policy maps generated by Cisco AutoQoS and associated class maps and access lists will be removed completely)

http://tools.cisco.com/squish/078c9

Catalyst 3550 & 2950EI

auto qos voip cisco-phone - Extends trust boundary if IP Phone detected

However, in these kinds of situations, as you mentioned, the best is to test it in the lab to fully understand how it works.

Thanks,

German

Hi German

First, nice to have a chatting session about QoS!

Looking at the configs, the auto qos cisco-phones creates a class called "AutoQoS-VoIP-RTP-Trust" and this class is having a special treatment inside a policy map that is applied to the service port. From the class name I will deduce that this class is applied when the traffic is trusted and not when the traffic is NOT trusted.

My thinking is that:

1.- Traffic is trusted or not trusted on the port depending on "mls qos trust device cisco-phone" and if there is an IP Phone (CDP)

2.- If traffic is not trusted because a phone is not connected, it is re-marked as DSCP 0 (cos 0) and does not match any policy map class.

3.- If traffic is trusted because a phone is connected, the COS to DSCP map is applied and that means that voice gets DSCP 46 and signaling gets DSCP CS3.

4.- Voice Signaling and streaming Traffic matches the classes: AutoQoS-VoIP-Control-Trust and AutoQoS-VoIP-RTP-Trust

5.- Whatever is on the policy map is applied (policy, remark, etc)

By default, traffic from the PC if it is connected to an IP phone is remarked to cos 0 and translated to DSCP 0 and DOES not match any policy map class.

Then, first the trusting state of the ports is being watched and later the SAME traffic is sent to the policy map.

Hello Alex,

I think you understood it perfectly. Sorry for the confusion, I was wrong with my previous statement that service-policy will apply if traffic is not trusted.

The key point here is whether we are able to discover the Cisco IP Phone via CDP. If we do, we trust the DSCP/COS and apply the service policies automatically created with auto-qos (i.e. AutoQoS-Policy-Trust). Otherwise, traffic is not trusted and will be remarked as DSCP 0 (cos 0).

Thanks,

German

No problem!

Nice chatting with you!

- Alex

This is the best answer and thanks for clearing the confusion. I think it makes more sense that first trust and then apply policy map as opposed to just blindly trusting.
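
An added example, not from the thread or from Cisco: a Python check that reads interface blocks like the one posted above and reports, per port, whether the trust state is conditional on phone detection (`mls qos trust device cisco-phone`) and which input policy is attached. The sample configuration is constructed; ports 1/0/6 and 1/0/7 and the function names are invented for illustration.

```python
import re

# Constructed sample: Fa1/0/5 mirrors the excerpt in the thread,
# Fa1/0/6 and Fa1/0/7 are invented to show the other two outcomes.
SAMPLE = """\
interface FastEthernet1/0/5
 mls qos trust device cisco-phone
 mls qos trust cos
 auto qos voip cisco-phone
 service-policy input AutoQoS-Police-CiscoPhone
!
interface FastEthernet1/0/6
 mls qos trust cos
!
interface FastEthernet1/0/7
 switchport mode access
"""

def parse_interfaces(text):
    """Return {interface name: [sub-command lines]} from running-config text."""
    blocks, current = {}, None
    for raw in text.splitlines():
        m = re.match(r"interface\s+(\S+)", raw)
        if m:
            current = blocks.setdefault(m.group(1), [])
        elif not raw.startswith((" ", "\t")):
            current = None          # "!" or any top-level command closes the block
        elif current is not None and raw.strip():
            current.append(raw.strip())
    return blocks

def audit_port(cmds):
    """Classify one port's ingress trust boundary and attached input policy."""
    trust = next((c.split()[-1] for c in cmds
                  if re.fullmatch(r"mls qos trust (cos|dscp|ip-precedence)", c)), None)
    conditional = "mls qos trust device cisco-phone" in cmds
    policy = next((c.split()[-1] for c in cmds
                   if c.startswith("service-policy input ")), None)
    if trust is None:
        boundary = "untrusted"      # incoming labels are not honoured
    elif conditional:
        boundary = "conditional"    # labels honoured only while CDP sees a phone
    else:
        boundary = "unconditional"  # labels honoured from whatever is attached
    return {"trust": trust, "boundary": boundary, "input_policy": policy}

def audit(text):
    return {name: audit_port(cmds) for name, cmds in parse_interfaces(text).items()}
```

Ports reported as `unconditional` are the ones to review at the access edge, since nothing ties the trust state to a detected phone.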