10-02-2013 09:58 AM - edited 03-07-2019 03:48 PM
Hi
I have a simple question but got confused due to different information in various docs regarding the QoS mode of operation.
If I want to match in a policy map in a class on a certain DSCP value, but on another class I want to match based on an ACL, do I need to configure the qos trust dscp or mls qos trust dscp on the interface, or does it depend on the hardware?
Here is a simple example config:
ip access-list Gold
 permit ip any any
!
!
class-map match-any Platinum
 match dscp ef
class-map match-any Gold
 match access-group name Gold
!
!
policy-map test
 class Platinum
  police 10000 8000 exceed-action policed-dscp-transmit
 class Gold
  set dscp cs4
!
int gig1/1
 service-policy input test
 qos trust dscp
!
The reason for this is that I want to trust and "use" some markings from the client, but other markings do not get set on the client and therefore I do the classification on the port via ACL.
The result of having a trust on the interface or not can be quite different.
Would be very great if someone could bring light into this...
Thanks
Roger
10-02-2013 05:01 PM
Roger,
Please see this link:-
http://www.cisco.com/en/US/docs/ios/qos/command/reference/qos_m2.html#wp1044294
Classification using a port trust state (for example, mls qos trust [cos | dscp | ip-precedence] and a policy map (for example, service-policy input policy-map-name) are mutually exclusive. The last one configured overwrites the previous configuration.
So in your case your policy map on the interface g1/1 is overwritten by your mls qos trust dscp command.
Basically use one or the other not both as only the last one will be used.
Regards,
Alex.
Please rate useful posts.
10-02-2013 06:49 PM
Hi Roger,
That depends on the platform. The order that Alex mentioned is true for 3750, but 3750X and 6500 are different.
HTH,
Lei Tian
10-02-2013 11:20 PM
Thanks Alex and Lei,
It helps "somehow", which means that I have to check in detail all the different HW and the implementation in it.
The goal was to make a very simple access-port policy, which can be used on any access-switch but it seems that this does not work. It has to be specific based on the switch model....
...very frustrating :-(
regards
Roger
10-03-2013 03:40 AM
Hi Roger,
I agree with you. The QoS concept is not hard, but implementing QoS across different platforms can be frustrating. The BUs are aware of that issue as well, and they are trying to make it easy with tools like C3PL (cisco policy language), MediaNet.
With your requirement, maybe you can try the following config. So, you only classify packets that do not have DSCP value, and trust the DSCP for default.
ip access-list Gold
 permit ip any any dscp default
!
!
class-map match-any Platinum
 match dscp ef
class-map match-any Gold
 match access-group name Gold
!
!
policy-map test
 class Platinum
  police 10000 8000 exceed-action policed-dscp-transmit
 class Gold
  set dscp cs4
 class class-default
  trust dscp
!
int gig1/1
 service-policy input test
HTH,
Lei Tian
10-03-2013 04:40 AM
Lei,
Thanks for the input and example but this has two problems :-)
1. I cannot put a trust dscp in class-default because the whole bunch of applications going to the class default should get a set dscp default; they should just be marked with default.
2. This config unfortunately does not work on some boxes like 3750 because trust dscp and set dscp within a policy-map are mutually exclusive:
Note: This command is mutually exclusive with the set command within the same policy map. If you enter the trust command, go to Step 6.
So on the low-end boxes I do the following policy without the trust statement on the interface. I do a match - set operation if I want to trust an incoming marking, the traffic which I want to classify gets matched by an ACL, and the whole big rest goes into class-default where it gets dscp default.
ip access-list Gold
 permit ip any any
!
class-map match-any Platinum
 match dscp ef
class-map match-any Gold
 match access-group name Gold
class-map match-any Silver
 match dscp af11
!
!
policy-map test
 class Platinum
  set dscp ef
  police 10000 8000 exceed-action policed-dscp-transmit
 class Gold
  set dscp cs4
 class Silver
  set dscp af11
 class class-default
  set dscp default
!
int gig1/1
 service-policy input test
!
On other boxes like Cat4k, Cat6k I have to figure out the QoS mode of operation case by case, whether a trust statement on the interface is needed or not in order to reach the same result as shown in the example policy above.
As you have mentioned, very frustrating to figure out the implementation on a per-box basis...
Thanks
Roger
10-03-2013 04:58 AM
Hi Roger,
I think your solution should work on all mentioned platforms. The different behavior comes into play when you have both port trust and policy-map on the interface, but if you only have a policy-map on the port, it should behave all the same.
HTH,
Lei Tian
10-03-2013 05:02 AM
Thanks, I will verify it while checking the different hardware platforms, which I have to do anyway since queuing is totally different between many models :-(
If I find anything crazy, I will post it here...
regards
Roger
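An added example, not part of the thread: a small Python check that flags the two overlaps discussed above, a port trust statement together with an input service policy on one interface, and trust together with set inside one policy map. The function name, the finding strings and the sample config are constructed for illustration; it accepts flattened (unindented) configs like the ones posted here.

```python
import re

# Section headers that start a new config block (assumed set, enough for these configs).
SECTION = re.compile(r"^(interface|int|policy-map|class-map|route-map|ip access-list)\s+(.+)$")
PORT_TRUST = re.compile(r"^(mls\s+)?qos\s+trust\b")

# Constructed sample: policy map from the 03:40 AM post, interface lines from the first post.
SAMPLE = """\
policy-map test
class Gold
set dscp cs4
class class-default
trust dscp
!
int gig1/1
service-policy input test
qos trust dscp
!
int gig1/2
service-policy input test
"""

def audit(config):
    """Return sorted (kind, name, issue) tuples for trust/policy overlaps."""
    seen, current = {}, None            # (kind, name) -> feature tags
    for raw in config.splitlines():
        line = raw.strip()
        m = SECTION.match(line)
        if m:
            kind = "interface" if m.group(1) == "int" else m.group(1)
            current = (kind, m.group(2))
            seen.setdefault(current, set())
        elif current and current[0] == "interface":
            if PORT_TRUST.match(line):
                seen[current].add("port-trust")
            elif line.startswith("service-policy input"):
                seen[current].add("input-policy")
        elif current and current[0] == "policy-map":
            if line.startswith(("trust ", "set ")):
                seen[current].add(line.split()[0])
    findings = []
    for (kind, name), tags in seen.items():
        if {"port-trust", "input-policy"} <= tags:
            findings.append((kind, name, "port trust and input service-policy on one port"))
        if {"trust", "set"} <= tags:
            findings.append((kind, name, "trust and set in the same policy map"))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep=": ")
```

A finding means the result depends on the platform and should be verified on that hardware; a saved config does not record which of the two commands was entered last.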