-
Catalyst 3750 Metro Switch Software Configuration Guide, 12.2(25)SEG
-
Index
-
Preface
-
Overview
-
Using the Command-Line Interface
-
Assigning the Switch IP Address and Default Gateway
-
Clustering Switches
-
Configuring Cisco IOS CNS Agents
-
Administering the Switch
-
Configuring SDM Templates
-
Configuring Switch-Based Authentication
-
Configuring 802.1X Port-Based Authentication
-
Configuring Interface Characteristics
-
Configurint Smartports Macros
-
Configuring VLANs
-
Configuring VTP
-
Configuring Private VLANs
-
Configuring Voice VLAN
-
Configuring IEEE 802.1Q and Layer 2 Protocol Tunneling
-
Configuring STP
-
Configuring MSTP
-
Configuring Optional Spanning-Tree Features
-
Configuring Flex Links
-
Configuring DHCP Features and IP Source Guard
-
Configuring Dynamic ARP Inspection
-
Configuring IGMP Snooping and MVR
-
Configuring Port-Based Traffic Control
-
Configuring CDP
-
Configuring UDLD
-
Configuring SPAN and RSPAN
-
Configuring RMON
-
Configuring System Message Logging
-
Configuring SNMP
-
Configuring Network Security with ACLs
-
Configuring QoS
-
Configuring EtherChannels
-
Configuring IP Unicast Routing
-
Configuring HSRP
-
Configuring Ethernet CFM and E-LMI
-
Configuring MPLS and EoMPLS
-
Configuring IP Multicast Routing
-
Configuring MSDP
-
Configuring Fallback Bridging
-
Troubleshooting
-
Supported MIBs
-
Working with the Cisco IOS File System, Configuration Files, and Software Images
-
Unsupported Commands in Cisco IOS Release 12.2(25)SEG
-
Table Of Contents
Ingress Classification Based on QoS ACLs
Ingress Classification Based on Traffic Classes and Traffic Policies
Nonhierarchical Single-Level Policing
Hierarchical Dual-Level Policing on SVIs
Queueing and Scheduling Overview
Queueing and Scheduling of Ingress Queues
Queueing and Scheduling of Egress Queue-Sets
Understanding Hierarchical QoS
Hierarchical Classification Based on Traffic Classes and Traffic Policies
Hierarchical Policing and Marking
Queueing and Scheduling of Hierarchical Queues
Congestion-Management and Congestion-Avoidance Features
Generated Auto-QoS Configuration
Effects of Auto-QoS on the Configuration
Auto-QoS Configuration Guidelines
Upgrading from a Previous Software Release
Auto-QoS Configuration Example
Displaying Auto-QoS Information
Default Standard QoS Configuration
Default Ingress Queue Configuration
Default Egress Queue-Set Configuration
Default Mapping Table Configuration
Standard QoS Configuration Guidelines
Configuring Ingress Classification by Using Port Trust States
Configuring the Trust State on Ports Within the QoS Domain
Configuring the CoS Value for an Interface
Configuring a Trusted Boundary to Ensure Port Security
Enabling DSCP Transparency Mode
Configuring the DSCP Trust State on a Port Bordering Another QoS Domain
Configuring an Ingress QoS Policy
Classifying Ingress Traffic by Using ACLs
Classifying Ingress Traffic by Using Class Maps
Classifying, Policing, and Marking Ingress Traffic by Using Nonhierarchical Single-Level Policy Maps
Classifying, Policing, and Marking Traffic by Using Hierarchical Dual-Level Policy Maps
Classifying, Policing, and Marking Ingress Traffic by Using Aggregate Policers
Configuring the CoS-to-DSCP Map
Configuring the IP-Precedence-to-DSCP Map
Configuring the Policed-DSCP Map
Configuring the DSCP-to-CoS Map
Configuring the DSCP-to-DSCP-Mutation Map
Configuring Ingress Queue Characteristics
Mapping DSCP or CoS Values to an Ingress Queue and Setting WTD Thresholds
Allocating Buffer Space Between the Ingress Queues
Allocating Bandwidth Between the Ingress Queues
Configuring the Ingress Priority Queue
Configuring Egress Queue-Set Characteristics
Allocating Buffer Space to and Setting WTD Thresholds for an Egress Queue-Set
Mapping DSCP or CoS Values to an Egress Queue-Set and to a Threshold ID
Configuring SRR Shaped Weights on an Egress Queue-Set
Configuring SRR Shared Weights on an Egress Queue-Set
Configuring the Egress Priority Queue
Limiting the Egress Bandwidth on a Queue-Set
Displaying Standard QoS Information
Default Hierarchical QoS Configuration
Hierarchical QoS Configuration Guidelines
Configuring a Hierarchical QoS Policy
Classifying Traffic by Using Hierarchical Class Maps
Configuring a Hierarchical Two-Rate Traffic Policer
Configuring Class-Based Packet Marking in a Hierarchical Traffic Policy
Configuring CBWFQ and Tail Drop
Configuring CBWFQ and DSCP-Based WRED
Configuring CBWFQ and IP Precedence-Based WRED
Displaying Hierarchical QoS Information
Configuring QoS
This chapter describes how to use different methods to configure quality of service (QoS) on the Catalyst 3750 Metro switch. With QoS, you can provide preferential treatment to certain types of traffic traffic at the expense of others. Without QoS, the switch offers best-effort service to each packet, regardless of the packet contents or size. It sends the packets without any assurance of reliability, delay bounds, or throughput.
You can use auto-QoS to identify ports connected to Cisco IP Phones and to devices running the Cisco SoftPhone application. You also use the commands to identify ports that receive trusted voice over IP (VoIP) traffic.
You can use standard QoS to classify, police, mark, queue, and schedule inbound traffic on any port as well as queue and schedule outbound traffic. On ingress, standard QoS offers classification based on the class of service (CoS), Differentiated Services Code Point (DSCP), or IP precedence value in the inbound packet. You can perform the classification based on Layer 2 MAC, IP-standard, or IP-extended access control lists (ACLs). Standard QoS also offers nonhierarchical single-level policy maps and hierarchical dual-level on ingress. Drop policy actions are passing through the packet without modification, marking down the assigned DSCP in the packet, or dropping the packet. Standard QoS performs ingress queueing based on the weighted tail drop (WTD) algorithm and ingress scheduling based on shaped round robin (SRR). On egress, standard QoS offers queueing based on WTD and scheduling based on SRR shared or shaped weights. An egress priority queue is also offered.
Note
In the Catalyst 3750, 3560, and 2970 switch software documentation, single-level policy maps are referred to as nonhierarchical policy maps. Dual-level policy maps are referred to as hierarchical policy maps with two levels.
You can use hierarchical QoS to classify, police, mark, queue, and schedule inbound or outbound traffic on an enhanced-services (ES) port. Hierarchical QoS offers classification based on the CoS, DSCP, IP precedence, or the multiprotocol label switching (MPLS) experimental (EXP) bits in the packet. You also can classify a packet based on its VLAN. Hierarchical QoS offers two-rate traffic policing. Drop policy actions are passing the packet through without modification; marking down the CoS, DSCP, IP precedence, or the MPLS EXP bits in the packet; or dropping the packet. Hierarchical QoS performs queueing based on tail drop or Weighted Random Early Detection (WRED). The queue scheduling management feature is class-based weighted fair queueing (CBWFQ), and the scheduling congestion-management feature is low-latency queueing (LLQ). You can use traffic shaping to decrease the burstiness of traffic.
For information about multiprotocol label switching (MPLS), Ethernet over MPLS (EoMPLS), and QoS, see the "Configuring MPLS and EoMPLS QoS" section.
Note
This chapter consists of these sections:
•
•
•
•
QoS Overview
Typically, networks operate on a best-effort delivery basis, which means that all traffic has equal priority and an equal chance of being delivered in a timely manner. When congestion occurs, all traffic has an equal chance of being dropped.
When you configure the QoS feature, you can select specific network traffic, prioritize it according to its relative importance, and use congestion-management and congestion-avoidance techniques to provide preferential treatment. Implementing QoS in your network makes network performance more predictable and bandwidth utilization more effective.
The QoS implementation is based on the Differentiated Services (Diff-Serv) architecture, an emerging standard from the Internet Engineering Task Force (IETF). This architecture specifies that each packet is classified upon entry into the network.
The classification is carried in the IP packet header, using 6 bits from the deprecated IP type of service (ToS) field to carry the classification (class) information. Classification also can be carried in the Layer 2 frame. These special bits in the Layer 2 frame or in the Layer 3 packet are described here and shown in Figure 32-1:
•
Layer 2 Inter-Switch Link (ISL) frame headers have a 1-byte User field that carries an IEEE 802.1p CoS value in the three least-significant bits. On ports configured as Layer 2 ISL trunks, all traffic is in ISL frames.
Layer 2 802.1Q frame headers have a 2-byte Tag Control Information field that carries the CoS value in the three most-significant bits, which are called the User Priority bits. On ports configured as Layer 2 802.1Q trunks, all traffic is in 802.1Q frames except for traffic in the native VLAN.
Other frame types cannot carry Layer 2 CoS values.
Layer 2 CoS values range from 0 for low priority to 7 for high priority.
•
Layer 3 IP packets can carry either an IP precedence value or a DSCP value. QoS supports the use of either value because DSCP values are backward-compatible with IP precedence values.
IP precedence values range from 0 to 7.
DSCP values range from 0 to 63.
Figure 32-1 QoS Classification Layers in Frames and Packets
Note
All switches and routers that access the Internet rely on the class information to provide the same forwarding treatment to packets with the same class information and different treatment to packets with different class information. The class information in the packet can be assigned by end hosts or by switches or routers along the way, based on a configured policy, detailed examination of the packet, or both. Detailed examination of the packet is expected to happen closer to the edge of the network so that the core switches and routers are not overloaded with this task.
Switches and routers along the path can use the class information to limit the amount of resources allocated per traffic class. The behavior of an individual device when handling traffic in the DiffServ architecture is called per-hop behavior. If all devices along a path provide a consistent per-hop behavior, you can construct an end-to-end QoS solution.
Implementing QoS in your network can be a simple or complex task and depends on the QoS features offered by your internetworking devices, the traffic types and patterns in your network, and the granularity of control that you need over inbound and outbound traffic.
Basic QoS Model
Figure 32-2 shows the basic QoS model for traffic on all ports, including ES ports.
Figure 32-2 Basic QoS Model
To implement QoS, the switch must distinguish (classify) packets or flows from one another, assign a label to indicate the given quality of service as the packets move through the switch, make the packets comply with the configured resource usage limits (police and mark), and provide different treatment (queue and schedule) in all situations where resource contention exists. The switch also needs to ensure that the traffic it sends meets a specific traffic profile (shape).
These are the standard actions when traffic is received on any port:
•
•
•
•
•
These are the standard actions when traffic is sent to a standard port:
•
•
These are the additional actions when traffic is received on or sent to an ES port:
•
•
•
•
•
Understanding Standard QoS
Standard QoS involves standard ingress policies to classify, police, and mark traffic received on any port. Ingress queues prevent congestion by storing packets before forwarding them into the switch fabric. Egress queue-sets prevent congestion when multiple ingress ports simultaneously send packets to a port. You configure the ingress queues and the egress queue-sets for queueing and scheduling activities.
This section includes these topics:
•
Ingress Classification
Ingress classification distinguishes one kind of traffic from another by examining the fields in the packet upon receipt. Classification is enabled only if QoS is globally enabled on the switch. By default, QoS is globally disabled, so no classification occurs.
During ingress classification, the switch performs a lookup and assigns a QoS label to the packet. The QoS label identifies all QoS actions to be performed on the packet and from which queue the packet is sent.
The QoS label is based on the DSCP or the CoS value in the packet and decides the queueing and scheduling actions to perform on the packet. The label is mapped according to the trust setting and the packet type as shown in Figure 32-3.
You specify which fields in the frame or packet that you want to use to classify inbound traffic. For non-IP traffic, you have these ingress classification options as shown in Figure 32-3:
•
•
•
For IP traffic, you have these ingress classification options as shown in Figure 32-3:
•
For ports that are on the boundary between two QoS administrative domains, you can modify the DSCP to another value through the configurable DSCP-to-DSCP-mutation map.
•
•
•
For information on the maps described in this section, see the "Mapping Tables" section. For configuration information on port trust states, see the "Configuring Ingress Classification by Using Port Trust States" section.
You can configure classification through ACLs, traffic classes, and traffic policies. For more information, see the "Ingress Classification Based on QoS ACLs" section and the "Ingress Classification Based on Traffic Classes and Traffic Policies" section.
After ingress classification, the packet is sent to the policing, marking, and the ingress queueing and scheduling stages.
Figure 32-3 Ingress Classification Flowchart
Ingress Classification Based on QoS ACLs
You can use IP standard, IP extended, or Layer 2 MAC ACLs to define a group of packets with the same characteristics (class). In the QoS context, the permit and deny actions in the access control entries (ACEs) have different meanings than with security ACLs:
•
•
•
•
Note
After a traffic class is defined with the ACL, you can attach a policy to it. A policy might contain multiple classes with actions specified for each one of them. A policy might include commands to classify the class as a particular aggregate (for example, assign a DSCP) or to rate-limit the class. This ingress policy is then attached to a port.
You implement IP ACLs to classify IP traffic by using the access-list global configuration command; you implement Layer 2 MAC ACLs to classify non-IP traffic by using the mac access-list extended global configuration command. For configuration information, see the "Configuring an Ingress QoS Policy" section.
Ingress Classification Based on Traffic Classes and Traffic Policies
You define a traffic class to classify traffic, use a traffic policy to decide how to treat the classified traffic, and attach the ingress policy to a port to create a service policy.
You use the class map to define a specific traffic flow (or class) and to isolate it from all other traffic. The class map defines the criteria used to match against a specific traffic flow to further classify it. The criteria can include matching the access group defined by the ACL or matching a specific list of DSCP or IP precedence values. If you have more than one type of traffic that you want to classify, you can create another class map and use a different name.
You create a class map by using the class-map global configuration command. When you enter the class-map command, the switch enters the class-map configuration mode. In this mode, you define the match criterion for the traffic by using the match class-map configuration command. Inbound packets are checked against the match criteria configured for a class map to decide if the packet belongs to that class. If a packet matches the specified criteria, the packet is considered a member of the class and is forwarded according to the QoS specifications set in the traffic policy. If a packet fails to meet any of the matching criteria, it is classified as a member of the default traffic class if one is configured.
You use the policy map to create the traffic policy, to specify the traffic class to act on, and to configure the QoS features associated with the traffic class. Actions on ingress can include trusting the received CoS, DSCP, or IP precedence values in the traffic class; setting a specific DSCP or IP precedence value in the traffic class; or specifying the traffic bandwidth limitations and the action to take when the traffic is out of profile.
You create and name a policy map by using the policy-map global configuration command. When you enter this command, the switch enters the policy-map configuration mode. In this mode, you use the class policy-map configuration command to name the traffic class associated with the traffic policy. If you specify class-default as the class name in the class policy-map configuration command, packets that fail to meet any of the matching criteria are classified as members of the default traffic class. You can manipulate this class (for example, police it and mark it) just like any traffic class, but you cannot delete it. After you name the traffic class with the class command, the switch enters policy-map class configuration mode, and you can specify the actions to take on this traffic class.
An ingress policy map can include police, police aggregate, trust, or set policy-map class configuration commands. You attach the ingress policy map to a port by using the service-policy input interface configuration command.
In software releases earlier than Cisco IOS Release 12.2(25)EY, you can apply a nonhierarchical single-level policy map only to a physical port. In Cisco IOS Release 12.2(25)EY or later, you can apply the single-level policy map to a physical port, an SVI, or an ES port. However, a hierarchical dual-level policy map can only be applied to an SVI. The dual-level policy map contains two levels. The first level, the VLAN level, specifies the actions to be taken against a traffic flow on the SVI. The second level, the interface level, specifies the actions to be taken against the traffic on the physical ports that belong to the SVI. The interface-level actions are specified in the interface-level policy map. For more information, see the "Ingress Policing and Marking" section. For configuration information, see the "Configuring an Ingress QoS Policy" section.
Ingress Policing and Marking
After a packet is classified and has a DSCP-based or CoS-based QoS label assigned to it, the traffic policing and marking process can begin. Figure 32-4 shows an ingress, single-rate traffic policer. Figure 32-5 shows the ingress policing and marking process.
Ingress traffic policing controls the maximum rate of traffic received on a port. The policer defines the bandwidth limitations of the traffic, and the action to take if the limits are exceeded. It is often configured on ports at the edge of a network to limit traffic into or out of the network. In most policing configurations, traffic that falls within the rate parameters is sent. Traffic that exceeds the parameters is considered to be out of profile or nonconforming and is dropped or sent with a different priority.
Note
The switch supports nonhierarchical and hierarchical policing on ingress. Nonhierarchical single-level policing is supported on ingress standard physical ports, on ingress SVIs, and on ingress ES ports. Single-level policy maps have one level and support single-rate and aggregate policers.
You can attach nonhierarchical policies to ES ports, but if you attempt to put a hierarchical configuration such as a 3-rate, 2-color policer, within a nonhierarchical input service policy, you are not allowed to attach the service policy to the interface. You can match access groups on ES ports with a non-hierarchical policy.
Note
For more information, see the "Nonhierarchical Single-Level Policing" section.
Hierarchical policing is supported only on SVIs and ES ports.The switch supports these types of hierarchical policing:
•
•
Note
In software releases earlier than Cisco IOS Release 12.2(25)EY, you can configure only nonhierarchical single-level policing. You can configure the trust state, set a new DSCP or IP precedence value in the packet, or define an individual or aggregate policer in single-level policy maps.
In Cisco IOS Release 12.2(25)EY or later, you can configure hierarchical single-level policing on an ingress standard physical port, an SVI, or an ES port. You can also configure hierarchical dual-level policing per SVI. When configuring dual-level policing on an SVI, you can create a dual-level policy map and can define an individual policer only in the secondary interface-level policy map.
Note
Nonhierarchical Single-Level Policing
In nonhierarchical single-level policy maps on physical ports, you can create these types of policers:
You can create these types of ingress policers:
•
QoS applies the bandwidth limits specified in the policer separately to each matched traffic class. You can configure a single-rate policer within a policy map by using the police policy-map class configuration command.
•
QoS applies the bandwidth limits specified in an aggregate policer cumulatively to all matched traffic flows. You configure this type of policer by specifying the aggregate policer name within a policy map by using the police aggregate policy-map class configuration command. You specify the bandwidth limits of the policer by using the mls qos aggregate-policer global configuration command. In this way, the aggregate policer is shared by multiple classes of traffic within a policy map.
Note
A single-rate traffic policer decides on a packet-by-packet basis whether the packet is in or out of profile and specifies the actions on the packet. These actions, carried out by the marker, include passing through the packet without modification, dropping the packet, or modifying (marking down) the assigned DSCP of the packet and allowing the packet to pass through. The configurable policed-DSCP map provides the packet with a new DSCP-based QoS label. For information on the policed-DSCP map, see the "Mapping Tables" section. Marked-down packets use the same queues as the original QoS label to prevent packets in a flow from getting out of order.
Single-level policing uses a token-bucket algorithm. As each frame is received by the switch, a token is added to the bucket. The bucket has a hole in it and leaks at a rate that you specify as the average traffic rate in bps. Each time a token is added to the bucket, the switch verifies that there is enough room in the bucket. If there is not enough room, the packet is marked as nonconforming, and the specified policer action is taken (dropped or marked down).
How quickly the bucket fills is a function of the bucket depth (burst-byte), the rate at which the tokens are removed (rate-bps), and the duration of the burst above the average rate. The size of the bucket imposes an upper limit on the burst length and limits the number of frames that can be sent back-to-back. If the burst is short, the bucket does not overflow, and no action is taken against the traffic flow. However, if a burst is long and at a higher rate, the bucket overflows, and the policing actions are taken against the frames in that burst.
You configure the bucket depth (the maximum burst that is tolerated before the bucket overflows) by using the burst-byte option of the police policy-map class configuration command or the mls qos aggregate-policer global configuration command. You configure how fast (the average rate) that the tokens are removed from the bucket by using the rate-bps option of the police policy-map class configuration command or the mls qos aggregate-policer global configuration command.
After you configure the policy map and policing actions, attach the ingress policy to a port by using the service-policy input interface configuration command. For configuration information, see the "Classifying, Policing, and Marking Ingress Traffic by Using Nonhierarchical Single-Level Policy Maps" section and the "Classifying, Policing, and Marking Ingress Traffic by Using Aggregate Policers" section.
Figure 32-4 shows the policing and marking process when these types of policy maps are configured:
•
•
Figure 32-4 Ingress, Nonhierarchical Single-Level Policing and Marking Flowchart
Hierarchical Dual-Level Policing on SVIs
Note
A dual-level policy map has two levels. The first level, the VLAN level, specifies the actions to be taken against a traffic flow on an SVI. The second level, the interface level, specifies the actions to be taken against the traffic on the physical ports that belong to the SVI and are specified in the interface-level policy map.
When configuring policing on an SVI, you can create and configure a hierarchical policy map with these two levels:
•
Note
•
See the "Classifying, Policing, and Marking Traffic by Using Hierarchical Dual-Level Policy Maps" section for an example of a dual-level policy map.
Figure 32-5 shows the policing and marking process when hierarchical dual-level policy maps are attached to an SVI.
Figure 32-5 Ingress Hierarchical Dual-Level Policing and Marking Flowchart on SVIs
Mapping Tables
During QoS ingress processing, the switch represents the priority of all traffic (including non-IP traffic) with an QoS label based on the DSCP or CoS value from the classification stage:
•
On an ingress port configured in the DSCP-trusted state, if the DSCP values are different between the QoS domains, you can apply the configurable DSCP-to-DSCP-mutation map to the port that is on the boundary between the two QoS domains. You configure this map by using the mls qos map dscp-mutation global configuration command.
•
•
The CoS-to-DSCP, DSCP-to-CoS, and the IP-precedence-to-DSCP maps have default values that might or might not be appropriate for your network.
The default DSCP-to-DSCP-mutation map and the default policed-DSCP map are null maps; they map an inbound DSCP value to the same DSCP value. The DSCP-to-DSCP-mutation map is the only map you apply to a specific port. All other maps apply to the entire switch.
For configuration information, see the "Configuring DSCP Maps" section.
For information about the DSCP and CoS input queue threshold maps, see the "Queueing and Scheduling of Ingress Queues" section. For information about the DSCP and CoS output queue threshold maps, see the "Queueing and Scheduling of Egress Queue-Sets" section.
Queueing and Scheduling Overview
The switch has queues at specific points to help prevent congestion, as shown in Figure 32-6. Figure 32-6 shows the ingress and egress queues for traffic on all ports, including ES ports.
Figure 32-6 Ingress and Egress Queue Locations
Because the total ingress bandwidth of all ports can exceed the bandwidth of the internal ring, ingress queues are located after the packet is classified, policed, and marked and before packets are forwarded into the switch fabric. Because multiple ingress ports can simultaneously send packets to an egress port and cause congestion, egress queue-sets are located after the internal ring.
Each port belongs to an egress queue-set, which defines all the characteristics of the four queues per port. The ES ports also use a hierarchical queueing model in which each packet is assigned to a hierarchical queue based on the physical interface, VLAN, or class. Traffic received from or destined for an ES port passes through the queue-set. If congestion occurs in the hierarchical queues and backs up to the queue-sets, the queue-set configuration controls how traffic is dropped.
Ingress queues use WTD for congestion management. The egress queue-sets also use WTD. For more information, see the next section.
Ingress queues support SRR in shared mode for scheduling. The egress queue-sets also support SRR in shared or shaped mode for scheduling. For more information, see the "SRR Shaping and Sharing" section.
For information about ingress queueing and scheduling, see the "Queueing and Scheduling of Ingress Queues" section. For information about egress queue-set queueing and scheduling, see the "Queueing and Scheduling of Egress Queue-Sets" section.
The hierarchical queues for ES ports use tail drop or WRED for congestion management. These ports also use CBWFQ or LLQ for scheduling. For more information, see the "Queueing and Scheduling of Hierarchical Queues" section.
Weighted Tail Drop
The ingress queues and the egress queue-sets use an enhanced version of the tail-drop congestion-avoidance mechanism called WTD. WTD manages the queue lengths and provides drop precedences for different traffic classifications.
As a frame is sent to a particular queue, WTD uses the frame's assigned QoS label to subject it to different thresholds. If the threshold is exceeded for that QoS label (the space available in the destination queue is less than the size of the frame), the switch drops the frame.
Figure 32-7 shows an example of WTD operating on a queue whose size is 1000 frames. Three drop percentages are configured: 40, 60, and 100 percent. These percentages mean that up to 400 frames can be queued at the 40-percent threshold, up to 600 frames at the 60-percent threshold, and up to 1000 frames at the 100-percent threshold.
In this example, CoS values 6 and 7 have a greater importance than the other CoS values, and they are assigned to the 100-percent drop threshold (queue-full state). CoS values 4 and 5 are assigned to the 60-percent threshold, and CoS values 0 to 3 are assigned to the 40-percent threshold.
Suppose the queue is already filled with 600 frames, and a new frame arrives. It contains CoS values 4 and 5 and is subjected to the 60-percent threshold. If this frame is added to the queue, the threshold will be exceeded, so the switch drops it.
Figure 32-7 WTD and Queue Operation
For more information, see the "Mapping DSCP or CoS Values to an Ingress Queue and Setting WTD Thresholds" section, the "Allocating Buffer Space to and Setting WTD Thresholds for an Egress Queue-Set" section, and the "Mapping DSCP or CoS Values to an Egress Queue-Set and to a Threshold ID" section.
SRR Shaping and Sharing
The ingress queues and egress queue-sets are serviced by SRR, which controls the rate at which packets are sent. On the ingress queues, SRR sends packets to the internal ring. On the egress queue-sets, SRR sends packets to a standard port.
You can configure SRR on the egress queue-sets for sharing or for shaping. However, for ingress queues, sharing is the default mode and is the only mode supported.
In shaped mode, the queues are guaranteed a percentage of the bandwidth, and they are rate-limited to that amount. Shaped traffic does not use more than the allocated bandwidth even if the link is idle. Shaping provides a more even flow of traffic over time and reduces the peaks and valleys of bursty traffic. With shaping, the absolute value of each weight is used to compute the bandwidth available for the queues.
In shared mode, the queues share the bandwidth among them according to the configured weights. The bandwidth is guaranteed at this level but not limited to it. For example, if a queue is empty and no longer requires a share of the link, the remaining queues can expand into the unused bandwidth and share it among them. With sharing, the ratio of the weights controls the frequency of dequeuing; the absolute values are meaningless.
For more information, see the "Allocating Bandwidth Between the Ingress Queues" section, the "Configuring SRR Shaped Weights on an Egress Queue-Set" section, and the "Configuring SRR Shared Weights on an Egress Queue-Set" section.
Queueing and Scheduling of Ingress Queues
Figure 32-8 shows the ingress queueing and scheduling flowchart.
Figure 32-8 Ingress Queueing and Scheduling Flowchart
Note
The switch supports two configurable ingress queues, which are serviced by SRR in shared mode only. Table 32-1 describes the queues.
Table 32-1 Ingress Queue Types
Normal
User traffic that is considered to be normal priority. You can configure three different thresholds to differentiate among the flows. You can use the mls qos srr-queue input threshold, the mls qos srr-queue input dscp-map, and the mls qos srr-queue input cos-map global configuration commands.
Expedite
High-priority user traffic such as differentiated services (DF) expedited forwarding or voice traffic. You can configure the bandwidth required for this traffic as a percentage of the total traffic by using the mls qos srr-queue input priority-queue global configuration command. The expedite queue has guaranteed bandwidth.
1 The switch uses two nonconfigurable queues for traffic that is essential for proper network operation.
You assign each packet that flows through the switch to a queue and to a threshold. Specifically, you map DSCP or CoS values to an ingress queue and map DSCP or CoS values to a threshold ID. You use the mls qos srr-queue input dscp-map queue queue-id {dscp1...dscp8 | threshold threshold-id dscp1...dscp8} or the mls qos srr-queue input cos-map queue queue-id {cos1...cos8 | threshold threshold-id cos1...cos8} global configuration command. You can display the DSCP input queue threshold map and the CoS input queue threshold map by using the show mls qos maps privileged EXEC command.
WTD Thresholds
The queues use WTD to support distinct drop percentages for different traffic classes. Each queue has three drop thresholds: two configurable (explicit) WTD thresholds and one nonconfigurable (implicit) threshold preset to the queue-full state. You assign the two explicit WTD threshold percentages for threshold ID 1 and ID 2 to the ingress queues by using the mls qos srr-queue input threshold queue-id threshold-percentage1 threshold-percentage2 global configuration command. Each threshold value is a percentage of the total number of allocated buffers for the queue. The drop threshold for threshold ID 3 is preset to the queue-full state, and you cannot modify it. For more information about how WTD works, see the "Weighted Tail Drop" section.
Buffer and Bandwidth Allocation
You define the ratio (allocate the amount of space) with which to divide the ingress buffers between the two queues by using the mls qos srr-queue input buffers percentage1 percentage2 global configuration command. The buffer allocation together with the bandwidth allocation control how much data can be buffered and sent before packets are dropped. You allocate bandwidth as a percentage by using the mls qos srr-queue input bandwidth weight1 weight2 global configuration command. The ratio of the weights is the ratio of the frequency in which the SRR scheduler sends packets from each queue to the internal ring.
Priority Queueing
You can configure one ingress queue as the priority queue by using the mls qos srr-queue input priority-queue queue-id bandwidth weight global configuration command. The priority queue should be used for traffic (such as voice) that requires guaranteed delivery because this queue is guaranteed part of the bandwidth regardless of the load on the internal ring.
SRR services the priority queue for its configured weight as specified by the bandwidth keyword in the mls qos srr-queue input priority-queue queue-id bandwidth weight global configuration command. Then, SRR shares the remaining bandwidth with both ingress queues and services them as specified by the weights configured with the mls qos srr-queue input bandwidth weight1 weight2 global configuration command.
You can combine the commands described in this section to prioritize traffic by placing packets with particular DSCP or CoS values into certain queues, by allocating a large queue size or by servicing the queue more frequently, and by adjusting queue thresholds so that packets with lower priorities are dropped. For configuration information, see the "Configuring Ingress Queue Characteristics" section.
Queueing and Scheduling of Egress Queue-Sets
Figure 32-9 shows the egress queue-set queueing and scheduling flowchart.
Figure 32-9 Egress Queue-Set Queueing and Scheduling Flowchart
Note
Each port supports four egress queues, one (queue 1) of which can be the egress priority queue. These queues are assigned to a queue-set. All traffic exiting the switch on a standard port flows through one of these four queues and is subjected to a threshold based on the QoS label assigned to the packet. Traffic destined for an ES port passes through the queue-set before reaching the hierarchical queues. If congestion occurs in the hierarchical queues that backs up to the queue-sets, the queue-set configuration controls how traffic is dropped.
Figure 32-10 shows the egress queue-set buffer. The buffer space is divided between the common pool and the reserved pool. The switch uses a buffer allocation scheme to reserve a minimum amount of buffers for each egress queue, to prevent any queue or port from consuming all the buffers and depriving other queues, and to control whether to grant buffer space to a requesting queue. The switch detects whether or not the target queue has consumed more buffers than its reserved amount (under-limit), whether it has consumed all of its maximum buffers (over limit), and whether the common pool is empty (no free buffers) or not empty (free buffers). If the queue is not over-limit, the switch can allocate buffer space from the reserved pool or from the common pool (if it is not empty). If there are no free buffers in the common pool or if the queue is over-limit, the switch drops the frame.
Figure 32-10 Egress Queue-Set Buffer Allocation
Buffer and Memory Allocation
You guarantee the availability of buffers, set drop thresholds, and configure the maximum memory allocation for a queue-set by using the mls qos queue-set output qset-id threshold queue-id drop-threshold1 drop-threshold2 reserved-threshold maximum-threshold global configuration command. Each threshold value is a percentage of the queue's allocated memory, which you specify by using the mls qos queue-set output qset-id buffers allocation1 ... allocation4 global configuration command. The sum of all the allocated buffers represents the reserved pool, and the remaining buffers are part of the common pool.
Through buffer allocation, you can ensure that high-priority traffic is buffered. For example, if the buffer space is 400, you can allocate 70 percent of it to queue 1 and 10 percent to queues 2 through 4. Queue 1 then has 280 buffers allocated to it, and queues 2 through 4 each have 40 buffers allocated to them.
You can guarantee that the allocated buffers are reserved for a specific queue in a queue-set. For example, if there are 100 buffers for a queue, you can reserve 50 percent (50 buffers). The switch returns the remaining 50 buffers to the common pool. You also can enable a queue in the full condition to obtain more buffers than are reserved for it by setting a maximum threshold. The switch can allocate the needed buffers from the common pool if the common pool is not empty.
WTD Thresholds
You can assign each packet that flows through the switch to a queue and to a threshold. Specifically, you map DSCP or CoS values to an egress queue-set and map DSCP or CoS values to a threshold ID. You use the mls qos srr-queue output dscp-map queue queue-id {dscp1...dscp8 | threshold threshold-id dscp1...dscp8} or the mls qos srr-queue output cos-map queue queue-id {cos1...cos8 | threshold threshold-id cos1...cos8} global configuration command. You can display the DSCP output queue threshold map and the CoS output queue threshold map by using the show mls qos maps privileged EXEC command.
The queue-set uses WTD to support distinct drop percentages for different traffic classes. Each queue has three drop thresholds: two configurable (explicit) WTD thresholds and one nonconfigurable (implicit) threshold preset to the queue-full state. You assign the two WTD threshold percentages for threshold ID 1 and ID 2. The drop threshold for threshold ID 3 is preset to the queue-full state, and you cannot modify it. For more information about how WTD works, see the "Weighted Tail Drop" section.
Shaped or Shared Mode
SRR services each queue-set in shared or shaped mode.You map a port to a queue-set by using the queue-set qset-id interface configuration command. You assign shared or shaped weights to a standard port by using the srr-queue bandwidth share weight1 weight2 weight3 weight4 or the srr-queue bandwidth shape weight1 weight2 weight3 weight4 interface configuration command. You can assign only shared weights to an ES port. For an explanation of the differences between shaping and sharing, see the "SRR Shaping and Sharing" section.
The buffer allocation together with the SRR weight ratios control how much data can be buffered and sent before packets are dropped. The weight ratio is the ratio of the frequency in which the SRR scheduler sends packets from each queue.
All four queues participate in the SRR unless the egress priority queue is enabled, in which case the first bandwidth weight is ignored and is not used in the ratio calculation. Before servicing the other queues, SRR services the priority queue until it is empty. You enable the priority queue by using the priority-queue out interface configuration command.
You can combine the commands described in this section to prioritize traffic by placing packets with particular DSCP or CoS values into certain queues, by allocating a large queue size or by servicing the queue more frequently, and by adjusting queue thresholds so that packets with lower priorities are dropped. For configuration information, see the "Configuring Egress Queue-Set Characteristics" section.
Note
Understanding Hierarchical QoS
The switch supports a hierarchical QoS configuration (traffic classification, CBWFQ, LLQ, shaping, and two-rate three-color policing) that is applied to the input or to the output of an ES port.
Hierarchical QoS configuration is based on the concept of a bandwidth-limited stream of traffic, which is a stream of packets that has its departure rate constrained in some manner. At each level of the hierarchy, the switch must classify each packet to select into which traffic stream in that level the packet belongs. When the stream is classified, if its arrival rate exceeds its departure rate, queueing can become congested. To compensate for this, you can configure policies that contain policer drops, configure tail drop or WRED, a congestion-avoidance technique, or to influence whether the packet is queued. You also can implement scheduling policies (CBWFQ, LLQ, and shaping) to influence how quickly a packet is sent out the port.
This section includes these topics:
•
•
•
Hierarchical Levels
Hierarchical QoS configuration involves traffic classification, policing, queueing, and scheduling. You can create a hierarchy by associating a class-level policy map with a VLAN-level policy map, by associating that VLAN-level policy map with a physical-level policy map, and by attaching the physical-level policy map to an ES port. You can omit hierarchical levels, but the order of the levels (class level, VLAN level, and then the physical level) must be preserved.
You can configure these three QoS levels in the hierarchy:
•
–
–
–
–
–
The switch supports eight classes (including the default class) per policy map at this level. The default class is reserved for packets that do not meet any of the matching criteria.
This is an example of a class-level classification and its naming convention:
Switch(config)# class-map match-any class-level-class-map-nameSwitch(config-cmap)# match ip dscp 10 11 12This is an example of a class-level policy map and its naming convention:
Switch(config)# policy-map class-level-policy-map-nameSwitch(config-pmap)# class class-level-class-nameSwitch(config-pmap-c)# bandwidth percent 20Switch(config-pmap-c)# shape average 20000000This is a class-level configuration example that combines a class-level classification and a class-level policy map to create a service policy:
Switch(config)# class-map c1Switch(config-cmap)# match ip precedence 4Switch(config-cmap)# exitSwitch(config)# policy-map policy1Switch(config-pmap)# class c1Switch(config-pmap-c)# police cir 500000 bc 10000 pir 1000000 be 10000 conform-action transmit exceed-action set-prec-transmit 2 violate-action dropSwitch(config-pmap-c)# exitSwitch(config-pmap)# exitSwitch(config)# interface gigabitethernet1/1/1Switch(config-if)# service-policy input policy1•
For a finer level of control, you can associate a previously defined child policy at the class level with a new service policy by using the service-policy policy-map class configuration command. In the class-level child policy, you can configure tail drop or WRED drop policies, set Layer 2 and Layer 3 QoS fields, or enable the strict-priority queue. These features are available only at the class level. By using a child policy, you apply a class-level policy only to traffic that matches the VLAN class.
You cannot mix VLAN-level and class-level matches within a class map.
You can attach up to 2045 user-created VLAN-level classes. This means that you can have 1022 unique classes and can associate them with the two ES ports (and have one left over), or you can add more classes to one ES port and can subtract from the other one. You can shape every class that you configure. You can create up to 4093 class maps.
This is an example of a VLAN-level classification and its naming convention:
Switch(config)# class-map match-all vlan-level-class-map-nameSwitch(config-cmap)# match vlan 5Switch(config-cmap)# match vlan inner 3 - 8This is an example of a VLAN-level policy map and its naming convention:
Switch(config)# policy-map vlan-level-policy-map-nameSwitch(config-pmap)# class vlan-level-class-nameSwitch(config-pmap-c)# police cir 500000 bc 10000 pir 1000000 be 10000 conform-action transmit exceed-action set-prec-transmit 2 violate-action dropThis is an example of a VLAN-level policy map and its naming convention when a previously defined child policy is associated at the class level:
Switch(config)# policy-map vlan-level-policy-map-nameSwitch(config-pmap)# class vlan-level-class-nameSwitch(config-pmap-c)# bandwidth percent 30Switch(config-pmap-c)# service-policy class-level-policy-map-nameThis is a VLAN-level configuration example that combines a VLAN-level classification and a VLAN-level policy map:
Switch(config)# class-map match-all vlan203Switch(config-cmap)# match vlan 203Switch(config-cmap)# exitSwitch(config)# policy-map vlan-policySwitch(config-pmap)# class vlan203Switch(config-pmap-c)# police cir 500000 bc 10000 pir 1000000 be 10000 conform-action transmit exceed-action set-prec-transmit 2 violate-action dropThis is an example of a VLAN-level policy map that combines a VLAN-level classification with a VLAN-level policy map and associates a previously defined child policy at the class level:
Switch(config)# class-map cls-classSwitch(config-cmap)# match mpls experimental 2Switch(config-cmap)# exitSwitch(config)# class-map log-classSwitch(config-cmap)# match vlan 203Switch(config-cmap)# exitSwitch(config)# policy-map cls-policySwitch(config-pmap)# class cls-classSwitch(config-pmap-c)# set mpls experimental 5Switch(config-pmap-c)# exitSwitch(config-pmap)# exitSwitch(config)# policy-map log-policySwitch(config-pmap)# class log-classSwitch(config-pmap-c)# service-policy cls-policySwitch(config-pmap-c)# exitSwitch(config-pmap)# exitSwitch(config)# interface gigabitethernet1/1/2Switch(config-if)# switchport trunk encapsulation dot1qSwitch(config-if)# switchport mode trunkSwitch(config-if)# service-policy output log-policy•
Within a policy map, the class-default applies to all traffic that is not explicitly matched within the policy map but does match the parent policy. If no parent policy is configured, the parent policy represents the physical port. In a physical-level policy map, class-default is the only class that you can configure.
You use the service-policy [input | output] policy-map-name interface configuration command to attach a hierarchical policy to an ES port.
This is an example of a physical-level configuration. All hierarchical levels exist, and the order is preserved. The class level at the bottom, the VLAN level in the middle, and the physical level at the top.
Switch(config)# class-map my-classSwitch(config-cmap)# match ip precedence 1Switch(config-cmap)# exitSwitch(config)# class-map my-logical-classSwitch(config-cmap)# match vlan 5Switch(config-cmap)# exitSwitch(config)# policy-map my-class-policySwitch(config-pmap)# class my-classSwitch(config-pmap-c)# set precedence 2Switch(config-pmap-c)# exitSwitch(config-pmap)# exitSwitch(config)# policy-map my-logical-policySwitch(config-pmap)# class my-logical-classSwitch(config-pmap-c)# shape average 400000000Switch(config-pmap-c)# service-policy my-class-policySwitch(config-pmap-c)# exitSwitch(config-pmap)# exitSwitch(config)# policy-map my-physical-policySwitch(config-pmap)# class class-defaultSwitch(config-pmap-c)# shape average 500000000Switch(config-pmap-c)# service-policy my-logical-policySwitch(config-pmap-c)# exitSwitch(config-pmap)# exitSwitch(config)# interface gigabitethernet1/1/1Switch(config-if)# service-policy output my-physical-policyHierarchical Classification Based on Traffic Classes and Traffic Policies
Hierarchical classification distinguishes one kind of traffic from another on receipt or before sending. The switch examines the fields in the packet, processes the match commands, and creates the queues. The switch forwards the traffic according to the QoS specifications set in the hierarchical policy.
You use the class map to define a specific traffic flow (or class) and to isolate it from all other traffic. The class map defines the criteria used to match against a specific traffic flow to further classify it. At the class level, the criteria can include matching CoS, DSCP, IP precedence, or MPLS EXP bits in the header. At the VLAN level, the criteria can include matching a packet based on the inner and the outer VLAN IDs. If you have more than one type of traffic that you want to classify, you can create another class map and use a different name.
You create a class map by using the class-map global configuration command. When you enter the class-map command, the switch enters the class-map configuration mode. In this mode, you define the match criterion for the traffic by using the match class-map configuration command. Packets are checked against the match criteria configured for a class map. If a packet matches the specified criteria, the packet is considered a member of the class, the switch creates a queue for it, and the packet is forwarded according to the QoS specifications set in the traffic policy. If a packet fails to meet any of the matching criteria, it is classified as a member of the default traffic class if one is configured.
You use the policy map to create the traffic policy, to specify the traffic class to act on, and to configure the QoS features associated with the traffic class. Actions can include trusting the received CoS, DSCP, or IP precedence bits in the traffic class; setting specific CoS, DSCP, IP precedence, or MPLS EXP bits in the traffic class; or specifying the traffic bandwidth limitations and the action to take when the traffic is out of profile.
You create and name a policy map by using the policy-map global configuration command. When you enter this command, the switch enters the policy-map configuration mode. In this mode, you use the class policy-map configuration command to name the traffic class associated with the traffic policy. If you specify class-default as the class name in the class policy-map configuration command, packets that fail to meet any of the matching criteria are classified as members of the default traffic class. You can manipulate this class (for example, police it and mark it) just like any traffic class, but you cannot delete it.
Within a policy map, the class-default designates all traffic that is not explicitly matched within the policy map but does match the policy map of the parent policy. If no parent policy is configured, the parent policy represents the physical port. In the physical-level policy map, class-default is the only class that can be configured.
After you name the traffic class with the class command, the switch enters policy-map class configuration mode, and you can specify the actions to take on this traffic class.
You attach a hierarchical policy map to an ES port by using the service-policy [input | output] policy-map-name interface configuration command. The policy map can include the bandwidth, police cir, police cir percent, priority, queue-limit, random-detect, shape, or set policy-map class configuration commands. If the policy map contains the class-default class, you can configure settings only through the police cir, police cir percent, and shape commands.
For more information, see the "Hierarchical Policing and Marking" section and the "Queueing and Scheduling of Hierarchical Queues" section.
Hierarchical Policing and Marking
Hierarchical traffic policing controls the maximum rate of traffic received or sent on an ES port. A policer defines the bandwidth limitations of the traffic and the action to take if the limits are exceeded. It is often configured on ports at the edge of a network to limit traffic into or out of the network. In most policing configurations, traffic that falls within the rate parameters is sent. Traffic that exceeds the parameters is considered to be out of profile or nonconforming and is dropped or sent with a different priority.
You can configure a two-rate traffic policer within a policy map at the class level, at the VLAN level, and at the physical level by using the police cir or the police cir percent policy-map class configuration command. At the physical level of the hierarchy, you can police only the class-default class in a policy attached to an ES port.
You can configure a two-rate traffic policer to limit the transmission rate of a traffic class and mark actions (conform, exceed, and violate) for each packet. Within the conform, exceed, and violate categories, you decide packet treatments. In the most common configurations, you configure packets that conform to be sent, packets that exceed to be sent with a decreased priority, and packets that violate to be dropped. You can decrease the priority of the CoS, the DSCP, the IP precedence, or the MPLS EXP bits in the packet.
The two-rate policer manages the maximum rate of traffic through a token-bucket algorithm. The algorithm uses the configured committed information rate (CIR) and the peak information rate (PIR) rate values to control the maximum rate of traffic allowed on a port at a given moment in time. The algorithm is affected by all traffic leaving the port, and it manages network bandwidth when several large packets are sent in the same traffic stream.
A token bucket is provided for the CIR and the PIR as shown in Figure 32-11.
Figure 32-11 Two-Rate Policing and Marking Flowchart
You configure the CIR and PIR rates in bps (or as a percentage of the bandwidth available on an ES port), and these rates control how fast the bucket fills (is updated) with tokens. The conform burst size (bc) and the peak burst size (be) represent the depth of the CIR and PIR buckets in bytes. This depth limits the number of tokens that the bucket can accumulate. If the bucket fills to capacity, newly arriving tokens are discarded.
Each token is permission for the source to send a certain number of bits into the network. To send a packet, the number of tokens equal to the packet size must be drained from the bucket. If there are enough tokens in the bucket, the packet conforms and can pass to the next stage. Otherwise, the exceed action associated with the bucket is applied to the packet. The packet might be dropped, or its priority value might be marked down.
In this token-bucket example, if the CIR rate is 2 kbps, 2000 tokens are added to the bucket every second (for this example, consider each token to represent a single bit of information). If a 1500-byte packet arrives, 12000 tokens (1500 bytes x 8 bits per byte) must be in the bucket for the packet to pass to the next state without triggering the exceed action. If enough tokens are in the bucket, they are drained, and the packet conforms and passes to the next stage. If there are less than 12000 tokens in the bucket, the exceed action is applied to the packet. The deeper the bucket, the more data can burst through at a rate greater than the rate at which the bucket is filling. For example, if the CIR bucket holds 6000 tokens, 750 bytes of traffic can instantaneously burst without draining the bucket (and without triggering an exceed action), even though the instantaneous burst is at a greater rate than the CIR rate of 2000 bps.
If the burst sizes approach the system maximum transmission unit (MTU), the policer strictly enforces the CIR and PIR. Normal traffic jitter can cause some percentage of inbound traffic to be flagged as nonconforming even if the average inbound rate appears to conform. If the burst size is very large, on the other hand, large traffic bursts at nonconforming data rates can be passed through the policer and flagged as conforming. Setting the burst sizes too low can result in less traffic than expected, and setting them too high can result in more traffic than expected.
For packet marking actions, if the CIR is 100 kbps, the PIR is 200 kbps, and a data stream with a rate of 250 kbps arrives at the two-rate policer:
•
•
•
If you set the CIR equal to the PIR, a traffic rate that is less than the CIR or that meets the CIR is in the conform range. Traffic that exceeds the CIR rate is in the violate range.
If you set the PIR greater than the CIR, a traffic rate less than the CIR is in the conform range. A traffic rate that exceeds the CIR but is less than or equal to the PIR is in the exceed range. A traffic rate that exceeds the PIR is in the violate range.
After you configure the policy map and policing actions, attach the policy to an ES port by using the service-policy [input | output] policy-map-name interface configuration command. For configuration information, see the "Configuring Hierarchical QoS" section.
An input hierarchical service policy can contain the same configuration options as an output hierarchical service policy (policing, shaping, CBWFQ), but cannot include configurations such as ACLs or aggregate policers). Access group matches are allowed on ES ports if the policy is non-hierarchical. Violating this rule prevents the policy from being attached to an interface.
Queueing and Scheduling of Hierarchical Queues
Figure 32-12 shows the queueing and scheduling flowchart for a hierarchical queue.
Figure 32-12 Queueing and Scheduling Flowchart for a Hierarchical Queue
Hierarchical Queues
The switch uses a hierarchical queueing model for traffic received on or sent from an ES port. Each packet is assigned a queue based on its physical interface, VLAN, or class:
•
•
•
The switch creates the default queue and uses it to send all traffic when a service policy is not attached to an ES port. User traffic on a physical port without an attached service policy bypasses the QoS classification and is queued to the default queue. The minimum and maximum bandwidth for the default queue is the same as the port bandwidth.
Under congested conditions, the switch discards packets for all classes configured for the same sending queue with equal probability. To achieve the full queueing capacity, there must be an equal division of traffic among the classes for each sending queue.
Congestion-Management and Congestion-Avoidance Features
You use congestion-management features to control congestion and to control the order in which packets are received on or are sent from an ES port based on the priorities assigned to those packets. You manage congestion by creating queues, by assigning packets based on the packet classification, and by scheduling the packets to be sent from the queue.
During periods with light traffic (when no congestion exists), the switch sends packets as soon as they arrive. During periods of congestion at the inbound or at the outbound port, packets arrive faster than the port can send them. If you use congestion-management features, the switch queues accumulating packets at a port until it is free to send them. They are then scheduled for transmission according to their assigned priorities and the queueing mechanism for the port.
You can configure either tail drop or WRED. You cannot configure both tail drop and WRED in the same class policy, but they can be used in two different class policies in the same policy map.
You can configure CBWFQ as a queue scheduling management feature, LLQ as a scheduling congestion-management feature, and traffic shaping to decrease the burstiness of traffic.
Tail Drop
With tail drop, packets are queued for the class until the maximum threshold is exceeded, and then all the packets destined for the class queue are dropped. You enable tail drop at the class level by using the queue-limit policy-map class configuration command. For configuration information, see the "Configuring a Hierarchical QoS Policy" section.
WRED
Cisco Systems implements a version of Random Early Detection (RED), called WRED, differently from other congestion-avoidance techniques. WRED attempts to anticipate and avoid congestion, rather than controlling congestion when it occurs. WRED takes advantage of the TCP congestion control to try to control the average queue size by signaling end hosts when they should temporarily stop sending packets. By randomly dropping packets before periods of high congestion, it tells the packet source to decrease its sending rate. Assuming the packet source is using TCP, WRED tells it to decrease its sending rate until all the packets reach their destination, meaning that the congestion is cleared. By dropping some packets early rather than waiting until the queue is full, WRED avoids dropping large numbers of packets at once.
When a packet arrives and WRED is enabled, these events occur:
•
•
•
•
You enable WRED by using the random-detect policy-map class configuration command at the class level. This command allows for preferential drop treatment among packets with different IP precedence or DSCP values. The WRED algorithm discards or marks packets destined for a queue when that queue is congested. It discards packets fairly and before the queue is full. Packets with high IP-precedence values are preferred over packets with low IP-precedence values. For configuration information, see the "Configuring a Hierarchical QoS Policy" section.
CBWFQ
CBWFQ provides guaranteed bandwidth to particular traffic classes, such as voice, that are delay sensitive, while still fairly serving all other traffic in the network. You define traffic classes based on match criteria. Packets satisfying the match criteria for a class constitute the traffic for that class. A queue is reserved for each class, and traffic belonging to a class is directed to the queue for that class.
The bandwidth assigned to a class is the minimum bandwidth that is delivered to the class during congestion. CBWFQ uses the bandwidth weight to ensure that the queue for the class is serviced fairly.
You enable CBWFQ and specify the minimum bandwidth as a rate in kbps or as a percentage of the available bandwidth by using the bandwidth policy-map class configuration command at the class level or at the VLAN level. During periods of congestion, the classes are serviced in proportion to their configured bandwidth. The amount of bandwidth available to a class is dependent on the amount of bandwidth reserved by the parent class. For configuration information, see the "Configuring a Hierarchical QoS Policy" section.
LLQ
LLQ provides strict-priority queueing for a traffic class. It enables delay-sensitive data, such as voice, to be sent before packets in other queues are sent. The priority queue is serviced first until it is empty. Only one traffic stream can be destined for the priority queue per class-level policy. The priority queue restricts all traffic streams in the same hierarchy, and you should use care when configuring this feature. You enable the priority queue for a traffic class by using the priority policy-map class configuration command at the class level. For configuration information, see the "Configuring a Hierarchical QoS Policy" section.
With Cisco IOS Release 12.1(14)AX2, you can use LLQ and the egress priority queue (enabled with the priority-queue out interface configuration command) to give priority to a class of traffic and to avoid a loss of traffic when the switch is congested. In previous releases (before the egress priority queue was supported), you could put a traffic class into the strict-priority queue, but congestion at the egress queue-sets could result in the dropping of that priority traffic. You can use the priority-queue out interface configuration command to prioritize the same traffic class at the egress queue-sets, ensuring that priority traffic reaches the hierarchical queues and is processed with priority.
Shaping
Shaping provides a process for delaying out-of-profile packets in queues so that they conform to a specified profile. Shaping is distinct from policing. Policing drops packets that exceed a configured threshold, but shaping buffers packets so that traffic remains within a threshold. Shaping offers greater smoothness in handling traffic than policing. You enable average-rate traffic shaping on a traffic class by using the shape policy-map class configuration command at the class level or at the VLAN level. At the physical level of the hierarchy, you can shape only the class-default class by using the shape policy-map class configuration command in a policy attached to an ES port. For configuration information, see the "Configuring a Hierarchical QoS Policy" section.
Configuring Auto-QoS
You can use the auto-QoS feature to simplify the deployment of existing QoS features. Auto-QoS makes assumptions about the network design, and as a result, the switch can prioritize different traffic flows and appropriately use the ingress and egress queues instead of using the default QoS behavior. (The default is that QoS is disabled. The switch then offers best-effort service to each packet, regardless of the packet contents or size, and sends it from a single queue.)
When you enable auto-QoS, it automatically classifies traffic based on the traffic type and ingress packet label. The switch uses the resulting classification to choose the appropriate egress queue.
You use auto-QoS commands to identify ports connected to Cisco IP Phones and to devices running the Cisco SoftPhone application. You also use the commands to identify ports that receive trusted traffic through an uplink. Auto-QoS then performs these functions:
•
•
•
These sections describe how to configure auto-QoS on your switch:
•
•
•
•
•
Generated Auto-QoS Configuration
By default, auto-QoS is disabled on all ports.
When auto-QoS is enabled, it uses the ingress packet label to categorize traffic, to assign packet labels, and to configure the ingress queues and egress queue-sets as shown in Table 32-2.
Table 32-2 Traffic Types, Packet Labels, and Queues
TrafficDSCP
46
24, 26
48
56
34
-
CoS
5
3
6
7
4
-
CoS-to-Ingress Queue Map
2, 3, 4, 5, 6, 7 (queue 2)
0, 1 (queue 1)
CoS-to-Egress Queue Map
5 (queue 1)
3, 6, 7 (queue 2)
4 (queue 3)
2 (queue 3)
0, 1
(queue 4)
1 VoIP = voice over IP
Table 32-3 shows the generated auto-QoS configuration for the ingress queues.
Table 32-4 shows the generated auto-QoS configuration for the egress queue-set.
When you enable the auto-QoS feature on the first port, these automatic actions occur:
•
•
•
•
For information about the trusted boundary feature, see the "Configuring a Trusted Boundary to Ensure Port Security" section.
When you enable auto-QoS by using the auto qos voip cisco-phone, the auto qos voip cisco-softphone, or the auto qos voip trust interface configuration command, the switch automatically generates a QoS configuration based on the traffic type and the ingress packet label and applies the commands listed in Table 32-5 to the port.
Note
Effects of Auto-QoS on the Configuration
When auto-QoS is enabled, the switch adds the auto qos voip interface configuration command and the generated configuration to the running configuration.
The switch applies the auto-QoS-generated commands as if the commands were entered from the CLI. An existing user configuration can cause the application of the generated commands to fail, or the user configuration might be overridden by the generated commands. These actions occur without warning. If all the generated commands are successfully applied, any user-entered configuration that was not overridden remains in the running configuration. Any user-entered configuration that was overridden can be retrieved by reloading the switch without saving the current configuration to memory. If the generated commands are not applied, the previous running configuration is restored.
Auto-QoS Configuration Guidelines
Before configuring auto-QoS, you should be aware of this information:
•
•
Note
•
•
•
•
•
•
•
•
Upgrading from a Previous Software Release
In Cisco IOS Release 12.2(25)EY, the implementation for auto-QoS changed from the previous release. The generated auto-QoS configuration was changed, support for the Cisco SoftPhone feature was added, and support for Cisco IP Phones on routed ports was added.
If auto-QoS is configured on the switch, your switch is running a release earlier than Cisco IOS Release 12.2(25)EY, and you upgrade to Cisco IOS Release 12.2(25)EY or later, the configuration file will not contain the new configuration, and auto-QoS will not operate. Follow these steps to update the auto-QoS settings in your configuration file:
1.
2.
3.
4.
Enabling Auto-QoS for VoIP
Beginning in privileged EXEC mode, follow these steps to enable auto-QoS for VoIP within a QoS domain:
To display the QoS commands that are automatically generated when auto-QoS is enabled or disabled, enter the debug autoqos privileged EXEC command before enabling auto-QoS. For more information, see the "debug autoqos" command in the command reference for this release.
To disable auto-QoS on a port, use the no auto qos voip interface configuration command. Only the auto-QoS-generated interface configuration commands for this port are removed. If this is the last port on which auto-QoS is enabled and you enter the no auto qos voip command, auto-QoS is considered disabled even though the auto-QoS-generated global configuration commands remain (to avoid disrupting traffic on other ports affected by the global configuration). You can use the no mls qos global configuration command to disable the auto-QoS-generated global configuration commands. With QoS disabled, there is no concept of trusted or untrusted ports because the packets are not modified (the CoS, DSCP, and IP precedence values in the packet are not changed). Traffic is switched in pass-through mode (packets are switched without any rewrites and classified as best effort without any policing).
This example shows how to enable auto-QoS on a port and to trust the QoS labels received in inbound packets when the switch or router connected to a port is a trusted device:
Switch(config)# interface gigabitethernet1/0/1Switch(config-if)# auto qos voip trustAuto-QoS Configuration Example
This section describes how you could implement auto-QoS in a network, as shown in Figure 32-13.
Figure 32-13 Auto-QoS Configuration Example Network
Figure 32-13 shows a network in which the VoIP traffic is prioritized over all other traffic. Auto-QoS is enabled on the switches in the wiring closets at the edge of the QoS domains.
Note
Beginning in privileged EXEC mode, follow these steps to configure the switch at the edge of the QoS domain to prioritize the VoIP traffic over all other traffic:
Step 1
debug auto qos
Enable debugging for auto-QoS. When debugging is enabled, the switch displays the QoS configuration that is automatically generated when auto-QoS is enabled.
Step 2
configure terminal
Enter global configuration mode.
Step 3
cdp enable
Enable CDP globally. By default, it is enabled.
Step 4
interface interface-id
Specify the switch port connected to the Cisco IP Phone, and enter interface configuration mode.
Step 5
auto qos voip cisco-phone
Enable auto-QoS on the port, and specify that the port is connected to a Cisco IP Phone.
The QoS labels of inbound packets are trusted only when the Cisco IP Phone is detected.
Step 6
exit
Return to global configuration mode.
Step 7
Repeat Steps 4 to 6 for as many ports as are connected to the Cisco IP Phone.
Step 8
auto qos voip cisco-phone
Enable auto-QoS on the port, and specify that the port is connected to a Cisco IP Phone.
Step 9
exit
Return to global configuration mode.
Step 10
interface interface-id
Specify the port identified as connected to a trusted switch or router. See Figure 32-13. Enter interface configuration mode.
Step 11
auto qos voip trust
Enable auto-QoS on the port, and specify that the port is connected to a trusted router or switch.
Step 12
end
Return to privileged EXEC mode.
Step 13
show auto qos
Verify your entries.
This command displays the auto-QoS configuration that is initially applied; it does not display any user changes to the configuration that might be in effect.
For information about the QoS configuration that might be affected by auto-QoS, see the "Displaying Auto-QoS Information" section on page 26-12.
Step 14
copy running-config startup-config
Save the auto qos voip interface configuration commands and the generated auto-QoS configuration in the configuration file.
Displaying Auto-QoS Information
To display the initial auto-QoS configuration, use the show auto qos [interface [interface-id]] privileged EXEC command. To display any user changes to that configuration, use the show running-config privileged EXEC command. You can compare the show auto qos and the show running-config command displays to identify the user-defined QoS settings.
To display information about the QoS configuration that might be affected by auto-QoS, use one of these commands:
•
•
•
•
•
•
For more information about these commands, see the command reference for this release.
Configuring Standard QoS
Before configuring standard QoS, you must have a thorough understanding of these items:
•
•
•
•
These sections describe how to configure standard QoS on your switch:
•
•
•
•
•
•
•
•
If you need to configure outbound traffic on an ES port, see the "Configuring Hierarchical QoS" section.
Default Standard QoS Configuration
QoS is disabled. There is no concept of trusted or untrusted ports because the packets are not modified (the CoS, DSCP, and IP precedence values in the packet are not changed). Traffic is switched in pass-through mode (packets are switched without any rewrites and classified as best effort without any policing).
When QoS is enabled with the mls qos global configuration command and all other QoS settings are at their defaults, traffic is classified as best effort (the DSCP and CoS value is set to 0) without any policing. No policy maps are configured. The default port trust state on all ports is untrusted. The default ingress queues and egress queue-set settings are described in the "Default Ingress Queue Configuration" section and the "Default Egress Queue-Set Configuration" section. For outbound traffic on an ES port, see the "Default Hierarchical QoS Configuration" section.
Default Ingress Queue Configuration
Table 32-6 shows the default ingress queue configuration when QoS is enabled.
Table 32-6 Default Ingress Queue Configuration
Buffer allocation
90 percent
10 percent
Bandwidth allocation 1
4
4
Priority queue bandwidth 2
0
10
WTD drop threshold 1
100 percent
100 percent
WTD drop threshold 2
100 percent
100 percent
1 The bandwidth is equally shared between the queues. SRR sends packets in shared mode only.
2 Queue 2 is the priority queue. SRR services the priority queue for its configured share before servicing the other queue.
Table 32-7 shows the default CoS input queue threshold map when QoS is enabled.
Table 32-7 Default CoS Input Queue Threshold Map
0-4
1-1
5
2-1
6, 7
1-1
Table 32-8 shows the default DSCP input queue threshold map when QoS is enabled.
Table 32-8 Default DSCP Input Queue Threshold Map
0-39
1-1
40-47
2-1
48-63
1-1
Default Egress Queue-Set Configuration
Table 32-9 shows the default egress queue-set configuration when QoS is enabled. All ports are mapped to queue-set 1. The port bandwidth limit is set to 100 percent, and the rate is unlimited.
Table 32-9 Default Egress Queue-Set Configuration
Buffer allocation
25 percent
25 percent
25 percent
25 percent
WTD drop threshold 1
100 percent
200 percent
100 percent
100 percent
WTD drop threshold 2
100 percent
200 percent
100 percent
100 percent
Reserved threshold
50 percent
50 percent
50 percent
50 percent
Maximum threshold
400 percent
400 percent
400 percent
400 percent
SRR shaped weights (absolute) 1
25
0
0
0
SRR shared weights 2
25
25
25
25
1 A shaped weight of zero means that this queue is operating in shared mode.
2 One quarter of the bandwidth is allocated to each queue.
Table 32-10 shows the default CoS output queue threshold map when QoS is enabled.
Table 32-10 Default CoS Output Queue Threshold Map
0, 1
2-1
2, 3
3-1
4
4-1
5
1-1
6, 7
4-1
Table 32-11 shows the default DSCP output queue threshold map when QoS is enabled.
Table 32-11 Default DSCP Output Queue Threshold Map
0-15
2-1
16-31
3-1
32-39
4-1
40-47
1-1
48-63
4-1
Default Mapping Table Configuration
The default CoS-to-DSCP map is shown in Table 32-12.
The default IP-precedence-to-DSCP map is shown in Table 32-13.
The default DSCP-to-CoS map is shown in Table 32-14.
The default DSCP-to-DSCP-mutation map is a null map, which maps an inbound DSCP value to the same DSCP value.
The default policed-DSCP map is a null map, which maps an inbound DSCP value to the same DSCP value (no markdown).
Standard QoS Configuration Guidelines
Before beginning the QoS configuration, you should be aware of this information:
•
•
•
•
•
•
•
•
•
•
•
•
–
–
–
•
–
–
–
–
–
For outbound traffic on an ES port, see the "Hierarchical QoS Configuration Guidelines" section.
Packet Modification
A packet is classified, policed, and queued to provide QoS. Packet modifications can occur during this process:
•
When the ES ports classify traffic at egress, this classification can be used for queuing or for marking the CoS, DSCP, IP precedence, or MPLS EXP bits. Any packet modifications that result from ingress classification are applied before the packet reaches the egress classification stage. For example, if the switch receives traffic with a CoS value of 2 and an ingress action resets the CoS to 4, the packet will have a CoS of 4 (instead of a CoS of 2 and an indicator that the CoS should be set to 4) when it moves to the egress classification stage.
•
During egress policing on the ES ports, marking actions can set the CoS, DSCP, IP precedence, or the MPLS EXP bits. Any markings performed by an ingress policer are applied before the packet reaches the egress classification stage.
•
The input mutation causes the DSCP to be rewritten depending on the new value of DSCP chosen. The set action in a policy map also causes the DSCP to be rewritten.
This information applies to both standard and ES ports. On the ES ports, the switch also applies trust policies to 802.1Q tunneling frames at egress.
•
Enabling QoS Globally
By default, QoS is disabled on the switch.
Beginning in privileged EXEC mode, follow these steps to enable QoS. This procedure is required.
Step 1
configure terminal
Enter global configuration mode.
Step 2
mls qos
Enable QoS globally.
QoS runs from the default settings described in the "Default Standard QoS Configuration" section and the "Default Hierarchical QoS Configuration" section.
Step 3
end
Return to privileged EXEC mode.
Step 4
show mls qos
Verify your entries.
Step 5
copy running-config startup-config
(Optional) Save your entries in the configuration file.
To disable QoS, use the no mls qos global configuration command.
Configuring Ingress Classification by Using Port Trust States
These sections describe how to classify inbound traffic through port trust states. Depending on your network configuration, you must perform one or more of these tasks or one or more of the tasks in the "Configuring an Ingress QoS Policy" section:
•
•
•
•
•
Configuring the Trust State on Ports Within the QoS Domain
Packets entering a QoS domain are classified at the edge of the QoS domain. The switch port within the QoS domain can then be configured to one of the trusted states because there is no need to classify the packets at every switch within the domain. Figure 32-14 shows a sample network topology.
Figure 32-14 Port Trusted States Within the QoS Domain
Beginning in privileged EXEC mode, follow these steps to configure the port to trust the classification of the traffic that it receives:
Step 1
configure terminal
Enter global configuration mode.
Step 2
interface interface-id
Specify the port to be trusted, and enter interface configuration mode.
Valid interfaces include physical ports.
Step 3
mls qos trust [cos | dscp | ip-precedence]
Configure the port trust state.
By default, the port is not trusted. If no keyword is specified, the default is dscp.
For 802.1Q tunnels, the switch processes inbound traffic on a standard port according to the trusted setting applied to this port. The switch configures the inner and outer tags for packets sent over the ES trunk port.
The keywords have these meanings:
•
For 802.1Q tunnels, the switch copies the inner CoS value to the outer CoS value and sends the packet out an ES port.
•
For 802.1Q tunnels, for a non-IP packet that is untagged, the switch configures the outer CoS value from the DSCP-to-CoS map, does not modify the inner CoS value, and sends the packet out an ES port. For an IP packet, the switch modifies the DSCP value in the packet if there is a DSCP-to-DSCP mutation map configured on the standard port. The switch uses the mutated DSCP value to configure the outer CoS value from the DSCP-to-CoS map and sends the packet out an ES port
•
For 802.1Q tunnels, the switch converts the generated DSCP value from the DSCP-to-CoS map and uses it as the outer CoS value in the packet. The switch does not modify the inner CoS value in the packet and sends the packet out an ES port.
Note
Step 4
end
Return to privileged EXEC mode.
Step 5
show mls qos interface
Verify your entries.
Step 6
copy running-config startup-config
(Optional) Save your entries in the configuration file.
To return a port to its untrusted state, use the no mls qos trust interface configuration command.
For information on how to change the default CoS value, see the "Configuring the CoS Value for an Interface" section. For information on how to configure the CoS-to-DSCP map, see the "Configuring the CoS-to-DSCP Map" section.
Configuring the CoS Value for an Interface
QoS assigns the CoS value specified with the mls qos cos interface configuration command to untagged frames received on trusted and untrusted ports.
Beginning in privileged EXEC mode, follow these steps to define the default CoS value of a port or to assign the default CoS to all inbound packets on the port:
To return to the default setting, use the no mls qos cos {default-cos | override} interface configuration command.
Configuring a Trusted Boundary to Ensure Port Security
In a typical network, you connect a Cisco IP Phone to a switch port, as shown in Figure 32-14, and cascade devices that generate data packets from the back of the telephone. The Cisco IP Phone guarantees the voice quality through a shared data link by marking the CoS level of the voice packets as high priority (CoS = 5) and by marking the data packets as low priority (CoS = 0). Traffic sent from the telephone to the switch is typically marked with a tag that uses the 802.1Q header. The header contains the VLAN information and the CoS 3-bit field, which is the priority of the packet.
For most Cisco IP Phone configurations, the traffic sent from the telephone to the switch should be trusted to ensure that voice traffic is properly prioritized over other types of traffic in the network. By using the mls qos trust cos interface configuration command, you configure the switch port to which the telephone is connected to trust the CoS labels of all traffic received on that port.
With the trusted setting, you also can use the trusted boundary feature to prevent misuse of a high-priority queue if a user bypasses the telephone and connects the PC directly to the switch. Without trusted boundary, the CoS labels generated by the PC are trusted by the switch (because of the trusted CoS setting). By contrast, trusted boundary uses CDP to detect the presence of a Cisco IP Phone (such as the Cisco IP Phone 7910, 7935, 7940, and 7960) on a switch port. If the telephone is not detected, the trusted boundary feature disables the trusted setting on the switch port and prevents misuse of a high-priority queue. Note that the trusted boundary feature is not effective if the PC and Cisco IP Phone are connected to a hub that is connected to the switch.
In some situations, you can prevent a PC connected to the IP phone from taking advantage of a high-priority data queue. You can use the switchport priority extend cos interface configuration command to configure the telephone through the switch CLI to override the priority of the traffic received from the PC.
Beginning in privileged EXEC mode, follow these steps to enable trusted boundary on a port:
To disable the trusted boundary feature, use the no mls qos trust device interface configuration command.
Enabling DSCP Transparency Mode
In software releases earlier than Cisco IOS Release 12.1(14)AX2, if QoS is disabled, the DSCP value of the incoming IP packet is not modified. If QoS is enabled and you configure the interface to trust DSCP, the switch does not modify the DSCP value. If you configure the interface to trust CoS, the switch modifies the DSCP value according to the CoS-to-DSCP map.
In Cisco IOS Release 12.1(14)AX2 or later, the switch supports the DSCP transparency feature. It affects only the DSCP field of a packet at egress. By default, DSCP transparency is disabled. The switch modifies the DSCP field in an incoming packet, and the DSCP field in the outgoing packet is based on the quality of service (QoS) configuration, including the port trust setting, policing and marking, and the DSCP-to-DSCP mutation map.
If DSCP transparency is enabled by using the no mls qos rewrite ip dscp command, the switch does not modify the DSCP field in the incoming packet, and the DSCP field in the outgoing packet is the same as that in the incoming packet.
Regardless of the DSCP transparency configuration, the switch modifies the internal DSCP value of the packet, which the switch uses to generate a class of service (CoS) value that represents the priority of the traffic. The switch also uses the internal DSCP value to select an egress queue and threshold.
On an ES port, if an action in an egress policy map modifies the DSCP value of the packet and the policy map is applied to the ES port, the switch modifies the DSCP value regardless of the DSCP transparency configuration.
Beginning in privileged EXEC mode, follow these steps to enable DSCP transparency on a switch:
To configure the switch to modify the DSCP value based on the trust setting or on an ACL by disabling DSCP transparency, use the mls qos rewrite ip dscp global configuration command.
If you disable QoS by using the no mls qos global configuration command, the CoS and DSCP values are not changed (the default QoS setting).
If you enter the no mls qos rewrite ip dscp global configuration command to enable DSCP transparency and then enter the mls qos trust [cos | dscp] interface configuration command, DSCP transparency is still enabled.
Configuring the DSCP Trust State on a Port Bordering Another QoS Domain
If you are administering two separate QoS domains between which you want to implement QoS features for IP traffic, you can configure the switch ports bordering the domains to a DSCP-trusted state as shown in Figure 32-15. Then the receiving port accepts the DSCP-trusted value and avoids the classification stage of QoS. If the two domains use different DSCP values, you can configure the DSCP-to-DSCP-mutation map to translate a set of DSCP values to match the definition in the other domain.
Figure 32-15 DSCP-Trusted State on a Port Bordering Another QoS Domain
Beginning in privileged EXEC mode, follow these steps to configure the DSCP-trusted state on a port and modify the DSCP-to-DSCP-mutation map. To ensure a consistent mapping strategy across both QoS domains, you must perform this procedure on the ports in both domains:
To return a port to its non-trusted state, use the no mls qos trust interface configuration command. To return to the default DSCP-to-DSCP-mutation map values, use the no mls qos map dscp-mutation dscp-mutation-name global configuration command.
This example shows how to configure a port to the DSCP-trusted state and to modify the DSCP-to-DSCP-mutation map (named gi1/1/1-mutation) so that inbound DSCP values 10 to 13 are mapped to DSCP 30:
Switch(config)# mls qos map dscp-mutation gi1/1/1-mutation 10 11 12 13 to 30Switch(config)# interface gigabitethernet1/1/1Switch(config-if)# mls qos trust dscpSwitch(config-if)# mls qos dscp-mutation gi1/1/1-mutationSwitch(config-if)# endConfiguring an Ingress QoS Policy
Configuring an ingress QoS policy typically requires classifying traffic into classes, configuring policies applied to those traffic classes, and attaching the policies to a port.
For background information, see the "Ingress Classification" section and the "Ingress Policing and Marking" section. For configuration guidelines, see the "Standard QoS Configuration Guidelines" section.
These sections describe how to classify, police, and mark inbound traffic. Depending on your network configuration, you must perform one or more of these tasks:
•
•
•
•
For information on configuring policies for the ES ports, see the "Configuring a Hierarchical QoS Policy" section. This section describes how to classify traffic by using class maps, how to configure a two-rate traffic policer, how to configure class-based packet marking in a traffic policy, how to configure CBWFQ, tail drop, DSCP-based WRED, and IP precedence-based WRED, how to enable LLQ, and how to configure shaping.
Classifying Ingress Traffic by Using ACLs
You can classify ingress IP traffic by using IP standard or IP extended ACLs. You also can classify ingress non-IP traffic by using Layer 2 MAC ACLs.
Beginning in privileged EXEC mode, follow these steps to create an IP standard ACL for inbound IP traffic:
To delete an access list, use the no access-list access-list-number global configuration command.
This example shows how to allow access for only those hosts on the three specified networks. The wildcard bits apply to the host portions of the network addresses. Any host with a source address that does not match the access list statements is rejected.
Switch(config)# access-list 1 permit 192.5.255.0 0.0.0.255Switch(config)# access-list 1 permit 128.88.0.0 0.0.255.255Switch(config)# access-list 1 permit 36.0.0.0 0.0.0.255! (Note: all other access implicitly denied)Beginning in privileged EXEC mode, follow these steps to create an IP extended ACL for inbound IP traffic:
To delete an access list, use the no access-list access-list-number global configuration command.
This example shows how to create an ACL that permits IP traffic from any source to any destination that has the DSCP value set to 32:
Switch(config)# access-list 100 permit ip any any dscp 32This example shows how to create an ACL that permits IP traffic from a source host at 10.1.1.1 to a destination host at 10.1.1.2 with a precedence value of 5:
Switch(config)# access-list 100 permit ip host 10.1.1.1 host 10.1.1.2 precedence 5This example shows how to create an ACL that permits PIM traffic from any source to a destination group address of 224.0.0.2 with a DSCP set to 32:
Switch(config)# access-list 102 permit pim any 224.0.0.2 dscp 32Beginning in privileged EXEC mode, follow these steps to create a Layer 2 MAC ACL for inbound non-IP traffic:
To delete an access list, use the no mac access-list extended access-list-name global configuration command.
This example shows how to create a Layer 2 MAC ACL with two permit statements. The first statement allows traffic from the host with MAC address 0001.0000.0001 to the host with MAC address 0002.0000.0001. The second statement allows only Ethertype XNS-IDP traffic from the host with MAC address 0001.0000.0002 to the host with MAC address 0002.0000.0002.
Switch(config)# mac access-list extended maclist1Switch(config-ext-macl)# permit 0001.0000.0001 0.0.0 0002.0000.0001 0.0.0Switch(config-ext-macl)# permit 0001.0000.0002 0.0.0 0002.0000.0002 0.0.0 xns-idp! (Note: all other access implicitly denied)Classifying Ingress Traffic by Using Class Maps
You use the class-map global configuration command to create a class map for matching packets to the class whose name you specify. The class map isolates a specific ingress traffic flow (class) from all other traffic by defining the criteria to use to match against a specific flow. A match criterion is defined with a match statement entered within the class-map configuration mode. Packets are checked against the match criteria configured for a class map. If a packet matches the specified criteria, the packet is considered a member of the class and is forwarded according to the QoS specifications set in the traffic policy.
Note
For information on how to classify traffic on an ES port, see the "Classifying Traffic by Using Hierarchical Class Maps" section.
Beginning in privileged EXEC mode, follow these steps to create a class map and to define the match criterion to classify inbound traffic:
Step 1
configure terminal
Enter global configuration mode.
Step 2
access-list access-list-number {deny | permit} source [source-wildcard]
or
access-list access-list-number {deny | permit} protocol source [source-wildcard] destination [destination-wildcard]
or
mac access-list extended name
{permit | deny} {host src-MAC-addr mask | any | host dst-MAC-addr | dst-MAC-addr mask} [type mask]
Create an IP standard or extended ACL for IP traffic or a Layer 2 MAC ACL for non-IP traffic, repeating the command as many times as necessary.
For more information, see the "Classifying Ingress Traffic by Using ACLs" section.
Note
Step 3
class-map [match-all | match-any] class-map-name
Create a class map, and enter class-map configuration mode.
By default, no class maps are defined.
•
•
•
If neither the match-all nor the match-any keyword is specified, the default is match-all.
Step 4
match {access-group acl-index-or-name | ip dscp dscp-list | ip precedence ip-precedence-list}
Define the match criterion to classify traffic.
By default, no match criterion is defined.
Only one ACL per class map is supported.
•
•
•
Step 5
end
Return to privileged EXEC mode.
Step 6
show class-map
Verify your entries.
Step 7
copy running-config startup-config
(Optional) Save your entries in the configuration file.
To delete an existing class map, use the no class-map [match-all | match-any] class-map-name global configuration command. To remove a match criterion, use the no match {access-group acl-index-or-name | ip dscp | ip precedence} class-map configuration command.
This example shows how to configure the class map called class1. The class1 has one match criterion, which is access list 103. It permits traffic from any host to any destination that matches a DSCP value of 10.
Switch(config)# access-list 103 permit any any dscp 10Switch(config)# class-map class1Switch(config-cmap)# match access-group 103Switch(config-cmap)# exitThis example shows how to create a class map called class2, which matches inbound traffic with DSCP values of 10, 11, and 12:
Switch(config)# class-map class2Switch(config-cmap)# match ip dscp 10 11 12Switch(config-cmap)# exitThis example shows how to create a class map called class3, which matches inbound traffic with IP-precedence values of 5, 6, and 7:
Switch(config)# class-map class3Switch(config-cmap)# match ip precedence 5 6 7Switch(config-cmap)# exitClassifying, Policing, and Marking Ingress Traffic by Using Nonhierarchical Single-Level Policy Maps
On a physical port, a nonhierarchical single-level policy map specifies which inbound traffic class to act on. You can specify which CoS, DSCP, or IP precedence values in the traffic class to trust. You can specify which DSCP or IP precedence values in the traffic class to set. You can specify the traffic bandwidth limitations for each matched traffic class (policer) and the action to take when the traffic is out of profile (marking).
A policy map also has these characteristics:
•
•
•
Follow these guidelines when configuring single-level policy maps:
•
•
Before beginning this procedure, make sure that you have created the class map to isolate traffic. For more information, see the "Classifying Ingress Traffic by Using ACLs" section and the "Classifying Ingress Traffic by Using Class Maps" section.
For information about configuring a policy map for an ES port, see the "Configuring a Hierarchical Two-Rate Traffic Policer" section and the "Configuring Class-Based Packet Marking in a Hierarchical Traffic Policy" section.
Beginning in privileged EXEC mode, follow these steps to create an ingress single-level policy map:
Step 1
configure terminal
Enter global configuration mode.
Step 2
policy-map policy-map-name
Create a policy map by entering the policy-map name, and enter policy-map configuration mode.
By default, no policy maps are defined.
The default behavior of a policy map is to set the DSCP to 0 if the packet is an IP packet and to set the CoS to 0 if the packet is tagged. No policing is performed.
Step 3
class class-name
Specify the name of the class whose traffic policy you want to create or change, and enter policy-map class configuration mode.
By default, no traffic classes are defined.
Step 4
trust [cos | dscp | ip-precedence]
Configure the trust state, which QoS uses to generate a CoS-based or DSCP-based QoS label.
By default, the port is not trusted. If no keyword is specified when the command is entered, the default is dscp.
The keywords have these meanings:
•
•
•
For more information, see the "Configuring the CoS-to-DSCP Map" section.
Step 5
set {dscp new-dscp | precedence new-precedence}
Mark IP traffic by setting a new value in the packet:
•
•
Note
Step 6
police rate-bps burst-byte [exceed-action {drop | policed-dscp-transmit}]
Define a policer for the classified traffic.
By default, no policer is defined. For information on the number of policers supported, see the "Standard QoS Configuration Guidelines" section.
•
•
•
Step 7
exit
Return to policy-map configuration mode.
Step 8
exit
Return to global configuration mode.
Step 9
interface interface-id
Specify the port to attach to the policy map, and enter interface configuration mode.
Valid interfaces include physical ports.
Step 10
service-policy input policy-map-name
Specify the ingress policy-map name, and apply it to a port.
Step 11
end
Return to privileged EXEC mode.
Step 12
show policy-map [policy-map-name [class class-map-name]]
Verify your entries.
Step 13
copy running-config startup-config
(Optional) Save your entries in the configuration file.
To delete an existing policy map, use the no policy-map policy-map-name global configuration command. To delete an existing class, use the no class class-name policy-map configuration command. To return to the untrusted state, use the no trust policy-map class configuration command. To remove an assigned DSCP or IP precedence value, use the no set {dscp new-dscp | precedence new-precedence} policy-map class configuration command. To remove an existing policer, use the no police rate-bps burst-byte [exceed-action {drop | policed-dscp-transmit}] policy-map class configuration command. To remove the policy map and interface association, use the no service-policy input policy-map-name interface configuration command.
This example shows how to create an ingress policy map and attach it to a port. In the configuration, the IP standard ACL permits traffic from network 10.1.0.0. For traffic matching this classification, the DSCP value in the inbound packet is trusted. If the matched traffic exceeds an average traffic rate of 48000 bps and a normal burst size of 8000 bytes, its DSCP is marked down (based on the policed-DSCP map) and sent.
Switch(config)# access-list 1 permit 10.1.0.0 0.0.255.255Switch(config)# class-map ipclass1Switch(config-cmap)# match access-group 1Switch(config-cmap)# exitSwitch(config)# policy-map flow1tSwitch(config-pmap)# class ipclass1Switch(config-pmap-c)# trust dscpSwitch(config-pmap-c)# police 48000 8000 exceed-action policed-dscp-transmitSwitch(config-pmap-c)# exitSwitch(config-pmap)# exitSwitch(config)# interface gigabitethernet1/0/1Switch(config-if)# service-policy input flow1tThis example shows how to create a Layer 2 MAC ACL with two permit statements and attach it to a port. The first permit statement allows traffic from the host with MAC address 0001.0000.0001 destined for the host with MAC address 0002.0000.0001. The second permit statement allows only Ethertype XNS-IDP traffic from the host with MAC address 0001.0000.0002 destined for the host with MAC address 0002.0000.0002.
Switch(config)# mac access-list extended maclist1Switch(config-ext-mac)# permit 0001.0000.0001 0.0.0 0002.0000.0001 0.0.0Switch(config-ext-mac)# permit 0001.0000.0002 0.0.0 0002.0000.0002 0.0.0 xns-idpSwitch(config-ext-mac)# exitSwitch(config)# mac access-list extended maclist2Switch(config-ext-mac)# permit 0001.0000.0003 0.0.0 0002.0000.0003 0.0.0Switch(config-ext-mac)# permit 0001.0000.0004 0.0.0 0002.0000.0004 0.0.0 aarpSwitch(config-ext-mac)# exitSwitch(config)# class-map macclass1Switch(config-cmap)# match access-group maclist1Switch(config-cmap)# exitSwitch(config)# policy-map macpolicy1Switch(config-pmap)# class macclass1Switch(config-pmap-c)# set dscp 63Switch(config-pmap-c)# exitSwitch(config-pmap)# class macclass2 maclist2Switch(config-pmap-c)# set dscp 45Switch(config-pmap-c)# exitSwitch(config-pmap)# exitSwitch(config)# interface gigabitethernet1/0/1Switch(config-if)# mls qos trust cosSwitch(config-if)# service-policy input macpolicy1Classifying, Policing, and Marking Traffic by Using Hierarchical Dual-Level Policy Maps
In Cisco IOS Release 12.2(25)EY or later, you can configure hierarchical dual-level policy maps on SVIs, (but not on other types of interfaces). Dual-level policing combines the VLAN- and interface-level policy maps to create a single policy map. For more information, see the "Hierarchical Dual-Level Policing on SVIs" section.
On an SVI, the VLAN-level policy map specifies which traffic class to act on. Actions can include trusting the CoS, DSCP, or IP precedence values or setting a specific DSCP or IP precedence value in the traffic class. Use the interface-level policy map to specify the physical ports that are affected by individual policers.
Follow these guidelines when configuring hierarchical dual-level policy maps:
•
•
•
•
•
•
•
•
•
•
•
•
Beginning in privileged EXEC mode, follow these steps to create a hierarchical dual-level policy map:
Step 1
configure terminal
Enter global configuration mode.
Step 2
class-map [match-all | match-any] class-map-name
Create a VLAN-level class map, and enter class-map configuration mode. For information about creating a class map, see the "Classifying Ingress Traffic by Using Class Maps" section.
By default, no class maps are defined.
•
•
•
If neither the match-all or match-any keyword is specified, the default is match-all.
Note
Step 3
match {access-group acl-index-or-name | ip dscp dscp-list | ip precedence ip-precedence-list}
Define the match criterion to classify traffic.
By default, no match criterion is defined.
Only one match criterion per class map is supported, and only one ACL per class map is supported.
•
•
•
Step 4
exit
Return to class-map configuration mode.
Step 5
exit
Return to global configuration mode.
Step 6
class-map [match-all | match-any] class-map-name
Create an interface-level class map, and enter class-map configuration mode.
By default, no class maps are defined.
•
•
•
If neither the match-all or match-any keyword is specified, the default is match-all.
Note
Step 7
match input-interface interface-id-list
Specify the physical ports on which the interface-level class map acts. You can specify up to six ports as follows:
•
•
•
This command can only be used in the child-level policy map and must be the only match condition in the child-level policy map.
Step 8
exit
Return to class-map configuration mode.
Step 9
exit
Return to global configuration mode.
Step 10
policy-map policy-map-name
Create an interface-level policy map by entering the policy-map name, and enter policy-map configuration mode.
By default, no policy maps are defined, and no policing is performed.
Step 11
class-map class-map-name
Define an interface-level traffic classification, and enter policy-map configuration mode.
By default, no policy-map class-maps are defined.
If a traffic class has already been defined by using the class-map global configuration command, specify its name for class-map-name in this command.
Step 12
police rate-bps burst-byte [exceed-action {drop | policed-dscp-transmit}]
Define an individual policer for the classified traffic.
By default, no policer is defined. For information on the number of policers supported, see the "Standard QoS Configuration Guidelines" section.
•
•
•
Step 13
exit
Return to policy-map configuration mode.
Step 14
exit
Return to global configuration mode.
Step 15
policy-map policy-map-name
Create a VLAN-level policy map by entering the policy-map name, and enter policy-map configuration mode.
By default, no policy maps are defined.
The default behavior of a policy map is to set the DSCP to 0 if the packet is an IP packet and to set the CoS to 0 if the packet is tagged. No policing is performed.
Step 16
class class-map-name
Define a VLAN-level traffic classification, and enter policy-map class configuration mode.
By default, no policy-map class-maps are defined.
If a traffic class has already been defined by using the class-map global configuration command, specify its name for class-map-name in this command.
Step 17
trust [cos | dscp | ip-precedence]
Configure the trust state, which QoS uses to generate a CoS-based or DSCP-based QoS label.
Note
By default, the port is not trusted. If no keyword is specified when the command is entered, the default is dscp.
The keywords have these meanings:
•
•
•
For more information, see the "Configuring the CoS-to-DSCP Map" section.
Step 18
set {dscp new-dscp | precedence new-precedence}
Classify IP traffic by setting a new value in the packet.
•
•
Step 19
service-policy policy-map-name
Specify the interface-level policy-map name (from Step 10) and associate it with the VLAN-level policy map.
If the VLAN-level policy map specifies more than one class, all classes must include the same service-policy policy-map-name command.
Step 20
exit
Return to policy-map configuration mode.
Step 21
exit
Return to global configuration mode.
Step 22
interface interface-id
Specify the SVI to which to attach the dual-level policy map, and enter interface configuration mode.
Step 23
service-policy input policy-map-name
Specify the VLAN-level policy-map name, and apply it to the SVI. Repeat the previous step and this command to apply the policy map to other SVIs.
If the dual-level VLAN-level policy map has more than one interface-level policy map, all class maps must be configured to the same VLAN-level policy map specified in the service-policy policy-map-name command.
Step 24
end
Return to privileged EXEC mode.
Step 25
show policy-map [policy-map-name [class class-map-name]]
or
show mls qos vlan-based
Verify your entries.
Step 26
copy running-config startup-config
(Optional) Save your entries in the configuration file.
To delete an existing policy map, use the no policy-map policy-map-name global configuration command. To delete an existing class map, use the no class class-map-name policy-map configuration command.
To return to the untrusted state in a policy map, use the no trust policy-map configuration command. To remove an assigned DSCP or IP precedence value, use the no set {dscp new-dscp | ip precedence new-precedence} policy-map configuration command.
To remove an existing policer in an interface-level policy map, use the no police rate-bps burst-byte [exceed-action {drop | policed-dscp-transmit}] policy-map configuration command. To remove the dual-level policy map and port associations, use the no service-policy input policy-map-name interface configuration command.
This example shows how to create a hierarchical dual-level policy map and attach it to an SVI:
Switch(config)# access-list 101 permit ip any anySwitch(config)# class-map match-all cm-1Switch(config-cmap)# match access-group 101Switch(config-cmap)# exitSwitch(config)# exitSwitch(config)# class-map match-all cm-interface-1Switch(config-cmap)# match input-interface gigabitethernet1/0/1 gigabitethernet1/0/2Switch(config-cmap)# exitSwitch(config)# exitSwitch(config)# policy-map port-plcmapSwitch(config-pmap)# class cm-interface-1Switch(config-pmap-c)# police 9000000 9000 exceed-action policed-dscp-transmitSwitch(config-pmap-c)# exitSwitch(config-pmap)# exitSwitch(config)# policy-map vlan-plcmapSwitch(config-pmap)# class cm-1Switch(config-pmap-c)# set dscp 7Switch(config-pmap-c)# service-policy port-plcmapSwitch(config-pmap-c)# exitSwitch(config-pmap)# exitSwitch(config)# interface vlan 10Switch(config-if)# service-policy input vlan-plcmapClassifying, Policing, and Marking Ingress Traffic by Using Aggregate Policers
By using an aggregate policer, you can create a policer that is shared by multiple traffic classes within the same policy map. However, you cannot use the aggregate policer across different policy maps or ports.
You can configure aggregate policers only in nonhierarchical single-level policy maps.
Before beginning this procedure, make sure that you have created the class map to isolate traffic. For more information, see the "Classifying Ingress Traffic by Using ACLs" section and the "Classifying Ingress Traffic by Using Class Maps" section.
Beginning in privileged EXEC mode, follow these steps to create an aggregate policer for inbound traffic:
Step 1
configure terminal
Enter global configuration mode.
Step 2
mls qos aggregate-policer aggregate-policer-name rate-bps burst-byte exceed-action {drop | policed-dscp-transmit}
Define the policer parameters that can be applied to multiple traffic classes within the same policy map.
By default, no aggregate policer is defined. For information on the number of policers supported, see the "Standard QoS Configuration Guidelines" section
•
•
•
•
Step 3
policy-map policy-map-name
Create a policy map by entering the policy-map name, and enter policy-map configuration mode.
For more information, see the "Classifying, Policing, and Marking Ingress Traffic by Using Nonhierarchical Single-Level Policy Maps" section.
Step 4
class class-name
Specify the name of the class whose traffic policy you want to create or change, and enter policy-map class configuration mode.
By default, no traffic classes are defined.
Step 5
police aggregate aggregate-policer-name
Apply an aggregate policer to multiple classes in the same policy map.
For aggregate-policer-name, enter the name specified in Step 2.
Step 6
exit
Return to global configuration mode.
Step 7
interface interface-id
Specify the port to attach to the policy map, and enter interface configuration mode.
Valid interfaces include s.
Step 8
service-policy input policy-map-name
Specify the ingress policy-map name, and apply it to a port.
Step 9
end
Return to privileged EXEC mode.
Step 10
show mls qos aggregate-policer [aggregate-policer-name]
Verify your entries.
Step 11
copy running-config startup-config
(Optional) Save your entries in the configuration file.
To remove the specified aggregate policer from a policy map, use the no police aggregate aggregate-policer-name policy-map class configuration command. To delete an aggregate policer and its parameters, use the no mls qos aggregate-policer aggregate-policer-name global configuration command.
This example shows how to create an aggregate policer and attach it to multiple classes within a policy map. In the configuration, the IP ACLs permit traffic from network 10.1.0.0 and from host 11.3.1.1. For traffic coming from network 10.1.0.0, the DSCP in the inbound packets is trusted. For traffic coming from host 11.3.1.1, the DSCP in the packet is changed to 56. The traffic rate from the 10.1.0.0 network and from host 11.3.1.1 is policed. If the traffic exceeds an average rate of 48000 bps and a normal burst size of 8000 bytes, its DSCP is marked down (based on the policed-DSCP map) and sent. The ingress policy map is attached to a port.
Switch(config)# access-list 1 permit 10.1.0.0 0.0.255.255Switch(config)# access-list 2 permit 11.3.1.1Switch(config)# mls qos aggregate-police transmit1 48000 8000 exceed-action policed-dscp-transmitSwitch(config)# class-map ipclass1Switch(config-cmap)# match access-group 1Switch(config-cmap)# exitSwitch(config)# class-map ipclass2Switch(config-cmap)# match access-group 2Switch(config-cmap)# exitSwitch(config)# policy-map aggflow1Switch(config-pmap)# class ipclass1Switch(config-pmap-c)# trust dscpSwitch(config-pmap-c)# police aggregate transmit1Switch(config-pmap-c)# exitSwitch(config-pmap)# class ipclass2Switch(config-pmap-c)# set dscp 56Switch(config-pmap-c)# police aggregate transmit1Switch(config-pmap-c)# exitSwitch(config-pmap)# exitSwitch(config)# interface gigabitethernet1/0/1Switch(config-if)# service-policy input aggflow1Switch(config-if)# exitConfiguring DSCP Maps
These sections describe how to configure the DSCP maps:
•
•
•
•
•
All the maps, except the DSCP-to-DSCP-mutation map, are globally defined and are applied to all ports.
Configuring the CoS-to-DSCP Map
You use the CoS-to-DSCP map to map CoS values in inbound packets to a DSCP value that QoS uses internally to represent the priority of the traffic.
Table 32-12 shows the default CoS-to-DSCP map.
If these values are not appropriate for your network, you need to modify them.
Beginning in privileged EXEC mode, follow these steps to modify the CoS-to-DSCP map. This procedure is optional.
To return to the default map, use the no mls qos cos-dscp global configuration command.
This example shows how to modify and display the CoS-to-DSCP map:
Switch(config)# mls qos map cos-dscp 10 15 20 25 30 35 40 45Switch(config)# endSwitch# show mls qos maps cos-dscpCos-dscp map:cos: 0 1 2 3 4 5 6 7--------------------------------dscp: 10 15 20 25 30 35 40 45Configuring the IP-Precedence-to-DSCP Map
You use the IP-precedence-to-DSCP map to map IP precedence values in inbound packets to a DSCP value that QoS uses internally to represent the priority of the traffic.
Table 32-13 shows the default IP-precedence-to-DSCP map:
Table 32-13 Default IP-Precedence-to-DSCP Map
0
0
1
8
2
16
3
24
4
32
5
40
6
48
7
56
If these values are not appropriate for your network, you need to modify them.
Beginning in privileged EXEC mode, follow these steps to modify the IP-precedence-to-DSCP map. This procedure is optional.
To return to the default map, use the no mls qos ip-prec-dscp global configuration command.
This example shows how to modify and display the IP-precedence-to-DSCP map:
Switch(config)# mls qos map ip-prec-dscp 10 15 20 25 30 35 40 45Switch(config)# endSwitch# show mls qos maps ip-prec-dscpIpPrecedence-dscp map:ipprec: 0 1 2 3 4 5 6 7--------------------------------dscp: 10 15 20 25 30 35 40 45Configuring the Policed-DSCP Map
You use the policed-DSCP map to mark down a DSCP value to a new value as the result of an ingress policing and marking action.
The default policed-DSCP map is a null map, which maps an inbound DSCP value to the same DSCP value.
Beginning in privileged EXEC mode, follow these steps to modify the policed-DSCP map. This procedure is optional.
To return to the default map, use the no mls qos policed-dscp global configuration command.
This example shows how to map DSCP 50 to 57 to a marked-down DSCP value of 0:
Switch(config)# mls qos map policed-dscp 50 51 52 53 54 55 56 57 to 0Switch(config)# endSwitch# show mls qos maps policed-dscpPoliced-dscp map:d1 : d2 0 1 2 3 4 5 6 7 8 9---------------------------------------0 : 00 01 02 03 04 05 06 07 08 091 : 10 11 12 13 14 15 16 17 18 192 : 20 21 22 23 24 25 26 27 28 293 : 30 31 32 33 34 35 36 37 38 394 : 40 41 42 43 44 45 46 47 48 495 : 00 00 00 00 00 00 00 00 58 596 : 60 61 62 63
Note
Configuring the DSCP-to-CoS Map
You use the DSCP-to-CoS map to generate a CoS value, which is used to select one of the four queues in the egress queue-set.
Table 32-14 shows the default DSCP-to-CoS map.
Table 32-14 Default DSCP-to-CoS Map
0-7
0
8-15
1
16-23
2
24-31
3
32-39
4
40-47
5
48-55
6
56-63
7
If these values are not appropriate for your network, you need to modify them.
Beginning in privileged EXEC mode, follow these steps to modify the DSCP-to-CoS map. This procedure is optional.
To return to the default map, use the no mls qos dscp-cos global configuration command.
This example shows how to map DSCP values 0, 8, 16, 24, 32, 40, 48, and 50 to CoS value 0 and to display the map:
Switch(config)# mls qos map dscp-cos 0 8 16 24 32 40 48 50 to 0Switch(config)# endSwitch# show mls qos maps dscp-cosDscp-cos map:d1 : d2 0 1 2 3 4 5 6 7 8 9---------------------------------------0 : 00 00 00 00 00 00 00 00 00 011 : 01 01 01 01 01 01 00 02 02 022 : 02 02 02 02 00 03 03 03 03 033 : 03 03 00 04 04 04 04 04 04 044 : 00 05 05 05 05 05 05 05 00 065 : 00 06 06 06 06 06 07 07 07 076 : 07 07 07 07
Note
Configuring the DSCP-to-DSCP-Mutation Map
If two QoS domains have different DSCP definitions, use the DSCP-to-DSCP-mutation map to translate one set of DSCP values to match the definition of another domain. You apply the DSCP-to-DSCP-mutation map to the receiving port (ingress mutation) at the boundary of a QoS administrative domain.
With ingress mutation, the new DSCP value overwrites the one in the packet, and QoS treats the packet with this new value. The switch sends the packet out the port with the new DSCP value.
You can configure multiple DSCP-to-DSCP-mutation maps and apply them to traffic received on a port. The default DSCP-to-DSCP-mutation map is a null map, which maps an inbound DSCP value to the same DSCP value.
Beginning in privileged EXEC mode, follow these steps to modify the DSCP-to-DSCP-mutation map. This procedure is optional.
To return to the default map, use the no mls qos dscp-mutation dscp-mutation-name global configuration command.
This example shows how to define the DSCP-to-DSCP-mutation map. All the entries that are not explicitly configured are not modified (remains as specified in the null map).
Switch(config)# mls qos map dscp-mutation mutation1 1 2 3 4 5 6 7 to 0Switch(config)# mls qos map dscp-mutation mutation1 8 9 10 11 12 13 to 10Switch(config)# mls qos map dscp-mutation mutation1 20 21 22 to 20Switch(config)# mls qos map dscp-mutation mutation1 30 31 32 33 34 to 30Switch(config)# interface gigabitethernet1/0/1Switch(config-if)# mls qos trust dscpSwitch(config-if)# mls qos dscp-mutation mutation1Switch(config-if)# endSwitch# show mls qos maps dscp-mutation mutation1Dscp-dscp mutation map:mutation1:d1 : d2 0 1 2 3 4 5 6 7 8 9---------------------------------------0 : 00 00 00 00 00 00 00 00 10 101 : 10 10 10 10 14 15 16 17 18 192 : 20 20 20 23 24 25 26 27 28 293 : 30 30 30 30 30 35 36 37 38 394 : 40 41 42 43 44 45 46 47 48 495 : 50 51 52 53 54 55 56 57 58 596 : 60 61 62 63
Note
Configuring Ingress Queue Characteristics
Depending on the complexity of your network and your QoS solution, you might need to perform all of the tasks in the next sections. You will need to make decisions about these characteristics:
•
•
•
•
•
These sections describe how to configure ingress queue characteristics:
•
•
•
•
Mapping DSCP or CoS Values to an Ingress Queue and Setting WTD Thresholds
You can prioritize inbound traffic by placing packets with particular DSCP or CoS values into certain queues and by adjusting the queue thresholds so that packets with lower priorities are dropped.
Beginning in privileged EXEC mode, follow these steps to map DSCP or CoS values to an ingress queue and to set WTD thresholds. This procedure is optional.
To return to the default CoS input queue threshold map or the default DSCP input queue threshold map, use the no mls qos srr-queue input cos-map or the no mls qos srr-queue input dscp-map global configuration command. To return to the default WTD threshold percentages, use the no mls qos srr-queue input threshold queue-id global configuration command.
This example shows how to map DSCP values 0 to 6 to ingress queue 1 and to threshold 1 with a drop threshold of 50 percent. It maps DSCP values 20 to 26 to ingress queue 1 and to threshold 2 with a drop threshold of 70 percent.
Switch(config)# mls qos srr-queue input dscp-map queue 1 threshold 1 0 1 2 3 4 5 6Switch(config)# mls qos srr-queue input dscp-map queue 1 threshold 2 20 21 22 23 24 25 26Switch(config)# mls qos srr-queue input threshold 1 50 70In this example, the DSCP values (0 to 6) are assigned the WTD threshold of 50 percent and will be dropped sooner than the DSCP values (20 to 26) assigned to the WTD threshold of 70 percent.
Allocating Buffer Space Between the Ingress Queues
You define the ratio (allocate the amount of space) with which to divide the ingress buffers between the two queues. The buffer and the bandwidth allocation control how much data can be buffered before packets are dropped.
Beginning in privileged EXEC mode, follow these steps to allocate the buffers between the ingress queues. This procedure is optional.
To return to the default setting, use the no mls qos srr-queue input buffers global configuration command.
This example shows how to allocate 60 percent of the buffer space to ingress queue 1 and 40 percent of the buffer space to ingress queue 2:
Switch(config)# mls qos srr-queue input buffers 60 40Allocating Bandwidth Between the Ingress Queues
You need to specify how much of the available bandwidth is allocated between the ingress queues. The ratio of the weights is the ratio of the frequency in which the SRR scheduler sends packets from each queue to the internal ring. The bandwidth and the buffer allocation control how much data can be buffered before packets are dropped. On ingress queues, SRR operates only in shared mode.
Beginning in privileged EXEC mode, follow these steps to allocate bandwidth between the ingress queues. This procedure is optional.
Step 1
configure terminal
Enter global configuration mode.
Step 2
mls qos srr-queue input bandwidth weight1 weight2
Assign shared round robin weights to the ingress queues.
The default setting for weight1 and weight2 is 4 (1/2 of the bandwidth is equally shared between the two queues).
For weight1 and weight2, the range is 1 to 100. Separate each value with a space.
SRR services the priority queue for its configured weight as specified by the bandwidth keyword in the mls qos srr-queue input priority-queue queue-id bandwidth weight global configuration command. Then, SRR shares the remaining bandwidth with both ingress queues and services them as specified by the weights configured with the mls qos srr-queue input bandwidth weight1 weight2 global configuration command. For more information, see the "Configuring the Ingress Priority Queue" section.
Step 3
end
Return to privileged EXEC mode.
Step 4
show mls qos interface queueing
or
show mls qos input-queue
Verify your entries.
Step 5
copy running-config startup-config
(Optional) Save your entries in the configuration file.
To return to the default setting, use the no mls qos srr-queue input bandwidth global configuration command.
This example shows how to assign the ingress bandwidth to the queues. Priority queueing is disabled, and the shared bandwidth ratio allocated to queue 1 is 25/(25+75) and to queue 2 is 75/(25+75).
Switch(config)# mls qos srr-queue input priority-queue 2 bandwidth 0Switch(config)# mls qos srr-queue input bandwidth 25 75Configuring the Ingress Priority Queue
You should use the ingress priority queue only for traffic that needs to be expedited (for example, voice traffic, which needs minimum delay and jitter).
The priority queue is guaranteed part of the bandwidth to reduce the delay and jitter under heavy network traffic on an oversubscribed ring (when there is more traffic than the backplane can carry, and the queues are full and dropping frames).
SRR services the priority queue for its configured weight as specified by the bandwidth keyword in the mls qos srr-queue input priority-queue queue-id bandwidth weight global configuration command. Then, SRR shares the remaining bandwidth with both ingress queues and services them as specified by the weights configured with the mls qos srr-queue input bandwidth weight1 weight2 global configuration command.
Beginning in privileged EXEC mode, follow these steps to configure the ingress priority queue. This procedure is optional.
To return to the default setting, use the no mls qos srr-queue input priority-queue queue-id global configuration command. To disable priority queueing, set the bandwidth weight to 0, for example, mls qos srr-queue input priority-queue queue-id bandwidth 0.
This example shows how to assign the ingress bandwidths to the queues. Queue 1 is the priority queue with 10 percent of the bandwidth allocated to it. The bandwidth ratios allocated to queues 1 and 2 is 4/(4+4). SRR services queue 1 (the priority queue) first for its configured 10 percent bandwidth. Then SRR equally shares the remaining 90 percent of the bandwidth between queues 1 and 2 by allocating 45 percent to each queue.
Switch(config)# mls qos srr-queue input priority-queue 1 bandwidth 10Switch(config)# mls qos srr-queue input bandwidth 4 4Configuring Egress Queue-Set Characteristics
Depending on the complexity of your network and your QoS solution, you might need to perform all of the tasks in the next sections. You will need to make decisions about these characteristics:
•
•
•
•
•
•
These sections describe how to configure egress queue-set characteristics:
•
•
•
•
•
•
Allocating Buffer Space to and Setting WTD Thresholds for an Egress Queue-Set
You can guarantee the availability of buffers, set WTD thresholds, and configure the maximum memory allocation for a queue-set by using the mls qos queue-set output qset-id threshold queue-id drop-threshold1 drop-threshold2 reserved-threshold maximum-threshold global configuration command.
Each threshold value is a percentage of the queue's allocated memory, which you specify by using the mls qos queue-set output qset-id buffers allocation1 ... allocation4 global configuration command. The queues use WTD to support distinct drop percentages for different traffic classes.
Note
Beginning in privileged EXEC mode, follow these steps to configure the memory allocation and drop thresholds for a queue-set. This procedure is optional.
To return to the default setting, use the no mls qos queue-set output qset-id buffers global configuration command. To return to the default WTD threshold percentages, use the no mls qos queue-set output qset-id threshold [queue-id] global configuration command.
This example shows how to map a port to queue-set 2. It allocates 40 percent of the buffer space to egress queue 1 and 20 percent each to egress queues 2, 3, and 4. It configures the drop thresholds for queue 2 to 40 and 60 percent of the allocated memory, guarantees (reserves) 100 percent of the allocated memory, and configures 200 percent as the maximum memory that this queue can have before packets are dropped.
Switch(config)# mls qos queue-set output 2 buffers 40 20 20 20Switch(config)# mls qos queue-set output 2 threshold 2 40 60 100 200Switch(config)# interface fastethernet1/0/1Switch(config-if)# queue-set 2Mapping DSCP or CoS Values to an Egress Queue-Set and to a Threshold ID
You can prioritize traffic by placing packets with particular DSCP or CoS values into certain queues and by adjusting the queue thresholds so that packets with lower priorities are dropped.
Note
Beginning in privileged EXEC mode, follow these steps to map DSCP or CoS values to an egress queue and to a threshold ID. This procedure is optional.
To return to the default DSCP output queue threshold map or the default CoS output queue threshold map, use the no mls qos srr-queue output dscp-map or the no mls qos srr-queue output cos-map global configuration command.
This example shows how to map DSCP values 10 and 11 to egress queue 1 and to threshold 2:
Switch(config)# mls qos srr-queue output dscp-map queue 1 threshold 2 10 11Configuring SRR Shaped Weights on an Egress Queue-Set
You can specify how much of the available bandwidth is allocated to each queue in the queue-set. The ratio of the weights is the ratio of frequency in which the SRR scheduler sends packets from a standard port.
Note
You can configure the egress queues for shaped weights, shared weights, or both. Use shaping to smooth bursty traffic or to provide a smoother output over time. For conceptual information, see the "SRR Shaping and Sharing" section. For configuration information, see the "Configuring SRR Shared Weights on an Egress Queue-Set" section.
Note
Beginning in privileged EXEC mode, follow these steps to assign the shaped weights and to enable bandwidth shaping on a standard port mapped to the four egress queues. This procedure is optional.
To return to the default setting, use the no srr-queue bandwidth shape interface configuration command.
This example shows how to configure bandwidth shaping on queue 1. Because the weight ratios for queues 2, 3, and 4 are set to 0, these queues operate in shared mode. The bandwidth weight for queue 1 is 1/8, which is 12.5 percent.
Switch(config)# interface gigabitethernet1/0/1Switch(config-if)# srr-queue bandwidth shape 8 0 0 0Configuring SRR Shared Weights on an Egress Queue-Set
In shared mode, the queues in the queue-set share the bandwidth among them according to the configured weights. The bandwidth is guaranteed at this level but not limited to it. For example, if a queue empties and does not require a share of the link, the remaining queues can expand into the unused bandwidth and share it among them. With sharing, the ratio of the weights controls the frequency of dequeuing; the absolute values are meaningless.
Note
Beginning in privileged EXEC mode, follow these steps to assign the shared weights and to enable bandwidth sharing on a port mapped to the four egress queues. This procedure is optional.
To return to the default setting, use the no srr-queue bandwidth share interface configuration command.
This example shows how to configure the weight ratio of the SRR scheduler running on an egress port. Four queues are used, and the bandwidth ratio allocated for each queue in shared mode is 1/(1+2+3+4), 2/(1+2+3+4), 3/(1+2+3+4), and 4/(1+2+3+4), which is 10 percent, 20 percent, 30 percent, and 40 percent for queues 1, 2, 3, and 4. This means that queue 4 has four times the bandwidth of queue 1, twice the bandwidth of queue 2, and one-and-a-third times the bandwidth of queue 3.
Switch(config)# interface gigabitethernet1/0/1Switch(config-if)# srr-queue bandwidth share 1 2 3 4Configuring the Egress Priority Queue
Beginning in Cisco IOS Release 12.1(14)AX2, you can ensure that certain packets have priority over all others by queuing them in the egress priority queue on a port. SRR services this queue until it is empty and before servicing the other queues.
If you expect that the traffic classes mapped to the egress priority queue will pass through an ES port, you also might want to map those classes for strict-priority queuing as described in the "Enabling LLQ" section.
Beginning in privileged EXEC mode, follow these steps to enable the egress priority queue. This procedure is optional.
To disable the egress priority queue, use the no priority-queue out interface configuration command.
This example shows how to enable the egress priority queue when the SRR weights are configured. The egress expedite queue overrides the configured SRR weights.
Switch(config)# interface gigabitethernet1/0/1Switch(config-if)# srr-queue bandwidth shape 25 0 0 0Switch(config-if)# srr-queue bandwidth share 30 20 25 25Switch(config-if)# priority-queue outSwitch(config-if)# endLimiting the Egress Bandwidth on a Queue-Set
You can limit the egress bandwidth on a standard port mapped to a queue-set. For example, if a customer pays only for a small percentage of a high-speed link, you can limit the bandwidth to that amount.
Note
Beginning in privileged EXEC mode, follow these steps to limit the egress bandwidth on a standard port. This procedure is optional.
To return to the default setting, use the no srr-queue bandwidth limit interface configuration command.
This example shows how to limit the bandwidth on a standard port to 80 percent:
Switch(config)# interface gigabitethernet1/0/1Switch(config-if)# srr-queue bandwidth limit 80When you configure this command to 80 percent, the port is idle 20 percent of the time. The line rate drops to 80 percent of the connected speed, which is 800 Mbps. These values are not exact because the hardware adjusts the line rate in increments of six.
Displaying Standard QoS Information
To display standard QoS information, use one or more of the privileged EXEC commands in Table 32-15:
Configuring Hierarchical QoS
You can configure hierarchical QoS (traffic classification, CBWFQ, LLQ, shaping, and two-rate, three-color policing) and apply it to inbound or outbound traffic on an ES port.
Before configuring hierarchical QoS, you must have a thorough understanding of these items:
•
•
•
•
These sections describe how to configure hierarchical QoS on your switch. Read these sections if traffic is flowing from a standard or an ES port to an ES port:
•
•
•
Default Hierarchical QoS Configuration
QoS is disabled.
No traffic classes, class maps, policy maps, or policers are defined.
LLQ is disabled.
CBWFQ is disabled.
Tail drop is enabled.
WRED is disabled.
Average-rate traffic shaping is disabled.
Hierarchical QoS Configuration Guidelines
These hierarchical QoS configuration guidelines apply to ingress and egress service-policies on an ES port:
•
•
•
•
•
•
