WOW, this is what I call a serious investigation :) Thanks for this
interesting input. This confirms my observations.

In your opinion, what would be the results in such scenario:
1) conditional trust configured on the switch port: mls qos trust device
cisco-phone + mls qos trust dscp
2) IP phone connected to the switchport
3) PC connected to IP phone
4) PC tags all traffic it sends with EF

Documentation says:

*mls qos trust dscp* - Classify an ingress packet by using the packet DSCP
value (most significant 6 bits of 8-bit service-type field). For a non-IP
packet, the packet CoS is used if the packet is tagged. For an untagged
packet, the default port CoS value is used.

I'd say that since the PC sends untagged traffic, its markings would be
ignored. The switchport's "mls qos cos VALUE" setting would be used to override
the non-existing CoS and finally the CoS-to-DSCP map applied to decide the final
DSCP marking for such a packet. Do you agree?

regards
kobel

On Sat, Jan 29, 2011 at 16:41, Friderich Claude <cfrider...@netcore.lu> wrote:

> Hi Miron,
>
> I have made some tests regarding your statements.
>
> I have a 3750 switch version 12.2(44)SE6 -----> Cisco IOS Software, C3750
> Software (C3750-ADVIPSERVICESK9-M), Version 12.2(44)SE6, RELEASE SOFTWARE
> (fc1)
>
> *As Roger said, QoS SRND is outdated.*
>
> I have configured the port 14 as below:
>
> switchport access vlan 30
> switchport mode access
> switchport voice vlan 20
> srr-queue bandwidth share 10 10 60 20
> priority-queue out
> mls qos trust device cisco-phone
> mls qos trust dscp
> auto qos voip cisco-phone
> spanning-tree portfast
> service-policy input AutoQoS-Police-CiscoPhone
>
> I put my PC on this port and as you can see below the port is not trusted
> thanks to the mls qos trust device cisco-phone.
>
> My service-policy and mls qos trust cmd are still there even after
> rebooting the switch.
>
> HQ-3750#show mls qos interface giga 1/0/14
> GigabitEthernet1/0/14
> Attached policy-map for Ingress: AutoQoS-Police-CiscoPhone
> trust state: not trusted
> trust mode: trust dscp
> trust enabled flag: dis
> COS override: dis
> default COS: 0
> DSCP Mutation Map: Default DSCP Mutation Map
> Trust device: cisco-phone
> qos mode: port-based
>
> *In this case*, I just trust DSCP without mls qos trust device cisco-phone.
>
> As you can see, the port is trusted as I put my PC on this interface.
>
>
> interface GigabitEthernet1/0/12
>  description LapTop VMWare
>  switchport access vlan 30
>  switchport mode access
>  mls qos trust dscp
>  spanning-tree portfast
>
> HQ-3750#show mls qos interface giga 1/0/12
> GigabitEthernet1/0/12
> trust state: trust dscp
> trust mode: trust dscp
> trust enabled flag: ena
> COS override: dis
> default COS: 0
> DSCP Mutation Map: Default DSCP Mutation Map
> Trust device: none
> qos mode: port-based
>
> So to resume, service-policy and mls qos trust device cisco-phone can be
> configured together without removing the mls qos trust command as you put the
> service-policy command.
>
> Reboot the switch, same config still there, no modifications.
>
> As we trust dscp, a rogue PC is not going to be trusted if you put the mls
> qos trust device cisco-phone (and this cmd is not removed :)). So I think
> this is what you (we) expect, isn't it?
>
> Best Regards,
>
> Claude.
>
> *Claude Friderich*
> *PreSales Support*
> *NETCORE PSF S.A.*
> 49 rue du Baerendall
> B.P.65 L-8201 Mamer
> Telephone: 31 33 80-407
> Fax: 31 33 80 8-407
> GSM: 621 303 616
> E-mail: cfrider...@netcore.lu
>
>
> *From:* ccie_voice-boun...@onlinestudylist.com [mailto:
> ccie_voice-boun...@onlinestudylist.com] *On Behalf Of *Miron Kobelski
> *Sent:* Thursday, 27 January 2011 19:49
> *To:* Roger Källberg
> *Cc:* ccie_voice@onlinestudylist.com
> *Subject:* Re: [OSL | CCIE_Voice] 3750 QoS: service-policy + mls qos trust
> commands on the same port
>
>
>
> Thanks Roger, I need to check this in my lab. Have you tried to save the
> config and reload the switch to see if this configuration persists?
>
> Any idea since which IOS version this is possible? Is it available in the
> 3750 software used in the actual lab (version is not under NDA?)
>
> regards
> kobel
>
> 2011/1/27 Roger Källberg <roger.kallb...@cygate.se>
>
> Hi Kobel,
>
> I believe that the QoS SRND has it wrong, or at least is outdated, in this
> case.
>
> I used this configuration on PL's 3750 during my study for the lab.
>
>
> class-map match-all MGCP
>  match access-group 101
> class-map match-all AutoQoS-VoIP-RTP-Trust
>  match ip dscp ef
> class-map match-all AutoQoS-VoIP-Control-Trust
>  match ip dscp cs3  af31
> !
> !
> policy-map Police-MGCP
>  class MGCP
>   set dscp cs3
>   police 16000 8000 exceed-action policed-dscp-transmit
> policy-map AutoQoS-Police-CiscoPhone
>  class AutoQoS-VoIP-RTP-Trust
>   set dscp ef
>   police 320000 8000 exceed-action policed-dscp-transmit
>  class AutoQoS-VoIP-Control-Trust
>   set dscp cs3
>   police 32000 8000 exceed-action policed-dscp-transmit
> !
> interface FastEthernet1/0/1
>  switchport trunk encapsulation dot1q
>  switchport trunk native vlan 10
>  switchport mode trunk
>  speed 100
>  duplex full
>  srr-queue bandwidth share 10 10 60 20
>  priority-queue out
>  mls qos trust dscp
>  auto qos voip trust
>  service-policy input Police-MGCP
> !
> interface FastEthernet1/0/2
>  switchport access vlan 10
>  switchport mode access
>  switchport voice vlan 20
>  srr-queue bandwidth share 10 10 60 20
>  priority-queue out
>  mls qos trust device cisco-phone
>  mls qos trust cos
>  auto qos voip cisco-phone
>  spanning-tree portfast
>  service-policy input AutoQoS-Police-CiscoPhone
> !
> access-list 101 permit udp any any eq 2427
> access-list 101 permit udp any eq 2427 any
> access-list 101 permit tcp any any eq 2428
> access-list 101 permit tcp any eq 2428 any
>
>
>
> As you can see it has both "mls qos trust cos" and "service-policy input
> AutoQoS-Police-CiscoPhone" or "mls qos trust dscp" and "service-policy input
> Police-MGCP" attached to the same interface, and this works as expected.
>
>
>
> This can also be seen in vol2 PG for the labs that has this requirement.
>
> Sincerely
>
>
>
> *Roger Källberg*
> CCIE #26199 (Voice)
> Consultant
> Cygate AB
> Eric Perssons väg 21, SE-217 62 MALMÖ
>
>
> ------------------------------
>
> *From:* Miron Kobelski [findko...@gmail.com]
> *Sent:* 26 January 2011 19:07
> *To:* ccie_voice@onlinestudylist.com
> *Subject:* [OSL | CCIE_Voice] 3750 QoS: service-policy + mls qos trust
> commands on the same port
>
> Hello,
>
> I'm working on Vol2 Lab8 QoS section. Task 5.2 requires conditionally
> trusting DSCP markings from the Cisco IP phone, which can be accomplished with:
>
> mls qos trust device cisco-phone
> mls qos trust dscp
>
> But 5.3 requires policing and remarking using service-policy for the same
> switch port.
> In the Enterprise QoS SRND page 106 we have:
>
> At the time of writing, the Catalyst 2970/3560/3750 does not support a
> trust statement (such as mls qos
> trust device cisco-phone) in conjunction with a service-policy input
> statement applied to given port at
> the same time. While this may be configurable, if the switch is reset, one
> or the other statement may be
> removed when the switch reloads. This limitation is to be addressed;
> consult the latest Catalyst
> 2970/3560/3750 QoS documentation for updates on this limitation
>
> PG's solution seems to ignore this fact. What's your opinion on this? I was
> unable to find anything on this in the archive.
>
> BTW, how can I find QoS SRND via cisco.com documentation portal?
>
> regards
> kobel
>
>
>
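The following is an added example, not code from anyone in this thread, that models the two things the thread turns on: how the 3750 derives the "trust state" line of `show mls qos interface` from `mls qos trust ...`, `mls qos trust device cisco-phone` and whether CDP has seen a phone, and what internal DSCP an ingress packet gets under the "mls qos trust dscp" rule quoted in the top message. The class names, the `cisco_phone_detected` flag standing in for the CDP check, the packets, and the PC-behind-phone scenario are all constructed; the model looks only at the frame as it reaches the switch port, so whatever the phone does to the PC's marking on the way is outside it. Two details are assumptions rather than page facts: an untrusted port assigns DSCP 0 (with the default port CoS of 0 the CoS-to-DSCP map gives the same value), and the CoS-to-DSCP map is the 3750 default. The `claude_ports` function reproduces the two show outputs Claude posted from the configs he gave.

```python
"""Model of Catalyst 3750 ingress trust state and classification (constructed example)."""
from dataclasses import dataclass
from typing import Optional

# Assumption: Catalyst 3750 default CoS-to-DSCP map (CoS 0..7 -> DSCP).
COS_TO_DSCP = {0: 0, 1: 8, 2: 16, 3: 24, 4: 32, 5: 40, 6: 48, 7: 56}

EF, CS3 = 46, 24  # DSCP values used by the AutoQoS classes in the thread


@dataclass
class PortQos:
    """Ingress QoS settings of one port plus what CDP currently sees (constructed)."""
    trust_mode: Optional[str] = None      # "dscp", "cos" or None (no mls qos trust)
    trust_device: Optional[str] = None    # "cisco-phone" or None
    default_cos: int = 0                  # "mls qos cos VALUE", default 0
    cisco_phone_detected: bool = False    # hypothetical stand-in for the CDP check

    def trust_state(self) -> str:
        """The 'trust state' line of show mls qos interface."""
        if self.trust_mode is None:
            return "not trusted"
        # Conditional trust: the configured trust mode is only enabled once a
        # Cisco phone is seen via CDP; with a PC plugged in directly it stays off.
        if self.trust_device == "cisco-phone" and not self.cisco_phone_detected:
            return "not trusted"
        return f"trust {self.trust_mode}"

    def show_mls_qos_interface(self) -> dict:
        """Subset of the fields in Claude's show output."""
        enabled = self.trust_state() != "not trusted"
        return {
            "trust state": self.trust_state(),
            "trust mode": f"trust {self.trust_mode}" if self.trust_mode else "not trusted",
            "trust enabled flag": "ena" if enabled else "dis",
            "default COS": self.default_cos,
            "Trust device": self.trust_device or "none",
        }


@dataclass
class Packet:
    """What arrives on the switch port (constructed)."""
    is_ip: bool = True
    dscp: int = 0
    tagged: bool = False   # 802.1Q/802.1p tag present?
    cos: int = 0


def ingress_dscp(port: PortQos, pkt: Packet) -> int:
    """Internal DSCP the switch assigns at ingress (before any service-policy)."""
    state = port.trust_state()
    cos_from_frame = pkt.cos if pkt.tagged else port.default_cos
    if state == "not trusted":
        # Assumption: an untrusted port ignores the packet's markings and
        # assigns the default DSCP 0 (default port CoS 0 maps to 0 as well).
        return 0
    if state == "trust dscp":
        # Documentation rule quoted in the thread: IP packets are classified by
        # their own DSCP; only non-IP packets fall back to the frame CoS
        # (tagged) or the default port CoS (untagged).
        return pkt.dscp if pkt.is_ip else COS_TO_DSCP[cos_from_frame]
    if state == "trust cos":
        return COS_TO_DSCP[cos_from_frame]
    raise ValueError(f"unknown trust state {state!r}")


def kobel_scenario() -> dict:
    """Constructed: PC behind the phone sends untagged IP marked EF."""
    pc_pkt = Packet(is_ip=True, dscp=EF, tagged=False)
    phone_port = PortQos("dscp", "cisco-phone", cisco_phone_detected=True)
    no_phone = PortQos("dscp", "cisco-phone", cisco_phone_detected=False)
    cos_port = PortQos("cos", "cisco-phone", cisco_phone_detected=True)
    return {
        "phone present, trust dscp": ingress_dscp(phone_port, pc_pkt),
        "no phone, trust dscp": ingress_dscp(no_phone, pc_pkt),
        "phone present, trust cos": ingress_dscp(cos_port, pc_pkt),
    }


def claude_ports() -> tuple:
    """Gi1/0/14 (trust device cisco-phone, PC attached) and Gi1/0/12 (plain trust dscp)."""
    gi14 = PortQos("dscp", "cisco-phone")   # PC plugged in: CDP sees no phone
    gi12 = PortQos("dscp", None)
    return gi14.show_mls_qos_interface(), gi12.show_mls_qos_interface()


if __name__ == "__main__":
    for name, dscp in kobel_scenario().items():
        print(f"{name}: internal DSCP {dscp}")
    for fields in claude_ports():
        print(fields)
```

Under the quoted rule the PC's EF survives only in the first case, where a phone has been detected and the trust mode is dscp; with no phone the port stays untrusted and the marking is dropped to 0, and with trust cos the untagged frame gets the default port CoS and maps to DSCP 0. That is the case Claude's Gi1/0/14 output demonstrates: with a PC connected, "trust state: not trusted" and "trust enabled flag: dis" even though "mls qos trust dscp" is configured.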


_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit 
www.ipexpert.com