Trust Boundaries, Cat6506E/Sup32 CatOS

Unanswered Question

I am looking at attaching Cisco IP Phones to a Cat6509E on WS-X6148A-GE-45AF line cards. The IP Phones will not share a port with a PC/Device but all devices connected to line card access ports will be in the same Vlan.

I have QoS enabled and have customized some queuing paramters.

I am ready to apply trust boundaries and can only find config docs for implementations where a PC/Device is connected to the Cisco Ip Phone and trunked over separate vlan(s) into the switch. I will not be using that model.

I only want to trust dscp/cos on Cisco Ip Phones.. nothing else.

Has any Netpro had experience in setting up QoS trust boundaries in this scenario?

Thanks in advance

Bill

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
allan.thomas Wed, 10/29/2008 - 16:32

The only concern I have with the WS-X6148A-GE-45AF line card is that I'm not sure sure whether the same restrictions apply, which applied to the WS-X6148-RJ45V?

With the WS-X6148-RJ45V it was not possible to configure the port for mls qos trust cos or dscp.

Below is a sample configuration that you can apply for the switchport:-

interface fastethernet ?/?

switchport mode access

switchport access vlan

spanning-tree portfast

power inline auto

mls qos trust cos

wrr-queue cos-map 1 1 1

wrr-queue cos-map 1 2 0

wrr-queue cos-map 2 1 2 3 4 6 7

wrr-queue cos-map 2 2 5

If you receive an error when configuring the command 'mls qos trust cos' or 'dscp' then you will need to configure the port for vlan-base QoS, and apply a service-policy to the SVI:-

You can tie these ACLs down, the Voice_Control ACL covers most signalling protocols so you probably only limit it to only SCCP?

ip access-list extended Voice_Media

permit udp any any range 16384 32767

!

ip access-list extended Voice_Control

permit tcp any any eq 1720

permit tcp any any range 11000 11999

permit udp any any eq 2427

permit tcp any any eq 2428

permit tcp any any range 2000 2002

permit udp any any eq 1719

permit udp any any eq 5060

permit tcp any eq 1720 any

permit tcp any range 11000 11999 any

permit udp any eq 2427 any

permit tcp any eq 2428 any

permit tcp any range 2000 2002 any

permit udp any eq 1719 any

permit udp any eq 5060 any

!

class-map Voice_Media

match access-group Voice_Media

!

class-map Voice_Control

match access-group Voice_Control

!

policy-map Voice_Marking

class Voice_Media

set ip dscp 46

class Voice_Control

set ip dscp 24

!

interface vlan (Voice-vlan-id)

service-policy input Voice_Marking

!

HTH

Allan.

allan.thomas Wed, 10/29/2008 - 17:08

Apologies Bill, I notice that you refered to CatOS not IOS, however the same restriction may still possibly apply.

Therefore sample config as follows:-

set port qos 2/1-48 vlan-based

set port qos 2/1-48 trust untrusted

set qos acl ip ACL-IP-PHONES dscp 26 tcp any any range 2000 2002

set qos acl ip ACL-IP-PHONES dscp 46 udp any any range 16384 32767

set qos acl ip ACL-IP-PHONES trust-cos ip any any

#

commit qos acl all

#

set qos acl map ACL-IP-PHONES

HTH

Allan.

Actions

This Discussion