2960X MLS Trust QOS best practices

PLC
Level 1

Hi! 

I am working on creating a template for the 2960X LAN Base and wanted to put some feelers out there to get some thoughts. From my understanding, it's best practice to put mls qos trust cos on the end-user access switchport that is configured for a data VLAN and a voice VLAN, configure mls qos trust dscp on the trunk port uplinks to other switches and the trunk port to the router, and configure mls qos trust cos for wireless access points.

1. The switch is LAN Base, so it may not be worth configuring mls qos trust cos or dscp? DSCP is IP-based, and that would not do anything for a pure Layer 2 switch.

2. Since it is LAN Base Layer 2, would it be best to configure a switchport mode trunk (uplink to another switch) with mls qos trust dscp? Or should it all be CoS since it's default dot1q?

3. For the trunk port interface connected to the router, should I put an mls qos trust? CoS or DSCP?

4. For wireless access points, would it be right to configure mls qos cos? Or dscp, or nothing?

End-user switchport with data access VLAN and voice VLAN:

!

interface GigabitEthernet1/0/10
switchport access vlan 10
switchport mode access
switchport nonegotiate
switchport voice vlan 105
srr-queue bandwidth share 1 30 35 5
priority-queue out
mls qos trust device cisco-phone
mls qos trust cos
auto qos voip cisco-phone
spanning-tree portfast
spanning-tree bpduguard enable
service-policy input AUTOQOS-SRND4-CISCOPHONE-POLICY

Trunk connected to switch 2

interface GigabitEthernet1/0/24
switchport mode trunk
mls qos trust dscp

10 Replies

Mark Malone
VIP Alumni

Hi

1 LanBase supports DSCP ......

Additional QoS capabilities: The LAN Base IOS supports policing, class and policy maps, differentiated services code point (DSCP), AutoQoS, and configurable queue weights, buffers, and thresholds 

2 configure access ports as mls qos trust dscp and uplinks as mls qos trust dscp

3 dscp

4 dscp

other option

access ports trust mls qos cos, but then make sure the auto-generated mappings are correct in global config and CoS maps to DSCP 5-46

mls qos map cos-dscp 0 8 16 24 32 46 48 56
                       1 2  3  4  5

You don't need auto qos enabled if using mls; it's overkill. Use one or the other.

You can test that QoS is working by checking show mls qos int gx/x statistics, or by sticking a SPAN session on an uplink, opening Wireshark, and checking your packets are marked with EF.

If phones switches support DSCP, it's always best to use DSCP instead of CoS.

Thank you both.

OK, it makes sense that having auto and mls configured on an access port would be overkill. I will remove the trust cos on the access ports. So it's preferred to leave mls trust dscp on the trunk uplinks to other switches?

So it's preferred to leave mls trust dscp on the trunk uplinks to other switches?

Hmm, "preferred", really depends on what you want your QoS to do.  That said, if you're supporting L3 ToS, for devices that don't implicitly already "trust" DSCP, I would expect to see it.

Thanks Joseph. One more question..

What does the auto qos trust command do, instead of hardcoding mls qos trust cos or dscp?

I recall (?) the auto qos command configures the port (and device) to support Cisco auto QoS model, that's supported by the IOS version.  (Their latest version might still be based on the SRND QoS v4 model.)

BTW, removing auto qos doesn't automatically remove all the other QoS statements that might have been added.  One reason for this, after auto qos adds whatever it adds, you can modify the configuration.

OK, so does that command need to be configured in addition to the mls qos trust (cos/dscp)?

BTW, the IOS version is flash:/c2960x-universalk9-mz.150-2.EX5/c2960x-universalk9-mz.150-2.EX5.bin

In theory, when using auto QoS, you only need the auto QoS command.

In my practical experience, auto qos commands will apply the QoS template that is coded into the specific version of the switch IOS. So using the auto qos command is something of an evolution that could apply a new template configuration when the switch software is updated.

Auto QoS isn't magic or overkill. If you apply auto-qos to a port and then manually remove the additional qos commands that are added in addition to the auto qos line, the net result is no QoS at all.

Using auto-qos then is something of a 'one-shot' configuration command to get the set of commands in the template applied to the port.

Joseph W. Doherty
Hall of Fame

Like Mark, I would want to use packet's ToS (DSCP) rather than a VLAN frame's CoS.

If you have traffic that is using VLAN frame CoS, and only it, you might also consider using it to determine the packet's ToS.

As to the subject of "trust", much depends on whether you really "trust" what's being provided to you, and where you're seeing it.  At the edge, or at the first policy check that comes from an edge, you might want to trust but verify and/or limit special marking bandwidth consumption.  Once you're beyond the edge policy check, you often just trust markings (because you have, in theory, verified that what you're seeing at later QoS usage points is already valid).
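
A way to check a template against the trust-boundary advice in this thread, as an added example that is not code from any of the posters: it reads IOS-style config text, reports each port's `mls qos trust` state, flags access ports that trust markings without the `mls qos trust device` condition, and reads which DSCP the `cos-dscp` map gives CoS 5. The function names, the sample config and the "REVIEW" label are assumptions of this example; 40 is the platform's default CoS 5 mapping when no map line is configured.

```python
import re

# Constructed sample config (not from the thread), modelled on the stanzas posted above.
SAMPLE_CONFIG = """\
mls qos map cos-dscp 0 8 16 24 32 46 48 56
interface GigabitEthernet1/0/10
 switchport mode access
 mls qos trust device cisco-phone
 mls qos trust cos
!
interface GigabitEthernet1/0/11
 switchport mode access
 mls qos trust dscp
!
interface GigabitEthernet1/0/24
 switchport mode trunk
 mls qos trust dscp
"""

def parse_interfaces(config):
    """Return {interface name: [stanza lines]}; a stanza ends at '!' or a blank line."""
    ports, current = {}, None
    for line in map(str.strip, config.splitlines()):
        if line.startswith("interface "):
            current = ports.setdefault(line.split(None, 1)[1], [])
        elif line in ("", "!"):
            current = None
        elif current is not None:
            current.append(line)
    return ports

def audit_trust(config):
    """Map each port to its trust state, flagging unconditional trust on access ports."""
    report = {}
    for name, lines in parse_interfaces(config).items():
        m = re.search(r"^mls qos trust (cos|dscp)$", "\n".join(lines), re.M)
        state = "trust " + m.group(1) if m else "no trust"
        if m and any(l.startswith("mls qos trust device ") for l in lines):
            state = "conditional " + state   # trusted only when the named device is detected
        elif m and "switchport mode access" in lines:
            state = "REVIEW: unconditional " + state + " at the edge"
        report[name] = state
    return report

def cos5_to_dscp(config):
    """DSCP that CoS 5 maps to; 40 (CS5) is the default when no map line is present."""
    m = re.search(r"^mls qos map cos-dscp((?: \d+){8})\s*$", config, re.M)
    return int(m.group(1).split()[5]) if m else 40
```

Run `audit_trust()` over the rendered template before deployment; a trunk that trusts DSCP is reported without a flag because it sits behind the edge check described above.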
