Catalyst 6500 Series Software Configuration Guide, 5.5
Configuring Quality of Service
Download this chapter
Configuring Quality of ServiceConfiguring Quality of Service
give_us_feedback

Table Of Contents

Configuring Quality of Service

Understanding How QoS Works

Definitions

Flowcharts

QoS Feature Set Summary

Ethernet Ingress Port Features

Layer 3 Switching Engine Features

Layer 2 Switching Engine Features

Ethernet Egress Port Features

Single-Port ATM OC-12 Switching Module Features

Multilayer Switch Feature Card

Ethernet Ingress Port Marking, Scheduling, Congestion Avoidance, and Classification

Marking at Untrusted Ports

Marking at Trusted Ports

Ethernet Ingress Port Scheduling and Congestion Avoidance

Receive Queues

Scheduling

Congestion Avoidance

Ethernet Ingress Port Classification Features with a Layer 3 Switching Engine

Classification, Marking, and Policing with a Layer 3 Switching Engine

Internal DSCP Values

ACLs

Named ACLs

Default ACLs

Marking Rules

Policing Rules

Attaching ACLs

Final Layer 3 Switching Engine CoS and ToS Values

Classification and Marking with a Layer 2 Switching Engine

Ethernet Egress Port Scheduling, Congestion Avoidance, and Marking

Transmit Queues

Scheduling

Congestion Avoidance on Dual Transmit Queue Ports

Congestion Avoidance on Triple Transmit Queue Ports

Marking

QoS Default Configuration

Configuring QoS

Enabling QoS

Enabling Port-Based or VLAN-Based QoS

Configuring the Trust State of a Port

Configuring the CoS Value for a Port

Creating Policing Rules

Deleting Policing Rules

Creating or Modifying ACLs

ACL Names

ACE Name, Marking Rule, Policing, and Filtering Syntax

Named IP ACLs

Default IP ACL

Named IPX ACLs

Named MAC ACLs

Default IPX and MAC ACLs

Deleting Named ACLs

Reverting to Default Values in Default ACLs

Discarding Uncommitted ACLs

Committing ACLs

Attaching ACLs to Interfaces

Detaching ACLs from Interfaces

Mapping a CoS Value to a Host Destination MAC Address/VLAN Pair

Deleting a CoS Value to a Host Destination MAC Address/VLAN Pair

Enabling Microflow Policing of Nonrouted Traffic

Disabling Microflow Policing of Nonrouted Traffic

Configuring Receive Queue Tail-Drop Thresholds

Configuring Dual Transmit Queue Tail-Drop Thresholds

Configuring Triple Transmit Queue WRED Drop Thresholds

Allocating Bandwidth Between Transmit Queues

Configuring the Transmit Queue Size Ratio

Mapping CoS Values to Drop Thresholds

Configuring Single-Receive, Dual-Transmit Queue Ports

Clearing Single-Receive, Dual-Transmit Queue Ports

Configuring Dual-Receive, Triple-Transmit Queue Ports

Clearing Dual-Receive, Triple-Transmit Queue Ports

Configuring DSCP Value Maps

Mapping CoS Values to DSCP Values

Mapping IP Precedence Values to DSCP Values

Mapping DSCP Values to CoS Values

Mapping DSCP Markdown Values

Displaying QoS Information

Displaying QoS Statistics

Reverting to QoS Defaults

Disabling QoS

Configuring COPS-DS Support

Port ASICs

Understanding QoS Policy

Selecting COPS-DS as the QoS Policy Source

Selecting Locally Configured QoS Policy

Enabling Use of Locally Configured QoS Policy

Configuring Port Roles

Removing Roles From Port ASICs

Deleting Roles

Configuring Policy Decision Point Servers

Deleting PDP Server Configuration

Configuring the COPS-DS Domain Name

Deleting the COPS-DS Domain Name

Configuring the COPS-DS Communications Parameters

Configuring RSVP Support

Enabling RSVP Support

Disabling RSVP Support

Enabling Participation in the DSBM Election

Disabling Participation in the DSBM Election

Configuring Policy Decision Point Servers

Deleting PDP Server Configuration

Configuring RSVP Policy Timeout

Configuring RSVP Use of Local Policy


Configuring Quality of Service

This chapter describes how to configure the quality of service (QoS) feature on the Catalyst 6000 family switches.

Note For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 6000 and 6500 Series Command Reference publication.

This chapter consists of these sections:

Understanding How QoS Works

QoS Default Configuration

Configuring QoS

Note You can configure QoS using SNMP, Common Open Policy Service for Differentiated Services (COPS-DS) protocol (and through COPS-DS, Resource ReSerVation Protocol [RSVP] null service template and receiver proxy functionality), and the command-line interface (CLI). This chapter describes QoS configuration using the CLI, including the configuration required to support COPS-DS (see the "Configuring COPS-DS Support" section) and RSVP (see the "Configuring RSVP Support" section). COPS-DS can configure QoS only for IP traffic. Use the CLI or SNMP to configure QoS for all other traffic.

Understanding How QoS Works

NoteThroughout this publication and all Catalyst 6500 series documents, the term "QoS" refers to the QoS feature as implemented on the Catalyst 6500 series.

Supervisor Engine 1 provides policing only for ingress traffic.

Typically, networks operate on a best-effort delivery basis, which means that all traffic has equal priority and an equal chance of being delivered in a timely manner. When congestion occurs, all traffic has an equal chance of being dropped.

The QoS feature on the Catalyst 6000 family switches selects network traffic, prioritizes it according to its relative importance, and provides priority-indexed treatment through congestion avoidance techniques. Implementing QoS in your network makes network performance more predictable and bandwidth utilization more effective.

There are three ways to configure QoS on the Catalyst 6000 family switches:

Port QoS configuration—Gives the same treatment to all traffic received through a port

QoS access control lists (ACLs)—Applies specific QoS parameters to received network traffic that matches the selection criteria in the ACLs

Note For information on configuring and storing ACLs in Flash memory instead of NVRAM, refer to the Multilayer Switch Feature Card and Policy Feature Card Configuration Guide.

A combination of port configuration and ACLs

QoS sets Layer 2 and Layer 3 values in network traffic to a configured value or to a value based on received Layer 2 or Layer 3 values. IP traffic retains the Layer 3 value when it leaves the switch.

Note On the Catalyst 6000 family switches, queue architecture and QoS queuing features such as Weighted-Round Robin (WRR) and Weighted Random Early Detection (WRED) are implemented with a fixed configuration in Application Specific Integrated Circuits (ASICs); they cannot be reconfigured to different queue structures or different dequeuing methods.

These sections describe QoS:

Definitions

Flowcharts

QoS Feature Set Summary

Ethernet Ingress Port Marking, Scheduling, Congestion Avoidance, and Classification

Classification, Marking, and Policing with a Layer 3 Switching Engine

Classification and Marking with a Layer 2 Switching Engine

Ethernet Egress Port Scheduling, Congestion Avoidance, and Marking

Definitions

This section defines some QoS terminology.

Packets carry traffic at Layer 3.

Frames carry traffic at Layer 2. Layer 2 frames carry Layer 3 packets.

Labels are prioritization values carried in packets and frames:

Layer 2 class of service (CoS) values, which range between zero for low priority and seven for high priority:

Layer 2 Inter-Switch Link (ISL) frame headers have a 1-byte User field that carries an IEEE 802.1p CoS value in the three least significant bits.

Layer 2 802.1Q frame headers have a 2-byte Tag Control Information field that carries the CoS value in the three most significant bits, which are called the User Priority bits.

Other frame types cannot carry CoS values.

Note On ports configured as ISL trunks, all traffic is in ISL frames. On ports configured as 802.1Q trunks, all traffic is in 802.1Q frames except for traffic in the native VLAN.

Layer 3 IP precedence values—The IP version 4 specification defines the three most significant bits of the 1-byte Type of Service (ToS) field as IP precedence. IP precedence values range between zero for low priority and seven for high priority.

Layer 3 differentiated services code point (DSCP) values—The Internet Engineering Task Force (IETF) defines the six most significant bits of the 1-byte ToS field as the DSCP. The priority represented by a particular DSCP value is configurable. DSCP values range between 0 and 63 (for more information, see the "Configuring DSCP Value Maps" section).

Note Layer 3 IP packets can carry either an IP precedence value or a DSCP value. QoS supports the use of either value, because DSCP values can be set equal to IP precedence values (see Table 35-1).

Table 35-1 IP Precedence and DSCP Values

3-bit IP
Precedence
6 MSb of ToS
6-bit
DSCP
 
3-bit IP
Precedence
6 MSb of ToS
6-bit
DSCP
8
7
6
 
5
4
3
8
7
6
 
5
4
3

0

0
0
0
0
0
0
0
0

0
0
0
0
0
0
0
0

0
0
0
0
0
0
0
0

 

0
0
0
0
1
1
1
1

0
0
1
1
0
0
1
1

0
1
0
1
0
1
0
1

 0
 1
 2
 3
 4
 5
 6
 7

 

4

1
1
1
1
1
1
1
1

0
0
0
0
0
0
0
0

0
0
0
0
0
0
0
0

 

0
0
0
0
1
1
1
1

0
0
1
1
0
0
1
1

0
1
0
1
0
1
0
1

32
33
34
35
36
37
38
39

1

0
0
0
0
0
0
0
0

0
0
0
0
0
0
0
0

1
1
1
1
1
1
1
1

 

0
0
0
0
1
1
1
1

0
0
1
1
0
0
1
1

0
1
0
1
0
1
0
1

 8
 9
10
11
12
13
14
15

 

5

1
1
1
1
1
1
1
1

0
0
0
0
0
0
0
0

1
1
1
1
1
1
1
1

 

0
0
0
0
1
1
1
1

0
0
1
1
0
0
1
1

0
1
0
1
0
1
0
1

40
41
42
43
44
45
46
47

2

0
0
0
0
0
0
0
0

1
1
1
1
1
1
1
1

0
0
0
0
0
0
0
0

 

0
0
0
0
1
1
1
1

0
0
1
1
0
0
1
1

0
1
0
1
0
1
0
1

16
17
18
19
20
21
22
23

 

6

1
1
1
1
1
1
1
1

1
1
1
1
1
1
1
1

0
0
0
0
0
0
0
0

 

0
0
0
0
1
1
1
1

0
0
1
1
0
0
1
1

0
1
0
1
0
1
0
1

48
49
50
51
52
53
54
55

3

0
0
0
0
0
0
0
0

1
1
1
1
1
1
1
1

1
1
1
1
1
1
1
1

 

0
0
0
0
1
1
1
1

0
0
1
1
0
0
1
1

0
1
0
1
0
1
0
1

24
25
26
27
28
29
30
31

 

7

1
1
1
1
1
1
1
1

1
1
1
1
1
1
1
1

1
1
1
1
1
1
1
1

 

0
0
0
0
1
1
1
1

0
0
1
1
0
0
1
1

0
1
0
1
0
1
0
1

56
57
58
59
60
61
62
63


Classification is the selection of traffic to be marked.

Marking, according to RFC 2475, is the process of setting a Layer 3 DSCP value in a packet; in this publication, the definition of marking is extended to include setting Layer 2 CoS values.

Scheduling is the assignment of traffic to a queue. QoS assigns traffic based on CoS values.

Congestion avoidance is the process by which QoS reserves ingress and egress port capacity for traffic with high-priority CoS values. QoS implements congestion avoidance with CoS value-based drop thresholds. A drop threshold is the percentage of buffer utilization at which traffic with a specified CoS value is dropped, leaving the buffer available for traffic with higher-priority CoS values.

Policing is the process by which the switch limits the bandwidth consumed by a flow of traffic. Policing can mark or drop traffic.

Flowcharts

Figure 35-1 illustrates traffic flow through the QoS features; Figure 35-2 through Figure 35-7 show more details of the traffic flow through QoS features.

Figure 35-1 Traffic Flow Through QoS Features

Note Traffic that is Layer 3 switched does not go through the Multilayer Switch Feature Card (MSFC) and retains the CoS value assigned by the Layer 3 switching engine.

Figure 35-2 Ethernet ingress Port Classification, Marking, Scheduling, and Congestion Avoidance

Note Enter a show port capabilities command to see the queue structure of a port (for more information, see the "Receive Queues" section).

Figure 35-3 Layer 3 Switching Engine Classification, Marking, and Policing

Figure 35-4 Layer 2 Switching Engine Classification and Marking

Figure 35-5 Multilayer Switch Feature Card Marking

Figure 35-6 Ethernet Egress Port Scheduling, Congestion Avoidance, and Marking

Note Enter a show port capabilities command to see the queue structure of a port (for more information, see the "Transmit Queues" section).

Figure 35-7 Single-Port ATM OC-12 Switching Module Marking

QoS Feature Set Summary

The QoS feature set on your switch is determined by which switching engine daughter card is installed on the supervisor engine. Enter a show module command for the supervisor engine to determine which switching engine is installed in your switch. The display shows the "Sub-Type" to be one of the following:

Layer 3 switching engine WS-F6K-PFC (Policy Feature Card or PFC)

Layer 2 switching engine II WS-F6020A

Layer 2 switching engine I WS-F6020

Note The two Layer 2 switching engines support the same QoS feature set.

Ethernet Ingress Port Features

With any switching engine, QoS supports classification, marking, scheduling, and congestion avoidance using Layer 2 CoS values at Ethernet ingress ports. Classification, marking, scheduling, and congestion avoidance at Ethernet ingress ports do not use or set Layer 3 IP precedence or DSCP values. With a Layer 3 switching engine, you can configure Ethernet ingress port trust states that can be used by the switching engine to set Layer 3 IP precedence or DSCP values and the Layer 2 CoS value. For more information, see the "Ethernet Ingress Port Marking, Scheduling, Congestion Avoidance, and Classification" section.

Layer 3 Switching Engine Features

With a Layer 3 switching engine, QoS supports classification, marking, and policing using IP, IPX, and MAC access control lists (ACLs). ACLs contain access control entries (ACEs) that specify Layer 2, 3, and 4 classification criteria, a marking rule, and policing rules. Marking sets the Layer 3 IP precedence or DSCP values and the Layer 2 CoS value to either received or configured Layer 2 or Layer 3 values. Policing uses bandwidth limits to either drop or mark nonconforming traffic. For more information, see the "Classification, Marking, and Policing with a Layer 3 Switching Engine" section.

Note During processing, a Layer 3 switching engine associates a DSCP value with all traffic, including non-IP traffic (for more information, see the "Internal DSCP Values" section).

Layer 2 Switching Engine Features

With a Layer 2 switching engine, QoS supports classification using Layer 2 destination MAC addresses and VLANs and marking using Layer 2 CoS values. Classification and marking with a Layer 2 switching engine do not use or set Layer 3 IP precedence or DSCP values. For more information, see the "Classification and Marking with a Layer 2 Switching Engine" section.

Ethernet Egress Port Features

With any switching engine, QoS supports Ethernet egress port scheduling and congestion avoidance using Layer 2 CoS values. Ethernet egress port marking sets Layer 2 CoS values and, with a Layer 3 switching engine, Layer 3 DSCP values. For more information, see the "Ethernet Egress Port Scheduling, Congestion Avoidance, and Marking" section.

Single-Port ATM OC-12 Switching Module Features

The ingress interface from a single-port ATM OC-12 switching module is untrusted and QoS sets CoS to zero in all traffic received from it. With a Layer 3 switching engine, QoS can mark IP traffic transmitted to a single-port ATM OC-12 switching module with Layer 3 DSCP values.

Multilayer Switch Feature Card

QoS marks IP traffic transmitted to an MSFC with Layer 3 DSCP values. CoS is zero in all traffic sent from an MSFC to egress ports.

Note Traffic that is Layer 3 switched does not go through the MFSC and retains the CoS value assigned by the Layer 3 switching engine.

Ethernet Ingress Port Marking, Scheduling, Congestion Avoidance, and Classification

The trust state of an Ethernet port determines how it marks, schedules, and classifies received traffic, and whether or not congestion avoidance is implemented. You can configure the trust state of each port with one of these keywords:

untrusted (default)

trust-ipprec (Layer 3 switching engine only—not supported on 1q4t ports except Gigabit Ethernet)

trust-dscp (Layer 3 switching engine only—not supported on 1q4t ports except Gigabit Ethernet)

trust-cos

Note1q4t ports (except Gigabit Ethernet) do not support the trust-ipprec and trust-dscp port keywords. You must configure a trust-ipprec or trust-dscp ACL that matches the ingress traffic to apply the trust-ipprec or trust-dscp trust state.

On 1q4t ports (except Gigabit Ethernet), the trust-cos port keyword displays an error message, activates receive queue drop thresholds, and—as indicated by the error message—does not apply the trust-cos trust state to traffic. You must configure a trust-cos ACL that matches the ingress traffic to apply the trust-cos trust state.

For more information, see the "Configuring the Trust State of a Port" section.

Note In addition to the port configuration keywords listed above, QoS uses trust-ipprec, trust-dscp, and trust-cos ACE keywords. Do not confuse the ACE keywords with the port keywords.

Ports configured with the untrusted keyword are called untrusted ports. Ports configured with the trust-ipprec, trust-dscp, or trust-cos keywords are called trusted ports. QoS implements ingress port congestion avoidance only on ports configured with the trust-cos keyword.

Note Ingress port marking, scheduling, and congestion avoidance use Layer 2 CoS values. Ingress port marking, scheduling, and congestion avoidance do not use or set Layer 3 IP precedence or DSCP values.

Marking at Untrusted Ports

With either a Layer 2 switching engine or a Layer 3 switching engine, QoS marks all frames received through untrusted ports with the port CoS value (the default is zero). QoS does not implement ingress port congestion avoidance on untrusted ports: the traffic goes directly to the switching engine.

Marking at Trusted Ports

When an ISL frame enters the switch through a trusted port, QoS accepts the three least significant bits in the User field as a CoS value. When an 802.1Q frame enters the switch through a trusted port, QoS accepts the User Priority bits as a CoS value. QoS marks all traffic received in other frame types with the port CoS value.

Note The port CoS value is configurable for each Ethernet port (for more information, see the "Configuring the CoS Value for a Port" section).

Ethernet Ingress Port Scheduling and Congestion Avoidance

Note QoS does not implement ingress port congestion avoidance on ports configured with the untrusted, trust-ipprec, or trust-dscp keywords: the traffic goes directly to the switching engine.

QoS uses CoS-value-based receive queue drop thresholds to avoid congestion in traffic entering the switch through a port configured with the trust-cos keyword (for more information, see the "Configuring the Trust State of a Port" section).

Receive Queues

Note Ethernet ports have either single or dual receive queues. Enter a show port capabilities command to see the queue structure of a port. The command displays rx-(1q4t) for single-receive-queue ports (1q4t indicates one standard queue with four thresholds). The command displays rx-(1p1q4t) for dual-receive-queue ports (1p1q4t indicates one strict-priority queue and one standard queue with four thresholds).

Strict-priority queues are serviced in preference to other queues. QoS services traffic in a strict-priority queue before servicing the standard queue. When QoS services the standard queue, after receiving a packet, it checks for traffic in the strict-priority queue. If QoS detects traffic in the strict-priority queue, it suspends its service of the standard queue and completes service of all traffic in the strict-priority queue before returning to the standard queue.

Scheduling

QoS schedules traffic through the receive queues based on CoS values. In the dual-receive-queue default configuration, QoS assigns all traffic with CoS 5 to the strict priority queue; QoS assigns all other traffic to the standard queue. In the single-receive-queue default configuration, QoS assigns all traffic to the standard queue.

Congestion Avoidance

If a port is configured with the trust-cos keyword, QoS implements CoS-value-based receive drop thresholds to avoid congestion in received traffic.

Ports with a single receive queue have this default drop threshold configuration:

Using receive queue drop threshold 1, the switch drops incoming frames with CoS 0 or 1 when the receive queue buffer is 50 percent or more full.

Using receive queue drop threshold 2, the switch drops incoming frames with CoS 2 or 3 when the receive queue buffer is 60 percent or more full.

Using receive queue drop threshold 3, the switch drops incoming frames with CoS 4 or 5 when the receive queue buffer is 80 percent or more full.

Using receive queue drop threshold 4, the switch drops incoming frames with CoS 6 or 7 when the receive queue buffer is 100 percent full.

Ports with dual receive queues have this default drop threshold configuration:

Frames with CoS 0, 1, 2, 3, 4, 6, or 7 go to the standard receive queue.

Using standard receive queue drop threshold 1, the switch drops incoming frames with CoS 0 or 1 when the receive queue buffer is 50 percent or more full.

Using standard receive queue drop threshold 2, the switch drops incoming frames with CoS 2 or 3 when the receive queue buffer is 60 percent or more full.

Using standard receive queue drop threshold 3, the switch drops incoming frames with CoS 4 when the receive queue buffer is 80 percent or more full.

Using standard receive queue drop threshold 4, the switch drops incoming frames with CoS 6 or 7 when the receive queue buffer is 100 percent full.

Frames with CoS 5 go to the strict-priority receive queue (queue 2), where the switch drops incoming frames only when the strict-priority receive queue buffer is 100 percent full.

Note The explanations in this section use default values. You can configure many of the parameters (for more information, see the "Configuring QoS" section). All ports of the same type use the same drop threshold configuration.

Figure 35-8 illustrates the drop thresholds for a port with a single receive queue. Drop thresholds in other configurations function similarly.

Figure 35-8 Receive Queue Drop Thresholds

Ethernet Ingress Port Classification Features with a Layer 3 Switching Engine

You can use the untrusted, trust-ipprec, trust-dscp, and trust-cos port keywords to classify traffic on a per-port basis for a Layer 3 switching engine to mark.

Note In addition to per-port classification, you can create ACEs that classify traffic on a per-packet basis (for IP and IPX traffic, see the "Named IP ACLs" section and the "Named IPX ACLs" section) or on a per-frame basis (for other traffic, see the "Named MAC ACLs" section), regardless of the port configuration (see the "Marking Rules" section).

For a Layer 3 switching engine to mark traffic in response to per-port classification, the traffic must match an ACE that contains the dscp ACE keyword (see the "Marking Rules" section). Table 35-2 lists the per-port classifications and the marking rules that they invoke.

Table 35-2 Marking Based on Per-Port Classification

Port Keyword
ACE Keyword
Marking Rule

untrusted

dscp

Set DSCP as specified in the ACE.

trust-ipprec

dscp

For IP traffic, set DSCP from the received Layer 3 IP precedence value.

For other traffic, set DSCP from the received or port Layer 2 CoS value.

trust-dscp

dscp

For IP traffic, set DSCP from the received Layer 3 DSCP value.

For other traffic, set DSCP from the received or port Layer 2 CoS value.

trust-cos

dscp

Set DSCP from the received or port Layer 2 CoS value.


QoS uses configurable mapping tables to set DSCP, which is a 6-bit value, from CoS and IP precedence, which are 3-bit values (for more information, see the "Internal DSCP Values" section and the "Configuring DSCP Value Maps" section).

Classification, Marking, and Policing with a Layer 3 Switching Engine

Note With a Layer 3 switching engine, the Catalyst 6000 family switches provide QoS only for the Ethertype field values shown in Table 35-3 in the following frame types: Ethernet_II, Ethernet_802.3, Ethernet_802.2, and Ethernet_SNAP.

These sections describe classification, marking, and policing with a Layer 3 switching engine:

Internal DSCP Values

ACLs

Named ACLs

Default ACLs

Marking Rules

Policing Rules

Attaching ACLs

Final Layer 3 Switching Engine CoS and ToS Values

Note Classification with a Layer 3 switching engine uses Layer 2, 3, and 4 values. Marking with a Layer 3 switching engine uses Layer 2 CoS values and Layer 3 IP precedence or DSCP values.

Internal DSCP Values

During processing, a Layer 3 switching engine represents the priority of all traffic (including non-IP traffic) with a DSCP value. QoS uses configurable mapping tables to derive DSCP, which is a 6-bit value, from CoS or IP precedence, which are 3-bit values (for more information, see the "Mapping CoS Values to DSCP Values" section and the "Mapping IP Precedence Values to DSCP Values" section).

When traffic leaves a Layer 3 switching engine, QoS uses a configurable mapping table to derive a CoS value from the DSCP value associated with traffic (see the "Mapping DSCP Values to CoS Values" section). For IP traffic, QoS sends the internal DSCP value to Ethernet egress ports to be written into IP packets. QoS sends the CoS value to Ethernet egress ports and ATM modules for use in scheduling and to be written into ISL and 802.1Q frames.

For trust-dscp and trust-ipprec IP traffic, QoS creates a ToS byte from the 6-bit DSCP value (which may equal an IP precedence value) plus the original 2 least-significant bits from the received ToS byte and sends it to the egress port to be written into IP packets.

ACLs

On a Layer 3 switching engine, QoS uses ACLs that contain ACEs. The ACEs specify classification criteria, a marking rule, and policing rules. QoS compares received traffic to the ACEs in ACLs until a match occurs. When the traffic matches the classification criteria in an ACE, QoS marks and polices the packet as specified in the ACE and makes no further comparisons.

A Layer 3 switching engine supports up to 250 ACLs and a combined total (all ACEs in all ACLs) of up to approximately 8,000 ACEs (other features configured on the switch may decrease the space available to store ACEs).

There are three ACL types: IP, IPX, and MAC. QoS compares traffic of each type (IP, IPX, and MAC) only to the corresponding ACL type (see Table 35-3).

Table 35-3 Supported Ethertype Field Values

ACL Type
Ethertype Field Value
Protocol

IP

0x0800

IP

IPX

0x8137 and 0x8138

IPX

MAC

0x0600 and 0x0601

XNS

0x0BAD and 0x0BAF

Banyan VINES

0x6000-0x6009 and 0x8038-0x8042

DECnet

0x809b and 0x80f3

AppleTalk


QoS supports user-created named ACLs, each containing an ordered list of ACEs, and user-configurable default ACLs, each containing a single ACE.

Named ACLs

You create a named ACL when you enter an ACE with a new ACL name. You add an ACE to an existing ACL when you enter an ACE with the name of the existing ACL.

You can specify the classification criteria for each ACE in a named ACL. The classification criteria can be specific values or wildcards (for more information, see the "Creating or Modifying ACLs" section).

These sections describe the classification criteria that can be specified in a named ACL:

IP ACE Layer 3 Classification Criteria

IP ACE Layer 4 Protocol Classification Criteria

IP ACE Layer 4 TCP Classification Criteria

IP ACE Layer 4 UDP Classification Criteria

IP ACE Layer 4 ICMP Classification Criteria

IP ACE Layer 4 IGMP Classification Criteria

IPX ACE Classification Criteria

MAC ACE Layer 2 Classification Criteria

Note QoS does not support Internet Group Management Protocol (IGMP) traffic when IGMP snooping is enabled.

IP ACE Layer 3 Classification Criteria

You can create IP ACEs that match traffic with specific Layer 3 values by including these Layer 3 parameters (see the "Named IP ACLs" section):

IP source address and mask, entered as specific values or with the any keyword or with the host keyword and a host address.

IP destination address and mask, entered as specific values or with the any keyword or with the host keyword and a host address.

DSCP value (0-63) or IP precedence specified with a numeric value (0-7) or these keywords:

Network (IP precedence 7)

Internet (IP precedence 6)

Critical (IP precedence 5)

Flash-override (IP precedence 4)

Flash (IP precedence 3)

Immediate (IP precedence 2)

Priority (IP precedence 1)

Routine (IP precedence 0)

Note IP ACEs that do not include a DSCP or IP precedence value parameter match all DSCP or IP precedence values.

IP ACE Layer 4 Protocol Classification Criteria

You can create IP ACEs that match specific Layer 4 protocol traffic by including a Layer 4 protocol parameter (see the "IP ACLs for Other Layer 4 Protocols" section). You can specify the protocol numerically (0-255) or with these keywords: ahp (51), eigrp (88), esp (50), gre (47), igrp (9), icmp (1), igmp (2), igrp (9), ip (0), ipinip (4), nos (94), ospf (89), pcp (108), pim (103), tcp (6), or udp (17).

Note IP ACEs that do not include a Layer 4 protocol parameter or that include the ip keyword match all IP traffic.

IP ACE Layer 4 TCP Classification Criteria

You can create Transmission Control Protocol (TCP) ACEs that match traffic for specific TCP ports by including TCP source and/or destination port parameters (for more information, see the "IP ACEs for TCP Traffic" section). You can specify TCP port parameters numerically (0-65535) or with these keywords:

Keyword
Port
 
Keyword
Port
 
Keyword
Port
 
Keyword
Port

bgp

179

 

ftp

21

 

lpd

515

 

telnet

23

chargen

19

ftp-data

20

nntp

119

time

37

daytime

13

gopher

70

pop2

109

uucp

540

discard

9

hostname

101

pop3

110

whois

43

domain

53

irc

194

smtp

25

www

80

echo

7

klogin

543

sunrpc

111

   

finger

79

kshell

544

tacacs

49

   

Note TCP ACEs that do not include a Layer 4 TCP port parameter match all TCP traffic.

IP ACE Layer 4 UDP Classification Criteria

You can create User Datagram Protocol (UDP) ACEs that match traffic for specific UDP source and/or destination ports by including UDP port parameters (for more information, see the "IP ACEs for UDP Traffic" section). You can specify UDP port parameters numerically (0-65535) or with these keywords:

Keyword
Port
 
Keyword
Port
 
Keyword
Port
 
Keyword
Port

biff

512

 

echo

7

 

rip

520

 

talk

517

bootpc

68

mobile-ip

434

snmp

161

tftp

69

bootps

67

nameserver

42

snmptrap

162

time

37

discard

9

netbios-dgm

138

sunrpc

111

who

513

dns

53

netbios-ns

137

syslog

514

xdmcp

177

dnsix

195

ntp

123

tacacs

49

   

Note UDP ACEs that do not include a Layer 4 UDP port parameter match all UDP traffic.

IP ACE Layer 4 ICMP Classification Criteria

You can create Internet Control Management Protocol (ICMP) ACEs that match traffic containing specific ICMP messages by including ICMP types and, optionally, ICMP codes (for more information, see the "IP ACEs for ICMP Traffic" section). You can specify ICMP types and codes numerically (0-255) or with these keywords:

Keyword
Type
Code
Keyword
Type
Code

administratively-prohibited

3

13

net-tos-unreachable

3

11

alternate-address1

6

net-unreachable

3

0

conversion-error

31

0

network-unknown

3

6

dod-host-prohibited

3

10

no-room-for-option

12

2

dod-net-prohibited

3

9

option-missing

12

1

echo

8

0

packet-too-big

3

4

echo-reply

0

0

parameter-problem

12

0

general-parameter-problem1

12

port-unreachable

3

3

host-isolated

3

8

precedence-unreachable

3

15

host-precedence-unreachable

3

14

protocol-unreachable

3

2

host-redirect

5

1

reassembly-timeout

11

1

host-tos-redirect

5

3

redirect1

5

host-tos-unreachable

3

12

router-advertisement

9

0

host-unknown

3

7

router-solicitation

10

0

host-unreachable

3

1

source-quench

4

0

information-reply

16

0

source-route-failed

3

5

information-request

15

0

time-exceeded1

11

mask-reply

18

0

timestamp-reply

14

0

mask-request

17

0

timestamp-request

13

0

mobile-redirect

32

0

traceroute

30

0

net-redirect

5

0

ttl-exceeded

11

0

net-tos-redirect

5

2

unreachable1

3

1 Matches all code values


Note ICMP ACEs with only a Layer 4 ICMP type parameter match all code values for that type value. ICMP ACEs that do not include any Layer 4 ICMP type and code parameters match all ICMP traffic.

IP ACE Layer 4 IGMP Classification Criteria

You can create IGMP ACEs that match traffic containing specific IGMP messages by including an IGMP type parameter (for more information, see the "IP ACEs for IGMP Traffic" section). You can specify the IGMP type numerically (0-255) or with these keywords: host-query (1), host-report (2), dvmrp (3), pim (4), or trace (5).

Note IGMP ACEs that do not include a Layer 4 IGMP type parameter match all IGMP traffic.

IPX ACE Classification Criteria

You can create IPX ACEs that match specific IPX traffic by including these parameters (for more information, see the "Named IPX ACLs" section):

IPX source network (-1 matches any network number)

Protocol, which can be specified numerically (0-255) or with these keywords: any, ncp (17), netbios (20), rip (1), sap (4), spx (5)

IPX ACEs support the following optional parameters:

IPX destination network (-1 matches any network number)

If you specify an IPX destination network, IPX ACEs support the following optional parameters: an IPX destination network mask (-1 matches any network number), an IPX destination node, and an IPX destination node mask

MAC ACE Layer 2 Classification Criteria

You can create MAC ACEs that match specific Ethernet traffic by including these Layer 2 parameters (for more information, see the "Named MAC ACLs" section):

Ethernet source and destination addresses and masks, entered as specific values or with the any keyword or with the host keyword and a host Ethernet address.

Optionally, an ethertype parameter from this list:

0x809B (or ethertalk)

0x80F3 (or aarp)

0x6001 (or dec-mop-dump)

0x6002 (or dec-mop-remote-console)

0x6003 (or dec-phase-iv)

0x6004 (or dec-lat)

0x6005 (or dec-diagnostic-protocol)

0x6007 (or dec-lavc-sca)

0x6008 (or dec-amber)

0x6009 (or dec-mumps)

0x8038 (or dec-lanbridge)

0x8039 (or dec-dsm)

0x8040 (or dec-netbios)

0x8041 (or dec-msdos)

&