2960x QoS to mark dscp

p.juarezponte
Level 1

Hello Community

I am trying to implement what should be an easy configuration, but I am facing some problems.

I just need to mark some packets from the hosts connected to my system.

I have some C2960XR running 15.2(4)E6, working as layer 3 devices.

I am copying the relevant config:

mls qos

!
!
class-map match-any CLASS_CRITICAL_DATA_IN
 match access-group name ACL_CRITICAL_DATA
 match ip dscp af31
class-map match-any CLASS_VOICE_RTP_IN
 match ip dscp ef
 match access-group name ACL_VOICE_RTP
class-map match-any CLASS_VOICE_SIGNALING_IN
 match ip dscp af41
 match access-group name ACL_VOICE_SIGNALING
class-map match-any CLASS_NETWORK-MGMT_IN
 match access-group name ACL_NETWORK-MGMT
 match ip dscp cs2
class-map match-any CLASS_NETWORK-CTRL_IN
 match access-group name ACL_NETWORK-CTRL
 match ip dscp cs6
!
policy-map MARK_INPUT
 class CLASS_NETWORK-CTRL_IN
  set ip dscp cs6
 class CLASS_VOICE_RTP_IN
  set ip dscp ef
 class CLASS_VOICE_SIGNALING_IN
  set ip dscp af41
 class CLASS_CRITICAL_DATA_IN
  set ip dscp af31
 class CLASS_NETWORK-MGMT_IN
  set ip dscp cs2
 class class-default
  set ip dscp default
!

 

The problem is that when I apply the policy-map to the interface, I don't see errors, but the interface doesn't actually get it:


SW-RED-ISO10(config)#
SW-RED-ISO10(config)#interface Vlan20
SW-RED-ISO10(config-if)#
SW-RED-ISO10(config-if)#service-policy input MARK_INPUT
SW-RED-ISO10(config-if)#
SW-RED-ISO10(config-if)#do sh run int vlan 20
Building configuration...

Current configuration : 101 bytes
!
interface Vlan20
description VCS_LAN
ip address 10.3.20.1 255.255.255.0
ip pim sparse-mode
end

 

 

SW-RED-ISO10(config)#
SW-RED-ISO10(config)#interface GigabitEthernet1/0/37
SW-RED-ISO10(config-if)#
SW-RED-ISO10(config-if)#service-policy input MARK_INPUT
SW-RED-ISO10(config-if)#
SW-RED-ISO10(config-if)#do sh run interface GigabitEthernet1/0/37
Building configuration...

Current configuration : 171 bytes
!
interface GigabitEthernet1/0/37
description VCS CWP 2 Eth0
switchport access vlan 20
switchport mode access
speed 100
duplex full
spanning-tree portfast edge
end

 

SW-RED-ISO10#sho mls qos interface GigabitEthernet1/0/37
GigabitEthernet1/0/37
trust state: not trusted
trust mode: not trusted
trust enabled flag: ena
COS override: dis
default COS: 0
DSCP Mutation Map: Default DSCP Mutation Map
Trust device: none
qos mode: port-based

 

Could anybody help me?

Should I apply policy to virtual interfaces (interface vlan) or to physical interfaces?

 

Thanks for your help

4 Replies

coolbreeze
Level 1

1)  Can you clarify what exactly is the end goal you are wanting?  It looks like all the class-maps "match any," based on ACL or ip dscp value specified - then the policy-map (re-)marks the traffic with same dscp value from the class-map match statements.  Is this the desired behavior?  Can you provide configs of your ACLs used for the class-map matching criteria also to help further clarify the end result?

 

2)  Is the issue also that the service-policy input command is not displayed in the running-config of the SVI or the Gi1/0/37, so unsure if it was applied or not?  Are you able to execute and supply the output of these commands to verify the QoS?

  • #show run all | beg interface GigabitEthernet1/0/37      (need to include only the output for that interface)
  • #show run all | beg interface Vlan20     (need to include only the output for that interface)
  • #show policy-map MARK_INPUT
  • #show policy-map interface Gi1/0/37
  • #show policy-map interface vl 20

Wasn't exactly sure why the service-policy cmd was applied on both the SVI and the physical interface...

The below is from the QoS configuration guide for C2960XR running 15.2(4)E code, indicating to do either one or the other -

 

"Follow these guidelines when configuring policy maps on physical ports or SVIs:

 

  • You cannot apply the same policy map to a physical port and to an SVI.

  • If VLAN-based QoS is configured on a physical port, the switch removes all the port-based policy maps on the port. The traffic on this physical port is now affected by the policy map attached to the SVI to which the physical port belongs."

 

Hello coolbreeze,

The goal of this configuration was to remark the traffic.

Some of it was being sent as cs0 (ssh, for example).

The problem appeared when I was trying to apply the policy:

I couldn't apply it on the physical port or the SVI.

Oct 11 13:03:57.796: %QOS-6-POLICY_INST_FAILED:  Service policy installation failed

 

I could fix it and remark traffic by removing the match dscp statements.

 

This is my config now:

class-map match-any CLASS_CRITICAL_DATA_IN
 match access-group name ACL_CRITICAL_DATA
class-map match-any CLASS_VOICE_RTP_IN
 match access-group name ACL_VOICE_RTP
class-map match-any CLASS_VOICE_SIGNALING_IN
 match access-group name ACL_VOICE_SIGNALING
class-map match-any CLASS_NETWORK-MGMT_IN
 match access-group name ACL_NETWORK-MGMT
class-map match-any CLASS_NETWORK-CTRL_IN
 match access-group name ACL_NETWORK-CTRL
!
policy-map MARK_INPUT
 class CLASS_NETWORK-CTRL_IN
  set ip dscp cs6
 class CLASS_VOICE_RTP_IN
  set ip dscp ef
 class CLASS_VOICE_SIGNALING_IN
  set ip dscp af41
 class CLASS_CRITICAL_DATA_IN
  set ip dscp af31
 class CLASS_NETWORK-MGMT_IN
  set ip dscp cs2
 class class-default
  set ip dscp default

 

int range gi1/0/1-50
service-policy input MARK_INPUT

 

It works and is being remarked, but I am not sure if it's better to apply the policy on the interface vlan or the physical port.

Any suggestions?

 

 

Sounds like you got it working then.

And good question...

After researching, according to QoS documentation for that switch, one specific difference between applying QoS to a physical interface vs. SVI is:

"You can configure policing (either individual or aggregate policers) on a physical port or an SVI. When configuring policy maps on an SVI, you can create a hierarchical policy map and can define an individual policer only in the secondary interface-level policy map"

 

In other words, you can configure only individual policers on an SVI, not aggregate policers, in your policy maps.

 

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960xr/software/15-2_4_e/configuration_guide/b_1524e_consolidated_2960xr_cg/b_1524e_consolidated_2960xr_cg_chapter_0100101.html

 

Depending on how you have your egress QoS configured, that may help you determine if one is better than the other in your particular situation?

 

Hope that helps...

You have to do the marking on the physical ports and auto QoS trust dscp on the trunk.

Please mark helpful posts.