QoS: make switch to trust PC's DSCP marking
Hi,
As you all know, it's possible to override 802.1p/CoS field coming from PC attached to Catalyst switch.
This is accomplished in 2 (two) ways:
- either by '(config-if)# mls qos trust extend cos <value>'
- or via '(config-if)# switchport priority extend cos <value>'
But what about making the Cisco IP Phone trust the PC's DSCP marking? Is this possible?
P.S.
Can you also explain why there are 2 (two) flavors of CLI to allow the switch to trust the PC's 802.1p marking?
Thanks.
Tobi,
The PC basically sends untagged frames to the switch; these will normally be sent as CoS=0.
The following link has some scenarios for you:
http://www.cisco.com/en/US/partner/products/hw/switches/ps5023/products_tech_note09186a0080883f9e.shtml#cg211
I think you will find example 6 useful.
Similar Messages
-
Mls qos trust "cos or dscp" ?
I have an uplink from an access switch configured as a trunk 802.1q that needs to trust Qos towards the distribution switch, does this have to trust cos or dscp ? the issue is that the access switch has a local voice vlan and the trunk uses another vlan to connect to the distribution.
You don't trust "to" a device, only from.
The advice I've gotten from switching guys is "If you're not sure - just trust DSCP".
If you try to trust cos on an access port where there is no VLAN header, there is no cos, and you can have problems.
If you have a trunk to another switch, you can trust cos and you shouldn't have any problems.
hth,
nick -
DSCP marking for non WMM-clients
hello,
i just made several tries but didn't find the result which i expected. i have the following scenario:
non WMM-clients in branches in our WAN
traffic over the wan line must be shaped
there is no local breakout, the traffic should be tunneled to the central datacenter
so what i want to achieve is that every traffic from these non WMM-clients (which are using a special SSID (i call it here "EXTERNAL")) is getting marked in that way that the CAPWAP-packets are holding dscp-values so that i can refer on these packets before they are going over the WAN-connection
what i did:
the ssid uses the QOS-Profile "bronze"
WMM is disabled
the QOS-Profile itself has 802.1p enabled with a value of 1
so i expected that every traffic via this ssid "EXTERNAL" gets a dscp marking in the capwap packet of 10 (perhaps also 12 or 14, i'm not sure which value really is used). in reality i see 0.
i'm using Wismv1 with version 7.0.230. i also tried it with 5508 with the same version but it didn't work. APs are 1142.
is my expectation wrong that this scenario is working in this way? do i forget something??
thanks for your help
The WLAN can only re-mark client traffic that has existing DSCP values in the original packet, typically at the application layer. The platinum profile itself has 46 as VoWLAN, 48 as Mgmt traffic (CAPWAP etc), and 56 as network traffic, classifying them as such based on the original marking. The values are only remarked if the configured SSID is different.
This link provides a few more details:
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00807e9717.shtml -
QoS Problem ( nt getting same DSCP marking at diff.. vpls customer sites
Hi, we have 3 locations: A, B & C.
We are providing L2 VPLS service to the customer.
The customer is connected to our MPLS cloud via EoSDH on my MPLS switch at locations A, B & C.
The customer is marking his traffic with DSCP bit XX from location A. When the customer checks the traffic
at location B via the packet sniffer Ethereal, they are not getting the same DSCP tagging.
Can anyone help me find the possible cause of this?
As far as I know, in VPLS services there is a limitation on providing multi-QoS.
But in this case I'm only trusting DSCP on the last-mile port as well as on the trunks connected from my switches to my PEs,
so the customer tagging should reach from location A to location B.
Here we go:
CPE-A------CPE-A-SW--------SP-SW-A----PE-A======MPLS CLOUD=====PE-B------SP-SW-B-------CPE-B-SW-------CPE-B
here :CPE-A = customer router
CPE-A-SW = 4500
SP-SW-A = 4500
PE-A = 7600
PE-B = 7600
SP-SW-B = 3500
CPE-B-SW = 4500
CPE-B = customer router
I'm getting the below output on the trunk interface connected to my PE on both the switches.
SP-SW-A#sh qos interface GigabitEthernet4/3
QoS is enabled globally
Port QoS is enabled
Administrative Port Trust State: 'dscp'
Operational Port Trust State: 'dscp'
Trust device: none
Default DSCP: 0 Default CoS: 0
Appliance trust: none
Tx-Queue Bandwidth ShapeRate Priority QueueSize
(bps) (bps) (packets)
1 250000000 disabled N/A 2336
2 250000000 disabled N/A 2336
3 250000000 disabled normal 2336
4 250000000 disabled N/A 2336
SP-SW-B#sh mls qos interface GigabitEthernet0/2 statistics
GigabitEthernet0/2
Ingress
dscp: incoming no_change classified policed dropped (in bytes)
Others: 0 0 0 0 0
Egress
dscp: incoming no_change classified policed dropped (in bytes)
Others: 0 n/a n/a 0 0
WRED drop counts:
qid thresh1 thresh2 FreeQ
1 : 0 0 1024
2 : 0 0 1024
3 : 0 0 1024
4 : 0 0 1024 -
Hello Experts,
I currently have QoS settings on my switch:
class-map match-any VOIP
match dscp cs5
match dscp ef
class-map match-all VIDEO_Conference
match dscp af41
class-map match-all ROUTING
match dscp cs6
policy-map myLAN
class VOIP
set dscp ef
class VIDEO_Conference
set dscp af41
class ROUTING
set dscp cs6
interface g1/1
ip address 10.10.12.1 255.255.255.0
ip pim sparse-mode
service-policy input myLAN
service-policy output myLAN
I understand that the class-map is for defining the traffic and the policy-map is for creating policy for the mapped traffic. But I am still confused about the way they work.
For this example:
class-map match-any VOIP
match dscp cs5
match dscp ef
How do I know that a VOIP packet is cs5/ef? Is there any predefined info for VOIP packets? What roles are cs5 and ef really playing here?
Thanks.
Hi,
Thanks for the reply, for this CS5 again:
class-map match-any VOIP
match dscp cs5
match dscp ef
I've checked from my switch:
Switch(config-cmap)#match dscp ?
<0-63> Differentiated services codepoint value
af11 Match packets with AF11 dscp (001010)
af12 Match packets with AF12 dscp (001100)
af13 Match packets with AF13 dscp (001110)
af21 Match packets with AF21 dscp (010010)
af22 Match packets with AF22 dscp (010100)
af23 Match packets with AF23 dscp (010110)
af31 Match packets with AF31 dscp (011010)
af32 Match packets with AF32 dscp (011100)
af33 Match packets with AF33 dscp (011110)
af41 Match packets with AF41 dscp (100010)
af42 Match packets with AF42 dscp (100100)
af43 Match packets with AF43 dscp (100110)
cs1 Match packets with CS1(precedence 1) dscp (001000)
cs2 Match packets with CS2(precedence 2) dscp (010000)
cs3 Match packets with CS3(precedence 3) dscp (011000)
cs4 Match packets with CS4(precedence 4) dscp (100000)
cs5 Match packets with CS5(precedence 5) dscp (101000)
cs6 Match packets with CS6(precedence 6) dscp (110000)
cs7 Match packets with CS7(precedence 7) dscp (111000)
default Match packets with default dscp (000000)
ef Match packets with EF dscp (101110)
When it says 'cs5 Match packets with CS5(precedence 5) dscp (101000)', does that mean the network packet's binary has to match this binary 101000 to be able to define it as cs5?
I need to wrap my head around this QoS since I've been having serious confusion about these QoS things. How would you explain this below in our language?
class-map match-any VOIP
match dscp cs5
match dscp ef
policy-map myLAN
class VOIP
set dscp ef
interface g1/1
ip address 10.10.12.1 255.255.255.0
ip pim sparse-mode
service-policy input myLAN
service-policy output myLAN
Thanks a lot! -
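The question above asks whether a packet's bits must equal 101000 to count as cs5. The Python sketch below is an added example, not code from the thread or from Cisco: it takes the six DSCP bits out of the IPv4 ToS byte, names them using the `match dscp ?` table quoted above, and walks the myLAN policy as a first-match classifier. The function names and the constructed sample header are hypothetical; the same arithmetic shows that the `set ip tos 72` quoted elsewhere on this page is DSCP 18 (af21).

```python
import struct

# DSCP names as listed by the switch's "match dscp ?" help quoted on this page.
DSCP_NAMES = {0: "default", 46: "ef"}
DSCP_NAMES.update({n << 3: f"cs{n}" for n in range(1, 8)})      # CSn  = nnn000
DSCP_NAMES.update({(c << 3) | (d << 1): f"af{c}{d}"             # AFcd = cccdd0
                   for c in range(1, 5) for d in range(1, 4)})
DSCP_VALUES = {name: value for value, name in DSCP_NAMES.items()}

# The myLAN policy from the post: (class, match mode, matched DSCPs, DSCP to set).
MY_LAN = [
    ("VOIP", "match-any", ["cs5", "ef"], "ef"),
    ("VIDEO_Conference", "match-all", ["af41"], "af41"),
    ("ROUTING", "match-all", ["cs6"], "cs6"),
]

def split_tos(tos):
    """Split the 8-bit ToS byte into (dscp, ecn): upper six bits, lower two."""
    return tos >> 2, tos & 0b11

def dscp_of_ipv4(header):
    """Read the DSCP from raw IPv4 header bytes (byte 1 is the ToS byte)."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return split_tos(header[1])[0]

def classify(dscp, policy=MY_LAN):
    """First matching class wins; anything else stays in class-default, unchanged."""
    for name, mode, matches, set_to in policy:
        hits = [dscp == DSCP_VALUES[m] for m in matches]
        if (any(hits) if mode == "match-any" else all(hits)):
            return name, DSCP_VALUES[set_to]
    return "class-default", dscp

def make_ipv4_header(tos):
    """Constructed sample header; checksum is left at 0, only byte 1 matters here."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20, 0, 0, 64, 17, 0,
                       bytes([10, 10, 12, 2]), bytes([10, 10, 12, 1]))

def describe(tos):
    """One-line summary of how a packet with this ToS byte is handled by myLAN."""
    dscp = dscp_of_ipv4(make_ipv4_header(tos))
    cls, new = classify(dscp)
    return (f"tos={tos} dscp={dscp} ({dscp:06b}) "
            f"{DSCP_NAMES.get(dscp, 'unnamed')} -> {cls}, leaves as dscp {new}")

if __name__ == "__main__":
    # Constructed ToS bytes: cs5, ef, ef with ECN bits set, af41, cs6, af21 (tos 72), default.
    for tos in (0xA0, 0xB8, 0xB9, 0x88, 0xC0, 72, 0):
        print(describe(tos))
```

A packet arriving as cs5 (101000) therefore leaves re-marked as ef (101110), while the ECN bits in the low two positions of the byte play no part in the match.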
QOS for Switches - CallManager
CallManager 4.0 is installed and I want to collect QOS statistics. We have Cisco 500 switches and 2950 switches which run QOS; however, when I check CallManager there are no statistics collected.
Please assist,
If your gateway is H.323, all the calls that use that GW will be cataloged as NA, since H.323 does not have the ability for QOS reports.
1. if the endpoint device does not support CMR data (packet loss, jitter, etc.). This includes all H.323 devices, some MGCP, and some SCCP devices
2. if the call potentially matches multiple rules it may result in N/A:
If that is not our case make sure to enable the CMR records in the CCM Service Parameters, those records are the ones used for the QoS reports.
HTH
//Jorge -
Make switching apps (Cmd-Tab) skip hidden apps?
Prior to using Mac OS X 10.8, I used 10.6.8. In that version of the OS, and probably all the previous ones, I was used to hidden apps being moved to the right end of the apps list used by Cmd-Tab when switching from one app to another. When hidden apps were moved to the end, they were less likely to be selected and unhidden. It also meant that after an app was hidden and moved to the end of the list, a simple press of Cmd-Tab to switch to the previous app would not select the hidden one (unless it was one of only two apps running).
However, in 10.8, hidden apps aren't shifted to the end of the list. Therefore, hiding an app, followed by a simple press of Cmd-Tab will make the just-hidden app reappear, even if there are several apps running.
Is there some way to get the Mac OS X 10.6 functionality back that moves hidden apps to the end of the list?
That is, if the apps list currently contains:
A B C D
"A" is the current app. If I hide that app, "B" becomes active and "A" should move to the end of the list:
B C D A
While app "B" is active, pressing Cmd-Tab will switch to app "C".
Please bring this functionality back! If I hide an app it's because I want to completely remove it from thought and view. I would close instead if I didn't want to receive notifications from it or for it to continue playing music, etc. I can't tell you how many times I've hidden an app just to accidentally cmd+tab back to it a minute later. The same goes for minimized apps when all windows are minimized. If there are no windows to cmd+tab to it should go to the end of the list.
-
Make client to trust server's certificate?
hi,
I am new to SSL, and I ran into this problem:
I have a simple https server (written in java) which gives out a certificate to its https client (written in C++, Win Inet API). The server certificate is generated using the java keytool command:
"keytool -genkey -keystore certs -keyalg rsa -alias jamie -storepass serverkspw -keypass serverpw"
Each time the client gets a certificate, a "security alert" window pops up saying "The certificate issuer for this site is untrusted or unknown. Do you wish to proceed?" with "YES", "NO", ... choices.
Is there a way to get rid of this pop up window? So the client can "trust" the https server??
Any ideas/comments welcome.
Thanks .
jk
Yes - you need to get your certificate signed by one of the Certificate Authorities (CAs) whose root certs are in your client's "trusted certificate" storage. The general approach is to ask a CA (like, say, Verisign or Thawte) to sign your server-cert. You do this by generating your cert, and then generating a CSR (Cert Signing Request) and sending the CSR to the CA. The CA sends your cert back with their root-cert at the top of the cert-chain. The client will then trust your cert, because it trusts the CA.
The other way to achieve this is to arrange for your client to store your cert in their "trusted store". Specific steps depend on the client. I don't recall where the Inet API looks for its trusted-cert storage.
Grant -
QOS configuration - Is there a way to prevent marking SIP signaling as media
I have configured QOS for Lync 2013 per all the documenation, blogs, etc.
While reviewing network captures to make sure it is working, I noticed something: normal SIP signaling traffic from the Lync servers to port 5067 uses random source ports, and when those source ports fall into the ranges defined for media, gets marked as if it was media traffic. This is over-prioritizing: marking SIP signaling traffic with a higher DSCP than is warranted.
Any way to prevent this?
The two main methods are marking source ports or marking anything coming from the service executables with a DSCP value. Sometimes SIP signaling traffic will fall into the source range, and it will always come from the service executable. You can't force only signaling to use a set range source ports, so there's not too much you can do. That being said, SIP signaling traffic is generally negligible compared to the media traffic so I generally just let it be.
SWC Unified Communications -
WLC 5508 - management frames without DSCP marking
hello,
we are facing an issue that our wireless lan controller (5508 with version 7.6.100) doesn't mark management frames (e.g. reassociation response - necessary for roaming) with CS6. therefore some of them are dropped, leaving the clients unable to roam...
does anybody have an idea? in my view it can only be a bug because it's not possible to reconfigure this....
thx
we are seeing management frames getting marked on Wism. i strongly believe they were marked in the past also on 5508. moreover frames are getting marked when they are initiated by the AP
if we trust CoS frames are getting marked because it contains the dot1p tag. the switch generates the dscp-value out of it. but we want to trust dscp.
we see also a very strange behaviour when trusting COS that sometimes a reassociation request has dot1p value 2 and the next one has 5. so it seems that the tag is there, but not working properly.
changing to CoS in general would mean testing the whole infrastructure for voip over wireless lan again. and i don't want to do that -
HWIC-4ESW capable of DSCP marking?
Hello. Does anyone know if the HWIC-4ESW card is capable of classifying traffic and marking DSCP values on those packets?
Thanks,
Mike
Hello Mike,
this is from the relevant Q&A: QoS to DSCP mapping is supported:
Q. What features are supported on the Cisco EtherSwitch HWICs?
A. The following features are supported on the Cisco EtherSwitch HWICs:
Up to 15 individual VLANs per 4- or 9-port Cisco EtherSwitch HWIC
IEEE 802.1Q tagged and untagged VLANs
Virtual Trunking Protocol (VTP) support for client, server, and transparent modes
Layer 2 MAC-related feature support:
Secure MAC addresses
Static and Dynamic MAC addressing
2000 MAC addresses
Port application support
SPAN port monitoring
Per-port storm control for broadcasts, unicasts, and multicasts
QoS feature support
IEEE 802.1p class-of-service (CoS) priority for 802.1Q tagged frame
Port-based priority for native frames
Port priority to overwrite the IEEE 802.1p priority
Strict priority and Weighted Round Robin CoS policies
CoS-to-differentiated services code point (DSCP) mapping
Internet Group Management Protocol (IGMP) snooping
Network Time Protocol (NTP) support
IEEE 802.1D spanning tree and Spanning Tree Protocol PortFast
Secure port filtering (200 secure MAC addresses)
Simple Network Management Protocol (SNMP) support
Telnet client and server support
Cisco Discovery Protocol Versions 1 and 2 support
Fallback bridging
802.1x authentication
IEEE 802.3af-compliant PoE
Q. What features are not supported on the 4- and 9-port Cisco EtherSwitch HWICs?
A. The following features are not supported on the Cisco EtherSwitch HWICs:
Layer 3 switching (this is done through the router)
Dynamic VLAN for access port
VTP pruning
Network port
Routed port
Per-port enabling and disabling of unknown multicast and unicast packets
Cisco Group Management Protocol (GMP) client
Rate limiting
Cisco Cluster Management Suite (CMS) support
HTH,
GP -
6500 Sup 2T Etherchannel DSCP marking
Good Morning,
We are in the middle of a CUCM deployment and on the 6500 I need to set a DSCP or COS value on egress for the CUCM servers. So far I have not found the correct way to set the DSCP. I have attempted to create a service policy and apply it to the physical ports (and I tried the etherchannel just for kicks) and I get the following error:
Policy can not be installed because interface GigabitEthernet2/12 is a member of Port-channel
MQC features are not supported for this interface
How do I correctly set the DSCP value to EF on egress on these ports or the port-channel?
Thank you in advance for your assistance.
Justin
Hi Jon
Many thanks
I'm using vlan based QOS because later I'll add more vlans to the configuration, this is just initially to see how to use the QOS function on the 6500 - later we'll use this with more vlans. Essentially the port that is currently gi1/1 may later be a trunk port with 10+ vlans bound to it (with associated vlan interfaces on the 6500).
Data arriving from the Server to the 6500 most likely won't have any or valid dscp markings,
allvoip is currently simplified just for icmp traffic for testing - so it's looking like this:
class-map match-all allvoip
match access-group 100
access-list 100 permit icmp any any
What is just concerning me is that when I have a continuous ping running I'm getting deltas in the ping times when I have other data downloading off gi1/1 (which makes me think the strict priority queue isn't quite right).
If I can ask, if I wanted to rate limit the data on vlan6 (say limit the data to 10Mbit) and still also do marking in dscp to enable allocation to the different egress queues do you have any suggestions? I can use a police statement classes on the policy-map but I don't really want to police each class separately
kind of like
vlan 6 entire capacity policed to 10mbit
then inside that
allvoip marked EF (and then assigned COS 5 and 1P)
etc etc
cheers
Mark -
I'm trying to set DSCP flags in traffic from ACE 4710 to clients. Unfortunately it doesn't seem to work this way:
class-map type http loadbalance match-any URL-AF21
2 match http url /aaa/.*
4 match http url /bbb/.*
policy-map type loadbalance http first-match LB-WITH-DSCP
class URL-AF21
set ip tos 72
serverfarm MyServerFram
class default
set ip tos 0
serverfarm MyServerFram
Traffic from ACE to Real Server is tagged but not traffic from ACE to clients.
Any idea which config might work?
Hi,
If we are setting the TOS bit in the policy map, as you are doing, the ToS bit will only get set in the ACE-to-server leg of the connection. ACE will not set the value for the traffic returning back to clients.
The way around this situation is to set the TOS bit via the parameter map and then call it under the class in the multi-match policy. In this way you will have the TOS bit set for both directions of the traffic (from ACE to server and from ACE to client). The downside of this approach is that you won't be able to use it for a specific class of traffic.
If you are interested in applying the TOS bit for the whole flows hitting a VIP then please follow this configuration example.
parameter-map type connection SET_TOS
set ip tos 72
Regards,
Kanwal
-
Cisco 3560 switch| mls qos trust dscp question
Hi everybody
Please consider the following example:
3560 sw f1/1--------trunk---SW2
3560 sw
f1/1
mls qos trust dscp
3560 is using default cos-dscp map, assume a 3560 receives a frame carrying IP packet on f1/1 with COS 4, what will 3560 switch do?
1) will it use its default cos-dscp map (cos 4 -> dscp 32) and rewrite 32 in dscp field of the packet in the frame and provide PHB for dscp 32 ?
Much appreciated!!
Have a great weekend.
Hi
No, it will not trust the cos value, because you have configured it to trust dscp. So, the switch will trust the dscp value in the incoming frame.
/Mikael -
QoS - can u trust dscp and cos?
Hello,
is it possible to trust DSCP and COS at the same time?
If so, which one wins?
G'day,
It does not really make sense to trust both DSCP and CoS at the same time. You configure your switch to trust one or none of these.
As an example, if you did have the capability to trust both DSCP and CoS, imagine what would happen if you received a frame with DSCP EF and CoS 0 ? You would be faced with a conflicting situation ... if you trusted CoS, you would give a potentially high-priority packet lesser service. Whereas if you trusted DSCP, you could end up giving a potentially low-priority packet voice-like service... So the option of trusting both is not allowed.
Hope that helps - pls rate the post if it does.
Paresh