284 Chapter 8: QoS Support on the Catalyst 6500
map options are not supported for QoS. The exception to this limitation is the match
protocol option. With 12.1(13)E and later releases, match protocol can be used to support
network-based application recognition (NBAR) on the Catalyst 6500 with an MSFC 2. At
the time of writing, however, NBAR is implemented only in software. Refer to Chapter 9
for further details regarding NBAR support on the Catalyst 6500. After the traffic flows
have been delineated, you can reference each class map within a policy map. You can assign
only one policy map to each interface. For an example of configuring QoS policies using
the MQC, refer to Example 8-24. Policy maps, like class maps, have certain configuration
limitations. The following class {class-name} keywords are not supported under the QoS
policy map configuration:
class {class-name} destination-address
class {class-name} input-interface
class {class-name} qos-group
class {class-name} source-address
Finally, remember when configuring QoS policies in Cisco IOS that the console does not
immediately notify the administrator when an unsupported command is used. When the
command is applied to the target interface using the service-policy input command, the
administrator is notified of any discrepancies.
ACL-Based Classification and Marking in Hybrid Mode
Classification and marking are extremely important in determining how a frame is
processed within the 6500, as well as for determining what preference it is given when
forwarded on to the network. These actions determine the internal DSCP value chosen for
a frame, which in turn translates to an egress DSCP and CoS value. After the classification
parameters have been established, you must determine what action to apply to all traffic
meeting those specifications. This section focuses on classification and marking in Hybrid
mode, tying together all previously discussed topics. When a frame is received, it is
forwarded out on the D-bus, where it is seen by all ports and the PFC. At the PFC,
hardware-logic processes configured ACLs, which interact with port trust states to
determine the proper classification or marking settings to derive the internal DSCP value.
Configuring classification and marking with QoS ACLs in Hybrid mode involves four
supported rules. These rules are implemented using the following four keywords: trust-cos,
trust-ipprec, trust-dscp, and dscp. Table 8-10 summarizes the corresponding behavior
resulting from configuring one of the four ACE keywords and describes how each interacts
with existing ingress port trust states.
Notes to Table 8-10:
(1) Configuration settings do not apply to WS-X6224/6248 and WS-X6324/6348 series linecards.
(2) The internal DSCP value is derived from the DSCP value specified in the ACL for WS-X6224/6248 and WS-X6324/6348 series linecards.
As you can see in Table 8-10, when an ACE keyword is specified within a QoS ACL, the
keyword overrides the port trust policy applied to the ingress interface or VLAN. The
exception is when using the dscp keyword. Instead of always marking the frame header
using the DSCP priority configured in the QoS ACE, the keyword operates in conjunction
with the port trust state. If the ingress port is configured to trust the arriving CoS, IP
precedence, or DSCP value, dscp instructs the switch to maintain the QoS setting derived from
the ingress port’s classification policy. If the ingress port trust is left at its default setting
(untrusted), however, dscp marks the frame header with the value specified in the ACE.

Other notable behavior includes configuring the trust-cos keyword within an ACE. trust-cos
is not a recommended setting when the inbound port’s trust policy is set to untrusted.
This combination may result in unexpected behavior. Traffic arriving on an interface
configured as untrusted is immediately labeled with the default port CoS setting, thus
overwriting the existing CoS priority. The frame header is then forwarded directly to the
switching engine. As a result, the value maintained by the trust-cos command, within the
ACE, may not be the expected value. Therefore, when using the trust-cos keyword, it is
recommended the port be configured for trust-cos as well.
NOTE Because the WS-X6148 is not subject to the same hardware limitations as the
WS-X6224/6248 and the WS-X6324/6348, all the marking rules provided in Table 8-10 apply.
Table 8-10 Summary of Marking Rules in Hybrid Mode

| ACE Keyword | Port Trust State: untrusted | Port Trust State: trust-cos | Port Trust State: trust-ipprec | Port Trust State: trust-dscp |
|---|---|---|---|---|
| trust-cos | Port CoS value: default value (0) | Port CoS or CoS value of arriving frame | Port CoS or CoS value of arriving frame (1) | Port CoS or CoS value of arriving frame (1) |
| trust-ipprec | IP precedence value of arriving frame | IP precedence value of arriving frame | IP precedence value of arriving frame (1) | IP precedence value of arriving frame (1) |
| trust-dscp | DSCP value of arriving frame | DSCP value of arriving frame | DSCP value of arriving frame (1) | DSCP value of arriving frame (1) |
| dscp | DSCP value specified in ACE | Port CoS or CoS value of arriving frame (2) | IP precedence value of arriving frame (1) | DSCP value of arriving frame (1) |

Not all marking rules listed in Table 8-10 apply to WS-X6224/6248 or WS-X6324/6348
linecards. As mentioned earlier, trust-ipprec and trust-dscp are not supported configurations
at the port level for these modules. Also, due to hardware limitations, the port ASIC
for these linecards cannot preserve the inbound priority without the administrator entering
additional commands. Therefore, if the desired action is to maintain the inbound CoS
setting, a QoS ACL must be configured with the trust-cos keyword. Furthermore, as a
result of the same port ASIC limitation, if the dscp keyword is specified rather than
trust-cos, the arriving frame is marked based on the specified codepoint rather than the trusted
inbound CoS priority.
Example 8-21 demonstrates how to configure a QoS ACL in Hybrid mode. In this example,
a named ACL called VideoConf is created. For this ACL, the intent is to mark all traffic
destined for TCP ports 1720, 1731, and 1503 with DSCP 26 and to maintain the classification
established by the default port value for all other traffic. The TCP ports identified are
control ports used in some video conferencing applications. Therefore, DSCP 26, equivalent
to precedence 3, is applied to the matching traffic. In this instance, port 4/2 is assumed
to be a trunk port.

Example 8-21 Configuring and Applying an IP QoS ACL in Hybrid Mode
hybrid (enable) set qos acl ip VideoConf dscp 26 tcp any any eq 1720
VideoConf editbuffer modified. Use 'commit' command to apply changes.
hybrid (enable) set qos acl ip VideoConf dscp 26 tcp any any eq 1731
VideoConf editbuffer modified. Use 'commit' command to apply changes.
hybrid (enable) set qos acl ip VideoConf dscp 26 tcp any any eq 1503
VideoConf editbuffer modified. Use 'commit' command to apply changes.
hybrid (enable) set qos acl ip VideoConf trust-cos ip any any
Warning: ACL trust-cos should only be used with ports that are also configured
with port trust=trust-cos.
VideoConf editbuffer modified. Use 'commit' command to apply changes.

After the ACL has been created, a message is sent to the console. It reminds the administrator
to commit the changes to the PFC, removing them from the temporary edit buffer.
Looking at the edit buffer, you can confirm the ACL has not yet been committed.

hybrid (enable) show qos acl editbuffer
ACL                              Type Status
-------------------------------- ---- ----------
VideoConf                        IP   Not Committed
hybrid (enable) commit qos acl VideoConf
QoS ACL 'VideoConf' successfully committed.
hybrid (enable) show qos acl editbuffer
ACL                              Type Status
-------------------------------- ---- ----------
VideoConf                        IP   Committed

After the ACL has been committed to hardware, you can verify the ACL configuration with
the following command:

hybrid (enable) show qos acl info config VideoConf
set qos acl ip VideoConf
----------------------------------------------
1. dscp 26 tcp any any eq 1720
2. dscp 26 tcp any any eq 1731
3. dscp 26 tcp any any eq 1503
4. trust-cos ip any any

After verifying the ACL configuration, you can apply the ACL to the desired port or
VLAN interface. This is accomplished by issuing the command set qos acl map
{ACL_name} {{mod/port} | {VLAN}}. In the example, the ACL is mapped to a port.
Recall that to successfully map the ACL to the desired port, the port must be set for
port-based QoS. After the ACL has been successfully mapped to the desired port or interface,
you can confirm the configuration with show qos acl map {runtime | config}
{ACL_name | all | mod/port | VLAN}.

hybrid (enable) set qos acl map VideoConf 4/2
ACL VideoConf is successfully mapped to port 4/2.
hybrid (enable) show qos acl map config VideoConf
QoS ACL mappings on rx side:
ACL name Type Vlans
-------------------------------- ---- ---------------------------------
VideoConf IP
ACL name Type Ports
-------------------------------- ---- ---------------------------------
VideoConf IP 4/2
Finally, because the ACL has been created, committed to hardware, and applied to the
desired port, it is possible to verify that the configured behavior is the desired behavior.
The verification is based on the port’s QoS configuration information. show qos info
yields the following results:
hybrid (enable) show qos info config 4/2
QoS setting in NVRAM:
QoS is enabled
Policy Source of port 4/2: COPS
Tx port type of port 4/2 : 1p2q2t
Rx port type of port 4/2 : 1p1q4t
Interface type: port-based
ACL attached: VideoConf
The qos trust type is set to untrusted.
Default CoS = 2
(text omitted)
As displayed in the output, the port is configured for port-based QoS, and the QoS trust type
is set to untrusted. Also, the show command verifies that an ACL named VideoConf is
attached to the port and that the default port CoS is 2. You may recognize behavior
described in Table 8-10. Although all traffic arriving on port 4/2 is assigned the default CoS
and forwarded directly to the PFC, because of the attached ACL and dscp keyword, all
traffic destined to TCP ports 1720, 1731, and 1503 is marked with DSCP 26. This behavior
is attributed to the ingress port trust being set to untrusted. Furthermore, because the desire
is to maintain the default CoS setting, it is necessary to configure the additional ACE with
the trust-cos keyword. If the ACE is not included, all traffic not matching the first ACE is
matched by the default IP ACL and assigned a DSCP value of zero.
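
The trust-cos caveat and the catch-all ACE requirement described above can be checked against a saved configuration before it is committed. The following Python audit is an added example, not code from the book or from Cisco; it assumes the port trust line has the form set port qos {mod/port} trust {state} and that a port with no such line is untrusted, and the Voice ACL and port 4/3 lines in the sample are constructed.

```python
import re

# Constructed sample input: the page's VideoConf ACL and mapping, plus an
# invented Voice ACL on port 4/3 and an assumed-syntax port trust line.
SAMPLE_CONFIG = """\
set qos acl ip VideoConf dscp 26 tcp any any eq 1720
set qos acl ip VideoConf dscp 26 tcp any any eq 1731
set qos acl ip VideoConf dscp 26 tcp any any eq 1503
set qos acl ip VideoConf trust-cos ip any any
set qos acl ip Voice dscp 46 udp any any
set port qos 4/3 trust trust-cos
set qos acl map VideoConf 4/2
set qos acl map Voice 4/3
"""

ACE_RE = re.compile(
    r"^set qos acl ip (\S+) (trust-cos|trust-ipprec|trust-dscp|dscp)(?: \d+)? (.+)$")
MAP_RE = re.compile(r"^set qos acl map (\S+) (\d+/\d+)$")       # port maps only
TRUST_RE = re.compile(r"^set port qos (\d+/\d+) trust (\S+)$")  # assumed syntax


def audit(config):
    """Return (port, acl, issue) tuples for the two pitfalls the text describes."""
    aces, maps, trust = {}, [], {}
    for line in map(str.strip, config.splitlines()):
        if m := ACE_RE.match(line):
            aces.setdefault(m[1], []).append((m[2], m[3]))
        elif m := MAP_RE.match(line):
            maps.append((m[1], m[2]))
        elif m := TRUST_RE.match(line):
            trust[m[1]] = m[2]

    findings = []
    for acl, port in maps:
        entries = aces.get(acl, [])
        state = trust.get(port, "untrusted")  # ports default to untrusted
        # CLI warning: ACL trust-cos only on ports with port trust=trust-cos.
        if state != "trust-cos" and any(k == "trust-cos" for k, _ in entries):
            findings.append((port, acl, "TRUST_COS_MISMATCH"))
        # Without a catch-all ACE, unmatched traffic hits the default IP ACL
        # and is assigned DSCP 0.
        if not any(match == "ip any any" for _, match in entries):
            findings.append((port, acl, "NO_CATCH_ALL"))
    return findings


if __name__ == "__main__":
    for port, acl, issue in audit(SAMPLE_CONFIG):
        print(f"port {port}: ACL {acl}: {issue}")
```

Run against the sample, the audit reports the same condition the switch warned about when the trust-cos ACE was entered: VideoConf is mapped to port 4/2, which is still untrusted.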
ACL-Based Classification and Marking in Native Mode
The concepts for classification and marking with Native mode are similar to those discussed
for Hybrid mode. In conjunction with the ACLs used to classify interesting traffic, however,
Native mode incorporates the use of the MQC introduced in Chapter 5. As compared to
operation in Hybrid mode, Native mode has its own set of rules for marking traffic. Table 8-11
summarizes these rules.
Note to Table 8-11:
(1) Configuration settings do not apply to WS-X6224/6248 and WS-X6324/6348 series linecards.
Similar to the behavior in Hybrid mode, when the trust keyword is utilized in a policy map
class, and subsequently applied to an interface with the service-policy input statement, the
trust state of the policy map class supersedes the trust state specified at the interface. Also,
as specified in Table 8-11, it is not possible to configure the interface trust state for
WS-X6224/6248 and WS-X6324/6348 linecards. On these linecards, all ports default to the nonconfigurable
untrusted state. This behavior differs slightly from options available in Hybrid mode. Also, trust
cos is not available when using these series of modules in Native mode.
Prior to 12.1(12c)E1, marking was only possible through policing. Therefore, marking
required the administrator to configure a policer, which did not police but just marked
priority traffic and transmitted it. With the release of 12.1(12c)E1, set ip precedence and
set ip dscp were made available as actions within a class, under the policy map configuration.
Therefore, for traffic arriving on an untrusted interface, it became possible to set the
Table 8-11 Summary of Marking Rules in Native Mode

| Policy Map Keyword | Port Trust State: untrusted | Port Trust State: trust cos | Port Trust State: trust precedence | Port Trust State: trust dscp |
|---|---|---|---|---|
| trust cos | Port CoS value: default value (0) | Port CoS or CoS value of arriving frame (1) | Port CoS or CoS value of arriving frame (1) | Port CoS or CoS value of arriving frame (1) |
| trust precedence | IP precedence value of arriving frame | IP precedence value of arriving frame (1) | IP precedence value of arriving frame (1) | IP precedence value of arriving frame (1) |
| trust dscp | DSCP value of arriving frame | DSCP value of arriving frame (1) | DSCP value of arriving frame (1) | DSCP value of arriving frame (1) |
| set ip precedence | Precedence value derived from value in policy map | Port CoS or CoS value of arriving frame (1) | IP precedence value of arriving frame (1) | DSCP value of arriving frame (1) |
| set ip dscp | DSCP value derived from value in policy map | Port CoS or CoS value of arriving frame (1) | IP precedence value of arriving frame (1) | DSCP value of arriving frame (1) |