[c-nsp] 6500 - Is it possible to sniff DSCP values over RSPAN?
Jared Mauch
jared at puck.nether.net
Tue Jan 2 14:00:44 EST 2007
On Tue, Jan 02, 2007 at 01:33:08PM -0500, Jared Mauch wrote:
> On Tue, Jan 02, 2007 at 12:27:30PM -0600, Anton Kapela wrote:
> >
> >
> > > The layer 2 path for the RSPAN session passes from this 6500
> > > to a 7200, into an L2TPv3 tunnel over the 'net to another
> > > 7200, through another 6500, and finally through two 3560s to
> > > the sniffer.
> >
> > You should ensure that the 6500 and 3560's are set to 'trust dscp' on
> > all interfaces over which your data passes. Default behaviors for
> > whether or not the DSCP is set to null/zero depend on mls qos being
> > enabled, routed ports vs. bridged vlan, etc. IIRC, 3550's that were not
> > running mls qos would leave all dscp unmutated, but with mls qos enabled
> > they would set all packets ingressing untrusted ports to zero. 3560,
> > iirc, reverses this, and sets all routed packets to dscp zero regardless
> > of mls qos state.
> >
> > > The RSPAN session works fine, and I see all the traffic I
> > > want to see, but all my DSCP values are zero. Before I go
> > > digging into the PBX to figure out why it's not marking DSCP
> > > properly, I'd like to see if anyone has successfully passed
> > > non-zero DSCP values over an RSPAN session.
> >
> > Check those boxes, ensure that the 7200's (unlikely to touch dscp at all
> > in x-connect tunnels), 6500 and 3560's aren't mutating or resetting.
> >
> > Failing rspan/l2tpv3 doing what you need, you could check this (voip
> > system setting proper DSCP values..) on the main switch. You could map
> > dscp to CoS queues and check counters for those queues, or use ACL's
> > that match the DSCP values, assuming counters work for you. <g>
>
> You also want to check out this command:
>
> "mls qos rewrite ip dscp"
>
> it may be on by default :)
That is, if you enable 'mls qos' it silently stomps all
over the dscp values unless you disable this. Not obvious that enabling
QoS would cause this issue. When I saw this, I asked Cisco to raise a
bug on it, I don't have an ID handy though.
- jared
--
Jared Mauch | pgp key available via finger from jared at puck.nether.net
clue++; | http://puck.nether.net/~jared/ My statements are only mine.
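
Added example, not part of the original thread or any poster's code: a way to tally DSCP values from raw Ethernet frames at the sniffer end, so that "all zero" can be confirmed per packet, including frames that arrive still carrying the RSPAN VLAN tag. The sample frames and VLAN ID 900 are constructed for illustration.

```python
import struct
from collections import Counter

VLAN_TYPES = {0x8100, 0x88A8}   # 802.1Q and 802.1ad tag EtherTypes

def frame_dscp(frame: bytes):
    """Return the DSCP of the IP packet in an Ethernet frame, or None if not IP."""
    offset = 12                                  # skip destination + source MAC
    if len(frame) < offset + 2:
        return None
    (ethertype,) = struct.unpack_from("!H", frame, offset)
    # Mirrored traffic may reach the sniffer still tagged, so skip any VLAN tags.
    while ethertype in VLAN_TYPES:
        offset += 4
        if len(frame) < offset + 2:
            return None
        (ethertype,) = struct.unpack_from("!H", frame, offset)
    offset += 2
    if ethertype == 0x0800 and len(frame) >= offset + 2 and frame[offset] >> 4 == 4:
        return frame[offset + 1] >> 2            # top 6 bits of the IPv4 ToS byte
    if ethertype == 0x86DD and len(frame) >= offset + 2 and frame[offset] >> 4 == 6:
        traffic_class = ((frame[offset] & 0x0F) << 4) | (frame[offset + 1] >> 4)
        return traffic_class >> 2                # top 6 bits of IPv6 Traffic Class
    return None

def dscp_histogram(frames):
    """Count packets per DSCP value, ignoring non-IP frames."""
    return Counter(d for d in map(frame_dscp, frames) if d is not None)

# --- constructed sample frames (zeroed MACs and payloads) ---
def _eth(ethertype, payload, vlan=None):
    tag = struct.pack("!HH", 0x8100, vlan) if vlan is not None else b""
    return bytes(12) + tag + struct.pack("!H", ethertype) + payload

def _ipv4(dscp):
    return bytes([0x45, dscp << 2]) + bytes(18)

def _ipv6(dscp):
    tc = dscp << 2
    return bytes([0x60 | (tc >> 4), (tc & 0x0F) << 4]) + bytes(38)

SAMPLE_FRAMES = [
    _eth(0x0800, _ipv4(46), vlan=900),   # tagged voice packet marked EF
    _eth(0x0800, _ipv4(0), vlan=900),    # tagged packet whose DSCP was reset
    _eth(0x86DD, _ipv6(26)),             # untagged IPv6 packet marked AF31
    _eth(0x0806, bytes(28)),             # ARP, not IP
]

if __name__ == "__main__":
    for dscp, count in sorted(dscp_histogram(SAMPLE_FRAMES).items()):
        print(f"DSCP {dscp:2d}: {count} packet(s)")
```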