port (un)trust state on a cisco 7600

bindar.marius · ‎09-12-2006

hy guys,

there is a lot of documentation on the cisco site who explains in great detail how the switch ports on a 6500/7600 device trust or not the CoS, DSCP, IP Precedence of the packets entering in the switch. Please consider the following situations and if is possible, try to give me an answer :

1. an ethernet frame enters on a 6500/7600 on a access port. the trust state of the port is "mls qos trust cos".

what the switch will trust in this case, because the ethernet frame doesn't have an 802.1p field inserted.

2. the trust or untrust state is applied also on the physical routed ports on a 6500/7600 device ?

swaroop.potdar · ‎09-13-2006

Hi,

1) configuring the trust state on a port where you receive untagged traffic is a configuration error. should be enabled only on 802.1Q frames. having said that, if you are able ot do it it will result nothing but into default cos of 0. as the .1P would be left untouched at default value.

HTH-Cheers,

Swaroop

bindar.marius · ‎09-13-2006

swaroop,

i do some tests in the mean time. on a access or routed port (ports who receives untagged frames), if the port is configured to untrusted state, if the mls qos cos is set to a non-zero value on the incoming port, on the outgoing the internal COS value is copied on the ip precedence (dscp) field.

swaroop.potdar · ‎09-13-2006

Hi Bindar,

If I understand the problem your COS value is getting rewritten to DSCP on the Egress.

Can u quickly attach the output of "show mls qos"

HTH-CHeers,

Swaroop

bindar.marius · ‎09-13-2006

hmmm,

i do the tests again ...

if the port on the ingress is in untrusted state and the mls qos cos is 3, the packets on the output get DSCP equal to 0. but if on the same port i set to trust de cos and the same mls qos cos is 3, all the packets on the output has DSCP precedence 3. the port is an routed port.

also , on the cisco site there is a document who explains this behaviour :

If the port is in untrusted state, mark the frame with the port default CoS ans pass the header to the switching engine (PFC). If the port is set to one of the trust states, perform one of these two options :

. if the frame does not have a received CoS (dot1q or ISL), apply the default port CoS.

. for dot1q and ISL frames, keep the frame as it is.

http://www.cisco.com/en/US/partner/products/hw/switches/ps700/products_tech_note09186a008014a29f.shtml

swaroop.potdar · ‎09-13-2006

Yes thats correct...as I had mentioned earlier..if you trust untagged packets (Non-ISL/Dot1Q) it will use the default COS for the frame which is Cos 0.

Untill you have manually set the COS for that port. which in your case is 3.

Also note one more point that the COS should not be written to your DSCP values. As your customer may want to preserve the internal Prec/DSCP values. Have that checked.

HTH-Cheers,

Swaroop

bindar.marius · ‎09-13-2006

did u refer to the

no mls qos rewrite ip dscp

command ?

bindar.marius · ‎09-13-2006

also,

if the port is in untrusted state, mark the frame with the default port CoS ... in my case the default was 3, but i received the packets with the precedence 0 ; they not mention if the frames are tagged or tagged for this scenario.

swaroop.potdar · ‎09-13-2006

Hi Bindar,

If you have a live issue at hand may be you can elaborate the issue with proper background. So that its easy to get a perspective to give an answer.

Thats because if you are trying to test the commands available, what may happen is they are 'N' number of configuration options available in 7600 for QOS. And in testing the commands and their funtionality you amy be overriding each others function, and getting contradictory results.

HTH-Cheers,

Swaroop.