QoS Trust

Similar Messages

• Problem on the QoS trust boundary on FEX

  HI: all
       During a test, we found the N5K attached FEX will override all the DSCP marking to 0  for the class-default traffic. Based on my understanding, the N5K will enable the qos trust on all access port by defual. But how about I configure a policy-map on the interface for DSCP marking, and want to leave the unclassified traffic as the original DSCP tag, is that possible?
      Thanks!
  BR
  LIBING

  Hi There,
  Take a look at the QoS config guide, it has some of the answers you are after.
  You should refer to the guide relevant to your OS version.
  http://www.cisco.com/en/US/partner/docs/switches/datacenter/nexus5500/sw/qos/602_N1_1/b_5500_QoS_Config_602N11_chapter_0110.html
  Any incoming packet not tagged with an 802.1p CoS value is assigned the default untagged CoS value of zero (which maps to the default Ethernet drop system class). You can override the default untagged CoS value for an Ethernet or EtherChannel interface.
  On a Cisco Nexus device, you can configure a type qos policy map and untagged CoS on the same interface.
  Trust Boundaries
  The trust boundary is enforced by the incoming interface as follows:
  All Fibre Channel and virtual Fibre Channel interfaces are automatically classified into the FCoE system class.
  By default, all Ethernet interfaces are trusted interfaces.The 802.1p CoS and DSCP are preserved unless the marking is configured. There is no default CoS to queue and DSCP to queue mapping. You can define and apply a policy to create these mappings. By default, without a user defined policy, all traffic is assigned to the default queue.
  Any packet that is not tagged with an 802.1p CoS value is classified into the default drop system class. If the untagged packet is sent over a trunk, it is tagged with the default untagged CoS value, which is zero.
  You can override the default untagged CoS value for an Ethernet interface or port channel.
  You can override the default untagged CoS value for an Ethernet interface or a port channel interface using the untagged cos cos-value command.
  You can override the default untagged Cos value for an Ethernet or a Layer 3 interface or a port channel interface using the untagged cos cos-value command.
  After the system applies the untagged CoS value, QoS functions the same as for a packet that entered the system tagged with the CoS value.
  Hope that helps.

• Qos trust cos or qos trust dscp?

  My core switches are a pair Cisco catalyst 4006s with a sup 4 module. The questions are:
  1. Should I use qos trust cos or qos trust dscp when setting up qos on a per port basis?
  2. Which is preferred?
  3. I have a cos to dscp mapping so does it really matter?
  Any help is greatly appreciated. I just want to make sure that I'm honoring all tags.
  Mark

  If you have ip phones connected to the switch, you can enter qos trust cos on the switch and in the router which is connected to the switch enter the command to trust the DSCP since the switch will pass the dscp information to teh router.
  http://www.cisco.com/en/US/docs/ios/qos/command/reference/qos_m2.html#wp1015945

• Cisco 3560 switch| mls qos trust dscp question

  Hi everybody
  Hi everybody .
  Please consider the following example:
  3560 sw f1/1--------trunk---SW2
  3560 sw
  f1/1
  mls qos trust dscp
  3560 is using default cos-dscp map, assume a 3560 receives a frame carrying IP packet on f1/1 with COS 4, what will 3560 switch do?
  1) will it use its default cos --dscp map  ( cos 4--.dscp 32) and rewrite 32 in dscp field  of the packet in the frame and provide PHB for dscp 32 ?
  Much appreciated!!
  Have  a great weekend.

  Hi
  No it will not trust the cos value, because You have configured to trust dcsp. So, the switch will trust the dcsp value in the incoming frame.
  /Mikael

• Mls qos VS mls qos trust

  Hello world!
  I want to enable qos on a 3560 switch,
  So, I put:
  Overall setup mode "mls qos"
  Question:
  is what it is Verily nessaiire to interface configuration mode: "mls qos trust"?
  Regards,

  Disclaimer
  The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
  Liability Disclaimer
  In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
  Posting
  Generally, on many Catalyst switches, once you enable QoS, they will erase an ingress CoS/ToS markings unless your trust it or otherwise (i.e. policy) maintain it.
  I.e. the answer to your question is an "it depends"; but unless you want the markings reset to zero, the answer is probably yes (you want to trust).

• Why does mls qos trust dscp dissapear after reboot?

  The command takes but after reboot, Invlaid inputs detected show up and "mls qos tust dscp" is gone from every interface.
  Happens on both 2960-24PC-S / 2960-48PST-S switches.

  Hi,
  thanks for your reply.
  mls qos
  interface GigabitEthernet3/34
  description *** DATA VLAN 35 - VOICE VLAN 34 ***
  switchport
  switchport trunk native vlan 36
  switchport trunk allowed vlan 34,36
  switchport mode trunk
  mls qos trust dscp
  no cdp enable
  spanning-tree portfast trunk
  If i don't include the global 'mls qos' command then the voice packets keep the dscp 46 value.  If I add the mls qos command this causes the switch to set the dscp values to zero.
  Thanks again 
  ps.  there are some other mls commands on the switch... i don't know if these could interfere but they were already on there so i'm reluctant to remove them..

• Mls qos trust dscp??? is setting my DSCP values to zero!?

  Hi,
  I was just doing some testing to ensure that the command 'mls qos trust dscp' is working on my 6509 switches before rolling out QoS.
  Before adding any configuration I could see using wireshark that traffic from my Avaya 9608 handset was coming through with a DSCP value of 46 (as it is supposed to).
  I then added the command 'mls qos' (at global level)
  on examining the wireshark output this time, the DSCP value had been set to zero (i.e. it defaulted it to best effort)
  I then expected by adding the commmand 'mls qos trust dscp' on the interface the phone is connected to that the DSCP value would would again be left alone?
  does anybody know why this is happening?
  Many thanks in advance.
  Andy

  Hi,
  thanks for your reply.
  mls qos
  interface GigabitEthernet3/34
  description *** DATA VLAN 35 - VOICE VLAN 34 ***
  switchport
  switchport trunk native vlan 36
  switchport trunk allowed vlan 34,36
  switchport mode trunk
  mls qos trust dscp
  no cdp enable
  spanning-tree portfast trunk
  If i don't include the global 'mls qos' command then the voice packets keep the dscp 46 value.  If I add the mls qos command this causes the switch to set the dscp values to zero.
  Thanks again 
  ps.  there are some other mls commands on the switch... i don't know if these could interfere but they were already on there so i'm reluctant to remove them..

• Mls qos trust

  Hello, if the command 'mls qos trust xxxxx' is not issued, and qos is turned on for the interface, does this mean the switch will erase all cos and dscp markings received, therefore preventing me from testing packets/frames against these cos/dscp values ?
  So if I want to set up class maps, policy maps, and then service policies, it is essential that I:
  1. turn on mls qos ?
  2. enter a trust statement in order to preserve the cos or dscp values that I want to test against ?
  3. now I can test against against cos or dscp values ?
  Thanks for clarification.

  That is correct, when you would use for instance mls qos trust cos. You would need to define you cos<>dscp mappings on the switch and the switch will apply qos accordingly.
  So really if you have an ingress switch port and you trust cos or dscp, you can still have egress policies on a port (on the same switch), using these cos or dscp values.
  the mls qos trus command is just a way to make it easier to rely on existing cos/dscp values that a phone sends (based on your CUCM configuration,), without the need for you having to configure it explicitly on each access port.
  =============================
  Please remember to rate useful posts, by clicking on the stars below. 
  =============================

• Mls qos trust{cos/ip-precedence/dscp} command

  Hi every body!
  I have few questions
  1)
  The command " mls qos trust dscp" is only valid on mulilayer switch or it is also valid for layer 2 switch? If layer 2 switch is configured with that command, can it modify the dcsp value based on policy?
  2)is the following correct:
  switch(config-if) mls qos trust dscp
  switch will set the cos value to set default. If the default set is zero, then frame will be processed by best-effort delivery.
  But the egress-queue will be decided by dscp value in the packet. A dscp to cos map will be used to drive the cos value and then frame will be placed in the queue that corresponds to cos value.( off course if egress port is configured for trunk)
  thanks a lot and I wish America and all of you a happy new year!
  thanks a lot!

  Sarah
  1) L2 switches can trust the dscp marking as well. The 2960 is a layer 2 only switch and the default is untrusted but if you then enter
  "mls qos trusted" you have a choice of 'cos|dscp|ip-precedence'. The default if no choice is entered is DSCP.
  2) If "mls qos trust dscp" is entered then the switch will use the DSCP marking found in the packet. This will then be used as the internal DSCP marking that all switches use. Unless you have a DSCP-DSCP mutation map the value used will be the value received in the packet.
  Jon

• Mls qos trust cos vs mls qos cos in cat6k

  Hello
  I am trying to configure basic qos topology with two 6k connected to each other by the trunk port.
  According to the documentation, if I set the mls qos cos value at the interface level I should modify the default cos on it, and all packets leaving incoming to this port, should be marked with the new cos value.
  http://www.cisco.com/c/en/us/support/docs/switches/catalyst-6000-series-switches/24055-173.html
  Unfortunately, when I set such config, all incoming packets transmitted through this interface was tagged with cos = 0 until I set the "mls qos trust cos" on the same interface.
  Does anybody can explain to me this strange behavior?
  I would like to mention that both 6k was connected to each other with ws-x6548-GE-TX modules.
  Thank you in advance.
  Ragards
  Lukas

  Sarah
  1) L2 switches can trust the dscp marking as well. The 2960 is a layer 2 only switch and the default is untrusted but if you then enter
  "mls qos trusted" you have a choice of 'cos|dscp|ip-precedence'. The default if no choice is entered is DSCP.
  2) If "mls qos trust dscp" is entered then the switch will use the DSCP marking found in the packet. This will then be used as the internal DSCP marking that all switches use. Unless you have a DSCP-DSCP mutation map the value used will be the value received in the packet.
  Jon

• "mls qos trust dscp" vs. "mls qos trust cos"

  Are these statements correct ?
  1. If using QoS profile without setting "wired qos protocol", always use "mls qos trust dscp" on the WLC trunk port
  - downstream wmm traffic will be policed down to "?" (this one I'm not sure, is it "not policed" or "policed down to cos 6 for platinum, etc")
  2. If using QoS profile with setting "wired qos protocol",
  - use "mls qos trust cos" on the WLC trunk port if you want outgoing LWAPP traffic COS/DSCP to reflect QoS profile setting and if you want to rewrite DSCP in the outgoing upstream traffic to QoS profile setting
  - use "mls qos trust dscp" on the WLC trunk port if you want LWAPP traffic COS/DSCP to reflect original DSCP setting and if you want to leave DSCP alone in the outgoing upstream traffic
  3. With either "mls qos trust cos" or "mls qos trust dscp" on WLC trunk port, downstream wmm traffic will be policed down to "wired qos protocol" setting (What if "wired qos protocol" is not set, will it be policed down to, for example, cos 6 for Platinum?)
  4. Always use "mls qos trust dscp" on non-HREAP AP ports
  Use "mls qos trust dscp" on HREAP AP ports, if you want to preserve upstream DSCP for locally switched WLANs
  Use "mls qos trust cos" on HREAP AP ports, if you want to QoS profile 802.1p to override upstream DSCP for locally switched WLANs
  5. Use either "mls qos trust dscp" or "mls qos trust cos" on switch-to-switch trunks

  Are these statements correct ?
  1. If using QoS profile without setting "wired qos protocol", always use "mls qos trust dscp" on the WLC trunk port
    - downstream wmm traffic will be policed down to "?" (this one I'm not sure, is it "not policed" or "policed down to cos 6 for platinum, etc")
  Ans: Not sure about always. you can use both 'mls qos trust dscp' and 'mls qos trust cos'. Since it is a trunk port the packets will have a cos value (802.1p tag) and hence you can trust cos. Downstream and upstream traffic both are capped to the WLAN max QoS value. for example if Wlan is set to silver, and if a packet comes in at platinum QoS, the AP will cap it to silver in upstream direction. Same holds true for a cos 5 / dscp 46 packet coming in from the wired side.
  2. If using QoS profile with setting "wired qos protocol",
    - use "mls qos trust cos" on the WLC trunk port if you want outgoing LWAPP traffic COS/DSCP to reflect QoS profile setting and if you want to rewrite DSCP in the outgoing upstream traffic to QoS profile setting
    - use "mls qos trust dscp" on the WLC trunk port if you want LWAPP traffic COS/DSCP to reflect original DSCP setting and if you want to leave DSCP alone in the outgoing upstream traffic
  Ans:
  3. With either "mls qos trust cos" or "mls qos trust dscp" on WLC trunk port, downstream wmm traffic will be policed down to "wired qos protocol" setting (What if "wired qos protocol" is not set, will it be policed down to, for example, cos 6 for Platinum?)
  Ans: Traffic in both direction wil always get capped to WLAN max QoS. Untagged (802.1p = 0) traffic will be treated as best effort.
  4. Always use "mls qos trust dscp" on non-HREAP AP ports
     Use "mls qos trust dscp" on HREAP AP ports, if you want to preserve upstream DSCP for locally switched WLANs
     Use "mls qos trust cos" on HREAP AP ports, if you want to QoS profile 802.1p to override upstream DSCP for locally switched WLANs
  Ans:
  5. Use either "mls qos trust dscp" or "mls qos trust cos" on switch-to-switch trunks
  Ans: I think on purely layer 2 switches you can trust dscp, but am not 100% sure.

• QoS trust dscp or cos on catalyst 4500

  We have a 4510R with Cisco IOS Software, IOS-XE Software, Catalyst 4500 L3 Switch Software cat4500e-UNIVERSALK9-M), Version 03.05.02.E RELEASE SOFTWARE (fc1).
  I want use qos trust dscp or qos trust cos on the interface conected to other cisco switch or wlan controller.
  The current IOS version, do not support qos trust dscp:
  SW(config)#interface gi10/16
  SW(config-if)#qos tr
  SW(config-if)#qos trust ?
    device  trusted device class
    extend  Extend trust through a connected device
  SW(config-if)#qos trust device ?
    cisco-phone   Cisco IP Phone
    cts           Cisco-telepresence
    ip-camera     Cisco video surveillance camera
    media-player  Cisco Digital Media Player
  SW(config-if)#qos trust device
  What is the software that I need for this?. I tried with command lookup tool but the cat4500 do not appears.

  That is even new for me.
  I did a search and found that, now a days you no longer have to provide the Trust DSCP command, it is by default trusted.
  Went through this White Paper and excerpts are below:
  http://www.cisco.com/c/en/us/products/collateral/switches/catalyst-4500-series-switches/white_paper_c11-539588.html
  The answer to your question comes from the following excerpt :-
  "Previously supervisor engines relied on “port trust” to classify traffic; however, this does not fall into the MQC CLI construct. MQC provides a more flexible capability, i.e. all traffic is trusted by default, an administrator can change this trust state using a policy map. Another difference is the “internal DSCP” value used within the switch to place packets in the proper queue.
  Cisco Catalyst 4500E Supervisor Engines do not use “internal DSCP”; rather, it relies on explicit matching of QoS values using class maps so that packets can be placed in the correct queue.
  Also, note that there is no specific priority queue: it is not queue 3 or queue 1. The priority queue is simply configured within a class; therefore, it is not tied to a specific queue. One final difference is that of classification. Cisco Catalyst 4500E Supervisor Engines provide sequential classification rather than parallel. This allows the network administrator to classify traffic at egress based on the ingress markings. These markings can be done unconditionally, using a policer or using a table map. Based on these changes, QoS CLI will now be more contiguous on the Supervisor Engines as it will now have standard Cisco MQC CLI, making configuration management much simpler"
  HTH,
  Please rate all helpful posts.
  Regards

• 'qos trust extend' command on 4500E causes Alcatel phones to reboot

  Hi, We have autoqos configured on our 3560G access layer switches, when entering the 'qos trust extend' command on the 4500 interfaces which connect to the access layer switches this caused out Alcatel Phones to reboot.
  I thought that this command just trusts the DSCP/CoS markings but obviously there is something else going on.
  Any advice would be appreciated.
  Thanks,
  Paul

  Hello.
  I doubt if "auto qos voip trust" would suit you on inter-switch links, as per documentation the command applies policy-map that gives only 320K for voice and signalling traffic (+ remarking exceeded traffic to BE).
  If you want to protect your video traffic in the future, you will have to design new QoS policy and apply it per link.
  Regarding "trust dscp" toward WLC/AP - if you configure this, all your laptops will be able to inject marked traffic into your network, abusing your QoS policy; that is why the best practice for VoIP phones is to be placed into dedicated voice VLAN + trust cos (not dscp).
  PS: I would suggest you to try the command[s] on one switch and see what configuration will be applied per port (+global).

• Mls qos trust "cos or dscp" ?

  I have an uplink from an access switch configured as a trunk 802.1q that needs to trust Qos towards the distribution switch, does this have to trust cos or dscp ? the issue is that the access switch has a local voice vlan and the trunk uses another vlan to connect to the distribution.

  You don't trust "to" a device, only from.
  The advice I've gotten from switching guys is "If you're not sure - just trust DSCP".
  If you try to trust cos on an access port where there is no VLAN header, there is no cos, and you can have problems.
  If you have a trunk to another switch, you can trust cos and you shouldn't have any problems.
  hth,
  nick

• Question about "Auto Qos Voip Trust" on 3560X

  Hi,
  I applied command "auto qos voip trust" to the uplink interface.
  But I found that the interface shown command "auto qos trust" was applied when i show running-config.
  Could the command "auto qos voip trust" show in the configuration after i applied?
  If not, how can i check the interface that applied "auto qos voip trust"? Thanks!
  James Lai

  No.
  After i aplied "auto qos voip trust" to the interface Gi1/1
  When i show running-config, that shown asa below:
  interface GigabitEthernet1/1
  srr-queue bandwidth share 1 30 35 5
  priority-queue out
  mls qos trust cos
  auto qos trust
  I found that the interface configured as auto qos trust but not auto qos voip trust.
  Is the command "auto qos voip trust" no applied to the interface Gi1/1?
  How can i apply auto qos voip trust to the interface? Thanks!