08-01-2007 09:48 AM - edited 03-14-2019 10:53 PM
The 6509 is our access-layer switch and we have Avaya IP phones plugged into each port and a PC plugged into the phone. Usually I have 'mls qos trust dscp' on each port because the IP phone marks the DSCP values and we of course want to trust those.
Also the entire voice world, IP phones, gateways, PBXes etc, are on a separate network space from the data network like this:
Data = 163.44.0.0
VoIP = 172.23.0.0
Here is a typical port config for the above scenario which works just fine:
mls qos
interface GigabitEthernet1/1
 switchport
 switchport access vlan 321
 switchport mode access
 switchport voice vlan 910
 no ip address
 mls qos trust dscp
 spanning-tree portfast
interface Vlan321
 ip address 163.x.x.129 255.255.255.128
 ip helper-address 163.44.xx.xx
end
interface Vlan910
 ip address 172.x.x.129 255.255.255.128
 ip helper-address 163.44.xx.xx
end
Now I decided to create a couple of ACLs, one to trust DSCP values of any traffic on the VoIP network, and the other to set all packets coming from the PC to DSCP=0. This is to ensure that some smart PC user can't change his DSCP values.
Here is the new config:
mls qos
class-map match-all Trust_phone_DSCP
 match access-group 171
class-map match-any Mark_PC_traffic_to_0
 match access-group 161
!
!
policy-map Mark_PC_traffic_DSCP=0
 class Mark_PC_traffic_to_0
  set dscp default
policy-map Trust_phone_DSCP
 class Trust_phone_DSCP
  trust dscp
interface GigabitEthernet1/1
 switchport
 switchport access vlan 321
 switchport mode access
 switchport voice vlan 910
 no ip address
 mls qos vlan-based
 spanning-tree portfast
interface Vlan321
 ip address 164.x.x.129 255.255.255.128
 ip helper-address 163.44.xx.xx
 service-policy input Mark_PC_traffic_DSCP=0
interface Vlan910
 ip address 172.x.x.129 255.255.255.128
 ip helper-address 163.44.xx.xx
 service-policy input Trust_phone_DSCP
end
access-list 161 remark Mark all 164.72.0.0 PC traffic to DSCP=0
access-list 161 permit ip 163.44.0.0 0.0.255.255 any
access-list 171 remark Trust all 172.26.0.0 phone traffic DSCP
access-list 171 permit ip 172.23.0.0 0.0.255.255 any
Now that I have 'mls qos vlan-based' on the interface, 'sh queueing int g1/1' shows the interface as 'Port QoS enabled' and 'Port is untrusted'.
So after all that, will VoIP packets that traverse int g1/1 be trusted because of the vlan-based service policy and therefore be affected by the QoS queuing of the port, or will the port config override the vlan-based stuff, resulting in DSCP values being reset to '0' and therefore no QoS taking effect during congestion of the port?
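An added example, not part of the original post: a Python audit of the two approaches described above. It parses an IOS-style config and reports access ports that still use port-level 'mls qos trust dscp', or that are set to 'mls qos vlan-based' while the data or voice SVI lacks the matching policy. The sample config is constructed and the function names are this example's own.

```python
import re

# Constructed sample shaped like the post's config (addresses omitted).
SAMPLE = """\
policy-map Mark_PC_traffic_DSCP=0
 class Mark_PC_traffic_to_0
  set dscp default
interface GigabitEthernet1/1
 switchport access vlan 321
 switchport voice vlan 910
 mls qos vlan-based
interface GigabitEthernet1/2
 switchport access vlan 321
 switchport voice vlan 910
 mls qos trust dscp
interface Vlan321
 service-policy input Mark_PC_traffic_DSCP=0
"""

def blocks(config):
    """Map each top-level line to the stripped lines indented beneath it."""
    out, current = {}, []
    for line in config.splitlines():
        if line.strip() and not line.startswith(" "):
            current = out.setdefault(line.strip(), [])
        elif line.strip():
            current.append(line.strip())
    return out

def audit(config):
    """Findings for access ports that also carry a voice VLAN."""
    b, findings = blocks(config), []
    def svi_has(vlan, action):  # does the SVI's input policy contain action?
        svi = "\n".join(b.get(f"interface Vlan{vlan}", []))
        pols = re.findall(r"^service-policy input (\S+)$", svi, re.M)
        return any(action in b.get(f"policy-map {p}", []) for p in pols)
    for name, body in b.items():
        text = "\n".join(body)
        voice = re.search(r"^switchport voice vlan (\d+)$", text, re.M)
        data = re.search(r"^switchport access vlan (\d+)$", text, re.M)
        if not (voice and data):
            continue
        port = name.split()[1]
        if "mls qos trust dscp" in body:
            findings.append(f"{port}: port trust accepts the PC's DSCP too")
        elif "mls qos vlan-based" in body:
            for vlan, action in ((data, "set dscp default"), (voice, "trust dscp")):
                if not svi_has(vlan.group(1), action):
                    findings.append(f"{port}: Vlan{vlan.group(1)} lacks '{action}'")
    return findings
```

Calling audit(SAMPLE) flags GigabitEthernet1/1 because Vlan910 has no trust policy in the sample, and GigabitEthernet1/2 because it still trusts DSCP at the port.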
08-01-2007 10:18 AM
Hi,
Maybe this is not what you expect to hear:
You don't even need to bother, it's gigabit - no congestion is possible.
Edit: really, I'm not saying that to minimize your efforts in learning how things work and what the better configuration is. It is just that QoS in LAN switching is largely overplayed, and in my personal experience I have never seen any production network, even ISP ones, experience congestion severe enough to impact VoIP on gigabit interfaces.
08-01-2007 12:20 PM
I understand your point and agree with it in principle. But these ports will actually be turned to 100mb - not gig - and I just need to set up the case where voice will NEVER be choked out even if a user is doing a huge file transfer. Unix systems can transfer at wire rate and saturate a 100mb link, and many of our users are Unix users - the Windows users I don't much worry about.
Plus the idea of smart users changing their packet markings galls me and I want to ensure they can't ride the priority queues throughout our network.
So in theory how does the 6500 platform handle qos trust and service policies? Does the port config or the vlan config take precedence?
Thanks for your comments.
08-01-2007 12:24 PM
Thanks for explaining your very reasonable concerns. Too bad I don't really know the answer to your question. Good luck!
08-02-2007 01:16 AM
I suggest you have a read of this http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a008014a29f.shtml
This appears to answer your question. Have you also considered marking the voice packets yourself? This would ensure you get the marking of packets that you desire.
08-05-2007 09:41 PM
QoS is per-hop based!
So depending on your network topology from your trusted switch to your core, you want to TRUST your QoS settings but untrust anything coming from users and maybe the ISP, depending, since the Internet is best effort anyway. Since your 6500 is your access layer, then your configs
you have set up egress QoS (internal to external); your Gigabit Ethernet is your ingress back into your network, which needs to have QoS settings coming back into your network
but since you have Gigabit Ethernet, unless someone pushes the limit you should be okay
Since you're using Gigabit Ethernet on the 6500, which is great, you may also want to provide fair queuing for all other traffic that is non-prioritized