configuring qos - wordpress.com · 27-1 catalyst 2950 and catalyst 2955 switch software...

Catalyst 2950 and Catalyst 29578-11380-07

C H A P T E R27

oS) towitchackets

stalled

f the

mand

MS.

Configuring QoS

This chapter describes how to configure quality of service (QoS) by using automatic-QoS (auto-Qcommands or by using standard QoS commands. With QoS, you can give preferential treatmentcertain types of traffic at the expense of others. Without QoS, the Catalyst 2950 or Catalyst 2955 soffers best-effort service to each packet, regardless of the packet contents or size. It sends the pwithout any assurance of reliability, delay bounds, or throughput.

To use the features described in this chapter, you must have the enhanced software image (EI) inon your switch.

If you have the standard software image (SI) installed on your switch, you cannot configure some ofeatures.Table 27-1 lists the sections that describe the features that you can configure.

Note For complete syntax and usage information for the commands used in this chapter, refer to the comreference for this release.

QoS can be configured either by using the Cluster Management Suite (CMS) or through thecommand-line interface (CLI). Refer to the CMS online help for configuration procedures through CFor information about accessing and using CMS, seeChapter 4, “Getting Started with CMS.”

Table 27-1 Sections Describing Standard Software Features

Topic Section

Queueing and scheduling atthe egress ports

“Queueing and Scheduling” section on page 27-8

Configuring QoS “Configuring Standard QoS” section on page 27-15

“Default Standard QoS Configuration” section onpage 27-16

“Configuring Classification Using Port Trust States”section on page 27-17

“Configuring the Egress Queues” section on page 27-34

27-15 Switch Software Configuration Guide

Chapter 27 Configuring QoSUnderstanding QoS

DP, theard

theevice

urs, see

orityas an

o itsive

ernety intod IP

r

ss ofOnic in

You can also use these wizards to configure QoS only if your switch is running the EI:

• Priority data wizard—Lets you assign priority levels to data applications based on their TCP or Uports. It has a standard list of applications, and you select the ones that you want to prioritizepriority levels, and the interfaces where the prioritization occurs. Refer to the priority data wizonline help for procedures about using this wizard.

• Video wizard—Gives traffic that originates from specified video servers a higher priority than priority of data traffic. The wizard assumes that the video servers are connected to a single din the cluster. Refer to the video wizard online help for procedures about using this wizard.

This chapter consists of these sections:

• Understanding QoS, page 27-2

• Configuring Auto-QoS, page 27-9

• Displaying Auto-QoS Information, page 27-13

• Auto-QoS Configuration Example, page 27-14

• Configuring Standard QoS, page 27-15

• Displaying Standard QoS Information, page 27-36

• Standard QoS Configuration Examples, page 27-36

Understanding QoSThis section describes how QoS is implemented on the switch. If you have the SI installed on yoswitch, some concepts and features in this section might not apply. For a list of available featureTable 27-1 on page 27-1.

Typically, networks operate on a best-effort delivery basis, which means that all traffic has equal priand an equal chance of being delivered in a timely manner. When congestion occurs, all traffic hequal chance of being dropped.

When you configure the QoS feature, you can select specific network traffic, prioritize it according trelative importance, and use congestion-management and congestion-avoidance techniques to gpreferential treatment. Implementing QoS in your network makes network performance morepredictable and bandwidth utilization more effective.

The QoS implementation is based on the DiffServ architecture, an emerging standard from the IntEngineering Task Force (IETF). This architecture specifies that each packet is classified upon entrthe network. The classification is carried in the IP packet header, using 6 bits from the deprecatetype-of-service (ToS) field to carry the classification (class) information.

Classification can also be carried in the Layer 2 frame. These special bits in the Layer 2 frame oa Layer 3 packet are described here and shown inFigure 27-1:

• Prioritization values in Layer 2 frames

Layer 2 802.1Q frame headers have a 2-byte Tag Control Information field that carries the claservice (CoS) value in the three most-significant bits, which are called the User Priority bits. interfaces configured as Layer 2 802.1Q trunks, all traffic is in 802.1Q frames except for traffthe native VLAN.

Other frame types cannot carry Layer 2 CoS values.

Layer 2 CoS values range from 0 for low priority to 7 for high priority.

27-2Catalyst 2950 and Catalyst 2955 Switch Software Configuration Guide

78-11380-07


rted

rdingrentes ortailedre

esrvavior,

atures

• Prioritization bits in Layer 3 packets

Layer 3 IP packets can carry a Differentiated Services Code Point (DSCP) value. The suppoDSCP values are 0, 8, 10, 16, 18, 24, 26, 32, 34, 40, 46, 48, and 56.

Figure 27-1 QoS Classification Layers in Frames and Packets

All switches and routers that access the Internet rely on the class information to give the same forwatreatment to packets with the same class information and different treatment to packets with diffeclass information. The class information in the packet can be assigned by end hosts or by switchrouters along the way, based on a configured policy, detailed examination of the packet, or both. Deexamination of the packet is expected to happen closer to the edge of the network so that the coswitches and routers are not overloaded.

Switches and routers along the path can use the class information to limit the amount of resourcallocated per traffic class. The behavior of an individual device when handling traffic in the DiffSearchitecture is called per-hop behavior. If all devices along a path have a consistent per-hop behyou can construct an end-to-end QoS solution.

Implementing QoS in your network can be a simple or complex task and depends on the QoS feoffered by your internetworking devices, the traffic types and patterns in your network, and thegranularity of control that you need over incoming and outgoing traffic.

6098

0

Encapsulated Packet

Layer 2header

IP header Data

Layer 2 802.1Q/P Frame

Preamble Start framedelimiter

DA

Len

SA Tag PT Data FCS

Layer 3 IPv4 Packet

Versionlength

ToS(1 byte)

ID Offset TTL Proto FCS IP-SA IP-DA Data

3 bits used for CoS (user priority)

DSCP


78-11380-07


,

ble.

and is

ckettion,

place

RR)

Basic QoS ModelFigure 27-2 shows the basic QoS model. Actions at the ingress interface include classifying trafficpolicing, and marking:

Note If you have the SI installed on your switch, only the queueing and scheduling features are availa

• Classifying distinguishes one kind of traffic from another. For more information, see the“Classification” section on page 27-5.

• Policing determines whether a packet is in or out of profile according to the configured policer,the policer limits the bandwidth consumed by a flow of traffic. The result of this determinationpassed to the marker. For more information, see the“Policing and Marking” section on page 27-7.

• Marking evaluates the policer and configuration information for the action to be taken when a pais out of profile and decides what to do with the packet (pass through a packet without modificamark down the DSCP value in the packet, or drop the packet). For more information, see the“Policing and Marking” section on page 27-7.

Actions at the egress interface include queueing and scheduling:

• Queueing evaluates the CoS value and determines which of the four egress queues in which tothe packet.

• Scheduling services the four egress queues based on their configured weighted round robin (Wweights.

Figure 27-2 Basic QoS Model

6097

9

Classification Policing

Actions at ingress Actions at egress

Mark

In profile orout of profile

Classify the packet based on the ACL.

Determine if the packet is in profile or out of profile based on the policer associated with the filter.

Based on whether the packet is in or out of profile and the configured parameters, determine whether to pass through, mark down, or drop the packet. The DSCP and CoS are marked or changed accordingly.

Queueing andscheduling

Based on the CoS, determine into which of the egress queues to place the packet. Then service the queues according to the configured weights.


78-11380-07


s in

t the

lt port

ameield.

isifies

same

the

up of

d

oS

it

Classification

Note This feature is available only if your switch is running the EI.

Classification is the process of distinguishing one kind of traffic from another by examining the fieldthe packet.

Classification occurs only on a physical interface basis. No support exists for classifying packets aVLAN level.

You specify which fields in the frame or packet that you want to use to classify incoming traffic.

For non-IP traffic, you have these classification options:

• Use the port default. If the frame does not contain a CoS value, the switch assigns the defauCoS value to the incoming frame.

• Trust the CoS value in the incoming frame (configure the port to trust CoS). Layer 2 802.1Q frheaders carry the CoS value in the three most-significant bits of the Tag Control Information fCoS values range from 0 for low priority to 7 for high priority.

The trust DSCP configuration is meaningless for non-IP traffic. If you configure a port with thoption and non-IP traffic is received, the switch assigns the default port CoS value and classtraffic based on the CoS value.

For IP traffic, you have these classification options:

• Trust the IP DSCP in the incoming packet (configure the port to trust DSCP). The switch assigns theDSCP to the packet for internal use.The IETF defines the 6 most-significant bits of the 1-byte ToSfield as the DSCP. The priority represented by a particular DSCP value is configurable. Thesupported DSCP values are 0, 8, 10, 16, 18, 24, 26, 32, 34, 40, 46, 48, and 56.

• Trust the CoS value (if present) in the incoming packet. The switch generates the DSCP by usingCoS-to-DSCP map.

Note An interface can be configured to trust either CoS or DSCP, but not both at the same time.

Classification Based on QoS ACLs

You can use IP standard, IP extended, and Layer 2 MAC access control lists (ACLs) to define a gropackets with the same characteristics (class). In the QoS context, the permit and deny actions in theaccess control entries (ACEs) have different meanings than with security ACLs:

• If a match with a permit action is encountered (first-match principle), the specified QoS-relateaction is taken.

• If no match with a permit action is encountered and all the ACEs have been examined, no Qprocessing occurs on the packet.

• If multiple ACLs are configured on an interface, the packet matches the first ACL with a permaction, and QoS processing begins.


78-11380-07


class

mask.

r the

”

ain

This

m allherthaname.olicy

alueffic

ic by

y the

sing

he

• Configuration of a deny action is not supported in QoS ACLs on the switch.

• System-defined masks are allowed in class maps with these restrictions:

– A combination of system-defined and user-defined masks cannot be used in the multiplemaps that are a part of a policy map.

– System-defined masks that are a part of a policy map must all use the same type of systemFor example, a policy map cannot have a class map that uses thepermit tcp any any ACE andanother that uses thepermit ip any any ACE.

– A policy map can contain multiple class maps that all use the same user-defined mask osame system-defined mask.

Note For more information about system-defined masks, see the“Understanding Access Control Parameterssection on page 26-4.

For more information about ACL restrictions, see the“Configuring ACLs” section on page 26-6.

After a traffic class has been defined with the ACL, you can attach a policy to it. A policy might contmultiple classes with actions specified for each one of them. A policy might include commands toclassify the class as a particular aggregate (for example, assign a DSCP) or rate-limit the class. policy is then attached to a particular port on which it becomes effective.

You implement IP ACLs to classify IP traffic by using theaccess-list global configuration command;you implement Layer 2 MAC ACLs to classify Layer 2 traffic by using themac access-list extendedglobal configuration command.

Classification Based on Class Maps and Policy Maps

A class map is a mechanism that you use to isolate and name a specific traffic flow (or class) froother traffic. The class map defines the criteria used to match against a specific traffic flow to furtclassify it; the criteria can include matching the access group defined by the ACL. If you have moreone type of traffic that you want to classify, you can create another class map and use a different nAfter a packet is matched against the class-map criteria, you further classify it through the use of a pmap.

A policy map specifies which traffic class to act on. Actions can include setting a specific DSCP vin the traffic class or specifying the traffic bandwidth limitations and the action to take when the trais out of profile. Before a policy map can be effective, you must attach it to an interface.

You create a class map by using theclass-map global configuration command or theclass policy-mapconfiguration command. You should use theclass-mapglobal configuration command when the map isshared among many ports. When you enter theclass-map global configuration command, the switchenters the class-map configuration mode. In this mode, you define the match criterion for the traffusing thematch class-map configuration command.

You create and name a policy map by using thepolicy-map global configuration command. When youenter this command, the switch enters the policy-map configuration mode. In this mode, you specifactions to take on a specific traffic class by using theclasspolicy-map configuration orsetpolicy-mapclass configuration command. To make the policy map effective, you attach it to an interface by utheservice-policy interface configuration command.

The policy map can also contain commands that define the policer, the bandwidth limitations of ttraffic, and the action to take if the limits are exceeded. For more information, see the“Policing andMarking” section on page 27-7.


78-11380-07


ceedat

rking

ately

vel.

ced,ured

A policy map also has these characteristics:

• A policy map can contain multiple class statements.

• A separate policy-map class can exist for each type of traffic received through an interface.

• A policy-map configuration state supersedes any actions due to an interface trust state.

For configuration information, see the“Configuring a QoS Policy” section on page 27-23.

Policing and Marking


Policing involves creating a policer that specifies the bandwidth limits for the traffic. Packets that exthe limits areout of profile or nonconforming. Each policer specifies the action to take for packets thare in or out of profile. These actions, carried out by the marker, include dropping the packet or madown the packet with a new user-defined value.

You can create an individual policer. QoS applies the bandwidth limits specified in the policer separto each matched traffic class. You configure this type of policer within a policy map by using thepolicy-map configuration command.

When configuring policing and policers, keep these items in mind:

• By default, no policers are configured.

• Policers can only be configured on a physical port. There is no support for policing at a VLAN le

• Only one policer can be applied to a packet in the input direction.

• Only the average rate and committed burst parameters are configurable.

• Policing occurs on the ingress interfaces:

– 60 policers are supported on ingress Gigabit-capable Ethernet ports.

– 6 policers are supported on ingress 10/100 Ethernet ports.

– Granularity for the average burst rate is 1 Mbps for 10/100 ports and 8 Mbps for GigabitEthernet ports.

• On an interface configured for QoS, all traffic received through the interface is classified, poliand marked according to the policy map attached to the interface. On a trunk interface configfor QoS, traffic inall VLANs received through the interface is classified, policed, and markedaccording to the policy map attached to the interface.

Note You cannot configure policers on the egress interfaces.


78-11380-07


m the

deriveueues.

priate

etworkCoS

in the

ted inre any

the lastt are

ative

thisasses

Mapping Tables


During classification, QoS uses a configurable CoS-to-DSCP map to derive an internal DSCP value froreceived CoS value. This DSCP value represents the priority of the traffic.

Before the traffic reaches the scheduling stage, QoS uses the configurable DSCP-to-CoS map toa CoS value from the internal DSCP value. The CoS value is used to select one of the four egress q

The CoS-to-DSCP and DSCP-to-CoS maps have default values that might or might not be approfor your network.

For configuration information, see the“Configuring CoS Maps” section on page 27-31.

Queueing and Scheduling

Note Both the SI and EI support this feature.

The switch gives QoS-based 802.1P CoS values. QoS uses classification and scheduling to send ntraffic from the switch in a predictable manner. QoS classifies frames by assigning priority-indexedvalues to them and gives preference to higher-priority traffic such as telephone calls.

How Class of Service Works

Before you set up 802.1P CoS on a Catalyst 2950 or Catalyst 2955 switch that operates with theCatalyst 6000 family of switches, refer to the Catalyst 6000 documentation. There are differences802.1P implementation that you should understand to ensure compatibility.

Port Priority

Frames received from users in the administratively-defined VLANs are classified ortaggedfortransmission to other devices. Based on rules that you define, a unique identifier (the tag) is insereach frame header before it is forwarded. The tag is examined and understood by each device befobroadcasts or transmissions to other switches, routers, or end stations. When the frame reachesswitch or router, the tag is removed before the frame is sent to the target end station. VLANs thaassigned on trunk or access ports without identification or a tag are callednative or untagged frames.

For IEEE 802.1Q frames with tag information, the priority value from the header frame is used. For nframes, the default priority of the input port is used.

Port Scheduling

Each port on the switch has a single receive queue buffer (theingressport) for incoming traffic. Whenan untagged frame arrives, it is assigned the value of the port as its port default priority. You assignvalue by using the CLI or CMS. A tagged frame continues to use its assigned CoS value when it pthrough the ingress port.


78-11380-07

Chapter 27 Configuring QoSConfiguring Auto-QoS

ate

e types

erity

theomitselativet of 4,e. By the

ehen thether

ing the

akeslowsffersingle

acket

CoS configures each transmit port (theegressport) with a normal-priority transmit queue and ahigh-priority transmit queue, depending on the frame tag or the port information.Frames in thenormal-priority queue are forwarded only after frames in the high-priority queue are forwarded.

The switch (802.1P user priority) has four priority queues. The frames are forwarded to appropriqueues based on the priority-to-queue mapping that you defined.

Egress CoS Queues

The switch supports four CoS queues for each egress port. For each queue, you can specify thesof scheduling:

• Strict priority scheduling

Strict priority scheduling is based on the priority of queues. Packets in the high-priority queualways transmit first, and packets in the low-priority queue do not transmit until all the high-prioqueues become empty.

The default scheduling method is strict priority.

• Weighted round-robin (WRR) scheduling

WRR scheduling requires you to specify a number that indicates the importance (weight) of queue relative to the other CoS queues. WRR scheduling prevents the low-priority queues frbeing completely neglected during periods of high-priority traffic. The WRR scheduler transmsome packets from each queue in turn. The number of packets it sends corresponds to the rimportance of the queue. For example, if one queue has a weight of 3 and another has a weighthree packets are sent from the first queue for every four that are sent from the second queuusing this scheduling, low-priority queues have the opportunity to send packets even thoughhigh-priority queues are not empty.

• Strict priority and WRR scheduling

Strict priority and WRR scheduling, also referred to as strict priority queueing, uses one of thegress queues as an expedite queue (queue 4). The remaining queues participate in WRR. Wexpedite queue is configured, it is a priority queue and is serviced until it is empty before the oqueues are serviced by WRR scheduling.

You can enable the egress expedite queue and assign WRR weights to the other queues by uswrr-queue bandwidth weight1 weight2 weight30 global configuration commmand.

Configuring Auto-QoS


You can use the auto-QoS feature to simplify the deployment of existing QoS features. Auto-QoS massumptions about the network design, and as a result, the switch can prioritize different traffic fand appropriately use the egress queues instead of using the default QoS behavior (the switch obest-effort service to each packet regardless of the packet contents or size and sends it from a squeue).

When you enable auto-QoS, it automatically classifies traffic based on the traffic type and ingress plabel. The switch uses the resulting classification to choose the appropriate egress queue.


78-11380-07


s thations:

gress

You use auto-QoS commands to identify ports connected to Cisco IP Phones and to identify portreceive trusted voice over IP (VoIP) traffic through an uplink. Auto-QoS then performs these funct

• Detects the presence or absence of IP phones

• Configures QoS classification

• Configures egress queues

These sections describe how to configure auto-QoS on your switch:

• Generated Auto-QoS Configuration, page 27-10

• Effects of Auto-QoS on the Configuration, page 27-12

• Configuration Guidelines, page 27-12

• Enabling Auto-QoS for VoIP, page 27-12

Generated Auto-QoS ConfigurationWhen auto-QoS is enabled, it uses the ingress packet label to classify traffic and to configure the equeues as described inTable 27-2.

Table 27-3 lists the generated auto-QoS configuration for the egress queues.

When you enable the auto-QoS feature on the first interface, these automatic actions occur:

Table 27-2 Traffic Types, Ingress Packet Labels, Assigned Packet Labels, and Egress Queues

VoIP DataTraffic OnlyFrom Cisco IPPhones

VoIP ControlTraffic OnlyFrom Cisco IPPhones

Routing ProtocolTraffic

STP BPDU1

Traffic

1. BPDU = bridge protocol data unit

All OtherTraffic

Ingress DSCP 46 26 – – –

Ingress CoS 5 3 6 7 –

Assigned DSCP 46 26 48 56 0

Assigned CoS 5 3 6 7 0

CoS-to-QueueMap

5 3, 6, 7 0, 1, 2, 4

Egress Queue Expeditequeue

80% WRR 20% WRR

Table 27-3 Auto-QoS Configuration for the Egress Queues

Egress Queue Queue Number CoS-to-Queue Map Queue Weight

Expedite 4 5 –

80% WRR 3 3, 6, 7 80%

20% WRR 1 0, 1, 2, 4 20%


78-11380-07


nn the

nce or on thent, theterface

c type

• When you enter theauto qos voip trust interface configuration command, the ingress classificatioon the interface is set to trust the QoS label received in the packet, and the egress queues ointerface are reconfigured (seeTable 27-3).

• When you enter theauto qos voip cisco-phone interface configuration command, the trustedboundary feature is enabled. It uses the Cisco Discovery Protocol (CDP) to detect the preseabsence of a Cisco IP Phone. When a Cisco IP Phone is detected, the ingress classificationinterface is set to trust the QoS label received in the packet. When a Cisco IP Phone is abseingress classification is set to not trust the QoS label in the packet. The egress queues on the inare reconfigured (seeTable 27-3).

For information about the trusted boundary feature, see the“Configuring Trusted Boundary” sectionon page 27-20.

When you enable auto-QoS by using theauto qos voip cisco-phoneor theauto qos voip trust interfaceconfiguration command, the switch automatically generates a QoS configuration based on the traffiand ingress packet label and applies the commands listed inTable 27-4 to the interface.

Table 27-4 Generated Auto-QoS Configuration Command Equivalents

Description Automatically Generated QoS Command Equivalent

The switch automatically enables standard QoS and configuresthe CoS-to-DSCP map (maps CoS values in incoming packetsto a DSCP value) as shown inTable 27-2 on page 27-10.

Switch(config)# mls qos map cos-dscp 0 8 16 26 32 4648 56

The switch automatically sets the ingress classification on theinterface to trust the CoS value received in the packet.

Switch(config-if)# mls qos trust cos

If you entered theauto qos voip cisco-phone command, theswitch automatically enables the trusted boundary feature,which uses the CDP to detect the presence or absence of aCisco IP Phone.

Switch(config-if)# mls qos trust device cisco-phone

The switch automatically assigns egress queue usage (asshown inTable 27-3 on page 27-10) on this interface.

The switch enables the egress expedite queue and assignsWRR weights to queues 1 and 3. (The lowest value for a WRRqueue is 1. When the WRR weight of a queue is set to 0, thisqueue becomes an expedite queue.)

The switch configures the CoS-to-egress-queue map:

• CoS values 0, 1, 2, and 4 select queue 1.

• CoS values 3, 6, and 7 select queue 3.

• CoS value 5 selects queue 4 (expedite queue).

Because the expedite queue (queue 4) contains the VoIP datatraffic, the queue is serviced until empty.

Switch(config)# wrr-queue bandwidth 20 1 80 0Switch(config)# wrr-queue cos-map 1 0 1 2 4Switch(config)# wrr-queue cos-map 3 3 6 7Switch(config)# wrr-queue cos-map 4 5


78-11380-07


beforet we

able

.

t

Effects of Auto-QoS on the ConfigurationWhen auto-QoS is enabled, theauto qos voip interface configuration command and the generatedconfiguration are added to the running configuration.

Configuration GuidelinesBefore configuring auto-QoS, you should be aware of this information:

• In this release, auto-QoS configures the switch only for VoIP with Cisco IP Phones.

• To take advantage of the auto-QoS defaults, do not configure any standard QoS commands entering the auto-QoS commands. If necessary, you can fine-tune the QoS configuration, burecommend that you do so only after the auto-QoS configuration is completed.

• You can enable auto-QoS on static, dynamic-access, voice VLAN access, and trunk ports.

• By default, the CDP is enabled on all interfaces. For auto-QoS to function properly, do not disthe CDP.

• Policing is not enabled in auto-QoS. You can manually enable policing, as described in the“Configuring a QoS Policy” section on page 27-23.

Enabling Auto-QoS for VoIPBeginning in privileged EXEC mode, follow these steps to enable auto-QoS for VoIP within a QoSdomain:

Command Purpose

Step 1 configure terminal Enter global configuration mode.

Step 2 interface interface-id Enter interface configuration mode, and specify the interface that isconnected to a Cisco IP Phone. You also can specify the uplinkinterface that is connected to another switch or router in the interiorof the network.

Step 3 auto qos voip{ cisco-phone | trust } Enable auto-QoS.

The keywords have these meanings:

• cisco-phone—If the interface is connected to a Cisco IP Phone,the QoS labels of incoming packets are trusted only when the IPphone is detected.

• trust—The uplink interface is connected to a trusted switch orrouter, and the VoIP classification in the ingress packet is trusted

Step 4 end Return to privileged EXEC mode.

Step 5 show auto qos interfaceinterface-id Verify your entries.

This command displays the auto-QoS configuration that was initiallyapplied; it does not display any user changes to the configuration thamight be in effect.


78-11380-07

Chapter 27 Configuring QoSDisplaying Auto-QoS Information

abled,n,

ettings

which

n the

n the

these

To display the QoS commands that are automatically generated when auto-QoS is enabled or disenter thedebug autoqosprivileged EXEC command before enabling auto-QoS. For more informatiosee the“Using the debug autoqos Command” section on page 29-16.

To disable auto-QoS on an interface, use theno auto qos voipinterface configuration command. Whenyou enter this command, the switch changes the auto-QoS settings to the standard-QoS default sfor that interface.

To disable auto-QoS on the switch, use theno auto qos voip interface configuration command on allinterfaces on which auto-QoS is enabled. When you enter this command on the last interface onauto-QoS is enabled, the switch enables pass-through mode.

This example shows how to enable auto-QoS and to trust the QoS labels in incoming packets whedevice connected to Fast Ethernet interface 0/1 is detected as a Cisco IP Phone:

Switch(config)# interface fastethernet0/1Switch(config-if)# auto qos voip cisco-phone

This example shows how to enable auto-QoS and to trust the QoS labels in incoming packets wheswitch or router connected to Gigabit Ethernet interface 0/1 is a trusted device:

Switch(config)# interface gigabitethernet0/1Switch(config-if)# auto qos voip trust

Displaying Auto-QoS InformationTo display the inital auto-QoS configuration, use theshow auto qos[ interface [ interface-id]] privilegedEXEC command. To display any user changes to that configuration, use theshow running-configprivileged EXEC command. You can compare theshow auto qos and theshow running-configcommand output to identify the user-defined QoS settings.

To display information about the QoS configuration that might be affected by auto-QoS, use one ofcommands:

• show mls qos

• show mls qos map cos-dscp

• show wrr-queue bandwidth

• show wrr-queue cos-map

For more information about these commands, refer to the command reference for this release.


78-11380-07

Chapter 27 Configuring QoSAuto-QoS Configuration Example

ndfic..

. You

Auto-QoS Configuration Example

Note This example is applicable only if your switch is running the EI.

This section describes how you could implement auto-QoS in a network, as shown inFigure 27-3.

Figure 27-3 Auto-QoS Configuration Example Network

The intelligent wiring closets inFigure 27-3are composed of Catalyst 2950 switches running the EI aCatalyst 3550 switches. The object of this example is to prioritize the VoIP traffic over all other trafTo do so, enable auto-QoS on the switches at the edge of the QoS domains in the wiring closets

Note You should not configure any standard-QoS commands before entering the auto-QoS commandscan fine-tune the QoS configuration, but we recommend that you do so only after the auto-QoSconfiguration is completed.

Cisco router

Intelligent wiring closetCatalyst 2950 and 3550

switches

Catalyst3550-24-EMIswitch

Catalyst 2950 switchat the edge of theQoS domain

Catalyst 2950 switchat the edge of the

QoS domain

Catalyst3550-24-EMI

switch

FastEthernet 0/1

FastEthernet 0/1

Intelligent wiring closetCatalyst 2950 and 3550

switches

To Internet

Catalyst 3550-12G switch

Gigabit Ethernet 0/5


GigabitEthernet

0/2 GigabitEthernet0/1

Trunklink


Trunklink

Cisco IP phones

Fast Ethernet 0/7

Fast Ethernet 0/3

Fast Ethernet 0/7

Fast Ethernet 0/3

Fast Ethernet 0/5 Fast Ethernet 0/5

Cisco IP phones

Video server172.20.10.16

8643

6

IP

IP

IP

IP

IP

IP


78-11380-07

Chapter 27 Configuring QoSConfiguring Standard QoS

QoS

e

oS

to

to

to

to

itct.

2.

Beginning in privileged EXEC mode, follow these steps to configure the switch at the edge of thedomain to prioritize the VoIP traffic over all other traffic:

Configuring Standard QoSBefore configuring standard QoS, you must have a thorough understanding of these items:

• The types of applications used and the traffic patterns on your network.

• Traffic characteristics and needs of your network. Is the traffic bursty? Do you need to reservbandwidth for voice and video streams?

• Bandwidth requirements and speed of the network.

• Location of congestion points in the network.

Command Purpose

Step 1 debug autoqos Enable debugging for auto-QoS. When debugging is enabled, the switchdisplays the QoS configuration that is automatically generated when auto-Qis enabled.


Step 3 cdp enable Enable CDP globally. By default, it is enabled.

Step 4 interface fastethernet0/3 Enter interface configuration mode.

Step 5 auto qos voip cisco-phone Enable auto-QoS on the interface, and specify that the interface is connecteda Cisco IP Phone.

The QoS labels of incoming packets are trusted only when the IP phone isdetected.






Step 11 auto qos voip trust Enable auto-QoS on the interface, and specify that the interface is connecteda trusted router or switch.


Step 13 show auto qos Verify your entries.

This command displays the auto-QoS configuration that is initially applied; does not display any user changes to the configuration that might be in effe

For information about the QoS configuration that might be affected byauto-QoS, see the “Displaying Auto-QoS Information” section on page 26-1

Step 14 copy running-configstartup-config

Save theauto qos voipinterface configuration commands and the generatedauto-QoS configuration in the configuration file.


78-11380-07


your

4

ge on

This section describes how to configure standard QoS on your switch:

Note If your switch is running the SI, you can configure only the features described in the “ConfiguringClassification Using Port Trust States” and the “Configuring the Egress Queues” sections. You can alsodisplay the QoS information as described in the “Displaying Standard QoS Information” section.

• Default Standard QoS Configuration, page 27-16

• Configuration Guidelines, page 27-17

• Configuring Classification Using Port Trust States, page 27-17

• Configuring a QoS Policy, page 27-23

• Configuring CoS Maps, page 27-31

• Configuring the Egress Queues, page 27-34

Default Standard QoS ConfigurationThis is the default standard QoS configuration:

Note You can configure policy maps, policers, the CoS-to-DSCP map, and the DSCP-to-CoS map only ifswitch is running the EI.

• The default port CoS value is 0.

• The CoS value of 0 is assigned to all incoming packets.

• The default port trust state is untrusted.

• No policy maps are configured.

• No policers are configured.

• The default CoS-to-DSCP map is shown inTable 27-6.

• The default DSCP-to-CoS map is shown inTable 27-7.

• The default scheduling method for the egress queues is strict priority.

• For default CoS and WRR values, see the“Configuring the Egress Queues” section on page 27-3.

Note In software releases earlier than Release 12.1(11)EA1, the switch uses the CoS value of incominpackets without modifying the DSCP value. You can configure this by enabling pass-through modthe port. For more information, see the“Enabling Pass-Through Mode” section on page 27-22.


78-11380-07


. To

tion,nnel.el.

. IP

ocol

Lntents

ched

Configuration Guidelines

Note These guidelines are applicable only if your switch is running the EI.

Before beginning the QoS configuration, you should be aware of this information:

• You must disable the IEEE 802.3X flowcontrol on all ports before enabling QoS on the switchdisable it, use theflowcontrol receive off andflowcontrol send off interface configurationcommands.

• If you have EtherChannel ports configured on your switch, you must configure QoS classificapolicing, mapping, and queueing on the individual physical ports that comprise the EtherChaYou must decide whether the QoS configuration should match on all ports in the EtherChann

• It is not possible to match IP fragments against configured IP extended ACLs to enforce QoSfragments are sent as best-effort traffic. IP fragments are denoted by fields in the IP header.

• All ingress QoS processing actions apply to control traffic (such as spanning-tree bridge protdata units [BPDUs] and routing update packets) that the switch receives.

• Only an ACL that is created for physical interfaces can be attached to a class map.

• Only one ACL per class map and only onematch command per class map are supported. The ACcan have multiple access control entries, which are commands that match fields against the coof the packet.

• Policy maps with ACL classification in the egress direction are not supported and cannot be attato an interface by using theservice-policy input policy-map-nameinterface configurationcommand.

• In a policy map, the class namedclass-defaultis not supported. The switch does not filter trafficbased on the policy map defined by theclass class-defaultpolicy-map configuration command.

• For more information about guidelines for configuring ACLs, see the“Classification Based on QoSACLs” section on page 27-5.

• For information about applying ACLs to physical interfaces, see the“Guidelines for Applying ACLsto Physical Interfaces” section on page 26-6.

Configuring Classification Using Port Trust StatesThis section describes how to classify incoming traffic by using port trust states:

• Configuring the Trust State on Ports within the QoS Domain, page 27-18

• Configuring the CoS Value for an Interface, page 27-20

• Configuring Trusted Boundary, page 27-20

• Enabling Pass-Through Mode, page 27-22


78-11380-07


areted

Note Both the SI and EI support this feature.

Configuring the Trust State on Ports within the QoS Domain

Packets entering a QoS domain are classified at the edge of the QoS domain. When the packetsclassified at the edge, the switch port within the QoS domain can be configured to one of the trusstates because there is no need to classify the packets at every switch within the QoS domain.Figure 27-4 shows a sample network topology.

Figure 27-4 Port Trusted States within the QoS Domain

8116

3

Catalyst3550-12T switch

Trunk

Trusted interface

Classificationof trafficperformed here

Catalyst 2950wiring closet

IP


78-11380-07


tion

he

dket

ts;

s

Beginning in privileged EXEC mode, follow these steps to configure the port to trust the classificaof the traffic that it receives:

To return a port to its untrusted state, use theno mls qos trust interface configuration command.

For information on how to change the default CoS value, see the“Configuring the CoS Value for anInterface” section on page 27-20. For information on how to configure the CoS-to-DSCP map, see t“Configuring the CoS-to-DSCP Map” section on page 27-32.

Command Purpose


Step 2 interface interface-id Enter interface configuration mode, and specify the interface to betrusted.

Valid interfaces include physical interfaces.

Step 3 mls qos trust [cos | dscp] Configure the port trust state.

By default, the port is not trusted.

The keywords have these meanings:

cos—Classifies ingress packets with the packet CoS values. Fortagged IP packets, the DSCP value of the packet is modified baseon the CoS-to-DSCP map. The egress queue assigned to the pacis based on the packet CoS value.

dscp—Classifies ingress packets with packet DSCP values. Fornon-IP packets, the packet CoS value is set to 0 for tagged packethe default port CoS is used for untagged packets. Internally, theswitch modifies the CoS value by using the DSCP-to-CoS map. Thikeyword is available only if your switch is running the EI.

Note In software releases earlier than Release 12.1(11)EA1, themls qos trust command is available only when the switch isrunning the EI.

Use thecoskeyword if your network is composed of Ethernet LANs.

Use thedscp keyword if your network is not composed of onlyEthernet LANs and if you are familiar with sophisticated QoSfeatures and implementations.

For more information about this command, refer to the commandreference for this release.


Step 5 show mls qos interface[ interface-id][policers]

Verify your entries.

Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file.


78-11380-07


or to

heinese to

theh.

u can

d,

ed.

fluee

to

if

re

h

Configuring the CoS Value for an Interface

QoS assigns the CoS value specified with themls qos cosinterface configuration command to untaggedframes received on trusted and untrusted ports.

Beginning in privileged EXEC mode, follow these steps to define the default CoS value of a port assign the default CoS to all incoming packets on the port:

To return to the default setting, use theno mls qos cos{ default-cos| override} interface configurationcommand.

Configuring Trusted Boundary

In a typical network, you connect a Cisco IP Phone to a switch port as shown inFigure 27-4 onpage 27-18. Traffic sent from the telephone to the switch is typically marked with a tag that uses t802.1Q header. The header contains the VLAN information and the CoS 3-bit field, which determthe priority of the packet. For most Cisco IP Phone configurations, the traffic sent from the telephonthe switch is trusted to ensure that voice traffic is properly prioritized over other types of traffic innetwork. By using themls qos trust cosinterface configuration command, you can configure the switcport to which the telephone is connected to trust the CoS labels of all traffic received on that port

In some situations, you also might connect a PC or workstation to the IP phone. In these cases, youse theswitchport priority extend cos interface configuration command to configure the telephonethrough the switch CLI to override the priority of the traffic received from the PC. With this commanyou can prevent a PC from taking advantage of a high-priority data queue.

Command Purpose


Step 2 interface interface-id Enter interface configuration mode, and specify the interface to be trust


Step 3 mls qos cos {default-cos | override} Configure the default CoS value for the port.

• For default-cos, specify a default CoS value to be assigned to a port. Ithe port is CoS trusted and packets are untagged, the default CoS vabecomes the CoS value for the packet. The CoS range is 0 to 7. Thdefault is 0.

• Use theoverride keyword to override the previously configured truststate of the incoming packets and to apply the default port CoS valueall incoming packets. By default, CoS override is disabled.

Use theoverride keyword when all incoming packets on certain portsdeserve higher priority than packets entering from other ports. Evena port was previously set to trust DSCP, this command overrides thepreviously configured trust state, and all the incoming CoS values aassigned the default CoS value configured with this command. If anincoming packet is tagged, the CoS value of the packet is modified witthe default CoS of the port at the egress port.


Step 5 show mls qos interface Verify your entries.



78-11380-07


abelsmisusect theh port.switch

port:

d.t the

isic that

.

However, if a user bypasses the telephone and connects the PC directly to the switch, the CoS lgenerated by the PC are trusted by the switch (because of the trusted CoS setting) and can allowof high-priority queues. The trusted boundary feature solves this problem by using the CDP to detepresence of a Cisco IP Phone (such as the Cisco IP Phone 7910, 7935, 7940, and 7960) on a switcIf the telephone is not detected, the trusted boundary feature disables the trusted setting on the port and prevents misuse of a high-priority queue.

Beginning in privileged EXEC mode, follow these steps to configure trusted boundary on a switch

When you enter theno mls qos trustinterface configuration command, trusted boundary is not disableIf this command is entered and the port is connected to a Cisco IP Phone, the port does not trusclassification of traffic that it receives. To disable trusted boundary, use theno mls qos trust deviceinterface configuration command

If you enter themls qos cos overrideinterface configuration command, the port does not trust theclassification of the traffic that it receives, even when it is connected to a Cisco IP Phone.

You cannot enable trusted boundary if auto-QoS is already enabled and vice-versa. If auto-QoS enabled and a Cisco IP Phone is absent on a port, the port does not trust the classification of traffit receives.

Command Purpose


Step 2 cdp enable Enable CDP globally. By default, it is enabled.

Step 3 interface interface-id Enter interface configuration mode, and specify the interface to betrusted.


Step 4 cdp enable Enable CDP on the interface. By default, CDP is enabled.

Step 5 mls qos trust device cisco-phone Configure the Cisco IP Phone as a trusted device on the interface

You cannot enable both trusted boundary and auto-QoS (auto qosvoip interface configuration command) at the same time; they aremutually exclusive.

Step 6 mls qos trust cos Configure the port trust state to trust the CoS value of the ingresspacket.

By default, the port is not trusted.

Note In software releases earlier than Release 12.1(11)EA1, themls qos trust cos command is available only when theswitch is running the EI.

For more information on this command, refer to the commandreference for this release.


Step 8 show mls qos interface[ interface-id][policers]




78-11380-07


es thene ofg a

outket

ed

Table 27-5 lists the port configuration when an IP phone is present or absent.

Enabling Pass-Through Mode

In software releases earlier than Release 12.1(11)EA1, the switch is in pass-through mode. It usCoS value of incoming packets without modifying the DSCP value and sends the packets from othe four egress queues. You cannot enable or disable pass-through mode if your switch is runninsoftware release earlier than Release 12.1(11)EA1.

In Release 12.1(11)EA1 or later, the switch assigns a CoS value of 0 to all incoming packets withmodifying the packets. The switch offers best-effort service to each packet regardless of the paccontents or size and sends it from a single egress queue.

Beginning in privileged EXEC mode, follow these steps to enable pass-through mode:

Table 27-5 Port Configurations When Trusted Boundary is Enabled

Port Configuration When a Cisco IP Phone is Present When a Cisco IP Phone is Absent

The port trusts the CoS valueof the incoming packet.

The packet CoS value is trusted. The packet CoS value is assignthe default CoS value.

The port trusts the DSCPvalue of the incoming packet.

The packet DSCP value is trusted. For tagged non-IP packets, thepacket CoS value is set to 0.

For untagged non-IP packets, thepacket CoS value is assigned thedefault CoS value.

The port assigns the defaultCoS value to incomingpackets.

The packet CoS value is assignedthe default CoS value.

The packet CoS value is assignedthe default CoS value.

Command Purpose


Step 2 interface interface-id Enter interface configuration mode, and specify the interface on whichpass-through mode is enabled.


Step 3 mls qos trust cos pass-through dscpEnable pass-through mode. The interface is configured to trust the CoSvalue of the incoming packets and to send them without modifying theDSCP value.


Step 5 show mls qos interface[ interface-id] Verify your entries.



78-11380-07


ied

To disable pass-through mode, use theno mls qos trust pass-through dscpinterface configurationcommand.

If you enter themls qos cos overrideand themls qos trust [cos | dscp] interface commands whenpass-through mode is enabled, pass-through mode is disabled.

If you enter themls qos trust cos pass-through dscp interface configuration command when themlsqos cos overrideand themls qos trust [cos | dscp] interface commands are already configured,pass-through mode is disabled.

Configuring a QoS Policy


Configuring a QoS policy typically requires classifying traffic into classes, configuring policies applto those traffic classes, and attaching policies to interfaces.

For background information, see the“Classification” section on page 27-5 and the“Policing andMarking” section on page 27-7.

This section contains this configuration information:

• Classifying Traffic by Using ACLs, page 27-24

• Classifying Traffic by Using Class Maps, page 27-27

• Classifying, Policing, and Marking Traffic by Using Policy Maps, page 27-28


78-11380-07


by

:

s that

as

.

e

Classifying Traffic by Using ACLs

You can classify IP traffic by using IP standard or IP extended ACLs; you can classify Layer 2 trafficusing Layer 2 MAC ACLs.

Beginning in privileged EXEC mode, follow these steps to create an IP standard ACL for IP traffic

For more information about creating IP standard ACLs, see the“Guidelines for Applying ACLs toPhysical Interfaces” section on page 26-6.

To delete an ACL, use theno access-listaccess-list-number global configuration command.

This example shows how to allow access for only those hosts on the two specified networks. Thewildcard bits apply to the host portions of the network addresses. Any host with a source addresdoes not match the ACL statements is rejected.

Switch(config)# access-list 1 permit 192.5.255.0 0.0.0.255Switch(config)# access-list 1 permit 36.0.0.0 0.0.0.255

Command Purpose


Step 2 access-listaccess-list-number {permit |remark } { source source-wildcard | hostsource| any}

Create an IP standard ACL, repeating the command as many timesnecessary.

Foraccess-list-number, enter the ACL number. The range is 1 to 99 and1300 to 1999.

Enterpermit to specify whether to permit access if conditions arematched.

Enterremark to specify an ACL entry comment up to 100 characters

Note Deny statements are not supported for QoS ACLs. See the“Classification Based on QoS ACLs” section on page 27-5formore details.

Thesourceis the source address of the network or host from which thpacket is being sent, specified in one of three ways:

• The 32-bit quantity in dotted decimal format.

• The keywordany as an abbreviation forsource andsource-wildcard of 0.0.0.0 255.255.255.255. You do not need toenter a source wildcard.

• The keywordhost as an abbreviation forsource andsource-wildcard of source 0.0.0.0.

(Optional) Thesource-wildcard variable applies wildcard bits to thesource (see first bullet item).


Step 4 show access-lists Verify your entries.



78-11380-07


c:

as

.

son

Beginning in privileged EXEC mode, follow these steps to create an IP extended ACL for IP traffi

Command Purpose


Step 2 access-listaccess-list-number{ permit | remark } protocol{ source source-wildcard | host source |any} [operator port] { destinationdestination-wildcard | host destination |any} [ operator port] [dscpdscp-value][time-range time-range-name]

Create an IP extended ACL, repeating the command as many timesnecessary.

Foraccess-list-number, enter the ACL number. The range is 100 to 199and 2000 to 2699.

Enterpermit to permit access if conditions are matched.

Enterremark to specify an ACL entry comment up to 100 characters


For protocol, enter the name or number of an IP protocol. Use thequestion mark (?) to see a list of available protocol keywords.

For source, enter the network or host from which the packet is beingsent. Forsource-wildcard, enter the wildcard bits by placing ones in thebit positions that you want to ignore. You specify thesource andsource-wilcardby using dotted decimal notation, by using theanykeyword as an abbreviation forsource 0.0.0.0source-wildcard255.255.255.255, or by using thehost keyword forsource 0.0.0.0.

For destination, enter the network or host to which the packet is beingsent. You have the same options for specifying thedestination anddestination-wildcardas those described forsource andsource-wildcard.

Define a destination or source port.

• Theoperator can be onlyeq (equal).

• If operatoris aftersource source-wildcard, conditions match whenthe source port matches the defined port.

• If operator is afterdestination destination-wildcard, conditionsmatch when the destination port matches the defined port.

• Theport is a decimal number or name of a TCP or UDP port. Thenumber can be from 0 to 65535.

• Use TCP port names only for TCP traffic.

• Use UDP port names only for UDP traffic.

Enterdscpto match packets with any of the 13 supported DSCP value(0, 8, 10, 16, 18, 24, 26, 32, 34, 40, 46, 48, and 56) or use the questimark (?) to see a list of available values.

The time-range keyword is optional. For information about thiskeyword, see the“Applying Time Ranges to ACLs” section onpage 26-15.



78-11380-07


ress

For more information about creating IP extended ACLs, see the“Guidelines for Applying ACLs toPhysical Interfaces” section on page 26-6.

To delete an ACL, use theno access-listaccess-list-number global configuration command.

This example shows how to create an ACL that permits only TCP traffic from the destination IP add128.88.1.2 with TCP port number 25:

Switch(config)# access-list 102 permit tcp 0.0.0.0 255.255.255.255 128.88.1.2 0.0.0.0 eq25

Beginning in privileged EXEC mode, follow these steps to create a Layer 2 MAC ACL for Layer 2traffic:

For more information about creating MAC extended ACLs, see the“Creating Named MAC ExtendedACLs” section on page 26-18.

To delete an ACL, use theno mac access-list extendedname global configuration command.

Step 4 show access-lists Verify your entries.


Command Purpose

Command Purpose


Step 2 mac access-list extendedname Create a Layer 2 MAC ACL by specifying the name of the list.

After entering this command, the mode changes to extended MACACL configuration.

Step 3 permit {any | host source MAC address}{ any | host destination MAC address} [ aarp| amber | appletalk | dec-spanning|decnet-iv | diagnostic | dsm | etype-6000 |etype-8042| lat | lavc-sca| mop-console|mop-dump | msdos| mumps | netbios |vines-echo|vines-ip | xns-idp]

Enterpermit to permit access if conditions are matched.

Note Deny statements are not supported for QoS ACLs. See the“Classification Based on QoS ACLs” section on page 27-5for more details.

For source MAC address, enter the MAC address of the host fromwhich the packet is being sent. You specify this by using theanykeyword to deny any source MAC address or by using thehostkeyword and the source in the hexadecimal format (H.H.H).

For destination MAC address, enter the MAC address of the host towhich the packet is being sent. You specify this by using theanykeyword to deny any destination MAC address or by using thehostkeyword and the destination in the hexadecimal format (H.H.H).

(Optional) You can also enter these options:

aarp | amber | appletalk | dec-spanning| decnet-iv |diagnostic | dsm | etype-6000 | etype-8042| lat | lavc-sca|mop-console| mop-dump | msdos| mumps | netbios |vines-echo|vines-ip | xns-idp (a non-IP protocol).


Step 5 show access-lists [number | name] Verify your entries.



78-11380-07


lows001.

lltrafficith

atch

This example shows how to create a Layer 2 MAC ACL with a permit statement. The statement altraffic from the host with MAC address 0001.0000.0001 to the host with MAC address 0002.0000.0

Switch(config)# mac access-list extended maclist1Switch(config-ext-macl)# permit host 0001.0000.0001 host 0002.0000.0001

Classifying Traffic by Using Class Maps

You use theclass-mapglobal configuration command to isolate a specific traffic flow (or class) from aother traffic and to name it. The class map defines the criteria to use to match against a specific flow to further classify it. Match statements can only include ACLs. The match criterion is defined wone match statement entered within the class-map configuration mode.

Note You can also create class maps during policy map creation by using theclasspolicy-map configurationcommand. For more information, see the“Classifying, Policing, and Marking Traffic by Using PolicyMaps” section on page 27-28.

Beginning in privileged EXEC mode, follow these steps to create a class map and to define the mcriterion to classify traffic:

Command Purpose


Step 2 access-listaccess-list-numberpermit{ source source-wildcard | host source|any}

or

access-listaccess-list-number{ permit | remark } protocol{ source source-wildcard | host source |any} [ operator port] { destinationdestination-wildcard | host destination |any} [ operator port] [dscpdscp-value][time-range time-range-name]

or

mac access-list extendedname

permit {any | host source MAC address}{ any | host destination MAC address}[aarp | amber | dec-spanning| decnet-iv |diagnostic| dsm | etype-6000| etype-8042| lat | lavc-sca| mop-console| mop-dump| msdos| mumps | netbios | vines-echo|vines-ip | xns-idp]

Create an IP standard or extended ACL for IP traffic or a Layer 2 MACACL for non-IP traffic, repeating the command as many times asnecessary.

For more information, see the“Guidelines for Applying ACLs toPhysical Interfaces” section on page 26-6and the“Classifying Trafficby Using ACLs” section on page 27-24.

For more information on themac access-list extendednamecommand, see the“Creating Named MAC Extended ACLs” section onpage 26-18.


Step 3 class-mapclass-map-name Create a class map, and enter class-map configuration mode.

By default, no class maps are defined.

For class-map-name,specify the name of the class map.


78-11380-07


luesidthfile

cers.

L

4,

To delete an existing class map, use theno class-mapclass-map-nameglobal configuration command.To remove a match criterion, use theno match { access-groupacl-index | nameacl-name| ip dscp}class-map configuration command.

This example shows how to configure the class map calledclass1. Theclass1 has one match criterion,which is an ACL called103.

Switch(config)# access-list 103 permit any any tcp eq 80Switch(config)# class-map class1Switch(config-cmap)# match access-group 103Switch(config-cmap)# endSwitch#

Classifying, Policing, and Marking Traffic by Using Policy Maps

A policy map specifies which traffic class to act on. Actions can include trusting the CoS or DSCP vain the traffic class; setting a specific DSCP value in the traffic class; and specifying the traffic bandwlimitations for each matched traffic class (policer) and the action to take when the traffic is out of pro(marking).

A policy map also has these characteristics:

• A policy map can contain multiple class statements, each with different match criteria and poli

• A separate policy-map class can exist for each type of traffic received through an interface.

You can attach only one policy map per interface in the input direction.

Step 4 match {access-group acl-index |access-group name acl-name| ip dscpdscp-list}

Define the match criterion to classify traffic.

By default, no match criterion is supported.

Only one match criterion per class map is supported, and only one ACper class map is supported.

For access-groupacl-indexor access-group nameacl-name, specifythe number or name of the ACL created in Step 3.

For ip dscpdscp-list, enter a list of up to eight IP DSCP values for eachmatch statement to match against incoming packets. Separate eachvalue with a space. The supported DSCP values are 0, 8, 10, 16, 18, 226, 32, 34, 40, 46, 48, and 56.


Step 6 show class-map [class-map-name] Verify your entries.


Command Purpose


78-11380-07


No

n

Beginning in privileged EXEC mode, follow these steps to create a policy map:

Command Purpose


Step 2 access-listaccess-list-numberpermit{ source source-wildcard | host source|any}

or

access-listaccess-list-number{ permit | remark } protocol{ source source-wildcard | host source |any} [ operator port] { destinationdestination-wildcard | host destination |any} [operator port] [dscp dscp-value][time-range time-range-name]

or

mac access-list extendedname

permit {any | host source MAC address}{ any | host destination MAC address}[aarp | amber | appletalk |dec-spanning|decnet-iv | diagnostic | dsm | etype-6000|etype-8042| lat | lavc-sca| mop-console|mop-dump | msdos| mumps | netbios |vines-echo|vines-ip | xns-idp]

Create an IP standard or extended ACL for IP traffic or a Layer 2 MACACL for non-IP traffic, repeating the command as many times asnecessary.

For more information, see the“Classifying Traffic by Using ACLs”section on page 27-24.


For more information on themac access-list extendednamecommand, see the“Creating Named MAC Extended ACLs” section onpage 26-18.

Step 3 policy-map policy-map-name Create a policy map by entering the policy map name, and enterpolicy-map configuration mode.

By default, no policy maps are defined.

The default behavior of a policy map is to set the DSCP to 0 if thepacket is an IP packet and to set the CoS to 0 if the packet is tagged.policing is performed.

Step 4 classclass-map-name [access-group nameacl-index-or-name]

Define a traffic classification, and enter policy-map class configuratiomode.

By default, no policy map class maps are defined.

If a traffic class has already been defined by using theclass-mapglobalconfiguration command, specify its name forclass-map-namein thiscommand.

Foraccess-group nameacl-index-or-name, specify the number or nameof the ACL created in Step 2.

Note In a policy map, the class namedclass-defaultis not supported.The switch does not filter traffic based on the policy mapdefined by theclass class-default policy-map configurationcommand.


78-11380-07


4,

s.

eo

re

se

h

To delete an existing policy map, use theno policy-map policy-map-name global configurationcommand. To delete an existing class map, use theno classclass-map-name policy-map configurationcommand. To remove an assigned DSCP value, use theno set ip dscpnew-dscp policy-mapconfiguration command. To remove an existing policer, use theno policerate-bps burst-byte[exceed-action{ drop | dscp dscp-value}] policy-map configuration command. To remove the policymap and interface association, use theno service-policy inputpolicy-map-nameinterface configurationcommand.

Step 5 set { ip dscp new-dscp} Classify IP traffic by setting a new value in the packet.

For ip dscp new-dscp, enter a new DSCP value to be assigned to theclassified traffic. The supported DSCP values are 0, 8, 10, 16, 18, 226, 32, 34, 40, 46, 48, and 56.

Step 6 police rate-bps burst-byte [exceed-action{ drop | dscp dscp-value}]

Define a policer for the classified traffic.

You can configure up to 60 policers on ingress Gigabit-capableEthernet ports and up to 6 policers on ingress 10/100 Ethernet port

For rate-bps, specify average traffic rate in bits per second (bps). Thrange is 1 Mbps to 100 Mbps for 10/100 Ethernet ports and 8 Mbps t1000 Mbps for the Gigabit-capable Ethernet ports.

For burst-byte, specify the normal burst size in bytes. The valuessupported on the 10/100 ports are 4096, 8192, 16384, 32768, and65536. The values supported on the Gigabit-capable Ethernet ports a4096, 8192, 16348, 32768, 65536, 131072, 262144, and 524288.

(Optional) Specify the action to take when the rates are exceeded. Utheexceed-action drop keywords to drop the packet. Use theexceed-action dscpdscp-value keywords to mark down the DSCPvalue and send the packet.

Step 7 exit Return to policy-map configuration mode.

Step 8 exit Return to global configuration mode.

Step 9 interface interface-id Enter interface configuration mode, and specify the interface to attacto the policy map.


Step 10 service-policy input policy-map-name Apply specified policy map to the input of a particular interface.

Only one policy map per interface per direction is supported.


Step 12 show policy-map[policy-map-nameclassclass-name]



Command Purpose


78-11380-07


ation, thete

d sent.

to an

This example shows how to create a policy map and attach it to an ingress interface. In the configurthe IP standard ACL permits traffic from network 10.1.0.0. For traffic matching this classification,DSCP value in the incoming packet is trusted. If the matched traffic exceeds an average traffic raof 5000000 bps and a normal burst size of 8192 bytes, its DSCP is marked down to a value of 10 an

Switch(config)# access-list 1 permit 10.1.0.0 0.0.255.255Switch(config)# class-map ipclass1Switch(config-cmap)# match access-group 1Switch(config-cmap)# exitSwitch(config)# policy-map flow1tSwitch(config-pmap)# class ipclass1Switch(config-pmap-c)# police 5000000 8192 exceed-action dscp 10Switch(config-pmap-c)# exitSwitch(config-pmap)# exitSwitch(config)# interface gigabitethernet0/1Switch(config-if)# switchport mode accessSwitch(config-if)# service-policy input flow1t

This example shows how to create a Layer 2 MAC ACL with two permit statements and attach it ingress interface. The first permit statement allows traffic from the host with MACaddress 0001.0000.0001 destined for the host with MAC address 0002.0000.0001.

Switch(config)# mac access-list extended maclist1Switch(config-ext-mac)# permit host 0001.0000.0001 host 0002.0000.0001Switch(config-ext-mac)# exitSwitch(config)# mac access-list extended maclist2Switch(config-ext-mac)# permit host 0001.0000.0003 host 0002.0000.0003Switch(config-ext-mac)# exitSwitch(config)# class-map macclass1Switch(config-cmap)# match access-group name maclist1Switch(config-cmap)# exitSwitch(config)# policy-map macpolicy1Switch(config-pmap)# class macclass1Switch(config-pmap-c)# set ip dscp 56Switch(config-pmap-c)# exitSwitch(config-pmap)# class macclass2 maclist2Switch(config-pmap-c)# set ip dscp 48Switch(config-pmap-c)# exitSwitch(config-pmap)# exitSwitch(config)# interface gigabitethernet0/1Switch(config-if)# switchport mode trunkSwitch(config-if)# mls qos trust cosSwitch(config-if)# service-policy input macpolicy1

Configuring CoS Maps


This section describes how to configure the CoS maps:

• Configuring the CoS-to-DSCP Map, page 27-32

• Configuring the DSCP-to-CoS Map, page 27-33

All the maps are globally defined.


78-11380-07


uses

0

6,

Configuring the CoS-to-DSCP Map

You use the CoS-to-DSCP map to map CoS values in incoming packets to a DSCP value that QoSinternally to represent the priority of the traffic.

Table 27-6 shows the default CoS-to-DSCP map.

If these values are not appropriate for your network, you need to modify them.

Beginning in privileged EXEC mode, follow these steps to modify the CoS-to-DSCP map:

To return to the default map, use theno mls qos map cos-dscp global configuration command.

This example shows how to modify and display the CoS-to-DSCP map:

Switch# configure terminalSwitch(config)# mls qos map cos-dscp 8 8 8 8 24 32 56 56Switch(config)# endSwitch# show mls qos maps cos-dscp

Cos-dscp map: cos: 0 1 2 3 4 5 6 7 -------------------------------- dscp: 8 8 8 8 24 32 56 56

Table 27-6 Default CoS-to-DSCP Map

CoS value 0 1 2 3 4 5 6 7

DSCP value 0 8 16 24 32 40 48 56

Command Purpose


Step 2 mls qos map cos-dscpdscp1...dscp8 Modify the CoS-to-DSCP map.

For dscp1...dscp8, enter 8 DSCP values that correspond to CoS valuesto 7. Separate each DSCP value with a space.

The supported DSCP values are 0, 8, 10, 16, 18, 24, 26, 32, 34, 40, 448, and 56.


Step 4 show mls qos maps cos-dscp Verify your entries.



78-11380-07


used

ining

ter

6,

Configuring the DSCP-to-CoS Map

You use the DSCP-to-CoS map to map DSCP values in incoming packets to a CoS value, which isto select one of the four egress queues.

The switch supports these DSCP values: 0, 8, 10, 16, 18, 24, 26, 32, 34, 40, 46, 48, and 56.

Table 27-7 shows the default DSCP-to-CoS map.

If these values are not appropriate for your network, you need to modify them.

Beginning in privileged EXEC mode, follow these steps to modify the DSCP-to-CoS map:

To return to the default map, use theno mls qos map dscp-cos global configuration command.

This example shows how the DSCP values 26 and 48 are mapped to CoS value 7. For the remaDSCP values, the DSCP-to-CoS mapping is the default.

Switch(config)# mls qos map dscp-cos 26 48 to 7Switch(config)# exit

Switch# show mls qos maps dscp-cos

Dscp-cos map: dscp: 0 8 10 16 18 24 26 32 34 40 46 48 56 ----------------------------------------------- cos: 0 1 1 2 2 3 7 4 4 5 5 7 7

Table 27-7 Default DSCP-to-CoS Map

DSCP values 0 8, 10 16, 18 24, 26 32, 34 40, 46 48 56

CoS values 0 1 2 3 4 5 6 7

Command Purpose


Step 2 mls qos map dscp-cosdscp-listto cos Modify the DSCP-to-CoS map.

Fordscp-list, enter up to 13 DSCP values separated by spaces. Then enthe to keyword.

For cos, enter the CoS value to which the DSCP values correspond.

The supported DSCP values are 0, 8, 10, 16, 18, 24, 26, 32, 34, 40, 448, and 56. The CoS range is 0 to 7.


Step 4 show mls qos maps dscp-cos Verify your entries.



78-11380-07


o

Configuring the Egress Queues

Note This feature is supported by both the SI and EI.

This section describes how to configure the egress queues:

• Configuring CoS Priority Queues, page 27-34

• Configuring WRR Priority, page 27-35

• Enabling the Expedite Queue and Configuring WRR Priority, page 27-35

For more information about the egress queues, see the“Egress CoS Queues” section on page 27-9.

Configuring CoS Priority Queues

Beginning in privileged EXEC mode, follow these steps to configure the CoS priority queues:

To disable the new CoS settings and return to default settings, use theno wrr-queue cos-mapglobalconfiguration command.

Command Purpose


Step 2 wrr-queue cos-mapqid cos1..cosnSpecify the queue ID of the CoS priority queue. (Ranges are 1 t4 where 1 is the lowest CoS priority queue.)

Specify the CoS values that are mapped to the queue id.

Default values are as follows:

CoS Value CoS Priority Queues

0, 1 1

2, 3 2

4, 5 3

6, 7 4


Step 4 show wrr-queue cos-map Display the mapping of the CoS priority queues.


78-11380-07


aining35

e the

,

Configuring WRR Priority

Beginning in privileged EXEC mode, follow these steps to configure the WRR priority:

To disable the WRR scheduling and enable the strict priority scheduling, use theno wrr-queue bandwidth global configuration command.

To enable one of the queues as the expedite queue and to enable the WRR scheduling for the remqueues, see the“Enabling the Expedite Queue and Configuring WRR Priority” section on page 27-.

Enabling the Expedite Queue and Configuring WRR Priority

In Release 12.1(12c)EA1 or later, beginning in privileged EXEC mode, follow these steps to enablexpedite queue (queue 4) and assign WRR priority to the remaining queues:

Command Purpose


Step 2 wrr-queue bandwidthweight1...weight4

Assign WRR weights to the four CoS queues.

These are the ranges for the WRR values:

• For weight1, weight2, andweight3, the range is 1 to 255.

• For weight4, the range is 0 to 255. When weight4 is set to 0,queue 4 is configured as the expedite queue.

Note In software releases earlier than Release 12.1(12c)EA1the ranges for all queues is 1 to 255.


Step 4 show wrr-queue bandwidth Display the WRR bandwidth allocation for the CoS priorityqueues.

Command Purpose


Step 2 wrr-queue bandwidth weight1weight2 weight30

Configure queue 4 as the expedite queue and assign WRRweights to the remaining egress queues.

The range of WRR weights forweight1, weight2, andweight3is 1 to 255.


Step 4 show wrr-queue bandwidth Display the WRR bandwidth allocation for the CoS priorityqueues.


78-11380-07

Chapter 27 Configuring QoSDisplaying Standard QoS Information

your

n.

ued

Displaying Standard QoS InformationTo display standard QoS information, use one or more of the privileged EXEC commands inTable 27-8:

Standard QoS Configuration Examples

Note These examples are applicable only if your switch is running the EI.

This section shows a QoS migration path to help you quickly implement QoS features based on existing network and planned changes to your network, as shown inFigure 27-5. It contains thisinformation:

• QoS Configuration for the Existing Wiring Closet, page 27-37

• QoS Configuration for the Intelligent Wiring Closet, page 27-38

Table 27-8 Commands for Displaying QoS Information

Command Purpose

show class-map [class-map-name]1

1. Available only on a switch running the EI.

Display QoS class maps, which define the match criteria toclassify traffic.

show policy-map[policy-map-name [classclass-name]] 1 Display QoS policy maps, which define classification criteria forincoming traffic.

show mls qos maps[cos-dscp | dscp-cos]1 Display QoS mapping information. Maps are used to generate ainternal DSCP value, which represents the priority of the traffic

show mls qos interface [interface-id] [policers]1 Display QoS information at the interface level, including theconfiguration of the egress queues and the CoS-to-egress-quemap, which interfaces have configured policers, and ingress anegress statistics (including the number of bytes dropped).

show mls masks [qos | security]1 Display details regarding the masks2 used for QoS and securityACLs.

2. Access control parameters are called masks in the switch CLI commands and output.

show wrr-queue cos-map Display the mapping of the CoS priority queues.

show wrr-queue bandwidth Display the WRR bandwidth allocation for the CoS priorityqueues.


78-11380-07

Chapter 27 Configuring QoSStandard QoS Configuration Examples

.02.1P

net

ag548

hest the

Figure 27-5 QoS Configuration Example Network

QoS Configuration for the Existing Wiring ClosetThe existing wiring closet inFigure 27-5consists of existing Catalyst 2900 XL and 3500 XL switchesThese switches are running IOS release 12.0(5)XP or later, which supports the QoS-based IEEE 8CoS values. QoS classifies frames by assigning priority-indexed CoS values to them and givespreference to higher-priority traffic.

Recall that on the Catalyst 2900 and 3500 XL switches, you can classify untagged (native) Etherframes at the ingress ports by setting a default CoS priority (switchport priority defaultdefault-priority-id interface configuration command) for each port. For IEEE 802.1Q frames with tinformation, the priority value from the header frame is used. On the Catalyst 3524-PWR XL and 3XL switches, you can override this priority with the default value by using theswitchport prioritydefault override interface configuration command. For Catalyst 2950 and Catalyst 2900 XL switcand other 3500 XL models that do not have the override feature, the Catalyst 3550-12T switch adistribution layer can override the 802.1P CoS value by using themls qos cos override interfaceconfiguration command.

Cisco router

Existing wiring closetCatalyst 2900 and 3500 XL

switches

Intelligent wiring closetCatalyst 2950 switches

To Internet

Catalyst 3550-12G switch



GigabitEthernet

0/2 GigabitEthernet0/1

Trunklink


Trunklink

Endstations

Video server172.20.10.16

6528

8


78-11380-07


ith aport

rityiorityueue.

es

46than

e.

For the Catalyst 2900 and 3500 XL switches, CoS configures each transmit port (the egress port) wnormal-priority transmit queue and a high-priority transmit queue, depending on the frame tag or theinformation. Frames in the normal-priority queue are forwarded only after frames in the high-prioqueue are forwarded. Frames that have 802.1P CoS values of 0 to 3 are placed in the normal-prtransmit queue while frames with CoS values of 4 to 7 are placed in the expedite (high-priority) q

QoS Configuration for the Intelligent Wiring ClosetThe intelligent wiring closet inFigure 27-5is composed of Catalyst 2950 switches. One of the switchis connected to a video server, which has an IP address of 172.20.10.16.

The object of this example is to prioritize the video traffic over all other traffic. To do so, a DSCP ofis assigned to the video traffic. This traffic is stored in queue 4, which is serviced more frequentlythe other queues.

Beginning in privileged EXEC mode, follow these steps to configure the switch to prioritize videopackets over all other traffic:

Command Purpose


Step 2 access-list 1 permit 172.20.10.16 Define an IP standard ACL, and permit traffic from the videoserver at 172.20.10.16.

Step 3 class-map videoclass Create a class map calledvideoclass, and enter class-mapconfiguration mode.

Step 4 match access-group 1 Define the match criterion by matching the traffic specified byACL 1.


Step 6 policy-map videopolicy Create a policy map calledvideopolicy, and enter policy-mapconfiguration mode.

Step 7 class videoclass Specify the class on which to act, and enter policy-map classconfiguration mode.

Step 8 set ip dscp 46 For traffic matching ACL 1, set the DSCP of incoming packets to46.

Step 9 police 5000000 8192 exceed-action drop Define a policer for the classified video traffic to drop traffic thatexceeds 5-Mbps average traffic rate with an 8192-byte burst siz

Step 10 exit Return to policy-map configuration mode.


Step 12 interface gigabitethernet0/1 Enter interface configuration mode, and specify the ingressinterface.

Step 13 service-policy input videopolicy Apply the policy to the ingress interface.


Step 15 wrr-queue bandwidth 1 2 3 4 Assign a higher WRR weight to queue 4.

Step 16 wrr-queue cos-map 4 6 7 Configure the CoS-to-egress-queue map so that CoS values 6and 7 select queue 4.



78-11380-07


Step 18 show class-map videoclass

show policy-map videopolicy

show mls qos maps [cos-dscp | dscp-cos]



Command Purpose


78-11380-07



78-11380-07

configuring qos - wordpress.com · 27-1 catalyst 2950 and catalyst 2955 switch software...

Documents