Switch QoS: Other Trust Boundary Options

Here are the available switchport trust options that we will discuss in this blog: Untrusted Trust CoS Trust DSCP Trust IP Precedence Passthru DSCP Untrusted with Access Control List The Untrusted model is the default. As discussed in the last blog, this model re-marks every incoming Ethernet frame to a CoS value of zero. The CoS-DSCP mapping table will overwrite the layer 3 DSCP mapping and every packet will now have a DSCP marking different than the original. Deep packet classification can take place at every hop, but it is best practice to classify and mark at the access layer switch. The other switches and routers in the network can either perform trust boundaries or perform a classification and marking policy based on the marking of the packet. A router can perform a lookup in the layer 3 header faster than looking into the transport layer of the packet (ACL). The network based application recognition (NBAR) features look up to 400 bytes into the packet inspecting the layer 7 header. The Trust CoS option was discussed in the last blog as well. This option will mark the DSCP of the output packet based on the incoming CoS. There’s always a loss of granularity when using this model because there are only 8 possible CoS values, while there are up to 64 DSCP values in the layer 3 header. The 64 DSCP values and the practically used assured forwarding (AF) and expediting forwarding (EF) models were discussed in detail in the last QoS blog series. The Trust DSCP model allows the switch to skip the CoS to DSCP mapping table entirely. The switch uses the incoming packet’s DSCP marking as the internal DSCP to perform layer 3 DSCP to CoS queue mapping. The output packet’s DSCP will be the same as the input packets DSCP. I’m a fan of using this trust model at distribution and core layer switches that are used to aggregate access layer switching wiring closets. I prefer to not use the trust DSCP model on any port with an end user. I prefer to do classification and marking (no trust) on devices that will perform these operations in hardware. The Trust IP Precedence option is normally not used because most deployments are using DSCP markings at this point. The trust IP precedence options is very similar to the trust DSCP with the exception that the ip precedence field only has 8 possible values, while the DSCP markings have 64 values. All best practices recommend DSCP markings. This option exists for backward compatibility purposes. The passthru DSCP model will use the incoming DSCP as the internal and outgoing DSCP. While this model appears to be the same as the trust DSCP model, there is one minor distinction. This model uses the incoming CoS value to map directly to a queue. Remember that each switch performs QoS in hardware and there are many variations of hardware out there (ASICs). In the next blog we will discuss the benefits of doing classification and marking at the access layer. REFERENCES Implementing Cisco Quality of Service http://www.globalknowledge.com/training/course.asp?pageid=9&courseid=7578&catid=206&country=United+States Advanced Cisco Quality of Service http://www.globalknowledge.com/training/course.asp?pageid=9&courseid=9368&catid=206&country=United+States

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.
Related:

Copyright © 2009 IDG Communications, Inc.