08-09-2010 07:33 PM
The configuration guide states that: "By default in stacking mode, 802.1p marking is not enabled. Outgoing tagged traffic is not marked with 802.1p in the VLAN tag based on the internal hardware queue into which ingress traffic was classified."
Is this something you can enable? I don't see how you can do this in the documentation.
If I configure VLAN priority to mark all traffic in VLAN 10 to an 802.1p priority level of 6, will this marking be carried over to an upstream device?
08-10-2010 01:48 AM
Have a look at manual page 632 (PDF page 686) of the FastIron config guide (dated 18 March 2010).
QoS options for IP ACLs
Quality of Service (QoS) options enable you to perform QoS for packets that match the ACLs. Using an ACL to perform QoS is an alternative to directly setting the internal forwarding priority based on incoming port, VLAN membership, and so on.
* internal-priority-marking and 802.1p-priority-marking – Supported with the DSCP marking option, these commands assign traffic that matches the ACL to a hardware forwarding queue (internal-priority-marking), and re-mark the packets that match the ACL with the 802.1p priority (802.1p-priority-marking).
Note: CoS - 802.1p in stacking mode is honoured in ingress but, as you stated, not egress. Using the above should get you what you need.
08-10-2010 07:09 AM
Okay, this looks good. I can use an ACL like you stated in your last message and mark the traffic as it egresses the switch. That is perfect.
Another question, do you typically change the default queueing method when you are configuring QoS for an IPT installation?
Thank you very much!
08-10-2010 01:53 PM
You can do so if you want to, however I just create a VoIP and just have the phones in that vlan.
oh, and please stop the MsChipp thing
My Name is Michael Schipp
08-12-2010 01:52 PM
I have a stack of FCX switches and I want to make sure they pass traffic to their up or downstream neighbors with the DSCP set to 46. Now the FCX does not mark traffic when it egresses the switch when in a stack. So I know I can use an access-list to mark traffic with the DSCP value that I want, but only inbound ACLs are supported, correct? If so, how do I accomplish this?
Also, when I attempt to apply an ACL to an interface on FCX, the command "ip access-group" is not available to me. I only have "ip access-list". The FCXs are all running layer 3 code.
08-16-2010 05:11 AM
Yes FCX can only do engress ACL and that is ok here.
When in a stack it is disabled by default.
However, using FastIron(config)#access-list 101 permit ip any any dscp-marking 46 will get you what you want.
The ACL 'turns on engress marking' (in a round about way).
Why do you need ip access group?
Please read PDF page 86 (or manual page 633) of the FastIron Config guide - dated 18 March 2010. 07.0.01b
Ok, a bit more reading and this may also cause you a problem:
Enabling ACL support for switched traffic in the router image
The bridged-routed CLI parameter applies to FastIron X Series devices only. For FGS, FLS, FWS, and FCX Series devices, ACL support for switched traffic in the router image is enabled by default. There is no command to enable or disable it.
By default, when an ACL is applied to a physical or virtual routing interface, the Brocade Layer 3 device filters routed traffic only. It does not filter traffic that is switched from one port to another within the same VLAN or virtual routing interface, even if an ACL is applied to the interface.
You can enable the device to filter switched traffic within a VLAN or virtual routing interface. When filtering is enabled, the device uses the ACLs applied to inbound traffic to filter traffic received by a port from another port in the same virtual routing interface.
To enable this feature, enter a command such as the following.
FastIron(config)#ip access-list 101 bridged-routed
Applying the ACL rule above to an interface enables filtering of traffic switched within a VLAN or virtual routing interface.
Syntax: ip access-list
<ACL-ID> parameter specifies a standard or extended numbered or named ACL.
You can use the bridged-routed feature in conjunction with enable ACL-per-port-per-vlan, to assign an ACL to certain ports of a VLAN under the virtual interface configuration level. In this case, all of the Layer 3 traffic (bridged and routed) are filtered by the ACL. The following shows an example.
FastIron(config)#vlan 101 by port
FastIron(config-vlan-101)#tagged ethernet 1 to 4
FastIron(config-vlan-101)#router-interface ve 101
FastIron(config)#ip access-list 101 bridged-routed
FastIron(config-vif-101)#ip access-group 1 in ethernet 1 ethernet 3 ethernet 4
For FastIron X Series devices, the enable ACL-per-port-per-vlan command must be followed by the write-memory and reload commands to place the change into effect.
11-19-2010 07:44 AM
I have a unique setup where I need to apply qos-tos trust dscp and also need an ACL to block other subnets from accessing my voice network under the VE interface. My company uses both RX and CX switches. When I try to apply the ACL on the interface, I get the error saying "QOS is configured on the port". Even the tech said that I can only apply either QoS or ACL on the interface, but not both. I am wondering if you know of an alternative way for me to do that. The idea is to trust the QoS coming out from Cisco UCM and be able to configure an ACL to only allow the voice subnet.
11-23-2010 03:01 AM
Ok this should be fine.
By default the trust is already there on the FCX (note that queue 7 will auto drop to queue 6 as queue 7 is for the stack control traffic).
I recommend you remove the QoS-based ACLs, let the default do what you want, and then add the security ACL (for your subnet) in and you should be good to go, mate.
QoS profile restrictions in an IronStack
In a stacking topology, because CoS level 7 is reserved for stacking, quality profiles for qosp7 cannot be configured. If an attempt is made to configure a profile for qosp7, the system ignores the configuration.
This applies only when the device is operating in stacking mode. It does not apply to standalone devices.
QoS behavior for trusting Layer 2 (802.1p) in an IronStack
By default, Layer 2 Trust is enabled. Because priority 7 is reserved for stacking control packets, any ingress data traffic with priority 7 is mapped to internal hardware queue 6. All other priorities are mapped to their corresponding queues.
QoS behavior for trusting Layer 3 (DSCP) in an IronStack
When the trust dscp mode is enabled, packets arriving with DSCP values 56 to 63 are mapped to
internal hardware queue 6. All other DSCP values are mapped to their corresponding internal
FastIron stackable devices
FastIron GS, LS, WS, and CX Series devices support DSCP-based QoS on a per-port basis. DSCP-based QoS is not automatically honored for switched traffic. The default is 802.1p to CoS mapping. To honor DSCP-based QoS, enter the following command at the interface level of the CLI.
Syntax: trust dscp
When trust dscp is enabled, the interface honors the Layer 3 DSCP value. By default, the interface honors the Layer 2 CoS value.
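The following is an added example, not code from this thread or from the Brocade guide: a Python check that a frame captured on the upstream link carries the intended 802.1p priority and DSCP, together with the IronStack queue mapping quoted above. The frame is constructed sample data, and the DSCP-to-queue rule for values below 56 (DSCP divided by 8) is an assumption, since the quoted sentence is cut off.

```python
import struct

def build_frame(vid, pcp, dscp):
    """Constructed sample: 802.1Q-tagged Ethernet frame with a bare IPv4 header."""
    tci = (pcp << 13) | vid                      # PCP is the top 3 bits of the TCI
    eth = bytes(12) + struct.pack("!HHH", 0x8100, tci, 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2, 20, 0, 0, 64, 17, 0,
                     bytes(4), bytes(4))         # DSCP is the top 6 bits of TOS
    return eth + ip

def parse_marking(frame):
    """Return (vlan_id, 802.1p priority, dscp) for a tagged IPv4 frame."""
    if len(frame) < 20:
        raise ValueError("frame too short")
    tpid, tci, ethertype = struct.unpack_from("!HHH", frame, 12)
    if tpid != 0x8100:
        raise ValueError("untagged frame: no 802.1p field to inspect")
    if ethertype != 0x0800:
        raise ValueError("not IPv4: no DSCP field at this offset")
    # 12 bytes of MACs + 4-byte tag + 2-byte EtherType = 18; TOS is IP byte 1.
    return tci & 0x0FFF, tci >> 13, frame[19] >> 2

def stack_queue(pcp, dscp, trust_dscp=False):
    """Internal hardware queue in an IronStack, per the guide text quoted above."""
    if trust_dscp:
        # DSCP 56-63 -> queue 6 (from the guide). Lower values use DSCP // 8,
        # which is an assumption: the quoted sentence is cut off on the page.
        return min(dscp >> 3, 6)
    # Default Layer 2 trust: priority 7 is reserved for stack control -> queue 6.
    return min(pcp, 6)

def check_marking(frame, want_pcp, want_dscp):
    """List mismatches between a captured frame and the intended marking."""
    _, pcp, dscp = parse_marking(frame)
    problems = []
    if pcp != want_pcp:
        problems.append(f"802.1p is {pcp}, expected {want_pcp}")
    if dscp != want_dscp:
        problems.append(f"DSCP is {dscp}, expected {want_dscp}")
    return problems

if __name__ == "__main__":
    # VLAN 10, priority 6 and DSCP 46 are the values discussed in the thread.
    frame = build_frame(vid=10, pcp=6, dscp=46)
    print(parse_marking(frame), check_marking(frame, 6, 46))
    # A frame whose tag left the stack unmarked (priority 0) is reported.
    print(check_marking(build_frame(10, 0, 46), 6, 46))
```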
01-16-2012 05:14 AM
I did not find any restrictions about that but want to be sure:
when configuring ACL-based rate limiting, does it matter if the ACL is an IPv6 one?
It works for both IPv4 and IPv6 ACLs, right?