Hi JosephThanks for taking

Marc Luethi · ‎02-02-2015

Hi all

We're in the not very comfortable situation that our WAN service provider will accept only a very small set of DSCP values to assign traffic to their "Classes of Service".

Our 2960s are directly connected to the carrier's CPE, and on that link we must make sure that egress traffic towards the service provider's CPE is properly marked.

We have no trouble marking traffic with policy-maps on the switch ports while it is ingress into our 2960 on the client/user facing ports, but of course, self-generated traffic ( for example RADIUS requests for 802.1x, or TACACS requests to our AAA-Servers ) will never hit any of these switchports or policy-maps.

Still, we do want RADIUS traffic to leave our switch with a configurable DSCP value.

The QoS section in the software configuration guide (http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960/software/release/12-2_53_se/configuration/guide/2960scg/swqos.html#wp1199585) is somewhat silent on that topic, or I am too blind to see it.

How does one customize DSCP flags for self-generated traffic on a 2960? I'll assume that 3560s and 3750s are not very different...

Thanks for your thoughts, documentation pointers or config examples.

Cheers

Marc

Joseph W. Doherty · ‎02-02-2015

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

I recall there is some configuration command dealing with device generated traffic, but I'm unable to recall the specifics. It also might only apply to routers, not switches.

I also recall, there's usually not much for selectively marking device generated traffic, except router egress policies.

Most device generated traffic will have a ToS value of zero. Some traffic, like some routing protocol updates, on L3 switches, will be marked with a DSCP of 6. I think I recall some Cisco devices also default a non-zero for Telnet traffic too.

If you have extra ports, you might be able to "self loop" your egress traffic. I.e., have its initial egress port go to another ingress port on the same switch, where you can apply an ingress policy (for remarking), and then forward it to another (2nd) egress port toward your WAN.

Marc Luethi · ‎02-03-2015

Hi Joseph

Thanks for taking the time to think along. Meanwhile, i found this in the software configuration guide(s):

(in Overview - Features - Performance Features)

Support for QoS marking of CPU-generated traffic and queue CPU-generated traffic on the egress network ports.

Interestingly, none of this reappears later on in Overview - Features - QoS and CoS Features, nor in the Configuring QoS section.

Be as it may... we also considered using a loopback cable from the 2960's oob management port into an access port, and handling all management traffic through that interface. We hit some strange (non)reachability effects that were very difficult to analyze - and we stopped the attempt. At the given customer installation, switch ports are a pretty scarce ressource, anyway.

I also tried setting up an ACL/class-map/policy-map bit and attach it as service policy output to the egress interface, but although the command is shown in context-sensitive help, it will be refused ("not supported").

Next, I'll try attaching the same MQC bit to the SVI the switch is using as source-interface for radius. A first attempt on an elderly 2960G-8TC for the sake of experimentation was unsuccessful, though. The service-policy output command was accepted on interface vlan 1, but did not show up in the config afterwards. We'll see...

Joseph W. Doherty · ‎02-03-2015

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

Often management ports, even if they support the logical configuration you need, don't have the performance of the normal ports.

I've often suggested using small switch for QoS purposes on an egress port. If you have one, placing it in-line, on your egress path, should allow you to tag internally generated traffic from your main switch.

Most small (older?) Cisco switches do not support egress policies.

QoS on 2960/3560/3750: How to set DSCP for self-generated traffic?