ACL & QoS

Transcript of ACL & QoS (42 pages)

Page 1: ACL & QoS. Course Objectives: To master the principles and functions of ACL; to master the principles and functions of QoS.

ACL & QoS

Page 2

Course Objectives

To master the principles and functions of ACL
To master the principles and functions of QoS

Page 3

Contents

ACL Principles
QoS Principles

Page 4

Concept of ACL

ACL (Access Control List) is a way to judge, classify and filter the data that pass through switches. ACL is applied as follows:

Applied to an interface: to judge and decide whether packets are allowed to be forwarded through the switch, according to the characteristics of the data packets and data segments. Its purpose is to manage and control data traffic.

Used to implement policy routing and to control special traffic.

An ACL contains one or more rules for IP data packets of specific types. An ACL may include only one rule or many rules; taken together, the rules define which data packets match.

As a universal data traffic judgment criterion, ACL can work with other technologies on different occasions, such as firewall, QoS and queuing technology, policy route, data rate limit, routing policy, and NAT.

Page 5

ACL Work Flow

(Flow diagram) Input interface -> Route entry? -> Select interface -> Check ACL rule -> Allow? -> Output interface. A packet with no route entry is dropped; a packet the ACL does not allow is dropped.

Page 6

Judgment Principle inside ACL

(Flow diagram) A packet from the input interface is tested against rule 1 ("Match the first rule?"), then rule 2, then rule 3, in order. The first matching rule decides: Allow sends the packet to the destination interface, Reject drops it. A packet that matches no rule hits the implicit rejection at the end and is dropped.

Page 7

Judgment Criteria of ACL

ACL can use the following judgment criteria:
Source IP
Destination IP
Protocol type (IP, UDP, TCP, ICMP)
Source port number
Destination port number

Page 8

Judgment Criteria of ACL

(Diagram) Use ACL to check data packets: the frame header (such as HDLC), the data packet header (such as the IP packet header), the segment header (such as the TCP header) and the data. The ACL inspects the source address, destination address, protocol, source port number and destination port number, and the result is Reject or Allow.

Page 9

ACL Rules

Rules are evaluated from top to bottom in order. After the first match is found, the corresponding action is carried out and matching stops; the subsequent rules are not evaluated.

The end of the list is "deny all" by default.

ACL can be applied on an IP interface or to a service. Create the ACL before using it, or faults may occur.

For a protocol, only one ACL can be configured at the same time in one direction on a port, and the direction in which the ACL is applied on the interface is very important. Any configuration error may disable the function.

Page 10

Display ACL

gar-1#show ip access-list 1
Standard IP access list 1
    permit 10.1.1.0, wildcard bits 0.0.0.255
    permit 20.1.1.0, wildcard bits 0.0.0.255
    permit 30.1.1.0, wildcard bits 0.0.0.255

Page 11

ACL Functions

To achieve data packet filtering, policy routing and special traffic control.

An ACL can contain one or more rules for data packets of specific types. These rules tell the device whether the data packets that match the rules are allowed or rejected.

Which rule of an ACL takes effect for a packet on a port is determined by the order of the conditional statements in the list. If a data packet header matches a conditional statement, the subsequent statements are ignored.
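Added example (not from the course slides): a small Python evaluator with the first-match and implicit-deny semantics described above and the wildcard-mask notation of the show ip access-list output. Standard ACL 1 is taken from the slide; the extended rules, host and port values are constructed to show how a wrong rule order shadows a deny.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Rule:
    action: str                  # "permit" or "deny"
    src: str                     # "any" or "<network> <wildcard>" as printed by show ip access-list
    dst: str = "any"
    proto: str = "ip"            # "ip" matches every IP protocol; otherwise "tcp", "udp", "icmp"
    dport: Optional[int] = None  # destination port (extended ACLs only)

def wildcard_match(addr: str, spec: str) -> bool:
    """Router-style wildcard compare: a 0 bit in the wildcard must match, a 1 bit is ignored."""
    if spec == "any":
        return True
    net, wild = spec.split()
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wild))
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(net)) & care)

def evaluate(acl: List[Rule], pkt: dict) -> Tuple[str, int]:
    """First-match semantics: rules are tested top to bottom and the first hit decides.
    Returns (action, rule_index); index -1 means the implicit 'deny all' at the end fired."""
    for i, rule in enumerate(acl):
        if not wildcard_match(pkt["src"], rule.src):
            continue
        if not wildcard_match(pkt["dst"], rule.dst):
            continue
        if rule.proto != "ip" and rule.proto != pkt.get("proto"):
            continue
        if rule.dport is not None and rule.dport != pkt.get("dport"):
            continue
        return rule.action, i
    return "deny", -1

def shadowed_rules(acl: List[Rule], samples: List[dict]) -> List[int]:
    """Indices of rules that never fire for the sample packets (a quick ordering check)."""
    hit = {evaluate(acl, p)[1] for p in samples}
    return [i for i in range(len(acl)) if i not in hit]

# Standard ACL 1 exactly as displayed on the slide (source address only)
ACL_1 = [
    Rule("permit", "10.1.1.0 0.0.0.255"),
    Rule("permit", "20.1.1.0 0.0.0.255"),
    Rule("permit", "30.1.1.0 0.0.0.255"),
]

# Constructed extended ACL: deny one host's SSH, permit SSH from the rest of its subnet
ACL_OK = [
    Rule("deny", "10.1.1.7 0.0.0.0", "any", "tcp", 22),
    Rule("permit", "10.1.1.0 0.0.0.255", "any", "tcp", 22),
]
# The same two rules reversed: the broad permit matches first, so the deny is never reached
ACL_BAD = list(reversed(ACL_OK))
```

Run shadowed_rules(ACL_BAD, samples) with a few representative packets and it reports rule 1 (the host deny) as unreachable.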

Page 12

ACL Functions

ACL is classified into eight types:

Basic ACL: matches source IP addresses only
Extended ACL: matches source IP addresses, destination IP addresses, IP protocol types, TCP source port number, TCP destination port number, UDP source port number, UDP destination port number, ICMP types, ICMP code, DSCP, ToS, and Precedence
Layer-2 ACL: matches source MAC addresses, destination MAC addresses, source VLAN ID, layer-2 Ethernet protocol type, and 802.1p priorities
Hybrid ACL: matches source MAC addresses, destination MAC addresses, source VLAN ID, source IP address, destination IP address, TCP source port number, TCP destination port number, UDP source port number, and UDP destination port number
Basic IPv6 ACL: matches IPv6 source addresses only
Extended IPv6 ACL: matches IPv6 source and destination addresses
User-defined ACL: matches the number of VLAN tags and offset bytes
ATM ACL: matches VPI, VCI, and time segment

Page 13

ACL Functions

ACL access list number ranges:
Basic ACL: 1-99, 1000-1499
Extended ACL: 100-199, 1500-1999
Layer-2 ACL: 200-299
Hybrid ACL: 300-349
Basic IPv6 ACL: 2000-2499
Extended IPv6 ACL: 2500-2999
User-defined ACL: 3000-3499
ATM ACL: 4000-4499

Page 14

Standard ACL and Extended ACL

Standard ACL                                    | Extended ACL
------------------------------------------------|--------------------------------------------------------------------------------------------
Filtering based on source address               | Filtering based on source address, destination address, protocol type, and application type
Allows/rejects the whole TCP/IP protocol suite  | Specifies a specific IP protocol and protocol number
ACL number ranges from 1 to 99                  | ACL number ranges from 100 to 199

Page 15

Contents

ACL Principles
QoS Principles

Page 16

Concept of QoS

IP QoS refers to the capability of an IP network to provide specific services with the service level they require, over an IP network spanning multiple lower-layer network technologies (FR, ATM, Ethernet, SDH).

QoS needs to perform the following jobs:
To avoid and manage IP network congestion
To reduce the IP packet loss rate
To adjust IP network traffic
To provide dedicated bandwidth for special users or special services
To support realtime services on the IP network

Page 17

QoS Model

Integrated service: IntServ in short
Differentiated service: DiffServ in short

Page 18

IntServ Model

IntServ is an end-to-end, flow-based QoS technology. Before the terminal sends data, it needs to request QoS from the network according to the service type. The network judges whether to accept this service request according to a certain admission policy. IntServ establishes an end-to-end communication path through the out-of-band RSVP (Resource Reservation Protocol).

RSVP only transmits QoS requests between network nodes. It does not realize these QoS requirements itself.

The QoS requirements are realized through other technologies, such as PQ, CQ, and WFQ.

Page 19

DiffServ Model

DiffServ can satisfy users' different QoS demands and is easy to expand. Different from IntServ, it needs no signaling and no hop-by-hop set-up; that is, a service does not have to inform the routers before it sends a packet.

DiffServ is a DSCP-based QoS solution. At the network entrance, the service is classified and its traffic is controlled, and the DSCP field of the packets is set. Inside the network, according to the QoS mechanism and the DSCP values marked in the packets, each type of communication is differentiated and served, including resource allocation, queue scheduling, and packet drop policy. These are generally called PHB (per-hop behavior).

All nodes in the DiffServ domain apply the PHB according to the DSCP fields marked in the packets.

Page 20

Packet Classification and Mark

Packet classification refers to the operation by which the data packets to be forwarded are put into queues.

(Flow diagram) Data packet -> Select a queue -> Is queue full? If not, go to the queue; if full, drop.

Page 21

Packet Classification and Mark

Network administrators can set the packet classification policy. This policy may include:
Physical port
Source address
Destination address
MAC address
IP protocol
Port number of the application program

The classification result has no scope limit. It can be a flow identified by a five-element group (source address, source port number, protocol number, destination address, and destination port number), or all packets going to some network segment.

Packets are classified with the following methods:
Based on ACL
Based on IP priorities

Page 22

Traffic Monitoring

Token bucket is a common algorithm for controlling the interface rate. Its parameters include:
CIR: committed information rate
Bc: committed burst size; the amount of data that the network allows users to transmit at the rate of CIR within the interval Tc
Be: excess burst size; the amount of data beyond Bc that the network allows users to transmit within the interval Tc
Tc: sampling interval; data traffic on the virtual circuit is monitored and controlled at the interval Tc; Tc = Bc/CIR

Within Tc:
When the user data transmitted is less than or equal to Bc, the received frames continue to be sent.
When the user data transmitted is greater than Bc but less than or equal to Bc+Be, the frames continue to be sent if the network is not seriously congested; otherwise they are dropped.
When the user data transmitted is greater than Bc+Be, the frames that exceed the limit are dropped.

Page 23

Traffic Monitoring

(Diagram) Token bucket mechanism: tokens are released into the token bucket at a specified rate; a data packet is sent when the bucket holds enough tokens and dropped otherwise.

Page 24

CAR (Committed Access Rate)

CAR uses a token bucket to control traffic.

First the packet is classified. If the classified packet is identified as a type of packet to be processed, the packet then goes to the token bucket for processing.

If there are sufficient tokens in the token bucket to send the packet, it is considered "Conform"; if the tokens are not sufficient, it is considered "Exceed".

In the subsequent action mechanism, the "Conform" packets can be sent, dropped, or re-marked.

When CAR is used for traffic monitoring, it is configured as follows: send the "Conform" packets and drop the "Exceed" packets. Namely, when there are enough tokens in the token bucket, the packet is sent; when there are not enough tokens, the packet is dropped. Thus the traffic of packets is controlled.

CAR can also be used to mark or re-mark the packets through Precedence or DSCP.
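Added example (not from the course slides): a Python token bucket parameterized by CIR, Bc and Be as defined on the Traffic Monitoring slide, with the CAR conform/exceed policing step on top. The traffic sample is constructed; with Be = 0 the function behaves as the two-color CAR policer described above (conform is sent, everything else dropped), and with Be > 0 the Bc / Bc+Be / beyond tiers of the Traffic Monitoring slide apply.

```python
class TokenBucket:
    """Single-rate token bucket with the slide's parameters:
    CIR (bit/s), Bc (committed burst, bytes), Be (excess burst, bytes), Tc = Bc / CIR."""

    def __init__(self, cir_bps: float, bc: int, be: int = 0):
        self.rate = cir_bps / 8.0          # token release rate, bytes per second
        self.bc, self.be = bc, be
        self.c_tokens = float(bc)          # committed bucket starts full
        self.e_tokens = float(be)          # excess bucket starts full
        self.tc = bc / self.rate           # sampling interval Tc = Bc / CIR, seconds
        self.last = 0.0                    # time of the previous refill

    def _refill(self, now: float) -> None:
        # Tokens are released at CIR; overflow of the Bc bucket spills into the Be bucket.
        new = (now - self.last) * self.rate
        self.last = now
        spill = max(0.0, self.c_tokens + new - self.bc)
        self.c_tokens = min(float(self.bc), self.c_tokens + new)
        self.e_tokens = min(float(self.be), self.e_tokens + spill)

    def measure(self, now: float, size: int) -> str:
        """Classify one packet: 'conform' (within Bc), 'exceed' (within Bc+Be) or 'violate'."""
        self._refill(now)
        if size <= self.c_tokens:
            self.c_tokens -= size
            return "conform"
        if size <= self.e_tokens:
            self.e_tokens -= size
            return "exceed"
        return "violate"

def car_police(bucket: TokenBucket, packets, congested: bool = False):
    """Traffic monitoring: conforming packets are sent, packets beyond Bc+Be are dropped,
    and packets inside the Be allowance are sent only while the network is not congested."""
    result = []
    for now, size in packets:
        color = bucket.measure(now, size)
        if color == "conform":
            action = "send"
        elif color == "exceed":
            action = "drop" if congested else "send"
        else:
            action = "drop"
        result.append((color, action))
    return result

# Constructed traffic: (arrival time in seconds, packet size in bytes)
TRAFFIC = [(0.0, 600), (0.0, 500), (0.0, 100), (0.0, 400), (2.0, 1000)]

if __name__ == "__main__":
    bucket = TokenBucket(cir_bps=8000, bc=1000, be=500)   # 1000 B/s, so Tc = 1 s
    for pkt, res in zip(TRAFFIC, car_police(bucket, TRAFFIC)):
        print(pkt, res)
```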

Page 25

Congestion Management

Characteristics of congestion management: to ensure that different types of packets obtain different services when the network is congested. Different types of packets are put into different queues to obtain different scheduling priorities, probabilities, or bandwidth assurance.

(Diagram) Data packet -> Go to queue -> Output queue -> Send

Page 26

Congestion Management

The algorithms for congestion management include:
FIFO (First In First Out)
PQ (Priority Queuing)
CQ (Custom Queuing)
WFQ (Weighted Fair Queuing)

Page 27

FIFO

FIFO: First In First Out. FIFO does not classify packets. When packets arrive, FIFO lets them enter the queue in arrival order and leave the queue at the exit in the same order. Packets arriving first go out first; packets arriving later go out later.

The default service mode of the Internet, Best-Effort, adopts the FIFO queuing policy.

Page 28

FIFO

(Diagram) A single interface queue; packets that arrive when the queue is full are dropped.

Page 29

PQ

PQ: Priority Queueing. PQ performs strict priority scheduling. Packets can be classified into at most four types, each belonging to one of the four queues. The packets are put into the corresponding queues according to their types.

The four queues of PQ are the high-priority queue, medium-priority queue, normal-priority queue, and low-priority queue. Their priorities decrease in that order.

Page 30

PQ

(Diagram) Data packets are classified into Queue1 (High), Queue2 (Medium), Queue3 (Normal) and Queue4 (Low); each queue tail-drops when full; strict priority scheduling selects the packet to send.

Page 31

CQ

CQ: Custom Queueing. CQ adopts round robin scheduling. Packets can be classified into at most 17 types, each belonging to one of the 17 queues of CQ.

Among the 17 queues of CQ, queue 0 is a priority queue. The router always sends the packets in queue 0 first and then sends the packets in queue 1 to queue 16. Therefore, queue 0 is generally taken as the system queue; interactive protocol packets with high realtime requirements are put in queue 0.

Queue 1 to queue 16 can be allocated a bandwidth proportion according to the users' requirements. When packets leave the queues, CQ takes a certain number of packets from queue 1 to queue 16 in turn, according to the defined bandwidth proportion, and sends them out on the interface.

Page 32

CQ

(Diagram) Data flows 1 to 16 are classified into Queue1 to Queue16; each queue tail-drops when full; round robin scheduling selects the packet to send.

Page 33

Difference between CQ and PQ

PQ assigns absolute priority to the higher-priority packets, which ensures the precedence of the key services; yet when the rate of the high-priority packets is always higher than the interface rate, the low-priority packets never get a chance to be sent.

This situation can be avoided by using CQ. CQ classifies packets and then allocates them to a CQ queue according to type. For each queue, the proportion of the interface bandwidth that its packets may occupy is specified. Thus packets of different services obtain reasonable bandwidth, which ensures that the key services obtain sufficient bandwidth and that the non-key services are still processed.
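Added example (not part of the course): a tick-based Python simulation of strict priority (PQ) against custom queuing (CQ) on one overloaded link, which reproduces the starvation described above. The offered traffic, the queue depth and the 3:1 weights are constructed; the CQ system queue 0 is not modelled.

```python
from collections import deque

PRIORITY_ORDER = ["high", "medium", "normal", "low"]   # the four PQ queues

def pq_pick(queues, state):
    """Strict priority: always serve the highest-priority non-empty queue."""
    for name in PRIORITY_ORDER:
        if queues.get(name):
            return name
    return None

def make_cq_pick(weights):
    """Custom queuing: round robin over the queues, taking up to weights[q] packets
    from each queue per round (the configured bandwidth proportion)."""
    order = list(weights)

    def cq_pick(queues, state):
        idx = state.setdefault("idx", 0)
        quota = state.setdefault("quota", weights[order[idx]])
        for _ in range(len(order)):
            name = order[idx]
            if queues[name] and quota > 0:
                quota -= 1
                if quota == 0:                    # this queue's share is used up
                    idx = (idx + 1) % len(order)
                    quota = weights[order[idx]]
                state["idx"], state["quota"] = idx, quota
                return name
            idx = (idx + 1) % len(order)          # empty queue: move on to the next one
            quota = weights[order[idx]]
        state["idx"], state["quota"] = idx, quota
        return None

    return cq_pick

def simulate(arrivals, ticks, pick, depth=64):
    """Constructed traffic model: arrivals[q] packets reach queue q every tick, the link
    sends one packet per tick, and a full queue tail-drops. Returns (sent, dropped) per queue."""
    queues = {q: deque() for q in arrivals}
    sent = {q: 0 for q in arrivals}
    dropped = {q: 0 for q in arrivals}
    state = {}
    for t in range(ticks):
        for q, rate in arrivals.items():
            for _ in range(rate):
                if len(queues[q]) >= depth:
                    dropped[q] += 1
                else:
                    queues[q].append(t)
        q = pick(queues, state)
        if q is not None:
            queues[q].popleft()
            sent[q] += 1
    return sent, dropped

# Constructed overload: high and low each offer one packet per tick, the link carries only one
OFFERED = {"high": 1, "low": 1}
```

simulate(OFFERED, 1000, pq_pick) sends only high-priority packets and tail-drops almost everything in the low queue, while simulate(OFFERED, 1000, make_cq_pick({"high": 3, "low": 1})) splits the link 750/250.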

Page 34

WFQ

WFQ: Weighted Fair Queueing. WFQ adopts weighted round robin scheduling. Packets can be classified into at most 64 types. WFQ is a complicated queuing process, which ensures fairness among services of the same priority and weighting among services of different priorities. The weight is calculated from the priority: it depends on the IP precedence carried in the IP packet header.

Page 35

WFQ

(Diagram) Data flows 1 to 64 are classified into Queue1 to Queue64; each queue tail-drops when full; round robin scheduling selects the packet to send.

Page 36

CBWFQ

(Flow diagram) Data packet -> Select a queue -> Is queue full? If not, go to the queue; if full, drop.

CBWFQ (Class Based Weighted Fair Queuing) is class-based weighted fair queuing. It is actually a combination of CQ and WFQ.

(Diagram) Data flows 1 to 16 are classified into Queue1 to Queue16; each queue tail-drops when full; round robin scheduling selects the packet to send.

Page 37

Congestion Avoidance

(Diagram) Network congestion: bandwidth occupancy plotted against time.

Page 38

Congestion Avoidance

Ways to avoid congestion are RED and WRED.
RED: Random Early Detection
WRED: Weighted Random Early Detection

Different from RED, WRED introduces IP priorities to differentiate the drop policy. WRED adopts a random drop policy. It avoids the tail drop mode, which may lead to global TCP synchronization.
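Added example (not part of the course): the WRED drop decision in Python, with an EWMA average queue length and a per-precedence threshold profile so that lower IP precedence is discarded earlier as the queue fills. The threshold values and the EWMA weight are constructed for illustration, not taken from any product.

```python
import random

# Constructed WRED profile keyed by IP precedence:
# (lower threshold, upper threshold, maximum drop probability), in packets.
# A lower precedence gets a lower threshold, so its packets are dropped first.
WRED_PROFILE = {
    0: (10, 40, 0.10),
    3: (20, 40, 0.10),
    5: (30, 40, 0.10),
}

def average_queue(prev_avg: float, current_len: int, weight: float = 0.002) -> float:
    """Exponentially weighted moving average of the queue length, as RED uses,
    so that a short burst does not by itself trigger random drops."""
    return prev_avg + weight * (current_len - prev_avg)

def drop_probability(avg: float, lower: int, upper: int, max_p: float) -> float:
    """0 below the lower threshold, rising linearly to max_p at the upper threshold,
    and 1 (every packet dropped, like tail drop) once the average is at or above it."""
    if avg < lower:
        return 0.0
    if avg >= upper:
        return 1.0
    return max_p * (avg - lower) / (upper - lower)

def wred_decide(avg: float, precedence: int, rng: random.Random) -> str:
    """Random drop decision for one arriving packet of the given IP precedence."""
    lower, upper, max_p = WRED_PROFILE[precedence]
    return "drop" if rng.random() < drop_probability(avg, lower, upper, max_p) else "enqueue"

def simulate(avg: float, precedence: int, packets: int, seed: int = 1) -> int:
    """Number of packets WRED drops out of `packets` arrivals at a steady average queue length."""
    rng = random.Random(seed)
    return sum(1 for _ in range(packets) if wred_decide(avg, precedence, rng) == "drop")
```

At an average queue length of 25, precedence 0 traffic already sees random drops while precedence 5 traffic is still fully enqueued; above the upper threshold every arrival is dropped regardless of precedence.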

Page 39

WRED Work Principles

(Diagram) Data packet -> Go to queue -> Output queue -> Send. The queue has a lower threshold and an upper threshold; packets are sent or dropped depending on the queue occupancy relative to these thresholds.

Page 40

QoS Functions

Traffic classification
Traffic policy
Congestion avoidance
Queue scheduling
Traffic shaping
Tunnel QoS function
Ethernet QoS function

Page 41

QoS Functional Model

(Diagram) ACL rule -> Packet classification -> Traffic control (traffic list) -> Congestion avoidance -> Traffic shaping; packets may be dropped at each of these stages.

Page 42