01-05-2009 01:10 AM - edited 03-06-2019 03:14 AM
Hello
I've been reading a book called End-to-End QoS Network Design, and the author suggests a setup which I don't think works. Anyway, I just wanted your opinion about it.
So I have a 3750 access switch with PoE; Cisco IP phones are connected to it, and PCs to the phones.
The author of the book suggests something like this (copy-paste):
CAT2970(config)#interface GigabitEthernet0/1
CAT2970(config-if)# switchport access vlan 10 ! DVLAN
CAT2970(config-if)# switchport voice vlan 110 ! VVLAN
CAT2970(config-if)# mls qos trust device cisco-phone ! Conditional Trust
CAT2970(config-if)# service-policy input IPPHONE+PC-BASIC ! Attaches policy
The policy-map references ip voice traffic.
My questions are:
That is a layer 2 port. As far as I understand it, the policy map should be put on a layer 3 interface because it references layer 3 traffic.
And second, on that interface there should also be "mls qos trust cos" so that the CoS is only trusted when the device connected is a Cisco phone.
01-05-2009 01:55 AM
Hello Ovidiu,
Yours are good questions.
The QoS configuration should work.
The port becomes an implicit mini 802.1Q trunk with only two VLANs.
The IP Phone will send out 802.1Q tagged frames with vlan-id=110 (voice VLAN) and CoS = 5.
The command mls qos trust cos is an alternate option of the command
mls qos trust [cos | device cisco-phone | dscp | ip-precedence]
see
And multilayer switches use an internal DSCP tag for QoS implementation.
From this comes all the DSCP to COS mapping for outbound queues.
The following chapter can help
Hope to help
Giuseppe
01-05-2009 02:29 AM
No, the author is correct (almost). Although this is a Layer-2 switchport, ingress service policies can be applied that reference layer-3 (or even layer-4) information; this is very common and adheres to the logic of classifying traffic as it enters the network.
What is slightly misleading is the conditional trust since you can either apply an ingress service policy or trust the markings, not both. In fact in later IOS releases I don't think this is even possible as typing one command will overwrite the other.
If you are applying conditional trust then you would have two lines in the configuration:
CAT2970(config-if)# mls qos trust device cisco-phone ! Conditional Trust
CAT2970(config-if)# mls qos trust cos|dscp ! Choose either DSCP or CoS
The issue with trusting DSCP in this case is that the host connected behind the IP Phone may set DSCP, which is probably not the desired behavior (can you imagine a PC marking FTP traffic with DSCP EF and 'hijacking' the priority queues?). This is why creating an ingress service policy is considered a better approach, as it allows you to identify each class of traffic (Voice RTP, Voice Signalling, Data etc.) and mark its DSCP value as it enters the switch. If you look at the service policy 'IPPHONE+PC-BASIC' you will see that there are four classes of traffic: Voice Media (RTP), Voice Signalling, Voice Other and everything else (class-default). Each class is marked with a DSCP value and indeed either dropped (RTP traffic over 128Kbps) or marked down for traffic exceeding its configured rate.
HTH
Andy
01-05-2009 02:52 AM
Hello Andy,
I may be wrong, but my understanding is different.
Classification using a port trust state (for example, mls qos trust [cos | dscp | ip-precedence]) and a policy map (for example, service-policy input policy-map-name) are mutually exclusive. The last one configured overwrites the previous configuration.
see
So in this case the mls qos trust cos|dscp is overridden by the input service-policy.
Hope to help
Giuseppe
01-05-2009 03:02 AM
Giuseppe / Andy
Actually the documentation is even more confusing. From the 3750 configuration doc -
Beginning with Cisco IOS Release 12.2(40)SE, a policy-map and a port trust state can both run on a physical interface. The policy-map is applied before the port trust state.
Full link -
Unfortunately I don't have a 3750 to test with. Andy, have you tried this on a 3750 running 12.2(40)SE or above?
Jon
01-05-2009 03:16 AM
Hi Jon, I hope you had a good Christmas & New Year?
With 12.2(46)SE the last command you added is applied - for example if I do this:
switch(config-if)# mls qos trust dscp
switch(config-if)# service-policy input qos-policy
Then the service-policy command is shown in the configuration. If I do it the other way around:
switch(config-if)# service-policy input qos-policy
switch(config-if)# mls qos trust dscp
Then the 'mls qos trust dscp' appears in the configuration. I seem to remember in earlier releases both commands appeared in the configuration; however, they are mutually exclusive, so I assume the code was changed to reflect this.
Andy
01-05-2009 02:37 PM
Andy
Thanks for confirming that. Looks like the documentation is a bit misleading then.
Yep had a good xmas and New Year due mainly to a fair amount of whisky :-).
Hope you had a good one too.
Jon
01-20-2009 01:56 AM
Andy, Jon and others,
On another topic I have been raising the same/similar question. See this thread:
Jon pointed me to this thread. After some investigation I confirm the service-policy and mls qos trust are mutually exclusive, and only older versions keep showing the mls qos trust comments, although they do not work after adding the service policy.
I also found the documentation to support this. See this link:
http://www.cisco.com/en/US/products/hw/switches/ps5023/products_tech_note09186a0080883f9e.shtml
In this doc the following is stated about ingress classification and marking on the 3750 switches.
Classification and Marking
Unlike the routers, the QoS classification and marking act differently in Cisco Catalyst switches. In Cisco routers, you can classify the packets using MQC either based on the incoming packet DSCP value or based on the access control list (ACL). This depends on whether you trust the QoS label of the incoming packet or not. In the Cisco Catalyst 3750 Switch, you can classify the frames either based on the incoming CoS/DSCP values or based on the ACL.
The configuration based on the incoming CoS/DSCP value is achieved in three different ways:
- Port based configuration using the mls qos interface based commands
- MQC based configuration using class-map and policy-map
- VLAN based configuration
You can use either one of these three methods. You cannot use more than one method in a port. For example, you have configured the mls qos trust cos command on a port. When you configure the port with the service-policy input
Kind regards,
Leo
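An added example, not part of any post in this thread: a Python check over a saved running-config that flags the two conditions discussed above, namely ports carrying both a trust state and an input service-policy (which the thread concludes are mutually exclusive, so only one is in effect) and ports that trust endpoint DSCP with no policy attached. The sample config excerpt and the finding labels are constructed for illustration.

```python
import re

# Constructed running-config excerpt (not taken from the thread).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport voice vlan 110
 mls qos trust device cisco-phone
 mls qos trust cos
!
interface GigabitEthernet0/2
 switchport voice vlan 110
 mls qos trust dscp
 service-policy input IPPHONE+PC-BASIC
!
interface GigabitEthernet0/3
 switchport access vlan 10
 mls qos trust dscp
!
interface GigabitEthernet0/4
 switchport voice vlan 110
 service-policy input IPPHONE+PC-BASIC
"""

# Matches the trust-state forms only, not "mls qos trust device cisco-phone".
TRUST_RE = re.compile(r"^mls qos trust (cos|dscp|ip-precedence)$")

def audit_qos_trust(config):
    """Return {interface: [finding labels]} for ports worth a manual review."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif line.startswith(" ") and current:
            blocks[current].append(line.strip())
        else:
            current = None  # "!" or any top-level line ends the block
    findings = {}
    for name, lines in blocks.items():
        trust = [m.group(1) for m in map(TRUST_RE.match, lines) if m]
        policy = any(l.startswith("service-policy input ") for l in lines)
        issues = []
        if trust and policy:
            # Both shown; per the thread only one of them is actually applied.
            issues.append("trust-and-policy")
        elif "dscp" in trust:
            # Markings set by the attached host are accepted as-is.
            issues.append("dscp-trust")
        if issues:
            findings[name] = issues
    return findings
```

On the sample, GigabitEthernet0/2 and GigabitEthernet0/3 are reported; the conditional-trust CoS port and the policy-only port are not.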