Monday, July 6, 2009

configuring QoS on 3560

Hi all, after a little break used to pass the QoS exam and become CCIP certified, I started "playing" with QoS on my production LAN.

So, for each platform, I'm trying to think about QoS.

Let's start with the 3560 platform... we use Cisco IP phones with PCs connected to the phones' switched port.

Carefully read the following documents:
-Catalyst 3560 Switch Software Configuration Guide, 12.2(20)SE - Configuring QoS
(all pictures on this post are links to this guide)

and look at the basic QoS model scheme (Fig. 31-2):

[Figure 31-2: basic QoS model]


Let's take a look at the default config when you enable mls qos on 3560s:


3650G-PoE#sh ver | inc Software|image
Cisco IOS Software, C3560 Software (C3560-IPBASE-M), Version 12.2(44)SE2, RELEASE SOFTWARE (fc2)
System image file is "flash:c3560-ipbase-mz.122-44.SE2/c3560-ipbase-mz.122-44.SE2.bin"
3650G-PoE#

3650G-PoE#sh mls qos
QoS is enabled
QoS ip packet dscp rewrite is enabled

OK, QoS is enabled, and now?
The task has only just started. DON'T leave the default configuration: keep in mind that by default all switchports are in untrusted mode, and SRR is enabled with a shape of 25% of the bandwidth for queue 1, which serves cos 5 traffic.

Well, first of all, you need to define "trust" on the ports connected to users and to other switches, to avoid remarking all traffic to cos 0.

By default ports are in untrusted mode:

3650G-PoE#sh run int gi 0/7 | beg int
interface GigabitEthernet0/7
description *** IP phone (vlan 4) + PC (vlan 30) ***
switchport trunk encapsulation dot1q
switchport trunk native vlan 30
switchport trunk allowed vlan 4,30
switchport mode trunk
switchport voice vlan 4
end

3650G-PoE#sh mls qos int gi 0/7
GigabitEthernet0/7
trust state: not trusted
trust mode: not trusted
trust enabled flag: ena
COS override: dis
default COS: 0
DSCP Mutation Map: Default DSCP Mutation Map
Trust device: none
qos mode: port-based


OK, let's configure trust on the IP phone + PC port:

3650G-PoE#sh run int gi 0/7 | beg int
interface GigabitEthernet0/7
description *** IP phone (vlan 4) + PC (vlan 30) ***
switchport trunk encapsulation dot1q
switchport trunk native vlan 30
switchport trunk allowed vlan 4,30
switchport mode trunk
switchport voice vlan 4
mls qos trust device cisco-phone
mls qos trust cos
end

3650G-PoE#sh mls qos int gi 0/7
GigabitEthernet0/7
trust state: trust cos
trust mode: trust cos
trust enabled flag: ena
COS override: dis
default COS: 0
DSCP Mutation Map: Default DSCP Mutation Map
Trust device: cisco-phone
qos mode: port-based


3650G-PoE#sh loggin | inc TRUST
Jul 6 17:37:56: %SWITCH_QOS_TB-5-TRUST_DEVICE_DETECTED: cisco-phone detected on port Gi0/7,
port's configured trust state is now operational.
3650G-PoE#


OK, since CDP is enabled globally, the switch "senses" where Cisco IP phones are connected and trusts those ports using cos, according to our configuration.
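The three trust states a port can end up in, as an added example that is not part of the original post: a small Python audit that reads interface stanzas and reports whether trust is absent, conditional on a CDP-detected Cisco phone, or unconditional. Gi0/7 mirrors the port above; Gi0/8, Gi0/9 and the function name are constructed for illustration.

```python
import re

# Constructed sample config. Gi0/7 mirrors the port shown in the post;
# Gi0/8 and Gi0/9 are hypothetical ports added to show the other two states.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/7
 switchport mode trunk
 switchport voice vlan 4
 mls qos trust device cisco-phone
 mls qos trust cos
!
interface GigabitEthernet0/8
 switchport mode access
 mls qos trust cos
!
interface GigabitEthernet0/9
 switchport mode access
!
"""

def trust_states(config):
    """Map each interface to 'untrusted', 'conditional:<field>' (trusted only
    while CDP detects a Cisco phone) or 'unconditional:<field>'."""
    ports, iface = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"interface\s+(\S+)$", line)
        if m:
            iface = m.group(1)
            ports[iface] = {"field": None, "phone": False}
        elif line in ("!", "end"):
            iface = None                      # end of the interface stanza
        elif iface and line == "mls qos trust device cisco-phone":
            ports[iface]["phone"] = True
        elif iface:
            m = re.match(r"mls qos trust (cos|dscp|ip-precedence)$", line)
            if m:
                ports[iface]["field"] = m.group(1)
    result = {}
    for name, p in ports.items():
        if p["field"] is None:
            result[name] = "untrusted"        # switch default, as in the post
        else:
            kind = "conditional" if p["phone"] else "unconditional"
            result[name] = kind + ":" + p["field"]
    return result

if __name__ == "__main__":
    for name, state in trust_states(SAMPLE_CONFIG).items():
        print(name, state)
```

Ports reported as unconditional on user-facing interfaces are the ones to review, because there the switch accepts the markings of whatever device is attached.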

Well, now look at the cos-to-dscp map that is used to assign an internal dscp to incoming traffic:
3650G-PoE#sh mls qos maps cos-dscp
Cos-dscp map:
cos: 0 1 2 3 4 5 6 7
--------------------------------
dscp: 0 8 16 24 32 40 48 56


This is the default cos-to-dscp map. Remember that Cisco IP phones mark voice traffic as cos 5, voice signaling as cos 3 and PC port traffic as cos 0 (unless extend trust is configured).
Note that the default cos-dscp map assigns cos 5 (the default for voice traffic) to dscp 40, and you most likely want it mapped to dscp 46 = EF... so we need to modify this map.

Let's modify this map as follows:

3650G-PoE#conf t
Enter configuration commands, one per line. End with CNTL/Z.
3650G-PoE(config)#mls qos map cos-dscp 0 8 16 26 32 46 48 56
3650G-PoE(config)#end
3650G-PoE#sh mls qos maps cos-dscp
Cos-dscp map:
cos: 0 1 2 3 4 5 6 7
--------------------------------
dscp: 0 8 16 26 32 46 48 56

Note: this is also the "auto-qos voip" cos-dscp map...

After the classification stage, it's the turn of the policer stage; by default none is enabled:

3650G-PoE#sh mls qos interface gi 0/7 policers
GigabitEthernet0/7

3650G-PoE#sh mls qos aggregate-policer
3650G-PoE#

So all our incoming traffic will be "in profile" and not remarked at the "mark" stage.

Now it's the turn of the Scheduling and Queuing stage before the TX internal ring, the so-called "ingress queues"; look at Figure 31-5:


[Figure 31-5: Scheduling and Queuing]


There are two ingress queues, with the sharing option only (no shaping on ingress!).
The traffic will be placed in the two queues according to the cos-input-q map (since we have trusted cos... I'm not completely sure about it; if someone can confirm it, please...)

3650G-PoE#sh mls qos maps cos-input-q
Cos-inputq-threshold map:
cos: 0 1 2 3 4 5 6 7
------------------------------------
queue-threshold: 1-1 1-1 1-1 1-1 1-1 2-1 1-1 1-1


3650G-PoE#sh mls qos input-queue
Queue : 1 2
----------------------------------------------
buffers : 90 10
bandwidth : 4 4
priority : 0 10
threshold1: 100 100
threshold2: 100 100


Well, by default only cos 5 traffic is placed in queue 2.
Queue 2 has less bandwidth (10%; it's expected that voice traffic is less than data) but has priority = 10, so queue 2 is served more often by the scheduler.

The "auto-qos voip" generated configuration for input queue is:

no mls qos srr-queue input priority-queue 1
no mls qos srr-queue input priority-queue 2

mls qos srr-queue input bandwidth 90 10
mls qos srr-queue input threshold 1 8 16
mls qos srr-queue input threshold 2 34 66
mls qos srr-queue input buffers 67 33

mls qos srr-queue input cos-map queue 1 threshold 2 1
mls qos srr-queue input cos-map queue 1 threshold 3 0
mls qos srr-queue input cos-map queue 2 threshold 1 2
mls qos srr-queue input cos-map queue 2 threshold 2 4 6 7
mls qos srr-queue input cos-map queue 2 threshold 3 3 5
[..dscp input settings omitted]

In fact, since this config is applied to a port with a Cisco phone connected, it's expected to receive only cos 0, 3 and 5. But you can configure a policer and (re)mark out-of-profile traffic, so we can "read" this auto-qos config as:
- queue 1 threshold 2: cos 1 (maybe you use it for scavenger traffic)
- queue 1 threshold 3: cos 0 (normal data traffic expected)
- queue 2 threshold 1: cos 2 (what kind of traffic here? out-of-profile? video?)
- queue 2 threshold 2: cos 4 6 7 (with an attached IP phone)
- queue 2 threshold 3: cos 3 5 (voice signaling and voice traffic)

I guess that it can be fine for our purposes.
The new map will be:
3650G-PoE#sh mls qos maps cos-input-q
Cos-inputq-threshold map:
cos: 0 1 2 3 4 5 6 7
------------------------------------
queue-threshold: 1-3 1-2 2-1 2-3 2-2 2-3 2-2 2-2

3650G-PoE#sh mls qos input-queue
Queue : 1 2
----------------------------------------------
buffers : 67 33
bandwidth : 90 10
priority : 0 10
threshold1: 8 34
threshold2: 16 66



At this stage, the traffic is switched onto the internal ring and placed in the egress queue of the egress interface...
To better understand the egress queue, read this interesting article by Petr Lapukhov:
Quick Notes on the 3560 Egress Queuing

Let's take a look at the "auto-qos voip" generated config for cos and the egress queues...

mls qos srr-queue output cos-map queue 1 threshold 3 5
mls qos srr-queue output cos-map queue 2 threshold 3 3 6 7
mls qos srr-queue output cos-map queue 3 threshold 3 2 4
mls qos srr-queue output cos-map queue 4 threshold 2 1
mls qos srr-queue output cos-map queue 4 threshold 3 0
mls qos queue-set output 1 threshold 1 138 138 92 138
mls qos queue-set output 1 threshold 2 138 138 92 400
mls qos queue-set output 1 threshold 3 36 77 100 318
mls qos queue-set output 1 threshold 4 20 50 67 400
mls qos queue-set output 2 threshold 1 149 149 100 149
mls qos queue-set output 2 threshold 2 118 118 100 235
mls qos queue-set output 2 threshold 3 41 68 100 272
mls qos queue-set output 2 threshold 4 42 72 100 242
mls qos queue-set output 1 buffers 10 10 26 54
mls qos queue-set output 2 buffers 16 6 17 61
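To cross-check the cos-map lines against what the switch reports, here is an added example (not from the original post or from Cisco) that parses the ingress and egress cos-map commands quoted in this post and traces one CoS value through the cos-dscp map, the ingress queue and the egress queue. The function names are illustrative.

```python
import re

# cos-map lines copied from the auto-qos config quoted in this post.
AUTOQOS = """\
mls qos srr-queue input cos-map queue 1 threshold 2 1
mls qos srr-queue input cos-map queue 1 threshold 3 0
mls qos srr-queue input cos-map queue 2 threshold 1 2
mls qos srr-queue input cos-map queue 2 threshold 2 4 6 7
mls qos srr-queue input cos-map queue 2 threshold 3 3 5
mls qos srr-queue output cos-map queue 1 threshold 3 5
mls qos srr-queue output cos-map queue 2 threshold 3 3 6 7
mls qos srr-queue output cos-map queue 3 threshold 3 2 4
mls qos srr-queue output cos-map queue 4 threshold 2 1
mls qos srr-queue output cos-map queue 4 threshold 3 0
"""
COS_DSCP = [0, 8, 16, 26, 32, 46, 48, 56]   # modified cos-dscp map from the post

LINE = re.compile(r"mls qos srr-queue (input|output) cos-map "
                  r"queue (\d+) threshold (\d+) ((?:\d+ ?)+)$")

def parse_cos_maps(config):
    """Return {'input': {cos: (queue, threshold)}, 'output': {...}}."""
    maps = {"input": {}, "output": {}}
    for raw in config.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        direction, queue, threshold, values = m.groups()
        for cos in map(int, values.split()):
            if cos > 7:
                raise ValueError("CoS out of range: %r" % raw)
            maps[direction][cos] = (int(queue), int(threshold))
    return maps

def show_format(cos_map):
    """Render one direction like the queue-threshold row of 'sh mls qos maps';
    '?-?' marks a CoS these lines do not set (it keeps its previous mapping)."""
    return " ".join("%d-%d" % cos_map[c] if c in cos_map else "?-?"
                    for c in range(8))

def trace(cos, maps):
    """Follow one trusted CoS value: internal DSCP, ingress and egress queue."""
    return {"dscp": COS_DSCP[cos],
            "ingress": maps["input"].get(cos),
            "egress": maps["output"].get(cos)}

if __name__ == "__main__":
    maps = parse_cos_maps(AUTOQOS)
    print(show_format(maps["input"]))
    print(trace(5, maps))
```

The ingress row it renders is the same queue-threshold row shown in the "sh mls qos maps cos-input-q" output above, and cos 5 ends up in egress queue 1.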


Recall that you must enable the priority queue on the egress queue:

3650G-PoE(config)#int gi 0/7
3650G-PoE(config-if)#priority-queue out
3650G-PoE(config-if)#end
3650G-PoE#sh mls qos interface gi 0/7 queueing
GigabitEthernet0/7
Egress Priority Queue : enabled
Shaped queue weights (absolute) : 25 0 0 0
Shared queue weights : 10 10 60 20
The port bandwidth limit : 100 (Operational Bandwidth:100.0)
The port is mapped to qset : 2


[... to be continued ...]
