Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2305
Views
10
Helpful
6
Replies

QoS DSCP Classification

Go to solution
jnewton83985
Level 1
Level 1

‎02-04-2022 01:26 PM

We are not using cisco phones so the trust boundary is set at the access switch. Per the cisco QoS guide:

 

Classification is enabled only if QoS is enabled on the switch. By default, QoS is enabled on the switch.

During classification, the switch performs a lookup and assigns a QoS label to the packet. The QoS label identifies all QoS actions to be performed on the packet and from which queue the packet is sent.

 

  • Does this mean the switch is automatically categorizing traffic? I'm assuming it is not and that this is referring to "classification" that has been configured?

 

 

I'm marking traffic per best practices and the QoS baseline model.

 

Interactive Video: DSCP AF41
Streaming video: DSCP CS4 (DSCP CS1 if not work related)
Best effort data: DSCP 0 (default class for all traffic )
Mission critical: DSCP AF31
Bulk data: DSCP AF11
IP routing: DSCP CS6
Network mgmt: DSCP CS2
Scavenger: DSCP CS1
Voice: DSCP EF

 

 

  • Following the above, are ACLs the only way to specify the traffic I want to mark? I realize NBAR exists and wish that worked on switches but that is only applicable on our routers and it is best practice to mark traffic as close to the source as possible.
Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions
6 Replies 6

Go to solution
Joseph W. Doherty
Hall of Fame
Hall of Fame

‎02-04-2022 03:07 PM

(NB: in this posting, when referring to switches, I have in mind Enterprise switches like the Catalyst 2K and 3K series.)

"Classification is enabled only if QoS is enabled on the switch."

Yes and no.  On switches, I recall you do need to have QoS enabled to do "classification", but by default, I also recall, "classification" is not done, excluding, on older Cisco switches, all frames and packets, being remarked with "default" tag.

"By default, QoS is enabled on the switch."

I believe that's true for the later gen Cisco switches, but not true on older Cisco switches, like 3560/3750 and earlier.  I also recall that also true for earlier/original 2960 switches, but don't know about the later gens of that series of switches.

"Does this mean the switch is automatically categorizing traffic? I'm assuming it is not and that this is referring to "classification" that has been configured?"

Again, depends on generation of switch.  Also again, besides earlier switches, when QoS (optionally) enabled, by default, reset QoS tags to default (zero) setting.  Later switches have QoS enabled by default, but also by default, don't remark/retag (much like a router, although switches, I believe, will have default of multiple egress queues where routers, generally, just have one FIFO queue).

Also depends whether AutoQoS has be triggered.  (The later versions of AutoQoS, I believe, tries to provide Cisco's 11/12 class model, both for ingress and egress.)

"Following the above, are ACLs the only way to specify the traffic I want to mark?"

No they are not, but options vary per platform, and sometimes, IOS version and/or IOS feature set (or license).

Recall switches, except for some very old models, can use class-map (using non-ACL match and/or set tag statements) and policy-map to classify and/or tag in an ingress policy.  Later switches might support class-map and policy-map egress classification and/or tagging too.

". . . and it is best practice to mark traffic as close to the source as possible."

Yes and no.  Assuming you "trust" the markings, often marking ASAP is good, but if there a need to remark, even "trusted" markings, that's fine too.  Further, I've often delayed classification and/or tagging (BTW, tagging often appears to be misunderstood, it's really there to more quickly process frames/packets, looking at a tag, rather than a lengthy frame/packet analysis, again and again and again . . . ) until I really needed it, like dealing with traffic from LAN to WAN where there's often a major loss in available bandwidth.

"I'm marking traffic per best practices and the QoS baseline model."

Marking per the 11/12 class models (Cisco's or the RFC's) usually doesn't "hurt" anything, but using that model, for actual QoS, in my (not so humble) opinion, is overly complex; often disappointing those using such with its results (beyond, perhaps, for real-time traffic).

0 Helpful

Go to solution
jnewton83985
Level 1
Level 1
In response to Joseph W. Doherty

‎02-07-2022 08:57 AM

@Joseph W. Doherty If I am not trusting any traffic coming into the switch and want to classify/mark traffic leaving the switch, how would you recommend going about it? ( Prefer not to use Auto QoS and assume the switches are all 3850s)

0 Helpful

Go to solution
Joseph W. Doherty
Hall of Fame
Hall of Fame
In response to jnewton83985

‎02-07-2022 10:19 AM

I'm not really familiar with 3650/3850 series QoS.  I believe (?) their egress capabilities are "improved" vs. the prior gen (3560/3750) switches.  I.e. you might have to classify traffic upon ingress.  If the 3850 is limited to ingress classification, but you don't want that, the next upstream device might be able to classify upon its ingress (i.e. the 3850's egress).

0 Helpful

Go to solution
jnewton83985
Level 1
Level 1
In response to Joseph W. Doherty

‎02-07-2022 12:12 PM

What I'm trying to figure out is the best way to classify & mark traffic. I've been reading End-to-End QoS Network Design by Tim Szigeti  and he recommends using DSCP. Since DSCP is a layer 3 parameter, that means the only method I can use to classify and then mark traffic is access lists right? I realize that can be broken down into standard and extended access lists but I want to make sure that's it, that I am not missing anything. 

0 Helpful

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame
In response to jnewton83985

‎02-07-2022 12:40 PM

 

If the traffic is not already marked then yes you are pretty much restricted to using acls (or potentially the vlan) - 

 

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3850/software/release/3se/qos/command_reference/b_mqc_qt_3se_3850_cr/b_mqc_qt_3se_3850_cr_chapter_0100.html#ref_1002684

 

Jon

Go to solution
Joseph W. Doherty
Hall of Fame
Hall of Fame
In response to jnewton83985

‎02-08-2022 07:13 AM

As @Jon Marshall's link shows, ACLs (or VLAN) are "pretty much" but, there are a couple other options, such as matching on IPPrec, DSCP or (L2) CoS.  There's another match statement variation, in Jon's reference (depending on IOS version), match non-client-nrt (not well explained what it actually matches on).

As to Tim Szigeti recommending using DSCP - yup, I do too.  As part of the packet's fields, it can go end-to-end, where as L2 CoS needs a VLAN tagged frame and needs to be regenerated at every L3 hop.

That noted, again, the same DSCP tag might not be used end-to-end, nor is QoS always dependent on having it (to correctly function).

Customers Also Viewed These Support Documents