Configure QoS 2960/3560/3750

Catalyst 2960/2970/3560/3750

These Catalyst switch models are generally found in the access layer of the LAN, although in some deployments, the 3750 is used in the distribution level. These models support a 1P3Q3T queuing model.

Global Commands

These commands are entered at the global configuration level and are required in every QoS implementation. They map CoS and DSCP values and associate those markings with the appropriate interface queue and drop threshold.

Switch(config)#mls qos
Switch(config)#mls qos map cos-dscp 0 8 16 24 34 46 48 56
Switch(config)#mls qos srr-queue output cos-map queue 1 threshold 3 5
Switch(config)#mls qos srr-queue output cos-map queue 2 threshold 1 2 4
Switch(config)#mls qos srr-queue output cos-map queue 2 threshold 2 3
Switch(config)#mls qos srr-queue output cos-map queue 2 threshold 3 6 7
Switch(config)#mls qos srr-queue output cos-map queue 3 threshold 3 0
Switch(config)#mls qos srr-queue output cos-map queue 4 threshold 3 1
Switch(config)#mls qos srr-queue output dscp-map queue 1 threshold 3 46
Switch(config)#mls qos srr-queue output dscp-map queue 2 threshold 1 16
Switch(config)#mls qos srr-queue output dscp-map queue 2 threshold 1 18 20 22
Switch(config)#mls qos srr-queue output dscp-map queue 2 threshold 1 25
Switch(config)#mls qos srr-queue output dscp-map queue 2 threshold 1 32
Switch(config)#mls qos srr-queue output dscp-map queue 2 threshold 1 34 36 38
Switch(config)#mls qos srr-queue output dscp-map queue 2 threshold 2 24 26
Switch(config)#mls qos srr-queue output dscp-map queue 2 threshold 3 48 56
Switch(config)#mls qos srr-queue output dscp-map queue 3 threshold 3 0
Switch(config)#mls qos srr-queue output dscp-map queue 4 threshold 1 8
Switch(config)#mls qos srr-queue output dscp-map queue 4 threshold 3 10 12 14
Switch(config)#mls qos queue-set output 1 threshold 2 70 80 100 100
Switch(config)#mls qos queue-set output 1 threshold 4 40 100 100 100

Trunk Port Commands

Trunk ports, which include connections to other switches as well as Dot1Q (802.1Q) connections to routers, should be configured to trust the DSCP markings from the neighboring device.

Switch(config)#int gx/y
Switch(config-if)#queue-set 1
Switch(config-if)#srr-queue bandwidth share 1 70 25 5
Switch(config-if)#srr-queue bandwidth shape 30 0 0 0
Switch(config-if)#priority-queue out
Switch(config-if)#mls qos trust dscp

Voice Servers, WAN Routers, Gateways

Generally speaking, devices such as voice servers, WAN routers, and voice gateways can be trusted, similar to trunk ports.

Switch(config)#int gx/y
Switch(config-if)#queue-set 1
Switch(config-if)#srr-queue bandwidth share 1 70 25 5
Switch(config-if)#srr-queue bandwidth shape 30 0 0 0
Switch(config-if)#priority-queue out
Switch(config-if)#mls qos trust dscp

IP Phones without Soft Clients

When IP Phones are deployed in an environment without soft clients such as CIPC, CUVA, or CUPC, these access ports can simply trust the CoS marking from the IP Phone. If the customer will have any soft clients in the enterprise, follow the configuration template for IP Phones with Soft Clients instead, because it is not feasible to know exactly which ports may or may not have soft clients active.

Switch(config)#int gx/y
Switch(config-if)#queue-set 1
Switch(config-if)#srr-queue bandwidth share 1 70 25 5
Switch(config-if)#srr-queue bandwidth shape 30 0 0 0
Switch(config-if)#priority-queue out
Switch(config-if)#mls qos trust device cisco-phone
Switch(config-if)#mls qos trust cos

IP Phones with Soft Clients

Because both Cisco Unified Personal Communicator and Cisco IP Communicator with Cisco Unified Video Advantage mark their signaling and media packets correctly as they enter the network, Cisco recommends configuring the policy map to trust the DSCP marking of incoming traffic and to apply policing and rate limiting. Note that this document covers IP Phone control traffic for SCCP, Secure SCCP, and SIP implementations.

The customer can add classes for other applications that fall into the Bulk, Transactional, or Interactive categories, such as Oracle or FTP, by configuring additional ACLs and class-maps. You will create classes for voice and video. All other traffic not matched by these classes is policed at 5Mbps, which helps protect the environment from DoS attacks without affecting legitimate traffic.

Policers

Because the QoS policies mark traffic from PCs up into higher classes, we must ensure that we do not expose the infrastructure to a DoS attack from those PCs by allowing them to send more data than necessary in each class. Policers enforce this. By marking down out-of-profile packets to DSCP 8 (CS1, scavenger), excess packets carrying the policed marking receive a lower priority than best-effort traffic at DSCP 0.

Switch(config)#mls qos map policed-dscp 0 24 26 34 to 8

Access Lists

Access lists (ACLs) identify the traffic that must be marked at the point of ingress. These ACLs will vary from LAN segment to LAN segment, because both the voice VLAN and the data VLAN may differ from location to location within a deployment.

ip access-list extended VVLAN-VOICE
 permit udp any any range 16384 32767
ip access-list extended VVLAN-SIGNALING
 remark SCCP
 permit tcp any any range 2000 2002
ip access-list extended MULTIMEDIA-CONFERENCING
 remark RTP
 permit udp any any range 16384 32767
ip access-list extended SIGNALING
 remark SIP
 permit tcp any any range 5060 5061
 permit udp any any range 5060 5061
ip access-list extended TRANSACTIONAL-DATA
 remark HTTPS
 permit tcp any any eq 443
 remark ORACLE-SQL*NET
 permit tcp any any eq 1521
 permit udp any any eq 1521
 remark ORACLE
 permit tcp any any eq 1526
 permit udp any any eq 1526
 permit tcp any any eq 1575
 permit udp any any eq 1575
 permit tcp any any eq 1630
 permit udp any any eq 1526
ip access-list extended BULK-DATA
 remark FTP
 permit tcp any any eq ftp
 permit tcp any any eq ftp-data
 remark SSH/SFTP
 permit tcp any any eq 22
 remark SMTP/SECURE SMTP
 permit tcp any any eq smtp
 permit tcp any any eq 465
 remark IMAP/SECURE IMAP
 permit tcp any any eq 143
 permit tcp any any eq 993
 remark POP3/SECURE POP3
 permit tcp any any eq pop3
 permit tcp any any eq 995
 remark CONNECTED PC BACKUP
 permit tcp any eq 1914 any
ip access-list extended SCAVENGER
 remark KAZAA
 permit tcp any any eq 1214
 permit udp any any eq 1214
 remark MICROSOFT DIRECT X GAMING
 permit tcp any any range 2300 2400
 permit udp any any range 2300 2400
 remark APPLE ITUNES MUSIC SHARING
 permit tcp any any eq 3689
 permit udp any any eq 3689
 remark BITTORRENT
 permit tcp any any range 6881 6999
 remark YAHOO GAMES
 permit tcp any any eq 11999
 remark MSN GAMING ZONE
 permit tcp any any range 28800 29100
ip access-list extended DEFAULT
 remark EXPLICIT CLASS-DEFAULT
 permit ip any any

Class-Maps

Class-Maps are created to place the traffic identified by the access lists into the appropriate QoS classes. A class-map is created for each traffic type for which an ACL was created.

class-map match-all VVLAN-VOICE
 match access-group name VVLAN-VOICE
class-map match-all VVLAN-SIGNALING
 match access-group name VVLAN-SIGNALING
class-map match-all MULTIMEDIA-CONFERENCING
 match access-group name MULTIMEDIA-CONFERENCING
class-map match-all SIGNALING
 match access-group name SIGNALING
class-map match-all TRANSACTIONAL-DATA
 match access-group name TRANSACTIONAL-DATA
class-map match-all BULK-DATA
 match access-group name BULK-DATA
class-map match-all SCAVENGER
 match access-group name SCAVENGER
class-map match-all DEFAULT
 match access-group name DEFAULT

Policy-Maps

Policy-maps define the action taken on traffic within each class. In these examples the policers assume that voice-only calls use G.711 and that video calls do not exceed 384k. If a higher-bandwidth voice codec such as G.722 were used, the policer for the voice class would need to be raised from 128k to 320k.

policy-map PER-PORT-POLICING
 class VVLAN-VOICE
  set dscp ef
  police 128k 8000 exceed-action drop
 class VVLAN-SIGNALING
  set dscp cs3
  police 32k 8000 exceed-action drop
 class MULTIMEDIA-CONFERENCING
  set dscp af41
  police 5m 8000 exceed-action drop
 class SIGNALING
  set dscp cs3
  police 32k 8000 exceed-action drop
 class TRANSACTIONAL-DATA
  set dscp af21
  police 10m 8000 exceed-action policed-dscp-transmit
 class BULK-DATA
  set dscp af11
  police 10m 8000 exceed-action policed-dscp-transmit
 class SCAVENGER
  set dscp cs1
  police 10m 8000 exceed-action drop
 class DEFAULT
  set dscp default
  police 10m 8000 exceed-action policed-dscp-transmit
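
As an added check that is not part of the original page, the following Python reads the global dscp-map and policed-dscp commands together with the policy-map's classes and reports, for each class, the DSCP it sets, the egress queue and threshold that DSCP is mapped to, and the DSCP that out-of-profile packets carry after the policer. It shows that policed-dscp-transmit only marks down DSCP values listed in the policed-dscp map; a DSCP that is not listed (here AF21 and AF11) is transmitted unchanged, so only the DEFAULT class's excess ends up at DSCP 8. The command excerpt and the class table are constructed from the page's own values.

```python
import re
# Constructed excerpt of the page's global commands: the policed-DSCP markdown map
# and the DSCP-to-output-queue entries that the policy-map's classes land in.
GLOBAL_CMDS = """\
mls qos map policed-dscp 0 24 26 34 to 8
mls qos srr-queue output dscp-map queue 1 threshold 3 46
mls qos srr-queue output dscp-map queue 2 threshold 1 18 20 22
mls qos srr-queue output dscp-map queue 2 threshold 1 34 36 38
mls qos srr-queue output dscp-map queue 2 threshold 2 24 26
mls qos srr-queue output dscp-map queue 3 threshold 3 0
mls qos srr-queue output dscp-map queue 4 threshold 1 8
mls qos srr-queue output dscp-map queue 4 threshold 3 10 12 14
"""
# The page's policy-map PER-PORT-POLICING reduced to (set dscp, exceed-action).
CLASSES = {"VVLAN-VOICE": ("ef", "drop"), "VVLAN-SIGNALING": ("cs3", "drop"),
           "MULTIMEDIA-CONFERENCING": ("af41", "drop"), "SIGNALING": ("cs3", "drop"),
           "TRANSACTIONAL-DATA": ("af21", "policed-dscp-transmit"),
           "BULK-DATA": ("af11", "policed-dscp-transmit"), "SCAVENGER": ("cs1", "drop"),
           "DEFAULT": ("default", "policed-dscp-transmit")}

def dscp_value(name):
    """IOS DSCP keyword (ef, cs3, af41, default) -> 6-bit DSCP value."""
    if name == "ef": return 46
    m = re.fullmatch(r"(cs|af)(\d)(\d)?", name)
    return 0 if not m else int(m.group(2)) * 8 + int(m.group(3) or 0) * 2

def parse_global(text):
    """Return (dscp -> (queue, threshold), policed-dscp markdown map)."""
    queue, policed = {}, {}
    for line in text.splitlines():
        q = re.match(r"mls qos srr-queue output dscp-map queue (\d) threshold (\d) (.+)", line)
        if q:
            for d in q.group(3).split():
                queue[int(d)] = (int(q.group(1)), int(q.group(2)))
        p = re.match(r"mls qos map policed-dscp (.+) to (\d+)", line)
        if p:
            for d in p.group(1).split():
                policed[int(d)] = int(p.group(2))
    return queue, policed

def audit(classes=CLASSES, text=GLOBAL_CMDS):
    """Per class: (dscp set, egress (queue, threshold) or None if unmapped on the page,
    dscp of out-of-profile packets or None if dropped; unlisted DSCPs keep their value)."""
    queue, policed = parse_global(text)
    result = {}
    for name, (keyword, action) in classes.items():
        d = dscp_value(keyword)
        # The default policed-dscp map is identity, so policed.get(d, d) models the switch.
        result[name] = (d, queue.get(d), None if action == "drop" else policed.get(d, d))
    return result
```

Running audit() on a production configuration pulled from show running-config is the quickest way to confirm that every class using policed-dscp-transmit has its DSCP listed in the policed-dscp map before the policy is applied to ports.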

IP Phone and PC Ports

In order to enforce the classifications and policies, the policy-map must be applied to the ingress of all IP Phone and PC ports.

Switch(config)#int gx/y
Switch(config-if)#queue-set 1
Switch(config-if)#srr-queue bandwidth share 1 70 25 5
Switch(config-if)#srr-queue bandwidth shape 30 0 0 0
Switch(config-if)#priority-queue out
Switch(config-if)#mls qos trust device cisco-phone
Switch(config-if)#service-policy input PER-PORT-POLICING