Classification and Marking 155
Figure 6-6 Trust DSCP Example
To configure a switch interface to trust DSCP, use the following interface command:
mls qos trust dscp
Example 6-8 illustrates an interface configured for trusting DSCP on ingress packets.
Trust IP Precedence
The trust IP precedence configuration mirrors trusting CoS. Trusting IP precedence is a
feature only available on the Catalyst 3550 Family of switches. Trusting IP precedence uses
the IP precedence mapping table to map an ingress packet’s IP precedence value to an
internal DSCP value. Because some applications only mark IP precedence, trusting IP
precedence rather than DSCP allows for ease of understanding and configuration. Table 6-3,
in the “Internal DSCP and Mapping Tables” section, shows the default mapping table for
mapping IP precedence to internal DSCP. Example 6-3, in the same section, illustrates a
user modifying the IP precedence to internal DSCP mapping table.
To configure a switch interface to trust IP precedence, use the following interface
command:
mls qos trust ip-precedence
Example 6-8 Sample Interface Configuration of Classifying Frames Based on DSCP Values
Switch# show running-config
Building configuration...
!
(text deleted)
interface FastEthernet0/1
switchport access vlan 53
switchport voice vlan 700
no ip address
mls qos trust dscp
spanning-tree portfast
(text deleted)
end
[Figure 6-6 diagram: Switch-1 and Switch-2, both Catalyst 3550 (EMI) switches, with the interface between them and the interface toward the Cisco IP Phone each configured for Trust DSCP.]
156 Chapter 6: QoS Features Available on the Catalyst 2950 and 3550 Family of Switches
Example 6-9 shows a sample configuration of a switch interface configured for trusting IP
precedence.
Voice VLANs and Extended Trust
Both the Catalyst 2950 Family and 3550 Family of switches support voice VLANs and
extended trust options. The “Voice VLANs and Extended Trust” section of Chapter 2,
“End-to-End QoS: Quality of Service at Layer 3 and Layer 2,” discusses the concept and
configurations of voice VLANs and extended trust.
Trust Cisco IP Phone Device
The trust CoS configuration trusts the CoS value of all tagged ingress frames. The trust
DSCP configuration trusts the DSCP value of all ingress frames. With an attached Cisco IP
Phone, the desired configuration is to trust either CoS or DSCP, depending on the desired
behavior.
In most configurations, workstations attach directly to Cisco IP Phones, which, in turn, are
attached to switches as shown in Figure 6-7.
Figure 6-7 Cisco IP Phone Physical Network Diagram
[Figure 6-7 diagram: Catalyst Switch, IP Phone, and Workstation connected in a chain.]
Because the trust CoS or trust DSCP configuration does not validate the ingress frames, it
is possible to send frames with specific DSCP values for malicious use on interfaces
configured for trusting CoS or DSCP. As a result, the Catalyst 2950 Family and 3550
Family of switches support trusting CoS only when the switch connects to a Cisco IP
Phone. In addition, the Catalyst 3550 Family of switches also supports trusting DSCP only
when the switch connects to a Cisco IP Phone. These switches achieve this level of security
by using CDP. Because all Cisco IP Phones send CDP periodically and on linkup by
default, the switch learns of connected Cisco IP Phones dynamically. When using this
configuration option with trusting enabled, these switches only trust ingress frames when a
Cisco IP Phone is attached. If the switch does not detect CDP packets from a Cisco IP
Phone using this configuration, the switches use the port CoS configuration for determining
CoS values associated with ingress frames. Because CDP is a proprietary protocol, only
Cisco IP Phones support CDP.
Example 6-9 Sample Interface Configuration of Classifying Frames Based on IP Precedence Values
Switch# show running-config
Building configuration…
!
(text deleted)
interface FastEthernet0/1
switchport access vlan 53
switchport voice vlan 700
no ip address
mls qos trust ip-precedence
spanning-tree portfast
(text deleted)
end
To configure a switch interface to trust CoS only when a Cisco IP Phone is attached, use the
following interface commands:
mls qos trust cos
mls qos trust device cisco-phone
To configure a switch interface to trust DSCP only when a Cisco IP Phone is attached, use
the following interface commands:
mls qos trust dscp
mls qos trust device cisco-phone
Example 6-10 illustrates a sample configuration of an interface on a Catalyst 3550
configured for trusting DSCP when a Cisco IP Phone is connected to interface FastEthernet 0/1.
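The practical check a reviewer of these switch configurations wants is whether any access port trusts CoS or DSCP unconditionally rather than only behind a CDP-detected Cisco IP Phone. The following audit script is an added example, not code from the book or from Cisco; it parses interface blocks out of a running-config (modelled on Examples 6-8 and 6-10, with FastEthernet0/2, FastEthernet0/3 and GigabitEthernet0/1 constructed for illustration) and flags the ports that trust markings from any attached host.

```python
"""Audit interface trust settings in a Catalyst 2950/3550 running-config.

Added example, not from the book: flags access ports that trust CoS or DSCP
unconditionally, i.e. without 'mls qos trust device cisco-phone'.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample config, modelled on the chapter's Examples 6-8 and 6-10.
# FastEthernet0/2, FastEthernet0/3 and GigabitEthernet0/1 are hypothetical.
SAMPLE_CONFIG = """\
!
mls qos
!
interface FastEthernet0/1
switchport access vlan 53
switchport voice vlan 700
no ip address
mls qos trust device cisco-phone
mls qos trust dscp
spanning-tree portfast
!
interface FastEthernet0/2
switchport access vlan 53
switchport voice vlan 700
no ip address
mls qos trust cos
spanning-tree portfast
!
interface FastEthernet0/3
switchport access vlan 10
no ip address
spanning-tree portfast
!
interface GigabitEthernet0/1
switchport mode trunk
mls qos trust dscp
!
end
"""

TRUST_RE = re.compile(r"mls qos trust (cos|dscp|ip-precedence)(?: pass-through (cos|dscp))?")


@dataclass
class Interface:
    name: str
    trust: Optional[str] = None        # cos | dscp | ip-precedence | None (untrusted)
    passthrough: Optional[str] = None  # field left unmodified by the pass-through option
    conditional: bool = False          # 'mls qos trust device cisco-phone' present
    trunk: bool = False
    commands: List[str] = field(default_factory=list)


def parse_interfaces(config: str) -> List[Interface]:
    """Split a running-config into interface blocks.

    A block starts at an 'interface' line and ends at '!', 'end' or the next
    'interface' line, so the parser does not depend on indentation (the book's
    printed examples show sub-commands without leading spaces).
    """
    interfaces: List[Interface] = []
    current: Optional[Interface] = None
    for raw in config.splitlines():
        cmd = raw.strip()
        if not cmd:
            continue
        if cmd.startswith("interface "):
            current = Interface(name=cmd.split(None, 1)[1])
            interfaces.append(current)
            continue
        if cmd in ("!", "end") or current is None:
            current = None  # left the interface block (or never entered one)
            continue
        current.commands.append(cmd)
        m = TRUST_RE.fullmatch(cmd)
        if m:
            current.trust, current.passthrough = m.group(1), m.group(2)
        elif cmd == "mls qos trust device cisco-phone":
            current.conditional = True
        elif cmd == "switchport mode trunk":
            current.trunk = True
    return interfaces


def audit(interfaces: List[Interface]) -> List[Tuple[str, str]]:
    """Return (interface, finding) pairs for access ports that trust ingress
    markings from any attached host instead of only from a CDP-detected phone."""
    findings = []
    for i in interfaces:
        # untrusted: markings are overwritten with the port default;
        # trunk: trust on an uplink is expected, review those separately;
        # conditional: trust applies only while a Cisco IP Phone is detected.
        if i.trust is None or i.trunk or i.conditional:
            continue
        findings.append((i.name, f"unconditional 'mls qos trust {i.trust}' on an access port"))
    return findings


if __name__ == "__main__":
    for name, finding in audit(parse_interfaces(SAMPLE_CONFIG)):
        print(f"{name}: {finding}")
```

On the sample, only FastEthernet0/2 is reported: FastEthernet0/1 pairs its trust with `mls qos trust device cisco-phone`, FastEthernet0/3 is untrusted, and the trunk is skipped as an uplink to be reviewed on its own terms.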
Classifying Traffic by Using ACLs
The Catalyst 2950 Family and 3550 Family of switches support standard and extended IP
ACLs and MAC ACLs for security and QoS purposes. For QoS purposes, these switches
utilize ACLs in class maps for classifying packets. Using ACLs for classification allows for
granularity when classifying packets. By using ACLs for classification, for example, the
switch can classify packets that match only specific IP addresses or Layer 4 ports.
These switches use class maps to organize and group multiple ACLs for application to policy
maps. Policy maps group class maps and class actions such as trusting, marking, and policing.
Example 6-10 Sample Interface Configuration of Classifying Frames Based on DSCP and Whether an IP Phone Is Connected to an Interface
Switch# show running-config
Current configuration : 157 bytes
!
(text deleted)
interface FastEthernet0/1
switchport access vlan 53
switchport voice vlan 700
no ip address
mls qos trust device cisco-phone
mls qos trust dscp
spanning-tree portfast
(text deleted)
end
Chapter 5, “Introduction to the Modular QoS Command-Line Interface,” expands on how
to create and implement class maps and policy maps and includes examples. Consult
Chapter 5 before reading the configuration examples and guidelines in the “Class Maps and
Policy Maps” section later in this chapter.
To apply a policy map to an interface for ingress-supported classification, marking, or rate
policing, use the following command:
service-policy input policy-map-name
policy-map-name refers to the name you configure for the policy map.
To apply a policy map to an interface for egress-supported classification, marking, or rate
policing, use the following command:
service-policy output policy-map-name
policy-map-name refers to the name you configure for the policy map.
Example 6-11 illustrates a policy map, class map, and interface configuration for classifying
traffic based on an ACL.
Example 6-11 Sample Configuration for Classifying Traffic Based on an ACL
Switch#show running-config
Building configuration…
!
mls qos
!
class-map match-all MATCH_ACL_100
match access-group 100
!
!
policy-map Classify_ACL
class MATCH_ACL_100
trust dscp
!
!
(text deleted)
!
interface FastEthernet0/1
switchport access vlan 2
switchport voice vlan 700
no ip address
duplex full
speed 100
service-policy input Classify_ACL
spanning-tree portfast
!
(text deleted)
!
access-list 100 permit ip 10.1.1.0 0.0.0.255 10.2.1.0 0.0.0.255
!
(text deleted)
end
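To see how Example 6-11 classifies a packet, it helps to walk the path by hand: the policy map checks its classes in order, each class tests its ACL with Cisco wildcard-mask semantics, and the first permitting class supplies the action (here `trust dscp`). The following model is an added example, not code from the book or from Cisco. It parses the ACL from Example 6-11 (plus a constructed `deny` entry to show first-match ordering) and only understands the `access-list N permit|deny ip SRC WC DST WC` form with `any` and `host`; the policy map is represented as an ordered list because the real `class-map`/`policy-map` syntax is not parsed here.

```python
"""Resolve which policy-map class an IP packet hits when classification is ACL based.

Added example, not from the book: models Example 6-11, where class map
MATCH_ACL_100 matches access-list 100 and policy map Classify_ACL applies
'trust dscp' to that class.
"""
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample: the ACL from Example 6-11 plus a hypothetical deny entry.
SAMPLE_ACLS = """\
access-list 100 deny   ip host 10.1.1.99 any
access-list 100 permit ip 10.1.1.0 0.0.0.255 10.2.1.0 0.0.0.255
"""

# policy-map Classify_ACL as an ordered list of (class name, ACL number, action).
POLICY_CLASSIFY_ACL = [("MATCH_ACL_100", "100", "trust dscp")]

Entry = Tuple[str, Tuple[str, str], Tuple[str, str]]  # action, (src, wc), (dst, wc)


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit in the mask must match, a 1 bit is don't-care."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return a & care == n & care


def _address(tokens: List[str]) -> Tuple[Tuple[str, str], List[str]]:
    """Consume one source/destination specification; return it and the remaining tokens."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def parse_acls(config: str) -> Dict[str, List[Entry]]:
    """Collect 'access-list N permit|deny ip ...' entries per ACL number, in order."""
    acls: Dict[str, List[Entry]] = {}
    for line in config.splitlines():
        p = line.split()
        if len(p) < 6 or p[0] != "access-list" or p[3] != "ip":
            continue  # only the extended 'ip' form used in Example 6-11 is modelled
        src, rest = _address(p[4:])
        dst, _ = _address(rest)
        acls.setdefault(p[1], []).append((p[2], src, dst))
    return acls


def acl_permits(entries: List[Entry], src: str, dst: str) -> bool:
    """First matching entry wins; every ACL ends with an implicit deny."""
    for action, (sn, sw), (dn, dw) in entries:
        if wildcard_match(src, sn, sw) and wildcard_match(dst, dn, dw):
            return action == "permit"
    return False


def classify(policy, acls: Dict[str, List[Entry]], src: str, dst: str) -> Tuple[str, str]:
    """Walk the policy map's classes in order; the packet takes the action of the
    first class whose ACL permits it. With no match, the interface's own trust
    setting applies (untrusted by default)."""
    for class_name, acl_number, action in policy:
        if acl_permits(acls.get(acl_number, []), src, dst):
            return class_name, action
    return "no-match", "interface trust setting applies"


if __name__ == "__main__":
    acls = parse_acls(SAMPLE_ACLS)
    for src, dst in [("10.1.1.25", "10.2.1.7"), ("10.1.1.99", "10.2.1.7"), ("10.1.2.25", "10.2.1.7")]:
        print(src, "->", dst, classify(POLICY_CLASSIFY_ACL, acls, src, dst))
```

A packet from 10.1.1.25 to 10.2.1.7 lands in MATCH_ACL_100 and is trusted; the host excluded by the constructed `deny` entry and any source outside 10.1.1.0/24 fall through, so their DSCP is handled by the interface's trust state rather than by the policy map.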
Classification Passthrough Option
The classification passthrough option forces the switch to treat CoS and DSCP independently.
The default behavior, and the lone behavior for all software versions prior to Cisco
IOS versions 12.1.11(EA)1, of the switch is to modify the CoS or DSCP value depending
on internal trust DSCP and any mapping tables. This is the behavior described in the
previous sections of this chapter.
To recap earlier chapters, an interface configured for trusting DSCP modifies the CoS value
on the frame on egress based on the internal DSCP and DSCP-to-CoS mapping table.
Conversely, an interface configured for trusting CoS modifies the internal DSCP value on
ingress according to the CoS-to-DSCP mapping table. The internal DSCP values determine
the egress DSCP value.
To force the switch to treat CoS and DSCP independently, use the classification
passthrough option. For trusting CoS configurations, the classification DSCP passthrough
option uses the ingress CoS value of a frame for policing and scheduling without modifying
the DSCP value of the frame on egress. Both the Catalyst 2950 Family and 3550 Family of
switches support the trust CoS passthrough DSCP option.
The Catalyst 3550 Family of switches also supports the opposite behavior, trust DSCP
passthrough CoS. Trust DSCP passthrough CoS enables the interface to classify, mark,
police, and schedule packets without modifying the egress CoS value.
In practice, network administrators occasionally use these features to preserve CoS and
DSCP values of frames when packets cross multivendor and multiplatform networks or ISP
networks.
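The rewrite rules in the preceding paragraphs are easiest to see on a concrete packet. The following model is an added example, not code from the book or from Cisco: it computes the internal DSCP and the egress CoS and DSCP for each trust setting, with and without the pass-through option. The mapping tables are assumed defaults (CoS-to-DSCP as cos times 8, IP-precedence-to-DSCP as precedence times 8, DSCP-to-CoS as dscp divided by 8); the real tables are the ones in Table 6-3 and the "Internal DSCP and Mapping Tables" section, and a switch with modified tables would give different numbers.

```python
"""Model how a trust setting on a Catalyst 3550 interface rewrites CoS and DSCP.

Added example, not from the book. The mapping tables below are the assumed
platform defaults; the chapter's Table 6-3 and the "Internal DSCP and Mapping
Tables" section define the real ones.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

COS_TO_DSCP = {c: c * 8 for c in range(8)}       # assumed default CoS-to-DSCP map
IPPREC_TO_DSCP = {p: p * 8 for p in range(8)}    # assumed default IP-precedence-to-DSCP map
DSCP_TO_COS = {d: d // 8 for d in range(64)}     # assumed default DSCP-to-CoS map


@dataclass(frozen=True)
class Packet:
    cos: int   # 802.1p CoS carried in the tagged frame, 0-7
    dscp: int  # DSCP carried in the IP header, 0-63


def classify(pkt: Packet, trust: str, passthrough: Optional[str] = None) -> Tuple[int, int, int]:
    """Return (internal DSCP, egress CoS, egress DSCP).

    trust:       'cos', 'dscp' or 'ip-precedence'
    passthrough: 'dscp' with trust cos, or 'cos' with trust dscp, to leave that
                 field untouched on egress; None for the default rewrite behaviour.
    """
    if trust == "cos":
        internal = COS_TO_DSCP[pkt.cos]            # CoS-to-DSCP map applied on ingress
    elif trust == "dscp":
        internal = pkt.dscp                         # DSCP taken as-is
    elif trust == "ip-precedence":
        internal = IPPREC_TO_DSCP[pkt.dscp >> 3]    # precedence is the top 3 bits of DSCP
    else:
        raise ValueError(f"unknown trust state {trust!r}")

    # The internal DSCP drives the egress values unless the pass-through option
    # tells the switch to leave the corresponding field alone.
    egress_dscp = pkt.dscp if (trust == "cos" and passthrough == "dscp") else internal
    egress_cos = pkt.cos if (trust == "dscp" and passthrough == "cos") else DSCP_TO_COS[internal]
    return internal, egress_cos, egress_dscp


def dscp_rewritten(pkt: Packet, trust: str, passthrough: Optional[str] = None) -> bool:
    """True when the egress DSCP differs from what arrived: the situation the
    pass-through option exists to avoid at multivendor or ISP boundaries."""
    return classify(pkt, trust, passthrough)[2] != pkt.dscp


if __name__ == "__main__":
    voice = Packet(cos=5, dscp=46)  # constructed: EF-marked voice packet carrying CoS 5
    for trust, pt in [("cos", None), ("cos", "dscp"), ("dscp", None), ("dscp", "cos"), ("ip-precedence", None)]:
        print(f"trust {trust} pass-through {pt}: {classify(voice, trust, pt)}")
```

With the default tables, trusting CoS on a frame carrying CoS 5 and DSCP 46 sets the internal DSCP to 40 and rewrites the egress DSCP to 40; `mls qos trust cos pass-through dscp` keeps the 46. The mirror case, trusting DSCP on a frame whose CoS is 0, derives egress CoS 5 from the internal DSCP 46 unless `pass-through cos` preserves the original 0.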
To configure an interface to trust CoS and passthrough DSCP, use the following interface
command:
mls qos trust cos pass-through dscp
To configure an interface on a Catalyst 3550 Family switch to trust DSCP and
passthrough CoS, use the following interface command:
mls qos trust dscp pass-through cos
Example 6-12 illustrates a sample interface configuration of trusting CoS while passing
through DSCP values.
Example 6-12 Sample Interface Configuration of Trusting CoS and Passthrough DSCP
Switch#show running-config
Building configuration…
!
mls qos
!
(text deleted)
!
interface FastEthernet0/1
switchport access vlan 2
continues