hello i am playing with qos on some devices - cisco 3560 - cisco 7609 and i have some things that i don't seem to understand. 1. in 3560, i enable mls qos, on the ingress port applyed policy map, classify the packets with acl, mark, all good. on the egress ports i use srr-queue with shape/share, everything is fine, it is working. http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/1... 2. reset to defaults the 3560 in 7606 i pick up a vlan, and apply a policy-map and set dscp 40 on egress of that vlan 3560 in uplinked in 7609 in 3560 i can see the "marked" packets, and i have matches on the dscp set earlier (sh mls qos int xx stat). the problem is: when i apply the srr-queue in 3560 on egress (towards the test port), it does not work. if i enable mls qos on 3560, i cannot match anymore the dscp 40 from the 7609 is it normal? do i have to apply the qos stuff (point1) on all switches i want qos on? i mean, i cannot set dscp in one "core" device and use that in the whole network ? thanks
You should make sure that any links that go between devices have trust set. In your case if your doing DSCP, then make sure each link that goes between devices which must carry tagged packets have trust dscp set. Brian On Nov 12, 2009, at 5:11 AM, Bogdan wrote:
hello
i am playing with qos on some devices - cisco 3560 - cisco 7609 and i have some things that i don't seem to understand.
1. in 3560, i enable mls qos, on the ingress port applyed policy map, classify the packets with acl, mark, all good. on the egress ports i use srr-queue with shape/share, everything is fine, it is working.
http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/1...
2. reset to defaults the 3560 in 7606 i pick up a vlan, and apply a policy-map and set dscp 40 on egress of that vlan 3560 in uplinked in 7609 in 3560 i can see the "marked" packets, and i have matches on the dscp set earlier (sh mls qos int xx stat). the problem is: when i apply the srr-queue in 3560 on egress (towards the test port), it does not work. if i enable mls qos on 3560, i cannot match anymore the dscp 40 from the 7609
is it normal? do i have to apply the qos stuff (point1) on all switches i want qos on? i mean, i cannot set dscp in one "core" device and use that in the whole network ?
thanks
hello indeed, a fellow nanoger gave me this hint. 1. i had to enable mls qos globally in "network" switches 2. set the mls qos trust dscp on the uplinks (ingress port) thanks ps thanks to andrey.gordon too :) On 11/12/2009 03:21 PM, Brian Feeny wrote:
You should make sure that any links that go between devices have trust set. In your case if your doing DSCP, then make sure each link that goes between devices which must carry tagged packets have trust dscp set.
Brian
On Nov 12, 2009, at 5:11 AM, Bogdan wrote:
hello
i am playing with qos on some devices - cisco 3560 - cisco 7609 and i have some things that i don't seem to understand.
1. in 3560, i enable mls qos, on the ingress port applyed policy map, classify the packets with acl, mark, all good. on the egress ports i use srr-queue with shape/share, everything is fine, it is working.
http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/1...
2. reset to defaults the 3560 in 7606 i pick up a vlan, and apply a policy-map and set dscp 40 on egress of that vlan 3560 in uplinked in 7609 in 3560 i can see the "marked" packets, and i have matches on the dscp set earlier (sh mls qos int xx stat). the problem is: when i apply the srr-queue in 3560 on egress (towards the test port), it does not work. if i enable mls qos on 3560, i cannot match anymore the dscp 40 from the 7609
is it normal? do i have to apply the qos stuff (point1) on all switches i want qos on? i mean, i cannot set dscp in one "core" device and use that in the whole network ?
thanks
Look at "show mls qos map" to see the defaults that may be rewriting your information depending on trust (or non-trust) mechanisms you have configured. If you trust CoS, a frame received with cos5 and dscp46 will get rewritten to dscp 40 with default maps... "show mls qos interface (intf)" is also good to see status. Scott Bogdan wrote:
hello
indeed, a fellow nanoger gave me this hint.
1. i had to enable mls qos globally in "network" switches 2. set the mls qos trust dscp on the uplinks (ingress port)
thanks
ps thanks to andrey.gordon too :)
On 11/12/2009 03:21 PM, Brian Feeny wrote:
You should make sure that any links that go between devices have trust set. In your case if your doing DSCP, then make sure each link that goes between devices which must carry tagged packets have trust dscp set.
Brian
On Nov 12, 2009, at 5:11 AM, Bogdan wrote:
hello
i am playing with qos on some devices - cisco 3560 - cisco 7609 and i have some things that i don't seem to understand.
1. in 3560, i enable mls qos, on the ingress port applyed policy map, classify the packets with acl, mark, all good. on the egress ports i use srr-queue with shape/share, everything is fine, it is working.
http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/1...
2. reset to defaults the 3560 in 7606 i pick up a vlan, and apply a policy-map and set dscp 40 on egress of that vlan 3560 in uplinked in 7609 in 3560 i can see the "marked" packets, and i have matches on the dscp set earlier (sh mls qos int xx stat). the problem is: when i apply the srr-queue in 3560 on egress (towards the test port), it does not work. if i enable mls qos on 3560, i cannot match anymore the dscp 40 from the 7609
is it normal? do i have to apply the qos stuff (point1) on all switches i want qos on? i mean, i cannot set dscp in one "core" device and use that in the whole network ?
thanks
hello
indeed, a fellow nanoger gave me this hint.
1. i had to enable mls qos globally in "network" switches 2. set the mls qos trust dscp on the uplinks (ingress port)
thanks
ps thanks to andrey.gordon too :)
On 11/12/2009 03:21 PM, Brian Feeny wrote:
You should make sure that any links that go between devices have
set. In your case if your doing DSCP, then make sure each link that goes between devices which must carry tagged packets have trust dscp set.
Brian
On Nov 12, 2009, at 5:11 AM, Bogdan wrote:
hello
i am playing with qos on some devices - cisco 3560 - cisco 7609 and i have some things that i don't seem to understand.
1. in 3560, i enable mls qos, on the ingress port applyed policy map, classify the packets with acl, mark, all good. on the egress ports i use srr-queue with shape/share, everything is fine, it is working.
http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/relea se/12.2_20_se/configuration/guide/swqos.html#wp1028614
2. reset to defaults the 3560 in 7606 i pick up a vlan, and apply a policy-map and set dscp 40 on egress of that vlan 3560 in uplinked in 7609 in 3560 i can see the "marked" packets, and i have matches on the
dscp
set earlier (sh mls qos int xx stat). the problem is: when i apply the srr-queue in 3560 on egress (towards the test port), it does not work. if i enable mls qos on 3560, i cannot match anymore the dscp 40 from
Following on, the best way is to 'trust' on all uplinks between devices and filter at the edge. So you have a customer who shouldn't be sending tagged traffic, set the port to not trusted (should be the default state) and any customer using QoS should have "mls qos trust dscp" on the demark port. If you don't have a trusted core, then all it takes is a simple switch in the path traffic takes and you'll find yourself scratching your head as to why the DSCP tags are disappearing all of a sudden! Paul -----Original Message----- From: Scott Morris [mailto:swm@emanon.com] Sent: 12 November 2009 14:41 To: Bogdan Cc: nanog@nanog.org Subject: Re: qos 3560 Look at "show mls qos map" to see the defaults that may be rewriting your information depending on trust (or non-trust) mechanisms you have configured. If you trust CoS, a frame received with cos5 and dscp46 will get rewritten to dscp 40 with default maps... "show mls qos interface (intf)" is also good to see status. Scott Bogdan wrote: trust the
7609
is it normal? do i have to apply the qos stuff (point1) on all switches i want qos on? i mean, i cannot set dscp in one "core" device and use that in the whole network ?
thanks
For more information about the Viatel Group, please visit www.viatel.com VTL (UK) Limited Registered in England and Wales Registered Address: Inbucon House, Wick Road, Egham, Surrey TW20 0HR Company Registration No: 04287100 VAT Registration Number: 781 4991 88 THIS MESSAGE IS INTENDED ONLY FOR THE USE OF THE INTENDED RECIPIENT TO WHICH IT IS ADDRESSED AND MAY CONTAIN INFORMATION THAT IS PRIVILEGED, CONFIDENTIAL AND EXEMPT FROM DISCLOSURE. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering the message to the intended recipient, you are notified that any dissemination, distribution or copying of this e-mail is prohibited, and you should delete this e-mail from your system. This message has been scanned for viruses and spam by Viatel MailControl - www.viatel.com
Following on, the best way is to 'trust' on all uplinks between devices and filter at the edge. So you have a customer who shouldn't be sending tagged traffic, set the port to not trusted (should be the default state) and any customer using QoS should have "mls qos trust dscp" on the demark port.
If you don't have a trusted core, then all it takes is a simple switch in the path traffic takes and you'll find yourself scratching your head as to why the DSCP tags are disappearing all of a sudden!
indeed, i do see another dscp value in the counters. (besides mine). i tried with dscp mutation and re-mapping, but it did't work. so..start NOT trusting the edge/customers ports.
Paul
-----Original Message----- From: Scott Morris [mailto:swm@emanon.com] Sent: 12 November 2009 14:41 To: Bogdan Cc: nanog@nanog.org Subject: Re: qos 3560
Look at "show mls qos map" to see the defaults that may be rewriting your information depending on trust (or non-trust) mechanisms you have configured.
If you trust CoS, a frame received with cos5 and dscp46 will get rewritten to dscp 40 with default maps...
"show mls qos interface (intf)" is also good to see status.
Scott
hello
indeed, a fellow nanoger gave me this hint.
1. i had to enable mls qos globally in "network" switches 2. set the mls qos trust dscp on the uplinks (ingress port)
thanks
ps thanks to andrey.gordon too :)
On 11/12/2009 03:21 PM, Brian Feeny wrote:
You should make sure that any links that go between devices have
set. In your case if your doing DSCP, then make sure each link that goes between devices which must carry tagged packets have trust dscp set.
Brian
On Nov 12, 2009, at 5:11 AM, Bogdan wrote:
hello
i am playing with qos on some devices - cisco 3560 - cisco 7609 and i have some things that i don't seem to understand.
1. in 3560, i enable mls qos, on the ingress port applyed policy map, classify the packets with acl, mark, all good. on the egress ports i use srr-queue with shape/share, everything is fine, it is working.
http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/relea se/12.2_20_se/configuration/guide/swqos.html#wp1028614
2. reset to defaults the 3560 in 7606 i pick up a vlan, and apply a policy-map and set dscp 40 on egress of that vlan 3560 in uplinked in 7609 in 3560 i can see the "marked" packets, and i have matches on the
dscp
set earlier (sh mls qos int xx stat). the problem is: when i apply the srr-queue in 3560 on egress (towards the test port), it does not work. if i enable mls qos on 3560, i cannot match anymore the dscp 40 from
Bogdan wrote: trust the
7609
is it normal? do i have to apply the qos stuff (point1) on all switches i want qos on? i mean, i cannot set dscp in one "core" device and use that in the whole network ?
thanks
For more information about the Viatel Group, please visit www.viatel.com
VTL (UK) Limited Registered in England and Wales Registered Address: Inbucon House, Wick Road, Egham, Surrey TW20 0HR Company Registration No: 04287100 VAT Registration Number: 781 4991 88
THIS MESSAGE IS INTENDED ONLY FOR THE USE OF THE INTENDED RECIPIENT TO WHICH IT IS ADDRESSED AND MAY CONTAIN INFORMATION THAT IS PRIVILEGED, CONFIDENTIAL AND EXEMPT FROM DISCLOSURE. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering the message to the intended recipient, you are notified that any dissemination, distribution or copying of this e-mail is prohibited, and you should delete this e-mail from your system.
This message has been scanned for viruses and spam by Viatel MailControl - www.viatel.com
participants (4)
-
Bogdan -
Brian Feeny -
Martin, Paul -
Scott Morris