CISCO 2960 access switch -QOS

alison.hou
Level 1

I am creating an input QOS service policy to classify my business critical traffic. Can I use mls qos trust dscp to trust IP phones and service-policy QOS-LAN for my business critical traffic on the same interface?

interface FastEthernet0/1
 description VOIP-NETWORK DEVICES
 switchport access vlan 100
 switchport mode access
 switchport voice vlan 200
 srr-queue bandwidth share 10 10 60 20
 priority-queue out
 mls qos trust dscp
 auto qos voip trust
 no cdp enable
 service-policy input QOS-LAN

thanks,

Alison

6 Replies

Peter Paluch
Cisco Employee

Hello Alison,

Can I use mls qos trust dscp to trust IP phones and service-policy QOS-LAN for my business critical traffic on the same interface?

I am afraid you cannot. According to:

http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/15.0_2_se/command/reference/cli2.html#wp6193114

Classification using a port trust state (for example, mls qos trust [ cos | dscp| ip-precedence ] ) and a policy map (for example, service-policy input policy-map-name) are mutually exclusive. The last one configured overwrites the previous configuration.

You will have to deal with all traffic using only one of these approaches.

Best regards,

Peter
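Added example, not part of the thread: a small pre-deployment check that applies the rule quoted above to a planned configuration script, reporting each interface where both a port trust state and an input policy map are entered, and which of the two ends up effective (the last one entered). The sample script, its interface names and the function name `find_conflicts` are constructed for illustration; `auto qos` macros are not expanded.

```python
import re

# Constructed sample script, modeled on the interface in the question
# (not captured from a real device).
SAMPLE = """\
interface FastEthernet0/1
 switchport access vlan 100
 mls qos trust dscp
 service-policy input QOS-LAN
!
interface FastEthernet0/2
 service-policy input QOS-LAN
!
interface GigabitEthernet0/1
 service-policy input QOS-LAN
 mls qos trust dscp
"""

TRUST = re.compile(r"^mls qos trust(?: (cos|dscp|ip-precedence))?$")
POLICY = re.compile(r"^service-policy input (\S+)$")

def find_conflicts(script):
    """Return {interface: (overwritten_cmd, effective_cmd)} for every port
    where a trust state and an input policy map are both entered."""
    last = {}                      # interface -> (kind, last command entered)
    conflicts, current = {}, None
    for raw in script.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            continue
        if line in ("!", "exit", "end"):
            current = None         # left interface configuration mode
        if current is None or not line:
            continue
        negated = line.startswith("no ")
        cmd = line[3:] if negated else line
        kind = "trust" if TRUST.match(cmd) else "policy" if POLICY.match(cmd) else None
        if kind is None:
            continue
        prev = last.get(current)
        if negated:                # "no ..." removes that kind if it was set
            if prev and prev[0] == kind:
                del last[current]
            continue
        if prev and prev[0] != kind:
            conflicts[current] = (prev[1], cmd)   # earlier one is overwritten
        last[current] = (kind, cmd)
    return conflicts
```
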

THANKS FOR THE INPUT.

I applied service-policy after configuring mls qos trust. But I did not see any matched packets by typing show policy-map interfaces

How do I verify that my input policy has been correctly configured and is matching packets? See the result here: I did see some matched packets from my router but not much.

From the 2960 access switch:

FastEthernet0/2
  Service-policy input: QOS-LAN
    Class-map: BUSCRIT-INTER-1 (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: access-group name ACL-BUSCRIT-INTER-1
        0 packets, 0 bytes
        5 minute rate 0 bps
    Class-map: BUSCRIT-INTER-2 (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: access-group name ACL-BUSCRIT-INTER-2
        0 packets, 0 bytes
        5 minute rate 0 bps
    Class-map: BUSCRIT-TRANS-1 (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: access-group name ACL-BUSCRIT-TRANS-1
        0 packets, 0 bytes
        5 minute rate 0 bps
    Class-map: BUSCRIT-TRANS-2 (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: access-group name ACL-BUSCRIT-TRANS-2
        0 packets, 0 bytes
        5 minute rate 0 bps
    Class-map: class-default (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
        0 packets, 0 bytes
        5 minute rate 0 bps

Hello Alison,

The statistics in the show policy-map output are not to be trusted - the reason is that these switches are performing the operations in hardware while the counters shown in this output are based on software packet processing that does not take place on switches.

The command reference at

http://www.cisco.com/en/US/docs/switches/lan/catalyst2960/software/release/12.2_55_se/command/reference/cli2.html#wp1948343

states: Though visible in the command-line help string, the control-plane and interface keywords are not supported, and the statistics shown in the display should be ignored.

Unfortunately, I have no immediate idea how to verify that your configuration works indeed. Generally, this is a problem on platforms where the packet processing is offloaded to specialized hardware.

Best regards,

Peter

Thanks for the information. That made me feel better.

Will the show policy-map work in a router (2801 or 2911 etc)? I did see some traffic there. Are the results correct?

Serial0/1/0
  Service-policy output: QOS-WAN
    Class-map: VOIP (match-any)
      1132010 packets, 73940855 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: ip dscp ef (46)
        1132010 packets, 73940855 bytes
        5 minute rate 0 bps
      Queueing
        Strict Priority
        Output Queue: Conversation 264
        Bandwidth 40 (%)
        Bandwidth 614 (kbps) Burst 15350 (Bytes)
        (pkts matched/bytes matched) 17268/1149112
        (total drops/bytes drops) 0/0
    Class-map: BUSCRIT-INTER (match-any)
      104901 packets, 17929287 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: ip dscp af31 (26)
        104724 packets, 17888299 bytes
        5 minute rate 0 bps
      Match: ip dscp af32 (28)
        177 packets, 40988 bytes
        5 minute rate 0 bps
      Queueing
        Output Queue: Conversation 265
        Bandwidth 36 (%)
        Bandwidth 552 (kbps)Max Threshold 64 (packets)
        (pkts matched/bytes matched) 2607/862982
        (depth/total drops/no-buffer drops) 0/0/0
    Class-map: BUSCRIT-TRANS (match-any)
      698338 packets, 45863498 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: ip dscp af21 (18)
        697992 packets, 45783119 bytes
        5 minute rate 0 bps
      Match: ip dscp af22 (20)
        346 packets, 80379 bytes
        5 minute rate 0 bps
      Queueing
        Output Queue: Conversation 266
        Bandwidth 18 (%)
        Bandwidth 276 (kbps)Max Threshold 64 (packets)
        (pkts matched/bytes matched) 6171/4969583
        (depth/total drops/no-buffer drops) 0/0/0
    Class-map: class-default (match-any)
      1634436 packets, 338482388 bytes
      5 minute offered rate 38000 bps, drop rate 0 bps
      Match: any
      Queueing
        Flow Based Fair Queueing
        Maximum Number of Hashed Queues 256
        (total queued/total drops/no-buffer drops) 0/1026/0

Alison

Hi Alison,

Yes, on software based routers such as ISR or ISR G2, the show policy-map counters are correct and you can trust them.

Best regards,

Peter

Eloy Pascal
Level 1

You have to think in terms of trust, regardless of whether IOS accepts the configuration or not. To make the point clearer: if the port is trusted (meaning, for example, it is an uplink port to a distribution switch or next-hop router), then you configure "mls qos trust dscp"; however, if the port is untrusted (meaning, for example, the port connects to an end host), then you want to mark incoming packets with an inbound policy like "service-policy input QOS-LAN". I recommend this set of commands as well, whether the port is trusted or untrusted: "priority-queue out", "queue-set 1", "srr-queue bandwidth share 10 10 60 20", and "srr-queue bandwidth shape 10 0 0 0". The reason for these 4 commands is that the Cat2960 does not provide the optimum egress queueing configuration. Specifically, this occurs when one type of traffic predominates on the switch ports, usually when the switch is used to connect a server (then you can see drops in some queues while other queues are underutilized. This is due to the way the buffer resources have been divided between the queues).