Hi Dmitry,

Sorry if you've already received this, but wasn't sure if I sent it correctly!

Thanks for coming back to me.

However this not good news!

So just to make sure I understand what you're saying, traffic arriving with different Vlan-ID's at the Port-channel trunk will have its CoS/ToS/DSCP values remarked to default 0, unless its respective Vlan has a Vlan interface with a service policy configured that classifies and remarks it according to defined class and policy maps.

The problem I have here, is that the Port-chjannel trunk services about 30 Vlans to which some of them don't have locally configured vlan interfaces associated with them - the switch just acts as a transit and their respective Vlan interfaces reside on another switch elswhere.

Also, for those Vlans serviced by the Port-channel that do have locally configured Vlan interfaces, it would therefore be cumbersome (to say the least!) to implement them with service policies of their own.

Are you absolutly sure this is how this works, as I will have to rethink how I'm going to classify and remark traffic for the Vlan I have in mind?

Kind regards

Richard

PS. The port-channel physical interfaces span different modules on the switch.

Hello Richard,

In case you don't utilize "trust" concept for the mentioned trunk interface, as soon as you enabled mls qos globally all traffic are marked down to default.

I have verified the behavior and it matches my previous statement, just in case i am referring to PFC3/DFC3 qos logic.

Thank you

-- 
Best regards,
Dmitry Skotnikov

Hi Dmitry,

I understand the port trust concept as packets ingress but didn't know how this relates when the port is also configured for vlan based qos.

So, are you saying that if I configure the Port-channel to trust dscp, it will leave DSCP values of arriving packets unaltered from those vlans that don't have a service-policy assigned to their vlan interface, and for those vlans that do have a service policy assigned to their vlan interface, the DSCP values can be remarked by an associated poliy-map?

I'll try to explain a bit more clearly what I want to do:

Say Port-channel trunk allows vlans 10,20,30,40 50 and 60.

A.) For ingress packets on the Port-channel assigned to vlan 20, I want to classify those that match a specific source IP address and remark their DSCP value using a service-policy assigned to the locally configured interface Vlan20.

B.) For all other vlan packets arriving on the same Port-channel, I want to trust their DSCP values and leave them unaltered without having to configure a service-policy to acheive that.

I understand to enable A.) the Port-channel must be configured with 'mls qos vlan-based' in order to apply the service-policy on the interface vlan20.

What I think you are saying is:

To acheive both A.) and B.) together, I also need to configure the Port-channel with 'mls qos trust dscp'

Could you please confirm if this is what you mean?

Many thanks

Richard

.

Hello Richard,

You can't use vlan-based and trust concept on the same interface simultaneously, because in this case "trust dscp" will supersedes the vlan-based behavior.

In order to mark down a custom VID and retain marking for all others VIDs there is only a single way to do so.For all VLAN IDs you want to retain DSCP marking you need to apply a policy-map with the following configuration:

policy-map PM-TRUST-DSCP

  class class-default

    trust dscp

  !

!

interface Vlan

  service-policy input PM-TRUST-DSCP

!

...

interface Vlan

  service-policy input PM-TRUST-DSCP

!

-- 
Best regards,
Dmitry Skotnikov

Hi Dmitry,

Thanks agian for coming back to me -  I get it now !

So finally just to complete the picture, packets arriving on the Port-channel trunk (configured with 'mls qos vlan-based') belonging to Vlans that either:

A.) don't have a Vlan interface locally configured on the switch

or

B.) do have a Vlan interface locally configured on the switch BUT don't implement an ingress service-policy

will have their DSCP values remarked to default 0.

Sorry to be a pain, but if you could just confirm what I've said above is correct, then I promise I'll leave alone!!!

Your input has been very much appreciated.

Many thanks

Richard.

Hello Richard,

Don't worry I am glad to help you

The answer to you questions is yes, DSCP will be remarked to default 0.

Don't hesistate to ask anything else and have a nice day

-- 
Best regards,
Dmitry Skotnikov

Thanks Dmitry - your help has been invaluable!

Many kind regards

Richard