- Release 15.4SY Supervisor Engine 2T Software Configuration Guide
- Preface
- Product Overview
- Command-Line Interfaces
- Smart Port Macros
- Virtual Switching Systems (VSS)
- Enhanced Fast Software Upgrade (eFSU)
- Fast Software Upgrades
- Stateful Switchover (SSO)
- Non-Stop Forwarding (NSF)
- RPR Supervisor Engine Redundancy
- Interface Configuration
- UniDirectional Link Detection (UDLD)
- Instant Access
- EnergyWise
- Power Management
- Environmental Monitoring
- Online Diagnostics
- Onboard Failure Logging (OBFL)
- Switch Fabric Functionality
- Cisco IP Phone Support
- Power over Ethernet
- Layer 2 LAN Port Configuration
- Flex Links
- EtherChannels
- IEEE 802.1ak MVRP and MRP
- VLAN Trunking Protocol (VTP)
- VLANs
- Private VLANs (PVLANs)
- Private Hosts
- IEEE 802.1Q Tunneling
- Layer 2 Protocol Tunneling
- Spanning Tree Protocols (STP, MST)
- Optional STP Features
- IP Unicast Layer 3 Switching
- Policy Based Routing (PBR)
- Layer 3 Interface Configuration
- Unidirectional Ethernet (UDE) and unidirectional link routing (UDLR)
- Multiprotocol Label Switching (MPLS)
- MPLS VPN Support
- Ethernet over MPLS (EoMPLS)
- Virtual Private LAN Services (VPLS)
- L2VPN Advanced VPLS (A-VPLS)
- Ethernet Virtual Connections (EVC)
- Layer 2 over Multipoint GRE (L2omGRE)
- Campus Fabric
- IPv4 Multicast Layer 3 Features
- IPv4 Multicast IGMP Snooping
- IPv4 PIM Snooping
- IPv4 Multicast VLAN Registration (MVR)
- IPv4 IGMP Filtering
- IPv4 Router Guard
- IPv4 Multicast VPN Support
- IPv6 Multicast Layer 3 Features
- IPv6 MLD Snooping
- NetFlow Hardware Support
- Call Home
- System Event Archive (SEA)
- Backplane Platform Monitoring
- Local SPAN, RSPAN, and ERSPAN
- SNMP IfIndex Persistence
- Top-N Reports
- Layer 2 Traceroute Utility
- Mini Protocol Analyzer
- PFC QoS Guidelines and Restrictions
- PFC QoS Overview
- PFC QoS Classification, Marking, and Policing
- PFC QoS Policy Based Queueing
- PFC QoS Global and Interface Options
- AutoQoS
- MPLS QoS
- PFC QoS Statistics Data Export
- Cisco IOS ACL Support
- Cisco TrustSec (CTS)
- AutoSecure
- MAC Address-Based Traffic Blocking
- Port ACLs (PACLs)
- VLAN ACLs (VACLs)
- Policy-Based Forwarding (PBF)
- Denial of Service (DoS) Protection
- Configuring IGMP Proxy
- Control Plane Policing (CoPP)
- Dynamic Host Configuration Protocol (DHCP) Snooping
- IP Source Guard
- Dynamic ARP Inspection (DAI)
- Traffic Storm Control
- Unknown Unicast Flood Control
- IEEE 802.1X Port-Based Authentication
- Configuring Web-Based Authentication
- Port Security
- Lawful Intercept
- How to Configure the Ingress LAN Port CoS Value
- How to Configure Egress DSCP Mutation
- How to Configure Ingress CoS Mutation on IEEE 802.1Q Tunnel Ports
- How to Configure DSCP Value Maps
- How to Configure Trusted Boundary with Cisco Device Verification
- Legacy Configuration Procedures for Queueing-Only Mode
- Legacy Configuration Procedures for VLAN-Based PFCQoS on Layer2 LAN Ports
- Legacy Configuration Procedures for Port Trust State
- Legacy Configuration Procedures for DSCP-Based Queue Mapping
QoS Global and Interface Options
- How to Configure the Ingress LAN Port CoS Value
- How to Configure Egress DSCP Mutation
- How to Configure Ingress CoS Mutation on IEEE 802.1Q Tunnel Ports
- How to Configure DSCP Value Maps
- How to Configure Trusted Boundary with Cisco Device Verification
- Legacy Configuration Procedures for Queueing-Only Mode
- Legacy Configuration Procedures for VLAN-Based PFC QoS on Layer 2 LAN Ports
- Legacy Configuration Procedures for Port Trust State
- Legacy Configuration Procedures for DSCP-Based Queue Mapping
Note ● For complete syntax and usage information for the commands used in this chapter, see these publications:
http://www.cisco.com/en/US/products/ps11846/prod_command_reference_list.html
- Cisco IOS Release 15.4SY supports only Ethernet interfaces. Cisco IOS Release 15.4SY does not support any WAN features or commands.
http://www.cisco.com/en/US/products/hw/switches/ps708/tsd_products_support_series_home.html
Participate in the Technical Documentation Ideas forum
How to Configure the Ingress LAN Port CoS Value
Note A service policy applied to a port overrides any commands configured on the port.
Whether or not PFC QoS uses the CoS value applied with the platform qos cos command depends on the trust state of the port and the trust state of the traffic received through the port. The platform qos cos command does not configure the trust state of the port or the trust state of the traffic received through the port.
To use the CoS value applied with the platform qos cos command as the basis of internal DSCP:
- On a port that receives only untagged ingress traffic, configure the ingress port as trusted or configure a trust CoS policy map that matches the ingress traffic.
- On a port that receives tagged ingress traffic, configure a trust CoS policy map that matches the ingress traffic.
- The original ingress CoS value remains known.
– By default, for IPv4 and IPv6 traffic, the ingress CoS value is overwritten by the DSCP value.
– By default, for other traffic that is not tagged, the ingress CoS value is used, rather than the configured port CoS value.
– Use the platform qos cos override interface command to use the value configured with the platform qos cos interface command instead of the original ingress CoS value.
You can configure the CoS value that PFC QoS assigns to untagged frames from ingress LAN ports configured as trusted and to all frames from ingress LAN ports configured as untrusted.
To configure the CoS value for an ingress LAN port, perform this task:
|
|
|
---|---|---|
Router(config)# interface {{ type slot/port } | { port-channel number }} |
||
This example shows how to configure the CoS value 5 on Fast Ethernet port 5/24 and verify the configuration:
How to Configure Egress DSCP Mutation
Configuring Named DSCP Mutation Maps
To configure a named DSCP mutation map, perform this task:
|
|
|
---|---|---|
Router(config)# platform qos map dscp-mutation map_name dscp1 [ dscp2 [ dscp3 [ dscp4 [ dscp5 [ dscp6 [ dscp7 [ dscp8 ]]]]]]] to mutated_dscp |
||
- You can enter up to 8 DSCP values that map to a mutated DSCP value.
- You can enter multiple commands to map additional DSCP values to a mutated DSCP value.
- You can enter a separate command for each mutated DSCP value.
This example shows how to map DSCP 30 to mutated DSCP value 8:
This example shows how to verify the configuration:
Note In the DSCP mutation map displays, the marked-down DSCP values are shown in the body of the matrix; the first digit of the original DSCP value is in the column labeled d1 and the second digit is in the top row. In the example shown, DSCP 30 maps to DSCP 08.
Attaching an Egress DSCP Mutation Map to an Interface
To attach an egress DSCP mutation map to an interface, perform this task:
This example shows how to attach the egress DSCP mutation map named mutmap1 to Fast Ethernet port 5/36:
How to Configure Ingress CoS Mutation on IEEE 802.1Q Tunnel Ports
- Ingress CoS Mutation Configuration Guidelines and Restrictions
- Configuring Ingress CoS Mutation Maps
- Applying Ingress CoS Mutation Maps to IEEE 802.1Q Tunnel Ports
Note ● IEEE 802.1Q tunnel ports configured to trust received CoS support ingress CoS mutation (see the “Applying Ingress CoS Mutation Maps to IEEE 802.1Q Tunnel Ports” section for the list of supported modules).
When you configure ingress CoS mutation on an IEEE 802.1Q tunnel port that you have configured to trust received CoS, PFC QoS uses the mutated CoS value instead of the received CoS value in the ingress drop thresholds and for any trust CoS marking and policing.
Ingress CoS Mutation Configuration Guidelines and Restrictions
- Ports that are not configured as IEEE 802.1Q tunnel ports do not support ingress CoS mutation.
- Ports that are not configured to trust received CoS do not support ingress CoS mutation.
- Ingress CoS mutation does not change the CoS value carried by the customer frames. When the customer traffic exits the 802.1Q tunnel, the original CoS is intact.
- These switching modules support ingress CoS mutation:
– WS-X6848-SFP-2T, WS-X6748-SFP
– WS-X6824-SFP-2T, WS-X6724-SFP
– WS-X6848-TX-2T, WS-X6748-GE-TX
– WS-X6704-10GE:
4 ports, 4 port groups, 1 port in each group
– WS-X6848-SFP-2T, WS-X6748-SFP:
48 ports, 4 port groups: ports 1–12, 13–24, 25–36, and 37–48
– WS-X6824-SFP-2T, WS-X6724-SFP:
24 ports, 2 port groups: ports 1–12 and 13–24
– WS-X6848-TX-2T, WS-X6748-GE-TX:
48 ports, 4 port groups: ports 1–12, 13–24, 25–36, and 37–48
- To avoid ingress CoS mutation configuration failures, only create EtherChannels where all member ports support ingress CoS mutation or where no member ports support ingress CoS mutation. Do not create EtherChannels with mixed support for ingress CoS mutation.
- If you configure ingress CoS mutation on a port that is a member of an EtherChannel, the ingress CoS mutation is applied to the port-channel interface.
- You can configure ingress CoS mutation on port-channel interfaces.
- With ingress CoS mutation configured on a port-channel interface, the following occurs:
– The ingress CoS mutation configuration is applied to the port groups of all member ports of the EtherChannel. If any member port cannot support ingress CoS mutation, the configuration fails.
– If a port in the port group is a member of a second EtherChannel, the ingress CoS mutation configuration is applied to the second port-channel interface and to the port groups of all member ports of the second EtherChannel. If any member port of the second EtherChannel cannot support ingress CoS mutation, the configuration fails on the first EtherChannel. If the configuration originated on a nonmember port in a port group that has a member port of the first EtherChannel, the configuration fails on the nonmember port.
– The ingress CoS mutation configuration propagates without limit through port groups, member ports, and port-channel interfaces, regardless of whether or not the ports are configured to trust CoS or are configured as IEEE 802.1Q tunnel ports.
- An EtherChannel where you want to configure ingress CoS mutation must not have member ports that are in port groups containing member ports of other EtherChannels that have member ports that do not support ingress CoS mutation. (This restriction extends without limit through all port-group-linked member ports and port-channel-interface-linked ports.)
- A port where you want to configure ingress CoS mutation must not be in a port group that has a member port of an EtherChannel that has members that do not support ingress CoS mutation. (This restriction extends without limit through all port-group-linked member ports and port-channel-interface-linked ports.)
- There can be only be one ingress CoS mutation configuration applied to all port-group-linked member ports and port-channel-interface-linked ports.
Configuring Ingress CoS Mutation Maps
To configure an ingress CoS mutation map, perform this task:
This example shows how to configure a CoS mutation map named testmap:
This example shows how to verify the map configuration:
Applying Ingress CoS Mutation Maps to IEEE 802.1Q Tunnel Ports
To attach an ingress CoS mutation map to an IEEE 802.1Q tunnel port, perform this task:
|
|
|
---|---|---|
Router(config)# interface {{ type slot/port } | { port-channel number }} |
||
Router(config-if)# platform qos cos-mutation mutation_map_name |
||
This example shows how to attach the ingress CoS mutation map named testmap to Gigabit Ethernet port 1/1:
How to Configure DSCP Value Maps
- Mapping Received CoS Values to Internal DSCP Values
- Mapping Received IP Precedence Values to Internal DSCP Values
- Configuring DSCP Markdown Values
- Mapping Internal DSCP Values to Egress CoS Values
Mapping Received CoS Values to Internal DSCP Values
To configure the mapping of received CoS values to the DSCP value that PFC QoS uses internally on the PFC, perform this task:
This example shows how to configure the received CoS to internal DSCP map:
This example shows how to verify the configuration:
Mapping Received IP Precedence Values to Internal DSCP Values
To configure the mapping of received IP precedence values to the DSCP value that PFC QoS uses internally on the PFC, perform this task:
This example shows how to configure the received IP precedence to internal DSCP map:
This example shows how to verify the configuration:
Configuring DSCP Markdown Values
To configure the mapping of DSCP markdown values used by policers, perform this task:
|
|
|
---|---|---|
Router(config)# table-map policed-discard-class { normal-burst | max-burst } dscp1 [ dscp2 [ dscp3 [ dscp4 [ dscp5 [ dscp6 [ dscp7 [ dscp8 ]]]]]]] to markdown_dscp |
||
When configuring a DSCP markdown map, note the following information:
- You can enter the normal-burst keyword to configure the markdown map used by the exceed-action policed-dscp-transmit keywords.
- You can enter the max-burst keyword to configure the markdown map used by the violate-action policed-dscp-transmit keywords.
Note When you create a policer that does not use the pir keyword, and the maximum_burst_bytes parameter is equal to the normal_burst_bytes parameter (which occurs if you do not enter the maximum_burst_bytes parameter), the exceed-action policed-dscp-transmit keywords cause PFC QoS to mark traffic down as defined by the policed-dscp max-burst markdown map.
- To avoid out-of-sequence packets, configure the markdown maps so that conforming and nonconforming traffic uses the same queue.
- You can enter up to 8 DSCP values that map to a marked-down DSCP value.
- You can enter multiple commands to map additional DSCP values to a marked-down DSCP value.
- You can enter a separate command for each marked-down DSCP value.
Note Configure marked-down DSCP values that map to CoS values consistent with the markdown penalty.
This example shows how to map DSCP 1 to marked-down DSCP value 0:
This example shows how to verify the configuration:
Note In the Policed-dscp displays, the marked-down DSCP values are shown in the body of the matrix; the first digit of the original DSCP value is in the column labeled d1 and the second digit is in the top row. In the example shown, DSCP 41 maps to DSCP 41.
Mapping Internal DSCP Values to Egress CoS Values
To configure the mapping of the DSCP value that PFC QoS uses internally on the PFC to the CoS value used for egress LAN port scheduling and congestion avoidance, perform this task:
|
|
|
---|---|---|
Router(config)# table-map discard-class-cos-map dscp1 [ dscp2 [ dscp3 [ dscp4 [ dscp5 [ dscp6 [ dscp7 [ dscp8 ]]]]]]] to cos_value |
||
- You can enter up to 8 DSCP values that PFC QoS maps to a CoS value.
- You can enter multiple commands to map additional DSCP values to a CoS value.
- You can enter a separate command for each CoS value.
This example shows how to configure internal DSCP values 0, 8, 16, 24, 32, 40, 48, and 54 to be mapped to egress CoS value 0:
This example shows how to verify the configuration:
Note In the Dscp-cos map
display, the CoS values are shown in the body of the matrix; the first digit of the DSCP value is in the column labeled d1 and the second digit is in the top row. In the example shown, DSCP values 41 through 47 all map to CoS 05.
How to Configure Trusted Boundary with Cisco Device Verification
The trusted boundary with Cisco device verification feature configures Ethernet LAN ports to use CDP to detect whether or not a Cisco IP phone is attached to the port.
- If CDP detects a Cisco IP phone, QoS applies a configured mls qos trust dscp, mls qos trust ip-precedence, or mls qos trust cos interface command.
- If CDP does not detect a Cisco IP phone, QoS ignores any configured nondefault trust state.
To configure trusted boundary with Cisco device verification, perform this task:
|
|
|
---|---|---|
Router(config)# interface {{ type slot/port } | { port-channel number }} |
||
When configuring trusted boundary with Cisco device verification, CDP must be enabled on the port to use trusted boundary with Cisco device verification.
This example shows how to configure trusted boundary with Cisco device verification on Gigabit Ethernet port 1/1:
This example shows how to verify the configuration on a port configured to trust CoS, but that does not have a Cisco IP phone attached:
Legacy Configuration Procedures for Queueing-Only Mode
Note You can configure the queueing-only functionality with service policies.
To enable queueing-only mode on the switch, perform this task:
|
|
|
---|---|---|
When you enable queueing-only mode, the following actions occur:
- Except on ports configured with service policies, disables policing and marking (preserves all ingress QoS labels).
- Configures ingress queueing on ports to which an ingress queueing policy is not attached. Configures egress queueing on ports to which an egress queueing policy is not attached.
- Configures all ports to trust Layer 2 CoS.
Note The switch applies the port CoS value to untagged ingress traffic and to traffic that is received through ports that cannot be configured to trust CoS.
This example shows how to enable queueing-only mode:
Legacy Configuration Procedures for VLAN-Based PFC QoS on Layer 2 LAN Ports
Note ● You can attach policy maps to Layer 3 interfaces for application of PFC QoS to egress traffic. VLAN-based or port-based PFC QoS on Layer 2 ports is not relevant to application of PFC QoS to egress traffic on Layer 3 interfaces.
- By default, PFC QoS uses policy maps attached to LAN ports. For ports configured as Layer 2 LAN ports with the switchport keyword, you can configure PFC QoS to use policy maps attached to a VLAN. Ports not configured with the switchport keyword are not associated with a VLAN.
To enable VLAN-based PFC QoS on a Layer 2 LAN port, perform this task:
|
|
|
---|---|---|
Router(config)# interface {{ type slot/port } | { port-channel number }} |
||
Enables VLAN-based PFC QoS on a Layer 2 LAN port or a Layer 2 EtherChannel. |
||
- The configured port trust state does not affect marking when the platform qos vlan-based interface command is configured.
- A service policy attached to the Layer 3 VLAN interface defines QoS for ports where the platform qos vlan-based interface command is configured.
- Service policies attached to ports configured with the platform qos vlan-based interface command are ignored.
- Configuring a Layer 2 LAN port for VLAN-based PFC QoS preserves the policy map port configuration. The no platform qos vlan-based port command reenables any previously configured port commands.
This example shows how to enable VLAN-based PFC QoS on Fast Ethernet port 5/42:
This example shows how to verify the configuration:
Legacy Configuration Procedures for Port Trust State
To configure a port to which a service policy is not attached as untrusted, perform this task:
|
|
|
---|---|---|
Router(config)# interface {{ type slot/port } | { port-channel number }} |
||
Configures the port as untrusted and marks all non-MPLS traffic. |
||
To configure a port to which a service policy is not attached to trust CoS or IP precedence, perform this task:
|
|
|
---|---|---|
Router(config)# interface {{ type slot/port } | { port-channel number }} |
||
Note The trust state of a port is unrelated to enables ingress queueing. To avoid dropping traffic because of inconsistent CoS values, configure ports to trust CoS only when the received traffic carries CoS values that you know to be consistent with network policy.
This example shows how to configure Gigabit Ethernet port 1/1 with the trust cos keywords:
This example shows how to verify the configuration:
Legacy Configuration Procedures for DSCP-Based Queue Mapping
- Configuring Ingress DSCP-Based Queue Mapping
- Mapping DSCP Values to Standard Transmit-Queue Thresholds
- Mapping DSCP Values to the Transmit Strict-Priority Queue
Note ● Do not use the procedures in this section if you have policy-based queueing configured.
- You can enable DSCP-based queues and thresholds on 8q4t, 1p7q2t, and 1p7q4t ports (see the “Module to Queue Type Mappings” section)
- DSCP-based queueing is supported on 8q4t, 1p7q2t, and 1p7q4t ports. The Supervisor Engine 2T-10GE ports are 8q4t/1p7q4t with the platform qos 10g-only global configuration command configured. To configure DSCP-based queue mapping on Supervisor Engine 2T ports, you must enter shutdown interface configuration mode commands for the Supervisor Engine 2T Gigabit Ethernet ports, and then enter the platform qos 10g-only global configuration command, which disables the Gigabit Ethernet ports on the Supervisor Engine 2T.
- In releases where CSCts82932 is not resolved, do not use the default DSCP-based queue mapping for 8q4t ingress queues unless you configure supporting bandwidth and queue limits.
Enabling DSCP-Based Queue Mapping
To enable DSCP-based queue mapping, perform this task:
|
|
|
---|---|---|
This example shows how to enable DSCP-based queue mapping on 10-Gigabit Ethernet port 6/1:
This example shows how to verify the configuration:
Configuring Ingress DSCP-Based Queue Mapping
Note Ingress DSCP-to-queue mapping is supported only on ports configured to trust DSCP.
Mapping DSCP Values to Standard Receive-Queue Thresholds
To map DSCP values to the standard receive-queue thresholds, perform this task:
|
|
|
---|---|---|
Router(config-if)# rcv-queue dscp-map queue_# threshold_# dscp1 [ dscp2 [ dscp3 [ dscp4 [ dscp5 [ dscp6 [ dscp7 [ dscp8 ]]]]]]] |
||
When mapping DSCP values, note the following information:
- You can enter up to 8 DSCP values that map to a queue and threshold.
- You can enter multiple commands to map additional DSCP values to the queue and threshold.
- You must enter a separate command for each queue and threshold.
This example shows how to map the DSCP values 0 and 1 to threshold 1 in the standard receive queue for 10-Gigabit Ethernet port 6/1 port 6/1:
Note The receive queue mapping is shown in the second queue thresh dscp-map
displayed by the show queueing interface command.
This example shows how to verify the configuration:
Mapping DSCP Values to Standard Transmit-Queue Thresholds
To map DSCP values to standard transmit-queue thresholds, perform this task:
|
|
|
---|---|---|
Router(config-if)# wrr-queue dscp-map transmit_queue_# threshold_# dscp1 [ dscp2 [ dscp3 [ dscp4 [ dscp5 [ dscp6 [ dscp7 [ dscp8 ]]]]]]] |
||
- You can enter up to 8 DSCP values that map to a queue and threshold.
- You can enter multiple commands to map additional DSCP values to the queue and threshold.
- You must enter a separate command for each queue and threshold.
This example shows how to map the DSCP values 0 and 1 to standard transmit queue 1/threshold 1 for 10-Gigabit Ethernet port 6/1 port 6/1:
Note The eighth queue is the strict priority queue in the output of the show queueing interface command.
This example shows how to verify the configuration:
Mapping DSCP Values to the Transmit Strict-Priority Queue
To map DSCP values to the transmit strict-priority queue, perform this task:
- The queue number is always 1.
- You can enter up to 8 DSCP values to map to the queue.
- You can enter multiple commands to map additional DSCP values to the queue.
This example shows how to map DSCP value 7 to the strict-priority queue on 10 Gigabit Ethernet port 6/1:
Note The strict priority queue is queue 8 in the output of the show queueing interface command.
This example shows how to verify the configuration:
http://www.cisco.com/en/US/products/hw/switches/ps708/tsd_products_support_series_home.html
Participate in the Technical Documentation Ideas forum