NX-OS QoS - DSCP marking takes place before static nat

GediCoder08111
Level 1

Hi,
I'm testing a QoS service policy to mark all outgoing packets with DSCP CS3 on NX-OS on 9300 ver 9.3.(1). The service policy is applied to the uplink interface.
The subnet which this policy is applied to (Floating subnet) is not configured on the switch; instead, only a portion of the addresses are being used in a cloud platform that is advertising only those addresses being used by the platform to the switch via BGP. And only those addresses are then configured in the routing table. Some of the IP addresses from the upper range of the floating subnet are used for static NAT to route out of the cluster.
The cloud platform is using a private segment (i.e. 192.168.6.1/24) which has a GW on the switch.
Floating subnet is 10.1.1.0/27, which is also configured in an IP access list that the policy is referencing.
Static NAT rules essentially translate from the 192.168 IPs to IPs from the upper range of the 10.1.1.x segment.

The problem I'm seeing is when I apply the service policy on the uplink, only the addresses used by the platform and thus configured in the routing table (the lower range of the floating subnet) are being marked correctly with CS3, but none of the global inside NATted addresses (those that have been translated to the upper range of the floating subnet).
I tried to find any documentation on precedence on operation between QoS and NAT, but found nothing clear to suggest that a QoS policy applies before Nat.
I could clearly see this is the case, because when I added the private segment into the same access list where the floating subnet is configured, all Natted IP addresses were marked correctly.
Is this the correct behavior or an issue with NXOS?
If it's documented somewhere pls point me to it, also if there is a better alternative to the above configuration, pls do propose.
Here is the applicable configuration:

ip access-list FloatingSubnet
10 permit ip 10.1.1.0/25 any

Static Nat:
ip nat inside source static 192.168.6.10 10.1.1.30 add-route
ip nat inside source static 192.168.6.11 10.1.1.29 add-route

interface Vlan3
description "private"
ip address 192.168.6.1/24
ip nat inside

interface eth1/54
description "public"
service-policy type qos output SET_DSCP
ip address 10.2.2.1/30
ip nat outside

Policy-map:

Type qos policy-maps
====================

policy-map type qos SET_DSCP
Description: mark floating subnet with DSCP CS3
class MATCH_FLOATING_SUBNETS
set dscp 24

Class-map:
Type qos class-maps
====================

class-map type qos match-any MATCH_FLOATING_SUBNETS
Description: match floating subnet
match access-group name FloatingSubnet
