How does qos work on a switch




















The set action in a policy map also causes the DSCP to be rewritten. When QoS is disabled, there is no concept of trusted or untrusted ports because the packets are not modified. Traffic is switched in pass-through mode. The packets are switched without any rewrites and classified as best effort without any policing.

When QoS is enabled using the mls qos global configuration command and all other QoS settings are at their defaults, traffic is classified as best effort (the DSCP and CoS values are set to 0) without any policing. No policy maps are configured. The default port trust state on all ports is untrusted.

The following table shows the default egress queue configuration for each queue-set when QoS is enabled. All ports are mapped to queue-set 1.

The port bandwidth limit is set to percent and rate unlimited. Note that for the SRR shaped weights absolute feature, a shaped weight of zero indicates that the queue is operating in shared mode. Note that for the SRR shared weights feature, one quarter of the bandwidth is allocated to each queue. The following table shows the default CoS output queue threshold map when QoS is enabled. Enters global configuration mode.

Enables QoS globally. QoS operates with the default settings described in the related topic sections below. To disable QoS, use the no mls qos global configuration command. Returns to privileged EXEC mode. Verifies the QoS configuration. (Optional) Saves your entries in the configuration file.

These sections describe how to classify incoming traffic by using port trust states. Packets entering a QoS domain are classified at the edge of the QoS domain. When the packets are classified at the edge, the switch port within the QoS domain can be configured to one of the trusted states because there is no need to classify the packets at every switch within the QoS domain.

Specifies the port to be trusted, and enters interface configuration mode. Valid interfaces are physical ports. Configures the port trust state. By default, the port is not trusted. If no keyword is specified, the default is dscp. The keywords have these meanings: For an untagged packet, the port default CoS value is used. The default port CoS value is 0. For a non-IP packet, the packet CoS value is used if the packet is tagged; for an untagged packet, the default port CoS is used.

To return a port to its untrusted state, use the no mls qos trust interface configuration command. Verifies your entries. QoS assigns the CoS value specified with the mls qos cos interface configuration command to untagged frames received on trusted and untrusted ports. Beginning in privileged EXEC mode, follow these steps to define the default CoS value of a port or to assign the default CoS to all incoming packets on the port.

Enters the global configuration mode. Specifies the port to be configured, and enters interface configuration mode. Valid interfaces include physical ports. Configures the default CoS value for the port. For default-cos, specify a default CoS value to be assigned to a port. If the packet is untagged, the default CoS value becomes the packet CoS value. The CoS range is 0 to 7.

The default is 0. Use the override keyword to override the previously configured trust state of the incoming packet and to apply the default port CoS value to the port on all incoming packets. By default, CoS override is disabled. Use the override keyword when all incoming packets on specified ports deserve higher or lower priority than packets entering from other ports.

Even if a port was previously set to trust DSCP or CoS, this command overrides the previously configured trust state, and all the incoming CoS values are assigned the default CoS value configured with this command. If an incoming packet is tagged, the CoS value of the packet is modified with the default CoS of the port at the ingress port. In a typical network, you connect a Cisco IP Phone to a switch port and cascade devices that generate data packets from the back of the telephone.

Traffic sent from the telephone to the switch is typically marked with a tag that uses the The header contains the VLAN information and the class of service (CoS) 3-bit field, which is the priority of the packet. For most Cisco IP Phone configurations, the traffic sent from the telephone to the switch should be trusted to ensure that voice traffic is properly prioritized over other types of traffic in the network.

By using the mls qos trust cos interface configuration command, you configure the switch port to which the telephone is connected to trust the CoS labels of all traffic received on that port. Use the mls qos trust dscp interface configuration command to configure a routed port to which the telephone is connected to trust the DSCP labels of all traffic received on that port.

With the trusted setting, you also can use the trusted boundary feature to prevent misuse of a high-priority queue if a user bypasses the telephone and connects the PC directly to the switch. Without trusted boundary, the CoS labels generated by the PC are trusted by the switch because of the trusted CoS setting. If the telephone is not detected, the trusted boundary feature disables the trusted setting on the switch port and prevents misuse of a high-priority queue.

Note that the trusted boundary feature is not effective if the PC and Cisco IP Phone are connected to a hub that is connected to the switch. Enables CDP globally. By default, CDP is enabled. Specifies the port connected to the Cisco IP Phone, and enters interface configuration mode.

Enables CDP on the port. Use one of the following: Specifies that the Cisco IP Phone is a trusted device. You cannot enable both trusted boundary and auto-QoS (the auto qos voip interface configuration command) at the same time; they are mutually exclusive. To disable the trusted boundary feature, use the no mls qos trust device interface configuration command.
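The trusted boundary setup described above, as an added example that is not taken from the original page: the first port trusts CoS from whatever is plugged in, the second trusts CoS only while CDP detects a Cisco IP Phone. The interface names are sample values, and the cisco-phone keyword of mls qos trust device is assumed from Catalyst IOS syntax because the page does not spell it out.

```cisco
! Added example; interface names are sample values.
configure terminal
 mls qos
 cdp run
 !
 ! Weak: CoS is trusted unconditionally, so a PC plugged straight into
 ! this port can mark its own frames into the high-priority queue.
 interface gigabitethernet1/0/1
  mls qos trust cos
 !
 ! Hardened: trusted boundary. The CoS trust only takes effect while CDP
 ! detects a Cisco IP Phone on the port; without a phone the trusted
 ! setting is disabled.
 interface gigabitethernet1/0/2
  cdp enable
  mls qos trust cos
  mls qos trust device cisco-phone
 end
! Verify the trust state and trust device on the hardened port.
show mls qos interface gigabitethernet1/0/2
```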

The switch supports the DSCP transparency feature. It affects only the DSCP field of a packet at egress. By default, DSCP transparency is disabled. The switch modifies the DSCP field in an incoming packet, and the DSCP field in the outgoing packet is based on the quality of service (QoS) configuration, including the port trust setting, policing, and marking.

If DSCP transparency is enabled by using the no mls qos rewrite ip dscp command, the switch does not modify the DSCP field in the incoming packet, and the DSCP field in the outgoing packet is the same as that in the incoming packet.

Regardless of the DSCP transparency configuration, the switch modifies the internal DSCP value of the packet, which the switch uses to generate a class of service (CoS) value that represents the priority of the traffic. The switch also uses the internal DSCP value to select an egress queue and threshold. Enables DSCP transparency. If you enter the no mls qos rewrite ip dscp global configuration command to enable DSCP transparency and then enter the mls qos trust [cos | dscp] interface configuration command, DSCP transparency is still enabled.

If you are administering two separate QoS domains between which you want to implement QoS features for IP traffic, you can configure the switch ports bordering the domains to a DSCP-trusted state.

To ensure a consistent mapping strategy across both QoS domains, you must perform this procedure on the ports in both domains. For in-dscp, enter up to eight DSCP values separated by spaces. Then enter the to keyword. For out-dscp, enter a single DSCP value. The DSCP range is 0 to Specifies the port to be trusted, and enters interface configuration mode. Configures the ingress port as a DSCP-trusted port.

To return a port to its non-trusted state, use the no mls qos trust interface configuration command. Configuring a QoS policy typically requires the following tasks: These sections describe how to classify, police, and mark traffic. Depending on your network configuration, you must perform one or more of the modules in this section.

Before you perform this task, determine which access lists you will be using for your QoS configuration. For access-list-number, enter the access list number. The range is 1 to 99 and to Use the permit keyword to permit a certain type of traffic if the conditions are matched. For source, enter the network or host from which the packet is being sent.

You can use the any keyword as an abbreviation for 0. (Optional) For source-wildcard, enter the wildcard bits in dotted decimal notation to be applied to the source.

Place ones in the bit positions that you want to ignore. When you create an access list, remember that by default the end of the access list contains an implicit deny statement for everything if it did not find a match before reaching the end. To delete an access list, use the no access-list access-list-number global configuration command. The range is to and to For protocol, enter the name or number of an IP protocol. Use the question mark?

You specify this by using dotted decimal notation, by using the any keyword as an abbreviation for source 0. For source-wildcard, enter the wildcard bits by placing ones in the bit positions that you want to ignore.

You specify the wildcard by using dotted decimal notation, by using the any keyword as an abbreviation for source 0. For destination, enter the network or host to which the packet is being sent. You have the same options for specifying the destination and destination-wildcard as those described by source and source-wildcard.

When creating an access list, remember that, by default, the end of the access list contains an implicit deny statement for everything if it did not find a match before reaching the end.

Access list names cannot contain a space or quotation mark or begin with a numeric. To delete an access list, use the no ipv6 access-list access-list-number global configuration command. Enters permit to permit the packet if conditions are matched. These are the conditions: For protocol, enter the name or number of an Internet protocol: ahp , esp , icmp , ipv6 , pcp , stcp , tcp , or udp , or an integer in the range 0 to representing an IPv6 protocol number.

For host source-ipv6-address or destination-ipv6-address, enter the source or destination IPv6 host address for which to set permit condition, specified in hexadecimal using bit values between colons. (Optional) For operator, specify an operand that compares the source or destination ports of the specified protocol.

Operands are lt (less than), gt (greater than), eq (equal), neq (not equal), and range. (Optional) Enter dscp value to match a differentiated services code point value against the traffic class value in the Traffic Class field of each IPv6 packet header. The acceptable range is from 0 to Verifies the access list configuration. To delete an access list, use the no mac access-list extended access-list-name global configuration command.

Specifies the type of traffic to permit or deny if the conditions are matched, entering the command as many times as necessary. You specify this by using the hexadecimal format H.

H , by using the any keyword as an abbreviation for source 0. For mask , enter the wildcard bits by placing ones in the bit positions that you want to ignore. For type , the range is from 0 to , typically specified in hexadecimal. You use the class-map global configuration command to name and to isolate a specific traffic flow or class from all other traffic. The class map defines the criteria to use to match against a specific traffic flow to further classify it.

The match criterion is defined with one match statement entered within the class-map configuration mode. You can also create class maps during policy map creation by using the class policy-map configuration command.

Creates a class map, and enters class-map configuration mode. By default, no class maps are defined. (Optional) Use the match-all keyword to perform a logical-AND of all matching statements under this class map. All match criteria in the class map must be matched. For class-map-name, specify the name of the class map.

To delete an existing class map, use the no class-map [ match-all ] class-map-name global configuration command. Defines the match criterion to classify traffic. By default, no match criterion is defined. Only one match criterion per class map is supported, and only one ACL per class map is supported. For access-group acl-index-or-name, specify the number or name of the ACL created in Step 2.

Separate each value with a space. The range is 0 to You can configure a policy map on a physical port that specifies which traffic class to act on. Actions can include trusting the CoS or DSCP values in the traffic class; setting a specific DSCP value in the traffic class; and specifying the traffic bandwidth limitations for each matched traffic class (policer) and the action to take when the traffic is out of profile (marking).

A policy map can contain multiple class statements, each with different match criteria and policers. A policy map can contain a predefined default traffic class explicitly placed at the end of the map.

A separate policy-map class can exist for each type of traffic received through a port. Follow these guidelines when configuring policy maps on physical ports: You can attach only one policy map per ingress port. If you enter or have used the set ip dscp command, the switch changes this command to set dscp in its configuration. A policy-map and a port trust state can both run on a physical interface.

The policy-map is applied before the port trust state. When you configure a default traffic class by using the class class-default policy-map configuration command, unclassified traffic (traffic that does not meet the match criteria specified in the traffic classes) is treated as the default traffic class (class-default). Creates a policy map by entering the policy map name, and enters policy-map configuration mode. By default, no policy maps are defined. No policing is performed.

To delete an existing policy map, use the no policy-map policy-map-name global configuration command. Defines a traffic classification, and enters policy-map class configuration mode. By default, no policy map class-maps are defined. If a traffic class has already been defined by using the class-map global configuration command, specify its name for class-map-name in this command. A class-default traffic class is pre-defined and can be added to any policy.

It is always placed at the end of a policy map. With an implied match any included in the class-default class, all packets that have not already matched the other traffic classes will match class-default. To delete an existing class map, use the no class class-map-name policy-map configuration command. Classifies IP traffic by setting a new value in the packet.

For dscp new-dscp, enter a new DSCP value to be assigned to the classified traffic. Defines a policer for the classified traffic. By default, no policer is defined. The range is to For burst-byte, specify the normal burst size in bytes. (Optional) Specifies the action to take when the rates are exceeded. Use the exceed-action drop keywords to drop the packet. To remove an existing policer, use the no police rate-bps burst-byte [exceed-action drop] policy-map configuration command.

Returns to policy map configuration mode. Returns to global configuration mode. Specifies the port to attach to the policy map, and enters interface configuration mode. Specifies the policy-map name, and applies it to an ingress port. Only one policy map per ingress port is supported.
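The classify, mark and police steps above assembled into one ingress policy, as an added example that is not from the original page. The ACL number, class and policy names, subnet, DSCP values, rate, burst size and interface are sample values chosen for illustration.

```cisco
! Added example; every number, name and address below is a sample value.
configure terminal
 mls qos
 !
 ! Standard ACL: ones in the wildcard mark the bits to ignore, so this
 ! matches any source in 10.1.0.0/16. Traffic that falls through to the
 ! implicit deny is simply not part of this class.
 access-list 1 permit 10.1.0.0 0.0.255.255
 !
 ! One match criterion and one ACL per class map.
 class-map match-all ipclass1
  match access-group 1
  exit
 !
 policy-map flow1t
  class ipclass1
   ! Mark matched traffic, then police it: 1 Mb/s with an 8000-byte
   ! burst, dropping packets that exceed the profile.
   set dscp 10
   police 1000000 8000 exceed-action drop
   exit
  ! class-default sits at the end and catches everything not matched
  ! above, so unclassified traffic cannot keep a self-assigned marking.
  class class-default
   set dscp 0
   exit
  exit
 !
 ! Only one policy map can be attached per ingress port.
 interface gigabitethernet1/0/1
  service-policy input flow1t
 end
! Verify the policy and its attachment.
show policy-map flow1t
show mls qos interface gigabitethernet1/0/1
```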

To remove the policy map and port association, use the no service-policy input policy-map-name interface configuration command. Depending on the complexity of your network and your QoS solution, you might need to perform all of the tasks in the following modules. You need to make decisions about these characteristics:

What drop percentage thresholds apply to the queue-set (four egress queues per port), and how much reserved and maximum memory is needed for the traffic type? Does the bandwidth of the port need to be rate limited? How often should the egress queues be serviced and which technique (shaped, shared, or both) should be used?

Follow these guidelines when the expedite queue is enabled or the egress queues are serviced based on their SRR weights: If the egress expedite queue is enabled, it overrides the SRR shaped and shared weights for queue 1.

If the egress expedite queue is disabled and the SRR shaped and shared weights are configured, the shaped mode overrides the shared mode for queue 1, and SRR services this queue in shaped mode. If the egress expedite queue is disabled and the SRR shaped weights are not configured, SRR services this queue in shared mode. You can prioritize traffic by placing packets with particular DSCP or CoS values into certain queues and adjusting the queue thresholds so that packets with lower priorities are dropped.

The default number of queues is 4. You can increase it to 8 using the mls qos srr-queue output queues 8 command. You should change them only when you have a thorough understanding of egress queues and if these settings do not meet your QoS solution. This procedure is optional. By default, DSCP values 0—15 are mapped to queue 2 and threshold 1. DSCP values 16—31 are mapped to queue 3 and threshold 1.

DSCP values 32—39 and 48—63 are mapped to queue 4 and threshold 1. DSCP values 40—47 are mapped to queue 1 and threshold 1. By default, CoS values 0 and 1 are mapped to queue 2 and threshold 1. CoS values 2 and 3 are mapped to queue 3 and threshold 1. CoS values 4, 6, and 7 are mapped to queue 4 and threshold 1.

Controlling congestion so that the device sends the highest priority traffic based on scheduler priorities. Controlling packet loss using random early detection (RED) algorithms, so that the device knows the packets to drop or process.

How Does QoS Work?

A network device, such as a router or switch, differentiates traffic as follows: It receives packets on its ingress interface, examines the packets, and classifies the traffic into groups called classes of service (CoS).

If an optional policer is configured, it limits or assigns the traffic to a different class. Queues hold packets while they await transmission resources.

The scheduler takes the packets out of the queues and transmits them in the order configured for the scheduler. If there is a shaper configured, it shapes the traffic to the configured shaping-rate. If remarking is configured, the device remarks the value of the DS-field of the IP header so that the next device to receive the packet knows how to classify it.
