Default Switch Commands
no ip domain-lookup
port-channel load-balance src-dst-ip
!
mls qos
mls qos map cos-dscp 0 8 16 24 32 46 48 54
mls qos map dscp-cos 46 to 5
mls qos map dscp-cos 24 to 3
!
line con 0
logging synchronous
exec-timeout 0
Switch to Switch Links
!
interface fastethernet x/x
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk native vlan x (if specified by the question)
switchport trunk allowed vlan x,y,z
priority-queue out (on a 3560 or 2960)
mls qos trust dscp
!
WAN/Internet
ip access-list extended ACL-RTP
permit udp any range 16384 32767 any range 16384 32767
!
ip access-list extended ACL-SCCP
permit tcp any any eq 2000
permit tcp any eq 2000 any
!
class-map MAP-RTP
match access-group name ACL-RTP
!
class-map MAP-SCCP
match access-group name ACL-SCCP
!
policy-map POLICY-VOICE
class MAP-RTP
set dscp ef
class MAP-SCCP
set dscp cs3
!
interface fastethernet x/x
no switchport
ip address x.x.x.x y.y.y.y
service-policy POLICY-VOICE in
priority-queue out
CME
interface fastethernet x/x
switchport mode access
switchport access vlan x
spanning-tree portfast
spanning-tree bpduguard enable
mls qos trust dscp
priority-queue out
WISM
wism service-vlan z
!
wism module x controller 1 allowed-vlan y,z (this should bring up the LAG)
wism module x controller 1 native-vlan x (I would make this something other than management to maintain QoS)
wism module x controller 1 qos-trust cos
!
wism module x controller 2 allowed-vlan y,z
wism module x controller 2 native-vlan x
wism module x controller 2 qos-trust cos
WLC (LAG)
interface fastethernet x/x
channel-group 1 mode on
!
interface port-channel 1
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk native vlan x (again, don't make this the management VLAN unless you are told to)
switchport trunk allowed vlan x,y,z
spanning-tree portfast trunk
spanning-tree bpduguard enable
priority-queue out
mls qos trust cos
WLC (No LAG)
interface fastethernet x/x
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk native vlan x (if specified by the question)
switchport trunk allowed vlan x,y,z
spanning-tree portfast trunk
spanning-tree bpduguard enable
priority-queue out
mls qos trust cos
LAP (Local Mode)
interface fastethernet x/x
switchport mode access
switchport access vlan x (always needed for management interface)
spanning-tree portfast
spanning-tree bpduguard enable
priority-queue out
mls qos trust dscp
LAP (H-REAP)
interface fastethernet x/x
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk native vlan x (always needed for management interface)
switchport trunk allowed vlan x,y,z
priority-queue out
mls qos trust cos
AAP (Multiple VLANs)
interface fastethernet x/x
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk native vlan x (if specified by the question)
switchport trunk allowed vlan x,y,z
spanning-tree portfast trunk
spanning-tree bpduguard enable
priority-queue out
mls qos trust cos
AAP (Single VLAN)
interface fastethernet x/x
switchport mode access
switchport access vlan x
spanning-tree portfast
spanning-tree bpduguard enable
priority-queue out
mls qos trust dscp
IP Phone
interface fastethernet x/x
switchport mode access
switchport access vlan x
switchport voice vlan y
spanning-tree portfast
spanning-tree bpduguard enable
priority-queue out
mls qos trust device cisco-phone (CDP required; this detects a Cisco phone and applies the configured trust)
mls qos trust cos
Note about "priority queue out"
This is required on the 3560 to turn queue 1 into the expedite (priority) queue. Then, based on the default output queue mappings, CoS 5 gets placed into that queue and dealt with first.
The Cat 6500, depending on the module, does not need or support the command, as it often has a fixed priority queue, so it may be that simply applying the correct trust state and making sure the maps are correct is enough to deal with voice as priority. I guess it depends on what they are asking.
Notes about SRR/WRR and marking
When looking at QoS configurations for switchports, there are several things to keep in mind. I'll address two here. First, when you configure "mls qos," that automatically enables SRR or WRR on the ports with the default percentages and thresholds. Additional configurations of SRR or WRR would be used to change the defaults.
For the individual interface trust configurations, remember that if the port is an access port, there will not be any CoS markings in the frame to trust. On a trunk port, you would generally trust CoS (if you need to trust anything). However, as mentioned, you normally want to trust DSCP on trunks between switches. The reason is that the frames have already had their CoS-DSCP mappings applied on ingress to the first switch, so they carry an appropriate DSCP marking that you have already determined. Let's say that you are trusting an end device's DSCP markings, and that it sends a packet with DSCP AF31. On egress (with the default map), that will be mapped to CoS 3. On ingress at the next switch, if you trust CoS, that will be remarked to DSCP CS3. Thus, your trust of the end device's marking is negated by trusting CoS on the trunk.
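Added example, not from the post: a small Python model of the trust and remarking sequence described above, using the Catalyst default cos-dscp map plus the overrides from the global config at the top of the page. The default dscp-cos map is assumed to be dscp // 8 (the standard default), and the function and variable names are mine.

```python
"""Model of Catalyst 3560/3750-style ingress trust and CoS/DSCP maps.

Added illustration, not a Cisco tool: it replays the remarking sequence the
note describes (trust DSCP at the edge, then CoS vs DSCP trust on the trunk).
"""

# Default cos-dscp map (index = CoS 0..7) and the page's 'mls qos map cos-dscp' override.
DEFAULT_COS_DSCP = [0, 8, 16, 24, 32, 40, 48, 56]
PAGE_COS_DSCP = [0, 8, 16, 24, 32, 46, 48, 54]
# The page's 'mls qos map dscp-cos 46 to 5' and '24 to 3' (both equal the default anyway).
PAGE_DSCP_COS = {46: 5, 24: 3}


def dscp_to_cos(dscp, overrides=None):
    """Default dscp-cos map is dscp // 8; 'mls qos map dscp-cos X to Y' overrides single entries."""
    return (overrides or {}).get(dscp, dscp // 8)


def ingress(trust, frame, cos_dscp=DEFAULT_COS_DSCP):
    """Apply an ingress trust state and return the internal DSCP the switch carries.
    frame: dict with 'dscp' and optional 'cos' (None on an access port: no 802.1Q tag)."""
    if trust == "dscp":
        return frame["dscp"]
    if trust == "cos":
        cos = frame.get("cos")
        if cos is None:          # untagged frame: nothing to trust, port default CoS 0 applies
            cos = 0
        return cos_dscp[cos]     # CoS is rewritten into DSCP via the cos-dscp map
    return 0                     # untrusted port: remarked to best effort


def egress(dscp, dscp_cos=None):
    """On egress the 802.1Q CoS is derived from the internal DSCP via the dscp-cos map."""
    return {"dscp": dscp, "cos": dscp_to_cos(dscp, dscp_cos)}


def across_trunk(edge_dscp, trunk_trust, cos_dscp=DEFAULT_COS_DSCP, dscp_cos=None):
    """End device -> access port (trust dscp) -> trunk -> next switch with trunk_trust."""
    internal = ingress("dscp", {"dscp": edge_dscp})   # access port trusting the phone's DSCP
    tagged = egress(internal, dscp_cos)               # frame leaves on the trunk with CoS set
    return ingress(trunk_trust, tagged, cos_dscp)     # neighbour's trunk trust decides the DSCP


AF31, CS3, EF = 26, 24, 46

if __name__ == "__main__":
    print(across_trunk(AF31, "cos"))                  # AF31 -> CoS 3 -> CS3: edge marking lost
    print(across_trunk(AF31, "dscp"))                 # AF31 preserved end to end
    print(across_trunk(EF, "cos"))                    # default map: EF -> CoS 5 -> DSCP 40
    print(across_trunk(EF, "cos", PAGE_COS_DSCP))     # page's map keeps CoS 5 as EF (46)
```

The last two calls show why the page's global config remaps CoS 5 to DSCP 46: with the default map, trusting CoS on a trunk would downgrade EF voice to DSCP 40.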
An alternative for WAN/Internet???
WAN/Internet
ip access-list extended ACL-RTP
permit udp any any range 16384 32767
ip access-list extended ACL-SCCP
permit tcp any any eq 2000
class-map MAP-RTP
match access-group name ACL-RTP
!
class-map MAP-SCCP
match access-group name ACL-SCCP
!
policy-map POLICY-VOICE
class MAP-RTP
set dscp ef
class MAP-SCCP
set dscp cs3
!
interface fastethernet x/x
no switchport
ip address x.x.x.x y.y.y.y
service-policy POLICY-VOICE in
priority-queue out (does not work on CAT65)
Well, H-REAP AP:
If the access point is running H-REAP but your Voice WLAN is running Central Switched, you would trust DSCP, as Voice WLAN LWAPP packets will run over the native interface with no dot1q/CoS header. :)
Hi Phil, nice blog. I like it because it is simple and straight to the point. One question about this post. Do you think it would be OK to add spanning-tree portfast trunk with bpduguard to the H-REAP port?
Thanks
Raffaele