[c-nsp] 6500 - Is it possible to sniff DSCP values over RSPAN?

Jared Mauch jared at puck.nether.net
Tue Jan 2 13:33:08 EST 2007


On Tue, Jan 02, 2007 at 12:27:30PM -0600, Anton Kapela wrote:
>  
> 
> > The layer 2 path for the RSPAN session passes from this 6500 
> > to a 7200, into an L2TPv3 tunnel over the 'net to another 
> > 7200, through another 6500, and finally through two 3560s to 
> > the sniffer.
> 
> You should ensure that the 6500 and 3560's are set to 'trust dscp' on
> all interfaces over which your data passes. Default behaviors for
> whether or not the DSCP is set to null/zero depend on mls qos being
> enabled, routed ports vs. bridged vlan, etc. IIRC, 3550's that were not
> running mls qos would leave all dscp unmutated, but with mls qos enabled
> they would set all packets ingressing untrusted ports to zero. 3560,
> iirc, reverses this, and sets all routed packets to dscp zero regardless
> of mls qos state. 
> 
> > The RSPAN session works fine, and I see all the traffic I 
> > want to see, but all my DSCP values are zero. Before I go 
> > digging into the PBX to figure out why it's not marking DSCP 
> > properly, I'd like to see if anyone has successfully passed 
> > non-zero DSCP values over an RSPAN session.
> 
> Check those boxes, ensure that the 7200's (unlikely to touch dscp at all
> in x-connect tunnels), 6500 and 3560's aren't mutating or resetting. 
> 
> Failing rspan/l2tpv3 doing what you need, you could check this (voip
> system setting proper DSCP values..) on the main switch. You could map
> dscp to CoS queues and check counters for those queues, or use ACL's
> that match the DSCP values, assuming counters work for you. <g>

	You also want to check out this command:

"mls qos rewrite ip dscp"

	it may be on by default :)

> 
> -Tk

-- 
Jared Mauch  | pgp key available via finger from jared at puck.nether.net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.
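
An added example, not part of the original message: one way to tally the DSCP values actually present in frames captured at the sniffer, so that "everything is zero" can be confirmed per packet before looking at the switches. It assumes raw Ethernet frames as bytes; the function names and the sample frames are constructed for illustration, and 802.1Q tags (such as an RSPAN VLAN tag) are skipped before the IP header is read.

```python
import struct
from collections import Counter

VLAN_TPIDS = {0x8100, 0x88A8}  # 802.1Q and 802.1ad tag identifiers

def dscp_of_frame(frame):
    """Return the DSCP (0-63) of an Ethernet frame, or None if it is not IP."""
    offset = 12  # skip destination and source MAC addresses
    while True:
        if len(frame) < offset + 2:
            return None  # truncated before the EtherType
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        offset += 2
        if ethertype not in VLAN_TPIDS:
            break
        offset += 2  # skip the tag control field (PCP/DEI/VLAN ID)
    if len(frame) < offset + 2:
        return None  # truncated before the DSCP bits
    if ethertype == 0x0800 and frame[offset] >> 4 == 4:
        return frame[offset + 1] >> 2  # IPv4 ToS byte: DSCP is the top 6 bits
    if ethertype == 0x86DD and frame[offset] >> 4 == 6:
        # IPv6 traffic class straddles the first two header bytes
        tclass = ((frame[offset] & 0x0F) << 4) | (frame[offset + 1] >> 4)
        return tclass >> 2
    return None

def tally_dscp(frames):
    """Count IP packets per DSCP value; non-IP frames are ignored."""
    counts = Counter()
    for frame in frames:
        dscp = dscp_of_frame(frame)
        if dscp is not None:
            counts[dscp] += 1
    return counts

# Constructed sample frames (zeroed MACs and payloads), not real captures.
MACS = bytes(12)
def _ipv4(tos):
    return bytes([0x45, tos]) + bytes(18)

SAMPLE_FRAMES = [
    MACS + bytes.fromhex("81000064") + bytes.fromhex("0800") + _ipv4(0xB8),  # VLAN 100, DSCP 46
    MACS + bytes.fromhex("0800") + _ipv4(0x00),                              # untagged, DSCP 0
    MACS + bytes.fromhex("0806") + bytes(28),                                # ARP, ignored
]

if __name__ == "__main__":
    for dscp, n in sorted(tally_dscp(SAMPLE_FRAMES).items()):
        print(f"DSCP {dscp:2d}: {n} packet(s)")
```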

