11-05-2010 07:39 AM - edited 03-16-2019 01:45 AM
If mls qos trust cos and service-policy input are applied on the same interface, which one takes preference?
a) mls qos trust cos uses the cos-to-dscp map for getting the final DSCP value
b) service-policy input can have their own mapping depending on the policy configuration for getting the DSCP value
Also service-policy input can do some policy and mls qos trust cos does not.
I am seeing both commands being applied when using auto-qos for IP phones.
Thanks
11-10-2010 02:59 AM
Hello aalejo,
I understand that you are using "auto qos voip cisco-phone" and you observed a configuration similar to the following:
class-map match-all AutoQoS-VoIP-RTP-Trust
 match ip dscp ef
class-map match-all AutoQoS-VoIP-Control-Trust
 match ip dscp cs3 af31
!
!
policy-map AutoQoS-Police-CiscoPhone
 class AutoQoS-VoIP-RTP-Trust
  set dscp ef
  police 320000 8000 exceed-action policed-dscp-transmit
 class AutoQoS-VoIP-Control-Trust
  set dscp cs3
  police 32000 8000 exceed-action policed-dscp-transmit
interface FastEthernet1/0/5
 ...
 mls qos trust device cisco-phone
 mls qos trust cos
 auto qos voip cisco-phone
 service-policy input AutoQoS-Police-CiscoPhone
The answer to your question can be found here:
http://tools.cisco.com/squish/1E6eb
cisco-phone | Identify this port as connected to a Cisco IP Phone, and automatically configure QoS for VoIP. The QoS labels of incoming packets are trusted only when the telephone is detected. |
When you enter the auto qos voip cisco-phone interface configuration command on a port at the edge of the network that is connected to a Cisco IP Phone, the switch enables the trusted boundary feature. The switch uses the Cisco Discovery Protocol (CDP) to detect the presence or absence of a Cisco IP Phone. When a Cisco IP Phone is detected, the ingress classification on the port is set to trust the QoS label received in the packet. When a Cisco IP Phone is absent, the ingress classification is set to not trust the QoS label in the packet. The switch configures ingress and egress queues on the port according to the settings in Table 2-2 and Table 2-3.
I hope it helps!
German
11-11-2010 10:31 AM
According to my experience, service policies are applied no matter if the port is trusted or not. That's why it looks like the policy remarking feature and the trusting feature are on a "collision course". I need to know which one is applied first.
11-11-2010 11:55 PM
Hello aalejo,
If the port is connected to a Cisco IP Phone, the QoS labels of incoming packets are trusted only when the telephone is detected (thus, "mls qos trust cos" takes precedence over the "service-policy input").
If the Cisco IP Phone is not detected (i.e. it is absent or packets come from a non Cisco IP Phone), the "service-policy input" applies.
I hope it helps!
German
11-15-2010 06:37 AM
Hi German
Do you know if this is documented somewhere? On the 3550 and 3650 it is clearly stated that the policy and the trust are mutually exclusive: the last command prevails.
Thanks for your answer.
- Alex
11-15-2010 06:53 AM
Hello Alex,
I used the document I mentioned in my first reply:
http://tools.cisco.com/squish/1E6eb
When you enter the auto qos voip cisco-phone interface configuration command on a port at the edge of the network that is connected to a Cisco IP Phone, the switch enables the trusted boundary feature. The switch uses the Cisco Discovery Protocol (CDP) to detect the presence or absence of a Cisco IP Phone. When a Cisco IP Phone is detected, the ingress classification on the port is set to trust the QoS label received in the packet. When a Cisco IP Phone is absent, the ingress classification is set to not trust the QoS label in the packet. The switch configures ingress and egress queues on the port according to the settings in Table 2-2 and Table 2-3.
I hope it helps!
German
11-15-2010 07:06 AM
Hi German
Yes, I read that document. The policy map is not mentioned in that document when the trust is configured. It looks to me that the policy-map is also doing some work when the trust is configured.
I will lab to get some answers ...
Thanks
- Alex
11-15-2010 07:22 AM
Hello Alex,
The service-policies are configured by default when enabling auto-qos and will only apply if we don't discover a Cisco IP Phone via CDP.
Check these links in case they may be helpful:
http://tools.cisco.com/squish/317Cc
7. Cisco AutoQoS VoIP automatically creates either AutoQoS-Policy-Trust or AutoQoS-Policy-UnTrust to handle VoIP traffic on an interface or PVC. The user can tune the configurations within the AutoQoS-created policy map if desired. However, users are advised not to attach this policy map by service-policy command manually to an interface or PVC, as the above created policy map and its associated class maps and access lists will not be cleaned up if the no auto qos voip command is configured (to remove AutoQoS) (when no auto qos voip is issued on the interface/PVC and if the user does not attach the corresponding policy map to any other interfaces/PVC manually, all policy maps generated by Cisco AutoQoS and associated class maps and access lists will be removed completely)
http://tools.cisco.com/squish/078c9
Catalyst 3550 & 2950EI
However, in these kinds of situations, as you mentioned, the best is to test it in the lab to fully understand how it works.
Thanks,
German
11-15-2010 07:42 AM
Hi German
First, nice to have a chatting session about QoS!
Looking at the configs, the auto qos cisco-phone creates a class called "AutoQoS-VoIP-RTP-Trust" and this class is having a special treatment inside a policy map that is applied to the service port. From the class name I will deduce that this class is applied when the traffic is trusted and not when the traffic is NOT trusted.
My thinking is that:
1.- Traffic is trusted or not trusted on the port depending on "mls qos trust device cisco-phone" and if there is an IP Phone (CDP)
2.- If traffic is not trusted because a phone is not connected, it is re-marked as DSCP 0 (cos 0) and does not match any policy map class.
3.- If traffic is trusted because a phone is connected, the COS to DSCP map is applied and that means that voice gets DSCP 46 and signaling gets DSCP CS3.
4.- Voice signaling and streaming traffic matches the classes: AutoQoS-VoIP-Control-Trust and AutoQoS-VoIP-RTP-Trust
5.- Whatever is on the policy map is applied (policy, remark, etc)
By default, traffic from the PC, if it is connected to an IP phone, is remarked to cos 0 and translated to DSCP 0 and DOES not match any policy map class.
Then, first the trusting state of the ports is being watched and later the SAME traffic is sent to the policy map.
11-15-2010 08:33 AM
Hello Alex,
I think you understood it perfectly. Sorry for the confusion, I was wrong with my previous statement that service-policy will apply if traffic is not trusted.
The key point here is whether we are able to discover the Cisco IP Phone via CDP. If we do, we trust the DSCP/COS and apply the service policies automatically created with auto-qos (i.e. AutoQoS-Policy-Trust). Otherwise, traffic is not trusted and will be remarked as DSCP 0 (cos 0).
Thanks,
German
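The ingress order agreed on in the two posts above (trust decision first, then the policy map on the same traffic), written out as an added example that is not part of the original thread and not Cisco's implementation. The CoS-to-DSCP and policed-DSCP maps are assumptions chosen to agree with the values in the posts, the function names are hypothetical, and the policer ignores burst size.

```python
# Added illustration: a model of the ingress order described in the thread,
# not Cisco's implementation and not configuration from the original posts.

# Assumed CoS-to-DSCP map, chosen to agree with the post (CoS 5 -> 46, CoS 3 -> 24).
COS_TO_DSCP = [0, 8, 16, 24, 32, 46, 48, 56]

# Assumed policed-DSCP markdown map for exceed-action policed-dscp-transmit.
POLICED_DSCP = {24: 0, 26: 0, 46: 0}

# Classes of AutoQoS-Police-CiscoPhone as posted in the thread:
# (class name, DSCP values matched, DSCP set by the class, police rate in bit/s)
POLICY_MAP = [
    ("AutoQoS-VoIP-RTP-Trust", {46}, 46, 320000),         # match ef, set ef
    ("AutoQoS-VoIP-Control-Trust", {24, 26}, 24, 32000),  # match cs3 af31, set cs3
]


def ingress(cos, phone_detected, from_pc=False, offered_bps=0):
    """Return (final DSCP, matched class or None) for one flow on the access port."""
    # Trust boundary: CoS is honoured only while CDP sees a Cisco IP Phone.
    if not phone_detected:
        dscp = 0
    else:
        if from_pc:
            cos = 0  # the phone re-marks traffic from the attached PC to CoS 0
        dscp = COS_TO_DSCP[cos]

    # The policy map then runs on the SAME traffic, after the trust decision.
    for name, matches, set_dscp, rate_bps in POLICY_MAP:
        if dscp in matches:
            dscp = set_dscp
            if offered_bps > rate_bps:  # burst size ignored in this model
                dscp = POLICED_DSCP.get(dscp, dscp)
            return dscp, name
    return dscp, None  # no class matched: DSCP from the trust step is kept


def demo():
    """Constructed sample flows: label -> (final DSCP, matched class)."""
    flows = [
        ("phone RTP", 5, True, False, 80000),
        ("phone signalling", 3, True, False, 8000),
        ("PC behind phone", 5, True, True, 80000),
        ("no phone, CoS 5 set", 5, False, False, 80000),
        ("phone RTP over rate", 5, True, False, 500000),
    ]
    return {label: ingress(c, p, pc, bps) for label, c, p, pc, bps in flows}


if __name__ == "__main__":
    for label, (dscp, cls) in demo().items():
        print(f"{label:22s} -> DSCP {dscp:2d}, class {cls}")
```

On a real switch, the counterpart check is to compare the port's trust state and the policy-map counters in the lab, as suggested earlier in the thread.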
11-15-2010 08:35 AM
No problem!
Nice chatting with you!
- Alex
12-14-2018 01:20 PM
This is the best answer and thanks for clearing the confusion. I think it makes more sense to first trust and then apply the policy map as opposed to just blindly trusting.