
Catalyst QoS trust DSCP with double tagged Ethernet frames

1pipantom2
Level 1

Hello,

In our Cisco Catalyst network we are using QoS.

Traffic entering Catalyst Ethernet ports is marked with IP DSCP bits (user CPE equipment sets DSCP).

We are using the "mls qos trust dscp" command for automatic traffic classification.

Everything seems OK.

But in some places in the network, traffic entering Catalyst trunk ports is actually double tagged (two VLAN tags, QinQ).

Does the switch in this case correctly recognize IP traffic inside a double tagged Ethernet frame? Or will the switch interpret the payload inside the Ethernet frame as non-IP traffic?

Additional question.

If single tagged customer traffic is entering Cisco Catalyst dot1q-tunnel ports (the switch adds a second VLAN), does the switch in this case correctly recognize IP traffic?

What is the order of operations?

Does the switch add the second VLAN and then try to classify traffic (according to the mls qos trust dscp command), or vice versa?

Cisco Catalyst 3560. SW 12.2 (25) SEE

Best Regards,

Tomas.


n.nandrekar
Level 4

Hi!

I just verified the things you asked on a cat6500.

Here are my observations:

The DSCP is trusted by default in both cases, irrespective of the trust command.

In case you receive a double tagged frame on a trunk interface, the DSCP is maintained and not modified/re-written to 0.

The same is the case when a single tagged frame is received on a tunnel interface. The second tag is added but the DSCP is not modified. The original is maintained irrespective of the trust command.

Also, as a general case, the VLAN tag is always added at the egress. The ingress just maps the packet to the receiving VLAN internally, but the actual tag is added only at the egress trunk port.

Regards,

Niranjan

Hi Niranjan

You are right, DSCP is not modified.

But the question is whether the switch recognizes IP inside a double tagged Ethernet frame at all.

To be more precise: if, for example, one IP packet inside a double tagged frame has DSCP value 46 (EF) and another 34 (AF21), will these Ethernet frames be mapped to different egress queues or to the same queue?

Normally the switch should map them to different queues according to the switch default DSCP to output queue map.

But again I am asking whether the switch correctly recognizes IP traffic.

I suppose the switch logic is the following:

Check the first Ethertype field. It is 8100 for VLAN. Next, check the second Ethertype. And again the switch sees 8100, because the frame is double tagged. What is the next step? Will the switch check the next Ethertype field, or simply assume that this is non-IP traffic, because the second Ethertype is not IP (0080)?

Best Regards,

Tomas

hi!

In that case, no. There is no way to detect the inner DSCP/IP and classify based on that. It is not supported on a double tagged frame / tunnel port.

At least not in c6500 / 7600. I also tried that. You can classify based on DSCP only for a single tagged frame coming in on a trunk port (or untagged on an access port).

One thing we should notice is that Cisco uses the same ethertype even for the outer tag. This wouldn't let the switch know how to interpret the inner packet.

Regards,

niranjan
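
Added illustration of the parsing question discussed in this thread (not part of any post, and a model of the behaviour described rather than Cisco's forwarding logic): a Python parser that looks for the IPv4 header after stripping at most a fixed number of VLAN tags. The function names, VLAN IDs and frames are constructed for the example.

```python
import struct

ETH_IPV4 = 0x0800
TPID_8021Q = 0x8100  # per the thread, Cisco uses this for the outer tag as well


def build_frame(vlan_ids, dscp):
    """Constructed sample frame: zeroed MACs, one 802.1Q tag per VLAN ID
    (outermost first), then a minimal 20-byte IPv4 header carrying `dscp`."""
    frame = bytes(12)
    for vid in vlan_ids:
        frame += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2, 20, 0, 0, 64, 17, 0,
                     bytes(4), bytes(4))
    return frame + struct.pack("!H", ETH_IPV4) + ip


def dscp_at_depth(frame, max_tags):
    """Return the IPv4 DSCP if the IP header is reachable after stripping at
    most `max_tags` VLAN tags, else None (frame is treated as non-IP)."""
    off = 12  # skip destination and source MAC
    for _ in range(max_tags + 1):
        if len(frame) < off + 2:
            return None
        (ethertype,) = struct.unpack_from("!H", frame, off)
        off += 2
        if ethertype == ETH_IPV4:
            if len(frame) < off + 2:
                return None
            return frame[off + 1] >> 2  # upper 6 bits of the ToS byte
        if ethertype != TPID_8021Q or len(frame) < off + 2:
            return None
        off += 2  # skip the tag control information (PCP/DEI/VLAN ID)
    return None


if __name__ == "__main__":
    for dscp in (46, 34):
        single = build_frame([100], dscp)
        double = build_frame([200, 100], dscp)
        print(dscp, dscp_at_depth(single, 1), dscp_at_depth(double, 1),
              dscp_at_depth(double, 2))
```

With `max_tags=1` both double-tagged frames return `None`, so the DSCP 46 and DSCP 34 packets cannot be told apart by that classifier; with `max_tags=2` the inner values are recovered.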
