Switch QoS

Example 1: Layer 3/Access port Trust DSCP

If the port is an access port or a Layer 3 port, you need to configure the “mls qos trust dscp”
command. You cannot use the “mls qos trust cos” command because frames arriving on an access port or
Layer 3 port carry no dot1q or ISL tag, and CoS bits are present only in dot1q or ISL frames.

interface GigabitEthernet1/0/1
description **** Layer 3 Port ****
no switchport
ip address 192.168.10.1 255.255.255.0
mls qos trust dscp
end
!
interface GigabitEthernet1/0/2
description **** Access Port ****
switchport access vlan 10
switchport mode access
mls qos trust dscp
end

Example 2: Trunk Port Trust COS

If the port is a trunk port, you can configure either the “mls qos trust cos” or the “mls qos trust
dscp” command. The DSCP<->CoS map table is used to derive the CoS value if the port is configured to trust DSCP. Similarly, the CoS<->DSCP map table is used to derive the DSCP value if the port is
configured to trust CoS.

interface GigabitEthernet1/0/3
description **** Trunk Port ****
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk native vlan 5
switchport trunk allowed vlan 5,10,20,30,40,50
mls qos trust cos
end
!
interface GigabitEthernet1/0/12
description **** Cisco IP Phone  ****
switchport access vlan 10
switchport mode access
switchport voice vlan 20
mls qos trust cos
spanning-tree portfast
end
!The Cisco IP Phone uses IEEE 802.1Q frames for Voice VLAN traffic.

Example 3: Trunk Port. Native Vlan QoS Markings

If the port is a dot1q trunk port configured with the “mls qos trust cos” command, native VLAN
frames will have CoS and DSCP values of 0. Because native VLAN frames are untagged and the frame is
tagged only after it enters the switch, the switch sets the default CoS value of 0 and the CoS<->DSCP
table then sets the DSCP value to 0.
Note: The DSCP value of a packet arriving on the native VLAN will be reset to 0.
You can also configure the switch port to change the default CoS value of untagged frames from 0
to any value between 0 and 7 using the “mls qos cos <0-7>” command. This command does not
change the CoS values of tagged frames. For example, the port GigabitEthernet1/0/12 is configured with access VLAN 10 and voice VLAN 20.

interface GigabitEthernet1/0/12
description **** Cisco IP Phone  ****
switchport access vlan 10
switchport mode access
switchport voice vlan 20
mls qos trust cos
spanning-tree portfast
!The Cisco IP Phone uses IEEE 802.1Q frames for Voice VLAN traffic.
!Voice VLAN is only supported on access ports and not on trunk ports,
!even though the configuration is allowed.
end

By default, the PC sends data untagged. Untagged traffic from the device attached to the Cisco IP
Phone passes through the phone unchanged, regardless of the trust state of the access port on the
phone. The phone sends dot1q tagged frames with voice VLAN ID 20. Therefore, if you configure the
port with the “mls qos trust cos” command, it trusts the CoS values of the frames from the phone
(tagged frames) and sets the CoS value of the frames (untagged) from the PC to 0. After that, the
CoS<->DSCP map table sets the DSCP value of the packet inside the frame to 0 because the
CoS<->DSCP map table has DSCP value 0 for the CoS value 0. If the packets from the PC have any
specific DSCP value, that value will be reset to 0. If you configure the mls qos cos 3 command on the
port, it sets the CoS value of all the frames from the PC to 3 and does not alter the CoS value of the
frames from the phone.

interface GigabitEthernet1/0/12
description **** Cisco IP Phone  ****
switchport access vlan 10
switchport mode access
switchport voice vlan 20
mls qos trust cos
mls qos cos 3
spanning-tree portfast
end

If you configure the port with the “mls qos cos 3 override” command, it sets the CoS values of all the
frames (both the tagged and untagged) to 3. It overrides the previously configured trust values.

interface GigabitEthernet1/0/12
description **** Cisco IP Phone  ****
switchport access vlan 10
switchport mode access
switchport voice vlan 20
mls qos trust cos
mls qos cos 3 override
!Overrides the mls qos trust cos.
!Applies CoS value 3 on all the incoming packets on both the vlan 10 and 20.
spanning-tree portfast
end

Example 4: Force IP Phone to set COS value on PC Traffic

For example, take a look at the port gi 1/0/12 configuration:

interface GigabitEthernet1/0/12
description **** Cisco IP Phone  ****
switchport access vlan 10
switchport mode access
switchport voice vlan 20
mls qos trust cos
spanning-tree portfast
end

Suppose the PC tags its frames with VLAN 20 and also sets the CoS value to 5. The switch processes
tagged data traffic (traffic in IEEE 802.1Q or IEEE 802.1p frame types) from the device attached to
the access port on the Cisco IP Phone. Because the interface is configured to trust the CoS value, all
traffic received through the access port on the Cisco IP Phone passes through the phone unchanged.
The switch also trusts the traffic from the PC and gives it the same priority as the IP phone
traffic. This is not a desirable result. It can be avoided using the “switchport
priority extend cos <cos-value>” command.

interface GigabitEthernet1/0/12
description **** Cisco IP Phone  ****
switchport access vlan 10
switchport mode access
switchport voice vlan 20
mls qos trust cos
switchport priority extend cos 0
!Overrides the CoS value of PC traffic to 0.
spanning-tree portfast
end

The “switchport priority extend cos <cos-value>” command configures the IP phone to change the CoS
value of the PC traffic to the configured value, which is 0 in this example.

Example 5: Trust QoS only if an IP Phone is plugged into the Switch Port

For example, on the same interface, someone connects a PC directly to the switch port and
tags the PC data with dot1q frames carrying a higher CoS value. This can be avoided using the “mls qos
trust device cisco-phone” command, so that the port trusts QoS labels only while a Cisco IP Phone is detected on it.

interface GigabitEthernet1/0/12
description **** Cisco IP Phone  ****
switchport access vlan 10
switchport mode access
switchport voice vlan 20
mls qos trust cos
switchport priority extend cos 0
mls qos trust device cisco-phone
!Specify that the Cisco IP Phone is a trusted device.
spanning-tree portfast
end

Example 6: Trust DSCP value of native vlan

For example, on the interface GigabitEthernet1/0/12 you have to trust the QoS labels from the PC, and
the PC is connected to the native VLAN 10. In this case, the “mls qos trust cos” command does not help,
because the PC sends untagged frames that carry no CoS value; only the DSCP value is set. The switch
therefore adds the dot1q tag with the default CoS value of 0, and the CoS<->DSCP table then resets the
DSCP value to 0.
To fix this problem, you have two choices. One is to configure classification and marking
using MQC: create an ACL to match your PC traffic based on source and destination IP
addresses and source/destination port numbers, match this ACL in a class-map, and create a
policy-map that trusts this traffic. This solution is discussed in the next section. This section
discusses the second method, which is to trust the DSCP label instead of the CoS label.
The DSCP<->CoS table then derives and sets the CoS value that corresponds to the DSCP value.

interface GigabitEthernet1/0/12
description **** Cisco IP Phone  ****
switchport access vlan 10
switchport mode access
switchport voice vlan 20
mls qos trust dscp
spanning-tree portfast
end

The first method is the preferred one because it is not recommended to trust the QoS labels of all
PC traffic.
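The following is an added example and not part of the original post. It models, in Python, how the Catalyst 3750 access port with a voice VLAN assigns the internal CoS and DSCP to a frame on ingress under the trust settings shown in Examples 3 to 6 (default port CoS, override, switchport priority extend cos, trust device cisco-phone, trust dscp). The CoS<->DSCP and DSCP<->CoS tables are the platform defaults; the phone_detected flag is an assumption standing in for the switch's CDP detection of the phone.

```python
# Added example, not from the original post: models how a Catalyst 3750
# access port with a voice VLAN assigns CoS/DSCP on ingress under the trust
# settings of Examples 3 to 6. Map tables are the platform defaults.
from dataclasses import dataclass
from typing import Optional, Tuple

COS_TO_DSCP = {0: 0, 1: 8, 2: 16, 3: 24, 4: 32, 5: 40, 6: 48, 7: 56}

def dscp_to_cos(dscp: int) -> int:
    """Default dscp-cos map: each block of eight DSCP values maps to one CoS."""
    return dscp // 8

@dataclass
class Frame:
    tagged: bool              # 802.1Q tag present (phone) or untagged (PC)
    dscp: int                 # DSCP carried in the IP header
    cos: int = 0              # 802.1p value, meaningful only when tagged
    from_phone: bool = False  # originated by the phone on the voice VLAN

@dataclass
class PortQoS:
    trust: Optional[str] = None       # "cos", "dscp" or None (untrusted)
    default_cos: int = 0              # mls qos cos <0-7>
    override: bool = False            # mls qos cos <0-7> override
    extend_cos: Optional[int] = None  # switchport priority extend cos <n>
    trust_device_phone: bool = False  # mls qos trust device cisco-phone
    phone_detected: bool = False      # assumption: CDP has seen a phone

def ingress(frame: Frame, port: PortQoS) -> Tuple[int, int]:
    """Return the internal (cos, dscp) the switch assigns to the frame."""
    cos = frame.cos if frame.tagged else port.default_cos
    # Example 4: the phone rewrites the 802.1p value of tagged PC traffic.
    if (port.extend_cos is not None and port.phone_detected
            and frame.tagged and not frame.from_phone):
        cos = port.extend_cos
    trust = port.trust
    # Example 5: trust is honoured only while a Cisco IP Phone is present.
    if port.trust_device_phone and not port.phone_detected:
        trust = None
    if port.override:    # mls qos cos <n> override wins over any trust state
        return port.default_cos, COS_TO_DSCP[port.default_cos]
    if trust == "cos":   # Example 3: untagged frames get the port default CoS
        return cos, COS_TO_DSCP[cos]
    if trust == "dscp":  # Example 6: keep DSCP, derive CoS from dscp-cos map
        return dscp_to_cos(frame.dscp), frame.dscp
    return port.default_cos, COS_TO_DSCP[port.default_cos]  # untrusted port
```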

Classification and Marking – MQC Based

It is assumed that the data VLAN is 10 and its subnet address is 172.16.10.0/24. The voice VLAN is 100 and
its subnet address is 192.168.100.0/24.

Section A
Classifies the IP phone traffic into Class-A. The IP phone belongs to the voice VLAN and has an IP
address in the 192.168.100.0 subnet.
Classifies the database application traffic into Class-B. The PC traffic (actually any traffic, as per the
configuration) destined to any destination with port number 1521, 1810, 2481 or 7778 is classified
into the Class-B class map.

ip access-list extended voice-traffic
permit ip 192.168.100.0 0.0.0.255 any
ip access-list extended database-application
permit tcp any any eq 1521
permit tcp any any eq 1810
permit tcp any any eq 2481
permit tcp any any eq 7778
exit
class-map Class-A
match access-group name voice-traffic
exit
class-map Class-B
match access-group name database-application
exit

Section B
Traffic that matches Class-A is configured to trust the CoS label. This means the CoS values of all
the traffic from the IP phone are trusted. The DSCP value is derived from the CoS<->DSCP map table for the
Class-A traffic.

Traffic that matches Class-B is configured to set the DSCP value to AF21. The CoS value is derived from
the DSCP<->CoS map table for the Class-B traffic.

The configurations under each class of policy-map are called PHB actions. Marking, queuing,
policing, shaping, and congestion avoidance are the supported PHB actions in Cisco routers. Marking
and policing are the only supported PHB actions in the Cisco Catalyst 3750 Switch.

policy-map sample-policy1
class Class-A
trust cos
exit
class Class-B
set dscp af21
exit
class class-default
set dscp 0
exit
exit

Section C
The policy can only be applied in the input direction. Applying the policy also removes
any trust commands on the interface. All other PC traffic (except the database application traffic
defined in the access-list) is classified under the class-default class of the policy-map. This is a
catch-all class that catches the traffic that does not match any of the class-maps attached to the
policy-map. Therefore, the traffic that belongs to class-default is not trusted by the port, and
those packets are set with the default CoS and DSCP labels of 0. You can configure any default
CoS or DSCP value for this class-default traffic.

interface gigabitEthernet 1/0/13
switchport access vlan 10
switchport mode access
switchport voice vlan 100
spanning-tree portfast
service-policy input sample-policy1
exit
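The following is an added example and not part of the original post. It evaluates the page's sample-policy1 (Sections A to C) in Python against constructed packets, so you can see which class a packet lands in and the CoS/DSCP it leaves the port with, including the class-default reset to 0. The ACL subnets and port numbers are the page's; the packet addresses, ports and markings are made up for illustration.

```python
# Added example, not from the original post: evaluates the page's
# sample-policy1 against constructed packets to show which class each one
# lands in and the CoS/DSCP it leaves the port with. The ACL subnets and
# port numbers are the page's; packet values are made up for illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

COS_TO_DSCP = {0: 0, 1: 8, 2: 16, 3: 24, 4: 32, 5: 40, 6: 48, 7: 56}
AF21 = 18

@dataclass
class Packet:
    src: str      # source IP address
    proto: str    # "tcp" or "udp"
    dport: int    # destination port
    cos: int      # 802.1p value (0 for untagged frames)
    dscp: int     # DSCP carried by the packet

# The two extended ACLs as (protocol, source network, destination port) ACEs;
# "ip" matches any protocol and None matches any port.
ACLS = {
    "voice-traffic": [("ip", ip_network("192.168.100.0/24"), None)],
    "database-application": [("tcp", ip_network("0.0.0.0/0"), p)
                             for p in (1521, 1810, 2481, 7778)],
}

def acl_permits(name: str, pkt: Packet) -> bool:
    for proto, src_net, dport in ACLS[name]:
        if proto != "ip" and proto != pkt.proto:
            continue
        if ip_address(pkt.src) not in src_net:
            continue
        if dport is not None and dport != pkt.dport:
            continue
        return True        # first matching permit ACE wins
    return False

# policy-map sample-policy1: classes are evaluated top to bottom.
POLICY = [("Class-A", "voice-traffic", ("trust-cos", None)),
          ("Class-B", "database-application", ("set-dscp", AF21)),
          ("class-default", None, ("set-dscp", 0))]

def apply_policy(pkt: Packet):
    """Return (class, cos, dscp) for the packet after sample-policy1."""
    for cls, acl, (action, value) in POLICY:
        if acl is not None and not acl_permits(acl, pkt):
            continue
        if action == "trust-cos":      # DSCP follows the cos-dscp map
            return cls, pkt.cos, COS_TO_DSCP[pkt.cos]
        return cls, value // 8, value  # set dscp: CoS from the dscp-cos map
    raise RuntimeError("class-default always matches")
```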

Policing

On the Cisco Catalyst 3750 Switch, policing can only be configured on the ingress port. Policing can
only be configured through MQC; there is no interface-specific command to police the traffic.
Two actions can be taken on excess traffic: drop the packets or remark them.

1) Policing configuration that drops the excess traffic.
This limits the incoming rate to the configured bits per second.

The example below implements the following requirements:
>Police ftp, pop3 and imap traffic to 10 Mbps.
>Trust the DSCP value of the IP communicator application packets from the PC which is connected to
>the IP phone. Also, police this traffic to 256 Kbps.
>Mark and police the filnet application. The incoming packets are marked with the DSCP value
>CS2, and the CoS value is derived from the DSCP<->CoS table, which gives 2. Then, the Class-C traffic is
>policed at the rate of 25 Mbps. The excess packets are dropped by the policer.

!Create Access-list and Class map Class-A
ip access-list extended BULK-DATA
permit tcp any any eq ftp
permit tcp any any eq ftp-data
permit tcp any any eq pop3
permit tcp any any eq 143
exit
class-map Class-A
match access-group name BULK-DATA
exit

!Create Access-list and Class map Class-B
ip access-list extended IP-Communicator
remark *** Voice Payload ***
permit udp any any range 16384 32767
remark *** Voice Signalling ***
permit tcp any any range 2000 2002
exit
class-map Class-B
match access-group name IP-Communicator
exit
!Create Access-list and Class map Class-C
ip access-list extended application
remark *** Application for example ***
permit tcp any any eq 32768
permit udp any any eq 32768
permit tcp any any eq 32769
permit udp any any eq 32769
exit
!
class-map Class-C
match access-group name application
exit
!Create Policy map
policy-map sample-policy2
class Class-A
police 10000000 8000 exceed-action drop
class Class-B
trust dscp
police 256000 8000 exceed-action drop
class Class-C
set dscp CS2
police 25000000 8000 exceed-action drop
exit
exit

!Apply Policy map to the interface
interface GigabitEthernet1/0/20
service-policy input sample-policy2

Classification, Marking and Policing (exceed action – policed-dscp-transmit)
The requirements of this example are:
Configure the policed-DSCP map table to map:
EF to AF31
CS3 to AF13
CS2 to AF11

Trust the DSCP values of the IP communicator packets and police them to 256 Kbps. If the traffic exceeds
256 Kbps, remark the DSCP values using the policed-DSCP map table.

Mark and police the filnet application. If the traffic exceeds 25 Mbps, remark the DSCP values using
the policed-DSCP map table.

This configuration represents the policy-map mentioned in the diagram:

!Policed DSCP table Configuration
mls qos map policed-dscp 46 to 26
mls qos map policed-dscp 24 to 14
mls qos map policed-dscp 16 to 10

!Create Access-list and Class map Class-A
ip access-list extended IP-Communicator
remark *** Voice Payload ***
permit udp any any range 16384 32767
remark *** Voice Signalling ***
permit tcp any any range 2000 2002
exit
!
class-map Class-A
match access-group name IP-Communicator
exit

!Create Access-list and Class map Class-B
ip access-list extended application
remark *** Application for example ***
permit tcp any any eq 32768
permit udp any any eq 32768
permit tcp any any eq 32769
permit udp any any eq 32769
exit
!
class-map Class-B
match access-group name application
exit

!Create Policy map
policy-map sample-policy3
class Class-A
trust dscp
police 256000 8000 exceed-action policed-dscp-transmit
class Class-B
set dscp CS2
police 25000000 8000 exceed-action policed-dscp-transmit
exit
exit

Class-A: The voice payload and the voice control from the softphone are classified in the Class-A
class map. Voice payload traffic has the DSCP value of EF and the voice control has the DSCP value
of CS3. As per the policy-map configuration, these DSCP values are trusted. The traffic is policed at
the rate of 256 Kbps. The traffic that conforms to this rate will be sent with the incoming DSCP value.
The traffic that exceeds this rate will be remarked by the policed-DSCP table and transmitted. The
policed-DSCP table will remark EF to AF31 and CS3 to AF13 as per the configured values.
Then, the corresponding CoS values will be derived from the DSCP<->CoS table.

Class-B: Incoming packets that match Class-B are marked with the DSCP value of CS2. The
Class-B traffic is policed at the rate of 25 Mbps. The traffic that conforms to this rate will be sent with
the DSCP value of CS2, and the CoS value derived from the DSCP<->CoS table is 2. The traffic
that exceeds this rate will be remarked by the policed-DSCP table and transmitted. The policed-DSCP
table will remark CS2 to AF11 as per the configured values. Then, the corresponding CoS
values will be derived from the DSCP<->CoS table.
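The following is an added example and not part of the original post. It implements, in Python, the single-rate token-bucket behaviour behind the “police <rate-bps> <burst-byte> exceed-action ...” lines of both policing sections above: conforming packets pass with their DSCP intact, and exceeding packets are either dropped or remarked through the policed-DSCP map configured on this page (EF to AF31, CS3 to AF13, CS2 to AF11). The packet sizes and arrival times are constructed, and the policer is a simplified model of the 3750's hardware policer.

```python
# Added example, not from the original post: a single-rate token-bucket
# policer that applies the policed-dscp map configured on this page
# (EF->AF31, CS3->AF13, CS2->AF11) to packets that exceed the rate.
# Packet sizes and arrival times below are constructed for illustration.
from dataclasses import dataclass, field

EF, CS3, CS2, AF31, AF13, AF11 = 46, 24, 16, 26, 14, 10
POLICED_DSCP = {EF: AF31, CS3: AF13, CS2: AF11}  # mls qos map policed-dscp

@dataclass
class Policer:
    rate_bps: int          # police <rate-bps>
    burst_bytes: int       # police ... <burst-byte>
    exceed_action: str     # "drop" or "policed-dscp-transmit"
    tokens: float = field(init=False)
    last_t: float = field(init=False, default=0.0)

    def __post_init__(self):
        self.tokens = float(self.burst_bytes)  # bucket starts full

    def process(self, t: float, size: int, dscp: int):
        """Return (verdict, dscp) for a packet of `size` bytes arriving at t."""
        # Refill at rate_bps/8 bytes per second, capped at the burst size.
        refill = (t - self.last_t) * self.rate_bps / 8
        self.tokens = min(self.burst_bytes, self.tokens + refill)
        self.last_t = t
        if size <= self.tokens:
            self.tokens -= size
            return "conform", dscp          # sent with the incoming DSCP
        if self.exceed_action == "drop":
            return "drop", None             # Example with exceed-action drop
        # policed-dscp-transmit: remark through the policed-DSCP map; values
        # not in the map are transmitted unchanged (the map is identity by default).
        return "exceed", POLICED_DSCP.get(dscp, dscp)

def run(policer: Policer, packets):
    """Feed (time, size, dscp) tuples through the policer in arrival order."""
    return [policer.process(t, size, dscp) for t, size, dscp in packets]

# Constructed burst on the Class-A policer (256 Kbps, 8000-byte burst):
# two 4000-byte packets drain the bucket, the next two exceed, and after
# 100 ms (3200 bytes refilled) a CS2 packet conforms again.
SAMPLE = [(0.0, 4000, EF), (0.0, 4000, CS3), (0.0, 200, EF),
          (0.0, 200, CS3), (0.1, 200, CS2)]
```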

show mls qos
show mls qos input-queue
show mls qos maps cos-dscp
show mls qos maps dscp-cos
show mls qos maps policed-dscp
show mls qos maps cos-input-q
show mls qos maps dscp-input-q


About Alexis Katsavras

Working as Freelance Cisco Unified Communications Consultant in the UK. www.NetPacket.co.uk