Cisco QoS Concept and Design

Page 1: Cisco QoS Concept and Design

1© 2006 Cisco Systems, Inc. All rights reserved. Cisco Public

Agenda

• QoS Introduction

• QoS Technologies Overview

• QoS Best Practice Design Principles

• QoS Design for WAN, Branch, VPN

• QoS Design for Campus

Page 2: Cisco QoS Concept and Design


Introduction to QoS Tools and Design

Cisco

Page 3: Cisco QoS Concept and Design


QoS Introduction

Page 4: Cisco QoS Concept and Design


What Is Quality of Service? Two Perspectives

• The user perspective

Users perceive that their applications are performing properly

Voice, video, and data

• The network manager perspective

Need to manage bandwidth allocations to deliver the desired application performance

Control delay, jitter, and packet loss

Page 5: Cisco QoS Concept and Design


Why Enable QoS? HA, Security, and QoS Are Interdependent Technologies

• Enables VoIP and IP telephony

• Drives productivity by enhancing service-levels to mission-critical applications

• Cuts costs by bandwidth optimization

• Helps maintain network availability in the event of DoS/worm attacks

[Figure: three overlapping circles labelled Quality of Service, High Availability and Security; the three are interdependent]

Page 6: Cisco QoS Concept and Design


What Causes ...

Lack of bandwidth – multiple flows are contesting for a limited amount of bandwidth

Too much delay – packets have to traverse many network devices and links that add up to the overall delay

Variable delay – sometimes there is a lot of other traffic which results in more delay

Drops – packets have to be dropped when a link is congested

Page 7: Cisco QoS Concept and Design


Available Bandwidth

Maximum available bandwidth equals the bandwidth of the weakest link

Multiple flows are contesting for the same bandwidth resulting in much less bandwidth being available to one single application.

[Figure: four routers in a path joined by links of 10 Mbps, 256 kbps, 512 kbps and 100 Mbps]

BWmax = min(10M, 256k, 512k, 100M) = 256 kbps

BWavail = BWmax / Flows

Page 8: Cisco QoS Concept and Design

How to Increase Available Bandwidth?

• Upgrade the link. The best solution but also the most expensive.

• Use fancy queuing instead of FIFO: take some bandwidth from less important applications.

Priority Queuing (PQ), Custom Queuing (CQ), Modified Deficit Round Robin (MDRR), Class-Based Weighted Fair Queuing (CB-WFQ)

• Compress the headers of IP packets.

TCP Header Compression, RTP Header Compression

• Compress the payload of layer-2 frames.

Stacker, Predictor

Page 9: Cisco QoS Concept and Design

End-to-End Delay

End-to-end delay equals the sum of all propagation, processing and queuing delays in the path

Propagation delay is fixed; processing and queuing delays are unpredictable in best-effort networks

[Figure: a path across four links; each link adds propagation delay (P1–P4) and each of the three routers adds processing and queuing delay (Q1–Q3)]

Delay = P1 + Q1 + P2 + Q2 + P3 + Q3 + P4 = X ms

Page 10: Cisco QoS Concept and Design

How to Reduce Delay?

• Upgrade the link. The best solution but also the most expensive.

• Use fancy queuing instead of FIFO: forward the important packets first.

Priority Queuing (PQ), Custom Queuing (CQ), Strict Priority MDRR, IP RTP Prioritization, Class-Based Low-Latency Queuing (CB-LLQ)

• Compress the headers of IP packets.

TCP Header Compression, RTP Header Compression (cRTP)

• Compress the payload of layer-2 frames (it takes time).

Stacker, Predictor

Page 11: Cisco QoS Concept and Design

Packet Loss

Tail-drops occur when the output queue is full. These are the most common drops and happen when a link is congested.

There are also many other types of drops that are less common and may require a hardware upgrade (input drop, ignore, overrun, no buffer, ...). These drops are usually a result of router congestion.

[Figure: packets arriving at a full output queue; the newest arrival is tail-d­ropped]

Page 12: Cisco QoS Concept and Design

How to Prevent Packet Loss?

• Upgrade the link. The best solution but also the most expensive.

• Use fancy queuing instead of FIFO: guarantee enough bandwidth to sensitive packets.

Custom Queuing (CQ), Modified Deficit Round Robin (MDRR), Class-Based Weighted Fair Queuing (CB-WFQ)

• Use a dropper: prevent congestion by randomly dropping less important packets before congestion occurs.

Weighted Random Early Detection (WRED)

Page 13: Cisco QoS Concept and Design

Quality of Service Operations: How Do QoS Tools Work?

Classification and Marking

Queuing and (Selective) Dropping

Post-Queuing Operations

Page 14: Cisco QoS Concept and Design

Cisco IOS QoS Behavioral Model

[Figure: a packet stream passes through Classification, then optional Pre-Queuing Operators, then the Queuing System (several queues feeding one scheduler), then optional Post-Queuing Operators]

Page 15: Cisco QoS Concept and Design

Policy Actions

[Figure: the behavioral model from the previous slide, with match conditions applied at classification and policy actions applied at each later stage]

Specify Match Conditions and Policy Actions

Classification: Classify Traffic (Match Conditions)

Pre-Queuing: Immediate Actions

Queuing and Scheduling: Congestion Management and Avoidance

Post-Queuing: Link Efficiency Mechanisms

Page 16: Cisco QoS Concept and Design

Operators for Traffic Classification and QoS Policy Actions

Match Conditions (keyword: class-map)

Classification (Classify Traffic): match one or more attributes (partial list)

• ACL list

• CoS

• Differentiated Services Code Point (DSCP)

• Input interface

• Media Access Control (MAC) address

• Packet length

• Precedence

• Protocol

• VLAN

Policy Actions (keyword: policy-map)

Pre-Queuing (Immediate Actions)

• Mark (set QoS values)

• Police

• Drop

• Count

Queuing and Scheduling (Congestion Management and Avoidance)

• Queue-Limit

• Random-Detect

• Bandwidth

• Fair-Queue

• Priority

• Shape

Post-Queuing (Link Efficiency Mechanisms)

• Compress header

• Fragment (link fragmentation and interleaving, layer two)

Page 17: Cisco QoS Concept and Design

Cisco QoS Architectural Framework

[Figure: a layered framework, top to bottom]

Business Objectives

Architecture Standards: DiffServ Standards, IntServ Standards, Hybrid Standards

QoS for Convergence (Voice, Video, Data), QoS for Security, QoS for Tiered Services

Page 18: Cisco QoS Concept and Design

Cisco QoS Architectural Framework: Automating and Management

[Figure: the framework from the previous slide, extended with the Cisco QoS Tools layer, Provisioning/Auto-Provisioning, Management Technologies and Management Applications]

Business Objectives

Architecture Standards: DiffServ Standards, IntServ Standards, Hybrid Standards

QoS for Convergence (Voice, Video, Data), QoS for Security, QoS for Tiered Services

Cisco QoS Tools

Tool area                  | Router Cisco IOS QoS        | Cisco Catalyst QoS
Classification and Marking | CoS, DSCP, MPLS EXP, NBAR   | CoS, DSCP
Policing                   | Single-Rate, Dual-Rate      | Single-Rate, Dual-Rate, Microflow
Congestion Mgmt            | LLQ, CBWFQ                  | 1PxQyT
Congestion Avoidance       | WRED, ECN                   | WTD, WRED, ECN
Link-Specific              | Shaping, cRTP, LFI          | Shaping
Signaling                  | RSVP                        | RSVP, COPS

Provisioning/Auto-Provisioning, Management Technologies, Management Applications

Page 19: Cisco QoS Concept and Design


How Is QoS Optimally Deployed?

1. Strategically define the business objectives to be achieved via QoS

2. Analyze the service-level requirements of the various traffic classes to be provisioned for

3. Design and test the QoS policies prior to production-network rollout

4. Roll-out the tested QoS designs to the production-network in phases, during scheduled downtime

5. Monitor service levels to ensure that the QoS objectives are being met

Page 20: Cisco QoS Concept and Design

General QoS Design Principles: Start with the Objectives, Not the Tools

• Clearly define the organizational objectives

Protect voice? Video? Data?

DoS/worm mitigation?

• Assign as few applications as possible to be treated as “mission-critical”

• Seek executive endorsement of the QoS objectives prior to design and deployment

• Determine how many classes of traffic are required to meet the organizational objectives

More classes = more granular service-guarantees

Page 21: Cisco QoS Concept and Design

How Many Classes of Service Do I Need? Example Strategy for Expanding the Number of Classes of Service over Time

4/5 Class Model

• Realtime

• Call Signaling

• Critical Data

• Best Effort

• Scavenger (the optional fifth class)

8 Class Model

• Voice

• Video

• Call Signaling

• Network Control

• Critical Data

• Bulk Data

• Best Effort

• Scavenger

11 Class Model

• Voice

• Interactive-Video

• Streaming Video

• Call Signaling

• IP Routing

• Network Management

• Mission-Critical Data

• Transactional Data

• Bulk Data

• Best Effort

• Scavenger

[Figure: the three models are arranged left to right along a time axis]

Page 22: Cisco QoS Concept and Design

Voice QoS Requirements: Provisioning for Voice

Voice One-Way Requirements

• Latency ≤ 150 ms

• Jitter ≤ 30 ms

• Loss ≤ 1%

• 17–106 kbps guaranteed priority bandwidth per call

• 150 bps (+ layer 2 overhead) guaranteed bandwidth for voice-control traffic per call

• CAC must be enabled

Voice traffic is:

• Smooth

• Benign

• Drop sensitive

• Delay sensitive

• UDP priority

Page 23: Cisco QoS Concept and Design

Video QoS Requirements: Provisioning for Interactive Video

Video One-Way Requirements

• Latency ≤ 150 ms

• Jitter ≤ 30 ms

• Loss ≤ 1%

• Minimum priority bandwidth guarantee required is video stream + 10–20%

e.g., a 384 kbps stream could require up to 460 kbps of priority bandwidth

• CAC must be enabled

Video traffic is:

• Bursty

• Drop sensitive

• Delay sensitive

• UDP priority

Page 24: Cisco QoS Concept and Design

Data QoS Requirements: Provisioning for Data

• Different applications have different traffic characteristics

• Different versions of the same application can have different traffic characteristics

• Classify data into a four/five data class model

Mission-critical apps

Transactional/interactive apps

Bulk data apps

Best effort apps

Optional: Scavenger apps

Data traffic is:

• Smooth/bursty

• Benign/greedy

• Drop insensitive

• Delay insensitive

• TCP retransmits

Page 25: Cisco QoS Concept and Design

Scavenger Class: What Is the Scavenger Class?

• The Scavenger class is an Internet2 draft specification for a "less than best effort" service

• There is an implied "good faith" commitment for the "best effort" traffic class

It is generally assumed that at least some network resources will be available for the default class

• Scavenger class markings can be used to distinguish out-of-profile/abnormal traffic flows from in-profile/normal flows

The Scavenger class marking is CS1, DSCP 8

• Scavenger traffic is assigned a "less-than-best-effort" queuing treatment whenever congestion occurs

Page 26: Cisco QoS Concept and Design


QoS Technology Overview

Page 27: Cisco QoS Concept and Design


QoS Technologies Overview

• Classification tools

• Scheduling tools

• Policing and shaping tools

• Link-Specific tools

• Signaling tools (RSVP)

• AutoQoS tools

• QoS for Security

Page 28: Cisco QoS Concept and Design

Classification Tools: Ethernet 802.1Q Class of Service (L2)

• 802.1p user priority field, also called Class of Service (CoS)

• Different types of traffic are assigned different CoS values

• CoS 6 and 7 are reserved for network use

[Figure: Ethernet frame (Preamble, SFD, DA, SA, Type, Data, FCS) with the 4-byte 802.1Q/p tag inserted; the tag carries the 3-bit PRI field (802.1p user priority), CFI and the 12-bit VLAN ID]

CoS | Application
0   | Best Effort Data
1   | Bulk Data
2   | Critical Data
3   | Call Signaling
4   | Video
5   | Voice
6   | Routing
7   | Reserved

Page 29: Cisco QoS Concept and Design

Classification Tools: IP Precedence and DiffServ Code Points (L3)

• IPv4: the three most significant bits of the ToS byte are called IP Precedence (IPP); the other bits are unused

• DiffServ: the six most significant bits of the ToS byte are called the DiffServ Code Point (DSCP); the remaining two bits are used for Explicit Congestion Notification (ECN), not flow control

• DSCP is backward-compatible with IP Precedence: the top three bits of the DSCP occupy the same positions as the IPP bits

[Figure: IPv4 header (Version, Length, ToS byte, Len, ID, Offset, TTL, Proto, checksum, IP SA, IP DA, Data). In standard IPv4, ToS bits 7–5 are IP Precedence and bits 4–0 are unused; under the DiffServ extensions, bits 7–2 are the DSCP and bits 1–0 are ECN]

Page 30: Cisco QoS Concept and Design

Classification Tools: MPLS EXP Bits

• Packet class and drop precedence are inferred from the three-bit EXP field

• RFC 3270 does not recommend specific EXP values for the DiffServ PHBs (EF/AF/DF)

• Used for frame-based MPLS

[Figure: frame encapsulation of Layer-2 Header, Label Stack (one or more Label Headers) and Payload. Each 32-bit MPLS shim header holds the Label (bits 0–19), EXP (bits 20–22), S bottom-of-stack bit (bit 23) and TTL (bits 24–31)]

Page 31: Cisco QoS Concept and Design

Classification Tools: DSCP Per-Hop Behaviors

• IETF RFCs have defined special keywords, called Per-Hop Behaviors, for specific DSCP markings

• EF: Expedited Forwarding (RFC 3246), DSCP 46

• CSx: Class Selector (RFC 2474), where x corresponds to the IP Precedence value (1–7)

DSCP 8, 16, 24, 32, 40, 48, 56

• AFxy: Assured Forwarding (RFC 2597), where x corresponds to the IP Precedence value (only 1–4 are used for AF classes) and y is the drop precedence (1, 2 or 3), with higher values denoting a higher likelihood of dropping

DSCP 10/12/14, 18/20/22, 26/28/30, 34/36/38

• BE: Best Effort or Default marking value (RFC 2474), DSCP 0
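The PHB arithmetic in the last four slides is mechanical enough to check in code. The following is an added example, not part of the Cisco deck: it encodes and decodes the IPv4 ToS byte into DSCP, IP Precedence and ECN, builds the CSx, AFxy and EF code points from their definitions, and names the PHB of a raw DSCP. The TosByte class and the function names are this example's own; the CoS-equals-IPP mapping it exposes is the default L3-to-L2 mapping that the marking table later in this deck uses.

```python
"""DiffServ field arithmetic for the PHBs described above: RFC 2474 class
selectors, RFC 2597 Assured Forwarding and RFC 3246 Expedited Forwarding.

Added example, not from the Cisco deck."""
from dataclasses import dataclass

EF = 46          # RFC 3246 Expedited Forwarding, 101110b
BE = 0           # RFC 2474 default PHB
ECN_NOT_ECT, ECN_ECT1, ECN_ECT0, ECN_CE = 0b00, 0b01, 0b10, 0b11   # RFC 3168 codepoints


def cs(x: int) -> int:
    """Class Selector CSx: IP Precedence x in the top three bits, low three bits 000."""
    if not 0 <= x <= 7:
        raise ValueError("class selector must be 0..7")
    return x << 3


def af(x: int, y: int) -> int:
    """Assured Forwarding AFxy: class x in 1..4, drop precedence y in 1..3.

    DSCP = 8*x + 2*y, so AF41 = 34 and AF13 = 14; a higher y is dropped sooner."""
    if not (1 <= x <= 4 and 1 <= y <= 3):
        raise ValueError("AF class must be 1..4 and drop precedence 1..3")
    return (x << 3) | (y << 1)


def phb_name(dscp: int) -> str:
    """Standard keyword for a DSCP, or 'DSCP n' when the value has no PHB name."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a six-bit field")
    if dscp == EF:
        return "EF"
    if dscp == BE:
        return "BE"
    if dscp & 0b111 == 0:
        return f"CS{dscp >> 3}"
    x, y, lsb = dscp >> 3, (dscp & 0b111) >> 1, dscp & 1
    if 1 <= x <= 4 and 1 <= y <= 3 and lsb == 0:
        return f"AF{x}{y}"
    return f"DSCP {dscp}"


@dataclass(frozen=True)
class TosByte:
    """The IPv4 ToS byte as DiffServ reads it: DSCP (6 bits) followed by ECN (2 bits)."""
    dscp: int
    ecn: int = ECN_NOT_ECT

    @classmethod
    def from_byte(cls, tos: int) -> "TosByte":
        return cls(dscp=tos >> 2, ecn=tos & 0b11)

    def to_byte(self) -> int:
        return (self.dscp << 2) | self.ecn

    @property
    def precedence(self) -> int:
        """IP Precedence is the top three bits of the same byte, which is why DSCP is
        backward compatible: an IPP-only router reads CS3 as precedence 3."""
        return self.dscp >> 3

    @property
    def cos(self) -> int:
        """Default L3-to-L2 mapping used in the deck's marking table: CoS = IP Precedence."""
        return self.precedence

    @property
    def phb(self) -> str:
        return phb_name(self.dscp)
```

Values with no PHB keyword (for example DSCP 45, which sits between AF4x and EF) are reported as bare numbers rather than silently mapped, which is the behaviour you want in a tool that audits markings arriving from an untrusted edge.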

Page 32: Cisco QoS Concept and Design

Classification Tools: Network-Based Application Recognition (NBAR)

• Identifies over 90 applications and protocols

TCP and UDP port numbers, statically assigned or dynamically assigned during connection establishment

Non-TCP and non-UDP IP protocols

Data packet inspection for matching values

[Figure: NBAR inspects the IP packet (ToS, source IP address, destination IP address, protocol), the TCP/UDP header (source port, destination port) and the packet data area (sub-port/deep inspection); stateful and dynamic inspection]

Page 33: Cisco QoS Concept and Design

Policing Tools: RFC 2697 Single Rate Three Color Policer

[Figure: a packet of size B is checked first against the committed bucket (CBS, filled at CIR) and then against the excess bucket (EBS, filled only by tokens overflowing from the committed bucket)]

One rate (CIR) and two bursts (CBS and EBS): tokens arrive at CIR, fill the CBS bucket first and overflow into the EBS bucket

B ≤ Tc: Conform action (green)

B > Tc and B ≤ Te: Exceed action (yellow)

B > Te: Violate action (red)

Page 34: Cisco QoS Concept and Design

Policing Tools: RFC 2698 Two Rate Three Color Policer

[Figure: a packet of size B is checked first against the peak bucket (PBS, filled at PIR) and then against the committed bucket (CBS, filled at CIR)]

Two rates (CIR and PIR), each with its own burst (CBS and PBS) and bucket; the two buckets fill independently

B > Tp: Violate action (red)

B ≤ Tp and B > Tc: Exceed action (yellow)

B ≤ Tc: Conform action (green)
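As an added example (not Cisco code), both markers as colour-blind token-bucket models, written so that the conform/exceed/violate decision on each packet can be traced against the CIR/CBS/EBS and CIR/CBS/PIR/PBS parameters from the two slides above. Rates are in bytes per second and bursts in bytes; the police_and_mark helper applies the actions a police statement would (transmit, remark to CS1, drop), which is the access-edge treatment the security section of this deck describes. The class and function names are this example's own.

```python
"""RFC 2697 single-rate and RFC 2698 two-rate three-colour policers.

Added example, not Cisco code: colour-blind, byte-granular models of both
markers plus the conform/exceed/violate actions a police statement applies.
Rates are bytes per second; burst sizes are bytes."""
from dataclasses import dataclass, field

CONFORM, EXCEED, VIOLATE = "conform", "exceed", "violate"   # green, yellow, red
CS1 = 8   # Scavenger DSCP, the usual remark target for exceeding traffic


@dataclass
class SingleRateThreeColor:
    """srTCM: one rate (CIR), committed bucket C (size CBS) and excess bucket E (size EBS).
    Tokens arrive at CIR, fill C first and only the overflow goes into E."""
    cir: float
    cbs: int
    ebs: int
    last: float = 0.0
    tc: float = field(init=False, default=0.0)
    te: float = field(init=False, default=0.0)

    def __post_init__(self):
        self.tc, self.te = float(self.cbs), float(self.ebs)   # both buckets start full

    def _refill(self, now: float) -> None:
        tokens = max(0.0, now - self.last) * self.cir
        self.last = max(self.last, now)
        into_c = min(tokens, self.cbs - self.tc)
        self.tc += into_c
        self.te = min(float(self.ebs), self.te + tokens - into_c)

    def police(self, size: int, now: float) -> str:
        self._refill(now)
        if size <= self.tc:            # B <= Tc: conform
            self.tc -= size
            return CONFORM
        if size <= self.te:            # B <= Te: exceed
            self.te -= size
            return EXCEED
        return VIOLATE                 # neither bucket can pay for the packet


@dataclass
class TwoRateThreeColor:
    """trTCM: committed bucket (CIR/CBS) and peak bucket (PIR/PBS), filled independently."""
    cir: float
    cbs: int
    pir: float
    pbs: int
    last: float = 0.0
    tc: float = field(init=False, default=0.0)
    tp: float = field(init=False, default=0.0)

    def __post_init__(self):
        self.tc, self.tp = float(self.cbs), float(self.pbs)

    def _refill(self, now: float) -> None:
        dt = max(0.0, now - self.last)
        self.last = max(self.last, now)
        self.tc = min(float(self.cbs), self.tc + dt * self.cir)
        self.tp = min(float(self.pbs), self.tp + dt * self.pir)

    def police(self, size: int, now: float) -> str:
        self._refill(now)
        if size > self.tp:             # B > Tp: violate (above the peak rate)
            return VIOLATE
        if size > self.tc:             # B > Tc: exceed (between CIR and PIR)
            self.tp -= size
            return EXCEED
        self.tp -= size                # conform: charged to both buckets
        self.tc -= size
        return CONFORM


def run(policer, arrivals):
    """arrivals: sequence of (time_seconds, size_bytes). Returns one colour per packet."""
    return [policer.police(size, t) for t, size in arrivals]


def police_and_mark(policer, arrivals, dscp: int):
    """Data-plane policing treatment: conform -> pass with its DSCP,
    exceed -> remark to CS1 (Scavenger), violate -> drop (None)."""
    actions = {CONFORM: dscp, EXCEED: CS1, VIOLATE: None}
    return [actions[colour] for colour in run(policer, arrivals)]
```

Two things a trace through these models shows that the block diagrams do not: in srTCM the excess bucket only refills with tokens that overflow the committed bucket, so a burst that drains both is not forgiven by a short pause; in trTCM a conforming packet is charged to both buckets, so the committed bucket, not the peak bucket, governs sustained throughput.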

Page 35: Cisco QoS Concept and Design

Scheduling Tools: Queuing Algorithms

• Congestion can occur at any point in the network where there are speed mismatches

• Routers use Cisco IOS-based software queuing

Low-Latency Queuing (LLQ) used for highest-priority traffic (voice/video)

Class-Based Weighted-Fair Queuing (CBWFQ) used for guaranteeing bandwidth to data applications

• Cisco Catalyst switches use hardware queuing

[Figure: voice, video and data packets enter separate queues that a scheduler serves in priority order]

Page 36: Cisco QoS Concept and Design

TCP Global Synchronization: The Need for Congestion Avoidance

• All TCP flows synchronize in waves

• Synchronization wastes available bandwidth

[Figure: bandwidth utilization over time; three traffic flows start at different times and another flow starts later; each tail drop makes all flows back off together, so utilization oscillates and never settles at 100%]

Page 37: Cisco QoS Concept and Design

Scheduling Tools: Congestion Avoidance Algorithms

• Queuing algorithms manage the front of the queue: which packets get transmitted first

• Congestion avoidance algorithms manage the tail of the queue: which packets get dropped first when queuing buffers fill

• Weighted Random Early Detection (WRED)

WRED can operate in a DiffServ-compliant mode

Drops packets according to their DSCP markings

WRED works best with TCP-based applications, like data

[Figure: a queue of packets labelled with their drop precedence. Under tail drop, every arrival is dropped once the queue is full, whatever its marking; under WRED, packets with the highest drop precedence (3) are discarded early while lower-precedence packets (0, 1) are still admitted]

Page 38: Cisco QoS Concept and Design

Scheduling Tools: DSCP-Based WRED Operation

[Figure: drop probability (0 to 100%) against average queue size. AF13 begins dropping at the smallest average queue size, then AF12, then AF11; each reaches its drop-all point in the same order, and at the maximum queue length all packets are tail-dropped]

AF = (RFC 2597) Assured Forwarding
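An added example (not Cisco code) of the DSCP-based WRED mechanics in the last three slides: an exponentially weighted average queue depth, a per-DSCP drop profile with minimum threshold, maximum threshold and mark-probability denominator, and a queue that consults the profile on each arrival and falls back to tail drop when it is physically full. The thresholds for AF11/AF12/AF13 and CS1 are illustrative values chosen only to reproduce the ordering in the figure (AF13 dropped first, then AF12, then AF11, with Scavenger ahead of all three); platform defaults differ. The class and function names are this example's own.

```python
"""DSCP-based WRED: drop probability as a function of the average queue depth,
one profile per drop precedence.

Added example, not Cisco code. The thresholds are illustrative values chosen so
that AF13 is dropped before AF12 before AF11, with Scavenger ahead of all three;
real platforms ship their own defaults."""
import random
from dataclasses import dataclass

AF11, AF12, AF13, CS1 = 10, 12, 14, 8


@dataclass(frozen=True)
class WredProfile:
    min_threshold: int               # packets; below this nothing is dropped
    max_threshold: int               # packets; at or above this everything is dropped
    mark_prob_denominator: int = 10  # at max_threshold, 1 packet in N is dropped

    def drop_probability(self, avg_queue: float) -> float:
        """Linear ramp from 0 at min_threshold to 1/N at max_threshold, then 1."""
        if avg_queue < self.min_threshold:
            return 0.0
        if avg_queue >= self.max_threshold:
            return 1.0
        span = self.max_threshold - self.min_threshold
        return (avg_queue - self.min_threshold) / span / self.mark_prob_denominator


PROFILES = {                         # assumed values, see module docstring
    AF11: WredProfile(32, 40),       # lowest drop precedence: dropped last
    AF12: WredProfile(28, 40),
    AF13: WredProfile(24, 40),       # highest drop precedence: dropped first
    CS1: WredProfile(16, 40),        # Scavenger: dropped most aggressively
}
DEFAULT_PROFILE = WredProfile(20, 40)


def drop_curve(dscp: int, avg_queue_sizes):
    """Drop probability of one DSCP across a sweep of average queue sizes."""
    profile = PROFILES.get(dscp, DEFAULT_PROFILE)
    return [profile.drop_probability(a) for a in avg_queue_sizes]


def drop_order(avg_queue: float):
    """DSCPs ordered from most to least likely to be dropped at this average depth."""
    return sorted(PROFILES, key=lambda d: -PROFILES[d].drop_probability(avg_queue))


class DscpWredQueue:
    """One FIFO with DSCP-based WRED in front of it.

    The average depth is an exponentially weighted moving average updated on
    each arrival, avg = avg*(1 - 2^-n) + depth*2^-n, with n the exponential
    weighting constant as in IOS (decay during idle periods is omitted here)."""

    def __init__(self, limit: int, weight_exponent: int = 9, seed: int = 1):
        self.limit = limit
        self.weight = 2.0 ** -weight_exponent
        self.avg = 0.0
        self.depth = 0
        self.rng = random.Random(seed)

    def enqueue(self, dscp: int) -> str:
        """Returns 'queued', 'wred-drop' or 'tail-drop'."""
        self.avg = self.avg * (1 - self.weight) + self.depth * self.weight
        if self.depth >= self.limit:
            return "tail-drop"       # physically full: what happens without WRED
        p = PROFILES.get(dscp, DEFAULT_PROFILE).drop_probability(self.avg)
        if p > 0 and self.rng.random() < p:
            return "wred-drop"       # dropped early, before the queue fills
        self.depth += 1
        return "queued"

    def dequeue(self) -> None:
        if self.depth:
            self.depth -= 1
```

Because the ramp stops at 1/N (10% with the default denominator), the profiles converge as the average depth approaches the maximum threshold: the differentiation WRED provides is strongest while the average sits between the minimum thresholds, which is the regime WRED is meant to keep TCP flows in.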

Page 39: Cisco QoS Concept and Design

Congestion Avoidance

• IP header Type of Service (ToS) byte

• Explicit Congestion Notification (ECN) bits

ECT bit: ECN-Capable Transport

CE bit: Congestion Experienced

[Figure: IPv4 packet; the ToS byte carries the DSCP in bits 7–2 and the ECT and CE bits in bits 1–0]

RFC 3168: IP Explicit Congestion Notification

Page 40: Cisco QoS Concept and Design

Traffic Shaping

• Policers typically drop traffic

• Shapers typically delay excess traffic, smoothing bursts and preventing unnecessary drops

• Very common on Non-Broadcast Multiple-Access (NBMA) network topologies such as Frame Relay and ATM

[Figure: transmit rate over time without shaping (bursts up to line rate) and with shaping (held at the shaped rate)]

Traffic shaping limits the transmit rate to a value lower than line rate

Page 41: Cisco QoS Concept and Design

Link-Specific Tools: Link Fragmentation and Interleaving

• Serialization delay is the finite amount of time required to put frames on a wire

• For links ≤ 768 kbps, serialization delay is a major factor affecting latency and jitter

• For such slow links, large data packets need to be fragmented and interleaved with smaller, more urgent voice packets

[Figure: without LFI a voice packet waits behind a whole data frame, so data serialization causes excessive delay; with fragmentation and interleaving the voice packet is sent between data fragments and serialization delay is minimized]

Page 42: Cisco QoS Concept and Design

Link-Specific Tools: IP RTP Header Compression

• cRTP reduces L3 VoIP bandwidth by:

~20% for G.711

~60% for G.729

[Figure: a VoIP packet carries a 20-byte IP header, an 8-byte UDP header and a 12-byte RTP header ahead of the voice payload; cRTP compresses those 40 bytes to 2–5 bytes]
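The voice figures earlier in the deck (17–106 kbps of priority bandwidth per call), the LFI rule for links at or below 768 kbps, and the cRTP savings above all come from the same per-packet arithmetic. The following is an added example, not from the Cisco deck, that carries it through. Its assumptions: 20 ms packetization (50 packets per second) for both codecs, a 2-byte compressed header for cRTP, and layer-2 overheads supplied by the caller; the function names are its own. The 320-byte fragment it computes for a 256 kbps link is the "frame-relay fragment 320" that AutoQoS generates later in this deck.

```python
"""Per-call VoIP bandwidth, cRTP savings and LFI fragment sizing.

Added example, not from the Cisco deck. Assumptions: 20 ms packetization
(50 packets/s) for both codecs, a 2-byte compressed header for cRTP, and
layer-2 overheads passed in by the caller."""
IP_HDR, UDP_HDR, RTP_HDR = 20, 8, 12          # 40 bytes of L3/L4 headers per packet
CRTP_HDR = 2                                  # compressed IP/UDP/RTP header (2-5 bytes on the slide)
PACKETS_PER_SECOND = 50                       # 20 ms of audio per packet

CODEC_PAYLOAD_BYTES = {                       # per 20 ms packet
    "G.711": 160,                             # 64 kbps codec
    "G.729": 20,                              # 8 kbps codec
}


def l3_bandwidth_bps(codec: str, crtp: bool = False) -> int:
    """Layer-3 bandwidth of one call: (payload + headers) * 8 bits * packets/s."""
    header = CRTP_HDR if crtp else IP_HDR + UDP_HDR + RTP_HDR
    return (CODEC_PAYLOAD_BYTES[codec] + header) * 8 * PACKETS_PER_SECOND


def crtp_saving(codec: str) -> float:
    """Fraction of L3 bandwidth removed by cRTP: about 0.19 for G.711, 0.63 for G.729."""
    full = l3_bandwidth_bps(codec)
    return (full - l3_bandwidth_bps(codec, crtp=True)) / full


def per_call_bps(codec: str, l2_overhead_bytes: int, crtp: bool = False) -> int:
    """What to reserve in the priority queue per call: L3 bandwidth plus the L2
    framing the slide says to add (e.g. 6 bytes for PPP, 18 bytes for Ethernet)."""
    header = (CRTP_HDR if crtp else IP_HDR + UDP_HDR + RTP_HDR) + l2_overhead_bytes
    return (CODEC_PAYLOAD_BYTES[codec] + header) * 8 * PACKETS_PER_SECOND


def priority_queue_bps(calls: int, codec: str, l2_overhead_bytes: int, crtp: bool = False) -> int:
    """LLQ bandwidth for a number of simultaneous calls; CAC must cap the number."""
    return calls * per_call_bps(codec, l2_overhead_bytes, crtp)


def serialization_delay_ms(frame_bytes: int, link_bps: int) -> float:
    """Time to clock one frame onto the wire; the reason LFI exists on slow links."""
    return frame_bytes * 8 / link_bps * 1000


def lfi_fragment_bytes(link_bps: int, target_ms: float = 10.0) -> int:
    """Largest fragment whose serialization delay stays within target_ms
    (the 10 ms rule of thumb behind 'frame-relay fragment 320' on a 256 kbps PVC)."""
    return int(link_bps * target_ms / 1000 / 8)


def needs_lfi(link_bps: int) -> bool:
    """The deck's threshold: links at or below 768 kbps need fragmentation and interleaving."""
    return link_bps <= 768_000
```

A 1500-byte frame on a 64 kbps link takes 187.5 ms to serialize, more than the whole 150 ms one-way budget for voice, which is why fragment size is derived from the link speed rather than chosen by hand.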

Page 43: Cisco QoS Concept and Design

AutoQoS: AutoQoS VoIP for Cisco Catalyst Switches

CAT2970(config-if)#auto qos voip cisco-phone

Configuration generated by the single command above:

!
mls qos map cos-dscp 0 8 16 26 32 46 48 56
mls qos srr-queue output cos-map queue 1 threshold 3 5
mls qos srr-queue output cos-map queue 2 threshold 3 3 6 7
mls qos srr-queue output cos-map queue 3 threshold 3 2 4
mls qos srr-queue output cos-map queue 4 threshold 2 1
mls qos srr-queue output cos-map queue 4 threshold 3 0
mls qos srr-queue output dscp-map queue 1 threshold 3 40 41 42 43 44 45 46 47
mls qos srr-queue output dscp-map queue 2 threshold 3 24 25 26 27 28 29 30 31
mls qos srr-queue output dscp-map queue 2 threshold 3 48 49 50 51 52 53 54 55
mls qos srr-queue output dscp-map queue 2 threshold 3 56 57 58 59 60 61 62 63
mls qos srr-queue output dscp-map queue 3 threshold 3 16 17 18 19 20 21 22 23
mls qos srr-queue output dscp-map queue 3 threshold 3 32 33 34 35 36 37 38 39
mls qos srr-queue output dscp-map queue 4 threshold 1 8
mls qos srr-queue output dscp-map queue 4 threshold 2 9 10 11 12 13 14 15
mls qos srr-queue output dscp-map queue 4 threshold 3 0 1 2 3 4 5 6 7
mls qos queue-set output 1 threshold 1 138 138 92 138
mls qos queue-set output 1 threshold 2 138 138 92 400
mls qos queue-set output 1 threshold 3 36 77 100 318
mls qos queue-set output 1 threshold 4 20 50 67 400
mls qos queue-set output 2 threshold 1 149 149 100 149
mls qos queue-set output 2 threshold 2 118 118 100 235
mls qos queue-set output 2 threshold 3 41 68 100 272
mls qos queue-set output 2 threshold 4 42 72 100 242
mls qos queue-set output 1 buffers 10 10 26 54
mls qos queue-set output 2 buffers 16 6 17 61
mls qos
!
!
interface GigabitEthernet0/1
 srr-queue bandwidth share 10 10 60 20
 srr-queue bandwidth shape 10 0 0 0
 queue-set 2
 mls qos trust device cisco-phone
 mls qos trust cos
 auto qos voip cisco-phone
!

Page 44: Cisco QoS Concept and Design

AutoQoS: AutoQoS VoIP: WAN

interface Serial2/0
 bandwidth 768
 ip address 10.1.102.2 255.255.255.0
 encapsulation ppp
 auto qos voip trust

Configuration generated by the auto qos voip trust command above:

!
interface Multilink2001100117
 bandwidth 768
 ip address 10.1.102.2 255.255.255.0
 service-policy output AutoQoS-Policy-Trust
 ip tcp header-compression iphc-format
 no cdp enable
 ppp multilink
 ppp multilink fragment delay 10
 ppp multilink interleave
 ppp multilink group 2001100117
 ip rtp header-compression iphc-format
!
…
!
interface Serial2/0
 bandwidth 768
 no ip address
 encapsulation ppp
 auto qos voip trust
 no fair-queue
 ppp multilink
 ppp multilink group 2001100117
!

!
class-map match-any AutoQoS-VoIP-RTP-Trust
 match ip dscp ef
class-map match-any AutoQoS-VoIP-Control-Trust
 match ip dscp cs3
 match ip dscp af31
!
!
policy-map AutoQoS-Policy-Trust
 class AutoQoS-VoIP-RTP-Trust
  priority percent 70
 class AutoQoS-VoIP-Control-Trust
  bandwidth percent 5
 class class-default
  fair-queue
!

Page 45: Cisco QoS Concept and Design

AutoQoS: AutoQoS Enterprise: WAN DiffServ Classes

Traffic Class             | DSCP
Interactive Voice         | EF
Interactive Video         | AF41
Streaming Video           | CS4
Telephony Signaling       | CS3
Transactional/Interactive | AF21
Network Management        | CS2
Bulk Data                 | AF11
Scavenger                 | CS1
Best Effort               | 0
IP Routing                | CS6

Cisco AutoQoS AutoDiscovery collects: application and protocol types; offered bit rate (average and peak)

Cisco AutoQoS Policy generates: Cisco AutoQoS class-maps; match statements; minimum bandwidth to class queues, scheduling and WRED

Page 46: Cisco QoS Concept and Design

AutoQoS: AutoQoS Enterprise: WAN, Part One: Discovery

interface Serial4/0 point-to-point
 encapsulation frame-relay
 bandwidth 256
 ip address 10.1.71.1 255.255.255.0
 frame-relay interface-dlci 100
 auto discovery qos

AutoDiscovery Notes

• The command should be enabled on the interface of interest

• Do not change the interface bandwidth while auto discovery is running

• Cisco Express Forwarding must be enabled

• All previously attached QoS policies must be removed from the interface

Page 47: Cisco QoS Concept and Design

AutoQoS Enterprise: WAN, Part One: Discovery (Cont.)

Router# show auto discovery qos

AutoQoS Discovery enabled for applications
Discovery up time: 2 days, 55 minutes
AutoQoS Class information:
 Class VoIP:
  Recommended Minimum Bandwidth: 517 Kbps/50% (PeakRate)
  Detected applications and data:
   Application/   AverageRate   PeakRate   Total
   Protocol       (kbps/%)      (kbps/%)   (bytes)
   rtp audio      76/7          517/50     703104
 Class Interactive Video:
  Recommended Minimum Bandwidth: 24 Kbps/2% (AverageRate)
  Detected applications and data:
   Application/   AverageRate   PeakRate   Total
   Protocol       (kbps/%)      (kbps/%)   (bytes)
   rtp video      24/2          5337/52    704574
 Class Transactional:
  Recommended Minimum Bandwidth: 0 Kbps/0% (AverageRate)
  Detected applications and data:
   Application/   AverageRate   PeakRate   Total
   Protocol       (kbps/%)      (kbps/%)   (bytes)
   citrix         36/3          74/7       30212
   sqlnet         12/1          7/<1       1540

Page 48: Cisco QoS Concept and Design

AutoQoS Enterprise: WAN, Part Two: Provisioning

interface Serial4/0 point-to-point
 bandwidth 256
 ip address 10.1.71.1 255.255.255.0
 frame-relay interface-dlci 100
 auto qos

Configuration generated by the auto qos command above:

class-map match-any AutoQoS-Voice-Se4/0
 match protocol rtp audio
class-map match-any AutoQoS-Inter-Video-Se4/0
 match protocol rtp video
class-map match-any AutoQoS-Transactional-Se4/0
 match protocol sqlnet
 match protocol citrix
!
policy-map AutoQoS-Policy-Se4/0
 class AutoQoS-Voice-Se4/0
  priority percent 70
  set dscp ef
 class AutoQoS-Inter-Video-Se4/0
  bandwidth remaining percent 10
  set dscp af41
 class AutoQoS-Transactional-Se4/0
  bandwidth remaining percent 1
  set dscp af21
 class class-default
  fair-queue
!

Page 49: Cisco QoS Concept and Design

AutoQoS Enterprise: WAN, Part Two: Provisioning (Cont.)

<policy continued>
!
policy-map AutoQoS-Policy-Se4/0-Parent
 class class-default
  shape average 256000
  service-policy AutoQoS-Policy-Se4/0
!
interface Serial4/0 point-to-point
 frame-relay interface-dlci 100
  class AutoQoS-FR-Serial4/0-100
!
map-class frame-relay AutoQoS-FR-Serial4/0-100
 frame-relay cir 256000
 frame-relay mincir 256000
 frame-relay fragment 320
 service-policy output AutoQoS-Policy-Se4/0-Parent

Page 50: Cisco QoS Concept and Design

AutoQoS Enterprise: WAN, Part Three: Monitoring

• Thresholds are activated in the RMON alarm table to monitor drops in the Voice class

• Default drop threshold is 1 bps

RMON event configured and generated by Cisco AutoQoS (monitoring drops in LLQ):

rmon event 33333 log trap AutoQoS description "AutoQoS SNMP traps for Voice Drops" owner AutoQoS
rmon alarm 33350 cbQoSCMDDropBitRate.2881.2991 30 absolute rising-threshold 1 33333 falling-threshold 0 owner AutoQoS

Page 51: Cisco QoS Concept and Design

Signaling Tools: Resource Reservation Protocol (RSVP)

[Figure: a handset or multimedia station signals "I need 16K BW and 100 msec delay" along the path to a multimedia server or far-end handset; each router on the path reserves 16K BW on its outgoing line]

• RSVP QoS services

Guaranteed service: mathematically provable bounds on end-to-end datagram queuing delay/bandwidth

Controlled service: approximate QoS from an unloaded network for delay/bandwidth

• RSVP provides the policy to WFQ and LLQ

Page 52: Cisco QoS Concept and Design


QoS for Security

Page 53: Cisco QoS Concept and Design

Impact of an Internet Worm: Part One: Direct and Collateral Damage

[Figure: enterprise topology with a Primary and a Secondary Data Center, Campus, Branch and Teleworker sites connected over L2VPN, L3VPN, MetroE, broadband DSL and the Internet. A worm overloads the data plane, the control plane and the end systems]

Page 54: Cisco QoS Concept and Design

QoS Tools and Tactics for Security: QoS for Self-Defending Networks

• Control plane policing

• Data plane policing (Scavenger-Class QoS)

• NBAR for known-worm policing

Page 55: Cisco QoS Concept and Design

Control Plane Policing: Overview

• Control Plane Policing (alleviating DoS attacks)

• Silent Mode (reconnaissance prevention)

[Figure: packets enter through the CEF input forwarding path (ACL, uRPF, NAT, CEF/FIB lookup). Processor-switched packets go to the control plane, where Management (SNMP, Telnet), ICMP, IPv6, Routing Updates, Management (SSH, SSL) and others are handled; Control Plane Policing sits at the input to the control plane, and output from the control plane goes to the output packet buffer]

Page 56: Cisco QoS Concept and Design

Data Plane Policing (Scavenger-Class QoS): Part One: First Order Anomaly Detection

• All end systems generate traffic spikes, but worms create sustained spikes

• Normal/abnormal threshold set at approx 95% confidence

• No dropping at campus access-edge; only remarking

[Figure: per-host traffic rate against a Normal/Abnormal threshold; traffic above the threshold is policed and remarked (if necessary)]
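As an added example (not Cisco code) of the first-order detection the slide describes: a per-host threshold is taken as the 95th percentile of that host's baseline rate samples, one reading of "approx 95% confidence" (the access-edge policer on a Catalyst switch expresses the threshold as a rate, so this models the design decision, not the switch); a single interval above it is ignored as a normal end-system spike, and only a sustained run is flagged. Nothing is dropped; flagged intervals are remarked to CS1. The host addresses and rate samples are constructed for the example, and the function names are its own.

```python
"""First-order anomaly detection for data-plane policing: per-host
normal/abnormal threshold from a traffic baseline, sustained exceedances
flagged and remarked to Scavenger (CS1), nothing dropped.

Added example, not Cisco code. 'Approx 95% confidence' is read here as the
95th percentile (nearest-rank) of each host's baseline samples; the rates
below are constructed, in kbps per measurement interval."""
import math

CS1 = 8                    # Scavenger DSCP
DEFAULT_DSCP = 0           # what the host's traffic was marked before

# Constructed baseline: 20 intervals per host; 10.1.5.20 has one legitimate spike.
BASELINE_KBPS = {
    "10.1.5.20": [40, 45, 50, 52, 55, 48, 60, 58, 47, 51, 53, 49, 46, 62, 57, 54, 44, 59, 56, 300],
    "10.1.5.21": [20, 22, 19, 25, 21, 24, 23, 20, 26, 22, 21, 19, 24, 25, 23, 22, 20, 21, 24, 26],
}

# Constructed live series for the same hosts: .20 shows one short spike and then a
# sustained run (worm-like); .21 stays in profile apart from one interval.
LIVE_KBPS = {
    "10.1.5.20": [50, 400, 55, 52, 380, 410, 395, 420, 60],
    "10.1.5.21": [21, 23, 27, 22, 20, 24, 25, 21, 22],
}


def percentile(samples, p: float) -> float:
    """Nearest-rank percentile: the smallest sample with at least p% of samples at or below it."""
    ordered = sorted(samples)
    rank = max(1, math.ceil(p * len(ordered) / 100))
    return ordered[rank - 1]


def build_thresholds(baselines: dict, p: float = 95.0) -> dict:
    """One normal/abnormal threshold per host, from its own baseline."""
    return {host: percentile(samples, p) for host, samples in baselines.items()}


def sustained_intervals(series, threshold, sustain: int = 3):
    """Indexes at which the rate has been above threshold for `sustain` consecutive
    intervals. A one-interval spike is normal end-system behaviour and is not flagged."""
    flagged, run = [], 0
    for i, rate in enumerate(series):
        run = run + 1 if rate > threshold else 0
        if run >= sustain:
            flagged.append(i)
    return flagged


def remark(series, flagged, dscp: int = DEFAULT_DSCP):
    """Access-edge action: every interval keeps its traffic (no drop); flagged
    intervals are remarked CS1 so that congestion-time queuing drops them first."""
    flagged = set(flagged)
    return [CS1 if i in flagged else dscp for i in range(len(series))]


def evaluate(live: dict, thresholds: dict, sustain: int = 3) -> dict:
    """Per host: (threshold, flagged interval indexes, per-interval DSCP)."""
    result = {}
    for host, series in live.items():
        flagged = sustained_intervals(series, thresholds[host], sustain)
        result[host] = (thresholds[host], flagged, remark(series, flagged))
    return result
```

The baseline's own spike (300 kbps) lands above the 95th percentile and so does not inflate the threshold; had the baseline been taken during an outbreak, the threshold would learn the worm as normal, which is why baselines are collected before policy is applied.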

Page 57: Cisco QoS Concept and Design

Data Plane Policing (Scavenger-Class QoS): Part Two: Second Order Anomaly Reaction

• Queuing only engages if links become congested; when congestion occurs, drops will also occur

• Scavenger-class QoS allows for increased intelligence in the dropping decision

"Abnormal" traffic flows will be dropped aggressively

"Normal" traffic flows will continue to receive network service

[Figure: traffic is policed and remarked at the access edge; queuing engages when links become congested and traffic previously marked as Scavenger is dropped aggressively. WAN/VPN links will likely congest first; campus uplinks may also congest]

Page 58: Cisco QoS Concept and Design

NBAR Known-Worm Policing: NBAR vs. Code Red Example

• First released in July 2001

• Exploited a vulnerability in Microsoft IIS and infected 360,000 hosts in 14 hours

• Several strains (CodeRed, CodeRedv2, CodeRed II, CodeRedv3, CodeRed.C)

• Newer strains replaced the home page of Web servers and caused DoS flooding attacks

• Attempts to access a file with the ".ida" extension

class-map match-any CODE-RED
 match protocol http url "*.ida*"
 match protocol http url "*cmd.exe*"
 match protocol http url "*root.exe*"

[Figure: NBAR on the branch router looks past the frame, the IP packet (ToS/DSCP, source IP, destination IP) and the TCP segment (source port, destination port) into the data payload for HTTP GET /*.ida*; traffic arrives from the branch switch]
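The class-map above matches on substrings of the requested URL. As an added example (not Cisco code), the following applies the same three wildcard patterns to constructed HTTP request lines the way a payload-inspecting classifier would, with match-any semantics. Case-insensitive matching is a choice made here. The request lines and host addresses are constructed; the last one is a benign URL that still contains ".ida", included to show that a substring class-map sweeps up such traffic too, which matters when deciding whether the class is policed or dropped outright.

```python
"""NBAR-style HTTP URL matching for the CODE-RED class-map above.

Added example, not Cisco code: the class-map's wildcard URL patterns are
translated to regular expressions and run over constructed request lines."""
import re

# The three 'match protocol http url' patterns from the class-map (match-any).
CODE_RED_URL_PATTERNS = ["*.ida*", "*cmd.exe*", "*root.exe*"]

# Constructed request lines: (source host, HTTP request line). Only the URL
# part is examined, as with 'match protocol http url'.
SAMPLE_REQUESTS = [
    ("10.1.5.20", "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN HTTP/1.0"),  # .ida probe
    ("10.1.5.21", "GET /scripts/root.exe?/c+dir HTTP/1.0"),               # backdoor check
    ("10.1.5.22", "GET /c/winnt/system32/CMD.EXE?/c+dir HTTP/1.0"),       # upper-case variant
    ("10.1.5.23", "GET /index.html HTTP/1.1"),                             # benign
    ("10.1.5.24", "GET /docs/ida-pro-notes.html HTTP/1.1"),               # benign, no '.ida'
    ("10.1.5.25", "GET /reports/q3.ida.pdf HTTP/1.1"),                     # benign but matches
]


def glob_to_regex(pattern: str):
    """'*' matches any run of characters; everything else is literal."""
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


COMPILED = [glob_to_regex(p) for p in CODE_RED_URL_PATTERNS]


def request_target(request_line: str) -> str:
    """Second token of 'METHOD target HTTP/x.y'; empty when the line is malformed."""
    fields = request_line.split()
    return fields[1] if len(fields) >= 2 else ""


def matches_code_red(url: str) -> bool:
    """match-any semantics: any one pattern is enough."""
    return any(r.match(url) for r in COMPILED)


def classify(requests):
    """Returns (source, url, class) per request, as a policy-map would see it."""
    out = []
    for src, line in requests:
        url = request_target(line)
        out.append((src, url, "CODE-RED" if matches_code_red(url) else "class-default"))
    return out


def offending_sources(requests):
    """Hosts whose requests would fall into 'class CODE-RED' in a policy-map."""
    return sorted({src for src, _, cls in classify(requests) if cls == "CODE-RED"})
```

Anchoring the pattern to the URL token rather than the whole request line keeps a pattern such as "*cmd.exe*" from matching a header or body that merely mentions the string.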

Page 59: Cisco QoS Concept and Design

Impact of an Internet Worm: Part Two: Integrating Security and QoS

[Figure: the same enterprise topology as in Part One, showing where each countermeasure applies against the overloaded data plane, control plane and end systems]

Prevent the Attack

• Intrusion detection

• Cisco Guard

• Firewall

• ACLs and NBAR

Protect the End Systems

• Cisco Security Agent

Protect the Control Plane

• Control plane policing

Protect the Data Plane

• Data plane policing (Scavenger-Class QoS)

Page 60: Cisco QoS Concept and Design

QoS Best-Practice Design Principles

Page 61: Cisco QoS Concept and Design

Classification and Marking Design: Where and How Should Marking Be Done?

• QoS policies (in general) should always be performed in hardware, rather than software, whenever a choice exists

• Classify and mark applications as close to their sources as technically and administratively feasible

• Use DSCP markings whenever possible

• Follow standards-based DSCP PHBs to ensure interoperation and future expansion

RFC 2474 Class Selector Code Points

RFC 2597 Assured Forwarding Classes

RFC 3246 Expedited Forwarding


Classification and Marking Design: QoS Baseline Marking Recommendations

Application            L3 Classification            L2
                       DSCP   PHB     IPP           CoS
Routing                48     CS6     6             6
Voice                  46     EF      5             5
Video Conferencing     34     AF41    4             4
Streaming Video        32     CS4     4             4
Mission-Critical Data  26     AF31*   3             3
Call Signaling         24     CS3*    3             3
Transactional Data     18     AF21    2             2
Network Management     16     CS2     2             2
Bulk Data              10     AF11    1             1
Scavenger               8     CS1     1             1
Best Effort             0     0       0             0

* At the time of this deck the Cisco QoS Baseline was migrating Call Signaling from AF31 to CS3 and reserving AF31 for Mission-Critical Data; the asterisk flags the two markings affected by that transition.
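The table's PHB, IPP and CoS columns are not independent choices: all three follow from the bit layout of the 6-bit DSCP (class selector in the top three bits, AF drop precedence in the next two, EF at 46). The added example below (mine, not from the deck) derives them in Python and checks every row of the table against the derivation, so a marking plan can be validated before it is configured. The function names and the "BE" label for DSCP 0 (the default PHB) are assumptions for illustration.

```python
"""DSCP bit-field arithmetic and a check of the QoS Baseline table (added example)."""

EF_DSCP = 46  # RFC 3246 Expedited Forwarding: 101110


def phb_name(dscp: int) -> str:
    """Standards-based PHB name for a DSCP: RFC 2474 CSx, RFC 2597 AFxy, RFC 3246 EF.

    DSCP 0 is the default PHB, labelled "BE" here. Codepoints with no
    standard name (for example 45 or 44) are reported as "DSCP<n>".
    """
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit field")
    if dscp == EF_DSCP:
        return "EF"
    cls, low3 = dscp >> 3, dscp & 0b111
    if low3 == 0:                                   # xxx000: class selector
        return "BE" if cls == 0 else f"CS{cls}"
    if 1 <= cls <= 4 and low3 in (0b010, 0b100, 0b110):
        return f"AF{cls}{low3 >> 1}"                # xxxdd0: class x, drop precedence d
    return f"DSCP{dscp}"


def ip_precedence(dscp: int) -> int:
    """IP Precedence is the top three DSCP bits (the old ToS precedence field)."""
    return dscp >> 3


def l2_cos(dscp: int) -> int:
    """Default DSCP-to-CoS mapping used by the baseline table: CoS equals IPP."""
    return dscp >> 3


def af_codepoint(cls: int, drop_precedence: int) -> int:
    """Inverse of phb_name for AF: AFxy -> class x in bits 5-3, y in bits 2-1."""
    if not (1 <= cls <= 4 and 1 <= drop_precedence <= 3):
        raise ValueError("AF classes are 1-4, drop precedence is 1-3")
    return (cls << 3) | (drop_precedence << 1)


# Rows of the QoS Baseline table: (application, DSCP, PHB, IPP, CoS).
QOS_BASELINE = [
    ("Routing", 48, "CS6", 6, 6),
    ("Voice", 46, "EF", 5, 5),
    ("Video Conferencing", 34, "AF41", 4, 4),
    ("Streaming Video", 32, "CS4", 4, 4),
    ("Mission-Critical Data", 26, "AF31", 3, 3),
    ("Call Signaling", 24, "CS3", 3, 3),
    ("Transactional Data", 18, "AF21", 2, 2),
    ("Network Management", 16, "CS2", 2, 2),
    ("Bulk Data", 10, "AF11", 1, 1),
    ("Scavenger", 8, "CS1", 1, 1),
    ("Best Effort", 0, "BE", 0, 0),
]


def baseline_table_errors(rows=QOS_BASELINE):
    """Return the applications whose PHB/IPP/CoS do not follow from their DSCP."""
    bad = []
    for app, dscp, phb, ipp, cos in rows:
        if (phb_name(dscp), ip_precedence(dscp), l2_cos(dscp)) != (phb, ipp, cos):
            bad.append(app)
    return bad


if __name__ == "__main__":
    for app, dscp, *_ in QOS_BASELINE:
        print(f"{app:22s} DSCP {dscp:2d} {phb_name(dscp):5s} IPP {ip_precedence(dscp)} CoS {l2_cos(dscp)}")
    print("table errors:", baseline_table_errors() or "none")
```

Because IPP and CoS are only the top three bits, marking two classes with DSCPs that share those bits (AF31 and CS3, for example) makes them indistinguishable on any device that trusts CoS or IPP rather than DSCP; that is one reason the deck recommends DSCP end to end.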


Queuing Design Principles: Where and How Should Queuing Be Done?

• The only way to provide service guarantees is to enable queuing at any node that has the potential for congestion

Regardless of how rarely—in fact—this may occur

• At least 25 percent of a link’s bandwidth should be reserved for the default Best Effort class

• Limit the amount of strict-priority queuing to 33 percent of a link’s capacity

• Whenever a Scavenger queuing class is enabled, it should be assigned a minimal amount of bandwidth

• To ensure consistent PHBs, configure consistent queuing policies in the Campus + WAN + VPN, according to platform capabilities

• Enable WRED on all TCP flows, whenever supported (preferably DSCP-based WRED)


Campus Queuing Design: Realtime, Best Effort, and Scavenger Queuing Rules

Figure: four-class split of a link's bandwidth. Real-Time ≤ 33%; Critical Data (the remainder); Best Effort ≥ 25%; Scavenger/Bulk ≤ 5%.


Campus and WAN/VPN Queuing Design: Compatible Four-Class and Eleven-Class Queuing Models Following Realtime, Best Effort, and Scavenger Queuing Rules

Figure: the eleven-class model folded into the four-class model.

• Real-Time ≤ 33%: Voice 18%, Interactive Video 15%

• Critical Data: Call-Signaling, Internetwork-Control, Network Management, Mission-Critical Data, Transactional Data, Streaming-Video

• Best Effort ≥ 25%: Best Effort 25%

• Scavenger/Bulk 5%: Bulk 4%, Scavenger 1%
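To check a link's allocation against these rules before it goes into a policy-map, here is an added example in Python (mine, not from the deck): it folds an eleven-class plan into the four-class view above and reports every rule the plan breaks. Only the percentages the slide states (Voice 18, Interactive Video 15, Bulk 4, Scavenger 1, Best Effort 25) are from the deck; the remaining shares, the oversubscribed second plan and the function names are assumptions for illustration.

```python
"""Check a per-link queuing plan against the real-time, best-effort and scavenger rules (added example)."""

REALTIME_CLASSES = {"Voice", "Interactive Video"}   # strict-priority (LLQ) classes
SCAVENGER_BULK_CLASSES = {"Scavenger", "Bulk"}
BEST_EFFORT = "Best Effort"

# Eleven-class plan from the slide. Voice, Interactive Video, Bulk, Scavenger and
# Best Effort carry the slide's percentages; the other shares are assumed here
# only so that the example sums to 100%.
ELEVEN_CLASS_PLAN = {
    "Voice": 18, "Interactive Video": 15, "Call-Signaling": 5,
    "Internetwork-Control": 3, "Network Management": 2, "Mission-Critical Data": 10,
    "Transactional Data": 7, "Streaming-Video": 10,
    "Bulk": 4, "Scavenger": 1, "Best Effort": 25,
}

# A constructed plan that breaks all three rules while still summing to 100%.
OVERSUBSCRIBED_PLAN = {
    "Voice": 40, "Interactive Video": 10, "Mission-Critical Data": 25,
    "Bulk": 5, "Scavenger": 5, "Best Effort": 15,
}


def four_class_view(plan):
    """Fold any plan into the slide's four-class model (percentages of the link)."""
    realtime = sum(v for k, v in plan.items() if k in REALTIME_CLASSES)
    scavenger_bulk = sum(v for k, v in plan.items() if k in SCAVENGER_BULK_CLASSES)
    best_effort = plan.get(BEST_EFFORT, 0)
    critical = sum(plan.values()) - realtime - scavenger_bulk - best_effort
    return {"Real-Time": realtime, "Critical Data": critical,
            "Best Effort": best_effort, "Scavenger/Bulk": scavenger_bulk}


def plan_violations(plan, realtime_max=33, best_effort_min=25, scavenger_bulk_max=5):
    """Return human-readable rule violations; an empty list means the plan complies."""
    view = four_class_view(plan)
    total = sum(plan.values())
    problems = []
    if total > 100:
        problems.append(f"allocations sum to {total}%, over 100%")
    if view["Real-Time"] > realtime_max:
        problems.append(f"strict-priority classes take {view['Real-Time']}% (limit {realtime_max}%)")
    if view["Best Effort"] < best_effort_min:
        problems.append(f"Best Effort gets {view['Best Effort']}% (minimum {best_effort_min}%)")
    if view["Scavenger/Bulk"] > scavenger_bulk_max:
        problems.append(f"Scavenger/Bulk gets {view['Scavenger/Bulk']}% (limit {scavenger_bulk_max}%)")
    return problems


if __name__ == "__main__":
    for name, plan in (("eleven-class", ELEVEN_CLASS_PLAN), ("oversubscribed", OVERSUBSCRIBED_PLAN)):
        print(name, four_class_view(plan), plan_violations(plan) or "compliant")
```

The 33% ceiling exists because strict-priority queues are served before everything else: past that point a sustained voice or video burst starves the data classes, and the guarantee the queuing was meant to provide disappears.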


Policing Design Principles: Where and How Should Policing Be Done?

• Police traffic flows as close to their sources as possible

• Perform markdown according to standards-based rules, whenever supported

RFC 2597 specifies how Assured Forwarding traffic should be marked down (AF11 → AF12 → AF13, one drop-precedence step at a time); this is the right choice whenever DSCP-based WRED is supported on the egress queues, since markdown only has an effect if a downstream queue drops the higher drop precedence first

Cisco Catalyst platforms (as of this 2006 deck) do not support DSCP-based WRED, so Scavenger-class remarking is a viable alternative there

Additionally, non-AF classes do not have a standards-based markdown scheme, so Scavenger-class remarking is a viable option
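The markdown rules above are easy to get wrong in a policer configuration, so here is an added example (mine, not from the deck) of a single-rate token-bucket policer in Python that applies them: conforming packets keep their DSCP; exceeding AF packets are marked down one drop-precedence step (AF11 → AF12 → AF13) when DSCP-based WRED exists downstream; everything else that exceeds, including non-AF classes and any class on a platform without DSCP-based WRED, is remarked to Scavenger (CS1). The rate, burst, packet sizes, the `dscp_wred_downstream` flag and the function names are assumptions for illustration.

```python
"""Token-bucket policer with RFC 2597 markdown or Scavenger remarking (added example)."""
from dataclasses import dataclass, field

CS1 = 8  # Scavenger class selector


def is_af(dscp: int) -> bool:
    """True for AF11..AF43: class 1-4 in the top three bits, drop precedence 1-3."""
    cls, low3 = dscp >> 3, dscp & 0b111
    return 1 <= cls <= 4 and low3 in (0b010, 0b100, 0b110)


def af_markdown(dscp: int) -> int:
    """RFC 2597 markdown: one drop-precedence step (AFx1 -> AFx2 -> AFx3), capped at AFx3."""
    if not is_af(dscp):
        raise ValueError(f"{dscp} is not an AF codepoint")
    drop_precedence = (dscp >> 1) & 0b11
    return dscp if drop_precedence == 3 else dscp + 2


def exceed_dscp(dscp: int, dscp_wred_downstream: bool) -> int:
    """Markdown only helps if an egress queue runs DSCP-based WRED; otherwise remark to CS1."""
    if is_af(dscp) and dscp_wred_downstream:
        return af_markdown(dscp)
    return CS1


@dataclass
class Policer:
    """Single-rate, single-bucket policer. Time is in whole milliseconds so the
    token arithmetic stays exact; rate_bps is assumed to be a multiple of 8000."""
    rate_bps: int
    burst_bytes: int
    dscp_wred_downstream: bool = False
    tokens: int = field(init=False)
    last_ms: int = field(init=False, default=0)

    def __post_init__(self):
        self.tokens = self.burst_bytes  # bucket starts full

    def police(self, t_ms: int, size: int, dscp: int):
        """Return (action, out_dscp) for a packet of `size` bytes arriving at t_ms."""
        refill = (t_ms - self.last_ms) * self.rate_bps // 8000  # bytes earned since last packet
        self.tokens = min(self.burst_bytes, self.tokens + refill)
        self.last_ms = t_ms
        if size <= self.tokens:
            self.tokens -= size
            return "conform", dscp
        return "exceed", exceed_dscp(dscp, self.dscp_wred_downstream)


def simulate_burst(dscp: int, dscp_wred_downstream: bool):
    """Constructed flow: 20 x 1500-byte packets at 1 ms spacing (12 Mbit/s) into a
    2 Mbit/s policer with an 8000-byte burst. Returns (number of conforming
    packets, set of DSCPs assigned to the exceeding packets)."""
    policer = Policer(rate_bps=2_000_000, burst_bytes=8000,
                      dscp_wred_downstream=dscp_wred_downstream)
    results = [policer.police(ms, 1500, dscp) for ms in range(20)]
    conforming = sum(1 for action, _ in results if action == "conform")
    exceed_marks = {out for action, out in results if action == "exceed"}
    return conforming, exceed_marks


if __name__ == "__main__":
    print("AF11 with DSCP-WRED downstream:", simulate_burst(10, True))
    print("AF11 on a Catalyst without it: ", simulate_burst(10, False))
    print("CS3 (no standard markdown):    ", simulate_burst(24, True))
```

The difference between the two strategies shows up only under congestion: marked-down AF12 traffic still competes in its own class and is merely dropped first by WRED, whereas traffic remarked to CS1 falls into the Scavenger queue and gets only that queue's minimal share. Remarking to Scavenger is therefore the more aggressive of the two and the one that limits a worm-infected host regardless of platform.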


Enterprise LAN, WAN, Branch, and VPN QoS Design Overview


Campus QoS Considerations: Where Is QoS Required Within the Campus?

Figure: campus topology from the FastEthernet access edges (IP Phones + PCs, Server Farms) over GigabitEthernet and TenGigabitEthernet uplinks (Cisco Catalyst 6500 Sup720) up to the WAN Aggregator. Policy sets shown on the figure: No Trust + Policing + Queuing and Conditional Trust + Policing + Queuing at the access edges, Trust DSCP + Queuing on the inter-switch links, and Per-User Microflow Policing on the Catalyst 6500 Sup720.


WAN Edge QoS Design Considerations: QoS Requirements of WAN Aggregators

Figure: Campus Distribution/Core Switches (LAN Edges) to the WAN Aggregator (WAN Edges) to the WAN. The WAN edges carry the Queuing/Dropping/Shaping/Link-Efficiency policies for Campus-to-Branch traffic.


Branch Router QoS Design: QoS Requirements for Branch Routers

Figure: Branch Switch to Branch Router (LAN Edge) to the WAN (WAN Edge).

• WAN edge: Queuing/Dropping/Shaping/Link-Efficiency policies for Branch-to-Campus traffic

• LAN edge: Classification and Marking (+ NBAR) policies for Branch-to-Campus traffic

• LAN edge, optional: DSCP-to-CoS mapping policies for Campus-to-Branch traffic


MPLS VPN QoS Design: QoS Requirements in MPLS VPN Architectures

Figure: CE Router to PE Router, across the P Routers of the MPLS VPN, to PE Router and CE Router.

Required:

• CE-to-PE Queuing/Shaping/Remarking/LFI

• PE Ingress Policing and Remarking

• PE-to-CE Queuing/Shaping/LFI

Optional:

• Core DiffServ or MPLS TE policies


IPSec VPN QoS Design: QoS Requirements in IPSec VPN Architectures

Figure: Branch Router across an IPSec VPN Tunnel over the Internet to the VPN Head-End/Edge Router. Policies on the tunnel endpoints:

• Queuing/Dropping/Shaping/Link-Efficiency Policies

• LLQ for Crypto

• QoS Pre-Classification (classify on the cleartext headers before encryption hides them)

• ISAKMP Protection

• Anti-Replay Tuning (LLQ reorders packets inside a tunnel, so an undersized anti-replay window drops legitimate low-priority packets; widen the window only as far as the reordering requires, since a larger window weakens replay protection)
