Wednesday, December 12, 2012

3560 Qos 1



Cisco 3560 MLS QOS – Part 1

MLS QOS has been one of the greatest fear for my CCIE RS exam. I’ve read it several times, labbed it more than 3 times, but still I just cannot understand it. Then I decided to write my own notes to teach myself and hopefully any of you mere mortals like me.
I’ll start with this Classification and Marking and let see how deep the rabbit hole goes for the next few parts.
Enjoy!

Classification and Marking.
Let’s just say that you have a switchport Fa0/1 configured for Vlan 100 and want to mark it as DSCP CS1 (Decimal 8).
SW-3560(config)#mls qos
SW-3560(config)#int f0/1
SW-3560(config-if)#switchport access vlan 100
SW-3560(config-if)#mls qos ?
  cos            cos keyword
  dscp-mutation  dscp-mutation keyword
  trust          trust keyword
  vlan-based     vlan-based keyword
We only left with COS option and no DSCP option available. COS field can only be found in 802.1q/ISL traffic which is the traffic on the trunk interface, and switchport access is not a trunk interface. In this case, we can use the COS option and then the switch will use the COS-DSCP mapping table to mark the packet as DSCP CS1 (Decimal 8).
SW-3560# sh mls qos maps cos-dscp 
   Cos-dscp map:
        cos:   0  1  2  3  4  5  6  7 
     --------------------------------
       dscp:   0  8 16 24 32 40 48 56
We can actually change this mapping. For example, for most implementation we would like to set COS 5 = DSCP EF (Decimal 46). This is to keep the uniformity from end-to-end that DSCP EF (mostly for VOICE RTP) is mapped to COS 5.
SW-3560(config)#mls qos map cos-dscp 0 8 16 24 32 46 48 56
SW-3560(config)#mls qos map cos-dscp 0 8 16 24 32 46 48 56
SW-3560(config)#do sh mls qos map cos-dscp
   Cos-dscp map:
        cos:   0  1  2  3  4  5  6  7 
     --------------------------------
       dscp:   0  8 16 24 32 46 48 56
Based on the COS-DSCP map, to mark the packet to DSCP CS1 (Decimal 8), we can use mls qos cos 1.
SW-3560(config)#mls qos
SW-3560(config)#int f0/1
SW-3560(config-if)#switchport access vlan 100
SW-3560(config-if)#mls qos cos 1
!
SW-3560#sh mls qos int f0/1
FastEthernet0/1
trust state: not trusted
trust mode: not trusted
trust enabled flag: ena
COS override: dis
default COS: 1
DSCP Mutation Map: Default DSCP Mutation Map
Trust device: none
qos mode: port-based
we can combine the mls qos cos 1 with several commands below.
If the host is capable of marking the packets entering the switchport Fa0/1, we can also honour its value by trusting its DSCP or IP-PRECEDENCE or COS marking.
For IP packets, we can use mls qos trust dscp or mls qos trust ip-precedence. If the packets are NON-IP but we are trusting IP packets (via DSCP or IP-PRECEDENCE), then the switch will have no choice but to check other than DSCP or IP-PRECEDENCE. It will check the COS marking, which again, only available on trunk port. If there is no COS field available or if it is not an 802.1q/ISL, the packets will be marked with whatever the value in mls qos coscommand, look at the COS-DSCP table, then mark it with the appropriate DSCP value. In this case DSCP CS1 (Decimal 8).
SW-3560#sh mls qos int f0/1
FastEthernet0/1
trust state: trust dscp
trust mode: trust dscp
trust enabled flag: ena
COS override: dis
default COS: 1
DSCP Mutation Map: Default DSCP Mutation Map
Trust device: none
qos mode: port-based
On the other hand, mls qos trust cos will works for both IP and NON-IP packets marking. If there is a COS value in it, int this case has to be an 802.1q/ISL, it will uses that COS value. If there is no COS value, it will use the mls qos cos 1 despite whatever DSCP/IP-PRECEDENCE value it already has. The switch will rewrite this DSCP/IP-PRECEDENCE based on the new COS value (COS 1).
SW-3560#sh mls qos int f0/1
FastEthernet0/1
trust state: trust cos
trust mode: trust cos
trust enabled flag: ena
COS override: dis
default COS: 1
DSCP Mutation Map: Default DSCP Mutation Map
Trust device: none
qos mode: port-based
If we just want to override the existing COS or DCSCP/IP-PRECEDENCE value we can use mls qos cos override. This will override any COS value and deduce the DSCP value based on the COS-DSCP mapping table.
SW-3560#sh mls qos int f0/1
FastEthernet0/1
trust state: cos override
trust mode: cos override
trust enabled flag: ena
COS override: ena
default COS: 1
DSCP Mutation Map: Default DSCP Mutation Map
Trust device: none
qos mode: port-based
Besides having mls qos cos command, we can use the MQC framework to perform the marking. This can be done as below
policy-map PM_QOS_MARKING
 class class-default
  set dscp cs1

int f0/1
 switchport access vlan 100
 service-policy in PM_QOS_MARKING

SW-3560#sh mls qos int f0/1
FastEthernet0/1
Attached policy-map for Ingress: PM_QOS_MARKING
trust state: not trusted
trust mode: not trusted
trust enabled flag: ena
COS override: dis
default COS: 1
DSCP Mutation Map: Default DSCP Mutation Map
Trust device: none
qos mode: port-based
As shown above, we can use the MQC to mark any packet to DSCP CS1. Using this scenario we cannot use it to mark it as COS 1. Instead we can use DSCP CS1 and use DSCP-COS mapping table
SW-3560#sh mls qos maps dscp-cos
   Dscp-cos map:
     d1 :  d2 0  1  2  3  4  5  6  7  8  9
     ---------------------------------------
      0 :    00 00 00 00 00 00 00 00 01 01
      1 :    01 01 01 01 01 01 02 02 02 02
      2 :    02 02 02 02 03 03 03 03 03 03
      3 :    03 03 04 04 04 04 04 04 04 04
      4 :    05 05 05 05 05 05 05 05 06 06
      5 :    06 06 06 06 06 06 07 07 07 07
      6 :    07 07 07 07
In this DSCP-COS map, we can see that DSCP CS1, read as decimal 08, has COS 1 mapped to it. Therefore, if the packet has 802.1q/ISL header, then the switch will rewrite it to COS 1.
We can alter this map like we alter cos-dscp map, but now we actually alter the dscp-cos map. Please note that changing cos-dscp map doesn’t automatically change dscp-cos map. These two maps are not linked to each other and keep its own mapping
the DSCP-COS map above shows that DSCP EF (Decimal 46) has COS value of 5. We can change this value using the command below
SW-3560(config)#mls qos map dscp-cos  46 to 4
SW-3560(config)#do sh mls qos map dscp-cos   
   Dscp-cos map:
     d1 :  d2 0  1  2  3  4  5  6  7  8  9 
     ---------------------------------------
      0 :    00 00 00 00 00 00 00 00 01 01 
      1 :    01 01 01 01 01 01 02 02 02 02 
      2 :    02 02 02 02 03 03 03 03 03 03 
      3 :    03 03 04 04 04 04 04 04 04 04 
      4 :    05 05 05 05 05 05 0405 06 06 
      5 :    06 06 06 06 06 06 07 07 07 07 
      6 :    07 07 07 07
Let see another example below:
int f0/1
 switchport access vlan 100
 switchport voice vlan 200
 mls qos trust device cisco-phone

SW-3560#sh mls qos int f0/37
FastEthernet0/37
trust state: not trusted
trust mode: not trusted
trust enabled flag: ena
COS override: dis
default COS: 0
DSCP Mutation Map: Default DSCP Mutation Map
Trust device: cisco-phone
qos mode: port-based
The command mls qos trust device cisco-phone will trust the marking if the port can sense a Cisco-phone via CDPv2 or LLDP-Med. The port itself turns into a pseudo-trunk which caries 802.1q header and contains COS value. Again, this can also alter the DSCP value based on COS-DSCP mapping table. However, the switch will not trust the PC on the vlan 100 thus will rewrite it to COS 0 based on the switchport default COS value.
This also means that once you enable the mls qos globally, the switchport will rewrite any packets to COS 0 or DSCP default (decimal 0). If you want, you can change this default COS 0 value to mls qos cos 2 to mark the traffic that are not from known Cisco-phone
MQC
We can actually use MQC inline with the mls qos. This is when you need to differentiate several different traffic on vlan 100 and mark those traffic differently.
ip access-list ext ACL_HTTP
 permit tcp any any eq www
ip access-list ext ACL_TELNET
 permit  tcp any any eq telnet

class-map CM_HTTP
 match access-group name ACL_HTTP
class-map CM_TELNET
 match access-group name ACL_TELNET

policy-map PM_QOS_MARKING
 class CM_HTTP
  set dscp cs1
 class CM_TELNET
  set dscp af41
 class class-default
  set dscp cs1

int f0/1
 switchport access vlan 100
 switchport voice vlan 200
 mls qos trust device cisco-phone
 service-policy input PM_QOS_MARKING
The above combination will trust the DSCP marking from the Cisco-phone and mark any HTTP packets on vlan 100 as CS1, TELNET as CS3, and the rest will be marked as DSCP cs1. Note that any other packet will not be marked as CS 0 as per the default COS value, this is because the matched class-default inside PM_QOS_MARKING is acting as a catch all. Unless there is no class-default inside the PM_QOS_MARKING, CS 0 will be used.
Also remember on the early paragraph I’ve showed that we cannot use mls qos dscpcommand, the only available marking is mls qos cos
The moral of this DSCP/IP-PRECEDENCE/COS confusion is basically quite simple. It doesn’t really matter what marking you’re trusting, as long as you have the map correctly adjusted then the switch can use both L2 and L3 marking.
Of course, it will make more sense if you trust COS on trunk ports and DSCP/IP-Prec on non-trunk port for efficiency, but again it doesn’t really matter as long as you have the mapping correctly adjusted.
Another example, you can trust DSCP (instead of COS) on your ingress trunk L2 switch from the dot1q WAN router interface. The reason for this is just merely because packet from the WAN doesn’t have any COS value in it.
This is it so far for Marking and Classification.
-

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

How to use Telus Actionec T3200M as a wireless Access point

when you install Telus Internet, they will offer you a modem + router + wireless device Actionec T3200M, a lot of users still want to use th...