Cisco Commands – Trust DSCP Command Missing on Cisco 3850

ciscocisco-catalystcisco-commandsqosswitch

We have an incoming QoS configuration on our 2960X switches like this:

class-map match-any QOS_GL_TRUST
 match ip dscp 8 16 24 32 46 
class-map match-any QOS_GL_CITRIX
 match access-group name QOS_GL_CITRIX

policy-map QOS_LAN_IN
 class QOS_GL_TRUST
  trust dscp
 class QOS_GL_CITRIX
  set dscp 32
 class class-default
  set dscp default

So basically, this accepts the packets and keeps the markings for DSCP8,16,24,32, and 46. If not already marked by DSCP32, Citrix traffic will match the ACL and a marking of DSCP32 will be set. All other DSCP markings are overwritten with DSCP0. So this works great so far. Now we want to have the same configuration on our Cisco 3850 switches. But we dont have the trust command:

switch(config-pmap-c)#? 
Policy-map class configuration commands:
  bandwidth        Bandwidth
  drop             Drop all packets
  encap-sequence   MCMLP encapsulate sequence
  exit             Exit from class action configuration mode
  netflow-sampler  NetFlow action
  no               Negate or set default values of a command
  police           Police
  priority         Strict Scheduling Priority for this Class
  queue-buffers    queue buffer
  queue-limit      Queue Max Threshold for Tail Drop
  service-policy   Configure QoS Service Policy
  set              Set QoS values
  shape            Traffic Shaping

So if i want to achieve the same job as on the 2960X Switches, i'd have to do following:

class-map match-any QOS_GL_VOICERTP
 match ip dscp 46
class-map match-any QOS_GL_CITRIX
 match ip dscp 32
 match access-group name QOS_GL_CITRIX
class-map match-any QOS_GL_VOICESIP
 match ip dscp 24
class-map match-any QOS_GL_MANAGEMENT
 match ip dscp 16
class-map match-any QOS_GL_TRASH
 match ip dscp 8

policy-map QOS_LAN_IN
class QOS_GL_VOICERTP
  set dscp 46
 class QOS_GL_CITRIX
  set dscp 32
 class QOS_GL_VOICESIP
  set dscp 24
 class QOS_GL_MANAGEMENT
  set dscp 16
 class QOS_GL_TRASH
  set dscp 8
 class class-default
  set dscp default

So you can see that the 3850er configuration is much more code. So is there a better solution to achieve this? I am talking about the marking only, no actual QoS prioritization going on here.

Best Answer

The newer Cisco switches (3K, 4K, 9K) trust by default, so the trust command is no longer there. The QoS is implemented differently on those switches. You need somewhat different QoS configurations for different switch families.

Another difference that you may notice is that you can only do port-based QoS on the 2K switches, but you can do VLAN-based QoS on the 3K, 4K, and 9K switches. Also, you have limited TCAM space on the 2K switches, and you may need to adjust the TCAM allocation if you start to run out (see the answer to this question).

Related Solutions

DSCP trust over IPSec GRE

I just stumbled across this old one showing up as related, and wanted to answer, for having been in that situation more than once.

No need for trust configuration on cisco routers like ISR G1 (18xx/28xx/38xx), G2 (19xx/29xx/39xx) or ISR 4000 series - and probably older ones, too.

As long as there is no inbound QoS policies that would classifiy and (re)mark the packets, they will leave the ToS byte alone.

Usually, the to-be-encapsulated packet's ToS Byte (including DSCP) is copied out to the encapsulating headers.

Also see https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/WAN_and_MAN/QoS_SRND/QoS-SRND-Book/IPSecQoS.pdf

Chapter "ToS Byte preservation" (Page 6-12):

To overcome this predicament, the IPSec protocol standards inherently have provisioned the capability to preserve the ToS byte information of the original IP header by copying it to the IP headers added by the tunneling and encryption process.

QoS Preclassification is also explained right there. In a nutshell: with QoS preclassify, every to-be-encrypted data packet gets a companion data structure in router memory that holds information from the original packet. Egress QoS policies then queue/schedule the encrypted packet properly, based on the data from the companion data instead of the encapsulated/encrypted (and therefore inaccessible) original packet.

If I understand your case correctly, default-active ToS byte preservation and an egress policy on the tunnel interface should work pretty nicely, making sure that the packets leave the router in the order you intend them to.

However, it may be that the metro ethernet or the WAN service provider might not trust the dscp markings in the outermost IP headers and might nullify them. That may be of minor concern for two reasons:

the packets left the router after queuing/scheduling, in the order you wanted them to. If your egress policy includes proper shaping to just-under-the-SP's thresholds, the SP's devices won't need to queue/reschedule.
the remote tunnel endpoint will start do decapsulate the incoming packet. First step will be to discard the outermost IP header with the possibly nullified ToS byte. No harm done, the next IP Header will still have the original ToS byte with the DSCP field.

QoS Marking Map Not Marking Properly – Cisco QoS Troubleshooting

I overlooked the match-all statement in class-map ef. In my case it meant that packet that reach LAN interface has to match both statements access-group name ef and protocol rtp. Problem was packet not match the second conditions protocol rtp.

class-map match-all ef
 match access-group name ef
 match protocol rtp

So I changed it to match-any.

class-map match-any ef
 match access-group name ef
 match protocol rtp

Best Answer

Related Solutions

DSCP trust over IPSec GRE

QoS Marking Map Not Marking Properly – Cisco QoS Troubleshooting

Related Topic