qos trust required when match in policy-map?

r.pfffli
Level 1

Hi

I have a simple question but got confused due to different information in various docs regarding the qos mode of operation.

If I want to match in a policy map in a class on a certain dscp value, but on another class I want to match based on an ACL, do I need to configure the qos trust dscp or mls qos trust dscp on the interface, or does it depend on the hardware?

Here a simple example config:

ip access-list Gold
 permit ip any any
!
!
class-map match-any Platinum
 match dscp ef
class-map match-any Gold
 match access-group name Gold
!
!
policy-map test
 class Platinum
  police 10000 8000 exceed-action policed-dscp-transmit
 class Gold
  set dscp cs4
!
int gig1/1
 service-policy input test
 qos trust dscp
!

The reason for this is that I want to trust and "use" some markings from the client, but other markings do not get set on the client and therefore I do the classification on the port via ACL.

The result of having a trust on the interface or not can be quite different.

Would be very great if someone could bring light into this...

Thanks

Roger


acampbell
VIP Alumni

Roger,

Please see this link:-

http://www.cisco.com/en/US/docs/ios/qos/command/reference/qos_m2.html#wp1044294

Classification using a port trust state (for example, mls qos trust [cos | dscp | ip-precedence]) and a policy map (for example, service-policy input policy-map-name) are mutually exclusive. The last one configured overwrites the previous configuration.

So in your case your policy map on the interface g1/1 is overwritten by your mls qos trust dscp command.

Basically use one or the other not both as only the last one will be used.

Regards,
Alex.
Please rate useful posts.


Lei Tian
Cisco Employee

Hi Roger,

That depends on the platform. The order that Alex mentioned is true for 3750, but 3750X and 6500 are different.

HTH,

Lei Tian

r.pfffli
Level 1

Thanks Alex and Lei,

it helps "somehow", which means that I have to check in detail all different HW and the implementation in it.

The goal was to make a very simple access-port policy, which can be used on any access-switch but it seems that this does not work. It has to be specific based on the switch model....

...very frustrating :-(

regards

Roger

Hi Roger,

I agree with you. QoS concept is not hard, but implementing QoS across different platforms can be frustrating. The BUs are aware of that issue as well, and they are trying to make it easy with tools like C3PL (Cisco policy language), MediaNet.

With your requirement, maybe you can try the following config. So, you only classify packets that do not have DSCP value, and trust the DSCP for default.

ip access-list Gold
 permit ip any any dscp default
!
!
class-map match-any Platinum
 match dscp ef
class-map match-any Gold
 match access-group name Gold
!
!
policy-map test
 class Platinum
  police 10000 8000 exceed-action policed-dscp-transmit
 class Gold
  set dscp cs4
 class class-default
  trust dscp
!
int gig1/1
 service-policy input test

HTH,

Lei Tian

Lei,

Thanks for the input and example but this has two problems :-)

1. I cannot put a trust dscp in class-default because the whole bunch of applications going to the class default should get a set dscp default, they should just be marked with default.

2. This config does unfortunately not work on some boxes like 3750 because trust dscp and set dscp within a policy-map are mutually exclusive:

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_55_se/configuration/guide/swqos.html#wp1027339

Note: This command is mutually exclusive with the set command within the same policy map. If you enter the trust command, go to Step 6.

So on the low end boxes I do the following policy without the trust statement on the interface, I do a match - set operation if I want to trust an incoming marking, the traffic which I want to classify gets matched by an ACL and the whole big rest goes into class-default where it gets dscp default.

ip access-list Gold
 permit ip any any
!
class-map match-any Platinum
 match dscp ef
class-map match-any Gold
 match access-group name Gold
class-map match-any Silver
 match dscp af11
!
!
policy-map test
 class Platinum
  set dscp ef
  police 10000 8000 exceed-action policed-dscp-transmit
 class Gold
  set dscp cs4
 class Silver
  set dscp af11
 class class-default
  set dscp default
!
int gig1/1
 service-policy input test
!

On other boxes like Cat4k, Cat6k I have to figure out the QoS mode of operation case by case, if trust statement on interface is needed or not in order to reach the same result as shown in the example policy above.

As you have mentioned, very frustrating to figure out the implementation on a per-box basis...

Thanks

Roger
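An added example, not part of the original posts and not Cisco tooling: a small config check that flags the two combinations this thread identifies as platform-dependent, namely an interface carrying both a port trust statement and an input service-policy, and a policy-map that uses both `trust` and `set`. It assumes `show running-config` style text with full keywords (`interface`, not `int`) and indented sub-commands; the sample config and the names `blocks` and `audit` are constructed for illustration.

```python
import re

# Constructed sample config, modelled on the configs posted in this thread.
SAMPLE = """\
policy-map test
 class Gold
  set dscp cs4
 class class-default
  trust dscp
!
interface GigabitEthernet1/1
 service-policy input test
 qos trust dscp
!
interface GigabitEthernet1/2
 service-policy input test
"""

TRUST_RE = re.compile(r"^(mls )?qos trust\b")  # both spellings used in the thread

def blocks(config, keyword):
    """Yield (name, [stripped sub-commands]) for each top-level `keyword` block."""
    name, body = None, []
    for line in config.splitlines():
        if line and not line[0].isspace():       # unindented line: new top-level command
            if name is not None:
                yield name, body
            parts = line.split()
            name = parts[1] if len(parts) > 1 and parts[0] == keyword else None
            body = []
        elif name is not None and line.strip():  # indented line inside a tracked block
            body.append(line.strip())
    if name is not None:
        yield name, body

def audit(config):
    """Return (kind, name, reason) for each combination to verify per platform."""
    findings = []
    for name, body in blocks(config, "policy-map"):
        has = lambda prefix: any(c.startswith(prefix) for c in body)
        if has("trust ") and has("set "):
            findings.append(("policy-map", name, "trust and set in same policy map"))
    for name, body in blocks(config, "interface"):
        if any(TRUST_RE.match(c) for c in body) and \
           any(c.startswith("service-policy input ") for c in body):
            findings.append(("interface", name, "port trust and input service-policy"))
    return findings
```

Running `audit(SAMPLE)` reports policy-map `test` and interface `GigabitEthernet1/1`; an interface with only a service-policy, as in the last config posted above, produces no finding.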

Hi Roger,

I think your solution should work on all mentioned platforms. The different behavior comes into play when you have both port trust and policy-map on interface, but if you only have policy-map on the port, it should behave the same.

HTH,

Lei Tian

Thanks, I will verify it while checking the different hardware platforms, which I anyway have to do since queuing is totally different between many models :-(

If I find anything crazy, I will post it here...

regards

Roger
