
Cisco 3560 MLS QOS – Part 1

Posted on February 14, 2012

MLS QOS has been one of the greatest fears for my CCIE RS exam. I’ve read it several times, labbed it
more than 3 times, but still I just cannot understand it. Then I decided to write my own notes to teach myself
and hopefully any of you mere mortals like me.

I’ll start with Classification and Marking and let’s see how deep the rabbit hole goes for the next few
parts.

Enjoy!

Classification and Marking.

Let’s just say that you have a switchport Fa0/1 configured for Vlan 100 and want to mark it as DSCP CS1
(Decimal 8).

SW-3560(config)#mls qos
SW-3560(config)#int f0/1
SW-3560(config-if)#switchport access vlan 100
SW-3560(config-if)#mls qos ?
  cos            cos keyword
  dscp-mutation  dscp-mutation keyword
  trust          trust keyword
  vlan-based     vlan-based keyword

We are left with only the COS option; no DSCP option is available. The COS field is only found in
802.1q/ISL frames, which is the traffic on a trunk interface, and a switchport in access mode is not a trunk
interface. In this case, we can use the COS option and the switch will then use the COS-DSCP mapping
table to mark the packet as DSCP CS1 (decimal 8).

SW-3560# sh mls qos maps cos-dscp


Cos-dscp map:
        cos:   0  1  2  3  4  5  6  7
     --------------------------------
       dscp:   0  8 16 24 32 40 48 56

We can change this mapping. For example, in most implementations we would like to set COS 5 =
DSCP EF (decimal 46). This keeps the marking uniform end-to-end, so that DSCP EF (mostly voice
RTP) maps to COS 5.

SW-3560(config)#mls qos map cos-dscp 0 8 16 24 32 46 48 56
SW-3560(config)#do sh mls qos map cos-dscp
Cos-dscp map:
        cos:   0  1  2  3  4  5  6  7
     --------------------------------
       dscp:   0  8 16 24 32 46 48 56

Based on the COS-DSCP map, to mark the packet to DSCP CS1 (Decimal 8), we can use mls qos cos 1.

SW-3560(config)#mls qos
SW-3560(config)#int f0/1
SW-3560(config-if)#switchport access vlan 100
SW-3560(config-if)#mls qos cos 1
!
SW-3560#sh mls qos int f0/1
FastEthernet0/1
trust state: not trusted
trust mode: not trusted
trust enabled flag: ena
COS override: dis
default COS: 1
DSCP Mutation Map: Default DSCP Mutation Map
Trust device: none
qos mode: port-based

We can combine mls qos cos 1 with the commands below.

If the host is capable of marking the packets entering the switchport Fa0/1, we can also honour its value by
trusting its DSCP or IP-PRECEDENCE or COS marking.

For IP packets, we can use mls qos trust dscp or mls qos trust ip-precedence. If a packet is
non-IP while the port trusts an IP marking (DSCP or IP-PRECEDENCE), the switch has no DSCP or
IP-PRECEDENCE field to read, so it checks the COS marking instead, which again is only available on a
trunk port. If there is no COS field, that is, the frame is not 802.1q/ISL, the packet takes the value
configured in the mls qos cos command; the switch looks that value up in the COS-DSCP table and marks
the packet with the corresponding DSCP value. In this case that is DSCP CS1 (decimal 8).

SW-3560#sh mls qos int f0/1


FastEthernet0/1
trust state: trust dscp
trust mode: trust dscp
trust enabled flag: ena
COS override: dis
default COS: 1
DSCP Mutation Map: Default DSCP Mutation Map
Trust device: none
qos mode: port-based

On the other hand, mls qos trust cos works for marking both IP and non-IP packets. If the frame carries a
COS value, which means it has to be an 802.1q/ISL frame, the switch uses that COS value. If there is no
COS value, it uses mls qos cos 1 regardless of any DSCP/IP-PRECEDENCE value the packet already has.
The switch rewrites the DSCP/IP-PRECEDENCE based on the new COS value (COS 1).

SW-3560#sh mls qos int f0/1


FastEthernet0/1
trust state: trust cos
trust mode: trust cos
trust enabled flag: ena
COS override: dis
default COS: 1
DSCP Mutation Map: Default DSCP Mutation Map
Trust device: none
qos mode: port-based

If we just want to override the existing COS or DSCP/IP-PRECEDENCE value, we can use mls qos cos
override. This overrides any COS value and derives the DSCP value from the COS-DSCP mapping
table.

SW-3560#sh mls qos int f0/1


FastEthernet0/1
trust state: cos override
trust mode: cos override
trust enabled flag: ena
COS override: ena
default COS: 1
DSCP Mutation Map: Default DSCP Mutation Map
Trust device: none
qos mode: port-based
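
The decision rules described above for mls qos trust dscp, mls qos trust cos and mls qos cos override can be modelled in a few lines. This Python sketch is an added example, not part of the original post and not Cisco code; the Frame and Port names are hypothetical. It shows that a port trusting DSCP accepts whatever value the attached host sets, which is why the trust setting defines the QoS trust boundary.

```python
# Added illustration: models the ingress marking rules described in this article.
# Frame and Port are hypothetical names, not Cisco data structures.
from dataclasses import dataclass, field
from typing import Optional

DEFAULT_COS_DSCP = [0, 8, 16, 24, 32, 40, 48, 56]  # default cos-dscp map shown above

@dataclass
class Frame:
    cos: Optional[int] = None    # None = no 802.1q/ISL header (access port traffic)
    dscp: Optional[int] = None   # None = non-IP packet

@dataclass
class Port:
    trust: str = "dscp"          # "dscp", "cos" or "override"
    default_cos: int = 0         # value of "mls qos cos <n>"
    cos_dscp: list = field(default_factory=lambda: list(DEFAULT_COS_DSCP))

def ingress_dscp(port: Port, frame: Frame) -> int:
    """Return the DSCP assigned on ingress, following the article's rules."""
    if port.trust == "override":
        # mls qos cos override: ignore every marking, use the port default COS
        return port.cos_dscp[port.default_cos]
    if port.trust == "dscp" and frame.dscp is not None:
        # trusted IP packet keeps the DSCP the host set
        return frame.dscp
    # trust cos, or trust dscp on a non-IP packet: fall back to COS
    cos = frame.cos if frame.cos is not None else port.default_cos
    return port.cos_dscp[cos]

def demo():
    """Run constructed sample frames through a port with mls qos cos 1."""
    port = Port(trust="dscp", default_cos=1)
    results = {
        "ip_ef_trust_dscp": ingress_dscp(port, Frame(dscp=46)),
        "non_ip_untagged_trust_dscp": ingress_dscp(port, Frame()),
        "non_ip_tagged_cos3": ingress_dscp(port, Frame(cos=3)),
    }
    port.trust = "cos"
    results["ip_ef_untagged_trust_cos"] = ingress_dscp(port, Frame(dscp=46))
    port.trust = "override"
    results["tagged_cos5_override"] = ingress_dscp(port, Frame(cos=5, dscp=46))
    return results

if __name__ == "__main__":
    for name, dscp in demo().items():
        print(f"{name}: DSCP {dscp}")
```
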

Besides the mls qos cos command, we can use the MQC framework to perform the marking. This can
be done as below:

policy-map PM_QOS_MARKING
 class class-default
  set dscp cs1

int f0/1
 switchport access vlan 100
 service-policy in PM_QOS_MARKING

SW-3560#sh mls qos int f0/1


FastEthernet0/1
Attached policy-map for Ingress: PM_QOS_MARKING
trust state: not trusted
trust mode: not trusted
trust enabled flag: ena
COS override: dis
default COS: 1
DSCP Mutation Map: Default DSCP Mutation Map
Trust device: none
qos mode: port-based

As shown above, we can use MQC to mark any packet as DSCP CS1. In this scenario we cannot use
it to mark the packet as COS 1. Instead, we set DSCP CS1 and rely on the DSCP-COS mapping table.

SW-3560#sh mls qos maps dscp-cos


Dscp-cos map:
d1 : d2 0 1 2 3 4 5 6 7 8 9
---------------------------------------
0 : 00 00 00 00 00 00 00 00 01 01
1 : 01 01 01 01 01 01 02 02 02 02
2 : 02 02 02 02 03 03 03 03 03 03
3 : 03 03 04 04 04 04 04 04 04 04
4 : 05 05 05 05 05 05 05 05 06 06
5 : 06 06 06 06 06 06 07 07 07 07
6 : 07 07 07 07

In this DSCP-COS map, we can see that DSCP CS1, read as decimal 08, has COS 1 mapped to it.
Therefore, if the packet has an 802.1q/ISL header, the switch will rewrite it to COS 1.

We can alter this map the same way we altered the cos-dscp map, but now we are altering the dscp-cos map.
Please note that changing the cos-dscp map doesn’t automatically change the dscp-cos map. These two maps
are not linked to each other; each keeps its own mapping.

The DSCP-COS map above shows that DSCP EF (decimal 46) has a COS value of 5. We can change this
value using the command below:

SW-3560(config)#mls qos map dscp-cos 46 to 4


SW-3560(config)#do sh mls qos map dscp-cos
Dscp-cos map:
d1 : d2 0 1 2 3 4 5 6 7 8 9
---------------------------------------
0 : 00 00 00 00 00 00 00 00 01 01
1 : 01 01 01 01 01 01 02 02 02 02
2 : 02 02 02 02 03 03 03 03 03 03
3 : 03 03 04 04 04 04 04 04 04 04
4 : 05 05 05 05 05 05 04 05 06 06
5 : 06 06 06 06 06 06 07 07 07 07
6 : 07 07 07 07
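
Because the two maps are independent, it is worth checking that COS -> DSCP -> COS still returns the starting COS after either map is edited. The following Python check is an added example, not part of the original post; the sample strings are constructed from the show outputs in this article with both changes applied (COS 5 to DSCP 46, and DSCP 46 to COS 4).

```python
# Added illustration: parse "show mls qos maps" output and audit the two maps.
# SAMPLE_* strings are constructed from the outputs shown in this article.
SAMPLE_COS_DSCP = """\
Cos-dscp map:
cos: 0 1 2 3 4 5 6 7
--------------------------------
dscp: 0 8 16 24 32 46 48 56
"""

SAMPLE_DSCP_COS = """\
Dscp-cos map:
d1 : d2 0 1 2 3 4 5 6 7 8 9
---------------------------------------
0 : 00 00 00 00 00 00 00 00 01 01
1 : 01 01 01 01 01 01 02 02 02 02
2 : 02 02 02 02 03 03 03 03 03 03
3 : 03 03 04 04 04 04 04 04 04 04
4 : 05 05 05 05 05 05 04 05 06 06
5 : 06 06 06 06 06 06 07 07 07 07
6 : 07 07 07 07
"""

def parse_cos_dscp(text):
    """Return a list where index = COS and value = DSCP."""
    for line in text.splitlines():
        if line.strip().startswith("dscp:"):
            return [int(v) for v in line.split(":", 1)[1].split()]
    raise ValueError("no dscp: row found")

def parse_dscp_cos(text):
    """Return {dscp: cos}; DSCP = d1 * 10 + d2 (row digit, column digit)."""
    table = {}
    for line in text.splitlines():
        left, sep, right = line.partition(":")
        if sep and left.strip().isdigit():
            d1 = int(left)
            for d2, cos in enumerate(right.split()):
                table[d1 * 10 + d2] = int(cos)
    return table

def round_trip_mismatches(cos_dscp, dscp_cos):
    """List (cos, dscp, cos_back) where COS -> DSCP -> COS does not return to COS."""
    return [(c, d, dscp_cos[d]) for c, d in enumerate(cos_dscp) if dscp_cos[d] != c]

if __name__ == "__main__":
    issues = round_trip_mismatches(parse_cos_dscp(SAMPLE_COS_DSCP), parse_dscp_cos(SAMPLE_DSCP_COS))
    for cos, dscp, back in issues:
        print(f"COS {cos} -> DSCP {dscp} -> COS {back}")
```
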

Let’s see another example below:

int f0/1
 switchport access vlan 100
 switchport voice vlan 200
 mls qos trust device cisco-phone

SW-3560#sh mls qos int f0/37


FastEthernet0/37
trust state: not trusted
trust mode: not trusted
trust enabled flag: ena
COS override: dis
default COS: 0
DSCP Mutation Map: Default DSCP Mutation Map
Trust device: cisco-phone
qos mode: port-based

The command mls qos trust device cisco-phone will trust the marking if the port can sense a Cisco
phone via CDPv2 or LLDP-MED. The port itself turns into a pseudo-trunk which carries an 802.1q header
containing a COS value. Again, this can also alter the DSCP value based on the COS-DSCP mapping table.
However, the switch will not trust the PC on VLAN 100 and will rewrite its traffic to COS 0 based on the
switchport default COS value.

This also means that once you enable mls qos globally, the switchport will rewrite any packet to COS
0 or DSCP default (decimal 0). If you want, you can change this default COS 0 value to mls qos cos 2 to
mark the traffic that is not from a known Cisco phone.

MQC

We can also use MQC together with mls qos. This is useful when you need to differentiate several kinds
of traffic on VLAN 100 and mark them differently.

ip access-list ext ACL_HTTP
 permit tcp any any eq www
ip access-list ext ACL_TELNET
 permit tcp any any eq telnet

class-map CM_HTTP
 match access-group name ACL_HTTP
class-map CM_TELNET
 match access-group name ACL_TELNET

policy-map PM_QOS_MARKING
 class CM_HTTP
  set dscp cs1
 class CM_TELNET
  set dscp af41
 class class-default
  set dscp cs1

int f0/1
 switchport access vlan 100
 switchport voice vlan 200
 mls qos trust device cisco-phone
 service-policy input PM_QOS_MARKING

The above combination will trust the DSCP marking from the Cisco phone and mark any HTTP packets on
VLAN 100 as CS1, TELNET as CS3, and the rest as DSCP CS1. Note that the remaining packets are not
marked as CS0 as per the default COS value, because class-default inside PM_QOS_MARKING acts as a
catch-all. CS0 would be used only if there were no class-default inside PM_QOS_MARKING.

Also remember that in an earlier paragraph I showed that we cannot use an mls qos dscp command; the only
available marking is mls qos cos.

The moral of this DSCP/IP-PRECEDENCE/COS confusion is quite simple. It doesn’t really
matter which marking you trust: as long as the maps are correctly adjusted, the switch can use
both L2 and L3 markings.

Of course, it makes more sense to trust COS on trunk ports and DSCP/IP-Prec on non-trunk ports for
efficiency, but again it doesn’t really matter as long as the mapping is correctly adjusted.

As another example, on an L2 switch you can trust DSCP (instead of COS) on the ingress trunk from the
dot1q WAN router interface. The reason is simply that packets from the WAN don’t have any
COS value in them.

This is it so far for Marking and Classification.
