Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

7600 SUP720 + FWSM rewriting DSCP


I have a few questions regarding DSCP behavior on the 7600 platform. We are currently running into an issue where DSCP bits are being cleared as they traverse an FWSM module which is not ideal. Below is a simple diagram of the network in question.

Internet -> 7600 -> FWSM -> MPLS cloud

If a layer 3 interface is configured on the 7600 for the inside interface of the FWSM it appears that DSCP is overwritten as it passes through the FWSM. In other words

DSCP tagged traffic->public vlan on 7600->outside FWSM->inside FWSM->private VRF vlan on 7600->remote site = untagged DSCP traffic.

Turning DSCP rewrite off on the 7600 via "no mls qos rewrite ip dscp" seems to "fix" this behavior and allows the DSCP tagged traffic to traverse the entire path. However disabling dscp rewrite globally will have other adverse side effects as I understand it. We don't want to "trust" every DSCP value coming through this router and would prefer the standard "clear everything to zero" behavior.

We are running mls qos vlan-mode on all dot1q trunks. We require vlan-mode to support input tagging policies on several VLANs.

Is there an alternate way to trust DSCP values from the FWSM? Is it possible this behavior is a bug?


Re: 7600 SUP720 + FWSM rewriting DSCP

Internet Group Management Protocol (IGMP) packets classified by QoS to map the DSCP value and the class of service (CoS) value in a QoS policy map might modify only the DSCP property and leave the CoS value at zero