
mls trust qos question

scottman29
Level 1

We have a medium-sized campus. Our 2950/60's trunk back to our 3550/60's and those trunk back to our 6500 core. We also run a Call Manager server with several IP phones. I inherited this network and was never able to talk to the original consultants that set up the switches and the Call Manager.

The question is: We have MLS trust COS set up on just about every switch that will support it. It is set up both globally and on the ports. We recently had traffic problems that resolved down to changing the queue size on some of our 3560 switches. I've read up a bit on QOS from Cisco, but have not really figured out where exactly MLS trust QOS has to be set. Does it need to be set on trunks? For instance, the trunks from the 3560's back to the core were done as switchport access vlan x instead of trunk ports. MLS trust QOS is set up on these ports. Does it need to be set up between switches like this? Or does it just need to be set up on the switch itself, and only the ports where QOS needs to be controlled?

Thanks!


cadet alain
VIP Alumni

Hi,

"for instance, the trunks from the 3560's back to the core were done as switchport access vlan x instead of trunk ports."

This command doesn't change the port to an access port; it can still be a trunk port.

The global command for QoS is mls qos, and then on interfaces you can trust cos or dscp.

CoS is a 3-bit value valid on trunk ports only; untagged traffic hasn't got any CoS value.

The best practice is to trust on access and distribution switches. On access you can trust conditionally if you have Cisco phones, and on trunks you can trust cos.

Core switches should concentrate on one thing only: forward traffic.

Regards.

Alain.

Don't forget to rate helpful posts.

Thanks for your reply Alain.

So as another example, our core doesn't have any phones on it at all, it just forwards out to the distribution switches. Yet MLS QOS is enabled globally, and mls qos trust cos is on almost all of our access ports, even though those access ports do not have phones connected to them. These access ports connect the core to various distribution switches. So I am wondering what the implications of removing mls qos from the core entirely would be. Does mls qos need to be set on every switch? Or only if you are trying to control qos?

One thing that might be important to note is that our call manager and our 2691 voice gateway router are also connected to the core. So I'm afraid if I remove the mls command, it would negatively impact my phone system.

Thanks again!

On Tue, Mar 8, 2011 at 10:06 AM, cadetalain <

Hi Scott,

When you enable mls qos globally on a switch, it puts all the ports in an "untrusted" state. You then manually set whatever ports (access/trunk) to "trust".

Without the "mls qos" globally, all the ports enter in trust state by default. The "mls qos" command globally turns on additional features on the switch.

"mls qos" globally enabled helps to use QoS classification, policing, mark down or drop, queueing, and traffic shaping features in HW.

In regards to your CCM and Gateway, you can set those ports to "trust" and leave the others to a non-trust.

HTH,

Regards,

Kishore

Please rate if helpful

Hi,

"Without the "mls qos" globally, all the ports enter in trust state by default"

For 3550-3560, without the mls qos command the switch doesn't care about QoS and everything is Best Effort, so no trust state in this case.

On 2950 the default is all ports untrusted (no need for mls qos command).

For other models you'll have to look at the config guides.

Regards.

Alain.

Don't forget to rate helpful posts.
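
One way to review where trust is actually configured, following the points made in the replies above (global mls qos, conditional trust on access ports, CoS only on tagged frames). This is an added example, not part of the thread; the sample configuration is constructed and the function name audit_trust is hypothetical. It assumes only ports with an explicit switchport mode trunk are trunks.

```python
import re

# Constructed sample configuration (not taken from the thread).
SAMPLE_CONFIG = """\
mls qos
!
interface FastEthernet0/1
 switchport mode access
 switchport voice vlan 110
 mls qos trust device cisco-phone
 mls qos trust cos
!
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 10
 mls qos trust cos
!
interface GigabitEthernet0/1
 switchport mode trunk
 mls qos trust cos
!
interface FastEthernet0/3
 switchport mode access
"""

def audit_trust(config):
    """Return (qos_enabled, {interface: [findings]}) for trusted ports only."""
    # The global command is the bare line "mls qos" with nothing after it.
    qos_enabled = re.search(r"^mls qos\s*$", config, re.M) is not None
    findings = {}
    for block in re.split(r"^(?=interface )", config, flags=re.M)[1:]:
        lines = [l.strip() for l in block.splitlines()]
        name = lines[0].split(None, 1)[1]
        trust = next((l.split()[-1] for l in lines
                      if re.fullmatch(r"mls qos trust (cos|dscp)", l)), None)
        if trust is None:
            continue  # no trust statement on this port: nothing to review
        notes = []
        if not qos_enabled:
            notes.append("trust configured but global 'mls qos' is missing")
        # Assumption: only an explicit "switchport mode trunk" marks a trunk.
        if "switchport mode trunk" not in lines:
            if "mls qos trust device cisco-phone" not in lines:
                notes.append(f"unconditional trust {trust} on a non-trunk port")
            has_voice = any(l.startswith("switchport voice vlan") for l in lines)
            if trust == "cos" and not has_voice:
                notes.append("trust cos with no voice VLAN: untagged frames carry no CoS")
        findings[name] = notes
    return qos_enabled, findings
```

An empty findings list means the port's trust statement matches the practice described in the replies; ports without a trust statement are not listed.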

Thanks Alain. Stars to you for that. I should have made myself clear about different switch models.

Regards,

Kishore

scottman29
Level 1

Thanks for all your help on this. Do either of you know where the info is covered in any of the Cisco tracks? I was reading some of the Cisco documentation online, but the concept kind of escapes me. Do you know if it's in the Cisco SWITCH book for CCNP?

Your help has been greatly appreciated!

It's covered in the QoS exam certification guide for CCIP curriculum.

Regards.

Alain.

Don't forget to rate helpful posts.

scottman29
Level 1

To add just another dimension to this question, I was having speed issues on a few of my switches, and after researching on the internet, found that if I modified the QOS queue, it would help the problem. I'm not sure why it worked for one, and the other question would be how do I know that the speed issues are related to this solution?

So could you tell me why this works first of all, and then how to test for it on the switches second of all.

Thanks!

mls qos queue-set output 1 threshold 2 400 400 100 400
mls qos queue-set output 1 buffers 15 45 20 20
