> Following on, the best way is to 'trust' on all uplinks between devices
> and filter at the edge. So you have a customer who shouldn't be sending
> tagged traffic, set the port to not trusted (should be the default
> state) and any customer using QoS should have "mls qos trust dscp" on
> the demark port.
>
> If you don't have a trusted core, then all it takes is a simple switch
> in the path traffic takes and you'll find yourself scratching your head
> as to why the DSCP tags are disappearing all of a sudden!

indeed, i do see another dscp value in the counters. (besides mine). i tried with dscp mutation and re-mapping, but it didn't work. so..start NOT trusting the edge/customers ports.

>
> Paul
>
> -----Original Message-----
> From: Scott Morris [mailto:s...@emanon.com]
> Sent: 12 November 2009 14:41
> To: Bogdan
> Cc: nanog@nanog.org
> Subject: Re: qos 3560
>
> Look at "show mls qos map" to see the defaults that may be rewriting
> your information depending on trust (or non-trust) mechanisms you have
> configured.
>
> If you trust CoS, a frame received with cos5 and dscp46 will get
> rewritten to dscp 40 with default maps...
>
> "show mls qos interface (intf)" is also good to see status.
>
> Scott
>
> Bogdan wrote:
>> hello
>>
>> indeed, a fellow nanoger gave me this hint.
>>
>> 1. i had to enable mls qos globally in "network" switches
>> 2. set the mls qos trust dscp on the uplinks (ingress port)
>>
>> thanks
>>
>> ps thanks to andrey.gordon too :)
>>
>> On 11/12/2009 03:21 PM, Brian Feeny wrote:
>>> You should make sure that any links that go between devices have trust
>>> set. In your case if you're doing DSCP,
>>> then make sure each link that goes between devices which must carry
>>> tagged packets have trust dscp set.
>>>
>>> Brian
>>>
>>> On Nov 12, 2009, at 5:11 AM, Bogdan wrote:
>>>
>>>> hello
>>>>
>>>> i am playing with qos on some devices
>>>> - cisco 3560
>>>> - cisco 7609
>>>> and i have some things that i don't seem to understand.
>>>>
>>>> 1. in 3560, i enable mls qos, on the ingress port applied policy map,
>>>> classify the packets with acl, mark, all good. on the egress ports i use
>>>> srr-queue with shape/share, everything is fine, it is working.
>>>>
>>>> http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_20_se/configuration/guide/swqos.html#wp1028614
>>>>
>>>> 2. reset to defaults the 3560
>>>> in 7606 i pick up a vlan, and apply a policy-map and set dscp 40 on
>>>> egress of that vlan
>>>> 3560 is uplinked in 7609
>>>> in 3560 i can see the "marked" packets, and i have matches on the dscp
>>>> set earlier (sh mls qos int xx stat).
>>>> the problem is: when i apply the srr-queue in 3560 on egress (towards
>>>> the test port), it does not work.
>>>> if i enable mls qos on 3560, i cannot match anymore the dscp 40 from the
>>>> 7609
>>>>
>>>> is it normal? do i have to apply the qos stuff (point1) on all switches
>>>> i want qos on? i mean, i cannot set dscp in one "core" device and use
>>>> that in the whole network ?
>>>>
>>>> thanks
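
The trust behaviour discussed in this thread, as an added example that is not part of the original messages: a simplified Python model of per-hop ingress handling that shows at which hop a DSCP marking is lost. It assumes the default CoS-to-DSCP map is cos * 8 (consistent with the cos5 to dscp 40 rewrite mentioned above) and that an untrusted port on a switch with `mls qos` enabled resets DSCP to 0; the hop names and the `ingress`/`trace` helpers are hypothetical.

```python
# Simplified model of Catalyst 3560 ingress QoS trust handling (added example).
# Assumptions: default CoS-to-DSCP map is cos * 8; an untrusted port on a
# switch with "mls qos" enabled rewrites DSCP to 0; with QoS disabled globally
# the packet passes through unmodified.

DEFAULT_COS_DSCP = [cos * 8 for cos in range(8)]  # 0 8 16 24 32 40 48 56


def ingress(dscp, cos, mls_qos, trust):
    """Return the DSCP value after ingress on one port.

    trust is None (untrusted), "dscp" or "cos".
    """
    if not mls_qos:
        return dscp                      # QoS off: markings untouched
    if trust == "dscp":
        return dscp                      # marking preserved
    if trust == "cos":
        return DEFAULT_COS_DSCP[cos]     # DSCP derived from the CoS value
    return 0                             # untrusted: marking reset


def trace(dscp, cos, hops):
    """Walk a packet through hops; return (final_dscp, log, first_changed_hop)."""
    log, changed_at = [], None
    for name, mls_qos, trust in hops:
        new = ingress(dscp, cos, mls_qos, trust)
        if new != dscp and changed_at is None:
            changed_at = name
        log.append((name, dscp, new))
        dscp = new
    return dscp, log, changed_at


# Constructed topology: (ingress port label, mls qos enabled, trust state)
PATH_BROKEN = [("3560-a uplink", True, "dscp"), ("3560-b uplink", True, None)]
PATH_FIXED = [("3560-a uplink", True, "dscp"), ("3560-b uplink", True, "dscp")]

if __name__ == "__main__":
    for label, path in (("broken", PATH_BROKEN), ("fixed", PATH_FIXED)):
        final, log, where = trace(40, 5, path)
        print(label, "final dscp:", final, "first rewrite at:", where)
        for name, before, after in log:
            print(f"  {name}: {before} -> {after}")
```

On the real switches, `show mls qos interface` and `show mls qos map`, both named in the thread, report the trust state and maps that this model stands in for.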