Re: [Cisco 3560] How to configure MAC based QoS?

rund · ‎11-18-2010

Hi,

I've tried to configure MAC based DSCP marking on a Cisco 3560 switch.

I was using the sample from the following Cisco site:

http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_25_se/configuration/guide/swqos.html#wp1032145 :




mac access-list extended WIFI-CLIENTS
 permit host 0027.1046.7350 any
 permit any host 0027.1046.7350
!

policy-map WIFI-CLIENTS
  class WIFI-CLIENTS
   set dscp af21

  class class-default
   set dscp default
!
interface FastEthernet0/5
 mls qos trust cos
 service-policy input WIFI-CLIENTS
!

The switch accepts all commands, but with "show run int fast0/5" I can only see one of them on the interface.

"mls qos..." is kicking the service-policy command and vise versa. The same thing happens on the VLAN interface.

If I try to configure the first command on the physical interface and the second one on the VLAN I get an error:

"Master SVI send all failed for interface Vlan3, cmd = 38".

If I use the service-policy without the "mls qos" command I can't see a match on "show policy-map interfaces" and "show access-lists":

Service-policy input: WIFI-CLIENTS

    Class-map: WIFI-CLIENTS (match-any)
      0 packets, 0 bytes
       offered rate 0 bps, drop rate 0 bps
      Match: access-group name WIFI-CLIENTS
        0 packets, 0 bytes
         rate 0 bps

    Class-map: class-default (match-any)
      0 packets, 0 bytes
       offered rate 0 bps, drop rate 0 bps
      Match: any
        0 packets, 0 bytes
         rate 0 bps
...

Extended MAC access list WIFI-CLIENTS
permit host 0027.1046.7350 any
permit any host 0027.1046.7350

Any idea what's causing this?

Do I have to enable somthing global? (already tried "mls qos", "ip routing", "ip cef" - doesn't work either)?

Do I need a special IOS?

show version:

Cisco IOS Software, C3560 Software (C3560-IPBASE-M), Version 12.2(25)SEB2, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2005 by Cisco Systems, Inc.
Compiled Tue 07-Jun-05 23:34 by yenanh

ROM: Bootstrap program is C3560 boot loader
BOOTLDR: C3560 Boot Loader (C3560-HBOOT-M) Version 12.2(25r)SEA, RELEASE SOFTWARE (fc)

de-ipc-ulmdon-sw-01 uptime is 1 hour, 59 minutes
System returned to ROM by power-on
System image file is "flash:c3560-ipbase-mz.122-25.SEB2/c3560-ipbase-mz.122-25.SEB2.bin"

cisco WS-C3560-48PS (PowerPC405) processor (revision L0) with 118784K/12280K bytes of memory.
Processor board ID CAT0927N0ZF
Last reset from power-on
6 Virtual Ethernet interfaces
48 FastEthernet interfaces
4 Gigabit Ethernet interfaces
The password-recovery mechanism is enabled.

512K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address       : 00:14:F2:59:41:00
Motherboard assembly number     : 73-9676-09
Power supply part number        : 341-0029-04
Motherboard serial number       : CAT09270EXJ
Power supply serial number      : DTH09247PAE
Model revision number           : L0
Motherboard revision number     : A0
Model number                    : WS-C3560-48PS-S
System serial number            : CAT0927N0ZF
SFP Module assembly part number : 73-7757-03
SFP Module revision Number      : A0
SFP Module serial number        : CAT09270ARR
Top Assembly Part Number        : 800-25859-03
Top Assembly Revision Number    : A0
Version ID                      : V04
CLEI Code Number                : CNMV3N0CRC
Hardware Board Revision Number : 0x01

Switch   Ports Model              SW Version              SW Image
------   ----- -----              ----------              ----------
*    1   52     WS-C3560-48PS      12.2(25)SEB2            C3560-IPBASE-M

Configuration register is 0xF

Edison Ortiz · ‎11-18-2010

You can't have a service-policy and a mls qos trust on the same interface.

If you want to trust all packets except those from the ACL, you must use the option 'trust cos' under the class class-default.

As for the policy-map counter, this is a software counter and QoS is done on ASICs (hardware based).

The commands you must use is 'show mls qos interface statistics'

Regards,

Edison

rund · ‎11-18-2010

Edit: Rewritten Version:

Hello again,

in the meantime I've done an IOS update to c3560-advipservicesk9-mz.122-44.SE6.bin.
Now the router can accept both commands on the interface at the same time.
But I still can't establish a working config (with or without mls qos).

I'm wondering that you're saying that I shouldn't use both commands at the same time, because this is stated on the Cisco sample:

Switch(config)# mac access-list extended maclist1
Switch(config-ext-mac)# permit 0001.0000.0001 0.0.0 0002.0000.0001 0.0.0
Switch(config-ext-mac)# permit 0001.0000.0002 0.0.0 0002.0000.0002 0.0.0 xns-idp
Switch(config-ext-mac)# exit
Switch(config)# mac access-list extended maclist2
Switch(config-ext-mac)# permit 0001.0000.0003 0.0.0 0002.0000.0003 0.0.0
Switch(config-ext-mac)# permit 0001.0000.0004 0.0.0 0002.0000.0004 0.0.0 aarp
Switch(config-ext-mac)# exit
Switch(config)# class-map macclass1
Switch(config-cmap)# match access-group maclist1
Switch(config-cmap)# exitSwitch(config)# policy-map macpolicy1
Switch(config-pmap)# class macclass1
Switch(config-pmap-c)# set dscp 63
Switch(config-pmap-c)# exit
Switch(config-pmap)# class macclass2 maclist2
Switch(config-pmap-c)# set dscp 45
Switch(config-pmap-c)# exit
Switch(config-pmap)# exit
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# mls qos trust cos
Switch(config-if)# service-policy input macpolicy1

Thank you for showing me the right command to view the policy matching, but I also can't see any matching for af21 there:

show mls qos int f0/5 st

FastEthernet0/5 (All statistics are in packets)
dscp: incoming-------------------------------
0 - 4 :        1262            0            0            0            0
5 - 9 :           0            0            0            0            0
10 - 14 :           0            0            0            0            0
15 - 19 :           0            0            0            0            0
20 - 24 :           0            0            0            0            0
25 - 29 :           0            0            0            0            0
30 - 34 :           0            0            0            0            0
35 - 39 :           0            0            0            0            0
40 - 44 :           0            0            0            0            0
45 - 49 :           0            0            0            0            0
50 - 54 :           0            0            0            0            0
55 - 59 :           0            0            0            0            0
60 - 64 :           0            0            0            0

I also tried a match-any IP ACL (second policy term to set dscp af11), but also no change with that.
I can't see any marked packets on the output interface as well.
On the "show mls qos int" output I can see that the policy is bound to the interface:

show mls qos int f0/5

FastEthernet0/5
Attached policy-map for Ingress: WIFI-CLIENTS
trust state: trust cos
trust mode: trust cos
trust enabled flag: ena
COS override: dis
default COS: 0
DSCP Mutation Map: Default DSCP Mutation MapTrust device: none
qos mode: port-based

Maybe I'm moving into a completely wrong direction so I want to explain the purpose of what I'm doing:

On the switchport FastEthernet0/5 I got an accesspoint (sadly not from Cisco and without QoS or VLAN capabilities)
I have two usergroups using this AP. The first groups are guests or lab users.
They can have a full speed VPN-Access or a very limited internet access.
The policing is done on the internet gateway by matching the dscp, set by the default-gateway of the clients.
The second group are standard employees which should get full internet access.
To simplify administration (on the router and the client side) both usergroups get DHCP adresses from the same network. According to that I have to use a MAC filter to seperate them.
Because VLAN advertising by MAC won't work when there are multiple clients on one switchport I think the separation can only be done by setting different DSCP values on the switch, based on the MAC ACL.

But even if there is another way I havn't thought about yet, now want to see how this one will work .