DSCP question

So i have reached the DSCP section of ONT, so far i think I'm understanding it fairly well...

The only thing i don't quite understand yet (and maybe i just haven't reached this section yet) is how or what defines the type of traffic that belongs to a certain DSCP value.

so i can define a class map saying 'match dscp af43' but what traffic as af43 referring to?

Find more posts tagged with

Save $250 on 2025 certification boot camps from Infosec!

Book now with code EOY2025

Button

Comments

mattsthe2

yet to reach ONT yet but i had trouble with this concept to. Id be interested to see what others post but i believe the applications or devices them selfs can set the DSCP value.

For example for video conferencing you usually can set whatever DSCP value you like, although there are certain types of values that should be set for example Voice is EF. I believe its the phone that marks the traffic as EF.

As an example we marked all our traffic with a certain QoS level for our Oracle servers, matched it from an ACL and marked it with QoS marking that made sense to our organization.

ColbyG

The traffic would be marked by the device it originated from (eg Cisco phone), or a router/switch near the source of the traffic.

rakem

ColbyNA wrote: »

The traffic would be marked by the device it originated from (eg Cisco phone), or a router/switch near the source of the traffic.

Yep that makes sense...

On a router or switch i guess you could do something like the following;

RouterA(config)#class-map BLAH
RouterA(config-cmap)#match protocol http
RouterA(config-cmap)#match protocol ftp
RouterA(config-cmap)#match protocol ssh
RouterA(config-cmap)#exit
RouterA(config)#pol
RouterA(config)#policy-map LOL
RouterA(config-pmap)#claas
RouterA(config-pmap)#clas
RouterA(config-pmap)#class BLAH
RouterA(config-pmap-c)#set dscp
RouterA(config-pmap-c)#set dscp af11

so we have http, ftp and ssh getting marked as AF11, then on a different router you could to something like:

RouterB(config)#clas
RouterB(config)#class-map ABC
RouterB(config-cmap)#match ip dscp af11
RouterB(config-cmap)#ex
RouterB(config)#policy-map XYZ
RouterB(config-pmap)#class ABC
RouterB(config-pmap-c)#police 80000
RouterB(config-pmap-c-police)#exit

so router B would police anything marked as Af11....

Is that correct?

Or like if your IP phone couldn't set its own DSCP or IP Prec values, you could set it on the switchport which the phone connects to...

kpjungle

rakem wrote: »

Yep that makes sense...

On a router or switch i guess you could do something like the following;

RouterA(config)#class-map BLAH
RouterA(config-cmap)#match protocol http
RouterA(config-cmap)#match protocol ftp
RouterA(config-cmap)#match protocol ssh
RouterA(config-cmap)#exit
RouterA(config)#pol
RouterA(config)#policy-map LOL
RouterA(config-pmap)#claas
RouterA(config-pmap)#clas
RouterA(config-pmap)#class BLAH
RouterA(config-pmap-c)#set dscp
RouterA(config-pmap-c)#set dscp af11

so we have http, ftp and ssh getting marked as AF11, then on a different router you could to something like:

RouterB(config)#clas
RouterB(config)#class-map ABC
RouterB(config-cmap)#match ip dscp af11
RouterB(config-cmap)#ex
RouterB(config)#policy-map XYZ
RouterB(config-pmap)#class ABC
RouterB(config-pmap-c)#police 80000
RouterB(config-pmap-c-police)#exit

so router B would police anything marked as Af11....

Is that correct?

Or like if your IP phone couldn't set its own DSCP or IP Prec values, you could set it on the switchport which the phone connects to...

Yep.. Marking is basically done so other devices can provide a differentiated service. You want to mark as close to the source as possible.

For example at your switch level, mark using CoS (trunks only), and at the first router (or any L3 device), mark it at layer 3 as well, to preserve the markings across multiple different L2 mediums.

malcybood

If you wanted to for example mark email traffic with a server IP address of 10.10.10.10 and TCP port 1616 TO the server from a remote site you could do something along the lines of

(on the switch)
ip access-list extended MARK_EMAIL
permit tcp 0.0.0.0 0.0.0.0 10.10.10.10 0.0.0.0 eq 1616

class-map MARK_EMAIL
match ip address MARK_EMAIL
set ip dscp af41

policy-map MARK_EMAIL
class MARK_EMAIL

int-range fa0/2 - 24
service-policy input MARK_EMAIL

Then trust all markings on the switch port that connects to the router (i.e. fa0/1).

(on the router)
class-map MATCH_EMAIL_DSCP
match ip dscp af41

policy-map EMAIL_OUT
class MATCH_EMAIL_DSCP

int s0/0
desc WAN interface to MPLS
service-policy out EMAIL_OUT

The above config would obviously vary slightly depending on what type of switch you had and it's capabilities, but the general answer to your question is you would use acl's with source / destination IP addresses to mark non standard services other than voice which usually is marked on the phone.

Does this make sense?