QoS: make switch to trust PC's DSCP marking

Similar Messages

• Mls qos trust "cos or dscp" ?

  I have an uplink from an access switch configured as a trunk 802.1q that needs to trust Qos towards the distribution switch, does this have to trust cos or dscp ? the issue is that the access switch has a local voice vlan and the trunk uses another vlan to connect to the distribution.

  You don't trust "to" a device, only from.
  The advice I've gotten from switching guys is "If you're not sure - just trust DSCP".
  If you try to trust cos on an access port where there is no VLAN header, there is no cos, and you can have problems.
  If you have a trunk to another switch, you can trust cos and you shouldn't have any problems.
  hth,
  nick

• DSCP marking for non WMM-clients

  hello,
  i just made several tries but didn´t find the result which i expected. i have the following scenario:
  non WMM-clients in branches in our WAN
  traffic over the wan line must be shaped
  there is no local breakout, the traffoic should be tunneled to the central datacenter
  so what i want to achieve is that every traffic from this non WMM-clients (which are using a special SSID (i call it here "EXTERNAL")) is getting marked in that way that the CAPWAP-packets are holding dscp-values so that i can refer on these packets beforer they are going over the WAN-connection
  what i did:
  the ssid uses the QOS-Profile "bronze"
  WMM is disabled
  the QOS-Profile itself has 802.1p enabled with a value of 1
  so i expected that every traffic via this ssid "EXTERNAL" gets a dscp marking in the capwap packet of 10 (perhaps also 12 or 14, i´m not sure whcih value really is used). in reality i see 0.
  i´m using Wismv1 with version 7.0.230. i also tried it with 5508 with the same version but it didn´t work. APs are 1142.
  is my expectation wrong that this scenario is working in this way? do i forget something??
  thanks for your help

  The WLAN can only re-mark client traffic that has existing DSCP values in the original packet, typically at the application layer. The platinum profile itself has 46 as VoWLAN, 48 as Mgmt traffic (CAPWAP etc), and 56 as network traffic, classifying them as such based on the original marking. The values are only remarked if the configured SSID is different.
  This link provides a few more details:
  http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00807e9717.shtml

• QoS Problem ( nt getting same DSCP marking at diff.. vpls customer sites

  Hi we are having 3 locations A , B & C
  we are providing l2 vpls service to customer .
  customer is connected to our mpls cloud via EoSDH on my mpls switch on locations A , B & C.
  customer is marking his traffic with DSCP bit XX from Location A when customer checking the traffic
  at location B via packet sniffer ethereal they are not getting the same DSCP Tagging .
  can anyone help me to find out the possible cause of this .
  As far as i know in VPLS services there is limitation of provide multi-QoS.
  But here in this case i m only trusting DSCP on the Lastmile port as well as on the trunks connected from my switches to my PEs .
  so customer tagging should reach from location A to Location B .
  Here we go:
  CPE-A------CPE-A-SW--------SP-SW-A----PE-A======MPLS CLOUD=====PE-B------SP-SW-B-------CPE-B-SW-------CPE-B
  here :CPE-A = customer router
  CPE-A-SW = 4500
  SP-SW-A = 4500
  PE-A = 7600
  PE-B = 7600
  SP-SW-B = 3500
  CPE-B-SW = 4500
  CPE-B = customer router

  I m getting blew output on the trunk interface connected to my PE on both the switches.
  SP-SW-A#sh qos interface GigabitEthernet4/3
  QoS is enabled globally
  Port QoS is enabled
  Administrative Port Trust State: 'dscp'
  Operational Port Trust State: 'dscp'
  Trust device: none
  Default DSCP: 0 Default CoS: 0
  Appliance trust: none
  Tx-Queue Bandwidth ShapeRate Priority QueueSize
  (bps) (bps) (packets)
  1 250000000 disabled N/A 2336
  2 250000000 disabled N/A 2336
  3 250000000 disabled normal 2336
  4 250000000 disabled N/A 2336
  SP-SW-B#sh mls qos interface GigabitEthernet0/2 statistics
  GigabitEthernet0/2
  Ingress
  dscp: incoming no_change classified policed dropped (in bytes)
  Others: 0 0 0 0 0
  Egress
  dscp: incoming no_change classified policed dropped (in bytes)
  Others: 0 n/a n/a 0 0
  WRED drop counts:
  qid thresh1 thresh2 FreeQ
  1 : 0 0 1024
  2 : 0 0 1024
  3 : 0 0 1024
  4 : 0 0 1024

• Questions for QoS on switches

  Hello Experts,
  I currently have QoS settings on my switch:
  class-map match-any VOIP
    match dscp cs5
    match dscp ef
  class-map match-all VIDEO_Conference
    match dscp af41
  class-map match-all ROUTING
    match  dscp cs6
  policy-map myLAN
    class VOIP
     set dscp ef
    class VIDEO_Conference
     set dscp af41
    class ROUTING
     set dscp cs6
  interface g1/1
   ip address 10.10.12.1 255.255.255.0
   ip pim sparse-mode
   service-policy input myLAN
   service-policy output myLAN
  I understand that the class-map is for defining the traffic and policy-map is for creating policy for the map traffic. But still confusing the ways they're working. 
  For this example:
       class-map match-any VOIP
              match dscp cs5
              match dscp ef
  How do i know that VOIP packet is cs5/ef? are there any predefined info for VOIP packets? what are cs5 and ef really playing the roles here?
  Thanks.

  Hi,
  Thanks for the reply, for this CS5 again:   
  class-map match-any VOIP
              match dscp cs5
              match dscp ef
  I've checked from my switch:
  Switch(config-cmap)#match dscp ?
    <0-63>   Differentiated services codepoint value
    af11     Match packets with AF11 dscp (001010)
    af12     Match packets with AF12 dscp (001100)
    af13     Match packets with AF13 dscp (001110)
    af21     Match packets with AF21 dscp (010010)
    af22     Match packets with AF22 dscp (010100)
    af23     Match packets with AF23 dscp (010110)
    af31     Match packets with AF31 dscp (011010)
    af32     Match packets with AF32 dscp (011100)
    af33     Match packets with AF33 dscp (011110)
    af41     Match packets with AF41 dscp (100010)
    af42     Match packets with AF42 dscp (100100)
    af43     Match packets with AF43 dscp (100110)
    cs1      Match packets with CS1(precedence 1) dscp (001000)
    cs2      Match packets with CS2(precedence 2) dscp (010000)
    cs3      Match packets with CS3(precedence 3) dscp (011000)
    cs4      Match packets with CS4(precedence 4) dscp (100000)
    cs5      Match packets with CS5(precedence 5) dscp (101000)
    cs6      Match packets with CS6(precedence 6) dscp (110000)
    cs7      Match packets with CS7(precedence 7) dscp (111000)
    default  Match packets with default dscp (000000)
    ef       Match packets with EF dscp (101110)
  when it says 'cs5  Match packets with CS5(precedence 5) dscp (101000)', does that mean the network packet's binary has to match this binary 101000 to able to define it as cs5?
  I need to wrap my head around this QoS since i've been having a serious confusion about this  QoS things. How would you explain this below in our language?
  class-map match-any VOIP
    match dscp cs5
    match dscp ef
  policy-map myLAN
    class VOIP
     set dscp ef
  interface g1/1
   ip address 10.10.12.1 255.255.255.0
   ip pim sparse-mode
   service-policy input myLAN
   service-policy output myLAN
  Thanks a lot!

• QOS for Switches - CallManager

  CallManager 4.0 installed and i want to collect QOS statistics, we have Cisco 500 switches and 2950 switches which run QOS, however, when i check callManager there are no Statistics collected,
  please assist,

  If your Gateway is H.323 all the calls that use that GW will be cataloge as NA since H.323
  do not has the ability for QOS reports.
  1. if the endpoint device does not support CMR data (packet loss, jitter, etc.) This
  includes all h323 devices, some mgcp, and some sccp devices
  2. if the call potentially matches multiple rules it may result in N/A:
  If that is not our case make sure to enable the CMR records in the CCM Service Parameters, those records are the ones used for the QoS reports.
  HTH
  //Jorge

• Make switching apps (Cmd-Tab) skip hidden apps?

  Prior to using Mac OS X 10.8, I used 10.6.8.  In that version of the OS, and probably all the previous ones, I was used to hidden apps being moved to the right end of the apps list used by Cmd-Tab when switching from one app to another.  When hidden apps were moved to the end, they were less likely to be selected and unhidden.  It also meant that after an app was hidden and moved to the end of the list, a simple press of Cmd-Tab to switch to the previous app would not select the hidden one (unless it was one of only two apps running).
  However, in 10.8, hidden apps aren't shifted to the end of the list.  Therefore, hiding an app, followed by a simple press of Cmd-Tab will make the just-hidden app reappear, even if there are several apps running.
  Is there some way to get the Mac OS X 10.6 functionality back that moves hidden apps to the end of the list?
  That is, if the apps list currently contains:
    A B C D
  "A" is the current app.  If I hide that app, "B" becomes active and "A" should move to the end of the list:
    B C D A
  While app "B" is active, pressing Cmd-Tab will switch to app "C". 

  Please bring this functionality back!  If I hide an app it's because I want to completely remove it from thought and view.  I would close instead if I didn't want to receive notifications from it or for it to continue playing music, etc.  I can't tell you how many times I've hidden an app just to accidentally cmd+tab back to it a minute later.  The same goes for minimized apps when all windows are minimized.  If there are no windows to cmd+tab to it should go to the end of the list.

• Make client to trust server's certificate?

  hi,
  I am new to SSL, and I ran into this problem:
  I have a simple https server (written in java) which gives out certificate to its https client (written
  in C++, Win Inet API). Server certificate is generated using java keytool command:
  "keytool -genkey -keystore certs -keyalg rsa -alias jamie -storepass serverkspw -keypass serverpw"
  Each time the client gets a certificate, a "security alert" window pops up saying "The certificate issuer
  for this site is untrusted or unknown. Do you wish to proceed?" with "YES", "NO", ... choices.
  Is there a way to get rid of this pop up window? So the client can "trust" the https server??
  Any ideas/comments welcome.
  Thanks .
  jk

  Yes - you need to get your certificate signed by one of the Certificate Authorities (CAs) whose root certs are in your client's "trusted certificate" storage. The general approach is to ask a CA (like, say, Verisign or Thawte) to sign your server-cert. You do this by generating your cert, and then then generating a CSR (Cert Signing Request) and sending the CSR to the CA. The CA sends your cert back with their root-cert at the top of the cert-chain. The client will then trust your cert, because it trusts the CA.
  The other way to achieve this is to arrange for your client to store your cert in their "trusted store". Specific steps depend on the client. I don't recall where the Inet API looks for its trusted-cert storage.
  Grant

• QOS configuration - Is there a way to prevent marking SIP signaling as media

  I have configured QOS for Lync 2013 per all the documenation, blogs, etc.
  While reviewing network captures to make sure it is working, I noticed something:  normal SIP signaling traffic from the Lync servers to port 5067 uses random source ports, and when those source ports fall into the ranges defined for media, gets marked
  as if it was media traffic.  This is over-prioritizing: marking SIP signaling traffic with a higher DSCP than is warranted.
  Any way to prevent this?

  The two main methods are marking source ports or marking anything coming from the service executables with a DSCP value.  Sometimes SIP signaling traffic will fall into the source range, and it will always come from the service executable.  You
  can't force only signaling to use a set range source ports, so there's not too much you can do.  That being said, SIP signaling traffic is generally negligible compared to the media traffic so I generally just let it be. 
  Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question please click "Mark As Answer".
  SWC Unified Communications

• WLC 5508 - management frames without DSCP marking

  hello,
  we are facing an issue that our wireless lan controller (5508 with version 7.6.100) doesn´t mark management frames (e.g. reassociation repsonse - necessary for roaming) with CS6. therefore some of them are dropped leaving the clients not to roam...
  does anybody have an idea? in my view it can only be a biug because it´s noit possible to reconfigure this....
  thx

  we are seeing managemt frames getting marked on Wism. i strongly believe they were marked in the past also on 5508. moreover frames are getting marked when they arinitiated by the AP
  if we trust CoS frames are getting marked because it contains the dot1p tag. the switch generates the dscp-value out of it. but we want to trust dscp. 
  we see also a very strange behaviour when trusting COS that sometimes a reassociation request has dot1p value 2 and the next one has 5. so it seems that the tag is there, but not working properly.
  changing to CoS in general would mean testing the whole infrastructure for voip over wireless lan again. and i don´t want to do that

• HWIC-4ESW capable of DSCP marking?

  Hello. Does anyone know if the HWIC-4ESW card is capable of classifying traffic and marking DSCP values on those packets?
  Thanks,
  Mike

  Hello Mike,
  this is from the relevant Q&A: QoS to DSCP mapping is supported:
  Q. What features are supported on the Cisco EtherSwitch HWICs?
  A. The following features are supported on the Cisco EtherSwitch HWICs:
  Up to 15 individual VLANs per 4- or 9-port Cisco EtherSwitch HWIC
  IEEE 802.1Q tagged and untagged VLANs
  Virtual Trunking Protocol (VTP) support for client, server, and transparent modes
  Layer 2 MAC-related feature support:
  Secure MAC addresses
  Static and Dynamic MAC addressing
  2000 MAC addresses
  Port application support
  SPAN port monitoring
  Per-port storm control for broadcasts, unicasts, and multicasts
  QoS feature support
  IEEE 802.1p class-of-service (CoS) priority for 802.1Q tagged frame
  Port-based priority for native frames
  Port priority to overwrite the IEEE 802.1p priority
  Strict priority and Weighted Round Robin CoS policies
  CoS-to-differentiated services code point (DSCP) mapping
  Internet Group Management Protocol (IGMP) snooping
  Network Time Protocol (NTP) support
  IEEE 802.1D spanning tree and Spanning Tree Protocol PortFast
  Secure port filtering (200 secure MAC addresses)
  Simple Network Management Protocol (SNMP) support
  Telnet client and server support
  Cisco Discovery Protocol Versions 1 and 2 support
  Fallback bridging
  802.1x authentication
  IEEE 802.3af-compliant PoE
  Q. What features are not supported on the 4- and 9-port Cisco EtherSwitch HWICs?
  A. The following features are not supported on the Cisco EtherSwitch HWICs:
  Layer 3 switching (this is done through the router)
  Dynamic VLAN for access port
  VTP pruning
  Network port
  Routed port
  Per-port enabling and disabling of unknown multicast and unicast packets
  Cisco Group Management Protocol (GMP) client
  Rate limiting
  Cisco Cluster Management Suite (CMS) support
  HTH,
  GP

• 6500 Sup 2T Etherchannel DSCP marking

  Good Morning,
  We are in the middle of a CUCM deployment and on the 6500 I need to set a DSCP or COS value on egress for the CUCM servers.   So far I have not found the correct way to set the DSCP.  I have attempted to create a service policy and apply it to the physical ports (and I tried the etherchannel just for kicks) and I get the following error:
  Policy can not be installed because interface GigabitEthernet2/12 is a member of Port-channel
  MQC features are not supported for this interface
  How do I correctly set the DSCP value to EF on egress on these ports or the port-channel?
  Thank you in advance for your assistance.
  Justin

  Hi Jon
  Many thanks
  I'm using vlan based QOS because later I'll add more vlans to the configuration, this is just initially to see how to use the QOS function on the 6500 - later we'll use this with more vlans.   Essentially the port that is currently gi1/1 may later be a truck port with 10+ vlan's bound to it (with associated vlan interfaces on the 6500).
  Data arriving from the Server to the 6500 most likely won't have any or valid dscp markings,
  allvoip is currently simplified just for icmp traffic for testing - so it's looking like this:
  class-map match-all allvoip
    match access-group 100
  access-list 100 permit icmp any any
  What is just concerning me is that when I have a continuous ping running I'm getting deltas in the ping times when I have other data downloading off gi1/1 (which makes me think the strict priority queue isn't quite right).
  If I can ask, if I wanted to rate limit the data on vlan6 (say limit the data to 10Mbit) and still also do marking in dscp to enable allocation to the differnet egress queues do you have any suggestions?   I can use a police statement classes on the policy-map but I don't really want to police each class seperately
  kind of like
  vlan 6 entire capacity policed to 10mbit
  then inside that
  allvoip marked EF (and then assigned COS 5 and 1P)
  etc etc
  cheers
  Mark

• ACE 4710 and DSCP marking

  I'm trying to set DSCP flags in traffic from ACE 4710 to clients. Unfortunatly it doesn't seem to work this way:
  class-map type http loadbalance match-any URL-AF21
    2 match http url /aaa/.*
    4 match http url /bbb/.*
  policy-map type loadbalance http first-match LB-WITH-DSCP
    class URL-AF21
      set ip tos 72
      serverfarm MyServerFram
    class default
      set ip tos 0
      serverfarm MyServerFram
  Traffic from ACE to Real Server is tagged but not traffic from ACE to clients.
  Any idea which config might work ?

  Hi,
  If we are setting the TOS Bit in the Policy map, as in you are doing it, ToS Bit will only get set in the ACE to Server Leg of connection. Ace will not set the value for the traffic returning back to Clients.
  The way around to this situation is to set the TOS bit via the parameter map and then call it under the class in multimatcg policy. In this way you will have the TOS bit set for both direction of the traffic (From ACE to Server and from ACE to client. The down side of this approach will be that you won't be able to use it for a specific class of traffic.
  If you are interested in applying the TOS bit for the whole flows hitting a VIP then please follow this configuration example.
  parameter-map type connection SET_TOS
  set ip tos 72
  Regards,
  Kanwal
  Note: Please mark answers if they are helpful.

• Cisco 3560 switch| mls qos trust dscp question

  Hi everybody
  Hi everybody .
  Please consider the following example:
  3560 sw f1/1--------trunk---SW2
  3560 sw
  f1/1
  mls qos trust dscp
  3560 is using default cos-dscp map, assume a 3560 receives a frame carrying IP packet on f1/1 with COS 4, what will 3560 switch do?
  1) will it use its default cos --dscp map  ( cos 4--.dscp 32) and rewrite 32 in dscp field  of the packet in the frame and provide PHB for dscp 32 ?
  Much appreciated!!
  Have  a great weekend.

  Hi
  No it will not trust the cos value, because You have configured to trust dcsp. So, the switch will trust the dcsp value in the incoming frame.
  /Mikael

• QoS - can u trust dscp and cos?

  Hello,
  is it possible to trust DSCP and COS at the same time?
  If so, which one wins?

  G'day,
  It does not really make sense to trust both DSCP and CoS at the same time. You configure your switch to trust one or none of these.
  As an example, if you did have the capability to trust both DSCP and CoS, imagine what would happen if you received a frame with DSCP EF and CoS 0 ? You would be faced with a conflicting situation ... if you trusted CoS, you would give a potentially high-priority packet lesser service. Whereas if you trusted DSCP, you could end up giving a potentially low-priority packet voice-like service... So the option of trusting both is not allowed.
  Hope that helps - pls rate the post if it does.
  Paresh