210 Chapter 7: QoS Features Available on the Catalyst 4000 IOS Family of Switches and the Catalyst
Untrusted Interfaces
The term untrusted port refers to an interface that does not use the DSCP or CoS value of an
ingress frame to determine the internal DSCP value. Unlike the default behavior of the
Catalyst 4000 CatOS switches, where all ports are trusted, the default for every interface
of a Catalyst 4000 IOS switch is to trust neither DSCP nor CoS (that is, untrusted). As a result, the
switch classifies the frame with an internal DSCP value of zero by default, regardless of any
marking the sending host applied; an untrusted port therefore prevents an end station from
raising its own priority by marking its packets. The terms port DSCP configuration and port
CoS configuration also refer to untrusted ports. Unless the switch changes the DSCP value of
the frame by policing or marking, the egress value is also zero.
Use the following commands to configure a switch to override an untrusted interface with
specific DSCP and CoS values:
qos dscp dscp_value
qos cos cos_value
dscp_value and cos_value symbolize the DSCP or CoS value used in determining the
internal DSCP value.
Example 7-7 illustrates a sample configuration of an interface configured for reclassifying
the DSCP value to 40.
Non-IP Frames
IP packets carry bits for IP precedence and DSCP; non-IP frames have no IP header and
therefore no IP precedence or DSCP bits. Because the Catalyst 4000 IOS switch prioritizes
packets only by DSCP or CoS, it classifies non-IP frames exclusively on the ingress CoS
value or the port CoS configuration. Trusting CoS is a valid configuration for non-IP
frames. Port CoS configuration treats a port as untrusted and rewrites the CoS value to a
specified value; by default, the switch reclassifies the CoS value to zero.
Because the internal DSCP value does not require an IP header, the switch then maps the
configured or trusted CoS value to an internal DSCP value using the configurable
CoS-to-DSCP mapping table. The preceding classification sections, "Trusting CoS" and
"Untrusted Interfaces," include examples for displaying, configuring, and verifying
trusted CoS and untrusted configurations.
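The following model, added here as an illustration and not Cisco code, walks through the classification rules of the "Untrusted Interfaces" and "Non-IP Frames" sections: a port's trust state plus the frame's IP/DSCP/CoS attributes produce the internal DSCP. The CoS-to-DSCP table is assumed to be the default CoS x 8 mapping (the real table is configurable), and a non-IP frame arriving on a port that trusts DSCP is assumed to fall back to CoS handling, since it has no DSCP to trust. The Frame and PortQoS types are hypothetical names.

```python
"""Added example (not Cisco code): how a Catalyst 4000 IOS port's trust state
turns an ingress frame into an internal DSCP value."""
from dataclasses import dataclass
from typing import Optional

# Assumed default CoS-to-DSCP table (CoS x 8). The switch's table is
# configurable, so a different mapping can be passed to internal_dscp().
DEFAULT_COS_TO_DSCP = {cos: cos * 8 for cos in range(8)}


@dataclass(frozen=True)
class PortQoS:
    """Per-interface QoS state. 'untrusted' is the Catalyst 4000 IOS default."""
    trust: str = "untrusted"   # "untrusted", "dscp" (qos trust dscp) or "cos" (qos trust cos)
    default_dscp: int = 0      # 'qos dscp <n>': port DSCP applied on an untrusted port
    default_cos: int = 0       # 'qos cos <n>': port CoS used when no CoS is trusted or present


@dataclass(frozen=True)
class Frame:
    is_ip: bool
    dscp: Optional[int] = None  # absent for non-IP frames
    cos: Optional[int] = None   # 802.1p value; absent on an untagged frame

    def __post_init__(self):
        if self.is_ip and self.dscp is None:
            raise ValueError("IP packets always carry a DSCP value")
        if not self.is_ip and self.dscp is not None:
            raise ValueError("non-IP frames have no DSCP field")


def internal_dscp(frame: Frame, port: PortQoS, cos_to_dscp=DEFAULT_COS_TO_DSCP) -> int:
    """Return the internal DSCP the switch assigns to the frame at ingress."""
    if port.trust == "dscp" and frame.is_ip:
        # Trusting DSCP: the packet's own marking is accepted unchanged, so
        # whatever device is attached to this port chooses its own priority.
        return frame.dscp
    if port.trust in ("dscp", "cos"):
        # 'cos' trusts the 802.1p value; a non-IP frame on a 'dscp' port has no
        # DSCP to trust and is handled by CoS as well (assumption). An untagged
        # frame has no CoS, so the port CoS value is used instead.
        cos = frame.cos if frame.cos is not None else port.default_cos
        return cos_to_dscp[cos]
    # Untrusted port (the default): the frame's own DSCP and CoS are ignored;
    # IP packets get the port DSCP, non-IP frames the port CoS mapped to DSCP.
    if frame.is_ip:
        return port.default_dscp
    return cos_to_dscp[port.default_cos]


if __name__ == "__main__":
    # A host marks its traffic EF (DSCP 46) with CoS 5: on the default
    # untrusted port that marking is discarded, on a trusted port it is kept.
    ef = Frame(is_ip=True, dscp=46, cos=5)
    for port in (PortQoS(), PortQoS(default_dscp=40), PortQoS(trust="dscp"), PortQoS(trust="cos")):
        print(port, "->", internal_dscp(ef, port))
```

Run the block directly to see the four port configurations side by side; the untrusted default and the Example 7-7 override both discard the host's DSCP 46, while qos trust dscp keeps it.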
Example 7-7 Sample configuration of an Interface Configured for Reclassifying DSCP
Switch#show running-config
Building configuration...
(text deleted)
!
interface FastEthernet6/1
switchport access vlan 2
qos dscp 40
no snmp trap link-status
spanning-tree portfast
!
(text deleted)
!
end
Displaying Port Trust Configuration
To verify an interface trust configuration, use the following command:
show qos interface {FastEthernet interface-number | GigabitEthernet interface-number | VLAN vlan_id | Port-channel number}
Example 7-8 displays sample output of the show qos interface interface_name command for an
interface configured to trust DSCP. The output shows both the global and interface QoS
configuration and reports the port trust state as DSCP, CoS, or untrusted; for an untrusted
port it also shows the default DSCP and CoS values used for reclassification. Checking this
state on every access port is the quickest way to confirm that end stations cannot supply
their own markings.
The appliance trust field indicates the 802.1p trust configuration to communicate via Cisco
Discovery Protocol (CDP) to a neighbor appliance. Appliance trust is the IOS term for
extended trust, as discussed in Chapter 2. The “Output Scheduling” section of this chapter
discusses the transmit queues, bandwidth, and shape rate output.
ACL-Based Classification
Because the ultimate goal of classification is to determine the marking and scheduling of
the frame, multiple methods of classification exist. The Catalyst 4000 IOS Family of
switches allows for classification of ingress packets based on standard, extended, and
named IP ACLs in addition to the port trust configuration. In addition, the switches support
classification occurring strictly on IP precedence values or DSCP values without the use of
an ACL. ACL-based classification often inherits properties of the untrusted configuration
because the switch does not use the packet’s DSCP or CoS values for determining packet
classification.
Chapter 5, “Introduction to the Modular QoS Command-Line Interface,” elaborates on how
to create and implement class maps and policy maps and includes examples that show you
how to do so. Consult Chapter 5 before reading the following “Class Map” and “Policy
Map” sections. The following sections discuss class maps and policy maps, with a focus on
options supported by hardware switching.
Example 7-8 Sample Output of the show qos interface Command
Switch#show qos interface GigabitEthernet 1/1
QoS is enabled globally
Port QoS is enabled
Port Trust State: 'DSCP'
Default DSCP: 0 Default CoS: 0
Appliance trust: none
Tx-Queue   Bandwidth   ShapeRate   Priority   QueueSize
           (bps)       (bps)                  (packets)
   1       250000000   disabled    N/A        1920
   2       250000000   disabled    N/A        1920
   3       250000000   disabled    normal     1920
   4       250000000   disabled    N/A        1920
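A practitioner rarely reads this output one port at a time; the check that matters is which ports trust DSCP or CoS and whether those are the ports that should. The script below is an added example, not Cisco code: it parses output in the format of Example 7-8 and flags interfaces whose trust state disagrees with an approved list. It assumes the Port Trust State line reads 'untrusted', 'CoS' or 'DSCP'; the interface outputs it parses are constructed to follow the example and were not captured from a switch.

```python
"""Added example (not Cisco code): parse 'show qos interface' output in the
format of Example 7-8 and audit port trust state against policy."""
import re
from typing import Dict, List, Tuple

# Accept straight or typographic quotes around the trust state.
TRUST_RE = re.compile(r"Port Trust State:\s*['\u2018\u2019](\w+)['\u2018\u2019]")
DEFAULTS_RE = re.compile(r"Default DSCP:\s*(\d+)\s+Default CoS:\s*(\d+)")
APPLIANCE_RE = re.compile(r"Appliance trust:\s*(\S+)")
# Tx-Queue rows: queue, bandwidth (bps), shape rate, priority, queue size (packets)
TXQ_RE = re.compile(r"^\s*([1-4])\s+(\d+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$", re.M)


def parse_show_qos_interface(text: str) -> dict:
    """Extract trust state, untrusted-port defaults and the Tx-Queue table."""
    trust = TRUST_RE.search(text)
    if trust is None:
        raise ValueError("no 'Port Trust State' line found")
    defaults = DEFAULTS_RE.search(text)
    appliance = APPLIANCE_RE.search(text)
    queues = {
        int(q): {"bandwidth_bps": int(bw), "shape_rate": shape,
                 "priority": prio, "queue_size": int(size)}
        for q, bw, shape, prio, size in TXQ_RE.findall(text)
    }
    return {
        "trust": trust.group(1).lower(),
        "default_dscp": int(defaults.group(1)) if defaults else None,
        "default_cos": int(defaults.group(2)) if defaults else None,
        "appliance_trust": appliance.group(1) if appliance else None,
        "tx_queues": queues,
    }


def audit_trust(outputs: Dict[str, str], approved_trusted: set) -> List[Tuple[str, str]]:
    """Flag ports whose trust state disagrees with policy. A port that trusts
    DSCP or CoS lets the attached device pick its own priority, so trust should
    be limited to approved uplinks and QoS appliances."""
    findings = []
    for ifname, text in outputs.items():
        cfg = parse_show_qos_interface(text)
        if cfg["trust"] != "untrusted" and ifname not in approved_trusted:
            findings.append((ifname, f"trusts {cfg['trust']} but is not an approved uplink"))
        elif cfg["trust"] == "untrusted" and ifname in approved_trusted:
            findings.append((ifname, f"approved uplink is untrusted; ingress DSCP is reset to {cfg['default_dscp']}"))
    return findings


def _sample(trust: str, dscp: int = 0, cos: int = 0) -> str:
    # Constructed output modelled on Example 7-8 (not captured from a switch).
    return f"""QoS is enabled globally
Port QoS is enabled
Port Trust State: '{trust}'
Default DSCP: {dscp} Default CoS: {cos}
Appliance trust: none
Tx-Queue   Bandwidth   ShapeRate   Priority   QueueSize
           (bps)       (bps)                  (packets)
   1       250000000   disabled    N/A        1920
   2       250000000   disabled    N/A        1920
   3       250000000   disabled    normal     1920
   4       250000000   disabled    N/A        1920
"""


SAMPLE_OUTPUTS = {
    "GigabitEthernet1/1": _sample("DSCP"),        # uplink trusting DSCP, as in Example 7-8
    "FastEthernet6/1": _sample("untrusted", 40),  # access port overriding to DSCP 40, as in Example 7-7
    "FastEthernet6/2": _sample("CoS"),            # access port someone configured to trust CoS
    "GigabitEthernet1/2": _sample("untrusted"),   # uplink left at the untrusted default
}
APPROVED_TRUSTED = {"GigabitEthernet1/1", "GigabitEthernet1/2"}

if __name__ == "__main__":
    for interface, finding in audit_trust(SAMPLE_OUTPUTS, APPROVED_TRUSTED):
        print(f"{interface}: {finding}")
```

To use it against a real switch, collect show qos interface for each port into the outputs dictionary keyed by interface name and list the uplinks and appliance ports that are meant to trust markings in the approved set; everything else should report untrusted.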
Class Maps
As with mainline Cisco IOS Software, class maps label ACLs for application on policy
maps. A limited subset of available Cisco IOS class map match commands is available for
hardware switching on the Catalyst 4000 IOS Family of switches. The following class map
criteria are available for hardware switching:
Standard, extended, or named IP or MAC ACLs
IP precedence values
DSCP values
All packets
MAC-address-based ACLs are also supported.
To create class map clauses for ACL-based classification, use the following class map
configuration command:
match access-group {acl_index | name acl_name}
acl_index represents the ACL number and acl_name refers to a named ACL. Up to eight
class clauses are configurable per class map. Example 7-9 illustrates a user configuring a
class map for matching packets against either of two ACLs.
To configure IP precedence and DSCP value matching criteria, use the following class map
commands, respectively:
match ip precedence ipp_value1 [ipp_value2 [ipp_valueN]]
match ip dscp dscp_value1 [dscp_value2 [dscp_valueN]]
To match against IP precedence or DSCP, the interface must be configured with qos trust dscp.
Otherwise, the switch classifies the packet with the default or port DSCP configuration value,
and the match statement never sees the marking the packet arrived with. Trusting DSCP also
means the device attached to the port chooses its own marking, so limit it to ports that
connect to switches or appliances you control. The match-any class map configuration
command matches a packet when any one of the class map's match statements matches it;
the match-all class map configuration command requires every match statement to match.
Example 7-10 shows a class map configured to match packets against several DSCP values.
For additional information about creating and applying class maps, see Chapter 5.
Example 7-9 User Configuring a Class Map Matching One of Two Configured ACLs
Switch#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#access-list 110 permit udp any host 10.1.1.2 eq 12000
Switch(config)#access-list 111 permit tcp any host 192.168.100.1 eq 50000
Switch(config)#class-map match-any TEST
Switch(config-cmap)#match access-group 110
Switch(config-cmap)#match access-group 111
Switch(config-cmap)#end
Example 7-10 Class Map Configured to Match Against DSCP Values
Switch#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#class-map match-all MATCH_DSCP_VALUES_4-7
Switch(config-cmap)#match ip dscp 50 51 52 53 54 55
Switch(config-cmap)#end
Policy Maps
Class maps define classification criteria; policy maps combine class maps with the policing
and marking actions applied to the traffic each class matches. Do not confuse policing with
policy maps: a policy map may include a rate-based action (a policer), but it also supports
other QoS actions such as marking.
On the Catalyst 4000 IOS Family of switches, policy maps tie up to eight class map actions
together. A class map action may consist of a traffic-limiting policer. Each interface on the
Catalyst 4000 IOS Family of switches supports a single policy for ingress traffic and a
single policy for egress traffic.
Example 7-11 illustrates a sample policy map configuration that marks packets based on
UDP port. The class action shown, set ip precedence 5, rewrites the IP precedence of every
ingress packet on interface FastEthernet2/1 that matches ACL 101.
Example 7-11 Sample Policy Map and Class Map Configuration
Switch#show running-config
Building configuration...
(text deleted)
!
qos
!
(text deleted)
!
class-map match-all UDP_PORT_50000_59000
description MATCH PACKETS ON UDP PORTS 50000 TO 59000
match access-group 101
!
policy-map TEST
description MARK FRAMES ON UDP PORT 50000 TO 59000 WITH IP PRECEDENCE 5
class UDP_PORT_50000_59000
set ip precedence 5
!
interface FastEthernet2/1
service-policy input TEST
no snmp trap link-status
spanning-tree portfast
(text deleted)
!
(text deleted)
!
access-list 101 permit udp any any range 50000 59000
!
(text deleted)
!
end
To view ingress packet matching against the class map clauses of a policy map, use the
following command:
show policy-map interface [{FastEthernet interface-number | GigabitEthernet interface-number | Port-channel number | VLAN vlan_id}] [input | output]
Example 7-12 shows the sample output of the show policy-map interface command for
the policy map sample configuration in Example 7-11.
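To make the class map and policy map behaviour of the preceding sections concrete, the following model is added here as an example (hypothetical code, not Cisco's). It rebuilds the class maps of Examples 7-9 and 7-10 and the policy map of Example 7-11, evaluates match-any and match-all as the text defines them, enforces the eight-clause and eight-class limits, and counts matches per class the way the show policy-map interface output in Example 7-12 reports them. It assumes that classes are evaluated in order with the first match winning, that unmatched packets fall into class-default, and that set ip precedence 5 yields an internal DSCP of 40 (precedence in the top three DSCP bits). The Packet and AclEntry types and the sample traffic are constructed for the example.

```python
"""Added example (not Cisco code): class-map and policy-map evaluation."""
from dataclasses import dataclass, replace
from typing import Callable, Dict, List, Optional, Tuple

MAX_CLAUSES = 8  # per class map and per policy map, per the text


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    dst: str
    dport: int
    dscp: int = 0       # 6-bit DSCP; IP precedence is its top 3 bits


@dataclass(frozen=True)
class AclEntry:
    """One 'access-list N permit <proto> any host <dst> eq|range ...' line."""
    proto: str
    dst: Optional[str]  # None stands for 'any'
    dport_lo: int       # 'eq 12000' -> (12000, 12000); 'range 50000 59000'
    dport_hi: int

    def matches(self, p: Packet) -> bool:
        return (p.proto == self.proto
                and (self.dst is None or p.dst == self.dst)
                and self.dport_lo <= p.dport <= self.dport_hi)


def match_access_group(acl: List[AclEntry]) -> Callable[[Packet], bool]:
    """'match access-group N': true if any permit entry of the ACL matches."""
    return lambda p: any(e.matches(p) for e in acl)


def match_ip_dscp(*values: int) -> Callable[[Packet], bool]:
    """'match ip dscp v1 v2 ...'. Only meaningful behind 'qos trust dscp';
    on an untrusted port every packet carries the port DSCP instead."""
    return lambda p: p.dscp in values


class ClassMap:
    def __init__(self, name: str, mode: str, *criteria: Callable[[Packet], bool]):
        if mode not in ("match-any", "match-all"):
            raise ValueError(f"unknown class map mode {mode!r}")
        if len(criteria) > MAX_CLAUSES:
            raise ValueError("at most eight match clauses per class map")
        self.name, self.mode, self.criteria = name, mode, criteria

    def matches(self, p: Packet) -> bool:
        if self.mode == "match-any":
            return any(c(p) for c in self.criteria)
        return all(c(p) for c in self.criteria)


class PolicyMap:
    """Ordered (class map, action) pairs; action is {'set_ip_precedence': n}."""
    def __init__(self, name: str, classes: List[Tuple[ClassMap, Dict[str, int]]]):
        if len(classes) > MAX_CLAUSES:
            raise ValueError("at most eight classes per policy map")
        self.name, self.classes = name, classes

    def apply(self, packets: List[Packet]) -> Tuple[List[Packet], Dict[str, int]]:
        """Return the marked packets and per-class match counters."""
        counters = {cm.name: 0 for cm, _ in self.classes}
        counters["class-default"] = 0
        out = []
        for p in packets:
            for cm, action in self.classes:
                if cm.matches(p):
                    counters[cm.name] += 1
                    if "set_ip_precedence" in action:
                        # Precedence is the high 3 bits of DSCP, so precedence 5
                        # becomes DSCP 40 (assumed internal mapping).
                        p = replace(p, dscp=action["set_ip_precedence"] << 3)
                    break
            else:
                counters["class-default"] += 1
            out.append(p)
        return out, counters


# Example 7-11 rebuilt: ACL 101 = 'permit udp any any range 50000 59000'.
ACL_101 = [AclEntry("udp", None, 50000, 59000)]
UDP_CLASS = ClassMap("UDP_PORT_50000_59000", "match-all", match_access_group(ACL_101))
TEST_POLICY = PolicyMap("TEST", [(UDP_CLASS, {"set_ip_precedence": 5})])

# Example 7-9 rebuilt: match-any over ACL 110 and ACL 111.
ACL_110 = [AclEntry("udp", "10.1.1.2", 12000, 12000)]
ACL_111 = [AclEntry("tcp", "192.168.100.1", 50000, 50000)]
TEST_CLASS = ClassMap("TEST", "match-any",
                      match_access_group(ACL_110), match_access_group(ACL_111))

# Constructed traffic sample (not from the book).
SAMPLE_PACKETS = [
    Packet("udp", "10.0.0.5", "10.1.1.9", 55000),           # inside ACL 101 range -> marked
    Packet("tcp", "10.0.0.5", "10.1.1.9", 55000),           # wrong protocol -> class-default
    Packet("udp", "10.0.0.5", "10.1.1.9", 49999),           # just below range -> class-default
    Packet("udp", "10.0.0.5", "10.1.1.2", 12000, dscp=46),  # matches ACL 110, not ACL 101
]


def run_example() -> Tuple[List[int], Dict[str, int]]:
    """Apply policy TEST to the sample and return resulting DSCPs and counters."""
    marked, counters = TEST_POLICY.apply(SAMPLE_PACKETS)
    return [p.dscp for p in marked], counters
```

The counters returned by run_example() correspond to the per-class packet counts that show policy-map interface prints; the fourth packet shows why the trust caveat matters, since its host-applied DSCP 46 passes through class-default untouched only if the port trusts DSCP.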
Policing
The Catalyst 4000 IOS Family of switches supports individual and aggregate policing in
both ingress and egress configurations. In brief, aggregate policing limits a shared rate and
burst parameter among all associated ports or VLANs. With individual policing, each port
or VLAN uses its own exclusive rate and burst parameters. This section discusses the
following policing topics:
Policing Resources
Port-based and VLAN-based Policing
Individual and Aggregate Policing
Policing Actions
Traffic-Rate Policing
Leaky Token Bucket Algorithm
Burst Size Parameter
Guaranteed Rate of Policer
Policing Accuracy
DSCP Policed Action
Marking Action
Trusting Action
Example 7-12 Viewing Class Map Matches of a Policy Map
Switch#show policy-map interface FastEthernet6/1
FastEthernet6/1
service-policy input: TEST
class-map: UDP_PORT_50000_59000 (match-all)
9628 packets
match: access-group 101
set:
ip precedence 5
class-map: class-default (match-any)
3948 packets
match: any
3948 packets