We have always been told that, when it comes to traffic marking, is always best practice not to trust sources and remark everything on access network nodes.

This can be true when we do not manage directly the host (ie clearing all traffic coming from internet), but it may be a good move to allow our server guys to mark directly on their boxes. Here are some benefits:

  • Ease network management tasks: if you run many VMs behind your access trunk port,  it will save you tons of micro editing during the next server migration.

  • Reduce network resources utilization by avoiding remarking on a single point.

  • Speed up QoS policy changes: as for now, automate unix iptables or windows firewall rules, is faster than changing ACL/policy-maps on network devices.

We should always allow server teams to set DSCP on the sources, as long as everyone complies with common DSCP/services mapping.

Please leave comment with your personal experience or thoughts.