Re: mls qos use policy-map for marking

From: Joe Astorino <jastorino_at_ipexpert.com>
Date: Wed, 21 Apr 2010 03:51:35 -0400

It should, yes, as long as you trust DSCP on your inbound trunk on Cat2
and are not doing any other kind of manipulation to the DSCP value,
like a DSCP-DSCP mutation or something.

2010/4/21 Bao Bao Chou <apache7220_at_hotmail.com>:
>
> Hi Joe
>
> Yes, I did the same configuration as you did, and the ping results in the
> same ACL hit, and show policy-map interface fa0/1 shows nothing, as you said.
>
> now if i use
>
> R1------cat1--------cat2-------r2,
>
> mark all incoming traffic from R1 to EF on Cat1, with trunk ports between
> Cat1 and Cat2 that trust DSCP, then can R2 still see the EF marking?
>
> Thank you so much.
>
>> From: jastorino_at_ipexpert.com
>> Date: Wed, 21 Apr 2010 03:00:51 -0400
>> Subject: Re: mls qos use policy-map for marking
>> To: kagahian_at_ccbootcamp.com
>> CC: apache7220_at_hotmail.com; ccielab_at_groupstudy.com
>>
>> Oh, BTW "show policy-map interface" is not "supported" on the 3550 : )
>> Yes, it will run but the numbers basically mean nothing : ) To test
>> your markings try something like what I have shown above.
>>
>> On Wed, Apr 21, 2010 at 2:54 AM, Joe Astorino <jastorino_at_ipexpert.com>
>> wrote:
>> > What does your configuration look like? I have tested this myself and
>> > it seems to work for me. However, I would agree with Kambiz that you
>> > should check out the documentation:
>> >
>> > R1---Cat1---R2
>> >
>> > Here I have R1 and R2 connected to the same 3550 switch: They operate
>> > on VLAN 12 on the 12.12.12.0/24 subnet. I have the following ACL
>> > configured on R2 inbound:
>> > access-list 101 permit ip any any dscp ef
>> > access-list 101 permit ip any any dscp default
>> >
>> >
>> > Cat1
>> > --------
>> >
>> > mls qos
>> > !
>> > vlan 12
>> > !
>> > access-list 101 permit ip any any
>> > !
>> > class-map match-all MARK-EF
>> >  match access-group 101
>> > !
>> > !
>> > policy-map foo
>> >  class MARK-EF
>> >   set dscp ef
>> > !
>> > interface FastEthernet0/1
>> >  description R1
>> >  switchport access vlan 12
>> >  switchport mode access
>> >  spanning-tree portfast
>> >  service-policy input foo
>> > !
>> > interface GigabitEthernet0/2
>> >  description R2
>> >  switchport access vlan 12
>> >  switchport mode access
>> >  spanning-tree portfast
>> >
>> >
>> > Here are the results when R2 pings R1. Note that the 3550 marks the
>> > return packet as DSCP EF:
>> >
>> > R2#show access-list 101
>> > Extended IP access list 101
>> > 10 permit ip any any dscp ef
>> > 20 permit ip any any dscp default
>> >
>> > R2#sh run int gi0/0 | i access
>> > ip access-group 101 in
>> >
>> > R2#ping 12.12.12.1
>> >
>> > Type escape sequence to abort.
>> > Sending 5, 100-byte ICMP Echos to 12.12.12.1, timeout is 2 seconds:
>> > !!!!!
>> > Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
>> > R2#show access-list 101
>> > Extended IP access list 101
>> > 10 permit ip any any dscp ef (5 matches)
>> > 20 permit ip any any dscp default
>> >
>> >
>> > With regards to your "mls qos trust dscp" on a trunk port -- Yes, it
>> > is a layer 2 port but it is still a layer 3 switch : ) The 3550 still
>> > has the ability to look into the IP header and take action based on
>> > that information. If you configure that command it will allow the
>> > trunk to trust the layer 3 DSCP markings on incoming IP traffic.
>> >
>> > On Wed, Apr 21, 2010 at 2:27 AM, Kambiz Agahian
>> > <kagahian_at_ccbootcamp.com> wrote:
>> >> Hi Bao,
>> >>
>> >> Instead of a YES/NO answer I want you to spend a couple of hours on the
>> >> following link:
>> >>
>> >>
>> >> http://www.cisco.com/en/US/products/hw/switches/ps646/products_tech_note09186a00800feff5.shtml
>> >>
>> >> Believe me; rarely does Cisco develop such a nice article.
>> >>
>> >> --------------------------
>> >> Kambiz Agahian
>> >> CCIE (R&S)
>> >> CCSI, WAASSE, RSSSE
>> >> Technical Instructor
>> >> CCBOOTCAMP - Cisco Learning Solutions Partner (CLSP)
>> >> Email: kagahian_at_ccbootcamp.com
>> >> Toll Free: 877-654-2243
>> >> International: +1-702-968-5100
>> >> Skype: skype:ccbootcamp?call
>> >> FAX: +1-702-446-8012
>> >> YES! We take Cisco Learning Credits!
>> >> Training And Remote Racks: http://www.ccbootcamp.com
>> >> OEQ Voice Waiver: http://www.ccbootcamp.com/noeqvoice.html
>> >> OEQ R&S Waiver: http://www.ccbootcamp.com/noeqrs.html
>> >> OEQ Commercial: http://www.ccbootcamp.com/noeq.mp
>> >>
>> >>
>> >>
>> >>
>> >>
>> >> -----Original Message-----
>> >> From: nobody_at_groupstudy.com on behalf of Bao Bao Chou
>> >> Sent: Tue 4/20/2010 10:50 PM
>> >> To: ccielab_at_groupstudy.com
>> >> Subject: mls qos use policy-map for marking
>> >>
>> >> Hi Group Study experts
>> >>
>> >> Recently I tested using a policy-map for marking on my 3550 switch, and
>> >> found some problems.
>> >>
>> >> First, I configured a class map to match all the traffic, and used a
>> >> policy-map to match that class to set DSCP EF. Then I applied that policy
>> >> map to the incoming direction of an access port (layer 2), which is
>> >> connected to a router. After that I tried generating some traffic from the
>> >> router, and then on the switch, I found there is nothing matched when I
>> >> tried "show policy-map interface".
>> >>
>> >> But after I changed the switch port to a layer 3 port, the marking is
>> >> successfully done.
>> >>
>> >> So I am wondering whether policy-map marking only works on a layer 3 port.
>> >> Please help me to confirm it. Thanks a lot.
>> >>
>> >>
>> >> And by the way, what is the meaning if I put "mls qos trust dscp" on a
>> >> trunk port? Since a trunk port is a layer 2 port, it won't check the
>> >> layer 3 portion, is it?
>> >>
>> >> Blogs and organic groups at http://www.ccie.net
>> >>
>> >> _______________________________________________________________________
>> >> Subscription information may be found at:
>> >> http://www.groupstudy.com/list/CCIELab.html
>> >
>> >
>> >
>> > --
>> > Regards,
>> >
>> >
>> >
>> > Joe Astorino - CCIE #24347
>> > Sr. Technical Instructor - IPexpert
>> > Mailto: jastorino_at_ipexpert.com
>> > Telephone: +1.810.326.1444
>> > Live Assistance, Please visit: www.ipexpert.com/chat
>> > eFax: +1.810.454.0130
>> >
>> > IPexpert is a premier provider of Self-Study Workbooks, Video on
>> > Demand, Audio Tools, Online Hardware Rental and Classroom Training for
>> > the Cisco CCIE (R&S, Voice, Security & Service Provider)
>> > certification(s) with training locations throughout the United States,
>> > Europe, South Asia and Australia. Be sure to visit our online
>> > communities at www.ipexpert.com/communities and our public website at
>> > www.ipexpert.com
>> >

-- 
Regards,
Joe Astorino - CCIE #24347
Sr. Technical Instructor - IPexpert
Mailto: jastorino_at_ipexpert.com
Telephone: +1.810.326.1444
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130
Received on Wed Apr 21 2010 - 03:51:35 ART
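
The thread verifies marking with ACL hit counters on the receiving router, since "show policy-map interface" counters are not meaningful on the 3550. The following is an added example, not part of any message in the thread: it parses two "show access-list" snapshots and reports which DSCP entry the received packets hit. The function names are assumptions; BEFORE and AFTER copy the R2 output quoted above, and UNMARKED is a constructed failure case.

```python
import re

# One ACL entry, e.g. "10 permit ip any any dscp ef (5 matches)".
ENTRY = re.compile(
    r"^\s*\d+\s+permit\s+.*?\bdscp\s+(?P<dscp>\S+)"
    r"(?:\s+\((?P<hits>\d+)\s+match(?:es)?\))?\s*$"
)

def parse_counters(show_output):
    """Return {dscp_keyword: hit_count}; entries with no counter shown are 0."""
    counters = {}
    for line in show_output.splitlines():
        m = ENTRY.match(line)
        if m:
            counters[m.group("dscp")] = int(m.group("hits") or 0)
    return counters

def marking_delta(before, after):
    """Hits gained per DSCP entry between two snapshots."""
    b, a = parse_counters(before), parse_counters(after)
    return {dscp: a[dscp] - b.get(dscp, 0) for dscp in a}

def verify_marking(before, after, expected="ef", sent=5):
    """True if at least `sent` packets hit the expected entry and none hit another."""
    delta = marking_delta(before, after)
    stray = {d: n for d, n in delta.items() if d != expected and n > 0}
    return delta.get(expected, 0) >= sent and not stray

# R2 output from the thread, before and after the 5-packet ping.
BEFORE = """Extended IP access list 101
    10 permit ip any any dscp ef
    20 permit ip any any dscp default
"""
AFTER = """Extended IP access list 101
    10 permit ip any any dscp ef (5 matches)
    20 permit ip any any dscp default
"""
# Constructed: what R2 would show if the replies arrived unmarked.
UNMARKED = """Extended IP access list 101
    10 permit ip any any dscp ef
    20 permit ip any any dscp default (5 matches)
"""

if __name__ == "__main__":
    print(marking_delta(BEFORE, AFTER), verify_marking(BEFORE, AFTER))
    print(marking_delta(BEFORE, UNMARKED), verify_marking(BEFORE, UNMARKED))
```

The same check applies to the R1---Cat1---Cat2---R2 question: hits landing on the "default" entry instead of "ef" indicate the marking was not preserved across the trunk.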

This archive was generated by hypermail 2.2.0 : Sat May 01 2010 - 09:49:57 ART