SN2010 Layer 2 QoS for Vlan

I might be overthinking this and if so let me know.

I have a pair of SN2010m switches that will be operating as a Layer 2 aggregation. Migrating from a pair of HPE 5710’s. All IDFs connect to these plus data center servers, ESXi infrastructure & iSCSI storage.

The client has a voice vlan that on all other switches is put into Traffic Class 6. What I can’t understand is how to configure QoS on the SN2010m’s to put this vlan into a traffic class.

The documentation shows applying QoS at the ethernet port and assumes an untagged vlan incoming but this doesn’t help. All the voice vlan traffic traversing through it will be a tagged vlan.

Is there a way to classify this vlan and put it in traffic class 6 when it comes through the switch strictly as a tagged vlan?

Hello,
You should be able to do this by MAC ACL to match on vlan-id and set the Traffic Class or Switch Priority accordingly. Please take a look at the following:
For Onyx:
https://docs.nvidia.com/networking/display/onyxv3103004/acl+commands
https://docs.nvidia.com/networking/display/onyxv3103004/access+control+list+(acl)

For Cumulus Linux:
https://docs.nvidia.com/networking-ethernet-software/cumulus-linux-56/System-Configuration/Netfilter-ACLs/#match-on-vlan-ids-on-layer-2-interfaces

Ideally QoS marking is done at source and we can just “trust” the ingress port, which should map to the right Switch Priority.
https://docs.nvidia.com/networking/display/onyxv3103004/quality+of+service+(qos)
https://docs.nvidia.com/networking-ethernet-software/cumulus-linux-56/Layer-1-and-Switch-Ports/Quality-of-Service/#classification

Hope this helps.
Regards,
Eric

Didn’t mean to vanish on you. I really appreciate your response and I think this sent me in the right direction.

The downstream switches are putting the traffic in CoS 6. I’m “assuming” that the HPE FlexFabric switches (these are Comware 7) are marking the PCP & DEI. Every device I’ve worked with in the past you either assigned a CoS or used DSCP. Learned something new.

Read up on the Onyx manual and this is what I came up with. Let me know if I screwed something up.

I found I couldn’t mark traffic in the ACL unless I created an “action”. I didn’t want to modify the existing vlan information so I created the action and left it blank. Then I could assign “cos” & “switchport-priority”.

Vlan 2 is the voice vlan. The IDF switches all put this traffic into CoS 6 so I’m keeping it the same at the Mellanox.

ACL configuration

access-list action cos6
mac access-list VOIP
mac access-list VOIP seq-number 10 permit any any vlan 2 action cos6 switch-priority 6
mac access-list VOIP seq-number 20 permit any any
interface mlag-port-channel 1 mac port access-group VOIP
interface mlag-port-channel 10 mac port access-group VOIP

VLAN configuration

interface mlag-port-channel 10 switchport hybrid allowed-vlan except 4000
interface mlag-port-channel 1 switchport hybrid allowed-vlan 2,6,8,16 <---- (shortened for brevity)

QoS switch configuration

interface mlag-port-channel 1 qos trust both
interface mlag-port-channel 10 qos trust both

Again, thanks for pointing me in the right direction. Let me know if this is correct.

We can use MAC or IP ACL to match on keys and set the Switch Priority and Traffic Class. However if you want to also mark the CoS value (assuming it is not already marked by source), we cannot do this by ACL alone.

I don’t think having an empty action will assign the cos in the access-list. The cos there should be a match which you can configure regardless. As you noted, you cannot mark traffic in the ACL as an action. See ACL Capability Summary from:
https://docs.nvidia.com/networking/display/onyxv3104006/access+control+list+(acl)

If there is no CoS marking from the source incoming on this port, a workaround may be to use MAC ACL to match on the vlan and set the Switch Priority, then enable PCP/DEI rewrite on the ingress port to rewrite the CoS value of the packet based on the Switch Priority mapping (e.g. default SP 6 → CoS 6). E.g.:

interface ethernet 1/1 qos trust both
interface ethernet 1/1 qos rewrite pcp
mac access-list MYACL
mac access-list MYACL seq-number 10 permit any any vlan 2 counter switch-priority 6
mac access-list MYACL seq-number 20 permit any any
interface ethernet 1/1 mac port access-group MYACL
show mac access-lists MYACL
show qos interface eth 1/1 rewrite-mapping

The shortcoming is other traffic from this port hitting SP6 may also get CoS marked, but if source is not doing any QoS marking, then we should be fine.

Alternately, have the marking done at the source/end device and just trust the ports.

The VoIP traffic is being marked by the source so I think I’ll try just trusting the traffic for now and check it.

Bummer! I was hoping anything after the ‘action’ part of the command was an action. I saw the list of what an ACL could actually do. Missed ‘cos’ as just a match. Wishful thinking, I guess.
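
Added example, not part of the thread or of any NVIDIA tooling: since the plan is to trust source marking and check it, this sketch reads the 802.1Q tag (PCP, DEI, VLAN ID) from raw Ethernet frames and lists voice-VLAN frames that do not carry the expected CoS. The function names and sample frames are constructed for illustration; getting frames out of a capture is assumed to happen elsewhere.

```python
import struct

TPID_8021Q = 0x8100   # single C-tag only; QinQ outer tags (0x88A8) are not handled
VOICE_VLAN = 2        # voice VLAN from the thread
EXPECTED_PCP = 6      # CoS the downstream switches are said to apply


def parse_dot1q(frame: bytes):
    """Return (vid, pcp, dei) for an 802.1Q-tagged frame, or None if untagged/short."""
    if len(frame) < 16:
        return None
    # Bytes 0-11 are dst/src MAC; the tag is TPID (16 bits) + TCI (16 bits).
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != TPID_8021Q:
        return None
    # TCI layout: PCP (3 bits) | DEI (1 bit) | VLAN ID (12 bits)
    return tci & 0x0FFF, tci >> 13, (tci >> 12) & 1


def mismarked(frames, vlan=VOICE_VLAN, pcp=EXPECTED_PCP):
    """Indexes of frames tagged with `vlan` whose PCP differs from `pcp`."""
    bad = []
    for i, frame in enumerate(frames):
        tag = parse_dot1q(frame)
        if tag and tag[0] == vlan and tag[1] != pcp:
            bad.append(i)
    return bad


def build_frame(vid, pcp, dei=0):
    """Constructed test frame: dummy MACs, 802.1Q tag, IPv4 ethertype, zero payload."""
    tci = (pcp << 13) | (dei << 12) | vid
    macs = bytes(6) + bytes.fromhex("020000000001")
    return macs + struct.pack("!HHH", TPID_8021Q, tci, 0x0800) + bytes(46)


# Constructed sample input, not taken from a real capture.
SAMPLE = [
    build_frame(2, 6),                                   # voice VLAN, marked CoS 6
    build_frame(2, 0),                                   # voice VLAN, unmarked
    build_frame(16, 0),                                  # data VLAN, ignored
    bytes(12) + struct.pack("!H", 0x0800) + bytes(46),   # untagged, ignored
]

if __name__ == "__main__":
    for i in mismarked(SAMPLE):
        vid, pcp, dei = parse_dot1q(SAMPLE[i])
        print(f"frame {i}: vlan {vid} pcp {pcp} dei {dei}, expected pcp {EXPECTED_PCP}")
```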